Re: strange traffic on UDP port 53

From: Ronald Belchez (meukoneat_private)
Date: Wed Jun 11 2003 - 09:45:46 PDT


    In-Reply-To: <m19PS3d-000B44Cat_private>
    
    Hello All,
    
    Sorry for my late reply.
    Provided below is the captured info, as per the Ethereal packet analyser.
    
    1. Using the same src_IP:port# to dst_IP:port# (as earlier provided), it
    is using a DNS query for PTR 48.1.1.192.in-addr.arpa.
    
    2. Then our mail server replies to the same source IP, using ICMP (0x01)
    destination unreachable.
    
    (I don't know a good way to dump the rest of the captured packets here;
    if anyone is interested I can send the capture file.) The same pattern
    is being repeated and banging on my ACL on the router. Please take note that
    only this specific source IP is hitting the ACL. The rest of the log is
    clean except for occasional denied port 80 access on that subnet.
    
    PS: We tried deploying a firewall before (Netscreen), but it did not work
    on our network, as the traffic coming onto our network is mostly forwarded
    traffic. We are a service provider for VSAT networks. (Our clients'
    internet requests go via their normal connection, and the Internet forwards
    them to us; then we transmit them to the satellite at a very fast speed.) This
    topic is a bit unrelated to the issue above, but I know a lot of you
    (actually some have suggested it) think that we should just implement a
    firewall so that I don't rely only on the router ACL.
    
    If anyone has an explanation for the above captured traffic, which has
    constantly (for 2 weeks now) been logged on our router ACL, please
    advise. (It looks to me like it could be a DoS, but I am not sure.) Thanks
    in advance.
    
    The client was already contacted, but no response has been received yet.
    
    
    >Message-Id: <m19PS3d-000B44Cat_private>
    >Date: Mon, 9 Jun 2003 15:11:53 -0400 (EDT)
    >From: "Greg A. Woods" <woodsat_private>
    >To: <gillettdavidat_private>
    >Cc: "'Mike'" <mikeat_private>,
    >	"'Ronald Belchez'" <meukoneat_private>,
    >	<incidentsat_private>
    >Subject: RE: strange traffic on UDP port 53
    >In-Reply-To: <042501c32eb6$46e4ef40$6e811299@gillett>
    >References: <m19PPxH-000B44Cat_private>
    >	<042501c32eb6$46e4ef40$6e811299@gillett>
    >X-Mailer: VM 7.07 under Emacs 21.2.1
    >Organization: Planix, Inc.; Toronto, Ontario; Canada
    >
    >[ On Monday, June 9, 2003 at 11:38:08 (-0700), David Gillett wrote: ]
    >> Subject: RE: strange traffic on UDP port 53
    >>
    >> > -----Original Message-----
    >> > From: Greg A. Woods [mailto:woodsat_private]
    >> > 
    >> > [ On Friday, June 6, 2003 at 10:35:34 (-0700), David Gillett wrote: ]
    >> > > Subject: RE: strange traffic on UDP port 53
    >> > >
    >> > >   Replies to DNS queries should be coming FROM port 53,
    >> > 
    >> > True, though unfortunately it's not always the case.
    >> 
    >>   ... but your further paragraph argues that it is hardly unfortunate at
    >> all, since it's *practically always* the case.
    >
    >Indeed -- I was confusing "replies to DNS queries" with "DNS queries".   :-)
    >(because usually I avoid the confusion by calling them "DNS replies")
    >
    >DNS queries should have a source port of 53, but often don't.
    >
    >DNS queries MUST have a destination port of 53.
    >
    >DNS replies simply swap the source and destination (addresses and port
    >numbers together) and out they go.
    >
    >>   If a UDP packet is FROM and ephemeral port TO port 53, it's almost
    >> certainly a DNS *request*, and not a *reply*.  And that's the pattern
    >> reported in this case.
    >
    >Indeed it is!
    >
    >-- 
    >								Greg A. Woods
    >
    >+1 416 218-0098;            <g.a.woodsat_private>;           <woodsat_private>
    >Planix, Inc. <woodsat_private>; VE3TCP; Secrets of the Weird <woodsat_private>
    >
    >----------------------------------------------------------------------------
    >----------------------------------------------------------------------------
    >
    >
    
    ----------------------------------------------------------------------------
    ----------------------------------------------------------------------------
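The two rules the thread leans on (a DNS query goes TO port 53 from an ephemeral port; a reply just swaps source and destination, so it comes FROM port 53) and the query-then-ICMP pattern Ronald reports, as an added Python example. This is not code from the thread or from either poster; it builds the two packets in-process rather than reading Ronald's capture. The outside host 192.0.2.10, its source port 3456, the mail server 198.51.100.25 and the transaction ID are constructed assumptions (documentation addresses); only the PTR name 48.1.1.192.in-addr.arpa comes from the post. The parser assumes every UDP packet it sees carries DNS and that names are not compressed, which holds for the question section of a query.

```python
import ipaddress
import struct

DNS_PORT = 53
QTYPE_PTR = 12

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, used here for the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def encode_qname(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels plus the root byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_qname(data: bytes, offset: int):
    """Read an uncompressed name; return (name, offset just past it)."""
    labels = []
    while data[offset]:
        n = data[offset]
        labels.append(data[offset + 1:offset + 1 + n].decode("ascii"))
        offset += 1 + n
    return ".".join(labels), offset + 1

def build_ptr_query(txid: int, ip: str) -> bytes:
    """Standard DNS query (QR=0, RD=1) for the PTR record of an IPv4 address."""
    qname = ipaddress.ip_address(ip).reverse_pointer  # 192.1.1.48 -> 48.1.1.192.in-addr.arpa
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(qname) + struct.pack("!HH", QTYPE_PTR, 1)

def ipv4(src: bytes, dst: bytes, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def build_udp(src: str, sport: int, dst: str, dport: int, payload: bytes) -> bytes:
    """IPv4/UDP datagram; the UDP checksum is left at 0, which is legal on IPv4."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return ipv4(ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed, 17, udp)

def build_icmp_port_unreachable(offending: bytes) -> bytes:
    """What a host with nothing listening on the port sends back: ICMP type 3,
    code 3, quoting the offending IP header plus the first 8 bytes of payload."""
    ihl = (offending[0] & 0x0F) * 4
    body = struct.pack("!BBHI", 3, 3, 0, 0) + offending[:ihl + 8]
    body = body[:2] + struct.pack("!H", checksum(body)) + body[4:]
    return ipv4(offending[16:20], offending[12:16], 1, body)  # addresses swapped

def classify(packet: bytes) -> dict:
    """Label one IPv4 packet by the thread's rule: a DNS query goes TO port 53
    from an ephemeral port; a reply swaps the pair and so comes FROM port 53."""
    ihl = (packet[0] & 0x0F) * 4
    info = {"src": str(ipaddress.ip_address(packet[12:16])),
            "dst": str(ipaddress.ip_address(packet[16:20])), "kind": "other"}
    if packet[9] == 17:  # UDP: parse the DNS header and question (assumed DNS)
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        dns = packet[ihl + 8:]
        qr = struct.unpack("!H", dns[2:4])[0] >> 15  # 0 = query, 1 = response
        qname, off = decode_qname(dns, 12)
        info.update(sport=sport, dport=dport, qname=qname,
                    qtype=struct.unpack("!H", dns[off:off + 2])[0])
        if qr == 0 and dport == DNS_PORT:
            info["kind"] = "dns-query"
        elif qr == 1 and sport == DNS_PORT:
            info["kind"] = "dns-reply"
        else:
            info["kind"] = "dns-anomalous"  # QR bit and port direction disagree
    elif packet[9] == 1 and packet[ihl] == 3:  # ICMP destination unreachable
        inner = packet[ihl + 8:]  # the quoted packet that provoked it
        inner_ihl = (inner[0] & 0x0F) * 4
        isport, idport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
        info["kind"] = "icmp-port-unreachable" if packet[ihl + 1] == 3 else "icmp-unreachable"
        info["about"] = (str(ipaddress.ip_address(inner[12:16])), isport,
                         str(ipaddress.ip_address(inner[16:20])), idport)
    return info

def explain(packets) -> list:
    """Pair each inbound DNS query with the ICMP port unreachable it provoked."""
    events = [classify(p) for p in packets]
    findings = []
    for q in [e for e in events if e["kind"] == "dns-query"]:
        for r in [e for e in events if e["kind"] == "icmp-port-unreachable"]:
            if r["about"] == (q["src"], q["sport"], q["dst"], q["dport"]):
                findings.append(f"{q['src']}:{q['sport']} asked {q['dst']} for PTR {q['qname']}; "
                                f"nothing listens on UDP/{q['dport']}, so it answered ICMP 3/3")
    return findings

def sample_exchange() -> list:
    """The two packets Ronald describes, built with assumed (documentation) addresses."""
    query = build_udp("192.0.2.10", 3456, "198.51.100.25", DNS_PORT,
                      build_ptr_query(0x1234, "192.1.1.48"))
    return [query, build_icmp_port_unreachable(query)]
```

Running `explain(sample_exchange())` yields one finding: a query from the outside host to the mail server's port 53 paired with the ICMP 3/3 the mail server sent back, which is exactly the repeating pair that trips the router ACL. The `dns-anomalous` label is the check worth keeping in a real capture: a datagram whose QR bit says "query" but that travels FROM port 53, or one whose QR bit says "response" but is addressed TO port 53, is not ordinary resolver traffic and deserves a closer look.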
    



    This archive was generated by hypermail 2b30 : Wed Jun 11 2003 - 15:22:30 PDT