Source port 69

From: shewitt@cdw.com
Date: 09/27/01


Message-ID: <4F7882716A6FD311AC7000508B6F4AEA1A37ADE3@ranger.corp.cdw.com>
To: focus-ids@securityfocus.com
Date: Thu, 27 Sep 2001 10:54:45 -0500

Last week, during the Nimda scare, I blocked outbound UDP port 69 (TFTP) on
my edge routers since Nimda used TFTP to download part of the virus.

I didn't see any activity for a little while, but this week I have seen
several outbound packets getting blocked that were going back to UDP port
69.

Here is an example log from an ACL for outbound traffic:
denied udp 12.32.90.x(53) -> 216.56.21.xxx(69), 1 packet

All the occurrences of this have been with my DNS servers. So, it looks
like somebody tried to query my DNS server with a source port of 69, so that
I would respond back at UDP port 69. If I were to have allowed this traffic
to go back out, then somebody could assume that I'm allowing TFTP out to the
internet. It looks like somebody may be scanning DNS servers to see if they
allow TFTP and compiling a list of those that allow it.

Has anybody seen this before? I read a couple things about DNS to try to
determine if it's ok for clients to source a DNS query at port 69, and I
think I've come to the conclusion that DNS queries from clients should NOT
come from port 69. Can anybody clarify this?

--------------------------
Scott Hewitt
WEB/WAN Administrator
CDW Computer Centers, Inc.
shewitt@cdw.com
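The pattern described in the post (a denied reply leaving a local DNS server on port 53 towards a remote host's port 69) can be pulled out of ACL deny logs automatically. The following is an added example, not code from the original post or from CDW: it parses log lines in the same format as the one quoted above, keeps only UDP replies from a local service port to remote port 69, and aggregates them per remote host so that a host probing several of your servers stands out. The log lines in SAMPLE_LOG are constructed for the example (the anonymised addresses follow the post's style); the format, the port numbers and the `find_reflected_probes` / `summarize` names are assumptions of the example.

```python
import re
from collections import defaultdict

# Constructed sample ACL deny log lines in the format quoted in the post.
# Addresses are anonymised placeholders, not real hosts.
SAMPLE_LOG = """\
denied udp 12.32.90.x(53) -> 216.56.21.xxx(69), 1 packet
denied udp 12.32.90.x(53) -> 216.56.21.xxx(69), 3 packets
denied udp 12.32.90.y(53) -> 216.56.21.xxx(69), 1 packet
denied udp 12.32.90.x(53) -> 198.51.100.7(69), 1 packet
denied udp 12.32.90.z(1024) -> 203.0.113.9(69), 1 packet
denied tcp 12.32.90.x(80) -> 203.0.113.9(69), 1 packet
"""

# One ACL deny line: "denied <proto> <src>(<sport>) -> <dst>(<dport>), <n> packet(s)"
LINE_RE = re.compile(
    r"denied\s+(?P<proto>udp|tcp)\s+"
    r"(?P<src>[\w.]+)\((?P<sport>\d+)\)\s*->\s*"
    r"(?P<dst>[\w.]+)\((?P<dport>\d+)\),\s*(?P<count>\d+)\s+packets?"
)


def parse_line(line):
    """Parse one ACL deny line into a dict, or return None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec


def find_reflected_probes(log_text, service_port=53, probe_port=69):
    """Aggregate denied UDP replies from a local service port to remote port probe_port.

    A reply from port 53 to remote port 69 only exists because the remote side
    sourced its DNS query from port 69. Each hit is therefore evidence that the
    remote host is testing whether port 69 is allowed out, not a TFTP transfer.
    Returns {remote_ip: {"packets": total, "local_servers": set_of_local_ips}}.
    """
    hits = defaultdict(lambda: {"packets": 0, "local_servers": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "udp":
            continue  # unparsable line or not UDP: not the pattern we look for
        if rec["sport"] == service_port and rec["dport"] == probe_port:
            hits[rec["dst"]]["packets"] += rec["count"]
            hits[rec["dst"]]["local_servers"].add(rec["src"])
    return dict(hits)


def summarize(hits):
    """Rank remote hosts by packets seen, then by how many local servers they touched.

    Returns a list of (remote_ip, packets, number_of_local_servers) tuples.
    """
    rows = [(ip, h["packets"], len(h["local_servers"])) for ip, h in hits.items()]
    return sorted(rows, key=lambda r: (r[1], r[2]), reverse=True)


if __name__ == "__main__":
    for ip, packets, servers in summarize(find_reflected_probes(SAMPLE_LOG)):
        print(f"{ip}: {packets} denied replies to port 69 from {servers} local DNS server(s)")
```

Only the two lines matching the post's pattern (UDP, source port 53, destination port 69) are counted; the line from port 1024 and the TCP line are ignored, so ordinary TFTP egress or unrelated denies do not pollute the count. The aggregation by remote host is what separates a single odd resolver from a host sweeping several of your DNS servers with the same source port.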


