[30591] in North American Network Operators' Group


Re: lame delegations

daemon@ATHENA.MIT.EDU (Derek J. Balling)
Fri Aug 18 12:44:48 2000

Mime-Version: 1.0
Message-Id: <p04320401b5c3165385c3@[63.201.65.219]>
In-Reply-To: <20000818155712.13943.qmail@xuxa.iecc.com>
Date: Fri, 18 Aug 2000 09:42:48 -0700
To: johnl@iecc.com (John R. Levine), jcomeau@world.std.com,
	nanog@merit.edu
From: "Derek J. Balling" <dredd@megacity.org>
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Errors-To: owner-nanog-outgoing@merit.edu


At 11:57 AM -0400 8/18/00, John R. Levine wrote:
>>Does anyone know of a way to reclaim IPs left registered as hosts by
>>former customers? Let's say Joe Blow moved to another service provider,
>>but he still has ns.joeblow.dom and ns2.joeblow.dom registered using your
>>IP numbers.
>
>Well, since the domain has no name service, it's clearly dead.

Whoa! That's not (necessarily) what he said is happening. You're 
reading another sentence in there. He said they moved to another 
provider, so the new provider MUST be providing service of some kind, 
how about ... e.g.

Where: x.x.x.0/24 is ISP-ONE address-space, y.y.y.0/24 is ISP-TWO 
address-space.

I set up domain.com, at ISP-ONE. I have ns1.domain.com/x.x.x.1, and 
ns2.domain.com/x.x.x.2.

I move domain.com to ISP-TWO and I start using their name servers 
ns1.isptwo.com/y.y.y.1 and ns2.isptwo.com/y.y.y.2.

The domain is NOT lame-delegated, but the address space has been 
appropriated from ISP-ONE's space.

In fact, this is a nice DoS in and of itself. Don't like someone? Set 
up name servers all throughout their address-space, so that they 
can't use them themselves without jumping through hoops, e.g.,

ISPONE.COM - x.x.x.0/24

NS1.ISPONESUCKS.COM - x.x.x.1
NS2.ISPONESUCKS.COM - x.x.x.2
...
NS255.ISPONESUCKS.COM - x.x.x.255

What's to stop a belligerent person from doing this? Especially if 
ISPONESUCKS.COM isn't lame, but maybe has

REAL-NS1.ISPONESUCKS.COM - y.y.y.1
REAL-NS2.ISPONESUCKS.COM - y.y.y.2

So you can't easily forge to/from their namespace to delete the 
errant host declarations, because they can easily NAK the requests. 
If they're using a registrar with no mail-based forms at all (e.g., 
OpenSRS), then you can't even try to forge e-mail (since only the 
Registrar involved with the domain can alter the host-records 
associated with $DOMAIN)

Has anyone seen this DoS in the wild? Strikes me as clinically stupid 
that nobody has seen this and exploited it in the past...

D
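
An added example, not part of the original thread, showing how an ISP can audit for the situation Derek describes: registry host objects whose glue address sits inside the ISP's own prefix but which no current delegation references. The host records, delegations and addresses are constructed (192.0.2.0/24 stands in for ISP-ONE's x.x.x.0/24 and 198.51.100.0/24 for ISP-TWO's y.y.y.0/24); the dictionary shape is an assumption, not any registry's real export format.

```python
import ipaddress
from collections import Counter

ISP_ONE = "192.0.2.0/24"  # constructed stand-in for ISP-ONE's x.x.x.0/24

# Constructed data: registered host object -> glue address the registry holds
HOST_RECORDS = {
    "ns1.domain.com": "192.0.2.1",             # left behind after the move
    "ns2.domain.com": "192.0.2.2",
    "ns1.isptwo.com": "198.51.100.1",          # ISP-TWO's own server
    "ns1.customer.net": "192.0.2.10",          # still a live ISP-ONE customer
    "real-ns1.isponesucks.com": "198.51.100.50",
    "ns1.isponesucks.com": "192.0.2.3",        # host objects parked in ISP-ONE space
    "ns2.isponesucks.com": "192.0.2.4",
    "ns3.isponesucks.com": "192.0.2.5",
}

# Constructed data: zone -> NS names the zone is actually delegated to today
DELEGATIONS = {
    "domain.com": ["ns1.isptwo.com"],
    "customer.net": ["ns1.customer.net"],
    "isponesucks.com": ["real-ns1.isponesucks.com"],
}

def referenced_hosts(delegations):
    """Set of host names that at least one current delegation points at."""
    return {ns.lower().rstrip(".") for names in delegations.values() for ns in names}

def audit_prefix(prefix, host_records, delegations):
    """Return {host: 'referenced' | 'unreferenced'} for every host object
    whose glue address falls inside prefix; other hosts are ignored."""
    net = ipaddress.ip_network(prefix)
    live = referenced_hosts(delegations)
    report = {}
    for name, addr in host_records.items():
        if ipaddress.ip_address(addr) in net:
            name = name.lower().rstrip(".")
            report[name] = "referenced" if name in live else "unreferenced"
    return report

def unreferenced_by_domain(report):
    """Count unreferenced host objects per parent domain; many from one
    domain is the pattern of a sweep through the prefix."""
    counts = Counter()
    for host, status in report.items():
        if status == "unreferenced":
            counts[host.split(".", 1)[1]] += 1
    return dict(counts)

if __name__ == "__main__":
    report = audit_prefix(ISP_ONE, HOST_RECORDS, DELEGATIONS)
    print(report, unreferenced_by_domain(report))
```

Hosts reported as unreferenced are candidates to raise with the sponsoring registrar, which is the only party able to change the host object; a referenced host is a live customer and must not be touched.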
