Recent DDoS Attacks - Aural Moon

**VAXman**(Admin) · #1 10-02-2012, 07:50 AM

As you may or may not be aware, the network -- my network -- serving the Aural Moon web site has been unwittingly solicited as a participant in a more likely than not BotNet DDoS (Distributed Denial of Service) amplification attack. Be it known, it is not my network, nor is it the Aural Moon web site, that is the target of these attacks. My network's DNSs (Domain Name Servers) are being used -- or there's been an attempt to use them -- to facilitate a flood of requests to the intended targets. This is done by faking the source address in the IP packet such that when the unwitting DNS responds, it sends the response to the target victim. By using unwitting DNS participants around the 'net, they can amplify the attack's effect and essentially drown the target victim with too much traffic; hence, a denial of service.

I have taken steps to mitigate this but there's really no defense of this action because there's no way to trace the source of these feigned DNS requests. I have been able to identify a number of the targets and I have enabled an input filter on my network's routers to simply deny these request into/onto my network and, subsequently, to the DNSs. This is an ongoing battle. I have a packet sniffer running on the connection between the ISP's interface and the routing interface of the router. I've implemented some filter rules which quickly identify these feigned DNS requests. When I have the source IP address(es), I add them to an ACL (Access Control List) on the router to simply drop them. Note, however, that this doesn't STOP these attacks, it merely mitigates their effectiveness by keeping them from passing onto my network. These attacks are still consuming a vast chunk of my bandwidth.

Code:

Cisco871W#show access-list Deny-DDoS-ACL
Extended IP access list Deny-DDoS-ACL
    10 deny udp 182.96.0.0 0.15.255.255 any eq domain
    20 deny udp 184.172.0.0 0.1.255.255 any eq domain (85 matches)
    30 deny udp 209.205.64.0 0.0.31.255 any eq domain
    40 deny udp 216.218.128.0 0.0.127.255 any eq domain (65 matches)
    50 deny udp 66.249.64.0 0.0.31.255 any eq domain (5580 matches)
    60 deny udp 67.211.96.0 0.0.15.255 any eq domain
    70 deny udp 67.59.128.0 0.0.63.255 any eq domain
    80 deny udp 69.64.32.0 0.0.31.255 any eq domain
    90 deny udp 72.20.0.0 0.0.63.255 any eq domain (520922 matches)
    100 deny udp 72.52.64.0 0.0.63.255 any eq domain (19 matches)
    110 deny udp 72.8.128.0 0.0.63.255 any eq domain (537785 matches)
    120 deny udp 76.76.0.0 0.0.31.255 any eq domain (90 matches)
    130 deny udp 8.0.0.0 0.255.255.255 any eq domain (10344 matches)
    140 deny udp 80.243.162.160 0.0.0.31 any eq domain
    150 deny udp 80.65.250.128 0.0.0.63 any eq domain
    160 deny udp 81.27.213.0 0.0.0.255 any eq domain
    170 deny udp 89.248.160.0 0.0.7.255 any eq domain
    180 deny udp 95.108.150.0 0.0.1.255 any eq domain (582 matches)
    190 deny udp 95.128.184.0 0.0.0.255 any eq domain
    200 deny udp 199.83.128.0 0.0.7.255 any eq domain
    210 deny udp 159.253.152.160 0.0.0.7 any eq domain (114439 matches)
    230 deny udp 68.68.16.0 0.0.15.255 any eq domain (358260 matches)
    250 deny udp 91.237.250.0 0.0.0.255 any eq domain (1074545 matches)
    290 deny udp 198.144.120.0 0.0.1.255 any eq domain (313799 matches)
    300 permit ip any any (2646852 matches)

As you can see, these are unrelenting attacks as is indicated by the matches counts. That number is the count of how many times (since my router's last reload) that the particular listed network has been targeted through my network.

I totaled the matches counts for the 'deny' clauses and that number is 2,936,515. The total count of packets that were permitted onto the network is 2,646,852. Some quick math shows that that is about 52% of the traffic currently hitting my router's interface. So, if things seems slow, you know know why.

How to stop this? Good question. The Bots in the BotNet are, more likely than not, WEENDOZE boxes. STOP USING WEENDOZE. Also, the ISPs of the world are culpable too. A responsible ISP would/should not route ANY packets that do not maintain source IP addresses within their network.

