RE: [inbox] RE: Bogus DNS traffic

["David Gillett" <gillettdavid () fhda edu>]

  Just to clarify:

  When I captured one of these packets, I noticed that the
source MAC address was the same as the address in my ARP cache 
for an internal server.  That was what I wrote in my initial
description.
  Later, I realized that there's an (internal) router between 
me and that server, and so of course that MAC address is that of 
the router.
  So when I wrote my initial note, I thought I was seeing evidence 
that the packet had originated within my organization's network.  
By the time I wrote my follow-up message, I'd realized that all I 
knew was that it probably came from somewhere outside my SUBnet.
 
  Despite the initial error described above, I really DO 
know how my routers work.  Please stop sending me explanations
of how they work -- especially *incorrect* explanations.  That
wasn't my question.

  And to reiterate:

  Several people have suggested I check

http://people.ists.dartmouth.edu/~gbakos/bindsweep/

I have, and it appears to describe exactly what I'm seeing.
Thank you.

David Gillett

 

---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_incidents_031023
and use priority code SF4.
----------------------------------------------------------------------------