An interesting reflection attack via the anti-poisoning DNS


Yifan Gao

Dec 16, 2015, 11:10:42 AM
to ustc...@googlegroups.com
Recently the upstream traffic of the LUG anti-poisoning DNS has been noticeably larger than the downstream traffic (roughly 20 KB/s down, roughly 300 KB/s up), so I suspect we are facing a reflection attack.

Does anyone know of a way to stop bind from being used in reflection attacks?

P.S. bind already has query rate limiting applied (20 requests per second).

--------------

Also, while capturing packets on the NIC I noticed something interesting (just have a look... please don't drag this into politics...):

The target of the reflection attack is 144.122.95.253:53, located in Turkey, which is nothing special. What is interesting is the queried domain name: freeinfosys.com.

Resolving freeinfosys.com. returns:

freeinfosys.com. 0 IN TXT "as ever. Four years ago, the FCC tried to implement rules that would protect net neutrality with little to no impact on the telecommunications companies that make important investments in our economy. After the rules were challenged, the court reviewing t" "he rules agreed with the FCC that net neutrality was essential for preserving an environment that encourages new investment in the network, new online services and content, and everything else that makes up the Internet as we now know it. Unfortunately, t" "he court ultimately struck down the rules   not because it disagreed with the need to protect net neutrality, but because it believed the FCC had taken the wrong legal apprdddoach"
freeinfosys.com. 0 IN TXT "To be current, these rules must also build on the lessons of the past. For almost a century, our law has recognized that companies who connect you to the world have special obligations not to exploit the monopoly they enjoy over access in and out of your " "home or business. That is why a phone call from a customer of one phone company can reliably reach a customer of a different one, and why you will not be penalized solely for calling someone who is using another provider. It is common sense that the same " "philosophy should guide any service that is based on the transmission of information"
freeinfosys.com. 0 IN TXT "That's what President Obama believes, and what he means when he says there should be no gatekeepers between you and your favorite online sites and services"
freeinfosys.com. 0 IN TXT "When I was a can didate for this office, I made clear my commitment to a free and open Internet, and my commitment remains as strong as ever. Four years ago, the FCC tried to implement rules that would protect net neutrality with little to no impact on th" "e telecommunications companies that make important investments in our economy. After the rules were challenged, the court reviewing the rules agreed with the FCC that net neutrality was essential for preserving an environment that encourages new investmen" "t in the network, new online services and content, and everything else that makes up the Internet as we now know it. Unfortunately, the court ultimately struck down the rules   not because it disagreed with the need to protect net neutrality, but because " "it believed the FCC had taken the wrong legal approach"
freeinfosys.com. 0 IN TXT "porations, and that access to a high school student's blog shouldn't be unfairly slowed down to make way for advertisers with more money"
freeinfosys.com. 0 IN TXT "That's a principle known as  net neutrality    and it says that an entrepreneur's fledgling company should have the same chance to succeed as established cor"
freeinfosys.com. 0 IN TXT "More than any other invention of our time, the Internet has unlocked possibilities we could just barely imagine a generation ago. And here's a big reason we've seen such incredible growth and innovation: Most Internet providers have treated Internet traff" "ic equally"


It appears to be a speech by Obama on net neutrality.




Guo, Jiahua

Dec 16, 2015, 12:56:10 PM
to ustc...@googlegroups.com
Port 53...
So wouldn't that be exactly what my filter already drops...

--
-- From USTC LUG
Please subscribe with gmail and do not spam.
More info: http://groups.google.com/group/ustc_lug?hl=en?hl=en

蒲肖肖

Dec 16, 2015, 12:58:54 PM
to USTC_LUG
Try this? https://github.com/smurfmonitor/dns-iptables-rules

On Thursday, December 17, 2015 at 12:10:42 AM UTC+8, Yifan Gao wrote:

gaoyichuan

Dec 16, 2015, 6:30:32 PM
to gjh...@gmail.com, ustc...@googlegroups.com

Would blocking resolution of that domain name in bind help at all?

On Dec 17, 2015 at 1:56 AM, "Guo, Jiahua" <gjh...@gmail.com> wrote:

gaoyichuan

Dec 16, 2015, 6:32:47 PM
to gjh...@gmail.com, ustc...@googlegroups.com

TXT records of this length are obviously there to make traffic amplification convenient...

On Dec 17, 2015 at 7:30 AM, gaoyichuan <gaoyi...@eduno1.com> wrote:

Yifan Gao

Dec 16, 2015, 11:35:58 PM
to ustc...@googlegroups.com
That's a good idea, I'll go try it.

Yifan Gao

Dec 17, 2015, 9:48:20 AM
to ustc...@googlegroups.com
This list doesn't seem very complete. It had no noticeable effect on the production server.

Yifan Gao

Dec 17, 2015, 9:50:27 AM
to ustc...@googlegroups.com
This approach works.
However, an attacker can easily bypass the protection by changing the domain name; I'd like to look for a smarter solution.

gaoyichuan

Dec 17, 2015, 6:21:08 PM
to i...@yfgao.com, ustc...@googlegroups.com

What about limiting the size of the response packet returned for a single query? Reflection attacks generally involve unusually large response packets.

On Dec 17, 2015 at 10:50 PM, Yifan Gao <i...@yfgao.com> wrote:

Yifan Gao (高一凡)

Dec 18, 2015, 2:12:24 AM
to ustc...@googlegroups.com
Not only was port 53 filtered, all large packets were filtered too...

Zhang Zhengjun

Dec 18, 2015, 2:41:45 AM
to ustc...@googlegroups.com

I think limiting the sending rate of large packets is the more reliable option. bind should also be able to limit the packet sending rate.
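An added example (not code from the thread) that puts numbers on the two ideas discussed above: it builds minimal DNS wire-format queries and TXT responses, measures the amplification factor per query name, identifies which client address receives most of the reflected bytes, and shows which names a response-size cap would cut. The traffic is constructed; only the name freeinfosys.com and the address 144.122.95.253 come from the thread, and the filler text stands in for the long TXT records.

```python
import struct
from collections import defaultdict

# Constructed example: build minimal DNS messages and measure amplification.
# The TXT payload is filler ("x" * 250), not the records quoted in the thread.

def encode_name(name):
    # DNS name encoding: <len><label> for each label, terminated by a zero byte
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def dns_query(name, qtype):
    # 12-byte header (id, flags=RD, qdcount=1, an/ns/ar=0) followed by one question
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)

def dns_txt_response(name, texts):
    # TXT rdata is a sequence of <len><chars> strings, each at most 255 bytes
    answers = b""
    for t in texts:
        chunks = [t[i:i + 255] for i in range(0, len(t), 255)]
        rdata = b"".join(bytes([len(c)]) + c.encode() for c in chunks)
        # 0xc00c is a compression pointer to the name in the question section
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 0, len(rdata)) + rdata
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(texts), 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 16, 1) + answers

def amplification(query, response):
    return len(response) / len(query)

def analyze(flows, size_cap):
    """flows: (client_ip, qname, query_bytes, response_bytes). Returns the
    amplification per name, the address receiving the most response bytes
    (the likely reflection victim), and the names a size cap would block."""
    ratio, sent, blocked = {}, defaultdict(int), set()
    for ip, qname, q, r in flows:
        ratio[qname] = amplification(q, r)
        sent[ip] += len(r)
        if len(r) > size_cap:
            blocked.add(qname)
    return ratio, max(sent, key=sent.get), blocked

FILLER = "x" * 250
FLOWS = []
for _ in range(50):  # spoofed-source queries whose answers land on the victim
    q = dns_query("freeinfosys.com", 16)
    FLOWS.append(("144.122.95.253", "freeinfosys.com", q, dns_txt_response("freeinfosys.com", [FILLER] * 7)))
q = dns_query("example.com", 16)  # one ordinary client with a small TXT answer
FLOWS.append(("10.0.0.5", "example.com", q, dns_txt_response("example.com", ["v=spf1 -all"])))

if __name__ == "__main__":
    ratio, victim, blocked = analyze(FLOWS, 512)
    print(ratio, victim, blocked)
```

With a 512-byte cap the long TXT answer is cut while the ordinary record passes, which is the trade-off the thread is weighing against per-client rate limiting.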
