Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


SBS 2008 taking part in DDoS or what?

  • Please log in to reply
4 replies to this topic

#1 CtrlAltDale


  • Members
  • 2 posts
  • Local time:02:42 AM

Posted 24 March 2014 - 09:15 AM

Hi there. We've just installed a Cyberoam UTM and are getting some indications that the server is taking part in a ics.org DDoS attack. I'm used to dealing with malware on PCs but many server functions that would easily be flagged as suspicious from a desktop might just be normal on a server so I'm asking for a bit of clarification more than anything.


Anyway, I've installed the full trial of Malwarebytes to make sure nothing has been infected. The full scan comes up clean but it blocks a handful of things a day from dns.exe (outgoing port 50650) and edgetransport.exe (incoming port 25), probably 20 entries or so. Is this normal for a server?


However, the Cyberoam device is picking up a lot of "DNS isc.org DDoS" attacks (3307 hits in 2 days), appearing to be FROM the server which is worrying. Soo..


  • Is this normal?
  • Is there anything external that would cause the server to issue these attacks and if so , how do I block them (from SBS or the Cyberoam box)?
  • If there is something wrong with the SBS2008  DNS setup, how do I fix it?
  • If there's some DNS nasty on the system and malwarebytes can't see it, what else can (That's server friendly) and either free or modestly priced? The Cyberoam ought to be doing all the IPS/AV/AS scanning so we don't want to go overboard on the server with security products.

If anyone knows how to configure IPS on a Cyberoam UTM, could they please guide me through the things I need to do to block these things rather than just monitor them. Calling Cyberoam usually gets things on their devices fixed but they're not geared up for tuition.


Note that SBS 2008 is on the same subnet as all the PCs (as is usual for SBS). Server is also server for Exchange, DNS, DHCP and web (for RWW).


Edited by CtrlAltDale, 24 March 2014 - 09:20 AM.

BC AdBot (Login to Remove)



#2 JohnnyJammer


  • Members
  • 1,107 posts
  • Gender:Male
  • Location:QLD Australia
  • Local time:12:42 PM

Posted 24 March 2014 - 06:03 PM

I would first make sure you dont have WPAD running because that can be leveraged as a man in the middle attack vec tor, also how or what servers are set as the DNS forwarders? Always use the ISP ones provided. Another thign to do is to flush the cache and check to see what the go is.

Run a few of these commands (In a dos terminal/command promt)to see what comes of the dump

 Check to amke sure the PTR records are correct and DS container

dnscmd /info

Next check the stats, dump to txt file and read for errors

dnscmd /statistics >> C:\DnsStats.txt && notepad C:\DnsStats.txt

 Then flush cache

dnscmd /clearcache

then use Sysinternals TCPView to monitor whats going on as far as network traffic goes.

Edited by JohnnyJammer, 24 March 2014 - 06:04 PM.

#3 chromebuster


  • Members
  • 899 posts
  • Gender:Female
  • Location:the crazy city of Boston, In the North East reaches of New England
  • Local time:10:42 PM

Posted 25 March 2014 - 11:36 AM

Not to cause conflicting advice, I'd recommend that you use the DNS servers of OpenDNS as your forwarders.  If you do that, then not only are you using reliable forwarders, but you are also helping your employees by not going to malware-laden sites accidentally.  OpenDNS are fantastic malware blockers. 

The AccessCop Network is just me and my crew. 

Some call me The Queen of Cambridge

#4 JohnnyJammer


  • Members
  • 1,107 posts
  • Gender:Male
  • Location:QLD Australia
  • Local time:12:42 PM

Posted 25 March 2014 - 10:45 PM

if you run your own DNS infurstructure, it always recommended to use the ISP's DNS. Use google if you want but just note any third party DNS provider might be more subjected to targeted attacks such as googles public dns service last week, yes thats right people might not be aware but googles dns servers where infected and re-directing to malware riddeled sites!.


Oh i forgot to add that OpenDNS has been used for DNS amplification attacks as well against cloudflare networks!

Edited by JohnnyJammer, 25 March 2014 - 10:47 PM.

#5 technonymous


  • Members
  • 2,468 posts
  • Gender:Male
  • Local time:06:42 PM

Posted 10 April 2014 - 09:12 PM

Best to use isp's dns. For instance Comcast has deployed dnssec in it's websites, website hosting, and the comcast.net search engine etc. OpenDNS however, has also deployed something similar called DNSCurve. Most places are getting on board with DNS crypto. Should do some monitoring on the dns server maybe it plays another role and it has some service open. There is generally a lot of bots out there that aren't specifically attacking just your system or network, they generally port scan wide ranges for a reply. Be sure to double up on security on it. Get some sonic firewall going on, or a double nat DMZ, or vlan. Try to change ports or port triggering to something else. Otherwise they will hammer and map your network all day and night. Sometimes I would open like port 22 for ssh on my server just for a simple test and BAM bots galore from China, Russia, Germany.

Edited by technonymous, 10 April 2014 - 09:23 PM.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users