Security Incidents mailing list archives
RE: SYN/ACK to port 53
From: "Keith.Morgan" <Keith.Morgan () Terradon com>
Date: Thu, 24 May 2001 16:59:34 -0400
We've nailed this down. Several of us got into some pretty in-depth investigation on this matter starting about the middle of this month. There is a company called "mirror-image." See http://www.mirror-image.com. They are using Cisco's distributed content director. This calculates the shortest distance between an http-get and an http reply. For some insane reason, they have decided to configure their content director to poll on port 53. Every time one of your users browses to one of their customers' sites, you're going to get flooded with these syn-ack packets destined for port 53. I'm still awaiting some sort of answer from the folks at mirror image.

One should note that I don't believe Cisco's distributed content director is configured to use port 53 by default. My understanding is that it normally uses high ports, but again, for unknown reasons, the folks at mirror image (and possibly others) have decided to use port 53.

Keith T. Morgan
Chief of Information Security
Terradon Communications
keith.morgan () terradon com
304-755-8291 x142
-----Original Message-----
From: DeCamp, Paul [mailto:PDeCamp () MedManageSystems com]
Sent: Thursday, May 24, 2001 2:33 PM
To: INCIDENTS (E-mail)
Subject: SYN/ACK to port 53

OK, this is beginning to drive me nuts. Since about February of this year, our firewall has been periodically hit with what can only be a probe, attack, whatever to port 53. Every time the scan exhibits the same behavior and is from the same set of IP addresses. A SYN/ACK packet is sent to TCP port 53. No SYN was sent from our system. The SYN & ACK sequence numbers appear to be random, but the ACK is always 1 less than the SYN. Our system responds with a RST to the ACK.

I have searched books, the Internet (SANS, SecurityFocus, etc.), and while I have found other reports of somewhat similar activity, I have to this day found no coherent explanation as to what this is. Based on the SYN/ACK numbers, this is obviously some sort of malformed packet, but to what purpose? To spoof our system into thinking that it has sent a SYN when it hasn't? Is it a type of SYN flood? To hijack a port on our system? A scan for some trojan?

Any assistance would be appreciated, and better yet, any advice as to where on the Internet is a good location for looking up such obviously abnormal activity and what possible explanations may be. Thanks.

------------------
Paul DeCamp, IT Operations Lead
MedManage Systems Inc.
Voice: (425) 354-2212
E-Mail: PDeCamp () medmanagesystems com
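The pattern Paul describes (an inbound SYN/ACK on TCP port 53 that answers no SYN of ours, with ack one less than seq, followed by our RST) is easy to pick out of a packet log with a small stateful check: remember every outbound SYN, and treat any inbound SYN/ACK that does not match a remembered SYN (reversed 4-tuple, ack == our seq + 1) as unsolicited. The following is an added example written for this archive page; it is not code from either poster or from the list. The one-line log format, the local address prefix 10.0.0.0/24, the sample packets and the function names are all constructed assumptions for the illustration.

```python
"""Flag unsolicited inbound TCP SYN/ACKs, i.e. ones that answer no SYN of ours.

Added example for the "SYN/ACK to port 53" thread, not the posters' code.
The packet records below are constructed to mimic the reported behaviour:
a SYN/ACK arriving at port 53 with no prior SYN from us, ack = seq - 1,
answered by a RST. The log layout and local prefix are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

OUR_NET = "10.0.0."  # assumed local address prefix for the constructed log

# Constructed packet log: ts src:sport > dst:dport flags seq ack
# Flags: S = SYN, SA = SYN/ACK, A = ACK, R = RST.
SAMPLE_LOG = """\
1.0 10.0.0.5:34567 > 192.0.2.80:80 S 1000 0
1.1 192.0.2.80:80 > 10.0.0.5:34567 SA 5000 1001
1.2 10.0.0.5:34567 > 192.0.2.80:80 A 1001 5001
2.0 203.0.113.7:2000 > 10.0.0.5:53 SA 123456 123455
2.0 10.0.0.5:53 > 203.0.113.7:2000 R 123455 0
2.5 203.0.113.9:2001 > 10.0.0.5:53 SA 777777 777776
"""


@dataclass
class Pkt:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    seq: int
    ack: int


def parse_line(line):
    """Parse one constructed log line into a Pkt."""
    ts, src, _arrow, dst, flags, seq, ack = line.split()
    s_ip, s_port = src.rsplit(":", 1)
    d_ip, d_port = dst.rsplit(":", 1)
    return Pkt(float(ts), s_ip, int(s_port), d_ip, int(d_port),
               flags, int(seq), int(ack))


def is_local(ip):
    return ip.startswith(OUR_NET)


def find_unsolicited_synacks(packets):
    """Return the inbound SYN/ACKs for which no matching outbound SYN was seen.

    A legitimate SYN/ACK answers one of our SYNs: the 4-tuple is the reverse
    of the SYN's and its ack equals our SYN's seq + 1. Anything else is flagged.
    """
    pending = {}  # (local_ip, local_port, remote_ip, remote_port) -> our SYN seq
    hits = []
    for p in packets:
        if p.flags == "S" and is_local(p.src):
            pending[(p.src, p.sport, p.dst, p.dport)] = p.seq
        elif p.flags == "SA" and is_local(p.dst):
            key = (p.dst, p.dport, p.src, p.sport)
            our_seq = pending.get(key)
            if our_seq is None or p.ack != our_seq + 1:
                hits.append(p)
            else:
                del pending[key]  # handshake answered, stop tracking it
    return hits


def summarize(hits):
    """Group flagged SYN/ACKs by source: list of (target port, ack - seq)."""
    by_src = defaultdict(list)
    for p in hits:
        by_src[p.src].append((p.dport, p.ack - p.seq))
    return dict(by_src)


def analyze(log_text):
    """Run the check over a log and return the per-source summary."""
    packets = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return summarize(find_unsolicited_synacks(packets))


if __name__ == "__main__":
    for src, entries in analyze(SAMPLE_LOG).items():
        print(src, entries)
```

Seen across many hosts, the same offset (ack - seq of -1 here) from the same handful of sources, always to port 53 and always answered by our RST, is what distinguishes a fixed probe from random noise; the summary keeps exactly those fields so that recurring sources stand out.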
Current thread:
- SYN/ACK to port 53 DeCamp, Paul (May 24)
- Re: SYN/ACK to port 53 Daniel Martin (May 25)
- Re: SYN/ACK to port 53 Ryan Russell (May 25)
- RE: SYN/ACK to port 53 Golden_Eternity (May 26)
- <Possible follow-ups>
- Re: SYN/ACK to port 53 Bill_Royds (May 25)
- RE: SYN/ACK to port 53 Steve Halligan (May 25)
- RE: SYN/ACK to port 53 DeCamp, Paul (May 25)
- RE: SYN/ACK to port 53 Keith.Morgan (May 25)