Posted on 2006-02-15 13:22:52,  modified on 2006-02-15 13:55:21
Tags: Networking,  DNS,  DDOS
Dear Script kiddies, Blackmailers and other thugs on the internet,
Please stop abusing my computer as a reflector for your 'greater plans' on the Internet.
Edwin
13:05
I get a phone call via my VoIP phone. Halfway through the call, it just drops dead and I see the phone rebooting. Funny, not something I see often since I moved from wireless ADSL to just-use-an-ethernet-ADSL.
13:06
My VPN connection is... getting... very... sluggish. Yes, sluggish is the word. Trafshow to the rescue!
13:06
Wonder why there is so much DNS traffic going on:
From Address            To Address              Prot    Bytes      CPS
63.214.168.62..15796    192.168.1.1..53         udp     48193      11632
192.168.1.1..53         63.214.168.62..15796    udp     488276     65655
A general WTF comes up in my mind. Anyway, now that I know it's DNS traffic, let's see what it is.
13:07
# tcpdump -s 1500 -ni sk0 port 53
13:07:17.035118 IP 63.214.168.62.20435 > 192.168.1.1.53: 15043+ [1au] ANY ANY? x.p.ctrc.cc. (40)
13:07:17.035258 IP 192.168.1.1.53 > 63.214.168.62.20435: 15043- 1/1/2 TXT[|domain]
13:07:17.176355 IP 63.214.168.62.15879 > 192.168.1.1.53: 13909+ [1au] ANY ANY? x.p.ctrc.cc. (40)
13:07:17.176515 IP 192.168.1.1.53 > 63.214.168.62.20435: 13909- 1/1/2 TXT[|domain]
13:07:17.225230 IP 208.222.0.82.9761 > 192.168.1.1.53: 24263+ [1au] ANY ANY? x.p.ctrc.cc. (40)
13:07:17.225398 IP 192.168.1.1.53 > 208.222.0.82.9761: 24263- 1/1/2 TXT[|domain]
Somebody is asking my nameserver for x.p.ctrc.cc. Why me? And why do I give answers (and why is 1500 bytes not enough to hold the answer)?
First things first:
13:09
# ipfw -a l
ipfw add 50 deny udp from 63.214.168.62 to me dst-port 53
ipfw add 51 deny udp from 208.222.0.82 to me dst-port 53
Why does my nameserver actually answer this request? I mean, I'm not authoritative and I have disabled recursion and I have... oh wait... This new machine still has a virgin named running.
acl nobody {
        none;
};
acl everybody {
        any;
};
acl we {
        192.168.0.0/16;
        127.0.0.0/8;
};
options {
        allow-recursion {
                we;
        };
};
I forgot, the payload. Why wasn't 1500 bytes enough to hold the answer?
$ dig x.p.ctrc.cc any
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.3.1 <<>> x.p.ctrc.cc any
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55082
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;x.p.ctrc.cc.                   IN      ANY

;; ANSWER SECTION:
x.p.ctrc.cc.            81842   IN      TXT     "............................... ................................................................................ ................................................................................ ................................................................" "............. ................................................................................ ................................................................................ ................................................................................ .." "........................................................................... ................................................................................ [...] ............................................................................" ". ................................................................................ ........"

;; AUTHORITY SECTION:
p.ctrc.cc.              81842   IN      NS      321blowjob.com.

;; ADDITIONAL SECTION:
321blowjob.com.         27224   IN      A       66.98.217.195

;; Query time: 12 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Feb 15 13:30:05 2006
;; MSG SIZE  rcvd: 4015
That's 4015 bytes of data to be sent out for every request. No wonder my VoIP phone dropped out.
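As an added example, not part of the original post: a small Python script that parses tcpdump lines in the format shown above, keeps only inbound type-ANY queries, and flags source addresses that repeat the same ANY question. The sample lines are constructed from the capture above plus one ordinary A query; the 4015-byte response size comes from the dig output.

```python
import re
from collections import Counter

# Constructed sample: the tcpdump lines from the capture above plus one
# harmless A query, to show that only the reflection pattern is flagged.
SAMPLE = """\
13:07:17.035118 IP 63.214.168.62.20435 > 192.168.1.1.53: 15043+ [1au] ANY ANY? x.p.ctrc.cc. (40)
13:07:17.035258 IP 192.168.1.1.53 > 63.214.168.62.20435: 15043- 1/1/2 TXT[|domain]
13:07:17.176355 IP 63.214.168.62.15879 > 192.168.1.1.53: 13909+ [1au] ANY ANY? x.p.ctrc.cc. (40)
13:07:17.176515 IP 192.168.1.1.53 > 63.214.168.62.20435: 13909- 1/1/2 TXT[|domain]
13:07:17.225230 IP 208.222.0.82.9761 > 192.168.1.1.53: 24263+ [1au] ANY ANY? x.p.ctrc.cc. (40)
13:07:17.225398 IP 192.168.1.1.53 > 208.222.0.82.9761: 24263- 1/1/2 TXT[|domain]
13:07:18.001000 IP 10.9.8.7.40001 > 192.168.1.1.53: 1+ A? www.example.com. (33)
"""

# Matches a query (trailing '+' on the id) to port 53. tcpdump prints the
# class only when it is not IN, hence "ANY ANY?" = class ANY, type ANY.
QUERY_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.53: (?P<id>\d+)\+ (?:\[\S+\] )?"
    r"(?:IN |ANY |CH )?(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \((?P<qlen>\d+)\)$"
)


def parse_any_queries(lines):
    """Return (src, qname, query_bytes) for every inbound type-ANY query."""
    found = []
    for line in lines:
        m = QUERY_RE.match(line)
        if m and m.group("qtype") == "ANY":
            found.append((m.group("src"), m.group("qname"), int(m.group("qlen"))))
    return found


def amplification(query_bytes, response_bytes):
    """Bytes the reflector sends per byte the abuser had to send."""
    return response_bytes / query_bytes


def suspicious_sources(lines, threshold=2):
    """Sources repeating the same ANY question at least `threshold` times.
    In a reflection attack the 'source' is the spoofed victim, so blocking it
    (as the ipfw rules above do) stops the reflected traffic, not the abuser;
    the real fix is not answering recursive queries for strangers at all."""
    counts = Counter((src, qname) for src, qname, _ in parse_any_queries(lines))
    return {src: n for (src, qname), n in counts.items() if n >= threshold}
```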
Moral of the story
Keep your configurations secure. Do not allow SMTP relaying, do not allow DNS recursion. There are people out there who don't play nice.
13:50
Weblog finished :-)