
freebsd, pf and udp ddos attack

Issue: Public DNS server, accessible from all over the world. DNS requests with spoofed source addresses flood the victims' networks: the attacker sends queries carrying the victim's address as source, and the server's answers go to the victim instead of the attacker.

# tcpdump -n -i sis0 port 53

14:59:33.030638 IP 178.33.159.24.25345 > 78.128.27.117.53: 10809+ [1au] ANY? isc.org. (36)
14:59:33.033488 IP 78.128.27.117.53 > 178.33.159.24.25345: 10809 Refused- 0/0/1 (36)
14:59:36.069100 IP 37.59.194.196.25345 > 78.128.27.117.53: 10809+ [1au] ANY? isc.org. (36)
14:59:36.071047 IP 78.128.27.117.53 > 37.59.194.196.25345: 10809 Refused- 0/0/1 (36)
14:59:37.718659 IP 178.33.159.24.25345 > 78.128.27.117.53: 10809+ [1au] ANY? isc.org. (36)
14:59:37.720365 IP 78.128.27.117.53 > 178.33.159.24.25345: 10809 Refused- 0/0/1 (36)
14:59:39.413152 IP 178.33.159.24.25345 > 78.128.27.117.53: 10809+ [1au] ANY? isc.org. (36)
14:59:39.414769 IP 78.128.27.117.53 > 178.33.159.24.25345: 10809 Refused- 0/0/1 (36)
14:59:39.861961 IP 37.59.194.196.25345 > 78.128.27.117.53: 10809+ [1au] ANY? isc.org. (36)
14:59:39.863728 IP 78.128.27.117.53 > 37.59.194.196.25345: 10809 Refused- 0/0/1 (36)
14:59:40.360437 IP 94.23.145.254.25345 > 78.128.27.117.53: 10809+ [1au] ANY? isc.org. (36)
14:59:40.362897 IP 78.128.27.117.53 > 94.23.145.254.25345: 10809 Refused- 0/0/1 (36)
178.33.159.24, 37.59.194.196 and 94.23.145.254 are the victims, and the DNS server floods them with answers they never asked for. The server only answers Refused (it does not recurse for these clients), and the 36-byte answer is no bigger than the query, so there is no amplification here; but every Refused answer is still a packet sent to the spoofed source, so the flood is reflected anyway.

Workaround:
All the spoofed requests come from source port 25345. The DNS server is in a separate jail and I use pf rdr to route the DNS requests to it, so the exclusion can be done in the translation rules.

# cat /etc/pf.conf
...
set block-policy drop
...
no rdr on $ext_if proto udp from any port 25345 to 78.128.27.117 port 53
rdr pass on $ext_if proto udp from any to 78.128.27.117 port 53 -> 192.168.100.105
...
block all
...
# pfctl -n -f /etc/pf.conf
# pfctl -f /etc/pf.conf
# pfctl -s states | grep ":53)"
all udp 192.168.100.105:53 (78.128.27.117:53) <- 37.59.194.196:25345       MULTIPLE:MULTIPLE
all udp 192.168.100.105:53 (78.128.27.117:53) <- 178.33.159.24:25345       MULTIPLE:MULTIPLE
all udp 192.168.100.105:53 (78.128.27.117:53) <- 94.23.145.254:25345       MULTIPLE:MULTIPLE
# pfctl -k 192.168.100.105
States must be killed, or the replies will not stop: the states created by the old rdr pass rule still match the flood, and a packet that matches an existing state never reaches the new ruleset.

1. Block policy is drop: blocked packets are silently discarded, so the server sends neither a TCP RST nor an ICMP unreachable back to the spoofed sender, which would just reflect the attack in another form.
2. The no rdr rule excludes UDP requests with source port 25345 from translation, so they do not match rdr pass and fall through to the filter rules instead.
3. block all drops them there.
Be careful with the other filter rules: a later pass rule for UDP port 53 (for example one added for the jail) would let the excluded packets through again. Matching on the source port alone also drops a legitimate resolver that happens to pick 25345 as its random source port; that is the price of this quick workaround.
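The fingerprint above (the same source port 25345, the same transaction ID 10809 and the same ANY? isc.org. question arriving from several unrelated addresses) is what makes the no rdr rule safe to write. The following script is an added example, not part of the original post: it parses tcpdump -n query lines, groups them by (source port, transaction ID, query type, name) and flags groups seen from more than one source, which a real resolver, with its random source ports and IDs, never produces. It then renders the matching no rdr exclusion in the syntax of the pf.conf above. The sample capture is constructed (addresses and query copied from the page, plus one made-up legitimate query from 203.0.113.7); the function names, the min_sources threshold and the regex are my own assumptions about the tcpdump format shown.

```python
import re
from collections import defaultdict

# Constructed sample capture, in the format that `tcpdump -n port 53` prints.
# The first five lines copy the page's capture; the last one is a made-up
# legitimate query from a resolver using a random source port and ID.
SAMPLE_CAPTURE = """\
14:59:33.030638 IP 178.33.159.24.25345 > 78.128.27.117.53: 10809+ [1au] ANY? isc.org. (36)
14:59:33.033488 IP 78.128.27.117.53 > 178.33.159.24.25345: 10809 Refused- 0/0/1 (36)
14:59:36.069100 IP 37.59.194.196.25345 > 78.128.27.117.53: 10809+ [1au] ANY? isc.org. (36)
14:59:37.718659 IP 178.33.159.24.25345 > 78.128.27.117.53: 10809+ [1au] ANY? isc.org. (36)
14:59:40.360437 IP 94.23.145.254.25345 > 78.128.27.117.53: 10809+ [1au] ANY? isc.org. (36)
14:59:41.104200 IP 203.0.113.7.54012 > 78.128.27.117.53: 4711+ A? example.com. (29)
"""

# Matches only query lines to port 53 (recursion-desired "+" flag, optional
# EDNS "[1au]" marker); answer lines have the server as source and do not match.
QUERY_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.53: "
    r"(?P<txid>\d+)\+ (?:\[1au\] )?(?P<qtype>\w+)\? (?P<qname>\S+) \(\d+\)$"
)


def find_spoofed_floods(capture: str, min_sources: int = 2):
    """Group queries by (source port, transaction ID, qtype, qname) and return
    the groups that arrived from at least `min_sources` distinct source addresses.

    A legitimate resolver chooses a fresh random source port and transaction ID
    for every query, so one fixed (port, ID, question) tuple coming from several
    unrelated addresses is the signature of a single tool spoofing many victims.
    Result: {(sport, txid, qtype, qname): [sorted source addresses]}.
    """
    sources_by_key = defaultdict(set)
    for line in capture.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue  # answers and non-DNS lines are not queries
        key = (int(m["sport"]), int(m["txid"]), m["qtype"], m["qname"])
        sources_by_key[key].add(m["src"])
    return {
        key: sorted(srcs)
        for key, srcs in sources_by_key.items()
        if len(srcs) >= min_sources
    }


def pf_no_rdr_rules(findings, ext_if: str = "$ext_if", server: str = "78.128.27.117"):
    """Render one `no rdr` exclusion per offending source port, in the FreeBSD pf
    translation-rule syntax used in the pf.conf on this page. Place these lines
    before the `rdr pass` rule for the DNS jail."""
    ports = sorted({key[0] for key in findings})
    return [
        f"no rdr on {ext_if} proto udp from any port {port} to {server} port 53"
        for port in ports
    ]


if __name__ == "__main__":
    found = find_spoofed_floods(SAMPLE_CAPTURE)
    for (sport, txid, qtype, qname), srcs in found.items():
        print(f"sport={sport} txid={txid} {qtype}? {qname} spoofed for {len(srcs)} victims: {', '.join(srcs)}")
    for rule in pf_no_rdr_rules(found):
        print(rule)
```

Feed it a real capture with `tcpdump -n -i sis0 port 53 | python3 script.py` after replacing SAMPLE_CAPTURE with `sys.stdin.read()`; raise min_sources on a busy server so that two resolvers coincidentally sharing a port do not produce a rule.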

After workaround (only the incoming spoofed queries are left; the server no longer answers them):

# tcpdump -n -i sis0 port 53
15:05:39.129676 IP 37.59.194.196.25345 > 78.128.27.117.53: 10809+ [1au] ANY? isc.org. (36)
15:05:41.109744 IP 94.23.145.254.25345 > 78.128.27.117.53: 10809+ [1au] ANY? isc.org. (36)
15:05:41.608512 IP 94.23.145.254.25345 > 78.128.27.117.53: 10809+ [1au] ANY? isc.org. (36)
15:05:42.179105 IP 178.33.159.24.25345 > 78.128.27.117.53: 10809+ [1au] ANY? isc.org. (36)
15:05:44.155841 IP 37.59.194.196.25345 > 78.128.27.117.53: 10809+ [1au] ANY? isc.org. (36)
15:05:47.522229 IP 37.59.194.196.25345 > 78.128.27.117.53: 10809+ [1au] ANY? isc.org. (36)
15:05:47.652616 IP 94.23.145.254.25345 > 78.128.27.117.53: 10809+ [1au] ANY? isc.org. (36)
15:05:49.591880 IP 94.23.145.254.25345 > 78.128.27.117.53: 10809+ [1au] ANY? isc.org. (36)
15:05:50.841837 IP 37.59.194.196.25345 > 78.128.27.117.53: 10809+ [1au] ANY? isc.org. (36)
15:05:54.181441 IP 94.23.145.254.25345 > 78.128.27.117.53: 10809+ [1au] ANY? isc.org. (36)
15:05:54.323259 IP 178.33.159.24.25345 > 78.128.27.117.53: 10809+ [1au] ANY? isc.org. (36)


Posted at Fri Dec 16 14:31:31 2016