Port 53 UDP Outgoing flood

1

I am experiencing a very big problem. I have 4 computers on the network, and from each a lot of data is being sent to the ISP's name servers. Sometimes a little data is sent from each computer on the network, sometimes it is just a lot of data from one computer.

I have antivirus (Avast) and a malware scanner (SpyBot).

I know port 53 UDP is DNS, which resolves domain names to IPs, so it's needed.

Also, I have read that the ISP name server might have been infected.

So what is the best thing to do in this situation?

Also, sometimes the internet starts to lag really badly because of port 53.

DanSpd

Posted 2010-05-25T04:40:39.967

Reputation: 13

Answers

0

Without more detail it's difficult to know if you have a problem. Ideally, you would need to analyse the traffic to determine its nature, i.e. which names are being requested. This could be done using something like Wireshark.

If the volume is significantly large, it could be an indicator that one or more of your PCs has become part of a 'botnet' and is being actively used to send 'spam'. I appreciate you have Avast and Spybot; unfortunately, botnet activity can be very difficult to discover. In most cases more sophisticated utilities may be required for analysis. Scanning with GMER - Rootkit Detector and Remover would be a useful exercise.

Another option you could try is changing your DNS servers to one of the free services, such as:

http://code.google.com/speed/public-dns/ or http://www.dyndns.com/

Pulse

Posted 2010-05-25T04:40:39.967

Reputation: 4 389
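The answer above suggests looking at which names are being requested, and the thread's other practical suggestion is to attribute the flood to one machine. The script below is an added example, not code from the original post or from any tool mentioned in it. It parses raw DNS query payloads (the UDP/53 data a capture tool hands over), tallies queries per source host, and flags a host whose query volume or share of MX lookups is unusually high; a machine sending spam directly typically resolves many distinct MX records. The input format (a list of source IP and payload pairs), the two thresholds and the sample capture are all assumptions constructed for the example.

```python
"""Tally DNS queries per source host from raw UDP/53 payloads and flag outliers."""
import struct
from collections import Counter, defaultdict

QTYPE_MX = 15
QTYPE_NAMES = {1: "A", 15: "MX", 16: "TXT", 28: "AAAA"}


def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Encode a standard one-question DNS query (RD set); used to construct sample input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_query(payload: bytes):
    """Return (qname, qtype) of the first question, or None for responses/malformed data."""
    if len(payload) < 12:
        return None
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000 or qdcount < 1:      # QR bit set means a response, not a query
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            return None
        length = payload[pos]
        pos += 1
        if length == 0:                    # root label terminates the name
            break
        if length & 0xC0:                  # compression pointers are not valid in a question name
            return None
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(payload):
        return None
    qtype, _qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return ".".join(labels), qtype


def summarize(records, max_queries=50, max_mx_share=0.3):
    """Per source host: query count, distinct names, MX share and a verdict.

    Thresholds are assumptions for the example; tune them to the network's normal baseline.
    """
    per_host = defaultdict(Counter)
    for src, payload in records:
        parsed = parse_query(payload)
        if parsed:
            per_host[src][parsed] += 1
    report = {}
    for src, counter in per_host.items():
        total = sum(counter.values())
        mx = sum(n for (_name, qt), n in counter.items() if qt == QTYPE_MX)
        report[src] = {
            "queries": total,
            "distinct_names": len({name for name, _qt in counter}),
            "mx_share": mx / total,
            "top": [(n, QTYPE_NAMES.get(qt, str(qt)), c) for (n, qt), c in counter.most_common(3)],
            "suspicious": total > max_queries or mx / total > max_mx_share,
        }
    return report


# Constructed sample capture: one host browsing normally, one host resolving 60 distinct
# MX records, the pattern of a machine delivering spam directly to recipient mail servers.
SAMPLE_CAPTURE = (
    [("192.168.1.10", build_query(n, 1)) for n in ("www.example.com", "www.example.org", "www.example.net")]
    + [("192.168.1.12", build_query(f"mail{i}.example.net", QTYPE_MX)) for i in range(60)]
)

if __name__ == "__main__":
    for host, stats in sorted(summarize(SAMPLE_CAPTURE).items()):
        flag = "SUSPICIOUS" if stats["suspicious"] else "ok"
        print(f"{host}: {stats['queries']} queries, {stats['distinct_names']} names, "
              f"MX share {stats['mx_share']:.2f} [{flag}] top={stats['top']}")
```

With a real capture, the same tally can be produced from Wireshark's command-line companion, e.g. `tshark -r capture.pcap -Y "dns.flags.response == 0" -T fields -e ip.src -e dns.qry.name -e dns.qry.type`, and fed to `summarize` after decoding; capturing at the router or on a mirror port sees all four machines at once, so there is no need to unplug them one by one.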

How can I use wireshark to determine if it's botnet? – DanSpd – 2010-05-25T05:12:34.430

I just changed the DNS server to the Google ones, and in the router's internet sessions I can see a lot of sessions open to the Google DNS server now on port 53 – DanSpd – 2010-05-25T05:16:36.120

The Wireshark analysis could provide more insight into the nature of the traffic being generated. If you're using a firewall, can you configure it to log DNS traffic? It would be helpful to know which names are being resolved. You could also check your IP address against this database: http://whatismyipaddress.com/blacklist-check

– Pulse – 2010-05-25T05:46:27.373

Unplug each computer one at a time until you find the one doing all the spamming. Then run Wireshark on it, check the capture and see what the DNS queries are doing – frymaster – 2010-05-25T08:53:49.107