Snort mailing list archives
Re: DNS SPOOF query response with ttl: 1 min. and no authority
From: "James" <the_saint_james () yahoo com>
Date: Sat, 15 Dec 2001 18:31:26 -0700
Note that this is a DNS Time-To-Live, regarding the length of time that the Resource Record should be cached by the client... ...not the more commonly seen IP TTL, which relates to the number of hops a packet gets before it's smooshed.
Cool, that clears one thing up. Here is one I got yesterday. DNS SPOOF query response with ttl: 1 min. and no authority [**] [Classification: Potentially Bad Traffic] [Priority: 2] 12/14-17:01:17.608704 216.2.192.32:53 -> xxx.xxx.xxx.xxx:53 UDP TTL:240 TOS:0x0 ID:47887 IpLen:20 DgmLen:77 DF xxx.xxx.xxx.xxx is my NS, so my NS queried them and they returned a dns ttl of 60 (secs) attempting to override the standard ~12 hrs refresh of the dns cache ? "No authority" would indicate the auth NS for "them" could not respond ? This could indicate the auth NS was downed by a DoS or other means, so it could be spoofed ? Right, wrong or partial credit ? _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- DNS SPOOF query response with ttl: 1 min. and no authority David E. Gianndrea (Dec 14)
- Re: DNS SPOOF query response with ttl: 1 min. and no authority John Sage (Dec 14)
- Re: DNS SPOOF query response with ttl: 1 min. and no authority John Sage (Dec 15)
- Re: DNS SPOOF query response with ttl: 1 min. and no authority James (Dec 15)
- Re: DNS SPOOF query response with ttl: 1 min. and no authority John Sage (Dec 15)
- Re: DNS SPOOF query response with ttl: 1 min. and no authority James (Dec 16)
- Re: DNS SPOOF query response with ttl: 1 min. and no authority John Sage (Dec 15)
- Re: DNS SPOOF query response with ttl: 1 min. and no authority John Sage (Dec 14)