Re: Scaled Back Cybersecurity

2003-01-15 Thread Sean Donelan

On Tue, 14 Jan 2003, Pete Kruckenberg wrote:
> All of the initiatives (only a couple) I've found related to
> Internet operator security collaboration all appear to be
> pre 2000. At the May 2001 NANOG, which specifically focused
> on networking security, there was no presentation or
> (significant) discussion about inter-operator security
> collaboration.

Whenever "security" comes up people get a little weird.  Nevertheless there
have been several inter-provider initiatives since 2000.

   - INOC-Dial by ASN included security contacts
   - ISP security BOF and nsp-security
   - FCC NRIC focus group on provider security best practices





Re: How do I get host records deleted?

2003-01-15 Thread william

At this time no registrar can delete host records. What they do is 
transfer your host into another specifically reserved domain, for example 
NSI uses LAME-DELEGATION.ORG, so if you had ns1.somedomain.com, it would
become LAME9.LAME-DELEGATION.ORG. Other registrars have their own 
domains for such domains (for example opensrs is NS-NOT-IN-SERVICE.COM).
Usually hosts are transferred into these domains before the domain is deleted 
(for non-payment) but if you talk to your registrar (which is difficult 
with NSI...), their engineers can do it with active domains too.

On Wed, 15 Jan 2003, Adam McKenna wrote:

> 
> On Wed, Jan 15, 2003 at 10:50:47AM -0500, Jonathan Disher wrote:
> > And it's not entirely true that "only your domain registrar has host
> > records for your domain".
> 
> You're right, but that's not what I said.
> 
> I guess the completely technically correct statement in this case would have
> been "only your registrar is able to create, delete, and modify your host
> records in whois.internic.net, and hence, your nameservers' glue records in
> the GTLD servers".
> 
> Another registrar could do whatever it wants with its own database, and
> that's exactly what NSOL does.  The only way to fix this is to do your part
> to make NSOL 'shape up or ship out'.  Transfer your domains to other 
> registrars and encourage your customers to do the same.
> 
> --Adam
> 
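
The renaming described in the post above leaves a visible trace: a domain's NS set ends up pointing into a registrar "sink" domain. The following check is an added example, not part of the original post; the sink list contains only the two domains named in the post, and the sample NS records are constructed.

```python
"""Flag delegations whose nameserver hosts were renamed into registrar sink domains."""
from collections import defaultdict

# Sink domains named in the post above; extend with others you observe.
SINK_DOMAINS = ("lame-delegation.org", "ns-not-in-service.com")

# Constructed sample NS records in zone-file style (not real data).
SAMPLE_NS = """\
example.com.      172800 IN NS ns1.example.net.
example.com.      172800 IN NS LAME9.LAME-DELEGATION.ORG.
orphan.example.   172800 IN NS lame3.lame-delegation.org.
orphan.example.   172800 IN NS ns7.NS-NOT-IN-SERVICE.COM.
healthy.example.  172800 IN NS ns1.notlame-delegation.org.
"""


def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().rstrip(".").lower()


def in_sink(host):
    """True if host is a sink domain or a name beneath one (label boundary)."""
    host = normalize(host)
    return any(host == s or host.endswith("." + s) for s in SINK_DOMAINS)


def parse_ns(text):
    """Yield (domain, nameserver) pairs from 'owner [ttl] [class] NS target' lines."""
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop zone-file comments
        if len(fields) >= 3 and fields[-2].upper() == "NS":
            yield normalize(fields[0]), normalize(fields[-1])


def audit(text):
    """Map each domain to ('ok' | 'partial' | 'lame', list of sunk nameservers)."""
    servers = defaultdict(list)
    for domain, ns in parse_ns(text):
        servers[domain].append(ns)
    report = {}
    for domain, hosts in servers.items():
        sunk = [h for h in hosts if in_sink(h)]
        status = "lame" if len(sunk) == len(hosts) else "partial" if sunk else "ok"
        report[domain] = (status, sunk)
    return report


if __name__ == "__main__":
    for domain, (status, sunk) in sorted(audit(SAMPLE_NS).items()):
        print(f"{domain:18} {status:8} {', '.join(sunk)}")
```

A "partial" result means the domain still resolves through its remaining nameservers but has lost redundancy; "lame" means every delegation points into a sink.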





Re: How do I get host records deleted?

2003-01-15 Thread Adam McKenna

On Wed, Jan 15, 2003 at 10:50:47AM -0500, Jonathan Disher wrote:
> And it's not entirely true that "only your domain registrar has host
> records for your domain".

You're right, but that's not what I said.

I guess the completely technically correct statement in this case would have
been "only your registrar is able to create, delete, and modify your host
records in whois.internic.net, and hence, your nameservers' glue records in
the GTLD servers".

Another registrar could do whatever it wants with its own database, and
that's exactly what NSOL does.  The only way to fix this is to do your part
to make NSOL 'shape up or ship out'.  Transfer your domains to other 
registrars and encourage your customers to do the same.

--Adam

-- 
Adam McKenna <[EMAIL PROTECTED]>   | GPG: 17A4 11F7 5E7E C2E7 08AA
http://flounder.net/publickey.html |  38B0 05D0 8BF7 2C6D 110A



Re: Scaled Back Cybersecurity

2003-01-15 Thread Daniel Senie

At 12:31 PM 1/15/2003, Avi Freedman wrote:



> > > - Starting at the core, which is who the Feds buy the most IP from,
> > >   still makes life a lot simpler if and when we get the "big one"
> > >   in terms of cyber-attack.
> >
> > Is not the problem with this that few if any attacks originate in the
> > core, and by the time the traffics start getting aggregated there it is
> > already more or less too late?
> >
> > - kurtis -
>
> I'm getting at attacks *on* the core as something we need to be
> concerned about...


If protecting the core includes protecting the core from further at the 
edges, then the folks running core components need to require those who 
connect to them to implement such protection (ingress filtering and 
whatever other measures are deemed helpful).

There's some precedent for this type of edict. Some years ago UUNet 
mandated anyone using their dialups MUST implement port 25 filter configs 
in their Radius servers.

Sure seems like a better thing for the core operators to do than throw 
their hands in the air and say "it's someone else's problem." 



Re: FYI: Anyone seen this?

2003-01-15 Thread alex

> This is not entirely hoax.
> 
> I know for sure (first-hand) that such actions were contemplated by at
> least some recording companies.

... and some people had most certainly been approached to write the exploit...

Alex




Re: Scaled Back Cybersecurity

2003-01-15 Thread Avi Freedman

> > - Starting at the core, which is who the Feds buy the most IP from,
> >   still makes life a lot simpler if and when we get the "big one"
> >   in terms of cyber-attack.
> 
> Is not the problem with this that few if any attacks originate in the 
> core, and by the time the traffics start getting aggregated there it is 
> already more or less too late?
> 
> - kurtis -

I'm getting at attacks *on* the core as something we need to be 
concerned about...

Thanks,

Avi




Re: Scaled Back Cybersecurity

2003-01-15 Thread Kurt Erik Lindqvist


> - Starting at the core, which is who the Feds buy the most IP from,
>   still makes life a lot simpler if and when we get the "big one"
>   in terms of cyber-attack.

Is not the problem with this that few if any attacks originate in the 
core, and by the time the traffics start getting aggregated there it is 
already more or less too late?

- kurtis -



Nordnog-2 Agenda items

2003-01-15 Thread Kurt Erik Lindqvist




The agenda items for Nordnog-2 are starting to be posted on 
http://www.nordnog.org/nordnog2/agenda.html as the speakers' final 
confirmations come in.

To register, please fill the form at http://www.nordnog.org/nordnog2 
and mail it to [EMAIL PROTECTED]

Best regards,

- kurtis -



Re: How do I get host records deleted?

2003-01-15 Thread Jonathan Disher

On Wed, 15 Jan 2003, Jeffrey Meltzer wrote:

>
> I went through this with NetSol a while ago.  It's a pain in the neck, but
> they will get it done, eventually.  First you have to call them and sit on
> hold and get transferred for about 3 days, and get a list of all domains
> which use this nameserver.  Then, you send them a fax on letterhead saying
> that those domains were never authorized to use that nameserver, etc, etc,
> etc.  Eventually, your nameserver will be removed from those domains and you
> can then delete it.  Whole process ended up taking about 2 months for me.

Must be nice.  The entire process took 6+ years for us.

And it's not entirely true that "only your domain registrar has host
records for your domain".  We recently transferred the affected domain
from Netsol to another registry, but Netsol failed to delete the host
record.  Then, when called about it, they first said we had to get the
domain list (which we have requested, literally, about a hundred times
over the years, and never gotten), or, more recently, that it wasn't even
in their database!

Finally it took threats of lawsuits (don't look at me, that wasn't my
idea.  My boss is whacked out, he likes to threaten people like that way
too much for his own good), but it disappeared.

I still think my idea of submitting an IP change for the host record to a
non-useable address (I was leaning towards 127.0.0.1, but RFC1918 addrs
will work just fine, too) would have been more effective.  But, c'est la
vie.

-j




Re: FYI: Anyone seen this?

2003-01-15 Thread Nathan J. Mehl

In the immortal words of blitz ([EMAIL PROTECTED]):
> 
> From ISN:
> 
> >http://www.theregister.co.uk/content/6/28842.html

Wow.  With one post to bugtraq, gobbles has now successfully trolled
the register, slashdot, and now nanog.

Somebody buy that turkey a beer.

-n

<[EMAIL PROTECTED]>
"For years, I've been predicting that artists, writers, and filmmakers would 
be paid by the government not to produce work, just like farmers are paid not 
to grow food.  Or that they'd be paid to make their work, but would then be 
forced to store it in a silo unshown or unread.  But now I see I was a little 
off in my prediction. The Internet is that silo."   (--Slotcar Hatebreath)




Re: FYI: Anyone seen this?

2003-01-15 Thread Vadim Antonov


This is not entirely hoax.

I know for sure (first-hand) that such actions were contemplated by at
least some recording companies.

--vadim


On Wed, 15 Jan 2003, Marshall Eubanks wrote:

> The feeling in the music community is that this is almost certainly a 
> hoax.
> 
> Of course, RIAA apparently tried to legalize such activities in the 
> Berman Bill.
> 
> > Of course, even if it were true, they'd probably want to deny it, since
> > they haven't gotten their "hack back" legislation passed yet :)




Re: How do I get host records deleted?

2003-01-15 Thread Jeffrey Meltzer

I went through this with NetSol a while ago.  It's a pain in the neck, but
they will get it done, eventually.  First you have to call them and sit on
hold and get transferred for about 3 days, and get a list of all domains
which use this nameserver.  Then, you send them a fax on letterhead saying
that those domains were never authorized to use that nameserver, etc, etc,
etc.  Eventually, your nameserver will be removed from those domains and you
can then delete it.  Whole process ended up taking about 2 months for me.

Jeff


On Tue, Jan 14, 2003 at 10:54:31PM -0800, Adam McKenna wrote:
> 
> On Tue, Jan 14, 2003 at 10:53:47PM -0800, Matthew Kaufman wrote:
> > 
> > 
> > I have IP address space. An address in that address space is listed as
> > a host record for a fair number of domains that are not mine. Hence, DNS
> > requests come to that address. But I cannot delete the host record, because
> > there are domains using it.
> > 
> > Is there a magic contact somewhere at Network Solutions that can fix this?
> 
> Is there really an appreciable amount of traffic being caused by this?
> 
> Anyway, only your registrar can delete host records.  If Network Solutions is
> your registrar, then they can do it.  If they refuse (due to the host being
> in use), then your best bet might be to change it to another address, 
> possibly one you've null routed.
> 
> --Adam
> 
> -- 
> Adam McKenna <[EMAIL PROTECTED]>   | GPG: 17A4 11F7 5E7E C2E7 08AA
> http://flounder.net/publickey.html |  38B0 05D0 8BF7 2C6D 110A

-- 
Jeffrey Meltzer
ICS/VillageWorld
631-218-0700 x100




Re: Scaling up Internet Security (was: Scaled Back Cybersecurity)

2003-01-15 Thread bmanning

> > > i've had absolutely no luck getting the source isp's to care about
> > > the problems i've seen at my home firewall in recent weeks.
> 
> > we try hard to send out
> > correlated and filtered reports in a standardized format to valid
> > 'contact' addresses. There are some success stories, but more misses
> > than hits overall. 
> 
> All of this requires an ISAC dedicated to the purpose of analyzing and 
> stamping out network abuse.
> 
> --Michael Dillon
> 

what might be tough is to come up with a universal definition
of "network abuse".  even harder will be a change in the fundamental
nature of IP, while maintaining backward compatibility with the
existing technology (source vs destination orientation).

then there is the problem of "walled gardens"/NATs that allow/encourage
anonymous behaviour (bad contacts) and the lack of consistent
standards for maintaining accurate contact data (goofy "privacy"
laws)...

the only saving grace is that business relationship you have with
your immediate peers/transit providers. they can help you from
seeing stuff you don't want to see.  The trick question is, can 
they accommodate your desires along with the rest of their 10,000,000
customers?  Esp. with the technologies available to them?

--bill



Re: FYI: Anyone seen this?

2003-01-15 Thread Marshall Eubanks

The feeling in the music community is that this is almost certainly a 
hoax.

Of course, RIAA apparently tried to legalize such activities in the 
Berman Bill.

 Regards
 Marshall Eubanks

On Wednesday, January 15, 2003, at 12:09  AM, [EMAIL PROTECTED] wrote:

> On Tue, 14 Jan 2003 20:16:31 EST, blitz <[EMAIL PROTECTED]>  said:
>
> > http://www.theregister.co.uk/content/6/28842.html
> >
> > By Andrew Orlowski in San Francisco
> > Posted: 14/01/2003
> >
> > The RIAA is preparing to infect MP3 files in order to audit and
> > eventually disable file swapping, according to a startling claim by
>
> The RIAA denies all knowledge...
>
> http://www.eweek.com/article2/0,3959,827970,00.asp
>
> Of course, even if it were true, they'd probably want to deny it, since
> they haven't gotten their "hack back" legislation passed yet :)



T.M. Eubanks
Multicast Technologies, Inc.
10301 Democracy Lane, Suite 410
Fairfax, Virginia 22030
Phone : 703-293-9624   Fax : 703-293-9609
e-mail : [EMAIL PROTECTED]
http://www.multicasttech.com

Test your network for multicast :
http://www.multicasttech.com/mt/
 Status of Multicast on the Web  :
 http://www.multicasttech.com/status/index.html




Scaling up Internet Security (was: Scaled Back Cybersecurity)

2003-01-15 Thread Michael . Dillon

> > i've had absolutely no luck getting the source isp's to care about
> > the problems i've seen at my home firewall in recent weeks.

> hehe... I know the feeling. With DShield, we try hard to send out
> correlated and filtered reports in a standardized format to valid
> 'contact' addresses. There are some success stories, but more misses
> than hits overall. 

I think these efforts would get a lot of attention if there were two 
changes to the notification procedure:

1. The notice started by saying "This is a notice according to the 
procedures of the ISP-ISAC which operates in coordination with the FBI's 
NIPC (National Infrastructure Protection Center)". Of course before you can 
put this notice in your email the industry would first have to create the 
ISP-ISAC (see http://www.nipc.gov/infosharing/infosharing6.htm for background) and the 
ISAC would have to agree on some basic procedures 
for notifying other ISPs when network abuse occurs. But this is not rocket 
science and I think a half-dozen of the larger ISPs could kick this off 
with some kind of a BOF at NANOG.

2. If the email notice doesn't get a response, follow it up with a letter 
on paper to the company concerned and include another letter explaining 
the benefits of being an active participant in the ISAC (Information 
Sharing and Analysis Center). The paper letter could be addressed to the 
legal department because this really is a compliance issue. In other words 
the time could come when companies who do not comply with industry 
standards for cooperation in addressing network abuse will find themselves 
facing lawsuits. If you can get a company's legal department to agree that 
participation in an ISAC is a good way to cover their ass, then you will 
find it a lot easier to get inter-company cooperation.

The other ISACs can be of use too. Imagine that you have a DDOS in 
progress and you can track it back to a number of compromised servers. 
Some of them are colocated so the ISP-ISAC would directly notify the 
hosting companies concerned. Some of them belong to companies who appear 
to be in the financial services industry so you notify the FS-ISAC about 
those ones. Some of the servers appear to be suffering from security holes 
that are introduced by using default install options for the O/S so you 
notify the IT-ISAC about those ones.

Before long the members of the FS-ISAC are requiring their business 
partners to secure their Internet servers, the OS vendors are tightening 
up baseline OS security and the hosting companies are securing or shutting 
down compromised servers. The press reports on all of this activity and 
managers in all types of businesses and organizations start asking 
searching questions about the security of their own infrastructure. Or 
maybe the FS-ISAC gets all bank managers to ask questions about security 
as part of their regular business review meetings with customers. 

All of this requires an ISAC dedicated to the purpose of analyzing and 
stamping out network abuse.

--Michael Dillon