[CentOS] Server used in DOS attack on UDP port 0

Wed Nov 4 17:11:57 UTC 2015
Valeri Galtsev <galtsev at kicp.uchicago.edu>

On Wed, November 4, 2015 4:22 am, Andrew Holway wrote:
> Hi,
>
> One of our AWS machines was used in a DOS attack last night and I am
> looking for possible attack vectors.

Is it AWS as in Amazon Web Services?

> AWS tells me it was sending UDP port 0 traffic to a cloudflare address.

Ironic: Cloudflare is known for the fact that you cannot get at abusers who
hide behind them (therefore some people just block all traffic to/from them),
and now they are becoming the victims of the same. I would recommend blocking
traffic to Cloudflare address blocks at the level of routing tables (google
that); it may help you in the future.

>
> This instance had an incorrectly configured AWS security group exposing
> all ports.
>
> The server in question is a Centos 7 based FreeIPA server, OpenVPN
> concentrator and DNS server.
>
> With a brief inspection before the instance was stopped no evidence of
> intrusion could be detected in the obvious places

As far as I know (someone correct me), a regular user can send UDP packets
(a regular user cannot do a UDP port scan, but that is purely because root
access is necessary to _read_ a raw socket, i.e. to read the response;
sending is doable). That is why, for this particular incident, I wouldn't
suspect a root compromise right away. Check which users were connected (or
rather, ran processes) at the time in question, and check their activity.
psacct (if enabled) is your friend.

> and the machine is
> protected by standard SELinux policies.

Hm, I personally am a bit sceptical about SELinux. Its protection (of a
vulnerable system) IMHO is grossly overestimated. It helps some, but I'd
rather have a kernel without SELinux (not possible any more, of course; the
tons of SELinux code _are_ already in the kernel, with all their potential
bugs...)

Somebody already suggested a nice tool (rootkit hunter). I would mention
http://www.chkrootkit.org/. I would also add to the forensics (especially if
you haven't rebooted yet) a comparison of what you get internally (like open
ports, and the whole tree of files on the machine with file checksums) and
externally (like an external port scan after you turn off the machine's
firewall), and with the list of files you get after you mount the machine's
drive(s) on a sane box.

Good luck on forensics!

Valeri

>
> On this machine Firewalld is currently configured with a single zone with
> masquerade enabled
>
> firewalld config.
> public (default, active)
>   interfaces: eth0
>   sources:
>   services: dhcpv6-client dns http https kerberos kpasswd ldap ldaps ntp openvpn ssh
>   ports: 81/tcp
>   masquerade: yes
>   forward-ports:
>   icmp-blocks:
>   rich rules:
>
> Thanks,
>
> Andrew
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
>


++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++