Solved

UDP FLOOD warnings suddenly appearing in Netgear router logs

Posted on 2011-09-21
Last Modified: 2012-05-12
Good evening all

I'm suddenly getting emails from my Netgear FVX538 security router that seem to be reporting UDP flooding on port 53 originating from my 2003 SBS server; port 53, if I remember correctly, is the one used by DNS.

I attach a portion of the router log file, the netstat -ano output for this activity that indicates that dns.exe (PID 1648) is generating the traffic, and a procmon log giving some path information for the transmitted UDP packets. I've substituted my.server for the actual server name.

My question is twofold, really - how do I interpret these logs, and how should I go about determining the cause?

I'm rather concerned that something bad is happening, particularly as my mail server is starting to appear on RBLs.

I've run a virus scan on the server with Eset's mail server product, and it came up clean.

Any help would be much appreciated. procmon.txt netstat-output.txt FVX538-log.txt
Question by:Perarduaadastra
11 Comments
 
LVL 10

Expert Comment

by:Benjamin MOREAU
ID: 36576587
I think you don't have to worry. Your SBS Server is the DNS Server for all your client computers. So, each time a computer makes a request on the internet, this computer needs to resolve some DNS host; the computer asks your SBS Server... and your SBS Server asks the ROOT DNS Server on the internet. So, it's normal that your SBS runs a lot of DNS requests on the internet (you can consider that SBS is a DNS Relay for your LAN computers).
LVL 15

Author Comment

by:Perarduaadastra
ID: 36576791
I'm worrying because this behaviour is unusual. Most commonly the routine 8-hourly status email says No Data Available, or reports two or three events. I haven't seen what the router calls a Rotated Security Log before, and the name suggests that the log has been filled to capacity. These rotated logs are arriving frequently too - less than an hour between some of them.

This Netgear FVX538 router has been deployed for more than two years, and this is the first time that I've seen such activity. Also, I don't want my mail server appearing on RBLs and it's on three of them already...
LVL 17

Expert Comment

by:rochey2009
ID: 36577164
Hi,

Try using wireshark to capture the traffic to see what DNS requests are being made and see if there are any that look out of place.
LVL 15

Author Comment

by:Perarduaadastra
ID: 36578735
Here's a 20-second pcap from Wireshark version 1.4.2, taken on my server this morning at about 7.45am (UK time), and it certainly isn't what I would expect, though I must confess that I'm not sure what is normal.
However, the domains listed in the trace aren't any that I've ever knowingly had any contact with, so my feeling is that there is something running on the server that doesn't have my best interests at heart.

The 192.168.x.2 address is the server, and the 192.168.x.252 is the FVX538 router.

I've had eight Rotated Logs between midnight and 8am this morning UK time.

How can I discover what is generating this traffic?
LVL 15

Author Comment

by:Perarduaadastra
ID: 36578749
Oops, here's the trace...

Pcap isn't an accepted file type, so I've saved it as a K12 text file. server-pcap-745am.txt
LVL 10

Expert Comment

by:Benjamin MOREAU
ID: 36579338
First, check that your mail server is not an open relay: http://www.aupads.org/test-relay.html
LVL 15

Author Comment

by:Perarduaadastra
ID: 36579485
This is the first thing I checked, using the DNSStuff tool. I've used the link you've provided as well, and my server passed both tests.

However, I've done a bit more digging, as I suspected a rootkit might be the cause due to the complete lack of other symptoms and processes detectable by the usual methods.

I've run Gmer's rootkit detector on the server, and it has detected a hidden service running, implicating sbscrexe.exe; as far as I know this file is normally part of the licensing service on the server, so it appears to have been compromised somehow. The file itself passes a virus check, so presumably the rootkit presents the original file to the scanning engine.

The next question is, how do I remove this infection without breaking my server?
LVL 15

Author Comment

by:Perarduaadastra
ID: 36579746
Hmmm.... I may have been a little premature in my rootkit assumption, at least as far as sbscrexe.exe is concerned; I've just run Gmer on another SBS 2003 server that is running without problems, and it's found exactly the same thing on that one.

Back to the drawing board...
LVL 15

Author Comment

by:Perarduaadastra
ID: 36586252
I've addressed the symptom by blocking outbound UDP traffic on port 53 at the FVX538 firewall, but I'm still no closer to discovering what is causing this behaviour.

I've used Process Monitor and Process Explorer by Sysinternals to try and discover what's going on, but to no avail.

Any other suggestions?
LVL 15

Accepted Solution

by:Perarduaadastra (earned 0 total points)
ID: 36709461
Well, mysteriously, the problem seems to have gone away, leaving no clue as to its origin.

I've also unblocked outbound UDP traffic again, with no issues.

I will monitor the situation for the next day or three, and if there is no recurrence of the UDP flooding I will close the question.
LVL 15

Author Closing Comment

by:Perarduaadastra
ID: 36954224
Essentially, the problem has vanished as mysteriously as it arrived, leaving me none the wiser.

Unfortunately none of the suggestions shed any light on the problem; in particular, there was no comment on any of the logs or traces that I submitted.

There has been no input from anyone apart from me for some weeks, so it's time to close the question.