[Dnsmasq-discuss] Vulnerability to hack DNSMASQ?
Michael Rack
michael.rack at rsm-freilassing.de
Fri Nov 28 21:44:14 GMT 2014
Hi!
My DNSMASQ process was open to anyone on the Internet.
For a few days now, I have had many service interruptions, so I did some
network monitoring and found that DNSMASQ had many connections open.
It looks like a DDoS, and it also felt like one to me.
> 91.205.14.65:domain <=> 46.38.227.66:http
> 483MB 455Kb 460Kb 461Kb
> 91.205.14.65 <=> 72.194.79.40
> 13.1KB 760b 760b 760b
> 91.205.14.65:domain <=> 72.194.79.40:2622
> 134B 268b 54b 27b
> 91.205.14.65:domain <=> 72.194.79.40:44836
> 67B 268b 54b 13b
> 91.205.14.65:domain <=> 72.194.79.40:48661
> 67B 268b 54b 13b
> 91.205.14.65:domain <=> 72.194.79.40:exce
> 67B 268b 54b 13b
> 91.205.14.65:domain <=> 72.194.79.40:15016
> 67B 268b 54b 13b
> 91.205.14.65:domain <=> 72.194.79.40:60409
> 67B 268b 54b 13b
> 91.205.14.65:domain <=> 72.194.79.40:46901
> 67B 268b 54b 13b
> 91.205.14.65:domain <=> 72.194.79.40:41296
> 67B 268b 54b 13b
> 91.205.14.65:domain <=> 72.194.79.40:31861
> 67B 268b 54b 13b
> 91.205.14.65:domain <=> 72.194.79.40:47420
> 67B 268b 54b 13b
> 91.205.14.65:domain <=> 72.194.79.40:24221
> 67B 268b 54b 13b
> 91.205.14.65:domain <=> 72.194.79.40:29322
> 67B 268b 54b 13b
> 91.205.14.65:domain <=> 72.194.79.40:510
> 67B 268b 54b 13b
> 91.205.14.65:domain <=> 72.194.79.40:2555
> 67B 268b 54b 13b
> 91.205.14.65:domain <=> 72.194.79.40:40311
> 67B 268b 54b 13b
> 91.205.14.65:domain <=> 72.194.79.40:64537
> 67B 268b 54b 13b
> 91.205.14.65:domain <=> 72.194.79.40:27566
> 67B 268b 54b 13b
> 91.205.14.65:domain <=> 72.194.79.40:43125
> 67B 268b 54b 13b
> 91.205.14.65:domain <=> 72.194.79.40:55887
> 67B 268b 54b 13b
> 91.205.14.65:domain <=> 72.194.79.40:netmon
> 67B 268b 54b 13b
> 91.205.14.65:domain <=> 72.194.79.40:55651
> 67B 268b 54b 13b
> 91.205.14.65:domain <=> 72.194.79.40:44949
> 67B 268b 54b 13b
> 91.205.14.65:domain <=> 72.194.79.40:12310
> 67B 268b 54b 13b
> 91.205.14.65:domain <=> 72.194.79.40:25831
> 67B 268b 54b 13b
> 91.205.14.65:domain <=> 72.194.79.40:35779
> 67B 268b 54b 13b
> 91.205.14.65:domain <=> 72.194.79.40:28138
> 67B 268b 54b 13b
> 91.205.14.65:domain <=> 72.194.79.40:37074
> 67B 268b 54b 13b
> 91.205.14.65:domain <=> 72.194.79.40:46767
> 67B 268b 54b 13b
> 91.205.14.65:domain <=> 72.194.79.40:9027
> 67B 268b 54b 13b
> 91.205.14.65:domain <=> 72.194.79.40:47533
> 67B 268b 54b 13b
> 91.205.14.65:domain <=> 72.194.79.40:19229
> 67B 268b 54b 13b
> 91.205.14.65:domain <=> 72.194.79.40:19487
> 67B 268b 54b 13b
> 91.205.14.65:domain <=> 72.194.79.40:20255
> 67B 268b 54b 13b
> 91.205.14.65:domain <=> 72.194.79.40:23830
> 67B 268b 54b 13b
> 91.205.14.65:domain <=> 72.194.79.40:64895
> 67B 268b 54b 13b
> 91.205.14.65:domain <=> 72.194.79.40:41186
> 67B 268b 54b 13b
> 91.205.14.65:domain <=> 72.194.79.40:59304
> 67B 268b 54b 13b
> 91.205.14.65:domain <=> 72.194.79.40:12911
> 67B 268b 54b 13b
> 91.205.14.65:domain <=> 72.194.79.40:51671
> 67B 268b 54b 13b
> 91.205.14.65:domain <=> 72.194.79.40:44285
> 67B 268b 54b 13b
> 91.205.14.65:domain <=> 72.194.79.40:36142
> 67B 268b 54b 13b
> 91.205.14.65:domain <=> 72.194.79.40:8859
> 67B 268b 54b 13b
> 91.205.14.65:domain <=> 72.194.79.40:13960
> 67B 268b 54b 13b
> 91.205.14.65:domain <=> 72.194.79.40:55017
> 67B 268b 54b 13b
> 91.205.14.65:domain <=> 72.194.79.40:61910
> 67B 268b 54b 13b
> 91.205.14.65:domain <=> 72.194.79.40:2498
> 67B 268b 54b 13b
> 91.205.14.65:domain <=> 72.194.79.40:23665
> 67B 268b 54b 13b
> 91.205.14.65:domain <=> 72.194.79.40:39752
> 134B 0b 107b 27b
> 91.205.14.65:domain <=> 72.194.79.40:60709
> 134B 0b 54b 27b
> 91.205.14.65:domain <=> 72.194.79.40:64920
> 134B 0b 54b 27b
> 91.205.14.65:domain <=> 72.194.79.40:29023
> 67B 0b 54b 13b
> 91.205.14.65:domain <=> 72.194.79.40:47383
> 67B 0b 54b 13b
Why are there so many different ports that dnsmasq is connected to?
I run dnsmasq version 2.59rc1. After stopping the process, it took over
8 minutes before the traffic stopped passing my WAN interface.
Kind regards from Freilassing,
Michael Rack
RSM Freilassing
--
RSM Freilassing Tel.: +49 8654 607110
Nocksteinstr. 13 Fax.: +49 8654 670438
D-83395 Freilassing www.rsm-freilassing.de