LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices



Reply
 
Search this Thread
Old 03-27-2013, 10:46 AM   #1
alexiag
LQ Newbie
 
Registered: Mar 2013
Posts: 8

Rep: Reputation: Disabled
'isc.org/ANY/IN' denied: 1466 Time(s)


Hi all,

I've been getting these messages ('isc.org/ANY/IN' denied: 1466 Time(s) ) through on my logwatch. I'm a bit of an amateur but have done quite a bit of research on this and found these 2 rules for my iptables -

iptables -I INPUT 1 -p udp --dport 53 -m string --from 50 --algo bm --hex-string '|0000FF0001|' -m recent --set --name dnsanyquery

iptables -I INPUT 2 -p udp --dport 53 -m string --from 50 --algo bm --hex-string '|0000FF0001|' -m recent --name dnsanyquery --rcheck --seconds 60 --hitcount 5 -j DROP

However having installed them I'm still getting the same messages. I'd be really grateful if somebody was able to tell me what I've done wrong.

Thanks very much,
A
 
Old 03-27-2013, 11:13 AM   #2
cliffordw
Member
 
Registered: Jan 2012
Location: South Africa
Posts: 281

Rep: Reputation: 118Reputation: 118
Hi there,

The queries you are seeing might be related to the attack described at http://www.minihowto.eu/protectio-ag...-org-any-query if you're not expecting these requests.

It looks like your server is denying these query requests, though, which implies no harm done to you (except for a bit of traffic flow). Are these messages coming from BIND?

Regarding the iptables rules you ae using, what is that hex string meant to match?

Regards,

Clifford
 
Old 03-27-2013, 02:10 PM   #3
alexiag
LQ Newbie
 
Registered: Mar 2013
Posts: 8

Original Poster
Rep: Reputation: Disabled
Thanks Clifford, I think they are that sort of attack! So no harm meant to my server, but I wanted to stop them to be a good citizen!

Emabarrasingly I'm not sure what the hex string is .... I copied it from here - http://www.junkemailfilter.com/blog/...rg-any-attack/

Do you think it should be something different?

Thanks again,

A
 
Old 03-27-2013, 03:31 PM   #5
cliffordw
Member
 
Registered: Jan 2012
Location: South Africa
Posts: 281

Rep: Reputation: 118Reputation: 118
Hi again,

The "denied" message seems to indicate that you are being a good citizen & not sending the replies to the intended target IPs. This is presumably done by bind, though and not by iptables. That should be fine - as long as it is stopped, it doesn't matter who does that.

Regarding the hex string, there's a different string in the URL I posted, but I haven't tried to validate or test this.

Regards
 
Old 03-27-2013, 03:50 PM   #6
alexiag
LQ Newbie
 
Registered: Mar 2013
Posts: 8

Original Poster
Rep: Reputation: Disabled
Thanks UnSpawn,

I did take a look at some of the old threads but I'm a bit of a novice with servers and they dont mean a whole lot to me. I spent ages working out how iptables work and thought I'd found what looks like a neat solution? Is anybody able to tell me whether its just a tweak to the rules I've got thats needed?

For the no recursion solution I'm not sure if I have an authoritative server! My domain dns settings are with the people that I bought the domain from - and the domain just points at my server. Does that me my server isnt authoritative?! Sorry to be such a dunce.

Thanks,
Alessia
 
Old 03-27-2013, 03:58 PM   #7
alexiag
LQ Newbie
 
Registered: Mar 2013
Posts: 8

Original Poster
Rep: Reputation: Disabled
Sorry Clifford, didnt see your reply. I think I read that even though the attempt is denied it still sends back a 'denied' message to the IP under attack?

If I change the rules to:

iptables -I INPUT 1 -p udp --dport 53 -m recent --set --name dnsanyquery
iptables -I INPUT 2 -p udp --dport 53 -m recent --name dnsanyquery --rcheck --seconds 60 --hitcount 5 -j DROP

... will that cause me problems? I cant see why an individual would do more than 5 dns queries of any type in 60 seconds? Or have I misunderstood?

