From: Mike Wilson (mwilson@cincinnatiequitable.com)
Date: Thu Sep 27 2001 - 12:44:39 CDT

    Scott,

    A normal operating system DNS query would use an unprivileged source port
    (>1024) to make the DNS request. I would concur that this type of traffic
    seems suspicious. I don't know if it's a widespread occurrence (I haven't
    seen any show up in my logs), but your hypothesis seems fairly likely.

    Regards,

    Mike Wilson
    CCNP, CCDP, MCSE
    Sr. Network Engineer
    Cincinnati Equitable Insurance
    513-621-1826 x350

    -----Original Message-----
    From: shewitt@cdw.com [mailto:shewitt@cdw.com]
    Sent: Thursday, September 27, 2001 11:44 AM
    To: focus-ms@securityfocus.com
    Subject: Source port 69

    Last week, during the Nimda scare, I blocked outbound UDP port 69 (TFTP) on
    my edge routers since Nimda used TFTP to download part of the virus.

    I didn't see any activity for a little while, but this week I have seen
    several outbound packets getting blocked that were going back to UDP port
    69.

    Here is an example log from an ACL for outbound traffic:
    denied udp 12.32.90.x(53) -> 216.56.21.xxx(69), 1 packet

    All the occurrences with this have been with my DNS servers. So, it looks
    like somebody tried to query my DNS server with a source port of 69, so that
    I would respond back at UDP port 69. If I were to have allowed this traffic
    to go back out, then somebody could assume that I'm allowing TFTP out to the
    internet. It looks like somebody may be scanning DNS servers to see if they
    allow TFTP and compiling a list of those that allow it.

    Has anybody seen this before? I read a couple things about DNS to try to
    determine if it's ok for clients to source a DNS query at port 69, and I
    think I've come to the conclusion that DNS queries from clients should NOT
    come from port 69. Can anybody clarify this?

    --------------------------
    Scott Hewitt
    WEB/WAN Administrator
    CDW Computer Centers, Inc.
    shewitt@cdw.com
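As an added example, not part of either message in this thread, the following Python check parses ACL deny lines in the layout Scott quoted and flags DNS replies that are headed back to a privileged destination port, which is Mike's point: a normal resolver sources its query from a port above 1024, so a reply from port 53 to port 69 means the query itself claimed a privileged source port. The log lines below are constructed (addresses partly masked like the original and not real hosts), the regex assumes the exact `denied <proto> src(port) -> dst(port), N packets` form shown in the thread, and port 53 is exempted by default because older name servers send server-to-server queries from port 53.

```python
import re
from dataclasses import dataclass

# Constructed sample ACL denials in the style quoted in the thread; the
# masked addresses and the RFC 5737 documentation ranges are not real hosts.
SAMPLE_LOG = """\
denied udp 12.32.90.x(53) -> 216.56.21.xxx(69), 1 packet
denied udp 12.32.90.x(53) -> 198.51.100.7(34567), 3 packets
denied udp 12.32.90.x(53) -> 203.0.113.9(53), 1 packet
denied udp 12.32.90.x(53) -> 198.51.100.22(69), 2 packets
denied tcp 12.32.90.x(25) -> 198.51.100.8(69), 1 packet
"""

# Assumed layout: "denied <proto> <src>(<sport>) -> <dst>(<dport>), <n> packet(s)"
ACL_RE = re.compile(
    r"denied\s+(?P<proto>udp|tcp)\s+"
    r"(?P<src>[0-9a-z.]+)\((?P<sport>\d+)\)\s*->\s*"
    r"(?P<dst>[0-9a-z.]+)\((?P<dport>\d+)\),\s*(?P<count>\d+)\s+packets?"
)


@dataclass
class Denial:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    count: int


def parse_acl_line(line):
    """Parse one ACL deny line; return a Denial or None if it does not match."""
    m = ACL_RE.search(line)
    if not m:
        return None
    return Denial(
        m["proto"], m["src"], int(m["sport"]),
        m["dst"], int(m["dport"]), int(m["count"]),
    )


def suspicious_dns_replies(log_text, dns_port=53, privileged_max=1023,
                           exempt_dports=(53,)):
    """Return denials that are UDP replies from the DNS port addressed to a
    privileged destination port (<= privileged_max).

    A normal resolver sources its query from an unprivileged port, so a reply
    bound for a low port means the query arrived with a privileged source port.
    Port 53 is exempt by default: older name servers query other servers from
    port 53, so 53 -> 53 is ordinary server-to-server traffic.
    """
    hits = []
    for line in log_text.splitlines():
        d = parse_acl_line(line)
        if d is None or d.proto != "udp" or d.sport != dns_port:
            continue
        if d.dport <= privileged_max and d.dport not in exempt_dports:
            hits.append(d)
    return hits


def summarize_by_port(hits):
    """Total flagged packets per destination port, e.g. {69: 3}."""
    counts = {}
    for d in hits:
        counts[d.dport] = counts.get(d.dport, 0) + d.count
    return counts


if __name__ == "__main__":
    flagged = suspicious_dns_replies(SAMPLE_LOG)
    for d in flagged:
        print(f"DNS reply to privileged port: {d.src}({d.sport}) -> {d.dst}({d.dport})")
    print(summarize_by_port(flagged))
```

Feeding real ACL syslog output through `suspicious_dns_replies` gives a per-port tally of how often the name servers were queried from privileged source ports; a cluster on a single port such as 69 from many distinct destinations is the pattern Scott describes, whereas scattered low ports are more likely misconfigured clients.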