[Dshield] UDP scans of 18000+ ports

Stephane Grobety security at admin.fulgan.com
Tue Feb 3 15:50:12 GMT 2004


These UDP packets look like a DNS server answering a client.
Without looking into the packet, it's hard to tell for sure but,
assuming these ARE DNS answers, it could mean two things:

That client somehow is configured to use a DNS server that is outside
your perimeter (that 209.253.113.2 machine) and you're simply blocking
the answers (not the requests, mind you). Check that machine's
configuration or your firewall DNS rules.

This client is the target of a "DNS bounce" DDoS attack: someone is
forging DNS queries to the DNS server in question with your client's
IP address in an attempt to amplify his bandwidth and saturate yours.
This seems quite unlikely since all packets come from the two unique
sources (looks like primary and secondary DNS).

Now, if we look at the source IPs:

209.253.113.18 PTR chcgilwuh53ns01.mcleodusa.net
209.253.113.2  PTR hstbtxqph00ns01.mcleodusa.net

Now, looking for the NS of the mcleodusa.net domain, we find:

ns3.mcleodusa.net       internet address = 209.253.113.18
ns2.mcleodusa.net       internet address = 209.253.113.10
ns1.mcleodusa.net       internet address = 209.253.113.2

Most likely, your client has configured his machine with the data from
his home machine.

Good luck,
Stephane


tR> I realize all these were blocked but I'm trying to learn about what they're
tR> searching for. Anyone with "useful" information please reply.

tR> I see the source port is 53 and the dest port is in the higher 18100+ range. 
tR> What are looking for?
tR> Also drill down toward the bottom and see that this client started getting 
tR> TCP FIN attempts to high ports.

tR> This firewall has been operational for over a year and these just started 
tR> yesterday.
