Koozali.org: home of the SME Server

SME server sending DNS queries to root name servers - is this normal?

Offline purvis

one of my sme servers is apparently sending DNS Backbone DDoS Attacks to all of the root-servers.net locations
i did not have this problem until recently.
i did some updates from the server-manager.
on this sme server, i am the only one that has control over this machine.
right now the machine is not being used by anybody but me and i have had very little interaction with this sme server.

i was wondering if others were having the same problem.

the activity is very small but if there are a lot in the world, it can add up.

i use the wallwatcher program to watch activity of what goes out and in from the router hooked up to the internet.
i do few updates to any server and it has probably been months before i did any updates to the server until the beginning of this month.
i will have to do a new install which is ok but will take some time.


« Last Edit: June 11, 2008, 05:53:13 PM by purvis »

Offline CharlieBrady

Re: DNS Backbone DDoS Attacks from one of my sme servers
« Reply #1 on: June 10, 2008, 03:09:43 PM »
one of my sme servers is apparently sending DNS Backbone DDoS Attacks to all of the root-servers.net locations

What makes you say that?


Offline purvis

Re: DNS Backbone DDoS Attacks from one of my sme servers
« Reply #2 on: June 10, 2008, 04:49:09 PM »
do you want a log

Offline CharlieBrady

Re: DNS Backbone DDoS Attacks from one of my sme servers
« Reply #3 on: June 10, 2008, 06:01:37 PM »
do you want a log

No, I want you to describe what you have seen which led you to conclude that your server is being used for a "DNS Backbone DDoS Attack".

My guess is that you have seen the SME server doing perfectly ordinary DNS lookups, just as it is designed to do.

Offline purvis

Re: DNS Backbone DDoS Attacks from one of my sme servers
« Reply #4 on: June 10, 2008, 07:37:46 PM »
here is a log created by wallwatcher and i scrubbed out all activity other than root-servers.net
from what i have seen this is a dos attack on those servers.
this sme server is a system that is running and the only ports going to it are 80 110 443 25 and maybe one other.
i will try to see what is happening at other locations
Charlie,
i do not do very much at all with this computer, basically it has been dormant in a sense.
i had worked with it very little and i was planning on using it as an email server sometime ago.
i placed a few files on the server as just a backup to my computer many moons ago.
because i am now back to trying to figure out whether i want to use it as an email server i did updates from the server-manager.
maybe some computer attacked this server.  i did not write down when it did the update but it was about the time this all started.
i do not review logs very often, i had an employee going to myspace in a virtual machine that we use for accessing the internet.
i started monitoring the activity because i do not want any sites visited that do not have to do with business and the risk it brings on.


i am not sure what's happening but it would seem logical to first look at the updates if sme server is supposed to be a very secure server.
in all honesty my admin password was not the best.
i did some lookups on the internet and had seen quite a few hits on "centos" and "root-server.net"
i will have to reinstall sme server soon, as i do not want to be the source of any bad things even if they do not damage my data or system.
but i wanted to see if i could identify the problem.
maybe i can some way show what addons i am running, it should be very few.

wallwatcher is free, but runs under windows.
i have wallwatcher running at 3 locations with sme servers at those locations.
this is the first time and the only time i have seen any sme server doing outbound activity that did not seem right.

i do not like to bring problems to the table, but this is where i felt i should report it even if it did not come from updates
so that others can lookout for it too.

charlie thanks for the reply
i would not even mind giving you access to the server thru port 22 if you would like after i backup and erase any sensitive data.

the log has been cut down
i will trim it down after the discussion to reduce space used on the forum server
the server is attacking on port 53

""2008/06/09   07:57:20.32   O      192.36.148.17   i.root-servers.net   53   192.168.0.190   45725""
""2008/06/09   07:58:16.02   O      192.228.79.201   b.root-servers.net   53   192.168.0.190   44963""
""2008/06/09   07:58:16.02   O      198.41.0.4   a.root-servers.net   53   192.168.0.190   15717""
""2008/06/09   07:58:16.02   O      198.41.0.4   a.root-servers.net   53   192.168.0.190   9419""
""2008/06/09   07:58:16.02   O      192.112.36.4   g.root-servers.net   53   192.168.0.190   62994""
""2008/06/09   07:58:16.02   O      192.228.79.201   b.root-servers.net   53   192.168.0.190   63906""
""2008/06/09   08:00:07.56   O      192.33.4.12   c.root-servers.net   53   192.168.0.190   4050""
""2008/06/09   08:00:07.56   O      192.203.230.10   e.root-servers.net   53   192.168.0.190   52751""
""2008/06/09   08:00:07.56   O      192.33.4.12   c.root-servers.net   53   192.168.0.190   12618""
""2008/06/09   08:00:07.56   O      192.203.230.10   e.root-servers.net   53   192.168.0.190   6547""
""2008/06/09   08:00:41.81   O      192.58.128.30   j.root-servers.net   53   192.168.0.190   38218""
""2008/06/09   08:01:34.31   O      192.5.5.241   f.root-servers.net   53   192.168.0.190   23256""
""2008/06/09   08:01:34.31   O      193.0.14.129   k.root-servers.net   53   192.168.0.190   14024""
""2008/06/09   08:01:34.31   O      192.5.5.241   f.root-servers.net   53   192.168.0.190   60652""
""2008/06/09   08:01:34.31   O      128.63.2.53   h.root-servers.net   53   192.168.0.190   35238""
""2008/06/09   08:01:46.56   O      193.0.14.129   k.root-servers.net   53   192.168.0.190   61077""
""2008/06/09   08:02:46.48   O      128.63.2.53   h.root-servers.net   53   192.168.0.190   63718""
""2008/06/09   08:02:46.48   O      202.12.27.33   m.root-servers.net   53   192.168.0.190   23327""
""2008/06/09   08:03:46.56   O      202.12.27.33   m.root-servers.net   53   192.168.0.190   27340""
""2008/06/09   08:06:46.53   O      128.8.10.90   d.root-servers.net   53   192.168.0.190   1176""
""2008/06/09   08:08:46.50   O      192.112.36.4   g.root-servers.net   53   192.168.0.190   62994""
""2008/06/09   08:08:46.50   O      192.58.128.30   j.root-servers.net   53   192.168.0.190   7140""
""2008/06/09   08:11:46.57   O      128.8.10.90   d.root-servers.net   53   192.168.0.190   40990""
""2008/06/09   09:04:46.10   O      192.228.79.201   b.root-servers.net   53   192.168.0.190   63906""
""2008/06/09   09:05:46.12   O      192.33.4.12   c.root-servers.net   53   192.168.0.190   12618""
""2008/06/09   09:05:46.12   O      192.112.36.4   g.root-servers.net   53   192.168.0.190   35988""
""2008/06/09   09:05:46.12   O      192.228.79.201   b.root-servers.net   53   192.168.0.190   45827""
""2008/06/09   09:06:46.09   O      193.0.14.129   k.root-servers.net   53   192.168.0.190   61077""
""2008/06/09   09:06:46.09   O      192.203.230.10   e.root-servers.net   53   192.168.0.190   6547""
""2008/06/09   09:06:46.09   O      193.0.14.129   k.root-servers.net   53   192.168.0.190   32559""
""2008/06/09   09:07:46.12   O      192.203.230.10   e.root-servers.net   53   192.168.0.190   62853""
""2008/06/09   09:07:46.12   O      192.5.5.241   f.root-servers.net   53   192.168.0.190   60652""
""2008/06/09   09:08:46.17   O      192.5.5.241   f.root-servers.net   53   192.168.0.190   40218""
""2008/06/09   09:08:46.17   O      198.41.0.4   a.root-servers.net   53   192.168.0.190   9419""
""2008/06/09   09:09:46.14   O      198.41.0.4   a.root-servers.net   53   192.168.0.190   6929""
""2008/06/09   09:09:46.14   O      192.33.4.12   c.root-servers.net   53   192.168.0.190   34479""
""2008/06/09   09:12:46.14   O      128.63.2.53   h.root-servers.net   53   192.168.0.190   63718""
""2008/06/09   09:14:45.33   O      192.58.128.30   j.root-servers.net   53   192.168.0.190   7140""
""2008/06/09   09:14:45.33   O      192.112.36.4   g.root-servers.net   53   192.168.0.190   35988""
""2008/06/09   09:14:45.33   O      128.63.2.53   h.root-servers.net   53   192.168.0.190   41514""
""2008/06/09   09:15:48.52   O      192.58.128.30   j.root-servers.net   53   192.168.0.190   56151""
""2008/06/09   09:16:48.48   O      192.112.36.4   g.root-servers.net   53   192.168.0.190   50099""
""2008/06/09   09:16:48.48   O      192.203.230.10   e.root-servers.net   53   192.168.0.190   62853""
""2008/06/09   09:17:45.16   O      202.12.27.33   m.root-servers.net   53   192.168.0.190   27340""
""2008/06/09   09:17:45.18   O      128.8.10.90   d.root-servers.net   53   192.168.0.190   40990""
""2008/06/09   09:18:53.51   O      202.12.27.33   m.root-servers.net   53   192.168.0.190   52495""
""2008/06/09   09:18:53.52   O      128.8.10.90   d.root-servers.net   53   192.168.0.190   61604""
""2008/06/09   09:19:53.50   O      193.0.14.129   k.root-servers.net   53   192.168.0.190   32559""
""2008/06/09   09:20:53.43   O      192.203.230.10   e.root-servers.net   53   192.168.0.190   6627""
""2008/06/09   09:24:57.38   O      192.36.148.17   i.root-servers.net   53   192.168.0.190   45725""
""2008/06/09   10:13:29.95   O      192.36.148.17   i.root-servers.net   53   192.168.0.190   28737""
""2008/06/09   10:15:30.03   O      192.228.79.201   b.root-servers.net   53   192.168.0.190   45827""
""2008/06/09   10:15:30.03   O      193.0.14.129   k.root-servers.net   53   192.168.0.190   53007""
""2008/06/09   10:16:29.96   O      192.228.79.201   b.root-servers.net   53   192.168.0.190   4321""
""2008/06/09   10:17:30.05   O      192.33.4.12   c.root-servers.net   53   192.168.0.190   34479""
""2008/06/09   10:18:22.19   O      192.33.4.12   c.root-servers.net   53   192.168.0.190   1901""
""2008/06/09   10:18:22.19   O      202.12.27.33   m.root-servers.net   53   192.168.0.190   52495""
""2008/06/09   10:18:22.19   O      202.12.27.33   m.root-servers.net   53   192.168.0.190   61838""
""2008/06/09   10:18:22.19   O      192.5.5.241   f.root-servers.net   53   192.168.0.190   40218""
""2008/06/09   10:18:22.19   O      192.5.5.241   f.root-servers.net   53   192.168.0.190   64664""
""2008/06/09   10:19:36.16   O      192.112.36.4   g.root-servers.net   53   192.168.0.190   50099""
""2008/06/09   10:21:36.13   O      192.112.36.4   g.root-servers.net   53   192.168.0.190   53622""
""2008/06/09   10:22:22.69   O      198.41.0.4   a.root-servers.net   53   192.168.0.190   6929""
""2008/06/09   10:26:37.48   O      192.5.5.241   f.root-servers.net   53   192.168.0.190   64664""
""2008/06/09   10:27:37.49   O      192.5.5.241   f.root-servers.net   53   192.168.0.190   54996""
""2008/06/09   10:33:38.34   O      192.36.148.17   i.root-servers.net   53   192.168.0.190   28737""
""2008/06/09   11:21:37.79   O      198.41.0.4   a.root-servers.net   53   192.168.0.190   33294""
""2008/06/09   11:23:37.79   O      192.228.79.201   b.root-servers.net   53   192.168.0.190   4321""
""2008/06/09   11:24:12.79   O      128.63.2.53   h.root-servers.net   53   192.168.0.190   41514""
""2008/06/09   11:24:12.79   O      192.228.79.201   b.root-servers.net   53   192.168.0.190   10032""
""2008/06/09   11:24:12.79   O      202.12.27.33   m.root-servers.net   53   192.168.0.190   61838""
""2008/06/09   11:24:12.79   O      192.36.148.17   i.root-servers.net   53   192.168.0.190   19512""
""2008/06/09   11:24:12.79   O      202.12.27.33   m.root-servers.net   53   192.168.0.190   42405""
""2008/06/09   11:24:48.15   O      128.8.10.90   d.root-servers.net   53   192.168.0.190   61604""
""2008/06/09   11:24:48.15   O      192.58.128.30   j.root-servers.net   53   192.168.0.190   56151""
""2008/06/09   11:24:48.15   O      192.58.128.30   j.root-servers.net   53   192.168.0.190   12647""
""2008/06/09   11:25:27.61   O      192.33.4.12   c.root-servers.net   53   192.168.0.190   1901""
""2008/06/09   11:25:27.61   O      128.63.2.53   h.root-servers.net   53   192.168.0.190   42549""
""2008/06/09   11:25:58.00   O      128.8.10.90   d.root-servers.net   53   192.168.0.190   46001""
""2008/06/09   11:26:36.53   O      193.0.14.129   k.root-servers.net   53   192.168.0.190   53007""
""2008/06/09   11:26:36.53   O      193.0.14.129   k.root-servers.net   53   192.168.0.190   22840""
""2008/06/09   11:26:36.53   O      192.112.36.4   g.root-servers.net   53   192.168.0.190   53622""
""2008/06/09   11:26:36.53   O      192.33.4.12   c.root-servers.net   53   192.168.0.190   31111""
""2008/06/09   11:28:01.53   O      192.203.230.10   e.root-servers.net   53   192.168.0.190   6627""
""2008/06/09   11:29:01.46   O      192.203.230.10   e.root-servers.net   53   192.168.0.190   22107""
""2008/06/09   11:30:01.47   O      198.41.0.4   a.root-servers.net   53   192.168.0.190   33294""
""2008/06/09   11:30:01.47   O      198.41.0.4   a.root-servers.net   53   192.168.0.190   47408""
""2008/06/09   11:31:01.46   O      192.112.36.4   g.root-servers.net   53   192.168.0.190   64526""
""2008/06/09   11:33:01.45   O      128.63.2.53   h.root-servers.net   53   192.168.0.190   42549""
""2008/06/09   11:43:01.13   O      192.58.128.30   j.root-servers.net   53   192.168.0.190   12647""
""2008/06/09   11:45:01.11   O      192.228.79.201   b.root-servers.net   53   192.168.0.190   10032""
""2008/06/09   12:32:01.36   O      128.63.2.53   h.root-servers.net   53   192.168.0.190   14808""
""2008/06/09   12:33:01.37   O      192.58.128.30   j.root-servers.net   53   192.168.0.190   20599""
""2008/06/09   12:33:01.37   O      192.203.230.10   e.root-servers.net   53   192.168.0.190   22107""
""2008/06/09   12:33:19.58   O      192.112.36.4   g.root-servers.net   53   192.168.0.190   64526""
""2008/06/09   12:33:19.59   O      192.36.148.17   i.root-servers.net   53   192.168.0.190   19512""
""2008/06/09   12:33:19.59   O      192.203.230.10   e.root-servers.net   53   192.168.0.190   51508""
""2008/06/09   12:34:06.91   O      192.33.4.12   c.root-servers.net   53   192.168.0.190   31111""
""2008/06/09   12:34:06.92   O      192.36.148.17   i.root-servers.net   53   192.168.0.190   59659""
""2008/06/09   12:34:06.92   O      192.228.79.201   b.root-servers.net   53   192.168.0.190   60232""
""2008/06/09   12:34:06.92   O      192.33.4.12   c.root-servers.net   53   192.168.0.190   22711""
""2008/06/09   12:35:06.92   O      193.0.14.129   k.root-servers.net   53   192.168.0.190   22840""
""2008/06/09   12:35:06.92   O      193.0.14.129   k.root-servers.net   53   192.168.0.190   16519""
""2008/06/09   12:35:06.92   O      202.12.27.33   m.root-servers.net   53   192.168.0.190   42405""
""2008/06/09   12:35:06.94   O      202.12.27.33   m.root-servers.net   53   192.168.0.190   15065""
""2008/06/09   12:36:06.89   O      128.8.10.90   d.root-servers.net   53   192.168.0.190   46001""
""2008/06/09   12:36:06.89   O      128.8.10.90   d.root-servers.net   53   192.168.0.190   31748""
""2008/06/09   12:37:54.89   O      192.112.36.4   g.root-servers.net   53   192.168.0.190   17982""
""2008/06/09   12:37:54.89   O      128.63.2.53   h.root-servers.net   53   192.168.0.190   14808""
""2008/06/09   12:37:54.89   O      202.12.27.33   m.root-servers.net   53   192.168.0.190   15065""
""2008/06/09   12:38:20.86   O      202.12.27.33   m.root-servers.net   53   192.168.0.190   7103""
""2008/06/09   12:39:20.80   O      192.5.5.241   f.root-servers.net   53   192.168.0.190   54996""
""2008/06/09   12:41:30.40   O      192.5.5.241   f.root-servers.net   53   192.168.0.190   31058""
""2008/06/09   12:41:30.40   B      255.255.255.255   f.root-servers.net   138   192.168.0.70   138""
""2008/06/09   12:45:30.48   B      255.255.255.255   f.root-servers.net   138   192.168.0.70   138""
""2008/06/09   12:53:30.45   O      192.58.128.30   j.root-servers.net   53   192.168.0.190   20599""
""2008/06/09   13:06:59.27   O      192.58.128.30   j.root-servers.net   53   192.168.0.190   21895""
""2008/06/09   13:07:53.46   O      192.33.4.12   c.root-servers.net   53   192.168.0.190   22711""
""2008/06/09   13:07:53.46   O      192.203.230.10   e.root-servers.net   53   192.168.0.190   51508""
""2008/06/09   13:07:53.46   O      192.203.230.10   e.root-servers.net   53   192.168.0.190   36422""
""2008/06/09   13:07:53.46   O      128.63.2.53   h.root-servers.net   53   192.168.0.190   63934""
""2008/06/09   13:08:05.04   O      192.33.4.12   c.root-servers.net   53   192.168.0.190   62647""
""2008/06/09   13:09:04.98   O      193.0.14.129   k.root-servers.net   53   192.168.0.190   16519""
""2008/06/09   13:10:04.99   O      128.8.10.90   d.root-servers.net   53   192.168.0.190   31748""
""2008/06/09   13:10:04.99   O      202.12.27.33   m.root-servers.net   53   192.168.0.190   7103""
""2008/06/09   13:10:04.99   O      198.41.0.4   a.root-servers.net   53   192.168.0.190   47408""
""2008/06/09   13:11:04.99   O      128.8.10.90   d.root-servers.net   53   192.168.0.190   19148""
""2008/06/09   13:11:04.99   O      198.41.0.4   a.root-servers.net   53   192.168.0.190   19462""
""2008/06/09   13:11:04.99   O      193.0.14.129   k.root-servers.net   53   192.168.0.190   20856""
""2008/06/09   13:12:04.98   O      202.12.27.33   m.root-servers.net   53   192.168.0.190   2991""
""2008/06/09   13:13:54.22   O      192.36.148.17   i.root-servers.net   53   192.168.0.190   59659""
""2008/06/09   13:13:54.22   O      192.5.5.241   f.root-servers.net   53   192.168.0.190   31058""
""2008/06/09   13:13:54.22   O      192.36.148.17   i.root-servers.net   53   192.168.0.190   17002""
""2008/06/09   13:13:54.22   O      192.5.5.241   f.root-servers.net   53   192.168.0.190   39375""
""2008/06/09   13:16:04.95   O      192.58.128.30   j.root-servers.net   53   192.168.0.190   21895""
""2008/06/09   18:22:22.34   O      192.228.79.201   b.root-servers.net   53   192.168.0.190   60232""
""2008/06/09   18:25:22.23   O      192.112.36.4   g.root-servers.net   53   192.168.0.190   17982""
""2008/06/09   18:56:21.58   O      192.203.230.10   e.root-servers.net   53   192.168.0.190   36422""
""2008/06/09   18:56:21.58   O      128.63.2.53   h.root-servers.net   53   192.168.0.190   63934""
""2008/06/09   18:56:21.58   O      192.33.4.12   c.root-servers.net   53   192.168.0.190   62647""
""2008/06/09   18:58:21.48   O      128.8.10.90   d.root-servers.net   53   192.168.0.190   19148""
""2008/06/09   18:58:21.48   O      198.41.0.4   a.root-servers.net   53   192.168.0.190   19462""
""2008/06/09   18:59:21.46   O      193.0.14.129   k.root-servers.net   53   192.168.0.190   20856""
""2008/06/09   19:00:21.32   O      202.12.27.33   m.root-servers.net   53   192.168.0.190   2991""
""2008/06/09   19:01:33.16   O      192.36.148.17   i.root-servers.net   53   192.168.0.190   17002""
""2008/06/09   19:02:33.16   O      192.5.5.241   f.root-servers.net   53   192.168.0.190   39375""
« Last Edit: June 10, 2008, 07:39:59 PM by purvis »

Offline CharlieBrady

Re: DNS Backbone DDoS Attacks from one of my sme servers
« Reply #5 on: June 10, 2008, 08:29:52 PM »
the server is attacking on port 53

No. It is using port 53 of the root name servers for name lookup. Those computers exist so that DNS resolver software can query them to look up addresses. Please go and educate yourself about recursive name servers. SME server includes one, called dnscache.

Offline purvis

Re: DNS Backbone DDoS Attacks from one of my sme servers
« Reply #6 on: June 10, 2008, 10:15:47 PM »
charlie
you know more than i do and probably will in the world of networking.
but i find it hard to believe  that in this case something is not wrong.
why.
because we have nobody going thru the server to access the internet.
we do not have a webpage setup other than the default and i am allowing port 80 to as well as the other ports mentioned above.
this activity has never been seen before.
i am not receiving any email other than when i do very little testing, which i am not doing now or the last 4 weeks.
i do understand there may be some suspicious activity trying to sign in to webmail and pop3, but i do not see much of that.
so i have to ask, why would such activity occur so often.
if i stop the port forwarding from my router on all ports going to the smeserver, then you are telling me this activity will still exist.
then why at other locations has this not occurred.
if i am missing something else i am sorry.
there is another sme server on the same network with the same subnet and ip range, i do not see the same activity with it to these sites.
i will probably install a new server with the new version to see what happens.
all my sme servers are 7.1 or higher.
i am going to stop forwarding all ports to that computer and see what happens.
i appreciate your help charlie and i hope you will continue to be open to my observations.



« Last Edit: June 10, 2008, 10:18:51 PM by purvis »

Offline Stefano

Re: DNS Backbone DDoS Attacks from one of my sme servers
« Reply #7 on: June 10, 2008, 11:59:55 PM »
maybe it is the server itself that makes traffic?

for example for:
- clamav updates
- spamassassin updates
- use of the BL with mail

As Charlie said, it's normal traffic.. do you want to avoid it? well, use the dns server of your isp or... unplug your ethernet cable from SME

Ciao
Stefano

Offline zatnikatel

Re: DNS Backbone DDoS Attacks from one of my sme servers
« Reply #8 on: June 11, 2008, 04:34:03 PM »
they are both correct. if you want to test to see if it stops, disable clamav and spamassassin and see if it stops

Offline CharlieBrady

Re: DNS Backbone DDoS Attacks from one of my sme servers
« Reply #9 on: June 11, 2008, 05:29:24 PM »
one of my sme servers is apparently sending DNS Backbone DDoS Attacks to all of the root-servers.net locations

It's not. Please edit the subject of your thread - it is false and rather alarming. I suggest you change it to something like:

SME server sending DNS queries to root name servers - is this normal?

Sending 146 queries across about a dozen servers in 12 hours does not constitute a DoS attack.

Offline purvis

Re: SME server sending DNS queries to root name servers - is this normal?
« Reply #10 on: June 12, 2008, 01:43:07 AM »
i believe this problem is coming from freshclam having problems updating from certain sites
here is a cutout of a freshclam log.
would it be better to remove freshclam and then reinstall it
i do have my system to check for viruses but not quarantine the files.
paul

ClamAV update process started at Sun Jun  8 18:10:13 2008
2008-06-08 18:10:33.618119500 WARNING: Can't query current.cvd.clamav.net
2008-06-08 18:10:33.618161500 WARNING: Invalid DNS reply. Falling back to HTTP mode.
2008-06-08 18:10:33.618429500 Reading CVD header (main.cvd): WARNING: Can't get information about db.local.clamav.net: Temporary DNS error
2008-06-08 18:10:53.620232500 WARNING: Can't read main.cvd header from db.local.clamav.net (IP: )
2008-06-08 18:10:53.620325500 Trying again in 5 secs...
2008-06-08 18:10:58.621607500 ClamAV update process started at Sun Jun  8 18:10:58 2008
2008-06-08 18:11:18.626490500 WARNING: Can't query current.cvd.clamav.net

Offline CharlieBrady

Re: SME server sending DNS queries to root name servers - is this normal?
« Reply #11 on: June 12, 2008, 03:08:27 AM »
would it be better to remove freshclam and then reinstall it

No, that would make any difference.
« Last Edit: June 12, 2008, 03:33:30 AM by CharlieBrady »

Offline purvis

Re: SME server sending DNS queries to root name servers - is this normal?
« Reply #12 on: June 12, 2008, 04:05:35 AM »
i am not at the server's location but i am in the process of backing up the server for a reinstall.
i do like the 20 minute install by the way.
that is one reason i run the sme server,  it is fast to install a file server and restore files.


Offline CharlieBrady

Re: SME server sending DNS queries to root name servers - is this normal?
« Reply #13 on: June 12, 2008, 03:07:03 PM »
i am not at the server's location but i am in the process of backing up the server for a reinstall.

Why?

Offline arne

Re: SME server sending DNS queries to root name servers - is this normal?
« Reply #14 on: June 13, 2008, 09:59:27 AM »
The basic nature of a dos attack is, as far as I know, to send a series of packets against one certain target, i.e. an ip or a server.
The packets can be ordinary packets or modified or spoofed packets for the certain purpose.

When more than one or a series of attacking machines sends out coordinated series of packets against the same target/ip, one can speak of a ddos attack. (Distributed dos attack.)

The log above shows some series of connections where the target ip is changing all the time. There should be no reason to believe that the log shows a dos attack. The log should rather show quite clearly that it is not a question of a dos attack. There should be even less reason to believe that this is part of a ddos attack.

Since when were ddos attacks performed from one attacker against a series of targets? This must actually be the opposite of a dos attack, rather something like a centralized dos attack, a cdos with a max rate of 2 packets per second per target. (Yes, cdos is a new term.)
« Last Edit: June 13, 2008, 01:41:42 PM by arne »
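
The triage argued in Reply #9 and Reply #14 (how many queries, to how many destinations, at what rate per destination) can be run directly over a WallWatcher export. The following is an added example, not code from any poster in the thread; the function names, the constructed flood sample and the 60-per-minute threshold are assumptions.

```python
from collections import Counter
from datetime import datetime

# Lines copied from the WallWatcher log quoted in the thread. Columns: date,
# time, direction, remote IP, remote name, remote port, local IP, local port.
RESOLVER_SAMPLE = '''\
""2008/06/09   07:57:20.32   O      192.36.148.17   i.root-servers.net   53   192.168.0.190   45725""
""2008/06/09   07:58:16.02   O      192.228.79.201   b.root-servers.net   53   192.168.0.190   44963""
""2008/06/09   07:58:16.02   O      198.41.0.4   a.root-servers.net   53   192.168.0.190   15717""
""2008/06/09   07:58:16.02   O      198.41.0.4   a.root-servers.net   53   192.168.0.190   9419""
""2008/06/09   07:58:16.02   O      192.112.36.4   g.root-servers.net   53   192.168.0.190   62994""
""2008/06/09   07:58:16.02   O      192.228.79.201   b.root-servers.net   53   192.168.0.190   63906""
""2008/06/09   08:00:07.56   O      192.33.4.12   c.root-servers.net   53   192.168.0.190   4050""
""2008/06/09   08:00:07.56   O      192.203.230.10   e.root-servers.net   53   192.168.0.190   52751""
""2008/06/09   12:41:30.40   B      255.255.255.255   f.root-servers.net   138   192.168.0.70   138""
'''.splitlines()

# Constructed contrast case (not from the thread): 300 queries to a single
# documentation address under a hypothetical name, all inside one minute.
FLOOD_SAMPLE = [
    f'""2008/06/09   09:00:{i % 60:02d}.00   O      203.0.113.5   '
    f'target.example   53   192.168.0.190   {20000 + i}""'
    for i in range(300)
]


def parse_line(line):
    """Parse one WallWatcher-style line; return None if it does not fit."""
    fields = line.strip().strip('"').split()
    if len(fields) != 8:
        return None
    date, time, direction, r_ip, r_name, r_port, l_ip, l_port = fields
    try:
        ts = datetime.strptime(f"{date} {time}", "%Y/%m/%d %H:%M:%S.%f")
        return {"ts": ts, "dir": direction, "remote_ip": r_ip,
                "remote_name": r_name, "remote_port": int(r_port),
                "local_ip": l_ip, "local_port": int(l_port)}
    except ValueError:
        return None


def summarize(lines, port=53):
    """Count outbound events to `port`: volume, spread and per-target rate."""
    events = [e for e in map(parse_line, lines)
              if e and e["dir"] == "O" and e["remote_port"] == port]
    if not events:
        return None
    per_dest = Counter(e["remote_ip"] for e in events)
    # Bucket by (destination, minute) to find the worst rate at any one target.
    per_dest_minute = Counter(
        (e["remote_ip"], e["ts"].replace(second=0, microsecond=0))
        for e in events)
    times = [e["ts"] for e in events]
    return {
        "total": len(events),
        "destinations": len(per_dest),
        "span_seconds": (max(times) - min(times)).total_seconds(),
        "top_share": per_dest.most_common(1)[0][1] / len(events),
        "peak_per_dest_per_minute": max(per_dest_minute.values()),
    }


def classify(summary, max_per_dest_per_minute=60):
    """Assumed rule: a flood hammers one target faster than the threshold."""
    if summary["peak_per_dest_per_minute"] > max_per_dest_per_minute:
        return "flood-like"
    return "resolver-like"


if __name__ == "__main__":
    for name, lines in (("thread log excerpt", RESOLVER_SAMPLE),
                        ("constructed flood", FLOOD_SAMPLE)):
        s = summarize(lines)
        print(name, s, "->", classify(s))
```

The excerpt from the thread spreads a handful of queries over several root servers, with at most two per server per minute, which is the pattern a recursive resolver such as dnscache produces; the constructed case concentrates hundreds of queries on one address in one minute.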