[Collisions] "controlled interruption" - 127/8 versus RFC1918 space

Jeff Schmidt jschmidt at jasadvisors.com
Thu Jan 9 16:18:54 UTC 2014


re: "controlled interruption" (see

It has been suggested instead of using, use something within
RFC1918 space (for example,  The thinking being that using
1918 space allows someone who wants to monitor which boxes are resolving
those DNS names (and getting the flag IPs) to do so more easily by
honeypotting these responses, logging at a firewall, etc.  Such tricks are
harder in 127/8 space.  Looking for errors generated by the 127/8 addresses
would involve searching individual application layer logs for connection
errors to those addresses.

Two phases could be used ­ a period that returns and a second
that returns

While I see the value, I'm also a bit leery about injecting unexpected
responses into 1918 space that could possibly be in use within the
enterprise.  That may cause unintended consequences itself.

Thoughts?  Value trade between possibly more effective notification vs.
"protecting the sanctity" of RFC1918 space?


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.dns-oarc.net/pipermail/collisions/attachments/20140109/a998cbdf/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4376 bytes
Desc: not available
URL: <http://lists.dns-oarc.net/pipermail/collisions/attachments/20140109/a998cbdf/attachment.bin>

More information about the Collisions mailing list