Quote:
Originally Posted by magpie17
I searched & found that It might be an attack. is that right ? if so, how to prevent it ?
thanks in advance
I have a vague and distant feeling that I have heard of some such (in fact it might be an attempt to exploit the Kaminsky flaw, which should be long patched and out of the way), but it probably isn't necessary to get bogged down in the details. Something unpleasant happening on port 53, make sure it doesn't go any further.
Quote:
Originally Posted by magpie17
P.S: no process is listening on port 53 (tcp or udp)
Err, that's one way of protecting against this attack. It isn't, on its own, the absolute safest thing to do (which I get the impression that you know, but we've arrived here 'by accident').
Conventionally, port 53 is used for DNS traffic. It sounds as if this box has no need for DNS traffic, so block it off with iptables (on this box), or maybe by firewalling somewhere else (if this is, e.g., traffic coming from the outside world, and you have a perimeter firewall, you might also have the option of dropping the traffic there... if it is internal traffic, then you should probably ask serious questions about why this is happening before proceeding).
It is unclear how you get your firewall ruleset, so I'll assume that you have mastery of that part, unless you add some further information.
At this point, I would say that the danger is that some time further down the line, when you have forgotten all about this incident, you do do something that opens up port 53. Even that probably isn't enough, on its own, to turn this into an immediate and serious problem. So, whatever you do, document it so that neither you nor your successor does something that turns this irritation into a very significant issue.
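As an added illustration of the "block it off with iptables (on this box)" suggestion above (example code, not from the original post or its author): the script below first confirms that nothing is bound to port 53, then emits host-local rules that drop unsolicited inbound DNS while still allowing replies to the box's own outbound lookups. It assumes iproute2 `ss` and an iptables front end (legacy or nf_tables backend) with the conntrack and limit matches; the `ss` sample embedded in it is constructed for the offline check, and `APPLY_DNS_RULES` is a hypothetical switch, not a standard variable.

```shell
#!/bin/sh
# Added example, not part of the original post: audit for anything listening
# on port 53 and generate host-local iptables rules that drop unsolicited DNS.
# Assumes iproute2 `ss` and an iptables front end (legacy or nf_tables) that
# supports the conntrack and limit matches.

# Constructed sample of `ss -lntuH` output (no header), used for the offline
# check below; on a live box pipe the real command into port53_listeners.
SAMPLE_SS='udp   UNCONN 0      0            0.0.0.0:53        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
udp   UNCONN 0      0               [::]:5353         [::]:*'

# Print every listening socket bound to port 53 (TCP or UDP, v4 or v6).
# Reads socket rows on stdin; field 5 is Local Address:Port, so take the text
# after the last colon to cope with IPv6 literals like [::]:53.
port53_listeners() {
    awk '{ n = split($5, a, ":"); if (a[n] == "53") print }'
}

# Emit the rules rather than applying them, so they can be reviewed,
# documented and dropped into whatever generates the live ruleset.
# Replies to this host's own outbound lookups are still accepted via
# conntrack; only inbound attempts to open a new DNS conversation are
# logged (rate limited, so a flood cannot fill the log) and then dropped.
dns_block_rules() {
    cat <<'EOF'
iptables -w -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -w -A INPUT -p udp --dport 53 -m conntrack --ctstate NEW \
    -m limit --limit 5/min -j LOG --log-prefix "DROP unsolicited DNS: "
iptables -w -A INPUT -p udp --dport 53 -m conntrack --ctstate NEW -j DROP
iptables -w -A INPUT -p tcp --dport 53 -m conntrack --ctstate NEW \
    -m limit --limit 5/min -j LOG --log-prefix "DROP unsolicited DNS: "
iptables -w -A INPUT -p tcp --dport 53 -m conntrack --ctstate NEW -j DROP
EOF
}

# Number of port-53 listeners in the constructed sample (the udp row only;
# the mDNS socket on 5353 must not match).
sample_listener_count() {
    printf '%s\n' "$SAMPLE_SS" | port53_listeners | awk 'END { print NR }'
}

# Apply only when explicitly asked (hypothetical switch) and running as root;
# otherwise just print the rules for review.
if [ "${APPLY_DNS_RULES:-0}" = "1" ] && [ "$(id -u)" = "0" ]; then
    dns_block_rules | sh -e
else
    dns_block_rules
fi
```

On the real box, `ss -lntuH | port53_listeners` should print nothing before the rules go in. The DROP (rather than REJECT) means a probe gets neither a DNS answer nor the ICMP port-unreachable the kernel would otherwise send, and the rate-limited LOG line records the source so that, if the traffic turns out to be internal, there is something to chase when asking why it is happening.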