Solved

Problems with outbound 53

Posted on 2008-10-01
520 Views
Last Modified: 2013-11-30
My ISP keeps nagging me that there is a lot of traffic outbound via a few ports hitting SE Asia. One culprit I found was someone using Shareaza downloading. So that has been taken care of. The other is I get multiple requests outbound on port 53 to many of these sites. I use a Barracuda for all internal email, then Spam Sentinel as a backup, and a NetVanta firewall for the rest. The problem lies in the logs of the NetVanta.
I attached a screen shot. The Barracuda is the .80 and the NAT is obviously the firewall. Can someone tell me how to stop this or find out who internal has a worm or bot sending this out?
Thanks.
0
Question by:jdwilliams1
21 Comments
 
LVL 5

Expert Comment

by:valheru_m
ID: 22614422
Port 53 = DNS.  Something in your network is making a lot of DNS requests to the outside world.  I always configure my firewalls to only allow certain ports to access only the outside boxes they need, and DNS is a perfect example for this.  Configure a route in your firewall to only allow DNS traffic to one or two outside IP addresses, in this case your ISP's DNS servers.  This way, your firewall will not let any of that traffic pass outside of your internal network unless the requests are made specifically to the DNS servers you authorized. This won't solve your worm problem, but at least it will stop your ISP from seeing any of the traffic generated by it.

As for finding the worm, I don't see the screenshot you said you attached, but your firewall logs should show you the internal IP address that is generating the traffic. After you have the internal IP address it shouldn't be too difficult to find the box in question.  If your internal DNS is set up correctly you can do a reverse DNS lookup on that address. If you use DHCP on your network, you can check the DHCP lease tables to find the DNS name of the machine if you have dynamic updating set up. If those fail, you can try:

nbtstat -A ip.addy.of.machine

If the machine is a Windows machine and doesn't have Windows Firewall turned on, that will give you the NetBIOS name of the machine.

If none of those options work, it's time to start a manual inventory to find your problem child.
0
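An added example, not code from the thread or from any of the products named in it, showing the two checks valheru_m describes: aggregate outbound port-53 flows per internal source from firewall log lines to spot the host generating them, and list which of those flows a "DNS only to the ISP's resolvers" rule would have blocked. The log line format, the 192.168.1.0/24 internal network, and the resolver addresses are constructed assumptions; the NetVanta's real log syntax is not used.

```python
# Added example (not from the thread): simulate the two checks valheru_m describes.
# 1) which internal host is generating outbound UDP/53 traffic, and
# 2) which of those flows a policy that only allows DNS to authorized resolvers
#    (here the ISP's resolvers, constructed values) would block.
# The log line format is a constructed, generic one, not NetVanta's real syntax.
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample of stateful-firewall style entries: source, destination, proto/port.
# .80 is the mail server, .10 is an ordinary client that only talks to the ISP resolvers.
SAMPLE_LOG = """\
2008-10-01 09:12:01 allow 192.168.1.80:53121 -> 203.0.113.5:53 udp
2008-10-01 09:12:01 allow 192.168.1.80:53122 -> 198.51.100.77:53 udp
2008-10-01 09:12:02 allow 192.168.1.80:53123 -> 198.51.100.9:53 udp
2008-10-01 09:12:02 allow 192.168.1.80:53124 -> 203.0.113.200:53 udp
2008-10-01 09:12:03 allow 192.168.1.80:53125 -> 198.51.100.150:53 udp
2008-10-01 09:12:04 allow 192.168.1.10:50111 -> 192.0.2.10:53 udp
2008-10-01 09:12:05 allow 192.168.1.10:50112 -> 192.0.2.11:53 udp
2008-10-01 09:12:06 allow 192.168.1.25:41000 -> 198.51.100.9:80 tcp
"""

# Constructed: the ISP resolvers the firewall policy would authorize.
AUTHORIZED_RESOLVERS = [ip_network("192.0.2.10/32"), ip_network("192.0.2.11/32")]
INTERNAL_NET = ip_network("192.168.1.0/24")

LINE_RE = re.compile(
    r"(?P<ts>\S+ \S+) (?P<action>\w+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)"
)


def parse_flows(text):
    """Return one dict per parsable log line (unparsable lines are skipped)."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            flows.append(d)
    return flows


def outbound_dns_by_source(flows):
    """Map each internal source IP to the set of distinct outside port-53 destinations."""
    dests = defaultdict(set)
    for f in flows:
        src, dst = ip_address(f["src"]), ip_address(f["dst"])
        if f["dport"] == 53 and src in INTERNAL_NET and dst not in INTERNAL_NET:
            dests[f["src"]].add(f["dst"])
    return dests


def suspicious_sources(flows, threshold=3):
    """Hosts talking DNS to more distinct outside servers than a normal client would.

    A correctly configured client only ever asks the internal/ISP resolvers, so a
    fan-out to many unrelated servers is the pattern the ISP complained about."""
    by_src = outbound_dns_by_source(flows)
    return sorted(src for src, d in by_src.items() if len(d) >= threshold)


def policy_violations(flows):
    """Port-53 flows that a 'DNS only to authorized resolvers' rule would have dropped."""
    return [
        f for f in flows
        if f["dport"] == 53
        and not any(ip_address(f["dst"]) in net for net in AUTHORIZED_RESOLVERS)
    ]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG)
    print("hosts sending DNS to many different outside servers:", suspicious_sources(flows))
    for f in policy_violations(flows):
        print("would be blocked by the allow-list rule:", f["src"], "->", f["dst"])
```

Run it as a script to see the fan-out host and the flows the allow-list rule would stop; on a real log, replace `SAMPLE_LOG` and `LINE_RE` with the firewall's own format and set `AUTHORIZED_RESOLVERS` to the resolvers the internal DNS server forwards to.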
 
LVL 32

Expert Comment

by:harbor235
ID: 22614879


Any site should have outbound 53 requests if they are browsing the internet. Is there still a lot of traffic after Shareaza was disabled? There is no screen shot.

You said:
The other is I get multiple requests outbound on port 53 to many of these sites

What sites? You will get an outbound 53 for any browsing activity if it is not already cached.

Do you have Wireshark? Try to identify the source if it is a problem.

harbor235 ;}
0
 

Author Comment

by:jdwilliams1
ID: 22615320
The ISP said many of the outbound requests are going to overseas sites. The Shareaza port is 6436 or close, so I stopped that. I am just wondering if there is a bot hitting the Barracuda first, then - dest outbound on port 53 through the firewall. As for Wireshark, are you suggesting eliminating the Barracuda for a few minutes and listening on the NIC of the main server that is NATted?
0
 
LVL 32

Expert Comment

by:harbor235
ID: 22615582


Unless the Barracuda can provide that, you could also use nslookup: point to the destination IP and see if it can resolve hostnames. This way we can see if it is legitimate DNS traffic.

nslookup <enter>
>server x.x.x.x      (x.x.x.x is a destination IP of the outbound 53 request)
> google.com

see if it responds with valid Google IPs

harbor235 ;}
0
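An added example, not code from the thread, that does the check harbor235 suggests with nslookup on the wire by hand, so the reply can be inspected: build a DNS A query, send it to a candidate server, and judge the answer the way the thread does (real A records means a real resolver; NXDOMAIN for a known-good name, or no reply at all, means the destination is not a trustworthy DNS server). The function names, the `classify` wording and the two sample replies are constructed; `probe_dns_server` needs network access, while the parsing is exercised on the constructed replies.

```python
# Added example (not from the thread): the nslookup check done on the wire.
# build_query/parse_response are minimal RFC 1035 helpers; classify() mirrors the
# thread's interpretation of the result. Names and sample replies are constructed.
import socket
import struct


def build_query(name, txid=0x1234):
    """Minimal DNS query: header (RD set) + QNAME + QTYPE A (1) + QCLASS IN (1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _read_name(msg, off):
    """Read a possibly compressed name; return (name, offset after the name field)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    if not jumped:
        end = off
    return ".".join(labels), end


def parse_response(msg):
    """Return (rcode, list of A-record IPs) from a DNS response message."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    rcode, off, addrs = flags & 0xF, 12, []
    for _ in range(qd):                                # skip question section
        _, off = _read_name(msg, off)
        off += 4                                       # QTYPE + QCLASS
    for _ in range(an):                                # walk answer section
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return rcode, addrs


def classify(rcode, addrs):
    """The thread's interpretation: valid IPs for a known-good name => real resolver."""
    if rcode == 0 and addrs:
        return "looks like a real resolver"
    if rcode == 3:
        return "NXDOMAIN for a known-good name: not a trustworthy resolver"
    return "no usable answer: probably not a DNS server"


def probe_dns_server(server_ip, name="google.com", timeout=2.0):
    """Send the query over UDP/53 (needs network) and classify what comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name), (server_ip, 53))
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return "no response: probably not a DNS server"
    return classify(*parse_response(data))


# Constructed replies for offline use: one good A answer (using a name pointer to
# offset 12, as real servers do) and one NXDOMAIN, both echoing the question.
QUESTION = build_query("google.com")[12:]
GOOD_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION
              + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([203, 0, 113, 7]))
NXDOMAIN_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0) + QUESTION

if __name__ == "__main__":
    print(classify(*parse_response(GOOD_REPLY)))
    print(classify(*parse_response(NXDOMAIN_REPLY)))
```

Against a live suspect destination you would call `probe_dns_server("x.x.x.x")`; the "non-existent domain" result jdwilliams1 reported corresponds to the NXDOMAIN branch, which is why harbor235 reads it as the destination not being a legitimate DNS server.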
 
LVL 5

Expert Comment

by:valheru_m
ID: 22616291
Yes, your complete restriction of the Shareaza port solved that problem as far as your ISP is concerned.  That is why I suggested also restricting all DNS traffic to only a couple of authorized DNS servers.  This would prevent your ISP from seeing a bunch of DNS requests to oddball servers while still allowing your internal users to use internet services properly, since any correctly configured client should only be using your authorized DNS servers anyway.
0
 
LVL 32

Expert Comment

by:harbor235
ID: 22616428

I would not restrict DNS access to a few servers; being able to query other DNS servers is definitely used to troubleshoot DNS issues, and your more savvy internet users may have issues with that one. Also, if you restrict access to only a few servers there are no options in case of multiple failures. I understand why, but I think it would lead to additional problems. Web designers, your DNS folks, etc. would have issues. Your approved DNS servers may have corruption issues; there is no way to verify domain information from other DNS servers on the net. Be careful here, you may break more than you think.

harbor235 ;}
0
 
LVL 5

Expert Comment

by:valheru_m
ID: 22616623
Power users and administrators might need access to more than the standard set of DNS servers, agreed. But the standard end user will almost never even need to create DNS traffic through the firewall, as most secure environments have the workstations set up to request DNS from an internal server which then forwards the requests out to the appropriate DNS servers for domains it doesn't host.

For the power users, I create firewall rules that allow them extra access as needed on a case by case basis.  However, using any policy of "allow outbound unless specifically restricted" is asking for trouble.

I stand by my recommendation of restriction, and if you have certain users that need more access, then add them to a group of users or workstations with enhanced access based on that need.
0
 
LVL 32

Expert Comment

by:harbor235
ID: 22616711

I don't disagree, just trying to give a different perspective ;}  

valheru_m, wouldn't it be better if you were riding a Seadoo instead of working?  Good stuff though!

harbor235 ;}
0
 

Author Comment

by:jdwilliams1
ID: 22616872
My DNS server forwards to my ISP DNS servers. As for the nslookup, I only get non-existent domains.
0
 
LVL 32

Expert Comment

by:harbor235
ID: 22616933

So the destination is not a valid DNS server? If so, I would be concerned and lock it down as valheru_m states.

harbor235 ;}
0
 
LVL 5

Expert Comment

by:valheru_m
ID: 22616984
hehe.  Google is your friend?  ;)

While I wish I could be riding a Seadoo, my membership on Seadoo forums is the unfortunate result of a melted piston and a cracked block.  I won't be riding any time soon.
0
 
LVL 32

Expert Comment

by:harbor235
ID: 22617026

yeah, I love trying to see who I am talking to. I am a boater only I am on the Chesapeake Bay.  ;}

harbor235 ;}
0
 

Author Comment

by:jdwilliams1
ID: 22617123
Maybe I am a little confused. All of the internal NICs use the local DNS server for resolution. The Barracuda is only forwarded SMTP traffic. It also analyzes outbound SMTP traffic; the rest takes place at the firewall. Why is the Barracuda sending back out different ports, to dest port 53, then NAT at a different port? Sorry, I'm not an expert.
Thanks
0
 
LVL 5

Expert Comment

by:valheru_m
ID: 22617329
Are you sure it's the barracuda that is sending out the requests on 53?  Sounds to me more like you have a zombied windows box on your LAN that would be sending out requests like that.

Also, maybe I missed something, but what do you mean when you say NAT at a different port?
0
 

Author Comment

by:jdwilliams1
ID: 22617908
Ok, for the time being I eliminated the Barracuda and just have all email traffic routing through the server, then the firewall. If I look at the firewall logs, most traffic hits the email server IP, then the dest IP is anything with mainly a port 53 attached, then it lists the NAT address of the public.
0
 
LVL 5

Expert Comment

by:valheru_m
ID: 22618170
If I'm understanding you correctly, the firewall shows packets originating on the IP of your mail server with a seemingly random destination IP, mostly on port 53? If that is truly the case and you are reading your logs correctly, that's not good at all. Is your mail server a Windows box? It's possible that the mail server itself is compromised.

I hope that's not the case, but if it is you need to start looking at your backups. I don't want to get too far ahead of the situation though without confirming. It's hard to accurately determine at this point without analyzing some of the log. Can you sanitize a few lines of it and post them, or perhaps just send a copy to me offline?  You can use the email addy in my profile.
0
 

Author Comment

by:jdwilliams1
ID: 22618365
Which logs do you want: the firewall, server, or Domino? I am assuming firewall, correct?
0
 

Author Comment

by:jdwilliams1
ID: 22618594
I can give you the dump files from Wireshark on the server's NIC.
0
 
LVL 5

Expert Comment

by:valheru_m
ID: 22619054
I just want to see these mysterious DNS calls in the firewall log.
0
 

Author Comment

by:jdwilliams1
ID: 22626778
Here you go
CAPTURE1.TXT
0
 
LVL 5

Accepted Solution

by:
valheru_m earned 2000 total points
ID: 22633755
Yeah that's definitely odd.  Your server isn't providing an additional NAT for any of your client machines, is it? Other than the server being compromised or the server's IP being spoofed, that's the only other reason I can think of that would cause all of those requests to appear to originate from the server (I'm assuming the .80 address is the server?)

The log you sent doesn't have timestamps on the entries so I can't tell how often they happen, but I would find some after-hours time to take down the server and monitor the firewall logs while the server is off.  This will ensure that it really is the server and not some IP address spoofing client.  If the suspect traffic ceases when the server is off, you know the problem is the server.  If that's the case, make sure you have a good backup of anything important on the server, because it's time for a rebuild.

Also, when I requested a copy of your log, I asked you for a sanitized copy if you were going to post it publicly.  You'll want to see if you can remove that ASAP, as that log contains a lot of information that would be useful to someone interested in hacking into your network.
0