On Fri, 19 Apr 2002 09:03:51 EDT, Greg Maxwell <[EMAIL PROTECTED]> said:
> Does anyone already have a SNORT signature to match on these updates to
> aid in tracking down which hosts behind a NAT are guilty for generating
> this garbage?

The problem is that the sites that are the big offenders are probably not
the sort of sites that would run Snort.

Now, think about it - one /32 popped off *30K* of these in 4 hours -
and a 'dig -x' shows it to apparently be a DSL line. So we're seeing
2 or 3 DHCP events *PER SECOND* behind that NAT. Either they've got
a bunch of machines doing the Reboot Shuffle and have bigger problems,
or they're big enough that 2-3 DHCP per second is reasonable (at which
point you have to wonder how they're THAT big, and depending on a DSL
line.. ;)
--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
