Problems with outbound 53

My ISP keeps nagging me that there is a lot of traffic outbound via a few ports hitting SE Asia. One culprit I found was someone using Shareaza for downloading. So that has been taken care of. The other is I get multiple requests outbound on port 53 to many of these sites. I use a Barracuda for all internal email, then Spam Sentinel as a backup, and a NetVanta firewall for the rest. The problem lies in the logs of the NetVanta.
I attached a screen shot. The Barracuda is the .80 and the NAT is obviously the firewall. Can someone tell me how to stop this or find out who internal has a worm or bot sending this out?
Thanks.
jdwilliams1 Asked:

valheru_m Commented:
Yeah that's definitely odd.  Your server isn't providing an additional NAT for any of your client machines, is it? Other than the server being compromised or the server's IP being spoofed, that's the only other reason I can think of that would cause all of those requests to appear to originate from the server (I'm assuming the .80 address is the server?)

The log you sent doesn't have timestamps on the entries so I can't tell how often they happen, but I would find some after-hours time to take down the server and monitor the firewall logs while the server is off.  This will ensure that it really is the server and not some IP address spoofing client.  If the suspect traffic ceases when the server is off, you know the problem is the server.  If that's the case, make sure you have a good backup of anything important on the server, because it's time for a rebuild.

Also, when I requested a copy of your log, I asked you for a sanitized copy if you were going to post it publicly.  You'll want to see if you can remove that ASAP, as that log contains a lot of information that would be useful to someone interested in hacking into your network.
0
 
valheru_m Commented:
Port 53 = DNS.  Something in your network is making a lot of DNS requests to the outside world.  I always configure my firewalls to only allow certain ports to access only the outside boxes they need, and DNS is a perfect example for this.  Configure a rule in your firewall to only allow DNS traffic to one or two outside IP addresses, in this case your ISP's DNS servers.  This way, your firewall will not let any of that traffic pass outside of your internal network unless the requests are made specifically to the DNS servers you authorized. This won't solve your worm problem, but at least it will stop your ISP from seeing any of the traffic generated by it.

As for finding the worm, I don't see the screenshot you said you attached, but your firewall logs should show you the internal IP address that is generating the traffic. After you have the internal IP address it shouldn't be too difficult to find the box in question.  If your internal DNS is set up correctly you can do a reverse DNS lookup on that address. If you use DHCP on your network, you can check the DHCP lease tables to find the DNS name of the machine if you have dynamic updating set up. If those fail, you can try:

nbtstat -A ip.addy.of.machine

If the machine is a Windows machine and doesn't have Windows Firewall turned on, that will give you the NetBIOS name of the machine.

If none of those options work, it's time to start a manual inventory to find your problem child.
0
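The two steps this answer describes, pulling the internal source of the port-53 traffic out of the firewall log and comparing each destination against the short list of resolvers the firewall should allow, can be scripted. The following is an added example, not code from anyone in this thread or from the NetVanta product. It assumes a generic `src= dst= proto= dport=` log line format (the regex will need adapting to the real firewall output), a placeholder set of authorised resolvers (192.0.2.10 and .11, documentation addresses), and the RFC 1918 ranges as the internal side; the sample log lines are constructed.

```python
"""Triage outbound port-53 traffic from firewall log lines (added example).

Assumptions: log lines look like 'src=A dst=B proto=P dport=N' (adjust LINE_RE
for the real firewall format), AUTHORIZED_RESOLVERS holds the resolvers the
firewall is meant to allow, and RFC 1918 ranges are the internal network.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Placeholder resolver addresses (documentation range), not real servers.
AUTHORIZED_RESOLVERS = {"192.0.2.10", "192.0.2.11"}
INTERNAL_NETS = [ip_network("10.0.0.0/8"),
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

LINE_RE = re.compile(
    r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+proto=(?P<proto>\w+)\s+dport=(?P<dport>\d+)"
)

# Constructed sample: .80 is the mail relay, .25 a normal client, .42 one odd lookup.
CONSTRUCTED_LOG = """\
src=192.168.1.80 dst=192.0.2.10 proto=udp dport=53
src=192.168.1.80 dst=198.51.100.7 proto=udp dport=53
src=192.168.1.80 dst=198.51.100.8 proto=udp dport=53
src=192.168.1.80 dst=203.0.113.9 proto=udp dport=53
src=192.168.1.80 dst=198.51.100.7 proto=udp dport=53
src=192.168.1.25 dst=192.0.2.10 proto=udp dport=53
src=192.168.1.25 dst=93.184.216.34 proto=tcp dport=80
src=192.168.1.42 dst=198.51.100.7 proto=udp dport=53
"""


def parse_lines(text):
    """Yield (src, dst, proto, dport) for every line the regex matches."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("dst"), m.group("proto"), int(m.group("dport"))


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def triage(text, authorized=AUTHORIZED_RESOLVERS):
    """Per internal source: total outbound DNS, how many went to resolvers that
    are not authorised, and how many distinct unauthorised destinations."""
    stats = defaultdict(lambda: {"total": 0, "unauthorized": 0, "dsts": set()})
    for src, dst, _proto, dport in parse_lines(text):
        if dport != 53 or not is_internal(src) or is_internal(dst):
            continue  # only internal -> external port 53 is of interest here
        s = stats[src]
        s["total"] += 1
        if dst not in authorized:
            s["unauthorized"] += 1
            s["dsts"].add(dst)
    return {src: {"total": s["total"], "unauthorized": s["unauthorized"],
                  "distinct_dst": len(s["dsts"])} for src, s in stats.items()}


def rank_suspects(text, authorized=AUTHORIZED_RESOLVERS):
    """Sources ordered so the box with the most unauthorised lookups, and the
    most distinct odd destinations, comes first: that is the one to inventory."""
    t = triage(text, authorized)
    return sorted(t.items(),
                  key=lambda kv: (kv[1]["unauthorized"], kv[1]["distinct_dst"]),
                  reverse=True)


if __name__ == "__main__":
    for src, s in rank_suspects(CONSTRUCTED_LOG):
        print(f"{src}: {s['total']} outbound DNS, {s['unauthorized']} to "
              f"unauthorized resolvers ({s['distinct_dst']} distinct)")
```

Once the rule restricting port 53 to the authorised resolvers is in place, the same script run over the firewall's deny log shows which internal host keeps trying to reach other resolvers, which is the machine to pull off the network and inventory.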
 
harbor235 Commented:

Any site should have outbound 53 requests if they are browsing the internet. Is there still a lot of traffic after Shareaza was disabled? There is no screen shot.

You said:
The other is I get multiple reuqests outbound on port 53 to many of these sites

What sites? You will get an outbound 53 for any browsing activity if it is not already cached.

Do you have Wireshark? Try to identify the source if it is a problem.

harbor235 ;}
0
jdwilliams1 Author Commented:
The ISP said many of the outbound requests are going to overseas sites. The Shareaza port is 6436 or close, so I stopped that. I am just wondering if there is a bot hitting the Barracuda first, then dest outbound on port 53 through the firewall. As for Wireshark, are you suggesting eliminating the Barracuda for a few minutes and listening on the NIC of the main server that is NATted?
0
 
harbor235 Commented:

Unless the Barracuda can provide that, you could also use nslookup: point to the destination IP and see if it can resolve hostnames. This way we can see if it is legitimate DNS traffic.

nslookup <enter>
>server x.x.x.x      (x.x.x.x is a destination IP of the outbound 53 request)
> google.com

See if it responds with valid Google IPs.

harbor235 ;}
0
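The nslookup check above can be done programmatically, which is handy when the log lists dozens of destination IPs: send one A query for google.com to each destination and see whether anything answers like a real resolver. This is an added example, not code from harbor235 or the thread; it uses only the Python standard library, handles the single-A-record, compressed-name reply shape, and treats a wrong transaction id, a non-response, or an error RCODE (NXDOMAIN, REFUSED) as "not a usable resolver". The embedded reply bytes are constructed to show what a real answer looks like; `looks_like_resolver` is the only part that touches the network.

```python
"""Check whether a destination IP behaves as a DNS resolver (added example).

Standard library only. A plain A query for a well-known name is sent over
UDP/53; the reply is parsed for A records. Parsing covers what is needed for
this check (question skip, compression pointers, A records) and nothing more.
"""
import socket
import struct


def build_query(name, txid=0x1234):
    """DNS header (QR=0, RD=1, one question) + QNAME + QTYPE A + QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode()
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _skip_name(data, offset):
    """Advance past a (possibly compressed) name; return offset after it."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes end the name
            return offset + 2
        offset += 1 + length


def parse_a_records(data, txid=0x1234):
    """Return the answer section's IPv4 addresses, or None if the reply is not
    a clean response to our query (wrong id, not a response, error RCODE)."""
    if len(data) < 12:
        return None
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:   # id mismatch or QR bit not set
        return None
    if flags & 0x000F != 0:                 # RCODE != NOERROR
        return None
    offset = 12
    for _ in range(qd):                      # skip the echoed question(s)
        offset = _skip_name(data, offset) + 4
    ips = []
    for _ in range(an):
        offset = _skip_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(data[offset:offset + 4]))
        offset += rdlen                      # skip CNAME/other rdata as well
    return ips


def looks_like_resolver(server_ip, name="google.com", timeout=3.0):
    """Network check: query server_ip on UDP/53; answer IPs, or None."""
    txid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name, txid), (server_ip, 53))
            data, _addr = s.recvfrom(512)
        except (socket.timeout, OSError):
            return None
    return parse_a_records(data, txid)


# Constructed reply: flags 0x8180 (response, RD, RA, NOERROR), one A record
# 203.0.113.5 (documentation address), name given as a pointer to offset 12.
CONSTRUCTED_REPLY = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x06google\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton("203.0.113.5")
)

if __name__ == "__main__":
    print("constructed reply parses to", parse_a_records(CONSTRUCTED_REPLY))
    # Real use: for each destination IP from the firewall log, e.g.
    #   print(ip, looks_like_resolver(ip))
    # A destination that never answers, or answers only NXDOMAIN for
    # google.com, is not a resolver anybody's client should be talking to.
```

A destination that returns None for google.com is the case jdwilliams1 later reports ("I only get non-existent domains"), and is the outcome that argues for locking port 53 down to the authorised resolvers.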
 
valheru_m Commented:
Yes, your complete restriction of the Shareaza port solved that problem as far as your ISP is concerned.  That is why I suggested also restricting all DNS traffic to only a couple of authorized DNS servers.  This would prevent your ISP from seeing a bunch of DNS requests to oddball servers while still allowing your internal users to use internet services properly, since any correctly configured client should only be using your authorized DNS servers anyway.
0
 
harbor235 Commented:

I would not restrict DNS access to a few servers. Being able to query other DNS servers is definitely used to troubleshoot DNS issues; your more savvy internet users may have issues with that one. Also,
if you restrict access to only a few servers there are no options in case of multiple failures. I understand why, but I think it would lead to additional problems. Web designers, your DNS folks, etc. would have issues. Your approved DNS servers may have corruption issues; there is no way to verify domain information from other DNS servers on the net. Be careful here, you may break more than you think.

harbor235 ;}
0
 
valheru_m Commented:
Power users and administrators might need access to more than the standard set of DNS servers, agreed. But the standard end user will almost never even need to create DNS traffic through the firewall, as most secure environments have the workstations set up to request DNS from an internal server which then forwards the requests out to the appropriate DNS servers for domains it doesn't host.

For the power users, I create firewall rules that allow them extra access as needed on a case by case basis.  However, using any policy of "allow outbound unless specifically restricted" is asking for trouble.

I stand by my recommendation of restriction, and if you have certain users that need more access, then add them to a group of users or workstations with enhanced access based on that need.
0
 
harbor235 Commented:

I don't disagree, just trying to give a different perspective ;}  

valheru_m, wouldn't it be better if you were riding a Sea-Doo instead of working?  Good stuff though!

harbor235 ;}
0
 
jdwilliams1 Author Commented:
My DNS server forwards to my ISP DNS servers. As for the nslookup, I only get non-existent domains.
0
 
harbor235 Commented:

So the destination is not a valid DNS server? If so, I would be concerned and lock it down as valheru_m
states.

harbor235 ;}
0
 
valheru_m Commented:
hehe.  Google is your friend?  ;)

While I wish I could be riding a Sea-Doo, my membership on Sea-Doo forums is the unfortunate result of a melted piston and a cracked block.  I won't be riding any time soon.
0
 
harbor235 Commented:

Yeah, I love trying to see who I am talking to. I am a boater only; I am on the Chesapeake Bay.  ;}

harbor235 ;}
0
 
jdwilliams1 Author Commented:
Maybe I am a little confused. All of the internal NICs use the local DNS server for resolution. The Barracuda is only forwarded SMTP traffic. It also analyzes outbound SMTP traffic; the rest takes place at the firewall. Why is the Barracuda sending back out on different ports, to dest port 53, then NAT at a different port? Sorry, I'm not an expert.
Thanks
0
 
valheru_m Commented:
Are you sure it's the barracuda that is sending out the requests on 53?  Sounds to me more like you have a zombied windows box on your LAN that would be sending out requests like that.

Also, maybe I missed something, but what do you mean when you say NAT at a different port?
0
 
jdwilliams1 Author Commented:
OK, for the time being I eliminated the Barracuda and just have all email traffic routing through the server,
then the firewall. If I look at the firewall logs, most traffic hits the email server IP, then the dest IP is anything, mainly with port 53 attached, then it lists the public NAT address.
0
 
valheru_m Commented:
If I'm understanding you correctly, the firewall shows packets originating on the IP of your mail server with a seemingly random destination IP, mostly on port 53? If that is truly the case and you are reading your logs correctly, that's not good at all. Is your mail server a Windows box? It's possible that the mail server itself is compromised.

I hope that's not the case, but if it is you need to start looking at your backups. I don't want to get too far ahead of the situation though without confirming. It's hard to accurately determine at this point without analyzing some of the log. Can you sanitize a few lines of it and post them, or perhaps just send a copy to me offline?  You can use the email addy in my profile.
0
 
jdwilliams1 Author Commented:
Which logs do you want: the firewall, server, or Domino? I am assuming firewall, correct?
0
 
jdwilliams1 Author Commented:
I can give you the dump files from Wireshark on the server's NIC.
0
 
valheru_m Commented:
I just want to see these mysterious DNS calls in the firewall log.
0
 
jdwilliams1 Author Commented:
Here you go
CAPTURE1.TXT
0