From: Mike Batchelor (mikebattmcs.net)
Date: Wed May 16 2001 - 17:50:42 CDT

    > JK,
    >
    > > Does anyone have any idea what would cause a scan to originate from port 53
    > > on an IRIX based server and destined for users on incrementing ports
    > > starting in the 1000 range and continuing, in cases, to 4000 range.
    >
    > the attacker might be expecting that your ACL / packetfilter accepts/passes
    > all packets originating from 53 UDP (DNS-lookups). This is often the case
    > on insecure packet-filter installations.

    It could also be the result of improper filters on JK's gateway. If he is
    permitting outgoing packets to 53/UDP for DNS, but forgot to allow the
    incoming replies from 53/UDP to pass back to his clients, then he would see
    alerts just like the ones he posted. When the client's resolver library
    fails to see a reply and retransmits the query, the client port number
    increments (on most platforms).

    >
    > > 2000/09/14,09:21:48 -5:00 GMT,Server.IP.Address:53,Client.IP.Address:1038,UDP
    >
    > With kind regards,
    >
    > Maarten Van Horenbeeck
    > OS2 & Unix System Administrator
    > http://www.daemon.be
    > maartendaemon.be
    >
    >
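
One way to tell the two explanations in this thread apart, added here as an example that is not part of the original messages: match each packet arriving from 53/UDP against an earlier outbound query from the same client port to the same server. It assumes the gateway also logs outbound queries in the alert format quoted above (taken as one comma-separated record), that lines are in time order, and that a 30-second reply window is acceptable; the addresses and the `classify` and `parse` names are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample in the alert format quoted in the thread:
# date,time zone,src:port,dst:port,proto. Addresses are documentation ranges.
SAMPLE = """\
2000/09/14,09:21:43 -5:00 GMT,192.0.2.10:1038,198.51.100.53:53,UDP
2000/09/14,09:21:48 -5:00 GMT,198.51.100.53:53,192.0.2.10:1038,UDP
2000/09/14,09:21:48 -5:00 GMT,192.0.2.10:1039,198.51.100.53:53,UDP
2000/09/14,09:21:53 -5:00 GMT,198.51.100.53:53,192.0.2.10:1039,UDP
2000/09/14,09:30:00 -5:00 GMT,203.0.113.7:53,192.0.2.10:1040,UDP
2000/09/14,09:30:00 -5:00 GMT,203.0.113.7:53,192.0.2.10:1041,UDP
"""

def parse(line):
    date, clock, src, dst, proto = line.strip().split(",")
    # Assumption: every line carries the same zone suffix, so it is dropped.
    ts = datetime.strptime(f"{date} {clock.split()[0]}", "%Y/%m/%d %H:%M:%S")
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return ts, sip, int(sport), dip, int(dport), proto

def classify(log_text, window=timedelta(seconds=30)):
    """Label each packet sourced from 53/UDP as 'reply' or 'unsolicited'."""
    queries = {}   # (client, client port, server) -> time of latest query
    verdicts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, sip, sport, dip, dport, proto = parse(line)
        if proto != "UDP":
            continue
        if dport == 53:
            # Outbound query: remember which socket asked which server.
            queries[(sip, sport, dip)] = ts
        elif sport == 53:
            # Inbound from port 53: a reply only if that socket asked first.
            asked = queries.get((dip, dport, sip))
            ok = asked is not None and timedelta(0) <= ts - asked <= window
            verdicts.append((sip, dip, dport, "reply" if ok else "unsolicited"))
    return verdicts

if __name__ == "__main__":
    for verdict in classify(SAMPLE):
        print(verdict)
```

Packets labelled `reply` point to the missing return rule described in the reply above; packets labelled `unsolicited` fit the source-port-53 probing described in the quoted message.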