Author  Topic: "Link saturation" (Read 7097 times)

mr_brunatny
"Link saturation"
« on: January 14, 2015, 10:49:15 pm »
Hello

I have a server (OpenSuse 11.0) with two network cards. Its role is internet gateway, firewall, web server and mail server.
For several days, in the evenings and at night, I have been observing a significant drop in the speed of the external link. iftop on the external card shows me strange connections and heavy outgoing traffic. iftop on the internal network card does not show such traffic.
In the logs at that time I have:
/var/log/messages
Jan 12 19:13:05 server named[2661]: network unreachable resolving '0.client-channel.google.com/A/IN': 216.239.38.10#53
Jan 12 19:13:05 server named[2661]: network unreachable resolving 'clients4.google.com/A/IN': 194.204.152.34#53
Jan 12 19:13:05 server named[2661]: network unreachable resolving 'clients4.google.com/A/IN': 216.239.32.10#53
Jan 12 19:13:05 server named[2661]: network unreachable resolving 'www.google.com/A/IN': 216.239.34.10#53
Jan 12 19:13:05 server named[2661]: network unreachable resolving 'www.google.com/A/IN': 216.239.36.10#53
Jan 12 19:13:05 server named[2661]: network unreachable resolving 'www.google.com/A/IN': 216.239.38.10#53
Jan 12 19:13:05 server named[2661]: network unreachable resolving '155.119.254.8.in-addr.arpa/PTR/IN': 194.204.152.34#53
Jan 12 19:13:05 server named[2661]: network unreachable resolving 'clients4.google.com/A/IN': 216.239.34.10#53
Jan 12 19:13:05 server named[2661]: network unreachable resolving 'clients4.google.com/A/IN': 216.239.36.10#53
Jan 12 19:13:05 server named[2661]: network unreachable resolving 'clients4.google.com/A/IN': 216.239.38.10#53
Jan 12 19:13:05 server named[2661]: network unreachable resolving '155.119.254.8.in-addr.arpa/PTR/IN': 199.212.0.73#53
Jan 12 19:13:05 server named[2661]: network unreachable resolving '155.119.254.8.in-addr.arpa/PTR/IN': 200.10.60.53#53
Jan 12 19:13:05 server named[2661]: network unreachable resolving '155.119.254.8.in-addr.arpa/PTR/IN': 203.119.86.101#53
Jan 12 19:13:05 server named[2661]: network unreachable resolving '51.227.252.37.in-addr.arpa/PTR/IN': 194.204.152.34#53
Jan 12 19:13:05 server named[2661]: network unreachable resolving '51.227.252.37.in-addr.arpa/PTR/IN': 193.0.9.5#53
Jan 12 19:13:05 server named[2661]: network unreachable resolving '155.119.254.8.in-addr.arpa/PTR/IN': 193.0.9.1#53
Jan 12 19:13:05 server named[2661]: network unreachable resolving '155.119.254.8.in-addr.arpa/PTR/IN': 196.216.169.10#53
Jan 12 19:13:05 server named[2661]: network unreachable resolving '51.227.252.37.in-addr.arpa/PTR/IN': 192.134.0.49#53
Jan 12 19:13:05 server named[2661]: network unreachable resolving '51.227.252.37.in-addr.arpa/PTR/IN': 192.5.4.1#53
Jan 12 19:13:05 server named[2661]: network unreachable resolving '51.227.252.37.in-addr.arpa/PTR/IN': 202.12.29.59#53
Jan 12 19:13:05 server named[2661]: network unreachable resolving '0.client-channel.google.com/A/IN': 194.204.152.34#53
Jan 12 19:13:05 server named[2661]: network unreachable resolving '155.119.254.8.in-addr.arpa/PTR/IN': 199.253.183.183#53
Jan 12 19:13:05 server named[2661]: network unreachable resolving 'ssl.gstatic.com/A/IN': 194.204.152.34#53
Jan 12 19:13:05 server named[2661]: network unreachable resolving 'ssl.gstatic.com/A/IN': 216.239.32.10#53
Jan 12 19:13:05 server named[2661]: network unreachable resolving '51.227.252.37.in-addr.arpa/PTR/IN': 199.212.0.53#53
Jan 12 19:13:05 server named[2661]: network unreachable resolving '51.227.252.37.in-addr.arpa/PTR/IN': 202.12.28.140#53
Jan 12 19:13:05 server named[2661]: network unreachable resolving '0.client-channel.google.com/A/IN': 216.239.32.10#53
Jan 12 19:13:05 server named[2661]: network unreachable resolving '0.client-channel.google.com/A/IN': 216.239.34.10#53
Jan 12 19:13:05 server named[2661]: network unreachable resolving 'www.google.com/A/IN': 194.204.152.34#53
Jan 12 19:13:05 server named[2661]: network unreachable resolving 'www.google.com/A/IN': 216.239.32.10#53
Jan 12 19:13:05 server named[2661]: network unreachable resolving 'ssl.gstatic.com/A/IN': 216.239.34.10#53
Jan 12 19:13:05 server named[2661]: network unreachable resolving 'ssl.gstatic.com/A/IN': 216.239.36.10#53
Jan 12 19:13:05 server named[2661]: network unreachable resolving 'ssl.gstatic.com/A/IN': 216.239.38.10#53
Jan 12 19:13:05 server named[2661]: network unreachable resolving '0.client-channel.google.com/A/IN': 216.239.36.10#53
Jan 12 19:13:05 server named[2661]: network unreachable resolving '0.client-channel.google.com/A/IN': 216.239.38.10#53
Jan 12 19:13:05 server named[2661]: network unreachable resolving 'www.google.com/A/IN': 216.239.34.10#53
Jan 12 19:13:05 server named[2661]: network unreachable resolving 'www.google.com/A/IN': 216.239.36.10#53
Jan 12 19:13:05 server named[2661]: network unreachable resolving 'www.google.com/A/IN': 216.239.38.10#53
Jan 12 19:13:06 server named[2661]: network unreachable resolving '67.160.26.184.in-addr.arpa/PTR/IN': 194.204.152.34#53
Jan 12 19:13:06 server named[2661]: network unreachable resolving '67.160.26.184.in-addr.arpa/PTR/IN': 2.22.230.32#53
Jan 12 19:13:06 server named[2661]: network unreachable resolving '67.160.26.184.in-addr.arpa/PTR/IN': 184.26.161.32#53
Jan 12 19:13:06 server named[2661]: network unreachable resolving '67.160.26.184.in-addr.arpa/PTR/IN': 23.61.199.32#53
Jan 12 19:13:06 server named[2661]: network unreachable resolving '67.160.26.184.in-addr.arpa/PTR/IN': 95.100.173.32#53
Jan 12 19:13:06 server named[2661]: network unreachable resolving '67.160.26.184.in-addr.arpa/PTR/IN': 2.16.40.32#53
Jan 12 19:13:06 server named[2661]: network unreachable resolving '67.160.26.184.in-addr.arpa/PTR/IN': 96.7.50.32#53
Jan 12 19:13:06 server named[2661]: network unreachable resolving '67.160.26.184.in-addr.arpa/PTR/IN': 23.74.25.32#53
Jan 12 19:13:06 server named[2661]: network unreachable resolving '67.160.26.184.in-addr.arpa/PTR/IN': 95.100.168.32#53
Jan 12 19:13:06 server named[2661]: network unreachable resolving '67.160.26.184.in-addr.arpa/PTR/IN': 194.204.152.34#53
Jan 12 19:13:06 server named[2661]: network unreachable resolving '67.160.26.184.in-addr.arpa/PTR/IN': 95.100.173.32#53
Jan 12 19:13:06 server named[2661]: network unreachable resolving '67.160.26.184.in-addr.arpa/PTR/IN': 23.61.199.32#53
Jan 12 19:13:06 server named[2661]: network unreachable resolving '67.160.26.184.in-addr.arpa/PTR/IN': 184.26.161.32#53
Jan 12 19:13:06 server named[2661]: network unreachable resolving '67.160.26.184.in-addr.arpa/PTR/IN': 2.22.230.32#53
Jan 12 19:13:06 server named[2661]: network unreachable resolving '67.160.26.184.in-addr.arpa/PTR/IN': 96.7.50.32#53
Jan 12 19:13:06 server named[2661]: network unreachable resolving '67.160.26.184.in-addr.arpa/PTR/IN': 2.16.40.32#53
Jan 12 19:13:06 server named[2661]: network unreachable resolving '67.160.26.184.in-addr.arpa/PTR/IN': 23.74.25.32#53
Jan 12 19:13:06 server named[2661]: network unreachable resolving '67.160.26.184.in-addr.arpa/PTR/IN': 95.100.168.32#53
Jan 12 19:13:08 server named[2661]: network unreachable resolving 'master15.teamviewer.com/A/IN': 194.204.152.34#53
Jan 12 19:13:08 server named[2661]: network unreachable resolving 'master15.teamviewer.com/A/IN': 46.165.193.40#53
Jan 12 19:13:08 server named[2661]: network unreachable resolving 'master15.teamviewer.com/A/IN': 217.115.140.84#53
Jan 12 19:13:08 server named[2661]: network unreachable resolving 'master15.teamviewer.com/A/IN': 95.211.75.200#53
Jan 12 19:13:09 server named[2661]: network unreachable resolving '227.204.162.178.in-addr.arpa/PTR/IN': 194.204.152.34#53
Jan 12 19:13:09 server named[2661]: network unreachable resolving '227.204.162.178.in-addr.arpa/PTR/IN': 193.0.9.5#53
Jan 12 19:13:09 server named[2661]: network unreachable resolving '227.204.162.178.in-addr.arpa/PTR/IN': 192.134.0.49#53
Jan 12 19:13:09 server named[2661]: network unreachable resolving '227.204.162.178.in-addr.arpa/PTR/IN': 192.5.4.1#53
Jan 12 19:13:09 server named[2661]: network unreachable resolving '227.204.162.178.in-addr.arpa/PTR/IN': 202.12.29.59#53
Jan 12 19:13:09 server named[2661]: network unreachable resolving '227.204.162.178.in-addr.arpa/PTR/IN': 199.212.0.53#53
Jan 12 19:13:09 server named[2661]: network unreachable resolving '227.204.162.178.in-addr.arpa/PTR/IN': 202.12.28.140#53
Jan 12 19:13:09 server named[2661]: network unreachable resolving '227.204.162.178.in-addr.arpa/PTR/IN': 194.204.152.34#53
Jan 12 19:13:09 server named[2661]: network unreachable resolving '227.204.162.178.in-addr.arpa/PTR/IN': 193.0.9.5#53
Jan 12 19:13:09 server named[2661]: network unreachable resolving '227.204.162.178.in-addr.arpa/PTR/IN': 192.134.0.49#53
Jan 12 19:13:09 server named[2661]: network unreachable resolving '227.204.162.178.in-addr.arpa/PTR/IN': 192.5.4.1#53
Jan 12 19:13:09 server named[2661]: network unreachable resolving '227.204.162.178.in-addr.arpa/PTR/IN': 202.12.29.59#53
Jan 12 19:13:09 server named[2661]: network unreachable resolving '227.204.162.178.in-addr.arpa/PTR/IN': 199.212.0.53#53
Jan 12 19:13:09 server named[2661]: network unreachable resolving '227.204.162.178.in-addr.arpa/PTR/IN': 202.12.28.140#53
Jan 12 19:13:09 server named[2661]: network unreachable resolving 'master13.teamviewer.com/A/IN': 194.204.152.34#53
Jan 12 19:13:09 server named[2661]: network unreachable resolving 'master13.teamviewer.com/A/IN': 46.165.193.40#53
Jan 12 19:13:09 server named[2661]: network unreachable resolving 'master13.teamviewer.com/A/IN': 217.115.140.84#53
Jan 12 19:13:09 server named[2661]: network unreachable resolving 'master13.teamviewer.com/A/IN': 95.211.75.200#53
Jan 12 19:13:09 server named[2661]: network unreachable resolving 'master15.teamviewer.com/A/IN': 194.204.152.34#53
Jan 12 19:13:09 server named[2661]: network unreachable resolving 'master15.teamviewer.com/A/IN': 46.165.193.40#53
Jan 12 19:13:09 server named[2661]: network unreachable resolving 'master15.teamviewer.com/A/IN': 217.115.140.84#53
Jan 12 19:13:09 server named[2661]: network unreachable resolving 'master15.teamviewer.com/A/IN': 95.211.75.200#53
Jan 12 19:13:11 server named[2661]: network unreachable resolving 'master10.teamviewer.com/A/IN': 194.204.152.34#53
Jan 12 19:13:11 server named[2661]: network unreachable resolving 'master10.teamviewer.com/A/IN': 46.165.193.40#53
Jan 12 19:13:11 server named[2661]: network unreachable resolving 'master10.teamviewer.com/A/IN': 217.115.140.84#53
Jan 12 19:13:11 server named[2661]: network unreachable resolving 'master10.teamviewer.com/A/IN': 95.211.75.200#53
Jan 12 19:13:11 server named[2661]: network unreachable resolving 'master10.teamviewer.com/A/IN': 194.204.152.34#53
Jan 12 19:13:11 server named[2661]: network unreachable resolving 'master10.teamviewer.com/A/IN': 46.165.193.40#53
Jan 12 19:13:11 server named[2661]: network unreachable resolving 'master10.teamviewer.com/A/IN': 217.115.140.84#53
Jan 12 19:13:11 server named[2661]: network unreachable resolving 'master10.teamviewer.com/A/IN': 95.211.75.200#53
Jan 12 19:13:11 server named[2661]: network unreachable resolving '51.227.252.37.in-addr.arpa/PTR/IN': 194.204.152.34#53
Jan 12 19:13:11 server named[2661]: network unreachable resolving '51.227.252.37.in-addr.arpa/PTR/IN': 193.0.9.5#53

/var/log/firewall
Jan 12 20:39:34 server kernel: I_PKT_DRPD: IN=eth1 OUT= MAC= SRC=83.19.85.20 DST=224.0.0.251 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Jan 12 20:40:10 server kernel: I_PKT_DRPD: IN=eth0 OUT= MAC=01:00:5e:00:00:01:00:15:17:47:1c:60:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Jan 12 20:41:35 server kernel: I_PKT_DRPD: IN=eth1 OUT= MAC= SRC=83.19.85.20 DST=224.0.0.251 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Jan 12 20:41:36 server kernel: I_PKT_DRPD: IN=eth0 OUT= MAC=01:00:5e:00:00:01:00:15:17:4b:da:e3:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Jan 12 20:42:15 server kernel: I_PKT_DRPD: IN=eth0 OUT= MAC=01:00:5e:00:00:01:00:15:17:47:1c:60:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Jan 12 20:43:41 server kernel: I_PKT_DRPD: IN=eth0 OUT= MAC=01:00:5e:00:00:01:00:15:17:4b:da:e3:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Jan 12 20:43:44 server kernel: I_PKT_DRPD: IN=eth1 OUT= MAC= SRC=83.19.85.20 DST=224.0.0.251 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Jan 12 20:44:21 server kernel: I_PKT_DRPD: IN=eth0 OUT= MAC=01:00:5e:00:00:01:00:15:17:47:1c:60:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Jan 12 20:44:54 server kernel: I_PKT_DRPD: IN=eth1 OUT= MAC=00:16:3e:50:61:aa:f8:8e:85:be:54:52:08:00 SRC=201.229.31.19 DST=83.19.85.20 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=14654 DF PROTO=TCP SPT=43408 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 12 20:44:57 server kernel: I_PKT_DRPD: IN=eth1 OUT= MAC=00:16:3e:50:61:aa:f8:8e:85:be:54:52:08:00 SRC=201.229.31.19 DST=83.19.85.20 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=14655 DF PROTO=TCP SPT=43408 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 12 20:45:46 server kernel: I_PKT_DRPD: IN=eth0 OUT= MAC=01:00:5e:00:00:01:00:15:17:4b:da:e3:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Jan 12 20:45:49 server kernel: I_PKT_DRPD: IN=eth1 OUT= MAC= SRC=83.19.85.20 DST=224.0.0.251 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Jan 12 20:46:26 server kernel: I_PKT_DRPD: IN=eth0 OUT= MAC=01:00:5e:00:00:01:00:15:17:47:1c:60:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Jan 12 20:47:37 server kernel: I_PKT_DRPD: IN=eth1 OUT= MAC=00:16:3e:50:61:aa:f8:8e:85:be:54:52:08:00 SRC=183.155.139.237 DST=83.19.85.20 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=63708 DF PROTO=TCP SPT=52576 DPT=23 WINDOW=5808 RES=0x00 SYN URGP=0
Jan 12 20:47:40 server kernel: I_PKT_DRPD: IN=eth1 OUT= MAC=00:16:3e:50:61:aa:f8:8e:85:be:54:52:08:00 SRC=183.155.139.237 DST=83.19.85.20 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=63709 DF PROTO=TCP SPT=52576 DPT=23 WINDOW=5808 RES=0x00 SYN URGP=0
Jan 12 20:47:46 server kernel: I_PKT_DRPD: IN=eth1 OUT= MAC=00:16:3e:50:61:aa:f8:8e:85:be:54:52:08:00 SRC=183.155.139.237 DST=83.19.85.20 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=63710 DF PROTO=TCP SPT=52576 DPT=23 WINDOW=5808 RES=0x00 SYN URGP=0
Jan 12 20:47:48 server kernel: I_PKT_DRPD: IN=eth1 OUT= MAC= SRC=83.19.85.20 DST=224.0.0.251 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Jan 12 20:47:51 server kernel: I_PKT_DRPD: IN=eth0 OUT= MAC=01:00:5e:00:00:01:00:15:17:4b:da:e3:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Jan 12 20:48:04 server kernel: I_PKT_DRPD: IN=eth1 OUT= MAC=00:16:3e:50:61:aa:f8:8e:85:be:54:52:08:00 SRC=68.232.34.200 DST=83.19.85.20 LEN=93 TOS=0x00 PREC=0x00 TTL=59 ID=37650 DF PROTO=TCP SPT=443 DPT=50125 WINDOW=33 RES=0x00 ACK PSH FIN URGP=0
Jan 12 20:48:14 server kernel: I_PKT_DRPD: IN=eth1 OUT= MAC=00:16:3e:50:61:aa:f8:8e:85:be:54:52:08:00 SRC=223.246.125.150 DST=83.19.85.20 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=52143 DF PROTO=TCP SPT=13135 DPT=23 WINDOW=5808 RES=0x00 SYN URGP=0
Jan 12 20:48:23 server kernel: I_PKT_DRPD: IN=eth1 OUT= MAC=00:16:3e:50:61:aa:f8:8e:85:be:54:52:08:00 SRC=223.246.125.150 DST=83.19.85.20 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=52145 DF PROTO=TCP SPT=13135 DPT=23 WINDOW=5808 RES=0x00 SYN URGP=0
Jan 12 20:48:32 server kernel: I_PKT_DRPD: IN=eth0 OUT= MAC=01:00:5e:00:00:01:00:15:17:47:1c:60:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2

Output of nmap run from outside:
Starting Nmap 4.20 ( http://insecure.org ) at 2015-01-12 21:05 CET
sendto in send_ip_packet: sendto(4, packet, 40, 0, XX.XX.XX.XX, 16) => Operation not permitted
Offending packet: TCP 83.12.165.118:63512 > XX.XX.XX.XX:80 A ttl=54 id=12960 iplen=40  seq=2822446750 win=3072 ack=2512068254
sendto in send_ip_packet: sendto(4, packet, 40, 0, XX.XX.XX.XX, 16) => Operation not permitted
Offending packet: TCP 83.12.165.118:63513 > XX.XX.XX.XX:80 A ttl=44 id=57679 iplen=40  seq=1815813854 win=1024 ack=834346718
Note: Host seems down. If it is really up, but blocking our ping probes, try -P0
Nmap finished: 1 IP address (0 hosts up) scanned in 4.246 seconds

Can anything be concluded from the data given, or what tools should I use to solve the problem?

Thanks in advance for your help

Regarding network unreachable resolving 'www.google.com/A/IN': 216.239.34.10#53, I found information that bind has DNS name resolution over IPv6 enabled. I modified /etc/sysconfig/named and will see what changes.
« Last edit: January 14, 2015, 11:49:52 pm by mr_brunatny »

mr_brunatny
Re: "Link saturation"
« Reply #1 on: January 15, 2015, 03:05:35 pm »
Hello

Today I turned on Wireshark and found lots of DNS protocol packets coming into and going out of the server. Log below.
In iptables I specified only two DNS servers and it stopped sending. However, a lot of this keeps coming in. I blocked the IP addresses in the INPUT chain. But after a while I noticed that the same packets keep coming, only from a different IP. Does anyone have an idea how to block this once and for all?

Wireshark log
No.     Time        Source                Destination           Protocol Info
     
     30 0.218934    196.217.178.25        XX.XX.XX.XX           DNS      Standard query ANY fkfkfkfz.guru
     31 0.219629    196.217.178.25        XX.XX.XX.XX           DNS      Standard query ANY fkfkfkfz.guru
     32 0.219825    196.217.178.25        XX.XX.XX.XX           DNS      Standard query ANY fkfkfkfz.guru
     33 0.235779    180.52.213.239        XX.XX.XX.XX           DNS      Standard query ANY fkfkfkfz.guru
     34 0.250051    180.52.213.239        XX.XX.XX.XX           DNS      Standard query ANY fkfkfkfz.guru
     35 0.255230    180.52.213.239        XX.XX.XX.XX           DNS      Standard query ANY fkfkfkfz.guru
     36 0.256074    180.52.213.239        XX.XX.XX.XX           DNS      Standard query ANY fkfkfkfz.guru
     37 0.263384    67.215.4.72           XX.XX.XX.XX           DNS      Standard query ANY fkfkfkfz.guru
     38 0.263549    67.215.4.72           XX.XX.XX.XX           DNS      Standard query ANY fkfkfkfz.guru
     39 0.263557    67.215.4.72           XX.XX.XX.XX           DNS      Standard query ANY fkfkfkfz.guru
     40 0.263702    67.215.4.72           XX.XX.XX.XX           DNS      Standard query ANY fkfkfkfz.guru
     41 0.264886    67.215.4.72           XX.XX.XX.XX           DNS      Standard query ANY fkfkfkfz.guru
     42 0.264895    67.215.4.72           XX.XX.XX.XX           DNS      Standard query ANY fkfkfkfz.guru
     43 0.264899    67.215.4.72           XX.XX.XX.XX           DNS      Standard query ANY fkfkfkfz.guru
     44 0.265052    67.215.4.72           XX.XX.XX.XX           DNS      Standard query ANY fkfkfkfz.guru
     45 0.265064    67.215.4.72           XX.XX.XX.XX           DNS      Standard query ANY fkfkfkfz.guru
     46 0.303611    180.52.213.239        XX.XX.XX.XX           DNS      Standard query ANY fkfkfkfz.guru
     47 0.304851    180.52.213.239        XX.XX.XX.XX           DNS      Standard query ANY fkfkfkfz.guru
     52 0.340934    196.217.178.25        XX.XX.XX.XX           DNS      Standard query ANY fkfkfkfz.guru
     53 0.345081    180.52.213.239        XX.XX.XX.XX           DNS      Standard query ANY fkfkfkfz.guru
     61 0.454315    180.52.213.239        XX.XX.XX.XX           DNS      Standard query ANY fkfkfkfz.guru
     62 0.502847    196.217.178.25        XX.XX.XX.XX           DNS      Standard query ANY fkfkfkfz.guru
     63 0.503157    196.217.178.25        XX.XX.XX.XX           DNS      Standard query ANY fkfkfkfz.guru
     64 0.503648    196.217.178.25        XX.XX.XX.XX           DNS      Standard query ANY fkfkfkfz.guru
     65 0.525445    14.203.95.112         XX.XX.XX.XX           DNS      Standard query ANY ohhr.ru
     66 0.525964    14.203.95.112         XX.XX.XX.XX           DNS      Standard query ANY ohhr.ru
     67 0.526207    14.203.95.112         XX.XX.XX.XX           DNS      Standard query ANY ohhr.ru
     68 0.526215    14.203.95.112         XX.XX.XX.XX           DNS      Standard query ANY ohhr.ru
     69 0.526219    14.203.95.112         XX.XX.XX.XX           DNS      Standard query ANY ohhr.ru
     70 0.526223    14.203.95.112         XX.XX.XX.XX           DNS      Standard query ANY ohhr.ru
     71 0.526227    14.203.95.112         XX.XX.XX.XX           DNS      Standard query ANY ohhr.ru
     72 0.526231    14.203.95.112         XX.XX.XX.XX           DNS      Standard query ANY ohhr.ru
     73 0.543496    180.52.213.239        XX.XX.XX.XX           DNS      Standard query ANY fkfkfkfz.guru
     74 0.548165    180.52.213.239        XX.XX.XX.XX           DNS      Standard query ANY fkfkfkfz.guru
     80 0.632857    113.17.140.201        XX.XX.XX.XX           DNS      Standard query ANY ohhr.ru
     81 0.633418    113.17.140.201        XX.XX.XX.XX           DNS      Standard query ANY ohhr.ru
     82 0.633685    113.17.140.201        XX.XX.XX.XX           DNS      Standard query ANY ohhr.ru
     83 0.633692    113.17.140.201        XX.XX.XX.XX           DNS      Standard query ANY ohhr.ru
     84 0.633696    113.17.140.201        XX.XX.XX.XX           DNS      Standard query ANY ohhr.ru
     85 0.633700    113.17.140.201        XX.XX.XX.XX           DNS      Standard query ANY ohhr.ru
     86 0.633703    113.17.140.201        XX.XX.XX.XX           DNS      Standard query ANY ohhr.ru
     87 0.633706    113.17.140.201        XX.XX.XX.XX           DNS      Standard query ANY ohhr.ru
     88 0.633985    113.17.140.201        XX.XX.XX.XX           DNS      Standard query ANY ohhr.ru
     89 0.633993    113.17.140.201        XX.XX.XX.XX           DNS      Standard query ANY ohhr.ru
     90 0.634017    113.17.140.201        XX.XX.XX.XX           DNS      Standard query ANY ohhr.ru
     91 0.634022    113.17.140.201        XX.XX.XX.XX           DNS      Standard query ANY ohhr.ru
     92 0.634158    113.17.140.201        XX.XX.XX.XX           DNS      Standard query ANY ohhr.ru
     93 0.634164    113.17.140.201        XX.XX.XX.XX           DNS      Standard query ANY ohhr.ru
     94 0.634167    113.17.140.201        XX.XX.XX.XX           DNS      Standard query ANY ohhr.ru
     95 0.636718    113.17.140.201        XX.XX.XX.XX           DNS      Standard query ANY ohhr.ru
     96 0.637367    113.17.140.201        XX.XX.XX.XX           DNS      Standard query ANY ohhr.ru
     97 0.637565    113.17.140.201        XX.XX.XX.XX           DNS      Standard query ANY ohhr.ru
     98 0.637572    113.17.140.201        XX.XX.XX.XX           DNS      Standard query ANY ohhr.ru
     99 0.637575    113.17.140.201        XX.XX.XX.XX           DNS      Standard query ANY ohhr.ru
    100 0.637579    113.17.140.201        XX.XX.XX.XX           DNS      Standard query ANY ohhr.ru
    101 0.637582    113.17.140.201        XX.XX.XX.XX           DNS      Standard query ANY ohhr.ru
    102 0.637585    113.17.140.201        XX.XX.XX.XX           DNS      Standard query ANY ohhr.ru
    103 0.637588    113.17.140.201        XX.XX.XX.XX           DNS      Standard query ANY ohhr.ru
    104 0.637773    113.17.140.201        XX.XX.XX.XX           DNS      Standard query ANY ohhr.ru
    105 0.637780    113.17.140.201        XX.XX.XX.XX           DNS      Standard query ANY ohhr.ru
    106 0.637784    113.17.140.201        XX.XX.XX.XX           DNS      Standard query ANY ohhr.ru
    107 0.637791    113.17.140.201        XX.XX.XX.XX           DNS      Standard query ANY ohhr.ru
    110 0.656667    196.217.178.25        XX.XX.XX.XX           DNS      Standard query ANY fkfkfkfz.guru
    111 0.658867    196.217.178.25        XX.XX.XX.XX           DNS      Standard query ANY fkfkfkfz.guru
    112 0.663129    180.52.213.239        XX.XX.XX.XX           DNS      Standard query ANY fkfkfkfz.guru
    114 0.667153    67.215.4.72           XX.XX.XX.XX           DNS      Standard query ANY fkfkfkfz.guru
    115 0.667702    67.215.4.72           XX.XX.XX.XX           DNS      Standard query ANY fkfkfkfz.guru
    116 0.667783    67.215.4.72           XX.XX.XX.XX           DNS      Standard query ANY fkfkfkfz.guru
    117 0.667907    67.215.4.72           XX.XX.XX.XX           DNS      Standard query ANY fkfkfkfz.guru

Fisiu
Re: "Link saturation"
« Reply #2 on: January 15, 2015, 10:58:17 pm »

mr_brunatny
Re: "Link saturation"
« Reply #3 on: January 16, 2015, 04:59:17 pm »
Thanks for the reply.

I added a rule to iptables
iptables -A INPUT -p udp --dport 53 -m string --from 40 --to 51 --algo bm --hex-string '|046f6868720272750000ff|' -j DROP -m comment --comment "DROP DNS Q ohhr.ru"
But it still lets packets from ohhr.ru through

iptables shows the following about it:

Chain INPUT (policy DROP)
target     prot opt source               destination         
DROP       tcp  --  anywhere             anywhere            tcp flags:!SYN,RST,ACK/SYN state NEW
DROP       udp  --  anywhere             anywhere            udp dpt:domain STRING match "|046f6868720272750000ff|" ALGO name bm FROM 40 TO 51 /* DROP DNS Q ohhr.ru */

Am I entering it wrong, or should I add something somewhere else as well?

Unfortunately a lot of packets for ohhr.ru, fkfkfkfz.guru and <root> are still arriving at the server. I started blocking the IP addresses they come from by hand, but that is really a fool's errand :embarrassed:. Since the --sport of these packets varies but the --dport is 53, I thought that
iptables -A udp_p -p udp -m udp --sport 1024:65535 --dport 53 -j DROP
would settle the matter. Unfortunately it does not work.

Has anyone run into this problem, or does anyone have any suggestions?
I'd be grateful for any help or hint.

« Last edit: January 18, 2015, 09:25:53 pm by mr_brunatny »
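As an added example (not code from the thread or its participants), the following Python script parses Wireshark summary lines in the format posted in reply #1 to count ANY queries per source and name, and derives the --hex-string and --from/--to offsets of the kind of rule shown in reply #3 from the DNS wire format, showing why the pattern sits at byte 40 of a plain UDP query. The sample lines, function names and the minimal packet builder are constructed here; the verdict is only that the match is byte-exact, not that the rule is the fix.

```python
import re
from collections import Counter

# Constructed Wireshark summary lines in the format of the capture posted in
# reply #1 (addresses and names copied from it, plus one ordinary A query).
WIRESHARK_LINES = """\
     30 0.218934    196.217.178.25        XX.XX.XX.XX           DNS      Standard query ANY fkfkfkfz.guru
     33 0.235779    180.52.213.239        XX.XX.XX.XX           DNS      Standard query ANY fkfkfkfz.guru
     37 0.263384    67.215.4.72           XX.XX.XX.XX           DNS      Standard query ANY fkfkfkfz.guru
     38 0.263549    67.215.4.72           XX.XX.XX.XX           DNS      Standard query ANY fkfkfkfz.guru
     65 0.525445    14.203.95.112         XX.XX.XX.XX           DNS      Standard query ANY ohhr.ru
     66 0.525964    14.203.95.112         XX.XX.XX.XX           DNS      Standard query ANY ohhr.ru
     70 0.526223    10.0.0.5              XX.XX.XX.XX           DNS      Standard query A www.example.com
"""

LINE_RE = re.compile(
    r"^\s*(?P<no>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+DNS\s+"
    r"Standard query (?P<qtype>\S+) (?P<qname>\S+)\s*$"
)

def parse_dns_summary(text):
    """Return (source IP, query type, query name) for each matching line."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append((m["src"], m["qtype"], m["qname"]))
    return rows

def any_query_sources(rows, threshold=2):
    """Count ANY queries per (source, name); keep those at or above threshold.
    Repeated ANY queries for one name from many unrelated addresses are the
    classic sign of reflection with spoofed sources, so per-IP blocking cannot keep up."""
    counts = Counter((src, name) for src, qtype, name in rows if qtype == "ANY")
    return {key: n for key, n in counts.items() if n >= threshold}

def dns_question_bytes(qname, qtype=255):
    """Wire-format QNAME plus 16-bit QTYPE; 255 is ANY. For ohhr.ru this is
    exactly the byte sequence the --hex-string in reply #3 matches."""
    out = b""
    for label in qname.strip(".").split("."):
        enc = label.encode("ascii")
        if not 1 <= len(enc) <= 63:
            raise ValueError("DNS label must be 1..63 bytes: %r" % label)
        out += bytes([len(enc)]) + enc
    return out + b"\x00" + qtype.to_bytes(2, "big")

# Offsets netfilter's string match counts from the start of the IPv4 header:
# 20 (IPv4, no options) + 8 (UDP) + 12 (DNS header) = 40 = first QNAME byte.
QUESTION_OFFSET = 20 + 8 + 12

def iptables_hex_rule(qname):
    """Same shape of rule as reply #3, offsets derived from the pattern length.
    The match is byte-exact: different letter case in the name or an IPv4
    header with options changes or shifts the bytes and is not caught."""
    pat = dns_question_bytes(qname)
    return (
        "iptables -A INPUT -p udp --dport 53 -m string --algo bm "
        f"--from {QUESTION_OFFSET} --to {QUESTION_OFFSET + len(pat)} "
        f"--hex-string '|{pat.hex()}|' -j DROP "
        f'-m comment --comment "DROP DNS Q {qname}"'
    )

def build_query_packet(qname, qtype=255):
    """Constructed minimal IPv4+UDP+DNS query (checksums and addresses zeroed),
    used only to show where the question lands in the datagram."""
    dns = b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 6 + dns_question_bytes(qname, qtype)
    udp = (1234).to_bytes(2, "big") + (53).to_bytes(2, "big") \
        + (8 + len(dns)).to_bytes(2, "big") + b"\x00\x00"
    ip = b"\x45\x00" + (20 + len(udp)).to_bytes(2, "big") + b"\x00" * 16
    return ip + udp + dns

def pattern_window(packet, pattern):
    """(from, to) offsets a string match needs to cover pattern, or None."""
    i = packet.find(pattern)
    return None if i < 0 else (i, i + len(pattern))
```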