DNS UDP port 0 activity
Hooker, Bruce
BruceH at DIS.WA.GOV
Tue Sep 5 17:07:59 UTC 2000
jc: It is UDP .... destination port 0.
> -----Original Message-----
> From: Jean-Christophe Smith [SMTP:jsmith at publichost.com]
> Sent: Friday, September 01, 2000 4:58 PM
> To: 'Hooker, Bruce '; 'bind-users at isc.org '
> Subject: RE: DNS UDP port 0 activity
>
> Sounds like a scan of some sort. Was it a TCP or UDP packet? If TCP, were
> the SYN and FIN flags set? (This is a popular type of scan that hackers use
> to detect what OS you're running.) The reason the destination port was 53 was
> because:
> A. Many firewalls are configured to just allow DNS traffic through (Some
> inexperienced admins have difficulty getting firewalls to play nicely with
> DNS)
> B. Most admins will think it's normal DNS traffic
>
> I believe sending the SYN/FIN packet to port 0 creates anomalies on
> different OSes that can be used to determine OS type remotely.
>
> just a theory,
>
> -jc (jsmith at internet-security.com)
>
> -----Original Message-----
> From: Hooker, Bruce
> To: bind-users at isc.org
> Sent: 9/1/00 3:57 PM
> Subject: DNS UDP port 0 activity
>
> Howdy Folks,
>
> The staff who support the firewalls at my site have asked
> if I know anything about DNS/BIND sending queries from
> port 53 to port 0.
>
> Most of the DNS traffic monitored is the normal port 53 to
> port 53 and high ports to port 53 but a significant amount
> has a destination port of zero (0).
>
> Our firewall is Firewall-1 from Checkpoint.
>
> Any ideas?
>
> Bruce Hooker