=^.^=

More Fun with DNS Amplification Attacks: pkts.asia and babywow.co.uk

I recently intercepted some DNS amplification attacks using the domains pkts.asia and babywow.co.uk involving a server which has recursion disabled but is, for some reason, returning the list of root name servers. I suppose that will be the topic of my next article :p

Big thanks to this really sweet site http://dnsamplificationattacks.blogspot.ca/ for providing a list of iptables rules which cover these attacks at https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt.

You can find more information on these two specific domains at:
http://dnsamplificationattacks.blogspot.ca/2013/10/domain-pktsasia.html
http://dnsamplificationattacks.blogspot.ca/2013/10/domain-babywowcouk.html

I found that I had to drop the --start and --stop flags to get these rules to work. I'm not sure if I'm not taking into account an offset or perhaps I'm seeing a different strain of the attack but the start and stop positions appear to be different when we crack open the packets:

pkts.asia
00163ebb000300163ecd000208004500
00476dd90000f8114fa44c670d3c0000
0000fd5900350033000095b201000001
00000000000104706b74730461736961
0000ff00010000292328000000000000
0000000000

The string we are blocking for appears to be between 36 and 40 rather than 40 and 51.

babywow.co.uk
00163ebb000300163ecd000208004500
004b9e0c0000f8110d4dd0729b500000
0000a216003500370000c1ff01000001
0000000000010762616279776f770263
6f02756b0000ff000100002923280000
000000000000000000

The string we are blocking for appears to be between 36 and 44 rather than 40 to 55.

You should note that not using --start and --stop will make netfilter inspect the whole packet which will have a (probably negligible) performance hit.

ClearOS seems to have trouble with the comment formatting so I've made a couple of minor edits to the list which will drop these rules into FORWARD on your router:

#!/bin/bash
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|1b323031336e69616e636875616e7169736966756661627577616e67076164736634327703636f6d|' -j DROP # -m comment "DROP DNS Q 2013nianchuanqisifufabuwang.adsf42w.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|03697363036f72670000ff00|' -j DROP # -m comment "DROP DNS Q ANY isc.org"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|077375636b64646702636300|' -j DROP # -m comment "DROP DNS Q suckddq.cc"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|076e61706966756e03636f6d|' -j DROP # -m comment "DROP DNS Q napifun.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0768616b34756d7a036e6574|' -j DROP # -m comment "DROP DNS Q hak4umz.net"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|06616e6f6e736303636f6d00|' -j DROP # -m comment "DROP DNS Q anonsc.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0331783102637a0000ff0001|' -j DROP # -m comment "DROP DNS Q ANY 1x1.cz"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|056266686d6d03636f6d000010000100|' -j DROP # -m comment "DROP DNS Q TXT bfhmm.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|03697363036f72670000ff00|' -j DROP # -m comment "DROP DNS Q ANY isc.org dns.id"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|076564656c696f6e02737500|' -j DROP # -m comment "DROP DNS Q edelion.su"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0432736f65027275|' -j DROP # -m comment "DROP DNS Q 2soe.ru"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0472697065036e657400|' -j DROP # -m comment "DROP DNS Q ripe.net"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0968697a62756c6c6168026d6500|' -j DROP # -m comment "DROP DNS Q hizbullah.me"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|11657667656e69792d6d61726368656e6b6f02636300|' -j DROP # -m comment "DROP DNS Q evgeniy-marchenko.cc"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|057372766974036f726700|' -j DROP # -m comment "DROP DNS Q srvit.org"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0B7061636b6574646576696c03636f6d00|' -j DROP # -m comment "DROP DNS Q packetdevil.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|046a756e6b087468657977616e7402696e00|' -j DROP # -m comment "DROP DNS Q junk.theywant.in"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0374787408707773657276657203636f6d02756100|' -j DROP # -m comment "DROP DNS Q txt.pwserver.com.ua"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0469657466036f726700|' -j DROP # -m comment "DROP DNS Q ietf.org"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0371686102636300|' -j DROP # -m comment "DROP DNS Q qha.cc"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|066c61326c6f7702636300|' -j DROP # -m comment "DROP DNS Q la2low.cc"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|057a7a67737403636f6d00|' -j DROP # -m comment "DROP DNS Q zzgst.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|01610B7061636b6574646576696c03636f6d00|' -j DROP # -m comment "DROP DNS Q a.packetdevil.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0778706c6f64696e03636f6d00|' -j DROP # -m comment "DROP DNS Q xplodin.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0261610661736433736303636f6d00|' -j DROP # -m comment "DROP DNS Q aa.asd3sc.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0962697473747265737303636f6d00|' -j DROP # -m comment "DROP DNS Q bitstress.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|026161066d6d7461633103636f6d00|' -j DROP # -m comment "DROP DNS Q aa.mmtac1.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0C6b696464793332333336353502727500|' -j DROP # -m comment "DROP DNS Q kiddy3233655.ru"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|05643639393103636f6d00|' -j DROP # -m comment "DROP DNS Q d6991.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0661613332343703636f6d00|' -j DROP # -m comment "DROP DNS Q aa3247.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|08666b666b666b666103636f6d00|' -j DROP # -m comment "DROP DNS Q fkfkfkfa.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0A677261707079626c6f6703636f6d00|' -j DROP # -m comment "DROP DNS Q grappyblog.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|05636d69756903636f6d00|' -j DROP # -m comment "DROP DNS Q cmiui.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|05346677686b03636f6d00|' -j DROP # -m comment "DROP DNS Q 4fwhk.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0673616e64696103676f7600|' -j DROP # -m comment "DROP DNS Q sandia.gov"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0A7a61696b617061696b6103636f6d00|' -j DROP # -m comment "DROP DNS Q zaikapaika.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|08766572697369676e03636f6d00|' -j DROP # -m comment "DROP DNS Q verisign.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0473656d6102637a00|' -j DROP # -m comment "DROP DNS Q sema.cz"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|04706b7473046173696100|' -j DROP # -m comment "DROP DNS Q pkts.asia"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0A69726c77696e6e696e6703636f6d00|' -j DROP # -m comment "DROP DNS Q irlwinning.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|053337397a6303636f6d00|' -j DROP # -m comment "DROP DNS Q 379zc.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|05333630383804696e666f00|' -j DROP # -m comment "DROP DNS Q 36088.info"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|067478743430390874656b6a65746f6e03636f6d00|' -j DROP # -m comment "DROP DNS Q txt409.tekjeton.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0D73757065726d65676174727565056d6364697202727500|' -j DROP # -m comment "DROP DNS Q supermegatrue.mcdir.ru"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|05333032353904696e666f00|' -j DROP # -m comment "DROP DNS Q 30259.info"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0762616279776f7702636f02756b00|' -j DROP # -m comment "DROP DNS Q babywow.co.uk"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|05333633373204696e666f00|' -j DROP # -m comment "DROP DNS Q 36372.info"

