TOC |
|
Many sites connected to the Internet make use of IPv4 addresses which are not globally unique. Examples are the addresses designated in RFC1918 for private use within individual sites.
Hosts should never normally send DNS reverse mapping queries for those addresses on the public Internet. However, such queries are frequently observed. Authoritative servers are deployed to provide authoritative answers to such queries as part of a loosely-coordinated effort known as the AS112 project.
Since queries sent to AS112 servers are usually not intentional, the replies received back from those servers are typically unexpected. Unexpected inbound traffic can trigger alarms on intrusion detection systems and firewalls, and operators of such systems often mistakenly believe that they are being attacked.
This document provides background information and technical advice to those firewall operators.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as “work in progress.”
This Internet-Draft will expire on January 30, 2011.
Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
1.
Introduction and Target Audience
2.
Private-Use Addresses
3.
DNS Reverse Mapping
4.
DNS Reverse Mapping for Private-Use Addresses
5.
AS112 Nameservers
6.
Inbound Traffic from AS112 Servers
7.
Corrective Measures
8.
AS112 Contact Information
9.
IANA Considerations
10.
Security Considerations
11.
References
11.1.
Normative References
11.2.
Informative References
Appendix A.
Change History
§
Authors' Addresses
TOC |
Readers of this document may well have experienced an alarm from a firewall or an intrusion-detection system, triggered by unexpected inbound traffic from the Internet. The traffic probably appeared to originate from one of several hosts discussed further below.
The published contacts for those hosts may well have suggested that you consult this document.
If you are following up on such an event, you are encouraged to follow your normal security procedures and take whatever action you consider to be be appropriate. This document contains information which may assist you.
TOC |
Many sites connected to the Internet make use of address blocks designated in [RFC1918] (Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and E. Lear, “Address Allocation for Private Internets,” February 1996.) for private use. One example of such addresses is 10.1.30.20.
Because these ranges of addresses are used by many sites all over the world, each individual address can only ever have local significance. For example, the host numbered 192.168.18.234 in one site almost certainly has nothing to do with a host with the same address located in a different site.
TOC |
The Domain Name System (DNS) (Mockapetris, P., “Domain names - concepts and facilities,” November 1987.) [RFC1034] can be used to obtain a name for a particular network address. The process by which this happens is as follows:
This procedure is generally carried out automatically by software, and is hence largely hidden from users and administrators. Applications might have reason to look up an IP address in order to gather extra information for a log file, for example.
TOC |
As noted in Section 2 (Private-Use Addresses), private-use addresses have only local significance. This means that sending queries out to the Internet is not sensible: there is no way for the public DNS to provide a useful answer to a question which has no global meaning.
Despite the fact that the public DNS cannot provide answers, many sites have misconfigurations in the way they connect to the Internet which results in such queries relating to internal infrastructure being sent outside the site. From the perspective of the public DNS, these queries are junk -- they cannot be answered usefully and result in unnecessary traffic being received by the nameservers which underpin the operation of the public DNS (the so-called root servers which serve "IN-ADDR.ARPA").
To isolate this traffic, and reduce the load on the rest of the DNS infrastructure, dedicated servers have been deployed in the Internet to receive and reply to these junk queries. These servers are deployed in many places in a loosely-coordinated effort known as the "AS112 Project". More details about the AS112 Project can be found at http://www.as112.net/.
TOC |
The nameservers responsible for answering queries relating to private-use addresses are as follows:
A request sent to one of these servers will result in a response being returned to the client. The response will typically be a UDP datagram, although it's perfectly valid for requests to be made over TCP. In both cases the source port of packets returning to the site which originated the DNS request will be 53.
TOC |
Where firewalls or intrusion detection systems (IDS) are configured to block traffic received from AS112 servers, superficial review of the traffic may seem alarming to site administrators.
TOC |
A site which receives responses from one of the nameservers listed in Section 5 (AS112 Nameservers) is probably under no immediate danger, and the traffic associated with those responses probably requires no emergency action by the site concerned. However, this document cannot aspire to dictate the security policy of individual sites, and it is recognised that many sites will have perfectly valid policies which dictate that corrective measures should be taken to stop the responses from AS112 servers.
It should be noted, however, that the operators of AS112 nameservers which are generating the responses described in this document are not ultimately responsible for the inbound traffic received by the site: that traffic is generated in response to queries which are sent out from the site, and so the only effective measures to stop the inbound traffic is to prevent the original queries from being made.
Possible measures which might be taken to prevent these queries include:
TOC |
More information about the AS112 project can be found at http://www.as112.net/.
TOC |
The AS112 nameservers are all named under the domain IANA.ORG (see Section 5 (AS112 Nameservers)). The IANA is the organisation responsible for the coordination of many technical aspects of the Internet's basic infrastructure. The AS112 project nameservers provide a public service to the Internet which is sanctioned by and operated in loose coordination with the IANA.
This document makes no request of the IANA.
TOC |
The purpose of this document is to help site administrators properly identify traffic received from AS112 nodes, and to provide background information to allow appropriate measures to be taken in response to it.
Hosts should never normally send queries to AS112 servers: queries relating to private-use addresses should be answered locally within a site. Hosts which send queries to AS112 servers may well leak information relating to private infrastructure to the public network, which could represent a security risk.
TOC |
TOC |
[RFC1034] | Mockapetris, P., “Domain names - concepts and facilities,” STD 13, RFC 1034, November 1987 (TXT). |
[RFC1918] | Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and E. Lear, “Address Allocation for Private Internets,” BCP 5, RFC 1918, February 1996 (TXT). |
TOC |
[I-D.ietf-dnsop-as112-ops] | Abley, J. and W. Maton, “AS112 Nameserver Operations,” October 2009. |
[I-D.ietf-dnsop-default-local-zones] | Andrews, M., “Locally-served DNS Zones,” draft-ietf-dnsop-default-local-zones-13 (work in progress), April 2010 (TXT). |
TOC |
This section to be removed prior to publication.
- 00
- Initial draft, circulated as draft-jabley-as112-being-attacked-help-help-00 and reviewed at the DNSOP working group meeting at IETF 66.
- 00
- Document adopted by the DNSOP working group and renamed accordingly.
- 01
- Version number bump at request of wg chair.
- 02
- Updated pointer to DNSOP working group-adopted of Mark Andrew's full-service resolver zones, renamed to ietf-dnsop-default-local-zones.
- 02
- Updated author's addresses.
- 03
- Version number bump at request of dnsop chair.
- 04
- Version number bump at request of dnsop chair. Contact information section truncated to protect the innocent. Minor, non-substantive wordsmithing. References updated.
TOC |
Joe Abley | |
ICANN | |
4676 Admiralty Way, Suite 330 | |
Marina del Rey, CA 90292 | |
US | |
Phone: | +1 519 670 9327 |
Email: | joe.abley@icann.org |
William F. Maton Sotomayor | |
National Research Council of Canada | |
1200 Montreal Road | |
Ottawa, ON K1A 0R6 | |
Canada | |
Phone: | +1 613 993 0880 |
Email: | wmaton@ryouko.imsb.nrc.ca |