On Fri, 19 Apr 2002 09:03:51 EDT, Greg Maxwell <gmaxwell@martin.fl.us> said:
> Does anyone already have a SNORT signature to match on these updates to aid in tracking down which hosts behind a NAT are guilty for generating this garbage?

The problem is that the sites that are the big offenders are probably not the sort of sites that would run Snort. Now, think about it - one /32 popped off *30K* of these in 4 hours - and a 'dig -x' shows it to apparently be a DSL line. So we're seeing 2 or 3 DHCP events *PER SECOND* behind that NAT. Either they've got a bunch of machines doing the Reboot Shuffle and have bigger problems, or they're big enough that 2-3 DHCP per second is reasonable (at which point you have to wonder how they're THAT big, and depending on a DSL line.. ;)

--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech