
Re: Strange traffic from ISP dns server



On Sun, Jan 13, 2002 at 08:52:36PM +0100, Peter Jönsson wrote:

> Ok..
> 
> I'm pretty sure now that this is just snort reporting when the dns-server 
> sends back the data from the lookup. The dns-server just happens to send 
> it to some port that snort is looking for traffic on. But won't this make 
> it very easy to hide your attempts to connect to a backdoor (or 
> something), you spoof yourself as 10.0.0.1 and the person reading the 
> logs will just ignore that since they know that it's just the dns-server?
> 
> // peter

imho it's no attack at all. What you see is true, the target ports are the
same as in these kinds of attack. BUT in this case the sender port (almost every time)
has to be over 1024, since it initiates a connection. Therefore, what you see means
that you've requested some arp calls, and the port numbers were randomly assigned
to these ports. (again, this time it was you, initiating the connection)

cheers

Feco
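
Added example, not part of either message above: one way to avoid blindly ignoring everything that claims to come from the DNS server is to accept a packet from 10.0.0.1 port 53 as a lookup answer only when a query from that exact local address and port is still outstanding. The UDP-only check, the local host 10.0.0.5, the 5-second window, the port numbers and the flow records are all constructed assumptions.

```python
# Added example: constructed flow records, not data from the thread.
from collections import namedtuple

Pkt = namedtuple("Pkt", "ts proto src sport dst dport")

RESOLVER = "10.0.0.1"   # the DNS server address used in the thread
WINDOW = 5.0            # assumed seconds a query stays "outstanding"


def classify(packets, resolver=RESOLVER, window=WINDOW):
    """Label each UDP packet sourced from resolver:53.

    'solicited'   - answers a query we sent from that exact local ip:port
    'unsolicited' - nothing asked for it; the source may be spoofed
    """
    pending = {}    # (local ip, local port) -> time the query left
    verdicts = []
    for p in sorted(packets, key=lambda p: p.ts):
        if p.proto != "udp":
            continue
        if p.dst == resolver and p.dport == 53:
            pending[(p.src, p.sport)] = p.ts            # outbound query
        elif p.src == resolver and p.sport == 53:
            sent = pending.pop((p.dst, p.dport), None)  # one answer per query
            ok = sent is not None and p.ts - sent <= window
            verdicts.append((p.dst, p.dport, "solicited" if ok else "unsolicited"))
    return verdicts


# Constructed sample: 31337 stands in for a port that a backdoor rule watches.
SAMPLE = [
    Pkt(1.00, "udp", "10.0.0.5", 31337, "10.0.0.1", 53),   # our lookup
    Pkt(1.02, "udp", "10.0.0.1", 53, "10.0.0.5", 31337),   # its answer
    Pkt(9.50, "udp", "10.0.0.1", 53, "10.0.0.5", 31337),   # no query pending
    Pkt(12.0, "udp", "10.0.0.5", 40000, "10.0.0.1", 53),   # second lookup
    Pkt(30.0, "udp", "10.0.0.1", 53, "10.0.0.5", 40000),   # arrives too late
]

if __name__ == "__main__":
    for verdict in classify(SAMPLE):
        print(verdict)
```

Only the first packet from the server is treated as the expected lookup answer; the other two still deserve the alert even though the source address is the DNS server's.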


