| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: j.hall at f5.com (John Hall) Subject: FW: Question for DNS pros It is possible some of the traffic you are seeing is the result of a site using our 3-DNS global load balancing product. A clear indicator that 3-DNS is responsible would be that the probes ID fields start at 1 and increase by one for each packet in a set of probes. 3-DNS sends its probes only in response to DNS queries and uses them to measure round trip time and reachability from each data-center under 3-DNS's control to the client's local DNS server. The data collected is used to direct other requests using that local DNS server to the "best" data-center. You should generally see no more than 9 packets per hour per site using 3-DNS, although one of our customers may have configured more aggressive probing (which we discourage). 3-DNS does maintain a "do-not-probe" list to which you can be added, if the 3-DNS's probe traffic is too obnoxious for you. A verbose tcpdump packet trace including ID numbers would be helpful to identify this traffic. Thanks, JMH Paul Schmehl wrote: > Frank, I've only checked two of the "attacking" IPs, but they are both > BigIP load balancers. I'd bet that they all are, and these packets are > some sort of probe to see if a host that contacted them before is > still alive. > > Paul Schmehl (pauls@...allas.edu) > Adjunct Information Security Officer > The University of Texas at Dallas > AVIEN Founding Member > http://www.utdallas.edu/ir/security/ -- John Hall Test Manager - Switch Team F5 Networks, Inc.
Powered by blists - more mailing lists