Discussion:
pf: block drop not working
Axel Rau
2021-05-05 09:47:16 UTC
Hi all,

in pf.conf, I have at the beginning:
- - -
table <black_hole> persist file "/etc/pf/black_hole.txt"
block drop in quick on $red_if from <black_whole> flags any

fw1# pfctl -s rules | head -3
block drop in quick on em2 from <black_whole> to any

fw1# pfctl -t black_hole -T show
. . .
146.168.0.0/16
. . .

But responses still going out from my ns:

0800 532: x.y.z.71.53 > 146.168.163.94.443: [udp sum ok] 1- 0/13/14(490) (ttl 63, id 10399, len 518)
0800 72: 146.168.163.94.443 > x.y.z.21.53: [no udp cksum] 1+ RRSIG? pizzaseo.com.(30) (ttl 249, id 3922, len 58)
0800 532: x.y.z.21.53 > 146.168.163.94.443: [udp sum ok] 1- 0/13/14(490) (ttl 63, id 38336, len 518)
0800 72: 146.168.163.94.443 > x.y.z.171.53: [no udp cksum] 1+ RRSIG? pizzaseo.com.(30) (ttl 249, id 55913, len 58)
0800 532: x.y.z.171.53 > 146.168.163.94.443: [udp sum ok] 1- 0/13/14(490) (ttl 62, id 53578, len 518)


What is wrong in my setup?

Thanks, Axel
---
PGP-Key: CDE74120 ☀ computing @ chaos claudius
Tom Smyth
2021-05-05 11:30:15 UTC
black_whole vs black_hole

check the table name ...
Post by Axel Rau
Hi all,
- - -
table <black_hole> persist file "/etc/pf/black_hole.txt"
block drop in quick on $red_if from <black_whole> flags any
fw1# pfctl -s rules | head -3
block drop in quick on em2 from <black_whole> to any
fw1# pfctl -t black_hole -T show
. . .
146.168.0.0/16
. . .
0800 532: x.y.z.71.53 > 146.168.163.94.443: [udp sum ok] 1- 0/13/14(490) (ttl 63, id 10399, len 518)
0800 72: 146.168.163.94.443 > x.y.z.21.53: [no udp cksum] 1+ RRSIG? pizzaseo.com.(30) (ttl 249, id 3922, len 58)
0800 532: x.y.z.21.53 > 146.168.163.94.443: [udp sum ok] 1- 0/13/14(490) (ttl 63, id 38336, len 518)
0800 72: 146.168.163.94.443 > x.y.z.171.53: [no udp cksum] 1+ RRSIG? pizzaseo.com.(30) (ttl 249, id 55913, len 58)
0800 532: x.y.z.171.53 > 146.168.163.94.443: [udp sum ok] 1- 0/13/14(490) (ttl 62, id 53578, len 518)
What is wrong in my setup?
Thanks, Axel
---
--
Kindest regards,
Tom Smyth.
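The mismatch Tom spotted is easy to miss because, as the original post's `pfctl -s rules` output shows, pfctl loads a rule that references an undeclared table without complaint. The POSIX shell check below is an added example (not from any poster): it compares the `table <name>` statements in a pf.conf with the `<name>` references in its rules and reports names used but never declared, and names declared but never used. The sample configuration embedded in it is constructed to reproduce the thread's typo.

```shell
#!/bin/sh
# Added example, not from any poster: lint a pf.conf for table-name
# mismatches like the black_whole/black_hole typo in the original post.
# A mistyped <name> only shows up as a block rule that never matches;
# this check makes it visible before the ruleset is loaded.

# Constructed sample pf.conf reproducing the original post's typo.
SAMPLE_PF_CONF='table <black_hole> persist file "/etc/pf/black_hole.txt"
block drop in quick on $red_if from <black_whole> flags any
# comment mentioning <ignored>: comments must not count as references
pass in quick on $red_if proto udp from any to { $ns4, $ns5 } port { domain }'

# Same configuration with the typo corrected (constructed).
FIXED_PF_CONF=$(printf '%s\n' "$SAMPLE_PF_CONF" | sed 's/black_whole/black_hole/')

# pf_table_check MODE CONF_TEXT
#   MODE=undeclared: names used in rules with no "table <name>" statement
#   MODE=unused:     names declared with "table <name>" but used by no rule
# Prints one name per line, sorted; empty output means nothing to report.
pf_table_check() {
    printf '%s\n' "$2" | awk -v mode="$1" '
        { sub(/#.*/, "") }                      # strip comments first
        /^[ \t]*table[ \t]*</ {                 # declaration: table <name> ...
            s = $0; sub(/^[ \t]*table[ \t]*</, "", s); sub(/>.*/, "", s)
            declared[s] = 1; next
        }
        {                                       # every <name> elsewhere is a use
            s = $0
            while (match(s, /<[^>]+>/)) {
                used[substr(s, RSTART + 1, RLENGTH - 2)] = 1
                s = substr(s, RSTART + RLENGTH)
            }
        }
        END {
            if (mode == "undeclared") for (n in used) if (!(n in declared)) print n
            if (mode == "unused")     for (n in declared) if (!(n in used)) print n
        }' | sort
}

# Stand-alone run against the constructed sample.
printf 'referenced but never declared: %s\n' "$(pf_table_check undeclared "$SAMPLE_PF_CONF")"
printf 'declared but never referenced:  %s\n' "$(pf_table_check unused "$SAMPLE_PF_CONF")"
```

To check a live configuration, pass the file contents instead of the sample, e.g. `pf_table_check undeclared "$(cat /etc/pf.conf)"`.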
Axel Rau
2021-05-05 11:51:26 UTC
Post by Tom Smyth
black_whole vs black_hole
check the table name 

Thanks a lot!
Axel
---
PGP-Key: CDE74120 ☀ computing @ chaos claudius
Axel Rau
2021-05-05 13:57:53 UTC
Post by Tom Smyth
black_whole vs black_hole
check the table name 

But even with the correct table name I had to flush states to get it working.

Does anyone have a script handy to update the table to black hole dns clients which repeat the same query with high frequency?

Thanks, Axel
---
PGP-Key: CDE74120 ☀ computing @ chaos claudius
Stuart Henderson
2021-05-05 14:20:57 UTC
Post by Axel Rau
check the table name …
But even with the correct table name I had to flush states to get it working.
That is expected. A state lookup is done before parsing the ruleset.
You can try clearing states with pfctl -k but there are some issues, it
doesn't always work.
Post by Axel Rau
Does anyone have a script handy to update the table to black hole dns clients which repeat the same query with high frequency?
This is usually best dealt with in your DNS server software e.g. by using
the rrl-* configuration in NSD, see nsd.conf(5), or "rate-limit" config
section in BIND.
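Stuart's point that a state lookup happens before the ruleset is consulted means a table update on its own leaves already-established flows alive. The POSIX shell script below is an added example (not from the thread) of pairing the two steps: it validates the address, adds it to the `black_hole` table from the original post, then kills states from it (`pfctl -k host`) and to it (`pfctl -k 0.0.0.0/0 -k host`). `PFCTL` and `TABLE` are assumed overridable so the script can be dry-run with `echo` on a machine without pf.

```shell
#!/bin/sh
# Added example, not from any poster: put an address into the pf black-hole
# table and then kill the states that already match it. As the thread notes,
# pf checks existing states before it walks the ruleset, so the block rule
# alone leaves traffic on an established state flowing until the state dies.
#
# PFCTL can be overridden (e.g. PFCTL=echo) to dry-run without root or pf.
PFCTL=${PFCTL:-pfctl}
TABLE=${TABLE:-black_hole}          # table name from the original post

# is_ipv4_prefix ADDR: succeed only for a dotted quad with optional /0-32,
# so nothing unexpected is ever handed to pfctl as an argument.
is_ipv4_prefix() {
    addr=${1%%/*}; pfx=${1#"$addr"}
    case $addr in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    case $pfx in '') ;; /[0-9]|/[12][0-9]|/3[0-2]) ;; *) return 1 ;; esac
    set -- $(printf '%s\n' "$addr" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# blackhole_add ADDR: add ADDR to the table, then kill states from it and
# states to it (pfctl -k SRC, and -k 0.0.0.0/0 -k DST for the reverse side).
# Returns 2 on a rejected address, otherwise the status of the last pfctl.
blackhole_add() {
    is_ipv4_prefix "$1" || { echo "blackhole_add: rejected '$1'" >&2; return 2; }
    $PFCTL -t "$TABLE" -T add "$1" &&
    $PFCTL -k "$1" &&
    $PFCTL -k 0.0.0.0/0 -k "$1"
}

# Stand-alone dry run with the network from the original post.
(PFCTL=echo; blackhole_add 146.168.0.0/16)
```

As Stuart notes, `pfctl -k` does not always clear every matching state, so confirm with `pfctl -s states` afterwards.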
Axel Rau
2021-05-07 08:54:48 UTC
Post by Stuart Henderson
This is usually best dealt with in your DNS server software e.g. by using
the rrl-* configuration in NSD, see nsd.conf(5), or "rate-limit" config
section in BIND.
Yes, I have this in place now, but I am trying to let the fw drop them.
This does not seem to be working:
udp_inbound_dns_options = 'keep state (max-src-conn-rate 120/60, overload <bruteforce> flush global )'


pass in quick on $red_if proto udp from any to { $ns4, $ns5 } \
port { domain } tag RED_DMZ $udp_inbound_dns_options label "dns inbound"

Is this not possible with udp?

Axel
---
PGP-Key: CDE74120 ☀ computing @ chaos claudius
Tom Smyth
2021-05-07 09:19:37 UTC
Hello Axel,

Check out fastnetmon if you have sFlow (preferably) or NetFlow
support on your switches or routers facing external providers;
you can put packets-per-second (pps) thresholds on it.

But bear in mind that if the amount of bandwidth being sent to your router
exceeds capacity, you need to send a BGP community to your providers to
do Remote Triggered Black Hole (RTBH) filtering, etc.

Best of Luck
Post by Axel Rau
Post by Stuart Henderson
This is usually best dealt with in your DNS server software e.g. by using
the rrl-* configuration in NSD, see nsd.conf(5), or "rate-limit" config
section in BIND.
udp_inbound_dns_options = 'keep state (max-src-conn-rate 120/60, overload <bruteforce> flush global )'

pass in quick on $red_if proto udp from any to { $ns4, $ns5 } \
port { domain } tag RED_DMZ $udp_inbound_dns_options label "dns inbound"
Is this not possible with udp?
Axel
---
--
Kindest regards,
Tom Smyth.
Stuart Henderson
2021-05-07 10:14:34 UTC
No this is not possible. UDP is trivially spoofed (which is probably why
you see the problem in the first place; the source IPs you see on the
packets are the *victims* not the attacker). Doing this for UDP opens an
easy DoS of your legitimate clients.
--
Sent from a phone, apologies for poor formatting.
Post by Axel Rau
Post by Stuart Henderson
This is usually best dealt with in your DNS server software e.g. by using
the rrl-* configuration in NSD, see nsd.conf(5), or "rate-limit" config
section in BIND.
udp_inbound_dns_options = 'keep state (max-src-conn-rate 120/60, overload <bruteforce> flush global )'

pass in quick on $red_if proto udp from any to { $ns4, $ns5 } \
port { domain } tag RED_DMZ $udp_inbound_dns_options label "dns inbound"
Is this not possible with udp?
Axel
---
John McGuigan
2021-05-05 14:02:58 UTC
I think you've used "black_hole" and "black_whole" as table names. They
should all be the same.

John
Post by Axel Rau
Hi all,
- - -
table <black_hole> persist file "/etc/pf/black_hole.txt"
block drop in quick on $red_if from <black_whole> flags any
fw1# pfctl -s rules | head -3
block drop in quick on em2 from <black_whole> to any
fw1# pfctl -t black_hole -T show
. . .
146.168.0.0/16
. . .
0800 532: x.y.z.71.53 > 146.168.163.94.443: [udp sum ok] 1- 0/13/14(490) (ttl 63, id 10399, len 518)
0800 72: 146.168.163.94.443 > x.y.z.21.53: [no udp cksum] 1+ RRSIG? pizzaseo.com.(30) (ttl 249, id 3922, len 58)
0800 532: x.y.z.21.53 > 146.168.163.94.443: [udp sum ok] 1- 0/13/14(490) (ttl 63, id 38336, len 518)
0800 72: 146.168.163.94.443 > x.y.z.171.53: [no udp cksum] 1+ RRSIG? pizzaseo.com.(30) (ttl 249, id 55913, len 58)
0800 532: x.y.z.171.53 > 146.168.163.94.443: [udp sum ok] 1- 0/13/14(490) (ttl 62, id 53578, len 518)
What is wrong in my setup?
Thanks, Axel
---