# filtering a hexstring, example please



## parcival (Nov 22, 2012)

Hi all,
is this possible with pf, especially with the option "-m string --hex-string"?


```
iptables -A INPUT -p udp -m string --hex-string "|03697363036f726700|" --algo bm --to 65535 -j DROP
```

thx
parcival
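An added example, not from any post in the thread: the `--hex-string` argument in the rule above is the DNS wire-format QNAME for isc.org (length-prefixed labels ending in a zero-length label), so the iptables rule drops any UDP packet whose payload contains that encoded name. The decoder below is constructed here to show what the rule actually matches.

```python
# Added example: decode an iptables --hex-string payload as a DNS wire-format name.
def decode_dns_name(raw: bytes) -> str:
    """Decode an uncompressed DNS name (length-prefixed labels, terminated by a
    zero-length label) into dotted text. Compression pointers are rejected."""
    labels = []
    pos = 0
    while True:
        if pos >= len(raw):
            raise ValueError("name is not terminated by a zero-length label")
        length = raw[pos]
        pos += 1
        if length == 0:
            break
        if length > 63:  # 0xC0.. would be a compression pointer, not a label
            raise ValueError("label length %d exceeds 63" % length)
        if pos + length > len(raw):
            raise ValueError("truncated label")
        labels.append(raw[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def decode_hex_string(hexstr: str) -> str:
    """Accept the iptables form '|03697363036f726700|' or bare hex digits."""
    return decode_dns_name(bytes.fromhex(hexstr.strip("|")))


if __name__ == "__main__":
    print(decode_hex_string("|03697363036f726700|"))  # isc.org
```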


----------



## SirDice (Nov 22, 2012)

What's that rule supposed to do?


----------



## parcival (Nov 22, 2012)

hi SirDice
blocking ddos on bind to isc.org, hexstring = isc.org (60 query per second)

example:


```
22-Nov-2012 10:50:22.612 client 184.168.72.113#26636 (isc.org): query: isc.org IN ANY +ED (192.168.200.12)
22-Nov-2012 10:50:23.372 client 93.170.127.96#55471 (isc.org): query: isc.org IN ANY +ED (192.168.200.12)
```


----------



## SirDice (Nov 22, 2012)

It's not a DDoS, it's not even a DoS. It's some remote clients that are trying to resolve isc.org on your DNS server.

Are you hosting some domains? If not, there's no reason why your DNS server should be accessible from the internet.


----------



## parcival (Nov 22, 2012)

Hmm, I think this is a "DNS Amplification Attack".
And yes, I see it on all three of our DNS servers (opennic-dns; one DNS server even gets more than 700 q/s).

More about DNS amplification can be found at:
http://www.isotf.org/news/DNS-Amplification-Attacks.pdf


----------



## SirDice (Nov 22, 2012)

If I read that correctly you should turn off recursion for unknown clients (i.e. everything that comes from the internet). Which is a good idea anyway.

Simply blocking queries for isc.org won't help as you can get the same effect using a different domain.


----------



## kpa (Nov 22, 2012)

Not allowing recursion to clients that you don't trust is part of DNS 101.


----------



## parcival (Nov 22, 2012)

SirDice I solved this with fail2ban.

filter:

```
# Fail2Ban configuration file for named (bind9). Trying to generalize the
#          structure which is general to capture general patterns in log
#          lines to cover different configurations/distributions
#
# Author: Yaroslav Halchenko
#
# $Revision: 730 $
#

[Definition]

#
# Daemon name
_daemon=named

#
# Shortcuts for easier comprehension of the failregex
__pid_re=(?:\[\d+\])
__daemon_re=\(?%(_daemon)s(?:\(\S+\))?\)?:?
__daemon_combs_re=(?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)
#       hostname       daemon_id         spaces
# this can be optional (for instance if we match named native log files)
__line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)?

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile.
# Values: TEXT
#
failregex = %(__line_prefix)sclient <HOST>#.+: query: (ripe.net|isc.org) IN ANY \+ED*

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
```

@kpa
These are T2 DNS servers (slaves).
Keep in mind that T2 servers are only required to slave the dns.opennic.glue zone (with the option to slave the root zone if you desire), and recursion is acceptable and expected for all other zones.


----------



## SirDice (Nov 22, 2012)

parcival said:

> and recursion is acceptable and expected for all other zones.


Are these servers used by (internal) clients to resolve? If not, turn off recursion.

The fail2ban solution may work for this particular example but as I said you can get the same results using _any_ domain that's not being served on that DNS server. So blocking queries for ripe.net or isc.org isn't going to prevent recursive queries using freebsd.org for example. Hence, you're still open to the same DDoS. And, because you allow recursion, you're also vulnerable to cache poisoning.


----------



## parcival (Nov 22, 2012)

I don't block everything (ripe.net or isc.org) immediately.
With these fail2ban parameters, I can make sure that "normal users" can still reach ripe.net or isc.org.

example:

```
# "bantime" is the number of seconds that a host is banned.
bantime  = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 8
```

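An added example, not from the thread or from fail2ban itself: it replays BIND query-log lines of the format shown earlier in the thread through the filter's `failregex` (with `<HOST>` expanded and the optional syslog prefix omitted) and the `findtime`/`maxretry`/`bantime` logic of this post, so you can see which client would be banned and when. The log lines are constructed sample data.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# failregex from the thread's fail2ban filter, <HOST> expanded, syslog prefix
# omitted because the sample lines are in named's native query-log format.
FAILREGEX = re.compile(r"client (?P<host>\S+)#.+: query: (ripe.net|isc.org) IN ANY \+ED*")
TS_RE = re.compile(r"^(\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3})")

# Constructed sample log: 9 ANY queries from one client within 9 seconds,
# one from another client, and one ordinary A query that must not match.
LOG = [
    "22-Nov-2012 10:50:%02d.000 client 184.168.72.113#%d (isc.org): query: isc.org IN ANY +ED (192.168.200.12)" % (i, 26636 + i)
    for i in range(9)
] + [
    "22-Nov-2012 10:50:23.372 client 93.170.127.96#55471 (isc.org): query: isc.org IN ANY +ED (192.168.200.12)",
    "22-Nov-2012 10:50:24.100 client 10.0.0.5#40000 (isc.org): query: isc.org IN A + (192.168.200.12)",
]


def parse_line(line):
    """Return (timestamp, host) for a line matching failregex, else None."""
    m = FAILREGEX.search(line)
    t = TS_RE.match(line)
    if not m or not t:
        return None
    ts = datetime.strptime(t.group(1), "%d-%b-%Y %H:%M:%S.%f")
    return ts, m.group("host")


def scan(lines, findtime=600, maxretry=8, bantime=600):
    """Apply fail2ban's counting: ban a host once it has maxretry matches
    within findtime seconds. Returns {host: time_of_ban}."""
    window = timedelta(seconds=findtime)
    hits = defaultdict(deque)
    banned = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host = parsed
        if host in banned and ts < banned[host] + timedelta(seconds=bantime):
            continue  # still banned; the firewall would drop this query
        q = hits[host]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # forget matches older than findtime
        if len(q) >= maxretry:
            banned[host] = ts
            q.clear()
    return banned
```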

----------



## SirDice (Nov 22, 2012)

parcival said:

> I don't block everything (ripe.net or isc.org) immediately.
> With these fail2ban parameters, I can make sure that "normal users" can still reach ripe.net or isc.org.


Doesn't matter, I can still use you as an amplifier if I use freebsd.org (or any of the millions of other domains) instead of ripe.net or isc.org.

Why don't you just turn off recursion? What's the reason to keep it on?


----------



## kpa (Nov 22, 2012)

Uhm, I recommend that you start reading about BIND ACLs and how they can be used to do better what you're now doing with tools that are not designed for the job. For example:

http://www.zytrax.com/books/dns/ch7/acl.html

https://deepthought.isc.org/article/AA-00659/116/BIND-9.9.0-Administrator-Reference-Manual.html
PDF File. Section 6.2.1.


----------

