ISP DNS server is UPD port scanning my DNS server?

mpolce2
Level 1

Hi,

I have been seeing reports from my IDS4210 that one of our ISP's DNS servers is scanning our DNS server. The signatures look like this:

evAlert: eventId=1059933097389457874 severity=high
  originator:
    hostId: MAPCI-InetSensor-1
    appName: sensorApp
    appInstanceId: 916
  time: 2003/10/03 06:52:36 2003/10/03 02:52:36 EST
  interfaceGroup: 0
  vlan: 0
  signature: sigId=4003 sigName=Nmap UDP Port Sweep subSigId=0 version=S37
  participants:
    attack:
      attacker:
        addr: locality=OUT 24.92.226.12
        port: 53
      victim:
        addr: locality=OUT 207.198.45.102
        port: 30005
        port: 30007
        port: 30009
        port: 30011
        port: 30013
        port: 30015
        port: 30017
        port: 30019

Now, a little while later I will see another alert that shows the next range of ports like this:

evAlert: eventId=1059933097389457875 severity=high
  originator:
    hostId: MAPCI-InetSensor-1
    appName: sensorApp
    appInstanceId: 916
  time: 2003/10/03 07:07:38 2003/10/03 03:07:38 EST
  interfaceGroup: 0
  vlan: 0
  signature: sigId=4003 sigName=Nmap UDP Port Sweep subSigId=0 version=S37
  participants:
    attack:
      attacker:
        addr: locality=OUT 24.92.226.12
        port: 53
      victim:
        addr: locality=OUT 207.198.45.102
        port: 30180
        port: 30182
        port: 30184
        port: 30186
        port: 30188
        port: 30190
        port: 30192
        port: 30194

My question is: is this normal? I realize it is on port 53, which is DNS related, but what the heck are they doing?

Thanks,

Dan

2 Replies

mcerha
Level 3

This is completely benign traffic. Your DNS server is apparently forwarding lots of different queries to the ISP DNS server. This is a common setup. The sensor is mistaking the numerous replies from the ISP DNS server as a port scan. This is a known benign trigger. You can eliminate these by filtering out your ISP DNS server as a source for signature 4003.
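The mechanism described in the reply above, as an added example that is not part of the original thread and not Cisco's signature logic: a local resolver forwards each query upstream from a fresh ephemeral source port, and the upstream server answers every one of them from UDP/53, so a stateless rule that counts "distinct destination ports per source" sees exactly the pattern of a UDP port sweep. The script below runs a naive stateless sweep rule and a stateful variant (which discards datagrams that are replies to an outbound datagram already seen) over constructed flow records. The addresses reuse the roles from the thread (207.198.45.102 as the local resolver, 24.92.226.12 as the upstream), but every packet, the 198.51.100.7 scanner address, the thresholds and the 2-second reply timeout are assumptions made for the example. It also goes one step beyond the thread: the last scenario shows why a source-address exclusion for signature 4003 is blind to probes that spoof the upstream resolver's address, whereas the stateful check is not.

```python
"""Added example: why upstream DNS answers trip a stateless UDP 'port sweep'
rule, and how matching replies to outbound queries removes the false positive.
All traffic below is constructed; nothing here is captured data."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class UdpPacket:
    ts: float      # seconds, relative
    src: str
    sport: int
    dst: str
    dport: int


# Constructed addresses mirroring the roles in the thread.
LOCAL_RESOLVER = "207.198.45.102"   # our forwarding DNS server (the alert's "victim")
ISP_RESOLVER = "24.92.226.12"       # the upstream it forwards to (the alert's "attacker")
PROBER = "198.51.100.7"             # assumed documentation-range address for a real scanner


def forwarder_traffic(n: int = 8, first_port: int = 30005) -> list[UdpPacket]:
    """Constructed: the local resolver sends n forwarded queries upstream, each
    from a new ephemeral source port, and the upstream answers each from port 53."""
    pkts = []
    for i in range(n):
        eph = first_port + 2 * i                  # ports stepping by 2, as in the alerts
        t = float(i)
        pkts.append(UdpPacket(t, LOCAL_RESOLVER, eph, ISP_RESOLVER, 53))         # query out
        pkts.append(UdpPacket(t + 0.02, ISP_RESOLVER, 53, LOCAL_RESOLVER, eph))  # answer back
    return pkts


def real_sweep(src: str = PROBER, n: int = 8, first_port: int = 30005) -> list[UdpPacket]:
    """Constructed: unsolicited probes to consecutive UDP ports, sent from source
    port 53 so that they resemble DNS answers on the wire."""
    return [UdpPacket(i * 0.01, src, 53, LOCAL_RESOLVER, first_port + i) for i in range(n)]


def naive_sweep_sources(pkts: list[UdpPacket], threshold: int = 5) -> set[str]:
    """Stateless rule: flag any source that sends UDP to >= threshold distinct
    ports on one host. This is the shape of logic that mistakes a burst of
    DNS answers for a sweep."""
    ports: dict[tuple[str, str], set[int]] = defaultdict(set)   # (src, dst) -> dports
    for p in pkts:
        ports[(p.src, p.dst)].add(p.dport)
    return {src for (src, _dst), dports in ports.items() if len(dports) >= threshold}


def stateful_sweep_sources(pkts: list[UdpPacket], threshold: int = 5,
                           reply_timeout: float = 2.0) -> set[str]:
    """Same counting rule, but a datagram whose 4-tuple is the reverse of an
    outbound datagram seen within reply_timeout is a solicited reply and is
    not counted. Packets are processed in timestamp order."""
    outstanding: dict[tuple[str, int, str, int], float] = {}   # 4-tuple -> send time
    ports: dict[tuple[str, str], set[int]] = defaultdict(set)
    for p in sorted(pkts, key=lambda x: x.ts):
        reverse = (p.dst, p.dport, p.src, p.sport)
        sent_at = outstanding.get(reverse)
        if sent_at is not None and p.ts - sent_at <= reply_timeout:
            del outstanding[reverse]      # answers a datagram we saw leave: solicited
            continue
        outstanding[(p.src, p.sport, p.dst, p.dport)] = p.ts
        ports[(p.src, p.dst)].add(p.dport)
    return {src for (src, _dst), dports in ports.items() if len(dports) >= threshold}


def report() -> dict[str, dict[str, set[str]]]:
    """Run both rules over three constructed scenarios. The third one applies the
    thread's remedy (exclude the upstream resolver's address from the rule) to
    probes that spoof that address, to show what the exclusion cannot see."""
    excluded = {ISP_RESOLVER}
    scenarios = {
        "forwarder replies": forwarder_traffic(),
        "real sweep": real_sweep(),
        "sweep spoofing upstream address": real_sweep(src=ISP_RESOLVER, first_port=40000),
    }
    out = {}
    for name, pkts in scenarios.items():
        out[name] = {
            "naive": naive_sweep_sources(pkts),
            "naive + source exclusion": naive_sweep_sources(pkts) - excluded,
            "stateful": stateful_sweep_sources(pkts),
        }
    return out


if __name__ == "__main__":
    for name, results in report().items():
        print(name)
        for rule, sources in results.items():
            print(f"  {rule:26s} -> {sorted(sources) or 'no alert'}")
```

The stateful version is what a sensor would need in order to tell an answer from a probe without an address-based exclusion; the trade-off is that it only works where the sensor sees both directions of the traffic, which on a single monitoring interface in front of the resolver is usually the case.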

Mcerha,

Thanks for the info. This makes sense and I will adjust accordingly. I am really just getting started with using the CSIDS sensor and want to make sure I understand what is going on.

Dan