Re: strange traffic on UDP port 53
Valdis.Kletnieks vt.edu
Date: Thu Jun 05 2003 - 14:35:37 CDT
On Wed, 04 Jun 2003 21:13:47 -0000, Ronald Belchez <meukone yahoo.co.uk> said:
> --logs starts here---
> denied udp XX7.Y3.71.242(54067) -> XX3.Y1.246.66(53), 1 packet
> denied udp XX7.Y3.71.242(54070) -> XX3.Y1.246.66(53), 1 packet

Somebody's got a b0rked network load balancer? Some of these will do
ICMP PING or DNS queries from multiple servers to figure out which one
is "closest". But in that case, you'll usually see a flurry of 2-5
packets from different places at the same time...

Or maybe you got a user that typed your *mail* server into his laptop's
config, right where it says "DNS Server address"... and they're on the
road and b0rked.

I've seen both of those scenarios before. In fact, unless there's clear and
obvious signs (like a malware payload), I no longer even *think* about a
"merely odd" logfile trace in terms of "trojan/worm" until I've ruled out
simple user stupidity....
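
A triage sketch for the two benign explanations in the reply above, added here as an example and not part of the original message: it parses the quoted `denied udp` line shape and labels each destination by whether the hits come from one source or from several sources close together in time. The leading epoch-seconds field, the 2-second window, the verdict labels and the `CONSTRUCTED` sample lines are assumptions; the posted log excerpt has no timestamps.

```python
import re
from collections import defaultdict

# Line shape quoted in the thread; the leading epoch-seconds field is an
# assumption (the posted excerpt carries no timestamps).
LINE = re.compile(r"^(?:(\d+)\s+)?denied udp (\S+)\((\d+)\) -> (\S+)\((\d+)\)")

def parse(lines):
    """Yield (ts, src, sport, dst, dport); ts is None when the line has no timestamp."""
    for raw in lines:
        m = LINE.match(raw.lstrip("> ").strip())
        if m:
            ts, src, sport, dst, dport = m.groups()
            yield (int(ts) if ts else None, src, int(sport), dst, int(dport))

def triage(lines, window=2):
    """Label each destination by which benign explanation from the reply fits."""
    by_dst = defaultdict(list)
    for ts, src, _sport, dst, dport in parse(lines):
        by_dst[(dst, dport)].append((ts, src))
    verdicts = {}
    for dst, hits in by_dst.items():
        if len({src for _, src in hits}) == 1:
            # One host, however many source ports: a single misdirected resolver.
            verdicts[dst] = "single-client"
            continue
        timed = [(ts, src) for ts, src in hits if ts is not None]
        # Several distinct sources inside one short window: proximity probing.
        burst = any(len({s for t, s in timed if 0 <= t - t0 <= window}) >= 2
                    for t0, _ in timed)
        verdicts[dst] = "multi-source-burst" if burst else "unexplained"
    return verdicts

# The two lines quoted in the thread, exactly as posted.
THREAD_LINES = [
    "> denied udp XX7.Y3.71.242(54067) -> XX3.Y1.246.66(53), 1 packet",
    "> denied udp XX7.Y3.71.242(54070) -> XX3.Y1.246.66(53), 1 packet",
]
# Constructed sample (documentation address ranges, invented timestamps).
CONSTRUCTED = [
    "1000 denied udp 192.0.2.10(40001) -> 198.51.100.5(53), 1 packet",
    "1000 denied udp 203.0.113.7(40002) -> 198.51.100.5(53), 1 packet",
    "1001 denied udp 192.0.2.99(40003) -> 198.51.100.5(53), 1 packet",
    "1000 denied udp 192.0.2.10(40004) -> 198.51.100.6(53), 1 packet",
    "9000 denied udp 203.0.113.7(40005) -> 198.51.100.6(53), 1 packet",
]

if __name__ == "__main__":
    for dst, verdict in {**triage(THREAD_LINES), **triage(CONSTRUCTED)}.items():
        print(dst, verdict)
```

A destination labelled `unexplained` matches neither pattern and is the one that still needs a closer look.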