Google DNS Port Scan


Daniel Perez

Jun 21, 2017, 11:00:07 AM
to public-dns-discuss
Hello,
Well, I have a situation at my job.
I'm in charge of monitoring the traffic in the network. We have tools, and today something weird happened.
One of the tools showed me an alarm for a port scan inside my network, but the source is Google DNS. Is this normal traffic?
I've been looking for information about this but I haven't found anything concrete.

If someone knows something about this, it could help me.

Regards!
DP

Alex Dupuy

Jul 1, 2017, 11:52:19 AM
to public-dns-discuss
Hi Danny,

You wrote:
One of the tools showed me an alarm for a port scan inside my network, but the source is Google DNS. Is this normal traffic?
I've been looking for information about this but I haven't found anything concrete.

This is probably not normal traffic. It is trivial for someone to forge the source IP of a UDP packet on the internet, and 8.8.8.8 is an easy one to remember and use for that purpose. However, as replies are sent to the source IP, it's not clear what the benefit would be for somebody to use that as the source IP for a port scan (you don't say whether this alarm was for traffic to the same port on multiple IPs, or to a variety of ports on one IP, or a variety of ports on multiple IPs).

More likely, somebody was forging your IP address as the source for DNS queries to 8.8.8.8 and Google Public DNS was sending replies to you. This sort of reflection (or amplification) can be used in a Denial of Service attack, and although there are various techniques to detect this and mitigate it (mostly by dropping responses, but also potentially sending back truncated responses) it is certainly possible for some traffic to get in "under the radar" and trigger alarms on targeted devices before the traffic is detected and blocked.
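An added example, not part of the original reply: one way to tell the two explanations above apart is to correlate inbound packets from the resolver with the DNS queries your own hosts sent. The flow-record layout, the 5-second window, the 192.0.2.x addresses and the verdict labels are assumptions made for illustration.

```python
from collections import defaultdict

RESOLVERS = {"8.8.8.8", "8.8.4.4"}  # Google Public DNS addresses seen in this thread
WINDOW = 5.0  # assumption: seconds a reply may trail the query it answers

# Constructed UDP flow records: (time, src_ip, src_port, dst_ip, dst_port).
# The 192.0.2.x hosts are documentation addresses standing in for local machines.
SAMPLE = [
    (0.00, "192.0.2.10", 40001, "8.8.8.8", 53),   # local host asks
    (0.03, "8.8.8.8", 53, "192.0.2.10", 40001),   # resolver answers
    (0.10, "192.0.2.10", 40002, "8.8.8.8", 53),
    (0.12, "8.8.8.8", 53, "192.0.2.10", 40002),
    (1.00, "8.8.8.8", 53, "192.0.2.20", 50001),   # replies nobody here asked for
    (1.01, "8.8.8.8", 53, "192.0.2.20", 50002),
    (1.02, "8.8.8.8", 53, "192.0.2.20", 50003),
    (2.00, "8.8.8.8", 40000, "192.0.2.30", 22),   # not from port 53 at all
    (2.01, "8.8.8.8", 40000, "192.0.2.30", 23),
]

def classify(flows, window=WINDOW):
    """Count, per (resolver, local host), what kind of inbound packets arrived."""
    pending = {}  # (client_ip, client_port, resolver_ip) -> time the query left
    report = defaultdict(lambda: {"matched": 0, "unsolicited": 0,
                                  "not_dns": 0, "ports": set()})
    for t, sip, sport, dip, dport in sorted(flows):
        if dip in RESOLVERS and dport == 53:
            pending[(sip, sport, dip)] = t        # outbound query
        elif sip in RESOLVERS:
            r = report[(sip, dip)]
            r["ports"].add(dport)                 # many ports is what trips a portscan rule
            if sport != 53:
                r["not_dns"] += 1                 # cannot be a DNS-over-UDP reply
                continue
            asked = pending.pop((dip, dport, sip), None)
            ok = asked is not None and t - asked <= window
            r["matched" if ok else "unsolicited"] += 1
    return report

def verdict(r):
    """Map the counts onto the two explanations given in the reply above."""
    if r["not_dns"]:
        return "not_a_dns_reply"          # consistent with a forged resolver source IP
    if r["unsolicited"]:
        return "unsolicited_replies"      # consistent with queries sent in our name
    return "replies_to_own_queries"

def summarize(flows):
    return {pair: verdict(r) for pair, r in classify(flows).items()}
```

This code also counts a reply as unsolicited when it arrives later than `WINDOW` after its query, so set the window to match the firewall's UDP state timeout before reading the result.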

jimmy....@gmail.com

Nov 8, 2017, 2:32:52 PM
to public-dns-discuss
I am seeing similar:

Host Port Scan Detected by Remote Host | Custom Rule Engine-118 :: SFL-SIEMEVT01 | 1 | Nov 6, 2017, 5:43:59 PM | Host Port Scan | 8.8.4.4 | 53 | 192.168.2.85 | 61142 | N/A
UDP DNS request exceeds remaining packet length | ASA @ 192.168.3.43 | 1 | Nov 6, 2017, 5:43:59 PM | DNS Protocol Anomaly | 8.8.4.4 | 53 | 192.168.2.85 | 61142 | N/A
UDP DNS request exceeds remaining packet length | ASA @ 192.168.3.43 | 1 | Nov 6, 2017, 5:43:54 PM | DNS Protocol Anomaly | 8.8.4.4 | 53 | 192.168.2.85 | 62165 | N/A
UDP DNS request exceeds remaining packet length | ASA @ 192.168.3.43 | 1 | Nov 6, 2017, 5:43:52 PM | DNS Protocol Anomaly | 8.8.4.4 | 53 | 192.168.2.85 | 62308 | N/A

and on and on ............

mattwes...@gmail.com

Feb 11, 2018, 9:54:36 AM
to public-dns-discuss
Same here. I thought straight into the box, Google was hacking me. A secondary or tertiary reflection is the most likely case. Just like CID, IP can be spoofed pretty easily.

Mark J.

Oct 20, 2020, 9:08:05 AM
to public-dns-discuss
Same? Detected from my firewall. Why Google?

Date/Time (CST): 2020-10-20 02:45:42

Generic Alert type: Attempted Information Leak

SRC: 8.8.8.8
  
DST: 70.120.41.XXX

Rule Trigger: 122:17

Rule Description: (portscan) UDP Portscan  