Does anyone please know what is the UDP 5353 port ?

I couldn't find it at Google,even Snort and Neohapsis port scanners won't find it.


Thanks a lot

Can't find any IANA listed service for UDP/5353.
Please post your IDS or fw log or tcpdump or anything else releated.

Appears to be a multicast service used by Mac OS X.
Could be used for p2p networking
Try searching for Rendevous and ichat
I found no exploits relating to this port

Thanks guys for reply,but.

UnSpawn: I'm sorry don't know what you want from me.I'm newbie.Just installed firestarter few days ago.And this port is showing like once a day or so.It is from same IP as it goes from router.

netstat -l :

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:1024 *:* LISTEN
tcp 0 0 localhost:1025 *:* LISTEN
tcp 0 0 *:sunrpc *:* LISTEN
tcp 0 0 *:http *:* LISTEN
tcp 0 0 *:x11 *:* LISTEN
tcp 0 0 *:https *:* LISTEN
udp 0 0 *:1024 *:*
udp 0 0 localhost:domain *:*
udp 0 0 *:bootpc *:*
udp 0 0 224.0.0.251:5353 *:*
udp 0 0 192.168.254.44:5353 *:*
udp 0 0 localhost:5353 *:*
udp 0 0 *:sunrpc *:*
udp 0 0 192.168.254.44:ntp *:*
udp 0 0 localhost:ntp *:*
udp 0 0 *:ntp *:*

it is here again and even Firestar won't see it:

192.168.254.44 - is router i guess

Some "localhost" i don't know about.

it is 8pm and this UDP at port 5353 "attacks" again in 8:13 and then 8:17 in my Firestarter .
Don't have any idea what it should be.

this can't be from ISP in 8pm,i guess.So what is it?

Looks like i need to start reading about IPtables.I've read a good about it here.

Yes man,

you were right.I found it at Grc.com that this port is using "multicast DNS" .I found a bit at http://www.multicastdns.org/ .

I'll go check your URLs.

Thanx

1 members found this post helpful.

I have not used firestarter although I have read good things about it.
If you have got it set up correctly then the listening ports you have listed with netstat should be filtered ok, however I would recommend that you find out how services on your distro are started, and stop the ones you dont require. I believe you can do this from the control centre in Mandrake. Try disabling routed, xinetd and other stuff that is not critical, run netstat again, you should cut down the number of servers 'listening'.
Also re-read the firestarter config files and make sure it is running and set up ok. You really dont want that rpc stuff showing up in netstat , you have no doubt seen the problems windows machines have been suffering due to rpc vulnerabilities (blaster).

If firestarter is mentioning this port in the logs then it is probably blocking it, but without seeing the logs I cant tell.

This is what unspawn is saying - without specific info, it is impossible to say what exactly is going on. fw log is just that, the firewall log. IDS is intrusion detection system which i doubt you have installed. tcpdump is something you can learn about after you have got the basics out of the way.

tobyl

sorry I'm newbie and i think this is firewall log i saved last time.

Wierd is that even Firestarter wont see it today and it is here again,but NETUDP instead of UDP :

Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:1024 *:* LISTEN
tcp 0 0 localhost:1025 *:* LISTEN
tcp 0 0 *:sunrpc *:* LISTEN
tcp 0 0 *:http *:* LISTEN
tcp 0 0 *:x11 *:* LISTEN
tcp 0 0 *:https *:* LISTEN
udp 0 0 *:1024 *:*
udp 0 0 localhost:domain *:*
udp 0 0 *:bootpc *:*
netudp 0 0 224.0.0.251:5353 *:*
udp 0 0 192.168.254.44:5353 *:*
udp 0 0 localhost:5353 *:*
udp 0 0 *:sunrpc *:*
udp 0 0 192.168.254.44:ntp *:*
udp 0 0 localhost:ntp *:*
udp 0 0 *:ntp

and there is a log :

time:Sep 10 13:50:31 in: out:eth0 port:5353 source:192.168.254.44 dest:224.0.0.251 len:64 tos:0x00 protocol:udp service:unknown
time:Sep 10 13:51:05 in: out:eth0 port: source:192.168.254.44 dest:224.0.0.251 len:32 tos:0x00 protocol:igmp service:unknown
time:Sep 10 13:51:05 in: out:eth0 port: source:192.168.254.44 dest:224.0.1.1 len:32 tos:0x00 protocol:igmp service:unknown
time:Sep 10 13:50:56 in: out:eth0 port: source:192.168.254.44 dest:224.0.0.251 len:32 tos:0x00 protocol:igmp service:unknown

I'll look for other things might help you wanted.

Just

I know this post is real old but it seemed the best out of my search results...
I hope on a related note, I noticed that port 5353 is open by defualt in my IPchains config for the IP 224.0.0.251. (FC5 is installed)One of the IPs listed by the OP it seems but ARIN's whois doesn't list much at all for the address.

Anyone have any ideas of why it would be open or why the IP is trusted by defualt?

Thanks!

/dev

That's a multicast address and would be used by something like iTunes (or AirTunes?) to see if other users are available to share music. I don't use it myself, but it's not malicious - based on what I've read at:
http://www.multicastdns.org/
http://docs.info.apple.com/article.html?artnum=107174
http://www.networksorcery.com/enp/pr.../multicast.htm
http://www.oreillynet.com/etel/blog/..._rendezvo.html
http://www.tldp.org/HOWTO/Multicast-HOWTO.html#toc8
http://www.ifelix.co.uk/tech/2005.html

I think the Gnome desktop environment itself is using mDNS. For WebDAV and SFTP shares in nautilus probably.

I had to open port 5353 to get network browsing working properly in FC6 anyway.

Just a simple FYI. The first place to look for what a port is normally for is your /etc/services file:

mdns 5353/tcp # Multicast DNS
mdns 5353/udp # Multicast DNS
# Stuart Cheshire <cheshire@multicastdns.org>
mdnsresponder 5354/tcp # Multicast DNS Responder IPC
mdnsresponder 5354/udp # Multicast DNS Responder IPC
# Stuart Cheshire <mdnsresponder-ipc@multicastdns.org

So, looking for multicastdns.org might provide a good reference.

You may have realized that already.

---

The source could even be a network printer.

A google search for "224.0.0.251" turned up both iTunes and the SoundBridge M1001.

1 members found this post helpful.

All,

Just built a CENTOS 5 box, and while trying to open ports I noticed this UDP port 5353 was open, pointing to the same IP as noted.

After running:
service ip6tables stop
chkconfig ip6tables off

I also noticed that the UDP port is allowed in the ip6tables config. After turning off the ip6tables, and commenting out the iptables line, it is now gone.

-Mandrin

I've been having a very annoying problem with this port.

I've been using iptables for a while and haven't made any changes to iptables script I use. But it seems to depend what I install (packages) on my debian system.

For some reason every once and a while (depending) I get these damn pop-ups (no real pop-ups) of text (about two lines worth) telling me that the input packet was rejected and where it came from and where it was going to.

It keeps coming from my opensuse box udp port 1440 and going to my debian box udp port 5353.

very annoying.

I'll post the thing when I go back to my debian box... few minutes...

kernel: INPUT packet died: IN=eth0 OUT= MAC=01:00:5e:00:00:fb:00:50:fc:22:d7:52:08:00 SRC=192.168.0.151 DST=224.0.0.251 LEN=55 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=UDP SPT=1467 DPT=5353 LEN=35


I can get anywhere to 30 of these a minute (which is impossible to deal with when editing text files) to maybe one or two a day... really odd.

also source port seems to increment by 1 each time.
192.168.0.151 is opensuse box
192.168.0.121 is debian box