[46961] in North American Network Operators' Group


Re: is your host or dhcp server sending dns dynamic updates for rfc1918?

daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Fri Apr 19 09:39:39 2002

Message-Id: <200204191339.g3JDd7Qn010919@foo-bar-baz.cc.vt.edu>
To: Greg Maxwell <gmaxwell@martin.fl.us>
Cc: nanog@merit.edu
In-Reply-To: Your message of "Fri, 19 Apr 2002 09:03:51 EDT."
             <Pine.GSO.4.33.0204190902050.9888-100000@da1server.martin.fl.us> 
From: Valdis.Kletnieks@vt.edu
Date: Fri, 19 Apr 2002 09:39:06 -0400
Errors-To: owner-nanog-outgoing@merit.edu



On Fri, 19 Apr 2002 09:03:51 EDT, Greg Maxwell <gmaxwell@martin.fl.us>  said:

> Does anyone already have a SNORT signature to match on these updates to
> aid in tracking down which hosts behind a NAT are guilty for generating
> this garbage?

The problem is that the sites that are the big offenders are probably not
the sort of sites that would run Snort.

Now, think about it - one /32 popped off *30K* of these in 4 hours -
and a 'dig -x' shows it to apparently be a DSL line.  So we're seeing
2 or 3 DHCP events *PER SECOND* behind that NAT.  Either they've got
a bunch of machines doing the Reboot Shuffle and have bigger problems,
or they're big enough that 2-3 DHCP per second is reasonable (at which
point you have to wonder how they're THAT big, and depending on a DSL
line.. ;)

-- 
				Valdis Kletnieks
				Computer Systems Senior Engineer
				Virginia Tech


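Added example, not part of the original message and not a Snort rule: a small offline matcher in Python for the traffic this thread is about, flagging DNS dynamic update requests (RFC 2136, opcode 5) whose zone is an RFC 1918 reverse zone and counting them per source address. It assumes the UDP payloads have already been extracted from a capture and that the zone name is uncompressed; all function names and the sample packets are constructed for illustration.

```python
import struct
from collections import Counter

OPCODE_UPDATE = 5  # RFC 2136 dynamic update opcode

def read_name(msg, off):
    """Decode the uncompressed DNS name at msg[off:], lower-cased."""
    labels = []
    while msg[off]:                       # IndexError if the name is truncated
        n = msg[off]
        if n & 0xC0 or off + 1 + n > len(msg):
            raise ValueError("compression pointer or truncated label")
        labels.append(msg[off + 1:off + 1 + n].decode("ascii", "replace").lower())
        off += 1 + n
    return ".".join(labels)

def is_rfc1918_reverse(zone):
    """True if zone lies in the reverse tree of 10/8, 172.16/12 or 192.168/16."""
    labels = zone.split(".")
    octets = labels[:-2][::-1]            # most significant octet first
    if labels[-2:] != ["in-addr", "arpa"] or not all(o.isdecimal() for o in octets):
        return False
    o = [int(x) for x in octets] + [-1, -1]   # pad so o[0] and o[1] always exist
    return o[0] == 10 or (o[0] == 172 and 16 <= o[1] <= 31) or (o[0] == 192 and o[1] == 168)

def private_update_zone(payload):
    """Return the zone name if payload is an UPDATE request for a private reverse zone."""
    try:
        _id, flags = struct.unpack("!HH", payload[:4])
        zone = read_name(payload, 12)     # zone section follows the 12-byte header
    except (struct.error, ValueError, IndexError):
        return None
    is_update_request = not flags & 0x8000 and (flags >> 11) & 0xF == OPCODE_UPDATE
    return zone if is_update_request and is_rfc1918_reverse(zone) else None

def offenders(packets):
    """Count matching updates per source from (src, udp_payload) pairs."""
    return Counter(src for src, p in packets if private_update_zone(p))

def build(opcode, zone):
    """Constructed sample: DNS header plus one zone entry (type SOA, class IN)."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in zone.split(".")) + b"\0"
    return struct.pack("!HHHHHH", 0x1234, opcode << 11, 1, 0, 0, 0) + name + struct.pack("!HH", 6, 1)

SAMPLE = [  # constructed traffic; sources are documentation addresses
    ("192.0.2.10", build(5, "1.168.192.in-addr.arpa")),
    ("192.0.2.10", build(5, "20.172.in-addr.arpa")),
    ("192.0.2.77", build(5, "2.0.192.in-addr.arpa")),    # public zone: ignored
    ("192.0.2.77", build(0, "1.168.192.in-addr.arpa")),  # ordinary query: ignored
]
```

Behind a NAT the source seen upstream is the translated address, so a per-host count needs the capture taken on the inside interface.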
