Tuesday, October 1, 2013

Domain: pkts.asia

Thanks, Allan, for the tip. Also observed a discovery from:

Iptables:

There are two iptables rules available. If your distribution supports the iptables 'u32' module, use that one; otherwise use the 'string' rule.

U32:

iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x04504b54 && 0x2c&0xDFFFDFDF=0x53044153 && 0x30&0xDFDFFFFF=0x49410000" -j DROP -m comment --comment "DROP DNS Q pkts.asia"

More U32 rules can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt


String:

iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 51 --algo bm --hex-string '|04706b7473046173696100|' -j DROP -m comment --comment "DROP DNS Q pkts.asia"

More Iptables rules for the STRING module can be found here:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt
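As an added example (not code from this post or from the smurfmonitor repository), the script below shows how both rules above are derived from a domain name and checks the u32 expression against a constructed query packet. Both rules start at byte 40 (0x28) because a 20-byte IPv4 header without options, an 8-byte UDP header and a 12-byte DNS header precede the query name; the script assumes exactly that layout. The function names, the constructed packet and the 192.0.2.1 / 198.51.100.1 documentation addresses are mine.

```python
import struct

# Offsets assume a 20-byte IPv4 header (no options), an 8-byte UDP header and
# a 12-byte DNS header, so the query name (QNAME) starts at byte 40 = 0x28 of
# the IP packet, which is where both rules on the page begin matching.
IP_HDR_LEN = 20
UDP_HDR_LEN = 8
DNS_HDR_LEN = 12
QNAME_OFFSET = IP_HDR_LEN + UDP_HDR_LEN + DNS_HDR_LEN


def encode_qname(domain):
    """DNS wire-format name: each label prefixed by its length, then a zero byte."""
    out = bytearray()
    for label in domain.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label %r" % label)
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def u32_match_for_domain(domain):
    """xt_u32 expression: one 'offset&mask=value' test per 4-byte word of the QNAME.

    Letters are compared under mask 0xDF so upper and lower case both match;
    length bytes, digits, hyphens and the terminating zero use mask 0xFF.  The
    last word is padded with value 0x00 under mask 0xFF, which (as in the
    page's rule) also requires the byte after the name, the high byte of QTYPE,
    to be zero; that holds for every standard query type, ANY (255) included.
    """
    qname = encode_qname(domain)
    masks, values = bytearray(), bytearray()
    for b in qname:
        if 0x41 <= (b & 0xDF) <= 0x5A:          # ASCII letter, either case
            masks.append(0xDF)
            values.append(b & 0xDF)
        else:
            masks.append(0xFF)
            values.append(b)
    while len(masks) % 4:
        masks.append(0xFF)
        values.append(0x00)
    tests = []
    for i in range(0, len(masks), 4):
        (mask,) = struct.unpack("!I", bytes(masks[i:i + 4]))
        (value,) = struct.unpack("!I", bytes(values[i:i + 4]))
        tests.append("0x%x&0x%08X=0x%08x" % (QNAME_OFFSET + i, mask, value))
    return " && ".join(tests)


def string_match_for_domain(domain):
    """xt_string arguments: the raw QNAME as a hex string, searched only at its
    fixed offset.  Unlike the u32 rule this comparison is case-sensitive."""
    qname = encode_qname(domain)
    return "--from %d --to %d --algo bm --hex-string '|%s|'" % (
        QNAME_OFFSET, QNAME_OFFSET + len(qname), qname.hex())


def iptables_rules(domain):
    """The two complete rules in the form used on the page."""
    comment = '-m comment --comment "DROP DNS Q %s"' % domain
    u32 = 'iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "%s" -j DROP %s' % (
        u32_match_for_domain(domain), comment)
    string = 'iptables --insert INPUT -p udp --dport 53 -m string %s -j DROP %s' % (
        string_match_for_domain(domain), comment)
    return u32, string


def build_query_packet(domain, qtype=255):
    """Constructed IPv4/UDP/DNS query (checksums left zero; documentation
    addresses 192.0.2.1 -> 198.51.100.1) used only to exercise the matcher."""
    question = encode_qname(domain) + struct.pack("!HH", qtype, 1)   # QTYPE, QCLASS IN
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + question
    udp = struct.pack("!HHHH", 40000, 53, UDP_HDR_LEN + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
    return ip + udp


def u32_matches(expr, packet):
    """Evaluate the expression the way xt_u32 does: read 4 bytes big-endian at
    each offset, AND with the mask, compare; a read past the end never matches."""
    for test in expr.split(" && "):
        lhs, value = test.split("=")
        off, mask = lhs.split("&")
        off, mask, value = int(off, 16), int(mask, 16), int(value, 16)
        if off + 4 > len(packet):
            return False
        (word,) = struct.unpack("!I", packet[off:off + 4])
        if word & mask != value:
            return False
    return True


if __name__ == "__main__":
    for rule in iptables_rules("pkts.asia"):
        print(rule)
    expr = u32_match_for_domain("pkts.asia")
    for name in ("pkts.asia", "PKTS.ASIA", "pkts.asia.example", "pkt.asia"):
        print("%-20s u32 match: %s" % (name, u32_matches(expr, build_query_packet(name))))
```

For pkts.asia the script reproduces the two rules above byte for byte. Two caveats it makes visible: the string rule only matches the lower-case spelling unless the string module's `--icase` option is added, and both rules assume no IPv4 options, which is normal for this traffic. After inserting a rule, `iptables -L INPUT -v -n` shows its packet counter, which is the quickest way to confirm the offsets are right for the packets actually arriving.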

Source:

89.248.168.136 - Ecatel

Seen this IP before:

TheSwat.net
Hizbullah.met

Name server:

pkts.asia.              14676   IN      NS      ns1.pkts.asia.
pkts.asia.              14676   IN      NS      ns2.pkts.asia.

;; ADDITIONAL SECTION:
ns1.pkts.asia.          14676   IN      A       69.42.219.74
ns2.pkts.asia.          14676   IN      A       69.42.219.74

Response:

245 A records in the 1.1.1.x range

Whois

Domain ID:D2806247-ASIA
Domain Name:PKTS.ASIA
Domain Create Date:01-Oct-2013 03:22:21 UTC
Domain Expiration Date:01-Oct-2014 03:22:21 UTC
Domain Last Updated Date:01-Oct-2013 19:54:25 UTC
Last Transferred Date:
Created by:Internet.bs Corp. R176-ASIA (814)
Last Updated by Registrar:Internet.bs Corp. R176-ASIA (814)
Sponsoring Registrar:Internet.bs Corp. R176-ASIA (814)
Domain Status:CLIENT TRANSFER PROHIBITED
Domain Status:TRANSFER PROHIBITED
Status:ADDPERIOD
Registrant ID:INTEj09wxvky9cwv
Registrant Name:Domain Administrator
Registrant Organization:Fundacion Private Whois
Registrant Address:Attn: pkts.asia
Registrant Address2:Aptds. 0850-00056
Registrant Address3:
Registrant City:Panama
Registrant State/Province:
Registrant Country/Economy:PA
Registrant Postal Code:Zona 15
Registrant Phone:+507.65995877
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant E-mail:524a3fe3bbnpgi8d@5225b4d0pi3627q9.privatewhois.net
Administrative ID:INTEord72uqcb16n
Administrative Name:Domain Administrator
Administrative Organization:Fundacion Private Whois
Administrative Address:Attn: pkts.asia
Administrative Address2:Aptds. 0850-00056
Administrative Address3:
Administrative City:Panama
Administrative State/Province:
Administrative Country/Economy:PA
Administrative Postal Code:Zona 15
Administrative Phone:+507.65995877
Administrative Phone Ext.:
Administrative FAX:
Administrative FAX Ext.:
Administrative E-mail:524a3fe5and4zbsf@5225b4d0pi3627q9.privatewhois.net
Technical ID:INTEzihq17tjuf2q
Technical Name:Domain Administrator
Technical Organization:Fundacion Private Whois
Technical Address:Attn: pkts.asia
Technical Address2:Aptds. 0850-00056
Technical Address3:
Technical City:Panama
Technical State/Province:
Technical Country/Economy:PA
Technical Postal Code:Zona 15
Technical Phone:+507.65995877
Technical Phone Ext.:
Technical FAX:
Technical FAX Ext.:
Technical E-mail:524a3fe5ilbgz7g6@5225b4d0pi3627q9.privatewhois.net
Billing ID:INTElq2psm15rdqt
Billing Name:Domain Administrator
Billing Organization:Fundacion Private Whois
Billing Address:Attn: pkts.asia
Billing Address2:Aptds. 0850-00056
Billing Address3:
Billing City:Panama
Billing State/Province:
Billing Country/Economy:PA
Billing Postal Code:Zona 15
Billing Phone:+507.65995877
Billing Phone Ext.:
Billing FAX:
Billing FAX Ext.:
Billing E-mail:524a3fe7w1y9heh2@5225b4d0pi3627q9.privatewhois.net
CED ID:INTEj09wxvky9cwv
CED CC Locality:AM
CED Type of Legal Entity:Natural Persons
CED Form of Identification:Passport or Citizenship ID
Operations and Notifications ID:INTEj09wxvky9cwv
Operations and Notifications Name:Domain Administrator
Operations and Notifications Organization:Fundacion Private Whois
Operations and Notifications Address:Attn: pkts.asia
Operations and Notifications Address2:Aptds. 0850-00056
Operations and Notifications Address3:
Operations and Notifications City:Panama
Operations and Notifications State/Province:
Operations and Notifications Country/Economy:PA
Operations and Notifications Postal Code:Zona 15
Operations and Notifications Phone:+507.65995877
Operations and Notifications Phone Ext.:
Operations and Notifications FAX:
Operations and Notifications FAX Ext.:
Operations and Notifications E-mail:524a3fe3bbnpgi8d@5225b4d0pi3627q9.privatewhois.net
Nameservers:NS1.PKTS.ASIA
Nameservers:NS2.PKTS.ASIA

12 comments:

  1. iptables --insert INPUT -p udp -m string --hex-string '|04706b7473046173696100|' --algo bm --to 65535 --dport 53 -j DROP
    worked for me. The rule that was given here didn't block the packet on my server for some reason; I just had to change it a bit. Hope it can help anyone that is having problems as well.

    Replies
    1. Works for me. Please provide me with a raw packet dump so I can make a rule! Matches my traffic.

    2. I will try to get you a raw packet. I'm at uni until Thursday; when I get home I should be able to get something.

  2. Having the same issue; no command here is helping.

  3. I believe the start and stop offsets may be incorrect.

    http://foxpa.ws/2013/10/16/more-fun-with-dns-amplification-attacks-pkts-asia-and-babywow-co-uk/

    Replies
    1. The sig matches my traffic. But perhaps you can change the start and stop a tiny bit: --from 35 --to 55 perhaps? Give it a try and let me know.

  4. I insist, this website is really, really, useful.
    A lot of traffic is being blocked by these iptables rules.
    a++++.

  5. Hi, I've also started to experience these attacks, specifically from pkts.asia. The following rule drops the traffic seen with "tcpdump src port 53":

    iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x04504b54 && 0x2c&0xDFFFDFDF=0x53044153 && 0x30&0xDFDFFFFF=0x49410000" -j DROP -m comment --comment "DROP DNS Q pkts.asia"

    But I still have a large amount of traffic on "tcpdump dst port 53". Any idea how I can also block this?

    [root@ ~]# tcpdump dst port 53
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
    01:15:07.750951 IP crapouillou.com.33476 > fake.domain.co.uk.domain: 55331+ [1au] ANY? pkts.asia. (38)
    01:15:07.751315 IP fake.domain.co.uk.41767 > google-public-dns-b.google.com.domain: 32406+ PTR? 41.149.56.81.in-addr.arpa. (43)
    01:15:07.764264 IP fake.domain.co.uk.49643 > google-public-dns-b.google.com.domain: 38412+ PTR? 4.4.8.8.in-addr.arpa. (38)
    01:15:07.925364 IP ..30938 > fake.domain.co.uk.domain: 55364+ [1au] ANY? pkts.asia. (38)
    01:15:07.925429 IP fake.domain.co.uk.56685 > google-public-dns-b.google.com.domain: 7934+ PTR? 232.47.197.69.in-addr.arpa. (44)
    01:15:08.005995 IP ..25504 > fake.domain.co.uk.domain: 43557+ [1au] ANY? pkts.asia. (38)
    01:15:08.021970 IP ..23178 > fake.domain.co.uk.domain: 37557+ [1au] ANY? pkts.asia. (38)
    01:15:08.586150 IP ..56117 > fake.domain.co.uk.domain: 62663+ [1au] ANY? pkts.asia. (38)
    01:15:08.954354 IP 189.1.169.13.35423 > fake.domain.co.uk.domain: 42941+ [1au] ANY? pkts.asia. (38)
    01:15:08.954414 IP fake.domain.co.uk.47497 > google-public-dns-b.google.com.domain: 22056+ PTR? 13.169.1.189.in-addr.arpa. (43)
    01:15:08.954559 IP c-24-60-73-3.hsd1.ma.comcast.net.14183 > fake.domain.co.uk.domain: 42304+ [1au] ANY? pkts.asia. (38)
    01:15:08.954885 IP 88-191-241-45.rev.poneytelecom.eu.15315 > fake.domain.co.uk.domain: 23253+ [1au] ANY? pkts.asia. (38)
    01:15:08.967298 IP fake.domain.co.uk.49036 > google-public-dns-b.google.com.domain: 46756+ PTR? 3.73.60.24.in-addr.arpa. (41)
    01:15:08.980359 IP fake.domain.co.uk.59557 > google-public-dns-b.google.com.domain: 1687+ PTR? 45.241.191.88.in-addr.arpa. (44)
    01:15:09.418914 IP 88-191-241-45.rev.poneytelecom.eu.46611 > fake.domain.co.uk.domain: 46880+ [1au] ANY? pkts.asia. (38)
    01:15:09.419077 IP c-68-52-195-233.hsd1.tn.comcast.net.5189 > fake.domain.co.uk.domain: 48610+ [1au] ANY? pkts.asia. (38)
    01:15:09.419136 IP fake.domain.co.uk.52947 > google-public-dns-b.google.com.domain: 16085+ PTR? 233.195.52.68.in-addr.arpa. (44)
    01:15:09.887223 IP c-24-60-73-3.hsd1.ma.comcast.net.48753 > fake.domain.co.uk.domain: 18908+ [1au] ANY? pkts.asia. (38)

    Replies
    1. Well, I am seeing a lot of queries just for pkts.asia, and a lot of reverse DNS queries for each of the incoming queries, as you have not used the '-n' flag for tcpdump.

      Try this tcpdump command:

      tcpdump -n udp and dst port 53 and dst host

      Cheers,

  6. Hi there,

    I removed a lot of duplicates....

    [root@ ~]# tcpdump -n udp and dst port 53 and dst host A.B.C.D
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
    09:14:25.162374 IP 95.141.37.197.24655 > A.B.C.D.domain: 3740+ [1au] ANY? lrc-pipec.com. (42)
    09:14:25.162486 IP 95.141.37.197.24655 > A.B.C.D.domain: 3740+ [1au] ANY? lrc-pipec.com. (42)
    09:14:25.389488 IP 94.199.178.239.43593 > A.B.C.D.domain: 20480+ [1au] ANY? cheatsharez.com. (44)
    09:14:25.391413 IP 94.199.178.239.42307 > A.B.C.D.domain: 6696+ [1au] ANY? cheatsharez.com. (44)
    09:14:25.433340 IP 94.199.178.239.25199 > A.B.C.D.domain: 21348+ [1au] ANY? cheatsharez.com. (44)
    09:14:25.568961 IP 94.199.178.239.27108 > A.B.C.D.domain: 60264+ [1au] ANY? cheatsharez.com. (44)
    09:14:25.588581 IP 94.199.178.239.sns-dispatcher > A.B.C.D.domain: 1997+ [1au] ANY? cheatsharez.com. (44)
    09:14:26.043824 IP 94.155.227.229.64881 > A.B.C.D.domain: 27762+ [1au] ANY? cheatsharez.com. (44)
    09:14:26.043837 IP 94.155.227.229.37210 > A.B.C.D.domain: 55697+ [1au] ANY? cheatsharez.com. (44)
    09:14:26.044869 IP 94.155.227.229.65053 > A.B.C.D.domain: 36952+ [1au] ANY? cheatsharez.com. (44)
    09:14:26.252277 IP 94.155.227.229.47671 > A.B.C.D.domain: 5461+ [1au] ANY? cheatsharez.com. (44)
    09:14:33.025488 IP 137.116.32.32.31189 > A.B.C.D.domain: 42889+ [1au] ANY? cheatsharez.com. (44)
    09:14:33.420294 IP 110.174.22.45.24373 > A.B.C.D.domain: 16919+ [1au] ANY? cheatsharez.com. (44)
    09:14:34.809907 IP 137.116.32.32.25599 > A.B.C.D.domain: 42316+ [1au] ANY? cheatsharez.com. (44)
    09:14:34.812262 IP 137.116.32.32.15913 > A.B.C.D.domain: 5154+ [1au] ANY? cheatsharez.com. (44)
    09:14:34.812609 IP 137.116.32.32.34280 > A.B.C.D.domain: 14515+ [1au] ANY? cheatsharez.com. (44)
    09:14:35.354013 IP 137.116.32.32.5089 > A.B.C.D.domain: 2186+ [1au] ANY? cheatsharez.com. (44)
    09:14:35.409168 IP 201.102.7.130.14682 > A.B.C.D.domain: 44462+ [1au] ANY? cheatsharez.com. (44)
    09:14:37.625933 IP 178.33.179.46.43577 > A.B.C.D.domain: 15151+ [1au] ANY? lrc-pipec.com. (42)
    09:14:37.626032 IP 178.33.179.46.43577 > A.B.C.D.domain: 15151+ [1au] ANY? lrc-pipec.com. (42)
    09:14:38.826729 IP 108.93.194.66.60874 > A.B.C.D.domain: 32656+ [1au] ANY? cheatsharez.com. (44)
    09:14:38.833243 IP 108.93.194.66.24822 > A.B.C.D.domain: 22495+ [1au] ANY? cheatsharez.com. (44)
    09:14:38.834943 IP 108.93.194.66.39475 > A.B.C.D.domain: 5075+ [1au] ANY? cheatsharez.com. (44)
    09:14:41.078861 IP 202.169.196.43.24865 > A.B.C.D.domain: 35471+ [1au] ANY? cheatsharez.com. (44)
    09:14:41.188558 IP 108.93.194.66.46421 > A.B.C.D.domain: 14265+ [1au] ANY? cheatsharez.com. (44)
    09:14:42.446516 IP 95.141.37.197.27925 > A.B.C.D.domain: 31566+ [1au] ANY? lrc-pipec.com. (42)
    09:14:42.477169 IP 95.141.37.197.12083 > A.B.C.D.domain: 43313+ [1au] ANY? lrc-pipec.com. (42)
    09:14:42.498212 IP 202.169.196.43.64679 > A.B.C.D.domain: 13757+ [1au] ANY? cheatsharez.com. (44)
    09:14:42.628305 IP 202.169.196.43.49432 > A.B.C.D.domain: 42298+ [1au] ANY? cheatsharez.com. (44)
    09:14:42.801017 IP 108.93.194.66.31911 > A.B.C.D.domain: 35449+ [1au] ANY? cheatsharez.com. (44)
    09:14:43.004615 IP 95.211.180.224.6949 > A.B.C.D.domain: 42718+ [1au] ANY? cheatsharez.com. (44)
    09:14:43.298922 IP 95.211.180.224.5685 > A.B.C.D.domain: 62530+ [1au] ANY? cheatsharez.com. (44)


    Thx
    Nev

    Replies
    1. I have updated the rule for cheatsharez.com. It has a typo in it. Get it from GitHub!

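As an added example (not from the post or any of the commenters), here is the triage step that precedes writing a rule for captures like the two above: a parser for `tcpdump -n udp and dst port 53` query lines that tallies ANY queries per name and per source, so the names worth a drop rule stand out from ordinary resolver traffic. The sample lines are constructed in the same format as the captures above, using RFC 5737 documentation addresses and the page's A.B.C.D placeholder; the function names and thresholds are mine.

```python
import re
from collections import Counter, defaultdict

# One 'tcpdump -n udp and dst port 53' line per query, in the form seen above:
# 09:14:25.162374 IP 95.141.37.197.24655 > A.B.C.D.domain: 3740+ [1au] ANY? cheatsharez.com. (44)
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+)\.(?P<sport>[^.\s]+) > "
    r"(?P<dst>\S+)\.(?P<dport>[^.\s]+): (?P<id>\d+)\+? (?:\[1au\] )?"
    r"(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \((?P<len>\d+)\)$"
)

# Constructed sample capture (documentation addresses, A.B.C.D is the server).
SAMPLE = """\
09:14:25.162374 IP 192.0.2.10.24655 > A.B.C.D.domain: 3740+ [1au] ANY? lrc-pipec.com. (42)
09:14:25.162486 IP 192.0.2.10.24655 > A.B.C.D.domain: 3740+ [1au] ANY? lrc-pipec.com. (42)
09:14:25.389488 IP 198.51.100.7.43593 > A.B.C.D.domain: 20480+ [1au] ANY? cheatsharez.com. (44)
09:14:25.391413 IP 198.51.100.7.42307 > A.B.C.D.domain: 6696+ [1au] ANY? cheatsharez.com. (44)
09:14:25.588581 IP 198.51.100.7.sns-dispatcher > A.B.C.D.domain: 1997+ [1au] ANY? CheatSharez.com. (44)
09:14:26.043824 IP 203.0.113.4.64881 > A.B.C.D.domain: 27762+ [1au] ANY? cheatsharez.com. (44)
09:14:26.100000 IP 203.0.113.4.51000 > A.B.C.D.domain: 1234+ A? www.example.com. (33)
09:14:26.200000 IP A.B.C.D.41767 > google-public-dns-b.google.com.domain: 32406+ PTR? 4.0.113.203.in-addr.arpa. (44)
this line is not a DNS query and is skipped
""".splitlines()


def parse_queries(lines):
    """Yield (src, qtype, qname) for each line that parses; skip anything else.
    Names are lower-cased and stripped of the trailing dot so spellings merge."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("src"), m.group("qtype"), m.group("qname").rstrip(".").lower()


def summarise(lines, qtype="ANY"):
    """Per name: number of queries of the given type, and the set of sources asking."""
    totals = Counter()
    sources = defaultdict(set)
    for src, qt, qname in parse_queries(lines):
        if qt == qtype:
            totals[qname] += 1
            sources[qname].add(src)
    return totals, sources


def candidates(lines, min_queries=3, min_sources=2, qtype="ANY"):
    """Names queried with the given type at least min_queries times by at least
    min_sources distinct sources: the pattern in the captures above, where many
    (spoofed) requesters all ask for the same name."""
    totals, sources = summarise(lines, qtype)
    return sorted(name for name, n in totals.items()
                  if n >= min_queries and len(sources[name]) >= min_sources)


if __name__ == "__main__":
    totals, sources = summarise(SAMPLE)
    for name in candidates(SAMPLE):
        print("%s: %d ANY queries from %d sources" % (name, totals[name], len(sources[name])))
```

Run against a real capture with `tcpdump -n udp and dst port 53 | python3 triage.py` after replacing `SAMPLE` with `sys.stdin`; the `-n` flag matters, as the reply above notes, because without it every incoming query triggers a reverse lookup that shows up in the same capture. Retransmissions (same source port and query id, as in the first two sample lines) are counted as separate queries here; dedupe on `(src, sport, id)` if you want unique requests.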