OPNsense Forum
English Forums => Intrusion Detection and Prevention => Topic started by: dcol on February 08, 2018, 09:50:49 pm
-
Looking for some opinions on what I am experiencing here on a test server
I setup about 20 or so of the worst hacking countries in a GeoIP IPS User rule. I called the rule CountryDrop
Now I see constant port 53 blocks as per the alert sample below. This is flooding my alerts.
2018-02-08T13:29:36.929368-0700 blocked wan 89.238.172.15 53 98.100.100.100 36400 CountryDrop
2018-02-08T13:29:36.929368-0700 blocked wan 89.238.172.15 53 98.100.100.100 36400 CountryDrop
2018-02-08T13:29:35.102353-0700 blocked wan 52.16.170.168 53 98.100.100.100 42588 CountryDrop
2018-02-08T13:29:35.102353-0700 blocked wan 52.16.170.168 53 98.100.100.100 42588 CountryDrop
2018-02-08T13:29:35.099439-0700 blocked wan 52.16.170.168 53 98.100.100.100 61676 CountryDrop
2018-02-08T13:29:35.099439-0700 blocked wan 52.16.170.168 53 98.100.100.100 61676 CountryDrop
2018-02-08T13:29:34.094185-0700 blocked wan 52.211.135.60 53 98.100.100.100 48337 CountryDrop
2018-02-08T13:29:34.094185-0700 blocked wan 52.211.135.60 53 98.100.100.100 48337 CountryDrop
2018-02-08T13:29:34.090273-0700 blocked wan 52.211.98.161 53 98.100.100.100 60257 CountryDrop
2018-02-08T13:29:34.090273-0700 blocked wan 52.211.98.161 53 98.100.100.100 60257 CountryDrop
2018-02-08T13:29:33.088055-0700 blocked wan 52.211.135.60 53 98.100.100.100 18155 CountryDrop
2018-02-08T13:29:33.088055-0700 blocked wan 52.211.135.60 53 98.100.100.100 18155 CountryDrop
2018-02-08T13:29:33.083584-0700 blocked wan 52.211.98.161 53 98.100.100.100 52195 CountryDrop
2018-02-08T13:29:33.083584-0700 blocked wan 52.211.98.161 53 98.100.100.100 52195 CountryDrop
2018-02-08T13:29:30.076034-0700 blocked wan 52.16.170.168 53 98.100.100.100 58362 CountryDrop
2018-02-08T13:29:30.076034-0700 blocked wan 52.16.170.168 53 98.100.100.100 58362 CountryDrop
2018-02-08T13:29:30.072087-0700 blocked wan 52.211.135.60 53 98.100.100.100 35872 CountryDrop
2018-02-08T13:29:30.072087-0700 blocked wan 52.211.135.60 53 98.100.100.100 35872 CountryDrop
2018-02-08T13:29:27.067258-0700 blocked wan 52.16.170.168 53 98.100.100.100 43580 CountryDrop
2018-02-08T13:29:27.067258-0700 blocked wan 52.16.170.168 53 98.100.100.100 43580 CountryDrop
2018-02-08T13:29:27.056593-0700 blocked wan 52.211.135.60 53 98.100.100.100 16827 CountryDrop
2018-02-08T13:29:27.056593-0700 blocked wan 52.211.135.60 53 98.100.100.100 16827 CountryDrop
2018-02-08T13:29:24.049596-0700 blocked wan 52.16.170.168 53 98.100.100.100 48315 CountryDrop
2018-02-08T13:29:24.049596-0700 blocked wan 52.16.170.168 53 98.100.100.100 48315 CountryDrop
2018-02-08T13:29:24.038289-0700 blocked wan 52.211.98.161 53 98.100.100.100 36898 CountryDrop
2018-02-08T13:29:24.038289-0700 blocked wan 52.211.98.161 53 98.100.100.100 36898 CountryDrop
Most of this port 53 traffic is coming from Sweden and the Netherlands.
