Severe security problem IPFW help!

[labrocca]

I have this in my logs:

16:27:20.626762 IP smtp.as.ro.http > ns2.domain.com.51891: . 372412:373860(1448) ack 1 win 1716 <nop,nop,timestamp 379626649 1892617291>
16:27:20.628011 IP smtp.as.ro.http > ns2.domain.com.51891: . 373860:375308(1448) ack 1 win 1716 <nop,nop,timestamp 379626649 1892617291>
16:27:20.628039 IP ns2.domain.com.51891 > smtp.as.ro.http: . ack 375308 win 32580 <nop,nop,timestamp 1892617620 379626649>
16:27:20.629260 IP smtp.as.ro.http > ns2.domain.com.51891: . 375308:376756(1448) ack 1 win 1716 <nop,nop,timestamp 379626650 1892617292>
16:27:20.629288 IP ns2.domain.com.51891 > smtp.as.ro.http: . ack 376756 win 33304 <nop,nop,timestamp 1892617621 379626650>
16:27:20.630509 IP cpe-66-74-154-25.socal.res.rr.com.1156 > ns1.domain.com.http: P 1:1393(1392) ack 1 win 65535
16:27:20.640708 IP ns1.domain.com.http > 82.115.16.118.16812: . ack 1368 win 32148 <nop,nop,timestamp 1892617633 7362279>
16:27:20.644512 IP 78.140.130.213.http > ns2.domain.com.53910: . 2897:4345(1448) ack 175 win 17376 <nop,nop,timestamp 439326923 1892617546>
16:27:20.645755 IP 78.140.130.213.http > ns2.domain.com.53910: . 4345:5793(1448) ack 175 win 17376 <nop,nop,timestamp 439326923 1892617546>
16:27:20.645803 IP ns2.domain.com.53910 > 78.140.130.213.http: . ack 5793 win 31856 <nop,nop,timestamp 1892617638 439326923>
16:27:20.645835 IP ns2.domain.com.53910 > 78.140.130.213.http: . ack 5793 win 33304 <nop,nop,timestamp 1892617638 439326923>
16:27:20.647001 IP 78.140.130.213.http > ns2.domain.com.53910: . 5793:7241(1448) ack 175 win 17376 <nop,nop,timestamp 439326923 1892617546>
16:27:20.648127 IP smtp.as.ro.http > ns2.domain.com.51891: . 376756:378204(1448) ack 1 win 1716 <nop,nop,timestamp 379626760 1892617403>
16:27:20.649377 IP smtp.as.ro.http > ns2.domain.com.56971: . 165072:166520(1448) ack 1 win 1716 <nop,nop,timestamp 379626663 1892617304>

As you can see...they are using my NS2 to do a LOT of traffic to hit other sites. I replaced my domain obviously but this server is both ns1.domain.com and ns2.domain.com The attack is from smtp.as.ro. It's bizarre because I can't figure out how they are passing my firewall.

00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny tcp from any to any frag
00505 deny ip from any to any dst-port 32566-65534
01500 deny ip from table(1) to me
01600 check-state
01700 deny tcp from any to any established
01800 allow ip from any to any out keep-state
01900 allow icmp from any to any
02000 allow tcp from any to any dst-port 21 setup keep-state
02100 allow tcp from any to any dst-port 22 setup keep-state
02200 allow tcp from any to any dst-port 25 setup keep-state
02300 allow tcp from any to any dst-port 53 setup keep-state
02400 allow udp from any to any dst-port 53 keep-state
02500 allow tcp from any to any dst-port 80 setup keep-state
02600 allow tcp from any to any dst-port 110 setup keep-state
02700 allow tcp from any to any dst-port 143 setup keep-state
02800 allow tcp from any to any dst-port 443 setup keep-state
02900 allow tcp from any to any dst-port 2222 setup keep-state
03000 allow tcp from any to any dst-port 32555-32565 in setup keep-state
03100 deny log logamount 10 ip from any to any
65535 deny ip from any to any

There you can see that I had to add rule 505 to block the high ports early in the ruleset but I know that's not the right way to block this. And without that rule they SHOULDN'T be hitting those ports anyways.

Help is GREATLY appreciated.

