I have seen it and I already tried it based on your previous mail. I
updated shorewall to the latest version and added the rule:
IPTABLES(DROP) wan1 $FW udp 53 ; -m string --hex-string "|0000FF0001|" --algo bm
It doesn't work the way I hoped: iptables -nvL shows 0 packets. After
your answer I changed the rule to:
IPTABLES(DROP) wan1 $FW udp 53 ; -m string --from 50 --algo bm --hex-string "|0000FF0001|"
Still no success. But perhaps you have any suggestions to improve this rule?
Tom Eastep schreef op 8-7-2014 18:29:
On 7/8/2014 8:53 AM, Ruud Baart wrote:
Tom Eastep schreef op 8-7-2014 17:35:
On 7/8/2014 8:10 AM, Ruud Baart wrote:
Tom Eastep schreef op 8-7-2014 16:55:
On 7/8/2014 5:30 AM, Ruud Baart wrote:
Good day,
I have a problem in protecting one of our DNS servers (Debian, bind9).
One of our DNS servers is attacked with cache queries. Our servers are
protected the best way I can, but this type of request is coming from
everywhere and I can not find an effective way of stopping these queries.
The queries look like these (tcpdump):
14:17:52.521563 IP 36.234.214.186.7824 > <my DNS server>.53: 47574+ A?
kjaveb.sfbsodnssbsdbsdbsndbsidbdfwff.fsf.crayumm.com. (70)
14:17:52.522458 IP 72.37.49.70.49040 > <my DNS server>.53: 17713+ A?
mdsfcn.sfbsodnssbsdbsdbsndbsidbdfwff.fsf.crayumm.com. (70)
14:17:52.523229 IP <my DNS server>.53 > 36.234.214.186.7824: 47574
Refused- 0/0/0 (70)
14:17:52.523313 IP <my DNS server>.53 > 72.37.49.70.49040: 17713
Refused- 0/0/0 (70)
I can't find a pattern in the banned IP addresses: they don't belong to
one or a few IP address blocks.
So my question: is there a way to drop DNS query cache requests with
shorewall without interfering with the intended DNS service?
Which Shorewall version are you running?
4.5.5.3
But an upgrade is no problem
Assuming that all of the queries contain the string "fsf.crayumm.com",
then on a 4.6 Shorewall version (such as found in Debian testing), you
can use a rule such as this one:
IPTABLES(DROP) net xxx udp 53 ; -m string --string "fsf.crayumm.com"
where xxx is the zone where your DNS server is running.
The queries contain all different domain names, no pattern. As far as
I can see the only common ground is the recursion desired flag in the
UDP DNS query request (in wireshark: ...1 .... .... = Recursion
desired: Do query recursively). As far as I know normal clients don't
set the recursion flag. Is it possible and meaningful to block all
these packets (from non-trusted hosts)?
Your internal clients will set that flag -- legitimate external clients
will not.
According to some references I've found on the web, this string match
should block them:
IPTABLES(DROP) net xxx udp 53 ; -m string --from 50\
--algo bm --hex-string '|0000FF0001|'
-Tom
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
--
Met vriendelijke groeten/Regards,
Tiswe/R.J. Baart Automatisering B.V.
Ruud Baart
Tel: +31 6 51318104
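An added example to check what the rule discussed in this thread actually matches; it is not part of the thread and not Shorewall's or the posters' code. The hex string |0000FF0001| decodes as the QNAME terminator (00) followed by QTYPE ANY (00FF) and QCLASS IN (0001), so it occurs in the question section of type ANY queries. The tcpdump lines above show "A?" queries with the "+" marker, i.e. QTYPE A with the recursion-desired bit set. The script rebuilds the two captured queries from the names and transaction IDs in that tcpdump output (the packet bytes are reconstructed sample data, not a capture), decodes the header flags and question, and reports whether the rule's byte pattern occurs in each. The translation of --from into a payload offset assumes that the string match counts from the start of the IPv4 header (20 + 8 header bytes); that assumption is mine, not something the thread states.

```python
import struct

# Constants from RFC 1035; ANY (255) is the QTYPE that the rule's hex string encodes.
QTYPE_A = 1
QTYPE_ANY = 255
QCLASS_IN = 1
RD_FLAG = 0x0100            # "recursion desired" bit in the DNS header flags word
DNS_HEADER_LEN = 12
IP_UDP_HEADER_LEN = 20 + 8  # assumption: -m string --from counts from the IPv4 header

# The byte sequence from the rule in the thread, decoded: QNAME terminator (00),
# QTYPE ANY (00 FF), QCLASS IN (00 01).
ANY_IN_PATTERN = bytes.fromhex("0000FF0001")

# Names and transaction IDs taken from the tcpdump lines in the thread; the
# packet bytes are reconstructed below (constructed sample data, not a capture).
CAPTURED_A_QUERIES = [
    (47574, "kjaveb.sfbsodnssbsdbsdbsndbsidbdfwff.fsf.crayumm.com."),
    (17713, "mdsfcn.sfbsodnssbsdbsdbsndbsidbdfwff.fsf.crayumm.com."),
]


def encode_qname(name):
    """Encode a dotted name as DNS length-prefixed labels plus the 0x00 terminator."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def build_query(txid, name, qtype, rd=True):
    """Build a one-question DNS query payload (the bytes that follow the UDP header)."""
    flags = RD_FLAG if rd else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, QCLASS_IN)


def decode_qname(payload, offset):
    """Decode labels starting at offset; return (dotted name, offset after terminator)."""
    labels = []
    while True:
        length = payload[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not expected in a question name")
        labels.append(payload[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", offset


def parse_query(payload):
    """Return the fields a filter would key on: id, RD bit, QNAME, QTYPE, QCLASS."""
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, offset = decode_qname(payload, DNS_HEADER_LEN)
    qtype, qclass = struct.unpack("!HH", payload[offset:offset + 4])
    return {"id": txid, "rd": bool(flags & RD_FLAG), "qname": qname,
            "qtype": qtype, "qclass": qclass}


def string_match(payload, pattern=ANY_IN_PATTERN, from_offset=0):
    """Approximate iptables -m string --from N: does pattern occur at or after
    packet byte N?  The payload starts after the IP and UDP headers, so the
    packet offset is shifted by IP_UDP_HEADER_LEN (see the assumption above)."""
    start = max(0, from_offset - IP_UDP_HEADER_LEN)
    return payload.find(pattern, start) != -1


def evaluate(payload, from_offset=0):
    """Parse one query and report whether the thread's hex-string rule would hit it."""
    info = parse_query(payload)
    info["length"] = len(payload)
    info["any_in_match"] = string_match(payload, ANY_IN_PATTERN, from_offset)
    return info


if __name__ == "__main__":
    for txid, name in CAPTURED_A_QUERIES:
        print(evaluate(build_query(txid, name, QTYPE_A), from_offset=50))
    # The same name sent as an ANY query: this is what the pattern actually matches.
    print(evaluate(build_query(1, CAPTURED_A_QUERIES[0][1], QTYPE_ANY), from_offset=50))
```

Running it prints one line per query. The two reconstructed A queries come out at exactly the 70 bytes tcpdump reported, with rd set and no occurrence of the pattern, while the same name as an ANY query does contain it; that is the quickest way to confirm what a given hex string will and will not match before putting it in a DROP rule.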