draft-ietf-dnsop-as112-under-attack-help-help-00.txt   draft-ietf-dnsop-as112-under-attack-help-help-01.txt 
Network Working Group J. Abley Network Working Group J. Abley
Internet-Draft Afilias Internet-Draft Afilias
Intended status: Informational W. Maton Intended status: Informational W. Maton
Expires: August 30, 2007 NRC-CNRC Expires: May 21, 2008 NRC-CNRC
February 26, 2007 November 18, 2007
I'm Being Attacked by PRISONER.IANA.ORG! I'm Being Attacked by PRISONER.IANA.ORG!
draft-ietf-dnsop-as112-under-attack-help-help-00 draft-ietf-dnsop-as112-under-attack-help-help-01
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
skipping to change at page 1, line 35 skipping to change at page 1, line 35
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on August 30, 2007. This Internet-Draft will expire on May 21, 2008.
Copyright Notice Copyright Notice
Copyright (C) The IETF Trust (2007). Copyright (C) The IETF Trust (2007).
Abstract Abstract
Many sites connected to the Internet make use of IPv4 addresses which Many sites connected to the Internet make use of IPv4 addresses which
are not globally unique. Examples are the addresses designated in are not globally unique. Examples are the addresses designated in
RFC1918 for private use within individual sites. RFC1918 for private use within individual sites.
skipping to change at page 9, line 19 skipping to change at page 9, line 19
the traffic may seem alarming to site administrators. the traffic may seem alarming to site administrators.
o Since requests directed ultimately to AS112 servers are usually o Since requests directed ultimately to AS112 servers are usually
triggered automatically by applications, review of firewall logs triggered automatically by applications, review of firewall logs
may indicate a large number of policy violations occurring over an may indicate a large number of policy violations occurring over an
extended period of time. extended period of time.
o Where responses from AS112 servers are blocked by firewalls, hosts o Where responses from AS112 servers are blocked by firewalls, hosts
will often retry, often with a relatively high frequency. This will often retry, often with a relatively high frequency. This
can cause inbound traffic to be misclassified as a denial-of- can cause inbound traffic to be misclassified as a denial-of-
service (DoS) attack. In some case the source ports used by service (DoS) attack. In some cases the source ports used by
individual hosts for successive retries increases in a predictable individual hosts for successive retries increase in a predictable
fashion (e.g. monotonically), which can cause the replies from the fashion (e.g. monotonically), which can cause the replies from the
AS112 server to resemble a port scan. AS112 server to resemble a port scan.
o A site administrator may attempt to perform active measurement of o A site administrator may attempt to perform active measurement of
the remote host in response to alarms raised by inbound traffic, the remote host in response to alarms raised by inbound traffic,
e.g. initiating a port scan in order to gather information about e.g. initiating a port scan in order to gather information about
the host which is apparently attacking the site. Such a scan will the host which is apparently attacking the site. Such a scan will
usually result in additional inbound traffic to the site usually result in additional inbound traffic to the site
performing the measurement, e.g. an apparent flood of ICMP performing the measurement, e.g. an apparent flood of ICMP
messages which may trigger additional firewall alarms and messages which may trigger additional firewall alarms and
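Review bot: In the bullet on blocked responses, the unchanged sentence "hosts will often retry, often with a relatively high frequency" repeats "often" and sits directly before the sentence this revision corrects ("In some cases ... increase"). Consider tightening it in the same pass, e.g. "hosts will often retry with a relatively high frequency". The number-agreement fix itself reads correctly.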
skipping to change at page 16, line 5 skipping to change at page 15, line 16
This section to be removed prior to publication. This section to be removed prior to publication.
00 Initial draft, circulated as 00 Initial draft, circulated as
draft-jabley-as112-being-attacked-help-help-00 and reviewed at the draft-jabley-as112-being-attacked-help-help-00 and reviewed at the
DNSOP working group meeting at IETF 66. DNSOP working group meeting at IETF 66.
00 Document adopted by the DNSOP working group and renamed 00 Document adopted by the DNSOP working group and renamed
accordingly. accordingly.
01 Version number bump at request of wg chair.
Authors' Addresses Authors' Addresses
Joe Abley Joe Abley
Afilias Canada Corp. Afilias Canada Corp.
Suite 204, 4141 Yonge Street Suite 204, 4141 Yonge Street
Toronto, ON M2P 2A8 Toronto, ON M2P 2A8
Canada Canada
Phone: +1 416 673 4176 Phone: +1 416 673 4176
Email: jabley@ca.afilias.info Email: jabley@ca.afilias.info
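Review bot: The new change-log entry "01 Version number bump at request of wg chair." does not record the wording corrections this revision also makes in the page 9 bullet ("In some cases", "increase"). Suggest noting the editorial fixes in the 01 entry. The two preceding entries are both labelled "00", so a short qualifier on each (individual draft versus working group draft) would make the history easier to follow.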
 End of changes. 5 change blocks. 
6 lines changed or deleted 8 lines changed or added
