From maddaemon at gmail.com Fri Jan 2 16:10:18 2009 From: maddaemon at gmail.com (maddaemon at gmail.com) Date: Fri, 2 Jan 2009 16:10:18 -0500 Subject: [nycbug-talk] Text parsing question [SOLVED] Message-ID: <6c1774c50901021310o26100033j678b13c754b511d2@mail.gmail.com> On Wed, Dec 17, 2008 at 10:16 PM, James E Keenan wrote: >> >> >> For example, here are 2 lines: >> >> Dec 15 05:15:56 - abc1234 tried logging in from 192.168.8.17 >> Dec 15 05:15:56 - abc1234 tried logging in from 192.168.18.13 >> >> where 192.168.8.17 is the Windows DC, and the other is the IIP of the >> webmail server. >> >> I need to remove the line that contains the DC _ONLY_WHEN_ there is a >> duplicate entry (same timestamp) with another IP. The text file >> contains hundreds of other entries, and there are single entries where >> the DC IP is the only entry. Using the above examples, I need to >> remove the first line and only retrieve the second line: >> >> Dec 15 05:15:56 - abc1234 tried logging in from 192.168.18.13 >> >> > > Perhaps this: > > #!/usr/bin/perl > use strict; > use warnings; > > my @last = ( '', '', '' ); > my @this; > my $pattern = qr/^ > ([a-zA-Z]{3}\s\d{2}\s\d{2}:\d{2}:\d{2}) # date string > \s-\s > (\w+) # username > .*? > (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) # IP address > $/x; > > while (my $firstline = ) { > if ($firstline =~ /$pattern/) { > @last = ( $1, $2, $3 ); > last; > } > } > > while (my $l = ) { > if ($l =~ /$pattern/) { > @this = ( $1, $2, $3 ); > if ( $this[0] eq $last[0] and $this[1] eq $last[1] ) { > $last[2] = $this[2]; > } else { > print ( ( join '|' => @last ), "\n" ); > @last = @this; > } > } > } > print ( ( join '|' => @last ), "\n" ); > > __DATA__ > Dec 15 05:15:33 - abc1234 tried logging in from 192.168.8.17 > Dec 15 05:15:56 - abc1234 tried logging in from 192.168.8.17 > Dec 15 05:15:56 - abc1234 tried logging in from 192.168.18.13 > Dec 15 05:16:03 - xyz1ahj tried logging in from 192.168.18.43 > Dec 15 05:16:03 - xyz1ahj tried logging in from 192.168.15.220 > Dec 15 05:16:05 - xyz1ahj tried logging in from 192.168.15.220 > Dec 15 05:16:05 - xyz1ahj tried logging in from 192.168.15.221 > Dec 15 05:16:05 - xyz1ahj tried logging in from 192.168.15.79 > Dec 15 05:16:07 - vig1234 tried logging in from 192.168.15.79 My boss finally got around to mucking around with it. Here it is: #!/usr/bin/perl use strict; use warnings; my @last = ( '', '', '' ); my @this; my @addys; my $line; # any ip address in the @dcs array will be suppressed if there are duplicates. my @dcs = ('192.168.8.3', '192.168.8.17'); my $pattern = qr/^ ([a-zA-Z]{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}) # date string \s-\s (\w+) # username .*? (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) # IP address $/x; while ($line = <>) { if ($line =~ /$pattern/) { @last = ( $1, $2); push @addys, $3; last; } } while ($line = <>) { if ($line =~ /$pattern/) { @this = ( $1, $2); if ( $this[0] eq $last[0] and $this[1] eq $last[1] ) { push @addys, $3; } else { if ($#addys == 0) { print "$last[0] - $last[1] tried logging in from $addys[0]\n"; } else { my $flag; for my $addy (@addys) { $flag = 0; for my $dc (@dcs) { if ($addy eq $dc) {$flag = 1;} } if (not $flag) { print "$last[0] - $last[1] tried logging in from $addy\n"; } } } @addys = ($3); } @last=@this; } } for my $addy (@addys) { my $flag = 0; for my $dc (@dcs) { if ($addy eq $dc) {$flag = 1;} } if (!($flag)) { print "$this[0] - $this[1] tried logging in from $addy\n"; } } From maddaemon at gmail.com Sat Jan 3 16:28:49 2009 From: maddaemon at gmail.com (maddaemon at gmail.com) Date: Sat, 3 Jan 2009 16:28:49 -0500 Subject: [nycbug-talk] Text parsing question In-Reply-To: <1E9CAB83-CBE4-4240-885A-7578A89A62A2@verizon.net> References: <48AC10A3-60AA-4184-A6EF-1C38B0551668@verizon.net> <6c1774c50812310910n6db7886bt8e9beb3c9b3921ec@mail.gmail.com> <1E9CAB83-CBE4-4240-885A-7578A89A62A2@verizon.net> Message-ID: <6c1774c50901031328ybf678b4yda58e80c0c5df2ed@mail.gmail.com> On Wed, Dec 31, 2008 at 3:09 PM, James E Keenan wrote: > > On Dec 31, 2008, at 12:10 PM, maddaemon at gmail.com wrote: > >> >> Since I don't know Perl (yet), I showed that to my boss, who then >> modified it, > > Why? In what way did it not solve your problem? It resulted in only returning a single line. > I ask this not out of wounded vanity, but because further diagnosis is > difficult without knowing in what way my suggestion was inadequate. > > Note: Your original post presented very little data, so I had to make up > sample data in order to illustrate an approach toward a solution. My boss also rewrote some of my code, and he added the parens. >> but his Perl has some rust on it, and it winds up puking >> a lot. Can anyone show me what should be fixed so I can get this >> working and off my plate? > > As you note farther on, you are probably better off taking this question to > a Perl list. I would suggest perlmonks.org. But whatever list you go to, > the first feedback you get will be something like this: > > "You are using 'use strict;' and 'use warnings;' at the top of your program. > That's good, because they show you where your code is either suboptimal or > simply wrong. (perl -c yourscript) But once those statements show you your > errors, it's up to you to correct them. Start with the first error reported > and proceed from there." > > >> Much thanks.. >> >> Oh, and what would need to change so I could pull the data from a file >> rather than appending the data to the bottom of the script? > > perldoc -f open > >> I realize >> that this isn't the proper forum for this question > > See above. > >> >> __DATA__ >> Dec 30 09:34:53 user1234 (tried logging in from 192.168.32.100) >> Dec 30 09:34:53 user1234 (tried logging in from 192.168.32.7) >> Dec 30 14:38:37 user5678 (tried logging in from 192.168.32.100) >> Dec 30 14:38:37 user5678 (tried logging in from 192.168.32.8) >> Dec 30 14:38:44 user5678 (tried logging in from 192.168.32.100) >> Dec 30 14:38:44 user5678 (tried logging in from 192.168.32.8) > > The data you present here differs from what you originally presented and > from the dummy data I made up in that there is no > 'wordspace-hyphen-wordspace' between the datestamp and the username. So you > would have to modify the regular expression I wrote to reflect this > difference. > > Jim Keenan > Understood. Guess it's time I learned Perl anyway.. Thanks again for the input. From ike at lesmuug.org Mon Jan 5 07:44:11 2009 From: ike at lesmuug.org (Isaac Levy) Date: Mon, 5 Jan 2009 07:44:11 -0500 Subject: [nycbug-talk] PCC, public call for testing! Message-ID: <5E1045CC-064C-4956-989B-8E409014F6A8@lesmuug.org> Hi All, I know many of us read undeadly, and I'm sure the OpenBSD folks here are even more aware, but I thought it was relevant to shout out: Ragge put out a fresh public call for PCC testing- Go Mickey and Ragge!!! -- I know I'll try making some big messes as I test on several other platforms this week... Compiling pcc itself now in a FreeBSD jail, also will try compiling stuff on OSX and OpenSolaris to see what (if anything) happens... Horay for making binary messes, let's all dump some cores!!! Rocket- .ike From ike at lesmuug.org Mon Jan 5 08:13:32 2009 From: ike at lesmuug.org (Isaac Levy) Date: Mon, 5 Jan 2009 08:13:32 -0500 Subject: [nycbug-talk] PCC, public call for testing! In-Reply-To: <5E1045CC-064C-4956-989B-8E409014F6A8@lesmuug.org> References: <5E1045CC-064C-4956-989B-8E409014F6A8@lesmuug.org> Message-ID: <252EB89E-787E-40FB-A7CA-0521ED2A19CE@lesmuug.org> On Jan 5, 2009, at 7:44 AM, Isaac Levy wrote: > Hi All, > > I know many of us read undeadly, and I'm sure the OpenBSD folks here > are even more aware, but I thought it was relevant to shout out: > > Ragge put out a fresh public call for PCC testing- Go Mickey and > Ragge!!! Yikes I forgot, here's the url for the announcement!: http://undeadly.org/cgi?action=article&sid=20090104030528 Rocket- .ike From carton at Ivy.NET Tue Jan 6 07:19:44 2009 From: carton at Ivy.NET (Miles Nordin) Date: Tue, 06 Jan 2009 07:19:44 -0500 Subject: [nycbug-talk] [ccc related] MD5 considered harmful today In-Reply-To: <3BFFB014-A7E7-41D0-A2C2-6E578C69C3B7@lesmuug.org> (Isaac Levy's message of "Wed, 31 Dec 2008 18:44:01 -0500") References: <3BFFB014-A7E7-41D0-A2C2-6E578C69C3B7@lesmuug.org> Message-ID: >>>>> "il" == Isaac Levy writes: il> everyone here who's dismissed OpenVPN, it almost goes without il> saying that this is yet another rock in that bucket... what? I've never used openvpn, but does it even use the signatures at all, or do you point to the whole key? Even if it uses signatures, the attack depends on getting a specially-crafted RSA key with collision blocks in it signed by the CA. VPN setups generally do not use public CA's nor auto-signing CA's so this particular practical attack isn't relevant. though the advice use SHA-1 or SHA-2 instead still applies, that's not a rock because I'm sure you can follo wthat advice with openvpn if you want to. I'm not an openvpn fan, nor an x.509/asn/taxonomy-of-everything fan, but it's worth undrestanding the attack better than ``anything containing x.509 is no longer trustworthy!'' -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 304 bytes Desc: not available URL: From chsnyder at gmail.com Tue Jan 6 09:55:44 2009 From: chsnyder at gmail.com (csnyder) Date: Tue, 6 Jan 2009 09:55:44 -0500 Subject: [nycbug-talk] [ccc related] MD5 considered harmful today In-Reply-To: <7c21e7d30812310640y76a14e1ahb0dec363efb8f70b@mail.gmail.com> References: <7c21e7d30812310640y76a14e1ahb0dec363efb8f70b@mail.gmail.com> Message-ID: On Wed, Dec 31, 2008 at 9:40 AM, Dan Colish wrote: > This whole issue made me curious about what root CA's I had in Firefox, > remember these are hard coded in. Well it turns out that you absolutely > cannot remove them from your system. Also, as it has been pointed out, a CRL > for a CA that is cracked would be pointless. The only approach I see is to > modify the trust given to the CA's that are know to be broken. If you check, > you'll see the Firefox has not accepted certs signed by a number of MD5 CAs. > So I'm not sure this is really an issue if you are careful about CA > management. Also, if you read the paper, actually creating the fake Root CA > can take months due to timing issues and a fairly decent computing cluster > (200 ps3's). This is hardly the same level of oops as the Kandinsky DNS bug. It's amazing just how helpless we are against the dumbing-down of TLS by browser vendors. - There is no known_hosts store - it's difficult to get at the fingerprint value of a new certificate. (4 clicks in FF, when it could be displayed up front, the bastards) - You have to opt-out of lazy CAs rather than opting-in to trusted ones. - No description of CAs or published rationale for inclusion, link to audit or certification, etc. I suppose that if someone is going to take the time to find a hash collision for a CA signature and hijack DNS, they would also take the time to find a fingerprint collision for the certificate... but at least it's another layer. Could we just start the internet over, but not tell Verisign this time? From badiane_ka at yahoo.com Tue Jan 6 19:50:12 2009 From: badiane_ka at yahoo.com (Badiane Ka) Date: Tue, 6 Jan 2009 16:50:12 -0800 (PST) Subject: [nycbug-talk] I'm new here - Anyone with netbsd on powerbook G3 experience? Message-ID: <547928.2296.qm@web52710.mail.re2.yahoo.com> I have the tftp server setup and functioning. The machine receives DHCP information and gets the kernel and boots to the install. Now this is the part where I've hit a wall. I can not go beyond the partitioning. I don't know where I'm messing up but that's were I stop every time. Is there someone who would like to help me with this? I don't want this laptop to go to the garbage dump or lead and unproductive life. I would appreciate any possible help. I can meet with anyone in Manhattan and certain parts of Brooklyn and Queens. Badiane +++ "We are oft to blame in this. 'Tis too much proved that with devotion's visage and pious action we do sugar o'er the devil himself." Travel is fatal to prejudice, bigotry, and narrow-mindedness.? --Mark Twain ++++++++++++++++++++++++++++++++++++++++++ Avoid idolatry and adulation, be it of people or ideas. ++++++++++++++++++++++++++++++++++++++++++ +++ From badiane_ka at yahoo.com Tue Jan 6 20:33:59 2009 From: badiane_ka at yahoo.com (Badiane Ka) Date: Tue, 6 Jan 2009 17:33:59 -0800 (PST) Subject: [nycbug-talk] I'm new here - Anyone with netbsd on powerbook G3 experience? In-Reply-To: <5458db3c0901061711r1a243659ta08d77d57e89ae08@mail.gmail.com> Message-ID: <292208.35313.qm@web52705.mail.re2.yahoo.com> I had debian installed. I didn't like having to boot first using OS9 and then bootx into linux. I also didn't have a OS9 disc to reinstall only a minimal partition; so I was loosing the disc space that the original install was using. I have looked at the other BSD's and find Net the more interesting. Simple bias. I have it running on a P100 with 72MB and wanted use it on that machine. I like its speed on "underpowered" hardware. If I can't have NetBSD, maybe I'll try on of the others. Have you had experience installing BSD's on powerbook G3's? Badiane +++ "We are oft to blame in this. 'Tis too much proved that with devotion's visage and pious action we do sugar o'er the devil himself." Travel is fatal to prejudice, bigotry, and narrow-mindedness.? --Mark Twain ++++++++++++++++++++++++++++++++++++++++++ Avoid idolatry and adulation, be it of people or ideas. ++++++++++++++++++++++++++++++++++++++++++ +++ --- On Tue, 1/6/09, Justin Dearing wrote: > From: Justin Dearing > Subject: Re: [nycbug-talk] I'm new here - Anyone with netbsd on powerbook G3 experience? > To: badiane_ka at yahoo.com > Date: Tuesday, January 6, 2009, 8:11 PM > Have you tried other BSDs or maybe linux? > My bsd experience is strictly Open and Free on i386 so > I'd probably not be > able to help. However, when I have trouble getting one open > source OS on a > given machine, I usually try another. > > On Tue, Jan 6, 2009 at 7:50 PM, Badiane Ka > wrote: > > > I have the tftp server setup and functioning. The > machine receives DHCP > > information and gets the kernel and boots to the > install. > > > > Now this is the part where I've hit a wall. I can > not go beyond the > > partitioning. I don't know where I'm messing > up but that's were I stop > > every time. > > > > Is there someone who would like to help me with this? > I don't want this > > laptop to go to the garbage dump or lead and > unproductive life. > > > > I would appreciate any possible help. I can meet with > anyone in Manhattan > > and certain parts of Brooklyn and Queens. > > > > Badiane > > > > +++ > > > > "We are oft to blame in this. 'Tis too much > proved that with devotion's > > visage and pious action we do sugar o'er the devil > himself." > > > > Travel is fatal to prejudice, bigotry, and > narrow-mindedness.? > > --Mark Twain > > > > ++++++++++++++++++++++++++++++++++++++++++ > > Avoid idolatry and adulation, be it of people or > ideas. > > ++++++++++++++++++++++++++++++++++++++++++ > > > > +++ > > > > > > > > _______________________________________________ > > talk mailing list > > talk at lists.nycbug.org > > http://lists.nycbug.org/mailman/listinfo/talk > > From dingo at 1984.ws Wed Jan 7 09:29:41 2009 From: dingo at 1984.ws (dingo) Date: Wed, 07 Jan 2009 09:29:41 -0500 Subject: [nycbug-talk] =?utf-8?q?I=27m_new_here_-_Anyone_with_netbsd_on_po?= =?utf-8?q?werbook_G3_experience=3F?