RE: [inbox] RE: Bogus DNS traffic

From: David Gillett (gillettdavid_at_fhda.edu)
Date: 10/24/03

    To: <incidents@securityfocus.com>
    Date: Fri, 24 Oct 2003 08:35:20 -0700
    
    

      Just to clarify:

      When I captured one of these packets, I noticed that the
    source MAC address was the same as the address in my ARP cache
    for an internal server. That was what I wrote in my initial
    description.
      Later, I realized that there's an (internal) router between
    me and that server, and so of course that MAC address is that of
    the router.
      So when I wrote my initial note, I thought I was seeing evidence
    that the packet had originated within my organization's network.
    By the time I wrote my follow-up message, I'd realized that all I
    knew was that it probably came from somewhere outside my SUBnet.
     
      Despite the initial error described above, I really DO
    know how my routers work. Please stop sending me explanations
    of how they work -- especially *incorrect* explanations. That
    wasn't my question.

      And to reiterate:

      Several people have suggested I check

    http://people.ists.dartmouth.edu/~gbakos/bindsweep/

    I have, and it appears to describe exactly what I'm seeing.
    Thank you.

    David Gillett

     
