This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

High amount of requests to port udp/53 on internet interface

Hey,

I´m currently investigating an unusual phenomena. Last year, the graph of dropped packtets on one of my firewalls spiked by up to 400%. I took a look into the logging and today I can still see, that requests from more than 180000 host to the external interface of this firewall were made, this are about ~13 requests per second. DNS Resolver is not allowed on the external interface and all connections are dropped subsequently. The source addresses are from all over the world.

But where do all these requests result from? I have no logical answer different to, that this is kind of an DDoS.

Any other ideas? What would you do? I could use a different external address, there is a unused one. The ISP also doesn´t have any clue....

Nice weekend!

This thread was automatically locked due to age.

0 dirkkotte over 8 years ago

i would ignore this. ... or ask why someone should try to DDOS a non existing DNS-Server.

changing the ip would reduce a little bit of the UTM load. but bandwidth consuming stay.

Possible a "drop without logging" rule for incoming DNS requests shorten the logfile... if packets are logged currently.
Cancel
Vote Up 0 Vote Down

Cancel
0 seroal over 8 years ago in reply to dirkkotte

Hi,

thanks for your point of view. Regarding my DDoS Statement, yes, there is no dns service reachable, but I wanted to highlight the coordindated way, that this looks like. I really have no idea, what other reason this could result from.

And yes, that´s a good idea with the rule avoid logging.

BR

Sebastian
Cancel
Vote Up 0 Vote Down

Cancel