Thread: serious UDP activity originating from port 53

  1. #1
    Junior Member
    Join Date
    Oct 2002
    Posts
    5

    serious UDP activity originating from port 53

    I hope I posted this in the right place.. don't neg me if I didn't.

    Some background: I'm using Windows ME on a cable modem which appears to be a static IP; at least it's stayed the same since I got the broadband about a week ago. I've had a firewall in place since the first day (maybe 4 hours without one) and I'm using AVG anti-virus with the latest updates to the virus definitions, and nothing comes up infected after a complete scan.

    In the space of a little under 2 hours I received about 30-40 UDP packets, all originating from port 53 and targeting my ports starting at about 3500 and going upwards (though not sequentially) to about 4500. However, the 2nd to last packet originated from 137 targeting 137, and the last packet originated from 1039 targeting my port 53. The originating name for this IP is ns6.attbi.com.

    I started to put the pieces together a little bit after some research and this is what I came up with. I assume this to be a nameserver for a local ISP named attbi in California.. I checked out their website http://www.attbi.com/ . Why would a nameserver halfway across the country keep sending me packets, or are they legitimate? I don't think it could have gotten me confused for an authoritative nameserver or any other nameserver for that matter. I tried reading the RFC on DNS but it was very dry and more theoretical than the actual implementation, at least the parts that I grasped. I was under the impression that DNS doesn't normally talk to you unless you initiate the connection. It's the last 2 packets that make me scratch my head. 137 is netbios-ns, then it tries MY 53. I'm definitely not running a nameserver of any sort, or any services for that matter.

    My partly-educated guess is that it's a scan of some nature, either a worm or an owned box. But I wanted to hear others' opinions before I mailed their sysadmin and looked like a fool in case it was legitimate activity. So needless to say I'm a little confused. Any opinions on this?
    Eat, drink and be merry for tomorrow we die. -Dave Matthews Band

  2. #2
    Senior Member
    Join Date
    Oct 2001
    Location
    Helsinki, Finland
    Posts
    570
    Sounds like someone hax0red Attbi's name server and then used it for their own purposes, in this case port scanning around, likely trying to find other computers with vulnerabilities. Those kinds of port scans aren't looked upon well by any ISP, so feel free to report that, although I'm pretty sure they must've noticed this themselves if they keep even one eye on the log files sometimes. Include a part of your firewall's log file and some other data like the exact date and time if they're not in the log. Be polite and don't blame Attbi, just tell the facts and ask for clarification.

    In short, this attack (or "attack") was most likely not targeted at you or any other individual, and you're safe if your firewall was and is running (with high enough settings).

    Edit/Add: Full IP-port number listing: http://www.good-stuff.co.uk/useful/portfull.html
    Q: Why do computer scientists confuse Christmas and Halloween?
    A: Because Oct 31 = Dec 25

  3. #3
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    Are you completely sure all these packets originating from port 53 to high port numbers weren't replies to your machine's DNS requests?

    That sounds like what they were to me. Obviously they could be something else, but DNS replies sound like the favourite.

    If it's not your own ISP's DNS then of course it might be an attack. But it sounds like normal DNS replies to me.

  4. #4
    Senior Member
    Join Date
    Jun 2002
    Posts
    352
    Who is your broadband provider? AT&T Broadband is not local to California, it's all over the US.
    One would hope that AT&T would have better security for their name servers.
    "When I give food to the poor, they call me a saint. When I ask why the poor have no food, they call me a communist." -- Dom Helder Camara

  5. #5
    Senior Member
    Join Date
    Nov 2001
    Posts
    257
    It's probably not an attack, and even if it is, I wouldn't worry about it. Want to see a clip just from today's firewall logs?

    Sub Seven Attack Dropped 65.93.98.61, 2290, WAN
    Senna Spy Attack Dropped 199.0.216.222, 53, WAN
    Sub Seven Attack Dropped 65.128.192.229, 2898, WAN
    Sub Seven Attack Dropped 65.66.18.160, 1942, WAN
    Probable TCP FIN scan 204.86.64.245, 443, WAN
    Probable TCP FIN scan 132.235.90.11, 80, WAN
    Probable TCP FIN scan 132.235.90.11, 80, WAN
    Probable TCP FIN scan 132.235.90.11, 80, WAN
    Probable TCP FIN scan 12.102.191.42, 80, WAN

    Plus 1432 dropped ICMP packets. All just today, so about 12 hours worth of traffic.

    My router isn't even high profile; I'd cringe to see the logs of somebody who runs a system that gets heavy traffic.

    You just can't escape that kind of thing on the internet. As long as the attack didn't penetrate, you'll just have to accept it's going to come your way.
    -Shkuey
    Living life one line of error free code at a time.

  6. #6
    Junior Member
    Join Date
    Oct 2002
    Posts
    5

    It's time to eat crow.

    Well, I really don't like to admit to my own carelessness but I think I should in this case.

    Sometimes I forget the old rule "Keep It Simple, Stupid". My paranoia got the best of me. I wondered where all these UDP hits were coming from that I had never received before, so I automatically assumed "Cracker or Script Kid". Normally, if I get a probe from a machine it doesn't really bother me unless it's repeated. This time I got about 30 hits, so it set off a few warning buzzers. So I started doing some checking around and generally wasting my time. To make a long story short, when I woke up today (sleep is a reset switch, it helps greatly to clarify problems) I had the bright idea to actually check what MY nameserver was, and SURE enough the machine that all the packets originated from was my nameserver. It never dawned on me to check this first, why I don't know. I can make excuses but excuses don't really serve much of a purpose. Why it sent packets to my 137 and 53 not originating from 53 I'm not sure about, but I'll consign it to "Things to figure out later", perhaps some redundancy routines on the nameserver's part.
    This whole episode reminds me of when I put my first box together from scratch.. I got everything plugged in and ready to go, hit the switch and nothing happened. After a few minutes of tearing my hair out I realized that I didn't connect the MB wire to the power switch, and voila, everything was OK.
    Thanks to everyone who posted their opinions on this matter.

    So now it's time for my double helping of crow. Anybody got any catsup?
    Eat, drink and be merry for tomorrow we die. -Dave Matthews Band
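The check the thread converges on (post #3's suggestion, confirmed in post #6) is mechanical enough to script: a UDP packet from port 53 on a resolver you actually use, aimed at an ephemeral port on your host, is a reply to your own lookup, while packets aimed at a service port on a host that runs no services are unsolicited whoever sent them. The following is an added example, not code from the thread; the log line format, the resolver address and the sample packets are all constructed for illustration.

```python
"""Sort inbound UDP log lines into DNS replies vs. unsolicited traffic.

Constructed example. The log format, resolver address (10.0.0.53) and
host address (192.0.2.10) are assumptions, not values from the thread.
"""
import re
from dataclasses import dataclass

# Assumed one-packet-per-line format: "<time> UDP <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) UDP (?P<sip>[\d.]+):(?P<sport>\d+) -> (?P<dip>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: three replies from our resolver, the two odd packets the
# thread describes (137->137 and 1039->53), and one source-53 packet from a
# host we never configured as a resolver.
SAMPLE_LOG = [
    "12:01:02 UDP 10.0.0.53:53 -> 192.0.2.10:3512",
    "12:01:09 UDP 10.0.0.53:53 -> 192.0.2.10:3640",
    "12:05:44 UDP 10.0.0.53:53 -> 192.0.2.10:4499",
    "12:06:00 UDP 10.0.0.53:137 -> 192.0.2.10:137",
    "12:06:01 UDP 10.0.0.53:1039 -> 192.0.2.10:53",
    "12:07:30 UDP 198.51.100.7:53 -> 192.0.2.10:4021",
]
RESOLVERS = {"10.0.0.53"}   # what the OS's own network config says you use
MY_IP = "192.0.2.10"

@dataclass
class Verdict:
    line: str
    label: str

def classify(line, resolvers, my_ip):
    m = LOG_RE.match(line)
    if not m:
        return Verdict(line, "unparsed")
    sip, sport, dport = m["sip"], int(m["sport"]), int(m["dport"])
    if m["dip"] != my_ip:
        return Verdict(line, "not_for_me")
    # Reply to our own query: FROM port 53 on a resolver we use, TO an
    # ephemeral (>= 1024) port that our stub resolver opened.
    if sport == 53 and sip in resolvers and dport >= 1024:
        return Verdict(line, "dns_reply")
    if sport == 53 and dport >= 1024:
        return Verdict(line, "src53_unknown_host")  # worth a second look
    # Anything aimed at a service port on a host running no services is
    # unsolicited regardless of where it came from.
    if dport < 1024:
        return Verdict(line, "inbound_service_probe")
    return Verdict(line, "other")

def summarize(lines, resolvers, my_ip):
    counts = {}
    for v in (classify(l, resolvers, my_ip) for l in lines):
        counts[v.label] = counts.get(v.label, 0) + 1
    return counts

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, RESOLVERS, MY_IP))
```

Run against the sample, the three source-53 packets from the configured resolver come out as replies, the 137->137 and 1039->53 packets are flagged as probes, and the source-53 packet from an unknown host is singled out for a closer look.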
