DNS deluge for x.p.ctrc.cc

Paul Vixie vixie at vix.com
Sun Feb 26 21:33:16 UTC 2006

christopher.morrow at verizonbusiness.com ("Christopher L. Morrow") writes:

> seems like global tcp/139|tcp/445 filters, or bogon filters... bits put
> into configs 'now' and completely forgotten about 'tomorrow' :(

speaking of which, f-root has about 35 nodes world wide, and about a third
to a half of them aren't reachable by udp/161, and the blockage is not in
our immediate neighbors but rather on transit paths.  this is due to the
cisco snmp vulnerability five years or so ago.  filtering in the core to
protect vulnerable edges has to be done a LOT more carefully than that.
(BCP38 is an example of how to do it well, but apparently impractically?)

i'm not following up on the dns related parts of this, since [email protected]
seems to be pulling some of the dns related load today and i don't want to
say the same thing in both places.  see this URL for details:

Paul Vixie

More information about the NANOG mailing list