Juniper SSG5 UDP Flood Port 53, DNS Proxy module has more concurrent client requests than allowed
About two days ago one of your retail locations called complaining about slow web browsing or no connectivity to the web. I logged into the Juniper to see what could be causing the issue and noticed a high number of UDP request being sent to port 53.
Here are the errors and warnings from the SSG5, I am not sure where to begin with troubleshooting to resolve this issue. Any assistance would be greatly appreciated. Thanks
"DNS Proxy module has more concurrent client requests than allowed."
==========================
System Event Log (Current system time: Wed, 15 Oct 2014 10:08:25)
==========================
Date Time Module level Type Description
2014-10-15 10:08:24 system crit 00430 Dst IP session limit! From 78.112.104.150:6274 to xxx.xxx.xxx.xxx:53, proto UDP (zone Untrust, int ethernet0/0). Occurred 1 times.
2014-10-15 10:08:24 system crit 00430 Dst IP session limit! From 78.112.104.150:31474 to xxx.xxx.xxx.xxx:53, proto UDP (zone Untrust, int ethernet0/0). Occurred 1 times.
2014-10-15 10:08:24 system crit 00430 Dst IP session limit! From 95.107.68.127:343 to xxx.xxx.xxx.xxx:53, proto UDP (zone Untrust, int ethernet0/0). Occurred 1 times.
2014-10-15 10:08:24 system crit 00430 Dst IP session limit! From 80.159.7.30:42588 to xxx.xxx.xxx.xxx:53, proto UDP (zone Untrust, int ethernet0/0). Occurred 1 times.
2014-10-15 10:08:24 system crit 00430 Dst IP session limit! From 57.177.142.172:16 to xxx.xxx.xxx.xxx:53, proto UDP (zone Untrust, int ethernet0/0). Occurred 1 times.
2014-10-15 10:08:24 system crit 00430 Dst IP session limit! From 101.90.218.242:41896 to xxx.xxx.xxx.xxx:53, proto UDP (zone Untrust, int ethernet0/0). Occurred 1 times.
2014-10-15 10:08:24 system crit 00430 Dst IP session limit! From 121.70.197.255:46733 to xxx.xxx.xxx.xxx:53, proto UDP (zone Untrust, int ethernet0/0). Occurred 1 times.
2014-10-15 10:08:23 system crit 00430 Dst IP session limit! From 24.72.157.4:52116 to xxx.xxx.xxx.xxx:53, proto UDP (zone Untrust, int ethernet0/0). Occurred 1 times.
2014-10-15 10:08:23 system crit 00430 Dst IP session limit! From 38.215.133.121:53543 to xxx.xxx.xxx.xxx:53, proto UDP (zone Untrust, int ethernet0/0). Occurred 1 times.
2014-10-15 10:08:23 system crit 00430 Dst IP session limit! From 78.112.104.150:6277 to xxx.xxx.xxx.xxx:53, proto UDP (zone Untrust, int ethernet0/0). Occurred 1 times.
2014-10-15 10:08:23 system crit 00430 Dst IP session limit! From 78.112.104.150:27199 to xxx.xxx.xxx.xxx:53, proto UDP (zone Untrust, int ethernet0/0). Occurred 1 times.
2014-10-15 10:08:23 system crit 00430 Dst IP session limit! From 206.190.153.228:16125 to xxx.xxx.xxx.xxx:53, proto UDP (zone Untrust, int ethernet0/0). Occurred 1 times.
2014-10-15 10:08:23 system crit 00430 Dst IP session limit! From 78.112.104.150:59762 to xxx.xxx.xxx.xxx:53, proto UDP (zone Untrust, int ethernet0/0). Occurred 1 times.
2014-10-15 10:08:23 system crit 00430 Dst IP session limit! From 78.239.245.20:37108 to xxx.xxx.xxx.xxx:53, proto UDP (zone Untrust, int ethernet0/0). Occurred 1 times.
2014-10-15 10:08:23 system crit 00430 Dst IP session limit! From 84.52.218.31:32905 to xxx.xxx.xxx.xxx:53, proto UDP (zone Untrust, int ethernet0/0). Occurred 1 times.
2014-10-15 10:08:22 system crit 00430 Dst IP session limit! From 13.70.124.171:38199 to xxx.xxx.xxx.xxx:53, proto UDP (zone Untrust, int ethernet0/0). Occurred 1 times.
2014-10-15 10:08:22 system crit 00430 Dst IP session limit! From 78.112.104.150:8157 to xxx.xxx.xxx.xxx:53, proto UDP (zone Untrust, int ethernet0/0). Occurred 1 times.
2014-10-15 10:08:22 system crit 00430 Dst IP session limit! From 71.84.230.6:29360 to xxx.xxx.xxx.xxx:53, proto UDP (zone Untrust, int ethernet0/0). Occurred 1 times.
Here are the errors and warnings from the SSG5, I am not sure where to begin with troubleshooting to resolve this issue. Any assistance would be greatly appreciated. Thanks
"DNS Proxy module has more concurrent client requests than allowed."
==========================
System Event Log (Current system time: Wed, 15 Oct 2014 10:08:25)
==========================
Date Time Module level Type Description
2014-10-15 10:08:24 system crit 00430 Dst IP session limit! From 78.112.104.150:6274 to xxx.xxx.xxx.xxx:53, proto UDP (zone Untrust, int ethernet0/0). Occurred 1 times.
