From: Matthew Seaman
To: freebsd-questions@freebsd.org
Date: Thu, 04 Jun 2015 18:52:11 +0100
Subject: Re: port 53 under attack
Message-ID: <5570904B.6020606@infracaninophile.co.uk>
In-Reply-To: <1433439162.48400.0.camel@pki2.com>

On 04/06/2015 18:32, Dennis Glatting wrote:
>> I am NOT running a dns server. So all these inbound hits on port 53 are
>> just bad guys fishing for an open dns server and blocking them like I am
>> doing is the correct thing to do?
>
> Don't send ICMP failures. Just drop the packets.
200k packets per day to port 53 when there's nothing listening there is quite a lot. You may be unlucky in that your IP is similar to an IP where a DNS server is running and the script kiddies have somehow made a paste-o and got your address.

Even though it's a bit more than the usual quantity, this is pretty much usual 'background radiation' for the internet. You'll find any number of scoundrel-written bots searching for ssh or ftp servers to try and brute-force, and speculative attempts to exploit various web server vulnerabilities (got to love those people that try and use IIS exploits against nginx...), and so forth. None of it is likely to be directed at you specifically.

Like Dennis said: just drop it all at your firewall. *Drop* rather than block, so all the traffic just disappears into a black-hole.

Cheers,

Matthew
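As an added illustration of the "drop, don't reject" advice in this thread (this fragment is not part of Matthew's or Dennis's messages), here is what the distinction looks like in a FreeBSD pf.conf. The interface name em0 is an assumption; the rules themselves use only standard pf syntax. The point is the keyword on the block rule: `drop` silently discards the packet, while `return` answers with a TCP RST or ICMP port-unreachable, which is exactly the "ICMP failure" Dennis says not to send.

```pf
# Assumed external interface name; replace with the real one.
ext_if = "em0"

# Make silent drop the default for every block rule that does not say otherwise.
# (drop is already pf's default block-policy; stating it makes the intent explicit.)
set block-policy drop
set skip on lo0

# Nothing listens on port 53 on this host, so discard inbound DNS probes
# without any reply. "log" still records them to pflog0 so the volume can be
# measured, but the sender never learns whether the address is alive.
block drop in log quick on $ext_if proto { tcp, udp } from any to ($ext_if) port 53

# Contrast (left commented out on purpose): this would answer every probe with
# a TCP RST or ICMP port-unreachable, i.e. the behaviour being advised against.
# block return in quick on $ext_if proto { tcp, udp } from any to ($ext_if) port 53

# Outbound traffic, including the host's own DNS lookups, is allowed and
# tracked by state. Replies to those lookups come back to the ephemeral source
# port, not to local port 53, so the drop rule above does not break resolving.
pass out quick on $ext_if keep state

# Everything else inbound is dropped silently as well.
block drop in on $ext_if
```

Load it with `pfctl -nf /etc/pf.conf` first (syntax check only), then `pfctl -f /etc/pf.conf`. To confirm the probes are being swallowed rather than answered, watch the log interface with `tcpdump -n -e -ttt -i pflog0 port 53`; a count of logged drops per day from `/var/log/pflog` is also a quick way to check whether the 200k-per-day figure is holding steady or tailing off once the host stops responding.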