cloudstack-dev mailing list archives

From Nux! <...@li.nux.ro>
Subject Re: [security] The case of the open dns resolver
Date Tue, 24 Jun 2014 08:30:25 GMT
Hi,

I'm on 4.3/KVM/ADV+SG. The rules that I am talking about are the ones from within the VR and
they explicitly open port 53 to everyone.

Lucian

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro


----- Original Message -----
From: "Erik Weber" <terbolous@gmail.com>
To: "dev" <dev@cloudstack.apache.org>
Sent: Monday, 23 June, 2014 9:02:23 PM
Subject: Re: [security] The case of the open dns resolver

On Mon, Jun 23, 2014 at 12:31 PM, Nux! <nux@li.nux.ro> wrote:

> Hi,
>
> Today I've been bitten again by the $subject and complaints were sent to
> my hoster's abuse email address; apparently someone used my VR in a DDOS
> attack.
> It is my fault as I knew about this issue, but I'd like to throw the blame
> on Cloudstack. :)
>
> So, the VR is accepting DNS requests from everybody on the interwebs and
> this should be changed, imho.
>
> I see there are already iptables rules concerning port 8080 of the VR and
> only the public IP ranges are allowed. Why isn't this the case for port 53
> as well?
>
> I have placed this script in my VR's rc.local, but it's not kosher at all.
>
> # disallows global DNS traffic and only allows it from the cloud public subnets
> for i in `iptables-save | grep 8080 | awk '{print $4}'`; do
>   iptables -I INPUT -s "$i" -p tcp -m tcp --dport 53 -j ACCEPT
>   iptables -I INPUT -s "$i" -p udp -m udp --dport 53 -j ACCEPT
> done
> iptables -D INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
> iptables -D INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
>
> This could be greatly improved and added in the official tree.
> Currently I'm getting the subnets by checking which IPs the 8080 rules
> apply, how can I retrieve this information in a more elegant way?
>


Which version are you running?

On a 4.3 installation I see no iptables rules that allow it on the public
interface, and testing it externally fails due to the default DROP rule.


-- 
Erik Weber
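An added example, not code from this thread or from CloudStack: it audits an iptables-save dump for port-53 ACCEPT rules on the public interface that carry no source restriction (the open-resolver case Nux describes) and derives scoped replacements from the subnets the existing 8080 rules already trust, by parsing the rules instead of grepping them. The dump, interface names and subnets are constructed.

```python
"""Audit an iptables-save dump from a CloudStack virtual router for port-53 ACCEPT
rules open to any source; derive replacements scoped to the port-8080 subnets."""
import shlex

# Constructed sample: 8080 scoped to two public subnets, port 53 open on the
# public interface eth0 (the open-resolver case), and port 53 on the guest
# interface eth1, which the VR legitimately serves and must keep.
SAMPLE_DUMP = """\
:INPUT DROP [0:0]
-A INPUT -s 203.0.113.0/24 -i eth0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -s 198.51.100.0/25 -i eth0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 53 -j ACCEPT
COMMIT
"""
KEYS = ("-A", "-s", "-i", "-p", "--dport", "-j")

def parse_rules(dump):
    """Return one dict per '-A' rule with the fields the audit needs."""
    rules = []
    for line in dump.splitlines():
        if not line.startswith("-A "):
            continue  # table headers, chain policies, COMMIT
        argv = shlex.split(line)
        opts = {t: argv[i + 1] for i, t in enumerate(argv[:-1]) if t in KEYS}
        rules.append({"src": opts.get("-s"), "iface": opts.get("-i"),
                      "proto": opts.get("-p"), "dport": opts.get("--dport"),
                      "target": opts.get("-j"), "raw": line})
    return rules

def trusted_subnets(rules, port="8080"):
    """Source subnets the port-8080 rules accept: the cloud's public ranges."""
    return sorted({r["src"] for r in rules
                   if r["dport"] == port and r["target"] == "ACCEPT" and r["src"]})

def open_dns_rules(rules, iface="eth0"):
    """Port-53 ACCEPT rules on the public interface with no source restriction."""
    return [r for r in rules if r["dport"] == "53" and r["target"] == "ACCEPT"
            and r["src"] is None and r["iface"] == iface]

def replacement_commands(rules, iface="eth0"):
    """Per open rule: insert one scoped ACCEPT per trusted subnet, then delete it."""
    cmds = []
    for r in open_dns_rules(rules, iface):
        for net in trusted_subnets(rules):
            cmds.append(f"iptables -I INPUT -s {net} -i {iface} -p {r['proto']} "
                        f"-m {r['proto']} --dport 53 -j ACCEPT")
        cmds.append("iptables -D " + r["raw"][len("-A "):])  # drop the open rule
    return cmds
```

The eth1 rule is deliberately left alone: guests on the internal network still need the VR to answer DNS, so only the public interface is scoped.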
