RE: Arbor Networks DoS defense product
Title: RE: Arbor Networks DoS defense product Is it common practice to place your own equipment at the ISP? My thought is that if we are able to have our own routers at the ISP, we'd be in a better position to mitigate the effects of a DDOS. As long as the stream of traffic does not adversely affect our routers from performing properly at the ISP, we can then mitigate the effects through access-lists, QOS, etc. That is if the attack is not too distributed, where the source IPs with the highest amount of syn traffic for example can be easily identified. Rick Cheung NPI IT Wan Team, CCNP -Original Message- From: Pete Kruckenberg [mailto:[EMAIL PROTECTED]] Sent: Wednesday, May 15, 2002 2:15 AM To: [EMAIL PROTECTED] Subject: Re: Arbor Networks DoS defense product On Wed, 15 May 2002, Rubens Kuhl Jr. wrote: If and when (a) customers don't get exemption for attack traffic (b) the DoS traffic occurs more than 5% (or 1 - your percentile level) of the month per customer circuit (c) the DoS increases bytes transferred like large ICMP packet flood; this is not the case for all DoS traffic, which can be a bunch of small packets that actually decreases traffic These might apply to noticeable DoS attacks that occur as specific events. But how much (D)DoS traffic goes unnoticed by the average customer because it's too tough to detect or defend against? The 10% I've measured on my network is primarily reflected DDoS (reflected off my customers, to off-net targets), which is not trivial to detect or defend against. Pete.
Re: Arbor Networks DoS defense product
On Tue, 14 May 2002, Pete Kruckenberg wrote: Have any large networks gathered statistics on how much traffic DDoS/DoS/DRDoS attacks consume on an average day? The attacks I have been able to detect represent around 10-15% of my traffic on an on-going basis. I'm curious about the business case for investing in DoS defense mechanisms. DoS traffic is boosting service provider revenues through increased customer bandwidth usage. I disagree. If many of your customers have flat-rate as opposed to burstable connectivity, such as a full point-to-point T1 or a dedicated 10 meg switch port to host a colo box, the revenue you derive from those customers doesn't change regardless of how much/how little traffic your network carries for them. If your customers have burstable connectivity, their bill only goes up if you have mechanisms in place to do those calculations - I'll hazard a guess that many providers don't. I would argue that in many cases a service provider loses revenue due to DoS traffic - network performance/availability can be impacted as your network absorbs a DoS attack and your NOC/network engineers/security people have to spend cycles analyzing (calling vendors, upstreams, etc) and dampening the attack. Both of these impact windows have costs associated with them. I haven't done any formal ROI calculations on Arbor or any of the other DoS defense products out there. However, from my viewpoint, I'd be willing to bet that if/once my NOC/network engineers/security people are properly trained on how to handle a DoS attack, anything that allows me to shrink those impact windows, e.g. reduce my costs related with dealing with an attack, is a good thing. So the investment in defense mechanisms like Arbor would have to replace or increase that revenue. Will these issues inhibit wide-spread implementation of DoS defenses? That depends on how those products are priced, how well they're marketed, and of course, how effective they are in helping to stop DoS attacks. jms
The Art of Peering : The Peering Playbook
Hi all - Folks were talking about Traffic Ratios, Depeering, etc. that reminded me I should probably thank everyone for contributing to the Tactical Peering white paper which has now been renamed The Art of Peering : The Peering Playbook. Thanks to the feedback from folks on this list and at RIPE and the Gigabit Peering Forum I have released version 1.0 of this document and it is available to anyone who would like a copy. Send me e-mail at [EMAIL PROTECTED] with the Subject: Art of Peering and I'll send it back directly, or alternatively you can get it from the Equinix web site. In this paper I asked the Peering Coordinators the question What do you do if noone answers your peering request at peering@ispdomain.net ? What are the 'Tricks of the Trade' that distinguish seasoned Peering Coordinators from newbies? The Summary (below) does the best job of highlighting the techniques detailed in the paper: Summary We have presented 19 peering maneuvers that the Peering Coordinator Community have effectively used to obtain peering. 1) The Direct Approach uses peering@ispdomain.net , phone calls, face to face meetings, or some such direct interaction to establish peering. 