It's not! This is common behavior of personal firewalls (from most vendors) when handling traffic from a very slow or otherwise misconfigured domain name server. These "attacks" are always inbound UDP packets from port 53 on the ISP's DNS server to increasing (ephemeral) ports on your machine. This is legitimate traffic that is being mischaracterized by your firewall as an "attack."

Here's what's happening:

When your computer sends out a domain name request to your ISP's DNS server (say, to look up the IP address for "www.dslreports.com"), your firewall makes note of this request so when the response arrives, it's able to recognize it as being associated with the original request and permits it to return. You couldn't surf the web (or do much of anything else on the Internet) without these DNS queries and responses.

Not all DNS requests actually get responses. Sometimes the request gets lost on the way out, sometimes the server fails to respond for whatever reason and sometimes the response itself is lost. If the firewall decided to wait forever for all responses, it would find that its table of pending requests would grow every time one got lost.

To prevent this, an internal (and invisible to you) table attaches a "timeout" to each waiting request, and if that much time elapses without a response, the firewall simply discards the entry. For responses that were truly lost, this is exactly the right thing to do.

But once in a while a DNS server is misconfigured or horridly busy and sends back responses after the firewall has discarded its memory of the request. This UDP datagram is otherwise well formed -- it answers the question you asked -- but since the firewall isn't expecting it any longer, it reports an "attack."

We could hardly be more clear: you are not in any conceivable way being "attacked." At minimum, you should ignore these reports, and many advise adding your ISP's nameserver to your trusted zone. By relying on these servers to translate names to IP addresses, you are already granting enormous trust to these machines, so adding a bit more trust to silence your firewall seems like a minor concession.

In theory, there may be some way to adjust the timeouts used by the firewall, but we don't know how in any particular case.

Ignore these reports.


by Steve, edited by JMGullett
last modified: 2007-06-11 16:39:58



© 1999-2008 dslreports.com.