RE: port scan from 53

["Mike Batchelor" <mikebat () tmcs net>]

> JK,
>
> > Does anyone have any idea what would cause a scan to originate from port
> 53
> > on an IRIX based server and destined for users on incrementing ports
> > starting in the 1000 range and continuing, in cases, to 4000 range.
>
> the attacker might be expecting that your ACL / packetfilter
> accepts/passes
> all packets originating from 53 UDP (DNS-lookups).  This is often the case
> on insecure packet-filter installations.

It could also be the result of improper filters on JK's gateway.  If he is
permitting outgoing packets to 53/UDP for DNS, but forgot to allow the
incoming replies from 53/UDP to pass back to his clients, then he would see
alerts just like the ones he posted.  When the client's resolver library
fails to see a reply and retransmits the query, the client port number
increments (on most platforms).

> > 2000/09/14,09:21:48 -5:00 GMT,
> > Server.IP.Address:53,Client.IP.Address:1038,UDP
>
> With kind regards,
>
> Maarten Van Horenbeeck
> OS2 & Unix System Administrator
> http://www.daemon.be
> maarten () daemon be