Re: NT Compromise -- UPDATE (UDP Flood SRC=53)

From: Mike Lewinski (mikeat_private)
Date: Mon Dec 24 2001 - 13:39:27 PST

Next message: Bill Royds: "RE: NT Compromise -- Update -- SRC PORT: 53 traffic"

Previous message: Loki: "NT Compromise -- Update -- SRC PORT: 53 traffic"
In reply to: Loki: "NT Compromise -- UPDATE (UDP Flood SRC=53)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> I NEED to figure out what this traffic is as it is what originally gave us
the
> impression it was compromised. SOURCE PORT of 53? The only thing
> I can google on this is a bit of references to Stacheldraht.

BIND has a directive that allows the source port of all queries (i.e.
recursive lookups) to be specified. It's fairly common to set it to 53. This
makes for cleaner firewall setup.

It doesn't sound like that's what you're seeing now. However, if it is a DoS
tool, it may be assuming that every firewall is going to all UDP 53 through
and that's why.

Mike



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Bill Royds: "RE: NT Compromise -- Update -- SRC PORT: 53 traffic"
Previous message: Loki: "NT Compromise -- Update -- SRC PORT: 53 traffic"
In reply to: Loki: "NT Compromise -- UPDATE (UDP Flood SRC=53)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Dec 25 2001 - 14:11:15 PST