filtering a hexstring, example please

Hi all,
Is this possible with pf, especially with the option "-m string --hex-string"?

Code:
iptables -A INPUT -p udp -m string --hex-string "|03697363036f726700|" --algo bm --to 65535 -j DROP

thx
parcival
 
Hi SirDice,
blocking DDoS on BIND to isc.org, hexstring = isc.org (60 queries per second)

example:

Code:
22-Nov-2012 10:50:22.612 client 184.168.72.113#26636 (isc.org): query: isc.org IN ANY +ED (192.168.200.12)
22-Nov-2012 10:50:23.372 client 93.170.127.96#55471 (isc.org): query: isc.org IN ANY +ED (192.168.200.12)
 
It's not a DDoS, it's not even a DoS. It's some remote clients that are trying to resolve isc.org on your DNS server.

Are you hosting some domains? If not, there's no reason why your DNS server should be accessible from the internet.
 
If I read that correctly you should turn off recursion for unknown clients (i.e. everything that comes from the internet). Which is a good idea anyway.

Simply blocking queries for isc.org won't help as you can get the same effect using a different domain.
 
SirDice, I solved this with fail2ban.

filter:
Code:
# Fail2Ban configuration file for named (bind9). Trying to generalize the
#          structure which is general to capture general patterns in log
#          lines to cover different configurations/distributions
#
# Author: Yaroslav Halchenko
#
# $Revision: 730 $
#

[Definition]

#
# Daemon name
_daemon=named

#
# Shortcuts for easier comprehension of the failregex
__pid_re=(?:\[\d+\])
__daemon_re=\(?%(_daemon)s(?:\(\S+\))?\)?:?
__daemon_combs_re=(?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)
#       hostname       daemon_id         spaces
# this can be optional (for instance if we match named native log files)
__line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)?

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile.
# Values: TEXT
#
failregex = %(__line_prefix)sclient <HOST>#.+: query: (ripe.net|isc.org) IN ANY \+ED*

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

@kpa
These are T2 DNS servers (slaves).
Keep in mind that T2 servers are only required to slave the dns.opennic.glue zone (with the option to slave the root zone if you desire), and recursion is acceptable and expected for all other zones.
 
parcival said:
and recursion is acceptable and expected for all other zones.
Are these servers used by (internal) clients to resolve? If not, turn off recursion.

The fail2ban solution may work for this particular example but as I said you can get the same results using any domain that's not being served on that DNS server. So blocking queries for ripe.net or isc.org isn't going to prevent recursive queries using freebsd.org for example. Hence, you're still open to the same DDoS. And, because you allow recursion, you're also vulnerable to cache poisoning.
 
I don't generally block everything immediately (ripe.net or isc.org).
With these parameters of fail2ban, I can control that "normal users" can also reach ripe.net or isc.org.

example:
Code:
# "bantime" is the number of seconds that a host is banned.
bantime  = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 8
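As an added example (not code from the thread or from fail2ban itself), the following Python replays the filter and the bantime/findtime/maxretry parameters above over a few constructed BIND query-log lines, and also decodes the iptables hex string from the first post as a DNS wire-format name. The <HOST> placeholder is replaced by a capture group, and the sample hosts, timestamps and helper names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Equivalent of the thread's failregex with <HOST> expanded to a capture group.
# BIND's native query log is matched, so the optional __line_prefix is empty.
FAILREGEX = re.compile(
    r"client (?P<host>\S+)#.+: query: (ripe\.net|isc\.org) IN ANY \+ED*"
)
TS_FORMAT = "%d-%b-%Y %H:%M:%S.%f"   # BIND query-log timestamp, first 24 chars

# Constructed sample log in the same format as the lines posted in the thread.
SAMPLE_LOG = """\
22-Nov-2012 10:50:22.612 client 184.168.72.113#26636 (isc.org): query: isc.org IN ANY +ED (192.168.200.12)
22-Nov-2012 10:50:23.372 client 93.170.127.96#55471 (isc.org): query: isc.org IN ANY +ED (192.168.200.12)
22-Nov-2012 10:50:24.001 client 184.168.72.113#26637 (isc.org): query: isc.org IN ANY +ED (192.168.200.12)
22-Nov-2012 10:50:25.100 client 10.0.0.5#40000 (www.example.org): query: www.example.org IN A +E (192.168.200.12)
22-Nov-2012 11:10:00.000 client 184.168.72.113#26638 (isc.org): query: isc.org IN ANY +ED (192.168.200.12)
"""


def dns_wire_name(hexstr: str) -> str:
    """Decode a length-prefixed DNS name such as iptables' |03697363036f726700|."""
    data = bytes.fromhex(hexstr.strip("|"))
    labels, i = [], 0
    while data[i]:                      # a zero length byte terminates the name
        labels.append(data[i + 1:i + 1 + data[i]].decode("ascii"))
        i += 1 + data[i]
    return ".".join(labels)


def hosts_to_ban(log: str, findtime: int = 600, maxretry: int = 8) -> list:
    """Ban a host once it has maxretry matching lines within findtime seconds."""
    hits = defaultdict(list)            # host -> timestamps inside the window
    banned = set()
    for line in log.splitlines():
        m = FAILREGEX.search(line)
        if not m:
            continue                    # not an ANY query for the listed names
        host = m.group("host")
        ts = datetime.strptime(line[:24], TS_FORMAT)
        window = timedelta(seconds=findtime)
        hits[host] = [t for t in hits[host] if ts - t <= window] + [ts]
        if len(hits[host]) >= maxretry:
            banned.add(host)
    return sorted(banned)
```

With the thread's defaults (findtime 600, maxretry 8) none of the sample hosts is banned; lowering maxretry shows the window logic, and the 11:10 line falls outside the 600 s window of the earlier hits.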
 
parcival said:
I don't generally block everything immediately (ripe.net or isc.org).
With these parameters of fail2ban, I can control that "normal users" can also reach ripe.net or isc.org.
Doesn't matter, I can still use you as an amplifier if I used freebsd.org (or any of the millions of other domains) instead of ripe.net or isc.org.

Why don't you just turn off recursion? What's the reason to keep it on?
 