W2K and MAC OS9 Flood Root Nameservers?
wizzy writes "Ireland's top-level domain registry has a notice on Microsoft and Apple DHCP clients sending dynamic DNS updates per RFC2136. The problem is they are not sufficiently careful about where they send it if they are in RFC1918 space - usually used for behind-firewall addressing, which is where they usually are. This is resulting in bogus updates being sent at the rate of nearly one million an hour to root nameservers, only to be rejected - as reported on the NANOG mailing list."
With Photoshop 7 out and this, now Mac OS9 users have an even better reason to upgrade to OS X - "to save the Internet." :)
"The objective of securing the safety of Americans from crime and terror has been achieved." -- John Ashcroft
Yet another reason to use firewalls to filter _OUTGOING_ connections and not only incoming ones (the other reason: to avoid backdoors).
This reeks of something that should've been caught in user testing. Unless, of course, Microsoft and Apple decided that they didn't care about the operators of the root nameservers.
just another reason to start using mac os X... or let's start educating people, i wonder how much resources those bad changes make anyways....
Kaoslord [quote goes here] define("slashdot purity","67.5");
Their name servers are under the "IE" domain...
Christ! Which link is the real story?
Prevent email address forgery. Publish SPF records for y
Before everyone jumps down MS's throat (or Apple's) does anyone know how to reconfigure a system to fix this issue?
3000 dead over past 2 years, still no free Palestinians, still
I know these problems. In my small ISP company, we are running our own nameserver.
The logs are flooded with rejected name server updates (several hundred a day).
They are mostly coming from misconfigured W2K servers from our customers, running their intranet with DHCP and using the same domain as in the real net.
Sadly, we contacted the administrator, but he didn't have a clue what I was talking about (they're just running windows on their server because they know windows...)
Usually I would suggest using an internal domain name that doesn't exist on the internet and just "masquerading" the mail domains. So resolving internal addresses from outside fails if some information slips out, and the internal servers won't go to some external name server when an internal server should be the one contacted.
They only solve a SYMPTOM of the issue. These people need to set their systems up correctly! Either a) install MS-DNS and point your boxen at that, or b) use BIND, but ENABLE dyn-dns and stop this traffic at the local level. ;)
And if you use an RFC1918 address space, your DNS server should have reverse lookups enabled for that address space - even a split zone so the world won't see them - and that will a) make management of the network easier, and b) prevent problems like this from happening
The root nameservers initially thought that they'd been linked to by /. daily, but then realized that nobody cared about them :)
Another problem is that people are naming their boxes after popular domains that they don't own, and the dynamic updates are pounding the hell out of the domain owners' nameservers. If anyone here is doing this, owl.com and jove.com were two of the domains named.
Sealbeater
-- It's survival of the fittest...and we got the fucking guns!!!
I thought this sounds more like a case of misconfiguration than a bad server itself.
Also, assuming that people are DHCP'ing on a local 192.168.* address space, shouldn't upstream routers (especially those on cable companies and the like) automatically filter out any packets with local addressing as opposed to forwarding them?
In fact, you'd think they'd filter out ANY DHCP information coming from their subscribers as opposed to sending it out publicly?
"Nothing strengthens authority so much as silence." - Charles de Gaulle
There are a couple thousand Windows machines of various flavors inside my network and they are constantly generating crap lookups. I see my poor machines forwarding them to the outside, no doubt pissing someone off.
Where 'FOO' is one of our servers:
FOO.k12.co.us
FOO.co.us
FOO.us
FOO (this is what hits the root servers)
These things are trying to do DNS even when WINS would have a perfectly good answer. Multiply this by thousands of lemming systems and you have a bunch of load that should never be there.
I wonder if adding NS records for the bogus in-addr.arpa domains would help, i.e.:
168.192.in-addr.arpa NS 192.168.1.1
10.in-addr.arpa NS 10.0.0.1
...
Claus
A Microsoft spokesman said, "Thing is, is that those root nameservers would all be fine if they were running Win2K DNS services. " :)
Get your own free personal location tracker
Specifically, if your WinXP advanced DNS settings look like this, then just uncheck that box.
I wonder who copied whose code?
my basic question is, though, mac os 9 and w2k have both been out a LONG time. why is this the first time that anyone's noticed this? you'd think the root servers would be constantly doing a heads-up looking for DDOS's, even accidental ones.
also, i'm trying to pore through the links trying to find an answer, but if anyone works it out before me, could you please post a reply and let me know? is this JUST windows 2000 and mac os 9, or does it also affect other versions of windows/macos? basically, what spread of mac os versions (9.0 to 9.1.2 or what?) and what spread of windows versions (all windows 2000 service packs?) are affected by this bug?
Gee, thanks a lot.
So you get what you pay for. You drive down the perceived value of a Microsoft sys admin and you fill these positions with poorly trained or MCSE certified test takers with no real grasp of the larger issues involved in administering *any* IT site.
Any competent sys admin would ensure crap like this doesn't happen, no matter what the OS is.
And if the gap in pay and value between Unix and Windows sys admins is widened, who in their right mind coming out of a CS degree in college (not some fly-by-night certification course) is going to want to use their training to specialize in the market that pays the least?
Hasn't MS had this around for a while now?
They even called it MS-DOS...oh wait, that was Disk Operating System...nevermind.
putting this under the microsoft headline, i mean, i know you don't like them, but it's hardly fair to them, apple is doing it too! hatred is only successful if you annihilate them without being partisan.....
--fetch daddy's blue fright wig, i must be handsome when i release my rage
Here's the solution:
1. Upgrade to Mac OS X. It's so cool.
2. People use W2k on the internet? Is that safe???
If the problem is the private IPs attempting to update DNS records then they have to have been NAT'd or masqueraded in some way, so short of parsing EVERY DNS packet there is no way to tell, since the source address will be the user's public IP
As someone who's just about to come out of college, let me tell you that the market for unix admins doesn't look any better. Yes, unix admins might get paid more, but there are far fewer positions available. And while practically every company with a computer is hiring MCSEs with a year or two of experience, good luck finding a unix admin position requiring less than 10 years experience, or familiarity with less than 3 totally different flavors of unix.
Microsoft may be undermining the value of Microsoft certification, but companies aren't paying any attention, they're begging for MCSEs. But the unix jobs are all "Senior Unix Admin, Must Know Solaris, BSD and Irix" or "Senior to Lead Unix Developer 10+ Years Heavy C++ on Unix" or "Senior Network Engineer, Exp. with SCO, HP, AIX" or "Senior This" or "Senior That."
There are no entry-level unix jobs right now. There are plenty of entry-level MS jobs.
At least your Microsoft certifications will land you a job. It may not pay $80K/year, but it'll pay the bills, while I'm busy looking for any company anywhere who's looking for a junior admin. And failing.
Actually this does not sound at all like an issue that should've been caught in user testing. There is no magic to software testing, and it's a thoughtless misconception to think that "good" software testers will catch every conceivable issue. Software testing catches what the software testers are looking for. Any other issues have to be fairly obvious to be caught, in most cases.
You know, I never understood why they did this as default. And I am also surprised it took this long for anyone to loudly complain. First thing I have always done when installing 2k/xp machines that don't need it is uncheck that option.
MS clients should not attempt this unless they are on a 2k AD domain. This is also as someone pointed out a good reason to filter your outgoing traffic.
It reminds me of when they had that check for "logon" enabled by default for ppp connections, when 90% of ISPs didn't support this.
If you wanna get rich, you know that payback is a bitch
It's AMC - Apple Macintosh Computer... not MAC, even though Acronymfinder.com says something else...
Look out, I think this is an MS plot
First flood the root servers (running bind), cause them to fail, and then claim that if they ran MS-DNS, this wouldn't be happening.
I remember back in the day when Win2k was in beta and I worked at a dot com. Some of our customers had set up Win2k boxes at their houses. They were attempting bogus updates with our DNS and were filling our bind logs and, therefore, my email box with errors.
The funniest thing was that when I notified one of the users ( a MCSE/MCSD ) he asked me to come to his house and configure his Win2k box to stop the bogus updates, because he did not understand DNS. I laughed.
I guess the Root Servers aren't laughing now!
Instead of upgrading every stupid OS in the world to a smart one which is obviously not viable in the short term, simply install a local-only name server that resolves all of your rfc1918 machines locally. This can be "anyname.anydomain.anytoplevel" for each machine. This satisfies the hunger of those stupid OS's. This should be SOP on any local network using NAT.
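The local-zone fix that several posts above describe (run a LAN nameserver that is authoritative for the RFC1918 in-addr.arpa space, put the boxes under a domain you control rather than someone else's, and let dynamic updates land there instead of at the roots), as an added example that is not part of the thread. It generates BIND 9 zone stanzas and minimal master files; the domain `corp.example` (an RFC 2606 reserved TLD), the host `ns1` and the address `192.168.1.1` are constructed.

```python
"""Added example (not from the thread): generate BIND 9 configuration that
makes a LAN nameserver authoritative for the RFC 1918 reverse zones and an
internal forward zone, accepting dynamic updates only from private addresses.
Domain, hostname and address below are constructed."""
import ipaddress

# The three private blocks quoted in the thread (RFC 1918).
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def reverse_zones(cidr):
    """in-addr.arpa zone names covering `cidr` on octet boundaries.
    /8 and /16 give one zone each; 172.16/12 needs sixteen /16 zones."""
    net = ipaddress.ip_network(cidr)
    octet_prefix = ((net.prefixlen + 7) // 8) * 8      # round up to /8, /16 or /24
    zones = []
    for sub in net.subnets(new_prefix=octet_prefix):
        octets = str(sub.network_address).split(".")[: octet_prefix // 8]
        zones.append(".".join(reversed(octets)) + ".in-addr.arpa")
    return zones


def all_private_reverse_zones():
    return [z for cidr in RFC1918 for z in reverse_zones(cidr)]


def zone_file(zone, ns_fqdn, domain, records):
    """Minimal master file: SOA, NS and extra (owner, type, rdata) records.
    Serial starts at 1; BIND bumps it itself on dynamic updates."""
    lines = [
        "$TTL 3600",
        f"@ IN SOA {ns_fqdn}. hostmaster.{domain}. ( 1 3600 900 604800 300 )",
        f"@ IN NS {ns_fqdn}.",
    ]
    lines += [f"{owner} IN {rtype} {rdata}" for owner, rtype, rdata in records]
    return "\n".join(lines) + "\n"


def build_config(domain, ns_host, ns_addr):
    """Return {filename: content}: named.conf.local plus one zone file per
    zone.  allow-update is limited to the rfc1918 ACL, so LAN clients register
    here and nothing is sent toward the root servers."""
    ns_fqdn = f"{ns_host}.{domain}"
    ns_ptr = ipaddress.ip_address(ns_addr).reverse_pointer  # 1.1.168.192.in-addr.arpa
    conf = ["acl rfc1918 { " + "; ".join(RFC1918) + "; };"]
    files = {}
    for zone in [domain] + all_private_reverse_zones():
        conf.append(
            f'zone "{zone}" {{ type master; file "db.{zone}"; allow-update {{ rfc1918; }}; }};'
        )
        if zone == domain:
            records = [(ns_host, "A", ns_addr)]              # glue for the NS
        elif ns_ptr.endswith("." + zone):
            rel = ns_ptr[: -len(zone) - 1]                   # owner relative to the apex
            records = [(rel, "PTR", ns_fqdn + ".")]
        else:
            records = []
        files[f"db.{zone}"] = zone_file(zone, ns_fqdn, domain, records)
    files["named.conf.local"] = "\n".join(conf) + "\n"
    return files


if __name__ == "__main__":
    for name, body in build_config("corp.example", "ns1", "192.168.1.1").items():
        print(f"--- {name}\n{body}")
```

Point the DHCP-handed resolver at this server and the Windows/Mac clients' RFC2136 updates are answered locally; the rfc1918 ACL keeps anything outside the LAN from registering names. Because the reverse zones cover all three private blocks, the in-addr.arpa lookups Claus asked about are answered here too and never reach the roots.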
The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private internets:
10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
Are you saying that someone using any of the addresses above is safe from script kiddies?
HA HA HA HA HA HA
Still need a firewall for these addresses moron. To connect to internet you need a valid IP address provided by your ISP (dhcp or static IP) and that is how script kiddies get in to your supposedly safe private internet.
Sounds like you need a bandaid for that big oozing ball of pus you use for a head.
To quote from RFC1918:
It is strongly recommended that routers which connect enterprises to external networks are set up with appropriate packet and routing filters at both ends of the link in order to prevent packet and routing information leakage. An enterprise should also filter any private networks from inbound routing information in order to protect itself from ambiguous routing situations which can occur if routes to the private address space point outside the enterprise.
If you are connecting your internal LAN using a private address space (10/8, 172.16/12, or 192.168/16) you are obviously using a firewall or router configured with NAT.
These need to be configured correctly for many different reasons, including the prevention of the effect mentioned in this article... Add null routes, or packet filter rules for any outgoing packets containing a destination falling in the RFC1918 address space. Also do the same for the incoming packets. By not doing this, you are flooding your upstream provider (in this case the root DNSs) with tons of bogus *(^@.
A few years ago I was lead engineer for a wireless internet company. Our clients were provided with a raw connection, just as if they had gotten a T1. After doing a week long network audit shortly after starting there, I was amazed to find that over 80% of our customer base had internal configuration problems with their NAT setups. Sniffing on the network, I got to see everything from MS Browse messages, DHCP requests, Netware "burbs", and tons of other stuff that should have never left their LANs.
I finally ended up installing firewalls at each POP site, just to dump out the extra junk... Our network speed increased by over 20% just blocking this nonsense at the POP (tower site) and keeping it from coming over our wireless backbone connections... On a typical 16MB/s link that's over 3MB/s of bandwidth we saved.
It appears Ockham lost his razor and grew a beard.
Since I'm running Win2K, and am behind a proxy box, I started wondering how I'd go about preventing my systems from sending those packets. Then I realized that, since all my systems are configured with static IPs, they wouldn't be sending out those update packets anyway.
So my recommendation is, if you aren't using static IPs on your intranet, do so. Not only will it lower the load on the root servers, but it'll also make port routing more reliable. Don't be lazy and depend on DHCP.
Using a private "unroutable" IP address affords surprisingly little protection. Using techniques like source routing or a compromise of a trusted host, your network can be quickly and easily penetrated.
Firewalls are needed even if you are using private addresses and NAT to access the Internet. In fact, the main reason to use NAT for a local LAN is so that your LAN IP addresses don't conflict with public addresses!
You have to use NAT with these private addresses, or else external connectivity doesn't work. (without a public address, it's damn near impossible to determine how to get the packets back to you!) And that means some things (for example, many network games) either don't work or work in only limited fashion.
I have no problem with your religion until you decide it's reason to deprive others of the truth.
Well, from what I understand, if requests coming from 192.168.* computers are being NATed, then upstream routers will think that these spurious DNS updates are coming from proper routable addresses.
-Tez
Haskell, the static-typed, lazy, polymorphic, programming language.
Who do you want to flood today?
This problem, among with many, many others, was described in a CAIDA paper, "DNS Measurements at a Root Server." They basically ran TCPDump on root server F, and analyzed the traffic. An amazing number of invalid requests are sent all the time. It really shows how important it is for network admins to correctly set up their name services, but it also identifies problems caused by bugs in software. Very interesting read: http://www.caida.org/outreach/papers/2001/DNSMeasRoot/
CmdrTaco, this news article has six links, but only one of them actually relates directly to this particular piece of news. Please make it more obvious which one is correct -- I'm tired of having to move the mouse over each one and see what the address is in order to try to figure out which link actually gives me the news.
(please mod this up so people see it! this is becoming a big problem on slashdot. and this is anonymous, so it's not karma whoring)
What exactly is your complaint about firewalls?
....because they are hard to configure?
Do you think that firewalls are a bad thing?
>The only purpose of firewalls seems to be to accommodate people who can't be bothered switching to DHCP.
Is this a joke?
lunky> c++; lunky> do{;}
ugh.. maybe you should pay more attention before blaming this one on "stupid sys admins"..
the problem is that this box is checked by default on every Win2k/WinXP install, not that stupid sys admins are turning it on. It has to explicitly be shut off, and how many home users do you think go into their connection settings to shut off some option that they've never heard of when they set up their network connection? i know i didn't, and had to go in and shut it off on my one Windows box this morning.
hmm... I think you're a little harsh. While I agree the coloring books are a good idea I think that the bulk of the blame should go to the vendors for using irresponsible default settings. I don't blame the Mom and Pop operations who get their brother's son to come in on the weekends to configure their "server". This kid couldn't care less about internet citizenship or traffic on routers in other states or countries. (what's a router?) He wants some beer money and to get that he just has to make sure that his uncle's secretary can get her email.
lunky> c++; lunky> do{;}
- The people whose servers this is coming from are MORONS
... They should be taken out back and shot...
Fine. And the very instant you make even the slightest mistake or oversight, someone will be there to collect your head. The problem is not large corporations (places with a sysadmin); it's the millions of mindless sheep with a PC (places that will never have a sysadmin). There are a lot of "Best Practices" that people should be doing. However, very few do, simply because there isn't enough time in a day to set up and maintain everything the way things should be. Everyone is overworked, underpaid, and unappreciated -- most places have fired (layoff, downsize, whatever) a significant portion of their staff, thus significantly increasing the work load on those still there. Basically, if you could be fired tomorrow as a "cost saving measure", then why should you give a rat's ass about doing anything beyond "it works"?
How often does Win2K register these ip addresses? Is it once an hour or so, or is there really a million win2k boxes being rebooted every hour?
Good grief, if you're pointing to 68k.org, you should remember the OS9 operating system from ?Microware? that ran on 68ks and 6809s. The domainregistry.ie page and 68k.org pages you point at do correctly refer to Mac OS 9.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
No, the problem lies in stupid sysadmins NOT explicitly shutting it off. As for the connection settings, it is set up by default that way because if you are querying a Windows 2000 DNS/DHCP server, it supports DDNS (as per RFC 2136). It only causes problems with UNIX servers. Read this article for some detailed info about the issue. I assume it's a similar deal with the Macs.
Of course, ISPs should be filtering out packets in RFC1918 space, and their DNSs should be managing the requests rather than bugging the root servers with them.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
You must be a Linux zealot, since you have no idea what you are talking about. This isn't a security hole. In fact, it's more of a feature. Windows 2000 differs from NT in that instead of using WINS for machine naming on the network, Win2k has transitioned to using Dynamic DNS instead of using the antiquated NetBIOS/WINS naming convention for local LANs. Now, these machines come set default for LANs with this modern config that are USING WINDOWS 2000 SERVER. The _default_ configuration is the one that will benefit the most people... those using Windows 2000 Pro on a Win2k LAN! Why on earth would/should it ship differently? Win2k networks most often go with Win2k servers! This problem only affects old-fashioned UNIX servers by improperly configured Windows 2000 clients that think they are connected to a W2K LAN. If you care to see why this is true, read this article.
Up till a few months ago I ran Winroute Pro, a firewall, and every time I booted the win2k server it was installed on (I boot the machine every morning, it's my development box also and I don't need a server running at night, so why burn the electricity?) I saw in the log of Winroute Pro that the Win2k server wanted to send out DNS records to the root servers. This is only done at boot time though afaik, since I didn't find this activity again in the logs until the next boot.
Never underestimate the relief of true separation of Religion and State.
AFAICT, most Windows 2000 networks are still set up the NT4 way -- using WINS for local name resolution and an external static DNS server.
Microsoft optimized the setting for their 'ideal' W2K/W2K/AD network, but that's only because they didn't bother putting some intelligence in the setting. DynDNS updates shouldn't be enabled unless the machine was being added to an Active Directory domain.
This isn't a security hole. In fact, it's more of a feature.
Hmmmm... DDNS updates could be considered to be a feature. What is definitely NOT a useful feature is that they are enabled by default.
Why on earth would/should it ship differently?
Isn't that the point of the article? The fact that this feature is on by default is causing the root name servers to be flooded with 1 MILLION DDNS updates per hour. That means very simply that Microsoft's latest misplaced attempt to be featureful is resulting in what is effectively a DDOS against the root nameservers. That is a very bad thing.
Not to be making ms look better, but to give some people a way to fix it. http://support.microsoft.com/default.aspx?scid=kb;en-us;Q259922
The spirit of resistance to government is so valuable on certain occasions that I wish it to be always kept alive
That may be true, but you're missing the point... that the ideal location for many Win2k workstations is behind a corporate firewall... so they would be contacting the internal DDNS server and not one on the outside.
Yes, block packets from machines on your network to 192.175.48/24.
That network only hosts the machines that handle DNS for RFC1918 addresses, so you can block it without breaking anything.
My Web Page
>it causes the worth of Microsoft Sys Admins everywhere to be cheapened.
Actually, the worth of all sysadmins is being cheapened. More often than not, small to medium enterprises will find the most 'tech-literate' person on staff and they become the de facto IT person. So the poor sod muddles his/her way through the setup, often with the help of a temp contractor who will set up and install the systems and the network. The contractor leaves, and then said poor sod is left to maintain a system without documentation and a thorough lack of knowledge about what the hell they are using or doing.
The marketplace is trying to replace costly human labour (sysadmins) with plug n' play firewalls, routers and fileservers. When shit breaks, they call the ISP *first* because they get free support and can bitch and whine their way to have someone try and fix it. They will only call the contracting company as a last resort, because then they have to pay for the time. So little Johnny-mail-room calls up and says 'my internet is down' when what they really need is someone familiar with the setup and knows what the hell is what.
Raise your hand ( techsupport phone-monkeys) how many times you've had to deal with some idiot who says he is the IT/sysadmin/netadmin and doesn't know anything beyond tracert and ping? These people aren't even certified in *anything*. Hell sometimes it's even a real sysadmin calling up, and you quickly realize that the clown on the other end is milking the shit out of the smallbiz owner, using your knowledge to troubleshoot *his* problem.
This industry is going to shit. Tech support is being outsourced by enormous franchise-style support agencies, full of mindless CDI/DeVry grads, admins are being cut in favour of standalone systems, and no one seems to appreciate the value of a knowledgeable person anymore.
I've read the MCSE material, and I can honestly say that it's nothing more than a preliminary intro to computers followed by numerous pages of point-and-click tutorials. Very little of the material focuses on the underlying tech, why it works, what can break, and how to fix it. It's utter crap. An MCSE will not learn about DNS, DHCP, ethernet, routing or anything else in any meaningful way using that garbage as a teaching tool. Yes, yes there are shit unix admins just as there are great MS admins. The point is that this is a situation that demands qualified people, and no one wants to pay for it.
If you have a network, you need an admin. If you have a server, you need an admin. If you have more than one end-station with net access 56k or higher, you need an admin. They can be on-call, or on-staff, but you need an admin. Because the simple fact is that the time and money saved by not having one at your disposal is wasted when Sally-secretary has to call and spend 45 minutes fucking around with tech support.
If you don't have someone on staff who understands what the fuck it is they're doing, get out your damn wallet already and enlist the help of a real sysadmin.
The problem is not stupid sys admins. It's home users that don't have a sys admin, but happily connect to the internet anyway.
Normal people worry me!
That 'tutorial' is mostly wrong and in fact has probably contributed to the problem described in the toplevel post. The tutorial's wrong both about the structure of DNS, and about the details of client/server interactions in WinDDNS. If you want to understand DNS, I suggest you go read an authoritative book on the subject, e.g., Albitz and Liu's DNS and BIND and perhaps the relevant RFCs. May I specifically recommend RFC1304, RFC1305, and RFC2136.
The best part is at the end of the tutorial:
- Win2K uses DNS names that use the underscore character.
Never mind mentioning that this is specifically verboten in the DNS RFCs...
The canned meat is "SPAM".
The theft of resources is "spam".
18-Apr-2002 16:16:05.491 security: notice: denied update from [63.198.141.30].2323 for "168.192.in-addr.arpa" IN
by "a whole lot" i mean we've logged 3.3M of these in the last four hours..."
t_t_b
I'm on PJ's "enemies" list! Are you?
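The "denied update" line quoted above is BIND's security-category log format, and a nameserver on the receiving end of this traffic would want to know who is sending it, for which zones, and how fast. An added example that is not part of the thread: a small parser over that format that counts denied updates per source and per zone, flags updates aimed at RFC1918 reverse zones, and estimates the hourly rate from the timestamps. The sample log lines are constructed; the first copies the one on the page, the other addresses are documentation ranges.

```python
"""Added example (not from the thread): parse BIND 'denied update' security
log lines, summarise them per source and zone, flag RFC 1918 reverse zones,
and estimate the update rate.  SAMPLE_LOG is constructed."""
import re
import ipaddress
from collections import Counter
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d+) security: notice: "
    r"denied update from \[(?P<src>[\d.]+)\]\.(?P<port>\d+) for \"(?P<zone>[^\"]+)\" IN"
)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample; line 1 is the format quoted in the thread, line 4 is an
# unrelated BIND message that the parser must skip.
SAMPLE_LOG = [
    '18-Apr-2002 16:16:05.491 security: notice: denied update from [63.198.141.30].2323 for "168.192.in-addr.arpa" IN',
    '18-Apr-2002 16:16:07.002 security: notice: denied update from [63.198.141.30].2324 for "168.192.in-addr.arpa" IN',
    '18-Apr-2002 16:17:30.120 security: notice: denied update from [192.0.2.10].1025 for "10.in-addr.arpa" IN',
    '18-Apr-2002 16:20:00.000 general: info: zone example.ie/IN: loaded serial 2002041801',
    '18-Apr-2002 16:31:44.777 security: notice: denied update from [198.51.100.7].4444 for "corp.example" IN',
    '18-Apr-2002 16:46:05.491 security: notice: denied update from [192.0.2.10].1026 for "1.168.192.in-addr.arpa" IN',
]


def parse_line(line):
    """One log line -> dict with ts/src/port/zone, or None if not a denied update."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f"),
            "src": m["src"], "port": int(m["port"]), "zone": m["zone"]}


def zone_to_network(zone):
    """'168.192.in-addr.arpa' -> 192.168.0.0/16; None for forward zones."""
    suffix = ".in-addr.arpa"
    if not zone.endswith(suffix):
        return None
    octets = zone[: -len(suffix)].split(".")[::-1]
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() for o in octets):
        return None
    padded = octets + ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(padded) + f"/{8 * len(octets)}")


def is_private_reverse(zone):
    """True when the zone reverse-maps RFC 1918 space, i.e. should never have
    been sent outside the originating LAN."""
    net = zone_to_network(zone)
    return net is not None and any(net.subnet_of(p) for p in RFC1918)


def summarize(lines):
    events = [e for e in map(parse_line, lines) if e]
    stamps = [e["ts"] for e in events]
    span_h = (max(stamps) - min(stamps)).total_seconds() / 3600 if len(stamps) > 1 else 0.0
    return {
        "total": len(events),
        "by_src": Counter(e["src"] for e in events),
        "by_zone": Counter(e["zone"] for e in events),
        "private_reverse": sum(1 for e in events if is_private_reverse(e["zone"])),
        "per_hour": len(events) / span_h if span_h else None,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feeding named's security log through `summarize` gives the per-source table you would hand to the upstream contact and the rate figure the post above quotes by hand; the `private_reverse` count separates the RFC1918 leak described in the story from updates for zones you actually serve.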
Part of the reason for being so restrictive (or so we were told): every service they allowed to pass over the firewire added to the cost of maintaining the thing.
Come to think of it, they probably shouldn't allow TELNET.
Perhaps my rant against them reflects my relative ignorance of routing issues. My current employer employs a proxyless system that allows me to see out of the network, but not others to see in. Is that a firewall? Given the vagueness of the concept ("Some of the best firewall professionals I know don't even bother with firewalls" -- Chapter 12 of Secrets and Lies), it probably depends on who you ask.
No self respecting OS has source routing enabled. Yes, Windows does, but that was my point.
'Trusted Host' implies that in your infinite wisdom you have trusted it. If it gets compromised, well, you know the deal.
I've seen several firewalls with security so tight a single stray packet will cause an alarm to go off. However, equal thought is not given to physical security, as you can just walk in and stick a disc into the nearest machine. Just a point to ponder for sys admins out there.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
What is it with people and writing MAC instead of Mac?
Mac is short for Macintosh, it's not a bleeding acronym! I can put up with it when it comes to ignorant posters, but seriously, shouldn't the Slashdot editors know better?
is here.
It's funny to see a ten megabyte logfile produced every seven minutes *SLAP* whoops. It's /not/ funny seeing a ten megabyte logfile produced every seven minutes. I wonder what they use for logfile analysis, I think it's getting more information than it's able to process.
Edwin
bash$
Blockpoth the quoster:
No. (Although using ".localdomain" doesn't suck as badly as naming your private network "slashdot.org" and assuming that your NATbox will prevent anyone from seeing this posturing..) In practice, using ".localdomain" probably won't break anything as a pseudo-TLD for an RFC 1918-conformant private IP space, presuming you're talking about a home network that's not going to have anything complex depending on absolutely strict, standards-compliant DNS behavior, but it's actually defined as a domain "having an A record pointing to the loopback IP address and is reserved for such use. Any other use would conflict with widely deployed code which assumes this use." I.e. for DNS purposes, the only .in-addr.arpa domain that should map into localdomain is 127.in-addr.arpa -- this is the class-A netblock for your loopback interface(s), which all have the form 127.#.#.#.
RFC 2606, "Reserved Top Level DNS Names", says that the TLD for a private network space should be one of the following:
- .example
- .test
- .invalid
(Note: there's no (technical) reason the TLD has to have three letters or less.)
Need a UNIX/Linux/network guru in the Boulde
That may be true, but you're missing the point... that the ideal location for many Win2k workstations is behind a corporate firewall..
I am not missing any point. What counts is what is actually happening, not some kind of ideal. The fact is that W2K is conducting a DDOS attack on key internet infrastructure components because of a bad default configuration.
Let's say it didn't ship that way by default. That means that every corporate install of Windows 2000 would have to be manually configured to interoperate with its native servers. It's more of a convenience to Win2k shops.
On the other hand, I'm surprised that this huge "Win2k DDOS attack" on "key internet infrastructure" has risen so suddenly, as these settings have existed since 1999 and Windows 2000 has done the same thing till then. What, did these machines suddenly come to life and grab the Internet by its balls?
The best part is at the end of the tutorial:
... it's just not on the Internet that it's allowed. Don't dog on details if you don't understand them.
Win2K uses DNS names that use the underscore character.
Never mind mentioning that this is specifically verbotten in the DNS RFC's..
That's probably in there for backwards compatibility with WINS... let's say you have a bunch of NT boxes named Jims_box, Daves_box and so on... those were legal in WINS but it would be hell in upgrading.
Novell allows the same thing... you can refer to servers like filesrv_1.foohost.bardomain
"With enough eyes, all bugs are shallow" or something to that effect.
It's the find and identify. A lot of bugs stay very well hidden until you look at them in just the right way.
I am an administrator for some IP space assigned but not ever routed. Several years ago, I was wondering where the hell all my bandwidth was going and found a lot of it was for DNS traffic trying to resolve IPs in that space. This was very odd, considering that it wasn't routed. These were at the rate of about 10 per second per IP address, and there were about 80 addresses two servers were querying for, for a total of 1600 requests per second. Now, there was no DNS server running on the host that these requests were going to, so they were sent port unreachable messages.
:)
Evidently what was going on was this large corporation was using MY IP space internally, but they weren't making their DNS servers authoritative for it, so the DNS servers went to the Internet (and to me) for resolution. Something somewhere was configured wrong and so they retried constantly.
I firewalled these DNS servers out, but not before I composed email to the whois contact at the big corporation telling them to fix this stuff. They ignored me (yes I made sure their SMTP sending host was not blocked). Firewalling didn't fix the problem, only kept my server from sending port unreachable messages. The queries from the big stupid corporation's network were only getting worse. I was getting really pissed off.
So I put up a DNS server up on that host, and made entries for every single IP (I was using bind, which is too stupid to have default responses). And I had fun, with obscene and abusive DNS names for every host, and forward resolution to match (in a silly domain also routed to the same dns server) -- and the highest possible TTL! Problem solved!
The funny thing is that this staid corporation was now seeing all sorts of nasty names on their internal servers...BAH HA HA.
The abuse stopped. Hopefully, someone was fired. Now we know that they will never attack me again in this way: you see, that abusive network belonged to Enron.
I actually let them off the hook easily. I had, at this point, control over data being returned to servers well firewalled away. Servers that probably had ancient resolvers that had buffer overflows in their DNS resolvers. High level servers that could have been r00ted straight through the firewall.
moral of the story: don't leave dns work to weenies. You may be surprised at the results.
We (uconn.edu) detected this either last year or the year before with misconfigured windows clients (typically win2k AS where someone left the DNS service running with a default configuration).
Seems like security is a perimeter type of thing. Weakest link and all that.
As long as people inside get email and have access to web pages and floppy disks, there is nothing a firewall can do that will actually make the network secure. A hair-trigger firewall seems like a good target for diversionary attacks.
We both got all beef patties, special sauce, lettuce, cheese, pickles, and onions. But, they use a sesame seed bun. My buns have no seeds.
What does dumb fuck mean?
CAn'T CompreHend SARcaSm?
Go do what you do best..throw on your penguin spandex and run around burning Microsoft flags.....I mean..that is what Linux is about right?
I pwn you.
Bah... No one checks the RFCs anymore.
Another example of something where a company does not follow the RFCs is HP using 192.0.0.192 [do an nslookup on that address for an interesting reverse name] as the default IP address for their devices instead of going through a formal RFC process... [or something to get the ball rolling for "newly" unconfigured devices to allow config on an IP-only network, without a bootp/dhcp server..]
The list of addresses to control at border routers is growing... [hint: many firewall admins block the RFC1918 addresses, but forget the Autoconfig address space 169.254.0.0, or 192.0.0.192, or 192.0.2.0/255.255.255.0]
--
Time is on my side
No. By default it should not ship that way. "Features" should be opt-in and a conscious decision made to activate such features.
The corporate installation should be configured so that it can be turned on during the install script/procedure or via a policy....
[btw: even normal users can update their system selectively by going to http://corporate.windowsupdate.microsoft.com which allows downloading of specific patches/updates to be done at a later stage]
another item that also annoys me is XP configured to use time.windows.com as an ntp server. That should be a selectable option, or one that should be picked up from the dhcp server... but then I digress...
--
Time is on my side
Uhhh, it doesn't cause problems with Unix servers. Many Unix DNS servers support DDNS. And many of us disable it because we prefer for random, unauthenticated machines on our networks not to be messing with our DNS databases. Therefore we get lines in our syslog files saying that certain machines tried and failed to push a DNS update to our server. If we get too many such lines and become annoyed, we hunt down the Win2k machine in question and untick the box under advanced TCP/IP settings.
It only becomes a problem when too many of these machines try to hammer the same few servers, to no purpose. Believe me, if the root servers were running Win2k, the root server admins still wouldn't have enabled DDNS. It's not about platforms, except for the arguably stupid default in the client.
"How can you claim that you are anti-crack, while still writing a window manager?" — Metacity README
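The syslog lines the comment above describes (rejected dynamic updates from Win2k clients that then have to be hunted down), together with the border-router block list from the earlier 192.0.0.192 comment, as an added Python example that is not from the thread or any poster. The log lines are constructed in a BIND 9 "update ... denied" style, which is an assumption about the format; the address list is the one that comment names (RFC1918, 169.254.0.0/16, 192.0.0.192, 192.0.2.0/24), and 198.51.100.5 stands in for a routable client.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample syslog lines (assumed BIND 9 "update ... denied" wording).
# The query line at the end is there to show that non-update lines are ignored.
SAMPLE_LOG = """\
Apr 15 10:01:02 ns1 named[1234]: client 192.168.1.10#1045: update 'example.ie/IN' denied
Apr 15 10:01:05 ns1 named[1234]: client 192.168.1.10#1046: update 'example.ie/IN' denied
Apr 15 10:01:09 ns1 named[1234]: client 10.20.30.40#3000: update 'example.ie/IN' denied
Apr 15 10:02:11 ns1 named[1234]: client 169.254.7.8#2222: update 'corp.lan/IN' denied
Apr 15 10:02:30 ns1 named[1234]: client 198.51.100.5#1500: update 'example.ie/IN' denied
Apr 15 10:03:00 ns1 named[1234]: client 192.168.1.10#1047: query: www.example.ie IN A
"""

# Ranges the border-router comment says should never reach a public server:
# RFC1918 space, the link-local autoconfig block, HP's 192.0.0.192 default
# and the 192.0.2.0/24 documentation block.
UNROUTABLE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "192.0.0.192/32", "192.0.2.0/24",
)]

DENIED_RE = re.compile(
    r"client (?P<ip>\d+(?:\.\d+){3})#(?P<port>\d+): "
    r"update '(?P<zone>[^/']+)/IN' denied"
)


def is_unroutable_source(ip):
    """True if the client address is in one of the blocked ranges above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in UNROUTABLE_NETS)


def parse_denied_updates(log_text):
    """Extract (ip, port, zone) records for every rejected dynamic update."""
    records = []
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            records.append({
                "ip": m.group("ip"),
                "port": int(m.group("port")),
                "zone": m.group("zone"),
                "unroutable": is_unroutable_source(m.group("ip")),
            })
    return records


def summarize(records):
    """Count rejected updates per (client ip, target zone) pair."""
    return Counter((r["ip"], r["zone"]) for r in records)


def top_offenders(records, n=5):
    """Noisiest clients first, so the admin knows which box to untick."""
    return summarize(records).most_common(n)


if __name__ == "__main__":
    recs = parse_denied_updates(SAMPLE_LOG)
    for (ip, zone), count in top_offenders(recs):
        flag = " [should have been filtered at the border]" if is_unroutable_source(ip) else ""
        print(f"{ip:<15} -> {zone:<12} {count} rejected update(s){flag}")
```

Run against a real named log, the per-client counts point straight at the machine whose "register this connection's addresses in DNS" box needs unticking; the unroutable flag separates a misconfigured client on your own LAN from a leak that a border filter should have stopped.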
A) if you're not set up to use only DYNDNS capable name servers, you should disable the "register this whatever" tab, or however you do it in MacOS.
B) Whose bright idea was it to have that a default?
I didn't know about the issue myself, because I'm a unix geek, and it never occurred to me that an OS would make such a ridiculous assumption. I found out when corporate IT busted me for upgrading my laptop to Win2K. At first, I thought it was because I was not getting my mandated 11 reboots/day, and snidely said so. The guy was much nicer than me, and just asked me to tell it to stop beating up the DNS server with invalid requests, and don't even think of trying to use it as a bdc (it would take over the domain, apparently... another bit of genius on the part of MS).
another item that also annoys me is XP configured to use time.windows.com as an ntp server. That should be a selectable option, or one that should be picked up from the dhcp server... but then I digress...
Try checking HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime\Servers and then tell me you can't write a shell script to fix that! ;P Also, if you logon to a WinNT/2k domain I believe that time is synched to it. But you can run an internal NTP server and have that registry entry refreshed from a logon script.
Just got finished setting my 2K box straight. Yeah, I think that ICANN should think quite strongly of setting aside .LAN as a non-routable TLD. Simple, looks like a real TLD, but can't get out on the Internet. Just like non-routable IP addresses: 10.x.x.x, 192.168.x.x and those Class B's that nobody uses but are there anyway.
I didn't know about the attempt to codify .LINK as a non-routable TLD, but .LOCAL was once proposed and is often used as an example in books about TCP/IP networking. .LAN, however, has the advantage of looking like a "proper" TLD. (at least Stateside, anyway...)
Knowledge is power. Knowledge shared is power multiplied.