构建安全的dDoS(拒绝分布式DoS攻击) dns服务

近日发现DNS bind9.9.1  存在严重的安全漏洞　.

tail -f dns.log　发现大量不同网段ip 请求whbl.com 域名 .打开该网站看了看是个国外新闻网站.　同过日志分析发现攻击者使用了DoS攻击,采用了大量僵死云向我们服务器发起dns请求,请求频率超过２次/秒.　网上查了,有的出来个补丁但是都是针对9.3.2以下版本的.　


　这些请求占用了带宽.在9.9.1P下服务还挺得住,CPU没升.但请求频繁也耗网络带宽,经过分析编写了反DoS拒绝服务.很好的解决了系统bug .dns垃圾请求被过滤.

　原理很简单.　用机器人检测到攻击者ip ,自动拦截填入 blackhole,然后系统自动reload. 则再次请求就被拒绝.有多少僵死,绑定多少,然后咱也吹嘘一番,不怕DoS.哈哈哈


1) 增加blackhole dosip
2)讲请求的目标dns 禁止transfer　,禁止query .虽然禁止了但仍然会传递到父级dns
zone "whbl.com" IN {
    type master;
    file "fuqit.zone";
    allow-update { none; };
    allow-query { none; };
    allow-transfer { none; };

};


完整的named.conf 如下

options {
 
    directory "C:\WINDOWS\system32\dns\etc";
  
    forwarders {
58.60.188.178;
58.60.188.179;

    };
   
    version "DDos SMG 2012";

    allow-query { any; };
    //allow-query-cache { any; };
    allow-recursion { none; };
   
    blackhole {
  
#SMG Robert added dosips automaticly,donot Remove the follow NOTE
#Robert Start
##DoS
176.31.228.8;
13.104.128.167;
209.105.239.166;
#Robert END


};


};

//DNS
zone "." {
    type hint;
    file "named.root";
};

// localhost
zone "localhost" IN {
    type master;
    file "localhost.zone";
    allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
        type master;    
        file "named.local"; 
        allow-update { none; };
};



zone "fuqit.net" IN {
    type master;
    file "fuqit.zone";
    allow-update { none; };
};


zone "59.61.37.121.in-addr.arpa" in { 
        type master; 
        file "fuqit.local";            
        allow-update { none; };
};


zone "whbl.com" IN {
    type master;
    file "fuqit.zone";
    allow-update { none; };
    allow-query { none; };
    allow-transfer { none; };

};


logging {
channel warning
{
file "C:\WINDOWS\system32\dns\log\warning.log" versions 3 size 1240k;
severity warning;
print-category yes;
print-severity yes;
print-time yes;
};
channel general_dns
{
file "C:\WINDOWS\system32\dns\log\dns.log" versions 3 size 1240k;
severity info;
print-category yes;
print-severity yes;
print-time yes;
};
category default { warning; };
category queries { general_dns; };
};



# Start of rndc.conf
key "rndc-key" {
algorithm hmac-md5;
secret "UBAzaol7wLYvsj/kKDaqlQ==";
};

controls {
        inet 127.0.0.1 port 953
                allow { 127.0.0.1; } keys { "rndc-key"; };
};


# End of rndc.conf
# End of named.conf


部分源码如下:因为挂接的SMG引擎　是java代码　仅供参考

思路在hole中添加一特标记　##DoS
程序查找该标记　每次检测几组ip ,依次检测更新到named.conf .如果有更新就relaod 否则,休息.　以上代码编写打包测试我用了２个小时左右.


