DNS deluge for x.p.ctrc.cc

Paul Vixie vixie at vix.com
Sun Feb 26 21:33:16 UTC 2006


christopher.morrow at verizonbusiness.com ("Christopher L. Morrow") writes:

> seems like global tcp/139|tcp/445 filters, or bogon filters... bits put
> into configs 'now' and completely forgotten about 'tomorrow' :(

speaking of which, f-root has about 35 nodes worldwide, and about a third
to a half of them aren't reachable by udp/161, and the blockage is not in
our immediate neighbors but rather on transit paths.  this is due to the
cisco snmp vulnerability five years or so ago.  filtering in the core to
protect vulnerable edges has to be done a LOT more carefully than that.
(BCP38 is an example of how to do it well, but apparently impractically?)

i'm not following up on the dns related parts of this, since dns-operations@
seems to be pulling some of the dns related load today and i don't want to
say the same thing in both places.  see this URL for details:

http://lists.oarci.net/pipermail/dns-operations/2006-February/author.html
-- 
Paul Vixie


