The Community Forums

Interact with an entire community of cPanel & WHM users!

Flood UDP on port 53

Discussion in 'General Discussion' started by danyb, Feb 16, 2006.

  1. danyb

    danyb Member
    PartnerNOC

    Joined:
    Jan 22, 2006
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    Hi,

    WHM DNS Cluster
    WHM 10.8.0 cPanel 10.8.1-S114
    CentOS 3.6 i686

    On our machine we have installed IPTRAF (http://iptraf.seul.org/) to monitor our IP network, but for a few days we have been the victim of a massive UDP flood on port 53. The IPTRAF logs show (X is the attacker, Y is our IP):

    Thu Feb 16 07:12:00 2006; UDP; eth2; 68 bytes; from XXX.XXX.XXX.XXX:36929 to YYY.YYY.YYY.155:53
    Thu Feb 16 07:12:00 2006; UDP; eth2; 68 bytes; from XXX.XXX.XXX.XXX:59239 to YYY.YYY.YYY.10:53
    Thu Feb 16 07:12:00 2006; UDP; eth2; 68 bytes; from XXX.XXX.XXX.XXX:6652 to YYY.YYY.YYY.112:53
    Thu Feb 16 07:12:00 2006; UDP; eth2; 68 bytes; from XXX.XXX.XXX.XXX:3453 to YYY.YYY.YYY.137:53
    Thu Feb 16 07:12:00 2006; UDP; eth2; 68 bytes; from XXX.XXX.XXX.XXX:36763 to YYY.YYY.YYY.113:53
    Thu Feb 16 07:12:00 2006; UDP; eth2; 68 bytes; from XXX.XXX.XXX.XXX:29403 to YYY.YYY.YYY.11:53
    Thu Feb 16 07:12:00 2006; UDP; eth2; 68 bytes; from XXX.XXX.XXX.XXX:37611 to YYY.YYY.YYY.143:53

    We have thousands and thousands of these lines PER SECOND; when it happens, our link gets full and unreachable, and the ping reply reaches 1200 ms. Named on each server becomes the most-used process (top command).

    We have tried a few things with iptables, like:

    iptables -A INPUT -i eth2 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -m recent --set --name dns_limit --rsource
    iptables -A INPUT -m recent --rcheck --seconds 60 --hitcount 100 --name dns_limit --rsource -j DROP

    And no success :(

    Does anyone have an idea how to block this kind of attack? We are completely out of ideas right now.

    Thank you very much for your support.
     
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    You should really ask your NOC to block such attacks at the router. Anything you do on the server is going to be of limited use as it's likely to adversely affect performance and is often a moving target.
     
  3. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    7
    Trophy Points:
    0
    Port 53 is how your servers communicate their DNS information and
    since you said that you are running in a DNS Cluster configuration
    then you are naturally going to have a lot of local traffic on that port.

    I personally don't recommend IP monitoring for that particular port as
    there are better ways of sniffing out DNS attacks but if you must use
    basic port monitoring for that then I would whitelist the IP addresses
    from each of your own servers so that their own traffic is ignored.
     
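As an added example (not code from either poster), the following script parses IPTRAF-style lines like the ones danyb posted, skips the cluster peers Spiral suggests whitelisting, and reports sources exceeding a per-second packet count on UDP/53. The log lines, peer addresses and threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the IPTRAF log format shown in the thread (not real traffic).
SAMPLE_LOG = """\
Thu Feb 16 07:12:00 2006; UDP; eth2; 68 bytes; from 198.51.100.7:36929 to 203.0.113.155:53
Thu Feb 16 07:12:00 2006; UDP; eth2; 68 bytes; from 198.51.100.7:59239 to 203.0.113.10:53
Thu Feb 16 07:12:00 2006; UDP; eth2; 68 bytes; from 198.51.100.7:6652 to 203.0.113.112:53
Thu Feb 16 07:12:00 2006; UDP; eth2; 68 bytes; from 203.0.113.10:53 to 203.0.113.155:53
Thu Feb 16 07:12:01 2006; UDP; eth2; 68 bytes; from 198.51.100.7:3453 to 203.0.113.137:53
Thu Feb 16 07:12:01 2006; UDP; eth2; 72 bytes; from 192.0.2.44:40001 to 203.0.113.11:53
"""

# Assumed addresses of our own DNS cluster members; their port-53 traffic is expected.
CLUSTER_PEERS = {"203.0.113.10", "203.0.113.11"}

# One IPTRAF line: "<weekday> <month> <day> <hh:mm:ss> <year>; <proto>; <iface>; <n> bytes; from A:p to B:q"
LINE_RE = re.compile(
    r"^\w{3} \w{3} +\d+ (?P<clock>\d\d:\d\d:\d\d) \d{4}; (?P<proto>\w+); (?P<iface>\w+); "
    r"(?P<bytes>\d+) bytes; from (?P<src>[\d.]+):(?P<sport>\d+) to (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict of fields for one IPTRAF line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def count_dns_hits(log_text, peers=CLUSTER_PEERS):
    """Count UDP packets to port 53 per (source IP, wall-clock second), ignoring cluster peers."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "UDP" or rec["dport"] != "53":
            continue
        if rec["src"] in peers:
            continue  # expected cluster traffic, per the whitelist advice
        hits[(rec["src"], rec["clock"])] += 1
    return hits


def flood_sources(log_text, threshold, peers=CLUSTER_PEERS):
    """Sorted list of sources that sent more than `threshold` UDP/53 packets within one second."""
    counts = count_dns_hits(log_text, peers)
    return sorted({src for (src, _), n in counts.items() if n > threshold})
```

With real IPTRAF output the threshold would be set from the "thousands per second" seen during the flood rather than the tiny sample here, and the flagged sources are the ones to hand to the NOC for blocking at the router.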