goe...@anime.net writes:
On Fri, 8 Aug 2009, Luke S Crawford wrote:
1. are there people who apply pressure to ISPs to get them to shut down
botnets, like maps did for spam?
sadly no.
...
Why do you think this might be? Fear of (extralegal) retaliation by
botnet owners? or fear of
On Mon, 10 Aug 2009, Luke S Crawford wrote:
goe...@anime.net writes:
On Fri, 8 Aug 2009, Luke S Crawford wrote:
1. are there people who apply pressure to ISPs to get them to shut down
botnets, like maps did for spam?
sadly no.
...
Why do you think this might be? Fear of (extralegal)
On 10/08/2009, at 8:11 PM, goe...@anime.net wrote:
such a list would include all of chinanet and france telecom. it
would likely not last long.
You've mentioned France twice now. Is there a big botnet problem
there? I've never heard of anything like that.
I'll admit I don't follow this area
On Aug 10, 2009, at 5:34 AM, Nathan Ward na...@daork.net wrote:
On 10/08/2009, at 8:11 PM, goe...@anime.net wrote:
such a list would include all of chinanet and france telecom. it
would likely not last long.
You've mentioned France twice now. Is there a big botnet problem
there? I've
Why do you think this might be? Fear of (extralegal) retaliation by
botnet owners? or fear of getting sued by listed network owners?
[TLB:] No more than any anti-spam RBL
or
is
the idea (shunning packets from ISPs that host botnets) fundamentally
unsound?
[TLB:] That's an ongoing raging
]
Sent: Saturday, August 08, 2009 3:15 AM
To: Roland Dobbins
Cc: NANOG list
Subject: Re: Botnet hunting resources (was: Re: DOS in progress ?)
Roland Dobbins rdobb...@arbor.net writes:
On Aug 8, 2009, at 11:57 AM, Luke S Crawford wrote:
2. is there a standard way to push a null-route
On Fri, 8 Aug 2009, Luke S Crawford wrote:
1. are there people who apply pressure to ISPs to get them to shut down
botnets, like maps did for spam?
sadly no.
I've got 50 gigs of packet captures, and have been going through with
perl to detect IPs who send me lots of tcp packets with 0
Jorge Amodio jmamo...@gmail.com writes:
Are folks seeing any major DOS in progress ?
Twitter seems to be under one and FB is flaky.
From what I understand, it's quite common. I got hammered last week.
It took out some routers at my upstream (it was a tcp syn flood attack,
a whole lot
Are folks seeing any major DOS in progress ?
Twitter seems to be under one and FB is flaky.
We are presently seeing some weird FB behavior -- timeouts and retry
issues. We've had several reports from our users and just began
investigating. Any info you have would be appreciated.
--sjk
Jorge Amodio wrote:
Are folks seeing any major DOS in progress ?
Twitter seems to be under one
Jorge Amodio wrote:
Are folks seeing any major DOS in progress ?
Twitter seems to be under one and FB is flaky.
DDoS happens hundreds of times a day. Twitter and the Internet
operations security community will likely take care of it, especially as
it's twitter and we all have a warm fuzzy
be appreciated.
--sjk
Jorge Amodio wrote:
Are folks seeing any major DOS in progress ?
Twitter seems to be under one and FB is flaky.
behavior -- timeouts and retry
issues. We've had several reports from our users and just began
investigating. Any info you have would be appreciated.
--sjk
Jorge Amodio wrote:
Are folks seeing any major DOS in progress ?
Twitter seems to be under one and FB is flaky.
. Any info you have would be appreciated.
--sjk
Jorge Amodio wrote:
Are folks seeing any major DOS in progress ?
Twitter seems to be under one and FB is flaky.
:
Are folks seeing any major DOS in progress ?
Twitter seems to be under one and FB is flaky.
On Aug 6, 2009, at 11:25 AM, Jorge Amodio wrote:
Are folks seeing any major DOS in progress ?
Twitter seems to be under one and FB is flaky.
Twitter is very flaky slow to load today, but that is hardly unusual.
Do you have any other evidence ?
Regards
Marshall
From: Marshall Eubanks [mailto:t...@americafree.tv]
Twitter is very flaky slow to load today, but that is
hardly unusual.
Do you have any other evidence ?
http://www.cnn.com/2009/TECH/08/06/twitter.attack/index.html
http://status.twitter.com/
We are defending against a denial-of-service attack, and will update status
again shortly.
-Original Message-
From: Marshall Eubanks [mailto:t...@americafree.tv]
Sent: 06 August 2009 16:57
To: Jorge Amodio
Cc: NANOG
Subject: Re: DOS in progress ?
On Aug 6
http://status.twitter.com/
We are defending against a denial-of-service attack, and will update status
again shortly.
Perhaps the puddy tat finally got the bird :-)
to defend against and
recover from this attack.
