I thought it would be wise to check if there are any unnecessary services running which listen on a public interface. And guess what?
# netstat -anutp
tcp 0 0 0.0.0.0:5355 0.0.0.0:* LISTEN 1015/systemd-resolv
What the heck is that?
Do I really need a local DNS server exposed to the world?
Quick research:
https://www.cvedetails.com/cve/CVE-2017-9217/
https://www.theregister.co.uk/2017/06/29/systemd_pwned_by_dns_query/
Good God ... how not to hate systemd?
Kill it with fire!!!
# systemctl stop systemd-resolved
# systemctl disable systemd-resolved
# systemctl mask systemd-resolved
# echo "nameserver your-gateway-router-ip" > /etc/resolv.conf
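
To repeat the check after the change, or on other machines, the netstat output can be filtered down to sockets that are reachable from outside the host. This is an added example, not part of the original post; the function name public_listeners is hypothetical, and the sample rows are constructed, apart from the port 5355 TCP row quoted above.

```shell
#!/bin/sh
# Added example, not from the original post. Reads `netstat -anutp` output on
# stdin and prints every TCP listener / unconnected UDP socket whose local
# address is not loopback, as: proto port address pid/program

public_listeners() {
    awk '
    $1 ~ /^(tcp|udp)/ {
        if ($1 ~ /^tcp/) {
            if ($6 != "LISTEN") next      # skip established/closing sockets
            first = 7                     # program column follows State
        } else {
            if ($5 !~ /:\*$/) next        # skip connected UDP sockets
            first = 6                     # UDP rows have an empty State column
        }
        # Split "addr:port" at the last colon so ":::22" and "::1:631" work.
        match($4, /:[^:]*$/)
        host = substr($4, 1, RSTART - 1)
        port = substr($4, RSTART + 1)
        # 127.0.0.0/8 and ::1 are only reachable from the machine itself.
        if (host ~ /^127\./ || host == "::1") next
        prog = ""
        for (i = first; i <= NF; i++) prog = prog (i > first ? " " : "") $i
        if (prog == "") prog = "-"        # program column absent (no -p)
        print $1, port, host, prog
    }'
}

# Constructed sample; only the first tcp row is taken from the post.
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:5355            0.0.0.0:*               LISTEN      1015/systemd-resolv
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      1015/systemd-resolv
tcp        0      0 192.168.1.10:22         192.168.1.20:51234      ESTABLISHED 2210/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      880/sshd
tcp6       0      0 ::1:631                 :::*                    LISTEN      901/cupsd
udp        0      0 0.0.0.0:5355            0.0.0.0:*                           1015/systemd-resolv
udp        0      0 127.0.0.53:53           0.0.0.0:*                           1015/systemd-resolv'

printf '%s\n' "$SAMPLE" | public_listeners
```

On a live system, run it as root with `netstat -anutp | public_listeners`; an empty result means nothing is bound to a non-loopback address.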