On 14.10.21 at 23:02, Jens Hektor wrote:
Listed are the top addresses with their flows for destination port 53, source RWTH
---------------
(proto UDP and dst port 53) and (( src net 134.130.0.0/16 or src net 137.226.0.0/16 or src net 134.61.0.0/16 or src net 2a00:8a60::/32 ) ) )
Top 10 IP Addr ordered by flows:
Date first seen         Duration  Proto IP Addr              Flows(%)     Packets(%)   Bytes(%)       pps  bps     bpp
2021-10-13 07:59:44.123 32705.825 any   8.8.8.8              8.8 M(19.9)  9.3 M(19.3)  694.3 M(13.1)  283  169826  74   Google
2021-10-13 07:59:50.379 32699.565 any   2a00:8a60:0:f012::2  6.6 M(15.1)  6.6 M(13.8)  780.2 M(14.8)  202  190886  117  RWTH DNS as client
2021-10-13 07:59:48.340 32701.598 any   2a00:8a60:0:f013::2  6.6 M(15.0)  6.6 M(13.8)  777.8 M(14.7)  202  190269  117  RWTH DNS as client
2021-10-13 07:59:57.617 32692.331 any   137.226.35.6         6.3 M(14.4)  6.6 M(13.8)  451.8 M( 8.5)  202  110554  68   bondig.de as client
2021-10-13 07:59:43.255 32706.695 any   134.130.5.214        5.0 M(11.4)  5.0 M(10.5)  663.9 M(12.6)  154  162400  131  RWTH DNS as client
2021-10-13 07:59:46.852 32703.096 any   134.130.5.210        4.9 M(11.2)  5.0 M(10.4)  657.0 M(12.4)  152  160711  132  RWTH DNS as client
2021-10-13 07:59:43.255 32706.695 any   54.194.223.253       3.1 M( 7.1)  3.2 M( 6.6)  586.3 M(11.1)  96   143400  185  Sophos
2021-10-13 07:59:50.364 32699.561 any   2a00:8a60:0:5::1     3.0 M( 6.8)  6.0 M(12.5)  753.5 M(14.3)  184  184348  125  RWTH DNS as server; the physics cluster is querying here
2021-10-13 07:59:27.799 32722.152 any   1.1.1.1              1.9 M( 4.4)  2.2 M( 4.6)  188.9 M( 3.6)  68   46185   84   Cloudflare
2021-10-13 07:59:48.340 32701.563 any   2600:1480:e800::c0   1.5 M( 3.3)  1.5 M( 3.1)  167.3 M( 3.2)  44   40934   113  Hoho. What's that?

Summary: total flows: 43913285, total bytes: 5.3 G, total packets: 48.0 M, avg bps: 1.3 M, avg pps: 1467, avg bpp: 110
Time window: 2021-10-08 12:16:14 - 2021-10-13 17:04:59
---------------
Hm. That was inadequate, Jens. We wanted the top *destination* addresses! Alright, alright. Here you go:
---------------
(proto UDP and dst port 53) and (( src net 134.130.0.0/16 or src net 137.226.0.0/16 or src net 134.61.0.0/16 or src net 2a00:8a60::/32 ) ) )
Top 10 Dst IP Addr ordered by flows:
Date first seen         Duration  Proto Dst IP Addr          Flows(%)     Packets(%)   Bytes(%)       pps  bps     bpp
2021-10-13 07:59:44.123 32705.825 any   8.8.8.8              8.8 M(19.9)  9.3 M(19.3)  694.3 M(13.1)  283  169826  74
2021-10-13 07:59:43.255 32706.695 any   54.194.223.253       3.1 M( 7.1)  3.2 M( 6.6)  586.3 M(11.1)  96   143400  185
2021-10-13 07:59:50.364 32699.561 any   2a00:8a60:0:5::1     3.0 M( 6.8)  6.0 M(12.5)  753.5 M(14.3)  184  184348  125
2021-10-13 07:59:27.799 32722.152 any   1.1.1.1              1.9 M( 4.4)  2.2 M( 4.6)  188.9 M( 3.6)  68   46185   84
2021-10-13 07:59:48.340 32701.563 any   2600:1480:e800::c0   1.5 M( 3.3)  1.5 M( 3.1)  167.3 M( 3.2)  44   40934   113
2021-10-13 07:59:50.613 32699.301 any   54.170.50.200        1.4 M( 3.2)  1.4 M( 3.0)  261.8 M( 5.0)  43   64040   183
2021-10-13 07:59:49.644 32700.297 any   8.8.4.4              926016( 2.1) 942551( 2.0) 75.3 M( 1.4)   28   18429   79
2021-10-13 07:59:50.406 32699.493 any   95.100.173.129       386380( 0.9) 387106( 0.8) 42.6 M( 0.8)   11   10414   109
2021-10-13 07:59:50.479 32699.199 any   2a01:111:4000::c9    382731( 0.9) 383722( 0.8) 50.9 M( 1.0)   11   12446   132
2021-10-13 07:59:50.999 32698.800 any   2001:4860:4802:38::a 363041( 0.8) 364074( 0.8) 45.8 M( 0.9)   11   11200   125

Summary: total flows: 43913285, total bytes: 5.3 G, total packets: 48.0 M, avg bps: 1.3 M, avg pps: 1467, avg bpp: 110
Time window: 2021-10-08 12:16:14 - 2021-10-13 17:04:59
---------------