OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: dcol on February 08, 2018, 09:50:49 pm

Title: Port 53 flood on IPS
Post by: dcol on February 08, 2018, 09:50:49 pm
Looking for some opinions on what I am experiencing here on a test server
I setup about 20 or so of the worst hacking countries in a GeoIP IPS User rule. I called the rule CountryDrop
Now I see constant port 53 blocks as per the alert sample below. This is flooding my alerts.

2018-02-08T13:29:36.929368-0700   blocked   wan   89.238.172.15   53   98.100.100.100   36400   CountryDrop   
2018-02-08T13:29:36.929368-0700   blocked   wan   89.238.172.15   53   98.100.100.100   36400   CountryDrop   
2018-02-08T13:29:35.102353-0700   blocked   wan   52.16.170.168   53   98.100.100.100   42588   CountryDrop   
2018-02-08T13:29:35.102353-0700   blocked   wan   52.16.170.168   53   98.100.100.100   42588   CountryDrop   
2018-02-08T13:29:35.099439-0700   blocked   wan   52.16.170.168   53   98.100.100.100   61676   CountryDrop   
2018-02-08T13:29:35.099439-0700   blocked   wan   52.16.170.168   53   98.100.100.100   61676   CountryDrop   
2018-02-08T13:29:34.094185-0700   blocked   wan   52.211.135.60   53   98.100.100.100   48337   CountryDrop   
2018-02-08T13:29:34.094185-0700   blocked   wan   52.211.135.60   53   98.100.100.100   48337   CountryDrop   
2018-02-08T13:29:34.090273-0700   blocked   wan   52.211.98.161   53   98.100.100.100   60257   CountryDrop   
2018-02-08T13:29:34.090273-0700   blocked   wan   52.211.98.161   53   98.100.100.100   60257   CountryDrop   
2018-02-08T13:29:33.088055-0700   blocked   wan   52.211.135.60   53   98.100.100.100   18155   CountryDrop   
2018-02-08T13:29:33.088055-0700   blocked   wan   52.211.135.60   53   98.100.100.100   18155   CountryDrop   
2018-02-08T13:29:33.083584-0700   blocked   wan   52.211.98.161   53   98.100.100.100   52195   CountryDrop   
2018-02-08T13:29:33.083584-0700   blocked   wan   52.211.98.161   53   98.100.100.100   52195   CountryDrop   
2018-02-08T13:29:30.076034-0700   blocked   wan   52.16.170.168   53   98.100.100.100   58362   CountryDrop   
2018-02-08T13:29:30.076034-0700   blocked   wan   52.16.170.168   53   98.100.100.100   58362   CountryDrop
2018-02-08T13:29:30.072087-0700   blocked   wan   52.211.135.60   53   98.100.100.100   35872   CountryDrop   
2018-02-08T13:29:30.072087-0700   blocked   wan   52.211.135.60   53   98.100.100.100   35872   CountryDrop   
2018-02-08T13:29:27.067258-0700   blocked   wan   52.16.170.168   53   98.100.100.100   43580   CountryDrop   
2018-02-08T13:29:27.067258-0700   blocked   wan   52.16.170.168   53   98.100.100.100   43580   CountryDrop   
2018-02-08T13:29:27.056593-0700   blocked   wan   52.211.135.60   53   98.100.100.100   16827   CountryDrop   
2018-02-08T13:29:27.056593-0700   blocked   wan   52.211.135.60   53   98.100.100.100   16827   CountryDrop   
2018-02-08T13:29:24.049596-0700   blocked   wan   52.16.170.168   53   98.100.100.100   48315   CountryDrop   
2018-02-08T13:29:24.049596-0700   blocked   wan   52.16.170.168   53   98.100.100.100   48315   CountryDrop   
2018-02-08T13:29:24.038289-0700   blocked   wan   52.211.98.161   53   98.100.100.100   36898   CountryDrop   
2018-02-08T13:29:24.038289-0700   blocked   wan   52.211.98.161   53   98.100.100.100   36898   CountryDrop

Most of this port 53 traffic is coming from Sweden and the Netherlands.
Is this a DOS attack from these countries, or is this legitimate traffic trying to probe for DNS info? By the way I do not have a DNS server running on this network. IP 98.100.100.100 would be my local workstation traffic.
If I remove the GeoIP ruleset from IPS, then this traffic would just end up in the firewall alerts if I used a GeoIP firewall rule. And I did not see this traffic yesterday. The only change I made today was to update to 18.1.12. And I already had the IPS -drop patch installed in 18.1.11 two days ago.

Just looking for some opinions on this traffic.
Title: Re: Port 53 flood on IPS
Post by: elektroinside on February 09, 2018, 05:06:50 pm
Thinking if blocking entire countries is a good idea.
Wouldn't you be safer to cover a selected number of attacking IPs from all over the world instead of countries?

Something like: https://iplists.firehol.org/

Found it to be more helpful (more dropped stuff and also better performance wise) than GeoIP blocking.

Firehol lists are very good IMO.
Title: Re: Port 53 flood on IPS
Post by: dcol on February 09, 2018, 06:14:34 pm
I agree, Firehol is great for IPS in a general use firewall.

I did an inspection of the last 25 or so IP's of the blocked country hits with GeoIP and none of them were in the firehol list. But I did move the Scandinavia countries to the firewall. That reduced my IPS hits by 50%. But could change tomorrow.

If I were running a firewall for internet users, I would open up all those countries and use a more conservative approach, but this firewall is for web and email servers that have no business outside the US and a few select countries. If I add a local workstation network to one of these firewalls, then I would use GeoIP in the firewall only to block traffic to the servers and firehol to block traffic to the workstations and not use GeoIP blocking in IPS at all.

My custom drop IPS rules gets rid of 95% of unwanted WAN traffic by dropping unused ports. Which IMO is the best approach in any environment that has a trusted internal network but does require close monitoring in the beginning. This paired with custom pass rules to match known good outbound ports and inbound IPs reduces stress on IPS. Now that OPNsense has better IPS monitoring, this approach is my favorite and simple to maintain in the long haul.

Ultimately the firewall configuration should match the usage. There really is no 'one size fits all' solution.
Title: Re: Port 53 flood on IPS
Post by: nqnguyen2 on February 10, 2018, 04:27:52 am
Without knowing additional details it's hard to tell why you see that in IPS.

The closest thing I've seen on my network regarding port 53 was when I ran DNS benchmark tools on my desktop. There must've been faulty TTL or something because after the test was completed, I saw tons of blocked DNS entries in my firewall log as if the DNS traffic finally came back after the states were closed.

I also see a lot of DNS traffic when using Chrome without browsing to any websites.
Title: Re: Port 53 flood on IPS
Post by: dcol on February 10, 2018, 09:06:40 pm
But what I am really curious about is if this DNS traffic could be legit. Maybe it is other DNS servers doing legit queries to the OPNsense DNS Resolver. Although most of these IP's are from the top 10 hacker countries.
Should I allow port 53 from any external IP outer than my own ISP DNS servers?
By the way there are no computers running on the source port, only OPNsense.
Title: Re: Port 53 flood on IPS
Post by: elektroinside on February 10, 2018, 09:40:16 pm
No way, you should never allow access to your DNS server from the internet. Never ever :) The proper way to access your internal DNS server, if needed, is via a VPN (if coming from the internet)...
Title: Re: Port 53 flood on IPS
Post by: dcol on February 10, 2018, 10:49:33 pm
Not running a DNS server on that IP unless you consider OPNsense a DNS server. I thought that the DNS Resolver was just for internal queries. I use the ISP for external.

Man I get a lot of hits on that port. probably about 1000 an hour. And this is not even a well used IP, just a testing server I turn on when I need to test stuff. Glad IPS is blocking it.
Title: Re: Port 53 flood on IPS
Post by: elektroinside on February 11, 2018, 01:13:11 am
It is for internal queries, that is why it should never be opened to the internet. But it also forwards queries to your upstream DNS servers (as all DNS servers do), so theoretically it could be used from the internet.

1000 blocked connections/h sounds to me as a targeted attack at least, if not flood. If I were you, I would also verify the LAN clients, check if there's a malware somewhere sending data to the outside world... It is definitely way above normal traffic "noise".
Title: Re: Port 53 flood on IPS
Post by: dcol on February 11, 2018, 09:56:42 pm
There are no LAN users on that firewall, yet. And it is the LAN IP that is getting hit, not the server IP.
DNS has outbound access to forward queries and that seems to be working ok as are internal queries.
They keep on coming. You would think it would stop since they aren't getting any response. And it is always a different IP from those hacking countries.
Title: Re: Port 53 flood on IPS
Post by: elektroinside on February 11, 2018, 11:24:20 pm
Well.. the US is a heavily targeted country, many attacks go there... The attackers must like your IP :P
Title: Re: Port 53 flood on IPS
Post by: nqnguyen2 on February 14, 2018, 06:29:04 am
Strange that you're being targeted as if you're highly valued target.

I agree that you should keep blocking those inbound DNS traffic. DNS queries should be stateful in the firewall in this order; LAN to WAN to LAN. DNS in practice shouldn't be accepted if unsolicited from WAN.
Title: Re: Port 53 flood on IPS
Post by: dcol on February 14, 2018, 03:59:34 pm
Problem is some may be responses to my DNS queries from OPNsense Unbound. I do not run a DNS server. So I now let them in but hardened my GeoIP block and added filehol. Should I really just block all inbound port 53? Except of course my own ISP DNS IP's.
Title: Re: Port 53 flood on IPS
Post by: phoenix on February 14, 2018, 05:17:47 pm
Problem is some may be responses to my DNS queries from OPNsense Unbound. I do not run a DNS server.
No, they should not.

So I now let them in but hardened my GeoIP block and added filehol. Should I really just block all inbound port 53? Except of course my own ISP DNS IP's.
Yes, you should block all inbound port 53 and ,as already been said, you should never allow a ;local DNS server be seen by anything on the internet. I run a local DNS server and I have no specific ports open (inbound or outbound) that relate to DNS, my systems all work fine.

Just out of interest, is your DNS server located on the LAN or WAN interface?
Title: Re: Port 53 flood on IPS
Post by: dcol on February 14, 2018, 08:31:58 pm
Don't have a DNS server I use Outbound (DNS Resolver) and the IPS DNS.
I will shut down port 53 and allow only traffic from the ISP DNS servers
Title: Re: Port 53 flood on IPS
Post by: phoenix on February 14, 2018, 08:44:26 pm
Don't have a DNS server I use Outbound (DNS Resolver) and the IPS DNS.
I will shut down port 53 and allow only traffic from the ISP DNS servers
You should not need to 'allow' and DNS servers access to anything inside your network. As I mentioned, I use a DNS Authoritative Server and DNS Recursor inside my lan and no external server needs specific access my my recursor.
Title: Re: Port 53 flood on IPS
Post by: hutiucip on February 15, 2018, 02:01:34 am
I will ... allow only traffic from the ISP DNS servers

Why would you do that?

1. Since you lack an authoritative public DNS server, you don't need to publish one/ any DNS service outside.
2. In a stateful router world, you only care about FW rules matching requests, you may ignore replies completely because the firewall will dynamically "open" ports for those and only for those packets matching an open/ active state/ connection.

Getting together 1. & 2., I strongly advise you to close that explicitly open port on WAN ASAP! (!) (And any other port, for that matter, not being used for a NAT associated FW rule, or for a published service in a public IP range perimeter.)

Quote
Man I get a lot of hits on that port. probably about 1000 an hour. And this is not even a well used IP, just a testing server I turn on when I need to test stuff. Glad IPS is blocking it.

Most likely you've got to be heavily hit on 53 just because it is (was) open, and not at all because you are flooded, nor considered of a very high interest target: bots are crawling continuously, day and night, non stop, blindly poking IPs (and ports on each IP) as much as possible. When they do find an open port on a particular IP, that IP & port is recorded in a log. From that moment on, the record might be either passed to a more "specialized" bot, one trying only exploits for that particular port, repeatedly and heavily on that particular IP address, or, maybe a human black hat is collecting the record from the log and tries different attack techniques, tools and exploits on that IP & port.

Either way, from a particular moment on, you struggle to understand what particular change you've made triggered that constant bombardment, but it's not a change, it's a non-change... ;) It's a for enough long time open 'hole' being discovered.

Close that (those) freakin' port(s) already, would you?! :)
Title: Re: Port 53 flood on IPS
Post by: dcol on February 15, 2018, 04:00:41 pm
What I ended up doing was allow port 53 through IPS and then used a floating firewall rule to block them. That way I don't flood the logs. I used pftop to identify the traffic and saw that it was outbound traffic to port 53 as well as inbound, which is a normal transaction for DNS queries.
Here is a pic of what I saw. the 68.105 IP's are the legitimate DNS from the ISP. The 208.76 is not.
Also here is the floating rule I used for DNS
Title: Re: Port 53 flood on IPS
Post by: hutiucip on February 16, 2018, 10:51:42 am
From your first image I only see legitimate traffic:

1. Absolutely all IN traffic is from your internal clients - no need for 53 UDP to be open/ NATed.
2. Absolutely all OUT traffic is from OPNsense to forwarders. - no need for 53 UDP to be open/ NATed.
3. You have to figure it out why there is a DNS resolving request toward 208.76... (maybe an internal client with manual DNS settings different than OPNsense's IP address, maybe a host/ domain override?!?!...)

If there is nothing left out in your DNS config, I maintain my opinion: you should keep the port 53 closed (not-published) on WAN/ NAT.