Source port 69From: email@example.com
- Previous message: George Milliken: "RE: Snort sensor placement"
- Next in thread: McCammon, Keith: "RE: Source port 69"
- Reply: McCammon, Keith: "RE: Source port 69"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Message-ID: <4F7882716A6FD311AC7000508B6F4AEA1A37ADE3@ranger.corp.cdw.com> From: firstname.lastname@example.org To: email@example.com Subject: Source port 69 Date: Thu, 27 Sep 2001 10:54:45 -0500
Last week, during the Nimda scare, I blocked outbound UDP port 69 (TFTP) on
my edge routers since Nimda used TFTP to download part of the virus.
I didn't see any activity for a little while, but this week I have seen
several outbound packets getting blocked that were going back to UDP port
Here is an example log from an ACL for outbound traffic:
denied udp 12.32.90.x(53) -> 216.56.21.xxx(69), 1 packet
All the occurrences with this has been with my DNS servers. So, it looks
like somebody tried to query my DNS server with a source port of 69, so that
I would respond back at UDP port 69. If I were to have allowed this traffic
to go back out, then somebody could assume that I'm allowing TFTP out to the
internet. It looks like somebody may be scanning DNS servers to see if they
allow TFTP and compiling a list of those that allow it.
Has anybody seen this before? I read a couple things about DNS to try to
determine if it's ok for clients to source a DNS query at port 69, and I
think I've come to the conclusion that DNS queries from clients should NOT
come from port 69. Can anybody clarify this?
CDW Computer Centers, Inc.