From owner-freebsd-security@FreeBSD.ORG Wed Jul 19 08:53:08 2006
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2B19616A517 for ; Wed, 19 Jul 2006 08:53:08 +0000 (UTC) (envelope-from mamalos@lan.gr)
Received: from ns1.lan.gr (ns1.lan.gr [212.251.2.170]) by mx1.FreeBSD.org (Postfix) with ESMTP id 806C543DA4 for ; Wed, 19 Jul 2006 08:52:59 +0000 (GMT) (envelope-from mamalos@lan.gr)
Received: from localhost (localhost [127.0.0.1]) by ns1.lan.gr (Postfix) with ESMTP id D0E0B289C1; Wed, 19 Jul 2006 12:39:13 +0300 (EEST)
X-Virus-Scanned: amavisd-new at lan.gr
Received: from ns1.lan.gr ([127.0.0.1]) by localhost (ns1.lan.gr [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SD0-89ijXyyQ; Wed, 19 Jul 2006 12:39:11 +0300 (EEST)
Received: by ns1.lan.gr (Postfix, from userid 1001) id 5929D289C0; Wed, 19 Jul 2006 12:39:11 +0300 (EEST)
Received: from localhost (localhost [127.0.0.1]) by ns1.lan.gr (Postfix) with ESMTP id 49961289B9; Wed, 19 Jul 2006 12:39:11 +0300 (EEST)
Date: Wed, 19 Jul 2006 12:39:11 +0300 (EEST)
From: George Mamalakis
To: Network Security
In-Reply-To: <49756892.20060719013144@hush.com>
Message-ID: <20060719122822.L19153@ns1.lan.gr>
References: <20060719114613.N18979@ns1.lan.gr> <49756892.20060719013144@hush.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Cc: freebsd-security@freebsd.org
Subject: Re: UDP connection attempts
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
X-List-Received-Date: Wed, 19 Jul 2006 08:53:08 -0000

Look, first of all I block spoofed incoming packets on my external interface, so traffic from 127.0.0.0/8 cannot pass through it no matter which protocol it uses, so spoofing for me is not the case.
When you say that it may be that my machine is trying to update its records, do you mean it tries to update the zone files my machine is hosting? Because my server runs only as a master server, and from what I know its records should be updated only when the administrator requests it through rndc or by restarting bind. To give you a more thorough idea of my DNS server: I allow some IPs to query it for any address, I allow the world to query me for my zones, I don't use forwarders, and I don't have a slave DNS (though I should have :) ). As far as the third part of your mail is concerned, no, I don't have any other log files; the only firewall present in my network is on the server itself. There is of course a router between my server and my ISP, which only routes packets (no packet filtering whatsoever).

Thx for your answer,

mamalos

On Wed, 19 Jul 2006, Network Security wrote:

> It's UDP, so who the fuck knows where it's actually coming from. It
> might not originate from your machines.
>
> Remember, UDP packets destined to your address, with the
> return address of your same server is a common way to both DoS and peek
> through a firewall. Is your log by chance suppressing duplicate
> entries?
>
> The other option is your machine may be attempting to update its
> DNS records. But it's not a connection oriented protocol, so you don't
> know who actually sent the packet.
>
> Do you have a router or other firewall log?
>
> -Brian
>
> Brian J. Brandon
> Network Security Consultant
> Los Angeles, California
> SecurityAdmin@Hush.com
> Tel. No. 310.925.2987
> Fax. No. 325.204.7815
>
> Wednesday, July 19, 2006, 2:07:08 AM, you wrote:
>
> Hi everyone,
> I administer this 5.2.1 FreeBSD box which runs a few services, among
> which are bind and postfix. On the same box I run ipfw as a firewall, and
> have a default policy block for all incoming packets, except for those
> that are for ports 53 (tcp and udp) and 25 (tcp).
> I also have the following sysctl values enabled:
> net.inet.tcp.blackhole=2
> net.inet.udp.blackhole=1
> In my security logs I keep on getting the following messages:
> Jul 19 03:04:49 ns1 kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:52291
> Jul 19 03:25:56 ns1 kernel: Connection attempt to UDP myexternaladdress:52299 from myexternaladdress:53
> Jul 19 09:33:11 ns1 kernel: Connection attempt to UDP myexternaladdress:52316 from myexternaladdress:53
> Jul 19 10:28:32 ns1 kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:52328
> Jul 19 11:05:49 ns1 kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:52354
>
> I have googled these messages many times, but still haven't found a real
> explanation of why these messages occur. The way I see it is that there is
> no malicious behaviour behind these messages; most probably there's
> something that has to do with my firewall settings, and the keep state
> option.
> I present the excerpt from my firewall configuration file that relates to
> the DNS incoming traffic:
> add 00389 allow udp from any to myexternaladdress 53 in via fxp0 keep-state
>
> I would be grateful if someone could explain to me why these messages
> keep showing, and if there is a way to prevent them from occurring in the
> future.
> Thank you all in advance,
>
> mamalos
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
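The thread turns on telling self-generated log noise apart from datagrams that really came in over the external interface. The following triage script is an added example, not code from either poster or from the FreeBSD project. It assumes the message format shown in the quoted log (the kernel prints "Connection attempt to UDP ..." when a datagram reaches a local port with no listening socket; on FreeBSD that is the net.inet.udp.log_in_vain logging, which the blackhole sysctls do not switch off, since they only suppress the ICMP reply). The sample log is constructed: 192.0.2.10 stands in for "myexternaladdress", and the last two lines (a foreign probe and an unrelated sshd line) are invented to exercise the other paths. The readings given in `hint()` are heuristics a responder would check, not facts established by the thread.

```python
"""Triage FreeBSD 'Connection attempt to UDP ...' kernel log lines.

The message is logged when a UDP datagram arrives for a local port that has
no listening socket (net.inet.udp.log_in_vain).  net.inet.udp.blackhole=1
only suppresses the ICMP port-unreachable reply; it does not silence the
log line.  The script parses the lines and groups them by where the
datagram came from, so self-inflicted noise can be separated from traffic
that actually crossed the external interface.
"""
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample log.  The first four lines follow the ones quoted in
# the thread with 192.0.2.10 (TEST-NET-1) standing in for "myexternaladdress";
# the last two lines are invented (a foreign probe, and a non-kernel line
# that must be ignored).
SAMPLE_LOG = """\
Jul 19 03:04:49 ns1 kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:52291
Jul 19 03:25:56 ns1 kernel: Connection attempt to UDP 192.0.2.10:52299 from 192.0.2.10:53
Jul 19 09:33:11 ns1 kernel: Connection attempt to UDP 192.0.2.10:52316 from 192.0.2.10:53
Jul 19 10:28:32 ns1 kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:52328
Jul 19 11:05:49 ns1 kernel: Connection attempt to UDP 192.0.2.10:1434 from 198.51.100.7:40001
Jul 19 11:06:00 ns1 sshd[123]: unrelated line that must be ignored
"""

# syslog timestamp, host, then the fixed kernel message with two ip:port pairs
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"Connection attempt to UDP (?P<dst>[^:\s]+):(?P<dport>\d+) "
    r"from (?P<src>[^:\s]+):(?P<sport>\d+)\s*$"
)


def parse_line(line):
    """Return a dict of the fields of one log line, or None if it is not one."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["dport"] = int(ev["dport"])
    ev["sport"] = int(ev["sport"])
    return ev


def classify(ev):
    """'loopback': both ends in 127/8; 'self': the host talking to its own
    address; 'foreign': another host is the source, so it came off the wire."""
    src, dst = ip_address(ev["src"]), ip_address(ev["dst"])
    if src.is_loopback and dst.is_loopback:
        return "loopback"
    if src == dst:
        return "self"
    return "foreign"


def hint(cls, ev):
    """Plain-language reading of the event.  Heuristics to verify, not proof."""
    if cls == "loopback" and ev["dport"] == 512:
        # /etc/services: biff 512/udp comsat.  Local mail delivery agents
        # (Postfix local(8) with the default biff=yes) notify comsat on delivery.
        return ("512/udp is biff (comsat): local mail delivery is notifying a comsat "
                "daemon that is not running. Harmless; Postfix silences it with 'biff = no'.")
    if cls == "self" and ev["sport"] == 53:
        return ("Answer from the local nameserver to a client socket this host had "
                "already closed (e.g. a resolver that timed out). Never crossed the wire.")
    if cls == "foreign":
        return ("Datagram from another host reached a port with no listener: find the "
                "ipfw rule that passed it, since the stated policy denies it.")
    return "No listener on the destination port; identify the sender by its port."


def summarize(log_text):
    """Parse every matching line; return (Counter by class, [(class, event, hint)])."""
    counts = Counter()
    events = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # not one of the kernel messages we care about
        cls = classify(ev)
        counts[cls] += 1
        events.append((cls, ev, hint(cls, ev)))
    return counts, events


if __name__ == "__main__":
    counts, events = summarize(SAMPLE_LOG)
    for cls, ev, why in events:
        print(f"[{cls:8}] {ev['src']}:{ev['sport']} -> {ev['dst']}:{ev['dport']}  {why}")
    print(dict(counts))
```

Run it against `/var/log/messages` (or the security log) by replacing `SAMPLE_LOG` with the file contents; anything in the "foreign" bucket is the only class that contradicts a default-deny ipfw policy and is worth correlating with `ipfw -d show` and the rule log, while the loopback and self classes are the host's own services and can be silenced at their source rather than in the firewall.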