[Dshield] Abundant Port 53 scans

Ryan J Betz ryanb at maumeepattern.com
Tue Jul 10 16:53:59 GMT 2001


I just find it hard to believe that 300+ machines would all be scanning just
my one IP address, which doesn't even run BIND, all at the same exact time.
I'm not aware of any load balancing software running on my machines, and
wouldn't the software use a non-privileged port on my end, as DNS client
requests are allowed through the firewall?  Just thought this was
interesting.

Thanks for the help,
Ryan


--__--__--

Message: 1
Date: Mon, 9 Jul 2001 10:56:30 -0400 (EDT)
From: "Johannes B. Ullrich" <euclidian at euclidian.com>
To: dshield at dshield.org
Subject: Re: [Dshield] Abundant Port 53 scans
Reply-To: dshield at dshield.org


There are two main reasons for DNS lookups like this:

- BIND, a very popular DNS server, has a rich history of security
  problems. This could be an attempt to find a vulnerable server.

- Some load balancing software, which attempts to find web servers
  close to you, uses TCP packets to port 53 to measure the 'distance'
  from you to various servers.

Hard to tell which one of these you got here.

---
Johannes Ullrich            Join http://www.dshield.org
jullrich at sans.org
---

On Mon, 9 Jul 2001, Ryan J Betz wrote:

> I get this in my logs about once a day (xxx.xxx.xxx.xxx is my IP address):
>
> Jul  9 09:53:13 gateway kernel: Packet log: input DENY eth0 PROTO=6 202.139.133.129:54491 xxx.xxx.xxx.xxx:53 L=44 S=0x00 I=0 F=0x0000 T=241 (#29)
> Jul  9 09:53:13 gateway kernel: Packet log: input DENY eth0 PROTO=6 216.35.167.58:57060 xxx.xxx.xxx.xxx:53 L=44 S=0x00 I=0 F=0x0000 T=243 (#29)
> Jul  9 09:53:13 gateway kernel: Packet log: input DENY eth0 PROTO=6 209.249.97.40:40817 xxx.xxx.xxx.xxx:53 L=44 S=0x00 I=0 F=0x0000 T=243 (#29)
> Jul  9 09:53:13 gateway kernel: Packet log: input DENY eth0 PROTO=6 64.37.200.46:64732 xxx.xxx.xxx.xxx:53 L=44 S=0x00 I=0 F=0x0000 T=245 (#29)
> Jul  9 09:53:13 gateway kernel: Packet log: input DENY eth0 PROTO=6 216.33.35.214:37856 xxx.xxx.xxx.xxx:53 L=44 S=0x00 I=0 F=0x0000 T=244 (#29)
> Jul  9 09:53:13 gateway kernel: Packet log: input DENY eth0 PROTO=6 64.78.235.14:64258 xxx.xxx.xxx.xxx:53 L=44 S=0x00 I=0 F=0x0000 T=245 (#29)
>
> It goes on for about 300 IP addresses.  This isn't my DNS server, it's a
> web/mail server.  Should this be happening?  I don't really know why this
> is going on.
>
> Thanks,
> Ryan


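As an added example, not part of the thread or of any DShield tool, here is a small Python parser for the ipchains "Packet log" lines quoted above. It groups denied TCP/53 packets by timestamp second and reports seconds in which many distinct sources arrive at once, which is the pattern Ryan describes; the threshold and the sample entries (the six quoted lines plus one constructed unrelated entry) are assumptions.

```python
import re
from collections import defaultdict

# Field layout taken from the ipchains lines quoted in the thread:
# <ts> <host> kernel: Packet log: <chain> <action> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> ... T=<ttl> ...
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: "
    r"(?P<chain>\w+) (?P<action>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\w.]+):(?P<dport>\d+) "
    r".*?\bT=(?P<ttl>\d+)"
)

def parse_line(line):
    """Return the interesting fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "ttl"):
        rec[key] = int(rec[key])
    return rec

def distributed_probes(lines, dport=53, proto=6, min_sources=5):
    """Group DENY entries for proto/dport by second; return the seconds in which
    at least min_sources distinct source addresses hit the port simultaneously,
    with the set of TTLs seen (different TTLs are consistent with different
    origin hosts rather than one spoofing host)."""
    sources = defaultdict(set)
    ttls = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == "DENY" and rec["proto"] == proto and rec["dport"] == dport:
            sources[rec["ts"]].add(rec["src"])
            ttls[rec["ts"]].add(rec["ttl"])
    return {ts: {"sources": sorted(srcs), "ttls": sorted(ttls[ts])}
            for ts, srcs in sources.items() if len(srcs) >= min_sources}

# Constructed sample: the six entries quoted in the thread plus one lone entry two minutes later.
SAMPLE = """\
Jul  9 09:53:13 gateway kernel: Packet log: input DENY eth0 PROTO=6 202.139.133.129:54491 xxx.xxx.xxx.xxx:53 L=44 S=0x00 I=0 F=0x0000 T=241 (#29)
Jul  9 09:53:13 gateway kernel: Packet log: input DENY eth0 PROTO=6 216.35.167.58:57060 xxx.xxx.xxx.xxx:53 L=44 S=0x00 I=0 F=0x0000 T=243 (#29)
Jul  9 09:53:13 gateway kernel: Packet log: input DENY eth0 PROTO=6 209.249.97.40:40817 xxx.xxx.xxx.xxx:53 L=44 S=0x00 I=0 F=0x0000 T=243 (#29)
Jul  9 09:53:13 gateway kernel: Packet log: input DENY eth0 PROTO=6 64.37.200.46:64732 xxx.xxx.xxx.xxx:53 L=44 S=0x00 I=0 F=0x0000 T=245 (#29)
Jul  9 09:53:13 gateway kernel: Packet log: input DENY eth0 PROTO=6 216.33.35.214:37856 xxx.xxx.xxx.xxx:53 L=44 S=0x00 I=0 F=0x0000 T=244 (#29)
Jul  9 09:53:13 gateway kernel: Packet log: input DENY eth0 PROTO=6 64.78.235.14:64258 xxx.xxx.xxx.xxx:53 L=44 S=0x00 I=0 F=0x0000 T=245 (#29)
Jul  9 09:55:01 gateway kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.9:1234 xxx.xxx.xxx.xxx:53 L=44 S=0x00 I=0 F=0x0000 T=64 (#29)
""".splitlines()

if __name__ == "__main__":
    for ts, info in distributed_probes(SAMPLE).items():
        print(ts, len(info["sources"]), "sources, TTLs", info["ttls"])
```

Run against a real ipchains log, the single-second grouping separates a burst of many origins (the case in the thread) from one host walking your address space, which would show up as one source across many seconds.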

