From: Bill Moran
To: Kent Stewart, Michael MacKinnon
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: @home DNS server seems to be scanning my ports?
Date: Wed, 26 Sep 2001 20:17:37 +0000

On Wednesday 26 September 2001 19:15, Kent Stewart wrote:
> Michael MacKinnon wrote:
> > I keep getting these messages on my freebsd system:
> >
> > "Connection attempt to UDP :X from 24.69.255.196:53
> >
> > where X is some port number. It's usually different. The latest ones
> > were, in series, ports 1034, 1036, 1037.
>
> Yes, deny their ip address. You aren't supposed to be running a server
> and they are testing for it. I have a friend in Oceanside that is
> scanned the same way.

Are you sure? That's really wild! 1034, 1036 and 1037 aren't even
officially used for anything. On UDP? What kind of server would you run
on UDP? Streaming media or something?

> > Tech Support said that it was the DHCP server trying to renew, but would
> > that be on port 53?

I do agree that this is bull. 53 is DNS.

My first guess would be that their DNS server is boogered up and trying to
talk to long dropped connections. You wouldn't normally originate a
connection attempt _from_ port 53. Normally, the system would originate a
DNS query FROM a port > 1024 connecting TO port 53.

Does it ever try to connect to a port below 1024? Like to 80 or 22 or 24
or any other well-known port? If so, then Kent might be right about the
port-scanning.

How weird ...

-Bill
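The test proposed in the message above, as an added example that is not part of the original post: it groups "Connection attempt" log lines by source and marks a source as a possible scan only if it touched a port below 1024, and as stray DNS replies when every hit came from UDP port 53 to a high port. The syslog prefix, the local address 192.0.2.10, the second source 198.51.100.7 and the verdict labels are constructed for the example.

```python
import re
from collections import defaultdict

# Matches the message quoted in the thread, with the local address filled in.
LINE_RE = re.compile(
    r"Connection attempt to (UDP|TCP) "
    r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+) from (\d{1,3}(?:\.\d{1,3}){3}):(\d+)")
DNS_PORT = 53
FIRST_UNPRIVILEGED = 1024  # ports below this are the well-known range

# Constructed sample: ports 1034/1036/1037 come from the post, the rest is made up.
SAMPLE_LOG = """\
Sep 26 12:01:03 host /kernel: Connection attempt to UDP 192.0.2.10:1034 from 24.69.255.196:53
Sep 26 12:01:09 host /kernel: Connection attempt to UDP 192.0.2.10:1036 from 24.69.255.196:53
Sep 26 12:01:15 host /kernel: Connection attempt to UDP 192.0.2.10:1037 from 24.69.255.196:53
Sep 26 12:07:40 host sshd[311]: unrelated line that must be skipped
Sep 26 12:09:02 host /kernel: Connection attempt to TCP 192.0.2.10:22 from 198.51.100.7:4021
Sep 26 12:09:02 host /kernel: Connection attempt to TCP 192.0.2.10:80 from 198.51.100.7:4022
"""

def parse_line(line):
    """Return (proto, dst_ip, dst_port, src_ip, src_port) or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    proto, dst_ip, dst_port, src_ip, src_port = m.groups()
    return proto, dst_ip, int(dst_port), src_ip, int(src_port)

def classify_sources(log_text):
    """Map each source IP to (verdict, sorted destination ports of interest)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            proto, _dst_ip, dst_port, src_ip, src_port = rec
            hits[src_ip].append((proto, dst_port, src_port))
    verdicts = {}
    for src_ip, seen in hits.items():
        low = sorted({d for _, d, _ in seen if d < FIRST_UNPRIVILEGED})
        ports = sorted({d for _, d, _ in seen})
        if low:  # probing well-known ports: the case where a scan is plausible
            verdicts[src_ip] = ("possible-scan", low)
        elif all(p == "UDP" and s == DNS_PORT for p, _, s in seen):
            verdicts[src_ip] = ("stray-dns-replies", ports)  # port 53 -> high ports only
        else:
            verdicts[src_ip] = ("unclassified", ports)
    return verdicts

if __name__ == "__main__":
    for ip, (verdict, ports) in classify_sources(SAMPLE_LOG).items():
        print(ip, verdict, ports)
```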