[66238] in North American Network Operators' Group


Re: example.com/net/org DNS records

daemon@ATHENA.MIT.EDU (Brian Bruns)
Mon Jan 5 16:05:56 2004

From: "Brian Bruns" <bruns@2mbit.com>
To: <nanog@merit.edu>
Date: Mon, 5 Jan 2004 15:46:28 -0500
X-SA-Exim-Mail-From: bruns@2mbit.com
Errors-To: owner-nanog-outgoing@merit.edu


> I'd say the problem of 1918 leakage is a bigger concern.

Quite a big problem.  Because some of the major backbones don't bother to
filter that address space in the src of the packets, DDoS tools just love
forging UDP packets with reserved space, which makes it nearly impossible to
correctly track down where it's coming from.

A good example of this issue is with at least two of the AHBL nameservers run
by the SOSDG (I have no idea what the other nameservers are seeing as they are
not managed by us, but they are probably getting similar queries), someone
from 192.168.1.20 is making DNS queries for ip4r lookups under dnsbl.ahbl.org.
Of course, the bogon filters stop it dead in its tracks, but, the fact that
it's getting through across Sprint, Cogentco, and similar isn't a good sign.

Providers should be filtering at their borders both src and dst packets going
to any of the reserved spaces.  If they did, this wouldn't be an issue.

Now, the better question is, what idiot is doing those dnsbl queries on our
servers, and why haven't they noticed that the lookups don't work, and
resolving in general probably isn't working?  Who knows.




< Side note:  sorry about the weird quoting.  OE-Quotefix is somehow barfing
on your message specifically and crashing, so I had to turn it off >
-- 
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.sosdg.org

The AHBL - http://www.ahbl.org
----- Original Message ----- 
From: <Valdis.Kletnieks@vt.edu>
To: "Roger Marquis" <marquis@roble.com>
Cc: <nanog@trapdoor.merit.edu>; <spamtools@lists.abuse.net>
Sent: Sunday, January 04, 2004 3:05 PM
Subject: Re: example.com/net/org DNS records
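
Added example, not part of the original message or of any AHBL/SOSDG tooling: a nameserver operator can measure the leakage described above by scanning query logs for sources inside RFC 1918 space, since an answer to such a source can never be routed back. The log layout (BIND-style "client ip#port: query: name IN type"), the sample lines and the function names are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# RFC 1918 private blocks: never a valid source on the public Internet.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed log layout: "... client <ip>#<port>: query: <name> IN <type>"
QUERY_RE = re.compile(
    r"client (?P<src>[0-9.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")

# Constructed sample lines (not real log data).
SAMPLE_LOG = [
    "05-Jan-2004 15:40:01.101 client 192.168.1.20#1027: query: 2.0.0.127.dnsbl.ahbl.org IN A",
    "05-Jan-2004 15:40:01.350 client 198.51.100.7#53211: query: 2.0.0.127.dnsbl.ahbl.org IN A",
    "05-Jan-2004 15:40:02.004 client 192.168.1.20#1028: query: 9.2.0.192.dnsbl.ahbl.org IN TXT",
    "05-Jan-2004 15:40:02.770 client 172.32.0.5#4000: query: 2.0.0.127.dnsbl.ahbl.org IN A",
    "05-Jan-2004 15:40:03.000 client 10.9.8.7#5353: query: www.example.com IN A",
    "05-Jan-2004 15:40:03.500 general: zone transfer complete",
]

def rfc1918_block(addr):
    """Return the RFC 1918 network containing addr, or None."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    return next((net for net in RFC1918 if ip in net), None)

def leaked_queries(lines, zone):
    """Count queries under `zone` whose source address is RFC 1918 space."""
    suffix = "." + zone.lower().rstrip(".")
    hits = Counter()
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query log line
        qname = m.group("qname").lower().rstrip(".")
        net = rfc1918_block(m.group("src"))
        if net is not None and qname.endswith(suffix):
            hits[(m.group("src"), str(net))] += 1
    return hits

if __name__ == "__main__":
    for (src, net), n in leaked_queries(SAMPLE_LOG, "dnsbl.ahbl.org").items():
        print(f"{src} ({net}): {n} unanswerable queries")
```

The 172.32.0.5 line is there to show the /12 boundary: 172.16.0.0/12 ends at 172.31.255.255, so that source is not counted.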


