[Dshield] Abundant Port 53 scans

Lowell Hamilton lhamilton at vistavdi.com
Tue Jul 10 17:28:06 GMT 2001


I've had a couple of cases where someone registered a domain or moved their
nameserver and typoed the name server IP, sending a few hundred requests
a minute to a mail server of mine.  I solved it by capturing some of the
packets to see if it's trying to resolve a specific domain, and checking
internic's whois ... sure enough a nameserver had been set to my mail
server IP by accident.  A little note to the admin of the nameserver
will usually fix things quickly since you could take over any domain
pointed to you.

---
Lowell Hamilton, Head of Network Operations
Vista Voice and Data, Inc.



Ryan J Betz wrote:
> 
> I just find it hard to believe that 300+ machines would all be scanning just
> my one IP address, which doesn't even run BIND, all at the same exact time.
> I'm not aware of any load balancing software running on my machines, and
> wouldn't the software use a non-privileged port on my end as DNS client
> requests are allowed through the firewall.  Just thought this was
> interesting.
> 
> Thanks for the help,
> Ryan
> 
> --__--__--
> 
> Message: 1
> Date: Mon, 9 Jul 2001 10:56:30 -0400 (EDT)
> From: "Johannes B. Ullrich" <euclidian at euclidian.com>
> To: dshield at dshield.org
> Subject: Re: [Dshield] Abundant Port 53 scans
> Reply-To: dshield at dshield.org
> 
> There are two main reasons for DNS lookups like this:
> 
> - BIND, a very popular DNS server, has a rich history of security
>   problems. This could be an attempt to find a vulnerable server.
> 
> - Some load balancing software, which attempts to find web servers
>   close to you, uses tcp packets to port 53 to measure the 'distance'
>   from you to various servers.
> 
> Hard to tell which one of these you got here.
> 
> ---
> Johannes Ullrich            Join http://www.dshield.org
> jullrich at sans.org
> ---
> 
> On Mon, 9 Jul 2001, Ryan J Betz wrote:
> 
> > I get this in my logs about once a day (xxx.xxx.xxx.xxx is my IP address):
> >
> > Jul  9 09:53:13 gateway kernel: Packet log: input DENY eth0 PROTO=6 202.139.133.129:54491 xxx.xxx.xxx.xxx:53 L=44 S=0x00 I=0 F=0x0000 T=241 (#29)
> > Jul  9 09:53:13 gateway kernel: Packet log: input DENY eth0 PROTO=6 216.35.167.58:57060 xxx.xxx.xxx.xxx:53 L=44 S=0x00 I=0 F=0x0000 T=243 (#29)
> > Jul  9 09:53:13 gateway kernel: Packet log: input DENY eth0 PROTO=6 209.249.97.40:40817 xxx.xxx.xxx.xxx:53 L=44 S=0x00 I=0 F=0x0000 T=243 (#29)
> > Jul  9 09:53:13 gateway kernel: Packet log: input DENY eth0 PROTO=6 64.37.200.46:64732 xxx.xxx.xxx.xxx:53 L=44 S=0x00 I=0 F=0x0000 T=245 (#29)
> > Jul  9 09:53:13 gateway kernel: Packet log: input DENY eth0 PROTO=6 216.33.35.214:37856 xxx.xxx.xxx.xxx:53 L=44 S=0x00 I=0 F=0x0000 T=244 (#29)
> > Jul  9 09:53:13 gateway kernel: Packet log: input DENY eth0 PROTO=6 64.78.235.14:64258 xxx.xxx.xxx.xxx:53 L=44 S=0x00 I=0 F=0x0000 T=245 (#29)
> >
> > It goes on for about 300 IP addresses.  This isn't my DNS server, it's a
> > web/mail server.  Should this be happening, I don't really know why this
> > is going on?
> >
> > Thanks,
> > Ryan
> 
> _______________________________________________
> Dshield mailing list
> Dshield at dshield.org
> To change your subscription options (or unsubscribe), see: http://www1.dshield.org/mailman/listinfo/dshield
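As an added example (not code from this thread, from DShield or from any poster), here is a small Python triage script covering the two practical steps the thread describes: it parses firewall log lines in the ipchains "Packet log" format Ryan posted and reports any second in which many distinct sources hit the same destination port, and it extracts the queried name from a captured DNS query so that, as Lowell suggests, the domain can be looked up in whois and its admin contacted. The log lines and the DNS query are constructed here; 192.0.2.10 stands in for the xxx.xxx.xxx.xxx in the post, and the threshold of three distinct sources is an assumption.

```python
import re
import struct
from collections import defaultdict

# Constructed sample input in the ipchains "Packet log" format quoted in the thread.
# The first four source addresses are the ones from the post; the last two lines are
# added noise (a UDP packet and a hit on port 80) so the grouping has something to ignore.
SAMPLE_LOG = """\
Jul  9 09:53:13 gateway kernel: Packet log: input DENY eth0 PROTO=6 202.139.133.129:54491 192.0.2.10:53 L=44 S=0x00 I=0 F=0x0000 T=241 (#29)
Jul  9 09:53:13 gateway kernel: Packet log: input DENY eth0 PROTO=6 216.35.167.58:57060 192.0.2.10:53 L=44 S=0x00 I=0 F=0x0000 T=243 (#29)
Jul  9 09:53:13 gateway kernel: Packet log: input DENY eth0 PROTO=6 209.249.97.40:40817 192.0.2.10:53 L=44 S=0x00 I=0 F=0x0000 T=243 (#29)
Jul  9 09:53:13 gateway kernel: Packet log: input DENY eth0 PROTO=6 64.37.200.46:64732 192.0.2.10:53 L=44 S=0x00 I=0 F=0x0000 T=245 (#29)
Jul  9 09:53:14 gateway kernel: Packet log: input DENY eth0 PROTO=17 198.51.100.7:1234 192.0.2.10:53 L=64 S=0x00 I=0 F=0x0000 T=60 (#29)
Jul  9 09:53:14 gateway kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.8:40000 192.0.2.10:80 L=44 S=0x00 I=0 F=0x0000 T=60 (#30)
"""

# Field layout of an ipchains kernel log line: timestamp, host, chain, verdict, interface,
# protocol number, src:sport, dst:dport, total length, TOS, IP id, fragment flags, TTL.
LOG_RE = re.compile(
    r"^(?P<month>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ kernel: Packet log: "
    r"(?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<id>\d+) F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+)"
)


def parse_packet_log(text):
    """Parse ipchains 'Packet log' lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        for key in ("proto", "sport", "dport", "len", "ttl"):
            d[key] = int(d[key])
        events.append(d)
    return events


def bursts(events, min_sources=3):
    """Group packets by (second, protocol, destination port) and return the buckets in which
    at least min_sources distinct source addresses appear: the 'many hosts, one port, same
    instant' pattern from the post. min_sources=3 is an assumed threshold for this sample."""
    buckets = defaultdict(set)
    for e in events:
        buckets[(e["time"], e["proto"], e["dport"])].add(e["src"])
    return {k: sorted(v) for k, v in buckets.items() if len(v) >= min_sources}


def dns_question(packet):
    """Return (qname, qtype) from the first question of a raw DNS message (RFC 1035 wire
    format, as seen in a UDP payload). Queries carry uncompressed names, so a compression
    pointer in the question is treated as an error rather than followed."""
    if len(packet) < 12:
        raise ValueError("short DNS header")
    _txid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount == 0:
        raise ValueError("no question section")
    labels = []
    pos = 12
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return ".".join(labels), qtype


def build_query(name, qtype=1, txid=0x1234):
    """Construct a minimal standard query (RD set, one question) for name. Used here only to
    create sample input; in practice the bytes come from a packet capture."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    body = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split("."))
    return header + body + b"\x00" + struct.pack("!HH", qtype, 1)


if __name__ == "__main__":
    for (second, proto, dport), sources in bursts(parse_packet_log(SAMPLE_LOG)).items():
        print(f"{second} proto={proto} dport={dport}: {len(sources)} distinct sources {sources}")
    # A captured query would be decoded like this before looking the name up in whois:
    print(dns_question(build_query("example.com")))
```

Two things worth noting when reading the output. First, L=44 on PROTO=6 is the size of a bare TCP SYN with a four-byte MSS option (20-byte IP header plus 24-byte TCP header), so the denied packets in the post are connection attempts and carry no DNS payload to decode; the name-extraction half of the script applies to the UDP queries Lowell's misconfigured-nameserver case produces, where the payload is the DNS message itself. Second, grouping on the exact second is deliberate: a few hundred distinct sources in the same second is what distinguishes the coordinated-measurement pattern from a single misconfigured resolver, which shows up as one or a few sources repeating for minutes.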
