Snort mailing list archives

Re: SV: BAD TRAFFIC data in TCP SYN packet


From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 14 Jan 2002 17:31:15 -0500

I doubt it is the Windows Update service itself, but a load-sharing system developed by F5 called 3DNS that they appear to be using.

And yes, the 3DNS load balancer does in fact use the DNS ports, as it is a DNS server with some fancy add-ons to try to pick the "fastest" server for a user based on where the query came from. So if your DNS server tries to resolve a name for an IP using this system, these strange packets will be generated as part of them trying to figure out the lowest network latency to your server (using TCP SYNs instead of pings or other things that most people filter).

Here's a very good analysis of the 3dns traffic and the strange packets:

http://www.incidents.org/detect/3dns.php


The appliance-type device appears to use an xBSD-derived IP stack, apparently with value-added TCP/IP stack features including sending a small fistful (10-16ish) of 0x00 bytes as data in TCP SYN packets. This strikes me as a strange, but relatively harmless, bug in their stack implementation, but who knows, they may have done it on purpose...


Some information on the 3DNS product itself is at:

http://www.f5.com/f5products/3dns/index.html


At 10:13 PM 1/14/2002 +0100, Lars Jørgensen IT wrote:
>Got similar and they resolved to something.windowsupdate.com. I am
>wondering if this has anything to do with Windows XP and its auto-update features.
>
>It goes to my DNS server on port 53, and that server is a Windows 2000 box.
>I doubt Microsoft's update protocol would use the DNS port for updates.
>
>
>Lars

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
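The condition behind the "BAD TRAFFIC data in TCP SYN packet" alert discussed in this thread, as an added example that is not part of the original posts or of Snort: a small parser that takes a raw IPv4/TCP packet, checks for SYN-without-ACK carrying payload, and additionally reports whether that payload is the all-0x00 fill described above. The packet builder, addresses and ports are constructed for illustration; checksums are left zero since the check does not validate them.

```python
import struct

# Constructed sample builder: an IPv4 packet with a 20-byte TCP header
# from a hypothetical probe host (10.0.0.1) to a DNS server (192.0.2.10:53).
# Checksums are zero because syn_data_check() does not verify them.
def build_syn(payload: bytes, flags: int = 0x02) -> bytes:
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + 20 + len(payload), 0x1234, 0x4000,
                         64, 6, 0, bytes([10, 0, 0, 1]), bytes([192, 0, 2, 10]))
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          40000, 53, 1, 0, 5 << 4, flags, 8192, 0, 0)
    return ip_hdr + tcp_hdr + payload

def syn_data_check(pkt: bytes):
    """Return (is_suspicious, payload_len, all_zero) for a raw IPv4 packet.

    is_suspicious is True when the TCP header has SYN set without ACK and
    the segment still carries payload bytes, the condition Snort flags as
    'BAD TRAFFIC data in TCP SYN packet'. all_zero tells whether that
    payload is entirely 0x00, the pattern attributed to 3DNS above."""
    ihl = (pkt[0] & 0x0F) * 4                     # IP header length in bytes
    total_len = struct.unpack("!H", pkt[2:4])[0]  # IP total length
    if pkt[9] != 6:                               # not TCP
        return (False, 0, False)
    tcp = pkt[ihl:total_len]
    data_off = (tcp[12] >> 4) * 4                 # TCP header length in bytes
    flags = tcp[13]
    syn, ack = bool(flags & 0x02), bool(flags & 0x10)
    payload = tcp[data_off:]
    all_zero = len(payload) > 0 and payload == b"\x00" * len(payload)
    return (syn and not ack and len(payload) > 0, len(payload), all_zero)

if __name__ == "__main__":
    # The 3DNS-style case from the thread: a SYN carrying 12 null bytes.
    print(syn_data_check(build_syn(b"\x00" * 12)))  # → (True, 12, True)
```

SYN segments with payload are also legitimate under TCP Fast Open (RFC 7413), so on modern networks the all-zero fill is the more specific tell for this particular source.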

