Notes

Informal notes taken by Geoff Huston - any inaccuracies are because I didn't hear it correctly! Apologies in advance if that's the case.

Sapphire Slammer Worm, Olaf Kolkman

Very aggressive worm with highly exponential growth characteristics. RIPE NCC is collecting data with TTM, RIS and Route Server monitoring. Very rapid onset. No major impact on the backbone. All the effects of the slammer worm were on the last hops of the network. The system as a whole was not impacted. http://www.ripe.net/ttm/worm/

TTM data shows around 40% of the monitored paths were affected. The one-way end-to-end delays were stable, while the traceroute timers showed delay increases in a number of cases. It appeared that the problems were heavily localized, with border routers and some customer connections impacted. The RIS data showed a 1 to 2 order of magnitude increase in announcements. The assumption is that there was a loss of control plane adjacencies, generating an adjacency reset in some cases. The perturbation was a rapid impact with some form of decay function in update rates to reach stability. Root server monitoring saw 2 root servers being affected, again due to localized issues. The servers did not die, but there was probably some localized congestion close to two root servers.

DNSQC-TF (DNS Quality Check Task Force) Update, Yasuhiro Orange Morishita

Objectives: to check and correct DNS misconfigurations under the .jp TLD. Started in 2002. Checks for lame delegations, inconsistent NS RRs, bad SOA/NS/MX records, use of private IP addresses, etc. The check code is 2,400 lines of Perl, using dig to send queries (serially). The serial version takes 2 days for 400,000 zones, so this will be altered to a parallel mode of behaviour. They are seeing some 38% of zones with errors, with 25% being NS inconsistencies and 17% with lame delegations. They are looking at notification, continuous checking and sweeping lames and errors.

.KR DNS behaviours, George Michaelson

Speculative look at the Korean DNS traffic with the Slammer worm.

RIR stats, Axel Pawlik

Summary report on assignments and coordinated activities. Note rise in V6 allocations in the RIPE region for 2002. ERX transfer project underway. Report on APNIC policy work on IPv6 sparse allocation was noted as being referred to the policy mailer. ARIN is working on lame delegations, ERX, rwhois project, including integration with CRISP, and Cert Auth. RIPE is implementing sub-allocation policy, and the portable address task force is underway. Anycasting of K root has the proposal out and it will be taken from there.

DNS RTTs, as viewed from multiple sites, Nevil Brownlee

Gather DNS behaviour from multiple sites. Nevil's approach relies on passive traffic monitoring. Uses 3 observation meters (San Diego, Auckland, Boulder) with 9 weeks of accumulated data gathered so far. Very little correlation of data observed so far from the three sites. There are some regular spikes in delay for all 3 meters for some servers.

Sink Hole Deployments, Barry Raveendran Greene

Sink holes are proving to be valuable as a security tool. There are a lot of large volume DDoS attacks on the net, as well as the high rate worms. Is it time to rethink CIDR aggregation points? The current situation is that the ISP advertises the encompassing aggregate and this border router is the sink. In addition, the customer is pointing default to the access router, and the access router is the customer sink. Sink holes advertise dark IP addresses to target analyzers. The presentation advocates an internal architecture where there is deliberate redirection of unaddressed traffic to analyzers. The sink hole would be an anycast address. http://www.port111.com/docs. The issue is really an approach to data / control plane delineation in various ways. Part of the issue is the standard address architecture, where border routers are deployed as sinks and customer edges are sinks, and these two devices are vulnerable to various forms of scatter address attacks. Note that there is an overhead of network unreachable RFC 1812 compliance that should be turned off, with some IETF implications.

.br lame delegation control

Accept new delegations only with correctly configured servers, and sweep for lames. Software can check 350 delegations / second. This is achieving a 7% lame outcome through this proactive approach.
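
The delegation checks named in the DNSQC-TF and .br notes above (lame delegations, inconsistent NS RRsets, nameservers on private addresses), run concurrently rather than serially. This is an added example, not the task force's Perl code or the .br software; the zone names, replies and function names are constructed, and `canned_query` stands in for a real DNS query so the block runs offline.

```python
import ipaddress
from concurrent.futures import ThreadPoolExecutor

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def ns(zone, *hosts):
    # Helper for the sample data: nameserver names under a zone.
    return frozenset(f"{h}.{zone}" for h in hosts)

# Constructed sample data (not real zones): NS set held by the parent zone.
ZONES = ("good.example.jp", "lame.example.jp", "drift.example.jp")
DELEGATIONS = {z: ns(z, "ns1", "ns2") for z in ZONES}

# Constructed replies keyed by (zone, server): (AA flag, NS set the server
# returns, server address). A missing key models a server that never answers.
REPLIES = {
    ("good.example.jp", "ns1.good.example.jp"): (True, ns("good.example.jp", "ns1", "ns2"), "192.0.2.1"),
    ("good.example.jp", "ns2.good.example.jp"): (True, ns("good.example.jp", "ns1", "ns2"), "192.0.2.2"),
    ("lame.example.jp", "ns1.lame.example.jp"): (False, frozenset(), "192.0.2.3"),
    ("drift.example.jp", "ns1.drift.example.jp"): (True, ns("drift.example.jp", "ns1", "ns3"), "192.0.2.5"),
    ("drift.example.jp", "ns2.drift.example.jp"): (True, ns("drift.example.jp", "ns1", "ns2"), "10.0.0.53"),
}

def canned_query(zone, server):
    """Stand-in for a real non-recursive NS query sent to one listed server."""
    return REPLIES.get((zone, server))

def check_zone(zone, parent_ns, query):
    """Return sorted problem tags for one delegation."""
    problems = set()
    for server in parent_ns:
        reply = query(zone, server)
        if reply is None or not reply[0]:   # silent or non-authoritative: lame
            problems.add(f"lame:{server}")
            continue
        _, child_ns, addr = reply
        if child_ns != parent_ns:           # parent and child NS RRsets differ
            problems.add(f"ns-mismatch:{server}")
        if any(ipaddress.ip_address(addr) in net for net in RFC1918):
            problems.add(f"private-addr:{server}")
    return sorted(problems)

def check_all(delegations, query, workers=8):
    """Check zones concurrently instead of one serial query at a time."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        jobs = {z: pool.submit(check_zone, z, p, query) for z, p in delegations.items()}
        return {z: job.result() for z, job in jobs.items()}

if __name__ == "__main__":
    print(check_all(DELEGATIONS, canned_query))
```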