Solaris in.routed (udp 520) reflected ddos

Another service being exploited…
this time instead of chargen or the usual dns (UDP 53) the sources of the attack appeared to be running Solaris in.routed service (source port UDP 520)

if you are running an unsecured box please CLOSE THAT FUCKING PORT (IN UDP 520) or at least do some proper rate limiting!
if you are a carrier/ISP that allows spoofed traffic to leave your network: HOPE YOU GET BANKRUPT AND CLOSE YOUR FUCKING DOORS FOR GOOD!

read more for additional details and logs

Continue reading “Solaris in.routed (udp 520) reflected ddos”

Chargen (UDP port 19) – Reflected ddos

Lately I’m seeing chargen service being abused a lot to execute distributed denial of service attacks.
It’s not just “standard ddos”… it’s a reflected ddos with a massive amplification rate!!!
(Amplification rate can be as high as 512x… that means with that just a 100mbit pipe a malicius attacker could easely accomplish a 10gbit+ ddos!)

What is chargen?

From wikipedia:
In the UDP implementation of the protocol, the server sends a UDP datagram containing a random number (between 0 and 512) of characters every time it receives a datagram from the connecting host.

Apparently there’s absolutely no handshake at all with chargen… only the TCP version (obviously) requires handshake…

How are hosts running chargen (UDP) used as botnets?

To execute the attack people are sending spoofed UDP packets with a forged source IP address to hundreds of hosts running chargen (and there are many of them!).
These hosts just reply to the apparent source of such packet as they are intendend to do… the problem is that they are replying to the forged IP address… that host has never requested something to them!

Is my machine vulnerable?

To test if your machine could be exploited just run:

echo t | nc -u X.X.X.X 19

replace X.X.X.X with an IP running chargen… If you got a reply you just found a host that can be used as part of a ddos botnet…

How can I make my machine secure?

disable chargen service:
(please be aware of another weak point of chargen: looks like it can also be used to let machines running chargen attack each-other… guess what happens when you have two chargen sending packets each other with to&from port 19 udp… we got a loop! :D)

if you are running chargen on one of your hosts: CLOSE THAT PORT (IN UDP 19)!
if you are a carrier/ISP that allows spoofed traffic to leave your network: HOPE YOU GET BANKRUPT AND CLOSE YOUR DOORS FOR GOOD!

ktnxbye

read more for additional details and logs

Continue reading “Chargen (UDP port 19) – Reflected ddos”

Upgrading munin from 1.4.6 to 1.4.7 – re-enabling lost plugins

Upgrading munin on CentOS/RHEL/Scientific Linux using the rpm from EPEL repositories results in an empty plugin list on the nodes:

ls -al /etc/munin/plugins/

easy fix:

munin-node-configure --suggest --shell | sh ; service munin-node restart

to verify what was detected just run:

ls -al /etc/munin/plugins/

Linux fix wrong date/time hwclock

If your clock is wrong you might have a wrong hwclock set…

yum install ntp
ntpdate -s it.pool.ntp.org
hwclock -w

on a side note to change the timezone on RHEL 6.x adjust the clock settings config file:

nano -w /etc/sysconfig/clock

set it as you wish:

ZONE="Europe/Rome"

then set the localtime

cp /usr/share/zoneinfo/Europe/Rome /etc/localtime

BFD vsftpd script

BFD is an easy to use brute force detection script that plays very nicely when combined with APF…

currently it does support certain daemons out of the box… but vspftd is not one of those ๐Ÿ™
This a *very basic* (it does not pass the offending username to bfd) script to add VSFTPD support to BFD.

You just need to create a file named “vsftpd” into the BFD ./rules/ directory and paste this content into it:

REQ="/usr/sbin/vsftpd"
 
if [ -f "$REQ" ]; then
 LP="/var/log/vsftpd.log"
 TLOG_TF="vsftpd"
 
 #Mon Mar 28 23:57:38 2011 [pid 9897] [asdasd] FAIL LOGIN: Client "127.0.0.1"
 
 ## VSFTPD
 ARG_VAL=`$TLOG_PATH $LP $TLOG_TF | grep -w 'FAIL LOGIN' | sed -r 's/^.{0,}Client .//' | sed 's/"/:vsftpd/g'`
fi

This script refers to the standard vsftpd rhel/centos installation…
If the logfile is placed elsewhere (vsftpd_log_file) or if the option “syslog_enable” in vsftpd.conf has been enabled it needs to be adjusted ๐Ÿ™‚

PS: this was a NON-WORKING test (usernames with a space in it where making it fail):

ARG_VAL=`$TLOG_PATH $LP $TLOG_TF | grep -w 'FAIL LOGIN' | awk '{print $12":"$8}' | tr '[]"'`