Educause Security Discussion mailing list archives

Scanning from source port 53


From: Lois Lehman <LOIS.LEHMAN () ASU EDU>
Date: Thu, 9 Sep 2004 18:19:02 -0700

Has anyone else seen this trick recently for getting through your
routers?  The source port being used for the scanning is port 53, as it
is looked upon as normal traffic.

Is there any legitimate application that would send out SYN packets from
port 53?  Do I need to modify our Snort rules?

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] MISC source port 53 to <1024 [**]
09/09-04:12:06.271376 82.51.0.40:53 -> xxx.xxx.44.120:23
TCP TTL:45 TOS:0x0 ID:666 IpLen:20 DgmLen:40
******S* Seq: 0x29A  Ack: 0x4DB7A656  Win: 0x80  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] MISC source port 53 to <1024 [**]
09/09-04:12:06.282308 82.51.0.40:53 -> xxx.xxx.44.122:23
TCP TTL:46 TOS:0x0 ID:666 IpLen:20 DgmLen:40
******S* Seq: 0x29A  Ack: 0x7080C6E8  Win: 0x80  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] MISC source port 53 to <1024 [**]
09/09-04:12:06.287327 82.51.0.40:53 -> xxx.xxx.44.124:23
TCP TTL:46 TOS:0x0 ID:666 IpLen:20 DgmLen:40
******S* Seq: 0x29A  Ack: 0x8CE8278A  Win: 0x80  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] MISC source port 53 to <1024 [**]
09/09-04:12:06.729872 82.51.0.40:53 -> xxx.xxx.68.113:23
TCP TTL:46 TOS:0x0 ID:666 IpLen:20 DgmLen:40
******S* Seq: 0x29A  Ack: 0x6DC47766  Win: 0x80  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Lois Lehman
College Network Security Manager
Physical Sciences Computer Support Manager
College of Liberal Arts & Sciences
Arizona State University
480-965-3139

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
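
A triage sketch for alerts like the ones in the post above, added here as an example and not part of the original message: it groups bare-SYN alerts with source port 53 by sender and reports whether the IP ID and sequence number stay constant across targets, as they do in the posted alerts (ID:666, Seq: 0x29A). The function name, the `min_targets` threshold and the sample addresses (documentation ranges) are assumptions.

```python
import re
from collections import defaultdict

# Constructed alerts in the format shown above; addresses are documentation ranges.
SAMPLE = """\
[**] MISC source port 53 to <1024 [**]
09/09-04:12:06.271376 192.0.2.40:53 -> 198.51.100.120:23
TCP TTL:45 TOS:0x0 ID:666 IpLen:20 DgmLen:40
******S* Seq: 0x29A  Ack: 0x4DB7A656  Win: 0x80  TcpLen: 20
[**] MISC source port 53 to <1024 [**]
09/09-04:12:06.282308 192.0.2.40:53 -> 198.51.100.122:23
TCP TTL:46 TOS:0x0 ID:666 IpLen:20 DgmLen:40
******S* Seq: 0x29A  Ack: 0x7080C6E8  Win: 0x80  TcpLen: 20
[**] MISC source port 53 to <1024 [**]
09/09-04:12:06.287327 192.0.2.40:53 -> 198.51.100.124:23
TCP TTL:46 TOS:0x0 ID:666 IpLen:20 DgmLen:40
******S* Seq: 0x29A  Ack: 0x8CE8278A  Win: 0x80  TcpLen: 20
[**] MISC source port 53 to <1024 [**]
09/09-04:12:07.100000 203.0.113.5:53 -> 198.51.100.10:1000
TCP TTL:57 TOS:0x0 ID:41822 IpLen:20 DgmLen:44
***A**S* Seq: 0x5C1F22A0  Ack: 0x19D3E001  Win: 0x16D0  TcpLen: 24
"""

ALERT_RE = re.compile(
    r"^\S+ (?P<src>[\w.]+):(?P<sport>\d+) -> (?P<dst>[\w.]+):(?P<dport>\d+)[ \t]*\n"
    r"TCP TTL:\d+ TOS:\S+ ID:(?P<ipid>\d+)[^\n]*\n"
    r"(?P<flags>\S{8}) Seq: (?P<seq>0x[0-9A-Fa-f]+)", re.M)

def crafted_syn_scans(text, min_targets=3):
    """Group bare-SYN alerts with source port 53 by sender and fingerprint each sender."""
    by_src = defaultdict(list)
    for m in ALERT_RE.finditer(text):
        # A DNS server answering over TCP sends SYN+ACK from port 53, not a bare SYN.
        if m["sport"] == "53" and m["flags"] == "******S*":
            by_src[m["src"]].append(m)
    report = {}
    for src, hits in by_src.items():
        targets = {h["dst"] for h in hits}
        if len(targets) >= min_targets:
            report[src] = {
                "targets": len(targets),
                "dports": sorted({int(h["dport"]) for h in hits}),
                # One IP ID and one sequence number on every packet suggests crafted packets.
                "fixed_ip_id": len({h["ipid"] for h in hits}) == 1,
                "fixed_seq": len({h["seq"] for h in hits}) == 1,
            }
    return report
if __name__ == "__main__":
    print(crafted_syn_scans(SAMPLE))
```

The SYN+ACK alert from 203.0.113.5 in the sample is a control: it has source port 53 but is a reply segment, so it is not counted.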
