[Dshield] IWF

Piet Barber pbarber at pietbarber.com
Wed Mar 12 18:51:18 GMT 2003

> Saw this reference to a NANOG message on the dnsop mailing list and was
> amused that someone had created the acronym:

Hey! That was my post on DNSop!  Small world. 

> <http://www.merit.edu/mail.archives/nanog/2002-05/msg01083.html>

> This was prompted by misconfigured firewalls blocking DNS replies to
> buggy resolvers and causing undue load on the root DNS servers:

> <http://www.cs.utk.edu/~moore/ID-PDF/draft-ietf-dnsop-bad-dns-res-00.pdf>

Hey that's my draft!  Small world.  :) 

We get mail about twice a week where somebody is angrily accusing us of 
hacking their network, when the IP address is clearly A root, the 
source port is clearly port 53, and the content is DNS. 

That is not to say that the bad guys aren't capable of spoofing the A
root's address to do probes identical to this. It just doesn't ever seem
to be the case. In a response, we identify the likely cause -- firewall
misconfiguration, and we almost always get a message shortly thereafter
saying something along the lines of:

"Sorry, You're right. Our problem. Bad firewall config" 
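The check described in this post (source is a root server, source port is 53, content is DNS) can be automated for firewall drop logs, so that the usual "blocked DNS reply to our own resolver" case is separated from anything that actually needs a look. The following is an added example, not code from the original message or from the DShield project. It assumes iptables-style `key=value` drop log lines with an extra `PAYLOAD=<hex>` field (stock iptables LOG output has no payload field; the hex would come from a capture taken beside the firewall), a placeholder root-server address set in the RFC 5737 documentation range, and constructed sample log lines.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Constructed placeholder: stands in for the real root-server addresses.
# Substitute the published root-servers.net addresses in practice.
ROOT_SERVER_ADDRS = {ipaddress.ip_address("192.0.2.4")}


@dataclass
class DropEvent:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    payload: bytes  # UDP payload captured alongside the drop (assumed field)


def parse_log_line(line: str) -> DropEvent:
    """Parse a constructed iptables-style 'key=value' drop log line."""
    fields: Dict[str, str] = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return DropEvent(
        src=fields["SRC"],
        sport=int(fields.get("SPT", 0)),
        dst=fields["DST"],
        dport=int(fields.get("DPT", 0)),
        proto=fields.get("PROTO", ""),
        payload=bytes.fromhex(fields.get("PAYLOAD", "")),
    )


def is_dns_response(payload: bytes) -> bool:
    """True if the payload carries a plausible DNS response header (QR=1)."""
    if len(payload) < 12:
        return False
    flags = int.from_bytes(payload[2:4], "big")
    qr = (flags >> 15) & 1          # 1 = response, 0 = query
    opcode = (flags >> 11) & 0xF    # 0 = standard query/response
    qdcount = int.from_bytes(payload[4:6], "big")
    return qr == 1 and opcode == 0 and qdcount >= 1


def classify(ev: DropEvent) -> str:
    """Label a drop: a DNS reply heading back to an ephemeral port, or other."""
    if ev.proto != "UDP":
        return "other"
    # Reply direction: from port 53 back to a client's ephemeral port.
    if ev.sport == 53 and ev.dport >= 1024 and is_dns_response(ev.payload):
        if ipaddress.ip_address(ev.src) in ROOT_SERVER_ADDRS:
            return "dropped-root-server-reply"
        return "dropped-dns-reply"
    return "other"


def triage(lines: List[str]) -> Dict[str, int]:
    """Count drop events per label; the root-reply bucket is the firewall bug."""
    counts: Dict[str, int] = {}
    for line in lines:
        label = classify(parse_log_line(line))
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample payloads: DNS header id=0x1234, qd=1, followed by the
# question www.example.com A IN. Flags 0x8180 is a response, 0x0100 a query.
RESPONSE_HEX = "123481800001000100000000" "03777777076578616d706c6503636f6d0000010001"
QUERY_HEX = "123401000001000000000000" "03777777076578616d706c6503636f6d0000010001"

# Constructed sample drop log lines; all addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = [
    f"DROP IN=eth0 SRC=192.0.2.4 DST=198.51.100.10 PROTO=UDP SPT=53 DPT=32768 PAYLOAD={RESPONSE_HEX}",
    f"DROP IN=eth0 SRC=192.0.2.4 DST=198.51.100.10 PROTO=UDP SPT=53 DPT=32768 PAYLOAD={RESPONSE_HEX}",
    f"DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=UDP SPT=53 DPT=32769 PAYLOAD={RESPONSE_HEX}",
    f"DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.10 PROTO=UDP SPT=4444 DPT=53 PAYLOAD={QUERY_HEX}",
    "DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.10 PROTO=TCP SPT=4444 DPT=22",
]

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A large `dropped-root-server-reply` count against a single internal address is the signature of the problem the draft describes: the firewall has no state for the outbound query, so every reply is dropped and the resolver keeps retrying. The fix is on the firewall (allow replies to the resolver's own queries, by connection tracking or an explicit rule for the resolver host), not a complaint to the root operator.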

