
List:       intrusions
Subject:    Re: UDP packets
From:       Robert Hartman <robert () roberthartman ! net>
Date:       2002-12-31 4:15:32

Sounds like source port scanning for tftp servers.  Oftentimes UDP scans
utilize port 53 to get through ACLs and other filters.

Have you made sure that tftp is not running on that host?

Rob

On Monday, December 30, 2002, at 03:10 PM, Otto Kretzer wrote:

> Over the last weekend one of my IDS sensors has triggered an alarm on UDP
> packets coming from numerous source IP addresses (7 pages worth of different
> IP addresses) against one of my external translated addresses, all having a
> source port of 53 and a destination port of 69. I'm thinking this is a false
> positive of some kind but not sure what would trigger such a false positive.
> I'm also thinking if it was a legitimate intrusion attempt it would be from
> one or a few source IP addresses, not like 100 different IP addresses like it
> is. Can anyone shed any more light on this, a UDP packet with a source port
> of 53 (dns) going to a destination port of 69 (tftp)?
>
> thanks
>
> Otto H. Kretzer
........................................................................
Robert Hartman
Mobile: 703/980/3476
AIM: gmurob
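
The traffic discussed in this thread (UDP from source port 53 to port 69) passes any stateless filter that trusts source port 53 as "DNS replies". As an added example, not part of the original messages: a Python check that flags inbound source-port-53 packets with no matching recent outbound DNS query and groups them by target and destination port. The log format, the addresses and the 30-second window are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample flow records (documentation addresses), not from the thread.
SAMPLE_LOG = """\
1041200000.10 UDP 192.0.2.10:33012 > 198.51.100.53:53
1041200000.15 UDP 198.51.100.53:53 > 192.0.2.10:33012
1041200001.00 UDP 203.0.113.7:53 > 192.0.2.10:69
1041200001.20 UDP 203.0.113.8:53 > 192.0.2.10:69
1041200001.40 UDP 203.0.113.9:53 > 192.0.2.10:69
1041200050.00 UDP 198.51.100.53:53 > 192.0.2.10:33012
"""

LINE_RE = re.compile(r"^(\S+) UDP (\S+):(\d+) > (\S+):(\d+)$")
QUERY_TTL = 30.0  # assumed: seconds an outbound DNS query stays "pending"

def parse(log):
    """Yield (ts, src, sport, dst, dport) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, sport, dst, dport = m.groups()
            yield float(ts), src, int(sport), dst, int(dport)

def unsolicited_from_53(log, ttl=QUERY_TTL):
    """Return packets with source port 53 that answer no recent query."""
    pending = {}  # (client, client_port, server) -> time the query was sent
    hits = []
    for ts, src, sport, dst, dport in parse(log):
        if dport == 53:                       # a DNS query: remember it
            pending[(src, sport, dst)] = ts
        elif sport == 53:                     # claims to be a DNS reply
            asked = pending.get((dst, dport, src))
            if asked is None or ts - asked > ttl:
                hits.append((ts, src, dst, dport))
    return hits

def summarize(hits):
    """Group hits by (target, destination port) -> set of distinct sources."""
    groups = defaultdict(set)
    for _ts, src, dst, dport in hits:
        groups[(dst, dport)].add(src)
    return dict(groups)

if __name__ == "__main__":
    for (dst, dport), srcs in summarize(unsolicited_from_53(SAMPLE_LOG)).items():
        print(f"{dst}:{dport} <- {len(srcs)} source(s), sport 53, no matching query")
```

Many distinct sources grouped under one low destination port such as 69 match the alarm described in the question; a stateful filter drops these packets for the same reason this check flags them.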