On Thu, Aug 6, 2009 at 8:57 AM, Marshall Eubanks t...@americafree.tv wrote:
On Aug 6, 2009, at 11:25 AM, Jorge Amodio wrote:
Are folks seeing any major DOS in progress ?
Twitter seems to be under one and FB is flaky.
Twitter is very flaky slow
We are defending against a denial-of-service attack, and will update status
again shortly.
Could be interesting if folks @Twitter take pictures or better video about how
they are defending against the attack.
Do they wear special helmets and cyber pitchforks ?
FB flakiness could be related to timeout with Twitter APIs
Just reported by the birdhouse:
As we recover, users will experience some longer load times and
slowness. This includes timeouts to API clients. We’re working to get
back to 100% as quickly as we can.
On Thu, 06 Aug 2009 11:12:23 CDT, Jorge Amodio said:
We are defending against a denial-of-service attack, and will update status
again shortly.
Could be interesting if folks @Twitter take pictures or better video about how
they are defending against the attack.
Do they wear special
It looks like there is something more widespread today. I've noticed a
couple other sites having issues. LiveJournal has confirmed they are
under attack as well:
http://community.livejournal.com/lj_maintenance/125027.html
Cheers,
-Christoph
Jorge Amodio wrote:
FB flakiness could be related to
On Aug 6, 2009, at 5:29 PM, Christoph Blecker wrote:
It looks like there is something more widespread today. I've noticed a
couple other sites having issues. LiveJournal has confirmed they are
under attack as well:
http://community.livejournal.com/lj_maintenance/125027.html
This is
On Thu, 6 Aug 2009, Marshall Eubanks wrote:
http://www.nytimes.com/2009/08/07/technology/internet/07twitter.html
Mr. Woodcock said this
particular attack consisted of a wave of spam e-mail messages, which began
infiltrating Twitter
Uh... Yes, well, the gist of my
On Aug 6, 2009, at 10:26 PM, Bill Woodcock wrote:
On Thu, 6 Aug 2009, Marshall Eubanks wrote:
http://www.nytimes.com/2009/08/07/technology/internet/07twitter.html
Mr. Woodcock said this
particular attack consisted of a wave of spam e-mail messages,
which began
infiltrating Twitter
On Thu, 6 Aug 2009, Bill Woodcock wrote:
Note that this is a deeply-layered conflict, with both sides trying to
pass off actions as those of the other, and I don't know of anyone who's
asserted that they have any means of determining whether this was a
Georgian attack
On 1/24/2009 at 4:50 PM, Brian Keefer ch...@smtps.net wrote:
Caveat: my PERL is _terrible_.
http://www.smtps.net/pub/dns-amp-watch.pl
This assumes you're using BIND. My logs roll on the hour, so I run it
from cron at 1 minute before the hour. Depending on how long it takes
to
I think each point above is true -- BCP38 is indeed a technique, but
failure to universally implement it defaults to (almost) a tragedy of the
commons.
After ~10 years, it is surreal to me that we, as a community, are still
grappling with issues where it could be beneficial for the Internet
-original message-
Subject: Re: Are we really this helpless? (Re: isprime DOS in progress)
From: Michael Dillon wavetos...@googlemail.com
Date: 25/01/2009 10:16 pm
I think each point above is true -- BCP38 is indeed a technique, but
failure to universally implement it defaults to (almost
, 2009 11:06 PM
To: Danny McPherson
Cc: NANOG list
Subject: Re: Are we really this helpless? (Re: isprime DOS in progress)
On Jan 23, 2009, at 8:53 PM, Danny McPherson wrote:
You missed one.. Step 4: enable BCP 38 or similar
ingress source address spoofing mitigation mechanism
on all customer
Lorell,
On Jan 25, 2009, at 5:27 PM, Lorell Hathcock wrote:
Every time I see a post like the one below on this list, I can't
help but
feel like big brother has infiltrated the list.
Someone stating the obvious implications of the lack of the Internet
operations community to address a
Jack,
On Jan 23, 2009, at 9:34 PM, Jack Bates wrote:
David Conrad wrote:
Sad fact is that there are zillions of excuses. Unfortunately I
suspect the only way we're going to make any progress on this will
be for laws to be passed (or lawsuits to be filed) that impose a
financial penalty
In message 8c5f1fec-ff51-4ba2-a762-c13bc275e...@virtualized.org, David Conrad
writes:
It would seem that as ISPs implement DPI and protocol-specific traffic
shaping, they damage the arguments that they can make claiming they
have common carrier status with the inherent immunities that
Just a friendly notice, the attack against 66.230.128.15/66.230.160.1
seems to have stopped for now.
