weird outbound traffic
Page 1 of 2 12 LastLast
Results 1 to 10 of 12

Thread: weird outbound traffic

  1. #1
    Junior Member
    Join Date
    Jun 2006
    Posts
    11

    weird outbound traffic

    i'm detected a lot of outboud traffic from my DNS server to single host (public IP) using UDP 46728 to 56732 . Can you guys help me figure out what connection is it? This traffic started from 20 July 12:22pm until now 22 July 2:10pm and never stops.

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    What is the destination port? Can you get a packet capture?
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  3. #3
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    i'm detected a lot of outboud traffic from my DNS server to single host (public IP) using UDP 46728 to 56732
    With the very limited information you have provided, I can tell you what it's not.

    1) It's not a DNS zone transfer.
    2) It's not a recursive lookup.

    Without a capture file as Tiger requested, we cannot tell you what this is, especially given the port range and the huge amount of info missing.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  4. #4
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,242
    Just a thought, you do a whois on the host ip address?
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  5. #5
    Junior Member
    Join Date
    Jun 2006
    Posts
    11
    The picture shows a portion of the incidents. This thing still happen until now.


  6. #6
    BANNED
    Join Date
    Nov 2003
    Location
    San Diego
    Posts
    724
    Edit: I mixed up destination and source. >.<
    When death sleeps it dreams of you...

  7. #7
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,242
    169.254.1.33 is a local ip address. You've probably got a loopback of some sort going on.
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  8. #8
    Junior Member
    Join Date
    Jun 2006
    Posts
    11
    Note that 169.254.1.33 is my DNS server. i didn't seen this weird traffic before this (i reviewed my firewall logs everyday).

  9. #9
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    /me hates incomplete firewall logs...

    What are the source/destination ports of the blocked traffic?
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  10. #10
    Junior Member
    Join Date
    Jun 2006
    Posts
    11
    Traffic to my DNS server.


    Traffic from my DNS server.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •