Posts Tagged ‘attack’

Thwarting the isc.org DNS DDoS

Yesterday I posted an article regarding the importance of ACLs in BIND because a client’s DNS server was under extreme load and, at the time, I believed it was because a network of web form spammers was outsourcing their lookups to the target. Upon further investigation it turned out that this was not the case – the hosts were indeed a part of some sort of spamming ring/botnet but they were actually performing endless repeated ANY lookups on isc.org – the producers of BIND, among other things.

The whole attack makes little sense. If they wanted to use this server against isc.org they would be wasting reams of bandwidth that could have been aimed at the target directly, unless they knew both that recursive lookups were allowed and that caching was disabled. Even with no recursive ACL in place at the time, the only server suffering was my client’s, thanks to caching, and I can see no conceivable reason a spam network would single out this particular DNS server among the many in its address space, one source address at a time. Adding a recursive ACL reduced the bandwidth impact, but it did not stop the scans, and bandwidth is a pricey commodity after all.

I whipped out Wireshark and took a sample capture; these are the contents of a typical request packet:

0000  00 16 3e bb 00 02 00 16  3e cc 00 02 08 00 45 00   ..>..... >.....E.
0010  00 40 8b 0d 00 00 e9 11  d7 93 d1 0b f2 7b 00 00   .@...... .....{..
0020  00 00 63 01 00 35 00 2c  00 00 2a 39 01 00 00 01   ..c..5., ..*9....
0030  00 00 00 00 00 01 03 69  73 63 03 6f 72 67 00 00   .......i sc.org..
0040  ff 00 01 00 00 29 10 00  00 00 80 00 00 00         .....).. ......

Next it was just a matter of crafting a suitable Snort rule for the upstream gateway:

alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS isc.org DDoS"; content:"|03 69 73 63 03 6f 72 67 00|"; reference:foxpa.ws,369; classtype:attempted-dos; sid:4000002; rev:1; fwsam: src, 1 day;)
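The following Python is an added example, not code from the post: it rebuilds the frame from the hex dump above, decodes the Ethernet, IPv4, UDP and DNS layers, and compares what the Snort rule's content: literal actually tests against a stricter whole-name check. The helper names and the hexdump_to_bytes layout assumptions are my own; the bytes are the post's.

```python
import re
import struct

# The Wireshark hex dump from the post, retyped verbatim. Only the DNS payload
# matters to the detector; the lower layers are decoded so the sample can be
# fed in exactly as captured.
HEXDUMP = """\
0000  00 16 3e bb 00 02 00 16  3e cc 00 02 08 00 45 00   ..>..... >.....E.
0010  00 40 8b 0d 00 00 e9 11  d7 93 d1 0b f2 7b 00 00   .@...... .....{..
0020  00 00 63 01 00 35 00 2c  00 00 2a 39 01 00 00 01   ..c..5., ..*9....
0030  00 00 00 00 00 01 03 69  73 63 03 6f 72 67 00 00   .......i sc.org..
0040  ff 00 01 00 00 29 10 00  00 00 80 00 00 00         .....).. ......
"""

QTYPE_ANY = 255
# The literal from the Snort rule's content: option, i.e. "isc.org" in DNS
# wire format (length-prefixed labels terminated by a zero byte).
RULE_CONTENT = bytes.fromhex("03 69 73 63 03 6f 72 67 00")

# offset, then up to 16 hex byte pairs, then the ASCII gutter (ignored)
_DUMP_LINE = re.compile(r"^[0-9a-fA-F]{4}\s+((?:[0-9a-fA-F]{2}(?:\s+|$)){1,16})")


def hexdump_to_bytes(dump):
    """Turn Wireshark/tcpdump style hex dump lines back into raw bytes."""
    out = bytearray()
    for line in dump.splitlines():
        m = _DUMP_LINE.match(line)
        if m:
            out += bytes.fromhex(m.group(1))
    return bytes(out)


def parse_frame(frame):
    """Strip the Ethernet, IPv4 and UDP headers; return addressing plus the DNS payload."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ip_off = 14
    ihl = (frame[ip_off] & 0x0F) * 4
    if frame[ip_off + 9] != 17:
        raise ValueError("not UDP")
    src = ".".join(str(b) for b in frame[ip_off + 12:ip_off + 16])
    dst = ".".join(str(b) for b in frame[ip_off + 16:ip_off + 20])
    udp_off = ip_off + ihl
    sport, dport, ulen = struct.unpack("!HHH", frame[udp_off:udp_off + 6])
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "dns": frame[udp_off + 8:udp_off + ulen]}


def parse_dns_query(payload):
    """Decode the header, the first question and (if present) the EDNS0 OPT record."""
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    off, labels = 12, []
    while True:
        n = payload[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compressed name in question section")
        labels.append(payload[off:off + n].decode("ascii"))
        off += n
    qtype, qclass = struct.unpack("!HH", payload[off:off + 4])
    off += 4
    q = {"id": ident, "is_response": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
         "qname": ".".join(labels), "qtype": qtype, "qclass": qclass,
         "edns_udp_size": None, "dnssec_ok": False}
    # OPT pseudo-record: root name, type 41, CLASS carries the advertised UDP
    # payload size, TTL carries extended rcode/version/flags (top bit = DO).
    if ar and an == 0 and ns == 0 and len(payload) >= off + 11 and payload[off] == 0:
        rtype, udp_size, ttl, rdlen = struct.unpack("!xHHIH", payload[off:off + 11])
        if rtype == 41:
            q["edns_udp_size"] = udp_size
            q["dnssec_ok"] = bool(ttl & 0x8000)
    return q


def rule_content_matches(payload):
    """What the Snort rule tests: is wire-format 'isc.org' anywhere in the payload?"""
    return RULE_CONTENT in payload


def is_isc_any_query(q):
    """Stricter: a query (not a response) whose whole QNAME is isc.org and QTYPE is ANY."""
    return (not q["is_response"] and q["qname"].lower() == "isc.org"
            and q["qtype"] == QTYPE_ANY)


def build_query(name, qtype, ident=0x1234):
    """Construct a minimal DNS query payload for a name (used for the negative case)."""
    wire = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.split(".")) + b"\x00"
    return struct.pack("!6H", ident, 0x0100, 1, 0, 0, 0) + wire + struct.pack("!HH", qtype, 1)


if __name__ == "__main__":
    pkt = parse_frame(hexdump_to_bytes(HEXDUMP))
    q = parse_dns_query(pkt["dns"])
    print(pkt["src"], "->", pkt["dst"], "port", pkt["dport"], q)
    print("rule content match:", rule_content_matches(pkt["dns"]))
    print("isc.org ANY query:", is_isc_any_query(q))
```

The decode also exposes the EDNS0 OPT record: the client advertises a 4096-byte UDP payload and sets the DO bit, so each ANY query invites a large DNSSEC-signed answer. One caveat on the rule itself: its content literal is a substring of the wire form of any name ending in isc.org, so an outside client that merely looks up www.isc.org would trip it too and, with the fwsam option, be blocked for a day; the whole-name check in is_isc_any_query avoids that.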

Now I’m kicking back, watching the spammer network expose itself as its constituent hosts smack against the firewall like bugs against a windshield.

If only I had some beer.

See how this story progressed:

Making the Case for Access Controlled Recursive Lookups with BIND

To see how I actually solved this particular problem please see Thwarting the isc.org DDoS

It has long been held as best practice that one should use separate servers for authoritative (server) and recursive (client) domain name services. In some cases this is not practical; for example, I inherited one particular network at an ISP I do consulting for that has had its combined authoritative and recursive DNS servers on the same IP addresses for about a decade. Splitting up the roles of the servers would require either hundreds of clients with statically configured DNS to change their settings (imagine the load on tech support) or dozens of domain holders to update their registrar glue, assuming their registrar even provides it (another load on tech support).

On this network I had – contrary to the gospel I know only too well – allowed recursive lookups from any source on the Internet for several years. I knew it was ideologically incorrect but have found it immeasurably handy to have a set of memorized nameserver IPs that you know will just work any time, anywhere in the world when you are tech supporting or trying to resolve an issue. No one seemed to notice for the years before and after I took on this client, and I couldn’t see the harm if a few folks started using them. It didn’t – and still doesn’t – make sense to me that a spammer would outsource their DNS operations to a vastly remote location (see updates at bottom, they are spammers but they’re actually trying to DDoS), at the cost of not only speed and latency but expensive bandwidth at all.

But today they did.

At around 12:40 I was notified of the situation and began my investigation. Handy-dandy iftop told me it was coming from one IP and they were making DNS requests. Good news: the server wasn’t hacked, it was just being DoSed as a side effect of over-querying. In fact, named was performing exceptionally well under a ~5 Mbit/s load on a tiny virtual machine used to 150 kbit/s; it was only the upstream bandwidth throttling that was keeping the flow in check.

I ran a full port scan on the attacker and, much to my surprise, it didn’t respond to pings and all ports were filtered. I was growing suspicious that this wasn’t a typical zombie. I blocked the attacker at the gateway and for a moment the network settled down. Then out of nowhere another attacker from a completely different IP showed up; I gave them a full scan and they too were filtered and unresponsive to ICMP echo requests. The new attacker came from 173.1.52.117.reverse.gogrid.com but forward lookups didn’t work. I didn’t have to go to their website to realize this was a VPS provider; clearly I was dealing with someone who owned their own kit, an organized spammer. My suspicions confirmed, I knew I would have to give up my little “public” DNS service and implement an Access Control List for recursive lookups.

By the time the third and most aggressive (getting pissed off about the IPs I was blocking?) wave of queries rolled around I had collected a list of all the networks and public addresses which require recursive lookups. Whether or not your authoritative service is separated from your recursive one, unless your recursive server sits on a private network it is best practice to implement an ACL (and even then I would recommend it).

Open your named.conf and before the global options section, define an ACL as shown below. Notice that address ranges can be specified with CIDR notation:

acl "trusted" {
 localhost;
 192.168.0.0/16;
 172.16.0.0/16;
 10.0.0.0/8;
 192.168.0.1;
 222.222.222.222;
};

Now we can reference the trusted ACL with the allow-recursion directive in the global options section. You can define any number of ACLs with different names; we’re just going with trusted as an example. Make sure the ACL includes every network and IP address that should have permission to perform recursive lookups: your private subnets, public networks and any stray uplinks or remote locations. Hosts outside the ACL will have their lookups fail unless the name belongs to a domain for which your server is authoritative or already has cached.

options {
 version "fuck off, buddy";
 recursion yes;
 allow-recursion { trusted; };
};

Run rndc reload or restart BIND for the changes to take effect.

As you can tell from the bumps in my graph after the giant spike this guy (or these guys) is taking his time trying to figure out what I did, but the good news is he’s using less bandwidth and a whole whack of spam ain’t goin nowhere. Eventually they will realize that this server isn’t doing them any good and they’ll move on to greener pastures.

Finally, I got one of the attackers post-ACL to submit to a scan:

bzp ~ # nmap -P0 87.237.229.150

Starting Nmap 5.00 ( http://nmap.org ) at 2010-07-20 18:15 EDT
Interesting ports on 87.237.229.150:
Not shown: 990 closed ports
PORT     STATE    SERVICE
21/tcp   open     ftp
22/tcp   open     ssh
23/tcp   open     telnet
25/tcp   filtered smtp
80/tcp   open     http
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
646/tcp  filtered ldp
2000/tcp open     callbook
8291/tcp open     unknown

Nmap done: 1 IP address (1 host up) scanned in 390.66 seconds

Well, that looks like any number of shared hosting servers; I wonder what’s on port 80:

Sweet, some sort of crazy European embedded Linux routing solution. And their web config is wide open to cracking.

MikroTik RouterOS is the operating system of MikroTik RouterBOARD hardware.

It can also be installed on a PC and will turn it into a router with all the necessary features – routing, firewall, bandwidth management, wireless access point, backhaul link, hotspot gateway, VPN server and more.

RouterOS is a stand-alone operating system based on the Linux v2.6 kernel, and our goal here at MikroTik is to provide all these features with a quick and simple installation and an easy to use interface.

You can try RouterOS today, go to www.mikrotik.com and download the installation CD image. The free trial provides all of the features with no limitations.

If I had to guess I’d say this guy went the server route, or maybe he virtualizes his gateways like me. This distro has some neat stuff but it doesn’t have the balls and teeth of server-targeted ClearOS – and did they say free trial? I’ll have Nunuvut. This kind of explains why my port scans are being cut off though, a sufficiently advanced firewall like this probably has some sort of Intrusion Prevention mechanism and since I caught them with their web config (and telnet config for that matter) exposed and flapping in the breeze I’d say this is one of the installations my friend the spammer has not completed configuring, hence this one successful scan.

For the interest of Googlers trying to figure out why so and so is blasting the shit out of their name server(s) one IP at a time, here’s a list of IPs and PTRs (where available) I’ve caught so far:

82.225.94.140   sju13-2-82-225-94-140.fbx.proxad.net
173.1.52.117    173.1.52.117.reverse.gogrid.com
74.208.164.54   something from schlund.de
87.237.229.150  RIPE says the block belongs somewhere in Dubai
194.8.74.227    hosted by dragonara.net, listed as comment spammer by project honeypot
75.125.150.106  hosted by ev1servers.net
173.1.52.117   173.1.52.117.reverse.gogrid.com
98.126.124.203 MOLECHART.com
88.191.89.71
74.208.149.208  hosted by schlund.de
78.129.202.96
78.129.202.142
74.208.166.146  hosted by schlund.de
74.198.4.87     Rogers (Wave ???)
174.36.42.115   Italian-show-passion-quality-hostserver.com (lol)
98.126.54.227   98.126.54.227.STATIC.CUSTOMER.KRYPT.COM
74.198.0.53     Rogers (Wave ???)
88.191.109.130
85.25.150.72
173.192.224.100 173.192.224.100-static.reverse.softlayer.com
209.11.242.123  server12.elnastalk.com

Update: I found 87.237.229.150 spamming on a strange Iraqi forum that reveals posters’ IP addresses to the general public. Strange indeed, but now I know I’m dealing with web form spammers, not e-mail spammers. Here’s a sample of the spam found at http://www.iraqal7ob.com/vb/t710.html

The image at the top was hotlinked from a free hosting service, the exact URL was http://hosting.bearzddl.com/uploads/9b0b60d466.jpg. Bearzddl is itself a shady file site and at the time of writing http://hosting.bearzddl.com/uploads/ provides a directory listing of all sorts of spammy looking images that have been uploaded through their free file hosting feature:

Update: This morning we were attacked once again; I took the following sample capture:

 11.695249 194.8.74.227 -> xxx.xxx.xxx.xxx DNS Standard query ANY isc.org
 11.695449 xxx.xxx.xxx.xxx -> 194.8.74.227 DNS Standard query response RRSIG RRSIG DS DS NS ams.sns-pb.isc.org NS ns.isc.afilias-nst.info NS ord.sns-pb.isc.org NS sfba.sns-pb.isc.org
 11.705516 194.8.74.227 -> xxx.xxx.xxx.xxx DNS Standard query ANY isc.org
 11.705891 xxx.xxx.xxx.xxx -> 194.8.74.227 DNS Standard query response RRSIG RRSIG DS DS NS ns.isc.afilias-nst.info NS ams.sns-pb.isc.org NS sfba.sns-pb.isc.org NS ord.sns-pb.isc.org
 11.723779 194.8.74.227 -> xxx.xxx.xxx.xxx DNS Standard query ANY isc.org
 11.723787 194.8.74.227 -> xxx.xxx.xxx.xxx DNS Standard query ANY isc.org
 11.723983 194.8.74.227 -> xxx.xxx.xxx.xxx DNS Standard query ANY isc.org
 11.723989 194.8.74.227 -> xxx.xxx.xxx.xxx DNS Standard query ANY isc.org
 11.724154 xxx.xxx.xxx.xxx -> 194.8.74.227 DNS Standard query response RRSIG RRSIG DS DS NS sfba.sns-pb.isc.org NS ams.sns-pb.isc.org NS ns.isc.afilias-nst.info NS ord.sns-pb.isc.org
 11.724333 xxx.xxx.xxx.xxx -> 194.8.74.227 DNS Standard query response RRSIG RRSIG DS DS NS ord.sns-pb.isc.org NS sfba.sns-pb.isc.org NS ns.isc.afilias-nst.info NS ams.sns-pb.isc.org
 11.724495 xxx.xxx.xxx.xxx -> 194.8.74.227 DNS Standard query response RRSIG RRSIG DS DS NS ams.sns-pb.isc.org NS ns.isc.afilias-nst.info NS sfba.sns-pb.isc.org NS ord.sns-pb.isc.org
 11.724648 xxx.xxx.xxx.xxx -> 194.8.74.227 DNS Standard query response RRSIG RRSIG DS DS NS ams.sns-pb.isc.org NS ord.sns-pb.isc.org NS sfba.sns-pb.isc.org NS ns.isc.afilias-nst.info
 11.725244 194.8.74.227 -> xxx.xxx.xxx.xxx DNS Standard query ANY isc.org
 11.725256 194.8.74.227 -> xxx.xxx.xxx.xxx DNS Standard query ANY isc.org
 11.725488 xxx.xxx.xxx.xxx -> 194.8.74.227 DNS Standard query response RRSIG RRSIG DS DS NS sfba.sns-pb.isc.org NS ord.sns-pb.isc.org NS ns.isc.afilias-nst.info NS ams.sns-pb.isc.org
 11.725645 xxx.xxx.xxx.xxx -> 194.8.74.227 DNS Standard query response RRSIG RRSIG DS DS NS ns.isc.afilias-nst.info NS ord.sns-pb.isc.org NS ams.sns-pb.isc.org NS sfba.sns-pb.isc.org
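As an added example (not from the post), this Python parses the capture lines above and applies two checks a defender would want before reaching for a firewall rule: how many ANY queries a single source sends within a short window, and how much signed data each answer carries back out. The line format assumptions, thresholds and function names are mine; the lines are the post's, with the server's address left masked as it was.

```python
import re
from collections import Counter, defaultdict

# The capture lines from the post, retyped; the server's own address was masked
# as xxx.xxx.xxx.xxx in the original and stays masked here.
CAPTURE = """\
 11.695249 194.8.74.227 -> xxx.xxx.xxx.xxx DNS Standard query ANY isc.org
 11.695449 xxx.xxx.xxx.xxx -> 194.8.74.227 DNS Standard query response RRSIG RRSIG DS DS NS ams.sns-pb.isc.org NS ns.isc.afilias-nst.info NS ord.sns-pb.isc.org NS sfba.sns-pb.isc.org
 11.705516 194.8.74.227 -> xxx.xxx.xxx.xxx DNS Standard query ANY isc.org
 11.705891 xxx.xxx.xxx.xxx -> 194.8.74.227 DNS Standard query response RRSIG RRSIG DS DS NS ns.isc.afilias-nst.info NS ams.sns-pb.isc.org NS sfba.sns-pb.isc.org NS ord.sns-pb.isc.org
 11.723779 194.8.74.227 -> xxx.xxx.xxx.xxx DNS Standard query ANY isc.org
 11.723787 194.8.74.227 -> xxx.xxx.xxx.xxx DNS Standard query ANY isc.org
 11.723983 194.8.74.227 -> xxx.xxx.xxx.xxx DNS Standard query ANY isc.org
 11.723989 194.8.74.227 -> xxx.xxx.xxx.xxx DNS Standard query ANY isc.org
 11.724154 xxx.xxx.xxx.xxx -> 194.8.74.227 DNS Standard query response RRSIG RRSIG DS DS NS sfba.sns-pb.isc.org NS ams.sns-pb.isc.org NS ns.isc.afilias-nst.info NS ord.sns-pb.isc.org
 11.724333 xxx.xxx.xxx.xxx -> 194.8.74.227 DNS Standard query response RRSIG RRSIG DS DS NS ord.sns-pb.isc.org NS sfba.sns-pb.isc.org NS ns.isc.afilias-nst.info NS ams.sns-pb.isc.org
 11.724495 xxx.xxx.xxx.xxx -> 194.8.74.227 DNS Standard query response RRSIG RRSIG DS DS NS ams.sns-pb.isc.org NS ns.isc.afilias-nst.info NS sfba.sns-pb.isc.org NS ord.sns-pb.isc.org
 11.724648 xxx.xxx.xxx.xxx -> 194.8.74.227 DNS Standard query response RRSIG RRSIG DS DS NS ams.sns-pb.isc.org NS ord.sns-pb.isc.org NS sfba.sns-pb.isc.org NS ns.isc.afilias-nst.info
 11.725244 194.8.74.227 -> xxx.xxx.xxx.xxx DNS Standard query ANY isc.org
 11.725256 194.8.74.227 -> xxx.xxx.xxx.xxx DNS Standard query ANY isc.org
 11.725488 xxx.xxx.xxx.xxx -> 194.8.74.227 DNS Standard query response RRSIG RRSIG DS DS NS sfba.sns-pb.isc.org NS ord.sns-pb.isc.org NS ns.isc.afilias-nst.info NS ams.sns-pb.isc.org
 11.725645 xxx.xxx.xxx.xxx -> 194.8.74.227 DNS Standard query response RRSIG RRSIG DS DS NS ns.isc.afilias-nst.info NS ord.sns-pb.isc.org NS ams.sns-pb.isc.org NS sfba.sns-pb.isc.org
"""

# timestamp, source, "->", destination, then tshark's one-line DNS summary
LINE_RE = re.compile(
    r"^\s*(?P<ts>\d+\.\d+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+DNS\s+Standard query"
    r"(?P<resp> response)?\s*(?P<rest>.*)$"
)


def parse_line(line):
    """Parse one summary line into a dict, or return None if it is not a DNS line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": float(m["ts"]), "src": m["src"], "dst": m["dst"],
           "response": m["resp"] is not None}
    if rec["response"]:
        # the summary lists records as "TYPE name" pairs; keep just the types
        rec["rrtypes"] = [tok for tok in m["rest"].split() if tok.isupper()]
    else:
        rec["qtype"], _, rec["qname"] = m["rest"].partition(" ")
    return rec


def parse_capture(text):
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def peak_any_rate(records, window=1.0):
    """Peak number of ANY queries each source sent within any `window` seconds."""
    times = defaultdict(list)
    for r in records:
        if not r["response"] and r["qtype"] == "ANY":
            times[r["src"]].append(r["ts"])
    peaks = {}
    for src, ts in times.items():
        ts.sort()
        lo = peak = 0
        for hi, t in enumerate(ts):          # sliding window over sorted timestamps
            while t - ts[lo] > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        peaks[src] = peak
    return peaks


def flag_any_floods(records, window=1.0, threshold=5):
    """Sources whose ANY burst reaches `threshold` queries inside `window` seconds."""
    return {src: n for src, n in peak_any_rate(records, window).items() if n >= threshold}


def response_rrtype_counts(records):
    """Record types sent back out; the RRSIG/DS bulk is what makes ANY worth asking."""
    counts = Counter()
    for r in records:
        if r["response"]:
            counts.update(r["rrtypes"])
    return counts


if __name__ == "__main__":
    recs = parse_capture(CAPTURE)
    print("peak ANY queries per source in 1 s:", peak_any_rate(recs))
    print("flagged (6+ within 10 ms):", flag_any_floods(recs, window=0.01, threshold=6))
    print("record types returned:", response_rrtype_counts(recs))
```

On this sample the single source lands eight ANY queries inside 30 ms and gets eight signed referrals back, each carrying two RRSIGs, two DS and four NS records, even after recursion was denied. The window and threshold are the knobs to tune: a real resolver behind NAT can legitimately send a burst of different queries, but repeated ANY for the same name from one address is rarely anything but this.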

See how this story progressed:

http://foxpa.ws/2010/07/21/thwarting-the-isc-org-dns-ddos/

Mass Virtual Hosting Part Two: Easy SFTP Chroot Jail

Plain FTP suffers from a number of problems, foremost among them transmission in cleartext. Unless SSL is used (I have come across very few occurrences of its use in the wild), usernames and passwords, as well as the files being transmitted, are sent over the wire unencrypted. This means anyone with a well-placed sniffer or man-in-the-middle setup between the client and server can intercept or mutilate the data without much skill or resource cost. FTP also suffers from NAT issues, in that some users must forward ports or use passive transfer mode: words most of the users of your hosting service have probably never heard, don’t want to hear and have no idea how to implement.

Enter SFTP: file transfer over Secure Shell. Not to be confused with FTPS, or “FTP Secure” (FTP with SSL), SFTP shares nothing in common with FTP other than its purpose: moving files around the network. SFTP uses a single, wholly encrypted tunnel from the client to the server to send and receive files. This avoids the problems associated with NAT and FTP’s dual-connection implementation, provides a relatively secure means of authentication and prevents third-party manipulation of the data in transit. SSH also warns users when a server’s RSA keys change so diligent users can identify and avoid potential man-in-the-middle attacks. SFTP is not, however, a perfect solution. OpenSSH, the implementation which we will be dealing with in this article, can be found on most Linux and BSD servers. Due to its ubiquity it is a prime target for 0-day exploits on one hand, and well hardened against known exploits on the other (you do keep your software patched and up-to-date, right?).

SSH, like any service that uses a username and password authentication scheme (including FTP), is vulnerable to brute-force or dictionary cracking attacks. This problem can be virtually eliminated by disabling password authentication altogether and using keys only (please see my article Passwordless or Single Password SSH with Key Exchange for instructions on implementing this configuration); however, this is probably not an appropriate solution for your public hosting project, as the process is difficult for regular users to implement, particularly if they are using a Windows client such as FileZilla. One solution which I highly recommend is fail2ban: it will read your sshd logs and temporarily block an IP address associated with a specified number of failed attempts over a given period of time. I have provided simple instructions for implementing fail2ban for SSH in my article Stifling Brute Force Attacks with fail2ban. Because we are dealing with a situation where users are prone to forget their password you may wish to use fairly loose criteria in configuring fail2ban: enough failures should be tolerated that a forgetful user won’t be quickly blocked, but an automated attack should still be picked up. You might also wish to block access to the SSH port rather than all ports, as affected users might understand SFTP disappearing after several failed attempts but could think the server is down if they are unable to access their website (assuming it is hosted from the same server).

The “chroot jail” concept is as old as the hills and has provided a way for us to separate vulnerable services from the filesystem at large by fooling them into thinking a certain directory is the absolute root (/) of the filesystem. In this article we’re going to apply this concept to regular users using OpenSSH’s built-in functionality, available since version 4.9. Before then it was a royal pain to implement, whereas most popular FTP daemons had supported the feature out of the box for years; now SFTP can finally be considered a complete and suitable replacement.

One probably does not wish to restrict SSH access for ALL user accounts, since one probably needs remote administrative access to the machine. Therefore one shall create a group to which users who must be chroot jailed will be added. For the purposes of this article we shall call the group hosted but you may call it anything:

# groupadd hosted

Next, add users to the group. If you want to make sure these users do not get regular shell access (the ability to log in and run commands etc.) be sure to specify a dummy shell, such as /bin/false or /sbin/nologin (Gentoo). When modifying an existing user pass -a along with -G so that their current supplementary groups are kept rather than replaced:

# useradd -G hosted -s /bin/false demo-user
or
# usermod -aG hosted -s /bin/false demo-user

Don’t forget to give your test account a password if it is a new account.

# passwd demo-user

Now open your sshd config file (most users: /etc/ssh/sshd_config) and go to the very bottom. If there is a Subsystem sftp line already delete it. Add the following:

Subsystem       sftp    internal-sftp
Match Group hosted
        ChrootDirectory %h
        ForceCommand internal-sftp
        AllowTcpForwarding no

The Match Group directive tells sshd to apply the following settings to any user in the group hosted. Now you must change the owner (and optionally group) of the user’s home directory to root. sshd also insists that the chroot directory, and every directory above it, is not writable by group or others; otherwise the login is refused and the log shows a “bad ownership or modes for chroot directory” error:

# chown root: /home/demo-user

Due to these permissions the user will not be able to create new files at the top level of their directory tree, which to you looks like /home/demo-user and to them /. That’s fine because we’re going to give them a directory for the site they want to host with appropriate ownership, then they can do whatever they want in that. I typically set users up thus:

# mkdir ~demo-user/demo-site.com
# mkdir ~demo-user/demo-site.com/htdocs
# mkdir ~demo-user/demo-site.com/log
# mkdir ~demo-user/demo-site.com/cgi-bin
# chown demo-user: ~demo-user/demo-site.com/ -R

Restart your sshd (/etc/init.d/ssh(d) restart) and try logging in as your jailed user via SFTP. If it works, congratulations. If you chose to restrict regular SSH access you may need to add /bin/false (or /sbin/nologin etc.) to the list of valid shells in /etc/shells or the user may not be able to log in at all. Try logging in via SSH to ensure shell access has been blocked.
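The failure most people hit with this recipe is sshd refusing the jail because the home directory (or one of its parents) is not root-owned or is group/world-writable. The following Python is an added example, not part of the post: it walks from a ChrootDirectory up towards / and reports each directory that would make sshd refuse the login, then checks that the site directory inside the jail belongs to the user so they can actually upload. The function names and the throwaway demo layout are my own; the ownership rules are sshd's.

```python
import os
import stat
import tempfile


def chroot_dir_problems(path, stop_at=None):
    """Return the reasons sshd would refuse `path` as a ChrootDirectory.

    sshd requires the chroot directory and every directory above it to be
    owned by root and not writable by group or others. Directories are
    checked from `path` upwards; with stop_at=None the walk ends at "/",
    otherwise it stops before `stop_at` (handy for a demo under /tmp,
    which is world-writable by design).
    """
    problems = []
    p = os.path.realpath(path)
    stop = os.path.realpath(stop_at) if stop_at else None
    while True:
        try:
            st = os.stat(p)
        except FileNotFoundError:
            problems.append(f"{p}: does not exist")
            break
        if not stat.S_ISDIR(st.st_mode):
            problems.append(f"{p}: not a directory")
        if st.st_uid != 0:
            problems.append(f"{p}: not owned by root (uid {st.st_uid})")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{p}: writable by group or others "
                            f"(mode {stat.S_IMODE(st.st_mode):04o})")
        parent = os.path.dirname(p)
        if parent == p or parent == stop:
            break
        p = parent
    return problems


def site_dir_problems(home, site, uid):
    """The site directory inside the jail must belong to the user or they cannot upload."""
    d = os.path.join(home, site)
    try:
        st = os.stat(d)
    except FileNotFoundError:
        return [f"{d}: does not exist"]
    return [] if st.st_uid == uid else [f"{d}: owned by uid {st.st_uid}, expected {uid}"]


def current_uid():
    return os.getuid()


def make_demo_layout():
    """Constructed scratch layout: one sensibly-moded home, one world-writable home.
    Real homes live under /home; this exists only so the checks can be exercised."""
    base = tempfile.mkdtemp(prefix="sftp-jail-demo-")
    good = os.path.join(base, "demo-user")
    os.mkdir(good)
    os.chmod(good, 0o755)
    os.mkdir(os.path.join(good, "demo-site.com"))
    bad = os.path.join(base, "sloppy-user")
    os.mkdir(bad)
    os.chmod(bad, 0o777)
    return base, good, bad


if __name__ == "__main__":
    home = "/home/demo-user"
    if os.path.isdir(home):
        print(home, chroot_dir_problems(home) or ["ok"])
    else:
        base, good, bad = make_demo_layout()
        for h in (good, bad):
            print(h, chroot_dir_problems(h, stop_at=base) or ["ok"])
```

Run it as root against the real home (chroot_dir_problems("/home/demo-user") with no stop_at) after the chown above; an empty list means sshd will accept the jail, and anything it prints is exactly what the "bad ownership or modes" log line is complaining about.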


Made in Canada  •  There's a fox in the Gibson!  •  2010-12