IP '8.8.8.8' currently has '1357' connections

[cDGo]

IP '8.8.8.8' currently has '1361' connections

Connection info for '8.8.8.8':
tcp 0 0 xxx.xxx.xxx.xx:36822 8.8.8.8:53 TIME_WAIT

Since a day or 3 I've seen these in the System load page.
Could it be that the IP adres is spoofed?
Can I safely block 8.8.8.8 in the firewall?

The CT_LIMIT in CSF is set to 150, how is this possible?

 

[zEitEr]

Hello,

# host 8.8.8.8
8.8.8.8.in-addr.arpa domain name pointer dns.google.

You're free to block any IP of course at your own risk. But I would not block 8.8.8.8 on my own server if I use it as a resolver.

 

[cDGo]

Hi Alex,

Ofcourse, but I'm not sure if it would have an impact on the working of the server

 

[zEitEr]

if it would have an impact on the working of the server

Yes, it would, I believe. Your server is probably infected and attacking remote sites/server, hence there are so many requests to DNS (unless you don't use 8.8.8.8 as a resolver)

 

[cDGo]

Hi Alex,

It was a peak, now it's gone again.
So about the other question:
The CT_LIMIT in CSF is set to 150, how is this possible?
How can one IP use over a 1000 connections while CSF is set to only allow 150?

 

[zEitEr]

I believe you need to read the CSF documentation on the matter. I don't see any sense to copy/paste documentation about CT_LIMIT to the forums)

And you will be probably surprised to see results of the following commands:

csf -g 8.8.8.8

and

grep 'out|u=' /etc/csf/csf.allow

 

[Ohm J]

People around the world just using the public DNS Resolver, that meant if you block this, some people can't access all the domains in this server anymore.

 

[ccto]

People around the world just using the public DNS Resolver, that meant if you block this, some people can't access all the domains in this server anymore.

Visitors shall be able to access the websites hosted on that server (even the server blocked DNS resolver).

However, that server cannot (e.g.) send outbound email(s), dnf check-update , da custombuild , WordPress check update, etc.

 

[zEitEr]

However, that server cannot (e.g.) send outbound email(s), dnf check-update , da custombuild , WordPress check update, etc.

Change DNS resolver in the server's settings and/or stop attacks on/from your server.

 

[Richard G]

The CT_LIMIT in CSF is set to 150, how is this possible?
How can one IP use over a 1000 connections while CSF is set to only allow 150?

That is because it has to do with the CT_INTERVAL. So if you have the CT_INTERVAL too high, and it's possible for them to make 1000 connections before the CT_INTERVAL time is passed, then a 1000 can pass. Because the CT_LIMIT only scans every CT_INTERVAL time.

 

[zEitEr]

Because the CT_LIMIT only scans every CT_INTERVAL time.

Does CT_LIMIT limit outgoing connections? Will CT_LIMIT work for a whitelisted IP?

 

[Richard G]

Oeps, no sorry, it's incoming only indeed.

Will CT_LIMIT work for a whitelisted IP?

Incoming for an ip in csf.ignore yes if I'm correct. But I forgot we're talking outgoing traffic here.

 

[cDGo]

As for as I understand, it is incoming traffic, it is in the IP list which is accessing the server?

 

[Ohm J]

In this case, it's outgoing traffic that look like spamming from this server.

The monitor reported directly from port :53, I'm not sure it's coming from php-curl script or bind9(forwarders).

If you don't touch any named.conf, then it's probably php-curl script from some user that have the request-api to other server.... and his site don't have any caching mechanism.

 

[cDGo]

How to tell the difference between incomming and outgoing then?
Because for me it looks exactly the same as the incoming traffic

 

[zEitEr]

tcp 0 0 xxx.xxx.xxx.xx:36822 8.8.8.8:53 TIME_WAIT

Do you have TCP:36822 opened from outside? And why would Google's DNS try to connect to it?

 

[Ohm J]

you can see the port on both IPs,

xxx:36822 and 8.8.8.8:53

This should be outgoing because the port :53 is in the second column.
( Depend on the software, but this logics could use to read the basic information ).


Since I got attack ( Incoming ) from outside many times and see this when port :53 is in "xxx.xxx.xxx.xxx"

 

[cDGo]

I added the IP to CDF deny and restarted the server, still it appears in the listing, with high number of connections.
I check again by trying to add the IP through the GUI, but it then shows:
deny failed: 8.8.8.8 is in already in the deny file /etc/csf/csf.deny 1 times

And it's not one port but all kind of different ports:


IP '8.8.8.8' currently has '1091' connections

Connection info for '8.8.8.8':
tcp 0 0 xxx.xxx.xxx.xxx:47246 8.8.8.8:53 TIME_WAIT
tcp 0 0 xxx.xxx.xxx.xxx:43470 8.8.8.8:53 TIME_WAIT
tcp 0 0 xxx.xxx.xxx.xxx:44674 8.8.8.8:53 TIME_WAIT
tcp 0 0 xxx.xxx.xxx.xxx:40138 8.8.8.8:53 TIME_WAIT
tcp 0 0 xxx.xxx.xxx.xxx:47898 8.8.8.8:53 TIME_WAIT
tcp 0 0 xxx.xxx.xxx.xxx:47568 8.8.8.8:53 TIME_WAIT
tcp 0 0 xxx.xxx.xxx.xxx:45264 8.8.8.8:53 TIME_WAIT
tcp 0 0 xxx.xxx.xxx.xxx:46774 8.8.8.8:53 TIME_WAIT
tcp 0 0 xxx.xxx.xxx.xxx:47082 8.8.8.8:53 TIME_WAIT
tcp 0 0 xxx.xxx.xxx.xxx:44274 8.8.8.8:53 TIME_WAIT
tcp 0 0 xxx.xxx.xxx.xxx:42566 8.8.8.8:53 TIME_WAIT
tcp 0 0 xxx.xxx.xxx.xxx:45160 8.8.8.8:53 TIME_WAIT

 

[zEitEr]

if you want to stop using 8.8.8.8 you should remove it from /etc/resolv.conf
and even if you do that, you're curing a symptom, but not a problem.

 

[cDGo]

Hi Alex,

So how do I find out what is the problem, causing this behavior?