
IPS: PROTOCOL-DNS DNS query amplification attempt

Wondering if anyone else is seeing this...

I get these warnings from only one client's UTM.  The logs show that these blocks have occurred since installation in 2016

1657 attacks from 75 IPs in 2017
9282 from 63 in 2018
16915 from 54 in 2019
18111 from 80 in 2020
5212 from 57 so far in 2021

A total of 61366 attacks from 343 different IPs since installation.  This feels like a botnet, but I'm not familiar with the attempted exploit.  Maybe preparation for a DDoS, but why would it be over 4 years in preparation?

Cheers - Bob



  • Hello,

    Is there any DNS Server being exposed to the Internet ?

    Also, this is the XG Forum, not the UTM.


    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v20 GA @ Home

    XG 115w Rev.3 8GB RAM v19.5 MR3 @ Travel Firewall

  • Arrgh!  Something moved the entire UTM Network Protection forum to the community.sophos.com/xg-firewall directory.  I've messaged FloSupport about this.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Oh, FloSupport fixed it within two hours after I sent the PM.  Go Florentino!

    Thanks, Prism, that hint made me analyse the client's DNS Proxy configuration - the person that set it up hadn't read my DNS best practice.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
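Prism's question (is a DNS server exposed to the Internet?) and Bob's per-year counts are the two things worth checking on your own resolver logs. The script below is an added example, not code from the thread or from Sophos: it walks constructed DNS-proxy log lines (the line format and the RFC 1918 "internal" ranges are assumptions), flags amplification-style queries (ANY/TXT with a large EDNS buffer) arriving from non-internal sources, and reports attempts and distinct sources per year, plus every external address the resolver answered at all, which is the exposure indicator.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample lines (not from the thread). Hypothetical format:
# "<YYYY-MM-DD> src=<ip> qname=<name> qtype=<type> edns=<udp buffer size>"
SAMPLE_LOG = """\
2017-03-02 src=203.0.113.7 qname=isc.org qtype=ANY edns=4096
2017-03-02 src=203.0.113.7 qname=isc.org qtype=ANY edns=4096
2018-06-11 src=198.51.100.20 qname=example.com qtype=TXT edns=4096
2018-06-12 src=10.0.0.5 qname=intranet.example qtype=A edns=512
2019-01-20 src=203.0.113.7 qname=ripe.net qtype=ANY edns=4096
2019-01-21 src=192.0.2.9 qname=example.net qtype=A edns=512
"""

# Assumption: the proxy should only answer clients in RFC 1918 space.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(r"^(?P<year>\d{4})-\d{2}-\d{2} src=(?P<src>\S+) "
                     r"qname=\S+ qtype=(?P<qtype>\S+) edns=(?P<edns>\d+)$")

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def is_amplification_style(qtype, edns):
    # ANY/TXT answers with a large advertised buffer give the biggest response
    # relative to the (spoofable) request, which is what amplification relies on.
    return qtype in ("ANY", "TXT") and edns >= 4096

def analyse(log):
    """Return ({year: (attempts, distinct_sources)}, attempts per source,
    set of external sources the resolver was queried from)."""
    attempts, sources_by_year = Counter(), defaultdict(set)
    per_source, external = Counter(), set()
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the assumed format
        src, qtype, edns = m["src"], m["qtype"], int(m["edns"])
        if is_internal(src):
            continue
        external.add(src)  # any hit here means the resolver is reachable from outside
        if is_amplification_style(qtype, edns):
            attempts[m["year"]] += 1
            sources_by_year[m["year"]].add(src)
            per_source[src] += 1
    by_year = {y: (attempts[y], len(sources_by_year[y])) for y in attempts}
    return by_year, per_source, external
```

A non-empty external set means the question in the thread is answered "yes" regardless of whether any amplification query was seen; the fix is to restrict the DNS proxy's allowed networks rather than tune the IPS rule.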