Domain-Name-System
來自外部 IP 埠 80 的 DNS 攻擊,怎麼會發生這種情況?
剛剛從我的 DNS 伺服器的日誌中註意到,顯示有人通過埠 80 攻擊我的伺服器:
/var/log/bind.log:31-Jul-2020 03:25:50.536 query-errors: client @0x7f63345948a0 185.107.80.2#36045 (PEACECORPS.GOV): view internet: query failed (REFUSED) for PEACECORPS.GOV/IN/ANY at /bin/named/query.c:7145 /var/log/bind.log:31-Jul-2020 05:31:41.446 query-errors: client @0x7f63347273e0 144.217.34.151#53799 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145 /var/log/bind.log:31-Jul-2020 11:28:20.928 query-errors: client @0x7f63345948a0 2.57.122.193#45066 (.): view internet: query failed (REFUSED) for ./IN/ANY at /bin/named/query.c:7145 /var/log/bind.log:31-Jul-2020 14:21:50.516 query-errors: client @0x7f63345638a0 193.9.17.2#59905 (wzb.eu): view internet: query failed (REFUSED) for wzb.eu/IN/ANY at /bin/named/query.c:7145 /var/log/bind.log:01-Aug-2020 07:51:58.756 query-errors: client @0x7f6334718db0 89.248.168.17#37241 (cpsc.gov): view internet: query failed (REFUSED) for cpsc.gov/IN/ANY at /bin/named/query.c:7145 /var/log/bind.log:01-Aug-2020 18:09:37.112 query-errors: client @0x7f633801db20 83.97.20.164#21544 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145 /var/log/bind.log:01-Aug-2020 19:12:03.982 query-errors: client @0x7f6334689490 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145 /var/log/bind.log:01-Aug-2020 19:12:04.263 query-errors: client @0x7f63381dba30 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145 /var/log/bind.log:01-Aug-2020 19:12:04.333 query-errors: client @0x7f63381dba30 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145 /var/log/bind.log:01-Aug-2020 19:12:04.708 query-errors: client @0x7f63381dba30 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145 /var/log/bind.log:01-Aug-2020 19:12:22.091 query-errors: client @0x7f63381611b0 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145 /var/log/bind.log:01-Aug-2020 19:12:22.534 query-errors: client @0x7f63381611b0 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145 /var/log/bind.log:01-Aug-2020 19:12:23.634 query-errors: client @0x7f63381611b0 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145 /var/log/bind.log:01-Aug-2020 19:12:26.022 query-errors: client @0x7f63381611b0 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145 /var/log/bind.log:01-Aug-2020 19:13:01.519 query-errors: client @0x7f63347d8eb0 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145 /var/log/bind.log:01-Aug-2020 19:13:02.432 query-errors: client @0x7f63346f2650 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145 /var/log/bind.log:01-Aug-2020 19:13:19.174 query-errors: client @0x7f63345948a0 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145 /var/log/bind.log:01-Aug-2020 19:13:20.556 query-errors: client @0x7f633801db20 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145 /var/log/bind.log:01-Aug-2020 19:13:35.657 query-errors: client @0x7f63381611b0 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145 /var/log/bind.log:01-Aug-2020 19:13:39.615 query-errors: client @0x7f633c0da830 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145 /var/log/bind.log:01-Aug-2020 19:13:51.414 query-errors: client @0x7f63345948a0 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145 /var/log/bind.log:01-Aug-2020 19:13:57.623 query-errors: client @0x7f63381dba30 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145 /var/log/bind.log:01-Aug-2020 19:14:07.363 query-errors: client @0x7f63346f2650 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145 /var/log/bind.log:01-Aug-2020 19:14:15.991 query-errors: client @0x7f6334771730 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145 /var/log/bind.log:01-Aug-2020 19:14:25.212 query-errors: client @0x7f63347ca880 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145 /var/log/bind.log:01-Aug-2020 19:14:32.046 query-errors: client @0x7f63381dba30 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145 /var/log/bind.log:01-Aug-2020 19:14:43.583 query-errors: client @0x7f6334775120 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145 /var/log/bind.log:01-Aug-2020 19:14:50.684 query-errors: client @0x7f6338289e50 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145 /var/log/bind.log:01-Aug-2020 19:15:01.011 query-errors: client @0x7f633c0da830 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145 /var/log/bind.log:01-Aug-2020 19:15:08.899 query-errors: client @0x7f63381dba30 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145 /var/log/bind.log:01-Aug-2020 19:15:17.051 query-errors: client @0x7f63347e74e0 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145 /var/log/bind.log:01-Aug-2020 19:15:26.382 query-errors: client @0x7f63381611b0 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145 /var/log/bind.log:01-Aug-2020 19:15:33.001 query-errors: client @0x7f63347ca880 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145 /var/log/bind.log:01-Aug-2020 19:15:44.613 query-errors: client @0x7f63346f2650 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145 /var/log/bind.log:01-Aug-2020 19:15:49.267 query-errors: client @0x7f63345948a0 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145 /var/log/bind.log:01-Aug-2020 19:16:02.472 query-errors: client @0x7f6334775120 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145 /var/log/bind.log:01-Aug-2020 19:16:04.881 query-errors: client @0x7f6338289e50 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145 /var/log/bind.log:01-Aug-2020 19:16:20.139 query-errors: client @0x7f63381dba30 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145 /var/log/bind.log:01-Aug-2020 19:16:21.184 query-errors: client @0x7f6334718db0 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145 /var/log/bind.log:01-Aug-2020 19:16:37.295 query-errors: client @0x7f63346f2650 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145 /var/log/bind.log:01-Aug-2020 19:16:37.725 query-errors: client @0x7f63346f2650 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145 /var/log/bind.log:01-Aug-2020 19:16:53.255 query-errors: client @0x7f6334775120 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145 /var/log/bind.log:01-Aug-2020 19:16:55.799 query-errors: client @0x7f6334775120 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145 /var/log/bind.log:01-Aug-2020 19:17:09.169 query-errors: client @0x7f63346f2650 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145 /var/log/bind.log:01-Aug-2020 19:17:14.215 query-errors: client @0x7f6334771730 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145 /var/log/bind.log:01-Aug-2020 19:17:25.206 query-errors: client @0x7f63347d8eb0 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145 /var/log/bind.log:01-Aug-2020 19:17:31.728 query-errors: client @0x7f633827b820 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145 /var/log/bind.log:01-Aug-2020 19:17:40.997 query-errors: client @0x7f63381611b0 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145 /var/log/bind.log:01-Aug-2020 19:17:50.548 query-errors: client @0x7f633827b820 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145 /var/log/bind.log:01-Aug-2020 19:17:57.181 query-errors: client @0x7f63381dba30 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145想知道他們怎麼能做到?
我的 DNS 伺服器只允許埠 53 和 22 進入,並且還有程序通過 firewall-cmd 命令監控和阻止這些類型的 IP,如下所示:
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="37.49.224.64" drop' --permanent這通常適用於大多數攻擊,但不適用於此 IP,嘗試將區域從公共更改為阻止,將操作從丟棄更改為拒絕,沒有任何效果。
最後我必須從外部防火牆阻止這個IP,然後最後把它拿出來。
想知道有人見過這種攻擊嗎?他們如何繞過本地防火牆?
任何建議將不勝感激!
您正在查看客戶端查詢日誌,通常客戶端會從一個臨時埠中選擇一個讓您的 DNS 伺服器響應。是的,您的伺服器正在偵聽埠 53,但您的客戶端很可能會通過埠 49152 到 65535 從您的 DNS 伺服器接收響應。事實上,您的查詢流量源選擇使用埠 80 作為回程埠是.. . 奇怪,但實際上無關緊要。我確信這是在客戶端繞過網路安全的某種方法。或者任何試圖濫用您的 DNS 伺服器的軟體的開發人員並不特別關心使用臨時埠。誰知道。
至於您的防火牆,您需要執行其中一個
firewalld-cmd --reload或firewalld-cmd --complete-reload之後執行以確保規則得到處理。編輯:
這個IP每次進去都可以獲得本地80埠。
需要明確的是,日誌中的埠 80 根本不是指您的 DNS 伺服器。這純粹是指數據包返回客戶端所需的回程。當你看到這個:
37.49.224.64#80這意味著 DNS 響應將返回到 37.49.224.64:80,就像您在日誌的第一行中看到的一樣:
185.107.80.2#36045您的 DNS 伺服器滿足的任何 DNS 查詢都返回到 185.107.80.2:36045
重申一下:沒有流量通過埠 80 進入您的伺服器,就像沒有流量通過埠 36045 進入您的伺服器一樣。這些回程埠與您完全、完全、絕對無關。
從本質上講,這是防火牆配置錯誤。通過 firewalld 區域、介面、規則排序或重新載入問題。