Tuesday, March 16, 2010

Why is Google Public DNS scanning ports on my host computer?!

Being fed up with poor DNS response during peak hours from the ISP-assigned resolver, or occasional complete blackouts, I recently opted to use Google Public DNS. While the performance and security benefits of the latter are impressive and I trust Google to be able to safeguard against DNS poisoning compared to an average, unaware ISP, recently I found myself on the receiving side of port scans or DoS attempts from Google DNS directed to the private IP of my host computer! Here is a firewall log from my Internet-facing router. The router is on a private LAN shared with the host computer. I have intentionally masked the time and the private IP addresses on my host.

Tue, 2010-03-16 03:33:04 - UDP Packet - Source:8.8.8.8 Destination:192.168.x.y - [PORT SCAN]
Tue, 2010-03-16 03:34:43 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,52344 - [DOS]
Tue, 2010-03-16 03:34:44 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,59397 - [DOS]
Tue, 2010-03-16 03:34:44 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,36034 - [DOS]
Tue, 2010-03-16 03:34:49 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,58507 - [DOS]
Tue, 2010-03-16 03:34:49 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,47320 - [DOS]
Tue, 2010-03-16 03:34:49 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,43986 - [DOS]
Tue, 2010-03-16 03:34:54 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,57783 - [DOS]
Tue, 2010-03-16 03:34:54 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,46381 - [DOS]
Tue, 2010-03-16 03:34:54 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,37386 - [DOS]
Tue, 2010-03-16 03:34:59 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,42595 - [DOS]
Tue, 2010-03-16 03:34:59 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,49444 - [DOS]
Tue, 2010-03-16 03:35:00 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,46906 - [DOS]
Tue, 2010-03-16 03:35:05 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,50278 - [DOS]
Tue, 2010-03-16 03:35:05 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,42480 - [DOS]
Tue, 2010-03-16 03:35:05 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,46706 - [DOS]
Tue, 2010-03-16 03:35:10 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,33430 - [DOS]
Tue, 2010-03-16 03:35:10 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,37712 - [DOS]
Tue, 2010-03-16 03:35:10 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,58394 - [DOS]
Tue, 2010-03-16 03:35:16 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,39228 - [DOS]
Tue, 2010-03-16 03:35:16 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,41935 - [DOS]
Tue, 2010-03-16 03:35:16 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,57780 - [DOS]
Tue, 2010-03-16 03:35:21 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,60592 - [DOS]
Tue, 2010-03-16 03:35:21 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,45238 - [DOS]
Tue, 2010-03-16 03:35:21 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,37143 - [DOS]
Tue, 2010-03-16 03:35:26 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,47709 - [DOS]
Tue, 2010-03-16 03:35:26 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,58876 - [DOS]
Tue, 2010-03-16 03:35:26 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,42900 - [DOS]
Tue, 2010-03-16 03:35:32 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,56628 - [DOS]
Tue, 2010-03-16 03:50:59 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,35201 - [DOS]
Tue, 2010-03-16 03:50:59 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,58851 - [DOS]
Tue, 2010-03-16 03:51:00 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,59257 - [DOS]
Tue, 2010-03-16 03:51:05 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,44891 - [DOS]
Tue, 2010-03-16 03:51:05 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,36661 - [DOS]
Tue, 2010-03-16 03:51:05 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,56824 - [DOS]
Tue, 2010-03-16 03:51:11 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,43335 - [DOS]
Tue, 2010-03-16 03:51:11 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,44840 - [DOS]
Tue, 2010-03-16 03:51:11 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,48039 - [DOS]


Notice the time difference between two successive scanning or reported DoS attempts. Why is Google scanning these ports? Isn't a DNS resolver supposed to be a passive entity, responding only to user requests and not initiating a connection with the client host computer? Is this some sort of opportunistic spying?
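An added example, not part of the original post: a Python script that parses this router's log format and reports the source port, the destination ports, and the gaps between successive entries that the post points at. The sample lines are an excerpt of the log above; the 1024 port threshold and the one-second burst window are assumptions chosen for illustration.

```python
import re
from datetime import datetime

# Excerpt of the router log quoted in the post (addresses masked as posted).
SAMPLE = """\
Tue, 2010-03-16 03:33:04 - UDP Packet - Source:8.8.8.8 Destination:192.168.x.y - [PORT SCAN]
Tue, 2010-03-16 03:34:43 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,52344 - [DOS]
Tue, 2010-03-16 03:34:44 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,59397 - [DOS]
Tue, 2010-03-16 03:34:44 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,36034 - [DOS]
Tue, 2010-03-16 03:34:49 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,58507 - [DOS]
Tue, 2010-03-16 03:34:49 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,47320 - [DOS]
Tue, 2010-03-16 03:34:49 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,43986 - [DOS]
Tue, 2010-03-16 03:50:59 - UDP Packet - Source:8.8.8.8,53 Destination:192.168.x.y,35201 - [DOS]
""".splitlines()

LINE = re.compile(
    r"^\w{3}, (?P<ts>[\d-]+ [\d:]+) - (?P<proto>\w+) Packet - "
    r"Source:(?P<src>[^, ]+)(?:,(?P<sport>\d+))? "
    r"Destination:(?P<dst>[^, ]+)(?:,(?P<dport>\d+))? - \[(?P<tag>[^\]]+)\]$")

def parse(line):
    """Return one log entry as a dict, or None if the line does not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
    for k in ("sport", "dport"):  # the PORT SCAN entry carries no ports
        e[k] = int(e[k]) if e[k] else None
    return e

def triage(lines, burst_gap=1):
    entries = sorted(filter(None, map(parse, lines)), key=lambda e: e["ts"])
    # Reply-shaped: UDP from the resolver's port 53 to a high client port.
    replies = [e for e in entries if e["proto"] == "UDP" and e["sport"] == 53
               and e["dport"] is not None and e["dport"] >= 1024]
    gaps = [int((b["ts"] - a["ts"]).total_seconds()) for a, b in zip(entries, entries[1:])]
    bursts = [1] if entries else []
    for g in gaps:  # entries at most burst_gap seconds apart form one burst
        if g <= burst_gap:
            bursts[-1] += 1
        else:
            bursts.append(1)
    dports = [e["dport"] for e in replies]
    return {"entries": len(entries), "reply_shaped": len(replies),
            "distinct_dports": len(set(dports)) == len(dports),
            "gaps": gaps, "bursts": bursts}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Entries from port 53 to distinct high ports have the shape of DNS replies; whether each one answers a query the host actually sent can only be confirmed from a packet capture on the host.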