|Destination||18.104.22.168 (United States)||domain (53)|
- This rule is triggered when an HTTP GET request is observed on port 53.
- Port 53 is sometimes used as an egress port as firewalls commonly allow DNS traffic without alarming.
- This appears to be a misdirected advertising request. There are multiple event instances for the same request.
- None of the associated domains (original company (www.nationalbusinessfurniture.com) show any evidence of malicious hosting.
- Best guess is someone accidentally hard coded a link to 22.214.171.124:53 in the above site's advertising framework.
- As would be expected, 126.96.36.199 (google's public name servers) are listening on tcp port 53 as they are DNS servers, and immediately close the connection upon receiving HTTP traffic.