Security Incidents mailing list archives
Re: UDP scan from DNS server?
From: Chris Brenton <chris () altenet com>
Date: Tue, 29 May 2001 22:43:50 -0400
Michael Clark wrote:
> Snort grabbed the following traces last night. The source is my ISP's DNS server. Any ideas?
>
> May 28 21:42:40 111.222.333.444:53 -> 192.168.1.1:61068 UDP
> May 28 21:42:43 111.222.333.444:53 -> 192.168.1.1:61069 UDP
> May 28 21:42:43 111.222.333.444:53 -> 192.168.1.1:61070 UDP
I see this from time to time. _Usually_ the culprit is the target system thinks it already received a reply or timed-out the connection. The DNS server is still trying to reply and starts hitting incremental ports (remember DNS has no flags to work with so gracefully killing a UDP connection can get messy).

Usually the attempt dies after an hour or so but it depends on the platform the DNS server is using. I've seen HP systems continue to retry for months. :)

Best way to know for sure is to check your outbound logs and see if 192.168.1.1 initiated a query just before this pattern started.

HTH,
Chris
--
**************************************
cbrenton () altenet com

* Mastering Cisco Routers
http://www.amazon.com/exec/obidos/ASIN/078212643X/

* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/
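Added example, not part of the original post: one way to run the outbound-log check suggested above, labelling each inbound packet from source port 53 by whether the target host queried that server shortly beforehand. It assumes the outbound log uses the same line format as the quoted Snort traces, assumes a one-hour look-back window, and treats addresses as plain strings because the server address in the post is obfuscated; the outbound sample line is constructed.

```python
import re
from datetime import datetime, timedelta

# Line shape taken from the traces quoted in the post. They carry no year,
# so one is assumed when parsing.
LINE = re.compile(r"(\w{3} +\d+ [\d:]{8}) (\S+):(\d+) -> (\S+):(\d+) UDP")

def parse(lines, year=2001):
    """Yield (timestamp, src, sport, dst, dport) for each matching line."""
    for line in lines:
        m = LINE.search(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), int(m.group(3)), m.group(4), int(m.group(5))

def classify(inbound, outbound, window=timedelta(hours=1)):
    """Label each inbound packet from source port 53 as 'late-reply' when its
    destination host sent a port-53 query to that same server within `window`
    before the packet arrived, otherwise 'unsolicited'."""
    queries = [(ts, src, dst)
               for ts, src, _, dst, dport in parse(outbound) if dport == 53]
    results = []
    for ts, src, sport, dst, dport in parse(inbound):
        if sport != 53:
            continue  # only traffic that claims to come from a DNS server
        prior = any(q_src == dst and q_dst == src
                    and timedelta(0) <= ts - q_ts <= window
                    for q_ts, q_src, q_dst in queries)
        results.append((dst, dport, "late-reply" if prior else "unsolicited"))
    return results

# Inbound lines are copied from the post; the outbound line is constructed.
INBOUND = [
    "May 28 21:42:40 111.222.333.444:53 -> 192.168.1.1:61068 UDP",
    "May 28 21:42:43 111.222.333.444:53 -> 192.168.1.1:61069 UDP",
    "May 28 21:42:43 111.222.333.444:53 -> 192.168.1.1:61070 UDP",
]
OUTBOUND = ["May 28 21:42:31 192.168.1.1:61067 -> 111.222.333.444:53 UDP"]

if __name__ == "__main__":
    for host, port, label in classify(INBOUND, OUTBOUND):
        print(f"{host}:{port} {label}")
```

Packets labelled 'unsolicited' have no matching query in the window and are the ones worth a closer look.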