Newbie Questions: How-to monitor/control unauthorized uses of our IPs and DNS zones?

Karl Auer kauer at
Mon Aug 23 09:19:58 UTC 2021

On Mon, 2021-08-23 at 09:32 +0100, tim at wrote:
> That's my reading of it - the web admin team are not trusted, and
> Pirawat / the network team are being asked to police them and make
> sure they're not running some kind of side business off the company
> equipment.
> Which is going to need some kind of WAF, reverse proxy, load-
> balancer, or similar in front of the web stuff, operated by the
> network team.  Tech fix for an org problem.

Maybe I missed something (the subject line makes me suspect I did) but
I shall press on regardless, in the best traditions of the Internet :-)

There is no technical difference between a web server being misused as
described and a web server being used correctly.

WAF, reverse proxies, load balancers and so on are really for
protecting a web server against clients, not for preventing a web
server from serving whatever content it has. Trying to use the tools
mentioned to control outbound content would be a very frustrating game
of whack-a-mole.

You could block inappropriate inbound requests, but not knowing what is
on the web servers makes that an infinite set of possibilities. So you
would really have to permit only appropriate inbound requests. On
anything but a trivial server the set of appropriate inbound requests
could be very, very large. Not to mention that rewrite rules and
suchlike could be blurring the difference between appropriate and
inappropriate on a web server where the configuration is possibly in
the hands of the bad guys.

If the web admin team is not trusted to properly control what content
is *on the web servers*, then no amount of tech can help you. You need
a trusted team inserted between them and the web servers, and that team
needs to inspect the content, curate it, and vet anything new. That
team will VERY quickly detect malfeasance.

Bear in mind also that there are quite a few attacks that end up
leaving cuckoos in the nest; warez or worse being quietly served up
alongside legitimate info. What I'm saying is that misuse as described
can sometimes be more about incompetence and underfunding than about

Hope I didn't completely miss the point :-)

Regards, K.

Karl Auer (kauer at

GPG fingerprint: 61A0 99A9 8823 3A75 871E 5D90 BADB B237 260C 9C58
Old fingerprint: 2561 E9EC D868 E73C 8AF1 49CF EE50 4B1D CCA1 5170
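
The vetting step described in the message above (a trusted team that curates content and notices anything new) can be sketched as a manifest check. This is an added example, not part of the original post; the function names, the manifest layout and the sample docroot are all assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(docroot):
    """Map each file path (relative to docroot) to its SHA-256 digest."""
    result = {}
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, docroot).replace(os.sep, "/")
            result[rel] = sha256_file(full)
    return result

def audit(docroot, approved):
    """Compare what is on disk now with the manifest recorded at vetting time."""
    current = snapshot(docroot)
    return {
        "unvetted": sorted(set(current) - set(approved)),
        "modified": sorted(p for p in current
                           if p in approved and current[p] != approved[p]),
        "missing": sorted(set(approved) - set(current)),
    }

def demo():
    """Constructed sample: vet a small docroot, then change it without vetting."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "img"))
        for rel, body in {"index.html": b"<h1>Welcome</h1>",
                          "img/logo.svg": b"<svg/>"}.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(body)
        approved = snapshot(root)  # manifest held by the trusted team
        # Changes that bypass vetting (constructed for the example):
        os.makedirs(os.path.join(root, "img", ".cache"))
        with open(os.path.join(root, "img", ".cache", "shop.html"), "wb") as f:
            f.write(b"unvetted page")
        with open(os.path.join(root, "index.html"), "ab") as f:
            f.write(b"<a href='/img/.cache/shop.html'></a>")
        return audit(root, approved)

if __name__ == "__main__":
    print(demo())
```

The manifest and the audit only mean something when they are kept and run from an account the web admin team cannot alter. Content produced at request time and rewrite rules in the server configuration fall outside a file-level check like this one.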

More information about the NANOG mailing list