[unisog] odd traffic on udp 53 (variation on thread)

Clarke Morledge chmorl at wm.edu
Sat Oct 18 03:24:11 GMT 2003

I don't think I've got the same thing going on udp port 53, but I am
seeing some awfully weird stuff with DNS.

We are seeing huge spikes of DNS queries from our official campus DNS
servers querying other DNS servers upstream.   From several hundred DNS
queries every 10 to 30 minutes or so to around 10,000 or more during the
same time period.  The sheer quantity bothers me.  These DNS storms last
about an hour before they die off.

But the most annoying part is that they are DoS'ing my PIX firewall.  The
huge surge of UDP "connections" burns up all of the resources on the PIX
-- pegging the CPU (running PIX version 6.3).

Is anybody seeing anything like this?

Clarke Morledge
College of William and Mary
Information Technology - Network Engineering
Jones Hall (Room 18)
Williamsburg VA 23187
chmorl at wm.edu

On Wed, 8 Oct 2003, Gerry Sneeringer wrote:

> On Wed, 8 Oct 2003, Russell Fulton wrote:
> > Hi All,
> > 	Over the last few days I've spotted three or four systems doing lots of
> > traffic on udp port 53.  My first thought was that this was some worm or
> > trojan doing DNS lookups to find MX records (like sobig-f).  This turned
> > out not to be the case (well at least NAV failed to find any evidence of
> > infection).  All the packets I observed carry bytes of data (NULLs
> > in the few packets I captured).  There are also lots of packets being
> > sent to udp 30467, again 8 bytes of data.
> >
> > Occasionally we see small incoming udp packets to this machine.
> >
> > My best guess now is that it is some sort of p2p protocol and the users are
> > being coy with us because they know that their use is against university
> > policy (unless they can convince us that they are not breaching
> > anyone's copyright).
> >
> > Anyone got any ideas?
> >
> > Below are various relevant bits of data about the system and the
> > traffic.
> Earthstation5 (www.earthstation5.com) boasts about the ability to
> use the DNS and NTP UDP ports to thwart University network
> administrators.
> -Gerry
> ---
> Gerry Sneeringer, CISSP
> IT Security Officer
> University of Maryland

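A small detector for the two symptoms discussed in this thread (8-byte NUL payloads on udp/53 that cannot be DNS, and query-count storms from the campus resolvers), added here as an example and not code from any of the posters; the addresses, the 10-minute window and the per-window threshold are constructed assumptions.

```python
# Added example (not from the unisog thread). Flags UDP/53 payloads that cannot be
# DNS (shorter than the 12-byte DNS header, or all NUL bytes, like the 8-byte NULL
# packets described above) and flags per-window query-count spikes from resolvers.
from collections import Counter

DNS_HEADER_LEN = 12      # RFC 1035 header: ID, flags, QD/AN/NS/AR counts
WINDOW_SECONDS = 600     # 10-minute buckets, matching the poster's interval

def looks_like_dns(payload: bytes) -> bool:
    """Heuristic: payload is at least a DNS header with a non-zero QDCOUNT."""
    if len(payload) < DNS_HEADER_LEN:
        return False
    if not any(payload):            # all-NUL payload is not a real DNS message
        return False
    qdcount = int.from_bytes(payload[4:6], "big")
    return qdcount > 0

def suspicious_udp53(records):
    """Return (src, dst, payload_len) for udp/53 packets that are not DNS-shaped."""
    return [(src, dst, len(p)) for ts, src, dst, dport, p in records
            if dport == 53 and not looks_like_dns(p)]

def query_spikes(records, resolvers, threshold):
    """Count udp/53 packets per resolver per window; return windows over threshold."""
    counts = Counter()
    for ts, src, dst, dport, p in records:
        if dport == 53 and src in resolvers:
            counts[(src, ts // WINDOW_SECONDS * WINDOW_SECONDS)] += 1
    return sorted((src, w, n) for (src, w), n in counts.items() if n > threshold)

# Constructed sample traffic: records are (timestamp, src, dst, dport, payload).
QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"   # header, QDCOUNT=1
         + b"\x03www\x02wm\x03edu\x00\x00\x01\x00\x01")       # www.wm.edu A IN
NULLS = b"\x00" * 8                                             # 8 NUL bytes, as in the thread
RESOLVERS = {"10.0.0.53"}                                       # hypothetical campus resolver
SAMPLE = (
    [(t, "10.0.0.53", "192.0.2.1", 53, QUERY) for t in range(0, 600, 2)]          # 300/window: normal
    + [(600 + t // 5, "10.0.0.53", "192.0.2.1", 53, QUERY) for t in range(3000)]  # 3000/window: storm
    + [(1500, "10.0.0.7", "198.51.100.9", 53, NULLS)]        # client host sending NULs on udp/53
    + [(1501, "10.0.0.7", "198.51.100.9", 30467, NULLS)]     # not udp/53, ignored by these checks
)

if __name__ == "__main__":
    print("non-DNS on udp/53:", suspicious_udp53(SAMPLE))
    print("resolver query storms:", query_spikes(SAMPLE, RESOLVERS, 1000))
```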