All port scan attacks from DNS servers

  • From: "Becker1" <becker1@xxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 28 Nov 2001 13:06:21 -0800

ISA has been alerting me with port scan attacks originating from my DNS servers.
I contacted my provider and emailed them the IP log from ISA; here is their 
reply:

"Those are the replies to your DNS queries, sent to the UDP port that was the
source port for your query.

From RFC 2181:

4.2. Port Number Selection

Replies to all queries must be directed to the port from which they were
sent. When queries are received via TCP this is an inherent part of the
transport protocol. For queries received by UDP the server must take note of
the source port and use that as the destination port in the response.
Replies should always be sent from the port to which they were directed.
Except in extraordinary circumstances, this will be the well known port
assigned for DNS queries"

I'm looking for the reason why these DNS queries to my ISP are going out on 
ports like 2400 and up?

Here is an example of my log:

      #Fields: date  time      source-ip       destination-ip  protocol  Source Port  Dest Port
      11/28/2001     16:21:10  208.161.110.79  198.107.60.138  Udp       53           24161


Any takers?

John
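
The port matching the quoted RFC 2181 text describes can be checked against a firewall log. This is an added example, not part of the original post or of ISA Server: it pairs each inbound packet from source port 53 with an earlier outbound query from the same client port. The sample records (RFC 5737 addresses) and the 5-second reply window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records (RFC 5737 addresses), in the field order of the
# log above: date, time, source-ip, destination-ip, protocol, source port, dest port.
SAMPLE_LOG = """\
11/28/2001 16:21:09 192.0.2.10 198.51.100.53 Udp 24161 53
11/28/2001 16:21:10 198.51.100.53 192.0.2.10 Udp 53 24161
11/28/2001 16:21:12 192.0.2.10 198.51.100.53 Udp 24162 53
11/28/2001 16:21:12 198.51.100.53 192.0.2.10 Udp 53 24162
11/28/2001 16:25:00 203.0.113.7 192.0.2.10 Udp 53 1025
11/28/2001 16:25:00 203.0.113.7 192.0.2.10 Udp 53 1026
"""

REPLY_WINDOW = timedelta(seconds=5)  # assumed timeout for a pending query


def parse(line):
    date, time, src, dst, proto, sport, dport = line.split()
    ts = datetime.strptime(f"{date} {time}", "%m/%d/%Y %H:%M:%S")
    return ts, src, dst, proto.lower(), int(sport), int(dport)


def classify(log_text):
    """Label each inbound packet from source port 53 as a solicited DNS reply
    (matches a recent outbound query) or as unsolicited."""
    pending = {}   # (client ip, client port, server ip) -> time of the query
    results = []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, proto, sport, dport = parse(line)
        if proto != "udp":
            continue
        if dport == 53:
            # Outbound query: remember the ephemeral source port it used.
            pending[(src, sport, dst)] = ts
        elif sport == 53:
            # RFC 2181 4.2: the reply goes back to the query's source port.
            asked = pending.pop((dst, dport, src), None)
            ok = asked is not None and ts - asked <= REPLY_WINDOW
            results.append((src, dport, "reply" if ok else "unsolicited"))
    return results


if __name__ == "__main__":
    for src, port, verdict in classify(SAMPLE_LOG):
        print(f"{src} -> port {port}: {verdict}")
```

Packets labelled "reply" are answers to queries the client itself sent; only the "unsolicited" ones, which arrive from port 53 without a matching query, warrant a closer look.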
