[Dnsmasq-discuss] Vulnerability to hack DNSMASQ?
Simon Kelley
simon at thekelleys.org.uk
Sun Nov 30 16:34:46 GMT 2014
On 28/11/14 21:44, Michael Rack wrote:
> Hi!
>
> My DNSMASQ Process was open to anyone on the Internet.
> For a few days I have had many service interruptions, so I did some
> network monitoring and found that DNSMASQ had many connections open.
>
> It looks like a DDoS - it also felt like one to me.
>
>> 91.205.14.65:domain <=> 46.38.227.66:http
>> 483MB 455Kb 460Kb 461Kb
>> 91.205.14.65 <=> 72.194.79.40
>> 13.1KB 760b 760b 760b
>> 91.205.14.65:domain <=> 72.194.79.40:2622
>> 134B 268b 54b 27b
>> 91.205.14.65:domain <=> 72.194.79.40:44836
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:48661
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:exce
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:15016
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:60409
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:46901
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:41296
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:31861
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:47420
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:24221
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:29322
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:510
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:2555
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:40311
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:64537
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:27566
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:43125
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:55887
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:netmon
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:55651
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:44949
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:12310
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:25831
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:35779
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:28138
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:37074
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:46767
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:9027
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:47533
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:19229
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:19487
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:20255
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:23830
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:64895
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:41186
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:59304
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:12911
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:51671
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:44285
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:36142
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:8859
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:13960
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:55017
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:61910
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:2498
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:23665
>> 67B 268b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:39752
>> 134B 0b 107b 27b
>> 91.205.14.65:domain <=> 72.194.79.40:60709
>> 134B 0b 54b 27b
>> 91.205.14.65:domain <=> 72.194.79.40:64920
>> 134B 0b 54b 27b
>> 91.205.14.65:domain <=> 72.194.79.40:29023
>> 67B 0b 54b 13b
>> 91.205.14.65:domain <=> 72.194.79.40:47383
>> 67B 0b 54b 13b
>
> Why are there so many different ports that dnsmasq is connected to?
>
> I run dnsmasq version 2.59rc1. After stopping the process, it took over
> 8 minutes before the traffic stopped passing my WAN interface.
>
> Kind regards from Freilassing,
>
> Michael Rack
> RSM Freilassing
>
Dnsmasq will accept queries on any interface unless you configure it not
to. You need to add lines like
interface=eth0
to the dnsmasq configuration file, to tell dnsmasq which interfaces are
"internal" and allowed to accept queries. If you don't do that, then
dnsmasq can be used to mount a DNS amplification attack.
Simon.
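The point of Simon's reply is that dnsmasq answers on every interface unless the configuration narrows it down, and a resolver reachable from the WAN side is usable as a reflector. The script below, an added example that is not part of the thread or of dnsmasq itself, audits a dnsmasq.conf for that: it parses the file's key=value lines, reports when no interface, listen-address, except-interface or local-service restriction is present, and flags interface= lines that lack bind-interfaces. The two configurations it checks are constructed samples (the upstream address 192.0.2.1 is a placeholder from the documentation range); local-service is assumed to be available only on releases newer than the 2.59rc1 in the thread.

```python
"""Audit a dnsmasq configuration for the open-resolver condition discussed
in the thread. Added example, not code from dnsmasq or from the thread's
authors. Sample configurations below are constructed for illustration."""

from dataclasses import dataclass, field

# Constructed sample: restricts nothing, so dnsmasq listens on the WAN
# interface too and anyone on the Internet can query it.
OPEN_CONF = """# constructed sample dnsmasq.conf (no interface restriction)
domain-needed
bogus-priv
server=192.0.2.1
"""

# Constructed sample: the fix from the reply, plus bind-interfaces so the
# daemon opens sockets only on the named interface.
HARDENED_CONF = """# constructed sample dnsmasq.conf (internal interface only)
interface=eth0
bind-interfaces
domain-needed
bogus-priv
server=192.0.2.1
"""


@dataclass
class Audit:
    interfaces: list = field(default_factory=list)
    listen_addresses: list = field(default_factory=list)
    except_interfaces: list = field(default_factory=list)
    bind_interfaces: bool = False
    local_service: bool = False  # option assumed present on newer releases

    @property
    def restricted(self) -> bool:
        """True when some option limits where dnsmasq accepts queries."""
        return bool(self.interfaces or self.listen_addresses
                    or self.except_interfaces or self.local_service)


def parse_dnsmasq_conf(text: str):
    """Yield (key, value) pairs. dnsmasq lines are 'key' or 'key=value';
    lines whose first non-blank character is '#' are comments."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        yield key.strip(), (value.strip() if sep else None)


def audit(text: str) -> Audit:
    """Collect the listener-scoping options found in the configuration."""
    a = Audit()
    for key, value in parse_dnsmasq_conf(text):
        if key == "interface" and value:
            a.interfaces.append(value)
        elif key == "listen-address" and value:
            a.listen_addresses.append(value)
        elif key == "except-interface" and value:
            a.except_interfaces.append(value)
        elif key == "bind-interfaces":
            a.bind_interfaces = True
        elif key == "local-service":
            a.local_service = True
    return a


def findings(text: str) -> list:
    """Return a list of human-readable problems; empty means no finding."""
    a = audit(text)
    issues = []
    if not a.restricted:
        issues.append("no interface/listen-address restriction: dnsmasq "
                      "answers queries on every interface, including the "
                      "WAN side (open resolver, usable for DNS amplification)")
    elif a.interfaces and not a.bind_interfaces:
        # Without bind-interfaces dnsmasq binds the wildcard address and
        # discards non-matching queries itself; bind-interfaces keeps the
        # socket from being opened on the other interfaces at all.
        issues.append("interface= given without bind-interfaces: consider "
                      "adding bind-interfaces so only the listed interfaces "
                      "are bound")
    return issues


if __name__ == "__main__":
    for name, conf in (("open", OPEN_CONF), ("hardened", HARDENED_CONF)):
        print(name, "->", findings(conf) or ["ok"])
```

Run it against a real /etc/dnsmasq.conf by reading the file into `findings()`; an empty result means the listener scope is restricted and bound explicitly. The parser only covers the main file, so include any conf-dir fragments yourself if the installation splits its configuration.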