any IOS'ers out there ?

hamei
Posts: 10435
Joined: Tue Feb 24, 2004 4:10 pm
Location: over the rainbow

any IOS'ers out there ?

Post by hamei » Sat Oct 03, 2015 8:14 pm

The web certainly is one big shitpile these days ...

Okay le, for a while now I've been blocking the worst offenders with dns. The 3660 is in charge of dns and is the start of authority for our domain / lan. IOS is 12.3(24), no can't go much newer since there's not enough memory and I don't feel like adding more to this elderly router and no I'm not going to buy a new one, this works real well.

For quite a while it was pretty simple to block faceblob, tweeter, youflub, boogle, buysellturds, etc. by merely setting their domains to 127.0.0.1. That wasn't perfect because there was a delay between the connection not being made and fireflop giving up, but it was okay.

Currently, tho, the enemy has developed a new tactic that we need to counter. The hosts list in our dns has exploded. Quantserve, google, and a bunch of others have figured some way past the basic acl and dns blocking. They are filling the hosts list with dozens of ip's, which the router tries to connect to, which we do not want. Waiting for all their behind-your-back disgustingness has our network on its knees.

Zo ... strategy #2 ... how about setting the router as start of authority for those other domains as well ? Then use a lightweight local http server to return "404 page not found" messages quickly to the despicable camera-in-the-toilet-bowl firewhore ? It seems like this should kill two birds with one rock but it's a lot of effort wasted if I am wrong :(

What am I missing ?
I spent a fortune on booze, birds, and fast cars ... the rest I just squandered
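The "lightweight local http server" idea from the post above, as an added example (this is not code from the thread or from any Cisco product): every request for a sinkholed domain gets an immediate 404 with no body and no keep-alive, so the browser stops waiting instead of hanging on a connection that never completes. The listen address, the ephemeral port and the probe path are assumptions made for the example; the DNS side (pointing the blocked domains at this host) is done on the router as the post describes.

```python
"""HTTP sinkhole: answer every request with a fast 404 (added example)."""
import http.server
import threading
import urllib.error
import urllib.request


class SinkholeHandler(http.server.BaseHTTPRequestHandler):
    """Reply 404 to any method on any path, then close the connection."""

    protocol_version = "HTTP/1.0"  # no keep-alive: nothing worth keeping open

    def _sink(self):
        self.send_response(404)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", "0")
        self.send_header("Connection", "close")
        self.end_headers()

    # Same answer regardless of method; trackers use GET, POST and HEAD alike.
    do_GET = do_POST = do_HEAD = do_PUT = do_OPTIONS = _sink

    def log_message(self, fmt, *args):
        # Record who asked for what: shows which domains keep phoning home.
        print("sinkhole %s %s %s" % (self.client_address[0], self.command, self.path))


def start_sinkhole(host="127.0.0.1", port=0):
    """Start the sinkhole on a background thread; port 0 picks a free port.
    Returns (server, bound_port) so the caller can probe it and shut it down."""
    server = http.server.HTTPServer((host, port), SinkholeHandler)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    return server, server.server_address[1]


def probe(port, path="/fonts/roboto.css", host="127.0.0.1"):
    """Fetch a path from the sinkhole and return the HTTP status code.
    urllib raises HTTPError for 4xx, so the code is taken from the exception."""
    url = "http://%s:%d%s" % (host, port, path)
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    srv, bound_port = start_sinkhole()
    print("sinkhole on port", bound_port, "-> status", probe(bound_port))
    srv.shutdown()
```

In production you would bind port 80 (and 443 with a throwaway certificate, which browsers will reject just as quickly) on the host the router's DNS answers point to; the 404 is returned in one round trip, which is the whole point compared with a 127.0.0.1 entry that leaves the browser waiting.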

Kumba
Posts: 235
Joined: Mon May 24, 2004 12:14 am
Location: Byzantine Secundus

Re: any IOS'ers out there ?

Post by Kumba » Sat Oct 03, 2015 8:43 pm

Tried this hosts file yet?:
http://winhelp2002.mvps.org/hosts.htm

I believe the trick now is to use 0.0.0.0 instead of 127.0.0.1 and :: for IPv6.
:Onyx2: 4x R14000 :Tezro: 4x R16000 :Fuel: 1x R16000 :Octane: 2x R14000 :O2+: RM7000 :O2: R10000 :O2: RM5200 :Indigo: R4400 :Indigo2IMP: R10000 :Indigo2: R8000 :O3x0: 4x R14000 :Indy: R5000

"The past tempts us, the present confuses us, the future frightens us. And our lives slip away, moment by moment, lost in that vast, terrible in-between."
--Emperor Turhan, Centauri Republic

robespierre
Posts: 1579
Joined: Mon Sep 12, 2011 2:28 pm
Location: Boston

Re: any IOS'ers out there ?

Post by robespierre » Sat Oct 03, 2015 11:05 pm

I've noticed that one underhanded trick that apple/google/etc/ are playing now is to connect to hosts with a dns ttl of a few seconds.
so when you look at your dns cache you don't find them. the only purpose for this seems to be naughty stuff, so filtering out any dns response with a ttl less than 60 is unlikely to affect anything legitimate.

You said you set the router as SOA. why not just proxy all dns lookups? Redirect any port 53 outgoing packet to the router. (my router calls this "destination NAT" but I'm sure there are other ways to achieve it).
:PI: :O2: :Indigo2IMP: :Indigo2IMP:
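The short-TTL filter robespierre suggests, as an added example (not code from the thread and not an IOS feature): a minimal RFC 1035 wire-format parser that reads the answer section of a DNS response and returns the A records whose TTL is below a threshold (60 seconds, as in the post), which is what a DNS proxy in front of the router would drop. The response message is constructed inline for the example; the hostname and addresses are made-up sample values.

```python
"""Flag DNS answers with suspiciously short TTLs (added example)."""
import struct

MIN_TTL = 60  # threshold from the post: shorter than this is flagged


def encode_name(name):
    """Encode a dotted hostname as length-prefixed DNS labels."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qname, answers):
    """Construct a minimal A-record response: header, one question, N answers.
    answers is a list of (ipv4_string, ttl). Used only to fabricate test input."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    body = b""
    for ip, ttl in answers:
        rdata = bytes(int(octet) for octet in ip.split("."))
        # 0xC00C is a compression pointer to offset 12, the question name
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + body


def decode_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels = []
    end = None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer: jump, remember where we were
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset if end is None else end


def parse_answers(msg):
    """Return (name, ttl, ip) for every A record in the answer section."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):
        _, offset = decode_name(msg, offset)
        offset += 4  # skip QTYPE and QCLASS
    records = []
    for _ in range(ancount):
        name, offset = decode_name(msg, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            records.append((name, ttl, ".".join(str(b) for b in rdata)))
    return records


def short_ttl_records(msg, min_ttl=MIN_TTL):
    """Answers whose TTL is below min_ttl: the ones the post proposes dropping."""
    return [rec for rec in parse_answers(msg) if rec[1] < min_ttl]


# Constructed sample: one ordinary record and two very short-lived ones.
SAMPLE = build_response(
    "tracker.example",
    [("192.0.2.10", 3600), ("192.0.2.11", 5), ("192.0.2.12", 30)],
)

if __name__ == "__main__":
    for name, ttl, ip in short_ttl_records(SAMPLE):
        print("would drop %s -> %s (ttl %d)" % (name, ip, ttl))
```

Dropping records with TTL below 60 is a heuristic, as the post says: legitimate CDN and failover setups do use short TTLs, so the threshold is worth watching against a log of what gets dropped before it is enforced.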

hamei
Posts: 10435
Joined: Tue Feb 24, 2004 4:10 pm
Location: over the rainbow

Re: any IOS'ers out there ?

Post by hamei » Sun Oct 04, 2015 4:25 am

robespierre wrote:I've noticed that one underhanded trick that apple/google/etc/ are playing now is to connect to hosts with a dns ttl of a few seconds.
so when you look at your dns cache you don't find them. the only purpose for this seems to be naughty stuff, so filtering out any dns response with a ttl less than 60 is unlikely to affect anything legitimate.

You said you set the router as SOA. why not just proxy all dns lookups? Redirect any port 53 outgoing packet to the router. (my router calls this "destination NAT" but I'm sure there are other ways to achieve it).

Thanks, Kumba and Robes ...

About 0.0.0.0, that was interesting. The "indeterminate ip" works differently in a hosts file than on a router, but I gave it a try anyhow. The result was interesting: if I entered one of the evil domains in the url line of a browser, my lan http server immediately bopped back a "not found" message. So the router was saying "0.0.0.0, okay, anybody on an inside interface want to answer this ?" It was kind of uncontrolled but entertaining.

So I thought "hmm, maybe this will work, even tho it's not exactly kosher." But after a while, those poisonous dns hits came creeping in on little cat feet. The Cisco IOS dns is a forwarding and caching dns but apparently, just because you have the domain cached, that doesn't mean it won't ever go upstream for a more specific subdomain. Or if there is more than one ip, it will eventually get the others even if you don't want them.

Easy to just block all those ip's but they change too often for that to be effective.

I'm going to try the soa setting for those domains just for the heck of it - it seems like that should restrict the dns server from looking higher. And it's an easy trick to try.

Also, that's interesting about apple and google - so thoughtful of them to jam that rich internet experience down our throat - but the cisco dns server caches the results. So they shouldn't disappear so quickly from the local cache. I think. Maybe it does pay attention to the ttl directive, but I think you can override it ? research required.

Don't need to proxy the dns, I think. All dns is directed through the router. Every host on the lan has a single dns server, and that's the router. Evil companies on the internet dictate bad practices. I did discover that this IOS has "context-based access control" - it apparently eats router cpu cycles but that's better than waiting forever for the African killer bees to attack my soft white underbelly. Supposedly you can filter packets based on what they are.

So we'll try two different strategies - soa the domains first, cuz that's easy. Then look into the context-based filtering. Maybe can filter out any dns requests going to the evil domains.

It's war, I tell ya. War. Nice way to waste a Sunday, eh ?

Oh. One rather discouraging item I came across : Cisco bought OpenDNS. Offer people enough money and they have no morals whatsoever. Here's a quarter, babe ! Spread 'em !

That was probably the plan from the beginning :cry:
Kumba
Posts: 235
Joined: Mon May 24, 2004 12:14 am
Location: Byzantine Secundus

Re: any IOS'ers out there ?

Post by Kumba » Sun Oct 04, 2015 2:35 pm

hamei wrote:About 0.0.0.0, that was interesting. The "indeterminate ip" works differently in a hosts file than on a router, but I gave it a try anyhow. The result was interesting : if I entered one of the evil domains in the url line of a brower, my lan http server immediately bopped back a "not found" message. So the router was saying "0.0.0.0, okay, anybody on an inside interface want to answer this ?" It was kind of uncontrolled but entertaining.

Oh, a router eh? Hmm, why not see what it does for Class D and Class E addresses. I.e., how does it behave with 255.255.255.254? Most routers should refuse to route multicast or reserved addresses over unicast. Dunno about Cisco, though.


hamei wrote:Also, that's interesting about apple and google - so thoughtful of them to jam that rich internet experience down our throat - but the cisco dns server caches the results. So they shouldn't disappear so quickly from the local cache. I think. Maybe it does pay attention to the ttl directive, but I think you can over-ride it ? research required.

Do you have any capability to inspect the IPv4/IPv6 header and drop the packet if the TTL is within the range you've observed to be tied to Google and/or Apple?

robespierre
Posts: 1579
Joined: Mon Sep 12, 2011 2:28 pm
Location: Boston

Re: any IOS'ers out there ?

Post by robespierre » Sun Oct 04, 2015 3:36 pm

I think on RouterOS (which is not IOS, but more similar than oranges to apples, all hail the command line) it is possible with "L7 filters".
I'd be shocked if IOS can't do it, it's rudimentary DPI in relation to what has been available for several years from many companies.

Some hardware now has regular expression support at the hardware level with 40-gigabit+ throughput. Two guesses as to who's buying that stuff, lol.

(oh, one quibble: I'm talking about the DNS TTL response field, not the IP TTL.)
hamei
Posts: 10435
Joined: Tue Feb 24, 2004 4:10 pm
Location: over the rainbow

Re: any IOS'ers out there ?

Post by hamei » Sun Oct 04, 2015 6:59 pm

progress report ...

Ah-ha ! Enterprise IOS'es after about 11.something have a feature called Distributed Director. Basically, it's load-sharing for dns and the model for Akamai's (gag barf spit) patent which never should have been granted. The whole imaginary property thing is such boolshit : :(

http://caselaw.findlaw.com/us-federal-c ... 70863.html

Anyway, using the features of Distributed Director you can set other routers to act as authoritative for other domains. Distributing the load is the purpose but it appears to work if you use the same router to do dns for the assigned domains. And it's simpler than an soa statement (altho not much, so the other way would most likely work just as well.)

All it requires is

conf t
! map the domain you want to capture to the address that will answer for it
ip host domain ww.xx.yy.zz
! make this router the name server for that domain so lookups stop here
ip host domain ns nameserver
ctrl-z

for the domain you want to hijack. Altho there's a lot more you can do if you want :

http://www.cisco.com/c/en/us/support/do ... ation.html

One thing about Cisco - it does have features. And with the older systems there's none of that web interface crap.

I think if you used 0.0.0.0 in the first line, the nameserver assigned in the second line would fill in the ip with numbers, because 0.0.0.0 on a router means 'anything' rather than the 'nothing' it would mean in a hosts file. But I could easily be mistaken about that. Where's ipaddict when you need him ?

I just used the address of an http server we run, which will immediately return "no such numbah, no such phone" replies to any request for a sterpid flocking google font. I am hoping that will be faster than firewhore waiting by the phone forever for a call that ain't never gonna come.

Supposedly in about:config you could set the timeouts to a really low number (didn't solve the problem for me) but if you did that, slower sites would time out too, when what you really want is to block buysellads.com and other trash. So a tiny little http server dumping those ads to the circular file should work well. Someone could make this into a service, you know .... instead of fighting with hosts files in ten computers, just do it globally for the entire lan. Like OpenDNS, except it would be ad-free instead of Save the Children ! :P

Of course your own name server has to be the ns described in the statement. In fact ... hmmm .... at one point some isp found my open dns server and swamped us. We weren't even trying to steal anyone's packets. After five years of being open to the 'net I had to put acl's on incoming dns requests. We never minded if it was just a few hits but when it went to 30,000 an hour, that was unreasonable. But ... we could have hijacked those requests easily, couldn't we ?

At any rate, so far so good. And I have an old SOHO 97, so maybe I'll add another set of blinkenlights to the rack and let an external router dump all those domains to ground, just for fun.

Networking is a trip. It ain't as simple as people would have you think .... I bet there's an easier way to do this, too. But I haven't found it yet :(

Crap. I just deleted my own earlier discussion of Kumba's and Robes' suggestions. The essence was, an ASA does support regular expressions so you could easily block entire domains but I don't have an ASA. 6U of router is probably enough for a dinky little office :) Oh well. This is the current sitchiation and it seems to be working. So far, anyway.
hamei
Posts: 10435
Joined: Tue Feb 24, 2004 4:10 pm
Location: over the rainbow

Re: any IOS'ers out there ?

Post by hamei » Mon Oct 05, 2015 7:33 pm

^ bump, shoulda hit quote instead of edit :oops:
hamei
Posts: 10435
Joined: Tue Feb 24, 2004 4:10 pm
Location: over the rainbow

Re: any IOS'ers out there ?

Post by hamei » Fri Oct 09, 2015 7:05 am

Update : this seems to work. It appears that Distributed Director is intended to spread the dns load among several servers but it's a pretty simple way to lock a domain to a particular dns server. I haven't had my dns cache polluted for a week now. No more 300 entries for various google / doubleclick / quantserve / etc schmutz. No more TXT and MX records in the dns cache (how the heck did they get in there ?)

Hooray. Another battle won in the fight to own our own computers (temporarily, at least.)