Re: Malicious DNS request?
Hi, thanks for your help.

I noticed that the requests for those non-existent domain names disappeared yesterday. But the NXDOMAIN record in named.stats keeps increasing (see attachment).

I'm using BIND 9.2.5 and BIND 9.3.1 on two Solaris boxes; each box has two CPUs installed. It's been found that BIND 8.4.6 running on one CPU could reach the throughput of BIND 9.*.* running on two CPUs. Could we improve server throughput or lower the effect of those requests on NXDOMAIN?

Joe

__
Do You Yahoo!?
Log on to Messenger with your mobile phone! http://sg.messenger.yahoo.com
Re: Malicious DNS request?
Sorry to attach the rndc stats result. I run rndc stats continuously (the interval is less than 2 seconds); it shows:

success 17950622
referral 225680
nxrrset 1691861
nxdomain 11203490
recursion 3648017
failure 1363923
...
--- Statistics Dump --- (1116319437)
+++ Statistics Dump +++ (1116322885)
success 18889882
referral 229772
nxrrset 1809835
nxdomain 11474755
recursion 3825876
failure 1415044
--- Statistics Dump --- (1116322885)
+++ Statistics Dump +++ (1116322886)
success 18890342
referral 229772
nxrrset 1809868
nxdomain 11474873
recursion 3825976
failure 1415052
--- Statistics Dump --- (1116322886)

Joe
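As an added illustration (not part of Joe's post, and not BIND code), the Python below parses the rndc stats dump format quoted above and turns the cumulative counters into per-interval NXDOMAIN rates and shares, which is the figure a resolver operator would graph or alert on rather than the raw running total. The sample text is constructed from the three counter sets in the post; the counter names and dump delimiters are those BIND 9.2/9.3 writes.

```python
import re
# Counter order in a BIND 9.2/9.3 rndc stats dump; all but "recursion" partition the answers.
COUNTER_NAMES = ("success", "referral", "nxrrset", "nxdomain", "recursion", "failure")
RESPONSE_COUNTERS = ("success", "referral", "nxrrset", "nxdomain", "failure")

def _dump(ts, values):
    """Render one dump in the named.stats layout (used only to build the sample)."""
    body = "\n".join(f"{k} {v}" for k, v in zip(COUNTER_NAMES, values))
    return f"+++ Statistics Dump +++ ({ts})\n{body}\n--- Statistics Dump --- ({ts})\n"

# Constructed sample: the three counter sets quoted in the post above.
SAMPLE = "".join(_dump(ts, v) for ts, v in [
    (1116319437, (17950622, 225680, 1691861, 11203490, 3648017, 1363923)),
    (1116322885, (18889882, 229772, 1809835, 11474755, 3825876, 1415044)),
    (1116322886, (18890342, 229772, 1809868, 11474873, 3825976, 1415052)),
])

START = re.compile(r"^\+\+\+ Statistics Dump \+\+\+ \((\d+)\)$")
END = re.compile(r"^--- Statistics Dump --- \((\d+)\)$")
COUNTER = re.compile(r"^([a-z]+)\s+(\d+)$")

def parse_dumps(text):
    """Return [(timestamp, {counter: value}), ...] for every complete dump."""
    dumps, ts, counters = [], None, None
    for line in text.splitlines():
        line = line.strip()
        if m := START.match(line):
            ts, counters = int(m.group(1)), {}
        elif END.match(line) and counters is not None:
            dumps.append((ts, counters))
            ts, counters = None, None
        elif (m := COUNTER.match(line)) and counters is not None:
            counters[m.group(1)] = int(m.group(2))
    return dumps

def nxdomain_rates(dumps):
    """Per interval: (end_ts, seconds, NXDOMAIN/sec, NXDOMAIN share of answers).
    Counters are cumulative, so only deltas mean anything; a negative delta
    means named restarted in between, and that interval is skipped."""
    rows = []
    for (t0, c0), (t1, c1) in zip(dumps, dumps[1:]):
        seconds = t1 - t0
        delta = {k: c1.get(k, 0) - c0.get(k, 0) for k in RESPONSE_COUNTERS}
        if seconds <= 0 or min(delta.values()) < 0:
            continue
        answers = sum(delta.values())
        share = delta["nxdomain"] / answers if answers else 0.0
        rows.append((t1, seconds, delta["nxdomain"] / seconds, share))
    return rows
```

`nxdomain_rates(parse_dumps(SAMPLE))` gives about 79 NXDOMAIN/s over the 3448 s interval and 118/s over the 1 s one, roughly a fifth of all answers either way; a steady share like that looks like background noise, while a sudden jump in the share is the signal worth alarming on.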
Re: Malicious DNS request?
[EMAIL PROTECTED] (Joe Shen) writes:

> I'm using BIND 9.2.5 and BIND 9.3.1 on two Solaris boxes; each box has two CPUs installed. It's been found that BIND 8.4.6 running on one CPU could reach the throughput of BIND 9.*.* running on two CPUs. Could we improve server throughput or lower the effect of those requests on NXDOMAIN?

yes. but we isn't nanog. can you take your bind-specific questions to a bind-related mailing list or newsgroup? www.isc.org has pointers.

-- 
Paul Vixie
Network Mitigation Devices
Has anyone had any experience using network mitigation devices like the Cisco Guard XT 5650? I am looking to install one in our network and would like to know if anyone has used the Cisco device.

Thanks
Microsoft broke MTU discovery by last security patches??
Do you have any information about the last Microsoft problems with security patches? We can see how one of the last updates broke MTU discovery (not totally, but it restricts the number of discovered paths, so servers stop working in a few days). And, amazingly, no one published this problem.
Re: Microsoft broke MTU discovery by last security patches??
There is discussion on ntbugtraq:
http://www.ntbugtraq.com/default.aspx?pid=36sid=1A2=ind0505L=ntbugtraqT=0O=DF=NP=192

---Mike

At 04:43 PM 17/05/2005, Alexei Roudnev wrote:
> Do you have any information about the last Microsoft problems with security patches? We can see how one of the last updates broke MTU discovery (not totally, but it restricts the number of discovered paths, so servers stop working in a few days). And, amazingly, no one published this problem.
FCC set to require 911 for VoIP as early as Thursday...
Things just seem to coalesce sometimes.

http://www.reuters.com/newsArticle.jhtml?type=topNewsstoryID=8521222

- ferg

--
Fergie, a.k.a. Paul Ferguson
Engineering Architecture for the Internet
[EMAIL PROTECTED] or [EMAIL PROTECTED]
ferg's tech blog: http://fergdawg.blogspot.com
Re: Malicious DNS request?
Paul,

I'm sorry if this is JUST about BIND or some other specific software. But, IMHO, this is just a sample of requests which only generate NXDOMAIN responses. According to someone's presentation at NANOG ("DNS anomalies and their impact on DNS Cache Server"), such requests may be a type of attack. If we only rely on caching to remove paient of CPU time, cache server load will be increased. So, what I'm trying to ask is: is there some mechanism proposed to deal with such a problem? BIND is just a sample.

joe

--- Paul Vixie [EMAIL PROTECTED] wrote:
> [EMAIL PROTECTED] (Joe Shen) writes:
>
> > I'm using BIND 9.2.5 and BIND 9.3.1 on two Solaris boxes; each box has two CPUs installed. It's been found that BIND 8.4.6 running on one CPU could reach the throughput of BIND 9.*.* running on two CPUs. Could we improve server throughput or lower the effect of those requests on NXDOMAIN?
>
> yes. but we isn't nanog. can you take your bind-specific questions to a bind-related mailing list or newsgroup? www.isc.org has pointers.
>
> -- 
> Paul Vixie
Re: Underscores in host names
In article [EMAIL PROTECTED] you write:

> Hello all. We have a client containing an underscore in the email address domain name. Our email server rejects it because of its violation of the RFC standard. This individual's claim is that he doesn't have problems anywhere else, and if this is going to be a problem he's going to take his business elsewhere! I understand it's a violation of the standard, but does it pose a security hole to the email server to allow this sort of mail? Thanks

RFC 952 and RFC 1123 describe what is currently legal in hostnames. Underscore is NOT a legal character in a hostname.

Before anyone says that domain names allow underscore, which they do:

RFC 1034 Section 3.3

    For hosts, the mapping depends on the existing syntax for host names which is a subset of the usual text representation for domain names, together with RR formats for describing host addresses, etc. Because we need a reliable inverse mapping from address to host name, a special mapping for addresses into the IN-ADDR.ARPA domain is also defined.

Mail domains follow the same rules as for hostnames. RFC 821 and its replacement RFC 2821 haven't extended the syntax to include underscores.

Mark
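An added example, not from Mark's post or from any MTA, that makes the distinction he draws concrete in Python: a strict RFC 952/1123 hostname check next to the looser length-only check the DNS itself applies to domain names (RFC 1034, spelled out in RFC 2181 section 11), and a mail-domain classifier that applies the hostname rule the way RFC 2821 does. The addresses at the bottom are constructed samples.

```python
import re

# RFC 952 as relaxed by RFC 1123: a host label is letters, digits and hyphen,
# does not start or end with a hyphen, and is 1..63 characters long. The whole
# name, in text form, fits in 253 characters.
LDH_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

def is_valid_hostname(name):
    """True when every label of name satisfies the RFC 952/1123 LDH rule."""
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    return all(LDH_LABEL.match(label) for label in name.split("."))

def is_valid_domain_name(name):
    """Domain names in general (RFC 1034; RFC 2181 section 11) only limit
    label and name length, so _sip._tcp.example.com is a fine owner name in
    the DNS even though it can never be a hostname."""
    name = name.rstrip(".")
    labels = name.split(".") if name else []
    return bool(labels) and len(name) <= 253 and all(0 < len(lab) <= 63 for lab in labels)

def check_mail_domain(address):
    """Classify the domain part of an address as an MTA applying RFC 2821,
    which reuses the hostname syntax, would. Returns (domain, verdict)."""
    local, sep, domain = address.rpartition("@")
    if not sep:
        return ("", "no domain part")
    if is_valid_hostname(domain):
        return (domain, "ok")
    if is_valid_domain_name(domain):
        return (domain, "syntactically valid DNS name, but not a legal hostname (RFC 952/1123)")
    return (domain, "not a valid DNS name at all")

if __name__ == "__main__":
    # Constructed samples, including the underscore case from the thread.
    for addr in ("user@example.com", "user@some_host.example.com", "user@-bad.example.com"):
        print(addr, "->", check_mail_domain(addr)[1])
```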
Re: Underscores in host names
In article [EMAIL PROTECTED] you write:

> Hello all. We have a client containing an underscore in the email address domain name. Our email server rejects it because of its violation of the RFC standard. This individual's claim is that he doesn't have problems anywhere else, and if this is going to be a problem he's going to take his business elsewhere! I understand it's a violation of the standard, but does it pose a security hole to the email server to allow this sort of mail?

No *security* hole as such, other than you need to make sure that if you're going to accept such cruft, you make *damned* sure that you never leak it back out and have some *other* standard-conformant site get on *your* case about it.

Oh, and make sure that none of *your* automated tools that summarize maillogs and the like choke on it. And that your e-mail admin is using software that doesn't choke on it (otherwise if they send you e-mail, you can't reply.. ;)

You may want to balance the costs of making sure that *all* your stuff is underscore-ready (don't forget ongoing maintenance costs, as you'll probably have to re-patch each new release of any tools) against what this customer is willing to pay you.
Re: Malicious DNS request?
At 8:45 AM +0800 2005-05-18, Joe Shen wrote:

> I'm sorry if this is JUST about BIND or some other specific software. But, IMHO, this is just a sample of requests which only generate NXDOMAIN responses.

Do a DNS query for slartibartfastisacharacterinamoviewrittenbydouglasadamsthathasnotgottenverygoodreviewslatelyandisbasedontheoriginalBBCradioshowandtheresultingBBCtvminiseries.com, and you'll probably get an NXDOMAIN. Indeed, query for any other non-existent domain, and you'll get an NXDOMAIN response. That's what it means.

> According to someone's presentation at NANOG ("DNS anomalies and their impact on DNS Cache Server"), such requests may be a type of attack.

NXDOMAIN == Attack? Please show me how you arrive at that logic.

> If we only rely on caching to remove paient of CPU time, cache server load will be increased. So, what I'm trying to ask is: is there some mechanism proposed to deal with such a problem? BIND is just a sample.

Well, only caching servers have to worry about getting an NXDOMAIN response back. Authoritative-only servers may have to worry about sending them out, but that's pretty cheap. Indeed, it's pretty cheap for the caching servers to handle getting them.

Yes, bad clients can abuse either caching servers or authoritative-only servers by doing things that result in a lot of NXDOMAIN responses, but that falls in the category of the programmers doing whatever is possible to protect themselves and their code against whatever kind of abuse gets hurled at them by poorly-behaved clients. As far as that goes, that's a generic problem, and in the case of nameservers there are appropriate places to discuss this sort of thing -- such as the namedroppers mailing list. Now, if you want to drag BIND into this picture as a specific example, there are appropriate places to discuss that, too -- such as the bind-users mailing list, or maybe one of the developer-oriented BIND mailing lists.

But none of these places are NANOG, and this discussion doesn't belong here -- either in the general case of nameservers, or in the specific case of BIND.

-- 
Brad Knowles, [EMAIL PROTECTED]

"Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety."
    -- Benjamin Franklin (1706-1790), reply of the Pennsylvania Assembly to the Governor, November 11, 1755

SAGE member since 1995. See http://www.sage.org/ for more info.
Re: Underscores in host names
One should note that COM and other TLDs stopped giving out domains outside of LDH to prevent these sorts of interoperability issues. COM actually retrieved the ones they had delegated.
Re: Underscores in host names
On Wed, May 18, 2005 at 11:08:03AM +1000, Mark Andrews wrote:
> In article [EMAIL PROTECTED] you write:
> > Hello all. We have a client containing an underscore in the email address domain name. Our email server rejects it because of its violation of the RFC standard. This individual's claim is that he doesn't have problems anywhere else, and if this is going to be a problem he's going to take his business elsewhere! I understand it's a violation of the standard, but does it pose a security hole to the email server to allow this sort of mail?
>
> RFC 952 and RFC 1123 describe what is currently legal in hostnames. Underscore is NOT a legal character in a hostname.
>
> Before anyone says that domain names allow underscore, which they do:
>
> RFC 1034 Section 3.3
>
>     For hosts, the mapping depends on the existing syntax for host names which is a subset of the usual text representation for domain names, together with RR formats for describing host addresses, etc. Because we need a reliable inverse mapping from address to host name, a special mapping for addresses into the IN-ADDR.ARPA domain is also defined.
>
> Mail domains follow the same rules as for hostnames. RFC 821 and its replacement RFC 2821 haven't extended the syntax to include underscores.

Those with long memories will remember when Apple got strict on this years ago, and lots of websites became unreachable to their users...

Cheers,
-- jra
-- 
Jay R. Ashworth                                          [EMAIL PROTECTED]
Designer                    Baylink                               RFC 2100
Ashworth & Associates       The Things I Think                      '87 e24
St Petersburg FL USA        http://baylink.pitas.com        +1 727 647 1274

If you can read this... thank a system administrator. Or two. --me
Re: Underscores in host names
On Wed, May 18, 2005 at 11:08:03AM +1000, Mark Andrews wrote:
> RFC 952 and RFC 1123 describe what is currently legal in hostnames. Underscore is NOT a legal character in a hostname.

So, these are *all* non-compliant? Perhaps someone should tell them that. Certainly would have been nice not to get spammed by them, or to have an even easier reason to reject same.
-- 
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com
join us! http://hesketh.com/about/careers/account_manager.html