
Re: [cobalt-users] Blocking massive DNS queries

> >
> > Thanks Dan ..
> >
> > Well they recommend that I should turn off the DNS server!!
> >
> > But anyway I posted the list of IPs and they contacted abuse ...
> >
> > my nick is jstone in the session here below of irc.ev1.net ->
> > ev1servers
> >
> > <jstone> yes DNS queries port 53
> > <Resolution_Black> do you have dns running and being in activly in use
> > <Resolution_Black> if not turn it off
> > <Resolution_Black> that'll reduce the effects of the attack
> > <jstone> then my webserver will die
> > <EV1-Todd> jstone, what kind of bandwidth usage are you talking about?
> >
>
> Except Resolution_Black wouldn't be an ev1 employee. They're identified
> by @ or RS_ I think in front of the nick.
> --
> © 2003 Dan Kriwitsky
> 

Started rolling a Perl script for a RaQ4 that uses logtail and logcheck to look
at log files, then extracts the offending IP number and sticks it automagically into ipchains,
then looks them up and lists them or sends the info to root's email. It also backs
up the IPs it entered into ipchains in case you have to reboot, and has a simple
command line interface.
It can also use the route program, though ipchains is less apt to crash you
in a DoS attack.

Example of the command line interface:
[root lcp]# ./lcp.pl
 Command line argument values for program [./lcp.pl argv0 argv1]:

 query-   Looks for perl, logcheck, logtail, ipchains, route and reports where.

 routes   Show Kernel IP routing table.
 chains   Show ipchains.
 ls-bak   List backup directory files.
 ls-ign   List Ignore File.

 add-ip ip.nu.mb.er   Add a input IP address to Block.
 del-ip ip.nu.mb.er   Delete a input IP address that this Blocked.

 add-ig ip.nu.mb.er   Add a input IP address to the Ignore list.
 del-ig ip.nu.mb.er   Delete a input IP address from the Ignore list.

 re-bak m-d-y-h-m     Input a existing blocked backup file date to load.
                      USE ONLY if routes or ipchains have been unloaded.

 sv-tmp   Save current data. Restore from this temp later.
 unload   Unload all.
          Watch auto_prune configuration setting if unloaded
          for a long time. Also use the on_off_s_w if needed.
 rl-tmp   Restore the saved temp.

 -load-   Load the current list.
          USE ONLY if routes or ipchains have been unloaded.
 run-cc   Runs Program via Cron or Command Line.

Its web output (actually this is another program that displays offenders):
http://www.pagekeeperservice.com/sysinfo/blocked.pl

Its short e-mail output:
Saturday, April 24, 2004 12:46:00 PM
 Blocked 4 more. Deleted 0. Total Blocked 12842.
 [Purge: ON] (Purge Interval: 90.00 Days)
 Backup Directory Size: 85.30 MB

 POP3 Logins
 =-=-=-=-=-=-=-=-=-=

Apr 24 12:30:19 "user" 69.21.xxx.xxx
Apr 24 12:30:29 "user" 69.21.xxx.xxx


 No Such User
 =-=-=-=-=-=-=-=-=-=

Apr 24 12:35:13 www sendmail[21877]: i3OHZDf21877: <kwest@xxxxxxxxxxxx>...
No such user here
Apr 24 12:35:13 www sendmail[21877]: i3OHZDf21877: lost input channel from
emailgate-server.com [208.254.69.136] to MTA after rcpt

named could be used too!
So if the presets in the script missed this connection and you wanted to
block 208.254.69.136 from connecting again, you would paste
perl /root/lcp/lcp.pl add-ip 208.254.69.136
on the SSH command line as root.
perl /root/lcp/lcp.pl del-ip 208.254.69.136
then removes it.

Adding
/root/lcp/lcp.pl -load-
to rc.local would reload the backed-up ipchains at startup, or from the command line,
along with any kernel security parameters.

Making a crontab command to run it every 5-15 minutes would get rid of a
lot of bogus connections while you sleep. It can auto-remove them at a set time too.

Just no time to finish and really test it..

  David Hahn
  PageKeeper Service
  1512 Deborah Road #102
  Rio Rancho, New Mexico 87124 US
  505-892-8723
  http://www.pagekeeperservice.com
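As an added example (not part of the original post and not David Hahn's lcp.pl), here is a small Python model of the log-to-blocklist workflow the post describes: correlate sendmail's "No such user here" rejection with the "lost input channel from host [ip]" teardown line by queue id, skip anything on an ignore list (the post's add-ig list) or already blocked, build one ipchains DENY rule per new offender, write the blocked IPs to a dated backup file, and rebuild the rules from that backup the way -load- would after a reboot. The sample log lines are constructed using documentation addresses, the backup file naming is an assumption, and the ipchains commands are returned as strings rather than executed so the logic can be checked offline without root.

```python
import re
import tempfile
from datetime import datetime
from pathlib import Path

# Constructed sample log, modelled on the sendmail excerpt in the post (not real traffic).
SAMPLE_LOG = """\
Apr 24 12:35:13 www sendmail[21877]: i3OHZDf21877: <kwest@example.invalid>... No such user here
Apr 24 12:35:13 www sendmail[21877]: i3OHZDf21877: lost input channel from mail.example.invalid [203.0.113.45] to MTA after rcpt
Apr 24 12:36:02 www sendmail[21901]: i3OHaBf21901: <nobody@example.invalid>... No such user here
Apr 24 12:36:02 www sendmail[21901]: i3OHaBf21901: lost input channel from relay.example.invalid [203.0.113.45] to MTA after rcpt
Apr 24 12:37:40 www sendmail[21950]: i3OHbef21950: <ghost@example.invalid>... No such user here
Apr 24 12:37:40 www sendmail[21950]: i3OHbef21950: lost input channel from other.example.invalid [198.51.100.7] to MTA after rcpt
Apr 24 12:38:00 www sendmail[21960]: i3OHc0f21960: <ok@example.invalid>... Sent
"""

# sendmail prefixes each message line with "sendmail[pid]: <queue id>: ..."
QUEUE_ID_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): (?P<rest>.*)$")
# the teardown line carries the peer's hostname and, in brackets, its IP
LOST_CHANNEL_RE = re.compile(
    r"lost input channel from \S+ \[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]")


def extract_offenders(log_text):
    """Return the set of peer IPs whose session produced 'No such user here'.

    The rejection and the connection teardown are separate log lines, so they
    are joined on the shared queue id rather than by grepping for IPs alone.
    """
    rejected_qids = set()
    ip_by_qid = {}
    for line in log_text.splitlines():
        m = QUEUE_ID_RE.search(line)
        if not m:
            continue
        qid, rest = m.group("qid"), m.group("rest")
        if "No such user here" in rest:
            rejected_qids.add(qid)
        lost = LOST_CHANNEL_RE.search(rest)
        if lost:
            ip_by_qid[qid] = lost.group("ip")
    return {ip for qid, ip in ip_by_qid.items() if qid in rejected_qids}


def ipchains_commands(ips, ignore=frozenset(), already_blocked=frozenset()):
    """Build (do not run) one ipchains input-chain DENY rule per new offender.

    Sorted output keeps the result stable; the ignore set plays the role of the
    post's add-ig list so a legitimate host is never blocked by a log match.
    """
    new = sorted(ip for ip in ips if ip not in ignore and ip not in already_blocked)
    return [f"ipchains -A input -s {ip} -j DENY" for ip in new]


def write_backup(ips, backup_dir):
    """Save the blocked IPs under a dated filename (assumed naming scheme)."""
    backup_dir = Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now().strftime("%m-%d-%Y-%H-%M")
    path = backup_dir / f"blocked-{stamp}.txt"
    path.write_text("\n".join(sorted(ips)) + "\n")
    return path


def load_backup(path):
    """Rebuild the rule list from a backup file, as a -load- step would at boot."""
    ips = {ln.strip() for ln in Path(path).read_text().splitlines() if ln.strip()}
    return ipchains_commands(ips)


def backup_roundtrip_demo(ips):
    """Write a backup to a temporary directory and reload it; returns the rules."""
    with tempfile.TemporaryDirectory() as tmp:
        return load_backup(write_backup(ips, tmp))


if __name__ == "__main__":
    offenders = extract_offenders(SAMPLE_LOG)
    for cmd in ipchains_commands(offenders, ignore={"198.51.100.7"}):
        print(cmd)
    print("reloaded from backup:", backup_roundtrip_demo(offenders))
```

Running the block prints a single DENY rule for 203.0.113.45 (the 198.51.100.7 host is on the ignore list), then the two rules rebuilt from the backup file. Correlating on the queue id matters because a plain IP grep over the log would also pick up hosts that delivered mail normally in the same period.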