IP '8.8.8.8' currently has '1357' connections

cDGo

IP '8.8.8.8' currently has '1361' connections

Connection info for '8.8.8.8':
tcp 0 0 xxx.xxx.xxx.xx:36822 8.8.8.8:53 TIME_WAIT

For a day or three I've been seeing these in the System load page.
Could it be that the IP address is spoofed?
Can I safely block 8.8.8.8 in the firewall?

The CT_LIMIT in CSF is set to 150, how is this possible?
 
Hello,

Bash:
# host 8.8.8.8
8.8.8.8.in-addr.arpa domain name pointer dns.google.

You're free to block any IP of course at your own risk. But I would not block 8.8.8.8 on my own server if I use it as a resolver.
 
Hi Alex,

It was a peak, now it's gone again.
So about the other question:
The CT_LIMIT in CSF is set to 150, how is this possible?
How can one IP use over 1000 connections while CSF is set to only allow 150?
 
I believe you need to read the CSF documentation on the matter. I don't see any sense in copy/pasting documentation about CT_LIMIT to the forums.

And you will probably be surprised to see the results of the following commands:

Code:
csf -g 8.8.8.8

and

Code:
grep 'out|u=' /etc/csf/csf.allow
 
People around the world are just using the public DNS resolver, which means that if you block this, some people can't access the domains on this server anymore.
 
People around the world are just using the public DNS resolver, which means that if you block this, some people can't access the domains on this server anymore.

Visitors will still be able to access the websites hosted on that server (even if the server has blocked the DNS resolver).

However, that server cannot, e.g., send outbound email, run dnf check-update or da custombuild, do WordPress update checks, etc.
 
The CT_LIMIT in CSF is set to 150, how is this possible?
How can one IP use over 1000 connections while CSF is set to only allow 150?
That is because it has to do with CT_INTERVAL. If you have CT_INTERVAL set too high, and it's possible for them to make 1000 connections before the CT_INTERVAL time has passed, then 1000 can get through, because the CT_LIMIT check only runs every CT_INTERVAL.
 
As far as I understand, it is incoming traffic; it is in the list of IPs which are accessing the server?
 
In this case, it's outgoing traffic that looks like spamming from this server.

The monitor reported it directly from port :53; I'm not sure whether it's coming from a php-curl script or from bind9 (forwarders).

If you haven't touched named.conf, then it's probably a php-curl script from some user that has a request API to another server.... and his site doesn't have any caching mechanism.
 
How do you tell the difference between incoming and outgoing then?
Because to me it looks exactly the same as the incoming traffic.
 
You can see the port on both IPs:

xxx:36822 and 8.8.8.8:53

This should be outgoing because the port :53 is in the second column.
(It depends on the software, but this logic can be used to read the basic information.)

Since I have gotten attacks (incoming) from outside many times, I see this when port :53 is on the "xxx.xxx.xxx.xxx" side.
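As an added example (not code from anyone in this thread), here is a small parser that applies the direction heuristic above to netstat-style lines like the one quoted in the first post and counts connections per remote IP the way a CT_LIMIT snapshot would. The sample lines and the set of listening ports (53, 80, 443) are constructed assumptions using documentation IP ranges.

```python
import re
from collections import Counter

# Constructed sample in the "netstat -ant" layout quoted in the thread:
# proto recv-q send-q local:port foreign:port state (documentation IPs).
SAMPLE_NETSTAT = """\
tcp 0 0 203.0.113.10:36822 8.8.8.8:53 TIME_WAIT
tcp 0 0 203.0.113.10:36823 8.8.8.8:53 TIME_WAIT
tcp 0 0 203.0.113.10:53 198.51.100.7:40211 ESTABLISHED
tcp 0 0 203.0.113.10:443 198.51.100.9:51000 ESTABLISHED
"""

# Assumption: the ports this server itself listens on (bind on 53, web on 80/443).
LISTEN_PORTS = {53, 80, 443}

LINE_RE = re.compile(
    r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s*(\S*)$")

def parse_line(line):
    """Return the fields of one netstat line, or None if it is not a socket line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    proto, laddr, lport, raddr, rport, state = m.groups()
    return {"proto": proto, "local": laddr, "lport": int(lport),
            "remote": raddr, "rport": int(rport), "state": state}

def direction(conn, listen_ports=LISTEN_PORTS):
    """The thread's heuristic: a well-known port on the remote side (second
    column, e.g. 8.8.8.8:53) means this server opened the connection."""
    if conn["lport"] in listen_ports and conn["rport"] not in listen_ports:
        return "incoming"
    if conn["rport"] in listen_ports and conn["lport"] not in listen_ports:
        return "outgoing"
    return "unknown"

def summarize(text, listen_ports=LISTEN_PORTS):
    """Per remote IP: (total connections, how many of them look outgoing)."""
    total, outgoing = Counter(), Counter()
    for line in text.splitlines():
        conn = parse_line(line)
        if conn is None:
            continue
        total[conn["remote"]] += 1
        if direction(conn, listen_ports) == "outgoing":
            outgoing[conn["remote"]] += 1
    return {ip: (total[ip], outgoing[ip]) for ip in total}

def over_limit(text, ct_limit=150):
    """Snapshot check in the spirit of CT_LIMIT: only sockets present at scan
    time count, so a burst between two CT_INTERVAL scans can slip through."""
    return {ip: n for ip, (n, _) in summarize(text).items() if n > ct_limit}
```

Running over_limit on output from a real scan with the default ct_limit of 150 reproduces the per-IP count CSF reports; TIME_WAIT sockets are counted here too, which is one reason a burst of short DNS lookups inflates the number.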
 