Security Incidents mailing list archives

Unusual TCP port 53 scan

From: Keith Owens <kaos () ocs com au>
Date: Mon, 04 Jun 2001 22:46:12 +1000

Just got hit by a scan for TCP port 53.  It is unusual in that each SYN
packet has an associated RST packet with almost identical timestamp.
Any idea which vulnerability they are trying to use?  It smells like an
attack on some NAT box.  Logs are GMT.

2001/06/04-12:03:42.677548 216.207.243.167.2417 > 203.34.97.5.53: S 737509983:737509983(0) win 32120 <mss 
1460,sackOK,timestamp 67939961 0,nop,wscale 0> (DF)
2001/06/04-12:03:42.687548 216.207.243.167.2417 > 203.34.97.5.53: R 0:0(0) win 0
2001/06/04-12:03:43.527483 216.207.243.167.2420 > 203.34.97.8.53: S 734717774:734717774(0) win 32120 <mss 
1460,sackOK,timestamp 67940061 0,nop,wscale 0> (DF)
2001/06/04-12:03:43.537478 216.207.243.167.2420 > 203.34.97.8.53: R 0:0(0) win 0
2001/06/04-12:03:43.547473 216.207.243.167.2421 > 203.34.97.9.53: S 736268655:736268655(0) win 32120 <mss 
1460,sackOK,timestamp 67940061 0,nop,wscale 0> (DF)
2001/06/04-12:03:43.547473 216.207.243.167.2421 > 203.34.97.9.53: R 0:0(0) win 0
2001/06/04-12:03:43.557468 216.207.243.167.2422 > 203.34.97.10.53: S 737261904:737261904(0) win 32120 <mss 
1460,sackOK,timestamp 67940061 0,nop,wscale 0> (DF)
2001/06/04-12:03:43.567463 216.207.243.167.2422 > 203.34.97.10.53: R 0:0(0) win 0
2001/06/04-12:03:43.577458 216.207.243.167.2423 > 203.34.97.11.53: S 739120319:739120319(0) win 32120 <mss 
1460,sackOK,timestamp 67940061 0,nop,wscale 0> (DF)
2001/06/04-12:03:43.577458 216.207.243.167.2423 > 203.34.97.11.53: R 0:0(0) win 0

etc.

Current thread:

Unusual TCP port 53 scan Keith Owens (Jun 04)
- RE: Unusual TCP port 53 scan Golden_Eternity (Jun 04)