using our 3-DNS global load balancing product. A clear indicator that
3-DNS is responsible would be that the probes' ID fields start at 1 and
increase by one for each packet in a set of probes. 3-DNS sends its probes
only in response to DNS queries and uses them to measure round trip time
and reachability from each data-center under 3-DNS's control to the client's
local DNS server. The data collected is used to direct other requests using that local DNS server to the "best" data-center. You should generally see
no more than 9 packets per hour per site using 3-DNS, although one of our
customers may have configured more aggressive probing (which we discourage).
3-DNS does maintain a "do-not-probe" list to which you can be added, if
3-DNS's probe traffic is too obnoxious for you.
A verbose tcpdump packet trace including ID numbers would be helpful to identify this traffic.
Thanks, JMH
Paul Schmehl wrote:
Frank, I've only checked two of the "attacking" IPs, but they are both BigIP load balancers. I'd bet that they all are, and these packets are some sort of probe to see if a host that contacted them before is still alive.
Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
--
John Hall
Test Manager - Switch Team
F5 Networks, Inc.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
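Added example, not part of the original thread and not F5 code: one way to test a verbose tcpdump trace for the indicator described in the reply above (per-source ID values that start at 1 and rise by one within each set of probes, at no more than 9 packets per hour). It assumes the ID meant is the IP header ID as printed by `tcpdump -v -n` and that the trace spans at most one hour; the sample trace, addresses and function names are constructed for illustration.

```python
import re

# Constructed sample in the two-line layout of `tcpdump -v -n` (documentation
# addresses, arbitrary protocol); not a capture from the thread.
SAMPLE = """\
12:00:01.000100 IP (tos 0x0, ttl 52, id 1, offset 0, flags [none], proto ICMP (1), length 84)
    192.0.2.10 > 198.51.100.5: ICMP echo request, id 7, seq 0, length 64
12:00:01.200100 IP (tos 0x0, ttl 52, id 2, offset 0, flags [none], proto ICMP (1), length 84)
    192.0.2.10 > 198.51.100.5: ICMP echo request, id 7, seq 1, length 64
12:00:02.000100 IP (tos 0x0, ttl 60, id 48211, offset 0, flags [DF], proto ICMP (1), length 84)
    203.0.113.77 > 198.51.100.5: ICMP echo request, id 9, seq 0, length 64
12:20:05.000100 IP (tos 0x0, ttl 52, id 1, offset 0, flags [none], proto ICMP (1), length 84)
    192.0.2.10 > 198.51.100.5: ICMP echo request, id 8, seq 0, length 64
12:20:05.200100 IP (tos 0x0, ttl 52, id 2, offset 0, flags [none], proto ICMP (1), length 84)
    192.0.2.10 > 198.51.100.5: ICMP echo request, id 8, seq 1, length 64
"""

HEADER = re.compile(r"^\S+ IP \(.*?\bid (\d+),")  # first line of a record: IP header ID
ADDRS = re.compile(r"^\s+(\S+) > ")               # continuation line: source address

def ids_by_source(trace):
    """Return {source: [ip_id, ...]} in capture order."""
    ids, pending = {}, None
    for line in trace.splitlines():
        head, addr = HEADER.match(line), ADDRS.match(line)
        if head:
            pending = int(head.group(1))
        elif addr and pending is not None:
            ids.setdefault(addr.group(1), []).append(pending)
            pending = None
    return ids

def probe_sets(id_list):
    """Split IDs into sets that start at 1 and rise by one; None if any ID fits no set."""
    sets = []
    for ip_id in id_list:
        if ip_id == 1:
            sets.append([1])                      # a new set of probes begins
        elif sets and ip_id == sets[-1][-1] + 1:
            sets[-1].append(ip_id)                # next packet of the current set
        else:
            return None                           # this source does not follow the pattern
    return sets

def likely_probe_sources(trace, max_packets=9):
    """Sources whose every packet fits the pattern; over_9 marks more than 9 packets in the trace."""
    found = {src: probe_sets(ids) for src, ids in ids_by_source(trace).items()}
    return {src: {"sets": s, "over_9": sum(map(len, s)) > max_packets}
            for src, s in found.items() if s}
```

A source reported with `over_9` set would fit the more aggressive probing configuration mentioned in the reply rather than the usual rate.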
