  1. #1

    Port 53 DDoS, but port 53 is closed ...

    So let me explain this a little:

    1. I ran -->
    nmap -v -sT 1.2.3.4 (where 1.2.3.4 is my server IP) and got:
    Not shown: 1669 closed ports
    PORT STATE SERVICE
    21/tcp filtered ftp
    22/tcp filtered ssh
    25/tcp filtered smtp
    43/tcp filtered whois
    80/tcp filtered http
    110/tcp filtered pop3
    143/tcp filtered imap
    443/tcp filtered https
    993/tcp filtered imaps
    995/tcp filtered pop3s
    3306/tcp filtered mysql

    Nmap finished: 1 IP address (1 host up) scanned in 11.207 seconds
    Raw packets sent: 0 (0B) | Rcvd: 0 (0B)

    Port 53 is not listed because I do not run any named/BIND service; also in ps aux no named exists, so clearly it's not running.

    2. I ran tcpdump -n udp dst port 53; the output is -->
    17:48:00.783942 IP 178.85.39.17.62933 > 1.2.3.4.53: 7490+ [1au] ANY? isc.org. (36)
    17:48:00.829811 IP 90.58.136.93.62933 > 1.2.3.4.53: 7490+ [1au] ANY? isc.org. (36)
    ... and repeat millions of times ...

    IPs 178.85.39.17 and 90.58.136.93 are the only two that DDoS; it has also been reported to their local ISP.

    3. Finally I ran iftop -f udp:
    http://i.imgur.com/3OV8Wnb.png


    So what now? Any way to stop it? I also added those 2 IPs to ip route blackhole/nullroute; anything more I can do?

  2. #2
    Blackhole it upstream as far as possible really is all you can do. Open a dialog to the owners of the DNS resolvers, and if they seem to be inexperienced, educate them about the dangers of not securing it. You might end up escalating it to their network provider if they don't respond.

  3. #3
    As long as the attack stays as small as this one, it's really nothing to worry about. Even if you don't run anything on port 53, packets destined for that port still reach your server, which is why you see them in tcpdump. As @tchen already suggested, you could ask your hosting provider to put in an ACL which blocks port 53 for your IP, but as I said, that's not required if it's only 2 IPs and very low traffic.

  4. #4
    By default all of your ports are open, so did you manually close port 53? What you demonstrated there is that there are no services running on that port. But on to the main problem: have you tried fail2ban?

  5. #5
    This is an attempted DNS amplification attack. The "source" IPs are forged (they're the victims of the attack). Your IP address probably had a DNS service in the past. Blocking the port upstream or changing the IP address is the only thing you can do. Or just block it at your firewall and ignore it unless you think it's eating a significant portion of your inbound bandwidth.

  6. #6
    Quote Originally Posted by Buycpanel-Kevin View Post
    By default all of your ports are open, so did you manually close port 53? What you demonstrated there is that there are no services running on that port. But on to the main problem: have you tried fail2ban?
    We run a reverse proxy, so access to the real IP is blocked and there are no open ports; the only one open to the world is port 80, and that is open ONLY for the reverse proxy IP. Port 53 does NOT listen, as no named/BIND service is running; it is also blocked by a DROP rule for port 53.

    Thx, but fail2ban for what? This won't help.

    ---------------------------------

    Okay, our patience is at an END.

    My company is going to report every single IP with the provided LOG.

    Also check this lol, as of today:

    ------ --------------
    COUNT IP
    ------ --------------
    1274 31.220.0.149

    So http://who.is/whois-ip/ip-address/31.220.0.149

    descr: "KODDOS", which belongs to koddos.com, so someone buys anti-DDoS hosting to DDoS lol. WE PROMISE WE WILL BRING SOME OF THESE TO JAIL; IF NOT TO JAIL, THEY WILL PAY HARD FOR IT!

    Oh, and don't tell me IP 31.220.0.149 is NOT the real source of the ATTACK/DDoS: see http://www.yougetsignal.com/tools/open-ports/ and check open ports like 80, 53; all are closed, for ATTACKER SECURITY lol.

    So IP 31.220.0.149 is the REAL DDoSer and not a victim of the attack in this case.

    Oh, and just to be clear about that IP, here is a log:
    10:48:28.585758 IP 31.220.0.149.62933 > OUR.SERVER.53: 7490+ [1au] ANY? isc.org. (36)
    10:48:28.697443 IP 31.220.0.149.62933 > OUR.SERVER.53: 7490+ [1au] ANY? isc.org. (36)
    10:48:28.732150 IP 31.220.0.149.62933 > OUR.SERVER.53: 7490+ [1au] ANY? isc.org. (36)
    10:48:28.763467 IP 31.220.0.149.62933 > OUR.SERVER.53: 7490+ [1au] ANY? isc.org. (36)
    10:48:28.789871 IP 31.220.0.149.62933 > OUR.SERVER.53: 7490+ [1au] ANY? isc.org. (36)
    10:48:28.820721 IP 31.220.0.149.62933 > OUR.SERVER.53: 7490+ [1au] ANY? isc.org. (36)
    10:48:28.848814 IP 31.220.0.149.62933 > OUR.SERVER.53: 7490+ [1au] ANY? isc.org. (36)
    10:48:28.886737 IP 31.220.0.149.62933 > OUR.SERVER.53: 7490+ [1au] ANY? isc.org. (36)
    10:48:28.913342 IP 31.220.0.149.62933 > OUR.SERVER.53: 7490+ [1au] ANY? isc.org. (36)
    10:48:28.933194 IP 31.220.0.149.62933 > OUR.SERVER.53: 7490+ [1au] ANY? isc.org. (36)
    10:48:28.965454 IP 31.220.0.149.62933 > OUR.SERVER.53: 7490+ [1au] ANY? isc.org. (36)
    10:48:28.985428 IP 31.220.0.149.62933 > OUR.SERVER.53: 7490+ [1au] ANY? isc.org. (36)
    10:48:29.011876 IP 31.220.0.149.62933 > OUR.SERVER.53: 7490+ [1au] ANY? isc.org. (36)
    10:48:29.083258 IP 31.220.0.149.62933 > OUR.SERVER.53: 7490+ [1au] ANY? isc.org. (36)
    10:48:29.143503 IP 31.220.0.149.62933 > OUR.SERVER.53: 7490+ [1au] ANY? isc.org. (36)
    10:48:29.186846 IP 31.220.0.149.62933 > OUR.SERVER.53: 7490+ [1au] ANY? isc.org. (36)
    10:48:29.237900 IP 31.220.0.149.62933 > OUR.SERVER.53: 7490+ [1au] ANY? isc.org. (36)
    10:48:29.312881 IP 31.220.0.149.62933 > OUR.SERVER.53: 7490+ [1au] ANY? isc.org. (36)
    10:48:29.348373 IP 31.220.0.149.62933 > OUR.SERVER.53: 7490+ [1au] ANY? isc.org. (36)
    10:48:29.386166 IP 31.220.0.149.62933 > OUR.SERVER.53: 7490+ [1au] ANY? isc.org. (36)
    10:48:29.434093 IP 31.220.0.149.62933 > OUR.SERVER.53: 7490+ [1au] ANY? isc.org. (36)
    10:48:29.481930 IP 31.220.0.149.62933 > OUR.SERVER.53: 7490+ [1au] ANY? isc.org. (36)
    10:48:29.502511 IP 31.220.0.149.62933 > OUR.SERVER.53: 7490+ [1au] ANY? isc.org. (36)
    10:48:29.522001 IP 31.220.0.149.62933 > OUR.SERVER.53: 7490+ [1au] ANY? isc.org. (36)
    10:48:29.544689 IP 31.220.0.149.62933 > OUR.SERVER.53: 7490+ [1au] ANY? isc.org. (36)
    10:48:29.571193 IP 31.220.0.149.62933 > OUR.SERVER.53: 7490+ [1au] ANY? isc.org. (36)
    10:48:29.596710 IP 31.220.0.149.62933 > OUR.SERVER.53: 7490+ [1au] ANY? isc.org. (36)
    10:48:29.622638 IP 31.220.0.149.62933 > OUR.SERVER.53: 7490+ [1au] ANY? isc.org. (36)
    10:48:29.657137 IP 31.220.0.149.62933 > OUR.SERVER.53: 7490+ [1au] ANY? isc.org. (36)
    10:48:29.692219 IP 31.220.0.149.62933 > OUR.SERVER.53: 7490+ [1au] ANY? isc.org. (36)
    10:48:29.713943 IP 31.220.0.149.62933 > OUR.SERVER.53: 7490+ [1au] ANY? isc.org. (36)
    10:48:29.734866 IP 31.220.0.149.62933 > OUR.SERVER.53: 7490+ [1au] ANY? isc.org. (36)
    10:48:29.771217 IP 31.220.0.149.62933 > OUR.SERVER.53: 7490+ [1au] ANY? isc.org. (36)
    10:48:29.806216 IP 31.220.0.149.62933 > OUR.SERVER.53: 7490+ [1au] ANY? isc.org. (36)
    10:48:29.818784 IP 31.220.0.149.62933 > OUR.SERVER.53: 7490+ [1au] ANY? isc.org. (36)
    10:48:29.830648 IP 31.220.0.149.62933 > OUR.SERVER.53: 7490+ [1au] ANY? isc.org. (36)
    10:48:29.846355 IP 31.220.0.149.62933 > OUR.SERVER.53: 7490+ [1au] ANY? isc.org. (36)
    10:48:29.862341 IP 31.220.0.149.62933 > OUR.SERVER.53: 7490+ [1au] ANY? isc.org. (36)
    10:48:29.884668 IP 31.220.0.149.62933 > OUR.SERVER.53: 7490+ [1au] ANY? isc.org. (36)
    10:48:29.920331 IP 31.220.0.149.62933 > OUR.SERVER.53: 7490+ [1au] ANY? isc.org. (36)
    10:48:29.947670 IP 31.220.0.149.62933 > OUR.SERVER.53: 7490+ [1au] ANY? isc.org. (36)
    10:48:29.983145 IP 31.220.0.149.62933 > OUR.SERVER.53: 7490+ [1au] ANY? isc.org. (36)

  7. #7
    Before you start wasting your time logging and reporting a spoofed IP for sending 1274 UDP packets your way (lol), learn about the "DNS amplification attack" (1), how it works, and why "ANY isc.org" (2) is a common vector in such an attack.

    BTW I lol at your 1274 packets because we run DNS servers and have hundreds of thousands of such requests daily. Of course they all get dropped at the firewall level (3).

    (1) https://google.com/search?q=DNS+amplification+attack
    (2) https://google.com/search?q=ANY+isc.org
    (3) For example: http://blog.dataforce.org.uk/2013/08...amplification/

  8. #8
    It was 1274, which is low, but that low number was not the DDoS but a probe of the server for open DNS recursion, so that IP is one used for scanning, and once you're open to the world the real DDoS starts ...

    Also rules:
    # drop incoming UDP aimed at our port 53 (the queries seen in tcpdump)
    iptables -A INPUT -p udp --dport 53 -j DROP
    # drop UDP this host itself sends to port 53 (this also stops the server's own resolver queries to remote DNS servers)
    iptables -A OUTPUT -p udp --dport 53 -j DROP
    # drop UDP to port 53 routed through this host (only matters if it forwards traffic)
    iptables -A FORWARD -p udp --dport 53 -j DROP


    556409 from just one IP is not a low number, and we don't waste our time.

    Some have already been shut down for DDoSing.

    Also here are more:
    ------ --------------
    COUNT IP
    ------ --------------
    123 93.115.210.101
    1187 63.223.89.201
    1761 199.233.236.213
    33190 31.220.0.108
    79930 5.254.103.183
    132496 31.220.0.92
    354764 82.57.46.159
    556409 90.58.136.93

    ------ --------------
    COUNT IP
    ------ --------------
    1 80.82.70.233
    1 89.248.172.9
    1 93.174.93.191
    1 94.102.49.100
    1 94.102.49.150
    11741 171.99.2.147
    213707 90.58.136.93
    248955 178.85.39.17

  9. #9
    Quote Originally Posted by todd001 View Post
    It was 1274, which is low, but that low number was not the DDoS but a probe of the server for open DNS recursion, so that IP is one used for scanning, and once you're open to the world the real DDoS starts ...
    That's not how DNS recursion attacks work.

    http://www.us-cert.gov/ncas/alerts/TA13-088A

    Quote Originally Posted by us-cert.gov
    attackers use publically accessible open DNS servers to flood a target system with DNS response traffic. The primary technique consists of an attacker sending a DNS name lookup request to an open DNS server with the source address spoofed to be the target's address. When the DNS server sends the DNS record response, it is sent instead to the target. Attackers will typically submit a request for as much zone information as possible to maximize the amplification effect. In most attacks of this type observed by US-CERT, the spoofed queries sent by the attacker are of the type, "ANY," which returns all known information about a DNS zone in a single request. Because the size of the response is considerably larger than the request, the attacker is able to increase the amount of traffic directed at the victim. By leveraging a botnet to produce a large number of spoofed DNS queries, an attacker can create an immense amount of traffic with little effort. Additionally, because the responses are legitimate data coming from valid servers, it is extremely difficult to prevent these types of attacks. While the attacks are difficult to stop, network operators can apply several possible mitigation strategies.
    They're not using you as the open recursor. You're the spoofed target.
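Added example (not from the original thread or any poster): the exact query behind the tcpdump lines quoted above, rebuilt byte for byte. In tcpdump's summary "7490+ [1au] ANY? isc.org. (36)", 7490 is the transaction ID, "+" means the Recursion Desired flag is set, "[1au]" means one additional record (the EDNS0 OPT pseudo-record that advertises a large UDP buffer so the reflector is willing to send a big answer), ANY is the query type, and 36 is the DNS payload length. The advertised UDP buffer size (4096) and the response size used for the amplification estimate (3000 bytes) are assumptions for illustration; the page does not state either value.

```python
"""Rebuild the DNS ANY query seen in the thread and estimate its
amplification potential.  Added example, not the poster's tooling."""
import struct

QTYPE_ANY = 255
QCLASS_IN = 1
TYPE_OPT = 41          # EDNS0 OPT pseudo-RR (RFC 6891)
FLAG_QR = 0x8000       # 0 = query, 1 = response
FLAG_RD = 0x0100       # Recursion Desired; tcpdump prints it as "+"


def encode_name(name):
    """'isc.org' -> b'\\x03isc\\x03org\\x00' (DNS label wire format)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_any_query(name, txid, udp_payload_size=4096):
    """DNS ANY query with one EDNS0 OPT record, as a spoofing tool emits it.
    udp_payload_size is an assumed value; the page does not say what
    buffer size the observed queries advertised."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)   # qd=1, ar=1
    question = encode_name(name) + struct.pack("!HH", QTYPE_ANY, QCLASS_IN)
    # OPT: root name (1 byte), TYPE=41, CLASS=advertised UDP size,
    # TTL field = extended rcode/version/flags (all 0), RDLENGTH=0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload_size, 0, 0)
    return header + question + opt


def parse_query(pkt):
    """Decode the fields tcpdump summarises, from the wire bytes."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    pos, labels = 12, []
    while pkt[pos] != 0:                          # walk the QNAME labels
        n = pkt[pos]
        labels.append(pkt[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    pos += 1
    qtype, qclass = struct.unpack("!HH", pkt[pos:pos + 4])
    pos += 4
    edns_udp_size = None
    if ar and pkt[pos] == 0:                      # additional record with root name
        rtype, size = struct.unpack("!HH", pkt[pos + 1:pos + 5])
        if rtype == TYPE_OPT:
            edns_udp_size = size                  # CLASS field carries the UDP size
    return {
        "txid": txid,
        "is_response": bool(flags & FLAG_QR),
        "rd": bool(flags & FLAG_RD),
        "qname": ".".join(labels),
        "qtype": qtype,
        "arcount": ar,
        "edns_udp_size": edns_udp_size,
    }


def amplification_factor(query_len, response_len):
    """Bytes the reflector sends to the spoofed victim per byte the attacker
    sends.  A 36-byte query drawing an assumed 3000-byte ANY response is
    amplified about 83x."""
    return response_len / query_len


if __name__ == "__main__":
    q = build_any_query("isc.org", 7490)
    print(len(q), parse_query(q))                        # 36 {...}
    print(round(amplification_factor(len(q), 3000), 1))  # 83.3
```

The 36 bytes decompose as 12 (header) + 9 (the name isc.org in label form) + 4 (QTYPE/QCLASS) + 11 (the OPT record), which is why every line in the captures above ends in "(36)". The attacker's cost is the 36-byte query plus UDP/IP headers; whoever answers pays the full response size, and the spoofed source address decides who receives it.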

  10. #10
    I know they attack our server ...

    Those 2 IPs are used to DDoS.

    Also we have added:
    ip route add blackhole some.ip

    Our server just receives; it's not sending anything out except to Google ...
    http://i.imgur.com/RSiunJm.png

  11. #11

  12. #12
    See, you are the owner of anti-DDoS hosting which allows others to DDoS, not funny?

    Your IPs are involved: 31.220.0.149, 31.220.0.107; you should check it. If you have logs you can check the time and compare to verify we do not lie ...

    ------ --------------
    COUNT IP
    ------ --------------
    1 176.9.140.166
    242 1.220.0.107
    389 198.50.139.165
    894 209.141.39.141
    970 31.220.0.107
    1291 31.220.0.149
    1720 198.251.81.165
    7586 192.184.93.165
    10734 184.95.39.68
    22872 207.244.74.132
    27448 209.141.39.198
    79987 204.12.214.59
    296336 178.85.39.17
    325263 223.219.4.192
    652816 90.58.136.93

  13. #13
    Quote Originally Posted by todd001 View Post
    556409 from just one IP is not a low number, and we don't waste our time.
    Depends on the time frame. Per second? Sure, it's gonna blow a figurative fuse in one router or another. Per day? It's a yawn.

    I'm still convinced that your IP is being used (at least attempted to) to amplify DNS attack against the spoofed sources. If you never ran DNS service on that IP, I'm convinced that the previous owner did.

    The tcpdump lines you quoted show DNS requests, not responses, so you're not at the receiving end of an amplification attack.
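Added example, not the poster's tooling: a small parser for tcpdump lines in the format shown in the first post, which produces the same per-source "COUNT IP" table pasted in the later posts, separates queries aimed at our port 53 (someone testing or abusing the host as a reflector) from responses arriving from other resolvers' port 53 (the host is the spoofed victim), and checks the spoofing tell visible in the captures above: the same transaction ID 7490 and source port 62933 appear from supposedly different source addresses, which real resolvers would not do. The first two sample lines are copied from the thread; the remaining lines are constructed for the example and use documentation address ranges.

```python
"""Classify tcpdump DNS lines: is this host being probed/abused as a
reflector (queries to *our* port 53) or is it the spoofed victim of
amplification (responses from *other* resolvers' port 53 landing on us)?
Added example, not the poster's tooling."""
import re
from collections import Counter

# tcpdump -n line: "<time> IP <src>.<sport> > <dst>.<dport>: <id><flags> <summary> (<len>)"
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<txid>\d+)(?P<flags>[+*$|-]*) (?P<rest>.*) \((?P<length>\d+)\)$"
)
QUESTION_RE = re.compile(r"\b([A-Z0-9]+)\? ([\w.-]+)")   # e.g. "ANY? isc.org."

# First two lines copied from the thread; the others are constructed
# (documentation address space) to exercise the remaining code paths.
SAMPLE_QUERIES = """\
17:48:00.783942 IP 178.85.39.17.62933 > 1.2.3.4.53: 7490+ [1au] ANY? isc.org. (36)
17:48:00.829811 IP 90.58.136.93.62933 > 1.2.3.4.53: 7490+ [1au] ANY? isc.org. (36)
17:48:00.851002 IP 90.58.136.93.62933 > 1.2.3.4.53: 7490+ [1au] ANY? isc.org. (36)
17:48:01.102330 IP 203.0.113.7.50210 > 1.2.3.4.53: 4391+ A? example.com. (29)
"""
# Constructed: the *victim* side of amplification, answers from resolvers
# arriving at a port we never sent anything from.
SAMPLE_RESPONSES = """\
17:48:02.000100 IP 198.51.100.9.53 > 1.2.3.4.41022: 7490 13/0/9 A 192.0.2.1 (3137)
17:48:02.000400 IP 198.51.100.10.53 > 1.2.3.4.41022: 7490 13/0/9 A 192.0.2.1 (3137)
"""


def parse_line(line):
    """One tcpdump line -> dict, or None if it is not a DNS summary line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "txid", "length"):
        rec[key] = int(rec[key])
    q = QUESTION_RE.search(rec["rest"])
    rec["qtype"] = q.group(1) if q else None
    rec["qname"] = q.group(2) if q else None
    return rec


def direction(rec, our_ip):
    """'query': someone asked our port 53; 'response': a resolver's port 53
    answered us; None: not addressed to us."""
    if rec["dst"] != our_ip:
        return None
    if rec["dport"] == 53:
        return "query"
    if rec["sport"] == 53:
        return "response"
    return None


def summarize(capture, our_ip):
    s = {"queries_by_src": Counter(), "responses_by_src": Counter(),
         "any_queries": 0, "response_bytes": 0, "sources_by_id_port": {}}
    for line in capture.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        d = direction(rec, our_ip)
        if d == "query":
            s["queries_by_src"][rec["src"]] += 1
            if rec["qtype"] == "ANY":
                s["any_queries"] += 1
            key = (rec["txid"], rec["sport"])
            s["sources_by_id_port"].setdefault(key, set()).add(rec["src"])
        elif d == "response":
            s["responses_by_src"][rec["src"]] += 1
            s["response_bytes"] += rec["length"]
    return s


def spoofing_indicator(summary):
    """Largest number of distinct 'source' IPs sharing one (txid, sport) pair.
    Independent resolvers pick their own IDs and ports; one sender forging
    addresses reuses the same ones, as 7490/62933 recurs in the thread."""
    return max((len(v) for v in summary["sources_by_id_port"].values()), default=0)


def verdict(summary):
    n_q = sum(summary["queries_by_src"].values())
    n_r = sum(summary["responses_by_src"].values())
    if n_r > n_q:
        return "amplification-victim"      # answers to questions we never asked
    if summary["any_queries"]:
        return "reflector-probe"           # ANY queries aimed at our port 53
    return "ordinary-dns"


def count_table(counter):
    """Same ascending 'COUNT IP' layout the poster pasted."""
    rows = sorted(counter.items(), key=lambda kv: kv[1])
    return "\n".join(["------ --------------", "COUNT IP", "------ --------------"]
                     + [f"{n} {ip}" for ip, n in rows])


if __name__ == "__main__":
    s = summarize(SAMPLE_QUERIES, "1.2.3.4")
    print(count_table(s["queries_by_src"]))
    print(verdict(s), "sources sharing one id/port:", spoofing_indicator(s))
```

Feed it `tcpdump -n udp port 53` output and the verdict is "reflector-probe" when the traffic is queries to your port 53 (what the captures in this thread show) and "amplification-victim" when it is responses from port 53 of other resolvers. A spoofing indicator above 1 means several source addresses share one transaction ID and source port, which is the sender's tool, not the addresses, being identical.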

  14. #14
    Ack, my bad on that one.

  15. #15
    Quote Originally Posted by todd001 View Post
    See, you are the owner of anti-DDoS hosting which allows others to DDoS, not funny?

    Your IPs are involved: 31.220.0.149, 31.220.0.107; you should check it. If you have logs you can check the time and compare to verify we do not lie ...

    ------ --------------
    COUNT IP
    ------ --------------
    1 176.9.140.166
    242 1.220.0.107
    389 198.50.139.165
    894 209.141.39.141
    970 31.220.0.107
    1291 31.220.0.149
    1720 198.251.81.165
    7586 192.184.93.165
    10734 184.95.39.68
    22872 207.244.74.132
    27448 209.141.39.198
    79987 204.12.214.59
    296336 178.85.39.17
    325263 223.219.4.192
    652816 90.58.136.93
    As wndml said, our two IPs were spoofed and we were not sending DDoS attacks.
