  1. #1
    Join Date
    May 2003
    behind your business

    Massive outgoing UDP traffic port 53

    In recent days I have seen a massive increase in outgoing UDP traffic on port 53. My server connection is very slow.

    How do we resolve the problem?
    Should we block outgoing UDP port 53 requests? What's the implication?

    FYI, this is a cPanel server with an external DNS server.

    Your advice will be greatly appreciated.

    Thank you very much.

  2. You can try closing the 53 port. You can also try to optimize the software that is using that port.

  3. #3
    Join Date
    Nov 2003
    Kherson, Ukraine
    First of all, you need to find what the source of the traffic is.
    Try something like:
    netstat -a -n -p|grep :53

  4. #4
    Join Date
    Nov 2005
    Looks like someone is running a UDP flood from your server. You should try checking the netstat value and filter the active processes to understand who is doing this.

  5. #5
    Join Date
    Mar 2003
    Quote Originally Posted by Jordan Jambazov View Post
    You can try closing the 53 port. You can also try to optimize the software that is using that port.
    Terrible advice. If you block or close port 53 then your DNS lookups will fail...


  6. #6
    Quote Originally Posted by Patrick View Post
    Terrible advice. If you block or close port 53 then your DNS lookups will fail...

    Well, yes and no.

    The real goal is to find out why there are so many outbound DNS queries.

  7. #7
    In this case, the first thing to be done is to check the netstat output and find the source of the connections through port 53.

  8. #8
    Join Date
    Jul 2009
    Seems like the advice is reverse troubleshooting.

    Why don't you first find out what's using that port? Traditionally, port 53 UDP is DNS queries. So you said you are using external DNS's, but you may have enabled recursion on your system (BIND, I'm assuming) and now people are using you as a free DNS server. Try setting it to listen to or better yet disable BIND. A quick netstat -ap should show you which program is using that port.

  9. #9
    Join Date
    May 2003
    behind your business
    BIND has been disabled since I am using external DNS.
    It seems someone is running a UDP flood from my server.
    # lsof -i UDP:53
    httpd 15014 nobody 364u IPv4 10423569 UDP myhostname:57070->
    httpd 19780 nobody 364u IPv4 10423572 UDP myhostname:22285-> is Ip resolver.

    How to find out who is abusing my server?

  10. #10
    Join Date
    May 2005
    Bay Area
    Quote Originally Posted by plumsauce View Post
    Well, yes and no.
    lol there is no yes and no, it was bad advice.

  11. #11
    Join Date
    May 2002
    ps auxwwww | grep 15014 or 19780 may show you the path to the malicious script.

    PS. If you are using external DNS, blocking outgoing port 53 shall not break your DNS.

  12. #12
    Join Date
    Mar 2009
    Use lsof:

    lsof -p PID

  13. #13
    Join Date
    Apr 2009
    Is this CentOS? FreeBSD has a cool tool named 'sockstat' for this purpose.
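
The triage steps suggested in this thread (lsof -i UDP:53, then ps and lsof -p on the PID) combined into one script, as an added example that is not from any poster. The function names dns_talkers, resolvers and describe_pid are hypothetical, the lsof lines are constructed sample data using documentation addresses, and it assumes Linux /proc and that legitimate lookups go only to the nameservers in /etc/resolv.conf.

```sh
#!/bin/sh
# Added example: flag processes sending DNS to hosts other than the configured resolvers.
# SAMPLE_LSOF is constructed (documentation IP ranges), shaped like `lsof -nP -i UDP:53`.
SAMPLE_LSOF='COMMAND   PID   USER  FD  TYPE   DEVICE SIZE/OFF NODE NAME
httpd   15014 nobody 364u IPv4 10423569      0t0  UDP 198.51.100.10:57070->192.0.2.53:53
httpd   19780 nobody 364u IPv4 10423572      0t0  UDP 198.51.100.10:22285->192.0.2.77:53
httpd   19780 nobody 365u IPv4 10423580      0t0  UDP 198.51.100.10:22286->192.0.2.78:53
named    1201 named   20u IPv4    18822      0t0  UDP 127.0.0.1:53'

# resolvers [FILE]: nameserver IPs from resolv.conf, space-separated.
resolvers() {
    awk '$1 == "nameserver" { print $2 }' "${1:-/etc/resolv.conf}" | tr '\n' ' '
}

# dns_talkers "IP IP ...": reads lsof output on stdin and prints
# "PID USER COMMAND SOCKETS" for every process with UDP sockets whose remote
# end is port 53 on a host that is not in the allowed resolver list.
dns_talkers() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $NF ~ /->/ {                              # NAME column: local->remote
            split($NF, ends, "->")
            host = port = ends[2]
            sub(/.*:/, "", port)                  # text after the last colon
            sub(/:[^:]*$/, "", host)              # text before it
            if (port == "53" && !(host in ok)) { cnt[$2]++; who[$2] = $3 " " $1 }
        }
        END { for (p in cnt) print p, who[p], cnt[p] }
    ' | sort -n
}

# describe_pid PID: working directory, binary and command line from /proc,
# the same details `ps auxwwww` and `lsof -p PID` expose.
describe_pid() {
    [ -d "/proc/$1" ] || { echo "pid $1: not running"; return 0; }
    echo "pid $1 cwd=$(readlink "/proc/$1/cwd") exe=$(readlink "/proc/$1/exe")"
    tr '\0' ' ' < "/proc/$1/cmdline"; echo
}

# Demo on the constructed sample, treating 192.0.2.53 as the only resolver.
printf '%s\n' "$SAMPLE_LSOF" | dns_talkers "192.0.2.53"
# Live use, as root (-n and -P keep addresses and ports numeric):
#   lsof -nP -i UDP:53 | dns_talkers "$(resolvers)" |
#       while read -r pid _; do describe_pid "$pid"; done
```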

  14. #14

    * My server is being used/raped as DNS server ...

    Hi !

    My server seems to be infected with some kind of trojan or script.

    The process called <unknown> (according to MS network monitor 3.4) ... sends out on UDP 53 every 5 seconds or so to random IPs, the descriptions being "DNS sc . jfrmt . net" and variations of the subdomain.

    Also my server is sending to my router on UDP 53 with www . 99woool . com as description

    Now, jfrmt . net is registered to a bogus name and only some weeks old ...

    1) is there a simple way / small software to block UDP 53 (something that coexists with Windows Firewall) ? I don't run any DNS service whatsoever.

    2) How to find the culprit? Process <unknown> does not ring any bells ...

    Thanks very very much!

    PS: Win XP SP3 & XAMPP - I know, I know, but that's just how it is and worked for 7+ years.
    Last edited by Grent; 09-22-2011 at 02:48 PM.
