Security Incidents mailing list archives

Re: UDP scan from DNS server?


From: Chris Brenton <chris () altenet com>
Date: Tue, 29 May 2001 22:43:50 -0400

Michael Clark wrote:

Snort grabbed the following traces last night. The source is my ISP's DNS
server. Any ideas?

May 28 21:42:40 111.222.333.444:53 -> 192.168.1.1:61068 UDP
May 28 21:42:43 111.222.333.444:53 -> 192.168.1.1:61069 UDP
May 28 21:42:43 111.222.333.444:53 -> 192.168.1.1:61070 UDP

I see this from time to time. _Usually_ the culprit is the target system
thinks it already received a reply or timed-out the connection. The DNS
server is still trying to reply and starts hitting incremental ports
(remember DNS has no flags to work with so gracefully killing a UDP
connection can get messy). Usually the attempt dies after an hour or so
but it depends on the platform the DNS server is using. I've seen HP
systems continue to retry for months. :)

Best way to know for sure is to check your outbound logs and see if
192.168.1.1 initiated a query just before this pattern started.

HTH,
Chris 
-- 
**************************************
cbrenton () altenet com

* Mastering Cisco Routers
http://www.amazon.com/exec/obidos/ASIN/078212643X/
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/
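
An added example, not part of the original post: one way to run the outbound-log check suggested above, by labelling each inbound packet from port 53 according to whether the local host queried that server shortly before. It assumes the outbound log uses the same line format as the Snort lines quoted in the post; the addresses, the 5-minute window, the year and the label names are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs in the line format quoted in the post.
# 192.0.2.53 stands in for the ISP's DNS server.
OUTBOUND = """
May 28 21:42:35 192.168.1.1:61067 -> 192.0.2.53:53 UDP
"""
INBOUND = """
May 28 21:42:36 192.0.2.53:53 -> 192.168.1.1:61067 UDP
May 28 21:42:40 192.0.2.53:53 -> 192.168.1.1:61068 UDP
May 28 21:42:43 192.0.2.53:53 -> 192.168.1.1:61069 UDP
May 28 21:42:43 192.0.2.53:53 -> 192.168.1.1:61070 UDP
May 29 03:10:00 192.0.2.53:53 -> 192.168.1.1:40000 UDP
"""
LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) (\S+):(\d+) -> (\S+):(\d+) UDP$")

def parse(log, year=2001):
    """Return (time, src, sport, dst, dport) tuples; the log has no year, so one is assumed."""
    events = []
    for line in log.strip().splitlines():
        m = LINE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m[1]}", "%Y %b %d %H:%M:%S")
            events.append((ts, m[2], int(m[3]), m[4], int(m[5])))
    return events

def classify(inbound, outbound, window=timedelta(minutes=5)):
    """Label each inbound packet from port 53 by the outbound queries that preceded it."""
    results = []
    for ts, src, sport, dst, dport in inbound:
        if sport != 53:
            continue
        # Queries this host sent to the same server within the window before the packet.
        prior = [o for o in outbound
                 if (o[1], o[3], o[4]) == (dst, src, 53)
                 and timedelta(0) <= ts - o[0] <= window]
        if any(o[2] == dport for o in prior):
            label = "reply"        # answer to a query from this exact local port
        elif prior:
            label = "stray-reply"  # host did query this server, but the port differs
        else:
            label = "unsolicited"  # nothing outbound explains it
        results.append((dport, label))
    return results

if __name__ == "__main__":
    for dport, label in classify(parse(INBOUND), parse(OUTBOUND)):
        print(dport, label)
```
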

