I've placed my DNSDDOS action files at
http://www.shorewall.net/pub/shorewall/contrib/DNSDDOS/. See the
aaREADME.txt file.

Shorewall-perl users should be able to use it as-is.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
This SF.net email is sponsored by: SourceForge Community
SourceForge wants to tell your story.
http://p.sf.net/sfu/sf-spreadtheword
Sir,

Squid 3.1 has a built-in feature to differentiate local cache hits. From Squid-cache.org:

    qos_flows local-hit=0xff
        Responses found as a HIT in the local cache

I want to put Linux TC with MARK 4 on the high speed LAN so that I need not penalize for the cache content. Where should I change this in Shorewall? tc is outside shorewall. I am using WEBHTB, a Web enabled HTB frontend using Ajax, MySql, Htbtools and generating tc rules. I need shorewall to MARK squid cache HIT as 0x04.

I think if I have to do it with raw iptables I have to write:

    iptables -t mangle -A FORWARD -m tcp -p tcp --sport 80 -d 192.168.0.0/24 -j MARK --set-mark 4
    iptables -t mangle -A FORWARD -m mark --mark 4 -j TOS --set-tos 4

Regards
Rayudu.
Rayudu Madhava wrote:
> Where should I change this in Shorewall..

In the tcrules file -- 'man shorewall-tcrules'.

And don't hijack a thread on this list again if you want to continue to post here.

-Tom
Tom Eastep wrote:
> I've placed my DNSDDOS action files at
> http://www.shorewall.net/pub/shorewall/contrib/DNSDDOS/. See the
> aaREADME.txt file.
>
> Shorewall-perl users should be able to use it as-is.

It seems like 90+% of DNS queries against my name server are DDoS:

Counters reset Sat Jan 31 19:02:01 PST 2009

Chain DNSDDOS (1 references)
 pkts bytes target     prot opt in     out     source               destination
 4675  210K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           STRING match "|010000010000000000000000020001|" ALGO name bm FROM 29 TO 30
  330 23531 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
gateway:/etc/shorewall #

-Tom
On Sat, 2009-01-31 at 20:10 -0800, Tom Eastep wrote:
>
> It seems like 90+% of DNS queries against my name server are DDoS:
>
> Counters reset Sat Jan 31 19:02:01 PST 2009
>
> Chain DNSDDOS (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>  4675  210K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           STRING match "|010000010000000000000000020001|" ALGO name bm FROM 29 TO 30
>   330 23531 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
> gateway:/etc/shorewall #

Damn. I have an iptables installation with the older, 1.3.3 string match which doesn't support the --algo, --from and --to modifiers.

What are the --to and --from arguments? I would guess byte offsets from somewhere, probably the packet start. But 29-30 is only two bytes. How does that compute with a "hex-string" of "|010000010000000000000000020001|"?

Thanx for any clarification you can provide.

b.
Brian J. Murrell wrote:
> On Sat, 2009-01-31 at 20:10 -0800, Tom Eastep wrote:
>> It seems like 90+% of DNS queries against my name server are DDoS:
>>
>> Counters reset Sat Jan 31 19:02:01 PST 2009
>>
>> Chain DNSDDOS (1 references)
>>  pkts bytes target     prot opt in     out     source               destination
>>  4675  210K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           STRING match "|010000010000000000000000020001|" ALGO name bm FROM 29 TO 30
>>   330 23531 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
>> gateway:/etc/shorewall #
>
> Damn. I have an iptables installation with the older, 1.3.3 string
> match which doesn't support the --algo, --from and --to modifiers.
>
> What are the --to and --from arguments? I would guess byte offsets from
> somewhere, probably the packet start.
>
> But 29-30 is only two bytes. How does that compute with a "hex-string" of
> "|010000010000000000000000020001|"?
>
> Thanx for any clarification you can provide.

As is normally the case with iptables/Netfilter, documentation is practically non-existent; you get to learn how it works by a combination of code reading and experimentation.

From what I've gleaned, --from and --to specify a byte offset range from the beginning of the IP header that is to be searched for *the first byte of the pattern*. The signature pattern begins at byte offset 30. I have changed the DNSDDOS file to specify "--from 30 --to 31" rather than "--from 29 --to 30"; while either way works, there is no point in looking at offset 29.

The implementation is somewhat broken in my view. When the rule is being loaded into the kernel, an error is raised if from_offset > to_offset. But if the two are equal, no searching occurs because the search itself starts with "if from_offset + consumed >= to_offset then we're done", where 'consumed' is the number of bytes already examined (initially zero). So in practice, --from must be strictly less than --to.

Another thing to note: just because you specify --hex-string rather than --string doesn't cause the following string to be interpreted as a hex string! To be considered a hex string, it must begin and end with '|'. I wasted a good hour yesterday before I did enough code reading to grok that undocumented 'feature'.

As a side note, the rate of attack seems to be down this morning; I'm only seeing 40-50% bogus queries.

-Tom
Tom Eastep wrote:
> I've placed my DNSDDOS action files at
> http://www.shorewall.net/pub/shorewall/contrib/DNSDDOS/. See the
> aaREADME.txt file.
>
> Shorewall-perl users should be able to use it as-is.

As with Perl, with Shorewall "there is more than one way to do it". You can also accomplish the same thing using /etc/shorewall/compile:

--------------
use strict;
use Shorewall::Chains;

# Create (or fetch) the manual chain that the rules file will jump to.
my $chainref = ensure_manual_chain qw/DNSDDOS/;

# Drop the root-NS query signature, then accept everything else.
add_rule $chainref, q(-m string --algo bm --from 30 --to 31 --hex-string "|010000010000000000000000020001|" -j DROP);
add_rule $chainref, q(-j ACCEPT);

1;
---------------

As with the action technique, the first add_rule call should be on a single line. The rules file change is the same as when using the files at the URL above; see the aaREADME.txt file.

-Tom
Tom Eastep said the following, On 01/31/2009 08:07 PM:
> I've placed my DNSDDOS action files at
> http://www.shorewall.net/pub/shorewall/contrib/DNSDDOS/. See the
> aaREADME.txt file.
>
> Shorewall-perl users should be able to use it as-is.
>
> -Tom

I am not seeing any.

Counters reset Sun Feb 1 12:02:03 CST 2009

Chain DNSDDOS (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           STRING match "|010000010000000000000000020001|" ALGO name bm FROM 30 TO 31
 3482  210K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Yet they are still coming.

03-Feb-2009 09:42:46.115 client 76.9.16.171#63994: view world: query (cache) './NS/IN' denied

------------------------------------------------------------------------------
Create and Deploy Rich Internet Apps outside the browser with Adobe(R)AIR(TM)
software. With Adobe AIR, Ajax developers can use existing skills and code to
build responsive, highly engaging applications that combine the power of local
resources and data with the reach of the web. Download the Adobe AIR SDK and
Ajax docs to start building applications today-http://p.sf.net/sfu/adobe-com
Steve Ladewig wrote:
> Tom Eastep said the following, On 01/31/2009 08:07 PM:
>> I've placed my DNSDDOS action files at
>> http://www.shorewall.net/pub/shorewall/contrib/DNSDDOS/. See the
>> aaREADME.txt file.
>>
>> Shorewall-perl users should be able to use it as-is.
>>
>> -Tom
>
> I am not seeing any.
>
> Counters reset Sun Feb 1 12:02:03 CST 2009
>
> Chain DNSDDOS (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           STRING match "|010000010000000000000000020001|" ALGO name bm FROM 30 TO 31
>  3482  210K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
>
> Yet they are still coming.
>
> 03-Feb-2009 09:42:46.115 client 76.9.16.171#63994: view world: query
> (cache) './NS/IN' denied
>

Then you will have to use Wireshark and see what the packets that you are receiving look like.

-Tom
Tom Eastep said the following, On 02/03/2009 09:52 AM:
> Steve Ladewig wrote:
>> Tom Eastep said the following, On 01/31/2009 08:07 PM:
>>> I've placed my DNSDDOS action files at
>>> http://www.shorewall.net/pub/shorewall/contrib/DNSDDOS/. See the
>>> aaREADME.txt file.
>>>
>>> Shorewall-perl users should be able to use it as-is.
>>>
>>> -Tom
>> I am not seeing any.
>>
>> Counters reset Sun Feb 1 12:02:03 CST 2009
>>
>> Chain DNSDDOS (1 references)
>>  pkts bytes target     prot opt in     out     source               destination
>>     0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           STRING match "|010000010000000000000000020001|" ALGO name bm FROM 30 TO 31
>>  3482  210K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
>>
>> Yet they are still coming.
>>
>> 03-Feb-2009 09:42:46.115 client 76.9.16.171#63994: view world: query
>> (cache) './NS/IN' denied
>>
>
> Then you will have to use Wireshark and see what the packets that you
> are receiving look like.

I see the pattern at offset 30 but the rule misses it.

10:05:44.057686 IP 76.9.16.171.63109 > 64.108.225.55.domain: 15117+ NS? . (17)
        0x0000:  4500 002d c775 0000 3411 40f3 4c09 10ab
        0x0010:  406c e137 f685 0035 0019 4b9b 3b0d 0100
        0x0020:  0001 0000 0000 0000 0000 0200 0100

If I change the offset back 1 byte to 29 the rule does work.

Counters reset Tue Feb 3 13:43:16 CST 2009

Chain DNSDDOS (1 references)
 pkts bytes target     prot opt in     out     source               destination
    4   180 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           STRING match "|010000010000000000000000020001|" ALGO name bm FROM 29 TO 31
   11   627 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Thanks,
steve
Steve Ladewig wrote:
> Tom Eastep said the following, On 02/03/2009 09:52 AM:
>> Then you will have to use Wireshark and see what the packets that you
>> are receiving look like.
>
>
> I see the pattern at offset 30 but the rule misses it.
>
> 10:05:44.057686 IP 76.9.16.171.63109 > 64.108.225.55.domain: 15117+ NS? . (17)
>         0x0000:  4500 002d c775 0000 3411 40f3 4c09 10ab
>         0x0010:  406c e137 f685 0035 0019 4b9b 3b0d 0100
>         0x0020:  0001 0000 0000 0000 0000 0200 0100
>
> If I change the offset back 1 byte to 29 the rule does work.

Thanks for the update. I've changed the code on the primary web site to check 29 through 31. That change will percolate out to the mirrors over the next several hours.

I assume that this reflects differences between Netfilter versions; sigh.

-Tom
Tom

Now that you have a system to fix it, it looks like there is another method in the works :-(
http://www.scmagazineus.com/New-style-of-DNS-amplification-can-yield-powerful-DDoS-attacks/article/126839/?DCMP=EMC-SCUS_Newswire

John
-- 
John McMonagle
IT Manager
Advocap Inc.
John McMonagle wrote:
> Tom
>
> Now that you have a system to fix it, it looks like there is another method
> in the works :-(
> http://www.scmagazineus.com/New-style-of-DNS-amplification-can-yield-powerful-DDoS-attacks/article/126839/?DCMP=EMC-SCUS_Newswire
>

I didn't see anything new in that article. Did I miss something?

-Tom
Tom Eastep wrote:
> John McMonagle wrote:
>
>> Tom
>>
>> Now that you have a system to fix it, it looks like there is another method
>> in the works :-(
>> http://www.scmagazineus.com/New-style-of-DNS-amplification-can-yield-powerful-DDoS-attacks/article/126839/?DCMP=EMC-SCUS_Newswire
>>
>>
>
> I didn't see anything new in that article. Did I miss something?
>
> -Tom
>

New query now "." instead of "./IN/NS".

-- 
John McMonagle
IT Manager
Advocap Inc.
John McMonagle wrote:
> Tom Eastep wrote:
>> John McMonagle wrote:
>>
>>> Tom
>>>
>>> Now that you have a system to fix it, it looks like there is another method
>>> in the works :-(
>>> http://www.scmagazineus.com/New-style-of-DNS-amplification-can-yield-powerful-DDoS-attacks/article/126839/?DCMP=EMC-SCUS_Newswire
>>>
>>>
>> I didn't see anything new in that article. Did I miss something?
>>
>> -Tom
>>
> New query now "." instead of "./IN/NS".
>

I sure don't get that out of the article:

  “This new tactic uses a very short query, asking simply the name servers for the ‘.’ domain [a single dot],” he wrote Monday in an analysis of DNS amplification. “This domain is the root server domain, so the answer is large [or long]. A list of all the root domain name servers is sent back in response.”

That's exactly what we've been dealing with.

-Tom
Hello:

Tom Eastep wrote:
> I've placed my DNSDDOS action files at
> http://www.shorewall.net/pub/shorewall/contrib/DNSDDOS/. See the
> aaREADME.txt file.
>
> Shorewall-perl users should be able to use it as-is.

The filter seems to be working well. But I've still seen some sporadic

  client 213.61.92.192#23951: query (cache) './NS/IN' denied

in my logfile.

I did some investigation and found that the hexstring is a bit different than what is in your rule. Here is a comparison:

  Your: 0100 0001 0000 0000 0000 0000 0200 01
  Mine: 0000 0001 0000 0000 0000 0000 0200 01
         ^
         Difference

As per Wireshark, your rule is looking for a recursive query, while the packets I've been seeing are looking for a non-recursive query.

Questions: is what I'm seeing another variant of the DNSDDOS attack, or am I maybe seeing these for some legitimate reason?

Thanks for any input you have, and thanks for a great product!

-- 
Brian Schang

------------------------------------------------------------------------------
Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA
-OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise
-Strategies to boost innovation and cut costs with open source participation
-Receive a $600 discount off the registration fee with the source code: SFAD
http://p.sf.net/sfu/XcvMzF8H
Brian Schang wrote:
> Hello:
>
> Tom Eastep wrote:
>> I've placed my DNSDDOS action files at
>> http://www.shorewall.net/pub/shorewall/contrib/DNSDDOS/. See the
>> aaREADME.txt file.
>>
>> Shorewall-perl users should be able to use it as-is.
>
> The filter seems to be working well. But I've still seen some sporadic
>   client 213.61.92.192#23951: query (cache) './NS/IN' denied
> in my logfile.
>
> I did some investigation and found that the hexstring is a bit different
> than what is in your rule. Here is a comparison:
>
>   Your: 0100 0001 0000 0000 0000 0000 0200 01
>   Mine: 0000 0001 0000 0000 0000 0000 0200 01
>          ^
>          Difference
>
> As per Wireshark, your rule is looking for a recursive query, while the
> packets I've been seeing are looking for a non-recursive query.
>
> Questions: is what I'm seeing another variant of the DNSDDOS attack, or
> am I maybe seeing these for some legitimate reason?
>
> Thanks for any input you have, and thanks for a great product!
>

Looks like another variant -- I'll update the action.

Thanks,
-Tom
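The script below is an added example for this thread, not code from Shorewall, Netfilter or any of the posters. It decodes the tcpdump hex dump Steve posted earlier, derives where the 15-byte signature must start (IHL*4 + 8 bytes of UDP header + 2 bytes of DNS ID, i.e. offset 30 from the IP header when there are no IP options), applies the '|...|' hex-string convention Tom described, and shows why Brian's non-recursive queries slip past the original pattern. The RD-cleared packet is constructed here by flipping one bit in Steve's capture.

```python
import struct

# tcpdump -x output quoted in Steve Ladewig's message (IP header onward).
STEVE_DUMP = """
0x0000: 4500 002d c775 0000 3411 40f3 4c09 10ab
0x0010: 406c e137 f685 0035 0019 4b9b 3b0d 0100
0x0020: 0001 0000 0000 0000 0000 0200 0100
"""

# The two 15-byte signatures from the thread, in iptables --hex-string syntax.
SIG_RECURSIVE = "|010000010000000000000000020001|"     # Tom's original action
SIG_NONRECURSIVE = "|000000010000000000000000020001|"  # Brian Schang's variant

def parse_tcpdump_hex(dump):
    """Turn 'tcpdump -x' lines such as '0x0010: 406c e137 ...' back into bytes."""
    out = bytearray()
    for line in dump.strip().splitlines():
        _, _, words = line.partition(":")
        out += bytes.fromhex(words.replace(" ", ""))
    return bytes(out)

def hex_string_to_bytes(pattern):
    """Mirror the undocumented rule Tom found: only a '|...|' argument is hex."""
    if not (pattern.startswith("|") and pattern.endswith("|")):
        raise ValueError("hex-string must begin and end with '|'")
    return bytes.fromhex(pattern.strip("|"))

def dns_offset(pkt):
    """Offset of the DNS header from the start of the IP header: IHL*4 + 8 (UDP)."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 17:
        raise ValueError("not a UDP packet")
    return ihl + 8

def describe_query(pkt):
    """Decode the DNS fields the thread argues about (flags, QNAME, QTYPE, QCLASS)."""
    d = dns_offset(pkt)
    total_len = struct.unpack("!H", pkt[2:4])[0]   # ignore trailing pad bytes
    dns = pkt[d:total_len]
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", dns[:12])
    qname_end = 12 + dns[12:].index(0) + 1         # '.' is a lone zero-length label
    qtype, qclass = struct.unpack("!HH", dns[qname_end:qname_end + 4])
    return {
        "txid": txid,
        "signature_offset_expected": d + 2,        # signature starts at the flags word
        "rd": bool(flags & 0x0100),                # RD bit: recursive or not
        "root_query": qname_end == 13,
        "qtype": qtype,                            # 2 == NS
        "qclass": qclass,                          # 1 == IN
    }

def signature_offset(pkt, pattern):
    """Where the --hex-string pattern actually occurs in the packet, or -1."""
    return pkt.find(hex_string_to_bytes(pattern))

def clear_rd(pkt):
    """Constructed variant of the same packet with the RD bit cleared, as in
    Brian Schang's capture. Only the pattern matters here, so no checksum fix."""
    b = bytearray(pkt)
    b[dns_offset(pkt) + 2] &= 0xFE
    return bytes(b)

if __name__ == "__main__":
    pkt = parse_tcpdump_hex(STEVE_DUMP)
    print(describe_query(pkt))
    for name, sig in (("recursive", SIG_RECURSIVE), ("non-recursive", SIG_NONRECURSIVE)):
        print(name, "original:", signature_offset(pkt, sig),
              "RD cleared:", signature_offset(clear_rd(pkt), sig))
```

A packet carrying IP options (IHL above 5) would shift the whole DNS header, so the offset this reports is what any --from/--to window has to cover, not a constant.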
Tom Eastep wrote:
> Looks like another variant -- I'll update the action.

http://www1.shorewall.net/pub/shorewall/contrib/DNSDDOS/DNSDDOS has been updated.

-Tom
Tom:

Tom Eastep wrote:
> Tom Eastep wrote:
>> Looks like another variant -- I'll update the action.
>
> http://www1.shorewall.net/pub/shorewall/contrib/DNSDDOS/DNSDDOS has been
> updated.

Thank you!

-- 
Brian Schang