Solved

Problems with outbound 53

Posted on 2008-10-01
522 Views
Last Modified: 2013-11-30
My ISP keeps nagging me that there is a lot of traffic outbound via a few ports hitting SE Asia. One culprit I found was someone using Shareaza downloading. So that has been taken care of. The other is I get multiple requests outbound on port 53 to many of these sites. I use a Barracuda for all internal email, then Spam Sentinel as a backup and a NetVanta firewall for the rest. The problem lies in the logs of the NetVanta.
I attached a screen shot. The Barracuda is the .80 and the NAT is obviously the firewall. Can someone tell me how to stop this or find out who internally has a worm or bot sending this out?
Thanks.
Question by:jdwilliams1
21 Comments
 
LVL 5

Expert Comment

by:valheru_m
ID: 22614422
Port 53 = DNS. Something in your network is making a lot of DNS requests to the outside world. I always configure my firewalls to only allow certain ports to access only the outside boxes they need, and DNS is a perfect example for this. Configure a rule in your firewall to only allow DNS traffic to one or two outside IP addresses, in this case your ISP's DNS servers. This way, your firewall will not let any of that traffic pass outside of your internal network unless the requests are made specifically to the DNS servers you authorized. This won't solve your worm problem, but at least it will stop your ISP from seeing any of the traffic generated by it.

As for finding the worm, I don't see the screenshot you said you attached, but your firewall logs should show you the internal IP address that is generating the traffic. After you have the internal IP address it shouldn't be too difficult to find the box in question. If your internal DNS is set up correctly you can do a reverse DNS lookup on that address. If you use DHCP on your network, you can check the DHCP lease tables to find the DNS name of the machine if you have dynamic updating set up. If those fail, you can try:

nbtstat -A ip.addy.of.machine

If the machine is a Windows machine and doesn't have Windows Firewall turned on, that will give you the NetBIOS name of the machine.

If none of those options work, it's time to start a manual inventory to find your problem child.
0
 
LVL 32

Expert Comment

by:harbor235
ID: 22614879


Any site should have outbound 53 requests if they are browsing the internet. Is there still a lot of traffic after Shareaza was disabled? There is no screen shot.

You said:
The other is I get multiple requests outbound on port 53 to many of these sites

What sites? You will get an outbound 53 for any browsing activity if it is not already cached.

Do you have Wireshark? Try to identify the source if it is a problem.

harbor235 ;}
0
 

Author Comment

by:jdwilliams1
ID: 22615320
The ISP said many of the outbound requests are going to overseas sites. The Shareaza port is 6436 or close, so I stopped that. I am just wondering if there is a bot hitting the Barracuda first, then the destination is outbound on port 53 through the firewall. As for Wireshark, are you suggesting eliminating the Barracuda for a few minutes and listening on the NIC of the main server that is NATted?
0
 
LVL 32

Expert Comment

by:harbor235
ID: 22615582


Unless the Barracuda can provide that, you could also use nslookup: point it to the destination IP and see if it can resolve hostnames. This way we can see if it is legitimate DNS traffic.

nslookup <enter>
> server x.x.x.x      (x.x.x.x is a destination IP of the outbound port 53 request)
> google.com

See if it responds with valid Google IPs.

harbor235 ;}
0
 
LVL 5

Expert Comment

by:valheru_m
ID: 22616291
Yes, your complete restriction of the Shareaza port solved that problem as far as your ISP is concerned. That is why I suggested also restricting all DNS traffic to only a couple of authorized DNS servers. This would prevent your ISP from seeing a bunch of DNS requests to oddball servers while still allowing your internal users to use internet services properly, since any correctly configured client should only be using your authorized DNS servers anyway.
0
 
LVL 32

Expert Comment

by:harbor235
ID: 22616428

I would not restrict DNS access to a few servers. Being able to query other DNS servers is definitely used to troubleshoot DNS issues; your more savvy internet users may have issues with that one. Also, if you restrict access to only a few servers there are no options in case of multiple failures. I understand why, but I think it would lead to additional problems. Web designers, your DNS folks, etc. would have issues. Your approved DNS servers may have corruption issues, and there is no way to verify domain information from other DNS servers on the net. Be careful here, you may break more than you think.

harbor235 ;}
0
 
LVL 5

Expert Comment

by:valheru_m
ID: 22616623
Power users and administrators might need access to more than the standard set of DNS servers, agreed. But the standard end user will almost never even need to create DNS traffic through the firewall, as most secure environments have the workstations set up to request DNS from an internal server which then forwards the requests out to the appropriate DNS servers for domains it doesn't host.

For the power users, I create firewall rules that allow them extra access as needed on a case by case basis.  However, using any policy of "allow outbound unless specifically restricted" is asking for trouble.

I stand by my recommendation of restriction, and if you have certain users that need more access, then add them to a group of users or workstations with enhanced access based on that need.
0
 
LVL 32

Expert Comment

by:harbor235
ID: 22616711

I don't disagree, just trying to give a different perspective ;}  

valheru_m, wouldn't it be better if you were riding a Seadoo instead of working? Good stuff though!

harbor235 ;}
0
 

Author Comment

by:jdwilliams1
ID: 22616872
My DNS server forwards to my ISP DNS servers. As for the nslookup, I only get non-existent domains.
0
 
LVL 32

Expert Comment

by:harbor235
ID: 22616933

So the destination is not a valid DNS server? If so, I would be concerned and lock it down as valheru_m states.

harbor235 ;}
0
 
LVL 5

Expert Comment

by:valheru_m
ID: 22616984
hehe.  Google is your friend?  ;)

While I wish I could be riding a Seadoo, my membership on Seadoo forums is the unfortunate result of a melted piston and a cracked block. I won't be riding any time soon.
0
 
LVL 32

Expert Comment

by:harbor235
ID: 22617026

yeah, I love trying to see who I am talking to. I am a boater only I am on the Chesapeake Bay.  ;}

harbor235 ;}
0
 

Author Comment

by:jdwilliams1
ID: 22617123
Maybe I am a little confused. All of the internal NICs use the local DNS server for resolution. The Barracuda is only forwarded SMTP traffic. It also analyzes outbound SMTP traffic; the rest takes place at the firewall. Why is the Barracuda sending back out on different ports, to destination port 53, then NAT at a different port? Sorry, I'm not an expert.
Thanks
0
 
LVL 5

Expert Comment

by:valheru_m
ID: 22617329
Are you sure it's the barracuda that is sending out the requests on 53?  Sounds to me more like you have a zombied windows box on your LAN that would be sending out requests like that.

Also, maybe I missed something, but what do you mean when you say NAT at a different port?
0
 

Author Comment

by:jdwilliams1
ID: 22617908
OK, for the time being I eliminated the Barracuda and just have all email traffic routing through the server, then the firewall. If I look at the firewall logs, most traffic hits the email server IP, then the destination IP is anything with mainly a port 53 attached, then it lists the public NAT address.
0
 
LVL 5

Expert Comment

by:valheru_m
ID: 22618170
If I'm understanding you correctly, the firewall shows packets originating on the IP of your mail server with a seemingly random destination IP, mostly on port 53? If that is truly the case and you are reading your logs correctly, that's not good at all. Is your mail server a Windows box? It's possible that the mail server itself is compromised.

I hope that's not the case, but if it is you need to start looking at your backups. I don't want to get too far ahead of the situation though without confirming. It's hard to accurately determine at this point without analyzing some of the log. Can you sanitize a few lines of it and post them, or perhaps just send a copy to me offline?  You can use the email addy in my profile.
0
 

Author Comment

by:jdwilliams1
ID: 22618365
Which logs do you want: the firewall, server, or Domino? I am assuming firewall, correct?
0
 

Author Comment

by:jdwilliams1
ID: 22618594
I can give you the dump files from Wireshark on the server's NIC.
0
 
LVL 5

Expert Comment

by:valheru_m
ID: 22619054
I just want to see these mysterious DNS calls in the firewall log.
0
 

Author Comment

by:jdwilliams1
ID: 22626778
Here you go
CAPTURE1.TXT
0
 
LVL 5

Accepted Solution

by: valheru_m (earned 2000 total points)
ID: 22633755
Yeah that's definitely odd.  Your server isn't providing an additional NAT for any of your client machines, is it? Other than the server being compromised or the server's IP being spoofed, that's the only other reason I can think of that would cause all of those requests to appear to originate from the server (I'm assuming the .80 address is the server?)

The log you sent doesn't have timestamps on the entries so I can't tell how often they happen, but I would find some after-hours time to take down the server and monitor the firewall logs while the server is off. This will ensure that it really is the server and not some IP-address-spoofing client. If the suspect traffic ceases when the server is off, you know the problem is the server. If that's the case, make sure you have a good backup of anything important on the server, because it's time for a rebuild.

Also, when I requested a copy of your log, I asked you for a sanitized copy if you were going to post it publicly.  You'll want to see if you can remove that ASAP, as that log contains a lot of information that would be useful to someone interested in hacking into your network.
0
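The thread's two practical recommendations, reading the firewall log to find which internal host is generating the port 53 traffic, and checking that only the internal DNS server talks to the authorized ISP resolvers, can be automated over a log export. The script below is an added example and not code from the thread, from Experts Exchange or from the NetVanta product; the log line format, the internal DNS server address (192.168.1.10), the ISP resolver addresses and the fan-out threshold are all constructed assumptions, and the sample lines are made up to mirror the situation described above (a .80 mail server sending DNS to many unrelated destinations).

```python
"""Triage a firewall log export for suspicious outbound DNS (added example).

Assumptions (not from the thread): each log line carries src=, dst=, proto=
and dport= fields, the internal DNS server is 192.168.1.10, and the only
authorized outside resolvers are the two ISP addresses listed below.
"""
import re
from collections import defaultdict

# Constructed sample lines; this is not a real NetVanta log format.
SAMPLE_LOG = """\
src=192.168.1.80 dst=203.0.113.9 proto=udp dport=53 nat=198.51.100.2
src=192.168.1.80 dst=203.0.113.77 proto=udp dport=53 nat=198.51.100.2
src=192.168.1.80 dst=198.18.4.4 proto=udp dport=53 nat=198.51.100.2
src=192.168.1.80 dst=198.18.9.1 proto=udp dport=53 nat=198.51.100.2
src=192.168.1.80 dst=203.0.113.200 proto=tcp dport=25 nat=198.51.100.2
src=192.168.1.10 dst=192.0.2.53 proto=udp dport=53 nat=198.51.100.2
src=192.168.1.10 dst=192.0.2.54 proto=udp dport=53 nat=198.51.100.2
src=192.168.1.42 dst=203.0.113.15 proto=tcp dport=80 nat=198.51.100.2
"""

INTERNAL_DNS = {"192.168.1.10"}            # assumed internal resolver
ISP_RESOLVERS = {"192.0.2.53", "192.0.2.54"}  # assumed authorized forwarders

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\S+) dport=(\d+)")


def parse_lines(text):
    """Turn log text into a list of flow dicts; lines that do not match are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst, proto, dport = m.groups()
        flows.append({"src": src, "dst": dst, "proto": proto, "dport": int(dport)})
    return flows


def dns_summary(flows):
    """Map each internal source to the set of distinct port-53 destinations it contacted."""
    dests = defaultdict(set)
    for f in flows:
        if f["dport"] == 53:
            dests[f["src"]].add(f["dst"])
    return dests


def triage(flows, internal_dns=INTERNAL_DNS, isp_resolvers=ISP_RESOLVERS,
           fanout_threshold=3):
    """Return findings as (src, reason, detail) tuples, sorted by source address.

    A host that is not the internal resolver should not be sending DNS outbound
    at all; the resolver itself should only reach the ISP resolvers; and any host
    spraying DNS at many distinct destinations is the bot/worm pattern the ISP saw.
    """
    findings = []
    for src, dests in sorted(dns_summary(flows).items()):
        unauthorized = sorted(dests - isp_resolvers)
        if src not in internal_dns:
            findings.append((src, "non-resolver host sending DNS outbound",
                             unauthorized or sorted(dests)))
        elif unauthorized:
            findings.append((src, "resolver querying unauthorized servers", unauthorized))
        if len(dests) >= fanout_threshold:
            findings.append((src, "high DNS destination fan-out", len(dests)))
    return findings


if __name__ == "__main__":
    for src, reason, detail in triage(parse_lines(SAMPLE_LOG)):
        print(f"{src}: {reason} -> {detail}")
```

On the constructed sample the script flags only 192.168.1.80, both because it is not the resolver and because it fans out to four distinct DNS destinations, while the internal DNS server's traffic to the two ISP resolvers is accepted. Against a real export, replace the regex with one matching your firewall's line format and the two address sets with your own; the surviving findings are the hosts to inventory first, and the same allowlist is what the restrictive firewall rule discussed above would enforce.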