Re: portscans (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Johnny Eriksson


Ralph Doncaster [EMAIL PROTECTED] writes:

 I often like to know if a particular web server is running Unix or
 Winblows.  A port scanner is a useful tool in making that determination.
 
 <sarcasm>
 And why, pray tell, would some stranger be carrying a concealed gun if
 they were not planning on shooting someone?
 </sarcasm>

Maybe there is a difference between carrying a concealed portscanner and
actually using one?

--Johnny



Re: portscans (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Dan Hollis


On Sat, 18 May 2002, Scott Francis wrote:
 On Sat, May 18, 2002 at 11:05:34PM -0400, [EMAIL PROTECTED] said:
  attacked any host or network that I was not directly responsible for.
  If you don't want the public portions of your network mapped then you
  should withdraw them from public view.
 Agreed there. Defense is important. It might be good to note that I'm not
 giving a blanket condemnation of all portscans at all times; but as a GENERAL
 RULE, portscans from strangers, especially methodical ones that map out a
 network, are a precursor to some more unsavory activity.

And what the critics keep missing is that it will take several landmine 
hits across the internet to invoke a blackhole. Just scanning a few 
individual hosts or /24s won't do it.

There are three aims of the landmine project:

1) early warning
2) defensive response
3) deterrence

I realize such a project won't be absolutely, positively perfect in every 
aspect, and it won't satisfy 100% of the people 100% of the time. But 
that's hardly an excuse to not do it. IMO the positives outweigh the 
negatives by far.

-Dan
-- 
[-] Omae no subete no kichi wa ore no mono da. [-]




Re: portscans (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Scott Francis

On Sat, May 18, 2002 at 11:46:21PM -0400, [EMAIL PROTECTED] said:
 [ On Saturday, May 18, 2002 at 20:15:10 (-0700), Scott Francis wrote: ]
  Subject: Re: portscans (was Re: Arbor Networks DoS defense product)
 
  Apologies; my finger was a bit too quick on the 'g'. As this message came to
  the list, I will assume it is safe to cc the list on my reply. Sorry about
  that last.
 
 Apology accepted, but I strongly recommend you learn to use some more
 reliable mail reader software -- something that doesn't accidentally
 invent reply addresses!  There was no hint that my message to you was in
 any way associated with the NANOG list -- it was delivered directly to
 you and CC'd only to the person you were responding to.  Some outside
 influence had to have associated it with having been a reply to a list
 posting and connected your desire to reply with inclusion of the list
 submission address.  According to your reply's headers you're using
 Mutt-1.3.25i, and according to the Mutt manual 'g' is the group-reply
 command.  I don't find any hint in the description of that command to
 indicate that it will magically associate a given message with a list,
 especially one that was not received from the list.  Even the
 'list-reply' command should not be able to associate a private reply
 with the list address.  If Mutt really does magically associate private
 replies with list addresses by some mysterious mechanism then it's even
 more broken than I suspected.

It doesn't. I cc'd the list because I thought the message to be germane to
the public thread, and no mention was made of the message being private. That
was a misstep on my part, for which I apologize, and that was what I meant by
a little too quick on the 'g'. I will in the future assume all replies not
cc'd to the list to be private, or else get permission before cc'ing the list
on a reply.

Mea culpa.
-- 
Scott Francis   darkuncle@ [home:] d a r k u n c l e . n e t
Systems/Network Manager  sfrancis@ [work:] t o n o s . c o m
GPG public key 0xCB33CCA7  illum oportet crescere me autem minui



msg01932/pgp0.pgp
Description: PGP signature


Re: portscans (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Scott Francis

On Sun, May 19, 2002 at 12:12:01AM -0700, [EMAIL PROTECTED] said:
[snip]
 And what the critics keep missing is that it will take several landmine 
 hits across the internet to invoke a blackhole. Just scanning a few 
 individual hosts or /24s won't do it.
 
 There are three aims of the landmine project:
 
 1) early warning
 2) defensive response
 3) deterrence
 
 I realize such a project won't be absolutely, positively perfect in every 
 aspect, and it won't satisfy 100% of the people 100% of the time. But 
 that's hardly an excuse to not do it. IMO the positives outweigh the 
 negatives by far.

This is what I have been (unsuccessfully) attempting to state. I apparently
need more practice in being coherent. :)
-- 
Scott Francis   darkuncle@ [home:] d a r k u n c l e . n e t
Systems/Network Manager  sfrancis@ [work:] t o n o s . c o m
GPG public key 0xCB33CCA7  illum oportet crescere me autem minui



msg01933/pgp0.pgp
Description: PGP signature


Re: portscans (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Stephen J. Wilcox


On 18 May 2002, Scott Gifford wrote:

 
 Scott Francis [EMAIL PROTECTED] writes:
 
 [...]
 
  And why, pray tell, would some unknown and unaffiliated person be scanning my
  network to gather information or run recon if they were not planning on
  attacking? I'm not saying that you're not right, I'm just saying that so far
  I have heard no valid non-attack reasons for portscans (other than those run
  by network admins against their own networks).
 
 Before choosing an online bank, I portscanned the networks of the
 banks I was considering.  It was the only way I could find to get a
 rough assessment of their network security, which was important to me
 as a customer for obvious reasons.

I would argue that this is not good practice and you don't have the right
to intrude on the workings of the bank's network just because you have the
technology to do so.. if a telnet port was open would you also check that
you were unable to brute force your way in? That is to say.. what exactly
were you hoping to find and then do with the results?

I'd also say your reason for this is void, it's not your responsibility to
assess the bank's security. If they screw up they have insurance and
you're not at risk. 

 I'm not sure if I would have been impressed or annoyed if they had
 stopped accepting packets from my machine during the scan.  :-)

But surely if all their prospects do this they will not be able to handle
the volume of attacks and will be unable to keep up with blocking the more
minor benign scans. And you as a customer ought to prefer their time is
spent on legitimate attacks which means no one scans then 'for good
reasons' and all scans are therefore malicious and worthy of
investigating...

Steve

 
 -ScottG.
 




Re: route statistics

2002-05-19 Thread Stephane Bortzmeyer


On Sat, May 18, 2002 at 07:02:58PM -0400,
 Ralph Doncaster [EMAIL PROTECTED] wrote 
 a message of 10 lines which said:

 I'm trying to collect statistics on how many routes match certain
 patterns.  So far I've been using zebra, set term len 0, and then sh ip
 bgp regexp, and wait for the total prefixes count at the end of the list.
 I figure there must be a better way than this, but so far haven't found
 one.  Any ideas?

Compile zebra with --enable-snmp (the Debian binary package just
switched on this option) and snmpwalk the BGP table (1.3.6.1.2.1.15 ==
mib-2.15, see RFC 1657) ?

I didn't benchmark the two solutions against each other. If the BGP
machine is an actual forwarding router, not just a dedicated looking
glass, be sure to look at its load, not just at the wall-clock
response time.

Another solution is to dump the routing table
<URL:http://manticore.2y.net/doc/zebra/bgpd.html#Dump BGP packet and
table in MRT format> and to use MRT tools to analyze it (I tried that
and at least the Python version of these tools is hopelessly broken).




Re: portscans (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Ralph Doncaster


  I often like to know if a particular web server is running Unix or
  Winblows.  A port scanner is a useful tool in making that determination.
 
 a full-blown portscan is not required here. A simple telnet to port 80 will
 do the job.

A simple telnet to port 80 will sometimes do the job, but often not.
And even your statement "a full-blown portscan is not required" concedes
that a portscan will work in making this determination.





Re: portscans (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Ralph Doncaster


  rough assessment of their network security, which was important to me
  as a customer for obvious reasons.
 
 In that case, I would not consider the scan to have come from an
 'unaffiliated' person. I'm sure if the bank's network operator noticed it,
 and contacted you, things would have been cleared up with no harm done. To

It sounds like you know something that I don't.  How do you find out the
contact information for someone given only an IP address?

-Ralph





Re: PAIX (was Re: Interconnects)

2002-05-19 Thread Ralph Doncaster


 traffic.  If you're going to have to negotiate bilateral agreements to
 cover the bulk of your peering traffic, why not consistantly negotiate
 bilateral agreements?

Randy (Group Telecom) snubbed me when I asked to peer at TorIX.  Group
Telecom is on the AADS MLPA.  ATT Canada has a tough policy re peering as
well, and is on the AADS MLPA.  I'm sure there are others among the AADS
MLPA signatories that would refuse bilateral peering if I approached them.

-Ralph





Re: Re[2]: portscans (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Ralph Doncaster


 RD I often like to know if a particular web server is running Unix or
 RD Winblows.  A port scanner is a useful tool in making that determination.
 
 [allan@ns1 phpdig]$ telnet www.istop.com 80
 Trying 216.187.106.194...
 Connected to dci.doncaster.on.ca (216.187.106.194).
 Escape character is '^]'.
 HEAD / HTTP/1.0
 
 HTTP/1.1 200 OK
 Date: Sun, 19 May 2002 01:47:57 GMT
 Server: Apache/1.3.22 (Unix) FrontPage/4.0.4.3 PHP/4.1.2 mod_fastcgi/2.2.8

Sure, it works on some servers, but try it on yahoo.com, cnn.com, ...

-Ralph




Re[4]: portscans (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Allan Liska


Hello Ralph,

Sunday, May 19, 2002, 10:50:23 AM, you wrote:

 RD I often like to know if a particular web server is running Unix or
 RD Winblows.  A port scanner is a useful tool in making that determination.
 
 [allan@ns1 phpdig]$ telnet www.istop.com 80
 Trying 216.187.106.194...
 Connected to dci.doncaster.on.ca (216.187.106.194).
 Escape character is '^]'.
 HEAD / HTTP/1.0
 
 HTTP/1.1 200 OK
 Date: Sun, 19 May 2002 01:47:57 GMT
 Server: Apache/1.3.22 (Unix) FrontPage/4.0.4.3 PHP/4.1.2 mod_fastcgi/2.2.8

RD Sure, it works on some servers, but try it on yahoo.com, cnn.com, ...

As I think Eddy already mentioned, you can try Netcraft.  Of course in
the cases of Yahoo and CNN you have an Akamai factor...though CNN does
return some useful information:

telnet www.cnn.com 80
Trying 207.25.71.20...
Connected to www1.cnn.com (207.25.71.20).
Escape character is '^]'.
GET / HTTP/1.0

HTTP/1.1 200 OK
Server: Netscape-Enterprise/4.1
Date: Sun, 19 May 2002 14:58:55 GMT
Last-modified: Sun, 19 May 2002 14:58:55 GMT
Expires: Sun, 19 May 2002 14:59:55 GMT
Cache-control: private,max-age=60
Content-type: text/html
Connection: close

And, you can also try the direct approach: e-mail the webmaster and
ask :).  I guess the point I am trying to make is that there are ways
of finding out this information without having to resort to portscans.

The example of bank is a very good one.  With all of the security
risks involved in managing a web server, and the associated
database, it seems very important to ask the bank for an explanation
of the steps they have taken to secure their website, and their
customer database.

If they don't give a satisfactory bank somewhere else (or offer your
services ;)).  Certainly that is a better approach than scanning to
see what you can find out.  The organization receiving the scan has
no way of knowing what your intentions are -- and should interpret
them as hostile.


allan
-- 
allan
[EMAIL PROTECTED]
http://www.allan.org
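The HEAD/GET-by-hand check in the telnet sessions above, as an added example for this thread (not code posted by any participant): it sends the same request over a raw socket, parses the reply headers, and maps the Server: value to an OS family. fetch_head, the small OS table and the two non-Apache sample replies are assumptions; the Apache sample reproduces the headers quoted above. It also shows the limit Allan and Ralph run into: a bare product name (Netscape-Enterprise/4.1) or a cache/CDN in front of the origin leaves the OS question open.

```python
"""Grab a web server's HTTP banner and guess its OS family from the
Server: header.  Added example; fetch_head, OS_HINTS and the IIS/CDN
samples are assumptions, not output from the thread."""
import re
import socket


def fetch_head(host, port=80, timeout=5.0):
    """Send 'HEAD / HTTP/1.0' over a raw socket and return the reply bytes."""
    req = ("HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n" % host).encode("ascii")
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(req)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def parse_headers(raw):
    """Split a raw HTTP/1.x reply into (status line, {lower-name: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


# Substrings of Server: values that actually name the platform.
# Assumed table, limited to what 2002-era servers put there.
OS_HINTS = (
    (re.compile(r"\((?:[\w-]+/)?(unix|linux|freebsd|openbsd|netbsd|solaris)\)", re.I), "unix"),
    (re.compile(r"\(win32\)|microsoft-iis", re.I), "windows"),
)


def guess_os(server):
    """Map a Server: header to 'unix', 'windows' or 'unknown'.  A bare
    product name such as Netscape-Enterprise/4.1 settles nothing."""
    for pattern, family in OS_HINTS:
        if pattern.search(server or ""):
            return family
    return "unknown"


def classify(raw):
    """What one HEAD tells you: product, OS guess, and whether a cache
    or CDN front end is visible in the headers."""
    status, h = parse_headers(raw)
    server = h.get("server", "")
    fronted = "via" in h or "x-cache" in h or "akamai" in server.lower()
    return {"status": status, "server": server,
            "os": guess_os(server), "fronted": fronted}


# Constructed sample replies.  The first reproduces the Apache headers
# quoted in the thread; the other two are made up for this example.
SAMPLE_APACHE = (b"HTTP/1.1 200 OK\r\n"
                 b"Date: Sun, 19 May 2002 01:47:57 GMT\r\n"
                 b"Server: Apache/1.3.22 (Unix) FrontPage/4.0.4.3 PHP/4.1.2 mod_fastcgi/2.2.8\r\n"
                 b"\r\n")
SAMPLE_IIS = (b"HTTP/1.1 200 OK\r\n"
              b"Server: Microsoft-IIS/5.0\r\n"
              b"Content-Type: text/html\r\n\r\n")
SAMPLE_CDN = (b"HTTP/1.1 200 OK\r\n"
              b"Server: Netscape-Enterprise/4.1\r\n"
              b"Via: 1.1 cache3.example.net\r\n\r\n")

if __name__ == "__main__":
    for raw in (SAMPLE_APACHE, SAMPLE_IIS, SAMPLE_CDN):
        print(classify(raw))
```

Against a live host, classify(fetch_head("www.example.com")) does the whole check with one TCP connection to port 80, which is all the telnet session costs the target too.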




Re: Re[4]: portscans (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Ralph Doncaster


 If they don't give a satisfactory bank somewhere else (or offer your
 services ;)).  Certainly that is a better approach than scanning to
 see what you can find out.  The organization receiving the scan has
 no way of knowing what your intentions are -- and should interpret
 them as hostile.

I think that's pretty stupid.  If I had my network admin investigate every
portscan, my staff costs would go up 10x and I'd quickly go bankrupt.
Instead we keep our servers very secure, and spend the time and effort
only when there is evidence of a break in.





Re: Re[2]: portscans (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread JC Dill


On 07:50 AM 5/19/02, Ralph Doncaster wrote:
 
  RD I often like to know if a particular web server is running Unix or
  RD Winblows.  A port scanner is a useful tool in making that determination.
 
  [allan@ns1 phpdig]$ telnet www.istop.com 80
  Trying 216.187.106.194...
  Connected to dci.doncaster.on.ca (216.187.106.194).
  Escape character is '^]'.
  HEAD / HTTP/1.0
 
  HTTP/1.1 200 OK
  Date: Sun, 19 May 2002 01:47:57 GMT
  Server: Apache/1.3.22 (Unix) FrontPage/4.0.4.3 PHP/4.1.2 mod_fastcgi/2.2.8
 
 Sure, it works on some servers, but try it on yahoo.com, cnn.com, ...

http://uptime.netcraft.com/up/graph/?mode_u=off&mode_w=on&site=www.cnn.com

Works for me, works from any system that has a browser.  At any given time 
I'm *far* more likely to have a browser running than port scanning 
software, so this solution is also IMHO faster.

jc




Re: Re[6]: portscans (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Ralph Doncaster


 RD I think that's pretty stupid.  If I had my network admin investigate every
 RD portscan, my staff costs would go up 10x and I'd quickly go bankrupt.
 RD Instead we keep our servers very secure, and spend the time and effort
 RD only when there is evidence of a break in.
 
 I didn't say investigate every portscan, I said assume every portscan
 is hostile.  There is a big difference.

So you assume it's hostile and do what?  Automatically block the source
IP? If you do that then you open up a bigger DOS hole.  Then if someone
sends a bunch of SYN scans with the source address spoofed as your
upstream transit providers' BGP peering IP, poof! you're gone.





Re: Re[2]: portscans (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Ralph Doncaster


 http://uptime.netcraft.com/up/graph/?mode_u=off&mode_w=on&site=www.cnn.com
 
 Works for me, works from any system that has a browser.  At any given time 
 I'm *far* more likely to have a browser running than port scanning 
 software, so this solution is also IMHO faster.

Until today netcraft listed agamemnon.cnchost.com as "unknown".
I ran nmap to see what it says, so I guess you should assume I'm
hostile. ;-)

Interesting ports on agamemnon.cnchost.com (207.155.252.31):
(The 1519 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
25/tcp     open        smtp
80/tcp     open        http
110/tcp    open        pop-3

TCP Sequence Prediction: Class=truly random
 Difficulty=999 (Good luck!)
No OS matches for host (If you know what OS is running on it, see
http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
TSeq(Class=TR)
T1(Resp=Y%DF=Y%W=6045%ACK=S++%Flags=AS%Ops=NWM)
T2(Resp=N)
T3(Resp=N)
T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=N)





Re: portscans (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Greg A. Woods


[ On Sunday, May 19, 2002 at 03:16:28 (-0700), Dan Hollis wrote: ]
 Subject: Re: portscans (was Re: Arbor Networks DoS defense product)

 On 18 May 2002, Scott Gifford wrote:
  Before choosing an online bank, I portscanned the networks of the
  banks I was considering.  It was the only way I could find to get a
  rough assessment of their network security, which was important to me
  as a customer for obvious reasons.
 
 So for your offline banks, do you also go to the local branches at night 
 and jiggle all the locks to make sure their doors and windows are locked?

That analogy is fundamentally flawed.  For one the Internet is never
locked after hours -- there is no after hours, it's always open!

There are also no sign posts at every router on the Internet.  The only
sign-posts are the responses you get from trying a given door -- either
it opens or it doesn't.  Unless you actually try to go somewhere in
TCP/IP-land you won't know whether or not you can get there.  A good
firewall makes it appear for all intents and purposes that there's no
door handle to wiggle in the first place.

-- 
Greg A. Woods

+1 416 218-0098;  [EMAIL PROTECTED];  [EMAIL PROTECTED];  [EMAIL PROTECTED]
Planix, Inc. [EMAIL PROTECTED]; VE3TCP; Secrets of the Weird [EMAIL PROTECTED]



Re: portscans (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Greg A. Woods


[ On Sunday, May 19, 2002 at 11:22:08 (-0400), Ralph Doncaster wrote: ]
 Subject: Re: Re[4]: portscans (was Re: Arbor Networks DoS defense product)

 I think that's pretty stupid.  If I had my network admin investigate every
 portscan, my staff costs would go up 10x and I'd quickly go bankrupt.

Indeed -- and we can only hope.  I know a few companies who actually do
that, and sometimes their policies about how they do it are so broken
they refuse to acknowledge the difference between the likes of a squid
cache server just doing its job and a compromised Windoze box scanning
for web servers.  :-)

-- 
Greg A. Woods

+1 416 218-0098;  [EMAIL PROTECTED];  [EMAIL PROTECTED];  [EMAIL PROTECTED]
Planix, Inc. [EMAIL PROTECTED]; VE3TCP; Secrets of the Weird [EMAIL PROTECTED]



Re[8]: portscans (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Allan Liska


Hello Ralph,

Sunday, May 19, 2002, 12:13:35 PM, you wrote:

 RD I think that's pretty stupid.  If I had my network admin investigate every
 RD portscan, my staff costs would go up 10x and I'd quickly go bankrupt.
 RD Instead we keep our servers very secure, and spend the time and effort
 RD only when there is evidence of a break in.
 
 I didn't say investigate every portscan, I said assume every portscan
 is hostile.  There is a big difference.

RD So you assume it's hostile and do what?  Automatically block the source
RD IP? If you do that then you open up a bigger DOS hole.  Then if someone
RD sends a bunch of SYN scans with the source address spoofed as your
RD upstream transit providers' BGP peering IP, poof! you're gone.

You do the same thing you do with any attack: Log the information
and take appropriate action.  If you are constantly getting scanned
from one netblock, you should be aware of that, the only way to be
aware of it is to keep a record of all port scans.

A portscan may be innocent, though I agree with those who have said
previously that most portscans are not innocent, in which case it
gets filed away into a database and forgotten.  However, if the same
network is continuously portscanning your network that network should
be stopped.

This whole process can be automated, so that it does not involve
manual intervention...but don't you think a good network administrator
should know what is happening to their network?  And, since there is
no way to distinguish an innocent portscan from one that is a
precursor to an attack, wouldn't it make sense to keep track of all
portscans?


allan
-- 
allan
[EMAIL PROTECTED]
http://www.allan.org
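The automated record-then-block process Allan describes, with Ralph's objection built in, as an added example (not code from either of them): a bare SYN carries a spoofable source, so a scanner is recorded on SYN evidence alone but is auto-blocked only when at least one connection from it completed the three-way handshake, and addresses on a protected list (upstream BGP peers, resolvers) are never blocked by automation. Repeat offenders are then aggregated per /24. The log format, thresholds and protected addresses are assumptions, and the log lines are constructed.

```python
"""Scan detection over firewall log lines, with two caveats from the
thread: SYN-only evidence is spoofable, and critical peers must never be
auto-blocked.  Added example; log format, thresholds and the PROTECTED
set are assumptions."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (not any real firewall's):
#   <ISO timestamp> src=<ip> dport=<port> state=<syn|est>
# state=syn : a bare SYN hit a closed/filtered port (source spoofable)
# state=est : the 3-way handshake completed (source address is real)
LINE_RE = re.compile(r"^(\S+) src=(\S+) dport=(\d+) state=(syn|est)$")

WINDOW = timedelta(minutes=5)
PORT_THRESHOLD = 10        # distinct ports within WINDOW => a scan
NETBLOCK_THRESHOLD = 3     # confirmed scanners in one /24 => block the /24

# Never auto-block these: upstream BGP peers, resolvers, monitoring.
# Assumed values for the example.
PROTECTED = {ipaddress.ip_network(n) for n in ("198.51.100.0/30", "192.0.2.53/32")}


def is_protected(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PROTECTED)


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dport, state = m.groups()
    return datetime.fromisoformat(ts), src, int(dport), state


def detect_scans(lines):
    """Sources touching >= PORT_THRESHOLD distinct ports inside WINDOW.
    Returns {src: {"ports": n, "established": bool, "first": datetime}}."""
    events = defaultdict(list)
    established = defaultdict(bool)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dport, state = rec
        events[src].append((ts, dport))
        if state == "est":
            established[src] = True
    scanners = {}
    for src, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):            # sliding window
            ports = {p for t, p in evs[i:] if t - t0 <= WINDOW}
            if len(ports) >= PORT_THRESHOLD:
                scanners[src] = {"ports": len(ports),
                                 "established": established[src], "first": t0}
                break
    return scanners


def decide(scanners):
    """Everything detected is recorded; only handshake-confirmed,
    unprotected sources are blocked, and /24s with enough of them."""
    record, block, per_block = set(), set(), defaultdict(set)
    for src, info in scanners.items():
        record.add(src)
        if is_protected(src) or not info["established"]:
            continue                                 # spoofable or off-limits
        block.add(src)
        per_block[ipaddress.ip_network(src + "/24", strict=False)].add(src)
    netblocks = {str(n) for n, hosts in per_block.items()
                 if len(hosts) >= NETBLOCK_THRESHOLD}
    return {"record": record, "block": block, "block_netblocks": netblocks}


def sample_log():
    """Constructed log lines so the example runs without a firewall."""
    base = datetime(2002, 5, 19, 12, 0, 0)
    lines = []

    def hits(src, ports, state, offset=0):
        for i, p in enumerate(ports):
            t = base + timedelta(seconds=offset + i)
            lines.append("%s src=%s dport=%d state=%s" % (t.isoformat(), src, p, state))

    for host in ("203.0.113.7", "203.0.113.8", "203.0.113.9"):
        hits(host, range(1, 13), "syn")              # 12 closed ports probed
        hits(host, [80], "est", offset=20)           # then a real connection
    hits("203.0.113.99", range(1, 13), "syn")        # scan, never completed a handshake
    hits("198.51.100.1", range(1, 16), "syn")        # SYNs "from" our BGP peer: spoofed
    hits("192.0.2.77", [22, 80, 443], "est")         # ordinary client, not a scan
    return lines


if __name__ == "__main__":
    print(decide(detect_scans(sample_log())))
```

The spoofed burst "from" 198.51.100.1 ends up in the record set, which is what Allan wants kept, but never in the block set, which is what Ralph's peering session needs; the three confirmed hosts in 203.0.113.0/24 trip the netblock rule.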




Re: portscans (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Scott Gifford


Stephen J. Wilcox [EMAIL PROTECTED] writes:

 On 18 May 2002, Scott Gifford wrote:
 
  
  Scott Francis [EMAIL PROTECTED] writes:
  
  [...]
  
   And why, pray tell, would some unknown and unaffiliated person
   be scanning my network to gather information or run recon if
   they were not planning on attacking? I'm not saying that you're
   not right, I'm just saying that so far I have heard no valid
   non-attack reasons for portscans (other than those run by
   network admins against their own networks).
 
   Before choosing an online bank, I portscanned the networks of the
  banks I was considering.  It was the only way I could find to get
  a rough assessment of their network security, which was important
  to me as a customer for obvious reasons.
 
 I would argue that this is not good practice and you dont have the
 right to intrude on the workings of the banks network just because
 you have the technology to do so.. if a telnet port was open would
 you also check that you were unable to brute force your way in? That
 is to say.. what exactly were you hoping to find and then do with
 the results?

I'm not arguing it's good practice.  I'm giving it as an example of a
reason why somebody might scan your network, even though they were not
planning on attacking.

ScottG.



RE: portscans (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread James



   Before choosing an online bank, I portscanned the networks of the
   banks I was considering.  It was the only way I could find to get a
   rough assessment of their network security, which was important to
   me as a customer for obvious reasons.
  
[snip]
 
 I'm not arguing it's good practice.  I'm giving it as an 
 example of a reason why somebody might scan your network, 
 even though they were not planning on attacking.
 

Even then, it's not really effective.  Most compromises I have read about
at major banking providers are from someone at a business partner or
something inside the business indirectly related to the web service
being compromised and then the internal network and any inherent trust
relationships being compromised.

Very rarely is it something super-obvious like an open service with a
default password (but I'm sure there are notable exceptions).

So a portscan of their forward netblocks isn't really a 'test' of their
network security, imo.

- James




Re: portscans (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread william


We maintain the most comprehensive recursive whois engine tool at completewhois.com

So you could also try this and get more info :)

[support@sokol support]$ whois -h completewhois.com  207.99.113.65 
[completewhois.com]

[whois.arin.net]
Net Access Corporation (NETBLK-NAC-NETBLK01)
   1719b Route 10E, Suite 111
   Parsippany, NJ 07054
   US

   Netname: NAC-NETBLK01
   Netblock: 207.99.0.0 - 207.99.127.255
   Maintainer: NAC

   Coordinator:
  Net Access Corporation  (ZN77-ARIN)  [EMAIL PROTECTED]
  800-638-6336

   Domain System inverse mapping provided by:

   NS1.NAC.NET  207.99.0.1
   NS2.NAC.NET  207.99.0.2

   ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE

   * Reassignment information for this network is available
   * at whois.nac.net 43

   Record last updated on 22-Aug-2001.
   Database last updated on  18-May-2002 19:58:45 EDT.

The ARIN Registration Services Host contains ONLY Internet
Network Information: Networks, ASN's, and related POC's.
Please use the whois server at rs.internic.net for DOMAIN related
Information and whois.nic.mil for NIPRNET Information.
[WHOIS.NAC.NET]
NAC-Rwhoisd32 Server Ready - [silver/43] Rwhoisd32 v1.0.36

Net Access Corp. (NETBLK-NET-CF637140-28)
   PO Box 55
   Denville, NJ  07834
   USA

Netname : NET-CF637140-28
Netblock: 207.99.113.64/28

Coordinator:
   Rubenstein, Alex  [EMAIL PROTECTED]

Database updated instantaneously.

This Registration Services Host contains ONLY Net Access Corporation 
Network Information. Please use the whois server at whois.arin.net for 
networks not found here.


On Sun, 19 May 2002, Alex Rubenstein wrote:

 
 
 helium:~$ whois -a 207.99.113.65
 Net Access Corporation (NETBLK-NAC-NETBLK01)
1719b Route 10E, Suite 111
Parsippany, NJ 07054
US
 
Netname: NAC-NETBLK01
Netblock: 207.99.0.0 - 207.99.127.255
Maintainer: NAC
 
Coordinator:
   Net Access Corporation  (ZN77-ARIN)  [EMAIL PROTECTED]
   800-638-6336
 
Domain System inverse mapping provided by:
 
NS1.NAC.NET  207.99.0.1
NS2.NAC.NET  207.99.0.2
 
ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
 
* Reassignment information for this network is available
* at whois.nac.net 43
 
 
 
 
 On Sun, 19 May 2002, Ralph Doncaster wrote:
 
 
rough assessment of their network security, which was important to me
as a customer for obvious reasons.
  
   In that case, I would not consider the scan to have come from an
   'unaffiliated' person. I'm sure if the bank's network operator noticed it,
   and contacted you, things would have been cleared up with no harm done. To
 
  It sounds like you know something that I don't.  How do you find out the
  contact information for someone given only an IP address?
 
  -Ralph
 
 
 
 
 -- Alex Rubenstein, AR97, K2AHR, [EMAIL PROTECTED], latency, Al Reuben --
 --Net Access Corporation, 800-NET-ME-36, http://www.nac.net   --
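What the recursive lookup above does, as an added example that is not completewhois.com's code: query the regional registry, pick the "Reassignment information ... at <server> <port>" pointer out of the reply, and re-query the server it names until no further referral appears. The referral wording and the two sample replies are taken from the ARIN and whois.nac.net output quoted above (contacts omitted); whois_query is a plain RFC 3912 round trip and is an assumption, as is the fake_query stand-in that makes the example run offline. As Ralph notes next, the chain for a non-SWIP'd dial-up or ADSL address stops at the ISP's block, so the most specific record you get back is the ISP's, and that is the contact to use.

```python
"""Follow whois referrals from a regional registry to the ISP's rwhois
server.  Added example; whois_query and fake_query are assumptions, the
sample replies are trimmed copies of the output quoted in the thread."""
import re
import socket

REFERRAL_RE = re.compile(
    r"Reassignment information for this network is available\s+at\s+(\S+)\s+(\d+)", re.I)


def whois_query(server, query, port=43, timeout=10.0):
    """One whois round trip (RFC 3912): send query + CRLF, read to EOF."""
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall((query + "\r\n").encode("ascii"))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("latin-1")


def find_referral(text):
    """(server, port) named in an ARIN-style referral, or None.  The
    pointer is wrapped across two '*' bullet lines, so flatten first."""
    flat = " ".join(l.strip().lstrip("*").strip() for l in text.splitlines())
    m = REFERRAL_RE.search(flat)
    return (m.group(1), int(m.group(2))) if m else None


def recursive_whois(query, start="whois.arin.net", max_hops=4, query_fn=whois_query):
    """Query start, then each server it refers to, until there is no
    referral, a loop, or max_hops.  Returns [(server, reply), ...]."""
    visited, hops = [], []
    server, port = start, 43
    while len(hops) < max_hops and (server, port) not in visited:
        visited.append((server, port))
        text = query_fn(server, query, port)
        hops.append((server, text))
        ref = find_referral(text)
        if ref is None:
            break
        server, port = ref
    return hops


def most_specific_netblock(hops):
    """Netblock: value from the last hop that has one, i.e. the most
    specific assignment the registries know about."""
    blocks = []
    for _, text in hops:
        blocks.extend(m.group(1) for m in re.finditer(r"^\s*Netblock:\s*(.+?)\s*$", text, re.M))
    return blocks[-1] if blocks else None


# Constructed stand-ins for the two servers, trimmed from the thread's output.
ARIN_TEXT = """\
Net Access Corporation (NETBLK-NAC-NETBLK01)
   1719b Route 10E, Suite 111
   Parsippany, NJ 07054
   US

   Netname: NAC-NETBLK01
   Netblock: 207.99.0.0 - 207.99.127.255
   Maintainer: NAC

   ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE

   * Reassignment information for this network is available
   * at whois.nac.net 43
"""
NAC_TEXT = """\
NAC-Rwhoisd32 Server Ready - [silver/43] Rwhoisd32 v1.0.36

Net Access Corp. (NETBLK-NET-CF637140-28)
   PO Box 55
   Denville, NJ  07834
   USA

Netname : NET-CF637140-28
Netblock: 207.99.113.64/28
"""
FAKE_RESPONSES = {("whois.arin.net", 43): ARIN_TEXT, ("whois.nac.net", 43): NAC_TEXT}


def fake_query(server, query, port=43):
    """Offline replacement for whois_query (assumption for the example)."""
    return FAKE_RESPONSES[(server, port)]


if __name__ == "__main__":
    hops = recursive_whois("207.99.113.65", query_fn=fake_query)
    print([s for s, _ in hops], most_specific_netblock(hops))
```

Swap fake_query for the default whois_query to run it against the live registries; the visited list stops two servers that refer to each other from looping forever.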
 




Re: portscans (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Ralph Doncaster


That's a netblock, not an IP address.  Your script kiddie at home with a
cable modem or ADSL connection is not going to have his IP SWIP'd or
populated in his ISP's rwhois server. Try that with 206.47.27.12 for
instance.  That is a Sympatico ADSL customer here in Ottawa.

Ralph Doncaster
principal, IStop.com 
div. of Doncaster Consulting Inc.

On Sun, 19 May 2002, Alex Rubenstein wrote:

 
 
 helium:~$ whois -a 207.99.113.65
 Net Access Corporation (NETBLK-NAC-NETBLK01)
1719b Route 10E, Suite 111
Parsippany, NJ 07054
US
 
Netname: NAC-NETBLK01
Netblock: 207.99.0.0 - 207.99.127.255
Maintainer: NAC
 
Coordinator:
   Net Access Corporation  (ZN77-ARIN)  [EMAIL PROTECTED]
   800-638-6336
 
Domain System inverse mapping provided by:
 
NS1.NAC.NET  207.99.0.1
NS2.NAC.NET  207.99.0.2
 
ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
 
* Reassignment information for this network is available
* at whois.nac.net 43
 
 
 
 
 On Sun, 19 May 2002, Ralph Doncaster wrote:
 
 
rough assessment of their network security, which was important to me
as a customer for obvious reasons.
  
   In that case, I would not consider the scan to have come from an
   'unaffiliated' person. I'm sure if the bank's network operator noticed it,
   and contacted you, things would have been cleared up with no harm done. To
 
  It sounds like you know something that I don't.  How do you find out the
  contact information for someone given only an IP address?
 
  -Ralph
 
 
 
 
 -- Alex Rubenstein, AR97, K2AHR, [EMAIL PROTECTED], latency, Al Reuben --
 --Net Access Corporation, 800-NET-ME-36, http://www.nac.net   --
 
 
 




Re: Re[8]: portscans (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Greg A. Woods


[ On Sunday, May 19, 2002 at 14:14:18 (-0400), Allan Liska wrote: ]
 Subject: Re[8]: portscans (was Re: Arbor Networks DoS defense product)

 However, if the same
 network is continuously portscanning your network that network should
 be stopped.

Unless you're also a tier-1 kind of provider you don't usually get to
control the AUP for other networks unrelated to your own.

How do you propose to resolve a fundamental conflict between your own
users need to access the content on a network that also happens to be
regularly scanning your network?  Unless real damage is done you
probably don't even have any recourse under the law, even if you do
happen to be in the same jurisdiction (and heaven help us should any
such recourse ever become possible in the free world!).

Unless you expect to be vulnerable to attack and thus really need to
have a record of past scans in case they can be used in evidence; or
maybe unless you're doing research into scanning activities; even
keeping long-term logs of all scans becomes more of a burden than it's
worth.

You will be scanned.  Resistance is futile!  I.e. get over it!  ;-)

(Actually, that's not as bad of an analogy -- look at how active scans
are handled in science fiction, such as in Star Trek.  Sometimes they're
treated as hostile, sometimes not.  Scans aren't just used to target
weapons -- they're also used to detect life signs on rescue missions!
Certainly unless the captain is scared witless he or she has never held
back on doing an active scan when information is needed, and when he or
she is scared of detection a variety of stealth scans are often still
attempted.)

-- 
Greg A. Woods

+1 416 218-0098;  [EMAIL PROTECTED];  [EMAIL PROTECTED];  [EMAIL PROTECTED]
Planix, Inc. [EMAIL PROTECTED]; VE3TCP; Secrets of the Weird [EMAIL PROTECTED]



RE: Re[8]: portscans (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Benjamin P. Grubin


If you separate the pointless argument about the hostility of portscans
and the viability of a distributed landmine system, this may turn out to
be a useful discussion in the end.  I mean--we all know portscans are
hardly the ideal trigger anyhow.  On top of the potential ambiguity of
their intention, they are also difficult to reliably detect.  

The distributed landmine tied to subscription blackhole ala RBL may very
well have significant positive attributes that are being drowned out due
to the portscan debate.  Obviously the vast majority in the spam world
think RBL and/or ORBS have merit, despite the vocal complaints.  Why not
discuss viable alternative trigger methods instead of whining about
portscans?

Cheers,
Benjamin P. Grubin, CISSP, GIAC

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On 
 Behalf Of Greg A. Woods
 Sent: Sunday, May 19, 2002 4:48 PM
 To: North America Network Operators Group Mailing List
 Subject: Re: Re[8]: portscans (was Re: Arbor Networks DoS 
 defense product)
 
 
 
 [ On Sunday, May 19, 2002 at 14:14:18 (-0400), Allan Liska wrote: ]
  Subject: Re[8]: portscans (was Re: Arbor Networks DoS defense product)
 
  However, if the same
  network is continuously portscanning your network that network should
  be stopped.
 
 Unless you're also a tier-1 kind of provider you don't usually get to
 control the AUP for other networks unrelated to your own.
 
 How do you propose to resolve a fundamental conflict between your own
 users need to access the content on a network that also happens to be
 regularly scanning your network?  Unless real damage is done you
 probably don't even have any recourse under the law, even if you do
 happen to be in the same jurisdiction (and heaven help us should any
 such recourse ever become possible in the free world!).
 
 Unless you expect to be vulnerable to attack and thus really need to
 have a record of past scans in case they can be used in evidence; or
 maybe unless you're doing research into scanning activities; even
 keeping long-term logs of all scans becomes more of a burden than it's
 worth.
 
 You will be scanned.  Resistance is futile!  I.e. get over it!  ;-)
 
 (Actually, that's not as bad of an analogy -- look at how active scans
 are handled in science fiction, such as in Star Trek.  Sometimes they're
 treated as hostile, sometimes not.  Scans aren't just used to target
 weapons -- they're also used to detect life signs on rescue missions!
 Certainly unless the captain is scared witless he or she has never held
 back on doing an active scan when information is needed, and when he or
 she is scared of detection a variety of stealth scans are often still
 attempted.)
 
 -- 
 Greg A. Woods
 
 +1 416 218-0098;  [EMAIL PROTECTED];  [EMAIL PROTECTED];  [EMAIL PROTECTED]
 Planix, Inc. [EMAIL PROTECTED]; VE3TCP; Secrets of the Weird [EMAIL PROTECTED]
 
 
 





Re: portscans (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Greg A. Woods


[ On Sunday, May 19, 2002 at 17:45:36 (-0400), Benjamin P. Grubin wrote: ]
 Subject: RE: Re[8]: portscans (was Re: Arbor Networks DoS defense product)

 If you separate the pointless argument about the hostility of portscans
 and the viability of a distributed landmine system, this may turn out to
 be a useful discussion in the end.  I mean--we all know portscans are
 hardly the ideal trigger anyhow.  On top of the potential ambiguity of
 their intention, they are also difficult to reliably detect.  
 
 The distributed landmine tied to subscription blackhole ala RBL may very
 well have significant positive attributes that are being drowned out due
 to the portscan debate.  Obviously the vast majority in the spam world
 think RBL and/or ORBS have merit, despite the vocal complaints.  Why not
 discuss viable alternative trigger methods instead of whining about
 portscans?

Well, there is still the issue of discovering the intent of a scan,
regardless of how many landmines have to be triggered before a
blackhole listing is put in place.

Such technology is very dangerous if automated.  Anyone with sufficient
intelligence to find enough of the landmine systems could probably also
figure out how to trigger them in such a way as to DoS any random host
or network at will (assuming enough networks to matter used the listing
service in real time).  Unless there's also a sure-fire automated way of
quickly revoking such a black list entry, as well as a free
white-listing service, the consequences are far too dire to earn my
support.

On the other hand SMTP open relay blackholes are easy to prove and
usually easy enough to fix and get de-listed from.  Even the Spamcop
realtime DNS list bl.spamcop.net is pretty hard to trick, and of
course it's not really widely enough used that getting listed there is
all that disruptive (apparently, since listed sites keep sending spam
with no apparent degradation in their throughput).

-- 
Greg A. Woods

+1 416 218-0098;  [EMAIL PROTECTED];  [EMAIL PROTECTED];  [EMAIL PROTECTED]
Planix, Inc. [EMAIL PROTECTED]; VE3TCP; Secrets of the Weird [EMAIL PROTECTED]



Re: Network Reliability Engineering

2002-05-19 Thread Nigel Clarke


Try The Art of Testing Network Systems 

ISBN: 0-471-13223-3

---

Nigel Clarke
Network Security Engineer
[EMAIL PROTECTED] 




Peering BOF V - Call for Participants

2002-05-19 Thread William B. Norton


Hi all -

NANOG is only three weeks away and Monday evening at NANOG there will be 
another Peering BOF ; thanks to those that suggested this on the survey forms!

We'll do this the same way as last time / the same way the Peering 
Personals ran at the last GPF:

*Peering Coordinators*: Send me the completed RSVP form below.
I'll assemble these into logos, icons, AS#s and contact info
With this backdrop, each of you in turn gets a chance to stand up and
a) introduce yourself, your network,
b) what you are looking for in a peer,
c) why folks should want to peer with you, and
d) at which locations you currently peer or plan to peer.

Making the initial contact with the potential peer is (oddly enough) the 
most difficult part of peering, and the Peering Personals have proven to be 
an effective (and lively!) way to make those initial contacts. So *Peering 
Coordinators* - send me those RSVPs!

Since we only have 90 minutes I'm going to limit the number of Peering 
Coordinators to 25 or so. If there is time remaining we'll use the rest of 
the time for ad hoc Peering Personals as we did last time.

A couple comments: I noticed on the thread Interconnects folks were 
talking about willingness to peer and MLPAs. At least from the 
conversations I had during my research on Peering, I found relatively 
little interest in MLPAs. For those using contracts for peering, folks 
preferred to control peering using their own contracts written by their 
lawyers, stating their evolving peering terms and conditions, and generally 
felt somewhat like they were losing control by signing up to a MLPA document.

At the same time, I have found from running these Peering Personals and 
talking with these Peering Coordinators, that maybe 80% of all Peering 
Coordinators had a relatively open peering policy. By Relatively Open I 
mean that they would peer in any single location or multiple locations with 
companies that they would not consider to be a prospective customer. This 
openness was surprising given all the huff and puff on mailing lists over 
the years about *not* being able to get peering.  We'll see if my 80% 
figure rings true at the Peering BOF, and I'll share a couple anecdotes 
about an emerging set of significant traffic open peers at the Peering BOF.

Bill

-- RSVP FORM -- Clip Here 
---
Please Fill out and e-mail to [EMAIL PROTECTED] with Subject: Peering BOF V

Name: __
Email: __
Title:   __
Company: ___
AS#(s): _

Check each that applies:

___ We are an ISP (sell access to the Internet)
   -- OR --
___ We are a Non-ISP (content company, etc.)

___ We are Content-Heavy
  -- OR --
___ We are Access-Heavy

___ We generally require peering in multiple locations
  -- OR --
___ We will peer with anyone in any single location

___ Peering with Content Players or Content Heavy ISPs is OK by us
___ We have huge volumes of traffic (lots of users and/or lots of content)
(Huge: > 1 Gbps total outbound traffic to peers and transit providers)
___ We have a global network
___ We require written contracts for peering
___ We have a U.S. Nation-Wide Backbone (East Coast, West Coast, and at 
least one location in the middle)

--- snip 
 




Re: portscans (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Dan Hollis


On Sun, 19 May 2002, Mitch Halmu wrote:
  On Sun, 19 May 2002, Greg A. Woods wrote:
   Such technology is very dangerous if automated.
  And if it's not?
 Quis custodiet ipsos custodes?
 Such technology is very dangerous, period. Here they go again, trying 
 to elevate some Internet masterrace of super heroes, bent on ruling 
 over the masses. The titans of blackholing, carving out a fiefdom for 
 themselves, with powers of disrupting the connectivity of any network 
 they so chose. You anger some net.warlord, and your network disappears.
 What is it that turns a technocracy into idolaters?

Just to put mitch's rant into perspective for unfamiliar nanog readers:
http://work-rss.mail-abuse.org/cgi-bin/nph-rss?query=205.159.140.2

netside has been a long time lunatic opponent of RBLs

-Dan
-- 
[-] Omae no subete no kichi wa ore no mono da. [-]





Re: portscans (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Mitch Halmu



On Sun, 19 May 2002, Dan Hollis wrote:
 
 netside has been a long time lunatic opponent of RBLs

First they came for the Communists,
and I didn't speak up,
because I wasn't a Communist.
Then they came for the Jews,
and I didn't speak up,
because I wasn't a Jew.
Then they came for the Catholics,
and I didn't speak up,
because I was a Protestant.
Then they came for me,
and by that time there was no one
left to speak up for me.

(Rev. Martin Niemoller, 1945)

--Mitch
NetSide



Re: portscans (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Mike Lewinski


 On Sun, 19 May 2002, Dan Hollis wrote:

  netside has been a long time lunatic opponent of RBLs

 First they came for the Communists,
 and I didn't speak up,
 because I wasn't a Communist.
 Then they came for the Jews,
 and I didn't speak up,
 because I wasn't a Jew.
 Then they came for the Catholics,
 and I didn't speak up,
 because I was a Protestant.
 Then they came for me,
 and by that time there was no one
 left to speak up for me.

Me, I will give them a nice color map to your house.

Shiksaa was kind enough to point out a picture of you. I know that I really
shouldn't do this, but.

http://63.117.95.227/kooks/mitch.html


Mike

- opinions are definitely just mine and mine alone.




Re: portscans (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Tim A . Irwin



 
 From: Mitch Halmu [EMAIL PROTECTED]
 Date: 2002/05/19 Sun PM 11:32:20 EDT
 To: Dan Hollis [EMAIL PROTECTED]
 CC: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
 Subject: Re: portscans (was Re: Arbor Networks DoS defense product)
 
 
 
 On Sun, 19 May 2002, Dan Hollis wrote:
  
  netside has been a long time lunatic opponent of RBLs

Wait for it... wait for it... here it comes...
 
 First they came for the Communists,
 and I didn't speak up,
 because I wasn't a Communist.
 Then they came for the Jews,
 and I didn't speak up,
 because I wasn't a Jew.
 Then they came for the Catholics,
 and I didn't speak up,
 because I was a Protestant.
 Then they came for me,
 and by that time there was no one
 left to speak up for me.
 
 (Rev. Martin Niemoller, 1945)
 
 --Mitch
 NetSide


SCORE!!!  And the point is awarded to Dan!






Re: portscans (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread E.B. Dreger


TA Date: Mon, 20 May 2002 0:50:58 -0400
TA From: Tim A.Irwin


TA Wait for it... wait for it... here it comes...
TA SCORE!!!  And the point is awarded to Dan!

Close enough to call it a Godwin? ;-)


--
Eddy

Brotsman & Dreger, Inc. - EverQuick Internet Division
Phone: +1 (316) 794-8922 Wichita/(Inter)national
Phone: +1 (785) 865-5885 Lawrence

~
Date: Mon, 21 May 2001 11:23:58 + (GMT)
From: A Trap [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Please ignore this portion of my mail signature.

These last few lines are a trap for address-harvesting spambots.
Do NOT send mail to [EMAIL PROTECTED], or you are likely to
be blocked.




Re: route statistics

2002-05-19 Thread Bradley Dunn


 I'm trying to collect statistics on how many routes match certain
 patterns.  So far I've been using zebra, set term len 0, and then sh ip
 bgp regexp, and wait for the total prefixes count at the end of the list.
 I figure there must be a better way than this, but so far haven't found
 one.  Any ideas?

Zebra supports dumping the RIB to MRT binary format. See the 'dump bgp'
family of commands. I find this format much easier to deal with than CLI
output.

Bradley

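As an added example (not Zebra's code and not Bradley's), here is a small Python reader for the TABLE_DUMP records that Zebra's 'dump bgp' commands write, counting the prefixes whose AS path matches a regexp instead of scraping 'sh ip bgp regexp' output. The MRT blob it runs over is constructed inline, and its prefixes, peer address and ASNs are sample values.

```python
import re
import socket
import struct
MRT_TABLE_DUMP, AFI_IPV4, ATTR_AS_PATH = 12, 1, 2   # MRT type/subtype (RFC 6396), BGP attr code

def as_path(attrs):
    """AS_PATH from a BGP attribute blob as 'a b c' (AS_SET as {a,b}); TABLE_DUMP uses 2-byte ASNs."""
    i, segs = 0, []
    while i < len(attrs):
        flags, code = attrs[i], attrs[i + 1]
        if flags & 0x10:                                   # extended-length attribute
            ln, i = struct.unpack_from("!H", attrs, i + 2)[0], i + 4
        else:
            ln, i = attrs[i + 2], i + 3
        val, i, j = attrs[i:i + ln], i + ln, 0
        if code != ATTR_AS_PATH:
            continue
        while j < len(val):                                # one path segment per iteration
            stype, n = val[j], val[j + 1]
            asns = struct.unpack_from("!%dH" % n, val, j + 2)
            j += 2 + 2 * n
            text = ",".join(map(str, asns))
            segs.append("{%s}" % text if stype == 1 else text.replace(",", " "))
    return " ".join(segs)

def iter_table_dump(blob):
    """Yield (prefix, as_path) for each TABLE_DUMP/AFI_IPv4 record in an MRT blob."""
    off = 0
    while off + 12 <= len(blob):                           # 12-byte MRT common header
        _, mtype, subtype, length = struct.unpack_from("!IHHI", blob, off)
        body, off = blob[off + 12:off + 12 + length], off + 12 + length
        if (mtype, subtype) == (MRT_TABLE_DUMP, AFI_IPV4):  # other record types are skipped
            plen, alen = body[8], struct.unpack_from("!H", body, 20)[0]
            yield "%s/%d" % (socket.inet_ntoa(body[4:8]), plen), as_path(body[22:22 + alen])

def count_matching(blob, regexp):
    """Count prefixes whose AS path matches; write '(^| )701( |$)' where the CLI takes '_701_'."""
    rx = re.compile(regexp)
    return sum(1 for _, path in iter_table_dump(blob) if rx.search(path))

def make_record(prefix, plen, path):
    """Build a constructed TABLE_DUMP record (sample input, not from a real Zebra dump)."""
    seg = struct.pack("!BB%dH" % len(path), 2, len(path), *path)   # single AS_SEQUENCE
    attr = struct.pack("!BBB", 0x40, ATTR_AS_PATH, len(seg)) + seg  # transitive, short length
    body = struct.pack("!HH4sBBI4sHH", 0, 0, socket.inet_aton(prefix), plen, 1, 0,
                       socket.inet_aton("192.0.2.1"), path[0], len(attr)) + attr
    return struct.pack("!IHHI", 0, MRT_TABLE_DUMP, AFI_IPV4, len(body)) + body

SAMPLE_DUMP = b"".join(make_record(p, 24, path) for p, path in [("203.0.113.0", (7018, 701, 65001)),
                       ("198.51.100.0", (7018, 65002)), ("192.0.2.0", (3356, 701, 65003))])
```

Feed a real dump file's bytes to count_matching in place of SAMPLE_DUMP; a newer TABLE_DUMP_V2 file (4-byte ASNs, RIB_IPV4_UNICAST records) would need a different record layout.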



Re: portscans (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Scott Francis

On Sun, May 19, 2002 at 10:02:26PM -0400, [EMAIL PROTECTED] said:
[snip]
   Such technology is very dangerous if automated.
  
  And if it's not?
 
 Quis custodiet ipsos custodes?
 
 Such technology is very dangerous, period. Here they go again, trying 
 to elevate some Internet masterrace of super heroes, bent on ruling 
 over the masses. The titans of blackholing, carving out a fiefdom for 
 themselves, with powers of disrupting the connectivity of any network 
 they so chose. You anger some net.warlord, and your network disappears.

No. You attack or spam some other network, and said network's operator can
take action as appropriate to that network. Such action may include that
network refusing to accept future traffic from the offending network until
the problem is resolved. I don't see how this rates as 'ruling over the
masses' - it becomes, as it always has been, individual network operators
deciding how best to run their networks, as they see fit. My decisions apply
to my network, and nobody else's.

Or are you saying that network operators should not be trusted to run their
networks as they see fit? Who then makes the rules?

 What is it that turns a technocracy into idolaters?

What is it that turns the decision of an individual network operator into a
rant about political ideology?

-- 
Scott Francis   darkuncle@ [home:] d a r k u n c l e . n e t
Systems/Network Manager  sfrancis@ [work:] t o n o s . c o m
GPG public key 0xCB33CCA7  illum oportet crescere me autem minui





Re: portscans (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Scott Francis

On Sun, May 19, 2002 at 11:32:20PM -0400, [EMAIL PROTECTED] said:
 
 
 On Sun, 19 May 2002, Dan Hollis wrote:
  
  netside has been a long time lunatic opponent of RBLs
 
 First they came for the Communists,
 and I didn't speak up,
 because I wasn't a Communist.
 Then they came for the Jews,
 and I didn't speak up,
 because I wasn't a Jew.

That's close enough to Godwin for me. Next discussion, please.

 Then they came for the Catholics,
 and I didn't speak up,
 because I was a Protestant.
 Then they came for me,
 and by that time there was no one
 left to speak up for me.
 
 (Rev. Martin Niemoller, 1945)
 
 --Mitch
 NetSide

-- 
Scott Francis   darkuncle@ [home:] d a r k u n c l e . n e t
Systems/Network Manager  sfrancis@ [work:] t o n o s . c o m
GPG public key 0xCB33CCA7  illum oportet crescere me autem minui


