DDOS Attack

Support for security such as Firewalls and securing linux
saeed
Posts: 20
Joined: 2014/05/30 14:50:33

DDOS Attack

Post by saeed » 2014/07/24 08:14:11

Hello

For the past few days, my firewall (CSF) keeps denying queries from various clients. I'm not sure if it can be considered a DoS attack, but they simply won't stop. So my question is whether this is a case of a DoS attack and whether I should be worried.

In the following, I just give the last four lines from among thousands of similar lines.

Jul 23 19:28:31 server named[1362]: client AAA.AAA.AAA.AA#33505: query (cache) 'ns1.somedomain.com/A/IN' denied 
Jul 23 19:28:31 server named[1362]: client AAA.AAA.AAA.BBB#63202: query (cache) 'ns1.somedomain.com/A/IN' denied 
Jul 23 19:28:31 server named[1362]: client AAA.AAA.AAA.CCC#48476: query (cache) 'ns2.somedomain.com/A/IN' denied 
Jul 23 19:28:31 server named[1362]: client AAA.AAA.AAA.CCC#46512: query (cache) 'ns2.somedomain.com/A/IN' denied 
Jul 23 19:28:31 server named[1362]: client AAA.AAA.AAA.DDD#42247: query (cache) 'ns2.somedomain.com/A/IN' denied 
Jul 23 19:28:31 server named[1362]: client AAA.AAA.AAA.EEE#26687: query (cache) 'ns2.somedomain.com/A/IN' denied 
Jul 23 19:28:31 server named[1362]: client AAA.AAA.AAA.FF#18078: query (cache) 'ns2.somedomain.com/A/IN' denied 


Usually after a few lines such as the above ones, I also get a line similar to the following:

kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:ba:08:45:88:fc:a1:08:00 SRC=xxx.xxx.x.xx DST=255.255.255.255 LEN=68 TOS=0x00 PREC=0x00 TTL=128 ID=23327 PROTO=UDP SPT=50947 DPT=1947 LEN=48   


and sometimes several of the same lines together:

Jul 23 20:29:44 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:ba:08:45:88:fc:a1:08:00 SRC=xxx.xxx.x.xx DST=255.255.255.255 LEN=68 TOS=0x00 PREC=0x00 TTL=128 ID=23329 PROTO=UDP SPT=50947 DPT=1947 LEN=48 
Jul 23 20:30:23 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:ba:08:45:88:fc:a1:08:00 SRC=xxx.xxx.x.xx DST=255.255.255.255 LEN=68 TOS=0x00 PREC=0x00 TTL=128 ID=23331 PROTO=UDP SPT=50947 DPT=1947 LEN=48 
Jul 23 20:31:01 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:ba:08:45:88:fc:a1:08:00 SRC=xxx.xxx.x.xx DST=255.255.255.255 LEN=68 TOS=0x00 PREC=0x00 TTL=128 ID=23334 PROTO=UDP SPT=50947 DPT=1947 LEN=48 
Jul 23 20:31:40 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:ba:08:45:88:fc:a1:08:00 SRC=xxx.xxx.x.xx DST=255.255.255.255 LEN=68 TOS=0x00 PREC=0x00 TTL=128 ID=23336 PROTO=UDP SPT=50947 DPT=1947 LEN=48 
Jul 23 20:32:18 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:ba:08:45:88:fc:a1:08:00 SRC=xxx.xxx.x.xx DST=255.255.255.255 LEN=68 TOS=0x00 PREC=0x00 TTL=128 ID=23338 PROTO=UDP SPT=50947 DPT=1947 LEN=48 
Jul 23 20:32:57 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:ba:08:45:88:fc:a1:08:00 SRC=xxx.xxx.x.xx DST=255.255.255.255 LEN=68 TOS=0x00 PREC=0x00 TTL=128 ID=23341 PROTO=UDP SPT=50947 DPT=1947 LEN=48 
Jul 23 20:33:35 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:ba:08:45:88:fc:a1:08:00 SRC=xxx.xxx.x.xx DST=255.255.255.255 LEN=68 TOS=0x00 PREC=0x00 TTL=128 ID=23343 PROTO=UDP SPT=50947 DPT=1947 LEN=48 


Any ideas would be highly appreciated.

Thanks

TrevorH
Forum Moderator
Posts: 29667
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: DDOS Attack

Post by TrevorH » 2014/07/24 09:36:14

Is the SRC= IP address that you have obscured within the same subnet as your own server? If so then does that ip address also belong to you? If not then I recommend you report it to your ISP.
CentOS 6 will die in November 2020 - migrate sooner rather than later!
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 is dead, do not use it.
Full time Geek, part time moderator. Use the FAQ Luke

saeed
Posts: 20
Joined: 2014/05/30 14:50:33

Re: DDOS Attack

Post by saeed » 2014/07/24 10:18:43

Hello TrevorH

No, they do not belong to me, none of them. I reported the issue but I was told that since they are from various ports (ports such as AAA.AAA.AAA.AA#33505), it might be harmless. What do you think?

vonskippy
Posts: 839
Joined: 2006/12/30 03:00:04
Location: Western Slope Colorado

Re: DDOS Attack

Post by vonskippy » 2014/07/24 15:31:18

saeed wrote: Any ideas would be highly appreciated.
Here's an idea - if you expect people to help YOU, don't obfuscate the logs into random garbage.

DDOS attacks range from dozens to thousands of hits per second; anything less is simple network chatter (crawlers, bots, scripts, etc).

If your ISP isn't concerned, I'm guessing the traffic is nowhere near DDOS caliber, or they would be making efforts to shut it down so it doesn't impact their network.
For the 2.5^15th time :: Better Details = Better Answers
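Reading the log lines from the first post the way the two replies above suggest (is the SRC of the blocked packets inside your own subnet, and how many denied queries per second are you actually seeing) can be done with a small parser. The following is an added example and not code from this thread; the sample log is constructed after the posted lines with documentation-range addresses, the server subnet `192.168.1.0/24` is an assumption, and the "dozens per second" floor is taken as 24.

```python
"""Triage for the two kinds of lines quoted in this thread: BIND's
"query (cache) '<name>/<type>/IN' denied" and CSF's "Firewall: *UDP_IN Blocked*"
kernel lines.  Added example, not code from the original posts; the sample log
and the server subnet are constructed."""
import ipaddress
import re
from collections import Counter

# Constructed sample modelled on the lines posted above (addresses are
# documentation ranges, not the poster's real clients).
SAMPLE_LOG = """\
Jul 23 19:28:31 server named[1362]: client 203.0.113.10#33505: query (cache) 'ns1.somedomain.com/A/IN' denied
Jul 23 19:28:31 server named[1362]: client 203.0.113.11#63202: query (cache) 'Ns1.SomeDomain.Com/A/IN' denied
Jul 23 19:28:31 server named[1362]: client 203.0.113.12#48476: query (cache) 'ns2.somedomain.com/A/IN' denied
Jul 23 19:28:31 server named[1362]: client 203.0.113.12#46512: query (cache) 'ns2.somedomain.com/A/IN' denied
Jul 23 19:28:32 server named[1362]: client 203.0.113.13#42247: query (cache) 'ns2.somedomain.com/AAAA/IN' denied
Jul 23 19:28:32 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:ba:08:45:88:fc:a1:08:00 SRC=192.168.1.81 DST=255.255.255.255 LEN=68 TOS=0x00 PREC=0x00 TTL=128 ID=23327 PROTO=UDP SPT=50947 DPT=1947 LEN=48
Jul 23 19:28:33 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=8e:8b:ee:bd:1a:cc:00:1c:73:3c:df:6d:08:00 SRC=198.51.100.7 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=40000 DPT=22
"""

NAMED_DENIED = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: client "
    r"(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): query \(cache\) "
    r"'(?P<qname>[^/']+)/(?P<qtype>\w+)/IN' denied$"
)
FW_BLOCKED = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: Firewall: "
    r"\*(?P<rule>\w+) Blocked\* (?P<fields>.*)$"
)


def parse_line(line):
    """Return a dict describing the event, or None for lines we do not handle."""
    line = line.rstrip()
    m = NAMED_DENIED.match(line)
    if m:
        return {"kind": "denied", **m.groupdict()}
    m = FW_BLOCKED.match(line)
    if m:
        # CSF prints the iptables log as KEY=VALUE tokens; LEN= appears twice
        # (IP header and UDP header) and the dict keeps the last one.
        kv = dict(tok.split("=", 1) for tok in m.group("fields").split() if "=" in tok)
        return {"kind": "blocked", "ts": m.group("ts"), "rule": m.group("rule"),
                "src": kv.get("SRC"), "dst": kv.get("DST"),
                "proto": kv.get("PROTO"), "dpt": kv.get("DPT")}
    return None


def triage(log_text, own_subnet, ddos_qps=24):
    """Summarise the log the way the replies in this thread suggest reading it:
    denied queries per second (the reply puts DDoS at dozens to thousands of
    hits per second; 24 is an assumed floor for 'dozens'), who sends them, and
    whether blocked packets come from inside our own subnet."""
    net = ipaddress.ip_network(own_subnet)
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    denied = [e for e in events if e["kind"] == "denied"]
    blocked = [e for e in events if e["kind"] == "blocked"]

    per_second = Counter(e["ts"] for e in denied)
    clients = Counter(e["ip"] for e in denied)
    # The posted lines show the same name in varying case; fold case so one
    # name is counted once.
    qnames = Counter(e["qname"].lower() for e in denied)
    peak = max(per_second.values(), default=0)

    inside, outside = [], []
    for e in blocked:
        if e["src"] is None:
            continue
        (inside if ipaddress.ip_address(e["src"]) in net else outside).append(e["src"])

    return {
        "denied_total": len(denied),
        "peak_qps": peak,
        "distinct_clients": len(clients),
        "top_clients": clients.most_common(3),
        "top_qnames": qnames.most_common(3),
        "ddos_caliber": peak >= ddos_qps,
        "blocked_inside_subnet": inside,
        "blocked_outside_subnet": outside,
        # Packets to 255.255.255.255 are LAN broadcast chatter, not aimed at us.
        "blocked_broadcast": [e["src"] for e in blocked if e["dst"] == "255.255.255.255"],
    }


if __name__ == "__main__":
    # The subnet is an assumption for the example; substitute the server's own.
    for key, value in triage(SAMPLE_LOG, "192.168.1.0/24").items():
        print(f"{key}: {value}")
```

Run it against the real `/var/log/messages` by replacing `SAMPLE_LOG` with the file contents and `own_subnet` with the server's actual network; a `peak_qps` of a handful with many distinct clients is the "network chatter" case described above, while a broadcast source inside your own subnet is a neighbour on the LAN rather than an attacker.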

saeed
Posts: 20
Joined: 2014/05/30 14:50:33

Re: DDOS Attack

Post by saeed » 2014/07/24 20:03:11

vonskippy wrote:
saeed wrote: Any ideas would be highly appreciated.
Here's an idea - if you expect people to help YOU, don't obfuscate the logs into random garbage.

Hi vonskippy

Thanks for the tip. I really did not intend to obfuscate anything. The problem is, due to the nature of the forums being public, I sometimes do not know if I have to hide some parts or not. Please consider me a novice in all this. I'm just learning as ever.

Your explanation seems quite logical. I think I'm less worried now. Thanks

vonskippy
Posts: 839
Joined: 2006/12/30 03:00:04
Location: Western Slope Colorado

Re: DDOS Attack

Post by vonskippy » 2014/07/24 20:25:07

Usually you just want to mask the Public IP of your EDGE.

You need to mask it such that it conveys enough data to verify you don't have a simple networking error.

So mask according to your subnet mask.

Examples:

132.54.234.23/24 would be publicly displayed as x.x.x.23

but 132.54.234.23/16 would be publicly displayed as x.x.234.23

You're still protected by millions of possibilities.

For domains, unless you run a completely private shop, it's ALL public domain stuff anyways. Do you have any public DNS entries? Then it's all available to the public anyways, so why make it hard for the people that are trying to HELP you when you're not making it any harder (that whole security thru obscurity myth) for people trying to hurt you. If you can't withstand an external review now, then you have bigger worries than thinking that listing it in a distro support forum is going to trigger more attacks.

For emails, use a throwaway account if you're worried, then use the old **Name** <<at>> [domain] <.com> method to limit most crawlers.

If you're troubleshooting an email server, then set up a test account to post.

Although paranoia can be a good thing - you have to balance the risk with the reward - the more info you provide, the more likely you'll get some knowledgeable person here to solve your problem, and it won't cost you a dime. If that risk is too great, then you need to hire a local consultant and pay their price.

As the saying goes - there ain't no such thing as a free lunch (i.e. you're giving up a bit of security in order not to pay a large consulting bill).
For the 2.5^15th time :: Better Details = Better Answers
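The masking rule in the post above (blank the network part according to the subnet mask, keep the host part so a simple subnet mistake stays visible) as an added example, not code from the thread. The `x` placeholder follows the post's own notation; the prefix-not-on-an-octet-boundary case (e.g. /20) and the count of addresses hidden behind the mask are this example's additions.

```python
"""Mask a public IPv4 address for posting the way the reply above describes:
blank the network octets according to the subnet mask and keep the host
octets.  Added example, not code from the thread."""
import ipaddress


def mask_for_posting(cidr):
    """'132.54.234.23/24' -> 'x.x.x.23', '132.54.234.23/16' -> 'x.x.234.23'.

    An octet is blanked only when all of its 8 bits lie inside the prefix;
    a prefix such as /20 leaves the partly-network third octet visible,
    which matches the reply's octet-wise masking rather than bit-wise."""
    iface = ipaddress.ip_interface(cidr)
    if iface.version != 4:
        raise ValueError("only IPv4 dotted-quad masking is implemented here")
    prefix = iface.network.prefixlen
    octets = str(iface.ip).split(".")
    return ".".join("x" if 8 * (i + 1) <= prefix else o
                    for i, o in enumerate(octets))


def candidates_behind_mask(cidr):
    """How many distinct addresses the masked form still stands for: one per
    value of the blanked bits, i.e. 2**24 (the 'millions') for a /24."""
    prefix = ipaddress.ip_interface(cidr).network.prefixlen
    blanked_bits = 8 * (prefix // 8)   # whole octets only, as in mask_for_posting
    return 2 ** blanked_bits


if __name__ == "__main__":
    for example in ("132.54.234.23/24", "132.54.234.23/16", "132.54.234.23/20"):
        print(example, "->", mask_for_posting(example),
              "hides", candidates_behind_mask(example), "addresses")
```

For a /24 the masked form still stands for 2^24 addresses, the "millions of possibilities" the post mentions; a /16 leaves 2^16, which is why the post's advice is to mask according to your actual subnet rather than always hiding three octets.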

saeed
Posts: 20
Joined: 2014/05/30 14:50:33

Re: DDOS Attack

Post by saeed » 2014/07/25 10:10:06

Hi

Words of wisdom!! Yes, I admit you're right.

But when one does not have sufficient knowledge about a field, then he might know that "A little knowledge is a dangerous thing". So "masking" is often the only strategy left.

Here is another sample of the potential error/attack logs. Please note that DST=178.162.xxx.xxx is my only IP address. The rest (both the IPs and domains) do not belong to me. Actually, I am running my VPS under only one IP and one domain.

Jul 25 14:09:00 server named[1362]: client 212.140.144.xx#49269: query (cache) 'ns2.soor.ir/A/IN' denied
Jul 25 14:09:00 server named[1362]: client 212.140.144.xx#49269: query (cache) 'ns2.soor.ir/A/IN' denied
Jul 25 14:09:00 server named[1362]: client 219.88.186.xxx#49602: query (cache) 'Ns1.SOOR.iR/A/IN' denied
Jul 25 14:09:00 server named[1362]: client 219.88.187.xxx#49574: query (cache) 'www.suPeRhIgHLIgHts.Com/A/IN' denied
Jul 25 14:09:00 server named[1362]: client 219.88.187.xxx#49574: query (cache) 'www.suPeRhIgHLIgHts.Com/A/IN' denied
Jul 25 14:09:00 server named[1362]: client 212.140.144.xx#52810: query (cache) 'ns2.soor.ir/A/IN' denied
Jul 25 14:09:00 server named[1362]: client 212.140.144.xx#52810: query (cache) 'ns2.soor.ir/A/IN' denied
Jul 25 14:09:00 server named[1362]: client 219.88.186.xxx#50160: query (cache) 'www.sUpErhIghLIGHts.coM/A/IN' denied
Jul 25 14:09:00 server named[1362]: client 219.88.186.xxx#50219: query (cache) 'www.sUpErhIghLIGHts.coM/A/IN' denied
Jul 25 14:09:01 server named[1362]: client 203.192.163.xxx#36957: query (cache) 'www.superhighlights.com/A/IN' denied
Jul 25 14:09:01 server named[1362]: client 203.192.163.xxx#32011: query (cache) 'www.superhighlights.com/A/IN' denied
Jul 25 14:09:01 server named[1362]: client 203.192.163.xxx#31074: query (cache) 'www.superhighlights.com/A/IN' denied
Jul 25 14:09:02 server named[1362]: client 217.138.14.xx#54107: query (cache) 'www.superhighlights.com/A/IN' denied
Jul 25 14:09:02 server named[1362]: client 217.138.14.xx#54107: query (cache) 'www.superhighlights.com/A/IN' denied
Jul 25 14:09:02 server named[1362]: client 217.138.14.xx#54107: query (cache) 'www.superhighlights.com/A/IN' denied
Jul 25 14:09:02 server named[1362]: client 203.192.163.xx#16706: query (cache) 'www.superhighlights.com/A/IN' denied
Jul 25 14:09:02 server named[1362]: client 203.192.133.xx#46321: query (cache) 'www.superhighlights.com/A/IN' denied
Jul 25 14:09:02 server named[1362]: client 203.127.16.xxx#25008: query (cache) 'www.superhighlights.com/A/IN' denied
Jul 25 14:09:02 server named[1362]: client 203.192.133.xx#54686: query (cache) 'www.superhighlights.com/A/IN' denied
Jul 25 14:09:02 server named[1362]: client 203.127.16.xxx#25008: query (cache) 'www.superhighlights.com/A/IN' denied
Jul 25 14:09:03 server named[1362]: client 203.192.133.xx#3694: query (cache) 'www.superhighlights.com/A/IN' denied
Jul 25 14:09:03 server named[1362]: client 203.127.16.xxx#25008: query (cache) 'www.superhighlights.com/A/IN' denied
Jul 25 14:09:03 server named[1362]: client 203.192.133.xx#34976: query (cache) 'www.superhighlights.com/A/IN' denied
Jul 25 14:09:03 server named[1362]: client 203.192.133.xx#36909: query (cache) 'www.superhighlights.com/A/IN' denied
Jul 25 14:09:04 server named[1362]: client 203.192.133.xx#50269: query (cache) 'www.superhighlights.com/A/IN' denied
Jul 25 14:09:04 server named[1362]: client 61.14.134.xx#57221: query (cache) 'www.superhighlights.com/A/IN' denied
Jul 25 14:09:04 server named[1362]: client 61.14.134.xx#57221: query (cache) 'www.superhighlights.com/A/IN' denied
Jul 25 14:09:04 server named[1362]: client 61.14.134.xx#57221: query (cache) 'www.superhighlights.com/A/IN' denied
Jul 25 14:09:06 server named[1362]: client 212.140.144.xx#49269: query (cache) 'www.superhighlights.com/A/IN' denied
Jul 25 14:09:06 server named[1362]: client 212.140.144.xx#49269: query (cache) 'www.superhighlights.com/A/IN' denied
Jul 25 14:09:06 server named[1362]: client 212.140.144.xx#49269: query (cache) 'ns1.soor.ir/AAAA/IN' denied
Jul 25 14:09:06 server named[1362]: client 212.140.144.xx#49269: query (cache) 'ns2.soor.ir/AAAA/IN' denied
Jul 25 14:09:06 server named[1362]: client 212.140.144.xx#49269: query (cache) 'ns1.soor.ir/AAAA/IN' denied
Jul 25 14:09:06 server named[1362]: client 212.140.144.xx#49269: query (cache) 'ns2.soor.ir/AAAA/IN' denied
Jul 25 14:09:06 server named[1362]: client 212.140.144.xx#49269: query (cache) 'ns1.soor.ir/AAAA/IN' denied
Jul 25 14:09:06 server named[1362]: client 212.140.144.xx#49269: query (cache) 'ns1.soor.ir/AAAA/IN' denied
Jul 25 14:09:06 server named[1362]: client 203.192.163.xxx#62659: query (cache) 'www.superhighlights.com/A/IN' denied
Jul 25 14:09:07 server named[1362]: client 203.192.163.xxx#40080: query (cache) 'www.superhighlights.com/A/IN' denied
Jul 25 14:09:07 server named[1362]: client 203.192.133.xx#65495: query (cache) 'www.superhighlights.com/A/IN' denied
Jul 25 14:09:07 server named[1362]: client 203.192.163.xxx#33627: query (cache) 'www.superhighlights.com/A/IN' denied
Jul 25 14:09:07 server named[1362]: client 203.192.133.xx#21589: query (cache) 'www.superhighlights.com/A/IN' denied
Jul 25 14:09:07 server named[1362]: client 203.192.163.xxx#58346: query (cache) 'www.superhighlights.com/A/IN' denied
Jul 25 14:09:07 server named[1362]: client 203.192.133.xx#53062: query (cache) 'www.superhighlights.com/A/IN' denied
Jul 25 14:09:08 server named[1362]: client 203.192.163.xxxx#53: query (cache) 'www.superhighlights.com/A/IN' denied
Jul 25 14:09:08 server named[1362]: client 203.192.133.xx#11918: query (cache) 'www.superhighlights.com/A/IN' denied
Jul 25 14:09:08 server named[1362]: client 212.140.144.xx#49269: query (cache) 'ns2.soor.ir/AAAA/IN' denied
Jul 25 14:09:08 server named[1362]: client 212.140.144.xx#49269: query (cache) 'ns2.soor.ir/AAAA/IN' denied
Jul 25 14:09:08 server named[1362]: client 203.192.163.xxx#53: query (cache) 'www.superhighlights.com/A/IN' denied
Jul 25 14:09:08 server named[1362]: client 203.192.133.xx#43913: query (cache) 'www.superhighlights.com/A/IN' denied
Jul 25 14:09:08 server named[1362]: client 203.192.133.xx#51129: query (cache) 'www.superhighlights.com/A/IN' denied
Jul 25 14:09:09 server named[1362]: client 61.14.134.xx#56029: query (cache) 'www.superhighlights.com/A/IN' denied
Jul 25 14:09:09 server named[1362]: client 61.14.134.xx#56029: query (cache) 'www.superhighlights.com/A/IN' denied
Jul 25 14:09:09 server named[1362]: client 61.14.134.xx#56029: query (cache) 'www.superhighlights.com/A/IN' denied
Jul 25 14:09:09 server named[1362]: client 165.21.83.xx#27685: query (cache) 'www.superhighlights.com/A/IN' denied
Jul 25 14:09:10 server named[1362]: client 165.21.83.xx#38853: query (cache) 'ns1.soor.ir/A/IN' denied
Jul 25 14:09:11 server named[1362]: client 165.21.83.xx#50500: query (cache) 'ns2.soor.ir/A/IN' denied
Jul 25 14:09:11 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=8e:8b:ee:bd:1a:cc:00:1c:73:3c:df:6d:08:00 SRC=23.95.24.xxx DST=178.162.xxx.xxx L$
Jul 25 14:09:12 server named[1362]: client 165.21.83.xx#32410: query (cache) 'ns2.soor.ir/A/IN' denied
Jul 25 14:09:12 server named[1362]: client 165.21.100.xx#2063: query (cache) 'www.superhighlights.com/A/IN' denied
Jul 25 14:09:12 server named[1362]: client 165.21.100.xx#48053: query (cache) 'www.superhighlights.com/A/IN' denied
Jul 25 14:09:12 server named[1362]: client 203.127.16.xxx#37966: query (cache) 'www.superhighlights.com/A/IN' denied
Jul 25 14:09:13 server named[1362]: client 203.127.16.xxx#37966: query (cache) 'www.superhighlights.com/A/IN' denied
Jul 25 14:09:13 server named[1362]: client 203.127.16.xxx#37966: query (cache) 'www.superhighlights.com/A/IN' denied
Jul 25 14:09:13 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:ba:08:45:88:fc:a1:08:00 SRC=192.168.1.81 DST=255.255.255.255 $
Jul 25 14:09:15 server named[1362]: client 217.138.14.xx#55074: query (cache) 'www.superhighlights.com/A/IN' denied
Jul 25 14:09:15 server named[1362]: client 217.138.14.xx#55074: query (cache) 'www.superhighlights.com/A/IN' denied
Jul 25 14:09:15 server named[1362]: client 217.138.14.xx#55074: query (cache) 'www.superhighlights.com/A/IN' denied

Thanks for your help.

Whoever
Posts: 1135
Joined: 2013/09/06 03:12:10

Re: DDOS Attack

Post by Whoever » 2014/07/25 14:44:13

It's possible that someone is trying to use your system for an amplification attack against someone else. However, since your DNS server is responding with "denied", it's not very effective.

Why is your firewall listening for DNS queries on its public IP address? Probably you don't need this and could configure your DNS server not to listen on the public IP address.

If you really need your firewall to resolve DNS queries on its public address, use iptables to limit the source IP addresses that can contact your DNS server.

saeed
Posts: 20
Joined: 2014/05/30 14:50:33

Re: DDOS Attack

Post by saeed » 2014/07/25 18:09:25

@whoever Thanks for replying.

I have configured named.conf as follows:

options {
//listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
recursion no;

Could you please tell me how I can configure my DNS server not to listen on my public IP? I'll be thankful.

Whoever
Posts: 1135
Joined: 2013/09/06 03:12:10

Re: DDOS Attack

Post by Whoever » 2014/07/26 04:33:42

saeed wrote: @whoever Thanks for replying.

I have configured named.conf as follows:

options {
//listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
recursion no;

Could you please tell me how I can configure my DNS server not to listen on my public IP? I'll be thankful.
Add the following to your options block:

      listen-on {127.0.0.1;};
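The posted options block beside its corrected form, as an added illustration rather than configuration from the thread (the quoted block stops at `recursion no;`, so the closing `};` and the omitted directives are assumed). With `listen-on` commented out, BIND 9 listens on port 53 on every IPv4 address, which is why foreign clients can reach it at all; the `(cache)` in the denied lines means the queried names are not in any zone this server serves, and with `recursion no` it refuses them.

```conf
// BEFORE (as posted): listen-on is commented out, so named binds 0.0.0.0:53
// and every client on the Internet can send it queries it then denies.
options {
    //listen-on port 53 { 127.0.0.1; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { any; };
    recursion no;
};   // assumed: the post's quote ends before the closing brace

// AFTER: bind to loopback only, as the reply above advises.  allow-query { any; }
// is then harmless because only processes on this host can reach the socket.
options {
    listen-on port 53 { 127.0.0.1; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { any; };
    recursion no;
};
```

After restarting named, `ss -lnup` (or `netstat -lnup`) should show port 53 bound to 127.0.0.1 only, and the `query (cache) ... denied` lines stop because nothing outside the host can reach the listener. The one caveat, which the thread does not settle: if this VPS is also the authoritative nameserver for its own domain, a loopback-only listener means outside resolvers can no longer look the domain up; in that case the earlier reply's alternative applies, keep the public listener and restrict which source addresses may reach port 53 with iptables.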

Return to “CentOS 6 - Security Support”