Named Tracking hit

[keat63]

I've come in to work this morning to absolutely hundreds of these.

Mar 9 09:27:28 xxxxxx kernel: [4030020.000033] Firewall: *UDP_OUT Blocked* IN= OUT=eth0 SRC=xxx.xxx.xxx.xx DST=54.77.18.96 LEN=88 TOS=0x00 PREC=0x00 TTL=64 ID=1919 PROTO=UDP SPT=40446 DPT=53 LEN=68 UID=25 GID=25
Mar 9 09:27:28 xxxxxx kernel: [4030020.000161] Firewall: *UDP_OUT Blocked* IN= OUT=eth0 SRC=xxx.xxx.xxx.xx DST=54.77.36.154 LEN=88 TOS=0x00 PREC=0x00 TTL=64 ID=16401 PROTO=UDP SPT=48644 DPT=53 LEN=68 UID=25 GID=25

From what I can gather unopened source ports on my server have been trying to connect to port 53 on servers elsewhere.
But why ??

Incidentally, 99% of them seem to be going to 54.x.x.x
IP Lookup would indicate Amazonaws

 

[keat63]

These are continuing evey few minutes.

 

[cPanelMichael]

Hello

Could you elaborate the difference between this and your earlier report? The previous thread is found at:

What is UDP_OUT Blocked in Log

Thank you.

 

[keat63]

The difference between this and my earlier report, is this instance contains thousands of these entries

 

[keat63]

I don't profess to understand any of this stuff, but I ran
netstat -ntu | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

It showed by 3 results, one of which had 11 connections.
I did a quick whois on the IP and it resulted back to CN, so I put a temporary block on CN in CSF.

It's too early to say if this was the cause, but i was seeing these every 5 minutes, Its now been about 30 minutes since, and still watching to see if another one hits.

 

[keat63]

I obviously spoke too soon as they are still coming in, however, not as frequent.

 

[keat63]

Thinking it might be some sort of DNS sppof I checked recursive DNS, but this is reporting as OK.

Good. Your nameservers (the ones reported by the parent server) do not report that they allow recursive queries for anyone.

I'm stumped.

 

[keat63]

After spending countless hours, trying many ssh commands from untold forums etc, I think I may have found this.
It seems that we have a CSF entry 54.77.0.0/16 in a vain attempt to blockout some of these AmazonAWS things we keep seeing.
I'm assuming that 54.77.x.x must also contain a number of DNS servers, and it's these servers that my DNS is unable to talk to because of the firewall rule.

It makes sense I guess, so I removed the rule and will monitor for a few hours.