resnets and naming

Scott McGrath mcgrath at fas.harvard.edu
Fri Feb 16 14:26:51 UTC 2007


We have similar problems here.

I can talk off-net about the remediation tools and systems we use here, 
many of which are cheap and applicable to a service provider environment, 
as most large .edus are more
comparable to a small-town service provider than to an enterprise network.

We recently upgraded our DHCP/DNS system to the solution from vendor 'C'. 
As part of this, the general user systems were renamed; this of course 
included the resnet systems,

i.e. dhcp-0123456-78-10.[student|client].domain.edu


Steven Champeon wrote:
> on Fri, Feb 16, 2007 at 07:43:38AM -0500, Eric Gauthier wrote:
>   
>>> Dorms are basically large honey nets. :)
>>>       
>> I run the network for a University with about 12,000 students and
>> 12,000 computers in our dormitories. We, like many other Universities,
>> have spent the last five or six years putting systems in place that
>> are both reactive and preventative. From my perspective, the issues
>> are still there but I'm not sure that I agree with your implications.
>>
>> Do we still have "compromised" systems?  Yes.  
>> Is the number of "compromised" systems at any time large?  No.
>> Is the situation out of control?  No.
>>
>> Email me off-list if you want more details.  IMHO, it's too bad broadband 
>> providers have not yet picked up on what the Universities have done.
>>     
>
> Hear, hear. It's also too bad that there are still so many .edus without
> rDNS that identifies their resnets and dynamic/anonymous space easily,
> though the situation seems to be improving. Not knowing which .edu is
> yours, I'll refrain from further comment, but I will give some examples
> from some that I know about:
>
> Good examples:
> [0-9a-z\-]+\.[0-9a-z\-]+\.resnet\.ubc\.ca
> [0-9a-z\-]+\.[0-9a-z]+\.resnet\.yorku\.ca
> ip\-[0-9]+\.student\.appstate\.edu
> r[0-9]+\.resnet\.cornell\.edu
> ip\-[0-9]+\-[0-9]+\.resnet\.emich\.edu
> [0-9a-z\-]+\.resnet\.emory\.edu
> dynamic\-[0-9]+\-[0-9]+\.dorm\.natpool\.uc\.edu
>
> Bad examples:
> resnet\-[0-9]+\.saultc\.on\.ca
> [0-9a-z\-]+\.(brooks|camp|congdon|cubley|graham|hamlin|moore|powers|price|townhouse|woodstock)\.clarkson\.edu
> [a-z]+\.(andr|carm|ford|laws|stev|thom|ucrt)[0-9]+\.eiu\.edu
> (linden|parkave|ruthdorm|ucrt|village)[0-9a-z]+\-[0-9a-z]+\.fdu\.edu
> resnet[0-9]+\.saintmarys\.edu
> [0-9a-z\-]+(aolcom|uncgedu)\.uncg\.edu **
> (l[0-9]+stf|bl)[0-9]+\.bluford\.ncat\.edu
>
> The general idea is, as has been mentioned before, to use a naming
> convention that can easily be blocked in sendmail and other MTAs by the
> simple addition of a domain tail or substring to an ACL, such as
> 'resnet.miskatonic.edu' or 'dyn.miskatonic.edu'. As interesting it can
> be to explore the campus map trying to figure out whether a given DNS
> token represents a lab, the administration building, the faculty lounge,
> or a dorm, over and over again, there's gotta be some activity that is
> more rewarding in the long run, such as skeet shooting or helping people
> disinfect their computers (or, joy of joys - both simultaneously!)
>
> ** I'd like to single out uncg.edu for special ridicule here - I hope
> they're still not doing this, but at one point over the last three years
> at least, their DHCP addresses were comprised of the end user's email
> address, sans '.' and '@', AS THE HOSTNAME in an otherwise non-subdomained
> whole:
>
> e.g., 'britney1986 at aol.com' got the hostname 'britney1986aolcom.uncg.edu',
> 'billg at uncg.edu' got 'billguncgedu.uncg.edu', etc.
>
> I'm sure the spammers who plague uncg.edu today didn't get their entire
> computer-literate student body's addresses through an rDNS scan. After
> all, not /all/ of the addresses were in uncg.edu. The rest were in AOLland
> or at hotmail or a few other obvious freemail providers.
>
>   
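The point of the quoted "good" versus "bad" rDNS examples is that a consistent token such as `resnet.` or `dyn.` lets an MTA or log-triage tool recognise residential/dynamic space with one suffix entry, while building-named schemes force you to maintain a per-campus regex list. The following Python is an added illustration of that difference, not code from the thread or from any university; the suffix list and sample hostnames are constructed, and the regexes reused from the quoted examples are only there to show the maintenance cost.

```python
"""Tag reverse-DNS hostnames as resnet/dynamic space.

Added example: a suffix-style ACL (cheap, one entry per campus) beside
a pattern-style list (needed for campuses without a naming token).
"""
import re

# Suffix ACL, one token per campus, in the style recommended in the thread
# ('resnet.miskatonic.edu', 'dyn.miskatonic.edu').  Constructed list.
DYNAMIC_SUFFIXES = (
    ".resnet.ubc.ca",
    ".resnet.cornell.edu",
    ".resnet.emich.edu",
    ".student.appstate.edu",
    ".dorm.natpool.uc.edu",
    ".student.domain.edu",   # hypothetical campus from the reply above
)

# Pattern list for campuses whose names carry no such token.  These are
# the quoted 'bad examples'; note that each one has to be written and
# maintained by hand, and the building-name style can match non-resnet
# hosts in the same building.
DYNAMIC_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"resnet\-[0-9]+\.saultc\.on\.ca",
    r"[0-9a-z\-]+\.(brooks|camp|congdon|cubley|graham|hamlin|moore|powers"
    r"|price|townhouse|woodstock)\.clarkson\.edu",
    r"resnet[0-9]+\.saintmarys\.edu",
)]


def classify(hostname):
    """Return ('dynamic', rule) when hostname is in resnet/dynamic space,
    otherwise ('unknown', None).  The rule is the suffix or pattern hit,
    so a log line can record *why* a host was tagged."""
    name = hostname.rstrip(".").lower()
    for suffix in DYNAMIC_SUFFIXES:
        if name.endswith(suffix):
            return "dynamic", suffix
    for pat in DYNAMIC_PATTERNS:
        if pat.fullmatch(name):
            return "dynamic", pat.pattern
    return "unknown", None


def triage(hostnames):
    """Split a batch of connecting hostnames into (dynamic, other) lists,
    the way an MTA access map or a SOC enrichment step would."""
    dynamic, other = [], []
    for host in hostnames:
        (dynamic if classify(host)[0] == "dynamic" else other).append(host)
    return dynamic, other


# Constructed sample of connecting hosts (not real observations).
SAMPLE_HOSTS = [
    "r1234.resnet.cornell.edu",
    "ip-12-34.resnet.emich.edu",
    "DHCP-0123456-78-10.student.domain.edu",
    "resnet-17.saultc.on.ca",
    "a1-b2.hamlin.clarkson.edu",
    "www.cornell.edu",
    "smtp.saultc.on.ca",
]

if __name__ == "__main__":
    dyn, rest = triage(SAMPLE_HOSTS)
    for host in dyn:
        print("dynamic ", host, "via", classify(host)[1])
    for host in rest:
        print("unknown ", host)
```

With the suffix ACL, adding a campus that uses a `resnet.`-style token is a one-line change; for the pattern list you must read the campus map, write the regex, and revisit it whenever a dorm is renamed, which is exactly the repeated effort the reply complains about.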


