RE: strange traffic on UDP port 53

From: David Gillett (gillettdavidat_private)
Date: Fri Jun 06 2003 - 10:35:34 PDT


    Replies to DNS queries should be coming FROM port 53, not
    (necessarily) addressed TO port 53.
    
    David Gillett
    
    
    > -----Original Message-----
    > From: Mike [mailto:mikeat_private]
    > Sent: June 6, 2003 00:40
    > To: 'Ronald Belchez'; incidentsat_private
    > Subject: RE: strange traffic on UDP port 53
    > 
    > 
    > After deploying a new mail server/internet gateway (behind a firewall) I
    > found a similar problem with packets being stopped by our firewall.
    > After performing an nslookup on the "offending" IP address I found it
    > belonged to our ISP. On querying them about this odd behavior the
    > explanation given (and other evidence seems to bear this out) was that
    > our mail server was performing DNS lookups for the delivery of mail and
    > on behalf of our internal network, as it was configured as a forwarder
    > because it was behind a firewall. The IP address in question was merely
    > replying to DNS queries which had been forwarded to it by our ISP's
    > primary DNS server, and as the firewall would only allow DNS replies
    > through from certain IP addresses it was stopping any others. The
    > incrementing of the source ports you are seeing is due to the fact that
    > when the DNS reply is not acknowledged by the target system it tries
    > again on the next available port.
    > It is only usually a minor inconvenience (although the other day one
    > server filled my firewall log 4 times and I was alerted to possible port
    > scans a number of times during the day). If it bothers you too much, try
    > filtering the logs to remove the offending entries, or you can allow all
    > port 53 traffic in (unless like me you suffer from paranoid delusions
    > that everyone on the internet is out to get you).
    > 
    > -----Original Message-----
    > From: Ronald Belchez [mailto:meukoneat_private] 
    > Sent: 04 June 2003 22:14
    > To: incidentsat_private
    > Subject: strange traffic on UDP port 53
    > 
    > 
    > 
    > Hi All,
    > 
    > We don't have a firewall and are just relying on an access-list on our
    > border router. After I applied the new access-list I am continuously
    > receiving the logs shown below. The destination IP is our mail server
    > (not running any DNS service), while the source IP is unsolicited and
    > uses source ports with some sort of incremental pattern; the denied
    > packet logs have also been continuous now for about 4 days. I am not
    > aware of any trojan or worm using the below. I already tried searching
    > Google but cannot find the explanation or something that might help me
    > understand the below.... Please advise.
    > 
    > 
    > 
    > --logs start here---
    > 
    > denied udp XX7.Y3.71.242(54067) -> XX3.Y1.246.66(53), 1 packet
    > denied udp XX7.Y3.71.242(54070) -> XX3.Y1.246.66(53), 1 packet
    > denied udp XX7.Y3.71.242(53967) -> XX3.Y1.246.66(53), 2 packets
    > denied udp XX7.Y3.71.242(53972) -> XX3.Y1.246.66(53), 2 packets
    > denied udp XX7.Y3.71.242(53979) -> XX3.Y1.246.66(53), 2 packets
    > denied udp XX7.Y3.71.242(53989) -> XX3.Y1.246.66(53), 2 packets
    > denied udp XX7.Y3.71.242(54003) -> XX3.Y1.246.66(53), 2 packets
    > denied udp XX7.Y3.71.242(53982) -> XX3.Y1.246.66(53), 34 packets
    > denied udp XX7.Y3.71.242(54009) -> XX3.Y1.246.66(53), 2 packets
    > denied udp XX7.Y3.71.242(54027) -> XX3.Y1.246.66(53), 2 packets
    > denied udp XX7.Y3.71.242(54035) -> XX3.Y1.246.66(53), 2 packets
    > denied udp XX7.Y3.71.242(54042) -> XX3.Y1.246.66(53), 2 packets
    > 
    
    ----------------------------------------------------------------------------
    ----------------------------------------------------------------------------
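The distinction David draws above (answers come FROM port 53; traffic addressed TO port 53 from a changing high port has the shape of a query, not of a reply to one you sent) is easy to check mechanically against access-list denies like the ones Ronald posted. What follows is an added example written for this archive page, not code from anyone on the list. It parses lines in the same `denied udp A(p) -> B(q), N packets` format, classifies each by which side holds port 53, and flags sources that hit the local port 53 from several distinct ephemeral ports. The log lines are constructed with documentation addresses (192.0.2.x, 198.51.100.x); the "query-shaped"/"reply-shaped" labels are the example's own terms for the port pattern and say nothing about what is actually running at the remote end.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on the access-list denies quoted in the thread.
# Documentation addresses only; these are not the poster's real hosts.
SAMPLE_LOG = """\
denied udp 198.51.100.242(54067) -> 192.0.2.66(53), 1 packet
denied udp 198.51.100.242(54070) -> 192.0.2.66(53), 1 packet
denied udp 198.51.100.242(53967) -> 192.0.2.66(53), 2 packets
denied udp 198.51.100.242(53982) -> 192.0.2.66(53), 34 packets
denied udp 198.51.100.10(53) -> 192.0.2.66(33021), 1 packet
denied udp 198.51.100.10(53) -> 192.0.2.66(33022), 1 packet
denied udp 198.51.100.77(53) -> 192.0.2.66(53), 3 packets
some unrelated line that should be ignored
"""

# Matches "denied udp SRC(SPORT) -> DST(DPORT), N packet(s)".
LINE_RE = re.compile(
    r"denied\s+udp\s+(?P<src>[\d.]+)\((?P<sport>\d+)\)\s*->\s*"
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\),\s*(?P<count>\d+)\s+packets?"
)


def parse_line(line):
    """Return a dict for one denied-UDP line, or None if the line does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {"src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]), "count": int(d["count"])}


def classify(entry):
    """Label a parsed entry by which end holds port 53.

    reply-shaped:  source port 53, ephemeral destination port. This is the shape
                   of an answer to a query the local host itself sent.
    query-shaped:  ephemeral source port, destination port 53. This is the shape
                   of a query aimed at the local host, which is what the thread's
                   denies show.
    server-server: both ports 53 (old-style resolver-to-resolver traffic).
    other:         port 53 on neither side.
    """
    s, d = entry["sport"], entry["dport"]
    if s == 53 and d == 53:
        return "server-server"
    if s == 53:
        return "reply-shaped"
    if d == 53:
        return "query-shaped"
    return "other"


def summarize(log_text):
    """Aggregate per (source address, class): total packets and distinct source ports."""
    packets = Counter()
    ports = defaultdict(set)
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue  # non-matching lines (other ACL entries, noise) are skipped
        key = (e["src"], classify(e))
        packets[key] += e["count"]
        ports[key].add(e["sport"])
    return {k: {"packets": packets[k], "distinct_src_ports": len(ports[k])}
            for k in packets}


def query_streams(summary, min_ports=3):
    """Sources sending query-shaped traffic from at least min_ports different
    source ports. A steady stream of these is worth looking at on the local
    host (is anything listening on UDP 53, and should it be?) rather than
    being explained away as late replies, which would carry source port 53."""
    return sorted(src for (src, cls), v in summary.items()
                  if cls == "query-shaped" and v["distinct_src_ports"] >= min_ports)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for (src, cls), v in sorted(summary.items()):
        print(f"{src:<16} {cls:<14} packets={v['packets']:<4} "
              f"src_ports={v['distinct_src_ports']}")
    print("query streams:", query_streams(summary))
```

Run against a real ACL log by reading the file into `summarize()`; the sample above yields one query stream (198.51.100.242, 38 packets over four source ports), two reply-shaped packets from 198.51.100.10, and one server-to-server entry. The threshold in `query_streams` is deliberately small so a handful of retries on fresh ports already stands out; raise it for noisier logs.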
    



    This archive was generated by hypermail 2b30 : Mon Jun 09 2003 - 08:58:35 PDT