Replies to DNS queries should be coming FROM port 53, not (necessarily)
addressed TO port 53.

David Gillett

> -----Original Message-----
> From: Mike [mailto:mikeat_private]
> Sent: June 6, 2003 00:40
> To: 'Ronald Belchez'; incidentsat_private
> Subject: RE: strange traffic on UDP port 53
>
> After deploying a new mail server/internet gateway (behind a firewall) I
> found a similar problem with packets being stopped by our firewall.
> After performing an nslookup on the "offending" IP address I found it
> belonged to our ISP. On querying them about this odd behavior the
> explanation given (and other evidence seems to bear this out) was that
> our mail server was performing DNS lookups for the delivery of mail and
> on behalf of our internal network as it was configured as a forwarder
> because it was behind a firewall. The IP address in question was merely
> replying to DNS queries which had been forwarded to it by our ISP's
> primary DNS server and as the firewall would only allow DNS replies
> through from certain IP addresses it was stopping any others. The
> incrementing of the source ports you are seeing is due to the fact that
> when the DNS reply is not acknowledged by the target system it tries
> again on the next available port.
> It is only usually a minor inconvenience (although the other day one
> server filled my firewall log 4 times and I was alerted to possible port
> scans a number of times during the day). If it bothers you too much try
> filtering the logs to remove the offending entries or you can allow all
> port 53 traffic in (unless like me you suffer from paranoid delusions
> that everyone on the internet is out to get you).
>
> > -----Original Message-----
> > From: Ronald Belchez [mailto:meukoneat_private]
> > Sent: 04 June 2003 22:14
> > To: incidentsat_private
> > Subject: strange traffic on UDP port 53
> >
> > Hi All,
> >
> > We don't have a firewall and are just relying on an access-list on our
> > border router. After I applied the new access-list I am continuously
> > receiving the logs shown below. The destination IP is our mail server
> > (not running any DNS service) while the source IP (unsolicited and
> > using a source port with some sort of incremental pattern; the
> > denied-packet logs are also continuous now for about 4 days). I am not
> > aware of any trojan or worm using the below. I already tried searching
> > Google but cannot find the explanation or something that might help me
> > understand the below.... Please advise.
> >
> > --logs starts here---
> > denied udp XX7.Y3.71.242(54067) -> XX3.Y1.246.66(53), 1 packet
> > denied udp XX7.Y3.71.242(54070) -> XX3.Y1.246.66(53), 1 packet
> > denied udp XX7.Y3.71.242(53967) -> XX3.Y1.246.66(53), 2 packets
> > denied udp XX7.Y3.71.242(53972) -> XX3.Y1.246.66(53), 2 packets
> > denied udp XX7.Y3.71.242(53979) -> XX3.Y1.246.66(53), 2 packets
> > denied udp XX7.Y3.71.242(53989) -> XX3.Y1.246.66(53), 2 packets
> > denied udp XX7.Y3.71.242(54003) -> XX3.Y1.246.66(53), 2 packets
> > denied udp XX7.Y3.71.242(53982) -> XX3.Y1.246.66(53), 34 packets
> > denied udp XX7.Y3.71.242(54009) -> XX3.Y1.246.66(53), 2 packets
> > denied udp XX7.Y3.71.242(54027) -> XX3.Y1.246.66(53), 2 packets
> > denied udp XX7.Y3.71.242(54035) -> XX3.Y1.246.66(53), 2 packets
> > denied udp XX7.Y3.71.242(54042) -> XX3.Y1.246.66(53), 2 packets
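David Gillett's point is a test you can apply mechanically: a DNS reply to a lookup we made arrives FROM port 53 to the high port our resolver opened, whereas a packet TO port 53 from a high port is a query addressed to us. The following is an added example (not code from anyone in the thread) that parses the access-list log format shown above and tallies each sender by that direction; the sample lines are constructed to match the masked log entries in the post.

```python
import re
from collections import Counter

# Constructed sample lines in the same shape as the ACL log quoted in the
# thread (addresses are masked placeholders, exactly as in the original post).
SAMPLE_LOG = """\
denied udp XX7.Y3.71.242(54067) -> XX3.Y1.246.66(53), 1 packet
denied udp XX7.Y3.71.242(54070) -> XX3.Y1.246.66(53), 1 packet
denied udp XX7.Y3.71.242(53982) -> XX3.Y1.246.66(53), 34 packets
denied udp XX3.Y1.246.66(53) -> XX7.Y3.71.242(41234), 1 packet
"""

# "denied udp SRC(SPORT) -> DST(DPORT), N packet(s)"
LINE_RE = re.compile(
    r"denied udp (?P<src>[\w.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\w.]+)\((?P<dport>\d+)\), (?P<n>\d+) packets?"
)


def parse_line(line):
    """Return the fields of one ACL log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]), "packets": int(d["n"])}


def classify(entry):
    """Decide, from which side carries port 53, what the packet is.
    A reply to our own lookup comes FROM 53 to the resolver's high port;
    a packet TO 53 from a high port is a query addressed to us."""
    if entry["dport"] == 53 and entry["sport"] != 53:
        return "query-to-us"
    if entry["sport"] == 53 and entry["dport"] != 53:
        return "reply-to-us"
    if entry["sport"] == 53 and entry["dport"] == 53:
        return "ambiguous"  # both sides on 53: direction cannot be told from ports
    return "not-dns"


def summarize(log_text):
    """Sum packets per (sender, direction) so a host that keeps sending
    queries to a server that runs no DNS service stands out clearly."""
    totals = Counter()
    for line in log_text.splitlines():
        e = parse_line(line)
        if e:
            totals[(e["src"], classify(e))] += e["packets"]
    return dict(totals)
```

Run against the sample, every packet from XX7.Y3.71.242 is counted as a query addressed to the mail server, which is the opposite of what "the ISP was merely replying" would produce.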
This archive was generated by hypermail 2b30 : Mon Jun 09 2003 - 08:58:35 PDT