is your host or dhcp server sending dns dynamic updates for rfc1918?

this was sent personally, but i'm responding to the list:

  I noticed ~550 addresses from several /16's that I manage on the list. The
majority of the addresses were commercial broadband customers that have
static IP address assignments and appear to be running linksys/netgear/smc
broadband routers doing NAT (likely running internal DHCP servers).

a common enough configuration.

  I believe I understand what's happening, but how can I go about fixing
this? Is this Win2k/XP's fault, Linksys' fault, my fault....? Real
question: How do I go about preventing customer Windows machines behind
customer nat boxes from DDoSing root servers with Windoze "Dynamic Updates"?
You mentioned capturing this request, but I'm (perhaps blindly) missing the
"how" part of that concept.

if rfc1918 addressing is in use inside your AS (a foregone conclusion),
then it's your responsibility to install "covering routes" at the IP layer
so that any traffic with that destination will die at your border. if you
can also run URPF on your border routers so that packets with that _source_
will die at your border, so much the better. (i mention this not because
it answers your question but because our flow stats here tell me that most
other AS's don't handle their own rfc1918 traffic at their own border.)

since rfc1918 addressing is in use inside your AS, i recommend that you
install a route for, put some kind of dns servers on the
.1, .6, and .42 addresses in that block, and watch the syslog file, and
have your customer service (or abuse desk) folks work on educating your

i apologize for indicating that an AS owner ought to have been capturing
DNS updates for rfc1918 PTR's, since up until we put the servers into an
anycast block, this wasn't possible. now that it's possible, you should
all start doing it.

BTW, what was the time frame on that list? Hours, days, weeks?

four hours.
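
One way to pick out the captured updates discussed above, as an added example that is not part of the original message: it reads raw DNS payloads, keeps only UPDATE requests (opcode 5, RFC 2136) whose zone falls under the RFC 1918 reverse zones, and counts them per source so the abuse desk knows whom to contact. The function names, the build() helper and the sample packets (documentation addresses) are constructed for illustration.

```python
import struct
from collections import Counter

# Reverse zones covering 10/8, 172.16/12 and 192.168/16.
RFC1918_REVERSE = ["10.in-addr.arpa", "168.192.in-addr.arpa"] + [
    f"{n}.172.in-addr.arpa" for n in range(16, 32)]

def read_name(msg, off):
    """Decode an uncompressed DNS name at off; return the dotted, lowercased name."""
    labels = []
    while msg[off] != 0:
        n = msg[off]
        if n & 0xC0 or off + 1 + n > len(msg):
            raise ValueError("compressed, oversized or truncated label")
        labels.append(msg[off + 1:off + 1 + n].decode("ascii").lower())
        off += 1 + n
    return ".".join(labels)

def rfc1918_update_zone(msg):
    """Return the zone if msg is a DNS UPDATE request for an RFC 1918 reverse zone."""
    try:
        flags, zocount = struct.unpack("!HH", msg[2:6])
        zone = read_name(msg, 12)  # zone section starts right after the header
    except (struct.error, IndexError, ValueError, UnicodeDecodeError):
        return None
    # QR bit set means a response; opcode 5 is UPDATE; exactly one zone entry.
    if flags & 0x8000 or (flags >> 11) & 0xF != 5 or zocount != 1:
        return None
    hit = any(zone == z or zone.endswith("." + z) for z in RFC1918_REVERSE)
    return zone if hit else None

def tally_sources(packets):
    """Count RFC 1918 reverse-zone updates per source address."""
    return Counter(src for src, msg in packets if rfc1918_update_zone(msg))

def build(opcode, zone):
    """Constructed test message: header plus zone section only (type SOA, class IN)."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in zone.split("."))
    hdr = struct.pack("!6H", 0x1234, opcode << 11, 1, 0, 0, 0)
    return hdr + name + b"\0" + struct.pack("!2H", 6, 1)

# Constructed capture: (source address, UDP payload) pairs.
SAMPLE = [
    ("203.0.113.10", build(5, "1.168.192.in-addr.arpa")),
    ("203.0.113.10", build(5, "10.in-addr.arpa")),
    ("198.51.100.5", build(5, "example.com")),            # update, public zone
    ("198.51.100.6", build(0, "5.0.0.10.in-addr.arpa")),  # ordinary query
]
```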