Archive for the ‘ClearOS’ Category

More Fun with DNS Amplification Attacks: pkts.asia and babywow.co.uk

I recently intercepted some DNS amplification attacks using the domains pkts.asia and babywow.co.uk involving a server which has recursion disabled but is, for some reason, returning the list of root name servers. I suppose that will be the topic of my next article :p

Big thanks to this really sweet site http://dnsamplificationattacks.blogspot.ca/ for providing a list of iptables rules which cover these attacks at https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt.

You can find more information on these two specific domains at:
http://dnsamplificationattacks.blogspot.ca/2013/10/domain-pktsasia.html
http://dnsamplificationattacks.blogspot.ca/2013/10/domain-babywowcouk.html

I found that I had to drop the –start and –stop flags to get these rules to work. I’m not sure if I’m not taking into account an offset or perhaps I’m seeing a different strain of the attack but the start and stop positions appear to be different when we crack open the packets:

pkts.asia
00163ebb000300163ecd000208004500
00476dd90000f8114fa44c670d3c0000
0000fd5900350033000095b201000001
00000000000104706b74730461736961
0000ff00010000292328000000000000
0000000000

The string we are blocking for appears to be between 36 and 40 rather than 40 and 51.

babywow.co.uk
00163ebb000300163ecd000208004500
004b9e0c0000f8110d4dd0729b500000
0000a216003500370000c1ff01000001
0000000000010762616279776f770263
6f02756b0000ff000100002923280000
000000000000000000

The string we are blocking for appears to be between 36 and 44 rather than 40 to 55.

You should note that not using –start and –stop will make netfilter inspect the whole packet which will have a (probably negligible) performance hit.

ClearOS seems to have trouble with the comment formatting so I’ve made a couple of minor edits to the list which will drop these rules into FORWARD on your router:

