OT: Please excuse the noise

Kevin Oberman oberman at es.net
Mon Aug 18 23:34:08 CDT 2008


> From: "Joe Blanchard" <joe at sumless.net>
> Date: Mon, 18 Aug 2008 23:50:08 -0400
> 
> 
> I'm dealing with Hughesnet and have observed the following issue:
> 
> SOA is me for testing 72.169.156.122
> 
> Upstream router seems to be a public IP 
> Number:      	15942
> Date:            	18Aug2008
> Time:           	23:03:21
> Product:       	FireWall-1
> Interface:     	eth0
> Origin:         	rockgate (192.168.1.1)
> Type:           	Log
> Action:         	Accept
> Protocol:      	udp
> Service:       	2016
> Source:        	upstream_router (72.169.156.121)
> Destination: 	Firewall_external (72.169.156.122)
> Rule:            	10
> Source Port:	domain-udp (53)
> 
> 
> Problem is that target port is not 53, in other words asking for a DNS
> response on an odd port while sourcing port 53.
> Is this normal, am I missing something that a bigger ISP knows? This would
> be Hughesnet. So I should be concerned? I have a ticket opened with them,
> #15048812 but am getting the run around with them. 
> I understand that the normal recourse is to "Reboot the modem" but in this
> case I think it's a bit more than that. 
> Can anyone point me in the right direction? Thanks in advance,

Are they asking for a DNS or is this a reply? 

Replies are from 53 to an ephemeral destination. If your firewall is set
up correctly and not losing state too quickly for DNS responses, this may
be backscatter. I see a bit of this from time to time and dark space
monitoring systems see a lot of it. With the cache poisoning attacks,
I'd expect to see more of it.
-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman at es.net			Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751
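
A sketch of the check this reply describes, added here as an example and not part of the original message: it pairs packets sourced from port 53 with earlier outbound queries and labels the rest as unsolicited. The sample records are constructed, `Service` is treated as the destination port as the quoted post does, and the 40-second window is an assumed state timeout.

```python
import re
WINDOW = 40  # assumed UDP state timeout in seconds; substitute your firewall's value

def _val(field):
    """'domain-udp (53)' -> '53'; 'host (192.0.2.1)' -> '192.0.2.1'; '2016' -> '2016'."""
    m = re.search(r"\(([^)]+)\)\s*$", field)
    return m.group(1) if m else field.strip()

def parse(text):
    """Yield one dict per blank-line-separated block of 'Key: value' lines."""
    for block in re.split(r"\n\s*\n", text.strip()):
        yield dict(re.split(r":\s*", ln, maxsplit=1) for ln in block.splitlines() if ":" in ln)

def classify(text, window=WINDOW):
    """Label each UDP record: query, solicited, late, unsolicited or not-dns."""
    queries, out = {}, []  # queries: (client_ip, client_port, server_ip) -> send time
    for r in parse(text):
        if r.get("Protocol") != "udp":
            continue
        h, m, s = map(int, r["Time"].split(":"))
        t = h * 3600 + m * 60 + s  # same-day timestamps assumed
        src, dst = _val(r["Source"]), _val(r["Destination"])
        sport, dport = int(_val(r["Source Port"])), int(_val(r["Service"]))
        if dport == 53:
            queries[(src, sport, dst)] = t
            verdict = "query"
        elif sport == 53:
            sent = queries.get((dst, dport, src))
            if sent is None:
                verdict = "unsolicited"  # no query seen: backscatter candidate
            else:
                verdict = "solicited" if t - sent <= window else "late"
        else:
            verdict = "not-dns"
        out.append((r["Time"], src, dport, verdict))
    return out

def _rec(time, src, sport, dst, dport):  # render a tuple in the log's field layout
    return (f"Time: {time}\nProtocol: udp\nSource: {src}\nDestination: {dst}\n"
            f"Service: {dport}\nSource Port: {sport}\n")

FW = "Firewall_external (72.169.156.122)"
SAMPLE = "\n".join(_rec(*r) for r in [  # constructed records, not real traffic
    ("23:03:20", FW, 40001, "resolver (192.0.2.53)", "domain-udp (53)"),
    ("23:03:20", "resolver (192.0.2.53)", "domain-udp (53)", FW, 40001),
    ("23:03:21", "upstream_router (72.169.156.121)", "domain-udp (53)", FW, 2016),
    ("23:03:22", FW, 40002, "resolver (192.0.2.53)", "domain-udp (53)"),
    ("23:04:30", "resolver (192.0.2.53)", "domain-udp (53)", FW, 40002),
])
```

A "late" verdict means a matching query exists but the answer arrived after the state window, which is the "losing state too quickly" case; "unsolicited" means no query was logged at all.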