
Attack on UDP port 53 ?


meukone

Technical User
May 18, 2003
4
GB
Hi All,

We don't have a firewall and are just relying on an access-list on our border router. After I applied the new access-list I am continuously receiving the logs shown below. The destination IP is our mail server (and it's not running any DNS service) and I'm suspicious about the pattern on the source port and destination port UDP 53; however, I am not aware of any trojan or worm using the below. I already tried searching Google but cannot find the explanation... Please help.

PS:
I am continuously monitoring these denied packets, which have been continuously hitting for the past 3 days now...

--logs start here---
Jun 4 04:36:48.867 denied udp XX7.Y3.71.242(54067) -> XX3.Y1.246.66(53), 1 packet
Jun 4 04:37:07.556 denied udp XX7.Y3.71.242(54070) -> XX3.Y1.246.66(53), 1 packet
Jun 4 04:37:26.496 denied udp XX7.Y3.71.242(53967) -> XX3.Y1.246.66(53), 2 packets
Jun 4 04:37:45.120 denied udp XX7.Y3.71.242(53972) -> XX3.Y1.246.66(53), 2 packets
Jun 4 04:38:03.744 denied udp XX7.Y3.71.242(53979) -> XX3.Y1.246.66(53), 2 packets
Jun 4 04:38:07.888 denied udp XX7.Y3.71.242(53989) -> XX3.Y1.246.66(53), 2 packets
Jun 4 04:38:22.704 denied udp XX7.Y3.71.242(54003) -> XX3.Y1.246.66(53), 2 packets
Jun 4 04:38:41.380 denied udp XX7.Y3.71.242(53982) -> XX3.Y1.246.66(53), 34 packets
Jun 4 04:39:00.132 denied udp XX7.Y3.71.242(54009) -> XX3.Y1.246.66(53), 2 packets
Jun 4 04:39:18.904 denied udp XX7.Y3.71.242(54027) -> XX3.Y1.246.66(53), 2 packets
Jun 4 04:39:33.772 denied udp XX7.Y3.71.242(54035) -> XX3.Y1.246.66(53), 2 packets
Jun 4 04:39:37.616 denied udp XX7.Y3.71.242(54042) -> XX3.Y1.246.66(53), 2 packets
 
Are these unsolicited requests, or is the source IP address that of your primary DNS server? DNS uses both TCP and UDP for communication, and if this is one of your DNS servers, then they are probably legitimate responses to your DNS requests. You are probably still OK allowing both TCP and UDP traffic on port 53 from your primary, secondary and even tertiary DNS servers. Unless you have reason to believe that they are or could be compromised.

I'd still rather see a firewall there, but router ACLs are a decent start.


pansophic
 
Hi Pansophic,

Thanks for your response. The logs I posted earlier are unsolicited traffic. The source IP is not our DNS server, and the destination IP is also not a DNS server but rather a mail server.

I am suspecting this is a DoS on our mail server or a worm.

If anyone has experienced the same and knows what exactly this activity is, please let me know. Thanks.
 
Your mail server does DNS (as a client) as well as every other machine on your network. If you are not running your own DNS server(s) internally, then your mail server would issue the request to the DNS server listed in its network configuration. That server would be on the Internet somewhere, but is generally from your ISP.

I'd be surprised if it were a worm, because I'd expect to see additional addresses that were being blocked, not just the mail server.

Have you attempted to do any reverse resolution on the IP to see who it is that is sending the requests?


pansophic
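The distinction pansophic draws is the useful triage test: a mail server that only acts as a DNS client sends queries from an ephemeral port to port 53 on a resolver, and the replies come back from port 53. Packets arriving at port 53 on a host that serves no DNS are therefore unsolicited by construction. The script below is an added example (not code from the thread or its posters) that parses deny lines in the format the poster showed, labels each one by that rule, and totals packets and distinct source ports per sender. The sample lines and the resolver address are constructed documentation addresses, not the poster's masked ones; the `reverse_lookup` helper is the "who is sending this" check suggested in the replies and needs network access.

```python
"""Triage router ACL deny logs for UDP/53 traffic (added example)."""
import re
import socket
from collections import Counter, defaultdict

# Constructed sample lines modelled on the thread's log format.
# 192.0.2.25 plays the mail server, 198.51.100.53 the ISP resolver.
SAMPLE_LOG = """\
Jun 4 04:36:48.867 denied udp 203.0.113.242(54067) -> 192.0.2.25(53), 1 packet
Jun 4 04:37:07.556 denied udp 203.0.113.242(54070) -> 192.0.2.25(53), 2 packets
Jun 4 04:38:41.380 denied udp 203.0.113.242(53982) -> 192.0.2.25(53), 34 packets
Jun 4 04:39:00.132 denied udp 198.51.100.53(53) -> 192.0.2.25(61234), 1 packet
Jun 4 04:39:10.000 denied tcp 203.0.113.77(4444) -> 192.0.2.25(25), 1 packet
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:.]+)\s+denied\s+(?P<proto>udp|tcp)\s+"
    r"(?P<src>[\w.]+)\((?P<sport>\d+)\)\s+->\s+"
    r"(?P<dst>[\w.]+)\((?P<dport>\d+)\),\s+(?P<pkts>\d+)\s+packets?$"
)


def parse_line(line):
    """Return a dict for one deny line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    for key in ("sport", "dport", "pkts"):
        entry[key] = int(entry[key])
    return entry


def classify(entry, resolvers, dns_hosts):
    """Label a deny entry.

    resolvers: external DNS servers our hosts query (legit replies come FROM 53).
    dns_hosts: our own hosts that legitimately serve DNS (legit queries go TO 53).
    """
    if entry["dport"] == 53 and entry["dst"] not in dns_hosts:
        # A query aimed at port 53 on a host that serves no DNS: unsolicited.
        return "inbound-dns-query-to-non-dns-host"
    if entry["sport"] == 53 and entry["src"] in resolvers:
        # Reply to one of our own lookups that the ACL is dropping: ACL too strict.
        return "blocked-reply-from-our-resolver"
    if entry["sport"] == 53:
        return "unsolicited-dns-reply"
    return "other"


def summarize(log_text, resolvers, dns_hosts):
    """Count entries per label and packets / source ports per sender."""
    by_category = Counter()
    packets_by_source = Counter()
    sports_by_source = defaultdict(set)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        by_category[classify(entry, resolvers, dns_hosts)] += 1
        packets_by_source[entry["src"]] += entry["pkts"]
        sports_by_source[entry["src"]].add(entry["sport"])
    return {
        "by_category": dict(by_category),
        "packets_by_source": dict(packets_by_source),
        "src_ports_by_source": {k: sorted(v) for k, v in sports_by_source.items()},
    }


def reverse_lookup(ip):
    """PTR lookup for a sender; None when it has no reverse record or we are offline."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG, resolvers={"198.51.100.53"}, dns_hosts=set())
    for label, count in report["by_category"].items():
        print(f"{label}: {count} entries")
    for src, pkts in report["packets_by_source"].items():
        print(f"{src}: {pkts} packets from ports {report['src_ports_by_source'][src]}")
```

Run against the real ACL log, a single sender showing up under `inbound-dns-query-to-non-dns-host` with many packets across a spread of ephemeral source ports is exactly the thread's pattern; anything under `blocked-reply-from-our-resolver` means the new access-list is also eating the mail server's own lookups and needs a permit for UDP and TCP 53 from the configured resolvers.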
 
You could always set up a sniffer to see what these packets contain. It'll probably shed some light on the subject. Find out who that IP belongs to as well. It'll help you find out what's going on.

I'll see your DMCA and raise you a First Amendment.
 