[Dshield] UDP scans of 18000+ ports
security at admin.fulgan.com
Tue Feb 3 15:50:12 GMT 2004
These UDP packets look like a DNS server answering a client.
Without looking into the packet, it's hard to tell for sure but,
assuming these ARE DNS answers, it could mean two things:
That client somehow is configured to use a DNS server that is outside
your perimeter (that 126.96.36.199 machine) and you're simply blocking
the answers (not the requests, mind you). Check that machine's
configuration or your firewall DNS rules.
This client is the target of a "DNS bounce" DDoS attack: someone is
forging DNS queries to the DNS server in question with your client's
IP address in an attempt to amplify his bandwidth and saturate yours.
This seems quite unlikely since all packets come from two unique
sources (looks like primary and secondary DNS).
Now, if we look at the source IPs:
188.8.131.52 PTR chcgilwuh53ns01.mcleodusa.net
184.108.40.206 PTR hstbtxqph00ns01.mcleodusa.net
Now, looking for the NS of the mcleodusa.net domain, we find:
ns3.mcleodusa.net internet address = 220.127.116.11
ns2.mcleodusa.net internet address = 18.104.22.168
ns1.mcleodusa.net internet address = 22.214.171.124
Most likely, your client has configured his machine with the data from
his home machine.
tR> I realize all these were blocked but I'm trying to learn about what they're
tR> searching for. Anyone with "useful" information please reply.
tR> I see the source port is 53 and the dest port is in the higher 18100+ range.
tR> What are they looking for?
tR> Also drill down toward the bottom and see that this client started getting
tR> TCP FIN attempts to high ports.
tR> This firewall has been operational for over a year and these just started
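The reasoning above (source port 53 to a high port is a DNS answer; a couple of distinct sources point at a misconfigured client whose replies the firewall drops, many distinct sources with no matching outbound queries point at reflected traffic) can be turned into a quick triage script. The following is an added example, not code from the original post or from DShield; the log lines are constructed, the "proto src:port -> dst:port action" line format is an assumption, and the threshold of three resolver addresses is a hypothetical cutoff.

```python
"""Triage blocked UDP packets from source port 53 using the heuristic from the post."""
from collections import defaultdict

# Constructed sample firewall log (not from the original post). Line format is
# an assumption: "<proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <action>".
SAMPLE_LOG = """\
UDP 10.0.0.25:18101 -> 188.8.131.52:53 ALLOW
UDP 188.8.131.52:53 -> 10.0.0.25:18101 BLOCK
UDP 184.108.40.206:53 -> 10.0.0.25:18102 BLOCK
UDP 188.8.131.52:53 -> 10.0.0.25:18103 BLOCK
UDP 184.108.40.206:53 -> 10.0.0.25:18104 BLOCK
UDP 192.0.2.53:53 -> 10.0.0.77:30001 BLOCK
UDP 192.0.2.54:53 -> 10.0.0.77:30002 BLOCK
UDP 198.51.100.7:53 -> 10.0.0.40:20001 BLOCK
UDP 198.51.100.8:53 -> 10.0.0.40:20002 BLOCK
UDP 198.51.100.9:53 -> 10.0.0.40:20003 BLOCK
UDP 198.51.100.10:53 -> 10.0.0.40:20004 BLOCK
UDP 198.51.100.11:53 -> 10.0.0.40:20005 BLOCK
UDP 198.51.100.12:53 -> 10.0.0.40:20006 BLOCK
TCP 203.0.113.9:4321 -> 10.0.0.25:18200 BLOCK
"""

EPHEMERAL_MIN = 1024  # replies to a client land on its query source port, above the well-known range


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match the format."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "->":
        return None
    proto, src, _, dst, action = parts
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"proto": proto, "src_ip": src_ip, "src_port": int(src_port),
            "dst_ip": dst_ip, "dst_port": int(dst_port), "action": action}


def parse_log(text):
    return [p for p in (parse_line(l) for l in text.splitlines()) if p]


def dns_replies(packets):
    """UDP from source port 53 to an ephemeral destination port: looks like a DNS answer."""
    return [p for p in packets
            if p["proto"] == "UDP" and p["src_port"] == 53 and p["dst_port"] >= EPHEMERAL_MIN]


def outbound_queries(packets):
    """(client, server) pairs for which the log shows a query leaving toward port 53."""
    return {(p["src_ip"], p["dst_ip"]) for p in packets
            if p["proto"] == "UDP" and p["dst_port"] == 53}


def classify(packets, max_resolvers=3):
    """Per destination client, decide which of the post's two explanations fits.

    - a matching outbound query to the same server: these are answers to the
      client's own queries, and the firewall is dropping only the replies;
    - no query seen but only a few reply sources (primary/secondary DNS):
      most likely a client configured with external resolvers;
    - many distinct reply sources and no queries: possible DNS bounce.
    max_resolvers is a hypothetical cutoff, not a value from the post.
    """
    by_client = defaultdict(lambda: {"count": 0, "sources": set()})
    for p in dns_replies(packets):
        entry = by_client[p["dst_ip"]]
        entry["count"] += 1
        entry["sources"].add(p["src_ip"])
    queries = outbound_queries(packets)
    verdicts = {}
    for client, entry in by_client.items():
        queried = {s for s in entry["sources"] if (client, s) in queries}
        if queried:
            verdict = "answers-to-client-queries"
        elif len(entry["sources"]) <= max_resolvers:
            verdict = "likely-external-resolver"
        else:
            verdict = "possible-dns-bounce"
        verdicts[client] = {"verdict": verdict, "packets": entry["count"],
                            "sources": sorted(entry["sources"]), "queried": sorted(queried)}
    return verdicts


if __name__ == "__main__":
    for client, v in sorted(classify(parse_log(SAMPLE_LOG)).items()):
        print(f"{client}: {v['verdict']} ({v['packets']} packets from {len(v['sources'])} sources)")
```

This only uses the headers; as the post notes, the payload settles it. If the firewall can log it, check the QR bit and whether the question section matches something the client actually asked, and confirm the two source addresses against the resolvers the client has configured.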