Hi everyone,

I administer this 5.2.1 FreeBSD box which runs a few services, among which are bind and postfix. On the same box I run ipfw as a firewall, and have a default policy that blocks all incoming packets, except for those that are for ports 53 (tcp and udp) and 25 (tcp). I also have the following sysctl values enabled:

net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1

In my security logs I keep on getting the following messages:

Jul 19 03:04:49 ns1 kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:52291
Jul 19 03:25:56 ns1 kernel: Connection attempt to UDP myexternaladdress:52299 from myexternaladdress:53
Jul 19 09:33:11 ns1 kernel: Connection attempt to UDP myexternaladdress:52316 from myexternaladdress:53
Jul 19 10:28:32 ns1 kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:52328
Jul 19 11:05:49 ns1 kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:52354

I have googled these messages many times, but still haven't found a real explanation of why they occur. The way I see it, there is no malicious behaviour behind these messages; most probably it has something to do with my firewall settings and the keep-state option. I present the excerpt from my firewall configuration file that relates to the incoming DNS traffic:

add 00389 allow udp from any to myexternaladdress 53 in via fxp0 keep-state

I would be grateful if someone could explain to me why these messages keep showing, and if there is a way to prevent them from occurring in the future.

Thank you all in advance,

mamalos
Look, first of all, I block spoofed incoming packets on my external interface, so traffic from 127.0.0.0/8 cannot pass through it no matter the protocol it uses, so spoofing for me is not the case. When you say that it may be that my machine is trying to update its records, do you mean it tries to update the zone files my machine is hosting? 'Cos my server runs only as a master server, and from what I know its records should be updated only when the administrator requests it through rndc or by restarting bind.

To give you a more thorough idea of my DNS server: I allow some IPs to query it for any address, I allow the world to query me for my zones, I don't use forwarders, and I don't have a slave DNS (though I should have :) ).

As far as the third part of your mail is concerned, no, I don't have any other log files. The only firewall present in my network is on the server itself; there is of course a router between my server and my ISP, which only routes packets (no packet filtering whatsoever).

Thx for your answer,

mamalos

On Wed, 19 Jul 2006, Network Security wrote:

> It's UDP, so who the fuck knows where it's actually coming from. It
> might not originate from your machines.
>
> Remember, UDP packets destined to your address, with the
> return address of your same server, is a common way to both DoS and peek
> through a firewall. Is your log by chance suppressing duplicate
> entries?
>
> The other option is your machine may be attempting to update its
> DNS records. But it's not a connection oriented protocol, so you don't
> know who actually sent the packet.
>
> Do you have a router or other firewall log?
>
> -Brian
>
> Brian J. Brandon
> Network Security Consultant
> Los Angeles, California
> SecurityAdmin@Hush.com
> Tel. No. 310.925.2987
> Fax. No. 325.204.7815
>
> Wednesday, July 19, 2006, 2:07:08 AM, you wrote:
>
> > Hi everyone,
> > [...]
> >
> > mamalos
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
I get similar messages to these:

> Jul 19 03:25:56 ns1 kernel: Connection attempt to UDP myexternaladdress:52299 from myexternaladdress:53
> Jul 19 09:33:11 ns1 kernel: Connection attempt to UDP myexternaladdress:52316 from myexternaladdress:53

occasionally, when a DNS server takes a long time to respond, because a UDP "keep state" *has* to time out eventually, and if the configured interval is less than the DNS server's response time the returning DNS response will not match any "kept" entry. Tuning the interval will reduce the messages, and allow the response packets through, but it will still happen *sometimes*.

--
David Pick
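The expiry David describes, as an added example that is not part of the thread: a small Python model of ipfw's dynamic rule table for UDP. The sysctl net.inet.ip.fw.dyn_udp_lifetime and its default of 10 seconds are real; the addresses (192.0.2.10 standing in for myexternaladdress, 198.51.100.7 as an upstream resolver), the outbound companion rule for the host's own resolver, and the timings are assumptions made for the example. It shows that raising the lifetime lets a slow answer through, that a retransmitted query refreshes the entry, and that a sufficiently late answer is dropped no matter what, which is the "still happen *sometimes*" above.

```python
from dataclasses import dataclass, field

DEFAULT_UDP_LIFETIME = 10   # net.inet.ip.fw.dyn_udp_lifetime default, in seconds
SERVER = "192.0.2.10"       # stands in for myexternaladdress (assumption)
UPSTREAM = "198.51.100.7"   # some remote DNS server the host's resolver asks (assumption)


@dataclass(frozen=True)
class Pkt:
    direction: str   # "in" or "out" on fxp0
    src: str
    sport: int
    dst: str
    dport: int


def flow_key(p):
    """Direction-independent key so a reply finds the state its query created."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


@dataclass
class DynTable:
    """Minimal model of ipfw's dynamic rule table for UDP: an entry lives
    `lifetime` seconds after the last packet that matched it."""
    lifetime: int = DEFAULT_UDP_LIFETIME
    entries: dict = field(default_factory=dict)   # flow_key -> expiry time

    def match(self, p, now):
        k = flow_key(p)
        exp = self.entries.get(k)
        if exp is None or now > exp:
            self.entries.pop(k, None)          # expired: the late reply matches nothing
            return False
        self.entries[k] = now + self.lifetime  # every matching packet refreshes the entry
        return True

    def create(self, p, now):
        self.entries[flow_key(p)] = now + self.lifetime


def firewall(table, p, now):
    """Verdict for one datagram on fxp0 under a rule set shaped like the OP's:
    dynamic rules first, then the keep-state allows, then default deny inbound."""
    if table.match(p, now):
        return "allow"                       # check-state hit
    if p.direction == "in" and p.dst == SERVER and p.dport == 53:
        table.create(p, now)                 # the OP's rule 00389
        return "allow"
    if p.direction == "out" and p.src == SERVER and p.dport == 53:
        table.create(p, now)                 # assumed companion rule for the host's own resolver
        return "allow"
    return "deny" if p.direction == "in" else "allow"


def late_reply(lifetime, reply_delay, retry_at=None):
    """The local resolver queries UPSTREAM at t=0 (optionally retransmitting at
    retry_at) and UPSTREAM answers reply_delay seconds later.
    Returns the firewall's verdict for the answer."""
    table = DynTable(lifetime=lifetime)
    query = Pkt("out", SERVER, 52299, UPSTREAM, 53)
    reply = Pkt("in", UPSTREAM, 53, SERVER, 52299)
    firewall(table, query, 0)
    if retry_at is not None:
        firewall(table, query, retry_at)
    return firewall(table, reply, reply_delay)


if __name__ == "__main__":
    print("default lifetime, answer after 12s:", late_reply(10, 12))               # deny
    print("lifetime raised to 30, same answer:", late_reply(30, 12))               # allow
    print("lifetime 30, answer after 45s:", late_reply(30, 45))                    # deny
    print("default lifetime, retry at 8s, answer at 15s:", late_reply(10, 15, 8))  # allow
```

The model only covers the firewall side: a datagram that ipfw drops here never reaches the kernel's UDP input, so whether a given "Connection attempt" line is caused by this expiry or by a local querier that had already closed its socket has to be settled by looking at which path the packet actually took.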
Hi,

$ grep "\<512/udp" /etc/services
biff 512/udp comsat #used by mail system to notify users

So basically you've got a process (most likely your local MTA) sending notifications for incoming new mail to the comsat service (which by default is disabled in /etc/inetd.conf). Either adjust your firewall to allow such notifications (UDP packets towards port 512 on subnet 127.0.0.0/8 through the lo0 interface) or disable notifications from your mail delivery agent.

Best regards,
Adrian Penisoara
Ady (@freebsd.ady.ro)

On 7/19/06, George Mamalakis <mamalos@lan.gr> wrote:
> Hi everyone,
> [...]
>
> mamalos
George Mamalakis wrote:
> Jul 19 03:04:49 ns1 kernel: Connection attempt to UDP 127.0.0.1:512 from
> 127.0.0.1:52291

If you have net.inet.ip.check_interface=1 or your firewall blocks packets with 127/8 addresses arriving via a non-loopback interface, then the source address isn't spoofed. Then it's local communication. You should search for a local program causing this type of communication. The packet content (use tcpdump -s1500 -X -i lo0 dst port 512) may (or may not) help you.

> Jul 19 03:25:56 ns1 kernel: Connection attempt to UDP
> myexternaladdress:52299 from myexternaladdress:53
> Jul 19 09:33:11 ns1 kernel: Connection attempt to UDP
> myexternaladdress:52316 from myexternaladdress:53

It's probably a DNS response to a nonexistent or expired question. In the first case, it's a sort of attack. As you configured the system to report attacks, you want to see those messages. Please note the source address may be forged and there is no way to determine its true source without upstream ISP cooperation.

In the second case, the packet is a "too late response": the process which sent the DNS question no longer waits for it. Unless the source address is spoofed, it's a local-to-local DNS request. Maybe the program sending it has too short a timeout, or it's a 'question-related' problem (you asked for a DNS record but the appropriate DNS server responded slowly or didn't respond at all). You should identify the local program sending those questions and/or the question triggering those messages.

Please note that NAT on the myexternaladdress host may cause some non-local communication to appear local (e.g., some non-local process communication looks like local-process communication). But your local computers have no reason to contact your DNS server over the external address (I assume they use the appropriate internal address), so it shouldn't complicate your analysis. In that case you can block DNS questions to myexternaladdress on all internal interfaces - just to be sure.

Dan
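Dan's triage rules, written out as detection logic over sample log lines. This is an added example, not code from the thread. One fact worth stating first: the "Connection attempt to UDP a:b from c:d" text is printed by the kernel's UDP input path when net.inet.udp.log_in_vain is set (rc.conf's log_in_vain="YES" sets it) and a datagram arrives for a port with no socket bound to it; net.inet.udp.blackhole only decides whether an ICMP port unreachable is sent back. So every line below is a datagram that got past the firewall and found no listener, which is why the rules ask "who sent it" rather than "which rule dropped it". The sample log is constructed in the same shape as the original post's lines, with 192.0.2.10 standing in for myexternaladdress and 198.51.100.7 / 203.0.113.9 as made-up remote hosts; the verdict names are the example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample in the format of the thread's lines. ns1 is the host name
# from the original post; 192.0.2.10 stands in for "myexternaladdress" and the
# remote addresses are documentation ranges (all assumptions for the example).
SAMPLE_LOG = """\
Jul 19 03:04:49 ns1 kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:52291
Jul 19 03:25:56 ns1 kernel: Connection attempt to UDP 192.0.2.10:52299 from 192.0.2.10:53
Jul 19 09:33:11 ns1 kernel: Connection attempt to UDP 192.0.2.10:52316 from 192.0.2.10:53
Jul 19 10:28:32 ns1 kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:52328
Jul 19 11:05:49 ns1 kernel: Connection attempt to UDP 192.0.2.10:52400 from 198.51.100.7:53
Jul 19 11:07:02 ns1 kernel: Connection attempt to UDP 192.0.2.10:1434 from 203.0.113.9:1434
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: "
    r"Connection attempt to UDP (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"from (?P<src>[\d.]+):(?P<sport>\d+)$"
)
LOOPBACK = ip_network("127.0.0.0/8")
COMSAT_PORT = 512      # biff/comsat in /etc/services
EPHEMERAL_LOW = 1024   # rough lower bound for a querier's source port


@dataclass
class Event:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    verdict: str
    reason: str


def parse_line(line):
    """Return (ts, src, sport, dst, dport) or None for a line of another shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m["ts"], m["src"], int(m["sport"]), m["dst"], int(m["dport"])


def classify(ts, src, sport, dst, dport, local_addrs):
    """Every logged datagram reached a port with no socket bound to it; decide
    who sent it. local_addrs: this host's own non-loopback addresses."""
    s, d = ip_address(src), ip_address(dst)
    src_is_ours = s in LOOPBACK or src in local_addrs
    if s in LOOPBACK and d in LOOPBACK and dport == COMSAT_PORT:
        return Event(ts, src, sport, dst, dport, "comsat-notification",
                     "local MTA notifying comsat/biff (udp/512) while comsat is not running")
    if sport == 53 and dport >= EPHEMERAL_LOW:
        if src_is_ours:
            return Event(ts, src, sport, dst, dport, "late-dns-reply-local",
                         "our own resolver answered a local querier that had already "
                         "closed its socket (short timeout or slow upstream)")
        return Event(ts, src, sport, dst, dport, "dns-reply-remote",
                     "answer from a remote server to a port nobody listens on; a late "
                     "reply and a spoofed source look identical at the UDP layer")
    if src_is_ours:
        return Event(ts, src, sport, dst, dport, "local-unknown",
                     "local process talking to a closed local port; find it with tcpdump on lo0")
    return Event(ts, src, sport, dst, dport, "external-probe",
                 "remote datagram to a closed port: scan or backscatter, source may be forged")


def triage(log_text, local_addrs):
    events = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            events.append(classify(*parsed, local_addrs=local_addrs))
    return events


def summarize(events):
    """Verdict -> count, the number to watch over time rather than each line."""
    return dict(Counter(e.verdict for e in events))


if __name__ == "__main__":
    evs = triage(SAMPLE_LOG, {"192.0.2.10"})
    for e in evs:
        print(f"{e.ts} {e.src}:{e.sport} -> {e.dst}:{e.dport}  {e.verdict}: {e.reason}")
    print(summarize(evs))
```

Run it against a real /var/log/security with the host's own addresses in local_addrs; anything that lands in external-probe or dns-reply-remote is what a spoofing or scanning hypothesis has to explain, while the comsat and local late-reply buckets point at a local process to fix or a timeout to raise.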
On Wed, 2006-Jul-19 12:07:08 +0300, George Mamalakis wrote:
>In my security logs I keep on getting the following messages:
>Jul 19 03:04:49 ns1 kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:52291

As others have mentioned, this is sendmail trying to notify biff that the user has new mail, but you aren't running biff. To stop it, add the following lines to your sendmail.mc file, rebuild sendmail.cf and restart sendmail:

dnl Disable biff notification
define(`LOCAL_MAILER_ARGS', `mail.local -Bl')

--
Peter Jeremy