ISP linked DNS server is port scanning.

I am getting these port scans maybe every couple of hours each day. The log entry is from Comodo Pro. Unfortunately I am not sure why there should be a scan from my primary DNS server. I was advised to contact my ISP (Telkom) about this, but from past experience I know that this would be fruitless.
My computer is clean. Scans with NOD32, SAS, AVG AS, a2 and RkUnhooker show no infections. Router is Netgear. Using Proxomitron localhost.
Any ideas ?

Date/Time :2007-03-24 12:12:02Severity :High Reporter :Network Monitor Description: UDP Port ScanAttacker: 196.25.1.11 Ports: 9733, 61700, 62468, 63236, 64004, 64772, 65284, 261, 517, 1029, 1285, 1797, 2309, 3077, 3845, 4357, 5125, 5637, 5893, 6405, 6661, 7173, 7685, 8453, 9221, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 The attacker has been temporarily blocked




And the Whois:

% This is the AfriNIC Whois server.

% Note: this output has been filtered.

% Information related to '196.25.1.0 - 196.25.1.255'

inetnum: 196.25.1.0 - 196.25.1.255
netname: IPNET-SRV
descr: Telkom SA Limited
descr: Integrated Network Planning
descr: Private Bag X74
descr: Pretoria
descr: Gauteng
descr: 0001
country: ZA
admin-c: MST95-AFRINIC
tech-c: JDU24-AFRINIC
tech-c: PB455-AFRINIC
status: ASSIGNED PA
remarks: noc e-mail: <nnoc@saix.net>, phone: +27-12-680-0224
remarks: abuse e-mail: <abuse@saix.net>, phone: +27-12-680-7561
mnt-by: TELKOM-SA-IPNET-MNT
source: AFRINIC # Filtered
parent: 196.25.0.0 - 196.25.255.255

person: Markus Stoltz
address: Integrated Network Planning
address: Private Bag X74
address: Pretoria
address: Gauteng
address: 0001
address: ZA
phone: +27 12 680 7816
e-mail: stoltzmr@telkom.co.za
nic-hdl: MST95-AFRINIC
source: AFRINIC # Filtered

.....Snipped the rest.

 

I think this may be a problem/bug with comodo, see this post,
I dont know if the issue was looked into by comodo?

 

Many thanks Stem. I did see that post and quite a few others re. the same/similar topic on Comodo forums. So, nothing to worry about ? - your reassurance will guarantee a good nights sleep for me !

 

Hi Ocky,

As these reported scans are from your ISP,.... Personally, I would be more worried about the fact my DNS servers where being blocked.

 

Meaning what exactly Stem - that the servers are themselves compromised ?
As the scans are being blocked, I suppose I can still count on a good nights sleep.

 

No, the fact that comodo was blocking my DNS servers.

Are they scans? or late DNS replies? or just a problem with comodo?.


Out of interest, who told you to contact your ISP about this?

 

I posted on the Comodo forum. See here, and scroll down:-
http://forums.comodo.com/index.php?PHPSESSID=11eeac89e171205e6c267a7a9f54ce18&topic=7376.0
I appreciate your interest - hopefully one can track the scans
to either a problem with Comodo or something like delayed DNS replies as you mentioned.

 

I will try and find time later tonight, or tomorrow, to set up to see if I can find a possible cause/explanation for this.

 

A slow DNS server can result in false alerts since late responses may be misinterpreted as new incoming connection attempts. The best way to check this is to review the outgoing traffic logs to see if your PC had previously made outgoing DNS connections where the local ports correspond with the ports listed on the alert.

I'd ordinarily pass this off as an overly-sensitive firewall but the port listing in the alert seems a little odd (for late replies, I'd expect a list showing increasing values in the 1024-5000 range, though if you're running Vista this apparently has changed). The repeated 0's seem particularly odd and could well be a symptom of a bug.

 

Hello Ocky,

I have installed version 2.4.18.184
From my quick test, Up to now the "alerts" show have been correct. Any late/unauthorized UDP would show as either "Inbound policy violation" or "DDOS attack(UDP Flood)" ~ (depending on amount of packets and your settings within comodo). UDP scans are recognised.


The only error I have seen (up to now) is the port list shown in the scan alert(log), as this is incorrect, (so ignore the list of ports scanned).

