Someone thinks I'm a DNS server..

redarrow (Expert Member; joined Dec 30, 2005; 2,411 messages; 57 reaction score; Port Elizabeth, South Africa)
My ADSL is connected via a Mikrotik router which does a PPPoE dialup through the ADSL modem. I've had this setup for years, mainly cos it allows lots of control, such as using multiple ADSL accounts.

When I logged into my RB yesterday to fix some stuff (it had frozen up for some reason and lost part of the configuration when I power cycled it), I noticed a constant flow of traffic on the ADSL link averaging maybe ~500Kbps which wasn't leaving the router on the LAN side. Strange, no? So upon "torching" the PPPoE interface I discovered loads of DNS requests coming from the internet! At this point it occurred to me that I had never firewalled incoming DNS requests; honestly, it had never occurred to me that I should have. :o

I have blocked it now of course, but even this morning the requests are still coming in by the hundreds; my firewall has dropped over 170MB of requests since last night. The other thing is I have 2 ADSL accounts currently connected, the second one being pretty new (signed up early April), and yet it's also getting hit with DNS requests. I'm wondering how it could've been discovered so quickly?

Now I'm trying to understand why on earth anyone would want to use my ADSL line for DNS requests. What advantage does it offer them? Is there something I don't know about, and more importantly, should I be worried about it? :confused:

Anyone with a clue?
 
Switch off your router for 20min and you'll get a new IP.

Do you use DyDNS?
 
Probably a DNS reflection/amplification attack. Your router is probably being used to attack someone else. Upgrade the firmware, and make sure IPs outside your network cannot use your router for DNS queries.
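The fix the reply above describes, written out as RouterOS firewall rules. This is an added example, not configuration posted by anyone in the thread: it assumes the PPPoE interface is named pppoe-out1 and the LAN is 192.168.88.0/24, so both must be adjusted to match the router in question. The rules keep the router's resolver available to the LAN while refusing port 53 traffic that arrives on the internet-facing link.

```routeros
# Added example (not from the thread). Assumed names: pppoe-out1 = the PPPoE
# dialup interface, 192.168.88.0/24 = the LAN behind the router.
/ip firewall filter

# Replies to the router's own outbound lookups (and any other already-open
# connection) must still get in, so accept established/related traffic first.
add chain=input connection-state=established,related action=accept \
    comment="accept established/related"

# LAN clients may keep using the router as their DNS resolver.
add chain=input src-address=192.168.88.0/24 protocol=udp dst-port=53 \
    action=accept comment="LAN DNS (UDP)"
add chain=input src-address=192.168.88.0/24 protocol=tcp dst-port=53 \
    action=accept comment="LAN DNS (TCP)"

# Anything else that reaches port 53 over the PPPoE link is dropped, so the
# router no longer answers (or amplifies) queries from the internet.
add chain=input in-interface=pppoe-out1 protocol=udp dst-port=53 \
    action=drop comment="drop WAN DNS (UDP)"
add chain=input in-interface=pppoe-out1 protocol=tcp dst-port=53 \
    action=drop comment="drop WAN DNS (TCP)"

# Check that the drop rules are actually catching traffic: the packet and byte
# counters on these two rules should climb while the queries keep arriving.
/ip firewall filter print stats where comment~"drop WAN DNS"
```

`add` appends rules to the end of the input chain, so if an earlier rule already accepts everything on the interface, move these above it with `/ip firewall filter move`. With two PPPoE accounts, as in the original post, the two drop rules need a copy per PPPoE interface. Watching the counters from `print stats` gives a direct read on how much of the link is still being consumed by dropped queries.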
 
The worrying part is why the router was allowing incoming connections on port 53 in the first place.

Have you checked to make sure that everything is blocked? You shouldn't need any open ports to the internet unless you use services like SSH, HTTP, etc. remotely.
 
Switch off your router for 20min and you'll get a new IP.
Well, I've rebooted it several times since; it made no diff. Though to be fair I never paid any attention to the IP, so possibly I've still got the same one. I'll try that again.
Do you use DyDNS?
Nope.

Probably a DNS reflection/amplification attack. Your router is probably being used to attack someone else. Upgrade the firmware, and make sure IPs outside your network cannot use your router for DNS queries.
Ah yea, thanks for reminding me. I actually thought it was running the latest RouterOS, but I see it's actually one update behind. Updating it right now.

What exactly is a reflection attack? Is it something to be worried about apart from it sucking up my data?

Thanks!
 
Hi Roy - can I call you Roy? :D

Probably they got in using brute force attempts. Try the following scripts from the Wiki to stop that:

http://wiki.mikrotik.com/wiki/Bruteforce_login_prevention
 
The worrying part is why the router was allowing incoming connections on port 53 in the first place.

Have you checked to make sure that everything is blocked? You shouldn't need any open ports to the internet unless you use services like SSH, HTTP, etc. remotely.
I've always had stuff like SSH blocked, but not every port, no. I honestly never thought about blocking other ports as my LAN is behind a NAT anyway.
 
Yup, DoS attack.
I know if you're on IS's network, they actually pick it up and request that you block the DNS port from the internet.
 
Also happened on all my RBs that I used a few years back, not on port 53 but on others. Chucked them all out and replaced them with real firewalls, as managing the RBs just became a nightmare.
 
All of a sudden:

Code:
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, May 30,2014 09:22:24
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, May 30,2014 09:21:24
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, May 30,2014 09:20:24
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, May 30,2014 09:19:24
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, May 30,2014 09:08:36
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, May 30,2014 09:07:36
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, May 30,2014 09:07:20
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, May 30,2014 09:06:36
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, May 30,2014 09:05:36
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, May 30,2014 08:57:21
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, May 30,2014 08:34:12
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, May 30,2014 08:33:12
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, May 30,2014 08:32:12
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, May 30,2014 08:31:12
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, May 30,2014 08:29:32
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, May 30,2014 08:19:35
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, May 30,2014 07:55:00
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, May 30,2014 07:48:12
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, May 30,2014 07:44:59
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, May 30,2014 07:38:08
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, May 30,2014 07:28:14
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, May 30,2014 07:13:07
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, May 30,2014 07:12:07
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, May 30,2014 07:11:07
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, May 30,2014 07:10:07
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, May 30,2014 07:05:39
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, May 30,2014 07:04:39
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, May 30,2014 07:03:39
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, May 30,2014 07:02:39
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, May 30,2014 07:01:31
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, May 30,2014 07:00:31
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, May 30,2014 06:59:31
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, May 30,2014 06:58:31
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, May 30,2014 06:37:47
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, May 30,2014 06:35:23
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, May 30,2014 06:34:23
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, May 30,2014 06:33:23
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, May 30,2014 06:32:23
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, May 30,2014 06:27:49
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, May 30,2014 05:36:59
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, May 30,2014 05:26:59
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, May 30,2014 05:26:34
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, May 30,2014 05:25:34
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, May 30,2014 05:24:58
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, May 30,2014 05:24:34
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, May 30,2014 05:23:34
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, May 30,2014 05:14:59
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, May 30,2014 04:36:54
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, May 30,2014 04:35:54
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, May 30,2014 04:34:54
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, May 30,2014 04:33:54
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, May 30,2014 04:30:46
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, May 30,2014 04:29:38
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, May 30,2014 03:48:10
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, May 30,2014 03:38:10
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, May 30,2014 03:31:41
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, May 30,2014 03:30:41
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, May 30,2014 02:32:14
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, May 30,2014 01:52:01
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, May 30,2014 01:51:01
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, May 30,2014 01:50:01
[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, May 30,2014 01:49:01
 
Yup, DoS attack.
I know if you're on IS's network, they actually pick it up and request that you block the DNS port from the internet.

We get those all the time from IS. I got one the other day for a business DSL client we have on IS's network. They said the router they supplied was being used. They asked me to sort it out, so I replied back that I have no access to the router as it's one they administrate, not me.
 
We get those all the time from IS. I got one the other day for a business DSL client we have on IS's network. They said the router they supplied was being used. They asked me to sort it out, so I replied back that I have no access to the router as it's one they administrate, not me.

Yeah, I've seen it twice so far,
but not for BDSL. That's strange though, they should've checked that first lol.

They're so annoying with all those download and spam abuse reports. But the DNS abuse ones do make sense.
Those are worth getting alerted about.
 