UDP connection attempts

George Mamalakis mamalos at lan.gr
Wed Jul 19 08:53:08 UTC 2006


Look,
first of all, I block spoofed incoming packets on my external interface, so
traffic from 127.0.0.0/8 cannot pass through it no matter which protocol it uses,
so spoofing is not the case for me.

When you say that it may be that my machine is trying to update its
records, do you mean it tries to update the zone files my machine is
hosting? cos my server runs only as a master server, and from what I know
its records should be updated only when the administrator requests it
through rndc or by restarting bind.
To give you a more thorough idea of my dns server: I allow some IPs to
query it for any address, I allow the world to query me for my zones, I
don't use forwarders, and I don't have a slave dns (though I should have
:) ).

As far as the third part of your mail is concerned, no, I don't have any
other log files; the only firewall present in my network is on the server
itself. There is of course a router between my server and my ISP, which
only routes packets (no packet filtering whatsoever).

Thx for your answer,

mamalos

On Wed, 19 Jul 2006, Network Security
wrote:

> It's UDP, so who the fuck knows where it's actually coming from. It
> might not originate from your machines.
>
> Remember, UDP packets destined to your address, with the
> return address of your same server, are a common way to both DoS and peek
> through a firewall. Is your log by chance suppressing duplicate
> entries?
>
> The other option is your machine may be attempting to update its
> DNS records. But it's not a connection oriented protocol, so you don't
> know who actually sent the packet.
>
> Do you have a router or other firewall log?
>
> -Brian
>
>
>
>
>
> Brian J. Brandon
> Network Security Consultant
> Los Angeles, California
> SecurityAdmin at Hush.com
> Tel. No. 310.925.2987
> Fax. No. 325.204.7815
>
>
>
>
> Wednesday, July 19, 2006, 2:07:08 AM, you wrote:
>
>
> Hi everyone,
> I administer this FreeBSD 5.2.1 box which runs a few services, among
> which are bind and postfix. On the same box I run ipfw as a firewall, and
> have a default policy block for all incoming packets, except for those
> that are for ports 53 (tcp and udp) and 25 (tcp).
> I also have the following sysctl values enabled:
> net.inet.tcp.blackhole=2
> net.inet.udp.blackhole=1
> In my security logs I keep on getting the following messages:
> Jul 19 03:04:49 ns1 kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:52291
> Jul 19 03:25:56 ns1 kernel: Connection attempt to UDP myexternaladdress:52299 from myexternaladdress:53
> Jul 19 09:33:11 ns1 kernel: Connection attempt to UDP myexternaladdress:52316 from myexternaladdress:53
> Jul 19 10:28:32 ns1 kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:52328
> Jul 19 11:05:49 ns1 kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:52354
>
> I have googled these messages many times, but still haven't found a real
> explanation of why these messages occur. The way I see it is that there is
> no malicious behaviour behind these messages; most probably there's
> something that has to do with my firewall settings and the keep state
> option.
> I present the excerpt from my firewall configuration file that relates to
> the dns incoming traffic:
> add 00389 allow udp from any to myexternaladdress 53 in via fxp0 keep-state
>
> I would be grateful if someone could explain to me why these messages
> keep showing, and if there is a way to prevent them from occurring in the
> future.
> Thank you all in advance,
>
> mamalos
>
>
>
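A small parser for the blackhole messages quoted in the thread, added here as an example (not code from the thread or from FreeBSD). It assumes a constructed public address 192.0.2.10 in place of "myexternaladdress" and groups the entries by whether they are loopback-only, self-addressed on the public address, or from a remote host, which is the distinction Brian raises; it does not try to decide whether a self-addressed packet was local or spoofed, since the log line alone cannot.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample in the format of the kernel messages quoted in the thread;
# 192.0.2.10 stands in for "myexternaladdress", and the last line (a remote
# source) is added to show the contrasting case.
SAMPLE_LOG = """\
Jul 19 03:04:49 ns1 kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:52291
Jul 19 03:25:56 ns1 kernel: Connection attempt to UDP 192.0.2.10:52299 from 192.0.2.10:53
Jul 19 09:33:11 ns1 kernel: Connection attempt to UDP 192.0.2.10:52316 from 192.0.2.10:53
Jul 19 10:28:32 ns1 kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:52328
Jul 19 11:05:49 ns1 kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:52354
Jul 19 11:30:02 ns1 kernel: Connection attempt to UDP 192.0.2.10:123 from 198.51.100.7:40000
"""
LINE_RE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ kernel: Connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) from (?P<src>[\d.]+):(?P<sport>\d+)$"
)
port_key = lambda p: p if p < 1024 else "ephemeral"  # collapse ephemeral ports

def parse_line(line):
    """Parse one blackhole message into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"], rec["sport"] = int(rec["dport"]), int(rec["sport"])
    return rec

def classify(rec, external):
    """Label a record by claimed source. UDP has no handshake, so a packet carrying
    the host's own address may be local or spoofed; the log alone cannot tell."""
    src, dst = ip_address(rec["src"]), ip_address(rec["dst"])
    if src.is_loopback and dst.is_loopback:
        return "loopback"        # never crossed the external interface
    if dst in external and src == dst:
        return "self-addressed"  # source claims to be this host's public address
    if dst in external:
        return "remote"          # unsolicited packet from another host
    return "other"

def summarize(log_text, external_addrs):
    """Count (label, proto, dport, sport) patterns across a log excerpt."""
    external = {ip_address(a) for a in external_addrs}
    counts = Counter()
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        counts[(classify(rec, external), rec["proto"],
                port_key(rec["dport"]), port_key(rec["sport"]))] += 1
    return counts
```

Running `summarize(SAMPLE_LOG, ["192.0.2.10"])` separates the three repeated loopback hits on port 512 from the two self-addressed entries with source port 53, so each pattern can be investigated on its own.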

