Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
From: Mike Wilson (mwilsoncincinnatiequitable.com)
Date: Thu Sep 27 2001 - 12:44:39 CDT
A normal operating system DNS query would use an unprivileged source port (
>1024) to make the DNS request. I would concur that this type of traffic
seems suspicious. I don't know if it's a widespread occurance (I haven't
seen any show up in my logs), but your hypothesis seems fairly likely.
CCNP, CCDP, MCSE
Sr. Network Engineer
Cincinnati Equitable Insurance
From: shewittcdw.com [mailto:shewittcdw.com]
Sent: Thursday, September 27, 2001 11:44 AM
Subject: Source port 69
Last week, during the Nimda scare, I blocked outbound UDP port 69 (TFTP) on
my edge routers since Nimda used TFTP to download part of the virus.
I didn't see any activity for a little while, but this week I have seen
several outbound packets getting blocked that were going back to UDP port
Here is an example log from an ACL for outbound traffic:
denied udp 12.32.90.x(53) -> 216.56.21.xxx(69), 1 packet
All the occurrences with this has been with my DNS servers. So, it looks
like somebody tried to query my DNS server with a source port of 69, so that
I would respond back at UDP port 69. If I were to have allowed this traffic
to go back out, then somebody could assume that I'm allowing TFTP out to the
internet. It looks like somebody may be scanning DNS servers to see if they
allow TFTP and compiling a list of those that allow it.
Has anybody seen this before? I read a couple things about DNS to try to
determine if it's ok for clients to source a DNS query at port 69, and I
think I've come to the conclusion that DNS queries from clients should NOT
come from port 69. Can anybody clarify this?
CDW Computer Centers, Inc.