port 53 under attack

Matthew Seaman m.seaman at infracaninophile.co.uk
Thu Jun 4 17:52:21 UTC 2015


On 04/06/2015 18:32, Dennis Glatting wrote:
>> I am NOT running a dns server. So all these inbound hits on port 53 are
>> just bad guys fishing for an open dns server and blocking them like I am
>> doing is the correct thing to do?

> Don't send ICMP failures. Just drop the packets.

200k packets per day to port 53 when there's nothing listening there is
quite a lot.  You may be unlucky in that your IP is similar to an IP
where a DNS server is running and the script kiddies have somehow made a
paste-o and got your address.

Even though it's a bit more than the usual quantity, this is pretty much
usual 'background radiation' for the internet.  You'll find any number
of scoundrel-written bots searching for ssh or ftp servers to try and
brute-force and speculative attempts to exploit various web server
vulnerabilities (got to love those people that try and use IIS exploits
against nginx...) and so forth.  None of it is likely to be directed at
you specifically.

Like Dennis said: just drop it all at your firewall.  *Drop* rather than
block, so all the traffic just disappears into a black-hole.

	Cheers,

	Matthew
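
The drop-versus-block distinction above, as an added example that is not part of the original message: a pf.conf fragment, assuming pf is the firewall in use (the thread does not say which) and that `em0` is the external interface.

```conf
# Added example. Assumptions: pf is the firewall, em0 faces the internet.
ext_if = "em0"

# Make a bare "block" discard silently instead of answering.
set block-policy drop
set skip on lo0

# The variant the thread advises against: "return" answers every probe
# (TCP RST for TCP, ICMP port unreachable for UDP). That confirms the
# address is live and spends outbound bandwidth on each reply.
# block return in quick on $ext_if proto { tcp, udp } from any to any port 53

# The variant the thread recommends: no reply of any kind.
# "quick" stops rule evaluation here, so later rules cannot re-allow it.
block drop in quick on $ext_if proto { tcp, udp } from any to any port 53

# Everything else unsolicited is dropped too; outbound traffic is stateful,
# so replies to this host's own DNS lookups (source port 53, matched by
# state) still get through.
block in on $ext_if
pass out on $ext_if keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it; `pfctl -vsr` then shows per-rule packet counters for the port 53 rule.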




More information about the freebsd-questions mailing list