Re: DNS cache poisoning attacks -- are they real?

2005-03-27 Thread Randy Bush
> And to Randy's point about problems with open recursive nameservers... > abusers have been known to cache "hijack". Register a domain, > configure an authority with very large TTLs, seed it onto known open > recursive nameservers, update domain record to point to the open > recursive server

Re: DNS cache poisoning attacks -- are they real?

2005-03-27 Thread John Payne
On Mar 27, 2005, at 1:25 PM, Christopher L. Morrow wrote: Larger providers have the problem that you can't easily filter 'customers' from 'non-customers' in a sane and scalable fashion. Hrm? Larger providers tend to have old swamp space lying around :) Throw the resolvers on a netblock that's not

[feldman@twincreeks.net: NANOG 34: Call for Presentations]

2005-03-27 Thread Steve Feldman
Reminder: program submissions for NANOG 34 are due by Monday, April 4. If you have any questions or comments, feel free to ask the program committee at [EMAIL PROTECTED] or the administrative staff at [EMAIL PROTECTED] We look forward to hearing from you!

Program survey results

2005-03-27 Thread Steve Feldman
I have posted the final results of the 2005 program survey at http://www.nanogpc.org/public/pcsurvey.html There were a total of 85 responses. Steve

Re: DNS cache poisoning attacks -- are they real?

2005-03-27 Thread Suresh Ramasubramanian
On Sun, 27 Mar 2005 18:22:15 +0100, Brad Knowles <[EMAIL PROTECTED]> wrote: > > Abusing someone else's poorly configured resolvers is not the way > to solve this problem, and it's a bad habit to get into. > Er, I forgot to mention that it was my ISP whose resolver I used, and I have a p

Re: Blocking port 53

2005-03-27 Thread John Levine
>25, 80, 110, 443, ... are blocked. so no ssh or other vpns. >i.e. YOU FORCE WIRELESS USERS TO BE INSECURE. so, if i was >so inclined, i could sit there and tap everyone's email etc. I thought everyone ran an ssh server on port 443 by now. It's the easiest way to get through these overbearing

Re: Blocking port 53

2005-03-27 Thread Randy Bush
>> problem is many walled garden providers, e.g. t-mo, block 53. > The world could be a better place if there were fewer people who > stole service, or if the technologists could come up with more > secure systems. ok, tell me. how does allowing my laptop in the united red rug to access the glob

Blocking port 53

2005-03-27 Thread Sean Donelan
On Sun, 27 Mar 2005, Randy Bush wrote: > > Thank $DEITY for large ISPs running open resolvers on fat pipes .. > > those do come in quite handy in a resolv.conf sometimes, when I run > > into this sort of behavior. > > problem is many walled garden providers, e.g. t-mo, block 53. The world could b

Re: Intradomain DNS Anycast revisited

2005-03-27 Thread Edward B. Dreger
PJH> Date: Sun, 27 Mar 2005 08:44:34 -0800 PJH> From: Peter John Hill PJH> configure a loopback interface on your dns servers and advertise a PJH> route to that loopback address to your connected routers... We've used this approach for several years. It works very well. Eddy -- Everquick Inte

Re: Sorbs.net

2005-03-27 Thread Dean Anderson
> o could this be used as a dos and then become extortion? >has this actually happened, or is it just black heli? It has happened, in a legal sense anyway. See Exactis V. MAPS. One of Exactis' claims was civil extortion. (Claim 4 on complaint). Exactis also claimed that MAPS could block

Re: Sorbs.net

2005-03-27 Thread Dean Anderson
Hi folks. A few points about Sorbs (I've also started a web site www.iadl.org to track abuse of the internet for defamation purposes. The web site isn't finished, yet.) 1) Someone said Sorbs is just Matthew Sullivan. Well, _Sullivan_ said it isn't just him. Yeah, sure, that has credibility... Ho

Re: DNS cache poisoning attacks -- are they real?

2005-03-27 Thread Florian Weimer
* Sean Donelan: > Signatures don't create trust. A signature can only confirm an existing > trust relationship. DNSSEC would have the same problem, where do you get > the trustworthing signatures? By connecting to the same root you don't > trust? > > As a practical matter, you can stop 99% of

Re: DNS cache poisoning attacks -- are they real?

2005-03-27 Thread Florian Weimer
* Alex Bligh: > --On 26 March 2005 23:23 +0100 Florian Weimer <[EMAIL PROTECTED]> wrote: > >> Should we monitor for evidence of hijacks (unofficial NS and SOA >> records are good indicators)? Should we actively scan for >> authoritative name servers which return unofficial data? > > And what if

Re: DNS cache poisoning attacks -- are they real?

2005-03-27 Thread Florian Weimer
* Brad Knowles: > It only takes a little while to figure out that domains can be > fake-hosted using open caching recursive resolvers. Someone creates > a domain with very small TTLs for the real authoritative servers. > Within the zone, they do lame delegations to a lot of known public

Re: DNS cache poisoning attacks -- are they real?

2005-03-27 Thread Florian Weimer
* Joe Maimon: > Slightly OT to parent thread...on the subject of open dns resolvers. > > Common best practices seem to suggest that doing so is a bad thing. There was some malware which contained hard-coded IP addresses of a few open DNS resolvers (probably in an attempt to escape from DNS-based

Re: DNS cache poisoning attacks -- are they real?

2005-03-27 Thread Joe Maimon
[EMAIL PROTECTED] wrote: On Sun, Mar 27, 2005 at 11:36:26AM -0500, Joe Maimon wrote: er... common best practice for YOU... perhaps. dnsreport.com is apparently someone who agrees w/ you. and i know why some COMMERCIAL operators want to squeeze every last lira from the

Re: ICANN on the panix.com theft

2005-03-27 Thread David Lesher
Speaking on Deep Background, the Press Secretary whispered: > I said: > > I also don't see any discussion on what ICANN was during during the .oops doing during > > hijack situation; maybe I missed that part. > > i dont believe this is icanns respo

Re: DNS cache poisoning attacks -- are they real?

