Security Incidents mailing list archives

Re: UDP scan from DNS server?


From: Michael Clark <mdc () ivc com>
Date: Wed, 30 May 2001 17:12:55 -0400

Thanks to all who replied to my query. Actually, I'm not quite as naive as my 
post may have suggested. I have a *basic* understanding of DNS. The thing 
that threw me on this one was the rapid bursts of packets to incremental high 
ports. I still don't quite understand it, but Mr. Brenton shed some light on 
the issue:

"I see this from time to time. _Usually_ the culprit is the target system
thinks it already received a reply or timed out the connection. The DNS
server is still trying to reply and starts hitting incremental ports
(remember DNS has no flags to work with, so gracefully killing a UDP
connection can get messy). Usually the attempt dies after an hour or so,
but it depends on the platform the DNS server is using. I've seen HP
systems continue to retry for months. :)"

I have taken the advice that most of you provided, and excluded my DNS server 
from the preprocessor directives for Snort.

Now, if most IDSs have the same attribute, it occurs to me that hijacking a 
DNS server would be an ideal way to launch attacks against other machines in 
a network...

Thanks again for helping me to understand this stuff. 

Michael
On Tuesday 29 May 2001 13:44, I wrote:
Snort grabbed the following traces last night. The source is my ISP's DNS
server. Any ideas?

May 28 21:42:40 111.222.333.444:53 -> 192.168.1.1:61068 UDP
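As an added illustration of the behaviour Mr. Brenton describes (a DNS server retrying replies to rising high ports) and of the allowlist mitigation the poster applied, here is a small Python classifier. It is not code from the post or from Snort; the one-line log format follows the trace quoted above, the thresholds, the classifier logic and the second, sweep-like source address (10.9.8.7) are my own assumptions, and the sample log is constructed.

```python
"""Separate stale DNS reply retries from a real UDP port sweep in Snort-style logs.

Added example, not part of the original mailing-list post. Pattern it looks for:
  * "dns-reply-retry": every packet comes from source port 53 and the destination
    ports climb by small steps within a short burst (the behaviour described in
    the thread);
  * "possible-udp-sweep": anything else that hits many ports in a short window.
A set of known DNS servers (the poster's mitigation) suppresses alerts for the
first pattern only, so a non-DNS host that sweeps ports is still reported.
"""
import re
from collections import defaultdict
from datetime import datetime

# Matches lines such as: "May 28 21:42:40 111.222.333.444:53 -> 192.168.1.1:61068 UDP"
LOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+):(\d+) -> (\S+):(\d+) UDP$")


def parse_line(line):
    """Return a dict for one UDP log line, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    # The log carries no year; strptime defaults to 1900, which is fine for
    # computing intra-burst time spans.
    ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
    return {"ts": ts, "src": m.group(2), "sport": int(m.group(3)),
            "dst": m.group(4), "dport": int(m.group(5))}


def parse_log(text):
    """Parse a whole log, silently skipping lines that are not UDP entries."""
    return [p for p in (parse_line(l) for l in text.splitlines()) if p]


def classify(packets, window_seconds=10, min_packets=5, max_step=8):
    """Group packets by (src, dst) and label each burst.

    Returns a list of (src, dst, verdict) tuples. Pairs with fewer than
    min_packets packets, or spread over more than window_seconds, are ignored:
    they do not look like a burst at all. Thresholds are assumptions.
    """
    by_pair = defaultdict(list)
    for p in packets:
        by_pair[(p["src"], p["dst"])].append(p)

    results = []
    for (src, dst), pkts in by_pair.items():
        pkts.sort(key=lambda p: p["ts"])
        if len(pkts) < min_packets:
            continue
        span = (pkts[-1]["ts"] - pkts[0]["ts"]).total_seconds()
        if span > window_seconds:
            continue
        ports = [p["dport"] for p in pkts]
        steps = [b - a for a, b in zip(ports, ports[1:])]
        climbing_slowly = all(0 < s <= max_step for s in steps)
        all_from_53 = all(p["sport"] == 53 for p in pkts)
        high_ports_only = all(port >= 1024 for port in ports)
        if all_from_53 and climbing_slowly and high_ports_only:
            verdict = "dns-reply-retry"
        else:
            verdict = "possible-udp-sweep"
        results.append((src, dst, verdict))
    return results


def alerts(packets, known_dns_servers, **kwargs):
    """Apply the allowlist: drop reply-retry verdicts from trusted DNS servers only."""
    return [r for r in classify(packets, **kwargs)
            if not (r[2] == "dns-reply-retry" and r[0] in known_dns_servers)]


# Constructed sample log. The first line is the trace quoted in the thread; the
# rest extend it into a five-packet retry burst plus an unrelated, sweep-like
# source (10.9.8.7, an invented address) for contrast.
SAMPLE_LOG = """\
May 28 21:42:40 111.222.333.444:53 -> 192.168.1.1:61068 UDP
May 28 21:42:40 111.222.333.444:53 -> 192.168.1.1:61069 UDP
May 28 21:42:41 111.222.333.444:53 -> 192.168.1.1:61070 UDP
May 28 21:42:41 111.222.333.444:53 -> 192.168.1.1:61071 UDP
May 28 21:42:42 111.222.333.444:53 -> 192.168.1.1:61072 UDP
May 28 22:10:03 10.9.8.7:40001 -> 192.168.1.1:53 UDP
May 28 22:10:03 10.9.8.7:40001 -> 192.168.1.1:69 UDP
May 28 22:10:04 10.9.8.7:40001 -> 192.168.1.1:161 UDP
May 28 22:10:04 10.9.8.7:40001 -> 192.168.1.1:514 UDP
May 28 22:10:05 10.9.8.7:40001 -> 192.168.1.1:1434 UDP
"""

if __name__ == "__main__":
    pkts = parse_log(SAMPLE_LOG)
    for src, dst, verdict in alerts(pkts, known_dns_servers={"111.222.333.444"}):
        print(f"{src} -> {dst}: {verdict}")
```

Run stand-alone it prints only the 10.9.8.7 burst, because the ISP's resolver is in the allowlist and its packets match the reply-retry shape. The point of keeping the allowlist tied to the verdict rather than to the address alone is the concern raised in the post: a host excluded outright from scan detection could do anything unnoticed, whereas excluding it only for traffic that looks like stale port-53 replies keeps any other burst from that address visible. Snort 1.x's `portscan-ignorehosts` preprocessor directive does the blunter, address-only form of this exclusion.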