OT:Please excuse the noise

From: "Joe Blanchard" <joe@sumless.net>
Date: Mon, 18 Aug 2008 23:50:08 -0400

I'm dealing with Hughsnet and have observed the following issue/

SOA is me for testing

Upstream router seems to be a public IP
Number: 15942
Date: 18Aug2008
Time: 23:03:21
Product: FireWall-1
Interface: eth0
Origin: rockgate (
Type: Log
Action: Accept
Protocol: udp
Service: 2016
Source: upstream_router (
Destination: Firewall_external (
Rule: 10
Source Port: domain-udp (53)

Problem is that target port is not 53, in otherwords asking for a DNS
response on an odd port while sourcing port 53.
Is this normal, am I missing something that a bigger ISP knows? This would
be Hughesnet. so I should be concerned? I have a ticket opened with them,
#15048812 but am getting the run around with them.
I understand that the normal recourse is to "Reboot the modem" but in this
case I think it's a bit more than that.
Can anyone point me in the right direction? Thanks in advance,

Are they asking for a DNS or is this a reply?

Replies are from 53 to an ephemeral destination. If your firewall is set
up correctly and not losing state too quickly for DNS responses, this may
be backscatter. I see a bit of this from time to time and dark space
monitoring systems see a lot of it. With the cache poisoning attacks,
I'd expect to see more t it.