I have a RB 751G-2HnD with a HMA VPN connection over OpenVPN. I had my HMA account temporarily suspended the other day due to a complaint that my VPN connection was used in a DDoS attack. I have the connection set up as per the guide here…
https://support.hidemyass.com/hc/en-us/articles/204558497-Mikrotik-Client-Setup
I’m using packet marking to limit which devices connect over the VPN. The only device I have set up to use the VPN connection is a Roku TV box.
Here is an excerpt from their log that they sent me when I asked for more information on the attack.
############################################################
2015-12-07 18:21:00.162022 IP (tos 0x0, ttl 55, id 17853, offset 0, flags [+],
proto UDP (17), length 1500) 204.45.246.44.53 > 74.91.121.x.58336: 1355|
22/0/0 cpsc.gov. RRSIG[|domain]
0x0000: 4500 05dc 45bd 2000 3711 91ee cc2d f62c E…E…7…-.,
0x0010: 4a5b 79b0 0035 e3e0 1007 3b9e 054b 8380 J[y..5…;..K..
0x0020: 0001 0016 0000 0000 0463 7073 6303 676f …cpsc.go
0x0030: 7600 00ff 0001 c00c 002e 0001 0000 4ae7 v…J.
0x0040: 011c 0002 0702 0000 5460 566e 3191 5664 …TVn1.Vd
0x0050: e901 ..
2015-12-07 18:21:00.167952 IP (tos 0x0, ttl 55, id 17854, offset 0, flags [+],
proto UDP (17), length 1500) 204.45.246.44.53 > 74.91.121.x.58336: 1355|
22/0/0 cpsc.gov. RRSIG[|domain]
0x0000: 4500 05dc 45be 2000 3711 91ed cc2d f62c E…E…7…-.,
0x0010: 4a5b 79b0 0035 e3e0 1007 9fb5 054b 8380 J[y..5…K..
0x0020: 0001 0016 0000 0000 0463 7073 6303 676f …cpsc.go
0x0030: 7600 00ff 0001 c00c 002e 0001 0000 4ae7 v…J.
0x0040: 011c 0030 0702 0000 5460 566e 3191 5664 …0…TVn1.Vd
0x0050: e901 ..
2015-12-07 18:21:00.173804 IP (tos 0x0, ttl 55, id 17855, offset 0, flags [+],
proto UDP (17), length 1500) 204.45.246.44.53 > 74.91.121.x.58336: 1355|
22/0/0 cpsc.gov. TXT[|domain]
0x0000: 4500 05dc 45bf 2000 3711 91ec cc2d f62c E…E…7…-.,
0x0010: 4a5b 79b0 0035 e3e0 1007 fbd4 054b 8380 J[y..5…K..
0x0020: 0001 0016 0000 0000 0463 7073 6303 676f …cpsc.go
0x0030: 7600 00ff 0001 c00c 0010 0001 0000 4ae7 v…J.
0x0040: 0051 5076 3d73 7066 3120 6970 343a 3633 .QPv=spf1.ip4:63
0x0050: 2e37
##############################################################
I’m not really sure what I am looking at here as to what they were exploiting. It looks to me like port 1355 over UDP. I’m guessing that HMA does not firewall from their end to limit what traffic can reach my router over the VPN connection. I have searched for hours on how to firewall the connection to keep this from happening again, but haven’t found much. Can I just duplicate my WAN connection firewall rules specifying the OpenVPN interface rather than the WAN interface?
Thanks,
Jason
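Decoded, each line of the excerpt is a DNS response (source port 53; the 1355 is the DNS transaction ID and the trailing "|" is tcpdump's truncated-flag marker, while 58336 is the destination port) to an ANY query for cpsc.gov, fragmented at 1500 bytes and arriving unsolicited at the VPN-side address, which is the shape of DNS reflection/amplification traffic. The Python below is an added example, not code from the post or from HMA: it parses the first packet's hex columns, copied from the dump above, and returns those fields; the looks_like_dns_reflection rule is a heuristic of my own, not a standard.

```python
import struct

# Hex columns of the first packet, copied from the dump above (ASCII column dropped).
PACKET_HEX = (
    "4500 05dc 45bd 2000 3711 91ee cc2d f62c"
    "4a5b 79b0 0035 e3e0 1007 3b9e 054b 8380"
    "0001 0016 0000 0000 0463 7073 6303 676f"
    "7600 00ff 0001 c00c 002e 0001 0000 4ae7"
    "011c 0002 0702 0000 5460 566e 3191 5664"
    "e901"
)

def read_name(buf, off):
    """Read an uncompressed DNS name starting at off; return (name, offset after it)."""
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            return ".".join(labels), off
        labels.append(buf[off:off + n].decode("ascii"))
        off += n

def decode(hexdump):
    """Parse the IPv4 header, UDP header, DNS header and DNS question of one packet."""
    buf = bytes.fromhex(hexdump.replace(" ", ""))
    # IPv4 (RFC 791): version/IHL, TOS, total length, ID, flags+fragment offset, TTL, protocol
    ver_ihl, _tos, total_len, ip_id, frag, ttl, proto = struct.unpack("!BBHHHBB", buf[:10])
    ihl = (ver_ihl & 0x0F) * 4
    src = ".".join(str(b) for b in buf[12:16])
    # UDP header follows the IP header; the DNS message follows the 8-byte UDP header
    sport, dport, udp_len = struct.unpack("!HHH", buf[ihl:ihl + 6])
    dns = buf[ihl + 8:]
    dns_id, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", dns[:12])
    qname, off = read_name(dns, 12)
    qtype, _qclass = struct.unpack("!HH", dns[off:off + 4])
    return {
        "src": src, "sport": sport, "dport": dport, "proto": proto, "ttl": ttl,
        "ip_id": ip_id, "ip_total_len": total_len, "more_fragments": bool(frag & 0x2000),
        "udp_len": udp_len, "dns_id": dns_id,
        "is_response": bool(flags & 0x8000), "truncated": bool(flags & 0x0200),
        "qname": qname, "qtype": qtype, "answers": an,
    }

def looks_like_dns_reflection(rec):
    """Heuristic (my assumption, not a standard): oversized DNS response from port 53 to an ANY (255) query."""
    return (rec["proto"] == 17 and rec["sport"] == 53 and rec["is_response"]
            and rec["qtype"] == 255 and rec["ip_total_len"] >= 1400)

REPORT = decode(PACKET_HEX)  # decoded fields of the first packet, e.g. REPORT["dns_id"] == 1355
```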