Security Incidents mailing list archives

RE: What is up with i.gtld-servers.net?


From: Ryan Russell <ryan () securityfocus com>
Date: Tue, 19 Jun 2001 09:20:33 -0600 (MDT)

On Mon, 18 Jun 2001, Mike Batchelor wrote:

> Nothing is up with I.gtld-servers.net.  Just because it shows up in a snort
> log, or on ARIS, doesn't mean it's a probe, and doesn't even mean it's
> suspicious.  Check out the other GTLD or root servers.  I bet most of them
> have just as many "reports" on ARIS.

We get lots of DNS-related false positives in ARIS, mostly due to IDS admins
not properly excluding their own DNS servers from the "DNS source porting
attack".  However, that's not what is going on here.


> The most likely explanation is that Snort "lost state" on your outgoing DNS
> queries, because I.gtld-servers.net is taking too long to answer.

I don't think DNS is one of the items Snort keeps state on.

> So it flagged the "unknown" UDP replies as "misc traceroute" traffic.  You
> need to read IDS logs with a jaundiced eye, or you'll go crazy chasing down
> false positives.

The key detail in the logs he sent was the TTL=1, which won't happen under
normal circumstances.  That's what is causing the traceroute rule to go
off.  About the only ways I can think of for those to happen "naturally"
are if they have the default TTL really low on that host for some strange
reason (which would tend to break communications with it for a lot of
hosts) or if there is a loop on the net that is flapping really fast (fast
enough that TTL=small number packets end up getting out).

                                        Ryan
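As an added triage example (not code from the thread or from Snort), the check below applies the reasoning above to constructed alert lines in Snort's full-alert layout: it separates TTL=1 UDP packets that are replies from port 53 to one of our own resolvers from other traceroute candidates, and adds the hop count measured back to the sender to the observed TTL to see whether the implied initial TTL matches any common OS default. The resolver list, the hop counts and the sample alert text are all assumptions supplied inline.

```python
import re
from typing import NamedTuple

COMMON_INITIAL_TTLS = {32, 60, 64, 128, 255}  # typical OS default TTLs

# Constructed alert text in Snort's two-line "full" alert layout (not from the thread);
# the sid/rev fields are placeholders.
SAMPLE_ALERTS = """\
[**] [1:0:0] MISC traceroute [**]
06/18-09:12:01.432110 192.0.2.30:53 -> 10.0.0.53:1057 UDP TTL:1 TOS:0x0 ID:4821 IpLen:20 DgmLen:221
[**] [1:0:0] MISC traceroute [**]
06/18-09:12:44.118900 198.51.100.7:40121 -> 10.0.0.9:33435 UDP TTL:1 TOS:0x0 ID:9 IpLen:20 DgmLen:60
"""

# src:port -> dst:port PROTO TTL:n
PKT_RE = re.compile(r"(\S+):(\d+) -> (\S+):(\d+) (\w+) TTL:(\d+)")


class Verdict(NamedTuple):
    src: str
    kind: str         # "dns-reply" or "probe-candidate"
    implied_ttl: int  # TTL the sender must have started with
    note: str


def triage(alert_text, resolvers, hops_to_src):
    """Classify each alerted packet.

    resolvers   -- our own recursive DNS servers (hosts that query the gTLD servers)
    hops_to_src -- hop count from the sensor back to each source, e.g. measured with
                   traceroute (assumed to be supplied by the analyst)
    """
    verdicts = []
    for m in PKT_RE.finditer(alert_text):
        src, sport, dst, dport, proto, ttl = m.groups()
        # A packet seen with TTL t after h hops left its sender with TTL t + h.
        implied = int(ttl) + hops_to_src.get(src, 0)
        if implied in COMMON_INITIAL_TTLS:
            note = "consistent with a normal default TTL"
        else:
            note = ("implied initial TTL %d matches no common default: "
                    "low default TTL on sender or routing loop" % implied)
        if proto == "UDP" and sport == "53" and dst in resolvers:
            # Answer to a query our resolver sent: exclude the resolver from the rule
            # rather than treat the gTLD server as a prober.
            verdicts.append(Verdict(src, "dns-reply", implied, "reply to our resolver; " + note))
        else:
            verdicts.append(Verdict(src, "probe-candidate", implied, note))
    return verdicts
```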

