North American Network Operators Group


filtering 1918 (was Re: Summary with...: Domain Name System ...)

  • From: Paul Vixie
  • Date: Wed Aug 18 16:00:15 2004

> That said, I do filter 1918 at my edge.
> 
> /vijay

ok everybody, vijay says the snapshot below didn't come from him.
who wants to claim it, then?

# tcpdump -n -c 25 net 10 or net 192.168 or net 172.16.0.0/12
tcpdump: listening on fxp0
19:52:53.787244 10.9.10.250.53 > 192.5.5.241.53:  29644 MX? rogers.com. (29)
19:52:53.789098 10.9.10.250.53 > 192.5.5.241.53:  29643 A? tock.usno.navy.mil. (36)
19:52:53.790367 10.9.10.250.53 > 192.5.5.241.53:  29642 MX? nygh.on.ca. (29)
19:52:53.791023 10.9.10.250.53 > 192.5.5.241.53:  29641 MX? sympatico.ca. (31)
19:52:54.000576 10.6.166.16.35067 > 192.5.5.241.53:  51520 PTR? 23.180.243.65.in-addr.arpa. (44) (DF)
19:52:54.000591 10.6.166.16.35067 > 192.5.5.241.53:  39692 MX? wedweb.cc. (27) (DF)
19:52:54.049835 10.21.13.50.32769 > 192.5.5.241.53:  19542 NS? . (17) (DF)
19:52:54.167651 10.1.10.8.53 > 192.5.5.241.53:  17611 PTR? 1.18.32.10.in-addr.arpa. (41)
19:52:54.227294 172.22.26.5.53 > 192.5.5.241.53:  5298 A? autodesk.com. (30)
19:52:54.327460 10.48.10.250.53 > 192.5.5.241.53:  29477 MX? unco.edu. (27)
19:52:54.328475 10.48.10.250.53 > 192.5.5.241.53:  29476 MX? unco.edu. (27)
19:52:54.329118 10.48.10.250.53 > 192.5.5.241.53:  29475 MX? icella.com. (29)
19:52:54.329736 10.48.10.250.53 > 192.5.5.241.53:  29474 MX? att.net. (26)
19:52:54.487335 10.40.1.29.53 > 192.5.5.241.53:  10970 [b2&3=0x400] A? czdm01.bauholding.com. (39)
19:52:54.490662 10.40.1.29.53 > 192.5.5.241.53:  10971 A? IBM-4406B6DF58E.bauholding.com. (48)
19:52:54.491791 192.168.0.2.1033 > 192.5.5.241.53:  4574 A? velu.neuro6.com. (33)
19:52:54.493123 192.168.0.2.1033 > 192.5.5.241.53:  4580 A? velu.neuro6.com. (33)
19:52:54.495051 192.168.0.2.1033 > 192.5.5.241.53:  12777 A? velu.neuro6.com. (33)
19:52:54.508596 172.23.3.39.1057 > 192.5.5.241.53:  2240 A? download.windowsupdate.com. (44)
19:52:54.511223 172.23.3.39.1057 > 192.5.5.241.53:  14538 A? download.windowsupdate.com. (44)
19:52:54.513568 172.23.3.39.1057 > 192.5.5.241.53:  6358 A? download.windowsupdate.com. (44)
19:52:54.527938 10.26.0.10.32769 > 192.5.5.241.53:  53702 A? nuyoo.utm.mx. (30) (DF) [tos 0x4] 
19:52:54.553784 192.168.192.49.47768 > 192.5.5.241.53:  34671 PTR? 36.7.7.4.in-addr.arpa. (39) (DF)
19:52:54.605368 10.26.0.10.32769 > 192.5.5.241.53:  60698 A? uumail.unt.edu.ar. (35) (DF) [tos 0x4] 
19:52:54.634115 10.26.0.10.32769 > 192.5.5.241.53:  30349[|domain] (DF) [tos 0x4] 
2410 packets received by filter
0 packets dropped by kernel

note: in 106 days of uptime, this particular host inside the f-root cluster
has discarded the following:

        rule#   packets   --octets-- -------------rule--------------------
        00400   6446004    428112547 deny ip from 10.0.0.0/8 to any in
        00500   5874604    369667080 deny ip from 172.16.0.0/12 to any in
        00600   8367728    546972348 deny ip from 192.168.0.0/16 to any in

this seems excessive, and so i've been assuming that it was all vijay's
fault.  but apparently it's not him.  so which one of you isn't filtering
1918 at your edge?  (oops, it's all of you, isn't it?)
-- 
Paul Vixie
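The capture above is useful on the defender's side as well: if you run a recursive or authoritative server, the same tcpdump lines tell you which of your own customers or internal networks are leaking RFC 1918 sources past their edge. The following is an added example, not code from the post or from the f-root cluster; it parses tcpdump lines in the format shown (including the `[b2&3=0x400]` flag and the truncated `[|domain]` form), maps each source to one of the three 1918 blocks that the ipfw counters track, and tallies queries per block and per leaking host. The sample lines are copied from the capture in the post.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# The three RFC 1918 blocks, one per ipfw deny rule quoted in the post.
RFC1918 = [ip_network("10.0.0.0/8"),
           ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]

# tcpdump DNS line: "ts src.port > dst.port:  id [flags] QTYPE? qname (len) ...".
# The question section is optional because truncated queries print "[|domain]".
LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"(?P<id>\d+)(?:\s+\[[^\]]*\])?\s*"
    r"(?:(?P<qtype>[A-Z]+)\?\s+(?P<qname>\S+))?"
)

def parse_line(line):
    """Parse one tcpdump DNS line; return None for non-packet lines (summary, errors)."""
    m = LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    src = ip_address(rec["src"])
    rec["block"] = next((str(n) for n in RFC1918 if src in n), None)
    return rec

def summarize(lines):
    """Count 1918-sourced queries per block and per source host; non-1918 lines are skipped."""
    per_block, per_source = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["block"] is None:
            continue
        per_block[rec["block"]] += 1
        per_source[rec["src"]] += 1
    return per_block, per_source

# Sample input: five packet lines plus the trailing summary line, taken from the post's capture.
SAMPLE = """\
19:52:53.787244 10.9.10.250.53 > 192.5.5.241.53:  29644 MX? rogers.com. (29)
19:52:54.227294 172.22.26.5.53 > 192.5.5.241.53:  5298 A? autodesk.com. (30)
19:52:54.487335 10.40.1.29.53 > 192.5.5.241.53:  10970 [b2&3=0x400] A? czdm01.bauholding.com. (39)
19:52:54.491791 192.168.0.2.1033 > 192.5.5.241.53:  4574 A? velu.neuro6.com. (33)
19:52:54.634115 10.26.0.10.32769 > 192.5.5.241.53:  30349[|domain] (DF) [tos 0x4]
2410 packets received by filter""".splitlines()

if __name__ == "__main__":
    blocks, sources = summarize(SAMPLE)
    for block, n in blocks.most_common():
        print(f"{block:16} {n} queries")
    for src, n in sources.most_common():
        print(f"  {src:16} {n}")
```

Feeding it `tcpdump -n -l ... | python3 script.py` style output over a longer window gives the per-source list an operator needs to find which downstream network is missing its egress filter.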