nanog mailing list archives
filtering 1918 (was Re: Summary with...: Domain Name System ...)
From: Paul Vixie <vixie () vix com>
Date: 18 Aug 2004 19:57:53 +0000
That said, I do filter 1918 at my edge. /vijay
ok everybody, vijay says the snapshot below didn't come from him.
who wants to claim it, then?
# tcpdump -n -c 25 net 10 or net 192.168 or net 172.16.0.0/12
tcpdump: listening on fxp0
19:52:53.787244 10.9.10.250.53 > 192.5.5.241.53: 29644 MX? rogers.com. (29)
19:52:53.789098 10.9.10.250.53 > 192.5.5.241.53: 29643 A? tock.usno.navy.mil. (36)
19:52:53.790367 10.9.10.250.53 > 192.5.5.241.53: 29642 MX? nygh.on.ca. (29)
19:52:53.791023 10.9.10.250.53 > 192.5.5.241.53: 29641 MX? sympatico.ca. (31)
19:52:54.000576 10.6.166.16.35067 > 192.5.5.241.53: 51520 PTR? 23.180.243.65.in-addr.arpa. (44) (DF)
19:52:54.000591 10.6.166.16.35067 > 192.5.5.241.53: 39692 MX? wedweb.cc. (27) (DF)
19:52:54.049835 10.21.13.50.32769 > 192.5.5.241.53: 19542 NS? . (17) (DF)
19:52:54.167651 10.1.10.8.53 > 192.5.5.241.53: 17611 PTR? 1.18.32.10.in-addr.arpa. (41)
19:52:54.227294 172.22.26.5.53 > 192.5.5.241.53: 5298 A? autodesk.com. (30)
19:52:54.327460 10.48.10.250.53 > 192.5.5.241.53: 29477 MX? unco.edu. (27)
19:52:54.328475 10.48.10.250.53 > 192.5.5.241.53: 29476 MX? unco.edu. (27)
19:52:54.329118 10.48.10.250.53 > 192.5.5.241.53: 29475 MX? icella.com. (29)
19:52:54.329736 10.48.10.250.53 > 192.5.5.241.53: 29474 MX? att.net. (26)
19:52:54.487335 10.40.1.29.53 > 192.5.5.241.53: 10970 [b2&3=0x400] A? czdm01.bauholding.com. (39)
19:52:54.490662 10.40.1.29.53 > 192.5.5.241.53: 10971 A? IBM-4406B6DF58E.bauholding.com. (48)
19:52:54.491791 192.168.0.2.1033 > 192.5.5.241.53: 4574 A? velu.neuro6.com. (33)
19:52:54.493123 192.168.0.2.1033 > 192.5.5.241.53: 4580 A? velu.neuro6.com. (33)
19:52:54.495051 192.168.0.2.1033 > 192.5.5.241.53: 12777 A? velu.neuro6.com. (33)
19:52:54.508596 172.23.3.39.1057 > 192.5.5.241.53: 2240 A? download.windowsupdate.com. (44)
19:52:54.511223 172.23.3.39.1057 > 192.5.5.241.53: 14538 A? download.windowsupdate.com. (44)
19:52:54.513568 172.23.3.39.1057 > 192.5.5.241.53: 6358 A? download.windowsupdate.com. (44)
19:52:54.527938 10.26.0.10.32769 > 192.5.5.241.53: 53702 A? nuyoo.utm.mx. (30) (DF) [tos 0x4]
19:52:54.553784 192.168.192.49.47768 > 192.5.5.241.53: 34671 PTR? 36.7.7.4.in-addr.arpa. (39) (DF)
19:52:54.605368 10.26.0.10.32769 > 192.5.5.241.53: 60698 A? uumail.unt.edu.ar. (35) (DF) [tos 0x4]
19:52:54.634115 10.26.0.10.32769 > 192.5.5.241.53: 30349[|domain] (DF) [tos 0x4]
2410 packets received by filter
0 packets dropped by kernel
note: in 106 days of uptime, this particular host inside the f-root cluster
has discarded the following:
rule# packets --octets-- -------------rule--------------------
00400 6446004 428112547 deny ip from 10.0.0.0/8 to any in
00500 5874604 369667080 deny ip from 172.16.0.0/12 to any in
00600 8367728 546972348 deny ip from 192.168.0.0/16 to any in
this seems excessive, and so i've been assuming that it was all vijay's
fault. but apparently it's not him. so which one of you isn't filtering
1918 at your edge? (oops, it's all of you, isn't it?)
--
Paul Vixie
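
An added example, not part of the original post: a Python tally of a capture like the one above by RFC 1918 source block, query type and source port 53. The function names are assumptions made for illustration; the sample lines come from the capture above except the two marked as constructed.

```python
import ipaddress
import re
from collections import Counter

# The three RFC 1918 blocks, matching the deny rules shown in the post.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Old-style tcpdump line: "<ts> <src>.<sport> > <dst>.<dport>: <rest>"
LINE = re.compile(r"^\S+ (\d+\.\d+\.\d+\.\d+)\.(\d+) > "
                  r"(\d+\.\d+\.\d+\.\d+)\.(\d+): (.*)$")
QUERY = re.compile(r"([A-Z0-9]+)\? (\S+)")  # e.g. "MX? rogers.com."

# First six lines are from the capture above; the last two are constructed.
SAMPLE = """\
19:52:53.787244 10.9.10.250.53 > 192.5.5.241.53: 29644 MX? rogers.com. (29)
19:52:54.487335 10.40.1.29.53 > 192.5.5.241.53: 10970 [b2&3=0x400] A? czdm01.bauholding.com. (39)
19:52:54.227294 172.22.26.5.53 > 192.5.5.241.53: 5298 A? autodesk.com. (30)
19:52:54.491791 192.168.0.2.1033 > 192.5.5.241.53: 4574 A? velu.neuro6.com. (33)
19:52:54.553784 192.168.192.49.47768 > 192.5.5.241.53: 34671 PTR? 36.7.7.4.in-addr.arpa. (39) (DF)
19:52:54.634115 10.26.0.10.32769 > 192.5.5.241.53: 30349[|domain] (DF) [tos 0x4]
19:52:54.700000 172.32.0.1.4242 > 192.5.5.241.53: 1111 A? example.com. (29)
19:52:54.800000 198.51.100.7.4243 > 192.5.5.241.53: 2222 A? example.net. (29)
""".splitlines()

def rfc1918_block(addr):
    """Return the RFC 1918 block containing addr, or None if it is outside all three."""
    ip = ipaddress.ip_address(addr)
    return next((str(net) for net in RFC1918 if ip in net), None)

def summarize(lines):
    """Tally RFC 1918-sourced packets by block, query type and source port 53."""
    by_block, by_qtype, from_port_53 = Counter(), Counter(), 0
    for line in lines:
        m = LINE.match(line.strip())
        block = rfc1918_block(m.group(1)) if m else None
        if block is None:
            continue  # unparsable line, or source outside RFC 1918 space
        by_block[block] += 1
        q = QUERY.search(m.group(5))
        # tcpdump prints "[|domain]" when the snap length cut the query off
        by_qtype[q.group(1) if q else "truncated"] += 1
        from_port_53 += m.group(2) == "53"
    return by_block, by_qtype, from_port_53

if __name__ == "__main__":
    blocks, qtypes, port53 = summarize(SAMPLE)
    print(dict(blocks), dict(qtypes), port53)
```

The constructed 172.32.0.1 line sits just outside 172.16.0.0/12 and is skipped, which checks the prefix boundary that a loose "172." string match would get wrong.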
