Re: Weird DNS scans

From: Seth Milder (mrsethat_private)
Date: Mon Oct 08 2001 - 15:55:10 PDT

  • Next message: James Willmore: "Port 17889 - new attack?"

    John Hall wrote:
    
    > We've identified several of the sources of these packets as either
    > BIG-IP's or 3-DNS's.  None of them actually have port 6667 open, so
    > that looks like an artifact of some device between the host your ran
    > nmap upon and the destination hosts.  Two of them are 3-DNS's operated
    > by realmedia.com (3dns.east.realmedia.com and 3dns.west.realmedia.com)
    > and several of the others are probably BIG-IP's operated by them as
    > well.  It looks like they've modified the 3-DNS Round Trip Time probe
    > settings to do five probes at a time, which some may consider excessive.
    > 
    > I've forwarded this information to our Support group to see if we can
    > help them configure their 3-DNS's to be a little less noisy.  If you
    > find these probes obnoxious, you can contact them and ask them to add
    > you to their 3-DNS do-not-probe list.  One thing you should understand
    > is that these probes are prompted by a DNS request from your site and
    > result in you getting better service from their sites.  Once you are
    > on the do-not-probe list, you will most likely get poorer service from
    > them.
    > 
    > JMH
    > 
    
    
    Thanks a lot. If they are not malicious, then it is not such a big deal 
    and I will not pursue it. I've just never seen anything like this and I 
    was just curious to find out what it was. Thanks to the people on this 
    great list, I have my answer.
    
    
    Thanks again.
    
    
    
    
    
    -- 
    Seth Milder
    Deptartment of Physics and Astronomy
    MS 3f3
    George Mason University
    Fairfax, VA
    --
    Confidence is simply that quiet, assured feeling you have before you 
    fall flat on your face. -- Dr. L. Binder
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Tue Oct 09 2001 - 08:21:22 PDT