Re: FW: [Full-Disclosure] Question for DNS pros
- To: Paul Schmehl <pauls@xxxxxxxxxxxx>
- Subject: Re: FW: [Full-Disclosure] Question for DNS pros
- From: John Hall <j.hall@xxxxxx>
- Date: Tue, 03 Aug 2004 17:46:59 -0700
It is possible some of the traffic you are seeing is the result of a site
using our 3-DNS global load balancing product. A clear indicator that
3-DNS is responsible would be that the probes' ID fields start at 1 and
increase by one for each packet in a set of probes. 3-DNS sends its probes
only in response to DNS queries and uses them to measure round trip time
and reachability from each data-center under 3-DNS's control to the client's
local DNS server. The data collected is used to direct other requests
using that local DNS server to the "best" data-center. You should generally see
no more than 9 packets per hour per site using 3-DNS, although one of our
customers may have configured more aggressive probing (which we discourage).
3-DNS does maintain a "do-not-probe" list to which you can be added, if
the 3-DNS's probe traffic is too obnoxious for you.
A verbose tcpdump packet trace including ID numbers would be helpful to
identify this traffic.
Thanks,
JMH
Paul Schmehl wrote:
Frank, I've only checked two of the "attacking" IPs, but they are both
BigIP load balancers. I'd bet that they all are, and these packets are
some sort of probe to see if a host that contacted them before is
still alive.
Paul Schmehl (pauls@xxxxxxxxxxxx)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
--
John Hall, Test Manager - Switch Team, F5 Networks, Inc.
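One way to apply the two checks John describes (IP ID fields that start at 1 and increase by one within each probe set, and the roughly nine-packets-per-hour ceiling) to a verbose tcpdump trace, as an added example that is not from the original thread or from F5. The sample lines are constructed in tcpdump -v style; the probe protocol shown (ICMP echo) is an assumption, since the thread does not say what the probes are, and the regex only relies on the "id N, offset" field of the IP header.

```python
import re
from collections import defaultdict

# Constructed sample in tcpdump -v style (not a capture from the original thread).
# 192.0.2.10 sends two probe sets whose IP IDs run 1,2,3 and 1,2 (the pattern
# John attributes to 3-DNS); 198.51.100.7 sends packets with unrelated IDs.
# The "id N" inside the parentheses is the IP identification field; the later
# "id 4099" on each line is the ICMP echo identifier and must not be confused with it.
SAMPLE_TRACE = """\
17:46:01.104 IP (tos 0x0, ttl 245, id 1, offset 0, flags [none], proto ICMP (1), length 84) 192.0.2.10 > 203.0.113.5: ICMP echo request, id 4099, seq 1, length 64
17:46:02.105 IP (tos 0x0, ttl 245, id 2, offset 0, flags [none], proto ICMP (1), length 84) 192.0.2.10 > 203.0.113.5: ICMP echo request, id 4099, seq 2, length 64
17:46:03.106 IP (tos 0x0, ttl 245, id 3, offset 0, flags [none], proto ICMP (1), length 84) 192.0.2.10 > 203.0.113.5: ICMP echo request, id 4099, seq 3, length 64
17:50:12.000 IP (tos 0x0, ttl 51, id 30211, offset 0, flags [none], proto ICMP (1), length 84) 198.51.100.7 > 203.0.113.5: ICMP echo request, id 17, seq 1, length 64
17:50:13.000 IP (tos 0x0, ttl 51, id 5120, offset 0, flags [none], proto ICMP (1), length 84) 198.51.100.7 > 203.0.113.5: ICMP echo request, id 17, seq 2, length 64
17:50:14.000 IP (tos 0x0, ttl 51, id 777, offset 0, flags [none], proto ICMP (1), length 84) 198.51.100.7 > 203.0.113.5: ICMP echo request, id 17, seq 3, length 64
18:12:40.220 IP (tos 0x0, ttl 245, id 1, offset 0, flags [none], proto ICMP (1), length 84) 192.0.2.10 > 203.0.113.5: ICMP echo request, id 4100, seq 1, length 64
18:12:41.221 IP (tos 0x0, ttl 245, id 2, offset 0, flags [none], proto ICMP (1), length 84) 192.0.2.10 > 203.0.113.5: ICMP echo request, id 4100, seq 2, length 64
"""

# Timestamp, the IP-header "id N, offset" field, then "src > dst:" after the closing paren.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d)\.\d+ IP \(.*?\bid (?P<ipid>\d+), offset.*?\) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+):"
)

# Per-site rate John gives as the normal ceiling for 3-DNS probing.
DOCUMENTED_MAX_PER_HOUR = 9


def parse_trace(text):
    """Return (src, hour, ip_id) tuples in file order; non-matching lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append((m.group("src"), int(m.group("ts")[:2]), int(m.group("ipid"))))
    return records


def split_into_sets(ip_ids):
    """Split an ID sequence into probe sets: a new set begins each time ID 1 appears."""
    sets = []
    for ip_id in ip_ids:
        if ip_id == 1 or not sets:
            sets.append([])
        sets[-1].append(ip_id)
    return sets


def ids_look_like_3dns(ip_ids):
    """True if every set starts at 1 and increments by exactly one per packet."""
    return bool(ip_ids) and all(
        s == list(range(1, len(s) + 1)) for s in split_into_sets(ip_ids)
    )


def analyse(text):
    """Per source address: ID-pattern verdict, probe-set count and peak hourly rate."""
    by_src = defaultdict(list)
    for src, hour, ip_id in parse_trace(text):
        by_src[src].append((hour, ip_id))
    report = {}
    for src, rows in by_src.items():
        ids = [ip_id for _, ip_id in rows]
        per_hour = defaultdict(int)
        for hour, _ in rows:
            per_hour[hour] += 1
        report[src] = {
            "sequential_ids": ids_look_like_3dns(ids),
            "sets": len(split_into_sets(ids)),
            "max_per_hour": max(per_hour.values()),
            "within_documented_rate": max(per_hour.values()) <= DOCUMENTED_MAX_PER_HOUR,
        }
    return report


if __name__ == "__main__":
    for src, verdict in analyse(SAMPLE_TRACE).items():
        print(src, verdict)
```

Feed it the output of `tcpdump -v -n` (the `-v` is what makes tcpdump print the IP ID). A source whose IDs restart at 1 and count up within each burst, and whose rate stays under nine packets per hour, matches the behaviour John describes; a source with jumbled IDs does not. Treat the ID pattern as a hint to corroborate (for instance by confirming the source is a BIG-IP, as Paul did), not as proof by itself.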
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html