  1. #1

    Massive outgoing UDP traffic port 53

    During recent days I have received a massive increase in outgoing UDP traffic on port 53. My server connection is going very slow.

    How do we resolve the problem?
    Should we block outgoing UDP port 53 requests? What's the implication?

    FYI, this is a cPanel server with an external DNS server.

    Your advice will be greatly appreciated.

    Thank you very much.

  2. You can try closing port 53. You can also try to optimize the software that is using that port.

  3. #3
    First of all you need to find the source of the traffic.
    Try something like
    Code:
    netstat -a -n -p | grep :53

  4. #4
    It looks like someone is running UDP flooding from your server. You should check the netstat output and filter the active processes to understand who is doing this.

  5. #5
    Quote Originally Posted by Jordan Jambazov:
        You can try closing port 53. You can also try to optimize the software that is using that port.
    Terrible advice. If you block or close port 53 then your DNS lookups will fail...


  6. #6
    Quote Originally Posted by Patrick:
        Terrible advice. If you block or close port 53 then your DNS lookups will fail...
    Well, yes and no.

    The real goal is to find out why there are so many outbound DNS queries.

  7. #7
    In this case, the first thing to be done is to check the netstat output and find the source of the connections through port 53.

  8. #8
    Seems like the advice is reverse troubleshooting.

    Why don't you find out first what's using that port? Traditionally port 53 UDP is DNS queries. So you said you are using external DNS servers, but you may have enabled recursion on your system (BIND, I'm assuming) and now people are using you as a free DNS server. Try setting it to listen on 127.0.0.1 or, better yet, disable BIND. A quick netstat -ap should show you which program is using that port.
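    The open-resolver scenario post #8 describes, as an added example that is not part of the thread: a small shell check that classifies a dig response as "open" (answered recursively with the ra flag set), "refused" (recursion denied to this client) or "closed" (no ra flag, for instance an authoritative-only answer), plus the named.conf options that stop recursion for the outside world. The dig outputs embedded below are constructed samples and the server address in the comment is a placeholder; the real check is the dig command shown there, run from a host outside your own network.

```shell
#!/bin/sh
# Added example, not code from the thread. Classifies a `dig` response and
# prints a named.conf fragment that closes recursion. Sample dig outputs are
# constructed; 203.0.113.1 is a placeholder for the server under test.

# open_resolver_verdict: read `dig` output on stdin, print one word:
#   open    - status NOERROR, "ra" flag set, at least one answer record
#   refused - status REFUSED (BIND's reply when allow-recursion excludes you)
#   closed  - anything else (e.g. an authoritative answer without "ra")
open_resolver_verdict() {
    awk '
        /status:/ { s = $0; sub(/.*status: /, "", s); sub(/,.*/, "", s); status = s }
        /;; flags:/ {
            line = $0; sub(/;; flags: /, "", line); sub(/;.*/, "", line)
            n = split(line, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "ra") ra = 1
        }
        /ANSWER: [1-9]/ { answered = 1 }
        END {
            if (status == "REFUSED") print "refused"
            else if (ra && answered) print "open"
            else print "closed"
        }'
}

# closed_resolver_named_conf: options that answer recursive queries only
# from the box itself. Use listen-on { 127.0.0.1; } only when the server
# publishes no zones; an authoritative server keeps its listener open and
# relies on allow-recursion.
closed_resolver_named_conf() {
    cat <<'EOF'
options {
    allow-recursion { 127.0.0.1; ::1; };
    // listen-on { 127.0.0.1; };   // only if nobody outside needs this server
    // recursion no;               // for a purely authoritative server
};
EOF
}

# Constructed samples mirroring dig's header lines.
SAMPLE_OPEN=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
www.example.com.  300  IN  A  203.0.113.10'

SAMPLE_REFUSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4243
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'

# Authoritative-only server answering its own zone: answers, but no "ra".
SAMPLE_NORA=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4244
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0'

for name in SAMPLE_OPEN SAMPLE_REFUSED SAMPLE_NORA; do
    eval "sample=\$$name"
    printf '%s -> %s\n' "$name" "$(printf '%s\n' "$sample" | open_resolver_verdict)"
done

# Live check, from an outside host (placeholder address):
#   dig @203.0.113.1 +tries=1 +time=3 www.example.com A | open_resolver_verdict
closed_resolver_named_conf
```

    A server that prints "open" for a name it is not authoritative for is the free DNS server post #8 warns about; after changing allow-recursion, reload named and expect "refused" from outside and "open" only from localhost.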

  9. #9
    BIND has been disabled since I am using external DNS.
    It seems someone is running UDP flooding from my server.
    Code:
    # lsof -i UDP:53
    COMMAND PID   USER   FD   TYPE DEVICE   SIZE NODE NAME
    httpd   15014 nobody 364u IPv4 10423569      UDP  myhostname:57070->xxx.xxx.xxx.xxx:domain
    httpd   19780 nobody 364u IPv4 10423572      UDP  myhostname:22285->xxx.xxx.xxx.xxx:domain
    xxx.xxx.xxx.xxx is the IP of the resolver.

    How to find out who is abusing my server?

  10. #10
    Quote Originally Posted by plumsauce:
        Well, yes and no.
    lol there is no yes and no, it was bad advice.

  11. #11
    ps auxwwww | grep 15014 (or 19780) may show you the path to the malicious script.

    PS. If you are using external DNS, blocking the outgoing port 53 shall not break your DNS.
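    Post #1 asks what blocking outgoing UDP 53 implies and post #11 says it is harmless when the resolvers are external. The added example below (not code from the thread) makes that precise: it generates iptables rules that allow UDP/53 only to the resolvers listed in /etc/resolv.conf, cap the query rate of the web server user, and log and drop everything else, instead of the blunt "-A OUTPUT -p udp --dport 53 -j DROP" that also kills the server's own lookups. The resolver addresses 203.0.113.53/54 and the user name nobody are assumptions for the offline run. One caveat: when the abusive script sends its queries to the legitimate resolver, as in post #9, an allowlist alone changes nothing; that is what the rate cap is for, and the real fix is still to find the script.

```shell
#!/bin/sh
# Added example, not code from the thread. Prints iptables commands; review
# them, then run them as root. IPv6 needs the same rules under ip6tables.
# Resolver addresses and the user "nobody" are placeholders/assumptions.

# resolvers_from_resolvconf FILE: print nameserver addresses, one per line.
resolvers_from_resolvconf() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# dns_egress_rules WEBUSER RESOLVER...: print the rules.
# Chain layout:
#   OUTPUT --udp/53--> DNS_OUT (rate cap for WEBUSER) --> DNS_ALLOW (resolver allowlist)
# Packets from WEBUSER above the rate are dropped in DNS_OUT; everything
# that reaches DNS_ALLOW must go to a listed resolver or is logged and dropped.
# The weak alternative, "iptables -A OUTPUT -p udp --dport 53 -j DROP",
# blocks the box's own lookups too.
dns_egress_rules() {
    webuser=$1; shift
    echo "iptables -N DNS_OUT"
    echo "iptables -N DNS_ALLOW"
    echo "iptables -A OUTPUT -p udp --dport 53 -j DNS_OUT"
    # web server user: at most ~20 queries/s sustained, burst of 50
    echo "iptables -A DNS_OUT -m owner --uid-owner $webuser -m limit --limit 20/sec --limit-burst 50 -j DNS_ALLOW"
    echo "iptables -A DNS_OUT -m owner --uid-owner $webuser -j DROP"
    echo "iptables -A DNS_OUT -j DNS_ALLOW"
    for r in "$@"; do
        echo "iptables -A DNS_ALLOW -d $r -j ACCEPT"
    done
    echo 'iptables -A DNS_ALLOW -m limit --limit 10/min -j LOG --log-prefix "DNS-EGRESS-DROP "'
    echo "iptables -A DNS_ALLOW -j DROP"
}

# Constructed resolv.conf for the offline run; on the real box use /etc/resolv.conf.
tmp=$(mktemp)
printf 'search example.net\nnameserver 203.0.113.53\nnameserver 203.0.113.54\n' > "$tmp"
resolvers=$(resolvers_from_resolvconf "$tmp")
rm -f "$tmp"

# Apply with:  dns_egress_rules nobody $resolvers | sh   (as root, after review)
dns_egress_rules nobody $resolvers
```

    Dropped packets show up in the kernel log with the DNS-EGRESS-DROP prefix, which tells you immediately whether the flood is aimed at the configured resolver (only the rate cap bites, and the script must be found) or at arbitrary hosts (the allowlist stops it).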

  12. #12
    Use lsof:

    Code:
    lsof -p PID
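    The lsof output in post #9 and the ps / lsof -p advice in posts #11 and #12, put together as an added shell example (not code from the thread): it parses lsof -i UDP:53 output into unique PIDs and, for each one, prints the command line, working directory and open script files, which on a cPanel box usually point straight at the account whose PHP script is sending the queries. The lsof output embedded below is constructed from post #9 with 203.0.113.53 standing in for the resolver; the live part runs only where lsof is installed and needs root to see other users' processes.

```shell
#!/bin/sh
# Added example, not code from the thread. Maps sockets on UDP/53 back to
# processes and, for httpd workers running as "nobody", to the script and
# directory generating the queries. Sample lsof output is constructed;
# 203.0.113.53 is a placeholder for the resolver in post #9.

SAMPLE_LSOF='COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
httpd 15014 nobody 364u IPv4 10423569 UDP myhostname:57070->203.0.113.53:domain
httpd 19780 nobody 364u IPv4 10423572 UDP myhostname:22285->203.0.113.53:domain
httpd 15014 nobody 365u IPv4 10423570 UDP myhostname:57071->203.0.113.53:domain'

# udp53_pids: read `lsof -i UDP:53` output on stdin, print unique PIDs in
# first-seen order (skips the header line).
udp53_pids() {
    awk 'NR > 1 && !seen[$2]++ { print $2 }'
}

# inspect_pid PID: command line and age, working directory (Linux /proc),
# and open script files (the account's PHP/Perl/CGI file is usually among them).
inspect_pid() {
    pid=$1
    ps -o pid=,user=,etime=,args= -p "$pid" 2>/dev/null || true
    if [ -r "/proc/$pid/cwd" ]; then
        printf 'cwd: %s\n' "$(readlink "/proc/$pid/cwd")"
    fi
    # FD column like "364u" = a regular open file; keep script-looking names
    lsof -p "$pid" 2>/dev/null |
        awk '$4 ~ /^[0-9]+[rwu]$/ && $NF ~ /\.(php|pl|py|cgi)$/ { print "open:", $NF }'
}

# Offline: parse the constructed sample.
pids=$(printf '%s\n' "$SAMPLE_LSOF" | udp53_pids)
echo "PIDs with UDP/53 sockets (sample): $pids"

# Live: inspect the real processes where lsof is available (run as root).
if command -v lsof >/dev/null 2>&1; then
    lsof -nP -i UDP:53 2>/dev/null | udp53_pids | while read -r p; do
        echo "== PID $p"
        inspect_pid "$p"
    done
fi
```

    Once the cwd or open file points into /home/<account>/, stop the worker, look at the script and at that account's recently modified files (a find -newer against a known-good file works), and check how it got there before simply deleting it.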

  13. #13
    Is this CentOS? FreeBSD has a cool tool named 'sockstat' for this purpose.

  14. #14

    * My server is being used/raped as a DNS server ...

    Hi !

    My server seems to be infected with some kind of trojan or script.

    The process called <unknown> (according to MS Network Monitor 3.4) ... sends out on UDP 53 every 5 seconds or so to random IPs, the descriptions being "DNS sc . jfrmt . net" and variations of the subdomain.

    Also my server is sending to my router on UDP 53 with www . 99woool . com as description

    Now, jfrmt . net is registered to a bogus name and only some weeks old ...

    1) Is there a simple way / small piece of software to block UDP 53 (something that coexists with Windows Firewall)? I don't run any DNS service whatsoever.

    2) How to find the culprit? Process <unknown> does not ring any bells ...


    Thanks very very much!

    PS: Win XP SP3 & XAMPP - I know, I know, but that's just how it is and it has worked for 7+ years.
    Last edited by Grent; 09-22-2011 at 02:48 PM.