= In-Reply-To: <292208.35313.qm@web52705.mail.re2.yahoo.com> References: <292208.35313.qm@web52705.mail.re2.yahoo.com> Message-ID: <829de56c99bb1cbc711576bd35866586@1984.ws> >> > Now this is the part where I've hit a wall. I can >> not go beyond the >> > partitioning. I don't know where I'm messing >> up but that's were I stop >> > every time. >> > >> > Is there someone who would like to help me with this? >> I don't want this >> > laptop to go to the garbage dump or lead and >> unproductive life. >> > >> > I would appreciate any possible help. I can meet with >> anyone in Manhattan >> > and certain parts of Brooklyn and Queens. Unfortunately for you, I'm Detroit, MI area. just a side node, as for netbooting, I find tcpdump to do everything for me -- I can't recall the difference between netbooting sparc, sparc64, hppa, i386, ppc, and so on -- so I just tcpdump, and fulfill whatever it is they are looking for. Looks like you got past that, though. I'm not fully understanding your problem with partitioning on ppc -- Are you unable to use pdisk? pdisk does have its quirks... http://www.netbsd.org/ports/macppc/partitioning.html could this help? If you've really hosed your disk... Commands are: C (create with type also specified) c create new partition (standard unix root) d delete a partition h help i initialize partition map n (re)name a partition P (print ordered by base address) p print the partition table q quit editing r reorder partition entry in map s change size of partition map t change a partition's type w write the partition table start out with an 'i'nitialize. Then go on to 'C'reate new w/type specified. I always calculated the block.. looks like you can use a 'p' to specify "at partition" for the "First block:" prompt.. wow, thats a lot easier... Command (? for help): C First block: 2p Length in blocks: 800m Name of partition: netbsd Type of partition: Apple_UNIX_SVR2 Available partition slices for Apple_UNIX_SVR2: a root partition b swap partition c do not set any bzb bits g user partition Other lettered values will create user partitions Select a slice for default bzb values: a theres your / Command (? for help): C First block: 4p Length in blocks: 4p Name of partition: swap Type of partition: Apple_UNIX_SVR2 Available partition slices for Apple_UNIX_SVR2: a root partition b swap partition c do not set any bzb bits g user partition Other lettered values will create user partitions Select a slice for default bzb values: b theres your swp like vi, 'w'rite, and 'q'uit then, newfs the suckers and go on with the install. I haven't actually used netbsd on ppc before, but I have little to no problems using openbsd on ppc. I'm doing an openbsd on a g4 ibook pretty soon here. From what I recall, it looks like the pdisk program on openbsd is slightly different. It doesn't work at all on Freebsd/ppc, so don't even think about it!! Installing the boot loader isn't always simple, either. Thats where I usually goof myself. good luck, jeff quast From dan at langille.org Wed Jan 7 13:59:04 2009 From: dan at langille.org (Dan Langille) Date: Wed, 7 Jan 2009 13:59:04 -0500 Subject: [nycbug-talk] OpenVPN (was MD5 stuff) In-Reply-To: <3BFFB014-A7E7-41D0-A2C2-6E578C69C3B7@lesmuug.org> References: <3BFFB014-A7E7-41D0-A2C2-6E578C69C3B7@lesmuug.org> Message-ID: <5108D62D-F429-4DDA-9ADE-0321C8516102@langille.org> On Dec 31, 2008, at 6:44 PM, Isaac Levy wrote: > On Dec 31, 2008, at 2:45 AM, Miles Nordin wrote: > >> I think it would be funny if these guys made a real CA cert with >> their >> exploit and started selling certs signed by their fake key for $2 >> each >> or something. not illegitimate certs, like, email-contact-verified >> certs, the regular legitimate kind, just cheaper. Why not? It's >> probably even legal in some jurisdiction if not in most. and most >> webmasters just want to turn the browser bar green. It works now, so >> for $2 why not? I'd buy one. If it starts turning browser bars red >> some day, buy a more expensive cert _some day_, not now. The whole >> cert thing was such a racket to begin with, i wish they'd start >> selling fake ones. > > Insanely great idea, IMHO- I mean, why not? It's like creating a new > currency (backed by insecurity). > > -- > Sidenote- everyone here who's dismissed OpenVPN, it almost goes > without saying that this is yet another rock in that bucket... That's a nice turn of phrase. Never heard it before. Really? People dismiss OpenVPN? Seems to be an OK solution to me. Mind you, it doesn't matter what you pick, someone will dismiss it. It's been working flawlessly for my needs for the past month or so. -- Dan Langille http://langille.org/ From ike at lesmuug.org Wed Jan 7 14:17:04 2009 From: ike at lesmuug.org (Isaac Levy) Date: Wed, 7 Jan 2009 14:17:04 -0500 Subject: [nycbug-talk] OpenVPN (was MD5 stuff) In-Reply-To: <5108D62D-F429-4DDA-9ADE-0321C8516102@langille.org> References: <3BFFB014-A7E7-41D0-A2C2-6E578C69C3B7@lesmuug.org> <5108D62D-F429-4DDA-9ADE-0321C8516102@langille.org> Message-ID: On Jan 7, 2009, at 1:59 PM, Dan Langille wrote: > On Dec 31, 2008, at 6:44 PM, Isaac Levy wrote: >> On Dec 31, 2008, at 2:45 AM, Miles Nordin wrote: >> >>> I think it would be funny if these guys made a real CA cert with >>> their >>> exploit and started selling certs signed by their fake key for $2 >>> each >>> or something. not illegitimate certs, like, email-contact-verified >>> certs, the regular legitimate kind, just cheaper. Why not? It's >>> probably even legal in some jurisdiction if not in most. and most >>> webmasters just want to turn the browser bar green. It works now, >>> so >>> for $2 why not? I'd buy one. If it starts turning browser bars red >>> some day, buy a more expensive cert _some day_, not now. The whole >>> cert thing was such a racket to begin with, i wish they'd start >>> selling fake ones. >> >> Insanely great idea, IMHO- I mean, why not? It's like creating a new >> currency (backed by insecurity). >> >> -- >> Sidenote- everyone here who's dismissed OpenVPN, it almost goes >> without saying that this is yet another rock in that bucket... > > That's a nice turn of phrase. Never heard it before. > > Really? People dismiss OpenVPN? Seems to be an OK solution to me. > Mind you, it doesn't matter what you pick, someone will dismiss it. > > It's been working flawlessly for my needs for the past month or so. I do not use OpenVPN, (IPSec holds much more interest for me based on it's scope...), and with that, I have only a cursory understanding of it's mechanics. With that, I stand corrected by Miles and csnyeder: On Jan 6, 2009, at 9:55 AM, csnyder wrote: > It's amazing just how helpless we are against the dumbing-down of TLS > by browser vendors. Indeed. It seems, with a closer look, that OpenVPN would only be to the recent md5 based SSL attack if it was configured to use public/ auto-signing CA's. I have no idea how likely this is out in the wild, but... On Jan 6, 2009, at 7:19 AM, Miles Nordin wrote: > I'm not an openvpn fan, nor an x.509/asn/taxonomy-of-everything fan, > but it's worth undrestanding the attack better than ``anything > containing x.509 is no longer trustworthy!'' Indeed. On Jan 6, 2009, at 9:55 AM, csnyder wrote: > Could we just start the internet over, but not tell Verisign this > time? I'm all for it. Heck, there's more than Verisign I'd like to not tell this time... http://www.youtube.com/watch?v=F7z8NRUFyN0 Rocket, .ike From dan at langille.org Wed Jan 7 14:29:11 2009 From: dan at langille.org (Dan Langille) Date: Wed, 7 Jan 2009 14:29:11 -0500 Subject: [nycbug-talk] OpenVPN (was MD5 stuff) In-Reply-To: References: <3BFFB014-A7E7-41D0-A2C2-6E578C69C3B7@lesmuug.org> <5108D62D-F429-4DDA-9ADE-0321C8516102@langille.org> Message-ID: <0E15CDA1-F900-461F-B578-36A553E106CC@langille.org> On Jan 7, 2009, at 2:17 PM, Isaac Levy wrote: > On Jan 7, 2009, at 1:59 PM, Dan Langille wrote: >> On Dec 31, 2008, at 6:44 PM, Isaac Levy wrote: >>> On Dec 31, 2008, at 2:45 AM, Miles Nordin wrote: >>> >>>> I think it would be funny if these guys made a real CA cert with >>>> their >>>> exploit and started selling certs signed by their fake key for $2 >>>> each >>>> or something. not illegitimate certs, like, email-contact-verified >>>> certs, the regular legitimate kind, just cheaper. Why not? It's >>>> probably even legal in some jurisdiction if not in most. and most >>>> webmasters just want to turn the browser bar green. It works now, >>>> so >>>> for $2 why not? I'd buy one. If it starts turning browser bars >>>> red >>>> some day, buy a more expensive cert _some day_, not now. The whole >>>> cert thing was such a racket to begin with, i wish they'd start >>>> selling fake ones. >>> >>> Insanely great idea, IMHO- I mean, why not? It's like creating a >>> new >>> currency (backed by insecurity). >>> >>> -- >>> Sidenote- everyone here who's dismissed OpenVPN, it almost goes >>> without saying that this is yet another rock in that bucket... >> >> That's a nice turn of phrase. Never heard it before. >> >> Really? People dismiss OpenVPN? Seems to be an OK solution to me. >> Mind you, it doesn't matter what you pick, someone will dismiss it. >> >> It's been working flawlessly for my needs for the past month or so. > > I do not use OpenVPN, (IPSec holds much more interest for me based on > it's scope...), and with that, I have only a cursory understanding of > it's mechanics. I have used IPsec in the past. It may have been suitable for what I'm doing now, but hadn't considered it. > With that, I stand corrected by Miles and csnyeder: > > On Jan 6, 2009, at 9:55 AM, csnyder wrote: >> It's amazing just how helpless we are against the dumbing-down of TLS >> by browser vendors. > > Indeed. It seems, with a closer look, that OpenVPN would only be to > the recent md5 based SSL attack if it was configured to use public/ > auto-signing CA's. I have no idea how likely this is out in the wild, > but... OpenVPN advises against using public CAs. http://openvpn.net/index.php/documentation/howto.html#pki So FWIW, I am guessing few people are using public CAs with OpenVPN. -- Dan Langille http://langille.org/ From bonsaime at gmail.com Wed Jan 7 15:11:22 2009 From: bonsaime at gmail.com (Jesse Callaway) Date: Wed, 7 Jan 2009 15:11:22 -0500 Subject: [nycbug-talk] I'm new here - Anyone with netbsd on powerbook G3 experience? In-Reply-To: <547928.2296.qm@web52710.mail.re2.yahoo.com> References: <547928.2296.qm@web52710.mail.re2.yahoo.com> Message-ID: On Tue, Jan 6, 2009 at 7:50 PM, Badiane Ka wrote: > I have the tftp server setup and functioning. The machine receives DHCP > information and gets the kernel and boots to the install. > > Now this is the part where I've hit a wall. I can not go beyond the > partitioning. I don't know where I'm messing up but that's were I stop > every time. > > Is there someone who would like to help me with this? I don't want this > laptop to go to the garbage dump or lead and unproductive life. > > I would appreciate any possible help. I can meet with anyone in Manhattan > and certain parts of Brooklyn and Queens. > > Badiane > > +++ > > "We are oft to blame in this. 'Tis too much proved that with devotion's > visage and pious action we do sugar o'er the devil himself." > > Travel is fatal to prejudice, bigotry, and narrow-mindedness.? > --Mark Twain > > ++++++++++++++++++++++++++++++++++++++++++ > Avoid idolatry and adulation, be it of people or ideas. > ++++++++++++++++++++++++++++++++++++++++++ > > +++ > > > > _______________________________________________ > talk mailing list > talk at lists.nycbug.org > http://lists.nycbug.org/mailman/listinfo/talk > I had a bad time partitioning too. I was using a G4. Not sure about pdisk, but bsdlabel and fdisk are not as helpful when on PPC architecture. I don't know if the OSX install disc will load up on a G3 or not. If it does, then you are in luck! Boot up off the CD and use Disk Utility from the top-menu after selecting your install language. Partition as you would, but leave a small HFS partition laying around just in case you get around to making it bootable off the hard disk... that will be the next challenge if you do get the partitioning working for you. -jesse -------------- next part -------------- An HTML attachment was scrubbed... URL: From bonsaime at gmail.com Wed Jan 7 15:19:35 2009 From: bonsaime at gmail.com (Jesse Callaway) Date: Wed, 7 Jan 2009 15:19:35 -0500 Subject: [nycbug-talk] I'm new here - Anyone with netbsd on powerbook G3 experience? In-Reply-To: References: <547928.2296.qm@web52710.mail.re2.yahoo.com> Message-ID: On Wed, Jan 7, 2009 at 3:11 PM, Jesse Callaway wrote: > > > On Tue, Jan 6, 2009 at 7:50 PM, Badiane Ka wrote: > >> I have the tftp server setup and functioning. The machine receives DHCP >> information and gets the kernel and boots to the install. >> >> Now this is the part where I've hit a wall. I can not go beyond the >> partitioning. I don't know where I'm messing up but that's were I stop >> every time. >> >> Is there someone who would like to help me with this? I don't want this >> laptop to go to the garbage dump or lead and unproductive life. >> >> I would appreciate any possible help. I can meet with anyone in Manhattan >> and certain parts of Brooklyn and Queens. >> >> Badiane >> >> +++ >> >> "We are oft to blame in this. 'Tis too much proved that with devotion's >> visage and pious action we do sugar o'er the devil himself." >> >> Travel is fatal to prejudice, bigotry, and narrow-mindedness.? >> --Mark Twain >> >> ++++++++++++++++++++++++++++++++++++++++++ >> Avoid idolatry and adulation, be it of people or ideas. >> ++++++++++++++++++++++++++++++++++++++++++ >> >> +++ >> >> >> >> _______________________________________________ >> talk mailing list >> talk at lists.nycbug.org >> http://lists.nycbug.org/mailman/listinfo/talk >> > > I had a bad time partitioning too. I was using a G4. Not sure about pdisk, > but bsdlabel and fdisk are not as helpful when on PPC architecture. > > I don't know if the OSX install disc will load up on a G3 or not. If it > does, then you are in luck! Boot up off the CD and use Disk Utility from the > top-menu after selecting your install language. > Partition as you would, but leave a small HFS partition laying around just > in case you get around to making it bootable off the hard disk... that will > be the next challenge if you do get the partitioning working for you. > > > -jesse > Sorry, big qualifaction here.. I was using FreeBSD 7.1. -jesse -------------- next part -------------- An HTML attachment was scrubbed... URL: From bonsaime at gmail.com Wed Jan 7 21:49:40 2009 From: bonsaime at gmail.com (Jesse Callaway) Date: Wed, 7 Jan 2009 21:49:40 -0500 Subject: [nycbug-talk] i missed the puppet meeting Message-ID: crap. Anyone care to clue this guy in on the salient points? -jesse -------------- next part -------------- An HTML attachment was scrubbed... URL: From alex at pilosoft.com Wed Jan 7 22:02:29 2009 From: alex at pilosoft.com (Alex Pilosov) Date: Wed, 7 Jan 2009 22:02:29 -0500 (EST) Subject: [nycbug-talk] i missed the puppet meeting In-Reply-To: Message-ID: On Wed, 7 Jan 2009, Jesse Callaway wrote: > crap. > > Anyone care to clue this guy in on the salient points? In soviet russia, puppet configures you. -alex From ike at lesmuug.org Wed Jan 7 23:03:04 2009 From: ike at lesmuug.org (Isaac Levy) Date: Wed, 7 Jan 2009 23:03:04 -0500 Subject: [nycbug-talk] OpenVPN (was MD5 stuff) In-Reply-To: References: <3BFFB014-A7E7-41D0-A2C2-6E578C69C3B7@lesmuug.org> <5108D62D-F429-4DDA-9ADE-0321C8516102@langille.org>

Message-ID: On Jan 7, 2009, at 8:16 PM, Siobhan Lynch wrote: >> >> I'm all for it. Heck, there's more than Verisign I'd like to not >> tell >> this time... >> http://www.youtube.com/watch?v=F7z8NRUFyN0 >> >> Rocket, >> .ike >> > > Ike, > > What does Brian Wilson's "Heroes and Villains" have to do with the > intarweb? > > -Trish Hackers and Verio, etc... Perhaps I should have picked a better version (Brian is pretty darned off in what I posted before...) Better: http://www.youtube.com/watch?v=L284UgTLA3c Rocket- .ike From spork at bway.net Thu Jan 8 01:48:10 2009 From: spork at bway.net (Charles Sprickman) Date: Thu, 8 Jan 2009 01:48:10 -0500 (EST) Subject: [nycbug-talk] OT: Managed Hosting SLA? Message-ID: Hi all, I wonder if anyone here has an SLA from a high-end-ish managed hosting provider that they could share? I've been digging around, and while the $5/month hosters publish stuff it seems like the higher-end guys don't publish this online. I am not picky, I just need something full of lawyery gibberish that I can modify. The customer and I both agree that an SLA is more of a sales tool than anything else, but paperwork is paperwork. Thanks, Charles From carton at Ivy.NET Thu Jan 8 08:25:21 2009 From: carton at Ivy.NET (Miles Nordin) Date: Thu, 08 Jan 2009 08:25:21 -0500 Subject: [nycbug-talk] I'm new here - Anyone with netbsd on powerbook G3 experience? In-Reply-To: <547928.2296.qm@web52710.mail.re2.yahoo.com> (Badiane Ka's message of "Tue, 6 Jan 2009 16:50:12 -0800 (PST)") References: <547928.2296.qm@web52710.mail.re2.yahoo.com> Message-ID: >>>>> "bk" == Badiane Ka writes: bk> I can not go beyond the partitioning. I don't know where I'm bk> messing up but that's were I stop every time. yeah I had trouble getting them to boot off disks too. Depending on your openfirmware version, there are two partition types. The apple partition map, the one Mac OS uses and pdisk edits, is for newer machines, and I think openfirmware will boot ONLY off an HFS partition so you need to make a small HFS partition. i don't know if you just put ofwboot there, or if you put the whole netbsd kernel there, but I know pdisk implies apple partition map implies you MUST have an HFS partition. I think in this case the boot device is that txbi colon slash slash whatever it is. I also think anything OF 3.x or newer is ``new''. Older machines, at least with older NetBSD, used a unix disklabel. I think OF 2.x is ``older'', and I think I used a unix disklabel on my PB2400. I am not sure how this worked: does openfirmware booted off the unpartitioned device, so you put an FFS containing bootblocks in the 'a' slice and put 'a' at offset 0? or if openfirmware understood the partition table? I get confused with macppc vs alpha. With this choice you use disklabel not pdisk, and the tbxi or txbi or whatever it is, is used for Mac OS and not used for NetBSD, and it's impossible to share a disk between NetBSD and Mac OS. This may all be fixed up to be more linux-like and mac-os-like in newer NetBSD on old machines, or it might not. i think I had 1.6 or 2.0 when I was doing it. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 304 bytes Desc: not available URL: From skreuzer at exit2shell.com Thu Jan 8 10:12:49 2009 From: skreuzer at exit2shell.com (Steven Kreuzer) Date: Thu, 8 Jan 2009 10:12:49 -0500 Subject: [nycbug-talk] i missed the puppet meeting In-Reply-To: References: Message-ID: On Jan 7, 2009, at 9:49 PM, Jesse Callaway wrote: > crap. > > Anyone care to clue this guy in on the salient points? My takeaways: * It has a huge CPU and memory footprint * Seems to be pretty unstable * Has scalability Issues -- Steven Kreuzer http://www.exit2shell.com/~skreuzer From nikolai at fetissov.org Thu Jan 8 14:58:48 2009 From: nikolai at fetissov.org (nikolai) Date: Thu, 8 Jan 2009 14:58:48 -0500 (EST) Subject: [nycbug-talk] January 2008 meeting audio Message-ID: <82f6b0ea8f46fc99c846b8075d3c0caa.squirrel@geekisp.com> Folks, Audio of Larry Ludwig's presentation is up at http://www.fetissov.org/public/nycbug/ Cheers, -- Nikolai From nonesuch at bad-apples.org Thu Jan 8 16:12:05 2009 From: nonesuch at bad-apples.org (Mark Saad) Date: Thu, 08 Jan 2009 16:12:05 -0500 Subject: [nycbug-talk] i missed the puppet meeting In-Reply-To: References:

