I need some help putting the pieces of this puzzle together...
First, in my firewall log (a SonicWall SOHO3 which I run in stealth mode) I have seen a lot of traffic from obviously spoofed IPs hammering my static IP on ports 53 and 137. What concerns me is that I have a PC on my network that at seemingly random times will try to send out UDP packets through our firewall on port 53. Usually, the log will capture 4 to 6 events from this PC. The destination IP of each event is that of our firewall and the destination port is 53. The weird thing is that, though the source IP is that of the suspect workstation, each of the events is sent from a different port. For instance, one group of events will have IP 192.xxx.xxx.xxx: PORT 2040, then 2043, then 2047, and then 2051, for example. After a small group of these occurrences in the log, the activity stops for a while.
Over the past holiday weekend there was a significant increase in the number of outbound attempts by the suspect PC.
I run Symantec Enterprise Edition v8.0 on my network and I have real-time protection enabled on all workstations; in addition, I have all anti-virus clients set up to perform weekly scans and occasionally I’ll perform a virus sweep, just for good measure. The suspect PC has never reported a virus. I also have Pest Patrol installed on the PC and it has yet to report anything out of the ordinary. I have also manually inspected the machine for anything out of the ordinary and have even scanned it with the Bugbear removal utility from Symantec.
Sooooo…..any suggestions???

The port 137 stuff sounds a lot like Opaserv. It goes crazy trying to send out requests. Also, you end up getting inbound requests roughly once every 2 minutes from somewhere on the internet, thanks to Opaserv.
Check out this site for more Opaserv details
http://www.computing.net/security/wwwboard/forum/3289.html
But if you have an up to date virus checker on these machines...it'll definitely catch Opaserv...letting you know you've got it.
As for the port 53. No clue. A quick search on Google told this about port 53: 53 UDP for inbound and outbound traffic (used for DNS (Domain Name Service) to locate CINS on the internet, this port is also used by your web browser). Hope that helps
Brad Peterson
b_peterson@yahoo.com

Doofus T. Ingenious:
1. The outbound UDP traffic to port 53 from your PCs is perfectly normal. For example, this will occur any time you go browsing web sites from your PC: type in an address in your browser, and it will send a query to a DNS server to find out the IP address of the website you want to go to. There's no need to worry about this traffic as it is necessary for things to work!
2. The incoming traffic trying to connect to your computers on ports 137 (Windows file sharing) and 53 is also common these days, often caused by various internet worms attempting to spread to vulnerable machines across the internet. There are exploits available against Windows file sharing and also BIND/DNS, and there are various automated scanning tools which will scan an ISP's entire block of customers' IP addresses looking for vulnerable machines.
At least you know your firewall is doing its job by blocking that traffic, and as such there is nothing to worry about because the packets are dropped and blocked at your network perimeter/firewall.
Hope this explanation helps, you can now relax :)

Thanks everyone....
The only thing that still remains questionable is: Why am I only seeing the outbound Port 53 traffic from only one workstation...I have about 15 with full-time internet access? And, I can think of no differentiation between that PC and the rest.
I am following the checks for Opaserv just to be on the safe side.
I have done a bit of reading on the recent upsurge of Port 53 and 137 scans and I understand that, for the most part, it is something we are just going to have to live with...but I have not been able to explain the Port 53 traffic on my LAN, or at least the fact that only one machine is causing my firewall to raise a red flag. Hmmm....

One stupid fix I can think of right off the bat is to install a free ZoneAlarm on that computer. ZoneAlarm will then start alerting you to every program that wants an internet connection. You should be able to find it that way.
Brad Peterson
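
One way to triage the pattern discussed in this thread, as an added example that is not from any of the posters: a short Python script that groups UDP port 53 events aimed at the firewall's own address by workstation and splits them into bursts, so the one noisy host can be compared with the rest of the LAN. The log layout, the addresses and the names `parse` and `dns_bursts` are assumptions; the SonicWall export format is not shown here, so adjust the regular expression to match the real log.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in a generic layout (not the SonicWall export format):
# date time src_ip:src_port dst_ip:dst_port proto
SAMPLE_LOG = """\
2003-01-20 09:14:02 192.168.1.23:2040 192.168.1.1:53 udp
2003-01-20 09:14:03 192.168.1.23:2043 192.168.1.1:53 udp
2003-01-20 09:14:05 192.168.1.23:2047 192.168.1.1:53 udp
2003-01-20 09:14:09 192.168.1.23:2051 192.168.1.1:53 udp
2003-01-20 09:20:11 192.168.1.31:1188 192.168.1.1:80 tcp
2003-01-20 11:02:40 192.168.1.23:2210 192.168.1.1:53 udp
2003-01-20 11:02:41 192.168.1.23:2212 192.168.1.1:53 udp
not a log line
"""

LINE = re.compile(
    r"^(\S+ \S+) (\d+(?:\.\d+){3}):(\d+) (\d+(?:\.\d+){3}):(\d+) (\w+)$")

def parse(log):
    """Yield (timestamp, src, sport, dst, dport, proto); skip malformed lines."""
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield (ts, m.group(2), int(m.group(3)),
                   m.group(4), int(m.group(5)), m.group(6).lower())

def dns_bursts(log, firewall_ip, gap_seconds=60):
    """Map each source host to its bursts of UDP/53 events sent to the firewall.

    A burst is a run of events with no pause longer than gap_seconds; each
    burst is returned as the list of source ports the host used.
    """
    bursts, last_seen = defaultdict(list), {}
    for ts, src, sport, dst, dport, proto in sorted(parse(log)):
        if (dst, dport, proto) != (firewall_ip, 53, "udp"):
            continue
        prev = last_seen.get(src)
        if prev is None or (ts - prev).total_seconds() > gap_seconds:
            bursts[src].append([])  # pause exceeded: start a new burst
        bursts[src][-1].append(sport)
        last_seen[src] = ts
    return dict(bursts)

if __name__ == "__main__":
    for host, runs in dns_bursts(SAMPLE_LOG, "192.168.1.1").items():
        for ports in runs:
            print(f"{host}: {len(ports)} events, source ports {ports}")
```

Run against a full day's log, the output shows at a glance whether any other workstation appears at all and how often the bursts recur, which can then be lined up against what was running on the PC at those times.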
