[dns-operations] udp/49153
Sam Norris
2008-12-01 22:10:34 UTC
Just taking a quick poll about DNS queries coming in on udp/49153. Does
anyone know what resolver is using this port, and why?

Thx,
Sam
Robert Edmonds
2008-12-01 22:12:56 UTC
Post by Sam Norris
Just taking a quick poll about DNS queries coming in on udp/49153. Does
anyone know what resolver is using this port, and why?
the IANA dynamic and/or private ports are 49152 - 65535.

a poorly randomized ephemeral resolver?
--
Robert Edmonds
edmonds at gtisc.gatech.edu
Sidney Faber
2008-12-01 23:35:59 UTC
Windows Vista and 2008 now use the IANA-recommended ephemeral port range of
49152 - 65535; earlier versions used 1024-5000 (see KB#929851,
http://support.microsoft.com/kb/929851/). From what I've observed, even
Microsoft ISA used the 1024-5k range by default. As Windows resolvers are
upgraded, we should see the migration of most 1024+ traffic to 49152+.

This only applies to Microsoft machines not patched with MS08-037; once the
DNS source port randomization patch is applied, 49152 won't be preferred any
more than 65535 (see http://support.microsoft.com/kb/953230, "What is the
effective port range when the value of the MaxUserPort registry entry is set
explicitly?").

Mac OS X and others also use the 49152-65535 range, but I'd bet a majority
of what you're seeing is out-of-the-box Vista installs.

_______________________________________________
dns-operations mailing list
dns-operations at lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
Duane Wessels
2008-12-01 23:51:20 UTC
Post by Sam Norris
Just taking a quick poll about DNS queries coming in on udp/49153. Does
anyone know what resolver is using this port, and why?
Hi Sam,

I assume you're saying that 49153 is the destination port for what
appears to be DNS messages hitting your authoritative nameservers,
right?

If so, can you show us how it looks in tcpdump (or wireshark?)

DW
Sam Norris
2008-12-02 00:00:38 UTC
Post by Duane Wessels
Post by Sam Norris
Just taking a quick poll about DNS queries coming in on udp/49153. Does
anyone know what resolver is using this port, and why?
Hi Sam,
I assume you're saying that 49153 is the destination port for what
appears to be DNS messages hitting your authoritative nameservers,
right?
If so, can you show us how it looks in tcpdump (or wireshark?)
DW
These are requests coming _to_ destination port 49153, not source ports.
This is why they stuck out, they are querying the wrong port for DNS. I
will put together some packet captures to share shortly. My guess is a
broken NAT or proxy device somewhere. I was trying to determine the user
agent so we could look into it more.

Sam
Ken A
2008-12-02 01:06:10 UTC
Post by Sam Norris
Post by Duane Wessels
Post by Sam Norris
Just taking a quick poll about DNS queries coming in on udp/49153.
Does anyone know what resolver is using this port, and why?
Hi Sam,
I assume you're saying that 49153 is the destination port for what
appears to be DNS messages hitting your authoritative nameservers,
right?
If so, can you show us how it looks in tcpdump (or wireshark?)
DW
These are requests coming _to_ destination port 49153, not source ports.
This is why they stuck out, they are querying the wrong port for DNS. I
will put together some packet captures to share shortly. My guess is a
broken NAT or proxy device somewhere. I was trying to determine the
user agent so we could look into it more.
isc.sans.org says they might be SCADA related.
http://isc.sans.org/port.html?port=49153

Ken
--
Ken Anderson
http://www.pacific.net/
Marcin Antkiewicz
2008-12-02 06:21:49 UTC
Post by Ken A
isc.sans.org says they might be SCADA related.
http://isc.sans.org/port.html?port=49153
Good evening,

If the traffic is Modbus ASCII, the frames should begin with 0x3A and
end with 0x0D0A, with values from 0x30 to 0x45 as payload.

I would love to get the dumps.

Given the number of sources, that (in my experience) PLCs are almost
always installed in private IP space and that modbus ascii is very
rare, I doubt this traffic is a case of data leak from a sensor
network.

--
Marcin Antkiewicz
Sebastian Castro Avila
2008-12-02 00:08:20 UTC
Post by Sam Norris
Just taking a quick poll about DNS queries coming in on udp/49153. Does
anyone know what resolver is using this port, and why?
During the analysis of traces from the root servers collected in DITL
2006 and 2007 I remember seeing the source port 49152 (and nearby
vicinity) as an interesting point.

The graph is here.

I don't know if data from 2008 behaves in the same way.

Kind Regards
Sebastian
Duane Wessels
2008-12-05 22:08:25 UTC
Post by Sam Norris
Just taking a quick poll about DNS queries coming in on udp/49153. Does
anyone know what resolver is using this port, and why?
I ran tcpdump on the OARC nameserver and captured a few, but they
don't look like DNS to me:

20:59:46.132091 IP xx.xxx.xxx.xxx.32771 > 149.20.58.65.49153: UDP, length 50
0x0000: 4500 004e 45dc 0000 3411 b6fc .... ....
0x0010: 9514 3a41 8003 c001 003a 3d40 6c69 6e6b
0x0020: 7072 6f6f 662e 7072 6f78 696d 6974 792e
0x0030: 6164 7661 6e63 6564 0000 0000 0000 0000
0x0040: 0000 0000 0000 0000 0000 0000 0000

Following the UDP header is the character string "linkproof.proximity.advanced"
which seems to be associated with a product by Radware.

DW
Sam Norris
2008-12-05 23:14:33 UTC
Post by Duane Wessels
I ran tcpdump on the OARC nameserver and captured a few but they
20:59:46.132091 IP xx.xxx.xxx.xxx.32771 > 149.20.58.65.49153: UDP, length 50
0x0000: 4500 004e 45dc 0000 3411 b6fc .... ....
0x0010: 9514 3a41 8003 c001 003a 3d40 6c69 6e6b
0x0020: 7072 6f6f 662e 7072 6f78 696d 6974 792e
0x0030: 6164 7661 6e63 6564 0000 0000 0000 0000
0x0040: 0000 0000 0000 0000 0000 0000 0000
Following the UDP header is the character string
"linkproof.proximity.advanced"
which seems to be associated with a product by Radware.
Today there are definitely not as many as last week, and I can't find any
that are actual DNS payload as I did before.

0000 00 30 48 56 3c 19 00 04 23 bd f7 da 08 00 45 00 .0HV<...#.....E.
0010 00 4e 2b 14 00 00 33 11 6b c7 55 0a 24 02 cc 10 .N+...3.k.U.$...
0020 ab a7 8a e8 c0 01 00 3a cb 5d 6c 69 6e 6b 70 72 .......:.]linkpr
0030 6f 6f 66 2e 70 72 6f 78 69 6d 69 74 79 2e 61 64 oof.proximity.ad
0040 76 61 6e 63 65 64 00 00 00 00 00 00 00 00 00 00 vanced..........
0050 00 00 00 00 00 00 00 00 00 00 00 00 ............

The one I just saw is the same as your snippet. Previously the ones I
witnessed (without keeping captures dang it) were actual spamhaus RBL
queries coming to a mirror here. I am only seeing onsey twoseys now whereas
last week I was seeing hundreds of thousands from lots of sources.

Sam
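The two hex dumps in this thread (Duane's tcpdump -x output and Sam's Wireshark-style dump) can be decoded mechanically to confirm what is hitting udp/49153. Below is an added example written for this page, not code from any poster or from OARC: it parses both dump styles into bytes, decodes the IPv4 and UDP headers, and then classifies the payload as a well-formed DNS question, a Modbus ASCII frame (Marcin's suggestion, checked with the ':' start, CR LF end, hex-digit body and LRC trailer of the Modbus serial-line spec), or a plain NUL-terminated text string such as "linkproof.proximity.advanced". Assumptions: the masked source address in Duane's paste (`....`) is replaced with zero bytes, Sam's dump is assumed to begin with a 14-byte Ethernet II header, and the DNS and Modbus sample payloads below are constructed for the demo.

```python
"""Decode the udp/49153 hex dumps from the thread and classify the payloads.
Editor's example, not code from the mailing-list posters."""
import re
import string

HEX_TOKEN = re.compile(r"^[0-9a-fA-F]{2}$|^[0-9a-fA-F]{4}$")

# Duane's tcpdump -x paste (IPv4 header first; source IP masked with '....').
DUANE_DUMP = """\
0x0000: 4500 004e 45dc 0000 3411 b6fc .... ....
0x0010: 9514 3a41 8003 c001 003a 3d40 6c69 6e6b
0x0020: 7072 6f6f 662e 7072 6f78 696d 6974 792e
0x0030: 6164 7661 6e63 6564 0000 0000 0000 0000
0x0040: 0000 0000 0000 0000 0000 0000 0000"""

# Sam's Wireshark-style paste (Ethernet II header first, ASCII column on the right).
SAM_DUMP = """\
0000 00 30 48 56 3c 19 00 04 23 bd f7 da 08 00 45 00 .0HV<...#.....E.
0010 00 4e 2b 14 00 00 33 11 6b c7 55 0a 24 02 cc 10 .N+...3.k.U.$...
0020 ab a7 8a e8 c0 01 00 3a cb 5d 6c 69 6e 6b 70 72 .......:.]linkpr
0030 6f 6f 66 2e 70 72 6f 78 69 6d 69 74 79 2e 61 64 oof.proximity.ad
0040 76 61 6e 63 65 64 00 00 00 00 00 00 00 00 00 00 vanced..........
0050 00 00 00 00 00 00 00 00 00 00 00 00 ............"""

# Constructed sample payloads: a minimal DNS query for example.com and a
# Modbus ASCII "read holding registers" frame whose LRC byte (FB) is valid.
DNS_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
             b"\x07example\x03com\x00\x00\x01\x00\x01")
MODBUS_FRAME = b":010300000001FB\r\n"


def parse_hexdump(text, bytes_per_line=16):
    """Turn hex-dump lines into bytes. The first token of each line is the
    offset; at most bytes_per_line bytes follow; the ASCII column is ignored.
    A '....' token (tcpdump masking) is taken as two zero bytes (assumption)."""
    out = bytearray()
    for line in text.strip().splitlines():
        n = 0
        for tok in line.split()[1:]:
            if n >= bytes_per_line:
                break
            if HEX_TOKEN.match(tok):
                chunk = bytes.fromhex(tok)
            elif re.fullmatch(r"\.{4}", tok):
                chunk = b"\x00\x00"
            else:
                break  # reached the ASCII column
            out += chunk
            n += len(chunk)
    return bytes(out)


def parse_ipv4_udp(pkt, link_layer=False):
    """Decode IPv4 + UDP headers; return a dict, or None if not IPv4/UDP."""
    if link_layer:  # strip a 14-byte Ethernet II header carrying IPv4
        if len(pkt) < 14 or pkt[12:14] != b"\x08\x00":
            return None
        pkt = pkt[14:]
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = int.from_bytes(pkt[2:4], "big")
    if pkt[9] != 17 or len(pkt) < ihl + 8:  # protocol 17 = UDP
        return None
    udp = pkt[ihl:total_len]
    sport, dport, ulen = (int.from_bytes(udp[i:i + 2], "big") for i in (0, 2, 4))
    return {"src": ".".join(str(b) for b in pkt[12:16]),
            "dst": ".".join(str(b) for b in pkt[16:20]),
            "sport": sport, "dport": dport, "payload": udp[8:ulen]}


def looks_like_dns(payload):
    """Minimal sanity check: 12-byte header, exactly one question whose
    label sequence is well-formed and followed by QTYPE/QCLASS."""
    if len(payload) < 12 or int.from_bytes(payload[4:6], "big") != 1:
        return False
    i = 12
    while i < len(payload) and payload[i] != 0:
        if payload[i] > 63:  # a question name carries no compression pointers
            return False
        i += 1 + payload[i]
    return i < len(payload) and len(payload) >= i + 1 + 4


HEX_DIGITS = frozenset(b"0123456789ABCDEF")


def looks_like_modbus_ascii(payload):
    """':' + hex pairs + CR LF; the last pair is an LRC so that the byte sum
    of the decoded frame is 0 mod 256 (Modbus serial-line spec)."""
    if len(payload) < 7 or payload[:1] != b":" or payload[-2:] != b"\r\n":
        return False
    body = payload[1:-2]
    if len(body) % 2 or not set(body) <= HEX_DIGITS:
        return False
    return sum(bytes.fromhex(body.decode())) & 0xFF == 0


def classify(payload):
    """Return 'modbus-ascii', 'dns', 'text:<string>' or 'unknown'."""
    if looks_like_modbus_ascii(payload):
        return "modbus-ascii"
    if looks_like_dns(payload):
        return "dns"
    text = payload.split(b"\x00", 1)[0]
    if text and all(chr(c) in string.printable for c in text):
        return "text:" + text.decode("ascii")
    return "unknown"


def analyze(dump_text, link_layer=False):
    """Parse a pasted dump and attach the payload classification."""
    info = parse_ipv4_udp(parse_hexdump(dump_text), link_layer)
    if info is not None:
        info["kind"] = classify(info["payload"])
    return info


if __name__ == "__main__":
    for name, dump, eth in (("Duane", DUANE_DUMP, False), ("Sam", SAM_DUMP, True)):
        p = analyze(dump, eth)
        print(f"{name}: {p['src']}:{p['sport']} -> {p['dst']}:{p['dport']} {p['kind']}")
```

Both captures decode to 50-byte payloads that are neither DNS nor Modbus, just the Radware string padded with NULs, which matches Duane's reading; the same `classify()` applied to a live capture filter on dst port 49153 would separate any stray real DNS queries (like the RBL lookups Sam saw earlier) from the LinkProof probes.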
