Security Incidents
mailing list archives
Re: Weird DNS scans
From: Seth Milder <mrseth () physics gmu edu>
Date: Mon, 08 Oct 2001 18:55:10 -0400
John Hall wrote:
> We've identified several of the sources of these packets as either
> BIG-IP's or 3-DNS's. None of them actually have port 6667 open, so
> that looks like an artifact of some device between the host you ran
> nmap upon and the destination hosts. Two of them are 3-DNS's operated
> by realmedia.com (3dns.east.realmedia.com and 3dns.west.realmedia.com)
> and several of the others are probably BIG-IP's operated by them as
> well. It looks like they've modified the 3-DNS Round Trip Time probe
> settings to do five probes at a time, which some may consider excessive.
> I've forwarded this information to our Support group to see if we can
> help them configure their 3-DNS's to be a little less noisy. If you
> find these probes obnoxious, you can contact them and ask them to add
> you to their 3-DNS do-not-probe list. One thing you should understand
> is that these probes are prompted by a DNS request from your site and
> result in you getting better service from their sites. Once you are
> on the do-not-probe list, you will most likely get poorer service from
> them.
> JMH
Thanks a lot. If they are not malicious, then it is not such a big deal
and I will not pursue it. I've just never seen anything like this and I
was just curious to find out what it was. Thanks to the people on this
great list, I have my answer.
Thanks again.
--
Seth Milder
Department of Physics and Astronomy
MS 3f3
George Mason University
Fairfax, VA
--
Confidence is simply that quiet, assured feeling you have before you
fall flat on your face. -- Dr. L. Binder
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com