News: This forum is now permanently frozen.
Topic: What can be done against massive DNS port scan ?  (Read 1219 times)
« on: August 05, 2014, 10:36:12 »
jstrebel *
Posts: 31

Hi,
This m0n0wall (1.8.1) is under a massive DNS scan. I determined that it sometimes reaches up to 50 scans per second.
The issue I have is that this scan produces significant uplink traffic on the relatively slow ADSL uplink. Sometimes it gets congested. This was resulting in buffer overflow messages in the log file.
Q: Is there any danger for monowall ?
Is there anything we can do?

Thanks for your help
Jakob

Log of this scan:
09:05:44.686179   WAN   147.237.72.182, port 59203   217.193.x.x, port 53   UDP
09:05:41.764087   WAN   147.237.72.77, port 56501   217.193.x.x, port 53   UDP
09:05:39.067656   WAN   147.237.72.36, port 1878   217.193.x.x, port 53   UDP
09:05:34.644158   WAN   147.237.72.215, port 49345   217.193.x.x, port 53   UDP
09:05:31.605097   WAN   147.237.72.228, port 42830   217.193.x.x, port 53   UDP
09:05:31.099089   WAN   147.237.72.58, port 59761   217.193.x.x, port 53   UDP
09:05:29.730911   WAN   147.237.72.59, port 46621   217.193.x.x, port 53   UDP
09:05:24.682200   WAN   147.237.72.147, port 57283   217.193.x.x, port 53   UDP
09:05:22.832662   WAN   147.237.72.9, port 36979   217.193.x.x, port 53   UDP
09:05:12.290071   WAN   147.237.72.253, port 35844   217.193.x.x, port 53   UDP
09:05:12.107540   WAN   147.237.72.97, port 6656   217.193.x.x, port 53   UDP
09:05:07.141826   WAN   147.237.72.71, port 57737   217.193.x.x, port 53   UDP
09:05:01.422551   WAN   147.237.72.214, port 58256   217.193.x.x, port 53   UDP
09:05:00.401463   WAN   147.237.72.13, port 29356   217.193.x.x, port 53   UDP
09:05:00.134915   WAN   147.237.72.244, port 30678   217.193.x.x, port 53   UDP
« Last Edit: August 05, 2014, 12:37:33 by jstrebel »
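The posted log excerpt is enough to do the two things a practitioner would want before talking to the upstream: measure the actual packet rate against port 53 and check whether the sources concentrate in a single prefix that the provider could filter. The script below is an added example and not part of the thread or of m0n0wall; it parses the log format exactly as posted (the masked destination "217.193.x.x" is kept as a string), the sample lines are a copy of the fifteen from the post, and the 1-second window, the /24 grouping and the 10 packets/second threshold are my own assumptions.

```python
"""Rate and source analysis of a m0n0wall-style firewall log excerpt.

Added example; not code from the original thread or from m0n0wall.
"""
import ipaddress
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed copy of the 15 lines quoted in the post. The destination is
# kept masked as "217.193.x.x" exactly as posted, so it is parsed as a string.
SAMPLE_LOG = """\
09:05:44.686179   WAN   147.237.72.182, port 59203   217.193.x.x, port 53   UDP
09:05:41.764087   WAN   147.237.72.77, port 56501   217.193.x.x, port 53   UDP
09:05:39.067656   WAN   147.237.72.36, port 1878   217.193.x.x, port 53   UDP
09:05:34.644158   WAN   147.237.72.215, port 49345   217.193.x.x, port 53   UDP
09:05:31.605097   WAN   147.237.72.228, port 42830   217.193.x.x, port 53   UDP
09:05:31.099089   WAN   147.237.72.58, port 59761   217.193.x.x, port 53   UDP
09:05:29.730911   WAN   147.237.72.59, port 46621   217.193.x.x, port 53   UDP
09:05:24.682200   WAN   147.237.72.147, port 57283   217.193.x.x, port 53   UDP
09:05:22.832662   WAN   147.237.72.9, port 36979   217.193.x.x, port 53   UDP
09:05:12.290071   WAN   147.237.72.253, port 35844   217.193.x.x, port 53   UDP
09:05:12.107540   WAN   147.237.72.97, port 6656   217.193.x.x, port 53   UDP
09:05:07.141826   WAN   147.237.72.71, port 57737   217.193.x.x, port 53   UDP
09:05:01.422551   WAN   147.237.72.214, port 58256   217.193.x.x, port 53   UDP
09:05:00.401463   WAN   147.237.72.13, port 29356   217.193.x.x, port 53   UDP
09:05:00.134915   WAN   147.237.72.244, port 30678   217.193.x.x, port 53   UDP
"""

# Matches: "<time>   <iface>   <src>, port <sport>   <dst>, port <dport>   <proto>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6})\s+(?P<iface>\S+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+), port (?P<sport>\d+)\s+"
    r"(?P<dst>\S+), port (?P<dport>\d+)\s+(?P<proto>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%H:%M:%S.%f"),
            "iface": m["iface"],
            "src": ipaddress.ip_address(m["src"]),
            "sport": int(m["sport"]),
            "dst": m["dst"],
            "dport": int(m["dport"]),
            "proto": m["proto"],
        })
    return events


def dns_probes(events):
    """Keep only inbound WAN UDP packets aimed at port 53."""
    return [e for e in events
            if e["iface"] == "WAN" and e["proto"] == "UDP" and e["dport"] == 53]


def peak_rate(events, window=timedelta(seconds=1)):
    """Largest number of events inside any sliding window (default 1 second)."""
    times = sorted(e["ts"] for e in events)
    best, start = 0, 0
    for end, t in enumerate(times):
        while times[start] < t - window:   # drop events older than the window
            start += 1
        best = max(best, end - start + 1)
    return best


def source_summary(events, prefixlen=24):
    """Group sources by prefix (assumed /24) and report how concentrated they are."""
    by_prefix = Counter(
        ipaddress.ip_network(f"{e['src']}/{prefixlen}", strict=False) for e in events
    )
    top, hits = by_prefix.most_common(1)[0]
    return {
        "packets": len(events),
        "distinct_sources": len({e["src"] for e in events}),
        "distinct_sports": len({e["sport"] for e in events}),
        "top_prefix": str(top),
        "top_prefix_share": hits / len(events),
    }


def classify(events, rate_threshold=10, share_threshold=0.9):
    """Assumed decision rule: is this a flood, and is it from one filterable prefix?

    Note that with UDP the sources may be forged, so a single dominant prefix
    tells the upstream what to filter but not who is really sending.
    """
    probes = dns_probes(events)
    if not probes:
        return "no-dns-probes"
    summary = source_summary(probes)
    if peak_rate(probes) >= rate_threshold:
        kind = "flood"
    else:
        kind = "low-rate"
    if summary["top_prefix_share"] >= share_threshold:
        return f"{kind}:single-prefix:{summary['top_prefix']}"
    return f"{kind}:distributed"


if __name__ == "__main__":
    ev = dns_probes(parse_log(SAMPLE_LOG))
    print("probes:", len(ev), "peak/s:", peak_rate(ev))
    print(source_summary(ev))
    print(classify(parse_log(SAMPLE_LOG)))
```

On the fifteen lines as posted the peak is two packets in any one second and every source sits in 147.237.72.0/24 with a distinct last octet and a distinct source port, so the excerpt alone does not show the 50/s figure; run it over a full log dump to get the numbers to hand the provider, and treat the prefix as the thing to filter rather than as proof of who is behind it.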
« Reply #1 on: August 05, 2014, 16:46:06 »
Fred Grayson *****
Posts: 994

I don't think there is anything you can do with m0n0wall that will mitigate this attack. If you aren't running a DNS server that requires public access from the WAN you should contact your upstream provider and have them filter this out for you. That will keep this traffic off your link.

--
Google is your friend and Bob's your uncle.
« Reply #2 on: August 05, 2014, 17:29:07 »
Lee Sharp *****
Posts: 517

You might want to ask why the Israeli government is attacking you. :)

Assuming you are not in Israel, have the upstream filter that entire ASN. You can mitigate the impact by NATing that port to an unused IP so there is no response like what a "Block" gives.
« Reply #3 on: August 05, 2014, 18:02:27 »
Fred Grayson *****
Posts: 994

Since the type of packet is UDP, it's entirely possible the source address is forged, as no handshake with the originator, regardless of the source, is required to send these packets.

--
Google is your friend and Bob's your uncle.
« Reply #4 on: August 07, 2014, 18:39:49 »
jstrebel *
Posts: 31

Thank you all, was very helpful.