UDP connection attempts
2006-07-19 09:39:11
Look,
first of all I block spoofed incoming packets on my external interface, so traffic from 127.0.0.0/8 cannot pass through it no matter the protocol they use, so spoofing for me is not the case.

When you say that it may be that my machine is trying to update its records, do you mean it tries to update the zone files my machine is hosting? cos my server runs only as a master server, and from what I know its records should be updated only when the administrator requests it through rndc or by restarting bind.
To give you a more thorough idea of my dns server, I allow some IPs to query it for any address, I allow the world to query me for my zones, I don't use forwarders, and I don't have a slave dns (though I should have).

As far as the third part of your mail is concerned, no, I don't have any other log files; the only firewall present in my network is on the server itself. There is of course a router between my server and my ISP, which only routes packets (no packet filtering whatsoever).

Thx for your answer,

mamalos

On Wed, 19 Jul 2006, Network Security wrote:

> It's UDP, so who the fuck knows where it's actually coming from. It
> might not originate from your machines.
>
> Remember, UDP packets destined to your address, with the return
> address of your same server, are a common way to both DoS and peek
> through a firewall. Is your log by chance suppressing duplicate
> entries?
>
> The other option is your machine may be attempting to update its
> DNS records. But it's not a connection oriented protocol, so you don't
> know who actually sent the packet.
>
> Do you have a router or other firewall log?
>
> -Brian
>
> Brian J. Brandon
> Network Security Consultant
> Los Angeles, California
> SecurityAdminHush.com
> Tel. No. 310.925.2987
> Fax. No. 325.204.7815
>
> Wednesday, July 19, 2006, 2:07:08 AM, you wrote:
>
> Hi everyone,
> I administer this 5.2.1 FreeBSD box which runs a few services, among
> which are bind and postfix. On the same box I run ipfw as a firewall, and
> have a default policy block for all incoming packets, except for those
> that are for ports 53 (tcp and udp) and 25 (tcp).
> I also have the following sysctl values enabled:
> net.inet.tcp.blackhole=2
> net.inet.udp.blackhole=1
> In my security logs I keep on getting the following messages:
> Jul 19 03:04:49 ns1 kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:52291
> Jul 19 03:25:56 ns1 kernel: Connection attempt to UDP myexternaladdress:52299 from myexternaladdress:53
> Jul 19 09:33:11 ns1 kernel: Connection attempt to UDP myexternaladdress:52316 from myexternaladdress:53
> Jul 19 10:28:32 ns1 kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:52328
> Jul 19 11:05:49 ns1 kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:52354
>
> I have googled these messages many times, but still haven't found a real
> explanation of why these messages occur. The way I see it is that there is
> no malicious behaviour behind these messages; most probably there's
> something that has to do with my firewall settings, and the keep state
> option.
> I present the excerpt from my firewall configuration file that relates to
> the dns incoming traffic:
> add 00389 allow udp from any to myexternaladdress 53 in via fxp0 keep-state
>
> I would be grateful if someone could explain to me why these messages
> keep showing, and if there is a way to prevent them from occurring in the
> future.
> Thank you all in advance,
>
> mamalos
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
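Added example, not from the thread or from any of its participants: a small Python classifier for kernel lines of the shape quoted above. It assumes 192.0.2.10 stands in for myexternaladdress and that the host's own addresses are known; it separates loopback-only noise (512/udp is the biff/comsat service) from self-addressed datagrams, which, as Brian notes, the log alone cannot attribute because UDP carries no handshake.

```python
import ipaddress
import re
from collections import Counter

# Shape of the kernel messages quoted in the thread, e.g.
#   "Jul 19 03:04:49 ns1 kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:52291"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: Connection attempt to "
    r"(?P<proto>TCP|UDP) (?P<dst>[\d.]+):(?P<dport>\d+) from (?P<src>[\d.]+):(?P<sport>\d+)$"
)
WELL_KNOWN_UDP = {53: "dns", 512: "biff/comsat"}  # IANA names for the ports seen in the log

def parse_line(line):
    """Parse one kernel line; return a dict, or None when it is not a blackhole message."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"], rec["sport"] = int(rec["dport"]), int(rec["sport"])
    return rec

def classify(rec, local_addrs):
    """Tag a parsed line by what it can tell a defender; for UDP the source is only a claim."""
    src, dst = ipaddress.ip_address(rec["src"]), ipaddress.ip_address(rec["dst"])
    service = WELL_KNOWN_UDP.get(rec["dport"], f"port{rec['dport']}")
    if src.is_loopback and dst.is_loopback:
        return "loopback:" + service  # never touched the wire: a local process hit a closed port
    if src.is_loopback:
        return "loopback-source-on-external-address"  # should not occur if anti-spoof rules hold
    if src == dst and src in local_addrs:
        # Our own address talking to itself. From port 53 this is a DNS answer to an
        # ephemeral port that no longer exists; a query the server sent itself whose
        # socket is gone looks identical to a forged-source datagram in this log.
        return "self-addressed-dns-reply" if rec["sport"] == 53 else "self-addressed-other"
    return "remote:" + service

def summarize(lines, local_addrs):
    """Count classifications over a batch of log lines; unparsable lines are skipped."""
    local = {ipaddress.ip_address(a) for a in local_addrs}
    return Counter(classify(r, local) for r in map(parse_line, lines) if r)

# Constructed sample: the thread's lines, with 192.0.2.10 standing in for "myexternaladdress".
SAMPLE_LINES = [
    "Jul 19 03:04:49 ns1 kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:52291",
    "Jul 19 03:25:56 ns1 kernel: Connection attempt to UDP 192.0.2.10:52299 from 192.0.2.10:53",
    "Jul 19 09:33:11 ns1 kernel: Connection attempt to UDP 192.0.2.10:52316 from 192.0.2.10:53",
    "Jul 19 10:28:32 ns1 kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:52328",
    "Jul 19 11:05:49 ns1 kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:52354",
]
```

Running summarize(SAMPLE_LINES, ["192.0.2.10"]) on the sample yields three "loopback:biff/comsat" and two "self-addressed-dns-reply" tags, so none of the five lines can be attributed to an outside host from the log alone.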
