search

pymumu / smartdns

A local DNS server to obtain the fastest website IP for the best Internet experience, support DoT, DoH. 一个本地DNS服务器,获取最快的网站IP,获得最佳上网体验,支持DoH,DoT。
https://pymumu.github.io/smartdns/
GNU General Public License v3.0
8.45k stars 1.08k forks source link

不知是不是我配置错误,导致了类似 DDoS 现象 #1469

Open CallMeR opened 1 year ago

CallMeR commented 1 year ago

问题现象

我用 Debian 12 服务器做了一个内网的 DNS ,但该服务器周期性出现类似 DDoS 现象。

运行环境

  1. 固件型号 - Debian 12 x86_64 Server

  2. 运营商 - 无关

  3. smartdns来源以及版本 - smartdns.1.2023.05.07-1641.x86_64-linux-all.tar.gz

  4. 涉及的配置 (注意去除个人相关信息)

conf-file /etc/smartdns/anti-ad-smartdns.conf
cache-file /tmp/smartdns.cache

bind [::]:53
bind-tcp [::]:53

serve-expired yes
serve-expired-ttl 86400
serve-expired-reply-ttl 3
prefetch-domain yes
serve-expired-prefetch-time 43200

speed-check-mode ping,tcp:80,tcp:443

force-qtype-SOA 65

log-level notice

server-tcp 119.29.29.29 -group dnspod -exclude-default-group
server-tcp 2402:4e00:: -group dnspod -exclude-default-group
nameserver /doh.pub/dnspod
nameserver /dot.pub/dnspod

server-tcp 223.5.5.5 -group alidns -exclude-default-group
server-tcp 2400:3200::1 -group alidns -exclude-default-group
nameserver /dns.alidns.com/alidns

server 172.16.1.1 -group intranet -exclude-default-group
server fdac::1 -group intranet -exclude-default-group
nameserver /fox.local/intranet
domain-rules /fox.local/ -speed-check-mode none -no-cache

server-tls dot.pub
server-tls dns.alidns.com

server-https https://doh.pub/dns-query
server-https https://dns.alidns.com/dns-query

重现步骤

  1. 我的主路由是 RouterOS 里面设置了 DDoS 检查防火墙,并开启了 tcp-syncookies
add action=jump chain=forward comment="ddosconf: DDoS" connection-state=new jump-target=detect-ddos
add action=return chain=detect-ddos comment="ddosconf: DDoS SYN-ACK Flood" dst-limit=32,32,src-and-dst-addresses/10s protocol=tcp tcp-flags=syn,ack log=yes log-prefix="[syn-ack-flood]"
add action=return chain=detect-ddos comment="ddosconf: DDoS" dst-limit=256,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list chain=detect-ddos comment="ddosconf: DDoS" address-list=ddos_targets_ipv6 address-list-timeout=10m
add action=add-src-to-address-list chain=detect-ddos comment="ddosconf: DDoS" address-list=ddos_attackers_ipv6 address-list-timeout=10m log=yes log-prefix="[ddos-ipv6]"

其中关于 dst-limit 的定义如下:

dst-limit (integer[/time],integer,dst-address | dst-port | src-address[/time]; Default: )

Matches packets until a given rate is exceeded. Rate is defined as packets per time interval. As opposed to the limit matcher, every flow has its own limit. Flow is defined by a mode parameter. Parameters are written in the following format: rate[/time],burst,mode[/expire] .

  • rate - packet count per time interval per-flow to match
  • time - specifies the time interval in which the packet count rate per flow cannot be exceeded (optional, 1s will be used if not specified)
  • burst - initial number of packets per flow to match: this number gets recharged by one every time/rate, up to this number
  • mode - this parameter specifies what unique fields define flow (src-address, dst-address, src-and-dst-address, dst-address-and-port, addresses-and-dst-port)
  • expire - specifies interval after which flow with no packets will be allowed to be deleted (optional)
  1. 让这个 DNS 服务器运行超过 24 小时,就会得到类似如下日志:
11:20:40 - [ddos-ipv6] detect-ddos: in:bridge1 out:pppoe-out1, connection-state:new src-mac 7e:xx:xx:xx:xx:xx, proto TCP (SYN), [240e:xx:xx:xx:xx:xxff:fexx:xx]:55964->[2403:300:a41:d00::8]:80, len 40

11:20:40 - [ddos-ipv6] detect-ddos: in:bridge1 out:pppoe-out1, connection-state:new src-mac 7e:xx:xx:xx:xx:xx, proto TCP (SYN), [240e:xx:xx:xx:xx:xxff:fexx:xx]:46466->[2403:300:a41:d0b::a]:80, len 40

11:20:40 - [ddos-ipv6] detect-ddos: in:bridge1 out:pppoe-out1, connection-state:new src-mac 7e:xx:xx:xx:xx:xx, proto TCP (SYN), [240e:xx:xx:xx:xx:xxff:fexx:xx]:56670->[2403:300:a41:d0c::e]:80, len 40

11:20:40 - [ddos-ipv6] detect-ddos: in:bridge1 out:pppoe-out1, connection-state:new src-mac 7e:xx:xx:xx:xx:xx, proto TCP (SYN), [240e:xx:xx:xx:xx:xxff:fexx:xx]:35212->[2403:300:a41:d02::b]:80, len 40

11:20:40 - [ddos-ipv6] detect-ddos: in:bridge1 out:pppoe-out1, connection-state:new src-mac 7e:xx:xx:xx:xx:xx, proto TCP (SYN), [240e:xx:xx:xx:xx:xxff:fexx:xx]:36700->[2403:300:a41:d04::7]:80, len 40

11:20:40 - [ddos-ipv6] detect-ddos: in:bridge1 out:pppoe-out1, connection-state:new src-mac 7e:xx:xx:xx:xx:xx, proto TCP (SYN), [240e:xx:xx:xx:xx:xxff:fexx:xx]:35362->[2403:300:a41:d0c::7]:80, len 40

11:20:40 - [ddos-ipv6] detect-ddos: in:bridge1 out:pppoe-out1, connection-state:new src-mac 7e:xx:xx:xx:xx:xx, proto TCP (SYN), [240e:xx:xx:xx:xx:xxff:fexx:xx]:56132->[2403:300:a41:d04::10]:80, len 40

11:20:40 - [ddos-ipv6] detect-ddos: in:bridge1 out:pppoe-out1, connection-state:new src-mac 7e:xx:xx:xx:xx:xx, proto TCP (SYN), [240e:xx:xx:xx:xx:xxff:fexx:xx]:56754->[2403:300:a41:d01::d]:80, len 40

其中 7e:xx:xx:xx:xx:xx 为 DNS 服务器的 MAC 地址,240e:xx:xx:xx:xx:xxff:fexx:xx 为 DNS 服务器的 IPv6 地址。

这说明,这个 DNS 服务器,在这 10 秒中内,对同一个 IPv6 目标地址发出了超过 288 个 TCP (SYN) 包。

  1. 这个现象只在 IPv6 中出现,而且具有周期性,稳定出现。

  2. Debian 12 的额外内核参数如下:

kernel.panic = 20
kernel.panic_on_oops = 1

net.core.default_qdisc = fq_codel
net.ipv4.tcp_congestion_control = bbr

# Other adjustable system parameters

net.ipv4.conf.all.log_martians = 1

net.ipv4.igmp_max_memberships = 100

net.ipv4.tcp_challenge_ack_limit = 1000
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 120
net.ipv4.tcp_max_orphans = 4096
net.ipv4.tcp_max_tw_buckets = 4096
net.ipv4.tcp_syncookies = 1

net.ipv6.conf.all.use_tempaddr = 0
net.ipv6.conf.default.use_tempaddr = 0
PikuZheng commented 1 year ago

随便查了一下2403:300:a41:d01::d 对应的是 api-edge.icloud.com。 ros的ipv6我不熟,但单看日志的话似乎是smartdns所在的服务器在对icloud进行ddos?

CallMeR commented 1 year ago

随便查了一下2403:300:a41:d01::d 对应的是 api-edge.icloud.com。 ros的ipv6我不熟,但单看日志的话似乎是smartdns所在的服务器在对icloud进行ddos?

我看了下昨天的日志,不仅是 icloud 的地址:

14:48:01 - [ddos-ipv6] detect-ddos: in:bridge1 out:pppoe-out1, connection-state:new src-mac 7e:xx:xx:xx:xx:xx, proto TCP (SYN), [240e:xx:xx:xx:xx:xxff:fexx:xx]:58530->[2403:300:a41:d04::10]:80, len 40

17:48:22 - [ddos-ipv6] detect-ddos: in:bridge1 out:pppoe-out1, connection-state:new src-mac 7e:xx:xx:xx:xx:xx, proto TCP (SYN), [240e:xx:xx:xx:xx:xxff:fexx:xx]:54532->[2620:149:208:305::1d]:80, len 40

17:48:22 - [ddos-ipv6] detect-ddos: in:bridge1 out:pppoe-out1, connection-state:new src-mac 7e:xx:xx:xx:xx:xx, proto TCP (SYN), [240e:xx:xx:xx:xx:xxff:fexx:xx]:58270->[2620:149:149:102a::7]:80, len 40

17:48:22 - [ddos-ipv6] detect-ddos: in:bridge1 out:pppoe-out1, connection-state:new src-mac 7e:xx:xx:xx:xx:xx, proto TCP (SYN), [240e:xx:xx:xx:xx:xxff:fexx:xx]:39994->[2620:149:208:430c::4]:80, len 40

17:48:22 - [ddos-ipv6] detect-ddos: in:bridge1 out:pppoe-out1, connection-state:new src-mac 7e:xx:xx:xx:xx:xx, proto TCP (SYN), [240e:xx:xx:xx:xx:xxff:fexx:xx]:59070->[2620:149:149:1031::8]:80, len 40

我内网一共有 2 台 DNS 服务器,一台装的是 SmartDNS 另外一台装的是 Adguard Home ,并且仅运行了 DNS 服务。

初步研究发现,SmartDNS 会出现这个情况,Adguard Home 不会发生这个情况(但是 Adguard Home 的乐观缓存没开)。

应该是在 SmartDNS 缓存预取 或者 缓存过期 时会触发的这个现象,而且都是 80 端口,怀疑和 speed-check-mode prefetch-domain 相关?

PikuZheng commented 1 year ago

感觉是测速