If you are seeing queries for this domain, then you are likely participating in DNS amplification attacks: your DNS server is probably reachable from the internet and has recursion enabled, and the source addresses on those queries are spoofed, so the large answers you send back are landing on somebody else.
If you are seeing responses for this domain... unlucky. You are currently being DDoS-ed. Good luck.
IPtables:
There are two iptables rules available. If your kernel supports the iptables 'u32' match, use that one; otherwise use the 'string' rule. Both look for the encoded name (06 "krasti" 02 "us" 00) at byte offset 40 from the start of the IP header (20-byte IPv4 header + 8-byte UDP header + 12-byte DNS header), so they assume an IPv4 packet without IP options. The u32 rule masks out the 0x20 bit of every letter and therefore matches the name in any mix of upper and lower case; the string rule as written is an exact byte match and only catches the lowercase spelling unless you add --icase. One reader reports in the comments below that the string rule only started matching after widening the window to --from 36, so give the window a few bytes of slack if the queries still reach named. Dropping the query only stops the traffic for this one name; the durable fix is to stop answering recursive queries from the internet at all (also raised in the comments below).
U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x064b5241 && 0x2c&0xDFDFDFFF=0x53544902 && 0x30&0xDFDFFF00=0x55530000" -j DROP -m comment --comment "DROP DNS Q krasti.us"
More U32 rules can be found here:
https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt
String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 51 --algo bm --hex-string '|066b726173746902757300|' -j DROP -m comment --comment "DROP DNS Q krasti.us"
More iptables rules for the string module can be found here:
https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt
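To see where the constants in both rules come from, and what each rule does and does not catch, here is an added example in Python. It is not code from this page or from the dns-iptables-rules repository. It builds the ANY query for krasti.us in wire format, wraps it in a minimal IPv4/UDP frame (the addresses, ports and checksums are made-up placeholders), reads the three 32-bit words the u32 rule tests, and approximates the string match's --from/--to window. It then shows that a mixed-case spelling of the name still hits the u32 rule but slips past the string rule unless --icase is used, that four bytes of IP options shift everything so neither rule fires at the original offsets, and how to recompute the u32 constants for another name.

```python
import struct

DOMAIN = "krasti.us"
QTYPE_ANY = 255
QCLASS_IN = 1

# Constants copied from the two rules above.
U32_TESTS = [
    (0x28, 0xFFDFDFDF, 0x064B5241),   # 06 'k' 'r' 'a'
    (0x2C, 0xDFDFDFFF, 0x53544902),   # 's' 't' 'i' 02
    (0x30, 0xDFDFFF00, 0x55530000),   # 'u' 's' 00 (then QTYPE high byte, masked off)
]
STRING_PATTERN = bytes.fromhex("066b726173746902757300")   # 06 "krasti" 02 "us" 00


def encode_qname(name: str) -> bytes:
    """Wire-format QNAME: length-prefixed labels ended by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_dns_query(name: str, qtype: int = QTYPE_ANY, txid: int = 0x1234) -> bytes:
    """12-byte DNS header (RD set, QDCOUNT=1) followed by one question, no EDNS0."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, QCLASS_IN)


def build_ipv4_udp(payload: bytes, options: bytes = b"") -> bytes:
    """Minimal IPv4 + UDP framing as iptables sees it on INPUT. Addresses, ports and
    checksums are dummies constructed for this example; neither match reads them."""
    assert len(options) % 4 == 0, "IP options are padded to 32-bit words"
    ihl = 5 + len(options) // 4
    total_len = 20 + len(options) + 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0, 0, 64, 17, 0,
                     bytes([203, 0, 113, 7]), bytes([198, 51, 100, 53])) + options
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0)
    return ip + udp + payload


def u32_word(packet: bytes, offset: int) -> int:
    """The big-endian 32-bit word that -m u32 reads at a byte offset from the IP header."""
    return struct.unpack("!I", packet[offset:offset + 4])[0]


def u32_rule_matches(packet: bytes) -> bool:
    """All three masked comparisons from the u32 rule must hold."""
    return all((u32_word(packet, off) & mask) == want for off, mask, want in U32_TESTS)


def string_rule_matches(packet: bytes, start: int = 40, end: int = 51, icase: bool = False) -> bool:
    """Approximation of -m string --from START --to END: the pattern has to sit entirely
    inside the window. END is treated as inclusive here (see the note below)."""
    window = packet[start:end + 1]
    if icase:                      # what --icase adds
        return STRING_PATTERN.lower() in window.lower()
    return STRING_PATTERN in window


def derive_u32_tests(name: str):
    """Recompute the u32 (offset, mask, value) triples for any name: letters get the 0x20
    bit cleared in both mask and value, other bytes are compared exactly, and any bytes
    after the terminating zero (the QTYPE) are masked out."""
    qname = encode_qname(name)
    tests = []
    for i in range(0, len(qname), 4):
        chunk = qname[i:i + 4]
        mask = value = 0
        for b in chunk:
            is_letter = 0x41 <= (b & 0xDF) <= 0x5A
            m = 0xDF if is_letter else 0xFF
            mask = (mask << 8) | m
            value = (value << 8) | (b & m)
        pad = 4 - len(chunk)
        tests.append((40 + i, mask << (8 * pad), value << (8 * pad)))
    return tests


if __name__ == "__main__":
    plain = build_ipv4_udp(build_dns_query(DOMAIN))
    mixed = build_ipv4_udp(build_dns_query("KrAsTi.Us"))
    shifted = build_ipv4_udp(build_dns_query(DOMAIN), options=b"\x01\x01\x01\x01")  # 4 NOP options
    for label, pkt in [("lowercase", plain), ("mixed case", mixed), ("IP options", shifted)]:
        print(f"{label:11s} u32={u32_rule_matches(pkt)} string={string_rule_matches(pkt)} "
              f"string+icase={string_rule_matches(pkt, icase=True)}")
    print("derived u32 tests:", [(hex(o), hex(m), hex(v)) for o, m, v in derive_u32_tests(DOMAIN)])
```

The bare question here is 27 bytes, so the 4886-byte answer listed further down is well over 100x amplification even after allowing for an EDNS0 OPT record in the real queries. Whether xt_string treats --to as inclusive at the very edge is something to check against your own kernel; giving the window a few bytes of slack, which is what the --from 36 change in the comments does, avoids depending on it.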
Source:
Unknown
Name server:
;; ANSWER SECTION:
krasti.us. 3440 IN NS ns64.domaincontrol.com.
krasti.us. 3440 IN NS ns63.domaincontrol.com.
;; ADDITIONAL SECTION:
ns63.domaincontrol.com. 8556 IN A 216.69.185.42
ns63.domaincontrol.com. 8556 IN AAAA 2607:f208:206::2a
ns64.domaincontrol.com. 8556 IN A 208.109.255.42
ns64.domaincontrol.com. 8556 IN AAAA 2607:f208:302::2a
Response (record counts in the ANY answer, and its total size in bytes):
A 2
MX 30
NS 2
SOA 1
TXT 1
Rsize 4886
The response itself is noteworthy: 4886 bytes (Rsize above) in reply to a question of a few dozen bytes, well over 100x amplification, padded out with a junk TXT record and 30 MX records pointing at deliberately long nonsense hostnames. The RRSIG and NSEC at the end are signed by "US.", so they come from the .us parent zone, and that NSEC's type bitmap (NS RRSIG NSEC, no DS) shows krasti.us itself is not DNSSEC-signed.
;; ANSWER SECTION:
krasti.us. 3600 IN SOA ns63.domaincontrol.com. dns.jomax.net. 2013101709 28800 7200 604800 600
krasti.us. 589 IN A 184.168.221.51
krasti.us. 3589 IN NS ns63.domaincontrol.com.
krasti.us. 3589 IN NS ns64.domaincontrol.com.
krasti.us. 604800 IN TXT "sdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdasssdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdas5533 > sdasd" "assdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdasdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdas5533 > sdasdassdasd" "assdasdassdasdassdasdassdasdassdasdassdasdassdaasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdas5533 > sdasdassdasdassda" "sdassdasdassdasdassdasdassdasdassdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdasdassdas5533 > sdasdassdasdassdasdassdasdassdasdassd" "asda"
krasti.us. 604800 IN MX 26 lolwutevet8.ddos-guard.sux.net.aipainkillyouallmydomainthebestever.h4xored.by.antipainlolwutandyouaresucksucksucksuckg.com.
krasti.us. 604800 IN MX 26 lolwutevet8.ddos-guard.sux.net.aipainkillyouallmydomainthebestever.h4xored.by.antipainlolwutandyouaresucksucksucksugck.com.
krasti.us. 604800 IN MX 28 lolwutevet0.ddos-guard.sux.net.aipainkillyouallmydomainthebestever.h4xored.by.antipainlolwutandyouaresuc7ksucksucksuck.com.
krasti.us. 604800 IN MX 28 lolwutevet0.ddos-guard.sux.net.aipainkillyouallmydomainthebestever.h4xored.by.antipainlolwutandyouaresucksucksuckgsuck.com.
krasti.us. 604800 IN MX 28 lolwutevet0.ddos-guard.sux.net.aipainkillyouallmydomainthebestever.h4xored.by.antipainlolwutandyouaresucksucksucksuckg.com.
krasti.us. 604800 IN MX 29 lolwutevet33.ddos-guard.sux.net.aipainkillyouallmydomainthebestever.h4xored.by.antipainlolwutandyouares6ucksucksucksuck.com.
krasti.us. 604800 IN MX 29 lolwutevet33.ddos-guard.sux.net.aipainkillyouallmydomainthebestever.h4xored.by.antipainlolwutandyouaresucksucksgucksuck.com.
krasti.us. 604800 IN MX 30 lolwutevet23.ddos-guard.sux.net.aipainkillyouallmydomainthebestever.h4xored.by.antipainlolwutandyouare5sucksucksucksuck.com.
krasti.us. 604800 IN MX 30 lolwutevet23.ddos-guard.sux.net.aipainkillyouallmydomainthebestever.h4xored.by.antipainlolwutandyouaresucksucksucksuckf.com.
krasti.us. 604800 IN MX 30 lolwutevet23.ddos-guard.sux.net.aipainkillyouallmydomainthebestever.h4xored.by.antipainlolwutandyouaresucksucksucgknsuck.com.
krasti.us. 604800 IN MX 32 lolwutevet33.ddos-guard.sux.net.aipainkillyouallmydomainthebestever.h4xored.by.antipainlolwutandyouar4esucksucksucksuck.com.
krasti.us. 604800 IN MX 32 lolwutevet33.ddos-guard.sux.net.aipainkillyouallmydomainthebestever.h4xored.by.antipainlolwutandyouaresucksucksucksuckn.com.
krasti.us. 604800 IN MX 32 lolwutevet33.ddos-guard.sux.net.aipainkillyouallmydomainthebestever.h4xored.by.antipainlolwutandyouaresucksucksucksucku.com.
krasti.us. 604800 IN MX 10 lolwutevet1.ddos-guard.sux.net.antipainkillyouallmydomainthebestever.h4xored.by.antipainlolwutandyouaresucksucksucksuck.com.
krasti.us. 604800 IN MX 10 lolwutevet1.ddos-guard.sux.net.antipainkillyouallmydomainthebestever.h4xored.by.antipainlolwutandyou3aresucksucksucksuck.com.
krasti.us. 604800 IN MX 10 lolwutevet1.ddos-guard.sux.net.antipainkillyouallmydomainthebestever.h4xored.by.antipainlolwutandyouaresucksuckssucksuck.com.
krasti.us. 604800 IN MX 10 lolwutevet1.ddos-guard.sux.net.antipainkillyouallmydomainthebestever.h4xored.by.antipainlolwutandyouaresucksucksucksucdk.com.
krasti.us. 604800 IN MX 21 lolwutevet2.ddos-guard.sux.net.aipainkillyouallmydomainthebestever.h4xored.by.antipainlolwutandyoua2resucksucksucksuck.com.
krasti.us. 604800 IN MX 21 lolwutevet2.ddos-guard.sux.net.aipainkillyouallmydomainthebestever.h4xored.by.antipainlolwutandyouaresucksucksucksuckd.com.
krasti.us. 604800 IN MX 21 lolwutevet2.ddos-guard.sux.net.aipainkillyouallmydomainthebestever.h4xored.by.antipainlolwutandyouaresucksucksuscksuck.com.
krasti.us. 604800 IN MX 22 lolwutevet3.ddos-guard.sux.net.aipainkillyouallmydomainthebestever.h4xored.by.antipainlolwutandyou1aresucksucksucksuxck.com.
krasti.us. 604800 IN MX 22 lolwutevet3.ddos-guard.sux.net.aipainkillyouallmydomainthebestever.h4xored.by.antipainlolwutandyouaresucksuckncsucksuck.com.
krasti.us. 604800 IN MX 22 lolwutevet3.ddos-guard.sux.net.aipainkillyouallmydomainthebestever.h4xored.by.antipainlolwutandyouaresucksucksucksugckd.com.
krasti.us. 604800 IN MX 23 lolwutevet4.ddos-guard.sux.net.aipainkillyouallmydomainthebestever.h4xored.by.antipainlolwutandyouaresucksucksucksuckn.com.
krasti.us. 604800 IN MX 23 lolwutevet4.ddos-guard.sux.net.aipainkillyouallmydomainthebestever.h4xored.by.antipainlolwutandyouaresucksucnksucksuck.com.
krasti.us. 604800 IN MX 23 lolwutevet4.ddos-guard.sux.net.aipainkillyouallmydomainthebestever.h4xored.by.antipainlolwutandyouaresucksucksucknbsuxck.com.
krasti.us. 604800 IN MX 24 lolwutevet5.ddos-guard.sux.net.aipainkillyouallmydomainthebestever.h4xored.by.antipainlolwutandyouaresucksucksucksuck.com.
krasti.us. 604800 IN MX 24 lolwutevet5.ddos-guard.sux.net.aipainkillyouallmydomainthebestever.h4xored.by.antipainlolwutandyouaresucksu0cksucksuck.com.
krasti.us. 604800 IN MX 24 lolwutevet5.ddos-guard.sux.net.aipainkillyouallmydomainthebestever.h4xored.by.antipainlolwutandyouaresucksucksucksuckg.com.
krasti.us. 604800 IN MX 26 lolwutevet8.ddos-guard.sux.net.aipainkillyouallmydomainthebestever.h4xored.by.antipainlolwutandyouaresuck8sucksucksuck.com.
krasti.us. 86389 IN RRSIG NSEC 5 2 86400 20131117021009 20131018011009 24075 US. Vlhl+ElSyzbwVU3MM+u1u0bGJqoOF05SaoCvO2A4oMYq9 tt3IbAQUUNv u5+QVWtuiijylhFNIFMEBbVNsyfbGgGbA+2OhtrOKf2kyh5GWH9Hlb32 +sSn6cxvRPoVBPdwjIJhknriy0o1ignfsEPj74mBLPsCobdH7YISdywc l/A=
krasti.us. 86389 IN NSEC KRASZEWSKI.us. NS RRSIG NSEC
Whois:
Domain Name: KRASTI.US
Domain ID: D42540828-US
Sponsoring Registrar: GODADDY.COM, INC.
Sponsoring Registrar IANA ID: 146
Registrar URL (registration services): whois.godaddy.com
Domain Status: clientDeleteProhibited
Domain Status: clientRenewProhibited
Domain Status: clientTransferProhibited
Domain Status: clientUpdateProhibited
Registrant ID: CR152951749
Registrant Name: Ivan Kudashev
Registrant Address1: gorod rostov, sprosit' evgenya
Registrant Address2: marchenko is ddog-guarda
Registrant City: Rostov
Registrant Postal Code: 531189
Registrant Country: Russian Federation
Registrant Country Code: RU
Registrant Phone Number: +7.9651765432
Registrant Email: ivan-kudashev@insorg-mail.info
Registrant Application Purpose: P3
Registrant Nexus Category: C11
Administrative Contact ID: CR152951751
Administrative Contact Name: Ivan Kudashev
Administrative Contact Address1: gorod rostov, sprosit' evgenya
Administrative Contact Address2: marchenko is ddog-guarda
Administrative Contact City: Rostov
Administrative Contact Postal Code: 531189
Administrative Contact Country: Russian Federation
Administrative Contact Country Code: RU
Administrative Contact Phone Number: +7.9651765432
Administrative Contact Email: ivan-kudashev@insorg-mail.info
Administrative Application Purpose: P3
Administrative Nexus Category: C11
Billing Contact ID: CR152951752
Billing Contact Name: Ivan Kudashev
Billing Contact Address1: gorod rostov, sprosit' evgenya
Billing Contact Address2: marchenko is ddog-guarda
Billing Contact City: Rostov
Billing Contact Postal Code: 531189
Billing Contact Country: Russian Federation
Billing Contact Country Code: RU
Billing Contact Phone Number: +7.9651765432
Billing Contact Email: ivan-kudashev@insorg-mail.info
Billing Application Purpose: P3
Billing Nexus Category: C11
Technical Contact ID: CR152951750
Technical Contact Name: Ivan Kudashev
Technical Contact Address1: gorod rostov, sprosit' evgenya
Technical Contact Address2: marchenko is ddog-guarda
Technical Contact City: Rostov
Technical Contact Postal Code: 531189
Technical Contact Country: Russian Federation
Technical Contact Country Code: RU
Technical Contact Phone Number: +7.9651765432
Technical Contact Email: ivan-kudashev@insorg-mail.info
Technical Application Purpose: P3
Technical Nexus Category: C11
Name Server: NS63.DOMAINCONTROL.COM
Name Server: NS64.DOMAINCONTROL.COM
Created by Registrar: GODADDY.COM, INC.
Last Updated by Registrar: GODADDY.COM, INC.
Domain Registration Date: Fri Oct 18 02:09:40 GMT 2013
Domain Expiration Date: Fri Oct 17 23:59:59 GMT 2014
Domain Last Updated Date: Fri Oct 18 02:09:40 GMT 2013
>>>> Whois database was last updated on: Sat Oct 19 00:15:16 GMT 2013 <<<<
All domain names are subject to certain additional domain name registration
rules. For details, please visit our site at www.whois.us.
Thank you for your dns-iptables-rules contribution on GitHub. I downloaded your string iptables script to defend against these attacks, and it seems to work well. However, the attacks directed at the domain krasti.us are not filtered by my Linux box. I checked this line
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 51 --algo bm --hex-string '|066b726173746902757300|' -j DROP -m comment --comment "DROP DNS Q krasti.us"
and it seems to be without any problem, but the attacks are still there, and my system log also records these attacks to krasti.us (but attacks to other domains are all filtered by iptables).
Some system logs look like the following:
Nov 15 10:49:29 mylinuxbox named[22751]: client 50.26.186.78#19889: query (cache) 'krasti.us/ANY/IN' denied
Nov 15 10:49:29 mylinuxbox last message repeated 14 times
Nov 15 10:49:30 mylinuxbox named[22751]: client 107.201.8.16#24368: query (cache) 'krasti.us/ANY/IN' denied
Just wondering why the attacks to krasti.us are not filtered by iptables.
Many thanks for your help.
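The log lines quoted in the comment above are BIND saying it refused the query, so what goes back to the spoofed source is a short REFUSED reply rather than the 4886-byte answer; the iptables rule is there to stop even that and to keep named from spending time on it. Here is an added example in Python, not code from the page or from the commenter, that parses such lines (a constructed sample modelled on the quoted ones, with two client addresses copied from the comment and one from a documentation range, including the syslog "last message repeated N times" lines that hide the real volume) and totals queries per name and per source. The threshold is an arbitrary choice for the example.

```python
import re
from collections import Counter

# Constructed sample modelled on the commenter's lines. 50.26.186.78 and 107.201.8.16 are
# copied from the comment above; 192.0.2.10 is a documentation address. The "last message
# repeated N times" lines are syslog's compression of identical consecutive messages.
SAMPLE_LOG = """\
Nov 15 10:49:29 mylinuxbox named[22751]: client 50.26.186.78#19889: query (cache) 'krasti.us/ANY/IN' denied
Nov 15 10:49:29 mylinuxbox last message repeated 14 times
Nov 15 10:49:30 mylinuxbox named[22751]: client 107.201.8.16#24368: query (cache) 'krasti.us/ANY/IN' denied
Nov 15 10:49:30 mylinuxbox named[22751]: client 192.0.2.10#5353: query (cache) 'example.org/A/IN' denied
Nov 15 10:49:31 mylinuxbox named[22751]: client 107.201.8.16#24368: query (cache) 'KRASTI.US/ANY/IN' denied
Nov 15 10:49:31 mylinuxbox last message repeated 3 times
"""

DENIED_RE = re.compile(
    r"named\[\d+\]: client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"query \(cache\) '(?P<qname>[^/']+)/(?P<qtype>[A-Z0-9]+)/(?P<qclass>[A-Z]+)' denied"
)
REPEAT_RE = re.compile(r" last message repeated (?P<n>\d+) times$")


def parse_denied_queries(text: str):
    """Return (client_ip, qname, qtype, count) tuples. A 'last message repeated N times'
    line adds N more copies of the previous denied query; ignoring those lines would
    undercount the attack badly (15 queries show up as 2 lines in the sample)."""
    events = []
    last = None
    for line in text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            # Normalise the name: case and trailing dot vary, the target does not.
            last = (m["ip"], m["qname"].lower().rstrip("."), m["qtype"])
            events.append((*last, 1))
            continue
        r = REPEAT_RE.search(line)
        if r and last is not None:
            events.append((*last, int(r["n"])))
    return events


def summarize(events):
    """Totals per (qname, qtype), per client, and ANY-only totals per client."""
    by_name, by_client, any_by_client = Counter(), Counter(), Counter()
    for ip, qname, qtype, n in events:
        by_name[(qname, qtype)] += n
        by_client[ip] += n
        if qtype == "ANY":
            any_by_client[ip] += n
    return by_name, by_client, any_by_client


def reflection_targets(events, threshold: int = 10):
    """Clients that sent at least `threshold` ANY queries. In a reflection attack these
    addresses are the spoofed victims, not the attacker: they are the hosts being flooded
    with your replies, which is the reason to stop answering, not a reason to report them
    as offenders. `threshold` is an arbitrary value chosen for this example."""
    _, _, any_by_client = summarize(events)
    return sorted(ip for ip, n in any_by_client.items() if n >= threshold)


if __name__ == "__main__":
    ev = parse_denied_queries(SAMPLE_LOG)
    by_name, by_client, _ = summarize(ev)
    for (qname, qtype), n in by_name.most_common():
        print(f"{n:6d}  {qname}/{qtype}")
    print("likely spoofed victims:", reflection_targets(ev))
```

Run it over your real named log (or journalctl output) instead of SAMPLE_LOG to see which names are being used against you; the per-name totals are the list of domains worth adding iptables rules for while you fix recursion.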
Change the --from 40 to --from 36:
iptables --insert INPUT -p udp --dport 53 -m string --from 36 --to 51 --algo bm --hex-string '|066b726173746902757300|' -j DROP -m comment --comment "DROP DNS Q krasti.us"
You could just configure the DNS server properly not to allow recursive queries; blocking it in iptables is like a dog chasing its own tail.
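The last comment is the real fix, so here is what it looks like for BIND 9. This is an added example, not configuration from this page or its author: an options block that turns the server into an open resolver, next to the version that only recurses for an assumed local ACL. The name "trusted" and its prefixes are placeholders to replace with your own ranges, and the two options blocks are alternatives, not one file.

```conf
// WEAK: recurse for anyone. Every host on the internet can use this server as a
// reflector for the kind of response shown above (older BIND releases behaved
// like this by default).
options {
    recursion yes;
    allow-recursion { any; };
};

// HARDENED: recurse only for the networks you actually serve.
// "trusted" and its prefixes are placeholders in this added example.
acl "trusted" {
    127.0.0.0/8;
    ::1/128;
    192.168.0.0/16;
};

options {
    recursion yes;
    allow-recursion { trusted; };
    allow-query-cache { trusted; };   // cached data is not for outsiders either
    minimal-responses yes;            // do not pad answers with extra records
    // Authoritative-only server (no clients behind it)? Use this instead:
    // recursion no;
};
```

After changing it, test from a host outside your network: a recursive query for a name you are not authoritative for should come back REFUSED, not answered. The iptables rules on this page then only need to cover the noise that still arrives while the attackers' lists of open resolvers catch up.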