Alexa Top 1000 DNS Denial Of Service Attack. Avast doing this or a virus?

Offline michael230

Spent the last 3 days trying to figure out what on my PC is causing a denial of service attack to my router.  What is happening is the DNS server through the router/firewall is getting nailed at once with 1000 DNS queries, sees it as an attack (rightfully so) and locks out the port.  I recognize the list and it looks like the Alexa Top 1000.

So I performed a boot scan with Avast, scanned with Malwarebytes, Spybot, Windows Defender, Microsoft Safety Scanner and the MS Malicious Software Removal tool.  Wiped most programs off the PCs, scoured regedit/msconfig boot process and used CCleaner.  Nothing found.

I tried to find it using Process viewers but still can't find it since it is so elusive.  Turns out it waits until the PC goes to screen saver, idle or comes out of sleep.  When I try to view the process that is doing it my network logs show it stops right when I touch the keyboard.  Was just getting ready to reinstall Windows at this point.

I just found another thread here back in January that has one post mentioning Alexa Top 1000 and Avast Secure DNS.  I am however using the free version so I am not using secure DNS but is this Avast Free behavior with version 10.2.2218?
« Last Edit: July 18, 2015, 12:04:17 AM by michael230 »

Offline Pondus

Do you have any logs or a screenshot of what you see that you can post?

Chief Wiggum: Uh, no, you got the wrong number. This is 9-1…2.


Offline DavidR

Avast is checking for DNS poisoning or the DNS having been hacked. So it doesn't have to be using or have SecureDNS installed.

It checks on DNS, against the most popular sites (as these may be more prone to being poisoned/hacked) to see what is returned, e.g. does it match the expected/correct IP address.
Core2Duo E8300/ 4GB Ram/ WinXP ProSP3/ avast! free 17.8.2318/ Outpost Firewall Pro9.3/ Firefox 52.4.0 ESR, uBlock Origin, RequestPolicy/ MailWasher Pro7.8.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security

Offline michael230

Does turning off "Home Network Security" disable it?   I turned it off and am waiting to see if it happens again.  It was happening every few hours before, thus my router blocking internal traffic because of it. Making 1000 DNS queries in a matter of seconds every few hours seems excessive.

This really should be documented somewhere since I could only imagine how many people have wasted countless hours in troubleshooting only to find the traffic was coming from Avast.  I never would have guessed this was an internal attack and was busy poring over logs looking at incoming traffic.  Took me a bit to find it was my internal PC causing the attack and then finding they were DNS queries.  Then days finally coming to the conclusion it was probably Avast.


Offline DavidR

Unfortunately, as an avast user like yourself, I can't say why (other than checking your DNS Server is clear) or how frequently the DNS checks are done, as my firewall doesn't raise any flags.

I wouldn't think disabling the Home Network Security would impact on this as in theory it is checking the home network's security (rather than external DNS). But I could be wrong.

You may find this helpful in the future for other info - the avastUI has a context sensitive help function - going to the area you are looking for some information and click the ? at the top right corner of the UI window.

I did this in the avastUI > Settings > Tools - which lists Home Network Security and clicked the ?
From the window that appears I found the "Home Network Security - Analyzes your home network for security risks. More..." The More... is clickable and produced the window (attached). This I would say confirms my suspicion that it doesn't do the DNS checking.

Offline bob3160

It was my understanding that the Network Security Scan was a scan, not a part that's resident, and only runs when requested.
Free avast! Security Seminar: http://www.authorstream.com/Presentation/bob3160-1425909-protecting-yourself/    -  Important: http://www.organdonor.gov/ -- My Blog: http://bob3160.blogspot.com/ - Win 10 Pro v1703 64bit, 8 Gig Ram, AvastFree 17.6.2307, WinPatrol, Unchecky How to Successfully Install Avast http://goo.gl/VLXde

Offline DavidR

That I guess would be correct given the information in the attached image of avast help.

Offline michael230

It has been over 24 hours since I turned off "Home Network Security" and I have yet to see the DNS server get hit with those 1000 queries. 

At one point I did update to version 10.3.2223 from 10.2.2218, but I am thinking it is likely turning off "Home Network Security" solved this issue.

Offline DavidR

I think only time will tell on this, given what Bob said and what is in the related Help - it should only be an on-demand "Home Network Security" scan.

Offline bob3160

I've sent an email to my contacts at Avast. Hope to get a reply, but this is still the weekend. :)

Offline DavidR

Thanks Bob, it would be nice to get clarification.

Offline bob3160

You'll know as soon as I know. :)

Offline sdel61

Re: Alexa Top 1000 DNS Denial Of Service Attack. Avast doing this or a virus?
« Reply #12 on: September 09, 2015, 04:19:53 PM »
I suspect I have the same problem identified earlier in this string. In a nutshell I would like to know how to disable the feature that initiates the AddDnsEntry process captured in the Avast "HDS.log". Disabling the Home Network Security option did not halt this query that happens at just over a 24-hour interval.

As described earlier there are approximately 1000 web sites identified for this AddDnsEntry process and I have packet captures that reflect IP and IPv6 DNS queries for each. It should be noted that of the approximately 2000 DNS queries there was no attempt to connect to any of the sites. The sites identified in the packet capture align with the sites and sequence listed on the Avast HDS.log. About 85% of these sites are present on the latest Alexa Top 1000 URL list so I suspect this process is using an older Alexa listing. One of the sites queried is chaseswing.eu which causes an Anubis-Sinkhole alarm on Alien Vault sensors.

Any assistance would be appreciated.
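
Added example (not part of any post in this thread, and not Avast's code): a small triage script for the pattern the posters describe, one internal host resolving hundreds of distinct names within seconds, mostly from a popularity list, with no connections following. The log line format, addresses, thresholds and the stand-in popularity list are constructed assumptions.

```python
from collections import Counter, defaultdict

def parse(lines):
    """Parse constructed 'epoch client qtype qname' lines into tuples."""
    rows = (line.split() for line in lines)
    return [(float(ts), c, qt, qn.lower().rstrip(".")) for ts, c, qt, qn in rows]

def find_bursts(records, window=10.0, min_names=200):
    """Map each client to the distinct names it queried in its first burst window."""
    per_client = defaultdict(list)
    for ts, client, _qtype, qname in records:
        per_client[client].append((ts, qname))
    bursts = {}
    for client, qs in per_client.items():
        qs.sort()
        lo, seen = 0, Counter()
        for ts, name in qs:
            seen[name] += 1
            while ts - qs[lo][0] > window:      # slide the window start forward
                seen[qs[lo][1]] -= 1
                if not seen[qs[lo][1]]:
                    del seen[qs[lo][1]]
                lo += 1
            if len(seen) >= min_names:          # A and AAAA for one name count once
                start = qs[lo][0]
                bursts[client] = {n for t, n in qs if start <= t <= start + window}
                break
    return bursts

def triage(names, popular, connected):
    """Summarise a burst: share of names on a popularity list, and follow-up connections."""
    return {
        "distinct_names": len(names),
        "popular_share": round(len(names & popular) / len(names), 2),
        "names_connected_to": len(names & connected),
    }

def sample_log():
    """Constructed data: .20 resolves 300 names (A and AAAA) in 3 s; .30 browses normally."""
    lines = [f"{1000 + i * 0.01:.2f} 192.168.1.20 {qt} site{i}.example"
             for i in range(300) for qt in ("A", "AAAA")]
    lines += [f"{1000 + i * 60:.2f} 192.168.1.30 A news{i}.example" for i in range(5)]
    return lines

if __name__ == "__main__":
    bursts = find_bursts(parse(sample_log()))
    popular = {f"site{i}.example" for i in range(255)}   # constructed stand-in list
    for client, names in bursts.items():
        print(client, triage(names, popular, connected=set()))
```

A high popular-list share with no follow-up connections matches what the packet captures in this thread showed; the same burst followed by connections to the resolved hosts would call for a closer look at the process issuing the queries.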