nanog mailing list archives
Re: botted hosts
From: Paul Vixie <vixie () vix com>
Date: 04 Apr 2005 17:08:21 +0000
sean () donelan com (Sean Donelan) writes:
Do you want an Internet where your provider decides for you, with whom and when you are allowed to communicate? Or do you want to decide for yourself whether to accept or not accept the communication?
i want weak protocols restricted to LANs or at most campuses or ISPs. that means UDP/137, UDP/139, and TCP/25 at the moment. stay tuned, we might be adding more.

oh and as long as you're considering whether to restrict things to your LAN/campus/ISP, i'm ready to see rfc1918 filters deployed...

#sfo2b.f:i386# tcpdump -n -c 10 src net \( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 \)
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on fxp0, link-type EN10MB (Ethernet), capture size 96 bytes
16:55:10.349179 IP 172.16.1.2.1063 > 192.5.5.241.53: 5330 [1au] MX? mails.hu. (37)
16:55:10.351035 IP 172.16.8.1.1158 > 192.5.5.241.53: 3130 A? www.consumerinput.com. (39)
16:55:10.351528 IP 172.16.8.1.1158 > 192.5.5.241.53: 5184 A? www.consumerinput.com. (39)
16:55:10.352908 IP 172.16.8.1.1158 > 192.5.5.241.53: 15435 A? www.consumerinput.com. (39)
16:55:10.513272 IP 10.14.0.16.32768 > 192.5.5.241.53: 7623% [1au] A? smtp107.apmailer.com. (49)
16:55:10.609281 IP 10.204.1.19.1075 > 192.5.5.241.53: 8176 [1au] PTR? 25.2.0.192.in-addr.arpa. (52)
16:55:10.669655 IP 192.168.240.250.33753 > 192.5.5.241.53: 29750 A? as.adwave.com.L19212.wflu.com. (47)
16:55:10.750369 IP 10.8.224.32.59429 > 192.5.5.241.53: 44783% [1au] A6? ns.mint.net. (40)
16:55:10.770704 IP 192.168.240.250.33753 > 192.5.5.241.53: 56680 A? img07.allegro.pl. (34)
16:55:10.770709 IP 192.168.240.250.33753 > 192.5.5.241.53: 61108 A? img10.allegro.pl. (34)
10 packets captured

hell, as long as we're making a list of the things sender-side network admins should filter on their end since they're inappropriate for the wide area, could we increase the readership of BCP38 (if your hair isn't pointy) and/or SAC004 (otherwise)? oh and if 15,000 of your dsl-connected hosts all start sending one packet per second to the same distant endpoint, please stop them.

senders and sender-isp's have a long list of things they have to do in order to not be compared to toxic polluters (a term i believe michael rathbun coined for use in this context, and for which i am thankful.) don't try to make this about right-to-communicate or who-gets-to-decide.

--
Paul Vixie
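Added example, not part of the original message: a Python script that counts RFC 1918-sourced packets in `tcpdump -n` output like the capture in the post, grouped by private block and by source address, so an operator can see which internal hosts are leaking past an egress filter. The function names, the regex and the last two sample lines are assumptions made for this example.

```python
import ipaddress
import re
from collections import Counter

# RFC 1918 private ranges: the same three prefixes as the tcpdump filter in the post.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# tcpdump -n IPv4 line with ports: "<time> IP <src>.<sport> > <dst>.<dport>: ..."
LINE = re.compile(r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")

def rfc1918_block(addr):
    """Return the RFC 1918 prefix containing addr, or None if addr is not private."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # e.g. an octet above 255 in a damaged log line
        return None
    for net in RFC1918:
        if ip in net:
            return str(net)
    return None

def summarize(lines):
    """Count packets per RFC 1918 block and per source; skip lines that do not parse."""
    per_block, per_source = Counter(), Counter()
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        block = rfc1918_block(m.group(1))
        if block:
            per_block[block] += 1
            per_source[m.group(1)] += 1
    return per_block, per_source

# First six lines are copied from the capture in the post. The last two are
# constructed: 172.32.0.9 sits just outside 172.16.0.0/12, 192.0.2.10 is TEST-NET-1.
SAMPLE = """\
16:55:10.349179 IP 172.16.1.2.1063 > 192.5.5.241.53: 5330 [1au] MX? mails.hu. (37)
16:55:10.351035 IP 172.16.8.1.1158 > 192.5.5.241.53: 3130 A? www.consumerinput.com. (39)
16:55:10.351528 IP 172.16.8.1.1158 > 192.5.5.241.53: 5184 A? www.consumerinput.com. (39)
16:55:10.513272 IP 10.14.0.16.32768 > 192.5.5.241.53: 7623% [1au] A? smtp107.apmailer.com. (49)
16:55:10.770704 IP 192.168.240.250.33753 > 192.5.5.241.53: 56680 A? img07.allegro.pl. (34)
16:55:10.770709 IP 192.168.240.250.33753 > 192.5.5.241.53: 61108 A? img10.allegro.pl. (34)
16:55:11.000001 IP 172.32.0.9.4000 > 192.5.5.241.53: 1 A? example.com. (29)
16:55:11.000002 IP 192.0.2.10.4001 > 192.5.5.241.53: 2 A? example.com. (29)
"""

if __name__ == "__main__":
    print(summarize(SAMPLE.splitlines()))
```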