2002-07-17-03:16:12 khatvi:

> I'm seeing strange logs source and destination ports are both
> domain-udp.
> what does this mean?

Means various things. Means that the IP packets in question are type 17, UDP; that the src and dst UDP port numbers are both 53, "domain". This is the UDP port number used for DNS.

In normal DNS traffic, the client is a resolver, either the resolver library in the system that implements things like gethostbyname(3), or a recursive resolver AKA caching nameserver. The client uses source ports typically allocated from some range of high port numbers (>1024), to destination port 53 on the server. The server always listens for requests on port 53 --- that's its well-known port. Its replies are originated from port 53; that's how the client expects to see the replies come back, with src & dst ports reversed from the query.

If you're seeing both src and dst == 53 in the same packet, then either you've got an unusual resolver, one that is only capable of having one outstanding request to any given server (or one that doesn't care about the ambiguity of having multiple queries with the same ports), or else someone is playing silly games. When people build packet-filtering (as opposed to proxy bastion) firewalls, they often let srcport=53 and/or dstport=53 through, so that DNS will work; people have been known to take advantage of that to run things like CIPE <URL:http://www.inka.de/~bigred/devel/cipe.html> right through such firewalls.

Oh, I just thought of another objective fact that can be gleaned from this; any packet w/ srcport < 1024 either originated from a process with privileges on the host, or else originated from a host that doesn't enforce the convention that only privileged processes are allowed to bind to ports <1024.

-Bennett
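The checks Bennett describes, written out as a small log triage script. This is an added example, not code from the original post or from the list; the log format it parses (time, protocol, src:port -> dst:port) and the sample lines are constructed for the example, not taken from any real capture or firewall. It matches a reply (from port 53 to a high port) back to the query it answers on the reversed tuple, which is the "src & dst ports reversed" relationship in the post; it then shows why a 53->53 packet cannot be matched that way at all, and separately flags queries that come from a source port below 1024, the privileged-port observation at the end of the post.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

DOMAIN = 53            # the well-known DNS port, "domain" in /etc/services
PRIVILEGED_MAX = 1023  # on hosts that enforce the convention, only privileged
                       # processes may bind ports <= 1023

# Constructed sample lines in a hypothetical packet-filter log format (not a
# real capture):  <time> <proto> <src ip>:<src port> -> <dst ip>:<dst port>
SAMPLE_LOG = """\
03:16:01 UDP 10.0.0.5:33012 -> 192.0.2.10:53
03:16:01 UDP 192.0.2.10:53 -> 10.0.0.5:33012
03:16:02 UDP 192.0.2.10:53 -> 10.0.0.5:40001
03:16:03 UDP 10.0.0.7:53 -> 192.0.2.10:53
03:16:03 UDP 192.0.2.10:53 -> 10.0.0.7:53
03:16:04 UDP 10.0.0.7:53 -> 192.0.2.10:53
03:16:05 TCP 10.0.0.9:44100 -> 192.0.2.20:443
03:16:06 UDP 198.51.100.3:1023 -> 10.0.0.5:53
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Packet:
    time: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_line(line: str) -> Optional[Packet]:
    """Parse one log line; return None for a line in some other format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return Packet(m["time"], m["proto"], m["src"], int(m["sport"]),
                  m["dst"], int(m["dport"]))


def parse_log(text: str) -> List[Packet]:
    return [p for p in (parse_line(line) for line in text.splitlines())
            if p is not None]


def classify_dns(packets: List[Packet]) -> List[Tuple[Packet, str]]:
    """Label each UDP/53 packet by pairing replies with the query they answer.

    A normal query goes high-port -> 53 and its reply comes back 53 -> that
    high port, so the reply is matched on the reversed tuple.  When both ports
    are 53 there is no high port to match on: every packet between the two
    hosts looks alike (the ambiguity in the post), which is also what a
    tunnel run over "DNS" looks like in a packet-filter log.
    """
    outstanding = set()   # (client ip, client port, server ip) awaiting a reply
    labels = []
    for p in packets:
        if p.proto != "UDP" or DOMAIN not in (p.sport, p.dport):
            continue                       # not UDP DNS traffic at all
        if p.sport == DOMAIN and p.dport == DOMAIN:
            labels.append((p, "53->53: query/reply ambiguous, possible tunnel"))
        elif p.dport == DOMAIN:            # client -> server
            outstanding.add((p.src, p.sport, p.dst))
            label = "query"
            if p.sport <= PRIVILEGED_MAX:  # privileged process, or lax host
                label += " from privileged source port"
            labels.append((p, label))
        else:                              # from 53: should answer an earlier query
            key = (p.dst, p.dport, p.src)
            if key in outstanding:
                outstanding.discard(key)
                labels.append((p, "reply"))
            else:
                labels.append((p, "unsolicited packet from port 53"))
    return labels


def summarize(text: str) -> Counter:
    """Count labels over a whole log; handy for a quick look at a day's traffic."""
    return Counter(label for _, label in classify_dns(parse_log(text)))


if __name__ == "__main__":
    for p, label in classify_dns(parse_log(SAMPLE_LOG)):
        print(f"{p.time} {p.src}:{p.sport} -> {p.dst}:{p.dport}  {label}")
```

On the sample, the 33012 exchange pairs up as query and reply, the packet to port 40001 has no query to answer and is reported as unsolicited, and all three 53->53 packets between 10.0.0.7 and 192.0.2.10 land in the ambiguous bucket because neither direction can be told apart. A resolver that really only keeps one request outstanding per server would produce the same pattern, so the count and timing of such packets, not any single one, is what tells a strange resolver from a tunnel.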
This archive was generated by hypermail 2b30 : Wed Jul 17 2002 - 09:36:48 PDT