RE: SYN/ACK to port 53

["Keith.Morgan" <Keith.Morgan () Terradon com>]

We've nailed this down.  Several of us got into some pretty in-depth
investigation on this matter starting about the middle of this month.

There is a company called "mirror-image."  See http://www.mirror-image.com.

They are using Cisco' distributed content director.  This calculates the
shortest distance between an http-get and and http reply.  For some insane
reason, they have decided to configure thier content director to poll on
port 53.  Every time one of your users browses to one of thier customer's
sites, you're going to get flooded with these syn-ack packets destined for
port 53.  I'm still awaiting some sort of answer from the folks at mirror
image.

One should note, that I don't believe Cisco's distributed content director
is configured to use port 53 by default.  My understanding is that it
normally uses high ports, but again, for unknown reasons, the folks at
mirror image (and possibly others) have decided to use port 53.

Keith T. Morgan
Chief of Information Security
Terradon Communications
keith.morgan () terradon com
304-755-8291 x142


> -----Original Message-----
> From: DeCamp, Paul [mailto:PDeCamp () MedManageSystems com]
> Sent: Thursday, May 24, 2001 2:33 PM
> To: INCIDENTS (E-mail)
> Subject: SYN/ACK to port 53
>
>
> OK, this is beginning to drive me nuts.  Since about February 
> of this year,
> our firewall has been periodically hit with what can only be a probe,
> attack, whatever to port 53.  Every time the scan exhibits 
> the same behavior
> and is from the same set of IP addresses.
>
> A SYN/ACK packet is sent to TCP port 53.  No SYN was sent 
> from our system.
> The SYN & ACK sequence numbers appear to be random, but the 
> ACK is always 1
> less than the SYN.  Our system responds with a RST to the ACK.
>
> I have searched books, the Internet (SANS, SecuityFocus, 
> etc.), and while I
> have found other reports of somewhat-simlar activity, I have 
> to this day
> found no coherent explanation as to what this is.  Based on 
> the SYN/ACK
> numbers, this is obviously some sort of malformed packet, but to what
> purpose?  To spoof our system into thinking that it has sent 
> a SYN when it
> hasn't?  Is it a type of SYN flood?  To hijack a port on our 
> system?  A scan
> for some trojan?
>
> Any assistance would be appreciated, and better yet, any 
> advice as to where
> on the Internet is a good location for looking up such 
> obviously abnormal
> activity and what possible explanations may be.  Thanks.
>
> ------------------
> Paul DeCamp, IT Operations Lead
> MedManage Systems Inc.
> Voice:  (425) 354-2212
> E-Mail: PDeCamp () medmanagesystems com