Re: GoDaddy.com shuts down entire data center?

2006-01-17 Thread Richard A Steenbergen

On Tue, Jan 17, 2006 at 02:09:21AM -0500, Patrick W. Gilmore wrote:
 
 On Jan 17, 2006, at 1:32 AM, Jim Popovitch wrote:
 
 I want to say, from an outsider's perspective, that I wholeheartedly
 applaud GoDaddy on the actions they took [...]
 
 There seems to be a wide split on this topic.  I was wondering if  
 people would privately tell me yes or no on a few questions so I can  
 understand the issue better.
 
 1) Do you think it is acceptable to cause any collateral damage to  
 innocent bystanders if it will stop network abuse?
 
 2) If yes, do you still think it is acceptable to take down 100s of  
 innocent bystanders because one customer of a provider is misbehaving?
 
 3) If yes, do you still think it is acceptable if the misbehaving  
 customer is not intentionally misbehaving - i.e. they've been hacked?
 
 3) If yes, do you still think it is acceptable if the collateral  
 damage (taking out 100s of innocent businesses) doesn't actually stop  
 the spam run / DoS attack / etc.?

I don't think anyone (well ok, anyone sane, I know we have a few nutjobs 
on this list :P) thinks that arbitrarily blocking service to hundreds or 
thousands of users because someone is unknowingly hacked is an appropriate 
way to address network abuse. I really have no idea how aggressive GoDaddy 
is with enforcing their AUP, as I don't personally use their services, but 
based on what I know about the affected customer and what I can read from 
the affected whiner's website I'm certainly not going to jump to the 
conclusion that GoDaddy is running around like a hopped up abuse desk 
worker on a power trip, shutting off service to random innocent people 
because they feel like it.

The question at hand is, at what point does a registrar providing services 
have an ethical or moral obligation to step in and do something when they 
do encounter an excessive level of abuse by someone using their services? 
At what point does ARIN revoke the allocation of a blatant and persistent 
spammer who is violating the law without being stopped? I think the answer 
is that clearly this isn't something they want to be doing on a regular 
basis, any more than an ISP wants to be responsible for filtering every 
packet that goes through their routers looking for warez and kiddie porn, 
yet I have seen them do it in certain rare and severe cases of unrelenting 
abuse. 

Maybe it is a judgement call, maybe it isn't. Bottom line, dealing with 
abuse is an ass job, and I certainly wouldn't want it. Some days you're 
doing a good thing because you shut down a spammer, some days you're doing 
a bad thing because you shut down innocent services along with it (and 
some days you're just fending off stop hax0ring me on port 80 or I'll sue 
you and call the CIA e-mails).

I highly suspect that GoDaddy doesn't involve itself in these kinds of 
issues lightly, which means that in all likelihood the level of abuse was 
severe, with no communication from the person they suspended service to. I 
for one have never heard of anyone I know having their GoDaddy service 
suspended for this kind of thing. Unless someone has some actual facts 
that GoDaddy is engaging in this kind of activity, I'm inclined to give 
them the benefit of the doubt. This means, at least for now, lumping them 
in the "respecting them for taking a stand regarding the abuse of their 
service" category, rather than the "wackjob conspiracy theorist 
power-crazed zealot" category we all know and love. :)

-- 
Richard A Steenbergen [EMAIL PROTECTED]   http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)


DNS Server domains was Re: GoDaddy.com shuts down entire data center?

2006-01-17 Thread Simon Waters

On Tuesday 17 Jan 2006 01:04, you wrote:

 Not having all your DNS servers in the same domain, or registered through
 the same registrar, isn't a best practice that has previously occurred
 to me, but it makes a lot of sense now that I think about it.

I think the general consensus in the DNS field is that for security reasons it 
is preferable to have as small a set of DNS servers (or perhaps as small a 
set of differently configured servers! Hmm, physical security) in the 
hierarchy above you as possible, since compromise of any of these could 
affect the results obtained for your domain.

See also DJB's Trusted Servers note.
http://cr.yp.to/djbdns/notes.html

Here there is a clear conflict between security through redundancy against 
accident, and resistance to compromise, although it can be mitigated by 
choosing well managed parent zones.

Incidentally we have DNS servers in two domains, but that is historical, and 
both top level domains are managed by Verisign, and delivered via the same 
set of servers. Thus we are dependent on root-servers.net, 
gtld-servers.net and our own servers, only in the resolution of our own 
domain names (and customer domains, where those domains are in .com/.net). 

Of course arguably the effective working of some services (email?) is now 
also dependent on reverse DNS working well, and the delegation of that is 
different again.

That said I think the idea is sound against some issues (at which point one 
should probably also use different providers for the DNS registration 
services, since if their procedures are flawed). However it does increase 
the risk of certain types of malicious activity, as in general it is 
sufficient to compromise one DNS server involved in serving a name to 
compromise the majority of the traffic (at least in theory, I haven't had a 
chance to prove this in anger yet).

Since we are moving a couple of our nameservers from their current domain, I 
think I'll look at putting them under co.uk, as the UK seems to have tidied 
up its DNS management quite nicely in recent years.

Also during recent events it has struck me that the hierarchy of servers 
involved in providing DNS services is quite small, and has quite different 
characteristics to the other records in the DNS. I'm beginning to wonder if 
having the scaffolding in the protocol itself is the right way, but that is a 
debate that has raged before, and is off topic here.
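The transitive trust idea in Simon's post, as an added example (this is not code from the thread or from any project it mentions): walk the delegation chain for a name and collect every zone and server whose compromise could alter the answers for it, including the zones needed to resolve the nameservers' own hostnames. The delegation map and the example domains are constructed for the illustration; nothing here performs a live lookup.

```python
"""Added example (not from the thread): enumerate the transitive trust set of a
DNS name. A resolver asking for NAME must trust every server it may consult on
the way down the delegation chain, plus every server needed to turn those
servers' own hostnames into addresses. Placing NS records under more parent
zones enlarges that set. The delegation map below is constructed for the
example; nothing here does a live lookup."""
from typing import Dict, List, Optional, Set, Tuple

# Constructed delegation map: zone -> hostnames of its authoritative servers.
# .com and .net share one server set, as the post notes for gtld-servers.net.
DELEGATIONS: Dict[str, List[str]] = {
    ".": ["a.root-servers.net"],
    "net.": ["a.gtld-servers.net"],
    "com.": ["a.gtld-servers.net"],
    "uk.": ["ns1.nic.uk"],
    "co.uk.": ["ns1.nic.uk"],
    "root-servers.net.": ["a.root-servers.net"],
    "gtld-servers.net.": ["a.gtld-servers.net"],
    "nic.uk.": ["ns1.nic.uk"],
    "example.com.": ["ns1.example.com"],
    # NS records spread over two domains (the setup the post describes).
    "example.net.": ["ns1.example.net", "ns1.example.com"],
    # NS records spread over two TLDs.
    "example.co.uk.": ["ns1.example.co.uk", "ns1.example.net"],
}


def zone_chain(name: str) -> List[str]:
    """Zones a resolver walks from the root down to NAME's closest enclosing zone."""
    labels = name.rstrip(".").split(".")
    chain = ["."]
    for i in range(len(labels) - 1, -1, -1):
        candidate = ".".join(labels[i:]) + "."
        if candidate in DELEGATIONS:
            chain.append(candidate)
    return chain


def trust_set(name: str, _seen: Optional[Set[str]] = None) -> Tuple[Set[str], Set[str]]:
    """Return (zones, servers) whose compromise could alter answers for NAME.

    Each zone on the chain contributes its servers; each server's hostname is
    itself a DNS name, so its chain is added too (recursively). _seen stops the
    recursion where a server sits inside the zone it serves (the glue case).
    """
    seen = set() if _seen is None else _seen
    zones: Set[str] = set()
    servers: Set[str] = set()
    for zone in zone_chain(name):
        if zone in seen:
            continue
        seen.add(zone)
        zones.add(zone)
        for ns in DELEGATIONS[zone]:
            servers.add(ns)
            more_zones, more_servers = trust_set(ns, seen)
            zones |= more_zones
            servers |= more_servers
    return zones, servers


def exposure(name: str) -> Dict[str, int]:
    """Size of the trust set: how many zones and servers must all stay honest."""
    zones, servers = trust_set(name)
    return {"zones": len(zones), "servers": len(servers)}


if __name__ == "__main__":
    for n in ("www.example.com", "www.example.net", "www.example.co.uk"):
        z, s = trust_set(n)
        print(f"{n}: {len(z)} zones, {len(s)} servers")
        print("   servers:", ", ".join(sorted(s)))
```

With this map, www.example.com depends on 6 zones and 3 servers, www.example.net (NS in two domains) on 7 and 4, and www.example.co.uk (NS under two TLDs) on 11 and 6: exactly the redundancy-versus-exposure trade-off the post describes.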


Re: GoDaddy.com shuts down entire data center?

2006-01-17 Thread Michael Loftis

--On January 16, 2006 10:32:58 PM -0800 Jim Popovitch [EMAIL PROTECTED] 
wrote:

I want to say, from an outsider's perspective, that I wholeheartedly
applaud GoDaddy on the actions they took and the consistent
professionalism exhibited by their tech support representative.  Despite
obvious (and heavily edited) calls to the same agent, the consumer was
informed in a professional manner of his/her avenue for resolution.  No
doubt remains in my mind that the caller was not caught blind by this
situation.  Go Daddy has a privacy policy that no doubt prohibits them
from releasing details of their side of this case, however to me the
recording suggests that the caller knew this was the end result, not a
sudden surprise move, and they just wanted to circumvent standard
procedure.  The caller's prior thought to record, what appears as a
standard call to tech-support, is insightful and should be an obvious
sign of his motivation.



There's a clear case of "he said, they said" going on with this case. 
Nectartech is making claims that they fixed the issue.  Also note that the 
caller is not a Nectartech employee at all.  He's a customer who's also 
friends with the owner.  At least that's what he says in the WHT thread.  In any 
event I don't think Nectartech handled this very well, and more likely than 
not still had a problem and were given ample time to properly correct it.


Re: GoDaddy.com shuts down entire data center?

2006-01-17 Thread Jay Hennigan


Patrick W. Gilmore wrote:



On Jan 17, 2006, at 1:32 AM, Jim Popovitch wrote:

I want to say, from an outsider's perspective, that I wholeheartedly 
applaud GoDaddy on the actions they took [...]



There seems to be a wide split on this topic.  I was wondering if  
people would privately tell me yes or no on a few questions so I can  
understand the issue better.


1) Do you think it is acceptable to cause any collateral damage to  
innocent bystanders if it will stop network abuse?


In some cases.  Our policy is to minimize such.  Example:  Customer has 
a NATted network with multiple machines sharing one global address.  One 
of the machines at customer's premise is causing abuse (virus, etc.) 
Null-routing one specific IP address will cause collateral damage to the 
non-infected machines at that customer, but I think most of us here would 
agree that such is justified.  Obviously, if the impact of the abuse is 
minimal, having the customer fix the problem before shutting anything 
down is preferred.  Another example would be a customer's webserver 
which has many name-based virtual hosts, one of which is abusive, and 
you are providing IP connectivity.  By null-routing one IP you are 
causing collateral damage to the non-abusive virtual host customers of 
your customer, but I think most would think that justified.


2) If yes, do you still think it is acceptable to take down 100s of  
innocent bystanders because one customer of a provider is misbehaving?


I assume here that you mean "customer of a customer".  Again, it 
depends.  If the customer has continual problems controlling abuse from 
his customers, or you suspect that your customer is playing 
whack-a-mole, or the abuse is ongoing and/or serious and you can't 
identify which of customer's customers is the cause (spoofed source 
addresses, etc.) in some cases yes.


3) If yes, do you still think it is acceptable if the misbehaving  
customer is not intentionally misbehaving - i.e. they've been hacked?


Again, it depends on the seriousness of the abuse and its effect on the 
network, as well as the frequency thereof and the seriousness of the 
customer in rectifying the problem.  Also whether you can reasonably 
isolate the abuse and disconnect only the customer's abusive customer.


3) If yes, do you still think it is acceptable if the collateral  damage 
(taking out 100s of innocent businesses) doesn't actually stop  the spam 
run / DoS attack / etc.?


If it doesn't stop it but stops your network from being a part of it, 
yes.  If it has no effect on it at all, then you're probably pulling the 
wrong plug.


These are important questions to me, and I'm surprised at the number  of 
people who seem to feel so very differently than I thought they  would 
feel - than I personally feel.  Would people mind sending me  private 
e-mails with yes/no answers?  Longer answers are welcome, but  yes/no 
will do.


This is IMHO operational, so posting publicly.  I don't think this is as 
black-and-white as to warrant simple yes-no answers.  There are policies 
involved as well as your agreements with your peers/upstreams.  If the 
issue is serious enough that you risk losing your own connectivity 
because you can't stem the abuse from a customer's customer, then you 
may need to do so, or the end result will be that you become part of 
greater collateral damage.


Using the case under discussion as an example, I am wondering why  
anyone thinks taking down 100s of innocent domains is a good way to  
stop a single hacked machine from doing whatever it is doing?  If you  
somehow think all that is worth it, take a close look at your cost /  
benefit analysis.  At this rate, every business on the Internet will  be 
out of business before we take out even a single moderately large  botnet.


The present example seems to be a combination of poor communication, bad 
attitude and sloppy network design from what I've seen here.  It's 
unclear to me exactly what GoDaddy shut down, and the only data points 
we have to go on are admittedly edited conversations that took place 
after the plug was pulled.  What went on beforehand?  Did Nectar indeed 
make a good faith effort to correct the original problem?  Was their 
attitude the same as shown on the phone calls?  How long had the problem 
existed, had it happened before, and did Nectar keep an open dialogue as 
to the steps they were taking to fix it?  Did GoDaddy have less 
intrusive options to shut down just the abuser?


I am also wondering why anyone thinks the miscreant will stop just  
because the legitimate owner's domain no longer resolves?  Not only  is 
the machine likely to continue sending spam as if nothing  happened, we 
aren't even catching the guy.  I guess you could say  well, it put 
pressure on his hosting provider to clean the infected  machine, which 
is true.  I just think that's a bit silly.  But maybe  I'm the one who's 
silly.


I think this was a case of a fake phishing website rather than 

Re: GoDaddy.com shuts down entire data center?

2006-01-17 Thread Chris Brenton

On Tue, 2006-01-17 at 03:19 -0500, Richard A Steenbergen wrote:

 The question at hand is, at what point does a registrar providing services 
 have an ethical or moral obligation to step in and do something when they 
 do encounter an excessive level of abuse by someone using their services? 

I think the issue here is not so much what happened, but how it
happened. The phishing problem was originally reported to godaddy and
then passed on to nectar on 1/9 (a Monday). It also appears the nectar
folks resolved the problem on the same day. After that point godaddy
continued to receive complaints about the same problem and rather than
checking to see if the problem still existed, they just assumed it did.
Nectar appears to have even responded to godaddy stating that the
problem had already been resolved long before service was cut. 

IMHO the big issue is that service was cut on a Friday night just as the
only folks empowered to resolve the situation have left for the weekend.
I can see cutting service during a weekday morning to get the client's
attention on the matter. Doing it at a time when you know you'll be
causing a long term outage is just plain nasty.

HTH,
Chris




Re: GoDaddy.com shuts down entire data center?

2006-01-17 Thread goemon


On Tue, 17 Jan 2006, Chris Brenton wrote:

IMHO the big issue is that service was cut on a Friday night just as the
only folks empowered to resolve the situation have left for the weekend.


Actually the big issue is that godaddy's 24/7 seems anything but

-Dan


Re: GoDaddy.com shuts down entire data center?

2006-01-17 Thread Robert E . Seastrom


Matt Ghali [EMAIL PROTECTED] writes:

 Hear Hear.
 After reading the GoDaddy domain registration legal agreement,
 available at:
 https://www.godaddy.com/gdshop/legal_agreements/show_doc.asp?se=%2Bci=1839pageid=REG%5FSA
 especially section 7, Restriction of Services, Right of Refusal, I
 have to give them a big thumbs up.

 It is good to see that wielding a Big Stick, and actively working for
 the Good Guys has not hindered GoDaddy from achieving quite a bit of
 success in the market.

The first and second paragraphs are sane.  The last paragraph gives Go
Daddy the right to capriciously and arbitrarily delete your domain for
any reason they wish (Morally objectionable activities will include,
but not be limited to...)

   Put an ethnic joke on your blog?  Lose your registration.

   Put up an "I'm a dissatisfied Go Daddy customer" page?  Lose your 
   registration.

   Run a non-2257-compliant adult site (that doesn't show minors, just
   doesn't have the paperwork) outside of the US?  Lose your registration.

   Mirror tubgirl and goatse-man?  Lose your registration.

   Host a site that Go Daddy can plausibly consider morally
   objectionable (gambling?  whiskey reviews?)...  Lose your registration.

Now that Go Daddy has ensured that I'll never do business with them
(which is a shame; I liked certain lawsuits that they brought in the
past, but if being their customer means subscribing to their thought
police, count me out), I think it's time to carefully go over the
registration agreements with the registrars I use...  never know when
someone will slip in something truly odious, and the argument that
none of them would be so crazy as to try it appears to be incorrect.

---Rob




Re: DNS Server domains was Re: GoDaddy.com shuts down entire data center?

2006-01-17 Thread Steven M. Bellovin

In message [EMAIL PROTECTED], Simon Waters writes:



I think the general consensus in the DNS field is that for security reasons it
is preferable to have as small a set of DNS servers (or perhaps as small a 
set of differently configured servers! Hmm, physical security) in the 
hierarchy above you as possible, since compromise of any of these could 
affect the results obtained for your domain.


See http://www.usenix.org/events/imc05/tech/ramasubramanian.html


--Steven M. Bellovin, http://www.cs.columbia.edu/~smb




Re: DOS attack against DNS?

2006-01-17 Thread Joe Shen

Last Saturday one of our Web servers experienced a TCP
SYN attack which took the system down for four hours.
It seems there is not a good solution which could
detect and defend against DoS traffic at any time.  

So, for class ANY queries, should we only filter
out class ANY queries on public cache servers?  To my
understanding, the amplifying result could also be
reached by query type ANY.

Joe 


--- Alon Tirosh [EMAIL PROTECTED] wrote:

 Admitted, i did not notice the type/class
 difference. I responded as a knee
 jerk reaction, and that is my mistake.
 
 For the second part, the any query type is useful
 (when targeted at either
 your NS and/or public NS servers) to quickly alert
 to issues such as the one
 being discussed with GoDaddy and Nectartech right
 now on this list.
 
 Pick and/or set up an NS server that is TTL agnostic
 (flameArmor: this
 system is to be used for disparate up-to-date checks
 only, and I know by
 spec this is far from foolproof but its saved my ass
 a couple times in the
 past) and checks disparate roots and its useful for
 finding or alerting to
 major name system, registrar ,and provider issues
 quickly.
 
 I'm diverging off-topic, I'm sure. G'night.
 
 On 1/17/06, william(at)elan.net [EMAIL PROTECTED]
 wrote:
 
 
  Did you notice that it was class ANY and not
 type ANY that Paul noted?
  I've never ever heard of it being used
 anywhere
 
  As for ANY query type, what do you think will
 happen when you query with
  ANY to a host in a domain that is not in your
 local dns server cache?
  And btw if it is in your dns cache, how
 predictable do you think such
  results are going to be???
 
  On Tue, 17 Jan 2006, Alon Tirosh wrote:
 
   Not true, the ANY query has multiple uses for
 consolidating multiple
   diagnostic queries into a single display, and
 also for diversion
  monitoring
   systems on small domains or groups of same. Not
 all of us have the
  resources
   (or time) of large ISPs behind us.
  
   On 15 Jan 2006 17:27:40 +, Paul Vixie
 [EMAIL PROTECTED] wrote:
  
   client xx.xx.xx.xx#6704: query: z.tn.co.za ANY
 ANY +E
  
   class ANY has no purpose in the real world,
 not even for
  debugging.  if
   you see it in a query, you can assume malicious
 intent.  if you hear it
  in
   a query, you can safely ignore that query, or
 at best, map it to class
   IN.
   --
   Paul Vixie
 
 








Re: GoDaddy.com shuts down entire data center?

2006-01-17 Thread Micheal Patterson





- Original Message - 
From: Patrick W. Gilmore [EMAIL PROTECTED]

To: [EMAIL PROTECTED]
Cc: Patrick W. Gilmore [EMAIL PROTECTED]
Sent: Tuesday, January 17, 2006 1:09 AM
Subject: Re: GoDaddy.com shuts down entire data center?




On Jan 17, 2006, at 1:32 AM, Jim Popovitch wrote:

I want to say, from an outsider's perspective, that I wholeheartedly 
applaud GoDaddy on the actions they took [...]


There seems to be a wide split on this topic.  I was wondering if  people 
would privately tell me yes or no on a few questions so I can  understand 
the issue better.


1) Do you think it is acceptable to cause any collateral damage to 
innocent bystanders if it will stop network abuse?


If the damage of the persistent abuse is greater than the loss of the 
innocent persons, yes.


2) If yes, do you still think it is acceptable to take down 100s of 
innocent bystanders because one customer of a provider is misbehaving?


Yes I do and more than likely, so do you. If you are a common end point for 
all of my users and I'm the common end point for yours, either of us has the 
right to deny access to the other at any point for no reason really. Now, 
should your network start flooding me or vice versa, one of us, if not both, 
will toss up some filters. If either of our networks is larger than the 
other and causing a DoS for the other end, the affected one of us would have 
no recourse but to contact the upstream of the source point and request 
assistance.


3) If yes, do you still think it is acceptable if the misbehaving 
customer is not intentionally misbehaving - i.e. they've been hacked?


Intentional or not, it doesn't negate the fact that the system has been 
hacked and is now owned by someone other than the actual owner. If one of my 
systems were to be hacked and I miss it, and it starts causing problems for 
your network, I expect my network to be filtered.  If your filters aren't 
effective enough to deal with the issue, and I'm not helping you to correct 
the problem, I expect you to go to my carrier to file a complaint.


3) If yes, do you still think it is acceptable if the collateral  damage 
(taking out 100s of innocent businesses) doesn't actually stop  the spam 
run / DoS attack / etc.?


There is no simple yes / no for this one. It would depend on the 
circumstances of the issue.


snip


Using the case under discussion as an example, I am wondering why  anyone 
thinks taking down 100s of innocent domains is a good way to  stop a 
single hacked machine from doing whatever it is doing?  If you  somehow 
think all that is worth it, take a close look at your cost /  benefit 
analysis.  At this rate, every business on the Internet will  be out of 
business before we take out even a single moderately large  botnet.


You can wonder why, however I, IMHO, think that if more carriers would take 
that stance, then the problems that we face daily would be much less severe. 
Currently, there's not much to keep the big players in check when it comes 
to their network. Now, imagine what could happen if they were forced to 
play by the same rules that we have to go by? If our network is causing 
problems, our uplink(s) have the authority to disconnect them for that 
generally. Can you see Sprint, SBC/ATT, L3, Cogent, AOL, Cox, etc having 
those same rules applicable to them or be depeered from all peers and become 
network dead? Now, is it feasible to do such a thing? Not usually because it 
causes financial issues on both sides of the depeering. That's because the 
internet that we have is used as a means of financial gain and isn't geared 
for being easily segregated in the event of compromise. Yet, that's the 
current mechanism for a compromised end user. The same means should be used 
all the way to the NAP imo.


I am also wondering why anyone thinks the miscreant will stop just 
because the legitimate owner's domain no longer resolves?  Not only  is 
the machine likely to continue sending spam as if nothing  happened, we 
aren't even catching the guy.  I guess you could say  well, it put 
pressure on his hosting provider to clean the infected  machine, which is 
true.  I just think that's a bit silly.  But maybe  I'm the one who's 
silly.


Why should you or I be the ones responsible for catching the miscreant when 
the compromised system isn't on our network? If it were, then that task 
would fall to us to do so. If the threat of a delinking were over our heads, 
we'd have some major incentive to find the idiot and make sure he's not on 
our net anymore, wouldn't we?


Lastly, I wonder what average people - people who run businesses on 
hosting providers who really don't understand all this computer stuff  - 
think about such actions.  How many 100s of people have we just  alienated 
for life to stop - er, NOT stop - a single zombie?  And how  many of their 
friends are going to hear over and over how the Internet  is not a real 
business and no one should put any faith in it?


Average 

Re: AW: Odd policy question.

2006-01-17 Thread David W. Hankins
On Sat, Jan 14, 2006 at 05:31:12PM -0500, Jeffrey I. Schiller wrote:
 If registrars regularly checked for lame delegations (or checked on
 demand). Then a way to attack a domain would be to forge DNS responses
 to cause the registrar to remove the domain because it is lame. So
 DNSSEC would be needed to be sure...

Something more than merely DNS-SEC.

DNS-SEC is about proving zone contents (object security).  To prove
lame delegation you'd need a means to identify the nameserver (channel
security) that's supplying the response.

The difference between "this zone contains (or doesn't) an RR" versus
"this DNS packet is from the server named George".

You could prove inconsistent delegation - that the parent and child
differ.  But this is not necessarily lame.

-- 
David W. HankinsIf you don't do it right the first time,
Software Engineer   you'll just have to do it again.
Internet Systems Consortium, Inc.   -- Jack T. Hankins


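The object-security versus channel-security point in David's post, as an added example (not code from the thread or from ISC): two separate checks, one comparing the parent's and the child's NS RRsets, which is a statement about zone contents and can be verified from signed data, and one scoring each delegated server's reply for lameness, which only means something if you know which server actually sent the reply. The RRsets, server names and observed responses are constructed for the illustration.

```python
"""Added example (not from the thread): separate the two checks David Hankins
distinguishes. Parent/child NS disagreement is a property of zone contents
(what DNSSEC can sign); lameness is a property of a particular server's
answer, which requires knowing which server actually replied. The RRsets and
the observed responses below are constructed; nothing here queries the network."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Response:
    """What a checker observed from one nameserver for 'NS <zone>'."""
    aa: bool              # AA flag set: the server claims authority
    ns_rrset: Set[str]    # NS names it returned (empty if none)


def delegation_inconsistent(parent_ns: Set[str], child_ns: Set[str]) -> Set[str]:
    """Names present in only one of the two NS RRsets (empty set = consistent).

    This is an object-level comparison: with DNSSEC both RRsets can be verified,
    so the finding is sound whatever path the data took to reach us.
    """
    return parent_ns ^ child_ns


def lame_servers(parent_ns: Set[str],
                 observed: Dict[str, Optional[Response]]) -> List[str]:
    """Delegated servers that did not answer authoritatively for the zone.

    'observed' maps each delegated server name to the response attributed to
    it, or None if it never answered. That attribution is the channel-level
    assumption: a reply made to look as if it came from the server would be
    mis-scored here, and a lame answer carries no signed data to check.
    """
    lame = []
    for server in sorted(parent_ns):
        resp = observed.get(server)
        if resp is None or not resp.aa:
            lame.append(server)
    return lame


def assess(parent_ns: Set[str], child_ns: Set[str],
           observed: Dict[str, Optional[Response]]) -> Dict[str, List[str]]:
    """Both verdicts side by side; either can be true without the other."""
    return {
        "inconsistent": sorted(delegation_inconsistent(parent_ns, child_ns)),
        "lame": lame_servers(parent_ns, observed),
    }


# Constructed scenario 1: the child lists an extra server the parent does not
# know about, but every delegated server answers with AA. Inconsistent, not lame.
PARENT_1 = {"ns1.example.net", "ns2.example.net"}
CHILD_1 = {"ns1.example.net", "ns2.example.net", "ns3.example.net"}
OBSERVED_1 = {
    "ns1.example.net": Response(aa=True, ns_rrset=CHILD_1),
    "ns2.example.net": Response(aa=True, ns_rrset=CHILD_1),
}

# Constructed scenario 2: parent and child agree, but ns2 answers without AA
# (it was never configured for the zone). Consistent, yet lame.
PARENT_2 = {"ns1.example.net", "ns2.example.net"}
CHILD_2 = {"ns1.example.net", "ns2.example.net"}
OBSERVED_2 = {
    "ns1.example.net": Response(aa=True, ns_rrset=CHILD_2),
    "ns2.example.net": Response(aa=False, ns_rrset=set()),
}

if __name__ == "__main__":
    print("scenario 1:", assess(PARENT_1, CHILD_1, OBSERVED_1))
    print("scenario 2:", assess(PARENT_2, CHILD_2, OBSERVED_2))
```

Scenario 1 is the case the post describes: provably inconsistent, yet not lame. Scenario 2 is the opposite, and its verdict rests entirely on the `observed` mapping being honest about who answered.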


Re: GoDaddy.com shuts down entire data center?

2006-01-17 Thread Michael Loftis




--On January 17, 2006 7:27:20 AM -0500 Robert E.Seastrom 
[EMAIL PROTECTED] wrote:



Now that Go Daddy has ensured that I'll never do business with them
(which is a shame; I liked certain lawsuits that they brought in the
past, but if being their customer means subscribing to their thought
police, count me out), I think it's time to carefully go over the
registration agreements with the registrars I use...  never know when
someone will slip in something truly odious, and the argument that
none of them would be so crazy as to try it appears to be incorrect.


This thread gets less and less operational... however, I'm trying to keep 
this in scope... I think this relates operationally because we all have and 
enforce AUPs and ToS on our customer bases, both internal and external. 
We also have AUPs and ToS enforced on us, by business relationships and 
peerings, etc.


Most ToS and AUP out there at the consumer level state basically the 
service is worthless, that we can and will d/c you at will, without cause, 
at our whim.  Overzealous lawyering has made this a necessity.  How much 
any of these might or might not stand up in court, I have no clue.  As you 
get into the business world some ToS and AUP become more weighty, but far 
more structured.  Giving both sides clearer and well defined policies and 
practices for responding to issues.  Requiring notification, escalation, 
etc.


I think what matters is the way that the AUPs are applied.  This case...the 
facts...don't match up.  webhosting.info (not an authoritative source mind 
you, but a datapoint) only sees ~150 hosts by this ISP.  From what I 
understand this number is from whois data with nameservers pointing to 
theirs.  Contrast this with mydyndns.org, google.com, ebay.com, 
prioritycolo.com, wellsfargo.com (ok so this one's not that much more, at 
~800), even sun.com has more domains listed.  Those last two aren't even 
'in the business' and they have more.


While they may have a large datacenter, I'm not even remotely sure that 
this incident darkened the whole thing.  It might've taken rDNS offline, 
but that's far from darkening a whole datacenter.  It sounds like another 
WHTer puffing themselves up to being bigger than they are.  They *must* be 
small to let a *CUSTOMER* advocate for them to a third party!  Nectartech 
clearly knew about this and sanctioned it, and the person recording the 
phone calls has pointed this out more than once.


There are no facts in this case either way, because it is really Go Daddy 
against Nectartech.  And Nectartech has a lot more reason to lie to make 
itself look better in front of its customers.  If their whole datacenter 
went dark then it's some unrelated thing, or some really bad practice (such 
as somehow establishing iBGP based on domain names maybe?  hell I dunno).


I've seen so much utter BS spouted by a lot of the self proclaimed web 
hosts on WHT that I'm not inclined to believe his side of the story any 
more (or any less) because of it.  Go Daddy has to my knowledge never been 
draconian in applying their AUP (I think at least some of us here would know 
about it if so).





Re: DOS attack against DNS?

2006-01-17 Thread Paul Vixie

# Admitted, i did not notice the type/class difference. I responded as a knee
# jerk reaction, and that is my mistake.

on nanog@, the tradition is to send knee-jerk flames without having read the
article you're replying to.  it's our own little slice of usenet-like culture,
still alive a decade or several too late.  so you're fitting right in.  :-).

# For the second part, the any query type is useful (when targeted at either
# your NS and/or public NS servers) to quickly alert to issues such as the one
# being discussed with GoDaddy and Nectartech right now on this list.

i don't like type ANY very much, since it's a cpu amplification attack vector
against recursive nameservers.  however, sendmail uses it in hopes of learning
type MX and type A at the same time, and according to eric, this saves more
network traffic than it generates.

in any case i've not said anything against type ANY.  it's common, and seeing
it is not an indication of malicious intent, and it should never be blocked.
my earlier comments on this thread were about class ANY, not type ANY.
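The class-versus-type distinction in Paul's post, as an added example that is not from the thread or from BIND: a small Python classifier run over constructed BIND-style querylog lines, flagging class ANY queries (drop them, or map them to class IN) while leaving type ANY alone and only counting its volume. The line layout it assumes is the one quoted earlier in the thread (`client IP#port: query: NAME CLASS TYPE FLAGS`); the addresses, names and timestamps are constructed.

```python
"""Added example (not from the thread): classify BIND query-log lines by the
QCLASS/QTYPE distinction Paul Vixie draws. Class ANY has no legitimate use and
is a drop / map-to-IN candidate; type ANY in class IN is ordinary (MTAs send
it) and should not be blocked. The log lines below are constructed, and the
layout assumed is the one quoted in the thread:
    client IP#port: query: NAME CLASS TYPE FLAGS"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

QUERY_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): query: "
    r"(?P<name>\S+) (?P<qclass>\S+) (?P<qtype>\S+)(?: (?P<flags>\S+))?"
)

CLASS_ANY = "class-ANY"   # no real-world purpose: drop, or map to class IN
TYPE_ANY = "type-ANY"     # legitimate; keep it, watch the volume per source
ORDINARY = "ordinary"


@dataclass
class Finding:
    ip: str
    name: str
    qclass: str
    qtype: str
    verdict: str


def classify(line: str) -> Optional[Finding]:
    """Parse one querylog line; None if it is not a query line at all."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    qclass = m.group("qclass").upper()
    qtype = m.group("qtype").upper()
    if qclass == "ANY":
        verdict = CLASS_ANY
    elif qtype == "ANY":
        verdict = TYPE_ANY
    else:
        verdict = ORDINARY
    return Finding(m.group("ip"), m.group("name"), qclass, qtype, verdict)


def summarize(lines: List[str]) -> Dict[str, Dict[str, int]]:
    """Counts per verdict, plus which sources sent the class-ANY queries."""
    verdicts: Counter = Counter()
    class_any_sources: Counter = Counter()
    for line in lines:
        f = classify(line)
        if f is None:
            continue                      # non-query log lines are skipped
        verdicts[f.verdict] += 1
        if f.verdict == CLASS_ANY:
            class_any_sources[f.ip] += 1
    return {"verdicts": dict(verdicts),
            "class_any_sources": dict(class_any_sources)}


# Constructed sample, modelled on the line Paul quoted (TEST-NET addresses).
SAMPLE_LOG = """\
17-Jan-2006 01:02:03.000 client 192.0.2.10#6704: query: z.tn.co.za ANY ANY +E
17-Jan-2006 01:02:03.010 client 192.0.2.10#6705: query: z.tn.co.za ANY ANY +E
17-Jan-2006 01:02:04.000 client 198.51.100.7#53001: query: mail.example.net IN ANY +
17-Jan-2006 01:02:05.000 client 198.51.100.8#41000: query: www.example.net IN A +
17-Jan-2006 01:02:06.000 client 203.0.113.5#1234: query: version.bind CH TXT +
17-Jan-2006 01:02:07.000 client 203.0.113.5#1234: lame server resolving 'example.org'
""".splitlines()


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        f = classify(line)
        if f:
            print(f"{f.ip:<14} {f.name:<18} {f.qclass:<4} {f.qtype:<4} -> {f.verdict}")
    print(summarize(SAMPLE_LOG))
```

On the sample, the two class ANY queries from one source are the only ones flagged; the sendmail-style `IN ANY` query and the `CH TXT` query are counted and left alone, which is the policy Paul states.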


Re: DOS attack against DNS?

2006-01-17 Thread Paul Vixie

# Last saturday one of our Web server experienced a TCP SYN attck which make
# the system down for four hours.  It seems there is not a good solution which
# could detect  defend DoS traffic at any time.

by definition, there will never be a single defense against all attacks.

# So, to the class ANY queries, should we only filtering out class any queries
# on public cache servers ?

if you're seeing them and they're hurting you, yes.  or if you're willing to
endure the configuration pain of always dropping them (see marka's recent mail
on view statements for this purpose), then yes.

# To my understandings, the amplifying result could also be reached by query
# type any.

that's not my understanding.  you're more likely to be hurt by a peer's lack
of BCP38 conformance than by all the type=ANY queries you'll ever hear in DNS.


Re: GoDaddy.com shuts down entire data center?

2006-01-17 Thread Matt Ghali


On Tue, 17 Jan 2006, Robert E.Seastrom wrote:


The first and second paragraphs are sane.  The last paragraph gives Go
Daddy the right to capriciously and arbitrarily delete your domain for
any reason they wish (Morally objectionable activities will include,
but not be limited to...)


Do you believe that your philosophical objections to the language 
absolve you as a customer from the minimal due diligence of 
knowing what you are agreeing to?



[EMAIL PROTECTED]darwin
  The only thing necessary for the triumph
  of evil is for good men to do nothing. - Edmund Burke


Re: GoDaddy.com shuts down entire data center?

2006-01-17 Thread Bill Nash



On Tue, 17 Jan 2006, Matt Ghali wrote:


On Tue, 17 Jan 2006, Robert E.Seastrom wrote:


 The first and second paragraphs are sane.  The last paragraph gives Go
 Daddy the right to capriciously and arbitrarily delete your domain for
 any reason they wish (Morally objectionable activities will include,
 but not be limited to...)


Do you believe that your philosophical objections to the language absolve 
you as a customer from the minimal due diligence of knowing what you are 
agreeing to?




Find me a registrar that DOESN'T have that kind of language in their user 
agreements, then tell me if anyone wishing to do any kind of e-commerce 
has a choice.


I've gone off on a tear about this before: A registrar has a license to 
print money. Boilerplate user agreements that leave the user zero recourse 
are the standard. I haven't seen a registrar yet that doesn't have this 
kind of verbiage completely freeing them from liability for *any* action 
taken on a domain registration, including none.


- billn


Re: GoDaddy.com shuts down entire data center?

2006-01-17 Thread Martin Hannigan

 
 
 
 On Tue, 17 Jan 2006, Matt Ghali wrote:
 
  On Tue, 17 Jan 2006, Robert E. Seastrom wrote:
 
   The first and second paragraphs are sane.  The last paragraph gives Go
   Daddy the right to capriciously and arbitrarily delete your domain for
   any reason they wish (Morally objectionable activities will include,
   but not be limited to...)
 
  Do you believe that your philosophical objections to the language absolve 
  you as a customer from the minimal due diligence of knowing what you are 
  agreeing to?
 
 
 Find me a registrar that DOESN'T have that kind of language in their user 
 agreements, then tell me if anyone wishing to do any kind of e-commerce 
 has a choice.

There are plenty. But they are usually resellers of the larger 
registrars. That's part of the reason to pay the extra $1 to use 
an ICANN accredited registrar. 

 I've gone off on a tear about this before: A registrar has a license to 
 print money. Boilerplate user agreements that leave the user zero recourse 
 are the standard. I haven't seen a registrar yet that doesn't have this 
 kind of verbiage completely freeing them from liability for *any* action 
 taken on a domain registration, including none.

Since this isn't a registrars list I can only say that you should go
discuss that with some registrars and I think you'll find that your
statement isn't entirely factual. For example, GoDaddy has a 24/7  
support system, regardless of what people think about it, that did
answer the phone and process the problem. That's a minimum of a ~half
a million dollar investment on the spot. I'm NOT a registrar and I
don't represent them, but I think they make their money on services
more than domains.

Anyhow, I think this thread is totally off topic at this point, 
as well as Marc Perkel is off topic, asking Marc Perkel what he
thinks is off topic, and this thread should die a horrific death.
It's on the way to a /dev/null forward as we speak.

-M



Collateral Damage

2006-01-17 Thread Patrick W. Gilmore


My previous post sparked quite a bit of traffic (mostly to me  
personally).  It also sparked some confusion.  That's mostly my fault  
for writing e-mails far too late at night and mixing it with an  
emotionally charged thread.


So I would like to separate my questions out of the GoDaddy thread,  
write them slightly differently, and give a little more scope for  
clarity.


These questions are designed as yes/no, not it depends.  The idea  
being if there are general circumstances (not billion-in-one corner  
cases) which would make the action in question acceptable, please  
answer yes, and move to the next question.


For instance, I would answer the first question as yes, because  
there are circumstances which happen reasonably often where I would  
take down an innocent domain to stop network abuse.  (E.g. I would  
null-route a /24 that is sending gigabits of DoS traffic, even if  
there is an innocent mail server in that block.)


Anyway, on to the poll.  You are welcome and encouraged to send the  
answers to me privately, I will collate and post back to the list in  
a few days.



* Please answer yes/no.
  - Additional text is encouraged, but I need a yes/no to tabulate the vote.
* These questions are not regarding a specific provider or even specific abuse type.
  - You can consider spam, DoS, phishing, hacking, etc.
  - Please assume what you consider to be the worst abuse which is common on the Internet today.
* There is a basic assumption that due diligence has been applied.
  - You have investigated and are certain this is not a false positive or such.
  - I hope we can all agree that shutting someone down without doing proper investigation is a Bad Thing.
* There is a basic assumption of notification and grace period.
  - The provider in question knows Bad Things are happening.
  - The provider in question has had a reasonable amount of time to fix said Bad Things.
  - Bad Things are still happening.
* Please do not consider extremely rare occurrences or ultra-extreme scenarios.
  - Null-routing an IP address to stop nuclear war is not in scope of this survey.


If you have any questions, please feel free to e-mail me.


1) Do you think it is ever acceptable to cause collateral damage to  
innocent bystanders if it will stop network abuse?


2) If yes, do you still think it is ever acceptable to take down a  
provider with 100s of innocent customers because one customer is  
misbehaving?


3) If yes, do you still think it is ever acceptable if the  
misbehaving customer is not intentionally misbehaving - i.e.  
they've been hacked?


4) If yes, do you still think it is ever acceptable if the collateral  
damage (taking out 100s of innocent businesses) doesn't actually stop  
the spam run / DoS attack / etc.?



Thank you all for your time.

--
TTFN,
patrick


OT: Training

2006-01-17 Thread Ted Fischer


All,

   I am working on a training proposal, and would appreciate your input.

   This training is going to be an introductory course aimed at 
those who are new to networking.


   Just to put it in context ... I'm presuming that most of you on 
this list have help desk personnel who would be 3 or more levels 
above the training I'm working on.  For example, if I even mention 
BGP it would be along the lines of BGP is a routing protocol 
{presuming I've even mentioned routing protocols} that is used 
between ISPs. Period.  I don't expect that people coming out of this 
particular course will be able to do even non-VLSM subnetting - with 
a calculator, let alone on paper - but at least they will have seen it.


   What I'm more interested in from you all is something along the 
lines of - What do you wish the Help Desk personnel that your Help 
Desk is trying to help actually knew.  Or even, more basically, 
What do I wish that people interested in - or in the process of 
being hired for/promoted to/assigned to (because no one else wants 
it) -  network help desk assignments knew, or should be sent to 
training to learn, before even trying to talk to me.  What would be 
an appropriate 5-10 minute overview (i.e. what is MPLS and how does 
it help networks), and what might be appropriate for more in depth 
(i.e. IP Addressing basics).  What networking myths do you want me to bust?


   I may also be able to let them actually do something ... perhaps 
run a traceroute (live or canned, not sure yet) and explain how it 
works.  I will definitely have a chapter - or at least portion of a 
chapter - on history (how we got where we are), including the 
who/what/why/where/when of RFCs (traceroute might be a good one to 
explore the technical aspects of implementation; i.e. why should UDP 
be used instead of ICMP - what do the RFCs say about it).  If nothing 
else, I may assign some of Jon Postel's writing for research - like RFC 791 :-)


   Everyone has to start somewhere, and I want this to be the best, 
yet most succinct, training I can come up with.


   Please keep in mind that I only have 4 or 5 (probably 4) days to 
do this in.  It is meant to be an introduction, and not cure all 
network training fauxes pas (is that the correct plural?) in one fell 
swoop.  One of the other things I want to accomplish is to hook 
people on networking so that they will continue their training.


   Off-list replies welcome - you decide.

   Thanks.

   Regards.



Ted Fischer




Re: GoDaddy.com shuts down entire data center?

2006-01-17 Thread Steve Sobol


Joe McGuckin wrote:


On the other hand, I'm not comfortable with the idea that an organization
that provides network infrastructure services under the aegis of the US
Government could unilaterally revoke those services for something that is
not illegal. 


You could say I do that. I am not a registrar, but I do host DNS for many 
domains. So if my customer spams and I cut them off, including DNS, do you 
have a problem with that too?


--
Steve Sobol, Professional Geek   888-480-4638   PGP: 0xE3AE35ED
Company website: http://JustThe.net/
Personal blog, resume, portfolio: http://SteveSobol.com/
E: [EMAIL PROTECTED] Snail: 22674 Motnocab Road, Apple Valley, CA 92307



Service contracts and Morally objectionable activities

2006-01-17 Thread Kevin

On 1/17/06, Bill Nash [EMAIL PROTECTED] wrote:
 On Tue, 17 Jan 2006, Matt Ghali wrote:
   On Tue, 17 Jan 2006, Robert E. Seastrom wrote:
   The first and second paragraphs are sane.  The last paragraph gives Go
   Daddy the right to capriciously and arbitrarily delete your domain for
   any reason they wish (Morally objectionable activities will include,
   but not be limited to...)
 
  Do you believe that your philosophical objections to the language absolve
  you as a customer from the minimal due diligence of knowing what you are
  agreeing to?

 Find me a registrar that DOESN'T have that kind of language in their user
 agreements, then tell me if anyone wishing to do any kind of e-commerce
 has a choice.

Yes, but that language DOESN'T have to stay in YOUR agreement.

Many registrars will negotiate contract language, at least for larger customers.

My employer isn't a huge network operation, with just a few hundred domains,
but is big enough to have staff counsel, and stubborn enough to routinely
stonewall ISPs and registrars into removing content-related clauses from
their contracts.

Messes with my project deadlines, but better late than Godaddy.


 I've gone off on a tear about this before: A registrar has a license to
 print money. Boilerplate user agreements that leave the user zero recourse
 are the standard. I haven't seen a registrar yet that doesn't have this
 kind of verbiage completely freeing them from liability for *any* action
 taken on a domain registration, including none.

And this is why, if any money is riding on the service at all, you have
at least one law talking guy vet all contracts at the front of the process.

Kevin Kadow


Intradomain Traffic Engineering

2006-01-17 Thread Hao Wang
Hi All,

I'm a PhD student currently studying intra-domain traffic engineering, and I have two questions that I really wish to hear some opinions on from you network operators.

I'm experimenting with a prediction-based intra-domain traffic engineering technique. The technique uses traffic demand matrices observed in the history to predict future traffic demands, and computes a routing that minimizes maximum link utilization (MLU) for those future demands.

I evaluate the performance of the technique using Abilene traffic traces collected at 5-minute intervals. The results show that when the model is able to predict the real traffic matrix, the technique can achieve close to optimal MLU. However, when the model makes a wrong prediction, the technique suffers very high MLU (as high as 140%).

Basically, I have the following two questions:

1. In the traces I have, there exist several intervals with a huge, sudden increase of traffic on some links. The prediction model I use cannot predict those 'big spikes'. Do these 'big spikes' really happen in operational networks? Or are they merely measurement errors? If they really happen, is there a gradual ramp up of traffic at a smaller time scale, say, on the order of tens of seconds? Or do these 'big spikes' really occur very quickly, say, in a few seconds?

2. I have the option to make a tradeoff between average case performance and worst case performance guarantee, but I don't know which one is deemed more important by you. Are ISP networks currently optimized for worst case or average case performance? Is the trade-off between these two an appealing idea, or maybe the ISP networks are already doing it?

I really appreciate any feedback from you about the above two questions, and your help will be acknowledged in any publication about this work.

Thanks,
Edgar
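An added example, not part of the post or of the Abilene evaluation it describes, that carries the technique through on a constructed three-node topology: the next demand matrix is predicted as the per-flow mean of the history, a routing fixed for that prediction is evaluated against the real matrix, and a spike on one flow that the predictor cannot see pushes the maximum link utilization past 100%. The topology, capacities, routing and mean predictor are all assumptions.

```python
from statistics import mean

# Constructed three-node topology (not Abilene): directed links and their
# capacities in Mbit/s.
CAPACITY = {("A", "B"): 100, ("B", "C"): 100, ("A", "C"): 50}

# Constructed routing chosen for the predicted matrix: each (src, dst) demand
# is pinned to a list of links.
ROUTING = {
    ("A", "B"): [("A", "B")],
    ("B", "C"): [("B", "C")],
    ("A", "C"): [("A", "C")],
}

# Constructed history of three 5-minute demand matrices (Mbit/s).
HISTORY = [
    {("A", "B"): 60, ("B", "C"): 40, ("A", "C"): 30},
    {("A", "B"): 62, ("B", "C"): 38, ("A", "C"): 32},
    {("A", "B"): 58, ("B", "C"): 42, ("A", "C"): 28},
]

# Constructed next interval: A->C suddenly carries more than twice its history.
SPIKE = {("A", "B"): 60, ("B", "C"): 40, ("A", "C"): 70}

def predict_demand(history):
    """Assumed predictor: per-flow mean of the past matrices."""
    return {flow: mean(m[flow] for m in history) for flow in history[0]}

def link_loads(demand, routing):
    """Sum every demand onto each link of the path the routing assigns it."""
    loads = {link: 0.0 for link in CAPACITY}
    for flow, path in routing.items():
        for link in path:
            loads[link] += demand.get(flow, 0.0)
    return loads

def max_link_utilization(demand, routing):
    """MLU: the busiest link's load as a fraction of its capacity (>1 = overload)."""
    loads = link_loads(demand, routing)
    return max(loads[link] / CAPACITY[link] for link in CAPACITY)

def prediction_gap(history, actual, routing):
    """(MLU the routing was planned for, MLU it actually experiences)."""
    return (max_link_utilization(predict_demand(history), routing),
            max_link_utilization(actual, routing))
```

On this data the routing is planned for an MLU of 0.6, while the unpredicted spike lifts the real MLU to 1.4, the 140% figure the post reports.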


Re: Intradomain Traffic Engineering

2006-01-17 Thread Robert Boyle


At 12:06 AM 1/18/2006, you wrote:

(snip)
wrong prediction, the technique suffers very high MLU (as high as 140%).
Basically, I have the following two questions:
1. In the traces I have, there exist several intervals with a 
huge, sudden increase of traffic on some links. The prediction 
model I use cannot predict those 'big spikes'. Do these 'big 
spikes' really happen in operational networks? Or are they merely 
measurement errors? If they really happen, is there a gradual ramp 
up of traffic in smaller time scale, say, on the order of tens of 
seconds? Or do these 'big spikes' really occur very quickly, say, 
in a few seconds?


Nobody can predict them so you build your network with excess 
capacity from an overhead standpoint as well as a link standpoint. 
Here are several reasons for variation and unpredictability. This is 
not a comprehensive list and I'm sure others will add to it.


- CNN or other major network coverage including major advertising events - Super Bowl, Victoria's Secret show, etc. (10s of seconds)
- SQL Slammer / Code Red / Nimda / or other major fast moving outbreaks (10s of seconds - maybe. We saw the spread of SQL Slammer within 2 seconds to many unmanaged colo customer machines)
- depeering of any two or more large networks or routing mistakes or flapping thus dampening (a few seconds to 10s of seconds to hours)
- major provider outage which moves flows to other paths (a few seconds to 10s of seconds)
- fiber cuts / regional power outages (a few seconds to 10s of seconds)
- significant events such as 9/11 & Katrina (a few seconds to many hours)

2. I have the option to make a tradeoff between average case 
performance and worst case performance guarantee, but I don't know 
which one is deemed more important by you. Are ISP networks 
currently optimized for worst case or average case performance? Is 
the trade-off between these two an appealing idea, or may the ISP 
networks are already doing it?


Each ISP makes their own decisions based on their business needs, 
budgets, and promised SLAs to customers.


-Robert



Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
Well done is better than well said. - Benjamin Franklin