Security Incidents mailing list archives

Re: UDP scan from DNS server?


From: David Luyer <david_luyer () pacific net au>
Date: Wed, 30 May 2001 12:35:14 +1000

> Snort grabbed the following traces last night. The source is my ISP's DNS
> server. Any ideas?
>
> May 28 21:42:40 111.222.333.444:53 -> 192.168.1.1:61068 UDP
> May 28 21:42:43 111.222.333.444:53 -> 192.168.1.1:61069 UDP
> May 28 21:42:43 111.222.333.444:53 -> 192.168.1.1:61070 UDP
> May 28 21:42:43 111.222.333.444:53 -> 192.168.1.1:61071 UDP
> [...]

That, most likely, your IDS has no clue.  Your ISP is responding to your
DNS requests, and you're detecting them as an "attack".

What's more, users of these broken IDSs often firewall their ISP's DNS
servers, and then ring the ISP and say "why can't I web browse anymore?"

*sigh*

David.
-- 
David Luyer                                        Phone:   +61 3 9674 7525
Engineering Projects Manager   P A C I F I C       Fax:     +61 3 9699 8693
Pacific Internet (Australia)  I N T E R N E T      Mobile:  +61 4 1111 2983
http://www.pacific.net.au/                         NASDAQ:  PCNTF
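
The point made in the reply above, as an added example that is not part of the original post: a stateful check that pairs each inbound UDP packet from port 53 with a recent outbound query to the same server, so only unmatched packets are reported. The outbound query lines, the unmatched packet to port 61099, and the 5-second window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the trace format quoted above; the outbound query
# lines and the final unmatched packet are assumptions added for illustration.
SAMPLE = """\
May 28 21:42:39 192.168.1.1:61068 -> 111.222.333.444:53 UDP
May 28 21:42:40 111.222.333.444:53 -> 192.168.1.1:61068 UDP
May 28 21:42:42 192.168.1.1:61069 -> 111.222.333.444:53 UDP
May 28 21:42:43 111.222.333.444:53 -> 192.168.1.1:61069 UDP
May 28 21:42:50 111.222.333.444:53 -> 192.168.1.1:61099 UDP
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) (\S+):(\d+) -> (\S+):(\d+) UDP$")
WINDOW = timedelta(seconds=5)  # assumed resolver timeout, not from the post


def parse(line):
    """Return (timestamp, (src_ip, src_port), (dst_ip, dst_port)) or None."""
    m = LINE.match(line.strip())
    if not m:
        return None  # skips "[...]" and any other non-trace line
    # The trace carries no year; 2001 is taken from the message date.
    ts = datetime.strptime("2001 " + m.group(1), "%Y %b %d %H:%M:%S")
    return ts, (m.group(2), int(m.group(3))), (m.group(4), int(m.group(5)))


def classify(log, window=WINDOW):
    """Label each inbound packet from port 53 as 'reply' or 'unsolicited'."""
    pending = {}   # (client endpoint, server endpoint) -> time of last query
    verdicts = []
    for line in log.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, src, dst = rec
        if dst[1] == 53:            # outbound query: remember the flow
            pending[(src, dst)] = ts
        elif src[1] == 53:          # inbound packet from a DNS port
            asked = pending.get((dst, src))
            ok = asked is not None and timedelta(0) <= ts - asked <= window
            verdicts.append((dst[1], "reply" if ok else "unsolicited"))
    return verdicts


if __name__ == "__main__":
    for port, verdict in classify(SAMPLE):
        print(port, verdict)
```

Run against only the inbound lines quoted in the post, every packet comes back `unsolicited`, which is the view a sensor has when it never sees or tracks the client's own queries.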


