Security Incidents mailing list archives

Re: strange traffic on UDP port 53


From: Valdis.Kletnieks () vt edu
Date: Fri, 06 Jun 2003 21:04:03 -0400

On Fri, 06 Jun 2003 08:39:52 BST, Mike <mike () coenholdings ie> said:

belonged to our ISP. On querying them about this odd behavior the
explanation given (and other evidence seems to bear this out) was that
our mail server was performing DNS lookups for the delivery of mail and
on behalf of our internal network as it was configured as a forwarder
because it was behind a firewall. The IP address in question was merely
replying to DNS queries which had been forwarded to it by our ISPs'

The scenario there would have your site sending packets with an ephemeral
port number to the DNS server's port 53, and the return packets stopped
at the firewall would have a *source* port 53 and an ephemeral destination.

In the OP's case, the *destination* port was 53, which indicates that somebody
thinks that the mail server target is also providing DNS service.
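
The port-direction test described in this message, as an added example that is not part of the original post: it sorts dropped UDP packets in a firewall log into DNS replies (source port 53) and inbound DNS queries (destination port 53). The log lines are constructed in iptables LOG style with documentation-range addresses, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed firewall drop-log lines (iptables LOG style fields); the
# addresses are documentation ranges, not data from the thread.
SAMPLE_LOG = """\
Jun  6 08:01:12 fw kernel: DROP IN=eth0 SRC=198.51.100.53 DST=192.0.2.25 PROTO=UDP SPT=53 DPT=32771 LEN=120
Jun  6 08:01:15 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.25 PROTO=UDP SPT=4123 DPT=53 LEN=61
Jun  6 08:01:19 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.25 PROTO=UDP SPT=4124 DPT=53 LEN=61
Jun  6 08:01:30 fw kernel: DROP IN=eth0 SRC=198.51.100.53 DST=192.0.2.25 PROTO=UDP SPT=53 DPT=53 LEN=80
Jun  6 08:01:41 fw kernel: DROP IN=eth0 SRC=203.0.113.77 DST=192.0.2.25 PROTO=TCP SPT=2200 DPT=25 LEN=60
"""

FIELD = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")
DNS_PORT = 53

def classify(line):
    """Return (src, verdict) for a UDP packet touching port 53, else None."""
    f = dict(FIELD.findall(line))
    if f.get("PROTO") != "UDP" or "SPT" not in f or "DPT" not in f:
        return None
    spt, dpt = int(f["SPT"]), int(f["DPT"])
    if spt == DNS_PORT and dpt == DNS_PORT:
        # Ports alone cannot separate query from reply here; this pattern
        # appears when a name server sends its own queries from port 53.
        verdict = "ambiguous"
    elif spt == DNS_PORT:
        # Source port 53, other destination port: an answer coming back
        # to a lookup that the inside host sent out.
        verdict = "reply"
    elif dpt == DNS_PORT:
        # Destination port 53: the sender is treating the inside host
        # as a DNS server.
        verdict = "query"
    else:
        return None
    return f.get("SRC"), verdict

def summarize(log_text):
    """Count packets per (source address, verdict) pair."""
    counts = Counter()
    for line in log_text.splitlines():
        result = classify(line)
        if result:
            counts[result] += 1
    return counts

if __name__ == "__main__":
    for (src, verdict), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{src:15} {verdict:9} {n}")
```

Sources that land in the `query` bucket are the ones worth following up; `reply` traffic from the ISP's resolver matches the forwarder explanation quoted above.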
