I've been reading around a bit, and everything I can find on this signature points to Linux hosts. In my case, this sig is firing as Attacker=W2K3 DNS server in my DMZ. It's our outside DNS server (SOA). So far - I can't find any reason NOT to be concerned - are there any false positives that could be causing this?
As per the benign trigger details for 4003-0:
"Many network management tools, such as HP's OpenView, provide network mapping capabilities. This may include a mapping of available network services, so UDP port sweeps may be expected from these systems.
DNS (Port 53), LDAP (Port 389), and Active Directory (Port 88) servers have been shown to cause false positive alarms when responding to numerous queries from the same host.
Due to the stateless nature of UDP traffic, this signature may fire on any application that makes multiple queries to the same UDP service on another system. Because the application often uses a different source port for each request, the responses from the service may be mistaken for a port scan by the sensor. If when examining the alarms for this signature it is determined that a known network service is the source port for this alarm, a filter can be used to eliminate the false positive alarms."
Additionally, from the Suggested Filters section:
"Exclude network management stations as sources and destinations. Exclude DNS / LDAP / Active Directory servers as sources."
If the signature has only recently started firing for that DNS server, then you might want to read http://isc.sans.org/diary.html?storyid=5713 which may be applicable.
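The mechanism in the quoted benign-trigger text, as an added example that is not part of the original thread or of any vendor's sensor code: a toy stateless UDP sweep counter run over constructed flow records (RFC 5737 documentation addresses, invented ports and threshold) tallies the DNS server's replies as a sweep of the resolver, and the suggested service-port filter removes that alarm while a genuine sweep from a single source port still triggers.

```python
from collections import defaultdict

# Constructed traffic records (src, sport, dst, dport), not real captures.
# 1) A resolver (10.0.0.20) sends 15 queries to the DMZ DNS server
#    (192.0.2.53), each from a fresh ephemeral port; the server answers
#    every one from UDP/53.
PACKETS = []
for eph in range(51000, 51015):
    PACKETS.append(("10.0.0.20", eph, "192.0.2.53", 53))   # query
    PACKETS.append(("192.0.2.53", 53, "10.0.0.20", eph))   # reply
# 2) A genuine UDP sweep: one host probes 12 different ports on the
#    server from a single, non-service source port.
for port in range(1, 13):
    PACKETS.append(("198.51.100.9", 40000, "192.0.2.53", port))

SWEEP_THRESHOLD = 10                        # distinct dst ports per (src, dst)
SERVICE_PORTS = frozenset({53, 88, 389})    # DNS, Kerberos/AD, LDAP

def udp_sweep_alarms(packets, exclude_src_ports=frozenset()):
    """Return {(attacker, victim): distinct_dports} for pairs at/over threshold.

    Models a stateless sweep detector: it counts distinct destination ports
    seen from one source host to one destination host, with no notion of
    which side of a UDP exchange a packet belongs to. exclude_src_ports
    models the suggested filter: packets sourced from known service ports
    are dropped before counting.
    """
    ports_seen = defaultdict(set)
    for src, sport, dst, dport in packets:
        if sport in exclude_src_ports:
            continue
        ports_seen[(src, dst)].add(dport)
    return {pair: len(p) for pair, p in ports_seen.items()
            if len(p) >= SWEEP_THRESHOLD}

def naive_alarms():
    """No filter: the DNS server's replies read as a sweep of the resolver."""
    return udp_sweep_alarms(PACKETS)

def filtered_alarms():
    """Service-port filter applied: only the real sweep remains."""
    return udp_sweep_alarms(PACKETS, SERVICE_PORTS)

if __name__ == "__main__":
    print("unfiltered:", naive_alarms())
    print("filtered:  ", filtered_alarms())
```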