CentOS - Nov 2015 - Server used in DOS attack on UDP port 0

Hi,

One of our AWS machines was used in an DOS attack last night and I am
looking for possible attack vectors. AWS tells me it was sending UDP port 0
traffic to a cloudflare address.

This instance had an incorrectly configured AWS security group exposing all
ports.

The server in question is a Centos 7 based FreeIPA server, OpenVPN
concentrator and DNS server.

With a brief inspection before the instance was stopped no evidence of
intrusion could be detected in the obvious places and the machine is
protected by standard SELinux policies.

On this machine Firewalld is currently configured with a single zone with
masquerade enabled

firewalld config.
public (default, active)
  interfaces: eth0
  sources:
  services: dhcpv6-client dns http https kerberos kpasswd ldap ldaps ntp
openvpn ssh
  ports: 81/tcp
  masquerade: yes
  forward-ports:
  icmp-blocks:
  rich rules:

Thanks,

Andrew

Have you a public IP on the server? Take a loot at your DNS 
configuration it could be an open resolver

http://openresolver.com/

Did you run basic checks like rkhunter and so on?

Is there password login enabled or only public key on ssh service.

Weak passwords on ssh is usually primary reason on system compromise.

Eero
4.11.2015 12.23 ip. "Andrew Holway" <andrew.holway at gmail.com>
kirjoitti:
> Hi,
>
> One of our AWS machines was used in an DOS attack last night and I am
> looking for possible attack vectors. AWS tells me it was sending UDP port 0
> traffic to a cloudflare address.
>
> This instance had an incorrectly configured AWS security group exposing all
> ports.
>
> The server in question is a Centos 7 based FreeIPA server, OpenVPN
> concentrator and DNS server.
>
> With a brief inspection before the instance was stopped no evidence of
> intrusion could be detected in the obvious places and the machine is
> protected by standard SELinux policies.
>
> On this machine Firewalld is currently configured with a single zone with
> masquerade enabled
>
> firewalld config.
> public (default, active)
>   interfaces: eth0
>   sources:
>   services: dhcpv6-client dns http https kerberos kpasswd ldap ldaps ntp
> openvpn ssh
>   ports: 81/tcp
>   masquerade: yes
>   forward-ports:
>   icmp-blocks:
>   rich rules:
>
> Thanks,
>
> Andrew
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
>

On Wed, November 4, 2015 4:22 am, Andrew Holway wrote:
> Hi,
>
> One of our AWS machines was used in an DOS attack last night and I am
> looking for possible attack vectors.
Is it AWS as in Amazon Web Services?
> AWS tells me it was sending UDP port
> 0
> traffic to a cloudflare address.
Ironic, cloudflare is known as you can not get abused who hides behind
them (therefore some people just block all traffic to/from them), and now
they are becoming the victims of the same. I would recommend to block
traffic to cloudflare address blocks on the level of routing tables
(google that) - may help you in a future.
>
> This instance had an incorrectly configured AWS security group exposing
> all
> ports.
>
> The server in question is a Centos 7 based FreeIPA server, OpenVPN
> concentrator and DNS server.
>
> With a brief inspection before the instance was stopped no evidence of
> intrusion could be detected in the obvious places
As far as I know (someone correct me) regular user can send UDP packets
(regular user can not do UDP port scan but that is purely as root access
is necessary to _read_ raw socket, i.e. read response, sending is doable).
That is for this particular incident I wouldn't suspect root compromise
right away. Check which users were connected (run processes rather) at a
time in question, and check the activity. psacct (if enabled) is your
friend.
> and the machine is
> protected by standard SELinux policies.
Hm, I personally am a bit sceptical about SELinux. Its protection (of
vulnerable system) IMHO is grossly overestimated. It helps some, but I'd
rather have kernel without SELinux (not possible already, of course, the
tons of SELinux code _is_ already in the kernel, with all potential
bugs...)

Somebody already suggested nice tool (rootkit hunter). I would mention
http://www.chkrootkit.org/. I also would add to forensics (especially if
you didn't reboot yet) comparison of what you get internally (like open
ports, and whole tree of files on machine with file checksums) and
externally (like external port scan after you turned off machine firewall)
with list of files after you mount machine's drive(s) on sane box.

Good luck on forensics!

Valeri
>
> On this machine Firewalld is currently configured with a single zone with
> masquerade enabled
>
> firewalld config.
> public (default, active)
>   interfaces: eth0
>   sources:
>   services: dhcpv6-client dns http https kerberos kpasswd ldap ldaps ntp
> openvpn ssh
>   ports: 81/tcp
>   masquerade: yes
>   forward-ports:
>   icmp-blocks:
>   rich rules:
>
> Thanks,
>
> Andrew
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
>

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++

Am 04.11.2015 um 11:22 schrieb Andrew Holway:
> The server in question is a Centos 7 based FreeIPA server, OpenVPN
> concentrator and DNS server.
Can have been a DNS amplification attack.

https://www.us-cert.gov/ncas/alerts/TA13-088A

https://blog.cloudflare.com/deep-inside-a-dns-amplification-ddos-attack/

Alexander