Building a DNS service that resists dDoS (distributed denial-of-service) attacks

Recently I found that DNS BIND 9.9.1 has a serious security vulnerability.

tail -f dns.log showed a large number of IPs from different network segments querying the domain whbl.com. I opened the site and it turned out to be a foreign news website. Log analysis showed the attacker was running a DoS attack, using a large number of zombie hosts to send DNS queries to our server at more than 2 requests/second. Searching online turned up some patches, but they all target versions below 9.3.2.


These requests consume bandwidth. Under 9.9.1-P the service held up and the CPU did not rise, but the frequent requests still ate network bandwidth. After analysis I wrote an anti-DoS filter, which solved the problem nicely: the junk DNS requests are now filtered out.

The principle is simple: a robot detects the attacker's IP, automatically inserts it into the blackhole, and the system reloads automatically, so the next request is refused. However many zombies there are, that many get bound; then we can brag a little that we are not afraid of DoS. Hahaha


1) Add the DoS IPs to blackhole
2) Deny transfer and query for the DNS zone being targeted. Although they are denied, the queries are still passed on to the parent DNS.
zone "whbl.com" IN {
    type master;
    file "fuqit.zone";
    allow-update { none; };
    allow-query { none; };
    allow-transfer { none; };
};


The complete named.conf is as follows:

options {
    directory "C:\WINDOWS\system32\dns\etc";

    forwarders {
        58.60.188.178;
        58.60.188.179;
    };

    version "DDos SMG 2012";

    allow-query { any; };
    //allow-query-cache { any; };
    allow-recursion { none; };

    blackhole {
#SMG Robert added dosips automatically, do not remove the following NOTE
#Robert Start
##DoS
176.31.228.8;
13.104.128.167;
209.105.239.166;
#Robert END
    };
};

//DNS
zone "." {
    type hint;
    file "named.root";
};

// localhost
zone "localhost" IN {
    type master;
    file "localhost.zone";
    allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
        type master;    
        file "named.local"; 
        allow-update { none; };
};



zone "fuqit.net" IN {
    type master;
    file "fuqit.zone";
    allow-update { none; };
};


zone "59.61.37.121.in-addr.arpa" in { 
        type master; 
        file "fuqit.local";            
        allow-update { none; };
};


zone "whbl.com" IN {
    type master;
    file "fuqit.zone";
    allow-update { none; };
    allow-query { none; };
    allow-transfer { none; };
};


logging {
    channel warning {
        file "C:\WINDOWS\system32\dns\log\warning.log" versions 3 size 1240k;
        severity warning;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    channel general_dns {
        file "C:\WINDOWS\system32\dns\log\dns.log" versions 3 size 1240k;
        severity info;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    category default { warning; };
    category queries { general_dns; };
};



# Start of rndc.conf
key "rndc-key" {
algorithm hmac-md5;
secret "UBAzaol7wLYvsj/kKDaqlQ==";
};

controls {
        inet 127.0.0.1 port 953
                allow { 127.0.0.1; } keys { "rndc-key"; };
};


# End of rndc.conf
# End of named.conf


Part of the source code is below. Since it hooks into the SMG engine, which is Java code, it is for reference only.

The idea: add a special marker, ##DoS, inside the blackhole block. The program looks for that marker, checks a few IPs per pass, and updates named.conf in turn; if anything was updated it reloads, otherwise it rests. Writing, packaging and testing the code above took me about 2 hours.


#file:HandleDDoSBindMap.java

package cpgmt;

import com.hotmail.walksing.module.file.Wfile;
import com.hotmail.walksing.module.string.Wregex;
import com.hotmail.walksing.module.string.wsString;

import app.HandleMap;
import app.PPGMain;
import app.Putter;
import app.Admin;

/*******************************************************************************
 * HandleDDoSBindMap map request, response
 *
 * DenyDoS, available for bind 9.9.1
 * parseDNSLog: find requests to whbl.com, get DoS ip -> store in bind conf -> reload named
 * @author runus
 * @version 1.0.0
 * @date 20120708
 */
public class HandleDDoSBindMap implements HandleMap {

    public static String dnslogfid = null;   // path of dns.log (bindlog property)
    public static String dnsconf = null;     // path of named.conf (bindconf property)

    /***************************************************************************
     * parseDNSLog, get DoS ip -> store in bind conf -> reload named
     * @param p
     * @return 2 when there is nothing to do or the reload succeeded, 3 when the reload failed
     */
    public int mapRequest(Putter p) {
        p = new Putter();
        p.set("bindReload", PPGMain.props.getProperty("bindReload", "rndc reload"));
        if (dnslogfid == null) {
            dnslogfid = PPGMain.props.getProperty("bindlog", "");
            dnsconf = PPGMain.props.getProperty("bindconf", "");
            PPGMain.echo("MONITORING dnslogfid {" + dnslogfid + "}");
            PPGMain.echo("MONITORING dnsconf {" + dnsconf + "}");
        }
        // Read the newest log lines and pull out the client IPs that queried the filtered domain
        String retmsg = Admin.exec("tail -5 " + dnslogfid);
        String dosIp = parseDoSIP(retmsg);
        if (dosIp.length() == 0) {
            // Nothing to block: rest for two minutes before the next pass
            try {
                Thread.sleep(120000);
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
            }
            return 2;
        }
        PPGMain.echo("----parsed DoSips---\n" + dosIp);
        boolean isupdated = setNamed(dnsconf, dosIp);
        String retcode = "2";
        if (isupdated) {
            retmsg = Admin.exec(p.get("bindReload"));
            PPGMain.echo("exec " + p.get("bindReload") + "|response===>" + retmsg);
            // rndc prints "server reload successful" on success
            if (Wregex.eregi("result 0|successful", retmsg))
                retcode = "2";
            else
                retcode = "3";
            p.set("retcode", retcode);
            PPGMain.echo("response:" + retcode);
            p.set("retmsg", retmsg);
        } else {
            Wfile.dln("setNamed:" + isupdated);
        }

        if (Wregex.eregi("^[0-9]{1,}$", retcode)) {
            return Integer.parseInt(retcode);
        } else {
            return -1;
        }
    }

    // Example query-log line:
    // 08-七月-2012 8:17:48.076 queries: info: client 24.180.162.231#16958 (whbl.com): query: whbl.com IN TXT +E (121.37.61.59)
    // Returns the matching client IPs, one "ip;" per line, without duplicates.
    public String parseDoSIP(String r) {
        String filter = PPGMain.props.getProperty("bindDoSFilter", "whbl\\.com"); // whbl\\.com|xxx\\.net
        String ptr = " client ";
        if (!Wregex.eregi(filter, r))
            return "";
        StringBuffer ips = new StringBuffer();
        String[] l = r.split("\n");

        for (int i = 0; i < l.length; i++) {
            if (l[i] == null || !Wregex.eregi(filter, l[i])) continue;
            String line = l[i];
            int st = line.indexOf(ptr);
            if (st == -1) continue;
            st += ptr.length();
            int ed = line.indexOf("#", st);   // the client field is "ip#port"
            if (ed > -1) {
                String entry = line.substring(st, ed) + ";\n";
                // compare whole entries so that 1.2.3.4 is not mistaken for part of 11.2.3.45
                if (("\n" + ips).indexOf("\n" + entry) == -1) ips.append(entry);
            }
        }
        return ips.toString();
    }

    // Appends the new "ip;" lines directly after the ##DoS marker.
    // Returns true only when named.conf was actually changed, so the caller reloads only then.
    public boolean setNamed(String conf, String dosIp) {
        String s = Wfile.openToString(conf);
        String ptr = "##DoS";
        Wfile.dln("bindconf length:" + s.length());
        int st = s.indexOf(ptr);
        if (st == -1) {
            Wfile.dln("setNamed::error:: cannot find marker:" + ptr);
            return false;
        }
        // Move to the start of the line after the marker (works for both \n and \r\n line endings)
        int eol = s.indexOf('\n', st);
        st = (eol == -1) ? s.length() : eol + 1;
        StringBuffer b = new StringBuffer();
        b.append(s.substring(0, st));
        if (eol == -1) b.append("\n");   // marker was the last line of the file
        s = s.substring(st);
        String[] l = dosIp.split("\n");
        boolean changed = false;
        for (int i = 0; i < l.length; i++) {
            if (l[i] == null) continue;
            String entry = l[i].trim();
            // skip blanks and entries already present at the start of a line
            if (entry.length() == 0 || ("\n" + s).indexOf("\n" + entry) > -1) continue;
            b.append(entry).append("\n");
            changed = true;
        }
        if (!changed) return false;
        b.append(s);
        Wfile.writeFile(conf, b.toString());
        return true;
    }

}


The system configuration is as follows (smg3/conf/ppg.properties):

cfgJobs=cpgmt.HandleDDoSBindMap:30000,

#DDoS bind Start
bindDoSFilter=whbl\\.com|xx\\.com
bindReload=rndc reload
bindlog=C:/WINDOWS/system32/dns/log/dns.log
bindconf=C:/WINDOWS/system32/dns/etc/named.conf
#DDoS bind End
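As an added example that is not the post's own Java code, the same detect-and-blackhole pass is written out below in Python: it pulls client IPs from BIND query-log lines whose queried name matches a bindDoSFilter-style regex, inserts them as whole-line "ip;" entries directly after the ##DoS marker in the blackhole block, and reports whether an rndc reload is needed. The dns.log and named.conf snippets are constructed for the example (modelled on the post's); the whole-line comparison, the handling of a missing marker and the reuse of the file's own line ending (LF or CRLF) go beyond what the Java does.

```python
"""Added example: detect-and-blackhole pass in Python (not the post's Java)."""
import re

# Client field of a BIND 'queries' log line, e.g.
#   ... client 108.41.10.44#37760 (whbl.com): query: whbl.com IN TXT +E (...)
# The optional "@0x..." client handle printed by newer BIND releases is tolerated.
CLIENT_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \((?P<name>[^)]*)\)")

MARKER = "##DoS"  # marker line inside the blackhole { } block, as in the post

# Constructed sample input, modelled on the post's dns.log and named.conf.
SAMPLE_LOG = """\
08-Jul-2012 20:11:48.395 queries: info: client 108.41.10.44#37760 (whbl.com): query: whbl.com IN TXT +E (121.37.61.59)
08-Jul-2012 20:11:50.364 queries: info: client 108.41.10.44#59190 (whbl.com): query: whbl.com IN TXT +E (121.37.61.59)
08-Jul-2012 20:12:16.332 queries: info: client 74.125.18.158#58000 (www.fuqit.net): query: www.fuqit.net IN A - (121.37.61.59)
08-Jul-2012 20:12:44.207 queries: info: client 121.37.61.59#53088 (dx.ggsafe.com): query: dx.ggsafe.com IN A + (121.37.61.59)
"""

SAMPLE_CONF = """\
options {
    blackhole {
#Robert Start
##DoS
176.31.228.8;
#Robert END
    };
};
"""


def parse_dos_ips(log_text, domain_filter):
    """Return the client IPs (first-seen order, no duplicates) whose queried
    name matches domain_filter, a regex like the post's bindDoSFilter."""
    flt = re.compile(domain_filter, re.IGNORECASE)
    seen = []
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m is None or not flt.search(m.group("name")):
            continue
        if m.group("ip") not in seen:
            seen.append(m.group("ip"))
    return seen


def add_blackhole_entries(conf_text, ips):
    """Insert "ip;" lines directly after the marker line.

    Returns (new_text, added).  The text is returned unchanged when the marker
    is missing or every IP is already present.  Entries are compared as whole
    lines, so 1.2.3.4 is not mistaken for part of 11.2.3.45, and the file's own
    line ending (LF or CRLF) is reused for the inserted lines.
    """
    lines = conf_text.splitlines(keepends=True)
    marker_idx = next((i for i, l in enumerate(lines) if l.strip() == MARKER), None)
    if marker_idx is None:
        return conf_text, []
    existing = {l.strip().rstrip(";") for l in lines}
    newline = "\r\n" if lines[marker_idx].endswith("\r\n") else "\n"
    if not lines[marker_idx].endswith("\n"):      # marker was the last line
        lines[marker_idx] += newline
    added = [ip for ip in ips if ip not in existing]
    lines[marker_idx + 1:marker_idx + 1] = [ip + ";" + newline for ip in added]
    return "".join(lines), added


def update_named_conf(conf_text, log_text, domain_filter=r"whbl\.com"):
    """One monitoring pass: returns (new_conf, reload_needed)."""
    ips = parse_dos_ips(log_text, domain_filter)
    new_conf, added = add_blackhole_entries(conf_text, ips)
    return new_conf, bool(added)


if __name__ == "__main__":
    conf, reload_needed = update_named_conf(SAMPLE_CONF, SAMPLE_LOG)
    print(conf)
    print("rndc reload needed:", reload_needed)   # True on the first pass
```

A second pass over the same log returns the configuration unchanged and reload_needed as False, which is what keeps the engine from issuing a needless rndc reload every cycle. The filter is applied to the queried name in parentheses rather than to the whole log line, so the responding server's own address at the end of the line cannot trigger a match.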


The script supports detection on multiple filter domains, and it is easy to extend so that it binds automatically based on the most frequently queried records.
Once deployed you can rest easy; bring on whatever DoS you like.
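The frequency-based extension mentioned above, as an added example that is not part of the post: it parses the timestamp and client from each BIND query-log line, counts queries per client per one-second bucket, and reports the clients whose peak exceeds the post's figure of 2 queries/second. The sample lines are the post's own dns.log excerpt with the wrapped lines re-joined; the threshold parameter and the function names are this example's own.

```python
"""Added example: per-client query-rate detection over BIND query-log lines."""
import re
from collections import Counter, defaultdict

# "08-七月-2012 20:11:48.395 queries: info: client 108.41.10.44#37760 (whbl.com): ..."
# The month token is taken verbatim, since BIND prints it in the server's locale.
LINE_RE = re.compile(
    r"^(?P<day>\d{2})-(?P<mon>[^-\s]+)-(?P<year>\d{4}) "
    r"(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2})\.\d{3} "
    r"queries: info: client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \((?P<name>[^)]*)\)"
)

# Sample input: the post's own dns.log excerpt, with the wrapped lines re-joined.
SAMPLE_LOG = """\
08-七月-2012 20:11:48.395 queries: info: client 108.41.10.44#37760 (whbl.com): query: whbl.com IN TXT +E (121.37.61.59)
08-七月-2012 20:11:50.364 queries: info: client 108.41.10.44#59190 (whbl.com): query: whbl.com IN TXT +E (121.37.61.59)
08-七月-2012 20:11:50.535 queries: info: client 108.41.10.44#50452 (whbl.com): query: whbl.com IN TXT +E (121.37.61.59)
08-七月-2012 20:11:50.598 queries: info: client 108.41.10.44#43158 (whbl.com): query: whbl.com IN TXT +E (121.37.61.59)
08-七月-2012 20:11:52.364 queries: info: client 108.41.10.44#26214 (whbl.com): query: whbl.com IN TXT +E (121.37.61.59)
08-七月-2012 20:11:52.535 queries: info: client 108.41.10.44#49879 (whbl.com): query: whbl.com IN TXT +E (121.37.61.59)
08-七月-2012 20:11:52.582 queries: info: client 108.41.10.44#10113 (whbl.com): query: whbl.com IN TXT +E (121.37.61.59)
08-七月-2012 20:12:04.332 queries: info: client 121.37.61.59#64838 (www.oanda.com): query: www.oanda.com IN A + (121.37.61.59)
08-七月-2012 20:12:14.598 queries: info: client 121.37.61.59#64030 (www.oanda.com): query: www.oanda.com IN A + (121.37.61.59)
08-七月-2012 20:12:16.332 queries: info: client 74.125.18.158#58000 (www.fuqit.net): query: www.fuqit.net IN A - (121.37.61.59)
08-七月-2012 20:12:44.207 queries: info: client 121.37.61.59#53088 (dx.ggsafe.com): query: dx.ggsafe.com IN A + (121.37.61.59)
"""


def parse_query_line(line):
    """Return (client_ip, queried_name, second_bucket), or None for a line that
    is not a query-log entry.  second_bucket is the timestamp truncated to whole
    seconds, e.g. "08-七月-2012 20:11:48"."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    bucket = "%s-%s-%s %s:%s:%s" % (m.group("day"), m.group("mon"), m.group("year"),
                                    m.group("h"), m.group("m"), m.group("s"))
    return m.group("ip"), m.group("name"), bucket


def find_flooding_clients(log_text, max_per_second=2):
    """Map client IP -> peak number of queries seen within one one-second bucket,
    restricted to clients whose peak exceeds max_per_second (the post's "more
    than 2 requests/second")."""
    per_second = Counter()
    for line in log_text.splitlines():
        parsed = parse_query_line(line)
        if parsed is None:
            continue
        ip, _name, bucket = parsed
        per_second[(ip, bucket)] += 1
    peak = defaultdict(int)
    for (ip, _bucket), n in per_second.items():
        peak[ip] = max(peak[ip], n)
    return {ip: n for ip, n in peak.items() if n > max_per_second}


if __name__ == "__main__":
    for ip, n in sorted(find_flooding_clients(SAMPLE_LOG).items()):
        print("%s peaked at %d queries in one second" % (ip, n))
```

On the post's excerpt only 108.41.10.44 is reported (three queries in the 20:11:50 second and again in 20:11:52), while 121.37.61.59 and 74.125.18.158 stay below the threshold. The buckets are fixed one-second slots, so a burst that straddles a second boundary can score lower than a sliding window would; and because the source address of a UDP query can be forged, a flagged address is worth confirming across several passes before it is written into the blackhole permanently.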

----------------------
Advertisement time follows; don't go away, the good part is still to come.

This site offers a DDNS service: fast, never drops the line, and rebinds instantly after a disconnection; supports dDoS (protection against distributed denial-of-service attacks).
Annual fee: 800; no installer needed, automatic URL updates. Free 7-day trial available.
Website: www.fuqit.net. Serious inquiries only; find us via QQ on the site.

Also: this site offers a cloud payment service, smg-ves.

If reposting, please keep the link and the copyright notice: runusws AT gmail.com

Continuing after the advertisement...
------------
The DoS attack log is as follows:
uery: whbl.com IN TXT +E (121.37.61.59)
08-七月-2012 20:11:48.395 queries: info: client 108.41.10.44#37760 (whbl.com): query: whbl.com IN TXT +E (121.37.61.59)
08-七月-2012 20:11:50.364 queries: info: client 108.41.10.44#59190 (whbl.com): query: whbl.com IN TXT +E (121.37.61.59)
08-七月-2012 20:11:50.535 queries: info: client 108.41.10.44#50452 (whbl.com): query: whbl.com IN TXT +E (121.37.61.59)
08-七月-2012 20:11:50.598 queries: info: client 108.41.10.44#43158 (whbl.com): query: whbl.com IN TXT +E (121.37.61.59)
08-七月-2012 20:11:52.364 queries: info: client 108.41.10.44#26214 (whbl.com): query: whbl.com IN TXT +E (121.37.61.59)
08-七月-2012 20:11:52.535 queries: info: client 108.41.10.44#49879 (whbl.com): query: whbl.com IN TXT +E (121.37.61.59)
08-七月-2012 20:11:52.582 queries: info: client 108.41.10.44#10113 (whbl.com): query: whbl.com IN TXT +E (121.37.61.59)
08-七月-2012 20:12:04.332 queries: info: client 121.37.61.59#64838 (www.oanda.com): query: www.oanda.com IN A + (121.37.61.59)
08-七月-2012 20:12:14.598 queries: info: client 121.37.61.59#64030 (www.oanda.com): query: www.oanda.com IN A + (121.37.61.59)
08-七月-2012 20:12:16.332 queries: info: client 74.125.18.158#58000 (www.fuqit.net): query: www.fuqit.net IN A - (121.37.61.59)
08-七月-2012 20:12:44.207 queries: info: client 121.37.61.59#53088 (dx.ggsafe.com): query: dx.ggsafe.com IN A + (121.37.61.59)

--------------
The attacking IP 108.41.10.44 can be seen.


The smg03 engine log shows the following execution:

INFO   | jvm 1    | 2012/07/08 20:15:24 | 2012-07-08 20:15:24 ----parsed DoSips---
INFO   | jvm 1    | 2012/07/08 20:15:24 | 108.41.10.44;
INFO   | jvm 1    | 2012/07/08 20:15:24 |
INFO   | jvm 1    | 2012/07/08 20:15:24 | bindconf length:1938
INFO   | jvm 1    | 2012/07/08 20:15:24 | 2012-07-08 20:15:24 exec rndc reload|response===>#rndc reload
INFO   | jvm 1    | 2012/07/08 20:15:24 |
INFO   | jvm 1    | 2012/07/08 20:15:24 | server reload successful
INFO   | jvm 1    | 2012/07/08 20:15:24 | result:0
INFO   | jvm 1    | 2012/07/08 20:15:24 |
INFO   | jvm 1    | 2012/07/08 20:15:24 | 2012-07-08 20:15:24 response:2
------------

108.41.10.44 is seen being blocked:
the entry was written successfully and the reload succeeded. Checking dns.log again, the IP's queries are refused. Job done.

Reposted from runus.iteye.com/blog/1581883