Michael Clark wrote:
>
> Snort grabbed the following traces last night. The source is my ISP's DNS
> server. Any ideas?
>
> May 28 21:42:40 111.222.333.444:53 -> 192.168.1.1:61068 UDP
> May 28 21:42:43 111.222.333.444:53 -> 192.168.1.1:61069 UDP
> May 28 21:42:43 111.222.333.444:53 -> 192.168.1.1:61070 UDP

I see this from time to time. _Usually_ the culprit is that the target system thinks it already received a reply or timed out the connection. The DNS server is still trying to reply and starts hitting incremental ports (remember DNS has no flags to work with so gracefully killing a UDP connection can get messy). Usually the attempt dies after an hour or so but it depends on the platform the DNS server is using. I've seen HP systems continue to retry for months. :)

Best way to know for sure is to check your outbound logs and see if 192.168.1.1 initiated a query just before this pattern started.

HTH,
Chris
--
**************************************
cbrentonat_private

* Mastering Cisco Routers
http://www.amazon.com/exec/obidos/ASIN/078212643X/
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/
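One way to run the outbound-log check suggested in the reply above, as an added example that is not part of the original message. It assumes the outbound log uses the same line format as the Snort traces; the outbound line, the fourth inbound line, the 5-second window and the year are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

LINE = re.compile(r"(\w{3} +\d+ \d\d:\d\d:\d\d) ([\d.]+):(\d+) -> ([\d.]+):(\d+) UDP")
ASSUMED_YEAR = 2001  # assumption: the traces carry no year

# First three lines are the traces quoted in the post; the fourth is constructed.
INBOUND = [
    "May 28 21:42:40 111.222.333.444:53 -> 192.168.1.1:61068 UDP",
    "May 28 21:42:43 111.222.333.444:53 -> 192.168.1.1:61069 UDP",
    "May 28 21:42:43 111.222.333.444:53 -> 192.168.1.1:61070 UDP",
    "May 28 21:50:00 10.0.0.53:53 -> 192.168.1.1:61071 UDP",
]
# Constructed outbound log, assumed to use the same line format.
OUTBOUND = ["May 28 21:42:38 192.168.1.1:61068 -> 111.222.333.444:53 UDP"]

def parse(lines):
    """Yield (time, src, sport, dst, dport) for each line in the trace format."""
    for line in lines:
        m = LINE.search(line)
        if m:
            ts = datetime.strptime(f"{ASSUMED_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), int(m.group(3)), m.group(4), int(m.group(5))

def classify_replies(inbound, outbound, window=timedelta(seconds=5)):
    """Label each inbound port-53 reply by whether the host asked for it."""
    queries = [q for q in parse(outbound) if q[4] == 53]
    results = []
    for ts, src, sport, dst, dport in parse(inbound):
        if sport != 53:
            continue
        # Earlier queries from this host to this server, on any source port.
        earlier = [q for q in queries if (q[1], q[3]) == (dst, src) and q[0] <= ts]
        # Of those, the ones sent from the exact port the reply is hitting.
        same_port = [q for q in earlier if q[2] == dport]
        if any(ts - q[0] <= window for q in same_port):
            label = "answered-query"   # normal request/response pair
        elif earlier:
            label = "late-reply"       # host did query this server: fits the reply's explanation
        else:
            label = "unsolicited"      # no query logged at all: needs a closer look
        results.append((ts.strftime("%H:%M:%S"), dport, label))
    return results

if __name__ == "__main__":
    for row in classify_replies(INBOUND, OUTBOUND):
        print(*row)
```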
This archive was generated by hypermail 2b30 : Tue May 29 2001 - 21:22:28 PDT