Security Incidents mailing list archives

Re: UDP Scan port 53(dns) -> dst port <1024

From: Robert Graham <me () robertgraham com>
Date: Fri, 22 Feb 2002 17:04:14 -0500 (EST)

external(possibly spoofed)host:53  -UDP->  localsystem:987
external(possibly spoofed)host:53  -UDP->  localsystem:988
external(possibly spoofed)host:53  -UDP->  localsystem:989


These are probably replies to queries from your own machines
who are behind a NAT:

http://www.robertgraham.com/pubs/firewall-seen.html#1.9

This is a PTR response to resolve the IP address of
192.168.200.82. Since this is a private address, it points
to one machine behind your NAT resolving the IP address
of another machine behind your NAT.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

UDP Scan port 53(dns) -> dst port <1024 Clinton Smith (Feb 22)
- <Possible follow-ups>
- Re: UDP Scan port 53(dns) -> dst port <1024 Robert Graham (Feb 24)
  - Re: UDP Scan port 53(dns) -> dst port <1024 Clinton Smith (Feb 25)