Mailing List Archive

Alternic takes over Internic traffic
Re: Alternic takes over Internic traffic
[shock - operational ingredient to DNS issue on NANOG]

I feel that a convenient way to filter out crud that pollutes
your DNS (or any other crud for that matter) might be:
a) Configure a normally non-BGP speaking router in your IGP to
run BGP under AS (say) 7778.
b) Static the routes to all alternic's primary name servers to null0:
(or better to a non-existent IP on an ethernet interface)
c) redistribute these statics into BGP through a routemap if necessary.
d) Set up peering with a router running BGP tagging the routes as
no-export (make sure you don't distribute them to peers or customers).

(credit to Paul Vixie for the "how to blackhole traffic" for spam
reasons which I've borrowed here - *PAUL DID NOT RECOMMEND DOING THIS
FOR DNS TRAFFIC - THIS IS ENTIRELY MY IDEA*).

We're just about to do this. I'll tell you how it goes.

Alex Bligh
Xara Networks
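The four steps above, written out as one Cisco IOS configuration for the trigger router. This is an added, constructed example, not Xara's or Alex's actual config. Assumed values: AS 7778 for the trigger router (as in the post), 64512 as a placeholder for the network's own AS, 10.0.0.1 as the border router that already speaks BGP, and 192.0.2.0/24 (a documentation prefix) standing in for the addresses to sink.

```cisco
! Constructed example, not Xara's configuration. Assumed values:
!   AS 7778      trigger router, as in the post
!   AS 64512     placeholder for the network's own AS
!   10.0.0.1     border router that already speaks BGP
!   192.0.2.0/24 documentation prefix standing in for the servers to sink
!
! Step b: sink the prefix locally. Leave "ip unreachables" on Null0 so
! internal hosts get an ICMP host-unreachable rather than a silent drop.
ip route 192.0.2.0 255.255.255.0 Null0 tag 666
!
! Step c: only statics carrying the blackhole tag are redistributed, and
! they are marked no-export so the border router never hands them to
! peers or customers.
route-map BLACKHOLE permit 10
 match tag 666
 set community no-export
!
! Steps a and d: the trigger router speaks BGP to the border router only.
! ebgp-multihop is there because the two are assumed not to be adjacent.
router bgp 7778
 redistribute static route-map BLACKHOLE
 neighbor 10.0.0.1 remote-as 64512
 neighbor 10.0.0.1 ebgp-multihop 255
 neighbor 10.0.0.1 send-community
```

The border router needs a matching neighbor statement (and ebgp-multihop) for 7778, and it is worth checking with "show ip bgp 192.0.2.0" there that the route arrived carrying the no-export community with the trigger router as next hop; inside the network the packets then flow to the trigger router and die on Null0.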
Re: Alternic takes over Internic traffic
> (credit to Paul Vixie for the "how to blackhole traffic" for spam
> reasons which I've borrowed here - *PAUL DID NOT RECOMMEND DOING THIS
> FOR DNS TRAFFIC - THIS IS ENTIRELY MY IDEA*).

All true, except that Andrew Partan and Brett Watson worked out the black
hole technology that I've been handing to Cisco owners. All Cisco wizardry
which occurs in my presence is the result of other people's brains not mine.
I'm a GateD diehard, Cisco's command language makes me queasy and uneasy.

> We're just about to do this. I'll tell you how it goes.

It won't help. DNS pirates don't need connectivity to your hosts to infect
your caches, they need connectivity to _other_ people's hosts.
Re: Alternic takes over Internic traffic
> http://www.news.com/News/Item/0,4,12382,00.html

fyi:

Date: Tue, 15 Jul 1997 11:54:02 -0700
From: paul@vix.com
X-Mailer: Mozilla 3.0Gold (X11; I; OSF1 V4.0 alpha)
MIME-Version: 1.0
To: courtm@cnet.com
CC: paul@vix.com
Subject: http://www.news.com/News/Item/0,4,12382,00.html
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

AlterNIC didn't invent the hack that corrupted the www.internic.net
name. I published a paper on this three years ago, which you can read
in PostScript(tm) form at

ftp://ftp.vix.com/pri/vixie/bindsec.psf

Note that the bug AlterNIC exploited is the same one covered by several
recent Internet mailing list security bulletins. No one associated with
AlterNIC is smart enough to have figured out any of this by themselves.

Recent versions of BIND (4.9.6 and 8.1.1) which are available via...

http://www.isc.org/isc/

...fix the programming error which allowed this corruption to occur.
Re: Alternic takes over Internic traffic
Since we run OSPF internally, we find it easier to do this by
setting up a 2501 (dedicated to the task) with static routes
pointing into a loopback interface which is filtered with an
access list to block all packets. The static routes are
redistributed into OSPF, which causes each static to suck
packets bound from anywhere in our network into the filter,
kill them, and log them. Of course, there is no risk of the
OSPF leaking to the outside world, though it covers our network
nicely, and we get logging of attempted replies to these
sites. Since OSPF is nicely classless, we block anything from
a /32 up...

-Dorn Hetzel
Epoch Internet

On Tue, Jul 15, 1997 at 04:36:58PM +0100, Alex.Bligh wrote:
> [shock - operational ingredient to DNS issue on NANOG]
>
> I feel that a convenient way to filter out crud that pollutes
> your DNS (or any other crud for that matter) might be:
> a) Configure a normally non-BGP speaking router in your IGP to
> run BGP under AS (say) 7778.
> b) Static the routes to all alternic's primary name servers to null0:
> (or better to a non-existent IP on an ethernet interface)
> c) redistribute these statics into BGP through a routemap if necessary.
> d) Set up peering with a router running BGP tagging the routes as
> no-export (make sure you don't distribute them to peers or customers).
>
> (credit to Paul Vixie for the "how to blackhole traffic" for spam
> reasons which I've borrowed here - *PAUL DID NOT RECOMMEND DOING THIS
> FOR DNS TRAFFIC - THIS IS ENTIRELY MY IDEA*).
>
> We're just about to do this. I'll tell you how it goes.
>
> Alex Bligh
> Xara Networks
>
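Dorn's OSPF variant as one constructed Cisco IOS configuration for the dedicated sink router. This is an added example, not Epoch's config. Assumed values: Loopback1 as the sink interface, 192.0.2.10 and 192.0.2.11 (documentation addresses) standing in for the name servers being sunk, and 10.0.0.0/16 as the internal OSPF area 0 range. It follows Dorn's description: packets routed into the loopback hit its inbound access list, which denies and logs them.

```cisco
! Constructed example, not Epoch's configuration. Assumed values:
!   Loopback1              the sink interface on the dedicated router
!   192.0.2.10, .11        documentation addresses for the servers to sink
!   10.0.0.0/16            the internal OSPF area 0 range
!
! The sink: every packet that lands here is denied and logged.
interface Loopback1
 ip address 10.255.255.1 255.255.255.255
 ip access-group 100 in
!
access-list 100 deny ip any any log
!
! Host routes into the sink; OSPF carries /32s without complaint.
ip route 192.0.2.10 255.255.255.255 Loopback1
ip route 192.0.2.11 255.255.255.255 Loopback1
!
! "subnets" is required, otherwise OSPF redistributes only classful
! networks and the /32s above never leave this router.
router ospf 1
 network 10.0.0.0 0.0.255.255 area 0
 redistribute static subnets
!
! Keep the access-list hits in the local buffer; point "logging <host>"
! at a syslog server if you want them kept.
logging buffered 16384
```

"show ip route 192.0.2.10" on any internal router should now show an OSPF external route back to the sink router, and "show access-lists 100" on the sink counts what has been swallowed; the log lines tell you which internal hosts are still trying to talk to those addresses.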
Re: Alternic takes over Internic traffic
Now that's a strategy I like. Thanks Dorn; that's both elegant and easy to
implement, it's cheap, and it works.

--
Karl Denninger (karl@MCS.Net)| MCSNet - The Finest Internet Connectivity
http://www.mcs.net/~karl | T1's from $600 monthly to FULL DS-3 Service
| 99 Analog numbers, 77 ISDN, http://www.mcs.net/
Voice: [+1 312 803-MCS1 x219]| NOW Serving 56kbps DIGITAL on our analog lines!
Fax: [+1 312 803-4929] | 2 FULL DS-3 Internet links; 400Mbps B/W Internal

On Tue, Jul 15, 1997 at 05:17:58PM -0400, Dorn Hetzel wrote:
>
> Since we run OSPF internally, we find it easier to do this by
> setting up a 2501 (dedicated to the task) with static routes
> pointing into a loopback interface which is filtered with an
> access list to block all packets. The static routes are
> redistributed into OSPF, which causes each static to suck
> packets bound from anywhere in our network into the filter,
> kill them, and log them. Of course, there is no risk of the
> OSPF leaking to the outside world, though it covers our network
> nicely, and we get logging of attempted replies to these
> sites. Since OSPF is nicely classless, we block anything from
> a /32 up...
>
> -Dorn Hetzel
> Epoch Internet
>
> On Tue, Jul 15, 1997 at 04:36:58PM +0100, Alex.Bligh wrote:
> > [shock - operational ingredient to DNS issue on NANOG]
> >
> > I feel that a convenient way to filter out crud that pollutes
> > your DNS (or any other crud for that matter) might be:
> > a) Configure a normally non-BGP speaking router in your IGP to
> > run BGP under AS (say) 7778.
> > b) Static the routes to all alternic's primary name servers to null0:
> > (or better to a non-existent IP on an ethernet interface)
> > c) redistribute these statics into BGP through a routemap if necessary.
> > d) Set up peering with a router running BGP tagging the routes as
> > no-export (make sure you don't distribute them to peers or customers).
> >
> > (credit to Paul Vixie for the "how to blackhole traffic" for spam
> > reasons which I've borrowed here - *PAUL DID NOT RECOMMEND DOING THIS
> > FOR DNS TRAFFIC - THIS IS ENTIRELY MY IDEA*).
> >
> > We're just about to do this. I'll tell you how it goes.
> >
> > Alex Bligh
> > Xara Networks
> >
Re: Alternic takes over Internic traffic
>>>>> On Tue, 15 Jul 1997 at around 17:17:58,
>>>>> "DH" == Dorn Hetzel penned:

DH> Since we run OSPF internally, we find it easier to do this by
DH> setting up a 2501 (dedicated to the task) with static routes
DH> pointing into a loopback interface which is filtered with an
DH> access list to block all packets. The static routes are
DH> redistributed into OSPF, which causes each static to suck
DH> packets bound from anywhere in our network into the filter,
DH> kill them, and log them. Of course, there is no risk of the
DH> OSPF leaking to the outside world, though it covers our network
DH> nicely, and we get logging of attempted replies to these
DH> sites. Since OSPF is nicely classless, we block anything from
DH> a /32 up...

If you have a smaller network and still want the ability to do this
(e.g. singly-homed site) just route the networks concerned to
nowhere on your gateway router

ip route a.b.c.d w.x.y.z Null0

route add net a.b.c.d <local or null IP address> 1

This won't stop the DNS hack from polluting your servers (u/g the
software :) but I don't think my Linux box needs to contact DNS
pirates ;-}

DH> -Dorn Hetzel
DH> Epoch Internet

Cheers,

Lyndon



--
Penis Envy is a total Phallusy.
Re: Alternic takes over Internic traffic
> If you have a smaller network and still want the ability to do this
> (e.g. singly-homed site) just route the networks concerned to
> nowhere on your gateway router
>
> ip route a.b.c.d w.x.y.z Null0
>
> route add net a.b.c.d <local or null IP address> 1

Make sure that this is causing ICMP-Unreach-Host messages to be sent back
to your internal hosts who try to reach that net, and also make sure that
your mail server's TCP stack torpedoes its connection state (or even just
increments its retry timer and resends) when a SYN-ACK meets that ICMP.

Not all Cisco IOS revision levels behave the right way, and not all SunOS
kernels do the right thing when a SYN-ACK meets an ICMP-Unreach-Host. So
you can, if you're not careful, turn the above recommendation into a SYN
flood attack against your own internal servers.
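What the caveat above means on the router side, as an added, constructed Cisco IOS fragment (not Paul's or anyone else's config from the thread). Assumed: Null0 is the sink, as in Lyndon's "ip route ... Null0", and 192.0.2.10 is a documentation address standing in for a sunk server. The rate-limit command and its 500 ms default are an assumption about later IOS releases, not something the thread states.

```cisco
! Constructed example: make the sink behave the way Paul describes.
! Assumed: Null0 is the sink; 192.0.2.10 is a documentation address.
!
! Unreachables are on by default; this only guards against someone
! having turned them off on the sink interface. Without them the client
! sees a silent drop and keeps retransmitting its SYN.
interface Null0
 ip unreachables
!
! Assumption about later IOS: unreachables are rate-limited to one per
! 500 ms by default, so a burst of internal connection attempts mostly
! goes unanswered. A tighter interval lets each attempt fail fast.
ip icmp rate-limit unreachable 10
!
! Checks from the router:
!   show ip route 192.0.2.10     should resolve to Null0
!   show ip interface Null0      ICMP unreachables should be "always sent"
```

The check that actually matters is on the hosts: from an internal mail server, open a TCP connection to a sunk address (telnet 192.0.2.10 25) and confirm it fails at once with a host-unreachable error rather than hanging until the connection timer expires. A stack that hangs is the one that will queue up retries against the sink, which is the self-inflicted SYN flood Paul is warning about.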