Folks - Paul Vixie is dead on here but the real problem is not DNS, but rather the routing protocols that allow this type of address forgery to be propagated. This is the subtle difference here and the biggest criminal here is that even with a forged DNS service, the real issue is still Cisco and its brethren for forcing the propagation of routing standards that are insecurable and indefensible - the other bad-guy here is the IETF for not being more in control or forcing issues of security to be ingrained into their protocols that they have or are in the process of making as standards. This is one of the greatest instances proving that the ICANN and the IETF themselves with their current management and format, are incompetent to build or enforce standards. If they had done their job properly and allowed external input or review of their efforts, then this never would have happened.

Just my personal 2 cents here.

Todd Glassey

----- Original Message -----
From: "Jim Fleming" <JimFleming@ameritech.net>
To: "'The IETF'" <ietf@ietf.org>; <chandley@ntia.doc.gov>; <nvictory@ntia.doc.gov>; <censslin@ntia.doc.gov>; <DEvans@doc.gov>
Cc: <yjpark@myepark.com>; <vivek@vivekdurai.com>; "Vittorio Bertola" <vb@vitaminic.net>; "todd glassey" <todd.glassey@worldnet.att.net>; "Richard Henderson" <richardhenderson@ntlworld.com>; "Kristy McKee" <k@widgital.com>; <karl@cavebear.com>; "Joop Teernstra" <terastra@terabytz.co.nz>; "Joanna Lane" <jo-uk@rcn.com>; <jefsey@jefsey.com>; <james.love@cptech.org>; <j.oppenheimer@att.net>; <icheckemail@indiatimes.com>; <ellen@rony.com>; "Elisabeth Porteneuve" <Elisabeth.Porteneuve@cetp.ipsl.fr>; "Alexander Svensson" <alexander@svensson.de>; "Joe Baptista" <baptista@dot-god.com>
Sent: Tuesday, August 13, 2002 7:04 AM
Subject: Why People Should NOT Depend on "Root Servers"

> http://www.merit.edu/mail.archives/nanog/msg02459.html
> gentlemen, stop your engines
>
> From: Paul Vixie
> Date: Mon Aug 12 12:07:20 2002
>
> --------------------------------------------------------------------------------
>
> after six reports that 192.5.5.241's address has been forged as the source
> of a tcp "fragmented scan" probe, i'm ready to have it stop. but just in
> case it doesn't, this is fair warning to the community: F's address is in
> unlawful use by as-yet-unidentified third parties.
>
> re:
>
> ------- Forwarded Message
>
> From: ...
> To: "'abuse@VIX.COM'" <abuse@VIX.COM>
> Subject: Unauthorized Fragmented Scan
> Date: Mon, 12 Aug 2002 06:56:08 -0700
>
> To whom it may concern,
>
> The Security Information & Analysis Center has detected an
> unauthorized scan against one of our networks that has a possible origin at
> 192.5.5.241.
>
> Please review the following initial information:
>
> IPHalfScan 08-11-2002 17:34:02 UTC 192.5.5.241:53 xxx.xxx.xxx.xxx:53 TCP
> IPHalfScan 08-11-2002 17:28:00 UTC 192.5.5.241:53 xxx.xxx.xxx.xxx:53 TCP
>
> Please take action to verify this address on your network
> and its intent to scan our networks. Thank you for your assistance.
>
> SECURITY INFORMATION AND ANALYSIS CENTER
> 1-877-...
>
> ------- End of Forwarded Message
>
>
> Modern DNS software finds the TLD Clusters, tracks them, and
> does not use ANY "root servers" (legacy or alt). People who rely
> on a dozen 32-bit IPv4 addresses to be coherently routed are fools,
> in my opinion. Any organization that promotes that type of structure
> and architecture as "secure" is perpetrating a fraud on unsuspecting
> users, who assume the system is stable and secure. Root servers are
> out of date, do not always track the TLD Cluster(s), do not support
> fail-over to back-up TLD Clusters, in cases of a major corporate
> failure. People continue to use them at their peril, yet clearly profit
> from telling people to use them.
>
> Jim Fleming
> 2002:[IPv4]:000X:03DB:...IPv8 is closer than you think...
> http://www.iana.org/assignments/ipv4-address-space
> http://www.ntia.doc.gov/ntiahome/domainname/130dftmail/unir.txt
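As an added example, not part of this thread or anyone's reply in it: the "routing lets a forged source propagate" point above is what ingress filtering (BCP 38, here modelled as strict unicast reverse-path forwarding) addresses at the network edge. The routing table, interface names and packets below are constructed for illustration; only 192.5.5.241 is taken from the forwarded report.

```python
import ipaddress

# Constructed routing table: prefix -> interface the route points out of.
# 192.5.5.0/24 (where 192.5.5.241, F's address, lives) is reachable only via
# the transit link, never via the customer-facing interface. The default
# route is treated like any other route here, a simplification of real gear.
ROUTES = {
    "0.0.0.0/0": "transit0",
    "192.5.5.0/24": "transit0",
    "203.0.113.0/24": "cust1",   # customer prefix (documentation range)
}

def best_route(src):
    """Longest-prefix match of src against ROUTES; returns the egress interface."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def strict_urpf_accept(src, ingress_iface):
    """Strict uRPF: accept only if the reverse path to src leaves via ingress_iface."""
    return best_route(src) == ingress_iface

# Constructed packets modelled on the report: (claimed source, ingress interface).
PACKETS = [
    ("192.5.5.241", "cust1"),    # forged: F's address arriving from a customer port
    ("203.0.113.7", "cust1"),    # legitimate customer source
    ("192.5.5.241", "transit0"), # reverse path matches, so it is not rejected here
]

def filter_packets(packets):
    """Return (src, ingress, verdict) for each packet under strict uRPF."""
    return [(src, iface, "accept" if strict_urpf_accept(src, iface) else "drop")
            for src, iface in packets]

if __name__ == "__main__":
    for row in filter_packets(PACKETS):
        print(*row)
```

The check only works where it is deployed: the forged packets in the report were dropped nowhere along their path, which is why the abuse report landed at the address owner rather than the originator's provider.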