someone from attbi please contact me regarding host 24.129.84.175
noc@ and abuse@ are ignoring me as usual, so i'm spamming nanog@ in hopes of locating attbi clue. i need somebody who can educate one of your customers who is dns-updating me.

re:

    [fh:i386] grep -c 'client 24.129.84.175.*update.*denied' messages
    74
    [fh:i386] zgrep -c 'client 24.129.84.175.*update.*denied' messages.?.gz
    messages.0.gz:67
    messages.1.gz:43
    messages.2.gz:106
    messages.3.gz:206
    messages.4.gz:215
    messages.5.gz:104

PS. why is this so hard?
On Sat, 27 Sep 2003, Paul Vixie wrote:
noc@ and abuse@ are ignoring me as usual, so i'm spamming nanog@ in hopes of locating attbi clue. i need somebody who can educate one of your customers who is dns-updating me.
ATT Broadband was sold to Comcast a while ago. There is no more attbi clue.

If you find someone, add these to the list of misconfigured Windows users trying to "update" other people's DNS servers.

    acl "bogon" {
        // Annoying dynamic DNS updates from this address
        68.39.224.6;
        68.38.156.178;
        68.38.152.156;
        68.38.158.209;
    };
PS. why is this so hard?
Are you talking about the kitchen sink protocol called DNS, or trying to contact another ISP, or the sociological difficulties of educating the general public how to configure very complicated "personal" computers and software without making a mistake? Why is dynamic DNS update enabled by default on some operating systems?
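Added example, not part of any post in this thread: the grep counts and the hand-written acl from the two messages above combined into one pass over named's syslog output. The log lines are constructed samples using documentation addresses, and the function names (`sample_log`, `denied_counts`, `acl_stanza`) and the threshold of 2 are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): tally denied dynamic-update attempts
# per client from named's syslog output and draft an acl stanza from them.

# Constructed sample lines in BIND 9's "update ... denied" log style.
# Addresses are documentation ranges, not hosts from the thread. Two lines
# carry an extra "@0x..." field after "client", as newer releases log it.
sample_log() {
cat <<'EOF'
Sep 27 03:10:01 ns1 named[411]: client 192.0.2.10#1031: update 'example.org/IN' denied
Sep 27 03:10:09 ns1 named[411]: client 192.0.2.10#1032: update 'example.org/IN' denied
Sep 27 03:11:40 ns1 named[411]: client 198.51.100.7#2210: update 'example.org/IN' denied
Sep 27 03:12:02 ns1 named[411]: client 192.0.2.10#1040: query (cache) 'update.example.net/A/IN' denied
Sep 27 03:15:55 ns1 named[411]: client @0x7f3a10 203.0.113.5#4001: update 'example.org/IN' denied
Sep 27 03:16:20 ns1 named[411]: client @0x7f3a10 203.0.113.5#4002: update 'example.org/IN' denied
Sep 27 03:20:13 ns1 named[411]: client 192.0.2.10#1055: update 'example.org/IN' denied
EOF
}

# denied_counts: read syslog lines on stdin, print "count address" per
# client, busiest first. Only "update ... denied" lines are counted; a
# denied query for a name that merely contains "update" is ignored.
denied_counts() {
    awk '
        /: update .*denied/ {
            for (i = 1; i <= NF; i++) {
                # the client field looks like address#port, optionally
                # followed by a colon
                if (split($i, a, "#") == 2 &&
                    a[1] ~ /^[0-9a-fA-F.:]+$/ && a[2] ~ /^[0-9]+:?$/) {
                    n[a[1]]++
                    break
                }
            }
        }
        END { for (ip in n) print n[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# acl_stanza NAME MIN: read syslog lines on stdin and emit a named.conf
# acl listing every client with at least MIN denied updates.
acl_stanza() {
    name=$1
    min=$2
    printf 'acl "%s" {\n' "$name"
    denied_counts | awk -v min="$min" \
        '$1 >= min { printf "\t%s;\t// %d denied updates\n", $2, $1 }'
    printf '};\n'
}

# Stand-alone run: draft an acl from the constructed sample.
sample_log | acl_stanza bogon 2
```

On a real server the input would be the `messages` files from the first post, for example `zcat messages.?.gz | cat - messages | acl_stanza bogon 50`.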
In previous mail, Sean Donelan said:
Are you talking about the kitchen sink protocol called DNS, or trying to contact another ISP, or the sociological difficulties of educating the general public how to configure very complicated "personal" computers and software without making a mistake?
Unfortunately, telling end users to disable a default setting is rather difficult these days. It's too bad that Microsoft hasn't addressed this issue in the past several years that it has been an enabled-by-default option.
Why is dynamic DNS update enabled by default on some operating systems?
Back in beta days, the official explanation given was that the DNS updating was a "value add" and that it would never be disabled as a default as a courtesy to corporate customers. Furthermore, MSFT folks have repeatedly said that the workaround is to simply configure your nameserver to silently ignore the error logs.

Neat policy, eh? I would assume that the dynamic updating feature is something easily toggled via a registry script; larger ISPs ought to include this "fix" as an option with their installation CDs. Alas, we get back to the ongoing debate: adjust user prefs for them, for their own good... or get the vendor to cooperate?

- Tim
Back in beta days, the official explanation given was that the DNS updating was a "value add" and that it would never be disabled as a default as a courtesy to corporate customers. Furthermore, MSFT folks have repeatedly said that the workaround is to simply configure your nameserver to silently ignore the error logs.
Well, I'm not going to disable that logging since it has been useful in signalling real attacks in the past.

But the thing Microsoft needed to do with this was ensure that whoever is pirating my domain names on their home PCs get error message popups telling them to go to MSN and buy a real domain name. That is, they could be making money here rather than just giving my syslogd a headache. If MSFT would behave more greedily then their customer PCs would be contacting them rather than me, right?

-- Paul Vixie
Paul,

How about just configuring your BIND to return errors when his queries against your server? He has got to be using you as either a primary or secondary name server. That would make everything on that machine suddenly come to a grinding halt as nothing would resolve anymore.

I used to do that to customers who didn't turn off dynamic dns updates. It got their attention quick.

--------------------------
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.2mbit.com
ICQ: 8077511

----- Original Message -----
From: "Paul Vixie" <vixie@vix.com>
To: <nanog@merit.edu>
Sent: Sunday, September 28, 2003 12:09 PM
Subject: Re: Annoying dynamic DNS updates (was Re: someone from attbi please contact me ...)
Back in beta days, the official explanation given was that the DNS updating was a "value add" and that it would never be disabled as a default as a courtesy to corporate customers. Furthermore, MSFT folks have repeatedly said that the workaround is to simply configure your nameserver to silently ignore the error logs.
Well, I'm not going to disable that logging since it has been useful in signalling real attacks in the past. But the thing Microsoft needed to do with this was ensure that whoever is pirating my domain names on their home PCs get error message popups telling them to go to MSN and buy a real domain name. That is, they could be making money here rather than just giving my syslogd a headache. If MSFT would behave more greedily then their customer PCs would be contacting them rather than me, right? -- Paul Vixie
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Brian Bruns
Sent: September 28, 2003 6:00 PM
To: nanog@merit.edu; Paul Vixie
Subject: Re: Annoying dynamic DNS updates (was Re: someone from attbi please contact me ...)
How about just configuring your BIND to return errors when his queries against your server? He has got to be using you as either a primary or secondary name server. That would
No, that's not how it works... (at least, the Win2K/XP-style of this)

It works based on the system's hostname. If you set your Windoze hostname to blah.domain.com, then the server in domain.com's SOA is going to get blasted with all those RFC 2136 updates.

In your case, I'm guessing your customers had (automatic DNS configuration through DHCP? PPP?) a hostname in your domain, so that's actually why the updates went your way, not because you were their primary/secondary DNS in their DNS config.

Vivien

--
Vivien M.
vivienm@dyndns.org
Assistant System Administrator
Dynamic DNS Network Services
http://www.dyndns.org/
Perhaps (to meld threads...) those DNS queries belong at 64.94.110.11?

--
A host is a host from coast to coast.................wb8foz@nrk.com
& no one will talk to a host that's close........[v].(301) 56-LINUX
Unless the host (that isn't close).........................pob 1433
is busy, hung or dead....................................20915-1433
I think the solution is for those DNS operators affected who have not signed an EULA for the system that is hammering their DNS to sue Micr0$0ft for the costs incurred in dealing with the issue. Making Micr0$0ft play legal whack-a-mole may be the only strategy with a chance of success here. (I recommend small claims so that worst case, your down side is minimal).

Owen

--On Saturday, September 27, 2003 6:56 PM -0500 Tim Yocum <tim@yocum.org> wrote:
In previous mail, Sean Donelan said:
Are you talking about the kitchen sink protocol called DNS, or trying to contact another ISP, or the sociological difficulties of educating the general public how to configure very complicated "personal" computers and software without making a mistake?
Unfortunately, telling end users to disable a default setting is rather difficult these days. It's too bad that Microsoft hasn't addressed this issue in the past several years that it has been an enabled-by-default option.
Why is dynamic DNS update enabled by default on some operating systems?
Back in beta days, the official explanation given was that the DNS updating was a "value add" and that it would never be disabled as a default as a courtesy to corporate customers. Furthermore, MSFT folks have repeatedly said that the workaround is to simply configure your nameserver to silently ignore the error logs.
Neat policy, eh? I would assume that the dynamic updating feature is something easily toggled via a registry script; larger ISPs ought to include this "fix" as an option with their installation CDs. Alas, we get back to the ongoing debate: adjust user prefs for them, for their own good... or get the vendor to cooperate?
- Tim
When will entities that implement "solutions" that cause damage on a global scale be held accountable? The Dynamic DNS problem with Windows boxes makes me think someone thought it would be a good idea, but didn't really think it through. The Verisign wildcard decision seems to be along the same lines. I doubt anyone thought there would be a class action lawsuit when they made the change.

It reminds me of the Netgear and U of Wisconsin time server SNAFU. http://www.cs.wisc.edu/~plonka/netgear-sntp/

jas
On Sat, 27 Sep 2003, Paul Vixie wrote:
noc@ and abuse@ are ignoring me as usual, so i'm spamming nanog@ in hopes of locating attbi clue. i need somebody who can educate one of your customers who is dns-updating me.
ATT Broadband was sold to Comcast a while ago. There is no more attbi clue.
If you find someone, add these to the list of misconfigured Windows users trying to "update" other people's DNS servers.
    acl "bogon" {
        // Annoying dynamic DNS updates from this address
        68.39.224.6;
        68.38.156.178;
        68.38.152.156;
        68.38.158.209;
    };
PS. why is this so hard?
Are you talking about the kitchen sink protocol called DNS, or trying to contact another ISP, or the sociological difficulties of educating the general public how to configure very complicated "personal" computers and software without making a mistake?
Why is dynamic DNS update enabled by default on some operating systems?
The difference is that Netgear admitted responsibility and worked with UW to cope with the issue. Further, Netgear has funded UW in its cleanup efforts and generally stepped up to the plate. As much as I don't care for Netgear's products, they did show decent corporate responsibility when UW was able to escalate to the appropriate management at Netgear.

Micr0$0ft, on the other hand, has consistently said "You just have to cope with whatever we do to you, and, it's your problem." This is a very different corporate attitude. In my opinion, that attitude deserves to be severely punished.

Owen

--On Saturday, September 27, 2003 8:03 PM -0400 Jason Lewis <jlewis@packetnexus.com> wrote:
When will entities that implement "solutions" that cause damage on a global scale be held accountable? The Dynamic DNS problem with Windows boxes makes me think someone thought it would be a good idea, but didn't really think it through. The Verisign wildcard decision seems to be along the same lines. I doubt anyone thought there would be a class action lawsuit when they made the change.
It reminds me of the Netgear and U of Wisconsin time server SNAFU. http://www.cs.wisc.edu/~plonka/netgear-sntp/
jas
On Sat, 27 Sep 2003, Paul Vixie wrote:
noc@ and abuse@ are ignoring me as usual, so i'm spamming nanog@ in hopes of locating attbi clue. i need somebody who can educate one of your customers who is dns-updating me.
ATT Broadband was sold to Comcast a while ago. There is no more attbi clue.
If you find someone, add these to the list of misconfigured Windows users trying to "update" other people's DNS servers.
    acl "bogon" {
        // Annoying dynamic DNS updates from this address
        68.39.224.6;
        68.38.156.178;
        68.38.152.156;
        68.38.158.209;
    };
PS. why is this so hard?
Are you talking about the kitchen sink protocol called DNS, or trying to contact another ISP, or the sociological difficulties of educating the general public how to configure very complicated "personal" computers and software without making a mistake?
Why is dynamic DNS update enabled by default on some operating systems?
http://puck.nether.net/netops/nocs.cgi?ispname=Comcast

Comcast Business Communications, Inc.
comcastbusiness.net
13385
888-205-5000
Op noc@comcasttel.net
24 x 7

---
Alan Spicer (a_spicer@bellsouth.net)
Systems and Network Administration, and Telecommunications
(954) 977-5245)

----- Original Message -----
From: "Sean Donelan" <sean@donelan.com>
To: <nanog@merit.edu>
Sent: Saturday, September 27, 2003 7:30 PM
Subject: Annoying dynamic DNS updates (was Re: someone from attbi please contact me ...)
On Sat, 27 Sep 2003, Paul Vixie wrote:
noc@ and abuse@ are ignoring me as usual, so i'm spamming nanog@ in hopes of locating attbi clue. i need somebody who can educate one of your customers who is dns-updating me.
ATT Broadband was sold to Comcast a while ago. There is no more attbi clue.
If you find someone, add these to the list of misconfigured Windows users trying to "update" other people's DNS servers.
    acl "bogon" {
        // Annoying dynamic DNS updates from this address
        68.39.224.6;
        68.38.156.178;
        68.38.152.156;
        68.38.158.209;
    };
PS. why is this so hard?
Are you talking about the kitchen sink protocol called DNS, or trying to contact another ISP, or the sociological difficulties of educating the general public how to configure very complicated "personal" computers and software without making a mistake?
Why is dynamic DNS update enabled by default on some operating systems?
PS. why is this so hard?
Are you talking about the kitchen sink protocol called DNS, or ...
Specifically, I want to know why Comcast makes itself so hard to reach. I'll bet I could get them to talk to me about this host if it were DDoS'ing me, or if I aggressively NMAP'd it at 25Mbits/sec for 48 hours straight. But because the problem is "non-serious" they do not even reply to e-mail. Trouble is, it's *their* definition of "serious" being applied, while *I* am the one receiving this traffic.

What this has in common with spam is that a company wants margin from last mile transit but won't incur the reasonable and customary costs of policing their customers. They expect to get margin on 10,000,000 customers but only incur "customer care" costs on a 10,000 customer basis. This is what I meant in the bad old days when I called spam a form of "cost shifting" or "conversion". Simply put, because Comcast can't be bothered, everyone else on the 'net pays their avoided costs in various indirect ways.

In amusement parks there's often a sign saying "you must be at least 42 inches tall to ride this roller coaster". Sadly, there is no equivalent in ISPland, and anybody who can accrete or capture customers is allowed to ride.
Why is dynamic DNS update enabled by default on some operating systems?
Microsoft's culpability in this mess is not even on my mind today. They will at least talk about their role in the situation, so they're more responsible than Comcast this week. -- Paul Vixie
The only way to reach Comcast (in my experience) is to get a phone number from the customer having a problem. Sometimes that is slightly more helpful. In the recent DC power outage it was clear that my power company did not want to be reachable. The same is true for at least a couple of the domain registrars (not Verisign in this case :). My guess is that being unreachable is company policy. Perhaps there is someone on the list that could clarify the company's policy in this regard.

On Sun, 28 Sep 2003, Paul Vixie wrote:
PS. why is this so hard?
Are you talking about the kitchen sink protocol called DNS, or ...
Specifically, I want to know why Comcast makes itself so hard to reach. I'll bet I could get them to talk to me about this host if it were DDoS'ing me, or if I aggressively NMAP'd it at 25Mbits/sec for 48 hours straight.
[cut]
-- Paul Vixie
_____ Douglas Denault doug@safeport.com Voice: 301-469-8766 Fax: 301-469-0601
On 28 Sep 2003, Paul Vixie wrote:
Specifically, I want to know why Comcast makes itself so hard to reach. I'll bet I could get them to talk to me about this host if it were DDoS'ing me, or if I aggressively NMAP'd it at 25Mbits/sec for 48 hours straight.
Based on the comments in many forums, I think that is a sucker bet. It's always been hard for non-customers to reach any ISP. Have you talked to your upstream provider about your problem? Perhaps your upstream ISP could block port 53 for you?

I've been talking about the problem for 10 years. I don't think it has gotten any better or worse.
But because the problem is "non-serious" they do not even reply to e-mail. Trouble is, it's *their* definition of "serious" being applied, while *I* am the one receiving this traffic.
Other than auto-responders, how often do ISPs respond to e-mail from non-customers? Customers can't even contact some ISPs by e-mail, you must fill out a special web form. Is your definition of *serious* the same as other people's definition of *serious*? Ranking all the *serious* problem reports received every day, how does your *serious* report rank? Higher or lower than the FBI, spam, the latest e-bay scam, a 25Meg nmap scan for 48 hours straight or wildcards in the .COM zone?
What this has in common with spam is that a company wants margin from last mile transit but won't incur the reasonable and customary costs of policing their customers. They expect to get margin on 10,000,000 customers but only incur "customer care" costs on a 10,000 customer basis. This is what I meant in the bad old days when I called spam a form of "cost shifting" or "conversion". Simply put, because Comcast can't be bothered, everyone else on the 'net pays their avoided costs in various indirect ways.
Comparing things to spam is a good way to stir up emotion, but doesn't help the discussion very much.

How should an ISP tell the difference between "good" DNS packets and "bad" DNS packets? It's the fact the recipient doesn't want to receive the packet for whatever reason, not that the packet itself is "bad." If the ISP blocked people from doing dynamic DNS updates, I imagine someone would complain about blocking Dynamic DNS instead. Heck there are companies that make their business out of enabling people to dynamically update their DNS records.

What is needed is for individuals to be able to signal "packet blocking" on a one-to-one basis. What makes the packets "bad" isn't any technical reason. If you had Comcast at your house and wanted to dynamically update your DNS server over the Internet, why should Comcast block you from doing that? You aren't complaining about your dynamic update packets or even all dynamic updates. You are complaining about someone sending you packets you don't want. And more precisely, you are complaining that Comcast is failing to send you other packets you want to receive, i.e. a response to your e-mail packets.

Currently, the most common method is the recipient drops the packets after receiving them. Blocking at the source is difficult, and often involves layer 8, 9, 10 issues; such as identifying the source, identifying the "bad" packets, deciding if the packet violates a RFC, TOS, AUP, etc. Should the sender be blocked from sending packets to anyone, or just the one person who doesn't want to receive the packets.

Is misconfiguring your Microsoft Windows system a criminal violation deserving prison or fines? Should the sentencing guidelines take into account if you use a Macintosh or Linux system instead of Microsoft?
Why is dynamic DNS update enabled by default on some operating systems?
Microsoft's culpability in this mess is not even on my mind today. They will at least talk about their role in the situation, so they're more responsible than Comcast this week.
If you just want to talk about it, Ok. Let's talk. We can talk for years without doing anything. Meanwhile more and more people are installing Microsoft Windows bleah with the same default settings. For the same reasons ISC won't change the default settings in BIND, I wouldn't be surprised if Microsoft made the same arguments for not changing the default settings in Windows.

It was only after Sendmail and the other mailers changed the default settings in their products that slowed down the increase of open mailers. Why could Sendmail change its defaults, but other vendors won't change their product defaults?

http://www.caida.org/outreach/presentations/2003/wiapp03/sdu.wiapp03.slides....

I've been thinking how to use ICMP to signal different types of responses; and even how "smart" edges on both ends of a communication could establish and enforce policies. Most of these are non-malicious communications involving misconfigured systems. Edge communications avoids problems with the host system, but has problems with multi-path communications and source validation.
try comcast.net...email switched over 6 months ago.

----- Original Message -----
From: "Paul Vixie" <paul@vix.com>
To: <nanog@merit.edu>
Sent: Saturday, September 27, 2003 7:05 PM
Subject: someone from attbi please contact me regarding host 24.129.84.175
noc@ and abuse@ are ignoring me as usual, so i'm spamming nanog@ in hopes of locating attbi clue. i need somebody who can educate one of your customers who is dns-updating me.
re:
    [fh:i386] grep -c 'client 24.129.84.175.*update.*denied' messages
    74
    [fh:i386] zgrep -c 'client 24.129.84.175.*update.*denied' messages.?.gz
    messages.0.gz:67
    messages.1.gz:43
    messages.2.gz:106
    messages.3.gz:206
    messages.4.gz:215
    messages.5.gz:104
PS. why is this so hard?
Paul,

I've forwarded it to a contact of ours at abuse who should be able to get it taken care of. I also forwarded the other one from Sean.

- Matt
participants (13)
- Alan Spicer
- Brian Bruns
- David Lesher
- doug@safeport.com
- Eric Kagan
- Jason Lewis
- Matt
- Owen DeLong
- Paul Vixie
- Paul Vixie
- Sean Donelan
- Tim Yocum
- Vivien M.