serious UDP activity originating from port 53
I hope i posted this in the right place.. don't neg me if I didn't.
Some background: I'm using windows ME on a cable modem which appears to be static IP, at least it's stayed the same since I got the broadband about a week ago. I've had a firewall in place since the first day (maybe 4 hours without one) and I'm using AVG anti-virus with the latest updates to the virus definitions and nothing comes up infected after a complete scan.
In the space of a little under 2 hours I received about 30-40 udp packets all originating from port 53 targeting my ports starting at about 3500 and went upwards though not sequentially to about 4500 however the 2nd to last packet originated from 137 targeting 137 and the last packet originated from 1039 targeting my port 53. The originating name for this IP is ns6.attbi.com.
I start to put the pieces together a little bit after some research and this is what i come up with. I assume this to be a nameserver for a local ISP named attbi in California.. i checked out their website http://www.attbi.com/ . Why would a nameserver halfway across the country keep sending me packets, or are they legitimate. I don't think it could have gotten me confused for an authoritative nameserver or any other nameserver for that matter. I tried reading the RFC on DNS but it was very dry and more theoretical than the actual implementation, at least the parts that I grasped. I was under the impression that DNS doesn't normally talk to you unless you initiate the connection. It's the last 2 packets that make me scratch my head. 137 is netbios-ns then it tries MY 53. I'm definitely not running a nameserver of any sort or any services for that matter.
My partly-educated guess is that its a scan of some nature, either a worm or an owned box. But I wanted to hear other's opinion before I mailed their sysadmin and looked like a fool in case it was legitimate activity. So needless to say I'm a little confused. Any opinions on this? :confused: