Security Incidents: Re: Unwanted DNS connection attempts

Re: Unwanted DNS connection attempts

From: Aj Effin ReznoR <aj_at_REZNOR.COM>
Date: Tue, 5 Sep 2000 20:42:03 -0700

Richard Bejtlich wrote:
>
> Alex,
>
> These are most likely round trip time (RTT) latency
> tests from an F5 3DNS load balancer. I describe
> traffic like this in a paper at http://bejtlich.net
> called "Interpreting Network Traffic." This traffic is
> bothersome but not malicious. You can ignore it. I
> recognize the Exodus source IPs from last year, also.
>
> Richard
> > They are both UDP and TCP, so I also suspect zone transfer attempts.
> >
> > Here are the logs, times GMT+0300, ntp stratum 3 synchronised:
> >
> > Sep 4 20:00:11 ns ipmon[254]: 20:00:10.664287 ed0 @0:20 b 200.211.187.194,3400 -> 192.129.3.227,53 PR tcp len 20 26624 -S IN
> > Sep 4 20:13:32 ns ipmon[254]: 20:13:32.402648 ed0 @0:20 b 209.67.42.162,2200 -> 192.129.3.227,53 PR tcp len 20 26624 -S IN

Alex,

I beg to differ on your last sentence. Richard's email addy was .ro, which
matches with the destination IP of 192.129.3.227.
The first IP listed above, 200.211.187.194, ARINs to a co. in São Paulo, Brazil.

The second IP, 209.67.42.162, is indeed under Exodus, but "belongs" to a company
in New York called "Starmedia".

I wouldn't blame Exodus for this. Not entirely at least. From what I recall of
glancing around in the 2 Exodus centers I've been in, I don't recall seeing any
F5 hardware.

Others in that block follow suit.

-aj.
Received on Sep 06 2000
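For readers who want to triage records like the ones quoted in this thread, here is an added example (not part of the original posts) that parses IPFilter ipmon(8) syslog lines and groups inbound hits on port 53 by source, so a source that sent both a lone TCP SYN and a UDP packet, the pattern the thread attributes to 3DNS RTT probing, stands out from other traffic. The sample log is constructed from the quoted lines plus invented filler records; the 26624 length value is taken verbatim from the thread.

```python
import re
from collections import defaultdict

# Regex for the packet record in an ipmon(8) syslog line, e.g.
#   ... ipmon[254]: 20:00:10.664287 ed0 @0:20 b 200.211.187.194,3400 -> 192.129.3.227,53 PR tcp len 20 26624 -S IN
# fields: timestamp, interface, @group:rule, action (b=block, p=pass),
#         src,port -> dst,port, protocol, header/total length, optional TCP flags, direction.
IPMON_RE = re.compile(
    r"ipmon\[\d+\]:\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<iface>\S+)\s+"
    r"@(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>[bp])\s+"
    r"(?P<src>[\d.]+),(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\w+)\s+len\s+(?P<hlen>\d+)\s+(?P<plen>\d+)"
    r"(?:\s+(?P<flags>-[A-Z]+))?\s+(?P<dir>IN|OUT)\s*$"
)

# Constructed sample: the two blocked SYNs from the thread, an invented UDP packet
# from the first source, and an unrelated SMTP attempt that must be ignored.
SAMPLE_LOG = """\
Sep 4 20:00:11 ns ipmon[254]: 20:00:10.664287 ed0 @0:20 b 200.211.187.194,3400 -> 192.129.3.227,53 PR tcp len 20 26624 -S IN
Sep 4 20:00:11 ns ipmon[254]: 20:00:10.671103 ed0 @0:20 b 200.211.187.194,3400 -> 192.129.3.227,53 PR udp len 20 40 IN
Sep 4 20:13:32 ns ipmon[254]: 20:13:32.402648 ed0 @0:20 b 209.67.42.162,2200 -> 192.129.3.227,53 PR tcp len 20 26624 -S IN
Sep 4 20:14:01 ns ipmon[254]: 20:14:01.000000 ed0 @0:20 b 10.0.0.5,1025 -> 192.129.3.227,25 PR tcp len 20 44 -S IN
"""

def parse_ipmon(line):
    """Return the record's fields as a dict, or None if the line is not an ipmon packet record."""
    m = IPMON_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "hlen", "plen"):
        rec[key] = int(rec[key])
    rec["blocked"] = rec["action"] == "b"
    return rec

def dns_probe_sources(lines, dns_port=53):
    """Group inbound packets to dns_port by source address.

    Returns {src: {"tcp": n, "udp": n, "syn_only": bool}}; syn_only stays True
    while every TCP packet from that source carried only the SYN flag (-S).
    """
    out = defaultdict(lambda: {"tcp": 0, "udp": 0, "syn_only": True})
    for line in lines:
        rec = parse_ipmon(line)
        if rec is None or rec["dir"] != "IN" or rec["dport"] != dns_port:
            continue
        entry = out[rec["src"]]
        entry[rec["proto"]] = entry.get(rec["proto"], 0) + 1
        if rec["proto"] == "tcp" and rec["flags"] != "-S":
            entry["syn_only"] = False  # saw more than a bare SYN, e.g. an established transfer
    return dict(out)

if __name__ == "__main__":
    for src, stats in dns_probe_sources(SAMPLE_LOG.splitlines()).items():
        print(src, stats)
```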
