Re: question about per. hack
Paul A Vixie wrote:

> > i asked all the root name servers about PER. this is what they said:
> > ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10
>
> ok, so the same is true of nasa.com. all the roots return NXDOMAIN (except J.ROOT-SERVERS.NET) and yet many nameservers (presumably not running the fixed bind) return NOERROR for it.

yes.

> so slowly I'm realizing that whoever is doing this must be contacting each and every nameserver individually and giving them bad data. is this true?

yes, that is what alternic is doing. they are sending queries about their own names to every nameserver they can learn about, and then when the victim queries alternic's nameserver they get back bogus additional data. older name servers (older than 4.9.5-P1, really, but 4.9.6 and 8.1.1 are the current versions so those are the ones you should upgrade to) ignore the bogus additional data.

> has anyone documented exactly how all this has played out in the last week. it seems like there is a lack of public discussion on just how bad what the alternic is doing is...

i think this is the first time. i'm cc'ing NANOG since several folks there are wondering exactly why i think the FBI should get involved and why i think eugene kashpureff should be jailed. (i have the packet traces to prove all of the above, from multiple servers.) what i'm terribly confused about is why MCI won't just cut them off. what alternic is doing is a violation of MCI's AUP, as well as of law and morality.
On Mon, 21 Jul 1997, Paul A Vixie wrote:

> > has anyone documented exactly how all this has played out in the last week. it seems like there is a lack of public discussion on just how bad what the alternic is doing is...
>
> i think this is the first time. i'm cc'ing NANOG since several folks there are wondering exactly why i think the FBI should get involved and why i think eugene kashpureff should be jailed.

Mr. Kashpureff has been kind enough to document his work at:
http://www.alternic.net/press/

Regards,
Randy Benn
> Mr. Kashpureff has been kind enough to document his work at: http://www.alternic.net/press/

What Mr. Kashpureff isn't saying is that he's not just leaking bad data when someone asks him about something in the normal case of DNS events; he is actively sweeping through the public NS RR lists and causing those servers to ask his servers questions whose answers contain intentional cache corruption.

Leaking the data would be a "hack." Causing other people to ask questions to which you then send intentionally corrupt answers is a "crack." I am astonished that here we are days later and it's still occurring. Usually the teenagers who perpetrate this kind of stupidity are arrested and have their PCs confiscated.
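The mechanism Vixie describes in his two messages above, as an added example that is not part of the thread and is not BIND's code: a stdlib-only Python sketch of a resolver deciding what to cache from a reply. The attacker's server, asked about one of its own names, answers with an extra additional-section A record for a name in somebody else's zone. A resolver that caches whatever arrives in the additional section (the behaviour the thread attributes to unfixed servers) ends up holding the bogus address; one that discards records outside the responding server's zone (the "bailiwick" check; the fixed BIND that Vixie says to upgrade to ignores such data) keeps only the legitimate answer. The wire-format builder and parser are mine, written for this example. The query name, the 192.0.2.1 address and the transaction ID are constructed; www.netsol.com and 207.51.48.15 are a target and an address reported elsewhere in the thread, used here only as sample data.

```python
"""Minimal DNS wire-format builder/parser plus a bailiwick check.

Added example, not code from the thread or from BIND. All names,
addresses and IDs below are constructed sample data.
"""
import struct

TYPE_A, CLASS_IN = 1, 1


def encode_name(name):
    """Encode "a.b.c" as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Return (name, offset after the name); follows compression pointers."""
    labels, jumped, next_off = [], False, None
    for _ in range(128):  # bound the walk so a pointer loop cannot hang us
        length = msg[off]
        if length & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                next_off = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    else:
        raise ValueError("name too long or compression pointer loop")
    return ".".join(labels).lower() + ".", (next_off if jumped else off)


def a_record(name, ip, ttl=3600):
    """One A resource record in wire format."""
    rdata = bytes(int(octet) for octet in ip.split("."))
    return encode_name(name) + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata


def build_response(qname, answers, additional, txid=0x1234):
    """Authoritative NOERROR reply: header, one question, answer + additional RRs."""
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, len(answers), 0, len(additional))  # QR|AA
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    return header + question + b"".join(a_record(*rr) for rr in answers + additional)


def parse_response(msg):
    """Return the A records of each section as {section: [(name, ip), ...]}."""
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _name, off = decode_name(msg, off)
        off += 4  # QTYPE + QCLASS
    sections = {"answer": [], "authority": [], "additional": []}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata = msg[off:off + rdlen]
            off += rdlen
            if rtype == TYPE_A and rdlen == 4:
                sections[section].append((name, ".".join(str(b) for b in rdata)))
    return sections


def in_bailiwick(name, zone):
    """True if name is the zone apex or lies below the zone."""
    zone = zone.lower().rstrip(".") + "."
    return name == zone or name.endswith("." + zone)


def cache_from_response(msg, zone, check_bailiwick=True):
    """A records a resolver would cache from a reply sent by the server for `zone`.
    check_bailiwick=False reproduces the credulous behaviour: everything is cached."""
    sections = parse_response(msg)
    cache = {}
    for name, ip in sections["answer"] + sections["additional"]:
        if check_bailiwick and not in_bailiwick(name, zone):
            continue  # out-of-bailiwick additional data: the fixed behaviour drops it
        cache[name] = ip
    return cache


# Constructed sample: the resolver asked alternic.net's server about a name in
# that zone, and the reply smuggles in an A record claiming www.netsol.com is
# at 207.51.48.15. The query name and 192.0.2.1 are placeholders.
POISON_REPLY = build_response(
    "host.alternic.net",
    answers=[("host.alternic.net", "192.0.2.1")],
    additional=[("www.netsol.com", "207.51.48.15")],
)
```

Run `cache_from_response(POISON_REPLY, "alternic.net", check_bailiwick=False)` to see the poisoned cache (both names) and the same call with the default `check_bailiwick=True` to see only the in-zone answer survive; the `zone` argument is the zone the resolver believes it delegated the query to, which is what makes the check meaningful.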
Is there a U.S. Federal Marshal in the house? I'll even give him Eugene's home address ... >:|
The damaged party in the denial-of-service attack earlier (InterNIC) has, undoubtedly, filed proper reports and can't talk about them. These investigations take time, and there's no reason for the Feds to work faster right now because the faked .per and .nic domains aren't hurting anyone and Eugene has stopped knocking legitimate domains down.

MCI and Sprint, however, have disappointed me. Their security contacts are not responding (IMHO) appropriately.

I have a hard time believing that Eugene still doesn't realize how serious this all is. And yet he's playing up press coverage of it at his web site, and still posting around lists apparently blasé about it.

-george william herbert
gherbert@crl.com
Knowing Eugene personally (and I barely want to admit to that now), he does not care so long as at the end of the day he wins.... Wait till something more serious happens, like he screws up a hospital or worse....
On Mon, 21 Jul 1997, George Herbert wrote:

> faked .per and .nic domains aren't hurting anyone and Eugene has stopped knocking legitimate domains down.

I think he's still at it. I just watched a BIND 4.9.5-P1 server here pick up an IP address of 207.51.48.15 (one of Eugene's boxes) for the InterNIC at around 19:50 CDT tonight.

He also is targeting www.netsol.com.

- Paul "Shag" Walmsley <ccshag@cclabs.missouri.edu>
"People who laugh at themselves will never run out of things to laugh at." -- fortune cookie
He'd better watch it, or he'll get slapped with a class-action suit for denial of service by everyone who may happen to REALLY give a hoot about connecting to the internic web site.

-David Mercer
Systems Admin.
infiNETways, Inc.
On Mon, 21 Jul 1997, David Mercer wrote:

> He'd better watch it, or he'll get slapped with a class-action suit for denial of service by everyone who may happen to REALLY give a hoot about connecting to the internic web site.

I generally couldn't give a hoot about the nic's web page, and I would still like to see him punished. As I said before, this is making the net look very, very bad. Perhaps we need to begin policing ourselves?

Michael Stevenson
On Mon, 21 Jul 1997, George Herbert wrote:

> The damaged party in the denial-of-service attack earlier (InterNIC) has, undoubtedly, filed proper reports and can't talk about them. These investigations take time, and there's no reason for the Feds to work faster right now because the faked .per and .nic domains aren't hurting anyone and Eugene has stopped knocking legitimate domains down.
>
> MCI and Sprint, however, have disappointed me. Their security contacts are not responding (IMHO) appropriately.

Hmm.. you might want to talk to Alternic's direct upstream (Sprint anyway):

 9 sl-osd-1-s1-t1.sprintlink.net (144.228.141.38) 103 ms 103 ms 102 ms
10 sea-nile.seanet.com (199.181.164.99) 134 ms 120 ms 103 ms
11 alternic-sea.seanet.com (204.182.108.54) 112 ms 177 ms 112 ms
12 mx.alternic.net (204.94.42.1) 116 ms 114 ms 115 ms

Knowing Sprint's names assigned to their customers' border interfaces, it APPEARS that seanet is Eugene's upstream.

Michael Stevenson
> I have a hard time believing that Eugene still doesn't realize how serious this all is. And yet he's playing up press coverage of it at his web site, and still posting around lists apparently blasé about it.

It is nearly unbelievable, isn't it.
> i think this is the first time. i'm cc'ing NANOG since several folks there are wondering exactly why i think the FBI should get involved and why i think eugene kashpureff should be jailed.

unfortunately i think it's the FBI we need to convince and i'm not sure they read nanog

> (i have the packet traces to prove all of the above, from multiple servers.)

you may be the one the FBI needs to hear from then

> what i'm terribly confused about is why MCI won't just cut them off. what alternic is doing is a violation of MCI's AUP, as well as of law and morality.

mmm... pretty words (really) but as we all know by now, the current state of Internet stats collection and our elegantly ambiguous role as not-really-common-carrier-but-don't-regulate-or-tariff-us-either-please-just-leave-us-alone-we'll-be-fine renders it fairly non-trivial for MCI (or any other backbone provider, in fact MCI's probably closer than elseNSP) to provide the FBI with _proof_ that Eugene was using mci as his testosterone transport mechanism, so even their oodles of well-dressed lawyers can't prove he's violating AUP, and it's not like mci can demand to know what box he's playing from, what his routing policy was at the time, etc.

if you'd like to get a deposition from him, i'm sure mci would gladly forward it to the feds. or if your tcpdump packets incriminate him adequately, that would likely help them too. MCI can't do much unless law enforcement asks them to, which would require not only law enforcement w/clue but also your log data proving the attacks used their pipes (if you're comfortable they're not violating any not-really-existent-but-if-they-did-exist-they'd-be-unenforceably-ambiguous-anyway privacy laws).

the internet just isn't there yet (there = with enforceable and sensical laws; i think we'll have to punt on morality) and we're apparently in much more of a rush to implement faster push technology and verifiable hit counts (for ad pricing schedules yum yum) than integrity.

sigh++;

fwiw mci is not happy about it either and is not Doing Nothing but if you have something that would help - k
participants (8): David Mercer, George Herbert, k claffy, Marc Hurst, MFS, Paul 'Shag' Walmsley, Paul A Vixie, rbenn@clark.net