[79345] in North American Network Operators' Group
Re: botted hosts
daemon@ATHENA.MIT.EDU (Paul Vixie)
Mon Apr 4 13:08:49 2005
To: nanog@merit.edu
From: Paul Vixie <vixie@vix.com>
Date: 04 Apr 2005 17:08:21 +0000
In-Reply-To: <Pine.GSO.4.58.0504040646370.21115@clifden.donelan.com>
Errors-To: owner-nanog@merit.edu
sean@donelan.com (Sean Donelan) writes:
> Do you want an Internet where your provider decides for you, with whom and
> when you are allowed to communicate? Or do you want to decide for yourself
> whether to accept or not accept the communication?
i want weak protocols restricted to LANs or at most campuses or ISPs. that
means UDP/137, UDP/139, and TCP/25 at the moment. stay tuned, we might be
adding more. oh and as long as you're considering whether to restrict
things to your LAN/campus/ISP, i'm ready to see rfc1918 filters deployed...
#sfo2b.f:i386# tcpdump -n -c 10 src net \( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 \)
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on fxp0, link-type EN10MB (Ethernet), capture size 96 bytes
16:55:10.349179 IP 172.16.1.2.1063 > 192.5.5.241.53: 5330 [1au] MX? mails.hu. (37)
16:55:10.351035 IP 172.16.8.1.1158 > 192.5.5.241.53: 3130 A? www.consumerinput.com. (39)
16:55:10.351528 IP 172.16.8.1.1158 > 192.5.5.241.53: 5184 A? www.consumerinput.com. (39)
16:55:10.352908 IP 172.16.8.1.1158 > 192.5.5.241.53: 15435 A? www.consumerinput.com. (39)
16:55:10.513272 IP 10.14.0.16.32768 > 192.5.5.241.53: 7623% [1au] A? smtp107.apmailer.com. (49)
16:55:10.609281 IP 10.204.1.19.1075 > 192.5.5.241.53: 8176 [1au] PTR? 25.2.0.192.in-addr.arpa. (52)
16:55:10.669655 IP 192.168.240.250.33753 > 192.5.5.241.53: 29750 A? as.adwave.com.L19212.wflu.com. (47)
16:55:10.750369 IP 10.8.224.32.59429 > 192.5.5.241.53: 44783% [1au] A6? ns.mint.net. (40)
16:55:10.770704 IP 192.168.240.250.33753 > 192.5.5.241.53: 56680 A? img07.allegro.pl. (34)
16:55:10.770709 IP 192.168.240.250.33753 > 192.5.5.241.53: 61108 A? img10.allegro.pl. (34)
10 packets captured
hell, as long as we're making a list of the things sender-side network admins
should filter on their end since they're inappropriate for the wide area,
could we increase the readership of BCP38 (if your hair isn't pointy) and/or
SAC004 (otherwise)? oh and if 15,000 of your dsl-connected hosts all start
sending one packet per second to the same distant endpoint, please stop them.
senders and sender-isp's have a long list of things they have to do in order
to not be compared to toxic polluters (a term i believe michael rathbun coined
for use in this context, and for which i am thankful.) don't try to make this
about right-to-communicate or who-gets-to-decide.
--
Paul Vixie
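The tcpdump capture above shows RFC 1918 source addresses leaking out to a public DNS server, which is exactly the traffic the post says sender-side filters (and BCP38 ingress filtering) should have stopped. As an added example that is not part of Vixie's post, the following Python script parses `tcpdump -n` lines of that shape and counts queries per leaked private source and per RFC 1918 block, so an operator can see which internal hosts or customer networks are emitting unroutable sources. The sample input reuses the ten lines from the post plus one constructed line with a public (documentation-range) source to show that it is left alone; the regex only handles the IPv4 `IP src.port > dst.port:` form that `tcpdump -n` prints.

```python
import ipaddress
import re
from collections import Counter

# RFC 1918 private blocks, the same three nets used in the tcpdump filter above.
RFC1918_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Matches the "<ts> IP a.b.c.d.port > e.f.g.h.port:" prefix of a tcpdump -n line.
# Header lines ("listening on ...", "10 packets captured") do not match and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)


def parse_line(line):
    """Return a dict with ts/src/sport/dst/dport for a tcpdump packet line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": m.group("ts"),
        "src": ipaddress.ip_address(m.group("src")),
        "sport": int(m.group("sport")),
        "dst": ipaddress.ip_address(m.group("dst")),
        "dport": int(m.group("dport")),
    }


def is_rfc1918(addr):
    """True if the address falls inside one of the RFC 1918 blocks."""
    return any(addr in net for net in RFC1918_NETS)


def leaked_private_sources(lines):
    """Count packets per RFC 1918 source address seen in the capture."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and is_rfc1918(rec["src"]):
            counts[str(rec["src"])] += 1
    return counts


def leaked_by_block(lines):
    """Count leaked packets per RFC 1918 block, e.g. {'10.0.0.0/8': 3, ...}."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        for net in RFC1918_NETS:
            if rec["src"] in net:
                counts[str(net)] += 1
    return counts


# Sample capture: the ten lines from the post, plus one constructed line with a
# public source (198.51.100.7 is in the RFC 5737 documentation range) that must
# not be flagged.
SAMPLE = """tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on fxp0, link-type EN10MB (Ethernet), capture size 96 bytes
16:55:10.349179 IP 172.16.1.2.1063 > 192.5.5.241.53: 5330 [1au] MX? mails.hu. (37)
16:55:10.351035 IP 172.16.8.1.1158 > 192.5.5.241.53: 3130 A? www.consumerinput.com. (39)
16:55:10.351528 IP 172.16.8.1.1158 > 192.5.5.241.53: 5184 A? www.consumerinput.com. (39)
16:55:10.352908 IP 172.16.8.1.1158 > 192.5.5.241.53: 15435 A? www.consumerinput.com. (39)
16:55:10.513272 IP 10.14.0.16.32768 > 192.5.5.241.53: 7623% [1au] A? smtp107.apmailer.com. (49)
16:55:10.609281 IP 10.204.1.19.1075 > 192.5.5.241.53: 8176 [1au] PTR? 25.2.0.192.in-addr.arpa. (52)
16:55:10.669655 IP 192.168.240.250.33753 > 192.5.5.241.53: 29750 A? as.adwave.com.L19212.wflu.com. (47)
16:55:10.750369 IP 10.8.224.32.59429 > 192.5.5.241.53: 44783% [1au] A6? ns.mint.net. (40)
16:55:10.770704 IP 192.168.240.250.33753 > 192.5.5.241.53: 56680 A? img07.allegro.pl. (34)
16:55:10.770709 IP 192.168.240.250.33753 > 192.5.5.241.53: 61108 A? img10.allegro.pl. (34)
16:55:11.000000 IP 198.51.100.7.40000 > 192.5.5.241.53: 1234 A? example.com. (30)
10 packets captured""".splitlines()


if __name__ == "__main__":
    for src, n in leaked_private_sources(SAMPLE).most_common():
        print(f"{src:>16}  {n} packets")
    for block, n in sorted(leaked_by_block(SAMPLE).items()):
        print(f"{block:>16}  {n} packets")
```

In practice you would feed it `tcpdump -n -l ... | python3 leak_report.py` style output from a border or peering interface; any non-zero count is a source network that is missing the RFC 1918 egress filter (or BCP38 ingress filter) the post is asking for.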