Re: White House to Propose System for Wide Monitoring of Internet(fwd)
> Also, this threat can be mitigated more cost effectively through > system and network hardening than by expanding the monitoring > infrastructure to be able to handle such a difficult to > codify threat (in any general sense). I agree totally. However, it's unglamorous, and not as sexy of an announcement - or as cool looking - as saying the Federal UberSOC is on its way. But it's Uncle Sam doing what he does best - reinventing a less-capable wheel at a higher cost. > Cyberattacks (again IMHO) are still in the realm of being opportunistic, > as we have seen that given as little as $5-10,000, the resources necessary > to reliably cause widespread damage are better spent on a plane ticket than > a hacker. Definitely agree - 0911 was done for under $150K according to some reports, and if you think about it, the terrorists got a heck of a return for their investment, far more than they could hope to achive in a 'cyberwar' attack. The motive of terrorism is to sow fear. There's much more visceral fear seeing the WTC collapse than watching a graphic on television trying to show how a buffer overflow worked on SCADA system. :) > The cyberterrorist threat is based upon the exposure of network systems > and the motivation of the attacker. What is not taken into account in > this threat description is the other, more reliable and severe options > available to someone with the same resources and motives. No, the cyberterrorist threat is a sensational concept based on FUD, ignorance, and hypeand believed to be true by the same politicos who think "Swordfish" was a realistic movie about INFOSEC. If we're going to say there are cyberterrorists, then we've got to start saying 0911 was the result of aeroterrorists. The manner in which the attack is carried out doesn't matter -- terrorism is terrorism is terrorism. As George Carlin might say, "there are no cyberterrorists." In this case, instead of accepting responsibility for our actions (or inactions) regarding INFOSEC, we point fingers at anyone else - such as phantom cyberterrorists - to avoid responsibility and accountability. It's nothing more than the latest version of Passing The Buck. We see INFOSEC incidents occur regularly because WE MAKE IT EASY FOR THEM TO OCCUR and thus BRING IT ON OURSELVESeither through poor management, bad system/network administration and design, or shoddy software. (BTW, I meant "we" in terms of the IT Society, not "we" meaning the experts here on NANOG!) > threat model, we can be relatively successful. However, some threats > are best dealt with by limiting our assets exposure to them instead of > building in safeguards whose reliability is inversely proportional to > their complexity. :) Which goes along with what I tell students at NDU each month -- if something's deemed a 'critical infrastructure system' (SCADA, banking, etc.) it should not be on any publicly-accessible network, and the higher costs associated with higher levels of security (eg, using dedicated, privately-owned pipes vice a VPN over the Internet) must be an acceptable and necessary part of the security solution. If something's deemed 'critical' to a large segment of the population, then security must NEVER outweigh conveinience. Period. Non-negotiable. > inherant administrative overhead of tracking them. The only > defense against them is to keep your patch levels current, your > firewalls strict, and watch until they get lazy and make a mistake. Amen! This goes back to making sure system admins are competent, trained, and have the time to ensure these security functions are carried out. Unfortunately, I've found they spend most of their time hunting repeated problems in certain mainstream OS environments -- which means that PROACTIVE security routinely takes a back-burner to REACTING to the latest overflow, trojan, worm, or virusor to a 'new' problem injected by the vendor-endorsed patches that allegedly fixed existing ones. Of course, while no OS is perfect, if our systems weren't built on such a flaky foundation, we'd have more time to work on securing them instead of just keeping them operational and somewhat less-annoying while simultaneously providing a self-inflicted target of opportunity for some n'er-do-well. > It does not matter who is watching if you are invisible. A > sensor can only see what it is looking for. A hacker cannot > be seen merely by looking. Hence the need for intelligent network monitoring and pattern profiling, something I've been mulling over for a while now. /rant. :) Rick Infowarrior.org
Re: White House to Propose System for Wide Monitoring of Internet(fwd)
On Sat, 21 Dec 2002, Christopher L. Morrow wrote: Regarding CenterTrack: : :its not that they misinterpretted, its that its NOT EVER been implemented. I am content to believe you. However, that CenterTrack has never been implemented does not mean that a system for collecting IP session data has never been implemented. This further suggests that automated law enforcement access is also not impossible, which was my original point. :Ok, so lets say you wanted to IDS the 'internet' or 'any large ISP' :(Verio/UU/AOL/ATT/Sprint... make your list) there is little gig-e to :monitor, alot of oc-12/48/192. There isn't an IDS that can truely monitor :a oc-12 yet, never mind multipath oc-12's (dual/tri/quad paths in the same :box) Anyone with that size link could be deemed "carrier class" and be compelled to install monitoring equipment within their network. Though admittedly I don't think it's useful to speculate on the legislative "could"'s. :Hmm, actually it is pretty darned simple, no-export+no-advertise do this :for you quickly, then trigger when you want to watch paul vixie's hotmail :activities... simple enough really. This gets back to distributing :'sensors' to each pop, on each carrier and having dedicated ports on :routers to support this... This seems like a very large cost to bear, more :than 'cost of doing business'. Those