
DNS DDOS - IP Spoofing - isc.org

Posted: 05 Aug 2013, 12:14
by Greee
Hello, for the last 5 days we have been getting a real DDoS on port 53.

EX:
.....
.....
Aug 4 22:34:08 s1 named[10195]: client 85.25.2.8#21707: view external: query (cache) 'isc.org/ANY/IN' denied
Aug 4 22:34:08 s1 named[10195]: client 85.25.2.8#21707: view external: query (cache) 'isc.org/ANY/IN' denied
Aug 4 22:34:08 s1 named[10195]: client 85.25.2.8#21707: view external: query (cache) 'isc.org/ANY/IN' denied
Aug 4 22:34:08 s1 named[10195]: client 85.25.2.8#21707: view external: query (cache) 'isc.org/ANY/IN' denied
Aug 4 22:34:08 s1 named[10195]: client 85.25.2.8#21707: view external: query (cache) 'isc.org/ANY/IN' denied
Aug 4 22:34:09 s1 kernel: Firewall: *Port Flood* IN=eth0 OUT= MAC=00:1e:67:1b:ad:64:00:01:e8:8b:14:e9:08:00 SRC=85.25.2.8 DST=89.40.16.97 LEN=64 TOS=0x00 PREC=0x00 TTL=108 ID=54799 PROTO=UDP SPT=21707 DPT=53 LEN=44
Aug 4 22:34:11 s1 kernel: Firewall: *Port Flood* IN=eth0 OUT= MAC=00:1e:67:1b:ad:64:00:01:e8:8b:14:e9:08:00 SRC=85.25.2.8 DST=89.40.16.107 LEN=64 TOS=0x00 PREC=0x00 TTL=108 ID=18442 PROTO=UDP SPT=21707 DPT=53 LEN=44
Aug 4 22:34:12 s1 lfd[11389]: (bind) bind triggered by 85.25.2.8 (DE/Germany/charlie195.server4you.net): 60 in the last 300 secs - *Blocked in csf* for 604800 secs [LF_BIND]

I have read that this iptables command denies future attacks.
#$IPT -A MY_INPUT -p udp --dport 53 -m string --algo bm --hex-string "isc|03|org" -j LOG --log-prefix 'ATTACK '
$IPT -A MY_INPUT -p udp --dport 53 -m string --algo bm --hex-string "isc|03|org" -j DROP

( Source: http://foxpa.ws/2010/07/21/thwarting-the-isc-org-dns-ddos/ )

How do I load it into CSF?

Can this option be added to the next version? "isc.org" DNS DDoS.

Regards
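The rule quoted above works because iptables' string match is a plain byte-substring search, and `isc|03|org` is the wire-form label sequence `isc`, length byte 0x03, `org` that appears in every query for isc.org. The following Python is an added example, not code from the post or from CSF: it builds DNS queries the way a resolver sends them, decodes the `--hex-string` syntax, and shows that the posted pattern also fires on legitimate A lookups for isc.org and on unrelated names such as misc.org, while a pattern anchored on the leading length byte and the QTYPE ANY field does not. It then replays the lfd "60 in the last 300 secs" trigger seen in the log over constructed named lines. The packets, the log lines, the second client address and the 2013 year used for timestamps are all assumptions made for the example.

```python
"""Added example, not code from the original post: why --hex-string "isc|03|org"
matches the logged ANY queries, what else it matches, a stricter pattern, and an
lfd-style threshold check over constructed named log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime

QTYPE_A, QTYPE_ANY = 1, 255
LOOSE = "isc|03|org"                       # pattern quoted in the post
STRICT = "|03|isc|03|org|00 00 ff 00 01|"  # length-prefixed name, terminator, QTYPE ANY, class IN


def dns_query(qname, qtype, txid=0x1234):
    """Minimal DNS query: 12-byte header, QNAME in wire form, QTYPE, QCLASS IN."""
    header = txid.to_bytes(2, "big") + b"\x01\x00" + b"\x00\x01" + b"\x00" * 6
    wire = b"".join(bytes([len(lab)]) + lab.encode() for lab in qname.strip(".").split("."))
    return header + wire + b"\x00" + qtype.to_bytes(2, "big") + b"\x00\x01"


def hex_string_to_bytes(pattern):
    """Decode xt_string --hex-string syntax: literal text with |..| hex runs."""
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return bytes(out)


def rule_matches(pattern, packet):
    """xt_string scans the packet for the byte string; a substring test does the same."""
    return hex_string_to_bytes(pattern) in packet


def compare_patterns():
    """Which candidate rule fires on which query: {label: (loose_hit, strict_hit)}."""
    probes = {                              # constructed queries, not captured traffic
        "isc.org ANY (the flood)": dns_query("isc.org", QTYPE_ANY),
        "isc.org A (legit lookup)": dns_query("isc.org", QTYPE_A),
        "misc.org ANY (unrelated zone)": dns_query("misc.org", QTYPE_ANY),
        "www.isc.org ANY": dns_query("www.isc.org", QTYPE_ANY),  # STRICT still hits subdomains
    }
    return {k: (rule_matches(LOOSE, p), rule_matches(STRICT, p)) for k, p in probes.items()}


DENIED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: client (?P<ip>[\d.]+)#\d+: "
    r"view \S+: query \(cache\) '(?P<name>[^']+)/ANY/IN' denied$")


def flag_any_flooders(lines, threshold=60, window=300, year=2013):
    """Emulate the lfd LF_BIND trigger from the thread: flag a client once it has
    `threshold` denied ANY queries inside a sliding window of `window` seconds.
    syslog lines carry no year, so one is assumed."""
    recent, flagged = defaultdict(deque), {}
    for line in lines:
        m = DENIED_RE.match(line)
        if not m:                           # kernel / lfd lines are not query denials
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) >= threshold and m["ip"] not in flagged:
            flagged[m["ip"]] = (ts, m["name"])
    return flagged


def sample_log(flooder="85.25.2.8", n=60):
    """Constructed lines in the format posted in the thread (not real traffic)."""
    tmpl = ("Aug 4 22:34:{:02d} s1 named[10195]: client {}#21707: view external: "
            "query (cache) 'isc.org/ANY/IN' denied")
    lines = [tmpl.format(8 + i // 10, flooder) for i in range(n)]      # ~10 queries/second
    lines += [tmpl.format(8, "198.51.100.7")] * 3                        # quiet client, assumed
    lines.append("Aug 4 22:34:09 s1 kernel: Firewall: *Port Flood* IN=eth0 OUT= "
                 "SRC=85.25.2.8 DST=89.40.16.97 PROTO=UDP SPT=21707 DPT=53 LEN=44")
    return lines


if __name__ == "__main__":
    for label, (loose, strict) in compare_patterns().items():
        print(f"{label:32} loose={loose!s:5} strict={strict}")
    print(flag_any_flooders(sample_log()))
```

Two caveats that follow from the output. First, the thread's title says it: the source addresses in a reflection flood are spoofed, so 85.25.2.8 is most likely the victim being reflected at, and the csf block lfd applied to it punishes that victim rather than the attacker; a DROP on the query pattern spares named the work of answering without adding a block entry, which is the better reaction. Second, the stricter pattern keeps matching ANY queries for names under isc.org, because string match cannot anchor at the start of the question section without byte offsets; if that matters, the response rate limiting and `allow-query` controls in BIND itself are the precise tools, and the iptables rule is only a cheap first filter.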

Re: DNS DDOS - IP Spoofing - isc.org

Posted: 30 Aug 2013, 15:17
by rustelekom
Hello,

You could load your own rules into the file csfpost.sh or csfpre.sh. Please read readme.txt in the /etc/csf folder for details.

Regards