Full Disclosure mailing list archives
Re: FW: Question for DNS pros
From: Frank Knobbe <frank () knobbe us>
Date: Tue, 03 Aug 2004 17:23:16 -0500
On Tue, 2004-08-03 at 15:34, Paul Schmehl wrote:
> Frank, I've only checked two of the "attacking" IPs, but they are both BigIP load balancers. I'd bet that they all are, and these packets are some sort of probe to see if a host that contacted them before is still alive.
hmm... I think it's a bit early to say that. After all, why doesn't it contact other systems? Why would it have to recheck in the first place? And why would it use a) a valid DNS query, b) an obscure, non-standard SYN packet, and c) a DNS query *specifically* including the "pinged" hosts' IP address in reverse notation?

I strongly doubt that the F5 engineers thought *that* would be a good way to see if a host is still alive. Even if, what would the BigIP gain from it? Nuttin' (as we say here in TN :)

The mystery continues...

Later,
Frank
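A defender's check for the probe pattern discussed in this message, added here as an illustration and not part of the original post: it parses a raw DNS query and flags one whose name carries the receiving host's own IPv4 address in reverse notation. The function names, the in-addr.arpa suffix in the sample and the 192.0.2.10 address are assumptions.

```python
import ipaddress
import struct

def parse_qname(msg: bytes):
    """Return (qname, qtype) of the first question in a DNS query, or None."""
    if len(msg) < 12:
        return None
    flags, qdcount = struct.unpack("!HH", msg[2:6])
    if flags & 0x8000 or qdcount < 1:      # QR bit set: a response, not a query
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            return None                    # truncated before the root label
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        # Top bits set means a compression pointer, unexpected in a first question.
        if length & 0xC0 or pos + length > len(msg):
            return None
        labels.append(msg[pos:pos + length].decode("ascii", "replace").lower())
        pos += length
    if pos + 4 > len(msg):
        return None
    qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return ".".join(labels), qtype

def names_destination(msg: bytes, dst_ip: str) -> bool:
    """True if the query name contains dst_ip's octets, reversed, as whole labels."""
    parsed = parse_qname(msg)
    if parsed is None:
        return False
    octets = str(ipaddress.IPv4Address(dst_ip)).split(".")
    needle = "." + ".".join(reversed(octets)) + "."
    return needle in "." + parsed[0] + "."

def build_query(name: str, qtype: int = 12, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query; used only to construct sample input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    body = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return header + body + b"\x00" + struct.pack("!HH", qtype, 1)

# Constructed samples: 192.0.2.10 is a documentation address (RFC 5737).
SAMPLE_PROBE = build_query("10.2.0.192.in-addr.arpa")
SAMPLE_BENIGN = build_query("www.example.com", qtype=1)
```

Call `names_destination(payload, dst_ip)` with the UDP payload and the packet's destination address; a match on a host that is not an authoritative server for its own reverse zone is worth logging alongside the source address.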