DNS port question

  • From: "Frederic Giroux" <fgiroux@xxxxxxxxxxxxxx>
  • To: "ISA Mailing list (E-mail)" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 11 Sep 2003 14:10:56 -0400

Hello!

About a month ago, I started getting intrusion detection alerts (all port scan attacks) from our external DNS servers.  The log shows:

2003-09-11      17:53:04        205.151.222.250 207.253.44.2    Udp     53      61396   BLOCKED 207.253.44.2


I get about 15 alerts a day.  I contacted the ISP, which tells me the problem appears when they try to do a query for their own clients.

I was under the impression that DNS queries must be made using UDP port 53 in AND out.  In this case, they are trying to get in using port 61396 (it is random but always above 60000).

        Any insights?

        Fred

______________________________ 
Frédéric Giroux
Administrateur réseau
CyberCap
 
fgiroux@xxxxxxxxxxxxxx 
http://www.cybercap.qc.ca
 
33 rue Prince
Suite 301
Montréal, Qc
H3C 2M7
 
(514) 861-7700 poste 303
Fax : (514) 861-7700
 

        

