check this out, what is RR doing and what are these ports?

FiberOptik

Member
Aug 2, 2001
Hey all, I'm pasting part of a list of my firewall log. The following IPs are all RR DNS servers. Why are they trying to connect to me on such strange port numbers? Are they looking for some type of filesharing port open?

Dec 14 15:17:43 UDP Source = 24.94.165.25:53 Dest = Port 1029 (Ref=212-1683-4000-251 - Rule #9)
Dec 14 15:17:44 UDP Source = 24.94.163.34:53 Dest = Port 1029 (Ref=76-7274-0000-124 - Rule #9)
Dec 14 15:17:46 UDP Source = 24.94.163.33:53 Dest = Port 1029 (Ref=76-54860-0000-124 - Rule #9)
Dec 14 15:17:47 UDP Source = 24.94.163.34:53 Dest = Port 1029 (Ref=76-9961-0000-124 - Rule #9)
Dec 14 15:17:47 UDP Source = 24.94.165.25:53 Dest = Port 1029 (Ref=212-1684-4000-251 - Rule #9)
Dec 14 15:17:50 UDP Source = 24.94.163.33:53 Dest = Port 1029 (Ref=76-56739-0000-124 - Rule #9)
Dec 14 15:17:51 UDP Source = 24.94.165.25:53 Dest = Port 1029 (Ref=212-1685-4000-251 - Rule #9)
Dec 14 15:17:51 UDP Source = 24.94.163.34:53 Dest = Port 1029 (Ref=76-13220-0000-124 - Rule #9)
Dec 14 15:18:03 UDP Source = Dest = Port 63497 65.26.128.159:27015 (Ref=37-18863-0000-86 - Rule #13)
Dec 14 15:18:03 UDP Source = 24.94.163.33:53 Dest = Port 1029 (Ref=76-60508-0000-124 - Rule #9)
Dec 14 15:18:04 UDP Source = 24.94.163.34:53 Dest = Port 1029 (Ref=76-24322-0000-124 - Rule #9)
Dec 14 15:18:04 UDP Source = 24.94.165.25:53 Dest = Port 1029 (Ref=212-1686-4000-251 - Rule #9)
Dec 14 15:18:05 UDP Source = 24.94.163.33:53 Dest = Port 1029 (Ref=76-62594-0000-124 - Rule #9)
Dec 14 15:18:08 UDP Source = 24.94.163.33:53 Dest = Port 1029 (Ref=76-589-0000-124 - Rule #9)
Dec 14 15:18:08 UDP Source = 24.94.163.34:53 Dest = Port 1029 (Ref=76-28209-0000-124 - Rule #9)
Dec 14 15:18:08 UDP Source = 24.94.165.25:53 Dest = Port 1029 (Ref=212-1687-4000-251 - Rule #9)
Dec 14 15:24:53 UDP Source = 24.94.163.34:53 Dest = Port 1034 (Ref=104-11345-0000-124 - Rule #9)
Dec 14 15:24:54 UDP Source = 24.94.163.33:53 Dest = Port 1034 (Ref=104-57292-0000-124 - Rule #9)
Dec 14 15:24:56 UDP Source = 24.94.163.34:53 Dest = Port 1034 (Ref=104-14270-0000-124 - Rule #9)
Dec 14 15:24:56 UDP Source = 24.94.165.25:53 Dest = Port 1034 (Ref=286-19646-4000-251 - Rule #9)
Dec 14 15:24:56 UDP Source = 24.94.163.33:53 Dest = Port 1034 (Ref=104-58812-0000-124 - Rule #9)
Dec 14 15:25:00 UDP Source = 24.94.163.33:53 Dest = Port 1034 (Ref=104-62330-0000-124 - Rule #9)
Dec 14 15:25:00 UDP Source = 24.94.163.34:53 Dest = Port 1034 (Ref=104-18067-0000-124 - Rule #9)
Dec 14 15:25:00 UDP Source = 24.94.165.25:53 Dest = Port 1034 (Ref=268-19647-4000-251 - Rule #9)
 

Santa

Golden Member
Oct 11, 1999
I have cross-referenced the port and come up with ICQ, and bugbear virus, trojan port for latinus and net spy.

It maybe a worm or virus that has infected that machine or a spoof of that machine IP.
 

FiberOptik

Member
Aug 2, 2001
The weird part is that I am being scanned by the IP that RR's DNS servers sit on. So either someone is spoofing the IP of the DNS servers which might be poisoning my ARP cache? That might explain why my connection is very unstable right now. I have made another posting with a listing of all the IPs that are currently port scanning me. I realize that port scans happen all the time but I've never been hit with this many port scans in a period of just a few minutes, it struck me as rather odd. I certainly didn't expect to see the IP of RR's DNS servers port scanning me!
 

alrox

Member
Nov 17, 2002
those are dns lookups. source port 53, dest port is a port > 1024 on your box. what is rule #9 in your ruleset?
 

Garion

Platinum Member
Apr 23, 2001
Not only are those DNS lookups, those are probably responses to your DNS queries..

Your box is using a port (like 1029) to open a UDP connection to port 53 on your ISP's DNS server. Remember, UDP is connectionless, so there really isn't any "relation" between the request and the reply packet. When RR DNS replies, it sends it back from port 53 to the port that you used to send the request - 1029. It trips your firewall and bang. Off you go.

What might be happening that's tripping your firewall is that you could be sending a DNS request to a server on one IP, and that server is sending it back to you from another IP address. There are various network scenarios where this can happen - load-balanced servers, servers with multiple NICs, etc.

Nothing to worry about, except your firewall could be blocking traffic you actually need to use the network.

- G
 

FiberOptik

Member
Aug 2, 2001
You have an excellent point but read my other post. Why would I need network traffic from all those comps that are hitting me back on a set range of ports? If I run netstat I don't have any open connections that might lead me to believe that I'm inadvertently sending out traffic.
 

alrox

Member
Nov 17, 2002
Originally posted by: FiberOptik
rule #9 on my firewall is:

DENY udp ----l- 0.0.0.0/0 0.0.0.0/0 501:2099

that looks like a pretty crappy rule but I'm not sure how your consumer level router does rules. Allow outbound udp to port 53 and those entries will go away.
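An added example (not from any poster in this thread) that puts Garion's reading of the log and alrox's diagnosis of rule #9 together: it parses lines in the posted firewall format, flags UDP traffic from source port 53 to a port above 1024 as the shape of a DNS reply, and checks whether the quoted stateless DENY for destination ports 501:2099 would drop those replies. The log lines are constructed in the same format as the paste (one is deliberately garbled to show it is skipped); the regex and the range check are assumptions about how this firewall formats and matches, not its actual code.

```python
import re
from collections import Counter

# Constructed sample in the format of the posted firewall log (third line is garbled on purpose).
LOG = """\
Dec 14 15:17:43 UDP Source = 24.94.165.25:53 Dest = Port 1029 (Ref=212-1683-4000-251 - Rule #9)
Dec 14 15:17:44 UDP Source = 24.94.163.34:53 Dest = Port 1029 (Ref=76-7274-0000-124 - Rule #9)
Dec 14 15:18:03 UDP Source = Dest = Port 63497 65.26.128.159:27015 (Ref=37-18863-0000-86 - Rule #13)
Dec 14 15:24:53 UDP Source = 24.94.163.34:53 Dest = Port 1034 (Ref=104-11345-0000-124 - Rule #9)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d) (?P<proto>\w+) Source = "
    r"(?P<sip>[\d.]+):(?P<sport>\d+) Dest = Port (?P<dport>\d+) .*Rule #(?P<rule>\d+)\)$"
)

# Rule #9 as quoted in the thread: DENY udp 0.0.0.0/0 0.0.0.0/0 501:2099 (read as a dest-port range).
DENY_UDP_RANGE = (501, 2099)

def parse(log):
    """Return one dict per parseable log line; lines that do not match the format are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            events.append({**d, "sport": int(d["sport"]), "dport": int(d["dport"]), "rule": int(d["rule"])})
    return events

def looks_like_dns_reply(ev):
    """UDP from port 53 to an ephemeral (>1024) port is what a DNS answer looks like, not a scan."""
    return ev["proto"] == "UDP" and ev["sport"] == 53 and ev["dport"] > 1024

def blocked_by_stateless_rule(ev, rng=DENY_UDP_RANGE):
    """A plain port-range DENY has no memory of the outbound query, so it drops the reply too."""
    return ev["proto"] == "UDP" and rng[0] <= ev["dport"] <= rng[1]

def summarize(log):
    evs = parse(log)
    replies = [e for e in evs if looks_like_dns_reply(e)]
    return {
        "total": len(evs),
        "dns_replies": len(replies),
        "dns_replies_blocked": sum(blocked_by_stateless_rule(e) for e in replies),
        "resolvers": sorted({e["sip"] for e in replies}),
        "client_ports": sorted(Counter(e["dport"] for e in replies)),
    }

if __name__ == "__main__":
    print(summarize(LOG))
```

Every parseable line in the sample is a port-53 reply landing inside 501:2099, which is exactly why a stateful allow (or an explicit allow for replies from the ISP's resolvers) clears these entries.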