Large DNS & Cyber Security service provider (Vercara) nuking my hobbyist tiny DNS server

BoogeymanBoogeyman Member
edited September 2024 in General

TL;DR I run a small DNS recursor which is being attacked by Vercara/Shadow Server/Neustar Security Services. They are a managed DNS, Cyber Security and other cloud related service provider. They are being acquired by DigiCert, another big name. This post is about giving them credit and the good PR about their cyber security practices that they deserve. :)

I built a tiny DNS server out of necessity because PDNS was failing me in some areas. Although it can be achieved through some advanced config, I decided to roll my own, and to this day it is performing really well, except that I had to mitigate a few small and one large attack earlier.

Recently I developed an SSH Honeytrap for my personal use and I was deploying this today. And while deploying this I found abnormal CPU usage on my VM, and lo, my DNS server was the criminal. I stopped the server and tried to check the log and I was presented with 39GB of pure BS. My poor server couldn't cry. :(

I am running sed (still processing) and the current size is 29GB after removing error logs caused by other large recursors banning me.

https://ibb.co/wCK8JkQ
https://ibb.co/J54MJCK
https://ibb.co/h9xs93D


To my surprise they operate Shadow Server, a service similar to Shodan (Cisco stopped their funding). I still haven't processed this data and I don't want to either, but some odd bits: DNS requests normally come from random ports, but in my log they are using the same port. If anyone wants a sample of the logs I can provide them by chunking to 1GB/10M lines per file. Just throw me a python/bash/go script to chunk this large BS.

Refs:
https://vercara.com/news/digicert-to-acquire-vercara-strengthening-its-position-as-a-leader-in-digital-trust
https://www.businesswire.com/news/home/20240821736820/en/Vercara-Data-186-Increase-in-DDoS-Attacks-in-First-Half-of-2024
https://www.shadowserver.org/who-we-are/
https://en.wikipedia.org/wiki/Shadowserver_Foundation
https://www.abuseipdb.com/check/146.88.241.188
https://www.abuseipdb.com/check/65.49.1.79
https://cleantalk.org/blacklists/as19905

Thanked by 1xvps

Comments

  • matey0matey0 Member
    edited September 2024

    So they were probing your dns server for vulnerabilities so much it generated a 30GB log file and caused significant performance issues? Pretty sure this is illegal in many jurisdictions, but hey when it's an "altruistic non-profit for internet security" it's fine I guess :D

    Other option that comes to mind is DNS amplification? Are you sure your server isn't vulnerable? But don't know why someone would attack their scanner IPs.

    I would just -j DROP their whole ASN.

    Thanked by 1Frameworks
  • MumblyMumbly Member
    edited September 2024

    My services are being scanned by this crap daily.

    [02.09.-10:03] <-psyBNC> Mon Sep  2 10:03:05 :Illecit Connection from azpdwsb41.stretchoid.com. Closing Connection.
    [02.09.-10:59] <-psyBNC> Mon Sep  2 10:59:10 :Illecit Connection from 188.166.173.221. Closing Connection.
    [02.09.-11:26] <-psyBNC> Mon Sep  2 11:26:46 :Illecit Connection from scan-66-5.shadowserver.org. Closing Connection.
    [02.09.-11:26] <-psyBNC> Mon Sep  2 11:26:51 :Illecit Connection from scan-66-4.shadowserver.org. Closing Connection.
    [02.09.-15:48] <-psyBNC> Mon Sep  2 15:48:07 :Illecit Connection from 80.66.83.46. Closing Connection.
    [02.09.-15:48] <-psyBNC> Mon Sep  2 15:48:07 :Illecit Connection from 80.66.83.46. Closing Connection.
    [02.09.-15:48] <-psyBNC> Mon Sep  2 15:48:07 :Illecit Connection from 80.66.83.46. Closing Connection.
    [02.09.-18:03] <-psyBNC> Mon Sep  2 18:03:06 :Illecit Connection from 80.66.83.46. Closing Connection.
    [02.09.-18:03] <-psyBNC> Mon Sep  2 18:03:06 :Illecit Connection from 80.66.83.46. Closing Connection.
    [02.09.-18:03] <-psyBNC> Mon Sep  2 18:03:06 :Illecit Connection from 80.66.83.46. Closing Connection.
    [02.09.-19:28] <-psyBNC> Mon Sep  2 19:28:32 :Illecit Connection from rnd.group-ib.com. Closing Connection.
    [02.09.-20:08] <-psyBNC> Mon Sep  2 20:08:13 :Illecit Connection from 198.235.24.176. Closing Connection.
    [02.09.-20:08] <-psyBNC> Mon Sep  2 20:08:13 :Illecit Connection from 198.235.24.176. Closing Connection.
    [03.09.-00:32] <-psyBNC> Tue Sep  3 00:32:47 :Illecit Connection from 167.99.204.29. Closing Connection.
    [03.09.-02:25] <-psyBNC> Tue Sep  3 02:25:26 :Illecit Connection from azpdwsc34.stretchoid.com. Closing Connection.
    [03.09.-02:25] <-psyBNC> Tue Sep  3 02:25:26 :Illecit Connection from azpdwsc34.stretchoid.com. Closing Connection.
    [03.09.-02:25] <-psyBNC> Tue Sep  3 02:25:27 :Illecit Connection from azpdwsc34.stretchoid.com. Closing Connection.
    [03.09.-02:25] <-psyBNC> Tue Sep  3 02:25:27 :Illecit Connection from azpdwsc34.stretchoid.com. Closing Connection.
    [03.09.-02:25] <-psyBNC> Tue Sep  3 02:25:27 :Illecit Connection from azpdwsc34.stretchoid.com. Closing Connection.
    [03.09.-02:25] <-psyBNC> Tue Sep  3 02:25:28 :Illecit Connection from azpdwsc34.stretchoid.com. Closing Connection.
    [03.09.-02:25] <-psyBNC> Tue Sep  3 02:25:28 :Illecit Connection from azpdwsc34.stretchoid.com. Closing Connection.
    [03.09.-02:25] <-psyBNC> Tue Sep  3 02:25:28 :Illecit Connection from azpdwsc34.stretchoid.com. Closing Connection.
    [03.09.-02:25] <-psyBNC> Tue Sep  3 02:25:29 :Illecit Connection from azpdwsc34.stretchoid.com. Closing Connection.
    [03.09.-02:25] <-psyBNC> Tue Sep  3 02:25:29 :Illecit Connection from azpdwsc34.stretchoid.com. Closing Connection.
    [03.09.-04:55] <-psyBNC> Tue Sep  3 04:55:13 :Illecit Connection from scan-18.shadowserver.org. Closing Connection.
    [03.09.-04:55] <-psyBNC> Tue Sep  3 04:55:19 :Illecit Connection from scan-18.shadowserver.org. Closing Connection.
    [03.09.-12:37] <-psyBNC> Tue Sep  3 12:37:37 :Illecit Connection from 198.235.24.41. Closing Connection.
    [03.09.-12:37] <-psyBNC> Tue Sep  3 12:37:38 :Illecit Connection from 198.235.24.41. Closing Connection.
    
  • Sue them for causing global warming. They make your servers to work harder = consume more energy.

  • tentortentor Member, Host Rep
    edited September 2024

    @Boogeyman said: I run a small DNS recursor which is being attacked by Vercara/Shadow Server/Neustar Security Services
    Received query: 146.88.241.188:1900 uwgb.edu. 255

    I guess you are a victim of a DNS amplification attack (and you are the amplifier)

  • BoogeymanBoogeyman Member
    edited September 2024

    @matey0 said: Other option that comes to mind is DNS amplification?

    @tentor said: I guess you are a victim of DNS amplification attack (and you are the amplificator)

    It's def amplification. What else would be ANY/TXT (255 is ANY in the miekg/dns library) other than this? But the question is whether some random script kiddie did that for fun. But they are a managed DNS and cyber security service provider. Is this the norm in cyber security, to make an honest buck by first stealing and then selling locks?

  • tentortentor Member, Host Rep

    @Boogeyman said: the question is whether some random script kiddie did that for fun. But they are a managed DNS and cyber security service provider. Is this the norm in cyber security, to make an honest buck by first stealing and then selling locks?

    I am sure someone with source IP address spoofing targets whoever you see in your logs.

    Also, I would recommend you to not allow recursion unless serving requests from within LAN you control.

  • BoogeymanBoogeyman Member
    edited September 2024

    @tentor said: I am sure someone with source IP address spoofing targets whoever you see in your logs.

    Also, I would recommend you to not allow recursion unless serving requests from within LAN you control.

    I know PDNS has all this, but I needed some custom control. Looks like my DNS server isn't safe out there until I implement some more features. For now I will keep this behind DNSDist, which would still serve my purpose.

    This could be either a spoof or an inside job. Who knows. Can't spend much on a hobby.

  • tentortentor Member, Host Rep

    @Boogeyman said: My DNS server isn't safe out there until I implement some more features.

    Given that you have said that your DNS server is a recursor (if you meant "only"), you will be safe to discard any traffic from the global Internet to 53/udp. Only allow traffic from the LAN interface coming to the 53/udp port. This will prevent any further abuse of your DNS server.

  • @Boogeyman said: My DNS server isn't safe out there until I implement some more features.

    @tentor said: Given that you have said that your DNS server is a recursor (if you meant "only"), you will be safe to discard any traffic from the global Internet to 53/udp. Only allow traffic from the LAN interface coming to the 53/udp port. This will prevent any further abuse of your DNS server.

    Just that I can have my own DoT/DoH on a random network. It's one of those "I roll everything on my own" situations. I need to implement rate limiting/a custom DSL for this. Also wanted to share with some friends/families.
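    The two controls discussed in this exchange, tentor's "only answer 53/udp from the LAN" advice and Boogeyman's planned rate limit, plus a refusal of the ANY queries (qtype 255) seen in the log, as a single decision function. This is an added example, not Boogeyman's server code and not part of miekg/dns; it uses only the Go standard library, with a hand-written parser for the question section. The names `policy`, `decide`, `parseQuestion` and `buildQuery` are this example's own, the LAN prefixes and the rate-limit numbers are assumed, and the sample packets are constructed here; the `146.88.241.188:1900` ANY query for `uwgb.edu` mirrors the log line tentor quoted.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net/netip"
	"strings"
	"time"
)

// Query types mentioned in the thread: 16 is TXT, 255 is ANY.
const (
	typeTXT uint16 = 16
	typeANY uint16 = 255
)

// question is the first question of a DNS query message.
type question struct {
	Name  string
	Qtype uint16
}

// parseQuestion reads the header and first question from a raw DNS message.
// Client questions carry uncompressed names, so a compression pointer is malformed input.
func parseQuestion(msg []byte) (question, error) {
	if len(msg) < 12 {
		return question{}, errors.New("short header")
	}
	if binary.BigEndian.Uint16(msg[4:6]) == 0 {
		return question{}, errors.New("no question section")
	}
	off, labels := 12, []string{}
	for {
		if off >= len(msg) {
			return question{}, errors.New("truncated name")
		}
		l := int(msg[off])
		off++
		if l == 0 {
			break
		}
		if l&0xC0 != 0 || off+l > len(msg) {
			return question{}, errors.New("bad label")
		}
		labels = append(labels, string(msg[off:off+l]))
		off += l
	}
	if off+4 > len(msg) {
		return question{}, errors.New("truncated question")
	}
	name := strings.ToLower(strings.Join(labels, ".")) + "."
	return question{Name: name, Qtype: binary.BigEndian.Uint16(msg[off : off+2])}, nil
}

// policy is the recursor's admission control: a source allowlist (LAN only),
// a refusal of ANY, and a fixed-window per-source rate limit (assumed design).
type policy struct {
	allowed []netip.Prefix
	limit   int // queries per source per window
	window  time.Duration
	buckets map[netip.Addr]*bucket
}

type bucket struct {
	start time.Time
	count int
}

func newPolicy(lans []string, limit int, window time.Duration) (*policy, error) {
	p := &policy{limit: limit, window: window, buckets: map[netip.Addr]*bucket{}}
	for _, s := range lans {
		pfx, err := netip.ParsePrefix(s)
		if err != nil {
			return nil, err
		}
		p.allowed = append(p.allowed, pfx)
	}
	return p, nil
}

// decide returns whether to serve the query and why; the clock is injected for testability.
func (p *policy) decide(src netip.AddrPort, msg []byte, now time.Time) (bool, string) {
	addr := src.Addr().Unmap()
	inLAN := false
	for _, pfx := range p.allowed {
		inLAN = inLAN || pfx.Contains(addr)
	}
	if !inLAN {
		return false, "drop: source outside allowed networks" // tentor's rule: no recursion for the Internet
	}
	q, err := parseQuestion(msg)
	if err != nil {
		return false, "drop: " + err.Error()
	}
	if q.Qtype == typeANY {
		// ANY is the classic amplification query; RFC 8482 permits a minimal answer, refusing is simpler.
		return false, "refused: ANY query"
	}
	b := p.buckets[addr]
	if b == nil || now.Sub(b.start) >= p.window {
		b = &bucket{start: now}
		p.buckets[addr] = b
	}
	b.count++
	if b.count > p.limit {
		return false, "drop: rate limit exceeded"
	}
	return true, "serve " + q.Name
}

// buildQuery constructs a minimal wire-format query (constructed sample input, RD set, class IN).
func buildQuery(name string, qtype uint16) []byte {
	msg := []byte{0x12, 0x34, 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0}
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		msg = append(msg, byte(len(label)))
		msg = append(msg, label...)
	}
	return append(msg, 0, byte(qtype>>8), byte(qtype), 0, 1)
}

func main() {
	p, _ := newPolicy([]string{"10.0.0.0/8", "192.168.0.0/16"}, 20, time.Second)
	now := time.Now()
	internet := netip.MustParseAddrPort("146.88.241.188:1900") // source quoted in the thread
	lan := netip.MustParseAddrPort("192.168.1.20:40000")        // constructed LAN client
	for _, c := range []struct {
		src netip.AddrPort
		q   []byte
	}{{internet, buildQuery("uwgb.edu.", typeANY)}, {lan, buildQuery("uwgb.edu.", typeANY)}, {lan, buildQuery("uwgb.edu.", typeTXT)}} {
		ok, reason := p.decide(c.src, c.q, now)
		fmt.Printf("%s -> serve=%v (%s)\n", c.src, ok, reason)
	}
}
```

    The allowlist check runs before the packet is parsed, so spoofed Internet traffic costs one prefix lookup and no log line, which is the point of tentor's advice: an open recursor that merely logs the junk still pays for it in disk and CPU, as the 39GB file shows. The per-source limiter only protects LAN clients from each other; a DoT/DoH front for friends and family, as Boogeyman intends, would put those users inside the allowlist and rely on this limiter instead.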

  • @Mumbly said:
    My services are being scanned by this crap daily.

    [02.09.-10:03] <-psyBNC> Mon Sep  2 10:03:05 :Illecit Connection from azpdwsb41.stretchoid.com. Closing Connection.
    [02.09.-10:59] <-psyBNC> Mon Sep  2 10:59:10 :Illecit Connection from 188.166.173.221. Closing Connection.
    [02.09.-11:26] <-psyBNC> Mon Sep  2 11:26:46 :Illecit Connection from scan-66-5.shadowserver.org. Closing Connection.
    [02.09.-11:26] <-psyBNC> Mon Sep  2 11:26:51 :Illecit Connection from scan-66-
    

    You should change your psyBNC port and add a firewall to that server.

  • @dedicados said: you should change your psybnc port

    Each of my BNCs has a random port in the 4xxxx–5xxxxx range. I can change it, but I don't bother since I have so many BNCs scattered around that don't stay permanently on a specific server. :)
    Connection to the BNC isn't possible due to allowed-hosts restrictions. That's just noise.

  • neustar has strong cia ties.
