All,
I looked at my router's system log and noticed two interesting messages:
[ 272.794578] conntrack: generic helper won't handle protocol 47. Please consider loading the specific helper module.
[367924.542265] TCP: request_sock_TCP: Possible SYN flooding on port 53. Sending cookies. Check SNMP counters.
I realized I'm currently under a "small" attack. About 2 p.p.s. are causing my SYN_Flood rules to hit. What's interesting is:
- I don't run any GRE tunnels (most of the Protocol 47 packets are coming from China)
- The only tcp/53 I have open is AMPR DNS (most connections are coming from 104.236.176.72)
Does anyone currently use tcp AXFR to copy 44.IN-ADDR.ARPA. or AMPR.ORG. from me?
73,
- Lynwood KB3VWG
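For anyone wanting to watch for these two kernel messages rather than spotting them by eye: the short Python below is an added example, not something from this thread or from any of the posters. It parses dmesg-style lines for the "Possible SYN flooding on port N" and "conntrack: generic helper won't handle protocol N" messages, and reads the TcpExt Syncookies* counters from a /proc/net/netstat-style excerpt, which is where the "SNMP counters" the kernel refers to are kept. The sample log lines and the netstat excerpt are constructed (modelled on the two messages in the post), and the protocol-number table is a small assumed subset of the IANA numbers.

```python
import re

# Constructed sample kernel log lines, modelled on the two messages quoted in the post.
SAMPLE_DMESG = """\
[  272.794578] conntrack: generic helper won't handle protocol 47. Please consider loading the specific helper module.
[367924.542265] TCP: request_sock_TCP: Possible SYN flooding on port 53. Sending cookies. Check SNMP counters.
[367930.100000] TCP: request_sock_TCP: Possible SYN flooding on port 22. Sending cookies. Check SNMP counters.
"""
# Constructed excerpt of /proc/net/netstat, where the "SNMP counters" the kernel mentions live.
SAMPLE_NETSTAT = """\
TcpExt: SyncookiesSent SyncookiesRecv SyncookiesFailed EmbryonicRsts
TcpExt: 1534 12 3 0
"""

SYN_FLOOD_RE = re.compile(r"Possible SYN flooding on port (\d+)")
CONNTRACK_RE = re.compile(r"conntrack: generic helper won't handle protocol (\d+)")
# IANA protocol numbers for a handful of common protocols (assumed lookup table).
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP"}

def parse_dmesg(text: str) -> list:
    """One structured event per SYN-flood or unhandled-protocol conntrack message."""
    events = []
    for line in text.splitlines():
        if m := SYN_FLOOD_RE.search(line):
            events.append({"kind": "syn_flood", "port": int(m.group(1))})
        elif m := CONNTRACK_RE.search(line):
            proto = int(m.group(1))
            events.append({"kind": "unhandled_proto", "proto": proto,
                           "name": PROTO_NAMES.get(proto, "unknown")})
    return events

def syncookie_counters(netstat_text: str) -> dict:
    """Read TcpExt Syncookies* counters from /proc/net/netstat-style text (name line, then value line)."""
    lines = netstat_text.splitlines()
    for hdr, val in zip(lines, lines[1:]):
        if hdr.startswith("TcpExt:") and val.startswith("TcpExt:"):
            names, values = hdr.split()[1:], val.split()[1:]
            return {n: int(v) for n, v in zip(names, values) if n.startswith("Syncookies")}
    return {}

def summarize(dmesg: str, netstat: str) -> dict:
    """Ports under SYN flood, protocols conntrack could not handle, and cookie counters."""
    events = parse_dmesg(dmesg)
    cnt = syncookie_counters(netstat)
    return {"flooded_ports": sorted({e["port"] for e in events if e["kind"] == "syn_flood"}),
            "unexpected_protocols": sorted({e["name"] for e in events
                                            if e["kind"] == "unhandled_proto"}),
            "cookies_sent": cnt.get("SyncookiesSent", 0),
            "cookies_failed": cnt.get("SyncookiesFailed", 0)}
```

On a live box, feed it the output of `dmesg` and the contents of /proc/net/netstat instead of the constructed samples; a rising SyncookiesSent with SyncookiesFailed staying low means the kernel is absorbing the flood rather than dropping legitimate connections.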
On 27 Jun 2017, at 16:34, lleachii--- via 44Net 44net@hamradio.ucsd.edu wrote:
- I don't run any GRE tunnels (most of the Protocol 47 packets are coming from China)
- The only tcp/53 I have open is AMPR DNS (most connections are coming from 104.236.176.72)
Does anyone currently use tcp AXFR to copy 44.IN-ADDR.ARPA. or AMPR.ORG. from me?
My apologies if this is really obvious, but I hope you are aware that TCP is also used for general DNS queries, not just zone transfers,
Cheers,
Borja EA2EKH
Lynwood,
The question that occurs to me is why do you have your DNS server exposed to the network when likely no one is using it? It's not listed in the NS records for the zones and so the only way to make use of your server is to explicitly configure it as a server (in resolv.conf or its equivalent), which, excuse me, I doubt very many people have done.
- Brian
On Tue, Jun 27, 2017 at 05:01:53PM +0200, Borja Marcos wrote:
On 27 Jun 2017, at 16:34, lleachii--- via 44Net 44net@hamradio.ucsd.edu wrote:
- I don't run any GRE tunnels (most of the Protocol 47 packets are coming from China)
- The only tcp/53 I have open is AMPR DNS (most connections are coming from 104.236.176.72)
Does anyone currently use tcp AXFR to copy 44.IN-ADDR.ARPA. or AMPR.ORG. from me?
My apologies if this is really obvious, but I hope you are aware that TCP is also used for general DNS queries, not just zone transfers,
Cheers,
Borja EA2EKH
Brian,
The question that occurs to me is why do you have your DNS server exposed to the network when likely no one is using it?
Actually, I have quite a few nodes using the DNS services. It was in use so much that I coordinated with N1URO to make sure another DNS server was available on the East Coast. It's been in use since I stood up 44.60.44.3 as a DNS many years ago. In addition, some of those nodes use DNS TCP for requests. It's only accessible to 44/8, and TCP to all. NTP is also widely used here.
but I hope you are aware that TCP is also used for general DNS queries, not just zone transfers
Borja,
Very true; I had reason to believe it may have been a zone transfer. I'm inquiring about any DNS requests via TCP, though, to be clear.
Thanks,
- KB3VWG
On 06/27/2017 11:06 AM, Brian Kantor wrote:
It's not listed in the NS records for the zones and so the only way to make use of your server is to explicitly configure it as a server (in resolv.conf or its equivalent), which, excuse me, I doubt very many people have done.