resnets and naming (was: Re: botnets: web servers, end-systems and Vint Cerf)

Steven Champeon schampeo at hesketh.com
Fri Feb 16 13:30:10 UTC 2007


on Fri, Feb 16, 2007 at 07:43:38AM -0500, Eric Gauthier wrote:
> > Dorms are basically large honey nets. :)
> 
> I run the network for a University with about 12,000 students and
> 12,000 computers in our dormitories. We, like many other Universities,
> have spent the last five or six years putting systems in place that
> are both reactive and preventative. From my perspective, the issues
> are still there but I'm not sure that I agree with your implications.
> 
> Do we still have "compromised" systems?  Yes.
> Is the number of "compromised" systems at any time large?  No.
> Is the situation out of control?  No.
> 
> Email me off-list if you want more details.  IMHO, it's too bad broadband
> providers have not yet picked up on what the Universities have done.

Hear, hear. It's also too bad that there are still so many .edus without
rDNS that identifies their resnets and dynamic/anonymous space easily,
though the situation seems to be improving. Not knowing which .edu is
yours, I'll refrain from further comment, but I will give some examples
from some that I know about:

Good examples:
[0-9a-z\-]+\.[0-9a-z\-]+\.resnet\.ubc\.ca
[0-9a-z\-]+\.[0-9a-z]+\.resnet\.yorku\.ca
ip\-[0-9]+\.student\.appstate\.edu
r[0-9]+\.resnet\.cornell\.edu
ip\-[0-9]+\-[0-9]+\.resnet\.emich\.edu
[0-9a-z\-]+\.resnet\.emory\.edu
dynamic\-[0-9]+\-[0-9]+\.dorm\.natpool\.uc\.edu

Bad examples:
resnet\-[0-9]+\.saultc\.on\.ca
[0-9a-z\-]+\.(brooks|camp|congdon|cubley|graham|hamlin|moore|powers|price|townhouse|woodstock)\.clarkson\.edu
[a-z]+\.(andr|carm|ford|laws|stev|thom|ucrt)[0-9]+\.eiu\.edu
(linden|parkave|ruthdorm|ucrt|village)[0-9a-z]+\-[0-9a-z]+\.fdu\.edu
resnet[0-9]+\.saintmarys\.edu
[0-9a-z\-]+(aolcom|uncgedu)\.uncg\.edu **
(l[0-9]+stf|bl)[0-9]+\.bluford\.ncat\.edu

The general idea is, as has been mentioned before, to use a naming
convention that can easily be blocked in sendmail and other MTAs by the
simple addition of a domain tail or substring to an ACL, such as
'resnet.miskatonic.edu' or 'dyn.miskatonic.edu'. As interesting as it can
be to explore the campus map trying to figure out whether a given DNS
token represents a lab, the administration building, the faculty lounge,
or a dorm, over and over again, there's gotta be some activity that is
more rewarding in the long run, such as skeet shooting or helping people
disinfect their computers (or, joy of joys - both simultaneously!)
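To make the difference between the two naming styles concrete, here is a small classifier written as an added example for this thread; it is not code from the post, from any of the universities named, or from any MTA. It assumes the "domain tail" semantics the post describes (an entry like 'resnet.miskatonic.edu' matches that name and everything under it) and models the "bad" style with hand-maintained label patterns. All hostnames and building lists below are constructed from the patterns quoted in the post, not real hosts.

```python
"""Classify the reverse-DNS name of a connecting client as dynamic/resnet
space using the two kinds of ACL entry discussed in the thread."""
import re

# "Good" style: the site put its residential/dynamic space under a
# dedicated subdomain, so one tail entry covers every host in it,
# however the site numbers those hosts. Constructed from the post's
# good examples plus its hypothetical 'resnet.miskatonic.edu'.
TAIL_RULES = (
    "resnet.cornell.edu",
    "resnet.emich.edu",
    "student.appstate.edu",
    "dorm.natpool.uc.edu",
    "resnet.miskatonic.edu",
)

# "Bad" style: the dorm name or a 'resnet' prefix lives in the leftmost
# label of an otherwise flat namespace, so the ACL has to enumerate
# each building name and be edited whenever a building is added.
# Constructed to mirror the shape of the post's bad examples.
LABEL_RULES = (
    re.compile(r"^resnet-[0-9]+\.saultc\.on\.ca$"),
    re.compile(r"^[0-9a-z-]+\.(brooks|camp|congdon|cubley)\.clarkson\.edu$"),
)


def normalise(host: str) -> str:
    """Lower-case and drop the trailing dot a PTR lookup may carry."""
    return host.strip().lower().rstrip(".")


def match_tail(host: str):
    """Return the tail entry that covers host, or None."""
    h = normalise(host)
    for tail in TAIL_RULES:
        if h == tail or h.endswith("." + tail):
            return tail
    return None


def match_label(host: str):
    """Return the pattern string of the first label rule that matches, or None."""
    h = normalise(host)
    for pat in LABEL_RULES:
        if pat.match(h):
            return pat.pattern
    return None


def classify(host: str):
    """Return ('tail', entry), ('label', pattern) or ('none', None).

    A 'tail' hit needed no per-building knowledge; a 'label' hit only
    works as long as someone keeps the building list current.
    """
    tail = match_tail(host)
    if tail is not None:
        return ("tail", tail)
    label = match_label(host)
    if label is not None:
        return ("label", label)
    return ("none", None)


def summarise(hosts):
    """Count how many constructed sample names each rule kind catches."""
    counts = {"tail": 0, "label": 0, "none": 0}
    for h in hosts:
        counts[classify(h)[0]] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample PTR names; the last clarkson entry uses a building
    # that was never added to LABEL_RULES and therefore slips through.
    samples = [
        "r1234.resnet.cornell.edu",
        "ip-10-20.resnet.emich.edu",
        "dynamic-10-20.dorm.natpool.uc.edu",
        "resnet-12.saultc.on.ca",
        "abc-12.brooks.clarkson.edu",
        "abc-12.hamlin.clarkson.edu",
        "mail.cornell.edu",
    ]
    for h in samples:
        print(f"{h:40} -> {classify(h)}")
    print(summarise(samples))
```

The point the summary makes is the one the post argues: the tail rules keep working when a site renumbers or adds a dorm, while the label rules silently stop matching the moment a building name such as 'hamlin' is left out of the list.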

** I'd like to single out uncg.edu for special ridicule here - I hope
they're still not doing this, but at one point over the last three years
at least, their DHCP addresses were comprised of the end user's email
address, sans '.' and '@', AS THE HOSTNAME in an otherwise non-subdomained
whole:

e.g., 'britney1986 at aol.com' got the hostname 'britney1986aolcom.uncg.edu',
'billg at uncg.edu' got 'billguncgedu.uncg.edu', etc.

I'm sure the spammers who plague uncg.edu today didn't get their entire
computer-literate student body's addresses through an rDNS scan. After
all, not /all/ of the addresses were in uncg.edu. The rest were in AOLland
or at hotmail or a few other obvious freemail providers.

-- 
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2553 w: http://hesketh.com/
antispam news, solutions for sendmail, exim, postfix: http://enemieslist.com/
rambling, amusements, edifications and suchlike: http://interrupt-driven.com/