Query was: 20-Aug-2013 client 89.248.172.121: query: edelion.su IN A +E
Update 21-Aug-2013:
Attacks have started with this domain. Query comes in as Edelion rather than edelion. Corrected my iptables rule to be case-insensitive.
Source:
89.248.172.121 AS29073 Ecatel Network
Seen before:
1 hackwhatlol.cc
1 edelion.su
iptables rule:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x07454445 && 0x2c&0xDFDFDFDF=0x4c494f4e && 0x30&0xFFDFDFFF=0x02535500" -j DROP -m comment --comment "DROP DNS Q edelion.su"
Full Rule Set
Response:
244 A records in the 204.46.43.x range
Name servers:
;; ANSWER SECTION:
edelion.su. 43200 IN NS ns2.reg.ru.
edelion.su. 43200 IN NS ns1.reg.ru.
;; ADDITIONAL SECTION:
ns1.reg.ru. 86376 IN A 31.31.204.52
ns1.reg.ru. 86376 IN A 31.31.205.55
ns1.reg.ru. 86376 IN A 144.76.40.132
ns2.reg.ru. 86376 IN A 88.212.207.122
ns1.reg.ru. 86376 IN A 31.31.205.39
ns2.reg.ru. 86376 IN A 31.31.204.37
ns2.reg.ru. 86376 IN A 31.31.205.56
ns2.reg.ru. 86376 IN A 31.31.204.25
ns1.reg.ru. 86376 IN A 88.212.207.121
Whois:
domain: EDELION.SU
nserver: ns1.reg.ru.
nserver: ns2.reg.ru.
state: REGISTERED, DELEGATED
person: Private Person
e-mail: dim199351@mail.ru
registrar: REGRU-REG-FID
created: 2013.01.30
paid-till: 2014.01.30
free-date: 2014.03.04
source: TCI
Last updated on 2013.08.20 23:56:40 MSK
Seen this attack a lot today. My solution:
#!/bin/bash
# Usage: $0 HEXDUMPSTRING
# HEXDUMPSTRING is the hex bytes of the unwanted query name as shown by the
# hexdump, without the |...| delimiters (the script adds them).
# --from 30 starts the search at IP+UDP+2 bytes (just past the DNS ID), so the
# match does not depend on the name sitting at one fixed offset.
# Note: -m string is case-sensitive; add --icase to also catch "Edelion".
if [ "$1" != "" ]; then
iptables -t raw -I PREROUTING -p udp --destination-port 53 -m string --algo kmp --from 30 --hex-string "|$1|" -j DROP
else
echo "$0 HEXDUMPSTRING"
# In a tshark -x dump with an Ethernet header, the QNAME begins on line 0030.
echo "Localize hexstring at line 0030 containing unwanted query: tshark -i eth0 -x port 53"
fi
echo; echo;
echo "Existing DENY rules regler"
echo "-------------------------------------"
iptables -t raw -L -n