Message-ID: <49666C25.9070507@bad-apples.org> My Points * For the most part its a CFEngine rewrite in Ruby. * Its written in ruby and has "ruby issues" * They use a nice looking Declarative language to "program" your nodes / servers * You can use erb templates to assist you with complex deployments . * There is no built in support for line by line editing of files, Redhat as a proprietary add on to do this on Redhat Only. * They support most UNIX / Linux platforms Its not "Open source for Linux only" * You can't have a hierarchy of Puppet Master servers. * Out of box scalability is limited do to the use of Ruby's Webrick web server * Some scalability can be attained using mongrel and web proxies . It sounds cool but I am not sure why I would want to use it other then to say, I have used it. Steven Kreuzer wrote: > On Jan 7, 2009, at 9:49 PM, Jesse Callaway wrote: > >> crap. >> >> Anyone care to clue this guy in on the salient points? > > My takeaways: > > * It has a huge CPU and memory footprint > * Seems to be pretty unstable > * Has scalability Issues > > -- > Steven Kreuzer > http://www.exit2shell.com/~skreuzer > > _______________________________________________ > talk mailing list > talk at lists.nycbug.org > http://lists.nycbug.org/mailman/listinfo/talk -- ]Mark Saad[ mark at bad-apples.org () ascii ribbon campaign - against html e-mail /\ www.asciiribbon.org - against proprietary attachments From ike at lesmuug.org Thu Jan 8 17:45:54 2009 From: ike at lesmuug.org (Isaac Levy) Date: Thu, 8 Jan 2009 17:45:54 -0500 Subject: [nycbug-talk] January 2008 meeting audio In-Reply-To: <82f6b0ea8f46fc99c846b8075d3c0caa.squirrel@geekisp.com> References: <82f6b0ea8f46fc99c846b8075d3c0caa.squirrel@geekisp.com> Message-ID: <66F2C055-5628-4260-9A00-4DCFC34D9F20@lesmuug.org> On Jan 8, 2009, at 2:58 PM, nikolai wrote: > Folks, > > Audio of Larry Ludwig's presentation is up at > > http://www.fetissov.org/public/nycbug/ > > Cheers, > -- > Nikolai Yay!!! Thanks Nikolai! Best, .ike From bonsaime at gmail.com Thu Jan 8 19:15:58 2009 From: bonsaime at gmail.com (Jesse Callaway) Date: Thu, 8 Jan 2009 19:15:58 -0500 Subject: [nycbug-talk] i missed the puppet meeting In-Reply-To: References: Message-ID: On Wed, Jan 7, 2009 at 9:49 PM, Jesse Callaway wrote: > crap. > > Anyone care to clue this guy in on the salient points? > > -jesse > Eh... Why is everything harder than it should be? -------------- next part -------------- An HTML attachment was scrubbed... URL: From george at ceetonetechnology.com Tue Jan 13 16:42:05 2009 From: george at ceetonetechnology.com (George Rosamond) Date: Tue, 13 Jan 2009 16:42:05 -0500 Subject: [nycbug-talk] DCBSDCon trip Message-ID: <496D0AAD.40409@ceetonetechnology.com> I may drive down to DCBSDCon for Thursday *or* Friday. . . day only. If anyone is interested in joining me for the day or one way, ping me offlist. Also, Jason just posted this for anyone looking for hotel space still: http://blog.dcbsdcon.org/2009/01/never-fear-days-inn-is-near/ g From dcolish at gmail.com Tue Jan 13 16:52:06 2009 From: dcolish at gmail.com (Dan Colish) Date: Tue, 13 Jan 2009 16:52:06 -0500 Subject: [nycbug-talk] DCBSDCon trip In-Reply-To: <496D0AAD.40409@ceetonetechnology.com> References: <496D0AAD.40409@ceetonetechnology.com> Message-ID: <7c21e7d30901131352y26395853s519fbdac03430f2b@mail.gmail.com> On Tue, Jan 13, 2009 at 4:42 PM, George Rosamond < george at ceetonetechnology.com> wrote: > I may drive down to DCBSDCon for Thursday *or* Friday. . . day only. > > If anyone is interested in joining me for the day or one way, ping me > offlist. > > Also, Jason just posted this for anyone looking for hotel space still: > > http://blog.dcbsdcon.org/2009/01/never-fear-days-inn-is-near/ > > g > _______________________________________________ > talk mailing list > talk at lists.nycbug.org > http://lists.nycbug.org/mailman/listinfo/talk > I'm hopping the bus on Wednesday, but I'll see you there. -------------- next part -------------- An HTML attachment was scrubbed... URL: From akosela at andykosela.com Tue Jan 13 17:20:52 2009 From: akosela at andykosela.com (Andy Kosela) Date: Tue, 13 Jan 2009 23:20:52 +0100 Subject: [nycbug-talk] Ask Mr. DNS Podcast Message-ID: <496d13c4.TfHC80J1ySgflNmT%akosela@andykosela.com> I bumped into this at [dns-operations]. There is a new podcast series started by Cricket Liu and Matt Larson named "Ask Mr. DNS", in which they explore the deep territory of DNS. http://www.ask-mrdns.com They have already published two episodes. --Andy From skreuzer at exit2shell.com Wed Jan 14 08:46:11 2009 From: skreuzer at exit2shell.com (Steven Kreuzer) Date: Wed, 14 Jan 2009 08:46:11 -0500 Subject: [nycbug-talk] FreeBSD Kernel Internals Lecture Message-ID: <82E0842D-CCDA-490B-8C40-411707DBA11C@exit2shell.com> The first hour of Marshall Kirk McKusick's course on FreeBSD kernel internals based on his book, The Design and Implementation of the FreeBSD Operating System has been posted to the BSD conferences channel on YouTube. http://www.youtube.com/watch?v=nwbqBdghh6E -- Steven Kreuzer http://www.exit2shell.com/~skreuzer From ike at lesmuug.org Sun Jan 18 16:39:00 2009 From: ike at lesmuug.org (Isaac Levy) Date: Sun, 18 Jan 2009 16:39:00 -0500 Subject: [nycbug-talk] Zimbra Hosting Providers? Message-ID: Hi All, I'm looking for a Zimbra ESP provider that doesn't suck, in general. More specifically, a Zimbra provider who provides excellent availability, backups, and uptime for all services. Any recommendations? Thanks in advance! Best, .ike From max at neuropunks.org Mon Jan 19 14:23:25 2009 From: max at neuropunks.org (Max Gribov) Date: Mon, 19 Jan 2009 14:23:25 -0500 Subject: [nycbug-talk] dns abuse Message-ID: <4974D32D.9070804@neuropunks.org> Hi all, saw a huge spike in root zone ns queries on my servers starting this friday 16th Heres a sample log: 19-Jan-2009 14:19:14.565 client 69.50.x.x#63328: query: . IN NS + 19-Jan-2009 14:19:15.689 client 76.9.x.x#35549: query: . IN NS + 19-Jan-2009 14:19:21.257 client 76.9.x.x#9389: query: . IN NS + some machines query as often as 20-30 times a minute. No idea why this would be happening, doesnt look like legitimate traffic to me.. Is anyone else experiencing this? If you're having same issue, you can do this in pf to throttle it a bit: pass in quick on $ext inet proto udp from any to port 53 keep state (max-src-states 1) From max at neuropunks.org Mon Jan 19 15:08:03 2009 From: max at neuropunks.org (Max Gribov) Date: Mon, 19 Jan 2009 15:08:03 -0500 Subject: [nycbug-talk] dns abuse In-Reply-To: <4974D32D.9070804@neuropunks.org> References: <4974D32D.9070804@neuropunks.org> Message-ID: <4974DDA3.2010308@neuropunks.org> Max Gribov wrote: > Hi all, > saw a huge spike in root zone ns queries on my servers starting this > friday 16th > ok, thankfully the isp of those ip's has a working abuse contact. it looks like their ip's are getting ddos'ed with dns queries for root zone and the query source is spoofed to their ip's. besides the throttling on pf level to protect the ns server, i decided to make . zone a master and allow query only from localhost and my pub ip, like so: zone "." { type master; file "db.root"; allow-query { 127.0.0.0/8; ; }; }; this seems to fix the issue with me participating in the ddos, but would it break anything on my end?.. so far, everything seems to be working ok. this is also authoritative-only server, so there is no recursion are there any other dns dos mitigation techniques out there?.. > Heres a sample log: > 19-Jan-2009 14:19:14.565 client 69.50.x.x#63328: query: . IN NS + > 19-Jan-2009 14:19:15.689 client 76.9.x.x#35549: query: . IN NS + > 19-Jan-2009 14:19:21.257 client 76.9.x.x#9389: query: . IN NS + > > some machines query as often as 20-30 times a minute. No idea why this > would be happening, doesnt look like legitimate traffic to me.. > Is anyone else experiencing this? > > If you're having same issue, you can do this in pf to throttle it a bit: > pass in quick on $ext inet proto udp from any to port 53 keep > state (max-src-states 1) > > > _______________________________________________ > talk mailing list > talk at lists.nycbug.org > http://lists.nycbug.org/mailman/listinfo/talk > From carton at Ivy.NET Mon Jan 19 15:18:54 2009 From: carton at Ivy.NET (Miles Nordin) Date: Mon, 19 Jan 2009 15:18:54 -0500 Subject: [nycbug-talk] dns abuse In-Reply-To: <4974DDA3.2010308@neuropunks.org> (Max Gribov's message of "Mon, 19 Jan 2009 15:08:03 -0500") References: <4974D32D.9070804@neuropunks.org> <4974DDA3.2010308@neuropunks.org> Message-ID: >>>>> "mg" == Max Gribov writes: mg> decided to make . zone a master that's how opennic/alternic/pacificroot and other bogus TLD's worked, back when they existed. It shouldn't break anything if your db.root is really a copy of the root zone. I don't think it even needs to be a particularly up-to-date copy because all the dynamic-updating of people maintaining their zones is happening at the zones one level more specific than the root. but the usual fix is to limit recursive service to your own ip's: options { /* fucking chinese pointing themselves at me */ allow-recursion { fw; }; }; acl localhost6 { ::1/128; }; acl fw { 192.168.0.0/16; 69.31.131.32/27; 2610:1f8:dc::/48; localhost; localhost6; }; you can still serve your local authoritative zones to the internet even though you refuse recursive service to the internet. The root servers themselves are configured this way. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 304 bytes Desc: not available URL: From max at neuropunks.org Mon Jan 19 16:14:25 2009 From: max at neuropunks.org (Max Gribov) Date: Mon, 19 Jan 2009 16:14:25 -0500 Subject: [nycbug-talk] dns abuse In-Reply-To: References: <4974D32D.9070804@neuropunks.org> <4974DDA3.2010308@neuropunks.org> Message-ID: <4974ED31.3080408@neuropunks.org> Miles Nordin wrote: > but the usual fix is to limit recursive service to your own ip's: > options { > /* fucking chinese pointing themselves at me */ > allow-recursion { fw; }; > hmm, thats what i had there before, since the jails use the master for their dns server, so recursion was allowed to their ip's. But trying to dig @finn.neuropunks.org . ns from any ip on net still returned the . zone, while no recursive queries would work. my rfc foo fails me, so i dont know which behavior is proper.. > }; > acl localhost6 { ::1/128; }; > acl fw { 192.168.0.0/16; 69.31.131.32/27; 2610:1f8:dc::/48; localhost; localhost6; }; > > you can still serve your local authoritative zones to the internet > even though you refuse recursive service to the internet. The root > servers themselves are configured this way. > > ------------------------------------------------------------------------ > > _______________________________________________ > talk mailing list > talk at lists.nycbug.org > http://lists.nycbug.org/mailman/listinfo/talk > From ike at lesmuug.org Mon Jan 19 16:45:37 2009 From: ike at lesmuug.org (Isaac Levy) Date: Mon, 19 Jan 2009 16:45:37 -0500 Subject: [nycbug-talk] Zimbra Hosting Providers? In-Reply-To: References: Message-ID: <4F49822C-93BA-4F32-8967-BCA588230922@lesmuug.org> Quick update, On Jan 18, 2009, at 4:39 PM, Isaac Levy wrote: > Hi All, > > I'm looking for a Zimbra ESP provider that doesn't suck, in general. > More specifically, a Zimbra provider who provides excellent > availability, backups, and uptime for all services. > > Any recommendations? > > Thanks in advance! > > Best, > .ike Thanks everyone for the off-list replies! Here's some highlights: -- Begin forwarded message: > While you're dreaming, would you like a pony? > Zimbra outsourcer that doesn't suck? > How about "honest politician" or "jumbo shrimp" while you're at it? > > :-) ROTFL -- Begin forwarded message: > Why not yourself ? I'm a big fan of outsourced email solutions, in general- since that's all they do, they can do it better (and far cheaper) than I can within an organization. -- Begin forwarded message: >> If you find one, let me know. We actually looked at deploying >> Zimbra itself as an appliance a while ago and I spent about a day >> trying to get it to play nice with our firewall/NAT setup and never >> could. Combine that with our data center power limitations, if we >> could outsource it to someone else, it would be a happy day. The >> software looks wicked cool, I just don't want to run it. ;) Rocket- .ike From carton at Ivy.NET Mon Jan 19 17:24:43 2009 From: carton at Ivy.NET (Miles Nordin) Date: Mon, 19 Jan 2009 17:24:43 -0500 Subject: [nycbug-talk] dns abuse In-Reply-To: <4974ED31.3080408@neuropunks.org> (Max Gribov's message of "Mon, 19 Jan 2009 16:14:25 -0500") References: <4974D32D.9070804@neuropunks.org> <4974DDA3.2010308@neuropunks.org> <4974ED31.3080408@neuropunks.org> Message-ID: >>>>> "mg" == Max Gribov writes: mg> But trying to dig @finn.neuropunks.org . ns from any ip on net mg> still returned the . zone, while no recursive queries would mg> work. sounds like probably a bug, but I suppose it could also be some corner case they had to work around. Either way I stand corrected. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 304 bytes Desc: not available URL: From akosela at andykosela.com Tue Jan 20 06:38:24 2009 From: akosela at andykosela.com (Andy Kosela) Date: Tue, 20 Jan 2009 12:38:24 +0100 Subject: [nycbug-talk] dns abuse In-Reply-To: <4974ED31.3080408@neuropunks.org> References: <4974D32D.9070804@neuropunks.org> <4974DDA3.2010308@neuropunks.org> <4974ED31.3080408@neuropunks.org> Message-ID: <4975b7b0.3qDvEc1g+HJYJ0fc%akosela@andykosela.com> Max Gribov wrote: > Miles Nordin wrote: > > but the usual fix is to limit recursive service to your own ip's: > > options { > > /* fucking chinese pointing themselves at me */ > > allow-recursion { fw; }; > > > hmm, thats what i had there before, since the jails use the master for > their dns server, so recursion was allowed to their ip's. Disabling recursion to hosts outside of your LAN is the first step in securing your DNS server. Otherwise you are prone to DoS and/or DNS cache poisoning attacks. I think the recent patches from ISC randomizes QID to the point it is extremely difficult to launch this attack successfully, but theoretically it is still possible, since the UDP protocol is so insecure. --Andy From george at ceetonetechnology.com Tue Jan 20 08:51:11 2009 From: george at ceetonetechnology.com (George Rosamond) Date: Tue, 20 Jan 2009 08:51:11 -0500 Subject: [nycbug-talk] UNIX quiz Message-ID: <4975D6CF.3040709@ceetonetechnology.com> Caught this on Shining Silence. . . the DFly BSD blog: UNIX quiz from 1984. http://spiffy.ci.uiuc.edu/~kline/Stuff/unixquiz.html And some of the answers: http://chneukirchen.org/trivium/2009-01-18 Cool stuff. I'll ping a source for the ;login: issue with the answers. g From akosela at andykosela.com Tue Jan 20 09:40:50 2009 From: akosela at andykosela.com (Andy Kosela) Date: Tue, 20 Jan 2009 15:40:50 +0100 Subject: [nycbug-talk] UNIX quiz In-Reply-To: <4975D6CF.3040709@ceetonetechnology.com> References: <4975D6CF.3040709@ceetonetechnology.com> Message-ID: <4975e272.q1PtmuqdT505UDa6%akosela@andykosela.com> George Rosamond wrote: > Caught this on Shining Silence. . . the DFly BSD blog: UNIX quiz from 1984. > > http://spiffy.ci.uiuc.edu/~kline/Stuff/unixquiz.html > Excellent stuff, George. This is part of the real UNIX Tradition younger generations know nothing about. And *BSD community was always more concerned about the UNIX heritage and tradition than anybody else. Though, I don't think anyone today can answer *all* of the questions just from the top of his head. --Andy From jbaltz at 3phasecomputing.com Tue Jan 20 11:27:09 2009 From: jbaltz at 3phasecomputing.com (Jerry B. Altzman) Date: Tue, 20 Jan 2009 11:27:09 -0500 Subject: [nycbug-talk] excess vintage hw for free ... Message-ID: <4975FB5D.4010403@3phasecomputing.com> Hi all, I've got a few pieces of excess Sun hardware to give away -- you just have to come pick it up here in bucolic SE Brooklyn. I've got two Ultra-2's and one Ultra-10, all pulled from working condition and all older than dirt. (They were doing miscellaneous tasks here in the office for quite some time.) FBSD 5.2 (I think) was running on the Ultra-10 just fine. FCFS. Just give me a call first, so I can wipe the disks. Otherwise I'll just yank the disks, drill a hole in 'em, and recycle the suckers. //jbaltz -- jerry b. altzman jbaltz at 3phasecomputing.com +1 718 763 7405 x112 From ike at lesmuug.org Tue Jan 20 11:33:05 2009 From: ike at lesmuug.org (Isaac Levy) Date: Tue, 20 Jan 2009 11:33:05 -0500 Subject: [nycbug-talk] UNIX quiz In-Reply-To: <4975D6CF.3040709@ceetonetechnology.com> References: <4975D6CF.3040709@ceetonetechnology.com> Message-ID: On Jan 20, 2009, at 8:51 AM, George Rosamond wrote: > Caught this on Shining Silence. . . the DFly BSD blog: UNIX quiz > from 1984. > > http://spiffy.ci.uiuc.edu/~kline/Stuff/unixquiz.html > > And some of the answers: > > http://chneukirchen.org/trivium/2009-01-18 > > Cool stuff. > > I'll ping a source for the ;login: issue with the answers. > > g YEEEEAAAAAAAAAAHHHHHHHH!!!! Excellent post... I'm already crafting the UNIX Trivial Pursuit Cards to stuff in the deck... Rocket- .ike From george at ceetonetechnology.com Tue Jan 20 12:52:15 2009 From: george at ceetonetechnology.com (George Rosamond) Date: Tue, 20 Jan 2009 12:52:15 -0500 Subject: [nycbug-talk] UNIX quiz In-Reply-To: References: <4975D6CF.3040709@ceetonetechnology.com> Message-ID: <49760F4F.4040307@ceetonetechnology.com> Isaac Levy wrote: > On Jan 20, 2009, at 8:51 AM, George Rosamond wrote: > >> Caught this on Shining Silence. . . the DFly BSD blog: UNIX quiz from >> 1984. >> >> http://spiffy.ci.uiuc.edu/~kline/Stuff/unixquiz.html >> >> And some of the answers: >> >> http://chneukirchen.org/trivium/2009-01-18 >> >> Cool stuff. >> >> I'll ping a source for the ;login: issue with the answers. >> >> g > > YEEEEAAAAAAAAAAHHHHHHHH!!!! Excellent post... > > I'm already crafting the UNIX Trivial Pursuit Cards to stuff in the deck... > Errr. . . FYI. . . just got the PDF of the issue of ;login: with answers Various character translation problems i due to troff . . copied and pasted from a PDF. Thanks BER! g Below are the answers to last the trivia quiz that appeared in the last issue of ;login: . The syntax for the answers is: left to right precedence a|b is a or b a&b is a and b (any order) a!b is a and not b 1. The source code motel: your source code checks in, but it never checks out. What is it? sccs 2. Who wrote the ?rst UNIX screen editor? irons Volume 9, Number 4 September 1984 7 ;login: 3. Using TSO is like kicking a [what?] down the beach? dead whale 4. What is the ?lename created by the original dsw (1)? core 5. Which edition of UNIX ?rst had pipes? third|3 6. What is -=O=-? empire 7. Which Stephen R. Bourne wrote the shell? software|1138|regis 8. Adam Buchsbaum?s original login was sjb. Who is sjb? sol&buchsbaum 9. What was the original processor in the Teletype DMD-5620? mac&32 10. What was the telephone extension of the author of mpx (2)? 