Re: Problems on internet today ?

2003-03-27 Thread Sean Donelan

On Thu, 27 Mar 2003, James-lists wrote:
> Thanks Sean. Sorry for the general fishing and vagueness of my post.
> Finally I have gotten some answers from my upstreams so I have a better
> idea of which gateways to prefer my traffic in & out.

For completeness, I was later informed Level 3 had a fiber cut between
New York City and Washington DC earlier today.




Re: Iraq Telecom Facility

2003-03-27 Thread Sean Donelan

On Fri, 28 Mar 2003, Jeffrey Meltzer wrote:
> MSNBC just reported that 2 Iraq 'Telecom Facilities' were bombed.  Anyone
> know if this is having further reaching effects on the PSTN/Internet in that
> region?

I believe the Iraqi international telecommunications central office is
across the river from the ministry of information in downtown Baghdad.  It
appears to be a new building, with a typical telco look (lots of concrete
and few windows).  The original PTT building in Baghdad was destroyed
during the first Gulf War.

Al Jazeera is reporting Baghdad's main telephone exchange was hit, but I
don't know if that is the same building as the international exchange.

I can still reach some Internet sites in Iraq, but I don't know their
physical routing.  The round-trip time has remained about the same, so
I think they are still in the same place, same route.



Iraq Telecom Facility

2003-03-27 Thread Jeffrey Meltzer

MSNBC just reported that 2 Iraq 'Telecom Facilities' were bombed.  Anyone
know if this is having further reaching effects on the PSTN/Internet in that
region?

Don't see a url on MSNBC or CNN yet.

Jeff


-- 
Jeffrey Meltzer
Network Services Manager
ICS/VillageWorld
631.218.0700 x100


Re: Verizon mail server on MAPS RSS list

2003-03-27 Thread Jack Bates

[EMAIL PROTECTED] wrote:
> If you're going to use a dnsbl, anybody's dnsbl, figure out how to
> whitelist first (or real soon after), because this sort of thing will
> happen from time to time.
>
Or learn how to tell people that spam is evil and under no circumstances
will you accept spam from a system that sends it out in mass volume. If an
AS became insecure and could start allowing anyone to set up new netblock
advertisements from it, you would filter out the AS. If it was small, you
might hardcode in the valid netblocks, but when it's a large AS, you tend
just to shut it all down. Such is the way with smtp.


--
-Jack



Re: Verizon mail server on MAPS RSS list

2003-03-27 Thread jlewis

On Thu, 27 Mar 2003, Josh Gentry wrote:

> We've got customers trying to receive email from people using Verizon for
> Internet access, and we are rejecting that mail because
> out013pub.verizon.net [206.46.170.44] is on the MAPS RSS list.  Can't pull
> up the MAPS RSS website at the moment to check why.  Anyone know contact
> info for Verizon for this kind of issue?

MAPS RSS is a list of open relays, no?  It's a pretty good guess that the 
above mentioned server is therefore an open relay...and it's a correct one 
in this case.

http://www.njabl.org/cgi-bin/lookup.cgi?query=206.46.170.44
http://openrbl.org/ip/206/46/170/44.htm

If you're going to use a dnsbl, anybody's dnsbl, figure out how to 
whitelist first (or real soon after), because this sort of thing will 
happen from time to time.

--
 Jon Lewis [EMAIL PROTECTED]   |  I route
 System Administrator           |  therefore you are
 Atlantic Net                   |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key _________
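
Worked example, added here by the editor and not part of Jon's or anyone
else's post: the DNSBL lookup and the whitelist-first ordering he recommends,
in Python. The list zone "relays.example.org", its answers and the whitelist
/24 are constructed so the code runs offline; 206.46.170.44 is the host from
this thread. A real deployment swaps fake_resolve_a for an actual DNS A query.

```python
import ipaddress

# Constructed DNSBL zone and answers for an offline demonstration (the real
# thing is a DNS A query for <reversed-octets>.<zone>; "relays.example.org"
# is a made-up zone name, not MAPS RSS). 206.46.170.44 is the host from the
# thread; 10.0.0.2 is a filler entry.
FAKE_DNSBL = {
    "44.170.46.206.relays.example.org": "127.0.0.2",
    "2.0.0.10.relays.example.org": "127.0.0.2",
}

# Constructed whitelist: the /24 around the listed Verizon outbound server.
WHITELIST = [ipaddress.IPv4Network("206.46.170.0/24")]


def dnsbl_qname(ip, zone):
    """Build the DNSBL query name: octets reversed, then the list's zone."""
    octets = ipaddress.IPv4Address(ip).packed
    return ".".join(str(b) for b in reversed(octets)) + "." + zone


def fake_resolve_a(qname):
    """Stand-in for a DNS A lookup; returns the answer string or None (NXDOMAIN)."""
    return FAKE_DNSBL.get(qname)


def is_listed(ip, zone, resolve=fake_resolve_a):
    """True only when the list answers with a 127/8 return code.  A resolver
    failure (timeout, SERVFAIL) is treated as 'not listed': a dead or
    unreachable DNSBL must never bounce mail by itself."""
    try:
        answer = resolve(dnsbl_qname(ip, zone))
    except OSError:
        return False
    if answer is None:
        return False
    # Anything outside 127.0.0.0/8 is not a valid DNSBL return code (e.g. a
    # lapsed list domain parked on a web server) and is ignored.
    return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")


def smtp_policy(ip, zone="relays.example.org", whitelist=WHITELIST,
                resolve=fake_resolve_a):
    """Decide what to do with a connecting client: the whitelist is consulted
    BEFORE the DNSBL so a mistaken or disputed listing cannot block a peer
    you have decided to accept mail from."""
    addr = ipaddress.IPv4Address(ip)
    if any(addr in net for net in whitelist):
        return "accept (whitelisted)"
    if is_listed(ip, zone, resolve):
        return "reject (listed in %s)" % zone
    return "accept"


if __name__ == "__main__":
    for client in ("206.46.170.44", "10.0.0.2", "192.0.2.10"):
        print(client, "->", smtp_policy(client))
```

Two things the thread's advice hinges on are visible here: the whitelist is
checked before the list is queried, so a dispute over a listing is settled
locally, and a resolver failure is fail-open, because a list that has gone
dark must not reject all mail. The 127/8 check ignores answers that are not
DNSBL return codes at all; a list that deliberately answers 127.0.0.2 for
everything needs a separate canary test (look up an address that must never
be listed) which this example does not include.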



Re: Problems on internet today ?

2003-03-27 Thread James-lists

Thanks Sean. Sorry for the general fishing and vagueness of my post.
Finally I have gotten some answers from my upstreams so I have a better
idea of which gateways to prefer my traffic in & out.

James Edwards
Routing and Security
[EMAIL PROTECTED]
At the Santa Fe Office: Internet at Cyber Mesa



Re: Problems on internet today ?

2003-03-27 Thread Sean Donelan

On Thu, 27 Mar 2003, James-lists wrote:
> Are others seeing latency and slow or stalled web pages today ? I opened a
> ticket with my provider, who indicates they are seeing problems with many of
> their peers. I am seeing very increased RTT to all the points I usually
> trace to. The latency does start past my provider, after they hand off to
> others, and is not specific to one major provider.

As far as I can tell, none of the providers I checked (at&t, c&w, mfn,
sprint, earthlink) is currently reporting any problems.

Matrix Systems (average.miq.net) shows a long-term trend of increasing
latency and packet loss, but nothing significant yet.  Keynote Systems
is showing a couple of pockets of problems (phoenix, dallas), but nothing
systemic across providers.




Problems on internet today ?

2003-03-27 Thread James-lists

Are others seeing latency and slow or stalled web pages today ? I opened a
ticket with my provider, who indicates they are seeing problems with many of
their peers. I am seeing very increased RTT to all the points I usually trace
to. The latency does start past my provider, after they hand off to others,
and is not specific to one major provider.

james


Re: aljazeera.net domain owned.

2003-03-27 Thread Mike Tancsa


Looks like 213.30.180.218 allows unrestricted zone transfers.

> ls -d ALJAZEERA.NET.
[[213.30.180.218]]
$ORIGIN aljazeera.net.
@               15M IN SOA   ns3 dnsadmin.nav-link.net. (
                             2003032706  ; serial
                             3H          ; refresh
                             1H          ; retry
                             1W          ; expiry
                             15M )       ; minimum
                15M IN NS    ns1sa.navlink.com.
                15M IN NS    ns3
                15M IN MX    10 mail
                15M IN A     213.30.180.219
ns3             15M IN A     213.30.180.218
admin           15M IN A     213.30.180.219
synadmin        15M IN A     213.30.180.220
english         15M IN A     213.30.180.219
jazad01         15M IN A     213.30.180.220
wrc             15M IN A     213.30.180.222
jazad02         15M IN A     213.30.180.220
cm              15M IN A     213.130.180.216
syndication     15M IN A     213.30.180.220
jazad           15M IN A     213.30.180.220
mail            15M IN A     64.110.61.12
www             15M IN CNAME @
bm              15M IN A     213.30.180.221
www1            15M IN A     213.30.180.219
www2            15M IN A     213.30.180.219
ftp             15M IN CNAME @
stats           15M IN A     213.30.180.222
users           15M IN A     213.30.180.219
@               15M IN SOA   ns3 dnsadmin.nav-link.net. (
                             2003032706  ; serial
                             3H          ; refresh
                             1H          ; retry
                             1W          ; expiry
                             15M )       ; minimum
>

Handy to do a quick update on any servers doing recursion.

---Mike



At 03:48 PM 27/03/2003 -0600, John Palmer wrote:

Hmm - don't think so - although nothing is up there - www.aljazeera.net 
resolves to 127.0.0.1.
This is from the MYDOMAIN.COM nameservers listed as the auth for this domain:

; <<>> DiG 8.2 <<>> ns aljazeera.net @b.gtld-servers.net
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 4
;; QUERY SECTION:
;;  aljazeera.net, type = NS, class = IN
;; ANSWER SECTION:
aljazeera.net.          2D IN NS        NS4.MYDOMAIN.COM.
aljazeera.net.          2D IN NS        NS1.MYDOMAIN.COM.
aljazeera.net.          2D IN NS        NS2.MYDOMAIN.COM.
aljazeera.net.          2D IN NS        NS3.MYDOMAIN.COM.
;; ADDITIONAL SECTION:
NS4.MYDOMAIN.COM.       2D IN A         63.251.83.74
NS1.MYDOMAIN.COM.       2D IN A         64.94.117.195
NS2.MYDOMAIN.COM.       2D IN A         216.52.121.228
NS3.MYDOMAIN.COM.       2D IN A         66.150.161.130
;; Total query time: 80 msec
;; FROM: LAIR.LION to SERVER: b.gtld-servers.net  192.33.14.30
;; WHEN: Thu Mar 27 16:38:14 2003
;; MSG SIZE  sent: 31  rcvd: 179
LAIR$ dig www.aljazeera.net @ns1.mydomain.com

; <<>> DiG 8.2 <<>> www.aljazeera.net @ns1.mydomain.com
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4
;; QUERY SECTION:
;;  www.aljazeera.net, type = A, class = IN
;; ANSWER SECTION:
www.aljazeera.net.  2M IN A 127.0.0.1
;; AUTHORITY SECTION:
aljazeera.net.          2M IN NS        ns1.mydomain.com.
aljazeera.net.          2M IN NS        ns2.mydomain.com.
aljazeera.net.          2M IN NS        ns3.mydomain.com.
aljazeera.net.          2M IN NS        ns4.mydomain.com.
;; ADDITIONAL SECTION:
ns1.mydomain.com.       30M IN A        64.94.117.195
ns2.mydomain.com.       30M IN A        216.52.121.228
ns3.mydomain.com.       30M IN A        66.150.161.130
ns4.mydomain.com.       30M IN A        63.251.83.74
;; Total query time: 117 msec
;; FROM: LAIR.LION to SERVER: ns1.mydomain.com  64.94.117.195
;; WHEN: Thu Mar 27 16:38:28 2003
;; MSG SIZE  sent: 35  rcvd: 199
----- Original Message -----
From: "Eric Brunner-Williams in Portland Maine" <[EMAIL PROTECTED]>
To: "Sean Donelan" <[EMAIL PROTECTED]>
Cc: "Abdullah Ibn Hamad Al-Marri" <[EMAIL PROTECTED]>; 
<[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Thursday, March 27, 2003 15:30
Subject: Re: aljazeera.net domain owned.

>
> Earlier today I logged a disparity between the NSI web whois interface
> and the whois commandline interface outputs (http://nic-iq.nic-naa.net,
> bottom of page).
>
> I sent mail to two contacts inside Verisign, and at 4:30pm EST,

Re[2]: Verizon mail server on MAPS RSS list

2003-03-27 Thread Richard Welty

On Thu, 27 Mar 2003 13:24:06 -0800 (PST) Jay Hennigan <[EMAIL PROTECTED]> wrote:
> Verizon allows anyone who forges an @verizon.net From: address
> to relay through their servers.  This behavior is intentional.

ah. then they will find it "challenging" to get off of anybody's open relay
list.

richard
  (just fixed one of those types of open relay at a customer's site)
--
Richard Welty [EMAIL PROTECTED]
Averill Park Networking 518-573-7592
  Unix, Linux, IP Network Engineering, Security




Re: aljazeera.net domain owned.

2003-03-27 Thread John Palmer

Hmm - don't think so - although nothing is up there - www.aljazeera.net
resolves to 127.0.0.1.
This is from the MYDOMAIN.COM nameservers listed as the auth for this domain:

; <<>> DiG 8.2 <<>> ns aljazeera.net @b.gtld-servers.net
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 4
;; QUERY SECTION:
;;  aljazeera.net, type = NS, class = IN

;; ANSWER SECTION:
aljazeera.net.          2D IN NS        NS4.MYDOMAIN.COM.
aljazeera.net.          2D IN NS        NS1.MYDOMAIN.COM.
aljazeera.net.          2D IN NS        NS2.MYDOMAIN.COM.
aljazeera.net.          2D IN NS        NS3.MYDOMAIN.COM.

;; ADDITIONAL SECTION:
NS4.MYDOMAIN.COM.       2D IN A         63.251.83.74
NS1.MYDOMAIN.COM.       2D IN A         64.94.117.195
NS2.MYDOMAIN.COM.       2D IN A         216.52.121.228
NS3.MYDOMAIN.COM.       2D IN A         66.150.161.130

;; Total query time: 80 msec
;; FROM: LAIR.LION to SERVER: b.gtld-servers.net  192.33.14.30
;; WHEN: Thu Mar 27 16:38:14 2003
;; MSG SIZE  sent: 31  rcvd: 179

LAIR$ dig www.aljazeera.net @ns1.mydomain.com

; <<>> DiG 8.2 <<>> www.aljazeera.net @ns1.mydomain.com
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4
;; QUERY SECTION:
;;  www.aljazeera.net, type = A, class = IN

;; ANSWER SECTION:
www.aljazeera.net.  2M IN A 127.0.0.1

;; AUTHORITY SECTION:
aljazeera.net.          2M IN NS        ns1.mydomain.com.
aljazeera.net.          2M IN NS        ns2.mydomain.com.
aljazeera.net.          2M IN NS        ns3.mydomain.com.
aljazeera.net.          2M IN NS        ns4.mydomain.com.

;; ADDITIONAL SECTION:
ns1.mydomain.com.       30M IN A        64.94.117.195
ns2.mydomain.com.       30M IN A        216.52.121.228
ns3.mydomain.com.       30M IN A        66.150.161.130
ns4.mydomain.com.       30M IN A        63.251.83.74

;; Total query time: 117 msec
;; FROM: LAIR.LION to SERVER: ns1.mydomain.com  64.94.117.195
;; WHEN: Thu Mar 27 16:38:28 2003
;; MSG SIZE  sent: 35  rcvd: 199

----- Original Message -----
From: "Eric Brunner-Williams in Portland Maine" <[EMAIL PROTECTED]>
To: "Sean Donelan" <[EMAIL PROTECTED]>
Cc: "Abdullah Ibn Hamad Al-Marri" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Thursday, March 27, 2003 15:30
Subject: Re: aljazeera.net domain owned. 


> 
> Earlier today I logged a disparity between the NSI web whois interface
> and the whois commandline interface outputs (http://nic-iq.nic-naa.net,
> bottom of page).
> 
> I sent mail to two contacts inside Verisign, and at 4:30pm EST, the
> hijack appears to be over, at least as far as NS records are concerned.
> 
> 


Re: aljazeera.net domain owned.

2003-03-27 Thread Eric Brunner-Williams in Portland Maine

Earlier today I logged a disparity between the NSI web whois interface
and the whois commandline interface outputs (http://nic-iq.nic-naa.net,
bottom of page).

I sent mail to two contacts inside Verisign, and at 4:30pm EST, the
hijack appears to be over, at least as far as NS records are concerned.


Re: Verizon mail server on MAPS RSS list

2003-03-27 Thread Vinny Abello
At 03:59 PM 3/27/2003 -0500, Richard Welty wrote:

> On Thu, 27 Mar 2003 13:40:00 -0700 Josh Gentry <[EMAIL PROTECTED]> wrote:
> > We've got customers trying to receive email from people using Verizon for
> > Internet access, and we are rejecting that mail because
> > out013pub.verizon.net [206.46.170.44] is on the MAPS RSS list.  Can't pull
> > up the MAPS RSS website at the moment to check why.  Anyone know contact
> > info for Verizon for this kind of issue?
>
> maps RSS is open relays.
>
> try the abuse.net relay tester on the BL'd IP and see what it turns up,
>
>    http://www.abuse.net/relay.html

Looks like that IP is on quite a few lists actually...

http://rbls.org/?q=206.46.170.44

Must be a very abused Verizon mail server, possibly one of many...

Vinny Abello
Network Engineer
Server Management
[EMAIL PROTECTED]
(973)300-9211 x 125
(973)940-6125 (Direct)
PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0  E935 5325 FBCB 0100 977A
Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com (888)TELLURIAN
There are 10 kinds of people in the world. Those who understand binary and 
those that don't.



Re: burst.net DDoS?

2003-03-27 Thread Allan Liska

-----BEGIN PGP SIGNED MESSAGE-----
Hash: MD5

Hello Danny,

Thursday, March 27, 2003, 3:46:40 PM, you wrote:


D> Hey, I've got several domains hosted on bursts IP space and currently
D> they are getting about 35-45% packet loss. Does anyone have any idea what
D> is going on? I've tried calling them but to no avail sadly enough.

According to their forum:

http://forums.burst.net/showthread.php?s=3e809757b36df1541d1bd78ca8e87f45&threadid=377

They are having problems with their Sprint connection.  According to
the rumor mill, they are being DoS'd, yet again.


allan
- --
Allan Liska
[EMAIL PROTECTED]
http://www.allan.org
http://www.hosthideout.com

-----BEGIN PGP SIGNATURE-----
Version: 2.6

iQCVAwUAPoNm+ykg6TAvIBeFAQHfbAQAs3E0hZ+U8xbPxhRT7wEIbMK+isG6WxD0
L2GlX+r7sBEkwmaAj9mekkTfkF2hMdn6pOsgeSuTVlelufJ1aefIUN8+MLuZkdnF
8FJyF6HGw3JdpsRKPbtCoGWVF6BJ16qFCSW8j9igMFvVO/RzaGdlW0kzz+omGXn2
HB+UCCOTcmY=
=m/kN
-----END PGP SIGNATURE-----




Re: Verizon mail server on MAPS RSS list

2003-03-27 Thread Richard Welty

On Thu, 27 Mar 2003 13:40:00 -0700 Josh Gentry <[EMAIL PROTECTED]> wrote:
> We've got customers trying to receive email from people using Verizon for
> Internet access, and we are rejecting that mail because
> out013pub.verizon.net [206.46.170.44] is on the MAPS RSS list.  Can't pull
> up the MAPS RSS website at the moment to check why.  Anyone know contact
> info for Verizon for this kind of issue?

maps RSS is open relays.

try the abuse.net relay tester on the BL'd IP and see what it turns up,

   http://www.abuse.net/relay.html

richard
--
Richard Welty [EMAIL PROTECTED]
Averill Park Networking 518-573-7592
  Unix, Linux, IP Network Engineering, Security




RE: burst.net DDoS?

2003-03-27 Thread Todd Mitchell - lists

I believe they dropped their AT&T circuit the other day and I've heard
that they're being DDoS'd over their Level3 circuit at the moment.

You probably just have to sit tight until they get things resolved.
Unfortunately these types of incidents are all too common with
Burst/Nocster.

Todd

--


| -----Original Message-----
| From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Danny
| Sent: Thursday, March 27, 2003 3:47 PM
| To: '[EMAIL PROTECTED]'
| Subject: burst.net DDoS?
| 
| 
| Hey, I've got several domains hosted on bursts IP space and currently
| they are getting about 35-45% packet loss. Does anyone have any idea what
| is going on? I've tried calling them but to no avail sadly enough.
| 
| Cheers
| Danny
| Network Security Engineer
| PGP Print: C6AD B205 E3C6 38AB 0164 6604 66F5 CCFC F4ED F1E0
| PGP Key: http://akasha.irt.drexel.edu/danny.asc
| 




burst.net DDoS?

2003-03-27 Thread Danny

Hey, I've got several domains hosted on bursts IP space and currently they
are getting about 35-45% packet loss. Does anyone have any idea what is going
on? I've tried calling them but to no avail sadly enough.

Cheers
Danny
Network Security Engineer
PGP Print: C6AD B205 E3C6 38AB 0164 6604 66F5 CCFC F4ED F1E0
PGP Key: http://akasha.irt.drexel.edu/danny.asc
 


Verizon mail server on MAPS RSS list

2003-03-27 Thread Josh Gentry

We've got customers trying to receive email from people using Verizon for
Internet access, and we are rejecting that mail because
out013pub.verizon.net [206.46.170.44] is on the MAPS RSS list.  Can't pull
up the MAPS RSS website at the moment to check why.  Anyone know contact
info for Verizon for this kind of issue?

Thanks.

Josh
-- 
Josh Gentry  (Call me Gentry.) 
[EMAIL PROTECTED] * [EMAIL PROTECTED] *  505-232-7992 


Re: aljazeera.net domain owned.

2003-03-27 Thread Sean Donelan

On Thu, 27 Mar 2003, Abdullah Ibn Hamad Al-Marri wrote:
> aljazeera.net domain owned.
>
> Per what the Chief Editor of www.aljazeera.net told me in the phone a while
> ago the domain isn't in their control anymore.
>
> all the info got changed and they are wondering how did this happen.

Probably one of the usual methods.  Al Jazeera forgot (or the security
consultant Al Jazeera hired) to implement appropriate security controls
for their domain records, and someone forged a registry update.  This
has happened in the past to numerous other domains, such as AOL.COM,
SEX.COM and others.

There are several levels of security controls a domain name holder can
optionally use.  The default level of security is extremely low, and
easily spoofed.  The domain name holder must take steps to implement
additional security controls.  Unfortunately, relatively few domain name
holders take those additional steps, leaving their domain names
vulnerable to unauthorized updates.

It appears Al Jazeera is learning the same lessons that other highly
visible web sites, e.g. Ebay, CNN, MSNBC, Yahoo, etc, learned years ago.
If Al Jazeera doesn't have the in-house expertise to maintain its service,
I'm sure there are numerous consulting firms looking for business which
could assist them for a moderate fee.



Re: Curing the BIND pain

2003-03-27 Thread Andy Dills

On Thu, 27 Mar 2003 [EMAIL PROTECTED] wrote:

> I suggest that an appropriate technique would be for the BIND server to
> originate traffic on its local subnet that would look suspicious and
> possibly trigger intrusion alarms. Send out some packets to the broadcast
> address. Do some portscanning of all addresses on the subnet. Find any
> open port 80 and retrieve a URL containing
> BIND/server/at/10.7.7.1/has/security/vulnerability, find any open port 25
> and send email to postmaster containing the same message, etc.

Better yet, why not just have it print to console "BIND INSECURE, UPGRADE,
SHUTTING DOWN THE SERVER NOW" and then halt? Far more likely to get
noticed.

> Not enough traffic to be a DoS but enough to show up in various logs in
> case someone is looking at some of them.

If you have somebody looking at firewall or IDS logs, you won't need to be
told to upgrade bind. Besides, plenty of networks who do stay current on
application security would miss a little pretend DOS.

The best solutions I can come up with all revert to the undesired "stop
working" solution, in effect.

My favorite notion, which I didn't even suggest because of Paul's mandate
that the solution not involve breaking bind, would be to return, in
response to every query, the IP address of a special website that says
"THE VERSION OF BIND ON YOUR NAMESERVERS IS VULNERABLE" or whatever, and
include instructions on how to upgrade.

Sure, it will break everything except http, and flood this webserver with
a ridiculous amount of unwanted traffic (bgp anycast with filtering
everything not destined for port 80, to help stem that a little?), but at
least people will know why nothing is working, once they fire up a
browser.

Looming large, of course, is the fact that people would have to upgrade to
get any of this "security upgrade" functionality. So we'd really be only
partially solving a problem in which we won't see any benefit for years to
come, which is usually enough impetus to kill a project these days.

Andy


Andy Dills  301-682-9972
Xecunet, Inc.   www.xecu.net

Dialup * Webhosting * E-Commerce * High-Speed Access



Re: aljazeera.net domain owned.

2003-03-27 Thread Eric Brunner-Williams in Portland Maine

according to the nsi retail interface, the contacts are:

jazeera space channel tv station (account holder)
mj alaliaj7476 (administrative contact)

(they are not one of my retail or wholesale customers, and i'm not operational
as a com/net registrar, yet.)

it is simple enough for them to change the .com zone ns records for their SLD.

folks wanting to move the data from nanog to a web page, just send it to me,
i'll add it as an annex to my "what little i know about .iq" page, at
nic-iq.nic-naa.net

eric


Re: aljazeera.net domain owned.

2003-03-27 Thread Subhi S Hashwa

On Thu, Mar 27, 2003 at 07:14:13PM +0300, Abdullah Ibn Hamad Al-Marri wrote:
> Hello,
> 
> aljazeera.net domain owned.
>

from whois.crsnic.net seems the nameservers are pointing to NSx.MYDOMAIN.COM
verisign whois gives different nameservers. could it be that someone hijacked
the domain off verisign (and they fixed it) or what other possibilities could
have happened there ?

-Subhi

-- 
Subhi S Hashwa *** [EMAIL PROTECTED]
---
When everything's coming your way, you're in the wrong lane.


aljazeera.net domain owned.

2003-03-27 Thread Abdullah Ibn Hamad Al-Marri

Hello,

aljazeera.net domain owned.

Per what the Chief Editor of www.aljazeera.net told me in the phone a while
ago the domain isn't in their control anymore.

all the info got changed and they are wondering how did this happen.

A visit to the website now would explain it all.

Thanks,

-Abdullah




Re: Domain oddity - possibly early warning...

2003-03-27 Thread Rodney Joffe

Thanks for the response Matt... more below...

Matt Larson wrote:
> 
> On Tue, 25 Mar 2003, Rodney Joffe wrote:
> > We've noticed something we've never noticed before that became evident
> > at 14:00 today...  and which could be an isolated glitch at
> > Verisign/Netsol, or it could be a sign of a larger problem looming.
> 
> Or perhaps it could be the result of perfectly normal operations.

for various values of normal ;-)
 
> This behavior is normal.  The owning registrar for this domain,
> Network Solutions, removed both name servers during the evening (EST)
> of 24 March.  A domain with no name servers is a legal state in the
> com/net registry database.  In such a case, however, the domain does
> not appear in the com/net zones.  (How could it--it has no name
> servers.)  The domain was again modified during the evening (EST) of
> 25 March, when two name servers were added.  It was therefore included
> in the com zone with SOA serial 2003032600.

OK...
 
> This is a good opportunity to point out the separation between
> VeriSign Global Registry Services (VGRS), the registry for com/net,
> and the various ICANN-accredited registrars, including Network
> Solutions.  VGRS makes whatever changes requested by registrars to
> domains they own.  In this case, we just see that the name servers
> were removed and re-added a day later.  Presumably Network Solutions
> took this action based on customer instructions, but you'd have to ask
> them.

We did. The customer did not provide any instructions to NSI to cause
the deletion of the nameservers. NSI's response to the phone call was to
re-enter the nameservers through the UI which they then did, and as you
say, the nameservers re-appeared following the next zone push.
However... and this is where it takes on more general relevance...

I received some 30+ private emails citing similar experiences going back
2 years. And one in particular that may actually provide a clue to the
root cause (assuming NSI is interested). One of the respondents
suggested that based on his experience, perhaps NSI was running a select
statement against the database as a change was being made, and perhaps
record locking played a part. I then queried the customer who confirmed
that they had applied changes to *other* domains in their *account* at
NSI during the day the record first disappeared.  I have so far been
able to confirm with two of the other folks who sent mail that they had
made changes on the day of, or before, the records disappeared. And they
were adamant that they had *not* deleted the nameservers from their
records by mistake when they made the changes. 

Perhaps NSI can follow this trail?

YMMV.
-- 
Rodney Joffe
CenterGate Research Group, LLC.
http://www.centergate.com
"Technology so advanced, even we don't understand it!"(SM)


Re: Curing the BIND pain

2003-03-27 Thread Nathan J. Mehl

In the immortal words of [EMAIL PROTECTED] ([EMAIL PROTECTED]):
> 
> I suggest that an appropriate technique would be for the BIND server to 
> originate traffic on its local subnet that would look suspicious and 
> possibly trigger intrusion alarms. 

Good lord.

I'm a little stuck for a proper analogy for this.  A car that
"helpfully" starts emitting noxious smoke to let you know that it's
time for a tune-up?  A refrigerator that drips bleach into your
vegetable drawers to remind you to replace the coolant?  An answering
machine that replaces the outgoing message with a stream of
profanities to alert callers that the incoming message tape is full?

If people are so concerned about BIND's security that they're willing
to seriously consider implementing ideas like this, why are they not
willing to either consider replacing BIND with DNS software that is
secure by design (*cough* *cough*), or paying the ISC to produce a
properly secured BIND?  

The solution to the Ford Pinto problem was not to recommend that
people duct-tape sofa cushions and homemade warning lights to the back
bumper.

-n

<[EMAIL PROTECTED]>
"Thus do `Snuff Movies' take their place with `Political-Correctness,' `Sex 
Addiction,' and `Postmodernism' as Godzillas of bogus moral panic, always 
threatening to crush the nation in their jaws, but never quite willing to take 
the final step of biting down.(--www.suck.com)



Re: how to get people to upgrade? (Re: The weak link? DNS)

2003-03-27 Thread Paul Vixie

> Isn't the problem with this that in order to get the code out, people need
> to upgrade and you therefor risk ending up with only notifying the people
> that upgrade anyway?

eventually a hard drive fails or the operating system is replaced, and then
a BIND upgrade happens as a side effect.  statistically this takes between
five and ten years for a server whose operator doesn't read CERT advisories.

so while the opportunity isn't as frequent as i'd like, it does occur, and
i'd like to slip in some logic that makes subsequent upgrades more frequent.
(several nanoggers have pointed out that the trouble is human nature, not
technology, but that doesn't mean we can't make it easier to do the right
thing.)


Re: Both Iraqi state provider Uruklink.net name servers offline

2003-03-27 Thread Brian McWilliams

Someone has apparently hacked the Uruklink.net DNS server, and is trying to
redirect visitors to a third-party 9-11 memorial site. The Uruklink.net
site is still generally available via its IP address: http://62.145.94.111

Details here:

http://www.pc-radio.com/uruklink-0wned.html

Brian

At 02:57 AM 3/27/2003, Sean Donelan wrote:

> Despite very old recommendations, the Iraqi state provider Uruklink.net
> kept all of its name servers on the same subnet.  Although this is
> recognized as a poor design, many domain name server operators worldwide
> do the same thing.
>
> nic1.baghdadlink.net.   2D IN A 62.145.94.1
> nic2.baghdadlink.net.   2D IN A 62.145.94.2
>
> The nic2 (62.145.94.2) has been offline for over a week.  Yesterday the
> remaining name server nic1 (62.145.94.1) was running an old version of
> bind (8.1.2).  It was returning obviously bogus answers to queries.
>
> In the last 24 hours, the name server application on nic1 (62.145.94.1)
> went offline.  The server is online (responds to pings), but neither
> tcp or udp port 53 responds.  The name server application may have
> crashed, been trashed, or shutdown by the system administrator.



Curing the BIND pain

2003-03-27 Thread Michael . Dillon

Let's assume that BIND has a way to know when it is dangerously out of 
date. The mechanism used would be up to ISC and I'll admit that it would 
probably involve some sort of DNS records in an ISC-run domain because 
that's the only way that has a high likelihood of working  given the 
number of firewalls and caching nameservers that may be between a given 
BIND box and ISC. Seems to me that ISC has always maintained that there 
are two version numbers, one 4.x and one 8.x, that are always the oldest 
ones you can run and still be secure against known exploits. So the info 
stored in the ISC DNS server really doesn't need to be more than those two 
version numbers.

OK, now assume that we have a BIND server which has detected that it is 
out of date and at risk of attack. What should it do?

Well, first of all, what would a human being do if it realised that it was 
at risk of attack and they had no means of contacting their friends or the 
police. A child might cry out and an adult might yell for help in case 
someone was near enough to hear. BIND is in a similar situation. It 
doesn't know if there is anyone looking after it but it is hurting, so 
let's make it cry out.

I suggest that an appropriate technique would be for the BIND server to 
originate traffic on its local subnet that would look suspicious and 
possibly trigger intrusion alarms. Send out some packets to the broadcast 
address. Do some portscanning of all addresses on the subnet. Find any 
open port 80 and retrieve a URL containing 
BIND/server/at/10.7.7.1/has/security/vulnerability, find any open port 25 
and send email to postmaster containing the same message, etc.

Not enough traffic to be a DoS but enough to show up in various logs in 
case someone is looking at some of them.

Even then, this is still a string and sealing wax solution. It's 
situations like this that demonstrate just how primitive our supposedly 
high technology really is. 

--Michael Dillon
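
Added example, mine rather than Michael's or ISC's: the comparison step he
describes, with the oldest-safe version of each branch carried as the text of
a TXT record. The record contents and the branch minima are constructed for
illustration and are not ISC's published values; version strings follow
BIND's own format (8.1.2, 8.3.4-REL, 9.2.2-P1).

```python
import re

# Constructed stand-in for the TXT record an ISC-run name might publish:
# "<major>=<oldest version of that branch without known holes>".  The values
# are illustrative only, not ISC's actual advice for any date.
MIN_SECURE_TXT = "4=4.9.11 8=8.3.4 9=9.2.2"

# BIND version strings look like 8.1.2, 8.3.4-REL, 9.2.2-P1 (patch release),
# 9.3.0-T1 (test release).  Everything after the numbers is optional.
_VER = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(REL|P(\d+)|T\d\w*))?", re.I)


def parse_version(s):
    """'9.2.2-P1' -> (9, 2, 2, 1).  Patch releases sort above the base
    release they fix; -REL and no suffix both map to patch level 0.
    Returns None when the string is not a BIND version at all, e.g. an
    operator who set version.bind to a joke string."""
    m = _VER.match(s.strip())
    if not m:
        return None
    major, minor, micro, _suffix, patch = m.groups()
    return (int(major), int(minor), int(micro or 0), int(patch or 0))


def parse_minima(txt):
    """'4=4.9.11 8=8.3.4' -> {4: (4, 9, 11, 0), 8: (8, 3, 4, 0)}."""
    minima = {}
    for item in txt.split():
        branch, _, ver = item.partition("=")
        parsed = parse_version(ver)
        if parsed is not None:
            minima[int(branch)] = parsed
    return minima


def assess(version_bind, minima_txt=MIN_SECURE_TXT):
    """'current', 'outdated', 'unknown-branch' or 'unknown' for a reported
    version.  Only the running server's own idea of its version is
    trustworthy here: version.bind can be hidden or faked, so an outside
    probe returning 'current' proves nothing."""
    running = parse_version(version_bind)
    if running is None:
        return "unknown"
    floor = parse_minima(minima_txt).get(running[0])
    if floor is None:
        return "unknown-branch"
    return "current" if running >= floor else "outdated"


if __name__ == "__main__":
    for v in ("8.1.2", "8.3.4-REL", "9.2.2-P1", "9.2.1", "surely you must be joking"):
        print("%-28s %s" % (v, assess(v)))
```

The branch split is what makes the comparison work: 8.1.2 (the version Sean
saw on nic1) falls below the 8.x floor, while 9.2.2-P1 sits above 9.2.2
because a -P release fixes the base release it is named after, which a plain
string compare would get wrong. A server can ask itself with
dig @127.0.0.1 version.bind chaos txt; asking a remote server only tells you
what its operator chose to publish, which is why the check belongs inside the
server, as Michael proposes, rather than in an outside scanner.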


Re: how to get people to upgrade? (Re: The weak link? DNS)

2003-03-27 Thread Kurt Erik Lindqvist

> so here's a proposal.  we (speaking for ISC here) could add a config option
> (default to OFF) to make bind send some kind of registration packet at boot
> time, containing an e-mail address for a technical contact for that server,
> and perhaps its hostname as well.  the destination would be configurable, and
> the format would be open, and we would include in the distribution a tool
> capable of catching these.  any campus/WAN admin who wanted to run their own
> "BIND registration system" could do so.  anyone who wanted to simply config
> their server to send registration data to ISC could do so.  for data received
> at ISC, we'd (a) keep it completely private other than public statistics,
> (b) clean it of obvious trash (some people will send registration data for
> [EMAIL PROTECTED] just for fun; we know that), and (c) use the contact
> information only in the event that a security defect is discovered in that
> version.  remember, the default would be OFF.

Isn't the problem with this that in order to get the code out, people 
need to upgrade and you therefor risk ending up with only notifying the 
people that upgrade anyway?

- kurtis -



Re: good networking

2003-03-27 Thread Petri Helenius

>
> Despite very old recommendations, the Iraqi state provider Uruklink.net
> kept all of its name servers on the same subnet.  Although this is
> recognized as a poor design, many domain name server operators worldwide
> do the same thing.
>
> nic1.baghdadlink.net.   2D IN A 62.145.94.1
> nic2.baghdadlink.net.   2D IN A 62.145.94.2
>
The way I see this is that there is hardly any incentive to do proper
placement of nameservers. The pain inflicted if something goes wrong is minimal
unless you are a billion dollar company doing millions of online transactions.
And if something goes wrong and you still fly, maybe a very tiny fraction of the
population will appreciate that you did your homework.

The above applies to many other good networking practices than DNS related ones.

It can also be said that maybe the above addresses are carried as /32 inside
the destination AS. They might not be on the same subnet. If the number of
domains having DNSs in the same subnet is large, the number of domains dependent
on a single AS for their DNS service is even greater.

As you all well know, the usual excuse to do a poor job is being too busy to do
it properly and if failures come every year or two, this might just hold water.

Pete
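
Added example (not Petri's or Sean's code): the check both posts imply,
counting how many distinct subnets and origin ASes a zone's name servers fall
into. 62.145.94.1 and 62.145.94.2 are the Uruklink servers from Sean's post;
the routing-table excerpt, the private-use AS numbers and the other addresses
are constructed so the example runs offline. Real input would come from a BGP
table dump or a route server.

```python
import ipaddress

# Constructed routing-table excerpt, prefix -> origin AS.  The 62.145.94.0/24
# block covering the two Uruklink servers is the one discussed in the thread;
# the AS numbers (private-use range) and the other prefixes are made up.  The
# /25 inside 198.51.100.0/24 exercises longest-prefix matching.
ROUTES = {
    "62.145.94.0/24": 64500,
    "62.145.95.0/24": 64500,      # a second subnet, same AS
    "192.0.2.0/24": 64501,
    "198.51.100.0/24": 64502,
    "198.51.100.0/25": 64503,     # more specific, different origin
}

URUKLINK_NS = ["62.145.94.1", "62.145.94.2"]   # nic1/nic2 from Sean's post


def origin_as(ip, routes=ROUTES):
    """Longest-prefix match of ip against routes; None if nothing covers it."""
    addr = ipaddress.ip_address(ip)
    best_net, best_as = None, None
    for prefix, asn in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_as = net, asn
    return best_as


def delegation_report(ns_addrs, routes=ROUTES, subnet_bits=24):
    """How many distinct /subnet_bits prefixes and origin ASes the name
    servers of a zone sit in.  One subnet or one AS means a single outage,
    cut or routing problem takes the whole zone off the air: the failure
    Sean describes, and the AS-level version of it Petri points out."""
    subnets = {ipaddress.ip_network("%s/%d" % (ip, subnet_bits), strict=False)
               for ip in ns_addrs}
    ases = {origin_as(ip, routes) for ip in ns_addrs}
    return {
        "servers": len(set(ns_addrs)),
        "subnets": len(subnets),
        "ases": len(ases),
        "single_subnet": len(subnets) == 1,
        "single_as": len(ases) == 1,
    }


if __name__ == "__main__":
    print("uruklink:            ", delegation_report(URUKLINK_NS))
    print("two subnets, one AS: ", delegation_report(["62.145.94.1", "62.145.95.1"]))
    print("diverse:             ", delegation_report(["62.145.94.1", "192.0.2.53", "198.51.100.53"]))
```

For the Uruklink pair the report shows one subnet and one AS. The second call
is Petri's point: two servers in different /24s that still share an origin AS,
so subnet diversity on its own is not the property that matters. The third
call is what a robust delegation looks like.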