Re: UDP connection attempts

Look,
first of all I block spoofed incoming packets on my external interface, so
traffic from 127.0.0.0/8 cannot pass through it no matter what protocol it uses,
so spoofing is not the case for me.

When you say that it may be that my machine is trying to update its
records, do you mean it tries to update the zone files my machine is
hosting? Because my server runs only as a master server, and from what I know
its records should be updated only when the administrator requests it
through rndc or by restarting bind.
To give you a more thorough idea of my dns server, I allow some IPs to
query it for any address, I allow the world to query me for my zones, I
don't use forwarders, and I don't have a slave dns (though I should have
:) ).

As far as the third part of your mail is concerned, no, I don't have any
other log files. The only firewall present in my network is on the server
itself; there is of course a router between my server and my ISP, which
only routes packets (no packet filtering whatsoever).

Thanks for your answer,

mamalos

On Wed, 19 Jul 2006, Network Security wrote:

It's UDP, so who the *** knows where it's actually coming from. It
might not originate from your machines.

Remember, UDP packets destined to your address, with the
return address of your same server, is a common way to both DoS and peek
through a firewall. Is your log by chance suppressing duplicate
entries?

The other option is your machine may be attempting to update its
DNS records. But it's not a connection oriented protocol, so you don't
know who actually sent the packet.

Do you have a router or other firewall log?

-Brian
Brian J. Brandon
Network Security Consultant
Los Angeles, California
SecurityAdmin@xxxxxxxx
Tel. No. 310.925.2987
Fax. No. 325.204.7815
Wednesday, July 19, 2006, 2:07:08 AM, you wrote:


Hi everyone,
I administer this FreeBSD 5.2.1 box which runs a few services, among
which are bind and postfix. On the same box I run ipfw as a firewall, and
have a default policy block for all incoming packets, except for those
that are for ports 53 (tcp and udp) and 25 (tcp).
I also have the following sysctl values enabled:
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
In my security logs I keep on getting the following messages:
Jul 19 03:04:49 ns1 kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:52291
Jul 19 03:25:56 ns1 kernel: Connection attempt to UDP myexternaladdress:52299 from myexternaladdress:53
Jul 19 09:33:11 ns1 kernel: Connection attempt to UDP myexternaladdress:52316 from myexternaladdress:53
Jul 19 10:28:32 ns1 kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:52328
Jul 19 11:05:49 ns1 kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:52354

I have googled these messages many times, but still haven't found a real
explanation of why these messages occur. The way I see it is that there is
no malicious behaviour behind these messages; most probably there's
something that has to do with my firewall settings, and the keep state
option.
I present the excerpt from my firewall configuration file that relates to
the dns incoming traffic:
add 00389 allow udp from any to myexternaladdress 53 in via fxp0 keep-state

I would be grateful if someone could explain to me why these messages
keep showing, and if there is a way to prevent them from occurring in the
future.
Thank you all in advance,

mamalos
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
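An added example, not part of the thread: a small Python script that parses kernel "Connection attempt" lines of the kind quoted above and sorts them into loopback-to-loopback, self-addressed (the box's own address on both ends) and foreign-source records, so a log review can see which kind is actually recurring. The sample lines are constructed from the quoted log, with myexternaladdress replaced by the documentation address 192.0.2.10 and one foreign-source line added.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample: the thread's log lines, unwrapped, "myexternaladdress"
# replaced by 192.0.2.10, plus one added foreign-source line (constructed).
SAMPLE_LOG = """\
Jul 19 03:04:49 ns1 kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:52291
Jul 19 03:25:56 ns1 kernel: Connection attempt to UDP 192.0.2.10:52299 from 192.0.2.10:53
Jul 19 09:33:11 ns1 kernel: Connection attempt to UDP 192.0.2.10:52316 from 192.0.2.10:53
Jul 19 10:28:32 ns1 kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:52328
Jul 19 11:05:49 ns1 kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:52354
Jul 19 11:40:02 ns1 kernel: Connection attempt to UDP 192.0.2.10:1434 from 198.51.100.4:40000
"""

# Shape of the message the FreeBSD tcp/udp blackhole sysctls log.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"Connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) from (?P<src>[\d.]+):(?P<sport>\d+)$"
)

def parse_line(line):
    """Return a dict for one blackhole log line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["dport"], rec["sport"] = int(rec["dport"]), int(rec["sport"])
    return rec

def classify(rec):
    """Label a record by what its (unverifiable, since UDP) source claims."""
    src, dst = ip_address(rec["src"]), ip_address(rec["dst"])
    if src.is_loopback and dst.is_loopback:
        return "loopback"        # a local process talking to the box itself
    if src == dst:
        return "self-addressed"  # own address on both ends: local or spoofed
    return "external"            # another host, as far as the header is trusted

def summarize(log_text):
    """Count records by (category, protocol, service port), where the service
    port is taken as the lower of the two ports: 512 for the loopback lines,
    53 for the self-addressed ones."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            key = (classify(rec), rec["proto"], min(rec["sport"], rec["dport"]))
            counts[key] += 1
    return counts
```

Run against a real /var/log/security, the counts show at a glance whether the recurring entries are loopback 512/UDP or self-addressed 53/UDP, which is the split the thread is discussing.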


