Re: Strange traffic from ISP dns server
On Sun, Jan 13, 2002 at 08:52:36PM +0100, Peter Jönsson wrote:
> Ok..
>
> I'm pretty sure now that this is just snort reporting when the dns-server
> sends back the data from the lookup. The dns-server just happens to send
> it to some port that snort is looking for traffic on. But won't this make
> it very easy to hide your attempts to connect to a backdoor (or
> something), you spoof yourself as 10.0.0.1 and the person reading the
> logs will just ignore that since they know that it's just the dns-server?
>
> // peter
IMHO it's no attack at all. What you see is true, the target ports are the
same as in these kinds of attacks. BUT in this case the sender port (almost every time)
has to be over 1024, since it initiates a connection. Therefore, what you see means
that you've requested some arp calls, and the port numbers were randomly assigned
to these ports. (Again, this time it was you initiating the connection.)
cheers
Feco
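
Added example, not part of the original thread: one way to keep "it's just the dns-server" from becoming a blind spot is to accept a packet from the resolver as a DNS reply only when it answers an outstanding query from the same client port with the same transaction ID. The packet tuples, the client address, the watched port 31337 and the 5-second window are constructed assumptions; 10.0.0.1 is the resolver address used in the thread.

```python
# Stateful check: a UDP packet from the resolver is benign only if it
# answers a query we actually sent (same client port, same DNS transaction ID).
RESOLVER = "10.0.0.1"    # resolver address from the thread
CLIENT = "192.168.1.5"   # constructed local host
WINDOW = 5.0             # assumed seconds a query stays outstanding

# Constructed sample: (time, src_ip, src_port, dst_ip, dst_port, dns_txid)
SAMPLE = [
    (0.0, CLIENT, 31337, RESOLVER, 53, 0x1A2B),   # query from an ephemeral port an IDS rule also watches
    (0.1, RESOLVER, 53, CLIENT, 31337, 0x1A2B),   # matching reply
    (9.0, RESOLVER, 53, CLIENT, 31337, 0x9999),   # claims to be a reply, no query outstanding
    (9.5, RESOLVER, 4000, CLIENT, 12345, None),   # resolver IP, but source port is not 53
]

def classify(packets, resolver=RESOLVER, window=WINDOW):
    """Return one verdict per packet, in order."""
    pending = {}   # (client_ip, client_port, txid) -> time the query was sent
    verdicts = []
    for ts, sip, sport, dip, dport, txid in packets:
        if dip == resolver and dport == 53:
            pending[(sip, sport, txid)] = ts
            verdicts.append("query")
        elif sip == resolver and sport == 53:
            # Each query may be answered once, and only within the window.
            sent = pending.pop((dip, dport, txid), None)
            if sent is not None and ts - sent <= window:
                verdicts.append("dns-reply")
            else:
                verdicts.append("unsolicited")   # keep the alert
        elif sip == resolver:
            verdicts.append("not-dns")           # keep the alert
        else:
            verdicts.append("other")
    return verdicts

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, classify(SAMPLE)):
        print(verdict, pkt)
```

Only the second packet is suppressed; the two packets that merely carry the resolver's source address still surface for review.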