North American Network Operators Group
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: resnets and naming

  • From: Scott McGrath
  • Date: Fri Feb 16 09:35:02 2007

We have similar problems here

I can talk offnet about the remediation tools and systems we use here many of which are cheap and applicable to a service provider environment as most large edu's are more
comparable to a small town service provide than a enterprise network.

we recently upgraded our DHCP/DNS system to the solution from vendor 'C' as part of this the general user systems were renamed this of course included the resnet systems

i.e. dhcp-0123456-78-10.[student|client].domain.edu


Steven Champeon wrote:
on Fri, Feb 16, 2007 at 07:43:38AM -0500, Eric Gauthier wrote:
Dorms are basically large honey nets. :)
I run the network for a University with about 12,000 students and
12,000 computers in our dormitories. We, like many other Universities,
have spent the last five or six years putting systems in place that
are both reactive and preventative. From my perspective, the issues
are still there but I'm not sure that I agree with your implications.

Do we still have "compromised" systems? Yes. Is the number of "compromosed" systems at any time large? No.
Is the situation out of control? No.

Email me off-list if you want more details. IMHO, Its too bad broadband providers have not yet picked up on what the Universities have done.

Hear, hear. It's also too bad that there are still so many .edus without
rDNS that identifies their resnets and dynamic/anonymous space easily,
though the situation seems to be improving. Not knowing which .edu is
yours, I'll refrain from further comment, but I will give some examples
from some that I know about:

Good examples:
[0-9a-z\-]+\.[0-9a-z\-]+\.resnet\.ubc\.ca
[0-9a-z\-]+\.[0-9a-z]+\.resnet\.yorku\.ca
ip\-[0-9]+\.student\.appstate\.edu
r[0-9]+\.resnet\.cornell\.edu
ip\-[0-9]+\-[0-9]+\.resnet\.emich\.edu
[0-9a-z\-]+\.resnet\.emory\.edu
dynamic\-[0-9]+\-[0-9]+\.dorm\.natpool\.uc\.edu

Bad examples:
resnet\-[0-9]+\.saultc\.on\.ca
[0-9a-z\-]+\.(brooks|camp|congdon|cubley|graham|hamlin|moore|powers|price|townhouse|woodstock)\.clarkson\.edu
[a-z]+\.(andr|carm|ford|laws|stev|thom|ucrt)[0-9]+\.eiu\.edu
(linden|parkave|ruthdorm|ucrt|village)[0-9a-z]+\-[0-9a-z]+\.fdu\.edu
resnet[0-9]+\.saintmarys\.edu
[0-9a-z\-]+(aolcom|uncgedu)\.uncg\.edu **
(l[0-9]+stf|bl)[0-9]+\.bluford\.ncat\.edu

The general idea is, as has been mentioned before, to use a naming
convention that can easily be blocked in sendmail and other MTAs by the
simple addition of a domain tail or substring to an ACL, such as
'resnet.miskatonic.edu' or 'dyn.miskatonic.edu'. As interesting it can
be to explore the campus map trying to figure out whether a given DNS
token represents a lab, the administration building, the faculty lounge,
or a dorm, over and over again, there's gotta be some activity that is
more rewarding in the long run, such as skeet shooting or helping people
disinfect their computers (or, joy of joys - both simultaenously!)

** I'd like to single out uncg.edu for special ridicule here - I hope
they're still not doing this, but at one point over the last three years
at least, their DHCP addresses were comprised of the end user's email
address, sans '.' and '@', AS THE HOSTNAME in an otherwise non-subdomained
whole:

e.g., '[email protected]' got the hostname 'britney1986aolcom.uncg.edu',
'[email protected]' got 'billguncgedu.uncg.edu', etc.

I'm sure the spammers who plague uncg.edu today didn't get their entire
computer-literate student body's addresses through an rDNS scan. After
all, not /all/ of the addresses were in uncg.edu. The rest were in AOLland
or at hotmail or a few other obvious freemail providers.