
DNS massive portscan


Our firewall is reporting that more than 3000 packets have been marked as portscan attacks. The source port is 53 and it is from our ISP IP range, and the destination port is in the range between 59000 and 61000.

I have already reported to our ISP but I just want to know what security issues might be related to this sort of portscan.
2 Solutions
Without packet capture, I think you are mistaken as to the direction and the source.

Double-check to see whether the source IP you see is your ISP's DNS servers. If they are, using a network capturing tool, I suspect that all those are responses.
If you have internal DNS server(s), double-check that you are not using forwarders to those IPs. And see if the issue persists.

Capturing packets and determining what they are will go a long way to determining what is going on.
When a TCP/IP session is opened a source port is used, however there is always a response port as well. See http://www.tcpipguide.com/free/t_TCPIPClientEphemeralPortsandClientServerApplicatio-3.htm.

What you are seeing are the responses by your ISP for forward lookup requests (as it is using the response port carrying the source port; exception being spoofed reply floods).

The question is what is causing your internal DNS to send out so many forward lookup requests? The main suspicion here would be an infected client or server that is being used to send out a massive mail bomb (spam).

Instead of focusing your monitoring on the responses, assume that they are legit and monitor your own DNS server to see which source is requesting all these forward lookups.
Question has a verified solution.
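
The two checks suggested in the answers, as an added example that is not part of the original thread: match each packet arriving from source port 53 to an earlier outbound query on the same ephemeral port, then count forward lookups per internal client. The addresses, the record layouts, and the names `classify_inbound` and `top_requesters` are assumptions, and the sample data is constructed.

```python
from collections import Counter

RESOLVER = "192.0.2.53"   # stand-in for the ISP DNS server (documentation range)
DNS_SRV = "10.0.0.2"      # stand-in for the internal DNS server / forwarder

# Constructed firewall flow records: (time_s, src_ip, src_port, dst_ip, dst_port)
FLOWS = [
    (0.00, DNS_SRV, 59120, RESOLVER, 53),
    (0.03, RESOLVER, 53, DNS_SRV, 59120),   # answer to the query above
    (0.10, DNS_SRV, 60455, RESOLVER, 53),
    (0.14, RESOLVER, 53, DNS_SRV, 60455),   # answer to the query above
    (9.00, RESOLVER, 53, DNS_SRV, 60999),   # no query behind it
]

# Constructed query log from the internal DNS server: (client_ip, qname)
QUERIES = [("10.0.0.21", "mx1.example.net")] * 40 + [
    ("10.0.0.30", "www.example.com"),
    ("10.0.0.31", "intranet.example.org"),
]


def classify_inbound(flows, window=5.0):
    """Label each packet arriving from source port 53 as a solicited
    response or an unsolicited packet, by matching it to an earlier query."""
    pending = {}   # (client_ip, client_port, server_ip) -> time of last query
    labels = []
    for t, src, sport, dst, dport in sorted(flows):
        if dport == 53:                      # outbound query
            pending[(src, sport, dst)] = t
        elif sport == 53:                    # inbound packet from a DNS server
            asked = pending.get((dst, dport, src))
            ok = asked is not None and t - asked <= window
            labels.append((t, src, dport, "response" if ok else "unsolicited"))
    return labels


def top_requesters(queries, n=3):
    """Count forward lookups per internal client to find the heavy sender."""
    return Counter(client for client, _ in queries).most_common(n)


if __name__ == "__main__":
    for row in classify_inbound(FLOWS):
        print(row)
    print(top_requesters(QUERIES))
```

Packets labelled `unsolicited` are the ones that fit the spoofed-reply exception mentioned above; a single client dominating `top_requesters` is the host to inspect first.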
