Threat Level: green Handler on Duty: Manuel Pelaez

SANS ISC Port Details:


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Graph

[show ascii data]
Graph Criteria
  • Start Date:
  • End Date:
  • Port:
  • Left Y Axis:
  • Right Y Axis:

Port Information

Protocol Service Name
tcp domain Domain Name Server
udp domain Domain Name Server
tcp ADMworm [trojan] ADM worm
tcp Lion [trojan] Lion
[get complete service list]

User Comment

Submitted By Date
Comment
Joe 2012-12-18 14:01:20
Am I the only one that has noticed a huge increase in DNS (UDP Port 53) traffic, particularly on DNS Sources, that began on Friday, December 14, 2012. I've been dealing with the same problem, and need to know if there is something that can be done to mitigate this DDOS Attack?
Alexander Dupuy 2009-12-10 18:41:48
Dell RACADM remote access controller command line interface uses TCP port 5869 to contact some (older) DRAC 3 & 4 management cards. See pages 30 & 32 of http://support.dell.com/support/edocs/software/smsom/6.0.1/en/ug/pdf/ug.pdf
Clarke Morledge 2005-10-14 00:44:13
If an America Online's Instant Messenger (AIM) client attempts to connect to port 5190 to reach a server and can not, it will go ahead and try to reach an AIM server on TCP port 53. Sometimes 5190/tcp is blocked by firewalls so the attempt to communicate on port 53, which is normally open for DNS, works to get around the firewall restriction (IMHO, this defeats the whole purpose of trying to associate an application protocol to a particular transport layer port).
2004-06-15 02:01:42
What does this mean ? User Comment - Port 53 back to port details Speedera's latency checking service is known to send port 53 UDP packets. See: http://archives.neohapsis.com/archives/snort/2002-07/0626.html ----- Submitted by: Tom Liston. Last update: Feb 10th 2004
Tom Liston 2004-02-10 21:24:25
Speedera's latency checking service is known to send port 53 UDP packets. See: http://archives.neohapsis.com/archives/snort/2002-07/0626.html
Marcus H. Sachs, SANS Institute 2003-10-10 00:35:36
SANS Top-20 Entry: U1 BIND Domain Name System http://isc.sans.org/top20.html#u1 The Berkeley Internet Name Domain (BIND) package is the most widely used implementation of the Domain Name Service (DNS), a critical system that allows the conversion of hostnames (e.g. www.sans.org) into the registered IP address. The ubiquity and critical nature of BIND has made it a frequent target, especially in Denial of Service (DoS) attacks, which can result in a complete loss of accessibility to the Internet for services and hosts. Whilst BIND developers have historically been quick to repair vulnerabilities, an inordinate number of outdated, misconfigured and/or vulnerable servers remain in place.
Johannes Ullrich 2002-10-11 16:40:56
Port 53 is used by DNS (Domain Name System). DNS takes care of recolving human readable 'host names' into numeric IP addresses. A commonly used DNS server called BIND has had a rich history of security problems. As a result, BIND and port 53 are frequent targets and a couple worms used BIND exploits to propagate.
Add a comment

CVE Links

CVE # Description
CVE-1999-9 "Inverse query buffer overflow in BIND 4.9 and BIND 8 Releases."
CVE-1999-532 "A DNS server allows zone transfers."
CVE-1999-532 "A DNS server allows zone transfers."
CVE-1999-833 "Buffer overflow in BIND 8.2 via NXT records."
CVE-2001-10 "Buffer overflow in transaction signature (TSIG) handling code in BIND 8 allows remote attackers to gain root privileges."
CVE-2001-10 "Buffer overflow in transaction signature (TSIG) handling code in BIND 8 allows remote attackers to gain root privileges."