dhaselhorst
join:2002-06-03 Falls Church, VA
[northeast] Verizon Name Server Port Scan?
I have been experiencing what looks like a port scan originating from a Verizon name server at 71.252.0.12, port 53.
The IP appears to be a Verizon name server in Reston, VA. I am getting 20 - 25 UDP packets a second for days and days at a time, flooding my router. It then stops for a couple of days and then starts again.
It sometimes goes on for a week or more.
I realize that it doesn't make a lot of sense that the Name Server would be port scanning me, but I am unable to determine why I am being flooded with traffic.
Logs attached below.
Any help would be greatly appreciated. I cannot get past Verizon tier one support to reach anyone with real answers.
FIOS customer, Actiontec router behind a Netgear router. The Actiontec is bridged to allow VOD etc.
Any insights would be appreciated.
192.168.1.1 02/25/09 09:30:51 02/25/09 10:31:41 local 7 Notice (FVS328-fa-e9-be) "71.191.54.238 UDP Packet - Source:71.252.0.12,53 - Destination:192.168.1.1,19781 - [Receive] "
192.168.1.1 02/25/09 09:30:51 02/25/09 10:31:41 local 7 Notice (FVS328-fa-e9-be) "71.191.54.238 UDP Packet - Source:71.252.0.12,53 - Destination:192.168.1.1,19780 - [Receive] "
192.168.1.1 02/25/09 09:30:51 02/25/09 10:31:41 local 7 Notice (FVS328-fa-e9-be) "71.191.54.238 UDP Packet - Source:71.252.0.12,53 - Destination:192.168.1.1,19779 - [Receive] "
192.168.1.1 02/25/09 09:30:51 02/25/09 10:31:41 local 7 Notice (FVS328-fa-e9-be) "71.191.54.238 UDP Packet - Source:71.252.0.12,53 - Destination:192.168.1.1,19778 - [Receive] "
192.168.1.1 02/25/09 09:30:51 02/25/09 10:31:41 local 7 Notice (FVS328-fa-e9-be) "71.191.54.238 UDP Packet - Source:71.252.0.12,53 - Destination:192.168.1.1,19777 - [Receive] "
192.168.1.1 02/25/09 09:30:50 02/25/09 10:31:41 local 7 Notice (FVS328-fa-e9-be) "71.191.54.238 UDP Packet - Source:71.252.0.12,53 - Destination:192.168.1.1,19776 - [Receive] "
192.168.1.1 02/25/09 09:30:50 02/25/09 10:31:41 local 7 Notice (FVS328-fa-e9-be) "71.191.54.238 UDP Packet - Source:71.252.0.12,53 - Destination:192.168.1.1,19775 - [Receive] "
192.168.1.1 02/25/09 09:30:50 02/25/09 10:31:41 local 7 Notice (FVS328-fa-e9-be) "71.191.54.238 UDP Packet - Source:71.252.0.12,53 - Destination:192.168.1.1,19774 - [Receive] "
192.168.1.1 02/25/09 09:30:50 02/25/09 10:31:41 local 7 Notice (FVS328-fa-e9-be) "71.191.54.238 UDP Packet - Source:71.252.0.12,53 - Destination:192.168.1.1,19773 - [Receive] "
192.168.1.1 02/25/09 09:30:50 02/25/09 10:31:41 local 7 Notice (FVS328-fa-e9-be) "71.191.54.238 UDP Packet - Source:71.252.0.12,53 - Destination:192.168.1.1,19772 - [Receive] "
deblin Dark Side of the Moon Premium,MVM join:2001-09-01 Middletown, DE
Most likely just a false positive in your firewall software. If your nameserver is set up as 71.252.0.12, then I'm 99% sure it's just the software firewall flagging it because the requests are either a) too frequent or b) delayed due to network congestion or other queuing and are arriving later and triggering the firewall.
-- He who is not contented with what he has, would not be contented with what he would like to have. -Socrates
dhaselhorst
join:2002-06-03 Falls Church, VA
I appreciate the reply, but would that account for the ports incrementing one by one? The inbound requests are literally incrementing through thousands and thousands of ports over multiple days, all appearing to come from the name server.
The scan is not being flagged by any software. The internet light on the router shows continuous activity while there is no other activity on the WAN side either via the lights or via the log.
I agree with what you are saying if there would be a few inbound or delayed requests, but I can't understand what would run through thousands of ports, one by one.
Thanks for any suggestions.
mayersj1
join:2008-09-10 Beaverton, OR
reply to dhaselhorst
Doing an nslookup on that IP returns the following name:
pool-71-191-54-238.washdc.fios.verizon.net
I don't think this is a DNS server. This looks like a regular user machine in the DHCP pool.
deblin Dark Side of the Moon Premium,MVM join:2001-09-01 Middletown, DE
That's his IP, not the server's. The server's IP is 71.252.0.12, which does appear to be a nameserver:
floyd@pflog:~% host 71.252.0.12
12.0.252.71.in-addr.arpa domain name pointer nsrest01.verizon.net.
floyd@pflog:~% dig A google.com @71.252.0.12

; <<>> DiG 9.4.2-P2 <<>> A google.com @71.252.0.12
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16164
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             72      IN      A       209.85.171.100
google.com.             72      IN      A       74.125.67.100
google.com.             72      IN      A       74.125.45.100

;; Query time: 11 msec
;; SERVER: 71.252.0.12#53(71.252.0.12)
;; WHEN: Thu Feb 26 15:20:15 2009
;; MSG SIZE  rcvd: 76
deblin Dark Side of the Moon Premium,MVM join:2001-09-01 Middletown, DE
reply to dhaselhorst
Well, it's possible that nameserver thinks you are a nameserver and is trying to AXFR to you or something. Or use you as an auth nameserver for its lookups.
The only real way to tell would be to get a packet dump of the activity with something like Wireshark or tcpdump with as much verbosity as possible, so we can see what the traffic actually is. If it's a real DNS query or a valid zone transfer, Wireshark should be able to decode that.
If you're up for running Wireshark, I can help walk you through it so we can get a packet capture.
mayersj1
join:2008-09-10 Beaverton, OR
reply to deblin
Yep, my bad. Not looking well enough at the log. Sorry.
dhaselhorst
join:2002-06-03 Falls Church, VA
1 edit
I'm up for Wireshark. I would really like to understand what's going on. I have IP tools currently installed if that would work.
I'm a little unsure of how to monitor the link between the router and the ISP. Just insert a switch? Seems like there might be IP issues? (DHCP vs. fixed)? Who hands them out?
I'm happy to try Wireshark and again appreciate the help.
Follow-up - Wireshark installed.
deblin Dark Side of the Moon Premium,MVM join:2001-09-01 Middletown, DE
Are the log messages you provided in the original post from your router or from your PC? If they're on your PC, then you should be able to just open up Wireshark, then hit ctrl-k to start capturing.
A window should pop up with options:
- pick the proper interface (e.g. if you have wireless AND wired, pick the one you're currently connected on)
- Next to the capture filter button, in the text area, put: port 53 and ip host 71.252.0.12
Then click "Start".
Wait a while for some of the packets to appear, then when you're finished, hit ctrl-E to stop the trace.
Then just save the trace file somewhere and zip it and attach here if it's small enough. If not, drop me an IM and I can give you a place to upload it on my biz FIOS connection and I can post it here for others to look at as well.
If the logs are from the Actiontec or another router, you'll need to set up a forwarding rule for UDP port 53 to the LAN IP address of the computer you will be running Wireshark on. You can also set up a forward for TCP port 53, too, just in case.
dhaselhorst
join:2002-06-03 Falls Church, VA
1 edit
The logs are from the router itself being piped to the PC (behind the firewall) with a syslog reader/catcher on the PC.
Regarding the port forward, is the inbound traffic headed for port 53 or coming on 53 from 71.252.0.12?
See below:
UDP Packet - Source:71.252.0.12,53 - Destination:192.168.1.1,19781 - [Receive] "
I thought the log was saying the traffic was originating on 71.252.0.12,53 and headed to my-ip,portx, my-ip,port x+1, my-ip,port x+2, etc. etc. Perhaps I am reading it wrong.
I am happy to try the forwarding, but want to make sure I capture the traffic.
I guess I could monitor in front of the router, but I am unsure if I would need an IP on that segment to monitor. Perhaps the NIC in promiscuous mode would still see the traffic?
I can try the forward if that is the simplest.
Thanks,
Update - Tried forwarding port 53 UDP and TCP to the Wireshark PC, but not seeing the same questionable traffic as via router logging. I'm not sure I am capturing the traffic on the outside of the firewall, even with the port 53 UDP and TCP forwarding...
deblin Dark Side of the Moon Premium,MVM join:2001-09-01 Middletown, DE
Oops, yeah, the source port is 53, so forwarding that won't help.
I guess the only way to do it would be to DMZ that particular host or similar.
dhaselhorst
join:2002-06-03 Falls Church, VA
Thanks for following up.
I tried the DMZ as well. Via the router, I put the PC with Wireshark in the DMZ. I do see a lot of traffic, but I am not seeing traffic that was sent to the router 192.168.1.1 from outside the firewall.
I am wondering if the router is not forwarding packets into the DMZ that are specifically addressed to it at 192.168.1.1.
i.e. [Sat, 2009-02-28 12:22:10] - UDP Packet - Source:71.252.0.12,53 - Destination:192.168.1.1,61806 - [Receive]
Can I get on the same segment on the "outside" of the router? I don't think the FIOS ONT will give me an IP as well as the router. I thought I might be able to put in a switch between the ONT and the router, but I'm not sure I will be able to monitor without an IP address for the Wireshark PC.
Any thoughts?
More Fiber Premium,MVM join:2005-09-26 West Chester, PA
said by dhaselhorst:
Can I get on the same segment on the "outside" of the router? I don't think the FIOS ONT will give me an IP as well as the router. I thought I might be able to put in a switch between the ONT and the router, but I'm not sure I will be able to monitor without an IP address for the Wireshark PC.
If you use a switch, you need one that supports port mirroring; otherwise use a hub to make sure all packets are passed to the Wireshark PC.
The Wireshark PC doesn't need a WAN IP address. Wireshark should be able to put the NIC into promiscuous mode even if the NIC only has a link-local address (169.254.x.x).
dhaselhorst
join:2002-06-03 Falls Church, VA
Thanks for the tip. I was trying to monitor with a switch and got the exact conditions you are describing. Trying to locate a simple hub.
dhaselhorst
join:2002-06-03 Falls Church, VA
Following up to close the thread and to help anyone else who might have a similar problem.
I was able to sniff the line between the router and the FIOS ONT. The previous posts from More Fiber are correct about switches and hubs.
You need a hub, and not all hubs are created equal. Many devices labeled hubs are indeed switches and will route the packets you are interested in seeing around the port you are plugged into. One hub that is actually a hub is the NetGear DS104. $20 on eBay. I tried newer Netgear switches. Some posts reported that port one mirrors all the other ports by default. I could not get that to work. The NetGear DS104 does allow sniffing as a simple plug-in-and-go hub.
Once I was able to sniff the connection between the router and ONT, I could see dozens of DNS requests being generated every second going from my router to the Verizon name server. The requests were going out on increasing port numbers. The inbound responses in the original posts are the DNS server responding.
Sniffing behind the firewall did not show the router's requests, just the name server's responses, making it look like a port scan (because it was incrementing the port number one by one on the request).
This did not solve the problem of who was making the request.
Turns out, I left a VPN policy running on the router for which the other end of the VPN connection no longer existed. The VPN connection was doing a DNS lookup to resolve a domain name to a dynamic IP address. Because there was no one updating the name server with the new dynamic IP (the other connection had been disconnected a couple of months ago), the DNS request just kept going and going.
Disabling the VPN policy solved the problem.
Thanks to deblin and More Fiber and the rest of the group for the tips and tricks that allowed me to diagnose this problem. Couldn't have done it without the help!
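The root cause above is a good reminder that a router log only shows one leg of a conversation. The following is an added example, not code posted by anyone in this thread: a small Python triage script that parses FVS328-style syslog lines like the ones in the first post, groups them into flows, and flags the tell-tale "source port 53, sequential high destination ports" pattern as the reply leg of the LAN's own DNS queries (something to confirm with a WAN-side capture, as was done here), while sequential low destination ports from an arbitrary source port are reported as a probe candidate. The sample lines are constructed to match the quoted format; the second flow (source 198.51.100.7) is entirely made up for contrast, and the regex and thresholds are my assumptions about the log layout.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, modelled on the FVS328 syslog lines quoted in the first post.
# The first six lines mirror the quoted reply flow; the last three (source
# 198.51.100.7, a documentation address) are invented as a contrasting flow.
SAMPLE_LOG = """\
192.168.1.1 02/25/09 09:30:51 02/25/09 10:31:41 local 7 Notice (FVS328-fa-e9-be) "71.191.54.238 UDP Packet - Source:71.252.0.12,53 - Destination:192.168.1.1,19781 - [Receive] "
192.168.1.1 02/25/09 09:30:51 02/25/09 10:31:41 local 7 Notice (FVS328-fa-e9-be) "71.191.54.238 UDP Packet - Source:71.252.0.12,53 - Destination:192.168.1.1,19780 - [Receive] "
192.168.1.1 02/25/09 09:30:51 02/25/09 10:31:41 local 7 Notice (FVS328-fa-e9-be) "71.191.54.238 UDP Packet - Source:71.252.0.12,53 - Destination:192.168.1.1,19779 - [Receive] "
192.168.1.1 02/25/09 09:30:50 02/25/09 10:31:41 local 7 Notice (FVS328-fa-e9-be) "71.191.54.238 UDP Packet - Source:71.252.0.12,53 - Destination:192.168.1.1,19778 - [Receive] "
192.168.1.1 02/25/09 09:30:50 02/25/09 10:31:41 local 7 Notice (FVS328-fa-e9-be) "71.191.54.238 UDP Packet - Source:71.252.0.12,53 - Destination:192.168.1.1,19777 - [Receive] "
192.168.1.1 02/25/09 09:30:50 02/25/09 10:31:41 local 7 Notice (FVS328-fa-e9-be) "71.191.54.238 UDP Packet - Source:71.252.0.12,53 - Destination:192.168.1.1,19776 - [Receive] "
192.168.1.1 02/25/09 09:31:00 02/25/09 10:31:41 local 7 Notice (FVS328-fa-e9-be) "71.191.54.238 UDP Packet - Source:198.51.100.7,40000 - Destination:192.168.1.1,21 - [Receive] "
192.168.1.1 02/25/09 09:31:00 02/25/09 10:31:41 local 7 Notice (FVS328-fa-e9-be) "71.191.54.238 UDP Packet - Source:198.51.100.7,40000 - Destination:192.168.1.1,22 - [Receive] "
192.168.1.1 02/25/09 09:31:01 02/25/09 10:31:41 local 7 Notice (FVS328-fa-e9-be) "71.191.54.238 UDP Packet - Source:198.51.100.7,40000 - Destination:192.168.1.1,23 - [Receive] "
"""

# Assumed layout: <logger> <date> <time> ... "<wan ip> <proto> Packet - Source:ip,port
# - Destination:ip,port - [Direction] ". The first timestamp is taken as the event time.
LINE_RE = re.compile(
    r'^(?P<logger>\S+) (?P<date>\d\d/\d\d/\d\d) (?P<time>\d\d:\d\d:\d\d) '
    r'.*?"(?P<wan>[\d.]+) (?P<proto>UDP|TCP) Packet'
    r' - Source:(?P<sip>[\d.]+),(?P<sport>\d+)'
    r' - Destination:(?P<dip>[\d.]+),(?P<dport>\d+)'
    r' - \[(?P<direction>\w+)\] "$'
)


def parse_log(text):
    """Parse router syslog lines into event dicts; lines that don't match are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%y %H:%M:%S"),
            "proto": m["proto"],
            "sip": m["sip"], "sport": int(m["sport"]),
            "dip": m["dip"], "dport": int(m["dport"]),
        })
    return events


def classify(sport, dports):
    """Heuristic verdict for one source ip/port -> destination ip flow."""
    ports = sorted(set(dports))
    if not ports:
        return "no events"
    gaps = [b - a for a, b in zip(ports, ports[1:])]
    sequential = len(ports) >= 3 and all(g == 1 for g in gaps)
    ephemeral = ports[0] >= 1024  # assumed lower bound of the querying host's port range
    if sport == 53 and ephemeral:
        # DNS replies go back to the ephemeral port each query left from, so source
        # port 53 with climbing high ports looks like a scan but is usually the reply leg.
        return "dns-reply-leg (consistent with replies to your own queries; confirm with a WAN-side capture)"
    if sequential and not ephemeral:
        return "sequential low-port probe (treat as an inbound scan candidate)"
    return "unclassified"


def summarize_flows(events):
    """Group events by (proto, source ip, source port, dest ip) and describe each flow."""
    flows = defaultdict(list)
    for e in events:
        flows[(e["proto"], e["sip"], e["sport"], e["dip"])].append(e)
    report = {}
    for key, evs in flows.items():
        dports = [e["dport"] for e in evs]
        first = min(e["ts"] for e in evs)
        last = max(e["ts"] for e in evs)
        span = (last - first).total_seconds()
        report[key] = {
            "count": len(evs),
            "dport_min": min(dports),
            "dport_max": max(dports),
            "span_s": span,
            # a zero span means every event fell in one logged second; use the count as the rate
            "rate_pps": len(evs) / span if span > 0 else float(len(evs)),
            "verdict": classify(key[2], dports),
        }
    return report


if __name__ == "__main__":
    for key, info in summarize_flows(parse_log(SAMPLE_LOG)).items():
        print(key, info)
```

Feed it the syslog file the router writes to the PC instead of SAMPLE_LOG; a flow whose verdict is "dns-reply-leg" is the cue to capture in front of the router (hub or mirror port, as described earlier in the thread) and look for the outbound queries that the inside view never shows.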
deblin Dark Side of the Moon Premium,MVM join:2001-09-01 Middletown, DE
Glad you got things situated! Appreciate the follow-up, too, as I was curious what was going on.
druber
join:2000-04-11 Marlborough, MA
Boy, that was an odd one! Good job nailing it!
More Fiber Premium,MVM join:2005-09-26 West Chester, PA
reply to dhaselhorst
Thanks for posting back that you found the problem.
jordanair
join:2000-08-15 Wylie, TX
That was awesome troubleshooting, no finger pointing, just trying to resolve the issue. I applaud everyone involved. I enjoyed reading and learning from this post.