Re: [swinog] DDOS DNS Attack by Netgear Products caused by CNAME instead of A record?
Netgear has said that this is a known issue and is resolved with a
software upgrade.

Best
Akshay

On Sat, May 25, 2013 at 9:03 AM, Roque Gagliano wrote:
> IMHO, this is also one of the things that unbound is superior to BIND.
>
> You can simply configure "local-data" in the general configuration file in
> one line:
>
>     local-data: "time-g.netgear.com 9600 IN A 209.249.181.22"
>
> Ref: http://www.unbound.net/documentation/unbound.conf.html
>
> Roque
>
> On Sat, May 25, 2013 at 1:40 PM, Roman Hochuli wrote:
>
>> Hello Jeroen
>>
>> > If you are doing that, do it only for time-g.netgear.com by defining
>> > a zone for that and using '@' to get the record defined, that way you
>> > don't cause collateral damage to the many other records that might
>> > exist in netgear.com
>>
>> Thanks for pointing that out. Your solution is much nicer than my approach.
>> Looks like Scalpel vs. Hammer. :)
>>
>> > Tranalyzer only analyzes as far as I recall and the slides do not
>> > indicate differently...
>>
>> You are right. I was more referring to his presentation-style at SwiNOG
>> #26 which referred a lot to "what's that hex?" ;)
>>
>> --
>> Best regards,
>> Roman Hochuli

___
swinog mailing list
swinog@lists.swinog.ch
http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
Re: [swinog] IRC Network / Swinog / Link down
Hello Roman

On 25.05.2013 13:31, Roman Hochuli wrote:
> root@irc:~# ntpdate time1.nexellent.net
> 25 May 13:30:42 ntpdate[1039]: step time server 217.147.208.1 offset -7195.882746 sec

It would probably be much better to start using ntpd on this server.
It is not the first time that this has happened to the IRC Server.

bye
Fabian
Re: [swinog] DDOS DNS Attack by Netgear Products caused by CNAME instead of A record?
IMHO, this is also one of the things that unbound is superior to BIND.

You can simply configure "local-data" in the general configuration file in
one line:

    local-data: "time-g.netgear.com 9600 IN A 209.249.181.22"

Ref: http://www.unbound.net/documentation/unbound.conf.html

Roque

On Sat, May 25, 2013 at 1:40 PM, Roman Hochuli wrote:
> Hello Jeroen
>
> > If you are doing that, do it only for time-g.netgear.com by defining
> > a zone for that and using '@' to get the record defined, that way you
> > don't cause collateral damage to the many other records that might
> > exist in netgear.com
>
> Thanks for pointing that out. Your solution is much nicer than my approach.
> Looks like Scalpel vs. Hammer. :)
>
> > Tranalyzer only analyzes as far as I recall and the slides do not
> > indicate differently...
>
> You are right. I was more referring to his presentation-style at SwiNOG
> #26 which referred a lot to "what's that hex?" ;)
>
> --
> Best regards,
> Roman Hochuli

--
At least I did something
Don Draper - Mad Men
Re: [swinog] DDOS DNS Attack by Netgear Products caused by CNAME instead of A record?
Hello Jeroen

> If you are doing that, do it only for time-g.netgear.com by defining
> a zone for that and using '@' to get the record defined, that way you
> don't cause collateral damage to the many other records that might
> exist in netgear.com

Thanks for pointing that out. Your solution is much nicer than my approach.
Looks like Scalpel vs. Hammer. :)

> Tranalyzer only analyzes as far as I recall and the slides do not
> indicate differently...

You are right. I was more referring to his presentation-style at SwiNOG
#26 which referred a lot to "what's that hex?" ;)

--
Best regards,
Roman Hochuli
Operations Manager

nexellent ag
Saegereistrasse 33
CH-8152 Glattbrugg

Phone: +41 44 872 20 00
Fax: +41 44 872 20 01
URL: www.nexellent.ch
X-NCC-RegID: ch.nexellent

Imagination is the one weapon in the war
against reality.
-- Jules de Gaultier
Re: [swinog] DDOS DNS Attack by Netgear Products caused by CNAME instead of A record?
Hello Benoit

>> Yes, it is an EXTREMELY UGLY HACK.
> Just set up netgear.com on our cache DNSes.
> I see the client's request for time-g.netgear.com is now being replied with
> 157.161.1.4 (our NTP server), but those clients still are not happy and keep
> sending up to hundreds of request/s.

Well, bad luck with this hack then. :-(

Apparently this was already pointed out by Beat Bodenmann shortly after my mail.

--
Best regards,
Roman Hochuli
Operations Manager
nexellent ag
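Added example, not part of the original thread: one way to see which clients keep querying time-g.netgear.com, and at what per-second rate, from a resolver's query log. The BIND-style log layout, the documentation-range addresses and the low threshold are assumptions made for the constructed sample.

```python
import re
from collections import Counter, defaultdict

NAME = "time-g.netgear.com"  # query name discussed in the thread

# Assumed BIND-style querylog layout; adapt the pattern to your resolver's log format.
LINE_RE = re.compile(
    r"^\S+ (?P<ts>\d{2}:\d{2}:\d{2})\.\d+ client (?P<ip>[0-9A-Fa-f.:]+)#\d+"
    r".*?query: (?P<qname>\S+) IN \S+"
)

def _line(ts, ip, qname):
    # Helper that builds one constructed log line (not captured traffic).
    return f"25-May-2013 {ts} client {ip}#40001: query: {qname} IN A + (198.51.100.53)"

# Constructed sample: one chatty client, one quiet client, unrelated noise.
SAMPLE_LOG = (
    [_line(f"13:30:42.{i:03d}", "192.0.2.10", NAME) for i in range(5)]
    + [_line(f"13:30:43.{i:03d}", "192.0.2.10", NAME) for i in range(3)]
    + [_line("13:30:42.500", "192.0.2.20", NAME),
       _line("13:30:50.000", "192.0.2.20", "TIME-G.NETGEAR.COM."),  # case / trailing dot
       _line("13:30:42.700", "192.0.2.30", "www.example.com"),
       "25-May-2013 13:30:44.000 general: info: unrelated log line"]
)

def peak_rates(lines, qname=NAME):
    """Return {client_ip: (total_queries, peak_queries_in_one_second)} for qname."""
    per_second = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["qname"].rstrip(".").lower() != qname:
            continue  # other names and non-query lines are ignored
        per_second[m["ip"]][m["ts"]] += 1
    return {ip: (sum(c.values()), max(c.values())) for ip, c in per_second.items()}

def noisy_clients(lines, threshold, qname=NAME):
    """Clients whose peak per-second rate for qname reaches threshold, busiest first."""
    hits = [(ip, total, peak)
            for ip, (total, peak) in peak_rates(lines, qname).items()
            if peak >= threshold]
    return sorted(hits, key=lambda h: h[2], reverse=True)

if __name__ == "__main__":
    # threshold=3 suits the tiny sample; the thread reports hundreds of requests/s.
    for ip, total, peak in noisy_clients(SAMPLE_LOG, threshold=3):
        print(f"{ip}: {total} queries, peak {peak}/s")
```

Running the same count before and after a local override shows whether the affected devices actually back off once they receive an answer.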
Re: [swinog] IRC Network / Swinog / Link down
Hello Boris

> There's an issue around that the IRC Channel #swinog is in a split
> state (Link between irc.humppa.ch and irc.swissix.ch).
>
> The reason: It seems that irc.swissix.ch NTP/date is out of sync.

Problem solved:

--snip
root@irc:~# date
Sat May 25 15:30:17 CEST 2013
root@irc:~# ntpdate time1.nexellent.net
25 May 13:30:42 ntpdate[1039]: step time server 217.147.208.1 offset -7195.882746 sec
root@irc:~# date
Sat May 25 13:30:47 CEST 2013
root@irc:~#
--snap

--
Best regards,
Roman Hochuli
SwissIX Board Member