DOS Attack Message or Just a Simple Query?

Tags: DNS queries, DOS, DOS Attack
I check the firewall alert messages every day from my organization's firewall equipment, and it returned the alert message "anomaly: udp_src_session, 1001 > threshold 1000, repeated 214 times", starting from 172.10.2.45:51158 to 210.181.1.24:53.

I want to know whether it is really infected and indicates a DOS attack, or is just a simple DNS query. I hope someone can help me. Thanks in advance, Jason.



Software/Hardware used:
FortiGate

Answer Wiki


Is the 172.10.2.45 client a machine you have access to or ownership of? If it is a Windows machine or a machine where you can run the netstat command, I would run that (in Windows) using the -ano switches. The -a says display all connections; -n means use numbers for addresses rather than names; -o displays the owning process for the connection. This would permit you to see what process is running on port 51158 on that client. You might also want to capture some packets using Wireshark (http://www.wireshark.org) or something similar and see what this client is requesting.

It might interest you to know that the 210.181.1.24 address belongs to ns.cjdream.net, a server in Korea (http://network-tools.com/default.asp?prog=express&host=210.181.1.24). So, if this is unexpected traffic from this client to this DNS server, it may be true that this client is infected with some malware.
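As an added example that is not part of the original answer: once you have the packet capture the answer recommends, the next question is what the 1000+ UDP sessions per second actually contain. The script below takes a tshark-style export (assumed here to be tab-separated epoch time, source IP, source port and query name) and summarises one client's queries: peak queries per second against the same 1000 threshold the FortiGate udp_src_session alert used, how many distinct names were asked for, and the entropy of the leftmost label. A client hammering one name looks like a broken application or a flood of the resolver; thousands of unique high-entropy labels look like DNS tunnelling or a DGA; a large volume of ordinary names just means you need netstat -ano to find the owning process. All traffic in the block is constructed for the demo, and the classification cut-offs are assumptions for illustration, not a vendor algorithm.

```python
"""Triage one client's DNS queries: is a burst of UDP/53 sessions a retry storm,
tunnelling/DGA traffic, or ordinary resolver volume?

Added example, not code from the original post. Input is assumed to look like
tshark's field export (tab separated: epoch time, source IP, source port, query
name). Every line of sample traffic below is constructed for the demo.
"""
import hashlib
import math
from collections import Counter


def parse_records(text):
    """Parse 'epoch<TAB>src<TAB>sport<TAB>qname' lines into tuples."""
    records = []
    for line in text.strip().splitlines():
        ts, src, sport, qname = line.split("\t")
        records.append((float(ts), src, int(sport), qname.lower().rstrip(".")))
    return records


def label_entropy(qname):
    """Shannon entropy in bits per character of the leftmost label.
    Hostnames like 'www' or 'mail' score around 0-2; encoded tunnel payloads
    approach log2(alphabet size), e.g. about 3.7 for 40 hex characters."""
    label = qname.split(".")[0]
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def triage(records, src, threshold=1000):
    """Summarise the queries from one source IP and classify the burst.

    `threshold` mirrors the udp_src_session threshold in the FortiGate alert.
    The cut-offs (5% distinct names, 3.4 bits, 20-character labels) are
    assumed heuristics for this example, not a vendor or published algorithm.
    """
    mine = [r for r in records if r[1] == src]
    if not mine:
        return {"verdict": f"no traffic from {src}"}
    per_second = Counter(int(ts) for ts, _, _, _ in mine)
    names = Counter(qname for _, _, _, qname in mine)
    peak_qps = max(per_second.values())
    distinct_ratio = len(names) / len(mine)
    mean_entropy = sum(label_entropy(q) for q in names) / len(names)
    mean_label_len = sum(len(q.split(".")[0]) for q in names) / len(names)

    if peak_qps <= threshold:
        verdict = "below threshold: volume consistent with an ordinary resolver"
    elif distinct_ratio < 0.05:
        verdict = "retry storm: one name repeated (broken client or flood of the resolver)"
    elif mean_entropy > 3.4 and mean_label_len >= 20:
        verdict = "tunnel/DGA pattern: many unique, high-entropy labels"
    else:
        verdict = "high volume of varied names: identify the owning process (netstat -ano)"
    return {
        "src": src,
        "total": len(mine),
        "peak_qps": peak_qps,
        "distinct_names": len(names),
        "mean_entropy": round(mean_entropy, 2),
        "top_names": names.most_common(3),
        "verdict": verdict,
    }


def constructed_capture():
    """Three constructed clients, one per scenario (not real traffic)."""
    lines = []
    # 172.10.2.45: 1200 queries for the same name inside one second (retry storm).
    for i in range(1200):
        lines.append(f"{1500000000 + i / 1200:.4f}\t172.10.2.45\t51158\tupdate.example.com")
    # 172.10.2.46: 1200 unique 40-hex-char labels inside one second (tunnel-like).
    for i in range(1200):
        label = hashlib.sha256(str(i).encode()).hexdigest()[:40]
        lines.append(f"{1500000000 + i / 1200:.4f}\t172.10.2.46\t40000\t{label}.t.example.net")
    # 172.10.2.47: 20 queries/second for five seconds to a few hosts (normal).
    hosts = ["www.example.com", "mail.example.com", "cdn.example.org", "time.example.net"]
    for s in range(5):
        for i in range(20):
            lines.append(f"{1500000010 + s + i / 20:.4f}\t172.10.2.47\t{50000 + i}\t{hosts[i % 4]}")
    return "\n".join(lines)


if __name__ == "__main__":
    capture = parse_records(constructed_capture())
    for client in ("172.10.2.45", "172.10.2.46", "172.10.2.47"):
        print(triage(capture, client))
```

To use it on real data, export the capture with something like `tshark -r dns.pcap -Y "dns.flags.response == 0" -T fields -e frame.time_epoch -e ip.src -e udp.srcport -e dns.qry.name` and feed the output to `parse_records`. Whatever the verdict, the per-source summary is only evidence; the owning process from netstat -ano on the client is what confirms whether the traffic is expected.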
