Re: FW: [Full-Disclosure] Question for DNS pros

From: John Hall (j.hall_at_f5.com)
Date: 08/04/04

  • Next message: Frank Knobbe: "Re: FW: [Full-Disclosure] Question for DNS pros"
    To: Paul Schmehl <pauls@utdallas.edu>
    Date: Tue, 03 Aug 2004 17:46:59 -0700
    
    

    It is possible some of the traffic you are seeing is the result of a site
    using our 3-DNS global load balancing product. A clear indicator that
    3-DNS is responsible would be that the probes' ID fields start at 1 and
    increase by one for each packet in a set of probes. 3-DNS sends its probes
    only in response to DNS queries and uses them to measure round trip time
    and reachability from each data-center under 3-DNS's control to the client's
    local DNS server. The data collected is used to direct other requests
    using that local DNS server to the "best" data-center. You should generally
    see no more than 9 packets per hour per site using 3-DNS, although one of our
    customers may have configured more aggressive probing (which we discourage).
    3-DNS does maintain a "do-not-probe" list to which you can be added, if
    the 3-DNS's probe traffic is too obnoxious for you.

    A verbose tcpdump packet trace including ID numbers would be helpful to
    identify this traffic.

    Thanks,
    JMH

    Paul Schmehl wrote:

    > Frank, I've only checked two of the "attacking" IPs, but they are both
    > BigIP load balancers. I'd bet that they all are, and these packets are
    > some sort of probe to see if a host that contacted them before is
    > still alive.
    >
    > Paul Schmehl (pauls@utdallas.edu)
    > Adjunct Information Security Officer
    > The University of Texas at Dallas
    > AVIEN Founding Member
    > http://www.utdallas.edu/ir/security/

    -- 
    John Hall              Test Manager - Switch Team             F5 Networks, Inc.
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
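The indicator described in the message above (ID fields that start at 1 and step by one within a set of probes, with no more than 9 probe packets per hour per site under default settings) can be checked mechanically over a trace. The following Python is an added example, not code from the original post or from F5; it assumes the ID in question is the IP header identification field as printed by `tcpdump -v`, a single-line record layout, a constructed sample trace in documentation address ranges, and that packets of one probe set arrive within `max_gap` seconds of each other.

```python
import re
from collections import defaultdict
# Constructed single-line `tcpdump -v` style records (not a real capture), all in documentation
# ranges. 192.0.2.10 shows the IP-ID-from-1 pattern; 203.0.113.7 hits id 1 once by chance.
SAMPLE = """\
17:46:59.000100 IP (tos 0x0, ttl 64, id 1, offset 0, flags [none], proto UDP (17), length 60) 192.0.2.10.53 > 198.51.100.5.53: 1+ A? a.example. (28)
17:46:59.000300 IP (tos 0x0, ttl 64, id 2, offset 0, flags [none], proto UDP (17), length 60) 192.0.2.10.53 > 198.51.100.5.53: 2+ A? a.example. (28)
17:46:59.000500 IP (tos 0x0, ttl 64, id 3, offset 0, flags [none], proto UDP (17), length 60) 192.0.2.10.53 > 198.51.100.5.53: 3+ A? a.example. (28)
17:47:10.250000 IP (tos 0x0, ttl 55, id 1, offset 0, flags [DF], proto UDP (17), length 73) 203.0.113.7.53 > 198.51.100.5.53: 9002 1/0/0 A 203.0.113.80 (45)
17:58:02.400000 IP (tos 0x0, ttl 64, id 1, offset 0, flags [none], proto UDP (17), length 60) 192.0.2.10.53 > 198.51.100.5.53: 4+ A? a.example. (28)
17:58:02.400200 IP (tos 0x0, ttl 64, id 2, offset 0, flags [none], proto UDP (17), length 60) 192.0.2.10.53 > 198.51.100.5.53: 5+ A? a.example. (28)
"""
LINE_RE = re.compile(
    r"^(\d\d):(\d\d):(\d\d)\.(\d{6}) IP \(.*?\bid (\d+),.*?\) "
    r"(\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.\d+:")

def parse(text):
    """Return (seconds since midnight, src, dst, ip_id) for each parseable line."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            h, mi, s, us, ipid, src, dst = m.groups()
            out.append((int(h) * 3600 + int(mi) * 60 + int(s) + int(us) / 1e6,
                        src, dst, int(ipid)))
    return out

def probe_sets(packets, max_gap=1.0):
    """Per source, find runs of IP IDs 1, 2, 3, ... with consecutive packets at most
    max_gap seconds apart; a lone id 1 is not a set. Returns {src: [(start_ts, [ids])]}."""
    runs = defaultdict(list)               # src -> [start_ts, ids, last_ts|None]
    for ts, src, _dst, ipid in sorted(packets):
        cur = runs[src][-1] if runs[src] else None
        if cur and cur[2] is not None and ipid == cur[1][-1] + 1 and ts - cur[2] <= max_gap:
            cur[1].append(ipid)
            cur[2] = ts
        elif ipid == 1:
            runs[src].append([ts, [1], ts])
        elif cur:
            cur[2] = None                  # out-of-sequence packet closes the run
    return {s: [(r[0], r[1]) for r in rs if len(r[1]) >= 2]
            for s, rs in runs.items() if any(len(r[1]) >= 2 for r in rs)}

def hourly_probe_counts(sets_by_src):
    """Probe packets per source per clock hour, to compare with the 9-per-hour default."""
    counts = defaultdict(lambda: defaultdict(int))
    for src, sets in sets_by_src.items():
        for start_ts, ids in sets:
            counts[src][int(start_ts // 3600)] += len(ids)
    return {s: dict(h) for s, h in counts.items()}
```

A source whose hourly count exceeds 9 would match the "more aggressive probing" case the message mentions, and a source whose IDs are sequential but do not restart at 1 is not explained by this signature at all.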
    
