27 Jun
2017
27 Jun
'17
3:34 p.m.
All,
I looked at my router's system log and noticed two interesting messages:
[ 272.794578] conntrack: generic helper won't
handle protocol 47.
Please consider loading the specific helper module.
[367924.542265] TCP: request_sock_TCP: Possible SYN
flooding on port
53. Sending cookies. Check SNMP counters.
I realized I'm currently under a
"small" attack. About 2 p.p.s. are
causing my SYN_Flood rules to hit. What's interesting is:
- I don't run any GRE tunnels (most of the Protocol 47 packets are
coming from China)
- The only tcp/53 I have open is AMPR DNS (most connections are coming
from 104.236.176.72)
Does anyone currently use tcp AXFR to copy 44.IN-ADDR.ARPA. or AMPR.ORG.
from me?
73,
- Lynwood
KB3VWG
27 Jun
27 Jun
4:01 p.m.
On 27 Jun 2017, at 16:34, lleachii--- via 44Net
<44net(a)hamradio.ucsd.edu> wrote:
- I don't run any GRE tunnels (most of the Protocol 47 packets are coming from
China)
- The only tcp/53 I have open is AMPR DNS (most connections are coming from
104.236.176.72)
Does anyone currently use tcp AXFR to copy 44.IN-ADDR.ARPA. or AMPR.ORG. from me?
My apologies if this is really obvious, but I hope you are aware that TCP is also used for
general DNS queries, not just
zone transfers,
Cheers,
Borja EA2EKH
4:06 p.m.
Lynwood,
The question that occurs to me is why do you have your DNS server exposed
to the network when likely no one is using it? It's not listed in the NS
records for the zones and so the only way to make use of your server is
to explicitly configure it as a server (in resolv.conf or its equivalent),
which, excuse me, I doubt very many people have done.
- Brian
On Tue, Jun 27, 2017 at 05:01:53PM +0200, Borja Marcos wrote:
On 27 Jun
2017, at 16:34, lleachii--- via 44Net <44net(a)hamradio.ucsd.edu> wrote:
- I don't run any GRE tunnels (most of the Protocol 47 packets are coming from
China)
- The only tcp/53 I have open is AMPR DNS (most connections are coming from
104.236.176.72)
Does anyone currently use tcp AXFR to copy 44.IN-ADDR.ARPA. or AMPR.ORG. from me?
My apologies if this is really obvious, but I hope you are aware that TCP is also used for
general DNS queries, not just
zone transfers,
Cheers,
Borja EA2EKH
5:58 p.m.
Brian.
The question that occurs to me is why do you have your
DNS server exposed
to the network when likely no one is using it?
Actually, I have quite a few nodes
using the DNS services, it was in use
so much, that I coordinated with N1URO to make sure another DNS server
was available on the East Coast. It's been in use since I stood up
44.60.44.3 as a DNS many years ago. In addition, some of those nodes use
DNS TCP for requests. It's only accessible to 44/8 and TCP to all. NTP
is also widely used here.
but I hope you are aware that TCP is also used for
general DNS queries, not just
zone transfers
Borja,
Very true, I had reason to believe it may have been a zone transfer. I'm
inquiring about any DNS requests via TCP, though, to be clear.
Thanks,
- KB3VWG
On 06/27/2017 11:06 AM, Brian Kantor wrote:
It's not listed in the NS
records for the zones and so the only way to make use of your server is
to explicitly configure it as a server (in resolv.conf or its equivalent),
which, excuse me, I doubt very many people have done.
2501
days inactive
2501
days old
3 comments
3 participants
participants (3)
-
Borja Marcos -
Brian Kantor -
lleachii@aol.com