Security

Journal: First recorded attempt to attack my systems via IPv6!

Someone just tried to spam my CAKE wiki via IPv6. The attack came from 2002:c26a:c164:0:216:cbff:feab:b3f5 which is a 6to4 address (you can tell from the beginning 2002) meaning that it corresponds to the IPv4 address of c26ac164, also known as 194.106.193.100 which is the address of some computer in Poland.

It also looks like they're on a network that's using EUI-64 based IPv6 address assignment, so the MAC address it came from is 00:16:cb:ab:b3:f5. Looking that up at the MAC Address Vendor lookup page reveals that this MAC address belongs to an Apple.

Someone's poor hacked Mac is trying to spam my wiki, or this is the computer of the hacker who's running the botnet trying to figure out why none of the spam is showing up.
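As an added example (not code from the post or from CAKE), here are the two decoding steps above in Python with only the standard library: pulling the IPv4 address out of the 2002::/16 prefix, and turning a modified EUI-64 interface identifier back into the MAC address it was built from. The vendor table is a one-entry stand-in for a real OUI lookup and is an assumption, seeded only with the entry the post looked up.

```python
import ipaddress

SIXTO4 = ipaddress.IPv6Network("2002::/16")

# Tiny stand-in for a real OUI table (assumption); the single entry is the
# one the post looked up on the vendor lookup page.
OUI_STANDIN = {"00:16:cb": "Apple"}


def sixto4_ipv4(addr: str):
    """Return the IPv4 address embedded in a 6to4 address (RFC 3056), or None.

    Layout is 2002:WWXX:YYZZ:<subnet>:<interface id>, so the IPv4 address
    occupies bits 111..80 of the 128-bit address.
    """
    ip = ipaddress.IPv6Address(addr)
    if ip not in SIXTO4:
        return None
    return ipaddress.IPv4Address((int(ip) >> 80) & 0xFFFFFFFF)


def eui64_mac(addr: str):
    """Recover the MAC address from a modified EUI-64 interface identifier, or None.

    SLAAC builds the low 64 bits as  OUI | ff:fe | NIC-specific  with the
    universal/local bit (0x02 of the first byte) inverted.  Without the ff:fe
    marker the identifier is not EUI-64 derived (privacy extensions, a static
    address, or the Windows 6to4 form) and None is returned.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join("%02x" % b for b in mac)


def describe(addr: str) -> dict:
    """Summarise what a single IPv6 source address leaks about the sender."""
    v4 = sixto4_ipv4(addr)
    mac = eui64_mac(addr)
    vendor = OUI_STANDIN.get(mac[:8]) if mac else None
    return {
        "address": addr,
        "embedded_ipv4": str(v4) if v4 else None,
        "mac": mac,
        "vendor": vendor,
    }


if __name__ == "__main__":
    # The address from the post.
    print(describe("2002:c26a:c164:0:216:cbff:feab:b3f5"))
```

Note the universal/local bit flip: the identifier starts with 02, but the burned-in MAC starts with 00. Forgetting to invert it yields a MAC that matches no vendor.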

Security

Journal: DNS cache poisoning on the rise?

I run a public DNS server for my own domains and I've been getting a lot of outside attempts to run recursive queries through it. This is something I haven't seen before and I'm wondering if DNS cache poisoning is on the rise.

Here is a sample of the logs:

May 15 01:57:38 foo named[2310]: client 125.17.226.217#4921: query (cache) 'nirvana.admins.ws/A/IN' denied

May 15 02:40:15 foo named[2310]: client 208.72.168.114#54341: query (cache) 'aa36.com/ANY/IN' denied

May 15 03:41:06 foo named[2310]: client 192.172.226.155#56099: query (cache) 'c40431ec875aa6d0.a4a1b82e01a13ddb.test1.openresolvers.org/A/IN' denied

May 15 03:44:21 foo named[2310]: client 124.173.20.186#2898: query (cache) 'nirvana.admins.ws/A/IN' denied

May 15 05:09:01 foo named[2310]: client 88.228.100.29#1598: query (cache) 'nirvana.admins.ws/A/IN' denied

May 15 06:08:46 foo named[2310]: client 201.47.54.80#61320: query (cache) 'nirvana.admins.ws/A/IN' denied

May 15 19:33:27 foo named[2310]: client 221.208.250.186#12899: query (cache) 'nirvana.admins.ws/A/IN' denied

May 15 23:24:55 foo named[2310]: client 71.110.123.103#4547: query (cache) 'nirvana.admins.ws/A/IN' denied

One of these is a definite probe for poorly configured DNS servers in an attempt to be helpful. And that's the query for c40431ec875aa6d0.a4a1b82e01a13ddb.test1.openresolvers.org.

The others appear to be an attempt to query for the DNS records of a spam trap. This could be one of two things. It could be an attempt to get emails destined for the trap to go elsewhere. It could also be an attempt to get unwitting open DNS resolvers to be a part of a DDoS attack against the spam trap. I don't know which.

Does anybody reading this have any idea?
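An added example (not from the post): the eight log lines above, embedded inline, run through a small Python parser that groups the denied cache queries by name and labels each name along the lines of the reasoning above. The threshold of three distinct clients and the list of answer-inflating query types are assumptions made for illustration, not BIND defaults.

```python
import re
from collections import defaultdict

# BIND logs "query (cache) ... denied" when a client outside allow-query-cache /
# allow-recursion asks this server to recurse for a name it is not authoritative
# for.  These are the log lines quoted in the post.
LOG_LINES = """\
May 15 01:57:38 foo named[2310]: client 125.17.226.217#4921: query (cache) 'nirvana.admins.ws/A/IN' denied
May 15 02:40:15 foo named[2310]: client 208.72.168.114#54341: query (cache) 'aa36.com/ANY/IN' denied
May 15 03:41:06 foo named[2310]: client 192.172.226.155#56099: query (cache) 'c40431ec875aa6d0.a4a1b82e01a13ddb.test1.openresolvers.org/A/IN' denied
May 15 03:44:21 foo named[2310]: client 124.173.20.186#2898: query (cache) 'nirvana.admins.ws/A/IN' denied
May 15 05:09:01 foo named[2310]: client 88.228.100.29#1598: query (cache) 'nirvana.admins.ws/A/IN' denied
May 15 06:08:46 foo named[2310]: client 201.47.54.80#61320: query (cache) 'nirvana.admins.ws/A/IN' denied
May 15 19:33:27 foo named[2310]: client 221.208.250.186#12899: query (cache) 'nirvana.admins.ws/A/IN' denied
May 15 23:24:55 foo named[2310]: client 71.110.123.103#4547: query (cache) 'nirvana.admins.ws/A/IN' denied
""".splitlines()

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) named\[\d+\]: "
    r"client (?P<client>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"query \(cache\) '(?P<qname>[^/']+)/(?P<qtype>[A-Z0-9]+)/IN' denied$"
)

# Assumed thresholds for illustration, not BIND or vendor defaults.
MANY_SOURCES = 3
AMPLIFYING_QTYPES = {"ANY", "TXT", "RRSIG", "DNSKEY"}   # large answers, so good for amplification
OPEN_RESOLVER_PROBES = ("openresolvers.org",)         # the probe domain seen in the post


def parse_line(line: str):
    """Fields of one denied-query log line, or None if the line is something else."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def summarize(lines):
    """Group denied recursive queries by name: distinct clients, query types, hits."""
    summary = defaultdict(lambda: {"clients": set(), "qtypes": set(), "hits": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        entry = summary[rec["qname"].lower().rstrip(".")]
        entry["clients"].add(rec["client"])
        entry["qtypes"].add(rec["qtype"])
        entry["hits"] += 1
    return dict(summary)


def classify(qname: str, entry: dict) -> str:
    """Label a queried name using the same reasoning as the post."""
    if any(qname == d or qname.endswith("." + d) for d in OPEN_RESOLVER_PROBES):
        return "open-resolver-probe"
    if entry["qtypes"] & AMPLIFYING_QTYPES:
        return "amplification-candidate"
    if len(entry["clients"]) >= MANY_SOURCES:
        # One name asked from many unrelated networks: a distributed hunt for
        # resolvers that will answer for it, or the spam-trap angle from the post.
        return "same-name-from-many-sources"
    return "isolated"


def report(lines):
    """qname -> (label, distinct clients, total hits)."""
    return {q: (classify(q, e), len(e["clients"]), e["hits"]) for q, e in summarize(lines).items()}


if __name__ == "__main__":
    for qname, (label, nclients, hits) in sorted(report(LOG_LINES).items()):
        print(f"{label:28} clients={nclients} hits={hits} {qname}")
```

On the page's sample the spam-trap name shows up from six unrelated networks with an A query each, while the single ANY query for aa36.com is the one that fits the amplification pattern better: an open resolver answering ANY returns far more bytes than the spoofed request cost.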

Security

Journal: Vista and IPv6 6to4 auto-tunneling (not completely correct)

In looking at the various logs I keep to monitor what's going on on my home network, I've noticed an interesting fact about Vista that I haven't seen published anywhere. This is something of a guess, but it's supported by the increased activity in my logs, the fact the packets are coming from the US, the User-Agent strings and the curious and regular form of most of the new IPv6 connections I've been seeing. This fact is that Vista is fairly aggressive in supporting IPv6.

Now, Windows XP supports IPv6 fairly passively right out of the box. If you put it on a network with other nodes that speak IPv6 and a router or DHCPv6 server advertising a prefix, it will happily pick it up and gain a globally routable IPv6 address. But Vista goes one step further. If it figures out that it's been assigned a globally routable IPv4 address, it sets up its own 6to4 tunnel so its IPv4 address can be used to route IPv6 packets to it.

This is slightly worrisome as the IPv6 packets stuck inside the IPv4 packets represent a potential attack vector that may slide by all the filtering. But so far all the machines I've been able to portscan with some confidence that the computer at the IP I saw was still there look like they're heavily firewalled. This is better than I expected, but I did notice a different, more worrisome trend.

I expect that what firewall manufacturers will do when they learn of this is just block all IP packets with a protocol field of 41 (0x29), the IPv6 in IPv4 protocol. This is because in most Internet discussions IPv6 is treated either with "it will never happen" or "it's evil and stupid and NAT is enough". Basically, people are afraid of something new and don't want to have to learn it, so it's easier to dismiss it than embrace it.

I have some evidence that this is already happening. I think all the Vista-originated 6to4-tunneled packets have IPv6 addresses of the form 2002:hexip_upper16:hexip_lower16::hexip_upper16:hexip_lower16. When I ping the associated IPv4 address I often get a response, but when I ping the IPv6 address I don't. But I do in a very small number of cases. My guess is that something is filtering incoming IP packets with a protocol field of 41.

This means that whenever such computers try to visit my website (which has an IPv6 address) they will likely get absolutely nothing in response, or a long wait until the browser decides to fall back to IPv4.

This is actively hostile and wrong. IPv6 is happening. Learn it and get used to it. Fix your broken hardware and software. The specs have been relatively stable for the base protocol now for more than 4 years. There is no excuse for not knowing something about it.
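An added example, not from the post: a small Python inspector for the protocol-41 traffic discussed in this entry. It builds a constructed 6to4 packet (the addresses 198.51.100.7, 203.0.113.9 and 192.0.2.1 are documentation addresses made up for the example), then parses it the way a filter in front of a 6to4 host could: confirm the outer header is IPv4 with protocol 41, check that the IPv4 address embedded in the inner 2002::/16 source matches the outer IPv4 source (a mismatch means the 6to4 source is spoofed), and recognise the 2002:WWXX:YYZZ::WWXX:YYZZ form described above as opposed to an EUI-64 one. This is the per-packet check a firewall can apply instead of dropping all of protocol 41.

```python
import struct
import ipaddress

IPPROTO_IPV6 = 41  # protocol field value for IPv6-in-IPv4 (6to4 / 6in4)
SIXTO4 = ipaddress.IPv6Network("2002::/16")


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: ones'-complement sum of 16-bit words, complemented."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_6to4_packet(outer_src: str, outer_dst: str, inner_src: str, inner_dst: str,
                      payload: bytes = b"\x80\x00\x00\x00\x00\x01\x00\x01") -> bytes:
    """Constructed test data: an IPv4 packet (protocol 41) wrapping a minimal IPv6 header.

    The default payload is an ICMPv6 echo request whose checksum is left at
    zero; the packet is only parsed here, never sent.
    """
    inner = (struct.pack("!IHBB", 0x60000000, len(payload), 58, 64)
             + ipaddress.IPv6Address(inner_src).packed
             + ipaddress.IPv6Address(inner_dst).packed
             + payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0x1234, 0, 64,
                      IPPROTO_IPV6, 0,
                      ipaddress.IPv4Address(outer_src).packed,
                      ipaddress.IPv4Address(outer_dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + inner


def inspect_packet(pkt: bytes) -> dict:
    """Classify an IPv4 packet the way a filter in front of a 6to4 host might.

    For protocol-41 packets the inner IPv6 source is checked against the outer
    IPv4 source (the embedded address must match, otherwise the 6to4 source is
    spoofed), and the interface identifier is classified as the Windows
    2002:WWXX:YYZZ::WWXX:YYZZ form, an EUI-64 form, or something else.
    """
    ver_ihl, _, _, _, _, _, proto, _, src, _ = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20:
        raise ValueError("not an IPv4 packet")
    outer_src = ipaddress.IPv4Address(src)
    result = {
        "outer_src": str(outer_src),
        "checksum_ok": ipv4_checksum(pkt[:ihl]) == 0,  # a valid header sums to zero
        "encapsulated": proto == IPPROTO_IPV6,
        "inner_src": None, "inner_dst": None, "embedded_ipv4": None,
        "source_consistent": None, "iid_style": None,
    }
    if proto != IPPROTO_IPV6:
        return result
    inner = pkt[ihl:]
    vtf, _, _, _ = struct.unpack("!IHBB", inner[:8])
    if vtf >> 28 != 6:
        raise ValueError("protocol 41 payload is not IPv6")
    inner_src = ipaddress.IPv6Address(inner[8:24])
    inner_dst = ipaddress.IPv6Address(inner[24:40])
    result["inner_src"], result["inner_dst"] = str(inner_src), str(inner_dst)
    if inner_src in SIXTO4:
        embedded = ipaddress.IPv4Address((int(inner_src) >> 80) & 0xFFFFFFFF)
        iid = int(inner_src) & ((1 << 64) - 1)
        result["embedded_ipv4"] = str(embedded)
        result["source_consistent"] = embedded == outer_src
        if iid == int(embedded):
            result["iid_style"] = "windows-6to4"   # 2002:WWXX:YYZZ::WWXX:YYZZ
        elif (iid >> 24) & 0xFFFF == 0xFFFE:
            result["iid_style"] = "eui-64"
        else:
            result["iid_style"] = "other"
    return result


if __name__ == "__main__":
    pkt = build_6to4_packet("198.51.100.7", "192.0.2.1",
                            "2002:c633:6407::c633:6407", "2001:db8::1")
    print(inspect_packet(pkt))
```

A filter that only sees the outer IPv4 header learns nothing about the IPv6 traffic it is carrying, which is the "slides by all the filtering" worry above; decapsulating and applying the source-consistency check gives a firewall something better to do than a blanket drop of protocol 41.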

Useful links

In fact, that's a big problem here. No pictures, no overview, just an explosion of technical detail. There are some sites that have an overview that are put up by the IPv6 task force, but they are so badly designed I don't want to link to them for fear of crashing someone's browser with the evilness.

User Journal

Journal: Slashdot tag system

Has anybody else noticed how the tagging system seems to have changed? Gone are the tags like 'fud', 'itsatrap', and 'haha'. No more 'slashvertisement' and the like either. I find the current set of tags bland and useless. They are OK for hunting down an article, but horrible for being able to tell anything about an article before you click on it.

I found 'slashvertisement' and a few of the other tags about chronic problems that the Slashdot editors tend not to acknowledge to be particularly helpful. Does anybody know how or why the tags became so bland?

Programming

Journal: Looking for a job in or near Seattle

So, I'm looking for a job now. My résumé is updated and I've called a few people I know. I'm curious if any of you know anybody.

Here is what I'm looking for:

Ideally someone would point me at an investor who was interested in funding CAKE development for a couple of years with possibly another couple of people. The focus would be on creating a web service that provided various services for CAKE users, not selling CAKE itself. A business model like LJ's is the idea.

Barring that, I would really like to work for a company that wasn't so interested in someone who was capable of cranking out code. I'm not any good at that. I can program well, but I'm not fast, and I'm very cautious about working with a system I don't fully understand, especially if it's not easy to play with and test. OTOH, I am pretty good at talking to people about technical stuff, talking about design, pointing out flaws in designs, and creating new ones. So, a job that focused on the latter more than the former would be good.

And here's a few bullet points:

  • Working on code that was going to be published as Open Source code would be a huge plus.
  • I know Python and C++ best out of all the programming languages I know.
  • I would really vastly prefer working with a POSIX-like environment like Linux. :-)
  • I do best when working with systems-level software, not UI software.
User Journal

Journal: If people want to get together anyway

If people would like to get together anyway, despite the cancelled meetup, let's use this entry to arrange a time and place. :-) I was thinking of doing that anyway, and then droleary suggested it as well, so I'm all for it. :-)

I bought a new PowerBook as well, so I'd have a toy for people to ogle. :-)

User Journal

Journal: I have a job now

I'll be working for Amazon in Seattle. I'm going to have to move. So please, people here in Minnesota, sign up for this month's Slashdot meetup so I can say goodbye to you all before I go. :-)

Encryption

Journal: CAKE

Well, I have a name for my project, and a website. It will be known as CAKE. :-)

I need to set up a Wiki and a mailing list for it, and some other ways of getting feedback from people. I want to build a community around this project fairly quickly as there will be a number of aspects of the project that others would be much more suited to attacking than I.

Programming

Journal: What's in a name?

Well, it's starting to come together a bit, and I'm needing a name. I'm building a protocol in which all objects are named with self verifying names that aren't human readable. Messages are sent to a public key, and are always signed by the sender's public key. Files are named by secure hashes of their contents. That kind of thing.

I have grand plans of using this protocol for email, instant messages, web browsing, remote filesystem and database access, and almost anything else you can imagine. I intend for the basics of the protocol to form a layer above TCP or UDP, though it should be able to be layered inside of almost anything. I intend to write layerings for SMTP/IMAP, and AIM/Yahoo/MSN/ICQ/Jabber (via a gaim plugin).

I have some of the basics working using a mixture of C++ and Python, but it's not quite ready for public consumption. One obstacle is a name. I made a post in my LiveJournal about naming it. I'd like input from people here, if they're interested. Please feel free to make posts (anonymous or otherwise) to my LiveJournal with opinions or suggestions.

I don't consider the non-human readability of the names to be an obstacle. After all, IP addresses aren't particularly human readable either.

Also, if you care to look at the source at it currently stands, it can be found at: http://www.cakem.net/

Subversion is great, and MUCH better than CVS, even though it's still in alpha/beta.

User Journal

Journal: Lost my job today

*sigh* The company I used to work for is barely staying afloat. They decided to jettison more development staff today in the attempt. They cut some really excellent people today. They won't be able to move things forward much at all now with so few people. :-(

Oh, well.

If anybody knows someone in MN who wants a really good C++ programmer who also knows enough Unix administration to be a good sysadmin, and who knows Python, Perl, some Java, and a whole slew of other stuff, post them here. :-)

Programming

Journal: XML may not be answer, but I'm writing a parser anyway

Well, my XML parser understands XML well enough now to turn this:

<fred> <went> <down> <to> <the> <street> </street> <br/> </the> <a><store></store></a></to> </down> </went> </fred>

into this:

<fred>
  <went>
      <down>
        <to>
            <the>
              <street>
              </street>
              <br/>
            </the>
            <a>
              <store>
              </store>
            </a>
        </to>
      </down>
  </went>
</fred>

Yeah, maybe it doesn't seem like much, but in order for the code to do that, it has to understand what a start tag looks like, what an end tag looks like, and what an empty tag looks like. It also has to keep track of the nesting level.

I'm happy about all this because the parser is carefully designed for two requirements. The first requirement is that it be as fast as possible. The second is that it give me pointers into the original text where the various elements and tags are. The second requirement allows me to cut out or replace pieces of XML documents without altering the parts I'm not changing.

Since the XML messages I'm working with may have pieces that are digitally signed, it is vitally important I leave them exactly as I found them. Any alteration, no matter how slight, would render the signature invalid, and the message would be rejected by the destination. Most XML parsers forget the original document as they construct an internal structure describing the various elements and their relationships that throws away superficial features (like spacing) found in the original document.

Anyway, I'm pleased with my progress. I've had to stop for careful thought along the way to make sure that it was as flexible and fast as possible. I think it'll be fairly widely useful when I'm done.

Slashdot.org

Journal: Disappointing Slashdot meetup

Despite 8 people claiming they'd show up, only 3 actually did. It was still fun, but still something of a disappointment. Especially after I reserved a table for 6-12 people on Wednesday. :-(

I wish meetup.com had a way of leaving feedback for other people who claimed they would show up.

User Journal

Journal: Wikis are fun

I'm trying to convince various groups I work with to start using Wikis to collaborate. They seem like a collaboration method that has an impressive degree of flexibility and open-endedness. It makes them kind of fun to use and quick to create.

I've put up a Wiki for my homepage, and am hoping I get random people writing in it. :-) I should probably stick links to and from Wiki pages to documents in my technical section to try to spark debate and ideas.
