lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
From: j.hall at (John Hall)
Subject: FW: Question for DNS pros

It is possible some of the traffic you are seeing is the result of a site
using our 3-DNS global load balancing product. A clear indicator that
3-DNS is responsible would be that the probes ID fields start at 1 and
increase by one for each packet in a set of probes. 3-DNS sends its probes
only in response to DNS queries and uses them to measure round trip time
and reachability from each data-center under 3-DNS's control to the client's
local DNS server. The data collected is used to direct other requests 
using that local DNS server to the "best" data-center. You should 
generally see
no more than 9 packets per hour per site using 3-DNS, although one of our
customers may have configured more aggressive probing (which we discourage).
3-DNS does maintain a "do-not-probe" list to which you can be added, if
the 3-DNS's probe traffic is too obnoxious for you.

A verbose tcpdump packet trace including ID numbers would be helpful to
identify this traffic.


Paul Schmehl wrote:

> Frank, I've only checked two of the "attacking" IPs, but they are both 
> BigIP load balancers. I'd bet that they all are, and these packets are 
> some sort of probe to see if a host that contacted them before is 
> still alive.
> Paul Schmehl (
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member


John Hall              Test Manager - Switch Team             F5 Networks, Inc.

Powered by blists - more mailing lists