Sophos UTM Firewall Being Flooded With UDP Packets

Okay, I have a Sophos UTM 9 Firewall set up. I have built two BIND DNS servers: one internal for doing recursive queries, and one for an external domain with no recursion (so it doesn't act as if it's an open resolver).

I've correctly configured DNATs for external as follows:

And the following Firewall Rule:

Everything works fine when turned on, except my Firewall log keeps getting hammered with traffic:

on port 53 from several different random public IPs.


I've done some research online, and have read in many cases that this is normal. I have IPS on and configured correctly. UDP flood protection is on (which I've set to low to test).

I've also configured a group of these public IPs to DROP automatically via a Firewall rule. Although the packets are being dropped, I'm still being flooded with UDP:53 attempts, and my firewall log keeps building up into the Gigabytes. However, if I turn my NAT rule back on along with the Firewall rule, these public IPs are able to get in, with the NAT rule taking precedence over the:

  rule set.

I have millions of packets being filtered daily, all from random IPs on port 53. My CPU doesn't get pegged out, but everything is slow on the DNS side when these rules are turned back on. Should I be putting the external DNS in a DMZ even though its recursion is turned off?


Thank you for any ideas!
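As an added illustration (not from the original post or from Sophos), here is a small Python parser for the key="value" packetfilter lines that the UTM writes to its firewall log, which answers the question a defender asks first when the log grows by gigabytes: which sources and which service are actually driving the drop volume. The log lines below are constructed samples in that format, not the poster's real log.

```python
import re
from collections import Counter

# Constructed sample lines in the Sophos UTM ulogd packetfilter format (not real traffic).
SAMPLE_LOG = """\
2019:05:01-10:00:01 utm ulogd[4242]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="198.51.100.7" dstip="203.0.113.10" proto="17" length="60" srcport="40000" dstport="53"
2019:05:01-10:00:01 utm ulogd[4242]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="198.51.100.7" dstip="203.0.113.10" proto="17" length="60" srcport="40001" dstport="53"
2019:05:01-10:00:02 utm ulogd[4242]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="192.0.2.55" dstip="203.0.113.10" proto="17" length="60" srcport="1234" dstport="53"
2019:05:01-10:00:02 utm ulogd[4242]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="192.0.2.77" dstip="203.0.113.10" proto="6" length="60" srcport="5555" dstport="22"
2019:05:01-10:00:03 utm ulogd[4242]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="1" initf="eth1" srcip="192.0.2.9" dstip="203.0.113.10" proto="6" length="60" srcport="5556" dstport="443"
"""

# Every field after the syslog prefix is key="value"; this captures them all.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Return the key/value fields of one packetfilter line (empty dict if none)."""
    fields = dict(KV_RE.findall(line))
    if fields:
        fields["timestamp"] = line.split(" ", 1)[0]
    return fields


def is_udp53_drop(fields):
    """True for a dropped UDP datagram addressed to port 53 (proto 17 = UDP)."""
    return (fields.get("sub") == "packetfilter" and fields.get("action") == "drop"
            and fields.get("proto") == "17" and fields.get("dstport") == "53")


def udp53_drops_by_source(log_text):
    """Count dropped UDP/53 packets per source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_line(line)
        if is_udp53_drop(fields):
            counts[fields["srcip"]] += 1
    return counts


def top_sources(log_text, n=10):
    """The n source IPs sending the most dropped UDP/53 packets, highest first."""
    return udp53_drops_by_source(log_text).most_common(n)


def udp53_share(log_text):
    """Fraction of all dropped packets that are UDP/53, i.e. how much of the log is DNS noise."""
    dropped = [f for f in map(parse_line, log_text.splitlines()) if f.get("action") == "drop"]
    return sum(is_udp53_drop(f) for f in dropped) / len(dropped) if dropped else 0.0
```

A high `udp53_share` with many distinct sources at low counts each is the pattern the poster describes; a few sources at very high counts is what a per-source block list can actually reduce.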



This thread was automatically locked due to age.
  • From a security standpoint, that makes sense and should protect you from most things on your internal network.  However, watch outbound traffic very closely from your DNS server if you go that route.  Harden it completely (CIS benchmark, plus BIND hardening) and monitor it very closely.  Again, since it is a heavily attacked service, it *could* lead to your IP getting blacklisted.  If your DNS is hosted on a dynamic address, it could also lead to it being blocked by some providers as well.  It really is a mixed bag and, like Bob said, it is just not as easy as it was in the past.  It won't hurt at all to try for a bit, but I can tell you from experience, removing your (really, your ISP's) IP address from blacklists of any sort is a giant PITA.
