[EMAIL PROTECTED] (Sean Donelan) writes:

> Do you want an Internet where your provider decides for you, with whom and
> when you are allowed to communicate? Or do you want to decide for yourself
> whether to accept or not accept the communication?

i want weak protocols restricted to LANs or at most campuses or ISPs. that means UDP/137, UDP/139, and TCP/25 at the moment. stay tuned, we might be adding more.

oh and as long as you're considering whether to restrict things to your LAN/campus/ISP, i'm ready to see rfc1918 filters deployed...

#sfo2b.f:i386# tcpdump -n -c 10 src net \( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 \)
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on fxp0, link-type EN10MB (Ethernet), capture size 96 bytes
16:55:10.349179 IP 172.16.1.2.1063 > 192.5.5.241.53: 5330 [1au] MX? mails.hu. (37)
16:55:10.351035 IP 172.16.8.1.1158 > 192.5.5.241.53: 3130 A? www.consumerinput.com. (39)
16:55:10.351528 IP 172.16.8.1.1158 > 192.5.5.241.53: 5184 A? www.consumerinput.com. (39)
16:55:10.352908 IP 172.16.8.1.1158 > 192.5.5.241.53: 15435 A? www.consumerinput.com. (39)
16:55:10.513272 IP 10.14.0.16.32768 > 192.5.5.241.53: 7623% [1au] A? smtp107.apmailer.com. (49)
16:55:10.609281 IP 10.204.1.19.1075 > 192.5.5.241.53: 8176 [1au] PTR? 25.2.0.192.in-addr.arpa. (52)
16:55:10.669655 IP 192.168.240.250.33753 > 192.5.5.241.53: 29750 A? as.adwave.com.L19212.wflu.com. (47)
16:55:10.750369 IP 10.8.224.32.59429 > 192.5.5.241.53: 44783% [1au] A6? ns.mint.net. (40)
16:55:10.770704 IP 192.168.240.250.33753 > 192.5.5.241.53: 56680 A? img07.allegro.pl. (34)
16:55:10.770709 IP 192.168.240.250.33753 > 192.5.5.241.53: 61108 A? img10.allegro.pl. (34)
10 packets captured

hell, as long as we're making a list of the things sender-side network admins should filter on their end since they're inappropriate for the wide area, could we increase the readership of BCP38 (if your hair isn't pointy) and/or SAC004 (otherwise)?

oh and if 15,000 of your dsl-connected hosts all start sending one packet per second to the same distant endpoint, please stop them.

senders and sender-isp's have a long list of things they have to do in order to not be compared to toxic polluters (a term i believe michael rathbun coined for use in this context, and for which i am thankful.)

don't try to make this about right-to-communicate or who-gets-to-decide.

--
Paul Vixie
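
Added example, not part of the original post: a sender-side audit that reads "tcpdump -n" text output taken at a network's own border and counts packets still leaving with RFC 1918 source addresses, per prefix and per host. The capture in SAMPLE is constructed (192.0.2.53 and 198.51.100.7 are documentation addresses) and includes sources on either side of the 172.16.0.0/12 boundary; the function name audit is an assumption of this example.

```python
import ipaddress
import re
from collections import Counter

# The three RFC 1918 prefixes from the tcpdump filter in the post.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# "tcpdump -n" IPv4 line: <time> IP <src>.<sport> > <dst>.<dport>: ...
LINE_RE = re.compile(r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.\d+ > ")

# Constructed capture (not real traffic).
SAMPLE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
12:00:00.000001 IP 10.1.2.3.1025 > 192.0.2.53.53: 1 A? example.com. (29)
12:00:00.000002 IP 172.15.255.255.1026 > 192.0.2.53.53: 2 A? example.com. (29)
12:00:00.000003 IP 172.16.0.1.1027 > 192.0.2.53.53: 3 A? example.com. (29)
12:00:00.000004 IP 172.31.255.254.1028 > 192.0.2.53.53: 4 A? example.com. (29)
12:00:00.000005 IP 172.32.0.1.1029 > 192.0.2.53.53: 5 A? example.com. (29)
12:00:00.000006 IP 192.168.240.250.33753 > 192.0.2.53.53: 6 A? example.net. (29)
12:00:00.000007 IP 192.168.240.250.33753 > 192.0.2.53.53: 7 A? example.org. (29)
12:00:00.000008 IP 198.51.100.7.1030 > 192.0.2.53.53: 8 A? example.com. (29)
10 packets captured
"""

def audit(text):
    """Count packets whose source is RFC 1918, per prefix and per source host."""
    by_prefix, by_source = Counter(), Counter()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner/summary lines and anything without addr.port
        try:
            src = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # dotted digits that are not a valid IPv4 address
        for net in RFC1918:
            if src in net:
                by_prefix[str(net)] += 1
                by_source[str(src)] += 1
                break
    return by_prefix, by_source

if __name__ == "__main__":
    prefixes, sources = audit(SAMPLE)
    for net, n in prefixes.most_common():
        print(f"{n:4d} packets from {net}")
    for src, n in sources.most_common(5):
        print(f"{n:4d} packets from host {src}")
```

Any non-zero count on an upstream-facing interface means the egress filter for that prefix is missing or incomplete.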
