Mailinglist Archive: opensuse-security (636 mails)

AW: AW: [suse-security] dns hijack attack
  • From: "Philipp Snizek" <mailinglists@xxxxxxxxx>
  • Date: Tue, 6 Feb 2001 08:26:52 +0100
  • Message-id: <000d01c0900e$2da73a90$b400000a@xxxxxxxxxxxxxxx>
Roman,

> > Feb 3 18:47:14 bridge kernel: Packet log: b1 DENY eth1 PROTO=17 212.114.64.130:624 212.232.168.190:53 L=55 S=0x00 I=11152 F=0x0000 T=45
>
> protocol (/etc/protocols) 17 is UDP.
> Length=55 bytes
> TTL=45 (from probably 64)
> Source port is 625
> Destination port is 53.

I was worried because of the --sport and I fields. The I field shows normal DNS
queries (a scan has a much wider range of I field numbers), while --sport is
unusually low for server or client DNS queries. And so I wasn't sure what
queries these would be. A DNS probe? Simply, it was the first time I saw a
DNS server query from :1023 --> 53 udp. Moreover, it was/still is trying both
DNS servers, .181 and .190. One more reason to believe it could be a DNS probe.
But now I read Boris Lorenz' (Lanswehr & Partner, Nürnberg) answer and it
seems that everything is OK.

> Now I just wonder why you filter these packets.

Because the --sport is too low. Normally clients and servers query from
1024: --> 53 udp. This is 99% of all cases. For the 1% I will not open
ports 1:1023.

> Those appear to be regular dns queries, destined for 212.232.168.181
> (your address? PS14613-RIPE).

Yes, it is.

Philipp
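
The log decoding and the low-source-port rule discussed in this thread, as an added example that is not part of the original mail: a small Python parser for ipchains "Packet log:" lines that extracts the fields Roman decoded (protocol, addresses, ports, length, IP ID, TTL), flags UDP packets to port 53 whose source port lies in 1:1023, and groups those per source so the spread of IP IDs and the set of targeted nameservers can be compared the way Philipp did. The regex, the Entry type and all function names are my own assumptions; the first sample line is the one quoted in the mail, the remaining sample lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Layout of the ipchains (Linux 2.2) "Packet log:" line as it appears in the quoted log:
#   Packet log: <chain> <action> <iface> PROTO=<n> <src>:<sport> <dst>:<dport>
#               L=<ip length> S=<tos> I=<ip id> F=<frag> T=<ttl> [SYN] [(#rule)]
# Anything after T= is optional and ignored here (assumed format, not from the page).
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+)"
)

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}  # numbers from /etc/protocols

# Constructed sample: line 1 is the entry quoted in the mail, lines 2-4 are made up
# (a second query from the same source to the other resolver, a normal high-port
# query, a TCP SYN to port 53), line 5 is an unrelated kernel message.
SAMPLE_LOG = """\
Feb 3 18:47:14 bridge kernel: Packet log: b1 DENY eth1 PROTO=17 212.114.64.130:624 212.232.168.190:53 L=55 S=0x00 I=11152 F=0x0000 T=45
Feb 3 18:47:19 bridge kernel: Packet log: b1 DENY eth1 PROTO=17 212.114.64.130:624 212.232.168.181:53 L=55 S=0x00 I=11160 F=0x0000 T=45
Feb 3 18:47:21 bridge kernel: Packet log: b1 ACCEPT eth1 PROTO=17 192.0.2.10:32771 212.232.168.181:53 L=61 S=0x00 I=40211 F=0x0000 T=52
Feb 3 18:47:22 bridge kernel: Packet log: b1 DENY eth1 PROTO=6 198.51.100.7:4455 212.232.168.181:53 L=60 S=0x00 I=5 F=0x4000 T=50 SYN
Feb 3 18:47:30 bridge kernel: nfs: server not responding
"""


@dataclass
class Entry:
    chain: str
    action: str
    iface: str
    proto: int
    src: str
    sport: int
    dst: str
    dport: int
    length: int
    ipid: int
    ttl: int

    @property
    def proto_name(self) -> str:
        return PROTO_NAMES.get(self.proto, str(self.proto))


def parse_line(line: str) -> Optional[Entry]:
    """Parse one syslog line; None for lines that are not ipchains packet logs."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return Entry(
        chain=m["chain"], action=m["action"], iface=m["iface"],
        proto=int(m["proto"]),
        src=m["src"], sport=int(m["sport"]),
        dst=m["dst"], dport=int(m["dport"]),
        length=int(m["length"]), ipid=int(m["ipid"]), ttl=int(m["ttl"]),
    )


def probable_initial_ttl(ttl: int) -> int:
    """Roman's 'T=45 (from probably 64)': the smallest common initial TTL
    (32, 64, 128, 255) that is not below the observed value."""
    for start in (32, 64, 128, 255):
        if ttl <= start:
            return start
    return 255


def is_low_port_dns_query(e: Entry) -> bool:
    """The pattern that drew attention: UDP to port 53 from a source port in 1:1023."""
    return e.proto == 17 and e.dport == 53 and 1 <= e.sport <= 1023


def summarize_by_source(entries: List[Entry]) -> Dict[str, dict]:
    """Per source address: count of low-port DNS queries, resolvers hit, source
    ports used, and the IP ID span (a scan shows a much wider spread than a
    handful of ordinary queries)."""
    out: Dict[str, dict] = {}
    for e in entries:
        if not is_low_port_dns_query(e):
            continue
        s = out.setdefault(e.src, {"count": 0, "targets": set(), "sports": set(),
                                   "ipid_min": e.ipid, "ipid_max": e.ipid})
        s["count"] += 1
        s["targets"].add(e.dst)
        s["sports"].add(e.sport)
        s["ipid_min"] = min(s["ipid_min"], e.ipid)
        s["ipid_max"] = max(s["ipid_max"], e.ipid)
    for s in out.values():
        s["ipid_span"] = s["ipid_max"] - s["ipid_min"]
    return out


if __name__ == "__main__":
    parsed = [e for e in map(parse_line, SAMPLE_LOG.splitlines()) if e is not None]
    for src, s in summarize_by_source(parsed).items():
        print(f"{src}: {s['count']} low-port queries to {sorted(s['targets'])}, "
              f"sports {sorted(s['sports'])}, IP ID span {s['ipid_span']}")
```

Note that source port 53 itself falls inside 1:1023 and is the old BIND 8 default for server-to-server queries (query-source port 53), so a rule that drops 1:1023 --> 53 will also drop those; the summary's "sports" set makes it easy to see whether that is what is being blocked.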

