Something in the logs?
-
Hi there,
I always see this thing in my logs.
What should I do? Should I be alerted?
-
Port 691 is used by Exchange Server - http://support.microsoft.com/kb/278339
111.221.77.161 is a Microsoft IP address registered in Singapore - http://www.ip-tracker.org/lookup/whois-lookup.php?query=111.221.77.161
So I guess it is (hopefully) not Microsoft trying to hack in :) Do you have some Exchange Server that talks with Microsoft?
-
Why is there a "saveroads.ru" thing?
-
Looks like saveroads.ru is a dodgy site/IP that is the source of DNS amplification attacks - http://dnsamplificationattacks.blogspot.com/2014/01/domain-saveroadsru.html So the packet source address is fake, and never really came from Microsoft Singapore. I guess they are trying to DDoS Microsoft - hoping that the query to an Exchange Server listening on that port will be answered with a reasonably large response that goes to that Microsoft address and eats up Microsoft bandwidth and processing power.
pfSense is doing its job and blocking the queries, so it goes nowhere.
I am not sure that there is much you can do about it - I would have hoped that a known source like this would have been shut down by now.
-
Looks like a DNS reflection/amplification DDoS attempt. You blacked out the destination port but it's probably 53.
If you're blocking it, there's nothing to worry about.
-
I see.. So someone is trying to DDoS our server at the moment. Hmmm.. I see a lot of that thing in our logs and I'm getting worried.
Good to know that pfSense is blocking those attacks.
Is there anything I can do to avoid it more?
-
Not quite. Someone is trying to use your server to DDoS someone else - they're trying to use you as a DNS server to burn your bandwidth to send the replies elsewhere.
-
I heard that I have this "recursion enabled" on my DNS server.
Hmmm.. checking my internal DNS Server, it is disabled.
Can I do something to stop or block the DDoS?
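Two things in this thread are worth turning into a check you can run yourself: the point above that in a reflection attempt the packet's *source* address is the spoofed victim (so a "source" that hammers UDP/53 is the party being attacked, not the attacker), and the question of whether your own resolver has recursion disabled. The script below is an added example written for this thread; it is not pfSense code and not from any poster. The log line format it parses is a constructed, simplified one (action proto src:sport -> dst:dport), not pfSense's real filterlog format, so `parse_line()` would need adapting to your firewall's output, and the config check assumes a BIND-style `recursion no;` option.

```python
"""Spot inbound DNS-reflection attempts in a firewall log and check a
BIND-style resolver config for open recursion.

Added illustration for the forum thread; not pfSense code. The log line
format below is constructed and simplified (action proto src:sport ->
dst:dport), NOT pfSense's real filterlog format, so adapt parse_line() to
whatever your firewall actually writes.
"""
import re
from collections import Counter

# Constructed sample log lines. 111.221.77.161 is the address quoted in the
# thread; the other addresses are documentation ranges (RFC 5737).
SAMPLE_LOG = """\
block udp 111.221.77.161:53 -> 203.0.113.10:53
block udp 111.221.77.161:53 -> 203.0.113.10:53
block udp 111.221.77.161:53 -> 203.0.113.10:53
block udp 111.221.77.161:53 -> 203.0.113.10:53
block udp 111.221.77.161:53 -> 203.0.113.10:53
pass tcp 198.51.100.7:51234 -> 203.0.113.10:443
block udp 198.51.100.9:40000 -> 203.0.113.10:53
pass udp 203.0.113.10:53 -> 198.51.100.2:33000
"""

LINE_RE = re.compile(
    r"^(?P<action>block|pass)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def reflection_candidates(log_text, threshold=3):
    """Count blocked inbound UDP/53 packets per source address.

    In a reflection attempt the source address is spoofed to the intended
    victim, so a source that repeatedly hits port 53 this way is most likely
    the party being targeted, not someone attacking you. Returns
    {source: hit_count} for every source at or above `threshold`.
    """
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "block" and rec["proto"] == "udp" and rec["dport"] == 53:
            hits[rec["src"]] += 1
    return {src: n for src, n in hits.items() if n >= threshold}


# Assumed BIND-style option syntax: "recursion yes;" / "recursion no;".
RECURSION_RE = re.compile(r"\brecursion\s+(yes|no)\s*;", re.IGNORECASE)


def recursion_disabled(named_conf_text):
    """True only if the config explicitly says `recursion no;`.

    BIND enables recursion when the option is absent, so a missing option is
    reported as NOT disabled. allow-recursion ACLs are not evaluated here.
    """
    m = RECURSION_RE.search(named_conf_text)
    return bool(m) and m.group(1).lower() == "no"


if __name__ == "__main__":
    print(reflection_candidates(SAMPLE_LOG))
    print(recursion_disabled("options {\n  recursion no;\n};"))
```

Run against the constructed sample, the only source reported is the Microsoft address, which matches the thread's reading: it is the reflection target, and the right response is to keep blocking inbound UDP/53 at the edge and to confirm the internal resolver is not an open recursive resolver, rather than to treat that address as hostile.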