hundreds of requests to port 5353
-
I was updating Suricata today and added a few more rules to my SID disable list:

# ET DNS Query for .to TLD
# Seeing many of these from my machine from legitimate sites.
# removed 20240417
1:2027757
# ET INFO Observed File Sharing Domain (roamresearch .com in TLS SNI)
# I use Roam Research. False positive.
1:2037763

Now I'm seeing a huge surge in the number of requests being sent to UDP port 5353.
The large brown bar is my WAN IP. Prior to this afternoon, nominal traffic; now, more than 1000 messages.
Looking at the destination of these (below), I see, as expected, 224.0.0.251, but looking at the spike, it's sending messages to the entire CIDR range of IPs around my IP.
It's possible I fat-fingered something in Suricata, but this looks really strange. Any suggestions?
-
I rebooted, same behavior.
Rolled back config and rebooted, same behavior. I have no idea why my WAN interface seems to be spewing UDP 5353 packets at neighboring CIDR addresses every 15 minutes. I don't see anything unusual in crontab. I tried to see if lsof would show the process generating these packets, but either they are kernel space or I wasn't fast enough.
-
I've removed arpwatch and ntopng. This is resolved.
I turned on ntopng months ago. Not sure if that was the source of the issue or not.
-
Likely ntopng doing mDNS discovery and local name resolution as described here: https://book.hacktricks.xyz/network-services-pentesting/5353-udp-multicast-dns-mdns. There is a more detailed description of how ntopng performs network device discovery in their official documentation: https://www.ntop.org/ntopng/network-device-discovery-part-1-active-discovery/
-
Thank you. Great feedback. A few months ago I panicked shortly after setting up Suricata as I saw SSH sessions from my pfSense, only later to realize that ntop-ng was generating these to test the SSH version and warn of an old version.
The thing that was odd about this is that it just seemed to appear. The only change I made that coincided with the mDNS (UDP port 5353) probes was to Suricata. The other weird thing is that the outbound probes were from my WAN interface, not my LAN interface.