Responses in-line...
Frank Knobbe wrote:
> Hello John,
> glad to see you guys are keeping up with all the current stuff going on in lists ;)
> I had sent a dump earlier. It is attached again below. The TCP SYN
> packets do indeed start with IPID 1 and move up to 3. However, these all
> come from the same IP address. Also, there doesn't appear to be anything
> in regards to "round-trip". I mean, your devices send the SYNs but
> nothing is coming back. Are you expecting the DNS querying device to have an
> open DNS port on TCP and are expecting a SYN-ACK?

No, but most DNS servers *will* respond with a RST, which is just as valuable for reachability and RTT measurements. We accept either response.

> That I can understand. But what the heck is the purpose of performing
> two DNS queries against the host that is querying a 3DNS balanced
> server? Seems a bit invasive to me for measuring trip time... :)

In general, most sites use local forwarding DNS servers that do the recursive lookups for all the clients at that site, so our probes measure the RTT from each datacenter to that forwarding DNS server and maintain that data so we can make intelligent decisions the next time a client from that site (via that local forwarder) makes a request.

In any case, I'm glad to see that there is a normal explanation for this, and this does not appear to be an attack mounted by China.
Regards, Mark
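The exchange above describes a traffic pattern that an analyst reviewing firewall or IDS logs may want to recognise: a few TCP SYNs to port 53 with low sequential IP IDs, answered by either a SYN-ACK or a RST (both usable for RTT), followed by a couple of DNS queries to the same host. The following is an added example, not code from the thread or from F5/3DNS, showing how a defender could pair such SYNs with their replies, compute the RTT, and distinguish this benign probe shape from a port scan. The packet records, the addresses (RFC 5737 documentation ranges) and the thresholds in `classify_source` are all constructed assumptions for the illustration.

```python
"""Added example: pair TCP SYN probes to port 53 with SYN-ACK/RST replies,
compute RTT, and flag the 'few sequential-IPID SYNs + DNS queries' pattern.
All packet records below are constructed, not taken from the thread's dump."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    ts: float      # seconds since start of capture
    src: str
    dst: str
    proto: str     # "tcp" or "udp"
    sport: int
    dport: int
    flags: str     # TCP flag letters ("S", "SA", "R", "RA"); "" for UDP
    ipid: int


Result = Tuple[Packet, Optional[str], Optional[float]]


def pair_syn_probes(packets: List[Packet], dns_port: int = 53) -> List[Result]:
    """For every TCP SYN sent to dns_port, find the first SYN-ACK or RST the
    target returns on the reversed 4-tuple. Returns (syn, kind, rtt_ms) where
    kind is 'syn-ack', 'rst' or None when no reply was seen at all."""
    pending: Dict[Tuple[str, int, str, int], Packet] = {}
    results: List[Result] = []
    for p in sorted(packets, key=lambda x: x.ts):
        if p.proto != "tcp":
            continue
        if p.flags == "S" and p.dport == dns_port:
            pending[(p.src, p.sport, p.dst, p.dport)] = p
            continue
        if "R" in p.flags:            # closed port: RST still proves reachability
            kind = "rst"
        elif "S" in p.flags and "A" in p.flags:
            kind = "syn-ack"          # open TCP/53, e.g. a server allowing zone transfers
        else:
            continue
        syn = pending.pop((p.dst, p.dport, p.src, p.sport), None)
        if syn is not None:
            results.append((syn, kind, round((p.ts - syn.ts) * 1000.0, 3)))
    # SYNs that never drew a reply: the probe learns "unreachable/filtered"
    results.extend((syn, None, None) for syn in pending.values())
    return sorted(results, key=lambda r: r[0].ts)


def classify_source(packets: List[Packet], src: str, dns_port: int = 53,
                    window_s: float = 5.0) -> str:
    """Heuristic (assumed thresholds): a handful of TCP SYNs to dns_port with
    sequential IP IDs, followed within window_s by UDP DNS queries to the same
    host, matches the RTT-probe shape from the thread. SYNs to other ports, or
    many of them, look like scanning instead."""
    tcp_syns = sorted((p for p in packets
                       if p.src == src and p.proto == "tcp" and p.flags == "S"),
                      key=lambda p: p.ts)
    if not tcp_syns:
        return "no-syn-traffic"
    if any(p.dport != dns_port for p in tcp_syns):
        return "multi-port-scan"
    if len(tcp_syns) > 5:
        return "syn-flood-or-scan"
    ipids = [p.ipid for p in tcp_syns]
    sequential = all(b == a + 1 for a, b in zip(ipids, ipids[1:]))
    targets = {p.dst for p in tcp_syns}
    last_syn = tcp_syns[-1].ts
    dns_queries = [p for p in packets
                   if p.src == src and p.proto == "udp" and p.dport == dns_port
                   and p.dst in targets and last_syn <= p.ts <= last_syn + window_s]
    if sequential and dns_queries:
        return "dns-rtt-probe"
    return "isolated-syn-to-dns"


PROBE_SRC = "203.0.113.7"   # constructed: a load-balancer datacenter probe source
LOCAL_DNS = "192.0.2.53"    # constructed: the site's forwarding DNS server

# Constructed capture: three SYNs with IPID 1..3, two RSTs back, one SYN
# unanswered, then the two DNS queries Frank noticed in his dump.
SAMPLE = [
    Packet(0.000, PROBE_SRC, LOCAL_DNS, "tcp", 40001, 53, "S", 1),
    Packet(0.042, LOCAL_DNS, PROBE_SRC, "tcp", 53, 40001, "RA", 7001),
    Packet(0.500, PROBE_SRC, LOCAL_DNS, "tcp", 40002, 53, "S", 2),
    Packet(0.545, LOCAL_DNS, PROBE_SRC, "tcp", 53, 40002, "RA", 7002),
    Packet(1.000, PROBE_SRC, LOCAL_DNS, "tcp", 40003, 53, "S", 3),
    Packet(1.200, PROBE_SRC, LOCAL_DNS, "udp", 40004, 53, "", 4),
    Packet(1.300, PROBE_SRC, LOCAL_DNS, "udp", 40005, 53, "", 5),
]

if __name__ == "__main__":
    for syn, kind, rtt in pair_syn_probes(SAMPLE):
        print(f"SYN ipid={syn.ipid} -> {kind or 'no reply'} rtt={rtt} ms")
    print(PROBE_SRC, "classified as", classify_source(SAMPLE, PROBE_SRC))
```

Run against the constructed sample, the first two SYNs pair with RSTs at 42 ms and 45 ms, the third is reported as unanswered, and the probe source is classified as `dns-rtt-probe` rather than as a scan; feeding it records from a real capture would require a small adapter from the sniffer's output into `Packet`.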
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html