Security Incidents mailing list archives
RE: What is up with i.gtld-servers.net?
From: Doc Savage <doxavg () genocide2600 com>
Date: Mon, 18 Jun 2001 20:56:03 -0600 (MDT)
On Mon, 18 Jun 2001, Mike Batchelor wrote:
> The most likely explanation is that Snort "lost state" on your outgoing DNS queries, because I.gtld-servers.net is taking too long to answer. So it flagged the "unknown" UDP replies as "misc traceroute" traffic. You need to read IDS logs with a jaundiced eye, or you'll go crazy chasing down false positives.
Snort doesn't "keep state" and therefore has no state to lose. Snort does pattern matching on a frame-by-frame basis (with the exception of the currently rather buggy TCP (yes, TCP, not UDP) stream preprocessor). The misc traceroute alerts are coming from the TTL being 1 when the reply passes the IDS. Understanding that IDS's love to false goes without saying, but falses can usually be explained without much problem; this one definitely deserves a second look.
> "Valid (sort of) queries"? Being valid is like being pregnant, there is no "sort-of". What is "looks ODD" about these packets? They look like normal DNS replies to me.
Valid, I'm guessing, meaning it looks like a normal DNS packet. What looks odd is that the TTL is 1. Seems strange to me that a TLD name server would be so many hops away (do any IP stacks start with TTLs lower than 64?). Even more strange is that so many others have seen similar results. Mind, I haven't even looked into this, more than catching the initial email and this response, but it sure looks weird.
[**] IDS03 - MISC-Traceroute UDP [**]
06/15-01:38:06.209014 0:20:6F:5:6:3B -> 0:20:78:10:59:1D type:0x800 len:0x9A
192.36.144.133:53 -> 206.111.213.146:8708 UDP TTL:1 TOS:0x0 ID:18065
Len: 120
--Dox
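As an added illustration of the triage described above (this is example code, not code from the thread, from Snort, or from any of the posters): a small Python parser for the Snort 1.x alert quoted in the post, plus a classifier that separates what a TTL-based traceroute signature is written to catch (a low-TTL UDP packet aimed at the classic traceroute destination port range) from a DNS reply that merely arrives with a low TTL. The alert text is the one from the post; the second and third sample lines, the `LOW_TTL` threshold and the `TRACEROUTE_PORTS` range are constructed assumptions for the example.

```python
"""
Triage helper for Snort "MISC-Traceroute UDP" alerts (added example, not from the thread).

Parses the classic Snort 1.x alert text (either on one line, as archived in the
post, or in its original multi-line form) and labels what the TTL-based rule
actually caught.
"""
import re
from dataclasses import dataclass

# Alert quoted in the post (real thread data); whitespace is normalised before matching.
THREAD_ALERT = (
    "[**] IDS03 - MISC-Traceroute UDP [**] 06/15-01:38:06.209014 "
    "0:20:6F:5:6:3B -> 0:20:78:10:59:1D type:0x800 len:0x9A "
    "192.36.144.133:53 -> 206.111.213.146:8708 UDP TTL:1 TOS:0x0 ID:18065 Len: 120"
)
# Constructed sample: a client probe toward the traceroute port range (not from the thread).
CONSTRUCTED_PROBE = (
    "[**] IDS03 - MISC-Traceroute UDP [**] 06/15-01:40:00.000000 "
    "0:20:78:10:59:1D -> 0:20:6F:5:6:3B type:0x800 len:0x4A "
    "206.111.213.146:40123 -> 192.0.2.9:33435 UDP TTL:1 TOS:0x0 ID:4242 Len: 40"
)
# Constructed sample: the same DNS reply with an ordinary TTL (not from the thread).
CONSTRUCTED_NORMAL = (
    "[**] IDS03 - MISC-Traceroute UDP [**] 06/15-01:41:00.000000 "
    "0:20:6F:5:6:3B -> 0:20:78:10:59:1D type:0x800 len:0x9A "
    "192.36.144.133:53 -> 206.111.213.146:8708 UDP TTL:57 TOS:0x0 ID:18066 Len: 120"
)

ALERT_RE = re.compile(
    r"\[\*\*\]\s*(?P<msg>.+?)\s*\[\*\*\]\s*"
    r"(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<smac>[0-9A-Fa-f:]+)\s*->\s*(?P<dmac>[0-9A-Fa-f:]+)\s+"
    r"type:0x(?P<ethtype>[0-9A-Fa-f]+)\s+len:0x(?P<framelen>[0-9A-Fa-f]+)\s+"
    r"(?P<sip>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dip>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<proto>[A-Za-z]+)\s+TTL:(?P<ttl>\d+)\s+TOS:0x(?P<tos>[0-9A-Fa-f]+)\s+"
    r"ID:(?P<ipid>\d+)\s+Len:\s*(?P<plen>\d+)"
)

TRACEROUTE_PORTS = range(33434, 33535)  # assumed: UNIX traceroute default destination ports
LOW_TTL = 2                               # assumed: the TTL a traceroute-style rule keys on


@dataclass
class Alert:
    msg: str
    sip: str
    sport: int
    dip: str
    dport: int
    proto: str
    ttl: int
    payload_len: int   # the "Len:" field (UDP payload length)
    frame_len: int     # the Ethernet "len:0x.." field, decoded from hex


def parse_alert(text: str) -> Alert:
    """Parse one Snort 1.x alert; newlines and repeated spaces are collapsed first."""
    m = ALERT_RE.search(" ".join(text.split()))
    if not m:
        raise ValueError("not a recognised Snort alert line")
    return Alert(
        msg=m["msg"], sip=m["sip"], sport=int(m["sport"]), dip=m["dip"],
        dport=int(m["dport"]), proto=m["proto"].upper(), ttl=int(m["ttl"]),
        payload_len=int(m["plen"]), frame_len=int(m["framelen"], 16),
    )


def classify(a: Alert) -> str:
    """Label what a TTL-based traceroute alert actually caught."""
    if a.proto != "UDP" or a.ttl > LOW_TTL:
        return "other"                 # not the low-TTL UDP pattern the rule is about
    if a.dport in TRACEROUTE_PORTS:
        return "traceroute_probe"      # low TTL toward traceroute ports: the intended match
    if a.sport == 53:
        # Low-TTL packet *from* port 53 is a DNS reply, not a probe: the rule
        # mismatched, but a TTL this low from a name server still wants explaining.
        return "dns_reply_low_ttl"
    return "low_ttl_udp"               # low TTL, neither probe ports nor DNS: look closer


if __name__ == "__main__":
    for sample in (THREAD_ALERT, CONSTRUCTED_PROBE, CONSTRUCTED_NORMAL):
        alert = parse_alert(sample)
        print(f"{alert.sip}:{alert.sport} -> {alert.dip}:{alert.dport} "
              f"TTL={alert.ttl}: {classify(alert)}")
```

The point of the split is the one made in the post: the signature keys on the TTL, so it cannot by itself tell a probe from a reply, and the source port and destination port range are what the analyst has to read off the alert to decide which one it was.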