North American Network Operators Group


Re: trapdoor.merit.edu and other impatient Postfix mailers everywhere (fwd)

  • From: Valdis.Kletnieks
  • Date: Fri Aug 03 01:25:28 2001

On Thu, 02 Aug 2001 18:44:21 CDT, Larry Sheldon <[email protected]>  said:
> Lemesee if I got this right...Paul Vixie doesn't know anybody that can
> pull my IP addresses out of their logs, look them up on ARIN, send me email.

A long time ago, in a galaxy far far away, the hostname 'black-ice.cc.vt.edu'
was listed as an NTP stratum-2 server.  Then the building got re-subnetted,
and its IP address changed.  Then a CNAME for ntp-2.vt.edu was added that
pointed there.  Then the CNAME was moved to point to a different machine.
Then I turned off NTP service to the outside world.

When the recent NTP query-packet security problem was found, that host
had not been answering NTP queries off-campus for *6 months*.  It hadn't
been in clocks.txt for *2 years*.  Our router guy put in a filter on our
main router to log NTP packets.

5 minutes later he took it off, because that host was *STILL* getting
pounded to the level of 100 packets *per second*, courtesy of several
freeware packages that had lived on TUCOWS a long time ago.

In 5 minutes, we also got 15 or 20 hits on an IP address that it hadn't
had for *8 years*.

I'm sure that their packet flux is a lot higher than 100 packets
per second.  So you get to log them, sort out which ones are in duplicate
subnets (remembering that since CIDR, you *DON'T* know where subnets
start and end - are 128.173.x.x and 128.174.x.x 2 /16s or a /15?
Are 198.82.251.x and 198.82.250.x /24s that belong to different companies,
or part of a CIDR block belonging to one organization?)

Remember in your analysis that NSI's whois is *notoriously* inaccurate,
and quite often the "owner of record" of a /16 is a service provider, and
the person you WANT to send the mail to is the admin of the company that
bought a /22 from that provider's /16.

Hint:  You ever had a hack-in attempt at your site, and tried to figure
out who owned the IP address?  How long did it take you?  Have you ever
come up empty-handed?  Good - now design a way to do that look-up several
hundred times *a second*.

But yeah, with a little bit of hand-waving, they could get the mail
to the right admin at the right company.

				Valdis Kletnieks
				Operating Systems Analyst
				Virginia Tech
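As an added illustration (not part of Valdis's message or any NANOG tool), the script below does the first two steps he describes: count the logged source addresses, bucket them into prefixes, and merge adjacent aligned blocks so the registry is consulted once per block rather than once per packet. The log format and every address in it are constructed for the example. The merge step uses ipaddress.collapse_addresses, which answers only the arithmetic question (198.82.250.0/24 and 198.82.251.0/24 fit into one /23; 128.173.0.0/16 and 128.174.0.0/16 do not fit into a single aligned /15) and says nothing about who holds the space, which is exactly the gap the message points at.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample router log (made up for this example, not taken from the
# original message): one line per logged NTP packet, in key=value fields.
SAMPLE_LOG = """\
2001-08-02T23:10:01 src=198.82.250.17 dst=128.173.4.60 proto=udp dport=123
2001-08-02T23:10:01 src=198.82.251.201 dst=128.173.4.60 proto=udp dport=123
2001-08-02T23:10:02 src=128.173.9.8 dst=128.173.4.60 proto=udp dport=123
2001-08-02T23:10:02 src=128.174.3.3 dst=128.173.4.60 proto=udp dport=123
2001-08-02T23:10:03 src=198.82.250.17 dst=128.173.4.60 proto=udp dport=123
2001-08-02T23:10:03 src=198.82.250.99 dst=128.173.4.60 proto=udp dport=123
2001-08-02T23:10:03 src=10.0.0.5 dst=128.173.4.60 proto=udp dport=123
2001-08-02T23:10:04 src=not-an-ip dst=128.173.4.60 proto=udp dport=123
"""

SRC_FIELD = re.compile(r"\bsrc=(\S+)")


def count_sources(log_text):
    """Return a Counter of logged packets per public source address.

    Lines without a parsable src= field are skipped, as are private and
    loopback sources: there is no registry contact to write to for those.
    """
    hits = Counter()
    for line in log_text.splitlines():
        match = SRC_FIELD.search(line)
        if not match:
            continue
        try:
            ip = ipaddress.ip_address(match.group(1))
        except ValueError:
            continue  # garbage in the log: skip the line rather than abort
        if ip.is_private or ip.is_loopback:
            continue
        hits[ip] += 1
    return hits


def aggregate(hits, prefix_len=24):
    """Bucket sources into /prefix_len blocks and merge adjacent aligned blocks.

    Returns {network: packet_count}.  The merge (ipaddress.collapse_addresses)
    is pure prefix arithmetic: it says whether two blocks can be written as
    one, not whether one organization holds both.
    """
    blocks = Counter()
    for ip, n in hits.items():
        blocks[ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)] += n
    merged = {}
    for net in ipaddress.collapse_addresses(blocks):
        merged[net] = sum(n for block, n in blocks.items() if block.subnet_of(net))
    return merged


def summarizable(prefix_a, prefix_b):
    """Return the single aligned prefix covering both inputs, or None."""
    nets = [ipaddress.ip_network(prefix_a), ipaddress.ip_network(prefix_b)]
    collapsed = list(ipaddress.collapse_addresses(nets))
    return collapsed[0] if len(collapsed) == 1 else None


def summarize(log_text, prefix_len=24):
    """Count how much the lookup workload shrinks at each aggregation step."""
    hits = count_sources(log_text)
    per_prefix = {
        ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False) for ip in hits
    }
    return {
        "packets": sum(hits.values()),
        "sources": len(hits),
        "prefixes": len(per_prefix),
        "merged": len(aggregate(hits, prefix_len)),
    }


if __name__ == "__main__":
    for net, n in sorted(aggregate(count_sources(SAMPLE_LOG)).items()):
        print(f"{net!s:20} {n} packets")
    print(summarize(SAMPLE_LOG))
    print(summarizable("198.82.250.0/24", "198.82.251.0/24"))  # 198.82.250.0/23
    print(summarizable("128.173.0.0/16", "128.174.0.0/16"))    # None
```

On the constructed log, eight lines shrink to six countable packets, five sources, four /24 buckets and three merged blocks, so three registry lookups would cover the whole sample; on a real feed the ratio is what decides whether the lookup rate is survivable. Even then the merged block is only a guess at the right contact, since, as the message says, the /16 of record may belong to a provider while the machine sits in a /22 it sold on.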