Port 53 flood on IPS

Started by dcol, February 08, 2018, 09:50:49 PM

February 08, 2018, 09:50:49 PM Last Edit: February 08, 2018, 10:14:39 PM by dcol
Looking for some opinions on what I am experiencing here on a test server
I set up about 20 or so of the worst hacking countries in a GeoIP IPS user rule. I called the rule CountryDrop.
Now I see constant port 53 blocks, as per the alert sample below. This is flooding my alerts.

2018-02-08T13:29:36.929368-0700   blocked   wan   89.238.172.15   53   98.100.100.100   36400   CountryDrop   
2018-02-08T13:29:36.929368-0700   blocked   wan   89.238.172.15   53   98.100.100.100   36400   CountryDrop   
2018-02-08T13:29:35.102353-0700   blocked   wan   52.16.170.168   53   98.100.100.100   42588   CountryDrop   
2018-02-08T13:29:35.102353-0700   blocked   wan   52.16.170.168   53   98.100.100.100   42588   CountryDrop   
2018-02-08T13:29:35.099439-0700   blocked   wan   52.16.170.168   53   98.100.100.100   61676   CountryDrop   
2018-02-08T13:29:35.099439-0700   blocked   wan   52.16.170.168   53   98.100.100.100   61676   CountryDrop   
2018-02-08T13:29:34.094185-0700   blocked   wan   52.211.135.60   53   98.100.100.100   48337   CountryDrop   
2018-02-08T13:29:34.094185-0700   blocked   wan   52.211.135.60   53   98.100.100.100   48337   CountryDrop   
2018-02-08T13:29:34.090273-0700   blocked   wan   52.211.98.161   53   98.100.100.100   60257   CountryDrop   
2018-02-08T13:29:34.090273-0700   blocked   wan   52.211.98.161   53   98.100.100.100   60257   CountryDrop   
2018-02-08T13:29:33.088055-0700   blocked   wan   52.211.135.60   53   98.100.100.100   18155   CountryDrop   
2018-02-08T13:29:33.088055-0700   blocked   wan   52.211.135.60   53   98.100.100.100   18155   CountryDrop   
2018-02-08T13:29:33.083584-0700   blocked   wan   52.211.98.161   53   98.100.100.100   52195   CountryDrop   
2018-02-08T13:29:33.083584-0700   blocked   wan   52.211.98.161   53   98.100.100.100   52195   CountryDrop   
2018-02-08T13:29:30.076034-0700   blocked   wan   52.16.170.168   53   98.100.100.100   58362   CountryDrop   
2018-02-08T13:29:30.076034-0700   blocked   wan   52.16.170.168   53   98.100.100.100   58362   CountryDrop
2018-02-08T13:29:30.072087-0700   blocked   wan   52.211.135.60   53   98.100.100.100   35872   CountryDrop   
2018-02-08T13:29:30.072087-0700   blocked   wan   52.211.135.60   53   98.100.100.100   35872   CountryDrop   
2018-02-08T13:29:27.067258-0700   blocked   wan   52.16.170.168   53   98.100.100.100   43580   CountryDrop   
2018-02-08T13:29:27.067258-0700   blocked   wan   52.16.170.168   53   98.100.100.100   43580   CountryDrop   
2018-02-08T13:29:27.056593-0700   blocked   wan   52.211.135.60   53   98.100.100.100   16827   CountryDrop   
2018-02-08T13:29:27.056593-0700   blocked   wan   52.211.135.60   53   98.100.100.100   16827   CountryDrop   
2018-02-08T13:29:24.049596-0700   blocked   wan   52.16.170.168   53   98.100.100.100   48315   CountryDrop   
2018-02-08T13:29:24.049596-0700   blocked   wan   52.16.170.168   53   98.100.100.100   48315   CountryDrop   
2018-02-08T13:29:24.038289-0700   blocked   wan   52.211.98.161   53   98.100.100.100   36898   CountryDrop   
2018-02-08T13:29:24.038289-0700   blocked   wan   52.211.98.161   53   98.100.100.100   36898   CountryDrop

Most of this port 53 traffic is coming from Sweden and the Netherlands.
Is this a DOS attack from these countries, or is this legitimate traffic trying to probe for DNS info? By the way, I do not have a DNS server running on this network. IP 98.100.100.100 would be my local workstation traffic.
If I remove the GeoIP ruleset from IPS, then this traffic would just end up in the firewall alerts if I used a GeoIP firewall rule. And I did not see this traffic yesterday. The only change I made today was to update to 18.1.12. And I already had the IPS -drop patch installed in 18.1.11 two days ago.

Just looking for some opinions on this traffic.
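As an added triage example (not part of the original post or of OPNsense): a script that parses alert lines in the layout of the sample above and classifies each as response-shaped (source port 53 toward an ephemeral port, which is how a DNS reply that no longer matches a firewall state looks) or query-shaped (destination port 53). The four copied lines come from the sample; the fifth line and the threshold are constructed.

```python
"""Triage port-53 alerts: response-shaped (replies with no matching state) vs
query-shaped (inbound lookups). Fields per line, whitespace separated:
timestamp action interface src_ip src_port dst_ip dst_port rule"""
from collections import Counter, defaultdict

# Constructed sample: four lines copied from the alert sample in the post plus
# one constructed query-shaped line (203.0.113.9 is documentation address space).
SAMPLE_ALERTS = """
2018-02-08T13:29:36.929368-0700   blocked   wan   89.238.172.15   53   98.100.100.100   36400   CountryDrop
2018-02-08T13:29:35.102353-0700   blocked   wan   52.16.170.168   53   98.100.100.100   42588   CountryDrop
2018-02-08T13:29:34.094185-0700   blocked   wan   52.211.135.60   53   98.100.100.100   48337   CountryDrop
2018-02-08T13:29:30.076034-0700   blocked   wan   52.16.170.168   53   98.100.100.100   58362   CountryDrop
2018-02-08T13:29:20.000000-0700   blocked   wan   203.0.113.9   44123   98.100.100.100   53   CountryDrop
"""
EPHEMERAL_MIN = 1024  # ports at or above this are treated as client-side ports

def parse_alert(line):
    """Split one alert line into a dict; None for blank or malformed lines."""
    f = line.split()
    if len(f) < 8:
        return None
    return {"src": f[3], "sport": int(f[4]), "dst": f[5], "dport": int(f[6])}

def classify(alert):
    """Source port 53 toward an ephemeral port is how a DNS *reply* looks; with
    no matching firewall state it is a late or unsolicited reply and dropping it
    is correct. Destination port 53 means someone is asking this IP for DNS."""
    if alert["sport"] == 53 and alert["dport"] >= EPHEMERAL_MIN:
        return "response-shaped"
    if alert["dport"] == 53:
        return "query-shaped"
    return "other"

def summarize(text):
    """Count alerts by shape overall and per source address."""
    shapes, per_source = Counter(), defaultdict(Counter)
    for line in text.splitlines():
        alert = parse_alert(line)
        if alert is None:
            continue
        shape = classify(alert)
        shapes[shape] += 1
        per_source[alert["src"]][shape] += 1
    return {"shapes": dict(shapes),
            "per_source": {s: dict(c) for s, c in per_source.items()}}

if __name__ == "__main__":
    for src, counts in summarize(SAMPLE_ALERTS)["per_source"].items():
        print(f"{src:16} {counts}")
```

Run it against a full export: a pile of response-shaped hits with no query-shaped ones means replies arriving after their states closed (or unsolicited ones), which the stateful firewall is right to drop without any allow rule for upstream resolvers.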

Thinking about whether blocking entire countries is a good idea.
Wouldn't you be safer covering a selected number of attacking IPs from all over the world instead of countries?

Something like: https://iplists.firehol.org/

Found it to be more helpful (more dropped stuff and also better performance wise) than GeoIP blocking.

Firehol lists are very good IMO.
OPNsense v18 | HW: Gigabyte Z370N-WIFI, i3-8100, 8GB RAM, 60GB SSD, | Controllers: 82575GB-quad, 82574, I221, I219-V | PPPoE: RDS Romania | Down: 980Mbit/s | Up: 500Mbit/s

Team Rebellion Member

I agree, Firehol is great for IPS in a general use firewall.

I did an inspection of the last 25 or so IPs of the blocked country hits with GeoIP and none of them were in the firehol list. But I did move the Scandinavian countries to the firewall. That reduced my IPS hits by 50%. But it could change tomorrow.

If I were running a firewall for internet users, I would open up all those countries and use a more conservative approach, but this firewall is for web and email servers that have no business outside the US and a few select countries. If I add a local workstation network to one of these firewalls, then I would use GeoIP in the firewall only to block traffic to the servers and firehol to block traffic to the workstations and not use GeoIP blocking in IPS at all.

My custom drop IPS rules get rid of 95% of unwanted WAN traffic by dropping unused ports, which IMO is the best approach in any environment that has a trusted internal network, but it does require close monitoring in the beginning. This paired with custom pass rules to match known good outbound ports and inbound IPs reduces stress on IPS. Now that OPNsense has better IPS monitoring, this approach is my favorite and simple to maintain in the long haul.

Ultimately the firewall configuration should match the usage. There really is no 'one size fits all' solution.

Without knowing additional details it's hard to tell why you see that in IPS.

The closest thing I've seen on my network regarding port 53 was when I ran DNS benchmark tools on my desktop. There must've been faulty TTL or something because after the test was completed, I saw tons of blocked DNS entries in my firewall log as if the DNS traffic finally came back after the states were closed.

I also see a lot of DNS traffic when using Chrome without browsing to any websites.

February 10, 2018, 09:06:40 PM #4 Last Edit: February 10, 2018, 09:18:17 PM by dcol
But what I am really curious about is whether this DNS traffic could be legit. Maybe it is other DNS servers doing legit queries to the OPNsense DNS Resolver. Although most of these IPs are from the top 10 hacker countries.
Should I allow port 53 from any external IP other than my own ISP DNS servers?
By the way there are no computers running on the source port, only OPNsense.

No way, you should never allow access to your DNS server from the internet. Never ever :) The proper way to access your internal DNS server, if needed, is via a VPN (if coming from the internet)...

Not running a DNS server on that IP unless you consider OPNsense a DNS server. I thought that the DNS Resolver was just for internal queries. I use the ISP for external.

Man, I get a lot of hits on that port, probably about 1000 an hour. And this is not even a well-used IP, just a testing server I turn on when I need to test stuff. Glad IPS is blocking it.

It is for internal queries, that is why it should never be opened to the internet. But it also forwards queries to your upstream DNS servers (as all DNS servers do), so theoretically it could be used from the internet.

1000 blocked connections/h sounds to me like a targeted attack at least, if not a flood. If I were you, I would also verify the LAN clients and check if there's malware somewhere sending data to the outside world... It is definitely way above normal traffic "noise".

There are no LAN users on that firewall, yet. And it is the LAN IP that is getting hit, not the server IP.
DNS has outbound access to forward queries and that seems to be working ok as are internal queries.
They keep on coming. You would think it would stop since they aren't getting any response. And it is always a different IP from those hacking countries.

Well.. the US is a heavily targeted country, many attacks go there... The attackers must like your IP :P

Strange that you're being targeted as if you're a highly valued target.

I agree that you should keep blocking that inbound DNS traffic. DNS queries should be stateful in the firewall in this order: LAN to WAN to LAN. DNS in practice shouldn't be accepted if unsolicited from WAN.

Problem is some may be responses to my DNS queries from OPNsense Unbound. I do not run a DNS server. So I now let them in but hardened my GeoIP block and added firehol. Should I really just block all inbound port 53? Except of course my own ISP DNS IPs.

Quote from: dcol on February 14, 2018, 03:59:34 PM
Problem is some may be responses to my DNS queries from OPNsense Unbound. I do not run a DNS server.
No, they should not.

Quote from: dcol on February 14, 2018, 03:59:34 PM
So I now let them in but hardened my GeoIP block and added firehol. Should I really just block all inbound port 53? Except of course my own ISP DNS IPs.
Yes, you should block all inbound port 53 and, as has already been said, you should never allow a local DNS server to be seen by anything on the internet. I run a local DNS server and I have no specific ports open (inbound or outbound) that relate to DNS; my systems all work fine.

Just out of interest, is your DNS server located on the LAN or WAN interface?
Regards
Bill

I don't have a DNS server; I use Unbound (DNS Resolver) and the ISP DNS.
I will shut down port 53 and allow only traffic from the ISP DNS servers.

Quote from: dcol on February 14, 2018, 08:31:58 PM
I don't have a DNS server; I use Unbound (DNS Resolver) and the ISP DNS.
I will shut down port 53 and allow only traffic from the ISP DNS servers.
You should not need to 'allow' any DNS servers access to anything inside your network. As I mentioned, I use a DNS authoritative server and DNS recursor inside my LAN and no external server needs specific access to my recursor.
Regards
Bill