Thanks v much
Alessia
 
Old 03-27-2013, 08:36 PM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,685
Blog Entries: 54

Rep: Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955
Quote:
Originally Posted by alexiag View Post
For the no recursion solution I'm not sure if I have an authoritative server! My domain dns settings are with the people that I bought the domain from - and the domain just points at my server. Does that me my server isnt authoritative?!
cliffordw asked the right question when he said "Are these messages coming from BIND?" (as they have to be resolver messages and it would be odd getting those from a LAN-only caching name server) so you must be running a publicly exposed resolver. He's also right in that the "denied" message indicates your resolver does not allowing recursion. The iptables rule the foxpa.ws site promotes to drop the UDP reflection attack is:
Code:
iptables -A INPUT -p udp -m string --hex-string "|03697363036f726700|" --algo bm --to 65535 -j DROP
Try that and please report back.
 
Old 03-29-2013, 12:41 PM   #9
alexiag
LQ Newbie
 
Registered: Mar 2013
Posts: 8

Original Poster
Rep: Reputation: Disabled
Thanks unSpawn, would the rule you've suggested not block some legitimate isc.org/ANY/IN requests? Or are there no legitimate isc.org/ANY/IN requests?
 
Old 03-29-2013, 12:44 PM   #10
alexiag
LQ Newbie
 
Registered: Mar 2013
Posts: 8

Original Poster
Rep: Reputation: Disabled
I've also found these 2 rules which look good and came well recommneded on another site ...

iptables -A INPUT -p udp --port 53 -m hashlimit --hashlimit 1/minute --hashlimit-burst 5 -j ACCEPT
iptables -A INPUT -p udp --port 53 -j DROP
 
Old 04-01-2013, 05:31 PM   #11
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,685
Blog Entries: 54

Rep: Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955
Quote:
Originally Posted by alexiag View Post
Thanks unSpawn, would the rule you've suggested not block some legitimate isc.org/ANY/IN requests? Or are there no legitimate isc.org/ANY/IN requests?
In short (somebody correct me if I'm wrong but) any client request should, by way of the providers name servers, end up at the root servers so no, you shouldn't be receiving isc.org/ANY/IN requests nor should you allow recursion for domains you're not the authoritative name server for unless you're operating a shielded caching-only name server.
 
Old 04-02-2013, 09:25 AM   #12
alexiag
LQ Newbie
 
Registered: Mar 2013
Posts: 8

Original Poster
Rep: Reputation: Disabled
Thanks for your help unSpawn, I've used your suggestion and will let you know how i get on in the next few days!
 
Old 04-02-2013, 10:14 AM   #13
cliffordw
Member
 
Registered: Jan 2012
Location: South Africa
Posts: 281

Rep: Reputation: 118Reputation: 118
Quote:
Originally Posted by unSpawn View Post
In short (somebody correct me if I'm wrong but) any client request should, by way of the providers name servers, end up at the root servers so no, you shouldn't be receiving isc.org/ANY/IN requests nor should you allow recursion for domains you're not the authoritative name server for unless you're operating a shielded caching-only name server.
This depends on how this name server is set up and used. If it is a name server for specific zones only, then the above statement is correct.

If it is the name server for a LAN, then it is the first stop for all queries, and needs to respond to legitimate requests for the isc.org domain (either with the root servers if recursion is off, or with the final answer if recursion is on). In such a case the iptables rules should probably be refined to block only requests from the outside, while still allowing them from inside (by physical interface or IP range).
 
Old 04-04-2013, 11:50 AM   #14
alexiag
LQ Newbie
 
Registered: Mar 2013
Posts: 8

Original Poster
Rep: Reputation: Disabled
Hi unSpawn and Clifford,

Great success with unSpawns sgguestion -

Code:
iptables -A INPUT -p udp -m string --hex-string "|03697363036f726700|" --algo bm --to 65535 -j DROP
Has blocked 6000 packets so far, seems to have completely solved it.

Thanks so much!
 
Old 04-04-2013, 11:57 AM   #15
sundialsvcs
Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 5,455

Rep: Reputation: 1172Reputation: 1172Reputation: 1172Reputation: 1172Reputation: 1172Reputation: 1172Reputation: 1172Reputation: 1172Reputation: 1172
My understanding of this attack was that the Internet was simply being flooded with these requests, which of all rights should only originate from "upstream" DNS servers, but actually coming from everywhere ... on the assumption that any server would respond to them anyway if received, and thereby contribute to the chaos.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Long time user, first time poster to LinuxQuestions.org nevek LinuxQuestions.org Member Intro 1 07-21-2008 11:18 AM
isc.sans.org -- Brute-force SSH Attacks on the Rise unixfool Linux - Security 3 05-17-2008 10:43 PM
Cyber Security Awareness Month at isc.sans.org unixfool Linux - Security 2 11-02-2007 09:35 PM


All times are GMT -5. The time now is 07:44 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration