RE: What is up with i.gtld-servers.net?

From: Ryan Russell (ryanat_private)
Date: Tue Jun 19 2001 - 08:20:33 PDT

On Mon, 18 Jun 2001, Mike Batchelor wrote:

> Nothing is up with I.gtld-servers.net.  Just because it shows up in a snort
> log, or on ARIS, doesn't mean it's a probe, and doesn't even mean it's
> suspicious.  Check out the other GTLD or root servers.  I bet most of them
> have just as many "reports" on ARIS.

We get lots of DNS-related false positives relating to DNS in ARIS, mostly
due to IDS admins not properly excluding their own DNS servers from the
"DNS source porting attack".  However, that's not what is going on here.

> The most likely explanation is that Snort "lost state" on your outgoing DNS
> queries, because I.gtld-servers.net is taking too long to answer.

I don't think DNS is one of the items Snort keeps state on.

> So it
> flagged the "unknown" UDP replies as "misc traceroute" traffic.  You need to
> read IDS logs with a jaundiced eye, or you'll go crazy chasing down false
> positives.

The key detail in the logs he sent was the TTL=1, which won't happen under
normal circumstances... that's what is causing the traceroute rule to go
off.  About the only ways I can think of for those to happen "naturally"
is if they have the default TTL really low on that host for some strange
reason (which would tend to break communications with it for a lot of
hosts) or if there is a loop on the net that is flapping really fast (fast
enough that TTL=small number packets end up getting out).

					Ryan
    
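As an added illustration of the two points in the reply above (a TTL of 1 is what fires the traceroute rule, and your own DNS servers must be excluded from the "DNS source port" check or every lookup becomes a false positive), here is a small Python checker over constructed packet summaries. It is example code, not part of the original thread and not Snort's own code: the log format, the addresses (documentation ranges) and the two rule conditions are simplified assumptions, not Snort's actual signatures.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample records (documentation-range addresses, not real hosts) in a
# simplified "PROTO src:sport -> dst:dport ttl=N" form; this is not real Snort output.
SAMPLE_LOG = """\
UDP 192.0.2.30:53 -> 10.0.0.5:1037 ttl=1
UDP 192.0.2.30:53 -> 10.0.0.5:1038 ttl=243
UDP 10.0.0.53:53 -> 10.0.0.7:1023 ttl=64
UDP 198.51.100.9:53 -> 10.0.0.7:1023 ttl=55
TCP 203.0.113.4:4000 -> 10.0.0.5:80 ttl=1
"""

LINE_RE = re.compile(
    r"^(?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) ttl=(?P<ttl>\d+)$"
)


def parse_log(text: str) -> List[Dict[str, object]]:
    """Turn each summary line into a record with numeric ports and TTL."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a packet summary
        r: Dict[str, object] = m.groupdict()
        for key in ("sport", "dport", "ttl"):
            r[key] = int(r[key])
        records.append(r)
    return records


def evaluate(records: List[Dict[str, object]],
             own_dns_servers: Set[str]) -> List[Tuple[str, str]]:
    """Apply two simplified IDS checks and return (message, source) pairs."""
    alerts = []
    for r in records:
        # The key detail from the thread: a packet arriving with TTL=1 does not
        # happen in normal traffic, so flag it whatever the protocol is.
        if r["ttl"] <= 1:
            alerts.append(("MISC traceroute (ttl=1)", r["src"]))
        # Simplified "DNS source port" check (an assumption, not Snort's rule):
        # UDP from source port 53 to a privileged port looks like filter evasion,
        # unless it comes from a resolver the site itself operates.
        if (r["proto"] == "UDP" and r["sport"] == 53 and r["dport"] < 1024
                and r["src"] not in own_dns_servers):
            alerts.append(("DNS source port 53 to privileged port", r["src"]))
    return alerts


if __name__ == "__main__":
    for msg, src in evaluate(parse_log(SAMPLE_LOG), {"10.0.0.53"}):
        print(f"{msg} from {src}")
```

Run it once with the internal resolver listed and once with an empty set to see the extra false positive the reply attributes to admins who forget the exclusion.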



    This archive was generated by hypermail 2b30 : Tue Jun 19 2001 - 16:29:29 PDT