Solved

UDP FLOOD warnings suddenly appearing in Netgear router logs

Posted on 2011-09-21
Last Modified: 2012-05-12
Good evening all

I'm suddenly getting emails from my Netgear FVX538 security router that seem to be reporting UDP flooding on port 53 originating from my 2003 SBS server; port 53, if I remember correctly, is the one used by DNS.

I attach a portion of the router log file, the netstat -ano output for this activity that indicates that dns.exe (PID 1648) is generating the traffic, and a procmon log giving some path information for the transmitted UDP packets. I've substituted my.server for the actual server name.

My question is twofold, really - how do I interpret these logs, and how should I go about determining the cause?

I'm rather concerned that something bad is happening, particularly as my mail server is starting to appear on RBLs.

I've run a virus scan on the server with Eset's mail server product, and it came up clean.

Any help would be much appreciated.

Attachments: procmon.txt, netstat-output.txt, FVX538-log.txt
Question by:Perarduaadastra
11 Comments
 
LVL 9

Expert Comment

by:Benjamin MOREAU
ID: 36576587
I think you don't have to worry. Your SBS Server is the DNS Server for all your client Computers. So, each time a computer does a request on the internet, this computer needs to resolve some DNS host; the computer asks your SBS Server... and your SBS Server asks the ROOT DNS Server on the internet. So, it's normal that your SBS runs a lot of DNS requests on the internet (you can consider that SBS is a DNS Relay for your LAN Computers.)
0
 
LVL 15

Author Comment

by:Perarduaadastra
ID: 36576791
I'm worrying because this behaviour is unusual. Most commonly the routine 8-hourly status email says No Data Available, or reports two or three events. I haven't seen what the router calls a Rotated Security Log before, and the name suggests that the log has been filled to capacity. These rotated logs are arriving frequently too - less than an hour between some of them.

This Netgear FVX538 router has been deployed for more than two years, and this is the first time that I've seen such activity. Also, I don't want my mail server appearing on RBLs and it's on three of them already...
0
 
LVL 17

Expert Comment

by:rochey2009
ID: 36577164
Hi,

Try using wireshark to capture the traffic to see what DNS requests are being made and see if there are any that look out of place.
0
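As an added worked example (not from the thread or any of its participants), one way to act on this suggestion: export the server's outbound DNS queries from the capture with tshark and triage them for per-second rate, the resolvers being used, and domains with an unusually large number of distinct names under them. The tshark field export, the 192.168.1.2 and 203.0.113.53 addresses, the query names and the thresholds are all assumptions constructed for the example.

```python
# Added example (not from the thread): triage outbound DNS queries exported with
#   tshark -r server.pcap -Y "dns.flags.response == 0" -T fields \
#     -e frame.time_epoch -e ip.src -e ip.dst -e dns.qry.name
# Rows are tab-separated; all addresses and names below are constructed.
from collections import Counter, defaultdict
from typing import NamedTuple

class Query(NamedTuple):
    ts: float
    src: str
    dst: str
    qname: str

def parse_tshark_fields(text):
    """Parse 'frame.time_epoch<TAB>ip.src<TAB>ip.dst<TAB>dns.qry.name' rows."""
    queries = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 4 or not parts[3]:
            continue  # blank row, or a packet without a query name
        queries.append(Query(float(parts[0]), parts[1], parts[2], parts[3].lower().rstrip(".")))
    return queries

def registered_domain(qname):
    """Last two labels; a rough stand-in for a public-suffix lookup."""
    return ".".join(qname.split(".")[-2:])

def triage(queries, rate_threshold=50, subdomain_threshold=20):
    """Per-second rate, resolvers used, busiest domains, and domains with many distinct names."""
    per_second = Counter(int(q.ts) for q in queries)
    names_under = defaultdict(set)
    for q in queries:
        names_under[registered_domain(q.qname)].add(q.qname)
    return {
        "peak_qps": max(per_second.values(), default=0),
        "busy_seconds": sorted(s for s, n in per_second.items() if n >= rate_threshold),
        "resolvers": Counter(q.dst for q in queries),
        "top_domains": Counter(registered_domain(q.qname) for q in queries).most_common(5),
        "many_subdomains": sorted(d for d, s in names_under.items() if len(s) >= subdomain_threshold),
    }

# Constructed sample: 192.168.1.2 stands in for the server, 203.0.113.53 for the upstream resolver.
_NORMAL = [
    "1316591100.10\t192.168.1.2\t203.0.113.53\tmail.example.com",
    "1316591100.40\t192.168.1.2\t203.0.113.53\twww.example.org",
    "1316591101.20\t192.168.1.2\t203.0.113.53\tupdate.example.com",
]
# A burst of 60 queries in one second, each for a different label under one domain.
_BURST = [f"1316591103.{i:03d}\t192.168.1.2\t203.0.113.53\tq{i:02d}.example.net" for i in range(60)]
SAMPLE = "\n".join(_NORMAL + _BURST)
```

Call `triage(parse_tshark_fields(SAMPLE))` to see the burst surface as the peak second and as the one domain with many distinct names; the thresholds are arbitrary starting points, not the FVX538's own flood threshold.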
 
LVL 15

Author Comment

by:Perarduaadastra
ID: 36578735
Here's a 20-second pcap from Wireshark version 1.4.2, taken on my server this morning at about 7.45am (UK time), and it certainly isn't what I would expect, though I must confess that I'm not sure what is normal.
However, the domains listed in the trace aren't any that I've ever knowingly had any contact with, so my feeling is that there is something running on the server that doesn't have my best interests at heart.

The 192.168.x.2 address is the server, and the 192.168.x.252 is the FVX538 router.

I've had eight Rotated Logs between midnight and 8am this morning UK time.

How can I discover what is generating this traffic?
0
 
LVL 15

Author Comment

by:Perarduaadastra
ID: 36578749
Oops, here's the trace...

Pcap isn't an accepted file type, so I've saved it as a K12 text file. server-pcap-745am.txt
0
 
LVL 9

Expert Comment

by:Benjamin MOREAU
ID: 36579338
First, check that your mail server is not an Open Relay: http://www.aupads.org/test-relay.html
0
 
LVL 15

Author Comment

by:Perarduaadastra
ID: 36579485
This is the first thing I checked, using the DNSStuff tool. I've used the link you've provided as well, and my server passed both tests.

However, I've done a bit more digging, as I suspected a rootkit might be the cause due to the complete lack of other symptoms and processes detectable by the usual methods.

I've run Gmer's rootkit detector on the server, and it has detected a hidden service running, implicating sbscrexe.exe; as far as I know this file is normally part of the licensing service on the server, so it appears to have been compromised somehow. The file itself passes a virus check, so presumably the rootkit presents the original file to the scanning engine.

The next question is, how do I remove this infection without breaking my server?
0
 
LVL 15

Author Comment

by:Perarduaadastra
ID: 36579746
Hmmm.... I may have been a little premature in my rootkit assumption, at least as far as sbscrexe.exe is concerned - I've just run Gmer on another SBS 2003 server that is running without problems, and it's found exactly the same thing on that one.

Back to the drawing board...
0
 
LVL 15

Author Comment

by:Perarduaadastra
ID: 36586252
I've addressed the symptom by blocking outbound UDP traffic on port 53 at the FVX538 firewall, but I'm still no closer to discovering what is causing this behaviour.

I've used Process Monitor and Process Explorer by Sysinternals to try and discover what's going on, but to no avail.

Any other suggestions?
0
 
LVL 15

Accepted Solution

by:Perarduaadastra (earned 0 total points)
ID: 36709461
Well, mysteriously, the problem seems to have gone away, leaving no clue as to its origin.

I've also unblocked outbound UDP traffic again, with no issues.

I will monitor the situation for the next day or three, and if there is no recurrence of the UDP flooding I will close the question.
0
 
LVL 15

Author Closing Comment

by:Perarduaadastra
ID: 36954224
Essentially, the problem has vanished as mysteriously as it arrived, leaving me none the wiser.

Unfortunately none of the suggestions shed any light on the problem; in particular, there was no comment on any of the logs or traces that I submitted.

There has been no input from anyone apart from me for some weeks, so it's time to close the question.
0
