> JK,
>
> > Does anyone have any idea what would cause a scan to originate from port 53
> > on an IRIX based server and destined for users on incrementing ports
> > starting in the 1000 range and continuing, in cases, to 4000 range.
>
> the attacker might be expecting that your ACL / packetfilter accepts/passes
> all packets originating from 53 UDP (DNS-lookups). This is often the case
> on insecure packet-filter installations.

It could also be the result of improper filters on JK's gateway. If he is permitting outgoing packets to 53/UDP for DNS, but forgot to allow the incoming replies from 53/UDP to pass back to his clients, then he would see alerts just like the ones he posted. When the client's resolver library fails to see a reply and retransmits the query, the client port number increments (on most platforms).

> > 2000/09/14,09:21:48 -5:00 GMT,
> > Server.IP.Address:53,Client.IP.Address:1038,UDP
>
> With kind regards,
>
> Maarten Van Horenbeeck
> OS2 & Unix System Administrator
> http://www.daemon.be
> maartenat_private
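
An added example, not part of the original post: one way to test the blocked-reply explanation above is to check whether each dropped packet from port 53 answers a query the client sent from that same port moments earlier. The outbound query log, its format (assumed identical to the posted alert format), the 30-second window and the addresses are assumptions, and the sample lines are constructed.

```python
from datetime import datetime, timedelta

def parse(line):
    # Format of the posted alert: date,time tz,src_ip:port,dst_ip:port,proto
    date, clock, src, dst, proto = [f.strip() for f in line.split(",")]
    # Both logs are assumed to share one timezone, so the offset is ignored.
    ts = datetime.strptime(f"{date} {clock.split()[0]}", "%Y/%m/%d %H:%M:%S")
    (sip, sport), (dip, dport) = src.rsplit(":", 1), dst.rsplit(":", 1)
    return ts, (sip, int(sport)), (dip, int(dport)), proto.upper()

def classify(alert_lines, query_lines, window=timedelta(seconds=30)):
    """Label each alert 'blocked-reply' if a matching query preceded it."""
    # Index outbound DNS queries by (client endpoint, server endpoint).
    sent = {}
    for line in query_lines:
        ts, src, dst, proto = parse(line)
        if proto == "UDP" and dst[1] == 53:
            sent.setdefault((src, dst), []).append(ts)
    results = []
    for line in alert_lines:
        ts, src, dst, proto = parse(line)
        # A reply reverses the query's endpoints: server:53 -> client:port.
        times = sent.get((dst, src), [])
        solicited = proto == "UDP" and src[1] == 53 and any(
            timedelta(0) <= ts - q <= window for q in times)
        results.append((dst[1], "blocked-reply" if solicited else "unsolicited"))
    return results

# Constructed sample data using documentation addresses (not from the post).
# Hypothetical outbound log: the client retries from the next port up.
QUERIES = [
    "2000/09/14,09:21:47 -5:00 GMT,198.51.100.10:1038,192.0.2.53:53,UDP",
    "2000/09/14,09:21:52 -5:00 GMT,198.51.100.10:1039,192.0.2.53:53,UDP",
]
# Inbound alerts in the posted format; the last has no matching query.
ALERTS = [
    "2000/09/14,09:21:48 -5:00 GMT,192.0.2.53:53,198.51.100.10:1038,UDP",
    "2000/09/14,09:21:53 -5:00 GMT,192.0.2.53:53,198.51.100.10:1039,UDP",
    "2000/09/14,09:21:54 -5:00 GMT,192.0.2.53:53,198.51.100.10:1040,UDP",
]

if __name__ == "__main__":
    for port, verdict in classify(ALERTS, QUERIES):
        print(port, verdict)
```

Alerts labelled blocked-reply point at a missing inbound rule on the gateway; alerts labelled unsolicited are the ones that fit the source-port-53 explanation in the quoted reply.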
This archive was generated by hypermail 2b30 : Thu May 17 2001 - 07:56:50 PDT