Iran decreased its efforts, and for a change, most active attackers occupying all top three positions are from Romania. There is a new interesting IP that emerged last month, and that is an attacker from Panama. Small port scans for port 53 were at their record this month; we could not help but dig deeper. For more information: Sentinel View report – November 2023.
One reason is that the port is dedicated to communication with the DNS server, which is actually essential service that CZ.NIC provides. The other one is that the difference between the previous month is at least suspicious. What might look for the first sight, like a DNS amplification DDoS attack, could also be just a simple configuration error. In case the port scan is recorded on multiple probes, it is obvious that the attackers try random targets. On the other hand, if the “target” is one device, that leans more toward misconfiguration. In our team, we came to the conclusion that this is probably the second case, as, by simple query in our database, the target is one device. It seems like there was a DNS server running, but for now, it is stopped, and everybody who seeks an answer ends up on the firewall. This makes noise that we should ignore similarly to BitTorrent ports.