RE: Source port 69
From: Kutulu (kutulu@kutulu.org)
Date: 09/28/01
- Previous message: Mark Challender: "RE: Open Guest Share question"
- In reply to: Mike Wilson: "RE: Source port 69"
- Next in thread: abuse: "RE: Source port 69"
Message-Id: <5.1.0.14.0.20010927160156.00a1c0b0@127.0.0.1>
Date: Thu, 27 Sep 2001 18:19:36 -0400
To: Mike Wilson <mwilson@cincinnatiequitable.com>
From: Kutulu <kutulu@kutulu.org>
Subject: RE: Source port 69
At 01:44 PM 09/27/2001 -0400, Mike Wilson wrote:
>A normal operating system DNS query would use an unprivileged source port
>(>1024) to make the DNS request. I would concur that this type of traffic
Or else, it would use port 53. Since DNS servers reply to the same port
the request came in on, recursed queries (server <-> server) would be
sourced on port 53, so the reply would go back that way. My snort logs
certainly show hundreds of port 53 -> port 53 UDP packets to my DNS server
from remote DNS servers, and they all get logged because the snort rule is
just what you specified: source port 0:1023, destination port 53.
Nonetheless, you are absolutely correct that source-port 69 is highly
unusual. It's also a rather sneaky way to portscan a DNS server for open
UDP ports. Guess I should put the above-mentioned noisy snort rule back.
--K
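
Added example, not part of the original message: the following Python code applies the rule described above (UDP, source port 0:1023, destination port 53) to a few flow records and separates the expected 53 -> 53 server-to-server hits from the remaining privileged-source-port hits that deserve review. The record format, the addresses, and the function names are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample records (documentation addresses), not taken from the post.
SAMPLE = """\
UDP 198.51.100.7:53 -> 192.0.2.10:53
UDP 198.51.100.7:53 -> 192.0.2.10:53
UDP 203.0.113.44:33012 -> 192.0.2.10:53
UDP 203.0.113.99:69 -> 192.0.2.10:53
UDP 203.0.113.99:69 -> 192.0.2.10:53
UDP 203.0.113.50:123 -> 192.0.2.10:53
UDP 203.0.113.99:69 -> 192.0.2.10:161
TCP 203.0.113.99:69 -> 192.0.2.10:53
"""

# Hypothetical one-line flow format: PROTO src:sport -> dst:dport
LINE = re.compile(r"^(UDP|TCP) (\S+):(\d+) -> (\S+):(\d+)$")

def noisy_rule(proto, sport, dport):
    """The rule from the thread: UDP, source port 0:1023, destination port 53."""
    return proto == "UDP" and 0 <= sport <= 1023 and dport == 53

def triage(text):
    """Split noisy-rule hits into expected 53->53 traffic and the remainder."""
    expected = 0
    unusual = defaultdict(lambda: defaultdict(int))  # src ip -> src port -> count
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip anything that is not a flow record
        proto, src, sport, _dst, dport = m.groups()
        sport, dport = int(sport), int(dport)
        if not noisy_rule(proto, sport, dport):
            continue  # unprivileged source port, other destination, or TCP
        if sport == 53:
            expected += 1  # recursed server-to-server query
        else:
            unusual[src][sport] += 1  # e.g. source port 69
    return expected, {ip: dict(ports) for ip, ports in unusual.items()}

if __name__ == "__main__":
    expected, unusual = triage(SAMPLE)
    print(f"server-to-server (53 -> 53) hits: {expected}")
    for ip, ports in sorted(unusual.items()):
        print(f"review {ip}: privileged source ports {ports}")
```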