Re: strange traffic on UDP port 53

From: Valdis.Kletnieksat_private
Date: Thu Jun 05 2003 - 12:35:37 PDT


On Wed, 04 Jun 2003 21:13:47 -0000, Ronald Belchez <meukoneat_private>  said:

> --logs starts here---
> denied udp XX7.Y3.71.242(54067) -> XX3.Y1.246.66(53), 1 packet
> denied udp XX7.Y3.71.242(54070) -> XX3.Y1.246.66(53), 1 packet

Somebody's got a b0rked network load balancer?  Some of these will do
ICMP PING or DNS queries from multiple servers to figure out which one
is "closest".  But in that case, you'll usually see a flurry of 2-5
packets from different places at the same time...

Or maybe you got a user that typed your *mail* server into his laptop's
config, right where it says "DNS Server address"...  and they're on the
road and b0rked.

I've seen both of those scenarios before.  In fact, unless there's clear and
obvious signs (like a malware payload), I no longer even *think* about a
"merely odd" logfile trace in terms of "trojan/worm" until I've ruled out
simple user stupidity...
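The two benign explanations above (a load balancer probing from several servers at once, versus one misconfigured laptop retrying against the mail server) leave different shapes in a firewall log, and that shape can be checked mechanically before anyone reaches for the word "trojan". The following script is an added example, not code from the original post or its author: it parses denied-UDP/53 log lines in the same format as the excerpt and groups them per destination, then labels each destination as a multi-source burst or a single repeating host. The sample log, its timestamp prefix (the post's excerpt has none), the RFC 5737 documentation addresses, and the 5-second window and 2-source threshold are all constructed assumptions for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the original post). The ISO timestamp prefix
# is an assumption; the addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2003-06-04T21:10:02 denied udp 198.51.100.42(54067) -> 203.0.113.66(53), 1 packet
2003-06-04T21:10:41 denied udp 198.51.100.42(54070) -> 203.0.113.66(53), 1 packet
2003-06-04T21:13:05 denied udp 198.51.100.42(54071) -> 203.0.113.66(53), 1 packet
2003-06-04T21:20:00 denied udp 192.0.2.10(33001) -> 203.0.113.25(53), 1 packet
2003-06-04T21:20:01 denied udp 192.0.2.77(33002) -> 203.0.113.25(53), 1 packet
2003-06-04T21:20:01 denied udp 198.51.100.9(33003) -> 203.0.113.25(53), 1 packet
2003-06-04T21:30:00 denied tcp 192.0.2.10(44444) -> 203.0.113.25(25), 1 packet
"""

# Matches "<ts> denied <proto> <src>(<sport>) -> <dst>(<dport>), <n> packet(s)".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) denied (?P<proto>udp|tcp) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?$"
)


def parse(log_text):
    """Turn log text into a list of event dicts; lines that don't match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ts": datetime.fromisoformat(d["ts"]),
            "proto": d["proto"],
            "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]),
            "count": int(d["count"]),
        })
    return events


def classify_dns_denials(events, burst_window=timedelta(seconds=5), min_burst_sources=2):
    """Label each destination that received denied UDP/53 traffic.

    A 'burst' is >= min_burst_sources distinct sources within burst_window of
    each other (the load-balancer pattern); repeated hits from one source spread
    over time is the misconfigured-client pattern. Thresholds are assumptions.
    """
    by_dst = defaultdict(list)
    for e in events:
        if e["proto"] == "udp" and e["dport"] == 53:
            by_dst[e["dst"]].append(e)

    verdicts = {}
    for dst, evs in by_dst.items():
        evs.sort(key=lambda e: e["ts"])
        sources = {e["src"] for e in evs}

        # Sliding window anchored at each event: distinct sources seen shortly after it.
        burst = False
        for i, first in enumerate(evs):
            window_srcs = {e["src"] for e in evs[i:] if e["ts"] - first["ts"] <= burst_window}
            if len(window_srcs) >= min_burst_sources:
                burst = True
                break

        if burst:
            verdicts[dst] = "burst from multiple sources (load-balancer style probing)"
        elif len(sources) == 1 and len(evs) > 1:
            verdicts[dst] = f"repeated queries from single host {next(iter(sources))} (likely misconfigured client)"
        else:
            verdicts[dst] = "single event, undetermined"
    return verdicts


if __name__ == "__main__":
    for dst, verdict in classify_dns_denials(parse(SAMPLE_LOG)).items():
        print(f"{dst}: {verdict}")
```

On the constructed sample, the first destination is flagged as a single repeating host (three hits from one address over three minutes) and the second as a multi-source burst (three addresses within one second); the TCP/25 line is ignored because only UDP/53 denials are of interest here. A real deployment would want a much longer window of logs than a handful of lines, since the "flurry" signal is only meaningful once enough events have been seen.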
    
This archive was generated by hypermail 2b30 : Fri Jun 06 2003 - 08:46:01 PDT