
DoS by my configured DNS servers??



Not sure what is happening but I seem to see these every so often in my logs but not this many in one go!

 

[DoS Attack: TCP/UDP Echo] from source: 1.0.0.1, port 53, Saturday, August 18, 2018 10:38:21
[DoS Attack: TCP/UDP Echo] from source: 8.8.8.8, port 53, Saturday, August 18, 2018 10:38:21
[DoS Attack: TCP/UDP Echo] from source: 1.1.1.1, port 53, Saturday, August 18, 2018 10:38:21
[DoS Attack: TCP/UDP Echo] from source: 1.1.1.1, port 53, Saturday, August 18, 2018 10:38:22
[DoS Attack: TCP/UDP Echo] from source: 1.1.1.1, port 53, Saturday, August 18, 2018 10:38:22
[DoS Attack: TCP/UDP Echo] from source: 1.1.1.1, port 53, Saturday, August 18, 2018 10:38:22
[DoS Attack: TCP/UDP Echo] from source: 1.1.1.1, port 53, Saturday, August 18, 2018 10:38:22
[DoS Attack: TCP/UDP Echo] from source: 1.1.1.1, port 53, Saturday, August 18, 2018 10:38:22
[DoS Attack: TCP/UDP Echo] from source: 1.0.0.1, port 53, Saturday, August 18, 2018 10:38:22
[DoS Attack: TCP/UDP Echo] from source: 8.8.8.8, port 53, Saturday, August 18, 2018 10:38:22
[DoS Attack: TCP/UDP Echo] from source: 8.8.8.8, port 53, Saturday, August 18, 2018 10:38:26
[DoS Attack: TCP/UDP Echo] from source: 1.1.1.1, port 53, Saturday, August 18, 2018 10:38:26
[DoS Attack: TCP/UDP Echo] from source: 1.0.0.1, port 53, Saturday, August 18, 2018 10:38:26
[DoS Attack: TCP/UDP Echo] from source: 1.1.1.1, port 53, Saturday, August 18, 2018 10:38:26
[DoS Attack: TCP/UDP Echo] from source: 8.8.8.8, port 53, Saturday, August 18, 2018 10:38:26
[DoS Attack: TCP/UDP Echo] from source: 8.8.8.8, port 53, Saturday, August 18, 2018 10:38:26
[DoS Attack: TCP/UDP Echo] from source: 1.0.0.1, port 53, Saturday, August 18, 2018 10:38:26
[DoS Attack: TCP/UDP Echo] from source: 1.0.0.1, port 53, Saturday, August 18, 2018 10:38:26
[DoS Attack: TCP/UDP Echo] from source: 1.1.1.1, port 53, Saturday, August 18, 2018 10:38:26
[DoS Attack: TCP/UDP Echo] from source: 1.1.1.1, port 53, Saturday, August 18, 2018 10:38:27
[DoS Attack: TCP/UDP Echo] from source: 8.8.8.8, port 53, Saturday, August 18, 2018 10:38:27
[DoS Attack: TCP/UDP Echo] from source: 8.8.8.8, port 53, Saturday, August 18, 2018 10:38:32
[DoS Attack: TCP/UDP Echo] from source: 8.8.8.8, port 53, Saturday, August 18, 2018 10:38:32
[DoS Attack: TCP/UDP Echo] from source: 8.8.8.8, port 53, Saturday, August 18, 2018 10:38:32
[DoS Attack: TCP/UDP Echo] from source: 1.1.1.1, port 53, Saturday, August 18, 2018 10:38:32
[DoS Attack: TCP/UDP Echo] from source: 8.8.8.8, port 53, Saturday, August 18, 2018 10:38:32
[DoS Attack: TCP/UDP Echo] from source: 1.0.0.1, port 53, Saturday, August 18, 2018 10:38:32
[DoS Attack: TCP/UDP Echo] from source: 1.1.1.1, port 53, Saturday, August 18, 2018 10:38:32
[DoS Attack: TCP/UDP Echo] from source: 1.0.0.1, port 53, Saturday, August 18, 2018 10:38:32
[DoS Attack: TCP/UDP Echo] from source: 1.1.1.1, port 53, Saturday, August 18, 2018 10:38:32
[DoS Attack: TCP/UDP Echo] from source: 1.0.0.1, port 53, Saturday, August 18, 2018 10:38:32
[DoS Attack: TCP/UDP Echo] from source: 1.1.1.1, port 53, Saturday, August 18, 2018 10:38:32
[DoS Attack: TCP/UDP Echo] from source: 1.0.0.1, port 53, Saturday, August 18, 2018 10:38:32
[DoS Attack: TCP/UDP Echo] from source: 1.1.1.1, port 53, Saturday, August 18, 2018 10:38:32
[DoS Attack: TCP/UDP Echo] from source: 8.8.8.8, port 53, Saturday, August 18, 2018 10:38:37
[DoS Attack: TCP/UDP Echo] from source: 8.8.8.8, port 53, Saturday, August 18, 2018 10:38:37
[DoS Attack: TCP/UDP Echo] from source: 1.0.0.1, port 53, Saturday, August 18, 2018 10:38:37
[DoS Attack: TCP/UDP Echo] from source: 1.1.1.1, port 53, Saturday, August 18, 2018 10:38:37
[DoS Attack: TCP/UDP Echo] from source: 1.0.0.1, port 53, Saturday, August 18, 2018 10:38:37
[DoS Attack: TCP/UDP Echo] from source: 1.1.1.1, port 53, Saturday, August 18, 2018 10:38:37
[DoS Attack: TCP/UDP Echo] from source: 1.1.1.1, port 53, Saturday, August 18, 2018 10:38:38
[DoS Attack: TCP/UDP Echo] from source: 1.1.1.1, port 53, Saturday, August 18, 2018 10:38:38
[DoS Attack: TCP/UDP Echo] from source: 8.8.8.8, port 53, Saturday, August 18, 2018 10:38:38
[DoS Attack: TCP/UDP Echo] from source: 1.0.0.1, port 53, Saturday, August 18, 2018 10:38:38
[DoS Attack: TCP/UDP Echo] from source: 1.1.1.1, port 53, Saturday, August 18, 2018 10:38:39
[DoS Attack: TCP/UDP Echo] from source: 8.8.8.8, port 53, Saturday, August 18, 2018 10:38:39
[DoS Attack: TCP/UDP Echo] from source: 1.1.1.1, port 53, Saturday, August 18, 2018 10:38:42
[DoS Attack: TCP/UDP Echo] from source: 1.1.1.1, port 53, Saturday, August 18, 2018 10:38:43
[DoS Attack: TCP/UDP Echo] from source: 8.8.8.8, port 53, Saturday, August 18, 2018 10:38:43
[DoS Attack: TCP/UDP Echo] from source: 8.8.8.8, port 53, Saturday, August 18, 2018 10:38:43
[DoS Attack: TCP/UDP Echo] from source: 1.0.0.1, port 53, Saturday, August 18, 2018 10:38:43
[DoS Attack: TCP/UDP Echo] from source: 1.0.0.1, port 53, Saturday, August 18, 2018 10:38:43
[DoS Attack: TCP/UDP Echo] from source: 1.1.1.1, port 53, Saturday, August 18, 2018 10:38:43
[DoS Attack: TCP/UDP Echo] from source: 1.0.0.1, port 53, Saturday, August 18, 2018 10:38:43
[DoS Attack: TCP/UDP Echo] from source: 8.8.8.8, port 53, Saturday, August 18, 2018 10:38:43
[DoS Attack: TCP/UDP Echo] from source: 1.1.1.1, port 53, Saturday, August 18, 2018 10:38:43
[DoS Attack: TCP/UDP Echo] from source: 8.8.8.8, port 53, Saturday, August 18, 2018 10:38:50
[DoS Attack: TCP/UDP Echo] from source: 1.0.0.1, port 53, Saturday, August 18, 2018 10:38:50
[DoS Attack: TCP/UDP Echo] from source: 1.1.1.1, port 53, Saturday, August 18, 2018 10:38:50
[DoS Attack: TCP/UDP Echo] from source: 1.1.1.1, port 53, Saturday, August 18, 2018 10:38:50
[DoS Attack: TCP/UDP Echo] from source: 1.0.0.1, port 53, Saturday, August 18, 2018 10:38:50
[DoS Attack: TCP/UDP Echo] from source: 8.8.8.8, port 53, Saturday, August 18, 2018 10:38:50
[DoS Attack: TCP/UDP Echo] from source: 1.1.1.1, port 53, Saturday, August 18, 2018 10:38:51
[DoS Attack: TCP/UDP Echo] from source: 8.8.8.8, port 53, Saturday, August 18, 2018 10:38:51
[DoS Attack: TCP/UDP Echo] from source: 8.8.8.8, port 53, Saturday, August 18, 2018 10:38:51
[DoS Attack: TCP/UDP Echo] from source: 1.0.0.1, port 53, Saturday, August 18, 2018 10:38:51
[DoS Attack: TCP/UDP Echo] from source: 1.0.0.1, port 53, Saturday, August 18, 2018 10:38:51
[DoS Attack: TCP/UDP Echo] from source: 8.8.8.8, port 53, Saturday, August 18, 2018 10:38:56
[DoS Attack: TCP/UDP Echo] from source: 8.8.8.8, port 53, Saturday, August 18, 2018 10:38:56
[DoS Attack: TCP/UDP Echo] from source: 1.1.1.1, port 53, Saturday, August 18, 2018 10:38:56
[DoS Attack: TCP/UDP Echo] from source: 8.8.8.8, port 53, Saturday, August 18, 2018 10:38:56
[DoS Attack: TCP/UDP Echo] from source: 1.0.0.1, port 53, Saturday, August 18, 2018 10:38:56
[DoS Attack: TCP/UDP Echo] from source: 1.0.0.1, port 53, Saturday, August 18, 2018 10:38:56
[DoS Attack: TCP/UDP Echo] from source: 1.1.1.1, port 53, Saturday, August 18, 2018 10:38:56
[DoS Attack: TCP/UDP Echo] from source: 1.1.1.1, port 53, Saturday, August 18, 2018 10:38:56
[DoS Attack: TCP/UDP Echo] from source: 1.0.0.1, port 53, Saturday, August 18, 2018 10:38:56
[DoS Attack: TCP/UDP Echo] from source: 1.1.1.1, port 53, Saturday, August 18, 2018 10:38:56
[DoS Attack: TCP/UDP Echo] from source: 8.8.8.8, port 53, Saturday, August 18, 2018 10:38:56
[DoS Attack: TCP/UDP Echo] from source: 1.0.0.1, port 53, Saturday, August 18, 2018 10:38:56
[DoS Attack: TCP/UDP Echo] from source: 8.8.8.8, port 53, Saturday, August 18, 2018 10:39:07
[DoS Attack: TCP/UDP Echo] from source: 8.8.8.8, port 53, Saturday, August 18, 2018 10:39:07
[DoS Attack: TCP/UDP Echo] from source: 1.0.0.1, port 53, Saturday, August 18, 2018 10:39:07
[DoS Attack: TCP/UDP Echo] from source: 1.0.0.1, port 53, Saturday, August 18, 2018 10:39:07
[DoS Attack: TCP/UDP Echo] from source: 1.1.1.1, port 53, Saturday, August 18, 2018 10:39:07
[DoS Attack: TCP/UDP Echo] from source: 1.1.1.1, port 53, Saturday, August 18, 2018 10:39:07
 

Anyone else noticed DoS Attack from their configured DNS servers?

 

Seems like these were DNS responses for DNS requests that were sent from my network. My only assumption is that whatever was sending the DNS requests was not receiving the responses so kept trying, and all the DNS servers were trying to send the responses back???

 

Cheers,


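Added example, not part of the original post or the router's firmware: a triage script over log lines in the format shown above. It assumes the three resolvers from the post are the ones configured on the router, separates port 53 entries from those resolvers (probable DNS replies) from anything else, and groups them into bursts so a retry cadence becomes visible; the sample lines, including the 203.0.113.7 documentation address, are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Assumption: the resolvers configured on the router (the three in the post).
CONFIGURED_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8"}

LINE_RE = re.compile(
    r"\[DoS Attack: [^\]]+\] from source: (?P<src>[\d.]+), "
    r"port (?P<port>\d+), (?P<ts>\w+, \w+ \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})"
)

# Constructed sample in the router's log format; 203.0.113.7 is a documentation address.
SAMPLE_LOG = """\
[DoS Attack: TCP/UDP Echo] from source: 1.0.0.1, port 53, Saturday, August 18, 2018 10:38:21
[DoS Attack: TCP/UDP Echo] from source: 8.8.8.8, port 53, Saturday, August 18, 2018 10:38:21
[DoS Attack: TCP/UDP Echo] from source: 1.1.1.1, port 53, Saturday, August 18, 2018 10:38:22
[DoS Attack: TCP/UDP Echo] from source: 8.8.8.8, port 53, Saturday, August 18, 2018 10:38:26
[DoS Attack: TCP/UDP Echo] from source: 1.1.1.1, port 53, Saturday, August 18, 2018 10:38:27
[DoS Attack: TCP/UDP Echo] from source: 203.0.113.7, port 53, Saturday, August 18, 2018 10:38:27
[DoS Attack: TCP/UDP Echo] from source: 1.0.0.1, port 53, Saturday, August 18, 2018 10:38:32
""".splitlines()

def parse(lines):
    """Yield (source, port, timestamp) for every line matching the log format."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            ts = datetime.strptime(m["ts"], "%A, %B %d, %Y %H:%M:%S")
            yield m["src"], int(m["port"]), ts

def triage(lines, gap_seconds=3):
    """Separate probable DNS replies from other entries and group replies into bursts."""
    replies, other, bursts, last = Counter(), [], [], None
    for src, port, ts in sorted(parse(lines), key=lambda e: e[2]):
        if src in CONFIGURED_RESOLVERS and port == 53:
            replies[src] += 1
            # A new burst starts when the quiet gap exceeds gap_seconds.
            if last is None or (ts - last).total_seconds() > gap_seconds:
                bursts.append([ts, 0])
            bursts[-1][1] += 1
            last = ts
        else:
            other.append((src, port, ts))  # not a configured resolver: review first
    return replies, other, [(start.strftime("%H:%M:%S"), n) for start, n in bursts]

if __name__ == "__main__":
    replies, other, bursts = triage(SAMPLE_LOG)
    print(dict(replies), bursts, other)
```

Bursts that start at a regular interval are consistent with a client on the LAN retransmitting the same queries; anything in the `other` list is worth a packet capture before dismissing the log.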
  • Administrators

Hmm, we usually say to ignore the logs as it’s white noise most of the time, but there’s a pattern here. However, it’s most likely nothing to be concerned about. Could be something perfectly ordinary on your network.

 

I’m afraid I can’t offer any insight beyond what you concluded.

 

I recommend you keep monitoring it to see if it coincides with something you are doing on your network at the same time as that will probably explain the origin.


Port 53 is used by DNS queries and is nothing to be concerned about. With the impending deployment of DNSSEC and the eventual addition of IPv6 we will need to allow our firewalls to forward both TCP and UDP port 53 packets.


Hey BIG__DOG,

 

Thanks for the reply, yep I know DNS uses TCP and UDP port 53, I was just more interested as to why it did what it did in the logs. It seems like whatever on my network was trying to make a DNS request was not receiving the responses back so kept on sending the requests out, and then the router deemed it an attack due to the sheer amount of DNS responses coming back in.

 

If I see it too often I'll start to do some tcp dumps from the router and attached switch to see what is happening.

 

Only other assumption I can assume is that it's something to do with MTU size, I haven't changed the default MTU size of 1500 on the XR500 so should maybe get round to changing it to 1472 as per what I know can be achieved on the VDSL line when pinging the default gateway back to Sky.

 

These issues might explain those tiny red spikes of 'packet loss' I see on the Think Broadband graphs also, I notice you have them also when you posted a link to yours in the shoutbox (I am not stalking you I swear! :D)

 

Cheers,


MTU sizes are normally 1492, which is the usual standard for VDSL, however some ISPs use 1500 (mine, which is TalkTalk). You could try lowering it to 1492 but you should do your homework as to what Sky uses, either by rummaging through their forum or Googling it. As I said though, it could be down to IPv6 issues.


I’ll look around again. When I was testing when I first moved to this new setup I tested up to 1472, after that I wasn’t able to ping websites etc. Don’t think it makes much of a difference as long as applications don’t have the ‘don’t fragment’ enabled, find it unlikely they would but you never know :)
