Security Incidents mailing list archives
RE: [inbox] RE: Bogus DNS traffic
From: "David Gillett" <gillettdavid () fhda edu>
Date: Fri, 24 Oct 2003 08:35:20 -0700
Just to clarify: When I captured one of these packets, I noticed that the source MAC address was the same as the address in my ARP cache for an internal server. That was what I wrote in my initial description.

Later, I realized that there's an (internal) router between me and that server, and so of course that MAC address is that of the router.

So when I wrote my initial note, I thought I was seeing evidence that the packet had originated within my organization's network. By the time I wrote my follow-up message, I'd realized that all I knew was that it probably came from somewhere outside my SUBnet.

Despite the initial error described above, I really DO know how my routers work. Please stop sending me explanations of how they work -- especially *incorrect* explanations. That wasn't my question.

And to reiterate: Several people have suggested I check

http://people.ists.dartmouth.edu/~gbakos/bindsweep/

I have, and it appears to describe exactly what I'm seeing. Thank you.

David Gillett