 
quark
just joined
Topic Author
Posts: 2
Joined: Tue Apr 22, 2014 2:01 pm

Huge log file

Tue Apr 22, 2014 2:14 pm

Hello,

I started to log packets, and in my log file I found thousands of lines like these:
dns,packet pack: <iorr.ru:A:27894=123.123.123.156> 2014-04-22 13:52
dns,packet pack: <iorr.ru:A:27894=123.123.123.179> 2014-04-22 13:52
dns,packet pack: <iorr.ru:A:27894=123.123.123.27> 2014-04-22 13:52
dns,packet pack: <iorr.ru:A:27894=123.123.123.57> 2014-04-22 13:52
dns,packet pack: <iorr.ru:A:27894=123.123.123.145> 2014-04-22 13:52
dns,packet pack: <iorr.ru:A:27894=123.123.123.185> 2014-04-22 13:52
dns,packet pack: <iorr.ru:A:27894=123.123.123.150> 2014-04-22 13:52
dns,packet pack: <iorr.ru:A:27894=123.123.123.215> 2014-04-22 13:52
dns,packet pack: <iorr.ru:A:27894=123.123.123.24> 2014-04-22 13:52
dns,packet pack: <iorr.ru:NS:27894=ns1.reg.ru> 2014-04-22 13:52
dns,packet pack: <iorr.ru:A:27894=123.123.123.8> 2014-04-22 13:52
dns,packet pack: <iorr.ru:NS:27894=ns2.reg.ru> 2014-04-22 13:52
dns,packet pack: authority: 2014-04-22 13:52
dns,packet pack: <iorr.ru:NS:27894=ns1.reg.ru> 2014-04-22 13:52
dns,packet pack: <iorr.ru:NS:27894=ns2.reg.ru> 2014-04-22 13:52
dns,packet pack: --- got query from 91.109.3.170:5153: 2014-04-22 13:52
dns,packet pack: id:f064 rd:1 tc:0 aa:0 qr:0 ra:0 QUERY 'no error' 2014-04-22 13:52
dns,packet pack: question: iorr.ru:ALL:IN 2014-04-22 13:52
dns,packet pack: additional: 2014-04-22 13:52
dns,packet pack: <:UNKNOWN (41):0=rawbytes:0> 2014-04-22 13:52
dns,packet pack: --- sending reply to 91.109.3.170:5153: 2014-04-22 13:52
dns,packet pack: id:f064 rd:1 tc:0 aa:0 qr:1 ra:1 QUERY 'no error' 2014-04-22 13:52
dns,packet pack: question: iorr.ru:ALL:IN 2014-04-22 13:52
dns,packet pack: answer: 2014-04-22 13:52
dns,packet pack: <iorr.ru:A:27894=123.123.123.154> 2014-04-22 13:52
dns,packet pack: <iorr.ru:A:27894=123.123.123.84> 2014-04-22 13:52
dns,packet pack: <iorr.ru:A:27894=123.123.123.75> 2014-04-22 13:52
dns,packet pack: <iorr.ru:A:27894=123.123.123.217> 2014-04-22 13:52
dns,packet pack: <iorr.ru:A:27894=123.123.123.101> 2014-04-22 13:52
dns,packet pack: <iorr.ru:A:27894=123.123.123.91> 2014-04-22 13:52
dns,packet pack: <iorr.ru:A:27894=123.123.123.220> 2014-04-22 13:52
dns,packet pack: <iorr.ru:A:27894=123.123.123.12> 2014-04-22 13:52
dns,packet pack: <iorr.ru:A:27894=123.123.123.155> 2014-04-22 13:52
dns,packet pack: <iorr.ru:A:27894=123.123.123.129> 2014-04-22 13:52
dns,packet pack: <iorr.ru:A:27894=123.123.123.67> 2014-04-22 13:52
dns,packet pack: <iorr.ru:SOA:27894=serial:1398061729 refresh:14400 retry:3600 expire:604800 min:43200 > 2014-04-22 13:52
dns,packet pack: <iorr.ru:A:27894=123.123.123.236> 2014-04-22 13:52
dns,packet pack: <iorr.ru:A:27894=123.123.123.77> 2014-04-22 13:52
dns,packet pack: <iorr.ru:A:27894=123.123.123.43> 2014-04-22 13:52
dns,packet pack: <iorr.ru:A:27894=123.123.123.182> 2014-04-22 13:52
dns,packet pack: <iorr.ru:A:27894=123.123.123.235> 2014-04-22 13:52
dns,packet pack: <iorr.ru:A:27894=123.123.123.131> 2014-04-22 13:52
dns,packet pack: <iorr.ru:A:27894=123.123.123.139> 2014-04-22 13:52
dns,packet pack: <iorr.ru:A:27894=123.123.123.96> 2014-04-22 13:52
...
dns,packet pack: <iorr.ru:A:27110=123.123.123.117> 2014-04-22 14:05
dns,packet pack: <iorr.ru:A:27110=123.123.123.146> 2014-04-22 14:05
dns,packet pack: <iorr.ru:A:27110=123.123.123.19> 2014-04-22 14:05
dns,packet pack: <iorr.ru:NS:27110=ns2.reg.ru> 2014-04-22 14:05
dns,packet pack: <iorr.ru:A:27110=123.123.123.9> 2014-04-22 14:05
dns,packet pack: <iorr.ru:NS:27110=ns1.reg.ru> 2014-04-22 14:05
dns,packet pack: authority: 2014-04-22 14:05
dns,packet pack: <iorr.ru:NS:27110=ns2.reg.ru> 2014-04-22 14:05
dns,packet pack: <iorr.ru:NS:27110=ns1.reg.ru> 2014-04-22 14:05
dns,packet pack: --- got query from 80.5.24.20:77: 2014-04-22 14:05
dns,packet pack: id:7938 rd:1 tc:0 aa:0 qr:0 ra:0 QUERY 'no error' 2014-04-22 14:05
dns,packet pack: question: iorr.ru:ALL:IN 2014-04-22 14:05
dns,packet pack: additional: 2014-04-22 14:05
dns,packet pack: <:UNKNOWN (41):0=rawbytes:0> 2014-04-22 14:05
dns,packet pack: --- sending reply to 80.5.24.20:77: 2014-04-22 14:05
dns,packet pack: id:7938 rd:1 tc:0 aa:0 qr:1 ra:1 QUERY 'no error' 2014-04-22 14:05
dns,packet pack: question: iorr.ru:ALL:IN 2014-04-22 14:05
dns,packet pack: answer: 2014-04-22 14:05
dns,packet pack: <iorr.ru:A:27110=123.123.123.97> 2014-04-22 14:05
dns,packet pack: <iorr.ru:A:27110=123.123.123.55> 2014-04-22 14:05
dns,packet pack: <iorr.ru:A:27110=123.123.123.46> 2014-04-22 14:05
dns,packet pack: <iorr.ru:A:27110=123.123.123.30> 2014-04-22 14:05
dns,packet pack: <iorr.ru:A:27110=123.123.123.187> 2014-04-22 14:05
What does it mean? Can it affect the router's performance or security? What actions should I take?
Thank you in advance for your support.

Ioan
 
normis
MikroTik Support
Posts: 24337
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Huge log file

Tue Apr 22, 2014 2:39 pm

I started to log packets
This explains it. Why did you start to log packets then?
 
quark
just joined
Topic Author
Posts: 2
Joined: Tue Apr 22, 2014 2:01 pm

Thousand log entries from single domain

Tue Apr 22, 2014 3:34 pm

This explains it. Why did you start to log packets then?
Your answer didn't help because you read only the subject line, not to the end of my post... so I'll rephrase the question and modify the subject to be more accurate:
The problem isn't the log file size, but: is it normal to have so many records per second coming from a single IP class, only from iorr.ru? What does it mean? Can it affect the router's performance or security? What actions should I take?
Thank you.
 
jaykay2342
Member
Posts: 335
Joined: Tue Dec 04, 2012 2:49 pm
Location: /Vigor/LocalGroup/Milky Way/Earth/Europe/Germany

Re: Huge log file

Tue Apr 22, 2014 10:50 pm

Is the DNS server on your router accessible from the WAN? It looks a bit like someone is trying to abuse it for a DNS amplification attack.
9-5 Job: Security analyst at a major MSSP.
Free time volunteer: Network admin and founder at a small non-profit WISP.
Certifications: ITILv3, GCIA
 
mousa1983
Frequent Visitor
Posts: 79
Joined: Mon Apr 21, 2014 2:36 pm
Location: ilam-iran

Re: Huge log file

Wed Apr 23, 2014 10:52 pm

Hi
Add a rule to the firewall and drop the IP range 123.123.123.0/24.
I think it isn't normal.
Last edited by mousa1983 on Thu May 08, 2014 3:27 pm, edited 1 time in total.
 
toysoft
just joined
Posts: 1
Joined: Mon May 05, 2014 1:17 am

Re: Huge log file

Mon May 05, 2014 1:20 am

It's a DDoS, so removing the original IP address will not be enough; you have to tag the string with something constant and drop it in iptables.

TS
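To turn the excerpt in the first post into something checkable, here is an added example (not code from this thread, from MikroTik or from RouterOS) that rebuilds each query/reply pair from the `dns,packet` log format quoted above and flags the amplification signature jaykay2342 describes: a query for ALL (ANY) from a source outside the LAN, an EDNS0 OPT pseudo-record (the `UNKNOWN (41)` entry) in the query, and many resource records returned for a single question. The sample log is constructed in the thread's format: the first transaction reproduces the ANY query shown above, the second is a made-up ordinary lookup from a LAN host so there is benign traffic to pass. The private-range list, the record threshold and every function name are the example's own assumptions.

```python
import re
import ipaddress

# Constructed sample in the format of the RouterOS "dns,packet" log quoted
# in the thread (trailing date stamp as pasted). The first transaction is
# the ANY query from the thread; the second is a constructed, ordinary
# lookup from a LAN host so the detector has something benign to pass.
SAMPLE_LOG = """\
dns,packet pack: --- got query from 91.109.3.170:5153: 2014-04-22 13:52
dns,packet pack: id:f064 rd:1 tc:0 aa:0 qr:0 ra:0 QUERY 'no error' 2014-04-22 13:52
dns,packet pack: question: iorr.ru:ALL:IN 2014-04-22 13:52
dns,packet pack: additional: 2014-04-22 13:52
dns,packet pack: <:UNKNOWN (41):0=rawbytes:0> 2014-04-22 13:52
dns,packet pack: --- sending reply to 91.109.3.170:5153: 2014-04-22 13:52
dns,packet pack: id:f064 rd:1 tc:0 aa:0 qr:1 ra:1 QUERY 'no error' 2014-04-22 13:52
dns,packet pack: question: iorr.ru:ALL:IN 2014-04-22 13:52
dns,packet pack: answer: 2014-04-22 13:52
dns,packet pack: <iorr.ru:A:27894=123.123.123.154> 2014-04-22 13:52
dns,packet pack: <iorr.ru:A:27894=123.123.123.84> 2014-04-22 13:52
dns,packet pack: <iorr.ru:SOA:27894=serial:1398061729 refresh:14400 retry:3600 expire:604800 min:43200 > 2014-04-22 13:52
dns,packet pack: <iorr.ru:NS:27894=ns1.reg.ru> 2014-04-22 13:52
dns,packet pack: <iorr.ru:NS:27894=ns2.reg.ru> 2014-04-22 13:52
dns,packet pack: authority: 2014-04-22 13:52
dns,packet pack: <iorr.ru:NS:27894=ns1.reg.ru> 2014-04-22 13:52
dns,packet pack: <iorr.ru:NS:27894=ns2.reg.ru> 2014-04-22 13:52
dns,packet pack: --- got query from 192.168.88.10:49152: 2014-04-22 13:53
dns,packet pack: id:1a2b rd:1 tc:0 aa:0 qr:0 ra:0 QUERY 'no error' 2014-04-22 13:53
dns,packet pack: question: example.com:A:IN 2014-04-22 13:53
dns,packet pack: --- sending reply to 192.168.88.10:49152: 2014-04-22 13:53
dns,packet pack: id:1a2b rd:1 tc:0 aa:0 qr:1 ra:1 QUERY 'no error' 2014-04-22 13:53
dns,packet pack: question: example.com:A:IN 2014-04-22 13:53
dns,packet pack: answer: 2014-04-22 13:53
dns,packet pack: <example.com:A:3600=203.0.113.10> 2014-04-22 13:53
"""

# One regex per line shape seen in the excerpt; the trailing date stamp is optional.
LINE_RE = re.compile(r"^dns,packet pack: (?P<body>.*?)(?: \d{4}-\d{2}-\d{2} \d{2}:\d{2})?$")
PEER_RE = re.compile(r"^--- (?P<dir>got query from|sending reply to) (?P<ip>[\d.]+):(?P<port>\d+):$")
FLAGS_RE = re.compile(r"^id:(?P<id>[0-9a-f]+) rd:")
QUESTION_RE = re.compile(r"^question: (?P<name>[^:]*):(?P<qtype>[^:]+):(?P<qclass>\S+)$")
SECTION_RE = re.compile(r"^(?P<section>answer|authority|additional):$")
RECORD_RE = re.compile(r"^<(?P<name>[^:]*):(?P<rtype>[^:]+):(?P<ttl>\d+)=(?P<data>.*)>$")

# Assumed LAN ranges (RFC 1918 plus loopback); adjust to the site's own addressing.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def parse_transactions(log_text):
    """Rebuild query/reply pairs keyed by (peer ip, peer port, DNS id)."""
    txns, packet, section = {}, None, None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        body = m.group("body")
        if (pm := PEER_RE.match(body)):
            direction = "query" if pm.group("dir") == "got query from" else "reply"
            packet = {"direction": direction, "peer": pm.group("ip"),
                      "port": int(pm.group("port")), "id": None, "question": None,
                      "sections": {"answer": [], "authority": [], "additional": []}}
            section = None
        elif packet is None:
            continue  # records before the first packet header (truncated paste)
        elif (fm := FLAGS_RE.match(body)):
            packet["id"] = fm.group("id")
            key = (packet["peer"], packet["port"], packet["id"])
            txns.setdefault(key, {})[packet["direction"]] = packet
        elif (qm := QUESTION_RE.match(body)):
            packet["question"] = (qm.group("name"), qm.group("qtype"), qm.group("qclass"))
        elif (sm := SECTION_RE.match(body)):
            section = sm.group("section")
        elif section and (rm := RECORD_RE.match(body)):
            packet["sections"][section].append(
                (rm.group("name"), rm.group("rtype"), rm.group("data")))
    return txns


def assess(txns, min_records=10):
    """Flag replies sent to non-LAN sources that carry the amplification signature."""
    findings = []
    for (peer, port, qid), pair in txns.items():
        reply = pair.get("reply")
        if reply is None or reply["question"] is None:
            continue
        query = pair.get("query")
        qname, qtype, _ = reply["question"]
        records = sum(len(rrs) for rrs in reply["sections"].values())
        # Type 41 is the EDNS0 OPT pseudo-record; it lets a UDP reply exceed 512 bytes.
        edns = bool(query) and any(r[1] == "UNKNOWN (41)" for r in query["sections"]["additional"])
        if not is_local(peer) and (qtype == "ALL" or records >= min_records):
            findings.append({"peer": peer, "port": port, "id": qid, "qname": qname,
                             "qtype": qtype, "records": records, "edns": edns})
    return findings


if __name__ == "__main__":
    for f in assess(parse_transactions(SAMPLE_LOG)):
        print(f"{f['peer']}:{f['port']} id={f['id']} {f['qname']} {f['qtype']} "
              f"-> {f['records']} RRs for 1 question, EDNS0={f['edns']}")
```

Two things the parsed output makes visible. The 123.123.123.x addresses are answer data for iorr.ru, not the senders; the senders are the addresses in the `got query from` lines (91.109.3.170, 80.5.24.20 in the excerpt), and in an amplification attack those are normally spoofed to the intended victim, so a drop rule on either set of addresses does little. What the detector is really reporting is that the router answers recursive queries from the WAN at all; on RouterOS that is closed either with `/ip dns set allow-remote-requests=no` when the router need not serve DNS to the LAN, or with input-chain firewall rules that drop UDP and TCP destination port 53 arriving on the WAN interface while leaving the LAN interface untouched.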
