Posts Tagged ‘script’

More Fun with DNS Amplification Attacks: pkts.asia and babywow.co.uk

I recently intercepted some DNS amplification attacks using the domains pkts.asia and babywow.co.uk involving a server which has recursion disabled but is, for some reason, returning the list of root name servers. I suppose that will be the topic of my next article :p

Big thanks to this really sweet site http://dnsamplificationattacks.blogspot.ca/ for providing a list of iptables rules which cover these attacks at https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt.

You can find more information on these two specific domains at:
http://dnsamplificationattacks.blogspot.ca/2013/10/domain-pktsasia.html
http://dnsamplificationattacks.blogspot.ca/2013/10/domain-babywowcouk.html

I found that I had to drop the –start and –stop flags to get these rules to work. I’m not sure if I’m not taking into account an offset or perhaps I’m seeing a different strain of the attack but the start and stop positions appear to be different when we crack open the packets:

pkts.asia
00163ebb000300163ecd000208004500
00476dd90000f8114fa44c670d3c0000
0000fd5900350033000095b201000001
00000000000104706b74730461736961
0000ff00010000292328000000000000
0000000000

The string we are blocking for appears to be between 36 and 40 rather than 40 and 51.

babywow.co.uk
00163ebb000300163ecd000208004500
004b9e0c0000f8110d4dd0729b500000
0000a216003500370000c1ff01000001
0000000000010762616279776f770263
6f02756b0000ff000100002923280000
000000000000000000

The string we are blocking for appears to be between 36 and 44 rather than 40 to 55.

You should note that not using –start and –stop will make netfilter inspect the whole packet which will have a (probably negligible) performance hit.

ClearOS seems to have trouble with the comment formatting so I’ve made a couple of minor edits to the list which will drop these rules into FORWARD on your router:

#!/bin/bash
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|1b323031336e69616e636875616e7169736966756661627577616e67076164736634327703636f6d|' -j DROP # -m comment "DROP DNS Q 2013nianchuanqisifufabuwang.adsf42w.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|03697363036f72670000ff00|' -j DROP # -m comment "DROP DNS Q ANY isc.org"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|077375636b64646702636300|' -j DROP # -m comment "DROP DNS Q suckddq.cc"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|076e61706966756e03636f6d|' -j DROP # -m comment "DROP DNS Q napifun.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0768616b34756d7a036e6574|' -j DROP # -m comment "DROP DNS Q hak4umz.net"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|06616e6f6e736303636f6d00|' -j DROP # -m comment "DROP DNS Q anonsc.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0331783102637a0000ff0001|' -j DROP # -m comment "DROP DNS Q ANY 1x1.cz"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|056266686d6d03636f6d000010000100|' -j DROP # -m comment "DROP DNS Q TXT bfhmm.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|03697363036f72670000ff00|' -j DROP # -m comment "DROP DNS Q ANY isc.org dns.id"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|076564656c696f6e02737500|' -j DROP # -m comment "DROP DNS Q edelion.su"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0432736f65027275|' -j DROP # -m comment "DROP DNS Q 2soe.ru"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0472697065036e657400|' -j DROP # -m comment "DROP DNS Q ripe.net"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0968697a62756c6c6168026d6500|' -j DROP # -m comment "DROP DNS Q hizbullah.me"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|11657667656e69792d6d61726368656e6b6f02636300|' -j DROP # -m comment "DROP DNS Q evgeniy-marchenko.cc"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|057372766974036f726700|' -j DROP # -m comment "DROP DNS Q srvit.org"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0B7061636b6574646576696c03636f6d00|' -j DROP # -m comment "DROP DNS Q packetdevil.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|046a756e6b087468657977616e7402696e00|' -j DROP # -m comment "DROP DNS Q junk.theywant.in"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0374787408707773657276657203636f6d02756100|' -j DROP # -m comment "DROP DNS Q txt.pwserver.com.ua"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0469657466036f726700|' -j DROP # -m comment "DROP DNS Q ietf.org"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0371686102636300|' -j DROP # -m comment "DROP DNS Q qha.cc"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|066c61326c6f7702636300|' -j DROP # -m comment "DROP DNS Q la2low.cc"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|057a7a67737403636f6d00|' -j DROP # -m comment "DROP DNS Q zzgst.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|01610B7061636b6574646576696c03636f6d00|' -j DROP # -m comment "DROP DNS Q a.packetdevil.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0778706c6f64696e03636f6d00|' -j DROP # -m comment "DROP DNS Q xplodin.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0261610661736433736303636f6d00|' -j DROP # -m comment "DROP DNS Q aa.asd3sc.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0962697473747265737303636f6d00|' -j DROP # -m comment "DROP DNS Q bitstress.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|026161066d6d7461633103636f6d00|' -j DROP # -m comment "DROP DNS Q aa.mmtac1.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0C6b696464793332333336353502727500|' -j DROP # -m comment "DROP DNS Q kiddy3233655.ru"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|05643639393103636f6d00|' -j DROP # -m comment "DROP DNS Q d6991.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0661613332343703636f6d00|' -j DROP # -m comment "DROP DNS Q aa3247.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|08666b666b666b666103636f6d00|' -j DROP # -m comment "DROP DNS Q fkfkfkfa.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0A677261707079626c6f6703636f6d00|' -j DROP # -m comment "DROP DNS Q grappyblog.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|05636d69756903636f6d00|' -j DROP # -m comment "DROP DNS Q cmiui.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|05346677686b03636f6d00|' -j DROP # -m comment "DROP DNS Q 4fwhk.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0673616e64696103676f7600|' -j DROP # -m comment "DROP DNS Q sandia.gov"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0A7a61696b617061696b6103636f6d00|' -j DROP # -m comment "DROP DNS Q zaikapaika.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|08766572697369676e03636f6d00|' -j DROP # -m comment "DROP DNS Q verisign.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0473656d6102637a00|' -j DROP # -m comment "DROP DNS Q sema.cz"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|04706b7473046173696100|' -j DROP # -m comment "DROP DNS Q pkts.asia"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0A69726c77696e6e696e6703636f6d00|' -j DROP # -m comment "DROP DNS Q irlwinning.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|053337397a6303636f6d00|' -j DROP # -m comment "DROP DNS Q 379zc.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|05333630383804696e666f00|' -j DROP # -m comment "DROP DNS Q 36088.info"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|067478743430390874656b6a65746f6e03636f6d00|' -j DROP # -m comment "DROP DNS Q txt409.tekjeton.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0D73757065726d65676174727565056d6364697202727500|' -j DROP # -m comment "DROP DNS Q supermegatrue.mcdir.ru"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|05333032353904696e666f00|' -j DROP # -m comment "DROP DNS Q 30259.info"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0762616279776f7702636f02756b00|' -j DROP # -m comment "DROP DNS Q babywow.co.uk"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|05333633373204696e666f00|' -j DROP # -m comment "DROP DNS Q 36372.info"

Quick and Dirty (and Free!) Host Monitoring for DNS Failover and Round-Robin

Round-Robin DNS gets trash-talked a lot because although it is a cheap and easy way to distribute loads it is counter-redundant: the more A records (servers) there are behind a domain the more points of failure there are and the lower your mean time to failure is going to be. The good news is that if one in five web servers/reverse proxies are down then only about one fifth of your audience is unable to connect at any given time.

The answer to this problem is host monitoring. If we can update our DNS records to remove the IPs of downed servers then add them back when the hosts recover no direct intervention on our part is required. Unfortunately, DNS is a heavily cached system so we will have to work with reasonably short timeouts. DNS Made Easy recommends a TTL of no less than 180 seconds as some ISPs are configured to ignore the TTLs of records which they deem are too short and default to a much higher value. The drawback to short TTLs is that you will end up receiving more DNS queries, which is a problem if you use a commercial billed-by-million-queries DNS provider like Amazon’s Route 53 or EasyDNS’s enterprise service.

