MS has issued fixes for 2K and XP. Roots aren't hammered as much any more, now that AS112 is up and running.

At one point I helped run the servers for blackhole.iana.org; the volume of traffic was very high at times, at times over 100Mb/s worth of PTR requests. One of the interesting things I saw was a correlation between some enterprise sites getting DDoS'd with RFC1918 source packets and their IDS/firewall tools attempting to do PTR lookups. Thus blackhole-1 and blackhole-2.iana.org got slammed. I would call these orgs, speak to their net people, and we would mitigate by having them become authoritative for RFC1918.in-addr.arpa. Once they did that, we never saw their traffic again.

This led to anycasting RFC-1918 services and the AS112 project. AS112 and the move to anycast were Paul's idea. It saved the two servers and the transit those two servers had at IANA. And it localizes the impact on the net. The amount of DynDNS updates was much less.

Become AUTH for RFC-1918.in-addr.arpa and I suspect you will see that traffic sink inside your network and not leave to hammer others.

Setting the RFC-1918's to resolve to a server in 1918 isn't a good idea.

john brown
speaking as a geek and for no org.

On Sat, Sep 14, 2002 at 05:09:02PM -0700, Sameer R. Manek wrote:
It would not surprise me that pacbell/swbell aka SBC and Time Warner/Roadrunner are among the biggest offenders here. A significant portion of their customers are DSL/cable modem subscribers.

Since Win2k and, I assume, XP both attempt to perform dynamic DNS updates, for hosts behind NAT Windows will happily send the update requests up the DNS tree as far as it can. When @Home was around, the primary name servers for home.com used to see update attempts constantly.

Paul Vixie has posted statistics here in the past about the root level getting hammered by such update attempts.

Any technical solution performed at the network level would be a bubble gum and duct tape attempt to fix what was poorly engineered at the software level, since it's unlikely Microsoft will issue some sort of fix for the problem.
Perhaps IANA should set the name servers to an address within each particular block, that would at least keep the traffic local to the organization, and not hammer larger internet infrastructure name servers.
Sameer
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Peter Salus
Sent: Saturday, September 14, 2002 2:54 PM
To: John M. Brown
Cc: nanog@merit.edu; peter@matrix.net
Subject: Re: Top AS Offenders causing RFC-1918 DNS traffic
It seems to me that some folks may not realize who owns John Brown's 5 AS villains.
4134 is Chinanet
3352 is Ibernet
7132 is Southwestern Bell

and

5673 )
5676 ) are both SBC
As Southwestern Bell is a part of SBC, it looks like SBC is a major villain where RFC-1918 DNS traffic is concerned.
Peter
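John Brown's remedy above (become authoritative for the RFC 1918 reverse zones so PTR lookups and Windows dynamic-update probes for private addresses die inside your own network instead of reaching blackhole-*.iana.org or the roots) worked through as an added example. This is not code from the thread or from any of the people quoted in it. It enumerates the 18 in-addr.arpa zones that cover 10/8, 172.16/12 and 192.168/16, emits BIND 9 style `zone` stanzas plus the minimal SOA/NS "empty" zone file they can all share, and runs a leak check over a few constructed BIND-style query-log lines to show which PTR queries would otherwise have left the network. The zone-file path, the `localhost.` NS name and the log lines are assumptions made for the example.

```python
"""Added example, not part of the original NANOG thread.

Local authority for the RFC 1918 reverse trees: build the zone list, emit
BIND 9 style config for it, and classify PTR queries from a resolver log
that would have leaked up the tree without it.  File paths, server names
and the log lines below are constructed for illustration.
"""
import ipaddress
import re

# RFC 1918 space.  172.16/12 does not end on an octet boundary, so it is
# covered by sixteen /16 reverse zones (16.172 ... 31.172.in-addr.arpa).
RFC1918_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def rfc1918_reverse_zones():
    """Return the in-addr.arpa zone names covering all RFC 1918 space."""
    zones = []
    for net in RFC1918_NETS:
        plen = 8 if net.prefixlen <= 8 else 16          # zone cut on an octet
        pieces = [net] if net.prefixlen == plen else net.subnets(new_prefix=plen)
        for sub in pieces:
            octets = str(sub.network_address).split(".")[: plen // 8]
            zones.append(".".join(reversed(octets)) + ".in-addr.arpa")
    return zones


def ptr_name(ip):
    """Reverse-pointer name for an IPv4 address: 10.1.2.3 -> 3.2.1.10.in-addr.arpa"""
    return ipaddress.ip_address(ip).reverse_pointer


def covering_zone(qname, zones=None):
    """RFC 1918 reverse zone a query name falls under, or None.
    The leading dot in the suffix test keeps 110.in-addr.arpa from matching 10."""
    zones = zones or rfc1918_reverse_zones()
    q = qname.rstrip(".").lower()
    for z in zones:
        if q == z or q.endswith("." + z):
            return z
    return None


def bind_empty_zone_config(zones, zonefile="/etc/bind/db.empty"):
    """named.conf stanzas making this server master for every zone.
    All of them can share one file; 'notify no' keeps it quiet.  (Path assumed.)"""
    return "\n".join(
        f'zone "{z}" {{ type master; file "{zonefile}"; notify no; }};' for z in zones)


def empty_zone_file(ns_name="localhost.", contact="root.localhost."):
    """Contents of the shared zone file: an SOA and one NS, nothing else, so any
    PTR lookup gets a local NXDOMAIN and a Windows SOA probe for dynamic
    update is answered here rather than by the tree above us.  Names assumed."""
    return (f"$TTL 86400\n"
            f"@ IN SOA {ns_name} {contact} ( 1 3600 900 604800 86400 )\n"
            f"@ IN NS {ns_name}\n")


# BIND 9 style query log line: "... query: <qname> IN <qtype> ..."
QUERY_RE = re.compile(r"query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def leaking_ptr_queries(log_lines):
    """Count PTR queries per RFC 1918 reverse zone.  Without local authority
    these are exactly the lookups that would leave the network."""
    zones = rfc1918_reverse_zones()
    counts = {}
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m or m.group("qtype") != "PTR":
            continue
        z = covering_zone(m.group("qname"), zones)
        if z:
            counts[z] = counts.get(z, 0) + 1
    return counts


# Constructed sample: an IDS/firewall (192.0.2.10/11) resolving the source
# addresses of spoofed RFC 1918 traffic, plus unrelated queries.
SAMPLE_LOG = [
    "client 192.0.2.10#53422: query: 9.3.20.172.in-addr.arpa IN PTR + (192.0.2.1)",
    "client 192.0.2.10#53423: query: 4.3.2.10.in-addr.arpa IN PTR + (192.0.2.1)",
    "client 192.0.2.11#40001: query: 1.0.168.192.in-addr.arpa IN PTR + (192.0.2.1)",
    "client 192.0.2.11#40002: query: 8.8.8.8.in-addr.arpa IN PTR + (192.0.2.1)",
    "client 192.0.2.12#40003: query: www.example.com IN A + (192.0.2.1)",
    "client 192.0.2.10#53424: query: 250.255.20.172.in-addr.arpa IN PTR + (192.0.2.1)",
]

if __name__ == "__main__":
    print(bind_empty_zone_config(rfc1918_reverse_zones()))
    print(empty_zone_file())
    print("PTR queries that would have leaked:", leaking_ptr_queries(SAMPLE_LOG))
```

Run it against your own resolver's query log to see how much RFC 1918 PTR traffic you are currently exporting; anything in the returned counts is traffic that, after loading the generated zones, never leaves your server. The dynamic-update side works the same way: Windows first asks for the SOA of the enclosing zone to find where to send the UPDATE, and with these zones loaded that SOA answer is yours, so the update is refused locally. Current BIND 9 releases already serve these zones automatically as built-in empty zones, so the generated stanzas are mainly for older servers or for other authoritative implementations; on a modern BIND, check that the built-in empty zones have not been disabled before adding your own.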