From owner-freebsd-security@FreeBSD.ORG Wed Jul 19 09:27:26 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 51D3816A4DD for ; Wed, 19 Jul 2006 09:27:26 +0000 (UTC) (envelope-from dan@obluda.cz) Received: from smtp1.kolej.mff.cuni.cz (smtp1.kolej.mff.cuni.cz [195.113.24.4]) by mx1.FreeBSD.org (Postfix) with ESMTP id B194F43D4C for ; Wed, 19 Jul 2006 09:27:24 +0000 (GMT) (envelope-from dan@obluda.cz) X-Envelope-From: dan@obluda.cz Received: from [172.20.1.20] (muff.kolej.mff.cuni.cz [195.113.24.6]) by smtp1.kolej.mff.cuni.cz (8.13.1/8.13.1) with ESMTP id k6J9SHJc002136 for ; Wed, 19 Jul 2006 11:28:19 +0200 (CEST) (envelope-from dan@obluda.cz) Message-ID: <44BDFAF8.8020108@obluda.cz> Date: Wed, 19 Jul 2006 11:27:20 +0200 From: Dan Lukes User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060516 SeaMonkey/1.0.2 MIME-Version: 1.0 To: freebsd-security@freebsd.org References: <20060719114613.N18979@ns1.lan.gr> In-Reply-To: <20060719114613.N18979@ns1.lan.gr> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: UDP connection attempts X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 19 Jul 2006 09:27:26 -0000 George Mamalakis wrote: > Jul 19 03:04:49 ns1 kernel: Connection attempt to UDP 127.0.0.1:512 from > 127.0.0.1:52291 If you have net.inet.ip.check_interface=1 or your firewall block packets with 127/8 addresses arriving via non-loopback interface then the source address isn't spoofed. Then - it's local comunication. You should search for a local program causing this type of communication. The packet content (use tcpdump -s1500 -X -i lo0 dst port 512) may (or may not) help you. > Jul 19 03:25:56 ns1 kernel: Connection attempt to UDP > myexternaladdress:52299 from myexternaladdress:53 > Jul 19 09:33:11 ns1 kernel: Connection attempt to UDP > myexternaladdress:52316 from myexternaladdress:53 It's probably DNS response to nonexistent or expired question. In the first cast - it's an sort of attack. As you configured system to report attacks, you want to see those messages. Please note the source address may be forged and there is no way to determine true source of it without upstream ISP cooperation. In the second case - the packet is "too late response" - the process which send's DNS question no longer wait for it. Unless the source address spoofed, it's local-to-local DNS request. May be the program sending it has too short timeout or it's 'question-related' problem (you asked for a DNS record but apropriate DNS server responded slowly or didn't respond at all). You should identify the local program sending those questions and/or the question trigerring those messages. Please note, that NAT on myexternaladdress host nay cause that some non-local communication appear to be local (e.g., some non-local process communication look as local-process communication). But, your local computers has no reason to contact your DNS server over external address (I assume they use apropriate internal address), so it shouldn't complicate your analysis. In that case you can block DNS question to myexternaladdress for all internal interfaces - just for sure. Dan