DNS recursive attacks, DoS and DDoS : iptables -m recent is your friend

Got plenty of "query (cache) 'isc.org/ANY/IN' denied" lines in your bind9 logs? Like about 1 query per second from several IPs? Want to tell them to get lost? This entry may interest you then.

No extensive writing needed here; here is the essential part:

# Record the source of every incoming DNS/UDP query in the "recent" list
$IPT -A INPUT -i $MAIN_IF -p udp --dport 53 -m recent --set
# Drop the query when its source has already been seen 10 times within the last 30 seconds
$IPT -A INPUT -i $MAIN_IF -p udp --dport 53 -m recent --update --seconds 30 --hitcount 10 -j DROP
# Everything below the threshold is accepted
$IPT -A INPUT -p udp --dport 53 -j ACCEPT

I put these rules before other INPUT rules, and restarted my firewall.

Now DNS access on my public IP is limited to 10 separate queries within a 30-second timeframe. It seems acceptable for the moment, and DNS fsckers generally get dropped within the first 15 seconds, which is fine for me. But feel free to experiment with different values according to your needs.
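To see what the 10-hits-in-30-seconds rule pair does to real-looking traffic before deploying it, here is an added Python model (not part of the original post) that parses bind9 "denied" lines and replays them through a simplified version of the two -m recent rules. The log lines and addresses are constructed, and the model ignores xt_recent's per-entry timestamp limit (ip_pkt_list_tot), so treat it as an illustration of the counting, not a bit-exact copy of the kernel module.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One bind9 "denied" line, in the format quoted in the post, e.g.
# 03-Apr-2013 10:00:00.000 client 192.0.2.10#53115: query (cache) 'isc.org/ANY/IN' denied
LOG_RE = re.compile(r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client "
                    r"(?P<ip>[\d.]+)#\d+: query \(cache\) '[^']+' denied$")

def make_sample_log():
    """Constructed sample (not real traffic): 192.0.2.10 sends 1 query/s for 20 s,
    198.51.100.5 sends 5 queries spread over 30 s."""
    t0 = datetime(2013, 4, 3, 10, 0, 0)
    events = [(t0 + timedelta(seconds=s), "192.0.2.10") for s in range(20)]
    events += [(t0 + timedelta(seconds=s), "198.51.100.5") for s in (0, 7, 14, 21, 28)]
    return ["%s.000 client %s#53115: query (cache) 'isc.org/ANY/IN' denied"
            % (t.strftime("%d-%b-%Y %H:%M:%S"), ip) for t, ip in sorted(events)]

def parse_denied(lines):
    """Return [(timestamp, source_ip)] for every 'denied' line, in log order."""
    found = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            found.append((datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S"), m.group("ip")))
    return found

def simulate_recent(events, seconds=30, hitcount=10):
    """Simplified model of the rule pair: every packet adds a timestamp for its source
    (--set); the packet is dropped when the source has at least `hitcount` timestamps
    within the last `seconds`, the current one included (--update --seconds --hitcount).
    A match also refreshes the entry, so a source that keeps flooding stays blocked."""
    stamps, verdicts = defaultdict(list), defaultdict(list)
    for ts, ip in events:
        stamps[ip].append(ts)
        recent = [s for s in stamps[ip] if s >= ts - timedelta(seconds=seconds)]
        if len(recent) >= hitcount:
            stamps[ip].append(ts)
            verdicts[ip].append((ts, "DROP"))
        else:
            verdicts[ip].append((ts, "ACCEPT"))
    return verdicts

def seconds_until_first_drop(verdicts, ip):
    """Seconds between a source's first query and its first dropped one (None if never dropped)."""
    first = verdicts[ip][0][0]
    return next((int((ts - first).total_seconds()) for ts, v in verdicts[ip] if v == "DROP"), None)

if __name__ == "__main__":
    v = simulate_recent(parse_denied(make_sample_log()))
    for ip in v:
        print(ip, "first drop after", seconds_until_first_drop(v, ip), "s")
```

With the post's values the 1 query/s source is dropped from its 10th query (9 seconds in) while the occasional client is never touched; lower --hitcount or raise --seconds and rerun to see where a legitimate resolver would start to suffer.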

I hope this will help :)

From 127.0.0.1: Time to live (almost) exceeded

It has been quite some time since I wrote something here, certainly due to laziness, or maybe just because this whole blog thing started to sound like « Meh ».

Life stuff

Nothing earth-shattering for you people since my last article, but quite an interesting and enlightening period for me.

I worked in Paris for 6 months for eNovance, a company focused on Open Source solutions and development. I worked with wonderful people, and more importantly, I was able to share knowledge with just about everyone there. This internship has been one of the most interesting experiences I have ever had so far, even if the first three months were not easy. Thanks again to eNovance’s staff for giving me this opportunity.

I also had the chance to discover the /tmp/lab, the most important hackerspace in Paris. I walked in and met new (and very, very interesting) people. I wish to experience this again.

Since then, I went back to Belfort as a UTBM student again, and I had quite a hard time getting used to this sudden change. But now, I feel confident and motivated, and I do not intend to jeopardize the last (long) run to the engineering degree. Moreover, my internship ended as a complete success with excellent feedback from both eNovance and the UTBM.

At the time of writing, I have just been through a week of mid-term exams. I expect some surprising results, in both bad and good ways. It is also about time to focus on the several projects I have to complete before the end of the semester. Hence this unexpected writing, before I consider myself too tight on schedule…

Geek thoughts

GRSEC and IP Blackhole feature:

Neat for servers without a firewall, not for a router, where I experienced major slowdowns while transferring files over a Fast Ethernet link. I eventually decided to disable this feature.

PVST and PVST++ :

Per VLAN Spanning Tree… Cisco’s proprietary protocol that allows VLAN-specific STP settings. Seems neat and cool, unless you have heterogeneous appliances: a Cisco Catalyst WS-C2924-XL can’t « talk » PVST+ with a Cisco Small Business SLM2008, resulting in useless lines in the Catalyst configuration.

At least you can set up global STP settings within VLAN 1 (Cisco’s default VLAN for the Ethernet protocol). STP settings are therefore effectively propagated, since the SLM2008 uses the same default VLAN, even if you change the administration VLAN.

Surprising fact: a Cisco Small Business WAP 4410 Wireless Access Point seems to be able to receive and apparently handle PVST+ packets… which makes SO much sense for a single bridge between a radio interface and a wired interface…

Ubuntu 10.04 Lucid Lynx:

Best Ubuntu experience I ever had so far. Everything seems to work seamlessly on my Thinkpad X300. Canonical and the Ubuntu community worked hard on this one.

That’s all, folks!

Domain migration

chrooted-universe.org => chroot-me.in

I decided to move all my web stuff, svn, and other services to my new domain chroot-me.in. I’ll keep chrooted-universe.org, but I would be grateful if you updated your bookmarks, RSS subscriptions and your links to my website :)

Thanks!

HOWTO: Using a GNU screen inside another GNU screen

I found this feature this morning, and the irc folks being enthusiastic, I decided to blog about it.

I have been using GNU screen on a daily basis for almost three years. Beyond providing an almost complete terminal emulation with detach and reattach abilities, extensive keyboard bindings and tab (a.k.a. window) management, GNU screen is a versatile tool, although surprisingly often ignored by a lot of people.

Here is a little reminder of what GNU screen consists of.

Requirements, or at least highly recommended setup

It is highly recommended to have a screenrc that provides a hardstatus line, the only practical way to distinguish one screen from another.

Here is mine:

shell /bin/zsh
attrcolor b ".I"
# 256-colour support when running inside an xterm-like terminal
termcapinfo xterm 'Co#256:AB=\E[48;5;%dm:AF=\E[38;5;%dm'
defbce "on"
term screen-256color
maptimeout 5
# do not switch the terminal to its alternate screen, so the terminal scrollback keeps working
termcapinfo xterm* ti@:te@
# the status line on the last row of every window: host, load, window list, date and time
hardstatus alwayslastline
hardstatus string '%{= kG}[%{G}%H%{g} %l][%=%{= kw}%?%-Lw%?%{r}(%{W}%n*%f%t%?(%u)%?%{r})%{w}%?%+Lw%?%?%=%{g}][%{B}%d/%m %{W}%c%{g}]'
defnonblock 5

Of course, you should adapt this to fit your needs; only the lines beginning with hardstatus are relevant here.

Now that your GNU screen is properly configured, I can highlight the bullet point of this howto :)

Pictures are said to help comprehension. I say LIES!

My X terminal emulator is Terminator. Combined with GNU screen, you can obtain … that…thing:

'what. the. heck?'


Please bear with me, even if this caused some eye-melting :P

Some explanations: each zone delimited by light grey borders is in fact a split in Terminator. GNU screen sessions are contained in the numbered splits.

1: err… not really a screen, I guess I’m tired and too lazy to correct the picture.

2: lwatch on dresda

3: lwatch on pandora

4: htop on dresda

5: htop on pandora

6: irssi on dresda

The only thing I had to do was to execute screen -e ^ee on pandora, thereby rebinding all default ^a (Ctrl+a) bindings to ^e (Ctrl+e).

Then you control the main screen with the default binding, while controlling the inner screen with these new binds (i.e. ^a c to create a new window in the main screen, ^e c to do the same in the inner screen :)

Finally, the relevant part in man screen:

       -e xy
            specifies the command character to be x and the character generating
            a literal command character to y (when typed after the command
            character).  The default is "C-a" and `a', which can be specified
            as "-e^Aa".  When creating a screen session, this option sets the
            default command character. In a multiuser session all users added
            will start off with this command character. But when attaching to
            an already running session, this option changes only the command
            character of the attaching user.  This option is equivalent to
            either the commands "defescape" or "escape" respectively.

I really enjoy it, it’s like a Christmas present for all BOFHs, blinking like a Christmas Tree when some jerk is trying to mess with your servers/networks :D

Chrooted-timeout

chrooted-universe.org experienced a rather long blackout.

Indeed, the adsl line that usually allows my server to be reachable from the Internet faced a severe technical issue, resulting in a downtime of more than 5 days.

I can actually bear with it though, since the line is subscribed from a consumer carrier, not a professional ISP.

Thus, I have decided to transfer chrooted-universe.org and some of its subdomains to a Gandi VPS.

The effective migration may happen this week, it will depend mostly on my available time (kind of busy this week).

I’ll give it a try for one month, but I am already quite surprised by the overall performance of a single tiny share.

Sorry for the inconvenience.