[Dshield] Abundant Port 53 scans

Johannes B. Ullrich euclidian at euclidian.com
Mon Jul 9 14:56:30 GMT 2001


There are two main reasons for DNS lookups like this:

- BIND, a very popular DNS server, has a rich history of security
  problems. This could be an attempt to find a vulnerable server.

- Some load balancing software, which attempts to find web servers
  close to you, uses TCP packets to port 53 to measure the 'distance'
  from you to various servers.

Hard to tell which one of these you got here. 

---
Johannes Ullrich            Join http://www.dshield.org
jullrich at sans.org
---

On Mon, 9 Jul 2001, Ryan J Betz wrote:

> I get this in my logs about once a day (xxx.xxx.xxx.xxx is my IP address):
> 
> Jul  9 09:53:13 gateway kernel: Packet log: input DENY eth0 PROTO=6
> 202.139.133.129:54491 xxx.xxx.xxx.xxx:53 L=44 S=0x00 I=0 F=0x0000 T=241
> (#29)
> Jul  9 09:53:13 gateway kernel: Packet log: input DENY eth0 PROTO=6
> 216.35.167.58:57060 xxx.xxx.xxx.xxx:53 L=44 S=0x00 I=0 F=0x0000 T=243 (#29)
> Jul  9 09:53:13 gateway kernel: Packet log: input DENY eth0 PROTO=6
> 209.249.97.40:40817 xxx.xxx.xxx.xxx:53 L=44 S=0x00 I=0 F=0x0000 T=243 (#29)
> Jul  9 09:53:13 gateway kernel: Packet log: input DENY eth0 PROTO=6
> 64.37.200.46:64732 xxx.xxx.xxx.xxx:53 L=44 S=0x00 I=0 F=0x0000 T=245 (#29)
> Jul  9 09:53:13 gateway kernel: Packet log: input DENY eth0 PROTO=6
> 216.33.35.214:37856 xxx.xxx.xxx.xxx:53 L=44 S=0x00 I=0 F=0x0000 T=244 (#29)
> Jul  9 09:53:13 gateway kernel: Packet log: input DENY eth0 PROTO=6
> 64.78.235.14:64258 xxx.xxx.xxx.xxx:53 L=44 S=0x00 I=0 F=0x0000 T=245 (#29)
> 
> It goes on for about 300 IP addresses.  This isn't my DNS server, it's a
> web/mail server.  Should this be happening? I don't really know why this is
> going on.
> 
> Thanks,
> Ryan




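When reporting a burst like the one quoted above, it helps to summarize how many distinct sources hit the same port in the same second. The following is an added example, not part of the original thread: it parses lines in the ipchains packet-log format shown in the quoted message and groups them into bursts. The sample lines, their addresses (documentation ranges) and the function names are constructed for illustration, and the code does not decide which of the two explanations applies.

```python
import re
from collections import defaultdict

# Constructed sample lines in the ipchains "Packet log" format quoted above.
# Addresses are documentation ranges, not the ones from the original post.
SAMPLE_LOG = """\
Jul  9 09:53:13 gateway kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:54491 203.0.113.5:53 L=44 S=0x00 I=0 F=0x0000 T=241 (#29)
Jul  9 09:53:13 gateway kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:57060 203.0.113.5:53 L=44 S=0x00 I=0 F=0x0000 T=243 (#29)
Jul  9 09:53:13 gateway kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.77:40817 203.0.113.5:53 L=44 S=0x00 I=0 F=0x0000 T=243 (#29)
Jul  9 09:53:13 gateway kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.200:64732 203.0.113.5:53 L=44 S=0x00 I=0 F=0x0000 T=245 (#29)
Jul  9 10:02:41 gateway kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.99:3311 203.0.113.5:111 L=60 S=0x00 I=4021 F=0x4000 T=52 (#29)
Jul  9 10:02:44 gateway kernel: Packet log: input DENY eth0 PROTO=17 192.0.2.99:3312 203.0.113.5:53 L=58 S=0x00 I=4022 F=0x0000 T=52 (#29)
"""

# PROTO is the IP protocol number (6 = TCP, 17 = UDP); L is the packet
# length, I the IP ID, T the TTL.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: "
    r"(?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=0x[0-9A-Fa-f]+ I=(?P<ipid>\d+) F=0x[0-9A-Fa-f]+ T=(?P<ttl>\d+)"
)

def parse(text):
    """Yield one dict per line that matches the packet-log format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def find_bursts(text, min_sources=3):
    """Group packets by (second, protocol, destination port) and return
    the groups hit by at least `min_sources` distinct source addresses."""
    groups = defaultdict(list)
    for p in parse(text):
        groups[(p["ts"], int(p["proto"]), int(p["dport"]))].append(p)
    bursts = []
    for (ts, proto, dport), pkts in groups.items():
        sources = sorted({p["src"] for p in pkts})
        ttls = [int(p["ttl"]) for p in pkts]
        if len(sources) >= min_sources:
            bursts.append({"time": ts, "proto": proto, "dport": dport,
                           "sources": sources,
                           "lengths": sorted({int(p["len"]) for p in pkts}),
                           "ttl_range": (min(ttls), max(ttls))})
    return bursts

if __name__ == "__main__":
    for burst in find_bursts(SAMPLE_LOG):
        print(burst)
```
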