I've detected a lot of outbound traffic from my DNS server to a single host (public IP) using UDP 46728 to 56732. Can you guys help me figure out what connection it is? This traffic started on 20 July 12:22pm and is still going now, 22 July 2:10pm; it never stops.
What is the destination port? Can you get a packet capture?
With the very limited information you have provided, I can tell you what it's not.
Quote:
I've detected a lot of outbound traffic from my DNS server to a single host (public IP) using UDP 46728 to 56732
1) It's not a DNS zone transfer.
2) It's not a recursive lookup.
Without a capture file, as Tiger requested, we cannot tell you what this is, especially given the port range and the huge amount of information missing.
--TH13
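The replies above all ask the same things: what are the destination ports, what is the source-port range, and is this DNS traffic at all? Below is an added example (not code from the original thread or from any of the posters) that aggregates firewall log lines per (protocol, source, destination) flow and flags outbound flows from the DNS server that involve port 53 on neither side. The log format (timestamp, action, protocol, src:sport, dst:dport) is an assumed generic one, not the poster's actual firewall format, and the sample lines, the 203.0.113.10 destination (a documentation address standing in for the public host) and the destination port 5555 are all constructed for the example.

```python
"""Summarise firewall log lines per flow to answer the thread's questions:
destination port? source-port span? does port 53 appear at all?

Added example, not code from the original thread.  The log format below is
assumed (timestamp action proto src:sport dst:dport), not the poster's real one.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines: 169.254.1.33 is the poster's DNS server, 203.0.113.10
# (a documentation address) stands in for the public host, and 192.168.1.20 is a
# made-up internal client doing a normal lookup.
SAMPLE_LOG = """\
2023-07-20 12:22:01 ALLOW UDP 169.254.1.33:46728 203.0.113.10:5555
2023-07-20 12:22:02 ALLOW UDP 169.254.1.33:46731 203.0.113.10:5555
2023-07-20 12:22:03 ALLOW UDP 169.254.1.33:51004 203.0.113.10:5555
2023-07-20 12:22:04 ALLOW UDP 169.254.1.33:56732 203.0.113.10:5555
2023-07-20 12:22:05 ALLOW UDP 192.168.1.20:49152 169.254.1.33:53
2023-07-20 12:22:05 ALLOW UDP 169.254.1.33:53 192.168.1.20:49152
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_lines(text):
    """Yield one dict per well-formed line; silently skip lines that do not match."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        yield rec


def summarise_flows(text):
    """Group records by (proto, src, dst) and report packet count, source-port
    span, distinct destination ports, duration and whether port 53 is involved."""
    acc = defaultdict(lambda: {"count": 0, "sports": set(), "dports": set(),
                               "first": None, "last": None})
    for r in parse_lines(text):
        f = acc[(r["proto"], r["src"], r["dst"])]
        f["count"] += 1
        f["sports"].add(r["sport"])
        f["dports"].add(r["dport"])
        f["first"] = r["ts"] if f["first"] is None else min(f["first"], r["ts"])
        f["last"] = r["ts"] if f["last"] is None else max(f["last"], r["ts"])

    flows = {}
    for key, f in acc.items():
        flows[key] = {
            "count": f["count"],
            "sport_min": min(f["sports"]),
            "sport_max": max(f["sports"]),
            "dports": sorted(f["dports"]),
            "duration_s": (f["last"] - f["first"]).total_seconds(),
            # A query (dst 53) or a reply (src 53) is ordinary DNS; anything
            # else leaving a DNS server needs explaining.
            "looks_like_dns": f["dports"] == {53} or f["sports"] == {53},
        }
    return flows


def suspicious_outbound(flows, server_ip):
    """Flows leaving server_ip that have port 53 on neither side: exactly the
    traffic the thread is trying to identify."""
    return {k: v for k, v in flows.items()
            if k[1] == server_ip and not v["looks_like_dns"]}


if __name__ == "__main__":
    for (proto, src, dst), v in suspicious_outbound(
            summarise_flows(SAMPLE_LOG), "169.254.1.33").items():
        print(f"{proto} {src} -> {dst}: {v['count']} pkts, sports "
              f"{v['sport_min']}-{v['sport_max']}, dports {v['dports']}, "
              f"{v['duration_s']:.0f}s")
```

Run it against a real export of the firewall log (after adjusting `LINE_RE` to that firewall's format) and the output gives the responders what they asked for in one line per flow; a flow from the DNS server with a wide source-port span, a single non-53 destination port and a multi-day duration is the one to take a packet capture of.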
Just a thought: did you do a whois on the host IP address?
The picture shows a portion of the incidents. This is still happening now.
http://ser4.imgdump.net/images/s4_f5137a22b11d1.jpg
Edit: I mixed up destination and source. >.<
169.254.1.33 is a local ip address. You've probably got a loopback of some sort going on.
Note that 169.254.1.33 is my DNS server. I hadn't seen this weird traffic before this (I review my firewall logs every day).
/me hates incomplete firewall logs...
What are the source/destination ports of the blocked traffic?
Traffic to my DNS server.
http://ser4.imgdump.net/images/07252...7f1ff3b115.bmp
Traffic from my DNS server.
http://ser4.imgdump.net/images/07252...9f4f9c2053.bmp