OMG !! Combating DNS flood - botnets, infection, and spam ?
RouterOS general discussion

12 posts   •   Page 1 of 1
NetworkPro
Forum Guru
 
Posts: 1345
Joined: Mon Jan 05, 2009 7:23 pm
Location: The World

OMG !! Combating DNS flood - botnets, infection, and spam ?

by NetworkPro » Sat Feb 12, 2011 5:40 pm

Hello.

I want to thank omega-00 for his article http://wiki.mikrotik.com/wiki/Conficker-Virus-Blocking viewtopic.php?f=9&t=30614


On to my current issue:

There is an infection of some sort that makes too many DNS requests for random domains:

Image

So far I am detecting this with these rules:
/ip firewall mangle
add action=add-dst-to-address-list address-list=DNS_Junk address-list-timeout=1w chain=postrouting comment="Catch the DNS Junk senders and save to address-list for later spanking" content="\81\83" disabled=no \
dst-address-list=DNS_Junk_stage5 protocol=udp src-port=53
add action=add-dst-to-address-list address-list=DNS_Junk_stage5 address-list-timeout=4s chain=postrouting comment="" content="\81\83" dst-address-list=DNS_Junk_stage4 protocol=udp src-port=53
add action=add-dst-to-address-list address-list=DNS_Junk_stage4 address-list-timeout=4s chain=postrouting comment="" content="\81\83" dst-address-list=DNS_Junk_stage3 protocol=udp src-port=53
add action=add-dst-to-address-list address-list=DNS_Junk_stage3 address-list-timeout=4s chain=postrouting comment="" content="\81\83" dst-address-list=DNS_Junk_stage2 protocol=udp src-port=53
add action=add-dst-to-address-list address-list=DNS_Junk_stage2 address-list-timeout=5s chain=postrouting comment="" content="\81\83" dst-address-list=DNS_Junk_stage1 protocol=udp src-port=53
add action=add-dst-to-address-list address-list=DNS_Junk_stage1 address-list-timeout=10s chain=postrouting comment="" content="\81\83" dst-address-list=!DNS_Junk protocol=udp src-port=53


These rules make an address-list for DNS offenders that receive too many replies for not-found DNS entries in a period of time.

Does anyone have any idea:

- How to protect our DNS servers and MikroTik routers from this DNS flooding? The cache is getting filled up with N entries.
- What is this virus and how to block the traffic of the virus? How to combat it?

Thank you!!!
Last edited by NetworkPro on Fri Feb 25, 2011 9:51 pm, edited 2 times in total.
wiki.mikrotik.com/wiki/UPnP_Multi-WAN <- CONTRIBUTORS WANTED
wiki.mikrotik.com/wiki/NetworkPro_on_Quality_of_Service <- contributors welcome
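Added example, not NetworkPro's script and not RouterOS code: a Python model of what the six mangle rules above do, so the thresholds can be reasoned about off the router. The rules match the two bytes \81\83 in UDP packets from source port 53 on the way back to the client; 0x8183 is the DNS flags word of a response (QR=1) with RD and RA set and RCODE=3 (NXDOMAIN). The stage timeouts (10s, 5s, 4s, 4s, 4s, then 1w in DNS_Junk) are taken from the rules; the packets, client addresses and timing are constructed here.

```python
import struct
from collections import defaultdict
from typing import Optional

# Stage address-list timeouts (seconds) copied from the rules in the post.
STAGE_TIMEOUTS = {1: 10, 2: 5, 3: 4, 4: 4, 5: 4}
JUNK_TIMEOUT = 7 * 24 * 3600          # address-list-timeout=1w
NXDOMAIN = 3                          # DNS RCODE 3 (RFC 1035)


def raw_content_match(payload: bytes) -> bool:
    """What content="\\81\\83" does: a substring match anywhere in the
    payload, with no notion of DNS structure."""
    return b"\x81\x83" in payload


def is_nxdomain_reply(payload: bytes) -> bool:
    """Parse the 12-byte DNS header and check QR=1 and RCODE=3, so a
    response with RA clear (flags 0x8103) is still counted and an 0x81 0x83
    byte pair that happens to sit inside a name or RDATA is not."""
    if len(payload) < 12:
        return False
    flags = struct.unpack("!H", payload[2:4])[0]
    return (flags >> 15) == 1 and (flags & 0x0F) == NXDOMAIN


def make_dns_reply(flags: int, qname: str = "example.invalid") -> bytes:
    """Constructed sample packet: DNS header with the given flags word, one
    question (type A, class IN) and no answer records."""
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


class StagedNxdomainTracker:
    """Model of the six mangle rules: each NXDOMAIN reply to a client adds it
    to the stage above the highest stage list it is still on, and a client
    on stage5 goes to DNS_Junk.  Rules are applied highest stage first, as in
    the export, so one reply advances a client by exactly one stage."""

    def __init__(self) -> None:
        self.lists = defaultdict(dict)   # list name -> {client_ip: expiry}

    def _on(self, name: str, ip: str, now: float) -> bool:
        return self.lists[name].get(ip, 0.0) > now

    def observe(self, client_ip: str, payload: bytes, now: float) -> Optional[str]:
        """Feed one UDP packet from source port 53 destined to client_ip.
        Returns the highest list the client is on afterwards, or None."""
        if not is_nxdomain_reply(payload):
            return self.highest_list(client_ip, now)
        if self._on("DNS_Junk_stage5", client_ip, now):
            self.lists["DNS_Junk"][client_ip] = now + JUNK_TIMEOUT
        for st in (4, 3, 2, 1):
            if self._on(f"DNS_Junk_stage{st}", client_ip, now):
                nxt = st + 1
                self.lists[f"DNS_Junk_stage{nxt}"][client_ip] = now + STAGE_TIMEOUTS[nxt]
        if not self._on("DNS_Junk", client_ip, now):      # dst-address-list=!DNS_Junk
            self.lists["DNS_Junk_stage1"][client_ip] = now + STAGE_TIMEOUTS[1]
        return self.highest_list(client_ip, now)

    def highest_list(self, ip: str, now: float) -> Optional[str]:
        if self._on("DNS_Junk", ip, now):
            return "DNS_Junk"
        for st in (5, 4, 3, 2, 1):
            if self._on(f"DNS_Junk_stage{st}", ip, now):
                return f"DNS_Junk_stage{st}"
        return None


def run_burst(spacing: float, count: int = 6, client: str = "10.0.0.7") -> Optional[str]:
    """Replay `count` NXDOMAIN replies to one constructed client address,
    `spacing` seconds apart, and return where the client ends up."""
    tracker = StagedNxdomainTracker()
    reply = make_dns_reply(0x8183)
    result = None
    for i in range(count):
        result = tracker.observe(client, reply, now=i * spacing)
    return result


if __name__ == "__main__":
    print("1 reply/s  ->", run_burst(1.0))    # DNS_Junk after the sixth reply
    print("1 reply/6s ->", run_burst(6.0))    # never gets past stage2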

fewi
Forum Guru
 
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: OMG !! Combating infection spread, DNS flood and spam

by fewi » Sat Feb 12, 2011 8:31 pm

- depending on the DNS server used you can set aggressive timeouts on misses
- block the user from being able to reach the DNS servers in the first place
- it's very likely a botnet infected machine looking for a CC (command and control) server. Clients have built in rules to build DNS names to query for until they find a CC. That way the bot herder can rapidly rotate the CCs and the bots follow after some time
Specific answers require specific questions. When in doubt, post the output of "/ip address print detail", "/ip route print detail", "/interface print detail", "/ip firewall export", and an accurate network diagram.

NetworkPro
Forum Guru
 
Posts: 1345
Joined: Mon Jan 05, 2009 7:23 pm
Location: The World

Re: OMG !! Combating infection spread, DNS flood and spam

by NetworkPro » Fri Feb 25, 2011 9:48 pm

Thank you fewi, your answer is awesome.

So far we have not found a cheap way to deal with this so right now we are supporting networks to serve botnets hurray :(


P.S. I modified my script above to save CPU.

mves
Frequent Visitor
 
Posts: 84
Joined: Tue Jan 11, 2011 9:15 pm
Location: Serbia

Re: OMG !! Combating DNS flood - botnets, infection, and spa

by mves » Thu Apr 28, 2011 5:54 pm

Hi... I'm testing this and so far it's doing fine. It kicked out the flooding with N entries from the cache and also lists the origin of this flood and the IP destination.

/ip firewall nat
add action=add-src-to-address-list address-list=DNS address-list-timeout=1d chain=dstnat comment=\
    "DNS Flood - Test" disabled=no dst-address-list=!Server dst-port=53 in-interface=xxx protocol=udp
add action=add-dst-to-address-list address-list=DNS-dst address-list-timeout=1d chain=dstnat comment="" \
    disabled=no dst-address-list=!Server dst-port=53 in-interface=xxx protocol=udp
add action=redirect chain=dstnat comment="" disabled=no dst-address-list=!Server dst-port=53 in-interface=\
    xxx protocol=udp to-ports=2


/ip firewall address-list
add address=xxx.xxx.xxx.xxx comment="" disabled=no list=Server
add address=xxx.xxx.xxx.xxx comment="" disabled=no list=Server
add address=xxx.xxx.xxx.xxx comment="" disabled=no list=Server
add address=xxx.xxx.xxx.xxx comment="" disabled=no list=Server


The Server list is the IP addresses of the allowed DNS servers... 4 entries in my case. Also, flushing the DNS cache on a 15 minute schedule helps additionally. Change xxx to fit your settings.
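Added example, not mves's configuration and not RouterOS code: a Python model of the three dstnat rules above, run over constructed flow records, to show exactly which traffic they act on. The allowed resolver addresses, interface name and client addresses are made up here; the rule semantics (UDP to port 53 arriving on the LAN interface, destination not on the Server list, source recorded in DNS, destination recorded in DNS-dst, query redirected to the router's own port 2 where nothing listens) follow the posted rules.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed stand-in for the "Server" address-list (RFC 5737 test addresses).
ALLOWED_RESOLVERS = {"203.0.113.10", "203.0.113.11"}
LAN_IFACE = "xxx"          # the in-interface placeholder from the post
BLACKHOLE_PORT = 2         # to-ports=2: nothing on the router answers there


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    in_iface: str


class ResolverAllowlist:
    """Model of the three dstnat rules: queries to resolvers outside the
    Server list are recorded (source in DNS, destination in DNS-dst) and
    redirected to a dead local port; everything else passes untouched."""

    def __init__(self, allowed: Set[str], lan_iface: str = LAN_IFACE) -> None:
        self.allowed = set(allowed)
        self.lan_iface = lan_iface
        self.lists: Dict[str, Set[str]] = defaultdict(set)

    def apply(self, flow: Flow) -> Tuple[str, int]:
        """Return ("redirect", 2) for a bypassing DNS query, else ("accept", dport)."""
        matches = (
            flow.proto == "udp"
            and flow.dport == 53
            and flow.in_iface == self.lan_iface
            and flow.dst not in self.allowed
        )
        if not matches:
            return ("accept", flow.dport)
        self.lists["DNS"].add(flow.src)          # add-src-to-address-list=DNS
        self.lists["DNS-dst"].add(flow.dst)      # add-dst-to-address-list=DNS-dst
        return ("redirect", BLACKHOLE_PORT)


def run_sample() -> Tuple[List[Tuple[str, int]], Dict[str, Set[str]]]:
    """Replay a few constructed flows through the policy and return the
    per-flow decisions together with the resulting address lists."""
    policy = ResolverAllowlist(ALLOWED_RESOLVERS)
    flows = [
        Flow("192.168.1.20", "203.0.113.10", "udp", 53, "xxx"),   # uses allowed resolver
        Flow("192.168.1.21", "198.51.100.53", "udp", 53, "xxx"),  # bypasses to outside resolver
        Flow("192.168.1.21", "198.51.100.53", "tcp", 53, "xxx"),  # TCP/53 is not covered
        Flow("192.168.1.22", "198.51.100.53", "udp", 53, "wan"),  # wrong interface, not covered
        Flow("192.168.1.23", "198.51.100.80", "tcp", 80, "xxx"),  # ordinary web traffic
    ]
    decisions = [policy.apply(f) for f in flows]
    return decisions, dict(policy.lists)


if __name__ == "__main__":
    decisions, lists = run_sample()
    for d in decisions:
        print(d)
    print("DNS     :", sorted(lists.get("DNS", ())))
    print("DNS-dst :", sorted(lists.get("DNS-dst", ())))
```

The replay shows the coverage of this approach: only UDP/53 leaving the LAN interface for a resolver outside the Server list is caught, so DNS over TCP is not, and a client that sends its junk queries through one of the allowed resolvers never appears in either list.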

Cupholder
just joined
 
Posts: 6
Joined: Sun Apr 17, 2011 11:46 pm

Re: OMG !! Combating DNS flood - botnets, infection, and spa

by Cupholder » Thu Apr 28, 2011 10:37 pm

NetworkPro wrote: Hello.
There is an infection of some sort that makes too many DNS requests for random domains:


It might just be a user starting up their Google Chrome web browser. If so, nothing to worry about: http://isc.sans.edu/diary.html?storyid=10312

mves
Frequent Visitor
 
Posts: 84
Joined: Tue Jan 11, 2011 9:15 pm
Location: Serbia

Re: OMG !! Combating DNS flood - botnets, infection, and spa

by mves » Fri Apr 29, 2011 12:40 am

Cupholder wrote:
NetworkPro wrote: Hello.
There is an infection of some sort that makes too many DNS requests for random domains:


It might just be a user starting up their Google Chrome web browser. If so, nothing to worry about: http://isc.sans.edu/diary.html?storyid=10312


Oh yes? That could really be true, but that actually does not help with the fact that this thing can actually kill the DNS cache on MikroTik. From one source, ok, just set cache flushing every 15 minutes and you probably won't even notice it. If there is more than one source for that and constant flooding with this... you're in a problem.

NetworkPro
Forum Guru
 
Posts: 1345
Joined: Mon Jan 05, 2009 7:23 pm
Location: The World

Re: OMG !! Combating DNS flood - botnets, infection, and spa

by NetworkPro » Fri Apr 29, 2011 2:31 pm

Thanks for sharing, mves, but clearing cache slows down DNS resolving.

And I don't see how you catch the offenders with those rules.

mves
Frequent Visitor
 
Posts: 84
Joined: Tue Jan 11, 2011 9:15 pm
Location: Serbia

Re: OMG !! Combating DNS flood - botnets, infection, and spa

by mves » Fri Apr 29, 2011 5:31 pm

Oh, but it does catch them. At least, not directly. These botnets usually use a different DNS server than your default, so I killed everything that's not going through the designated DNS. I found a couple of users with this issue and this thing successfully removed the invalid DNS attempts and also removed that problem. Also, allow remote requests for DNS cache is turned on. Everything else is blocked and that indirectly includes the flooding problem. And, I just blasted those lines in and it worked... at least for me and my network problems.

And clearing the cache... I don't know, you're probably right, but this helped me with occasional router freezes during DNS flooding. Probably issues with older ROS on some of the routers.

NetworkPro
Forum Guru
 
Posts: 1345
Joined: Mon Jan 05, 2009 7:23 pm
Location: The World

Re: OMG !! Combating DNS flood - botnets, infection, and spa

by NetworkPro » Fri Apr 29, 2011 6:27 pm

Thanks for clarifying.

I imagine the following working best in my case:

- catch infected hosts with my rules
- block their Internet access and send their web requests to my company's HTTPS site with valid verifiable certificate
- on that page - tell them to run a certain Anti-Virus solution that I know for sure would clean the infection, like Microsoft Malicious Software Removal Tool

But how can I be sure if a certain simple Anti-Virus tool would clean it?

:)

mves
Frequent Visitor
 
Posts: 84
Joined: Tue Jan 11, 2011 9:15 pm
Location: Serbia

Re: OMG !! Combating DNS flood - botnets, infection, and spa

by mves » Fri Apr 29, 2011 7:18 pm

You can't know... and usually this stuff can be removed only by reinstalling Windows, and in extreme cases you have to do a low level format of all hard drives. Microsoft Malicious Software Removal Tool usually crashes Windows because it deletes infected files instead of fixing them. Well, at least, that used to be the case with that "tool". On the other hand, I find that Kaspersky is quite helpful in solving virus outbreaks. I also tried Avast as a free solution.

NetworkPro
Forum Guru
 
Posts: 1345
Joined: Mon Jan 05, 2009 7:23 pm
Location: The World

Re: OMG !! Combating DNS flood - botnets, infection, and spa

by NetworkPro » Fri Apr 29, 2011 7:26 pm

Microsoft Malicious Software Removal Tool cleaned an infected wininit.exe for me once. How about that hmm ? :) WITHOUT THE NEED TO REBOOT

mves
Frequent Visitor
 
Posts: 84
Joined: Tue Jan 11, 2011 9:15 pm
Location: Serbia

Re: OMG !! Combating DNS flood - botnets, infection, and spa

by mves » Fri Apr 29, 2011 7:44 pm

NetworkPro wrote: Microsoft Malicious Software Removal Tool cleaned an infected wininit.exe for me once. How about that hmm ? :) WITHOUT THE NEED TO REBOOT


Niceee... and how about svchost.exe, rundll32.exe, services.exe or maybe winlogon.exe or explorer.exe? :lol:
The safest way for your network and for your customer is to recommend a Windows reinstall by someone who knows how to do it (since whoever gets their hands on a Windows installation disk becomes a self-named "professional").

