I'm detecting a lot of outbound traffic from my DNS server to a single host (public IP) using UDP 46728 to 56732. Can you guys help me figure out what connection it is? This traffic started on 20 July 12:22pm and is still going now, 22 July 2:10pm; it never stops.
What is the destination port? Can you get a packet capture?
With the very limited information you have provided, I can tell you what it's not.
Quote:
I'm detecting a lot of outbound traffic from my DNS server to a single host (public IP) using UDP 46728 to 56732
1) It's not a DNS zone transfer.
2) It's not a recursive lookup.
Without a capture file as Tiger requested, we cannot tell you what this is, especially given the port range and the huge amount of info missing.
--TH13
Just a thought: did you do a whois on the host IP address?
The picture shows a portion of the incidents. This is still happening now.
http://ser4.imgdump.net/images/s4_f5137a22b11d1.jpg
Edit: I mixed up destination and source. >.<
169.254.1.33 is a local IP address. You've probably got a loopback of some sort going on.
Note that 169.254.1.33 is my DNS server. I hadn't seen this weird traffic before this (I review my firewall logs every day).
/me hates incomplete firewall logs...
What are the source/destination ports of the blocked traffic?
Traffic to my DNS server.
http://ser4.imgdump.net/images/07252...7f1ff3b115.bmp
Traffic from my DNS server.
http://ser4.imgdump.net/images/07252...9f4f9c2053.bmp
By chance do you have dual NIC cards (or more)? 169.254 is the default IP address range used by many versions of Microsoft Windows for an unconfigured NIC...
Basically it looks to me like your system is getting the DNS request in on one interface and then, for some reason, a response is being picked up on the unconfigured NIC and being properly dropped by the firewall... I would check and make sure all non-configured interfaces are disabled and that you haven't enabled IP forwarding, and then have a look again...
We can look at the firewall logs but we'll never figure out what is happening.
Kitaserupa2000: Please use a sniffer to analyse your traffic and cross-reference that with your firewall logs.
Without knowing what's really "on the wire" you'll be guessing till the cows come home ;)
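Two points in the thread lend themselves to a worked check: TH13's observation that a UDP flow between two high ports can be neither a zone transfer (TCP/53) nor a recursive lookup (UDP/53), and the closing advice to cross-reference the firewall log with what is on the wire. The script below is an added example, not code from anyone in this thread; it parses a constructed log in a simple "timestamp action proto src:port -> dst:port" format (the poster's real logs exist only as screenshots, so the format, the documentation-range addresses and the use of 169.254.1.33 as the DNS server are all assumptions), labels each flow by whether it can be DNS at all, totals the non-DNS flows per peer with their port ranges, and separately flags any line that involves a 169.254/16 (APIPA) address, which is the unconfigured-NIC symptom raised above.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample log (not the poster's real data). Addresses are from the
# documentation ranges; 169.254.1.33 stands in for the DNS server in the thread.
SAMPLE_LOG = """\
2009-07-20 12:22:01 ACCEPT UDP 192.0.2.10:53211 -> 169.254.1.33:53
2009-07-20 12:22:01 ACCEPT UDP 169.254.1.33:53 -> 192.0.2.10:53211
2009-07-20 12:22:03 DROP UDP 169.254.1.33:46728 -> 198.51.100.7:46728
2009-07-20 12:22:03 DROP UDP 169.254.1.33:46730 -> 198.51.100.7:51102
2009-07-20 12:22:04 ACCEPT TCP 169.254.1.33:41000 -> 203.0.113.5:53
2009-07-20 12:22:05 DROP UDP 169.254.1.33:56732 -> 198.51.100.7:56732
2009-07-20 12:23:00 ACCEPT UDP 10.0.0.5:40000 -> 10.0.0.53:53
"""

# Hypothetical log format; adapt the regex to your firewall's export.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ACCEPT|DROP) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
APIPA = ipaddress.ip_network("169.254.0.0/16")  # Windows auto-configured NIC range


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    flow = m.groupdict()
    flow["sport"] = int(flow["sport"])
    flow["dport"] = int(flow["dport"])
    return flow


def classify(flow):
    """Label a flow by what kind of DNS traffic it could be.

    Zone transfers (AXFR/IXFR) run over TCP to port 53, lookups go to UDP port
    53 (TCP only on truncation), and responses come back from port 53. A flow
    with neither side on port 53 cannot be any of these, whatever the server's
    role is, so it is labelled "non-dns" and needs a packet capture to explain.
    """
    proto, sport, dport = flow["proto"], flow["sport"], flow["dport"]
    if dport == 53:
        return "dns-query-tcp" if proto == "TCP" else "dns-query-udp"
    if sport == 53:
        return "dns-response-tcp" if proto == "TCP" else "dns-response-udp"
    return "non-dns"


def is_link_local(addr):
    """True for 169.254.0.0/16, the address a NIC gets when DHCP/static config is absent."""
    return ipaddress.ip_address(addr) in APIPA


def analyse(log_text):
    """Summarise flows per (peer, proto, label) and flag APIPA addresses."""
    per_peer = Counter()
    # min/max of source and destination ports seen per peer for non-DNS flows
    port_ranges = defaultdict(lambda: {"sport": [65536, 0], "dport": [65536, 0]})
    link_local = []
    for line in log_text.splitlines():
        flow = parse_line(line)
        if flow is None:
            continue
        label = classify(flow)
        per_peer[(flow["dst"], flow["proto"], label)] += 1
        if label == "non-dns":
            rng = port_ranges[flow["dst"]]
            for key in ("sport", "dport"):
                rng[key][0] = min(rng[key][0], flow[key])
                rng[key][1] = max(rng[key][1], flow[key])
        if is_link_local(flow["src"]) or is_link_local(flow["dst"]):
            link_local.append(line.strip())
    return {"per_peer": per_peer, "port_ranges": dict(port_ranges), "link_local": link_local}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    print("flows per (peer, proto, label):")
    for key, n in sorted(report["per_peer"].items()):
        print(f"  {key}: {n}")
    print("non-DNS port ranges per peer:", report["port_ranges"])
    print(f"{len(report['link_local'])} line(s) involve a 169.254/16 address")
```

The non-DNS bucket is what to hand to the sniffer: capture on the DNS server with a filter built from that peer and port range (for example `udp and host 198.51.100.7 and portrange 46728-56732` in tcpdump syntax) and compare the payload with the dropped lines, which the firewall log alone cannot do.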