[Dshield] NAV problems question

Brian Dessent brian at dessent.net
Fri Jan 9 04:53:59 GMT 2004


Paul Marsh wrote:
> 
> Still doesn't make much sense to me.  If that's the case then unplugging
> the network connection of a workstation should get the same results
> right?

No, what's happened is that Verisign had added three unrouteable
(10.x.x.x) 'A' records to crl.verisign.net, which is a round-robin
setup.  So if you resolve that hostname there's a 3 out of 7 chance that
you'll get one of these bogus IP addresses that can't exist on the
global internet (reserved for internal LANs).  But your client has to
try it and wait for it to time out.  The advantage to Verisign is that it
makes those attempts to contact that server fail without any cost to
them, which lessens their large load, which itself was caused by the
expiration of this cert.

The difference between this and the "unplug the cord" case is that in
this case the hostname lookup succeeds, and so the client program
dutifully tries to contact one of these 10.x.x.x addresses, which must
time out -- or in some cases it apparently caused some kind of DDOS to
internal services.  If the cord was unplugged the hostname lookup would
fail, or if that were somehow cached, the TCP/IP network interface would be
marked 'down' and the connect() call to that address would return an
error immediately.

However, it looks like they changed/fixed this, as I'm not seeing any
10.x.x.x addresses when I dig crl.verisign.net.

Brian
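
One defensive check a client could make before acting on such a lookup, as an added example that is not from the original post: the seven-address answer set is constructed to mirror the 3-of-7 case described above (it is not a real lookup of crl.verisign.net), and the non-routable ranges are listed explicitly as an assumption of what should never be a public server's address.

```python
# Screen DNS answers for addresses that cannot be reached from the public
# internet before a client spends a connect() timeout on them.
# Added example, not part of the original post; the answer set is constructed.
import ipaddress
import random
from typing import Iterable, Optional

# Ranges that should never be the address of a public server (RFC 1918,
# loopback, link-local, "this" network). Listed explicitly rather than using
# ip.is_global, which would also reject the documentation addresses used in
# the constructed sample below.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
)]

# Constructed round-robin answer set mirroring the post: 7 A records, 3 of
# them 10.x.x.x. Not a real lookup of crl.verisign.net.
SAMPLE_ANSWERS = [
    "198.51.100.10", "198.51.100.11", "198.51.100.12", "198.51.100.13",
    "10.1.1.1", "10.2.2.2", "10.3.3.3",
]

def is_bogus(addr: str) -> bool:
    """True if the address falls in one of the non-routable ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NON_ROUTABLE)


def split_routable(addrs: Iterable[str]) -> tuple:
    """Partition answers into (routable, bogus) lists, preserving order."""
    routable, bogus = [], []
    for a in addrs:
        (bogus if is_bogus(a) else routable).append(a)
    return routable, bogus


def chance_of_bogus_pick(addrs: Iterable[str]) -> float:
    """Probability that a naive client taking one answer at random from the
    round-robin response lands on an address that can only time out."""
    routable, bogus = split_routable(addrs)
    total = len(routable) + len(bogus)
    return len(bogus) / total if total else 0.0


def pick_connect_target(addrs: Iterable[str], rng=random) -> Optional[str]:
    """Hardened selection: drop non-routable answers, then choose among the
    rest. None means every answer was bogus: fail fast, no timeout."""
    routable, _ = split_routable(addrs)
    return rng.choice(routable) if routable else None
```

With the sample set, chance_of_bogus_pick returns 3/7, matching the odds described in the post, while pick_connect_target never hands a 10.x.x.x address to connect().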
