PF Drop packet by hex string match

Hello Dears,
I'm using FreeBSD with the Unbound DNS service to resolve DNS queries. In case of DNS amplification attacks (most of them on the 'ANY' record type), I cannot find any solution on FreeBSD to drop the packets which carry a query for the 'ANY' record type.
But in Linux with iptables you can drop the required packets with hex string matching on the payload.
Is there anyone who can help me find a solution for BSD firewalls? Otherwise I need to switch to Linux.

Here are the rules for iptables:
Code:
# record every UDP/53 packet whose bytes from offset 50 on contain QTYPE=ANY (0x00FF), QCLASS=IN (0x0001)
-A INPUT -p udp --dport 53 -m string --from 50 --algo bm --hex-string '|00FF0001|' -m recent --set --name dnsanyquery2
# reject the same source once it has sent 3 such packets within 10 seconds
-A INPUT -p udp --dport 53 -m string --from 50 --algo bm --hex-string '|00FF0001|' -m recent --name dnsanyquery2 --rcheck --seconds 10 --hitcount 3 -j REJECT
 
In case of DNS amplification attacks (most of them on the 'ANY' record type)
You should fix this in your DNS configuration. Don't allow recursive queries from unknown sources.

Unbound is a local caching server and should only be accessible from your internal network. Because it's not an authoritative DNS server there's no reason why you need to allow any connection to it from outside your network. So, simply block everything incoming from outside your network.
 
PF comes from OpenBSD where the developers focus on "correctness", and that means in the case of PF that it has no capabilities to inspect the data payloads of the IP packets that are passed through. Another way to say that is that the packet filter respects layer separation and only deals with IP layer information on the IP packets for filtering.
 
PF comes from OpenBSD where the developers focus on "correctness", and that means in the case of PF that it has no capabilities to inspect the data payloads of the IP packets that are passed through. Another way to say that is that the packet filter respects layer separation and only deals with IP layer information on the IP packets for filtering.
That's true up to a point. pf also looks at layer 4 (i.e. UDP/TCP), and has some limited ability to filter packets based on the VLAN ID. It can even filter based on the user id of the sending process.
Point is: the purity of the firewall as a layer 3 entity is not a major consideration.

It is true that pf currently cannot filter based on string matches. I wouldn't reject a patch to add such support out of hand, but it's also not high on my list of priorities. It has some utility, although the potential for foot-shooting is high.
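
What the OP's hex-string rule actually tests, and the foot-shooting risk mentioned in the reply above, are easier to see side by side in code. The block below is an added example and is not code from this thread, from pf or from Unbound: a Python function that emulates `-m string --from 50 --hex-string '|00FF0001|'` over a constructed IPv4/UDP packet, a parser that reads QTYPE from the DNS question section instead, and a small per-source counter standing in for `-m recent --seconds 10 --hitcount 3`. The names (example.com, a.io), the addresses, the helper and function names and every packet are assumptions constructed for the example. Two of the constructed inputs show where the fixed-offset match and the parser disagree: an ANY query for a short name puts its QTYPE before byte 50 and is missed, while an A query whose last label happens to be the bytes 00 FF 00 01 (legal on the wire) is matched.

```python
import struct
from collections import defaultdict, deque

QTYPE_A, QTYPE_ANY, QCLASS_IN = 1, 255, 1

def build_query(name, qtype, qclass=QCLASS_IN, raw_labels=None, txid=0x1234):
    """Constructed one-question DNS query (the UDP payload). raw_labels lets the
    caller supply arbitrary label bytes, which RFC 1035 permits on the wire."""
    if raw_labels is None:
        raw_labels = [l.encode() for l in name.strip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l for l in raw_labels) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    return header + qname + struct.pack("!HH", qtype, qclass)

def wrap_ip_udp(payload, src=bytes([198, 51, 100, 7])):
    """Minimal IPv4 (no options) + UDP headers so offsets match what iptables
    sees. Checksums stay zero; they play no part in the string match."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 17, 0,
                     src, bytes([192, 0, 2, 53]))
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0)
    return ip + udp + payload

def parse_question(payload):
    """(qname, qtype, qclass) of the first question. Raises ValueError on
    responses, empty/truncated questions and compression pointers."""
    if len(payload) < 12:
        raise ValueError("short header")
    flags, qdcount = struct.unpack("!HH", payload[2:6])
    if flags & 0x8000:
        raise ValueError("QR bit set: this is a response")
    if qdcount < 1:
        raise ValueError("no question")
    pos, labels = 12, []
    while True:
        if pos >= len(payload):
            raise ValueError("truncated name")
        ln, pos = payload[pos], pos + 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compression pointer in a query name")
        if pos + ln > len(payload):
            raise ValueError("truncated label")
        labels.append(payload[pos:pos + ln])
        pos += ln
    if pos + 4 > len(payload):
        raise ValueError("truncated qtype/qclass")
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return b".".join(labels).decode("latin-1"), qtype, qclass

def is_any_query(payload):
    """True only when the parsed question is (ANY, IN); malformed input is not ANY."""
    try:
        _, qtype, qclass = parse_question(payload)
    except ValueError:
        return False
    return qtype == QTYPE_ANY and qclass == QCLASS_IN

def hex_string_match(ip_packet, pattern=b"\x00\xff\x00\x01", offset=50):
    """Emulates `-m string --from 50 --hex-string '|00FF0001|'`: a plain
    substring search over the IP packet from byte 50 onwards."""
    return pattern in ip_packet[offset:]

class RecentTracker:
    """Stand-in for `-m recent --set` then `--rcheck --seconds S --hitcount N`:
    hit() records the packet first (as --set does), then reports whether the
    source now has at least N hits within the last S seconds."""
    def __init__(self, seconds=10, hitcount=3):
        self.seconds, self.hitcount = seconds, hitcount
        self.hits = defaultdict(deque)

    def hit(self, src, now):
        q = self.hits[src]
        q.append(now)
        while now - q[0] > self.seconds:
            q.popleft()
        return len(q) >= self.hitcount

def classify_samples():
    """Both detectors over constructed queries: {label: (parser_says_any, hex_rule_hit)}."""
    samples = {
        "any_example_com": build_query("example.com", QTYPE_ANY),  # the intended case
        "a_example_com": build_query("example.com", QTYPE_A),
        # short name: QTYPE/QCLASS sit at packet bytes 46-49, before --from 50
        "any_short_name": build_query("a.io", QTYPE_ANY),
        # A query whose last label is the bytes 00 FF 00 01 (legal on the wire)
        "a_label_00ff0001": build_query("", QTYPE_A,
                                        raw_labels=[b"example", b"com", b"\x00\xff\x00\x01"]),
    }
    return {k: (is_any_query(p), hex_string_match(wrap_ip_udp(p)))
            for k, p in samples.items()}

if __name__ == "__main__":
    for label, (parsed, hexed) in classify_samples().items():
        print(f"{label:18s} parser_any={parsed!s:5s} hex_rule_hit={hexed}")
    tracker = RecentTracker()
    print([tracker.hit("198.51.100.7", t) for t in (0, 1, 2, 15)])  # third hit trips it
```

Running it with `python3` prints the four classifications and the counter's verdicts. The fixed-offset match is fast and needs no parser, which is why it is attractive in a packet filter, but the two disagreeing rows are exactly the kind of surprise that makes a string match in a firewall risky: whether a packet is rejected depends on the length of the name being queried and on the raw bytes of labels, not on what the resolver will actually do with the query. The resolver, which has already parsed the question, is the place where such a decision can be made precisely.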
 
Thank you all,
but let me explain what my concern was, and how I found a solution for it.
I am running a huge network with about 7K DSL subscribers. Previously the ACL was configured on the DNS server itself and I think it didn't work, because there were some IP addresses still getting responses while those IP addresses were outside of my network range.
So I have moved the ACL from the Unbound DNS server to my router, and used BGP blackholing to limit access to only my country, since most of the attacks were coming from China and Russia.
I have also enabled the ip verify source feature on my Cisco routers, so with this feature combined with the one above I am sure that there won't be any attack on my DNS server, even with spoofed IP addresses.
Thanks
Zareh K
 