This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPS: PROTOCOL-DNS DNS query amplification attempt

Wondering if anyone else is seeing this...

I get these warnings from only one client's UTM. The logs show that these blocks have occurred since installation in 2016

1657 attacks from 75 IPs in 2017
9282 from 63 in 2018
16915 from 54 in 2019
18111 from 80 in 2020
5212 from 57 so far in 2021

A total of 61366 attacks from 343 different IPs since installation. This feels like a botnet, but I'm not familiar with the attempted exploit. Maybe preparation fro a DDoS, but why would it be over 4 years in preparation?

Cheers - Bob

This thread was automatically locked due to age.

Top Replies

Prism over 4 years ago +1

Hello, Is there any DNS Server being exposed to the Internet ? Also, this is the XG Forum, not the UTM.

Parents

Prism over 4 years ago

Hello,

Is there any DNS Server being exposed to the Internet ?

Also, this is the XG Forum, not the UTM.
Cancel
Vote Up +1 Vote Down

Cancel
BAlfson over 4 years ago in reply to Prism

Arrgh! Something moved the entire UTM Network Protection forum to the community.sophos.com/xg-firewall directory. I've messaged FloSupport about this.

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel
BAlfson over 4 years ago in reply to BAlfson

Oh, FloSupport fixed it within two hours after I sent the PM. Go Florentino!

Thanks, Prism, that hint made me analyse the client's DNS Proxy configuration - the person that set it up hadn't read my DNS best practice.

Cheers - Bob
Cancel
Vote Up +1 Vote Down

Cancel

Reply

BAlfson over 4 years ago in reply to BAlfson

Oh, FloSupport fixed it within two hours after I sent the PM. Go Florentino!

Thanks, Prism, that hint made me analyse the client's DNS Proxy configuration - the person that set it up hadn't read my DNS best practice.

Cheers - Bob
Cancel
Vote Up +1 Vote Down

Cancel

Children

No Data