Is this a DOS attack from these countries, or is this legitimate traffic trying to probe for DNS info? By the way I do not have a DNS server running on this network. IP 98.100.100.100 would be my local workstation traffic.
If I remove the GeoIP ruleset from IPS, then this traffic would just end up in the firewall alerts if I used a GeoIP firewall rule. And I did not see this traffic yesterday. The only change I made today was to update to 18.1.12. And I already had the IPS -drop patch installed in 18.1.11 two days ago.
Just looking for some opinions on this traffic.
-
Thinking if blocking entire countries is a good idea.
Wouldn't you be safer to cover a selected number of attacking IPs from all over the world instead of countries?
Something like: https://iplists.firehol.org/
Found it to be more helpful (more dropped stuff and also better performance wise) than GeoIP blocking.
Firehol lists are very good IMO.
-
I agree, Firehol is great for IPS in a general use firewall.
I did an inspection of the last 25 or so IP's of the blocked country hits with GeoIP and none of them were in the firehol list. But I did move the Scandinavia countries to the firewall. That reduced my IPS hits by 50%. But could change tomorrow.
If I were running a firewall for internet users, I would open up all those countries and use a more conservative approach, but this firewall is for web and email servers that have no business outside the US and a few select countries. If I add a local workstation network to one of these firewalls, then I would use GeoIP in the firewall only to block traffic to the servers and firehol to block traffic to the workstations and not use GeoIP blocking in IPS at all.
My custom drop IPS rules gets rid of 95% of unwanted WAN traffic by dropping unused ports. Which IMO is the best approach in any environment that has a trusted internal network but does require close monitoring in the beginning. This paired with custom pass rules to match known good outbound ports and inbound IPs reduces stress on IPS. Now that OPNsense has better IPS monitoring, this approach is my favorite and simple to maintain in the long haul.
Ultimately the firewall configuration should match the usage. There really is no 'one size fits all' solution.
-
Without knowing additional details it's hard to tell why you see that in IPS.
The closest thing I've seen on my network regarding port 53 was when I ran DNS benchmark tools on my desktop. There must've been faulty TTL or something because after the test was completed, I saw tons of blocked DNS entries in my firewall log as if the DNS traffic finally came back after the states were closed.
I also see a lot of DNS traffic when using Chrome without browsing to any websites.
-
But what I am really curious about is if this DNS traffic could be legit. Maybe it is other DNS servers doing legit queries to the OPNsense DNS Resolver. Although most of these IP's are from the top 10 hacker countries.
Should I allow port 53 from any external IP outer than my own ISP DNS servers?
By the way there are no computers running on the source port, only OPNsense.
-
No way, you should never allow access to your DNS server from the internet. Never ever :) The proper way to access your internal DNS server, if needed, is via a VPN (if coming from the internet)...
-
Not running a DNS server on that IP unless you consider OPNsense a DNS server. I thought that the DNS Resolver was just for internal queries. I use the ISP for external.
Man I get a lot of hits on that port. probably about 1000 an hour. And this is not even a well used IP, just a testing server I turn on when I need to test stuff. Glad IPS is blocking it.
-
It is for internal queries, that is why it should never be opened to the internet. But it also forwards queries to your upstream DNS servers (as all DNS servers do), so theoretically it could be used from the internet.
1000 blocked connections/h sounds to me as a targeted attack at least, if not flood. If I were you, I would also verify the LAN clients, check if there's a malware somewhere sending data to the outside world... It is definitely way above normal traffic "noise".
-
There are no LAN users on that firewall, yet. And it is the LAN IP that is getting hit, not the server IP.
DNS has outbound access to forward queries and that seems to be working ok as are internal queries.
They keep on coming. You would think it would stop since they aren't getting any response. And it is always a different IP from those hacking countries.
-
Well.. the US is a heavily targeted country, many attacks go there... The attackers must like your IP :P
-
Strange that you're being targeted as if you're highly valued target.
