First of all, we need to look at the hexadecimal values of a DNS ANY query packet. Below is an example of a DNS query for www.facebook.com, type ANY:
21:45:17.159364 00:0f:34:ac:fa:49 > d0:50:99:53:f2:fc, ethertype IPv4 (0x0800), length 76: 192.168.0.2.44040 > 172.16.0.3.53: 29319+ ANY? www.facebook.com. (34)
0x0000: 4500 003e d702 0000 4011 36ef c0a8 0002 E..>....@.6.....
0x0010: ac10 0003 ac08 0035 002a 7d19 7287 0100 .......5.*}.r...
0x0020: 0001 0000 0000 0000 0377 7777 0866 6163 .........www.fac
0x0030: 6562 6f6f 6b03 636f 6d00 00ff 0001 ebook.com.....
Analyzing the hexadecimal dump of the trace, at the end of the packet we notice the value 0x00ff0001 (shown as “.....” in the ASCII column) that identifies the DNS query as type ANY. Thanks to that, iptables can analyze each DNS query packet, identify those whose query type is ANY, remember the source IP that sent the ANY request, and temporarily restrict the number of DNS ANY queries from that specific IP address for a period of time.
Let’s analyze and explain the iptables rules deployed on the DNS server:
iptables -I INPUT 4 -p udp --dport 53 -m string --hex-string "|0000ff0001|" --algo bm -m recent --set --name dnsanyquery --rsource
iptables -I INPUT 5 -p udp --dport 53 -m string --hex-string "|0000ff0001|" --algo bm -m recent --rcheck --seconds 60 --hitcount 5 --name dnsanyquery --rsource -j DROP
First rule - from left to right:
iptables -I INPUT 4 --> insert an iptables rule in the INPUT chain and place it at position 4 of the chain
-p udp --dport 53 --> take into account UDP packets with destination port number 53
-m string --> use the iptables extension module called “string”
--hex-string "|0000ff0001|" --> the string to be matched inside the packet is the hexadecimal value “0000ff0001” (which corresponds to the ANY DNS query type in the tcpdump trace above)
--algo bm --> use the Boyer-Moore algorithm to search the packets for the above value
-m recent --> apply a second iptables extension module called recent. The recent module allows you to dynamically create a list of IP addresses and then match against that list in a few different ways. For example, you can create a "badguy" list out of people attempting to connect to port xyz on your firewall and then DROP all future packets from them without considering them.
--set --name dnsanyquery --> for those packets, use the list named dnsanyquery
--rsource --> save in the dnsanyquery list the source IP address of the packets that match the above rule
Second rule - the first part is the same as in the first rule (iptables -I INPUT 5 -p udp --dport 53 -m string --hex-string "|0000ff0001|" --algo bm -m recent)
--rcheck --> check if the source address of the packet is currently in the list (dnsanyquery)
--seconds 60 --> this narrows the match to only happen when the address is in the list and was seen within the last given number of seconds (60 seconds in this rule)
--hitcount 5 --> this narrows the match to only happen when the address is in the list and the number of packets received is greater than or equal to the given value (5 hits in this rule)
--name dnsanyquery --rsource --> same meaning as in the first rule
-j DROP --> drop the packets that match this iptables rule.
Thanks to a bash script, we can convert the raw data of the dnsanyquery list and find out which IP addresses sent (and when) more than 5 ANY queries in less than 60 seconds:
192.168.0.2........................................Tue Sep 29 22:36:15 BST 2015
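The author's bash script is not included in the post, so here is an added Python equivalent (not the author's code) that parses the raw /proc/net/xt_recent/dnsanyquery entries and applies the same 60-second / 5-hit window the DROP rule uses. The sample entries and the boot time are constructed, and HZ=1000 and the initial-jiffies offset are assumptions that depend on the kernel build.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of /proc/net/xt_recent/dnsanyquery (not a real capture).
# Each line: "src=IP ttl: N last_seen: J oldest_pkt: N J, J, ..." where J is
# the kernel jiffies counter at the time the --set rule matched a packet.
SAMPLE = """\
src=192.168.0.2 ttl: 64 last_seen: 4295033744 oldest_pkt: 6 4294960000, 4295010000, 4295020000, 4295025000, 4295030000, 4295033744
src=10.0.0.7 ttl: 63 last_seen: 4295100000 oldest_pkt: 2 4295000000, 4295100000
"""

HZ = 1000                           # assumption: kernel tick rate (CONFIG_HZ); check your kernel
INITIAL_JIFFIES = 2**32 - 300 * HZ  # assumption: jiffies value at boot (kernel starts 5 min before the 32-bit wrap)
BOOT_TIME = datetime(2015, 9, 29, 22, 30, tzinfo=timezone.utc)  # constructed boot time for the demo
LINE_RE = re.compile(r"src=(\S+) ttl: (\d+) last_seen: (\d+) oldest_pkt: (\d+)(.*)")

def parse_recent(text):
    """Parse xt_recent lines into (src, last_seen, [stamps...]) tuples."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            stamps = [int(s) for s in m.group(5).replace(",", " ").split()]
            entries.append((m.group(1), int(m.group(3)), stamps))
    return entries

def hits_in_window(stamps, now, seconds=60, hz=HZ):
    """Count stamps seen within the last `seconds`, as --rcheck --seconds --hitcount does."""
    return sum(1 for s in stamps if now - s <= seconds * hz)

def jiffies_to_wallclock(j, boot_time, hz=HZ, initial=INITIAL_JIFFIES):
    """Translate a jiffies value into wall-clock time relative to the boot time."""
    return boot_time + timedelta(seconds=(j - initial) / hz)

def offenders(text, boot_time, seconds=60, hitcount=5):
    """Return [(src, hits, last_seen_wallclock)] for sources that would trip the DROP rule.
    The newest stamp is used as "now": the --set rule runs first, so --rcheck sees it."""
    out = []
    for src, last_seen, stamps in parse_recent(text):
        hits = hits_in_window(stamps, last_seen, seconds)
        if hits >= hitcount:
            out.append((src, hits, jiffies_to_wallclock(last_seen, boot_time)))
    return out

if __name__ == "__main__":
    for src, hits, when in offenders(SAMPLE, BOOT_TIME):
        print(f"{src:<20}{hits} ANY queries within 60s, last at {when:%a %b %d %H:%M:%S %Z %Y}")
```

The first sample source has six recorded stamps but only five inside the 60-second window, which is exactly the boundary at which --hitcount 5 starts dropping.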
2015-12-17 0:33 GMT+00:00 Josh Sanders <[hidden email]>:
Pdns-users mailing list