Excessive Outbound DNS Traffic

Posted by user1318414 on Server Fault See other posts from Server Fault or by user1318414
Published on 2012-04-06T23:51:30Z Indexed on 2012/04/09 17:37 UTC
Read the original article Hit count: 279

Filed under:
|
|

I have a VPS system which I have had for 3 years on one host without issue. Recently, the host started sending an extreme amount of outbound DNS traffic to 31.193.132.138. Due to the way that Linode responded to this, I have recently left Linode and moved to 6sync. The server was completely rebuilt on 6sync with the exception of postfix mail configurations.

Currently, the daemons run are as follows:

sshd nginx postfix dovecot

php5-fpm (localhost only) spampd (localhost only) clamsmtpd (localhost only)

Given that the server was 100% rebuilt, I can't find any serious exploits against the above stated daemons, passwords have changed, ssh keys don't even exist on the rebuild yet, etc... it seems extremely unlikely that this is a compromise which is being used to DoS the address.

The provided IP is noted online as a known SPAM source. My initial assumption was that it was attempting to use my postfix server as a relay, and the bogus addresses it was providing were domains with that IP registered as their nameservers. I would imagine given my postfix configuration that DNS queries for things such as SPF information would come in with equal or greater amount than the number of attempted spam e-mails sent.

Both Linode and 6Sync have said that the outbound traffic is extremely disproportionate. The following is all the information I received from Linode regarding the outbound traffic:

21:28:28.647263 IP 97.107.134.33.32775 > 31.193.132.138.53: 28720 op8+% [b2&3=0x4134] [17267a] [30550q] [28773n] [14673au][|domain]
21:28:28.647264 IP 97.107.134.33 > 31.193.132.138: udp
21:28:28.647264 IP 97.107.134.33.32775 > 31.193.132.138.53: 28720 op8+% [b2&3=0x4134] [17267a] [30550q] [28773n] [14673au][|domain]
21:28:28.647265 IP 97.107.134.33 > 31.193.132.138: udp
21:28:28.647265 IP 97.107.134.33.32775 > 31.193.132.138.53: 28720 op8+% [b2&3=0x4134] [17267a] [30550q] [28773n] [14673au][|domain]
21:28:28.647266 IP 97.107.134.33 > 31.193.132.138: udp

6sync cannot confirm whether or not the recent spike in outbound traffic was to the same IP or over DNS, but I have presumed as such. For now my server is blocking the entire 31.0.0.0/8 subnet to help deter this while I figure it out.

Anyone have any idea what is going on?

© Server Fault or respective owner

Related posts about dns

Related posts about dos