RE: What is up with i.gtld-servers.net?

From: Doc Savage (doxavgat_private)
Date: Mon Jun 18 2001 - 19:56:03 PDT


    On Mon, 18 Jun 2001, Mike Batchelor wrote:
    > The most likely explanation is that Snort "lost state" on your outgoing DNS
    > queries, because I.gtld-servers.net is taking too long to answer.  So it
    > flagged the "unknown" UDP replies as "misc traceroute" traffic.  You need to
    > read IDS logs with a jaundiced eye, or you'll go crazy chasing down false
    > positives.
    
    Snort doesn't "keep state" therefore has no state to lose.  Snort does
    pattern matching on a frame by frame basis (with exception to the
    currently rather buggy tcp (yes, TCP, not UDP) stream preprocessor).  The
    misc traceroute alerts are coming from the TTL being 1 when the reply
    passes the IDS.  Understanding that IDS's love to false goes without
    saying, but falses can usually be explained without much problem; this one
    definitely deserves a second look.
    
    > "Valid (sort of) queries"?  Being valid is like being pregnant, there is no
    > "sort-of".  What is "looks ODD" about these packets?  They look like normal
    > DNS replies to me.
    
    Valid I'm guessing meaning it looks like a normal DNS packet.  What looks
    odd is that the TTL is 1.  Seems strange to me that a TLD name server
    would be so many hops away (do any IP stacks start with TTLs lower than
    64?).  Even more strange is that so many others have seen similar results.
    Mind, I haven't even looked into this, more than catching the initial
    email and this response, but it sure looks weird.
    
    > > [**] IDS03 - MISC-Traceroute UDP [**]
    > > 06/15-01:38:06.209014 0:20:6F:5:6:3B -> 0:20:78:10:59:1D type:0x800
    > > len:0x9A
    > > 192.36.144.133:53 -> 206.111.213.146:8708 UDP TTL:1 TOS:0x0 ID:18065
    > > Len: 120
    
    --Dox
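An added example, not part of the thread and not Snort's own code: a small Python triage script for alerts in the format quoted above. It parses the alert blocks, estimates how many hops a packet has travelled from its observed TTL (assuming the sending stack started at one of the common initial TTLs 64, 128 or 255, i.e. nothing lower than 64, as the reply above wonders), and separates source-port-53 replies with an implausible hop count (the case Dox describes) from classic UDP traceroute probes. The first sample block is the alert quoted in the thread; the other blocks, the 33434-33534 probe port range heuristic and the 40-hop plausibility threshold are constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample input. Block 1 is the alert quoted in the thread; blocks 2
# and 3 are made up (a UDP traceroute probe into the classic port range, and a
# low-TTL UDP packet that matches neither pattern).
SAMPLE_ALERTS = """\
[**] IDS03 - MISC-Traceroute UDP [**]
06/15-01:38:06.209014 0:20:6F:5:6:3B -> 0:20:78:10:59:1D type:0x800 len:0x9A
192.36.144.133:53 -> 206.111.213.146:8708 UDP TTL:1 TOS:0x0 ID:18065
Len: 120

[**] IDS03 - MISC-Traceroute UDP [**]
06/15-01:41:00.000002 0:20:6F:5:6:3B -> 0:20:78:10:59:1D type:0x800 len:0x3A
198.51.100.7:40123 -> 206.111.213.146:33435 UDP TTL:1 TOS:0x0 ID:4242
Len: 40

[**] IDS03 - MISC-Traceroute UDP [**]
06/15-01:42:30.000003 0:20:6F:5:6:3B -> 0:20:78:10:59:1D type:0x800 len:0x4E
203.0.113.9:5000 -> 206.111.213.146:5001 UDP TTL:1 TOS:0x0 ID:77
Len: 60
"""


@dataclass
class Alert:
    sig: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    ttl: int


SIG_RE = re.compile(r"\[\*\*\]\s*(.*?)\s*\[\*\*\]")
# Matches the IP/port line only; the MAC line above it does not fit "a.b.c.d:port -> ".
PKT_RE = re.compile(
    r"^(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<proto>\w+) TTL:(?P<ttl>\d+)",
    re.M,
)


def parse_alerts(text: str) -> List[Alert]:
    """Split alert text on blank lines and pull out signature and packet fields."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        sig = SIG_RE.search(block)
        pkt = PKT_RE.search(block)
        if not sig or not pkt:
            continue  # tolerate truncated or non-packet blocks
        alerts.append(Alert(sig.group(1), pkt["src"], int(pkt["sport"]),
                            pkt["dst"], int(pkt["dport"]), pkt["proto"], int(pkt["ttl"])))
    return alerts


COMMON_INITIAL_TTLS = (64, 128, 255)  # assumption: no stack starts below 64


def estimate_hops(ttl: int) -> int:
    """Hops travelled, assuming the sender started at the smallest common initial TTL >= ttl."""
    for initial in COMMON_INITIAL_TTLS:
        if ttl <= initial:
            return initial - ttl
    raise ValueError("TTL cannot exceed 255")


TRACEROUTE_PORTS = range(33434, 33535)  # classic UNIX traceroute UDP probe ports (assumption)
IMPLAUSIBLE_HOPS = 40                   # assumption: a TLD server this far away is suspicious


def triage(alert: Alert) -> str:
    """Classify a MISC-Traceroute style alert by what the packet most likely is."""
    if alert.proto != "UDP":
        return "not-udp"
    hops = estimate_hops(alert.ttl)
    if alert.dport in TRACEROUTE_PORTS and alert.ttl <= 2:
        return "traceroute-probe"          # a real probe expiring near the sensor
    if alert.sport == 53:
        if hops >= IMPLAUSIBLE_HOPS:
            return "dns-reply-implausible-ttl"  # the thread's case: deserves a second look
        return "dns-reply-plausible"
    return "unknown-udp-low-ttl" if alert.ttl <= 2 else "unknown-udp"


def summarize(alerts: List[Alert]) -> Dict[str, int]:
    """Count alerts per triage class so the odd ones stand out from the noise."""
    counts: Dict[str, int] = {}
    for a in alerts:
        label = triage(a)
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for a in parse_alerts(SAMPLE_ALERTS):
        print(f"{a.src}:{a.sport} -> {a.dst}:{a.dport} TTL={a.ttl} "
              f"hops~{estimate_hops(a.ttl)} {triage(a)}")
    print(summarize(parse_alerts(SAMPLE_ALERTS)))
```

The hop estimate is only a lower bound on oddness: a reply from port 53 that has apparently crossed 63 hops is exactly what the thread finds strange, and the script flags it separately from probes that legitimately carry a TTL of 1 at the sensor, rather than lumping both under the same traceroute alert.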
    



    This archive was generated by hypermail 2b30 : Tue Jun 19 2001 - 16:43:28 PDT