Hello! About a month ago, I started getting intrusion detection (all port scan attack) from our external DNS servers. The log shows: 2003-09-11 17:53:04 205.151.222.250 207.253.44.2 Udp 53 61396 BLOCKED 207.253.44.2 I get about 15 alerts a day. I contacted the ISP that tells me the problem appears when they try to do a query for their own clients. I was under the impression the DNS queries must be made using UDP port 53 in AND out. In this case, they are trying to get in using port 61396 (it is random but always above 60000). Any insights? Fred ______________________________ Frédéric Giroux Administrateur réseau CyberCap fgiroux@xxxxxxxxxxxxxx http://www.cybercap.qc.ca 33 rue Prince Suite 301 Montréal, Qc H3C 2M7 (514) 861-7700 poste 303 Fax : (514) 861-7700