Security Incidents mailing list archives
Re: strange traffic on UDP port 53
From: Valdis.Kletnieks () vt edu
Date: Thu, 05 Jun 2003 15:35:37 -0400
On Wed, 04 Jun 2003 21:13:47 -0000, Ronald Belchez <meukone () yahoo co uk> said:
--logs starts here---
denied udp XX7.Y3.71.242(54067) -> XX3.Y1.246.66(53), 1 packet
denied udp XX7.Y3.71.242(54070) -> XX3.Y1.246.66(53), 1 packet

Somebody's got a b0rked network load balancer? Some of these will do ICMP PING or DNS queries from multiple servers to figure out which one is "closest". But in that case, you'll usually see a flurry of 2-5 packets from different places at the same time...

Or maybe you got a user that typed your *mail* server into his laptop's config, right where it says "DNS Server address"... and they're on the road and b0rked.

I've seen both of those scenarios before. In fact, unless there's clear and obvious signs (like a malware payload), I no longer even *think* about a "merely odd" logfile trace in terms of "trojan/worm" until I've ruled out simple user stupidity....
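
The two benign explanations in the reply above leave different footprints in a firewall log: several sources hitting port 53 at the same moment versus one source repeating. The following is an added example, not part of the original message, that sorts denied-UDP/53 lines into those two patterns. The leading timestamp, the 2-second window, the verdict labels and the sample addresses are assumptions; the log excerpt in the thread carries no timestamps.

```python
import re
from collections import defaultdict

# Assumed format: the thread's "denied udp SRC(port) -> DST(53), N packet"
# with a HH:MM:SS timestamp in front (the timestamp is an assumption).
LINE_RE = re.compile(
    r"(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d) denied udp "
    r"(?P<src>[\d.]+)\(\d+\) -> (?P<dst>[\d.]+)\(53\), \d+ packet"
)
WINDOW = 2  # seconds treated as "the same time" (assumed threshold)

# Constructed sample using documentation address ranges.
SAMPLE = """\
10:00:01 denied udp 192.0.2.10(54067) -> 198.51.100.5(53), 1 packet
10:00:31 denied udp 192.0.2.10(54070) -> 198.51.100.5(53), 1 packet
10:01:01 denied udp 192.0.2.10(54073) -> 198.51.100.5(53), 1 packet
11:15:00 denied udp 203.0.113.7(1025) -> 198.51.100.9(53), 1 packet
11:15:00 denied udp 203.0.113.80(1030) -> 198.51.100.9(53), 1 packet
11:15:01 denied udp 192.0.2.200(4001) -> 198.51.100.9(53), 1 packet
"""

def parse(log_text):
    """Return sorted (seconds_since_midnight, src, dst) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            t = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
            events.append((t, m["src"], m["dst"]))
    return sorted(events)

def classify(events):
    """Label each destination by the pattern of sources that hit it."""
    by_dst = defaultdict(list)
    for t, src, dst in events:
        by_dst[dst].append((t, src))
    verdicts = {}
    for dst, hits in by_dst.items():
        # Most distinct sources seen inside any one WINDOW-second span.
        peak = max(len({s for t2, s in hits if 0 <= t2 - t <= WINDOW})
                   for t, _ in hits)
        if peak >= 2:
            verdicts[dst] = "multi-source flurry"      # load-balancer-style probing
        elif len(hits) >= 2 and len({s for _, s in hits}) == 1:
            verdicts[dst] = "single source repeating"  # e.g. client using host as DNS
        else:
            verdicts[dst] = "inconclusive"
    return verdicts

if __name__ == "__main__":
    for dst, verdict in classify(parse(SAMPLE)).items():
        print(dst, "->", verdict)
```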