At 01:28 PM 5/28/98 -0400, you wrote:
Who *does* do ingress filtering? I have it on our border routers and customer connect ports. We have transit from MCI and UUNET. Neither has ingress filters -- see below message from MCI on this.
We do ingress and egress filtering. It's just a matter of keeping people on both sides of the border router from spoofing either by mistake or maliciously.
The result of course is that spammers and other bad guys can try to attack your systems with forged source IP addresses. Random strange people in the 'net send "NETBIOS name service" (port 137) packets to my unix mail relay, which of course ignores them.
The NETBIOS name service comes from Winblows machines. I would venture to guess that your mailserver also has a resolver running that is also most likely authoritative for your or someone's domain. Either that or you are specifying that resolver via radius to your dialup clients. When a Winblows box does a DNS lookup, for some reason, it will also send a NETBIOS name service request thinking that there is a WINS resolver living at the same IP. It's just another example of MS doing very strange things. (Read: They don't know $h!t about IP and show it regularly!)

The dialup provider these requests are originating from should be filtering port 137 on egress to prevent it from making it to the global internet. Then again, we should all be egress and ingress filtering, filtering ICMP to our broadcast and network addresses and sending money to our favorite charity too. No matter how much we harp, there will be idiots with the keys to the router cabinets who just won't do the right thing.

-------
John Fraizer (root)        |    __   _                    | The System Administrator
                           |   / /  (_)__  __ ____ __     | The choice
mailto:root@EnterZone.Net  |  / /__/ / _ \/ // /\ \/ /    | of a GNU
http://www.EnterZone.Net/  | /____/_/_//_/\_,_/ /_/\_\    | Generation
A 486 is a terrible thing to waste...
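The border policy the two messages above argue for (ingress filtering against packets that arrive from transit claiming one of your own source addresses, egress filtering against customers forging addresses you do not route for them, plus dropping ICMP aimed at network/broadcast addresses and stray udp/137 traffic) can be written down as a small decision function and replayed against sample traffic. The following is an added example for this thread, not code from either poster; the prefixes, port list and packets are constructed (RFC 5737 documentation ranges), and a real deployment would express the same rules as router ACLs.

```python
"""Border-router ingress/egress policy check, as discussed in this thread.

Added example, not code from either poster.  The prefixes and packets are
constructed (RFC 5737 documentation ranges); a real deployment expresses the
same rules as router ACLs, this just makes the decisions testable.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Address space we announce (our own block plus a customer block); assumed values.
OUR_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"),
                ipaddress.ip_network("198.51.100.0/24")]
NBNS_PORT = 137   # NetBIOS name service, the port the thread complains about


@dataclass(frozen=True)
class Packet:
    iface: str            # "outside": arriving from transit; "inside": leaving us
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


def is_ours(addr: str) -> bool:
    """True if addr lies inside one of the prefixes we route."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in OUR_PREFIXES)


def is_network_or_broadcast(addr: str) -> bool:
    """True for the all-zeros / all-ones host address of any of our prefixes,
    the targets of the ICMP floods the thread mentions filtering."""
    a = ipaddress.ip_address(addr)
    return any(a in (net.network_address, net.broadcast_address) for net in OUR_PREFIXES)


def filter_packet(pkt: Packet) -> Tuple[str, str]:
    """Return ("permit" | "deny", reason) for one packet at the border."""
    if pkt.iface == "outside":
        # Ingress: nobody outside may claim a source address inside our space.
        if is_ours(pkt.src):
            return "deny", "ingress: forged source inside our prefixes"
        if pkt.proto == "icmp" and is_network_or_broadcast(pkt.dst):
            return "deny", "ingress: ICMP to network/broadcast address"
        return "permit", "ingress"
    if pkt.iface == "inside":
        # Egress: our customers may only use addresses we route for them ...
        if not is_ours(pkt.src):
            return "deny", "egress: source not in our prefixes (spoofed)"
        # ... and stray NetBIOS name-service traffic stays off the Internet.
        if pkt.proto == "udp" and pkt.dport == NBNS_PORT:
            return "deny", "egress: NetBIOS name service (udp/137) leaking out"
        return "permit", "egress"
    raise ValueError(f"unknown interface {pkt.iface!r}")


def summarize(packets: List[Packet]) -> Dict[str, int]:
    """Count decisions by reason; handy when replaying a flow log through the policy."""
    counts: Dict[str, int] = {}
    for p in packets:
        verdict, reason = filter_packet(p)
        key = f"{verdict}: {reason}"
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample traffic: one legitimate flow in each direction plus the
# abuses the thread talks about.
SAMPLE_PACKETS = [
    Packet("outside", "203.0.113.9", "192.0.2.25", "tcp", 25),      # inbound mail, fine
    Packet("outside", "192.0.2.50", "192.0.2.25", "tcp", 25),       # spoofed as one of us
    Packet("outside", "203.0.113.9", "192.0.2.255", "icmp"),        # ICMP to our broadcast
    Packet("inside", "198.51.100.7", "203.0.113.53", "udp", 53),    # customer DNS, fine
    Packet("inside", "198.51.100.7", "203.0.113.25", "udp", 137),   # stray NBNS query
    Packet("inside", "10.1.1.1", "203.0.113.25", "udp", 53),        # customer forging source
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(p.iface, p.src, "->", p.dst, *filter_packet(p))
    print(summarize(SAMPLE_PACKETS))
```

The two directions are deliberately asymmetric: on the outside interface the only thing you can know is that a packet must not carry your own addresses, while on the inside interface you know exactly which sources are legitimate, so the egress rule is a positive match and everything else is dropped.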
At 02:32 PM 5/28/98 -0400, John Fraizer wrote: <SNIP> Rant trimmed for brevity </SNIP>
When a Winblows box does a DNS lookup, for some reason, it will also send a NETBIOS name service request thinking that there is a WINS resolver living at the same IP. It's just another example of MS doing very strange things. (Read: They don't know $h!t about IP and show it regularly!)
Actually it has nothing to do with WINS. If all the ISPs would implement solid in-addr.arpa reverse mappings, this would go away. Microsoft's DNS resolver has been extended, when DNS lookups fail, to do a reverse NETBIOS query against the target machine so it can use its name when displaying stuff via NBTSTAT, etc. It was designed this way, before the Internet became popular.

Before we all rant at MS, I suggest we all read RFCs 1001 and 1002 and UNDERSTAND NetBIOS over IP, before we blame ALL the world's ills on MS. Last I knew, they weren't written by MS.

RFC 1001 -> http://answerpointe.cctec.com/notes/rfcs1/254e_1e2.htm
RFC 1002 -> http://answerpointe.cctec.com/notes/rfcs1/2e46_1e2.htm

Author(s): Defense Advanced Research Projects Agency, End-to-End Services Task Force, Internet Activities Board, NetBIOS Working Group
=============================================================================
Eric Germann                            Computer and Communications Technologies
ekgermann@cctec.com                                          Van Wert, OH 45891
Phone: 419 968 2640                                        http://www.cctec.com
Fax: 419 968 2641
          Network Design, Connectivity & System Integration Services
                        A Microsoft Solution Provider
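Both messages describe the same packet from different angles: a port-137 datagram that a Windows host sends to a Unix box after a failed DNS lookup, which John's message attributes to WINS and Eric's to the resolver falling back to a NetBIOS query for the target's name. If such a packet reaches your mail relay, decoding it tells you which of the two it is. The following is an added example, not code from either poster, that implements the RFC 1001 first-level name encoding and parses the header and question section of an RFC 1002 name-service packet; reading the thread's "reverse NETBIOS query" as an RFC 1002 NODE STATUS REQUEST for the wildcard name "*" is my interpretation, and the sample packet is constructed, not captured.

```python
"""Decode NetBIOS Name Service (UDP/137) packets per RFC 1001/1002.

Added example for this thread (not from either poster); the sample packet
built below is constructed, not captured.  Feed the UDP payload of a port-137
datagram that reaches a Unix host to parse_nbns() / describe() to see why it
arrived instead of just dropping it silently.
"""
import struct
from typing import Dict, List, Tuple

NBNS_PORT = 137
QTYPES = {0x0020: "NB", 0x0021: "NBSTAT"}                       # RFC 1002 QUESTION_TYPE
OPCODES = {0: "QUERY", 5: "REGISTRATION", 6: "RELEASE", 7: "WACK", 8: "REFRESH"}


def encode_first_level(name: str, suffix: int = 0x00) -> bytes:
    """RFC 1001 first-level encoding: 16-byte NetBIOS name -> 32 ASCII chars.
    Each nibble is added to 'A'.  The wildcard name "*" is NUL-padded; ordinary
    names are space-padded to 15 bytes and the 16th byte is the suffix."""
    pad = b"\x00" if name == "*" else b" "
    raw = name.encode("ascii").ljust(15, pad)[:15] + bytes([suffix & 0xFF])
    out = bytearray()
    for b in raw:
        out.append(0x41 + (b >> 4))
        out.append(0x41 + (b & 0x0F))
    return bytes(out)


def decode_first_level(encoded: bytes) -> Tuple[str, int]:
    """Inverse of encode_first_level; returns (name, suffix byte)."""
    if len(encoded) != 32:
        raise ValueError("first-level encoded name must be 32 bytes")
    raw = bytearray()
    for i in range(0, 32, 2):
        hi, lo = encoded[i] - 0x41, encoded[i + 1] - 0x41
        if not (0 <= hi <= 15 and 0 <= lo <= 15):
            raise ValueError("byte outside 'A'..'P' in encoded name")
        raw.append((hi << 4) | lo)
    name = bytes(raw[:15]).rstrip(b" \x00").decode("ascii", "replace")
    return name, raw[15]


def parse_nbns(data: bytes) -> Dict:
    """Parse the header and question section of a name-service packet.
    Header layout follows DNS: ID, flags (R, OPCODE, NM_FLAGS, RCODE), four counts.
    Answer/additional records (compressed names, RDATA) are not decoded here."""
    if len(data) < 12:
        raise ValueError("short NBNS header")
    trn_id, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", data[:12])
    off = 12
    questions: List[Dict] = []
    for _ in range(qdcount):
        labels = []
        while True:
            if off >= len(data):
                raise ValueError("truncated question name")
            ln = data[off]
            off += 1
            if ln == 0:
                break
            if ln & 0xC0:
                raise ValueError("label pointer in question name")
            labels.append(data[off:off + ln])
            off += ln
        if not labels or off + 4 > len(data):
            raise ValueError("malformed question")
        name, suffix = decode_first_level(labels[0])
        qtype, qclass = struct.unpack("!HH", data[off:off + 4])
        off += 4
        questions.append({
            "name": name,
            "suffix": suffix,
            "scope": b".".join(labels[1:]).decode("ascii", "replace"),
            "qtype": QTYPES.get(qtype, hex(qtype)),
            "qclass": qclass,
        })
    return {
        "trn_id": trn_id,
        "is_response": bool(flags & 0x8000),
        "opcode": OPCODES.get((flags >> 11) & 0xF, "UNKNOWN"),
        "recursion_desired": bool(flags & 0x0100),   # NM_FLAGS RD bit
        "broadcast": bool(flags & 0x0010),           # NM_FLAGS B bit
        "rcode": flags & 0xF,
        "counts": (qdcount, ancount, nscount, arcount),
        "questions": questions,
    }


def describe(pkt: Dict) -> str:
    """One-line classification suitable for a log entry on the receiving host."""
    if pkt["is_response"]:
        return "name-service response"
    if pkt["opcode"] == "QUERY" and pkt["questions"]:
        q = pkt["questions"][0]
        if q["qtype"] == "NBSTAT" and q["name"] == "*":
            return "wildcard NODE STATUS REQUEST (the host is being asked for its NetBIOS names)"
        if q["qtype"] == "NB":
            return f"NAME QUERY for {q['name']!r} suffix 0x{q['suffix']:02x}"
    return f"{pkt['opcode']} request"


def build_node_status_query(trn_id: int = 0x1234) -> bytes:
    """Constructed sample: RFC 1002 NODE STATUS REQUEST for "*", class IN, no flags set."""
    header = struct.pack("!6H", trn_id, 0x0000, 1, 0, 0, 0)
    qname = bytes([32]) + encode_first_level("*") + b"\x00"
    return header + qname + struct.pack("!HH", 0x0021, 0x0001)


if __name__ == "__main__":
    sample = build_node_status_query()
    parsed = parse_nbns(sample)
    print(len(sample), "bytes:", describe(parsed))
```

The encoded form of the wildcard name is the string of thirty-two characters starting "CKAAAA..." that shows up in packet dumps of this traffic; once you can decode it you can tell a node status request from a real name query and log the distinction rather than guessing at WINS.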