Domain Name System
Yoh, 2014-04-07 22:09:17

Firewall iptables, state module: can it be used as a form of protection?

Hello.
An article on habrahabr.ru about the DNS Amplification attack says: "The attack is based on sending a DNS request to any DNS server with a substituted source IP address equal to the IP address of the victim."
I'm not strong on the networking side: at what level is the IP address spoofed? I don't think this is done at the network level, so the following scheme seems likely to me:
1. … DNS service.
2. Next, the DNS service parses the received data, "eats" the fake IP (or am I wrong at this stage?) and tries to send a response to the fake server.
Actually, based on this scheme, there are two rules in iptables:

-A INPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT

As a result, iptables will allow a request on port 53 from the attacker's server to be accepted, but then, when the response is sent to the spoofed server, will iptables drop the connection? After all, the response is allowed only to the server with which the connection is established.
I understand that to protect against this type of attack, I need to disable recursion and transfer in the BIND settings and update the software to the latest versions, as well as update NTP to the latest version. The problem is that all of this had already been done at the time of the attack.
Right now all UDP traffic is only allowed to Google's DNS and to a limited number of NTP servers. The rule given above remains. Can it be used as an additional form of protection, or will it not protect against the described scheme?


2 answers
Pavel Zhovner, 2014-04-07
@Yoh

First, you should not expose a recursive DNS to the Internet.
For bind it looks like this (in the options block of named.conf):

options {
        // disable recursive requests from outside
        allow-recursion { 127.0.0.1; ::1; };
};

The iptables rules you gave do not solve the problem of protection against DNS amplification in any way.
"As a result, iptables will allow a request on port 53 from the attacker's server to be accepted, but then, when the response is sent to the spoofed server, will iptables drop the connection? After all, the response is allowed only to the server with which the connection is established."
Because this attack uses UDP, no connection is established. The attacker sends ONE UDP packet with a request (in which the source address is replaced by the attacked IP), and your server sends one packet with the response to this request to the address given as the source. The NEW,ESTABLISHED state is quite correct in this case.
A source-address spoofing attack is not possible in the case of TCP, since several packets are used to establish a connection in both directions: SYN ->, <- SYN-ACK, ACK ->, and only after that is the connection open. And since, with a spoofed source address, the server's response to the SYN goes to a different address, no one will respond to it with SYN_ACK.
To solve your problem, you need to limit requests from a single address:
# Requests per second
RQS="15"

# Requests per 7 seconds
RQH="35"

# On older kernels xt_recent keeps at most ip_pkt_list_tot (default 20)
# timestamps per address and rejects a --hitcount above it; if loading the
# 7-second rule fails, raise it (e.g. "options xt_recent ip_pkt_list_tot=64"
# in /etc/modprobe.d/) and reload the module before adding the rules.

# Each -I inserts at the top of INPUT, so after these four lines the chain
# reads: DNSHF update/DROP, DNSHF set, DNSQF update/DROP, DNSQF set. The
# --update rule counts the hits already recorded by --set and drops once the
# threshold is reached; otherwise the --set rule records the current packet.
iptables -I INPUT -p udp --dport 53 -m state --state NEW -m recent --set --name DNSQF --rsource
iptables -I INPUT -p udp --dport 53 -m state --state NEW -m recent --update --seconds 1 --hitcount ${RQS} --name DNSQF --rsource -j DROP
iptables -I INPUT -p udp --dport 53 -m state --state NEW -m recent --set --name DNSHF --rsource
iptables -I INPUT -p udp --dport 53 -m state --state NEW -m recent --update --seconds 7 --hitcount ${RQH} --name DNSHF --rsource -j DROP

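The point in this answer about UDP and the state match, worked through as an added example (not code from the thread): a small model of how netfilter's conntrack classifies UDP packets, with the questioner's two rules applied on top of it. Conntrack keys its flow table on the addresses it sees in the packet headers, so the spoofed query creates an entry whose reply direction is the victim, and the server's answer to the victim is then ESTABLISHED and accepted. The addresses, ports and the default DROP policy are constructed assumptions; UDP timeouts are ignored since only one request/response pair is modelled.

```python
"""Added example: minimal model of conntrack UDP states plus the two rules
from the question. Addresses below are constructed; default policy is DROP."""
from dataclasses import dataclass

DNS_PORT = 53


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"


def _tuple(p: Packet):
    return (p.proto, p.src, p.sport, p.dst, p.dport)


def _reverse(t):
    proto, src, sport, dst, dport = t
    return (proto, dst, dport, src, sport)


class Conntrack:
    """Flow table keyed on the 5-tuple as seen on the wire.

    NEW: the flow has not yet seen traffic in both directions;
    ESTABLISHED: it has. Conntrack has no notion of whether a source
    address is genuine, so a spoofed query creates an entry exactly like a
    legitimate one, and the reply to the forged source matches that entry."""

    def __init__(self):
        self.replied = {}  # original-direction tuple -> reply seen?

    def classify(self, p: Packet) -> str:
        t = _tuple(p)
        if t in self.replied:
            return "ESTABLISHED" if self.replied[t] else "NEW"
        rt = _reverse(t)
        if rt in self.replied:       # packet travels in the reply direction
            self.replied[rt] = True
            return "ESTABLISHED"
        self.replied[t] = False      # first packet of a new flow
        return "NEW"


def firewall(ct: Conntrack, chain: str, p: Packet) -> str:
    """The two rules from the question; everything else hits the DROP policy."""
    state = ct.classify(p)
    if (chain == "INPUT" and p.proto == "udp" and p.dport == DNS_PORT
            and state in ("NEW", "ESTABLISHED")):
        return "ACCEPT"
    if (chain == "OUTPUT" and p.proto == "udp" and p.sport == DNS_PORT
            and state == "ESTABLISHED"):
        return "ACCEPT"
    return "DROP"


def dns_exchange(server: str, query_src: str, sport: int = 40000):
    """One query arriving at the server and the server's answer leaving it.

    query_src is whatever the sender wrote into the IP header; the server
    and conntrack only ever see that address. Returns the verdicts for
    (incoming query, outgoing response) and where the response goes."""
    ct = Conntrack()
    query = Packet(query_src, sport, server, DNS_PORT)
    response = Packet(server, DNS_PORT, query_src, sport)
    return firewall(ct, "INPUT", query), firewall(ct, "OUTPUT", response), response.dst


if __name__ == "__main__":
    SERVER, VICTIM = "203.0.113.53", "198.51.100.7"   # constructed addresses
    # The attacker forges VICTIM as the source; the attacker's own address
    # never appears in any header, so nothing here can distinguish the cases.
    print(dns_exchange(SERVER, VICTIM))   # ('ACCEPT', 'ACCEPT', '198.51.100.7')
```

A legitimate resolver query and a spoofed one produce the identical verdict pair, which is why the answer says the state match is "quite correct" and yet provides no protection: the OUTPUT rule only confirms that a query was seen first, and the attacker supplies exactly that.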
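The per-source limit from the end of this answer, worked through as an added example (not code from the thread): a model of the iptables recent match (--set, and --update --seconds N --hitcount M -j DROP) in the chain order that results from the four "-I INPUT" lines, run over a constructed stream of UDP/53 queries. The traffic, the source addresses and the pkt_list_tot size are assumptions made for the example; only the set/update/hitcount semantics of xt_recent are modelled.

```python
"""Added example: model of the DNSQF/DNSHF 'recent' rules over constructed
query timestamps. Not the kernel's code; same --set/--update semantics."""
from collections import defaultdict, deque


class RecentList:
    """One named xt_recent list: per-source hit timestamps, newest last."""

    def __init__(self, pkt_list_tot: int):
        # xt_recent remembers at most pkt_list_tot timestamps per address
        self.stamps = defaultdict(lambda: deque(maxlen=pkt_list_tot))

    def set(self, src: str, now: float) -> None:
        """--set: record a hit; always matches, so the chain continues."""
        self.stamps[src].append(now)

    def update(self, src: str, now: float, seconds: float, hitcount: int) -> bool:
        """--update --seconds S --hitcount N: match if at least N recorded
        hits fall inside the window; a match also records this packet."""
        hits = sum(1 for s in self.stamps[src] if now - s <= seconds)
        if hits >= hitcount:
            self.stamps[src].append(now)
            return True
        return False


def dns_query_filter(queries, rqs=15, rqh=35, pkt_list_tot=64):
    """queries: iterable of (time_in_seconds, source_ip) for NEW UDP/53
    packets, in time order. Returns a list of (time, src, verdict)."""
    dnsqf, dnshf = RecentList(pkt_list_tot), RecentList(pkt_list_tot)
    # Top of INPUT after the four -I inserts (last inserted ends up first).
    chain = [
        ("update", dnshf, 7, rqh),
        ("set", dnshf, None, None),
        ("update", dnsqf, 1, rqs),
        ("set", dnsqf, None, None),
    ]
    verdicts = []
    for now, src in queries:
        verdict = "ACCEPT"   # falls through to the NEW,ESTABLISHED accept rule
        for mode, lst, seconds, hitcount in chain:
            if mode == "set":
                lst.set(src, now)
            elif lst.update(src, now, seconds, hitcount):
                verdict = "DROP"
                break
        verdicts.append((now, src, verdict))
    return verdicts


# Constructed traffic: a 20-packet burst inside one second from one source,
# two queries from a second source, and the first source again two seconds
# later, after its 1-second window has emptied.
SAMPLE_QUERIES = (
    [(0.001 * i, "198.51.100.7") for i in range(20)]
    + [(0.5, "192.0.2.10"), (0.6, "192.0.2.10")]
    + [(2.0, "198.51.100.7")]
)


def summarize(verdicts):
    """ACCEPT/DROP counts per source address."""
    counts = defaultdict(lambda: {"ACCEPT": 0, "DROP": 0})
    for _, src, verdict in verdicts:
        counts[src][verdict] += 1
    return dict(counts)


if __name__ == "__main__":
    for row in dns_query_filter(SAMPLE_QUERIES):
        print(row)
    print(summarize(dns_query_filter(SAMPLE_QUERIES)))
```

With RQS=15 the 16th query in a one-second window is the first one dropped: the update rule sees the 15 hits recorded by the preceding set rules. One caveat worth keeping in mind with the rules above: the address they key on is the one in the packet header, which in the attack is the victim's, so the limit caps how many answers per second this server sends to any one victim rather than how much the attacker can send.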
Valentine, 2014-04-07
@vvpoloskin

Spoofing is done precisely at the network level. Classical routing checks only the destination address, so it doesn't give a damn about the source address. This can be done, for example, with NAT on any piece of hardware, or you can generate the request yourself with a script.
Specifically on your topic: what stops you from putting up rules with different states, making queries and looking at the counters?
PS: use conntrack instead of state already)