#file:HandleDDoSBindMap.java

package cpgmt;

import com.hotmail.walksing.module.file.Wfile;
import com.hotmail.walksing.module.string.Wregex;
import com.hotmail.walksing.module.string.wsString;

import app.HandleMap;
import app.PPGMain;
import app.Putter;
import app.Admin;

/*******************************************************************************
* HandleDDoSBindMap map request,response
*
* DenyDoS avaiable bind9.91
* parseDNSLog ,find request to whbl.com ,get DoSip ->store bindconf->reload named
* @author runus
* @version 1.0.0
* @date 20120708
*
*/

public class HandleDDoSBindMap implements HandleMap {

/***************************************************************************

* parseDNSLog ,get DoSip ->store bindconf->reload named
* @param p
* @return
*/
public static String dnslogfid=null;
public static String dnsconf=null;
public int mapRequest(Putter p) {
p=new Putter();
p.set("bindReload", PPGMain.props.getProperty("bindReload","rndc reload"));
if(dnslogfid==null){
dnslogfid=PPGMain.props.getProperty("bindlog","");
dnsconf=PPGMain.props.getProperty("bindconf","");
app.PPGMain.echo("MORNITORING dnslogfid {"+dnslogfid+"}");
app.PPGMain.echo("MORNITORING dnsconf {"+dnsconf+"}");
}
String retmsg = null;
String logcmd="tail -5 "+dnslogfid;
retmsg=Admin.exec(logcmd);

String dosIp=parseDoSIP(retmsg);
if(dosIp.length()==0){
try {
Thread.sleep(120000);
return 2;
} catch (InterruptedException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
}
app.PPGMain.echo("----parsed DoSips---\n"+dosIp);
boolean isupdated=setNamed(dnsconf,dosIp);
int rt=0;
String retcode = "2";
if(isupdated){
retmsg=Admin.exec(p.get("bindReload"));
PPGMain.echo("exec "+p.get("bindReload")+"|response===>" + retmsg);

if(Wregex.eregi("result 0|successful",retmsg ))
retcode="2";
else
retcode="3";
p.set("retcode", retcode);
PPGMain.echo("response:" + retcode);
p.set("retmsg", retmsg);
}else{
Wfile.dln("setNamed:"+isupdated);
rt=2;
}

if (Wregex.eregi("^[0-9]{1,}$", retcode)) {
return Integer.parseInt(retcode);
} else {
return -1;
}
}

//08-七月-2012 8:17:48.076 queries: info: client 24.180.162.231#16958 (whbl.com): query: whbl.com IN TXT +E (121.37.61.59)
public String parseDoSIP(String r){
String ip=null;
int st=0,ed=0;
String filter=PPGMain.props.getProperty("bindDoSFilter","whbl\\.com"); //whbl\\.com|xxx\\.net
String ptr=" client ";
if(!Wregex.eregi(filter, r))
return "";
StringBuffer ips=new StringBuffer();
String[] l = r.split("\n");

for(int i=0;i<l.length;i++){
if(l[i]==null||!Wregex.eregi(filter, l[i])) continue;

r=l[i];
st = r.indexOf(ptr);
if(st==-1) continue;
st+=ptr.length();
ed=r.indexOf("#",st);
if(ed>-1){
ip=r.substring(st,ed);
if(ips.indexOf(ip)==-1) ips.append(ip+";\n");
}

}
return ips.toString();
}

public boolean setNamed(String conf,String dosIp){

String s=Wfile.openToString(conf);

int st=0;
String ptr="##DoS";
Wfile.dln("bindconf length:"+s.length());
st = s.indexOf(ptr);
if(st==-1){
Wfile.dln("setNamed::error:: cannot find partner:"+ptr);
return false;
}
StringBuffer b=new StringBuffer();
st+=ptr.length()+1;//skip \n

b.append(s.substring(0, st));
s=s.substring(st);
String[] l=dosIp.split("\n");
for(int i=0;i<l.length;i++){
if(l[i]==null || s.indexOf(l[i])>-1) continue;
b.append(l[i]).append("\n");
}
b.append(s);
//Wfile.dln(s);
Wfile.writeFile(conf, b.toString());
b=null;
s=null;
return true;
}


}


系统配置如下smg3/conf/ppg.properties

cfgJobs=cpgmt.HandleDDoSBindMap:30000,

#DDoS bind Start
bindDoSFilter=whbl\\.com|xx\\.com
bindReload=rndc reload
bindlog=C:/WINDOWS/system32/dns/log/dns.log
bindconf=C:/WINDOWS/system32/dns/etc/named.conf
#DDoS bind End


该脚本支持多filter domain检测 .很容易扩展为自动根据访问频繁的记录进行绑定.
部署完成后,高枕无忧.管你什么dos随便来.

