    Something in the logs?

    Firewalling
      rands.rodriguez last edited by

      Hi there,

      I always see this thing on my logs.

      What should I do? Should I be alerted?

        phil.davis last edited by

        Port 691 is used by Exchange Server - http://support.microsoft.com/kb/278339
        111.221.77.161 is a Microsoft IP address registered in Singapore - http://www.ip-tracker.org/lookup/whois-lookup.php?query=111.221.77.161
        So I guess it is (hopefully) not Microsoft trying to hack in :) Do you have some Exchange Server that talks with Microsoft?

          rands.rodriguez last edited by

          Why is there a "saveroads.ru" thing?

            phil.davis last edited by

            Looks like saveroads.ru is a dodgy site/IP that is the source of DNS Amplification attacks - http://dnsamplificationattacks.blogspot.com/2014/01/domain-saveroadsru.html So the packet source address is fake, and never really came from Microsoft Singapore. I guess they are trying to DDoS Microsoft - hoping that the query to an Exchange server listening on that port will be answered with a reasonably large response that goes to that Microsoft address and eats up Microsoft bandwidth and processing power.
            pfSense is doing its job and blocking the queries, so it goes nowhere.
            I am not sure that there is much you can do about it - I would have hoped that a known source like this would have been shut down by now.

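Added example, not part of the original posts and not pfSense code: a defender-side decoder for the DNS question in a captured UDP payload, which is where a name such as "saveroads.ru" in a log entry comes from. The sample payload, the ANY query type, the zone `example.com` and all function names are constructed for illustration.

```python
import struct

QTYPES = {1: "A", 15: "MX", 16: "TXT", 28: "AAAA", 255: "ANY"}

def build_query(name, qtype, rd=True):
    """Build a minimal DNS query payload (used here only for sample data)."""
    header = struct.pack("!6H", 0x1A2B, 0x0100 if rd else 0, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + labels + b"\x00" + struct.pack("!2H", qtype, 1)

def parse_dns_query(payload):
    """Decode the header flags and first question of a DNS message."""
    if len(payload) < 12:
        raise ValueError("shorter than the 12-byte DNS header")
    ident, flags, qdcount = struct.unpack("!3H", payload[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            raise ValueError("truncated question name")
        length = payload[pos]
        pos += 1
        if length == 0:          # root label ends the name
            break
        if length > 63 or pos + length > len(payload):
            raise ValueError("bad label length (pointer or truncation)")
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(payload):
        raise ValueError("truncated qtype/qclass")
    qtype, _qclass = struct.unpack("!2H", payload[pos:pos + 4])
    return {
        "id": ident,
        "is_query": not flags & 0x8000,          # QR bit clear = query
        "recursion_desired": bool(flags & 0x0100),
        "qname": ".".join(labels).lower(),
        "qtype": QTYPES.get(qtype, str(qtype)),
    }

def is_unwanted_query(info, served_zones):
    """True for a query whose name is outside the zones this server answers for."""
    name = info["qname"]
    in_zone = any(name == z or name.endswith("." + z) for z in served_zones)
    return info["is_query"] and not in_zone

# Constructed sample: payload of a blocked packet asking for the thread's domain.
SAMPLE = build_query("saveroads.ru", 255)
SERVED_ZONES = {"example.com"}  # hypothetical zone hosted behind the firewall
```

A query for a name outside the zones you serve, arriving unsolicited on the WAN side, matches the pattern described in the thread; the source address on such packets cannot be trusted.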
              jimp Rebel Alliance Developer Netgate last edited by

              Looks like a DNS reflection/amplification DDoS attempt. You blacked out the destination port but it's probably 53.

              If you're blocking it, there's nothing to worry about.

                rands.rodriguez last edited by

                I see.. So someone is trying to DDoS our server at the moment. Hmmm.. I see a lot of that thing in our logs and I'm getting worried.

                Good to know that pfSense is blocking those attacks.

                Is there anything I can do to avoid it more?

                  jimp Rebel Alliance Developer Netgate last edited by

                  Not quite, someone is trying to use your server to DDoS someone else - they're trying to use you as a DNS server to burn your bandwidth to send the replies elsewhere.

                    rands.rodriguez last edited by

                    I heard that I have this "recursion enabled" on my DNS server.

                    Hmmm.. checking my internal DNS Server, it is disabled.

                    Can I do something to stop or block the DDoS?
