Network Operators and smurf

Thus spake Karl Denninger

I will remove those blocks when I can PROVE that they can no longer be used
as a smurf amplifier. To date, NOBODY on the list has come forward and said
"we've audited and fixed, please remove the block".

I have got one site to fix their routers. It's the DISA Information Systems
Center on netblock 131.80.0.0. I explained the situation and gave them
a few pointers. A few days laterthey had fixed it and they no longer
act as an amplifier. Very satisfying.

Another one, 142.21.0.0, bounced my email but they seem to have fixed
their routers anyway. Perhaps someone local called them up and harrassed
them about it.

PSU (which is on the list) said "we're looking into it" but that was more
than two weeks ago! How long does it take to telnet into your routers and
check the ethernet interfaces for the correct configuration? A day or so?
Perhaps, even if you have a HUGE netwokr.

Perhaps when pointing at problem networks, just mention the netblock.
That way we can compare it with our own lists.

Here's one that seems particularly troublesome and I know it is in your
list as well.

----129.115.255.255 PING Statistics----
2 packets transmitted, 2 packets received, +110 duplicates, 0% packet loss
In Karl's list
   
route: 129.115.0.0/16
descr: University of Texas at San Antonio
descr: 7000 NW Loop 1604
descr: San Antonio
descr: TX 78285, USA
origin: AS3354
comm-list: COMM_NSFNET
advisory: AS690 1:1800 2:1239
mnt-by: MAINT-AS3354
changed: selina@ans.net 951010
source: RADB

University of Texas at San Antonio (UTSA-DOM)
   Computing Resources
   7000 NW Loop 1604
   San Antonio, TX 78285
      
   Domain Name: UTSA.EDU
      
   Administrative Contact:
      Massey, John (JM828) CRJWM@UTSA86.UTSA.EDU
      (512) 691-4555
   Technical Contact, Zone Contact:
      Dominguez, Joaquin (JD386) 3CRJXD@UTSA86.UTSA.EDU
      (512) 691-4555

   Record last updated on 09-Sep-93.
   Record created on 14-Dec-90.
   Database last updated on 15-Apr-98 03:43:36 EDT.

   Domain servers in listed order:

   JULIET.UTSA.EDU 129.115.102.150
   NS1.OAR.NET 192.88.193.144

Looks to me like they have been running on autopilot for 5 years. I
sent email to the contact addresses and, since I had doubts that they
were valid addresses, I copied root and hostmaster. Root and hostmaster
bounced and the others seem to have been completely ignored. Perhaps
someone closer to them can poke around and see what the situation is.

This is great because each success has a significant overall effect.

Here's one that seems particularly troublesome and I know it is in your
list as well.

----129.115.255.255 PING Statistics----
2 packets transmitted, 2 packets received, +110 duplicates, 0% packet loss
In Karl's list

Look on the bright side, it could have been 64,000 duplicates. ;-}

descr: University of Texas at San Antonio
descr: San Antonio
descr: TX 78285, USA

Perhaps someone closer to them can poke around and see what the situation
is.

I am closer (we share the same backbone). I forwarded your note to my
contact over there.

Your good net neighbor,
-bryan
hostmaster@capnet.state.tx.us

>
> Here's one that seems particularly troublesome and I know it is in your
> list as well.
>
> ----129.115.255.255 PING Statistics----
> 2 packets transmitted, 2 packets received, +110 duplicates, 0% packet loss
> In Karl's list

Look on the bright side, it could have been 64,000 duplicates. ;-}

Aieeeeeeeee!

> descr: University of Texas at San Antonio
> descr: San Antonio
> descr: TX 78285, USA
>
> Perhaps someone closer to them can poke around and see what the situation
> is.

I am closer (we share the same backbone). I forwarded your note to my
contact over there.

Your good net neighbor,
-bryan
hostmaster@capnet.state.tx.us

Well, I don't expect much.

On the other hand, it appears that at least a few of the networks on my
"hall of shame" list are cleaning up their acts. If you're one of those
folks, please contact our NOC and let them know so we can take you off the
router block and web listing.