North American Network Operators Group


Re: what the heck do i do now?

  • From: Jon Lewis
  • Date: Wed Jan 31 23:10:45 2007


On Thu, 1 Feb 2007, Paul Vixie wrote:


> > One thing you might consider is putting together a script to harvest email
> > addresses from whois records that correspond to the PTR for the querying
> > IPs.  Add to that list abuse, postmaster, webmaster, hostmaster, etc @ the
> > poorly run domain.  Then fire off a message explaining the situation and
> > that you'll be adding a wildcard record on such and such date (preferably
> > not 4/1).  Script all of this and run it every couple of days until the
> > date you gave and then follow through with the wildcard entry.  This
> > undoubtedly won't stop all of the whining but you can at least say you
> > tried.
>
> volunteers are welcome to apply for that job.

It's actually a trivial thing to do. Start with something like the geektools whois proxy. That'll handle getting the queries to the right RIR's whois server. Then all you need to do is parse the output for email addresses. For extra credit, you can look for common "abuse" addresses in the output and ignore other addresses in outputs where an "abuse" address is found.


As for trying to "make it stop", the two methods thought to be most successful are:

1) maps.vix.com. 604800 IN NS .

2) maps.vix.com.	604800	IN	NS	u1.vix.com.
   maps.vix.com.	604800	IN	NS	u2.vix.com.
   maps.vix.com.	604800	IN	NS	u3.vix.com.
   ... [as many as you like]
   u1.vix.com.		604800	IN	A	192.0.2.1
   u2.vix.com.		604800	IN	A	192.0.2.2
   u3.vix.com.		604800	IN	A	192.0.2.3
   ... [as many as you like]

1) just tells them there is no NS, go away.

2) gives them someone unreachable to try, which they'll do, and do, and do, wasting lots of retransmitted queries and the time it takes them to time out. If you're lucky, the timeouts might be noticed as increased load and mail slowdown on the servers sending these queries.

Either way, a properly functioning caching DNS should leave you alone for a while after caching the fact that there (is no NS for maps.vix.com||the NS's for maps.vix.com are unreachable/unresponsive), i.e., either of these should mitigate the traffic far better than simply returning NXDOMAIN for every maps.vix.com dnsbl query.

Successful here doesn't necessarily mean "the traffic stopped" but rather the traffic has been mitigated as much as is possible without actually getting people to fix their systems and stop querying the dead zone.

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
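
The whois-parsing step described in the message above, as an added example that is not part of the original post or anyone's production script: it pulls e-mail addresses out of whois output, keeps only abuse contacts when any are present, and appends the role accounts named in the quoted suggestion. The function names, the banner-skipping rule and the sample whois records are assumptions constructed for illustration; fetching the whois output (for instance through a whois proxy) is left out.

```python
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
# Role accounts listed in the quoted suggestion.
ROLE_ACCOUNTS = ("abuse", "postmaster", "webmaster", "hostmaster")

# Constructed sample whois output (documentation ranges and example domains).
ARIN_SAMPLE = """\
# questions about this service: hostmaster@registry.example
NetRange:       192.0.2.0 - 192.0.2.255
OrgName:        Example Networks
OrgTechEmail:   noc@example.net
OrgAbuseEmail:  abuse@example.net
"""
RIPE_SAMPLE = """\
% Information related to '198.51.100.0 - 198.51.100.255'
inetnum:        198.51.100.0 - 198.51.100.255
abuse-mailbox:  csirt@example.org
e-mail:         admin@example.org
"""
PLAIN_SAMPLE = """\
e-mail:   admin@example.com
e-mail:   Admin@Example.com
changed:  tech@example.com 20060101
"""


def extract_contacts(whois_text):
    """E-mail addresses in whois output; only abuse contacts when any exist."""
    found = {}  # address -> True if it looks like an abuse contact
    for line in whois_text.splitlines():
        if line.lstrip().startswith(("%", "#")):
            continue  # registry banner/comment lines, not the network's contacts
        key = line.split(":", 1)[0].lower()  # field name, e.g. "abuse-mailbox"
        for addr in EMAIL_RE.findall(line):
            addr = addr.lower()
            is_abuse = "abuse" in key or "abuse" in addr.split("@")[0]
            found[addr] = found.get(addr, False) or is_abuse
    abuse = [a for a, flag in found.items() if flag]
    return abuse or list(found)


def notification_targets(whois_text, domain):
    """Whois contacts plus role accounts at the querying host's domain."""
    targets = extract_contacts(whois_text)
    for role in ROLE_ACCOUNTS:
        addr = f"{role}@{domain.lower().rstrip('.')}"
        if addr not in targets:
            targets.append(addr)
    return targets
```
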