Re: relays.osirusoft.com

2003-08-28 Thread Vadim Antonov


On Wed, 27 Aug 2003, Iljitsch van Beijnum wrote:

> I wouldn't recommend this. If you have two DNS servers on different
> addresses, everyone can talk to #2 if #1 doesn't answer.

I noticed that many Windoze mail servers don't bother to check the second
server if the primary's dead.

--vadim



Re: Re[2]: relays.osirusoft.com

2003-08-28 Thread George William Herbert


Paul wrote:
> this part, on the other hand...
>
> >    he's put
> > *.*.*.* in, he's asking people not to use it anymore.
>
> ...mystifies me.  anyone who has read rfc1034 or rfc1035, even
> if they did not also read rfc2181 or rfc2136 or rfc2308, knows
> that in a zone containing the following wildcardish data:
>
> $ORIGIN example.vix.com.
> *   1H IN A 127.0.0.1
> *.* 1H IN A 127.0.0.2
> *.*.*   1H IN A 127.0.0.3
> *.*.*.* 1H IN A 127.0.0.4
>
> the result will be that only the top one will match:

I must hope and pray that nobody on NANOG would be foolish
enough to load narrative prose mailed to the list into their
BIND configurations ;-) 

BGP, now, feel free to do that all you want.


-george william herbert
[EMAIL PROTECTED]



Re: relays.osirusoft.com

2003-08-27 Thread michael

Hello

; <<>> DiG 9.2.0 <<>> relays.osirusoft.com txt
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39308
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0

;; QUESTION SECTION:
;relays.osirusoft.com.  IN  TXT

;; ANSWER SECTION:
relays.osirusoft.com. 86384 IN TXT Please stop using relays.osirusoft.com

;; AUTHORITY SECTION:
osirusoft.com.  86384   IN  NS  ns2.osirusoft.com.
osirusoft.com.  86384   IN  NS  ns3.osirusoft.com.
osirusoft.com.  86384   IN  NS  ns4.osirusoft.com.
osirusoft.com.  86384   IN  NS  ns1.osirusoft.com.

On Tue, 26 Aug 2003, Crist Clark wrote:

> Date: Tue, 26 Aug 2003 15:55:10 -0700
> From: Crist Clark [EMAIL PROTECTED]
> To: Gary E. Miller [EMAIL PROTECTED]
> Cc: Richard Welty [EMAIL PROTECTED], [EMAIL PROTECTED]
> Subject: Re: relays.osirusoft.com
>
>
> Gary E. Miller wrote:
> >
> > Yo Richard!
> >
> > returning 127.0.0.2 for everything would be an ugly way to bow out.
> >
> > I am just seeing timeouts for XXX.relays.osirusoft.com now.
>
> I'm seeing timeout issues too, which would match with DoS attacks. But
> in my logs I see,
>
>   Aug 26 01:17:51 aurora named[284]: [ID 866145 daemon.info] lame server resolving
> '130.38.76.211.relays.osirusoft.com' (in 'relays.osirusoft.COM'?): 127.0.0.1#53
>
> (That's PDT), and in my cache I see,
>
>   $ dig relays.osirusoft.com ns
>
>   ; <<>> DiG 9.2.2 <<>> relays.osirusoft.com ns
>   ;; global options:  printcmd
>   ;; Got answer:
>   ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59238
>   ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
>
>   ;; QUESTION SECTION:
>   ;relays.osirusoft.com.  IN  NS
>
>   ;; ANSWER SECTION:
>   relays.osirusoft.com.   33863   IN  NS  ns2-relays.osirusoft.com.
>   relays.osirusoft.com.   33863   IN  NS  ns1-relays.osirusoft.com.
>
>   ;; ADDITIONAL SECTION:
>   ns1-relays.osirusoft.com. 33863 IN  A   127.0.0.1
>
>   ;; Query time: 7 msec
>   ;; SERVER: 127.0.0.1#53(127.0.0.1)
>   ;; WHEN: Tue Aug 26 15:49:15 2003
>   ;; MSG SIZE  rcvd: 104




Re: Re[2]: relays.osirusoft.com

2003-08-27 Thread George William Herbert


> > returning 127.0.0.2 for everything would be an ugly way to bow out.
>
> yes, but it's been done before.

Someone has been in contact with Joe via phone and posted
to another mailing list That Zhall Not Be Named that
exactly that is happening.  The zone is dead, he's put
*.*.*.* in, he's asking people not to use it anymore.
It may be back in the future with a new network setup,
but right now consider it down.

We're working on getting him to send out a public announcement.

Yes, this is due to a massive DDOS.  At least three
of the spamfilter BLs have been so attacked this week.

Some of the networks represented here have not been
as timely about helping the BL providers with the
DDOSes as they could be.  Please keep in mind that
without dynamic BLs anti-spam folks will fall back
to sending out static block maps, which getting your
IP space out of will be difficult if not impossible.

IT IS VERY MUCH IN NETWORK OPERATORS
BEST INTEREST THAT THIS NOT HAPPEN.

Please take what measures are necessary to help
ensure that your customers are not intentionally
or negligently DDOSing the BLs.


-george william herbert
[EMAIL PROTECTED]



Re: relays.osirusoft.com

2003-08-27 Thread Matthew Sullivan
George William Herbert wrote:

> Yes, this is due to a massive DDOS.  At least three
> of the spamfilter BLs have been so attacked this week.
> Some of the networks represented here have not been
> as timely about helping the BL providers with the
> DDOSes as they could be.  Please keep in mind that
> without dynamic BLs anti-spam folks will fall back
> to sending out static block maps, which getting your
> IP space out of will be difficult if not impossible.
> IT IS VERY MUCH IN NETWORK OPERATORS
> BEST INTEREST THAT THIS NOT HAPPEN.
> Please take what measures are necessary to help
> ensure that your customers are not intentionally
> or negligently DDOSing the BLs.
 

Well said George,

I have been one of the recipients of the DDoS attacks.  If people see 
non DNS UDP traffic or non Type 3 ICMP traffic aimed at 203.15.51.32/27 
it is likely DDoS traffic.  Currently I still have at least one IP in 
that range Null Routed by upstreams.

SORBS may have to implement a subscription model soon to fund more hosts 
around the world if the DDoS's continue,  I am desperately trying to 
avoid it, should it become necessary it will be for the +50k 
queries/day users out there.  The point is SORBS is funded solely by 
myself and through hosting donations - I have 5 public secondaries 
donated currently, and I cannot afford, personally, any DDoS proofing 
other than that I have now.  I know of at least 3 other DNSbls that are 
experiencing DDoS issues, and one DNSbl operator that is scared stiff of 
DDoS.

Yours

Mat

Note: If anyone wants to talk about SORBS, public secondaries, 
donations, policy etc... this is not the forum, please contact me off list.





Re: relays.osirusoft.com

2003-08-27 Thread Michael K. Smith

On 8/26/03 4:45 PM, Matthew Sullivan [EMAIL PROTECTED] wrote:

 
> George William Herbert wrote:
>
> > Yes, this is due to a massive DDOS.  At least three
> > of the spamfilter BLs have been so attacked this week.
> >
> > Some of the networks represented here have not been
> > as timely about helping the BL providers with the
> > DDOSes as they could be.  Please keep in mind that
> > without dynamic BLs anti-spam folks will fall back
> > to sending out static block maps, which getting your
> > IP space out of will be difficult if not impossible.
> >
> > IT IS VERY MUCH IN NETWORK OPERATORS
> > BEST INTEREST THAT THIS NOT HAPPEN.
> >
> > Please take what measures are necessary to help
> > ensure that your customers are not intentionally
> > or negligently DDOSing the BLs.
>
> Well said George,
>
> I have been one of the recipients of the DDoS attacks.  If people see
> non DNS UDP traffic or non Type 3 ICMP traffic aimed at 203.15.51.32/27
> it is likely DDoS traffic.  Currently I still have at least one IP in
> that range Null Routed by upstreams.
>
> SORBS may have to implement a subscription model soon to fund more hosts
> around the world if the DDoS's continue,  I am desperately trying to
> avoid it, should it become necessary it will be for the +50k
> queries/day users out there.  The point is SORBS is funded solely by
> myself and through hosting donations - I have 5 public secondaries
> donated currently, and I cannot afford, personally, any DDoS proofing
> other than that I have now.  I know of at least 3 other DNSbls that are
> experiencing DDoS issues, and one DNSbl operator that is scared stiff of
> DDoS.
>
> Yours
>
> Mat
>
> Note: If anyone wants to talk about SORBS, public secondaries,
> donations, policy etc... this is not the forum, please contact me off list.

Hello:

If you and others are experiencing DDOS attacks it would be a good idea to
get the affected IP's on to the various lists associated with the tracking
of such events.  If you would like me to post them, I would be happy to do
so.  Please let me know the IP blocks, other than the one mentioned above,
and I will post them to the lists.

Thanks,

Mike
-- 
Michael K. Smith  NoaNet
206.219.7116 (work)   206.579.8360 (cell)
[EMAIL PROTECTED]http://www.noanet.net




relays.osirusoft.com

2003-08-27 Thread Richard Welty

although this has to do with spam, i think folks will agree that there's
operational content here:

relays.osirusoft.com is down, it's history, stop using it.

it is currently returning 127.0.0.2 for everything, so if you're using it,
you won't receive this, but at least those who don't use it will know what
to say when the issue comes up.

richard
-- 
Richard Welty [EMAIL PROTECTED]
Averill Park Networking 518-573-7592
Java, PHP, PostgreSQL, Unix, Linux, IP Network Engineering, Security




Re: relays.osirusoft.com

2003-08-27 Thread Gary E. Miller

Yo Richard!

returning 127.0.0.2 for everything would be an ugly way to bow out.

I am just seeing timeouts for XXX.relays.osirusoft.com now.

RGDS
GARY
---
Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
[EMAIL PROTECTED]  Tel:+1(541)382-8588 Fax: +1(541)382-8676

On Tue, 26 Aug 2003, Richard Welty wrote:

> relays.osirusoft.com is down, it's history, stop using it.
>
> it is currently returning 127.0.0.2 for everything, so if you're using it,
> you won't receive this, but at least those who don't use it will know what
> to say when the issue comes up.


Re[2]: relays.osirusoft.com

2003-08-27 Thread Richard Welty

On Tue, 26 Aug 2003 20:59:22 -0400 (EDT) Mark Jeftovic [EMAIL PROTECTED] wrote:
> Returning 127.0.0.2 on everything would indeed be an ugly way to bow
> out, but its been done before. Another RBL went out the same way
> previously, can't remember which one (was it orbz?)

it was more complicated than that. orbs went away without a clean shutdown
plan, and one of the secondary DNS operators started answering with
127.0.0.2 to try and get people to stop querying his server.

it worked, although with non-trivial pain attached.

richard
-- 
Richard Welty [EMAIL PROTECTED]
Averill Park Networking 518-573-7592
Java, PHP, PostgreSQL, Unix, Linux, IP Network Engineering, Security




Re: Re[2]: relays.osirusoft.com

2003-08-27 Thread Paul Vixie

ok so this part does not mystify me...

> Someone has been in contact with Joe via phone and posted
> to another mailing list That Zhall Not Be Named that
> exactly that is happening.  The zone is dead, ...

...because running blackhole lists is surprisingly more hard
than most people think.  (witness the sorbs.net message here
a few hours ago complaining of 50Kpkt/day query loads.)  i've
paid some dues in this area, so i feel qualified to say that
i told you so on this topic.  but at least there's no mystery.

this part, on the other hand...

>    he's put
> *.*.*.* in, he's asking people not to use it anymore.

...mystifies me.  anyone who has read rfc1034 or rfc1035, even
if they did not also read rfc2181 or rfc2136 or rfc2308, knows
that in a zone containing the following wildcardish data:

$ORIGIN example.vix.com.
*   1H IN A 127.0.0.1
*.* 1H IN A 127.0.0.2
*.*.*   1H IN A 127.0.0.3
*.*.*.* 1H IN A 127.0.0.4

the result will be that only the top one will match:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16926
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;; QUERY SECTION:
;;  40.30.20.10.example.vix.com, type = A, class = IN

;; ANSWER SECTION:
40.30.20.10.example.vix.com.  1H IN A  127.0.0.1

and that in a zone containing only this data:

$ORIGIN example.vix.com.
*.*.*.* 1H IN A 127.0.0.4

the result will be that none of them ever match:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44811
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUERY SECTION:
;;  40.30.20.10.example.vix.com, type = A, class = IN

you don't even need to read draft-ietf-dnsext-wcard-clarify-01.txt to know
that putting *.*.*.* into a zone won't actually mean, or do, *anything*.

> It may be back in the future with a new network setup,
> but right now consider it down.

i'm not completely sure, but i don't think this list will see much action
in the future from the sysadmins who had to make emergency config changes
today to avoid bouncing all their e-mail.  once burned, twice shy, eh?
when i deprecated the old $foo.maps.vix.com zones in favour of the their
corresponding replacements $bar.mail-abuse.org some years ago, i had the
foresight to ensure that no mail would be blocked by people who failed to
put in the configuration change.  now you can all see why that was nec'y.
-- 
Paul Vixie
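As an added illustration of the wildcard rule Paul spells out above (and that George quotes earlier in the thread), here is a small Python model of RFC 1034 wildcard matching run over the two zones from Paul's message. This is not code from the thread or from BIND: the parser only understands the tiny $ORIGIN / owner TTL class type rdata layout used in the message, and the lookup implements the closest-encloser rule that the wcard-clarify draft Paul mentions (later RFC 4592) wrote down explicitly.

```python
# Added example, not code from the thread or from BIND: a minimal model of
# RFC 1034 wildcard matching (the closest-encloser rule later written down in
# RFC 4592), run over the two zones from Paul Vixie's message.

def parse_zone(text):
    """Parse the $ORIGIN / owner TTL class type rdata layout used in the
    thread into {owner_fqdn: [(type, rdata), ...]}.  Only what those example
    zones need is handled: no comments, no relative names in rdata."""
    origin, zone = "", {}
    for line in text.strip().splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "$ORIGIN":
            origin = fields[1].rstrip(".")
            zone.setdefault(origin, [])          # the apex always exists
            continue
        owner, _ttl, _cls, rtype, rdata = fields
        fqdn = owner.rstrip(".") if owner.endswith(".") else f"{owner}.{origin}"
        zone.setdefault(fqdn, []).append((rtype, rdata))
    return zone


def name_exists(zone, name):
    """RFC 1034 existence: a name exists if it is an owner name or an
    ancestor of one (an 'empty non-terminal'); nothing else exists."""
    return any(owner == name or owner.endswith("." + name) for owner in zone)


def lookup(zone, qname, rtype="A"):
    """Answer qname/rtype with the wildcard rule applied.

    A '*' label stands only for the labels *below* the closest existing
    ancestor of the query name; every other label of a wildcard owner name
    (the remaining '*' labels in '*.*.*.*', for instance) has to match
    literally.  Returns the rdata list, [] for NXDOMAIN or NODATA."""
    qname = qname.rstrip(".")
    if qname in zone:                            # exact match
        return [rd for (t, rd) in zone[qname] if t == rtype]
    if name_exists(zone, qname):                 # empty non-terminal: NODATA,
        return []                                # and no wildcard synthesis
    labels = qname.split(".")
    for i in range(1, len(labels)):
        encloser = ".".join(labels[i:])
        if name_exists(zone, encloser):          # closest encloser found
            wild = "*." + encloser
            if wild in zone:
                return [rd for (t, rd) in zone[wild] if t == rtype]
            return []                            # no '*' child: NXDOMAIN
    return []


# The two zones from the message, verbatim.
ZONE_A = parse_zone("""
$ORIGIN example.vix.com.
*       1H IN A 127.0.0.1
*.*     1H IN A 127.0.0.2
*.*.*   1H IN A 127.0.0.3
*.*.*.* 1H IN A 127.0.0.4
""")

ZONE_B = parse_zone("""
$ORIGIN example.vix.com.
*.*.*.* 1H IN A 127.0.0.4
""")

if __name__ == "__main__":
    q = "40.30.20.10.example.vix.com"
    print("zone A", q, "->", lookup(ZONE_A, q))              # ['127.0.0.1']
    print("zone B", q, "->", lookup(ZONE_B, q))              # []
    # the only names '*.*.*.*' can ever match carry literal '*' labels
    q = "x.*.*.*.example.vix.com"
    print("zone B", q, "->", lookup(ZONE_B, q))              # ['127.0.0.4']
```

Running it reproduces both of Paul's dig results: in zone A the query hits `*.example.vix.com` because `example.vix.com` is the closest name that exists, and in zone B nothing matches because `*.*.*.*` can only be reached through a query name whose middle labels are literally `*`. The third lookup shows the one kind of name such a record does match, which is why loading it into a DNSBL zone changes nothing for real queries.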


Re: relays.osirusoft.com

2003-08-27 Thread Iljitsch van Beijnum
On woensdag, aug 27, 2003, at 13:54 Europe/Amsterdam, Matthew Sullivan 
wrote:

> Someone has suggested 'anycasting' what do people (particularly you Paul)
> think of using anycasting for a DNSbl? (<- AS112 anyone?)  I think it may
> work well... however I am a novice in terms of BGP...  As far as I can
> tell it involves getting a portable address block (someone suggested
> anything less than a /24 would get filtered) and announcing it in
> various locations around the Net with local servers behind each of those
> announcements is this fundamentally correct?

I wouldn't recommend this. If you have two DNS servers on different 
addresses, everyone can talk to #2 if #1 doesn't answer. If you anycast 
them, everyone only gets to talk to one, and if that one has problems, 
too bad, nothing to be done about that except wait until someone fixes 
the problem or changes the BGP announcement. Also, the built-in DNS RTT 
load balancing is much more sophisticated than BGP shortest path 
selection.

I also have serious doubts about the wisdom of having the root servers 
anycast for similar reasons but in this case the only alternative is 
not increasing the number of servers as it's impossible to list the new 
servers under an IP address of their own.

If the number of requests on your servers is the problem and not 
bandwidth, you could install filters that only allow requests for known 
users of the service. This means the attackers must first guess and 
then spoof an address belonging to a registered user, which should take 
much of the fun out of it. This sounds like a lot of work but you'd 
have to do something like it anyway when you want to become a paid 
service.



Re: Re[2]: relays.osirusoft.com

2003-08-27 Thread Margie

--On Wednesday, August 27, 2003 7:53 AM -0400 [EMAIL PROTECTED] wrote:

> Mail was delayed (and servers put under heavy load waiting for DNS
> queries to time out) when MAPS finally shut off free access
> without warning (a week or more after they originally had warned
> they'd do it, but gave everyone an extension when there was
> massive public outcry and they were unable to keep up with
> inquiries about buying access).
 

Point of clarification - In early to mid July, we gave notice we were
securing the zones at the end of July.  Starting August 1 we used
deny ACLs based on the IP addresses making the largest number of
queries - and we emailed domain contacts for those. The deny ACL
was not changed to an allow ACL until October 1 - over 10 weeks
after we announced the zones would close. That is hardly without
warning, nor was it because of public outcry.  (The part about not
being able to keep up with inquiries was definitely true, but I did
learn that sleep is highly overrated <g>.)

At no time did we return positive answers for IP addresses that were
not listed. Two years after the fact, we *still* get tens of
thousands of queries a day from IP addresses that are not subscribed.

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Margie Arbon   Mail Abuse Prevention System, LLC
[EMAIL PROTECTED]  http://mail-abuse.org



Re: relays.osirusoft.com

2003-08-27 Thread Paul Vixie

> Someone has suggested 'anycasting' what do people (particularly you
> Paul) think of using anycasting for a DNSbl? (<- AS112 anyone?)

unowned anycast, such as that used in as112, is only possible when the
replies have no value (and thus need not be synchronized or centrally
authorized.)

conversely, unowned anycast only adds value if the replies really ought
to be sent anonymously.  in the case of sorbs, you can enumerate
authorized servers and thus get better management and control than you
would with unowned anycast.

now, that doesn't mean anycast per se is a bad idea for sorbs.  it's
just that you'd want to own or at least manage and control each
instance.  this is what we do for f-root and it's what ultradns and
nominum and i think akamai have been doing for some years now.

> I think it may work well... however I am a novice in terms of BGP...
> As far as I can tell it involves getting a portable address block
> (someone suggested anything less than a /24 would get filtered) and
> announcing it in various locations around the Net with local servers
> behind each of those announcements is this fundamentally correct?

yes.  see http://www.isc.org/tn/ for some background materials on all this.

> Assuming I am right in my current understanding, I am about to start
> looking at the procedure to get an ASN and then I'll be looking for
> some portable IP space if the consensus and thoughts are this will
> work.  I am thinking along the lines of talking with the other large
> DNSbls (particularly Easynet (wirehub) and DSBL) about setting up a set
> of combined DNSbl servers all anycast'd.  This after all will bring any
> DDoS machines to the attention of the local networks they are
> attacking  ;-)

putting multiple dnsbl's on the same /24 sounds like a lot of eggs for
only one basket.  among the root server operators, we like to chant that
diversity is good.


Re: relays.osirusoft.com

2003-08-27 Thread Nathan J. Mehl

In the immortal words of Richard Welty ([EMAIL PROTECTED]):
 
> On Tue, 26 Aug 2003 15:25:46 -0700 (PDT) Gary E. Miller [EMAIL PROTECTED] wrote:
> > returning 127.0.0.2 for everything would be an ugly way to bow out.
>
> yes, but it's been done before.

And oddly enough, it was a terrible idea the first time, and hasn't
gotten any better in the intervening months.  I suppose going down in
a blaze of glory might be appealing in the sleep-deprived haze of the
tail end of a multi-week DDOS attack, but PLEASE.  Null-route the
netblock and be done with it.  Returning 127.0.0.2 for every query
does NOTHING but convince more people that volunteer blacklist
providers like SPEWS are more trouble than they're worth.

-n

[EMAIL PROTECTED]
Must I pray in Hebrew? No, and wipe that look of terror off your face. 
Fluency in Hebrew, of course, is vital to the proper understanding of Israeli 
truck driver insults. (--David Bader, How to Be an Extremely Reform Jew)
http://blank.org/memory/
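An added example, not code from the thread or from any of the list operators mentioned: a DNSBL client check in Python that treats the two failure modes the thread describes (Richard's "returning 127.0.0.2 for everything" bow-out, and the lame-delegation timeouts Crist and Gary saw) as "list unavailable" rather than as a listing, so a dead list does not bounce all of a site's mail. The resolver is injected as a function so the example runs offline against constructed answers; the zone name `bl.example` and the use of 127.0.0.1 as a never-listed canary address are assumptions of this example, not conventions the thread states.

```python
# Added example (not from the thread): a DNSBL lookup that fails open when
# the list has gone dark, either by timing out or by answering 127.0.0.2 for
# every name.  The resolver is injected so this runs offline against the
# constructed answers below; in production pass a real stub resolver.

import ipaddress


class DNSBLTimeout(Exception):
    """Raised by a resolver when a query gets no answer in time (the lame
    'ns1-relays ... A 127.0.0.1' delegation in the thread produces this)."""


def dnsbl_name(ip, zone):
    """Build the query name: octets reversed, then the list zone, e.g.
    211.76.38.130 -> 130.38.76.211.relays.osirusoft.com (as in Crist's log)."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


# Assumption of this example: no list should ever report 127.0.0.1 as listed,
# so a positive answer for it means the zone is answering for everything.
CANARY_UNLISTED = "127.0.0.1"


def dnsbl_check(ip, zone, resolve):
    """Return 'listed', 'clean' or 'unavailable'.

    resolve(name) -> list of A rdata strings ([] for NXDOMAIN), or raises
    DNSBLTimeout.  'unavailable' tells the caller to fail open: when a list
    is timing out or wildcarding, rejecting mail on its say-so is wrong."""
    try:
        # Canary first: a list that "lists" 127.0.0.1 is returning 127.0.0.2
        # for everything, the way the thread says relays.osirusoft.com did.
        if resolve(dnsbl_name(CANARY_UNLISTED, zone)):
            return "unavailable"
        answer = resolve(dnsbl_name(ip, zone))
    except DNSBLTimeout:
        return "unavailable"
    return "listed" if answer else "clean"


# --- constructed resolvers standing in for three states of a list ---------

def healthy_list(name):
    # constructed zone: exactly one address (1.2.3.4) is listed
    return ["127.0.0.2"] if name == "4.3.2.1.bl.example" else []


def wildcarded_list(name):
    # the "127.0.0.2 for everything" bow-out
    return ["127.0.0.2"]


def dead_list(name):
    # nameservers unreachable or lame: every query times out
    raise DNSBLTimeout(name)


if __name__ == "__main__":
    for label, resolver in [("healthy", healthy_list),
                            ("wildcarded", wildcarded_list),
                            ("dead", dead_list)]:
        print(label,
              dnsbl_check("1.2.3.4", "bl.example", resolver),
              dnsbl_check("5.6.7.8", "bl.example", resolver))
```

In a real MTA hook the canary result would be cached per zone for a few minutes rather than queried per message, and a list that stays "unavailable" for longer than its TTL should be dropped from the configuration, which is the operational step the thread is asking sites still querying relays.osirusoft.com to take.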


Re[2]: relays.osirusoft.com

2003-08-27 Thread Richard Welty

On Wed, 27 Aug 2003 13:36:54 -0400 Nathan J. Mehl [EMAIL PROTECTED] wrote:

 
> In the immortal words of Richard Welty ([EMAIL PROTECTED]):
>
> > On Tue, 26 Aug 2003 15:25:46 -0700 (PDT) Gary E. Miller
> > [EMAIL PROTECTED] wrote:
> > > returning 127.0.0.2 for everything would be an ugly way to bow out.
> >
> > yes, but it's been done before.
>
> And oddly enough, it was a terrible idea the first time, and hasn't
> gotten any better in the intervening months.  I suppose going down in
> a blaze of glory might be appealing in the sleep-deprived haze of the
> tail end of a multi-week DDOS attack, but PLEASE.

hey, i agree, i'm just the messenger here.

richard
-- 
Richard Welty [EMAIL PROTECTED]
Averill Park Networking 518-573-7592
Java, PHP, PostgreSQL, Unix, Linux, IP Network Engineering, Security




Re[2]: relays.osirusoft.com

2003-08-26 Thread Richard Welty

On Tue, 26 Aug 2003 15:25:46 -0700 (PDT) Gary E. Miller [EMAIL PROTECTED] wrote:
> returning 127.0.0.2 for everything would be an ugly way to bow out.

yes, but it's been done before.
 
> I am just seeing timeouts for XXX.relays.osirusoft.com now.

there has been a heavy DOS in progress against a couple of prominent
anti-spammers for a week or so now, Joe Jared/Osirusoft is one of them.

richard
-- 
Richard Welty [EMAIL PROTECTED]
Averill Park Networking 518-573-7592
Java, PHP, PostgreSQL, Unix, Linux, IP Network Engineering, Security




Re: relays.osirusoft.com

2003-08-26 Thread Crist Clark

Gary E. Miller wrote:
 
> Yo Richard!
>
> returning 127.0.0.2 for everything would be an ugly way to bow out.
>
> I am just seeing timeouts for XXX.relays.osirusoft.com now.

I'm seeing timeout issues too, which would match with DoS attacks. But
in my logs I see,

  Aug 26 01:17:51 aurora named[284]: [ID 866145 daemon.info] lame server resolving 
'130.38.76.211.relays.osirusoft.com' (in 'relays.osirusoft.COM'?): 127.0.0.1#53

(That's PDT), and in my cache I see,

  $ dig relays.osirusoft.com ns

  ; <<>> DiG 9.2.2 <<>> relays.osirusoft.com ns
  ;; global options:  printcmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59238
  ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

  ;; QUESTION SECTION:
  ;relays.osirusoft.com.  IN  NS

  ;; ANSWER SECTION:
  relays.osirusoft.com.   33863   IN  NS  ns2-relays.osirusoft.com.
  relays.osirusoft.com.   33863   IN  NS  ns1-relays.osirusoft.com.

  ;; ADDITIONAL SECTION:
  ns1-relays.osirusoft.com. 33863 IN  A   127.0.0.1

  ;; Query time: 7 msec
  ;; SERVER: 127.0.0.1#53(127.0.0.1)
  ;; WHEN: Tue Aug 26 15:49:15 2003
  ;; MSG SIZE  rcvd: 104

-- 
Crist J. Clark   [EMAIL PROTECTED]