OT: Please excuse the noise
oberman at es.net
Mon Aug 18 23:34:08 CDT 2008
> From: "Joe Blanchard" <joe at sumless.net>
> Date: Mon, 18 Aug 2008 23:50:08 -0400
> I'm dealing with Hughesnet and have observed the following issue:
> SOA is me for testing 184.108.40.206
> Upstream router seems to be a public IP
> Number: 15942
> Date: 18Aug2008
> Time: 23:03:21
> Product: FireWall-1
> Interface: eth0
> Origin: rockgate (192.168.1.1)
> Type: Log
> Action: Accept
> Protocol: udp
> Service: 2016
> Source: upstream_router (220.127.116.11)
> Destination: Firewall_external (18.104.22.168)
> Rule: 10
> Source Port: domain-udp (53)
> Problem is that target port is not 53, in other words asking for a DNS
> response on an odd port while sourcing port 53.
> Is this normal, am I missing something that a bigger ISP knows? This would
> be Hughesnet. So I should be concerned? I have a ticket opened with them,
> #15048812 but am getting the run around with them.
> I understand that the normal recourse is to "Reboot the modem" but in this
> case I think it's a bit more than that.
> Can anyone point me in the right direction? Thanks in advance,
Are they asking for a DNS or is this a reply?
Replies are from 53 to an ephemeral destination. If your firewall is set
up correctly and not losing state too quickly for DNS responses, this may
be backscatter. I see a bit of this from time to time and dark space
monitoring systems see a lot of it. With the cache poisoning attacks,
I'd expect to see more of it.
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman at es.net Phone: +1 510 486-8634
Key fingerprint: 059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751
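
Added example, not part of the original message or either poster's code: a small Python check that applies the reply-versus-query test from the reply above to a record in the quoted log layout, and separates replies that match a recent outbound query from unsolicited ones. It assumes the Service field holds the destination port; the sample record, the `pending` table and the 30-second timeout are constructed for illustration.

```python
import re

# Constructed record in the "Key: value" layout of the log quoted above.
# Addresses are documentation-range placeholders, not values from the post.
SAMPLE = """\
Protocol: udp
Service: 2016
Source: upstream_router (192.0.2.1)
Destination: Firewall_external (198.51.100.7)
Source Port: domain-udp (53)
"""

def parse_record(text):
    """Turn 'Key: value' lines into a dict with lower-case keys."""
    rec = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            rec[key.strip().lower()] = value.strip()
    return rec

def port_of(field):
    """'domain-udp (53)' -> 53, '2016' -> 2016."""
    m = re.search(r"\((\d+)\)\s*$", field) or re.search(r"(\d+)", field)
    return int(m.group(1))

def addr_of(field):
    """'upstream_router (192.0.2.1)' -> '192.0.2.1'."""
    m = re.search(r"\(([^)]+)\)\s*$", field)
    return m.group(1) if m else field

def classify(rec, pending, now, timeout=30):
    """pending maps (server_ip, local_port) -> time our query left (seconds).
    timeout is an assumed UDP state lifetime, not a product default."""
    sport, dport = port_of(rec["source port"]), port_of(rec["service"])
    if rec["protocol"] != "udp":
        return "not-udp"
    if dport == 53:
        return "query"              # someone is asking us
    if sport != 53:
        return "not-dns"
    sent = pending.get((addr_of(rec["source"]), dport))
    if sent is not None and 0 <= now - sent <= timeout:
        return "solicited-reply"    # matches a query we sent recently
    return "unsolicited-reply"      # backscatter, or state expired too early

if __name__ == "__main__":
    print(classify(parse_record(SAMPLE), pending={}, now=100))
```

A steady stream of "unsolicited-reply" results for ports the resolver never used points to backscatter; the same result for ports it did use, shortly after the timeout, points to the firewall dropping UDP state too early.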