2) The Transit with Peering Migration tactic leverages an internal advocate to buy transit with a contractual migration to peering at a later time. 3) The End Run Tactic minimizes the need for transit by enticing a direct relationship with the target ISP's largest traffic volume customers. 4) In Europe the Dual Transit/Peering separates the peering traffic from the transit traffic using separate interface cards and/or routers. 5) Purchasing Transit Only from Large Tier 2 ISPs is an approach to reduce the risk of being a customer of a potential peer on the road to Tier 1 status. 6) Paid Peering as a maneuver is positioned by some as a stepping stone to peering for those who don't immediately meet the peering prerequisites. 7) In the Partial Transit tactic, the routes learned at an exchange point are exchanged with the peer for a price slightly higher than transport costs. 8) The Chicken tactic involves de-peering in order to make the other peer adjust the peering relationship. 9) In the Traffic Manipulation tactic, ISPs or content players force traffic along the network path that makes peering appear more cost effective. 10) The Bluff maneuver is simply overstating future traffic volumes or performance issues to make peering appear more attractive. 11) The Wide Scale Open Peering Policy as a tactic signals to the Peering Coordinator Community the willingness to peer and therefore increases the likelihood of being contacted for peering by other ISPs. 12) The Massive Colo Build tactic seeks to meet the collocation prerequisites of as many ISPs as possible by building POPs into as many exchange points as possible. 13) The Aggressive Traffic Buildup tactic increases the traffic volume by large scale market and therefore traffic capture to make peering more attractive. 14) Friendship-based Peering leverages contacts in the industry to speed along and obtain peering where the process may not be in place for a peering. 15) The Spam Peering Requests tactic is a specific case of the Wide Scale Open Peering tactic using the exchange point contact lists to initiate peering. 16) Purchasing Legacy Peering provides an immediate set of peering partners. 17) The Bait and Switch tactic leverages a large corporate identity to obtain peering even though ultimately only a small subset or unrelated set of routes are actually announced. 18) The False Peering Outage tactic involves deceiving an ill-equipped NOC into believing a non-existing peering session is down. 19) The Leverage Broader Business Arrangement takes advantage of other aspects of the relationship between two companies to obtain peering in exchange for something else. Thanks again for your help! If there are questions or comments I'd love to hear them; I fully expect this document (like the other white papers) to evolve over time. Bill --- William B. Norton [EMAIL PROTECTED] 650.315.8635 Co-Founder and Chief Technical Liaison Equinix, Inc.
Re: CPE/OC12 Question
On Wed, 15 May 2002, Sonya Blake wrote: What kind of OC12 CPE devices (routers) are people using out there? Initially for Internet connectivity, but probably would need to do advance features, i.e. BGP, etc. Are you referring to an OC12c that you're using as a single 622 Mb/s pipe, or an OC12 that you're bringing into a SONET add/drop mux and breaking out STS-1 slots for DS3s or OC3/OC3c slots? If you're talking about an OC12c, your choices would probably be: Cisco 7600 Cisco 1 Cisco 12xxx Juniper M-series - I think even an M5 could do an OC12c, though I'm not sure. Other offerings by Riverstone, Avici and others that I'm not as familiar with. You can put an OC12c into a Cisco 7200/7500 *in theory* using an OC12c DPT card, but the router will likely crap out long before you come close to saturating the pipe. For a channelized OC12, assuming you want to do the breakouts yourself, you could use pretty much anything that supports channelized OC12 (Cisco 1/12000, Juniper, etc) as long as it can break the slots out the way you want. jms
Re: Arbor Networks DoS defense product
On Wed, 15 May 2002, Rob Thomas wrote: FYI, the miscreants also _avoid_ certain netblocks in which, they believe, honeypots and other things reside. What leads them to believe this? It could be very useful as deterrence to know their criteria. -Dan -- [-] Omae no subete no kichi wa ore no mono da. [-]
Re: Arbor Networks DoS defense product
