Re: UDP connection attempts

George Mamalakis wrote:
Jul 19 03:04:49 ns1 kernel: Connection attempt to UDP 127.0.0.1:512 from
127.0.0.1:52291

If you have net.inet.ip.check_interface=1 or your firewall blocks packets with 127/8 addresses arriving via a non-loopback interface, then the source address isn't spoofed.

Then - it's local communication.

You should search for a local program causing this type of communication.

The packet content (use tcpdump -s1500 -X -i lo0 dst port 512) may (or may not) help you.

Jul 19 03:25:56 ns1 kernel: Connection attempt to UDP
myexternaladdress:52299 from myexternaladdress:53
Jul 19 09:33:11 ns1 kernel: Connection attempt to UDP
myexternaladdress:52316 from myexternaladdress:53

It's probably a DNS response to a nonexistent or expired question.

In the first case - it's a sort of attack. As you configured the system to report attacks, you want to see those messages. Please note the source address may be forged and there is no way to determine the true source of it without upstream ISP cooperation.

In the second case - the packet is a "too late response" - the process which sent the DNS question no longer waits for it. Unless the source address is spoofed, it's a local-to-local DNS request. Maybe the program sending it has too short a timeout, or it's a 'question-related' problem (you asked for a DNS record but the appropriate DNS server responded slowly or didn't respond at all).

You should identify the local program sending those questions and/or the question triggering those messages.

Please note that NAT on the myexternaladdress host may cause some non-local communication to appear local (e.g., some non-local process communication looks like local-process communication). But your local computers have no reason to contact your DNS server over the external address (I assume they use the appropriate internal address), so it shouldn't complicate your analysis. In that case you can block DNS questions to myexternaladdress for all internal interfaces - just to be sure.

Dan

_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
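The classification Dan walks through above, as an added example that is not part of the original thread: a small Python script that re-joins the kernel messages the mail client wrapped onto two lines and tags each one as loopback-local, a late reply from the host's own port 53, or an unsolicited packet whose source may be forged. The sample lines are the three quoted in the thread; the category names and the `classify` helper are my own.

```python
import re

# Shape of the FreeBSD kernel message quoted in the thread (dst/src may be a hostname placeholder).
_MSG = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) kernel: Connection attempt "
                 r"to UDP (?P<dst>[^:\s]+):(?P<dport>\d+) from (?P<src>[^:\s]+):(?P<sport>\d+)$")
_TS = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d ")

def join_wrapped(text):
    """Re-join messages that a mail client wrapped onto a second line."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if out and not _TS.match(line):
            out[-1] += " " + line          # continuation of previous message
        else:
            out.append(line)
    return out

def _is_loopback(addr):
    return addr.startswith("127.")         # 127/8; a hostname placeholder is not

def classify(msg):
    """Return (category, note) for one 'Connection attempt to UDP' message."""
    m = _MSG.match(msg)
    if not m:
        return ("unparsed", msg)
    src, dst = m["src"], m["dst"]
    sport, dport = int(m["sport"]), int(m["dport"])
    if _is_loopback(src) and _is_loopback(dst):
        # Only trustworthy if 127/8 from non-loopback interfaces is dropped (check_interface=1 or firewall).
        return ("loopback-local", f"local process sending to UDP port {dport}")
    if sport == 53 and src == dst:
        return ("late-dns-reply", f"own resolver reply to port {dport}; client gave up")
    if sport == 53:
        return ("dns-reply-external", f"reply from {src} to port {dport}; may be forged")
    return ("unsolicited", f"{src}:{sport} -> port {dport}; source may be forged")

def classify_log(text):
    return [classify(msg) for msg in join_wrapped(text)]

# Constructed sample: the three messages quoted in the thread, wrapped as posted.
SAMPLE_LOG = """\
Jul 19 03:04:49 ns1 kernel: Connection attempt to UDP 127.0.0.1:512 from
127.0.0.1:52291
Jul 19 03:25:56 ns1 kernel: Connection attempt to UDP
myexternaladdress:52299 from myexternaladdress:53
Jul 19 09:33:11 ns1 kernel: Connection attempt to UDP
myexternaladdress:52316 from myexternaladdress:53
"""
```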
