-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu]On Behalf Of Valdis.Kletnieks@vt.edu
Sent: Friday, April 19, 2002 6:39 AM
To: Greg Maxwell
Cc: nanog@merit.edu
Subject: Re: is your host or dhcp server sending dns dynamic updates for rfc1918?

On Fri, 19 Apr 2002 09:03:51 EDT, Greg Maxwell <gmaxwell@martin.fl.us> said:
Does anyone already have a SNORT signature to match on these updates to aid in tracking down which hosts behind a NAT are guilty for generating this garbage?
The problem is that the sites that are the big offenders are probably not the sort of sites that would run Snort.
Now, think about it - one /32 popped off *30K* of these in 4 hours - and a 'dig -x' shows it to apparently be a DSL line. So we're seeing 2 or 3 DHCP events *PER SECOND* behind that NAT. Either they've got a bunch of machines doing the Reboot Shuffle and have bigger problems, or they're big enough that 2-3 DHCP per second is reasonable (at which point you have to wonder how they're THAT big, and depending on a DSL line.. ;)
I had a dynamic-dns client on my home ADSL system that was generating requests at that rate a few months ago - I read logs and fixed it, don't remember how... so this DOES happen (and to people who do not read logs..)

Bruce Williams

Benchmarks: Engineering wants to see how fast they can get the wheels to spin on a car. Operations wants to know how fast the car will go. These are different.
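
Added example, not part of the original thread: the match the requested signature would have to make, written as Python that can be run over captured UDP port 53 payloads at the inside of a NAT to tally which hosts send these updates. It assumes the leaked update names an RFC 1918 reverse zone in its zone section; the function names and the sample packets are constructed for illustration.

```python
import struct
from collections import Counter

OPCODE_UPDATE = 5  # DNS UPDATE opcode, RFC 2136

def build_msg(zone, opcode=OPCODE_UPDATE):
    """Constructed test input: DNS header plus one zone/question entry."""
    hdr = struct.pack("!HHHHHH", 0x1234, opcode << 11, 1, 0, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode() for l in zone.split("."))
    return hdr + name + b"\x00" + struct.pack("!HH", 6, 1)  # type SOA, class IN

def zone_of_update(payload):
    """Return the zone name if payload is a DNS UPDATE request, else None."""
    if len(payload) < 12:
        return None
    _id, flags, zocount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or (flags >> 11) & 0xF != OPCODE_UPDATE or zocount != 1:
        return None  # a response, a different opcode, or a malformed zone count
    labels, pos = [], 12
    while pos < len(payload):
        n = payload[pos]
        if n == 0:
            return ".".join(labels).lower()
        if n & 0xC0:  # compression pointer: not valid in the first name
            return None
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    return None  # name ran past the end of the packet

def is_rfc1918_reverse(zone):
    """True for zones at or under 10/8, 172.16/12, 192.168/16 in in-addr.arpa."""
    parts = zone.rstrip(".").split(".")
    octets = parts[:-2][::-1]  # reverse-zone labels are least significant first
    if parts[-2:] != ["in-addr", "arpa"] or not all(o.isdigit() for o in octets) or not octets:
        return False
    return (octets[0] == "10" or octets[:2] == ["192", "168"]
            or (octets[0] == "172" and len(octets) > 1 and 16 <= int(octets[1]) <= 31))

def offenders(packets):
    """Count RFC 1918 reverse-zone UPDATEs per source; packets = (src, payload)."""
    return Counter(src for src, payload in packets
                   if is_rfc1918_reverse(zone_of_update(payload) or ""))

# Constructed sample traffic; sources are documentation addresses (RFC 5737).
SAMPLE = [(s, build_msg(z, o)) for s, z, o in [
    ("192.0.2.10", "1.168.192.in-addr.arpa", 5), ("192.0.2.10", "10.in-addr.arpa", 5),
    ("192.0.2.20", "20.172.in-addr.arpa", 5), ("192.0.2.30", "example.com", 5),
    ("192.0.2.30", "32.172.in-addr.arpa", 5), ("192.0.2.40", "10.in-addr.arpa", 0)]]
```

Sorting the result of `offenders()` by count puts the noisiest inside hosts first, which is the per-host view the logs on the outside of the NAT cannot give.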