OK, I'll buy that right now; we have a DDoS attack on our core nameservers
from 66.165.10.24. Where do we start? Do I call the police in Bellingham or
the Washington State Police? We have blocked their IPs, but we know they will
come in another way.
the best thing is if you call the FBI, or
with them any more (other than as a happy customer),
so i don't know anything about their phone setup.
--
Paul Vixie
they don't do any kind of permission/verification and i got tired of JHD.
which is too bad since i'm very interested in the topic of this mailing list.
if you need a place to host a mailing list, i could ask around at my day job.
--
Paul Vixie
is Paul volunteering to host this
i guess so, yes, since i'd like to be able to participate in it.
(perhaps on peering.com)?
peering.com belongs to the old day job. if we needed a mailing
list created, i'd be asking the current day job if they can do it.
A huge round of applause for everyone not doing RPF and egress filtering
where it is trivial to do so. You make everyone's job that little bit
harder.
You know who you are.
well, no, actually, they mostly don't (know).
--
Paul Vixie
there's no choice at all, really.
Are you suggesting to drop all traffic (which, if widespread would get
attention) or just email?
at the moment i'm proposing just e-mail. but that's only because we should
already be rejecting udp/137 and udp/138 and udp/139 from outside our campuses
and
a distributed, hierarchical, autonomous, reliable database
just to avoid using DNS as its inventor intended it, seems like a great
waste of time, IMHO.
--
Paul Vixie
dependency
of needing to fix other people's mistakes in order to do your work.
It also makes it easier for other people to take action, because the
collateral damage is less.
you sound like a man with a vision. care to pass that bong over this way?
--
Paul Vixie
merciless monster known as market forces.
--
Paul Vixie
Peering? Who needs peering if transit can be
had for $20 per megabit per second?
anyone whose applications are too important to risk dependency on OPNs
(other people's networks).
--
Paul Vixie
or not.)
The new motto here is: Blackhole 'em all and let market forces sort 'em out.
--
Paul Vixie
\?\}/REJECT avhead
/^From:.*Symantec_AntiVirus_for_SMTP_Gateways\@/REJECT avhead
/^Subject:.*VIRUS POSLAN SA VASE ADRES/ REJECT avhead
/^Subject:.*Unsolicited commercial email rejected/ REJECT avhead
--
Paul Vixie
I suggested using something like HINFO in the in-addr.arpa address
zones for service providers to give similar information about IP
addresses. Yes, I know, using DNS for yet something else. LDAP or
RWHOIS or any other global mechanism could be used.
more uses for dns is actually a good
... Margin pressure makes it impossible for most broadband service
providers to even catalogue known-defect customer systems or process
complaints about them.
What is the estimated cost per subscriber of such an operation in your
opinion and where should it be to make it feasible?
Maybe a stupid question... But if broadband providers aren't going to do
this, and considering there are way less legitimate SMTP senders than
broadband users, wouldn't it make more sense to whitelist known real SMTP
sources rather than blacklist all addresses that potentially have a fake
rather than html or richtext.
--
Paul Vixie
Be careful about the slice and dice effect. Depending on how you divide
up the numbers you can make anything come out on top. In some sense
the problem is a lot worse. It's not just spam, worms, viruses. It's not
just residential broadband users. It's not even just Microsoft Windows.
...
anyway, there will absolutely be NAT in ipv6 enterprise networks, but the
reason for it won't be a shortage of globally unique address space.
Hmmm, or rather, there just won't be any demand for IPv6 deployment, at
least from the edges (consumers, small/medium networks). Why bother
preventing DDoS and IP source address forgery each also break what the
IAB calls the end-to-end model.
How so?
I was thinking of RFC 1958:
An end-to-end protocol design should not rely on the maintenance of
state (i.e. information about the state of the end-to-end
communication)
On the other hand, we've had DDoS prevention mechanisms (based on
multiple rate-limiters, for different kinds of packets) deployed for
over 6 months now. They seem to work just fine, are always active,
and require no state in the network.
you know how to rate-limit without state in the
Yes, this is a problem. I'm not sure NAT is the solution, though. I mean,
if you're going to use NAT, why switch to IPv6 in the first place?
reasons will vary from because my vendors are pushing it to because it
has some feature that makes my life easier to because some application
my users
trans where srcaddr='209.148.235.0/24';
count
---
21
(1 row)
ahhh, postgresql and its inet/cidr datatypes. (try 'em, you'll like 'em.)
--
Paul Vixie
raised several times, that
many provider SMTP services are not really performing up to the
expectations of almost instantaneous email delivery. Delays up to days
are not too uncommon occurrences.
...for things to keep getting worse, to encourage innovative independence.
--
Paul Vixie
!
The last thing we need is for ISPs to deal with their inbound problem by
ignoring abuse reports or making it more difficult for victims to report
spam or viruses originating from their networks.
that time is past.
--
Paul Vixie
a tradeoff i can live with.
--
Paul Vixie
[EMAIL PROTECTED] (John Curran) writes:
The question is, do you change approach after a decade without progress?
Based on my archives of this and related mailing lists... nope.
--
Paul Vixie
people who benefit from the current pricing model are registrars.
if domains cost $300 a year we'd have less than 1% of the number we have now,
but the ones we have would actually get used. i have never received mail
from a domain ending in .biz that was not spam, for example.
--
Paul Vixie
a printed copy of the www.vix.com/personalcolo web page. problem solved,
costs reduced, revenue upheld, what the heck is stopping them?
--
Paul Vixie
router
design than next generation abuse design. and yet it always seems to surprise
us when the greedy undereducated middle managers, salespeople, and lawyers
keep finding new ways to make the abuse problem worse. lazy, lazy, lazy.
--
Paul Vixie
nature or the tcp/ip protocol suite has had mixed results. (i.e., MAPS.)
so, the article sean quoted is all very entertaining, but says nothing new,
which is sad, because i for one would really like to hear something new.
--
Paul Vixie
is right out.
--
Paul Vixie
it the spammers would have to add the one thing they cannot afford:
state. see http://www.rhyolite.com/dcc/ for how to get started.
--
Paul Vixie
( echo update add $node.$zone $ttl A 0.0.0.0
  echo update add $node.$zone $ttl TXT created `date +%Y%m%d%H%M%S`
  # optional free-text reason for the listing, taken from the script arguments
  if [ $# -gt 0 ]; then echo update add $node.$zone $ttl TXT reason "$@"; fi
  echo send ) | $nsupdate -k $keyfile /dev/stdin
exit $?
--
Paul Vixie
with the field has to build it.
--
Paul Vixie
i've already removed one that was seen on ROKSO (23 listings).
i don't consider the lists you gave to be credible, but if any
of the entries in the personal colo registry show up on ROKSO or
SBL or MAPS or SORBS, you can bet i'll remove them instantly.
re:
SPEWS: 7
BLARS: 5
Realweasel is a great idea if you can afford it -- but the PCI version
lists for $350, which is as expensive as some used 1U servers on eBay.
my bet is that if you refer to nanog and www.vix.com/personalcolo when you
contact them, they'll cut you a deal. (note: i have no affiliation w/
...
Even if the COLO space might
hey paul, why are you blocking mail from 12.129.199.61 and
because att's abuse desk ignored me for too long.
65.160.228.34?
because sprint's abuse desk ignored me for too long.
i'll give sprint a second chance (i've removed that /16 from my personal
blackhole list and see what happens) but
People seem to be forgetting the obvious.
Buy a 1U SPARC box. That'll do full console as you're talking about.
They're simple to connect up to your Cisco console too. Ebay for
'netra'.
1U Alphas (DS10L) are also quite nice.
http://www.vix.com/personalcolo/
notes:
(1) even in germany they call them 19 inch racks, thus setting the clock
back several decades.
(2) i'm very interested in listing more non-US locations
(3) i'm interested in listing
flood
could see me paying a lot more than their reasonable monthly fee...
agreed. my preference has been for bandwidth limiting and fixed prices.
--
Paul Vixie
(virtual, included, and BYO1U).
note that the virtuals have got me quite concerned since there's NO evidence
that a deposit is taken. spammers are going to have a field day with them,
and i expect to have to drop them from the list, but first, we'll try it and
hope for the best.
--
Paul Vixie
it'll end
like that. ultimately it'll end with something very much like multics was
planned to be. in fact this seems more likely than a standard blade interface.
--
Paul Vixie
with a tailgate warranty -- this would
be marketing suicide since the irresponsibility of the latter would become
intolerable if it were thusly highlighted.
--
Paul Vixie
bad people from
taking advantage of your discovery.
see above.
--
Paul Vixie
and prices :)
naturally everybody has their own units of measure, so it's proving
difficult to regularize it. perhaps another beer will help.
--
Paul Vixie
with the ratio -- 800:1 may work -- and you might be able to hire
clues very cheaply for a while -- but not at scale.
i'd love to be proved wrong on this point.
--
Paul Vixie
every time i tell somebody that they shouldn't bother trying to send e-mail
from their dsl or cablemodem ip address due to the unlikelihood of a well
staffed and well trained and empowered abuse desk defending the reputation
of that address space, i also say buy a 1U and put it someplace with a
I pay $36/mo for my aDSL. $50 _more_ sounds a lot.
rest assured, some of the mail i've received in response to this has even
lower price points. several have described service businesses which amount
to virtual linux or shell/imap/smarthost but i haven't decided whether to
include all of those
and/or are doing lots of other business.) as a standalone business this
would almost never work out.
--
Paul Vixie
On the other hand, if the person doesn't have a UPS at home, what good is
when their SMTP server in a colo is still chugging? :)
as a matter of courtesy, it's good to let mail be delivered rather than
sitting in other people's retry queues. especially secondary-mx retry
queues.
they want.
--
Paul Vixie
abuse desk for ALL your customers.
--
Paul Vixie
for
uRPF is not at the core (core in the context of the Internet backbone)
but at the customer edge, where the problem starts.
that's sort of what http://www.icann.org/committees/security/sac004.txt says.
--
Paul Vixie
of any particular size (big).
--
Paul Vixie
right at the time, but in my defense it
was only because of things neither of us could have known. given only
what we actually knew and could prove, you were deadass wrong :-).
--
Paul Vixie
you
shouldn't.
yea, verily.
--
Paul Vixie
asymmetric but also
negligible.
this sure sounds like a copout. did you actually do something good but you
aren't allowed to say so in public?
--
Paul Vixie
you can come to san francisco
and tell the rest of us how you did it -- both in the ones and zeros, and
in the dollars and cents.
--
Paul Vixie
://www.cctec.com/maillists/nanog/historical/0106/msg00681.html
(and according to that text, it was a 9-year-old idea at that time.)
it's now 2004. how much longer do we want to have this problem?
--
Paul Vixie
After all these years, perhaps its time to re-examine the assumptions.
it's always fun and useful to re-examine assumptions. for example, anyone
who assumes that because the attacks they happen to see, or the attacks
they hear about lately, don't use spoofed source addresses -- that spoofing
...
buying screen doors for igloos may not be the best use of resources. uRPF
doesn't actually prevent any attacks.
actually, it would. universal uRPF would stop some attacks, and it would
remove a plan B option for some attack-flowcharts. i would *much* rather
play defense without facing
weapons, we have
to deploy it. this is war, information warfare. let's deprive the enemy
of options until we can force them to meet us on our own chosen terms.
--
Paul Vixie
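The uRPF decision argued over in the posts above (and the RPF/egress-filtering remark earlier on the page) comes down to one lookup per packet. The following is an added Python example, not code from any of the quoted messages: the FIB, the interface names and the sample packets are constructed, and "strict" versus "loose" follow the usual router definitions (strict requires the best route back to the source to exit via the ingress interface; loose only requires that some non-default route to the source exist).

```python
import ipaddress

# Constructed FIB for a customer-edge router: prefix -> egress interface.
# Documentation prefixes (RFC 5737) stand in for customer address space.
FIB = {
    ipaddress.ip_network("0.0.0.0/0"): "upstream0",        # default route
    ipaddress.ip_network("192.0.2.0/24"): "cust-a",        # customer A
    ipaddress.ip_network("198.51.100.0/24"): "cust-b",     # customer B
    ipaddress.ip_network("198.51.100.128/25"): "cust-b2",  # more-specific of B
}


def best_route(fib, addr):
    """Longest-prefix match: return (prefix, interface) or None."""
    a = ipaddress.ip_address(addr)
    best = None
    for prefix, ifname in fib.items():
        if a in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, ifname)
    return best


def urpf_accept(fib, src, ingress, mode="strict"):
    """True if a packet from `src` arriving on `ingress` passes uRPF.

    strict: the best route to src must point back out `ingress`.
    loose:  any non-default route to src is enough; ingress is ignored.
    A source covered only by the default route fails in both modes,
    otherwise loose mode would accept every spoofed or bogon source.
    """
    route = best_route(fib, src)
    if route is None:
        return False
    prefix, ifname = route
    if prefix.prefixlen == 0:
        return False
    if mode == "loose":
        return True
    return ifname == ingress


def filter_packets(fib, packets, mode="strict"):
    """Apply uRPF to (src, ingress) pairs; return the sources that were dropped."""
    return [src for src, ingress in packets if not urpf_accept(fib, src, ingress, mode)]


# Constructed sample traffic: (source address, ingress interface)
PACKETS = [
    ("192.0.2.10", "cust-a"),        # legitimate customer A traffic
    ("198.51.100.200", "cust-b2"),   # legitimate, matches the more-specific route
    ("198.51.100.200", "cust-b"),    # arrives on the less-specific interface: strict drops
    ("192.0.2.10", "cust-b"),        # customer B forging customer A's addresses
    ("203.0.113.7", "cust-a"),       # only the default route covers it: forged
    ("203.0.113.7", "upstream0"),    # same source from upstream: no specific route either
]

if __name__ == "__main__":
    for mode in ("strict", "loose"):
        print(mode, "drops:", filter_packets(FIB, PACKETS, mode))
```

The last sample packet shows why the posts put uRPF at the customer edge rather than the core: on an upstream interface almost nothing has a specific reverse route, and asymmetric routing would make strict mode drop legitimate traffic. On a customer port the reverse path is unambiguous, and the check costs one FIB lookup the router is doing anyway.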
to repair.
[ of course, sean, i could just be making that part up. but since i keep
saying it and since i get attacked pretty frequently, i might be telling
the truth. it could be worth assuming a little credibility and seeing
where that leads you. (but, we digress.) ]
--
Paul Vixie
recommended.
--
Paul Vixie
rights in the matter of netsol's futures.
--
Paul Vixie
/agreements.htm
and then let us all know what she tells you.
the paper at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=475281 entitled
Site Finder and Internet Governance by Jonathan Weinberg is also quite instructive.
--
Paul Vixie
, in perpetuity.
--
Paul Vixie
a big stick. When we all
say everything over IP that means teaching more devices how to speak
802.11 or other packet-based access protocols rather than giving them ATM
or F/R or dialup modem circuitry. It does *not* mean simulating an ISO-L1
or ISO-L2 circuit using a ISO-L3 network. (Ick.)
--
Paul
It's a plug-in module for bind, and if you prefer to try and do this
on an opt-in basis they have a client program that you download and
it gets hooked into the user's browser.
This is the right way to do it, end-user opt-in, and browser only.
i'm a little bit worried about the idea of
of preproduction, is supposed to make this
kind of middletweaking more detectable, but not more preventable. I suspect
that Rodney's idea for doing DNS over IP tunnels is even more desirable than
he thinks, for reasons he may not have yet considered.
--
Paul Vixie
.
Therefore the likelihood of an ISP offering this on an opt in basis is low.
I apologize for having to explain that I was joking. I'll try to do better.
--
Paul Vixie
or just put http://www.isc.org/pubs/tn/?tn=isc-tn-2002-1.txt into effect.
I am confused. Are DNAMEs deprecated or not (RFC3363, section 4)?
A6 and bitstring labels are deprecated. DNAME remains in full force.
... http://www.isc.org/pubs/tn/?tn=isc-tn-2002-1.txt ...
last i heard from you, you said that DNAME would be evaluated by the recursive
resolver and will not be visible to the end client... what changed?
according to this experiment:
+---
| ;; QUESTION SECTION:
|
authority server implementation will
synthesize protocol-compliant CNAME RRs in the presence of DNAMEs, and so
the approach documented at www.isc.org/pubs/tn/ will universally work OK.
--
Paul Vixie
[itojun]
i understand some implementation (BIND 9.3?) does this,
i think it's all bind9, but certainly all bind 9.2 and later.
but is the behavior documented somewhere in the set of RFCs?
yes. marka just quoted all of that.
for instance, does djbdns do it? does MS DNS server do it?
:
By fixing the software as ip6.int was deprecated 2 years+++ ago as you
should already know.
or just put http://www.isc.org/pubs/tn/?tn=isc-tn-2002-1.txt into effect.
--
Paul Vixie
, especially in the wrong hands.
power is dangerous thing, in any small set of hands. diversity in all things!
--
Paul Vixie
Uneducated users should live with the slowness. It's protecting the rest of
the world from their blissful ignorance.
if it protected them or anybody else i'd say you were right, but since it's
a pattern matcher it always takes 2 to 24 hours for a new pattern file to
be developed and
-known and consistent controls.
...is not practical. Remember the true street-level definition of spam:
spam is e-mail you didn't want that wasn't sent by me or my customers.
Trying to form an E-S-C under those conditions is unthinkable or useless.
--
Paul Vixie
.
--
Paul Vixie
(f-root).
3. icann doesn't formally read nanog.
--
Paul Vixie
President
ISC
think I'll send a letter.
or go to the next icann meeting in rome. or both.
--
Paul Vixie
- and if ICANN held them to the rules,
Verisign would be rather poorer in short order.
...does not describe an operational problem, and gives a financial remedy.
--
Paul Vixie
and not
from other people. This is pretty much how the world worked from
1980-1990. CompuServe, MCIMail, The Source, Delphi, etc.
fine by me. the people i want to exchange mail with aren't AOL users anyway.
--
Paul Vixie
from virus infections. If we (the community
who provides them service and software) can't make it safe-by-default, then
the problem rests with us, not with the end users.
--
Paul Vixie
I think the tipping point went by a while ago, and that anyone who wants
their e-mail to be accepted will make sure their mail relay has a PTR and
that this PTR holds the same name used in the SMTP HELO command.
Of course, not all that long ago ATT Worldnet got crucified -- on this
and
--
Paul Vixie
I've run all my mailers with aggressive PTR checks for about a year, and
while some of my guests aren't getting all the e-mail that's sent to them,
it's had no impact on me other than that periodically I have to tell some
remote postmaster that their PTR's are missing or that they don't match
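The "aggressive PTR check" described in the two posts above, written out as an added Python example (not code from either post, and not any particular MTA's implementation). The DNS data is a constructed stub standing in for real PTR and A lookups; the policy is the one the posts state: the connecting address must have a PTR, the PTR name must resolve forward to that address, and the HELO name must equal it.

```python
import ipaddress

# Constructed stub DNS data; a real check would query a resolver instead.
PTR = {
    "192.0.2.25": ["mail.example.net."],
    "198.51.100.9": ["static-198-51-100-9.isp.example."],
    "198.51.100.77": [],                          # no PTR at all
    "203.0.113.5": ["mx.example.org."],
}
A = {
    "mail.example.net.": ["192.0.2.25"],
    "static-198-51-100-9.isp.example.": ["198.51.100.9"],
    "mx.example.org.": ["203.0.113.99"],          # PTR name points elsewhere: forged PTR
}


def fqdn(name):
    """Normalise for comparison: lowercase, single trailing dot."""
    return name.lower().rstrip(".") + "."


def check_relay(ip, helo, ptr=PTR, a=A):
    """Return (accept, reason) for an SMTP client at `ip` announcing `helo`.

    1. ip must have a PTR record;
    2. that PTR name must resolve forward to ip (forward-confirmed rDNS),
       which stops a sender from publishing a PTR for someone else's name;
    3. the HELO name must equal the confirmed PTR name.
    An address-literal HELO such as [192.0.2.25] is rejected: it names no
    host whose reputation a PTR could vouch for.
    """
    ip = str(ipaddress.ip_address(ip))
    names = [fqdn(n) for n in ptr.get(ip, [])]
    if not names:
        return False, "no PTR for %s" % ip
    confirmed = [n for n in names if ip in a.get(n, [])]
    if not confirmed:
        return False, "PTR %s does not resolve back to %s" % (names[0], ip)
    if helo.startswith("["):
        return False, "address literal HELO %s" % helo
    if fqdn(helo) not in confirmed:
        return False, "HELO %s does not match PTR %s" % (helo, confirmed[0])
    return True, "ok"


# Constructed SMTP sessions: (client address, HELO argument)
SESSIONS = [
    ("192.0.2.25", "mail.example.net"),
    ("192.0.2.25", "MAIL.EXAMPLE.NET."),      # case and trailing dot must not matter
    ("192.0.2.25", "[192.0.2.25]"),
    ("198.51.100.9", "mail.example.net"),     # generic ISP PTR, HELO claims another host
    ("198.51.100.77", "mail.example.net"),
    ("203.0.113.5", "mx.example.org"),
]


def audit(sessions):
    """Run the check over a batch of sessions; return [(ip, helo, accept, reason)]."""
    return [(ip, helo) + check_relay(ip, helo) for ip, helo in sessions]


if __name__ == "__main__":
    for ip, helo, ok, why in audit(SESSIONS):
        print("%-15s %-28s %s %s" % (ip, helo, "ACCEPT" if ok else "REJECT", why))
```

The fourth session is the case the posts care about most: a generic ISP-assigned PTR is perfectly valid and forward-confirms, so it passes steps 1 and 2, and only the HELO comparison catches a host on a residential address claiming to be someone's mail relay. That is also the check most likely to produce the "please fix your PTR" conversations the post mentions, since plenty of legitimate relays get it wrong.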
several of you thanked me privately for the earlier post on this thread, and
in the time since then i have been inundated with even more variations of
antivirus messages, so i'm posting an update. the bad news is, you have to
use body checks as well as header checks. the good news is, i don't
providers, etc. the spam/antispam battleground is all just mud now.
--
Paul Vixie
what you do is, install postfix 2.0 or later, set header_checks to some
filename (in your main.cf), and in that file, you put the following:
/^Subject: Anti-Virus Notification/ REJECT av01
/^Subject: BANNED FILENAME/ REJECT av02
/^Subject: File blocked - ScanMail
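The header_checks recipe above, and the earlier note that body checks are needed as well, amount to a small rule engine: a table of "/pattern/ ACTION text" lines applied to every unfolded header, then to every body line, first match wins. The following is an added Python example of that logic, not code from the post and not Postfix itself; it parses the table format Postfix uses, applies the post's own header patterns plus one assumed body pattern, and runs them over constructed sample messages. Postfix matches its regexp tables case-insensitively by default, so re.IGNORECASE is applied here too.

```python
import re

# Header table in Postfix regexp_table format; the patterns are the ones
# quoted in the posts on this page.
HEADER_CHECKS = r"""
# antivirus bounce backscatter
/^Subject: Anti-Virus Notification/ REJECT av01
/^Subject: BANNED FILENAME/ REJECT av02
/^From:.*Symantec_AntiVirus_for_SMTP_Gateways\@/ REJECT avhead
/^Subject:.*Unsolicited commercial email rejected/ REJECT avhead
"""

# Body table; this pattern is an assumption for the example, not from the post.
BODY_CHECKS = r"""
/^The message .* contained a virus and has been deleted/ REJECT avbody
"""

# /pattern/flags ACTION optional-text   (patterns containing "/" are not handled)
RULE = re.compile(r"^/(.*)/([a-z]*)\s+(\S+)(?:\s+(.*))?$")


def parse_table(text):
    """Parse a regexp_table into [(compiled_regex, ACTION, text)]."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE.match(line)
        if not m:
            raise ValueError("bad rule: %r" % line)
        pat, flags, action, msg = m.groups()
        reflags = re.IGNORECASE            # Postfix default
        if "x" in flags:
            reflags |= re.VERBOSE
        rules.append((re.compile(pat, reflags), action.upper(), msg or ""))
    return rules


def split_message(raw):
    """Split an RFC 822 message into unfolded header lines and body lines."""
    head, _, body = raw.partition("\n\n")
    headers = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += " " + line.strip()   # unfold continuation line
        else:
            headers.append(line)
    return headers, body.split("\n")


def check_message(raw, header_rules, body_rules):
    """Return (ACTION, text, matched_line) for the first hit, or None."""
    headers, body = split_message(raw)
    for line in headers:
        for rx, action, msg in header_rules:
            if rx.search(line):
                return action, msg, line
    for line in body:
        for rx, action, msg in body_rules:
            if rx.search(line):
                return action, msg, line
    return None


# Constructed sample messages
SAMPLES = {
    "backscatter1": "From: postmaster@example.net\nSubject: BANNED FILENAME\n\nYour message was not delivered.\n",
    "backscatter2": "From: Symantec_AntiVirus_for_SMTP_Gateways@gw.example.net\nSubject: Virus\n  found\n\nsee attached\n",
    "bodyonly": "From: mailer-daemon@example.org\nSubject: Delivery report\n\nThe message you sent contained a virus and has been deleted.\n",
    "legit": "From: alice@example.com\nSubject: lunch?\n\nnoon?\n",
}

if __name__ == "__main__":
    H, B = parse_table(HEADER_CHECKS), parse_table(BODY_CHECKS)
    for name, raw in SAMPLES.items():
        print(name, check_message(raw, H, B) or "ACCEPT")
```

The "bodyonly" sample is the case the update post describes: an antivirus bounce with an innocuous Subject that only a body pattern can catch. Keep body patterns anchored and specific, since Postfix applies body_checks to every line of every message and a loose pattern costs CPU on all legitimate mail too.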
my copies (500 or so, before i filtered) are in a ~7MB gzip'd mailbox file
called http://sa.vix.com/~vixie/mailworm.mbox.gz (plz don't fetch that unless
you need it for comparison or analysis). there's a high degree of splay in
the smtp/tcp peer address, and the sender is prepared to try backup
more generally... if you want routing, buy a router.
amen.
imho there can't be a better routing equipment than a real router :)
i guess i need to explain in more detail. keep in mind that i'm technophobic
and that when VLANs first appeared i was convinced that the end of the
them.)
--
Paul Vixie
... depends on your isp, and whether their routing policies (openness
or closedness of peering, shortest vs. longest exit, respect for MEDs)
are a good match for their technology/tools, skills/experience, and
resources/headroom.
In practice, all of the above just turn out to be
shivers.)
--
Paul Vixie
tell you stories.
For most other people a trivial packet-filtering firewall, lack of
Windoze, and a switch instead of a hub will do just fine.
this part, i agree with.
--
Paul Vixie
warrants.
--
Paul Vixie
-specific rules of BIND and whatever else was running then, and
the group's coordination and monitoring rules.
those days are gone. verisign isn't doing anything wrong in this change, and
it's probably going to work out just fine.
--
Paul Vixie