DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

2820 DoS on nameservers

19 Sep 2013 10:06 #77724 by mtcsltd
2820 DoS on nameservers was created by mtcsltd
I keep getting notified every 5 minutes by a customer's 2820n router of a port scan from Zen's nameservers. Here's a sample..

2013/09/19 06:14:40 -- [DOS][Block][port_scan][212.23.3.100:53->82.69.23.100:24621][UDP][HLen=20, TLen=122]
2013/09/19 06:14:58 -- [DOS][Block][port_scan][212.23.3.100:53->82.69.23.100:24806][UDP][HLen=20, TLen=122]
2013/09/19 06:15:52 -- [DOS][Block][port_scan][212.23.3.100:53->82.69.23.100:25418][UDP][HLen=20, TLen=122]
2013/09/19 06:16:10 -- [DOS][Block][port_scan][212.23.3.100:53->82.69.23.100:25517][UDP][HLen=20, TLen=122]
2013/09/19 06:17:04 -- [DOS][Block][port_scan][212.23.3.100:53->82.69.23.100:26366][UDP][HLen=20, TLen=122]
2013/09/19 06:17:22 -- [DOS][Block][port_scan][212.23.3.100:53->82.69.23.100:26488][UDP][HLen=20, TLen=122]
2013/09/19 06:18:16 -- [DOS][Block][port_scan][212.23.3.100:53->82.69.23.100:27025][UDP][HLen=20, TLen=122]
2013/09/19 06:18:34 -- [DOS][Block][port_scan][212.23.3.100:53->82.69.23.100:27315][UDP][HLen=20, TLen=122]



I did a reverse lookup to see it was Zen's nameservers, and Zen is of course the customer's ISP. The router is on firmware 3.3.7.3_232201, which I believe is the latest version.
Is this a problem with the router, or is Zen doing something it shouldn't? How can I prevent this from being classed as an error without turning off port scan detection in the firewall entirely? It's currently set to 150 packets per second.

Thanks for any advice.
Mike

14 Oct 2013 13:32 #77968 by dbames
Replied by dbames on topic Re: 2820 DoS on nameservers
I am seeing exactly the same behaviour from my 2820Vn (firmware: 3.3.7.4_232201). So far it's generated 1880-odd emails over a few days. Often when no devices are powered on. No configuration changes have been made to the router since I put the firmware on - and that was a few months ago. Though this behaviour only began 2013/10/07 06:00:08. Router was last power-cycled 89 days ago, with an ADSL uptime >40 days.

My router is configured to use Google's DNS servers - one of which is 8.8.4.4 - rather than my ISP's.

Latest batch:
Code:
2013/10/14 13:24:21 -- [DOS][Block][port_scan][8.8.4.4:53->93.96.224.xxx:27672][UDP][HLen=20, TLen=122]
2013/10/14 13:24:23 -- [DOS][Block][port_scan][8.8.4.4:53->93.96.224.xxx:27736][UDP][HLen=20, TLen=114]
2013/10/14 13:24:25 -- [DOS][Block][port_scan][8.8.4.4:53->93.96.224.xxx:27766][UDP][HLen=20, TLen=120]
2013/10/14 13:24:43 -- [DOS][Block][port_scan][8.8.4.4:53->93.96.224.xxx:27984][UDP][HLen=20, TLen=114]
2013/10/14 13:24:45 -- [DOS][Block][port_scan][8.8.4.4:53->93.96.224.xxx:28048][UDP][HLen=20, TLen=120]
2013/10/14 13:25:41 -- [DOS][Block][port_scan][8.8.4.4:53->93.96.224.xxx:28508][UDP][HLen=20, TLen=122]
2013/10/14 13:26:01 -- [DOS][Block][port_scan][8.8.4.4:53->93.96.224.xxx:28626][UDP][HLen=20, TLen=122]
2013/10/14 13:26:03 -- [DOS][Block][port_scan][8.8.4.4:53->93.96.224.xxx:28672][UDP][HLen=20, TLen=114]
2013/10/14 13:26:05 -- [DOS][Block][port_scan][8.8.4.4:53->93.96.224.xxx:28684][UDP][HLen=20, TLen=120]

17 Oct 2013 13:40 #78003 by dbames
Replied by dbames on topic Re: 2820 DoS on nameservers
And still my router is generating these emails - though at a lesser rate. Getting pretty annoying now... :(

24 Oct 2013 14:37 #78058 by dbames
Replied by dbames on topic Re: 2820 DoS on nameservers
Since sending my router for reboot, I've not had any further emails from it. If they return maybe I'll have to consider a reboot schedule on it (hardly a "solution" though!).

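Added example, not part of the original thread and not DrayTek code: a small triage script for the `[DOS][Block][port_scan]` lines posted above. It groups blocks by source and marks a source as DNS-reply-like when it is a resolver the router is configured to use and every blocked packet is UDP from port 53. The resolver set passed in, the verdict labels and the last sample line are assumptions made for the example.

```python
import re
from collections import defaultdict

# Matches the DoS-defence log lines quoted in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) -- "
    r"\[DOS\]\[(?P<action>\w+)\]\[(?P<rule>\w+)\]"
    r"\[(?P<src>[\d.x]+):(?P<sport>\d+)->(?P<dst>[\d.x]+):(?P<dport>\d+)\]"
    r"\[(?P<proto>\w+)\]\[HLen=(?P<hlen>\d+), TLen=(?P<tlen>\d+)\]$"
)

def parse(text):
    """Yield one dict per recognised log line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def triage(text, resolvers):
    """Group port_scan blocks by source address and label each source.

    'dns-reply-like': the source is a configured resolver and every blocked
    packet from it is UDP with source port 53. Anything else is 'review'.
    """
    by_src = defaultdict(list)
    for ev in parse(text):
        if ev["rule"] == "port_scan":
            by_src[ev["src"]].append(ev)
    report = {}
    for src, evs in by_src.items():
        dns_like = src in resolvers and all(
            e["proto"] == "UDP" and e["sport"] == "53" for e in evs)
        report[src] = {
            "count": len(evs),
            "dst_ports": len({e["dport"] for e in evs}),
            "verdict": "dns-reply-like" if dns_like else "review",
        }
    return report

# Constructed sample: three lines copied from the thread plus one invented
# line (198.51.100.7 is a documentation address) to exercise the 'review' path.
SAMPLE = """\
2013/09/19 06:14:40 -- [DOS][Block][port_scan][212.23.3.100:53->82.69.23.100:24621][UDP][HLen=20, TLen=122]
2013/10/14 13:24:21 -- [DOS][Block][port_scan][8.8.4.4:53->93.96.224.xxx:27672][UDP][HLen=20, TLen=122]
2013/10/14 13:24:23 -- [DOS][Block][port_scan][8.8.4.4:53->93.96.224.xxx:27736][UDP][HLen=20, TLen=114]
2013/10/14 13:30:00 -- [DOS][Block][port_scan][198.51.100.7:4444->93.96.224.xxx:22][TCP][HLen=20, TLen=60]
"""

if __name__ == "__main__":
    # Resolver set is an assumption: fill in the DNS servers set on the router.
    for src, info in triage(SAMPLE, {"212.23.3.100", "8.8.4.4"}).items():
        print(src, info)
```

Sources that come back as `review` are the ones worth a closer look; the script only sorts the alert mail and does not change what the router blocks.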