Snort mailing list archives
Re: SV: BAD TRAFFIC data in TCP SYN packet
From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 14 Jan 2002 17:31:15 -0500
I doubt it is the windows update service itself, but a load-sharing system developed by f5 called 3dns that they appear to be using.
And yes, the 3dns load balancer does in fact use the DNS ports as it is a DNS server with some fancy addons to try to pick the "fastest" server for a user based on where the query came from. So if your dns server tries to resolve a name for an IP using this system these strange packets will be generated as part of them trying to figure out the lowest network latency to your server (using tcp syn's instead of pings or other things that most people filter.)
Here's a very good analysis of the 3dns traffic and the strange packets: http://www.incidents.org/detect/3dns.php

The appliance-type device appears to use an xBSD-derived IP stack, apparently with value-added TCP/IP stack features including sending a small fistful (10-16ish) of 0x00 bytes as data in TCP SYN packets. This strikes me as a strange but relatively harmless bug in their stack implementation, but who knows, they may have done it on purpose...
Some information on the 3dns product itself is at: http://www.f5.com/f5products/3dns/index.html

At 10:13 PM 1/14/2002 +0100, Lars Jørgensen IT wrote:
>Got similar and they resolved to something.windowsupdate.com. I am wondering
>if this has anything to do with windows XP and its auto-update features. It
>goes to my DNS server on port 53, and that server is a windows 2000 box. I
>doubt microsoft's update-protocol would use DNS-port for updates.
>
>Lars
>
>_______________________________________________
>Snort-users mailing list
>Snort-users () lists sourceforge net
>Go to this URL to change user options or unsubscribe:
>https://lists.sourceforge.net/lists/listinfo/snort-users
>Snort-users list archive:
>http://www.geocrawler.com/redir-sf.php3?list=snort-users
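The alert in the subject line fires on any TCP SYN that carries payload, and the thread explains why the 3-DNS probes trip it: a bare SYN padded with a handful of 0x00 bytes, aimed at the DNS port. The following is an added illustration, not code from the thread, from Snort, or from F5: a small IPv4/TCP parser that reproduces the "data in SYN" check and then separates the zero-padded pattern Matt describes from any other SYN carrying data, so an analyst can triage the two differently. The packets are constructed inline for the test (checksums are left at zero), the 10-16 byte window is taken from Matt's "10-16ish" description, and the IP addresses are documentation-range placeholders.

```python
import struct
from ipaddress import IPv4Address
from typing import Optional, Tuple

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int,
                   flags: int, payload: bytes = b"") -> bytes:
    """Construct a minimal IPv4+TCP packet (no options, checksums 0) as test input.
    This is a constructed fixture for the classifier below, not captured traffic."""
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          sport, dport,
                          0x1000, 0,          # seq, ack
                          5 << 4, flags,      # data offset = 5 words, flag byte
                          8192, 0, 0)         # window, checksum, urgent pointer
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len,  # version/IHL, TOS, total length
                         0, 0x4000,           # id, DF flag / fragment offset
                         64, 6, 0,            # TTL, protocol TCP, checksum
                         IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip_hdr + tcp_hdr + payload


def parse_ipv4_tcp(pkt: bytes) -> Optional[Tuple[str, str, int, int, int, bytes]]:
    """Return (src, dst, sport, dport, tcp_flags, payload) or None if not IPv4/TCP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 6 or len(pkt) < ihl + 20:
        return None
    src = str(IPv4Address(pkt[12:16]))
    dst = str(IPv4Address(pkt[16:20]))
    tcp = pkt[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4   # TCP header length in bytes, options included
    flags = tcp[13]
    return src, dst, sport, dport, flags, tcp[data_off:]


def classify_syn(pkt: bytes) -> Optional[str]:
    """Triage a connection-opening SYN.

    "syn"             - ordinary handshake opener, no payload
    "syn_zero_padded" - SYN carrying 10-16 bytes of 0x00, the 3-DNS probe pattern
                        described in the thread (assumed window, not a vendor spec)
    "syn_with_data"   - any other SYN with payload: the generic alert condition
    None              - not IPv4/TCP, or not a bare SYN (SYN/ACK replies are skipped)
    """
    parsed = parse_ipv4_tcp(pkt)
    if parsed is None:
        return None
    _src, _dst, _sport, _dport, flags, payload = parsed
    if not (flags & TCP_SYN) or (flags & TCP_ACK):
        return None
    if not payload:
        return "syn"
    if 10 <= len(payload) <= 16 and payload == b"\x00" * len(payload):
        return "syn_zero_padded"
    return "syn_with_data"


if __name__ == "__main__":
    # Constructed samples: a 3-DNS style probe to port 53, a normal SYN, and a SYN
    # carrying real application data (still alert-worthy, but a different case).
    samples = [
        build_ipv4_tcp("192.0.2.10", "198.51.100.53", 53, 53, TCP_SYN, b"\x00" * 12),
        build_ipv4_tcp("192.0.2.10", "198.51.100.53", 40000, 80, TCP_SYN),
        build_ipv4_tcp("192.0.2.10", "198.51.100.53", 40000, 80, TCP_SYN, b"GET / HTTP/1.0\r\n"),
    ]
    for pkt in samples:
        src, dst, sport, dport, _flags, payload = parse_ipv4_tcp(pkt)
        print(f"{src}:{sport} -> {dst}:{dport} dsize={len(payload)} -> {classify_syn(pkt)}")
```

Splitting the generic condition this way lets a site keep the broad "data in SYN" rule while routing the known load-balancer probe pattern to a lower-priority bucket, rather than dropping the rule altogether.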
Current thread:
- BAD TRAFFIC data in TCP SYN packet Lars Jørgensen IT (Jan 13)
- Re: BAD TRAFFIC data in TCP SYN packet Chris Keladis (Jan 13)
- Re: BAD TRAFFIC data in TCP SYN packet Matt Kettler (Jan 14)
- Re: BAD TRAFFIC data in TCP SYN packet Dewey Paciaffi (Jan 14)
- Re: BAD TRAFFIC data in TCP SYN packet Martin Roesch (Jan 14)
- Re: BAD TRAFFIC data in TCP SYN packet Laurie Zirkle (Jan 15)
- <Possible follow-ups>
- Re: BAD TRAFFIC data in TCP SYN packet Tudor Panaitescu (Jan 14)
- SV: BAD TRAFFIC data in TCP SYN packet Lars Jørgensen IT (Jan 14)
- Re: SV: BAD TRAFFIC data in TCP SYN packet Matt Kettler (Jan 14)
- Re: SV: BAD TRAFFIC data in TCP SYN packet Dan Hollis (Jan 14)
- Re: SV: BAD TRAFFIC data in TCP SYN packet Matt Kettler (Jan 14)
- RE: SV: BAD TRAFFIC data in TCP SYN packet Austad, Jay (Jan 15)
- RE: SV: BAD TRAFFIC data in TCP SYN packet Dan Hollis (Jan 15)
- RE: SV: BAD TRAFFIC data in TCP SYN packet Matt Kettler (Jan 15)
- RE: SV: BAD TRAFFIC data in TCP SYN packet Dan Hollis (Jan 15)