[Snort-users] [**] MISC source port 53 to <1023 [**]

Phil Wood cpw at ...440...
Wed Mar 14 22:37:21 EST 2001

On Wed, Mar 14, 2001 at 08:33:45PM -0500, Erik Fichtner wrote:
> On Wed, Mar 14, 2001 at 04:30:21PM -0800, Ian Campbell wrote:
> > Can anyone give me more info on this particular rule or the details of any
> > exploits it's supposed to catch?
> If you had a stateless firewall, say something like a bunch of cisco router
> access-lists, you would probably allow queries from some machines to port 53,
> because you would want to make DNS requests..  And since your packet filter
> would be stateless, you would want to allow replies from the nameservers,
> which is using source port 53.  
> Right?
> Okay.. so this sort of thing was conceived back in the day when you could be
> fairly certain that the Average Guy couldn't come along and craft a custom
> packet.  But now, Average Guy can create all manner of crap on the wire, and
> making his packets claim to be from port 53 might just get them through your
> wimpy stateless firewall, if you happen to have that.
> And thus, why there's a rule to catch that kind of thing...  Except that
> it falses a lot.

Around 32% of all alerts for today fall into the port 53 to 137.  I know for
a fact that the destination hosts (in our address space) are not sending packets
from 137 to 53.  One might classify it as a braindead DOS on our infrastructure.
But, there just aren't enough of them.  My guess is that some newbie net
admin has used our address space for some network behind a broken nat that
is exuding packets from our address space which these poor nameservers get
to reply to.  (Our network address is  Maybe the newbie dropped
the 8 from 168.

 IP          Hostname                              Occurrences
             ksdns.seed.net.tw                     63
             customer-148-235-0-19.uninet.net.mx   18
             ns1.us.prserv.net                     18
             ns1.ix.netcom.com                      3
             dns1.dwx.com                           3
             dns2.dwx.com                           3

> - -- 
> Erik Fichtner
> Security Administrator, ServerVault, Inc.
> 703-333-5900
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users

Phil Wood, cpw at ...440...
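One way to reproduce the triage Phil describes above (what share of the day's alerts are this rule landing on port 137, and which nameservers they come from), as an added example that is not from the original thread. It assumes a simplified Snort fast-alert line layout (timestamp, message between [**] markers, then src:port -> dst:port) and runs over constructed sample lines using documentation address ranges.

```python
import re
from collections import Counter

# Constructed sample alert lines (not from the original post); the
# addresses are documentation ranges and the line layout is assumed.
SAMPLE_ALERTS = """\
03/14-10:01:02.000001 [**] MISC source port 53 to <1023 [**] 203.0.113.5:53 -> 192.0.2.10:137
03/14-10:01:03.000001 [**] MISC source port 53 to <1023 [**] 203.0.113.5:53 -> 192.0.2.11:137
03/14-10:01:04.000001 [**] MISC source port 53 to <1023 [**] 198.51.100.7:53 -> 192.0.2.10:137
03/14-10:01:05.000001 [**] MISC source port 53 to <1023 [**] 198.51.100.9:53 -> 192.0.2.12:22
03/14-10:01:06.000001 [**] ICMP Destination Unreachable [**] 192.0.2.1 -> 192.0.2.10
03/14-10:01:07.000001 [**] MISC source port 53 to <1023 [**] 203.0.113.5:53 -> 192.0.2.13:137
"""

# Ports are optional so that port-less alerts (e.g. ICMP) still parse.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] (?P<msg>.+?) \[\*\*\] "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

def parse_alerts(text):
    """Yield one dict per well-formed alert line; malformed lines are skipped."""
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            yield m.groupdict()

def triage_port53(text, msg="MISC source port 53 to <1023", noisy_dport="137"):
    """Return (share, per_source) for the given rule message.

    share      - fraction of ALL alerts that are this rule hitting noisy_dport
                 (the "32% of alerts are 53 -> 137" style figure).
    per_source - (source address, count) for every alert of this rule, most
                 frequent first, so a few nameservers replying into the
                 address space stand out from a one-off spoofed packet.
    """
    alerts = list(parse_alerts(text))
    hits = [a for a in alerts if a["msg"] == msg]
    noisy = [a for a in hits if a["dport"] == noisy_dport]
    share = len(noisy) / len(alerts) if alerts else 0.0
    per_source = Counter(a["src"] for a in hits).most_common()
    return share, per_source

if __name__ == "__main__":
    share, per_source = triage_port53(SAMPLE_ALERTS)
    print(f"53 -> 137 share of all alerts: {share:.0%}")
    for src, n in per_source:
        print(f"{src:20} {n}")
```

A rule that is dominated by a handful of real nameservers replying to port 137 points at misrouted replies (the broken-NAT theory), whereas a single source hitting many low ports would be the crafted-packet case the rule was written for.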
