possible UDP attack on BIND?

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Posted by Waleed Hamra on Server Fault See other posts from Server Fault or by Waleed Hamra
Published on 2012-11-17T10:55:52Z Indexed on 2012/11/17 11:07 UTC
Read the original article Hit count: 333

Filed under:
|
|
|

hello everyone,

i was surprised last month when my EC2 instance (ubuntu precise server), that is supposed to be under the free tier still, accumulated lots of traffic... today, while checking my current billing statement, i noticed i already have tons of traffic, while still in the middle of the month, and i'm fearing what my bill by the end of the month is going to be...

i installed bandwidthd, and after few minutes, i noticed lots of UDP traffic to "108.162.233.15". this is apparently a cloudflare IP, and i don't have anything using cloudflare (as far as i know).

so i ran "iftop" to see what ports are being used, and i saw the UDP traffic coming from port 80 to my port 53... why would a webserver query dns?

so i stopped bind on my server, and ran it in foreground debugging mode, and saw the following query, being repeated continuously:

17-Nov-2012 12:30:58.216 client 108.162.233.15#80: UDP request
17-Nov-2012 12:30:58.216 client 108.162.233.15#80: request is not signed
17-Nov-2012 12:30:58.216 client 108.162.233.15#80: recursion available
17-Nov-2012 12:30:58.216 client 108.162.233.15#80: query
17-Nov-2012 12:30:58.216 client 108.162.233.15#80: query (cache) 'isc.org/ANY/IN' approved
17-Nov-2012 12:30:58.216 client 108.162.233.15#80: send
17-Nov-2012 12:30:58.216 client 108.162.233.15#80: sendto
17-Nov-2012 12:30:58.216 client 108.162.233.15#80: senddone
17-Nov-2012 12:30:58.217 client 108.162.233.15#80: next
17-Nov-2012 12:30:58.217 client 108.162.233.15#80: endrequest
17-Nov-2012 12:30:58.217 client @0x7fbee05126e0: udprecv
17-Nov-2012 12:30:58.343 client 108.162.233.15#80: UDP request
17-Nov-2012 12:30:58.343 client 108.162.233.15#80: request is not signed
17-Nov-2012 12:30:58.343 client 108.162.233.15#80: recursion available
17-Nov-2012 12:30:58.343 client 108.162.233.15#80: query
17-Nov-2012 12:30:58.343 client 108.162.233.15#80: query (cache) 'isc.org/ANY/IN' approved
17-Nov-2012 12:30:58.343 client 108.162.233.15#80: send
17-Nov-2012 12:30:58.344 client 108.162.233.15#80: sendto
17-Nov-2012 12:30:58.344 client 108.162.233.15#80: senddone
17-Nov-2012 12:30:58.344 client 108.162.233.15#80: next
17-Nov-2012 12:30:58.344 client 108.162.233.15#80: endrequest

my question is... is this normal? should i be worried? or is this completely irrelevant to my data charges, and i should wait to see more data from bandwidthd?

thank you in advance.

© Server Fault or respective owner

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Related posts about ubuntu

Related posts about amazon-ec2

Categories cloud

.NET ASP.NET iphone linux python Windows mysql android sql windows-7 html c ruby-on-rails css objective-c ubuntu networking sql-server wpf asp.net-mvc ruby database Xml apache AJAX osx security regex django Performance 12.04 windows-xp mac web-development iphone-sdk vb.net Silverlight apache2 flash server perl best-practices email installation eclipse visual-studio algorithm windows-server-2008 winforms wcf firefox bash dns /Oracle