Around Jan 18th,

Several folks are reporting odd queries hitting their DNS servers at a steady rate of about two per second.  The queries invariably ask for the name server of the domain “.” (NS query for a single dot).   Since “.” is a query for the root name servers, it has a very short query packet but a pretty long answer. Our current theory therefore is that this is a denial of service (DoS) attack in progress, where the DNS servers are used as “amplifiers” and unwittingly flood the (spoofed) source by providing a long answer to a system which never asked.
http://isc.sans.org/diary.html?storyid=5713

I noticed one of the servers I am responsible was getting hit with this query about four times a second. The server was already configured to reject the query, but with each one it logged a warning. named (bind DNS server) and syslogd were now the second and third largest resource users on the server.

I’m sure there are other system administrators dealing with the same problem, so I’m going to outline the process I went through to eventually drop them with iptables (the server is not protected by a hardware firewall, so I had to use the linux firewall iptables). Note, the system is Ubuntu Server 7.10, so the paths used here should be accurate for related systems.

First of all, to survey the damage:

thayward@sea1:~$ tail /var/log/syslog
Jan 24 11:52:28 sea1 named[23890]: client 206.71.158.30#43845: query (cache) './NS/IN' denied
Jan 24 11:52:29 sea1 named[23890]: client 206.71.158.30#43332: query (cache) './NS/IN' denied
Jan 24 11:52:29 sea1 named[23890]: client 206.71.158.30#23849: query (cache) './NS/IN' denied
Jan 24 11:52:29 sea1 named[23890]: client 206.71.158.30#65188: query (cache) './NS/IN' denied
Jan 24 11:52:29 sea1 named[23890]: client 206.71.158.30#45150: query (cache) './NS/IN' denied
Jan 24 11:52:30 sea1 named[23890]: client 206.71.158.30#1362: query (cache) './NS/IN' denied
Jan 24 11:52:31 sea1 named[23890]: client 206.71.158.30#39496: query (cache) './NS/IN' denied
Jan 24 11:52:31 sea1 named[23890]: client 206.71.158.30#27892: query (cache) './NS/IN' denied
Jan 24 11:52:31 sea1 named[23890]: client 206.71.158.30#52019: query (cache) './NS/IN' denied
Jan 24 11:52:32 sea1 named[23890]: client 206.71.158.30#36766: query (cache) './NS/IN' denied

You can see named goes to a lot of effort to get these denials logged. While I figure out how to drop the packets, let’s set bind’s log level to something that won’t log this attack. The system’s bind configuration file is located at /etc/bind/named.conf. I added these lines:

logging{
    channel default_syslog {
        syslog daemon;
        severity notice;
        };
};

This changes the default syslog behavior of bind from info to notice. This stops logging of the denial messages.

Okay, now that we’ve avoided the problem, let’s try to actually block it. The simple solution is to block the source IP address. In this case, that is spoofed as it is the IP address of the victim. Blocking this will keep me out of the attack for now, but when they choose a new victim I could begin sending more refusals.

To block the source IP, I issued this command for each of the offending IPs:

sudo iptables -I INPUT -s 206.71.158.30 -j DROP

This calmed things down a bit, but still wouldn’t protect me against future attacks. For this I would need to do some investigation and learn how to block the packets more specifically.

I started a packet capture on the server with tcpdump.

thayward@sea1:~$ sudo tcpdump -i eth0 -s 1500 -w dump4

eth0 specifies the network adapter to capture from; size of 1500 tells tcpdump to cature the full packet (by default, tcpdump only captures the first 68 bytes); and dump4 is the file I saved the capture to.

I downloaded dump4 and loaded it into Wireshark. A filter expression of “dns” filters out what I need.

