Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 2 replies
  • Subscribers 5 subscribers
  • Views 1619 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

High amount of requests to port udp/53 on internet interface

seroal

Hey,

 

I´m currently investigating an unusual phenomena. Last year, the graph of dropped packtets on one of my firewalls spiked by up to 400%. I took a look into the logging and today I can still see, that requests from more than 180000 host to the external interface of this firewall were made, this are about ~13 requests per second. DNS Resolver is not allowed on the external interface and all connections are dropped subsequently. The source addresses are from all over the world.

 

But where do all these requests result from? I have no logical answer different to, that this is kind of an DDoS. 

 

Any other ideas? What would you do? I could use a different external address, there is a unused one. The ISP also doesn´t have any clue....

 

Nice weekend!



This thread was automatically locked due to age.
Parents
  • 0

    i would ignore this. ... or ask why someone should try to DDOS a non existing DNS-Server.

    changing the ip would reduce a little bit of the UTM load. but bandwidth consuming stay.

    Possible a "drop without logging" rule for incoming DNS requests shorten the logfile... if packets are logged currently.

     

     

  • 0 in reply to dirkkotte

    Hi,

    thanks for your point of view. Regarding my DDoS Statement, yes, there is no dns service reachable, but I wanted to highlight the coordindated way, that this looks like. I really have no idea, what other reason this could result from.

    And yes, that´s a good idea with the rule avoid logging.

     

     

    BR

    Sebastian

Reply
  • 0 in reply to dirkkotte

    Hi,

    thanks for your point of view. Regarding my DDoS Statement, yes, there is no dns service reachable, but I wanted to highlight the coordindated way, that this looks like. I really have no idea, what other reason this could result from.

    And yes, that´s a good idea with the rule avoid logging.

     

     

    BR

    Sebastian

Children
No Data