homepage Welcome to WebmasterWorld Guest from 54.242.188.217
register, login, search, subscribe, help, library, PubCon, announcements, recent posts, open posts,
Pubcon Platinum Sponsor
Visit PubCon.com
Home / Forums Index / Hardware and OS Related Technologies / Website Technology Issues
Forum Library : Charter : Moderators: phranque

Website Technology Issues Forum

    
Avg of 2 dropped connections per minute - correct order of firewall rules?
caribguy




msg:3986777		 6:11 pm on Sep 9, 2009 (gmt 0)

I have started adding certain ranges of "known bad neighborhoods" to ipfilter. I temporarily enabled logging of the first incoming packet that is dropped by each rule and am surprised by the vast number of dropped connection attempts.

We run our own nameservers, and most of the drops are on port 53 UDP. These connection attempts come in waves of up to 50 from the same address over a short period of time.

I'm wondering if I should change the order of rules... e.g. by moving up this one:

pass in quick proto udp from any to <thishost> port = 53 keep state

Current sequence of rules on the public facing interface is as follows:

1. Allow in specific connections from known hosts
2. Deny in everything that is known to be invalid or bad
3. Allow in what has not been blocked so far and tries to access a valid, existing service
4. Deny in anything else
5. Outbound rules

Blocked example (section #2):
xyz0 @0:76 b 203.162.4.nnn,61492 -> aaa.bbb.ccc.ddd,53 PR udp len 20 63 IN

I'm wondering if allowing access to the nameserver (only for domains we are authoritative for) will merely shift the problem down to the next rule section or if it would bring down the number of failed attempts.

Or, I can just stop logging - since I already know these are bad ranges :)

Any experiences out there?

 

encyclo




msg:3997699		 2:01 pm on Sep 29, 2009 (gmt 0)

As for the excessive traffic on port 53 UDP, is your vserion of BIND (or whatever DNS server) up to date? Last year's DNS exploit could possibly still be doing the rounds.

It's not an answer as such, but I would simply not log at all if you, as you say, already "know these are bad ranges".

caribguy




msg:3997888		 5:47 pm on Sep 29, 2009 (gmt 0)

Version 9.4.3 - ISC seems to have 9.5.2 as its production release.

I might just follow your advice, it would cut the log files down to 5% of their current size...

Maybe I'll log a few packets first just to find out what their purpose is supposed to be, but looking at the source countries I doubt it's anything I'd want to let in.

Thanks Encyclo!

encyclo




msg:3997895		 6:00 pm on Sep 29, 2009 (gmt 0)

You need to ensure that you have at least the 9.4.3-P3 version of BIND which includes the vital patch for the dynamic-update DoS attack. This is not to say that your BIND install is being actively attacked, but you still need to firmly close that security hole if it is not done already. :)
caribguy




msg:3997910		 6:22 pm on Sep 29, 2009 (gmt 0)

Aw great :(

# named -v
BIND 9.4.3-P2

encyclo




msg:3997931		 7:02 pm on Sep 29, 2009 (gmt 0)

Happy compiling ;) You could watch your logs for a while after the update just to see if it makes any difference (very possibly it won't, but you've got to do the update anyway). Do you run BIND in a chroot jail, or has it been hardened at all?
caribguy




msg:3997967		 7:54 pm on Sep 29, 2009 (gmt 0)

Wanna guess?

# ps -auxww ¦ fgrep named
#*$!#*$!#*$! 89226 0.0 0.9 17396 8936 ? Is 30Jul09 1:25.37 /usr/sbin/named -c /etc/namedb/named.conf

Seems like I've got to get crankin'

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / Hardware and OS Related Technologies / Website Technology Issues
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About
WebmasterWorld ® and PubCon ® are a Registered Trademarks of Pubcon Inc.
© Pubcon Inc. 1996-2012 all rights reserved