Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Old 04-29-2014, 08:47 AM   #1
NewLegend
LQ Newbie
 
Registered: Oct 2012
Posts: 18

Rep: Reputation: Disabled
Iptables Drop DNS Domain resolving


Hello
In the last three months we have faced DNS amplification attacks from more than 1000 different source IPs for one domain only; please check the log line below,

13:56:40.261793 IP (tos 0x0, ttl 124, id 23273, offset 0, flags [none], proto: UDP (17), length: 72) X.X.X.X.64154 > Y.Y.Y.Y.domain: [udp sum ok] 40021+ A? uhjoabgwpkh.www.wfgj18.com. (44)

Is there any way to use iptables to drop the fake domain "wfgj18.com"?

Thanks ,,,
 
Old 04-30-2014, 02:43 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
Have a look here, seems to be what you're after http://dnsamplificationattacks.blogs...lock-list.html
 
Old 04-30-2014, 08:53 AM   #3
NewLegend
LQ Newbie
 
Registered: Oct 2012
Posts: 18

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by acid_kewpie View Post
Have a look here, seems to be what you're after http://dnsamplificationattacks.blogs...lock-list.html

This method needs the signature to be analyzed. Actually I am looking for an iptables rule that drops any query for a specific domain; please check the logs below. How can I drop any query for wfgj18.com?

13:56:40.261793 IP (tos 0x0, ttl 124, id 23273, offset 0, flags [none], proto: UDP (17), length: 72) X.X.X.X.64154 > Y.Y.Y.Y.domain: [udp sum ok] 40021+ A? uhjoabgwpkh.www.wfgj18.com. (44)


Thanks ,,,

Last edited by NewLegend; 04-30-2014 at 09:08 AM.
 
Old 04-30-2014, 11:04 AM   #4
gknetw
LQ Newbie
 
Registered: Mar 2012
Posts: 6

Rep: Reputation: Disabled
Hi NewLegend, the blog suggested by acid_kewpie has iptables rules to filter out DNS packets querying for isc.org; won't it help resolve your problem if you change the filter rule data?

The rule mentioned in the blog drops the query for isc.org.

iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x1c=0x1d420100 && 0x28=0x03697363 && 0x2c=0x036f7267 && 0x30=0x0000ff00" -j DROP -m comment --comment "DROP DNS Q ANY isc.org dns.id 0x1d42"

There are other options to compare the direct string values and drop.

iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 54 --algo bm --hex-string '|09486363466f72756d73026e6c00|' -j DROP -m comment --comment "DROP DNS Q HccForums.nl"
 
Old 05-01-2014, 07:38 AM   #5
NewLegend
LQ Newbie
 
Registered: Oct 2012
Posts: 18

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by gknetw View Post
Hi NewLegend, the blog suggested by acid_kewpie has iptables rules to filter out DNS packets querying for isc.org; won't it help resolve your problem if you change the filter rule data?

The rule mentioned in the blog drops the query for isc.org.

iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x1c=0x1d420100 && 0x28=0x03697363 && 0x2c=0x036f7267 && 0x30=0x0000ff00" -j DROP -m comment --comment "DROP DNS Q ANY isc.org dns.id 0x1d42"

There are other options to compare the direct string values and drop.

iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 54 --algo bm --hex-string '|09486363466f72756d73026e6c00|' -j DROP -m comment --comment "DROP DNS Q HccForums.nl"
Hi,
I have a script to find the top attacker domain and drop it in real time, so it's hard to convert the string to hex and analyze the signature in the script.

How can I drop the domain directly without analyzing? Will the method below work?

iptables --insert INPUT -p udp --dport 53 -j DROP -m comment --comment "DROP DNS Q Domain.net"

Last edited by NewLegend; 05-01-2014 at 07:43 AM.
 
Old 05-01-2014, 12:37 PM   #6
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
if you don't analyze something how is it supposed to know what you want to do?!?!
 
Old 05-03-2014, 01:47 PM   #7
NewLegend
LQ Newbie
 
Registered: Oct 2012
Posts: 18

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by acid_kewpie View Post
if you don't analyze something how is it supposed to know what you want to do?!?!
My script will find the domain. I just need to drop this domain automatically.
 
Old 05-04-2014, 03:07 AM   #8
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
Right, and I've provided a reference to a document describing how to block a domain. It's up to your script to work out what the strings are to use in the block. There's no "automatic" in iptables.
 
Old 05-04-2014, 03:44 AM   #9
NewLegend
LQ Newbie
 
Registered: Oct 2012
Posts: 18

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by acid_kewpie View Post
Right, and I've provided a reference to a document describing how to block a domain. It's up to your script to work out what the strings are to use in the block. There's no "automatic" in iptables.
Suppose there's an attack in the middle of the night; how can I drop the domain? Do I need to convert the domain string to hexadecimal?

My script is simple: it just looks at the victim domain and drops any query for this domain.

Regarding automating iptables, I think that's not correct. I have already created a lot of scripts to drop IPs automatically with iptables and they work perfectly. But my real problem now is how to drop domains automatically.
 
Old 05-05-2014, 05:20 AM   #10
NewLegend
LQ Newbie
 
Registered: Oct 2012
Posts: 18

Original Poster
Rep: Reputation: Disabled
Is there any idea?

Moreover, how can I convert the domain string to hex? For example, how can I convert 30259.info to hex?

Last edited by NewLegend; 05-05-2014 at 05:41 AM.
 
Old 05-05-2014, 07:37 AM   #11
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
Plenty of ways to do this if you have a google. e.g. http://stackoverflow.com/questions/5...onvert-in-bash

iptables does not do this in a complex way, because complex = intensive and slow. If you made all traffic passing through a box get interrogated to the level you are apparently after, it'd be very inefficient and slow. So you do the work out of band, i.e. in a periodic script, and then update rules within that script: rules that require the very least possible amount of constant effort.
 
Old 05-05-2014, 08:23 AM   #12
NewLegend
LQ Newbie
 
Registered: Oct 2012
Posts: 18

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by acid_kewpie View Post
Plenty of ways to do this if you have a google. e.g. http://stackoverflow.com/questions/5...onvert-in-bash

iptables does not do this in a complex way, because complex = intensive and slow. If you made all traffic passing through a box get interrogated to the level you are apparently after, it'd be very inefficient and slow. So you do the work out of band, i.e. in a periodic script, and then update rules within that script: rules that require the very least possible amount of constant effort.
Thanks for your update. Please check the command below; it has this domain, gerdar3.ru, converted to '|07676572646172330272|'.

# drop domain by hex-string
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 58 --algo bm --hex-string '|07676572646172330272|' -j DROP -m comment --comment "DROP DNS Q gerdar3.ru"


But that does not match your example in the blog above; please check below:

$ echo gerdar3.ru|hexdump -v
0000000 6567 6472 7261 2e33 7572 000a

Last edited by NewLegend; 05-05-2014 at 08:26 AM.
 
Old 05-06-2014, 05:09 AM   #13
NewLegend
LQ Newbie
 
Registered: Oct 2012
Posts: 18

Original Poster
Rep: Reputation: Disabled
Hi,
I don't know exactly what the problem is; I have a real problem with converting the domain string to hex.

The rule below is working on my server, from this blog: http://archive.today/SEVRE#selection-1065.1-504.369
iptables --insert INPUT -p udp --dport 53 -m string --from 34 --to 80 --algo bm --hex-string '|056c7573653003636f6d00|' -j DROP -m comment --comment "DROP DNS Q luse0.com"


But, for example, I tried to drop this domain, innovadex.com, and did the steps below:
1/ I converted innovadex.com to hex using this website: http://www.string-functions.com/string-hex.aspx
The result is: innovadex.com ==> 696e6e6f76616465782e636f6d

2/ changed the rule as below
iptables --insert INPUT -p udp --dport 53 -m string --from 34 --to 80 --algo bm --hex-string '|696e6e6f76616465782e636f6d|' -j DROP -m comment --comment "DROP DNS Q innovadex.com"

But it's not working?

Last edited by NewLegend; 05-06-2014 at 05:11 AM.
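
The conversion this thread keeps circling around, as an added example that is not code from any poster or from the blog they link: a small POSIX shell script that encodes a domain name the way it appears in a DNS question (a length byte before each label, no dots, a terminating 0x00), builds the iptables `-m string --hex-string` rule from that encoding, and picks the most-queried domain out of tcpdump output so a periodic script can chain the two. It assumes IPv4 without IP options (so the question starts at packet offset 40), a kernel whose string match accepts `--icase`, and a constructed tcpdump sample in the format quoted above; the function names `dns_wire_hex`, `dns_drop_rule` and `top_query_domain` are mine.

```shell
#!/bin/sh
# Added example for this thread; not code from any poster or from the
# linked blog. Assumes IPv4 without IP options (DNS question at packet
# offset 40) and a kernel whose string match supports --icase. The
# tcpdump lines below are constructed for the example.

# dns_wire_hex NAME
# Print NAME as it is encoded in the DNS question section: every label is
# preceded by a one-byte length and the name ends with a 0x00 byte. A plain
# ASCII-to-hex conversion of "innovadex.com" never matches because the wire
# form contains no dots at all, only length bytes.
dns_wire_hex() (
    name=${1%.}                         # drop one trailing dot, if present
    [ -n "$name" ] || { echo "dns_wire_hex: empty name" >&2; exit 1; }
    set -f                              # no globbing while splitting on '.'
    IFS=.
    out=""
    for label in $name; do
        len=${#label}
        if [ "$len" -lt 1 ] || [ "$len" -gt 63 ]; then
            echo "dns_wire_hex: bad label '$label' in '$1'" >&2
            exit 1
        fi
        lhex=$(printf '%s' "$label" | od -An -v -tx1 | tr -d ' \n')
        out="$out$(printf '%02x' "$len")$lhex"
    done
    printf '%s00\n' "$out"              # 0x00 = the root label, ends the name
)

# dns_drop_rule NAME
# Print (do not run) the iptables rule that drops any query whose name ends
# in NAME. --from 40 = 20-byte IPv4 header + 8-byte UDP header + 12-byte
# DNS header, i.e. the first QNAME byte. No --to, so the default window
# (65535) lets the pattern match behind a random prefix such as
# uhjoabgwpkh.www.wfgj18.com. --icase because DNS names are compared
# case-insensitively and flood tools randomise case; the length bytes
# (0x01..0x3f) are not letters, so case folding cannot misalign them.
dns_drop_rule() {
    hex=$(dns_wire_hex "$1") || return 1
    printf 'iptables -I INPUT -p udp --dport 53 -m string --from 40 --algo bm --icase --hex-string "|%s|" -j DROP -m comment --comment "DROP DNS Q %s"\n' "$hex" "$1"
}

# top_query_domain < tcpdump-output
# Report the most-queried name reduced to its last two labels, so the
# random-prefix names of an amplification flood collapse onto the zone
# being abused. tcpdump -vnn prints the question as "<id><flags> <type>?
# <name>. (<len>)", so the name is the field after the one ending in '?'.
# Two labels is a deliberate simplification (co.uk-style zones need three);
# adjust it to the zones you actually serve.
top_query_domain() {
    awk '
        {
            for (i = 1; i < NF; i++)
                if ($i ~ /\?$/) {
                    n = tolower($(i + 1)); sub(/\.$/, "", n)
                    k = split(n, l, ".")
                    if (k >= 2) count[l[k - 1] "." l[k]]++
                    break
                }
        }
        END { for (d in count) print count[d], d }
    ' | sort -rn | head -n 1 | awk '{ print $2 }'
}

# Constructed sample of `tcpdump -vnn udp dst port 53` output in the format
# quoted in the thread; addresses are from documentation ranges.
SAMPLE_LOG='13:56:40.261793 IP (tos 0x0, ttl 124, id 23273, offset 0, flags [none], proto: UDP (17), length: 72) 198.51.100.7.64154 > 192.0.2.53.domain: [udp sum ok] 40021+ A? uhjoabgwpkh.www.wfgj18.com. (44)
13:56:40.262011 IP (tos 0x0, ttl 119, id 5011, offset 0, flags [none], proto: UDP (17), length: 72) 203.0.113.9.40211 > 192.0.2.53.domain: [udp sum ok] 1021+ ANY? qzpvlmtrwab.www.WFGJ18.COM. (44)
13:56:40.262304 IP (tos 0x0, ttl 52, id 8873, offset 0, flags [none], proto: UDP (17), length: 60) 198.51.100.20.53012 > 192.0.2.53.domain: [udp sum ok] 77+ A? mail.example.net. (34)
13:56:40.262590 IP (tos 0x0, ttl 121, id 23300, offset 0, flags [none], proto: UDP (17), length: 72) 198.51.100.7.64155 > 192.0.2.53.domain: [udp sum ok] 40022+ A? nrkqhxwoefy.www.wfgj18.com. (44)'

# Stand-alone run: find the abused domain in the sample and print its rule.
# Review the printed command before piping it into sh from a cron job.
main() {
    top=$(printf '%s\n' "$SAMPLE_LOG" | top_query_domain)
    dns_drop_rule "$top"
}
main
```

Checked against the rules already in the thread: `dns_wire_hex luse0.com` gives 056c7573653003636f6d00 and `dns_wire_hex HccForums.nl` gives 09486363466f72756d73026e6c00, the same byte strings the blog's rules carry, and `dns_wire_hex isc.org` gives the 03697363 036f7267 00 bytes the u32 rule compares word by word. The pattern is anchored on label boundaries by its leading length byte, so uhjoabgwpkh.www.wfgj18.com and every other random-prefix name under wfgj18.com match while a name such as xwfgj18.com does not. The rule drops the query before the server builds the amplified answer; it does nothing about the spoofed source addresses themselves, and unlike the blog's u32 rule, which compares raw words and is therefore case-sensitive, this one also catches case-randomised queries.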
 
Old 05-08-2014, 02:32 AM   #14
NewLegend
LQ Newbie
 
Registered: Oct 2012
Posts: 18

Original Poster
Rep: Reputation: Disabled
No one knows how I can convert a domain string to hex?
 
Old 05-08-2014, 06:29 AM   #15
voleg
Member
 
Registered: Oct 2013
Distribution: RedHat CentOS Fedora SuSE
Posts: 354

Rep: Reputation: 51
Check my memo: Fencing DNS attack with bind9, syslog-ng and iptables
 