costs of doing business can be regulated, which it looks like they just might be. Same as the whole PEN register thing for telcoms. Also, if you have an existing IDS infrastructure, it is not difficult to add this kind of LEO-access to it. It is as simple as giving them a view of your security management console. :all of these vendors provide products capable of this kind of :'surveillance', whether or not thats the touted talking point or not, each :can provide this 'surveillance'. At least one of the vendors you listed does in fact tout the products surveillance features, at least during their sales pitch. The funny thing in my biz (IT security) is that I think it's the only one where people sell things by not saying what they can be used for. They nod meaningfully while saying that they can't really say just what it is that people use it for. Customers think "Wow, I've never even heard of this, and the sales guy won't even tell me what it does, it *must* be valuable beyond imagination!". To hear them tell it, it's as if they are selling a turnkey blackbox ROI Generator, which uses top secret military technology that "leverages dynamic security policies". Before there was carnivore, law enforcement got access to network data, and I have a few anecdotal accounts of how this was done. There is no reason why LEA's couldn't ask ISP's to permanently integrate this access into their networks. -- batz
Re: White House to Propose System for Wide Monitoring of Internet(fwd)
On Mon, 23 Dec 2002 [EMAIL PROTECTED] wrote: :Unfortunately, this is (or should be) part of the threat model. What makes :you think that J Random Cyberterrorist is any stupider than the guys Stoll :was chasing? Because Random J Cyberterrorist would know that the probability of success and scope of damage of his action is substantially less than that of a physical attack, given the resources he has to spend on it. Also, this threat can be mitigated more cost effectively through system and network hardening than by expanding the monitoring infrastructure to be able to handle such a difficult to codify threat (in any general sense). Cyberattacks (again IMHO) are still in the realm of being opportunistic, as we have seen that given as little as $5-10,000, the resources necessary to reliably cause widespread damage are better spent on a plane ticket than a hacker. The cyberterrorist threat is based upon the exposure of network systems and the motivation of the attacker. What is not taken into account in this threat description is the other, more reliable and severe options available to someone with the same resources and motives. In the triage of sorting out what to protect and how to protect it, we can exercise lots of control over our technology, and given a limited threat model, we can be relatively successful. However, some threats are best dealt with by limiting our assets exposure to them instead of building in safeguards whose reliability is inversely proportional to their complexity. :) Thus (IMHO again) there is limited value in using what is ultimately a passive monitoring technology to combat the most agile and directed threats against the network. These agile threats being sophisticated hackers using multiple source hosts and jurisdictions, who can evade sensors and who leverage the inherant administrative overhead of tracking them. The only defense against them is to keep your patch levels current, your firewalls strict, and watch until they get lazy and make a mistake. The only way to catch them is if they use multiple sources over a short period of time with diverse attacks, thus your search token in the logs would be the timeframe. Needless to say, given the amount of cruft that sensors amass, this isn't very reliable. I have a hacker koan that expresses this problem: It does not matter who is watching if you are invisible. A sensor can only see what it is looking for. A hacker cannot be seen merely by looking. Cheers:) -- batz
Re: White House to Propose System for Wide Monitoring of Internet (fwd)
Thus spake <[EMAIL PROTECTED]> > On Mon, 23 Dec 2002 13:26:16 EST, batz said: > > The interjurisdictional administrative hell makes it more cost > > effective to just lock down your network than to re-enact The Cuckoos > > Egg. > > Unfortunately, this is (or should be) part of the threat model. What > makes you think that J Random Cyberterrorist is any stupider than > the guys Stoll was chasing? Whether they're smart or dumb is moot when there's 100+ human attacks (not [D]DoS) against your network every day, plus tens of thousands of worms. It's simply not possible to respond in any meaningful way. Even if you could track down each attacker, they are often in countries that don't consider hacking a crime and won't grant extradition. This is why many organizations (eg .MIL) try to filter non-US addresses. S
Re: White House to Propose System for Wide Monitoring of Internet (fwd)
On Mon, 23 Dec 2002 13:26:16 EST, batz said: > You will miss script kids that bounce all over their compromised > machines around the world, but even if you collected all the information > about those attacks, there is little value in tracking them down anyway. > The interjurisdictional administrative hell makes it more cost > effective to just lock down your network than to re-enact The Cuckoos > Egg. Unfortunately, this is (or should be) part of the threat model. What makes you think that J Random Cyberterrorist is any stupider than the guys Stoll was chasing? -- Valdis Kletnieks Computer Systems Senior Engineer Virginia Tech msg07585/pgp0.pgp Description: PGP signature
Re: White House to Propose System for Wide Monitoring of Internet(fwd)
On Sun, 22 Dec 2002, Sean Donelan wrote:
:On any major backbone the IDS function becomes
:
:GlobalIDSFunction() {
: While (1) {
: printf("Attack Detected!");
: }
:}
:
:Do you really want an automatic wiretap installed on your line
:every time an attack is detected? Have you recently connected a
:system to the Internet that hasn't been attacked?
