Koozali.org: home of the SME Server
Obsolete Releases => SME Server 7.x => Topic started by: purvis on June 10, 2008, 08:38:43 AM
-
one of my sme servers is apparently sending DNS Backbone DDoS Attacks to all of the root-server.net locations
i did not have this problem until recently.
i did some updates from the server-manager.
on this sme server, i am the only one that has control over this machine.
right now the machine is not being used by anybody but me and i have had very little interaction with this sme server.
i was wondering if others were having the same problem.
the activity is very small but if there are a lot in the world, it can add up.
i use the wallwatcher program to watch activity of what goes out and in from the router hooked up to the internet.
i do few updates to any server and it had probably been months since i did any updates to the server until the beginning of this month.
i will have to do a new install which is ok but will take some time.
-
one of my sme servers is apparently sending DNS Backbone DDoS Attacks to all of the root-server.net locations
What makes you say that?
-
do you want a log
-
do you want a log
No, I want you to describe what you have seen which led you to conclude that your server is being used for a "DNS Backbone DDoS Attack".
My guess is that you have seen the SME server doing perfectly ordinary DNS lookups, just as it is designed to do.
-
here is a log created by wallwatcher and i scrubbed out all activity other than root-servers.net
from what i have seen this is a dos attack on those servers.
this sme server is a system that is running and the only ports going to it are 80 110 443 25 and maybe one other.
i will try to see what is happening at other locations
Charlie,
i do not do very much at all with this computer, basically it has been dormant in a sense.
i had worked with it very little and i was planning on using it as an email server some time ago.
i placed a few files on the server as just a backup to my computer many moons ago.
because i am now back to trying to figure out whether i want to use it as an email server i did updates from the server-manager.
maybe some computer attacked this server. i did not write down when it did the update but it was about the time this all started.
i do not review logs very often, i had an employee going to myspace in a virtual machine that we use for accessing the internet.
i started monitoring the activity because i do not want any sites visited that do not have to do with business and the risk it brings on.
i am not sure what's happening but it would seem logical to first look at the updates if sme server is supposed to be a very secure server.
in all honesty my admin password was not the best.
i did some lookups on the internet and had seen quite a few hits on "centos" and "root-server.net"
i will have to reinstall sme server soon, as i do not want to be the source of any bad things even if they do not damage my data or system.
but i wanted to see if i could identify the problem.
maybe i can some way show what addons i am running, it should be very few.
wallwatcher is free, but runs under windows.
i have wallwatcher running at 3 locations with sme servers at those locations.
this is the first time and the only time i have seen any sme server doing outbound activity that did not seem right.
i do not like to bring problems to the table, but this is where i felt i should report it even if it did not come from updates
so that others can look out for it too.
charlie thanks for the reply
i would not even mind giving you access to the server through port 22 if you would like after i backup and erase any sensitive data.
the log has been cut down
i will trim it down after the discussion to reduce space used on the forum server
the server is attacking on port 53
2008/06/09 07:57:20.32 O 192.36.148.17 i.root-servers.net 53 192.168.0.190 45725
2008/06/09 07:58:16.02 O 192.228.79.201 b.root-servers.net 53 192.168.0.190 44963
2008/06/09 07:58:16.02 O 198.41.0.4 a.root-servers.net 53 192.168.0.190 15717
2008/06/09 07:58:16.02 O 198.41.0.4 a.root-servers.net 53 192.168.0.190 9419
2008/06/09 07:58:16.02 O 192.112.36.4 g.root-servers.net 53 192.168.0.190 62994
2008/06/09 07:58:16.02 O 192.228.79.201 b.root-servers.net 53 192.168.0.190 63906
2008/06/09 08:00:07.56 O 192.33.4.12 c.root-servers.net 53 192.168.0.190 4050
2008/06/09 08:00:07.56 O 192.203.230.10 e.root-servers.net 53 192.168.0.190 52751
2008/06/09 08:00:07.56 O 192.33.4.12 c.root-servers.net 53 192.168.0.190 12618
2008/06/09 08:00:07.56 O 192.203.230.10 e.root-servers.net 53 192.168.0.190 6547
2008/06/09 08:00:41.81 O 192.58.128.30 j.root-servers.net 53 192.168.0.190 38218
2008/06/09 08:01:34.31 O 192.5.5.241 f.root-servers.net 53 192.168.0.190 23256
2008/06/09 08:01:34.31 O 193.0.14.129 k.root-servers.net 53 192.168.0.190 14024
2008/06/09 08:01:34.31 O 192.5.5.241 f.root-servers.net 53 192.168.0.190 60652
2008/06/09 08:01:34.31 O 128.63.2.53 h.root-servers.net 53 192.168.0.190 35238
2008/06/09 08:01:46.56 O 193.0.14.129 k.root-servers.net 53 192.168.0.190 61077
2008/06/09 08:02:46.48 O 128.63.2.53 h.root-servers.net 53 192.168.0.190 63718
2008/06/09 08:02:46.48 O 202.12.27.33 m.root-servers.net 53 192.168.0.190 23327
2008/06/09 08:03:46.56 O 202.12.27.33 m.root-servers.net 53 192.168.0.190 27340
2008/06/09 08:06:46.53 O 128.8.10.90 d.root-servers.net 53 192.168.0.190 1176
2008/06/09 08:08:46.50 O 192.112.36.4 g.root-servers.net 53 192.168.0.190 62994
2008/06/09 08:08:46.50 O 192.58.128.30 j.root-servers.net 53 192.168.0.190 7140
2008/06/09 08:11:46.57 O 128.8.10.90 d.root-servers.net 53 192.168.0.190 40990
2008/06/09 09:04:46.10 O 192.228.79.201 b.root-servers.net 53 192.168.0.190 63906
2008/06/09 09:05:46.12 O 192.33.4.12 c.root-servers.net 53 192.168.0.190 12618
2008/06/09 09:05:46.12 O 192.112.36.4 g.root-servers.net 53 192.168.0.190 35988
2008/06/09 09:05:46.12 O 192.228.79.201 b.root-servers.net 53 192.168.0.190 45827
2008/06/09 09:06:46.09 O 193.0.14.129 k.root-servers.net 53 192.168.0.190 61077
2008/06/09 09:06:46.09 O 192.203.230.10 e.root-servers.net 53 192.168.0.190 6547
2008/06/09 09:06:46.09 O 193.0.14.129 k.root-servers.net 53 192.168.0.190 32559
2008/06/09 09:07:46.12 O 192.203.230.10 e.root-servers.net 53 192.168.0.190 62853
2008/06/09 09:07:46.12 O 192.5.5.241 f.root-servers.net 53 192.168.0.190 60652
2008/06/09 09:08:46.17 O 192.5.5.241 f.root-servers.net 53 192.168.0.190 40218
2008/06/09 09:08:46.17 O 198.41.0.4 a.root-servers.net 53 192.168.0.190 9419
2008/06/09 09:09:46.14 O 198.41.0.4 a.root-servers.net 53 192.168.0.190 6929
2008/06/09 09:09:46.14 O 192.33.4.12 c.root-servers.net 53 192.168.0.190 34479
2008/06/09 09:12:46.14 O 128.63.2.53 h.root-servers.net 53 192.168.0.190 63718
2008/06/09 09:14:45.33 O 192.58.128.30 j.root-servers.net 53 192.168.0.190 7140
2008/06/09 09:14:45.33 O 192.112.36.4 g.root-servers.net 53 192.168.0.190 35988
2008/06/09 09:14:45.33 O 128.63.2.53 h.root-servers.net 53 192.168.0.190 41514
2008/06/09 09:15:48.52 O 192.58.128.30 j.root-servers.net 53 192.168.0.190 56151
2008/06/09 09:16:48.48 O 192.112.36.4 g.root-servers.net 53 192.168.0.190 50099
2008/06/09 09:16:48.48 O 192.203.230.10 e.root-servers.net 53 192.168.0.190 62853
2008/06/09 09:17:45.16 O 202.12.27.33 m.root-servers.net 53 192.168.0.190 27340
2008/06/09 09:17:45.18 O 128.8.10.90 d.root-servers.net 53 192.168.0.190 40990
2008/06/09 09:18:53.51 O 202.12.27.33 m.root-servers.net 53 192.168.0.190 52495
2008/06/09 09:18:53.52 O 128.8.10.90 d.root-servers.net 53 192.168.0.190 61604
2008/06/09 09:19:53.50 O 193.0.14.129 k.root-servers.net 53 192.168.0.190 32559
2008/06/09 09:20:53.43 O 192.203.230.10 e.root-servers.net 53 192.168.0.190 6627
2008/06/09 09:24:57.38 O 192.36.148.17 i.root-servers.net 53 192.168.0.190 45725
2008/06/09 10:13:29.95 O 192.36.148.17 i.root-servers.net 53 192.168.0.190 28737
2008/06/09 10:15:30.03 O 192.228.79.201 b.root-servers.net 53 192.168.0.190 45827
2008/06/09 10:15:30.03 O 193.0.14.129 k.root-servers.net 53 192.168.0.190 53007
2008/06/09 10:16:29.96 O 192.228.79.201 b.root-servers.net 53 192.168.0.190 4321
2008/06/09 10:17:30.05 O 192.33.4.12 c.root-servers.net 53 192.168.0.190 34479
2008/06/09 10:18:22.19 O 192.33.4.12 c.root-servers.net 53 192.168.0.190 1901
2008/06/09 10:18:22.19 O 202.12.27.33 m.root-servers.net 53 192.168.0.190 52495
2008/06/09 10:18:22.19 O 202.12.27.33 m.root-servers.net 53 192.168.0.190 61838
2008/06/09 10:18:22.19 O 192.5.5.241 f.root-servers.net 53 192.168.0.190 40218
2008/06/09 10:18:22.19 O 192.5.5.241 f.root-servers.net 53 192.168.0.190 64664
2008/06/09 10:19:36.16 O 192.112.36.4 g.root-servers.net 53 192.168.0.190 50099
2008/06/09 10:21:36.13 O 192.112.36.4 g.root-servers.net 53 192.168.0.190 53622
2008/06/09 10:22:22.69 O 198.41.0.4 a.root-servers.net 53 192.168.0.190 6929
2008/06/09 10:26:37.48 O 192.5.5.241 f.root-servers.net 53 192.168.0.190 64664
2008/06/09 10:27:37.49 O 192.5.5.241 f.root-servers.net 53 192.168.0.190 54996
2008/06/09 10:33:38.34 O 192.36.148.17 i.root-servers.net 53 192.168.0.190 28737
2008/06/09 11:21:37.79 O 198.41.0.4 a.root-servers.net 53 192.168.0.190 33294
2008/06/09 11:23:37.79 O 192.228.79.201 b.root-servers.net 53 192.168.0.190 4321
2008/06/09 11:24:12.79 O 128.63.2.53 h.root-servers.net 53 192.168.0.190 41514
2008/06/09 11:24:12.79 O 192.228.79.201 b.root-servers.net 53 192.168.0.190 10032
2008/06/09 11:24:12.79 O 202.12.27.33 m.root-servers.net 53 192.168.0.190 61838
2008/06/09 11:24:12.79 O 192.36.148.17 i.root-servers.net 53 192.168.0.190 19512
2008/06/09 11:24:12.79 O 202.12.27.33 m.root-servers.net 53 192.168.0.190 42405
2008/06/09 11:24:48.15 O 128.8.10.90 d.root-servers.net 53 192.168.0.190 61604
2008/06/09 11:24:48.15 O 192.58.128.30 j.root-servers.net 53 192.168.0.190 56151
2008/06/09 11:24:48.15 O 192.58.128.30 j.root-servers.net 53 192.168.0.190 12647
2008/06/09 11:25:27.61 O 192.33.4.12 c.root-servers.net 53 192.168.0.190 1901
2008/06/09 11:25:27.61 O 128.63.2.53 h.root-servers.net 53 192.168.0.190 42549
2008/06/09 11:25:58.00 O 128.8.10.90 d.root-servers.net 53 192.168.0.190 46001
2008/06/09 11:26:36.53 O 193.0.14.129 k.root-servers.net 53 192.168.0.190 53007
2008/06/09 11:26:36.53 O 193.0.14.129 k.root-servers.net 53 192.168.0.190 22840
2008/06/09 11:26:36.53 O 192.112.36.4 g.root-servers.net 53 192.168.0.190 53622
2008/06/09 11:26:36.53 O 192.33.4.12 c.root-servers.net 53 192.168.0.190 31111
2008/06/09 11:28:01.53 O 192.203.230.10 e.root-servers.net 53 192.168.0.190 6627
2008/06/09 11:29:01.46 O 192.203.230.10 e.root-servers.net 53 192.168.0.190 22107
2008/06/09 11:30:01.47 O 198.41.0.4 a.root-servers.net 53 192.168.0.190 33294
2008/06/09 11:30:01.47 O 198.41.0.4 a.root-servers.net 53 192.168.0.190 47408
2008/06/09 11:31:01.46 O 192.112.36.4 g.root-servers.net 53 192.168.0.190 64526
2008/06/09 11:33:01.45 O 128.63.2.53 h.root-servers.net 53 192.168.0.190 42549
2008/06/09 11:43:01.13 O 192.58.128.30 j.root-servers.net 53 192.168.0.190 12647
2008/06/09 11:45:01.11 O 192.228.79.201 b.root-servers.net 53 192.168.0.190 10032
2008/06/09 12:32:01.36 O 128.63.2.53 h.root-servers.net 53 192.168.0.190 14808
2008/06/09 12:33:01.37 O 192.58.128.30 j.root-servers.net 53 192.168.0.190 20599
2008/06/09 12:33:01.37 O 192.203.230.10 e.root-servers.net 53 192.168.0.190 22107
2008/06/09 12:33:19.58 O 192.112.36.4 g.root-servers.net 53 192.168.0.190 64526
2008/06/09 12:33:19.59 O 192.36.148.17 i.root-servers.net 53 192.168.0.190 19512
2008/06/09 12:33:19.59 O 192.203.230.10 e.root-servers.net 53 192.168.0.190 51508
2008/06/09 12:34:06.91 O 192.33.4.12 c.root-servers.net 53 192.168.0.190 31111
2008/06/09 12:34:06.92 O 192.36.148.17 i.root-servers.net 53 192.168.0.190 59659
2008/06/09 12:34:06.92 O 192.228.79.201 b.root-servers.net 53 192.168.0.190 60232
2008/06/09 12:34:06.92 O 192.33.4.12 c.root-servers.net 53 192.168.0.190 22711
2008/06/09 12:35:06.92 O 193.0.14.129 k.root-servers.net 53 192.168.0.190 22840
2008/06/09 12:35:06.92 O 193.0.14.129 k.root-servers.net 53 192.168.0.190 16519
2008/06/09 12:35:06.92 O 202.12.27.33 m.root-servers.net 53 192.168.0.190 42405
2008/06/09 12:35:06.94 O 202.12.27.33 m.root-servers.net 53 192.168.0.190 15065
2008/06/09 12:36:06.89 O 128.8.10.90 d.root-servers.net 53 192.168.0.190 46001
2008/06/09 12:36:06.89 O 128.8.10.90 d.root-servers.net 53 192.168.0.190 31748
2008/06/09 12:37:54.89 O 192.112.36.4 g.root-servers.net 53 192.168.0.190 17982
2008/06/09 12:37:54.89 O 128.63.2.53 h.root-servers.net 53 192.168.0.190 14808
2008/06/09 12:37:54.89 O 202.12.27.33 m.root-servers.net 53 192.168.0.190 15065
2008/06/09 12:38:20.86 O 202.12.27.33 m.root-servers.net 53 192.168.0.190 7103
2008/06/09 12:39:20.80 O 192.5.5.241 f.root-servers.net 53 192.168.0.190 54996
2008/06/09 12:41:30.40 O 192.5.5.241 f.root-servers.net 53 192.168.0.190 31058
2008/06/09 12:41:30.40 B 255.255.255.255 f.root-servers.net 138 192.168.0.70 138
2008/06/09 12:45:30.48 B 255.255.255.255 f.root-servers.net 138 192.168.0.70 138
2008/06/09 12:53:30.45 O 192.58.128.30 j.root-servers.net 53 192.168.0.190 20599
2008/06/09 13:06:59.27 O 192.58.128.30 j.root-servers.net 53 192.168.0.190 21895
2008/06/09 13:07:53.46 O 192.33.4.12 c.root-servers.net 53 192.168.0.190 22711
2008/06/09 13:07:53.46 O 192.203.230.10 e.root-servers.net 53 192.168.0.190 51508
2008/06/09 13:07:53.46 O 192.203.230.10 e.root-servers.net 53 192.168.0.190 36422
2008/06/09 13:07:53.46 O 128.63.2.53 h.root-servers.net 53 192.168.0.190 63934
2008/06/09 13:08:05.04 O 192.33.4.12 c.root-servers.net 53 192.168.0.190 62647
2008/06/09 13:09:04.98 O 193.0.14.129 k.root-servers.net 53 192.168.0.190 16519
2008/06/09 13:10:04.99 O 128.8.10.90 d.root-servers.net 53 192.168.0.190 31748
2008/06/09 13:10:04.99 O 202.12.27.33 m.root-servers.net 53 192.168.0.190 7103
2008/06/09 13:10:04.99 O 198.41.0.4 a.root-servers.net 53 192.168.0.190 47408
2008/06/09 13:11:04.99 O 128.8.10.90 d.root-servers.net 53 192.168.0.190 19148
2008/06/09 13:11:04.99 O 198.41.0.4 a.root-servers.net 53 192.168.0.190 19462
2008/06/09 13:11:04.99 O 193.0.14.129 k.root-servers.net 53 192.168.0.190 20856
2008/06/09 13:12:04.98 O 202.12.27.33 m.root-servers.net 53 192.168.0.190 2991
2008/06/09 13:13:54.22 O 192.36.148.17 i.root-servers.net 53 192.168.0.190 59659
2008/06/09 13:13:54.22 O 192.5.5.241 f.root-servers.net 53 192.168.0.190 31058
2008/06/09 13:13:54.22 O 192.36.148.17 i.root-servers.net 53 192.168.0.190 17002
2008/06/09 13:13:54.22 O 192.5.5.241 f.root-servers.net 53 192.168.0.190 39375
2008/06/09 13:16:04.95 O 192.58.128.30 j.root-servers.net 53 192.168.0.190 21895
2008/06/09 18:22:22.34 O 192.228.79.201 b.root-servers.net 53 192.168.0.190 60232
2008/06/09 18:25:22.23 O 192.112.36.4 g.root-servers.net 53 192.168.0.190 17982
2008/06/09 18:56:21.58 O 192.203.230.10 e.root-servers.net 53 192.168.0.190 36422
2008/06/09 18:56:21.58 O 128.63.2.53 h.root-servers.net 53 192.168.0.190 63934
2008/06/09 18:56:21.58 O 192.33.4.12 c.root-servers.net 53 192.168.0.190 62647
2008/06/09 18:58:21.48 O 128.8.10.90 d.root-servers.net 53 192.168.0.190 19148
2008/06/09 18:58:21.48 O 198.41.0.4 a.root-servers.net 53 192.168.0.190 19462
2008/06/09 18:59:21.46 O 193.0.14.129 k.root-servers.net 53 192.168.0.190 20856
2008/06/09 19:00:21.32 O 202.12.27.33 m.root-servers.net 53 192.168.0.190 2991
2008/06/09 19:01:33.16 O 192.36.148.17 i.root-servers.net 53 192.168.0.190 17002
2008/06/09 19:02:33.16 O 192.5.5.241 f.root-servers.net 53 192.168.0.190 39375
-
the server is attacking on port 53
No. It is using port 53 of the root name servers for name lookup. Those computers exist so that DNS resolver software can query them to look up addresses. Please go and educate yourself about recursive name servers. SME server includes one, called dnscache.
-
charlie
you know more than i do and probably always will in the world of networking.
but i find it hard to believe that in this case something is not wrong.
why?
because we have nobody going through the server to access the internet.
we do not have a webpage set up other than the default and i am allowing port 80 as well as the other ports mentioned above.
this activity has never been seen before.
i am not receiving any email other than when i do very little testing, which i am not doing now or in the last 4 weeks.
i do understand there may be some suspicious activity trying to sign in to webmail and pop3, but i do not see much of that.
so i have to ask, why would such activity occur so often?
if i stop the port forwarding from my router on all ports going to the smeserver, then you are telling me this activity will still exist.
then why at other locations has this not occurred?
if i am missing something else i am sorry.
there is another sme server on the same network with the same subnet and ip range, i do not see the same activity with it to these sites.
i will probably install a new server with the new version to see what happens.
all my sme servers are 7.1 or higher.
i am going to stop forwarding all ports to that computer and see what happens.
i appreciate your help charlie and i hope you will continue to be open to my observations.
-
maybe it is the server itself that makes the traffic?
for example for:
- clamav updates
- spamassassin updates
- use of the BL with mail
As Charlie said, it's normal traffic. do you want to avoid it? well, use the dns server of your isp or... unplug your ethernet cable from SME
Ciao
Stefano
-
they are both correct. if you want to test to see if it stops, disable clamav and spamassassin and see if it stops
-
one of my sme servers is apparently sending DNS Backbone DDoS Attacks to all of the root-server.net locations
It's not. Please edit the subject of your thread - it is false and rather alarming. I suggest you change it to something like:
SME server sending DNS queries to root name servers - is this normal?
Sending 146 queries across about a dozen servers in 12 hours does not constitute a DoS attack.
-
i believe this problem is coming from freshclam having problems updating from certain sites
here is a cutout of a freshclam log.
would it be better to remove freshclam and then reinstall it
i do have my system set to check for viruses but not quarantine the files.
paul
ClamAV update process started at Sun Jun 8 18:10:13 2008
2008-06-08 18:10:33.618119500 WARNING: Can't query current.cvd.clamav.net
2008-06-08 18:10:33.618161500 WARNING: Invalid DNS reply. Falling back to HTTP mode.
2008-06-08 18:10:33.618429500 Reading CVD header (main.cvd): WARNING: Can't get information about db.local.clamav.net: Temporary DNS error
2008-06-08 18:10:53.620232500 WARNING: Can't read main.cvd header from db.local.clamav.net (IP: )
2008-06-08 18:10:53.620325500 Trying again in 5 secs...
2008-06-08 18:10:58.621607500 ClamAV update process started at Sun Jun 8 18:10:58 2008
2008-06-08 18:11:18.626490500 WARNING: Can't query current.cvd.clamav.net
-
would it be better to remove freshclam and then reinstall it
No, that would not make any difference.
-
i am not at the server's location but i am in the process of backing up the server for a reinstall.
i do like the 20 minute install by the way.
that is one reason i run the sme server, it is fast to install a file server and restore files.
-
i am not at the server's location but i am in the process of backing up the server for a reinstall.
Why?
-
The basic nature of a dos attack is as far as I know to send a series of packets against one certain target, i.e. an ip or a server.
The packets can be ordinary packets or modified or spoofed packets for the certain purpose.
When more than one or a series of attacking machines send out coordinated series of packets against the same target/ip, one can speak of a ddos attack. (Distributed dos attack.)
The log above shows some series of connections where the target ip is changing all the time. There should be no reason to believe that the log shows a dos attack. The log should rather show quite clearly that it is not a question of a dos attack. There should be even less reason to believe that this is part of a ddos attack.
Since when were ddos attacks performed from one attacker against a series of targets? This must actually be the opposite of a dos attack, rather something like a centralized dos attack, a cdos with a max rate of 2 packets per second per target. (Yes, cdos is a new term.)
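Both figures argued over above, Charlie's count of a few queries spread across about a dozen root servers and Arne's point that the target keeps changing at no more than two packets per second, can be read straight off lines in the layout the poster quoted. The script below is an added example for this thread (not code from WallWatcher, SME Server or any poster) that parses such lines and computes those figures for a constructed sample in the quoted layout and for a constructed single-target flood; the direction codes and the rate threshold are assumptions.

```python
"""Triage of WallWatcher-style firewall lines showing DNS to the root servers.
Added example for this thread (not WallWatcher, SME Server or any poster's code).
Sample lines, the direction codes assumed and the threshold are constructed."""
from collections import Counter, namedtuple
from datetime import datetime

# Constructed sample in the layout quoted above: six port-53 packets to five
# roots (two to a.root-servers.net in the same second) plus one unrelated one.
SAMPLE_NORMAL = '''
"2008/06/09 07:58:16.02 O 198.41.0.4 a.root-servers.net 53 192.168.0.190 15717"
"2008/06/09 07:58:16.02 O 198.41.0.4 a.root-servers.net 53 192.168.0.190 9419"
"2008/06/09 07:58:16.02 O 192.228.79.201 b.root-servers.net 53 192.168.0.190 44963"
"2008/06/09 08:00:07.56 O 192.33.4.12 c.root-servers.net 53 192.168.0.190 4050"
"2008/06/09 08:00:41.81 O 192.58.128.30 j.root-servers.net 53 192.168.0.190 38218"
"2008/06/09 08:06:46.53 O 128.8.10.90 d.root-servers.net 53 192.168.0.190 1176"
"2008/06/09 08:10:00.00 O 203.0.113.7 ntp.example.test 123 192.168.0.190 123"
'''
# Constructed contrast: 400 packets at one root inside a single second, the
# shape a flood participant would leave in the same log.
SAMPLE_FLOOD = "\n".join(
    f'"2008/06/09 08:00:00.{i % 100:02d} O 198.41.0.4 a.root-servers.net 53 '
    f'192.168.0.190 {40000 + i}"' for i in range(400))

# Illustrative cut-off (assumption): a resolver following referrals sends a few
# packets per root per hour; a flood concentrates many per second on one target.
FLOOD_PPS = 50

# Fields: timestamp, direction ("O" = outbound in the quoted log), destination
# IP/name/port, source IP/port.
Entry = namedtuple("Entry", "ts direction dst_ip dst_name dst_port src_ip src_port")

def parse_line(line):
    """Parse one log line; the surrounding quote characters are stripped."""
    parts = line.strip().strip('"').split()
    if len(parts) != 8:
        raise ValueError(f"unexpected field count in {line!r}")
    ts = datetime.strptime(f"{parts[0]} {parts[1]}", "%Y/%m/%d %H:%M:%S.%f")
    return Entry(ts, parts[2], parts[3], parts[4], int(parts[5]), parts[6], int(parts[7]))

def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]

def root_queries(entries):
    """Outbound port-53 packets whose destination is a root server."""
    return [e for e in entries if e.direction == "O" and e.dst_port == 53
            and e.dst_name.endswith(".root-servers.net")]

def summarize(entries):
    """Figures that separate resolver behaviour from a flood: how many targets,
    how spread out in time, and the peak rate at the single busiest target."""
    dns = root_queries(entries)
    if not dns:
        return {"queries": 0, "distinct_targets": 0, "span_seconds": 0.0,
                "mean_per_second": 0.0, "peak_per_target_per_second": 0}
    span = (max(e.ts for e in dns) - min(e.ts for e in dns)).total_seconds()
    # Packets per (target, whole second): a flood leaves one huge bucket for one
    # target; a resolver's buckets stay at one or two, as in the quoted log.
    buckets = Counter((e.dst_ip, e.ts.replace(microsecond=0)) for e in dns)
    return {"queries": len(dns),
            "distinct_targets": len({e.dst_ip for e in dns}),
            "span_seconds": span,
            "mean_per_second": len(dns) / span if span else float(len(dns)),
            "peak_per_target_per_second": max(buckets.values())}

def classify(summary):
    """A resolver spreads few queries over all 13 roots; a flood hammers one."""
    if summary["queries"] == 0:
        return "no root-server traffic"
    if summary["peak_per_target_per_second"] >= FLOOD_PPS:
        return "flood-like"
    return "normal resolver traffic"

if __name__ == "__main__":
    for label, text in (("sample like the quoted log", SAMPLE_NORMAL),
                        ("constructed flood", SAMPLE_FLOOD)):
        s = summarize(parse_log(text))
        print(f"{label}: {s['queries']} packets to {s['distinct_targets']} roots, "
              f"peak {s['peak_per_target_per_second']}/s -> {classify(s)}")
```

Feeding it the full log above would give the same shape as the constructed sample: a peak of two packets per root per second and every root server visited, which is the referral pattern of a recursive resolver, not a flood.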
-
This must actually be the opposite of a dos attack, rather something like a centralized dos attack, a cdos with a max rate of 2 packets per second per target. (Yes, cdos is a new term.)
As is often the case, you are spouting rubbish, Arne. The logs show SME server sending a few DNS queries to the root name servers. That is perfectly normal SME server operation. It's how DNS works.
-
Charlie,
i am going to reinstall because my time to do it should be minimal
i wanted to split up my internet email services from the file server anyway.
and i want to set up a web server on its own also.
i want to also create a backup server.
also i had changed the server's name and the internet name on the computer (or whatever it is called); those changes left some unwanted footprints on my machine.
also i am going to provide a new stronger password
back to the subject
after shutting down internet access to the computer and setting ClamAV to not do a virus scan the problem went away.
i have now just started letting the internet access the computer.
i will probably start ClamAV if i do not see any more problems to see if ClamAV is what is causing the activity.
-
i will probably start ClamAV if i do not see any more problems to see if ClamAV is what is causing the activity.
Why are you worried about the activity at all?
Or, if you really can't control your curiosity and want to know what DNS queries are triggering the root server lookups, why don't you look in the dnscache logs?
-
thanks Charlie
i did look through some logs
i like to know what my systems are doing, especially when they are sending information outside of my location.
i will look into dnscache.
thanks for the heads up.
paul
Charlie, i cannot understand why anybody would not be concerned about internet activity.
when you administrate some computers, you should know what is going on, period, when it comes to traffic being generated on the internet from your location.
anything else in my view where a person does not try to find out such things and it is under their control, well, they simply are not doing their jobs.
-
Charlie, i cannot understand why anybody would not be concerned about internet activity.
when you administrate some computers, you should know what is going on, period, when it comes to traffic being generated on the internet from your location.
anything else in my view where a person does not try to find out such things and it is under their control, well, they simply are not doing their jobs.
It's also under your control to understand exactly the how and why of the DNS resolver software;
so as Charlie pointed out ;... Please go and educate yourself about recursive name servers. SME server includes one, called dnscache.
Then you will be in Control :lol:
-
CharlieBrady ->
Arne: This must actually be the opposite of a dos attack, rather something like a centralized dos attack, a cdos with a max rate of 2 packets per second per target. (Yes, cdos is a new term.)
CharlieBrady: As is often the case, you are spouting rubbish, Arne. The logs show SME server sending a few DNS queries to the root name servers. That is perfectly normal SME server operation. It's how DNS works.
Well this was intended to be a joke. The central part of the joke was that anybody should understand that you are right, and that this is only normal activity as you actually do mention.
Apart from the joke it could be interesting to look into or discuss what a dos or a ddos attack actually is and why a log entry should indicate or not indicate that a dos or a ddos attack is going on. This should be important for anybody to know something about, I think. Even I should know about it, as long as I have some servers, and a sme server running.
It should by the way be rather easy to mention a few friendly words about how the dns (cache) server of the sme server works. With two or three happy words about this theme, there should be no need to send people for further "education".
To clarify: There is as far as I know nothing called a cdos attack, this was a joke. Sometimes rubbish and non-rubbish lead to technically the same conclusions, but different kinds of humor.
By the way, I'm very pleased with the sme server, and I think the developers and maintainers do a great job.
-
By the way, what a dos and a ddos attack is, and how it might look in the log, and how a caching dns server works, this is actually network communications and network security at its first and basic entry level.
Why not discuss basic network stuff as the technical stuff it actually is, to spread some light on this, rather than bring some hard feelings into it when anyone would like to understand what happened and what's going on?
As I would see it, technical stuff is best and most easily treated as technical stuff.
To give an explanation about how a dos or a ddos attack is carried out, how you eventually can see it in the log, and what to look for, and how the caching dns server works, this should actually require a few lines of explanation in this thread, and it should require no hard feelings at all.