On Wed, 15 May 2002, Rob Thomas wrote: ] It could be very useful as deterrence to know their criteria. For the low fee of a cool t-shirt or a bit of gear for my lab I'd be happy to spread rumours about the mad fast honeypot residing within your prefixes. :) disinformation as a means to raise the level of uncertainty for the attacker, it's classic military tactic. what other military tactics can be used to make life more dangerous for attackers? i've been tossing around an idea for a land mine network. randomly distributed honeypots around the internet. when X landmines are hit from the same source, that source gets entered into a BGP blackhole feed which anyone can subscribe to. put landmines in popularly targeted networks, maybe even make them randomly move about. there are all sorts of wonderful tactics that could be put to use. scanning would quickly become self defeating as attackers would only manage to cut themselves off from the net. -Dan -- [-] Omae no subete no kichi wa ore no mono da. [-]
Re: Arbor Networks DoS defense product
Hi, Dan. ] scanning would quickly become self defeating as attackers would only ] manage to cut themselves off from the net. To some degree, yes. Most of the miscreants are clueful enough not to scan from their home machines. The end result is a lot of hacked hosts are black holed. On one hand you could say serves 'em right for being hacked! On the other hand, you could wonder why it is that the non-geek broadband users must be system, network, and firewall administrators. Thanks, Rob. -- Rob Thomas http://www.cymru.com/~robt ASSERT(coffee != empty);
Re: Arbor Networks DoS defense product
On Wed, 15 May 2002, Rob Thomas wrote: ] scanning would quickly become self defeating as attackers would only ] manage to cut themselves off from the net. To some degree, yes. Most of the miscreants are clueful enough not to scan from their home machines. I disagree. They have to start somewhere. Most miscreants first attack offshore hosts, then use those to attack domestic victims. The end result is a lot of hacked hosts are black holed. And this is a bad thing? On one hand you could say serves 'em right for being hacked! On the other hand, you could wonder why it is that the non-geek broadband users must be system, network, and firewall administrators. They don't. This is purely a response to rogue networks/blackhats and apathetic/irresponsible/toothless NOCs. -Dan -- [-] Omae no subete no kichi wa ore no mono da. [-]
Re: Arbor Networks DoS defense product
On 15 May 2002, Johannes B. Ullrich wrote: See http://www.dshield.org/block.txt ;-). We are about 24hrs away from getting a BGP test feed up. Error Sorry, the page could not be found. Click HERE to return to the DShield.org homepage. -Dan -- [-] Omae no subete no kichi wa ore no mono da. [-]
Re: Arbor Networks DoS defense product
sorry. getting confused by my own tricky url schemes: http://feeds.dshield.org/block.txt On Wed, 2002-05-15 at 17:13, Dan Hollis wrote: On 15 May 2002, Johannes B. Ullrich wrote: See http://www.dshield.org/block.txt ;-). We are about 24hrs away from getting a BGP test feed up. Error Sorry, the page could not be found. Click HERE to return to the DShield.org homepage. -Dan -- [-] Omae no subete no kichi wa ore no mono da. [-]
Re: Arbor Networks DoS defense product
On Wed, 15 May 2002, Chris Parker wrote: That's fine until the first person spoofs a scan from 'www.cisco.com' or 'a.root-servers.net' and *poof* it's now automagically unreachable. Only tcp connections with full handshake would be counted. -Dan -- [-] Omae no subete no kichi wa ore no mono da. [-]
Re: Arbor Networks DoS defense product
On Wed, 15 May 2002, Lyndon Nerenberg wrote: I usually avoid blackhole subscription lists like this. They let the attacker take out your legitimate peers by spoofing the source. If they can take out your legitimate peers by spoofing end to end TCP connections, then you have got some really enormous problems that need to be addressed. I don't think spoofing will be a problem for the landmines. Most attacks (99%?) are tcp. -Dan -- [-] Omae no subete no kichi wa ore no mono da. [-]
Re: Arbor Networks DoS defense product
On Wed, 15 May 2002, PJ wrote: On Wed, 15 May 2002, Dan Hollis wrote: We are not landmining for DOSing. We are landmining to make it very dangerous for attackers to scan networks and probe hosts. Are you now operating under the premise that scans != anything but the prelude to an attack? Sorry if I missed it earlier in the thread, but I would hate to think any legitimate scanning of a network or host would result in a false positive. Even more, I would hate to see the advocation of a hostile reaction to what, so far, is not considered a crime. It would take more than a single landmine hit to get blackholed. Like, duh. Enough hits on a wide sensor net prove bad intentions, as proven by dshield. I'm suprised at the extremely shallow level of arguments so far against landmines. Well, I guess I shouldnt be suprised -- this *IS* nanog, after all... :P -Dan -- [-] Omae no subete no kichi wa ore no mono da. [-]
Re: Arbor Networks DoS defense product
