Re: DNS Amplification Attacks
On Fri, Mar 17, 2006 at 03:27:03PM -0800, [EMAIL PROTECTED] wrote:

That ISPs still do not filter inbound traffic from their customers to prevent source spoofing is amazing. The fact that there are vendors out there that do not support RPF filtering is even more amazing.

---
Wayne Bouchard
[EMAIL PROTECTED]
Network Dude
http://www.typo.org/~web/
Re: DNS Amplification Attacks
Geo. wrote:

Recursion the way it is set now with most DNS implementations, is the problem being exploited by spoofing. It is true spoofing is bad for our health, but that does not mean we should ignore what actually gets exploited, which is recursive name servers open to the world. Fixing the one does not mean we shouldn't fix the other.

But fixing recursion also fixes the internet (fixes as in how you fix a dog) in that he who controls the DNS controls the net. Fixing DNS is going to hand over strict control to governments because now they can prevent you from resolving anything they don't want you to resolve.

Where did that come from? I respect you but please, let's have a technical discussion. This is important enough for us all to avoid the flame-wars for now. Don't move this thread to politics or lunacies.
TDS - AS
Is anyone else having issues getting to AS 4181? Seems like my route to them was withdrawn around 20:05 z. (64.35.192.0/20)

(and yes, I DID open a ticket)

-Keith
Re: DNS Amplification Attacks
Joseph S D Yao wrote:

On Mon, Mar 20, 2006 at 11:30:46PM +0200, Gadi Evron wrote:

...

Where did that come from? I respect you but please, let's have a technical discussion. This is important enough for us all to avoid the flame-wars for now. Don't move this thread to politics or lunacies.

...

Then leave governments out of it, and re-phrase the question in this way. If one can not run one's own DNS server on the public Internet, but must rely on a DNS service supplier for your DNS, and at some point you start to wonder about the technical competence or correct configuration of the DNS service supplier whose DNS you are configured to use, and all other DNS servers out there are configured to refuse recursive service except perhaps to their own population, then against what can you compare the DNS service that you are getting, to see whether it is giving you what the world should be seeing?

That is exactly what worries me. In Germany censoring is commonplace. You have to use foreign resolvers to escape it. There is a lot of collateral damage too - government has provided the tools. Corrupt people use it to play tricks on their friends.

How about alternative roots? ICANN does censor XN--55QX5D., XN--FIQS8S. and XN--IO0A7I. already. You must use alternative roots to exchange emails with people living in those domains.

Banning open resolvers means censoring for a lot of people, at least if they cannot run their own servers.

Regards
Peter and Karin Dambier

--
Peter and Karin Dambier
The Public-Root Consortium
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)
mail: [EMAIL PROTECTED]
mail: [EMAIL PROTECTED]
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
RE: TDS - AS
Thanks for the correction :). Being rather self centered at times, it's the only prefix I care about.

-Original Message-
From: Arnold Nipper [mailto:[EMAIL PROTECTED]
Sent: Monday, March 20, 2006 5:25 PM
To: Wallace Keith
Cc: Arnold Nipper
Subject: Re: TDS - AS

On 20.03.2006 23:16 Wallace Keith wrote

Is anyone else having issues getting to AS 4181? Seems like my route to them was withdrawn around 20:05 z. (64.35.192.0/20) (and yes, I DID open a ticket)

There are a lot of prefixes from AS 4181, but not that particular ...

Not *your* route to them is withdrawn but *their* prefix ...

gw001#sh ip bg 64.35.192.0/20
% Network not in table
gw001#sh ip bg 64.35.192.0
BGP routing table entry for 64.0.0.0/4, version 247378
Paths: (3 available, best #3, table Default-IP-Routing-Table)
  Advertised to update-groups:
     3
  13101 3356 7911 22637
    80.81.196.131 from 80.81.196.131 (213.178.64.92)
      Origin IGP, metric 0, localpref 100, valid, external
      Community: 3356:3 3356:86 3356:575 3356:666 3356:2006 7911:777 7911:7705 13101:90 13101:1500 13101:2010
  12731 3356 7911 22637
    80.81.196.130 from 80.81.196.178 (80.81.196.157)
      Origin IGP, metric 0, localpref 100, valid, internal
  12731 3356 7911 22637
    80.81.196.130 from 80.81.196.130 (213.128.128.8)
      Origin IGP, localpref 100, valid, external, best
      Community: 3356:3 3356:86 3356:575 3356:666 3356:2006 7911:777 7911:7705
gw001#tra 64.35.192.1
Type escape sequence to abort.
Tracing the route to cntcnhedg02.network.tds.net (64.35.192.1)
  1 br1.frankfurt1.iphh.net (80.81.196.130) 0 msec 4 msec 0 msec
  2 62.67.36.157 [AS 3356] 4 msec 0 msec 4 msec
  3 ae-0-54.bbr2.Frankfurt1.Level3.net (4.68.118.98) [AS 3356] 0 msec 204 msec 40 msec
  4 ae-0-0.bbr1.Washington1.Level3.net (64.159.0.229) [AS 3356] !N
    as-3-0.bbr2.Washington1.Level3.net (4.68.128.206) [AS 3356] !N !N

Regards,
Arnold

--
Arnold Nipper / nIPper consulting, Sandhausen, Germany
email: [EMAIL PROTECTED]
phone: +49 6224 9259 299
mobile: +49 172 2650958
fax: +49 6224 9259 333
Re: DNS Amplification Attacks
On Mon, 20 Mar 2006, Peter Dambier wrote:

How about alternative roots? ICANN does censor XN--55QX5D., XN--FIQS8S. and XN--IO0A7I. already. You must use alternative roots to exchange emails with people living in those domains.

Stop with the bull$**+ (self-censored), trying to recast the censorship light on the issue of alternate roots. ICANN is censoring nothing; it's alternative roots that are taking it upon themselves not to go through a standardization process by creating nonstandard naming trees.

I encourage you to look up the English definition of censor sometime.

--
-- Todd Vierling [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
Re: TDS - AS
Arnold Nipper wrote:

gw001#sh ip bg 64.35.192.0
BGP routing table entry for 64.0.0.0/4, version 247378

Should we really be seeing 64/4? That's an awfully big aggregate...that I don't see in ARIN as an exact-match.

(Paging the filter police...)

pt
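Added example, not part of any message in this thread: a small Python model of why the exact-match lookup for 64.35.192.0/20 returns nothing while the address lookup lands on 64.0.0.0/4, and of a minimum-prefix-length filter that would have rejected the /4. The AS path given for the /20 and the /8 minimum length are assumptions made for illustration.

```python
import ipaddress

# Constructed routing table modelled on the output quoted in the thread.
AGGREGATE = ("64.0.0.0/4", "12731 3356 7911 22637")   # path as shown in the thread
SPECIFIC = ("64.35.192.0/20", "12731 3356 4181")      # constructed sample path

MIN_PREFIX_LEN = 8  # assumption: inbound policy rejects IPv4 routes shorter than /8


def build_table(routes):
    """Map ip_network -> AS path string."""
    return {ipaddress.ip_network(prefix): path for prefix, path in routes}


def exact_match(table, prefix):
    """Like 'sh ip bgp a.b.c.d/len': only the exact prefix counts."""
    return table.get(ipaddress.ip_network(prefix))


def longest_match(table, address):
    """Like 'sh ip bgp a.b.c.d': the most specific route covering the address."""
    addr = ipaddress.ip_address(address)
    covering = [net for net in table if addr in net]
    if not covering:
        return None
    best = max(covering, key=lambda net: net.prefixlen)
    return best, table[best]


def too_short(table, min_len=MIN_PREFIX_LEN):
    """Prefixes a minimum-length inbound filter would reject."""
    return sorted(str(net) for net in table if net.prefixlen < min_len)


if __name__ == "__main__":
    before = build_table([AGGREGATE, SPECIFIC])
    after = build_table([AGGREGATE])  # the /20 has been withdrawn
    print("before withdrawal:", longest_match(before, "64.35.192.1"))
    print("exact /20 after  :", exact_match(after, "64.35.192.0/20"))
    print("lookup after     :", longest_match(after, "64.35.192.1"))
    print("filter rejects   :", too_short(after))
```
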
Re: DNS Amplification Attacks
Joseph S D Yao wrote:

[...] service except perhaps to their own population, then against what can you compare the DNS service that you are getting, to see whether it is giving you what the world should be seeing?

DNS looking glasses, in much the same way that we use web-form based BGP or traceroute looking glasses today.