Snort mailing list archives

RE: SV: BAD TRAFFIC data in TCP SYN packet


From: "Austad, Jay" <austad () marketwatch com>
Date: Tue, 15 Jan 2002 09:38:46 -0600

Here's a description of the probe from the help provided in the
configuration interface for the 3dns units:

==========================================
Probe Protocol Specifies which protocol the prober uses to probe LDNS
servers, and in what order the protocols are used.  (The box on the right
side lists the order in which the protocols are used.) 

Note:  If you select DNS_DOT or DNS_REV, a working DNS of some sort must be
running on the probed server.

TCP (Transmission Control Protocol)
This is the most common transport layer protocol used on Ethernet and
Internet.  TCP adds reliable communication, flow-control, multiplexing, and
connection-oriented communication.  It provides full-duplex,
process-to-process connections.   TCP is connection-oriented and
stream-oriented, unlike UDP.


DNS_DOT (DNS Dot)
This protocol is specific to the 3-DNS Controller.  The 3-DNS Controller
sends a DNS Message to the probe target LDNS querying for "." (a dot).  If
the LDNS is not blocking queries from unknown addresses, it answers with a
list of root name servers.  The 3-DNS Controller makes these requests only
to measure network latency and packet loss; it does not use the information
contained in the responses.


DNS_REV (Reverse IP address lookup)
This protocol is specific to the 3-DNS Controller.  The 3-DNS Controller
sends a DNS Message to the probe target LDNS querying for a record of class
IN, type PTR.  Most versions of DNS answer with a record containing their
fully-qualified domain name.  The 3-DNS Controller makes these requests only
to measure network latency and packet loss; it does not use the information
contained in the responses.
==========================================================

If the above methods fail, the prober will do an ICMP echo ping, or failing
that, will try a UDP Traceroute.  The probers can run both on 3dns units, or
their BigIP units (like Cisco's Local Director).  It definitely is quite
noisy; however, it is configurable.  You can disable any of the above
behavior, and also put in a list of IPs or whole networks not to probe.

---------- 
Jay Austad 
Network Security Administrator 
CBS Marketwatch 
612.817.1271 
austad () marketwatch com <mailto:austad () marketwatch com>  
http://cbs.marketwatch.com 
http://www.bigcharts.com 
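The two DNS probe types described in the help text above can be recognised on the wire from the question section alone. The following detector is an added example for this thread, not code from F5 or from the original posts; it assumes the "." probe is a type NS query (the text only says it is answered with the root name server list) and constructs its own sample queries.

```python
import struct

def build_query(qname, qtype, qclass=1, txid=0x1234):
    """Build a minimal uncompressed DNS query (constructed sample input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # QR=0, RD=1, QDCOUNT=1
    name = qname.rstrip(".")
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) if name else b""
    return header + labels + b"\x00" + struct.pack("!HH", qtype, qclass)

def parse_question(payload):
    """Return (qname, qtype, qclass) of the first question, or None if malformed."""
    if len(payload) < 12:
        return None
    qdcount = struct.unpack("!H", payload[4:6])[0]
    if qdcount < 1:
        return None
    pos, labels = 12, []
    while True:
        if pos >= len(payload):
            return None
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers are not valid in a question name
            return None
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(payload):
        return None
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return (".".join(labels) + "." if labels else "."), qtype, qclass

def classify_probe(payload):
    """Label a DNS query as a 3-DNS style latency probe, or None otherwise.
    DNS_DOT: a query for the root name "." (answered with the root NS list).
    DNS_REV: an IN/PTR query under in-addr.arpa (reverse lookup of the LDNS)."""
    q = parse_question(payload)
    if q is None:
        return None
    qname, qtype, qclass = q
    if qname == ".":
        return "DNS_DOT"
    if qclass == 1 and qtype == 12 and qname.endswith(".in-addr.arpa."):
        return "DNS_REV"
    return None
```

Feeding the UDP payload of each inbound port 53 query through classify_probe() separates these probes from ordinary resolver traffic when tuning the alerts discussed in this thread.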




-----Original Message-----
From: Dan Hollis [mailto:goemon () anime net] 
Sent: Monday, January 14, 2002 4:57 PM
To: Matt Kettler
Cc: Lars Jørgensen IT; 'snort-users () lists sourceforge net'; 
bugtraq () securityfocus com
Subject: Re: SV: [Snort-users] BAD TRAFFIC data in TCP SYN packet


On Mon, 14 Jan 2002, Matt Kettler wrote:
Here's a very good analysis of the 3dns traffic and the strange packets:
http://www.incidents.org/detect/3dns.php
Some information on the 3dns product itself is at:
http://www.f5.com/f5products/3dns/index.html

Has anyone contacted f5 to ask them why they are sending malformed packets?

Not that I really expect them to give a straight answer, but it could be
enlightening...

-Dan
-- 
[-] Omae no subete no kichi wa ore no mono da. [-]


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

