-
10-24-2010, 12:19 PM #1Disabled
- Join Date
- May 2003
- Location
- behind your business
- Posts
- 70
Massive outgoing UDP traffic port 53
In recent days I have received a massive increase in outgoing UDP traffic on port 53. My server connection is going very slow.
How do we resolve the problem?
Should we block outgoing UDP port 53 requests? What's the implication?
FYI, this is a cPanel server with an external DNS server.
Your advice will be greatly appreciated.
Thank you very much.
-
10-24-2010, 02:23 PM #2Newbie
- Join Date
- Oct 2010
- Posts
- 11
You can try closing port 53. You can also try to optimize the software that is using that port.
-
10-24-2010, 03:00 PM #3Web Hosting Guru
- Join Date
- Nov 2003
- Location
- Kherson, Ukraine
- Posts
- 267
First of all you need to find what the source of the traffic is.
Try something like
netstat -a -n -p | grep :53
-
10-24-2010, 08:11 PM #4Web Hosting Master
- Join Date
- Nov 2005
- Location
- /etc/fstab
- Posts
- 1,342
It looks like someone is running a UDP flood from your server. You should try checking the netstat value and filtering the active processes to understand who is doing this.
-
10-24-2010, 09:30 PM #5Web Hosting Master
- Join Date
- Mar 2003
- Location
- Canada
- Posts
- 9,072
-
10-24-2010, 11:58 PM #6******* Unleaded
- Join Date
- Feb 2004
- Posts
- 3,849
-
10-25-2010, 12:13 AM #7WHT Addict
- Join Date
- Apr 2010
- Posts
- 123
In this case, the first thing to be done is to check the netstat output and find the source of the connections through port 53.
-
10-25-2010, 12:26 PM #8Junior Guru
- Join Date
- Jul 2009
- Posts
- 240
Seems like the advice is reverse troubleshooting.
Why don't you find out first what's using that port? Traditionally, port 53 UDP is DNS queries. So you said you are using external DNS servers, but you may have enabled recursion on your system (BIND, I'm assuming) and now people are using you as a free DNS server. Try setting it to listen on 127.0.0.1 or, better yet, disable BIND. A quick netstat -ap should show you which program is using that port.
-
10-26-2010, 02:37 AM #9Disabled
- Join Date
- May 2003
- Location
- behind your business
- Posts
- 70
BIND has been disabled since I am using external DNS.
It seems someone is running a UDP flood from my server.
# lsof -i UDP:53
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
httpd 15014 nobody 364u IPv4 10423569 UDP myhostname:57070->xxx.xxx.xxx.xxx:domain
httpd 19780 nobody 364u IPv4 10423572 UDP myhostname:22285->xxx.xxx.xxx.xxx:domain
How to find out who is abusing my server?
-
11-02-2010, 11:18 PM #10Web Hosting Master
- Join Date
- May 2005
- Location
- Bay Area
- Posts
- 1,211
-
11-03-2010, 06:32 PM #11Hosting provider
- Join Date
- May 2002
- Location
- Moscow
- Posts
- 1,602
ps auxwwww | grep 15014 or 19780 may show you the path to the malicious script.
PS. If you are using external DNS, blocking the outgoing port 53 shall not break your DNS.
-
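On the original question of blocking outgoing port 53, an added example (not posted by anyone in this thread): rather than a blanket block, allow DNS only to the resolvers the server is configured to use, and log and drop the rest. The function names and the sample resolv.conf are constructed for illustration; the script only prints the iptables commands for review.

```sh
# Added example (not from the thread): generate an egress policy that keeps
# DNS working for the server's own resolvers and drops everything else on 53.
# It only prints the commands so they can be reviewed before being applied.

# Constructed sample resolv.conf; addresses are documentation ranges.
sample_resolv_conf() {
cat <<'EOF'
# constructed example
search example.com
nameserver 192.0.2.53
nameserver 2001:db8::53
EOF
}

# Reads resolv.conf-format text on stdin, prints iptables/ip6tables commands.
dns_egress_rules() {
    servers=$(awk '$1 == "nameserver" { print $2 }')
    # Without a known resolver the DROP rules would cut off all lookups.
    if [ -z "$servers" ]; then
        echo "no nameserver entries found, not generating rules" >&2
        return 1
    fi
    for ns in $servers; do
        # IPv6 resolvers need ip6tables; everything else goes to iptables.
        case "$ns" in *:*) cmd=ip6tables ;; *) cmd=iptables ;; esac
        for proto in udp tcp; do
            echo "$cmd -A OUTPUT -p $proto -d $ns --dport 53 -j ACCEPT"
        done
    done
    # Anything else leaving for port 53 is logged (rate limited, with the
    # sending UID, e.g. the web server user) and then dropped.
    for cmd in iptables ip6tables; do
        for proto in udp tcp; do
            echo "$cmd -A OUTPUT -p $proto --dport 53 -m limit --limit 6/min -j LOG --log-prefix \"DNS-EGRESS \" --log-uid"
            echo "$cmd -A OUTPUT -p $proto --dport 53 -j DROP"
        done
    done
}

# Demo on the constructed sample; on a real host: dns_egress_rules < /etc/resolv.conf
sample_resolv_conf | dns_egress_rules
```

If /etc/resolv.conf points at a local caching resolver (127.0.0.1), that resolver's own upstream queries also leave on port 53 and would need their own ACCEPT rule.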
11-03-2010, 10:49 PM #12Aspiring Evangelist
- Join Date
- Mar 2009
- Location
- /home/khunj
- Posts
- 433
Use lsof:
Code:
lsof -p PID
-
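The lsof, ps and lsof -p steps from the replies above, put together as an added example (not posted by anyone in this thread): it summarises which processes hold outgoing sockets to port 53 and then prints the binary, working directory and command line of a PID from /proc. The function names and the sample lsof output are constructed; the remote addresses are documentation ranges, not the ones masked in the thread.

```sh
# Added example (not from the thread): summarise which processes hold
# outgoing sockets to port 53, then look at each one under /proc.

# Constructed sample in the column layout of the lsof output posted above;
# PIDs are the ones from the thread, remote addresses are documentation ranges.
sample_lsof() {
cat <<'EOF'
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
httpd 15014 nobody 364u IPv4 10423569 UDP myhostname:57070->198.51.100.7:domain
httpd 15014 nobody 365u IPv4 10423570 UDP myhostname:57071->198.51.100.9:domain
httpd 15014 nobody 366u IPv4 10423571 UDP myhostname:57072->198.51.100.7:domain
httpd 19780 nobody 364u IPv4 10423572 UDP myhostname:22285->198.51.100.7:domain
named 2201 named 20u IPv4 8841 UDP *:domain
EOF
}

# stdin: lsof -i UDP:53 output. stdout: "PID COMMAND USER sockets remotes",
# one line per process, counting only sockets with a remote end ("->").
dns_socket_owners() {
    awk '$NF ~ /->/ {
             split($NF, ends, "->")
             key = $2 " " $1 " " $3
             socks[key]++
             if (!((key, ends[2]) in seen)) { seen[key, ends[2]] = 1; remotes[key]++ }
         }
         END { for (k in socks) print k, socks[k], remotes[k] }' | sort -n
}

# Print what the kernel knows about one PID: binary, working directory, argv.
inspect_pid() {
    pid=$1
    if [ ! -d "/proc/$pid" ]; then
        echo "pid $pid: not running (short-lived processes need repeated sampling)"
        return 0
    fi
    echo "pid $pid exe: $(readlink "/proc/$pid/exe" 2>/dev/null)"
    echo "pid $pid cwd: $(readlink "/proc/$pid/cwd" 2>/dev/null)"
    echo "pid $pid cmd: $(tr '\0' ' ' 2>/dev/null < "/proc/$pid/cmdline")"
}

# Demo on the sample; live: lsof -n -P -i UDP:53 | dns_socket_owners
sample_lsof | dns_socket_owners
```

On a live server, run inspect_pid as root for each PID the summary lists; reading /proc/PID/exe and cwd of another user's process needs that privilege.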
11-04-2010, 09:00 AM #13Web Hosting Master
- Join Date
- Apr 2009
- Posts
- 865
Is this CentOS? FreeBSD has a cool tool named 'sockstat' for this purpose.
-
09-22-2011, 02:40 PM #14New Member
- Join Date
- Sep 2011
- Posts
- 1
My server is being used/raped as DNS server ...
Hi !
My server seems to be infected with some kind of trojan or script.
The process called <unknown> (according to MS network monitor 3.4) ... sends out on UDP 53 every 5 seconds or so to random IPs, the descriptions being "DNS sc . jfrmt . net" and variations of the subdomain.
Also my server is sending to my router on UDP 53 with www . 99woool . com as description
Now, jfrmt . net is registered to a bogus name and only some weeks old ...
1) is there a simple way / small software to block UDP 53 (something that coexists with Windows Firewall) ? I don't run any DNS service whatsoever.
2) How to find the culprit? Process <unknown> does not ring any bells ...
Thanks very very much!
PS: Win XP SP3 & XAMPP - I know, I know, but that's just how it is and worked for 7+ years.
Last edited by Grent; 09-22-2011 at 02:48 PM.