7775 11. Which machine resulted in the naming of the ?NUXI problem?? series 1|series one 12. What customs threat is dangerous only when dropped from an airplane? belle|chess machine 13. Who wrote the Bourne shell? bourne 14. What operator in the Mashey shell was replaced by ?here documents?? pump 15. What names appear on the title page of the 3.0 manual? dolotta&petrucelli&olsson 16. Sort the following into chronological order: a) PWB 1.2, b) V7, c) Whirlwind, e) System V, f) 4.2BSD, g) MERT. cagbef|c a g b e f 17. The CRAY-2 will be so fast it [what?] in 6 seconds? in?nite|np-complete|p=np 18. How many lights are on the front panel of the original 11/70? 52 19. What does FUBAR mean? failed unibus address register 20. What does ?joff? stand for? jerq obscure feature ?nder 21. What is ?Blit? an acronym of? nothing 22. Who was rabbit!bimmler? rob 23. Into how many pieces did Ken Thompson?s deer disintegrate? three|3 24. What name is most common at USENIX conferences? joy|pike 8 September 1984 Volume 9, Number 4 ;login: 25. What is the US patent number for the setuid bit? 4135240 26. What is the patent number that appears in UNIX documentation? 2089603 27. Who satisi?ed the patent of?ce of the viability of the setuid bit patent? faulkner 28. How many UNIX systems existed when the Second Edition manual was printed? 10|ten 29. Which Bell Labs location is HL? short hills 30. Who mailed out the Sixth Edition tapes? biren|irma 31. Which university stole UNIX by phone? waterloo 32. Who received the ?rst rubber chicken award? mumaugh 33. Name a feature of C not in Kernighan and Ritchie. enum|structure assignment|void 34. What company did cbosg!ccf work for? weco|western 35. What does Bnews do? suck|gulp buckets 36. Who said ?SEX, DRUGS and UNIX?? tilson 37. What law ?rm distributed Empire? dpw|davis&polk&wardwell 38. What computer was requested by Ken Thompson, but refused by management? pdp-10|pdp10 39. Who is the most obsessed private pilot in USENIX? goble|ghg 40. What operating system runs on the 3B-20D? dmert|unix/rtr 41. Who wrote find (1)? haight 42. In what year did Bell Labs organization charts become proprietary? 83 43. What is the UNIX epoch in Cleveland? 1969&dec&31&19:00 44. What language preceded C? nb 45. What language preceded B? bon|fortran 46. What letter is mispunched by bcd (6)? r Volume 9, Number 4 September 1984 9 ;login: 47. What terminal does the Blit emulate? jerq 48. What does ?trb? stand for (it?s Andy Tannenbaum?s login)? tribble 49. allegra!honey is no what? lady 50. What is the one-line description in vs.c? screw works interface 51. What is the TU10 tape boot for the PDP-11/70 starting at location 100000 (in octal)? 012700 172526 010040 012740 060003 105710 012376 005007 52. What company owns the trademark on Writer?s Workbenchtm Software? at&t communications 53. Who designed Belle? condon|jhc 54. Who coined the name ?UNIX?? kernighan|bwk 55. What manual page mentioned Urdu? typo 56. What politician is mentioned in the UNIX documentation? nixon 57. What program was compat (1) written to support? zork|adventure 58. Who is ?mctesq?? michael&toy&esquire 59. What was ?ubl?? rogue|under bell labs 60. Who bought the ?rst commercial UNIX license? rand 61. Who bought the ?rst UNIX license? columbia 62. Who signed the Sixth Edition licenses? shahpazian 63. What color is the front console on the PDP-11/45 (exactly)? puce 64. How many different meanings does UNIX assign to ?.?? lots|many|countless|myriad|thousands 65. Who said, ?Smooth rotation butters no parsnips?? john&tukey 66. What was the original name for cd (1)? ch!dir 67. Which was the ?rst edition of the manual to be typeset? 4|four 68. Which was the ?rst edition of UNIX to have standard error/diagnostic output? 5|?ve 10 September 1984 Volume 9, Number 4 ;login: 69. Who ran the ?rst UNIX Support Group? maranzano 70. Whose Ph.D. thesis concerned UNIX paging? ozalp&babaoglu 71. Who (other than the obvious) designed the original UNIX ?le system? canaday 72. Who wrote the PWB shell? mashey 73. Who invented uucp ? lesk 74. Who thought of PWB? evan ivie 75. What does grep stand for? global regular expression print|g/re/p|g/regular expression/p 76. What hardware device does ?dsw? refer to? console&7 77. What was the old name of the ?sys? directory? ken 78. What was the old name of the ?dev? directory? dmr 79. Who has written many random number generators, but never one that worked? ken|thompson 80. Where was the ?rst UNIX system outside 127? patent 81. What was the ?rst UNIX network? spider 82. What was the original syntax for ?ls -l|pr -h?? ls -l>"pr -h">|<"ls -l" References: <4974D32D.9070804@neuropunks.org> Message-ID: <3A46981C-9D17-48D1-9507-CB04A0A8A04E@exit2shell.com> On Jan 19, 2009, at 2:23 PM, Max Gribov wrote: > Hi all, > saw a huge spike in root zone ns queries on my servers starting this > friday 16th > Heres a sample log: > 19-Jan-2009 14:19:14.565 client 69.50.x.x#63328: query: . IN NS + > 19-Jan-2009 14:19:15.689 client 76.9.x.x#35549: query: . IN NS + > 19-Jan-2009 14:19:21.257 client 76.9.x.x#9389: query: . IN NS + > > some machines query as often as 20-30 times a minute. No idea why this > would be happening, doesnt look like legitimate traffic to me.. > Is anyone else experiencing this? > > If you're having same issue, you can do this in pf to throttle it a > bit: > pass in quick on $ext inet proto udp from any to port 53 keep > state (max-src-states 1) Your DNS servers are/were being used for a DoS attack against 76.9.31.42 and 69.50.142.110 http://isc.sans.org/diary.html?storyid=5713 -- Steven Kreuzer http://www.exit2shell.com/~skreuzer From dan at langille.org Tue Jan 20 16:35:10 2009 From: dan at langille.org (Dan Langille) Date: Tue, 20 Jan 2009 16:35:10 -0500 Subject: [nycbug-talk] dns abuse In-Reply-To: <3A46981C-9D17-48D1-9507-CB04A0A8A04E@exit2shell.com> References: <4974D32D.9070804@neuropunks.org> <3A46981C-9D17-48D1-9507-CB04A0A8A04E@exit2shell.com> Message-ID: <1304EEFC-AD2F-40E5-9D12-EFEE071C106A@langille.org> On Jan 20, 2009, at 3:39 PM, Steven Kreuzer wrote: > > On Jan 19, 2009, at 2:23 PM, Max Gribov wrote: > >> Hi all, >> saw a huge spike in root zone ns queries on my servers starting this >> friday 16th >> Heres a sample log: >> 19-Jan-2009 14:19:14.565 client 69.50.x.x#63328: query: . IN NS + >> 19-Jan-2009 14:19:15.689 client 76.9.x.x#35549: query: . IN NS + >> 19-Jan-2009 14:19:21.257 client 76.9.x.x#9389: query: . IN NS + >> >> some machines query as often as 20-30 times a minute. No idea why >> this >> would be happening, doesnt look like legitimate traffic to me.. >> Is anyone else experiencing this? >> >> If you're having same issue, you can do this in pf to throttle it a >> bit: >> pass in quick on $ext inet proto udp from any to port 53 >> keep >> state (max-src-states 1) > > > Your DNS servers are/were being used for a DoS attack against > 76.9.31.42 and 69.50.142.110 > > http://isc.sans.org/diary.html?storyid=5713 Thank you for posting that. At that article is a link to http://isc1.sans.org/dnstest.html which " will test a DNS server to make sure that it does not respond to the standard NS requests for the root zone." Nice. -- Dan Langille http://langille.org/ From trish at bsdunix.net Tue Jan 20 19:22:49 2009 From: trish at bsdunix.net (Siobhan P. Lynch) Date: Tue, 20 Jan 2009 19:22:49 -0500 Subject: [nycbug-talk] UNIX quiz In-Reply-To: References: <4975D6CF.3040709@ceetonetechnology.com> Message-ID: <4A372F9D-4668-4955-ADBC-A5C4111EC167@bsdunix.net> On Jan 20, 2009, at 11:33 AM, Isaac Levy wrote: > > YEEEEAAAAAAAAAAHHHHHHHH!!!! Excellent post... > > I'm already crafting the UNIX Trivial Pursuit Cards to stuff in the > deck... > > Rocket- > .ike > I'm starting to feel really old, because I know many of the people from USENIX that this quiz talks about - Back when I got into UNIX, drhoney (aka honey, allegra!honey, Peter Honeyman) used to hang out on #UNIX on IRC (back before Efnet and IRCNet split) Many of the other people on here I've met at USENIX over the years as well... Wow, it seems at times I was around to witness history, but I swear, I don;t feel that old. -Trish From yds at CoolRat.org Wed Jan 21 10:50:31 2009 From: yds at CoolRat.org (Yarema) Date: Wed, 21 Jan 2009 10:50:31 -0500 Subject: [nycbug-talk] dns abuse In-Reply-To: <3A46981C-9D17-48D1-9507-CB04A0A8A04E@exit2shell.com> References: <4974D32D.9070804@neuropunks.org> <3A46981C-9D17-48D1-9507-CB04A0A8A04E@exit2shell.com> Message-ID: <49774447.7090100@CoolRat.org> Steven Kreuzer wrote: > On Jan 19, 2009, at 2:23 PM, Max Gribov wrote: > >> Hi all, >> saw a huge spike in root zone ns queries on my servers starting this >> friday 16th >> Heres a sample log: >> 19-Jan-2009 14:19:14.565 client 69.50.x.x#63328: query: . IN NS + >> 19-Jan-2009 14:19:15.689 client 76.9.x.x#35549: query: . IN NS + >> 19-Jan-2009 14:19:21.257 client 76.9.x.x#9389: query: . IN NS + >> >> some machines query as often as 20-30 times a minute. No idea why this >> would be happening, doesnt look like legitimate traffic to me.. >> Is anyone else experiencing this? >> >> If you're having same issue, you can do this in pf to throttle it a >> bit: >> pass in quick on $ext inet proto udp from any to port 53 keep >> state (max-src-states 1) > > > Your DNS servers are/were being used for a DoS attack against > 76.9.31.42 and 69.50.142.110 > > http://isc.sans.org/diary.html?storyid=5713 Steve, what makes you say that Max's DNS servers were used for a DDoS attack against 76.9.31.42 and 69.50.142.110? It seems to me like it's the other way around.. But I haven't got my brain wrapped around this one yet so I'm just looking to get enlightened on the matter. I use djbdns with tinydns on the outward facing interface serving only authoritative responses. And dnscache on the localhost and/or LAN interfaces. That said I've been hit by this same sort of DDoS attack also starting around Jan 16th. I first noticed it on the morning of the 17th. The test of my DNS servers from http://isc1.sans.org/dnstest.html returns: "I am not able to connect to your server, and as a result can't tell if your server is configured right. However, if your server is not reachable, it is secure as far as this test is concerned" I guess that's good. My remedy has been to add each IP that I notice repeatedly querying for the root "." domain to the blacklist table in my pf rules. So far I've collected the following IPs: 66.230.128.15 66.230.160.1 69.50.142.11 69.50.142.110 76.9.16.171 With the above blocked I get no "." queries in the tinydns log file. Otherwise pftop would show upto a 100 pf states on UDP 53 when my normal average tops out at around 30 states, but usually hovers around 10 or 15. Note that I added 66.230.128.15 and 66.230.160.1 just this morning. They have not previously hit my servers. Nor has 76.9.31.42 hit my servers, though 76.9.16.171 did. -- Yarema From max at neuropunks.org Wed Jan 21 10:57:52 2009 From: max at neuropunks.org (Max Gribov) Date: Wed, 21 Jan 2009 10:57:52 -0500 Subject: [nycbug-talk] dns abuse In-Reply-To: <49774447.7090100@CoolRat.org> References: <4974D32D.9070804@neuropunks.org> <3A46981C-9D17-48D1-9507-CB04A0A8A04E@exit2shell.com> <49774447.7090100@CoolRat.org> Message-ID: <49774600.3010609@neuropunks.org> Yarema wrote: > > Steve, what makes you say that Max's DNS servers were used for a DDoS > attack against 76.9.31.42 and 69.50.142.110? It seems to me like it's > the other way around.. But I haven't got my brain wrapped around this > one yet so I'm just looking to get enlightened on the matter. > > This dns attack is very similar to good ole smurf - only this time they are spoofed dns requests for the root zone (~450 bytes) with sources set as those ips. As a result, any server with enabled recursion or apparently even with disabled recursion but . zone loaded as 'hint' type in bind will return that result to the servers under attack. Multiply 450 bytes by several hundred K and you have a sizable ddos going. For example, consider UDNS2.ULTRADNS.NET nslookup www.yahoo.com UDNS2.ULTRADNS.NET Server: UDNS2.ULTRADNS.NET Address: 204.74.101.1#53 Non-authoritative answer: *** Can't find www.yahoo.com: No answer ^^ recursion disabled dig @UDNS2.ULTRADNS.NET . in ns ^^ will still return the . zone -- oops > I use djbdns with tinydns on the outward facing interface serving only > authoritative responses. And dnscache on the localhost and/or LAN > interfaces. That said I've been hit by this same sort of DDoS attack > also starting around Jan 16th. I first noticed it on the morning of the > 17th. > > The test of my DNS servers from http://isc1.sans.org/dnstest.html returns: > > "I am not able to connect to your server, and as a result can't tell if > your server is configured right. However, if your server is not > reachable, it is secure as far as this test is concerned" > > I guess that's good. > > My remedy has been to add each IP that I notice repeatedly querying for > the root "." domain to the blacklist table in my pf rules. So far I've > collected the following IPs: > > 66.230.128.15 > 66.230.160.1 > > 69.50.142.11 > 69.50.142.110 > 76.9.16.171 > > With the above blocked I get no "." queries in the tinydns log file. > Otherwise pftop would show upto a 100 pf states on UDP 53 when my normal > average tops out at around 30 states, but usually hovers around 10 or 15. > > Note that I added 66.230.128.15 and 66.230.160.1 just this morning. > They have not previously hit my servers. Nor has 76.9.31.42 hit my > servers, though 76.9.16.171 did. > > From skreuzer at exit2shell.com Wed Jan 21 11:08:04 2009 From: skreuzer at exit2shell.com (Steven Kreuzer) Date: Wed, 21 Jan 2009 11:08:04 -0500 Subject: [nycbug-talk] dns abuse In-Reply-To: <49774447.7090100@CoolRat.org> References: <4974D32D.9070804@neuropunks.org> <3A46981C-9D17-48D1-9507-CB04A0A8A04E@exit2shell.com> <49774447.7090100@CoolRat.org> Message-ID: <46C39273-8A91-44C1-A149-2D6F72CBE22C@exit2shell.com> On Jan 21, 2009, at 10:50 AM, Yarema wrote: > Steven Kreuzer wrote: >> On Jan 19, 2009, at 2:23 PM, Max Gribov wrote: >> >>> Hi all, >>> saw a huge spike in root zone ns queries on my servers starting this >>> friday 16th >>> Heres a sample log: >>> 19-Jan-2009 14:19:14.565 client 69.50.x.x#63328: query: . IN NS + >>> 19-Jan-2009 14:19:15.689 client 76.9.x.x#35549: query: . IN NS + >>> 19-Jan-2009 14:19:21.257 client 76.9.x.x#9389: query: . IN NS + >>> >>> some machines query as often as 20-30 times a minute. No idea why >>> this >>> would be happening, doesnt look like legitimate traffic to me.. >>> Is anyone else experiencing this? >>> >>> If you're having same issue, you can do this in pf to throttle it a >>> bit: >>> pass in quick on $ext inet proto udp from any to port 53 >>> keep >>> state (max-src-states 1) >> >> >> Your DNS servers are/were being used for a DoS attack against >> 76.9.31.42 and 69.50.142.110 >> >> http://isc.sans.org/diary.html?storyid=5713 > > Steve, what makes you say that Max's DNS servers were used for a DDoS > attack against 76.9.31.42 and 69.50.142.110? It seems to me like it's > the other way around.. But I haven't got my brain wrapped around this > one yet so I'm just looking to get enlightened on the matter. Remember the good ol days (1998) when you would send a single ICMP echo request to the broadcast address of a network and hundreds of machines on the network would send back an echo reply. If you changed the source address to address of some other host, you could send a single packet that would result in a huge amount of traffic being sent to your victim. If you found a large enough network, you could successfully take your victim offline from your home machine connected to AOL at 9600 Bps. This is pretty much the same concept, just applied in a new and creative way. Someone makes a request for a root name server which is a small query that generates a large response. You change the source address to the IPs you want to DDoS and eventually their pipes are so clogged with DNS traffic they eventually become unreachable. -- Steven Kreuzer http://www.exit2shell.com/~skreuzer From yds at CoolRat.org Wed Jan 21 11:48:04 2009 From: yds at CoolRat.org (Yarema) Date: Wed, 21 Jan 2009 11:48:04 -0500 Subject: [nycbug-talk] dns abuse In-Reply-To: <46C39273-8A91-44C1-A149-2D6F72CBE22C@exit2shell.com> References: <4974D32D.9070804@neuropunks.org> <3A46981C-9D17-48D1-9507-CB04A0A8A04E@exit2shell.com> <49774447.7090100@CoolRat.org> <46C39273-8A91-44C1-A149-2D6F72CBE22C@exit2shell.com> Message-ID: <497751C4.8090004@CoolRat.org> Steven Kreuzer wrote: > On Jan 21, 2009, at 10:50 AM, Yarema wrote: > >> Steven Kreuzer wrote: >>> On Jan 19, 2009, at 2:23 PM, Max Gribov wrote: >>> >>>> Hi all, >>>> saw a huge spike in root zone ns queries on my servers starting this >>>> friday 16th >>>> Heres a sample log: >>>> 19-Jan-2009 14:19:14.565 client 69.50.x.x#63328: query: . IN NS + >>>> 19-Jan-2009 14:19:15.689 client 76.9.x.x#35549: query: . IN NS + >>>> 19-Jan-2009 14:19:21.257 client 76.9.x.x#9389: query: . IN NS + >>>> >>>> some machines query as often as 20-30 times a minute. No idea why >>>> this >>>> would be happening, doesnt look like legitimate traffic to me.. >>>> Is anyone else experiencing this? >>>> >>>> If you're having same issue, you can do this in pf to throttle it a >>>> bit: >>>> pass in quick on $ext inet proto udp from any to port 53 >>>> keep >>>> state (max-src-states 1) >>> >>> Your DNS servers are/were being used for a DoS attack against >>> 76.9.31.42 and 69.50.142.110 >>> >>> http://isc.sans.org/diary.html?storyid=5713 >> Steve, what makes you say that Max's DNS servers were used for a DDoS >> attack against 76.9.31.42 and 69.50.142.110? It seems to me like it's >> the other way around.. But I haven't got my brain wrapped around this >> one yet so I'm just looking to get enlightened on the matter. > > Remember the good ol days (1998) when you would send a single ICMP > echo requestto the broadcast address of a network and hundreds of > machines on the network would send back an echo reply. > > If you changed the source address to address of some other host, you > could send a single packet that would result in a huge amount of > traffic being sent to your victim. > > If you found a large enough network, you could successfully take your > victim offline from your home machine connected to AOL at 9600 Bps. > > This is pretty much the same concept, just applied in a new and > creative way. Someone makes a request for a root name server which > is a small query that generates a large response. You change > the source address to the IPs you want to DDoS and eventually their > pipes are so clogged with DNS traffic they eventually become > unreachable. Thanks, I understand that part now. What I don't get as far as my setup is concerned is that when I try to run the "dig . NS @yournameserver" test against my name servers I get: ;; connection timed out; no servers could be reached which means my servers are secure, no? However I was seeing the same sort of high load from 66.230.128.15 66.230.160.1 69.50.142.11 69.50.142.110 76.9.16.171 76.9.31.42 as Max originally reported. So since I'm not returning anything to the "." query yet I am getting hit with repeated queries from the IPs above, doesn't it stand to reason that my servers are the ones getting DDoSed and not the other way around? -- Yarema From akosela at andykosela.com Wed Jan 21 12:12:22 2009 From: akosela at andykosela.com (Andy Kosela) Date: Wed, 21 Jan 2009 18:12:22 +0100 Subject: [nycbug-talk] dns abuse In-Reply-To: <497751C4.8090004@CoolRat.org> References: <4974D32D.9070804@neuropunks.org> <3A46981C-9D17-48D1-9507-CB04A0A8A04E@exit2shell.com> <49774447.7090100@CoolRat.org> <46C39273-8A91-44C1-A149-2D6F72CBE22C@exit2shell.com> <497751C4.8090004@CoolRat.org> Message-ID: <49775776.x62kz5/DNJKLXfLO%akosela@andykosela.com> Yarema wrote: > I was seeing the same sort of high load from > > 66.230.128.15 > 66.230.160.1 > 69.50.142.11 > 69.50.142.110 > 76.9.16.171 > 76.9.31.42 > > as Max originally reported. So since I'm not returning anything to the > "." query yet I am getting hit with repeated queries from the IPs above, > doesn't it stand to reason that my servers are the ones getting DDoSed > and not the other way around? Those source ip's are spoofed. Dan's link can be helpful: http://isc.sans.org/diary.html?storyid=5713 As I understand it, there is no "proper" way to fix it in BIND9. You can block on your firewall any DNS query of 45 bytes length or globally deny recursion and queries, allowing them only at the zones level. Answering for dig . ns @ns_server is a normal behavior even if the server is not allowing recursion. I wonder that exactly the same kind of DoS attack can be successful if using com or net servers instead of root. The payload would be similar. --Andy From carton at Ivy.NET Wed Jan 21 13:38:39 2009 From: carton at Ivy.NET (Miles Nordin) Date: Wed, 21 Jan 2009 13:38:39 -0500 Subject: [nycbug-talk] dns abuse In-Reply-To: <49775776.x62kz5/DNJKLXfLO%akosela@andykosela.com> (Andy Kosela's message of "Wed, 21 Jan 2009 18:12:22 +0100") References: <4974D32D.9070804@neuropunks.org> <3A46981C-9D17-48D1-9507-CB04A0A8A04E@exit2shell.com> <49774447.7090100@CoolRat.org> <46C39273-8A91-44C1-A149-2D6F72CBE22C@exit2shell.com> <497751C4.8090004@CoolRat.org> <49775776.x62kz5/DNJKLXfLO%akosela@andykosela.com> Message-ID: >>>>> "ak" == Andy Kosela writes: ak> exactly the same kind of DoS attack can be successful if using ak> com or net servers instead of root. it sounds like any query will work for that purpose as long as the answer is bigger than the question, so I'm not sure there's a ``bug'' or ``vulnerability'' in the server software to fix. We're back to the old problem of the new commercial-ISP-landscape providing zero stewardship towards fixing the DDoS problem overall. The real fix, is something like RPF. For example, if you had: * a flag in the header of each packet indicating that it comes from a member of the RPF-implementing ISP Brotherhood, and its source address is semi-trustworthy * a mailsieve-like architecture for instructing your ISP to install traffic filters on your behalf then you could load the victim's IP's into your sieve and say ``from these victim IP's, accept flagged traffic only.'' You could also install a bunch of really aggressive IDS filters for non-Brotherhood traffic, which would at times give false positives, giving users an incentive to pick ISP's that have joined the RPF Brotherhood, the way they now have incentive to pick ISP's with anti-spam AUP's. If your site isn't fully public, you could even say something like ``I only accept TCP and VPN-UDP traffic from outside the RPF brotherhood.'' Let the non-RPF people time out and use your secondary DNS. Finally the victim could maybe add himself to a ``default sieve''---declare analagous to email SPF that ``all my traffic should carry the flag,'' stopping the attack himself once he notices that he's getting DDoSed, before you notice it. In this particular neosmurf attack you don't even need the second sieve piece because the traffic is so small you could block it with your own firewall, if your firewall could see the RPF Brotherhood Header Flag. but for other types of DDoS the sieve is needed, and also needed is the idea that goes along with it, that I should have the right to declare which traffic I'm paying to receive, and if I add it to the sieve I don't want to receive it or pay for it. I think the right to mark your traffic with the Flag should require that you operate a sieve and don't charge customers for sieve-filtered traffic. The sieve is also likely to be part of a truly neutral QoS architecture, so we need a wedge to force this complexity into the network. The idea is, once these incentives are in place, ISP's will want to spread sieve data through the routing mesh so they don't have to carry these unwanted packets. Probably they will end up being blocked at the edge of the Brotherhood, so DDoSes will only overwhelm links to non-Brotherhood ISP's. Given what we have now, maybe the best thing to do would be to blame the victim. Who are your machines being used to attack? Do you know anything about this guy? I bet he's a real shady character, meaning I bet he has shady friends and acquaintences. This kind of person is always causing problems. He was probably asking for it, by insulting someone on irc. What did he expect to happen, failing to grovel before someone who was obviously a pheersome bot-herder? Have this idiot kicked off the internet for his own stupidity. He's a troublemaker. Anyway, there always seems to be trouble around him, and that's all I need to know. I've already spent more time on him than I'm willing, so it's just, fucking, done. Why can't he just browse the web and watch Youtube like everyone else? His weird behavior is using up MY time and attention. We should find out who is the victim's ISP, and block all their IP space---if they are still allow irc-hosting, then they will be a problem tomorrow as well as today. People are just going to keep spoofing them! So you may as well block all their traffic to stop the Network Abuse at your site. Force people to communicate through some proprietary commercial ad-supported medium like AIM or MySpaceIM or Facebook-httpchat by blocking anyone involved in hosting or using irc. We want only ``clean'' traffic at our site: traffic mediated and censored by some funded corporation that can declare arbitrary policies with which you must agree to participate, log everything, and kick off anyone who makes Trouble without recourse. I mean, at least these big corporations have a _stake_ in cooperating, right, as opposed to R4ndomDD05SH3LLZ.net. It's these fucking small businesses doing weird things and mouthy irc people who patronize them that are causing the network abuse problem by riling up the hackers with their irc-mockery and vitriolic insults. not a ``vulnerability'' in DNS. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 304 bytes Desc: not available URL: From yds at CoolRat.org Wed Jan 21 13:53:36 2009 From: yds at CoolRat.org (Yarema) Date: Wed, 21 Jan 2009 13:53:36 -0500 Subject: [nycbug-talk] dns abuse In-Reply-To: <49775776.x62kz5/DNJKLXfLO%akosela@andykosela.com> References: <4974D32D.9070804@neuropunks.org> <3A46981C-9D17-48D1-9507-CB04A0A8A04E@exit2shell.com> <49774447.7090100@CoolRat.org> <46C39273-8A91-44C1-A149-2D6F72CBE22C@exit2shell.com> <497751C4.8090004@CoolRat.org> <49775776.x62kz5/DNJKLXfLO%akosela@andykosela.com> Message-ID: <49776F30.6050301@CoolRat.org> Andy Kosela wrote: > Yarema wrote: > >> I was seeing the same sort of high load from >> >> 66.230.128.15 >> 66.230.160.1 >> 69.50.142.11 >> 69.50.142.110 >> 76.9.16.171 >> 76.9.31.42 >> >> as Max originally reported. So since I'm not returning anything to the >> "." query yet I am getting hit with repeated queries from the IPs above, >> doesn't it stand to reason that my servers are the ones getting DDoSed >> and not the other way around? > > Those source ip's are spoofed. Dan's link can be helpful: > > http://isc.sans.org/diary.html?storyid=5713 > > As I understand it, there is no "proper" way to fix it in BIND9. You > can block on your firewall any DNS query of 45 bytes length or globally > deny recursion and queries, allowing them only at the zones level. > Answering for > > dig . ns @ns_server > > is a normal behavior even if the server is not allowing recursion. I > wonder that exactly the same kind of DoS attack can be successful if > using com or net servers instead of root. The payload would be similar. Andy, In my case I'm using djbdns' tinydsn, which by default does not allow recursion. And "dig . ns @ns_server" returns ;; connection timed out; no servers could be reached even though the unsuccessful query is logged by tinydns. I can't say enough good things about djbdns. Much simpler to administer than BIND and in the 10 years I've been using it I've yet to upgrade or tweak anything in djbdns itself because of a security issue. This latest incident included. I blocked the above IPs to relieve the load on port 53, but so far as I can tell my servers were not contributing to any DDoSing since they returns nothing to the . NS query. -- Yarema From carton at Ivy.NET Wed Jan 21 14:29:35 2009 From: carton at Ivy.NET (Miles Nordin) Date: Wed, 21 Jan 2009 14:29:35 -0500 Subject: [nycbug-talk] dns abuse In-Reply-To: <49776F30.6050301@CoolRat.org> (Yarema's message of "Wed, 21 Jan 2009 13:53:36 -0500") References: <4974D32D.9070804@neuropunks.org> <3A46981C-9D17-48D1-9507-CB04A0A8A04E@exit2shell.com> <49774447.7090100@CoolRat.org> <46C39273-8A91-44C1-A149-2D6F72CBE22C@exit2shell.com> <497751C4.8090004@CoolRat.org> <49775776.x62kz5/DNJKLXfLO%akosela@andykosela.com> <49776F30.6050301@CoolRat.org> Message-ID: >>>>> "y" == Yarema writes: y> I can't say enough good things about djbdns. I can say a few bad ones. no support for ipv6, no standards-compliant secondary dns. no support for dyndns and dnssec and thus no support for wide-area dns-sd. dns-sd is the best example of DJB's wrong-headedness. It's a well-liked protocol which is becoming important, and it gracefully builds on standards the rest of us have been carefully laying, one stone upon another, for future protocols we couldn't imagine yet (dnssec, dynamic updates, IXFR), and now dns-sd comes along as such an unimagined protocol using all the prior work. y> my servers were not contributing to any DDoSing since they y> returns nothing to the . NS query. which may well violate some standard, or make something else harder to debug. And it provides no real security because I can still do a query for something for which your server is authoritative and get it to amplify an attack. That just happens to not be the case this time---it's security through obscurity. but as you said it's easier. Maybe this stripped-down linksys-router-style simplified software is an effective, sort of, civil-disobedience backpressure on bloated standards. Also his separating the resolver from the server is proper. Though you can see the crazed zealot's limitations again here in that he didn't really deliver a full resolver because he didn't deliver the library piece of it. libresolv comes with BIND and gets built into libc's, then you use that with dnscache---but the idea of making a resolver by having a library send recursive queries to a DNS server is a BIND idea, of which DJB hijaacked half. Bigger, more complicated libresolv's that do their own cachinig and deviate from the BIND model are built into Solaris and Mac OS X. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 304 bytes Desc: not available URL: From akosela at andykosela.com Wed Jan 21 15:05:09 2009 From: akosela at andykosela.com (Andy Kosela) Date: Wed, 21 Jan 2009 21:05:09 +0100 Subject: [nycbug-talk] dns abuse In-Reply-To: References: <4974D32D.9070804@neuropunks.org> <3A46981C-9D17-48D1-9507-CB04A0A8A04E@exit2shell.com> <49774447.7090100@CoolRat.org> <46C39273-8A91-44C1-A149-2D6F72CBE22C@exit2shell.com> <497751C4.8090004@CoolRat.org> <49775776.x62kz5/DNJKLXfLO%akosela@andykosela.com> <49776F30.6050301@CoolRat.org> Message-ID: <49777ff5.HJW0wKahV9GGTnb4%akosela@andykosela.com> Miles Nordin wrote: > >>>>> "y" == Yarema writes: > > y> I can't say enough good things about djbdns. > > I can say a few bad ones. > > no support for ipv6, no standards-compliant secondary dns. no support > for dyndns and dnssec and thus no support for wide-area dns-sd. > > dns-sd is the best example of DJB's wrong-headedness. It's a > well-liked protocol which is becoming important, and it gracefully > builds on standards the rest of us have been carefully laying, one > stone upon another, for future protocols we couldn't imagine yet > (dnssec, dynamic updates, IXFR), and now dns-sd comes along as such an > unimagined protocol using all the prior work. > > y> my servers were not contributing to any DDoSing since they > y> returns nothing to the . NS query. > > which may well violate some standard, or make something else harder to > debug. > Exactly. How are you going to point other nameservers to the root then? Disabling recursion to WAN is desirable, but I'm not sure about disabling answering for . zone. So is this some kind of "bug" or not? --Andy From yds at CoolRat.org Wed Jan 21 17:07:01 2009 From: yds at CoolRat.org (Yarema) Date: Wed, 21 Jan 2009 17:07:01 -0500 Subject: [nycbug-talk] dns abuse In-Reply-To: References: <4974D32D.9070804@neuropunks.org> <3A46981C-9D17-48D1-9507-CB04A0A8A04E@exit2shell.com> <49774447.7090100@CoolRat.org> <46C39273-8A91-44C1-A149-2D6F72CBE22C@exit2shell.com> <497751C4.8090004@CoolRat.org> <49775776.x62kz5/DNJKLXfLO%akosela@andykosela.com> <49776F30.6050301@CoolRat.org> Message-ID: <49779C85.8010608@CoolRat.org> Miles Nordin wrote: >>>>>> "y" == Yarema writes: > > y> I can't say enough good things about djbdns. > > I can say a few bad ones. As a disclaimer, I'm not a djb/qmail fanboy, I just happen to like and use djbdns with an eye towards migrating my setup to ldapdns, a drop in replacement for djb's tinydns. I never claimed that djbdns doesn't have its share of shortcomings. Simplicity and "security by default" happen to be it's strong points. > no support for ipv6, no standards-compliant secondary dns. no support > for dyndns and dnssec and thus no support for wide-area dns-sd. IPv6 is supported with a patch selectable in the FreeBSD port. I don't really care, I don't currently use IPv6. And I don't really care that it's a patch and not port of the "official distribution". It's there if needed. If you mean "standards-compliant secondary dns" == AXFR then AXFR can be done with djbdns, but rsync is simpler to do if both the primary and secondary are under your control and running djbdns. And it does come with axfrdns in case you need to support a BIND or what-have-you AXFR secondary. So that's not an issue. See http://cr.yp.to/djbdns/tcp.html#intro-axfr > dns-sd is the best example of DJB's wrong-headedness. It's a > well-liked protocol which is becoming important, and it gracefully > builds on standards the rest of us have been carefully laying, one > stone upon another, for future protocols we couldn't imagine yet > (dnssec, dynamic updates, IXFR), and now dns-sd comes along as such an > unimagined protocol using all the prior work. As far as dnssec, dynamic updates, IXFR not being supported, I currently don't have a need for any of them. When and if I do I'll explore a solution which offers them. However I agree that djb often paints himself into a corner by not supporting what the rest of the world seems to be moving towards. This latter point is why I haven't used qmail for the past 10 years. Postfix offers all the standards support missing from qmail as well as cdb if you count that as an advantage of qmail. But this is a different tangent altogether. Just making a point here that I agree that djb can be wrong-headed. > y> my servers were not contributing to any DDSing since they > y> returns nothing to the . NS query. > > which may well violate some standard, or make something else harder to > debug. Maybe, but I've yet to run into a situation where this was the case. In the case of this latest spoof attack it seems to me like everyone was scrambling for a way to disable answering the "." zone. Was everyone trying to figure out a way to violate "some standard" as a way of protecting their DNS servers? tinydns rejects zone-transfer requests, inverse queries, non-Internet-class queries, truncated packets, and packets that contain anything other than a single query. And it only answers queries for zones that it is configured for. It is never configured to answer the "." zone unless it's being used on a root server I suppose. Even then I don't understand why anyone needs to serve the "." zone. That's what the root hints file is for. This hints file is only useful to the resolver. tinydns is not a resolver, it only serves authoritative replies. dnscache, the resolver half of djbdns, has no problem serving up the "." zone: ; <<>> DiG 9.4.3-P1 <<>> . NS @127.0.0.1 ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 991 ;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;. IN NS ;; ANSWER SECTION: . 