Off the hook

It has been more than a month since I was able to write a single post. Previously I could find time to do some experiments when I came home. However, after the recent silly attack on my poor RtooDtoo.net server, it took me a really long time to bring it back on its feet. I still have a list of security measures to implement or improve on the server and in the firewall configuration, but a hectic life sometimes prevents you from being prolific. In the meantime, I have temporarily put the rtoodtoo.net server behind a Firefly Perimeter firewall and activated the IDP service. It has been running for around a week now and it has already blocked 15 BASH code injection attempts. I don’t really mind sharing my attack statistics, actually. Here is the list:

root@fw1> show security idp attack table 
IDP attack statistics:

  Attack name                                  #Hits
  DNS:AUDIT:AAAA-RR                            21639      
  DNS:TRAFFIC-UDP                              13197      
  HTTP:AUDIT:HTTP-VER-1.0                      3904       
  HTTP:AUDIT:HTTP-1.0-HOST-HEADER              3898       
  HTTP:INFO:SPIDER-ROBOT                       3620       
  HTTP:UA:MOBILE                               3283       
  HTTP:UA:GOOGLEBOT                            1707       
  DNS:REQUEST-RRTYPE-ANY                       1493       
  HTTP:AUDIT:REMOTE-URL-IN-VAR                 1261       
  HTTP:INFO:HTTPPOST-GETSTYLE                  1143       
  HTTP:UA:MSN-BINGBOT                          890        
  HTTP:AUDIT:ROBOTS.TXT                        422        
  HTTP:SQL:INJ:GENERIC                         197        
  HTTP:STC:SRVRSP:COMPRESSED                   46         
  HTTP:AUDIT:UNWISE-CHAR                       24         
  HTTP:PROXY:HTTP-PROXY-GET                    21         
  HTTP:CGI:BASH-CODE-INJECTION                 15         
  HTTP:DIR:PARAMETER-TRAVERSE                  8          
  HTTP:EXPLOIT:SMALL-FIRST-DATA                7          
  DNS:REQUEST:REVERSE-LOOKUP                   6          
  HTTP:PASSWD:COMMON                           6          
  HTTP:UA:WGET                                 5          
  HTTP:PHP:WP-BRUTE-FORCE-LOGIN                4          
  HTTP:PHP:WP-SLIDER-REV-AFD                   4          
  HTTP:UA:CRAZY-BROWSER                        3          
  HTTP:UA:CURL                                 3          
  HTTP:CGI:NULL-ENCODING                       2          
  HTTP:AUDIT:FW1-SCHEME-OF                     1          
  HTTP:AUDIT:GENERIC-FMT-STR                   1          
  HTTP:EXPLOIT:D-LINK-ADMIN-PW                 1          
  HTTP:OVERFLOW:MISSING-VER-BO                 1          
  HTTP:PHP:JOOMLA-ADMIN-SCAN                   1          
  HTTP:PHP:WP-README-SCAN                      1          
  HTTP:PHP:WP-XML-RPC-PINGBACK-PP              1          
  HTTP:REQERR:BIN-DATA-HEADER                  1          
  HTTP:SQL:INJ:HEADER-1                        1          
  HTTP:TUNNEL:PROXY                            1          

I am not blocking all of them, of course; otherwise the site wouldn’t even run properly. Real attacks are blocked, though. The title of the post is “Off the hook”, but I am not there yet. I have a bunch of things that I would like to write about, and I would like to start writing again as soon as possible. Maybe in a couple of days. Time will tell.
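The table above mixes audit and user-agent signatures with real attack signatures, which is why not every row is a blocking candidate. The following Python example (added here, not code from the post) parses the `show security idp attack table` output and splits the rows into informational and attack classes; the grouping by the signature’s second token is the example’s own assumption, not a Juniper severity mapping, and the sample output is an abridged copy of the table in the post.

```python
import re
from collections import defaultdict

# Constructed sample: an abridged copy of the post's table, same line format.
SAMPLE_OUTPUT = """\
root@fw1> show security idp attack table
IDP attack statistics:

  Attack name                                  #Hits
  DNS:AUDIT:AAAA-RR                            21639
  HTTP:AUDIT:HTTP-VER-1.0                      3904
  HTTP:INFO:SPIDER-ROBOT                       3620
  HTTP:UA:GOOGLEBOT                            1707
  HTTP:SQL:INJ:GENERIC                         197
  HTTP:CGI:BASH-CODE-INJECTION                 15
  HTTP:DIR:PARAMETER-TRAVERSE                  8
  HTTP:PHP:WP-BRUTE-FORCE-LOGIN                4
"""

# Second-level tokens treated as audit/inventory rather than attacks.
# Assumption: this grouping is the example's own, not a Juniper severity mapping.
INFORMATIONAL = {"AUDIT", "INFO", "UA", "TRAFFIC-UDP", "STC",
                 "REQUEST-RRTYPE-ANY", "REQUEST"}

# A data row is a colon-separated signature name followed by an integer hit count.
ROW_RE = re.compile(r"^\s*(\S+:\S+)\s+(\d+)\s*$")


def parse_attack_table(text):
    """Return (attack_name, hits) tuples from 'show security idp attack table' output."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append((m.group(1), int(m.group(2))))
    return rows


def classify(name):
    """'informational' for audit/user-agent style signatures, 'attack' otherwise."""
    parts = name.split(":")
    return "informational" if len(parts) > 1 and parts[1] in INFORMATIONAL else "attack"


def summarize(rows):
    """Hit totals per class, plus attack-class rows sorted by hits (blocking candidates)."""
    totals = defaultdict(int)
    for name, hits in rows:
        totals[classify(name)] += hits
    attacks = sorted((r for r in rows if classify(r[0]) == "attack"), key=lambda r: -r[1])
    return dict(totals), attacks
```

Feeding the full table from a real device (for example via `show security idp attack table | no-more`) into `parse_attack_table` gives the same split over all signatures.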

About: rtoodtoo

Worked for more than 10 years as a Network/Support Engineer; also interested in Python, Linux, Security and SD-WAN. Currently living in the Netherlands and working as a Network Support Engineer. // JNCIE-SEC #223 / RHCE / PCNSE


6 thoughts on “Off the hook”

  1. Glad to see you are back on your feet. I see you are getting hit with DNS record attacks too. I have been fighting these back against China for the last few months using Cisco ASAs. I found it easier to block 99% of APNIC and RIPE. I then go back and add very specific filters to allow valid caching or CDN servers located around the world. I don’t know yet how anyone COULD get a Shellshock attack to work against my servers from the WAN, but I have confirmed my Linux servers are vulnerable internally. I am very surprised someone with your experience and skill had an attack take you down for any length of time. Keep fighting the good fight and keep us posted on what you learn. Cheers!

  2. Hi Joe,
    I am not blocking these apps actually. The list contains the identified applications as well, and I am blocking a few of them. As I am also keeping the DNS server of rtoodtoo.net, the number of requests keeps increasing slowly.

  3. I see. I also noticed your hosting location and realize it would not be ideal for you to block RIPE’s networks like it is for me in the USA.

    I’ve been following your site for a while and would like the chance to work with you. With your level of knowledge of Juniper equipment, are you available for any consulting opportunities at this time? If you don’t already know, Juniper is looking to hire for perm positions focusing on Junos Space. You have my email, so if you are interested let me know through there.

  4. Oh I just did some more searching and now realize you are already with Juniper. That makes sense.

    1. Anders,
      As I was testing the policy config, I used the default web server policy templates that come with the IDP installation. Nothing special.

      Genco.
