Security Incidents mailing list archives
RE: Strange UDP Activity
From: Joe Kattner <joe.kattner () adelphia com>
Date: Tue, 16 Apr 2002 12:53:59 -0400
These are root name servers. Do you have a name server running? UDP (and TCP in cases where the DNS response exceeds the size of UDP) responses from port 53 on a root name server wouldn't cause immediate suspicion. I'm guessing you have a recursive name server (or some other application attempting recursion) and these responses are part of normal DNS recursion.

--Joe

-----Original Message-----
From: LAVELLE,MICHAEL (HP-PaloAlto,ex1) [mailto:mlavelle () hp com]
Sent: Tuesday, April 16, 2002 11:36 AM
To: incidents () securityfocus com
Subject: Strange UDP Activity

Greetings to the List,

I recently started seeing strange UDP traffic to my home DSL, which is included below. It has been active for the last 4 days at all hours. None of these IPs are DNS servers that I use, and much of the activity is when all of my computers are off. Google led me to port 1067 as being an SNMP port, but I have SNMP disabled on all devices at home, and the ACL blocks it anyway. Is there a new vulnerability going around that I missed? So far I have not read anything on the list that looks like this...any ideas?

Thanks for listening,
Mike
___________________________
Apr 14 22:44:42: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.36.148.17(53) -> X.X.55.121(1067), 4 packets
Apr 14 22:44:42: %SEC-6-IPACCESSLOGP: list 100 denied udp 202.12.27.33(53) -> X.X.55.121(1067), 4 packets
Apr 14 22:44:42: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.112.36.4(53) -> X.X.55.121(1067), 3 packets
Apr 14 22:44:42: %SEC-6-IPACCESSLOGP: list 100 denied udp 198.32.64.12(53) -> X.X.55.121(1067), 5 packets
Apr 14 22:46:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.33.4.12(53) -> X.X.55.121(1067), 1 packet
Apr 14 22:46:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.5.5.241(53) -> X.X.55.121(1067), 7 packets
Apr 14 22:48:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 128.9.0.107(53) -> X.X.55.121(1067), 7 packets
Apr 14 22:48:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 193.0.14.129(53) -> X.X.55.121(1067), 7 packets
Apr 14 22:49:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 128.8.10.90(53) -> X.X.55.121(1067), 4 packets
Apr 14 22:49:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 128.63.2.53(53) -> X.X.55.121(1067), 3 packets
Apr 14 22:49:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.203.230.10(53) -> X.X.55.121(1067), 6 packets
Apr 14 22:49:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 198.41.0.4(53) -> X.X.55.121(1067), 3 packets
Apr 14 22:49:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 198.41.0.10(53) -> X.X.55.121(1067), 3 packets
Apr 14 22:49:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.36.148.17(53) -> X.X.55.121(1067), 3 packets
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
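
The check described in the reply above, as an added example that is not part of the original messages: a Python sketch that parses IPACCESSLOGP lines like the quoted ones and separates denied packets that look like DNS replies from listed root servers from everything else. ROOT_HINTS is an assumption (a subset of the logged sources the reply identifies as root name servers; load your resolver's root hints in practice), and the last three sample lines are constructed.

```python
import re
from collections import Counter

# Cisco IOS extended-ACL log format, as in the lines quoted in the message.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\w+) (?P<src>[\w.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\w.]+)\((?P<dport>\d+)\), (?P<pkts>\d+) packets?"
)

# Assumption: subset of the logged sources, treated as root servers per the reply.
ROOT_HINTS = {"192.36.148.17", "192.5.5.241", "192.33.4.12", "202.12.27.33"}

def parse(line):
    """Return the fields of one ACL log line as a dict, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "pkts"):
        rec[key] = int(rec[key])
    return rec

def classify(rec, hints=ROOT_HINTS):
    """Label by shape only: UDP source ports are spoofable, so this is not proof of origin."""
    if rec["proto"] == "udp" and rec["sport"] == 53 and rec["dport"] >= 1024:
        return "dns-reply-root" if rec["src"] in hints else "dns-reply-other"
    return "not-dns-reply"

def triage(lines, hints=ROOT_HINTS):
    """Sum packet counts per label; also count lines that are not ACL log entries."""
    packets, unparsed = Counter(), 0
    for line in lines:
        rec = parse(line)
        if rec is None:
            unparsed += 1
            continue
        packets[classify(rec, hints)] += rec["pkts"]
    return dict(packets), unparsed

SAMPLE = [  # first three lines are from the quoted log; the last three are constructed
    "Apr 14 22:44:42: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.36.148.17(53) -> X.X.55.121(1067), 4 packets",
    "Apr 14 22:46:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.33.4.12(53) -> X.X.55.121(1067), 1 packet",
    "Apr 14 22:46:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.5.5.241(53) -> X.X.55.121(1067), 7 packets",
    "Apr 14 22:50:01: %SEC-6-IPACCESSLOGP: list 100 denied udp 203.0.113.9(53) -> X.X.55.121(1067), 2 packets",
    "Apr 14 22:50:02: %SEC-6-IPACCESSLOGP: list 100 denied udp 203.0.113.9(4000) -> X.X.55.121(161), 5 packets",
    "Apr 14 22:50:03: %LINK-3-UPDOWN: Interface Ethernet0, changed state to up",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```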
Current thread:
- Strange UDP Activity LAVELLE,MICHAEL (HP-PaloAlto,ex1) (Apr 16)
- Re: Strange UDP Activity Ryan Russell (Apr 16)
- <Possible follow-ups>
- RE: Strange UDP Activity Joe Kattner (Apr 16)
- RE: Strange UDP Activity Rajiv Dighe (Apr 16)
- Re: Strange UDP Activity Valdis . Kletnieks (Apr 16)
- RE: Strange UDP Activity LAVELLE,MICHAEL (HP-PaloAlto,ex1) (Apr 16)
- RE: Strange UDP Activity Jose Nazario (Apr 16)
- Re: Strange UDP Activity Eric Brandwine (Apr 16)
- Re: Strange UDP Activity Jose Nazario (Apr 16)
- Re: Strange UDP Activity Eric Brandwine (Apr 16)
- Re: Strange UDP Activity Stephen Friedl (Apr 16)