Cable Forum > Virgin Media Services > Virgin Media Internet Services

Great increase in activity on port 53
08-02-2007, 18:27   #1
zebulebu

I'm on Telewest and have seen a huge increase in the past month or so in traffic to port 53 from Chinese IP addresses.

I always had this in the past, and wasn't overly concerned, as it seemed to be just part of the regular background noise of the net (I presumed it was automated tools looking for unprotected DNS servers, attempting to force a zone transfer).

However, in the past month or so, I have gone from seeing an average of around 10 per hour to almost 200. They all take the same basic form (four or five knocks on UDP port 53 initiated from a random high port, followed by three or four to TCP 53 initiated from a lower, but seemingly still random, series of ports), e.g.:

61.135.158.211 - 62383 - 53 - UDP
61.135.158.211 - 62383 - 53 - UDP
61.135.158.211 - 62383 - 53 - UDP
61.135.158.211 - 62383 - 53 - UDP
61.135.158.211 - 62383 - 53 - UDP
61.135.158.211 - 2288 - 53 - TCP
61.135.158.211 - 2310 - 53 - TCP
61.135.158.211 - 2341 - 53 - TCP
61.135.158.211 - 4020 - 53 - TCP

Lookups indicate that all the offenders are Chinese boxes - presumably compromised by something that is running automated scans.

Should I be overly concerned about this?

I contacted Telewest, who couldn't give a monkey's, and just chastened me for running a DNS server on my cable line! When I suggested that they just take a look at my logs and block the (obviously compromised) boxes that are trying to connect to me, they again scoffed at the idea.

It does seem odd that there should all of a sudden be so much more activity, especially since I've been scanning newsgroups & the like for a while to see if there are any new vulnerabilities I should be wary of.

Thanks, in advance

PS: I am aware of the DDoS attempt on the root servers yesterday - sure it's nothing to do with that though as it's been going on for a month or so now.

08-02-2007, 19:56   #2
awibble

If you're not running a DNS server I wouldn't worry about it too much; if you saw some of the server logs I see on a daily basis, there's always background noise on the internet. If you really want to do something, keep all the logs and report it to the ISP that owns the IP addresses.

08-02-2007, 20:01   #3
rikur

Are you running a DNS server?

It is normal for the source port to be pseudo random, that's how IP generally works.

If you are running a DNS server, what are the queries being sent? Or is it just a connection with no query?

08-02-2007, 20:19   #4
zebulebu

Cheers fellas

Yes, I am running a DNS server - internal only for my domain, forwarding to Telewest's for upstream resolution.

The scans appear to just be connection attempts - there's no query.

I know how DNS works (I work in IT) and am fully aware of the regular background noise. It's just that I only used to see an average of around 10 an hour - which meant connection/recon attempts to port 53 came below messenger spam, Slammer activity, NetBIOS enum attempts and even knocks looking for open VNC servers on 5900. However, I've gone from around 10 an hour in December to well over 200 now.

Also, all of them are from Chinese IP addresses - obviously something is being bounced off them or they've been compromised - so reporting owt to their abuse addresses wouldn't solve anything.

Since I AM running a DNS server, but not seeing anything get through, I'm worried that someone has managed to footprint me somehow without me noticing and is now making a concerted effort to hack me. I'm planning on pulling my network tomorrow for a few hours and just sticking a box on the other end of the line and running Ethereal to see what I can capture. This is one of the main reasons I made an earlier post enquiring about the possibility of running two routers off the same modem - one that I run my regular stuff through and one that I can use for traffic analysis.

What I might do is stick a hub in front of my exterior router and sniff the traffic using a machine hanging off that - i.e. before it gets to my 'real' network. Only thing with that is that I'm a bit paranoid about someone compromising the sniffer and using it as a platform to launch further attacks on my LAN from.

10-02-2007, 00:22   #5
The Jackal

LOL funny thread.

Drop the packets and be done with it.

Also since you work in IT you should be aware not to advertise an open DNS server, check your lamers log too.

10-02-2007, 00:46   #6
zebulebu

Quote:
Originally Posted by CrC-3rr0r
> LOL funny thread.
>
> Drop the packets and be done with it.
>
> Also since you work in IT you should be aware not to advertise an open DNS server, check your lamers log too.

Who said it was an open DNS server?

It isn't

10-02-2007, 00:49   #7
The Jackal

Quote:
Originally Posted by zebulebu
> Who said it was an open DNS server?
>
> It isn't

Suggestions.

What type of nameserver is it? Windows? ISC? If it's a proper ISC named then post me the named.conf and I'll fix it for you.

If it's Windows I'll leave you to your devices.

10-02-2007, 00:58   #8
zebulebu

S'OK - I've figured out what it was anyhoo. Stuck a box outside the firewall this afternoon and captured the traffic - looks like it's just noise (no queries made, just knocks).

Just seemed a bit strange that the activity should jump so quickly - and seem so concerted, all coming from one place.

10-02-2007, 01:05   #9
The Jackal

Quote:
Originally Posted by zebulebu
> S'OK - I've figured out what it was anyhoo. Stuck a box outside the firewall this afternoon and captured the traffic - looks like it's just noise (no queries made, just knocks)

? ?

What are you capturing the packets with? A UDP query to a nameserver should be a full packet unlike a TCP/IP connection state and so you should have got the full query.

10-02-2007, 01:10   #10
zebulebu

Just running Wireshark on a box and capturing the packets as they hit the WAN interface of the router.

The packets showed no query - like I said earlier, they all took the form of a series of TCP SYN packets sent to port 53 - however, looks like I was misreading the logs, as there weren't any UDP scans concurrent with them (my bad).
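
Added example, not part of the thread or any poster's code: one way to check whether captured port-53 traffic carries a DNS query at all, and whether that query is a zone transfer (AXFR) request, which is the distinction posts #9 and #10 turn on. It assumes the payload bytes have already been exported from the capture (for TCP, the reassembled stream); the function names and sample packets are constructed for illustration.

```python
import struct

AXFR = 252  # QTYPE value for a full zone transfer request

def parse_question(msg: bytes):
    """Return (qname, qtype) for a well-formed DNS query, else None."""
    if len(msg) < 12:                          # fixed DNS header is 12 bytes
        return None
    _txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if flags & 0x8000 or qdcount < 1:          # QR bit set means a response
        return None
    labels, pos = [], 12
    while pos < len(msg) and msg[pos] != 0:    # walk length-prefixed labels
        length = msg[pos]
        if length > 63 or pos + 1 + length > len(msg):
            return None                        # pointer or truncated label
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    if pos + 5 > len(msg):                     # root byte + QTYPE + QCLASS
        return None
    qtype, _qclass = struct.unpack("!HH", msg[pos + 1:pos + 5])
    return ".".join(labels) or ".", qtype

def classify(proto: str, payload: bytes):
    """Classify one packet sent to port 53 as knock, junk, query or axfr."""
    if not payload:
        return ("knock", None)                 # e.g. a bare TCP SYN, no data
    if proto == "tcp":                         # DNS over TCP: 2-byte length prefix
        if len(payload) < 2:
            return ("junk", None)
        (declared,) = struct.unpack("!H", payload[:2])
        payload = payload[2:2 + declared]
    question = parse_question(payload)
    if question is None:
        return ("junk", None)
    qname, qtype = question
    return ("axfr" if qtype == AXFR else "query", qname)

def build_query(name: str, qtype: int) -> bytes:
    """Constructed sample input: a minimal one-question DNS query."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

if __name__ == "__main__":
    axfr = build_query("example.test", AXFR)
    samples = [("tcp", b""), ("udp", build_query("example.test", 1)),
               ("tcp", struct.pack("!H", len(axfr)) + axfr), ("udp", b"\x00" * 5)]
    for proto, data in samples:
        print(proto, len(data), classify(proto, data))
```

A firewall log in the `address - source port - 53 - protocol` form shown in the first post has no payload field, so this check needs a packet capture rather than the log alone.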

10-02-2007, 01:15   #11
The Jackal

Not to worry - as I said previously, 'drop all the packets' - don't worry yourself as no one is going to be interested.

10-02-2007, 01:39   #12
zebulebu

LOL - cheers, guess I'm just being paranoid.

BTW - what's lamers.log - is that a BIND thing?

Can't you just tell I'm a Windoze kid...