02-13-2017 09:43 AM - last edited on 02-13-2017 11:22 AM by RogersMoin
I'm seeing a significant amount of unsolicited inbound traffic from Rogers' DNS servers, trying to establish a UDP connection on multiple ports on my internet connection from port 53 on the servers.
Note: this is not response traffic to an outbound query - this is unsolicited inbound targeting multiple IANA User Ports & Dynamic Ports. My firewall is successfully blocking these "attacks".
This is from the past two hours:
Servers:
Please advise.
02-14-2017 06:31 AM
Just to close this off for anyone else reading this in the future.
This was not a security issue.
The Rogers DNS team has investigated and it appears it's a load-balancer/caching server timing issue for non-existent domains and the fact that my firewall rejects responses from servers it doesn't initiate contact with.
@RogersMoin can you please close this thread?
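As an added example (not code from this thread, from the poster or from Rogers), here is a Python check for the situation the answer above describes: given a firewall log of outbound DNS queries and inbound packets from port 53, it separates true responses, late responses that arrive after the firewall's UDP state has expired (what the DNS team found for non-existent domains), and packets with no matching query at all. The log format, the client address 192.0.2.10, the sample lines and the 30-second state timeout are assumptions; the server addresses are the ones listed in the original post.

```python
from datetime import datetime, timedelta

# Assumed stateful-firewall UDP idle timeout; real products differ.
UDP_STATE_TIMEOUT = timedelta(seconds=30)

# Constructed log: "<timestamp> <OUT|IN> <src:port> -> <dst:port>".
SAMPLE_LOG = """\
2017-02-13T09:30:00 OUT 192.0.2.10:51234 -> 67.231.208.232:53
2017-02-13T09:30:01 IN 67.231.208.232:53 -> 192.0.2.10:51234
2017-02-13T09:31:00 OUT 192.0.2.10:52222 -> 209.148.131.39:53
2017-02-13T09:31:45 IN 209.148.131.39:53 -> 192.0.2.10:52222
2017-02-13T09:32:00 IN 67.231.208.234:53 -> 192.0.2.10:40000
"""

def parse_log(text):
    """Parse the constructed log lines into (ts, dir, sip, sport, dip, dport)."""
    events = []
    for line in text.strip().splitlines():
        ts, direction, src, _, dst = line.split()
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
                       direction, sip, int(sport), dip, int(dport)))
    return sorted(events, key=lambda e: e[0])  # stable: keeps log order per second

def classify_inbound_dns(events, timeout=UDP_STATE_TIMEOUT):
    """Label every inbound packet from port 53:
    'response'      - a query from that client port to that server is still
                      inside the firewall's state window;
    'late_response' - such a query exists but the state has expired, so a
                      stateful firewall logs the reply as unsolicited (benign);
    'unsolicited'   - no query from that port to that server was ever sent."""
    last_query = {}   # (client_port, server_ip) -> time of latest outbound query
    verdicts = []
    for ts, direction, sip, sport, dip, dport in events:
        if direction == "OUT" and dport == 53:
            last_query[(sport, dip)] = ts
        elif direction == "IN" and sport == 53:
            sent = last_query.get((dport, sip))
            if sent is None:
                verdict = "unsolicited"
            elif ts - sent <= timeout:
                verdict = "response"
            else:
                verdict = "late_response"
            verdicts.append((sip, dport, verdict))
    return verdicts

if __name__ == "__main__":
    for server, port, verdict in classify_inbound_dns(parse_log(SAMPLE_LOG)):
        print(f"{server}:53 -> :{port}  {verdict}")
```

Only the third verdict is worth escalating; the second is the timing effect the DNS team described and is expected to be dropped by the firewall.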
02-13-2017 11:09 AM
Hi @Double_K,
I started discussing this with our DNS engineering team and they are asking if you would have a traffic capture available for that.
If you can, reach out to me via PM and we'll see how you can send that out to me.
Dave
03-11-2017 12:48 PM - last edited on 03-11-2017 04:22 PM by RogersPrasana
Hello
After a vulnerability scan ... found that the Rogers modem has many open access ports that could expose customers to bad guys.
Could Rogers explain why so many ports are open and why the firewall is set to auto-forwarding even if you block it?
See below:
DNS Server Cache Snooping Remote Information Disclosure
Suggested solution by the Nessus scanner
11-27-2019 05:43 PM - last edited on 11-27-2019 05:49 PM by RogersAndy
I'd like to reopen this issue as I've been the victim of a traffic hijack. I cannot provide any technical information unless given the instructions to retrieve my traffic history, or something to that effect (it's been a while since I did anything to this effect), but I do have my Avast report.
* Avast Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Thursday, November 14, 2019 3:22:10 AM
*
11/20/2019 11:53:59 AM superdupercontests.com/pixeliframe.aspx?cnid=2200416 [L] HTML:Iframe-inf [Susp] (0)
11/20/2019 11:54:00 AM trckr.global/p.ashx?a=78&e=24&r=23565-429264405&t=13020275&fb=1 [L] URL:Blacklist (0)
The URL that slipped through was:
For the time being I've switched from Rogers DNS to OpenDNS to avoid further incidents, and while up to this point I've been happy with my service, being the victim of a fraud attempt has shaken me considerably.
11-28-2019 05:32 PM
Hi @AW10.
Welcome to the Community!
Seeing any form of notification from an anti-virus can definitely come as a shock. In this case, though, this particular issue would not be related to the Rogers DNS server. As per your alternative post "here", the issue appears to stem purely from a phishing attempt. I would recommend taking the appropriate actions if any personal information was provided (contacting your credit card company etc.) and ensuring a full system scan is done to rule out or remove any intrusive malware.