RE: strange traffic on UDP port 53
From: David Gillett (gillettdavid_at_fhda.edu)
Date: 06/06/03
- Previous message: Rajkumar S: "Strange CONNECT entries in apache logs"
- In reply to: Mike: "RE: strange traffic on UDP port 53"
- Next in thread: Greg A. Woods: "RE: strange traffic on UDP port 53"
- Reply: Greg A. Woods: "RE: strange traffic on UDP port 53"
To: "'Mike'" <mike@coenholdings.ie>, "'Ronald Belchez'" <meukone@yahoo.co.uk>, <incidents@securityfocus.com>
Date: Fri, 6 Jun 2003 10:35:34 -0700

Replies to DNS queries should be coming FROM port 53, not (necessarily) addressed TO port 53.
David Gillett
> -----Original Message-----
> From: Mike [mailto:mike@coenholdings.ie]
> Sent: June 6, 2003 00:40
> To: 'Ronald Belchez'; incidents@securityfocus.com
> Subject: RE: strange traffic on UDP port 53
>
>
> After deploying a new mail server/internet gateway (behind a firewall) I
> found a similar problem with packets being stopped by our firewall.
> After performing an nslookup on the "offending" IP address I found it
> belonged to our ISP. On querying them about this odd behavior the
> explanation given (and other evidence seems to bear this out) was that
> our mail server was performing DNS lookups for the delivery of mail and
> on behalf of our internal network as it was configured as a forwarder
> because it was behind a firewall. The IP address in question was merely
> replying to DNS queries which had been forwarded to it by our ISP's
> primary DNS server and as the firewall would only allow DNS replies
> through from certain IP addresses it was stopping any others. The
> incrementing of the source ports you are seeing is due to the fact that
> when the DNS reply is not acknowledged by the target system it tries
> again on the next available port.
>
> It is only usually a minor inconvenience (although the other day one
> server filled my firewall log 4 times and I was alerted to possible port
> scans a number of times during the day). If it bothers you too much try
> filtering the logs to remove the offending entries or you can allow all
> port 53 traffic in (unless like me you suffer from paranoid delusions
> that everyone on the internet is out to get you).
>
> -----Original Message-----
> From: Ronald Belchez [mailto:meukone@yahoo.co.uk]
> Sent: 04 June 2003 22:14
> To: incidents@securityfocus.com
> Subject: strange traffic on UDP port 53
>
> Hi All,
>
> We don't have a firewall and are just relying on an access-list on our border
> router. After I applied the new access-list I am continuously receiving
> the logs shown below. The destination IP is our mail server (not running
> any DNS service), while the source IP is unsolicited and is using a source port
> with some sort of incremental pattern; the denied packet logs have also been
> continuous now for about 4 days. I am not aware of any trojan or worm
> using the below. I already tried searching google but cannot find the
> explanation or something that might help me understand the below....
>
> Please advise.
>
> --logs starts here---
> denied udp XX7.Y3.71.242(54067) -> XX3.Y1.246.66(53), 1 packet
> denied udp XX7.Y3.71.242(54070) -> XX3.Y1.246.66(53), 1 packet
> denied udp XX7.Y3.71.242(53967) -> XX3.Y1.246.66(53), 2 packets
> denied udp XX7.Y3.71.242(53972) -> XX3.Y1.246.66(53), 2 packets
> denied udp XX7.Y3.71.242(53979) -> XX3.Y1.246.66(53), 2 packets
> denied udp XX7.Y3.71.242(53989) -> XX3.Y1.246.66(53), 2 packets
> denied udp XX7.Y3.71.242(54003) -> XX3.Y1.246.66(53), 2 packets
> denied udp XX7.Y3.71.242(53982) -> XX3.Y1.246.66(53), 34 packets
> denied udp XX7.Y3.71.242(54009) -> XX3.Y1.246.66(53), 2 packets
> denied udp XX7.Y3.71.242(54027) -> XX3.Y1.246.66(53), 2 packets
> denied udp XX7.Y3.71.242(54035) -> XX3.Y1.246.66(53), 2 packets
> denied udp XX7.Y3.71.242(54042) -> XX3.Y1.246.66(53), 2 packets
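As an added example that is not part of this thread, the following Python script parses constructed ACL log lines in the same shape as the ones Ronald quoted (the addresses are placeholders, not real hosts) and labels each denied record by which side holds port 53, which is the distinction David draws above: a genuine DNS reply carries source port 53, whereas packets addressed TO port 53 from ephemeral source ports are query-shaped. It also totals packets and distinct source ports per source host, so the incrementing-source-port pattern from the thread is visible at a glance.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of the ACL log excerpt quoted in
# the thread; the last line is an added reply-shaped record for contrast.
SAMPLE_LOG = """\
denied udp XX7.Y3.71.242(54067) -> XX3.Y1.246.66(53), 1 packet
denied udp XX7.Y3.71.242(53982) -> XX3.Y1.246.66(53), 34 packets
denied udp XX7.Y3.71.242(54009) -> XX3.Y1.246.66(53), 2 packets
denied udp XX8.Y4.10.5(53) -> XX3.Y1.246.66(41234), 1 packet
"""

LINE_RE = re.compile(
    r"denied udp (?P<src>[^\s(]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[^\s(]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


def parse_line(line):
    """Return a dict for one 'denied udp' record, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec


def classify(rec):
    """Label a record by which endpoint holds port 53 (the server side of DNS)."""
    if rec["sport"] == 53 and rec["dport"] != 53:
        return "dns-reply-shaped"      # from port 53 to a high port: a reply
    if rec["dport"] == 53 and rec["sport"] >= 1024:
        return "dns-query-shaped"      # from a high port to port 53: a query
    return "other"


def summarize(log_text):
    """Aggregate per source host: packet total, distinct source ports, labels."""
    out = defaultdict(lambda: {"packets": 0, "sports": set(), "labels": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = out[rec["src"]]
        s["packets"] += rec["count"]
        s["sports"].add(rec["sport"])
        s["labels"].add(classify(rec))
    return dict(out)


if __name__ == "__main__":
    for src, s in summarize(SAMPLE_LOG).items():
        print(src, s["packets"], sorted(s["sports"]), sorted(s["labels"]))
```

A source that only ever produces "dns-query-shaped" records against a host that runs no DNS service is worth a closer look, while "dns-reply-shaped" records from a resolver you actually query are the benign case Mike describes.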