[46980] in North American Network Operators' Group


RE: is your host or dhcp server sending dns dynamic updates for

daemon@ATHENA.MIT.EDU (Bruce Williams)
Fri Apr 19 17:11:01 2002

Date: Fri, 19 Apr 2002 14:15:17 -0700
From: Bruce Williams <brucewms@pacbell.net>
In-reply-to: <200204191339.g3JDd7Qn010919@foo-bar-baz.cc.vt.edu>
To: Valdis.Kletnieks@vt.edu, 'Greg Maxwell' <gmaxwell@martin.fl.us>
Cc: nanog@merit.edu
Reply-To: brucewms@pacbell.net
Message-id: <003901c1e7e7$4fc1ff20$d9ddfea9@faqserv.com>
MIME-version: 1.0
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7BIT
Errors-To: owner-nanog-outgoing@merit.edu




> -----Original Message-----
> From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu]On Behalf Of
> Valdis.Kletnieks@vt.edu
> Sent: Friday, April 19, 2002 6:39 AM
> To: Greg Maxwell
> Cc: nanog@merit.edu
> Subject: Re: is your host or dhcp server sending dns dynamic updates for rfc1918?
>
>
> On Fri, 19 Apr 2002 09:03:51 EDT, Greg Maxwell
> <gmaxwell@martin.fl.us>  said:
>
> > Does anyone already have a SNORT signature to match on these updates to
> > aid in tracking down which hosts behind a NAT are guilty for generating
> > this garbage?
>
> The problem is that the sites that are the big offenders are probably not
> the sort of sites that would run Snort.
>
> Now, think about it - one /32 popped of *30K* of these in 4 hours -
> and a 'dig -x' shows it to apparently be a DSL line.  So we're seeing
> 2 or 3 DHCP events *PER SECOND* behind that NAT.  Either they've got
> a bunch of machines doing the Reboot Shuffle and have bigger problems,
> or they're big enough that 2-3 DHCP per second is reasonable (at which
> point you have to wonder how they're THAT big, and depending on a DSL
> line.. ;)
>

I had a dynamic-dns client on my home ADSL system that was generating
requests at that rate a few months ago - I read logs and fixed it, don't
remember how... so this DOES happen (and to people who do not read logs..)


Bruce Williams
Benchmarks: Engineering wants to see how fast they can get the wheels to
spin on a car.  Operations wants to know how fast the car will go.  These
are different.
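
The matching logic behind the signature asked for in the quoted question, as an added example that is not part of the original thread: it flags DNS UPDATE requests (opcode 5, RFC 2136) whose zone is an RFC 1918 reverse zone and tallies them per source. All function names, the `build` helper and the sample addresses are constructed for illustration, and the payloads are assumed to be UDP port 53 message bodies already extracted from a capture.

```python
import struct
from collections import Counter

OPCODE_UPDATE = 5  # DNS UPDATE opcode, RFC 2136

def read_name(msg, off=12):
    """Decode the uncompressed name that follows the 12-byte DNS header."""
    labels = []
    while msg[off]:                      # IndexError on truncated input
        n = msg[off]
        if n & 0xC0:
            raise ValueError("unexpected compression pointer")
        labels.append(msg[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n
    return ".".join(labels).lower()

def is_rfc1918_reverse(zone):
    """True for 10/8, 172.16/12 and 192.168/16 names under in-addr.arpa."""
    parts = zone.split(".")
    octets = parts[:-2][::-1]            # most significant octet first
    if parts[-2:] != ["in-addr", "arpa"] or not octets:
        return False
    if not all(o.isdigit() for o in octets):
        return False
    if octets[0] == "10" or octets[:2] == ["192", "168"]:
        return True
    return octets[0] == "172" and len(octets) > 1 and 16 <= int(octets[1]) <= 31

def rfc1918_update_zone(msg):
    """Return the zone if msg is an UPDATE request for an RFC 1918 reverse zone."""
    if len(msg) < 12:
        return None
    _id, flags, zocount = struct.unpack("!HHH", msg[:6])
    if flags & 0x8000 or (flags >> 11) & 0xF != OPCODE_UPDATE or zocount != 1:
        return None                      # response, other opcode, or odd zone count
    try:
        zone = read_name(msg)
    except (IndexError, ValueError):
        return None
    return zone if is_rfc1918_reverse(zone) else None

def count_offenders(packets):
    """Tally matching updates per source address from (src, payload) pairs."""
    return Counter(src for src, payload in packets if rfc1918_update_zone(payload))

def build(opcode, zone):                 # helper for constructed sample packets only
    name = b"".join(bytes([len(l)]) + l.encode() for l in zone.split(".")) + b"\0"
    return struct.pack("!6H", 0x1234, opcode << 11, 1, 0, 0, 0) + name + struct.pack("!2H", 6, 1)

SAMPLES = [("192.168.1.10", build(5, "1.168.192.in-addr.arpa")),  # constructed
           ("192.168.1.10", build(5, "10.in-addr.arpa")),
           ("192.168.1.11", build(0, "10.in-addr.arpa")),          # plain query
           ("192.168.1.12", build(5, "example.com"))]              # non-1918 zone
```

Run on the inside of the NAT, `count_offenders(SAMPLES)` attributes the updates to individual hosts; on the outside every source collapses to the NAT's public address.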



