Over the last few days we have seen some atypical traffic. Does anyone know of a tool that will generate packets like these (xprobe does not seem to fit the bill):

external(possibly spoofed)host:53 -UDP-> localsystem:987
external(possibly spoofed)host:53 -UDP-> localsystem:988
external(possibly spoofed)host:53 -UDP-> localsystem:989

0E 8E 84 03 00 01 00 00 00 01 00 00 02 38 32 03  .............82.
32 30 30 03 31 36 38 03 31 39 32 07 69 6E 2D 61  200.168.192.in-a
64 64 72 04 61 72 70 61 00 00 0C 00 01 C0 13 00  ddr.arpa........
06 00 01 00 01 51 80 00 36 09 62 6C 61 63 6B 68  .....Q..6.blackh
6F 6C 65 04 69 61 6E 61 03 6F 72 67 00 05 63 72  ole.iana.org..cr
61 69 6E 05 69 63 61 6E 6E C0 48 01 30 BD AE 00  ain.icann.H.0...
00 2A 30 00 00 03 84 00 09 3A 80 00 01 51 80     .*0......:...Q.

It is detected by Snort etc. as: "MISC source port 53 to <1024". The content looks like a DNS packet, but my understanding of RFC 1035 (DNS) is that the target port should be either 53 or >1024. Is this what it appears to be (i.e. a slow-moving UDP port scan), masquerading as DNS traffic?

Kind regards,
Clinton

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
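The following is an added example, not part of Clinton's post or of any tool mentioned in it. It decodes the hex dump from the post as an RFC 1035 DNS message (header, question section, and the SOA record in the authority section, including compression pointers) so an analyst can see exactly what the payload says, and it reproduces the generic "source port 53 to a port below 1024" condition the Snort rule matched on. The byte string is copied from the post; the rule-check function and its port arguments (53 to 987) are assumptions taken from the traffic summary lines, and the payload decodes as an authoritative NXDOMAIN reply for 82.200.168.192.in-addr.arpa whose SOA names blackhole.iana.org, which is what a reverse lookup of a private 192.168.x.x address typically gets from the IANA blackhole servers.

```python
# Added example (not from the original post): decode the captured bytes as a
# DNS message per RFC 1035 and apply the same source-port-53 / low-port check
# that the poster's Snort signature expresses.
import struct

# Hex bytes copied from the post (ASCII column dropped).
CAPTURED_HEX = (
    "0E 8E 84 03 00 01 00 00 00 01 00 00 02 38 32 03"
    " 32 30 30 03 31 36 38 03 31 39 32 07 69 6E 2D 61"
    " 64 64 72 04 61 72 70 61 00 00 0C 00 01 C0 13 00"
    " 06 00 01 00 01 51 80 00 36 09 62 6C 61 63 6B 68"
    " 6F 6C 65 04 69 61 6E 61 03 6F 72 67 00 05 63 72"
    " 61 69 6E 05 69 63 61 6E 6E C0 48 01 30 BD AE 00"
    " 00 2A 30 00 00 03 84 00 09 3A 80 00 01 51 80"
)
CAPTURED = bytes.fromhex(CAPTURED_HEX)

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
TYPES = {1: "A", 2: "NS", 6: "SOA", 12: "PTR"}


def read_name(msg, off):
    """Read a possibly compressed domain name; return (name, offset after it)."""
    labels, jumped, end, hops = [], False, None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:          # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = off + 2              # caller resumes after the 2-byte pointer
            off = ((length & 0x3F) << 8) | msg[off + 1]
            jumped = True
            hops += 1
            if hops > 64:                  # guard against pointer loops in hostile input
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def read_rr(msg, off):
    """Read one resource record; SOA RDATA is decoded, other types kept raw."""
    name, off = read_name(msg, off)
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    rr = {"name": name, "type": TYPES.get(rtype, rtype), "class": rclass, "ttl": ttl}
    if rtype == 6:  # SOA: MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM
        rr["mname"], p = read_name(msg, off)
        rr["rname"], p = read_name(msg, p)
        (rr["serial"], rr["refresh"], rr["retry"],
         rr["expire"], rr["minimum"]) = struct.unpack("!IIIII", msg[p:p + 20])
    else:
        rr["rdata"] = msg[off:off + rdlen]
    return rr, off + rdlen


def parse_dns(msg):
    """Parse header, question, answer and authority sections of a DNS message."""
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    out = {
        "id": ident,
        "is_response": bool(flags & 0x8000),   # QR bit
        "authoritative": bool(flags & 0x0400), # AA bit
        "rcode": RCODES.get(flags & 0x000F, flags & 0x000F),
        "questions": [], "answers": [], "authority": [],
    }
    off = 12
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        out["questions"].append((name, TYPES.get(qtype, qtype), qclass))
    for section, count in (("answers", an), ("authority", ns)):
        for _ in range(count):
            rr, off = read_rr(msg, off)
            out[section].append(rr)
    return out


def flag_low_port_dns(src_port, dst_port, proto="UDP"):
    """Condition behind the generic rule: UDP from source port 53 to a port < 1024."""
    return proto == "UDP" and src_port == 53 and dst_port < 1024


if __name__ == "__main__":
    print("rule condition matches 53 -> 987:", flag_low_port_dns(53, 987))
    for key, value in parse_dns(CAPTURED).items():
        print(f"{key}: {value}")
```

Running the decoder against the captured payload gives the analyst the two facts the hex dump hides: the packet is a well-formed response (QR and AA set, RCODE 3) to a PTR query for a private address, and its authority section is the SOA of 168.192.in-addr.arpa served by blackhole.iana.org. Whether such replies arriving at sequential low destination ports are a scan is a question of the surrounding traffic (which hosts were queried, and by whom), not of this payload alone.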
This archive was generated by hypermail 2b30 : Fri Feb 22 2002 - 11:56:18 PST