If you are seeing queries for this domain, then you are likely participating in DNS amplification attacks: your DNS server is probably reachable from the internet and has recursion enabled.
If you are seeing responses for this domain... unlucky. You are currently being DDoS-ed! Good luck.
IPtables:
There are two iptables rules available. If your distribution supports the iptables 'u32' module, pick that one; otherwise use the 'string' rule.
U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x03414d50 && 0x2c&0xFFDFDFDF=0x0a435241 && 0x30&0xDFDFFFDF=0x434b2d5a && 0x34&0xDFDFDFFF=0x4f4e4502 && 0x38&0xDFDFFF00=0x52550000" -j DROP -m comment --comment "DROP DNS Q amp.crack-zone.ru"
More U32 rules can be found here:
https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt
String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 59 --algo bm --hex-string '|03616d700A637261636b2d7a6f6e6502727500|' -j DROP -m comment --comment "DROP DNS Q amp.crack-zone.ru"
More Iptables rules for the STRING module can be found here:
https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt
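Both rule styles above encode the same QNAME, just in different syntaxes. The following Python script is an added example, not code from this post or from the dns-iptables-rules repository: it generates the u32 expression and the string-module hex-string for any domain, and checks the u32 expression offline against a constructed query packet. It assumes the packet layout the page's offsets imply (20-byte IPv4 header without options, 8-byte UDP header, 12-byte DNS header, so the QNAME begins at byte 40), and its evaluator understands only the `off&mask=value` terms the generator emits, not the full u32 language.

```python
import struct

# Layout assumed by the rules on this page: 20-byte IPv4 header (no options)
# + 8-byte UDP header + 12-byte DNS header, so the QNAME begins at byte 40.
QNAME_OFFSET = 40


def qname_wire(domain: str) -> bytes:
    """Encode a domain as DNS wire-format labels: <len><label>...<0>."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in domain.strip(".").split("."))
    return out + b"\x00"


def u32_match(domain: str, offset: int = QNAME_OFFSET) -> str:
    """Build the iptables u32 expression for this QNAME, one 32-bit word per term.

    Letters get mask 0xDF so upper- and lower-case both match (DNS names are
    case-insensitive); length bytes, digits, hyphens and the terminating zero
    get mask 0xFF; padding beyond the name gets mask 0x00 (don't care).
    """
    wire = qname_wire(domain)
    padded = wire + b"\x00" * (-len(wire) % 4)
    terms = []
    for i in range(0, len(padded), 4):
        mask = value = 0
        for j, b in enumerate(padded[i:i + 4]):
            if i + j >= len(wire):
                m = 0x00
            elif 0x41 <= (b & 0xDF) <= 0x5A:
                m = 0xDF
            else:
                m = 0xFF
            mask = (mask << 8) | m
            value = (value << 8) | (b & m)
        terms.append(f"0x{offset + i:x}&0x{mask:08X}=0x{value:08x}")
    return " && ".join(terms)


def hex_string(domain: str) -> str:
    """The --hex-string form used by the string module (exact-case bytes)."""
    return f"|{qname_wire(domain).hex()}|"


def u32_rule(domain: str) -> str:
    return (f'iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "{u32_match(domain)}"'
            f' -j DROP -m comment --comment "DROP DNS Q {domain}"')


def string_rule(domain: str, offset: int = QNAME_OFFSET) -> str:
    # --from/--to bound the search window to exactly the QNAME bytes.
    end = offset + len(qname_wire(domain))
    return (f"iptables --insert INPUT -p udp --dport 53 -m string --from {offset} --to {end}"
            f" --algo bm --hex-string '{hex_string(domain)}' -j DROP"
            f' -m comment --comment "DROP DNS Q {domain}"')


def dns_query_packet(domain: str, qtype: int = 16) -> bytes:
    """Constructed sample packet: IPv4 + UDP + a DNS query for <domain> (TXT by default).
    Checksums and most header fields are zero; only the byte layout matters here."""
    dns = (struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
           + qname_wire(domain) + struct.pack("!HH", qtype, 1))
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 8 + len(dns), 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + udp + dns


def u32_matches(packet: bytes, expr: str) -> bool:
    """Evaluate the 'off&mask=value && ...' subset of u32 syntax that u32_match emits.
    Offsets count from the start of the IP header, as the u32 module does; a read
    past the end of the packet fails the match, also as the module does."""
    for term in expr.split(" && "):
        lhs, val = term.split("=")
        off, mask = (int(x, 16) for x in lhs.split("&"))
        if off + 4 > len(packet):
            return False
        (word,) = struct.unpack("!I", packet[off:off + 4])
        if word & mask != int(val, 16):
            return False
    return True


if __name__ == "__main__":
    dom = "amp.crack-zone.ru"
    print(u32_rule(dom))
    print(string_rule(dom))
    rule = u32_match(dom)
    # Case differences in the query must still match; a different TLD must not.
    print(u32_matches(dns_query_packet("AMP.Crack-Zone.RU"), rule))   # True
    print(u32_matches(dns_query_packet("amp.crack-zone.com"), rule))  # False
```

Running it for amp.crack-zone.ru reproduces the two rules shown above byte for byte. Two things the offline check makes visible: the u32 rule only matches because the QNAME really sits at byte 40, so a query carrying IPv4 options shifts the name and the rule silently stops matching, which is one reason to prefer the string rule (or widen its --from/--to window) on hosts where that matters; and both rules only suppress queries for one named domain, so they are a stopgap beside the fix the post opens with, which is not exposing a recursive resolver to the internet.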
Source:
94.102.51.228
Name server:
;; ANSWER SECTION:
crack-zone.ru. 51518 IN NS jim.ns.cloudflare.com.
crack-zone.ru. 51518 IN NS fay.ns.cloudflare.com.
;; ADDITIONAL SECTION:
fay.ns.cloudflare.com. 72548 IN A 173.245.58.115
jim.ns.cloudflare.com. 85943 IN A 173.245.59.125
jim.ns.cloudflare.com. 85943 IN AAAA 2400:cb00:2049:1::adf5:3b7d
fay.ns.cloudflare.com. 72548 IN AAAA 2400:cb00:2049:1::adf5:3a73
Response:
TXT 3
Rsize 9226
Whois
% By submitting a query to RIPN's Whois Service
% you agree to abide by the following terms of use:
% http://www.ripn.net/about/servpol.html#3.2 (in Russian)
% http://www.ripn.net/about/en/servpol.html#3.2 (in English).
domain: CRACK-ZONE.RU
nserver: fay.ns.cloudflare.com.
nserver: jim.ns.cloudflare.com.
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: REGRU-REG-RIPN
admin-contact: http://www.reg.ru/whois/admin_contact
created: 2013.06.22
paid-till: 2014.06.22
free-date: 2014.07.23
source: TCI
You all should watch the IP: 217.12.199.205 which points to xsrv.net.
I had to block the IP because of being ddosed from this IP on four servers on port 53.
Can anyone confirm this?
Attacks from 66.29.212.73 on the domains google.com and iana.org. Request "ANY".
66.29.212.73 points to host73.212.29.66.static.maximumasp.com
Domain Name: MAXIMUMASP.COM
Registrar: TUCOWS DOMAINS INC.
Whois Server: whois.tucows.com
Referral URL: http://domainhelp.opensrs.net
Name Server: NS1.MAXIMUMASP.COM
Name Server: NS2.MAXIMUMASP.COM
Status: ok
Updated Date: 07-may-2013
Creation Date: 05-jun-2000
Expiration Date: 05-jun-2014
Successfully stopped it by using hex string because I don't know how to make it work with module u32.
# google.com ANY
iptables -I INPUT -p udp -m string --hex-string "|0000000006676f6f676c6503636f6d00|" --algo bm --dport 53 -j DROP
# iana.org ANY
iptables -I INPUT -p udp -m string --hex-string "|000000000469616e61036f72670000ff|" --algo bm --dport 53 -j DROP
It would be nice if the maintainer of this blog would answer. Thanks in advance.
It goes on and on...
Again new attack...
Domain: nrc.gov
Response:
ANY
IP: 125.139.223.250
canonical name -
aliases
addresses 125.139.223.250
% Information related to '125.128.0.0 - 125.159.255.255'
inetnum: 125.128.0.0 - 125.159.255.255
netname: KORNET
descr: Korea Telecom
descr: Network Management Center
country: KR
admin-c: IM76-AP
tech-c: IM76-AP
descr: ************************************************
descr: Allocated to KRNIC Member.
descr: If you would like to find assignment
descr: information in detail please refer to
descr: the KRNIC Whois Database at:
descr: "http://whois.nic.or.kr/english/index.html"
descr: ************************************************
status: Allocated Portable
mnt-by: MNT-KRNIC-AP
mnt-lower: MNT-KRNIC-AP
changed: hm-changed@apnic.net 20050822
source: APNIC
person: IP Manager
nic-hdl: IM76-AP
e-mail: kornet_ip@kt.com
address: Seoul
address: 206, Jungja-Dong, Bundang-Gu, Sungnam, Gyunggi-Do
address: 463-711
phone: +82-2-500-6630
fax-no: +82-2-3674-5721
country: KR
changed: hostmaster@nic.or.kr 20111229
mnt-by: MNT-KRNIC-AP
source: APNIC
Stopped it with string module...
# nrc.gov ANY
iptables -I INPUT -p udp -m string --hex-string "|00000001036e726303676f760000ff00|" --algo bm --dport 53 -j DROP