nanog mailing list archives

Re: DNS deluge for x.p.ctrc.cc
From: Paul Vixie <vixie () vix com>
Date: 26 Feb 2006 21:33:16 +0000


christopher.morrow () verizonbusiness com ("Christopher L. Morrow") writes:

> seems like global tcp/139|tcp/445 filters, or bogon filters... bits put
> into configs 'now' and completely forgotten about 'tomorrow' :(

speaking of which, f-root has about 35 nodes world wide, and about a third
to a half of them aren't reachable by udp/161, and the blockage is not in
our immediate neighbors but rather on transit paths.  this is due to the
cisco snmp vulnerability five years or so ago.  filtering in the core to
protect vulnerable edges has to be done a LOT more carefully than that.
(BCP38 is an example of how to do it well, but apparently impractically?)

i'm not following up on the dns related parts of this, since dns-operations@
seems to be pulling some of the dns related load today and i don't want to
say the same thing in both places.  see this URL for details:

http://lists.oarci.net/pipermail/dns-operations/2006-February/author.html
-- 
Paul Vixie

