Security Incidents mailing list archives
RE: strange traffic on UDP port 53
From: Quarantine <Quarantine () GSCCCA ORG>
Date: Mon, 9 Jun 2003 11:55:52 -0400
Win2K/XP machines will by default register themselves with WINS and DNS servers (assuming WINS/DNS is configured in your network settings). To my knowledge, there's no preference. By default, they will try to *resolve* a name through DNS before WINS. To prevent your Win2K/XP machines from trying to register themselves with DNS servers, uncheck "Register this connection's addresses in DNS" in your TCP/IP configuration.

Matt

-----Original Message-----
From: Roger A. Grimes [mailto:rogerg () cox net]
Sent: Friday, June 06, 2003 12:47 PM
To: Mike; 'Ronald Belchez'; incidents () securityfocus com

Mike's right. This is a very common false-positive event when people first set up ACLs or firewalls.

Another common reason why DNS servers might appear to port-scan your network is misconfigured W2K boxes. Since W2K would rather use DNS than NetBIOS to register themselves, if you configure their primary DNS as your ISP's DNS servers, your W2K boxes will try to register themselves with the ISP's server. Most will not take the registration, rightly so, and will send back a NACK message. This message ends up banging against the inbound filter.

Roger

****************************************************************************
*Roger A. Grimes, Computer Security Consultant
*CPA, MCSE (NT/2000), CNE (3/4), A+
*email: rogerg () cox net
*cell: 757-615-3355
*Author of Malicious Mobile Code: Virus Protection for Windows by O'Reilly
*http://www.oreilly.com/catalog/malmobcode
****************************************************************************

----- Original Message -----
From: "Mike" <mike () coenholdings ie>
To: "'Ronald Belchez'" <meukone () yahoo co uk>; <incidents () securityfocus com>
Sent: Friday, June 06, 2003 3:39 AM
Subject: RE: strange traffic on UDP port 53
After deploying a new mail server/internet gateway (behind a firewall) I found a similar problem with packets being stopped by our firewall. After performing an nslookup on the "offending" IP address I found it belonged to our ISP. On querying them about this odd behavior, the explanation given (and other evidence seems to bear this out) was that our mail server was performing DNS lookups for the delivery of mail and on behalf of our internal network, as it was configured as a forwarder because it was behind a firewall. The IP address in question was merely replying to DNS queries which had been forwarded to it by our ISP's primary DNS server, and as the firewall would only allow DNS replies through from certain IP addresses, it was stopping any others.

The incrementing of the source ports you are seeing is due to the fact that when the DNS reply is not acknowledged by the target system it tries again on the next available port.

It is usually only a minor inconvenience (although the other day one server filled my firewall log 4 times and I was alerted to possible port scans a number of times during the day). If it bothers you too much, try filtering the logs to remove the offending entries, or you can allow all port 53 traffic in (unless, like me, you suffer from paranoid delusions that everyone on the internet is out to get you).

-----Original Message-----
From: Ronald Belchez [mailto:meukone () yahoo co uk]
Sent: 04 June 2003 22:14
To: incidents () securityfocus com
Subject: strange traffic on UDP port 53

Hi All,

We don't have a firewall and are just relying on an access-list on our border router. After I applied the new access-list I am continuously receiving the logs shown below. The destination IP is our mail server (not running any DNS service), while the source IP is unsolicited and uses source ports with some sort of incremental pattern; the denied-packet logs have also been continuous now for about 4 days. I am not aware of any trojan or worm using the below.

I already tried searching Google but cannot find the explanation or something that might help me understand the below.... Please advise.

--logs start here---
denied udp XX7.Y3.71.242(54067) -> XX3.Y1.246.66(53), 1 packet
denied udp XX7.Y3.71.242(54070) -> XX3.Y1.246.66(53), 1 packet
denied udp XX7.Y3.71.242(53967) -> XX3.Y1.246.66(53), 2 packets
denied udp XX7.Y3.71.242(53972) -> XX3.Y1.246.66(53), 2 packets
denied udp XX7.Y3.71.242(53979) -> XX3.Y1.246.66(53), 2 packets
denied udp XX7.Y3.71.242(53989) -> XX3.Y1.246.66(53), 2 packets
denied udp XX7.Y3.71.242(54003) -> XX3.Y1.246.66(53), 2 packets
denied udp XX7.Y3.71.242(53982) -> XX3.Y1.246.66(53), 34 packets
denied udp XX7.Y3.71.242(54009) -> XX3.Y1.246.66(53), 2 packets
denied udp XX7.Y3.71.242(54027) -> XX3.Y1.246.66(53), 2 packets
denied udp XX7.Y3.71.242(54035) -> XX3.Y1.246.66(53), 2 packets
denied udp XX7.Y3.71.242(54042) -> XX3.Y1.246.66(53), 2 packets
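As an added example (not code from the thread or from any of the posters), here is a small Python triage script for deny lines in the format Ronald posted. It parses the lines, aggregates them per source/destination pair, and labels each pair by its port pattern, which is the quickest way to tell a genuine port scan (many destination ports) from the single-service traffic seen here (one destination port, many source ports). The twelve lines from the original post are embedded as sample input together with a constructed second source (documentation address 198.51.100.9, not a real host) that touches several destination ports, so the two patterns can be compared. The regex, thresholds and label names are my own assumptions, not anything the router or the list members used.

```python
import re
from collections import defaultdict

# Deny-line format of the border-router ACL log quoted in the thread, e.g.
#   denied udp XX7.Y3.71.242(54067) -> XX3.Y1.246.66(53), 1 packet
# Addresses are matched loosely ([\w.]+) because the poster masked octets.
LINE_RE = re.compile(
    r"denied\s+(?P<proto>\w+)\s+(?P<src>[\w.]+)\((?P<sport>\d+)\)\s*->\s*"
    r"(?P<dst>[\w.]+)\((?P<dport>\d+)\),\s*(?P<pkts>\d+)\s+packets?"
)

# Constructed sample input: the twelve lines from the original post, plus a
# made-up second source (198.51.100.9, documentation range) that probes
# several destination ports so the scan-like pattern can be compared.
SAMPLE_LOG = """\
denied udp XX7.Y3.71.242(54067) -> XX3.Y1.246.66(53), 1 packet
denied udp XX7.Y3.71.242(54070) -> XX3.Y1.246.66(53), 1 packet
denied udp XX7.Y3.71.242(53967) -> XX3.Y1.246.66(53), 2 packets
denied udp XX7.Y3.71.242(53972) -> XX3.Y1.246.66(53), 2 packets
denied udp XX7.Y3.71.242(53979) -> XX3.Y1.246.66(53), 2 packets
denied udp XX7.Y3.71.242(53989) -> XX3.Y1.246.66(53), 2 packets
denied udp XX7.Y3.71.242(54003) -> XX3.Y1.246.66(53), 2 packets
denied udp XX7.Y3.71.242(53982) -> XX3.Y1.246.66(53), 34 packets
denied udp XX7.Y3.71.242(54009) -> XX3.Y1.246.66(53), 2 packets
denied udp XX7.Y3.71.242(54027) -> XX3.Y1.246.66(53), 2 packets
denied udp XX7.Y3.71.242(54035) -> XX3.Y1.246.66(53), 2 packets
denied udp XX7.Y3.71.242(54042) -> XX3.Y1.246.66(53), 2 packets
denied tcp 198.51.100.9(40001) -> XX3.Y1.246.66(21), 1 packet
denied tcp 198.51.100.9(40002) -> XX3.Y1.246.66(22), 1 packet
denied tcp 198.51.100.9(40003) -> XX3.Y1.246.66(23), 1 packet
denied tcp 198.51.100.9(40004) -> XX3.Y1.246.66(25), 1 packet
denied tcp 198.51.100.9(40005) -> XX3.Y1.246.66(80), 1 packet
denied tcp 198.51.100.9(40006) -> XX3.Y1.246.66(443), 1 packet
"""

EPHEMERAL_MIN = 1024   # assumption: ports >= 1024 treated as client-side ephemeral
SCAN_MIN_DPORTS = 5    # assumption: this many distinct destination ports looks like a scan


def parse_denies(text):
    """Parse deny lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append({"proto": m["proto"], "src": m["src"], "sport": int(m["sport"]),
                           "dst": m["dst"], "dport": int(m["dport"]), "pkts": int(m["pkts"])})
    return events


def aggregate(events):
    """Group events by (proto, src, dst) and collect the ports and packet totals seen."""
    flows = defaultdict(lambda: {"sports": set(), "dports": set(), "pkts": 0})
    for e in events:
        f = flows[(e["proto"], e["src"], e["dst"])]
        f["sports"].add(e["sport"])
        f["dports"].add(e["dport"])
        f["pkts"] += e["pkts"]
    return dict(flows)


def classify(proto, flow):
    """Label one aggregated pair by its port pattern (heuristic, labels are my own)."""
    if len(flow["dports"]) >= SCAN_MIN_DPORTS:
        return "scan-like"              # destination port varies: probing services
    if proto == "udp" and flow["dports"] == {53} and min(flow["sports"]) >= EPHEMERAL_MIN:
        return "dns-to-our-53"          # peer ephemeral port -> our port 53
    if proto == "udp" and flow["sports"] == {53} and min(flow["dports"]) >= EPHEMERAL_MIN:
        return "dns-reply-to-us"        # peer port 53 -> our ephemeral port (reply to our query)
    return "other"


def triage(text):
    """Return one summary row per (proto, src, dst) pair found in the log text."""
    rows = []
    for (proto, src, dst), f in aggregate(parse_denies(text)).items():
        rows.append({
            "proto": proto, "src": src, "dst": dst,
            "label": classify(proto, f),
            "pkts": f["pkts"],
            "n_sports": len(f["sports"]),
            "sport_span": max(f["sports"]) - min(f["sports"]),
            "n_dports": len(f["dports"]),
        })
    return rows


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(f'{r["src"]:>16} -> {r["dst"]:<16} {r["proto"]}  {r["label"]:<16} '
              f'pkts={r["pkts"]:<3} src_ports={r["n_sports"]} (span {r["sport_span"]}) '
              f'dst_ports={r["n_dports"]}')
```

Run as a script it prints one row per pair; the distinguishing feature is the destination-port count, since a scan spreads across destination ports while the posted traffic varies only the source port and always lands on 53. The direction of the ports also matters for the stateless-ACL situation the thread describes: a reply to your own outbound query arrives from source port 53 to an ephemeral destination port, so a router access-list that keeps no state will log those replies as denied unless return traffic to ports above 1023 is explicitly permitted.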