Security Incidents mailing list archives
Re: UDP scan from DNS server?
From: David Luyer <david_luyer () pacific net au>
Date: Wed, 30 May 2001 12:35:14 +1000
Snort grabbed the following traces last night. The source is my ISP's DNS server. Any ideas?

May 28 21:42:40 111.222.333.444:53 -> 192.168.1.1:61068 UDP
May 28 21:42:43 111.222.333.444:53 -> 192.168.1.1:61069 UDP
May 28 21:42:43 111.222.333.444:53 -> 192.168.1.1:61070 UDP
May 28 21:42:43 111.222.333.444:53 -> 192.168.1.1:61071 UDP
[...]

That, most likely, your IDS has no clue. Your ISP is responding to your DNS requests, and you're detecting them as an "attack".

What's more, users of these broken IDSs often firewall their ISP's DNS servers, and then ring the ISP and say "why can't I web browse anymore?" *sigh*

David.
--
David Luyer                                        Phone:   +61 3 9674 7525
Engineering Projects Manager   P A C I F I C       Fax:     +61 3 9699 8693
Pacific Internet (Australia)  I N T E R N E T      Mobile:  +61 4 1111 2983
http://www.pacific.net.au/                         NASDAQ:  PCNTF
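The reply's point, that UDP packets from a resolver's port 53 to a client's high ports are normally answers to the client's own queries, can be checked by pairing each alert with an outbound query before treating it as a scan. This is an added example, not part of the original message: the outbound query lines and the last alert line are constructed, and the 5-second matching window and the year are assumptions.

```python
import re
from datetime import datetime, timedelta

# Alert format quoted in the thread: "May 28 21:42:40 src:sport -> dst:dport UDP".
# Addresses are matched as opaque strings because the post sanitised them.
LINE = re.compile(r"(\w{3} +\d+ [\d:]{8}) (\S+):(\d+) -> (\S+):(\d+) UDP")

def parse(line, year=2001):
    """Return (time, src, sport, dst, dport), or None if the line does not match."""
    m = LINE.fullmatch(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m[1]}", "%Y %b %d %H:%M:%S")
    return ts, m[2], int(m[3]), m[4], int(m[5])

def classify(alerts, queries, window=timedelta(seconds=5)):
    """Label each inbound packet 'dns-reply' when it mirrors a recent outbound
    query (same resolver, same client address and port), else 'unsolicited'."""
    pending = {}  # (resolver, client, client_port) -> time the query was sent
    for p in filter(None, map(parse, queries)):
        ts, src, sport, dst, dport = p
        if dport == 53:
            pending[(dst, src, sport)] = ts
    results = []
    for p in filter(None, map(parse, alerts)):
        ts, src, sport, dst, dport = p
        sent = pending.get((src, dst, dport))
        matched = (sport == 53 and sent is not None
                   and timedelta(0) <= ts - sent <= window)
        results.append((dport, "dns-reply" if matched else "unsolicited"))
    return results

# First four lines are the alerts from the post; the fifth is constructed.
ALERTS = [
    "May 28 21:42:40 111.222.333.444:53 -> 192.168.1.1:61068 UDP",
    "May 28 21:42:43 111.222.333.444:53 -> 192.168.1.1:61069 UDP",
    "May 28 21:42:43 111.222.333.444:53 -> 192.168.1.1:61070 UDP",
    "May 28 21:42:43 111.222.333.444:53 -> 192.168.1.1:61071 UDP",
    "May 28 21:50:00 111.222.333.444:53 -> 192.168.1.1:137 UDP",
]
# Constructed outbound query log from the client's side (not from the post).
QUERIES = [
    "May 28 21:42:40 192.168.1.1:61068 -> 111.222.333.444:53 UDP",
    "May 28 21:42:43 192.168.1.1:61069 -> 111.222.333.444:53 UDP",
    "May 28 21:42:43 192.168.1.1:61070 -> 111.222.333.444:53 UDP",
    "May 28 21:42:43 192.168.1.1:61071 -> 111.222.333.444:53 UDP",
]

if __name__ == "__main__":
    for port, verdict in classify(ALERTS, QUERIES):
        print(port, verdict)
```

Only packets that stay 'unsolicited' after this pairing are worth investigating; blocking the resolver on the basis of the matched ones breaks name resolution for the client.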