Duvida no caso de ataque (Open recursive resolver used for an attack)

[jamers0n]

Boa Noite a todos
Venho aqui com uma questão que para mim é meio complicada.
Recebi um e-mail hoje pela manha segue abaixo.
Não consegui entender o que fazer.
Bloqueando as portas citadas resolve ?
Alguma Regra no MK que possa resolver ?
Como localizar o cliente que fez o ataque ?
estou usando uma RB Mikrotik na 6.3x autenticação PPPoE.

Desde já agradeço a todos pela atenção e compreensão
Obrigado.




Prezado cliente JAMERSON

Segundo a notificação abaixo do NFOservers, teu IP 200.1xx.xx.xx participou de ataque DoS. Favor verificar tua rede e tomar as devidas correções.


Qualquer dúvida estamos à disposição.


-------- Mensagem encaminhada --------

Assunto:	Open recursive resolver used for an attack: 200.152.69.87
Data:	Mon, 7 Dec 2015 20:23:00 -0800
De:	NFOservers.com DDoS notifier <[email protected]>

You appear to be running an open recursive resolver at IP address 200.152.69.87 that participated in an attack against a customer of ours, generating large UDP responses to spoofed queries, with those responses becoming fragmented because of their size.Please consider reconfiguring your resolver in one or more of these ways:- To only serve your customers and not respond to outside IP addresses (in BIND, this is done by defining a limited set of hosts in "allow-query"; with a Windows DNS server, you would need to use firewall rules to block external access to UDP port 53)- To only serve domains that it is authoritative for (in BIND, this is done by defining a limited set of hosts in "allow-query" for the server overall but setting "allow-query" to "any" for each zone)- To rate-limit responses to individual source IP addresses (such as by using DNS Response Rate Limiting or iptables rules)More information on this type of attack and what each party can do to mitigate it can be found here: http://www.us-cert.gov/ncas/alerts/TA13-088AIf you are an ISP, please also look at your network configuration and make sure that you do not allow spoofed traffic (that pretends to be from external IP addresses) to leave the network. Hosts that allow spoofed traffic make possible this type of attack.Example DNS responses from your resolver during this attack are given below. Date/timestamps (far left) are UTC.2015-12-08 04:17:53.117828 IP (tos 0x0, ttl 46, id 59658, offset 0, flags [+], proto UDP (17), length 1476) 200.152.69.87.53 > 70.42.74.x.4444: 45778| 22/0/0 cpsc.gov. RRSIG[|domain] 0x0000: 4500 05c4 e90a 2000 2e11 dfc7 c898 4557 E.............EW 0x0010: 462a 4a3d 0035 115c 1007 a43a b2d2 8380 F*J=.5.\...:.... 0x0020: 0001 0016 0000 0000 0463 7073 6303 676f .........cpsc.go 0x0030: 7600 00ff 0001 c00c 002e 0001 0000 0832 v..............2 0x0040: 011c 0010 0702 0000 5460 566e 3191 5664 ........T`Vn1.Vd 0x0050: e901 ..2015-12-08 04:17:53.120891 IP (tos 0x0, ttl 46, id 59659, offset 0, flags [+], proto UDP (17), length 1476) 200.152.69.87.53 > 70.42.74.x.4444: 45778| 22/0/0 cpsc.gov. RRSIG[|domain] 0x0000: 4500 05c4 e90b 2000 2e11 dfc6 c898 4557 E.............EW 0x0010: 462a 4a3d 0035 115c 1007 9dbc b2d2 8380 F*J=.5.\........ 0x0020: 0001 0016 0000 0000 0463 7073 6303 676f .........cpsc.go 0x0030: 7600 00ff 0001 c00c 002e 0001 0000 0832 v..............2 0x0040: 011c 000f 0702 0000 5460 566e 3191 5664 ........T`Vn1.Vd 0x0050: e901 ..2015-12-08 04:17:53.123945 IP (tos 0x0, ttl 46, id 59660, offset 0, flags [+], proto UDP (17), length 1476) 200.152.69.87.53 > 70.42.74.x.4444: 45778| 22/0/0 cpsc.gov. RRSIG[|domain] 0x0000: 4500 05c4 e90c 2000 2e11 dfc5 c898 4557 E.............EW 0x0010: 462a 4a3d 0035 115c 1007 f8dc b2d2 8380 F*J=.5.\........ 0x0020: 0001 0016 0000 0000 0463 7073 6303 676f .........cpsc.go 0x0030: 7600 00ff 0001 c00c 002e 0001 0000 0832 v..............2 0x0040: 011c 0002 0702 0000 5460 566e 3191 5664 ........T`Vn1.Vd 0x0050: e901 ..(The final octet of our customer's IP address is masked in the above output because some automatic parsers become confused when multiple IP addresses are included. The value of that octet is "61".)-JohnPresidentNFOservers.com(We're sending out so many of these notices, and seeing so many auto-responses, that we can't go through this email inbox effectively. If you have follow-up questions, please contact us at [email protected].)

[wdnc5]

DROP na pota 53 amigo, Resolve seu problema.

[jamers0n]

DROP na pota 53 amigo, Resolve seu problema.

Obrigado pela atenção caro colega
Desculpa minha ignorância.
O que seria DROP na porta.

[fabbabenco]

amigo boa noite drop na porta 53 é bloquear ela no servidor

[wdnc5]

Você vai criar uma Regra de Bloqueio UDP na porta 53 (53 DNS)
e desmaca a opção allow Remote Reguest Do mikrotik se tiver marcada

segue um exemplor de proteção para aplicar no firewall:

/ip firewall filter
add chain=forward dst-address=x.x.x.x/x dst-port=53 protocol=udp \
src-address=x.x.x.x/x

add action=drop chain=forward dst-address=x.x.x.x/x dst-port=53 \
in-interface=interface link protocol=udp


onde x é a ranger de seus clientes.

