Massive outgoing UDP traffic port 53

  #1  
Old
Disabled
 
Join Date: May 2003
Location: behind your business
Posts: 69

Massive outgoing UDP traffic port 53


During recent days I received a massive increase in outgoing UDP traffic port 53. My server connection is going very slow.

How do we resolve the problem?
Should we block outgoing UDP port 53 requests? What's the implication?

Fyi this is cpanel server with external DNS server.

Your advice will be greatly appreciated.

Thank you very much.



  #2  
Old
Newbie
 
Join Date: Oct 2010
Posts: 11
You can try closing the 53 port. You can also try to optimize the software that is using that port.

  #3  
Old
Web Hosting Guru
 
Join Date: Nov 2003
Location: Kherson, Ukraine
Posts: 267
First of all you need to find what the source of the traffic is.
Try something like:

Code:
netstat -a -n -p | grep :53

__________________
Private remote administrator of Linux servers - www.petrov.ks.ua
Quality hosting - Host-Web-Site.com

  #4  
Old
a lazy evangelist ...
 
Join Date: Nov 2005
Location: /etc/fstab
Posts: 1,174
Looks like someone is running a UDP flood from your server. You should try checking the netstat output and filter the active processes to understand who is doing this.

__________________
Mellowhost - Affordable Cpanel and WHM Reseller Hosting
R1Soft, RVSitebuilder, RVSkin, Softaculous, Fantastico, Domain Reseller and many more ...
Learn Hosting

  #5  
Old
Security Ninja
 
Join Date: Mar 2003
Location: Canada
Posts: 8,753
Quote:
Originally Posted by Jordan Jambazov View Post
You can try closing the 53 port. You can also try to optimize the software that is using that port.
Terrible advice. If you block or close port 53 then your DNS lookups will fail...

.
.

__________________
Patrick William | RACK911 Labs | Software Security Auditing
300+ Vulnerabilities Found - Get a Quote @ http://www.RACK911Labs.com

www.HostingSecList.com - Security notices for the hosting community.

  #6  
Old
******* Unleaded
 
Join Date: Feb 2004
Posts: 3,829
Quote:
Originally Posted by Patrick View Post
Terrible advice. If you block or close port 53 then your DNS lookups will fail...

.
.
Well, yes and no.

The real goal is to find out why there are so many outbound DNS queries.

__________________
edgedirector.com
managed dns global failover and load balance (gslb)
exactstate.com
uptime report for webhostingtalk.com

  #7  
Old
WHT Addict
 
Join Date: Apr 2010
Posts: 123
In this case, the first thing to be done is to check the netstat output and find the source of the connections through port 53.

__________________
For any OneTime job like installation, configuring software, optimizing etc on linux servers..you can contact me!
Email: sysdm4@gmail.com

  #8  
Old
Junior Guru
 
Join Date: Jul 2009
Posts: 237
Seems like the advice is reverse troubleshooting.

Why don't you find out first what's using that port? Traditionally port 53 UDP is DNS query. So you said you are using external DNS, but you may have enabled recursion on your system (BIND, I'm assuming) and now people are using you as a free DNS server. Try setting it to listen on 127.0.0.1 or, better yet, disable BIND. A quick netstat -ap should show you which program is using that port.

  #9  
Old
Disabled
 
Join Date: May 2003
Location: behind your business
Posts: 69
BIND has been disabled since I am using external DNS.
It seems someone is running a UDP flood from my server.
Quote:
# lsof -i UDP:53
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
httpd 15014 nobody 364u IPv4 10423569 UDP myhostname:57070->xxx.xxx.xxx.xxx:domain
httpd 19780 nobody 364u IPv4 10423572 UDP myhostname:22285->xxx.xxx.xxx.xxx:domain
xxx.xxx.xxx.xxx is the resolver IP.

How do I find out who is abusing my server?

  #10  
Old
Web Hosting Master
 
Join Date: May 2005
Location: Bay Area
Posts: 1,203
Quote:
Originally Posted by plumsauce View Post
Well, yes and no.
lol there is no yes and no, it was bad advice.

  #11  
Old
Telecommunication operator
 
Join Date: May 2002
Location: Russia, Moscow
Posts: 1,482
ps auxwwww | grep 15014 (or 19780) may show you the path to the malicious script.

PS. If you are using external DNS, blocking outgoing port 53 shall not break your DNS.

__________________
Rustelekom LLC Dedicated server since 2002, RIPE NCC member, LIR, AS51168

  #12  
Old
Aspiring Evangelist
 
Join Date: Mar 2009
Location: /home/khunj
Posts: 392
Use lsof:

Code:
lsof -p PID

__________________
NinTechNet
★ NinjaFirewall : Web Application Firewall for PHP and WordPress.
★ NinjaMonitoring : Monitor your website for suspicious activities.
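
The lookup suggested across the posts above (lsof by port, then per-PID inspection), combined into one script. This is an added example, not code posted by anyone in the thread; the function names and the `--live` switch are hypothetical, and the sample lsof text is constructed on the model of the output quoted in post #9, with 192.0.2.53 standing in for the masked resolver address.

```shell
#!/bin/sh
# Added example: attribute outbound UDP/53 sockets to the processes that own them.
# SAMPLE_LSOF is constructed sample data, not output from a real server.
SAMPLE_LSOF='COMMAND   PID   USER   FD  TYPE   DEVICE SIZE NODE NAME
httpd   15014 nobody 364u IPv4 10423569      UDP  myhostname:57070->192.0.2.53:domain
httpd   19780 nobody 364u IPv4 10423572      UDP  myhostname:22285->192.0.2.53:domain
httpd   19780 nobody 365u IPv4 10423580      UDP  myhostname:40112->192.0.2.53:domain
named    1201 named   20u IPv4     8841      UDP  *:domain'

# Reads lsof text on stdin and prints "sockets pid command user" for every
# process holding a connected (local->remote) UDP socket to port 53,
# busiest first. Listening sockets such as "*:domain" are ignored.
summarize_dns_clients() {
    awk 'NR > 1 && $NF ~ /->.*:(domain|53)$/ {
             n[$2]++; cmd[$2] = $1; usr[$2] = $3
         }
         END { for (p in n) print n[p], p, cmd[p], usr[p] }' |
    sort -k1,1nr -k2,2n
}

# Prints what /proc records about one PID (Linux only): binary, working
# directory and full command line. Returns 1 if the PID is not running.
inspect_pid() {
    pid=$1
    [ -d "/proc/$pid" ] || { echo "pid $pid: not running"; return 1; }
    echo "pid $pid"
    echo "  exe:     $(readlink "/proc/$pid/exe" 2>/dev/null)"
    echo "  cwd:     $(readlink "/proc/$pid/cwd" 2>/dev/null)"
    echo "  cmdline: $(tr '\0' ' ' 2>/dev/null < "/proc/$pid/cmdline")"
}

# Live use, as root: sh thisscript.sh --live
if [ "${1:-}" = "--live" ]; then
    lsof -nP -i UDP:53 | summarize_dns_clients |
    while read -r count pid cmd user; do
        echo "== $count socket(s) to port 53: $cmd (user $user)"
        inspect_pid "$pid"
    done
fi
```

For a PID that stands out, `lsof -p PID` as suggested above lists the files that process has open.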

  #13  
Old
Web Hosting Master
 
Join Date: Apr 2009
Posts: 829
Is this CentOS? FreeBSD has a cool tool named 'sockstat' for this purpose.

  #14  
Old
New Member
 
Join Date: Sep 2011
Posts: 1
* My server is being used/raped as DNS server ...

Hi !

My server seems to be infected with some kind of trojan or script.

The process called <unknown> (according to MS network monitor 3.4) ... sends out on UDP 53 every 5 seconds or so to random IPs, the descriptions being "DNS sc . jfrmt . net" and variations of the subdomain.

Also my server is sending to my router on UDP 53 with www . 99woool . com as description

Now, jfrmt . net is registered to a bogus name and only some weeks old ...

1) is there a simple way / small software to block UDP 53 (something that coexists with Windows Firewall) ? I don't run any DNS service whatsoever.

2) How to find the culprit? Process <unknown> does not ring any bells ...


Thanks very very much!

PS: Win XP SP3 & XAMPP - I know, I know, but that's just how it is and worked for 7+ years.


Last edited by Grent; 09-22-2011 at 02:48 PM.