-Phil
On Jan 22, 2009, at 6:01 AM, Bjørn Mork wrote:
Graeme Fowler gra...@graemef.net writes:
I've been seeing a lot of noise from the latter two addresses after
switching on query logging
Hi,
I agree with seeing no traffic to/from 66.230.128.15 but am still seeing flows
'from' 66.230.160.1
Regards,
Steve
-Original Message-
From: Phil Rosenthal [mailto:p...@isprime.com]
Sent: Saturday, 24 January 2009 4:12 AM
To: nanog@nanog.org
Subject: Re: isprime DOS in progress
To: nanog@nanog.org
Subject: Re: isprime DOS in progress
Just a friendly notice, the attack against 66.230.128.15/66.230.160.1
seems to have stopped for now.
-Phil
On Jan 22, 2009, at 6:01 AM, Bjørn Mork wrote:
Graeme Fowler gra...@graemef.net writes:
I've been seeing a lot of noise from
but am still seeing
flows 'from' 66.230.160.1
Regards,
Steve
-Original Message-
From: Phil Rosenthal [mailto:p...@isprime.com]
Sent: Saturday, 24 January 2009 4:12 AM
To: nanog@nanog.org
Subject: Re: isprime DOS in progress
Just a friendly notice, the attack against
On 24/01/2009, at 6:46 AM, Steven Lisson wrote:
Hi,
I agree with seeing no traffic to/from 66.230.128.15 but am still
seeing flows 'from' 66.230.160.1
Regards,
Steve
Hi Steve,
There is at least an iptables rule you can use to drop this specific
query, assuming your nameservers run
In message 9a251497-e94c-4693-8e89-3fd3acf6d...@stupendous.net, Nathan Ollere
nshaw writes:
On 24/01/2009, at 6:46 AM, Steven Lisson wrote:
Hi,
I agree with seeing no traffic to/from 66.230.128.15 but am still
seeing flows 'from' 66.230.160.1
Regards,
Steve
Hi Steve,
On Sat, 2009-01-24 at 07:21, Chris McDonald wrote:
We [AS3491] null0'd the IP earlier. Rest-of-world encouraged to do the same
:/
Wrong approach, they are *innocent* in this as are the new targets.
insert into your favourite acl:
deny udp host 66.230.160.1 neq 53 any eq 53
deny udp host
On Fri, 23 Jan 2009, Jeffrey Lyon wrote:
I respectfully disagree. Network engineers have to keep up with many
tasks and preventing DoS/DDoS should be the responsibility of
everyone. I see more folks worried about spam than they are actual
security.
Because none of us wants to spend the next two
Jeffrey Lyon wrote:
I respectfully disagree. Network engineers have to keep up with many
tasks and preventing DoS/DDoS should be the responsibility of
everyone. I see more folks worried about spam than they are actual
security.
Back to my original question: is there really not a better
On Fri, 23 Jan 2009 18:33:14 PST, Seth Mattinen said:
Back to my original question: is there really not a better solution?
Well, we *could* hunt down the perpetrators, pool some $$, and hire 3 or 4
baseball-bat wielding professional explainers to go explain our position to
them. Figuring out
On Jan 23, 2009, at 10:31 PM, valdis.kletni...@vt.edu wrote:
On Fri, 23 Jan 2009 18:33:14 PST, Seth Mattinen said:
Back to my original question: is there really not a better solution?
Well, we *could* hunt down the perpetrators, pool some $$, and hire
3 or 4
baseball-bat wielding
On Jan 23, 2009, at 10:06 PM, David Conrad wrote:
Sad fact is that there are zillions of excuses. Unfortunately I
suspect the only way we're going to make any progress on this will
be for laws to be passed (or lawsuits to be filed) that impose a
financial penalty on ISPs through which
Graeme Fowler gra...@graemef.net writes:
I've been seeing a lot of noise from the latter two addresses after
switching on query logging (and finishing an application of Team Cymru's
excellent template) so I decided to DROP traffic from the addresses
(with source port != 53) at the hosts in
On Wed, 21 Jan 2009, Phil Rosenthal wrote:
This attack has been ongoing on 66.230.128.15/66.230.160.1 for about 24 hours
now, and we are receiving roughly 5Gbit of attack packets from roughly
750,000 hosts.
I'm only receiving NS queries for . from spoofed 66.230.128.15 and
66.230.160.1 via
Graeme Fowler wrote:
On Tue, 2009-01-20 at 14:55 -0600, Todd T. Fries forwarded:
I've been seeing a lot of noise from the latter two addresses after
switching on query logging (and finishing an application of Team Cymru's
excellent template) so I decided to DROP traffic from the addresses
On Wed, 2009-01-21 at 12:27 -0500, Phil Rosenthal wrote:
Representing ISPrime here.
Well... representing myself and nobody else, so if that stretches my
credibility thin so be it.
It's somewhat absurd to suggest that we are attacking our own
nameservers, I assure you, we didn't spend many