I agree that you should keep blocking those inbound DNS traffic. DNS queries should be stateful in the firewall in this order; LAN to WAN to LAN. DNS in practice shouldn't be accepted if unsolicited from WAN.
-
Problem is some may be responses to my DNS queries from OPNsense Unbound. I do not run a DNS server. So I now let them in but hardened my GeoIP block and added filehol. Should I really just block all inbound port 53? Except of course my own ISP DNS IP's.
-
Problem is some may be responses to my DNS queries from OPNsense Unbound. I do not run a DNS server.
No, they should not.
So I now let them in but hardened my GeoIP block and added filehol. Should I really just block all inbound port 53? Except of course my own ISP DNS IP's.
Yes, you should block all inbound port 53 and ,as already been said, you should never allow a ;local DNS server be seen by anything on the internet. I run a local DNS server and I have no specific ports open (inbound or outbound) that relate to DNS, my systems all work fine.
Just out of interest, is your DNS server located on the LAN or WAN interface?
-
Don't have a DNS server I use Outbound (DNS Resolver) and the IPS DNS.
I will shut down port 53 and allow only traffic from the ISP DNS servers
-
Don't have a DNS server I use Outbound (DNS Resolver) and the IPS DNS.
I will shut down port 53 and allow only traffic from the ISP DNS servers
You should not need to 'allow' and DNS servers access to anything inside your network. As I mentioned, I use a DNS Authoritative Server and DNS Recursor inside my lan and no external server needs specific access my my recursor.
-
I will ... allow only traffic from the ISP DNS servers
Why would you do that?
1. Since you lack an authoritative public DNS server, you don't need to publish one/ any DNS service outside.
2. In a stateful router world, you only care about FW rules matching requests, you may ignore replies completely because the firewall will dynamically "open" ports for those and only for those packets matching an open/ active state/ connection.
Getting together 1. & 2., I strongly advise you to close that explicitly open port on WAN ASAP! (!) (And any other port, for that matter, not being used for a NAT associated FW rule, or for a published service in a public IP range perimeter.)
Man I get a lot of hits on that port. probably about 1000 an hour. And this is not even a well used IP, just a testing server I turn on when I need to test stuff. Glad IPS is blocking it.
Most likely you've got to be heavily hit on 53 just because it is (was) open, and not at all because you are flooded, nor considered of a very high interest target: bots are crawling continuously, day and night, non stop, blindly poking IPs (and ports on each IP) as much as possible. When they do find an open port on a particular IP, that IP & port is recorded in a log. From that moment on, the record might be either passed to a more "specialized" bot, one trying only exploits for that particular port, repeatedly and heavily on that particular IP address, or, maybe a human black hat is collecting the record from the log and tries different attack techniques, tools and exploits on that IP & port.
Either way, from a particular moment on, you struggle to understand what particular change you've made triggered that constant bombardment, but it's not a change, it's a non-change... ;) It's a for enough long time open 'hole' being discovered.
Close that (those) freakin' port(s) already, would you?! :)
-
What I ended up doing was allow port 53 through IPS and then used a floating firewall rule to block them. That way I don't flood the logs. I used pftop to identify the traffic and saw that it was outbound traffic to port 53 as well as inbound, which is a normal transaction for DNS queries.
Here is a pic of what I saw. the 68.105 IP's are the legitimate DNS from the ISP. The 208.76 is not.
Also here is the floating rule I used for DNS
-
From your first image I only see legitimate traffic:
1. Absolutely all IN traffic is from your internal clients - no need for 53 UDP to be open/ NATed.
2. Absolutely all OUT traffic is from OPNsense to forwarders. - no need for 53 UDP to be open/ NATed.
3. You have to figure it out why there is a DNS resolving request toward 208.76... (maybe an internal client with manual DNS settings different than OPNsense's IP address, maybe a host/ domain override?!?!...)
If there is nothing left out in your DNS config, I maintain my opinion: you should keep the port 53 closed (not-published) on WAN/ NAT.