[Dshield] Abundant Port 53 scans

BarkerJr barkjr at home.com
Tue Jul 10 17:14:35 GMT 2001


I think the load balancing software would be run on remote servers that your server is
connecting to.  They would send packets to your server as pings.  But if there's 300+
machines, this probably isn't the case, unless your server connects to a large number of
machines.

-BarkerJr

----- Original Message -----
From: "Ryan J Betz" <ryanb at maumeepattern.com>
To: <dshield at dshield.org>
Sent: Tuesday, July 10, 2001 12:53 PM
Subject: Re: [Dshield] Abundant Port 53 scans


> I just find it hard to believe that 300+ machines would all be scanning just
> my one IP address, which doesn't even run BIND, all at the same exact time.
> I'm not aware of any load balancing software running on my machines, and
> wouldn't the software use a non-privileged port on my end as DNS client
> requests are allowed through the firewall.  Just thought this was
> interesting.
>
> Thanks for the help,
> Ryan
>
>
> --__--__--
>
> Message: 1
> Date: Mon, 9 Jul 2001 10:56:30 -0400 (EDT)
> From: "Johannes B. Ullrich" <euclidian at euclidian.com>
> To: dshield at dshield.org
> Subject: Re: [Dshield] Abundant Port 53 scans
> Reply-To: dshield at dshield.org
>
>
> There are two main reasons for DNS lookups like this:
>
> - BIND, a very popular DNS server, has a rich history of security
>   problems. This could be an attempt to find a vulnerable server.
>
> - Some load balancing software, which attempts to find web servers
>   close to you, uses tcp packets to port 53 to measure the 'distance'
>   from you to various servers.
>
> Hard to tell which one of these you got here.
>
> ---
> Johannes Ullrich            Join http://www.dshield.org
> jullrich at sans.org
> ---
>
> On Mon, 9 Jul 2001, Ryan J Betz wrote:
>
> > I get this in my logs about once a day (xxx.xxx.xxx.xxx is my IP address):
> >
> > Jul  9 09:53:13 gateway kernel: Packet log: input DENY eth0 PROTO=6 202.139.133.129:54491 xxx.xxx.xxx.xxx:53 L=44 S=0x00 I=0 F=0x0000 T=241 (#29)
> > Jul  9 09:53:13 gateway kernel: Packet log: input DENY eth0 PROTO=6 216.35.167.58:57060 xxx.xxx.xxx.xxx:53 L=44 S=0x00 I=0 F=0x0000 T=243 (#29)
> > Jul  9 09:53:13 gateway kernel: Packet log: input DENY eth0 PROTO=6 209.249.97.40:40817 xxx.xxx.xxx.xxx:53 L=44 S=0x00 I=0 F=0x0000 T=243 (#29)
> > Jul  9 09:53:13 gateway kernel: Packet log: input DENY eth0 PROTO=6 64.37.200.46:64732 xxx.xxx.xxx.xxx:53 L=44 S=0x00 I=0 F=0x0000 T=245 (#29)
> > Jul  9 09:53:13 gateway kernel: Packet log: input DENY eth0 PROTO=6 216.33.35.214:37856 xxx.xxx.xxx.xxx:53 L=44 S=0x00 I=0 F=0x0000 T=244 (#29)
> > Jul  9 09:53:13 gateway kernel: Packet log: input DENY eth0 PROTO=6 64.78.235.14:64258 xxx.xxx.xxx.xxx:53 L=44 S=0x00 I=0 F=0x0000 T=245 (#29)
> >
> > It goes on for about 300 IP addresses.  This isn't my DNS server, it's a
> > web/mail server.  Should this be happening, I don't really know why this is
> > going on?
> >
> > Thanks,
> > Ryan
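Added example, not from the thread and not anyone's posted code: a small Python triage script for ipchains "Packet log:" lines of the form quoted above. It parses each line, groups DENY entries by log-timestamp second and destination port, and reports any group with many distinct source addresses, together with the TTL spread and whether the packets all share one shape (protocol, length, TOS, IP ID, fragment flags). That is the pattern the thread is puzzling over: hundreds of sources hitting one port on one host in the same second. The log lines embedded below are constructed for the example using documentation-range addresses; the min_sources threshold and the TTL/shape reading in describe() are heuristics assumed here, not anything the thread states.

```python
import re
from collections import defaultdict

# Pattern for the 2.2-era ipchains "Packet log:" line quoted in the thread.
# Example field layout: input DENY eth0 PROTO=6 a.b.c.d:sport w.x.y.z:dport
#                       L=len S=0xtos I=ipid F=0xfrag T=ttl (#rule)
IPCHAINS_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: "
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\dx.]+):(?P<sport>\d+) (?P<dst>[\dx.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+)"
)

# Constructed sample log (documentation-range addresses); not real traffic.
SAMPLE_LOG = """\
Jul  9 09:53:13 gateway kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:54491 192.0.2.10:53 L=44 S=0x00 I=0 F=0x0000 T=241 (#29)
Jul  9 09:53:13 gateway kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.58:57060 192.0.2.10:53 L=44 S=0x00 I=0 F=0x0000 T=243 (#29)
Jul  9 09:53:13 gateway kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.40:40817 192.0.2.10:53 L=44 S=0x00 I=0 F=0x0000 T=243 (#29)
Jul  9 09:53:13 gateway kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.46:64732 192.0.2.10:53 L=44 S=0x00 I=0 F=0x0000 T=245 (#29)
Jul  9 09:53:14 gateway kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.99:1025 192.0.2.10:80 L=60 S=0x00 I=3071 F=0x4000 T=52 (#31)
Jul  9 09:53:14 gateway kernel: Packet log: input DENY eth0 PROTO=17 203.0.113.99:1026 192.0.2.10:53 L=60 S=0x00 I=3072 F=0x0000 T=52 (#29)
Jul  9 09:54:02 gateway sshd[412]: Accepted publickey for admin from 198.51.100.3
"""


def parse_line(line):
    """Return a dict of fields for an ipchains packet-log line, or None for anything else."""
    m = IPCHAINS_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ipid", "ttl"):
        rec[key] = int(rec[key])
    return rec


def find_bursts(lines, min_sources=3):
    """Group DENY records by (timestamp second, destination port) and return the
    groups that have at least min_sources distinct source addresses.
    min_sources is a tuning assumption; 3 is low so the small sample trips it."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "DENY":
            continue
        groups[(rec["ts"], rec["dport"])].append(rec)

    bursts = []
    for (ts, dport), recs in sorted(groups.items()):
        sources = sorted({r["src"] for r in recs})
        if len(sources) < min_sources:
            continue
        ttls = [r["ttl"] for r in recs]
        # "Shape" = the IP-level fields that stay constant for one tool/stack.
        shapes = defaultdict(int)
        for r in recs:
            shapes[(r["proto"], r["length"], r["tos"], r["ipid"], r["frag"])] += 1
        shape, count = max(shapes.items(), key=lambda kv: kv[1])
        bursts.append({
            "ts": ts,
            "dport": dport,
            "sources": sources,
            "ttl_min": min(ttls),
            "ttl_max": max(ttls),
            "dominant_shape": shape,
            "shape_fraction": count / len(recs),
        })
    return bursts


def describe(burst):
    """One-line triage summary. The TTL/shape reading is a heuristic: varied TTLs
    fit genuinely distinct hosts (a distributed probe or scan); identical TTLs
    across many sources are worth a second look for one host using decoy
    addresses, though hosts at equal hop distance would look the same."""
    n = len(burst["sources"])
    if burst["ttl_min"] != burst["ttl_max"]:
        ttl_note = "TTLs vary %d-%d, consistent with distinct hosts" % (
            burst["ttl_min"], burst["ttl_max"])
    else:
        ttl_note = "all TTLs %d, check for a single host using decoys" % burst["ttl_min"]
    shape_note = "%.0f%% share one packet shape %s" % (
        100 * burst["shape_fraction"], burst["dominant_shape"])
    return "%s port %d: %d distinct sources; %s; %s" % (
        burst["ts"], burst["dport"], n, ttl_note, shape_note)


if __name__ == "__main__":
    for b in find_bursts(SAMPLE_LOG.splitlines()):
        print(describe(b))
```

Run against a real log, the script should be fed many days of lines and a higher min_sources; the interesting output for the thread's case is one group on port 53 with hundreds of sources in a single second, all TCP, all L=44 and I=0, with TTLs spread over a few values.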



