8 Replies Latest reply: May 1, 2014 12:41 PM by MaxPat

    UDP: Port Scan alert generated for DNS traffic

    MaxPat

      Hello:

      NSP is presenting this alert sometimes; when a DNS request is generated from a host, it returns this error:

      I masked the IPs, but the source IP is the DNS server.

      I understand this is the intended behavior, but is there a fix for this?


        • 1. Re: UDP: Port Scan alert generated for DNS traffic
          tjaynes

          Check the thresholds set on the UDP: Port Scan alert/signature. If it's too low, then a few simple DNS queries (which run over UDP) will trigger it. You can always bring that threshold up if there are known systems within your environment that trigger this signature. You can also filter out your DNS system, since this is typically intended network traffic.

          • 2. Re: UDP: Port Scan alert generated for DNS traffic
            vigie

            We have the same problem: answers from the DNS server are seen as a UDP port scan to a specific host. Src port is always 53. I understand that this is a false positive - it's legitimate DNS traffic - but it seems that NSP doesn't see the whole DNS communication and considers the answers of the DNS server as UDP port scan communication.

            I don't think it's normal behavior. Could it be due to a limitation of supported connections on the NSP?

            Any other thoughts?

            • 3. Re: UDP: Port Scan alert generated for DNS traffic
              tjaynes

              Vigie,

              Is this occurring on one sensor, or on multiple/all of your sensors? Did you just install these sensors? And what is the specific host that your DNS server is responding to? Is it known to have this much communication with your DNS server?

              • 4. Re: UDP: Port Scan alert generated for DNS traffic
                vigie

                Yes, the sensor has been installed for a couple of weeks - we've seen this behavior during fine-tuning. So, we see alerts with source port 53 and destination high ports (1024+) to clients / PCs / servers. Yes, the DNS server is heavily used. I definitely understand that we see answers to DNS requests.

                We checked the flows of the IPS and we are far from its maximum capacity:

                 Active TCP Flows: 29447
                 Total Syn Cookie Proxied Connections: 0
                 Total flows processed since last device reboot: 1856333882
                 Syn Cookie Inbound Status: InActive
                 Flows In SYN State: 5577
                 Flows In Time wait State: 5349
                 Maximum flows Supported: 782828
                 Active UDP Flows: 29234
                 TCP Inactive Flows Count: 564930
                 Free Flows: 718522
                 Syn Cookie Outbound Status: InActive
                 TCP Timed Out Flows Count: 699762942

                I see two possibilities:

                - The IPS is in SPAN mode and receives traffic from multiple VLANs. It could be possible that one flow is inspected twice (source VLAN and destination VLAN are both inspected) => the IPS doesn't like this since it has to keep state and it only sees one side of the communication for specific flows.

                - The IPS receives traffic / VLANs through an aggregator from core switches. For an obvious reason, if not all VLAN traffic is forwarded to the aggregator, it could be possible that the IPS sees only one side of the communication (answer and not request).

                • 5. Re: UDP: Port Scan alert generated for DNS traffic
                  tjaynes

                  What are your threshold settings for the recon sig (UDP: Port Scan)? As far as I can tell the rule doesn't specify/fire on whether the destination responds or not. Also, I don't believe this rule falls under the recon DoS profiling, so a DoS profile rebuild wouldn't fix this issue.

                  • 6. Re: UDP: Port Scan alert generated for DNS traffic
                    vigie

                    Thresholds are the defaults. But anyway, do you agree that the IPS keeps a state table and knows what the current connections are? Therefore, it shouldn't flag the DNS answer from the server as a UDP scan or UDP sweep. Correct?

                    • 7. Re: UDP: Port Scan alert generated for DNS traffic
                      tjaynes

                      "As far as I can tell the rule doesn't specify/fire if the destination responds or not." Since this is UDP, I don't think the rule triggers on "if multiple responses are seen"; it triggers on a source scanning UDP ports regardless of the destination responding to the scan.

                       

                      This is how I interpret what the Rule Description says:

                       

                      "A client sends a UDP datagram. If the target port is open, the server sends no response. If the target port is closed, the server responds with an ICMP port unreachable response. An alarm is raised if a set threshold of UDP packets sent to destination port is exceeded in a specified period of time. You can set a threshold for this attack by editing Reconnaissance Policy settings."

                      • 8. Re: UDP: Port Scan alert generated for DNS traffic
                        MaxPat

                        You can set a threshold limitation.

                        I tried this and it worked.

                        Be careful with these settings if you have published DNS servers, because DNS is widely used for DoS and DDoS attacks.
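To make the behaviour discussed in replies 4, 7 and 8 concrete, here is an added Python sketch (not part of the thread and not NSP's own signature logic) that models a stateless count of distinct UDP destination ports per source/destination pair, as the quoted rule description suggests, beside a variant that does not count packets answering an already-seen request. The flows, the threshold of 20 and the 10 s window are constructed assumptions, not NSP defaults.

```python
from collections import defaultdict

# Constructed sample: one client resolving 25 names, each request from a fresh
# ephemeral port to the DNS server on UDP/53, and the server's 25 answers.
CLIENT, DNS = "10.0.0.50", "10.0.0.10"
REQUESTS = [(i * 0.1, CLIENT, 40000 + i, DNS, 53) for i in range(25)]
RESPONSES = [(i * 0.1 + 0.01, DNS, 53, CLIENT, 40000 + i) for i in range(25)]

def stateless_udp_scan(flows, threshold=20, window=10.0):
    """Count distinct UDP destination ports per (src, dst) pair inside a
    sliding window, the way the recon signature text in reply 7 reads.
    Returns the set of (src, dst) pairs that reached the threshold."""
    seen = defaultdict(list)   # (src, dst) -> [(ts, dport), ...]
    alerts = set()
    for ts, src, sport, dst, dport in sorted(flows):
        hist = [(t, p) for t, p in seen[(src, dst)] if ts - t <= window]
        hist.append((ts, dport))
        seen[(src, dst)] = hist
        if len({p for _, p in hist}) >= threshold:
            alerts.add((src, dst))
    return alerts

def stateful_udp_scan(flows, threshold=20, window=10.0):
    """Same count, but a packet whose reverse 4-tuple matches an outstanding
    request is treated as a reply and is not counted as a probe."""
    pending = set()            # (src, sport, dst, dport) of requests awaiting a reply
    seen = defaultdict(list)
    alerts = set()
    for ts, src, sport, dst, dport in sorted(flows):
        reverse = (dst, dport, src, sport)
        if reverse in pending:
            pending.discard(reverse)   # matched reply: consume state, skip
            continue
        pending.add((src, sport, dst, dport))
        hist = [(t, p) for t, p in seen[(src, dst)] if ts - t <= window]
        hist.append((ts, dport))
        seen[(src, dst)] = hist
        if len({p for _, p in hist}) >= threshold:
            alerts.add((src, dst))
    return alerts

if __name__ == "__main__":
    both = REQUESTS + RESPONSES
    print("stateless, both directions:", stateless_udp_scan(both))
    print("stateful, both directions: ", stateful_udp_scan(both))
    print("stateful, replies only:    ", stateful_udp_scan(RESPONSES))
    print("stateless, threshold 30:   ", stateless_udp_scan(both, threshold=30))
```

The "replies only" run reproduces the one-sided visibility hypothesis from reply 4: with the requests missing, even the stateful counter sees the DNS server fanning out to 25 ephemeral ports and alerts, while raising the threshold above the client's query rate silences the stateless counter as in reply 8.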