RE: port scan from 53

From: Mike Batchelor (mikebatat_private)
Date: Wed May 16 2001 - 15:50:42 PDT


    > JK,
    >
    > > Does anyone have any idea what would cause a scan to originate from port 53
    > > on an IRIX based server and destined for users on incrementing ports
    > > starting in the 1000 range and continuing, in cases, to 4000 range.
    >
    > The attacker might be expecting that your ACL / packetfilter accepts/passes
    > all packets originating from 53 UDP (DNS-lookups).  This is often the case
    > on insecure packet-filter installations.
    
    It could also be the result of improper filters on JK's gateway.  If he is
    permitting outgoing packets to 53/UDP for DNS, but forgot to allow the
    incoming replies from 53/UDP to pass back to his clients, then he would see
    alerts just like the ones he posted.  When the client's resolver library
    fails to see a reply and retransmits the query, the client port number
    increments (on most platforms).
    
    >
    > > 2000/09/14,09:21:48 -5:00 GMT,
    > > Server.IP.Address:53,Client.IP.Address:1038,UDP
    >
    > With kind regards,
    >
    > Maarten Van Horenbeeck
    > OS2 & Unix System Administrator
    > http://www.daemon.be
    > maartenat_private
    >
    >
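
One way to tell the two explanations in this message apart, as an added example that is not part of the original post: match each inbound packet from 53/UDP against an earlier outbound query from the same client port to the same server. It assumes the gateway also logs outbound queries in the field layout of the quoted alert; the addresses (documentation ranges), the sample lines and the 30-second `WINDOW` are constructed for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=30)  # assumed lifetime of a pending query

# Constructed sample in the layout of the quoted alert:
# date,time zone,src:port,dst:port,proto
SAMPLE = [
    "2000/09/14,09:21:48 -5:00 GMT,198.51.100.10:1038,192.0.2.53:53,UDP",
    "2000/09/14,09:21:49 -5:00 GMT,192.0.2.53:53,198.51.100.10:1038,UDP",
    "2000/09/14,09:21:54 -5:00 GMT,198.51.100.10:1039,192.0.2.53:53,UDP",
    "2000/09/14,09:21:55 -5:00 GMT,192.0.2.53:53,198.51.100.10:1039,UDP",
    "2000/09/14,09:22:10 -5:00 GMT,203.0.113.7:53,198.51.100.10:1040,UDP",
    "2000/09/14,09:22:11 -5:00 GMT,203.0.113.7:53,198.51.100.10:1041,UDP",
]

def parse(line):
    """Split one log line into (time, src_ip, src_port, dst_ip, dst_port, proto)."""
    date, clock, src, dst, proto = [f.strip() for f in line.split(",")]
    when = datetime.strptime(f"{date} {clock.split()[0]}", "%Y/%m/%d %H:%M:%S")
    (sip, sport), (dip, dport) = src.rsplit(":", 1), dst.rsplit(":", 1)
    return when, sip, int(sport), dip, int(dport), proto.upper()

def classify(lines):
    """Label each inbound 53/UDP packet as 'reply' (matches a recent
    outbound query) or 'unsolicited' (no query was seen for it)."""
    pending = {}  # (client_ip, client_port, server_ip) -> time of last query
    results = []
    # Stable sort by timestamp keeps log order for same-second entries.
    for when, sip, sport, dip, dport, proto in sorted(
            map(parse, lines), key=lambda rec: rec[0]):
        if proto != "UDP":
            continue
        if dport == 53:        # outbound query: remember who asked whom
            pending[(sip, sport, dip)] = when
        elif sport == 53:      # inbound packet claiming to be a DNS reply
            asked = pending.get((dip, dport, sip))
            solicited = asked is not None and when - asked <= WINDOW
            results.append((dip, dport, "reply" if solicited else "unsolicited"))
    return results

if __name__ == "__main__":
    for client, port, verdict in classify(SAMPLE):
        print(f"{client}:{port} {verdict}")
```

Alerts that all come back as `reply` point to the missing inbound rule described above; `unsolicited` ones are the case worth investigating.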
    


