Security Incidents mailing list archives

UDP Scan port 53(dns) -> dst port <1024


From: Clinton Smith <security () esales iinet net au>
Date: Thu, 21 Feb 2002 15:03:44 +0800

Over the last few days we have seen some atypical traffic.

Does anyone know of a tool that will generate
packets like these (xprobe does not seem to fit the bill):

external(possibly spoofed)host:53  -UDP->  localsystem:987
external(possibly spoofed)host:53  -UDP->  localsystem:988
external(possibly spoofed)host:53  -UDP->  localsystem:989

0E 8E 84 03 00 01 00 00 00 01 00 00 02 38 32 03   .............82.
32 30 30 03 31 36 38 03 31 39 32 07 69 6E 2D 61   200.168.192.in-a
64 64 72 04 61 72 70 61 00 00 0C 00 01 C0 13 00   ddr.arpa........
06 00 01 00 01 51 80 00 36 09 62 6C 61 63 6B 68   .....Q..6.blackh
6F 6C 65 04 69 61 6E 61 03 6F 72 67 00 05 63 72   ole.iana.org..cr
61 69 6E 05 69 63 61 6E 6E C0 48 01 30 BD AE 00   ain.icann.H.0...
00 2A 30 00 00 03 84 00 09 3A 80 00 01 51 80      .*0......:...Q.

It is detected by snort etc. as: "MISC source port 53 to <1024".

The content looks like a DNS packet, but my understanding of RFC 1035 (DNS)
is that the target port should be either 53 or >1024.

Is this what it appears to be (i.e. a slow-moving UDP port scan), masquerading
as DNS traffic?

Kind regards,
Clinton

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
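An added example (not part of the original post or of any tool it mentions): a small Python decoder for the hex dump above. It walks the RFC 1035 header, question and resource records, following name compression and expanding SOA RDATA, so the packet can be checked for being a well-formed DNS response rather than judged by its port numbers alone; PACKET is the post's dump re-typed as a constant.

```python
import struct

HEX_DUMP = """
0E 8E 84 03 00 01 00 00 00 01 00 00 02 38 32 03
32 30 30 03 31 36 38 03 31 39 32 07 69 6E 2D 61
64 64 72 04 61 72 70 61 00 00 0C 00 01 C0 13 00
06 00 01 00 01 51 80 00 36 09 62 6C 61 63 6B 68
6F 6C 65 04 69 61 6E 61 03 6F 72 67 00 05 63 72
61 69 6E 05 69 63 61 6E 6E C0 48 01 30 BD AE 00
00 2A 30 00 00 03 84 00 09 3A 80 00 01 51 80
"""
PACKET = bytes.fromhex(HEX_DUMP)  # the post's dump re-typed: 111 bytes

def read_name(pkt, off):
    # RFC 1035 name with compression; returns (dotted name, offset past it in the stream)
    labels, end = [], None
    while True:
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:                    # two-byte pointer into the packet
            end = off + 2 if end is None else end
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(pkt[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if end is not None else off)

def parse_dns(pkt):
    # Header flags, question(s) and every RR; SOA RDATA is expanded into its fields
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", pkt[:12])
    msg = {"id": ident, "qr": flags >> 15, "opcode": (flags >> 11) & 0xF, "aa": (flags >> 10) & 1,
           "rcode": flags & 0xF, "counts": (qd, an, ns, ar), "questions": [], "records": []}
    off = 12
    for _ in range(qd):
        name, off = read_name(pkt, off)
        qtype, qclass = struct.unpack("!HH", pkt[off:off + 4]); off += 4
        msg["questions"].append((name, qtype, qclass))
    for _ in range(an + ns + ar):                # answer, authority, additional sections
        name, off = read_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10]); off += 10
        rdata = pkt[off:off + rdlen]
        if rtype == 6:                           # SOA: MNAME, RNAME, then five uint32 fields
            mname, p = read_name(pkt, off)
            rname, p = read_name(pkt, p)
            rdata = (mname, rname) + struct.unpack("!5I", pkt[p:p + 20])
        off += rdlen
        msg["records"].append((name, rtype, ttl, rdata))
    return msg
```

On this dump the decoder reports QR=1, AA=1, RCODE=3 (NXDOMAIN), one PTR question for 82.200.168.192.in-addr.arpa and an SOA for 168.192.in-addr.arpa in the authority section, i.e. a well-formed authoritative negative response.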
