What is going on if DNS packets from China get blocked?

Hi folks,


I read this in our weekly UTM9 report:

Most blocked source IP address is 42.120.221.11 (China), port 53 (DNS), 161.684 packets blocked.

Destination IP is the internet interface on the Sophos.

So what does that mean? Why are they sending that many packets?

Kind regards,


Stefan



  • I'm assuming ATP is blocking these packets?

    https://www.virustotal.com/en/ip-address/42.120.221.11/information/

    Check logs on your DNS server to see what website is being accessed at the time ATP is being triggered. 

  • Hi,


    Thanks for your answer.

    The packets are being blocked by the packet filter, not the ATP.

    I can't find anything special on the DNS server. The virustotal page mentions a type of virus that wasn't reported last week, which is why I didn't mention it. Also, this would be traffic with a source IP inside the LAN if it was a virus trying to contact that Chinese server.


    The only logs I find are the Packet Filter logs mentioning source IP 42.120.221.11 trying to contact our DNS server (port 53) via our internet interface. Every single packet was dropped, mentioning fwrule="60001" (Input Default Drop) as explained here: https://www.sophos.com/en-us/support/knowledgebase/115029.aspx

    So why were these 161.684 packets sent to us from Friday 19:00 till Sunday 07:00, if we didn't ask for them?

    Is this an attempt to DDOS? This started with a rate of 32 frames per second.

  • Probably not a DDOS as all packets came from the one IP.  Maybe a brute force attempt to poison your DNS cache - were all packets srcport="53" and dstport random?

    Cheers - Bob

  • Nope, destination port was always 28106...

    Time Action Rule Interface IN Interface OUT Source MAC Destination MAC Source IP Destination IP Protocol Length TTL Source Port Destination Port
    2016:04:29-19:30:44 drop 60001 eth4.231 124 00:1f:9f:xx:xx:xx 00:1a:8c:xx:xx:xx 42.120.221.11 192.168.254.2 17 0x20 113 53 28106
    2016:04:29-19:30:44 drop 60001 eth4.231 124 00:1f:9f:xx:xx:xx 00:1a:8c:xx:xx:xx 42.120.221.11 192.168.254.2 17 0x20 113 53 28106
    2016:04:29-19:30:44 drop 60001 eth4.231 124 00:1f:9f:xx:xx:xx 00:1a:8c:xx:xx:xx 42.120.221.11 192.168.254.2 17 0x20 113 53 28106
    2016:04:29-19:30:44 drop 60001 eth4.231 124 00:1f:9f:xx:xx:xx 00:1a:8c:xx:xx:xx 42.120.221.11 192.168.254.2 17 0x20 113 53 28106
    2016:04:29-19:32:13 drop 60001 eth4.231 124 00:1f:9f:xx:xx:xx 00:1a:8c:xx:xx:xx 42.120.221.11 192.168.254.2 17 0x20 113 53 28106
    2016:04:29-19:35:42 drop 60001 eth4.231 124 00:1f:9f:xx:xx:xx 00:1a:8c:xx:xx:xx 42.120.221.11 192.168.254.2 17 0x20 113 53 28106
    2016:04:29-19:40:44 drop 60001 eth4.231 124 00:1f:9f:xx:xx:xx 00:1a:8c:xx:xx:xx 42.120.221.11 192.168.254.2 17 0x20 113 53 28106
    2016:04:29-19:47:26 drop 60001 eth4.231 124 00:1f:9f:xx:xx:xx 00:1a:8c:xx:xx:xx 42.120.221.11 192.168.254.2 17 0x20 113 53 28106
    2016:04:29-19:50:05 drop 60001 eth4.231 124 00:1f:9f:xx:xx:xx 00:1a:8c:xx:xx:xx 42.120.221.11 192.168.254.2 17 0x20 113 53 28106
    2016:04:29-19:50:59 drop 60001 eth4.231 124 00:1f:9f:xx:xx:xx 00:1a:8c:xx:xx:xx 42.120.221.11 192.168.254.2 17 0x20 113 53 28106
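A small parser for the packet filter export format quoted above, added here as an example (it is not from the thread or from Sophos), that answers Bob's question programmatically: per source IP it counts dropped UDP packets on rule 60001, the number of distinct destination ports, whether every source port was 53, and the observed rate. The 42.120.221.11 rows mirror the thread; the 203.0.113.9 rows are constructed for contrast.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample in the layout of the packet filter log export quoted in the
# thread (the "Interface OUT" column is empty there, so fields are taken by
# position from the row as printed). The 203.0.113.9 source is invented.
SAMPLE_LOG = """\
2016:04:29-19:30:44 drop 60001 eth4.231 124 00:1f:9f:xx:xx:xx 00:1a:8c:xx:xx:xx 42.120.221.11 192.168.254.2 17 0x20 113 53 28106
2016:04:29-19:30:44 drop 60001 eth4.231 124 00:1f:9f:xx:xx:xx 00:1a:8c:xx:xx:xx 42.120.221.11 192.168.254.2 17 0x20 113 53 28106
2016:04:29-19:32:13 drop 60001 eth4.231 124 00:1f:9f:xx:xx:xx 00:1a:8c:xx:xx:xx 42.120.221.11 192.168.254.2 17 0x20 113 53 28106
2016:04:29-19:50:59 drop 60001 eth4.231 124 00:1f:9f:xx:xx:xx 00:1a:8c:xx:xx:xx 42.120.221.11 192.168.254.2 17 0x20 113 53 28106
2016:04:29-20:00:01 drop 60001 eth4.231 124 00:1f:9f:xx:xx:xx 00:1a:8c:xx:xx:xx 203.0.113.9 192.168.254.2 17 0x20 55 53 41022
2016:04:29-20:00:01 drop 60001 eth4.231 124 00:1f:9f:xx:xx:xx 00:1a:8c:xx:xx:xx 203.0.113.9 192.168.254.2 17 0x20 55 53 51874
2016:04:29-20:00:02 drop 60001 eth4.231 124 00:1f:9f:xx:xx:xx 00:1a:8c:xx:xx:xx 203.0.113.9 192.168.254.2 17 0x20 55 53 33190
"""

def parse_row(line):
    """Split one exported row into the fields this analysis needs."""
    f = line.split()
    return {
        "time": datetime.strptime(f[0], "%Y:%m:%d-%H:%M:%S"),
        "action": f[1], "rule": f[2],
        "src_ip": f[7], "dst_ip": f[8], "proto": f[9],   # proto 17 = UDP
        "sport": int(f[-2]), "dport": int(f[-1]),
    }

def summarize(log_text, rule="60001"):
    """Per source IP: packets, distinct dst ports, source-port check, span, rate."""
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        row = parse_row(line)
        if row["action"] == "drop" and row["rule"] == rule and row["proto"] == "17":
            per_src[row["src_ip"]].append(row)
    out = {}
    for src, rows in per_src.items():
        dports = {r["dport"] for r in rows}
        sports = {r["sport"] for r in rows}
        span = (max(r["time"] for r in rows) - min(r["time"] for r in rows)).total_seconds()
        # Bob's test: port guessing against a resolver shows up as source port 53
        # with many different destination ports; one fixed port does not fit that.
        guessing = sports == {53} and len(dports) > 1
        out[src] = {
            "packets": len(rows), "distinct_dports": len(dports),
            "all_sport_53": sports == {53}, "span_s": span,
            "pps": len(rows) / span if span else float(len(rows)),
            "verdict": ("random dport responses (fits cache-poison guessing)"
                        if guessing else "single fixed dport (not port guessing)"),
        }
    return out
```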