[Snort-users] [**] MISC source port 53 to <1023 [**]

Phil Wood cpw at ...440...
Wed Mar 14 22:37:21 EST 2001


On Wed, Mar 14, 2001 at 08:33:45PM -0500, Erik Fichtner wrote:
> On Wed, Mar 14, 2001 at 04:30:21PM -0800, Ian Campbell wrote:
> > Can anyone give me more info on this particular rule or the details of any
> > exploits it's supposed to catch?
> 
> If you had a stateless firewall, say something like a bunch of cisco router
> access-lists, you would probably allow queries from some machines to port 53,
> because you would want to make DNS requests..  And since your packet filter
> would be stateless, you would want to allow replies from the nameservers,
> which is using source port 53.  
> 
> Right?
> 
> Okay.. so this sort of thing was conceived back in the day when you could be
> fairly certain that the Average Guy couldn't come along and craft a custom
> packet.  But now, Average Guy can create all manner of crap on the wire, and
> making his packets claim to be from port 53 might just get them through your
> wimpy stateless firewall, if you happen to have that.
> 
> And thus, why there's a rule to catch that kind of thing...  Except that
> it falses a lot.

Around 32% of all alerts for today fall into the port 53 to 137.  I know for
a fact that the destination hosts (in our address space) are not sending packets
from 137 to 53.  One might classify it as a braindead DOS on our infrastructure.  But, there just aren't enough of them.  My guess is that some newbie net
admin has used our address space for some network behind a broken nat that
is exuding packets from our address space which these poor nameservers get
to reply to.  (Our network address is 192.16.1.0/24)  Maybe the newbie dropped
the 8 from 168.

 IP                     Hostname                            Occurrences
 139.175.10.20          ksdns.seed.net.tw                   63
 148.235.0.19           customer-148-235-0-19.uninet.net.mx 18
 165.87.194.244         ns1.us.prserv.net                   18
 199.182.120.203        ns1.ix.netcom.com                    3
 207.206.192.1          dns1.dwx.com                         3
 207.206.192.2          dns2.dwx.com                         3

>  
> - -- 
> Erik Fichtner
> Security Administrator, ServerVault, Inc.
> 703-333-5900
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users

-- 
Phil Wood, cpw at ...440...
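A small triage script of the kind Phil's table implies, added here as an example and not part of the thread: it parses constructed alert lines shaped like Snort's one-line "fast" alert output (the exact layout is an assumption), computes this rule's share of all alerts, tallies hits per source nameserver and destination port, and checks that every destination falls inside the stated /24.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the shape of Snort's one-line "fast" alert output
# (timestamp, rule message between [**], protocol, src:port -> dst:port).
SAMPLE_ALERTS = """\
03/14-10:01:02.100000 [**] MISC source port 53 to <1023 [**] {UDP} 139.175.10.20:53 -> 192.16.1.10:137
03/14-10:01:02.200000 [**] MISC source port 53 to <1023 [**] {UDP} 139.175.10.20:53 -> 192.16.1.11:137
03/14-10:02:15.300000 [**] MISC source port 53 to <1023 [**] {UDP} 148.235.0.19:53 -> 192.16.1.12:137
03/14-10:03:40.400000 [**] ICMP Destination Unreachable [**] {ICMP} 10.9.8.7 -> 192.16.1.10
03/14-10:04:01.500000 [**] MISC source port 53 to <1023 [**] {UDP} 165.87.194.244:53 -> 192.16.1.20:53
03/14-10:05:09.600000 [**] WEB-MISC /etc/passwd [**] {TCP} 10.1.2.3:4444 -> 192.16.1.80:80
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+(?P<msg>.+?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)
RULE_MSG = "MISC source port 53 to <1023"

def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["sport"] = int(d["sport"]) if d["sport"] else None
    d["dport"] = int(d["dport"]) if d["dport"] else None
    return d

def triage_port53(text, our_net):
    """Summarise the source-port-53 alerts the way the thread does: share of all
    alerts, hits per (source IP, destination port), and whether the targets
    really sit inside our_net."""
    net = ipaddress.ip_network(our_net)
    alerts = [a for a in map(parse_alert, text.splitlines()) if a]
    hits = [a for a in alerts if a["msg"] == RULE_MSG]
    by_src_dport = Counter((a["src"], a["dport"]) for a in hits)
    # A DNS "reply" aimed at port 137 (NetBIOS name service) cannot be answering a
    # query our hosts sent; 53 -> 53 is at least plausible as a server-to-server reply.
    odd_port = sum(n for (_, dport), n in by_src_dport.items() if dport != 53)
    in_net = all(ipaddress.ip_address(a["dst"]) in net for a in hits)
    return {
        "share": round(100.0 * len(hits) / len(alerts), 1) if alerts else 0.0,
        "by_src_dport": dict(by_src_dport),
        "reply_to_non_dns_port": odd_port,
        "all_dst_in_our_net": in_net,
    }

if __name__ == "__main__":
    print(triage_port53(SAMPLE_ALERTS, "192.16.1.0/24"))
```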
