Fwd: Re: Patching BIND (Re: What *are* they smoking?)
On Tuesday 16 Sep 2003 6:41 am, John Brown wrote:
we've burned an AS for this, ICK
Yup - and 2 /24's ....
#show ip bgp regexp _30060$
   Network          Next Hop            Metric LocPrf Weight Path
*>i12.158.80.0/24   xxx.xxx.xxx.xxx        305    100      0 1239 7018 26134 30060 ?
*>i64.94.110.0/24   xxx.xxx.xxx.xxx        305    100      0 1239 7018 26134 30060 ?
based on the ASNAME, it seems a nice little route-map /dev/null will be real easy. As long as they keep prefixes used in this really dumb idea for this idea.
If you have a full table (i.e. no default) just drop inbound routes with an AS path _30060$

Also ....

<user>@dns0:/var/named/verisignwildcard#host 64.94.110.11
Host 11.110.94.64.in-addr.arpa not found: 3(NXDOMAIN)

Oh dear, I wonder what happened to the reverse ..... looks like that doesn't resolve any more from here ;-) ... so we can still do reverse DNS checks....

Mark

--
Mark Vevers. mark@ifl.net / mark@vevers.net
Principal Internet Engineer, Internet for Learning, Research Machines Plc. (AS5503)
--
GPG Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB08F3CA3
Fingerprint: 85BA 30C4 9EC8 1792 4C8C C31E 58B5 3D1C B08F 3CA3
Mark Vevers wrote:
On Tuesday 16 Sep 2003 6:41 am, John Brown wrote:
we've burned an AS for this, ICK
Yup - and 2 /24's ....
#show ip bgp regexp _30060$
   Network          Next Hop            Metric LocPrf Weight Path
*>i12.158.80.0/24   xxx.xxx.xxx.xxx        305    100      0 1239 7018 26134 30060 ?
*>i64.94.110.0/24   xxx.xxx.xxx.xxx        305    100      0 1239 7018 26134 30060 ?
based on the ASNAME, it seems a nice little route-map /dev/null will be real easy. As long as they keep prefixes used in this really dumb idea for this idea.
If you have a full table (i.e. no default) just drop inbound routes with an AS path _30060$
Are there any adverse side effects, that anybody can think of?
--
William Allen Simpson
Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32
I am already filtering _30060_ and I currently see no problems.

Of course... seeing that email bounces may pile up, I should start routing that /24 to a box on our network pretty quick...

-hc

--
Sincerely,
Haesu C.
TowardEX Technologies, Inc.
WWW: http://www.towardex.com
E-mail: haesu@towardex.com
Cell: (978) 394-2867

On Tue, Sep 16, 2003 at 01:04:18PM -0400, William Allen Simpson wrote:
Mark Vevers wrote:
On Tuesday 16 Sep 2003 6:41 am, John Brown wrote:
we've burned an AS for this, ICK
Yup - and 2 /24's ....
#show ip bgp regexp _30060$
   Network          Next Hop            Metric LocPrf Weight Path
*>i12.158.80.0/24   xxx.xxx.xxx.xxx        305    100      0 1239 7018 26134 30060 ?
*>i64.94.110.0/24   xxx.xxx.xxx.xxx        305    100      0 1239 7018 26134 30060 ?
based on the ASNAME, it seems a nice little route-map /dev/null will be real easy. As long as they keep prefixes used in this really dumb idea for this idea.
If you have a full table (i.e. no default) just drop inbound routes with an AS path _30060$
Are there any adverse side effects, that anybody can think of?
--
William Allen Simpson
Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32
On Tue, Sep 16, 2003 at 01:04:18PM -0400, William Allen Simpson wrote:
Mark Vevers wrote:
On Tuesday 16 Sep 2003 6:41 am, John Brown wrote:
we've burned an AS for this, ICK
Yup - and 2 /24's ....
#show ip bgp regexp _30060$
   Network          Next Hop            Metric LocPrf Weight Path
*>i12.158.80.0/24   xxx.xxx.xxx.xxx        305    100      0 1239 7018 26134 30060 ?
*>i64.94.110.0/24   xxx.xxx.xxx.xxx        305    100      0 1239 7018 26134 30060 ?
based on the ASNAME, it seems a nice little route-map /dev/null will be real easy. As long as they keep prefixes used in this really dumb idea for this idea.
If you have a full table (i.e. no default) just drop inbound routes with an AS path _30060$
Are there any adverse side effects, that anybody can think of?
One is that any mail destined for this host would probably sit in the queue for the maximum queue lifetime, generally about 4 days, before bouncing as undeliverable, rather than either being rejected immediately.

One wonders why they didn't at LEAST set an MX of '.' for the wildcard record (this is how you're supposed to indicate that a domain does not receive mail if it has an active A record).

This really is a *horrible* idea, and I hope that many horrible, painful, and unprintable things happen to those responsible for coming up with / implementing this idea. At the least, I hope that ICANN stops this in the very short term.

--
"Since when is skepticism un-American? Dissent's not treason but they talk like it's the same..." (Sleater-Kinney - "Combat Rock")
On Tue, 16 Sep 2003, Will Yardley wrote:
On Tue, Sep 16, 2003 at 01:04:18PM -0400, William Allen Simpson wrote:
Are there any adverse side effects, that anybody can think of?
One is that any mail destined for this host would probably sit in the queue for the maximum queue lifetime, generally about 4 days, before bouncing as undeliverable, rather than either being rejected immediately.
On the other hand, if your routers have the CPU cycles to spare, an inbound access-list along the lines of

deny tcp 64.94.110.0 0.0.0.255 eq 80 any
[whatever other stuff you have]
permit ip any any

Will block their return traffic from the website (including the TCP ack) allowing them to cheerfully syn-flood DDoS themselves if enough people do this. This will kill the web traffic but allow mail.

--
Jay Hennigan - CCIE #7880 - Network Administration - jay@west.net
WestNet: Connecting you to the planet. 805 884-6323 WB6RDV
NetLojix Communications, Inc. - http://www.netlojix.com/
Hehe

Where's Rob Thomas? Can we class this as a bogon...

On Tue, 16 Sep 2003, William Allen Simpson wrote:
Mark Vevers wrote:
On Tuesday 16 Sep 2003 6:41 am, John Brown wrote:
we've burned an AS for this, ICK
Yup - and 2 /24's ....
#show ip bgp regexp _30060$
   Network          Next Hop            Metric LocPrf Weight Path
*>i12.158.80.0/24   xxx.xxx.xxx.xxx        305    100      0 1239 7018 26134 30060 ?
*>i64.94.110.0/24   xxx.xxx.xxx.xxx        305    100      0 1239 7018 26134 30060 ?
based on the ASNAME, it seems a nice little route-map /dev/null will be real easy. As long as they keep prefixes used in this really dumb idea for this idea.
If you have a full table (i.e. no default) just drop inbound routes with an AS path _30060$
Are there any adverse side effects, that anybody can think of?
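
Added example (not part of any message in the thread): a Python sketch of which routes the two AS-path expressions mentioned above, `_30060$` and `_30060_`, would drop on an inbound filter. The translation of the IOS `_` metacharacter into a Python pattern, the function names, and every route other than the two prefixes shown in the thread are constructed for illustration.

```python
import re

# Cisco IOS AS-path regex: "_" matches start of string, end of string,
# a space, a comma, or a brace/parenthesis (the delimiters around an ASN).
IOS_DELIM = r"(?:^|$|[ ,{}()])"


def ios_aspath_regex(pattern):
    """Translate an IOS AS-path expression into a compiled Python regex."""
    return re.compile(pattern.replace("_", IOS_DELIM))


def split_routes(routes, deny_pattern):
    """Return (accepted, dropped) prefixes for an inbound deny filter."""
    rx = ios_aspath_regex(deny_pattern)
    accepted, dropped = [], []
    for prefix, as_path in routes:
        (dropped if rx.search(as_path) else accepted).append(prefix)
    return accepted, dropped


# The first two routes are the ones shown in the thread (the trailing "?"
# there is the origin code, not part of the AS path). The rest are
# constructed sample data using documentation prefixes.
ROUTES = [
    ("12.158.80.0/24", "1239 7018 26134 30060"),
    ("64.94.110.0/24", "1239 7018 26134 30060"),
    ("192.0.2.0/24", "64500 30060 64501"),   # constructed: AS30060 as transit
    ("198.51.100.0/24", "64500 130060"),     # constructed: ASN ending in 30060
    ("203.0.113.0/24", "64500 64502"),       # constructed: unrelated route
]


def compare(patterns=("_30060$", "_30060_", "30060$")):
    """Map each deny pattern to the list of prefixes it would drop."""
    return {p: split_routes(ROUTES, p)[1] for p in patterns}


if __name__ == "__main__":
    for pattern, dropped in compare().items():
        print(f"{pattern:10} drops {dropped}")
```

`_30060$` matches only routes originated by AS30060, `_30060_` also matches paths that merely pass through it, and an expression without the leading `_` would catch any ASN whose digits end in 30060.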
participants (6)
- Haesu
- Jay Hennigan
- Mark Vevers
- Stephen J. Wilcox
- William Allen Simpson
- william+nanog@hq.dreamhost.com