Many UDP:53 outbound traffic
Posted by EMido, 03-09-2014, 12:54 PM |
Hi all,
OS: CentOS
Services: Apache, MySQL (we had sendmail, but we removed it after this problem started)
We have been facing a problem since last week: the server has a lot of outgoing sessions on UDP 53, and we have many HTTP processes running, which is not normal at all. We only have 3 sites, and they are not loaded that much.
After searching around, I tried checking the processes and lsof -p to see if there were any abnormal scripts or trojans (we use ClamAV to scan).
Any tips on how to find the reason for these many UDP 53 sessions?
Thanks
|
Posted by ovais, 03-09-2014, 01:07 PM |
DNS amplification attack. You should check your DNS server configuration for an open resolver.
For further information: https://www.watchguard.com/infocente...rial/41649.asp
|
Posted by fabin, 03-09-2014, 01:10 PM |
Did you identify which DNS server these packets are going to?
A typical case is that you have a lot of visitors or a mild DDoS on your website. Your website might have some code that needs a domain resolution, which creates DNS traffic to the name servers configured for your server.
|
Posted by EMido, 03-09-2014, 01:16 PM |
The UDP 53 traffic always has my resolv.conf IPs as its destination,
as I am using Google DNS.
Some of my sites' pages allow people to add comments and then send a mail to the admin about the comment (I removed sendmail recently). I think that may be the cause of this traffic; can it be?
|
Posted by fabin, 03-09-2014, 02:27 PM |
I do not think the comment and mailing features create such issues.
Did you check whether DNS recursion is enabled in the DNS server?
If you stop your web service for some time, does the UDP traffic stop?
Also check for the presence of any malicious scripts.
|
Posted by eth00, 03-09-2014, 02:54 PM |
Figuring out what the requests are will really help figure out what is going on.
Are they all *outbound* 53? That means they originate on your server, and something on your server is performing the lookups. DNS is plaintext, and you could fire up tcpdump to take a quick look at the requests. As others have said, it could be a DNS attack, or it could be something simple like a script on your server doing multiple lookups for each user. Knowing what the queries are should help track down the source.
|
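The quick look at the queries that eth00 suggests can be turned into a per-name tally. The script below is an added example (not code from any poster in this thread); it assumes the line format of `tcpdump -nn udp port 53` on Linux and runs here against a constructed sample capture rather than anything from the original poster's server.

```bash
#!/bin/sh
# Added example: tally outbound DNS queries by record type and queried name.
# Input lines are assumed to look like `tcpdump -nn udp port 53` output; the
# sample below is constructed for this example (RFC 5737 addresses), not a
# real capture.
SAMPLE_DNS_LOG='12:54:01.000001 IP 192.0.2.10.40001 > 8.8.8.8.53: 1001+ A? api.wordpress.org. (35)
12:54:01.000500 IP 192.0.2.10.40002 > 8.8.8.8.53: 1002+ A? api.wordpress.org. (35)
12:54:01.001000 IP 192.0.2.10.40003 > 8.8.4.4.53: 1003+ A? gravatar.com. (30)
12:54:01.001500 IP 192.0.2.10.40004 > 8.8.8.8.53: 1004+ A? api.wordpress.org. (35)
12:54:01.002000 IP 8.8.8.8.53 > 192.0.2.10.40001: 1001 1/0/0 A 198.51.100.5 (51)
12:54:01.002500 IP 192.0.2.10.40005 > 8.8.8.8.53: 1005+ AAAA? gravatar.com. (30)'

# Keep only outbound queries: field 5 is the destination "ip.port:" and must end
# in ".53:", field 7 is the query type and ends in "?" (responses do not match).
# Output: "<count> <type> <name>", busiest name first.
tally_dns_queries() {
    awk '$5 ~ /\.53:$/ && $7 ~ /[?]$/ { counts[$7 " " $8]++ }
         END { for (k in counts) print counts[k], k }' | sort -rn
}

# Convenience wrapper: the single most-queried name in the sample.
top_dns_query() {
    printf '%s\n' "$SAMPLE_DNS_LOG" | tally_dns_queries | head -n 1
}

# Run against the constructed sample.
printf '%s\n' "$SAMPLE_DNS_LOG" | tally_dns_queries
```

On a live box the same function takes a bounded capture, for example `tcpdump -nn -c 2000 udp dst port 53 | tally_dns_queries`. The tally shows what is being looked up, not which process asks; to get that, match the ephemeral source port of a query (40001 above) against `ss -unap` or `lsof -i udp` as root while the traffic is happening. A small number of names repeated thousands of times points at application code or a plugin; a long tail of random-looking names is the pattern to worry about.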
Posted by steven99, 03-09-2014, 03:33 PM |
If the port 53 traffic is indeed all outbound, i.e. DNS lookups from the server, it could be Apache trying to do name resolution for its logs via the HostnameLookups setting. Set that to Off in httpd.conf and see if that helps.
As for the many Apache processes running, it might be crawling of the sites / a DoS of the Apache service, and doing:
will help to determine whether there is an IP that has a lot of connections.
|
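The per-IP connection count that steven99 describes can be done from `netstat -tn` output. The script below is an added example of that check, not the command omitted from the post above; it assumes the Linux `netstat -tn` column layout and runs here against a constructed sample rather than the original poster's output.

```bash
#!/bin/sh
# Added example: count ESTABLISHED TCP connections per remote IP, to spot a
# single client tying up many Apache workers. Assumes the Linux `netstat -tn`
# column layout (Proto Recv-Q Send-Q Local Foreign State). The sample is
# constructed for this example (RFC 5737 addresses), not real output.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           203.0.113.7:51234       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.7:51235       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.7:51236       ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.9:44000      ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.7:51237       TIME_WAIT
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:198.51.100.9:44001 ESTABLISHED'

# Only tcp/tcp6 rows in ESTABLISHED state (skips headers, TIME_WAIT and any
# row with an empty address column). Strip the trailing ":port" and the
# IPv4-mapped "::ffff:" prefix so v4 and v6-socket entries for the same client
# are counted together. Output: "<count> <ip>", busiest first.
count_conns_per_ip() {
    awk '($1 == "tcp" || $1 == "tcp6") && $6 == "ESTABLISHED" {
             sub(/:[0-9]+$/, "", $5); sub(/^::ffff:/, "", $5); counts[$5]++
         }
         END { for (ip in counts) print counts[ip], ip }' | sort -rn
}

# Convenience wrapper: the client with the most connections in the sample.
busiest_client() {
    printf '%s\n' "$SAMPLE_NETSTAT" | count_conns_per_ip | head -n 1
}

# Run against the constructed sample.
printf '%s\n' "$SAMPLE_NETSTAT" | count_conns_per_ip
```

Live usage is `netstat -tn | count_conns_per_ip`. Filtering on the state column is what keeps listening sockets and other rows without a proper foreign address out of the count; if you use `ss -tn` instead, note its columns are ordered differently (state first, peer address last), so the field numbers in the awk program need adjusting.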
Posted by EMido, 03-09-2014, 04:46 PM |
fabin: 1) Do you mean the DNS entries in the server's resolv.conf, or my registrar's server?
2) If I stop httpd, the DNS traffic stops.
@eth00: all the sessions have the server as source, UDP :53.
@steven99: HostnameLookups is off in the Apache configuration, and when I try this command it gives the connection IPs, except for one entry that looks like this:
1 xx.xx.xx.xx.xx
4 xxx.xxx.xxx.xx
29
The last entry, without an IP, is the largest one.
I will try the suggestions and update the post soon.
Thanks
I forgot to say that it's a WordPress site.
Last edited by EMido; 03-09-2014 at 04:57 PM.
|