is your host or dhcp server sending dns dynamic updates for rfc1918?

Valdis.Kletnieks at vt.edu
Fri Apr 19 13:39:06 UTC 2002


On Fri, 19 Apr 2002 09:03:51 EDT, Greg Maxwell <gmaxwell at martin.fl.us>  said:

> Does anyone already have a SNORT signature to match on these updates to
> aid in tracking down which hosts behind a NAT are guilty for generating
> this garbage?

The problem is that the sites that are the big offenders are probably not
the sort of sites that would run Snort.

Now, think about it - one /32 popped off *30K* of these in 4 hours -
and a 'dig -x' shows it to apparently be a DSL line.  So we're seeing
2 or 3 DHCP events *PER SECOND* behind that NAT.  Either they've got
a bunch of machines doing the Reboot Shuffle and have bigger problems,
or they're big enough that 2-3 DHCP per second is reasonable (at which
point you have to wonder how they're THAT big, and depending on a DSL
line.. ;)

-- 
				Valdis Kletnieks
				Computer Systems Senior Engineer
				Virginia Tech


More information about the NANOG mailing list