I will have another look tomorrow (when I have more time).

 

This does look like a bug. Any scans I make give a list similar to the one posted (even though I did not scan port 0)

 

Thank you Paranoid, and Stem for taking the time to run some tests. My log alert level is set to low, and the only other alerts I have noticed are ICMP outbound policy violations from my LAN router port to either the primary or secondary DNS server. There are no inbound policy violations or flood attacks thus ruling out late responses as mentioned by Stem.

So the UDP port scans by the DNS server are normal and only the list of ports scanned is suspect maybe due a Comodo bug ?

Regards.

 

No, not normal.

Interesting. You are on a LAN?. More info on your setup please.

 

Some info. Windows XP SP2 Home. Netgear DG834v3 Firewall ADSL router. One port connected to my ethernet card, one port connected to a Netgear wireless access point for wife's laptop (downstairs). No network, no file/printer sharing, netbios over TCP/IP disabled. RPC locator disabled.
Seconfig XP settings (for home) applied as shown. Must reiterate that both computers are clean and working tip-top. Things are starting to get confusing for a near novice like me What other info would be pertinent to the Comodo logging conundrum ?

 

Hi Ocky,

Any external scans, be it from an online test site, your ISP or wherever outside your LAN would be intercepted (made against) your router. So your PC firewall should not see these (if they are made)

Go to Shields UP and perform an online scan. Then check comodo logs to see if the scans are passing the router.

 

Stem, I went to Shields Up - my firewall did not see the scans. Passed, see below:

GRC Port Authority Report created on UTC: 2007-03-25 at 12:57:13

Results from scan of ports: 0-1055

0 Ports Open
0 Ports Closed
1056 Ports Stealth
---------------------
1056 Ports Tested

ALL PORTS tested were found to be: STEALTH.

TruStealth: PASSED - ALL tested ports were STEALTH,
- NO unsolicited packets were received,
- NO Ping reply (ICMP Echo) was received.

EDIT: My PC Firewall did not see the scans ( as it should be)

 

Have you tried using alternate DNS servers such as OpenDNS or TreeWalk? This might help you narrow down your problem by determining if the problem is indeed with your firewall or your ISP's DNS servers. Try using OpenDNS first by adding their server addresses to your router. Then reboot everything.

http://www.opendns.com/start/at_home.php


I use TreeWalk DNS (free program) to do my lookups (I have no router) and it uses about 6MB of ram on my system. If you decide to try it, here are some tips for this program.

1. You need to allow full bi-directional access (both client and server rights) to the "Named.exe" process and the "Dig.exe" process when your firewall alerts you. You should still test "all stealth" when running a port scan.

2. You need to update your root hints from ICANN (this is very easy to do). Just click start, all programs, treewalk, config, and then update from ICANN.

3. If this program does not work for you and you uninstall it, you need to stop the local DNS service first. Just go to treewalk in the all programs menu (same steps as above) and stop the service before you uninstall.

http://ntcanuck.com/index.htm

This is something to try and may help you track down the problem......good luck.

 

Hi Ocky,

Good to hear.
If you where the only user of comodo to report this, then I would of maybe thought for you to have your router checked, but as you are not,... I would think this is a bug in comodo.

 

Stem, many thanks again. I suppose the decent thing to do would be for me to refer Comodo to this thread, unless there are other avenues still to be explored ? Also, I have a spare router, Netgear DG834 ( not v3) and there is no difference in Comodo logging those ubiquitous DNS server UDP scans.
BTW. What is your opinion on bigkatt74's suggestion (post #17 above) ?

@bigkatt74
New to me, but interesting, especially opendns which looks/is easy peasy to setup. Would appreciate Stems comment on it.
PS. Your security setup is practically identical to mine. Only difference is I use Opera and don't use TreeWalk DNS.

Regards.

 

Hi Ocky,
I dont think it is a problem with your DNS servers. (they would not be able to scan passed the router)
What you could try is place a fixed IP into your PC, then set the DNS server as the router. You could also disable the DNS client in windows.

As for DNS alternatives, I have never looked into this (never a need), but I certainly prefer not to install a program with server rights to make DNS lookups.

 

OK, Stem. At least I now have some idea, but please one last question. Do you mean the DNS client service in mmc ?

Regards and thanks.

 

Yes, the DNS service.