#!/bin/bash
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|1b323031336e69616e636875616e7169736966756661627577616e67076164736634327703636f6d|' -j DROP # -m comment "DROP DNS Q 2013nianchuanqisifufabuwang.adsf42w.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|03697363036f72670000ff00|' -j DROP # -m comment "DROP DNS Q ANY isc.org"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|077375636b64646702636300|' -j DROP # -m comment "DROP DNS Q suckddq.cc"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|076e61706966756e03636f6d|' -j DROP # -m comment "DROP DNS Q napifun.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0768616b34756d7a036e6574|' -j DROP # -m comment "DROP DNS Q hak4umz.net"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|06616e6f6e736303636f6d00|' -j DROP # -m comment "DROP DNS Q anonsc.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0331783102637a0000ff0001|' -j DROP # -m comment "DROP DNS Q ANY 1x1.cz"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|056266686d6d03636f6d000010000100|' -j DROP # -m comment "DROP DNS Q TXT bfhmm.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|03697363036f72670000ff00|' -j DROP # -m comment "DROP DNS Q ANY isc.org dns.id"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|076564656c696f6e02737500|' -j DROP # -m comment "DROP DNS Q edelion.su"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0432736f65027275|' -j DROP # -m comment "DROP DNS Q 2soe.ru"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0472697065036e657400|' -j DROP # -m comment "DROP DNS Q ripe.net"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0968697a62756c6c6168026d6500|' -j DROP # -m comment "DROP DNS Q hizbullah.me"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|11657667656e69792d6d61726368656e6b6f02636300|' -j DROP # -m comment "DROP DNS Q evgeniy-marchenko.cc"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|057372766974036f726700|' -j DROP # -m comment "DROP DNS Q srvit.org"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0B7061636b6574646576696c03636f6d00|' -j DROP # -m comment "DROP DNS Q packetdevil.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|046a756e6b087468657977616e7402696e00|' -j DROP # -m comment "DROP DNS Q junk.theywant.in"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0374787408707773657276657203636f6d02756100|' -j DROP # -m comment "DROP DNS Q txt.pwserver.com.ua"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0469657466036f726700|' -j DROP # -m comment "DROP DNS Q ietf.org"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0371686102636300|' -j DROP # -m comment "DROP DNS Q qha.cc"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|066c61326c6f7702636300|' -j DROP # -m comment "DROP DNS Q la2low.cc"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|057a7a67737403636f6d00|' -j DROP # -m comment "DROP DNS Q zzgst.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|01610B7061636b6574646576696c03636f6d00|' -j DROP # -m comment "DROP DNS Q a.packetdevil.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0778706c6f64696e03636f6d00|' -j DROP # -m comment "DROP DNS Q xplodin.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0261610661736433736303636f6d00|' -j DROP # -m comment "DROP DNS Q aa.asd3sc.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0962697473747265737303636f6d00|' -j DROP # -m comment "DROP DNS Q bitstress.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|026161066d6d7461633103636f6d00|' -j DROP # -m comment "DROP DNS Q aa.mmtac1.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0C6b696464793332333336353502727500|' -j DROP # -m comment "DROP DNS Q kiddy3233655.ru"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|05643639393103636f6d00|' -j DROP # -m comment "DROP DNS Q d6991.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0661613332343703636f6d00|' -j DROP # -m comment "DROP DNS Q aa3247.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|08666b666b666b666103636f6d00|' -j DROP # -m comment "DROP DNS Q fkfkfkfa.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0A677261707079626c6f6703636f6d00|' -j DROP # -m comment "DROP DNS Q grappyblog.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|05636d69756903636f6d00|' -j DROP # -m comment "DROP DNS Q cmiui.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|05346677686b03636f6d00|' -j DROP # -m comment "DROP DNS Q 4fwhk.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0673616e64696103676f7600|' -j DROP # -m comment "DROP DNS Q sandia.gov"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0A7a61696b617061696b6103636f6d00|' -j DROP # -m comment "DROP DNS Q zaikapaika.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|08766572697369676e03636f6d00|' -j DROP # -m comment "DROP DNS Q verisign.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0473656d6102637a00|' -j DROP # -m comment "DROP DNS Q sema.cz"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|04706b7473046173696100|' -j DROP # -m comment "DROP DNS Q pkts.asia"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0A69726c77696e6e696e6703636f6d00|' -j DROP # -m comment "DROP DNS Q irlwinning.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|053337397a6303636f6d00|' -j DROP # -m comment "DROP DNS Q 379zc.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|05333630383804696e666f00|' -j DROP # -m comment "DROP DNS Q 36088.info"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|067478743430390874656b6a65746f6e03636f6d00|' -j DROP # -m comment "DROP DNS Q txt409.tekjeton.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0D73757065726d65676174727565056d6364697202727500|' -j DROP # -m comment "DROP DNS Q supermegatrue.mcdir.ru"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|05333032353904696e666f00|' -j DROP # -m comment "DROP DNS Q 30259.info"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0762616279776f7702636f02756b00|' -j DROP # -m comment "DROP DNS Q babywow.co.uk"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|05333633373204696e666f00|' -j DROP # -m comment "DROP DNS Q 36372.info"

Installing APCUPSD on ClearOS 6.3

First we’re going to need to install net-snmp:

# yum install net-snmp

The latest version of apcupsd also requires libgd.so.2 which is brought in with the gd package:

# yum install gd

Now we’re going to pull the matching architecture and RHEL version of apcupsd from http://pkgs.repoforge.org/apcupsd/:

# rpm -iv http://pkgs.repoforge.org/apcupsd/apcupsd-3.14.10-1.el6.rf.x86_64.rpm
Retrieving http://pkgs.repoforge.org/apcupsd/apcupsd-3.14.10-1.el6.rf.x86_64.rpm
warning: /var/tmp/rpm-tmp.YEqjxf: Header V3 DSA/SHA1 Signature, key ID 6b8d79e6: NOKEY
Preparing packages for installation...
apcupsd-3.14.10-1.el6.rf

Please see my earlier article Configuring APCUPSD on Gentoo for APC SmartUPS Over Serial for configuration details.

To enable apcupsd on bootup:

# chkconfig --level 2345 apcupsd on

How to Tell What Version of a RedHat-Based Flavour you are Using

It’s important to know what version of RHEL/Fedora/CentOS/Scientific Linux/etc. you are dealing with when looking for version-compatible RPMs that are out-of-repo. I always end up forgetting how to do this, so for our mutual benefit:

$ cat /etc/redhat-release
CentOS release 5.6 (Final)
Return top
foxpa.ws
Online Marketing Toplist
Internet
Technology Blogs - Blog Rankings

Internet Blogs - BlogCatalog Blog Directory

Bad Karma Networks

Please Donate!


Made in Canada  •  There's a fox in the Gibson!  •  2010-12