Security Incidents mailing list archives

RE: What is up with i.gtld-servers.net?


From: Doc Savage <doxavg () genocide2600 com>
Date: Mon, 18 Jun 2001 20:56:03 -0600 (MDT)

On Mon, 18 Jun 2001, Mike Batchelor wrote:
> The most likely explanation is that Snort "lost state" on your outgoing DNS
> queries, because I.gtld-servers.net is taking too long to answer.  So it
> flagged the "unknown" UDP replies as "misc traceroute" traffic.  You need to
> read IDS logs with a jaundiced eye, or you'll go crazy chasing down false
> positives.

Snort doesn't "keep state", therefore it has no state to lose.  Snort does
pattern matching on a frame by frame basis (with exception to the
currently rather buggy tcp (yes, TCP, not UDP) stream preprocessor).  The
misc traceroute alerts are coming from the TTL being 1 when the reply
passes the IDS.  Understanding that IDSs love to false goes without
saying, but falses can usually be explained without much problem; this one
definitely deserves a second look.

> "Valid (sort of) queries"?  Being valid is like being pregnant, there is no
> "sort-of".  What is "looks ODD" about these packets?  They look like normal
> DNS replies to me.

Valid, I'm guessing, means it looks like a normal DNS packet.  What looks
odd is that the TTL is 1.  Seems strange to me that a TLD name server
would be so many hops away (do any IP stacks start with TTLs lower than
64?).  Even more strange is that so many others have seen similar results.
Mind, I haven't even looked into this, more than catching the initial
email and this response, but it sure looks weird.

[**] IDS03 - MISC-Traceroute UDP [**]
06/15-01:38:06.209014 0:20:6F:5:6:3B -> 0:20:78:10:59:1D type:0x800 len:0x9A
192.36.144.133:53 -> 206.111.213.146:8708 UDP TTL:1 TOS:0x0 ID:18065
Len: 120

--Dox
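
As an added example (not part of the original thread or of Snort), the following Python script parses Snort alert records like the one quoted above and separates the two cases the thread discusses: a classic UDP traceroute probe (TTL 1 aimed at the 33434+ destination port range that traceroute uses by default) versus a DNS reply from source port 53 that arrives with TTL 1. For the latter it also reports how many hops the packet would have traversed for the usual initial TTLs of 64, 128 and 255, which makes the "so many hops away" question concrete. The first record in the sample is the one from the post; the second is constructed for contrast. The regexes, the port range and the TTL threshold are my assumptions for this heuristic, not Snort's own rule logic.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed input: record 1 is the alert quoted in the post; record 2 is a
# constructed alert shaped like a UDP traceroute probe (dst port 33434+).
SAMPLE_ALERTS = """\
[**] IDS03 - MISC-Traceroute UDP [**]
06/15-01:38:06.209014 0:20:6F:5:6:3B -> 0:20:78:10:59:1D type:0x800 len:0x9A
192.36.144.133:53 -> 206.111.213.146:8708 UDP TTL:1 TOS:0x0 ID:18065
Len: 120

[**] IDS03 - MISC-Traceroute UDP [**]
06/15-01:40:12.000000 0:20:6F:5:6:3B -> 0:20:78:10:59:1D type:0x800 len:0x4A
192.0.2.10:40123 -> 206.111.213.146:33436 UDP TTL:1 TOS:0x0 ID:4242
Len: 40
"""

# Assumed record layout: a "[**] signature [**]" line followed by an IP header
# line of the form "src:sport -> dst:dport PROTO TTL:n TOS:0x.. ID:n".
SIG_RE = re.compile(r"^\[\*\*\]\s*(.*?)\s*\[\*\*\]", re.M)
IP_RE = re.compile(
    r"^(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<proto>\w+) TTL:(?P<ttl>\d+) TOS:0x[0-9A-Fa-f]+ ID:(?P<id>\d+)",
    re.M,
)

# Default destination port range used by UDP traceroute (33434 + hop*probes).
TRACEROUTE_PORTS = range(33434, 33534)
# Initial TTLs used by common IP stacks; assumption used for hop estimates.
COMMON_INITIAL_TTLS = (64, 128, 255)
LOW_TTL = 2  # hypothetical threshold for "about to expire"


@dataclass
class Alert:
    signature: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    ttl: int


def parse_alerts(text: str) -> List[Alert]:
    """Split alert text on blank lines and extract one Alert per record."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        sig = SIG_RE.search(block)
        ip = IP_RE.search(block)
        if not (sig and ip):
            continue  # skip records we cannot parse instead of guessing
        alerts.append(Alert(sig.group(1), ip["src"], int(ip["sport"]),
                            ip["dst"], int(ip["dport"]), ip["proto"],
                            int(ip["ttl"])))
    return alerts


def estimated_hops(ttl: int) -> Dict[int, int]:
    """Hops travelled for each plausible initial TTL (initial - observed)."""
    return {init: init - ttl for init in COMMON_INITIAL_TTLS if init >= ttl}


def classify(a: Alert) -> str:
    """Heuristic verdict for a low-TTL UDP alert."""
    if a.proto != "UDP" or a.ttl > LOW_TTL:
        return "unclassified"
    if a.dport in TRACEROUTE_PORTS:
        return "traceroute-probe"      # expected trigger for this signature
    if a.sport == 53:
        return "dns-reply-low-ttl"     # the odd case from the thread
    return "unclassified"


def triage(text: str) -> List[dict]:
    """Parse and classify every record, attaching hop estimates."""
    return [{"signature": a.signature, "src": a.src, "dport": a.dport,
             "ttl": a.ttl, "verdict": classify(a), "hops": estimated_hops(a.ttl)}
            for a in parse_alerts(text)]


if __name__ == "__main__":
    for row in triage(SAMPLE_ALERTS):
        print(row)
```

A DNS reply from a root/TLD server classified as dns-reply-low-ttl with an implied 63+ hops is exactly the record that deserves the "second look" mentioned above, whereas a traceroute-probe verdict is the signature doing what it was written for.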

