UDP Scan port 53(dns) -> dst port <1024

From: Clinton Smith (security@esales.iinet.net.au)
Date: 02/21/02


Date: Thu, 21 Feb 2002 15:03:44 +0800
From: Clinton Smith <security@esales.iinet.net.au>
To: incidents@securityfocus.com

Over the last few days we have seen some atypical traffic.

Does anyone know of a tool that will generate
packets like these (xprobe does not seem to fit the bill):

external (possibly spoofed) host:53 -UDP-> localsystem:987
external (possibly spoofed) host:53 -UDP-> localsystem:988
external (possibly spoofed) host:53 -UDP-> localsystem:989

0E 8E 84 03 00 01 00 00 00 01 00 00 02 38 32 03 .............82.
32 30 30 03 31 36 38 03 31 39 32 07 69 6E 2D 61 200.168.192.in-a
64 64 72 04 61 72 70 61 00 00 0C 00 01 C0 13 00 ddr.arpa........
06 00 01 00 01 51 80 00 36 09 62 6C 61 63 6B 68 .....Q..6.blackh
6F 6C 65 04 69 61 6E 61 03 6F 72 67 00 05 63 72 ole.iana.org..cr
61 69 6E 05 69 63 61 6E 6E C0 48 01 30 BD AE 00 ain.icann.H.0...
00 2A 30 00 00 03 84 00 09 3A 80 00 01 51 80 .*0......:...Q.

It is detected by Snort etc. as: "MISC source port 53 to <1024".

The content looks like a DNS packet, but my understanding of RFC 1035 (DNS)
is that the target port should be either 53 or >1024.

Is this what it appears to be (i.e. a slow-moving UDP port scan), masquerading
as DNS traffic?

Kind regards,
Clinton

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
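The hex dump in the post decodes cleanly as RFC 1035 wire format, and the header flags are the first thing worth checking on a capture like this: bit 15 (QR) of the second 16-bit word says whether the payload is a query or a response. The decoder below is an added example, not the poster's tool or any tool named on the page; its only input is the 111-byte UDP payload copied from the dump above (not constructed). Function and variable names (read_name, parse_message, ptr_name_to_ip, summarize, POSTED_PACKET) are the example's own. Run on the posted bytes it reports an authoritative NXDOMAIN response (QR=1, AA=1, RCODE=3) to a PTR question for 82.200.168.192.in-addr.arpa, i.e. a reverse lookup of the private address 192.168.200.82, with an authority SOA for 168.192.in-addr.arpa whose MNAME is blackhole.iana.org. It does not decide whether the source address was spoofed; it only shows what the payload itself says.

```python
"""Decode the DNS payload quoted in the post (RFC 1035 wire format).

Added example, not the poster's tool. POSTED_PACKET is the 111-byte UDP
payload copied from the hex dump above (not constructed); the rest is
illustration code with names chosen here.
"""
import ipaddress
import struct

POSTED_PACKET = bytes.fromhex(
    "0E 8E 84 03 00 01 00 00 00 01 00 00 02 38 32 03"
    "32 30 30 03 31 36 38 03 31 39 32 07 69 6E 2D 61"
    "64 64 72 04 61 72 70 61 00 00 0C 00 01 C0 13 00"
    "06 00 01 00 01 51 80 00 36 09 62 6C 61 63 6B 68"
    "6F 6C 65 04 69 61 6E 61 03 6F 72 67 00 05 63 72"
    "61 69 6E 05 69 63 61 6E 6E C0 48 01 30 BD AE 00"
    "00 2A 30 00 00 03 84 00 09 3A 80 00 01 51 80"
)

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
TYPE_NAMES = {1: "A", 2: "NS", 6: "SOA", 12: "PTR"}


def read_name(msg, off):
    """Read a domain name at off; return (name, offset just past it).

    Follows RFC 1035 4.1.4 compression pointers (0xC0 prefix), but only
    backwards and a bounded number of times, so a crafted payload cannot
    loop the parser.
    """
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:
            target = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            if target >= off or hops > 16:
                raise ValueError("bad compression pointer at offset %d" % off)
            if end is None:            # the name ends after the first pointer
                end = off + 2
            off, hops = target, hops + 1
            continue
        if length & 0xC0:
            raise ValueError("reserved label type at offset %d" % off)
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_message(msg):
    """Parse header, question and the three RR sections into plain dicts."""
    ident, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    header = {"id": ident,
              "qr": bool(flags & 0x8000),   # 1 = response, 0 = query
              "opcode": (flags >> 11) & 0xF,
              "aa": bool(flags & 0x0400),
              "rd": bool(flags & 0x0100),
              "ra": bool(flags & 0x0080),
              "rcode": flags & 0xF}
    off, questions = 12, []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack_from("!HH", msg, off)
        off += 4
        questions.append({"name": name, "type": qtype, "class": qclass})
    sections = {"answer": [], "authority": [], "additional": []}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10
            rec = {"name": name, "type": rtype, "class": rclass, "ttl": ttl,
                   "rdata": msg[off:off + rdlen]}
            if rtype == 6:                 # SOA: MNAME, RNAME, five uint32 fields
                mname, p = read_name(msg, off)
                rname, p = read_name(msg, p)
                nums = struct.unpack_from("!5I", msg, p)
                rec["soa"] = dict(zip(("serial", "refresh", "retry", "expire", "minimum"),
                                      nums), mname=mname, rname=rname)
            off += rdlen
            sections[section].append(rec)
    if off != len(msg):                    # truncated or padded payloads are suspect
        raise ValueError("%d trailing bytes" % (len(msg) - off))
    return {"header": header, "questions": questions, **sections}


def ptr_name_to_ip(name):
    """'82.200.168.192.in-addr.arpa' -> '192.168.200.82' (IPv4 reverse tree only)."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        raise ValueError("not an in-addr.arpa name: %r" % name)
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4:
        raise ValueError("not a full /32 reverse name: %r" % name)
    return str(ipaddress.IPv4Address(".".join(reversed(octets))))


def summarize(msg):
    """One-line verdict built only from what the payload itself says."""
    m = parse_message(msg)
    h, q = m["header"], m["questions"][0]
    line = "%s id=0x%04X %s%s to %s %s" % (
        "response" if h["qr"] else "query", h["id"],
        RCODE_NAMES.get(h["rcode"], str(h["rcode"])),
        " (authoritative)" if h["aa"] else "",
        TYPE_NAMES.get(q["type"], str(q["type"])), q["name"])
    if q["type"] == 12:
        ip = ptr_name_to_ip(q["name"])
        line += " = %s%s" % (ip, " [private]" if ipaddress.ip_address(ip).is_private else "")
    for rec in m["authority"]:
        if rec["type"] == 6:
            line += "; authority SOA %s mname=%s" % (rec["name"], rec["soa"]["mname"])
    return line


if __name__ == "__main__":
    print(summarize(POSTED_PACKET))
```

Running the script prints the one-line summary of the posted payload. The two checks that matter when pointing a decoder like this at traffic you did not solicit are the ones it enforces: compression pointers may only go backwards and are hop-limited, and the parser must consume exactly the payload length, so padding or a truncated record is reported instead of silently accepted.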
