Re: Interesting DNS Traffic
David Gillett (davidg@genmagic.com)
Thu, 3 Jun 1999 11:49:40 -0700
On 1 Jun 99, at 13:09, Ryan Russell wrote:
>
> >However, I see DNS requests and WWW requests come in where the source
> >port on the packet originates in the 800 range rather than the
> >standard 1024-65535 range. Therefore the reply back is denied.
> >
> >Example.
> >
> >xxx.xxx.xxx.xxx (879) --> 204.253.83.10 (53)
> >
> >meaning a packet came in from the internet going to my DNS, however
> >the source port of the packet was 879.
>
> This means someone has an internal DNS server behind a Firewall-1
> that is doing hide NAT, and you've borken his ability to do DNS lookups
> to your site.
>
> My opinion is that trying to derive any kind of security posture from
> source ports of machines you don't control is pointless.

While we don't (yet) block on it, I log a security alert if the source port
is 0 or 65535. In a couple of instances, it has been obvious that the latter
was showing up on "attack" packets, where the sender was clearly not waiting
for a reply and three-way handshake process.

Unfortunately, this value also occasionally shows up in legitimate traffic.

David G
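
Added example, not part of the original message or thread: a log-review sketch of the alert-only rule described above, flagging source port 0 or 65535 while leaving low source ports such as 879 unflagged. The line format follows the `src (port) --> dst (port)` notation quoted in the thread; the function names and the sample lines (documentation address ranges) are constructed for illustration.

```python
import re
from collections import Counter

# Matches the "src (sport) --> dst (dport)" notation used in the thread.
LINE_RE = re.compile(
    r"^\s*(?P<src>\S+)\s+\((?P<sport>\d+)\)\s+-->\s+"
    r"(?P<dst>\S+)\s+\((?P<dport>\d+)\)\s*$"
)

# Source ports that raise an alert, taken from the message above.
ALERT_SOURCE_PORTS = {0, 65535}


def classify(line):
    """Return (verdict, reason) for one log line; this only alerts, never blocks."""
    m = LINE_RE.match(line)
    if not m:
        return ("unparsed", "line does not match expected format")
    sport, dport = int(m["sport"]), int(m["dport"])
    if sport > 65535 or dport > 65535:
        return ("unparsed", "port outside the 16-bit range")
    if sport in ALERT_SOURCE_PORTS:
        return ("alert", f"source port {sport}")
    # Source ports below 1024 (for example 879 behind a NAT device) are
    # deliberately not flagged: they occur in legitimate traffic.
    return ("ok", "")


def summarize(lines):
    """Count alerts per source address so an analyst can review repeat senders."""
    hits = Counter()
    for line in lines:
        if classify(line)[0] == "alert":
            hits[LINE_RE.match(line)["src"]] += 1
    return dict(hits)


# Constructed sample lines, not real traffic.
SAMPLE = [
    "192.0.2.10 (879) --> 198.51.100.53 (53)",
    "192.0.2.77 (65535) --> 198.51.100.53 (53)",
    "192.0.2.77 (65535) --> 198.51.100.80 (80)",
    "203.0.113.5 (0) --> 198.51.100.53 (53)",
    "203.0.113.9 (40000) --> 198.51.100.80 (80)",
    "garbage line",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(classify(entry), entry)
    print(summarize(SAMPLE))
```

Because the flagged values also appear in legitimate traffic, the per-source count is meant as a review queue, not as input to a block list.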
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:18:59 CDT