2014-10-15 10:08:24 system crit 00430 Dst IP session limit! From 78.112.104.150:31474 to xxx.xxx.xxx.xxx:53, proto UDP (zone Untrust, int ethernet0/0). Occurred 1 times.
2014-10-15 10:08:24 system crit 00430 Dst IP session limit! From 95.107.68.127:343 to xxx.xxx.xxx.xxx:53, proto UDP (zone Untrust, int ethernet0/0). Occurred 1 times.
2014-10-15 10:08:24 system crit 00430 Dst IP session limit! From 80.159.7.30:42588 to xxx.xxx.xxx.xxx:53, proto UDP (zone Untrust, int ethernet0/0). Occurred 1 times.
2014-10-15 10:08:24 system crit 00430 Dst IP session limit! From 57.177.142.172:16 to xxx.xxx.xxx.xxx:53, proto UDP (zone Untrust, int ethernet0/0). Occurred 1 times.
2014-10-15 10:08:24 system crit 00430 Dst IP session limit! From 101.90.218.242:41896 to xxx.xxx.xxx.xxx:53, proto UDP (zone Untrust, int ethernet0/0). Occurred 1 times.
2014-10-15 10:08:24 system crit 00430 Dst IP session limit! From 121.70.197.255:46733 to xxx.xxx.xxx.xxx:53, proto UDP (zone Untrust, int ethernet0/0). Occurred 1 times.
2014-10-15 10:08:23 system crit 00430 Dst IP session limit! From 24.72.157.4:52116 to xxx.xxx.xxx.xxx:53, proto UDP (zone Untrust, int ethernet0/0). Occurred 1 times.
2014-10-15 10:08:23 system crit 00430 Dst IP session limit! From 38.215.133.121:53543 to xxx.xxx.xxx.xxx:53, proto UDP (zone Untrust, int ethernet0/0). Occurred 1 times.
2014-10-15 10:08:23 system crit 00430 Dst IP session limit! From 78.112.104.150:6277 to xxx.xxx.xxx.xxx:53, proto UDP (zone Untrust, int ethernet0/0). Occurred 1 times.
2014-10-15 10:08:23 system crit 00430 Dst IP session limit! From 78.112.104.150:27199 to xxx.xxx.xxx.xxx:53, proto UDP (zone Untrust, int ethernet0/0). Occurred 1 times.
2014-10-15 10:08:23 system crit 00430 Dst IP session limit! From 206.190.153.228:16125 to xxx.xxx.xxx.xxx:53, proto UDP (zone Untrust, int ethernet0/0). Occurred 1 times.
2014-10-15 10:08:23 system crit 00430 Dst IP session limit! From 78.112.104.150:59762 to xxx.xxx.xxx.xxx:53, proto UDP (zone Untrust, int ethernet0/0). Occurred 1 times.
2014-10-15 10:08:23 system crit 00430 Dst IP session limit! From 78.239.245.20:37108 to xxx.xxx.xxx.xxx:53, proto UDP (zone Untrust, int ethernet0/0). Occurred 1 times.
2014-10-15 10:08:23 system crit 00430 Dst IP session limit! From 84.52.218.31:32905 to xxx.xxx.xxx.xxx:53, proto UDP (zone Untrust, int ethernet0/0). Occurred 1 times.
2014-10-15 10:08:22 system crit 00430 Dst IP session limit! From 13.70.124.171:38199 to xxx.xxx.xxx.xxx:53, proto UDP (zone Untrust, int ethernet0/0). Occurred 1 times.
2014-10-15 10:08:22 system crit 00430 Dst IP session limit! From 78.112.104.150:8157 to xxx.xxx.xxx.xxx:53, proto UDP (zone Untrust, int ethernet0/0). Occurred 1 times.
2014-10-15 10:08:22 system crit 00430 Dst IP session limit! From 71.84.230.6:29360 to xxx.xxx.xxx.xxx:53, proto UDP (zone Untrust, int ethernet0/0). Occurred 1 times.
Sanga Collins
If this is DUP53 traffic coming from the untrust zone into your trust zone, I would make a rule that rejects the traffic. There is no reason unless you are hosting a DNS server for this traffic to occur.
ASKER
Thanks for the quick reply, could you elaborate on how to create this rule to block this unwanted traffic.
If you got to the web interface for your Juniper,
You can go to Policy > Policies.
Change "from" field to untrust and "to" field to trust then click "new" in the top right corner.
You can then configure the policy as shown in the attachment. Take note of the service section. I made the service DNS (you can make more customized ones if needed) I also set the action to "reject" instead of deny so that the traffic is dropped. Very important as well is to enable logging so that you can view whats happening on your device.
security-policy.jpg
You can go to Policy > Policies.
Change "from" field to untrust and "to" field to trust then click "new" in the top right corner.
You can then configure the policy as shown in the attachment. Take note of the service section. I made the service DNS (you can make more customized ones if needed) I also set the action to "reject" instead of deny so that the traffic is dropped. Very important as well is to enable logging so that you can view whats happening on your device.
security-policy.jpg
ASKER
I have made the changes to add this policy with the settings you recommended, nothing shows in the log and I am still receiving the alerts...
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.