UDP port 5353
Does anyone please know what the UDP 5353 port is?
I couldn't find it at Google, even Snort and Neohapsis port scanners won't find it. Thanks a lot
Can't find any IANA listed service for UDP/5353.
Please post your IDS or fw log or tcpdump or anything else related.
Appears to be a multicast service used by Mac OS X.
Could be used for p2p networking. Try searching for Rendezvous and iChat. I found no exploits relating to this port.
sorry
Thanks guys for the reply, but.
UnSpawn: I'm sorry, I don't know what you want from me. I'm a newbie. Just installed Firestarter a few days ago. And this port is showing like once a day or so. It is from the same IP as it goes from the router.
netstat -l :
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:1024                  *:*                     LISTEN
tcp        0      0 localhost:1025          *:*                     LISTEN
tcp        0      0 *:sunrpc                *:*                     LISTEN
tcp        0      0 *:http                  *:*                     LISTEN
tcp        0      0 *:x11                   *:*                     LISTEN
tcp        0      0 *:https                 *:*                     LISTEN
udp        0      0 *:1024                  *:*
udp        0      0 localhost:domain        *:*
udp        0      0 *:bootpc                *:*
udp        0      0 224.0.0.251:5353        *:*
udp        0      0 192.168.254.44:5353     *:*
udp        0      0 localhost:5353          *:*
udp        0      0 *:sunrpc                *:*
udp        0      0 192.168.254.44:ntp      *:*
udp        0      0 localhost:ntp           *:*
udp        0      0 *:ntp                   *:*
It is here again and even Firestarter won't see it:
192.168.254.44 - is the router, I guess
Some "localhost" I don't know about. :newbie: :scratch:
what the hell.....
It is 8pm and this UDP at port 5353 "attacks" again at 8:13 and then 8:17 in my Firestarter.
Don't have any idea what it should be. This can't be from the ISP at 8pm, I guess. So what is it? Looks like I need to start reading about IPtables. I've read a good about it here.
to: tobyl
Yes man, you were right. I found at Grc.com that this port is using "multicast DNS". I found a bit at http://www.multicastdns.org/ . I'll go check your URLs. Thanx :D
I have not used firestarter although I have read good things about it.
If you have got it set up correctly then the listening ports you have listed with netstat should be filtered ok, however I would recommend that you find out how services on your distro are started, and stop the ones you don't require. I believe you can do this from the control centre in Mandrake. Try disabling routed, xinetd and other stuff that is not critical, run netstat again, you should cut down the number of servers 'listening'. Also re-read the firestarter config files and make sure it is running and set up ok.

You really don't want that rpc stuff showing up in netstat, you have no doubt seen the problems windows machines have been suffering due to rpc vulnerabilities (blaster).

If firestarter is mentioning this port in the logs then it is probably blocking it, but without seeing the logs I can't tell. This is what unspawn is saying - without specific info, it is impossible to say what exactly is going on.

fw log is just that, the firewall log. IDS is intrusion detection system, which I doubt you have installed. tcpdump is something you can learn about after you have got the basics out of the way.

tobyl
ok
Sorry, I'm a newbie and I think this is the firewall log I saved last time.
Weird is that even Firestarter won't see it today and it is here again, but NETUDP instead of UDP:
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:1024                  *:*                     LISTEN
tcp        0      0 localhost:1025          *:*                     LISTEN
tcp        0      0 *:sunrpc                *:*                     LISTEN
tcp        0      0 *:http                  *:*                     LISTEN
tcp        0      0 *:x11                   *:*                     LISTEN
tcp        0      0 *:https                 *:*                     LISTEN
udp        0      0 *:1024                  *:*
udp        0      0 localhost:domain        *:*
udp        0      0 *:bootpc                *:*
netudp     0      0 224.0.0.251:5353        *:*
udp        0      0 192.168.254.44:5353     *:*
udp        0      0 localhost:5353          *:*
udp        0      0 *:sunrpc                *:*
udp        0      0 192.168.254.44:ntp      *:*
udp        0      0 localhost:ntp           *:*
udp        0      0 *:ntp
and there is a log:
time:Sep 10 13:50:31 in: out:eth0 port:5353 source:192.168.254.44 dest:224.0.0.251 len:64 tos:0x00 protocol:udp service:unknown
time:Sep 10 13:51:05 in: out:eth0 port: source:192.168.254.44 dest:224.0.0.251 len:32 tos:0x00 protocol:igmp service:unknown
time:Sep 10 13:51:05 in: out:eth0 port: source:192.168.254.44 dest:224.0.1.1 len:32 tos:0x00 protocol:igmp service:unknown
time:Sep 10 13:50:56 in: out:eth0 port: source:192.168.254.44 dest:224.0.0.251 len:32 tos:0x00 protocol:igmp service:unknown
I'll look for other things that might help, as you wanted. Just :newbie:
I know this post is real old but it seemed the best out of my search results...
I hope on a related note, I noticed that port 5353 is open by default in my IPchains config for the IP 224.0.0.251. (FC5 is installed.) One of the IPs listed by the OP it seems, but ARIN's whois doesn't list much at all for the address. Anyone have any ideas of why it would be open or why the IP is trusted by default? Thanks!
/dev
That's a multicast address and would be used by something like iTunes (or AirTunes?) to see if other users are available to share music. I don't use it myself, but it's not malicious - based on what I've read at:
http://www.multicastdns.org/
http://docs.info.apple.com/article.html?artnum=107174
http://www.networksorcery.com/enp/pr.../multicast.htm
http://www.oreillynet.com/etel/blog/..._rendezvo.html
http://www.tldp.org/HOWTO/Multicast-HOWTO.html#toc8
http://www.ifelix.co.uk/tech/2005.html
I think the Gnome desktop environment itself is using mDNS. For WebDAV and SFTP shares in nautilus probably.
I had to open port 5353 to get network browsing working properly in FC6 anyway.
Just a simple FYI. The first place to look for what a port is normally for is your /etc/services file:
mdns            5353/tcp    # Multicast DNS
mdns            5353/udp    # Multicast DNS
# Stuart Cheshire <cheshire@multicastdns.org>
mdnsresponder   5354/tcp    # Multicast DNS Responder IPC
mdnsresponder   5354/udp    # Multicast DNS Responder IPC
# Stuart Cheshire <mdnsresponder-ipc@multicastdns.org>
So, looking for multicastdns.org might provide a good reference. You may have realized that already.
---
The source could even be a network printer. A Google search for "224.0.0.251" turned up both iTunes and the SoundBridge M1001.
Support
All,
Just built a CENTOS 5 box, and while trying to open ports I noticed this UDP port 5353 was open, pointing to the same IP as noted. After running:
service ip6tables stop
chkconfig ip6tables off
I also noticed that the UDP port is allowed in the ip6tables config. After turning off the ip6tables, and commenting out the iptables line, it is now gone.
-Mandrin
Very interesting little port
I've been having a very annoying problem with this port.
I've been using iptables for a while and haven't made any changes to the iptables script I use. But it seems to depend on what I install (packages) on my Debian system. For some reason every once in a while (depending) I get these damn pop-ups (no real pop-ups) of text (about two lines worth) telling me that the input packet was rejected and where it came from and where it was going to. It keeps coming from my openSUSE box udp port 1440 and going to my Debian box udp port 5353. Very annoying. I'll post the thing when I go back to my Debian box... few minutes...
kernel: INPUT packet died: IN=eth0 OUT= MAC=01:00:5e:00:00:fb:00:50:fc:22:d7:52:08:00 SRC=192.168.0.151 DST=224.0.0.251 LEN=55 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=UDP SPT=1467 DPT=5353 LEN=35
I can get anywhere to 30 of these a minute (which is impossible to deal with when editing text files) to maybe one or two a day... really odd. Also, the source port seems to increment by 1 each time.
192.168.0.151 is the openSUSE box
192.168.0.121 is the Debian box
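Added example (not part of the original thread, and not code from any poster): a small triage script for netfilter LOG lines like the one posted above. It checks that a UDP/5353 drop is ordinary mDNS by confirming the destination is the 224.0.0.251 group, that the destination MAC is the Ethernet address that group maps to, and that the source is a private address. The function names and the labels `lan-mdns`, `review`, `not-mdns` and `unparsed` are assumptions made for this example.

```python
import ipaddress
import re

MDNS_GROUP = ipaddress.ip_address("224.0.0.251")
MDNS_PORT = 5353

# The log line posted above, copied unchanged.
SAMPLE = ("kernel: INPUT packet died: IN=eth0 OUT= "
          "MAC=01:00:5e:00:00:fb:00:50:fc:22:d7:52:08:00 SRC=192.168.0.151 "
          "DST=224.0.0.251 LEN=55 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=UDP "
          "SPT=1467 DPT=5353 LEN=35")


def parse_fields(line):
    """Return the KEY=value pairs of a netfilter LOG line (first value wins)."""
    fields = {}
    for key, value in re.findall(r"\b([A-Z]+)=(\S*)", line):
        fields.setdefault(key, value)  # LEN appears twice: IP length, then UDP length
    return fields


def expected_multicast_mac(group):
    """Ethernet MAC an IPv4 multicast group maps to: 01:00:5e + low 23 bits."""
    low23 = int(group) & 0x7FFFFF
    return "01:00:5e:%02x:%02x:%02x" % (low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)


def classify(line):
    """Label a log line: lan-mdns, review, not-mdns or unparsed (labels are hypothetical)."""
    f = parse_fields(line)
    try:
        src = ipaddress.ip_address(f["SRC"])
        dst = ipaddress.ip_address(f["DST"])
        dport = int(f["DPT"])
    except (KeyError, ValueError):
        return "unparsed"
    if f.get("PROTO") != "UDP" or dport != MDNS_PORT:
        return "not-mdns"
    # In the MAC= field the first six bytes are the destination MAC.
    dst_mac = f.get("MAC", "")[:17].lower()
    if dst == MDNS_GROUP and dst_mac == expected_multicast_mac(dst) and src.is_private:
        return "lan-mdns"   # multicast DNS chatter from a host on the local network
    return "review"         # unicast to 5353, non-private source, or MAC mismatch


if __name__ == "__main__":
    print(classify(SAMPLE))
```

A line classified `lan-mdns` can be dropped without logging or accepted on the LAN interface, depending on whether the host needs mDNS service discovery; `review` lines are the ones to inspect by hand.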