> > Bryan Bradsby <Bryan.Bradsby@capnet.state.tx.us> wrote:
> > > udp/1434 is not a reserved port. [...] legit traffic that picked a random port to use for an ad-hoc use.
> >
> > It isn't legit for what I have in my network, though :-)
> >
> > I should clarify this: my data center has www/dns/ftp servers and a bunch of VoIP gateways (mostly Cisco), so they all talk on the same UDP ports (most of which are greater than 30000). My corporate LAN does have an MS SQL server or two (running on NT4), but there is no reason that those servers should be talking to anything outside of my network (or outside of their VLAN).
>
> Really? So you're blocking udp/1434 both in and out?

Yep.

> Got any DNS servers on your network? Any of your desktop clients use DNS?

options { query-source * port 53 };

> Recent versions of un*x BIND will pick a random port above 1024 for UDP conversations. It can and has picked 1434.

Destination port will be 53; I suppose it is possible that the client could pick 1434 for a source.....

> DNS clients will eventually time out and fall back to another server, so any problems would be transient, but the packets were legit, right?

On the off chance that someone's Windows desktop picked 1434 for a source: those packets, however, will not be leaving my network. It may not be the best way to do all of it, but it keeps my network from being killed (it also helps that the LAN admin keeps all the servers well patched).

> -bryan bradsby
> Texas State Government Net

joshua
(the grouchy ip/security/*nix guy sitting alone in the dark corner of the office)

"Walk with me through the Universe, And along the way see how all of us are Connected. Feast the eyes of your Soul, On the Love that abounds. In all places at once, seemingly endless, Like your own existence." - Stephen Hawking -
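The collision the two of them are circling, worked through as an added example (this is not code from the thread or from either poster): a first-match packet filter on protocol and ports is run over a handful of constructed UDP flows, once with a "drop anything to udp/1434" policy and once with a "drop udp/1434 as source or destination" policy, and the legitimate DNS traffic each policy kills is listed. A small stateful variant, which admits the reply to any query it let out before consulting the static rules, shows what changes when the filter remembers flows. The hosts, addresses (RFC 5737 placeholders), rule format and flow list are all assumptions made for the example.

```python
"""Added example (not from the thread): what a udp/1434 block does to DNS.

Models a first-match packet filter on (protocol, source port, destination
port) and runs two policies over a few constructed UDP flows: a resolver
query whose random source port happened to be 1434 and its reply, a query
from a resolver pinned to source port 53 (what BIND's `query-source * port
53` option does), a query from a high ephemeral port, and an unsolicited
datagram aimed at udp/1434. The addresses are RFC 5737 placeholders.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

UDP = "udp"


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    outbound: bool      # True = leaving the network, False = coming in
    note: str = ""


@dataclass(frozen=True)
class Rule:
    action: str         # "drop" or "pass"
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or p.proto == self.proto)
                and (self.sport is None or p.sport == self.sport)
                and (self.dport is None or p.dport == self.dport))


def evaluate(rules: List[Rule], p: Packet, default: str = "pass") -> str:
    """Stateless filter: first matching rule wins, otherwise the default."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


class StatefulFilter:
    """Same rules, but replies to flows that were allowed out are admitted
    before the static rules are consulted (the usual 'established' shortcut)."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.flows: set = set()

    def handle(self, p: Packet) -> str:
        if not p.outbound and (p.dst, p.dport, p.src, p.sport) in self.flows:
            return "pass"
        verdict = evaluate(self.rules, p)
        if p.outbound and verdict == "pass":
            self.flows.add((p.src, p.sport, p.dst, p.dport))
        return verdict


# Policy A: drop only datagrams *to* udp/1434 (the SQL Server resolution service).
DEST_ONLY = [Rule("drop", UDP, dport=1434)]
# Policy B: drop udp/1434 as either the source or the destination port.
BOTH_WAYS = [Rule("drop", UDP, dport=1434), Rule("drop", UDP, sport=1434)]

RESOLVER = "192.0.2.53"      # internal caching resolver (placeholder)
CLIENT = "192.0.2.10"        # internal desktop (placeholder)
SQLSRV = "192.0.2.20"        # internal SQL Server (placeholder)
INET_NS = "198.51.100.1"     # some authoritative server out on the Internet
STRANGER = "203.0.113.7"     # arbitrary external host

# Constructed sample flows; none of these are captured traffic.
FLOWS = [
    Packet(UDP, RESOLVER, 1434, INET_NS, 53, True, "dns query, random source port happened to be 1434"),
    Packet(UDP, INET_NS, 53, RESOLVER, 1434, False, "dns reply to that query"),
    Packet(UDP, RESOLVER, 53, INET_NS, 53, True, "dns query from a resolver pinned to source port 53"),
    Packet(UDP, INET_NS, 53, RESOLVER, 53, False, "dns reply to the pinned resolver"),
    Packet(UDP, CLIENT, 40000, INET_NS, 53, True, "dns query from an ephemeral port above 30000"),
    Packet(UDP, STRANGER, 1034, SQLSRV, 1434, False, "unsolicited datagram to udp/1434"),
]


def verdicts(rules: List[Rule], flows: List[Packet] = FLOWS) -> List[Tuple[str, str]]:
    return [(p.note, evaluate(rules, p)) for p in flows]


def collateral(rules: List[Rule], flows: List[Packet] = FLOWS, stateful: bool = False) -> List[str]:
    """Legitimate DNS flows (port 53 on either end) the policy drops."""
    fw = StatefulFilter(rules)
    dropped = []
    for p in flows:
        v = fw.handle(p) if stateful else evaluate(rules, p)
        if v == "drop" and 53 in (p.sport, p.dport):
            dropped.append(p.note)
    return dropped


if __name__ == "__main__":
    for name, rules in (("dest-only", DEST_ONLY), ("both-ways", BOTH_WAYS)):
        print(f"== {name}")
        for note, v in verdicts(rules):
            print(f"  {v:4}  {note}")
        print("  stateless DNS collateral:", collateral(rules))
        print("  stateful  DNS collateral:", collateral(rules, stateful=True))
```

Two things fall out of running it. Even the destination-only policy drops the answer to a query whose source port was 1434, because that answer arrives with destination port 1434; blocking the port in both directions additionally drops the query itself. Pinning the resolver's source port to 53 sidesteps the collision entirely, but it also gives up the source-port randomness that resolvers later came to rely on against cache poisoning, whereas a stateful filter that admits replies to queries it let out keeps the udp/1434 block with no DNS collateral at all, as long as the outbound side is not blocked too.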