North American Network Operators Group


Re: Top AS Offenders causing RFC-1918 DNS traffic

  • From: John M. Brown
  • Date: Sat Sep 14 20:49:59 2002

MS has issued fixes for 2K and XP.  

Roots aren't hammered as much any more, now that AS112 is up and
running.

At one point I helped run the servers for blackhole.iana.org; the 
volume of traffic was very high at times.  At times over 100Mb/s
worth of PTR requests.

One of the interesting things I saw was a correlation between
some enterprise sites getting DDOS'd with RFC1918 source packets
and their IDS/Firewall tools attempting to do PTR look ups.
Thus blackhole-1 and blackhole-2 .iana.org got slammed.  

I would call these orgs, speak to their net people and we would
mitigate by having them become authoritative for RFC1918.in-addr.arpa.

Once they did that, we never saw their traffic again.

This led to anycasting RFC-1918 services and the AS112 project.
AS112 and to anycast was Paul's idea.  It saved the two servers
and the transit those two servers had at IANA.  And it localizes
the impact on the net.

The amount of DynDNS updates was much less.  Become AUTH for 
RFC-1918.in-addr.arpa and I suspect you will see that traffic
sink inside your network and not leave to hammer others.


Setting the RFC-1918's to resolve to a server in 1918 isn't
a good idea.

john brown
speaking as a geek
and for no org.



On Sat, Sep 14, 2002 at 05:09:02PM -0700, Sameer R. Manek wrote:
> 
> It would not surprise me that pacbell/swbell aka SBC and Time
> Warner/Roadrunner are among the biggest offenders here. A significant
> portion of their customers are DSL/cable modem subscribers.
> 
> Since Win2k and I assume XP both attempt to perform dynamic dns updates,
> hosts behind NAT, windows will happily send the update requests up the dns
> tree as far as it can. When @Home was around, the primary name servers for
> home.com used to see update attempts constantly.
> 
> Paul Vixie has posted in here statistics about the root levels getting
> hammered by such update attempts in the past.
> 
> Any technical solution performed at the network level would be a bubble gum
> and duct tape attempt to fix what was poorly engineered at the software
> level. Since it's unlikely Microsoft will issue some sort of fix to the
> problem.
> 
> Perhaps IANA should set the name servers to an address within each
> particular block, that would at least keep the traffic local to the
> organization, and not hammer larger internet infrastructure name servers.
> 
> Sameer
> 
> 
> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]]On Behalf Of
> > Peter Salus
> > Sent: Saturday, September 14, 2002 2:54 PM
> > To: John M. Brown
> > Cc: [email protected]; [email protected]
> > Subject: Re: Top AS Offenders causing RFC-1918 DNS traffic
> >
> >
> >
> >
> > It seems to me that some folks may not realize who owns
> > John Brown's 5 AS villains.
> >
> > 4134 is Chinanet
> > 3352 is Ibernet
> > 7132 is Southwestern Bell
> >
> > and
> >
> > 5673 )
> > 5676 ) are both SBC
> >
> > As Southwestern Bell is a part of SBC, it looks like
> > SBC is a major villain where RFC-1918 DNS traffic is
> > concerned.
> >
> > Peter
>
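
Added example, not part of the original thread: a short Python check that maps PTR queries seen in a resolver log to the RFC 1918 reverse zone a site would need to serve locally, following the "become authoritative" mitigation described in the message. The log line format, sample lines and function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# The three RFC 1918 blocks, in the order tested below.
NET10, NET172, NET192 = (ipaddress.ip_network(n) for n in
                         ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))
# Assumed (simplified) query-log format: "... query: <qname> IN PTR"
QUERY_RE = re.compile(r"query: (\S+) IN PTR\b")
SUFFIX = ".in-addr.arpa"

def local_zone_for(qname):
    """Return the RFC 1918 reverse zone covering a PTR name, or None."""
    name = qname.rstrip(".").lower()
    if not name.endswith(SUFFIX):
        return None
    labels = name[:-len(SUFFIX)].split(".")
    if len(labels) > 4 or not all(
            re.fullmatch(r"[0-9]{1,3}", l) and int(l) < 256 for l in labels):
        return None
    octets = [str(int(l)) for l in reversed(labels)]  # back to address order
    addr = ipaddress.ip_address(".".join(octets + ["0"] * (4 - len(octets))))
    if addr in NET10:
        return "10.in-addr.arpa"
    if addr in NET172:                    # 172.16/12 splits into 16 zones
        return f"{octets[1]}.172.in-addr.arpa"
    if addr in NET192:
        return "168.192.in-addr.arpa"
    return None                           # public space or malformed name

def leaked_ptr_zones(log_lines):
    """Count PTR queries per RFC 1918 reverse zone found in log lines."""
    hits = Counter()
    for line in log_lines:
        m = QUERY_RE.search(line)
        zone = local_zone_for(m.group(1)) if m else None
        if zone:
            hits[zone] += 1
    return hits

# Constructed sample log lines (client addresses are documentation space).
SAMPLE_LOG = [
    "client 192.0.2.10#53124: query: 5.1.168.192.in-addr.arpa IN PTR",
    "client 192.0.2.10#53125: query: 77.3.20.172.in-addr.arpa IN PTR",
    "client 192.0.2.11#40000: query: 9.8.7.10.in-addr.arpa. IN PTR",
    "client 192.0.2.11#40001: query: 1.0.32.172.in-addr.arpa IN PTR",
    "client 192.0.2.12#40002: query: www.example.com IN A",
    "client 192.0.2.12#40003: query: 6.1.168.192.in-addr.arpa IN PTR",
]

if __name__ == "__main__":
    for zone, count in leaked_ptr_zones(SAMPLE_LOG).most_common():
        print(f"{count:4d}  {zone}")
```

Any zone this reports is one the local resolver is not answering itself; the 172.32.x.x line is correctly ignored because it falls outside 172.16.0.0/12.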