I knew these packets would be port 53 because they are DNS queries. I also knew they would be UDP because it is a short DNS query. What I wanted to know was the length of the packet (the tiny packet length is what makes this attack work). I experimented with some of the values I found in Wireshark, I found one that matches iptables’ length rule:

Under Internet Protocol, I found Total Length to be 45, and used this in the iptables rule:

sudo iptables -I INPUT -p udp --dport 53 -m length --length 45 -j DROP

This will drop all root DNS queries.

To test it out:

dig . NS @yourserver.com

If dig just hangs without returning a result, the request was dropped and it’s working.

I guess if Apple can’t do it properly I’ll just have to do it myself. I jailbreaked my iPod touch. This made it easy to copy over Mail.app and MobileMailSettings.bundle from the iPhone firmware. After a quick restart my iPod touch had full VPN support! Works like a charm on campus!

This makes my iPod about twice as useful—I hope Apple understands this and decides to put in a VPN client legitimately.

Update: Apple lied: No VPN client on iPod touch 

First of all, if you haven’t seen the new iPods (including lowered price for the iPhone), you’re missing out. Check them out: www.apple.com. Apple finally did it right: solid-state widescreen/touchscreen iPod. No more dead hard drives.

I just got off the phone with Apple. They confirmed for me that the iPod Touch indeed has the same VPN support as the iPhone.

When I ordered my 16GB iPod Touch last night I didn’t think about the fact that the software might be different than the iPhone. For the most part it’s not, but Apple has chosen to leave a few things out (like Mail, Stocks, and Weather). But would they leave out a system feature like VPN? No, apparently not. So it will work with campus Wi-Fi—perfect.

On a further note, I’ve heard that the software is exactly the same as the iPhone. This means that the missing applications should be easy to install with Installer.app once someone with an iPhone leaks them. Third-party iPhone apps should work too (like Sudoku and OpenSSH).

For years I’ve been using Linux on servers, but in the past few weeks I’ve found myself using it quite a bit more. If fact, this post comes to you from my newly Linux-loaded laptop.

 The other night I decided that although Vista has it’s place, it wasn’t on my laptop. Thinking about it, I’m surprised I held out on Vista for a whole six months—it never did run very well. Anyway, Ubuntu 7.04 is my laptop’s OS now. I was quite impressed by the install process. If you’ve ever installed Ubuntu before, you know that it’s a live cd, meaning you don’t have to install the OS to start running it and using applications—just pop in the CD. This is neat, but the best part is that it really works and everything is fully supported. I popped in the CD, waited 30 seconds, it found my laptop’s WiFi hardware, configured the drivers, and asked me which network I wanted to connect to. This amazed me. Even on Windows XP and Vista I had to search for drivers on the internet with another computer, then transfer them via USB thumb drive, before manually installing them. Bravo Ubuntu! More progress like this and you will be [more] mainstream in no time.

 Though not the primary operating system, Ubuntu 7.04 is now being virtualized on both my desktop and my work desktop (Mark (the boss) got was a little annoyed today when he couldn’t figure out how to get out of Linux mode) using VMware Server (newly free!). This works much better than I would have guessed. There’s a very slight delay between input and output, but it’s very usable and very convenient. The ability to boot Linux in a window within Windows eliminates all the short-comings of a dual-boot setup. At both work and home, I find myself using virtual Ubuntu almost as much as I do Windows. There just aren’t many things that can’t be done with Linux or can be done better by Windows.

 The other place I use Linux is the most interesting to me, but I’ll understand if most readers don’t share this passion. I’ve started working on an embedded Linux system at Harbortronics for—you guessed it—time lapse. So far it’s a neat little package, and easier to work with than I expected.  It’s basically just a circuit board based around a 180MHz computer-on-a-chip. It has USB, Ethernet, serial ports, a card reader: basically everything you need in a computer. It runs a form of Debian Linux (kernel 2.6). Currently, I have a web server, SSH server, LCD text output, and serial terminal running on it. I’m pretty optimistic about the future of this project, if I ever get some more development time. >

 Bleh: conclusion. So yeah, Linux, try it: ubuntu.com. It’s easier than you think and, did I mention, free?