Solved

Problems with outbound 53

Posted on 2008-10-01
21
510 Views
Last Modified: 2013-11-30
My ISP keeps nagging me that there is a lot of traffic outbound via a few ports hitting SE Asia. One culprit I found was someone using Shareaza downloading. So that has been taken care of. The other is I get multiple requests outbound on port 53 to many of these sites. I use a Barracuda for all internal email, then Spam Sentinel as a backup, and a NetVanta firewall for the rest. The problem lies in the logs of the NetVanta.
I attached a screen shot. The Barracuda is the .80 and the NAT is obviously the firewall. Can someone tell me how to stop this or find out who internally has a worm or bot sending this out.
Thanks.
0
Question by:jdwilliams1
21 Comments
 
LVL 5

Expert Comment

by:valheru_m
ID: 22614422
Port 53 = DNS.  Something in your network is making a lot of DNS requests to the outside world.  I always configure my firewalls to only allow certain ports to access only the outside boxes they need, and DNS is a perfect example for this.  Configure a route in your firewall to only allow DNS traffic to one or two outside IP addresses, in this case your ISP's DNS servers.  This way, your firewall will not let any of that traffic pass outside of your internal network unless the requests are made specifically to the DNS servers you authorized. This won't solve your worm problem, but at least it will stop your ISP from seeing any of the traffic generated by it.

As for finding the worm, I don't see the screenshot you said you attached, but your firewall logs should show you the internal IP address that is generating the traffic. After you have the internal IP address it shouldn't be too difficult to find the box in question.  If your internal DNS is set up correctly you can do a reverse DNS lookup on that address. If you use DHCP on your network, you can check the DHCP lease tables to find the DNS name of the machine if you have dynamic updating set up. If those fail, you can try:

nbtstat -A ip.addy.of.machine

If the machine is a Windows machine and doesn't have Windows Firewall turned on, that will give you the NetBIOS name of the machine.

If none of those options work, it's time to start a manual inventory to find your problem child.
0
 
LVL 32

Expert Comment

by:harbor235
ID: 22614879


Any site should have outbound 53 requests if they are browsing the internet. Is there still a lot of traffic after Shareaza was disabled? There is no screen shot.

You said:
The other is I get multiple requests outbound on port 53 to many of these sites

What sites? You will get an outbound 53 for any browsing activity if it is not already cached.

Do you have Wireshark? Try to identify the source if it is a problem.

harbor235 ;}
0
 

Author Comment

by:jdwilliams1
ID: 22615320
The ISP said many of the outbound requests are going to overseas sites. The Shareaza port is 6436 or close, so I stopped that. I am just wondering if there is a bot hitting the Barracuda first, then dest outbound on port 53 through the firewall. As for Wireshark, are you suggesting eliminating the Barracuda for a few minutes and listening on the NIC of the main server that is NATted?
0
 
LVL 32

Expert Comment

by:harbor235
ID: 22615582


Unless the Barracuda can provide that, you could also use nslookup: point it to the destination IP and see if it can resolve hostnames. This way we can see if it is legitimate DNS traffic.

nslookup <enter>
>server x.x.x.x      (x.x.x.x is a destination IP of the outbound 53 request)
> google.com

See if it responds with valid Google IPs.

harbor235 ;}
0
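The nslookup check harbor235 describes, done programmatically so that every destination IP pulled from the firewall log can be tested in one pass with a short timeout. This is an added example, not code from the thread: it builds a minimal DNS A query in RFC 1035 wire format, sends it to the candidate resolver on UDP/53, and parses the reply by hand (including label compression) so the verdict does not depend on an external library. The embedded `SAMPLE_REPLY` is constructed, as are the addresses in it; `build_query`, `parse_response` and `classify` run offline, while `probe_resolver` needs network access to the IP you hand it.

```python
import random
import socket
import struct

QTYPE_A = 1
QCLASS_IN = 1


def build_query(name, txn_id):
    """Build a minimal recursive DNS query for an A record (RFC 1035 wire format)."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)  # flags: RD set
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def _read_name(msg, off):
    """Read a (possibly compressed) domain name; return (name, offset after it)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, pointer
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_response(msg, txn_id):
    """Return (rcode, [A-record addresses]) from a raw DNS reply."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txn_id:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is not a response")
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return flags & 0xF, addrs


def classify(rcode, addrs):
    """Turn a parsed reply into the verdict the nslookup check is after."""
    if rcode == 0 and addrs:
        return "answers like a real resolver"
    if rcode == 0:
        return "responds but returned no A records"
    return f"responds with error rcode {rcode}"


def probe_resolver(ip, name="google.com", timeout=2.0):
    """Send the query to ip:53 and classify the reply (needs network access)."""
    txn = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txn), (ip, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return "no reply on UDP/53 (not a resolver, or filtered)"
    return classify(*parse_response(data, txn))


# Constructed reply: id 0x1234, flags 0x8180 (response, RD, RA), one question,
# one answer whose name is a pointer to offset 12, A record 198.51.100.7, TTL 300.
SAMPLE_REPLY = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    b"\x06google\x03com\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xc6\x33\x64\x07"
)

if __name__ == "__main__":
    print(classify(*parse_response(SAMPLE_REPLY, 0x1234)))
```

A destination that times out or answers with an error for a well-known name is not a resolver anyone configured on purpose, which is exactly the case harbor235 says should make you lock things down.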
 
LVL 5

Expert Comment

by:valheru_m
ID: 22616291
Yes, your complete restriction of the Shareaza port solved that problem as far as your ISP is concerned.  That is why I suggested also restricting all DNS traffic to only a couple of authorized DNS servers.  This would prevent your ISP from seeing a bunch of DNS requests to oddball servers while still allowing your internal users to use internet services properly, since any correctly configured client should only be using your authorized DNS servers anyway.
0
 
LVL 32

Expert Comment

by:harbor235
ID: 22616428

I would not restrict DNS access to a few servers. Being able to query other DNS servers is definitely used to troubleshoot DNS issues; your more savvy internet users may have issues with that one. Also, if you restrict access to only a few servers there are no options in case of multiple failures. I understand why, but I think it would lead to additional problems. Web designers, your DNS folks, etc. would have issues. Your approved DNS servers may have corruption issues, and there is no way to verify domain information from other DNS servers on the net. Be careful here, you may break more than you think.

harbor235 ;}
0
 
LVL 5

Expert Comment

by:valheru_m
ID: 22616623
Power users and administrators might need access to more than the standard set of DNS servers, agreed. But the standard end user will almost never even need to create DNS traffic through the firewall, as most secure environments have the workstations set up to request DNS from an internal server which then forwards the requests out to the appropriate DNS servers for domains it doesn't host.

For the power users, I create firewall rules that allow them extra access as needed on a case by case basis.  However, using any policy of "allow outbound unless specifically restricted" is asking for trouble.

I stand by my recommendation of restriction, and if you have certain users that need more access, then add them to a group of users or workstations with enhanced access based on that need.
0
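Two pieces of this thread that a script makes concrete: valheru_m's first comment (use the firewall log to find the internal IP that generates the port-53 traffic) and his recommendation to allow DNS out only from the internal resolver to the ISP's resolvers. The example below is added here; it is not code from the thread and not a NetVanta feature. Because the real NetVanta log format is not shown on the page, the `SAMPLE_LOG` line format, every address in it, and the `INTERNAL_RESOLVER` / `ISP_RESOLVERS` values are constructed. It reduces the log to per-source counts and distinct destinations, flags hosts that should not be speaking DNS to the outside at all, and expresses the egress rule as a function you can replay over the same lines to see what the rule would drop before committing it to the firewall.

```python
import re

# Constructed policy: the one internal DNS server clients are supposed to use,
# and the ISP resolvers it forwards to (documentation-range placeholders).
INTERNAL_RESOLVER = "192.168.1.10"
ISP_RESOLVERS = {"203.0.113.1", "203.0.113.2"}

# Constructed firewall log excerpt in a generic key=value form. The ".80" host
# stands in for the mail server / Barracuda address discussed in the thread.
SAMPLE_LOG = """\
proto=udp src=192.168.1.10 dst=203.0.113.1 dport=53 nat=198.51.100.5:1025
proto=udp src=192.168.1.10 dst=203.0.113.2 dport=53 nat=198.51.100.5:1026
proto=udp src=192.168.1.80 dst=203.0.113.1 dport=53 nat=198.51.100.5:1027
proto=udp src=192.168.1.80 dst=192.0.2.11 dport=53 nat=198.51.100.5:1028
proto=udp src=192.168.1.80 dst=192.0.2.12 dport=53 nat=198.51.100.5:1029
proto=udp src=192.168.1.80 dst=192.0.2.13 dport=53 nat=198.51.100.5:1030
proto=udp src=192.168.1.80 dst=192.0.2.14 dport=53 nat=198.51.100.5:1031
proto=tcp src=192.168.1.55 dst=192.0.2.20 dport=80 nat=198.51.100.5:1032
proto=udp src=192.168.1.55 dst=192.0.2.21 dport=53 nat=198.51.100.5:1033
"""

LINE_RE = re.compile(
    r"proto=(?P<proto>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)"
)


def parse_flows(text):
    """Extract (proto, src, dst, dport) tuples; lines that do not match are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            flows.append((m["proto"], m["src"], m["dst"], int(m["dport"])))
    return flows


def dns_summary(flows):
    """Per internal source: outbound port-53 flow count, distinct destinations,
    and the subset of destinations that are not authorized resolvers."""
    summary = {}
    for _proto, src, dst, dport in flows:
        if dport != 53:
            continue
        entry = summary.setdefault(src, {"count": 0, "dests": set(), "unauthorized": set()})
        entry["count"] += 1
        entry["dests"].add(dst)
        if dst not in ISP_RESOLVERS:
            entry["unauthorized"].add(dst)
    return summary


def suspects(summary, min_unauthorized=2):
    """Hosts to go look at: anything other than the internal resolver talking DNS
    to the outside, or anything spraying queries at resolvers nobody authorized."""
    found = []
    for src, entry in summary.items():
        reasons = []
        if src != INTERNAL_RESOLVER:
            reasons.append("not the internal resolver")
        if len(entry["unauthorized"]) >= min_unauthorized:
            reasons.append(f"{len(entry['unauthorized'])} unauthorized destinations")
        if reasons:
            found.append((src, reasons))
    return sorted(found)


def allowed_by_policy(proto, src, dst, dport):
    """valheru_m's rule as a check: only the internal resolver may send DNS out,
    and only to the ISP resolvers. Non-DNS traffic is outside this rule's scope."""
    if dport != 53:
        return True
    return src == INTERNAL_RESOLVER and dst in ISP_RESOLVERS


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG)
    for src, reasons in suspects(dns_summary(flows)):
        print(f"{src}: {'; '.join(reasons)}")
    dropped = [f for f in flows if not allowed_by_policy(*f)]
    print(f"{len(dropped)} of {len(flows)} flows would be dropped by the DNS egress rule")
```

Run over a real export, the first list is the set of machines to physically go and look at; the second number tells you how much of the current traffic the egress rule would silence, which is also how much your ISP stops seeing.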
 
LVL 32

Expert Comment

by:harbor235
ID: 22616711

I don't disagree, just trying to give a different perspective ;}  

valheru_m, wouldn't it be better if you were riding a Seadoo instead of working?  Good stuff though!

harbor235 ;}
0
 

Author Comment

by:jdwilliams1
ID: 22616872
My DNS server forwards to my ISP DNS servers. As for the nslookup, I only get non-existent domains.
0
 
LVL 32

Expert Comment

by:harbor235
ID: 22616933

So the destination is not a valid DNS server? If so, I would be concerned and lock it down as valheru_m states.

harbor235 ;}
0
 
LVL 5

Expert Comment

by:valheru_m
ID: 22616984
hehe.  Google is your friend?  ;)

While I wish I could be riding a Seadoo, my membership on Seadoo forums is the unfortunate result of a melted piston and a cracked block.  I won't be riding any time soon.
0
 
LVL 32

Expert Comment

by:harbor235
ID: 22617026

yeah, I love trying to see who I am talking to. I am a boater only I am on the Chesapeake Bay.  ;}

harbor235 ;}
0
 

Author Comment

by:jdwilliams1
ID: 22617123
Maybe I am a little confused. All of the internal NICs use the local DNS server for resolution. The Barracuda is only forwarded SMTP traffic. It also analyzes outbound SMTP traffic; the rest takes place at the firewall. Why is the Barracuda sending back out on different ports, to dest port 53, then NAT at a different port? Sorry, I'm not an expert.
Thanks
0
 
LVL 5

Expert Comment

by:valheru_m
ID: 22617329
Are you sure it's the barracuda that is sending out the requests on 53?  Sounds to me more like you have a zombied windows box on your LAN that would be sending out requests like that.

Also, maybe I missed something, but what do you mean when you say NAT at a different port?
0
 

Author Comment

by:jdwilliams1
ID: 22617908
Ok, for the time being I eliminated the Barracuda and just have all email traffic routing through the server, then the firewall. If I look at the firewall logs, most traffic hits the email server IP, then the dest IP is anything, mainly with port 53 attached, then it lists the NAT address of the public.
0
 
LVL 5

Expert Comment

by:valheru_m
ID: 22618170
If I'm understanding you correctly, the firewall shows packets originating on the IP of your mail server with a seemingly random destination IP, mostly on port 53? If that is truly the case and you are reading your logs correctly, that's not good at all. Is your mail server a Windows box? It's possible that the mail server itself is compromised.

I hope that's not the case, but if it is you need to start looking at your backups. I don't want to get too far ahead of the situation though without confirming. It's hard to accurately determine at this point without analyzing some of the log. Can you sanitize a few lines of it and post them, or perhaps just send a copy to me offline?  You can use the email addy in my profile.
0
 

Author Comment

by:jdwilliams1
ID: 22618365
Which logs do you want: the firewall, server, or Domino? I am assuming firewall, correct?
0
 

Author Comment

by:jdwilliams1
ID: 22618594
I can give you the dump files from Wireshark on the server's NIC.
0
 
LVL 5

Expert Comment

by:valheru_m
ID: 22619054
I just want to see these mysterious DNS calls in the firewall log.
0
 

Author Comment

by:jdwilliams1
ID: 22626778
Here you go
CAPTURE1.TXT
0
 
LVL 5

Accepted Solution

by:
valheru_m earned 500 total points
ID: 22633755
Yeah that's definitely odd.  Your server isn't providing an additional NAT for any of your client machines, is it? Other than the server being compromised or the server's IP being spoofed, that's the only other reason I can think of that would cause all of those requests to appear to originate from the server (I'm assuming the .80 address is the server?)

The log you sent doesn't have timestamps on the entries so I can't tell how often they happen, but I would find some after hours time to take down the server and monitor the firewall logs while the server is off.  This will ensure that it really is the server and not some IP address spoofing client.  If the suspect traffic ceases when the server is off, you know the problem is the server.  If that's the case, make sure you have a good backup of anything important on the server, cause it's time for a rebuild.

Also, when I requested a copy of your log, I asked you for a sanitized copy if you were going to post it publicly.  You'll want to see if you can remove that ASAP, as that log contains a lot of information that would be useful to someone interested in hacking into your network.
0