Re: Weird DNS scans

From: Seth Milder (mrsethat_private)
Date: Mon Oct 08 2001 - 15:55:10 PDT

  • Next message: James Willmore: "Port 17889 - new attack?"

    John Hall wrote:
    > We've identified several of the sources of these packets as either
    > BIG-IP's or 3-DNS's.  None of them actually have port 6667 open, so
    > that looks like an artifact of some device between the host your ran
    > nmap upon and the destination hosts.  Two of them are 3-DNS's operated
    > by ( and
    > and several of the others are probably BIG-IP's operated by them as
    > well.  It looks like they've modified the 3-DNS Round Trip Time probe
    > settings to do five probes at a time, which some may consider excessive.
    > I've forwarded this information to our Support group to see if we can
    > help them configure their 3-DNS's to be a little less noisy.  If you
    > find these probes obnoxious, you can contact them and ask them to add
    > you to their 3-DNS do-not-probe list.  One thing you should understand
    > is that these probes are prompted by a DNS request from your site and
    > result in you getting better service from their sites.  Once you are
    > on the do-not-probe list, you will most likely get poorer service from
    > them.
    > JMH
    Thanks a lot. If they are not malicious, then it is not such a big deal 
    and I will not pursue it. I've just never seen anything like this and I 
    was just curious to find out what it was. Thanks to the people on this 
    great list, I have my answer.
    Thanks again.
    Seth Milder
    Deptartment of Physics and Astronomy
    MS 3f3
    George Mason University
    Fairfax, VA
    Confidence is simply that quiet, assured feeling you have before you 
    fall flat on your face. -- Dr. L. Binder
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:

    This archive was generated by hypermail 2b30 : Tue Oct 09 2001 - 08:21:22 PDT