Go Back   Aural Moon - Progressive Rock Discussion > Station News > Website
Register FAQ Members List Calendar Search Today's Posts Mark Forums Read

 
 
Thread Tools Display Modes
Prev Previous Post   Next Post Next
  #1  
Old 10-02-2012, 07:50 AM
VAXman's Avatar
VAXman(Admin) VAXman is offline
progger propellerhead
 
Join Date: Dec 2003
Location: Presently reside in Jackson (southern) NJ (20 miles east of NEARfest 2002 & 2003
Posts: 2,362
Send a message via AIM to VAXman Send a message via Skype™ to VAXman
Recent DDoS Attacks

As you may or may not be aware, the network -- my network -- serving the Aural Moon web site has been unwittingly solicited as a participant in a more likely than not BotNet DDoS (Distributed Denial of Service) amplification attack. Be it known, it is not my network, nor is it the Aural Moon web site, that is the target of these attacks. My network's DNSs (Domain Name Servers) are being used -- or there's been an attempt to use them -- to facilitate a flood of requests to the intended targets. This is done by faking the source address in the IP packet such that when the unwitting DNS responds, it sends the response to the target victim. By using unwitting DNS participants around the 'net, they can amplify the attack's effect and essentially drown the target victim with too much traffic; hence, a denial of service.

I have taken steps to mitigate this but there's really no defense of this action because there's no way to trace the source of these feigned DNS requests. I have been able to identify a number of the targets and I have enabled an input filter on my network's routers to simply deny these request into/onto my network and, subsequently, to the DNSs. This is an ongoing battle. I have a packet sniffer running on the connection between the ISP's interface and the routing interface of the router. I've implemented some filter rules which quickly identify these feigned DNS requests. When I have the source IP address(es), I add them to an ACL (Access Control List) on the router to simply drop them. Note, however, that this doesn't STOP these attacks, it merely mitigates their effectiveness by keeping them from passing onto my network. These attacks are still consuming a vast chunk of my bandwidth.


Code:
Cisco871W#show access-list Deny-DDoS-ACL Extended IP access list Deny-DDoS-ACL 10 deny udp 182.96.0.0 0.15.255.255 any eq domain 20 deny udp 184.172.0.0 0.1.255.255 any eq domain (85 matches) 30 deny udp 209.205.64.0 0.0.31.255 any eq domain 40 deny udp 216.218.128.0 0.0.127.255 any eq domain (65 matches) 50 deny udp 66.249.64.0 0.0.31.255 any eq domain (5580 matches) 60 deny udp 67.211.96.0 0.0.15.255 any eq domain 70 deny udp 67.59.128.0 0.0.63.255 any eq domain 80 deny udp 69.64.32.0 0.0.31.255 any eq domain 90 deny udp 72.20.0.0 0.0.63.255 any eq domain (520922 matches) 100 deny udp 72.52.64.0 0.0.63.255 any eq domain (19 matches) 110 deny udp 72.8.128.0 0.0.63.255 any eq domain (537785 matches) 120 deny udp 76.76.0.0 0.0.31.255 any eq domain (90 matches) 130 deny udp 8.0.0.0 0.255.255.255 any eq domain (10344 matches) 140 deny udp 80.243.162.160 0.0.0.31 any eq domain 150 deny udp 80.65.250.128 0.0.0.63 any eq domain 160 deny udp 81.27.213.0 0.0.0.255 any eq domain 170 deny udp 89.248.160.0 0.0.7.255 any eq domain 180 deny udp 95.108.150.0 0.0.1.255 any eq domain (582 matches) 190 deny udp 95.128.184.0 0.0.0.255 any eq domain 200 deny udp 199.83.128.0 0.0.7.255 any eq domain 210 deny udp 159.253.152.160 0.0.0.7 any eq domain (114439 matches) 230 deny udp 68.68.16.0 0.0.15.255 any eq domain (358260 matches) 250 deny udp 91.237.250.0 0.0.0.255 any eq domain (1074545 matches) 290 deny udp 198.144.120.0 0.0.1.255 any eq domain (313799 matches) 300 permit ip any any (2646852 matches)
As you can see, these are unrelenting attacks as is indicated by the matches counts. That number is the count of how many times (since my router's last reload) that the particular listed network has been targeted through my network.

I totaled the matches counts for the 'deny' clauses and that number is 2,936,515. The total count of packets that were permitted onto the network is 2,646,852. Some quick math shows that that is about 52% of the traffic currently hitting my router's interface. So, if things seems slow, you know know why.

How to stop this? Good question. The Bots in the BotNet are, more likely than not, WEENDOZE boxes. STOP USING WEENDOZE. Also, the ISPs of the world are culpable too. A responsible ISP would/should not route ANY packets that do not maintain source IP addresses within their network.

Because I've never had to contend with this before, I'm learning some more Cisco IOS. IOS has "policing" policies that can throttle certain protocols, networks, etc. As soon as I can get my head wrapped around how to properly implement them, I will put in a throttle for DNS requests that should mitigate these attacks without having to constantly monitor and modify the Cisco's ACLs.
__________________
VAXman -- Watcher of the moon, watcher of all.
----------------Mopper of the moon, mopper of all.
-------------------- Aural Moon's Janitorial Services
---------------------and Restroom Supplies, and Techno-patsy --

Cogito ergo iMac.         
Reply With Quote
 


Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump



All times are GMT -5. The time now is 05:57 AM.