Is this a denial of service attack?

MultiformeIngegno asked:

I have my kern.log flooded by these lines:

Jan  4 03:00:57 myhost kernel: [9040601.809740] iptables denied: IN=eth0 OUT= MAC=10:00:25:09:e7:40:00:21:5e:3f:c4:04:08:00 SRC=178.33.217.13 DST=xx.xx.xx.xx LEN=64 TOS=0x00 PREC=0x00 TTL=236 ID=33285 PROTO=UDP SPT=25345 DPT=53 LEN=44 
Jan  4 03:01:09 myhost kernel: [9040613.699425] iptables denied: IN=eth0 OUT= MAC=10:00:25:09:e7:40:00:21:5e:3f:c4:04:08:00 SRC=178.33.217.13 DST=xx.xx.xx.xx LEN=64 TOS=0x00 PREC=0x00 TTL=236 ID=62996 PROTO=UDP SPT=25345 DPT=53 LEN=44 
Jan  4 03:01:21 myhost kernel: [9040625.584770] iptables denied: IN=eth0 OUT= MAC=10:00:25:09:e7:40:00:21:5e:3f:c4:04:08:00 SRC=178.33.217.13 DST=xx.xx.xx.xx LEN=64 TOS=0x00 PREC=0x00 TTL=236 ID=26121 PROTO=UDP SPT=25345 DPT=53 LEN=44 
Jan  4 03:01:33 myhost kernel: [9040637.471088] iptables denied: IN=eth0 OUT= MAC=10:00:25:09:e7:40:00:21:5e:3f:c4:04:08:00 SRC=178.33.217.13 DST=xx.xx.xx.xx LEN=64 TOS=0x00 PREC=0x00 TTL=236 ID=59140 PROTO=UDP SPT=25345 DPT=53 LEN=44 
Jan  4 03:01:45 myhost kernel: [9040649.352450] iptables denied: IN=eth0 OUT= MAC=10:00:25:09:e7:40:00:21:5e:3f:c4:04:08:00 SRC=178.33.217.13 DST=xx.xx.xx.xx LEN=64 TOS=0x00 PREC=0x00 TTL=236 ID=33805 PROTO=UDP SPT=25345 DPT=53 LEN=44 
Jan  4 03:01:56 myhost kernel: [9040661.237910] iptables denied: IN=eth0 OUT= MAC=10:00:25:09:e7:40:00:21:5e:3f:c4:04:08:00 SRC=178.33.217.13 DST=xx.xx.xx.xx LEN=64 TOS=0x00 PREC=0x00 TTL=236 ID=33285 PROTO=UDP SPT=25345 DPT=53 LEN=44 
Jan  4 03:02:08 myhost kernel: [9040673.116958] iptables denied: IN=eth0 OUT= MAC=10:00:25:09:e7:40:00:21:5e:3f:c4:04:08:00 SRC=178.33.217.13 DST=xx.xx.xx.xx LEN=64 TOS=0x00 PREC=0x00 TTL=236 ID=14341 PROTO=UDP SPT=25345 DPT=53 LEN=44 
Jan  4 03:02:20 myhost kernel: [9040685.003337] iptables denied: IN=eth0 OUT= MAC=10:00:25:09:e7:40:00:21:5e:3f:c4:04:08:00 SRC=178.33.217.13 DST=xx.xx.xx.xx LEN=64 TOS=0x00 PREC=0x00 TTL=236 ID=22793 PROTO=UDP SPT=25345 DPT=53 LEN=44 
Jan  4 03:02:32 myhost kernel: [9040696.886561] iptables denied: IN=eth0 OUT= MAC=10:00:25:09:e7:40:00:21:5e:3f:c4:04:08:00 SRC=178.33.217.13 DST=xx.xx.xx.xx LEN=64 TOS=0x00 PREC=0x00 TTL=236 ID=32783 PROTO=UDP SPT=25345 DPT=53 LEN=44 
Jan  4 03:02:44 myhost kernel: [9040708.770251] iptables denied: IN=eth0 OUT= MAC=10:00:25:09:e7:40:00:21:5e:3f:c4:04:08:00 SRC=178.33.217.13 DST=xx.xx.xx.xx LEN=64 TOS=0x00 PREC=0x00 TTL=236 ID=14854 PROTO=UDP SPT=25345 DPT=53 LEN=44 
Jan  4 03:02:56 myhost kernel: [9040720.652454] iptables denied: IN=eth0 OUT= MAC=10:00:25:09:e7:40:00:21:5e:3f:c4:04:08:00 SRC=178.33.217.13 DST=xx.xx.xx.xx LEN=64 TOS=0x00 PREC=0x00 TTL=236 ID=56844 PROTO=UDP SPT=25345 DPT=53 LEN=44 
Jan  4 03:03:08 myhost kernel: [9040732.530823] iptables denied: IN=eth0 OUT= MAC=10:00:25:09:e7:40:00:21:5e:3f:c4:04:08:00 SRC=178.33.217.13 DST=xx.xx.xx.xx LEN=64 TOS=0x00 PREC=0x00 TTL=236 ID=4373 PROTO=UDP SPT=25345 DPT=53 LEN=44 
Jan  4 03:03:20 myhost kernel: [9040744.409373] iptables denied: IN=eth0 OUT= MAC=10:00:25:09:e7:40:00:21:5e:3f:c4:04:08:00 SRC=178.33.217.13 DST=xx.xx.xx.xx LEN=64 TOS=0x00 PREC=0x00 TTL=236 ID=62989 PROTO=UDP SPT=25345 DPT=53 LEN=44 
Jan  4 03:03:32 myhost kernel: [9040756.417865] iptables denied: IN=eth0 OUT= MAC=10:00:25:09:e7:40:00:21:5e:3f:c4:04:08:00 SRC=178.33.217.13 DST=xx.xx.xx.xx LEN=64 TOS=0x00 PREC=0x00 TTL=236 ID=4116 PROTO=UDP SPT=25345 DPT=53 LEN=44 
Jan  4 03:03:44 myhost kernel: [9040769.008748] iptables denied: IN=eth0 OUT= MAC=10:00:25:09:e7:40:00:21:5e:3f:c4:04:08:00 SRC=178.33.217.13 DST=xx.xx.xx.xx LEN=64 TOS=0x00 PREC=0x00 TTL=236 ID=16136 PROTO=UDP SPT=25345 DPT=53 LEN=44 
Jan  4 03:03:57 myhost kernel: [9040782.192103] iptables denied: IN=eth0 OUT= MAC=10:00:25:09:e7:40:00:21:5e:3f:c4:04:08:00 SRC=178.33.217.13 DST=xx.xx.xx.xx LEN=64 TOS=0x00 PREC=0x00 TTL=236 ID=9476 PROTO=UDP SPT=25345 DPT=53 LEN=44 
Jan  4 03:04:10 myhost kernel: [9040795.020864] iptables denied: IN=eth0 OUT= MAC=10:00:25:09:e7:40:00:21:5e:3f:c4:04:08:00 SRC=178.33.217.13 DST=xx.xx.xx.xx LEN=64 TOS=0x00 PREC=0x00 TTL=236 ID=55553 PROTO=UDP SPT=25345 DPT=53 LEN=44 

Is this a DoS attack? Of course xx.xx.xx.xx is my IP address (destination).

EDIT: I have a lot of requests from other IPs too, same port though.

My answer:


No, it’s not a DDoS, and it’s not even obvious that it’s any kind of attack at all.

What it is, is a single IP address attempting to contact UDP port 53 on your server. This is the port used by DNS.

Most likely you have recently moved into this server and just got this IP address, and some previous user of the IP address had a DNS server on it.

Since you aren’t running a DNS server, you can safely ignore it.
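To check that reading against a log like the one in the question (how many sources, which port, what rate), the added example below groups denied packets by source, protocol and destination port and reports a rate for each. It is not part of the original question or answer; the sample lines and addresses are constructed, and `summarize` is a hypothetical helper name.

```python
import re
from collections import defaultdict

# Constructed sample lines in the kern.log format shown in the question
# (addresses and MAC are placeholders, not the poster's values).
SAMPLE = """\
Jan  4 03:00:57 myhost kernel: [9040601.809740] iptables denied: IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=64 TTL=236 ID=33285 PROTO=UDP SPT=25345 DPT=53 LEN=44
Jan  4 03:01:09 myhost kernel: [9040613.699425] iptables denied: IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=64 TTL=236 ID=62996 PROTO=UDP SPT=25345 DPT=53 LEN=44
Jan  4 03:01:21 myhost kernel: [9040625.584770] iptables denied: IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=64 TTL=236 ID=26121 PROTO=UDP SPT=25345 DPT=53 LEN=44
Jan  4 03:01:30 myhost kernel: [9040634.100000] iptables denied: IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=203.0.113.50 DST=192.0.2.10 LEN=60 TTL=52 ID=1111 PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 SYN
Jan  4 03:01:31 myhost kernel: [9040635.000000] eth0: link is up
"""

UPTIME = re.compile(r"\[\s*(\d+\.\d+)\]")   # kernel uptime stamp, monotonic
FIELD = re.compile(r"\b([A-Z]+)=(\S+)")     # KEY=value pairs; empty OUT= is skipped


def summarize(text, marker="iptables denied:"):
    """Group denied packets by (SRC, PROTO, DPT); return count and rate per flow."""
    stamps = defaultdict(list)
    for line in text.splitlines():
        if marker not in line:
            continue  # unrelated kernel messages
        up = UPTIME.search(line)
        f = dict(FIELD.findall(line.split(marker, 1)[1]))
        if not up or not {"SRC", "PROTO", "DPT"} <= f.keys():
            continue  # truncated lines, or protocols without ports (e.g. ICMP)
        stamps[(f["SRC"], f["PROTO"], int(f["DPT"]))].append(float(up.group(1)))
    out = {}
    for key, ts in stamps.items():
        span = max(ts) - min(ts)
        out[key] = {
            "count": len(ts),
            "span_s": round(span, 1),
            # packets per minute; None when a single packet gives no interval
            "per_min": round((len(ts) - 1) / span * 60, 1) if span > 0 else None,
        }
    return out


if __name__ == "__main__":
    rows = sorted(summarize(SAMPLE).items(), key=lambda kv: -kv[1]["count"])
    for (src, proto, dpt), s in rows:
        print(f"{src:15} {proto}/{dpt:<5} n={s['count']} span={s['span_s']}s rate={s['per_min']}/min")
```

To run it on a real log, pass the file contents instead of the sample, for example `summarize(open("/var/log/kern.log").read())`.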


View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.