Message: 5
Date: Wed, 31 Jan 2001 14:17:23 -0800
From: Marc MERLIN
To: svlug@svlug.org
Subject: [svlug] netsol is a bunch of fucking morons !!!
Sender: svlug-admin@lists.svlug.org
List-Archive:

But I'm sure you knew that already...

It's been a month and a half that I've been trying to get rid of that stupid
www.svlug.org host record
http://www.networksolutions.com/cgi-bin/whois/whois;?STRING=host+WWW7974-HST&STRING=Search

Of course, we never created that host record, it was created when svcs.net
and svcs.org were as they unfortunately specified www.svlug.org as a name
server (something I only found out about way later because there is no way
to know who's using your host record unless someone really high up at netsol
looks that up for you).

So, after moving svlug.org away from netsol (to opensrs), and noticing they
were still feeding www.svlug.org to the root name servers, I called them up
several times, having to dodge the clueless level 1 people who don't know
what a host record is or told me it was not their problem since they don't
serve svlug.org.

Eventually, they tell me about svcs.net which was very unfortunately
registered with www.svlug.org as a name server (instead of ns.svlug.org), I
move that over to opensrs (with the help of Chris who owned the domain to
click on the URL that opensrs sends you to confirm the domain move), fix the
name servers, and it still doesn't work.

Chris Dibona mentions to me that there is an svcs.org too (they could have
told me, but no...), so wash, rinse, and repeat...

Both domains are moved, name servers are fixed, wait a few days.
(so far so good, nothing in this process involves sending mail to their
stupid mail system which never works when I use it anyway, besides I don't
get the answers because after 10 years+, they still haven't fixed their
script to add a 'To:' field in the Email they send)

A week later, they're still feeding the bad data to the root name server.
Call them up 3 times, waste time to go through the clueless level 1 people,
get level 2 folks who kind of understand the problem but who are now "not
habilitated to do a reverse lookup on a host record" to see if any domain is
still using the bad host record.
I insist, ask for a supervisor, ask for someone who can do the damn lookup,
but no, no one is available.

- Why don't you send a host delete request?
- Well, if a domain is pointing to it, it won't work now, will it?
- Err yeah.
- And you can't tell me what is pointing to it if anything.
- Err no.

"Send us letterhead"
Yeah, as soon as I go to kinkos and make SVLUG letterhead, I'll do that.
"I'll send you the forms you need to fax"
I never get them because she misspelled my Email address and apparently
never got/saw the bounce from my mail server and insisted that it went
through.

Call again, get escalated again as soon as I confused the level 1 tech
enough.
Ok, this guy can actually confirm that nothing is pointing to www.svlug.org.

- But then why are you still feeding the bad IP to the root name servers?
- Because it's our database
- Grrrmm. Ok, look at this:
  http://www.networksolutions.com/cgi-bin/whois/whois;?STRING=host+ns2.merlins.org
  Notice the bad IP? Well, it stopped mattering the day I moved my domain to
  opensrs. If you have no domains pointing to a host record, you stop feeding
  that host record to the root name servers, as you should.
  Are you sure nothing whatsoever is pointing to it anymore?
- Yes.
- Ok, then why are you still feeding it to the root name servers
- Because it's in our database
- And why don't you do it for ns2.merlins.org?
- Errr.... Hold on. (wait) That's because the hostname is 'www'
- Let me get this straight. You're telling me that you continue to feed an
  orphaned host name record because it has 'www' in its name?
- Yes
- Aaaarrrrgggghhh! (eating desk)
- So what now?
- Ok, submit the deletion form by Email, get the tracking number, print this
  different form, add the tracking number on there, and fax it to us

Swell.
I fill the form
(http://www.networksolutions.com/en_US/makechanges/fax/hostform.html),
confirm:

"Domain Not Found!
"svlug.org" domain cannot be found in WHOIS Database. Please go back to the
previous screen and enter a valid domain name."
(of course, svlug.org was moved to opensrs)

Arggggh! I'm going to kill someone....

I printed the unconfirmed web form, added their error message and faxed all
that to two of their fax numbers.

As Rick was saying, their cluelessness allows for very nice denial of
service attacks (www.svlug.org has been unusable for 2 months now)

Let's wait and see some more.
(this was just to let you know that we are definitely working on solving the
problem, it's just taking a really long time (I've already wasted a good 10
hours of my time on this issue))

Marc
--
Microsoft is to operating systems & security ....
                                      .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/ | Finger marc_f@merlins.org for PGP key

--__--__--

Message: 7
Date: Wed, 31 Jan 2001 15:04:30 -0800
From: "Derek J. Balling"
Subject: Re: [svlug] netsol is a bunch of fucking morons !!!

At 2:17 PM -0800 1/31/01, Marc MERLIN wrote:
>As Rick was saying, their cluelessness allows for very nice denial of
>service attacks (www.svlug.org has been unusable for 2 months now)
>
>Let's wait and see some more.
>(this was just to let you know that we are definitely working on solving the
>problem, it's just taking a really long time (I've already wasted a good 10
>hours of my time on this issue))

I think you'll find the stupidity goes much much deeper, as I don't think
you've even reached someone possessing adequate clue yet.
[ where, below, $DOMAIN = svlug.org ]

According to my understanding of the "way things work", the only people who
can insert a host record into the root in $DOMAIN's zone (e.g., ns1.$DOMAIN,
www.$DOMAIN), is registrar_of($DOMAIN) [srs].

Confirm for me the following:

http://manage.opensrs.net/
[enter domain info, manage]
Click "Name Servers" at the bottom, click "Click Here"

Confirm for me that "www.svlug.org" does NOT appear in the resulting output.
I'd be willing to bet a six-pack of your favorite beverage that it does. I'd
further be willing to bet that one of the two following scenarios will be
the cause of the problem:

(a) you need to remove it from OpenSRS's database, so that they can stop
    inserting it into the records they own at the shared-registry, or
(b) there are still domains you know nothing about pointing at it, and thus
    it still cannot be deleted. These domains may (or may not) be with NSI,
    and their ability to tell you what they are would be extremely limited.

If you are able to delete it in SRS's database, rejoice, your work is
complete. If you're not able to delete it, I would suggest simply changing
the IP in SRS's database to the "proper" IP whilst you try to track down who
is still referencing it.

If someone wants to contact me offlist, I have some fairly decent contacts
at the various registrars and at NSI/Registry, and can try to track this
down fairly quickly.

D

--
+-------------------------+-----------------------------------------+
| dredd -at- megacity.org | "Conan! What is best in life?"          |
|  Derek J. Balling       | "To crush your enemies, see them        |
|                         |    driven before you, and to hear the   |
|                         |    lamentation of their women!"         |
+-------------------------+-----------------------------------------+

--__--__--

Message: 8
Date: Wed, 31 Jan 2001 07:53:44 -0800
From: Seth David Schoen
Subject: Re: [svlug] netsol is a bunch of fucking morons !!!

Marc MERLIN writes:

> But I'm sure you knew that already...
>
> It's been a month and a half that I've been trying to get rid of that stupid
> www.svlug.org host record
> http://www.networksolutions.com/cgi-bin/whois/whois;?STRING=host+WWW7974-HST&STRING=Search
>
> Of course, we never created that host record, it was created when svcs.net
> and svcs.org were as they unfortunately specified www.svlug.org as a name
> server (something I only found out about way later because there is no way
> to know who's using your host record unless someone really high up at netsol
> looks that up for you).

There used to be a way in whois, but I don't think it's worked lately.
You can double check in "whois help@whois.networksolutions.com"; I think
they took it out because they thought people would use it to facilitate
spam (?) or it would hurt their business.

> - Let me get this straight. You're telling me that you continue to feed an
>   orphaned host name record because it has 'www' in its name?
> - Yes
> - Aaaarrrrgggghhh! (eating desk)

I had a less extreme version of the same problem, trying to delete an A
record.

- If a domain is using that machine as an NS, you can't delete the record
  with a DELETE HOST (even if the domain isn't actually yours).

- If the IP address of the nameserver has changed, but the new IP address
  already has a hostname associated with it in the root zone, you can't
  change the IP address with a MODIFY HOST.

So in the case I had, we had to wait until the IP address changed again
(two years later!) before I could actually get the host record modified.
I _still_ can't delete it, even though the actual nameservers are elsewhere
now and we have no need for that record to remain in the root zone.

I do think this would work as a denial of service attack. Someone just
has to create a host record for www.microsoft.com by specifying that as
an NS. Right? And Microsoft's web server would be off the net _again_.

Does anybody want to try an experiment with this?
Anybody have a "spare" (non-production-use) domain and want to trade
simulated denial of service attacks with me (you try to break services in
my domain with my permission, I try to break services in your domain with
your permission)? If it works, it ought to be on BUGTRAQ or NANOG or a
newspaper so that NSI will _finally_ clean up this mechanism a little.

--
Seth David Schoen                      | And do not say, I will study when I
Temp.  http://www.loyalty.org/~schoen/ | have leisure; for perhaps you will
down:  http://www.loyalty.org/   (CAF) | not have leisure.  -- Pirke Avot 2:5

--__--__--

Message: 9
Date: Wed, 31 Jan 2001 15:40:39 -0800
From: "Derek J. Balling"
Subject: Re: [svlug] netsol is a bunch of fucking morons !!!

At 7:53 AM -0800 1/31/01, Seth David Schoen wrote:
>Does anybody want to try an experiment with this? Anybody have a "spare"
>(non-production-use) domain and want to trade simulated denial of service
>attacks with me (you try to break services in my domain with my permission,
>I try to break services in your domain with your permission)? If it works,
>it ought to be on BUGTRAQ or NANOG or a newspaper so that NSI will
>_finally_ clean up this mechanism a little.

Another DoS in this is for me to know that myhatedcompany.com has, say,
192.168.0.0/24 assigned to them, and for me to create

NS0.FUCKMYHATEDCOMPANY.MYDOMAIN.COM    192.168.0.0
NS1.FUCKMYHATEDCOMPANY.MYDOMAIN.COM    192.168.0.1
NS2.FUCKMYHATEDCOMPANY.MYDOMAIN.COM    192.168.0.2
...
NS255.FUCKMYHATEDCOMPANY.MYDOMAIN.COM  192.168.0.255

after which, the only way myhatedcompany.com can actually get DNS working
within their domain is to reference my (not-too-friendly-to-their-company)
nameservers.

This DoS doesn't require any effort or coordination at all (e.g., with the
common-name host-record (www.$DOMAIN) DoS, there is easy potential for the
victim to actually get the records removed.
With this, the attacker has direct control over the records in question,
and can deny any attempt to remove them, short of legal-action, etc. etc.,
often a time-consuming process.

D

--
+-------------------------+-----------------------------------------+
| dredd -at- megacity.org | "Conan! What is best in life?"          |
|  Derek J. Balling       | "To crush your enemies, see them        |
|                         |    driven before you, and to hear the   |
|                         |    lamentation of their women!"         |
+-------------------------+-----------------------------------------+

--__--__--

Message: 11
Date: Wed, 31 Jan 2001 17:21:14 -0800
From: Marc MERLIN
Subject: [svlug] Re: netsol and host records.

After a post to nanog, things are looking better.

----- Forwarded message from Marc MERLIN -----

Delivered-To: nanog-outgoing -at- merit.edu
Date: Wed, 31 Jan 2001 16:30:01 -0800
From: Marc MERLIN
Cc: nanog -at- merit.edu
Subject: Re: netsol and host records.

On Wed, Jan 31, 2001 at 03:59:56PM -0800, Carter, Gregory wrote:
> In your situation, you should be able to delete the nameserver host if
> it's not being relied upon by other domain names. They don't remove it
> automatically because they probably don't have any auditing tools coded to
> check on a regular basis whether or not a nameserver host is needed.
> They've always sent through the host records up to the root servers when
> you create them whether they are in use by a domain or not. Perhaps they
> should give OpenXRS a try.

I just found out (with help from other list subscribers) and indeed the
netsol host record is not being fed to the root servers anymore (since no
domain they own relies on it anymore), and that the bad host record had been
automatically moved to opensrs along with the svcs domains I moved.

While I did delete the www.svlug.org NS record from the two domains as soon
as they were moved, it was still left in opensrs's database as a host record
that I might want to use later.

William X.
Walsh pointed me to the "If you want to create or modify a nameserver which
is based on svlug.org click here" link at the bottom of the manage name
server page. Sure enough, the bad record was there, and I was able to get
rid of it with one mouseclick.

Without William, I'd never have realized that the host record had been moved
to opensrs:

magic(@va):~/Mail$ whois "host www.svlug.org" -h whois.opensrs.net
No match for HOST WWW.SVLUG.ORG
magic(@va):~/Mail$ whois "host 209.81.8.243" -h whois.opensrs.net
No match for HOST 209.81.8.243

I should have done this instead:

magic(@va):~/Mail$ whois www.svlug.org -h whois.internic.net
(...)
   Server Name: WWW.SVLUG.ORG
   IP Address: 209.81.8.243
   Registrar: TUCOWS.COM, INC.
   Whois Server: whois.opensrs.net
   Referral URL: www.opensrs.org

It's not very obvious, but oh well :-)
(Actually William just told me opensrs is in the process of fixing this)

Thanks to those who mailed me privately to offer several tips and help:
- Kevin Loch
- Scott Francis
- Troy Davis
- William X. Walsh
- Jeff

BTW, Troy Davis showed me that you can find out who's using your name
server, but apparently netsol folks don't seem to know about this :-)

magic(@va):~/Mail$ whois "server NS97718-HST" -h whois.networksolutions.com
(...)
Andover.net (FRESHMEAT-DOM)                        FRESHMEAT.NET
Patrick Lenz (UNKAPUTTBAR-DOM)                     UNKAPUTTBAR.ORG
Patrick Lenz (POOCS-DOM)                           POOCS.NET

The good news is that my problem is now fixed without depending on netsol at
all. Too bad I didn't know this before spending all the time on the phone
with them :-)

Thanks to all those who replied
Marc
--
Microsoft is to operating systems & security ....
                                      .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/ | Finger marc_f@merlins.org for PGP key

----- End forwarded message -----

--
Microsoft is to operating systems & security .... ....
what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/ | Finger marc_f@merlins.org for PGP key

--__--__--

_______________________________________________
svlug mailing list
svlug@lists.svlug.org
http://lists.svlug.org/mailman/listinfo/svlug

End of svlug Digest
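
Added example, not part of the original digest and not written by any of its posters: a Python audit of the situation the thread describes, where a registry host record under your zone stays published, cannot be deleted while any domain (yours or not) lists it as a name server, and may carry a stale IP. The `audit` function, its inputs, and every name, IP and registrar below are constructed assumptions; real input would come from registry whois lookups like the ones shown in Message 11.

```python
# Added example: audit host (glue) records registered under a zone you control.
# All names, IPs and registrars below are constructed, not taken from the thread.
from dataclasses import dataclass

@dataclass(frozen=True)
class HostRecord:
    name: str       # host record name held at the registry
    ip: str         # address the registry publishes for it
    registrar: str  # sponsoring registrar (whois "Registrar:" field)

def under_zone(name, zone):
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)

def audit(zone, host_records, delegations, expected_ips):
    """delegations: domain -> NS names; expected_ips: host -> IP you intend."""
    findings = {}
    for rec in host_records:
        host = rec.name.lower().rstrip(".")
        if not under_zone(host, zone):
            continue
        users = sorted(d for d, ns in delegations.items()
                       if host in {n.lower().rstrip(".") for n in ns})
        issues = []
        if not users:
            issues.append("orphaned")            # nothing delegates to it
        if any(not under_zone(d, zone) for d in users):
            issues.append("used-by-foreign-domain")
        if expected_ips.get(host) != rec.ip:
            issues.append("ip-mismatch")         # stale or unknown published IP
        findings[host] = {"registrar": rec.registrar, "used_by": users,
                          "deletable": not users,  # thread: DELETE HOST fails while in use
                          "issues": issues}
    return findings

ZONE = "example.org"
HOSTS = [HostRecord("NS.EXAMPLE.ORG", "192.0.2.53", "Registrar B"),
         HostRecord("WWW.EXAMPLE.ORG", "192.0.2.80", "Registrar B")]
EXPECTED = {"ns.example.org": "192.0.2.53", "www.example.org": "198.51.100.10"}
BEFORE = {"example.org": ["ns.example.org"],
          "club-a.example.net": ["www.example.org"],
          "club-b.example.com": ["WWW.EXAMPLE.ORG."]}
AFTER = {d: ["ns.example.org"] for d in BEFORE}  # foreign delegations corrected

if __name__ == "__main__":
    for label, deleg in (("before", BEFORE), ("after", AFTER)):
        for host, f in audit(ZONE, HOSTS, deleg, EXPECTED).items():
            print(label, host, f["registrar"], f["used_by"], f["issues"])
```

The "after" run shows the state Marc ended up in: the record is orphaned and deletable, but it remains on file with whichever registrar sponsors it until someone removes it there.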