[Dshield] Can you pros take a look?

Don Wilder Don at TheWilders.Org
Sat Jul 21 16:30:16 GMT 2001


Paul,

There are 2 plausible explanations:

1. Someone is trying to look up DNS information using your IP address. The
UDP 53 part indicates that it is a DNS lookup as opposed to a TCP 53, which
is the old DNS Zone transfer request.

2. It could be that someone is scanning for DNS servers to try to
attack/exploit.

If your internal DNS servers are not listed as authoritative for your
domain... Nr 2. would most likely be the case. If your internal DNS servers
are listed with the InterNIC then these are someone attempting to look up
information in the zone that your DNS servers are listed for and the traffic
could be valid.

> Johannes said in the -----Original Message-----
>
> To me, they look like harmless and necessary DNS server responses.
>
>
> On Fri, 20 Jul 2001, Paul Marsh wrote:
>
> >
> > 	Can you pros take a look?  This is a little snapshot of my
> > firewall log, can anyone tell me what these are from?  Some days it's
> > just a few and other days there are a lot of them.
> >
> > Thanx, Paul
> >
> > 	UDP packet dropped - 	Source:209.xxx.xx.x, 53, WAN -
> > Destination:192.xxx.x.xx, 3454, LAN - 	 -
> > 	UDP packet dropped - 	Source:209.xxx.xx.x, 53, WAN -
> > Destination:192.xxx.x.xx, 3602, LAN - 	 -
> > 	UDP packet dropped - 	Source:209.xxx.xx.x, 53, WAN -
> > Destination:192.xxx.x.xx, 3650, LAN - 	 -
> > 	UDP packet dropped - 	Source:209.xxx.xx.x, 53, WAN -
> > Destination:192.xxx.x.xx, 3853, LAN - 	 -
> > 	UDP packet dropped - 	Source:209.xxx.xx.x, 53, WAN -
> > Destination:192.xxx.x.xx, 3995, LAN - 	 -
> > 	UDP packet dropped - 	Source:209.xxx.xx.x, 53, WAN -
> > Destination:192.xxx.x.xx, 4088, LAN - 	 -
> > 	UDP packet dropped - 	Source:209.xxx.xx.x, 53, WAN -
> > Destination:192.xxx.x.xx, 4124, LAN - 	 -
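
Added example (not part of the original thread): a small Python classifier that separates the readings discussed above by port direction in each dropped-packet entry. The sample lines are constructed in the log's format with documentation addresses; the "TCP packet dropped" wording and the label names are assumptions.

```python
import re
from collections import Counter

# Field layout follows the firewall excerpt quoted in the thread (one entry per line).
LINE_RE = re.compile(
    r"(?P<proto>UDP|TCP) packet dropped\s*-\s*"
    r"Source:(?P<src>[^,]+),\s*(?P<sport>\d+),\s*\w+\s*-\s*"
    r"Destination:(?P<dst>[^,]+),\s*(?P<dport>\d+),\s*\w+"
)

# Constructed sample entries (documentation addresses); not taken from the thread.
# The "TCP packet dropped" wording is an assumption about this firewall's format.
SAMPLE = [
    "UDP packet dropped - Source:198.51.100.7, 53, WAN - Destination:192.0.2.10, 3454, LAN -",
    "UDP packet dropped - Source:198.51.100.7, 53, WAN - Destination:192.0.2.10, 3602, LAN -",
    "UDP packet dropped - Source:203.0.113.9, 2817, WAN - Destination:192.0.2.10, 53, LAN -",
    "TCP packet dropped - Source:203.0.113.9, 2818, WAN - Destination:192.0.2.10, 53, LAN -",
    "UDP packet dropped - Source:203.0.113.9, 2819, WAN - Destination:192.0.2.10, 137, LAN -",
]

def classify(line):
    """Label one dropped-packet entry by port direction; None if it does not parse."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    sport, dport = int(m["sport"]), int(m["dport"])
    if dport == 53:
        # Aimed at a DNS service: a lookup or a sweep for DNS servers.
        return "to-dns-udp" if m["proto"] == "UDP" else "to-dns-tcp"
    if sport == 53 and dport >= 1024:
        # Sent from port 53 to a high client port: the shape of a server reply.
        # The sender picks its source port, so this is a shape, not proof.
        return "reply-shaped"
    return "other"

def summarize(lines):
    """Count labels and collect the remote hosts behind reply-shaped drops."""
    counts, reply_sources = Counter(), set()
    for line in lines:
        label = classify(line)
        counts[label or "unparsed"] += 1
        if label == "reply-shaped":
            reply_sources.add(LINE_RE.search(line)["src"].strip())
    return counts, reply_sources

if __name__ == "__main__":
    counts, sources = summarize(SAMPLE)
    print(dict(counts), sorted(sources))
```

Entries labelled reply-shaped from one resolver address match the "DNS server responses" reading; to-dns entries are the lookup or scanning case.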



