ISPs are asked to block yet another port
http://www.lurhq.com/popup_spam.html

> LURHQ Corporation has observed traffic to large blocks of IP addresses on udp port 1026. This traffic started around June 18, 2003 and has been constant since that time. LURHQ analysts have determined that the source of the traffic is spammers who have discovered that the Windows Messenger service listens for connections on port 1026 as well as the more widely-known port 135. Windows Messenger has been a target for spammers since late last year, because it allows anonymous pop-up messages to be displayed on any Windows system running the messenger service. Due to widespread abuse, many ISPs have moved to block inbound traffic on udp port 135. It appears the spammers have adapted, so ISPs are urged to block udp port 1026 inbound as well.

How many ports should ISPs block? People still buy and connect insecure computers to the net.
Re: ISPs are asked to block yet another port
On Monday, 2003-06-23 at 01:59 AST, Sean Donelan [EMAIL PROTECTED] wrote:

> http://www.lurhq.com/popup_spam.html
>
> > LURHQ Corporation has observed traffic to large blocks of IP addresses on udp port 1026. This traffic started around June 18, 2003 and has been constant since that time. LURHQ analysts have determined that the source of the traffic is spammers who have discovered that the Windows Messenger service listens for connections on port 1026 as well as the more widely-known port 135. Windows Messenger has been a target for spammers since late last year, because it allows anonymous pop-up messages to be displayed on any Windows system running the messenger service. Due to widespread abuse, many ISPs have moved to block inbound traffic on udp port 135. It appears the spammers have adapted, so ISPs are urged to block udp port 1026 inbound as well.
>
> How many ports should ISPs block? People still buy and connect insecure computers to the net.

Good point. In this case, stateless blocking of traffic to 1026/udp will block several per cent of the responses to dns queries (in addition to substantial other legitimate traffic). This is a denial of service for your own customers.

Tony Rall
Re: ISPs are asked to block yet another port
The description by LURHQ is misleading. Messenger is an RPC service. Typical pop-up spammers queried 135 (Windows RPC portmapper) to find the port number of the messenger service, then send the message to that port. It turns out that messenger can typically be found on 1026.

And as was noted earlier, unconditionally blocking udp/1026 will cause a lot of collateral damage when udp/1026 outbound is used as an ephemeral port for a legitimate UDP-based service (DNS, NTP, etc).

Jeff
Re: ISPs are asked to block yet another port
At 2:58 -0400 6/23/03, Jeff Kell wrote:

> And as was noted earlier, unconditionally blocking udp/1026 will cause a lot of collateral damage when udp/1026 outbound is used as an ephemeral port for a legitimate UDP-based service (DNS, NTP, etc).
>
> Jeff

It's been a long time since I did any substantial BSD-socket coding, but, back in the day, when you asked for socket 0 in a bind call, the OS would just pick one. The first (unused) one chosen would be 1024, then incrementally pick the next up to some limit where it would then circle around. Most clients (incl. DNS resolvers) would ask for port 0, so, well, y'all can predict the result if you were to filter any of the user space ports.

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                            +1-703-227-9854
ARIN Research Engineer

...as graceful as a blindfolded bull in a china shop...
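The collateral damage Tony Rall and Jeff Kell describe, modelled as an added example (not code from the thread): a resolver that bind()s to port 0 and is handed 1026 by the sequential allocator Ed Lewis recalls, then a stateless inbound block on udp/1026 compared with a filter that tracks outbound requests. All addresses, the allocator range (1024-5000) and the traffic are constructed.

```python
"""Stateless vs. stateful handling of udp/1026 (added example, not from the thread)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

BLOCKED_UDP_PORT = 1026


class BsdStyleEphemeralAllocator:
    """Hand out the lowest free port from `first` upward, wrapping at `last`
    (constructed model of the old BSD behaviour, not any real kernel)."""

    def __init__(self, first: int = 1024, last: int = 5000) -> None:
        self.first, self.last = first, last
        self.in_use: Set[int] = set()
        self.next = first

    def bind_port_zero(self) -> int:
        """Equivalent of bind() with sin_port == 0: the OS picks the port."""
        for _ in range(self.last - self.first + 1):
            port, self.next = self.next, self.next + 1
            if self.next > self.last:
                self.next = self.first
            if port not in self.in_use:
                self.in_use.add(port)
                return port
        raise OSError("no free ephemeral ports")


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" = toward the customer, "out" = from the customer
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


Verdicts = Dict[Packet, str]


def stateless_filter(pkts: List[Packet]) -> Verdicts:
    """Plain ACL: drop every inbound datagram to udp/1026, solicited or not."""
    return {
        p: "drop" if p.direction == "in" and p.proto == "udp" and p.dport == BLOCKED_UDP_PORT else "pass"
        for p in pkts
    }


def stateful_filter(pkts: List[Packet]) -> Verdicts:
    """Drop inbound udp/1026 only when no matching outbound request was seen first."""
    outstanding: Set[Tuple[str, str, int, str, int]] = set()
    verdicts: Verdicts = {}
    for p in pkts:
        if p.direction == "out":
            outstanding.add((p.proto, p.src, p.sport, p.dst, p.dport))
            verdicts[p] = "pass"
            continue
        solicited = (p.proto, p.dst, p.dport, p.src, p.sport) in outstanding
        blocked = p.proto == "udp" and p.dport == BLOCKED_UDP_PORT and not solicited
        verdicts[p] = "drop" if blocked else "pass"
    return verdicts


# Constructed endpoints (RFC 5737 documentation ranges).
CUSTOMER, RESOLVER, SPAMMER = "192.0.2.10", "198.51.100.53", "203.0.113.66"


def constructed_traffic() -> Tuple[Packet, Packet, Packet]:
    alloc = BsdStyleEphemeralAllocator()
    alloc.bind_port_zero()                  # 1024: some other socket on a fresh host
    alloc.bind_port_zero()                  # 1025
    resolver_port = alloc.bind_port_zero()  # 1026: the resolver's socket
    query = Packet("out", "udp", CUSTOMER, resolver_port, RESOLVER, 53)
    reply = Packet("in", "udp", RESOLVER, 53, CUSTOMER, resolver_port)
    popup = Packet("in", "udp", SPAMMER, 4321, CUSTOMER, 1026)  # unsolicited pop-up
    return query, reply, popup


def compare_policies() -> Dict[str, Dict[str, str]]:
    """Verdict per policy for the legitimate DNS reply and the unsolicited pop-up."""
    query, reply, popup = constructed_traffic()
    pkts = [query, reply, popup]
    result = {}
    for name, policy in (("stateless", stateless_filter), ("stateful", stateful_filter)):
        v = policy(pkts)
        result[name] = {"dns_reply": v[reply], "popup": v[popup]}
    return result
```

Running `compare_policies()` shows the stateless ACL discarding the customer's own DNS reply along with the pop-up, while the stateful filter drops only the pop-up.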
Re: ISPs are asked to block yet another port
Sean Donelan wrote:

> http://www.lurhq.com/popup_spam.html
>
> > LURHQ Corporation has observed traffic to large blocks of IP addresses on udp port 1026.
> [...]

I haven't (yet) seen any scans of port 1026, but looking at my (home) logs I have seen several with a fixed source port of 1026 (destination of 137). Heh.

Peter E. Fry
Re: ISPs are asked to block yet another port
On Mon, 23 Jun 2003, Sean Donelan wrote:

> http://www.lurhq.com/popup_spam.html
>
> How many ports should ISPs block? People still buy and connect insecure computers to the net.

ISP's could block all ports and save everyone the hassle of having an Internet (I am just kidding of course)

Two interesting points though:

1) Spammers adapt
2) default insecure OS installs cause problems

Not new points, but interesting nonetheless. Spammers have adapted quite quickly and readily to almost all 'fixes' imposed by providers and most default OS installs are insecure still after all this time. With notable exceptions most OS installs are still tailored for closed network installs, lots of never to be used ports listening with old versions of daemons installed :(
Re: ISPs are asked to block yet another port
On Mon, Jun 23, 2003 at 03:59:56PM +, Christopher L. Morrow wrote:

> On Mon, 23 Jun 2003, Sean Donelan wrote:
>
> > http://www.lurhq.com/popup_spam.html
> >
> > How many ports should ISPs block? People still buy and connect insecure computers to the net.
>
> ISP's could block all ports and save everyone the hassle of having an Internet (I am just kidding of course)
>
> Two interesting points though:
>
> 1) Spammers adapt
> 2) default insecure OS installs cause problems
>
> Not new points, but interesting nonetheless. Spammers have adapted quite quickly and readily to almost all 'fixes' imposed by providers and most default OS installs are insecure still after all this time. With notable exceptions most OS installs are still tailored for closed network installs, lots of never to be used ports listening with old versions of daemons installed :(

I think that many can learn from this. Instead of defaulting with everything enabled, default with the services installed but disabled so they can be easily enabled. This is fairly easy to do and something that has gradually changed in the free UNIX(r) community over the past years. RedHat (for example) no longer enables every possible service by default and requires you to enable these features to protect your machine from being compromised by software you didn't know you had.

Not every machine needs to run its own nameserver. While there are some services that are safe(er) to have enabled by default as it improves the usability of the machine, some of these things are just silly to be enabled on consumer (home) machines.

I hope all the vendors out there get a clue on this and stop enabling insecure methods of access by default. (eg: telnet)

- Jared

--
Jared Mauch  | pgp key available via finger from [EMAIL PROTECTED]
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
Re: ISPs are asked to block yet another port
[EMAIL PROTECTED] (Christopher L. Morrow) writes:

> ISP's could block all ports and save everyone the hassle of having an Internet (I am just kidding of course)
>
> Two interesting points though:
>
> 1) Spammers adapt
> 2) default insecure OS installs cause problems

3) thoughtless reactionism at isp's does little good and sometimes some harm.

take for example port-25 blocking. i've been getting relayprobed all weekend by someone who gets around outbound att's tcp/25 SYN blocking by sending their SYN's through a provider who shall remain nameless (except that chris morrow happens to work there :-)) using att IP source addresses. i guess they multihomed their host and bind()'d the outbound socket to one interface even while making sure the routing used a different interface. high rocket science? NOT.

so if you're going to block tcp/25 SYNs on outbound, please make sure you block SYN/ACK's on input too, or else you just give the spammers a little more work to do instead of a lot more work to do.

--
Paul Vixie
Re: ISPs are asked to block yet another port
On 23 Jun 2003, Paul Vixie wrote:

> 3) thoughtless reactionism at isp's does little good and sometimes some harm.
>
> take for example port-25 blocking. i've been getting relayprobed all weekend by someone who gets around outbound att's tcp/25 SYN blocking by sending their SYN's through a provider who shall remain nameless ...
>
> so if you're going to block tcp/25 SYNs on outbound, please make sure you block SYN/ACK's on input too, or else you just give the spammers a little more work to do instead of a lot more work to do.

We used to provide dial-up ports to a large cut-rate dial provider who I'm not going to name. Their reaction to such games was to send in their radius auth packets data filters to block both outgoing to port 25 and incoming from port 25. There's nothing silly about restricting use of tcp/25 for dial-ups and other dynamics...you just have to do it right to be 100% effective.

--
 Jon Lewis [EMAIL PROTECTED]  |  I route
 System Administrator        |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key _________
Re: Network discovery and mapping
On Mon, 23 Jun 2003 [EMAIL PROTECTED] wrote:

> On the subject, has anyone had success w/ any L2 discovery tools? psnmp seems promising (http://psnmp.sourceforge.net/), but the lack of support for Cisco, Extreme, and Foundry makes it a bit limiting. I've found that L3 topology is often well documented (and reasonably easy to decipher), but finding troublesome layouts in switched configs is one place where a decent tool could come in handy.

Fluke LAN Mapshot is a nice one-trick pony product for mapping L2 switches. Point it at a network, give it the right snmp community strings, and it generates a switch topology.
Re: ISPs are asked to block yet another port
On Mon, 23 Jun 2003, Paul Vixie wrote:

> [EMAIL PROTECTED] (Christopher L. Morrow) writes:
>
> > ISP's could block all ports and save everyone the hassle of having an Internet (I am just kidding of course)
> >
> > Two interesting points though:
> >
> > 1) Spammers adapt
> > 2) default insecure OS installs cause problems
>
> 3) thoughtless reactionism at isp's does little good and sometimes some harm.

indeed it does... breaking the network with acls often gets me in trouble :) Really, there are always better solutions than mass filtering something like this.

> take for example port-25 blocking. i've been getting relayprobed all weekend by someone who gets around outbound att's tcp/25 SYN blocking by sending their SYN's through a provider who shall remain nameless (except that chris morrow happens to work there :-)) using att IP source addresses. i guess they multihomed their host and bind()'d the outbound socket to one interface even while making sure the routing used a different interface. high rocket science? NOT.

This is what our, at least, abuse team calls 'fantasy mail'. There is a fix for it, port 25 in and out filtering for radius customers. The 'problem' as I understand it, is that the change would be a contract change so it has to wait for expiration of said contract to be enforced... :( It's a sucky world sometimes. Perhaps Paul complained to ATT/other-unnamed-provider with logs and such? :)

> so if you're going to block tcp/25 SYNs on outbound, please make sure you block SYN/ACK's on input too, or else you just give the spammers a little more work to do instead of a lot more work to do.

Yup, this is in the works also... and yes, someone realized quickly enough that the one-way filtering was dumb. oh well. live and learn!
Re: ISPs are asked to block yet another port
Christopher L. Morrow wrote:

> This is what our, at least, abuse team calls 'fantasy mail'. There is a fix for it, port 25 in and out filtering for radius customers. The 'problem' as I understand it, is that the change would be a contract change so it has to wait for expiration of said contract to be enforced... :( It's a sucky world sometimes. Perhaps Paul complained to ATT/other-unnamed-provider with logs and such? :)

There is another fix for it. If neither provider allowed spoofing, then the individual couldn't send spoofed packets out one way and allow the syn/ack back via the other. Of course, there are better reasons for spoof protection ingress/egress than a little port 25 traffic.

-Jack
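The one-way tcp/25 gap Paul Vixie describes, with the two fixes proposed in the replies (Jon Lewis: filter both directions; Jack Bates: no spoofing at either provider), checked as an added example that is not code from the thread. The model is a host multihomed to providers "A" and "B" whose SMTP SYN leaves via B carrying an A-assigned source address, so the SYN/ACK returns via A; providers, prefixes and addresses are constructed.

```python
"""Which filter combinations close the one-way tcp/25 gap (added example, not from the thread)."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Pkt:
    provider: str   # edge that forwards this packet: "A" or "B"
    direction: str  # "out" = customer toward Internet, "in" = Internet toward customer
    src: str
    dst: str
    sport: int
    dport: int
    flags: str      # "S" = SYN, "SA" = SYN/ACK


# Constructed customer prefixes (RFC 5737 documentation ranges) and endpoints.
CUSTOMER_PREFIX = {
    "A": ipaddress.ip_network("192.0.2.0/24"),
    "B": ipaddress.ip_network("198.51.100.0/24"),
}
HOST_ADDR_A, HOST_ADDR_B, RELAY = "192.0.2.10", "198.51.100.20", "203.0.113.25"

Policy = Callable[[Pkt], bool]  # True = forward, False = drop


def a_drops_outbound_smtp_syn(p: Pkt) -> bool:
    """The original one-way rule: A drops customer SYNs toward port 25."""
    return not (p.provider == "A" and p.direction == "out" and p.dport == 25 and p.flags == "S")


def a_drops_inbound_smtp_synack(p: Pkt) -> bool:
    """Vixie's request: A also drops SYN/ACKs arriving from port 25."""
    return not (p.provider == "A" and p.direction == "in" and p.sport == 25 and p.flags == "SA")


def bcp38_ingress(provider: str) -> Policy:
    """Customer-facing source validation: outbound packets must carry the provider's own prefix."""
    def check(p: Pkt) -> bool:
        if p.provider != provider or p.direction != "out":
            return True
        return ipaddress.ip_address(p.src) in CUSTOMER_PREFIX[provider]
    return check


def asymmetric_handshake() -> List[Pkt]:
    """SYN leaves via B but carries A's address; the SYN/ACK is routed back via A."""
    return [Pkt("B", "out", HOST_ADDR_A, RELAY, 40000, 25, "S"),
            Pkt("A", "in", RELAY, HOST_ADDR_A, 25, 40000, "SA")]


def honest_handshake_via_b() -> List[Pkt]:
    """Ordinary SMTP from the host's B-assigned address, both directions via B."""
    return [Pkt("B", "out", HOST_ADDR_B, RELAY, 40001, 25, "S"),
            Pkt("B", "in", RELAY, HOST_ADDR_B, 25, 40001, "SA")]


def completes(pkts: List[Pkt], policies: List[Policy]) -> bool:
    """A handshake completes only if every packet survives every policy."""
    return all(pol(p) for p in pkts for pol in policies)


def evaluate() -> Dict[str, Dict[str, bool]]:
    """For each filtering arrangement: does the asymmetric handshake still complete,
    and does legitimate SMTP from B's own address still work?"""
    scenarios = {
        "A: outbound SYN only": [a_drops_outbound_smtp_syn],
        "A: outbound SYN + inbound SYN/ACK": [a_drops_outbound_smtp_syn, a_drops_inbound_smtp_synack],
        "A: outbound SYN only, B: BCP38": [a_drops_outbound_smtp_syn, bcp38_ingress("B")],
    }
    return {
        name: {"asymmetric": completes(asymmetric_handshake(), pols),
               "honest_via_B": completes(honest_handshake_via_b(), pols)}
        for name, pols in scenarios.items()
    }
```

Only the first arrangement lets the asymmetric handshake through; either fix closes it without touching legitimate SMTP from B's own address space.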
Re: ISPs are asked to block yet another port
> It's a sucky world sometimes. Perhaps Paul complained to ATT/other-unnamed-provider with logs and such? :)

oh yes. i tried *several* ways to get their attention. however, this kind of activity is so common these days that a noc literally has no choice but to focus their efforts on less common and more damaging things than relayprobing. so i was not shocked that they did not answer me.

> > so if you're going to block tcp/25 SYNs on outbound, please make sure you block SYN/ACK's on input too, or else you just give the spammers a little more work to do instead of a lot more work to do.
>
> Yup, this is in the works also... and yes, someone realized quickly enough that the one-way filtering was dumb. oh well. live and learn!

that's good news, thanks for sharing it. any schedule for a fix :-) ??
Router crash unplugs 1m Swedish Internet users
Has anyone heard what the cause of the outage was?

> Router crash unplugs 1m Swedish Internet users
> Saturday, 21 June 2003
>
> The breakdown of one of Sweden's main Internet routers in Stockholm today unplugged more than 1 million of its Internet subscribers. Reports say in total over 340,000 broadband and 700,000 dial-up customers across the country were affected by the incident. The router failure might also have caused disruptions to other Internet subscribers, who use the services of providers operating on the Telia network.
>
> http://www.abc.net.au/science/news/scitech/SciTechRepublish_885166.htm
Re: Router crash unplugs 1m Swedish Internet users
On Mon, 23 Jun 2003, Sean Donelan wrote:

> Has anyone heard what the cause of the outage was?

The official story was memory fault of some kind, not specified as being corruption, hardware error, fragmentation or something else. Outage was 3 hours and reports have been posted stating that it not only affected their broadband business but also their company/commercial customers.

No further details have been released to the Swedish ISP community anyway, it's likely that they're still investigating and might or might not release further details. I'm also curious.

--
Mikael Abrahamsson    email: [EMAIL PROTECTED]
Re: ISPs are asked to block yet another port
On Mon, 23 Jun 2003, Paul Vixie wrote:

> > It's a sucky world sometimes. Perhaps Paul complained to ATT/other-unnamed-provider with logs and such? :)
>
> oh yes. i tried *several* ways to get their attention. however, this kind of activity is so common these days that a noc literally has no choice but to focus their efforts on less common and more damaging things than relayprobing. so i was not shocked that they did not answer me.

So, for unnamed-provider-X you have an Abuse Ticket number? Perhaps you could send the one you think might apply to me off-list? :)

> > > so if you're going to block tcp/25 SYNs on outbound, please make sure you block SYN/ACK's on input too, or else you just give the spammers a little more work to do instead of a lot more work to do.
> >
> > Yup, this is in the works also... and yes, someone realized quickly enough that the one-way filtering was dumb. oh well. live and learn!
>
> that's good news, thanks for sharing it. any schedule for a fix :-) ??

I do not know what the timeframe is :( Sorry.
Re: Router crash unplugs 1m Swedish Internet users
stupi.net was offline??

On Mon, 23 Jun 2003, Sean Donelan wrote:

> Has anyone heard what the cause of the outage was?
>
> > Router crash unplugs 1m Swedish Internet users
> > Saturday, 21 June 2003
> >
> > The breakdown of one of Sweden's main Internet routers in Stockholm today unplugged more than 1 million of its Internet subscribers. Reports say in total over 340,000 broadband and 700,000 dial-up customers across the country were affected by the incident. The router failure might also have caused disruptions to other Internet subscribers, who use the services of providers operating on the Telia network.
> >
> > http://www.abc.net.au/science/news/scitech/SciTechRepublish_885166.htm
RE: Router crash unplugs 1m Swedish Internet users
One router and it takes their entire network off-line... Maybe someone needs an Intro to Networks 101 class.

-jim

> -----Original Message-----
> From: Sean Donelan [mailto:[EMAIL PROTECTED]]
> Sent: Monday, June 23, 2003 4:24 PM
> To: [EMAIL PROTECTED]
> Subject: Router crash unplugs 1m Swedish Internet users
>
> Has anyone heard what the cause of the outage was?
>
> > Router crash unplugs 1m Swedish Internet users
> > Saturday, 21 June 2003
> >
> > The breakdown of one of Sweden's main Internet routers in Stockholm today unplugged more than 1 million of its Internet subscribers. Reports say in total over 340,000 broadband and 700,000 dial-up customers across the country were affected by the incident. The router failure might also have caused disruptions to other Internet subscribers, who use the services of providers operating on the Telia network.
> >
> > http://www.abc.net.au/science/news/scitech/SciTechRepublish_885166.htm
RE: Router crash unplugs 1m Swedish Internet users
On Mon, 23 Jun 2003, Jim Deleskie wrote:

> One router and it takes their entire network off-line... Maybe someone needs an Intro to Networks 101 class.

Well, if the memory errors corrupt the forwarding table placed on the line cards or something similar, and still keep its adjacencies up, then you can get these problems. I've seen it happen on route-cache boxes where certain entries in the ip-forwarding table were corrupted and thus incorrectly routed.

It could be that they ran out of memory on linecards as well, perhaps injected too many routes etc, and lost dCEF (dunno if the problem was on gsr or juniper), been there, done that.

--
Mikael Abrahamsson    email: [EMAIL PROTECTED]
RE: Router crash unplugs 1m Swedish Internet users
I've seen a case where a single error in the configuration file of a $VENDOR_1 router was accepted (due to an 'undocumented feature'), and this caused the wholesale importation of BGP routes into the IGP, which caused most of their $VENDOR_2 hardware to spaz out. Locating the single error was a matter of hours, not minutes, so effectively a typo took out that ISP - and it's considered by most to be a relatively well-designed network.

-David Barak

--- Jim Deleskie [EMAIL PROTECTED] wrote:

> One router and it takes their entire network off-line... Maybe someone needs an Intro to Networks 101 class.
>
> -jim

=====
David Barak
-fully RFC 1925 compliant-

__________________________________
Do you Yahoo!?
SBC Yahoo! DSL - Now only $29.95 per month!
http://sbc.yahoo.com
RE: Router crash unplugs 1m Swedish Internet users
I've lived through one of these a few years ago, the core itself stayed up though crippled as it was :)

David, your name sounds familiar have we worked @ the same place before?

-Jim

> -----Original Message-----
> From: David Barak [mailto:[EMAIL PROTECTED]]
> Sent: Monday, June 23, 2003 5:27 PM
> To: Jim Deleskie; [EMAIL PROTECTED]
> Subject: RE: Router crash unplugs 1m Swedish Internet users
>
> I've seen a case where a single error in the configuration file of a $VENDOR_1 router was accepted (due to an 'undocumented feature'), and this caused the wholesale importation of BGP routes into the IGP, which caused most of their $VENDOR_2 hardware to spaz out. Locating the single error was a matter of hours, not minutes, so effectively a typo took out that ISP - and it's considered by most to be a relatively well-designed network.
>
> -David Barak
>
> --- Jim Deleskie [EMAIL PROTECTED] wrote:
>
> > One router and it takes their entire network off-line... Maybe someone needs an Intro to Networks 101 class.
> >
> > -jim
>
> =====
> David Barak
> -fully RFC 1925 compliant-
RE: Router crash unplugs 1m Swedish Internet users
Jim wrote:

> One router and it takes their entire network off-line... Maybe someone needs an Intro to Networks 101 class.

I assume things are designed in such a way that if the router were actually dead, the traffic would take an alternate route. But the posting commented that they'd been saying something about memory corruption. There are unfortunately too many ways for a router to be not dead yet, happily answering routing protocol messages but not bothering to actually forward packets between network interfaces, and if that happens on the router that's your best route due to geography or BGP or whatever, it can take a while to catch. Dealing with that is at least Networks 203 or maybe Networks 532 :-)

Additionally, while the article in the press referred to it as a router, that may be an actual technical description accurately described by a reporter who knows the technology, or it may be press shorthand for one of those high-tech thingies that ISPs use, or it may be the ISP's Speaker-To-Reporters's watered-down description of something.
Re: ISPs are asked to block yet another port
* [EMAIL PROTECTED] (Christopher L. Morrow) [Mon 23 Jun 2003, 18:01 CEST]:
[..]
> Two interesting points though:
>
> 1) Spammers adapt
> 2) default insecure OS installs cause problems

Employees of XS4ALL, a Dutch ISP, today held several talks about a variety of subjects for its customers to celebrate its 10th anniversary. One of the talks was about security in general, held by Scott McIntyre. Hopefully he'll have the slides on soon because it was an excellent talk, in which he touched upon several subjects mentioned in this thread (spammers, trojans, viruses, default installations being vulnerable, that port blocking is not a solution at all). I'll post a URL when it becomes available.

Regards,

-- Niels.

--
The generation of random numbers is Too important to leave to chance
RE: Router crash unplugs 1m Swedish Internet users
On Mon, 23 Jun 2003, Jim Deleskie wrote:

> One router and it takes their entire network off-line... Maybe someone needs an Intro to Networks 101 class.

No matter what kind of technology or design you have there are always kinds of faults which may bring the entire system down. The problem is generally in recognizing when a fault has occurred, so that the operation may be switched over to a backup.

Particularly, the present Internet routing architecture is (mis)designed in such a way that it is incredibly easy for a local fault or human error to bring a significant portion of the network down. Even single-box _hardware_ faults may lead to global crashes.

Long long time ago I had to track down a problem which made US and EU pretty much disconnected for several hours. This turned out to be a hardware problem in 7000's SSE card, which happily worked with packets originating and terminating in the router itself, but silently dropped all transit packets. Voila! Neighbour boxes were convinced that this one's working - because all routing protocols were happy, and were trying to send lots of traffic through it, which was simply going to a blackhole to the mighty annoyance of everyone. I've got a speeding ticket showing over 100mph on Dulles hwy at 3am, too, as a memento of rushing to DC with a spare card...

So, in the absence of details, I would reserve judgement on soundness of design practices.

--vadim
Re: ISPs are asked to block yet another port
On Tue, 24 Jun 2003, Niels Bakker wrote:

> * [EMAIL PROTECTED] (Christopher L. Morrow) [Mon 23 Jun 2003, 18:01 CEST]:
> [..]
> > Two interesting points though:
> >
> > 1) Spammers adapt
> > 2) default insecure OS installs cause problems
>
> Employees of XS4ALL, a Dutch ISP, today held several talks about a variety of subjects for its customers to celebrate its 10th anniversary. One of the talks was about security in general, held by Scott McIntyre. Hopefully he'll have the slides on soon because it was an excellent talk, in which he touched upon several subjects mentioned in this thread (spammers, trojans, viruses, default installations being vulnerable, that port blocking is not a solution at all). I'll post a URL when it becomes available.

Sweet, too many people just don't take security very seriously :( It's a shame really, security only seems to matter when the sky is falling, it's not taken as a daily necessity.

-Chris
Re: Router crash unplugs 1m Swedish Internet users
Subject: Router crash unplugs 1m Swedish Internet users
Date: Mon, Jun 23, 2003 at 04:24:27PM -0400
Quoting Sean Donelan ([EMAIL PROTECTED]):

> Has anyone heard what the cause of the outage was?

Mikael wrote about memory shortage. I have heard the same -- though not from press contacts but from staff. It was worded (but in Swedish, so bear with my translation):

> The official reason is 'memory shortage'. I do believe it is correct. There have been words in the grapevine about not going for full memory on line cards and RP, for optimisation reasons.

Sounds like a fine recipe for promoting cascading failures from a fragile base config.

--
Måns Nilsson          Systems Specialist
+46 70 681 7204       KTHNOC            MN1334-RIPE

I represent a sardine!!
Oh where, oh where has Comcast gone
I saw a bunch of mail to comcast.net bouncing, so I figured I'd check to see if maybe their mail servers were misconfigured or something. Holy petunias, they've imploded into private network space. It appears that the glue records in the GTLD servers are OK, but ns02 is returning the 172.30 address which, since it's authoritative for itself, overwrites the good data. Tsk, tsk. I suppose that's one way to cut down the amount of spam they get.

    $ dnsqr ns comcast.net
    2 comcast.net:
    76 bytes, 1+2+0+0 records, response, noerror
    query: 2 comcast.net
    answer: comcast.net 4929 NS ns01.jdc01.pa.comcast.net
    answer: comcast.net 4929 NS ns02.jdc01.pa.comcast.net

    $ dnsqr a ns01.jdc01.pa.comcast.net
    1 ns01.jdc01.pa.comcast.net:
    59 bytes, 1+1+0+0 records, response, noerror
    query: 1 ns01.jdc01.pa.comcast.net
    answer: ns01.jdc01.pa.comcast.net 4923 A 172.30.0.16

    $ dnsqr a ns02.jdc01.pa.comcast.net
    1 ns02.jdc01.pa.comcast.net:
    59 bytes, 1+1+0+0 records, response, noerror
    query: 1 ns02.jdc01.pa.comcast.net
    answer: ns02.jdc01.pa.comcast.net 4919 A 172.30.0.17

Regards,
John Levine, [EMAIL PROTECTED], Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://iecc.com/johnl, Sewer Commissioner
"More Wiener schnitzel, please", said Tom, revealingly.
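A check for the failure John Levine describes, written here as an added example (not a djbdns tool and not code from the post): parse the `answer:` lines of dnsqr output and flag every nameserver of the zone whose A record is not globally routable. The sample transcript is constructed from the records in his post; the function names are hypothetical.

```python
"""Flag zone nameservers that resolve into private or reserved space (added example)."""
import ipaddress
from typing import Dict, List, NamedTuple


class Record(NamedTuple):
    name: str
    ttl: int
    rtype: str
    rdata: str


def parse_dnsqr(transcript: str) -> List[Record]:
    """Pull the 'answer: NAME TTL TYPE RDATA' lines out of one or more dnsqr sessions."""
    records = []
    for line in transcript.splitlines():
        parts = line.strip().split()
        if len(parts) != 5 or parts[0] != "answer:":
            continue  # query:, byte-count and prompt lines carry nothing we need
        name, ttl, rtype, rdata = parts[1], parts[2], parts[3], parts[4]
        records.append(Record(name.rstrip(".").lower(), int(ttl), rtype.upper(), rdata.rstrip(".").lower()))
    return records


def check_nameservers(zone: str, records: List[Record]) -> Dict[str, List[str]]:
    """Map each NS of `zone` to its problems; an empty list means it looks healthy.

    A nameserver whose only address is RFC 1918 (or any other non-global range)
    is unreachable from the Internet, and because it is authoritative for its
    own name that answer displaces the correct glue in resolver caches.
    """
    zone = zone.rstrip(".").lower()
    nameservers = [r.rdata for r in records if r.name == zone and r.rtype == "NS"]
    findings: Dict[str, List[str]] = {}
    for ns in nameservers:
        problems = []
        addrs = [r.rdata for r in records if r.name == ns and r.rtype == "A"]
        if not addrs:
            problems.append("no A record in transcript")
        for a in addrs:
            if not ipaddress.ip_address(a).is_global:
                problems.append(f"{a} is not globally routable")
        findings[ns] = problems
    return findings


# Constructed transcript reproducing the records shown in the post.
SAMPLE = """
$ dnsqr ns comcast.net
2 comcast.net:
76 bytes, 1+2+0+0 records, response, noerror
query: 2 comcast.net
answer: comcast.net 4929 NS ns01.jdc01.pa.comcast.net
answer: comcast.net 4929 NS ns02.jdc01.pa.comcast.net
$ dnsqr a ns01.jdc01.pa.comcast.net
1 ns01.jdc01.pa.comcast.net:
59 bytes, 1+1+0+0 records, response, noerror
query: 1 ns01.jdc01.pa.comcast.net
answer: ns01.jdc01.pa.comcast.net 4923 A 172.30.0.16
$ dnsqr a ns02.jdc01.pa.comcast.net
1 ns02.jdc01.pa.comcast.net:
59 bytes, 1+1+0+0 records, response, noerror
query: 1 ns02.jdc01.pa.comcast.net
answer: ns02.jdc01.pa.comcast.net 4919 A 172.30.0.17
"""


def findings_for_sample() -> Dict[str, List[str]]:
    return check_nameservers("comcast.net", parse_dnsqr(SAMPLE))
```

Both nameservers come back flagged with their 172.30.0.0/16 addresses; a healthy zone yields empty lists.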
RE: ISPs are asked to block yet another port
On Tue, 24 Jun 2003, gml wrote:

> Security is a lifestyle.

People laugh when I say this, do they laugh when you say it?

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Christopher L. Morrow
> Sent: Tuesday, June 24, 2003 12:00 AM
> To: Niels Bakker
> Cc: [EMAIL PROTECTED]
> Subject: Re: ISPs are asked to block yet another port
>
> On Tue, 24 Jun 2003, Niels Bakker wrote:
>
> > * [EMAIL PROTECTED] (Christopher L. Morrow) [Mon 23 Jun 2003, 18:01 CEST]:
> > [..]
> > > Two interesting points though:
> > >
> > > 1) Spammers adapt
> > > 2) default insecure OS installs cause problems
> >
> > Employees of XS4ALL, a Dutch ISP, today held several talks about a variety of subjects for its customers to celebrate its 10th anniversary. One of the talks was about security in general, held by Scott McIntyre. Hopefully he'll have the slides on soon because it was an excellent talk, in which he touched upon several subjects mentioned in this thread (spammers, trojans, viruses, default installations being vulnerable, that port blocking is not a solution at all). I'll post a URL when it becomes available.
>
> Sweet, too many people just don't take security very seriously :( It's a shame really, security only seems to matter when the sky is falling, it's not taken as a daily necessity.
>
> -Chris