518273 IN NS L.ROOT-SERVERS.NET. . 518273 IN NS C.ROOT-SERVERS.NET. . 518273 IN NS D.ROOT-SERVERS.NET. . 518273 IN NS H.ROOT-SERVERS.NET. . 518273 IN NS F.ROOT-SERVERS.NET. . 518273 IN NS A.ROOT-SERVERS.NET. . 518273 IN NS I.ROOT-SERVERS.NET. . 518273 IN NS G.ROOT-SERVERS.NET. . 518273 IN NS J.ROOT-SERVERS.NET. . 518273 IN NS B.ROOT-SERVERS.NET. . 518273 IN NS M.ROOT-SERVERS.NET. . 518273 IN NS E.ROOT-SERVERS.NET. . 518273 IN NS K.ROOT-SERVERS.NET. ;; Query time: 0 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Wed Jan 21 16:07:19 2009 ;; MSG SIZE rcvd: 228 So having said all that I'm now convinced that tinydns is doing the Right Thing(TM) by not replying to queries for the "." zone, because no one has any business asking my authoritative servers for the "." zone. Go ask your ISP's DNS cache for the "." zone or your local DNS cache. Don't be asking my authoritative DNS server for "." cuz I'm not authoritative for the "." zone. > And it provides no real security because I can still do a query for > something for which your server is authoritative and get it to amplify > an attack. That just happens to not be the case this time---it's > security through obscurity. Doesn't this apply equally to any DNS server out there? Looks like we're looking at a new(?) DDoS threat regardless of which DNS server implementation anyone uses, no? Seems like Max's pf throttling rule from the post which started this thread is a good practice no matter what.. cuz filtering on packet size is not fool-proof nor is filtering the spoofed "victim" IPs (like I've done) much good in the long term. > but as you said it's easier. Maybe this stripped-down > linksys-router-style simplified software is an effective, sort of, > civil-disobedience backpressure on bloated standards. Maybe.. I certainly gravitate towards simplicity whenever available. > Also his separating the resolver from the server is proper. Though > you can see the crazed zealot's limitations again here in that he > didn't really deliver a full resolver because he didn't deliver the > library piece of it. libresolv comes with BIND and gets built into > libc's, then you use that with dnscache---but the idea of making a > resolver by having a library send recursive queries to a DNS server is > a BIND idea, of which DJB hijaacked half. Bigger, more complicated > libresolv's that do their own cachinig and deviate from the BIND model > are built into Solaris and Mac OS X. The "crazed zealot" did deliver the library piece of the resolver: http://cr.yp.to/djbdns/blurb/library.html http://cr.yp.to/djbdns/dns.html It's upto each OS vendor to implement whatever DNS resolver they happen to go with. Into libc or what have you. But it's probably best that BIND's libresolve or compatible is the standard since it pretty much guarantees a consistent API across the board for Unix-like OSes. See the "crazed zealot's" libresolv security disaster rant: http://cr.yp.to/djbdns/res-disaster.html There he explicitly states that his resolver library is in the public domain so there shouldn't be any licensing related concerns in using it. As for client applications they are also free to chose whichever resolver implementation they wanna program for. Though I don't know of any software besides djb's using his resolver lib, I do know plenty of software which uses libadns http://www.chiark.greenend.org.uk/~ian/adns/ instead of BIND's libresolve. -- Yarema From carton at Ivy.NET Wed Jan 21 17:51:28 2009 From: carton at Ivy.NET (Miles Nordin) Date: Wed, 21 Jan 2009 17:51:28 -0500 Subject: [nycbug-talk] dns abuse In-Reply-To: <49779C85.8010608@CoolRat.org> (Yarema's message of "Wed, 21 Jan 2009 17:07:01 -0500") References: <4974D32D.9070804@neuropunks.org> <3A46981C-9D17-48D1-9507-CB04A0A8A04E@exit2shell.com> <49774447.7090100@CoolRat.org> <46C39273-8A91-44C1-A149-2D6F72CBE22C@exit2shell.com> <497751C4.8090004@CoolRat.org> <49775776.x62kz5/DNJKLXfLO%akosela@andykosela.com> <49776F30.6050301@CoolRat.org> <49779C85.8010608@CoolRat.org> Message-ID: >>>>> "y" == Yarema writes: y> As far as dnssec, dynamic updates, IXFR not being supported, I y> currently don't have a need for any of them. I do. I also want the infrastructure in place, including at my friends' who are secondarying for me, so that when I want to do IPv6, dns-sd, or dynamic updates, it's not like running in molasses. But I'm already doing two of those things, so I'm unable to take djbdns secondaries. This DJB guy is going to completely fuck us when we start to get serious about dnssec, too. y> And it does come with axfrdns in case you need to support a y> BIND or what-have-you AXFR secondary. okay, well, welcome to 1992. BIND is already using IXFR even for flat-file zones, though. They seem to have some kind of dnsdiff thread built in there somewhere. And I do dynamic updates, so I need IXFR. y> In the case of this latest spoof attack it seems to me y> like everyone was scrambling for a way to disable answering y> the "." zone. Was everyone trying to figure out a way to y> violate "some standard" as a way of protecting their DNS y> servers? probably, yes. Both goals are semi-hysterical. y> So having said all that I'm now convinced that tinydns is y> doing the Right Thing(TM) by not replying to queries for the y> "." zone, because no one has any business asking my >> And it provides no real security because I can still do a query >> for something for which your server is authoritative and get it >> to amplify an attack. y> Doesn't this apply equally to any DNS server out there? yes, to any server including djbdns, which is my point. It's security through obscurity, possibly at the expense of standards-compliance (though possibly not. i'm still not sure whether it's a BIND bug, or an intentional feature complying to the letter of some standard or working around some resolver's corner case). y> The "crazed zealot" did deliver the library piece of the y> resolver: http://cr.yp.to/djbdns/blurb/library.html okay I guess I'm wrong. It's still mostly a wheel-reinvention, in that it preserves the BIND architecture of implementing a resolver through a stateless client stub library plus a recursive resolver. He's just stirring around the bowl full of dust a bit, arguing about the exact order to put function arguments or how to allocate memory. Even BIND's lwres is probably a more relevant re-invention than his. The Mac OS X and Solaris resolvers seem to include more client-side caching and an abstract interface that's not DNS-specific, is generic for looking up ``directory'' information or netinfo. In both cases they used this abstraction to move from their old directory protocols (NIS+ and Netinfo) to LDAP. and in Apple's case the hostname lookup part includes seamless dns-sd/zeroconf support which requires a lot of resolver state to be performant. I brought them up because they're more genuine examples of what it really means to separate the resolver from the server, and of what sorts of refactoring is possible once you do this---DNS caching gets mixed in with caching other directory data, and the API gets simpler and more powerful. DJB's separation is more just copying BIND and then applying a bunch of NIH ranting against it. not pointlessly, but it's just OCD screaming, not the actual creativity you can find among younger developers. That's why I think sysadmins should resist a temptation to idolize him, and sort of embrace all this bloated buggy modern crap a little more readily, learn how to recognize the good and bad among it, and exist in a world built from it. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 304 bytes Desc: not available URL: From max at neuropunks.org Wed Jan 21 18:10:32 2009 From: max at neuropunks.org (Max Gribov) Date: Wed, 21 Jan 2009 18:10:32 -0500 Subject: [nycbug-talk] dns abuse In-Reply-To: References: <4974D32D.9070804@neuropunks.org> <3A46981C-9D17-48D1-9507-CB04A0A8A04E@exit2shell.com> <49774447.7090100@CoolRat.org> <46C39273-8A91-44C1-A149-2D6F72CBE22C@exit2shell.com> <497751C4.8090004@CoolRat.org> <49775776.x62kz5/DNJKLXfLO%akosela@andykosela.com> <49776F30.6050301@CoolRat.org> <49779C85.8010608@CoolRat.org> Message-ID: <4977AB68.6010307@neuropunks.org> Miles Nordin wrote: >>>>>> "y" == Yarema writes: >>>>>> > > > y> In the case of this latest spoof attack it seems to me > y> like everyone was scrambling for a way to disable answering > y> the "." zone. Was everyone trying to figure out a way to > y> violate "some standard" as a way of protecting their DNS > y> servers? > > probably, yes. Both goals are semi-hysterical. > i dont believe it says anywhere that an auth dns server MUST answer to request for root zone - it only knows about the zones its authoritative for. If you dont want to declare a hint zone a master you can use views. i also think firewall/router level protection like throttling is a much better way to protect *my* servers - in this case, the victim's servers is what needs protection. its good etiquette not to participate in/amplify a ddos Check out the nanog threads on the subject: http://www.merit.edu/mail.archives/nanog/msg14428.html http://www.merit.edu/mail.archives/nanog/msg14429.html > y> So having said all that I'm now convinced that tinydns is > y> doing the Right Thing(TM) by not replying to queries for the > y> "." zone, because no one has any business asking my > > >> And it provides no real security because I can still do a query > >> for something for which your server is authoritative and get it > >> to amplify an attack. > > y> Doesn't this apply equally to any DNS server out there? > > yes, to any server including djbdns, which is my point. > > It's security through obscurity, possibly at the expense of > standards-compliance (though possibly not. i'm still not sure whether > it's a BIND bug, or an intentional feature complying to the letter of > some standard or working around some resolver's corner case). > > y> The "crazed zealot" did deliver the library piece of the > y> resolver: http://cr.yp.to/djbdns/blurb/library.html > > okay I guess I'm wrong. It's still mostly a wheel-reinvention, in > that it preserves the BIND architecture of implementing a resolver > through a stateless client stub library plus a recursive resolver. > He's just stirring around the bowl full of dust a bit, arguing about > the exact order to put function arguments or how to allocate memory. > Even BIND's lwres is probably a more relevant re-invention than his. > > The Mac OS X and Solaris resolvers seem to include more client-side > caching and an abstract interface that's not DNS-specific, is generic > for looking up ``directory'' information or netinfo. In both cases > they used this abstraction to move from their old directory protocols > (NIS+ and Netinfo) to LDAP. and in Apple's case the hostname lookup > part includes seamless dns-sd/zeroconf support which requires a lot of > resolver state to be performant. I brought them up because they're > more genuine examples of what it really means to separate the resolver > from the server, and of what sorts of refactoring is possible once you > do this---DNS caching gets mixed in with caching other directory data, > and the API gets simpler and more powerful. DJB's separation is more > just copying BIND and then applying a bunch of NIH ranting against it. > not pointlessly, but it's just OCD screaming, not the actual > creativity you can find among younger developers. That's why I think > sysadmins should resist a temptation to idolize him, and sort of > embrace all this bloated buggy modern crap a little more readily, > learn how to recognize the good and bad among it, and exist in a world > built from it. > > ------------------------------------------------------------------------ > > _______________________________________________ > talk mailing list > talk at lists.nycbug.org > http://lists.nycbug.org/mailman/listinfo/talk > From yds at CoolRat.org Wed Jan 21 20:21:23 2009 From: yds at CoolRat.org (Yarema) Date: Wed, 21 Jan 2009 20:21:23 -0500 Subject: [nycbug-talk] dns abuse In-Reply-To: References: <4974D32D.9070804@neuropunks.org> <3A46981C-9D17-48D1-9507-CB04A0A8A04E@exit2shell.com> <49774447.7090100@CoolRat.org> <46C39273-8A91-44C1-A149-2D6F72CBE22C@exit2shell.com> <497751C4.8090004@CoolRat.org> <49775776.x62kz5/DNJKLXfLO%akosela@andykosela.com> <49776F30.6050301@CoolRat.org> <49779C85.8010608@CoolRat.org> Message-ID: <4977CA13.7060505@CoolRat.org> Miles Nordin wrote: >>>>>> "y" == Yarema writes: > > y> As far as dnssec, dynamic updates, IXFR not being supported, I > y> currently don't have a need for any of them. > > I do. > > I also want the infrastructure in place, including at my friends' who > are secondarying for me, so that when I want to do IPv6, dns-sd, or > dynamic updates, it's not like running in molasses. But I'm already > doing two of those things, so I'm unable to take djbdns secondaries. > > This DJB guy is going to completely fuck us when we start to get > serious about dnssec, too. DJB is not shoving his software down anyone's throat. When DNSSEC becomes a serious requirement djbdns will either have to offer a solution or fall by the wayside. > y> And it does come with axfrdns in case you need to support a > y> BIND or what-have-you AXFR secondary. > > okay, well, welcome to 1992. BIND is already using IXFR even for > flat-file zones, though. They seem to have some kind of dnsdiff > thread built in there somewhere. And I do dynamic updates, so I need > IXFR. Well, the time stamp on djbdns sources is Feb 11, 2001. That probably predates IXFR. and the reason I haven't even looked at IXFR is because I use djbdns + rsync-over-ssh to push/pull updates. Circular argument, I know. Seems to me that AXFR/IXFR both exist because BIND loads it's entire zones into memory. Therefore rsync is not a viable option when using BIND. So they needed to reinvent what rsync does. This is where I do like the djbdns approach, everything is always read from the data.cdb file. CDB is optimized exclusively for read access and guarantees that each record will be read in at most two disk accesses. There's never any need to reload the zones. This makes rsync perfectly viable for pushing/pulling changes. I also like the the ldapdns approach. It's using a threaded core and the development version does not even rely on OpenLDAP libraries. So it claims to "outperform bind and djbdns on medium to large installations, and will scale well both up and down. ...because it queries the ldap server directly, updates are immediate. you don't have to rebuild constant databases, or wait for bind to get it's shit in gear." Again AFXR/IFXR become irrelevant. Even the rsync approach falls by the wayside. For redundancy you have master/slave ldapdns servers talking to the one or more backend LDAP server(s). > y> In the case of this latest spoof attack it seems to me > y> like everyone was scrambling for a way to disable answering > y> the "." zone. Was everyone trying to figure out a way to > y> violate "some standard" as a way of protecting their DNS > y> servers? > > probably, yes. Both goals are semi-hysterical. > > y> So having said all that I'm now convinced that tinydns is > y> doing the Right Thing(TM) by not replying to queries for the > y> "." zone, because no one has any business asking my > > >> And it provides no real