Because I've never had to contend with this before, I'm learning some more Cisco IOS. IOS has "policing" policies that can throttle certain protocols, networks, etc. As soon as I can get my head wrapped around how to properly implement them, I will put in a throttle for DNS requests that should mitigate these attacks without having to constantly monitor and modify the Cisco's ACLs.

Diff_Drummer · #2 10-02-2012, 11:18 AM

Well VAX, I understood about 62.1374% of what you were saying. But as long as YOU understand it, that's really all that matters. I appreciate all the time, dedication and technical knowledge that you bring to Aural Moon. Thanks for keeping prog alive on the web and may all your packets be legitimate.

KenSchwartz · #3 10-02-2012, 12:02 PM

Vax,

I'm always amazed at the sh** that you have to deal with in order to make everyone else's life more enjoyable. It is *truly* appreciated.

Ken

emperorken · #4 10-02-2012, 02:15 PM

Ditto what the other guys said. Thanks for everything, VAX

**VAXman**(Admin) · #5 10-02-2012, 03:22 PM

OK. I believe I have this right. I've enabled some of the Cisco's policing action. The rules I've put in place (using the lowest values the Cisco would allow me) should slow down any would be DNS floods that aren't already dropped with the ACLs I've added.

Code:

class-map match-all DDoS
 match protocol dns

policy-map Throttle-DDoS
 class DDoS
    police 8000 1000 1000 conform-action transmit  exceed-action drop  violate-action drop 

interface FastEthernet4
 description INTERNET
 service-policy input Throttle-DDoS
  :
  :

This SHITE has occupied yet another day of my life, permitting me little time to work on the stuff that inevitably keeps the Guinness flowing.

mariocc · #6 10-02-2012, 03:24 PM

Diff is more advanced than me in computers..I recognize,,'network',,,"web site' ....and couple of things.
I m with KEN,,thanks a lot from here,,thanks to do everything you can to avoid problems for many,me included of course, AM is a important part in our day.

Yesspaz · #7 10-02-2012, 04:28 PM

I followed about 80%, but still, I couldn't DO it. Thanks, VAX, for your hard work.

NorCalKurt · #8 10-02-2012, 08:13 PM

I won't even try to understand. I will give you a gigantic, BRAVO. Without your efforts Aural Moon would fall into the abyss of internet trash. Thanks so much, Vax.

**gr8sho92** · #9 10-02-2012, 08:21 PM

All we can do is express our gratitude for the amount of personal time you continue to dedicate for our collective benefit. We all owe you a pint. Thanks!

**JamForte**(Admin) · #10 10-03-2012, 01:41 AM

nice work, and explanation ... I learned something new too ...

... one day the world's ISPs will have to start cooperating in managing these problems. After all, a legit ISP has nothing to lose from contributing - since all must be getting hit in approximately the same way.

What was a big surprise to me was that many of the attack targets are in CN .. almost funny (but only almost).

deSousa · #11 10-03-2012, 09:30 AM

Fascinating! I wonder how many other websites out there have also 50% of their traffic used up by DDoS attacks? And how many of these have a VAXman administering them!?

Just for the sake of curiosity, can you reveal what kind of targets are being hit by these fake requests?

**VAXman**(Admin) · #12 10-03-2012, 10:27 AM

Quote:

Originally Posted by deSousa

Fascinating! I wonder how many other websites out there have also 50% of their traffic used up by DDoS attacks? And how many of these have a VAXman administering them!?

Just for the sake of curiosity, can you reveal what kind of targets are being hit by these fake requests?

The networks are all listed in my post; however, I didn't save the actual target IPs that caused me to block those networks.

Ironically, ost of them turned out to be the web sites of companies offering DDoS mitigation services or appliances. Several others were web hosting and co-lo service companies.

Currently, there is this address: 66.249.17.112

dig tells me:

Code:

vaxman@Satellite:~$ dig -x 66.249.17.112

; <<>> DiG 9.7.0-P1 <<>> -x 66.249.17.112
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1203
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;112.17.249.66.in-addr.arpa.    IN      PTR

;; AUTHORITY SECTION:
17.249.66.in-addr.arpa. 1739    IN      SOA     ns1.dnscloud.com. hosting-support.spry.com. 1278544067 7200 3600 604800 259200

;; Query time: 21 msec
;; SERVER: 8.8.4.4#53(8.8.4.4)
;; WHEN: Wed Oct  3 11:22:22 2012
;; MSG SIZE  rcvd: 117

Looks like a hosting site.

