[geeks] Fwd: [Incident 020324-000029] unroutable traffic bein g passed to my nameserver

geeks at sunhelp.org geeks at sunhelp.org
Sat Mar 30 07:13:50 CST 2002 

I am finding that a lot of providers are using private ip space. It is
unfortunate and dangerous for their users, but its happening.

As a rule, I always acl private ip space for a number of reasons. Usually, I
use private ip's, so it prevents spoofing and other problems.

As for their claim of router load, there is a small grain of truth to it.
Your particular acl won't load their routers much, but they operate by
policy, so if they do it for your they might be affraid they'll end up doing
it for everyone (a big problem). The golden rule of routing is to keep your
acl's as short as possible, as they can be a huge cpu load if they are using
cisco-style extended acl's.

Its a very simple deal to acl private ip space in your router and that
solves the problem.
James Fogg, Network Engineer
Vicinity Corporation - New Hampshire
(603) 442-1751

~ -----Original Message-----
~ From: alex j avriette [mailto:avriettea at speakeasy.net]
~ Sent: Friday, March 29, 2002 6:40 PM
~ To: geeks at sunhelp.org
~ Subject: [geeks] Fwd: [Incident 020324-000029] unroutable 
~ traffic being
~ passed to my nameserver
~ 
~ 
~ What's the truth in this, NOC-geeks?
~ 
~ alex
~ 
~ Begin forwarded message:
~ 
~ > From: abuse at speakeasy.net
~ > Date: Fri Mar 29, 2002  03:28:34 PM US/Eastern
~ > To: avriettea at speakeasy.net
~ > Subject: [Incident 020324-000029] unroutable traffic being 
~ passed to my 
~ > nameserver
~ >
~ >
~ > We are writing to inform you that we have just updated your 
~ Customer 
~ > Support inquiry.
~ >
~ > Please DO NOT reply to this email, as will not be able to 
~ respond to it 
~ > or provide additional support.
~ >
~ > To ensure that you receive a higher level of service, we 
~ kindly request 
~ > that you make further updates to or close your support request in 
~ > MySpeakeasy (http://www.speakeasy.net/myspeak).  Select Customer 
~ > Support from the navigation menu and go to the My Info tab to view.
~ >
~ > For your convenience, we have included a summary of the 
~ inquiry details 
~ > below.
~ >
~ > Thanks!
~ >
~ > The Speakeasy Crew
~ >
~ >
~ > Subject
~ > ---------------------------------------------------------------
~ > unroutable traffic being passed to my nameserver
~ >
~ > Suggested Answer
~ > ---------------------------------------------------------------
~ > At 03/29/2002 12:21 PM we wrote -
~ >
~ > Greetings,
~ >  I've spoken with our network engineers, and apparantly 
~ implementing 
~ > this would generate far too much load on our routers; same 
~ goes for our 
~ > upstream provider, Internap. It's definaly something we'd 
~ like to do, 
~ > but just isn't feasable with our current setup.
~ >
~ > Question
~ > ---------------------------------------------------------------
~ > I have gotten, since march 23 at 5:15 pm (which is to say 
~ 17 hours ago),
~ > 2410 unroutable packets (from 172.24.224.87 and 172.25.224.89). I've
~ > asked in the past, and I'm asking again now since I seem to 
~ be getting
~ > even more. Could you please filter traffic from private 
~ networks? There
~ > is no reason to route it, as replies are impossible, and 
~ the traffic is
~ > always private -- or malicious.
~ >
~ > It is specified in RFC 1918, which is available here:
~ >
~ > http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc1918.html
~ >
~ > A simple capture of the traffic from the two hosts 
~ mentioned above is
~ > available here:
~ >
~ > http://envy.posixnap.net/~alex/logs_for_abuse.txt
~ >
~ > I have been subject to two attacks in the last month or so, both of
~ > which involved Mb/s traffic from unroutable hosts. This traffic was
~ > either spoofed or erroneous, but it would save you and me 
~ both bandwidth
~ > and headaches if this traffic could just be dropped at your routers.
~ >
~ > Thanks for your time, and a reply would be appreciated.
~ >
~ > -alex
~ >
~ --
~ alex j avriette, perl hacker
~ avriettea at speakeasy.net
~ http://envy.posixnap.net/
~ >
~ >
~ >
~ >
~ > Question Reference #020324-000029
~ > ---------------------------------------------------------------
~ >      Product: Tech Support
~ >  Sub-Product: Security and Abuse
~ >      Contact: avriettea at speakeasy.net
~ > Date Created: 03/24/2002 07:45 AM
~ > Last Updated: 03/29/2002 12:28 PM
~ > Elapsed Time: 0 Minutes
~ >       Status: Closed
~ >           OS:
~ >
~ >
~ >
~ >
~ >
~ > Thanks,
~ >
~ > Henry Hurley
~ > Speakeasy Network Abuse
~ _______________________________________________
~ GEEKS:  http://www.sunhelp.org/mailman/listinfo/geeks
~

More information about the geeks mailing list