Cisco Support Community
Community Member

ISP DNS server is UDP port scanning my DNS server?

Hi,

I have been seeing reports from my IDS4210 that one of our ISPs DNS server is scanning our DNS server. The signatures look like this:

evAlert: eventId=1059933097389457874 severity=high
  originator:
    hostId: MAPCI-InetSensor-1
    appName: sensorApp
    appInstanceId: 916
  time: 2003/10/03 06:52:36 2003/10/03 02:52:36 EST
  interfaceGroup: 0
  vlan: 0
  signature: sigId=4003 sigName=Nmap UDP Port Sweep subSigId=0 version=S37
  participants:
    attack:
      attacker:
        addr: locality=OUT 24.92.226.12
        port: 53
      victim:
        addr: locality=OUT 207.198.45.102
        port: 30005
        port: 30007
        port: 30009
        port: 30011
        port: 30013
        port: 30015
        port: 30017
        port: 30019

Now, a little while later I will see another alert that shows the next range of ports like this:

evAlert: eventId=1059933097389457875 severity=high
  originator:
    hostId: MAPCI-InetSensor-1
    appName: sensorApp
    appInstanceId: 916
  time: 2003/10/03 07:07:38 2003/10/03 03:07:38 EST
  interfaceGroup: 0
  vlan: 0
  signature: sigId=4003 sigName=Nmap UDP Port Sweep subSigId=0 version=S37
  participants:
    attack:
      attacker:
        addr: locality=OUT 24.92.226.12
        port: 53
      victim:
        addr: locality=OUT 207.198.45.102
        port: 30180
        port: 30182
        port: 30184
        port: 30186
        port: 30188
        port: 30190
        port: 30192
        port: 30194

My question: is this normal? I realize it is on port 53, which is DNS related, but what the heck are they doing?

Thanks,

Dan

2 REPLIES
Bronze

Re: ISP DNS server is UDP port scanning my DNS server?

This is completely benign traffic. Your DNS server is apparently forwarding lots of different queries to the ISP DNS server. This is a common setup. The sensor is mistaking the numerous replies from the ISP DNS server as a port scan. This is a known benign trigger. You can eliminate these by filtering out your ISP DNS server as a source for signature 4003.
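
One way to confirm this explanation before filtering the source, as an added example that is not part of the original thread: parse the alert and check that every "swept" victim port had just sent a query to the reported attacker on port 53. The query-log tuple format, the 60-second window and the QUERIES rows are assumptions constructed for illustration; the alert text is trimmed from the post above.

```python
from datetime import datetime, timedelta

# Alert text from the post above, trimmed to three victim ports.
ALERT = """\
evAlert: eventId=1059933097389457874 severity=high
time: 2003/10/03 06:52:36 2003/10/03 02:52:36 EST
signature: sigId=4003 sigName=Nmap UDP Port Sweep subSigId=0 version=S37
attacker:
addr: locality=OUT 24.92.226.12
port: 53
victim:
addr: locality=OUT 207.198.45.102
port: 30005
port: 30007
port: 30009
"""

# Constructed outbound-query log (hypothetical format):
# (time, src ip, src port, dst ip, dst port), same clock as the alert's first timestamp.
QUERIES = [
    ("2003/10/03 06:52:30", "207.198.45.102", 30005, "24.92.226.12", 53),
    ("2003/10/03 06:52:31", "207.198.45.102", 30007, "24.92.226.12", 53),
    ("2003/10/03 06:52:33", "207.198.45.102", 30009, "24.92.226.12", 53),
]
FMT = "%Y/%m/%d %H:%M:%S"

def parse_alert(text):
    """Extract alert time plus attacker/victim address and ports from an evAlert dump."""
    alert = {"attacker": {"ports": []}, "victim": {"ports": []}}
    side = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("time:"):
            alert["time"] = datetime.strptime(" ".join(line.split()[1:3]), FMT)
        elif line in ("attacker:", "victim:"):
            side = line[:-1]
        elif side and line.startswith("addr:"):
            alert[side]["addr"] = line.split()[-1]
        elif side and line.startswith("port:"):
            alert[side]["ports"].append(int(line.split()[1]))
    return alert

def unsolicited_ports(alert, queries, window=timedelta(seconds=60)):
    """Return victim ports hit without a matching query sent shortly before the alert."""
    att, vic = alert["attacker"], alert["victim"]
    asked = {sport for ts, src, sport, dst, dport in queries
             if src == vic["addr"] and dst == att["addr"] and dport in att["ports"]
             and timedelta(0) <= alert["time"] - datetime.strptime(ts, FMT) <= window}
    return sorted(p for p in vic["ports"] if p not in asked)
```

An empty result means every flagged packet answers a query the local server sent, which matches the benign-trigger explanation; any port left in the list had no corresponding query and is worth a closer look before the source is filtered.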

Community Member

Re: ISP DNS server is UDP port scanning my DNS server?

Mcerha,

Thanks for the info. This makes sense and I will adjust accordingly. I am really just getting started with using the CSIDS sensor and want to make sure I understand what is going on.

Dan
