is your host or dhcp server sending dns dynamic updates for rfc1918?
Valdis.Kletnieks at vt.edu
Fri Apr 19 13:39:06 UTC 2002
On Fri, 19 Apr 2002 09:03:51 EDT, Greg Maxwell <gmaxwell at martin.fl.us> said:
> Does anyone already have a SNORT signature to match on these updates to
> aid in tracking down which hosts behind a NAT are guilty for generating
> this garbage?
The problem is that the sites that are the big offenders are probably not
the sort of sites that would run Snort.
Now, think about it - one /32 popped off *30K* of these in 4 hours -
and a 'dig -x' shows it to apparently be a DSL line. So we're seeing
2 or 3 DHCP events *PER SECOND* behind that NAT. Either they've got
a bunch of machines doing the Reboot Shuffle and have bigger problems,
or they're big enough that 2-3 DHCP per second is reasonable (at which
point you have to wonder how they're THAT big, and depending on a DSL
line.. ;)
--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
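
For the tracking question quoted in this message, an offline check over captured UDP port 53 payloads, as an added example that is not part of the original post: it flags DNS UPDATE messages (opcode 5, RFC 2136) whose zone section names an RFC 1918 reverse zone and counts them per source. All function names are hypothetical, and the sample packets and addresses are constructed.

```python
import struct
from collections import Counter

OPCODE_UPDATE = 5  # RFC 2136 dynamic update
RFC1918_REVERSE = {"10.in-addr.arpa", "168.192.in-addr.arpa"} | {
    f"{n}.172.in-addr.arpa" for n in range(16, 32)}  # 10/8, 192.168/16, 172.16/12

def read_name(msg, off):
    """Decode an uncompressed DNS name starting at off; None if malformed."""
    labels = []
    while off < len(msg):
        length = msg[off]
        if length == 0:
            return ".".join(labels).lower()
        if length > 63 or off + 1 + length > len(msg):
            return None  # compression pointer or truncated label
        labels.append(msg[off + 1:off + 1 + length].decode("ascii", "replace"))
        off += 1 + length
    return None

def update_zone(msg):
    """Return the zone named in a DNS UPDATE request, else None."""
    if len(msg) < 12:
        return None
    _id, flags, zocount = struct.unpack("!HHH", msg[:6])
    if flags & 0x8000 or (flags >> 11) & 0xF != OPCODE_UPDATE or zocount < 1:
        return None  # a response, not an UPDATE, or an empty zone section
    return read_name(msg, 12)

def is_rfc1918_reverse(name):
    """True if name is, or lies under, an RFC 1918 reverse zone."""
    labels = name.rstrip(".").split(".")
    return any(".".join(labels[i:]) in RFC1918_REVERSE for i in range(len(labels)))

def count_offenders(packets):
    """packets: iterable of (src_ip, udp_payload); count leaking updates per source."""
    zones = ((src, update_zone(payload)) for src, payload in packets)
    return Counter(src for src, zone in zones if zone and is_rfc1918_reverse(zone))

def build_update(zone):
    """Constructed sample message: header plus zone section (type SOA, class IN)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in zone.split(".")) + b"\0"
    return struct.pack("!HHHHHH", 1, OPCODE_UPDATE << 11, 1, 0, 0, 0) + qname + b"\0\x06\0\x01"

SAMPLE = [  # constructed (source, UDP payload) pairs; documentation addresses
    ("192.0.2.7", build_update("168.192.in-addr.arpa")),
    ("192.0.2.7", build_update("10.in-addr.arpa")),
    ("198.51.100.9", build_update("example.com"))]
```

Run on the inside of the NAT, `count_offenders` names the individual hosts; run outside it, every hit collapses onto the NAT's public address.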