Firewall blocking periodic UDP packets from OpenDNS
Every two or three minutes I get a rash of UDP packets (several per second) attempting to connect to a high-numbered port. The attempts all appear to be coming from IP 208.67.222.222:53. Here is an example from my firewall log:
Jun 21 16:22:04 CHO-Mac-Pro ipfw: Stealth Mode connection attempt to UDP 192.168.1.65:54667 from 208.67.222.222:53
Jun 21 16:22:04 CHO-Mac-Pro ipfw: Stealth Mode connection attempt to UDP 192.168.1.65:54667 from 208.67.222.222:53
Jun 21 16:22:05 CHO-Mac-Pro ipfw: Stealth Mode connection attempt to UDP 192.168.1.65:54667 from 208.67.222.222:53
Jun 21 16:24:05 CHO-Mac-Pro ipfw: Stealth Mode connection attempt to UDP 192.168.1.65:63104 from 208.67.222.222:53
Jun 21 16:24:05 CHO-Mac-Pro ipfw: Stealth Mode connection attempt to UDP 192.168.1.65:63104 from 208.67.222.222:53
Jun 21 16:24:05 CHO-Mac-Pro ipfw: Stealth Mode connection attempt to UDP 192.168.1.65:63104 from 208.67.222.222:53
There is a pattern of trying each port three times, then moving on to the next port. Smacks of password guessing or some such.
I tried searching these forums for a similar problem, but had trouble thinking up keywords that would lead to anything useful. So a reference to discussions already ongoing on this topic would be appreciated.
For the record, I have been using OpenDNS for a couple of years on my Mac and have used the OpenDNS diagnostic utilities to ensure that I'm nominally configured correctly. Pertinent local net info:
my Mac: 1st gen Mac Pro running Tiger
other Macs: MacBook Pro, MacBook Air (powered off while the problem persists on my Mac) ... Mountain Lion machines
network drive: Synology DSM 4.2 server (powered off while the problem persists)
ISP: AT&T, using the gateway provided by AT&T (2Wire).
-
These are clearly DNS responses from OpenDNS for your DNS queries being reported by the firewall.
This has been reported more often on the old forums, e.g.
https://forums.opendns.com/comments.php?DiscussionID=7493
https://forums.opendns.com/comments.php?DiscussionID=9643
http://forums.opendns.com/comments.php?DiscussionID=11871
http://forums.opendns.com/comments.php?DiscussionID=13565
It almost always turned out that this is a badly behaving firewall which forgot that there was an outstanding UDP response to a prior UDP request.
-
Helpful reading. Among other useful things, a nomenclature handle, 'UDP port scan', that I can use to look further ... (I know, "this is not a port scan problem" ... understood.)
Actually, Mac Activity Monitor is showing regular 10-second bursts of traffic spaced at 20-second intervals ... the repetition rate is even higher than what shows up in the firewall log, but maybe only a portion of the outgoing packets are going to the OpenDNS server on port 53? Activity Monitor's default settings cause incoming packets to mask outgoing packets ... when I fixed that, it was obvious that the burst pattern consisted of two-way traffic ... and I'm guessing most of it is initiated locally.
I am really a babe in the woods when it comes to investigating what might be generating all of this traffic ... it's just my home computer. Could just as easily be ops normal, misconfiguration, malfeasance, or a poorly designed firewall. I originally started using OpenDNS a few years back mainly because my ISP's (AT&T) DNS would intermittently fail to find commonly used web sites, and OpenDNS offered a consistent level of performance. The only aspect of OpenDNS I know of that would periodically initiate traffic is the IP Updater ... but (naively?) I thought that would only trigger if my IP address changes (which I believe mostly just happens when I cycle power on my internet gateway ... nominally, once a day).
Recent investigation of this problem led me to find out more about basic OpenDNS services, and I did discover two two-year-old threat reports: one for webbot activity and one for malware. Not sure if these warnings mean my machine was a source of these problems or simply that attempts by these threats were thwarted by OpenDNS. But if the former, perhaps they could be the root cause of the periodic traffic bursts I'm seeing.
Other than that, I'm pretty stumped as to how to look for what might be generating the periodic bursts. If you have any advice on how to get started, it would be helpful.
Thanks.
-
Connections to OpenDNS will have a destination port of 53, but the source port on your side will generally be a port in the 1024-65535 range. If the DNS response took longer than expected (due to slow upstream responses), you are simply making a lot of requests, or are making a lot and are behind a NAT, these could all lead to getting packets on a closed port or where your router has "forgotten" the end machine that specific request was mapped to. As rotblitz mentioned, check your firewall settings, though I'd also recommend checking connection tracking settings if you are doing a lot of DNS requests or have other programs/systems running that make a lot of requests (BitTorrent tends to be noisy, for example).
-
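The two replies above describe the signature of a late DNS reply hitting a stateless or forgetful firewall: UDP, from port 53 of the resolver you actually use, to a local port in the ephemeral range, with the same local port reappearing a few times. The script below is an added example, not code from the original thread or from OpenDNS; it parses the ipfw "Stealth Mode" lines quoted in the post and separates that pattern from traffic that is really aimed at a service port. The resolver list (the two OpenDNS anycast addresses), the 1024 ephemeral lower bound, and the two extra log lines from 198.51.100.7 are assumptions and constructed data, not from the thread.

```python
"""Classify macOS ipfw "Stealth Mode" log lines: late DNS replies vs. real probes.

Added example for the OpenDNS forum thread; not the thread's or OpenDNS's code.
"""
import re
from collections import Counter, OrderedDict
from datetime import datetime

# Matches the ipfw lines quoted in the thread (syslog timestamp, no year).
IPFW_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ ipfw: "
    r"Stealth Mode connection attempt to (?P<proto>UDP|TCP) "
    r"(?P<dst_ip>[\d.]+):(?P<dst_port>\d+) from (?P<src_ip>[\d.]+):(?P<src_port>\d+)$"
)

# Assumption: the resolvers this host is configured to use (OpenDNS anycast addresses).
KNOWN_RESOLVERS = {"208.67.222.222", "208.67.220.220"}
# Assumption: lower bound of the client source-port range the reply refers to.
EPHEMERAL_MIN = 1024

# First six lines are the ones quoted in the post; the last two are constructed.
SAMPLE_LOG = [
    "Jun 21 16:22:04 CHO-Mac-Pro ipfw: Stealth Mode connection attempt to UDP 192.168.1.65:54667 from 208.67.222.222:53",
    "Jun 21 16:22:04 CHO-Mac-Pro ipfw: Stealth Mode connection attempt to UDP 192.168.1.65:54667 from 208.67.222.222:53",
    "Jun 21 16:22:05 CHO-Mac-Pro ipfw: Stealth Mode connection attempt to UDP 192.168.1.65:54667 from 208.67.222.222:53",
    "Jun 21 16:24:05 CHO-Mac-Pro ipfw: Stealth Mode connection attempt to UDP 192.168.1.65:63104 from 208.67.222.222:53",
    "Jun 21 16:24:05 CHO-Mac-Pro ipfw: Stealth Mode connection attempt to UDP 192.168.1.65:63104 from 208.67.222.222:53",
    "Jun 21 16:24:05 CHO-Mac-Pro ipfw: Stealth Mode connection attempt to UDP 192.168.1.65:63104 from 208.67.222.222:53",
    # constructed: a TCP knock on the SSH port from an unrelated host
    "Jun 21 16:25:30 CHO-Mac-Pro ipfw: Stealth Mode connection attempt to TCP 192.168.1.65:22 from 198.51.100.7:41234",
    # constructed: UDP from port 53 of a host that is NOT our resolver (looks like DNS, but is not ours)
    "Jun 21 16:25:31 CHO-Mac-Pro ipfw: Stealth Mode connection attempt to UDP 192.168.1.65:50000 from 198.51.100.7:53",
]


def parse_line(line):
    """Return a dict of fields for an ipfw Stealth Mode line, or None if it does not match."""
    m = IPFW_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["dst_port"] = int(e["dst_port"])
    e["src_port"] = int(e["src_port"])
    # Syslog timestamps carry no year; strptime fills in 1900, which is fine for ordering.
    e["ts"] = datetime.strptime(f"{e['mon']} {e['day']} {e['time']}", "%b %d %H:%M:%S")
    return e


def classify(e):
    """Late DNS reply: UDP, from port 53 of a resolver we use, to a local ephemeral port."""
    if (e["proto"] == "UDP" and e["src_port"] == 53
            and e["src_ip"] in KNOWN_RESOLVERS and e["dst_port"] >= EPHEMERAL_MIN):
        return "late-dns-reply"
    if e["dst_port"] < EPHEMERAL_MIN:
        return "probe-of-service-port"  # something really knocking on a listening-port range
    return "unclassified"  # e.g. "port 53" traffic from a host that is not our resolver


def summarize(lines):
    """Count each class, count replies per local port, and measure the gap between bursts."""
    entries = [e for e in map(parse_line, lines) if e]
    by_class = Counter(classify(e) for e in entries)
    per_port = OrderedDict()  # local port -> {"count", "first"} for late DNS replies only
    for e in entries:
        if classify(e) != "late-dns-reply":
            continue
        p = per_port.setdefault(e["dst_port"], {"count": 0, "first": e["ts"]})
        p["count"] += 1
    firsts = [p["first"] for p in per_port.values()]
    gaps = [int((b - a).total_seconds()) for a, b in zip(firsts, firsts[1:])]
    return {
        "by_class": dict(by_class),
        "per_port": {port: p["count"] for port, p in per_port.items()},
        "gaps_s": gaps,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the quoted lines this reports six late DNS replies, three per local port, with the two bursts 121 seconds apart, matching the "every two or three minutes, three tries per port" the poster observed; the repeated hits on one local port are consistent with a stub resolver retransmitting its query from the same socket after a timeout and each retransmission drawing a reply. The constructed line from 198.51.100.7:53 is left unclassified on purpose: a source port of 53 alone proves nothing, so the check also requires the source address to be a resolver this host actually queries.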
My ability to look at the things you mention is limited. I understand why you are reluctant to get into details of how to investigate internal system settings of client networks. My Mac runs Mac OS X and I am familiar with using the Terminal to investigate system behavior from a Unix shell. There probably is a way for me to use the Terminal to investigate which processes are generating the traffic ... and examine control elements within the traffic to reveal other useful information. If you are reluctant to counsel me on how to proceed using some well-known Unix services to investigate network traffic ("connection traffic settings"), I can understand that, and I'll ask elsewhere. Both my gateway (router/modem) and computer have firewalls with limited parametric controls that I can examine and modify, so I'll take a look at these.
Thanks for the advice