Tuesday, February 24, 2015

OpenWRT DNS amplification attack: a dnsmasq setting flaw

There really is always something happening! This time I think it's quite serious, so I hope whoever comes across this post fixes the problem before it gets worse, rather than ending up an unwitting accomplice.

At home I have a TP-Link router, model wrt1043nd. I actually quite like this router: one, it's good value for money; two, it can run third-party firmware. A few years ago I installed DD-WRT, but later it couldn't do something I wanted (I can't remember which function now), so I boldly went and flashed OpenWRT, and, what do you know, it worked. With my half-baked skills, I've been happily using it ever since.

Since I'm running OpenWRT, naturally I tweaked the Wi-Fi settings, set up a small firewall, port forwarding, a PPTP VPN server, a DDNS service to update DDNS, and so on...

A few days ago my younger sister complained that the internet at home was really slow, sometimes pages wouldn't load at all, YouTube wouldn't play, and even SmarTone's painfully slow unlimited 3G plan was faster than going over Wi-Fi to Netvigator 200M. How could that be? So I had to go and check what was going on...

Everything seemed fine until I checked, and as soon as I did, something looked odd:

Tue Feb 24 10:31:01 2015 daemon.warn dnsmasq[6244]: Maximum number of concurrent DNS queries reached (max: 150)
Tue Feb 24 10:31:12 2015 daemon.warn dnsmasq[6244]: Maximum number of concurrent DNS queries reached (max: 150)
Tue Feb 24 10:31:24 2015 daemon.warn dnsmasq[6244]: Maximum number of concurrent DNS queries reached (max: 150)
Tue Feb 24 10:31:30 2015 daemon.warn dnsmasq[6244]: Maximum number of concurrent DNS queries reached (max: 150)

At first I didn't know how to read it. I thought: at home there are at most two desktops, one NAS and three mobile phones, six devices in total; there's no way they could hit the 150 limit. So I clicked into the DHCP and DNS settings to have a look. Still no idea. So I went through the settings one by one, and happened to click this one:

[Screenshot of the setting whose help text reads "Write received DNS requests to syslog"]

Then I went back and looked at the system log again. Whoa, the logs frightened the life out of me:

Tue Feb 24 10:32:55 2015 daemon.info dnsmasq[6322]: forwarded fkfkfkfz.guru to 219.76.98.90
Tue Feb 24 10:32:55 2015 daemon.info dnsmasq[6322]: query[ANY] fkfkfkfz.guru from 70.234.253.75
Tue Feb 24 10:32:55 2015 daemon.info dnsmasq[6322]: forwarded fkfkfkfz.guru to 219.76.98.90
Tue Feb 24 10:32:55 2015 daemon.info dnsmasq[6322]: query[ANY] fkfkfkfz.guru from 67.239.253.115
Tue Feb 24 10:32:55 2015 daemon.info dnsmasq[6322]: forwarded fkfkfkfz.guru to 219.76.98.90
Tue Feb 24 10:32:55 2015 daemon.info dnsmasq[6322]: query[ANY] fkfkfkfz.guru from 109.108.209.151
Tue Feb 24 10:32:55 2015 daemon.info dnsmasq[6322]: forwarded fkfkfkfz.guru to 219.76.98.90
Tue Feb 24 10:32:55 2015 daemon.info dnsmasq[6322]: query[ANY] fkfkfkfz.guru from 67.239.253.115
Tue Feb 24 10:32:55 2015 daemon.info dnsmasq[6322]: forwarded fkfkfkfz.guru to 219.76.98.90
Tue Feb 24 10:32:55 2015 daemon.info dnsmasq[6322]: query[ANY] fkfkfkfz.guru from 109.108.209.151
Tue Feb 24 10:32:55 2015 daemon.info dnsmasq[6322]: forwarded fkfkfkfz.guru to 219.76.98.90
Tue Feb 24 10:32:55 2015 daemon.info dnsmasq[6322]: query[ANY] fkfkfkfz.guru from 67.240.130.123
Tue Feb 24 10:32:55 2015 daemon.info dnsmasq[6322]: forwarded fkfkfkfz.guru to 219.76.98.90
Tue Feb 24 10:32:55 2015 daemon.info dnsmasq[6322]: query[ANY] fkfkfkfz.guru from 70.234.253.75
Tue Feb 24 10:32:55 2015 daemon.info dnsmasq[6322]: forwarded fkfkfkfz.guru to 219.76.98.90

It was querying that URL nonstop, and one look at the domain told me it was dodgy. My first thought was that something was infected, maybe the NAS had been compromised, so without a second thought I remotely powered off the HP N40L. But the log was exactly the same. Then I tried changing the DNS port to something else, and, hey, it went quiet, all the pointless queries were gone. I thought I'd fixed it, but when I called home and asked, the family complained they couldn't get online, so I knew something was wrong: presumably changing the DNS port meant even the devices/PCs on the LAN could no longer do DNS lookups, so that approach was a no-go. Nothing for it but to search the web. It turns out this is called a DNS amplification attack: someone keeps asking the DNS server to resolve a domain; when the server is asked and doesn't know the answer, it forwards the query to its own upstream DNS server and then replies to the target machine, jamming the target until it stops responding. That's DoS, and not Disk Operating System but denial of service.
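The pattern in the log above, queries of type ANY for a single domain arriving from addresses that are not on the LAN, is easy to pull out of the dnsmasq log once query logging is on. The script below is an added example, not something from the original post: it summarises dnsmasq query lines by source address and counts how many come from outside a LAN prefix. The log lines and the LAN prefix 192.168.1. are constructed for the example; on the router you would pipe `logread` into the same functions instead.

```shell
#!/bin/sh
# Added example (not from the original post): summarise dnsmasq "query[...]"
# log lines by source address and flag sources outside the LAN prefix.
# SAMPLE_LOG is constructed here; on a router, feed `logread` output instead.

SAMPLE_LOG='Tue Feb 24 10:32:55 2015 daemon.info dnsmasq[6322]: query[ANY] fkfkfkfz.guru from 70.234.253.75
Tue Feb 24 10:32:55 2015 daemon.info dnsmasq[6322]: forwarded fkfkfkfz.guru to 219.76.98.90
Tue Feb 24 10:32:55 2015 daemon.info dnsmasq[6322]: query[ANY] fkfkfkfz.guru from 67.239.253.115
Tue Feb 24 10:32:55 2015 daemon.info dnsmasq[6322]: query[A] www.example.com from 192.168.1.20
Tue Feb 24 10:32:56 2015 daemon.info dnsmasq[6322]: query[ANY] fkfkfkfz.guru from 70.234.253.75'

# Assumed LAN prefix for this example; adjust to your own subnet.
LAN_PREFIX="192.168.1."

# Print "count source type name" for each distinct (source, type, name)
# triple, busiest first. Only query[...] lines are counted; the
# "forwarded"/"reply" lines dnsmasq also writes are skipped.
summarise_queries() {
    printf '%s\n' "$1" | awk '
        /dnsmasq\[[0-9]+\]: query\[/ {
            # fields after the prefix: query[TYPE] NAME from SRC
            for (i = 1; i <= NF; i++) if ($i ~ /^query\[/) {
                qtype = substr($i, 7, length($i) - 7)  # strip "query[" and "]"
                name = $(i + 1); src = $(i + 3)
                count[src " " qtype " " name]++
            }
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Count query lines whose source address is outside the LAN prefix. On a
# home router this should be zero; anything else means the resolver is
# answering the WAN side.
count_external_queries() {
    printf '%s\n' "$1" | awk -v pfx="$2" '
        /dnsmasq\[[0-9]+\]: query\[/ {
            src = $NF
            if (index(src, pfx) != 1) n++
        }
        END { print n + 0 }
    '
}

summarise_queries "$SAMPLE_LOG"
echo "queries from outside ${LAN_PREFIX}0/24: $(count_external_queries "$SAMPLE_LOG" "$LAN_PREFIX")"
```

A non-zero external count, or a summary dominated by one domain with type ANY from many unrelated addresses, is the signature worth alerting on; the ANY type is what makes the reply much larger than the query.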

After a long search, all I found was advice about setting up the firewall, adding some iptables line or other, or specifying which domain's packets to drop, which made my head spin. On top of that the attack had apparently been updated, because there was hardly any information online about fkfkfkfz.guru, only about similar-looking domains. In the end I didn't succeed, and since I had to get up early for work the next day, I had to leave it for the time being, though I was far from happy about it.

The next day, when I had some time at work, I kept searching. I found a small clue: it turns out OpenWRT has a little problem, which is that its dnsmasq service listens on all interfaces by default, so it answers DNS queries from both LAN and WAN. Damn, how crazy is that? What business does the router have answering DNS queries from the street? Totally unnecessary. So, let's see which setting needs changing.

In /etc/config/dhcp
under
config dnsmasq
add the line
list notinterface 'wan'

This means it no longer listens for DNS queries coming from WAN. That counts as having solved the problem; router load dropped from 3x% back to less than 10%. Lucky Netvigator didn't blacklist me, having been an unwitting 'assist' for a good two months or more. Worst of all is OpenWRT: its dnsmasq default should have list notinterface 'wan', and on top of that the GUI doesn't let you set it, so every time you have to telnet in and edit the config file. Come on, not everyone knows how to do that. So I'm writing this post in the hope that someone finds it in a search and it helps.
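To check whether a router has already had this fix applied, and to apply it without hand-editing, the script below is an added example (not from the original post, not OpenWRT's own tooling): it reads an /etc/config/dhcp, reports whether the dnsmasq section contains `list notinterface 'wan'`, and prints a corrected copy when it does not. SAMPLE_DHCP_CONFIG is a constructed config mirroring the post's fix; the option lines in it are the usual OpenWRT ones but their values are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: check whether an OpenWRT
# /etc/config/dhcp already excludes the WAN interface from dnsmasq's listeners,
# and produce a corrected copy when it does not. SAMPLE_DHCP_CONFIG is
# constructed for this example; on a router, read the real file instead.

SAMPLE_DHCP_CONFIG="config dnsmasq
    option domainneeded '1'
    option localise_queries '1'
    option local '/lan/'
    option domain 'lan'

config dhcp 'lan'
    option interface 'lan'
    option start '100'
    option limit '150'"

# Return 0 when a "list notinterface 'wan'" line sits inside the dnsmasq
# section. A later "config ..." header ends that section, so the same line
# placed under a dhcp section is (correctly) not counted.
has_wan_excluded() {
    printf '%s\n' "$1" | awk -v q="'" '
        /^config / { in_dnsmasq = ($2 == "dnsmasq") }
        in_dnsmasq && $1 == "list" && $2 == "notinterface" {
            v = $3; gsub(q, "", v)        # accept wan with or without quotes
            if (v == "wan") found = 1
        }
        END { if (found) exit 0; exit 1 }
    '
}

# Print the config with the exclusion inserted right after "config dnsmasq".
# Idempotent: a config that already has the line is printed unchanged.
add_wan_exclusion() {
    if has_wan_excluded "$1"; then
        printf '%s\n' "$1"
        return 0
    fi
    printf '%s\n' "$1" | awk -v line="    list notinterface 'wan'" '
        { print }
        /^config dnsmasq/ { print line }
    '
}

FIXED_CONFIG=$(add_wan_exclusion "$SAMPLE_DHCP_CONFIG")
printf '%s\n' "$FIXED_CONFIG"
```

On the router itself the same change can be made through uci rather than by editing the file: `uci add_list dhcp.@dnsmasq[0].notinterface='wan'`, then `uci commit dhcp` and `/etc/init.d/dnsmasq restart`. Afterwards, a DNS lookup aimed at your own WAN address from outside should time out instead of being answered, while lookups from the LAN keep working; that second check is the one the port-change attempt in the post failed.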

So, as I said, checking your logs every so often really matters. And don't casually open servers to the outside world, or you'll be compromised without even knowing it.
