Linux - Networking: This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
04-29-2014, 08:47 AM | #1 | LQ Newbie | Registered: Oct 2012 | Posts: 18
Iptables Drop DNS Domain resolving
Hello,
In the last three months we have faced DNS amplification attacks from more than 1000 different source IPs against one domain only; please check the log line below:
13:56:40.261793 IP (tos 0x0, ttl 124, id 23273, offset 0, flags [none], proto: UDP (17), length: 72) X.X.X.X.64154 > Y.Y.Y.Y.domain: [udp sum ok] 40021+ A? uhjoabgwpkh. www.wfgj18.com. (44)
Is there any way to use iptables to drop the fake domain "wfgj18.com"?
Thanks.
04-30-2014, 02:43 AM | #2 | Moderator | Registered: Jun 2001 | Location: UK | Distribution: Gentoo, RHEL, Fedora, Centos | Posts: 43,417
04-30-2014, 08:53 AM | #3 | LQ Newbie | Registered: Oct 2012 | Posts: 18 | Original Poster
Quote: Originally Posted by acid_kewpie
This method needs analysis of the signature. Actually I am looking for an iptables rule that drops any query for a specific domain; please check the log below. How can I drop any query for wfgj18.com?
13:56:40.261793 IP (tos 0x0, ttl 124, id 23273, offset 0, flags [none], proto: UDP (17), length: 72) X.X.X.X.64154 > Y.Y.Y.Y.domain: [udp sum ok] 40021+ A? uhjoabgwpkh. www.wfgj18.com. (44)
Thanks.
Last edited by NewLegend; 04-30-2014 at 09:08 AM.
04-30-2014, 11:04 AM | #4 | LQ Newbie | Registered: Mar 2012 | Posts: 6
Hi NewLegend, the blog suggested by acid_kewpie has iptables rules to filter out DNS packets querying for isc.org; won't it help resolve your problem if you change the filter rule data?
The rule mentioned in the blog drops the query for isc.org:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x1c=0x1d420100 && 0x28=0x03697363 && 0x2c=0x036f7267 && 0x30=0x0000ff00" -j DROP -m comment --comment "DROP DNS Q ANY isc.org dns.id 0x1d42"
There are other options that compare the direct string values and drop:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 54 --algo bm --hex-string '|09486363466f72756d73026e6c00|' -j DROP -m comment --comment "DROP DNS Q HccForums.nl"
05-01-2014, 07:38 AM | #5 | LQ Newbie | Registered: Oct 2012 | Posts: 18 | Original Poster
Quote: Originally Posted by gknetw
Hi NewLegend, the blog suggested by acid_kewpie has iptables rules to filter out DNS packets querying for isc.org; won't it help resolve your problem if you change the filter rule data?
The rule mentioned in the blog drops the query for isc.org:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x1c=0x1d420100 && 0x28=0x03697363 && 0x2c=0x036f7267 && 0x30=0x0000ff00" -j DROP -m comment --comment "DROP DNS Q ANY isc.org dns.id 0x1d42"
There are other options that compare the direct string values and drop:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 54 --algo bm --hex-string '|09486363466f72756d73026e6c00|' -j DROP -m comment --comment "DROP DNS Q HccForums.nl"
Hi,
I have a script to find the top attacker domain and drop it in real time, so it's hard to convert the string to hex and analyze the signature in the script.
How can I drop the domain directly without analyzing? Will the method below work?
iptables --insert INPUT -p udp --dport 53 -j DROP -m comment --comment "DROP DNS Q Domain.net"
Last edited by NewLegend; 05-01-2014 at 07:43 AM.
05-01-2014, 12:37 PM | #6 | Moderator | Registered: Jun 2001 | Location: UK | Distribution: Gentoo, RHEL, Fedora, Centos | Posts: 43,417
If you don't analyze something, how is it supposed to know what you want to do?!
05-03-2014, 01:47 PM | #7 | LQ Newbie | Registered: Oct 2012 | Posts: 18 | Original Poster
Quote: Originally Posted by acid_kewpie
If you don't analyze something, how is it supposed to know what you want to do?!
My script will find the domain. I just need to drop this domain automatically.
05-04-2014, 03:07 AM | #8 | Moderator | Registered: Jun 2001 | Location: UK | Distribution: Gentoo, RHEL, Fedora, Centos | Posts: 43,417
Right, and I've provided a reference to a document describing how to block a domain. It's up to your script to work out what the strings are to use in the block. There's no "automatic" in iptables.
05-04-2014, 03:44 AM | #9 | LQ Newbie | Registered: Oct 2012 | Posts: 18 | Original Poster
Quote: Originally Posted by acid_kewpie
Right, and I've provided a reference to a document describing how to block a domain. It's up to your script to work out what the strings are to use in the block. There's no "automatic" in iptables.
Suppose there's an attack in the middle of the night; how can I drop the domain? Do I need to convert the domain string to hexadecimal?
My script is simple: it just looks at the victim domain and drops any query for this domain.
Regarding automating iptables, I think that's not correct. I have already created a lot of scripts that drop IPs automatically with iptables, and they work perfectly. But my real problem now is how I can drop the domains automatically.
05-05-2014, 05:20 AM | #10 | LQ Newbie | Registered: Oct 2012 | Posts: 18 | Original Poster
Is there any idea?
Moreover, how can I convert the domain string to hex? For example, how can I convert 30259.info to hex?
Last edited by NewLegend; 05-05-2014 at 05:41 AM.
05-05-2014, 07:37 AM | #11 | Moderator | Registered: Jun 2001 | Location: UK | Distribution: Gentoo, RHEL, Fedora, Centos | Posts: 43,417
Plenty of ways to do this if you have a google, e.g. http://stackoverflow.com/questions/5...onvert-in-bash
iptables does not do this in a complex way, because complex = intensive and slow. If you made all traffic passing through a box interrogate the traffic to the level you are apparently after, it'd be very inefficient and slow. So you do the work out of band, i.e. in a periodic script, and then update rules within that script: rules that require the very least possible amount of constant effort.
05-05-2014, 08:23 AM | #12 | LQ Newbie | Registered: Oct 2012 | Posts: 18 | Original Poster
Quote: Originally Posted by acid_kewpie
Plenty of ways to do this if you have a google, e.g. http://stackoverflow.com/questions/5...onvert-in-bash
iptables does not do this in a complex way, because complex = intensive and slow. If you made all traffic passing through a box interrogate the traffic to the level you are apparently after, it'd be very inefficient and slow. So you do the work out of band, i.e. in a periodic script, and then update rules within that script: rules that require the very least possible amount of constant effort.
Thanks for your update; please check the command below. It converted this domain, gerdar3.ru, to '|07676572646172330272|':
# drop domain by hex-string
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 58 --algo bm --hex-string '|07676572646172330272|' -j DROP -m comment --comment "DROP DNS Q gerdar3.ru"
But that does not match your example in the blog above; please check below:
$ echo gerdar3.ru|hexdump -v
0000000 6567 6472 7261 2e33 7572 000a
Last edited by NewLegend; 05-05-2014 at 08:26 AM.
05-06-2014, 05:09 AM | #13 | LQ Newbie | Registered: Oct 2012 | Posts: 18 | Original Poster
Hi,
I don't know what the problem is exactly; I have a real problem converting the domain string to hex.
The rule below is working on my server, from this blog: http://archive.today/SEVRE#selection-1065.1-504.369
iptables --insert INPUT -p udp --dport 53 -m string --from 34 --to 80 --algo bm --hex-string '|056c7573653003636f6d00|' -j DROP -m comment --comment "DROP DNS Q luse0.com"
But, for example, I tried to drop this domain, innovadex.com, and I did the steps below:
1/ I converted innovadex.com to hex using this website: http://www.string-functions.com/string-hex.aspx
The result is: innovadex.com ==> 696e6e6f76616465782e636f6d
2/ I changed the rule as below:
iptables --insert INPUT -p udp --dport 53 -m string --from 34 --to 80 --algo bm --hex-string '|696e6e6f76616465782e636f6d|' -j DROP -m comment --comment "DROP DNS Q innovadex.com"
But it's not working?
Last edited by NewLegend; 05-06-2014 at 05:11 AM.
05-08-2014, 02:32 AM | #14 | LQ Newbie | Registered: Oct 2012 | Posts: 18 | Original Poster
Does no one know how I can convert a domain string to hex?
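The conversion the thread keeps asking about is not plain ASCII-to-hex: on the wire a DNS name is a sequence of length-prefixed labels ending in a zero byte, and the dots never appear, which is why '|696e6e6f76616465782e636f6d|' (ASCII hex with a 2e for the dot) can never match a real query while '|056c7573653003636f6d00|' does. The following Python is an added example written for this page, not code from the thread or the linked blog. It assumes the packet layout the thread's rules already rely on: IPv4 with no options (20 bytes) + UDP (8 bytes) + DNS header (12 bytes), so the QNAME starts at byte offset 40, and it assumes the string match only fires when the whole pattern lies inside the --from/--to window (which is what the blog's "--from 40 --to 54" for a 14-byte pattern implies). It also generalises beyond the exact-name case: the attack in post #1 prepends random labels (uhjoabgwpkh.www.wfgj18.com), so the window must be wide enough for the pattern to appear later in the QNAME. The sample packet, addresses and transaction ID are constructed.

```python
"""
Added example (not from the thread): encode a domain as DNS wire-format
labels for `iptables -m string --hex-string`, emit the DROP rule, and check
the rule against a constructed query packet.

Assumed layout: IPv4 without options (20) + UDP (8) + DNS header (12),
so the QNAME begins at offset 40, matching the thread's "--from 40".
"""
import struct

IP_HDR_LEN = 20
UDP_HDR_LEN = 8
DNS_HDR_LEN = 12
QNAME_OFFSET = IP_HDR_LEN + UDP_HDR_LEN + DNS_HDR_LEN  # 40
MAX_NAME_LEN = 255  # RFC 1035 limit on a wire-format name


def dns_wire_name(name):
    """Encode 'innovadex.com' as b'\\x09innovadex\\x03com\\x00' (RFC 1035 labels).

    Each label is prefixed by its length and the name ends with a zero byte;
    dots never appear on the wire, so hex of the ASCII string never matches.
    """
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if not label or len(label) > 63:
            raise ValueError("bad DNS label: %r" % label)
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)  # root label terminates the name
    if len(out) > MAX_NAME_LEN:
        raise ValueError("name too long for DNS")
    return bytes(out)


def hex_string(wire):
    """Format bytes the way --hex-string expects: '|056c7573653003636f6d00|'."""
    return "|" + wire.hex() + "|"


def drop_rule(name, to_offset=QNAME_OFFSET + MAX_NAME_LEN, icase=False):
    """Build the rule in the same shape as the thread's examples.

    Assumption: the pattern must lie entirely inside [--from, --to).  The
    thread's tight windows (--to 54 for a 14-byte name) therefore only catch
    queries for exactly that name; the default window here covers any legal
    QNAME so names with random prefix labels are caught too.  --icase is the
    string match's case-insensitive flag (query case may be randomised).
    """
    wire = dns_wire_name(name)
    return ("iptables --insert INPUT -p udp --dport 53 -m string "
            "--from %d --to %d --algo bm%s --hex-string '%s' "
            "-j DROP -m comment --comment \"DROP DNS Q %s\""
            % (QNAME_OFFSET, to_offset, " --icase" if icase else "",
               hex_string(wire), name))


def build_query_packet(qname, txid=0x9C55):
    """Constructed sample: IPv4 + UDP + standard 'A' query, zero checksums."""
    question = dns_wire_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    dns = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + question  # RD set
    udp = struct.pack("!HHHH", 64154, 53, UDP_HDR_LEN + len(dns), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + len(udp) + len(dns),
                     23273, 0, 124, 17, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + udp + dns


def rule_would_match(packet, name, from_offset=QNAME_OFFSET,
                     to_offset=QNAME_OFFSET + MAX_NAME_LEN):
    """Mimic -m string: True if the encoded name lies inside packet[from:to]."""
    return dns_wire_name(name) in packet[from_offset:to_offset]


def ascii_hex_would_match(packet, name):
    """What the rule from post #13 tests: hex of the ASCII string, dot included."""
    return name.encode("ascii") in packet


if __name__ == "__main__":
    for n in ("wfgj18.com", "gerdar3.ru", "30259.info", "innovadex.com"):
        print(hex_string(dns_wire_name(n)))
        print(drop_rule(n))
    pkt = build_query_packet("uhjoabgwpkh.www.wfgj18.com")  # the query from post #1
    print("wire-format match:", rule_would_match(pkt, "wfgj18.com"))    # True
    print("ASCII-hex match:  ", ascii_hex_would_match(pkt, "wfgj18.com"))  # False
```

The same script is what a "drop it in real time" job would call: compute hex_string(dns_wire_name(domain)) for each name the log scan reports and insert the rule, as acid_kewpie describes, out of band. Two caveats a practitioner should keep in mind: string matching is done on every UDP/53 packet, so keep the rule set to the handful of names actually under attack and remove rules once the flood stops, and the rule drops every query for that name, legitimate ones included, so it is a blunt instrument for the duration of the attack.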
05-08-2014, 06:29 AM | #15 | Member | Registered: Oct 2013 | Distribution: RedHat CentOS Fedora SuSE | Posts: 354