----------------------
以下为广告时间,不要走开,精彩在后头.

本站提供DDNS服务,速度快捷,不会断线.断线瞬间绑定;支持dDoS (防分布式拒绝DoS攻击)
年费:800 ,免安装程序url自动更新.可免７天试用.
网址:www.fuqit.net 不诚勿扰qq站内找

另外:本站提供云支付服务　smg-ves

转载,请保留链接版权　runusws AT gmail.com

广告之后继续...
------------
DoS攻击日志如下:
uery: whbl.com IN TXT +E (121.37.61.59)
08-七月-2012 20:11:48.395 queries: info: client 108.41.10.44#37760 (whbl.com): q
uery: whbl.com IN TXT +E (121.37.61.59)
08-七月-2012 20:11:50.364 queries: info: client 108.41.10.44#59190 (whbl.com): q
uery: whbl.com IN TXT +E (121.37.61.59)
08-七月-2012 20:11:50.535 queries: info: client 108.41.10.44#50452 (whbl.com): q
uery: whbl.com IN TXT +E (121.37.61.59)
08-七月-2012 20:11:50.598 queries: info: client 108.41.10.44#43158 (whbl.com): q
uery: whbl.com IN TXT +E (121.37.61.59)
08-七月-2012 20:11:52.364 queries: info: client 108.41.10.44#26214 (whbl.com): q
uery: whbl.com IN TXT +E (121.37.61.59)
08-七月-2012 20:11:52.535 queries: info: client 108.41.10.44#49879 (whbl.com): q
uery: whbl.com IN TXT +E (121.37.61.59)
08-七月-2012 20:11:52.582 queries: info: client 108.41.10.44#10113 (whbl.com): q
uery: whbl.com IN TXT +E (121.37.61.59)
08-七月-2012 20:12:04.332 queries: info: client 121.37.61.59#64838 (www.oanda.co
m): query: www.oanda.com IN A + (121.37.61.59)
08-七月-2012 20:12:14.598 queries: info: client 121.37.61.59#64030 (www.oanda.co
m): query: www.oanda.com IN A + (121.37.61.59)
08-七月-2012 20:12:16.332 queries: info: client 74.125.18.158#58000 (www.fuqit.n
et): query: www.fuqit.net IN A - (121.37.61.59)
08-七月-2012 20:12:44.207 queries: info: client 121.37.61.59#53088 (dx.ggsafe.co
m): query: dx.ggsafe.com IN A + (121.37.61.59)

--------------
看到攻击ip 108.41.10.44


smg03 引擎日志执行如下:

INFO   | jvm 1    | 2012/07/08 20:15:24 | 2012-07-08 20:15:24 ----parsed DoSips-
--
INFO   | jvm 1    | 2012/07/08 20:15:24 | 108.41.10.44;
INFO   | jvm 1    | 2012/07/08 20:15:24 |
INFO   | jvm 1    | 2012/07/08 20:15:24 | bindconf length:1938
INFO   | jvm 1    | 2012/07/08 20:15:24 | 2012-07-08 20:15:24 exec rndc reload|r
esponse===>#rndc reload
INFO   | jvm 1    | 2012/07/08 20:15:24 |
INFO   | jvm 1    | 2012/07/08 20:15:24 | server reload successful
INFO   | jvm 1    | 2012/07/08 20:15:24 | result:0
INFO   | jvm 1    | 2012/07/08 20:15:24 |
INFO   | jvm 1    | 2012/07/08 20:15:24 | 2012-07-08 20:15:24 response:2
------------

看到108.41.10.44　被拦截
写入成功;到此reload成功.　复观察dns.log该ip被拒绝.至此大功告成.