Internet Engineering Task Force (IETF) J. Abley
Request for Comments: 6305 ICANN
Category: Informational W. Maton
ISSN: 2070-1721 NRC-CNRC
July 2011
I'm Being Attacked by PRISONER.IANA.ORG!
Abstract
Many sites connected to the Internet make use of IPv4 addresses that
are not globally unique. Examples are the addresses designated in
RFC 1918 for private use within individual sites.
Hosts should never normally send DNS reverse-mapping queries for
those addresses on the public Internet. However, such queries are
frequently observed. Authoritative servers are deployed to provide
authoritative answers to such queries as part of a loosely
coordinated effort known as the AS112 project.
Since queries sent to AS112 servers are usually not intentional, the
replies received back from those servers are typically unexpected.
Unexpected inbound traffic can trigger alarms on intrusion detection
systems and firewalls, and operators of such systems often mistakenly
believe that they are being attacked.
This document provides background information and technical advice to
those firewall operators.
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Not all documents
approved by the IESG are a candidate for any level of Internet
Standard; see Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc6305.
Abley & Maton Informational [Page 1]
RFC 6305 I'm Being Attacked by PRISONER.IANA.ORG! July 2011
Copyright Notice
Copyright (c) 2011 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction and Target Audience . . . . . . . . . . . . . . . 3
2. Private-Use Addresses . . . . . . . . . . . . . . . . . . . . . 3
3. DNS Reverse Mapping . . . . . . . . . . . . . . . . . . . . . . 3
4. DNS Reverse Mapping for Private-Use Addresses . . . . . . . . . 4
5. AS112 Nameservers . . . . . . . . . . . . . . . . . . . . . . . 4
6. Inbound Traffic from AS112 Servers . . . . . . . . . . . . . . 5
7. Corrective Measures . . . . . . . . . . . . . . . . . . . . . . 5
8. AS112 Contact Information . . . . . . . . . . . . . . . . . . . 6
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6
10. Security Considerations . . . . . . . . . . . . . . . . . . . . 7
11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 7
12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 7
12.1. Normative References . . . . . . . . . . . . . . . . . . . 7
12.2. Informative References . . . . . . . . . . . . . . . . . . 7
Abley & Maton Informational [Page 2]
RFC 6305 I'm Being Attacked by PRISONER.IANA.ORG! July 2011
1. Introduction and Target Audience
Readers of this document may well have experienced an alarm from a
firewall or an intrusion-detection system, triggered by unexpected
inbound traffic from the Internet. The traffic probably appeared to
originate from one of several hosts discussed further below.
The published contacts for those hosts may well have suggested that
you consult this document.
If you are following up on such an event, you are encouraged to
follow your normal security procedures and take whatever action you
consider to be appropriate. This document contains information that
may assist you.
2. Private-Use Addresses
Many sites connected to the Internet make use of address blocks
designated in [RFC1918] for private use. One example of such
addresses is 10.1.30.20.
Because these ranges of addresses are used by many sites all over the
world, each individual address can only ever have local significance.
For example, the host numbered 192.168.18.234 in one site almost
certainly has nothing to do with a host with the same address located
in a different site.
3. DNS Reverse Mapping
The Domain Name System (DNS) [RFC1034] can be used to obtain a name
for a particular network address. The process by which this happens
is as follows:
1. The network address is rearranged in order to construct a name
that can be looked up in the DNS. For example, the IPv4 address
10.1.30.20 corresponds to the DNS name 20.30.1.10.IN-ADDR.ARPA.
2. A DNS query is constructed for that name, requesting a DNS record
of the type "PTR".
3. The DNS query is sent to a resolver.
4. If a response is received in response to the query, the answer
will typically indicate either the hostname corresponding to the
network address, or the fact that no hostname can be found.
This procedure is generally carried out automatically by software,
and hence is largely hidden from users and administrators.
Abley & Maton Informational [Page 3]
RFC 6305 I'm Being Attacked by PRISONER.IANA.ORG! July 2011
Applications might have reason to look up an IP address in order to
gather extra information for a log file, for example.
4. DNS Reverse Mapping for Private-Use Addresses
As noted in Section 2, private-use addresses have only local
significance. This means that sending queries out to the Internet is
not sensible: there is no way for the public DNS to provide a useful
answer to a question that has no global meaning.
Despite the fact that the public DNS cannot provide answers, many
sites have misconfigurations in the way they connect to the Internet;
this results in such queries relating to internal infrastructure
being sent outside the site. From the perspective of the public DNS,
these queries are junk -- they cannot be answered usefully and result
in unnecessary traffic being received by the nameservers which
underpin the operation of the reverse DNS (the so-called reverse
servers [RFC5855], which serve "IN-ADDR.ARPA").
To isolate this traffic and reduce the load on the rest of the
reverse DNS infrastructure, dedicated servers have been deployed in
the Internet to receive and reply to these junk queries. These
servers are deployed in many places in a loosely coordinated effort
known as the "AS112 project". More details about the AS112 project
can be found at
-- Leo's gemini proxy
-- Connecting to gemini.bortzmeyer.org:1965...
-- Connected
-- Sending request
-- Meta line: 20 text/plain
-- Response ended
-- Page fetched on Mon May 6 12:56:40 2024