It depends on the attack you are looking for. All signatures are not
created equal. Also, the actual logic is a little more like:
For each attack_source_ip, if all attacks in attack_source are
the same, send low alert. If attacks from any single attack_source
are different, with a range of more than 2 distinct attacks,
look into it. attack_source can be anything from a /32 to a /24,
with monthly reports breaking it down into the diversity of attacks
originating from certain ASN's so that followup can be done with
the ISP.
The idea being that you only respond to incidents where followup
may yeild meaningful results. Those incidents can be recognized
by the diversity of attacks originating from a single area and
followed up based on their ISP. The diversity of attacks will
provide compelling evidence that there is someone making a
concerted effort to crack a network, instead of just worm
activity.
You will miss script kids that bounce all over their compromised
machines around the world, but even if you collected all the information
about those attacks, there is little value in tracking them down anyway.
The interjurisdictional administrative hell makes it more cost
effective to just lock down your network than to re-enact The Cuckoos
Egg.
Back to the law enforcement access issue, they could really just be
collecting intelligence from the sensors, to inform their decision
on who to follow up with an investigation on. IDS's aren't as useful
for giving evidence (IMHO) because there are too many variables
(like asymmetry, log integrity, chain of evidence etc) to take into
account. What they can do very well is tell you where suspicious
activity is originating from and tell you whether further analysis
is warranted. eg, whether to have someone sieze the machine as
physical evidence, as that's where it's all got to come from
for prosecution anyway, or to monitor that sites traffic for
more information before launching a full seizure.
So, the value of an IDS, or law enforcement access to IDS-like
devices for sifting information, is to assess who they should be
investigating, not to be used as an investigative tool by itself.
As for how they can do it, they can't put it in a core somewhere.
They would have to put inexpensive ones connected as close
to the customer equipment as possible.
This could be at the edge of a CUG as some people call it, or
as Chris Morrow mentioned, one in each POP.
As far as doing it at an exchange point, it is still possible to
redirect all traffic originating from within a large ISP and
destined to a single site through a secondary GigE monitoring
network. I would be suprised if anyone currently sustains 500Mb/s
of traffic from one of customers to any single IP address that
is outside their own network. It doesn't matter if I am wrong,
as for the purposes of monitoring for further information,
it still works.
Adding them to POP's would make sense as there is a geographical
basis for their distribution, something law enforcement likes
and understands quite well, as that's how their jurisdictions
are laid out.
The reason I am persuing this is that I would hate for
people to waste their energy insisting that ubiquitous intelligence
and law enforcement access to Internet traffic is impossible.
It can be made very possible, just not in the way, or for the
same reasons, some people might imagine it.
--
batz
Bogus ASN tracking
Hi, NANOGers. Bogon prefixes aren't the only bits of garbage one will find in the Internet routing table. There are also bogus (unallocated, reserved, and private) ASNs to be found therein. Please take a moment to check my Bogus ASN Report. I have recently enhanced it a bit to include the full path and better tracking. The report is updated hourly, and you will find it here: http://www.cymru.com/BGP/asnbogusrep.html Comments and feedback are always welcome! Thanks! Rob. -- Rob Thomas http://www.cymru.com ASSERT(coffee != empty);
Analyzing The Cidr Report (fwd)
I've agreed to analyze the CIDR Report, to understand why people don't
aggregate more/better, as suggested below. I'll look into AS701, and
(time and security permitting) any other UUNET ASN. I do expect to make
my findings public, at least in summary form.
Whatever I find will be more useful if other operators do the same, so
we can present an overall analysis of many of the top "offenders" of
poor aggregation. At first glance, it looks like it may not require
too much time, but I would like to agree on a methodology and a final
report format. So if anyone from any of the operators listed below
would like to work jointly, reply privately and we'll work out the
details.
--
Lee Howard [EMAIL PROTECTED] (703) 886-5231
Sr. Manager Internet Installations,
WorldComIP Policy and Allocations
-- Forwarded message --
Date: Fri, 13 Dec 2002 22:00:00 +1100 (EST)
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED],
[EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: [apops] The Cidr Report
This report has been generated at Fri Dec 13 21:45:30 2002 AEST.
