Technology

From the BBC Website:

The eccentric British sport of hurling wellington boots has been given a mechanical makeover by scientists at Aberystwyth University.

Friends of mine?

Well, yes as it happens!

We have Sky satellite at home. Sky like to monitor their satellite boxes through the telephone line using a clever little feature that BT developed called “silent signalling”.

The idea is that any piece of data terminal equipment (DTE) can be plugged into the phone line and called up from a central system from where it can be interrogated over the phone network. The signalling is silent, so the phone does not ring and the householder need not be aware a call is in progress. As I understand it, taking a phone off the hook immediately interrupts this process, and no calling line identification (CLI) is ever presented, so it is as if the call did not happen.

Except that theory is not always the reality. It seems that some lines are configured (or misconfigured) in such a way as to cause a telephone to “chirp” briefly when the silent signalling takes place.

Caller line identification is also presented by silent signalling, so it is possible the phone will chirp briefly before all calls for users who have CLI presented on their lines.

Phones will also ring if the BT exchange is carrying out routine testing to your line. This may present as a regular short ring at about the same time each night.

So solutions?

We tried raising a fault with BT. As usual, BT faults told us that they had never heard of such a thing, they could book an engineer for us, but they would charge us if they decided our equipment was at fault. (But the problem is at the exchange, I told them – to no avail).

We tried asking Sky to stop calling us. They suggested unplugging our box from the wall (but the problem is your equipment raising the call, I told them – to no avail. Apparently Sky cannot stop their equipment from contacting you).

Next we tried the BT nuisance call bureau. They tried to convince us to sign up for a service that stops calls from a given number. (But hey – this is silent signalling. No number is presented!)

Finally we found someone at the nuisance call bureau who passed us onto someone at the exchange who knew what was what. He took our line off the regular testing schedule. Hooray!

And then that very night, Sky called and the phones chirped just as my daughter was falling asleep. Grrr.

Last attempt with Sky – I shall tell them we have changed telephones and give them a new number to call. Now if I knew Rupert Murdoch’s number, I would give them his. But I don’t, so I’ll just have to send the chirping phone to work!

If anyone else has found a way to convince BT to fix the line to stop this happening, please let me know. In the meantime, I offer my solutions above as the best way to avoid those annoying calls at 5 AM.

 

Steve Gibson is several years out of date in his Security Now podcast, episode 47. He says:

[The October 2002 DDoS against the DNS] was directed at all 13 of the main DNS servers, the so-called “root servers,” which maintain the master directories of domain names. Nine of the 13 DNS servers were brought down. Only four of the servers managed to stay on the ‘Net. [...]

There really is no defense. The only thing that can be done is that – and this is what some of the commercial anti-denial-of-service service providers have done, is they could have servers connected to very large pipes

Mr Gibson’s analysis is wrong. Very large pipes to the DNS servers are not needed: since 2002 a program of anycasting has been rolled out for the DNS servers, whereby a number of the servers are essentially cloned around the net and special BGP routes are announced to routers at multiple points across the Internet, so that traffic from a client is routed to the nearest (in networking terms) DNS root server. This works because packets follow the lowest-cost route. It also provides failover: if one server dies, the next least costly route is used (which may be another anycast clone).

October 2002 was not the only DDoS attack against the DNS, but of late no attacks have succeeded, because instead of just 13 root servers we now have many times that number, and the root servers are very successfully over-provisioned.

Last year I wrote this post: http://safle.org/wordpress/?p=4. In particular I looked up the current locations of the root name servers and used the Google Maps API to create this map of where the root name servers are located. The smaller pins show anycast IP duplicate servers. (Note that these are not accurate all the way down to the street level.)

The effect of this is that any DDoS against the DNS will be diluted amongst all name servers, and is unlikely to succeed. With every additional anycast clone server, the chances of a successful attack on the DNS are further reduced (and DNS resolution for the new geographic area covered is improved).
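The routing, failover and dilution described above can be seen in a small model. This is an added example, not code from the original post: the topology, link costs and query rates are constructed, and "lowest cost" is modelled as plain shortest path, which simplifies real BGP route selection.

```python
import heapq
from collections import Counter

# Constructed topology: router -> {neighbour: link cost}. Names are illustrative.
LINKS = {
    "lon": {"ams": 1, "nyc": 5},
    "ams": {"lon": 1, "fra": 1},
    "fra": {"ams": 1, "sin": 5},
    "nyc": {"lon": 5, "sfo": 3},
    "sfo": {"nyc": 3, "tok": 5},
    "tok": {"sfo": 5, "sin": 3},
    "sin": {"tok": 3, "fra": 5},
}

def costs_from(src):
    """Dijkstra: cheapest path cost from src to every router."""
    dist, heap = {src: 0}, [(0, src)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]:
            continue  # stale heap entry
        for nxt, w in LINKS[node].items():
            if d + w < dist.get(nxt, float("inf")):
                dist[nxt] = d + w
                heapq.heappush(heap, (d + w, nxt))
    return dist

def nearest_site(client, sites):
    """Anycast instance a client's packets reach: the announcing site with the lowest path cost."""
    dist = costs_from(client)
    return min(sorted(sites), key=lambda s: dist[s])

def load_per_site(sources, sites):
    """Queries per second landing on each site, given {router: qps} of traffic sources."""
    load = Counter({s: 0 for s in sites})
    for router, qps in sources.items():
        load[nearest_site(router, sites)] += qps
    return dict(load)

# Constructed flood: the same query rate originating behind every router.
FLOOD = {router: 1000 for router in LINKS}

if __name__ == "__main__":
    print(load_per_site(FLOOD, {"lon"}))                # one unicast server takes it all
    print(load_per_site(FLOOD, {"lon", "sfo", "sin"}))  # three anycast clones share it
    print(load_per_site(FLOOD, {"sfo", "sin"}))         # lon withdrawn: traffic fails over
```

Each clone only sees the traffic sourced in its own catchment, so a defender sizing an instance needs the query rate of that catchment plus whatever it would inherit if a neighbouring instance withdrew its route.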

Mr Gibson’s explanation of what the root servers do is also sloppy. These servers do not hold master copies of the domain names. They merely hold data for the TLDs (top level domains) such as uk., us., to., tv., es., ru., … as well as the gTLDs such as com., org.

They used to hold the next level of edu., I believe, although a quick dig for the edu. name servers quickly reveals this is no longer the case.

Whilst we are talking about this podcast, Steve Gibson gets onto his pet subject – raw sockets in Windows XP. His argument was that raw sockets were a bad idea because they allow someone with admin privileges (the default user in XP Home Edition) to run programs that can become worms and the like.

To an extent he was right – but the problem is not raw sockets. The problem is the brain-dead decision of Microsoft to continue allowing technically illiterate users to run with full admin privileges on their network-connected boxes by default. In Mr Gibson’s dialogue with Microsoft he claims that raw sockets were his one problem with Windows XP. But these were not the problem.

Yes, it’s hard to have backward compatibility without admin privileges – especially if you are using NT as your operating system. But look at what Apple did with OS X, and you can see how it is quite possible (for a little pain) to make an astoundingly good OS, with backward compatibility and security designed in (thanks to the use of UNIX).

So enough self-congratulation in spotting a problem with raw sockets. The question Mr Gibson should be asking is when will Microsoft release an O.S. with security designed in? When will users no longer be logged in with admin privileges?

 
