fail2ban + dns = fail
Posted by Nico Golde in
Wednesday, May 26. 2010
fail2ban is used by many people to prevent certain types of DoS attacks. I use it myself to reduce trackback spam a little bit.
While this tool becomes quite handy in such situations it is also not generally recommend because you can shoot yourself in the foot. If one of the used filters has a bug and results in incorrect parsing your fail2ban installation might end up banning arbitrary IP addresses or even your own IP range (not even mentioning IP spoofing).
There existed at least two bugs of this kind to my knowledge and since regex might not always be easy I'm sure there will be more in the future.
Since I didn't want to look for a specific regex bug in one of the filters I thought about IP spoofing again and looked at fail2bans filters. What I needed was a filter processing log entries of a service listening on a UDP socket as TCP/IP spoofing over the internet doesn't really work well these days. Finding such a filter would mean an instant win situation. To my surprise there is such a filter: config/filter.d/named.conf
This filter is used to parse log entries consisting of denied DNS queries produced by bind. Interestingly there is even an article at debian-administration describing how to setup fail2ban to mitigate a DNS DDoS attack. This is of course a bad idea and I have no idea why this filter is shipped in a default fail2ban installation. DoSing abritary IP addresses with this filter in use becomes as easy as firing up scapy and querying the server with a forged source IP:
>>> send(IP(dst="81.169.172.197",src="xx.46.63.71")/UDP()/DNS(rd=1,qd=DNSQR(qname="foao.modprobe.de")))
.
Sent 1 packets.
This ends up as:
May 26 22:32:22 modprobe named[30245]: client xx.46.63.71#53: query 'foao.modprobe.de/A/IN' denied
in the bind logs which in turn results in:
2010-05-26 22:32:05,551 fail2ban.actions: WARNING [named-refused] Ban xx.46.63.71
In this example the spoofed IP was xx.46.63.71 which is not under my control.
Mission statement: don't use fail2ban unless you really want to shoot yourself in the foot or know pretty well what you're doing
While this tool becomes quite handy in such situations it is also not generally recommend because you can shoot yourself in the foot. If one of the used filters has a bug and results in incorrect parsing your fail2ban installation might end up banning arbitrary IP addresses or even your own IP range (not even mentioning IP spoofing).
There existed at least two bugs of this kind to my knowledge and since regex might not always be easy I'm sure there will be more in the future.
Since I didn't want to look for a specific regex bug in one of the filters I thought about IP spoofing again and looked at fail2bans filters. What I needed was a filter processing log entries of a service listening on a UDP socket as TCP/IP spoofing over the internet doesn't really work well these days. Finding such a filter would mean an instant win situation. To my surprise there is such a filter: config/filter.d/named.conf
This filter is used to parse log entries consisting of denied DNS queries produced by bind. Interestingly there is even an article at debian-administration describing how to setup fail2ban to mitigate a DNS DDoS attack. This is of course a bad idea and I have no idea why this filter is shipped in a default fail2ban installation. DoSing abritary IP addresses with this filter in use becomes as easy as firing up scapy and querying the server with a forged source IP:
>>> send(IP(dst="81.169.172.197",src="xx.46.63.71")/UDP()/DNS(rd=1,qd=DNSQR(qname="foao.modprobe.de")))
.
Sent 1 packets.
This ends up as:
May 26 22:32:22 modprobe named[30245]: client xx.46.63.71#53: query 'foao.modprobe.de/A/IN' denied
in the bind logs which in turn results in:
2010-05-26 22:32:05,551 fail2ban.actions: WARNING [named-refused] Ban xx.46.63.71
In this example the spoofed IP was xx.46.63.71 which is not under my control.
Mission statement: don't use fail2ban unless you really want to shoot yourself in the foot or know pretty well what you're doing
Trackbacks
Trackback specific URI for this entry
No Trackbacks
Comments
Display comments as
(Linear | Threaded)
I guess I should take all the blame for this:
commit 042e160eeb3d7a09b0bb8dcda92f284bc3889f1d
Author: lostcontrol
Date: Wed Aug 8 22:21:15 2007 +0000
- Added filter file for named (bind9). Thanks to Yaroslav Halchenko
But I wonder why for "bad ... idea why this filter is shipped in a default fail2ban installation" I see no new bug report among
http://bugs.debian.org/cgi-bin/pkgreport.cgi?archive=both;src=fail2ban;submitter=nion%40debian.org
This one indeed should be highly unadvised (and removed from jails.conf shipped with Debian) unless ignoreip can cover the range of valuable not-to-DoS for sure IPs ... or may be there is another precaution (matching incoming IPs based on interfaces on gateways etc) you have in mind?
anyways, awaiting for a bug report
P.S. I still consider 'rm' to be the most dangerous command of all times... god bless zsh and its protective powers
commit 042e160eeb3d7a09b0bb8dcda92f284bc3889f1d
Author: lostcontrol
Date: Wed Aug 8 22:21:15 2007 +0000
- Added filter file for named (bind9). Thanks to Yaroslav Halchenko
But I wonder why for "bad ... idea why this filter is shipped in a default fail2ban installation" I see no new bug report among
http://bugs.debian.org/cgi-bin/pkgreport.cgi?archive=both;src=fail2ban;submitter=nion%40debian.org
This one indeed should be highly unadvised (and removed from jails.conf shipped with Debian) unless ignoreip can cover the range of valuable not-to-DoS for sure IPs ... or may be there is another precaution (matching incoming IPs based on interfaces on gateways etc) you have in mind?
anyways, awaiting for a bug report
P.S. I still consider 'rm' to be the most dangerous command of all times... god bless zsh and its protective powers
excuse my lazyness, I was too lazy to report this as a bug. Imho the whole fail2ban package should ship with a big fat warning for unexperienced users. anyway, I filed one now.
