[40196] in North American Network Operators' Group


Re: trapdoor.merit.edu and other impatient Postfix mailers everywhere (fwd)

daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Fri Aug 3 01:23:50 2001

Message-Id: <200108030523.f735NDw00845@foo-bar-baz.cc.vt.edu>
To: Larry Sheldon <lsheldon@creighton.edu>
Cc: nanog@merit.edu
In-reply-to: Your message of "Thu, 02 Aug 2001 18:44:21 CDT."
             <200108022344.SAA00406@bluejay.creighton.edu> 
From: Valdis.Kletnieks@vt.edu
Date: Fri, 03 Aug 2001 01:23:13 -0400
Errors-To: owner-nanog-outgoing@merit.edu


On Thu, 02 Aug 2001 18:44:21 CDT, Larry Sheldon <lsheldon@creighton.edu>  said:
> Lemesee if I got this right...Paul Vixie doesn't know anybody that can
> pull my IP addresses out of their logs, look them up on ARIN, send me email.

A long time ago, in a galaxy far far away, the hostname 'black-ice.cc.vt.edu'
was listed as an NTP stratum-2 server.  Then the building got re-subnetted,
and its IP address changed.  Then a CNAME for ntp-2.vt.edu was added that
pointed there.  Then the CNAME was moved to point to a different machine.
Then I turned off NTP service to the outside world.

When the recent NTP query-packet security problem was found, that host
had not been answering NTP queries off-campus for *6 months*.  It hadn't
been in clocks.txt for *2 years*.  Our router guy put in a filter on our
main router to log NTP packets.

5 minutes later he took it off, because that host was *STILL* getting
pounded to the level of 100 packets *per second*, courtesy of several
freeware packages that had lived on TUCOWS a long time ago.

In 5 minutes, we also got 15 or 20 hits on an IP address that it hadn't
had for *8 years*.

I'm sure that their packet flux is a lot higher than 100 packets
per second.  So you get to log them, sort out which ones are in duplicate
subnets (remembering that since CIDR, you *DON'T* know where subnets
start and end - are 128.173.x.x and 128.174.x.x 2 /16s or a /15?
Are 198.82.251.x and 198.82.250.x /24s that belong to different companies,
or part of a CIDR block belonging to one organization?  

Remember in your analysis that NSI's whois is *notoriously* inaccurate,
and quite often the "owner of record" of a /16 is a service provider, and
the person you WANT to send the mail to is the admin of the company that
bought a /22 from that provider's /16.

Hint:  You ever had a hack-in attempt at your site, and tried to figure
out who owned the IP address?  How long did it take you?  Have you ever
come up empty-handed?  Good - now design a way to do that look-up several
hundred times *a second*.

But yeah, with a little bit of hand-waving, they could get the mail
to the right admin at the right company.

				Valdis Kletnieks
				Operating Systems Analyst
				Virginia Tech
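The "log them, sort out which ones are in duplicate subnets" step from the message above, as an added example that is not part of the original post or of any tool it mentions. It counts hits per source and per covering prefix over a constructed log snippet, and checks whether two prefixes are bit-aligned neighbours that could form one shorter prefix; the log format and all addresses in it are assumptions for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample of router log lines (source -> destination of NTP queries).
# Not real traffic; the format is an assumption for this example.
SAMPLE_LOG = """\
ntp 128.173.10.5 -> 198.82.251.7
ntp 128.174.20.9 -> 198.82.251.7
ntp 128.173.10.5 -> 198.82.251.7
ntp 198.82.250.33 -> 198.82.251.7
ntp 198.82.251.40 -> 198.82.251.7
ntp 128.172.1.1 -> 198.82.251.7
"""


def count_sources(log_text, prefixlen=24):
    """Count hits per source IP and per covering /prefixlen aggregate."""
    per_ip = Counter()
    per_prefix = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue  # skip blank or malformed lines
        src = ipaddress.ip_address(parts[1])
        per_ip[str(src)] += 1
        # strict=False lets a host address be folded into its prefix.
        net = ipaddress.ip_network((src, prefixlen), strict=False)
        per_prefix[str(net)] += 1
    return per_ip, per_prefix


def single_supernet(a, b):
    """Return the one-bit-shorter prefix covering both networks, or None when
    they are not bit-aligned neighbours (they straddle a prefix boundary)."""
    a, b = ipaddress.ip_network(a), ipaddress.ip_network(b)
    if a == b or a.prefixlen != b.prefixlen or a.prefixlen == 0:
        return None
    sa, sb = a.supernet(), b.supernet()
    return str(sa) if sa == sb else None


def covering_prefixes(networks):
    """Collapse bit-aligned neighbours into shorter prefixes; the rest stay
    separate.  Alignment says nothing about who owns the space."""
    nets = [ipaddress.ip_network(n) for n in networks]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]
```

Bit alignment is all the addresses themselves reveal; whether a /22 was carved out of a provider's /16 and sold to another organization still has to come from a registry lookup.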
