Re: Interesting DNS Traffic
The Unicorn (unicorn blackhats.org)
Mon, 31 May 1999 14:59:18 +0200
On Fri, May 28, 1999 at 09:49:29PM -0500, Andrew Fessler wrote:
> I have seen some unusual things on my Cisco.
>
> I have some access-lists set up.
>
> I permit SMTP, WWW, POP, IMAP, ECHO, ICMP and a few other ports as
> well as 1024-65535 for inbound.
>
> That theoretically should cover any inbound traffic.
>
> However, I see DNS requests and WWW requests come in where the source
> port on the packet originates in the 800 range rather than the
> standard 1024-65535 range. Therefore the reply back is denied.
>
> Example.
>
> xxx.xxx.xxx.xxx (879) --> 204.253.83.10 (53)
>
> meaning a packet came in from the internet going to my DNS, however
> the source port of the packet was 879.
>
> I can't find any reason why they are having abnormal source ports,
> should I worry about this? Should I open the 800 range ports? Seems
> like opening my network more than I want to.
Could it be that the site asking for DNS info is using (heavily used)
Windows boxen? I have seen similar requests (originating from a low
order port) coming from Windows systems... Seems to be an implementation
"feature" from Micr$oft.
> TIA
> Andrew Fessler
> Allegro
>
---end quoted text---
Ciao,
Unicorn.
--
======= _ __,;;;/ TimeWaster ================================================
,;( )_, )~\| A Truly Wise Man Never Plays PGP: 64 07 5D 4C 3F 81 22 73
;; // `--; Leapfrog With A Unicorn... 52 9D 87 08 51 AA 35 F0
==='= ;\ = | ==== Youth is Not a Time in Life, It is a State of Mind! =======
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:18:59 CDT