SV: [Snort-users] BAD TRAFFIC data in TCP SYN packet
mkettler at ...4108...
Mon Jan 14 14:31:01 EST 2002
I doubt it is the Windows Update service itself, but a load-sharing system
developed by f5 called 3dns that they appear to be using.
And yes, the 3dns load balancer does in fact use the DNS ports as it is a
DNS server with some fancy addons to try to pick the "fastest" server for a
user based on where the query came from. So if your dns server tries to
resolve a name for an IP using this system these strange packets will be
generated as part of them trying to figure out the lowest network latency
to your server (using tcp syn's instead of pings or other things that most
Here's a very good analysis of the 3dns traffic and the strange packets:
The appliance-type device appears to use an xBSD-derived IP stack,
apparently with value added tcp/ip stack features including sending a small
fistful (10-16ish) of 0x00 bytes as data in TCP syn packets. This strikes
me as a strange, but relatively harmless bug in their stack implementation,
but who knows, they may have done it on purpose...
Some information on the 3dns product itself is at.
At 10:13 PM 1/14/2002 +0100, Lars Jørgensen IT wrote:
> >Got similar and they resolved to something.windowsupdate.com. I am
>if this has anything to do with Windows XP and its auto-update features.
>It goes to my DNS server on port 53, and that server is a Windows 2000 box.
>I doubt Microsoft's update-protocol would use DNS-port for updates.
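For triaging the alert discussed in this message, the following is an added example and not part of the original post: it parses a raw IPv4 packet and separates an initial SYN to port 53 carrying a short run of 0x00 bytes, as described above, from other SYNs that carry data. The 8 to 20 byte bound, the label strings and the addresses in `build_packet` are assumptions made for illustration.

```python
import struct

SYN, ACK = 0x02, 0x10

def classify_syn(pkt: bytes) -> str:
    """Triage one raw IPv4 packet that may have tripped a 'data in TCP SYN' alert."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (pkt[0] & 0x0F) * 4                      # IP header length in bytes
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 6:                                # IP protocol 6 = TCP
        return "not-tcp"
    if ihl < 20 or total_len > len(pkt) or total_len < ihl + 20:
        return "truncated"
    _sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", pkt[ihl:ihl + 14])
    data_off = (off_flags >> 12) * 4               # TCP header length in bytes
    flags = off_flags & 0x3F
    if data_off < 20 or ihl + data_off > total_len:
        return "truncated"
    if not flags & SYN or flags & ACK:
        return "not-initial-syn"
    payload = pkt[ihl + data_off:total_len]
    if not payload:
        return "syn-no-data"
    # Assumed bounds: the post says "10-16ish" bytes, so allow a little slack.
    if dport == 53 and 8 <= len(payload) <= 20 and payload.count(0) == len(payload):
        return "syn-zero-fill-to-53"
    return "syn-other-data"

def build_packet(dport: int, flags: int, payload: bytes) -> bytes:
    """Construct a minimal IPv4+TCP test packet (constructed sample, checksums left 0)."""
    tcp = struct.pack("!HHIIHHHH", 40000, dport, 1, 0, (5 << 12) | flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0, 64, 6, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 53]))
    return ip + tcp + payload

if __name__ == "__main__":
    samples = [("probe-like", build_packet(53, SYN, b"\x00" * 12)),
               ("plain SYN", build_packet(53, SYN, b"")),
               ("SYN with text", build_packet(53, SYN, b"GET / HTTP/1.0"))]
    for label, pkt in samples:
        print(label, "->", classify_syn(pkt))
```

A `syn-zero-fill-to-53` result only says the packet has the shape described in the message; confirming the sender is a matter of checking the source address.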