If your objective is to have web server failover that happens instantly this is simply not the solution for you – you need a load balancer and/or anycast address space. Amazon’s Route53 and DNS Made Easy can be configured to check as often as every minute and it doesn’t make a lot of sense to run a ping/tcp test more often than that. At worst this means that the failover system doesn’t even know there is a problem for up to 60 seconds. Once the failover system updates the records there may be a short delay while the slave name servers synchronize. Then we have to wait for the record to expire at any-given-user’s ISP’s recursive name servers, which could take up to the TTL of your record or longer if their ISP is manipulative. Then you may have to wait for the record to expire in the caching DNS daemon on their home or office router. Then you may have to wait for the record to expire in their OS or browser’s DNS cache. This could take up to 15 minutes even if you use a very low TTL like 180.

So the question is: you already have DNS infrastructure. Why pay these large DNS outfits for host monitoring and DNS failover when it’s not really that great anyway and you can do it just as well as they can?

Just because BIND doesn’t have built-in support? Pshaw!

You could just as easily do the host monitoring with nagios/icinga or use the mysql-bind backend or even some other database-backed name daemon but in this article I’ll show you how to drop in a simple shell script that will work with your existing BIND installation because it demonstrates how mind-numbingly simple this is and why it shouldn’t be charged for as a premium service.

Observe a typical zone file with round-robin:

$TTL 6400       ; max TTL
@       IN      SOA     ns1.somedomain.com. admin.somedomain.com. (
                                201305140       ; Serial
                                28800           ; Refresh
                                7200            ; Retry
                                60480           ; Expire
                                600 )           ; TTL Minimum
@               IN      A       10.0.0.10
@               IN      A       10.0.0.11
@               IN      A       10.0.0.12
@               IN      A       10.0.0.13
@               IN      A       10.0.0.14
*               IN      A       10.0.0.10
*               IN      A       10.0.0.11
*               IN      A       10.0.0.12
*               IN      A       10.0.0.13
*               IN      A       10.0.0.14
ns1             IN      A       10.0.1.10
ns2             IN      A       10.0.1.11
@               IN      NS      ns1.somedomain.com.
@               IN      NS      ns2.somedomain.com.
www             IN      CNAME   somedomain.com.

Our SOA contains the serial which will have to be updated by the script if our changes are to propagate properly. In the zone file on the master server(s) replace the SOA and block of round-robin A records with $INCLUDE statements like this:

$INCLUDE "/var/bind/soa.include"
$INCLUDE "/var/bind/ips.include"
ns1             IN      A       10.0.1.10
ns2             IN      A       10.0.1.11
@               IN      NS      ns1.somedomain.com.
@               IN      NS      ns2.somedomain.com.
www             IN      CNAME   somedomain.com.

Do this for every zone file which is to use this pool of A records. Now we have a centralized place to put the IPs and serial number that come from the shell script.

Create the script on the master name server and chmod +x it, don’t forget to update the paths to reflect your DNS situation. Also note that I’m adding a wildcard subdomain to the pool:

#!/bin/bash
HOSTS="10.0.0.10 10.0.0.11 10.0.0.12 10.0.0.13 10.0.0.14"
COUNT=4
echo "; Generated by monitor.sh $(date)" > /chroot/dns/var/bind/ips.include
for myHost in $HOSTS
do
  count=$(ping -c $COUNT $myHost | grep 'received' | awk -F',' '{ print $2 }' | awk '{ print $1 }')
  if [ $count -eq 0 ]; then
    # 100% failed 
    echo "$(date) $myHost is down" >> /var/log/monitor.log
  else
    echo "@               IN      A       $myHost" >> /chroot/dns/var/bind/ips.include
    echo "*               IN      A       $myHost" >> /chroot/dns/var/bind/ips.include
  fi

