[Dnsmasq-discuss] Vulnerability to hack DNSMASQ?

Michael Rack michael.rack at rsm-freilassing.de
Fri Nov 28 21:44:14 GMT 2014


Hi!

My DNSMASQ process was open to anyone on the Internet.
For a few days I have had many service interruptions, so I did some
network monitoring and found that DNSMASQ had many connections open.

It looks like a DDoS, and it also felt like one to me.

> 91.205.14.65:domain            <=> 46.38.227.66:http               
> 483MB   455Kb   460Kb   461Kb
> 91.205.14.65                   <=> 72.194.79.40                   
> 13.1KB   760b    760b    760b
> 91.205.14.65:domain            <=> 72.194.79.40:2622               
> 134B    268b     54b     27b
> 91.205.14.65:domain            <=> 72.194.79.40:44836               
> 67B    268b     54b     13b
> 91.205.14.65:domain            <=> 72.194.79.40:48661               
> 67B    268b     54b     13b
> 91.205.14.65:domain            <=> 72.194.79.40:exce                
> 67B    268b     54b     13b
> 91.205.14.65:domain            <=> 72.194.79.40:15016               
> 67B    268b     54b     13b
> 91.205.14.65:domain            <=> 72.194.79.40:60409               
> 67B    268b     54b     13b
> 91.205.14.65:domain            <=> 72.194.79.40:46901               
> 67B    268b     54b     13b
> 91.205.14.65:domain            <=> 72.194.79.40:41296               
> 67B    268b     54b     13b
> 91.205.14.65:domain            <=> 72.194.79.40:31861               
> 67B    268b     54b     13b
> 91.205.14.65:domain            <=> 72.194.79.40:47420               
> 67B    268b     54b     13b
> 91.205.14.65:domain            <=> 72.194.79.40:24221               
> 67B    268b     54b     13b
> 91.205.14.65:domain            <=> 72.194.79.40:29322               
> 67B    268b     54b     13b
> 91.205.14.65:domain            <=> 72.194.79.40:510                 
> 67B    268b     54b     13b
> 91.205.14.65:domain            <=> 72.194.79.40:2555                
> 67B    268b     54b     13b
> 91.205.14.65:domain            <=> 72.194.79.40:40311               
> 67B    268b     54b     13b
> 91.205.14.65:domain            <=> 72.194.79.40:64537               
> 67B    268b     54b     13b
> 91.205.14.65:domain            <=> 72.194.79.40:27566               
> 67B    268b     54b     13b
> 91.205.14.65:domain            <=> 72.194.79.40:43125               
> 67B    268b     54b     13b
> 91.205.14.65:domain            <=> 72.194.79.40:55887               
> 67B    268b     54b     13b
> 91.205.14.65:domain            <=> 72.194.79.40:netmon              
> 67B    268b     54b     13b
> 91.205.14.65:domain            <=> 72.194.79.40:55651               
> 67B    268b     54b     13b
> 91.205.14.65:domain            <=> 72.194.79.40:44949               
> 67B    268b     54b     13b
> 91.205.14.65:domain            <=> 72.194.79.40:12310               
> 67B    268b     54b     13b
> 91.205.14.65:domain            <=> 72.194.79.40:25831               
> 67B    268b     54b     13b
> 91.205.14.65:domain            <=> 72.194.79.40:35779               
> 67B    268b     54b     13b
> 91.205.14.65:domain            <=> 72.194.79.40:28138               
> 67B    268b     54b     13b
> 91.205.14.65:domain            <=> 72.194.79.40:37074               
> 67B    268b     54b     13b
> 91.205.14.65:domain            <=> 72.194.79.40:46767               
> 67B    268b     54b     13b
> 91.205.14.65:domain            <=> 72.194.79.40:9027                
> 67B    268b     54b     13b
> 91.205.14.65:domain            <=> 72.194.79.40:47533               
> 67B    268b     54b     13b
> 91.205.14.65:domain            <=> 72.194.79.40:19229               
> 67B    268b     54b     13b
> 91.205.14.65:domain            <=> 72.194.79.40:19487               
> 67B    268b     54b     13b
> 91.205.14.65:domain            <=> 72.194.79.40:20255               
> 67B    268b     54b     13b
> 91.205.14.65:domain            <=> 72.194.79.40:23830               
> 67B    268b     54b     13b
> 91.205.14.65:domain            <=> 72.194.79.40:64895               
> 67B    268b     54b     13b
> 91.205.14.65:domain            <=> 72.194.79.40:41186               
> 67B    268b     54b     13b
> 91.205.14.65:domain            <=> 72.194.79.40:59304               
> 67B    268b     54b     13b
> 91.205.14.65:domain            <=> 72.194.79.40:12911               
> 67B    268b     54b     13b
> 91.205.14.65:domain            <=> 72.194.79.40:51671               
> 67B    268b     54b     13b
> 91.205.14.65:domain            <=> 72.194.79.40:44285               
> 67B    268b     54b     13b
> 91.205.14.65:domain            <=> 72.194.79.40:36142               
> 67B    268b     54b     13b
> 91.205.14.65:domain            <=> 72.194.79.40:8859                
> 67B    268b     54b     13b
> 91.205.14.65:domain            <=> 72.194.79.40:13960               
> 67B    268b     54b     13b
> 91.205.14.65:domain            <=> 72.194.79.40:55017               
> 67B    268b     54b     13b
> 91.205.14.65:domain            <=> 72.194.79.40:61910               
> 67B    268b     54b     13b
> 91.205.14.65:domain            <=> 72.194.79.40:2498                
> 67B    268b     54b     13b
> 91.205.14.65:domain            <=> 72.194.79.40:23665               
> 67B    268b     54b     13b
> 91.205.14.65:domain            <=> 72.194.79.40:39752              
> 134B      0b    107b     27b
> 91.205.14.65:domain            <=> 72.194.79.40:60709              
> 134B      0b     54b     27b
> 91.205.14.65:domain            <=> 72.194.79.40:64920              
> 134B      0b     54b     27b
> 91.205.14.65:domain            <=> 72.194.79.40:29023               
> 67B      0b     54b     13b
> 91.205.14.65:domain            <=> 72.194.79.40:47383               
> 67B      0b     54b     13b

Why are there so many different ports that dnsmasq is connected to?

I run dnsmasq version 2.59rc1. After stopping the process, it took over
8 minutes before the traffic stopped passing my WAN interface.

Kind regards from Freilassing,

Michael Rack
RSM Freilassing
-- 
RSM Freilassing                 Tel.: +49 8654 607110
Nocksteinstr. 13                Fax.: +49 8654 670438
D-83395 Freilassing            www.rsm-freilassing.de 



