[Snort-users] BAD TRAFFIC data in TCP SYN packet

Laurie Zirkle lat at ...214...
Tue Jan 15 04:41:03 EST 2002

Here's the explanation I received last year when pursuing this further:

"This system is a 3DNS box from F5. It performs data center load
balancing by trying to determine which data center you are closest to
and routes you there. It does this through some pretty strange and
intrusive ways and it looks like this box was not brought up in one of
the approved configurations. Pounding port 53 is one of the intrusive
things the product is know to do. I've passed it on to the folks who
created that approved configuration and police the misconfigured boxes."

Of course, it took repeated messages and finally blocking them to
get this to stop.  And this was the only "real" message about this
whole mess I got back from them.  I saw this on one of our nameservers
from Sep 22 20:33:37 -> Oct  2 05:32:19 and on another one from
Oct 24 08:02:57 -> Nov  4 21:53:26.  And I noticed over this past
weekend that it's started again to yet another of our nameservers.


More information about the Snort-users mailing list