[unisog] odd traffic on udp 53 (variation on thread)

Adam Getchell AdamG at hrrm.ucdavis.edu
Mon Oct 20 21:25:01 GMT 2003


I saw this a month ago for one of my dnscaches. I had originally increased
UDP session timeouts to 2700 seconds for AFS connectivity. Then one of my
dnscaches started sending out ~ 5000 requests every few minutes, which
pushed my state table on the firewall to well over 100,000 in a few minutes.

I had to throttle down UDP established timeouts on the firewall, and ended
up configuring a firewall on the DNS Server (OpenBSD + dnscache + pf). The
problem seemed to subside after a few weeks, but I'll be rebuilding my DNS
servers soon.

I'm interested in hearing other instances of this; for awhile I thought I
was the only one.

Adam Getchell			AdamG at hrrm.ucdavis.edu
System Architect/Programmer	(530) 752-1584
Human Resources			http://www.hr.ucdavis.edu/
"Invincibility is in oneself, vulnerability in the opponent." -- Sun Tzu


-----Original Message-----
From: Clarke Morledge [mailto:chmorl at wm.edu] 
Sent: Friday, October 17, 2003 8:24 PM
To: unisog at sans.org
Subject: Re: [unisog] odd traffic on udp 53 (variation on thread)

I don't think I've got the same thing going on udp port 53, but I am seeing
some awfully weird stuff with DNS.

We are seeing huge spikes of DNS queries from our official campus DNS
servers querying other DNS servers upstream.   From several hundred DNS
queries every 10 to 30 minutes or so to around 10,000 or more during the
same time period.  The sheer quantity bothers me.  These DNS storms last
about an hour before they die off.

But the most annoying part is that they are DoS'ing my PIX firewall.  The
huge surge of UDP "connections" burns up all of the resources on the PIX
-- pegging the CPU (running PIX version 6.3).

Is anybody seeing anything like this?

Clarke Morledge
College of William and Mary
Information Technology - Network Engineering Jones Hall (Room 18)
Williamsburg VA 23187
chmorl at wm.edu

On Wed, 8 Oct 2003, Gerry Sneeringer wrote:

> On Wed, 8 Oct 2003, Russell Fulton wrote:
> > Hi All,
> > 	Over the last few days I've spotted three or four systems doing 
> > lots of traffic on udp port 53.  My first thought was that this was 
> > some worm or trojan doing DNS lookups to find MX records (like 
> > sobig-f).  This turn out not to be the case (well at least NAV 
> > failed to find any evidence of infection).  The all the packets I 
> > observed carry bytes of data (NULLs in the few packets I captured).  
> > There are also lots of packets being sent to on udp 30467,
again 8 bytes of data.
> >
> > Occasionally we see small incoming udp packets to this machine.
> >
> > My best guess now is that is some sort of p2p protocol and the users 
> > are being coy with us because they know that their use is against 
> > university policy (unless they can convince us that the they are not 
> > breaching anyone's copyright(.
> >
> > Anyone got any ideas?
> >
> > Below are various relevant bits of data about the system and the 
> > traffic.
> Earthstation5 (www.earthstation5.com) boasts about the ability to use 
> the DNS and NTP UDP ports to thrwart University network 
> administrators.
> -Gerry
> ---
> Gerry Sneeringer, CISSP
> IT Security Officer
> University of Maryland

More information about the unisog mailing list