When it comes to port scans, psad is truly a godsend. This tool simply sits "listening" on the server, waiting to intercept any packets sent to a more or less wide range of ports.
This morning, thanks to that tool, I received a flood of emails like the following:
=-=-=-=-=-=-=-=-=-=-=-= Mon Aug 20 11:56:55 2012 =-=-=-=-=-=-=-=-=-=-=-=

       Danger level: [2] (out of 5)
  Scanned UDP ports: [17565: 1 packets, Nmap: -sU]
     iptables chain: INPUT (prefix "Generic log entry:"), 1 packets

             Source: 188.237.169.123
                DNS: host-static-188-237-169-123.moldtelecom.md

        Destination: 10.*.*.*
                DNS: [No reverse dns info available]

 Overall scan start: Mon Aug 20 08:59:05 2012
 Total email alerts: 9
 Complete UDP range: [1024-17565]
    Syslog hostname: *

Global stats:
   chain:   interface:   TCP:   UDP:   ICMP:
   INPUT    eth1         0      19     0

[+] Whois Information:

% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '188.237.168.0 - 188.237.175.255'

inetnum:        188.237.168.0 - 188.237.175.255
netname:        MOLDTELECOM-NET
descr:          JSC "Moldtelecom" S.A.
descr:          Chisinau, Moldova
country:        MD
admin-c:        MLA32-RIPE
tech-c:         MLA32-RIPE
status:         ASSIGNED PA
remarks:        INFRA-AW
remarks:        MaxFiber Users, IPMPLS Moldova
mnt-by:         MOLDTELECOM-MNT
source:         RIPE # Filtered

role:           Moldtelecom LIR Adminstrators
remarks:
address:        JSC "Moldtelecom" S.A.
address:        10, Stefan cel Mare ave.
address:        Chisinau, Moldova
address:        MD-2001
phone:          +373 22570565
fax-no:         +373 22542601
remarks:
admin-c:        VSM13-RIPE
tech-c:         NM2546-RIPE
nic-hdl:        MLA32-RIPE
abuse-mailbox:  cert.mtc@moldtelecom.md
remarks:
mnt-by:         MOLDTELECOM-MNT
source:         RIPE # Filtered

% Information related to '188.237.128.0/18AS8926'

route:          188.237.128.0/18
descr:          JSC "Moldtelecom" S.A.
descr:          10, Stefan cel Mare ave.,
descr:          MD-2001, Chisinau, Moldova
origin:         AS8926
mnt-by:         MOLDTELECOM-MNT
source:         RIPE # Filtered

% This query was served by the RIPE Database Query Service version 1.19.5 (WHOIS2)

=-=-=-=-=-=-=-=-=-=-=-= Mon Aug 20 11:56:55 2012 =-=-=-=-=-=-=-=-=-=-=-=


=-=-=-=-=-=-=-=-=-=-=-= Mon Aug 20 11:59:31 2012 =-=-=-=-=-=-=-=-=-=-=-=

       Danger level: [2] (out of 5)
  Scanned UDP ports: [17565: 1 packets, Nmap: -sU]
     iptables chain: INPUT (prefix "Generic log entry:"), 1 packets

             Source: 176.102.218.106
                DNS: [No reverse dns info available]

        Destination: 10.*.*.*
                DNS: [No reverse dns info available]

 Overall scan start: Mon Aug 20 10:03:03 2012
 Total email alerts: 15
 Complete UDP range: [1024-17565]
    Syslog hostname: *

Global stats:
   chain:   interface:   TCP:   UDP:   ICMP:
   INPUT    eth1         0      32     0

[+] Whois Information:

#
# Query terms are ambiguous.  The query is assumed to be:
#     "n 176.102.218.106"
#
# Use "?" to get help.
#

#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=176.102.218.106?showDetails=true&showARIN=false&ext=netref2
#

NetRange:       176.0.0.0 - 176.255.255.255
CIDR:           176.0.0.0/8
OriginAS:
NetName:        RIPE-176
NetHandle:      NET-176-0-0-0-0
Parent:
NetType:        Allocated to RIPE NCC
Comment:        These addresses have been further assigned to users in
Comment:        the RIPE NCC region. Contact information can be found in
Comment:        the RIPE database at http://www.ripe.net/whois
RegDate:        1993-05-01
Updated:        2010-05-18
Ref:            http://whois.arin.net/rest/net/NET-176-0-0-0-0

OrgName:        RIPE Network Coordination Centre
OrgId:          RIPE
Address:        P.O. Box 10096
City:           Amsterdam
StateProv:
PostalCode:     1001EB
Country:        NL
RegDate:
Updated:        2011-09-24
Ref:            http://whois.arin.net/rest/org/RIPE

ReferralServer: whois://whois.ripe.net:43

OrgAbuseHandle: RNO29-ARIN
OrgAbuseName:   RIPE NCC Operations
OrgAbusePhone:  +31 20 535 4444
OrgAbuseEmail:  hostmaster@ripe.net
OrgAbuseRef:    http://whois.arin.net/rest/poc/RNO29-ARIN

OrgTechHandle:  RNO29-ARIN
OrgTechName:    RIPE NCC Operations
OrgTechPhone:   +31 20 535 4444
OrgTechEmail:   hostmaster@ripe.net
OrgTechRef:     http://whois.arin.net/rest/poc/RNO29-ARIN

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#

Found a referral to whois.ripe.net:43.

% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '176.102.192.0 - 176.102.223.255'

inetnum:        176.102.192.0 - 176.102.223.255
netname:        FOBOS-NET
descr:          Center for Information Technologies "Fobos" Ltd.
country:        UA
org:            ORG-FOBO2-RIPE
admin-c:        AP7848-RIPE
tech-c:         AP7848-RIPE
status:         ASSIGNED PI
mnt-by:         RIPE-NCC-END-MNT
mnt-lower:      RIPE-NCC-END-MNT
mnt-by:         KUTS-MNT
mnt-routes:     KUTS-MNT
mnt-domains:    KUTS-MNT
source:         RIPE # Filtered

organisation:   ORG-FOBO2-RIPE
org-name:       Center for Information Technologies "Fobos" Ltd.
org-type:       OTHER
address:        39800, Ukraine, Poltavsky reg. Komsomolsk, Lenina str., 40
mnt-ref:        vissado-mnt
mnt-by:         vissado-mnt
source:         RIPE # Filtered

person:         Andrew Philonenko
address:        Lenina str., 41/185
address:        Poltava reg
address:        39800 Komsomolsk, Ukraine
phone:          +380633131008
fax-no:         +380534830742
nic-hdl:        AP7848-RIPE
mnt-by:         KUTS-MNT
source:         RIPE # Filtered

% Information related to '176.102.192.0/19AS39822'

route:          176.102.192.0/19
descr:          FobosRoute
origin:         AS39822
mnt-by:         KUTS-MNT
source:         RIPE # Filtered

% This query was served by the RIPE Database Query Service version 1.19.5 (WHOIS3)

=-=-=-=-=-=-=-=-=-=-=-= Mon Aug 20 11:59:31 2012 =-=-=-=-=-=-=-=-=-=-=-=

and again:

=-=-=-=-=-=-=-=-=-=-=-= Mon Aug 20 11:45:10 2012 =-=-=-=-=-=-=-=-=-=-=-=

       Danger level: [2] (out of 5)
  Scanned UDP ports: [17565: 1 packets, Nmap: -sU]
     iptables chain: INPUT (prefix "Generic log entry:"), 1 packets

             Source: 178.238.218.219
                DNS: [No reverse dns info available]

        Destination: 10.*.*.*
                DNS: [No reverse dns info available]

 Overall scan start: Mon Aug 20 08:59:30 2012
 Total email alerts: 5
 Complete UDP range: [1024-17565]
    Syslog hostname: *

Global stats:
   chain:   interface:   TCP:   UDP:   ICMP:
   INPUT    eth1         0      15     0

[+] Whois Information:

% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '178.238.218.0 - 178.238.218.255'

inetnum:        178.238.218.0 - 178.238.218.255
netname:        EUROLINK
descr:          Eurolink Bt.
country:        HU
admin-c:        LB1142-RIPE
tech-c:         LB1142-RIPE
status:         ASSIGNED PA
mnt-by:         DENINET-MNT
source:         RIPE # Filtered

person:         Lorant Budavari
address:        WLA Interservices Ltd.
address:        Margit u. 114.
address:        Budapest, 1165
address:        Hungary
phone:          +36 1 9994294
fax-no:         +36 1 4020274
nic-hdl:        LB1142-RIPE
source:         RIPE # Filtered
mnt-by:         DENINET-MNT

% Information related to '178.238.218.0/24AS33947'

route:          178.238.218.0/24
descr:          WLA Interservices Ltd.
mnt-by:         WLA-NET-MNT
origin:         AS33947
mnt-by:         DENINET-MNT
source:         RIPE # Filtered

% This query was served by the RIPE Database Query Service version 1.19.5 (WHOIS1)

=-=-=-=-=-=-=-=-=-=-=-= Mon Aug 20 11:45:10 2012 =-=-=-=-=-=-=-=-=-=-=-=
In short, these are 3 IP addresses from Eastern Europe, namely:
1) 188.237.169.123 (Moldovan);
2) 176.102.218.106 (Ukrainian);
3) 178.238.218.219 (Hungarian).
These port scans target the UDP transport protocol and the ports associated with it (non-well-known ports, i.e. those above 1023).
UDP is used mostly for audio/video traffic and instant messaging, because, having no control or retransmission mechanisms, it allows high transfer rates.
But why target this particular protocol? Well, I suppose because many software VoIP PBXs are real sieves... and because those PBXs use UDP for transport.
The solution? 3 little rules to add to the netfilter INPUT chain:
sudo iptables -A INPUT -i eth1 -s 188.237.169.123 -j DROP
sudo iptables -A INPUT -i eth1 -s 176.102.218.106 -j DROP
sudo iptables -A INPUT -i eth1 -s 178.238.218.219 -j DROP
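Reading a flood of alerts like the ones above by hand and typing one DROP rule per source does not scale, so here is an added example (my own code, not part of the original post and not part of psad) that parses the alert e-mail format shown above, applies a simple policy and emits the same kind of iptables rule the post uses. The two sample alerts are constructed in the layout of the e-mails quoted above, with addresses from the TEST-NET documentation ranges and a made-up abuse mailbox; the `min_danger` threshold, the `never_block` list and the `eth1` interface are assumptions of this example, not psad settings.

```python
import re
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample alerts in the layout of the psad e-mails quoted in the post
# (same field names and header line; addresses are TEST-NET documentation
# ranges and the abuse mailbox is made up, not taken from a real whois record).
SAMPLE_HIGH = """\
=-=-=-=-=-=-=-=-=-=-=-= Mon Aug 20 11:56:55 2012 =-=-=-=-=-=-=-=-=-=-=-=

       Danger level: [2] (out of 5)
  Scanned UDP ports: [17565: 1 packets, Nmap: -sU]
     iptables chain: INPUT (prefix "Generic log entry:"), 1 packets

             Source: 203.0.113.45
                DNS: [No reverse dns info available]

        Destination: 10.*.*.*
                DNS: [No reverse dns info available]

 Overall scan start: Mon Aug 20 08:59:05 2012
 Total email alerts: 9
 Complete UDP range: [1024-17565]

[+] Whois Information:
inetnum:        203.0.113.0 - 203.0.113.255
abuse-mailbox:  abuse@example.net
"""

SAMPLE_LOW = """\
=-=-=-=-=-=-=-=-=-=-=-= Mon Aug 20 12:03:41 2012 =-=-=-=-=-=-=-=-=-=-=-=

       Danger level: [1] (out of 5)
  Scanned TCP ports: [22: 1 packets, Nmap: -sS]

             Source: 198.51.100.7
                DNS: [No reverse dns info available]

 Overall scan start: Mon Aug 20 12:03:40 2012
 Total email alerts: 1
 Complete TCP range: [22-22]
"""


@dataclass
class Alert:
    source: str
    danger: int                    # psad danger level, 1..5
    proto: str                     # "TCP" or "UDP"
    ports: List[Tuple[str, int]]   # (port or port range, packets seen)
    alerts_so_far: int             # "Total email alerts" counter for this source
    abuse_contact: Optional[str]   # abuse-mailbox from the whois block, if any


def parse_alert(text: str) -> Alert:
    """Pull the fields a blocking decision needs out of one psad alert e-mail."""
    src = re.search(r'^\s*Source:\s*(\S+)', text, re.M)
    lvl = re.search(r'^\s*Danger level:\s*\[(\d+)\]', text, re.M)
    scan = re.search(r'^\s*Scanned (TCP|UDP) ports:\s*\[(.*)\]', text, re.M)
    total = re.search(r'^\s*Total email alerts:\s*(\d+)', text, re.M)
    abuse = re.search(r'^\s*abuse-mailbox:\s*(\S+)', text, re.M)
    if not (src and lvl and scan and total):
        raise ValueError("not a psad alert: a required field is missing")
    ports = [(p, int(n)) for p, n in
             re.findall(r'(\d+(?:-\d+)?):\s*(\d+) packets', scan.group(2))]
    return Alert(source=src.group(1), danger=int(lvl.group(1)), proto=scan.group(1),
                 ports=ports, alerts_so_far=int(total.group(1)),
                 abuse_contact=abuse.group(1) if abuse else None)


# Assumed policy: RFC 1918 and loopback are never blocked by an automated rule.
DEFAULT_NEVER_BLOCK = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")


def block_rule(alert: Alert, min_danger: int = 2, iface: str = "eth1",
               never_block=DEFAULT_NEVER_BLOCK) -> Optional[str]:
    """Return the iptables command for this alert, or None if it does not merit a block.

    The command mirrors the three rules in the post; min_danger and never_block
    are assumptions of this example."""
    ip = ipaddress.ip_address(alert.source)
    if any(ip in ipaddress.ip_network(net) for net in never_block):
        return None  # never let an automated rule cut off our own ranges
    if alert.danger < min_danger:
        return None
    return f"iptables -A INPUT -i {iface} -s {alert.source} -j DROP"


def plan_blocks(alert_texts, **policy) -> List[str]:
    """Turn a mailbox full of alerts into one DROP rule per source, in first-seen order."""
    rules, seen = [], set()
    for text in alert_texts:
        alert = parse_alert(text)
        rule = block_rule(alert, **policy)
        if rule and alert.source not in seen:   # psad repeats alerts for one source
            seen.add(alert.source)
            rules.append(rule)
    return rules


if __name__ == "__main__":
    for line in plan_blocks([SAMPLE_HIGH, SAMPLE_HIGH, SAMPLE_LOW]):
        print(line)
```

Run it and it prints a single DROP rule for the high-danger source; the repeated alert for that source is collapsed and the danger-level-1 alert is ignored. Before piping the output into a shell, two practical checks are worth keeping in mind: `iptables -C INPUT ...` with the same arguments tells you whether an identical rule is already present, and a rule appended with `-A` only takes effect if no earlier rule in the chain has already accepted the packet.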
Note that I spoke of a crew, since the source IPs of the attack expose no published services (apart from one that is listening on http/https, but with no index page) and they are most likely plain ADSL lines (a bit like our Alice). Finally, supporting my hypothesis is the fact that there are no domain names associated with the IPs in question (apart from the ADSL hostname).
Ultimately, emailing their ISP would be completely useless, so there is (at least for now) no definitive solution to this plague. So let's let psad do its dirty work and step in when needed with a few netfilter rules.
See you soon.