This question comes up from time to time.  After much 
research and worrying, it usually turns out to be the 
result of a class of tools represented by a product 
called Big IP.  This tool is sold to companies that want 
to tailor the browsing experience of their visitors by 
positioning Web Servers around the net, and then 
pointing the browser to the "nearest" server.  To do 
this, they flood you with a type of "ping" request to 
get a round trip time.  You usually get hit by a few 
packets from a bunch of servers, all within a very short 
period of time.  The quickest response wins, and you get 
redirected to that server.  They have been using port 53 
lately.  If you review your logs, you'll find that these 
most often occur when you were browsing, and probably 
got one of those #$%# popup ads.

Sean
> Thanks.
> Very clear and informative!!
> 
> More comments inline
> > > I'm having a lot of denied packets on port 53, like this one:
> > > Mar 14 13:46:13 tptrtr kernel: Packet log: input DENY eth0 PROTO=6 202.139.133.129:46069 200.45.110.178:53 L=44 S=0x00 I=0 F=0x0000 T=237 (#65)
> > > The results of listing the rule are
> > > # ipchains -nvL --line-numbers
> > > 65     520 24564 DENY       all  ----l- 0xFF 0x00  eth0   0.0.0.0/0            0.0.0.0/0             n/a
> > 
> > This is the "catch all" rule, which blocks any inbound traffic on the
> > external interface that hasn't explicitly been allowed.
> Perfect!!!
> 
> 
> > > Can anyone help figure out what's wrong (or maybe right)?
> > The packets are TCP (protocol 6) with a source port of 46069 and a
> > destination port of 53.  This is pretty weird.  Port 53 is for DNS, but
> > typically DNS queries only use UDP.  TCP packets to/from port 53 *ARE* used
> > to do zone transfers, and occasionally to transfer
> Funny thing is I have a DNS server but I have disallowed zone transfers.
> It's an internal caching DNS (W2K).
> 
> > particularly large DNS queries/responses.  The high source port number of
> > 46069 would lead me to believe the remote end initiated the connection.
> Why should this happen?? Any threat??
> > 
> > If you're not running a DNS server, I'd say the traffic is some sort of scan
> > or probe, and should be denied.  If you're actually running a DNS server,
> I DO (see above) but I (mis?)understand that if zone transfers are not
> allowed (nor wanted), why would someone try to do a transfer to my
> system??? Looking for bind??
> 
> > this traffic isn't so unusual...you should look into references on packet
> > filtering and securing your DNS server...if you simply drop inbound TCP
> > queries, you can cause delays in name resolution for your domains, but fully
> > securing DNS is beyond the scope of this e-mail, and your original question.
> Where and how?? Some pointers (links maybe?)
> 
> > HTH,
> Helped a LOT!!!
> 
> Thanks Charles
> 
> Sergio
> 
> _______________________________________________
> Leaf-user mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/leaf-user
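A way to triage log entries like the one Sergio quoted, as an added example that is not part of the thread and not LEAF's own code: a parser for ipchains "Packet log:" lines, a classifier that applies Charles's reasoning (destination port 53 with an ephemeral source port means the remote end opened the connection; source port 53 means reply traffic, which a stateless catch-all rule drops too), and a burst check that matches Sean's description of a handful of servers each sending a probe within a short window. The sample lines are constructed from the quoted entry plus invented ones in documentation address ranges, and the 30-second window and three-source threshold are assumptions, not values from the list.

```python
"""Parse ipchains 'Packet log:' lines and flag inbound TCP/53 hits.

Added example for this thread, not code from the list or its members.
The log lines below are constructed: the quoted entry plus invented
lines of the same shape using documentation address ranges.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log (the quoted line, then invented lines).
SAMPLE_LOG = """\
Mar 14 13:46:13 tptrtr kernel: Packet log: input DENY eth0 PROTO=6 202.139.133.129:46069 200.45.110.178:53 L=44 S=0x00 I=0 F=0x0000 T=237 (#65)
Mar 14 13:46:13 tptrtr kernel: Packet log: input DENY eth0 PROTO=6 202.139.133.129:46069 200.45.110.178:53 L=44 S=0x00 I=0 F=0x0000 T=237 (#65)
Mar 14 13:46:14 tptrtr kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:33210 200.45.110.178:53 L=44 S=0x00 I=0 F=0x0000 T=52 SYN (#65)
Mar 14 13:46:15 tptrtr kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.21:51002 200.45.110.178:53 L=44 S=0x00 I=0 F=0x0000 T=114 (#65)
Mar 14 13:47:01 tptrtr kernel: Packet log: input DENY eth0 PROTO=17 198.51.100.9:1025 200.45.110.178:137 L=78 S=0x00 I=0 F=0x0000 T=113 (#65)
Mar 14 13:52:40 tptrtr kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.5:46069 200.45.110.178:53 L=44 S=0x00 I=0 F=0x0000 T=237 (#65)
Mar 14 13:52:41 tptrtr kernel: Packet log: input DENY eth0 PROTO=17 192.0.2.9:53 200.45.110.178:1029 L=90 S=0x00 I=0 F=0x0000 T=240 (#65)
"""

# Field layout of an ipchains log line: chain action iface PROTO=n
# src:sport dst:dport L=len S=tos I=id F=frag T=ttl [flags] (#rule)
IPCHAINS_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: Packet log: "
    r"(?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9A-Fa-f]+) I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9A-Fa-f]+) T=(?P<ttl>\d+)(?P<flags>(?: [A-Z]+)*) "
    r"\(#(?P<rule>\d+)\)$"
)


def parse_line(line):
    """Return a dict of fields for one 'Packet log:' line, or None."""
    m = IPCHAINS_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        # syslog stamps carry no year; strptime defaults to 1900, fine for deltas
        "ts": datetime.strptime(" ".join(d["ts"].split()), "%b %d %H:%M:%S"),
        "chain": d["chain"], "action": d["action"], "iface": d["iface"],
        "proto": int(d["proto"]), "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]), "ttl": int(d["ttl"]),
        "flags": d["flags"].split(), "rule": int(d["rule"]),
    }


def classify(rec):
    """Label a denied packet the way the thread reasons about it."""
    proto = {6: "tcp", 17: "udp"}.get(rec["proto"])
    if proto is None:
        return "other"
    if rec["dport"] == 53:
        # Ephemeral source port: the remote end opened this, so it is a
        # query, a zone-transfer attempt (TCP), or a probe, not a reply.
        return f"dns-{proto}-inbound" if rec["sport"] >= 1024 else "other"
    if rec["sport"] == 53:
        # Reply traffic.  A stateless catch-all rule drops these as well,
        # which is the name-resolution delay Charles warns about.
        return f"dns-{proto}-reply"
    return "other"


def find_probe_bursts(records, window=timedelta(seconds=30), min_sources=3):
    """Group inbound TCP/53 hits in time; several distinct sources inside
    one window is the 'nearest server' probe pattern Sean describes.
    Window and threshold are assumed values, not from the thread."""
    hits = sorted((r for r in records if classify(r) == "dns-tcp-inbound"),
                  key=lambda r: r["ts"])
    bursts, i = [], 0
    while i < len(hits):
        j = i
        while j + 1 < len(hits) and hits[j + 1]["ts"] - hits[i]["ts"] <= window:
            j += 1
        group = hits[i:j + 1]
        sources = sorted({r["src"] for r in group})
        if len(sources) >= min_sources:
            bursts.append({"start": group[0]["ts"], "end": group[-1]["ts"],
                           "packets": len(group), "sources": sources})
        i = j + 1
    return bursts


def analyse(log_text, window=timedelta(seconds=30), min_sources=3):
    """Parse a log, count packets per label and locate probe bursts."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    counts = Counter(classify(r) for r in records)
    return records, dict(counts), find_probe_bursts(records, window, min_sources)


if __name__ == "__main__":
    records, counts, bursts = analyse(SAMPLE_LOG)
    for label, n in sorted(counts.items()):
        print(f"{label:18} {n}")
    for b in bursts:
        print(f"burst {b['start']:%H:%M:%S}-{b['end']:%H:%M:%S}: "
              f"{b['packets']} packets from {len(b['sources'])} sources: "
              f"{', '.join(b['sources'])}")
```

Run it against `/var/log/messages` (or wherever the LEAF box sends kernel logs) by passing the file contents to `analyse()`. The labels are a triage heuristic, not proof of intent: a single `dns-tcp-inbound` hit from one source could still be a legitimate retry of a truncated query, while a burst from several unrelated sources within seconds is the pattern worth ignoring rather than chasing. Note also that `dns-*-reply` entries are your own caching server's answers being eaten by the catch-all rule; if those appear, it is the rule set, not the remote end, that needs attention.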

