|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: is your host or dhcp server sending dns dynamic updates for rfc1918?
On Fri, 19 Apr 2002 09:03:51 EDT, Greg Maxwell <[email protected]> said: > Does anyone already have a SNORT signature to match on these updates to > aid in tracking down which hosts behind a NAT are guilty for generating > this garbage? The problem is that the sites that are the big offenders are probably not the sort of sites that would run Snort. Now, think about it - one /32 popped of *30K* of these in 4 hours - and a 'dig -x' shows it to apparently be a DSL line. So we're seeing 2 or 3 DCHP events *PER SECOND* behind that NAT. Either they've got a bunch of machines doing the Reboot Shuffle and have bigger problems, or they're big enough that 2-3 DHCP per second is reasonable (at which point you have to wonder how they're THAT big, and depending on a DSL line.. ;) -- Valdis Kletnieks Computer Systems Senior Engineer Virginia Tech Attachment:
pgp00008.pgp
|