[wdnc5]

Caso persista o problema me add no Skype que Dou uma geral ai pra vc.

wanderson_costa2012

[jamers0n]

DROP na pota 53 amigo, Resolve seu problema.

Você vai criar uma Regra de Bloqueio UDP na porta 53 (53 DNS)
e desmaca a opção allow Remote Reguest Do mikrotik se tiver marcada

segue um exemplor de proteção para aplicar no firewall:

/ip firewall filter
add chain=forward dst-address=x.x.x.x/x dst-port=53 protocol=udp \
src-address=x.x.x.x/x

add action=drop chain=forward dst-address=x.x.x.x/x dst-port=53 \
in-interface=interface link protocol=udp


onde x é a ranger de seus clientes.

Obrigado pela atenção caro colega.

Vou fazer agora, mas tenho a última dúvida, só para ter certeza para não fazer errado.
in-interface=interface link (seria a interface para os clietes ou entrada do Meu link dedicado ?)
protocol=udp

[wdnc5]

Obrigado pela atenção caro colega.

Vou fazer agora, mas tenho a última dúvida, só para ter certeza para não fazer errado.
in-interface=interface link (seria a interface para os clietes ou entrada do Meu link dedicado ?)
protocol=udp

Entrada do Seu Link!

[jamers0n]

Como Faço autenticação pelo PPPoE no dedicado
ficou essa duvida.

Etner1 ou o PPPoE que autentica?

e Obrigado novamente.

[deson00]

vc precisa dropar bloquear a porta de entrada externa ou seja tudo que seja input na porta 53 sendo udp ou tcp.

Exemplo parecido do que vc tem que fazer.

[jamers0n]

Boa Noite para todos
E desde ja agradeço a atenção de todos
Pessoal Recebi outra Notificação.
Meu IP X está novamente atacando
Como foi citado acima já fiz o drop na 53 e voltou.

Alguma Dica como resolver ?

Please consider reconfiguring your resolver in one or more of these ways:

- To only serve your customers and not respond to outside IP addresses (in BIND, this is done by defining a limited set of hosts in "allow-query"; with a Windows DNS server, you would need to use firewall rules to block external access to UDP port 53)
- To only serve domains that it is authoritative for (in BIND, this is done by defining a limited set of hosts in "allow-query" for the server overall but setting "allow-query" to "any" for each zone)
- To rate-limit responses to individual source IP addresses (such as by using DNS Response Rate Limiting or iptables rules)

More information on this type of attack and what each party can do to mitigate it can be found here: http://www.us-cert.gov/ncas/alerts/TA13-088A

If you are an ISP, please also look at your network configuration and make sure that you do not allow spoofed traffic (that pretends to be from external IP addresses) to leave the network. Hosts that allow spoofed traffic make possible this type of attack.

Example DNS responses from your resolver during this attack are given below.
Date/timestamps (far left) are UTC.

2016-01-12 14:45:26.273175 IP (tos 0x0, ttl 51, id 21217, offset 0, flags [+], proto UDP (17), length 1476) 200.152.69.87.53 > 66.150.155.x.4444: 15628| 22/0/0 cpsc.gov. RRSIG[|domain]
0x0000: 4500 05c4 52e1 2000 3311 234f c898 4557 E...R...3.#O..EW
0x0010: 4296 9b73 0035 115c 1007 2e6f 3d0c 8380 B..s.5.\...o=...
0x0020: 0001 0016 0000 0000 0463 7073 6303 676f .........cpsc.go
0x0030: 7600 00ff 0001 c00c 002e 0001 0000 4504 v.............E.
0x0040: 011c 0030 0702 0000 5460 569d a78b 5694 ...0....T`V...V.
0x0050: 5efb ^.
2016-01-12 14:45:26.283788 IP (tos 0x0, ttl 51, id 21220, offset 0, flags [+], proto UDP (17), length 1476) 200.152.69.87.53 > 66.150.155.x.4444: 15628| 22/0/0 cpsc.gov. RRSIG[|domain]
0x0000: 4500 05c4 52e4 2000 3311 234c c898 4557 E...R...3.#L..EW
0x0010: 4296 9b73 0035 115c 1007 ad62 3d0c 8380 B..s.5.\...b=...
0x0020: 0001 0016 0000 0000 0463 7073 6303 676f .........cpsc.go
0x0030: 7600 00ff 0001 c00c 002e 0001 0000 4504 v.............E.
0x0040: 011c 0001 0702 0000 5460 569d a78b 5694 ........T`V...V.
0x0050: 5efb ^.
2016-01-12 14:45:26.287165 IP (tos 0x0, ttl 51, id 21221, offset 0, flags [+], proto UDP (17), length 1476) 200.152.69.87.53 > 66.150.155.x.4444: 15628| 22/0/0 cpsc.gov. RRSIG[|domain]
0x0000: 4500 05c4 52e5 2000 3311 234b c898 4557 E...R...3.#K..EW
0x0010: 4296 9b73 0035 115c 1007 d7b3 3d0c 8380 B..s.5.\....=...
0x0020: 0001 0016 0000 0000 0463 7073 6303 676f .........cpsc.go
0x0030: 7600 00ff 0001 c00c 002e 0001 0000 4504 v.............E.
0x0040: 011c 0010 0702 0000 5460 569d a78b 5694 ........T`V...V.
0x0050: 5efb ^.

(The final octet of our customer's IP address is masked in the above output because some automatic parsers become confused when multiple IP addresses are included. The value of that octet is "115".)

-John
President
NFOservers.com