RE: BAD TRAFFIC data in TCP SYN packet

["John York" <YorkJ () brcc edu>]

Brian is right--this from one of the places the packets came from:

> You're absolutely right.  What you are seeing is 3DNS trying to
determine >the best path to your network.

> Bill Olarte
> Network Systems Lead
> Nintendo of America, Inc.


> > > "John York" <YorkJ () brcc edu> 02/25/03 11:02AM >>>
> I've been receiving a lot of IDS alerts (Snort 1.9.0) from three of
your IP >addresses:  205.166.x.x , x, and x.  Investigation I've done so
far >indicates they may be F5 3DNS servers searching for quick paths to
our >network, presumably after someone hits your web site.

> Do you have F5 3DNS servers, or know where these packets are coming
from?



> -----Original Message-----
> From: Coyle, Brian [mailto:Brian.Coyle () disney com]
> Sent: Tuesday, February 25, 2003 1:12 PM
> To: John York; snort-users () lists sourceforge net
> Subject: RE: [Snort-users] BAD TRAFFIC data in TCP SYN packet
>
> > I've been getting a lot of alerts on this the last few days.  There
> > are several source IP addresses, but they are all owned by either
> > Nintendo of America or an ISP in NC.  They are always directed at my
> > public DNS server's port 53.
>
> Might be a Foundry 3DNS load balancer.   see (esp. section 6
> 'Correlations'):
>
> http://cert.uni-stuttgart.de/archive/intrusions/2002/09/msg00123.html
>
>
>
>                                     -- Brian Coyle, GCIA



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users