Re: Weird distributed spam attack
> Unless, I missed the posts about this,.. I just (and still am experiencing) a distributed spam attack.

> We get these almost continually

Yep... same here. It is incredibly depressing to look at the logs.

> Backup-only MX here see upwards of 10K messages on bad days, mostly attacks of that type.

Yep, same here... before we ducked for cover (see below) I could grep 800 megs of just REJECTED out of our maillog file (two per day). Very depressing. To make it even more depressing, we were only getting harvested on about two dozen of the several thousand domains we run MX for.

> Some of the domains chosen for the attack are ridiculous (are 4 valid addresses really worth that effort?).

Well, they don't know that until they dictionary the domain, do they? Sigh.

> I have come to the conclusion that distributed dictionary attacks will eventually get the goods. Sure you can reject by pattern match on ainet.us for this case, but that's not going to help when someone with a large network of spambots sets up a job that:
>
> 1) uses completely random from addresses, subject lines and message content

Correct. That is exactly what we have seen.

> 2) uses an attack algorithm to distribute the load so you only see any given source IP every other day

Yep. My list of attacking IPs was several thousand deep before I gave up.

> I suspect that this type of attack is currently ongoing, underneath the obvious noise of the cruder tools.

Yes. We started seeing it (moderate volume) in July of this year. By August it was equal to regular client traffic. By early October it was kneecapping our mailservers. Managing the ignore list started to become a full-time job, so we surrendered and started using an external blocking service (see below). Before that we tried filtering at the router(s) and maintaining ignore lists on the servers, but it broke all sorts of things you *want* to have happen with secondary mail servers, especially the ones we have off-site.

> The only solution I see for the service provider is to recommend their subscribers choose long, complicated usernames not likely to be found in a dictionary.

That doesn't do *anything* to stop the attack, it just hides the user from being harvested (easily). It managed to find a couple of my weird addresses though, so while you can run, you can't hide forever.

> If anyone has better thoughts as to defense for the above scenario, I would love to hear it.

We have been offering Postini (http://www.postini.com) spam/virus filtering to our clients since May. They offer a service that detects, and blocks/ignores, the originating harvest spambots. They call it ActiveEMS... we tried it on our own domain (one of the first targeted) and we saw it drop like a rock. So we made it mandatory for our clients now... they can opt out of the filtering, but we still hide our mailservers behind theirs, even if our client opts out. That way, the client's *domain* stays protected, but they can read all the spams their hearts desire. It *still* does some wonky stuff with secondaries, so I might have to buy (grumble) their services as secondary MX spooling.

> I used to believe that running a catchall alias was an effective deterrent until the b*st*rds started sending complete spams and not just RCPT TO.

In fact, in this scenario the catch-all is like pouring gasoline on the fire without some giant water tank on the roof to... oh, wait... wrong thread. Sorry.

The only clients we haven't moved to Postini are those with catch-all addresses. Those break under Postini... well, they don't really break, except the bank, as clients get charged per-address. We are spreading clues as much as we can to discourage catch-alls. I hope to have all but the completely entrenched converted by year-end. Then we just have to wait until they get harvested... then they'll change their mind. We have one client who owns close to 50 domains... all with a catch-all going to his *one* address. He went from getting maybe 30 spams a week to several hundred a day... just because a single domain was harvested by these attacks.

> The only alternative I see is a blacklist populated by some type of distributed detection system... if enough of us under attack contributed 550 unknown user logs, there should be an easily definable threshold for human error.

Interesting alternative... the hard part is making it work. How does it face the spambots, but still not refuse actual legit mail traffic coming into your primary MX? What is the threshold where it recognizes an attack from the normal traffic and starts feeding the BS to the bots?

> I have about 4 gigs of 550 logs to contribute.
>
> Mike
> --
> With all the spam I get, maybe mlewinski isn't such a bad idea for username after all.

heh. Totally OT, but a nice bonus with Postini was re-acquainting myself with somebody I knew from a Network Manager's user group (ANMA) I was in back in the early 90's. The salesdroid
Re: Even the New York Times withholds the address
> It'd be cheaper to move the entire carrier hotel to the safe area and forget having offsite power.

Exactly! If you are going to solve the redundant services problem (power and cooling) with some kind of regional power and cooling network, then it makes sense to cluster the various organizations who need these services in the same area. Therefore, we should be thinking about how we can move carrier hotels to be near major hospitals. And if you think that clustering defeats the idea of distributing your assets, I am not suggesting that there should be only one cluster in a metropolitan area. Just as there are several major hospitals, there should be several carrier hotels.

-- Michael Dillon
RE: Weird distributed spam attack
We just recently started using GatewayDefender's Business service. So far, I've only received about 1 or 2 spam a day -- down from nearly 40-60. Not bad in my estimation. (http://www.gatewaydefender.com)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of chuck goolsbee
Sent: Wednesday, November 20, 2002 4:16 AM
To: [EMAIL PROTECTED]
Subject: Re: Weird distributed spam attack
Fire in Data Centre of Twente University, Netherlands
for all incident watchers:

[Update 20/11/2002 12:30] At this moment the ICT-heart of the university of Twente is burning. The so-called TWRC-building houses the central systems of the university, all servers and PCs will be lost and various affiliated institutes are without Internet connectivity. [...] Hosting and colo company Virtu, the neighbour of the university, has provided an IP address for the University. Further announcements are made available on http://srv1ut.utwente.virtu.nl/, an abbreviated copy of the university website.

[Update 12:30] At this moment the ICT heart of the University of Twente is burning down. The so-called TWRC building houses the central network of the university; all servers and PCs will be lost and various affiliated institutions are without Internet connectivity. [...] Hosting and colocation provider Virtu, the university's physical neighbour, 'has made a machine and an IP address available, with the knowledge and at the request of the university. In this way the UT can still make announcements public via the web', according to a Virtu spokesman. The site is a stripped-down clone of www.Utwente.nl.

pictures:
http://webcam.traserv.com/thumbnails/index.html
http://images.fok.nl/upload/utwentebranddichtbijgroot.jpg

websites [in Dutch]:
http://www.planet.nl/pmm/0,1674,101_1501_1277175,00.html

newslog with pictures:
http://frontpage.fok.nl/news.fok?id=23971
Re: Weird distributed spam attack
> It *still* does some wonky stuff with secondaries, so I might have to buy (grumble) their services as secondary MX spooling.

We have started distributing the list of valid addresses to secondary MX servers to reduce the store-and-forward load of dictionary attacks on those servers. Using a fast-response RBL helps, but whitelisting is a chore. (http://openrbl.org pick one)

> I used to believe that running a catchall alias was an effective deterrent until the b*st*rds started sending complete spams and not just RCPT TO.

We have never run catchall, but I am thinking about funneling LUser into pattern matching (spamassassin, or similar) and then using that to build a time-limited local ipfw or ipfirewall table. We have enough horsepower to filter at the routers, but prefer to let the routers route, and let the MX boxes filter.

> In fact, in this scenario the catch-all is like pouring gasoline on the fire without some giant water tank on the roof to... oh, wait... wrong thread. Sorry.

We tried water cooling, but it quit working when they patched the roof. ;-}

-bryan bradsby
Texas State Government Net
NOC: 512-475-2432 877-472-4848
--
The most likely way for the world to be destroyed, most experts agree, is by accident. That's where we come in. We're computer professionals. We cause accidents. -- Nathaniel Borenstein, co-author of MIME.
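Two ideas from this thread, Mike's "definable threshold" over 550 unknown-user logs (quoted in chuck's reply above) and Bryan's time-limited firewall table built from unknown-user rejections, as an added Python example that is not code from the thread or from any of the posters. The simplified log format, the IPs, the window and the thresholds are constructed assumptions for the demonstration.

```python
"""Flag SMTP dictionary-attack sources from "550 User unknown" rejections.

Added example, not code from the thread: it counts unknown-user
rejections per client inside a sliding window, spares clients whose
traffic is mostly valid (the "threshold for human error"), and emits
time-limited block entries of the kind a local ipfw table would hold.
Log lines are constructed, simplified sendmail-style samples, not real data.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

YEAR = 2002  # assumed year for the constructed timestamps below

# Constructed sample log (simplified format): relay IP plus whether the
# RCPT was accepted or rejected with 550 User unknown.
SAMPLE_LOG = """\
Nov 20 04:16:01 mx1 sendmail[1201]: to=<alice@example.org>, relay=[192.0.2.10], stat=Sent
Nov 20 04:16:02 mx1 sendmail[1202]: to=<aaron@example.org>, relay=[198.51.100.7], reject=550 5.1.1 User unknown
Nov 20 04:16:02 mx1 sendmail[1202]: to=<abby@example.org>, relay=[198.51.100.7], reject=550 5.1.1 User unknown
Nov 20 04:16:03 mx1 sendmail[1202]: to=<abe@example.org>, relay=[198.51.100.7], reject=550 5.1.1 User unknown
Nov 20 04:16:03 mx1 sendmail[1202]: to=<adam@example.org>, relay=[198.51.100.7], reject=550 5.1.1 User unknown
Nov 20 04:16:04 mx1 sendmail[1202]: to=<al@example.org>, relay=[198.51.100.7], reject=550 5.1.1 User unknown
Nov 20 04:16:05 mx1 sendmail[1203]: to=<bob@example.org>, relay=[192.0.2.10], stat=Sent
Nov 20 04:16:06 mx1 sendmail[1203]: to=<bobby@example.org>, relay=[192.0.2.10], reject=550 5.1.1 User unknown
Nov 20 04:16:07 mx1 sendmail[1204]: to=<carol@example.org>, relay=[192.0.2.10], stat=Sent
Nov 20 09:30:00 mx1 sendmail[1350]: to=<zed@example.org>, relay=[198.51.100.7], reject=550 5.1.1 User unknown
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: "
    r"to=<[^>]*>, relay=\[(?P<ip>[\d.]+)\], "
    r"(?P<result>reject=550 .*User unknown|stat=Sent)$"
)


def parse(text):
    """Return a list of (timestamp, client_ip, rejected) for matching lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log noise is skipped, not an error
        ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["result"].startswith("reject=")))
    return events


def detect(events, window=timedelta(minutes=5), threshold=5,
           min_ratio=0.8, block_ttl=timedelta(hours=1)):
    """Return {ip: block_expiry} for clients that look like dictionary
    crackers: at least `threshold` 550s inside `window`, with 550s making
    up at least `min_ratio` of that client's RCPTs in the window.  A real
    MX that occasionally bounces a typo stays below both and is never
    listed; that ratio is the "threshold for human error"."""
    recent = defaultdict(deque)  # ip -> (ts, rejected) events inside window
    blocks = {}
    for ts, ip, rejected in sorted(events):
        q = recent[ip]
        q.append((ts, rejected))
        while ts - q[0][0] > window:  # slide the window forward
            q.popleft()
        rejects = sum(1 for _, r in q if r)
        if rejects >= threshold and rejects / len(q) >= min_ratio:
            blocks[ip] = ts + block_ttl  # create or renew the timed entry
    return blocks


def expire(blocks, now):
    """Drop entries whose TTL has lapsed; what is left is the live table."""
    return {ip: exp for ip, exp in blocks.items() if exp > now}


if __name__ == "__main__":
    table = detect(parse(SAMPLE_LOG))
    for ip, exp in table.items():
        print(f"block {ip} until {exp:%b %d %H:%M:%S}")
    print("still blocked at 05:00:", list(expire(table, datetime(YEAR, 11, 20, 5))))
    print("still blocked at 06:00:", list(expire(table, datetime(YEAR, 11, 20, 6))))
```

The lone 09:30 probe from the same source falls outside the window and does not renew the entry, so a single late probe is not enough to keep a host listed.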
Re: Weird distributed spam attack
Hi,

# Here is the kicker. I check where these are coming from, they
# are from all over the place. I check for IP address spoofing...
# not happening. No IP options or TCP options.
#
# This came from like about 300 different networks, and yes
# I don't accept source routing (IP Options).

In addition to thousands of open relays, which are bad enough in their own right, there are also thousands of open proxy servers which a growing number of spammers have been using to launch spam runs lately. I suspect that's what you're seeing.

You can see some of the open proxy servers that we've seen traffic from at http://darkwing.uoregon.edu/~joe/open-proxies-used-to-send-spam.html

If you aren't blocking traffic from open proxy servers via a dns blacklist, I predict that you will definitely see increasingly aggressive spam attacks coming in from diverse locations (although the more you look at the problem, the easier it becomes to identify the handful of carriers who are open proxy-tolerant).

[I will also say that it would really be great if mail-abuse.org would add an open proxy listing project to complement their RSS, DUL, and other initiatives.]

Regards,

Joe
MIA: oregon-ix.net
As some of you have noticed, the BGP4 route containing the address for route-views.oregon-ix.net has disappeared a while ago (mid-October?). Their website seems to be gone, and I swear, I couldn't resolve the domain for a little while just now. Has the Oregon IX been shut down? Their route-server was probably the best-connected one, with the most views, of any public route server I am aware of (please prove me wrong, but do not torment me with any web-based looking glasses :) . Nothing like having to poke around 10 other RS's to establish that rogue AS 26212 really only has 1, 6402 and 2914 as their upstreams.
Re: MIA: oregon-ix.net
Kai, i'm not sure about the dns for the domain (i suspect the appropriate people are at ietf.. in fact i know i saw their faces on the mcast stream) but you can reach it by ip.

198.32.162.100

- jared

On Wed, Nov 20, 2002 at 12:50:34PM -0500, Kai Schlichting wrote:
> As some of you have noticed, the BGP4 route containing the address for route-views.oregon-ix.net has disappeared a while ago (mid-October?). Their website seems to be gone, and I swear, I couldn't resolve the domain for a little while just now. Has the Oregon IX been shut down? Their route-server was probably the best-connected one, with the most views, of any public route server I am aware of (please prove me wrong, but do not torment me with any web-based looking glasses :) . Nothing like having to poke around 10 other RS's to establish that rogue AS 26212 really only has 1, 6402 and 2914 as their upstreams.

--
Jared Mauch | pgp key available via finger from [EMAIL PROTECTED]
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
Re: Weird distributed spam attack
--On Wednesday, November 20, 2002 9:40 AM -0800 Joe St Sauver [EMAIL PROTECTED] wrote:

> [I will also say that it would really be great if mail-abuse.org would add an open proxy listing project to complement their RSS, DUL, and other initiatives.]

They go on the RBL - largely due to the existence of AS, in a manner similar to the way listings happen on the RSS. If we have spam via an open proxy and it tests open, it gets listed.

I've got some contract coding work (sh, perl, some C) related to this available if any of you folks in the Bay Area have some spare cycles. (We're also hiring full time for some other positions - feel free to ping me).

--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Margie Arbon  Mail Abuse Prevention System, LLC
[EMAIL PROTECTED]  http://mail-abuse.org
Re: Weird distributed spam attack
On 11/20/2002 at 12:40 PM, [EMAIL PROTECTED] wrote:

> In addition to thousands of open relays, which are bad enough in their own right, there are also thousands of open proxy servers which a growing number of spammers have been using to launch spam runs lately. I suspect that's what you're seeing.

Almost all SMTP dictionary-crack attacks are done through open proxies; otherwise it's a delivery attack carrying actual spam. Some ISPs seem to have problems understanding the concept that log evidence showing 200 unknown users being probed is in-your-face evidence of illegal trespass and accessing another host/network without authorization. Indeed, the SMTP-cracking malware that Elcomsoft (Advanced Maillist Verifier Pro) pumps out specifically uses rotating proxies to do its illegal work. Talk about a company not worth defending, even if it's against the DMCA. Dimitry should find himself a more ethical employer, even if Adobe was wrong on this to begin with.

> If you aren't blocking traffic from open proxy servers via a dns blacklist, I predict that you will definitely see increasingly aggressive spam attacks coming in from diverse locations (although the more you look at the problem, the easier it becomes to identify the handful of carriers who are open proxy-tolerant).

If you don't use at least several DNSBLs, you are already DEAD from dictionary attacks, I'd say. I have personally observed an attack against a DS3-connected server from a single source IP, ratcheting through 2400 RCPT TO: checks in just 2-3 seconds. Yes, they are not trying to hide very well, they are trying to crack through your mail server at maximum speed, with 10-25 probes per connection.

There is a demonstration patch for Sendmail to slow down the SMTP dialogue (at the expense of keeping the process in memory too long, and long after the attacking host disconnects) at http://www.spamshield.org/sendmail8.9.0b5-rcpt-patch.txt . Do not use this in production, unless you really know what you are doing and are tongue-in-cheek with Sendmail and its source: it has several deficiencies that are obvious to a good observer (and tester) and that may impede or render it useless to most. I wonder if Eric ever reconsidered my suggestion (from 4-5 years ago) to optionally drop processing arguments for a given SMTP dialogue if the client host disconnects the TCP connection prematurely [while not in pipeline mode, but the latter was not part of the argument]. This is very much Sendmail-specific, so you may ignore this.

> [I will also say that it would really be great if mail-abuse.org would add an open proxy listing project to complement their RSS, DUL, and other initiatives.]

What we really want is a DNSBL that lists SMTP dictionary-crack attacks in real-time. The overlap of the mechanics required for running this with other DNSBLs is obvious. Unfortunately I could only spare some expertise, but not a whole lot of time or expenses to set something like that up (and merge it into an existing DNSBL such as Osirusoft's as far as day-to-day ops is concerned). Without touting my horn, SS2.0 will successfully defend a given (OS)Sendmail (Un*x) against SMTP dictionary-cracking, distributed or not, but other significant reasons are holding up its release right now, in case you were going to ask.

bye, Kai
Re: MIA: oregon-ix.net
There is a second one as well which is 198.32.162.102. It's a little more responsive, but with less peers.

---Mike

At 01:04 PM 20/11/2002 -0500, Jared Mauch wrote:
> Kai, i'm not sure about the dns for the domain (i suspect the appropriate people are at ietf.. infact i know i saw their faces on the mcast stream) but you can reach it by ip.
>
> 198.32.162.100
>
> - jared
Re: Bin Laden Associate Warns of Cyberattack
> 9/11 showed us that, despite the relatively concentrated POPs in NYC, the Internet was still the only communications medium that survived the attack --and it was largely unaffected, even for users located in NYC itself!

Those of us who were providing emergency transit to providers that were completely isolated know that that was more because of luck than actual planning.

> CAIDA tells us that over 25% of the Internet must be removed before connectivity degrades. I'm quite a cynic, but I doubt the CIA could pull off that kind of damage, much less al Qaeda.

I am not sure what you mean with 25% of the Internet? What connectivity would degrade? From where to where?

- kurtis -
Re: MIA: oregon-ix.net
route-views is up happy - route-views.oregon-ix.net

see: http://www.routeviews.org/

Lucy E. Lynch  Academic User Services
Computing Center  University of Oregon
[EMAIL PROTECTED]  (541) 346-1774/Cell: 912-7998

On Wed, 20 Nov 2002, Mike Tancsa wrote:
> There is a second one as well which is 198.32.162.102. Its a little more responsive, but with less peers.
>
> ---Mike
Re: MIA: oregon-ix.net
I was getting dns resolver errors earlier back. (like the zone expired) it appears someone fixed something since.

- jared

On Wed, Nov 20, 2002 at 06:35:59PM +, Stephen J. Wilcox wrote:
> telnet to the domain works fine from here? confirm you have it correct- route-views.oregon-ix.net

--
Jared Mauch | pgp key available via finger from [EMAIL PROTECTED]
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
RE: MIA: oregon-ix.net
It's definitely there..

Non-authoritative answer:
Name:    route-views.oregon-ix.net
Address: 198.32.162.100

route-views.oregon-ix.net>sh ip bgp sum
BGP router identifier 198.32.162.100, local AS number 6447
BGP table version is 5314229, main routing table version 5314229
125745 network entries and 5682928 paths using 216279693 bytes of memory
960510 BGP path attribute entries using 49946520 bytes of memory
744324 BGP AS-PATH entries using 18454476 bytes of memory
4303 BGP community entries using 159674 bytes of memory
Dampening enabled. 11361 history paths, 7196 dampened paths
11361 paths received but denied
BGP activity 216653/85313 prefixes, 27124356/21395751 paths

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
4.0.4.90        4     1 1200789   41872  5314204    0    0 04:49:38       115086
62.164.11.10    4  8782   58138   41878  5314204    0    0 1w0d             2678
64.50.224.5     4  4181 1227857   41871  5314204    0    0 3w6d           115686
64.166.72.140   4 65533       0       0        0    0    0 never          Active
64.200.199.3    4  7911 2362162   41872  5314204    0    0 1w4d           116068
64.200.199.4    4  7911 2325433   41868  5314204    0    0 4w1d           116066
66.185.128.48   4  1668 1409836   41873  5314204    0    0 2w2d           116352
129.250.0.6     4  2914 1437478   41860  5314204    0    0 1w1d           100143
129.250.0.11    4  2914 1235081   41862  5314204    0    0 1w1d           100145
130.217.2.25    4   681   44469   41869  5314204    0    0 4w1d              853
134.55.20.229   4   293 1569091   41874  5314204    0    0 3w4d           116575
141.142.12.1    4  1224 1920843   81928  5314204    0    0 5d22h          118615
144.228.241.81  4  1239  865616   41869  5314204    0    0 4w1d           114890
154.11.63.86    4   852 1300077   41869  5314204    0    0 4d14h          117015
154.11.98.18    4   852 1250484   41751  5314204    0    0 1d06h          117015
...
route-views.oregon-ix.net>

-Original Message-
From: Jared Mauch [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 20, 2002 1:05 PM
To: Kai Schlichting
Cc: [EMAIL PROTECTED]
Subject: Re: MIA: oregon-ix.net

> Kai, i'm not sure about the dns for the domain (i suspect the appropriate people are at ietf.. infact i know i saw their faces on the mcast stream) but you can reach it by ip.
>
> 198.32.162.100
>
> - jared
Re: MIA: oregon-ix.net
telnet to the domain works fine from here? confirm you have it correct- route-views.oregon-ix.net

On Wed, 20 Nov 2002, Mike Tancsa wrote:
> There is a second one as well which is 198.32.162.102. Its a little more responsive, but with less peers.
>
> ---Mike
Re: MIA: oregon-ix.net
I too was seeing DNS timeouts on the servers I was asking.

---Mike

At 01:37 PM 20/11/2002 -0500, Jared Mauch wrote:
> I was getting dns resolver errors earlier back. (like the zone expired) it appears someone fixed something since.
>
> - jared
Re: Experts: Don't dismiss cyberattack warning
Barney Wolff wrote:
> ...
> But it would be quite foolish to underestimate the capability of any large group, sufficiently motivated, to inflict massive damage.

I agree. Never underestimate the power of a fringe lunatic group to cause harm.

Now, I am going to go out on a thin limb and ask the following: When experts say "don't dismiss cyberattack warning", what can somebody like me (just a regular user), or for that matter others with several degrees of better knowledge in the workings of cyber networks than I, do to stop cyber attacks from happening?

-raj kulkarni

> Most Muslims are not Arab, or living in caves. There are certainly millions of Muslim computer users, by now. In fact, I'd bet there are more than a million Muslim computer users in the US alone. Most Muslims, thank God, are not murderous fanatics or computer abusers. But it would be quite foolish to underestimate the capability of any large group, sufficiently motivated, to inflict massive damage.
>
> On Tue, Nov 19, 2002 at 07:40:14PM -0600, Stephen Sprunk wrote:
> > I'm not skeptical that millions of starving Arabs living in caves or being slaughtered by their dictators are going to find computers, connect to the Net (outlawed by their leaders), and attack us.
>
> --
> Barney Wolff http://www.databus.com/bwresume.pdf
> I'm available by contract or FT, in the NYC metro area or via the 'Net.
Re: MIA: oregon-ix.net
bind problem... joelja

On Wed, 20 Nov 2002, Lucy E. Lynch wrote: route-views is up and happy - route-views.oregon-ix.net see: http://www.routeviews.org/ Lucy E. Lynch Academic User Services Computing Center University of Oregon [EMAIL PROTECTED] (541) 346-1774/Cell: 912-7998

On Wed, 20 Nov 2002, Mike Tancsa wrote: There is a second one as well, which is 198.32.162.102. It's a little more responsive, but with fewer peers. ---Mike

At 01:04 PM 20/11/2002 -0500, Jared Mauch wrote: Kai, I'm not sure about the DNS for the domain (I suspect the appropriate people are at IETF... in fact I know I saw their faces on the mcast stream), but you can reach it by IP: 198.32.162.100 - jared

On Wed, Nov 20, 2002 at 12:50:34PM -0500, Kai Schlichting wrote: As some of you have noticed, the BGP4 route containing the address for route-views.oregon-ix.net disappeared a while ago (mid-October?). Their website seems to be gone, and I swear I couldn't resolve the domain for a little while just now. Has the Oregon IX been shut down? Their route-server was probably the best-connected one, with the most views, of any public route server I am aware of (please prove me wrong, but do not torment me with any web-based looking glasses :) . Nothing like having to poke around 10 other RS's to establish that rogue AS 26212 really only has 1, 6402 and 2914 as their upstreams.

-- Jared Mauch | pgp key available via finger from [EMAIL PROTECTED] clue++; | http://puck.nether.net/~jared/ My statements are only mine.

-- Joel Jaeggli Academic User Services [EMAIL PROTECTED] --PGP Key Fingerprint: 1DE9 8FCA 51FB 4195 B42A 9C32 A30D 121E -- In Dr. Johnson's famous dictionary patriotism is defined as the last resort of the scoundrel. With all due respect to an enlightened but inferior lexicographer I beg to submit that it is the first. -- Ambrose Bierce, The Devil's Dictionary
Re: MIA: oregon-ix.net
pay no attention to that man behind the curtain. Lucy E. Lynch Academic User Services Computing Center University of Oregon [EMAIL PROTECTED] (541) 346-1774/Cell: 912-7998

On Wed, 20 Nov 2002, Mike Tancsa wrote: I too was seeing DNS timeouts on the servers I was asking. ---Mike

At 01:37 PM 20/11/2002 -0500, Jared Mauch wrote: I was getting DNS resolver errors earlier back (like the zone expired); it appears someone fixed something since. - jared

On Wed, Nov 20, 2002 at 06:35:59PM +, Stephen J. Wilcox wrote: telnet to the domain works fine from here? Confirm you have it correct: route-views.oregon-ix.net

On Wed, 20 Nov 2002, Mike Tancsa wrote: There is a second one as well, which is 198.32.162.102. It's a little more responsive, but with fewer peers. ---Mike

At 01:04 PM 20/11/2002 -0500, Jared Mauch wrote: Kai, I'm not sure about the DNS for the domain (I suspect the appropriate people are at IETF... in fact I know I saw their faces on the mcast stream), but you can reach it by IP: 198.32.162.100 - jared

On Wed, Nov 20, 2002 at 12:50:34PM -0500, Kai Schlichting wrote: As some of you have noticed, the BGP4 route containing the address for route-views.oregon-ix.net disappeared a while ago (mid-October?). Their website seems to be gone, and I swear I couldn't resolve the domain for a little while just now. Has the Oregon IX been shut down? Their route-server was probably the best-connected one, with the most views, of any public route server I am aware of (please prove me wrong, but do not torment me with any web-based looking glasses :) . Nothing like having to poke around 10 other RS's to establish that rogue AS 26212 really only has 1, 6402 and 2914 as their upstreams.

-- Jared Mauch | pgp key available via finger from [EMAIL PROTECTED] clue++; | http://puck.nether.net/~jared/ My statements are only mine.
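The resolver errors reported in this thread ("like the zone expired", "bind problem") are what a secondary nameserver produces once it has gone longer than the SOA expire interval without a successful refresh: it stops answering for the zone at all. The following is an added example, not code from the thread or from BIND, that takes the primary's SOA timers and the state of each secondary (constructed values; the zone, server names, serials and timestamps are made up) and classifies each server as current, stale, or expired. Serial comparison uses RFC 1982 arithmetic so a wrapped serial still compares correctly.

```python
"""Classify a zone's secondaries as current, stale or expired.

Added example; not from the thread, Route Views or BIND. All sample data is
constructed for illustration.
"""
from dataclasses import dataclass

SERIAL_HALF = 1 << 31  # half of the 32-bit serial-number space (RFC 1982)


def serial_gt(a, b):
    """True if serial a is 'greater than' b in RFC 1982 serial arithmetic.

    Handles wraparound: 1 is greater than 0xFFFFFFFF, not less.
    """
    a &= 0xFFFFFFFF
    b &= 0xFFFFFFFF
    if a == b:
        return False
    return (a < b and b - a > SERIAL_HALF) or (a > b and a - b < SERIAL_HALF)


@dataclass
class Soa:
    serial: int
    refresh: int   # seconds between refresh checks
    retry: int     # seconds between retries after a failed refresh
    expire: int    # seconds after which an unrefreshed copy is discarded


@dataclass
class Secondary:
    name: str
    serial: int        # serial of the zone copy it is currently serving
    last_success: int  # epoch seconds of its last successful refresh/AXFR


def seconds_until_expiry(primary, secondary, now):
    """Negative means the secondary has already dropped the zone."""
    return primary.expire - (now - secondary.last_success)


def classify(primary, secondaries, now):
    """Return {server name: 'current' | 'stale' | 'expired'}.

    'expired' servers answer SERVFAIL for every query in the zone, which from
    the outside looks like the zone has vanished; 'stale' ones still answer,
    but from an older copy than the primary holds.
    """
    result = {}
    for s in secondaries:
        if seconds_until_expiry(primary, s, now) < 0:
            result[s.name] = "expired"
        elif serial_gt(primary.serial, s.serial):
            result[s.name] = "stale"
        else:
            result[s.name] = "current"
    return result


# Constructed sample: a primary with a 7-day expire and three secondaries.
NOW = 1_037_836_800  # arbitrary epoch seconds used as "now" in this example
PRIMARY = Soa(serial=2002112001, refresh=3600, retry=900, expire=7 * 86400)
SECONDARIES = [
    Secondary("ns1.example.net", serial=2002112001, last_success=NOW - 600),
    Secondary("ns2.example.net", serial=2002111501, last_success=NOW - 2 * 86400),
    Secondary("ns3.example.net", serial=2002111501, last_success=NOW - 8 * 86400),
]


def sample_report():
    """Classification of the constructed sample above."""
    return classify(PRIMARY, SECONDARIES, NOW)
```

The point of the `stale` bucket is that a secondary can be lagging for days without anyone noticing, and it only becomes visible as an outage once the expire timer runs out; monitoring the serial gap and the time since last refresh catches it before that happens.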
Re: MIA: oregon-ix.net
As some of you have noticed, the BGP4 route containing the address for route-views.oregon-ix.net disappeared a while ago (mid-October?). Their website seems to be gone, and I swear I couldn't resolve the domain for a little while just now. Has the Oregon IX been shut down?

As others have noted, they just had DNS problems. Their routes appear to be live. In fact, the stability of 198.32.162.0/24 is pretty good, by and large. They did have one global outage of about an hour and a half on October 1st, starting at 12:03 GMT. Also, back on September 13th, between 12:32 and 13:51 GMT they were (accidentally or deliberately) being originated by 15919 (Interhost), creating a brief blackhole situation. They're otherwise usually advertised by 3701, although you'll also see Verio originating them depending on where you look.

Their route-server was probably the best-connected one, with the most views, of any public route server I am aware of (please prove me wrong, but do not torment me with any web-based looking glasses :) .

Yeah, for real forensics, neither looking glasses nor public route servers are ideal solutions. The former have single-site myopia and the latter have no good tools. That's why we built our own infrastructure (http://gradus.renesys.com).

Nothing like having to poke around 10 other RS's to establish that rogue AS 26212 really only has 1, 6402 and 2914 as their upstreams.

Also 2516, 3257, 4513, 6730, and 6939, just in the last few weeks. --jim
Re: MIA: oregon-ix.net
[EMAIL PROTECTED] wrote:

As some of you have noticed, the BGP4 route containing the address for route-views.oregon-ix.net disappeared a while ago (mid-October?). Their website seems to be gone, and I swear I couldn't resolve the domain for a little while just now. Has the Oregon IX been shut down?

As others have noted, they just had DNS problems. Their routes appear to be live. In fact, the stability of 198.32.162.0/24 is pretty good, by and large. They did have one global outage of about an hour and a half on October 1st, starting at 12:03 GMT. Also, back on September 13th, between 12:32 and 13:51 GMT they were (accidentally or deliberately) being originated by 15919 (Interhost), creating a brief blackhole situation. They're otherwise usually advertised by 3701, although you'll also see Verio originating them depending on where you look.

And 5650 if you are a customer...

Their route-server was probably the best-connected one, with the most views, of any public route server I am aware of (please prove me wrong, but do not torment me with any web-based looking glasses :) .

Yeah, for real forensics, neither looking glasses nor public route servers are ideal solutions. The former have single-site myopia and the latter have no good tools. That's why we built our own infrastructure (http://gradus.renesys.com).

Nothing like having to poke around 10 other RS's to establish that rogue AS 26212 really only has 1, 6402 and 2914 as their upstreams.

Also 2516, 3257, 4513, 6730, and 6939, just in the last few weeks. --jim
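Two things the last two posts do by hand are mechanical once you have AS-path observations from several vantage points: spotting the window in which a prefix was originated by an AS other than its usual one (the 15919 mis-origination of 198.32.162.0/24), and working out which ASes are directly adjacent to a given AS (the "poke around 10 route servers to find 26212's upstreams" exercise). The following is an added example, not code from the thread, Route Views or Renesys. The observations are constructed: the ASNs are the ones named in the posts, but the vantage-point names, timestamps, exact paths and the two documentation prefixes (192.0.2.0/24, 198.51.100.0/24) used for the rogue AS are made up for illustration.

```python
"""Origin-AS change detection and neighbour discovery from multiple BGP views.

Added example; not from the thread, Route Views or Renesys. All observations
below are constructed for illustration.
"""

# (vantage point, UTC timestamp, prefix, AS path as seen from the collector).
# The origin AS is the last element of the path.
ROUTE_VIEWS_OBS = [
    ("rs-a", "2002-09-13T12:00:00", "198.32.162.0/24", [7018, 3701]),
    ("rs-b", "2002-09-13T12:00:00", "198.32.162.0/24", [2914, 3701]),
    ("rs-a", "2002-09-13T12:32:00", "198.32.162.0/24", [7018, 15919]),
    ("rs-b", "2002-09-13T12:40:00", "198.32.162.0/24", [2914, 15919]),
    ("rs-a", "2002-09-13T13:00:00", "198.32.162.0/24", [7018, 15919]),
    ("rs-a", "2002-09-13T13:51:00", "198.32.162.0/24", [7018, 3701]),
    ("rs-b", "2002-09-13T13:52:00", "198.32.162.0/24", [2914, 3701]),
]

# Constructed views of two documentation prefixes originated by AS 26212,
# including one path with AS-path prepending.
ROGUE_AS_OBS = [
    ("rs-a", "2002-11-20T00:00:00", "192.0.2.0/24", [7018, 1, 26212, 26212]),
    ("rs-b", "2002-11-20T00:00:00", "192.0.2.0/24", [2914, 26212]),
    ("rs-c", "2002-11-20T00:00:00", "192.0.2.0/24", [3356, 6402, 26212]),
    ("rs-c", "2002-11-20T00:00:00", "198.51.100.0/24", [3356, 6402, 26212]),
]


def collapse_prepends(path):
    """Remove consecutive repeats so prepending does not fake an adjacency."""
    return [asn for i, asn in enumerate(path) if i == 0 or asn != path[i - 1]]


def origin_changes(observations, prefix, expected_origin):
    """Every observation of prefix whose origin AS is not the expected one.

    Returns a list of (vantage, timestamp, origin) in observation order; each
    entry is a candidate hijack or leak that deserves a look.
    """
    events = []
    for vantage, ts, pfx, path in observations:
        if pfx != prefix or not path:
            continue  # other prefix, or a withdrawal with no path to inspect
        origin = path[-1]
        if origin != expected_origin:
            events.append((vantage, ts, origin))
    return events


def misorigin_windows(observations, prefix, expected_origin):
    """Per vantage point, the first and last time a foreign origin was seen.

    Timestamps are ISO-8601 strings of equal length, so string comparison
    orders them correctly.
    """
    windows = {}
    for vantage, ts, _origin in origin_changes(observations, prefix, expected_origin):
        first, last = windows.get(vantage, (ts, ts))
        windows[vantage] = (min(first, ts), max(last, ts))
    return windows


def neighbours_of(observations, asn):
    """ASNs seen immediately before asn on any path, across all vantage points.

    The AS one hop closer to the collector than asn is a direct neighbour that
    propagates asn's routes: an upstream or a peer. The union over many
    vantage points is exactly what a single route server cannot give you.
    """
    found = set()
    for _vantage, _ts, _pfx, path in observations:
        collapsed = collapse_prepends(path)
        for i in range(1, len(collapsed)):
            if collapsed[i] == asn:
                found.add(collapsed[i - 1])
    return found
```

Run against the constructed data, `misorigin_windows(ROUTE_VIEWS_OBS, "198.32.162.0/24", 3701)` gives a per-collector window for the 15919 origination, and `neighbours_of(ROGUE_AS_OBS, 26212)` returns the three neighbours the post names. On real data the input would be a RIB or UPDATE dump per collector; the logic is the same.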
Re: Experts: Don't dismiss cyberattack warning
Rajendra G. Kulkarni wrote: I agree. Never underestimate the power of a fringe lunatic group to cause harm. Now, I am going to go out on a thin limb and ask the following: when experts say "don't dismiss cyberattack warning", what can somebody like me (just a regular user), or for that matter others with several degrees of better knowledge in the workings of cyber networks than I, do to stop cyber attacks from happening?

I think the real question (at least for NANOG members) is not whether terrorists are ready, willing and able to launch attacks against networks. It should be obvious that they are. The real question is whether those attacks will be any worse than the attacks from other sources that have been hitting our networks on a regular basis for the past several years. Are these terrorists actually trying to figure out ways to crack Windows, Linux, IOS and other popular operating systems, or are they just downloading the same software that the script kiddies are already using? -- David
Re: Cyberattack FUD
Kurt Erik Lindqvist [EMAIL PROTECTED] writes: I am not sure what you mean with 25% of the Internet? What connectivity would degrade? From where to where?

If you randomly select nodes to remove, by the time you have removed 25% of them, the network breaks up into many isolated islands. As Sean pointed out, the CAIDA study considered a sample of the 50k most connected nodes. So a successful attack aimed at 12500 big routers simultaneously would break the Internet into little pieces.

If more strategy is used in the selection process, you get localized outages -- i.e. disabling everything in 60 Hudson or 151 Front is likely to cause significant problems in New York or Toronto, but you'll probably be able to see the rest of the world just fine from Sweden. A distributed physical attack against a large number of Telco Hotels and trans-oceanic fibre landing points would be somewhat worse. It would also be very difficult to do from a laptop.

With the exception of E911 service (which normally doesn't use IP anyways), any such disruption is unlikely to really hurt anyone. Such hand-wringing whenever someone threatens to break the Internet is maybe a sign of an unhealthy dependence on a medium that is younger than most of the people on this list? Taking the fear mongering and sabre rattling too seriously is much more dangerous than any possible network outage. -w
Re: Cyberattack FUD
Well said - the radical elements get a lot more bang for their buck with well-placed media stories than they would ever likely get from a cyber attack on the Internet. The one point to consider is that there are critical networks for the economy that run on shared infrastructure also used by the Internet. Hence studying the susceptibility of the Internet can be more than an exercise in guaranteeing porn availability. Proprietary issues aside, there is a lot to be learned, and for fairly good reasons. Microbiologists study the neural network of the C. elegans worm not because they give a crap about worm brains but because it gives insight into a bigger picture. Not the best analogy, but ya get the drift.

- Original Message - From: William Waites [EMAIL PROTECTED] Date: Wednesday, November 20, 2002 8:35 pm Subject: Re: Cyberattack FUD

Kurt Erik Lindqvist [EMAIL PROTECTED] writes: I am not sure what you mean with 25% of the Internet? What connectivity would degrade? From where to where?

If you randomly select nodes to remove, by the time you have removed 25% of them, the network breaks up into many isolated islands. As Sean pointed out, the CAIDA study considered a sample of the 50k most connected nodes. So a successful attack aimed at 12500 big routers simultaneously would break the Internet into little pieces.

If more strategy is used in the selection process, you get localized outages -- i.e. disabling everything in 60 Hudson or 151 Front is likely to cause significant problems in New York or Toronto, but you'll probably be able to see the rest of the world just fine from Sweden. A distributed physical attack against a large number of Telco Hotels and trans-oceanic fibre landing points would be somewhat worse. It would also be very difficult to do from a laptop.

With the exception of E911 service (which normally doesn't use IP anyways), any such disruption is unlikely to really hurt anyone.

Such hand-wringing whenever someone threatens to break the Internet is maybe a sign of an unhealthy dependence on a medium that is younger than most of the people on this list? Taking the fear mongering and sabre rattling too seriously is much more dangerous than any possible network outage. -w
Re: Cyberattack FUD
I am not sure what you mean with 25% of the Internet? What connectivity would degrade? From where to where?

If you randomly select nodes to remove, by the time you have removed 25% of them, the network breaks up into many isolated islands. As Sean

Well, depending on topology and where you shut things off - you could make one new island per node I take away. I don't see anything relatively new in this. All networking people at the larger ISPs have a pretty good knowledge of exactly which nodes to take out to...

pointed out, the CAIDA study considered a sample of the 50k most connected nodes. So a successful attack aimed at 12500 big routers simultaneously would break the Internet into little pieces.

To be honest - you would need to go for far fewer than 12500 routers if you know what you are doing. That everything worked well on the Internet on 9-11 most likely comes from comparing it with the phone network. The Internet (rather, specific networks) was affected by 9-11 and only stayed up due to co-operation among a lot of people.

Taking the fear mongering and sabre rattling too seriously is much more dangerous than any possible network outage.

Although I generally agree with this - there is a large risk in underestimating the problem as well. We have for the last few years been busy catching up with the attackers, mostly because of sloppiness and laziness on the operators' side. "no ip directed-broadcast" and, more recently, the discussions of ingress filtering are just examples of this. - kurtis -
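The disagreement in the last three posts (random removal of 25% of nodes versus a far smaller, well-chosen set) is a statement about how a hub-heavy graph fragments, and it is easy to check on a toy topology. The following is an added example, not code from the thread or from the CAIDA study it references. It builds a small preferential-attachment graph as a crude stand-in for a hub-dominated network (not real AS-level data), then compares the size of the largest surviving component after removing 25% of nodes at random against removing the 25% highest-degree nodes. Sizes, seeds and the removal fraction are arbitrary choices for the demonstration.

```python
"""Random failure vs. targeted removal on a hub-heavy graph.

Added example; not from the thread or CAIDA. The graph is a synthetic
stand-in, not measured Internet topology.
"""
import random


def preferential_attachment_graph(n, m, seed=1):
    """Undirected graph as {node: set(neighbours)}.

    Starts from a clique of m+1 nodes; each later node links to m distinct
    existing nodes chosen with probability proportional to their degree, so a
    few nodes end up as hubs (Barabasi-Albert style growth).
    """
    rng = random.Random(seed)
    adj = {i: set() for i in range(m + 1)}
    for i in range(m + 1):
        for j in range(i + 1, m + 1):
            adj[i].add(j)
            adj[j].add(i)
    # Urn with one entry per edge endpoint: drawing from it is degree-weighted.
    urn = [v for v in adj for _ in adj[v]]
    for new in range(m + 1, n):
        chosen = set()
        while len(chosen) < m:
            chosen.add(rng.choice(urn))
        adj[new] = set()
        for v in chosen:
            adj[new].add(v)
            adj[v].add(new)
            urn.extend((v, new))
    return adj


def largest_component_fraction(adj, removed):
    """Share of the *surviving* nodes that sit in the largest connected component."""
    alive = set(adj) - set(removed)
    if not alive:
        return 0.0
    seen, best = set(), 0
    for start in alive:
        if start in seen:
            continue
        seen.add(start)
        stack, size = [start], 0
        while stack:  # iterative DFS over surviving nodes only
            v = stack.pop()
            size += 1
            for w in adj[v]:
                if w in alive and w not in seen:
                    seen.add(w)
                    stack.append(w)
        best = max(best, size)
    return best / len(alive)


def random_removal(adj, fraction, seed=2):
    """Random failure: a uniformly chosen subset of nodes goes away."""
    k = int(len(adj) * fraction)
    return random.Random(seed).sample(sorted(adj), k)


def targeted_removal(adj, fraction):
    """Attack: the highest-degree nodes go first (ties broken by node id)."""
    k = int(len(adj) * fraction)
    return sorted(adj, key=lambda v: (-len(adj[v]), v))[:k]


def compare(n=2000, m=2, fraction=0.25):
    """(largest-component share after random removal, same after targeted removal)."""
    adj = preferential_attachment_graph(n, m)
    return (
        largest_component_fraction(adj, random_removal(adj, fraction)),
        largest_component_fraction(adj, targeted_removal(adj, fraction)),
    )
```

With the defaults, random removal of a quarter of the nodes leaves most survivors in one component, while removing the top quarter by degree shatters it; lowering `fraction` for the targeted case shows how far below 25% the break-up starts, which is kurtis's point about needing far fewer than 12500 routers if you know which ones to pick.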
Re: Fire in Data Centre of Twente University, Netherlands
NANOG,

Wouter van Hulten wrote: [Update 20/11/2002 12:30] At this moment the ICT-heart of the university of Twente is burning. The so-called TWRC-building houses the central systems of the university; all servers and PCs will be lost and various affiliated institutes are without Internet connectivity. [...] Hosting and colo company Virtu, the neighbour of the university, has provided an IP address for the University. Further announcements are made available on http://srv1ut.utwente.virtu.nl/, an abbreviated copy of the university website.

Besides that the University of Twente at Enschede (UTwente) and various affiliated institutes lost many resources, SURFnet completely lost their PoP in Enschede, including 10 customer connections. All routing and switching gear went up in flames. Because of this the following institutions will not be reachable for some time:

* University Twente (UTwente) (130.89.0.0/16)
* Saxion Hogeschool Enschede (145.76.0.0/16)
* Instituut voor Leerplanontwikkeling (SLO) (192.87.212.0/22)
* ITC Enschede (192.87.16.0/24, 192.87.172.0/24, 192.87.173.0/24, 192.87.174.0/24)
* Telematica Instituut (195.169.16.0/23)
* Open University Deventer (145.20.114.0/24, 145.20.77.0/24, 145.20.95.0/24)
* Open University Enschede (145.20.112.0/24, 145.20.75.0/24, 145.20.93.0/24)

UTwente has dedicated a new building for ICT, and in this building the new SURFnet PoP will be built. New routing and switching gear is on its way to Enschede now, and our infrastructure suppliers are working hard to get our fiber and copper into the new building. Our current expectation is to be up and running again before the upcoming weekend starts.

__ Erik-Jan Bos Manager Network Services SURFnet Utrecht, The Netherlands
[OT] Anyone have clueful AOL postmaster contacts?
I have been wrestling with their Postmaster contact staff (via phone, and the email black holes at [EMAIL PROTECTED] and [EMAIL PROTECTED]) for over a week now. I need some sort of resolution, or anything other than Your case is open. Someone somewhere will do something. Someday. If anyone has any contacts inside AOL, I would greatly appreciate an off-list email. ~Ben --- Ben Browning [EMAIL PROTECTED] The River Internet Access Co. Network Operations 1-877-88-RIVER http://www.theriver.com
Re: Cyberattack FUD
William Waites wrote: Taking the fear mongering and sabre rattling too seriously is much more dangerous than any possible network outage. -w

The context may be different; however, the following two stories tell yet other sides of the cyber security problem. In this case, it is not the net but the users of the net, both the public (govt.) http://zdnet.com.com/2100-1105-966444.html and private sector http://computerworld.com/securitytopics/security/cybercrime/story/0,10801,76071,00.html seem susceptible. Don't know whether this is fear mongering/saber rattling or something else. -raj
on-line briefing on NRC study of Internet on 9/11 of last year
Dave Clark, Sean Donelan and I will be briefing the National Research Council report on how the Internet handled the events of 9/11/2001 on Thursday morning. The report is available on-line this evening and the briefing will be webcast. For more details see www.nas.edu Thanks! Craig
Arin Smack down?
Perhaps something I've missed, but is ARIN.Net no longer handling lookups? I usually use them to find offending users but got this when doing a lookup: No match for 64.124.168.60 Thanks in advance, off or on list. -Joe
Re: Arin Smack down?
Worked for me:

[mlyon@fitzharris mlyon]$ whois -h whois.arin.net 64.124.168.60
[whois.arin.net]
OrgName:    Abovenet Communications, Inc
OrgID:      ABVE
NetRange:   64.124.0.0 - 64.125.255.255
CIDR:       64.124.0.0/15
NetName:    ABOVENET
NetHandle:  NET-64-124-0-0-1
Parent:     NET-64-0-0-0-0
NetType:    Direct Allocation
NameServer: NS.ABOVE.NET
NameServer: NS3.ABOVE.NET
Comment:    ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate:    2000-07-06
Updated:    2001-04-27
TechHandle: NOC41-ORG-ARIN
TechName:   Metromedia Fiber Networks/AboveNet
TechPhone:  +1-408-367-
TechEmail:  [EMAIL PROTECTED]
OrgTechHandle: MFNA1-ARIN
OrgTechName:   Metromedia Fiber Networks AboveNet
OrgTechPhone:  +1-408-367-
OrgTechEmail:  [EMAIL PROTECTED]
# ARIN Whois database, last updated 2002-11-20 19:05
# Enter ? for additional hints on searching ARIN's Whois database.
[mlyon@fitzharris mlyon]$

-Mike

On Thu, 21 Nov 2002, Joe wrote: Perhaps something I've missed, but is ARIN.Net no longer handling lookups? I usually use them to find offending users but got this when doing a lookup: No match for 64.124.168.60 Thanks in advance, off or on list. -Joe
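Anyone scripting abuse lookups against whois output should handle the two failure modes visible in this thread: a "No match" reply (what the broken interface returned) and a reply that parses fine but does not actually cover the address asked about. The following is an added example, not ARIN's code or anything from the thread. It parses the key/value layout of the reply above (a shortened, constructed copy of it is embedded as sample input), collects repeated keys such as NameServer into lists, and checks that the CIDR or NetRange in the reply contains the queried address before trusting the contact fields.

```python
"""Parse an ARIN-style whois reply and verify it covers the queried address.

Added example; not ARIN's code. SAMPLE and NO_MATCH are constructed inputs
modelled on the reply pasted in the thread.
"""
import ipaddress

SAMPLE = """\
[whois.arin.net]
OrgName:    Abovenet Communications, Inc
OrgID:      ABVE
NetRange:   64.124.0.0 - 64.125.255.255
CIDR:       64.124.0.0/15
NetName:    ABOVENET
NetType:    Direct Allocation
NameServer: NS.ABOVE.NET
NameServer: NS3.ABOVE.NET
TechEmail:  [EMAIL PROTECTED]
# ARIN Whois database, last updated 2002-11-20 19:05
"""

NO_MATCH = "No match for 64.124.168.60\n"


def parse_whois(text):
    """Return (status, fields).

    status is 'ok' or 'no_match'. fields maps key -> value; a key that appears
    more than once (NameServer, CIDR on multi-block records) maps to a list.
    Comment lines (#, %) and the server banner ([...]) are skipped.
    """
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "%", "[")):
            continue
        if line.lower().startswith("no match"):
            return "no_match", {}
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key in fields:
            prev = fields[key]
            fields[key] = prev + [value] if isinstance(prev, list) else [prev, value]
        else:
            fields[key] = value
    return "ok", fields


def _as_list(value):
    return value if isinstance(value, list) else [value]


def covering_networks(fields):
    """Networks the record claims, from CIDR if present, else from NetRange."""
    nets = []
    for cidr in _as_list(fields.get("CIDR", [])):
        for part in cidr.split(","):
            if part.strip():
                nets.append(ipaddress.ip_network(part.strip(), strict=False))
    if not nets and "NetRange" in fields:
        lo, _, hi = fields["NetRange"].partition("-")
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(lo.strip()), ipaddress.ip_address(hi.strip())))
    return nets


def lookup(text, ip):
    """(status, fields) where status is 'ok', 'no_match' or 'not_covering'.

    'not_covering' means the server answered, but with a record whose address
    block does not contain ip; treating that as a hit would misattribute the
    address to the wrong organisation.
    """
    status, fields = parse_whois(text)
    if status != "ok":
        return status, fields
    addr = ipaddress.ip_address(ip)
    if not any(addr in net for net in covering_networks(fields)):
        return "not_covering", fields
    return "ok", fields
```

Feeding the output of `whois -h whois.arin.net <ip>` into `lookup` instead of eyeballing it is what you want when the next step is an automated abuse report; the `not_covering` case also catches the situation where a referral server answered with a parent record rather than the allocation you asked about.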
Re: Arin Smack down?
Thanks All for the response. Looks like the web interface (www.arin.net) is the problem. Thanks again!