Security Incidents mailing list archives
RE: port scan from 53
From: "Mike Batchelor" <mikebat () tmcs net>
Date: Wed, 16 May 2001 15:50:42 -0700
JK,
Does anyone have any idea what would cause a scan to originate from port 53 on an IRIX based server and destined for users on incrementing ports starting in the 1000 range and continuing, in cases, to 4000 range.
the attacker might be expecting that your ACL / packetfilter accepts/passes all packets originating from 53 UDP (DNS-lookups). This is often the case on insecure packet-filter installations.
It could also be the result of improper filters on JK's gateway. If he is permitting outgoing packets to 53/UDP for DNS, but forgot to allow the incoming replies from 53/UDP to pass back to his clients, then he would see alerts just like the ones he posted. When the client's resolver library fails to see a reply and retransmits the query, the client port number increments (on most platforms).
2000/09/14,09:21:48 -5:00 GMT, Server.IP.Address:53,Client.IP.Address:1038,UDP
With kind regards,
Maarten Van Horenbeeck
OS2 & Unix System Administrator
http://www.daemon.be
maarten () daemon be
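The filter misconfiguration described in this message can be told apart from unsolicited traffic that merely uses source port 53 by matching each alert to an earlier outbound query. The Python sketch below is an added example, not part of the original message; it assumes the gateway also logs permitted outbound packets in the same format as the alert line quoted above, and every address and log line in it is constructed.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=30)  # assumed: covers typical resolver retries

def parse(line):
    """Parse 'YYYY/MM/DD,HH:MM:SS <tz>, src:port,dst:port,PROTO'."""
    date, rest = line.split(",", 1)
    clock, rest = rest.strip().split(" ", 1)
    # The timezone text is ignored: both logs come from the same gateway.
    src, dst, proto = [f.strip() for f in rest.split(",")[-3:]]
    when = datetime.strptime(f"{date} {clock}", "%Y/%m/%d %H:%M:%S")
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return when, sip, int(sport), dip, int(dport), proto.upper()

def classify(outbound_lines, alert_lines):
    """Label each alert 'blocked-reply' or 'unsolicited'."""
    queries = {}  # (client, client_port, server) -> times a query was sent
    for line in outbound_lines:
        when, sip, sport, dip, dport, proto = parse(line)
        if proto == "UDP" and dport == 53:
            queries.setdefault((sip, sport, dip), []).append(when)
    results = []
    for line in alert_lines:
        when, sip, sport, dip, dport, proto = parse(line)
        sent = queries.get((dip, dport, sip), [])
        # A reply must come from the queried server to the querying port,
        # shortly after the query left the gateway.
        matched = proto == "UDP" and sport == 53 and any(
            timedelta(0) <= when - q <= WINDOW for q in sent)
        results.append((dip, dport, "blocked-reply" if matched else "unsolicited"))
    return results

# Constructed sample data (documentation address ranges, not from the thread).
OUTBOUND = [
    "2000/09/14,09:21:47 -5:00 GMT, 198.51.100.7:1038,192.0.2.53:53,UDP",
    "2000/09/14,09:21:52 -5:00 GMT, 198.51.100.7:1039,192.0.2.53:53,UDP",
    "2000/09/14,09:22:02 -5:00 GMT, 198.51.100.7:1040,192.0.2.53:53,UDP",
]
ALERTS = [
    "2000/09/14,09:21:48 -5:00 GMT, 192.0.2.53:53,198.51.100.7:1038,UDP",
    "2000/09/14,09:21:53 -5:00 GMT, 192.0.2.53:53,198.51.100.7:1039,UDP",
    "2000/09/14,09:22:03 -5:00 GMT, 192.0.2.53:53,198.51.100.7:1040,UDP",
    "2000/09/14,09:25:00 -5:00 GMT, 203.0.113.9:53,198.51.100.7:2049,UDP",
]

if __name__ == "__main__":
    for row in classify(OUTBOUND, ALERTS):
        print(row)
```

Alerts labelled blocked-reply point to a missing inbound rule for DNS responses; alerts labelled unsolicited have no matching query and deserve a closer look.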