On Fri, 23 Jun 2006, Joe Abley wrote:
> Hi Dean!
>
> I will note that the only question before the wg associated with this
> particular mailing list is whether or not these two drafts might
> benefit from adoption as working group documents. Comments on the
> content seem somewhat orthogonal to that goal, but since you asked
> here, I'll reply here.
I thought they were submitted to DNSOP. How did they get in the ID-Tracker?
> >> draft-jabley-as112-being-attacked-help-help-00
> >
> > This draft seems to entirely miss the point, and unhelpfully belittles the
> > fact that AS112 servers may in fact be used (perhaps have already been used)
> > to conduct DOS attacks.
>
> If you can provide details to expand upon the fact you describe
> above, that would be most helpful. Without some context, I am
> struggling to understand what you are talking about.
You have already provided the details: That is, the fact that you didn't
consider the attacks to be actual attacks, but rather "panic attacks".
From AS112, you wouldn't be able to know if they were indeed "panic attacks",
unless you had in fact assisted in tracing the source of the packets, which you
imply wasn't done, and would be done even less if your draft were approved.
> > I have rarely seen IDS systems alarm over genuine DNS traffic to external
> > servers.
>
> I have no reason to doubt you. However, having been one of the small
> group of people responsible for answering the phone when people call
> the AS112 netblock contact, I can tell you that your experience is
> not universal.
>
> Your advice to treat reports of abuse seriously is of course valid,
> but unnecessary in this case.
How is it that you know this? You assert complaints were made, and that you
disregarded those complaints; that the admins "panicked".
> >> Having been recently in the unenviable position[1] of answering phone
> >> calls from angry people regarding the denial-of-service attack from
> >> PRISONER.IANA.ORG on their firewalls (source port 53),
> >
> > Probably you should have responded differently to their calls: They were
> > probably legitimate DOS attacks involving AS112 servers.
>
> All the calls I responded to were investigated thoroughly. I have no
> reason to doubt that any of the other calls which were handled with
> others enjoyed any less diligence.
It sounds very much like the admins making the complaints disagreed. Perhaps
if you send me the contact info for some of those admins, I'll follow up to see
if they were satisfied with your response.
> None of the calls I responded to related to DOS attacks involving AS112
> servers;
How could that be? The admins making the complaints didn't seem to agree.
> all of them involved replies being returned from the Internet towards hosts
> that firewall admins had not considered might ever send requests to the
> outside world.
Please explain this further. So machines that weren't nameservers were sending
DNS requests (for in-addr.arpa) to the outside world?
--Dean
--
Av8 Internet Prepared to pay a premium for better service?
www.av8.net faster, more reliable, better service
617 344 9000