Educause Security Discussion mailing list archives
Scanning from source port 53
From: Lois Lehman <LOIS.LEHMAN () ASU EDU>
Date: Thu, 9 Sep 2004 18:19:02 -0700
Has anyone else seen this trick recently for getting through your routers? The source port being used for the scanning is port 53 as it is looked upon as normal traffic. Is there any legitimate application that would send out syn packets from port 53? Do I need to modify our snort rules?

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] MISC source port 53 to <1024 [**]
09/09-04:12:06.271376 82.51.0.40:53 -> xxx.xxx.44.120:23
TCP TTL:45 TOS:0x0 ID:666 IpLen:20 DgmLen:40
******S* Seq: 0x29A Ack: 0x4DB7A656 Win: 0x80 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] MISC source port 53 to <1024 [**]
09/09-04:12:06.282308 82.51.0.40:53 -> xxx.xxx.44.122:23
TCP TTL:46 TOS:0x0 ID:666 IpLen:20 DgmLen:40
******S* Seq: 0x29A Ack: 0x7080C6E8 Win: 0x80 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] MISC source port 53 to <1024 [**]
09/09-04:12:06.287327 82.51.0.40:53 -> xxx.xxx.44.124:23
TCP TTL:46 TOS:0x0 ID:666 IpLen:20 DgmLen:40
******S* Seq: 0x29A Ack: 0x8CE8278A Win: 0x80 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] MISC source port 53 to <1024 [**]
09/09-04:12:06.729872 82.51.0.40:53 -> xxx.xxx.68.113:23
TCP TTL:46 TOS:0x0 ID:666 IpLen:20 DgmLen:40
******S* Seq: 0x29A Ack: 0x6DC47766 Win: 0x80 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Lois Lehman
College Network Security Manager
Physical Sciences Computer Support Manager
College of Liberal Arts & Sciences
Arizona State University
480-965-3139

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
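A triage sketch for alerts like those in the message above, added here as an example and not part of the original post: it parses Snort full-alert packet lines and flags sources whose bare SYNs from port 53 reuse the same IP ID and sequence number across several hosts, fields a normal TCP stack varies per connection. The function names, the `min_targets` threshold and the 192.0.2.53 control line are assumptions made for the example.

```python
import re
from collections import defaultdict

# Packet lines from the four alerts in the post, plus one constructed SYN/ACK
# from 192.0.2.53 (documentation address) as a non-matching control.
SAMPLE = """
09/09-04:12:06.271376 82.51.0.40:53 -> xxx.xxx.44.120:23 TCP TTL:45 TOS:0x0 ID:666 IpLen:20 DgmLen:40 ******S* Seq: 0x29A Ack: 0x4DB7A656 Win: 0x80 TcpLen: 20
09/09-04:12:06.282308 82.51.0.40:53 -> xxx.xxx.44.122:23 TCP TTL:46 TOS:0x0 ID:666 IpLen:20 DgmLen:40 ******S* Seq: 0x29A Ack: 0x7080C6E8 Win: 0x80 TcpLen: 20
09/09-04:12:06.287327 82.51.0.40:53 -> xxx.xxx.44.124:23 TCP TTL:46 TOS:0x0 ID:666 IpLen:20 DgmLen:40 ******S* Seq: 0x29A Ack: 0x8CE8278A Win: 0x80 TcpLen: 20
09/09-04:12:06.729872 82.51.0.40:53 -> xxx.xxx.68.113:23 TCP TTL:46 TOS:0x0 ID:666 IpLen:20 DgmLen:40 ******S* Seq: 0x29A Ack: 0x6DC47766 Win: 0x80 TcpLen: 20
09/09-04:12:07.000000 192.0.2.53:53 -> xxx.xxx.44.10:1025 TCP TTL:52 TOS:0x0 ID:4411 IpLen:20 DgmLen:44 ***A**S* Seq: 0x5C1D22A0 Ack: 0x1F3B9C01 Win: 0x16D0 TcpLen: 24
"""

PACKET = re.compile(
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s+TCP\s+"
    r"TTL:\d+\s+TOS:\S+\s+ID:(?P<ipid>\d+)\s+IpLen:\d+\s+DgmLen:\d+\s+"
    r"(?P<flags>[\w*]{8})\s+Seq:\s*(?P<seq>0x[0-9A-Fa-f]+)\s+Ack:\s*(?P<ack>0x[0-9A-Fa-f]+)")

def parse_alerts(text):
    """Return one dict per TCP packet found in Snort full-alert text."""
    return [m.groupdict() for m in PACKET.finditer(text)]

def crafted_syn_sources(alerts, sport="53", min_targets=3):
    """Flag sources sending bare SYNs from `sport` to several hosts with
    header fields a normal TCP stack would vary per connection."""
    by_src = defaultdict(list)
    for a in alerts:
        if a["sport"] == sport and a["flags"] == "******S*":  # SYN only
            by_src[a["src"]].append(a)
    findings = {}
    for src, pkts in by_src.items():
        if len({p["dst"] for p in pkts}) < min_targets:
            continue
        reasons = []
        if len({p["ipid"] for p in pkts}) == 1:
            reasons.append("constant IP ID " + pkts[0]["ipid"])
        if len({p["seq"] for p in pkts}) == 1:
            reasons.append("constant Seq " + pkts[0]["seq"])
        if all(int(p["ack"], 16) for p in pkts):
            reasons.append("non-zero Ack on SYN without ACK flag")
        if reasons:
            findings[src] = reasons
    return findings

if __name__ == "__main__":
    for src, reasons in crafted_syn_sources(parse_alerts(SAMPLE)).items():
        print(src, "->", "; ".join(reasons))
```

The regex separates fields with `\s+`, so it accepts the alerts whether they are laid out one field group per line or wrapped onto a single line by a mail client.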
Current thread:
- Scanning from source port 53 Lois Lehman (Sep 09)
- <Possible follow-ups>
- Re: Scanning from source port 53 Dave Monnier (Sep 09)