DNS massive portscan

Hi,

Our firewall is reporting that more than 3000 packets have been marked as portscan attacks. The source port is 53, the packets come from our ISP's IP range, and the destination ports range between 59000 and 61000.

I have already reported this to our ISP, but I just want to know what security issues might be related to this sort of portscan.
Educad Asked:
arnold Commented:
Without packet capture, I think you are mistaken as to the direction and the source.

Double-check whether the source IP you see is one of your ISP's DNS servers. If it is, use a network capturing tool; I suspect that all of those are responses.
If you have an internal DNS server or servers, double-check that you are not using forwarders to those IPs, and see if the issue persists.

Capturing packets and determining what they are will go a long way to determining what is going on.
0
DrAtomic Commented:
When a TCP/IP session is opened, a source port is used; however, there is always a response port as well. See http://www.tcpipguide.com/free/t_TCPIPClientEphemeralPortsandClientServerApplicatio-3.htm.

What you are seeing are the responses by your ISP to forward lookup requests (as it is using the response port carrying the source port; the exception being spoofed reply floods).

The question is: what is causing your internal DNS to send out so many forward lookup requests? The main suspicion here would be an infected client or server that is being used to send out a massive mail bomb (spam).

Instead of focusing your monitoring on the responses, assume that they are legit and monitor your own DNS server to see which source is requesting all these forward lookups.
0
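
An added example (not part of the thread and not any participant's code) of the check both answers point to: pair each packet from source port 53 with the query that requested it, list responses nobody asked for, and count which hosts are generating the lookups. It assumes DNS over UDP and a capture already reduced to (src_ip, src_port, dst_ip, dst_port, payload) tuples; the addresses, ports and transaction IDs in `SAMPLE` are constructed.

```python
import struct
from collections import Counter

def dns_header(payload):
    """Return (transaction_id, is_response) from the fixed 12-byte DNS header."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    txid, flags = struct.unpack("!HH", payload[:4])
    return txid, bool(flags & 0x8000)  # QR bit: 0 = query, 1 = response

def classify(packets):
    """packets: iterable of (src_ip, src_port, dst_ip, dst_port, udp_payload)."""
    pending = set()                 # (client_ip, client_port, server_ip, txid)
    queries_per_source = Counter()  # who is generating the lookups
    solicited, unsolicited = 0, []
    for src, sport, dst, dport, payload in packets:
        try:
            txid, is_response = dns_header(payload)
        except ValueError:
            continue                # not a parseable DNS message; skip it
        if dport == 53 and not is_response:
            pending.add((src, sport, dst, txid))
            queries_per_source[src] += 1
        elif sport == 53 and is_response:
            key = (dst, dport, src, txid)
            if key in pending:      # answer to a query we saw leave
                pending.discard(key)
                solicited += 1
            else:                   # nothing asked for this: worth a closer look
                unsolicited.append((src, dst, dport, txid))
    return solicited, unsolicited, queries_per_source

def _hdr(txid, flags):
    # Constructed test data: header only, one question counted, no body.
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)

FWD, ISP = "192.0.2.10", "198.51.100.53"   # documentation addresses, constructed
SAMPLE = [
    (FWD, 59001, ISP, 53, _hdr(0x1001, 0x0100)),
    (ISP, 53, FWD, 59001, _hdr(0x1001, 0x8180)),
    (FWD, 60210, ISP, 53, _hdr(0x1002, 0x0100)),
    (ISP, 53, FWD, 60210, _hdr(0x1002, 0x8180)),
    (ISP, 53, FWD, 60500, _hdr(0xBEEF, 0x8180)),   # no matching query
    (ISP, 53, FWD, 60777, b"\x00\x01"),            # truncated, skipped
]

if __name__ == "__main__":
    ok, odd, sources = classify(SAMPLE)
    print(f"solicited={ok} unsolicited={odd} queries_by_source={dict(sources)}")
```

A high solicited count with an empty unsolicited list means the firewall is flagging ordinary replies, and `queries_per_source` then shows which host to investigate.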
