The "not long discussion" thread....

Jerry Pasker info at n-connect.net
Wed Apr 27 08:51:01 UTC 2005


Steve Sobol allegedly replied to my reply with:

>
>What were the router ACLs doing that the DNS server ACLs weren't/couldn't?
>

The ACLs were doing it for the entire server network.  Since I prefer 
my job as a  router-rat over everything else I do, I find it easiest 
to use the biggest hammer available to me when dealing with DoS 
attacks.  One router ACL vs. 10 server ACLs?  When I'm under attack 
I'll take the one router ACL.   Then, per their request, I added it 
to the networks that my colocation clients were on.  They were 
getting 0wn3d regularly, and it really simplified my life in a time 
when new BIND 8 exploits were coming out every 4 minutes.  The router 
ACLs made my life easier, not harder.  Besides, it's my ASN, and I 
can do what I want.  ;-)

Christopher L. Morrow allegedly wrote:

>This, it seems, was an unfortunate side effect (as I pointed out earlier)
>of legacy software and legacy config... if I had  to guess.

You guess wrong.  See the above.  And don't pass judgement. (am I 
being cited for lack of clue?  It kind of feels like it)  It wasn't a 
*BAD* thing, it was a *GOOD* thing.  It made things better, not 
worse.  I still may go back and re-implement port 53 blocks in the 
future if I find a good reason to. I know now that it doesn't really 
cause operational problems.  At least not in a smaller ISP 
environment.  Would I want a transit network to block TCP 53?  Of 
course not.  But my end customers request those types of services 
regularly, so I try to provide what they want.

And don't think I'm coming off as all ticked off and defensive.  I'm 
not ticked off, I'm actually enjoying this.  As for being defensive? 
Maybe.  I'm trying hard not to be though.  I really can't help 
myself... I have this lurking fear that I'm being tossed into 
the "clueless block TCP 53 with an outsourced firewall, and don't 
know what I'm doing beyond that" group that I so despise.  ;-) 
Especially on this list, full of people that I have so much respect 
for.

I knew I was opening myself up a little when I decided to "help out" 
by sharing my worldnic.com experiences, but figured it was for the 
good of the group, and therefore, worth it.  And I still think that.

-Jerry