 

[labrocca]

As an update...this is netstat output.

tcp4 0 0 66.36.xxx.xxx.80 85.15.52.226.38131 TIME_WAIT
tcp4 0 0 66.36.xxx.xxx.80 60.11.247.180.3940 ESTABLISHED
tcp4 0 0 66.36.xx.xx.57797 72.3.238.94.80 LAST_ACK
tcp4 0 0 66.36.xxx.xxx.80 220.165.175.232.1935 TIME_WAIT
tcp4 0 0 66.36.xxx.xxx.80 61.161.48.194.1586 LAST_ACK
tcp4 0 0 66.36.xxx.xxx.80 202.114.102.11.61941 ESTABLISHED
tcp4 0 0 66.36.xxx.xxx.80 142.166.170.90.3153 LAST_ACK
tcp4 0 0 66.36.xx.xx.49371 74.220.207.178.80 LAST_ACK
tcp4 0 0 66.36.xxx.xxx.80 58.46.171.13.58239 TIME_WAIT
tcp4 0 0 66.36.xxx.xxx.80 81.90.157.58.3617 TIME_WAIT
tcp4 0 0 66.36.xxx.xxx.80 67.159.44.103.51949 LAST_ACK
tcp4 0 0 66.36.xx.xx.64787 193.28.144.21.80 LAST_ACK
tcp4 0 0 66.36.xxx.xxx.80 219.150.242.211.2052 LAST_ACK
tcp4 0 2320 66.36.xxx.xxx.80 58.147.169.191.1493 FIN_WAIT_1
tcp4 0 33580 66.36.xxx.xxx.80 125.96.131.241.3350 FIN_WAIT_1
tcp4 0 0 66.36.xx.xx.58623 74.220.207.178.80 LAST_ACK
tcp4 0 0 66.36.xx.xx.64239 72.29.92.118.80 LAST_ACK
tcp4 0 32120 66.36.xxx.xxx.80 202.114.102.11.61846 FIN_WAIT_1
tcp4 0 0 66.36.xxx.xxx.80 202.114.102.11.61845 LAST_ACK
tcp4 0 0 66.36.xx.xx.59222 193.28.144.21.80 LAST_ACK
tcp4 0 0 66.36.xx.xx.49243 74.220.207.178.80 LAST_ACK
tcp4 0 0 66.36.xx.xx.64801 74.220.207.178.80 LAST_ACK
tcp4 0 0 66.36.xxx.xxx.80 123.154.55.111.2771 LAST_ACK
tcp4 0 0 66.36.xxx.xxx.80 202.114.102.11.61795 ESTABLISHED
tcp4 0 0 66.36.xxx.xxx.80 202.114.102.11.61793 ESTABLISHED
tcp4 0 0 66.36.xxx.xxx.80 202.114.102.11.61791 ESTABLISHED
tcp4 0 33580 66.36.xxx.xxx.80 202.114.102.11.61790 FIN_WAIT_1
tcp4 0 0 66.36.xx.xx.60094 87.248.201.23.80 LAST_ACK
tcp4 0 0 66.36.xxx.xxx.80 202.114.102.11.61784 ESTABLISHED
tcp4 0 0 66.36.xx.xx.51380 74.220.207.178.80 LAST_ACK
tcp4 0 0 66.36.xx.xx.52451 68.142.89.231.80 LAST_ACK
tcp4 0 0 66.36.xxx.xxx.80 220.165.175.232.1259 LAST_ACK
tcp4 0 0 66.36.xx.xx.58361 87.248.201.58.80 LAST_ACK
tcp4 0 0 66.36.xxx.xxx.80 202.114.102.11.61783 ESTABLISHED
tcp4 0 0 66.36.xx.xx.59863 87.248.201.58.80 LAST_ACK
tcp4 0 0 66.36.xxx.xxx.80 78.191.41.217.49842 FIN_WAIT_2
tcp4 0 0 66.36.xx.xx.64667 202.177.195.248.80 LAST_ACK
tcp4 0 0 66.36.xx.xx.62350 202.177.195.248.80 LAST_ACK
tcp4 0 0 66.36.xxx.xxx.80 78.191.41.217.49812 FIN_WAIT_2
tcp4 0 0 66.36.237.6.80 77.70.106.73.4403 TIME_WAIT
tcp4 0 0 66.36.xx.xx.58275 87.248.201.23.80 LAST_ACK
tcp4 0 31680 66.36.xxx.xxx.80 222.181.8.96.11862 FIN_WAIT_1
tcp4 0 0 66.36.xx.xx.53621 87.248.201.190.80 LAST_ACK
tcp4 0 0 66.36.xxx.xxx.80 210.192.101.90.56245 ESTABLISHED
tcp4 0 0 66.36.xx.xx.55439 87.248.201.23.80 LAST_ACK
tcp4 0 0 66.36.xx.xx.56997 87.248.201.181.80 LAST_ACK
tcp4 0 0 66.36.xxx.xxx.80 202.114.102.11.63590 ESTABLISHED
tcp4 0 0 66.36.xxx.xxx.80 78.191.41.217.49779 FIN_WAIT_2

I have replaced my ns1 IP with xxx.xxx and the NS2 IP with xx.xx.

You should notice that only NS2 has the problems. Is there maybe something with BIND that causes this? I am VERY concerned about this traffic. Something just doesn't look right.

