North American Network Operators Group


Re: Schneier: ISPs should bear security burden

  • From: Steven Champeon
  • Date: Fri Apr 29 15:28:56 2005

on Thu, Apr 28, 2005 at 04:38:00PM +0930, Mark Newton wrote:
> 
> On Thu, Apr 28, 2005 at 02:16:36AM -0400, Steven J. Sobol wrote:
> 
>  > Any IP that a provider allows servers on should have 
>  > distinctive, non-dynamic-looking DNS (and preferably be in a separate 
>  > netblock from the dynamically-assigned IPs).
> 
> What the hell is a "non-dynamic-looking DNS"?  Sure, if I see something
> like "static-192-168-1-1.isp.net" I can be reasonably sure that it's
> non-dynamic-looking,

Eh, doesn't really matter to me, it's still generic, and still impossible
to tell from static-192-168-1-2.isp.net, and if they've sent me spam or a
virus or hammered on my ssh/ftp/pop servers, I'm not going to accept mail
from them, either. Want to run a mail server? Give it non-generic rDNS.
I already assume that it should be on a static IP, but that doesn't mean
I assume that all static connections are worth accepting mail from.

> but what does the same thing look like in 
> Portuguese? 

e.g. 
197.87.30.213.rev.vodafone.pt (rev? boy, there's an informative naming
convention for rDNS - it's "rev", everybody)
adsl-norte02-1-136.vianw.pt - no way to tell if it's static/dynamic
195-23-87-54.tvtel.pt - no way to tell
adslfixo-b3-115-101.telepac.pt - static
adslsapo-b4-38-128.telepac.pt - 'sapo' means 'frog', apparently
dial-b3-61-196.telepac.pt - assumed dynamic
0000007790-10001150399.acesso.oni.pt - acesso? static or dynamic?
195-23-125-174.net.novis.pt - apparently, it's some kind of network
48-29.dial.nortenet.pt - assumed dynamic
pal-213-228-134-120.netvisao.pt - no way to tell
a213-22-198-130.netcabo.pt - no way to tell
0000002180-0001062928.dial.net4b.pt - no way to tell, assumed dynamic
d173018.csc.net.KPNQwest.pt - ".net"? no way to tell
213-63-0-209.jdsl.jazznet.pt - no way to tell
194-79-84-31.nr.ip.pt - no idea

At least some of the Portuguese providers use right-anchored substrings
so you don't have to use regexes to block mail from generic hosts. All
of those hosts have spammed me, so I don't accept mail from any of them
or anything that looks like them anymore.

Brazil is a mess, but they still adhere to many of the same sorts of
rDNS naming conventions as everyone else, they just tend to do it really
haphazardly. You'll see 'fixo' for static, 'dinamico' for dynamic,
'cliente' for client. 'rede' for network, 'cabo' for cable. I've seen
at least one 'conexao'. I dunno about PT influence on other parts of the
world.

> German? 

213-239-235-249.clients.your-server.de
pop8-427.catv.wtnet.de
62.241.33.6.rev.worldbone.de
dont-blame-admin-its-a-dsl-pool-12-41.wobline.de <-- a personal fave
189-50.access.witcom.de
u2-25.dsl.vianetworks.de
ppp025.f.ipdial.vianetworks.de
154.2.sr1.DTM1.ip.versanet.de
a188060.studnetz.uni-leipzig.de <-- resnet
dynamic202.jura.uni-bonn.de
ip-112-188.travedsl.de
c-217.27.193.195.host.tnp-potsdam.de
42.adsl.tnp-potsdam.de
p213.54.0.171.tisdip.tiscali.de
td9091b9a.adsl.terralink.de
td9091c62.pool.terralink.de
etc.

Same case as above. You might be surprised at how consistent the naming
conventions are, with very little local color. 

> Spanish? 

Some regional differences between Mexico and Latin America on the one hand
and Spain on the other, but some examples from both:

via-addr11018.vianetworks.es
62-36-112-5.dialup.uni2.es
62-37-53-13.mad2.adsl.uni2.es
62-36-123-150.unresolved.net.uni2.es <-- personal fave
193-152-205-108.uc.nombres.ttd.es
213-129-168-49.DialUp.tiscali.es
48.host.terra.es
cm-213.141.42-126.telecable.es
d213-102-65-192.cust.tele2.es
128-VIGO-X6.libre.retevision.es
81-172-11-216.usuarios.retecal.es
62-15-203-25.inversas.jazztel.es
eu04-11.clientes.euskaltel.es
host-200.77.152.40-cust.telemedia.net.mx
dsl-201-128-15-62.prodigy.net.mx
ip-fir-clbi207-249-85-82mexis.net.mx (sic)
host112197.metrored.net.mx
customer-COB-122-31.megared.net.mx
dialip-200-53-62-177-gdl.marcanet.net.mx
ap-tp-acs15-093.ap.infosel.net.mx
dial-148-243-59-179.zone-1.dial.net.mx
cablea0olr.cybercable.net.mx
cmodem067.zona5.cablered.net.mx
host-148-244-152-186.block.alestra.net.mx
telviso-dsl-bloques-03-200-85-107-243.telviso.net.ar
adsl187-teco.via-net-works.net.ar
200-42-111-172.dup.prima.net.ar
200-42-83-250.cab.prima.net.ar
200-55-75-126.dsl.prima.net.ar
dig-ppp69156547.copetel.net.ar
line106.comsat.net.ar

'red', mostly, for 'network'. And 'usuarios' for 'users', 'linea' for
line. The universities are the worst, as you end up with names of
sciences and disciplines and so forth, but as long as you don't block
'correo' or 'fpe' or 'fep' you should be fine.

> French? 

French is more difficult, as you might expect, because of course they
all use French words from time to time and last I knew, the official
government position was to create French words to replace any borrowed
American/English words so as to prevent the lingo from being corrupted.
So, a lot more mail servers named "courrier-electronique1.example.fr"
and the like. But when it comes to the multinationals, the naming is
usually the same or similar.

ANantes-106-1-5-107.w193-251.abo.wanadoo.fr
dyn-195-242-113-210.ppp.tiscali.fr
rev.host-159.6.tiscali-business.fr
d213-103-74-10.cust.tele2.fr
c2cea00e.adsl.oleane.fr
c3065fb3.tutti.oleane.fr <-- dunno. "all"?
ip-202.net-81-220-135.standre.rev.numericable.fr
e232.dhcp212-198-94.noos.fr
ppp-6.net-102.magic.fr
isdn-211.nantes.imaginet.fr
du-201-1.nat.dialup.freesurf.fr
infodis6238-2.clients.easynet.fr
du-214-105.nat.adsl.claranet.fr

You'll see 'abo' for 'cable', perhaps? as well as 'cable'. But for most
of the abbreviations and acronyms you'll see the same thing worldwide.
They haven't bothered to backtranslate PPP or ISDN or ADSL or DHCP.

And in Canada, where the movement to require multiple PTR records for
each IP in both French and English has stalled, you'll see stuff like:

d109.rocler.qc.ca - wtf?
IGV-C122.rocler.qc.ca - ?
ppp1239.webnet.qc.ca
dyn-230.loisirquebec.QC.CA
ppp36.67-113-216.ivic.qc.ca
ppp2-15.infoteck.qc.ca
dsl-205-205-142-112.cooptel.qc.ca
cnq20-253.cablevision.qc.ca
181-111-cormier-56k.9bit.qc.ca

You'll also see 'modemcable' or 'mc', such as videotron.ca, or
intermonde.ca uses, but they're the only ones I know of.

> (Korean?  Chinese?)

Dunno. Don't have many examples of those, as I block most traffic from
there, and what I didn't block didn't often have rDNS anyway. The one
net.cn example I have, nova, named all of their rDNS with
user.nova.net.cn - yep, that's it - what every host is named.

And the other non-edu example I have is

ppp191-188-129-61.online.sh.cn

Taiwan, on the other hand, is a complete mess in the edu space. But in
.net.tw it's pretty anglified and for the most part uses right anchors:

tp167099.adsl.tisnet.net.tw
tp167099.adsl.static.tisnet.net.tw
150-186.73.211-tdtv.tinp.net.tw
25.69.81.219.dynamic.tfn.net.tw
219-81-103-119.static.tfn.net.tw
61-62-33-143-adsl-tai.STATIC.so-net.net.tw
139-175-217-18.dialup.dynamic.seed.net.tw
221-169-101-166.adsl.static.seed.net.tw
218-187-123-82.dynamic.best.lsc.net.tw
243-197-63-61.lease.isl.net.tw
61-70-116-205.adsl.static.giga.net.tw
203-203-103-33.cable.dynamic.giga.net.tw
host81.21067173.gcn.net.tw

FPT Viet Nam uses 'adsl-pool-xxx', 'adsl-fix-xxx', and 'dialup-xxx' (yes,
the x's are part of the actual name, not a placeholder for the numbers).

The only ISPs' naming conventions I've had a difficult time translating
are the Finns, and the occasional Hungarian or Rumanian; and even those
give an opportunity for creativity:

dsl-XXII-150.kotikaista.weppi.fi - yep, Roman numerals

There are three or more Finnish ISPs using full-on Roman Numerals for
their rDNS naming. multi.fi, weppi.fi, and saunalahti.fi. But even the
rest of the Finns use 'dsl', 'catv', 'dialup'. I think the only regional
variation is 'netti', which I assume means 'net'. The Swedes use
'bredband'. The Japanese use 'flets' and 'ftth', the Dutch and others
sometimes use 'kabel', Spanish speakers have 'telviso', and dial into
'pooles'. 'dedicado' is the name of an ISP in Uruguay, but they name all
their hosts with two numbers e.g. 107-15.dedicado.com.uy. Almost all of
the edu space uses 'dorm' or 'resnet' or some variation, except UNC
Greensboro, who, in a boon to address scrapers everywhere, actually
encourage abuse of their students' email by naming their dynamically
assigned hosts after the user's uncc.edu email address (I noticed this
in an rDNS scan trying to find a pattern so I could block abuse from
their network, and noticed that whereas most of the names looked like
flast-type formations, e.g., schampeon.uncg.edu, (naturally, not
subdomained off into 'students' or 'resnet', either) some of them looked
like schampeonuncgedu.uncg.edu, and then came somebody75aolcom.uncg.edu).
If I've noticed it, be sure the spammers have.

> Just wait'll we start getting unicode DNS names in non-English alphabets.
> Perhaps then you can tell what to look for in a string of Kanji symbols
> which might be suggestive of the concept of "static".

Well, when that happens, I'm sure we'll all have to learn the Kanji or
Mandarin strings for static and dynamic and ppp and so forth. Oh, well.

-- 
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com
join us!   http://hesketh.com/about/careers/account_manager.html    join us!
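
The right-anchored matching and keyword conventions discussed in the message above, as an added sketch that is not part of the original post: it classifies a PTR name by suffix rule first, then by the access-type words quoted in the message, then by whether the connecting IPv4 address is embedded in the name. The function names, the `SUFFIX_RULES` policy and the sample addresses in the test are assumptions made for illustration.

```python
import re

# Tokens taken from the naming conventions quoted in the message above.
DYNAMIC = {"dial", "dialup", "ppp", "dyn", "dynamic", "dhcp", "pool", "dinamico"}
STATIC = {"static", "fixo", "fix"}
ACCESS = {"adsl", "dsl", "cable", "cabo", "catv", "kabel", "bredband", "isdn",
          "cust", "clients", "clientes", "usuarios", "rev", "host"}

# Right-anchored rules (constructed sample policy): a plain endswith() is enough
# when the provider puts the address class in its own subdomain.
SUFFIX_RULES = {
    ".dynamic.tfn.net.tw": "dynamic",
    ".static.tfn.net.tw": "static",
    ".dial.nortenet.pt": "dynamic",
}

def embeds_ip(host, ip):
    """True if the four octets of an IPv4 ip appear as consecutive numbers in
    host, in forward or reversed order (leading zeros ignored)."""
    want = [str(int(o)) for o in ip.split(".")]
    runs = [str(int(r)) for r in re.findall(r"\d+", host)]
    windows = [runs[i:i + 4] for i in range(len(runs) - 3)]
    return want in windows or want[::-1] in windows

def classify_rdns(host, ip):
    """Return 'dynamic', 'static', 'generic' or 'custom' for a PTR name."""
    host = host.lower().rstrip(".")
    for suffix, verdict in SUFFIX_RULES.items():
        if host.endswith(suffix):
            return verdict
    words = set(re.findall(r"[a-z]+", host))  # alphabetic runs, digits dropped
    if words & DYNAMIC:
        return "dynamic"
    if words & STATIC:
        return "static"
    if words & ACCESS or embeds_ip(host, ip):
        return "generic"  # provider-assigned name, class not stated
    return "custom"

def accept_mail(host, ip):
    """Policy from the message: only hosts with non-generic rDNS may send mail."""
    return classify_rdns(host, ip) == "custom"
```

Whole-word matching misses fused labels such as `adslfixo` or `modemcable`, which fall through to the access-word and embedded-IP checks or need their own suffix rule.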