On Wed, May 15, 2002 at 05:22:39PM -0700, PJ wrote: Are you now operating under the premise that scans != anything but the prelude to an attack? Sorry if I missed it earlier in the thread, but I would hate to think any legitimate scanning of a network or host would result in a false positive. Even more, I would hate to see the advocation of a hostile reaction to what, so far, is not considered a crime. So you can think of a perfectly legitimate reason to scan someone else's netblocks on specific TCP ports? -c
(fwd) Re: Arbor Networks DoS defense product
Forgot to include nanog - Forwarded message from PJ [EMAIL PROTECTED] - Date: Wed, 15 May 2002 17:50:01 -0700 From: PJ [EMAIL PROTECTED] Subject: Re: Arbor Networks DoS defense product To: Clayton Fiske [EMAIL PROTECTED] Message-ID: [EMAIL PROTECTED] Reply-To: PJ [EMAIL PROTECTED] User-Agent: Mutt/1.3.25i On Wed, 15 May 2002, Clayton Fiske wrote: On Wed, May 15, 2002 at 05:22:39PM -0700, PJ wrote: Are you now operating under the premise that scans != anything but the prelude to an attack? Sorry if I missed it earlier in the thread, but I would hate to think any legitimate scanning of a network or host would result in a false positive. Even more, I would hate to see the advocation of a hostile reaction to what, so far, is not considered a crime. So you can think of a perfectly legitimate reason to scan someone else's netblocks on specific TCP ports? -c Has no one ever tested firewall rules from external networks? The fact remains is that a scan != an attack. PJ -- The worst thing one can do is not to try, to be aware of what one wants and not give in to it, to spend years in silent hurt wondering if something could have materialized -- and never knowing. -- David Viscott
Re: Arbor Networks DoS defense product
On Wed, 15 May 2002, Johannes B. Ullrich wrote: Even more, I would hate to see the advocation of a hostile reaction to what, so far, is not considered a crime. I agree. Scanning is no crime. But blocking isn't a crime either. Agreed. But this blocking still will do no good. My previous questions still stand. What about timing? What about breaking up segements of the network to be scanned by different hosts? How many hits on the linemines constitute blocking? Are you blocking hosts or networks? Either way, what about dynamic ips? What about scans done from different networks other than that which the supposed attacker is originating from. Universitys, unsecured wireless lans, etc. PJ -- Art is a lie which makes us realize the truth. -- Picasso
Re: Arbor Networks DoS defense product
On Wed, 15 May 2002, Clayton Fiske wrote: On Wed, May 15, 2002 at 06:04:40PM -0700, PJ wrote: Sorry for not including nanog in the reply. What about MAPS? They routinely scan netblocks without consent. Does this tool differenciate between local and non-local scanning? Scanning is The tool in question may not even exist yet. There is no preset definition of how it has to work. Perhaps it can be evolved enough to where it only triggers when an exploit is attempted, rather than just on a TCP connection. Granted. However, if it's not yet in existance, these are good questions to be asked now instead of later, no? I would feel much better about it if it was triggered by an exploit, instead of a connection. still not a crime and it will still do nothing to deter anyone with hostile intentions. This is just a bandaid to avoid taking proper security precautions. I can take all the proper security precautions and it doesn't stop third party network A from being exploited and later used to attack me. The point of this is that it will help identify a specific host which is scanning many blocks belonging to many different networks. If they hit several landmines in my network, I might be concerned. If they hit landmines in my network and 6 others to which I have no affiliation, the net as a whole might want to know about it. Granted. However, the suggestion to place said host/network into some sort of BGP black hole, has it's problems. The community has a whole already has an idea of which networks have an greater precentage of attacks originating from it, an alert is fine, a pre-emptive strike in the absence of an actual attack is not. I don't think anyone said this was intended to take the place of security on their own networks. But I don't see how that aspect makes this a bad tool on its own either way. Yes, that was perhaps an implication made on my part. However, there are still concerns with the idea that have yet to be addressed. PJ -- Art is a lie which makes us realize the truth. -- Picasso
Re: Arbor Networks DoS defense product
On Wed, 15 May 2002, PJ wrote: If it's a crime, someone should have no problem citing the code. If it's not a crime, than I am guilty of nothing and should have nothing to fear. Do let us know how your portscans of US military networks goes... There are always going to be people who are going to probe and poke Are you one of them? -Dan -- [-] Omae no subete no kichi wa ore no mono da. [-]