Who would be the right person to bother about this?

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

----- Original Message -----
From: "Wido den Hollander" <w...@widodh.nl>
To: dev@cloudstack.apache.org
Sent: Monday, 23 June, 2014 12:26:08 PM
Subject: Re: [security] The case of the open dns resolver

On 06/23/2014 12:31 PM, Nux! wrote:
> Hi,
>
> Today I've been bitten again by the $subject and complaints were sent to my
> hoster's abuse email address; apparently someone used my VR in a DDOS attack.
> It is my fault as I knew about this issue, but I'd like to throw the blame on
> Cloudstack. :)
>
> So, the VR is accepting DNS requests from everybody on the interwebs and this
> should be changed, imho.
>
> I see there are already iptables rules concerning port 8080 of the VR and
> only the public IP ranges are allowed. Why isn't this the case for port 53 as
> well?
>

I see no reason why this shouldn't be the case. DNS is only meant for the
Instances and not for the rest of the internet in this case.

> I have placed this script in my VR's rc.local, but it's not kosher at all.
>
> # disallows global DNS traffic and only allows it from the cloud public subnets
> for i in `iptables-save |grep 8080|awk '{print $4}'`; do iptables -I INPUT -s $i -p tcp -m tcp --dport 53 -j ACCEPT; iptables -I INPUT -s $i -p udp -m udp --dport 53 -j ACCEPT; done
> iptables -D INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
> iptables -D INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
>
> This could be greatly improved and added in the official tree.
> Currently I'm getting the subnets by checking which IPs the 8080 rules apply,
> how can I retrieve this information in a more elegant way?
>
> Lucian
>
> --
> Sent from the Delta quadrant using Borg technology!
>
> Nux!
> www.nux.ro
>
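The rc.local workaround quoted above scrapes column 4 of any line containing "8080", which breaks as soon as a rule has no `-s` match or the number appears in another position. The script below is an added example, not CloudStack's code and not the thread author's: it reads an iptables-save dump from stdin, takes the `-s` argument only from INPUT rules that actually match `--dport 8080`, and emits the corresponding port-53 ACCEPT rules followed by the two catch-all deletions the author used. The ruleset in `SAMPLE_RULES` is constructed for this example; the assumption, as in the thread, is that the public CIDRs appear as `-s` sources on the VR's port-8080 rules and that the catch-all port-53 rules are the two `-i eth0` rules shown.

```shell
#!/bin/sh
# Added example (not CloudStack's own code): derive the allowed source subnets
# from the VR's existing port-8080 INPUT rules and emit matching port-53 rules.

# Constructed stand-in for `iptables-save` output (sample data, not from a real VR).
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -s 203.0.113.0/24 -i eth0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -s 198.51.100.0/25 -i eth0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -s 203.0.113.0/24 -i eth0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
COMMIT'

# Print the -s argument of every INPUT rule matching --dport 8080, one per line,
# de-duplicated. Reads the ruleset from stdin (iptables-save output or a file).
allowed_subnets() {
    awk '/^-A INPUT / && / --dport 8080 / {
        for (i = 1; i < NF; i++) if ($i == "-s") print $(i + 1)
    }' | sort -u
}

# Emit the iptables commands that restrict port 53 to those subnets.
# Specific ACCEPT rules are inserted first; the catch-all rules (assumed to be
# the two -i eth0 rules from the thread) are deleted last, so DNS is never
# fully blocked while the change is applied.
dns_rules() {
    allowed_subnets | while read -r net; do
        printf 'iptables -I INPUT -s %s -p udp -m udp --dport 53 -j ACCEPT\n' "$net"
        printf 'iptables -I INPUT -s %s -p tcp -m tcp --dport 53 -j ACCEPT\n' "$net"
    done
    printf 'iptables -D INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT\n'
    printf 'iptables -D INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT\n'
}

# Dry run against the constructed sample; on a real VR pipe `iptables-save`
# into dns_rules and review the output before feeding it to sh.
printf '%s\n' "$SAMPLE_RULES" | dns_rules
```

Because the functions only print commands, an operator can diff the generated rules against the live ruleset before applying them, and can verify afterwards with `iptables -S INPUT | grep 'dport 53'` that every remaining port-53 ACCEPT carries a `-s` source.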