nanog mailing list archives

RE: is your host or dhcp server sending dns dynamic updates for rfc1918?


From: Bruce Williams <brucewms () pacbell net>
Date: Fri, 19 Apr 2002 14:15:17 -0700




-----Original Message-----
From: owner-nanog () merit edu [mailto:owner-nanog () merit edu] On Behalf Of Valdis.Kletnieks () vt edu
Sent: Friday, April 19, 2002 6:39 AM
To: Greg Maxwell
Cc: nanog () merit edu
Subject: Re: is your host or dhcp server sending dns dynamic updates for rfc1918?


On Fri, 19 Apr 2002 09:03:51 EDT, Greg Maxwell <gmaxwell () martin fl us> said:

Does anyone already have a SNORT signature to match on these updates to
aid in tracking down which hosts behind a NAT are guilty for generating
this garbage?

The problem is that the sites that are the big offenders are probably not
the sort of sites that would run Snort.

Now, think about it - one /32 popped off *30K* of these in 4 hours -
and a 'dig -x' shows it to apparently be a DSL line.  So we're seeing
2 or 3 DHCP events *PER SECOND* behind that NAT.  Either they've got
a bunch of machines doing the Reboot Shuffle and have bigger problems,
or they're big enough that 2-3 DHCP per second is reasonable (at which
point you have to wonder how they're THAT big, and depending on a DSL
line.. ;)


I had a dynamic-dns client on my home ADSL system that was generating
requests at that rate a few months ago - I read logs and fixed it, don't
remember how... so this DOES happen ( and to people who do not read logs.. )


Bruce Williams
Benchmarks: Engineering wants to see how fast they can get the wheels to
spin on a car.  Operations wants to know how fast the car will go.  These
are different.
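
One way to spot the updates discussed in this thread from captured DNS payloads, as an added example that is not part of the original messages (Python rather than a Snort rule): it checks for opcode 5 (UPDATE, RFC 2136) with a zone under an RFC 1918 in-addr.arpa name and counts hits per source. All function names and the sample packets are constructed for illustration.

```python
import struct
from collections import Counter

OPCODE_UPDATE = 5  # DNS UPDATE opcode, RFC 2136
def read_name(msg, off):
    """Decode an uncompressed DNS name at off into lowercase labels."""
    labels = []
    while off < len(msg):
        n = msg[off]
        if n == 0:
            return labels
        if n & 0xC0 or off + 1 + n > len(msg):
            break  # compression pointer, reserved bits, or label runs past the end
        labels.append(msg[off + 1:off + 1 + n].decode("ascii", "replace").lower())
        off += 1 + n
    raise ValueError("truncated, compressed or invalid name")

def is_rfc1918_reverse(labels):
    """True for names at or under the 10/8, 172.16/12 or 192.168/16 reverse zones."""
    octets = labels[:-2][::-1]  # reverse names list octets least-significant first
    if labels[-2:] != ["in-addr", "arpa"] or not octets or not all(o.isdigit() for o in octets):
        return False
    first, second = int(octets[0]), int(octets[1]) if len(octets) > 1 else -1
    return first == 10 or (first, second) == (192, 168) or (first == 172 and 16 <= second <= 31)

def rfc1918_update_zone(msg):
    """Return the zone name if msg is an UPDATE request for an RFC 1918 reverse zone."""
    if len(msg) < 12:
        return None
    _id, flags, zocount = struct.unpack("!HHH", msg[:6])
    if flags >> 15 or ((flags >> 11) & 0xF) != OPCODE_UPDATE or zocount != 1:
        return None  # a response, not an UPDATE, or no single zone entry
    try:
        labels = read_name(msg, 12)
    except ValueError:
        return None
    return ".".join(labels) if is_rfc1918_reverse(labels) else None

def build_msg(opcode, zone):
    """Constructed sample: 12-byte header plus one zone entry (type SOA, class IN)."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in zone.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0x1234, opcode << 11, 1, 0, 0, 0) + name + struct.pack("!HH", 6, 1)

def tally(packets):  # packets: iterable of (source address, UDP payload) pairs
    return Counter(src for src, payload in packets if rfc1918_update_zone(payload))

# Constructed (src, payload) pairs; the sources are documentation addresses.
SAMPLE = [("192.0.2.10", build_msg(5, "1.168.192.in-addr.arpa")), ("192.0.2.10", build_msg(5, "10.in-addr.arpa")),
          ("192.0.2.20", build_msg(0, "10.in-addr.arpa")), ("192.0.2.30", build_msg(5, "example.com"))]
```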



