|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical RE: is your host or dhcp server sending dns dynamic updates forrfc1918?
> -----Original Message----- > From: [email protected] [mailto:[email protected]]On Behalf Of > [email protected] > Sent: Friday, April 19, 2002 6:39 AM > To: Greg Maxwell > Cc: [email protected] > Subject: Re: is your host or dhcp server sending dns dynamic > updates for > rfc1918? > > > On Fri, 19 Apr 2002 09:03:51 EDT, Greg Maxwell > <[email protected]> said: > > > Does anyone already have a SNORT signature to match on > these updates to > > aid in tracking down which hosts behind a NAT are guilty > for generating > > this garbage? > > The problem is that the sites that are the big offenders are > probably not > the sort of sites that would run Snort. > > Now, think about it - one /32 popped of *30K* of these in 4 hours - > and a 'dig -x' shows it to apparently be a DSL line. So we're seeing > 2 or 3 DCHP events *PER SECOND* behind that NAT. Either they've got > a bunch of machines doing the Reboot Shuffle and have bigger problems, > or they're big enough that 2-3 DHCP per second is reasonable (at which > point you have to wonder how they're THAT big, and depending on a DSL > line.. ;) > I had a dynamic-dns client on my home ADSL system that was generating requests at that rate a few months ago - I read logs and fixed it, don't remember how... so this DOES happen ( and to people who do not read logs.. ) Bruce Williams Benchmarks: Engineering wants to see how fast they can get the wheels to spin on a car. Operations wants to know how fast the car will go. These are different.
|