This might be more readable.

tcp4 0 0 ns1.http 202.114.102.11.63426 ESTABLISHED
tcp4 0 0 ns1.http 81.199.198.189.r.40105 FIN_WAIT_2
tcp4 0 0 ns1.http 202.114.102.11.63418 ESTABLISHED
tcp4 0 0 ns1.http 202.114.102.11.63419 ESTABLISHED
tcp4 0 0 ns1.http 202.114.102.11.63403 LAST_ACK
tcp4 0 0 ns1.http 202.114.102.11.63402 LAST_ACK
tcp4 0 0 ns2.52610 88.85.70.129.http LAST_ACK
tcp4 0 0 ns1.http 202.114.102.11.63390 LAST_ACK
tcp4 0 846 ns1.http 81.199.198.189.r.40085 FIN_WAIT_1
tcp4 0 0 ns2.52089 maxcash6.cavecre.http LAST_ACK
tcp4 0 0 ns2.59516 216-73-107-28.oc.http LAST_ACK
tcp4 0 0 ns2.61047 88.85.70.129.http LAST_ACK
tcp4 0 0 ns1.http 143.90.204.121.b.3171 LAST_ACK
tcp4 0 0 ns1.http 202.114.102.11.63274 ESTABLISHED
tcp4 0 0 ns2.62668 216-73-107-28.oc.http LAST_ACK
tcp4 0 0 ns2.50681 srv.p2.netsons.c.http LAST_ACK
tcp4 0 0 ns1.http 122.3.245.132.pl.36030 FIN_WAIT_2
tcp4 0 0 ns2.64889 88.85.70.129.http LAST_ACK
tcp4 0 0 ns1.http 62-47-237-19.ads.49362 FIN_WAIT_2
tcp4 0 0 ns2.61987 72-29-92-118.sta.http FIN_WAIT_2
tcp4 0 0 ns1.http 122.3.245.132.pl.36008 FIN_WAIT_2
tcp4 0 0 ns2.61387 216-73-107-27.oc.http LAST_ACK
tcp4 0 0 ns2.62083 88.85.70.129.http LAST_ACK
tcp4 0 0 ns1.http 77.31.160.232.16532 FIN_WAIT_1
tcp4 0 0 ns1.http 210.41.108.156.3387 LAST_ACK
tcp4 0 0 ns1.http 122.3.245.132.pl.36001 FIN_WAIT_2
tcp4 0 0 ns2.50734 88.85.70.129.http LAST_ACK
tcp4 0 1302 ns1.http CPE-203-51-133-2.60907 FIN_WAIT_1
tcp4 0 0 ns1.http 123.122.96.54.1169 LAST_ACK
tcp4 0 0 ns1.http 123.122.96.54.1150 LAST_ACK
tcp4 0 0 ns2.50561 88.85.70.129.http LAST_ACK
tcp4 0 0 ns1.http 123.122.96.54.1066 LAST_ACK
tcp4 0 0 ns1.http 123.122.96.54.1040 LAST_ACK
tcp4 0 0 ns2.63616 88.85.70.129.http LAST_ACK
tcp4 0 0 ns1.http 123.122.96.54.2005 LAST_ACK
tcp4 0 0 ns1.http 125.96.131.241.4448 LAST_ACK
tcp4 0 0 ns1.http 123.122.96.54.1913 LAST_ACK
tcp4 0 0 ns1.http 122.3.245.132.pl.35985 FIN_WAIT_2
tcp4 0 0 ns2.59709 38.97.225.161.http LAST_ACK
tcp4 0 0 ns2.56017 88.85.70.129.http LAST_ACK
tcp4 0 0 ns1.http 202.114.102.11.62996 LAST_ACK
tcp4 0 0 ns2.62929 88.85.70.129.http LAST_ACK
tcp4 0 0 ns2.63431 fmt2-orion-1202..http LAST_ACK
tcp4 0 0 ns1.http 122.3.245.132.pl.35973 FIN_WAIT_2
tcp4 0 10090 ns1.http pool-71-108-186-.50817 FIN_WAIT_1

 

[Chrysalis]

doesnt look like a ipfw log.

ns2.domain.com is just the reverse dns name telling you what ip is the source, I expect they not actually doing it via bind.

what does sockstat show you?

 

[chatwizrd]

Do you have recursion no; in named.conf under options?

 

[labrocca]

Yeah I got some help at WHT stating these are rDNS lookups. Thanks for help with my paranoia.

 

[Spetterpoep]

Seems it have something to do with the ACK?

The only parameter that has something to do with the ACK is the 'setup' one. U should consider that.

The problem is I don't really see what kind of attack they are useing on you're NS2.

Could u do a ipfw show