2005-03-27 Thread bmanning
On Sun, Mar 27, 2005 at 11:36:26AM -0500, Joe Maimon wrote: > > > > Suresh Ramasubramanian wrote: > >On Sat, 26 Mar 2005 17:52:56 -0500 (EST), Sean Donelan <[EMAIL PROTECTED]> > >wrote: > > > > > > >Thank $DEITY for large ISPs running open resolvers on fat pipes .. > >those do come in quite h

Re: T1 vs. T2 [WAS: Apology: [Tier-2 reachability and multihoming]]

2005-03-27 Thread Randy Bush
here is what i answered a private message on the subject, with a typo corrected. [un]fortunately, i seem not to have saved the follow-on message where i suggested how one could get a good first cut at this from route-views data. randy --- From: Randy Bush <[EMAIL PROTECTED]> Date: Sat, 26 Mar

Re: T1 vs. T2 [WAS: Apology: [Tier-2 reachability and multihoming]]

2005-03-27 Thread Stephen J. Wilcox
On Sun, 27 Mar 2005, Patrick W Gilmore wrote: > On Mar 26, 2005, at 11:21 PM, Randy Bush wrote: > > >> forget this concept of tier1, 2, 3 .. they are little more than terms used > >> by salesmen. > > > > at least t1 and t2, also permeate academic papers where the real topology is > > actually me

Re: ICANN on the panix.com theft

2005-03-27 Thread Stephen J. Wilcox
On Sat, 26 Mar 2005, David Lesher wrote: > > > ICANN Blames Melbourne IT for Panix Domain Hijacking > > I also don't see any discussion on what ICANN was during during the > hijack situation; maybe I missed that part. i dont believe this is icanns responsibility.. it is however their responsib

Re: DNS cache poisoning attacks -- are they real?

2005-03-27 Thread Christopher L. Morrow
On Sun, 27 Mar 2005, Randy Bush wrote: > > i have yet to see cogent arguments, other than scaling issues, > against running open recursive servers. > The common example to NOT run them is the DNS Smurf attack, forge dns requests from your victim for some 'large' response: MX for mci.com works pr

Re: DNS cache poisoning attacks -- are they real?

2005-03-27 Thread Randy Bush
i have yet to see cogent arguments, other than scaling issues, against running open recursive servers. randy

Re: DNS cache poisoning attacks -- are they real?

2005-03-27 Thread Randy Bush
>> On the other hand, there are a lot of reasons why a DNS operator may >> return different answers to their own users of their resolvers. Reverse >> proxy caching is very common. Just about all WiFi folks use cripple >> DNS as part of their log on. Or my favorite, quarantining infected >> comput

Re: 72/8 friendly reminder

2005-03-27 Thread Joe Maimon
Jon Lewis wrote: On Thu, 24 Mar 2005, Randy Bush wrote: [1] at least not until cisco adds a feature allowing you to ignore new BGP routes for subnets of a bogon feed. Last I understood from c-nsp this was a feature without much interest. Is such a feature expected to arrive anytime soon? From any

Re: Intradomain DNS Anycast revisited

2005-03-27 Thread Peter John Hill
On Mar 26, 2005, at 1:41 PM, just me wrote: 1) should each dns cache server be configured a static default route (0.0.0.0/0.0.0.0)? If server-(1,3) is configured statically to use router-1 as default router, will Quagga make it use router-2 when router-1 is not reachable? configure a loo

Re: Please verify RFC1918 filters

2005-03-27 Thread Joe Maimon
vijay gill wrote: On Tue, Mar 22, 2005 at 03:13:07PM -0800, Randy Bush wrote: y'all might give us something pingable in that space so we can do a primitive and incomplete test in a simple fashion. randy try 172.128.1.1 /vijay Wouldn't 172.15.255.254 and 172.32.0.1 do better at helping to nail dow

Re: DNS cache poisoning attacks -- are they real?

2005-03-27 Thread Joe Maimon
Suresh Ramasubramanian wrote: On Sat, 26 Mar 2005 17:52:56 -0500 (EST), Sean Donelan <[EMAIL PROTECTED]> wrote: Thank $DEITY for large ISPs running open resolvers on fat pipes .. those do come in quite handy in a resolv.conf sometimes, when I run into this sort of behavior. --srs Slightly OT to

T1 vs. T2 [WAS: Apology: [Tier-2 reachability and multihoming]]

2005-03-27 Thread Patrick W Gilmore
On Mar 26, 2005, at 11:21 PM, Randy Bush wrote: forget this concept of tier1, 2, 3 .. they are little more than terms used by salesmen. at least t1 and t2, also permeate academic papers where the real topology is actually measured. but we should not let demonstrable measurements get in the way of

Re: DNS cache poisoning attacks -- are they real?

2005-03-27 Thread Niels Bakker
* [EMAIL PROTECTED] (Sean Donelan) [Sun 27 Mar 2005, 03:16 CEST]: > As a practical matter, you can stop 99% of the problems with a lot less > effort. Why has SSH been so successful, and DNSSEC stumbled so badly? Because one of these products came with "./configure; make; make install"

Re: DNS cache poisoning attacks -- are they real?

2005-03-27 Thread Suresh Ramasubramanian
On Sat, 26 Mar 2005 17:52:56 -0500 (EST), Sean Donelan <[EMAIL PROTECTED]> wrote: > > On the other hand, there are a lot of reasons why a DNS operator may > return different answers to their own users of their resolvers. Reverse > proxy caching is very common. Just about all WiFi folks use crip