ISP DNS server is UDP port scanning my DNS server?
10-04-2003 08:01 AM - edited 03-09-2019 05:02 AM
Hi,
I have been seeing reports from my IDS4210 that one of our ISPs DNS server is scanning our DNS server. The signatures look like this:
evAlert: eventId=1059933097389457874 severity=high
originator:
hostId: MAPCI-InetSensor-1
appName: sensorApp
appInstanceId: 916
time: 2003/10/03 06:52:36 2003/10/03 02:52:36 EST
interfaceGroup: 0
vlan: 0
signature: sigId=4003 sigName=Nmap UDP Port Sweep subSigId=0 version=S37
participants:
attack:
attacker:
addr: locality=OUT 24.92.226.12
port: 53
victim:
addr: locality=OUT 207.198.45.102
port: 30005
port: 30007
port: 30009
port: 30011
port: 30013
port: 30015
port: 30017
port: 30019
Now, a little while later I will see another alert that shows the next range of ports like this:
evAlert: eventId=1059933097389457875 severity=high
originator:
hostId: MAPCI-InetSensor-1
appName: sensorApp
appInstanceId: 916
time: 2003/10/03 07:07:38 2003/10/03 03:07:38 EST
interfaceGroup: 0
vlan: 0
signature: sigId=4003 sigName=Nmap UDP Port Sweep subSigId=0 version=S37
participants:
attack:
attacker:
addr: locality=OUT 24.92.226.12
port: 53
victim:
addr: locality=OUT 207.198.45.102
port: 30180
port: 30182
port: 30184
port: 30186
port: 30188
port: 30190
port: 30192
port: 30194
My question is: is this normal? I realize it is on port 53, which is DNS related, but what the heck are they doing?
Thanks,
Dan
10-06-2003 10:11 PM
This is completely benign traffic. Your DNS server is apparently forwarding lots of different queries to the ISP DNS server. This is a common setup. The sensor is mistaking the numerous replies from the ISP DNS server as a port scan. This is a known benign trigger. You can eliminate these by filtering out your ISP DNS server as a source for signature 4003.
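The mechanism in this answer, as an added example that is not part of the thread: the local server forwards each query to the ISP resolver from a fresh ephemeral port, the ISP answers every one from port 53, and a stateless "distinct destination ports per source" counter sees the answers as a sweep. The traffic below is constructed (the two addresses and the 30005-30019 port pattern are taken from the first alert; the scanner address 198.51.100.7 and the trigger threshold of 5 ports are assumptions). It shows the source filter the answer recommends, and goes one step beyond the thread with a stateful variant that only counts unsolicited packets, so a real sweep is still caught.

```python
"""Why a forwarder's DNS replies look like a UDP port sweep, and two ways to stop the alert.

All traffic here is constructed, not captured. Packets are (src, sport, dst, dport)
tuples; only UDP is modelled.
"""
from collections import defaultdict

LOCAL_DNS = "207.198.45.102"   # from the thread: the "victim" in the alert
ISP_DNS = "24.92.226.12"       # from the thread: the "attacker" in the alert
SCANNER = "198.51.100.7"       # constructed: a host that really does probe ports
THRESHOLD = 5                  # assumed trigger: distinct destination ports from one source


def forwarded_dns_traffic():
    """Eight forwarded queries and their answers, using the port pattern of the first alert."""
    pkts = []
    for sport in range(30005, 30020, 2):
        pkts.append((LOCAL_DNS, sport, ISP_DNS, 53))   # query out, ephemeral source port
        pkts.append((ISP_DNS, 53, LOCAL_DNS, sport))   # answer back from port 53
    return pkts


def real_sweep_traffic():
    """Unsolicited probes: nothing from LOCAL_DNS was ever sent to SCANNER first."""
    return [(SCANNER, 40000, LOCAL_DNS, dport) for dport in range(30005, 30020, 2)]


def naive_sweep_detector(pkts, threshold=THRESHOLD):
    """Stateless heuristic: count distinct destination ports per (src, dst) pair.

    This is the behaviour that produces the false positive: the ISP resolver
    reaches 8 different ports on LOCAL_DNS, so it is reported as a sweeper.
    """
    ports = defaultdict(set)
    for src, _sport, dst, dport in pkts:
        ports[(src, dst)].add(dport)
    return {src for (src, _dst), p in ports.items() if len(p) >= threshold}


def source_filtered_detector(pkts, excluded_sources, threshold=THRESHOLD):
    """The fix the answer recommends: exclude the known resolver as a source before counting."""
    kept = [p for p in pkts if p[0] not in excluded_sources]
    return naive_sweep_detector(kept, threshold)


def stateful_detector(pkts, threshold=THRESHOLD):
    """Alternative (an assumption here, not something the thread describes): remember
    outbound requests and ignore packets that answer one, so only unsolicited
    packets count toward the sweep threshold."""
    requests = set()
    ports = defaultdict(set)
    for src, sport, dst, dport in pkts:
        if (dst, dport, src, sport) in requests:
            continue                      # reply to something we sent: not a probe
        requests.add((src, sport, dst, dport))
        ports[(src, dst)].add(dport)
    return {src for (src, _dst), p in ports.items() if len(p) >= threshold}


if __name__ == "__main__":
    traffic = forwarded_dns_traffic() + real_sweep_traffic()
    print("naive:   ", naive_sweep_detector(traffic))                     # ISP and scanner
    print("filtered:", source_filtered_detector(traffic, {ISP_DNS}))      # scanner only
    print("stateful:", stateful_detector(traffic))                        # scanner only
```

The source filter is the cheap fix and matches what the sensor offers; its cost is that a genuine sweep from the resolver's address would also be ignored, which is why correlating replies with outbound requests is the more precise option where the sensor supports it.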
10-07-2003 04:13 AM
Mcerha,
Thanks for the info. This makes sense and I will adjust accordingly. I am really just getting started with using the CSIDS sensor and want to make sure I understand what is going on.
Dan
