[Snort-users] [**] MISC source port 53 to <1023 [**]
cpw at ...440...
Wed Mar 14 22:37:21 EST 2001
On Wed, Mar 14, 2001 at 08:33:45PM -0500, Erik Fichtner wrote:
> On Wed, Mar 14, 2001 at 04:30:21PM -0800, Ian Campbell wrote:
> > Can anyone give me more info on this particular rule or the details of any
> > exploits it's supposed to catch?
> If you had a stateless firewall, say something like a bunch of cisco router
> access-lists, you would probably allow queries from some machines to port 53,
> because you would want to make DNS requests.. And since your packet filter
> would be stateless, you would want to allow replies from the nameservers,
> which is using source port 53.
> Okay.. so this sort of thing was conceived back in the day when you could be
> fairly certain that the Average Guy couldn't come along and craft a custom
> packet. But now, Average Guy can create all manner of crap on the wire, and
> making his packets claim to be from port 53 might just get them through your
> wimpy stateless firewall, if you happen to have that.
> And thus, why there's a rule to catch that kind of thing... Except that
> it falses a lot.
Around 32% of all alerts for today fall into the port 53 to 137. I know for
a fact that the destination hosts (in our address space) are not sending packets
from 137 to 53. One might classify it as a braindead DOS on our infrastructure. But, there just aren't enough of them. My guess is that some newbie net
admin has used our address space for some network behind a broken nat that
is exuding packets from our address space which these poor nameservers get
to reply to. (Our network address is 184.108.40.206/24) Maybe the newbie dropped
the 8 from 168.
IP               Hostname                               Occurrences
220.127.116.11   ksdns.seed.net.tw                      63
18.104.22.168    customer-148-235-0-19.uninet.net.mx    18
22.214.171.124   ns1.us.prserv.net                      18
126.96.36.199    ns1.ix.netcom.com                       3
188.8.131.52     dns1.dwx.com                            3
184.108.40.206   dns2.dwx.com                            3
> - --
> Erik Fichtner
> Security Administrator, ServerVault, Inc.
Phil Wood, cpw at ...440...
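The point Erik makes in the quoted reply (a stateless ACL that admits anything from source port 53, a signature that fires on source port 53 to a privileged port, and the resulting false positives) can be shown with a small simulation. The following is an added example written for this archive page; it is not code from the thread, from Snort, or from either poster. The rule is a paraphrase of the "MISC source port 53 to <1023" check as Erik describes it, not a copy of the rules file; the addresses are documentation prefixes (192.0.2.0/24 stands in for "our address space") and the packets are constructed, including one modelled on the 53-to-137 pattern Phil reports.

```python
"""Stateless vs stateful handling of packets that claim source port 53.

Added example for the Snort-users thread above, not code from the thread,
from Snort, or from either poster. The packets are constructed 5-tuples.
"""
from collections import namedtuple

Packet = namedtuple("Packet", "proto src_ip src_port dst_ip dst_port")

# 192.0.2.0/24 is a documentation prefix standing in for "our address space".
INSIDE_NET = "192.0.2."


def snort_style_alert(pkt):
    """Paraphrase of the 'MISC source port 53 to <1023' check: any packet
    entering our space from source port 53 toward a privileged port."""
    return (pkt.dst_ip.startswith(INSIDE_NET)
            and pkt.src_port == 53 and pkt.dst_port < 1024)


def stateless_allows(pkt):
    """The stateless ACL from the thread: 'permit replies from the
    nameservers', implemented as nothing more than 'source port is 53'."""
    return pkt.dst_ip.startswith(INSIDE_NET) and pkt.src_port == 53


class StatefulFilter:
    """Admit a source-port-53 packet only if it answers a query we sent."""

    def __init__(self):
        self.pending = set()

    def saw_outbound(self, pkt):
        # Remember each query our hosts send to port 53.
        if pkt.src_ip.startswith(INSIDE_NET) and pkt.dst_port == 53:
            self.pending.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip))

    def allows_inbound(self, pkt):
        # A reply must mirror a pending query's addresses and client port.
        key = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip)
        if pkt.src_port == 53 and key in self.pending:
            self.pending.discard(key)   # one reply per query
            return True
        return False


def classify(outbound, inbound):
    """Run every inbound packet through the signature, the stateless ACL
    and the stateful filter; return one verdict dict per packet."""
    fw = StatefulFilter()
    for pkt in outbound:
        fw.saw_outbound(pkt)
    return [
        {"dst_port": pkt.dst_port,
         "alert": snort_style_alert(pkt),
         "stateless": stateless_allows(pkt),
         "stateful": fw.allows_inbound(pkt)}
        for pkt in inbound
    ]


# Constructed traffic (not captured data).
OUTBOUND = [
    Packet("udp", "192.0.2.10", 34567, "198.51.100.53", 53),  # stub resolver query
    Packet("udp", "192.0.2.53", 53, "198.51.100.53", 53),     # our nameserver querying from port 53
]
INBOUND = [
    Packet("udp", "198.51.100.53", 53, "192.0.2.10", 34567),  # genuine reply to the stub
    Packet("udp", "198.51.100.53", 53, "192.0.2.53", 53),     # genuine server-to-server reply
    Packet("udp", "198.51.100.53", 53, "192.0.2.10", 137),    # unsolicited reply, the 53-to-137 pattern
    Packet("tcp", "203.0.113.7", 53, "192.0.2.10", 22),       # crafted packet merely claiming source port 53
]


def demo():
    return classify(OUTBOUND, INBOUND)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The four rows show the whole discussion: the stub reply to a high port triggers nothing and passes both filters; the server-to-server reply to port 53 is legitimate, passes the stateful filter, and still fires the signature (the "falses a lot" case); the unsolicited reply to port 137 and the packet merely claiming source port 53 both fire the signature and are waved through by the stateless ACL, but are dropped by the stateful filter because no matching query was ever sent.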