Massive outgoing UDP traffic port 53

Join Date: May 2003
Location: behind your business
Posts: 69

Massive outgoing UDP traffic port 53

During recent days I received a massive increase in outgoing UDP traffic port 53. My server connection is going very slow.

How do we resolve the problem?
Should we block outgoing UDP port 53 requests? What's the implication?

FYI, this is a cPanel server with an external DNS server.

Your advice will be greatly appreciated.

Thank you very much.

Join Date: Oct 2010
Posts: 11
You can try closing the 53 port. You can also try to optimize the software that is using that port.

Web Hosting Guru
Join Date: Nov 2003
Location: Kherson, Ukraine
Posts: 267
First of all, you need to find what the source of the traffic is.
Try something like
netstat -a -n -p | grep :53

a lazy evangelist ...
Join Date: Nov 2005
Location: /etc/fstab
Posts: 1,176
It looks like someone is running a UDP flood from your server. You should try checking the netstat value and filtering the active processes to understand who is doing this.


Security Ninja
Join Date: Mar 2003
Location: Canada
Posts: 8,826
Originally Posted by Jordan Jambazov:
You can try closing the 53 port. You can also try to optimize the software that is using that port.

Terrible advice. If you block or close port 53 then your DNS lookups will fail...


Patrick William | RACK911 Labs | Software Security Auditing

******* Unleaded
Join Date: Feb 2004
Posts: 3,830
Originally Posted by Patrick:
Terrible advice. If you block or close port 53 then your DNS lookups will fail...

Well, yes and no.

The real goal is to find out why there are so many outbound DNS queries.


WHT Addict
Join Date: Apr 2010
Posts: 123
In this case, the first thing to be done is to check the netstat output and find the source of the connections through port 53.


Junior Guru
Join Date: Jul 2009
Posts: 237
Seems like the advice is reverse troubleshooting.

Why don't you find out first what's using that port? Traditionally port 53 UDP is DNS query. So you said you are using external DNS's, but you may have enabled recursion on your system (BIND, I'm assuming) and now people are using you as a free DNS server. Try setting it to listen to or better yet disable BIND. A quick netstat -ap should show you which program is using that port.

Join Date: May 2003
Location: behind your business
Posts: 69
BIND has been disabled since I am using external DNS.
It seems someone is running a UDP flood from my server.
# lsof -i UDP:53
httpd 15014 nobody 364u IPv4 10423569 UDP myhostname:57070->
httpd 19780 nobody 364u IPv4 10423572 UDP myhostname:22285-> is Ip resolver.

How to find out who is abusing my server?

Web Hosting Master
Join Date: May 2005
Location: Bay Area
Posts: 1,211
Originally Posted by plumsauce:
Well, yes and no.
lol there is no yes and no, it was bad advice.

Telecommunication operator
Join Date: May 2002
Location: Russia, Moscow
Posts: 1,487
ps auxwwww | grep 15014 (or 19780) may show you the path to the malicious script.

PS. If you are using external DNS, blocking outgoing port 53 shall not break your DNS.


Aspiring Evangelist
Join Date: Mar 2009
Location: /home/khunj
Posts: 405
Use lsof:

lsof -p PID


Web Hosting Master
Join Date: Apr 2009
Posts: 829
Is this CentOS? FreeBSD has a cool tool named 'sockstat' for this purpose.
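
The triage the replies above describe for the Linux server (list the UDP sockets to port 53, then look at the owning PIDs), as an added example that is not part of any post. The function names are hypothetical, and the sample lsof lines are constructed around the two PIDs quoted in the thread, using documentation-range IP addresses.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: rank processes by the number of UDP
# sockets they hold to a remote port 53, then show where each process lives.

# Reads `lsof -nP -i UDP:53` output on stdin and prints
# "count pid command user" per process, busiest first.
# Only sockets whose remote end is port 53 are counted; listeners are ignored.
summarize_dns_sockets() {
  awk '$NF ~ /->.*:53$/ { n[$2 " " $1 " " $3]++ }
       END { for (k in n) print n[k], k }' | sort -rn
}

# Prints executable, working directory and command line of one PID,
# read from /proc (Linux only). Returns 1 if the process has exited.
inspect_pid() {
  pid=$1
  [ -d "/proc/$pid" ] || { echo "pid $pid: gone"; return 1; }
  echo "pid $pid"
  echo "  exe: $(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')"
  echo "  cwd: $(readlink "/proc/$pid/cwd" 2>/dev/null || echo '?')"
  echo "  cmd: $(tr '\0' ' ' 2>/dev/null < "/proc/$pid/cmdline")"
}

# Constructed sample input (PIDs from the thread, addresses made up).
sample_lsof() {
cat <<'EOF'
COMMAND   PID   USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
httpd   15014 nobody  364u  IPv4 10423569      0t0  UDP 192.0.2.10:57070->198.51.100.53:53
httpd   15014 nobody  365u  IPv4 10423570      0t0  UDP 192.0.2.10:57071->198.51.100.53:53
httpd   15014 nobody  366u  IPv4 10423571      0t0  UDP 192.0.2.10:57072->203.0.113.7:53
httpd   19780 nobody  364u  IPv4 10423572      0t0  UDP 192.0.2.10:22285->198.51.100.53:53
named     812  named   20u  IPv4     4242      0t0  UDP 127.0.0.1:53
EOF
}

# `--live` runs against the real socket table (needs root to see all PIDs).
if [ "${1:-}" = "--live" ]; then
  lsof -nP -i UDP:53 | summarize_dns_sockets |
    while read -r cnt pid rest; do
      echo "== $cnt socket(s): $rest"
      inspect_pid "$pid"
    done
fi
```

When the owner is a shared web-server worker such as httpd running as nobody, exe and cmd only name the server itself; the cwd line and the open files from `lsof -p PID` are what may point at the script.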

New Member
Join Date: Sep 2011
Posts: 1
* My server is being used/raped as DNS server ...

Hi !

My server seems to be infected with some kind of trojan or script.

The process called <unknown> (according to MS network monitor 3.4) ... sends out on UDP 53 every 5 seconds or so to random IPs, the descriptions being "DNS sc . jfrmt . net" and variations of the subdomain.

Also my server is sending to my router on UDP 53 with www . 99woool . com as description

Now, jfrmt . net is registered to a bogus name and only some weeks old ...

1) is there a simple way / small software to block UDP 53 (something that coexists with Windows Firewall) ? I don't run any DNS service whatsoever.

2) How to find the culprit? Process <unknown> does not ring any bells ...

Thanks very very much!

PS: Win XP SP3 & XAMPP - I know, I know, but that's just how it is and worked for 7+ years.

Last edited by Grent; 09-22-2011 at 02:48 PM.
