Community discussions

MikroTik App
 
apestalménos
just joined
Topic Author
Posts: 14
Joined: Wed Sep 16, 2020 8:22 pm

Port 53 attack

Fri Apr 23, 2021 3:03 am

Can anyone explain what kind of attack this is? How could an attacker discover my router's local private DNS address given router's outbound traffic is NATed via a masquerade rule? My firewall is blocking this traffic, but I'm currious.

Drop_WAN_Input input: in:ether1 out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 111.7.96.178:36152->10.0.0.1:53, NAT 111.7.96.178:36152->(xx.xxx.xxx.xxx:53->10.0.0.1:53), len 52

Thanks
 
User avatar
karlisi
Member
Member
Posts: 437
Joined: Mon May 31, 2004 8:09 am
Location: Latvia

Re: Port 53 attack  [SOLVED]

Fri Apr 23, 2021 9:01 am

Attacker targets router's public address (screened part in log entry), and NAT translates this request to private - 111.7.96.178:36152->10.0.0.1:53, NAT 111.7.96.178:36152->(xx.xxx.xxx.xxx:53->10.0.0.1:53). Attacker don't see internal IP, if request would be answered, it's source IP would be router's public IP.
 
lufer
just joined
Posts: 7
Joined: Wed Apr 14, 2021 5:54 pm
Location: Valencia, Spain
Contact:

Re: Port 53 attack

Fri Apr 23, 2021 9:20 am

They dont really see the private IP they're attacking, its the router who brings the data to the port redirect.
 
apestalménos
just joined
Topic Author
Posts: 14
Joined: Wed Sep 16, 2020 8:22 pm

Re: Port 53 attack

Fri Apr 23, 2021 3:14 pm

Thanks. That explains it.

Who is online

Users browsing this forum: Guntis, Josephny, svmk and 89 guests