Luca Camillo
2013-Sep-23 12:41 UTC
Custom iptables rules to drop DNS Amplification Attacks
Hi all,

I need help to implement this kind of rule on shorewall:

iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x055a5a47 && 0x2c&0xDFDFFFDF=0x53540343 && 0x30&0xDFDFFFFF=0x4f4d0000" -j DROP

This kind of rule needs to block a DNS Amplification Attack.
I found this file https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt where we can find iptables rules to prevent this kind of attack by filtering message requests.

I already found http://www.shorewall.net/pub/shorewall/contrib/DNSDDOS/ but it seems old and ineffective.

Is there any way to do that on shorewall?

Best regards
Luca
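Added example (mine, not from this thread or the shorewall project): a small Python helper that decodes what a u32 expression of the shape quoted above matches, and builds the same kind of case-insensitive QNAME match for another name. It assumes a plain 20-byte IPv4 header, so that u32 offset 0x28 is the first byte of the question name, and the name it recovers from the quoted rule is derived from the rule's bytes, not stated anywhere in the thread.

```python
import re
import string

QNAME_OFFSET = 20 + 8 + 12   # 0x28: IPv4 header + UDP header + DNS header
LETTERS = set(string.ascii_letters)
U32_WORD = re.compile(r"0x([0-9a-f]+)&0x([0-9a-f]+)=0x([0-9a-f]+)", re.I)

def encode_qname(name):
    """Wire-format QNAME: length-prefixed labels ending in a 0x00 byte."""
    out = bytearray()
    for label in name.strip(".").split("."):
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)

def build_u32(name):
    """u32 expression matching `name` case-insensitively in the question.
    Letters: mask 0xDF (clears the 0x20 case bit) vs. uppercase value; length
    bytes and the 0x00 terminator are compared exactly. Padding after the
    terminator is don't-care (mask 0x00); the thread's rule instead pins the
    QTYPE high byte to 0x00 (mask 0xFF), the only byte where it differs."""
    pairs = []                            # (mask, value) per byte
    for b in encode_qname(name):
        is_letter = chr(b) in LETTERS
        pairs.append((0xDF, b & 0xDF) if is_letter else (0xFF, b))
    pairs += [(0x00, 0x00)] * (-len(pairs) % 4)   # pad to 32-bit words
    words = []
    for i in range(0, len(pairs), 4):
        m = int.from_bytes(bytes(p[0] for p in pairs[i:i + 4]), "big")
        v = int.from_bytes(bytes(p[1] for p in pairs[i:i + 4]), "big")
        words.append("0x%x&0x%08X=0x%08x" % (QNAME_OFFSET + i, m, v))
    return " && ".join(words)

def decode_u32(expr):
    """Recover the QNAME a u32 expression of this shape matches."""
    known = {}                            # absolute offset -> constrained byte
    for off, mask, val in U32_WORD.findall(expr):
        m = int(mask, 16).to_bytes(4, "big")
        v = int(val, 16).to_bytes(4, "big")
        for i in range(4):
            if m[i]:                      # mask 0x00 means "don't care"
                known[int(off, 16) + i] = v[i]
    labels, pos = [], QNAME_OFFSET
    while known[pos]:                     # a 0x00 length byte ends the name
        n = known[pos]
        labels.append(bytes(known[pos + 1 + j] for j in range(n)).decode().lower())
        pos += 1 + n
    return ".".join(labels)
```

Feeding the expression from the rule above to decode_u32 shows which name it blocks, and build_u32 reproduces its first two words byte for byte.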
Tom Eastep
2013-Sep-23 17:47 UTC
Re: Custom iptables rules to drop DNS Amplification Attacks
On 9/23/2013 5:41 AM, Luca Camillo wrote:
> Hi all, I need help to implement this kind of rule on shorewall:
> iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x055a5a47 && 0x2c&0xDFDFFFDF=0x53540343 && 0x30&0xDFDFFFFF=0x4f4d0000" -j DROP
>
> This kind of rule needs to block a DNS Amplification Attack.
> I found this file https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt where we can find iptables rules to prevent this kind of attack by filtering message requests.
>
> I already found http://www.shorewall.net/pub/shorewall/contrib/DNSDDOS/ but it seems old and ineffective.
>
> Is there any way to do that on shorewall?

Yes.

/etc/shorewall/actions:

    DNSR

/etc/shorewall/rules:

    DNSR    net    all    udp    53

Attached is a file named action.DNSR which needs to be moved to /etc/shorewall. That file only implements the first three rules from the example -- the rest are left to those that want to implement this (I think it is pretty obvious how to add the additional rules).

Also attached is a patch which must be applied to Config.pm. That file may be installed in /usr/share/shorewall/Shorewall or somewhere under /usr/share/perl*.

    patch <path to>/Config.pm < ADDCOMMENT.patch

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
Luca Camillo
2013-Sep-30 19:27 UTC
Re: Custom iptables rules to drop DNS Amplification Attacks
Thank you very much Tom for this solution, but I have a problem with the new function set_comment during compilation:

    Checking /etc/shorewall/action.DNSR for chain DNSR...
    ERROR: Undefined subroutine &Shorewall::User::set_comment called at /etc/shorewall/action.DNSR line 22.

Naturally I patched the file /usr/share/shorewall/Shorewall/Config.pm

shorewall version: 4.5.18

After some searching I found a stupid fix but I want you to approve it!
I added "use Shorewall::Config qw(:DEFAULT :internal);" after the add_drop_rule definition.
I can't test it now.. What do you think about it?

Thanks for support
Luca

----- Original Message -----
| From: "Tom Eastep" <teastep@shorewall.net>
| To: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
| Sent: Monday, 23 September 2013 19:47:17
| Subject: Re: [Shorewall-users] Custom iptables rules to drop DNS Amplification Attacks
|
| On 9/23/2013 5:41 AM, Luca Camillo wrote:
| > Hi all, I need help to implement this kind of rule on
| > shorewall:
| > iptables --insert INPUT -p udp --dport 53 -m u32 --u32
| > "0x28&0xFFDFDFDF=0x055a5a47 && 0x2c&0xDFDFFFDF=0x53540343 &&
| > 0x30&0xDFDFFFFF=0x4f4d0000" -j DROP
| >
| > This kind of rule needs to block a DNS Amplification Attack.
| > I found this file
| > https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt
| > where we can find iptables rules to prevent this kind of attack by
| > filtering message requests.
| >
| > I already found
| > http://www.shorewall.net/pub/shorewall/contrib/DNSDDOS/ but it seems
| > old and ineffective.
| >
| > Is there any way to do that on shorewall?
|
| Yes.
|
| /etc/shorewall/actions:
|
|     DNSR
|
| /etc/shorewall/rules:
|
|     DNSR    net    all    udp    53
|
| Attached is a file named action.DNSR which needs to be moved to
| /etc/shorewall. That file only implements the first three rules from the
| example -- the rest are left to those that want to implement this (I
| think it is pretty obvious how to add the additional rules).
|
| Also attached is a patch which must be applied to Config.pm. That file
| may be installed in /usr/share/shorewall/Shorewall or somewhere under
| /usr/share/perl*.
|
|     patch <path to>/Config.pm < ADDCOMMENT.patch
|
| -Tom
Tom Eastep
2013-Sep-30 20:17 UTC
Re: Custom iptables rules to drop DNS Amplification Attacks
On 9/30/2013 12:27 PM, Luca Camillo wrote:
> Thank you very much Tom for this solution, but I have a problem with the new function set_comment during compilation:
>
> Checking /etc/shorewall/action.DNSR for chain DNSR...
> ERROR: Undefined subroutine &Shorewall::User::set_comment called at /etc/shorewall/action.DNSR line 22.
>
> Naturally I patched the file /usr/share/shorewall/Shorewall/Config.pm
>
> shorewall version: 4.5.18
>
> After some searching I found a stupid fix but I want you to approve it!
> I added "use Shorewall::Config qw(:DEFAULT :internal);" after the add_drop_rule definition.
> I can't test it now.. What do you think about it?

With the patch, you should only need:

    use Shorewall::Config;

See

-Tom