[Dshield] Strange port 53 scan

Francois Gouget fgouget at free.fr
Mon May 14 21:50:45 GMT 2001

On Mon, 30 Apr 2001, Francois Gouget wrote:

>    I'm still getting these strange scans. I got one more last saturday
> and another one this morning despite the fact that my DSL connection
> broke and that I thus got a new IP address. So I assume they scan the
> whole IP block.

   (reminder, I detected occasional series of 4/8 scans of my DNS port
coming from 23 different addresses all within a 30 second time period)

   Well, I investigated this a bit more, tried to identify the points of
contact for these addresses, contacted them and one of the contacts
(Bill Cabell) was very nice and forwarded me the following:

>  ----- Original Message -----
>  From: "Joe DeFelice" <joe at mirrorimage.net>
>  Cc: <networks at mirror-image.com>; "Burt Adjoodani" <burta at rbxinc.com>
>  Sent: Monday, April 16, 2001 12:49 PM
>  Subject: Re: [networks] FW: Firewall Log Info
>  The activity you describe is a result of our global load balancer. When a
> client behind our  DNS server makes a request to one of our customer's
> sites, our load balancer has all of our sites send out an rtt packet to see 
> which site is closest to the client's DNS server. The decision is then made 
> as to which site the client's request will be sent. This is a function of
> Cisco's Distributed Director and in no way an attempt to disrupt your 
> network. In fact, the clients requests are answered quicker and their web
> pages delivered much quicker as a result. A handshake is not required by the
> Distributed Director, since the original request is from one of your
> clients. This is why the Distributed Director treats it as if it were an
> established connection, hence the ACK ....
> I hope this clarifies things. If you have any further questions, please
> direct them to networks at mirror-image.com
> We apologize for any confusion,
>  Joe DeFelice - Sr Network Engineer - Mirror Image Internet
>  v:781 376-1919  -- f:781 376-1110 -- p:888 919-7255
>                  www.mirror-image.com

   That seems to explain it... although I'm not quite sure why they have
to set the ACK bit and if their goal is to mesure the RTT why they send
a packet to port 53 and not an ICMP Echo Request packet. Also since I
drop such packets I guess it does not help me very much.

   Anyway, that explanation seems good enough to me.

   One thing I noticed is that all the addresses in my scans are listed
as scan sources in the DShield database. Of course that's not surprising
but it means that their should be a way to mark those as trusted /
innocent for certain types of scans to avoid having too many false

   One cool feature would be to make this information available on the
web site. For instance, say I look for scans originating from
'' in the DShield database. It would be nice if on the
result page I had some sort of note that said 'Ignoring port 53 scans
for this address, because it is part of a Cisco Distributed Director
network', with a link to a more detailed explanation.

Francois Gouget         fgouget at free.fr        http://fgouget.free.fr/
                Linux: It is now safe to turn on your computer.

More information about the list mailing list