Re: UDP scan from DNS server?

From: David Luyer (david_luyerat_private)
Date: Tue May 29 2001 - 19:35:14 PDT

    > Snort grabbed the following traces last night. The source is my ISP's DNS
    > server. Any ideas?
    > 
    > May 28 21:42:40 111.222.333.444:53 -> 192.168.1.1:61068 UDP
    > May 28 21:42:43 111.222.333.444:53 -> 192.168.1.1:61069 UDP
    > May 28 21:42:43 111.222.333.444:53 -> 192.168.1.1:61070 UDP
    > May 28 21:42:43 111.222.333.444:53 -> 192.168.1.1:61071 UDP
    [...]
    
    That, most likely, your IDS has no clue.  Your ISP is responding to your
    DNS requests, and you're detecting them as an "attack".
    
    What's more, users of these broken IDSs often firewall their ISP's DNS
    servers, and then ring the ISP and say "why can't I web browse anymore?"
    
    *sigh*
    
    David.
    -- 
    David Luyer                                        Phone:   +61 3 9674 7525
    Engineering Projects Manager   P A C I F I C       Fax:     +61 3 9699 8693
    Pacific Internet (Australia)  I N T E R N E T      Mobile:  +61 4 1111 2983
    http://www.pacific.net.au/                         NASDAQ:  PCNTF
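
The check the reply implies, as an added example that is not part of the original message: before treating UDP packets from source port 53 as a scan, test whether each one answers a query the host itself sent to that resolver. The log lines are constructed in the trace format quoted above; the resolver address 192.0.2.53, the 10-second window and the function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Trace format quoted in the message: "May 28 21:42:40 SRC:PORT -> DST:PORT UDP"
LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) (\S+):(\d+) -> (\S+):(\d+) UDP$")

# Constructed sample: outbound queries plus inbound packets (documentation addresses).
SAMPLE = [
    "May 28 21:42:39 192.168.1.1:61068 -> 192.0.2.53:53 UDP",
    "May 28 21:42:40 192.0.2.53:53 -> 192.168.1.1:61068 UDP",
    "May 28 21:42:43 192.168.1.1:61069 -> 192.0.2.53:53 UDP",
    "May 28 21:42:43 192.0.2.53:53 -> 192.168.1.1:61069 UDP",
    # No query was sent from port 61070, so this one is not an answer.
    "May 28 21:42:50 192.0.2.53:53 -> 192.168.1.1:61070 UDP",
    # Source port 53, but not one of the configured resolvers.
    "May 28 21:43:01 198.51.100.7:53 -> 192.168.1.1:61071 UDP",
]

def parse(line, year=2001):
    """Return (time, src, sport, dst, dport), or None if the line does not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2), int(m.group(3)), m.group(4), int(m.group(5))

def triage(lines, resolvers, window=timedelta(seconds=10)):
    """Label every packet that is not an outbound query to a known resolver."""
    pending = {}   # (client, client_port, resolver) -> time the query was sent
    results = []
    for ts, src, sport, dst, dport in filter(None, map(parse, lines)):
        if dport == 53 and dst in resolvers:
            pending[(src, sport, dst)] = ts      # remember the outbound query
            continue
        if sport == 53 and src in resolvers:
            # One answer per query: consume the pending entry when it matches.
            asked = pending.pop((dst, dport, src), None)
            if asked is not None and timedelta(0) <= ts - asked <= window:
                verdict = "solicited-dns-reply"
            else:
                verdict = "unsolicited-from-resolver"
        else:
            verdict = "not-dns-reply"
        results.append((src, sport, dport, verdict))
    return results

if __name__ == "__main__":
    for row in triage(SAMPLE, {"192.0.2.53"}):
        print(row)
```

Only the packets labelled as anything other than `solicited-dns-reply` need a closer look; a stateful firewall makes the same distinction when it admits replies to outbound queries instead of blocking the resolver outright.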
    


