Solved

UDP FLOOD warnings suddenly appearing in Netgear router logs

Posted on 2011-09-21
Last Modified: 2012-05-12
Good evening, all

I'm suddenly getting emails from my Netgear FVX538 security router that seem to be reporting UDP flooding on port 53 originating from my 2003 SBS server; port 53, if I remember correctly, is the one used by DNS.

I attach a portion of the router log file, the netstat -ano output for this activity that indicates that dns.exe (PID 1648) is generating the traffic, and a procmon log giving some path information for the transmitted UDP packets. I've substituted my.server for the actual server name.

My question is twofold, really - how do I interpret these logs, and how should I go about determining the cause?

I'm rather concerned that something bad is happening, particularly as my mail server is starting to appear on RBLs.

I've run a virus scan on the server with Eset's mail server product, and it came up clean.

Any help would be much appreciated.

Attachments: procmon.txt, netstat-output.txt, FVX538-log.txt

Question by: Perarduaadastra

Expert Comment by: Benjamin MOREAU

I think you don't have to worry. Your SBS server is the DNS server for all your client computers. So, each time a computer makes a request on the internet, it needs to resolve some DNS host; the computer asks your SBS server... and your SBS server asks the root DNS servers on the internet. So, it's normal that your SBS runs a lot of DNS requests on the internet (you can consider that the SBS is a DNS relay for your LAN computers).

Author Comment by: Perarduaadastra

I'm worrying because this behaviour is unusual. Most commonly the routine 8-hourly status email says No Data Available, or reports two or three events. I haven't seen what the router calls a Rotated Security Log before, and the name suggests that the log has been filled to capacity. These rotated logs are arriving frequently too - less than an hour between some of them.

This Netgear FVX538 router has been deployed for more than two years, and this is the first time that I've seen such activity. Also, I don't want my mail server appearing on RBLs and it's on three of them already...
Expert Comment by: rochey2009

Hi,

Try using Wireshark to capture the traffic to see what DNS requests are being made and see if there are any that look out of place.

Author Comment by: Perarduaadastra

Here's a 20-second pcap from Wireshark version 1.4.2, taken on my server this morning at about 7.45am (UK time), and it certainly isn't what I would expect, though I must confess that I'm not sure what is normal.
However, the domains listed in the trace aren't any that I've ever knowingly had any contact with, so my feeling is that there is something running on the server that doesn't have my best interests at heart.

The 192.168.x.2 address is the server, and the 192.168.x.252 is the FVX538 router.

I've had eight Rotated Logs between midnight and 8am this morning UK time.

How can I discover what is generating this traffic?
Author Comment by: Perarduaadastra

Oops, here's the trace...

Pcap isn't an accepted file type, so I've saved it as a K12 text file. server-pcap-745am.txt
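One way to act on the Wireshark suggestion above and to triage a trace like the author's, as an added example that is not part of this thread: a Python script that reads a tab-separated DNS query export (assumed to have been produced with tshark's `-T fields` option on the capture), counts queries per source/destination pair per second against an assumed flood threshold, and lists base domains that are not on an expected list. The sample rows, the 192.168.1.x addresses, `FLOOD_QPS` and `KNOWN` are all constructed assumptions, not values from the thread.

```python
from collections import Counter

# Constructed sample in tshark "-T fields" column order:
# frame.time_epoch, ip.src, ip.dst, dns.qry.name (tab separated).
# 192.168.1.2 stands in for the SBS server, 192.168.1.252 for the FVX538.
SAMPLE = """\
1316590200.10\t192.168.1.2\t192.168.1.252\tmail.example.org
1316590200.40\t192.168.1.2\t192.168.1.252\twww.example.com
1316590201.00\t192.168.1.2\t192.168.1.252\tx1.odd-tracker.test
1316590201.10\t192.168.1.2\t192.168.1.252\tx2.odd-tracker.test
1316590201.20\t192.168.1.2\t192.168.1.252\tx3.odd-tracker.test
1316590201.30\t192.168.1.2\t192.168.1.252\tx4.odd-tracker.test
1316590201.40\t192.168.1.2\t192.168.1.252\tx5.odd-tracker.test
1316590201.50\t192.168.1.2\t192.168.1.252\tx6.odd-tracker.test
1316590202.00\t192.168.1.2\t192.168.1.252\tmail.example.org
"""

# Assumed per-destination rate above which a router would log a UDP flood;
# the FVX538's real threshold is not given in the thread.
FLOOD_QPS = 5
# Domains the administrator expects the server to resolve (assumed list).
KNOWN = {"example.org", "example.com"}


def parse_queries(text):
    """Return (second, src, dst, qname) tuples, skipping malformed lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 4 or not parts[3]:
            continue
        rows.append((int(float(parts[0])), parts[1], parts[2], parts[3].lower()))
    return rows


def base_domain(qname):
    """Crude registrable domain: the last two labels (no public-suffix list)."""
    return ".".join(qname.strip(".").split(".")[-2:])


def analyse(text, flood_qps=FLOOD_QPS, known=KNOWN):
    """Flag per-second bursts per (src, dst) and domains outside the known set."""
    rows = parse_queries(text)
    per_sec = Counter((src, dst, sec) for sec, src, dst, _ in rows)
    bursts = sorted(k for k, n in per_sec.items() if n >= flood_qps)
    domains = Counter(base_domain(q) for _, _, _, q in rows)
    unfamiliar = {d: n for d, n in domains.items() if d not in known}
    return {"queries": len(rows), "bursts": bursts,
            "top_domains": domains.most_common(3), "unfamiliar": unfamiliar}


if __name__ == "__main__":
    for key, value in analyse(SAMPLE).items():
        print(f"{key}: {value}")
```

A burst entry names the second and the source/destination pair to compare against the router's timestamps; the unfamiliar-domain list is what to check against the services the server is actually expected to contact.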
Expert Comment by: Benjamin MOREAU

First, check that your mail server is not an open relay: http://www.aupads.org/test-relay.html

Author Comment by: Perarduaadastra

This is the first thing I checked, using the DNSStuff tool. I've used the link you've provided as well, and my server passed both tests.

However, I've done a bit more digging, as I suspected a rootkit might be the cause due to the complete lack of other symptoms and processes detectable by the usual methods.

I've run Gmer's rootkit detector on the server, and it has detected a hidden service running, implicating sbscrexe.exe; as far as I know this file is normally part of the licensing service on the server, so it appears to have been compromised somehow. The file itself passes a virus check, so presumably the rootkit presents the original file to the scanning engine.

The next question is, how do I remove this infection without breaking my server?
Author Comment by: Perarduaadastra

Hmmm.... I may have been a little premature in my rootkit assumption, at least as far as sbscrexe.exe is concerned - I've just run Gmer on another SBS 2003 server that is running without problems, and it's found exactly the same thing on that one.

Back to the drawing board...
Author Comment by: Perarduaadastra

I've addressed the symptom by blocking outbound UDP traffic on port 53 at the FVX538 firewall, but I'm still no closer to discovering what is causing this behaviour.

I've used Process Monitor and Process Explorer by Sysinternals to try and discover what's going on, but to no avail.

Any other suggestions?
Accepted Solution by: Perarduaadastra

Well, mysteriously, the problem seems to have gone away, leaving no clue as to its origin.

I've also unblocked outbound UDP traffic again, with no issues.

I will monitor the situation for the next day or three, and if there is no recurrence of the UDP flooding I will close the question.
Author Closing Comment by: Perarduaadastra

Essentially, the problem has vanished as mysteriously as it arrived, leaving me none the wiser.

Unfortunately none of the suggestions shed any light on the problem; in particular, there was no comment on any of the logs or traces that I submitted.

There has been no input from anyone apart from me for some weeks, so it's time to close the question.