Author Topic: UDP port scan from DNS?  (Read 3669 times)

Offline kail

  • Randomly Appearing
  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11361
  • The future is much like the present, only longer.
    • COMODO's free software!
UDP port scan from DNS?
« on: July 15, 2006, 02:57:13 PM »
I'm running 2.3.0.20 and at the time, I was using the default rule set and I've still not meddled with the flood rates.

I encountered this entry in my CPF Log..

Quote
Date/Time :2006-07-16 01:44:47
Severity :High
Reporter :Network Monitor
Description: UDP Port Scan
Attacker: 158.43.128.1
Ports: 32014, 29198, 1807, 2063, 29454, 2319, 29710, 2575, 29966, 30222,
2831, 55052, 30478, 3087, 30734, 30990, 3343, 3599, 54796, 31246, 3855,
31502, 4111, 31758, 4367, 3699, 9144, 0, 24512, 23390, 58763, 49757, 24,
17803, 35608, 2123, 21387, 35084, 35592, 4171, 20617, 35588, 5203, 18569,
35592, 6219, 20617, 35084, 4168, 49203
The attacker has been temporarily blocked

OK, that worked. But, 158.43.128.1 is my primary DNS. I have a secondary defined, so I didn't even notice it at the time (shouldn't CPF have told me?). Can I be scanned via my own DNS or would the DNS have a legitimate reason for doing this? And should CPF block a DNS? Actually, is CPF aware of the system defined DNS servers? Sorry for all the questions.. way too much coffee I guess. ;D
My System Details: W10Px64 with CIS 10 Beta, Firefox & Becky!
Forum Policy.
____
The problem is not the problems, the problem is people's attitude towards those problems.

Offline egemen

  • Comodo Staff
  • Comodo's Hero
  • *****
  • Posts: 3380
Re: UDP port scan from DNS?
« Reply #1 on: July 15, 2006, 05:57:30 PM »
Quote
I'm running 2.3.0.20 and at the time, I was using the default rule set and I've still not meddled with the flood rates.

I encountered this entry in my CPF Log..

OK, that worked. But, 158.43.128.1 is my primary DNS. I have a secondary defined, so I didn't even notice it at the time (shouldn't CPF have told me?). Can I be scanned via my own DNS or would the DNS have a legitimate reason for doing this? And should CPF block a DNS? Actually, is CPF aware of the system defined DNS servers? Sorry for all the questions.. way too much coffee I guess. ;D

As far as I see from your logs, your DNS server sends lots of requests in a short period of time. This is port scanning no matter where it comes from. It may not be an attacker but something else. I don't know. But even if CPF blocks the attacker temporarily, it blocks its incoming access to your host. So you will always be able to make your DNS queries with no problem. You can even transfer files etc. But the attacker PC can't.

I am seeing port 24 probed. This log is suspicious. If the DNS server belongs to your local network, I recommend further analysis if you get this log frequently.

Egemen


Offline kail

Re: UDP port scan from DNS?
« Reply #2 on: July 15, 2006, 06:12:34 PM »
Thanks for your reply Egemen. I'll keep an eye on it.

Whilst the DNS was recommended to me by my provider, it is not actually within my provider's domain. The alternative DNS however, is within my provider's domain (they've been having a lot of problems with their DNS recently). I use the external DNS as the preferred one because it's a lot faster & more reliable than any of my provider's DNS. Sad huh?  :'(

Offline kail

Re: UDP port scan from DNS?
« Reply #3 on: August 13, 2006, 09:36:26 AM »
It happened again. But, this time the DNS was my provider's.

Quote
Date/Time :2006-08-13 12:05:20
Severity :High
Reporter :Network Monitor
Description: UDP Port Scan
Attacker: 193.35.133.10
Ports: 36881, 30737, 30993, 31249, 31505, 31761, 32017, 32273, 32529, 32785, 33041, 33297,
33553, 33809, 34065, 34321, 34577, 34833, 35089, 35345, 35601, 35857, 36113, 36369, 36625,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
The attacker has been temporarily blocked

And the Attacker is..

    Default Server:  bdp-grn-dns.orange.co.uk
    Address:  193.35.133.10

Hmm. Any comments or suggestions.. anybody?

On another front (which I probably should have started a new topic for), but it is sort of related (the same DNS was mentioned again.. yes, I know.. slim).. CPF did say something that was a little.. off later. At the time I was running Firefox & I had just selected "Open Link in IE Tab", something that I hadn't done since updating Firefox to 1.5.0.6. So, CPF noticed.. But, it seemed to get confused as to what was happening. Because it generated the following 2 popups (these are log copies).

Quote
Date/Time :2006-08-13 12:51:39
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (B2.exe)
Application: D:\B2\B2.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: TCP Out
Remote: 127.0.0.1:12110
Details: D:\Firefox\firefox.exe has tried to use the Parent application C:\WINDOWS\explorer.exe through OLE Automation, which can be used to hijack other applications.


Date/Time :2006-08-13 12:51:37
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (B2.exe)
Application: D:\B2\B2.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: UDP Out
Remote: 193.35.133.10:dns(53)
Details: D:\Firefox\firefox.exe has tried to use the Parent application C:\WINDOWS\explorer.exe through OLE Automation, which can be used to hijack other applications.

Now, B2.exe (an email client) was running minimized in the tray & may well have been active (checking for or downloading emails). But, I really don't believe it required CPF's attention. It certainly was not doing anything that had not been previously authorised by CPF.
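An added note on the port list in Reply #3 (analysis added to this page; it is not part of the thread and not CPF's own code). Read as logged, the twenty-five non-zero ports are spaced exactly 256 apart (30737, 30993, 31249, ...). Read as 16-bit values with their two bytes exchanged they become 4472 through 4496, one consecutive block, which is what a client draws from a sequential ephemeral-port allocator when it fires off a burst of lookups. The first log in the thread shows the same shape (1807, 2063, 2319 swap to 3847, 3848, 3849). That CPF displays the port field byte-swapped is an inference from this arithmetic, not something the thread establishes, and the run threshold in the classifier is an arbitrary choice of mine. The script parses a copy of the entry (constructed from the post above) and labels the list:

```python
"""Structural check of the port list in a CPF 'UDP Port Scan' log entry."""
import re

# Constructed copy of the second CPF entry quoted in the thread.  The trailing
# zeros are padding in the original log and are dropped before analysis.
CPF_LOG = """Date/Time :2006-08-13 12:05:20
Severity :High
Reporter :Network Monitor
Description: UDP Port Scan
Attacker: 193.35.133.10
Ports: 36881, 30737, 30993, 31249, 31505, 31761, 32017, 32273, 32529, 32785, 33041, 33297,
33553, 33809, 34065, 34321, 34577, 34833, 35089, 35345, 35601, 35857, 36113, 36369, 36625,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
The attacker has been temporarily blocked"""


def parse_cpf_entry(text):
    """Return (attacker_ip, non-zero ports) from one CPF Network Monitor entry."""
    attacker = re.search(r"Attacker:\s*([\d.]+)", text).group(1)
    port_field = re.search(r"Ports:\s*(.*?)\nThe attacker", text, re.S).group(1)
    ports = [int(p) for p in re.findall(r"\d+", port_field)]
    return attacker, [p for p in ports if p != 0]


def byteswap16(port):
    """Reinterpret a 16-bit port number with its two bytes exchanged.

    A port read in network byte order but displayed as a host-order integer
    (or vice versa) comes out exactly like this.  Assumption, not a documented
    CPF behaviour: it is what the step-of-256 pattern in the log suggests.
    """
    return ((port & 0xFF) << 8) | (port >> 8)


def longest_consecutive_run(values):
    """Length of the longest run of consecutive integers among the values."""
    present = set(values)
    best = 0
    for v in present:
        if v - 1 in present:
            continue          # only start counting at the beginning of a run
        n = 1
        while v + n in present:
            n += 1
        best = max(best, n)
    return best


def classify_port_list(ports, min_run=8):
    """Label a 'scanned' port list by whether it is really a consecutive block.

    Consecutive ports are what a client draws from a sequential ephemeral-port
    allocator, so a long run (as logged or after a byte swap) points at replies
    to our own queries rather than at someone probing us.  min_run is arbitrary.
    """
    as_logged = longest_consecutive_run(ports)
    swapped = longest_consecutive_run(byteswap16(p) for p in ports)
    if swapped >= min_run and swapped > as_logged:
        return "sequential-after-byteswap"
    if as_logged >= min_run:
        return "sequential"
    return "no-structure"


if __name__ == "__main__":
    attacker, ports = parse_cpf_entry(CPF_LOG)
    swapped = sorted(byteswap16(p) for p in ports)
    print(attacker, classify_port_list(ports), swapped[0], "..", swapped[-1])
```

A burst of consecutive local ports all answered from the same remote port 53 is the fingerprint of DNS replies to queries the host itself sent; a scanner probing a host has no reason to walk an arithmetic progression of this shape, so the check is worth running before trusting a "port scan" verdict against one's own resolver.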

Offline pandlouk

  • I love Comodo
  • Comodo's Hero
  • *****
  • Posts: 2240
  • Retired Mod
Re: UDP port scan from DNS?
« Reply #4 on: August 13, 2006, 09:46:36 AM »
It is very, very suspicious. I would recommend manually adding a different DNS server. They have no right to scan you.

Offline kail

Re: UDP port scan from DNS?
« Reply #5 on: August 13, 2006, 10:02:27 AM »
Quote
It is very, very suspicious. I would recommend manually adding a different DNS server. They have no right to scan you.

I agree, it is outrageous. But, it is Orange's (a Mobile Telco & now Internet Provider via acquisition) own DNS. Could it be another user spoofing the source?

Offline SteveC

  • Comodo Family Member
  • ***
  • Posts: 89
Re: UDP port scan from DNS?
« Reply #6 on: August 13, 2006, 11:01:05 AM »
I'm on Orange broadband UK and the DNS servers are:
195.92.195.94
195.92.195.95

Offline kail

Re: UDP port scan from DNS?
« Reply #7 on: August 13, 2006, 11:06:42 AM »
Quote
I'm on Orange broadband UK and the DNS servers are:
195.92.195.94
195.92.195.95


Thanks, I'll give them a whirl.

Offline kail

Re: UDP port scan from DNS?
« Reply #8 on: August 16, 2006, 02:55:46 PM »
Extra information..

Just prior to my DNS scan report (posted above), I had started ProcessExplorer from Sysinternals. Now, PE had been updated & CPF detected this..

Quote
Date/Time :2006-08-13 12:05:07
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (procexp.exe:193.35.134.10:dns(53))
Application: D:\ProcExp\procexp.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: UDP Out
Remote: 193.35.134.10:dns(53)


Date/Time :2006-08-13 12:05:07
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (procexp.exe:193.35.133.10:dns(53))
Application: D:\ProcExp\procexp.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: UDP Out
Remote: 193.35.133.10:dns(53)

Why was PE accessing the DNS server? Well, it has a properties tab for each process & one of those properties tabs is the process's network connections. By default, PE will attempt to resolve the IP addresses. Thus, the DNS access.

So, given the time scale between PE's start & the UDP scan.. could these be related? Could it be possible that PE managed to get some requests past CPF (whilst it was waiting for me to respond.. only a few seconds) & that these inbound UDPs were nothing more than the responses to PE's resolve requests?
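The distinction behind Egemen's reply and kail's hypothesis in Reply #8, as an added example (mine, not part of the thread and not how CPF is implemented): a port-scan rule that only counts how many distinct local ports one source hits will flag a resolver answering a burst of lookups, while a rule that first matches each inbound datagram against a recently sent outbound one will not, unless the outbound side was never recorded, which is exactly the situation kail describes. The traffic is constructed: 25 lookups to 193.35.133.10 from source ports 4472..4496 (the values the logged ports take after a byte swap), each answered from port 53, plus an unsolicited burst from 198.51.100.7, a documentation address standing in for a hypothetical scanner. The window and threshold values are arbitrary.

```python
"""Stateless vs stateful UDP 'port scan' heuristics over constructed traffic events."""
from collections import defaultdict

WINDOW = 2.0     # seconds for which an outbound datagram keeps its reply 'expected'
THRESHOLD = 10   # distinct unsolicited local ports hit by one source -> call it a scan

RESOLVER = "193.35.133.10"   # the 'attacker' from kail's second log
SCANNER = "198.51.100.7"     # hypothetical scanner (documentation address, constructed)


def build_events():
    """Constructed events: (time, direction, local_port, remote_ip, remote_port)."""
    events = []
    # 25 lookups to the resolver from sequential ephemeral ports (4472..4496, the
    # values the log shows after a byte swap), each answered about 50 ms later.
    for i, local_port in enumerate(range(4472, 4497)):
        t = i * 0.01
        events.append((t, "out", local_port, RESOLVER, 53))
        events.append((t + 0.05, "in", local_port, RESOLVER, 53))
    # A genuine probe: 20 inbound datagrams from a host this machine never spoke to.
    for i, local_port in enumerate(range(30000, 30020)):
        events.append((5.0 + i * 0.01, "in", local_port, SCANNER, 40000 + i))
    return events


def stateless_scan_sources(events, threshold=THRESHOLD):
    """Flag every remote IP whose inbound UDP hit >= threshold distinct local ports.

    This rule never asks whether we sent anything first, so a resolver
    answering a burst of queries qualifies just as a real scanner does.
    """
    ports_by_src = defaultdict(set)
    for _t, direction, local_port, remote_ip, _remote_port in events:
        if direction == "in":
            ports_by_src[remote_ip].add(local_port)
    return sorted(ip for ip, ports in ports_by_src.items() if len(ports) >= threshold)


def stateful_scan_sources(events, threshold=THRESHOLD, window=WINDOW):
    """Same rule, but an inbound datagram answering a recent outbound one is not counted."""
    pending = {}                 # (remote_ip, remote_port, local_port) -> send time
    unsolicited = defaultdict(set)
    for t, direction, local_port, remote_ip, remote_port in sorted(events, key=lambda e: e[0]):
        key = (remote_ip, remote_port, local_port)
        if direction == "out":
            pending[key] = t
        elif key in pending and t - pending[key] <= window:
            del pending[key]     # reply to our own query (the DNS answer); not a probe
        else:
            unsolicited[remote_ip].add(local_port)
    return sorted(ip for ip, ports in unsolicited.items() if len(ports) >= threshold)


if __name__ == "__main__":
    ev = build_events()
    print("stateless:", stateless_scan_sources(ev))
    print("stateful: ", stateful_scan_sources(ev))
    # If the outbound queries were never recorded (denied, or in flight while the
    # firewall waited on a prompt), the replies look unsolicited even to the stateful rule.
    print("stateful, outbound unseen:", stateful_scan_sources([e for e in ev if e[1] == "in"]))
```

The stateless rule reports both the resolver and the scanner; the stateful rule reports only the scanner. Feeding it the inbound events alone, the case where the firewall never saw or never kept the outbound queries, makes the resolver's replies count as unsolicited again, which is one plausible mechanism for the log entries in this thread. Note that Egemen's point still holds either way: blocking the resolver's inbound side only costs you replies you never matched, since a stateful firewall that did see the query lets its answer through.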
