[unisog] odd traffic on udp 53

Gerry Sneeringer sneeri at umd.edu
Wed Oct 8 18:37:39 GMT 2003


On Wed, 8 Oct 2003, Russell Fulton wrote:
> Hi All,
> 	Over the last few days I've spotted three or four systems doing lots of
> traffic on udp port 53.  My first thought was that this was some worm or
> trojan doing DNS lookups to find MX records (like sobig-f).  This turns
> out not to be the case (well at least NAV failed to find any evidence of
> infection).  All the packets I observed carry bytes of data (NULLs
> in the few packets I captured).  There are also lots of packets being
> sent to 119.0.0.0 on udp 30467, again 8 bytes of data.
>
> Occasionally we see small incoming udp packets to this machine.
>
> My best guess now is that it is some sort of p2p protocol and the users are
> being coy with us because they know that their use is against university
> policy (unless they can convince us that they are not breaching
> anyone's copyright).
>
> Anyone got any ideas?
>
> Below are various relevant bits of data about the system and the
> traffic.

Earthstation5 (www.earthstation5.com) boasts about the ability to
use the DNS and NTP UDP ports to thwart University network
administrators.

-Gerry


---
Gerry Sneeringer, CISSP
IT Security Officer
University of Maryland
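Added example (not part of the list post): a small Python triage script that flags the pattern Russell describes, UDP/53 packets whose payload cannot be a DNS message (shorter than the 12-byte header, or an all-NULL payload), plus all-NULL payloads to other UDP ports, and counts them per source host. The packet records are constructed for illustration; the 119.0.0.0/30467 destination and the port numbers are the ones from the thread.

```python
import struct
from collections import Counter

# Constructed sample records (src, dst, dport, payload); not captured traffic.
SAMPLE_PACKETS = [
    ("10.1.2.3", "192.0.2.10", 53, b"\x00" * 8),          # 8 NULL bytes, not DNS
    ("10.1.2.3", "192.0.2.11", 53, b"\x00" * 8),
    ("10.1.2.3", "119.0.0.0", 30467, b"\x00" * 8),        # same shape, odd high port
    ("10.1.2.4", "192.0.2.53", 53,
     b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"  # real DNS header, 1 question
     b"\x03www\x07example\x03com\x00\x00\x0f\x00\x01"),    # www.example.com MX IN
]

def looks_like_dns(payload: bytes) -> bool:
    """Cheap sanity check: a DNS message has a 12-byte header; a query (QR=0)
    must carry at least one question whose first label length is 1..63."""
    if len(payload) < 12:
        return False
    _id, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    if flags & 0x8000:            # QR=1: a response; accept, judged elsewhere
        return True
    if qdcount == 0 or len(payload) == 12:
        return False
    return 0 < payload[12] <= 63  # first label length of the question name

def classify(pkt) -> str:
    """Label one UDP packet: non-DNS on port 53, all-NULL payload, or ok."""
    _src, _dst, dport, payload = pkt
    if dport == 53 and not looks_like_dns(payload):
        return "non-dns-on-53"
    if dport != 53 and payload and payload == b"\x00" * len(payload):
        return "null-payload-udp"
    return "ok"

def suspicious_hosts(packets, threshold=2):
    """Return {(src, verdict): count} for sources hitting a verdict >= threshold."""
    counts = Counter()
    for pkt in packets:
        verdict = classify(pkt)
        if verdict != "ok":
            counts[(pkt[0], verdict)] += 1
    return {k: v for k, v in counts.items() if v >= threshold}

if __name__ == "__main__":
    for key, n in suspicious_hosts(SAMPLE_PACKETS).items():
        print(key, n)
```

Run it against a decoded capture (e.g. tshark fields for src, dst, udp.dstport and the UDP payload) to get a per-host list worth a closer look; a single malformed packet is noise, repeated ones from one host are the pattern in the post.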
