[unisog] odd traffic on udp 53
sneeri at umd.edu
Wed Oct 8 18:37:39 GMT 2003
On Wed, 8 Oct 2003, Russell Fulton wrote:
> Hi All,
> Over the last few days I've spotted three or four systems doing lots of
> traffic on udp port 53. My first thought was that this was some worm or
> trojan doing DNS lookups to find MX records (like sobig-f). This turned
> out not to be the case (well at least NAV failed to find any evidence of
> infection). All the packets I observed carry bytes of data (NULLs
> in the few packets I captured). There are also lots of packets being
> sent to 22.214.171.124 on udp 30467, again 8 bytes of data.
> Occasionally we see small incoming udp packets to this machine.
> My best guess now is that it is some sort of p2p protocol and the users are
> being coy with us because they know that their use is against university
> policy (unless they can convince us that they are not breaching
> anyone's copyright).
> Anyone got any ideas?
> Below are various relevant bits of data about the system and the
Earthstation5 (www.earthstation5.com) boasts about the ability to
use the DNS and NTP UDP ports to thwart University network
Gerry Sneeringer, CISSP
IT Security Officer
University of Maryland
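
An added detection example, not part of the original thread: the fixed DNS header is 12 bytes (RFC 1035), so the 8-byte NULL payloads described above cannot be DNS messages, and a structural check on UDP/53 payloads separates them from real lookups. The function names and the sample packets (RFC 5737 addresses) are constructed for illustration.

```python
import struct
from collections import Counter

DNS_HEADER_LEN = 12                   # RFC 1035: ID, flags, four 16-bit counts
ASSIGNED_OPCODES = (0, 1, 2, 4, 5, 6)  # IANA-assigned DNS opcodes


def dns_sanity(payload: bytes) -> str:
    """Return 'ok' if payload is structurally plausible DNS, else a reason."""
    if len(payload) < DNS_HEADER_LEN:
        return "shorter than DNS header"
    _id, flags, qd, _an, _ns, _ar = struct.unpack("!6H", payload[:DNS_HEADER_LEN])
    opcode = (flags >> 11) & 0xF
    if opcode not in ASSIGNED_OPCODES:
        return "unassigned opcode"
    if opcode == 0 and qd == 0:
        return "standard query/response with no question"
    off = DNS_HEADER_LEN
    for _ in range(qd):
        while True:                    # walk the QNAME labels
            if off >= len(payload):
                return "question runs past end of payload"
            length = payload[off]
            if length == 0:            # root label ends the name
                off += 1
                break
            if length & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
                off += 2
                break
            if length > 63:
                return "label longer than 63 bytes"
            off += 1 + length
        off += 4                       # QTYPE + QCLASS
        if off > len(payload):
            return "question runs past end of payload"
    return "ok"


def suspicious_sources(packets):
    """Count, per source IP, UDP/53 payloads that fail the DNS sanity check."""
    hits = Counter()
    for src, dport, payload in packets:
        if dport == 53 and dns_sanity(payload) != "ok":
            hits[src] += 1
    return hits


# Constructed sample traffic: one real-looking query, then 8-byte NULL payloads.
QUERY = (struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)
         + b"\x07example\x03com\x00" + struct.pack("!2H", 1, 1))
SAMPLE = [("192.0.2.10", 53, QUERY), ("192.0.2.20", 53, b"\x00" * 8),
          ("192.0.2.20", 53, b"\x00" * 8), ("192.0.2.20", 30467, b"\x00" * 8)]
```

The check is structural only, so traffic that wraps its data in well-formed DNS messages passes it; per-source volume and destination diversity remain useful alongside it.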