SV: [Snort-users] BAD TRAFFIC data in TCP SYN packet

Matt Kettler mkettler at ...4108...
Mon Jan 14 14:31:01 EST 2002


I doubt it is the Windows Update service itself, but a load-sharing system 
developed by F5 called 3dns that they appear to be using.

And yes, the 3dns load balancer does in fact use the DNS ports, as it is a 
DNS server with some fancy add-ons to try to pick the "fastest" server for a 
user based on where the query came from. So if your DNS server tries to 
resolve a name for an IP using this system, these strange packets will be 
generated as part of them trying to figure out the lowest network latency 
to your server (using TCP SYNs instead of pings or other things that most 
people filter).

Here's a very good analysis of the 3dns traffic and the strange packets:

http://www.incidents.org/detect/3dns.php


The appliance-type device appears to use an xBSD-derived IP stack, 
apparently with value-added TCP/IP stack features including sending a small 
fistful (10-16ish) of 0x00 bytes as data in TCP SYN packets. This strikes 
me as a strange but relatively harmless bug in their stack implementation, 
but who knows, they may have done it on purpose...


Some information on the 3dns product itself is at:

http://www.f5.com/f5products/3dns/index.html
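To show exactly what the Snort alert above is keyed on, here is a small checker that parses a raw IPv4+TCP packet and flags a SYN (without ACK) that carries payload, the shape of the 3dns probes described in this thread. This is an added example, not code from the original post or from Snort; the packets, addresses and ports are constructed for illustration.

```python
"""Flag TCP SYN segments that carry payload, the condition behind the
"BAD TRAFFIC data in TCP SYN packet" alert. Added example; packets below
are constructed by hand (checksums left zero, not sent on any wire)."""
import struct

TH_SYN, TH_ACK, TH_PSH = 0x02, 0x10, 0x08


def parse_ipv4_tcp(packet: bytes) -> dict:
    """Parse an IPv4+TCP packet (no link-layer header) into the fields we need."""
    ihl = (packet[0] & 0x0F) * 4               # IP header length in bytes
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 6:
        raise ValueError("not a TCP packet")
    tcp = packet[ihl:total_len]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4           # TCP header length in bytes
    return {
        "src": ".".join(str(b) for b in packet[12:16]),
        "dst": ".".join(str(b) for b in packet[16:20]),
        "sport": sport, "dport": dport,
        "flags": off_flags & 0x01FF,
        "payload": tcp[data_off:],
    }


def data_in_syn(packet: bytes) -> bool:
    """True when SYN is set, ACK is clear, and bytes follow the TCP header."""
    p = parse_ipv4_tcp(packet)
    syn_only = bool(p["flags"] & TH_SYN) and not (p["flags"] & TH_ACK)
    return syn_only and len(p["payload"]) > 0


def build_packet(src: str, dst: str, sport: int, dport: int,
                 flags: int, payload: bytes = b"") -> bytes:
    """Construct a minimal IPv4+TCP packet for testing (constructed data)."""
    tcp_hdr = struct.pack("!HHIIHHHH", sport, dport, 1, 0,
                          (5 << 12) | flags, 8192, 0, 0)
    total = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))),
                         bytes(map(int, dst.split("."))))
    return ip_hdr + tcp_hdr + payload


# Constructed samples: a 3dns-style probe (SYN to port 53 with 12 zero
# bytes), a normal SYN, and an ordinary PSH/ACK data segment.
SYN_WITH_DATA = build_packet("192.0.2.10", "198.51.100.5", 40000, 53, TH_SYN, b"\x00" * 12)
PLAIN_SYN = build_packet("192.0.2.10", "198.51.100.5", 40001, 53, TH_SYN)
ACK_WITH_DATA = build_packet("192.0.2.10", "198.51.100.5", 40002, 53, TH_PSH | TH_ACK, b"\x00" * 12)
```

Only the first sample is flagged; a data-carrying PSH/ACK is normal traffic and a bare SYN has no payload, which is why the alert singles out the probe packets rather than the rest of the exchange.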


At 10:13 PM 1/14/2002 +0100, Lars Jørgensen IT wrote:
> > Got similar and they resolved to something.windowsupdate.com. I am
> > wondering if this has anything to do with Windows XP and its auto-update features.
>
> It goes to my DNS server on port 53, and that server is a Windows 2000 box.
> I doubt Microsoft's update-protocol would use the DNS port for updates.
>
>
>Lars
>