Re: strange traffic on UDP port 53

[Ronald Belchez <meukone () yahoo co uk>]

In-Reply-To: <m19PS3d-000B44C () proven weird com>

Hello All,

Sorry for my late reply. 
Provided below is the captured info. as per Ethereal packet analyser. 

1. Using the same src_IP:port# to dst_IP:port# (as earlier provided) it 
is using DNS query to PTR 48.1.1.192.in-addr.arpa

2. Then our mail server replying to the same Source IP, using ICMP (0x01) 
destination unreachable.

(I don't know the good way to dump the rest of the captured packets here, 
if anyone is interested i can send the captured file.) The same pattern 
is being repeated and banging my ACL on the router, please take note that 
only this specific source IP is hitting the ACL. The rest of the log is 
clean except for occasional denied port 80 access on that subnet. 

PS: We tried deploying firewall before ( Netscreen ) but it did not work 
on our network as the traffic coming on our network are mostly forwarding 
traffic. We are a service provider for VSAT networks. (Our client 
internet requests go via their normal connection and the Internet forward 
it to us then we transmit it to the satellite at a very fast speed). This 
topic is a bit non related to the issue above, but I know a lot of you 
(actually some suggest) that we just implement firewall so that I just 
dont rely on the router ACL. 

If anyone have the explanation to the above captured traffic, which is 
constantly (for 2 weeks now) being logged on our router ACL please 
advise. (it looks to me that it could be a DoS but I am not sure). Thanks 
in advance.

Client was already contacted but no response yet was received.


> Received: (qmail 19521 invoked from network); 10 Jun 2003 18:15:34 -0000
> Received: from outgoing2.securityfocus.com (205.206.231.26)
>  by mail.securityfocus.com with SMTP; 10 Jun 2003 18:15:34 -0000
> Received: from lists.securityfocus.com (lists.securityfocus.com 
[205.206.231.19])
>       by outgoing2.securityfocus.com (Postfix) with QMQP
>       id 217738F31F; Tue, 10 Jun 2003 12:11:30 -0600 (MDT)
> Mailing-List: contact incidents-help () securityfocus com; run by ezmlm
> Precedence: bulk
> List-Id: <incidents.list-id.securityfocus.com>
> List-Post: <mailto:incidents () securityfocus com>
> List-Help: <mailto:incidents-help () securityfocus com>
> List-Unsubscribe: <mailto:incidents-unsubscribe () securityfocus com>
> List-Subscribe: <mailto:incidents-subscribe () securityfocus com>
> Delivered-To: mailing list incidents () securityfocus com
> Delivered-To: moderator for incidents () securityfocus com
> Received: (qmail 21798 invoked by uid 0); 9 Jun 2003 17:11:22 -0000
> Message-Id: <m19PS3d-000B44C () proven weird com>
> Date: Mon, 9 Jun 2003 15:11:53 -0400 (EDT)
> MIME-Version: 1.0
> Content-Type: text/plain; charset=us-ascii
> Content-Transfer-Encoding: 7bit
> X-Face: ;j3Eth2XV8h1Yfu<eXd9JL+"t;iT8?{X]Fjm`Qb]>*uL{<:dQ$#E
[DB0gemGZJ"J#4fH*][
> lz;@-iwMv_u\6uIEKR0KY"=MzoQH#CrqBN`nG_5B@rrM8,f~Gr&h5a\=<t0loVf0$}bP=]
i3OMh"n_
> _@m4/,~2`V=(-9LyW.)'`@E_fE^<4y7)BIe`A''/j-Y#gDNZERh%CCij'q-
NA4F<|yjznEhd7=l^xH
> 2.qD3o0IanGHERTW+z$G
> From: "Greg A. Woods" <woods () weird com>
> To: <gillettdavid () fhda edu>
> Cc: "'Mike'" <mike () coenholdings ie>,
>       "'Ronald Belchez'" <meukone () yahoo co uk>,
>       <incidents () securityfocus com>
> Subject: RE: strange traffic on UDP port 53
> In-Reply-To: <042501c32eb6$46e4ef40$6e811299@gillett>
> References: <m19PPxH-000B44C () proven weird com>
>       <042501c32eb6$46e4ef40$6e811299@gillett>
> X-Mailer: VM 7.07 under Emacs 21.2.1
> Organization: Planix, Inc.; Toronto, Ontario; Canada
>
> [ On Monday, June 9, 2003 at 11:38:08 (-0700), David Gillett wrote: ]
> > Subject: RE: strange traffic on UDP port 53
> >
> > > -----Original Message-----
> > > From: Greg A. Woods [mailto:woods () weird com]
> > >
> > > [ On Friday, June 6, 2003 at 10:35:34 (-0700), David Gillett wrote: ]
> > > > Subject: RE: strange traffic on UDP port 53
> > > >
> > > >   Replies to DNS queries should be coming FROM port 53,
> > >
> > > True, though unfortunately it's not always the case.
> >
> >   ... but your further paragraph argues that it is hardly unfortunate 
at
> > all, since it's *practically always* the case.
>
> Indeed -- I was confusing "replies to DNS queries" with "DNS 
queries".   :-)
> (because usually I avoid the confusion by calling then "DNS replies")
>
> DNS queries should have a source port of 53, but often don't.
>
> DNS queries MUST have a destination port of 53.
>
> DNS replies simply swap the source and destination (addresses and port
> numbers together) and out they go.
>
> >   If a UDP packet is FROM and ephemeral port TO port 53, it's almost
> > certainly a DNS *request*, and not a *reply*.  And that's the pattern
> > reported in this case.
>
> Indeed it is!
>
> -- 
>                                                               Greg A. 
Woods
> +1 416 218-0098;            <g.a.woods () ieee org>;           
<woods () robohack ca>
> Planix, Inc. <woods () planix com>; VE3TCP; Secrets of the Weird 
<woods () weird com>
> -------------------------------------------------------------------------
---
> -------------------------------------------------------------------------
---
>

----------------------------------------------------------------------------
----------------------------------------------------------------------------