I have an Arch Linux mail server that is directly connected to the internet, and firewalled appropriately with iptables (default DROP on the single ethernet interface, allow only necessary ports). From time to time in a packet trace on the internet interface, I see the following:
Code:
01:36:58.763123 IP 91.215.232.75 > 50.252.x.x: ICMP 91.215.232.75 udp port 53 unreachable, length 67
Where 50.252.x.x is my mail server. The source is always a random IP address, and is usually an ICMP "port 53 unreachable" message.
I always figured that this is an attempt by someone to try and somehow redirect my system to use their DNS server (because of the port 53 reference), or at least to get my system to respond to it in some way. Is this likely to be what is happening? Are there systems out there that will respond to this kind of spoof technique?
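One way to check this against the capture itself, as an added example that is not part of the original post: in tcpdump's text output the address printed after `ICMP` is the destination of the UDP packet being rejected, so the code below tests whether each "port unreachable" error follows a packet the mail server actually sent to that address and port. The sample lines and addresses are constructed (documentation ranges), and `classify` is a hypothetical helper name.

```python
import re

IP4 = r"\d+\.\d+\.\d+\.\d+"
# tcpdump -n line for an ICMP port-unreachable error. The address after
# "ICMP" is the destination of the original (rejected) UDP packet.
ICMP_RE = re.compile(
    rf"^(?P<ts>\S+) IP (?P<src>{IP4}) > (?P<dst>{IP4}): "
    rf"ICMP (?P<orig_dst>{IP4}) udp port (?P<port>\d+) unreachable")
# tcpdump -n line for a UDP/TCP packet: "IP a.b.c.d.sport > e.f.g.h.dport:"
FLOW_RE = re.compile(
    rf"^(?P<ts>\S+) IP (?P<src>{IP4})\.(?P<sport>\d+) > "
    rf"(?P<dst>{IP4})\.(?P<dport>\d+):")

def classify(lines, local_ip):
    """Split ICMP port-unreachable errors addressed to local_ip into those
    preceded in the capture by a packet local_ip sent to the same address and
    port ("solicited") and those with no such packet ("unsolicited")."""
    sent = set()  # (dst_ip, dst_port) pairs local_ip has sent to so far
    result = {"solicited": [], "unsolicited": []}
    for line in lines:
        m = ICMP_RE.match(line)
        if m and m["dst"] == local_ip:
            key = (m["orig_dst"], int(m["port"]))
            kind = "solicited" if key in sent else "unsolicited"
            result[kind].append((m["ts"], m["src"], key[1]))
            continue
        m = FLOW_RE.match(line)
        if m and m["src"] == local_ip:
            sent.add((m["dst"], int(m["dport"])))
    return result

# Constructed sample capture (tcpdump -n style); 198.51.100.7 stands in for
# the mail server. The first error follows a real query, the second does not.
SAMPLE = """\
01:36:50.100000 IP 198.51.100.7.41234 > 203.0.113.5.53: 4660+ A? example.org. (29)
01:36:50.150000 IP 203.0.113.5 > 198.51.100.7: ICMP 203.0.113.5 udp port 53 unreachable, length 65
01:36:58.763123 IP 192.0.2.75 > 198.51.100.7: ICMP 192.0.2.75 udp port 53 unreachable, length 67
""".splitlines()

if __name__ == "__main__":
    for kind, hits in classify(SAMPLE, "198.51.100.7").items():
        for ts, src, port in hits:
            print(f"{kind:11} {ts} from {src} (udp port {port})")
```

The capture has to include outbound traffic as well as inbound for the comparison to mean anything; errors reported as unsolicited are the ones for which the server sent no matching packet during the capture window.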