Here I describe the defence against an attack that I happened to detect tonight.
Symptoms:
  * conntrack suspiciously full of DNS queries
  * suspiciously large traffic flowing out of a DNS server that serves only a handful of domains
  * no entries in the bind log (syslog) if you have it configured wrongly
In my case the option "recursion no" was missing. I wrongly assumed that commenting out the recursion permission would disable it. It does not.
<code>
// allow-recursion { any; };
</code>
You need to write ''recursion no;'' explicitly.
Because of the enormous volume of data, logging has to be redirected elsewhere. This also stops it needlessly eating up the capacity of the central remote-log server to which all syslogs are forwarded online.
<code>
logging {
    category lame-servers { null; };
    channel security_file {
        file "/var/log/named/security.log" versions 3 size 30m;
        severity dynamic;
        print-time yes;
    };
    category security {
        security_file;
    };
};
</code>
This was the first step to success.
====== Second step to success ======
Symptoms of the attack:
  * the log is completely full of messages like:
<code>
Jun 6 02:14:34 www named[22552]: client 199.229.230.62#25595: query (cache) './ANY/IN' denied
Jun 6 02:14:34 www named[22552]: client 199.229.230.62#25595: query (cache) './ANY/IN' denied
Jun 6 02:14:34 www named[22552]: client 199.229.230.62#25595: query (cache) './ANY/IN' denied
Jun 6 02:14:34 www named[22552]: client 199.229.230.62#25595: query (cache) './ANY/IN' denied
Jun 6 02:14:34 www named[22552]: client 199.229.230.62#25595: query (cache) './ANY/IN' denied
Jun 6 02:14:34 www named[22552]: client 199.229.230.62#25595: query (cache) './ANY/IN' denied
</code>
Here again fail2ban works perfectly with this configuration:
<code>
[named-refused-udp]
enabled  = true
port     = domain,953
protocol = udp
filter   = named-refused
logpath  = /var/log/named/security.log

[named-refused-tcp]
enabled  = true
port     = domain,953
protocol = tcp
filter   = named-refused
logpath  = /var/log/named/security.log
</code>
After a while a hefty list similar to this one starts to appear in the iptables listing:
<code>
dns:/etc/fail2ban# iptables -L -n
[...]
Chain fail2ban-named-refused-udp (1 references)
target prot opt source destination
DROP all -- 24.131.123.64 0.0.0.0/0
DROP all -- 69.246.154.178 0.0.0.0/0
DROP all -- 64.120.30.66 0.0.0.0/0
DROP all -- 76.186.226.253 0.0.0.0/0
DROP all -- 82.11.150.206 0.0.0.0/0
DROP all -- 142.136.203.131 0.0.0.0/0
DROP all -- 64.31.23.230 0.0.0.0/0
DROP all -- 185.5.174.200 0.0.0.0/0
DROP all -- 67.167.168.119 0.0.0.0/0
DROP all -- 50.23.74.93 0.0.0.0/0
DROP all -- 201.124.46.222 0.0.0.0/0
DROP all -- 24.189.209.41 0.0.0.0/0
DROP all -- 81.2.197.157 0.0.0.0/0
DROP all -- 37.5.92.17 0.0.0.0/0
DROP all -- 65.128.26.184 0.0.0.0/0
DROP all -- 68.55.173.3 0.0.0.0/0
DROP all -- 184.61.247.204 0.0.0.0/0
DROP all -- 99.233.205.66 0.0.0.0/0
DROP all -- 77.96.105.112 0.0.0.0/0
DROP all -- 189.228.237.69 0.0.0.0/0
DROP all -- 200.147.38.48 0.0.0.0/0
DROP all -- 200.221.11.116 0.0.0.0/0
DROP all -- 200.147.38.49 0.0.0.0/0
DROP all -- 200.147.6.35 0.0.0.0/0
DROP all -- 208.115.222.253 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
</code>
===== Bind9 notify =====
Bind DNS sends NOTIFY to all name servers except itself and the master name server listed in the SOA.
<code>
notify yes;
</code>
sends NOTIFY to all name servers in the NS RRs (except itself and the SOA master)
<code>
notify yes;
also-notify { x.x.x.x; y.y.y.y; };
</code>
sends NOTIFY to x.x.x.x, y.y.y.y and all name servers in the NS RRs (except itself and the SOA master).
<code>
notify explicit;
also-notify { x.x.x.x; y.y.y.y; };
</code>
sends NOTIFY to just x.x.x.x and y.y.y.y
**Warning:**
bind+fail2ban configured like this can cause a DoS of your own server. UDP packets may arrive with a spoofed source IP, so the address in a denied-query log line is not necessarily the real sender, and fail2ban may end up banning whoever the attacker chose to impersonate (for example your own resolvers or secondaries) rather than the attacker.
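As an added example covering both the second step and the warning above (this is not code from the original page or from fail2ban), the following Python script parses the denied-query lines of security.log the way the named-refused filter does, applies a fail2ban-style maxretry/findtime threshold per client address, and skips an allowlist of addresses you never want banned, which is the simplest guard against a spoofed UDP source getting your own resolvers or secondaries locked out. The log lines, the year and the 192.0.2.x / 198.51.100.x addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log in the format shown above (not captured from a real server).
SAMPLE_LOG = """\
Jun 6 02:14:34 www named[22552]: client 199.229.230.62#25595: query (cache) './ANY/IN' denied
Jun 6 02:14:34 www named[22552]: client 199.229.230.62#25595: query (cache) './ANY/IN' denied
Jun 6 02:14:35 www named[22552]: client 199.229.230.62#25596: query (cache) './ANY/IN' denied
Jun 6 02:14:35 www named[22552]: client 199.229.230.62#25597: query (cache) './ANY/IN' denied
Jun 6 02:14:36 www named[22552]: client 192.0.2.53#4123: query (cache) './ANY/IN' denied
Jun 6 02:14:36 www named[22552]: client 192.0.2.53#4124: query (cache) './ANY/IN' denied
Jun 6 02:14:36 www named[22552]: client 192.0.2.53#4125: query (cache) './ANY/IN' denied
Jun 6 02:14:40 www named[22552]: client 198.51.100.7#5353: query (cache) 'example.com/A/IN' denied
Jun 6 02:20:01 www named[22552]: client 192.0.2.99#1111: query (cache) './ANY/IN' denied
"""

# Matches the "query (cache) '...' denied" lines that the named-refused filter acts on.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: "
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query \(cache\) '(?P<q>[^']*)' denied$"
)

def parse_denied(text, year=2013):
    """Yield (timestamp, client_ip, query) for every denied query in the log text.
    syslog lines carry no year, so one is assumed (hypothetical default)."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["q"]

def ban_candidates(text, maxretry=3, findtime=60, never_ban=frozenset()):
    """Return client IPs with at least maxretry denied queries inside any
    findtime-second window, skipping never_ban (your own resolvers and
    secondaries, which a spoofed UDP source could otherwise get banned)."""
    hits = defaultdict(list)
    for ts, ip, _ in parse_denied(text):
        hits[ip].append(ts)
    banned = set()
    for ip, times in hits.items():
        if ip in never_ban:
            continue
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime:
                banned.add(ip)
                break
    return banned
```

Feed never_ban with the addresses from your also-notify and transfer peers so the spoofing scenario in the warning cannot cut them off.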