Our Forums Have Moved!

Visit our new forums at http://community.opendns.com/forums/ to post on topics and read the latest content. These forums are now read-only archives.

This discussion has been inactive for longer than 30 days, and is thus closed.
    • nowshining (Jan 12th 2007)
    I have Comodo Firewall, and lately I have been getting a port scan from 208.67.222.222 in, and Comodo blocks it. It is a UDP scan, as reported by Comodo Firewall. :(
    • pencoyd (Jan 12th 2007)
    OpenDNS does not scan anything, or make any queries at all: it responds to queries with DNS information.

    What is likely happening is that you have some process making a DNS request to our server at 208.67.222.222 and it's returning a response.

    We'd like to understand more... do you have logs? Can you see what is triggering the original request?

    John Roberts
    OpenDNS
    • nowshining (Jan 12th 2007)
    Yes, I have logs. However, I have UDP OUT allowed only to your IPs going out, and the UDP attack is incoming. I also have TCP out any. :)

    My Setup in comodo is:

    TCP in block any any
    Block TCP/UDP in/out any range 224.0.0.0-239.255.255.255
    Allow UDP out any 127.0.0.1
    Allow UDP In (and your dns addresses here)
    Deny UDP in/out any any
    Allow tcp out any any
    Block icmp in/out where message is any
    Block IP in/out any any
    ........
    This has been happening even if I just have a web browser open. It hadn't been happening before I switched to your DNS servers, and didn't happen until lately. I have a dynamic IP, and so far each IP I have signed on with has got the attack or UDP scan.
    The log sample is below, from when I wrote this reply.
    ...........

    Comodo Firewall Logs

    Date Created: 05:04:52 12-01-2007
    Log Scope: Today

    Date/Time :2007-01-12 05:03:04
    Severity :Medium
    Reporter :Network Monitor
    Description:Outbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
    Protocol:ICMP Outgoing
    Source: 4.245.99.115
    Destination: 208.67.220.220
    Message: PORT UNREACHABLE
    Reason: Network Control Rule ID = 6

    Date/Time :2007-01-12 05:01:58
    Severity :High
    Reporter :Network Monitor
    Description: Blocked by Protocol Analysis (Bad UDP Checksum)
    Direction: UDP Incoming
    Source: 120.54.18.57:30344
    Destination: 4.245.99.115:1026
    Reason: The packet has an invalid UDP checksum value

    Date/Time :2007-01-12 05:01:43
    Severity :High
    Reporter :Network Monitor
    Description: UDP Port Scan
    Attacker: 208.67.222.222
    Ports: 34322, 35346, 35858, 36626, 38162, 34834, 35090, 38674, 35602, 39186, 39442, 36114, 36370, 39698, 36882, 37138, 37394, 37650, 37906, 38418, 38930
    The attacker has been temporarily blocked

    Date/Time :2007-01-12 04:56:09
    Severity :High
    Reporter :Network Monitor
    Description: Blocked by Protocol Analysis (Bad UDP Checksum)
    Direction: UDP Incoming
    Source: 67.51.7.4:30344
    Destination: 4.245.99.115:1026
    Reason: The packet has an invalid UDP checksum value

    Date/Time :2007-01-12 04:55:29
    Severity :Medium
    Reporter :Network Monitor
    Description:Outbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
    Protocol:ICMP Outgoing
    Source: 4.245.99.115
    Destination: 208.67.220.220
    Message: PORT UNREACHABLE
    Reason: Network Control Rule ID = 6

    Date/Time :2007-01-12 04:55:09
    Severity :Medium
    Reporter :Network Monitor
    Description:Outbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
    Protocol:ICMP Outgoing
    Source: 4.245.99.115
    Destination: 208.67.220.220
    Message: PORT UNREACHABLE
    Reason: Network Control Rule ID = 6

    Date/Time :2007-01-12 04:53:09
    Severity :High
    Reporter :Network Monitor
    Description: Blocked by Protocol Analysis (Bad UDP Checksum)
    Direction: UDP Incoming
    Source: 138.218.104.69:30344
    Destination: 4.245.99.115:1026
    Reason: The packet has an invalid UDP checksum value


    End of The Report
    ..........................................
    • nowshining (Jan 12th 2007)
    Your IP of 208.67.220.220 reports BOGUS at www.DNSSTUFF.com;
    however, the WHOIS reports you and your address. :(
    • nowshining (Jan 12th 2007)
    YOU GUYS ARE CROOKS, AREN'T you? :( Well, how come I now get port scans from your IPs, and never had this attack before with my local IP or Copper.net's IP? And a bit ago I could post 155 +/- characters and now I can't. Due to this I can't post my next log file from your IP port scanning me. I am changing back to Copper.net's DNS IPs; slower but WAY safer. And to think I was going to recommend you to others. :cry:
    • pencoyd (Jan 12th 2007)
    nowshining, hang on there! We're looking at all the info you posted... it's Friday morning in San Francisco, so we haven't had a chance yet to go over your posts.

    Our two nameserver IPs of 208.67.222.222 and 208.67.220.220 actually point to many different servers in many different locations. That's on purpose. That's anycast: http://en.wikipedia.org/wiki/Anycast So there are no A records for those IPs, on purpose, which is all that DNSstuff is reporting.

    Which web browser are you using? Do you have any toolbars installed that might be making requests when you visit new websites, either as reputation managers or the like? Are any of those toolbars out of date?

    I'm speculating here.

    Another possibility is simply that someone is spoofing our nameserver IP address(es) for their port scan, since our nameserver addresses are well publicized (we hope! :smile: ).

    I'll have a more technical colleague take a look, too.

    John Roberts
    OpenDNS
    • drsox (Jan 12th 2007)
    Wow, this guy doesn't know how to configure a firewall ;)

    I have in the past had ZoneAlarm detect DNS replies as attacks.
    Could it be possible that:

    1) His computer sends the query to his router, e.g. 192.168.0.1
    2) The router then has a quirk and sends the query to OpenDNS BUT!! sends the response directly back to his PC?
    3) His PC goes "wait a minute.. I didn't send a query to OpenDNS.. I sent it to 192.168.0.1" and flags up a "port scan" warning (as the outgoing port for DNS queries is random?)

    Those are my ideas anyway.

    Tom - www.mouselike.org
    • pencoyd (Jan 12th 2007)
    A more technical colleague took a look.

    You should contact support@comodo.com to find out why DNS responses are getting reported as a port scan.

    Here's a walkthrough of the logs you sent.

    YOU
    Date/Time :2007-01-12 05:03:04
    Severity :Medium
    Reporter :Network Monitor
    Description:Outbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
    Protocol:ICMP Outgoing
    Source: 4.245.99.115
    Destination: 208.67.220.220
    Message: PORT UNREACHABLE
    Reason: Network Control Rule ID = 6

    DETAIL
    This is normal ICMP traffic. It was sent to OpenDNS by his computer. This rule in his firewall configuration is overly aggressive and should be removed: "Block icmp in/out where message is any"

    YOU
    Date/Time :2007-01-12 05:01:58
    Severity :High
    Reporter :Network Monitor
    Description: Blocked by Protocol Analysis (Bad UDP Checksum)
    Direction: UDP Incoming
    Source: 120.54.18.57:30344
    Destination: 4.245.99.115:1026
    Reason: The packet has an invalid UDP checksum value

    DETAIL
    We are neither the source nor the destination here. Not related to OpenDNS.

    YOU
    Date/Time :2007-01-12 05:01:43
    Severity :High
    Reporter :Network Monitor
    Description: UDP Port Scan
    Attacker: 208.67.222.222
    Ports: 34322, 35346, 35858, 36626, 38162, 34834, 35090, 38674, 35602, 39186, 39442, 36114, 36370, 39698, 36882, 37138, 37394, 37650, 37906, 38418, 38930
    The attacker has been temporarily blocked

    DETAIL
    These are most likely replies to DNS queries that his firewall is incorrectly interpreting as a port scan. The OpenDNS anycast IP addresses never send anything except replies to DNS queries we receive. Even when we communicate with other DNS servers to find answers, that is done via different IP addresses in each location.

    YOU
    Date/Time :2007-01-12 04:56:09
    Severity :High
    Reporter :Network Monitor
    Description: Blocked by Protocol Analysis (Bad UDP Checksum)
    Direction: UDP Incoming
    Source: 67.51.7.4:30344
    Destination: 4.245.99.115:1026
    Reason: The packet has an invalid UDP checksum value

    DETAIL
    We are neither the source nor the destination here. Not related to OpenDNS.

    YOU
    Date/Time :2007-01-12 04:55:29
    Severity :Medium
    Reporter :Network Monitor
    Description:Outbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
    Protocol:ICMP Outgoing
    Source: 4.245.99.115
    Destination: 208.67.220.220
    Message: PORT UNREACHABLE
    Reason: Network Control Rule ID = 6

    DETAIL
    This is his computer again sending us an ICMP packet that should be allowed by the firewall.

    YOU
    Date/Time :2007-01-12 04:53:09
    Severity :High
    Reporter :Network Monitor
    Description: Blocked by Protocol Analysis (Bad UDP Checksum)
    Direction: UDP Incoming
    Source: 138.218.104.69:30344
    Destination: 4.245.99.115:1026
    Reason: The packet has an invalid UDP checksum value

    DETAIL
    We are neither the source nor the destination here. Not related to OpenDNS.


    Hope this helps allay any and all concerns about OpenDNS.

    John Roberts
    OpenDNS
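The walkthrough above, turned into a small triage script. This is an added example and not part of the thread, of OpenDNS, or of Comodo's software: it parses Comodo-style Network Monitor entries (a constructed sample modelled on the log quoted in this thread, plus one made-up "UDP Port Scan" entry from 192.0.2.10 hitting service ports, added for contrast) and sorts each entry by whether it involves the configured resolvers, whether a "port scan" attributed to a resolver touches only ephemeral ports (the shape of replies to the host's own queries), or whether it is unrelated. The resolver set, the category names and the 1024-65535 ephemeral range are assumptions of the example.

```python
import re

# Resolver addresses the host is configured to use: the two anycast addresses
# named in the thread (assumption of this example).
RESOLVERS = {"208.67.222.222", "208.67.220.220"}

# Source-port range a client picks for outgoing UDP queries; replies to the
# host's own queries land here, never on a well-known service port.
EPHEMERAL = range(1024, 65536)

# Constructed sample in the shape of the Comodo Network Monitor entries quoted
# above. The last entry is made up to show what a real-looking scan resembles.
SAMPLE_LOG = """\
Date/Time :2007-01-12 05:03:04
Severity :Medium
Reporter :Network Monitor
Description:Outbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
Protocol:ICMP Outgoing
Source: 4.245.99.115
Destination: 208.67.220.220
Message: PORT UNREACHABLE
Reason: Network Control Rule ID = 6

Date/Time :2007-01-12 05:01:58
Severity :High
Reporter :Network Monitor
Description: Blocked by Protocol Analysis (Bad UDP Checksum)
Direction: UDP Incoming
Source: 120.54.18.57:30344
Destination: 4.245.99.115:1026
Reason: The packet has an invalid UDP checksum value

Date/Time :2007-01-12 05:01:43
Severity :High
Reporter :Network Monitor
Description: UDP Port Scan
Attacker: 208.67.222.222
Ports: 34322, 35346, 35858, 36626, 38162, 34834, 35090, 38674, 35602, 39186
The attacker has been temporarily blocked

Date/Time :2007-01-12 05:05:10
Severity :High
Reporter :Network Monitor
Description: UDP Port Scan
Attacker: 192.0.2.10
Ports: 53, 69, 111, 137, 161, 500, 1900
The attacker has been temporarily blocked
"""


def parse_entries(text):
    """Split the log into blank-line-separated entries, each a dict of 'Key: value' fields."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:                      # lines without a colon carry no field
                fields[key.strip()] = value.strip()
        if fields:
            entries.append(fields)
    return entries


def host_of(endpoint):
    """'1.2.3.4:1026' -> '1.2.3.4'; a bare address comes back unchanged."""
    return endpoint.rsplit(":", 1)[0]


def classify(entry, resolvers=RESOLVERS):
    """Label one entry by its relationship to the configured resolvers."""
    desc = entry.get("Description", "")
    if desc == "UDP Port Scan":
        ports = [int(p) for p in entry["Ports"].split(",")]
        if entry["Attacker"] in resolvers and all(p in EPHEMERAL for p in ports):
            # Packets from our own resolver to unordered high ports: the shape of
            # DNS replies to queries this host sent, not of a scan.
            return "dns_replies_flagged_as_scan"
        return "possible_scan"
    if "PORT UNREACHABLE" in desc and host_of(entry.get("Destination", "")) in resolvers:
        # The host itself telling the resolver that a datagram arrived at a UDP
        # port with no listener (for example a querying socket already closed).
        return "icmp_unreachable_to_resolver"
    src = host_of(entry.get("Source", ""))
    dst = host_of(entry.get("Destination", ""))
    if src not in resolvers and dst not in resolvers:
        return "unrelated_to_resolver"
    return "other"


def triage(text, resolvers=RESOLVERS):
    """Map each label to the timestamps of the entries that received it."""
    result = {}
    for entry in parse_entries(text):
        result.setdefault(classify(entry, resolvers), []).append(entry["Date/Time"])
    return result


if __name__ == "__main__":
    for category, times in triage(SAMPLE_LOG).items():
        print(f"{category}: {times}")
```

The only entry that deserves attention in the sample is the made-up one from 192.0.2.10: an unknown source probing well-known UDP service ports. The resolver-attributed "scan" fails that test because every port is in the ephemeral range, which is where replies to the host's own queries are delivered.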
    • pencoyd (Jan 24th 2007)
    Here is some useful support information about Comodo:

    Outbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
    http://forums.comodo.com/index.php/topic,5367.msg39766.html
    • fred (Feb 4th 2007)
    When you send a DNS request to the OpenDNS servers, then you get a DNS reply from the OpenDNS servers.

    [client]----->[server]
    [client]<-----[server]
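fred's two-line diagram, carried through on the wire. This is an added example and not part of the thread or of OpenDNS's service: a stand-alone Python script runs a constructed resolver on 127.0.0.1 (an OS-assigned port stands in for 53, since binding port 53 needs privileges), builds a minimal DNS A query by hand, sends it from a fresh socket, and records the ephemeral port the query left from and the port the resolver sent its reply to, for several queries in a row. It shows why the firewall log lists one high "scanned" port per query: each reply goes back to whatever source port that query used. The query name example.com and the answer address 192.0.2.1 are constructed values.

```python
import socket
import struct
import threading

# Address the constructed resolver hands back; TEST-NET-1, not a real host.
ANSWER_IP = "192.0.2.1"


def build_query(txid, name):
    """Minimal RFC 1035 query: 12-byte header with RD set, one A/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def build_response(query, ip):
    """Copy the query's ID and question back, set QR/RD/RA, append one A record."""
    txid = struct.unpack("!H", query[:2])[0]
    end = query.index(b"\x00", 12) + 5          # end of QNAME + QTYPE + QCLASS
    question = query[12:end]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    return header + question + answer


def serve(sock, stop, replied_to):
    """Stand-in resolver: answer each datagram to the address:port it came from."""
    while not stop.is_set():
        try:
            data, client = sock.recvfrom(512)
        except socket.timeout:
            continue
        replied_to.append(client[1])             # the client's ephemeral port
        sock.sendto(build_response(data, ANSWER_IP), client)


def run_exchange(n_queries=3):
    """Send n queries, each from a fresh socket, and record how each reply came back."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))                   # OS-assigned port standing in for 53
    srv.settimeout(0.2)
    resolver = srv.getsockname()
    stop, replied_to = threading.Event(), []
    worker = threading.Thread(target=serve, args=(srv, stop, replied_to), daemon=True)
    worker.start()
    seen = []
    try:
        for i in range(n_queries):
            cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            cli.settimeout(2.0)
            txid = 0x1000 + i
            cli.sendto(build_query(txid, "example.com"), resolver)
            data, (_, src_port) = cli.recvfrom(512)
            seen.append({
                "client_port": cli.getsockname()[1],    # port the query left from
                "reply_src_port": src_port,             # the resolver's service port
                "resolver_sent_to": replied_to[-1],     # port the resolver replied to
                "txid_matches": struct.unpack("!H", data[:2])[0] == txid,
                "is_response": bool(struct.unpack("!H", data[2:4])[0] & 0x8000),
                "answer": socket.inet_ntoa(data[-4:]),
            })
            cli.close()
    finally:
        stop.set()
        worker.join()
        srv.close()
    return seen


if __name__ == "__main__":
    for row in run_exchange():
        print(row)
```

Every reply has the resolver's single service port as its source and the querying socket's ephemeral port as its destination. A host firewall that keys only on "many different destination ports from one source" sees exactly the pattern in the log above, and the ICMP "port unreachable" entries are what the host sends when such a reply arrives after the querying socket has been closed.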
    • froussy (Feb 11th 2007)
    Use your ISP's DNS and take a look at your firewall; you will see the same thing from your ISP's DNS IPs.
    • rcoates (May 21st 2007)
    I am also getting port scans supposedly from the opendns servers.
    The ports are random -- 2189, 2378, 3505, 3528, 3859, 3873, etc.
    Wouldn't you be sending and receiving on 53?
    • noeldude (May 21st 2007)
    These are DNS responses, not port scans. Your software is reporting false information.
    • ahoier (May 21st 2007, edited)
    personal firewalls are snake oil...

    http://samspade.org/d/firewalls.html
    • pencoyd (May 21st 2007)
    @rcoates -- just DNS requests which are invalid, and therefore getting the IP of our Guide page (http://guide.opendns.com/).
    • Matt (Jun 14th 2007)
    Snort also notes these in the logs, but allows them... I just manually deleted the rule from the oink file
