Re: Botnet hunting resources (was: Re: DOS in progress ?)
goe...@anime.net writes:
> On Fri, 8 Aug 2009, Luke S Crawford wrote:
>> 1. are there people who apply pressure to ISPs to get them to shut down botnets, like maps did for spam?
>
> sadly no.

...

Why do you think this might be? Fear of (extralegal) retaliation by botnet owners? or fear of getting sued by listed network owners? or is the idea (shunning packets from ISPs that host botnets) fundamentally unsound?

If someone sufficiently trustworthy produced a BGP feed of networks that were unresponsive to abuse complaints, do you think other networks would use it to block traffic?

I mean, ultimately I think that having several providers of such feeds with differing levels of aggression would be the best case, but someone has got to go first.

--
Luke S. Crawford
http://prgmr.com/xen/ - Hosting for the technically adept
http://nostarch.com/xen.htm - We don't assume you are stupid.
Re: Botnet hunting resources (was: Re: DOS in progress ?)
On Mon, 10 Aug 2009, Luke S Crawford wrote:
> goe...@anime.net writes:
>> On Fri, 8 Aug 2009, Luke S Crawford wrote:
>>> 1. are there people who apply pressure to ISPs to get them to shut down botnets, like maps did for spam?
>>
>> sadly no.
>
> ...
>
> Why do you think this might be? Fear of (extralegal) retaliation by botnet owners? or fear of getting sued by listed network owners? or is the idea (shunning packets from ISPs that host botnets) fundamentally unsound?

such a list would include all of chinanet and france telecom. it would likely not last long. what do you do when rogue networks are state owned?

> If someone sufficiently trustworthy produced a BGP feed of networks that were unresponsive to abuse complaints, do you think other networks would use it to block traffic?

no.

> I mean, ultimately I think that having several providers of such feeds with differing levels of aggression would be the best case, but someone has got to go first.

consider how much time and effort it took to get intercage shut down and you'd realize it's pretty much a lost cause.

-Dan
Re: ServerBeach Name Server Outage?
> Is anyone else that uses ServerBeach hosting having issues with their name servers (ns[12].geodns.net) failing to resolve their hostnames?

I haven't seen any recent problems, although I have the geodns servers slaving from my server. Are you doing the same, or generating DNS directly on their NS (through the web front end)?

Regards,
Tim.
Re: Botnet hunting resources (was: Re: DOS in progress ?)
On 10/08/2009, at 8:11 PM, goe...@anime.net wrote:
> such a list would include all of chinanet and france telecom. it would likely not last long.

You've mentioned France twice now. Is there a big botnet problem there? I've never heard of anything like that. I'll admit I don't follow this area of the network closely, but I'm sure there are other places higher up the list than FTE..

--
Nathan Ward
Re: ServerBeach Name Server Outage?
Tim Franklin wrote:
>> Is anyone else that uses ServerBeach hosting having issues with their name servers (ns[12].geodns.net) failing to resolve their hostnames?
>
> I haven't seen any recent problems, although I have the geodns servers slaving from my server. Are you doing the same, or generating DNS directly on their NS (through the web front end)?
>
> Regards,
> Tim.

I am being lazy and using their servers directly.

The problem has gone away. SB got back to me about 30 minutes after I opened a trouble ticket through my.sb and said,

  At around 0930 this morning our DNS servers, ns1.geodns.com and ns2.geodns.com experienced an issue where name resolution was not completing. We have not as of yet identified the root cause of the issue, but services were restored shortly thereafter at around 0940. At this time, we would like to ask that you please check your services again to ensure that all is in order. If they are not, please do let us know and we will investigate further.

I strongly disagree with their time frame estimates, as I saw an outage that lasted at least 55 to 60 minutes, not 10 minutes. I first observed the outage about 09:50 EDT, spent about 20 minutes investigating it and trying to verify it was not a routing issue (I checked from 9 different locations that I could not get name resolution), and another 10 minutes tracking down my password and reporting it -- at 10:20. Name services were still failing at 10:45, but were working correctly at 10:50 when I received the above message from SB.

To me, it looks like SB has a *CRITICAL* infrastructure design problem if they have a situation where both name servers can fail simultaneously. I hope this does not mean that they have a single dual-homed box that is really both name servers!!

I would really want/expect them to have two physically different servers in two vastly diverse physical locations (or even better, multiple boxes hidden by anycast), but the type of failure observed tends to argue against such diversity.

I hope this is a situation that SB will correct, as it is simply unacceptable to have all of one's name servers simultaneously fail.

Jon K

--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
o: 843-849-8214
c: 843-813-2924 (NEW!)
s: 843-564-4224
http://www.linkedin.com/in/jonrkibler

My PGP Fingerprint is: BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253
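The shared-fate concern in the message above (every name server for a zone failing at once) can be checked from the addresses behind the NS set. The following is an added example, not part of the original thread: the host names and addresses are constructed from documentation ranges, and the /24 and /48 grouping is an assumption of the example.

```python
import ipaddress
from collections import defaultdict

# Assumption of this example: servers inside the same IPv4 /24 or IPv6 /48
# are treated as sharing one network segment.
PREFIX_LEN = {4: 24, 6: 48}

def covering_prefix(addr):
    """Return the /24 (IPv4) or /48 (IPv6) network containing addr."""
    ip = ipaddress.ip_address(addr)
    return ipaddress.ip_network(f"{ip}/{PREFIX_LEN[ip.version]}", strict=False)

def shared_fate_report(ns_addrs):
    """ns_addrs maps each NS hostname to its list of A/AAAA addresses."""
    by_addr, by_prefix = defaultdict(set), defaultdict(set)
    for ns, addrs in ns_addrs.items():
        for a in addrs:
            by_addr[str(ipaddress.ip_address(a))].add(ns)
            by_prefix[str(covering_prefix(a))].add(ns)
    all_ns = set(ns_addrs)
    # One address answering for several NS names: the names are one box.
    same_address = {a: sorted(n) for a, n in by_addr.items() if len(n) > 1}
    # One prefix holding every NS: one routing failure can take out all of them.
    single_prefix = sorted(p for p, n in by_prefix.items()
                           if len(all_ns) > 1 and n == all_ns)
    return {"same_address": same_address,
            "single_prefix": single_prefix,
            "diverse": len(all_ns) > 1 and not same_address and not single_prefix}

# Constructed sample data (documentation address ranges, hypothetical names).
SAME_BOX = {"ns1.example.net": ["192.0.2.53"],
            "ns2.example.net": ["192.0.2.53"]}
SAME_SEGMENT = {"ns1.example.net": ["192.0.2.10"],
                "ns2.example.net": ["192.0.2.200"]}
DIVERSE = {"ns1.example.net": ["192.0.2.10", "2001:db8:1::53"],
           "ns2.example.net": ["198.51.100.10", "2001:db8:2::53"]}

if __name__ == "__main__":
    for label, zone in (("same box", SAME_BOX),
                        ("same segment", SAME_SEGMENT),
                        ("diverse", DIVERSE)):
        print(label, shared_fate_report(zone))
```

Distinct prefixes are necessary but not sufficient: a single dual-homed box can hold addresses in two networks, so a passing result does not prove separate hardware or sites.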
Re: sat-3 cut?
Eric Brunner-Williams wrote:
> above link, and routing, at transport, there is a tld effort as well.

Randy Bush wrote:
> yes. informally, a fair number of nanogians have spent the last few decades doing tech transfer to the developing economies, including helping start sister groups such as afnog. nanog participates with arin in a bursary to bring engineers from developing economies to nanog and arin meetings. etc. sorry this so poorly publicized that you did not know.

It's not, and I cannot find it on our NANOG website. As you may remember, I'd helped with more formal outreach and instruction via ISoc (mid-'90s), but had not heard of the same by NANOG.

OTOH, I've rarely attended any NANOG meeting outside Michigan, and we've not had one here for many years. There's one coming up in October that I'm looking forward to attending (time and finances allowing).

What exactly is NANOG doing to help interconnect West Africa? Moreover, what NANOG member financing assistance to Nitel paying its fees, so that its link would be restored?
Re: sat-3 cut?
On that note, folks might want to see http://www.nytimes.com/2009/08/10/business/global/10cable.html
Re: Botnet hunting resources (was: Re: DOS in progress ?)
On Aug 10, 2009, at 5:34 AM, Nathan Ward na...@daork.net wrote:
> On 10/08/2009, at 8:11 PM, goe...@anime.net wrote:
>> such a list would include all of chinanet and france telecom. it would likely not last long.
>
> You've mentioned France twice now. Is there a big botnet problem there? I've never heard of anything like that. I'll admit I don't follow this area of the network closely, but I'm sure there are other places higher up the list than FTE..

I would say the problem plagues many diverse networks. The background radiation goes undetected by most people for cost reasons. It's cheaper to pass the bits than have a human convince someone their machine is compromised.

The problem will continue to be acute as transit costs get even lower.

- Jared
Re: sat-3 cut?
> http://www.nytimes.com/2009/08/10/business/global/10cable.html

if seacom completes, and it is looking likely (yay!), this will be great. but

> Alan Mauldin, research director at TeleGeography, a telecommunications market research company, said Africa was the last major area where broadband access was not widespread.

try much of the pacific islands, central asia (the stans), myanmar, much of india, laos, cambodia, and large swaths of northern china and the middle of russia. and i am sticking to places with non-sparse population.

americans are a bit naive about the rest of the world.

randy
Re: sat-3 cut?
On Mon, Aug 10, 2009 at 09:49:51PM +0900, Randy Bush wrote:
>> http://www.nytimes.com/2009/08/10/business/global/10cable.html
>
> if seacom completes, and it is looking likely (yay!), this will be great. but
>
>> Alan Mauldin, research director at TeleGeography, a telecommunications market research company, said Africa was the last major area where broadband access was not widespread.
>
> try much of the pacific islands, central asia (the stans), myanmar, much of india, laos, cambodia, and large swaths of northern china and the middle of russia. and i am sticking to places with non-sparse population.
>
> americans are a bit naive about the rest of the world.
>
> randy

clearly Alan's whole point rests on the interpretation of the two words -major- and -area-... and no, we will not stoop to using the US definition of broadband.

--bill
Re: sat-3 cut?
[Followups set to futures as organization discussion.]

On Mon, Aug 10, 2009 at 08:13:55AM -0400, William Allen Simpson wrote:
> Eric Brunner-Williams wrote:
>> above link, and routing, at transport, there is a tld effort as well.
>
> Randy Bush wrote:
>> yes. informally, a fair number of nanogians have spent the last few decades doing tech transfer to the developing economies, including helping start sister groups such as afnog. nanog participates with arin in a bursary to bring engineers from developing economies to nanog and arin meetings. etc. sorry this so poorly publicized that you did not know.
>
> It's not, and I cannot find it on our NANOG website. As you may remember, I'd helped with more formal outreach and instruction via ISoc (mid-'90s), but had not heard of the same by NANOG.

It currently goes by the somewhat confusing moniker of a scholarship, right there on the pull-downs on every page of the site. The Postel Network Operator's Scholarship does get promoted widely and applicants are sought from other ops communities across the globe. Unfortunately for those not plugged into the physical meetings, it hasn't actually been promoted on nanog-announce, etc in the past. That will definitely get rectified.

Cheers,
Joe

--
RSUC / GweepNet / Spunk / FnB / Usenix / SAGE
RE: Botnet hunting resources (was: Re: DOS in progress ?)
> Why do you think this might be? Fear of (extralegal) retaliation by botnet owners? or fear of getting sued by listed network owners?

[TLB:] No more than any anti-spam RBL

> or is the idea (shunning packets from ISPs that host botnets) fundamentally unsound?

[TLB:] That's an ongoing raging debate. Some say, since enumerating badness can't protect you against all threats, that you shouldn't do it at all. My take is, if you can filter the worst actors early and fast, based on IP address, that gives your deeper packet devices more capacity, and saves you network bandwidth. It's been my experience that IP level blocking is a best practice as the second step (the first being selective availability of any service to only those it NEEDS to be, which in the case of many network operators is everywhere and everyone, and therefore a useless filter for a network operator) in a layered defense.

> If someone sufficiently trustworthy produced a BGP feed of networks that were unresponsive to abuse complaints, do you think other networks would use it to block traffic? I mean, ultimately I think that having several providers of such feeds with differing levels of aggression would be the best case, but someone has got to go first.

[TLB:] shameless plug That's what ThreatSTOP is for. We use DNS, not BGP, because there are far more traffic management devices (think Subscriber firewalls) that can use it, and because AT&T has a patent on using BGP for block lists. /shameless plug
Re: DNS hardening, was Re: Dan Kaminsky
This was responded to on the DNSEXT mailing list. Sorry, but your question was accidentally attributed to Paul who forwarded the message. DNSEXT Archive: http://ops.ietf.org/lists/namedroppers/ -Doug
IPv6 Interview: Martin J. Levy of Hurricane Electric
http://www.youtube.com/watch?v=p47m5XVt4WQ Time for another interview. Martin Levy talks about his experiences, what kind of customers they cater to, what worked and what didn't work during deployment, and what internal strategy they had. We recorded an interview with the Swedish government this week, which we'll be editing shortly. If you want specific topics to be covered, or there are specific people or industry players we should talk to in future interviews, please let me know and we'll try to get them in front of a camera. Enjoy, Alex
Re: Botnet hunting resources
Luke S Crawford wrote:
> 1. are there people who apply pressure to ISPs to get them to shut down botnets, like maps did for spam?

Hi, Luke! MAAWG recently published a document to help ISPs deal with infected machines in their networks. It's not the same kind of pressure, but (as we learned with open relays at MAPS) pressure isn't very effective unless there are tools available to deal with the problem.

http://www.maawg.org/about/publishedDocuments/MAAWG_Bot_Mitigation_BP_2007-07.pdf

--
J.D. Falk
Return Path Inc
http://www.returnpath.net/
Re: sat-3 cut?
On Mon, Aug 10, 2009 at 8:49 AM, Randy Bush ra...@psg.com wrote:
> americans are a bit naive about the rest of the world

Not the Americans who provided a large chunk of capital and are managing SEACOM.

Short summary: The operator is anticipating that South Africa and Kenya alone are going to utilize 85% of the capacity. The design capacity of the cable (The maximum saleable amount of bandwidth) is 1.28 Tb/s. The rest of the capacity is within reach of oil and some Francophone countries. Tata is buying capacity on the Mumbai to Djibouti leg which will interconnect them to both EASSY and SEACOM. EASSY and SEACOM are sharing landing stations in a few high value locations. All very commercial and not so uncommon.

The only question I have is a context switch. Why Mogadishu? Do the (sea) pirates need more capacity to manage their ship hijacking business?

Best Regards,
Martin

--
Martin Hannigan mar...@theicelandguy.com
p: +16178216079
Power, Network, and Costs Consulting for Iceland Datacenters and Occupants
Re: sat-3 cut?
On 11/08/2009 00:24, Martin Hannigan wrote:
> The only question I have is a context switch. Why Mogadishu? Do the (sea) pirates need more capacity to manage their ship hijacking business?

The indications are that Somalia has been improving over the past year or two. If this continues, then it may have a reconstructive capacity to grow which other countries don't.

Nick
Re: sat-3 cut?
Martin Hannigan wrote: The only question I have is a context switch. Why Mogadishu? Do the (sea) pirates need more capacity to manage their ship hijacking business? Because ethiopia is the effectively land-locked economic power in the neighborhood and it needs diverse landing sites. Also I think Mogadishu is off the table for the moment. Best Regards, Martin