From: "Joe Blanchard" <joe@sumless.net> Date: Mon, 18 Aug 2008 23:50:08 -0400
I'm dealing with Hughesnet and have observed the following issue:
SOA is me for testing 72.169.156.122
Upstream router seems to be a public IP

Number: 15942
Date: 18Aug2008
Time: 23:03:21
Product: FireWall-1
Interface: eth0
Origin: rockgate (192.168.1.1)
Type: Log
Action: Accept
Protocol: udp
Service: 2016
Source: upstream_router (72.169.156.121)
Destination: Firewall_external (72.169.156.122)
Rule: 10
Source Port: domain-udp (53)
Problem is that target port is not 53, in other words, asking for a DNS response on an odd port while sourcing port 53. Is this normal, am I missing something that a bigger ISP knows? This would be Hughesnet. So I should be concerned? I have a ticket opened with them, #15048812, but am getting the runaround with them. I understand that the normal recourse is to "Reboot the modem" but in this case I think it's a bit more than that. Can anyone point me in the right direction?

Thanks in advance,
Are they asking for a DNS or is this a reply? Replies are from 53 to an ephemeral destination. If your firewall is set up correctly and not losing state too quickly for DNS responses, this may be backscatter. I see a bit of this from time to time and dark space monitoring systems see a lot of it. With the cache poisoning attacks, I'd expect to see more of it.

--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman@es.net
Phone: +1 510 486-8634
Key fingerprint: 059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751
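Added example, not part of either message in this thread: a small Python classifier that applies the reply's reasoning (port 53 to an ephemeral port is a response, and a response with no matching firewall state is late or backscatter) to packet records from an external interface. The `Pkt` record, the `STATE_TIMEOUT` value, the outbound queries and all timestamps are constructed assumptions; only the last sample record mirrors the addresses and ports of the log entry quoted above.

```python
from dataclasses import dataclass

DNS_PORT = 53
STATE_TIMEOUT = 40  # seconds; assumed UDP state lifetime, use your firewall's value

@dataclass(frozen=True)
class Pkt:
    ts: float    # seconds since start of capture
    src: str
    sport: int
    dst: str
    dport: int

def classify(packets, local_ip, timeout=STATE_TIMEOUT):
    """Return one label per UDP packet, in timestamp order."""
    pending = {}  # (resolver_ip, local_port) -> time of our last query
    labels = []
    for p in sorted(packets, key=lambda p: p.ts):
        if p.src == local_ip and p.dport == DNS_PORT:
            pending[(p.dst, p.sport)] = p.ts      # remember what we asked
            labels.append("query-out")
        elif p.dst == local_ip and p.dport == DNS_PORT:
            labels.append("query-in")             # someone is asking us
        elif p.dst == local_ip and p.sport == DNS_PORT:
            sent = pending.get((p.src, p.dport))
            if sent is None:
                labels.append("unsolicited-response")  # backscatter candidate
            elif p.ts - sent > timeout:
                labels.append("late-response")    # firewall state already expired
            else:
                labels.append("solicited-response")
        else:
            labels.append("other")
    return labels

LOCAL = "72.169.156.122"
UPSTREAM = "72.169.156.121"
# Constructed sample; the final record matches the logged packet (53 -> 2016).
SAMPLE = [
    Pkt(0.0, LOCAL, 40001, UPSTREAM, 53),
    Pkt(0.2, UPSTREAM, 53, LOCAL, 40001),
    Pkt(10.0, LOCAL, 40002, UPSTREAM, 53),
    Pkt(75.0, UPSTREAM, 53, LOCAL, 40002),
    Pkt(80.0, UPSTREAM, 53, LOCAL, 2016),
]

if __name__ == "__main__":
    for pkt, label in zip(SAMPLE, classify(SAMPLE, LOCAL)):
        print(f"{pkt.ts:6.1f} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} {label}")
```

A run of `late-response` labels points at a state timeout that is too short for the link's latency, while `unsolicited-response` labels with no query from the local side at all fit the backscatter explanation.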