  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1519
  • Last Modified:

UDP FLOOD warnings suddenly appearing in Netgear router logs

Good evening all

I'm suddenly getting emails from my Netgear FVX538 security router that seem to be reporting UDP flooding on port 53 originating from my 2003 SBS server; port 53, if I remember correctly, is the one used by DNS.

I attach a portion of the router log file, the netstat -ano output for this activity that indicates that dns.exe (PID 1648) is generating the traffic, and a procmon log giving some path information for the transmitted UDP packets. I've substituted my.server for the actual server name.

My question is twofold, really - how do I interpret these logs, and how should I go about determining the cause?

I'm rather concerned that something bad is happening, particularly as my mail server is starting to appear on RBLs.

I've run a virus scan on the server with Eset's mail server product, and it came up clean.

Any help would be much appreciated. procmon.txt netstat-output.txt FVX538-log.txt
0
Perarduaadastra
Asked:
Perarduaadastra
1 Solution
 
Benjamin MOREAU (Project Manager) commented:
I think you don't have to worry. Your SBS server is the DNS server for all your client computers. So, each time a computer makes a request on the internet, this computer needs to resolve some DNS host; the computer asks your SBS server... and your SBS server asks the root DNS servers on the internet. So, it's normal that your SBS makes a lot of DNS requests on the internet (you can consider that SBS is a DNS relay for your LAN computers).
0
 
Perarduaadastra (Author) commented:
I'm worrying because this behaviour is unusual. Most commonly the routine 8-hourly status email says No Data Available, or reports two or three events. I haven't seen what the router calls a Rotated Security Log before, and the name suggests that the log has been filled to capacity. These rotated logs are arriving frequently too - less than an hour between some of them.

This Netgear FVX538 router has been deployed for more than two years, and this is the first time that I've seen such activity. Also, I don't want my mail server appearing on RBLs and it's on three of them already...
0
 
rochey2009 commented:
Hi,

Try using wireshark to capture the traffic to see what DNS requests are being made and see if there are any that look out of place.
0
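As an added illustration of the triage rochey2009 suggests (this is example code written for this page, not anything the poster or rochey2009 supplied), the script below parses raw DNS query payloads the way they would come out of a capture, tallies them by base domain, measures the peak query rate per second, and flags two patterns worth looking at in a suspected flood: many distinct names under one domain, and long first labels with high character entropy (both typical of machine-generated lookups rather than users browsing). The capture it runs on is constructed inline: a few ordinary lookups plus a burst of 40 queries for random-looking subdomains of example.net, which is a reserved placeholder and not a domain from the poster's trace. The IP addresses, the thresholds, and the two-label "base domain" simplification are all assumptions chosen for the example.

```python
"""Triage of DNS queries from a packet capture: parse UDP/53 payloads,
tally by base domain, find the peak rate and flag machine-looking names.
All sample traffic below is constructed; nothing comes from the poster's logs."""
import math
import struct
from collections import Counter, defaultdict

# Assumed addresses: the server (stand-in for the poster's 192.168.x.2)
# and an upstream resolver on a TEST-NET-2 documentation address.
SERVER, UPSTREAM = "192.168.0.2", "198.51.100.53"


def parse_qname(payload: bytes, offset: int):
    """Decode a DNS name starting at offset; returns (name, next_offset).
    Follows RFC 1035 compression pointers so it also works on answer sections."""
    labels, jumped, end, hops = [], False, offset, 0
    while True:
        length = payload[offset]
        if length & 0xC0 == 0xC0:                    # compression pointer
            if not jumped:
                end = offset + 2
            offset = ((length & 0x3F) << 8) | payload[offset + 1]
            jumped, hops = True, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        if length == 0:                              # root label ends the name
            if not jumped:
                end = offset + 1
            break
        labels.append(payload[offset + 1:offset + 1 + length].decode("ascii", "replace"))
        offset += 1 + length
    return ".".join(labels).lower(), end


def parse_query(payload: bytes):
    """Return (txid, qname, qtype, is_response) for a message's first question."""
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if qdcount < 1:
        return None
    name, off = parse_qname(payload, 12)             # question follows the 12-byte header
    (qtype,) = struct.unpack("!H", payload[off:off + 2])
    return txid, name, qtype, bool(flags & 0x8000)   # QR bit set means a response


def build_message(txid, name, qtype=1, flags=0x0100):
    """Constructed helper: encode a one-question DNS message without compression."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)


def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character; random 16-char labels sit near 4.0."""
    counts, n = Counter(label), len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def base_domain(name: str) -> str:
    """Assumed simplification: last two labels (wrong for co.uk-style suffixes)."""
    parts = name.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else name


def triage(packets, min_subnames=5, entropy_threshold=3.5, min_label_len=12):
    """packets: iterable of (ts_seconds, src_ip, dst_ip, udp_payload).
    Only client queries (QR=0) are counted; malformed payloads are skipped."""
    per_domain, names_under, per_second, high_entropy = Counter(), defaultdict(set), Counter(), set()
    for ts, _src, _dst, payload in packets:
        try:
            _txid, name, _qtype, is_response = parse_query(payload)
        except (ValueError, IndexError, struct.error, TypeError):
            continue
        if is_response:
            continue
        bd = base_domain(name)
        per_domain[bd] += 1
        names_under[bd].add(name)
        per_second[int(ts)] += 1
        first = name.split(".")[0]
        if len(first) >= min_label_len and label_entropy(first) >= entropy_threshold:
            high_entropy.add(name)
    return {
        "queries": sum(per_domain.values()),
        "top": per_domain.most_common(3),
        "peak_per_second": max(per_second.values(), default=0),
        "many_subnames": sorted(d for d, s in names_under.items() if len(s) >= min_subnames),
        "high_entropy": sorted(high_entropy),
    }


def sample_capture():
    """Constructed stand-in for a short capture: four ordinary lookups, one
    response, then 40 queries for random-looking subdomains of example.net."""
    pkts = []
    for i, name in enumerate(["www.microsoft.com", "update.microsoft.com",
                              "www.google.com", "mail.example.org"]):
        pkts.append((float(i), SERVER, UPSTREAM, build_message(0x1000 + i, name)))
    pkts.append((0.2, UPSTREAM, SERVER, build_message(0x1000, "www.microsoft.com", flags=0x8180)))
    labels = ["a1b2c3d4e5f6g7h8", "k3j9x0qz7m2v5p8w", "q9w8e7r6t5y4u3i2",
              "z0x9c8v7b6n5m4l3", "p1o2i3u4y5t6r7e8"]
    for k in range(40):
        pkts.append((10 + k / 10, SERVER, UPSTREAM,
                     build_message(0x2000 + k, f"{labels[k % 5]}.example.net")))
    return pkts


if __name__ == "__main__":
    for key, value in triage(sample_capture()).items():
        print(f"{key}: {value}")
```

On a real trace the interesting output is the "top" list (domains you have never knowingly contacted, as the poster describes) together with the peak rate; a resolver forwarding for a handful of LAN users will not sustain tens of queries per second for one domain, and the "many_subnames" and "high_entropy" lists separate genuine browsing from lookups generated by software. Feeding the script from a pcap rather than constructed packets needs a reader such as scapy or dpkt to hand it the UDP payloads, which is left out here to keep the example self-contained.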
 
Perarduaadastra (Author) commented:
Here's a 20-second pcap from Wireshark version 1.4.2, taken on my server this morning at about 7.45am (UK time), and it certainly isn't what I would expect, though I must confess that I'm not sure what is normal.
However, the domains listed in the trace aren't any that I've ever knowingly had any contact with, so my feeling is that there is something running on the server that doesn't have my best interests at heart.

The 192.168.x.2 address is the server, and the 192.168.x.252 is the FVX538 router.

I've had eight Rotated Logs between midnight and 8am this morning UK time.

How can I discover what is generating this traffic?
0
 
Perarduaadastra (Author) commented:
Oops, here's the trace...

Pcap isn't an accepted file type, so I've saved it as a K12 text file. server-pcap-745am.txt
0
 
Benjamin MOREAU (Project Manager) commented:
First, check if your mail server is not Open Relay : http://www.aupads.org/test-relay.html
0
 
Perarduaadastra (Author) commented:
This is the first thing I checked, using the DNSStuff tool. I've used the link you've provided as well, and my server passed both tests.

However, I've done a bit more digging, as I suspected a rootkit might be the cause due to the complete lack of other symptoms and processes detectable by the usual methods.

I've run Gmer's rootkit detector on the server, and it has detected a hidden service running, implicating sbscrexe.exe; as far as I know this file is normally part of the licensing service on the server, so it appears to have been compromised somehow. The file itself passes a virus check, so presumably the rootkit presents the original file to the scanning engine.

The next question is, how do I remove this infection without breaking my server?
0
 
Perarduaadastra (Author) commented:
Hmmm.... I may have been a little premature in my rootkit assumption, at least as far as sbscrexe.exe is concerned - I've just run Gmer on another SBS 2003 server that is running without problems, and it's found exactly the same thing on that one.

Back to the drawing board...
0
 
Perarduaadastra (Author) commented:
I've addressed the symptom by blocking outbound UDP traffic on port 53 at the FVX538 firewall, but I'm still no closer to discovering what is causing this behaviour.

I've used Process Monitor and Process Explorer by Sysinternals to try and discover what's going on, but to no avail.

Any other suggestions?
0
 
Perarduaadastra (Author) commented:
Well, mysteriously, the problem seems to have gone away, leaving no clue as to its origin.

I've also unblocked outbound UDP traffic again, with no issues.

I will monitor the situation for the next day or three, and if there is no recurrence of the UDP flooding I will close the question.
0
 
Perarduaadastra (Author) commented:
Essentially, the problem has vanished as mysteriously as it arrived, leaving me none the wiser.

Unfortunately none of the suggestions shed any light on the problem; in particular, there was no comment on any of the logs or traces that I submitted.

There has been no input from anyone apart from me for some weeks, so it's time to close the question.
0
