Strange firewall entries udp53

O'Neil,Kevin oneil at oclc.org
Tue Nov 5 23:16:02 UTC 2002 


Simon...

"Benevolent ping used by SpeedEra.net to find closest cache for you."

Kevin Darcy was on the correct track.  See:

http://www.snort.org/snort-db/sid.html?id=3D480

I found it by doing a Google search "213.61.6.2".

This led me to http://www.laukas.com/snort/213/61/6/src213.61.6.2.html =
then
to=20
http://www.laukas.com/snort/sig/sigsid-480.html and then to the link =
above.

Almost all the IP addresses in your log are in the list there.

...Kevin O'Neil


-----Original Message-----
From: Simon Johnson [mailto:nomail at isc.org]
Sent: Monday, October 28, 2002 9:13 PM
To: comp-protocols-dns-bind at isc.org
Subject: Re: Strange firewall entries udp53


On Tue, 29 Oct 2002 00:30:21 GMT, Kevin Darcy hunched over the =
keyboard,
flexed their fingers and thumped:=20

[snip]

> Well, they look like they might be probes of some sort. Maybe someone
> sees -- don't ask me how -- that your address has started sending and
> receiving DNS packets and based on that information is probing you on
> the offchance that you're running a vulnerable version of BIND
> listening to external queries.
>=20
>=20
> - Kevin
>=20

I was a little rushed when describing the problem and didn't get across
all the required information.=20

The entries all appear in the firewall log at the same time (all within
one second). First I receive an ICMP echo request, 3 packets per host.
Next I receive a udp 53, 2 packets per host.=20

Given that 8 independent hosts send these packets at precisely the same
time, and on at least a daily basis, I don't think this is some sort of
idle probe. I have also observed that its not always the same hosts
sending these packets.=20

I'm not sure if I have something mis-configured somewhere, or if this =
is
expected behaviour for my configuration.=20

I guess the next step is to capture some of these packets and find out =
a
little more about what they are. I'll post up whatever I find.=20


--=20
Simon

Optus Cable Traffic Monitor
http://members.optusnet.com.au/trafficstats/arp/
037=B049'00"S	144=B058'00"E	GMT +10:00

More information about the bind-users mailing list