PIX UDP questions

[abovebrd]

I'm seeing some strange UDP activity.

Seeing stuff like this :

UDP out xxxx :12105 in yyyy:12105 idle 0:00:46 flags D
UDP out xxxx :14133 in yyyy:14133 idle 0:00:37 flags D
UDP out xxxx :13290 in yyyy:13290 idle 0:00:36 flags D

xxxx = ISP DNS server
yyyy= Internal DNS

Appears to be DNS queries, but is this normal?
Does the PIX perform a fix up on out bound UPD ?
I would expect to see port 53 on the xxxx side ?

Help





-Danny
dan@snoboarder.net

 

[yizhar]

HI.

I've seen that also.

> yyyy= Internal DNS
What OS and DNS server software are you using?
I've seen Liunux machines with such behavior.
It could also be queries from the mail/web server software if you have one also on the same machine "yyyy".



Yizhar Hurwitz

http://teachers.sivan.co.il/yizhar

 

[dopehead]

Weird, DNS queries should always be on 53 udp, or tcp for zone transfers

Jan

 

[abovebrd]

>What OS and DNS server software are you using?

Microsoft NT 4.0 SP6 / Microsoft DNS
This box does nothing more than server up internal DNS. No other servers running on this box (http, smtp etc ..)

I thought it might be some sort of DDOS attack. Could never verify it.

I guess its possible it could have been zone tranfers I was watching ? The UDP ports is the only weird thing

Very strange

-Danny
dan@snoboarder.net

 

[dopehead]

Nope, zone transfers rely on TCP connections, not UDP. You should get yourself some software to check what process is using what port, and what process is listening in what port.

Jan