[Dnsmasq-discuss] Vulnerability to hack DNSMASQ?

Simon Kelley simon at thekelleys.org.uk
Sun Nov 30 16:34:46 GMT 2014


On 28/11/14 21:44, Michael Rack wrote:
> Hi!
> 
> My DNSMASQ Process was open to anyone on the Internet.
> For a few days now, I have had many service interruptions, so I did some
> network monitoring and found that DNSMASQ had many connections open.
> 
> It looks like a DDoS, and it felt like one to me, too.
> 
> Why are there so many different ports that dnsmasq is connected to?
> 
> I run dnsmasq version 2.59rc1. After stopping the process, it took over
> 8 minutes before the traffic stopped passing my WAN interface.
> 
> Kind regards from Freilassing,
> 
> Michael Rack
> RSM Freilassing
> 

Dnsmasq will accept queries on any interface unless you configure it not
to. You need to add lines like

interface=eth0

to the dnsmasq configuration file, to tell dnsmasq which interfaces are
"internal" and allowed to accept queries. If you don't do that, then
dnsmasq can be used to mount a DNS amplification attack.


Simon.
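As an added example (not from Simon's message or the dnsmasq project), here is a constructed permissive dnsmasq.conf beside one restricted with `interface=` as described above, plus a small check that flags a configuration with no interface restriction at all. The interface name `eth0`, the upstream resolver `192.0.2.53` and the sample contents are assumptions.

```shell
# Weak: no interface restriction, so dnsmasq answers recursive queries arriving
# on any interface, including the WAN side, and can serve as a DNS amplifier.
# (Constructed sample; 192.0.2.53 is a documentation-range placeholder.)
WEAK_CONF='
domain-needed
bogus-priv
server=192.0.2.53
'

# Hardened: only the internal interface is allowed to accept queries.
# interface=       names the "internal" side; queries from other interfaces are
#                  discarded even though dnsmasq still binds the wildcard address.
# bind-interfaces  additionally binds sockets only to the listed interfaces,
#                  so nothing is bound on the WAN address at all.
# local-service    (newer dnsmasq releases) answers only hosts on a local subnet.
HARDENED_CONF='
domain-needed
bogus-priv
server=192.0.2.53
interface=eth0
bind-interfaces
local-service
'

# Reads a dnsmasq configuration on stdin and returns 0 if at least one
# interface= or listen-address= line is present, 1 otherwise.
# Commented-out lines (leading #) do not count. Files pulled in via
# conf-file= / conf-dir= are not followed; check those separately.
dnsmasq_conf_is_restricted() {
    grep -Eq '^[[:space:]]*(interface|listen-address)[[:space:]]*=[[:space:]]*[^[:space:]]'
}

# Prints "restricted" or "exposed" for the configuration text given as $1.
conf_check() {
    if printf '%s\n' "$1" | dnsmasq_conf_is_restricted; then
        echo restricted
    else
        echo exposed
    fi
}

conf_check "$WEAK_CONF"       # exposed
conf_check "$HARDENED_CONF"   # restricted
```

On a live host, run `dnsmasq_conf_is_restricted < /etc/dnsmasq.conf` and confirm with `ss -lunp 'sport = :53'` that port 53 is bound only on internal addresses when `bind-interfaces` is in use.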
