Port scanning by Plusnet DNS server?

JayG
Pro
Posts: 1,145
Thanks: 143
Fixes: 6
Registered: ‎30-10-2011

My trusty Netgear DG834 v4 is set to email me with details of any attempted port scan or DoS attack, and I get probably one alert every few weeks containing IP addresses from all over the globe.
Last night, earlier this morning, and currently I have had a few dozen emails, some of which relate to the usual suspects, but many are as follows:
[DOS] UDP Packet - Source:212.159.6.10,53 Destination:XX.XXX.XXX.43,55014 (my current IP address)
The source appears to be PlusNet's own "additional DNS" servers which seems pretty weird to me - does anyone have any idea what might be going on here?
The router is set to use 8.8.8.8 and 8.8.4.4 and has been for years - nothing else has been tweaked or altered either.
10 REPLIES
JayG
Pro
Posts: 1,145
Thanks: 143
Fixes: 6
Registered: ‎30-10-2011

Re: Port scanning by Plusnet DNS server?

Still getting security alerts of DoS attacks, hundreds still from PlusNet (:212.159.6.9) but now several hundred individual attacks from Apple (17.173.254.222) this morning.
Could a member of the PlusNet support team please check whether this is a 'feature' of my current IP address, which I obviously don't want to post here?
I shall try to obtain a new address if you believe that may solve the problem.
AndyH
Grafter
Posts: 6,824
Thanks: 1
Registered: ‎27-10-2012

Re: Port scanning by Plusnet DNS server?

This is their DNS servers - 212.159.6.10. It's not port scanning you, it's responding to your DNS lookup request.
17.173.254.222 is Apple's iMessage server I believe.
JayG
Pro
Posts: 1,145
Thanks: 143
Fixes: 6
Registered: ‎30-10-2011

Re: Port scanning by Plusnet DNS server?

Quote from: AndyH
This is their DNS servers - 212.159.6.10. It's not port scanning you, it's responding to your DNS lookup request.

The router is set to only use Google DNS servers - why would it be trying to look up using PN servers?
AndyH
Grafter
Posts: 6,824
Thanks: 1
Registered: ‎27-10-2012

Re: Port scanning by Plusnet DNS server?

Not sure - but port 53 and 212.159.6.10 is a DNS lookup request I think.
Are you sure the router is set to use Plusnet's DNS servers?
JayG
Pro
Posts: 1,145
Thanks: 143
Fixes: 6
Registered: ‎30-10-2011

Re: Port scanning by Plusnet DNS server?

The router (and the Win7 PC) is set to use the two Google DNS servers as listed in my original post.
npr
Pro
Posts: 1,898
Thanks: 119
Fixes: 9
Registered: ‎21-01-2013

Re: Port scanning by Plusnet DNS server?

That, coming from port 53, looks very much like a DNS reply.
Have you rechecked the DNS settings in your trusty Netgear?
Is it running custom firmware by any chance?
JayG
Pro
Posts: 1,145
Thanks: 143
Fixes: 6
Registered: ‎30-10-2011

Re: Port scanning by Plusnet DNS server?

Router settings definitely as stated (primary and secondary respectively.)
No custom firmware (currently 5.01.16 although I note that 5.01.17 was released earlier this year which "fixed TCP port 32764 issue", which I must admit is way beyond my level of IT knowledge to be able to understand the possible implications of it!)
npr
Pro
Posts: 1,898
Thanks: 119
Fixes: 9
Registered: ‎21-01-2013

Re: Port scanning by Plusnet DNS server?

Have you tried the following command, on a Windows PC, to check what the network adapter thinks it's using for DNS?
ipconfig /all
Also the router may well be using the DNS servers (Plusnet's) assigned via DHCP for its own internal lookups, e.g. to resolve things set in the router like the time server etc.
AndyH
Grafter
Posts: 6,824
Thanks: 1
Registered: ‎27-10-2012

Re: Port scanning by Plusnet DNS server?

Can you work out which machine (from the IP) is querying the PN DNS server? If you can (and it's a Windows machine), go Start > run > cmd (enter) > ipconfig /all | findstr /R "DNS\ Servers" then post what your results are.
JayG
Pro
Posts: 1,145
Thanks: 143
Fixes: 6
Registered: ‎30-10-2011

Re: Port scanning by Plusnet DNS server?

OK, I've successfully flashed the Netgear with the latest firmware, which of course automatically disconnected and then (thankfully :D) reconnected with a new IP address.
If I continue to have problems I'll be trying your suggestions - thanks very much for your help so far.
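
Added example (not part of any post in this thread): a small triage script for router alert emails in the format quoted in the first post. It separates UDP packets that have the shape of a DNS answer (source port 53, high destination port) from other alerts, and flags answers from resolvers the router is not configured to use. The function names, the destination addresses and the TCP sample line are constructed assumptions.

```python
import re
from collections import Counter

# Resolvers the router in the thread is configured to use (8.8.8.8 / 8.8.4.4).
CONFIGURED_RESOLVERS = {"8.8.8.8", "8.8.4.4"}

# Alert format as quoted in the first post of the thread.
ALERT_RE = re.compile(
    r"\[DOS\]\s+(?P<proto>\w+) Packet - "
    r"Source:(?P<src>[\d.]+),(?P<sport>\d+)\s+"
    r"Destination:(?P<dst>[\d.]+),(?P<dport>\d+)"
)

def classify(line):
    """Return (label, source_ip) for one alert line, or None if unparseable."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    src, sport, dport = m["src"], int(m["sport"]), int(m["dport"])
    # UDP from port 53 to a high (ephemeral) port has the shape of a DNS answer,
    # not of a scan, which would walk across many destination ports.
    if m["proto"].upper() == "UDP" and sport == 53 and dport >= 1024:
        if src in CONFIGURED_RESOLVERS:
            return ("dns-reply-configured", src)
        # Follow-up: find which device (or the router itself) queries this resolver.
        return ("dns-reply-unconfigured", src)
    return ("other", src)

def summarise(lines):
    """Count alerts per (label, source_ip); unparseable lines are grouped."""
    counts = Counter()
    for line in lines:
        counts[classify(line) or ("unparsed", "-")] += 1
    return counts

# Constructed samples: 203.0.113.43 stands in for the redacted WAN address,
# and the TCP line assumes the router uses the same layout for TCP alerts.
SAMPLE_ALERTS = [
    "[DOS] UDP Packet - Source:212.159.6.10,53 Destination:203.0.113.43,55014",
    "[DOS] UDP Packet - Source:212.159.6.10,53 Destination:203.0.113.43,61022",
    "[DOS] UDP Packet - Source:8.8.8.8,53 Destination:203.0.113.43,49733",
    "[DOS] TCP Packet - Source:198.51.100.7,40112 Destination:203.0.113.43,23",
]

if __name__ == "__main__":
    for (label, src), n in summarise(SAMPLE_ALERTS).most_common():
        print(f"{n:3d}  {label:24s} {src}")
```

A high count under dns-reply-unconfigured points at something on the LAN side (or the router's own lookups) sending queries to that resolver, which is what the ipconfig check suggested in the replies is meant to find.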