Solved

DNS rebinding attack

Posted on 2014-02-14
5
702 Views
1 Endorsement
Last Modified: 2014-02-15
I am getting a lot of alerts in the Sonic Wall 205 with 'DNS rebinding attack' logs.  It appears to be inbound from the Comcast dns servers.  

The dns setting is to set to log attack only and I tried changing it to log and drop but after several days, it caused dns to not resolve at all.  I changed it.  I think this is causing a performance issue with our internet circuit.  We have a 100MB circuit but the speedtest.net shows only 27MB at times.

I also tried switching it to a openDNS (208.67.222.222) and that didn't seem to help.

Just wondering how I can go about resolving this.
1
Comment
Question by:LateNaite
  • 3
  • 2
5 Comments
 
LVL 11

Expert Comment

by:Technodweeb
ID: 39860507
Drop all inbound port 53 requests on the outside interface. This will at least relieve the firewall from having to process the packet and thus might improve performance. No way to prevent the traffic from coming to you but if there is no service responding, they might go away because it is a waste of time to keep hitting your link.
0
 

Author Comment

by:LateNaite
ID: 39860600
Would the source port be udp 53 or destination be udp 53?
0
 

Author Comment

by:LateNaite
ID: 39860603
What about dns replies to users issuing a dns query?  Would those traffic be blocked too?
0
 
LVL 11

Accepted Solution

by:
Technodweeb earned 500 total points
ID: 39861311
Replies to a request originating from your router/firewall should not be blocked. Your router/firewall configuration may require tweaking to avoid this problem but generally it should not block them. The only thing that should be blocked is traffic not originating from your LAN on port 53.

The DST port is 53. The source port will most always be random...
0
 

Author Comment

by:LateNaite
ID: 39862276
Main performance issue was related to ISP.
0

Featured Post

How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

Join & Write a Comment

This article summarizes using a simple matrix to map the different type of phishing attempts and its targeted victims. It also run through many scam scheme scenario with "real" phished emails. There are safeguards highlighted to stay vigilance and h…
Getting hacked is no longer a matter or "if you get hacked" — the 2016 cyber threat landscape is now titled "when you get hacked." When it happens — will you be proactive, or reactive?
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now