@zsh, I do agree
Even though I once rmed my /etc when trying to show the zsh asking for the deletion and I missed that it only does on /etc/*
@zsh, I do agree
Even though I once rmed my /etc when trying to show the zsh asking for the deletion and I missed that it only does on /etc/*
"for unexperienced users" I bet noone really would run a serious targetted DoS attack, but some automated script junkies looking looking for easy targets and doing dictionary attacks. And that is where (and thus for whom) fail2ban shines. DNS issue though is a bit closer to the reality of admins, and they better be experienced, and if they are not, such DoS would be the gentle lesson... may be I should advocate it as an educational tool then
but point is taken -- I might add some warning (thought about it myself as well)
but point is taken -- I might add some warning (thought about it myself as well)
yes i agree on that though in the case of dns providing a filter for udp really doesn't make sense not saying fail2ban sucks, i'm using it as well for some special purposes
not saying fail2ban sucks, i'm using it as well for some special purposes
What do you think about syslog lines like theses (counted by logwatch in a single day):
client 62.141.52.x query (cache) 'isc.org/ANY/IN' denied: 3438 Time(s)
client 62.141.60.x query (cache) 'isc.org/ANY/IN' denied: 5414 Time(s)
client 63.223.80.x query (cache) 'isc.org/ANY/IN' denied: 3847 Time(s)
client 76.73.68.x query (cache) 'isc.org/ANY/IN' denied: 3541 Time(s)
client 82.165.131.x query (cache) 'isc.org/ANY/IN' denied: 1006 Time(s)
client 84.19.180.x query (cache) 'isc.org/ANY/IN' denied: 1342 Time(s)
client 84.19.190.x query (cache) 'isc.org/ANY/IN' denied: 1639 Time(s)
client 87.106.177.x query (cache) 'isc.org/ANY/IN' denied: 2366 Time(s)
Doesn't someone is trying to use my DNS to DDOS someone?
client 62.141.52.x query (cache) 'isc.org/ANY/IN' denied: 3438 Time(s)
client 62.141.60.x query (cache) 'isc.org/ANY/IN' denied: 5414 Time(s)
client 63.223.80.x query (cache) 'isc.org/ANY/IN' denied: 3847 Time(s)
client 76.73.68.x query (cache) 'isc.org/ANY/IN' denied: 3541 Time(s)
client 82.165.131.x query (cache) 'isc.org/ANY/IN' denied: 1006 Time(s)
client 84.19.180.x query (cache) 'isc.org/ANY/IN' denied: 1342 Time(s)
client 84.19.190.x query (cache) 'isc.org/ANY/IN' denied: 1639 Time(s)
client 87.106.177.x query (cache) 'isc.org/ANY/IN' denied: 2366 Time(s)
Doesn't someone is trying to use my DNS to DDOS someone?
Add Comment
Calendar
|
November '15 | |||||
| Mon | Tue | Wed | Thu | Fri | Sat | Sun |
| 1 | ||||||
| 2 | 3 | 4 | 5 | 6 | 7 | 8 |
| 9 | 10 | 11 | 12 | 13 | 14 | 15 |
| 16 | 17 | 18 | 19 | 20 | 21 | 22 |
| 23 | 24 | 25 | 26 | 27 | 28 | 29 |
| 30 | ||||||
Quicksearch
Support
Recent Entries
- E-Plus GSM privacy/TMSI allocation leak
- Thursday, October 11 2012
- Exploiting the Ubiquisys/SFR femtocell webserver (wsal/shttpd/mongoose/yassl embedded webserver)
- Wednesday, August 3 2011
- So what happened recently...
- Wednesday, April 6 2011
- Sunday, February 6 2011
- exim remote vulnerability
- Thursday, December 9 2010
- Will my Phone Show An Unencrypted Connection?
- Wednesday, September 8 2010
- smpCTF 2010 quals writeups
- Sunday, August 8 2010
- protocol design fail: MMS notification
- Wednesday, July 28 2010
- acrobat reader stealing my passwords
- Tuesday, June 29 2010
- UnrealIRCd backdoored
- Saturday, June 12 2010
Syndicate This Blog
Categories
Tag cloud
23c3 acpi advertising annouce announce april argh art awards bash blogging bugs c cli code conferences config configuration data mining debconf debian dell dns documentation email errm? events exploit fail fail2ban filesharing films flame fun gcc google graphs grml gsm hacking hacks hardware heise images information installation internet irc knowledge libacpi links linux mobile phones network news newsbeuter omg open source opera passwords php power privacy programming qa random blurb rant release releases rss scripts security service setup shell sms software spam ssh stfl stuff terminal tests text mode tip tips tools troubleshooting unix user video vim.editing web web 2.0 websites wordpress wtf www youtube zsh