Re: port scan from 53

From: Maarten Van Horenbeeck (maartenat_private)
Date: Wed May 16 2001 - 10:57:08 PDT

Next message: Mike Batchelor: "RE: 'FrogEater'"

Previous message: Thomas Roessler: "Re: DNS Floods to personal firewalls"
Reply: Mike Batchelor: "RE: port scan from 53"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

JK,

> Does anyone have any idea what would cause a scan to originate from port
53
> on an IRIX based server and destined for users on incrementing ports
> starting in the 1000 range and continuing, in cases, to 4000 range.

the attacker might be expecting that your ACL / packetfilter accepts/passes
all packets originating from 53 UDP (DNS-lookups).  This is often the case
on insecure packet-filter installations.

> 2000/09/14,09:21:48 -5:00 GMT,
> Server.IP.Address:53,Client.IP.Address:1038,UDP

With kind regards,

Maarten Van Horenbeeck
OS2 & Unix System Administrator
http://www.daemon.be
maartenat_private

Next message: Mike Batchelor: "RE: 'FrogEater'"
Previous message: Thomas Roessler: "Re: DNS Floods to personal firewalls"
Reply: Mike Batchelor: "RE: port scan from 53"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed May 16 2001 - 15:25:58 PDT