|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: OT:Please excuse the noise
> From: "Joe Blanchard" <[email protected]> > Date: Mon, 18 Aug 2008 23:50:08 -0400 > > > I'm dealing with Hughsnet and have observed the following issue/ > > SOA is me for testing 72.169.156.122 > > Upstream router seems to be a public IP > Number: 15942 > Date: 18Aug2008 > Time: 23:03:21 > Product: FireWall-1 > Interface: eth0 > Origin: rockgate (192.168.1.1) > Type: Log > Action: Accept > Protocol: udp > Service: 2016 > Source: upstream_router (72.169.156.121) > Destination: Firewall_external (72.169.156.122) > Rule: 10 > Source Port: domain-udp (53) > > > Problem is that target port is not 53, in otherwords asking for a DNS > response on an odd port while sourcing port 53. > Is this normal, am I missing something that a bigger ISP knows? This would > be Hughesnet. so I should be concerned? I have a ticket opened with them, > #15048812 but am getting the run around with them. > I understand that the normal recourse is to "Reboot the modem" but in this > case I think it's a bit more than that. > Can anyone point me in the right direction? Thanks in advance, Are they asking for a DNS or is this a reply? Replies are from 53 to an ephemeral destination. If your firewall is set up correctly and not losing state too quickly for DNS responses, this may be backscatter. I see a bit of this from time to time and dark space monitoring systems see a lot of it. With the cache poisoning attacks, I'd expect to see more t it. -- R. Kevin Oberman, Network Engineer Energy Sciences Network (ESnet) Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab) E-mail: [email protected] Phone: +1 510 486-8634 Key fingerprint:059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751 Attachment:
pgp00012.pgp
|