thousands of dns.exe UDP connections, what to do?
Hi,
I have a firewall (Linksys, with DDoS protection) and Windows 2003, with
synattack etc. options on, and behind it two DNS servers on Windows 2003
SP1.
However, according to tcpview.exe (from sysinternals) there are an
uncountable number of DNS UDP connections.
Now I have used QoS to set the network traffic to just 1 Kbit/s up/down.
What more can I do to protect the server against an overflow of connections?
(ps: I run two registered ns servers, to maintain my own websites).
Thanks..
Re: thousands of dns.exe UDP connections, what to do?
In message <7FF4BFBB-9A2C-4B05-9857-DFFA69FEBD14@microsoft.com> "Egbert
Nierop" <egbert_nierop@nospam.invalid> wrote:
>I have a firewall (Linksys, with DDoS protection) and Windows 2003, with
>synattack etc. options on, and behind it two DNS servers on Windows 2003
>SP1.
>
>However, according to tcpview.exe (from sysinternals) there are an
>uncountable number of DNS UDP connections.
I'm not sure about "uncountable", the number is probably around 2500 or
so. This is normal.
>Now I have used QoS to set the network traffic to just 1 Kbit/s up/down.
>What more can I do to protect the server against an overflow of connections?
Overflow of connections? Do you know how DNS works? (Free hint: those
2500 UDP ports are connectionless.)
Re: thousands of dns.exe UDP connections, what to do?
"DevilsPGD" <spam_narf_spam@crazyhat.net> wrote in message
news:sfvu94pubv91aaen5dp43f5qf8tbt58ab0@4ax.com...
> In message <7FF4BFBB-9A2C-4B05-9857-DFFA69FEBD14@microsoft.com> "Egbert
> Nierop" <egbert_nierop@nospam.invalid> wrote:
>
>>I have a firewall (Linksys, with DDoS protection) and Windows 2003, with
>>synattack etc. options on, and behind it two DNS servers on Windows 2003
>>SP1.
>>
>>However, according to tcpview.exe (from sysinternals) there are an
>>uncountable number of DNS UDP connections.
>
> I'm not sure about "uncountable", the number is probably around 2500 or
> so. This is normal.
tcpview crashes.
>>Now I have used QoS to set the network traffic to just 1 Kbit/s up/down.
>>What more can I do to protect the server against an overflow of
>>connections?
>
> Overflow of connections? Do you know how DNS works? (Free hint: those
> 2500 UDP ports are connectionless.)
Thanks, but you can leave out your sarcasm...
If you feel superior because of knowledge; free hint: you are not.
Re: thousands of dns.exe UDP connections, what to do?
In message <OYvU1z4#IHA.3344@TK2MSFTNGP04.phx.gbl> "Egbert Nierop"
<egbert_nierop@nospam.invalid> wrote:
>
>"DevilsPGD" <spam_narf_spam@crazyhat.net> wrote in message
>news:sfvu94pubv91aaen5dp43f5qf8tbt58ab0@4ax.com...
>> In message <7FF4BFBB-9A2C-4B05-9857-DFFA69FEBD14@microsoft.com> "Egbert
>> Nierop" <egbert_nierop@nospam.invalid> wrote:
>>
>>>I have a firewall (Linksys, with DDoS protection) and Windows 2003, with
>>>synattack etc. options on, and behind it two DNS servers on Windows 2003
>>>SP1.
>>>
>>>However, according to tcpview.exe (from sysinternals) there are an
>>>uncountable number of DNS UDP connections.
>>
>> I'm not sure about "uncountable", the number is probably around 2500 or
>> so. This is normal.
>
>tcpview crashes.
And yet, this is still normal operation.
http://msmvps.com/blogs/alunj/archiv...9/1641409.aspx discusses
this behaviour.
>>>Now I have used QoS to set the network traffic to just 1 Kbit/s up/down.
>>>What more can I do to protect the server against an overflow of
>>>connections?
>>
>> Overflow of connections? Do you know how DNS works? (Free hint: those
>> 2500 UDP ports are connectionless.)
>
>Thanks, but you can leave out your sarcasm...
Not sarcasm, an honest question -- At $DAYJOB I pretty regularly see
people following the advice of security consultants or auditing software
blindly without understanding the implications of their changes,
resulting in something between failure and chaos depending on the day.
Since the ~2500-listening-ports DNS issue is UDP, and UDP is
connectionless, there is no such thing as an "overflow of connections"
in this situation.
>If you feel superior because of knowledge; free hint: you are not.
Maybe not, but I am nonetheless correct.
Re: thousands of dns.exe UDP connections, what to do?
"Egbert Nierop" <egbert_nierop@nospam.invalid> wrote in message
news:7FF4BFBB-9A2C-4B05-9857-DFFA69FEBD14@microsoft.com...
> Hi,
>
> I have a firewall (Linksys, with DDoS protection) and Windows 2003, with
> synattack etc. options on, and behind it two DNS servers on Windows 2003
> SP1.
>
> However, according to tcpview.exe (from sysinternals) there are an
> uncountable number of DNS UDP connections.
>
> Now I have used QoS to set the network traffic to just 1 Kbit/s up/down.
> What more can I do to protect the server against an overflow of
> connections?
>
> (ps: I run two registered ns servers, to maintain my own websites).
>
> Thanks..
This is a result of the latest DNS hotfix KB951748 to protect against the
new vulnerability. It reserves 2500 UDP DNS ephemeral ports.
Here you go, you can read up on the hotfix:
MS08-037: Description of the security update for DNS in Windows Server 2003,
in Windows XP, and in Windows 2000 Server (client side): July 8, 2008:
http://support.microsoft.com/?id=951748
--
Regards,
Ace
This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.
Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
MVP Microsoft MVP - Directory Services
Microsoft Certified Trainer
For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Infinite Diversities in Infinite Combinations
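Two posters in this thread give the administrator the same yardstick: after KB951748 the DNS service holds a pool of roughly 2500 UDP ports, and that count is normal rather than a flood. Since TcpView crashes for the original poster, the script below is an added example (not from this thread, Microsoft, or any poster) that reads the text of `netstat -ano -p udp`, counts UDP endpoints per owning PID, and reports whether the dns.exe count sits inside the expected pool size. The netstat rows are constructed sample data, PID 1484 is an assumed dns.exe PID (in practice taken from `tasklist`), and the ±20% tolerance band is an assumption, not a documented value.

```python
"""Count UDP endpoints per process from Windows `netstat -ano -p udp` text.

Added example for this thread, not code from any poster or from Microsoft.
Assumptions: the netstat row layout shown in UDP_ROW, an assumed dns.exe
PID of 1484, a constructed port pool, and a +/-20% tolerance band.
"""
from collections import Counter
import re

# Windows `netstat -ano -p udp` prints one row per UDP endpoint, e.g.
#   Proto  Local Address          Foreign Address        State           PID
#   UDP    0.0.0.0:53             *:*                                    1484
# The address group is greedy and backtracks to the last ':' before the port.
UDP_ROW = re.compile(r"^\s*UDP\s+(\S+):(\d+)\s+\*:\*\s+(\d+)\s*$")

# KB951748 reserves about 2500 UDP ports for the DNS service (stated in the thread).
EXPECTED_POOL = 2500
TOLERANCE = 0.20  # assumption: accept +/-20% around the expected pool size


def parse_udp_endpoints(netstat_text):
    """Return a list of (local_address, local_port, pid) for each UDP row."""
    endpoints = []
    for line in netstat_text.splitlines():
        m = UDP_ROW.match(line)
        if m:  # header and non-UDP rows do not match and are skipped
            endpoints.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return endpoints


def udp_ports_per_pid(endpoints):
    """Count how many UDP endpoints each PID owns."""
    return Counter(pid for _, _, pid in endpoints)


def classify_dns_pool(count, expected=EXPECTED_POOL, tolerance=TOLERANCE):
    """Place the dns.exe UDP endpoint count relative to the expected pool."""
    low = int(expected * (1 - tolerance))
    high = int(expected * (1 + tolerance))
    if count < low:
        return "below-pool"     # update may not be applied, or pool was shrunk
    if count <= high:
        return "expected-pool"  # matches the post-KB951748 socket pool
    return "above-pool"         # more endpoints than the pool alone explains


def dns_pool_report(netstat_text, dns_pid):
    """Return (dns.exe UDP endpoint count, verdict) for the given netstat text."""
    counts = udp_ports_per_pid(parse_udp_endpoints(netstat_text))
    n = counts.get(dns_pid, 0)
    return n, classify_dns_pool(n)


def build_sample_netstat(dns_pid=1484, pool=2500, base_port=49152):
    """Construct sample netstat output: dns.exe on :53 plus a pool of ports.

    Constructed data. Real pool ports are not contiguous; contiguity here is
    only a convenience for generating the sample.
    """
    pad = " " * 36
    rows = ["  Proto  Local Address          Foreign Address        State           PID",
            f"  UDP    0.0.0.0:53             *:*{pad}{dns_pid}",
            f"  UDP    0.0.0.0:123            *:*{pad}1032"]  # unrelated service
    for i in range(pool):
        rows.append(f"  UDP    0.0.0.0:{base_port + i}          *:*{pad}{dns_pid}")
    return "\n".join(rows)


if __name__ == "__main__":
    # On a real host: feed the captured output of `netstat -ano -p udp`
    # and the dns.exe PID from `tasklist` instead of the constructed sample.
    count, verdict = dns_pool_report(build_sample_netstat(), 1484)
    print(f"dns.exe owns {count} UDP endpoints: {verdict}")
```

The per-PID breakdown matters more than the raw total: a few thousand UDP rows on the box is what the hotfix produces, but only the rows owned by the DNS service belong to the pool, so a large count under a different PID, or a count well above the band, is what deserves a closer look.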
Re: thousands of dns.exe UDP connections, what to do?
"DevilsPGD" <spam_narf_spam@crazyhat.net> wrote in message
news:8m00a4hfq7fo768alktu4t2vck9tjtcuof@4ax.com...
> In message <OYvU1z4#IHA.3344@TK2MSFTNGP04.phx.gbl> "Egbert Nierop"
> <egbert_nierop@nospam.invalid> wrote:
>
>>
>>"DevilsPGD" <spam_narf_spam@crazyhat.net> wrote in message
>>news:sfvu94pubv91aaen5dp43f5qf8tbt58ab0@4ax.com...
>>> In message <7FF4BFBB-9A2C-4B05-9857-DFFA69FEBD14@microsoft.com> "Egbert
>>> Nierop" <egbert_nierop@nospam.invalid> wrote:
>>>
>>>>I have a firewall (Linksys, with DDoS protection) and Windows 2003,
>>>>with
>>>>synattack etc. options on, and behind it two DNS servers on Windows 2003
>>>>SP1.
>>>>
>>>>However, according to tcpview.exe (from sysinternals) there are an
>>>>uncountable number of DNS UDP connections.
>>>
>>> I'm not sure about "uncountable", the number is probably around 2500 or
>>> so. This is normal.
>>
>>tcpview crashes.
>
> And yet, this is still normal operation.
>
> http://msmvps.com/blogs/alunj/archiv...9/1641409.aspx discusses
> this behaviour.
>
>>>>Now I have used QoS to set the network traffic to just 1 Kbit/s up/down.
>>>>What more can I do to protect the server against an overflow of
>>>>connections?
>>>
>>> Overflow of connections? Do you know how DNS works? (Free hint: those
>>> 2500 UDP ports are connectionless.)
>>
>>Thanks, but you can leave out your sarcasm...
>
> Not sarcasm, an honest question -- At $DAYJOB I pretty regularly see
> people following the advice of security consultants or auditing software
> blindly without understanding the implications of their changes,
> resulting in something between failure and chaos depending on the day.
If I were a network admin, I would (and I normally do) get everything
very clean and secure by doing _manual_ health checks.
FYI, I have maintained a web server since Windows 2000 went RTM. In the
beginning there was not even a firewall.
Still, even if most % are morons on advice, this does not apply to each of
'us'.
> Since the ~2500-listening-ports DNS issue is UDP, and UDP is
> connectionless, there is no such thing as an "overflow of connections"
> in this situation.
So you are a nerd, huh? Right? Pointing to someone's imperfectness of words.
In fact, it seems that my notification is right, and new behavior indeed.
That was all I needed to know, not a sermon on UDP, which is connectionless
indeed.
http://msmvps.com/blogs/alunj/archiv...9/1641409.aspx
Re: thousands of dns.exe UDP connections, what to do?
"Ace Fekay [MVP Directory Services]" wrote:
>
> "Egbert Nierop" <egbert_nierop@nospam.invalid> wrote in message
> news:7FF4BFBB-9A2C-4B05-9857-DFFA69FEBD14@microsoft.com...
> > Hi,
> >
> > I have a firewall (Linksys, with DDoS protection) and Windows 2003, with
> > synattack etc. options on, and behind it two DNS servers on Windows 2003
> > SP1.
> >
> > However, according to tcpview.exe (from sysinternals) there are an
> > uncountable number of DNS UDP connections.
> >
> > Now I have used QoS to set the network traffic to just 1 Kbit/s up/down.
> > What more can I do to protect the server against an overflow of
> > connections?
> >
> > (ps: I run two registered ns servers, to maintain my own websites).
> >
> > Thanks..
>
> This is a result of the latest DNS hotfix KB951748 to protect against the
> new vulnerability. It reserves 2500 UDP DNS ephemeral ports.
>
> Here you go, you can read up on the hotfix:
>
> MS08-037: Description of the security update for DNS in Windows Server 2003,
> in Windows XP, and in Windows 2000 Server (client side): July 8, 2008:
> http://support.microsoft.com/?id=951748
>
> --
> Regards,
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
> MVP Microsoft MVP - Directory Services
> Microsoft Certified Trainer
>
> For urgent issues, you may want to contact Microsoft PSS directly. Please
> check http://support.microsoft.com for regional support phone numbers.
>
> Infinite Diversities in Infinite Combinations
>
Re: thousands of dns.exe UDP connections, what to do?
In news:6A22DC4A-2C8B-41D7-93DD-3A411161B04C@microsoft.com,
DennisC <DennisC@discussions.microsoft.com> requesting assistance, typed the
following:
> "Ace Fekay [MVP Directory Services]" wrote:
>
Hi Dennis,
I didn't see a response in your post, just a copy of my previous post. Did
you have a question to ask?
Ace