  #1  
10-02-2012, 07:50 AM
VAXman (Admin)
progger propellerhead
Join Date: Dec 2003
Location: Presently reside in Jackson (southern) NJ (20 miles east of NEARfest 2002 & 2003)
Posts: 2,362
Recent DDoS Attacks

As you may or may not be aware, the network -- my network -- serving the Aural Moon web site has been unwittingly solicited as a participant in a more likely than not BotNet DDoS (Distributed Denial of Service) amplification attack. Be it known, it is not my network, nor is it the Aural Moon web site, that is the target of these attacks. My network's DNSs (Domain Name Servers) are being used -- or there's been an attempt to use them -- to facilitate a flood of requests to the intended targets. This is done by faking the source address in the IP packet such that when the unwitting DNS responds, it sends the response to the target victim. By using unwitting DNS participants around the 'net, they can amplify the attack's effect and essentially drown the target victim with too much traffic; hence, a denial of service.

I have taken steps to mitigate this but there's really no defense of this action because there's no way to trace the source of these feigned DNS requests. I have been able to identify a number of the targets and I have enabled an input filter on my network's routers to simply deny these requests into/onto my network and, subsequently, to the DNSs. This is an ongoing battle. I have a packet sniffer running on the connection between the ISP's interface and the routing interface of the router. I've implemented some filter rules which quickly identify these feigned DNS requests. When I have the source IP address(es), I add them to an ACL (Access Control List) on the router to simply drop them. Note, however, that this doesn't STOP these attacks, it merely mitigates their effectiveness by keeping them from passing onto my network. These attacks are still consuming a vast chunk of my bandwidth.


Code:
Cisco871W#show access-list Deny-DDoS-ACL
Extended IP access list Deny-DDoS-ACL
    10 deny udp 182.96.0.0 0.15.255.255 any eq domain
    20 deny udp 184.172.0.0 0.1.255.255 any eq domain (85 matches)
    30 deny udp 209.205.64.0 0.0.31.255 any eq domain
    40 deny udp 216.218.128.0 0.0.127.255 any eq domain (65 matches)
    50 deny udp 66.249.64.0 0.0.31.255 any eq domain (5580 matches)
    60 deny udp 67.211.96.0 0.0.15.255 any eq domain
    70 deny udp 67.59.128.0 0.0.63.255 any eq domain
    80 deny udp 69.64.32.0 0.0.31.255 any eq domain
    90 deny udp 72.20.0.0 0.0.63.255 any eq domain (520922 matches)
    100 deny udp 72.52.64.0 0.0.63.255 any eq domain (19 matches)
    110 deny udp 72.8.128.0 0.0.63.255 any eq domain (537785 matches)
    120 deny udp 76.76.0.0 0.0.31.255 any eq domain (90 matches)
    130 deny udp 8.0.0.0 0.255.255.255 any eq domain (10344 matches)
    140 deny udp 80.243.162.160 0.0.0.31 any eq domain
    150 deny udp 80.65.250.128 0.0.0.63 any eq domain
    160 deny udp 81.27.213.0 0.0.0.255 any eq domain
    170 deny udp 89.248.160.0 0.0.7.255 any eq domain
    180 deny udp 95.108.150.0 0.0.1.255 any eq domain (582 matches)
    190 deny udp 95.128.184.0 0.0.0.255 any eq domain
    200 deny udp 199.83.128.0 0.0.7.255 any eq domain
    210 deny udp 159.253.152.160 0.0.0.7 any eq domain (114439 matches)
    230 deny udp 68.68.16.0 0.0.15.255 any eq domain (358260 matches)
    250 deny udp 91.237.250.0 0.0.0.255 any eq domain (1074545 matches)
    290 deny udp 198.144.120.0 0.0.1.255 any eq domain (313799 matches)
    300 permit ip any any (2646852 matches)
As you can see, these are unrelenting attacks, as is indicated by the match counts. That number is the count of how many times (since my router's last reload) the particular listed network has been targeted through my network.

I totaled the match counts for the 'deny' clauses and that number is 2,936,515. The total count of packets that were permitted onto the network is 2,646,852. Some quick math shows that that is about 52% of the traffic currently hitting my router's interface. So, if things seem slow, you now know why.

How to stop this? Good question. The Bots in the BotNet are, more likely than not, WEENDOZE boxes. STOP USING WEENDOZE. Also, the ISPs of the world are culpable too. A responsible ISP would/should not route ANY packets that do not maintain source IP addresses within their network.

Because I've never had to contend with this before, I'm learning some more Cisco IOS. IOS has "policing" policies that can throttle certain protocols, networks, etc. As soon as I can get my head wrapped around how to properly implement them, I will put in a throttle for DNS requests that should mitigate these attacks without having to constantly monitor and modify the Cisco's ACLs.
__________________
VAXman -- Watcher of the moon, watcher of all.
----------------Mopper of the moon, mopper of all.
-------------------- Aural Moon's Janitorial Services
---------------------and Restroom Supplies, and Techno-patsy --

Cogito ergo iMac.         
  #2  
10-02-2012, 11:18 AM
Diff_Drummer
Registered User
Join Date: Jan 2007
Location: Divide Colorado (by Colorado Springs)
Posts: 116
Re: Recent DDoS Attacks

Well VAX, I understood about 62.1374% of what you were saying. But as long as YOU understand it, that's really all that matters. I appreciate all the time, dedication and technical knowledge that you bring to Aural Moon. Thanks for keeping prog alive on the web and may all your packets be legitimate.
__________________
Welcome back my friends to the show that never ends...
  #3  
10-02-2012, 12:02 PM
KenSchwartz
Registered User
Join Date: Dec 2008
Location: Upstate, NY
Posts: 57
Re: Recent DDoS Attacks

Vax,

I'm always amazed at the sh** that you have to deal with in order to make everyone else's life more enjoyable. It is *truly* appreciated.

Ken
  #4  
10-02-2012, 02:15 PM
emperorken
Patron
Join Date: Jun 2007
Location: South Bend, Indiana
Posts: 338
Re: Recent DDoS Attacks

Ditto what the other guys said. Thanks for everything, VAX
  #5  
10-02-2012, 03:22 PM
VAXman (Admin)
progger propellerhead
Join Date: Dec 2003
Location: Presently reside in Jackson (southern) NJ (20 miles east of NEARfest 2002 & 2003)
Posts: 2,362
Re: Recent DDoS Attacks

OK. I believe I have this right. I've enabled some of the Cisco's policing action. The rules I've put in place (using the lowest values the Cisco would allow me) should slow down any would-be DNS floods that aren't already dropped with the ACLs I've added.

Code:
class-map match-all DDoS
 match protocol dns
policy-map Throttle-DDoS
 class DDoS
  police 8000 1000 1000 conform-action transmit exceed-action drop violate-action drop
interface FastEthernet4
 description INTERNET
 service-policy input Throttle-DDoS
 :
 :
This SHITE has occupied yet another day of my life, permitting me little time to work on the stuff that inevitably keeps the Guinness flowing.
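What the `police 8000 1000 1000` line in the configuration above does is easiest to see by simulating it. The script below is an added example of my own, not code or configuration from the post: a token-bucket policer that approximates IOS single-rate three-colour policing (RFC 2697, a conform bucket of Bc bytes and an exceed bucket of Be bytes, both refilled at the committed rate), run over two constructed packet streams, a normal resolver's queries and a spoofed-source DNS flood. The CIR/Bc/Be values and the conform/exceed/violate actions are the post's; the packet streams are constructed, and the exact accounting IOS performs is assumed to be close to this model.

```python
"""Token-bucket model of an IOS 'police <cir> <bc> <be>' statement.

Added example; not code or configuration from the original post. It
approximates a single-rate three-colour policer (RFC 2697): a conform
bucket of Bc bytes and an exceed bucket of Be bytes, both refilled at the
committed rate. IOS's exact accounting is assumed to be close to this.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple

Packet = Tuple[int, int]  # (arrival time in microseconds, size in bytes)

# Actions taken from the post's policy-map: only conforming packets pass.
ACTIONS = {"conform": "transmit", "exceed": "drop", "violate": "drop"}


@dataclass
class SingleRatePolicer:
    cir_bps: int      # committed information rate, bits per second
    bc_bytes: int     # normal burst: size of the conform bucket
    be_bytes: int     # excess burst: size of the exceed bucket
    tc: float = field(init=False)
    te: float = field(init=False)
    last_us: int = field(init=False, default=0)

    def __post_init__(self) -> None:
        self.tc = float(self.bc_bytes)   # both buckets start full
        self.te = float(self.be_bytes)

    def _refill(self, now_us: int) -> None:
        elapsed_us = max(0, now_us - self.last_us)
        self.last_us = now_us
        self.tc += elapsed_us * (self.cir_bps / 8) / 1_000_000  # bits -> bytes
        if self.tc > self.bc_bytes:                 # overflow spills into Be
            self.te = min(self.be_bytes, self.te + (self.tc - self.bc_bytes))
            self.tc = float(self.bc_bytes)

    def classify(self, now_us: int, size: int) -> str:
        self._refill(now_us)
        if self.tc >= size:
            self.tc -= size
            return "conform"
        if self.te >= size:
            self.te -= size
            return "exceed"
        return "violate"


def police_stream(packets: Iterable[Packet], cir_bps: int = 8000,
                  bc: int = 1000, be: int = 1000) -> Dict[str, int]:
    """Run packets through the policer and count colours and actions."""
    policer = SingleRatePolicer(cir_bps, bc, be)
    counts = {"conform": 0, "exceed": 0, "violate": 0, "transmitted": 0, "dropped": 0}
    for t_us, size in packets:
        colour = policer.classify(t_us, size)
        counts[colour] += 1
        counts["transmitted" if ACTIONS[colour] == "transmit" else "dropped"] += 1
    return counts


def constant_rate_stream(count: int, interval_us: int, size: int) -> List[Packet]:
    return [(i * interval_us, size) for i in range(count)]


def legit_resolver_traffic() -> Dict[str, int]:
    # Constructed: one 60-byte query every 200 ms for 10 s (300 B/s, under the 1000 B/s CIR).
    return police_stream(constant_rate_stream(50, 200_000, 60))


def spoofed_dns_flood() -> Dict[str, int]:
    # Constructed: 100-byte queries at 1000 pps for 2 s (100 kB/s, 100x the CIR).
    return police_stream(constant_rate_stream(2000, 1_000, 100))


if __name__ == "__main__":
    print("legit :", legit_resolver_traffic())
    print("flood :", spoofed_dns_flood())
```

With the post's values the policer admits about 1000 bytes per second plus a one-time burst of Bc+Be = 2000 bytes: the low-rate resolver traffic passes untouched, while the flood has 1971 of its 2000 packets dropped. That is also why the post calls it a throttle rather than a block: the first burst of any flood still gets through, and because the class matches all DNS, legitimate queries that arrive during a flood compete for the same bucket and can be dropped too.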
  #6  
10-02-2012, 03:24 PM
mariocc
Registered User
Join Date: Dec 2007
Location: Santiago
Posts: 1,209
Re: Recent DDoS Attacks

Diff is more advanced than me in computers. I recognize 'network', 'web site' ... and a couple of things.
I'm with Ken; thanks a lot from here, thanks for doing everything you can to avoid problems for many, me included of course. AM is an important part of our day.
  #7  
10-02-2012, 04:28 PM
Yesspaz
Moderator
Join Date: May 2001
Location: Brandon, MS
Posts: 3,134
Re: Recent DDoS Attacks

I followed about 80%, but still, I couldn't DO it. Thanks, VAX, for your hard work.
__________________
Feels like I'm fiddling while Rome is burning down.
Think I'll lay my fiddle down, take a rifle from the ground!
  #8  
10-02-2012, 08:13 PM
NorCalKurt
la familia patron
Join Date: Sep 2006
Posts: 962
Re: Recent DDoS Attacks

I won't even try to understand. I will give you a gigantic, BRAVO. Without your efforts Aural Moon would fall into the abyss of internet trash. Thanks so much, Vax.
  #9  
10-02-2012, 08:21 PM
gr8sho92
Patron
Join Date: Jan 2007
Location: Wellington, FL
Posts: 328
Re: Recent DDoS Attacks

All we can do is express our gratitude for the amount of personal time you continue to dedicate for our collective benefit. We all owe you a pint. Thanks!
__________________
Cheers,
Carl
  #10  
10-03-2012, 01:41 AM
JamForte (Admin)
Faffer-In-Denial
Join Date: Mar 2004
Location: Romsey, UK
Posts: 246
Re: Recent DDoS Attacks

nice work, and explanation ... I learned something new too ...

... one day the world's ISPs will have to start cooperating in managing these problems. After all, a legit ISP has nothing to lose from contributing - since all must be getting hit in approximately the same way.

What was a big surprise to me was that many of the attack targets are in CN .. almost funny (but only almost).
__________________
In theory, theory and practice are the same; in practice, they differ.
  #11  
10-03-2012, 09:30 AM
deSousa
Registered User
Join Date: Nov 2008
Location: Esch-sur-Alzette
Posts: 130
Re: Recent DDoS Attacks

Fascinating! I wonder how many other websites out there also have 50% of their traffic used up by DDoS attacks? And how many of these have a VAXman administering them!?

Just for the sake of curiosity, can you reveal what kind of targets are being hit by these fake requests?
__________________
Music musings | Last.fm profile

...and left a galaxy of dreams behind...
  #12  
10-03-2012, 10:27 AM
VAXman (Admin)
progger propellerhead
Join Date: Dec 2003
Location: Presently reside in Jackson (southern) NJ (20 miles east of NEARfest 2002 & 2003)
Posts: 2,362
Re: Recent DDoS Attacks

Quote:
Originally Posted by deSousa
Fascinating! I wonder how many other websites out there also have 50% of their traffic used up by DDoS attacks? And how many of these have a VAXman administering them!?

Just for the sake of curiosity, can you reveal what kind of targets are being hit by these fake requests?
The networks are all listed in my post; however, I didn't save the actual target IPs that caused me to block those networks.

Ironically, most of them turned out to be the web sites of companies offering DDoS mitigation services or appliances. Several others were web hosting and co-lo service companies.

Currently, there is this address: 66.249.17.112

dig tells me:

Code:
vaxman@Satellite:~$ dig -x 66.249.17.112

; <<>> DiG 9.7.0-P1 <<>> -x 66.249.17.112
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1203
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;112.17.249.66.in-addr.arpa.    IN    PTR

;; AUTHORITY SECTION:
17.249.66.in-addr.arpa.    1739    IN    SOA    ns1.dnscloud.com. hosting-support.spry.com. 1278544067 7200 3600 604800 259200

;; Query time: 21 msec
;; SERVER: 8.8.4.4#53(8.8.4.4)
;; WHEN: Wed Oct 3 11:22:22 2012
;; MSG SIZE rcvd: 117
Looks like a hosting site.

Whois says:

Code:
vaxman@Satellite:~$ whois 66.249.17.112
#
# Query terms are ambiguous. The query is assumed to be:
#     "n 66.249.17.112"
#
# Use "?" to get help.
#

#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=66.249.17.112?showDetails=true&showARIN=false&ext=netref2
#

The Endurance International Group, Inc. BIZLAND-FC01 (NET-66-249-0-0-1) 66.249.0.0 - 66.249.31.255
Name Intelligence, Inc. NAMEI-NET-1 (NET-66-249-16-0-1) 66.249.16.0 - 66.249.17.255

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
I'll ACL 66.249.16.0 0.0.1.255. (Name Intelligence Inc.'s network)
  #13  
10-05-2012, 07:31 AM
Bmithra
Registered User
Join Date: Mar 2004
Location: lost angeleesss
Posts: 607
Re: Recent DDoS Attacks

Wow VAX, the sh** you go through for the Moon amazes me. Thanks for all you do for us all!
__________________
People should not be afraid of their Governments,
Governments should be afraid of their People.
  #14  
10-05-2012, 08:02 AM
Ted
Registered User
Join Date: Nov 2006
Location: Round Rock, Texas
Posts: 729
Re: Recent DDoS Attacks

VAX,

I also thank you. I have not been much of a participant lately - at least in the shout box due to work load - but I have been following this problem on the website, and I truly appreciate what you are doing. Again - THANK YOU. As has been mentioned, it is amazing what you are doing keeping Aural Moon functioning on the net.

Hats off my man, and grab another G!

Regards from Texas,
Ted

P.S. Also - as Jam said, thanks for sharing with us - I too only understand a fraction, but it is still fascinating.
  #15  
10-06-2012, 06:45 AM
VAXman (Admin)
progger propellerhead
Join Date: Dec 2003
Location: Presently reside in Jackson (southern) NJ (20 miles east of NEARfest 2002 & 2003)
Posts: 2,362
Re: Recent DDoS Attacks

Another attack last evening. This one: http://www.rivalhost.com/

Most of the attacks that I've mitigated were directed at such sites (i.e. company sites that provide guaranteed DDoS hosting services, DDoS mitigation services or DDoS mitigation appliances).

Oh well, another network in the router's "direct those packets into the packet toilet" rules.
  #16  
10-06-2012, 04:06 PM
VAXman (Admin)
progger propellerhead
Join Date: Dec 2003
Location: Presently reside in Jackson (southern) NJ (20 miles east of NEARfest 2002 & 2003)
Posts: 2,362
Re: Recent DDoS Attacks

FWIW, it's been exceptionally bad today!!!

Code:
Extended IP access list Deny-DDoS-ACL
    10 deny udp 182.96.0.0 0.15.255.255 any eq domain
    20 deny udp 184.172.0.0 0.1.255.255 any eq domain (33 matches)
    30 deny udp 209.205.64.0 0.0.31.255 any eq domain
    40 deny udp 216.218.128.0 0.0.127.255 any eq domain (32 matches)
    50 deny udp 66.249.64.0 0.0.31.255 any eq domain (2318 matches)
    60 deny udp 67.211.96.0 0.0.15.255 any eq domain
    70 deny udp 67.59.128.0 0.0.63.255 any eq domain
    80 deny udp 69.64.32.0 0.0.31.255 any eq domain (11 matches)
    90 deny udp 72.20.0.0 0.0.63.255 any eq domain (6908 matches)
    100 deny udp 72.52.64.0 0.0.63.255 any eq domain (16 matches)
    110 deny udp 72.8.128.0 0.0.63.255 any eq domain
    120 deny udp 76.76.0.0 0.0.31.255 any eq domain (54 matches)
    130 deny udp 8.0.0.0 0.255.255.255 any eq domain (3191 matches)
    140 deny udp 80.243.162.160 0.0.0.31 any eq domain
    150 deny udp 80.65.250.128 0.0.0.63 any eq domain
    160 deny udp 81.27.213.0 0.0.0.255 any eq domain
    170 deny udp 89.248.160.0 0.0.7.255 any eq domain
    180 deny udp 95.108.150.0 0.0.1.255 any eq domain (216 matches)
    190 deny udp 95.128.184.0 0.0.0.255 any eq domain (42 matches)
    200 deny udp 199.83.128.0 0.0.7.255 any eq domain
    210 deny udp 159.253.152.160 0.0.0.7 any eq domain
    230 deny udp 68.68.16.0 0.0.15.255 any eq domain
    250 deny udp 91.237.250.0 0.0.0.255 any eq domain
    290 deny udp 198.144.120.0 0.0.1.255 any eq domain
    310 deny udp 23.20.0.0 0.3.255.255 any eq domain (491 matches)
    320 deny udp 31.170.160.0 0.0.3.255 any eq domain
    330 deny udp 64.62.128.0 0.0.127.255 any eq domain (2 matches)
    340 deny udp 69.162.64.0 0.0.63.255 any eq domain (49 matches)
    350 deny udp 94.23.80.0 0.0.7.255 any eq domain
    360 deny udp 94.242.192.0 0.0.63.255 any eq domain
    370 deny udp 95.154.192.0 0.0.63.255 any eq domain
    380 deny udp 99.0.0.0 0.127.255.255 any eq domain (8 matches)
    390 deny udp 82.41.0.0 0.0.127.255 any eq domain
    400 deny udp 107.22.0.0 0.0.255.255 any eq domain (19 matches)
    410 deny udp 24.20.0.0 0.0.255.255 any eq domain
    420 deny udp 72.194.124.0 0.0.0.255 any eq domain
    440 deny udp 146.0.72.0 0.0.7.255 any eq domain
    450 deny udp 188.165.0.0 0.0.255.255 any eq domain
    460 deny udp 199.192.72.0 0.0.7.255 any eq domain
    470 deny udp 217.23.0.0 0.0.15.255 any eq domain (20 matches)
    480 deny udp 46.251.224.0 0.0.15.255 any eq domain
    490 deny udp 62.141.32.0 0.0.15.255 any eq domain
    500 deny udp 62.187.213.0 0.0.0.63 any eq domain
    510 deny udp 72.53.176.0 0.0.15.255 any eq domain
    520 deny udp 76.181.192.0 0.0.7.255 any eq domain
    530 deny udp 77.91.200.0 0.0.7.255 any eq domain
    540 deny udp 77.96.80.0 0.0.15.255 any eq domain
    550 deny udp 78.46.0.0 0.1.255.255 any eq domain (1337 matches)
    560 deny udp 81.30.144.0 0.0.15.255 any eq domain
    570 deny udp 85.236.96.0 0.0.31.255 any eq domain
    580 deny udp 91.123.192.0 0.0.15.255 any eq domain
    590 deny udp 92.28.0.0 0.1.255.255 any eq domain
    610 deny udp 216.145.0.0 0.0.31.255 any eq domain (20 matches)
    620 deny udp 64.246.160.0 0.0.31.255 any eq domain (6 matches)
    640 deny udp 173.248.128.0 0.0.63.255 any eq domain
    660 deny udp 174.127.64.0 0.0.63.255 any eq domain (830 matches)
    680 deny udp 212.56.192.0 0.0.31.255 any eq domain
    700 deny udp 66.249.16.0 0.0.1.255 any eq domain (135 matches)
    720 deny udp 67.15.238.0 0.0.0.255 any eq domain
    740 deny udp 37.221.163.0 0.0.0.31 any eq domain
    760 deny udp 78.140.172.0 0.0.3.255 any eq domain (1078434 matches)
    770 permit ip any any (1341306 matches)
Total packets blocked: 1,094,123
Total packets passed: 1,341,306
Total packet payload: 2,435,429

Do a little division and you'll see that 45% of my total bandwidth is being pissed away with this nonsense.
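The arithmetic in the first post and again here (summing the deny counters, adding the permit counter, dividing) is easy to automate, and the run-together form in which the listings appear in this thread is the main obstacle. The script below is an added example of mine, not the poster's code: it parses `show access-list` output in both the normal one-entry-per-line form and the run-together form, converts the IOS wildcard masks to CIDR where they are contiguous, and reports the blocked share and the heaviest-hit networks. The ACL text it embeds is constructed from RFC 5737 documentation ranges, not the poster's real entries, and the `host x` entry form, which the thread never uses, is not handled.

```python
"""Total the match counters of a Cisco IOS 'show access-list' listing.

Added example; not code from the original post. It parses ACEs in both the
normal one-per-line form and the run-together form the thread pastes,
converts IOS wildcard masks to CIDR, and reports the blocked share of
packets the way the post computes it by hand.
"""
import ipaddress
import re
from typing import Dict, List

# One access-control entry as 'show access-list' prints it. Only the source
# forms used in the thread (address + wildcard, or 'any') are handled; a
# 'host x' entry would need another alternative in the src group.
ACE_RE = re.compile(
    r"(?P<seq>\d+)\s+(?P<action>deny|permit)\s+(?P<proto>[a-z]+)\s+"
    r"(?P<src>any|\d+\.\d+\.\d+\.\d+\s+\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<dst>any)(?:\s+eq\s+(?P<port>\S+))?"
    r"(?:\s+\((?P<matches>\d+)\s+matches\))?"
)

# Constructed sample in the run-together form; RFC 5737 documentation ranges.
SAMPLE_ACL = (
    "Extended IP access list Deny-DDoS-ACL "
    "10 deny udp 192.0.2.0 0.0.0.255 any eq domain (1500 matches) "
    "20 deny udp 198.51.100.0 0.0.0.63 any eq domain "
    "30 deny udp 203.0.113.0 0.0.0.31 any eq domain (2500 matches) "
    "40 permit ip any any (6000 matches)"
)


def wildcard_to_cidr(addr: str, wildcard: str) -> str:
    """IOS wildcard (inverse) mask -> CIDR. The wildcard is inverted to a
    netmask first so that 0.0.0.0 becomes /32 rather than being read as an
    all-zero netmask. Non-contiguous wildcards have no CIDR form and are
    returned unchanged as 'addr wildcard'."""
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    try:
        return str(ipaddress.ip_network(f"{addr}/{netmask}", strict=False))
    except ValueError:
        return f"{addr} {wildcard}"


def parse_acl(text: str) -> List[Dict]:
    """Extract every ACE from the listing; whitespace between entries may be
    a newline (normal output) or a single space (run-together paste)."""
    entries = []
    for m in ACE_RE.finditer(text):
        src = m.group("src")
        if src == "any":
            cidr = "0.0.0.0/0"
        else:
            addr, wildcard = src.split()
            cidr = wildcard_to_cidr(addr, wildcard)
        entries.append({
            "seq": int(m.group("seq")),
            "action": m.group("action"),
            "proto": m.group("proto"),
            "src": cidr,
            "port": m.group("port"),
            "matches": int(m.group("matches") or 0),  # no suffix means zero hits
        })
    return entries


def summarize(entries: List[Dict]) -> Dict:
    """Blocked vs. passed packet counts, blocked share, and deny entries by hits."""
    denied = sum(e["matches"] for e in entries if e["action"] == "deny")
    permitted = sum(e["matches"] for e in entries if e["action"] == "permit")
    total = denied + permitted
    top = sorted(((e["src"], e["matches"]) for e in entries
                  if e["action"] == "deny" and e["matches"]),
                 key=lambda t: t[1], reverse=True)
    return {"denied": denied, "permitted": permitted, "total": total,
            "denied_pct": 100.0 * denied / total if total else 0.0,
            "top_deny": top}


if __name__ == "__main__":
    s = summarize(parse_acl(SAMPLE_ACL))
    print(f"blocked {s['denied']:,} of {s['total']:,} packets ({s['denied_pct']:.1f}%)")
    for cidr, n in s["top_deny"]:
        print(f"  {cidr:<20} {n:>10,}")
```

Two caveats apply when reading such totals, both visible in the thread's own listings. The counters only count since the last reload or `clear access-list counters`, so two listings taken at different times are not comparable unless both were cleared at the same moment. And the blocked share is a share of packets, not of bytes: the spoofed queries are small, the amplified responses they would have provoked are the large ones, so the bandwidth actually saved by dropping them is the response traffic that never leaves the resolver.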
  #17  
10-07-2012, 09:28 PM
nsgobbi
Registered User
Join Date: May 2011
Location: São Paulo, Brazil.
Posts: 55
Re: Recent DDoS Attacks

Hi VAX, it's quite clear that you're a professional fighting all these threats, but I simply ask myself why the hell did you write down here your whole strategy..... don't you think it may make hackers' lives easier?
  #18  
10-08-2012, 05:30 AM
VAXman (Admin)
progger propellerhead
Join Date: Dec 2003
Location: Presently reside in Jackson (southern) NJ (20 miles east of NEARfest 2002 & 2003)
Posts: 2,362
Re: Recent DDoS Attacks

Quote:
Originally Posted by nsgobbi
Hi VAX, it's quite clear that you're a professional fighting all these threats, but I simply ask myself why the hell did you write down here your whole strategy..... don't you think it may make hackers' lives easier?
There's nothing here that's earth-shattering in the realm of these malfeasants.
  #19  
04-28-2013, 01:10 PM
jspen2
Registered User
Join Date: Jan 2012
Posts: 2
Re: Recent DDoS Attacks

...

Last edited by jspen2 : 08-11-2015 at 08:34 PM.
  #20  
04-29-2013, 09:31 AM
tobytanzer
Patron
Join Date: Jun 2010
Location: Barrie, Ontario
Posts: 246
Re: Recent DDoS Attacks

Adding my thanks to those of others who have expressed their gratitude so well.
Your self description as "janitor" of the Moon is starting to make a lot more sense to me.
Merci beaucoup Vax!
All times are GMT -5.