lost and found ( for me ? )

Continued, continued (final?): BIND9 vulnerability: Dynamic Update DoS

Protect against DDNS DoS w/ iptables (not Rage Against the Machine!)

I found this comment:

The line "the exploit is clearly in active use" in that comment bothers me...

iptables -A INPUT -p udp --dport 53 -j DROP -m u32 --u32 '30>>27&0xF=5'

Works for me, but no guarantee. I have added a second rule which logs
said dnsupdate packets and I already got several such packets from the
outside world, so the exploit is clearly in active use and the least you
can do is to try the iptables rule.


Test setup
DDNS dropped by iptables
arizona ( DDNS ,192.168.1.150) --------> alaska ( BIND 9.6.1 , 192.168.1.200 )

Before that: the alaska machine did not have the required Perl module (Net::DNS).
Let's install the Perl modules with yum rather than CPAN.

Both machines run Fedora.

[root@arizona ~]# cat /etc/redhat-release
Fedora release 11 (Leonidas)
[root@arizona ~]# uname -r
2.6.29.6-213.fc11.i686.PAE


[root@alaska ~]# cat /etc/redhat-release
Fedora release 11 (Leonidas)
[root@alaska ~]# uname -r
2.6.29.6-213.fc11.i686.PAE
[root@alaska ~]#

[root@alaska ~]# LANG=C yum grouplist
Loaded plugins: refresh-packagekit
Setting up Group Process
Installed Groups:
Administration Tools
Arabic Support
Armenian Support

Virtualization
Web Server
X Software Development
X Window System
Available Groups:
Afrikaans Support

Perl Development

Zulu Support
Done
[root@alaska ~]#

[root@alaska ~]# yum -y groupinstall "Perl Development"

Ah, the one module that matters, Net::DNS, is still not installed...

[root@alaska ~]# ./localhost_sleep_tight_bind9.pl
Can't locate Net/DNS.pm in @INC (@INC contains: /usr/local/lib/perl5/site_perl/5.10.0/i386-linux-thread-multi /usr/local/lib/perl5/site_perl/5.10.0 /usr/lib/perl5/vendor_perl/5.10.0/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.10.0 /usr/lib/perl5/vendor_perl /usr/lib/perl5/5.10.0/i386-linux-thread-multi /usr/lib/perl5/5.10.0 /usr/lib/perl5/site_perl .) at ./localhost_sleep_tight_bind9.pl line 3.
BEGIN failed--compilation aborted at ./localhost_sleep_tight_bind9.pl line 3.

The other machine (arizona) already had it. I have a vague feeling that Net::DNS got pulled in when I installed smokeping, or at least I can't rule it out.

[root@alaska ~]# perl -MCPAN -e shell
cpan[1]> install Net::DNS

The vulnerable version:

[root@alaska ~]# named -v
BIND 9.6.1

[root@alaska ~]# named

[root@alaska ~]# ./localhost_sleep_tight_bind9.pl

alaska named[11883]: db.c:649: REQUIRE(type != ((dns_rdatatype_t)dns_rdatatype_any)) failed
alaska named[11883]: exiting (due to assertion failure)

Now, finally, on to iptables.

[root@alaska ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere 192.168.122.0/24 state RELATED,ESTABLISHED
ACCEPT all -- 192.168.122.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

[root@alaska ~]# iptables -A INPUT -p udp --dport 53 -j DROP -m u32 --u32 '30>>27&0xF=5'

The rule has been added.

[root@alaska ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
DROP udp -- anywhere anywhere udp dpt:domain u32 0x1e>>0x1b&0xf=0x5
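What does that u32 expression actually decide? Counting from the start of the IP header, bytes 30..33 are the DNS flags and QDCOUNT fields (20-byte IP header + 8-byte UDP header + 2-byte transaction ID); shifting the 32-bit word right by 27 and masking with 0xF leaves the 4-bit DNS opcode, and 5 is UPDATE (RFC 2136). So the rule drops every dynamic update over UDP, the crafted one from the PoC as well as any legitimate nsupdate or DHCP-driven update, and it only works while the IP header is exactly 20 bytes. The following Python model is an added example, not code from the post, its commenter, or ISC: it builds constructed IPv4/UDP/DNS packets (not the lab capture), evaluates the subset of u32 syntax the rule uses, and contrasts the page's rule with an IHL-aware variant built on the u32 manual's `0>>22&0x3C@` idiom, which is my suggestion and was not tested on the page.

```python
import re
import struct

# Constructed sample traffic for this example; nothing here is captured from the
# arizona -> alaska lab on the page.
DNS_OPCODE_QUERY = 0
DNS_OPCODE_UPDATE = 5          # RFC 2136 dynamic update
QTYPE_A, QTYPE_SOA, QCLASS_IN = 1, 6, 1

# The rule from the post / comment, exactly as handed to iptables -m u32.
PAGE_RULE = "30>>27&0xF=5"
# Assumption: IHL-aware form using the u32 manual's "0>>22&0x3C@" idiom, which
# re-bases the offset on the real IP header length instead of assuming 20 bytes.
IHL_AWARE_RULE = "0>>22&0x3C@10>>27&0xF=5"


def dns_name(name):
    """Encode a dotted name in DNS wire format (no compression)."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split(".") if label)
    return out + b"\x00"


def dns_message(opcode, zone, txid=0x1234):
    """Header plus a one-entry question section. In an UPDATE that 'question' is the
    zone section with QTYPE SOA, which is why tshark prints 'Dynamic update SOA localhost'."""
    flags = (opcode & 0xF) << 11                      # QR=0, opcode in bits 14..11
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qtype = QTYPE_SOA if opcode == DNS_OPCODE_UPDATE else QTYPE_A
    return header + dns_name(zone) + struct.pack("!HH", qtype, QCLASS_IN)


def ipv4_udp_packet(payload, src="192.168.1.150", dst="192.168.1.200",
                    sport=40000, dport=53, ip_options=b""):
    """IPv4 + UDP around payload. Checksums stay zero: u32 never looks at them.
    ip_options (a multiple of 4 bytes) grows the IHL, the case the page's rule misses."""
    assert len(ip_options) % 4 == 0
    ihl = 5 + len(ip_options) // 4
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(udp), 0, 0,
                     64, 17, 0, bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))
    return ip + ip_options + udp


def word32(pkt, off):
    """Big-endian 32-bit read relative to the start of the IP header, as u32 does.
    A read past the end of the packet makes the u32 match fail."""
    if off < 0 or off + 4 > len(pkt):
        raise IndexError("u32 read outside packet")
    return struct.unpack("!I", pkt[off:off + 4])[0]


_TOKEN = re.compile(r"0x[0-9a-fA-F]+|\d+|>>|[&@=,]")


def u32_match(pkt, expr):
    """Evaluate the subset of u32 syntax used here:
         N      read the word at base+N         >>S   shift right
         &M     mask                            @     current value becomes the new base
         =V[,V] compare                         &&    join independent tests
    Ranges (a:b) and the other operators of the real match are not implemented."""
    try:
        for test in expr.split("&&"):
            tok = _TOKEN.findall(test.strip())
            base, passed = 0, False
            value = word32(pkt, base + int(tok[0], 0))
            i = 1
            while i < len(tok):
                op = tok[i]
                if op == ">>":
                    value >>= int(tok[i + 1], 0); i += 2
                elif op == "&":
                    value &= int(tok[i + 1], 0); i += 2
                elif op == "@":
                    base = value
                    value = word32(pkt, base + int(tok[i + 1], 0)); i += 2
                elif op == "=":
                    wanted = {int(t, 0) for t in tok[i + 1:] if t != ","}
                    passed = value in wanted
                    break
                else:
                    raise ValueError("unsupported u32 token %r" % op)
            if not passed:
                return False
        return True
    except IndexError:
        return False


def demo():
    """Run both rules over a query, a plain UPDATE, and an UPDATE carrying IP options."""
    query = ipv4_udp_packet(dns_message(DNS_OPCODE_QUERY, "localhost"))
    update = ipv4_udp_packet(dns_message(DNS_OPCODE_UPDATE, "localhost"))
    update_opts = ipv4_udp_packet(dns_message(DNS_OPCODE_UPDATE, "localhost"),
                                  ip_options=b"\x01\x01\x01\x01")   # four NOP options
    return {
        "query / page rule": u32_match(query, PAGE_RULE),
        "update / page rule": u32_match(update, PAGE_RULE),
        "update+ipopts / page rule": u32_match(update_opts, PAGE_RULE),
        "update+ipopts / ihl-aware rule": u32_match(update_opts, IHL_AWARE_RULE),
    }


if __name__ == "__main__":
    for case, hit in demo().items():
        print("%-32s %s" % (case, "DROP" if hit else "pass"))
```

Two practical notes. The same match works with the LOG target, which is the logging rule the commenter mentions: inserting `iptables -I INPUT -p udp --dport 53 -m u32 --u32 '30>>27&0xF=5' -j LOG --log-prefix 'DNS-UPDATE: '` ahead of the DROP records each dropped update in the kernel log. And the rule is `-p udp` only: named also accepts dynamic updates over TCP, where the message is prefixed by a 2-byte length and sits behind a variable-length TCP header, so this expression does not carry over verbatim (the u32 manual's `0>>22&0x3C@12>>26&0x3C@` idiom skips both headers; that TCP form is not exercised on this page). Treat the filter as a stopgap; the fix for this assertion failure (CVE-2009-0696) is the patched BIND release, 9.6.1-P1 for the 9.6 branch.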


Now, try again!

[root@alaska ~]# named
[root@alaska ~]# iptables -A INPUT -p udp --dport 53 -j DROP -m u32 --u32 '30>>27&0xF=5'

Send the DDNS updates from arizona to alaska, like this:

DDNS dropped
arizona ( DDNS , 192.168.1.150 ) --------> alaska ( BIND 9.6.1 , 192.168.1.200 )

[root@arizona ~]# ./localhost_sleep_tight_bind9.pl
[root@arizona ~]# ./ptr.localhost_sleep_tight_bind9.pl
[root@arizona ~]# ./foo.bar_sleep_tight_bind9.pl
[root@arizona ~]# ./ptr.foo.bar_sleep_tight_bind9.pl

Capture on the BIND host:

[root@alaska ~]# tshark -i eth0 port 53
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
0.000000 192.168.1.150 -> 192.168.1.200 DNS Dynamic update SOA localhost
113.579449 192.168.1.150 -> 192.168.1.200 DNS Dynamic update SOA 0.0.127.in-addr.arpa
122.431512 192.168.1.150 -> 192.168.1.200 DNS Dynamic update SOA foo.bar
135.062697 192.168.1.150 -> 192.168.1.200 DNS Dynamic update SOA 0.168.192.in-addr.arpa

Oh, BIND is still alive, so the updates look like they are being dropped. (Seeing them in tshark is expected: on Linux the packet capture taps the interface before netfilter's INPUT chain runs, so the updates appear on the wire even though the u32 rule drops them before named ever sees them.)
I forgot how to make iptables log them...

[root@alaska ~]# rndc status
version: 9.6.1
number of zones: 16
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running

To check whether the iptables rule is really what is protecting BIND, flush the iptables rules and try again.
If BIND goes down now, the rule can be credited with the effect.

[root@alaska ~]# iptables -F
[root@alaska ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@alaska ~]#

Attack from arizona.

[root@arizona ~]# ./localhost_sleep_tight_bind9.pl

Check alaska (BIND).

Looks dead.

[root@alaska ~]# rndc status
rndc: connect failed: 127.0.0.1#953: connection refused

Right, so iptables really was the thing blocking it.

alaska named[12162]: db.c:649: REQUIRE(type != ((dns_rdatatype_t)dns_rdatatype_any)) failed
alaska named[12162]: exiting (due to assertion failure)

I should study iptables... maybe... nah, too much hassle...

Cheers!
