Technically incomprehensible abuse report - how should we respond?

[Deleted]

The following abuse report arrived. How should we respond to it? The server is clean, there is no malware on it. The server is a VPS.

Time: 2013-11-07-18-40-06 PDT (UTC-7)

(Year-Month-Day-Hour-Minute-Second)

Attacking IP(s):
[our server's IP]

Attacking Port(s): 53

Victim IP(s):
[IP of another server]

Log Files:
http://www.skial.com/doslogs/2013-11-07-18-40-06.pcap - PCAP logs
http://www.skial.com/doslogs/2013-11-07-18-40-06.log - Text logs

The pcap log file can be opened with Wireshark or Tcpdump. To filter
out only your IPs, simply use the filter "src or dst your_ip".

Please investigate for compromised servers or abusive users. Common
problems include:

(1) Port 53 UDP (DNS) - DNS servers should not allow recursion to the
public. They should also be rate limited.

How to disable recursion:
http://www.team-cymru.org/Services/Resolvers/instructions.html

How to rate limit with bind:
http://www.redbarn.org/dns/ratelimits

How to rate limit with iptables:
iptables -A INPUT -p udp --dport 53 -m hashlimit --hashlimit-name dns --hashlimit-mode srcip --hashlimit-srcmask 29 --hashlimit-above 2/sec --hashlimit-burst 20 --hashlimit-htable-expire 5000 -j DROP

(2) Port 161,162 UDP (SNMP) - SNMP servers should not be open to the
public. They are used for configuring network devices including routers
and firewalls like SonicWall and pose a threat to your own network as
well.

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!NOTICE!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Some routers/firewalls/gateways DO NOT LOG their own SNMP traffic and
you may falsely believe you are being spoofed. If this IP is a
router/firewall/gateway you need to check the device itself, not
inside your network.

To check that you are not being spoofed, run these commands on another
computer.

tcpdump -i eth0 "port 161 || port 162" -X
snmpbulkget -v2c -t 60 -c public YOUR_IP

It may take as long as 60 seconds for the response to show up on tcpdump
because you are being heavily exploited for DDoS attacks!

(3) Port 19 UDP (Chargen) - This feature generates random text and can
safely be blocked from the Internet. It is often found on printers.

(4) Any other UDP servers - They should be blocked from the Internet
or rate limited per source IP.

If you are not able to remove or fix the server, we request null
routing to our IP if you are not a residential ISP. A list of our IPs
can be found here: http://www.skial.com/api/serversrawip.php

If you do not own this IP, please check to see if they are your customer.
If you do not own this ASN, it is because your peer is not responding or
does not have a functional abuse email.

This email was automatically generated and sent to thousands of
attackers so we may not be able to respond to every email.

================ FREQUENTLY ASKED QUESTIONS ========================

- Where are the logs?

Links to the logs are available at the top of the email.

- I only see 1-2 lines from our server, how can this be an attack?

Hackers spread the load among many servers so you do not suspect you
are being used. Also because of the size of the attacks we only capture
traffic for a brief time and many of the times the attack is larger than
our bandwidth. This means it is highly likely you sent more packets
than shown in the logs.

- It looks like you are attacking us.

Hackers spoof our IP so your servers reply to us with a much larger
packet. Please read this article to learn about amplified DDOS
attacks:

http://blog.cloudflare.com/deep-inside-a-dns-amplification-ddos-attack

If you look at our packet dump you will see we did not send any
packets to your server.

- We do not own this IP / Why do you send reports by ASN?

First check if you are hosting this IP range for a customer.
Many employees do not know your company is hosting IPs for a
customer. According to public records you are the ASN responsible
for this IP block.

Just because they are listed as the owners of the IP block does not
mean you as the host are not responsible for their actions.

Also most of the customers who don't own their own ASN do not
understand what to do with these reports. We received many questions
and were asked to provide support. But it is NOT our job to provide
support for YOUR customers. You are ultimately responsible for
preventing DDoS attacks from your network.

You can take measures like informing and locking your customers.
Also it is very important that you see what is going on in
your network, as every once in a while the customer is not responsible
for the problem. Sometimes it is a problem that can only be fixed by you.

Finally it is extremely difficult to get the abuse contacts from the whois
servers. All registries have low rate limits and make it impossible
to query every single address. Therefore we have to cache based on ASN.

- This looks like a regular DNS query to me?

We do not use any DNS server except Google and OpenDNS.

- We don't have these ports open on our server?

It is highly unlikely these packets were spoofed because the attacker
would be wasting bandwidth they could use to amplify bandwidth from
another server.

We have found that many firewalls and routers do not log their own
SNMP traffic and hide their port from NMAP. They also take upwards
of 60 seconds to respond because they are being hammered by attack
servers.

We suggest you use tcpdump and an SNMP client to test.

- We already have rate limits and recursion disabled on our server?

Thank you for maintaining your server. It is not possible for us to
legally know if your server is rate limited. Even with rate limits the
amplification on SNMP and DNS is very high and the traffic is still
being used to DDoS us. Protocols like these are fundamentally flawed.

- Can you attach a personally tailored text log with only our IPs?

Because there are thousands of attackers, we use a program to generate
these reports and we are unable to customize reports or have the
manpower to do it manually.

Some hosts do not accept edited text to be "evidence" because they
claim they can easily be faked. Some hosts also refuse to open
attachments or are unable to open attachments due to size or company
policy.

We have found this configuration to maximize the number of responses
over the past year of sending reports like these.

- Can you send 1 email per IP?

No, because some networks may have hundreds of attacking IPs and we may
get blocked for spam. Several networks have told us they refuse to
investigate more than a few emails at a time.

- Why did you send to this email? / This is the wrong department.

We use WHOIS to automatically find a contact email based on the ASN
of the IP. Unfortunately these records have different layouts, and
people attempting to obfuscate abuse emails lead our program to
choose another email in the record. This makes it very difficult to
locate a proper abuse email.

- Where is the port number?

If the port number is not shown, the packet from your IP was either
too large and fragmented or it was using a protocol that does not have
a port number like ICMP.

- How do I find out what vulnerabilities my server has?

Use nmap.org to scan your IP for any vulnerabilities listed above.
Simply run "nmap -sU your_ip".

To detect SNMP on firewalls or routers that hide ports and do not log
their own traffic, use these 2 commands from a different computer.
Be aware it may take up to 60 seconds for you to see a reply.

tcpdump -i eth0 "port 161 || port 162" -X
snmpbulkget -v2c -t 60 -c public YOUR_IP

- Why should I do anything?

Being part of a DDoS attack not only drains resources from your
network but it can also be a security hazard for yourself for
protocols such as SNMP.

DDoS attacks are also illegal in many countries and knowingly allowing
it to continue may hold you liable in a court of law.

As I understand it, either someone spoofed the IP to be our server's and attacked somebody in its name, or the DNS on the server was hacked? Right after this email we disabled recursion in BIND. What else needs to be done?

P.S. Can BIND be removed from a VPS altogether (yum erase named)? What is it needed for? Will everything work without it?
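Added example, not code from the abuse email, from BIND or from anyone in this thread: a Python script that runs over BIND 9 query-log lines and flags external addresses that sent a burst of recursive or ANY queries. That is what a spoofed victim address looks like from the resolver's side, and it is the quickest way to confirm the report from your own logs rather than from the reporter's pcap. It assumes query logging is enabled in named.conf (a `category queries` channel with `print-time yes`); the log lines embedded below are constructed for the demonstration and are not from the poster's server.

```python
"""Flag sources that look like DNS amplification victims in a BIND query log.

Added example for this thread; not the abuse email's or BIND's own code.
Assumes BIND 9 query logging is on. SAMPLE_LOG is constructed, not real.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# BIND 9 query log line. The "@0x..." client handle and the parenthesised
# name after the client address only appear in newer versions, so both are
# optional; "queries: info:" appears when print-category/print-severity is on.
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}(?:\.\d+)?) "
    r"(?:queries: info: )?client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+"
    r"(?: \([^)]*\))?: query: (?P<name>\S+) (?P<cls>\S+) (?P<type>\S+) (?P<flags>\S+)"
)

# Query types whose answers are large relative to a ~60-byte query.
AMPLIFYING_TYPES = {"ANY", "TXT", "DNSKEY", "RRSIG"}


def parse_line(line):
    """Return a dict for one query-log line, or None if it is not a query."""
    m = QUERY_RE.match(line)
    if not m:
        return None
    ts = m.group("ts")
    fmt = "%d-%b-%Y %H:%M:%S.%f" if "." in ts else "%d-%b-%Y %H:%M:%S"
    return {
        "ts": datetime.strptime(ts, fmt),
        "ip": m.group("ip"),
        "name": m.group("name"),
        "type": m.group("type"),
        # In the flags field "+" means recursion desired, "-" means not.
        "recursive": m.group("flags").startswith("+"),
    }


def find_amplification_sources(lines, trusted_nets=("127.0.0.0/8", "::1/128"),
                               min_queries=5, window_seconds=10):
    """Return {ip: stats} for untrusted sources that sent at least min_queries
    recursive or amplifying queries inside any window_seconds-long window.

    A spoofed flood shows up as a burst of recursive (usually ANY) queries
    from one address that is not ours: the victim, not the attacker.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    by_ip = defaultdict(list)
    for line in lines:
        q = parse_line(line)
        if q is None:
            continue
        addr = ipaddress.ip_address(q["ip"])
        if any(addr in net for net in trusted):
            continue
        if q["recursive"] or q["type"] in AMPLIFYING_TYPES:
            by_ip[q["ip"]].append(q)

    flagged = {}
    for ip, qs in by_ip.items():
        qs.sort(key=lambda q: q["ts"])
        # Sliding window: size of the densest burst within window_seconds.
        best, start = 0, 0
        for end in range(len(qs)):
            while (qs[end]["ts"] - qs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_queries:
            flagged[ip] = {
                "burst": best,
                "total": len(qs),
                "any_queries": sum(1 for q in qs if q["type"] == "ANY"),
                "names": sorted({q["name"] for q in qs}),
            }
    return flagged


# Constructed sample log (not from the poster's server). 203.0.113.5 plays the
# spoofed victim from the abuse report; 127.0.0.1 is a legitimate local client.
SAMPLE_LOG = """\
07-Nov-2013 18:40:01.101 client 203.0.113.5#5353: query: isc.org IN ANY +E (192.0.2.10)
07-Nov-2013 18:40:01.305 client 203.0.113.5#5353: query: isc.org IN ANY +E (192.0.2.10)
07-Nov-2013 18:40:01.512 client 203.0.113.5#5353: query: isc.org IN ANY +E (192.0.2.10)
07-Nov-2013 18:40:01.720 client 203.0.113.5#5353: query: ripe.net IN ANY +E (192.0.2.10)
07-Nov-2013 18:40:01.933 client 203.0.113.5#5353: query: isc.org IN ANY +E (192.0.2.10)
07-Nov-2013 18:40:02.140 client 203.0.113.5#5353: query: isc.org IN ANY +E (192.0.2.10)
07-Nov-2013 18:40:03.000 client 127.0.0.1#43210: query: example.com IN A + (127.0.0.1)
07-Nov-2013 18:40:03.500 client 198.51.100.7#40001: query: example.com IN MX + (192.0.2.10)
07-Nov-2013 18:41:10.000 client 203.0.113.5#5353: query: isc.org IN ANY +E (192.0.2.10)
""".splitlines()

if __name__ == "__main__":
    for ip, stats in find_amplification_sources(SAMPLE_LOG).items():
        print(f"{ip}: burst={stats['burst']} total={stats['total']} "
              f"ANY={stats['any_queries']} names={stats['names']}")
```

On a real server, feed it the query log (`find_amplification_sources(open("/var/log/named/query.log"))`) and add your own prefixes to `trusted_nets`; the flagged addresses are the victims whose traffic you were reflecting, and a long `names` list of zones with large ANY answers (isc.org, ripe.net and similar) is the signature of amplification rather than of ordinary client use.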

Romka_Kharkov
On the site since 08.04.2009
#1

apachectl, you may well have no malware, but judging by this you do have an open DNS server; send the IP in a private message, we'll take a look and tell you how to fix it...

// Didn't read to the end

You disabled recursion - did you verify it?? If yes, then that's pretty much everything they asked for....

But then an interesting question arises: how did you disable it if you don't know what BIND is and what it's for? :)

tls
On the site since 09.12.2011
#2
This email was automatically generated and sent to thousands of
attackers so we may not be able to respond to every email.

The email is from the subnet you were attacking via BIND. If the DNS server is yours, you can check it for recursion here: http://www.intodns.com/

Can BIND be removed from a VPS altogether

If you use your domain registrar's DNS or a third-party one, then BIND should be stopped and removed from autostart, not deleted entirely.
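Added example, not code from the abuse email, from intodns.com or from anyone in this thread: a standard-library Python probe that does the recursion check yourself instead of through a web service. It sends a recursive ANY query with an EDNS buffer size to the server under test, checks whether the reply has RA set, NOERROR and answer records, and reports the ratio of response size to query size, which is the amplification an attacker gets from the server. Run it from a host outside your own network, because an `allow-recursion` ACL may legitimately permit recursion from inside. The server address is whatever you pass to `probe()`; the canned reply used by the offline self-test is constructed, and the 10-record TXT answer in it is an illustration, not isc.org's real zone.

```python
"""Probe a DNS server for open recursion and measure the amplification factor.

Added example for this thread; not the abuse email's or BIND's own code.
build_fake_response() exists only so the logic can be exercised offline.
"""
import socket
import struct
import sys

QTYPES = {"A": 1, "TXT": 16, "ANY": 255}


def encode_name(name):
    """'isc.org' -> b'\\x03isc\\x03org\\x00' (DNS wire-format name)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype="ANY", txid=0x1234, rd=True, edns_bufsize=4096):
    """RD asks the server to recurse; the EDNS OPT record advertises a large
    UDP buffer, which is exactly what attackers do so that the spoofed victim
    receives the biggest possible reply."""
    flags = 0x0100 if rd else 0x0000
    hdr = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)   # qd=1, ar=1 (OPT)
    question = encode_name(qname) + struct.pack("!HH", QTYPES[qtype], 1)
    # OPT RR: root name, type 41, class = UDP payload size, TTL 0, rdlen 0
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, 0, 0)
    return hdr + question + opt


def parse_header(data):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),   # server offers recursion to this client
        "rcode": flags & 0x000F,      # 0 NOERROR, 5 REFUSED
        "ancount": an,
    }


def is_open_resolver(query, response):
    """True when the server answered our recursive query for a zone it is not
    authoritative for: RA set, NOERROR, at least one answer record.
    A correctly restricted resolver answers REFUSED with RA clear."""
    h, q = parse_header(response), parse_header(query)
    return (h["id"] == q["id"] and h["qr"] and h["ra"]
            and h["rcode"] == 0 and h["ancount"] > 0)


def amplification_factor(query, response):
    return len(response) / len(query)


def probe(server_ip, qname="isc.org", qtype="ANY", timeout=5.0):
    """Send one UDP query; returns (is_open, factor), or None on timeout."""
    q = build_query(qname, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server_ip, 53))
        try:
            resp, _ = s.recvfrom(65535)
        except socket.timeout:
            return None
    return is_open_resolver(q, resp), amplification_factor(q, resp)


def build_fake_response(query, n_txt_records, refused=False):
    """Constructed reply for the offline self-test: echoes the question and
    appends n_txt_records 200-byte TXT answers (or REFUSED with no answers)."""
    q = parse_header(query)
    off = 12
    while query[off] != 0:            # walk the labels to the end of QNAME
        off += query[off] + 1
    off += 1 + 4                       # terminating zero + QTYPE + QCLASS
    question = query[12:off]
    txt = b"\xc8" + b"v" * 200         # one TXT character-string of 200 bytes
    answers = b""
    if not refused:
        for _ in range(n_txt_records):
            answers += b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 3600, len(txt)) + txt
    flags = 0x8105 if refused else 0x8180     # QR|RD|REFUSED vs QR|RD|RA|NOERROR
    hdr = struct.pack("!HHHHHH", q["id"], flags, 1, 0 if refused else n_txt_records, 0, 0)
    return hdr + question + answers


if __name__ == "__main__":
    result = probe(sys.argv[1]) if len(sys.argv) > 1 else None
    print("no reply" if result is None else
          f"open recursion: {result[0]}, amplification x{result[1]:.1f}")
```

Once `allow-recursion { localhost; };` (plus your own prefixes, if the VPS really must resolve for them) or `recursion no;` on an authoritative-only server is in the `options` block of named.conf and named has been reloaded, the same probe from outside should report `open recursion: False` with a small factor; if it still reports an answer, the restriction is not in effect and the report will keep coming.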
