Security Incidents mailing list archives
Re: strange traffic on UDP port 53
From: Valdis.Kletnieks () vt edu
Date: Fri, 06 Jun 2003 21:04:03 -0400
On Fri, 06 Jun 2003 08:39:52 BST, Mike <mike () coenholdings ie> said:
belonged to our ISP. On querying them about this odd behavior the explanation given (and other evidence seems to bear this out) was that our mail server was performing DNS lookups for the delivery of mail and on behalf of our internal network as it was configured as a forwarder because it was behind a firewall. The IP address in question was merely replying to DNS queries which had been forwarded to it by our ISPs'
The scenario there would have your site sending packets with an ephemeral port number to the DNS server's port 53, and the return packets stopped at the firewall would have a *source* port 53 and an ephemeral destination. In the OP's case, the *destination* port was 53, which indicates that somebody thinks that the mail server target is also providing DNS service.
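The port-direction reasoning in the reply above, as an added example that is not part of the original post: a Python sketch that labels denied inbound UDP packets by their port pair and by whether a matching outbound query was seen. The log format, the addresses (documentation ranges) and the 30-second window are assumptions made for the illustration.

```python
# Constructed sample records (not from the thread):
# time action src_ip src_port dst_ip dst_port, UDP only.
# 192.0.2.10 stands in for the mail server, 198.51.100.53 for the ISP resolver.
SAMPLE_LOG = """\
100.0 ALLOW 192.0.2.10 34567 198.51.100.53 53
100.2 DENY 198.51.100.53 53 192.0.2.10 34567
101.0 DENY 203.0.113.7 41000 192.0.2.10 53
102.0 DENY 203.0.113.9 53 192.0.2.10 40001
103.0 DENY 203.0.113.8 53 192.0.2.10 53
"""

DNS_PORT = 53
REPLY_WINDOW = 30.0  # seconds an outbound query counts as outstanding (assumed)


def classify(log_text, local_ip):
    """Label each denied inbound packet by what its port pair implies."""
    pending = {}  # (remote_ip, local_port) -> time our query was sent
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, action, src, sport, dst, dport = line.split()
        ts, sport, dport = float(ts), int(sport), int(dport)
        if src == local_ip and dport == DNS_PORT:
            # Our own lookup: ephemeral source port -> remote port 53.
            pending[(dst, sport)] = ts
            continue
        if dst != local_ip or action != "DENY":
            continue
        if sport == DNS_PORT and dport == DNS_PORT:
            # Ports alone do not give a direction here.
            label = "both-ports-53"
        elif dport == DNS_PORT:
            # Sender is treating local_ip as a DNS server.
            label = "inbound-query"
        elif sport == DNS_PORT:
            asked = pending.get((src, dport))
            matched = asked is not None and 0 <= ts - asked <= REPLY_WINDOW
            label = "reply-to-our-query" if matched else "unsolicited-reply"
        else:
            label = "not-dns"
        results.append((src, sport, dport, label))
    return results


if __name__ == "__main__":
    for row in classify(SAMPLE_LOG, "192.0.2.10"):
        print(row)
```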