Whois says:

Code:

vaxman@Satellite:~$ whois 66.249.17.112
#
# Query terms are ambiguous.  The query is assumed to be:
#     "n 66.249.17.112"
#
# Use "?" to get help.
#

#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=66.249.17.112?showDetails=true&showARIN=false&ext=netref2
#

The Endurance International Group, Inc. BIZLAND-FC01 (NET-66-249-0-0-1) 66.249.0.0 - 66.249.31.255
Name Intelligence, Inc. NAMEI-NET-1 (NET-66-249-16-0-1) 66.249.16.0 - 66.249.17.255


#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#

I'll ACL 66.249.16.0 0.0.1.255.

(Name Intelligence Inc.'s network)

Bmithra · #13 10-05-2012, 07:31 AM

Wow VAX, the sh** you go through for the Moon amaze me. Thanks for all you do for us all!

Ted · #14 10-05-2012, 08:02 AM

VAX,

I also thank you. I have not been much of a participant lately - at least in the shout box due to work load - but I have been following this problem on the website, and I truly appreciate what you are doing. Again - THANK YOU. As has been mentioned, it is amazing what you are doing keeping Aural Moon functioning on the net.

Hat's off my man, and grab another G!

Regards from Texas,
Ted

P.S. Also - as Jam said, thanks for sharing with us - I too only understand a fraction, but it is still fascinating.

**VAXman**(Admin) · #15 10-06-2012, 06:45 AM

Another attack last evening. This one: http://www.rivalhost.com/

Most of the attacks that I've mitigated were directed at such sites. (ie. company sites that provide guaranteed DDoS hosting services, DDoS mitigation services or DDoS mitigation appliances.)

Oh well, another network in the router's "direct those packets into the packet toilet" rules.

**VAXman**(Admin) · #16 10-06-2012, 04:06 PM

FWIW, it's been exceptionally bad today!!!

Code:

Extended IP access list Deny-DDoS-ACL
    10 deny udp 182.96.0.0 0.15.255.255 any eq domain
    20 deny udp 184.172.0.0 0.1.255.255 any eq domain (33 matches)
    30 deny udp 209.205.64.0 0.0.31.255 any eq domain
    40 deny udp 216.218.128.0 0.0.127.255 any eq domain (32 matches)
    50 deny udp 66.249.64.0 0.0.31.255 any eq domain (2318 matches)
    60 deny udp 67.211.96.0 0.0.15.255 any eq domain
    70 deny udp 67.59.128.0 0.0.63.255 any eq domain
    80 deny udp 69.64.32.0 0.0.31.255 any eq domain (11 matches)
    90 deny udp 72.20.0.0 0.0.63.255 any eq domain (6908 matches)
    100 deny udp 72.52.64.0 0.0.63.255 any eq domain (16 matches)
    110 deny udp 72.8.128.0 0.0.63.255 any eq domain
    120 deny udp 76.76.0.0 0.0.31.255 any eq domain (54 matches)
    130 deny udp 8.0.0.0 0.255.255.255 any eq domain (3191 matches)
    140 deny udp 80.243.162.160 0.0.0.31 any eq domain
    150 deny udp 80.65.250.128 0.0.0.63 any eq domain
    160 deny udp 81.27.213.0 0.0.0.255 any eq domain
    170 deny udp 89.248.160.0 0.0.7.255 any eq domain
    180 deny udp 95.108.150.0 0.0.1.255 any eq domain (216 matches)
    190 deny udp 95.128.184.0 0.0.0.255 any eq domain (42 matches)
    200 deny udp 199.83.128.0 0.0.7.255 any eq domain
    210 deny udp 159.253.152.160 0.0.0.7 any eq domain
    230 deny udp 68.68.16.0 0.0.15.255 any eq domain
    250 deny udp 91.237.250.0 0.0.0.255 any eq domain
    290 deny udp 198.144.120.0 0.0.1.255 any eq domain
    310 deny udp 23.20.0.0 0.3.255.255 any eq domain (491 matches)
    320 deny udp 31.170.160.0 0.0.3.255 any eq domain
    330 deny udp 64.62.128.0 0.0.127.255 any eq domain (2 matches)
    340 deny udp 69.162.64.0 0.0.63.255 any eq domain (49 matches)
    350 deny udp 94.23.80.0 0.0.7.255 any eq domain
    360 deny udp 94.242.192.0 0.0.63.255 any eq domain
    370 deny udp 95.154.192.0 0.0.63.255 any eq domain
    380 deny udp 99.0.0.0 0.127.255.255 any eq domain (8 matches)
    390 deny udp 82.41.0.0 0.0.127.255 any eq domain
    400 deny udp 107.22.0.0 0.0.255.255 any eq domain (19 matches)
    410 deny udp 24.20.0.0 0.0.255.255 any eq domain
    420 deny udp 72.194.124.0 0.0.0.255 any eq domain
    440 deny udp 146.0.72.0 0.0.7.255 any eq domain
    450 deny udp 188.165.0.0 0.0.255.255 any eq domain
    460 deny udp 199.192.72.0 0.0.7.255 any eq domain
    470 deny udp 217.23.0.0 0.0.15.255 any eq domain (20 matches)
    480 deny udp 46.251.224.0 0.0.15.255 any eq domain
    490 deny udp 62.141.32.0 0.0.15.255 any eq domain
    500 deny udp 62.187.213.0 0.0.0.63 any eq domain
    510 deny udp 72.53.176.0 0.0.15.255 any eq domain
    520 deny udp 76.181.192.0 0.0.7.255 any eq domain
    530 deny udp 77.91.200.0 0.0.7.255 any eq domain
    540 deny udp 77.96.80.0 0.0.15.255 any eq domain
    550 deny udp 78.46.0.0 0.1.255.255 any eq domain (1337 matches)
    560 deny udp 81.30.144.0 0.0.15.255 any eq domain
    570 deny udp 85.236.96.0 0.0.31.255 any eq domain
    580 deny udp 91.123.192.0 0.0.15.255 any eq domain
    590 deny udp 92.28.0.0 0.1.255.255 any eq domain
    610 deny udp 216.145.0.0 0.0.31.255 any eq domain (20 matches)
    620 deny udp 64.246.160.0 0.0.31.255 any eq domain (6 matches)
    640 deny udp 173.248.128.0 0.0.63.255 any eq domain
    660 deny udp 174.127.64.0 0.0.63.255 any eq domain (830 matches)
    680 deny udp 212.56.192.0 0.0.31.255 any eq domain
    700 deny udp 66.249.16.0 0.0.1.255 any eq domain (135 matches)
    720 deny udp 67.15.238.0 0.0.0.255 any eq domain
    740 deny udp 37.221.163.0 0.0.0.31 any eq domain
    760 deny udp 78.140.172.0 0.0.3.255 any eq domain (1078434 matches)
    770 permit ip any any (1341306 matches)

Total packets blocked: 1,094,123
Total packets passed: 1,341,306
Total packet payload: 2,435,429

Do a little division and you'll see that 45% of my total bandwidth is being pissed away with this nonsense.

nsgobbi · #17 10-07-2012, 09:28 PM

Hi VAx, it´s quite clear that you're a professional fighting all these threats, but I simply ask myself why the hell did you write down here your whole strategy.....don't you think it may turn hackers' life easier ?

**VAXman**(Admin) · #18 10-08-2012, 05:30 AM

Quote:

Originally Posted by nsgobbi

Hi VAx, it´s quite clear that you're a professional fighting all these threats, but I simply ask myself why the hell did you write down here your whole strategy.....don't you think it may turn hackers' life easier ?

There's nothing here that's earth-shattering in the realm of these malfeasants.

jspen2 · #19 04-28-2013, 01:10 PM

**tobytanzer** · #20 04-29-2013, 09:31 AM

Adding my thanks to those of others who have expressed their gratitude so well.
Your self description as "janitor" of the Moon is starting to make a lot more sense to me.
Merci beaucoup Vax!

Thread Tools
Show Printable Version Email this Page
Display Modes
Switch to Linear Mode Hybrid Mode Switch to Threaded Mode