Unreachable port

Peter Dambier peter at peter-dambier.de
Tue Oct 9 08:10:01 UTC 2007


One reason could be that horrible forced disconnect, done by many ISPs
to prevent people from running servers. You get disconnected and when
your PC reconnects it gets a new IPv4 address. So when you reply later
your answer hits a different host. (very likely)

Your system might be used as a DoS amplifier. Short queries resulting
in long answers are sent with spoofed originating address. (not with
simple MX and A queries. Is it a resolver or an authoritative system?)

I don't know a NAT box that is not broken one way or the other.

Port unreachable could be a blocked port either blocked by the
NAT box or by the ISP to take care of local security holes.

Kind regards
Peter and Karin


Paul Kosinski wrote:
> Since upgrading to BIND 9.4.1-P1 -- which has been running fine since
> Sep 1 -- I have been logging queries on one of my lightly loaded
> servers. In doing so, I notice that several times per day I get a
> query which, when I reply to it, I get back ICMP Port Unreachable
> (reported via iptables logging). These happen on both A and MX
> queries, and come from various IP blocks. 
> 
> The ICMP packets claim to come from the same IP address that sent the
> request. This is peculiar, as it suggests that that computer is still
> running -- so why doesn't it accept the reply? 
> 
> I suppose it could be that the requesting process terminated before
> the reply came back -- but the ICMP comes back within a second of the
> DNS query having arrived at my server. 
> 
> Alternatively, if the requesting computer were on a NAT-ed subnet
> (and went down), the NAT gateway ought to be replying Host
> Unreachable, not Port Unreachable.
> 
> The only other explanation I can think of is that people are spoofing
> the source IP in DNS queries in order to cause trouble. But the load
> on *my* server is almost not noticeable, so it would have to be that
> they are targeting the DNS reply-to IP. But that is a pretty random
> port number, which might be blocked except when expecting a reply.
> 
> Does anyone have any thoughts on this? 
> 
> Paul Kosinski
> 


-- 
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Rimbacher Strasse 16
D-69509 Moerlenbach-Bonsweiher
+49(6209)795-816 (Telekom)
+49(6252)750-308 (VoIP: sipgate.de)
mail: peter at peter-dambier.de
mail: peter at echnaton.arl.pirates
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
http://www.cesidianroot.com/
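As an added example that is not part of the thread: a small Python script that correlates BIND 9.4-style query-log lines with iptables log entries for ICMP type 3 code 3 (port unreachable), so an operator can see per client which queries had their replies bounced, how quickly the bounce arrived, and which bounces have no query behind them at all. All log lines, host names and addresses below are constructed for this example.

```python
import re
from datetime import datetime
# Constructed sample lines in BIND 9.4 query-log and iptables LOG format
# (made up for this example, not taken from the original thread).
QUERY_LOG = """\
09-Oct-2007 08:10:01.120 client 192.0.2.10#40213: query: example.net IN A +
09-Oct-2007 08:10:01.550 client 198.51.100.77#5353: query: example.org IN MX +
09-Oct-2007 08:10:04.400 client 192.0.2.10#40214: query: example.net IN MX +
"""
IPTABLES_LOG = """\
Oct  9 08:10:01 ns1 kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 PROTO=ICMP TYPE=3 CODE=3 [SRC=203.0.113.5 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=40213 ]
Oct  9 08:10:05 ns1 kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 PROTO=ICMP TYPE=3 CODE=3 [SRC=203.0.113.5 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=40214 ]
Oct  9 08:11:30 ns1 kernel: IN=eth0 OUT= SRC=192.0.2.99 DST=203.0.113.5 PROTO=ICMP TYPE=3 CODE=3 [SRC=203.0.113.5 DST=192.0.2.99 PROTO=UDP SPT=53 DPT=1025 ]
"""
QUERY_RE = re.compile(r"^(\S+ \S+) client ([\d.]+)#(\d+): query: (\S+) IN (\S+)")
# ICMP type 3 code 3 = port unreachable; the bracketed part is the header of our
# own DNS reply that got bounced, so its DST/DPT identify the original client.
ICMP_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) .*PROTO=ICMP TYPE=3 CODE=3 "
                     r"\[.*DST=([\d.]+) .*SPT=53 DPT=(\d+)")

def parse_queries(text):
    """-> [(timestamp, client_ip, client_port, qname, qtype)]"""
    rows = []
    for m in filter(None, map(QUERY_RE.match, text.splitlines())):
        ts = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S.%f")
        rows.append((ts, m.group(2), int(m.group(3)), m.group(4), m.group(5)))
    return rows

def parse_bounces(text, year):
    """-> [(timestamp, client_ip, client_port)]; syslog lines carry no year."""
    rows = []
    for m in filter(None, map(ICMP_RE.match, text.splitlines())):
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        rows.append((ts, m.group(2), int(m.group(3))))
    return rows

def correlate(query_log, iptables_log, year=2007, window=2.0):
    """Pair each bounced reply with the latest query from the same client IP/port
    at most `window` s earlier -> ({ip: [(qname, qtype, delay_s)]}, unmatched)."""
    queries = parse_queries(query_log)
    report, unmatched = {}, 0
    for ts, ip, port in parse_bounces(iptables_log, year):
        # syslog has 1 s resolution, so tolerate a little negative skew
        cands = [q for q in queries if q[1] == ip and q[2] == port
                 and -1.0 <= (ts - q[0]).total_seconds() <= window]
        if not cands:
            unmatched += 1          # bounce with no query behind it: look closer
            continue
        q = max(cands, key=lambda c: c[0])
        delay = max(0.0, round((ts - q[0]).total_seconds(), 3))
        report.setdefault(ip, []).append((q[3], q[4], delay))
    return report, unmatched
```

A run over real logs needs the year of the syslog lines passed in; bounces that never match a logged query are the ones worth examining first, since nothing on the server side provoked them.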