Solved: Extremely slow connection. DNS server flooding?

January 28, 2013 at 09:03:37
Specs: Windows SBS2011

Hello,

This is my first post to this forum, I've searched my issue extensively and put over 20 hours into trying to fix this issue thus far. I am not an IT expert and I apologize if I am doing something incorrectly or use the wrong vocabulary.
Anyways, onto my problem:

For about a month we've been experiencing extremely slow ping, up and down rates: 1000 ms ping, 0.05 down, 0.01 up. However, it lasts about 1-3 hours, never actually disconnects, and then goes back up to normal service rates of 15 down, 1 up, etc.
I've worked with AT&T extensively and eliminated any line or hardware issues on their end.
Our network is run through a server running Small Business Server 2011 with two NICs, one for static local IPs and one for our remote access server. Our DNS is routed through it as well.

I've begun to suspect that something with the server is either being flooded or stuck in a loop, causing the server to use all of our available bandwidth. I started running the Wireshark program and find that we're getting over 5000 packets every ~20 seconds. I don't know if that is high or not, but it seems high.

Please help me in figuring this out or at least try to understand this issue.

Here is a screencap of my Wireshark report:
Screenshot: http://imgur.com/2HdrNRc

Thank you very much,
-Mike
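An added example, not part of Mike's post or anyone's reply in this thread: a PowerShell triage of a capture like the one in the screenshot, answering the question the thread keeps circling back to, namely who is sending the queries and whether any of them come from outside the LAN. It reads a tshark CSV export (the tshark command that produces it is in the comments); the rows embedded below are constructed sample data standing in for that export, using RFC 5737 documentation addresses for the Internet hosts, and the LAN prefix and server address are assumptions to adjust. It is written to run on the PowerShell 2.0 that SBS 2011 ships with.

```powershell
# Added example (not from the thread): triage "who is querying my DNS server, from where,
# and for what?" from a tshark CSV export of the capture shown in the Wireshark screenshot.
#
# To produce the real input from a capture (one row per query aimed at the server):
#   tshark -r capture.pcapng -Y "dns.flags.response == 0" -T fields -E header=y -E separator=, ^
#     -e frame.time_epoch -e ip.src -e ip.dst -e udp.dstport -e dns.qry.type -e dns.qry.name > dns-queries.csv
#   $rows = Import-Csv dns-queries.csv
#
# The rows below are CONSTRUCTED sample data in that format. 192.168.1.2 plays the SBS box,
# 192.168.1.20 a LAN workstation, and the 203.0.113.x / 198.51.100.x addresses (RFC 5737
# documentation ranges) play Internet hosts. Query type 255 is ANY, the type whose large
# answers make a resolver attractive as a reflector.
$sampleCsv = @"
frame.time_epoch,ip.src,ip.dst,udp.dstport,dns.qry.type,dns.qry.name
1359400000.010,192.168.1.20,192.168.1.2,53,1,mail.contoso.local
1359400000.020,203.0.113.7,192.168.1.2,53,255,isc.org
1359400000.024,203.0.113.7,192.168.1.2,53,255,isc.org
1359400000.031,203.0.113.7,192.168.1.2,53,255,isc.org
1359400000.033,198.51.100.42,192.168.1.2,53,255,ripe.net
1359400000.037,203.0.113.7,192.168.1.2,53,255,isc.org
1359400000.042,203.0.113.7,192.168.1.2,53,255,isc.org
1359400000.055,192.168.1.20,192.168.1.2,53,1,www.microsoft.com
1359400000.060,203.0.113.7,192.168.1.2,53,255,isc.org
1359400000.071,198.51.100.42,192.168.1.2,53,255,ripe.net
"@
$rows = $sampleCsv | ConvertFrom-Csv

$LanPrefix     = '192.168.1.'   # assumption: the office LAN; adjust to yours
$WindowSeconds = 20             # the OP's yardstick: "over 5000 packets every ~20 seconds"

# Only packets addressed to port 53 count as queries against the server.
$queries = @($rows | Where-Object { $_.'udp.dstport' -eq '53' })
$times   = @($queries | ForEach-Object { [double]$_.'frame.time_epoch' } | Sort-Object)
$span    = [math]::Max($times[-1] - $times[0], 0.001)    # guard against a one-packet capture
"{0} queries in {1:N3} s, roughly {2:N0} per {3} s over the capture's own timespan" -f `
    $queries.Count, $span, ($queries.Count / $span * $WindowSeconds), $WindowSeconds

# One row per source address: is it ours, how much of the load is it, and what does it ask for?
$report = $queries |
    Group-Object -Property 'ip.src' |
    ForEach-Object {
        $any   = @($_.Group | Where-Object { $_.'dns.qry.type' -eq '255' }).Count
        $names = ($_.Group | ForEach-Object { $_.'dns.qry.name' } | Sort-Object -Unique) -join ';'
        New-Object PSObject -Property @{
            Source     = $_.Name
            External   = -not $_.Name.StartsWith($LanPrefix)
            Queries    = $_.Count
            AnyQueries = $any
            SharePct   = [math]::Round(100 * $_.Count / $queries.Count, 1)
            Names      = $names
        }
    } |
    Sort-Object -Property External, Queries -Descending

$report | Select-Object Source, External, Queries, AnyQueries, SharePct, Names | Format-Table -AutoSize

# The security-relevant verdict: an internal SBS resolver never needs to answer the Internet,
# so any External=True row means port 53 is reachable from outside. Those rows carrying the
# bulk of the load and asking ANY for the same few names is the reflector pattern: spoofed
# sources, big answers sent to the real victim, your uplink paying for them.
$external = @($report | Where-Object { $_.External })
if ($external.Count -gt 0) {
    "{0} external source(s) reached port 53; the resolver is exposed to the Internet." -f $external.Count
} else {
    "Only LAN sources reached port 53."
}
```

On the sample data this reports 203.0.113.7 as 60 % of the queries, all ANY for isc.org, and flags two external sources. Blocking the individual addresses, as post #4 below tries, does not help when the sources are spoofed; the useful output is the External column, which tells you whether the server is reachable on 53 from outside at all.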


#1
January 28, 2013 at 10:33:06

What firewall setup do you have? It looks like someone from Turkey is probing your DNS config, so the question becomes should someone from Turkey be allowed to probe your DNS? If these servers are private and you don't host email, I'd suspect not.

Honestly, I'm not seeing much beyond normal Internet background noise.

How To Ask Questions The Smart Way



#2
January 28, 2013 at 12:34:53

Is there a router between the SBS and the internet?

There should be.

Who is authorized to logon remotely to your server? When and how many?

Do understand that any user remotely connecting to the server is using 2x the bandwidth for that single connection if they are then going out to the internet. A couple of users doing that will saturate your bandwidth.

Answers are only as good as the information you provide.
How to properly post a question:
Sorry no tech support via PM's



#3
January 28, 2013 at 13:46:51

We have no employees outside of the United States; so, someone from Turkey doesn't need to be probing our DNS.

Our ISP is AT&T, U-Verse, which uses a proprietary modem/router combination device: the Motorola NVG-510. Manual here: Link

We have a total of 4 employees; at most two would be accessing at any time. We deal mostly with files in the less than 2 MB range. The error also occurs when no one is logged into the remote server.

AT&T has left me up a certain creek, stating that something on our end is eating all the bandwidth. The NVG510 software is very poorly designed and I struggled with getting it to operate properly. Is there a program I can run that will tell me how much bandwidth each process is consuming?



#4
February 4, 2013 at 07:37:58

I believe I'm being used as a reflector for a DoS attack; I block the offending IPs, but they just change a few minutes later. How can I stop foreign IP addresses from doing a "Standard Query" on my server?


#5
February 4, 2013 at 08:15:01

You use your firewall. You do have one, do you not?




#6
February 4, 2013 at 08:29:38

No one is probing your DNS server. There is no point in that. They do want to control your server.

But first let's get some stats so we know what bandwidth issue we are dealing with.

Connect a PC/laptop to the gateway and disconnect the server and all other devices. Do a speedtest.net test and post the results for review.

Next connect the server to the gateway. Run the same exact test to the same exact source and post those results.

I would expect to see a difference.




#7
February 4, 2013 at 14:32:01

When there isn't an IP bombarding our end, the server gets the following:
39ms
10.83 down
.94 up

A PC connected directly to the gateway gets:
25ms
10.88 down
.95 up

I could not replicate the attack with a pc directly connected; however, I had to disable the static IP in order to connect one of the client machines to the gateway (using DHCP instead of static).

When there IS a flood on the DNS, these are the speeds:
783ms
.03 down
.03 up

I believe it may be a firewall setting on the server at this point, the floods are coming in through port 53; but don't I need this open for the DNS server to function properly?



#8
February 4, 2013 at 15:38:31
✔ Best Answer

Your DNS server should not be responding to internet based requests. It's a local DNS server, not an internet DNS server. This makes me suspect it's been configured to receive zone updates, which it should not be.

You are not routing DNS. Your DNS server only sends unresolved local requests to your internet designated DNS server, which you placed in the DNS forwarders.

This traffic should never make it past the router. Your Wireshark capture shows it's hitting your network.

There are a number of links on the internet if you google "isc.org dns attack", but the solutions I have found dealt with *nix OS using snort or iptables.

A good router should be able to block this.

http://foxpa.ws/2010/07/21/thwartin...

http://www.snort.org/

http://technet.microsoft.com/en-us/...

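An added example, not part of this answer or anything else in the thread: the server-side half of the advice above, done on SBS 2011 (Server 2008 R2) itself, so the DNS service answers only the LAN regardless of what the NVG510 forwards or passes through. It uses the Windows Firewall COM API rather than the NetSecurity cmdlets, because the latter only exist from Server 2012 on. Everything it relies on (the 53/tcp and 53/udp inbound rules, found by port rather than by name; the 'LocalSubnet' keyword; the 192.168.1.0/24 LAN mentioned in a comment) is an assumption for this example.

```powershell
# Added example (not from the thread): make the SBS DNS service reachable from the LAN only,
# independent of the router configuration. Run in an elevated PowerShell prompt on the server.
# Uses the Windows Firewall COM API, which works on the PowerShell 2.0 that SBS 2011 ships with.
#
# Assumptions: the DNS service listens on every interface (the default), and the inbound
# allow rules for port 53 are the built-in "DNS (UDP, Incoming)" / "DNS (TCP, Incoming)"
# rules plus anything a previous admin added. The script selects them by port, not by name.

# 1. What is listening on 53, and on which address? 0.0.0.0:53 means every interface,
#    including the one the router's port forward / "default server" passthrough lands on.
netstat -ano | Select-String -Pattern '^\s+(TCP|UDP)\s+\S+:53\s'

# 2. Find every enabled inbound allow rule that opens port 53.
$NET_FW_RULE_DIR_IN  = 1     # NET_FW_RULE_DIRECTION
$NET_FW_ACTION_ALLOW = 1     # NET_FW_ACTION
$protocolName = @{ 6 = 'TCP'; 17 = 'UDP' }

$fw = New-Object -ComObject HNetCfg.FwPolicy2
$dnsRules = @($fw.Rules | Where-Object {
    $_.Enabled -and
    $_.Direction -eq $NET_FW_RULE_DIR_IN -and
    $_.Action -eq $NET_FW_ACTION_ALLOW -and
    $_.LocalPorts -and (($_.LocalPorts -split ',') -contains '53')
})

# RemoteAddresses of '*' means "any remote address", i.e. the whole Internet once 53 is forwarded.
function Show-DnsRules($rules) {
    $rules |
        Select-Object Name,
            @{ Name = 'Proto'; Expression = { $protocolName[[int]$_.Protocol] } },
            LocalPorts,
            RemoteAddresses |
        Format-Table -AutoSize
}
"Before:"
Show-DnsRules $dnsRules

# 3. Scope every such rule to the server's own subnets. The firewall expands the 'LocalSubnet'
#    keyword to the subnet of each local NIC. Use an explicit '192.168.1.0/255.255.255.0'
#    (assumed LAN) instead if the remote-access NIC's subnet should not count as trusted.
foreach ($rule in $dnsRules) {
    if ($rule.RemoteAddresses -eq '*') {
        $rule.RemoteAddresses = 'LocalSubnet'   # COM rule objects are live; this takes effect at once
    }
}
"After:"
Show-DnsRules $dnsRules
```

This answers the question in post #7: port 53 does have to stay open, but only to the LAN, which is what the scoped rule does. LAN clients still resolve through the server, the server still forwards to the ISP's resolvers (that is outbound traffic, untouched here), and an Internet host that queries the public address gets nothing back. Verify from a machine outside the office with `nslookup isc.org <your public IP>`: it should time out rather than answer.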



#9
February 5, 2013 at 06:07:34

Okay, that makes quite a bit of sense. Unfortunately I was not the one who set up this server and network; I'm only coming into it after the company had dropped the group that set it up.

I found in the router settings that port 53 was forwarded, and also that there was an IP Passthrough setting of "default server" routed towards the network server. This was sending all externally initiated IP traffic to the "default host", being the server box. I've disabled this, and hopefully that was the source of the hole in the firewall.

What are your thoughts on this?

Also, thank you very much for your help thus far! IT is not my first job...



#10
February 5, 2013 at 06:31:02

Not to slight your IT skills, but have you considered bringing in a local reputable network admin to audit your network security?




#11
February 5, 2013 at 08:19:58

I think those corrections are a good start. Is the Wireshark capture looking better?


