Re: UDP Scan port 53(dns) -> dst port <1024

From: Robert Graham (meat_private)
Date: Fri Feb 22 2002 - 14:04:14 PST

Next message: Paul Gear: "Re: strange telnet behavior"

Previous message: David Carmean: "Virus/trojan tunnel out from behind firewall?"
Maybe in reply to: Clinton Smith: "UDP Scan port 53(dns) -> dst port <1024"
Next in thread: Clinton Smith: "Re: UDP Scan port 53(dns) -> dst port <1024"
Reply: Clinton Smith: "Re: UDP Scan port 53(dns) -> dst port <1024"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

>external(possibly spoofed)host:53  -UDP->  localsystem:987
>external(possibly spoofed)host:53  -UDP->  localsystem:988
>external(possibly spoofed)host:53  -UDP->  localsystem:989

These are probably replies to queries from your own machines
who are behind a NAT:

http://www.robertgraham.com/pubs/firewall-seen.html#1.9

This is a PTR response to resolve the IP address of
192.168.200.82. Since this is a private address, it points
to one machine behind your NAT resolving the IP address
of another machine behind your NAT.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Paul Gear: "Re: strange telnet behavior"
Previous message: David Carmean: "Virus/trojan tunnel out from behind firewall?"
Maybe in reply to: Clinton Smith: "UDP Scan port 53(dns) -> dst port <1024"
Next in thread: Clinton Smith: "Re: UDP Scan port 53(dns) -> dst port <1024"
Reply: Clinton Smith: "Re: UDP Scan port 53(dns) -> dst port <1024"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Sun Feb 24 2002 - 20:54:22 PST