Security Incidents mailing list archives

RE: strange traffic on UDP port 53


From: "David Gillett" <gillettdavid () fhda edu>
Date: Fri, 6 Jun 2003 10:35:34 -0700

Replies to DNS queries should be coming FROM port 53, not (necessarily) addressed TO port 53.

David Gillett


-----Original Message-----
From: Mike [mailto:mike () coenholdings ie]
Sent: June 6, 2003 00:40
To: 'Ronald Belchez'; incidents () securityfocus com
Subject: RE: strange traffic on UDP port 53


After deploying a new mail server/internet gateway (behind a firewall) I found a similar problem with packets being stopped by our firewall. After performing an nslookup on the "offending" IP address I found it belonged to our ISP. On querying them about this odd behavior, the explanation given (and other evidence seems to bear this out) was that our mail server was performing DNS lookups for the delivery of mail and on behalf of our internal network, as it was configured as a forwarder because it was behind a firewall. The IP address in question was merely replying to DNS queries which had been forwarded to it by our ISP's primary DNS server, and as the firewall would only allow DNS replies through from certain IP addresses, it was stopping any others. The incrementing of the source ports you are seeing is due to the fact that when the DNS reply is not acknowledged by the target system it tries again on the next available port.

It is usually only a minor inconvenience (although the other day one server filled my firewall log 4 times and I was alerted to possible port scans a number of times during the day). If it bothers you too much, try filtering the logs to remove the offending entries, or you can allow all port 53 traffic in (unless, like me, you suffer from paranoid delusions that everyone on the internet is out to get you).

-----Original Message-----
From: Ronald Belchez [mailto:meukone () yahoo co uk] 
Sent: 04 June 2003 22:14
To: incidents () securityfocus com
Subject: strange traffic on UDP port 53



Hi All,

We don't have a firewall and are just relying on an access-list on our border router. After I applied the new access-list I am continuously receiving the logs shown below. The destination IP is our mail server (not running any DNS service), while the source IP is unsolicited and uses source ports with some sort of incremental pattern; the denied-packet logs have now been continuous for about 4 days. I am not aware of any trojan or worm using the below. I already tried searching Google but cannot find an explanation or something that might help me understand the below....

Please advise.



--logs start here---

denied udp XX7.Y3.71.242(54067) -> XX3.Y1.246.66(53), 1 packet
denied udp XX7.Y3.71.242(54070) -> XX3.Y1.246.66(53), 1 packet
denied udp XX7.Y3.71.242(53967) -> XX3.Y1.246.66(53), 2 packets
denied udp XX7.Y3.71.242(53972) -> XX3.Y1.246.66(53), 2 packets
denied udp XX7.Y3.71.242(53979) -> XX3.Y1.246.66(53), 2 packets
denied udp XX7.Y3.71.242(53989) -> XX3.Y1.246.66(53), 2 packets
denied udp XX7.Y3.71.242(54003) -> XX3.Y1.246.66(53), 2 packets
denied udp XX7.Y3.71.242(53982) -> XX3.Y1.246.66(53), 34 packets
denied udp XX7.Y3.71.242(54009) -> XX3.Y1.246.66(53), 2 packets
denied udp XX7.Y3.71.242(54027) -> XX3.Y1.246.66(53), 2 packets
denied udp XX7.Y3.71.242(54035) -> XX3.Y1.246.66(53), 2 packets
denied udp XX7.Y3.71.242(54042) -> XX3.Y1.246.66(53), 2 packets






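The port rule David Gillett gives (a DNS answer comes FROM port 53; a packet addressed TO port 53 from a high port is a question) can be applied mechanically to the ACL log lines quoted in the thread. The following is an added example, not code from any poster: it parses lines in the format shown above, classifies each entry as a query or a reply on the port rule, and totals the packets that are queries aimed at a host which does not run DNS. The sample log is constructed for the example (it reuses the masked addresses from the post plus one invented reply-shaped line for contrast); the address 192.0.2.10 is an assumed documentation address.

```python
import re
from collections import Counter

# Constructed sample in the format of the ACL log lines quoted in the thread.
# The first three lines reuse the masked addresses from the post; the fourth is
# an invented reply-shaped entry (source port 53, high destination port).
SAMPLE_LOG = """\
denied udp XX7.Y3.71.242(54067) -> XX3.Y1.246.66(53), 1 packet
denied udp XX7.Y3.71.242(54070) -> XX3.Y1.246.66(53), 1 packet
denied udp XX7.Y3.71.242(53967) -> XX3.Y1.246.66(53), 2 packets
denied udp 192.0.2.10(53) -> XX3.Y1.246.66(41532), 1 packet
"""

# "denied <proto> <src>(<sport>) -> <dst>(<dport>), <n> packet(s)"
# Host fields accept any non-space text so masked addresses such as XX7.Y3.71.242 parse.
LINE_RE = re.compile(
    r"^denied\s+(?P<proto>\w+)\s+"
    r"(?P<src>[^\s(]+)\((?P<sport>\d+)\)\s+->\s+"
    r"(?P<dst>[^\s(]+)\((?P<dport>\d+)\),\s+(?P<count>\d+)\s+packets?$"
)


def parse_line(line):
    """Return a dict for one ACL deny line, or None if the line is not in that format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return {
        "proto": g["proto"],
        "src": g["src"], "sport": int(g["sport"]),
        "dst": g["dst"], "dport": int(g["dport"]),
        "count": int(g["count"]),
    }


def classify(entry):
    """Port rule from the reply: answers come FROM 53, questions go TO 53."""
    sport, dport = entry["sport"], entry["dport"]
    if entry["proto"] != "udp":
        return "not-udp"
    if sport == 53 and dport != 53:
        return "reply"      # answer to a query our host sent from ephemeral port dport
    if dport == 53 and sport != 53:
        return "query"      # a remote host is asking our host to resolve a name
    if sport == 53 and dport == 53:
        return "port53-to-port53"   # cannot be told apart on ports alone
    return "other"


def summarize(log_text, local_runs_dns=False):
    """Count entry kinds and total the query packets that hit a host not running DNS."""
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    kinds = Counter(classify(e) for e in entries)
    queries = [e for e in entries if classify(e) == "query"]
    return {
        "kinds": dict(kinds),
        # Queries to a host that offers no DNS service are unsolicited by definition.
        "unsolicited_query_packets": 0 if local_runs_dns else sum(e["count"] for e in queries),
        # Source ports of the queries, in log order, so a creeping pattern is visible.
        "query_source_ports": [e["sport"] for e in queries],
    }


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        entry = parse_line(line)
        print(classify(entry), line)
    print(summarize(SAMPLE_LOG))
```

Run against the lines in the original post, every entry classifies as "query": the remote host is sending questions to port 53 on the mail server, which is the opposite of a forwarder's replies arriving from port 53. Whether those questions are harmless or not, the ACL deny is doing exactly what it should on a host that serves no DNS.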