Domain with a personal touch!
If you are seeing queries for this domain, then you are likely participating in DNS amplification attacks: your DNS server is probably reachable from the internet and has recursion enabled.
If you are seeing responses for this domain... unlucky. You are currently being DDoS-ed! Good luck.
IPtables:
There are two iptables rules available. If your distribution supports the iptables 'u32' module, pick that one; otherwise use the 'string' rule. Both look for the query name at byte 40 of the packet (20-byte IPv4 header without options, 8-byte UDP header, 12-byte DNS header). The u32 rule masks the letters with 0xDF, so it also matches the name in mixed case; the string rule compares the exact bytes, so a query for T.PBUB.INFO would slip past it.
U32:
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFFFDF=0x01540450 && 0x2c&0xDFDFDFFF=0x42554204 && 0x30&0xDFDFDFDF=0x494e464f && 0x34&0xFF000000=0x00000000" -j DROP -m comment --comment "DROP DNS Q t.pbub.info"
More U32 rules can be found here:
https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt
String:
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 53 --algo bm --hex-string '|0174047062756204696e666f00|' -j DROP -m comment --comment "DROP DNS Q t.pbub.info"
More Iptables rules for the STRING module can be found here:
https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt
Source:
Source unknown. Attacked the following IP:
45,783x 186.2.161.7 - ddos-guard.net (the queries carry this address as their spoofed source, so the answers are reflected at it)
Name server:
bub.info. 21600 IN NS c1.wpns.hosteurope.de.
bub.info. 21600 IN NS c1.wsns.hosteurope.de.
Response:
Type: TXT, 1 record
Rsize: 3896 bytes
Very interesting response containing (almost) my blog name:
------------------
t.pbub.info. 86400 IN TXT "dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsampli" ">" [this 248-byte string and the one-byte string ">" alternate 15 times in total] "dnsamplification.blogspot.com-dnsamplification.blogspot.com-dnsamplification.blogspot.com"
------------------
The RDATA is 31 character-strings: 15 copies of the 248-byte string, each followed by a one-byte ">", and an 89-byte tail. Counting the length byte of every string, the 12-byte DNS header, the 17-byte question and the 12-byte answer RR header (compressed name), that is exactly the 3896 bytes reported above, roughly 134 times the 29-byte query that triggers it.
Oh recognition at last! /sarcasm
Whois:
Domain ID:D311-LRMS
Domain Name:BUB.INFO
Created On:25-Jul-2001 16:36:25 UTC
Last Updated On:20-Sep-2013 20:45:10 UTC
Expiration Date:25-Jul-2014 16:36:25 UTC
Trademark Name:BUB
Trademark Date:1979-12-05
Trademark Country:DE
Trademark Number:994458 Deutsches Patentamt Muenchen
Sponsoring Registrar:Mesh Digital Limited (R517-LRMS)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Registrant ID:MNT87F29245123
Registrant Name:Stephan Sehlhoff
Registrant Organization:BUB Berater-Cooperation
Registrant Street1:Hauptstr. 340
Registrant Street2:BUB Berater-Cooperation
Registrant Street3:
Registrant City:Leopoldshoehe
Registrant State/Province:
Registrant Postal Code:33818
Registrant Country:DE
Registrant Phone:+49.520298360
Registrant Phone Ext.:
Registrant FAX:+49.5202983620
Registrant FAX Ext.:
Registrant Email:info@bauwirtschaft.de
Admin ID:MNT53F29245126
Admin Name:Stephan Sehlhoff
Admin Organization:BUB Berater-Cooperation
Admin Street1:Hauptstr. 340
Admin Street2:
Admin Street3:
Admin City:Leopoldshoehe
Admin State/Province:
Admin Postal Code:33818
Admin Country:DE
Admin Phone:+49.520298360
Admin Phone Ext.:
Admin FAX:+49.5202983620
Admin FAX Ext.:
Admin Email:info@bauwirtschaft.de
Billing ID:MNT2CF29245129
Billing Name:Hostmaster Domain-Registration
Billing Organization:Host Europe GmbH
Billing Street1:Welserstrasse 14
Billing Street2:Host Europe GmbH
Billing Street3:
Billing City:Koeln
Billing State/Province:NRW
Billing Postal Code:51149
Billing Country:DE
Billing Phone:+49.1805467838
Billing Phone Ext.:
Billing FAX:+49.1805663233
Billing FAX Ext.:
Billing Email:support@hosteurope.de
Tech ID:MNT48029245132
Tech Name:Hostmaster Domain-Registration
Tech Organization:Host Europe GmbH
Tech Street1:Welserstrasse 14
Tech Street2:Host Europe GmbH
Tech Street3:
Tech City:Koeln
Tech State/Province:NRW
Tech Postal Code:51149
Tech Country:DE
Tech Phone:+49.1805467838
Tech Phone Ext.:
Tech FAX:+49.1805663233
Tech FAX Ext.:
Tech Email:support@hosteurope.de
Name Server:C1.WPNS.HOSTEUROPE.DE
Name Server:C1.WSNS.HOSTEUROPE.DE
Instead of copying and pasting the iptables rules, you could also use this script: http://www.bortzmeyer.org/files/generate-netfilter-u32-dns-rule.py
For instance:
python generate-netfilter-u32-dns-rule.py --qname t.pbub.info
I actually use most of that script to generate the rules. I call it as part of my script to create and submit these blog posts, but have changed it to return a full iptables rule.
There is, however, a bug in it that breaks the iptables rule when there is a non-alphabetical char in it. It happens when you loop through your labels.
Script:
    for char in label:
        hexstring.append("%02x" % ord(char))
        maskstring.append("DF")   # every label byte masked, letter or not
The maskstring should be 0xDF when it is a letter. But there is no such thing as a capital '1', '_' or '-', and it will thus break when matching network traffic.
I added the following if statement:
    for char in label:
        hexstring.append("%02x" % ord(char))
        if char in 'abcdefghijklmnopqrstuvwxyz':
            maskstring.append("DF")   # letter: ignore the 0x20 case bit
        else:
            maskstring.append("FF")   # digit, '-', '_': exact match
Great script though, it was very useful!
Cheers,
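Because both rules in the IPtables section above are derived mechanically from the query name, and the mask bug in the comment thread above is about exactly that derivation, here is a small generator plus a checker for it. This is an added example, not the blog's own generator and not Bortzmeyer's generate-netfilter-u32-dns-rule.py. It assumes IPv4 without IP options (so the QNAME sits at byte 40, as the rules on this page assume); the packets it evaluates are constructed inline, and the name "a1.example" used to show the digit case is hypothetical. The letters_only=False mode reproduces the per-character 0xDF mask the comment describes, not any specific version of the real script.

```python
"""Generate the u32 and string iptables rules for a DNS QNAME, and evaluate
the u32 expression against raw packets the way xt_u32 does.

Added example; not the blog's generator nor Bortzmeyer's script. Assumes an
IPv4 header of 20 bytes (no IP options): 20 + 8 (UDP) + 12 (DNS header) puts
the question name at byte 40 (0x28). A 0xDF mask clears bit 0x20, the only bit
that differs between upper- and lower-case ASCII letters, so masked letters
match case-insensitively. Every other byte (label lengths, digits, '-', the
terminating zero) has no such case bit and must match exactly (mask 0xFF).
"""
import string

QNAME_OFFSET = 40  # IPv4 (20, no options) + UDP (8) + DNS header (12)


def encode_qname(qname, letters_only=True):
    """Return (wire, masks): the name in DNS wire format and one u32 mask byte
    per wire byte. letters_only=False masks every label character with 0xDF,
    the behaviour the comment above describes for the unpatched script."""
    wire, masks = bytearray(), bytearray()
    for label in qname.strip(".").split("."):
        raw = label.encode("ascii")          # IDNs must be punycoded first
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label length: %r" % label)
        wire.append(len(raw))
        masks.append(0xFF)                   # length byte: exact match
        for b in raw:
            wire.append(b)
            is_letter = chr(b) in string.ascii_letters
            masks.append(0xDF if (is_letter or not letters_only) else 0xFF)
    wire.append(0)                           # root label terminates the name
    masks.append(0xFF)
    return bytes(wire), bytes(masks)


def u32_tests(qname, letters_only=True):
    """The expression inside --u32 "...": one 'offset&mask=value' test per
    32-bit word. The value is the name upper-cased, which for letters equals
    byte & 0xDF; bytes past the end of the name get mask 0x00 (don't care)."""
    wire, masks = encode_qname(qname, letters_only)
    value = wire.upper()
    tests = []
    for i in range(0, len(wire), 4):
        v = value[i:i + 4].ljust(4, b"\x00")
        m = masks[i:i + 4].ljust(4, b"\x00")
        tests.append("0x%x&0x%s=0x%s" % (QNAME_OFFSET + i, m.hex().upper(), v.hex()))
    return " && ".join(tests)


def u32_rule(qname):
    return ('iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "%s" '
            '-j DROP -m comment --comment "DROP DNS Q %s"' % (u32_tests(qname), qname))


def string_rule(qname):
    """Exact-byte variant: --to is the offset just past the last name byte.
    No 0xDF trick here, so this one is case-sensitive."""
    wire, _ = encode_qname(qname)
    return ("iptables --insert INPUT -p udp --dport 53 -m string --from %d --to %d "
            "--algo bm --hex-string '|%s|' -j DROP -m comment --comment \"DROP DNS Q %s\""
            % (QNAME_OFFSET, QNAME_OFFSET + len(wire), wire.hex(), qname))


def u32_matches(tests, packet):
    """Evaluate a u32 expression of the simple 'offset&mask=value' form used
    here against raw IPv4 packet bytes: read the big-endian 32-bit word at
    offset, AND it with mask, compare. A read past the packet end fails."""
    for test in tests.split(" && "):
        lhs, value = test.split("=")
        off, mask = (int(x, 16) for x in lhs.split("&"))
        if off + 4 > len(packet):
            return False
        word = int.from_bytes(packet[off:off + 4], "big")
        if word & mask != int(value, 16):
            return False
    return True


def dns_query_packet(qname, qtype=16):
    """Constructed IPv4/UDP/DNS query (sample input, not a capture). Only the
    lengths matter to the rules; addresses, ports, ID and checksums are
    filler. qtype 16 = TXT, the type this domain was abused with."""
    wire, _ = encode_qname(qname)
    dns = (b"\x12\x34" + b"\x01\x00" + b"\x00\x01" + b"\x00\x00" * 3
           + wire + qtype.to_bytes(2, "big") + b"\x00\x01")
    udp = b"\xc0\x00" + b"\x00\x35" + (8 + len(dns)).to_bytes(2, "big") + b"\x00\x00"
    ip = (b"\x45\x00" + (20 + len(udp)).to_bytes(2, "big")
          + b"\x00\x00\x40\x00\x40\x11\x00\x00" + b"\x0a\x00\x00\x01" + b"\x0a\x00\x00\x02")
    return ip + udp + dns


if __name__ == "__main__":
    print(u32_rule("t.pbub.info"))
    print(string_rule("t.pbub.info"))
    tests = u32_tests("t.pbub.info")
    for name in ("t.pbub.info", "T.PBUB.INFO", "t.pbub.infos", "x.pbub.info"):
        print("%-13s u32 match: %s" % (name, u32_matches(tests, dns_query_packet(name))))
    # The comment's bug: 'a1.example' (hypothetical) contains a digit; masking
    # the '1' with 0xDF yields a rule that can never match its own name.
    pkt = dns_query_packet("a1.example")
    print("a1.example, all label bytes 0xDF:", u32_matches(u32_tests("a1.example", False), pkt))
    print("a1.example, letters only 0xDF:  ", u32_matches(u32_tests("a1.example"), pkt))
```

Run as is, it prints the two rules from the post for t.pbub.info byte for byte, then shows the u32 expression matching T.PBUB.INFO as well as t.pbub.info (the string rule would not), rejecting t.pbub.infos because the label-length byte 04 became 05, and never matching a1.example when the digit is masked with 0xDF, since 0x31 & 0xDF is 0x11, not 0x31. The evaluator only handles the offset&mask=value form these rules use, not u32's '@' or '>>' operators.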