Contact our honeypot department if you are desperate to get blacklisted.

Wednesday, October 9, 2013

Blocking DNS requests with iptables

iptables -I INPUT 1 -p udp -m udp --dport 53 -m string --hex-string "|333032353904696e666f|" --algo kmp --from 30  --to 65535 -m comment --comment "drop 30259.info" -j DROP

Unfortunately that string is in hex, so you'll need to run a tcpdump to extract the hex-encoded domain name like so:
[bob@host01 ~]# tcpdump -nnX -c 10 -s 0 -l port 53 
05:18:53.307390 IP nnn.nnn.nnn.nnn.32825 > xxx.xxx.xxx.xxx.53:  7117+ [1au] ANY? 30259.info. (51)
        0x0000:  4500 004f 0000 4000 3f11 df23 cd86 d638  E..O..@.?..#...8
        0x0010:  d8b1 e009 8039 0035 003b 34c9 1bcd 0100  .....9.5.;4.....
        0x0020:  0001 0000 0000 0001 0533 3032 3539 0469  .........30259.i
        0x0030:  6e66 6f00 00ff 0001 0000 2910 0000 0000  nfo.......).....
        0x0040:  0000 0c50 fa00 0800 0120 000b 5dfb ed    ...P........]..

Notice that this happens to be a QTYPE 255: A request for all records (all cached records, not an AXFR which is type 252. I dunno if this QTYPE is useful in the real world or just a vector for attack. You can view all queries with QTYPE=255 with
tcpdump -c 10 -s 0 -l port 53 and ether[len - 3] == 0xff

Tuesday, June 11, 2013

find your public IP from behind a NAT device in linux

[me@host ~]# curl http://checkip.dyndns.org/
Current IP CheckCurrent IP Address: 4.2.2.2
username, hostname and IP address have been changed to protect the innocent.