security because I can still do a query > >> for something for which your server is authoritative and get it > >> to amplify an attack. > > y> Doesn't this apply equally to any DNS server out there? > > yes, to any server including djbdns, which is my point. > > It's security through obscurity, possibly at the expense of > standards-compliance (though possibly not. i'm still not sure whether > it's a BIND bug, or an intentional feature complying to the letter of > some standard or working around some resolver's corner case). I don't know if it's a BIND "bug" rather it seems like a byproduct of having the authoritative server and caching resolver be part of the same app. And putting the burden on admins to craft their configs to seperate the two functionalities. The djb approach avoids the issue by having separate server for each functionality. This djb approach can be implemented without djbdns. If, as you pointed out, the OS has a caching resolver like OS X or Solaris, then dropping in ldapdns offers up the same division of labor solution of not putting the burden on the (possibly clueless) admin to secure his config. All this without any djb written software. As for the "security through obscurity" argument. Now that I've thought about it I do not believe it applies with this attack. If the attacker sends queries to which my server replies because it is authoritative for that zone -- then only my servers will be "flooding" the spoofed address. It stops being a DDoS attack because no one else's servers will respond to such queries and therefore the victim's spoofed address will not be flooded like it is with a query for the "." zone. Queries for com, org, net, &c. &c. zones also do not get amplified by a server not set up as authoritative for those zones. The more I think about it the more it seems like an exploit of the fact that many BIND servers do not properly configure the split between serving authoritative records and resolving/caching. > y> The "crazed zealot" did deliver the library piece of the > y> resolver: http://cr.yp.to/djbdns/blurb/library.html > > okay I guess I'm wrong. It's still mostly a wheel-reinvention, in > that it preserves the BIND architecture of implementing a resolver > through a stateless client stub library plus a recursive resolver. > He's just stirring around the bowl full of dust a bit, arguing about > the exact order to put function arguments or how to allocate memory. > Even BIND's lwres is probably a more relevant re-invention than his. > > The Mac OS X and Solaris resolvers seem to include more client-side > caching and an abstract interface that's not DNS-specific, is generic > for looking up ``directory'' information or netinfo. In both cases > they used this abstraction to move from their old directory protocols > (NIS+ and Netinfo) to LDAP. and in Apple's case the hostname lookup > part includes seamless dns-sd/zeroconf support which requires a lot of > resolver state to be performant. I brought them up because they're > more genuine examples of what it really means to separate the resolver > from the server, and of what sorts of refactoring is possible once you > do this---DNS caching gets mixed in with caching other directory data, > and the API gets simpler and more powerful. DJB's separation is more > just copying BIND and then applying a bunch of NIH ranting against it. > not pointlessly, but it's just OCD screaming, not the actual > creativity you can find among younger developers. That's why I think > sysadmins should resist a temptation to idolize him, and sort of > embrace all this bloated buggy modern crap a little more readily, > learn how to recognize the good and bad among it, and exist in a world > built from it. I agree with the broader sentiment that people should resist idolizing. Period. If a tool solves the problem at hand use it. Something better comes along or you outgrow the tool you've been using, move on. Without sentiment. There are plenty of artists who's work I like even though I might think the author/creator of that work is a douchebag. I don't really care if djb is a douchebag or not. Some of the stuff he released is top notch, like the djbfft library used by some opensource multimedia projects. cdb is pretty kick ass and in this case tinycdb seems like the preferred implementation, both faster and cleaner API than djb's own. Maildir is still widely used by many non djb servers. It's easy to say that djb's stuff is long in the tooth. It is. A lot of it has not seen an update in years. And a lot of it should be abandoned in favor of more modern approaches. Having read djb's "Some thoughts on security after ten years of qmail 1.0" paper http://cr.yp.to/qmail/qmailsec-20071101.pdf I realized that, simply put, he's a mathematics professor, with an ability to write his own replacements for software he finds inadequate AT THE TIME. The "at the time" bit seems to be missed by both djb zealots and detractors alike. He seems to have little interest in building any sort of community around what he's written. He just puts it out there, and moves on, updating the documentation once in a while. Or just teaching his courses. Chances are he never would have written qmail if Postfix was already around. In the same spirit as the points you've made above, djb seems to say "there's a better way". And he writes code to show what he means by that. NOW there often is a better way other than djb's. Sometimes as a direct result of the direction djb pointed out. At the time he was making his statement by coding an alternate solution there often was no better alternative. djbdns was written mostly in response to BIND 4.x.x. The fact that it's still useful and secure today speaks to the fact that he did something right. Comparing djbdns to BIND 9's features is just out of context. BIND has continued to evolve reinventing itself several times in the process. djbdns is pretty much the same today as it was 10 years ago. -- Yarema From yds at CoolRat.org Wed Jan 21 20:34:49 2009 From: yds at CoolRat.org (Yarema) Date: Wed, 21 Jan 2009 20:34:49 -0500 Subject: [nycbug-talk] dns abuse In-Reply-To: <4974D32D.9070804@neuropunks.org> References: <4974D32D.9070804@neuropunks.org> Message-ID: <4977CD39.2090307@CoolRat.org> Max Gribov wrote: > Hi all, > saw a huge spike in root zone ns queries on my servers starting this > friday 16th > Heres a sample log: > 19-Jan-2009 14:19:14.565 client 69.50.x.x#63328: query: . IN NS + > 19-Jan-2009 14:19:15.689 client 76.9.x.x#35549: query: . IN NS + > 19-Jan-2009 14:19:21.257 client 76.9.x.x#9389: query: . IN NS + > > some machines query as often as 20-30 times a minute. No idea why this > would be happening, doesnt look like legitimate traffic to me.. > Is anyone else experiencing this? > > If you're having same issue, you can do this in pf to throttle it a bit: > pass in quick on $ext inet proto udp from any to port 53 keep > state (max-src-states 1) Max, looking to implement your throttling rule I noticed http://www.openbsd.org/faq/pf/filter.html#udpstate says: ~~~~~~~~~~~~~~ This option enables the tracking of number of states created per source IP address. This option has two formats: * - The maximum number of states created by this rule is limited by the rule's and options. Only state entries created by this particular rule count toward the rule's limits. * - The number of states created by all rules that use this option is limited. Each rule can specify different and options, however state entries created by any participating rule count towards each individual rule's limits. The total number of source IP addresses tracked globally can be controlled via the runtime option. ... number When the option is used, will limit the number of simultaneous state entries that can be created per source IP address. The scope of this limit (i.e., states created by this rule only or states created by all rules that use ) is dependent on the option specified. ~~~~~~~~~~~~~~ I read this to mean that to use one must also use one of the two formats. That said, shouldn't your rule read as follows? pass in quick on $ext inet proto udp from any to port 53 keep state (source-track rule, max-src-states 1) -- Yarema From akosela at andykosela.com Thu Jan 22 03:00:54 2009 From: akosela at andykosela.com (Andy Kosela) Date: Thu, 22 Jan 2009 09:00:54 +0100 Subject: [nycbug-talk] dns abuse In-Reply-To: <4977CA13.7060505@CoolRat.org> References: <4974D32D.9070804@neuropunks.org> <3A46981C-9D17-48D1-9507-CB04A0A8A04E@exit2shell.com> <49774447.7090100@CoolRat.org> <46C39273-8A91-44C1-A149-2D6F72CBE22C@exit2shell.com> <497751C4.8090004@CoolRat.org> <49775776.x62kz5/DNJKLXfLO%akosela@andykosela.com> <49776F30.6050301@CoolRat.org> <49779C85.8010608@CoolRat.org> <4977CA13.7060505@CoolRat.org> Message-ID: <497827b6.vX+qj1ZpWYJ1OOmw%akosela@andykosela.com> Yarema wrote: > As for the "security through obscurity" argument. Now that I've thought > about it I do not believe it applies with this attack. If the attacker > sends queries to which my server replies because it is authoritative for > that zone -- then only my servers will be "flooding" the spoofed > address. It stops being a DDoS attack because no one else's servers > will respond to such queries and therefore the victim's spoofed address > will not be flooded like it is with a query for the "." zone. Queries > for com, org, net, &c. &c. zones also do not get amplified by a server > not set up as authoritative for those zones. The more I think about it > the more it seems like an exploit of the fact that many BIND servers do > not properly configure the split between serving authoritative records > and resolving/caching. Configuring "views" in BIND can help. Many servers at the same time are authoritative for some zones *and* need to provide recursive queries for some of its clients. Even if you disable recursion for most of the world, "." zone still get served. Yarema, that split you written about is indeed desirable in the current situation. --Andy From yds at CoolRat.org Thu Jan 22 08:55:44 2009 From: yds at CoolRat.org (Yarema) Date: Thu, 22 Jan 2009 08:55:44 -0500 Subject: [nycbug-talk] dns abuse In-Reply-To: <49780417.1080203@neuropunks.org> References: <4974D32D.9070804@neuropunks.org> <4977CD39.2090307@CoolRat.org> <4977F063.5050000@CoolRat.org> <49780417.1080203@neuropunks.org> Message-ID: <49787AE0.6010105@CoolRat.org> Max Gribov wrote: > Yarema wrote: >> Am I correct in interpreting that since >> a) my DNS servers return nothing when queried for "." >> > yup, i tried to query your server for the root zone and it times out. > as long as you know your server replies properly to legitimate > authoritative queries, you should be good > >> b) the throttling option allows only one state per src IP >> > yes, which i believe should be defined by > set timeout { udp.first 60, udp.single 30, udp.multiple 60 } > in pf.conf -- i did not experiment and totally assume this off the top > of my head though > >> c) given the above two states show only one packet of 45 bytes >> then it means I'm creating one state from the spoofed address, receiving >> the single 45 byte query packet and retuning nothing, thus not >> contributing to the DDoS, right? >> > yup, as long as you arent returning the full root zone, you arent really > contributing to the attack. > > as andy said though, because of the way dns and udp work, amplification > attacks are very simple to do. > downloading a full zone, such as the root zone, is a more efficient > attack than spoofing a reply for ip of www.yahoo.com, but given enough > spoofed requests for www.yahoo.com its probably also possible to ddos > someone.. Thanks, man. I just wanned to confirm I got my config buttoned down. Seems like I was never contributing to the DDoS, but without the max-src-states option you proposed it looked to me like _I_ was getting DDoSed cuz of the load it was putting on my authoritative server. Great solution to the problem at hand. You ought to post it on the ISC page about the attack, since you came up with it. From carton at Ivy.NET Thu Jan 22 08:58:09 2009 From: carton at Ivy.NET (Miles Nordin) Date: Thu, 22 Jan 2009 08:58:09 -0500 Subject: [nycbug-talk] dns abuse In-Reply-To: <4977CA13.7060505@CoolRat.org> (Yarema's message of "Wed, 21 Jan 2009 20:21:23 -0500") References: <4974D32D.9070804@neuropunks.org> <3A46981C-9D17-48D1-9507-CB04A0A8A04E@exit2shell.com> <49774447.7090100@CoolRat.org> <46C39273-8A91-44C1-A149-2D6F72CBE22C@exit2shell.com> <497751C4.8090004@CoolRat.org> <49775776.x62kz5/DNJKLXfLO%akosela@andykosela.com> <49776F30.6050301@CoolRat.org> <49779C85.8010608@CoolRat.org> <4977CA13.7060505@CoolRat.org> Message-ID: >>>>> "y" == Yarema writes: y> When DNSSEC becomes a serious requirement djbdns will either y> have to offer a solution or fall by the wayside. good plan. Make obstructionist criticisms during the standards process. Ignore the result and let others do the implementation work. Call the result bloated and confusing. successful, but not very foreward-thinking or neighborly. y> ldapdns won't support dns-sd if it can't write to LDAP. y> I don't know if it's a BIND "bug" rather it seems like a y> byproduct of having the authoritative server and caching y> resolver be part of the same app. you can turn off the caching resolver with a config option that many people use, so if it's not completely off when you turn it off, then that's a bug. But when the caching resolver is off, if you ask BIND anything it will reply telling you to go back and ask the root nameservers. This is its way of refusing to answer. so in that sense it's a corner case. In general, simply ignoring a query can have bad consequences, like in my recent thread about facebook ignoring queries for AAAA records, in combination with their gratuitously short load balancer timeouts, making the site almost unuseable for anyone who has IPv6 and a browser set to prefer it. Ignoring might be the best thing to do in this case. I'm just pointing out that there IS an argument on the other side, for giving replies of some kind to bad queries---recursive resolvers are designed to use DNS's redundancy and can answer queries much more quickly if they don't have to wait on timeouts when servers are pissed at them. y> If the attacker sends queries to which my server y> replies because it is authoritative for that zone -- then only y> my servers will be "flooding" the spoofed address. yes you have to send different queries to each amplifier instead of sending the same one everywhere. This makes the attack tool harder to write, but certainly not impossible, hence ``security through obscurity.'' y> djbdns was written mostly in response to BIND 4.x.x. The fact y> that it's still useful and secure today speaks to the fact y> that he did something right. yeah that sounds fair to me. And I do feel lukewarm about these wippersnappers and their modern bloatware. (including LDAP :' ) -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 304 bytes Desc: not available URL: From yds at CoolRat.org Thu Jan 22 09:09:51 2009 From: yds at CoolRat.org (Yarema) Date: Thu, 22 Jan 2009 09:09:51 -0500 Subject: [nycbug-talk] dns abuse In-Reply-To: <49780505.4000109@neuropunks.org> References: <4974D32D.9070804@neuropunks.org> <4977CD39.2090307@CoolRat.org> <49780505.4000109@neuropunks.org> Message-ID: <49787E2F.7030003@CoolRat.org> Max Gribov wrote: > Yarema wrote: >> I read this to mean that to use one must also use one >> of the two formats. That said, shouldn't your rule read >> as follows? >> >> pass in quick on $ext inet proto udp from any to port 53 >> keep state (source-track rule, max-src-states 1) >> >> > hmm, i dont have the 'source-track rule' part and it seems to work fine > i got the max-src-states option from the pf.conf manpage yeah, the pf.conf manpage and the pf faq both say pretty much the same thing. Seems that max-src-states implies source-track, but the docs don't spell out which source-track format is implied. At least as far as I can tell. It really makes no difference if only one rule is using max-src-states. -- Yarema From dan at langille.org Thu Jan 22 11:41:36 2009 From: dan at langille.org (Dan Langille) Date: Thu, 22 Jan 2009 11:41:36 -0500 Subject: [nycbug-talk] dns abuse In-Reply-To: <49775776.x62kz5/DNJKLXfLO%akosela@andykosela.com> References: <4974D32D.9070804@neuropunks.org> <3A46981C-9D17-48D1-9507-CB04A0A8A04E@exit2shell.com> <49774447.7090100@CoolRat.org> <46C39273-8A91-44C1-A149-2D6F72CBE22C@exit2shell.com> <497751C4.8090004@CoolRat.org> <49775776.x62kz5/DNJKLXfLO%akosela@andykosela.com> Message-ID: <4978A1C0.5060107@langille.org> Andy Kosela wrote: > Yarema wrote: > >> I was seeing the same sort of high load from >> >> 66.230.128.15 >> 66.230.160.1 >> 69.50.142.11 >> 69.50.142.110 >> 76.9.16.171 >> 76.9.31.42 >> >> as Max originally reported. So since I'm not returning anything to the >> "." query yet I am getting hit with repeated queries from the IPs above, >> doesn't it stand to reason that my servers are the ones getting DDoSed >> and not the other way around? > > Those source ip's are spoofed. Dan's link can be helpful: > > http://isc.sans.org/diary.html?storyid=5713 > > As I understand it, there is no "proper" way to fix it in BIND9. FWIW, I was running a bind from base under FreeBSD 6.3. Upgrading to bind in ports allowed that box to pass the test in question. Other boxes, running 7.x passed the test. I compared the named.conf files from the various boxes. There was nothing significant in the configuration differences. -- Dan Langille BSDCan - The Technical BSD Conference : http://www.bsdcan.org/ PGCon - The PostgreSQL Conference: http://www.pgcon.org/ From slynch2112 at me.com Thu Jan 22 13:00:28 2009 From: slynch2112 at me.com (Siobhan Lynch) Date: Thu, 22 Jan 2009 13:00:28 -0500 Subject: [nycbug-talk] OFFTOPIC - Cisco Help Message-ID: <4A35036A-EB23-4373-9C04-8F220DB1B8B8@me.com> S anyone here decent at PIX configuration? I have a weird NAT issue I need to get working, its somewhat simple, but I'm not as well versed in Cisco NAT/PAT as I'd be with the BSD equivalents. Please contact me offlist -Trish From akosela at andykosela.com Mon Jan 26 06:18:33 2009 From: akosela at andykosela.com (Andy Kosela) Date: Mon, 26 Jan 2009 12:18:33 +0100 Subject: [nycbug-talk] dns abuse In-Reply-To: <497827b6.vX+qj1ZpWYJ1OOmw%akosela@andykosela.com> References: <4974D32D.9070804@neuropunks.org> <3A46981C-9D17-48D1-9507-CB04A0A8A04E@exit2shell.com> <49774447.7090100@CoolRat.org> <46C39273-8A91-44C1-A149-2D6F72CBE22C@exit2shell.com> <497751C4.8090004@CoolRat.org> <49775776.x62kz5/DNJKLXfLO%akosela@andykosela.com> <49776F30.6050301@CoolRat.org> <49779C85.8010608@CoolRat.org> <4977CA13.7060505@CoolRat.org> <497827b6.vX+qj1ZpWYJ1OOmw%akosela@andykosela.com> Message-ID: <497d9c09./EMOI3B2K1So7aum%akosela@andykosela.com> DNS-OARC issued an official statement regarding recent "." attacks. https://www.dns-oarc.net/oarc/articles/upward-referrals-considered-harmful Nothing new here though. Those who followed the discussion probably already configured their servers to at least issue REFUSED status in reply to a "." query. --Andy From chsnyder at gmail.com Mon Jan 26 12:30:32 2009 From: chsnyder at gmail.com (csnyder) Date: Mon, 26 Jan 2009 12:30:32 -0500 Subject: [nycbug-talk] dns abuse In-Reply-To: <497d9c09./EMOI3B2K1So7aum%akosela@andykosela.com> References: <4974D32D.9070804@neuropunks.org> <497751C4.8090004@CoolRat.org> <49775776.x62kz5/DNJKLXfLO%akosela@andykosela.com> <49776F30.6050301@CoolRat.org> <49779C85.8010608@CoolRat.org> <4977CA13.7060505@CoolRat.org> <497827b6.vX+qj1ZpWYJ1OOmw%akosela@andykosela.com> <497d9c09./EMOI3B2K1So7aum%akosela@andykosela.com> Message-ID: On Mon, Jan 26, 2009 at 6:18 AM, Andy Kosela wrote: > DNS-OARC issued an official statement regarding recent "." attacks. > > https://www.dns-oarc.net/oarc/articles/upward-referrals-considered-harmful > > Nothing new here though. Those who followed the discussion probably > already configured their servers to at least issue REFUSED status in > reply to a "." query. > > --Andy Thanks for posting that. As a small-time operator I followed the discussion with interest but was waiting for someone to explain the best action to take, specifically, re bind. Now watching a trickle of refused requests for "." in the log, so that's satisfying. chris. From kacanski_s at yahoo.com Mon Jan 26 13:50:11 2009 From: kacanski_s at yahoo.com (Aleksandar Kacanski) Date: Mon, 26 Jan 2009 10:50:11 -0800 (PST) Subject: [nycbug-talk] Accusys ACS-61100-12H PCI Express SATA II RAID Card Message-ID: <667095.87393.qm@web53611.mail.re2.yahoo.com> maybe someone can help me here, I have problem finding three Accusys ACS-61100-12H PCI Express SATA II RAID Cards. Neweeg has one left and I can't find any ware else. Appreciated ... --Aleksandar (Sasha) Kacanski From attroppa at yahoo.com Tue Jan 27 07:59:54 2009 From: attroppa at yahoo.com (Evgueni Tzvetanov) Date: Tue, 27 Jan 2009 04:59:54 -0800 (PST) Subject: [nycbug-talk] Accusys ACS-61100-12H PCI Express SATA II RAID Card In-Reply-To: <667095.87393.qm@web53611.mail.re2.yahoo.com> Message-ID: <935512.91429.qm@web38104.mail.mud.yahoo.com> --- On Mon, 1/26/09, Aleksandar Kacanski wrote: > From: Aleksandar Kacanski > Subject: [nycbug-talk] Accusys ACS-61100-12H PCI Express SATA II RAID Card > To: talk at lists.nycbug.org > Date: Monday, January 26, 2009, 1:50 PM > maybe someone can help me here, > I have problem finding three Accusys ACS-61100-12H PCI > Express SATA II RAID Cards. Neweeg has one left and I > can't find any ware else. Appreciated ... > > --Aleksandar (Sasha) Kacanski > > > > > _______________________________________________ > talk mailing list > talk at lists.nycbug.org > http://lists.nycbug.org/mailman/listinfo/talk Try the Canadian web sites like: http://www.pricecanada.com/detail.php?product_id=580400 Also here: http://www.southbaypc.com/store/Hard_Drive_Controllers_RAID_Cards/Accusys_ACS_61100_12H_PCI_Express_SATA_II_RAID_Card.asp From kacanski_s at yahoo.com Tue Jan 27 21:33:57 2009 From: kacanski_s at yahoo.com (Aleksandar Kacanski) Date: Tue, 27 Jan 2009 18:33:57 -0800 (PST) Subject: [nycbug-talk] Accusys ACS-61100-12H PCI Express SATA II RAID Card References: <935512.91429.qm@web38104.mail.mud.yahoo.com> Message-ID: <865480.97317.qm@web53608.mail.re2.yahoo.com> Try the Canadian web sites like: http://www.pricecanada.com/detail.php?product_id=580400 Also here: http://www.southbaypc.com/store/Hard_Drive_Controllers_RAID_Cards/Accusys_ACS_61100_12H_PCI_Express_SATA_II_RAID_Card.asp Thanks, before I posted questions I tried both of those links and they converge to newegg which has only one card left. I even talked to vendor and their official seller but no go. Finally today I decided to go with 16 vs. 12 port cards. It is not much more money wise. Thanks much --sasha From jkeen at verizon.net Tue Jan 27 19:58:00 2009 From: jkeen at verizon.net (James E Keenan) Date: Tue, 27 Jan 2009 19:58:00 -0500 Subject: [nycbug-talk] Seek speaker on current state of *BSDs Message-ID: Those of you who see me at NYCBUG meetings may know that I am co- moderator of Perl Seminar NY (http://tech.groups.yahoo.com/group/ perlsemny), which meets monthly 8 out of 12 months per year. I'd like to see if there is anyone in NYCBUG who would be willing to make a presentation on the current state of the BSDs at perlsemny in one of our 3rd-Tuesday-of-the-month meetings between February and May. Many of our members know of BSD, but unless they're employed at a "BSD shop," their familiarity with BSD is likely to extend no farther than what's inside their Macs. Suggestions for what a presentation would cover might include: * What is the purpose of the major BSD flavors (Free, Open, Net)? How have their missions evolved over time? * What is the suitability of the various BSDs for servers, desktops and laptops? * To what extent is Darwin a BSD? And, of course, ... * What are the major differences between BSD and that other open source operating system? Both in terms of the code itself and the culture and community surrounding each? (Feel free to cop freely from the collective works of Jason Dixon!) Anyone interested? Please contact me at jkeen at verizon dot net. Thanks. Jim Keenan From ike at lesmuug.org Wed Jan 28 10:25:17 2009 From: ike at lesmuug.org (Isaac Levy) Date: Wed, 28 Jan 2009 10:25:17 -0500 Subject: [nycbug-talk] jsch, java ssh? Message-ID: <23EA3A64-715B-4702-84AE-DB45F41B8F89@lesmuug.org> Hi All, I'm wondering if anyone here has heard of JSch, (a native java ssh implimentation). http://www.jcraft.com/jsch/index.html Good or bad, I find myself dealing with vendor sw which relies on it- so I'm trying to learnin about it's history. It seems, in the Java world, I'm told everyone uses this library, it's the de-facto. Additionally, popular things like the Eclipse IDE use it. What do folks here think about completely non-openssh ssh implementations, let alone one in Java? I mean, I can see positive and negative aspects right off the bat... but the shock of a pure- java ssh is still sinking in... Rocket, .ike From thenorthsecedes at gmail.com Wed Jan 28 10:39:35 2009 From: thenorthsecedes at gmail.com (Eric Lee) Date: Wed, 28 Jan 2009 10:39:35 -0500 Subject: [nycbug-talk] jsch, java ssh? In-Reply-To: <23EA3A64-715B-4702-84AE-DB45F41B8F89@lesmuug.org> References: <23EA3A64-715B-4702-84AE-DB45F41B8F89@lesmuug.org> Message-ID: <5AF1233F-3C86-4153-A155-975220B4EBF7@gmail.com> On Jan 28, 2009, at 10:25 AM, Isaac Levy wrote: > Hi All, > > I'm wondering if anyone here has heard of JSch, (a native java ssh > implimentation). > > http://www.jcraft.com/jsch/index.html > I've only used it to scp files to and from hosts over the net, in ant and in standalone apps. But it does that well enough. > Good or bad, I find myself dealing with vendor sw which relies on it- > so I'm trying to learnin about it's history. > It seems, in the Java world, I'm told everyone uses this library, it's > the de-facto. Additionally, popular things like the Eclipse IDE use > it. > Interactive sessions, X forwarding, running a socks proxy and many of the other features you get with original recipe ssh I've never tried using it - but I get the impression that it's really not meant for that. -Eric From ike at lesmuug.org Wed Jan 28 11:01:51 2009 From: ike at lesmuug.org (Isaac Levy) Date: Wed, 28 Jan 2009 11:01:51 -0500 Subject: [nycbug-talk] jsch, java ssh? In-Reply-To: <5AF1233F-3C86-4153-A155-975220B4EBF7@gmail.com> References: <23EA3A64-715B-4702-84AE-DB45F41B8F89@lesmuug.org> <5AF1233F-3C86-4153-A155-975220B4EBF7@gmail.com> Message-ID: <40DBC187-A82A-4859-AC64-6BD9FCC77887@lesmuug.org> Thanks Eric, On Jan 28, 2009, at 10:39 AM, Eric Lee wrote: > On Jan 28, 2009, at 10:25 AM, Isaac Levy wrote: > >> Hi All, >> >> I'm wondering if anyone here has heard of JSch, (a native java ssh >> implimentation). >> >> http://www.jcraft.com/jsch/index.html >> > > I've only used it to scp files to and from hosts over the net, in > ant and in standalone apps. But it does that well enough. That's *exactly* what it's being used for over here- automated scp of files, neatly using ssh keys and all. Also, for Eclipse, it's used to wrap cvs/svn access with ssh. So far, I'm somewhat counter-intuitively excited to see it working- I guess I'm trying to shake the nagging feeling from sad-sack experiences with vendor-supplied ssh, (ancient closed-source ssh V1 junk, was in PDU's... worst case scenario for junky software). This ssh implementation is at least open, (BSD Licensed even), and seems commonly/heavily used used? >> Good or bad, I find myself dealing with vendor sw which relies on it- >> so I'm trying to learnin about it's history. >> It seems, in the Java world, I'm told everyone uses this library, >> it's >> the de-facto. Additionally, popular things like the Eclipse IDE >> use it. >> > > Interactive sessions, X forwarding, running a socks proxy and many > of the other features you get with original recipe ssh I've never > tried using it - but I get the impression that it's really not meant > for that. > > -Eric Noted, thanks! Best, .ike From skreuzer at exit2shell.com Wed Jan 28 11:05:24 2009 From: skreuzer at exit2shell.com (Steven Kreuzer) Date: Wed, 28 Jan 2009 11:05:24 -0500 Subject: [nycbug-talk] Contract BSD Associate or Better Message-ID: Interesting FreeBSD Job Posting: http://taosecurity.blogspot.com/2009/01/contract-bsd-associate-or-better.html One of the things I found most interesting was that the level of experience the employer is looking for in a potential candidate is "BSD Associate of higher". This is the first time that I have seen a job posting that uses the BSD certification exam as a metric to gauge experience, which means that the exam is starting to gain creditability. -- Steven Kreuzer http://www.exit2shell.com/~skreuzer From drulavigne at sympatico.ca Wed Jan 28 11:13:13 2009 From: drulavigne at sympatico.ca (Dru Lavigne) Date: Wed, 28 Jan 2009 16:13:13 +0000 Subject: [nycbug-talk] Contract BSD Associate or Better In-Reply-To: Message-ID: >This is the first time that I have seen a job posting that uses the >BSD certification exam as a metric to gauge experience, which means >that the exam is starting to gain creditability. And a look at the linked-in profiles for those who have passed the exam (and joined the group) also adds to the credibility of the exam: http://www.linkedin.com/groups?viewMembers=&gid=1600807 On a semi-related note, those linked-in users who are interested in joining the general bsdcert interest group can do so here: http://www.linkedin.com/groups?gid=1600767 Cheers, Dru From rambiusparkisanius at gmail.com Wed Jan 28 12:20:24 2009 From: rambiusparkisanius at gmail.com (Ivan "Rambius" Ivanov) Date: Wed, 28 Jan 2009 12:20:24 -0500 Subject: [nycbug-talk] jsch, java ssh? In-Reply-To: <23EA3A64-715B-4702-84AE-DB45F41B8F89@lesmuug.org> References: <23EA3A64-715B-4702-84AE-DB45F41B8F89@lesmuug.org> Message-ID: <89ce7f740901280920h1c4fcc87wb96a0801b8ba5b1d@mail.gmail.com> Hello Ike, On Wed, Jan 28, 2009 at 10:25 AM, Isaac Levy wrote: > Hi All, > > I'm wondering if anyone here has heard of JSch, (a native java ssh > implimentation). > > http://www.jcraft.com/jsch/index.html > > Good or bad, I find myself dealing with vendor sw which relies on it- > so I'm trying to learnin about it's history. > It seems, in the Java world, I'm told everyone uses this library, it's > the de-facto. Additionally, popular things like the Eclipse IDE use it. > > What do folks here think about completely non-openssh ssh > implementations, let alone one in Java? I mean, I can see positive > and negative aspects right off the bat... but the shock of a pure- > java ssh is still sinking in... I am using jsch extensively in ant. It supports password and ssh keys authentication and I use it always with keys because otherwise you have to provide the password to your build script which breaks the automation. It has the ability to remotely execute commands and copy files using scp. Ant provides tasks for this - for executing a remote command and for copying files. If you provide more information on how you want to use jsch from java or ant, I may be able to give more details. Regards Rambius -- Tangra Mega Rock: http://www.radiotangra.com From drulavigne at sympatico.ca Wed Jan 28 20:10:22 2009 From: drulavigne at sympatico.ca (Dru Lavigne) Date: Thu, 29 Jan 2009 01:10:22 +0000 Subject: [nycbug-talk] shmoocon ticket Message-ID: I have an extra $100 shmoocon ticket. If anyone is interested, contact me off list. Cheers, Dru From matt at atopia.net Fri Jan 30 01:08:43 2009 From: matt at atopia.net (Matt Juszczak) Date: Fri, 30 Jan 2009 01:08:43 -0500 (EST) Subject: [nycbug-talk] Odd behavior on FreeBSD 6.3 box Message-ID: I have a simple webserver/mysql box that usually works fine. But tonight, I was seeing load averages in the 80's and 90's, incredibly high I/O wait, and perl in the top of the processlist using 80-90% of CPU. Seemed to be spamassassin related, but I also had a ton of apache processes running. I'm still looking to see if perhaps a website was being hammered, but in the meantime I noticed that I was getting this repeatedly (about once a second) in my http-access log: ::1 - - [30/Jan/2009:05:52:23 +0000] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.2.9 (FreeBSD) mod_ssl/2.2.9 OpenSSL/0.9.7e-p1 DAV/2 PHP/5.2.6 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.8.8 (internal dummy connection)" Does anyone know what that is (other than the fact that its a loopback dummy connection)? It seems to have stopped since I restarted postfix and apache. Thanks for any thoughts... -Matt From bonsaime at gmail.com Fri Jan 30 01:23:52 2009 From: bonsaime at gmail.com (Jesse Callaway) Date: Fri, 30 Jan 2009 01:23:52 -0500 Subject: [nycbug-talk] Odd behavior on FreeBSD 6.3 box In-Reply-To: References: Message-ID: On Fri, Jan 30, 2009 at 1:08 AM, Matt Juszczak wrote: > I have a simple webserver/mysql box that usually works fine. But tonight, > I was seeing load averages in the 80's and 90's, incredibly high I/O wait, > and perl in the top of the processlist using 80-90% of CPU. Seemed to be > spamassassin related, but I also had a ton of apache processes running. > > I'm still looking to see if perhaps a website was being hammered, but in > the meantime I noticed that I was getting this repeatedly (about once a > second) in my http-access log: > > ::1 - - [30/Jan/2009:05:52:23 +0000] "OPTIONS * HTTP/1.0" 200 - "-" > "Apache/2.2.9 (FreeBSD) mod_ssl/2.2.9 OpenSSL/0.9.7e-p1 DAV/2 PHP/5.2.6 > with Suhosin-Patch mod_perl/2.0.4 Perl/v5.8.8 (internal dummy connection)" > > > Does anyone know what that is (other than the fact that its a loopback > dummy connection)? It seems to have stopped since I restarted postfix and > apache. > > Thanks for any thoughts... > > -Matt > _______________________________________________ > talk mailing list > talk at lists.nycbug.org > http://lists.nycbug.org/mailman/listinfo/talk > Apache does this when it's trying to kill off threads. I forget exactly what brings you to this condition, but check out the MaxSpare, MinSpare, and all that stuff. Run 'httpd -M' i think to find out whether you are MPM prefork or the other other one, the knobs mean different things depending on which module is implemented. mod_perl shouldn't be invoking /usr/bin/perl as far as I know, so this and the Apache thing might be not directly related.... check that the cgi module isn't being used for anything just to clear that out. -jesse From brian.gupta at gmail.com Fri Jan 30 03:26:37 2009 From: brian.gupta at gmail.com (Brian Gupta) Date: Fri, 30 Jan 2009 03:26:37 -0500 Subject: [nycbug-talk] Puppet user meetup Feb 3rd at Gingerman 6:30pm In-Reply-To: <5b5090780901300025v2744255bkf33ed47a3b28eff3@mail.gmail.com> References: <5b5090780901300025v2744255bkf33ed47a3b28eff3@mail.gmail.com> Message-ID: <5b5090780901300026k143d9bc4j20d273a067e58aeb@mail.gmail.com> Please join as at Gingerman: http://www.gingerman-ny.com/ Map here: http://www.gingerman-ny.com/content/view/26/82/ Please note if you plan to come, drop a note on puppet-nyc Google group: http://groups.google.com/group/puppet-nyc Thanks, Brian -- - Brian Gupta New York City user groups calendar: http://nyc.brandorr.com/