Mounting an NFS Share on OS X: There was a Problem Connecting to the Server

You've tried to mount your linux NFS share via the Go menu's Connect to Server dialogue but you keep getting an error message stating:

There was a problem connecting to the server
There was a problem connecting to the server

You know your URI is formatted correctly (nfs://server/share) and you can mount the share on other Linux hosts so what gives?

It turns out that in order to get OS X to play ball we have to add insecure to the export options of the shares you would like to mount. For example:

/home/karma/torrents 192.168.1.0/24(ro,no_root_squash,no_subtree_check,insecure)

OS X ... is Damaged and can't be Opened. You Should Move it to the Trash.

"This App" is damaged and can't be opened. You should move it to the Trash.

...is damaged and can't be opened. You should move it to the trash
...is damaged and can't be opened. You should move it to the trash

If you have just downloaded a new app and received this message upon attempting to launch it chances are it's fine, OS X is just being a good nanny.

To fix, open System Preferences... under the Apple menu. Open Security & Privacy then click the lock to make changes. Change your Allow applications downloaded from: radio selection to Anywhere and give it another spin.

Flush the Qmail Queue

Flushing the mail queue with postfix is straightforward enough:

# postfix -f

But qmail, as usual, is a little more obtuse:

# ps aux | grep qmail-send
root     18971  0.0  0.0  1328  260 pts/1    S    18:18   0:00 supervise qmail-send
qmails   18978  0.0  0.0  1416  384 pts/1    S    18:18   0:00 [qmail-send]
root     19469  0.0  0.0  1724  604 pts/1    R    18:20   0:00 grep qmail-send
# kill -s ALRM 18978

Fix Cordova Launch Image Problem in Xcode 4.6.3

I recently updated to Xcode 4.6.3 to gain the iOS 6.1 SDK and created a new Cordova project. When it came time to set the Launch Images I encountered weird behaviour; images for certain resolutions were overwriting the images for other resolutions or not updating at all.

When I went to build the project Xcode complained "warning multiple build commands for" XYZ lauch image. To fix this select your build Target then click on the Build Phases tab. Expand Copy Bundle Resources and delete the duplicate entries for your icons and launch images under {Project Name}/Resources/screen and icons/