Security Incidents mailing list archives

Re: UDP scan from DNS server?


From: "Jonathan Bloomquist" <jsbloom () adelphia net>
Date: Mon, 28 May 2001 23:02:27 -0400

Snort should be configured to ignore DNS servers:

Portscan Ignorehosts

Another module from Patrick Mullen that modifies the portscan detection
system's operation.  If you have servers which tend to trip off the portscan
detector (such as NTP, NFS, and DNS servers), you can tell portscan to
ignore TCP SYN and UDP portscans from certain hosts.  The arguments to this
module are a list of IPs/CIDR blocks to be ignored.

Format:

  portscan-ignorehosts: <host list>

My snort config file contains these lines:

  var DNS_SERVERS [x.x.x.x/32,x.x.x.x/32]

and

  preprocessor portscan-ignorehosts: $DNS_SERVERS



From: "Michael Clark" <mdc () ivc com>
To: <incidents () securityfocus com>
Sent: Tuesday, May 29, 2001 1:44 PM
Subject: UDP scan from DNS server?


Snort grabbed the following traces last night. The source is my ISP's DNS
server. Any ideas?

May 28 21:42:40 111.222.333.444:53 -> 192.168.1.1:61068 UDP
May 28 21:42:43 111.222.333.444:53 -> 192.168.1.1:61069 UDP
May 28 21:42:43 111.222.333.444:53 -> 192.168.1.1:61070 UDP
May 28 21:42:43 111.222.333.444:53 -> 192.168.1.1:61071 UDP
May 28 21:42:43 111.222.333.444:53 -> 192.168.1.1:61072 UDP
May 28 21:42:44 111.222.333.444:53 -> 192.168.1.1:61073 UDP
May 28 21:42:53 111.222.333.444:53 -> 192.168.1.1:61074 UDP
May 28 21:48:32 111.222.333.444:53 -> 192.168.1.1:61074 UDP
May 28 21:48:33 111.222.333.444:53 -> 192.168.1.1:61075 UDP
May 28 21:48:33 111.222.333.444:53 -> 192.168.1.1:61076 UDP
May 28 21:48:33 111.222.333.444:53 -> 192.168.1.1:61078 UDP
May 28 21:48:33 111.222.333.444:53 -> 192.168.1.1:61079 UDP
May 28 21:48:33 111.222.333.444:53 -> 192.168.1.1:61077 UDP
May 28 21:48:33 111.222.333.444:53 -> 192.168.1.1:61081 UDP
May 28 21:48:33 111.222.333.444:53 -> 192.168.1.1:61082 UDP
May 28 21:48:34 111.222.333.444:53 -> 192.168.1.1:61083 UDP
May 28 21:48:34 111.222.333.444:53 -> 192.168.1.1:61084 UDP
May 28 21:48:34 111.222.333.444:53 -> 192.168.1.1:61085 UDP
May 28 21:48:34 111.222.333.444:53 -> 192.168.1.1:61086 UDP
May 28 21:48:35 111.222.333.444:53 -> 192.168.1.1:61080 UDP
May 28 21:51:23 111.222.333.444:53 -> 192.168.1.1:61094 UDP
May 28 21:51:24 111.222.333.444:53 -> 192.168.1.1:61095 UDP
May 28 21:51:24 111.222.333.444:53 -> 192.168.1.1:61096 UDP
May 28 21:51:24 111.222.333.444:53 -> 192.168.1.1:61097 UDP
May 28 21:51:24 111.222.333.444:53 -> 192.168.1.1:61098 UDP
May 28 21:55:44 111.222.333.444:53 -> 192.168.1.1:61107 UDP
May 28 21:55:45 111.222.333.444:53 -> 192.168.1.1:61108 UDP
May 28 21:55:46 111.222.333.444:53 -> 192.168.1.1:61109 UDP
May 28 21:55:46 111.222.333.444:53 -> 192.168.1.1:61110 UDP
May 28 21:55:47 111.222.333.444:53 -> 192.168.1.1:61111 UDP
May 28 21:55:47 111.222.333.444:53 -> 192.168.1.1:61112 UDP
May 28 21:56:02 111.222.333.444:53 -> 192.168.1.1:61113 UDP
May 28 21:56:02 111.222.333.444:53 -> 192.168.1.1:61114 UDP
May 28 21:56:05 111.222.333.444:53 -> 192.168.1.1:61115 UDP
May 28 21:56:07 111.222.333.444:53 -> 192.168.1.1:61116 UDP
May 28 21:56:18 111.222.333.444:53 -> 192.168.1.1:61117 UDP
May 28 21:56:18 111.222.333.444:53 -> 192.168.1.1:61118 UDP
May 28 21:57:06 111.222.333.444:53 -> 192.168.1.1:61118 UDP
May 28 21:57:07 111.222.333.444:53 -> 192.168.1.1:61119 UDP
May 28 21:57:07 111.222.333.444:53 -> 192.168.1.1:61120 UDP
May 28 21:57:08 111.222.333.444:53 -> 192.168.1.1:61121 UDP
May 28 21:57:09 111.222.333.444:53 -> 192.168.1.1:61122 UDP
May 28 21:57:11 111.222.333.444:53 -> 192.168.1.1:61123 UDP
May 28 23:16:51 111.222.333.444:53 -> 192.168.1.1:61139 UDP
May 28 23:16:52 111.222.333.444:53 -> 192.168.1.1:61140 UDP
May 28 23:16:52 111.222.333.444:53 -> 192.168.1.1:61141 UDP
May 28 23:16:54 111.222.333.444:53 -> 192.168.1.1:61142 UDP
May 28 23:16:54 111.222.333.444:53 -> 192.168.1.1:61143 UDP
May 28 23:16:55 111.222.333.444:53 -> 192.168.1.1:61144 UDP
May 28 23:16:56 111.222.333.444:53 -> 192.168.1.1:61145 UDP
May 28 23:17:12 111.222.333.444:53 -> 192.168.1.1:61146 UDP
May 28 23:17:15 111.222.333.444:53 -> 192.168.1.1:61147 UDP
May 29 06:14:56 111.222.333.444:53 -> 192.168.1.1:61156 UDP
May 29 06:14:56 111.222.333.444:53 -> 192.168.1.1:61157 UDP
May 29 06:14:56 111.222.333.444:53 -> 192.168.1.1:61158 UDP
May 29 06:14:57 111.222.333.444:53 -> 192.168.1.1:61159 UDP
May 29 06:14:59 111.222.333.444:53 -> 192.168.1.1:61160 UDP
May 29 06:14:59 111.222.333.444:53 -> 192.168.1.1:61161 UDP
May 29 06:15:00 111.222.333.444:53 -> 192.168.1.1:61162 UDP
May 29 06:15:02 111.222.333.444:53 -> 192.168.1.1:61163 UDP
May 29 06:15:15 111.222.333.444:53 -> 192.168.1.1:61164 UDP
May 29 06:15:19 111.222.333.444:53 -> 192.168.1.1:61165 UDP
May 29 06:15:19 111.222.333.444:53 -> 192.168.1.1:61166 UDP

Michael
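The triage the two messages above describe, as an added example that belongs to neither poster: parse Snort's portscan log format, drop sources listed the way portscan-ignorehosts does (hosts or CIDR blocks), and flag the pattern in Michael's trace (UDP from source port 53 to a run of adjacent high ports) as resolver replies rather than a scan. The sample lines are constructed; the thread's masked 111.222.333.444 is not a valid IPv4 address, so RFC 5737 documentation addresses stand in for it and for a second, scan-like source added for contrast.

```python
import ipaddress
import re
from collections import defaultdict

# Snort 1.x portscan log line, e.g. "May 28 21:42:40 192.0.2.53:53 -> 192.168.1.1:61068 UDP"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)

# Constructed sample: the first block mirrors the thread's trace, the second is a made-up
# source touching well-known UDP service ports so the two verdicts can be compared.
SAMPLE = """
May 28 21:42:40 192.0.2.53:53 -> 192.168.1.1:61068 UDP
May 28 21:42:43 192.0.2.53:53 -> 192.168.1.1:61069 UDP
May 28 21:42:43 192.0.2.53:53 -> 192.168.1.1:61070 UDP
May 28 21:42:43 192.0.2.53:53 -> 192.168.1.1:61071 UDP
May 28 21:42:44 192.0.2.53:53 -> 192.168.1.1:61073 UDP
May 28 21:42:53 192.0.2.53:53 -> 192.168.1.1:61074 UDP
May 28 22:00:01 198.51.100.7:31337 -> 192.168.1.1:53 UDP
May 28 22:00:01 198.51.100.7:31337 -> 192.168.1.1:69 UDP
May 28 22:00:02 198.51.100.7:31337 -> 192.168.1.1:111 UDP
May 28 22:00:02 198.51.100.7:31337 -> 192.168.1.1:137 UDP
May 28 22:00:03 198.51.100.7:31337 -> 192.168.1.1:161 UDP
""".strip().splitlines()

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"src": ipaddress.ip_address(d["src"]), "sport": int(d["sport"]),
            "dst": ipaddress.ip_address(d["dst"]), "dport": int(d["dport"]), "proto": d["proto"]}

def classify(lines, ignore_hosts=()):
    """Per-source verdict for events not covered by the ignore list (hosts or CIDR blocks)."""
    nets = [ipaddress.ip_network(h, strict=False) for h in ignore_hosts]
    by_src = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        if not any(ev["src"] in net for net in nets):   # same effect as portscan-ignorehosts
            by_src[ev["src"]].append(ev)
    verdicts = {}
    for src, evs in by_src.items():
        dports = sorted({e["dport"] for e in evs})
        from_53 = all(e["proto"] == "UDP" and e["sport"] == 53 for e in evs)
        ephemeral = all(p >= 1024 for p in dports)
        # Answers to a resolver walk its ephemeral port counter, so the hit ports cluster
        # tightly; a service sweep is spread over unrelated low ports from a fixed source port.
        dense = len(dports) / (dports[-1] - dports[0] + 1) >= 0.5
        if from_53 and ephemeral and dense:
            verdicts[str(src)] = "likely DNS replies (ignorehosts candidate)"
        else:
            verdicts[str(src)] = "review: %d events on %d ports" % (len(evs), len(dports))
    return verdicts
```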