LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 05-08-2015, 03:13 AM   #1
magpie17
LQ Newbie
 
Registered: May 2015
Posts: 1

Rep: Reputation: Disabled
UDP: bad checksum on port 53


Hi,
using debian 7 (as server), I'm getting a lot of bad checksum errors in syslog (on port 53)

Code:
May  8 01:28:21 *** kernel: [ 3111.047686] UDP: bad checksum. From *.*.*.*:28986 to *.*.*.*:53 ulen 53
May  8 01:28:22 *** kernel: [ 3111.622675] UDP: bad checksum. From *.*.*.*:29078 to *.*.*.*:53 ulen 49
May  8 01:28:22 *** kernel: [ 3111.623165] UDP: bad checksum. From *.*.*.*:65256 to *.*.*.*:53 ulen 49
May  8 01:28:23 *** kernel: [ 3112.786033] UDP: bad checksum. From *.*.*.*:53202 to *.*.*.*:53 ulen 55
May  8 01:28:24 *** kernel: [ 3114.092479] UDP: bad checksum. From *.*.*.*:6454 to *.*.*.*:53 ulen 49
I searched & found that It might be an attack. is that right ? if so, how to prevent it ?
thanks in advance

P.S: no process is listening on port 53 (tcp or udp)
 
Old 05-08-2015, 04:27 AM   #2
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,070

Rep: Reputation: 897Reputation: 897Reputation: 897Reputation: 897Reputation: 897Reputation: 897Reputation: 897
Quote:
Originally Posted by magpie17 View Post

I searched & found that It might be an attack. is that right ? if so, how to prevent it ?
thanks in advance
I have a vague and distant feeling that I have heard of some such (in fact it might be an attempt to exploit the Kaminsky flaw, which should be long patched and out of the way), but it probably isn't necessary to get bogged down in the details. Something unpleasant happening on port 53, make sure it doesn't go any further.

Quote:
Originally Posted by magpie17 View Post
P.S: no process is listening on port 53 (tcp or udp)
Err, that's one way of protecting against this attack. It isn't, on its own, the absolute safest thing to do (which I get the impression that you know, but we've arrived here 'by accident').

Conventionally, port 53 is used for DNS traffic. It sounds as if this box has no need for DNS traffic, so block it off with iptables (on this box), or maybe by firewalling somewhere else (if this is, eg, traffic coming from the outside world, and you have a perimeter firewall, you might also have the option of dropping the traffic there...if it is internal traffic, then you should probably ask serious questions about why this is happening before proceeding).

It is unclear how you get your firewall ruleset, so I'll assume that you have mastery of that part, unless you add some further information.

At this point, I would say that the danger is that some time further down the line, when you have forgotten all about this incident, you do do something that opens up port 53. Even that probably isn't enough, on its own, to turn this in to an immediate and serious problem. So, whatever you do, document it so that either you or your successor doesn't do something that turns this irritation into a very significant issue.
 
Old 05-08-2015, 02:31 PM   #3
jefro
Moderator
 
Registered: Mar 2008
Posts: 22,105

Rep: Reputation: 3638Reputation: 3638Reputation: 3638Reputation: 3638Reputation: 3638Reputation: 3638Reputation: 3638Reputation: 3638Reputation: 3638Reputation: 3638Reputation: 3638
Either attack, faulty processing time, or checksum offloading.

http://translate.google.com/translat...48&prev=search

Decide if it is part of an internal attack in progress. Might boot to some live media and see if this continues.

More likely that you are a victim of the constant automated hackers. Iptables may help. Using as many best practices as you can to help reduce risk.

Last edited by jefro; 05-08-2015 at 02:33 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] UDP: bad checksum. From x.x.x.x:1234 to y.y.y.y:1234 ulen 100 vdx Linux - Networking 3 11-30-2013 03:43 AM
UDP Checksum Algorithm mattd9 Linux - Networking 5 11-24-2010 05:02 AM
Enable UDP checksum rafismx Linux - Newbie 0 02-29-2008 06:44 PM
UDP checksum icortazar3 Linux - Networking 1 12-19-2007 02:13 AM
UDP: Short Packets: and UDP bad checksum: entries in dmesg minutes2memories Linux - Networking 2 02-26-2006 07:28 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 01:38 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration