North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: and other impatient Postfix mailers everywhere (fwd)

  • From: Valdis.Kletnieks
  • Date: Fri Aug 03 01:25:28 2001

On Thu, 02 Aug 2001 18:44:21 CDT, Larry Sheldon <[email protected]>  said:
> Lemesee if I got this right...Paul Vixie doesn't know anybody that can
> pull my IP addresses out of their logs, look them up on ARIN, send me email.

A long time ago, in a galaxy far far away, the hostname ''
was listed as an NTP stratum-2 server.  Then the building got re-subnetted,
and its IP address changed.  THen a CNAME for was added that
pointed there.  Then the CNAME was moved to point to a different machine.
Then I turned off NTP service to the outside world.

WHen the recent NTP query-packet security problem was found, that host
had not been answering NTP queries off-campus for *6 months*.  It hadn't
been in clocks.txt for *2 years*.  Our router guy put in a filter on our
main router to log NTP packets.

5 minutes later he took it off, because that host was *STILL* getting
pounded to the level of 100 packets *per second*, courtesy of several
freeware packages that had lived on TUCOWS a long time ago.

In 5 minutes, we also got 15 or 20 hits on an IP address that it hadn't
had for *8 years*.

I'm sure that their packet flux is a lot higher than 100 packets
per second.  So you get to log them, sort out which ones are in duplicate
subnets (remembering that since CIDR, you *DONT* know where subnets
start and end - are 128.173.x.x and 128.174.x.x 2 /16s or a /15?
Are 198.82.251.x and 198.82.250.x /24s that belong to different companies,
or part of a CIDR block belonging to one organization?  

Remember in your analysis that NSI's whois is *notoriously* inaccurate,
and quite often the "owner of record" of a /16 is a service provider, and
the person you WANT to send the mail to is the admin of the company that
bought a /22 from that provider's /16.

Hint:  You ever had a hack-in attempt at your site, and tried to figure
out who owned the IP address?  How long did it take you?  Have you ever
come up empty-handed?  Good - now design a way to do that look-up several
hundred times *a second*.

But yeah, with a little bit of hand-waving, they could get the mail
to the right admin at the right company.

				Valdis Kletnieks
				Operating Systems Analyst
				Virginia Tech