Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.

ForumsSlingshot and CallPlusISPs role in unsolicited traffic
View this topic in a long page with up to 500 replies per page Create new topic
Prev1 | 2 
1278 posts

Uber Geek

Trusted
  Reply # 711375 3-Nov-2012 14:01 Send private message

Cloudflare had an interesting article on something similar a few days ago:

http://blog.cloudflare.com/deep-inside-a-dns-amplification-ddos-attack



75 posts

Master Geek
  Reply # 711376 3-Nov-2012 14:07 Send private message

insane: Cloudflare had an interesting article on something similar a few days ago:

http://blog.cloudflare.com/deep-inside-a-dns-amplification-ddos-attack


Well that's interesting considering the IP I was hitting is a Cloudfare one. Cheers for the link.

BDFL
43745 posts

Uber Geek

Administrator
Trusted
Geekzone
Subscriber
  Reply # 711380 3-Nov-2012 14:16 Send private message

I was just going to post about this. Just going back to the OP post:


mattie47: This is probably a pretty grey area, and probably something ISPs normally wouldn't have to deal with, other than customers ringing up complaining about why their data usage is through the roof when they haven't been doing anything.



mattie47:
mattie47: I also have an internal DNS server, but port 53 isn't forwarded from the firewall.


Wow I take that back. I was looking at my port forwarding rules which didn't show 53 anywhere so presumed was closed. I just did a capture on the internal NIC which showed the same traffic. This got me worried. A quick online port check showed 53 as open (what?).

Having a look again around PFSense showed there's a DNS forwarder page I must have skimmed over. Turns out I had "Enable DNS forwarder" ticked. Okay, that's port 53 traffic going to internal now dropped...


Now, a couple of comments, and please don't take it personally...

When running a network service the admin should not "skim over". Any open port with forward traffic may attract unsolicited "visitors". If the service is somehow valuable for them they will use it.

In this situation the service on port 53 can be easily used for a DDoS attack. Even if you don't have an infected computer in your network your devices are still active participants in attacks by simply offering the services and acting on requests from unauthorised users. That's the point above with the link to the DNS amplification attack as described by CloudFlare.

In this case I have to say Slingshot was REALLY NICE to you. The usage was not an error in their systems and they should have every right to charge your account for that. I'm pretty sure in their T&Cs somewhere there'll be a clause saying you're responsible for keeping your connection safe - that means not only safe from malware, but safe from unauthorised access and usage. Running a service and leaving it open it's not their problem, really.

That blog you link in the OP... That guy didn't get the "amplification" part of the attack. He seems to think the attack is directed at him, not at the response from his DNS to the spoofed IP.

Go read the Cloudflare blog again. Secure your network. Make sure to use an external scanner to identify any open ports/active services still lurking (Try GRC ShieldsUP!.

Changing IP addresses without making sure your vulnerabilities aren't protect won't save your bandwidth, as those idiots will find your network again pretty soon - port scanners are capable of going around entire IP blocks very quickly.









Mauricio Freitas (Geekzone Admin, Devil's Advocate, my blogtechnology disclosure, my tweets, Web Performance Optimization

Geekzone Price comparison | Amazon Kindle order page | How to get the best out of Geekzone | New Zealand IT Jobs | Geekzone News | Jinglebugs 

2376 posts

Uber Geek

Trusted
Subscriber
  Reply # 711695 4-Nov-2012 12:09 Send private message

Hi Mattie,
Looking at your PFsense rules you have an allow all on the WAN. The way firewall rules work on PFsense is that the first rule it find that matches is applied. So the rules you have underneath that don't count at all. It definitely sounds like you are thus being used as an open relay.

What you should do is delete that first rule for allow all. Put your allow rules in place e.g. RDP, HTTP etc. then put a deny all underneath those.


Also, I believe because you are using private address space for your LAN, you should set your destination for the allow rules to be your WAN interface rather than 192.168.XX.XX.





Prev1 | 2 
View this topic in a long page with up to 500 replies per page Create new topic



Twitter »
Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when new jobs are posted to our jobs board:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:




News »
Gen-i and SAP partner in mobile business
Posted 23-May-2013 09:23

Ericsson to close down telecom cable manufacturing
Posted 23-May-2013 08:46

FaceToFace Communications and StarLeaf bring unique cloud-based videoconferencing to Australia and New Zealand
Posted 22-May-2013 09:12

IBM Watson finds a new job: customer services
Posted 22-May-2013 08:37

Microsoft unveils Xbox One
Posted 22-May-2013 08:11

InternetNZ and AUT University form strategic partnership
Posted 21-May-2013 09:29


Trending now »
Hot discussions in our forums right now:

Fecked up religious people strike again :-(
Created by Mark, last reply by nicnzl on 23-May-2013 16:41 (42 replies)
Pages... 2 3

Xbox One
Created by DjShadow, last reply by TwoSeven on 23-May-2013 17:19 (54 replies)
Pages... 2 3 4

Cannabis is illegal yet we have really strong 'legal highs' ?
Created by qwerty7, last reply by Klipspringer on 23-May-2013 14:56 (70 replies)
Pages... 3 4 5

A new project coming to Geekzone
Created by freitasm, last reply by jbard on 23-May-2013 17:31 (275 replies)
Pages... 17 18 19

Truenet Article - VoIP in New Zealand ----- Based on what Mr Butt ???
Created by maverick, last reply by maverick on 23-May-2013 14:28 (17 replies)
Pages... 2

HTC One (2013) owners' discussion
Created by Dingbatt, last reply by wlfkfgkwlaktka on 23-May-2013 17:10 (1542 replies)
Pages... 101 102 103

"igov" online passport renewals
Created by Linuxluver, last reply by profrink on 22-May-2013 22:22 (29 replies)
Pages... 2

Orcon, Is this for real or a scam??
Created by old3eyes, last reply by DarthKermit on 22-May-2013 19:12 (29 replies)
Pages... 2


Geekzone Jobs »
Most recent NZ jobs in technology:

Proven Team Leader
Posted 23-May-2013 17:28

Web Administrator
Posted 23-May-2013 17:28

Business Analyst
Posted 23-May-2013 17:28

SAP Project Manager - 6 Month Contract
Posted 23-May-2013 17:28

Cold Fusion Developer
Posted 23-May-2013 17:28

Performance Reporting Analyst
Posted 23-May-2013 17:28

Data Analyst ? strong Data focus
Posted 23-May-2013 17:28


Geekzone Live »
Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.

Updates »
Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.