[unisog] odd traffic on udp 53

Gerry Sneeringer sneeri at umd.edu
Wed Oct 8 18:37:39 GMT 2003

On Wed, 8 Oct 2003, Russell Fulton wrote:
> Hi All,
> 	Over the last few days I've spotted three or four systems doing lots of
> traffic on udp port 53.  My first thought was that this was some worm or
> trojan doing DNS lookups to find MX records (like sobig-f).  This turned
> out not to be the case (well at least NAV failed to find any evidence of
> infection).  All the packets I observed carry bytes of data (NULLs
> in the few packets I captured).  There are also lots of packets being
> sent to on udp 30467, again 8 bytes of data.
> Occasionally we see small incoming udp packets to this machine.
> My best guess now is that it is some sort of p2p protocol and the users are
> being coy with us because they know that their use is against university
> policy (unless they can convince us that they are not breaching
> anyone's copyright).
> Anyone got any ideas?
> Below are various relevant bits of data about the system and the
> traffic.

Earthstation5 (www.earthstation5.com) boasts about the ability to
use the DNS and NTP UDP ports to thwart University network


Gerry Sneeringer, CISSP
IT Security Officer
University of Maryland
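
Added example, not part of the original thread: a sketch of the check the observation above suggests, flagging hosts whose UDP port 53 payloads do not have the shape of a DNS message (an 8-byte payload is shorter than the 12-byte DNS header). The function names, the threshold and the sample records are assumptions constructed for illustration.

```python
import struct
from collections import Counter

DNS_HEADER_LEN = 12                    # fixed header size from RFC 1035
KNOWN_OPCODES = {0, 1, 2, 4, 5, 6}     # 3 is unassigned

def classify(payload: bytes) -> str:
    """Return 'dns' if payload has the shape of a DNS message, else the reason it does not."""
    if len(payload) < DNS_HEADER_LEN:
        return "too-short"
    _id, flags, qd, _an, _ns, _ar = struct.unpack("!6H", payload[:DNS_HEADER_LEN])
    opcode = (flags >> 11) & 0xF
    if opcode not in KNOWN_OPCODES:
        return "bad-opcode"
    if opcode == 0 and qd == 0 and not (flags & 0x8000):
        return "no-question"           # a standard query must carry a question
    pos = DNS_HEADER_LEN
    for _ in range(qd):                # walk each question: name, QTYPE, QCLASS
        while True:
            if pos >= len(payload):
                return "malformed-question"
            length = payload[pos]
            if length == 0:            # root label ends the name
                pos += 1
                break
            if (length & 0xC0) == 0xC0:  # compression pointer ends the name
                pos += 2
                break
            if length > 63:            # labels are at most 63 bytes
                return "malformed-question"
            pos += 1 + length
        pos += 4                       # QTYPE + QCLASS
        if pos > len(payload):
            return "malformed-question"
    return "dns"

def suspicious_sources(records, threshold=3):
    """records: (src_ip, dst_port, payload). Return {src: count} of non-DNS payloads sent to port 53."""
    counts = Counter(src for src, dport, data in records
                     if dport == 53 and classify(data) != "dns")
    return {src: n for src, n in counts.items() if n >= threshold}

# Constructed sample data (not from the original capture).
QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
         b"\x03www\x07example\x03com\x00\x00\x01\x00\x01")
SAMPLE = [("192.0.2.10", 53, b"\x00" * 8)] * 4 + [("192.0.2.20", 53, QUERY)] * 4
```

The records would normally come from a packet capture or flow export with payloads; the check only looks at message shape, so it will not catch a tunnel that wraps its data in well-formed DNS queries.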
