Security Incidents mailing list archives

RE: UDP scan from DNS server?


From: "dmuz" <dmuz () angrypacket com>
Date: Tue, 29 May 2001 19:18:02 -0700

Hi,

<snip: from my snort 1.8b5 snort.conf>
# Define the addresses of DNS servers and other hosts
# if you want to ignore portscan false alarms from them...
var DNS_SERVERS $HOME_NET
[...]
# Use portscan-ignorehosts to ignore TCP SYN and UDP "scans" from
# specific networks or hosts to reduce false alerts. It is typical
# to see many false alerts from DNS servers so you may want to
# add your DNS servers here. You can add multiple hosts/networks
# in a whitespace-delimited list.
#
#preprocessor portscan-ignorehosts: $DNS_SERVERS
</snip>

99.9% chance this is legitimate traffic. Most people add their DNS servers
to the portscan-ignorehosts variable. This will prevent these from being logged.

bye,
dmuz

-----Original Message-----
From: Michael Clark [mailto:mdc () ivc com]
Sent: Tuesday, May 29, 2001 10:44 AM
To: incidents () securityfocus com
Subject: UDP scan from DNS server?


Snort grabbed the following traces last night. The source is my ISP's DNS
server. Any ideas?

May 28 21:42:40 111.222.333.444:53 -> 192.168.1.1:61068 UDP
May 28 21:42:43 111.222.333.444:53 -> 192.168.1.1:61069 UDP
May 28 21:42:43 111.222.333.444:53 -> 192.168.1.1:61070 UDP
May 28 21:42:43 111.222.333.444:53 -> 192.168.1.1:61071 UDP
May 28 21:42:43 111.222.333.444:53 -> 192.168.1.1:61072 UDP
May 28 21:42:44 111.222.333.444:53 -> 192.168.1.1:61073 UDP
May 28 21:42:53 111.222.333.444:53 -> 192.168.1.1:61074 UDP
May 28 21:48:32 111.222.333.444:53 -> 192.168.1.1:61074 UDP
May 28 21:48:33 111.222.333.444:53 -> 192.168.1.1:61075 UDP
May 28 21:48:33 111.222.333.444:53 -> 192.168.1.1:61076 UDP
May 28 21:48:33 111.222.333.444:53 -> 192.168.1.1:61078 UDP
May 28 21:48:33 111.222.333.444:53 -> 192.168.1.1:61079 UDP
May 28 21:48:33 111.222.333.444:53 -> 192.168.1.1:61077 UDP
May 28 21:48:33 111.222.333.444:53 -> 192.168.1.1:61081 UDP
May 28 21:48:33 111.222.333.444:53 -> 192.168.1.1:61082 UDP
May 28 21:48:34 111.222.333.444:53 -> 192.168.1.1:61083 UDP
May 28 21:48:34 111.222.333.444:53 -> 192.168.1.1:61084 UDP
May 28 21:48:34 111.222.333.444:53 -> 192.168.1.1:61085 UDP
May 28 21:48:34 111.222.333.444:53 -> 192.168.1.1:61086 UDP
May 28 21:48:35 111.222.333.444:53 -> 192.168.1.1:61080 UDP
May 28 21:51:23 111.222.333.444:53 -> 192.168.1.1:61094 UDP
May 28 21:51:24 111.222.333.444:53 -> 192.168.1.1:61095 UDP
May 28 21:51:24 111.222.333.444:53 -> 192.168.1.1:61096 UDP
May 28 21:51:24 111.222.333.444:53 -> 192.168.1.1:61097 UDP
May 28 21:51:24 111.222.333.444:53 -> 192.168.1.1:61098 UDP
May 28 21:55:44 111.222.333.444:53 -> 192.168.1.1:61107 UDP
May 28 21:55:45 111.222.333.444:53 -> 192.168.1.1:61108 UDP
May 28 21:55:46 111.222.333.444:53 -> 192.168.1.1:61109 UDP
May 28 21:55:46 111.222.333.444:53 -> 192.168.1.1:61110 UDP
May 28 21:55:47 111.222.333.444:53 -> 192.168.1.1:61111 UDP
May 28 21:55:47 111.222.333.444:53 -> 192.168.1.1:61112 UDP
May 28 21:56:02 111.222.333.444:53 -> 192.168.1.1:61113 UDP
May 28 21:56:02 111.222.333.444:53 -> 192.168.1.1:61114 UDP
May 28 21:56:05 111.222.333.444:53 -> 192.168.1.1:61115 UDP
May 28 21:56:07 111.222.333.444:53 -> 192.168.1.1:61116 UDP
May 28 21:56:18 111.222.333.444:53 -> 192.168.1.1:61117 UDP
May 28 21:56:18 111.222.333.444:53 -> 192.168.1.1:61118 UDP
May 28 21:57:06 111.222.333.444:53 -> 192.168.1.1:61118 UDP
May 28 21:57:07 111.222.333.444:53 -> 192.168.1.1:61119 UDP
May 28 21:57:07 111.222.333.444:53 -> 192.168.1.1:61120 UDP
May 28 21:57:08 111.222.333.444:53 -> 192.168.1.1:61121 UDP
May 28 21:57:09 111.222.333.444:53 -> 192.168.1.1:61122 UDP
May 28 21:57:11 111.222.333.444:53 -> 192.168.1.1:61123 UDP
May 28 23:16:51 111.222.333.444:53 -> 192.168.1.1:61139 UDP
May 28 23:16:52 111.222.333.444:53 -> 192.168.1.1:61140 UDP
May 28 23:16:52 111.222.333.444:53 -> 192.168.1.1:61141 UDP
May 28 23:16:54 111.222.333.444:53 -> 192.168.1.1:61142 UDP
May 28 23:16:54 111.222.333.444:53 -> 192.168.1.1:61143 UDP
May 28 23:16:55 111.222.333.444:53 -> 192.168.1.1:61144 UDP
May 28 23:16:56 111.222.333.444:53 -> 192.168.1.1:61145 UDP
May 28 23:17:12 111.222.333.444:53 -> 192.168.1.1:61146 UDP
May 28 23:17:15 111.222.333.444:53 -> 192.168.1.1:61147 UDP
May 29 06:14:56 111.222.333.444:53 -> 192.168.1.1:61156 UDP
May 29 06:14:56 111.222.333.444:53 -> 192.168.1.1:61157 UDP
May 29 06:14:56 111.222.333.444:53 -> 192.168.1.1:61158 UDP
May 29 06:14:57 111.222.333.444:53 -> 192.168.1.1:61159 UDP
May 29 06:14:59 111.222.333.444:53 -> 192.168.1.1:61160 UDP
May 29 06:14:59 111.222.333.444:53 -> 192.168.1.1:61161 UDP
May 29 06:15:00 111.222.333.444:53 -> 192.168.1.1:61162 UDP
May 29 06:15:02 111.222.333.444:53 -> 192.168.1.1:61163 UDP
May 29 06:15:15 111.222.333.444:53 -> 192.168.1.1:61164 UDP
May 29 06:15:19 111.222.333.444:53 -> 192.168.1.1:61165 UDP
May 29 06:15:19 111.222.333.444:53 -> 192.168.1.1:61166 UDP

Michael
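
As an added example (not part of either message in this thread): a small Python classifier that parses the portscan log format quoted above, separates the port-53-to-ephemeral-port pattern that dmuz calls legitimate from bursts that deserve a look, and emits the portscan-ignorehosts line from the snort.conf snippet for the sources it judged benign. The log lines are constructed (the first five mirror the post, the 10.0.0.9 burst is made up), and the 1024 ephemeral-port threshold and min_events cutoff are assumptions.

```python
import re
from collections import defaultdict

# Matches the portscan log format in the post: "Mon DD HH:MM:SS src:sport -> dst:dport PROTO".
LINE_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d (?P<src>[\d.]+):(?P<sport>\d+) -> "
                     r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$")

# Constructed sample: the first burst mirrors the post (port-53 source, ephemeral
# destination ports); the second is a made-up host touching low UDP service ports.
SAMPLE_LOG = """\
May 28 21:48:32 111.222.333.444:53 -> 192.168.1.1:61074 UDP
May 28 21:48:33 111.222.333.444:53 -> 192.168.1.1:61075 UDP
May 28 21:48:33 111.222.333.444:53 -> 192.168.1.1:61076 UDP
May 28 21:48:33 111.222.333.444:53 -> 192.168.1.1:61078 UDP
May 28 21:48:33 111.222.333.444:53 -> 192.168.1.1:61077 UDP
May 28 21:55:44 10.0.0.9:40112 -> 192.168.1.1:53 UDP
May 28 21:55:44 10.0.0.9:40113 -> 192.168.1.1:69 UDP
May 28 21:55:44 10.0.0.9:40114 -> 192.168.1.1:111 UDP
May 28 21:55:44 10.0.0.9:40115 -> 192.168.1.1:161 UDP
May 28 21:55:45 10.0.0.9:40116 -> 192.168.1.1:514 UDP
"""

def parse(log_text):
    """Parse log lines into (src, sport, dst, dport, proto) tuples; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["proto"]))
    return events

def classify(events, min_events=5):
    """Return {src: verdict} for sources with at least min_events UDP datagrams. A burst is
    'likely-dns-replies' only if every datagram comes from port 53 and lands on an ephemeral
    port (>= 1024, assumed), i.e. it looks like answers to the host's own resolver queries."""
    by_src = defaultdict(list)
    for src, sport, dst, dport, proto in events:
        if proto == "UDP":
            by_src[src].append((sport, dport))
    verdicts = {}
    for src, pairs in by_src.items():
        if len(pairs) >= min_events:
            dns_like = all(sp == 53 and dp >= 1024 for sp, dp in pairs)
            verdicts[src] = "likely-dns-replies" if dns_like else "udp-scan-candidate"
    return verdicts

def ignorehosts_line(verdicts):
    """Build the snort.conf directive from the post for the sources judged to be DNS replies."""
    hosts = sorted(src for src, v in verdicts.items() if v == "likely-dns-replies")
    return "preprocessor portscan-ignorehosts: " + " ".join(hosts)
```

Before pasting the generated directive into snort.conf, confirm that each listed source is in fact the resolver configured on the receiving host, since the classifier only checks the port pattern, not who the host actually queries.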
