8

I manage a few dozen servers that are publicly accessible and must remain so. I see very large volumes of malicious traffic on all of these servers. The malicious traffic starts as port scans (identified by scanlogd) and progresses to a combination of ssl vulnerability and web server exploit attempts on port 443 (identified by the nginx error log) and ssh login dictionary attacks on the ssh port (identified by the sshd journal logs). The attacks are so far not successful, because we keep our OS and webserver up to date with security patches, and sshd expects key (rather than password) logins. Additionally, I have nftables configured to drop packets from any IP that engages in the probe activity described above. The systems I manage continue to log IP addresses of deflected/dropped traffic. I store that data in a central db so that I can analyse it in order to understand the threats faced by these systems.

I am working to reduce the attack surfaces by moving the ssh port behind a Wireguard interface on each instance. However, the malicious traffic I see is incessant. Most of it originates from IP blocks owned by ChinaNet which don't respond to IP abuse reports and clearly are happy for their network addresses to be used in this illegal and unethical manner. The volumes I see range from a hundred thousand to a million daily attack probes originating from each of about 50 to 100 different ChinaNet IP addresses, with a total volume of about 3 or 4 million attack probes daily. There is a not insignificant amount of bandwidth consumed by these probes which I must pay for, even when I drop the packets.

I would like to know if there is a DNS provider who can drop or misdirect (to an IP that I maintain) DNS queries that originate from specific subnets. I currently use Cloudflare and Route 53 DNS services but cannot find a way to configure either one to reroute malicious inbound traffic. Route 53 only provides configurability for outbound. I am considering running my own DNS in order to achieve this but does someone know how to do this?

grenade
  • 183
  • 6
  • 1
    What you describe is not a "firewall", so I edited the title. And questions asking for products/services are off-topic, so I reworded the end of your question. – schroeder Jun 30 '23 at 09:02
  • 1
    Why don't you use CloudFlare to block traffic from undesired IPs? https://stackoverflow.com/questions/34560058/how-to-block-countries-from-server-when-using-cloudflare – schroeder Jun 30 '23 at 09:03
  • much appreciated. cheers! – grenade Jun 30 '23 at 12:24
  • 6
    The IPv4 address space simply isn't that big. It doesn't take that long to just try every address. If your server is exposed the the internet it will be found, it will be port scanned, and it will be attacked, DNS or no. – Miles Budnek Jun 30 '23 at 18:00
  • i'm not worried about being found. these servers are intentionally highly visible. i simply want to drop inbound packets from known subnets before they reach their destination and put a burden on resources. – grenade Jun 30 '23 at 23:17
  • Look into fail2ban which will check the sshd/nginx logs and block IPs of repeated offenders for a while. – Guntram Blohm Jul 03 '23 at 05:50

3 Answers3

14

I would like to know if there is a DNS provider who can drop or misdirect (to an IP that I maintain) DNS queries that originate from specific subnets.

DNS is a distributed directory service. This means clients don't usually query the origin DNS server, but instead some DNS server nearby which then might ask another upstream or the origin server etc. Apart from that an attacker might just use some other DNS server which queries from a source IP you consider sufficiently trusted. Therefore any attempts to filter DNS queries by source IP at the origin server (i.e. the one within your control) will be a) incomplete and b) can have the unintended side effect of over-blocking.

Apart from that there is no need to even use DNS to reach your server. It can simply be done by directly accessing the IP address without knowledge of connected domain names. DNS is only used to map a domain name to this IP address but the connection is ultimately done using the IP address.

The proper way to filter incoming traffic is not by using DNS, but by using a firewall with an appropriate deny-list for specific source IP addresses.

Steffen Ullrich
  • 201,479
  • 30
  • 402
  • 465
  • 1
    doh! of course, you're right. i had forgotten about the distribution aspect. – grenade Jun 30 '23 at 10:27
  • Don't forget that attacks are also often implemented by distributed botnets. I'd expect the bots to use their own DNS, not the DNS of the C&C. – Barmar Jul 01 '23 at 18:40
  • @Barmar They'll build their own list, updating from multiple sources, including public DNS. – Nelson Jul 03 '23 at 04:51
2

A dynamic firewall may be what you need, one that collects reports of "bad" IPs from many machines and then blocks them. Take a look at CrowdSec https://docs.crowdsec.net/docs/intro

CrowdSec Security Engine is an open-source and lightweight software that allows you to detect peers with malevolent behaviors and block them from accessing your systems at various levels (infrastructural, system, applicative).

To achieve this, the Security Engine reads logs from different sources (files, streams ...) to parse, normalize and enrich them before matching them to threats patterns called scenarios.

And checkout the CloudFlare Bouncer, "A bouncer that syncs the decisions made by CrowdSec with CloudFlare's firewall. Manages multi user, multi account, multi zone setup. Supports IP, Country and AS scoped decisions." https://docs.crowdsec.net/docs/bouncers/cloudflare/

BlueDogRanch
  • 121
  • 3
  • yes, that's a lot like what i now do with the servers sharing information with each other and dropping packets with nftables. it works well. the motive behind looking for a dns solution was to prevent the traffic from reaching individual servers. – grenade Jul 01 '23 at 05:33
  • 1
    Checkout https://docs.crowdsec.net/docs/bouncers/cloudflare/ That will stop traffic at the CloudFlare network layer. – BlueDogRanch Jul 01 '23 at 14:42
1

Attackers do not have to use your DNS. Or anyone’s for that matter. They can just use somebody else’s DNS or run their own, or send packet to the numeric IP.
This is common for circumventing DNS blocking in authoritarian states (like several EU countries too, sadly).
I run my own instance of bind (set to resolve everything itself) on my home server for that very reason. (And I’m blocking DoH as it is factually circumventing backdoor.)

You can of course block certain IPs from even obtaining the IP for your domain, if you ultimately run the DNS for your domain. But the DNS has to run on something. Which has to have an IP. And you’re back to square one.
Also, it only takes one successful attempt, e.g. via a source IP that stays legitimate and unblocked (like a good VPN), to lose the game. All you can do then, is change you IP again, and lose any users until their DNS caches have been updated with it.

The correct way to solve this, it to be better about telling good from malicious traffic earlier and with fewer resources.

There are several shortcomings with your current setup:

You seem to use a (costly and never complete) blacklist approach for situations where a (cheap) whitelist would be more appropriate. E.g. clearly, the ISP or general area or IP block these attacks are coming from requires a whitelist approach. Any legitimate user will know he’s in a shady network area. Because everybody’s already blocking them. Many web sites even require a CAPTCHA, before even re-enabling their services for a bad IP/block. (There are lists of bad IP blocks online. Be careful though, as those can be abused to serve lies too.) And then if the entire block is bad, they also only whitelist that one IP and only for 24h, and not the entire block.

You could use port knocking for non-public ports like SSH ports, making them completely non-existent from the attacker’s perspective. And require the first packet to be preceded by a magical packed encrypted by a pre-shared key, to even get a response, even after knocking. Both of those are very efficient and fast. For e-mail, greylisting cuts out 90% of all malicious traffic for almost zero resource costs.

Of course you can not block new connections from new IP blocks that haven’t demonstrated malicious intent yet, even if they DOS your servers. But then you can still cache those pages on a fast static server. (And add CAPTCHAS.) This is precisely what Cloudflare does, and does well. IFF you trust them (which is a big if).

I think that covers all bases.