someone from attbi please contact me regarding host 24.129.84.175

noc@ and abuse@ are ignoring me as usual, so i'm spamming nanog@ in
hopes of locating attbi clue. i need somebody who can educate one of
your customers who is dns-updating me.

re:

[fh:i386] grep -c 'client 24.129.84.175.*update.*denied' messages
74
[fh:i386] zgrep -c 'client 24.129.84.175.*update.*denied' messages.?.gz
messages.0.gz:67
messages.1.gz:43
messages.2.gz:106
messages.3.gz:206
messages.4.gz:215
messages.5.gz:104

PS. why is this so hard?

> noc@ and abuse@ are ignoring me as usual, so i'm spamming nanog@ in
> hopes of locating attbi clue. i need somebody who can educate one of
> your customers who is dns-updating me.

ATT Broadband was sold to Comcast a while ago. There is no more attbi
clue.

If you find someone, add these to the list of misconfigured Windows
users trying to "update" other people's DNS servers.

acl "bogon" {
        // Annoying dynamic DNS updates from these addresses
        68.39.224.6;
        68.38.156.178;
        68.38.152.156;
        68.38.158.209;
};

> PS. why is this so hard?

Are you talking about the kitchen sink protocol called DNS, or trying
to contact another ISP, or the sociological difficulties of educating
the general public how to configure very complicated "personal" computers
and software without making a mistake?

Why is dynamic DNS update enabled by default on some operating systems?
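As an added example (not code from any poster on this thread), the following Python script does the triage Paul's grep and Sean's acl do by hand: it counts BIND's "update denied" log lines per client and per zone and renders an acl block listing repeat offenders. The syslog lines, the host name "fh" and the zone names in it are constructed for the example.

```python
"""Triage BIND 'update denied' syslog lines (RFC 2136 dynamic updates that
the server refused), then emit a named.conf acl for repeat offenders.

The message format ("client A.B.C.D#port: update 'zone/IN' denied") is the
one BIND 9 logs under its update-security category."""
import re
from collections import Counter

# Constructed sample syslog lines (hypothetical host "fh", hypothetical zones).
SAMPLE_LOG = """\
Oct  1 03:14:07 fh named[812]: client 24.129.84.175#1053: update 'example.net/IN' denied
Oct  1 03:14:09 fh named[812]: client 24.129.84.175#1053: update 'example.net/IN' denied
Oct  1 03:15:22 fh named[812]: client 68.39.224.6#4211: update 'example.net/IN' denied
Oct  1 03:16:40 fh named[812]: client 192.0.2.10#53000: query: www.example.net IN A +
Oct  1 03:17:01 fh named[812]: client 24.129.84.175#1054: update 'example.org/IN' denied
"""

DENIED_RE = re.compile(
    r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+: update '(?P<zone>[^']+)/IN' denied")


def summarize(log_text):
    """Return (per_client, per_zone) Counters of denied dynamic updates."""
    per_client, per_zone = Counter(), Counter()
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m is None:
            continue  # ordinary queries and other noise are not update attempts
        per_client[m["ip"]] += 1
        per_zone[m["zone"]] += 1
    return per_client, per_zone


def acl_block(per_client, name="bogon", threshold=2):
    """Render a named.conf acl listing clients seen at least `threshold` times."""
    offenders = sorted(ip for ip, n in per_client.items() if n >= threshold)
    lines = [f'acl "{name}" {{',
             "        // Clients repeatedly sending dynamic DNS updates"]
    lines += [f"        {ip};" for ip in offenders]
    lines.append("};")
    return "\n".join(lines)


if __name__ == "__main__":
    clients, zones = summarize(SAMPLE_LOG)
    for ip, n in clients.most_common():
        print(f"{n:6d}  {ip}")
    print(acl_block(clients))
```

Rotated messages.N.gz files can be fed to summarize() by reading them through gzip.open() in text mode.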

In previous mail, Sean Donelan said:

> Are you talking about the kitchen sink protocol called DNS, or trying
> to contact another ISP, or the sociological difficulties of educating
> the general public how to configure very complicated "personal" computers
> and software without making a mistake?

Unfortunately, telling end users to disable a default setting is
rather difficult these days. It's too bad that Microsoft hasn't
addressed this issue in the past several years that it has been
an enabled-by-default option.

> Why is dynamic DNS update enabled by default on some operating systems?

Back in beta days, the official explanation given was that the DNS
updating was a "value add" and that it would never be disabled as
a default as a courtesy to corporate customers. Furthermore, MSFT
folks have repeatedly said that the workaround is to simply configure
your nameserver to silently ignore the error logs.

Neat policy, eh? I would assume that the dynamic updating feature
is something easily toggled via a registry script; larger ISPs ought
to include this "fix" as an option with their installation CDs. Alas,
we get back to the ongoing debate: adjust user prefs for them, for
their own good... or get the vendor to cooperate?

- Tim

When will entities that implement "solutions" that cause damage on a
global scale be held accountable? The Dynamic DNS problem with Windows
boxes makes me think someone thought it would be a good idea, but didn't
really think it through. The Verisign wildcard decision seems to be along
the same lines. I doubt anyone thought there would be a class action
lawsuit when they made the change.

It reminds me of the Netgear and U of Wisconsin time server SNAFU.
http://www.cs.wisc.edu/~plonka/netgear-sntp/

jas

http://puck.nether.net/netops/nocs.cgi?ispname=Comcast

Comcast Business Communications, Inc. comcastbusiness.net 13385
888-205-5000 Op noc@comcasttel.net 24 x 7

try comcast.net... email switched over 6 months ago.

Paul,

I've forwarded it to a contact of ours at abuse who should be able to get it taken care of. I also forwarded the other one from Sean.

- Matt

> PS. why is this so hard?

> Are you talking about the kitchen sink protocol called DNS, or ...

Specifically, I want to know why Comcast makes itself so hard to reach.
I'll bet I could get them to talk to me about this host if it were DDoS'ing
me, or if I aggressively NMAP'd it at 25Mbits/sec for 48 hours straight.

But because the problem is "non-serious" they do not even reply to e-mail.
Trouble is, it's *their* definition of "serious" being applied, while *I*
am the one receiving this traffic.

What this has in common with spam is that a company wants margin from last mile
transit but won't incur the reasonable and customary costs of policing their
customers. They expect to get margin on 10,000,000 customers but only incur
"customer care" costs on a 10,000 customer basis. This is what I meant in
the bad old days when I called spam a form of "cost shifting" or "conversion".
Simply put, because Comcast can't be bothered, everyone else on the 'net pays
their avoided costs in various indirect ways.

In amusement parks there's often a sign saying "you must be at least 42 inches
tall to ride this roller coaster". Sadly, there is no equivalent in ISPland,
and anybody who can accrete or capture customers is allowed to ride.

> Why is dynamic DNS update enabled by default on some operating systems?

Microsoft's culpability in this mess is not even on my mind today. They will
at least talk about their role in the situation, so they're more responsible
than Comcast this week.

> Back in beta days, the official explanation given was that the DNS
> updating was a "value add" and that it would never be disabled as
> a default as a courtesy to corporate customers. Furthermore, MSFT
> folks have repeatedly said that the workaround is to simply configure
> your nameserver to silently ignore the error logs.

Well, I'm not going to disable that logging since it has been useful
in signalling real attacks in the past. But the thing Microsoft needed
to do with this was ensure that whoever is pirating my domain names on
their home PCs gets error message popups telling them to go to MSN and
buy a real domain name. That is, they could be making money here rather
than just giving my syslogd a headache. If MSFT would behave more greedily
then their customer PCs would be contacting them rather than me, right?

The only way to reach Comcast (in my experience) is to get a phone number from
the customer having a problem. Sometimes that is slightly more helpful.

In the recent DC power outage it was clear that my power company did not want
to be reachable. The same is true for at least a couple of the domain registrars
(not Verisign in this case :).

My guess is that being unreachable is company policy. Perhaps there is someone
on the list that could clarify the company's policy in this regard.

> > PS. why is this so hard?
>
> Are you talking about the kitchen sink protocol called DNS, or ...

> Specifically, I want to know why Comcast makes itself so hard to reach.
> I'll bet I could get them to talk to me about this host if it were DDoS'ing
> me, or if I aggressively NMAP'd it at 25Mbits/sec for 48 hours straight.

[cut]

> Specifically, I want to know why Comcast makes itself so hard to reach.
> I'll bet I could get them to talk to me about this host if it were DDoS'ing
> me, or if I aggressively NMAP'd it at 25Mbits/sec for 48 hours straight.

Based on the comments in many forums, I think that is a sucker bet.
It's always been hard for non-customers to reach any ISP. Have you talked
to your upstream provider about your problem? Perhaps your upstream ISP
could block port 53 for you?

I've been talking about the problem for 10 years. I don't think it has
gotten any better or worse.

> But because the problem is "non-serious" they do not even reply to e-mail.
> Trouble is, it's *their* definition of "serious" being applied, while *I*
> am the one receiving this traffic.

Other than auto-responders, how often do ISPs respond to e-mail from
non-customers? Customers can't even contact some ISPs by e-mail, you
must fill out a special web form.

Is your definition of *serious* the same as other people's definition
of *serious*? Ranking all the *serious* problem reports received every
day, how does your *serious* report rank? Higher or lower than the FBI,
spam, the latest e-bay scam, a 25Meg nmap scan for 48 hours straight or
wildcards in the .COM zone?

> What this has in common with spam is that a company wants margin from last mile
> transit but won't incur the reasonable and customary costs of policing their
> customers. They expect to get margin on 10,000,000 customers but only incur
> "customer care" costs on a 10,000 customer basis. This is what I meant in
> the bad old days when I called spam a form of "cost shifting" or "conversion".
> Simply put, because Comcast can't be bothered, everyone else on the 'net pays
> their avoided costs in various indirect ways.

Comparing things to spam is a good way to stir up emotion, but doesn't
help the discussion very much.

How should an ISP tell the difference between "good" DNS packets and "bad"
DNS packets?

It's the fact the recipient doesn't want to receive the packet for
whatever reason, not that the packet itself is "bad." If the ISP
blocked people from doing dynamic DNS updates, I imagine someone would
complain about blocking Dynamic DNS instead. Heck there are companies
that make their business out of enabling people to dynamically update
their DNS records.

What is needed is for individuals to be able to signal "packet blocking"
on a one-to-one basis. What makes the packets "bad" isn't any technical
reason. If you had Comcast at your house and wanted to dynamically update
your DNS server over the Internet, why should Comcast block you from doing
that?

You aren't complaining about your dynamic update packets or even all
dynamic updates. You are complaining about someone sending you packets
you don't want. And more precisely, you are complaining that Comcast is
failing to send you other packets you want to receive, i.e. a response to
your e-mail packets.

Currently, the most common method is the recipient drops the packets
after receiving them. Blocking at the source is difficult, and often
involves layer 8, 9, 10 issues, such as identifying the source,
identifying the "bad" packets, deciding if the packet violates a RFC, TOS,
AUP, etc. Should the sender be blocked from sending packets to anyone,
or just the one person who doesn't want to receive the packets?

Is misconfiguring your Microsoft Windows system a criminal violation
deserving prison or fines? Should the sentencing guidelines take into
account if you use a Macintosh or Linux system instead of Microsoft?

> Why is dynamic DNS update enabled by default on some operating systems?

> Microsoft's culpability in this mess is not even on my mind today. They will
> at least talk about their role in the situation, so they're more responsible
> than Comcast this week.

If you just want to talk about it, OK. Let's talk. We can talk for years
without doing anything. Meanwhile more and more people are installing
Microsoft Windows bleah with the same default settings.

For the same reasons ISC won't change the default settings in BIND, I
wouldn't be surprised that Microsoft made the same arguments for not
changing the default settings in Windows. It was only after Sendmail
and the other mailers changed the default settings in their products
that the increase of open mailers slowed down. Why could Sendmail
change its defaults, but other vendors won't change their product
defaults?

http://www.caida.org/outreach/presentations/2003/wiapp03/sdu.wiapp03.slides.pdf

I've been thinking how to use ICMP to signal different types of
responses; and even how "smart" edges on both ends of a communication
could establish and enforce policies. Most of these are non-malicious
communications involving misconfigured systems. Edge communications
avoids problems with the host system, but has problems with multi-path
communications and source validation.

Paul,

How about just configuring your BIND to return errors to his queries
against your server? He has got to be using you as either a primary or
secondary name server. That would make everything on that machine suddenly
come to a grinding halt as nothing would resolve anymore.

I used to do that to customers who didn't turn off dynamic dns updates. It
got their attention quick.

No, that's not how it works... (at least, the Win2K/XP-style of this)

It works based on the system's hostname. If you set your Windoze hostname to
blah.domain.com, then the server in domain.com's SOA is going to get blasted
with all those RFC 2136 updates.

In your case, I'm guessing your customers had (automatic DNS configuration
through DHCP? PPP?) a hostname in your domain, so that's actually why the
updates went your way, not because you were their primary/secondary DNS in
their DNS config.

Vivien

I think the solution is for those DNS operators affected who have not
signed an EULA for the system that is hammering their DNS to sue Micr0$0ft
for the costs incurred in dealing with the issue. Making Micr0$0ft
play legal whack-a-mole may be the only strategy with a chance of success
here.

(I recommend small claims so that worst case, your down side is minimal).

Owen

The difference is that Netgear admitted responsibility and worked with
UW to cope with the issue. Further, Netgear has funded UW in its
cleanup efforts and generally stepped up to the plate. As much as I don't
care for Netgear's products, they did show decent corporate responsibility
when UW was able to escalate to the appropriate management at Netgear.

Micr0$0ft, on the other hand, has consistently said "You just have to cope
with whatever we do to you, and, it's your problem." This is a very
different corporate attitude. In my opinion, that attitude deserves to
be severely punished.

Owen