Message-Id: <5.1.1.6.0.20030414135946.00aaaa68@device.dyndns.org>
Date: Mon, 14 Apr 2003 14:12:16 +0200
To: freebsd-security@freebsd.org
From: "Guy P."
In-Reply-To: <20030414113127.GB3861@blurp.one.pl>
Subject: Re: strange connection attempts

At 13:31 14/04/2003, GiZmen wrote:
>I have turned on the sysctl variables:
>net.inet.tcp.log_in_vain: 1
>net.inet.udp.log_in_vain: 1
>
>And I have plenty of strange connection attempts on the UDP protocol:
>
> Connection attempt to UDP xx.xx.x.xxx:55414 from 192.43.172.34:53
> Apr 13 23:56:53 pals /kernel: Connection attempt to UDP xx.xx.x.xxx:55414 from 192.43.172.34:53
> Connection attempt to UDP xx.xx.x.xxx:12545 from 192.42.93.36:53
> Apr 13 23:56:54 pals /kernel: Connection attempt to UDP xx.xx..xxx:12545 from 192.42.93.36:53
> Connection attempt to UDP xx.xx.x.xxx:44308 from 192.42.93.36:53
>
>I know that those connections are from DNS, but why does the kernel log such a thing?
>I have a stateful firewall, all traffic to any port on the UDP protocol is denied, and
>only those UDP datagrams from my resolver are passed back through dynamic rules.
>These connections are caused by returned queries from DNS servers.
>Is it normal to have connection attempts of this type?
>
>Can anybody help me solve my problem?

Yes, it is normal. What happens is:

1) your system has to resolve a name, so it sends queries to all(?) the multiple NS listed in /etc/resolv.conf;
2) as soon as it gets the reply from one of the queried NS, it unbinds the UDP socket(s) it was listening on;
3) the slower-answering NS packets are still forwarded back by your stateful firewall, but as your resolver process is no longer listening, these later replies are logged as unattended connection attempts.

This could also happen if some timeout value was reached.

Take this just as a wild guess on my side, as I'm not familiar with the resolver library's internals.

Nothing to care about as long as these "connection attempts" come from the NS that are listed in your resolv.conf.

If you mind about these "false positives", I'd suggest using a log analyzer utility such as /usr/ports/security/logcheck and instructing it to ignore these log entries.

--
Guy
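The filter Guy suggests can be sketched as a small script. This is an added example, not code from either poster or from logcheck; the log lines, the local address 10.0.0.7 and the resolv.conf contents in it are constructed. It parses log_in_vain kernel lines and separates late replies from the configured nameservers (UDP, source port 53) from everything else, which is the same condition a logcheck ignore rule would have to express.

```python
import re
from ipaddress import ip_address

# Constructed sample input: log_in_vain kernel lines of the shape quoted in
# the thread (the local host address 10.0.0.7 and the last two peers are made up).
SAMPLE_LOG = """\
Apr 13 23:56:53 pals /kernel: Connection attempt to UDP 10.0.0.7:55414 from 192.43.172.34:53
Apr 13 23:56:54 pals /kernel: Connection attempt to UDP 10.0.0.7:12545 from 192.42.93.36:53
Apr 13 23:57:10 pals /kernel: Connection attempt to UDP 10.0.0.7:1434 from 198.51.100.9:4821
Apr 13 23:57:12 pals /kernel: Connection attempt to TCP 10.0.0.7:22 from 203.0.113.5:40211
"""

# Constructed /etc/resolv.conf for the same host.
SAMPLE_RESOLV_CONF = """\
domain example.test
nameserver 192.43.172.34
nameserver 192.42.93.36
"""

LINE_RE = re.compile(
    r"Connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) from (?P<src>[\d.]+):(?P<sport>\d+)"
)

def parse_nameservers(resolv_conf: str) -> set:
    """Collect the nameserver addresses from resolv.conf text."""
    servers = set()
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.add(str(ip_address(parts[1])))
    return servers

def classify(log_text: str, nameservers: set) -> dict:
    """Split log_in_vain lines into late DNS replies and everything else.

    A line counts as a late DNS reply only when it is UDP, the source port
    is 53 and the source is a configured resolver; the destination port is
    the ephemeral port the resolver had already closed.
    """
    result = {"late_dns_reply": [], "other": []}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        is_dns_reply = (m["proto"] == "UDP" and m["sport"] == "53"
                        and m["src"] in nameservers)
        result["late_dns_reply" if is_dns_reply else "other"].append(line)
    return result
```

Anything that lands in "other" is what still deserves a look after the resolver noise is set aside.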