[shock - operational ingredient to DNS issue on NANOG]

I feel that a convenient way to filter out crud that pollutes your DNS (or any other crud for that matter) might be:

a) Configure a normally non-BGP speaking router in your IGP to run BGP under AS (say) 7778.
b) Static the routes to all alternic's primary name servers to null0: (or better to a non-existent IP on an ethernet interface)
c) redistribute these statics into BGP through a routemap if necessary.
d) Set up peering with a router running BGP tagging the routes as no-export (make sure you don't distribute them to peers or customers).

(credit to Paul Vixie for the "how to blackhole traffic" for spam reasons which I've borrowed here - *PAUL DID NOT RECOMMEND DOING THIS FOR DNS TRAFFIC - THIS IS ENTIRELY MY IDEA*).

We're just about to do this. I'll tell you how it goes.

Alex Bligh
Xara Networks
> (credit to Paul Vixie for the "how to blackhole traffic" for spam reasons which I've borrowed here - *PAUL DID NOT RECOMMEND DOING THIS FOR DNS TRAFFIC - THIS IS ENTIRELY MY IDEA*).
All true, except that Andrew Partan and Brett Watson worked out the black hole technology that I've been handing to Cisco owners. All Cisco wizardry which occurs in my presence is the result of other people's brains not mine. I'm a GateD diehard, Cisco's command language makes me queasy and uneasy.
> We're just about to do this. I'll tell you how it goes.
It won't help. DNS pirates don't need connectivity to your hosts to infect your caches, they need connectivity to _other_ people's hosts.
Since we run OSPF internally, we find it easier to do this by setting up a 2501 (dedicated to the task) with static routes pointing into a loopback interface which is filtered with an access list to block all packets. The static routes are redistributed into OSPF, which caused each static to suck packets bound from anywhere in our network into the filter, kill them, and log them. Of course, there is no risk of the OSPF leaking to the outside world, though it covers our network nicely, and we get logging of attempted replies to these sites. Since OSPF is nicely classless, we block anything from a /32 up...

-Dorn Hetzel
Epoch Internet
Now that's a strategy I like. Thanks Dorn; that's both elegant and easy to implement, it's cheap, and it works.

--
Karl Denninger (karl@MCS.Net) | MCSNet
On Tue, 15 Jul 1997 at around 17:17:58, "DH" == Dorn Hetzel penned:

DH> Since we run OSPF internally, we find it easier to do this by
DH> setting up a 2501 (dedicated to the task) with static routes
DH> pointing into a loopback interface which is filtered with an
DH> access list to block all packets. The static routes are
DH> redistributed into OSPF, which caused each static to suck
DH> packets bound from anywhere in our network into the filter,
DH> kill them, and log them. Of course, there is no risk of the
DH> OSPF leaking to the outside world, though it covers our network
DH> nicely, and we get logging of attempted replies to these
DH> sites. Since OSPF is nicely classless, we block anything from
DH> a /32 up...

If you have a smaller network and still want the ability to do this (e.g. singly-homed site) just route the networks concerned to nowhere on your gateway router

ip route a.b.c.d w.x.y.z Null0
route add net a.b.c.d <local or null IP address> 1

This won't stop the DNS hack from polluting your servers (u/g the software :) but I don't think my Linux box needs to contact DNS pirates ;-}

DH> -Dorn Hetzel
DH> Epoch Internet

Cheers,
Lyndon
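A sanity check for the static-route recipes above (Alex's null0 statics and Lyndon's single-router variant), added here as an example and not code posted by anyone in the thread: it collapses the addresses to be blackholed into the smallest covering prefixes, refuses to emit anything that overlaps your own or your customers' space, and prints the statics in the `ip route a.b.c.d w.x.y.z Null0` form quoted above. All addresses are constructed sample values.

```python
import ipaddress

# Constructed sample input (not from the thread): addresses the operator wants
# to blackhole, and address space that must never be blackholed (own + customer).
BLACKHOLE = ["192.0.2.10", "192.0.2.11", "198.51.100.0/25", "198.51.100.128/25"]
PROTECTED = ["10.0.0.0/8", "203.0.113.0/24"]


def collapse(addrs):
    """Turn host addresses and prefixes into the smallest set of covering
    prefixes: two adjacent /25s become one /24, two adjacent hosts a /31,
    a lone host stays a /32. Returned as sorted strings."""
    nets = [ipaddress.ip_network(a, strict=False) for a in addrs]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def overlaps_protected(blackhole, protected):
    """Return (blackhole_prefix, protected_prefix) pairs that overlap.
    Anything returned here would blackhole your own or a customer's space."""
    prot = [ipaddress.ip_network(p) for p in protected]
    hits = []
    for b in (ipaddress.ip_network(x, strict=False) for x in blackhole):
        hits.extend((str(b), str(p)) for p in prot if b.overlaps(p))
    return hits


def ios_null_routes(blackhole):
    """Cisco IOS statics in the 'ip route a.b.c.d w.x.y.z Null0' form
    given in the thread (network address followed by dotted netmask)."""
    return [f"ip route {n.network_address} {n.netmask} Null0"
            for n in (ipaddress.ip_network(x, strict=False) for x in blackhole)]


def build_config(blackhole, protected):
    """Collapse, check against protected space, then emit the statics.
    Refuses to emit anything at all if one entry touches protected space."""
    nets = collapse(blackhole)
    hits = overlaps_protected(nets, protected)
    if hits:
        raise ValueError(f"blackhole overlaps protected space: {hits}")
    return ios_null_routes(nets)


if __name__ == "__main__":
    for line in build_config(BLACKHOLE, PROTECTED):
        print(line)
    # A deliberately wrong entry that would blackhole customer space:
    print(overlaps_protected(["203.0.113.7/32"], PROTECTED))
```

Collapsing adjacent hosts into a /31 is deliberate here; if you want one static per host, feed the addresses straight to `ios_null_routes` instead of `build_config`.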
Make sure that this is causing ICMP-Unreach-Host messages to be sent back to your internal hosts who try to reach that net, and also make sure that your mail server's TCP stack torpedoes its connection state (or even just increments its retry timer and resends) when a SYN-ACK meets that ICMP. Not all Cisco IOS revision levels behave the right way, and not all SunOS kernels do the right thing when a SYN-ACK meets an ICMP-Unreach-Host. So you can, if you're not careful, turn the above recommendation into a SYN flood attack against your own internal servers.
fyi:

Date: Tue, 15 Jul 1997 11:54:02 -0700
From: paul@vix.com
To: courtm@cnet.com
CC: paul@vix.com
Subject: http://www.news.com/News/Item/0,4,12382,00.html

AlterNIC didn't invent the hack that corrupted the www.internic.net name. I published a paper on this three years ago, which you can read in PostScript(tm) form at ftp://ftp.vix.com/pri/vixie/bindsec.psf

Note that the bug AlterNIC exploited is the same one covered by several recent Internet mailing list security bulletins. No one associated with AlterNIC is smart enough to have figured out any of this by themselves.

Recent versions of BIND (4.9.6 and 8.1.1) which are available via...

http://www.isc.org/isc/

...fix the programming error which allowed this corruption to occur.
Participants (6): Alex.Bligh, Dorn Hetzel, Hank Nussbacher, Karl Denninger, Lyndon Levesley, Paul A Vixie