26/03/2008, 03:11   #7
Grant Taylor
Re: relays.ordb.org blacklisting all IPs (fwd)

On 3/25/2008 5:33 PM, Res wrote:
> I already stated what they could do in my original post which of course
> you selectively did not quote, it is after all what 99% of all other
> defunct RBLs have done over the years.

On 3/25/2008 4:53 PM, Res wrote:
>> why can't these deadshits just drop the DNS entries

Ok, let's make sure that we understand each other. You are wanting the
deadshits to drop the DNS query traffic for their now defunct RBL, correct?

(Presuming yes.)

A simple TCPDump (tcpdump -xXnNi eth0 -s 0 host 87.51.32.6) while
querying (nslookup 127.0.0.2.relays.ordb.org 87.51.32.6) will shed some
light on the subject.

# tcpdump -xXnNi eth0 -s 0 host 87.51.32.6
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
20:01:18.959078 IP aaa.bbb.ccc.ddd.45560 > 87.51.32.6.53: 11470+ A?
127.0.0.2.relays.ordb.org. (43)
0x0000: 0030 7be8 cc1c 00e0 4c3a 9dee 0800 4500 .0{.....L:....E.
0x0010: 0047 0000 4000 4011 8290 ce98 7244 5733 .G..@.@.....rDW3
0x0020: 2006 b1f8 0035 0033 b85a 2cce 0100 0001 .....5.3.Z,.....
0x0030: 0000 0000 0000 0331 3237 0130 0130 0132 .......127.0.0.2
0x0040: 0672 656c 6179 7304 6f72 6462 036f 7267 .relays.ordb.org
0x0050: 0000 0100 01 .....
20:01:19.090749 IP 87.51.32.6.53 > aaa.bbb.ccc.ddd.45560: 11470*- 1/2/2
A 127.0.0.2 (160)
0x0000: 00e0 4c3a 9dee 0030 7be8 cc1c 0800 4500 ..L:...0{.....E.
0x0010: 00bc 7275 0000 3211 5da6 5733 2006 ce98 ..ru..2.].W3....
0x0020: 7244 0035 b1f8 00a8 2cdb 2cce 8500 0001 rD.5....,.,.....
0x0030: 0001 0002 0002 0331 3237 0130 0130 0132 .......127.0.0.2
0x0040: 0672 656c 6179 7304 6f72 6462 036f 7267 .relays.ordb.org
0x0050: 0000 0100 01c0 0c00 0100 0100 24ea 0000 ............$...
0x0060: 047f 0000 02c0 1d00 0200 0100 24ea 0000 ............$...
0x0070: 1005 6b6f 616c 6105 6472 6f73 6f02 646b ..koala.droso.dk
0x0080: 00c0 1d00 0200 0100 24ea 0000 1106 6175 ........$.....au
0x0090: 7468 3032 026e 7304 7465 6c65 c053 c047 th02.ns.tele.S.G
0x00a0: 0001 0001 0000 5460 0004 5733 2006 c047 ......T`..W3...G
0x00b0: 001c 0001 0000 5460 0010 2001 06c8 0006 ......T`........
0x00c0: 000c 020d 56ff fe6f f935 ....V..o.5

So based on this I'm going to say that the DNS query is 85 bytes. I'm
also going to say that the DNS reply is 202 bytes. (I'm not taking into
account that we will be sending things in 64 byte segments on
Ethernet so these numbers will possibly even be low.)

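As an added example (not code from the post, nor from ORDB), the following Python script builds the same DNSBL query in wire format, applies the per-frame overhead that turns the 43-byte query and 160-byte reply seen by tcpdump into the 85 and 202 byte figures, and decodes the reply header from the capture. It assumes an untagged Ethernet frame carrying IPv4 without options and UDP (14 + 20 + 8 bytes of headers) and the usual DNSBL convention of reversing the octets of the address being checked.

```python
import struct

# Per-layer overhead assumed for an untagged Ethernet / IPv4 (no options) / UDP frame.
ETHERNET_HDR, IPV4_HDR, UDP_HDR = 14, 20, 8

def dnsbl_name(ip: str, zone: str) -> str:
    """DNSBL convention: reverse the octets of a.b.c.d and append the list zone."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone.strip(".")

def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels ending in a zero-length label."""
    out = bytearray()
    for label in name.strip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return bytes(out) + b"\x00"

def build_query(ip: str, zone: str, txid: int = 0x2CCE) -> bytes:
    """Standard A/IN query with RD set, one question and no other sections.
    The default txid is the one seen in the capture (0x2cce == 11470)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_name(dnsbl_name(ip, zone)) + struct.pack("!HH", 1, 1)
    return header + question

def frame_size(dns_len: int) -> int:
    """Bytes on the wire for a DNS message that fits in one UDP datagram."""
    return ETHERNET_HDR + IPV4_HDR + UDP_HDR + dns_len

def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header into id, flags and section counts."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "rcode": flags & 0x000F, "qd": qd, "an": an, "ns": ns, "ar": ar}

# First 12 bytes of the reply in the capture (constructed from the hex dump above).
CAPTURED_REPLY_HEADER = bytes.fromhex("2cce 8500 0001 0001 0002 0002")

if __name__ == "__main__":
    # The capture's name 127.0.0.2.relays.ordb.org is what a lookup of 2.0.0.127 produces.
    q = build_query("2.0.0.127", "relays.ordb.org")
    print(len(q), frame_size(len(q)))           # 43 85
    print(frame_size(160))                      # 202, the reply
    print(parse_header(CAPTURED_REPLY_HEADER))  # an=1 ns=2 ar=2, i.e. tcpdump's 1/2/2
```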