The report analyses the BGP Routing Table of an AS4637 (Reach) router
and generates a report on aggregation potential within the table.
Check http://www.cidr-report.org/as4637 for a current version of this report.
Recent Table History
Date PrefixesCIDR Agg
06-12-02116870 84511
07-12-02116855 84559
08-12-02116930 84442
09-12-02116755 84596
10-12-02116879 84724
11-12-02117039 84740
12-12-02117133 84733
13-12-02116860 84827
AS Summary
14178 Number of ASes in routing system
5599 Number of ASes announcing only one prefix
1805 Largest number of prefixes announced by an AS
AS3908 : SUPERNETASBLK SuperNet, Inc.
72982528 Largest address span announced by an AS (/32s)
AS568 : SUMNET-AS DISO-UNRRA
Aggregation Summary
The algorithm used in this report proposes aggregation only
when there is a precise match using the AS path, so as
to preserve traffic transit policies. Aggregation is also
proposed across non-advertised address space ('holes').
--- 13Dec02 ---
ASnumNetsNow NetsAggr NetGain % Gain Description
Table 116935847903214527.5% All ASes
AS3908 1805 1063 74241.1% SUPERNETASBLK SuperNet, Inc.
AS701 1676 1219 45727.3% ALTERNET-AS UUNET
Technologies, Inc.
AS18566 4195 41498.8% COVAD Covad Communications
AS7018 1389 1014 37527.0% ATT-INTERNET4 AT&T WorldNet
Services
AS4323 524 185 33964.7% TW-COMM Time Warner
Communications, Inc.
AS1221 1162 843 31927.5% ASN-TELSTRA Telstra Pty Ltd
AS6197 456 141 31569.1% BATI-ATL BellSouth Network
Solutions, Inc
AS7843 596 295 30150.5% ADELPHIA-AS Adelphia Corp.
AS4355 405 136 26966.4% ERMS-EARTHLNK EARTHLINK, INC
AS6347 352 85 26775.9% DIAMOND SAVVIS Communications
Corporation
AS7046 586 319 26745.6% UUNET-CUSTOMER UUNET
Technologies, Inc.
AS22927 289 22 26792.4% AR-TEAR2-LACNIC TELEFONICA DE
ARGENTINA
AS1239 935 670 26528.3% SPRINTLINK Sprint
AS705434 195 23955.1% ASN-ALTERNET UUNET
Technologies, Inc.
AS4814 249 15 23494.0% CHINANET-BEIJING-AP China
Telecom (Group)
AS1 665 440 22533.8% GNTY-1 Genuity
AS6198 420 201 21952.1% BATI-MIA BellSouth Network
Solutions, Inc
AS17676 232 28 20487.9% GIGAINFRA XTAGE CORPORATION
AS690513 319 19437.8% MERIT-AS-27 Merit Network Inc.
AS6140 314 121 19361.5% IMPSAT-USA ImpSat
AS4151 326 135 19158.6% USDA-1 USDA
AS4134 292 108 18463.0% ERX-CHINALINK Data
Communications Bureau
AS209519 339 18034.7% ASN-QWEST Qwest
AS852625 445 18028.8% ASN852 Telus Advanced
Communications
AS2048 260 88 17266.2% LANET-1 State of Louisiana
AS6327 183
Re: Optical interface failure rates
Thus spake "David Waitzman" <[EMAIL PROTECTED]> > Historically, optical interfaces have had lower reliability (MTBF) than > electrical interfaces, of the same rate, due to a high burnout rate for the > lasers. This has apparently changed now, and optical failure rates are > lower. > > Do customers perceive this as true? My experience is that product failure is almost exclusively due to design or manufacturing problems, or customer damage (e.g. floods, ESD). The best resource for this data would be your vendors' RMA departments. > And in terms of all optical interface types, if you want roughly 10Gbps > speed but are agnostic about how, what about OC192C POS interfaces > versus 10Gig Ether? In theory, both MTBF and price will be lower for the simpler technology, but by the same token that simpler technology may not support all the features you need. It's hard to say what's best if you don't list your criteria. S
Optical interface failure rates
Historically, optical interfaces have had lower reliability (MTBF) than electrical interfaces, of the same rate, due to a high burnout rate for the lasers. This has apparently changed now, and optical failure rates are lower. Do customers perceive this as true? Do you know of estimates for MTBF for lasers vs copper, for example, 1Gig ether O versus E? Assume that we're talking VSR usage; otherwise copper wouldn't be suitable. And in terms of all optical interface types, if you want roughly 10Gbps speed but are agnostic about how, what about OC192C POS interfaces versus 10Gig Ether? thanks, -david waitzman