done

echo "; Generated by monitor.sh $(date)
\$TTL 300       ; max TTL
@       IN      SOA     ns1.somedomain.com. admin.somedomain.com. (
                                $(date +%s)      ; Serial
                                300             ; Refresh
                                60              ; Retry
                                86400           ; Expire
                                300 )           ; TTL Minimum" > /chroot/dns/var/bind/soa.include

rndc reload

This script will ping each host in the HOSTS array four times. If at least one ping is received the host is written to a new version of ips.include (note the single angle bracket when inserting the date). If all four pings fail a message will be recorded in /var/log/monitor.log. You may want to adjust the number of pings and failure tolerance, or replace the logging line with an e-mail notification instead. Once the ping tests are done a new soa.include is written with an epoch serial number and the zones are reloaded.

At the end of execution you should see something like this in ips.include:

; Generated by monitor.sh Tue May 14 16:15:26 EDT 2013
@               IN      A       10.0.0.10
*               IN      A       10.0.0.10
@               IN      A       10.0.0.11
*               IN      A       10.0.0.11
@               IN      A       10.0.0.12
*               IN      A       10.0.0.12
@               IN      A       10.0.0.13
*               IN      A       10.0.0.13
@               IN      A       10.0.0.14
*               IN      A       10.0.0.14

And in soa.include:

; Generated by monitor.sh Tue May 14 16:15:26 EDT 2013
$TTL 300       ; max TTL
@       IN      SOA     ns1.somedomain.com. admin.somedomain.com. (
                                1368562526      ; Serial
                                300             ; Refresh
                                60              ; Retry
                                86400           ; Expire
                                300 )           ; TTL Minimum

Note that you may need to chown named: the .include files after they are created the first time, depending on your environment.

I switched from using the widely popular YYYYMMDDID format to epoch since the 5 minute interval requires hours, minutes and seconds to be effective and YYYMMDDHHMMSS is too large a value for BIND. This resulted in a lower serial value – you may have to go around to your slaves and manually delete then reload their zone files.

This approach ends up generating a lot of NOTIFY traffic since every 5 minutes (or whatever interval you cron the shell script at) a new serial is loaded and all of your slaves have to be contacted. A more graceful improvement would be to save the state that each host is in inside of a temporary file and only update the serial when there has actually been a change in the status of your pool.

Another neat thing I thought of trying was using something like heartbeat for real-time monitoring and dnsupdate to dynamically update the zone files. This should narrow the propagation latency on your side of the equation down to the barest minimum possible.

Zimbra Firewall Configuration for RHEL/CentOS and Others

The firewall on a RHEL system is configured by default with system-config-firewall, which on the console is an annoying ncurses menu which doesn’t permit adding custom ports/protocols.

The ports you probably want open for Zimbra are:

25
    smtp [mta] - incoming mail to postfix 
80
    http [mailbox] - web mail client 
110
    pop3 [mailbox] 
143
    imap [mailbox] 
443
    https [mailbox] - web mail client over ssl 
465
    smtps [mta] - incoming mail to postfix over ssl (Outlook only) 
587
    smtp [mta] - Mail submission over tls 
993
    imaps [mailbox] - imap over ssl 
995
    pops [mailbox] - pop over ssl 
7071
    https [mailbox] - admin console

The raw iptables configuration is stored in /etc/sysconfig/iptables:

# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 456 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 587 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 993 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 995 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 7071 -j ACCEPT 
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Ensure the iptables init script is part of your default runlevel.

# chkconfig --level 345 iptables on

Restart it to apply the changes.

/etc/init.d/iptables restart
Return top
foxpa.ws
Online Marketing Toplist
Internet
Technology Blogs - Blog Rankings

Internet Blogs - BlogCatalog Blog Directory

Bad Karma Networks

Please Donate!


Made in Canada  •  There's a fox in the Gibson!  •  2010-12