Linux - Security
I am fairly new to running web services on a VPS but have set up three in the past few months and so far so good.
I watch things very closely and have become fairly confident in my ability to understand my traffic and logs.
Most bots, probes and other anal traffic I recognize and manage as well as can be. But I have begun to see an ICMP packet that I do not understand and have not been able to find much help with through searches. I do not see them with great frequency, but I do see them on all my VPS web interfaces.
It is an ICMP "reply" to a non-existent DNS query as far as I can tell:
My first guess is that it is some reconnaissance probe such as discussed here, but if so I do not see how it would work, as it would elicit no response as far as I know.
The other likely possibility I can see is that someone is spoofing my IP as the source when probing other sites, so I receive the response. But that does not benefit the actual sender and is poor as a DDoS attack as far as I can see.
Am I missing something? Or can someone add to, or correct, my understanding of these packets, please?
It looks to me like DNS is being blocked. The VPS provider probably requires that your VPS instance use their DNS caching server for lookups instead of recursing it yourself.
The problem is that there was no outgoing DNS request from my VPS interface to result in the ICMP response. In other words, all I ever see is the "response" which makes me think that my address is being spoofed in a DNS request sent from somewhere else.
Just to be sure that I was not unintentionally filtering some originating DNS request, I have been running a capture of everything except my own ssh session and just saw this one...
Code:
10:58:59.541656 IP (tos 0x0, ttl 48, id 184, offset 0, flags [none], proto ICMP (1), length 86)
oo.oo.oo.oo > xx.xx.xx.xx: ICMP oo.oo.oo.oo udp port 11326 unreachable, length 66
IP (tos 0x0, ttl 243, id 17, offset 0, flags [none], proto UDP (17), length 58)
xx.xx.xx.xx.50994 > oo.oo.oo.oo.11326: [udp sum ok] UDP, length 30
0x0000: 4500 0056 00b8 0000 3001 6bb6 6ff8 4102 E..V....0.k.o.A.
0x0010: 2d38 4007 0303 1b6e 0000 0000 4500
oo.oo.oo.oo = Src IP
xx.xx.xx.xx = VPS IP
So it is not only in "response" to DNS requests, but more like port scanning.
But there is no "originating" outgoing packet corresponding to this ICMP response.
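The capture above is an ICMP type 3 code 3 (destination unreachable, port unreachable) whose payload quotes the IP and UDP header of the datagram the remote host claims to have received from the VPS. The following Python is an added example, not code from the original post: it rebuilds a packet with the same field values as the quoted tcpdump output (outer ttl 48, id 184, length 86; inner ttl 243, id 17, length 58; UDP 50994 -> 11326 with a 30-byte payload), parses it, and applies the two checks a practitioner would run on such an error: does the quoted flow match anything this host actually sent, and could the quoted TTL have come from this host at all? The packet bytes and the RFC 5737 addresses standing in for the redacted oo.oo.oo.oo / xx.xx.xx.xx are constructed here; the function names are this example's own.

```python
"""Parse an ICMP "port unreachable" error and check whether the quoted
datagram could have been sent by this host.

Added example for this thread, not the original poster's code.  The sample
packet is CONSTRUCTED to match the field values in the quoted tcpdump
output; the addresses are RFC 5737 documentation addresses."""
import ipaddress
import struct

IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")   # 20-byte header, no options
ICMP_HDR = struct.Struct("!BBHHH")          # type, code, checksum, 4 unused bytes
UDP_HDR = struct.Struct("!HHHH")            # sport, dport, length, checksum

ICMP_DEST_UNREACH = 3
ICMP_PORT_UNREACH = 3
LINUX_DEFAULT_TTL = 64   # net.ipv4.ip_default_ttl on a stock Linux VPS


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (IPv4 and ICMP headers)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl, ident):
    hdr = IPV4_HDR.pack(0x45, 0, IPV4_HDR.size + payload_len, ident, 0, ttl, proto, 0,
                        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_port_unreachable(router, victim, sport, dport, ttl_outer, ttl_inner,
                           id_outer, id_inner, payload):
    """Constructed sample: the error `router` sends back to `victim` when a UDP
    datagram victim:sport -> router:dport arrives for a closed port."""
    udp = UDP_HDR.pack(sport, dport, UDP_HDR.size + len(payload), 0) + payload  # UDP csum 0 = none
    inner = ipv4_header(victim, router, 17, len(udp), ttl_inner, id_inner) + udp
    icmp = ICMP_HDR.pack(ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0, 0, 0) + inner
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return ipv4_header(router, victim, 1, len(icmp), ttl_outer, id_outer) + icmp


def parse_port_unreachable(pkt: bytes) -> dict:
    """Decode outer IP + ICMP and the quoted inner IP/UDP headers."""
    vihl, _, total_len, ident, _, ttl, proto, _, src, dst = IPV4_HDR.unpack_from(pkt, 0)
    if vihl >> 4 != 4 or proto != 1:
        raise ValueError("not an IPv4/ICMP packet")
    icmp = pkt[(vihl & 0x0F) * 4:total_len]
    if inet_checksum(icmp) != 0:            # a valid checksum verifies to zero
        raise ValueError("bad ICMP checksum")
    typ, code, _, _, _ = ICMP_HDR.unpack_from(icmp, 0)
    if (typ, code) != (ICMP_DEST_UNREACH, ICMP_PORT_UNREACH):
        raise ValueError(f"ICMP type {typ} code {code} is not port unreachable")
    inner = icmp[ICMP_HDR.size:]
    ivihl, _, ilen, iid, _, ittl, iproto, _, isrc, idst = IPV4_HDR.unpack_from(inner, 0)
    if iproto != 17:
        raise ValueError("quoted packet is not UDP")
    sport, dport, ulen, _ = UDP_HDR.unpack_from(inner, (ivihl & 0x0F) * 4)
    return {"from": str(ipaddress.IPv4Address(src)), "to": str(ipaddress.IPv4Address(dst)),
            "outer_ttl": ttl, "outer_id": ident,
            "quoted_src": str(ipaddress.IPv4Address(isrc)),
            "quoted_dst": str(ipaddress.IPv4Address(idst)),
            "quoted_ttl": ittl, "quoted_id": iid, "quoted_len": ilen,
            "sport": sport, "dport": dport, "udp_len": ulen}


def classify(info: dict, my_ip: str, sent_flows: set) -> str:
    """`sent_flows` holds (src_port, dst_ip, dst_port) UDP flows this host really
    originated (from conntrack, a capture, or the application).  An error that
    quotes nothing we sent, with a TTL our stack cannot produce, is a reply to a
    packet someone else sent with our address as the source."""
    if info["quoted_src"] != my_ip:
        return "misdelivered: quoted packet is not from us"
    if (info["sport"], info["quoted_dst"], info["dport"]) in sent_flows:
        return "legitimate: matches a flow we sent"
    reasons = ["no matching outbound flow"]
    if info["quoted_ttl"] > LINUX_DEFAULT_TTL:
        reasons.append(f"quoted ttl {info['quoted_ttl']} exceeds our initial ttl {LINUX_DEFAULT_TTL}")
    if info["from"] != info["quoted_dst"]:
        reasons.append("error did not come from the quoted destination")
    return "spoofed source: " + "; ".join(reasons)


ROUTER = "192.0.2.10"    # stands in for oo.oo.oo.oo (constructed)
VPS = "198.51.100.7"     # stands in for xx.xx.xx.xx (constructed)
SAMPLE = build_port_unreachable(ROUTER, VPS, 50994, 11326, ttl_outer=48, ttl_inner=243,
                                id_outer=184, id_inner=17, payload=b"\x00" * 30)


def analyze_sample():
    info = parse_port_unreachable(SAMPLE)
    # Empty set: this host recorded no outbound 50994 -> 192.0.2.10:11326 datagram.
    return info, classify(info, VPS, sent_flows=set())


if __name__ == "__main__":
    info, verdict = analyze_sample()
    print(info)
    print(verdict)
```

The quoted TTL is the telling field: a stock Linux host starts packets at 64, so a remote that received the datagram with TTL 243 got it from a sender whose initial TTL was at least 244, which cannot have been this VPS. On a live box the same errors can be isolated with `tcpdump -nvi eth0 'icmp[icmptype] = icmp-unreach and icmp[icmpcode] = 3'`, and `sent_flows` would be filled from the host's own capture or conntrack table rather than an empty set.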
Just so you know:
1. some ISPs scan their network. Comcast does this in my area.
2. some breakers (media calls them 'hackers' because they are ignorant of the true meaning) also do this. If they are discovered, the ISP may block them. (Do not count on that; many ISPs do not care as long as the check clears the bank.)
I routinely block such, and run services on non-standard ports. It helps, somewhat.