Re: Bogon list or Dshield.org type list
I looked up a nameserver that I once worked with and found that it is attacking from port 53. Needless to say, it's not hacked, it's answering queries.

Charles

--
Charles Sprickman [EMAIL PROTECTED]

On Sat, 27 Jul 2002, Johannes Ullrich wrote:

I do not recommend adding every IP listed at DShield to your filter. We do publish a 'block list' of the worst networks (based on reports for the last 5 days). Quick note on our methods: we basically aggregate firewall logs and offer summarized reports. The reports should allow everyone to apply their own judgment. For the block list: http://www.dshield.org/block_list_info.html

On Sat, 27 Jul 2002 20:19:47 -0400 Phil Rosenthal [EMAIL PROTECTED] wrote:

I can comment on the dshield list. I have seen this before. I am checking one particular IP on my network that has a very popular freehost on it. Checking the load balancer IP (connections cannot be originated from this IP) -- it shows that there were 13 attacks initiated from the IP, and 7 targets. Whatever their algorithm is, it doesn't seem reliable enough for me to trust it if an IP that cannot originate connections is listed as an attacker (albeit small on their list).

--Phil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of alsato
Sent: Saturday, July 27, 2002 8:08 PM
To: [EMAIL PROTECTED]
Subject: Bogon list or Dshield.org type list

I'm wondering how many of you use Bogon Lists and http://www.dshield.org/top10.html type lists on your routers? I'm curious to know if you are an ISP with customers or a backbone provider or someone else? I have a feeling not many people use these on routers? I'm wondering why or why not? I've never used them on my routers although I work for a new isp/cable provider. I'm thinking it would make my users happy to use them though.

alsato

--
---
[EMAIL PROTECTED] Collaborative Intrusion Detection join http://www.dshield.org
Re: NIST Wireless ...
On Sat, 27 Jul 2002, W.D.McKinney wrote:

NASA has had this out for over a year. http://www.nas.nasa.gov/Groups/Networks/Projects/Wireless/index.html

Yep, it's like the early 1980's all over again when wardialing first came up. All sorts of security features were built into modems, such as callback, modem passwords, encryption, etc. Some people enabled every security feature modem vendors created. As long as you used the same modem brand on both ends, you might even get them all to work. Eventually people decided the modem level was generally the wrong place to do access control. System, NAS/RAS, etc. were used to enforce access controls. Of course, there were some basic things you should configure correctly, or you might experience some problems. +++ATH

I'm not sure we've come to an agreement on the best way to handle wireless networks.
Re: Bogon list or Dshield.org type list
Yes - DShield has our ORSC root server listed as well. I thought that was hilarious.

- Original Message -
From: Charles Sprickman [EMAIL PROTECTED]
To: Johannes Ullrich [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Sunday, July 28, 2002 2:36 AM
Subject: Re: Bogon list or Dshield.org type list

I looked up a nameserver that I once worked with and found that it is attacking from port 53. Needless to say, it's not hacked, it's answering queries.
Re: Dshield.org
I do not recommend adding every IP listed at DShield to your filter

/understatement.

I took a short while to peruse the data collected and distributed by DShield. I don't believe I need to go into the many reasons (I'm sure you know yourself) why this information is completely unreliable, but worse, possibly damaging.

/overstatement ;-)

DShield data is not 'completely unreliable'. However, in order to use it, one has to understand and take into account how it is collected. If you find one of your machines listed as an 'attacker', you may want to take a closer look at the reports. If it turns out that the machine in question is your DNS server, and the reports listed are port 53 requests, you can probably assume that everything is fine, in particular if there are only a few reports.

We (DShield) don't apply any filters, but this doesn't indicate that you shouldn't. We do not apply any filters because we do not know your network configuration. In several cases, we added IPs to our 'false positive' list of IPs which we consider common sources of false positive reports. For example, root DNS servers are on this list, some large load balancers and some port scan sites (Shields Up...)

--
---
[EMAIL PROTECTED] Collaborative Intrusion Detection join http://www.dshield.org
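The local filtering step Johannes describes, written out as an added example (not DShield's code): constructed report records on RFC 5737 test addresses, an assumed minimum of 10 reports, and an assumed list of locally known roles. It labels a DNS server seen answering from port 53 and a load-balancer VIP that cannot originate connections as false positives, so only the remaining sources reach a router ACL.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Report:
    """One summarized DShield-style record for a reported source IP."""
    src: str
    src_port: int
    dst_port: int
    reports: int   # firewall-log lines submitted that name this source
    targets: int   # distinct submitters who reported it


# Constructed sample records (RFC 5737 test addresses, not real DShield data),
# mirroring the cases raised in this thread.
SAMPLE_REPORTS = [
    # our DNS server answering queries: replies leave from port 53 and get
    # logged as "attacks" by stateless packet filters at the clients
    Report("192.0.2.53", 53, 40213, 6, 3),
    # load-balancer VIP that cannot originate connections, yet shows 13/7
    Report("192.0.2.80", 80, 1034, 13, 7),
    # a real scanner hitting one service across many submitters
    Report("198.51.100.7", 2301, 1433, 412, 98),
    # a single stray report, too little to act on
    Report("203.0.113.9", 4444, 22, 1, 1),
]

# Locally known roles (assumed). DShield applies no such filter because it
# cannot know your network; this is the "take a closer look" step as code.
KNOWN_DNS_SERVERS = {ipaddress.ip_address("192.0.2.53")}
NON_ORIGINATING_VIPS = {ipaddress.ip_address("192.0.2.80")}
MIN_REPORTS = 10   # assumed threshold: fewer reports than this is noise


def classify(r: Report) -> str:
    """Label one record; only 'block' should ever reach a router ACL."""
    ip = ipaddress.ip_address(r.src)
    if ip in KNOWN_DNS_SERVERS and r.src_port == 53:
        return "dns-reply"          # answering queries, not attacking
    if ip in NON_ORIGINATING_VIPS:
        return "non-originating"    # cannot start connections; misread log
    if r.reports < MIN_REPORTS:
        return "low-volume"         # too few reports to trust
    return "block"


def build_block_list(reports) -> list:
    """Return the sources that survive local filtering, sorted for an ACL."""
    return sorted({r.src for r in reports if classify(r) == "block"})
```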
RE: Dshield.org
/overstatement -- fair enough. I don't mean to diminish the effort. I guess it is the unused potential that gets under my skin here. This could actually be an extremely useful tool for research if the data had some sense of accountability.

one has to understand and take into account how it is collected

Based on your methods of collection, with minimal work, one could make 167.216.198.40 #1 on the Most Wanted list (assuming sans.org is not on the false positives list). Anyway, that's my $.02... I'll mind my own business now.

GL,
j

-Original Message-
From: Johannes Ullrich [mailto:[EMAIL PROTECTED]]
Sent: Sunday, July 28, 2002 4:24 PM
To: jnull
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: Dshield.org
DNS monitoring changes
Hi, NANOGers.

I have added two additional data collection points to my DNS root name server monitoring. I have also scaled the graphs (thanks, Howard!) and added a text only version. You will find it all here: http://www.cymru.com/DNS

Comments and feedback are always welcome!

Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
Re: AS286 effectively no more..
We have lost connectivity from them since last Friday. If you send an email to their NOC you will get an autoreply saying:

The KPNQwest Network Operations Center was CLOSED on 19/07/2002

As everybody knew, they did have a really proactive and responsive NOC. It is sad to see things like this happen. :-(

Cheers
German

On Mon, 29 Jul 2002, Stephen J. Wilcox wrote:

FYI we have still got BGP with KPN and all routes look okay (from London).. no evidence of this shutdown as yet, perhaps it was only a couple of sections?

Steve

On Thu, 25 Jul 2002, Huopio Kauto wrote:

Interesting how quietly one of the powerhouses in Europe has been shut down yesterday evening. Any notes on increased latency / routing issues wrt the AS286 shutdown?

--kauto
Kauto Huopio - [EMAIL PROTECTED]
Information Security Adviser
Finnish Communications Regulatory Authority / CERT-FI
tel. +358-9-6966772, fax. +358-9-6966515
CERT-FI duty desk +358-9-6966510 - http://www.cert.fi
Re: AS286 effectively no more..
The KPNQwest Network Operations Center was CLOSED on 19/07/2002

As everybody knew, they did have a really proactive and responsive NOC. It is sad to see things like this happen. :-(

indeed. it's rare these days that a noc is given enough budget and authority to do a good job. as286 predated the dotcom boom (and bust) by a lot of years and was a fine bunch of folks from the earliest days to the final days. it's really sad to see a successful enterprise swept up by a boom/bust cycle. (i guess anybody who was able to cash out their equity from the kpn/qwest deal saw it as a good thing, but older customers probably wish it hadn't happened.)

--
Paul Vixie
Qwest to Restate Earnings
http://story.news.yahoo.com/news?tmpl=storyu=/ap/20020729/ap_on_bi_ge/qwest_2

Not too much of a surprise.

allan
--
Allan Liska [EMAIL PROTECTED]