Re: How much longer..
McBurnett, Jim wrote: I hate top posting, but I want to make sure to get this out of the way first. I was not trying to defend Microsoft. I meant to point out, JUST BECAUSE YOU ARE NOT USING MICROSOFT DOES NOT MEAN THAT YOU ARE SAFE! Bugs happen. Vulnerabilities happen. Worms happen. This worm has happened. Now that it has happened, its impact is greater because of its install base. And solely for that reason. That's all I wanted to say. Why the worm happened and whether it should have happened are completely different issues I was not trying to address. I do not plan on addressing them. People with more eloquence, more research in hand, and much, much more time to compose thoughtful essays have debated that endlessly for years now. I doubt my limited remarks on NANOG will move any hearts or win any minds who do not already agree with the classic, well-known arguments I would trot out one more time. But I'll respond to this mail anyway. OK.. I have lurked enough on this one.. $60 Billion plus for microsoft.. and 600 million lines of code. thousands of employee programmers... No way MS has spent $60 billion on development. That's why they look so good, so much in sales versus the development costs. Or did you misspell bazjillion? $1 million for *NIX less than a million lines of code. rewritten on a whim, and source given to millions.. Bugs will be found and squashed easier. Less code, more eyes. and less complex. Less market, less users, less interest for hackers 5 less than statements for *NIX and how many more statements for Micro$oft? A pretty outlandish comparison with some broad characterizations and implicit assumptions. Where's the $1M for UNIX from? ATT gave it away since they didn't think it was worth anything. Back then, vendors made money off of the hardware, the software was an incidental.
(Sony makes the money selling you the DVD player, the pretty menus and configuration screens are just soft/firmware that comes with it with no real independent value... Now the soft/firmware on a TiVo or an X-Box... Maybe appliance software will develop independent value of its own someday too.) Oh, and I can rewrite the source to Solaris, a direct UNIX Sys V descendant, and they give it all away? I guess they forgot to send me my copy. Could I borrow yours? And send me your source to AIX while you're at it too. And SCO's UnixWare? I'd like to look into this whole SCO versus IBM thing. This is like trying to compare the towing capacity of a car to a turbo diesel pickup. OK, two things which are very easy to compare. there is no comparison... Uh, no, it's pretty easy to measure the power, torque, and many other capacities of interest for each vehicle and then do an objective comparison. I don't care if MicroSoft spends $600 Million a year, there will always be bugs. Sure will. If a software package was perfect or a network was perfect how many of us would have jobs? Nothing in this world is perfect, and complaining about it does absolutely no good So your point was...? -- Crist J. Clark [EMAIL PROTECTED] Globalstar Communications (408) 933-4387 The information contained in this e-mail message is confidential, intended only for the use of the individual or entity named above. If the reader of this e-mail is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this e-mail in error, please contact [EMAIL PROTECTED]
Re: How much longer..
On Wed, 13 Aug 2003, Len Rose wrote: Hi.. just think if the billions of dollars being spent on M$ products could have been funneled into open source projects. To reinforce the point in the most blunt manner possible: No one had ever better dare postulate that the inherent reason for all of the vulnerabilities in Micro$oft products are due to any special features of note. There is no particular network-enabled feature that Windows has that UNIX didn't implement years before and has done so securely following established internet design standards adopted by the ruling standards body (IETF) after intense study and open participation from all parties who were interested. Now knee-jerk reactions by various network operators are to filter, filter, filter and soon, by the grace of a piece of crap operating system you'll have a much more limited internet to work with because for Micro$oft's sake they've filtered everything. Hey I like MS bashing as much as anyone else but the fact is you could say this of any vendor.. a good recent example being Cisco
Re: How much longer..
On Thu, Aug 14, 2003 at 02:17:08PM +0100, [EMAIL PROTECTED] wrote: On Thu, 14 Aug 2003, St. Clair, James wrote: Cars did not become more popular because owners had to learn how to swap more parts. The good ole computers as cars metaphor. In the UK: 1) In order to drive a car, you have to have a license. ^ Yes, I have to understand how to operate a car. I don't need to know how to change my oil. Also, at least in the United States one must have a very limited understanding of driving. There is no real testing of driving in anything other than normal conditions. 2) In order to have the car on the road, you have to have it taxed and have a qualified mechanic certify it for basic road worthiness. That may be the case in the UK, but I can assure you in Illinois it is not. Take a drive on the Dan Ryan Expressway sometime and you will see cars with bumpers and fenders held on with rope. Neither of these rules currently apply to computers. Maybe they should. Rich -- Shawn Morris
Re: Private port numbers?
On Wed, 13 Aug 2003, Iljitsch van Beijnum wrote: It's not the same thing. RFC 1918 and martian addresses aren't supposed to be present on the internet, but aren't automatically harmful. Having services that are explicitly labeled for internal use be visible to the rest of the world is potentially very harmful. I think I'm missing something, how would a locally managed firewall (local to the end station) not permit this same scenario? (without the added confusion of private/public ports)
Re: Port blocking last resort in fight against virus
On Wed, 13 Aug 2003, Mans Nilsson wrote: Even in an imperfect world, the solution lies in the edge, not even the CPE, but the end node, if you want to do more than pathetic bandaiding of the inherent problem of insecure applications on end nodes. This is the point I, at least, have been trying to make for 2 years... end systems, or as close to that as possible, need to police themselves, the granularity and filtering capabilities (content filtering even) are available at that level alone.
Microsoft to ship new versions with firewall enabled
John Markoff reports in the New York Times that Microsoft plans to change how it ships Windows XP due to the worm. In the future Microsoft will ship both business and consumer versions of Windows XP with the included firewall enabled by default.
Re: Microsoft to ship new versions with firewall enabled
on 8/14/2003 9:29 AM Sean Donelan wrote: John Markoff reports in the New York Times that Microsoft plans to change how it ships Windows XP due to the worm. In the future Microsoft will ship both business and consumer versions of Windows XP with the included firewall enabled by default. Wouldn't it make more sense to ship with all of the services disabled? I mean, if the role of the firewall is to block packets to weak services, wouldn't it be simpler to just disable the damn services since they aren't going to be usable anyway? -- Eric A. Hall http://www.ehsco.com/ Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
RE: Microsoft to ship new versions with firewall enabled
Apple have the right idea... I'd say all the vendors need to take a carefully balanced approach to security in the default configurations of their software. Leave services exposed to the network disabled by default, where possible. By all means, configure firewalls by default to block all non-established incoming connections to low port numbers, but for heaven's sake don't also block access to those ports from the local subnet as well. How would your users cope if all their shared printers and file servers suddenly became inaccessible because NetBIOS was universally blocked by new operating system security features? I'd hazard a guess that after they've called their ISP support team a couple of hundred times, they'll just switch the firewall off... Your firewall rules should automatically open ports when services are explicitly enabled, and should be able to cope with laptops roaming between home and office where the local subnet addresses may change. If the firewall doesn't detect this, then you're going to cause a whole new world of support problems. - Matt
Re: The impending DDoS storm
Jack Bates Wrote: I have no affiliation with Microsoft, nor do I care about their services or products. What I do care about is a worm that sends out packets uncontrolled. If there is the possibility that this planned DOS will cause issues with my topology, then I will do whatever it takes to stop it. The fact that users can't reach windowsupdate.com is irrelevant. There will most likely be issues with a lot of networks. I had a glimpse of what is to come on the 16th on Tuesday. We have a firewall customer that had an infected machine behind the firewall and the RTC clock was set incorrectly to 8/16. The firewall was *logging* ~50 attempts per second trying to connect on port 80 to windowsupdate.com. Since the worm was sending from a spoofed source address the firewall was denying the packets. This customer's network is a /24 out of traditional Class B space and I was seeing random source addresses from almost every IP out of the /16. This is not a forensic analysis, just what I observed in the firewall logs. Is it a coincidence that 8/16 is a Saturday... I think not. A lot less personnel on-site to deal with possible issues. -Mark Vallar
Re: [Microsoft to ship new versions with firewall enabled]
At 10:46 AM 8/14/2003, Joshua Sahala wrote: Sean Donelan [EMAIL PROTECTED] wrote: John Markoff reports in the New York Times that Microsoft plans to change how it ships Windows XP due to the worm. In the future Microsoft will ship both business and consumer versions of Windows XP with the included firewall enabled by default. while i think many of us will welcome this, i am skeptical of what the firewall will be 'enabled' to block, and how easy it will be for the user to set-up rules (and hopefully there will be a sanity check included so that 'permit in any' is not a valid option, but then 'permit out any' should not be one either) but still, it is a step... The firewall in XP appears to perform stateful inspection. I have run scans against my own XP machines using NMAP and other tools. The machine appears completely non-responsive to such scans (i.e. no response on any ports). I use this feature most especially when using public wifi hot spots, and encourage my clients to do the same (or use some other firewall software) when at such locales. What Microsoft implemented does seem quite sufficient for many users. The down-side to this and all other firewalls running in software on end hosts is the possibility of an application finding another path in (e.g. email attached virus) and disabling the firewall. I am no Microsoft apologist and am a proponent of open source, but have to admit they did a good job on this feature. It's good that Microsoft has finally realized the value in defaulting this capability to ON.
RE: Microsoft to ship new versions with firewall enabled
However the new microsoft policy will help protect the network from Joe and Jane average who buy a PC from the closest big box store and hook it up to their cable modem so they can exchange pictures of the kids with the grandparents in Fla. This is the class of users who botnet builders dream about because these people do not see a computer as a complex system which _requires_ constant maintenance but as a semi-magical device for moving images and text around. But that's exactly what a consumer PC is! An appliance (just like a toaster) for exchanging pictures, sending email, balancing the checkbook, paying bills, playing games, etc. The average Joe doesn't care why the thing works. But he does notice if it doesn't work as expected. Then he'll call tech support or get the neighbour's kid to help. He may never notice that the box has been compromised and DoSs his favorite website or relays SPAM to millions of fellow Joes. That's reality! The more broadband there is, the worse the problem becomes. I absolutely agree with the statement that the network should be transparent. No blocked ports, no filtered content. What goes in one end comes out the other or is delivered to the intended recipient in between. Exceptions are temporary measures to reduce or eliminate harmful traffic that impedes network performance or otherwise compromises the network design goals. Having said that, customers of ISPs have a great variety of needs. On one hand is the transport of transit data. This is truly a gigo (garbage in, garbage out) situation where traffic should flow unhindered and in its entirety. On the other hand there is the residential ISP market. I don't think it's safe to let a residential PC sit on an internet connection and pass traffic to and from it without inspection. ISPs need to wake up and offer a managed internet service. Where the ISP takes the initiative to provide filtered internet to residential customers. 
Turn on firewall features in your cable box or make those small NAT routers part of the service offering. Bashing any OS vendor isn't the solution. All OS have exploits. The *NIX crowd is just a lot more technically inclined and a lot more aware of network security than your average Windows user. So instead of beating up on OS vendors or crippling the network, how about crippling the devices that are the root of the problem??? Adi
Re: Port blocking last resort in fight against virus
On Wed, 13 Aug 2003, Stephen J. Wilcox wrote: Or the dumb [wannabee] IT guy runs some telnet/ftp/filesharing service without passwords and its ok for the whole world to access the private system coz its his fault? there are other actions to be taken... termination being high on that list. (of employment, at least initially)
Re: Microsoft to ship new versions with firewall enabled
On Thu, 14 Aug 2003, Jack Bates wrote: John Neiberger wrote: Hmm...I didn't even know XP had a built-in firewall. Any bets on how long it is before other companies with software firewall products bring suit against Microsoft for bundling a firewall in the OS? -- No clue, but I can tell you how long it will last before ISP helpdesks disable the firewall. About 30 seconds, for my customers. In fact, when you configure a dialup connection, the firewall *is* enabled by default, until we walk them through turning it off. Why? Because after anywhere from 2 days to 2 months, suddenly things just stop working...usually POP3, but often SMTP, HTTP or HTTPS. Like many things MS, it's broken. James Smallacombe PlantageNet, Inc. CEO and Janitor [EMAIL PROTECTED] http://3.am =
Re: How much longer..
Hi.. just think if the billions of dollars being spent on M$ products could have been funneled into open source projects. To reinforce the point in the most blunt manner possible: No one had ever better dare postulate that the inherent reason for all of the vulnerabilities in Micro$oft products are due to any special features of note. There is no particular network-enabled feature that Windows has that UNIX didn't implement years before and has done so securely following established internet design standards adopted by the ruling standards body (IETF) after intense study and open participation from all parties who were interested. Now knee-jerk reactions by various network operators are to filter, filter, filter and soon, by the grace of a piece of crap operating system you'll have a much more limited internet to work with because for Micro$oft's sake they've filtered everything. What makes it all ironic is that you can directly thank Micro$oft if the governments decide to pass more draconian laws, even further criminalizing activities which were considered marginally criminal to begin with. Instead of subsidizing the monopoly, keeping sub-standard operating systems alive, they should fine them billions of dollars for the cost of repairing damages, managing overloaded network and system infrastructures (due to the effects of the latest vulnerability). The governments should cease using all Micro$oft products and go back to UNIX which can easily be transformed into a friendly operating system for business users (it already has been of course) For the millions of dollars that are spent buying this fake operating system with its fake applications the government could subsidize development of open software whose quality and security would far exceed that of the closed source garbage that has become standard in today's offices. Their operating systems were a joke 10 years ago, and they're still a joke today. 
The people administering these systems need to start learning UNIX and colleges need to go back to teaching computer science based around a real operating system. It's embarrassing for a recent graduate to only know how to point and click while UNIX hackers are unemployed thanks to the disease that is called Micro$oft. Not to mention watching weeks of Micro$oft admins wondering publicly on Full Disclosure (soon to be renamed Microsoft Whining and Crying) what to do about their systems that they can't protect because those systems are rotten to the core with garbage code written by fake programmers who were trained by Universities who use Micro$oft operating systems to teach their curriculum and who are managed by ex-VMS programmers (Uncle Bill hired them to write Windows Code) On Wed, Aug 13, 2003 at 11:42:59AM +, *Hobbit* wrote: I often ask the larger question, how long will it take for millions of people to realize that having to deal with winbloze has completely *derailed* their careers for the last ten years, when they could have been doing so much more productive things on their jobs? But evidently most of them can't think that deep, and get all defensive about it. If all those people had been contributing to free and better replacements in the linux/bsd/open-source arena, we'd be *so* much farther ahead, and would have saved countless dollars that are now in Bill's pocket. _H*
The impending DDoS storm
All, What is everyone doing, if anything, to prevent the apparent upcoming DDoS attack against Microsoft? From what I've been reading, and what I've been told, August 16th is the apparent start date... We're looking for some solution to prevent wasting our network resources transporting this traffic, but at the same time trying to allow legitimate through... So, is anyone planning on doing anything? Thanks, -- --- Jason H. Frisvold Backbone Engineering Supervisor Penteledata Engineering [EMAIL PROTECTED] RedHat Engineer - RHCE # 807302349405893 Cisco Certified - CCNA # CSCO10151622 MySQL Core Certified - ID# 205982910 --- Imagination is more important than knowledge. Knowledge is limited. Imagination encircles the world. -- Albert Einstein [1879-1955]
Re: Microsoft to ship new versions with firewall enabled
On Thu, 14 Aug 2003, Eric A. Hall wrote: Wouldn't it make more sense to ship with all of the services disabled? I mean, if the role of the firewall is to block packets to weak services, wouldn't it be simpler to just disable the damn services since they aren't going to be usable anyway? 'Firewall' is more buzzword compliant. This doesn't even begin to address the fact that the firewalling included in windows is nowhere near as functional as the firewalling in other OSes (such as FreeBSD or Linux).
Re: Microsoft to ship new versions with firewall enabled
Richard Cox wrote: On Thu, 14 Aug 2003 16:07 UTC, Eric A. Hall [EMAIL PROTECTED] wrote: | Wouldn't it make more sense to ship with all of the services disabled? Yes it would - at least to US - but that would inevitably create a load for the Support desk. However as Microsoft charge for end-user support I wouldn't put it past them thinking along those lines. I hope there's nobody from Microsoft reading this list ... that might give them ideas! But who actually calls Microsoft for support? Bob and Beth Luser call their OEM, DELL, Gateway, Sony, Compaq, etc., not Microsoft. And I think the OEMs are getting off a little easy in all of this. Microsoft distributes their product to OEMs who have a fair bit of room to customize the default settings (all of the monopolistic arm twisting involving hiding IE icons, installing other web browsers, etc., ignored for now). How much you wanna bet if Microsoft distributes with the firewall enabled, OEMs will turn around and _disable_ it in the installation they sell? They are the ones who want to cut down the support calls. And they don't want to lose business to a competitor who ships with all of the bells-n-whistles turned back on because Bob and Beth are convinced the computer they got was broken because disabled (mis)features were not enabled out of the box. On the other hand, OEMs can be the Good Guys here and take the lead ahead of Mickeysoft and firm up the loose default settings they get from Microsoft. DELL has promised to do this... but I still don't know if their press releases will live up to reality. If any NANOGers out there make purchasing decisions about PCs with Windows, I hope you direct your business towards OEMs who do sell better secured distributions or demand that the OEMs do so. -- Crist J. Clark [EMAIL PROTECTED]
RE: Microsoft to ship new versions with firewall enabled
The checkpoint and Pix Boxen are what we use here. But we also use ipchains to secure things at a host level. Scott C. McGrath On Thu, 14 Aug 2003, Drew Weaver wrote: ipchains and similar firewalls are indeed far superior. I manage real firewalls as part of my responsibilities. However the new microsoft policy will help protect the network from Joe and Jane average who buy a PC from the closest big box store and hook it up to their cable modem so they can exchange pictures of the kids with the grandparents in Fla. This is the class of users who botnet builders dream about because these people do not see a computer as a complex system which _requires_ constant maintenance but as a semi-magical device for moving images and text around. I don't believe that many people really see ipchains as a real viable firewall. I think it is awesome, but in many corporations simply mentioning it gets you a stern eyeing. Of course these corporations can spend tons of money on Checkpoint and PIX boxen. -Drew
Re: Microsoft to ship new versions with firewall enabled
On donderdag, aug 14, 2003, at 17:45 Europe/Amsterdam, Christopher L. Morrow wrote: No answer on that one, However Mac OS X also includes a built in firewall. yes, with a fairly simple method to add listening services to it... though it seems the 'listening service' might have to register with the OS in order to be seen in the preferences panel? Oh, and lest I forget (which I did) press the 'START' button to make it active :) ...which is completely redundant because MacOS X doesn't expose any services except the ones that the user enabled in the first place. So enabling the firewall is only useful if you don't trust the applications you're running.
Re: How much longer..
On Wed, 13 Aug 2003, Crist Clark wrote: Attacks _are_ on Linux machines. There have been Linux worms, Lion attacked BIND, Ramen attacked rpc.statd and wu-ftpd, Slapper attacked Apache, to name a few. Attacks are on Solaris, the sadmin/IIS worm (which also attacked IIS, a cross-platform worm, remember that, cool, huh?). Attacks are on FreeBSD, Scalper worm attacked Apache. How soon people seem to forget these things. No, I don't think people are forgetting, but what Len was originally pointing out is that Microsoft, *because* of their vast install base *needs* to take a more proactive role in producing a secure OS. And the reason you can call it a toy OS is that on one hand you have *BSD, Linux and friends all with an annual budget of what, maybe $1M? And on the other hand you have a multi-billion dollar *software* company. Which should churn out better software? :) Charles To pound it home one more time, worms that attack Microsoft products are a bigger deal only because Microsoft has at least an order of magnitude greater install base than the nearest competitor. -- Crist J. Clark [EMAIL PROTECTED] Globalstar Communications (408) 933-4387
RE: Microsoft to ship new versions with firewall enabled
John Neiberger wrote: Hmm...I didn't even know XP had a built-in firewall. Any bets on how long it is before other companies with software firewall products bring suit against Microsoft for bundling a firewall in the OS? -- No clue, but I can tell you how long it will last before ISP helpdesks disable the firewall. About 30 seconds, for my customers. In fact, when you configure a dialup connection, the firewall *is* enabled by default, until we walk them through turning it off. Why? Because after anywhere from 2 days to 2 months, suddenly things just stop working...usually POP3, but often SMTP, HTTP or HTTPS. Like many things MS, it's broken. --- Is that what causes the random stoppage? I never thought of that, why would it prevent outgoing connections on only some ports though. Seems fishy, thanks for the tip though :-) BTW: I've seen this too. -Drew
Re: I can't reach MS sites
On Wed, 13 Aug 2003, John Obi wrote: I can't open www.microsoft.com , windowsupdate.microsoft.com and www.msn.com very slow. Check your processlist. My money is on msblast.exe already running on your machine. Gerald
Re: How much longer..
On Wed, Aug 13, 2003 at 04:09:05PM -0700, [EMAIL PROTECTED] said: These kinds of inflated damages estimates are dubious at best. If you've lost that much productivity, odds are you should be pointing fingers at inappropriate redundancy and planning/procedures in your computing facilities and not blaming some toy programs written by kids with too much time. This kind of financial loss hype/fear-mongering is best left to politicians, and not technical discussions. indeed - and yet companies claim these kind of damages, at least publicly, whenever these worms come along (every month or two, it seems). Two questions spring to mind: 1) where are these figures coming from, and 2) if they're accurate, why in the world would a company make the same mistake that cost them a million bucks last month, again next month? That's the kind of stuff that gets executives fired (you'd think) ... (note: the figures I posted were just gathered from publicly available news sources. We all know how accurate reporters tend to be when covering technical issues, so take them with a grain of salt. The point of the post was, there are a great many companies out there throwing good money after bad, month after month, without seeming to realize it.) -- Scott Francis || darkuncle (at) darkuncle (dot) net illum oportet crescere me autem minui
Re: The impending DDoS storm
http://www.dslreports.com/forum/remark,7652257~root=security,1~mode=flat;start=0 - Original Message - From: Josh Fleishman [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, August 14, 2003 5:24 AM Subject: RE: The impending DDoS storm Has anyone determined a method for triggering the DOS attack manually? We've attempted this by changing an infected machine's clock, however it did not work on our test box. If anyone has triggered the attack, do you have a copy of the sniffed data stream? It sounds like uRPF is going to be of very little benefit to blocking the attack if the spoofed addresses come from the infected host's subnet/parent subnet. -Josh -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Vallar Sent: Wednesday, August 13, 2003 7:18 PM To: [EMAIL PROTECTED] Subject: Re: The impending DDoS storm
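Mark Vallar's firewall-log observation (an infected host behind a /24 emitting ~50 SYNs per second to port 80 with source addresses drawn from the whole surrounding /16) and Josh Fleishman's question about whether uRPF helps when the spoofed sources sit inside the infected host's parent aggregate can both be checked against a log with a few lines of Python. This is an added example, not code from either poster: the customer prefix 172.16.40.0/24, its parent 172.16.0.0/16, the log line format and the log lines themselves are all constructed for the example, and 203.0.113.10 stands in for the target web server's address.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, List

# Assumed addressing for the scenario described above: the customer's real /24
# and the traditional Class B aggregate it was carved out of (both made up here).
CUSTOMER_PREFIX = ipaddress.ip_network("172.16.40.0/24")
PARENT_AGGREGATE = ipaddress.ip_network("172.16.0.0/16")
TARGET_PORT = 80  # the worm's SYN flood is aimed at TCP/80

# Assumed log format (constructed): timestamp, host, verdict, proto, src, dst.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+DENY\s+TCP\s+"
    r"src=(?P<src>[\d.]+):(?P<sport>\d+)\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample, not real log data; 203.0.113.10 stands in for the target.
SAMPLE_LOG = """\
Aug 12 22:14:01 fw DENY TCP src=172.16.40.21:1043 dst=203.0.113.10:80
Aug 12 22:14:01 fw DENY TCP src=172.16.3.200:1044 dst=203.0.113.10:80
Aug 12 22:14:01 fw DENY TCP src=172.16.129.7:1045 dst=203.0.113.10:80
Aug 12 22:14:01 fw DENY TCP src=172.16.250.14:1046 dst=203.0.113.10:80
Aug 12 22:14:01 fw DENY TCP src=172.16.77.9:1047 dst=203.0.113.10:80
Aug 12 22:14:02 fw DENY TCP src=172.16.18.33:1048 dst=203.0.113.10:80
Aug 12 22:14:02 fw DENY TCP src=198.51.100.5:1049 dst=203.0.113.10:80
Aug 12 22:14:02 fw DENY TCP src=172.16.40.21:1050 dst=192.0.2.25:443
"""


def parse_log(text: str) -> List[Dict]:
    """Turn denied-packet log lines into records; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append({"ts": m["ts"], "src": m["src"],
                            "dst": m["dst"], "dport": int(m["dport"])})
    return records


def classify_source(src: str) -> str:
    """Where a source address claims to come from, relative to the customer's block."""
    addr = ipaddress.ip_address(src)
    if addr in CUSTOMER_PREFIX:
        return "customer"          # passes a strict uRPF check at the customer edge
    if addr in PARENT_AGGREGATE:
        return "parent_aggregate"  # spoofed from the surrounding /16
    return "outside"               # spoofed from unrelated space


def spoof_report(records: List[Dict]) -> Counter:
    """Count port-80 attempts by source class; a large parent_aggregate/outside
    share from a single customer link is the spoofing signature described above."""
    return Counter(classify_source(r["src"]) for r in records
                   if r["dport"] == TARGET_PORT)


def peak_rate_per_second(records: List[Dict]) -> int:
    """Highest number of port-80 attempts logged within one second."""
    per_second = Counter(r["ts"] for r in records if r["dport"] == TARGET_PORT)
    return max(per_second.values(), default=0)


def strict_urpf_drops(records: List[Dict], interface_prefixes) -> int:
    """Port-80 packets a strict uRPF check would drop on an interface whose only
    routes back are interface_prefixes (a source not routed via the interface is dropped)."""
    drops = 0
    for r in records:
        if r["dport"] != TARGET_PORT:
            continue
        addr = ipaddress.ip_address(r["src"])
        if not any(addr in prefix for prefix in interface_prefixes):
            drops += 1
    return drops


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("by source class:", dict(spoof_report(recs)))
    print("peak attempts/second:", peak_rate_per_second(recs))
    print("strict uRPF drops at customer /24 edge:",
          strict_urpf_drops(recs, [CUSTOMER_PREFIX]))
    print("strict uRPF drops at provider /16 edge:",
          strict_urpf_drops(recs, [PARENT_AGGREGATE]))
```

The two uRPF figures are the point: on the customer's own uplink, where the only route back is the /24, strict uRPF drops everything spoofed from the rest of the /16; one hop further up, on an interface that only knows the /16 aggregate, the same check passes all of it and drops only the sources from unrelated space. Whether uRPF helps depends entirely on how close to the infected host it runs.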
Re: How much longer ..
http://www.theregister.co.uk/content/55/30072.html The Klez virus last year cost businesses $9 billion worldwide in lost productivity, When I read stuff like this I always wonder if these businesses count the time spent patching their systems as 'lost' productivity. John --
Re: Microsoft to ship new versions with firewall enabled
On Thu, 14 Aug 2003, Christopher L. Morrow wrote: On the configuration angle, the Microsoft ICF (Internet Connection Firewall) blocks everything by default. as does OSX. Just to clarify, the OSX firewall has a little bit of sense. If you check that you want to enable one of the services it will automatically add the exception to the firewall rules. That is all through the GUI though. From terminal you can modify firewall rules (ipfw) and add/remove services without notifying the GUI. Microsoft's built in firewalling (at least for Win2k) would let you turn on IIS and the firewall and the firewall would not allow connections to port 80 unless you went in and allowed it. G From my Ti Pb.
Re: How much longer..
Crist Clark wrote: To pound it home one more time, worms that attack Microsoft products are a bigger deal only because Microsoft has at least an order of magnitude greater installbase than the nearest competitor. True. I'd be curious to see the worm to software vendor ratios. Anyone have them? -Jack
RE: Microsoft to ship new versions with firewall enabled
From: Scott McGrath [mailto:[EMAIL PROTECTED] No answer on that one, However Mac OS X also includes a built in firewall. On the configuration angle, the Microsoft ICF (Internet Connection Firewall) blocks everything by default. I just worked on a friend's computer last night. The XP ICF firewall was on, and it did not stop the bug.. I want to test that in a lab environment though...
I can't reach MS sites
Hello, I can't open www.microsoft.com , windowsupdate.microsoft.com and www.msn.com very slow. It took long time to sign in the msn IM too. Do you see any problems so far? Thanks, -J
Re: How much longer..
On Wed, Aug 13, 2003 at 01:07:15PM -0400, [EMAIL PROTECTED] said: How much longer will people put up with the millions of dollars of losses in time, resources and service inflicted on the net by the joke vulnerabilities in the toy operating system known as Windows? Enough is Enough. http://darkuncle.net/microsoft_rant.html -- Scott Francis || darkuncle (at) darkuncle (dot) net illum oportet crescere me autem minui
MPLS ICMP Extensions
I wanted to get some other opinions on some new features that have appeared in recent code from the popular vendors. It appears there is a new draft, a copy of which can be found at http://www.watersprings.org/links/mlr/id/draft-ietf-mpls-icmp-01.txt that allows MPLS enabled boxes to return some additional information in a traceroute packet. That's all well and good, and I can see how that might be amazingly useful to someone running an MPLS network, however, it seems to expose data much further than the local network. Here's a random example from a traceroute I recently performed (on a Juniper):

traceroute wcg.net
[snip]
11 hrndva1wcx3-oc48.wcg.net (64.200.95.117) 91.935 ms 102.652 ms 92.960 ms
   MPLS Label=13198 CoS=0 TTL=1 S=1
12 hrndva1wcx2-oc48.wcg.net (64.200.95.77) 92.593 ms 92.785 ms 93.119 ms
   MPLS Label=12676 CoS=0 TTL=1 S=1
13 nycmny2wcx2-oc48.wcg.net (64.200.240.45) 93.273 ms 93.121 ms 93.067 ms
   MPLS Label=12632 CoS=0 TTL=1 S=1
14 nycmny2wcx3-oc48.wcg.net (64.200.87.78) 104.755 ms 91.949 ms 92.169 ms
   MPLS Label=12672 CoS=0 TTL=1 S=1
15 chcgil1wcx3-oc48.wcg.net (64.200.240.37) 92.021 ms 91.737 ms 91.684 ms
   MPLS Label=12592 CoS=0 TTL=1 S=1
16 chcgil1wcx3-pos5-0.wcg.net (64.200.210.114) 175.907 ms 278.144 ms 203.763 ms
   MPLS Label=12695 CoS=0 TTL=1 S=1
17 chcgil1wcx2-oc48.wcg.net (64.200.103.73) 93.286 ms 93.230 ms 93.593 ms
   MPLS Label=13506 CoS=0 TTL=1 S=1
18 stlsmo3wcf1-atm.wcg.net (64.200.210.158) 92.780 ms 92.344 ms 92.596 ms

It appears both Cisco and Juniper support this new feature. The question I quickly asked both vendors is how do you turn this behavior off, so the traceroutes appear as they did before this feature was introduced. The answer, apparently, is you don't. You can either disable TTL processing on your MPLS tunnels (in effect disabling traceroute), or you can have it output all this extra information. The response I'm getting so far from each vendor is they believe these are the right two options to offer. Thus, my post here.
I think there are more people out there who would like to not expose their MPLS labels, Class of Service info, or anything else this feature can provide (because, I don't know all of what it can display), but still allow traceroute to work normally. If I'm off in the deep end, please tell me so, if not, please tell your vendor rep you'd like the icmp no mpls info knob. -- Leo Bicknell - [EMAIL PROTECTED] - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ Read TMBG List - [EMAIL PROTECTED], www.tmbg.org
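What actually rides in those ICMP messages, as an added example that is not from the original post or from either vendor: a decoder (with a matching encoder so it can be exercised offline) for the MPLS Label Stack object of the extension the draft describes. The framing constants follow the later RFC 4884/4950 publication of this draft (extension version 2, Class-Num 1, C-Type 1) and are an assumption about the 2003 draft text; the sample entry is constructed from hop 11 above.

```python
"""Decode the MPLS label stack that an LSR appends to an ICMP Time Exceeded
message (draft-ietf-mpls-icmp; the same layout was later published as
RFC 4950 on top of the RFC 4884 extension framing).  Added example; the
framing constants follow those RFCs and are not taken from the post."""
import struct
from dataclasses import dataclass

ICMP_EXT_VERSION = 2          # RFC 4884 extension header version (assumed)
MPLS_LABEL_STACK_CLASS = 1    # RFC 4950 Class-Num (assumed)
MPLS_LABEL_STACK_CTYPE = 1    # RFC 4950 C-Type "Incoming MPLS Label Stack"


@dataclass(frozen=True)
class LabelEntry:
    label: int   # 20 bits
    cos: int     # 3 EXP bits, printed as CoS= in the traceroute above
    s: int       # bottom-of-stack bit
    ttl: int     # 8 bits


def ones_complement_sum(data: bytes) -> int:
    """Sum 16-bit words with end-around carry (Internet checksum core)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def encode_label_entry(e: LabelEntry) -> int:
    # Same bit layout as the MPLS shim header: label(20) | exp(3) | s(1) | ttl(8)
    return (e.label << 12) | (e.cos << 9) | (e.s << 8) | e.ttl


def decode_label_entry(word: int) -> LabelEntry:
    return LabelEntry(label=word >> 12, cos=(word >> 9) & 0x7,
                      s=(word >> 8) & 0x1, ttl=word & 0xFF)


def build_mpls_extension(entries: list[LabelEntry]) -> bytes:
    """Build an ICMP extension structure carrying one MPLS Label Stack object."""
    payload = b"".join(struct.pack("!I", encode_label_entry(e)) for e in entries)
    obj = struct.pack("!HBB", 4 + len(payload),
                      MPLS_LABEL_STACK_CLASS, MPLS_LABEL_STACK_CTYPE) + payload
    hdr_no_cksum = struct.pack("!HH", ICMP_EXT_VERSION << 12, 0)
    cksum = (~ones_complement_sum(hdr_no_cksum + obj)) & 0xFFFF
    return struct.pack("!HH", ICMP_EXT_VERSION << 12, cksum) + obj


def parse_mpls_extension(ext: bytes) -> list[LabelEntry]:
    """Return the label stack entries found in an ICMP extension, or raise."""
    if len(ext) < 4:
        raise ValueError("extension too short")
    if ext[0] >> 4 != ICMP_EXT_VERSION:
        raise ValueError("unknown extension version %d" % (ext[0] >> 4))
    # With a correct Internet checksum the whole structure sums to 0xFFFF.
    if ones_complement_sum(ext) != 0xFFFF:
        raise ValueError("bad extension checksum")
    entries: list[LabelEntry] = []
    off = 4
    while off + 4 <= len(ext):
        length, cls, ctype = struct.unpack_from("!HBB", ext, off)
        if length < 4 or off + length > len(ext):
            raise ValueError("bad object length %d" % length)
        body = ext[off + 4:off + length]
        if (cls, ctype) == (MPLS_LABEL_STACK_CLASS, MPLS_LABEL_STACK_CTYPE):
            if len(body) % 4:
                raise ValueError("label stack object not a multiple of 4 bytes")
            for (word,) in struct.iter_unpack("!I", body):
                entries.append(decode_label_entry(word))
        off += length   # objects of other classes are skipped
    return entries


def juniper_style(e: LabelEntry) -> str:
    """Render an entry the way the traceroute in the post prints it."""
    return "MPLS Label=%d CoS=%d TTL=%d S=%d" % (e.label, e.cos, e.ttl, e.s)


if __name__ == "__main__":
    # Constructed from hop 11 in the post: Label=13198 CoS=0 TTL=1 S=1
    ext = build_mpls_extension([LabelEntry(13198, 0, 1, 1)])
    for entry in parse_mpls_extension(ext):
        print(juniper_style(entry))
```

The point of the decoder is the exposure Leo is objecting to: the label, EXP/CoS bits and remaining TTL of the top label are handed to whoever sent the expiring packet, and S=1 on every hop above tells the outside observer the provider runs a single-label stack. A router that does not implement the extension simply omits it, which is why the only knobs on offer are "send it" or "do not decrement TTL".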
Re: The impending DDoS storm
McBurnett, Jim wrote: But doesn't that mean the hacker won? If you change the DNS and a user can not get to windowsupdate, you just helped him create a better DoS than he had... I have no affiliation with Microsoft, nor do I care about their services or products. What I do care about is a worm that sends out packets uncontrolled. If there is the possibility that this planned DOS will cause issues with my topology, then I will do whatever it takes to stop it. The fact that users can't reach windowsupdate.com is irrelevant. -Jack
Re: Advice/Experience with small sized DDWM gear
Fletcher, My primary responsibility here is engineering exactly these kinds of systems. The biggest difference between CWDM systems and DWDM systems is system reach. Most CWDM systems are designed for short haul applications like yours (approx 20km and under). Most DWDM systems are designed for much more expansive requirements (50-600km). The primary reason for this is amplification and laser power. CWDM systems use low power uncooled lasers that can drift in frequency making it hard for them to pack many channels into the limited transmission window provided by available fiber. Amplifiers will raise the system cost. DWDM systems use higher power lasers that are actively cooled to make them stable in frequency and consequently, you can fit more into the transmission window. They get system reach by using optical amplifiers. I've had great experience with several vendors but ultimately your choice depends on your particular situation and requirements. CWDM will be much lower cost. Look at the ONLINE 2500 series from Ciena or the CWDM options from Movaz Networks. But don't stop there. There are MANY other CWDM vendors that can help you. Don't forget to check what kinds of channel bandwidths are supported. Some can provide actual BER information for each muxed channel. If you have further questions, don't hesitate to contact me. [EMAIL PROTECTED] wrote: On Fri, 20 Jun 2003 14:56:41 -0400 Deepak Jain wrote: Nanogers, We are looking for advice/experience from folks who have used small 6-8 wavelength DWDM. Also what are the pros and cons of CWDM and DWDM? Application; 5 Mile Dark Fiber between two carrier neutral hotels in SF. All help is appreciated and results will be shared if requested. Arman, I think the biggest difference between small DWDM and CWDM is how much growth room you need. If you need 8 wavelengths (possibly 16 is still called CWDM but I doubt it) you can stay on the CWDM side. The lasers and the gear is generally cheaper.
With DWDM gear everything seems to be more expensive, but you get a lot more control as the electronics governing the chassis' tend to be much more advanced. On a short run like that, many advanced features like all-optical amplification and such are not necessary. I am not aware of any all-optical CWDM amplifiers yet. (for example). If you are planning more than just 1 DF run, you could buy the less expensive solution and just swap it out when you need something more and use the CWDM solution somewhere else. If you have decent/modern fiber, you should be able to comfortably signal 8 waves x 1G or 8 x 2.5G (full duplex). Some DWDM gear will let you double that on just 8 colors by going full duplex on each fiber (each thread). So its a question of how much BW you need and how much you want to pay for right now. (If I am wrong, someone please correct me). Hope this helps, let me know what you decide. I would be interested in recommendations for specific hardware. We are looking at longer runs and the units must be NEBS compliant as the nodes are in telco COs. thanks, fletcher
RE: MPLS ICMP Extensions
Maybe I'm wrong, but I thought that the extended MPLS info only showed up when the trace was started on a PE or P router. Is that right? If customers or others outside the MPLS domain can see that info I'd definitely agree with you. Mike
-Original Message- From: Leo Bicknell [mailto:[EMAIL PROTECTED] Sent: Thursday, August 14, 2003 12:40 PM To: [EMAIL PROTECTED] Subject: MPLS ICMP Extensions
I wanted to get some other opinions on some new features that have appeared in recent code from the popular vendors. It appears there is a new draft, a copy of which can be found at http://www.watersprings.org/links/mlr/id/draft-ietf-mpls-icmp-01.txt that allows MPLS enabled boxes to return some additional information in a traceroute packet. That's all well and good, and I can see how that might be amazingly useful to someone running an MPLS network, however, it seems to expose data much further than the local network. Here's a random example from a traceroute I recently performed (on a Juniper):

traceroute wcg.net
[snip]
11 hrndva1wcx3-oc48.wcg.net (64.200.95.117) 91.935 ms 102.652 ms 92.960 ms
   MPLS Label=13198 CoS=0 TTL=1 S=1
12 hrndva1wcx2-oc48.wcg.net (64.200.95.77) 92.593 ms 92.785 ms 93.119 ms
   MPLS Label=12676 CoS=0 TTL=1 S=1
13 nycmny2wcx2-oc48.wcg.net (64.200.240.45) 93.273 ms 93.121 ms 93.067 ms
   MPLS Label=12632 CoS=0 TTL=1 S=1
14 nycmny2wcx3-oc48.wcg.net (64.200.87.78) 104.755 ms 91.949 ms 92.169 ms
   MPLS Label=12672 CoS=0 TTL=1 S=1
15 chcgil1wcx3-oc48.wcg.net (64.200.240.37) 92.021 ms 91.737 ms 91.684 ms
   MPLS Label=12592 CoS=0 TTL=1 S=1
16 chcgil1wcx3-pos5-0.wcg.net (64.200.210.114) 175.907 ms 278.144 ms 203.763 ms
   MPLS Label=12695 CoS=0 TTL=1 S=1
17 chcgil1wcx2-oc48.wcg.net (64.200.103.73) 93.286 ms 93.230 ms 93.593 ms
   MPLS Label=13506 CoS=0 TTL=1 S=1
18 stlsmo3wcf1-atm.wcg.net (64.200.210.158) 92.780 ms 92.344 ms 92.596 ms

It appears both Cisco and Juniper support this new feature.
The question I quickly asked both vendors is how do you turn this behavior off, so the traceroutes appear as they did before this feature was introduced. The answer, apparently, is you don't. You can either disable TTL processing on your MPLS tunnels (in effect disabling traceroute), or you can have it output all this extra information. The response I'm getting so far from each vendor is they believe these are the right two options to offer. Thus, my post here. I think there are more people out there who would like to not expose their MPLS labels, Class of Service info, or anything else this feature can provide (because, I don't know all of what it can display), but still allow traceroute to work normally. If I'm off in the deep end, please tell me so, if not, please tell your vendor rep you'd like the icmp no mpls info knob. -- Leo Bicknell - [EMAIL PROTECTED] - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ Read TMBG List - [EMAIL PROTECTED], www.tmbg.org
RE: How much longer..
I have to agree with Ejay. Microsoft is not the only software vendor. It seems silly to argue that one OS is better than the other. Linux needs to be patched too, as do all the various flavors of Unix, Solaris, etc. from time to time and with varying degrees of urgency. This is a fact of life. Dan -Original Message- From: Ejay Hire [mailto:[EMAIL PROTECTED] Sent: Wednesday, August 13, 2003 10:53 To: Len Rose; *Hobbit* Cc: [EMAIL PROTECTED] Subject: RE: How much longer.. From my perspective, I don't care what defective operating system a worm uses. If a malevolent worm is spreading via a vulnerability in IIS and I can keep from answering support calls by blocking it at the edge I will. If one of the 31337 crowd ever catches a clue and launches a worm that spreads via the OpenSSH vulnerability, I'll block that too. My objective in blocking is not to bail Microsoft out, my objective is to make sure the people I work with can accomplish useful work and don't have to spend days repeatedly explaining how to download a patch and remove msblast.exe. For the record, I have two folders that catch Microsoft security bulletins and Red Hat package update notifications. Right now the score is close at MS 12 vs RH 9. -e -Original Message- From: Len Rose [mailto:[EMAIL PROTECTED] Sent: Wednesday, August 13, 2003 12:26 PM To: *Hobbit* Cc: [EMAIL PROTECTED] Subject: Re: How much longer.. Hi.. just think if the billions of dollars being spent on M$ products could have been funneled into open source projects. To reinforce the point in the most blunt manner possible: No one had ever better dare postulate that the inherent reason for all of the vulnerabilities in Micro$oft products are due to any special features of note.
There is no particular network-enabled feature that Windows has that UNIX didn't implement years before and has done so securely following established internet design standards adopted by the ruling standards body (IETF) after intense study and open participation from all parties who were interested. Now the knee-jerk reaction by various network operators is to filter, filter, filter and soon, by the grace of a piece of crap operating system you'll have a much more limited internet to work with because for Micro$oft's sake they've filtered everything. What makes it all ironic is that you can directly thank Micro$oft if the governments decide to pass more draconian laws, even further criminalizing activities which were considered marginally criminal to begin with. Instead of subsidizing the monopoly, keeping sub-standard operating systems alive, they should fine them billions of dollars for the cost of repairing damages, managing overloaded network and system infrastructures (due to the effects of the latest vulnerability). The governments should cease using all Micro$oft products and go back to UNIX which can easily be transformed into a friendly operating system for business users (it already has been of course) For the millions of dollars that are spent buying this fake operating system with its fake applications the government could subsidize development of open software whose quality and security would far exceed that of the closed source garbage that has become standard in today's offices. Their operating systems were a joke 10 years ago, and they're still a joke today. The people administering these systems need to start learning UNIX and colleges need to go back to teaching computer science based around a real operating system. It's embarrassing for a recent graduate to only know how to point and click while UNIX hackers are unemployed thanks to the disease that is called Micro$oft.
Not to mention watching weeks of Micro$oft admins wondering publicly on Full Disclosure (soon to be renamed Microsoft Whining and Crying) what to do about their systems that they can't protect because those systems are rotten to the core with garbage code written by fake programmers who were trained by Universities who use Micro$oft operating systems to teach their curriculum and who are managed by ex-vms programmers (Uncle Bill hired them to write Windows Code) On Wed, Aug 13, 2003 at 11:42:59AM +, *Hobbit* wrote: I often ask the larger question, how long will it take for millions of people to realize that having to deal with winbloze has completely *derailed* their careers for the last ten years, when they could have been doing so much more productive things on their jobs? But evidently most of them can't think that deep, and get all defensive about it. If all those people had been contributing to free and better replacements in the linux/bsd/open-source arena, we'd be *so* much farther ahead, and would have saved countless dollars that are now in Bill's pocket. _H*
Re: Port blocking last resort in fight against virus
There is legitimate traffic on 135. All users I've talked to have been We started blocking 135-139 and 445 a week ago... we got one complaint, and added an exception for those two ip addresses (one remote/one local). We're just a small regional ISP, but we've seen little real use of these ports by our customers across the 'net. This is a good thing.
Electrical Engineering Firm Recommendation
Can someone recommend an electrical engineering firm in the middle to north part of California that has experience with NOC design? TIA Dan Lockwood
OT: APAC circuit costs
I am hoping to ask some questions of an enterprise network engineer/manager who knows a bit about circuit costs in APAC. Specifically, I have a vendor telling me a WAN link from Beijing to SanFran is cheaper than Beijing to almost anywhere else in APAC: Singapore, Hong Kong, Sydney and Tokyo. Just looking for someone to contact me off the list and confirm whether that is actually the case Thanks! -BM
Re: WANTED: ISPs with DDoS defense solutions
On Wed, 6 Aug 2003, Paul Vixie wrote: More and more there is less and less spoofing, its just not required and it causes more damage with less effort :( Why spoof when you have 1000 machines pumping 1 packet per second? (or 10) leaving the spoofing option open for future generations of attacks, rather than having a witch-hunt and tracking down and upgrading every insecure edge, is just about the worst thing we could do. because when an attacker wants an extra edge, they'll add spoofing to their attack profile, and the core's immune system will be totally unprepared. I don't believe I ever said that the edges shouldn't filter... did I?
Re: dcom worm released
Some people have mistakenly assumed I was talking about the exploit and berated me for being a week out of date.. To clarify -- I'm talking about a worm based around the exploit. On Thu, Aug 07, 2003 at 06:34:02AM -0400, Len Rose wrote: It seems to be true.. I haven't seen any code yet but-- http://lists.netsys.com/pipermail/full-disclosure/2003-August/007717.html
opsec IETF draft (was Re: WANTED: ISPs with DDoS defense solutions)
Randy Bush wrote: There are requirements one can make of vendors. These have been made, several times :) In fact there is an IETF working group pushing these requirements now, Mr. Bush could provide the details that have slipped my addled brain. it is not a wg. but there is a draft being actively worked, see draft-jones-opsec-00.txt. Closing in on -01 draft. target was this week, but sleep and USENIX security (often incompatible) have conspired to slow it down. If you're interested, pull the current draft and subscribe to the mailing list echo subscribe opsec | mail [EMAIL PROTECTED] I'm currently integrating IETF BOF and mailing list feedback, but once -01 is out, I would like feedback from nanog (don't spend *too* many cycles on -00: major changes/additions/section renumbering in -01 soon) Thanks, ---George Jones
Re: Private port numbers?
On Wednesday, Aug 13, 2003, at 21:38 Europe/Amsterdam, Crist Clark wrote: Cool. So if you use private ports, you'll be totally protected from the Internet nasties (and the Internet protected from your broken or malicious traffic) in the same way RFC1918 addressing does the exact same thing now at the network layer. That would be the theory, yes. (I grant you that it won't be quite this simple in practice.) I'm sure everyone will filter private ports just as effectively as RFC1918 and martian addresses are filtered at borders now. It's not the same thing. RFC 1918 and martian addresses aren't supposed to be present on the internet, but aren't automatically harmful. Having services that are explicitly labeled for internal use be visible to the rest of the world is potentially very harmful.
Re: Server Redundancy
Gerald wrote: We all hedged bets that Cisco was going to absorb the CSS and just make it a software feature on the Catalyst switches. I haven't heard of that actually happening yet though. No, but there is some interesting new functionality in the latest revs of IOS which look awfully borrowed from the CSS. Haven't had time to dive in yet, though. -Jack
Re: AOL breaking dns spoof protection
[EMAIL PROTECTED] (Petri Helenius) writes: I'm constantly seeing responses to queries for AOL servers which come in from different IP addresses than the query was sent to. due to the weakness of the 16-bit query id field, bind will throw that stuff away. the source address and port has to match the destination of the query, and the question section has to be copied in its entirety. i don't know who aol is going to be able to send responses to who won't apply those same restrictions.
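The matching rule Vixie states above, as an added example that is neither part of the original post nor BIND's code: a small Python routine that rejects a reply unless it comes back from the address and port the query went to, carries the same 16-bit ID with the QR bit set, and repeats the question section verbatim. The addresses 192.0.2.1 and 192.0.2.10 are TEST-NET placeholders and the messages are constructed in the block; none of it is AOL's real data.

```python
"""Response matching as a resolver does it: accept a reply only if it
came from where the query went, with the same ID and the same question.
Added example; addresses are TEST-NET placeholders, not AOL's servers."""
import struct

QR = 0x8000  # header flag: this message is a response


def encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode an uncompressed name; compression is not used in questions."""
    labels = []
    while True:
        ln = msg[off]
        if ln & 0xC0:
            raise ValueError("compression pointer in question section")
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii").lower())
        off += ln
    return ".".join(labels) + ".", off


def build_query(qid: int, qname: str, qtype: int = 1, qclass: int = 1) -> bytes:
    hdr = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return hdr + encode_name(qname) + struct.pack("!HH", qtype, qclass)


def build_response(qid: int, qname: str, ipv4: str,
                   qtype: int = 1, qclass: int = 1) -> bytes:
    hdr = struct.pack("!HHHHHH", qid, QR | 0x0180, 1, 1, 0, 0)  # QR RD RA, one answer
    question = encode_name(qname) + struct.pack("!HH", qtype, qclass)
    rdata = bytes(int(o) for o in ipv4.split("."))
    answer = (encode_name(qname)
              + struct.pack("!HHIH", qtype, qclass, 300, len(rdata)) + rdata)
    return hdr + question + answer


def parse_header_and_question(msg: bytes):
    qid, flags, qdcount = struct.unpack_from("!HHH", msg, 0)
    name, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack_from("!HH", msg, off)
    return qid, flags, qdcount, (name, qtype, qclass)


def accept_response(sent_to, query: bytes, received_from, response: bytes):
    """Return (accepted, reason); sent_to and received_from are (ip, port)."""
    if received_from != sent_to:
        return False, "source %s:%d is not where the query went" % received_from
    qid, _, _, question = parse_header_and_question(query)
    rid, rflags, rqd, rquestion = parse_header_and_question(response)
    if not rflags & QR:
        return False, "QR bit not set"
    if rid != qid:
        return False, "query id mismatch"
    if rqd != 1 or rquestion != question:
        return False, "question section does not match"
    return True, "ok"


if __name__ == "__main__":
    server = ("192.0.2.1", 53)   # placeholder for the server the query went to
    q = build_query(0x1234, "americaonline.aol.com")
    r = build_response(0x1234, "americaonline.aol.com", "192.0.2.10")
    print(accept_response(server, q, server, r))              # (True, 'ok')
    print(accept_response(server, q, ("192.0.2.2", 53), r))   # rejected: wrong source
```

The order of the checks matters little for correctness but a lot for cost: the address/port comparison needs no parsing at all, so a flood of off-path replies is discarded before the resolver ever looks inside them. Anything that answers from a different address than it was asked on, as Pete observed with AOL, fails the first test on every resolver that applies these rules.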
Re: Stats of Internet connection speeds
Please look here http://www.cybertelecom.org/statistics.htm and here http://www.cybertelecom.org/broadband.htm -B --- Minseok Kwon [EMAIL PROTECTED] wrote: Can anyone tell me where I can get the recent statistics of Internet connection speeds? Specifically, I need statistics for edge link bandwidth (e.g., what's the percentage of 56kbps lines?) Thanks a million. M. S. Kwon Telecommunications Policy Research Conference ~~ September 19 - 21 Arlington, Virginia ~~ ~~ www.tprc.org ~~
RE: Port blocking last resort in fight against virus
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of McBurnett, Jim ... I really can not image legitimate traffic on 135.. My problem with this approach is that, in 1985, you could have said I really cannot imagine legitimate traffic on port 80. (On the other hand, you could probably say that today and be mostly right) Matthew Kaufman [EMAIL PROTECTED]
RE: RPC errors
does anyone know if the scanning is sequential once a range is chosen or is it random within a range? e.g., 1.1.1.1 1.1.1.2 1.1.1.3 etc or 1.1.1.89 1.1.1.33 1.1.1.12 etc -Original Message- From: John Dvorak [mailto:[EMAIL PROTECTED] Sent: Monday, August 11, 2003 5:57 PM To: NANOG Subject: Re: RPC errors On Mon, 11 Aug 2003 17:33:33 -0400 Kevin Houle [EMAIL PROTECTED] wrote: --On Monday, August 11, 2003 02:26:40 PM -0700 Mike Damm [EMAIL PROTECTED] wrote: The DCOM exploit that is floating around crashes the Windows RPC service when the attacker closes the connection to your system after a successful attack. Best bet is to assume any occurrence of crashing RPC services to be signs of a compromised system until proven otherwise. http://www.cert.org/advisories/CA-2003-19.html That's good advice. Many of the known exploits cause the RPC service to crash after the exploit is successful. I'll point out that not all exploits cause the service failure. So, the absence of an RPC service failure is likewise not an indicator that a vulnerable machine has escaped compromise. Kevin Interestingly, we have clear examples of boxes which were not infected but on which RPC services did crash. This may suggest that the worm also takes advantage of the unrelated RPC DOS vulnerability (2000 and XP) which I believe MS has still not patched. John
AOL breaking dns spoof protection
anyone here having problems resolving americaonline.aol.com with spoof protection enabled on their dns servers? It appears AOL via a series of cnames is specifying a non-authoritative dns server as authoritative for internet.aol.com which is where the first url is cnamed. I need a dns expert to untangle this one so I can explain it to the aol tech. Can anyone help? Geo.
Re: Server Redundancy
If you go out and spend a few thousand you can also get Allied Telesyn L2-L4 products that now support Load Balancing. Actually the rapier 24i is about $2000 Canadian. (I'd have to check the VAR pricing) Jason On 6 Aug 2003 at 22:59, Paul Vixie wrote: Using outboard appliances for server load balancing is unnecessary, and it adds more powered boxes (thus decreasing theoretical reliability). If your upstream router can speak OSPF and is made by either Cisco or Juniper then it will implement ECMP (equal cost multipath). If you put your service address on lo0 as an alias, and you run Zebra or GateD on the service hosts which possess that alias address, then each such host will appear to be a router toward the service address as a stub host and your upstream routers will dtrt wrt flow hashing for udp or tcp traffic (that is, the udp/tcp port number will figure into the hash function, so you won't multipath your tcp sessions.) This is how f-root has worked for years. Look ma, no appliances. -- Paul Vixie
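The arrangement Vixie describes, written out as an added configuration example (not his, ISC's or f-root's actual config): the service address lives on loopback on every host and is advertised as a stub /32 by a host routing daemon, and the upstream router installs the resulting equal-cost routes and hashes flows across them. Quagga/Zebra syntax on the host side and Cisco IOS on the router side; every address, router ID and process number below is a placeholder.

```text
! --- service host N (Quagga/Zebra), repeated on each host ---
! zebra.conf: the shared service address is a loopback alias
interface lo
 ip address 192.0.2.53/32
!
! ospfd.conf: advertise the /32 as a stub host route and never act as transit;
! only the loopback and the uplink subnet take part in OSPF
router ospf
 ospf router-id 10.0.0.11
 passive-interface lo
 network 10.0.0.0/24 area 0.0.0.0
 network 192.0.2.53/32 area 0.0.0.0

! --- upstream router (Cisco IOS) ---
ip cef                     ! per-destination (src/dst hash) load sharing, not per-packet
router ospf 1
 router-id 10.0.0.1
 network 10.0.0.0 0.0.0.255 area 0
 maximum-paths 4           ! keep up to four equal-cost next hops for 192.0.2.53/32
!
! check: one next hop per live host
! show ip route 192.0.2.53
! show ip cef 192.0.2.53
```

Two caveats a practitioner would add. First, the hash must be per flow (CEF's default per-destination load sharing on IOS; Juniper's per-flow behaviour under forwarding-table load-balance), or TCP sessions get sprayed across hosts as Vixie warns. Second, OSPF only knows whether the host's routing daemon is up, not whether the service is: a host whose daemon process is alive but whose service has died keeps attracting its share of traffic, so a health check that removes the loopback alias, or stops ospfd, when the service fails is part of the design, not an optional extra.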
Proper Protocol for Dealing with Unresponsive Contacts?
Greetings, What is the proper way to deal with a company that is unresponsive to any form of contact, i.e. they have outdated information on their IP assignments and bounce every piece of e-mail that I send (including postmaster@, which is where the bounce messages come from)? Here is the situation I am facing. We just registered a new domain (tigerny.net/com) for a project we are working on. It appears that a company, in this case Tigerfund.com, has a Microsoft Domain called TIGERNY. Well, due to the helpful setting in Windows that says register this connection in DNS (or something along those lines), we are now seeing 1000's of failed update attempts to our nameservers per day from all of the Tri-State area, mostly cable-modem networks, but also coming from AS5703, as these machines try in vain to update the DNS information. As none of the contact information is correct, I have yet to be able to contact a human being in an attempt to get this corrected. What should my next steps be? My thought is to go to their upstream (AS8112) and try to get contact through them. If it was just a couple of places that this traffic was being sourced from I would just null route them, but since it is all over the place, mostly coming from dynamic IP blocks in RR and Cablevision's cable modem networks, it makes blocking it at our edge rather difficult, if not impossible. Thanks in advance for any suggestions, -Patrick -- Patrick Muldoon Network/Software Engineer INOC (http://www.inoc.net) PGPKEY (http://www.inoc.net/~doon) Key fingerprint = 8F70 6306 F0A7 B8DA BA95 76C4 606A 7DC1 370D 752C Back off Man!, I'm a scientist Peter Venkman
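One thing that can be done locally while the contact hunt goes on, as an added example that is not from the original post: make the zone's refusal of dynamic updates explicit and have named log every refused UPDATE with its source address, so there is a concrete list of offending clients to hand to the upstream. BIND 9 named.conf syntax; the zone name is taken from the post, the file paths are placeholders.

```text
// named.conf fragment (BIND 9). Paths are placeholders.
logging {
    channel update_log {
        file "/var/log/named/update.log" versions 3 size 5m;
        severity info;
        print-time yes;
    };
    // approval and denial of every UPDATE request, with the client address
    category update-security { update_log; };
};

zone "tigerny.net" {
    type master;
    file "master/tigerny.net";
    allow-update { none; };   // already the default; stated so nobody loosens it later
};
```

The update-security log does not reduce the packet rate (the clients retry regardless), but it turns "thousands of attempts" into a sorted list of source addresses and ASNs, which is what an abuse desk at the upstream can act on.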
RE: How much longer..
But we digress and this horse is dead. Can we move on?
Re: WANTED: ISPs with DDoS defense solutions
More and more there is less and less spoofing, its just not required and it causes more damage with less effort :( Why spoof when you have 1000 machines pumping 1 packet per second? (or 10) leaving the spoofing option open for future generations of attacks, rather than having a witch-hunt and tracking down and upgrading every insecure edge, is just about the worst thing we could do. because when an attacker wants an extra edge, they'll add spoofing to their attack profile, and the core's immune system will be totally unprepared. knowing this, and knowing that spoofing isn't actually necessary right now, the current generation of attackers would be well advised to stop spoofing for a while so that nobody makes any serious attempt to plug the hole. (and, it sounds like that strategy might already be working.) could someone here who can write win32 apps, and someone else who can write cocoa apps, please volunteer short executables that will try to spoof a few packets through some well known server, and then report as to whether the current computer/firewall/cablemodem/isp/core permitted this or not? isc would be happy to host the server component of this, as long as source code for the executables is available under a bsd style copyright, and the executables are released without any fee. this is so the community can gather compelling evidence for the witch-hunt. (i expect we'd have to come up with a web button campaign to brand isp's who dtrt. sort of like the old squid-era cache now! thing.) -- Paul Vixie
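The correlation a server would have to do for the test Vixie asks for, as an added example (not ISC code; the CTRL/PROBE line format is made up here): the client first registers a random nonce from its real address, then tries to send probes carrying that nonce with a forged IP source. If a probe with a known nonce arrives from any address other than the registering one, the client's path permits spoofing; if probes arrive but carry the real source, something on the path rewrote them; if nothing arrives, the forged packets were dropped. The raw-socket sender that would actually forge the source needs root and is left out, so everything here runs offline.

```python
"""Server-side correlation for a spoof-capability test: did a probe whose
IP source was forged by the client reach us?  Added example, not ISC code;
the CTRL/PROBE message format is an assumption made up for this block."""
import secrets
import time
from dataclasses import dataclass, field

PROBE_WINDOW = 30.0   # seconds a registered nonce stays valid


@dataclass
class Registration:
    real_src: str
    registered_at: float
    spoofed_from: set = field(default_factory=set)   # forged sources that got through
    own_probes: int = 0                              # probes seen with the real source


class SpoofTestServer:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.sessions: dict[str, Registration] = {}

    def handle(self, src_ip: str, payload: bytes) -> str:
        """Process one UDP datagram (observed source, payload); return a log line."""
        try:
            parts = payload.decode("ascii").split()
        except UnicodeDecodeError:
            return "drop: non-ascii"
        if len(parts) == 2 and parts[0] == "CTRL":
            nonce = parts[1]
            if nonce in self.sessions:
                return "drop: duplicate nonce"
            self.sessions[nonce] = Registration(src_ip, self.clock())
            return "registered %s for %s" % (nonce, src_ip)
        if len(parts) == 3 and parts[0] == "PROBE":
            nonce, claimed = parts[1], parts[2]   # claimed = source the client put in the header
            reg = self.sessions.get(nonce)
            if reg is None:
                return "drop: unknown nonce"
            if self.clock() - reg.registered_at > PROBE_WINDOW:
                return "drop: nonce expired"
            if src_ip == reg.real_src:
                reg.own_probes += 1   # forged source was rewritten on the way (NAT) or never forged
                return "probe from real source %s" % src_ip
            reg.spoofed_from.add(src_ip)
            return "spoofed probe: claimed %s, arrived as %s" % (claimed, src_ip)
        return "drop: malformed"

    def verdict(self, nonce: str) -> str:
        reg = self.sessions[nonce]
        if reg.spoofed_from:
            return "spoofable: forged sources %s reached us" % sorted(reg.spoofed_from)
        if reg.own_probes:
            return "filtered: probes arrived but carried the real source (NAT/rewrite)"
        return "filtered: no probe arrived"


def new_nonce() -> str:
    return secrets.token_hex(8)


if __name__ == "__main__":
    # Constructed exchange: client at 192.0.2.10 registers, then forges 198.51.100.7
    srv = SpoofTestServer()
    n = new_nonce()
    print(srv.handle("192.0.2.10", b"CTRL " + n.encode()))
    print(srv.handle("198.51.100.7", ("PROBE %s 198.51.100.7" % n).encode()))
    print(srv.verdict(n))
```

The nonce is what makes the result attributable: a probe with a forged source carries no trustworthy address, so the only link back to the testing client is the secret it registered seconds earlier from its real one. The short window and the duplicate-nonce refusal keep the server from being used as an oracle by anyone who sniffed an old nonce.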
Re: Server Redundancy
On Wed, Aug 06, 2003 at 01:50:33PM -0400, Jason Dixon wrote: I second this suggestion. I worked briefly at F5 Networks in 2001 and was responsible for supporting Big-IP and 3DNS. Both are very nice products, but NOT cheap. I've used them all fairly heavily, except the Foundry gear. Alteon's my personal fave. Biggest problem with the F5: hard drive. In my book, that means you instantly need two, doubling the price. For price concerns, tho, just check ebay. $13k AD3s for $2500...don't say nothing good came from the dotcom crash. John
RPC errors
I'm showing signs of an RPC sweep across one of my networks that's killing some XP machines (only XP confirmed). How wide spread is this at this time. Also, does anyone know if this is just generating a DOS symptom or if I should be looking for backdoors in these client systems? -Jack
Re: MPLS ICMP Extensions
In a message written on Thu, Aug 14, 2003 at 01:21:28PM -0500, Mike Bernico wrote: Maybe I'm wrong, but I thought that the extended MPLS info only showed up when the trace was started on a PE or P router. Is that right? I did the traceroute from a router with _NO_ mpls commands turned on, and it's on a network that uses _NO_ mpls today. Basically from reading the draft if the router that generates the ICMP unreachable received the packet with an MPLS label, it adds the MPLS info to the returned data. As long as your traceroute can parse/show it (so far I've only confirmed Juniper can do it), it will be displayed to the world. -- Leo Bicknell - [EMAIL PROTECTED] - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ Read TMBG List - [EMAIL PROTECTED], www.tmbg.org
Re: Private port numbers?
Lars Higham wrote: It's a good idea, granted, but isn't this covered by IPv6 administrative scoping? That's the network layer, not the transport layer. IPv6 scoping has the potential to be very helpful for private addressing since it's fundamentally built into the protocol, as opposed to RFC1918 addresses which are just kinda an afterthought. This means that, by default, vendor products should DTRT with respect to scoped addresses, and administrators have more effective tools. However, giving administrators more tools is not always a good thing. I fully expect to see the clueless, the same people who don't filter RFC1918 spoofs at their border now, open up their border routers to let in privately scoped addresses from the outside world. And I expect there will be ISPs that let privately scoped addresses pass over their networks 'cause some clueless customers, with $$$ contracts, want to pass the traffic between different sites. And some vendors will ship with bad defaults and bugs. So, I expect private networks with global connectivity (kind of an oxymoron, but you know what I mean) will be easier to set up and set up more securely with IPv6. But it's no magic bullet. There will be some brilliant fools out there who manage to shoot themselves in the foot. That problem will never go away. Unfortunately, besides shooting themselves, these people cause some collateral damage too (just like this worm that started the discussion). We'll have to wait until IPv6 is widely deployed to really see how all of that works out. -- Crist J. Clark [EMAIL PROTECTED]
Server Redundancy
Can I have some suggestions on how to load balance servers that are on separate IP blocks? Is there any way to perform translation at this level? Exclude DNS based balancing please... -- Jason Greenberg, CCIE #11021 Network Administrator Execulink, Inc. [EMAIL PROTECTED]
Re: [connie.davis@mail.internetseer.com: answerpointe.cctec.com]
On Thu, Aug 07, 2003 at 10:32:04AM -0400, Leo Bicknell wrote: Has anyone else gotten one of these? It appears they are trolling a Nanog archive on the web and sending these out to posters. *sigh* Return-Path: [EMAIL PROTECTED] Received: from internetseer.com (mail9.internetseer.com [66.150.40.23]) by ussenterprise.ufp.org (8.12.9/8.12.9) with SMTP id h77BFT8h066053 for X; Thu, 7 Aug 2003 07:15:29 -0400 (EDT) These are known spammers; we've had them blocked for ages. Probably not an issue of just trolling NANOG - just a stupid blunder on their part. See also: http://spamhaus.org/SBL/sbl.lasso?query=SBL6909 Hosted by Internap and have been for quite some time. They've got a bunch of other blocks too - I guess it's time to block these too: 64.94.204.240/29, 66.150.42.0/24, 66.150.43.0/24, 64.94.206.224/28 -- Since when is skepticism un-American? Dissent's not treason but they talk like it's the same... (Sleater-Kinney - Combat Rock)
Re: Microsoft to ship new versions with firewall enabled
Sean Donelan [EMAIL PROTECTED] 8/14/03 8:29:07 AM John Markoff reports in the New York Times that Microsoft plans to change how it ships Windows XP due to the worm. In the future Microsoft will ship both business and consumer versions of Windows XP with the included firewall enabled by default. [Veering further off-topic] Hmm...I didn't even know XP had a built-in firewall. Any bets on how long it is before other companies with software firewall products bring suit against Microsoft for bundling a firewall in the OS? --
Re: AOL breaking dns spoof protection
I'm constantly seeing responses to queries for AOL servers which come in from different IP addresses than the query was sent to. Pete anyone here having problems resolving americaonline.aol.com with spoof protection enabled on their dns servers? It appears AOL via a series of cnames is specifying a non-authoritative dns server as authoritative for internet.aol.com which is where the first url is cnamed. I need a dns expert to untangle this one so I can explain it to the aol tech. Can anyone help? Geo.
Re: Server Redundancy
Austad, Jay wrote: We all hedged bets that Cisco was going to absorb the CSS and just make it a software feature on the Catalyst switches. I haven't heard of that actually happening yet though. If they did that, how would they sell the CSS hardware? :) I would think that the closest you are going to get to that is the CSS blade for the Cat 6500's. Although, wasn't there a version of code for the 6500's that had some local director features in it awhile back? Or did you actually need a local director blade? -jay Cat6500's in native mode support IOS server load balancing, which is like a not quite as intelligent version of the CSS, but does use the PFC's hardware acceleration. (Although for this specific application of the original poster, to support servers on different IP subnets requires the SLB function to NAT the client IP address as well as the server IP, to ensure return traffic flows back through the SLB. In this mode, it cannot use the PFC hardware switching.)
RE: Microsoft to ship new versions with firewall enabled
ipchains and similar firewalls are indeed far superior. I manage real firewalls as part of my responsibilities. However the new microsoft policy will help protect the network from Joe and Jane average who buy a PC from the closest big box store and hook it up to their cable modem so they can exchange pictures of the kids with the grandparents in Fla. This is the class of users who botnet builders dream about because these people do not see a computer as a complex system which _requires_ constant maintenance but as a semi-magical device for moving images and text around. I don't believe that many people really see ipchains as a real viable firewall. I think it is awesome, but in many corporations simply mentioning it gets you a stern eyeing. Of course these corporations can spend tons of money on Checkpoint and PIX boxen. -Drew
Re: RPC errors
45 seconds: deny tcp any any eq 135 (5445 matches) deny tcp any any eq 137 deny tcp any any eq 138 deny tcp any any eq 139 deny tcp any any eq 445 (207 matches) - Original Message - From: Randy Bush [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, August 11, 2003 18:52 Subject: Re: RPC errors must be fun out there on the net today. one minute of counter accumulation deny tcp any any eq 135 (5721 matches) deny tcp any any eq 137 deny tcp any any eq 138 deny tcp any any eq 139 (17 matches) deny tcp any any eq 445 (1137 matches) randy
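Counters like the ones quoted above are only useful once turned into rates, and that is tedious to do by hand across a few dozen interfaces. The following is an added example, not code from the thread: it parses `show access-lists` style entries, treats a missing "(N matches)" suffix as zero (which is how IOS prints an entry that has not matched), and reports packets per second per destination port between two readings. The first snapshot is Randy Bush's one-minute accumulation from above; the second is constructed here to stand for a later reading of the same list and is not data from the list.

```python
"""Turn `show access-lists` counters into per-port packet rates.

Added example, not code from the thread. SNAPSHOT_T1 is constructed.
"""
import re

ACE_RE = re.compile(
    r"^\s*(?:\d+\s+)?"                        # optional sequence number
    r"(?P<ace>(?:permit|deny)\s+.+?)"         # the entry itself
    r"(?:\s+\((?P<n>\d+)\s+match(?:es)?\))?"  # optional hit counter
    r"\s*$"
)

# Randy Bush's one-minute accumulation, as posted.
SNAPSHOT_T0 = """\
deny tcp any any eq 135 (5721 matches)
deny tcp any any eq 137
deny tcp any any eq 138
deny tcp any any eq 139 (17 matches)
deny tcp any any eq 445 (1137 matches)
"""

# Constructed: the same list read 60 seconds later (not from the thread).
SNAPSHOT_T1 = """\
deny tcp any any eq 135 (11698 matches)
deny tcp any any eq 137 (3 matches)
deny tcp any any eq 138
deny tcp any any eq 139 (40 matches)
deny tcp any any eq 445 (2391 matches)
"""


def parse_counters(text: str) -> dict:
    """Map each ACE (whitespace normalised) to its match count."""
    counters = {}
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue
        ace = " ".join(m.group("ace").split())
        counters[ace] = int(m.group("n") or 0)
    return counters


def rates(before: dict, after: dict, seconds: float) -> dict:
    """Packets per second per ACE between two readings. A counter that
    went backwards was cleared in between; use the later value as the
    whole delta rather than reporting a negative rate."""
    out = {}
    for ace, n1 in after.items():
        n0 = before.get(ace, 0)
        delta = n1 - n0 if n1 >= n0 else n1
        out[ace] = delta / seconds
    return out


def port_of(ace: str):
    """Destination port from 'deny tcp any any eq 135' style entries."""
    m = re.search(r"\beq\s+(\d+)\b", ace)
    return int(m.group(1)) if m else None


def busiest_ports(before: str, after: str, seconds: float, top: int = 3):
    """[(port, pps), ...] for the most-hit entries, highest first."""
    r = rates(parse_counters(before), parse_counters(after), seconds)
    ranked = sorted(((port_of(a), pps) for a, pps in r.items()), key=lambda x: -x[1])
    return ranked[:top]


if __name__ == "__main__":
    for port, pps in busiest_ports(SNAPSHOT_T0, SNAPSHOT_T1, 60):
        print("tcp/%d  %.1f pps" % (port, pps))
```

Sequence numbers in front of entries (IOS prints them on named lists) are skipped, and the delta logic survives a `clear access-list counters` between readings, which is the usual way to get a clean window like Randy's.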
Re: The impending DDoS storm
On Wed, 13 Aug 2003, Jason Frisvold wrote: If the blaster cannot get a proper DNS response, it continues to replicate via port 135... It then goes into a retry cycle and continues to try to get a good DNS lookup. has anyone tried tarpitting eg labrea to slow the worm? -Dan -- [-] Omae no subete no kichi wa ore no mono da. [-]
Re: [connie.davis@mail.internetseer.com: answerpointe.cctec.com]
Charles Sprickman wrote: On Sat, 9 Aug 2003, Eric Germann wrote: You also have the sporadic people who say for whatever reason, I said something on NANOG I shouldn't have because now that I am unemployed from a dot bomb, when I try to get a job, they search the web and these stupid posts I made show up in your archive and can you remove them so I can get a job??? I explain to them the concept of an archive. Whats the collective voice of NANOG say, keep it or kill it? Personally, since Merit is already archiving it, I'd really prefer that everyone else did not. You don't do us any favor. If I want to search the archives, I know where they are. I never understand the need to archive someone else's mailing list. On the other hand... I think we're all big boys (and girls) here and understand that subscribing to a large, archived mailing list will get your subscription address on yet another 1,000 MILLION EMAIL ADDRESSES CD. I should hope everyone here can implement, or at least ask for, basic spam filtering. This isn't your grandmother's crochet chat group; everyone here should be smart enough to at least glance at the Merit site before subscribing. Sure, maybe, but I really think, in this day and age, if you're going to archive mail in a public manner, that you ought to do the courteous thing, and at least make it somewhat difficult to collect email addresses. Sure, bugtraq (for example) is archived from here to Mars, and they surely don't obscure, but I really think that Nanog ought to be a cut or so above them...but then, it isn't my call. If you come in here and say things that make you unattractive as a prospective employee, tough crap. :) More jobs for the rest of us. Oh, even more important than that: It makes it easier for prospective employers to weed out the bad ones. Think about it. If you behave unprofessionally here, my guess is you're unprofessional. 
Go right ahead and display your bad manners in public; you're doing everyone a favor, and providing an early warning as well. There you have it. -- A system admin's life is a sorry one. The only advantage he has over Emergency Room doctors is that malpractice suits are rare. On the other hand, ER doctors never have to deal with patients installing new versions of their own innards! (Michael O'Brien)
RE: The impending DDoS storm
Today at 11:24 (-0400), Josh Fleishman wrote: Date: Thu, 14 Aug 2003 11:24:53 -0400 From: Josh Fleishman [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: RE: The impending DDoS storm Has anyone determined a method for triggering the DOS attack manually? We've attempted this by changing an infected machine's clock, however it did not work on our test box. If anyone has triggered the attack, do you have a copy of the sniffed data stream? Josh, Have you tried rebooting the infected box? Apparently, the date check and decision to DoS or infect others comes early on in the code and is not rechecked. - Christopher ==
Re: When Security Guards Attack (was: clearblue part deux)
On Tue, Aug 05, 2003 at 02:09:19PM -0400, Eric Brunner-Williams in Portland Maine wrote: ... tried to silence the door audible alarm Didn't it have battery backup? Inquiring minds want to know. The door? Guess not. Reminds me of a skit from Kentucky Fried Movie, tho. :) Seriously, yeah it's SF city building code. I got little wires running from my EPO to my UPSs in my internal server room as well. John
RE: The impending DDoS storm
--On Thursday, August 14, 2003 11:24:53 AM -0400 Josh Fleishman [EMAIL PROTECTED] wrote: Has anyone determined a method for triggering the DOS attack manually? We've attempted this by changing an infected machine's clock, however it did not work on our test box. If anyone has triggered the attack, do you have a copy of the sniffed data stream? The code looks at the clock once at startup. Once the code is running, it does not appear to recheck the clock. Set your clock prior to running the test. Kevin
Re: Port blocking last resort in fight against virus
On Tue, 12 Aug 2003, Sean Donelan wrote: I think filters/firewalls are useful. I believe every computer should have one. I have several. I just disagree on who should control the filters. in your opinion who should control them? (just curious)
RE: Server Redundancy
On Wed, 6 Aug 2003, Austad, Jay wrote: If they did that, how would they sell the CSS hardware? :) That was our concern. Cisco already had hardware to do as good or better than what ArrowPoint was doing. They would suck in the intellectual property, discontinue the CSS line, and roll out a software update to the Catalyst that would do all of the same things the ArrowPoints would. Our 1100's SPOF was the single IDE drive that powered the whole thing. Their answer to that observation was: buy 2 1100's. (...which we did.) G
Re: WANTED: ISPs with DDoS defense solutions
On Tue, 5 Aug 2003, Mike Tancsa wrote: At 07:02 PM 05/08/2003 +, Christopher L. Morrow wrote: so long as you are sure they aren't spoofed, yes. A recent post by Rob Thomas said, I've tracked 1787 DDoS attacks since 01 JAN 2003. Of that number, only 32 used spoofed sources. I rarely see spoofed attacks now. That's about 1%. Of the few attacks directed at us and originating from our customers, that generally jives. What number are you seeing? More and more there is less and less spoofing, it's just not required and it causes more damage with less effort :( Why spoof when you have 1000 machines pumping 1 packet per second? (or 10)
Re: When Security Guards Attack (was: clearblue part deux)
Subject: Re: When Security Guards Attack (was: clearblue part deux) Date: Tue, Aug 05, 2003 at 03:19:42PM -0400 Quoting Eric Gauthier ([EMAIL PROTECTED]): People laugh hysterically when the evil bad guy in a movie has a button labeled Emergency Power Off that shuts everything down... They say No one would ever really have one of those... It is not the same, but close: Some outdoor broadcasting vehicles I've seen have a RCCB bypass, that they engage when they go into direct live transmission. All rigging and rehearsal is done with protection against ground faults, but the transmission not. -- Måns Nilsson Systems Specialist +46 70 681 7204 KTHNOC MN1334-RIPE I need to discuss BUY-BACK PROVISIONS with at least six studio SLEAZEBALLS!! pgp0.pgp Description: PGP signature
Re: WANTED: ISPs with DDoS defense solutions
On Mon, 4 Aug 2003, Jared Mauch wrote: For those of you that are doing IPv6 deployments, might I suggest you also take the time to do the same? I know that Cisco has v6 u-rpf support already. but not netflow as far as i remember. -hank - Jared --
Re: Port blocking last resort in fight against virus
I've been looking at our traffic graphs and trying to decide if traffic really is down 10-15% over the last 24 hours or it's just my imagination. I would say 5-10% below where it should be taking into account seasonal variations, it's within the error margin, but barely. Pete
Re: Gigabit Media Converter
On Mon, 11 Aug 2003, Vincent J. Bono wrote: Anyone out there ever see or hear tell of a device that will let you run two GBICs back to back without an associated switch and all the trimmings? Application is to convert a CWDM GBIC signal to a Multimode one. Vinny, Would something like this work? http://www.mrv.com/product/MRV-FD-2GBIC/ You can populate it with GBICs to suit. Cheers, Mike
RE: How much longer..
The good ole computers as cars metaphor. In the UK: 1) In order to drive a car, you have to have a license. 2) In order to have the car on the road, you have to have it taxed and have a qualified mechanic certify it for basic road worthiness. Neither of these rules currently apply to computers. Maybe they should. Rich I've been considering lobbying for the imposition of an Internet license for years now. I could think of a few people that need theirs yanked. -Bob
Is Anyone Seeing Packet Loss To Savvis?
I'm getting ICMP timeouts to 2 destinations that are on Savvis. Is anyone else seeing it? I don't have packet loss to anything else. Below is my ping to www.savvis.net and a customer that I have masked to protect the innocent :).

MUSKET:8:36:56am/export/home/pete:ping -s www.savvis.net
PING www.savvis.net: 56 data bytes
64 bytes from 216.91.182.42: icmp_seq=0. time=67. ms
64 bytes from 216.91.182.42: icmp_seq=1. time=68. ms
64 bytes from 216.91.182.42: icmp_seq=2. time=68. ms
64 bytes from 216.91.182.42: icmp_seq=3. time=66. ms
64 bytes from 216.91.182.42: icmp_seq=4. time=66. ms
64 bytes from 216.91.182.42: icmp_seq=5. time=66. ms
64 bytes from 216.91.182.42: icmp_seq=6. time=64. ms
64 bytes from 216.91.182.42: icmp_seq=7. time=66. ms
64 bytes from 216.91.182.42: icmp_seq=8. time=66. ms
64 bytes from 216.91.182.42: icmp_seq=9. time=66. ms
64 bytes from 216.91.182.42: icmp_seq=10. time=68. ms
64 bytes from 216.91.182.42: icmp_seq=11. time=66. ms
64 bytes from 216.91.182.42: icmp_seq=12. time=66. ms
64 bytes from 216.91.182.42: icmp_seq=13. time=66. ms
64 bytes from 216.91.182.42: icmp_seq=14. time=73. ms
ICMP Time exceeded in transit from dsl092-097-001.nyc2.dsl.speakeasy.net (66.92.97.1) for udp from MUSKET (192.168.1.2) to 216.91.182.42 port 33434
ICMP Time exceeded in transit from dsl092-097-001.nyc2.dsl.speakeasy.net (66.92.97.1) for udp from MUSKET (192.168.1.2) to 216.91.182.42 port 33435
ICMP Time exceeded in transit from dsl092-097-001.nyc2.dsl.speakeasy.net (66.92.97.1) for udp from MUSKET (192.168.1.2) to 216.91.182.42 port 33436
ICMP Time exceeded in transit from border28.g3-2.speakeasy-26.nyc.pnap.net (209.191.132.48) for udp from MUSKET (192.168.1.2) to 216.91.182.42 port 33437
ICMP Time exceeded in transit from border28.g3-2.speakeasy-26.nyc.pnap.net (209.191.132.48) for udp from MUSKET (192.168.1.2) to 216.91.182.42 port 33438
ICMP Time exceeded in transit from border28.g3-2.speakeasy-26.nyc.pnap.net (209.191.132.48) for udp from MUSKET (192.168.1.2) to 216.91.182.42 port 33439
ICMP Time exceeded in transit from core1.ge3-0-bbnet2.nyc.pnap.net (209.191.128.129) for udp from MUSKET (192.168.1.2) to 216.91.182.42 port 33440
64 bytes from 216.91.182.42: icmp_seq=15. time=2063. ms
ICMP Time exceeded in transit from core1.ge3-0-bbnet2.nyc.pnap.net (209.191.128.129) for udp from MUSKET (192.168.1.2) to 216.91.182.42 port 33441
ICMP Time exceeded in transit from core1.ge3-0-bbnet2.nyc.pnap.net (209.191.128.129) for udp from MUSKET (192.168.1.2) to 216.91.182.42 port 33442
ICMP Time exceeded in transit from sl-bb12-nyc-8-0.sprintlink.net (160.81.48.17) for udp from MUSKET (192.168.1.2) to 216.91.182.42 port 33443
ICMP Time exceeded in transit from sl-bb12-nyc-8-0.sprintlink.net (160.81.48.17) for udp from MUSKET (192.168.1.2) to 216.91.182.42 port 33444
ICMP Time exceeded in transit from sl-bb12-nyc-8-0.sprintlink.net (160.81.48.17) for udp from MUSKET (192.168.1.2) to 216.91.182.42 port 33445
ICMP Time exceeded in transit from sl-bb26-nyc-15-1.sprintlink.net (144.232.7.125) for udp from MUSKET (192.168.1.2) to 216.91.182.42 port 33446
64 bytes from 216.91.182.42: icmp_seq=16. time=3461. ms
ICMP Time exceeded in transit from sl-bb26-nyc-15-1.sprintlink.net (144.232.7.125) for udp from MUSKET (192.168.1.2) to 216.91.182.42 port 33447
ICMP Time exceeded in transit from sl-bb26-nyc-15-1.sprintlink.net (144.232.7.125) for udp from MUSKET (192.168.1.2) to 216.91.182.42 port 33448
ICMP Time exceeded in transit from sl-bb22-nyc-6-0.sprintlink.net (144.232.7.42) for udp from MUSKET (192.168.1.2) to 216.91.182.42 port 33449
ICMP Time exceeded in transit from sl-bb22-nyc-6-0.sprintlink.net (144.232.7.42) for udp from MUSKET (192.168.1.2) to 216.91.182.42 port 33450
ICMP Time exceeded in transit from sl-bb22-nyc-6-0.sprintlink.net (144.232.7.42) for udp from MUSKET (192.168.1.2) to 216.91.182.42 port 33451
ICMP Time exceeded in transit from sl-bb21-chi-9-0.sprintlink.net (144.232.9.149) for udp from MUSKET (192.168.1.2) to 216.91.182.42 port 33452
64 bytes from 216.91.182.42: icmp_seq=17. time=4865. ms
ICMP Time exceeded in transit from sl-bb21-chi-9-0.sprintlink.net (144.232.9.149) for udp from MUSKET (192.168.1.2) to 216.91.182.42 port 33453
ICMP Time exceeded in transit from sl-bb21-chi-9-0.sprintlink.net (144.232.9.149) for udp from MUSKET (192.168.1.2) to 216.91.182.42 port 33454
ICMP Time exceeded in transit from sl-gw31-chi-10-0.sprintlink.net (144.232.26.30) for udp from MUSKET (192.168.1.2) to 216.91.182.42 port 33455
ICMP Time exceeded in transit from sl-gw31-chi-10-0.sprintlink.net (144.232.26.30) for udp from MUSKET (192.168.1.2) to 216.91.182.42 port 33456
ICMP Time exceeded in transit from sl-gw31-chi-10-0.sprintlink.net (144.232.26.30) for udp from MUSKET (192.168.1.2) to 216.91.182.42 port 33457
ICMP Time exceeded in transit from sl-savvis-16-0.sprintlink.net (144.228.154.178) for udp from MUSKET (192.168.1.2) to 216.91.182.42 port 33458
64 bytes from
Re: When Security Guards Attack (was: clearblue part deux)
Ahhh... You don't put battery backup on a kill-all switch The idea behind it is to kill-all!! (*doh*) If you ever need to press it, you do so just before the guys-with-foam run in to douse your burning UPS... Jerry ---Original Message--- From: Eric Brunner-Williams in Portland Maine Date: Tuesday, August 05, 2003 14:01:14 To: John Kinsella Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: Re: When Security Guards Attack (was: clearblue part deux) ... tried to silence the door audible alarm Didn't it have battery backup? Inquiring minds want to know. .
Re: [connie.davis@mail.internetseer.com: answerpointe.cctec.com]
In the immortal words of Leo Bicknell ([EMAIL PROTECTED]): Has anyone else gotten one of these? Dozens, and have bitbucketed them on every single mail server I can get my hands on. It appears they are trolling a Nanog archive on the web and sending these out to posters. *sigh* They may be doing that as well, but they are also simply spamming domain contact addresses, and have been for over a year now. -n [EMAIL PROTECTED] I like my beer cold, my TV loud, and my homosexuals FL-MING! (--Homer Simpson) http://blank.org/memory/
Re: Complaint of the week: Ebay abuse mail (slightly OT)
On Tue, 05 Aug 2003 09:56:52 BST, [EMAIL PROTECTED] said: 1) What *immediate* benefits do you get if you are among the first to deploy? (For instance, note that you can't stop accepting plain old SMTP till everybody else deploys). You can replace complex and buggy spam filtering software with simple rules on your NIMTP servers. Erm. No. That's an *eventual* benefit. If you're among the first 10 sites to deploy, you get to haul the complex and buggy spam filtering software along until enough other sites start running the new protocol that you can get away with saying screw you and dropping SMTP support entirely. Or you can drop SMTP support immediately, or you can drop the spam filtering immediately - I think both of those are covered by Randy Bush's I invite my competitors to design their networks this way ;) pgp0.pgp Description: PGP signature
firewall == network diaper, ranting in HTML
I've got to wonder about someone who posts a rant to nanog to begin with and I'll give you kudos for having the balls to format it in HTML as well. Below I included the text of the message sans large aqua font and other HTML 'enhancements'. I think you rather missed my point - machines with incontinent TCP/IP stacks or incontinent applications should not be plugged in to the internet for server duty. It is just that simple. Unix has its occasional dribbles, Microsoft needs to be restrained and catheterized. Cisco could make one giant leap for mankind by simply renaming the PIX Firewall to the PIX Network Diaper. It's a more truthful description of what those things do and it might just get the people who sign checks asking why applications straight out of preschool are being placed in the field with a MCWN+N (Microsoft Certified Wet Nurse + Nanny) to watch over them, when perfectly functional adult alternatives exist. I'd really like to get down and roll in the muck with you guys, but I'm busy replacing M$ systems with FreeBSD 4.8 ... - Original Message - From: neal rauhauser 402-301-9555 To: Måns Nilsson ; [EMAIL PROTECTED] Sent: Wednesday, August 13, 2003 11:48 PM Subject: Re: Port blocking last resort in fight against virus Måns Nilsson wrote: Firewalls are a patch to broken network application architecture. If your applications would have been properly designed, you would not have the need for firewalls. They are for perimeter defence only anyway. Right on - if you can't plug a machine directly in to the internet and rely on its own defenses and well written code to keep it safe, why are you plugging it in at all? Oh come ON! Let's be a little real about this. How many millions of don't have a clue, don't want a clue people do you know who want to get online and see porn or nice pictures in other countries on THE Internet as the clueless call internet? 
How many businesses do you suppose there are that connect through a disk from an internet service provider and have the ISP set up a web site FOR them from where they get emails through a mailto link? There are literally MILLIONS of machines that want to be on internet without a clue about protecting at all. If they all knew how to protect, YOU would be working in something else! Lord help me what an attitude! When I was 17 and got my first car, I learned some about keeping it on the road but I found it didn't interest me too much and times and cars have changed since then. So, I get a mechanic to keep my car on the road and pay him. Don't tell me that anything you want to do even outside of computers at all you CAN do? Surely you rely on a mechanic to keep your car on the road. Maybe that mechanic is saying If you cant keep your car on the road why are you driving at all? Honestly the attitude of some people in I.T. gives me the shits. I know a LOT of businesses that USE computers but don't make money out of selling or servicing them. Get real - we are the mechanics of the computer world and it is up to US to let our customers know the truth. Don't forget, there are a lot of people about who are OLDER than 40 and use computers. Those people can REMEMBER being frustrated with computers even though some of them know as much as YOU do now. 20 something year olds are too young to remember that frustration and they end up with YOUR attitude as a result! There will come a day when the attitude of I.T. security people needs to be friendly to earn money. Learn to be friendly now ahead of time! Greg.
RE: The impending DDoS storm
Has anyone determined a method for triggering the DOS attack manually? We've attempted this by changing an infected machine's clock, however it did not work on our test box. If anyone has triggered the attack, do you have a copy of the sniffed data stream? It sounds like uRPF is going to be of very little benefit to blocking the attack if the spoofed addresses come from the infected host's subnet/parent subnet. -Josh -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Vallar Sent: Wednesday, August 13, 2003 7:18 PM To: [EMAIL PROTECTED] Subject: Re: The impending DDoS storm Jack Bates Wrote: I have no affiliation with Microsoft, nor do I care about their services or products. What I do care about is a worm that sends out packets uncontrolled. If there is the possibility that this planned DOS will cause issues with my topology, then I will do whatever it takes to stop it. The fact that users can't reach windowsupdate.com is irrelevant. There will most likely be issues with a lot of networks. I had a glimpse of what is to come on the 16th on Tuesday. We have a firewall customer that had an infected machine behind the firewall and the RTC clock was set incorrectly to 8/16. The firewall was *logging* ~50 attempts per second trying to connect on port 80 to windowsupdate.com. Since the worm was sending from a spoofed source address the firewall was denying the packets. This customer's network is a /24 out of traditional Class B space and I was seeing random source addresses from almost every IP out of the /16. This is not a forensic analysis, just what I observed in the firewall logs. Is it a coincidence that 8/16 is a Saturday... I think not. A lot less personal on-site to deal with possible issues. -Mark Vallar
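To put numbers on the uRPF question, here is an added example (not code from the thread) that models what Mark Vallar saw: an infected host on a customer /24 carved out of a larger /16, sending about 50 SYN/s to port 80 with source addresses scattered across the whole /16. It runs the same synthetic flood through strict uRPF with two different interface configurations and then through a plain per-second SYN-rate check. The prefixes (RFC 5737 documentation space), the target address standing in for windowsupdate.com, the packet rate and the alert threshold are all assumptions chosen for illustration; the source-selection routine is a deterministic stand-in, not the worm's code.

```python
"""Where strict uRPF stops helping against an in-prefix spoofed SYN flood.

Added example, not code from the thread. All prefixes, rates and
thresholds are assumptions.
"""
import ipaddress
from collections import defaultdict

CUSTOMER_24 = "192.0.2.0/24"   # what is routed to the customer interface
PARENT_16 = "192.0.0.0/16"     # the block the spoofed sources are drawn from
TARGET = "203.0.113.80"        # stand-in for windowsupdate.com


def spoofed_sources(parent_prefix: str, count: int, seed: int = 1):
    """Deterministic stand-in for random low-16-bit sources: keep the /16,
    vary the last two octets with a small LCG so a run repeats exactly."""
    base = int(ipaddress.ip_network(parent_prefix).network_address)
    x = seed
    for _ in range(count):
        x = (x * 1103515245 + 12345) & 0x7FFFFFFF
        yield str(ipaddress.ip_address(base | ((x >> 8) & 0xFFFF)))


def flood(parent_prefix: str, pps: int, seconds: int, dst: str = TARGET):
    """List of (t, src, dst, dport, syn) tuples, pps SYNs in each second."""
    return [(i // pps, src, dst, 80, True)
            for i, src in enumerate(spoofed_sources(parent_prefix, pps * seconds))]


def urpf_strict_accepts(src: str, interface_prefixes) -> bool:
    """Strict uRPF: pass only if the best route back to src points out the
    ingress interface, i.e. src lies inside a prefix routed to it."""
    a = ipaddress.ip_address(src)
    return any(a in ipaddress.ip_network(p) for p in interface_prefixes)


def after_urpf(packets, interface_prefixes):
    return [p for p in packets if urpf_strict_accepts(p[1], interface_prefixes)]


def syn_rate_alerts(packets, max_syn_per_sec: int = 20):
    """Per-second SYN count toward each (dst, port) plus the number of
    distinct sources seen; return the seconds over the threshold. This
    check still fires when every source lies inside the customer's own
    routed prefix, which uRPF by definition lets through."""
    per_sec = defaultdict(lambda: [0, set()])
    for t, src, dst, dport, syn in packets:
        if syn:
            rec = per_sec[(t, dst, dport)]
            rec[0] += 1
            rec[1].add(src)
    return sorted((t, dst, dport, n, len(srcs))
                  for (t, dst, dport), (n, srcs) in per_sec.items()
                  if n > max_syn_per_sec)


def summarize(interface_prefixes, pps: int = 50, seconds: int = 10):
    """(packets in, packets past uRPF, alert seconds) for one interface setup."""
    pkts = flood(PARENT_16, pps, seconds)
    kept = after_urpf(pkts, interface_prefixes)
    return len(pkts), len(kept), len(syn_rate_alerts(kept))


if __name__ == "__main__":
    # Interface carries only the customer /24: uRPF drops roughly 255 of 256.
    print("routed /24 :", summarize([CUSTOMER_24]))
    # Interface carries the whole /16 (or uRPF is in loose mode): nothing dropped.
    print("routed /16 :", summarize([PARENT_16]))
```

The two runs bracket the argument: with only the /24 routed to the interface, strict uRPF discards almost all of the /16-wide spoofing and the rate check sees nothing worth alerting on; with the parent /16 routed there (or loose-mode uRPF, which only asks whether any route exists), every packet passes and only the per-second SYN count gives the flood away.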
Network Solutions and Broken E-mail Addresses
Sometime recently Network Solutions seems to have stopped accepting + as a valid character in an e-mail address. Yes, I did open a ticket via their customer service people, and was given the reply that I needed to use another e-mail address. Per their web form, the only acceptable addresses are [EMAIL PROTECTED] (no, they don't put it in a regex, but I did for clarity). Evidence suggests some Network Solutions people read this list, but are unlikely to reply to queries such as mine. That's fine, but if one of you could suggest to the people in the right place that there are many valid e-mail addresses not in that form it would be great. In particular I'm trying to use [EMAIL PROTECTED], which I have used for years. Note to all, they also sent out a recent note that ICANN requires valid contact info for a domain, and if you don't have it they can unregister your domain. Well, their web form flags my e-mail as invalid, even though it works just fine (and it's the address they used to send me the notice). If you use an e-mail that doesn't match the regex above you might want to complain, or change it, or both. A private e-mail from someone at netsol will yield the ticket number I opened with standard customer service. -- Leo Bicknell - [EMAIL PROTECTED] - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ Read TMBG List - [EMAIL PROTECTED], www.tmbg.org pgp0.pgp Description: PGP signature
Re: WANTED: ISPs with DDoS defense solutions
There are requirements one can make of vendors. These have been made, several times :) In fact there is an IETF working group pushing these requirements now, Mr. Bush could provide the details that have slipped my addled brain. it is not a wg. but there is a draft being actively worked, see draft-jones-opsec-00.txt. As some Shoe company has said, Get out there and _do_ something This is also the case, things are being done for most networks... and for those who are not, darwin is a worthy read randy
Re: RPC errors
On Mon, 11 Aug 2003, Jack Bates wrote: Sean Donelan wrote: http://isc.sans.org/diary.html?date=2003-08-11 The worm uses the RPC DCOM vulnerability to propagate. Once it finds a vulnerable system, it will spawn a shell and use it to download the actual worm via tftp. The name of the binary is msblast.exe. It is packed with UPX and will self extract. The size of the binary is about 11kByte unpacked, and 6kBytes packed: Has anyone seen/heard of this virus propagating through email in any way? We appear to have been infected on a network that is very heavily firewalled from the outside, and are trying to track down possible entry methods the worm might have had... - d. -- Dominic J. Eidson Baruk Khazad! Khazad ai-menu! - Gimli --- http://www.the-infinite.org/ http://www.the-infinite.org/~dominic/
Re: Gigabit Media Converter
Omnitron also makes these, but they're probably closer to the $1000 range. http://www.omnitron-systems.com/converters/converters.htm - Original Message - From: Stephen J Wilcox [EMAIL PROTECTED] To: Vincent J Bono [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Sent: Tuesday, August 12, 2003 6:31 AM Subject: Re: Gigabit Media Converter Sounds like you need a singlemode-multimode convertor, available from various places, cost around $600 Steve On Mon, 11 Aug 2003, Vincent J. Bono wrote: Anyone out there ever see or hear tell of a device that will let you run two GBICs back to back without an associated switch and all the trimmings? Application is to convert a CWDM GBIC signal to a Multimode one. TIA, Vin
RE: RPC errors
Jack, This is that RPC flaw in MicroSoft. I noticed it too.. Got about 20K in 15 hours Jim -Original Message- From: Jack Bates [mailto:[EMAIL PROTECTED] Sent: Monday, August 11, 2003 4:12 PM To: NANOG Subject: RPC errors I'm showing signs of an RPC sweep across one of my networks that's killing some XP machines (only XP confirmed). How wide spread is this at this time. Also, does anyone know if this is just generating a DOS symptom or if I should be looking for backdoors in these client systems? -Jack
Touchamerica
Hello, If there are any Touch America techs within reach of this email, could you please contact me off list. Thank you. Regards, Christopher J. Wolff, VP CIO Broadband Laboratories, Inc. http://www.bblabs.com [EMAIL PROTECTED]
RE: The impending DDoS storm
On Wed, 2003-08-13 at 10:14, Ingevaldson, Dan (ISS Atlanta) wrote: It might be somewhat tricky to block TCP/80 going to windowsupdate.com. I agree... but then, who needs updates anyways.. *grin* Regards, === Daniel Ingevaldson Engineering Manager, X-Force RD [EMAIL PROTECTED] 404-236-3160 Internet Security Systems, Inc. The Power to Protect http://www.iss.net === -Original Message- From: Stephen J. Wilcox [mailto:[EMAIL PROTECTED] Sent: Wednesday, August 13, 2003 10:38 AM To: Jason Frisvold Cc: [EMAIL PROTECTED] Subject: Re: The impending DDoS storm On Wed, 13 Aug 2003, Jason Frisvold wrote: All, What is everyone doing, if anything, to prevent the apparent upcoming DDoS attack against Microsoft? From what I've been reading, and what I've been told, August 16th is the apparent start date... We're looking for some solution to prevent wasting our network resources transporting this traffic, but at the same time trying to allow legitimate through... So, is anyone planning on doing anything? See previous discussion on filtering... Other than that experience says if these things turn out to be big enough to cause an issue then they quickly burn themselves out anyway Steve -- --- Jason H. Frisvold Backbone Engineering Supervisor Penteledata Engineering [EMAIL PROTECTED] RedHat Engineer - RHCE # 807302349405893 Cisco Certified - CCNA # CSCO10151622 MySQL Core Certified - ID# 205982910 --- Imagination is more important than knowledge. Knowledge is limited. Imagination encircles the world. -- Albert Einstein [1879-1955] signature.asc Description: This is a digitally signed message part
Re: Server Redundancy
[EMAIL PROTECTED] (Jason Robertson) writes: If you go out and spend a few thousand you can also get Allied Telesyn L2-L4 products that now support Load Balancing. Actually the rapier 24i is about $2000 Canadian. (I'd have to check the VAR pricing) how much would i have to pay to not have that extra powered box between my data and my customers? oh, i forgot, it's zero, isn't it? re: Using outboard appliances for server load balancing is unnecessary, and it adds more powered boxes (thus decreasing theoretical reliability). If your upstream router can speak OSPF and is made by either Cisco or Juniper then it will implement ECMP (equal cost multipath). If you put your service address on lo0 as an alias, and you run Zebra or GateD on the service hosts which possess that alias address, then each such host will appear to be a router toward the service address as a stub host and your upstream routers will dtrt wrt flow hashing for udp or tcp traffic (that is, the udp/tcp port number will figure into the hash function, so you won't multipath your tcp sessions.) This is how f-root has worked for years. Look ma, no appliances. -- Paul Vixie
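The property Paul relies on is that the router hashes each packet's flow identifiers, not that it round-robins packets. The following is an added example, not Paul Vixie's code and not the f-root implementation: every server advertises the same service /32 (198.51.100.1, an assumption) as its own next hop, the router keeps all equal-cost next hops, and a 5-tuple hash picks one per packet, so a TCP session always lands on the same server. The hash function is a generic stand-in; what a given Cisco or Juniper platform hashes and how differs, but the per-flow property shown here is the point. The example also shows what the simple modulo scheme costs when a server withdraws its route (Zebra or GateD stops, or the host dies): flows that were on the withdrawn server move, and some that were not move as well.

```python
"""ECMP toward a host-advertised service address, per-flow hashing.

Added example, not Paul Vixie's code. Service and server addresses are
assumptions (documentation space); the hash is a generic stand-in.
"""
import hashlib
import ipaddress
import struct

SERVICE_ADDR = "198.51.100.1"


def flow_hash(src_ip: str, dst_ip: str, proto: int, sport: int, dport: int) -> int:
    """Deterministic 32-bit hash over the 5-tuple."""
    key = (ipaddress.ip_address(src_ip).packed
           + ipaddress.ip_address(dst_ip).packed
           + struct.pack("!BHH", proto, sport, dport))
    return struct.unpack("!I", hashlib.sha256(key).digest()[:4])[0]


class EcmpRoute:
    """A prefix with an ordered list of equal-cost next hops: the servers
    currently advertising it over OSPF."""

    def __init__(self, prefix: str, next_hops):
        self.prefix = ipaddress.ip_network(prefix)
        self.next_hops = sorted(next_hops)

    def withdraw(self, next_hop: str):
        """What the router sees when one host stops advertising the /32."""
        self.next_hops.remove(next_hop)

    def select(self, src_ip, dst_ip, proto, sport, dport) -> str:
        if ipaddress.ip_address(dst_ip) not in self.prefix:
            raise ValueError("destination not covered by this route")
        if not self.next_hops:
            raise LookupError("no next hops left: prefix withdrawn")
        h = flow_hash(src_ip, dst_ip, proto, sport, dport)
        return self.next_hops[h % len(self.next_hops)]


def session_sticks(route: EcmpRoute, src_ip: str, sport: int, packets: int = 20) -> bool:
    """True if every packet of one TCP session picks the same server."""
    chosen = {route.select(src_ip, SERVICE_ADDR, 6, sport, 53) for _ in range(packets)}
    return len(chosen) == 1


def spread(route: EcmpRoute, clients) -> dict:
    """Server -> number of client flows, for a list of (src_ip, sport)."""
    counts = {nh: 0 for nh in route.next_hops}
    for src_ip, sport in clients:
        counts[route.select(src_ip, SERVICE_ADDR, 6, sport, 53)] += 1
    return counts


def moved_flows(route: EcmpRoute, clients, withdrawn: str) -> int:
    """Number of flows whose server changes when one next hop is withdrawn.
    With plain modulo hashing, flows that never touched the withdrawn
    server can move too; that is the cost of this simple scheme for
    long-lived TCP sessions."""
    before = {c: route.select(c[0], SERVICE_ADDR, 6, c[1], 53) for c in clients}
    route.withdraw(withdrawn)
    return sum(1 for c in clients
               if route.select(c[0], SERVICE_ADDR, 6, c[1], 53) != before[c])


if __name__ == "__main__":
    servers = ["10.0.0.11", "10.0.0.12", "10.0.0.13"]
    r = EcmpRoute(SERVICE_ADDR + "/32", servers)
    clients = [("192.0.2.%d" % i, 40000 + i) for i in range(1, 101)]
    print("flows per server:", spread(r, clients))
    print("flows moved after withdrawing 10.0.0.13:", moved_flows(r, clients, "10.0.0.13"))
```

Note that UDP queries, which are single packets, do not care which server they land on; the hash only matters for TCP, and there only for sessions that outlive a topology change.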
Re: Port blocking last resort in fight against virus
On Wed, 13 Aug 2003, Mans Nilsson wrote: Subject: Re: Port blocking last resort in fight against virus Date: Wed, Aug 13, 2003 at 09:57:56AM +0100 Quoting Stephen J. Wilcox ([EMAIL PROTECTED]): Sorry I see where you're coming from on this but firewalls are more than just patches to broken OS's. In your world DoS traffic would be free to roam the networks as it pleased without being throttled sensibly at ingress? Providing one makes people responsible for what their boxes (not aggregates of networks) cause, and enforces this, there will be no DoS traffic; given a perfect world. What if the people running the boxes are irresponsible, perhaps even harboring malicious intent Even in an imperfect world, the solution lies in the edge, not even the CPE, but the end node, if you want to do more than pathetic bandaiding of the inherent problem of insecure applications on end nodes. I don't have control of all end nodes but I do control my edge. Steve
Re: WANTED: ISPs with DDoS defense solutions
[EMAIL PROTECTED] wrote: If the client is behind a NAT, and the spoofed source address doesn't get through, then that's OK because it means that no application in that same location behind the NAT can use spoofed addresses. Which is important given the number of NAT setups that only perform NAT for the ranges they deal with and leave everything else alone. NATing all traffic may not be ideal in some cases, but filtering traffic that isn't desired is critical. Establishing an initial connection is, of course, necessary so that the server recognizes what the source address should be. -Jack
Re: Microsoft to ship new versions with firewall enabled
John Neiberger wrote: Hmm...I didn't even know XP had a built-in firewall. Any bets on how long it is before other companies with software firewall products bring suit against Microsoft for bundling a firewall in the OS? -- No clue, but I can tell you how long it will last before ISP helpdesks disable the firewall. -Jack
Re: RPC errors and latest worm
According to http://isc.sans.org/diary.html?date=2003-08-11 , the worm uses the latest popular MS exploit ports, so: * Close port 135/tcp (and if possible 135-139, 445 and 593). It also uses TCP port and TFTP = UDP 69 to download its attack code after getting the initial bootstrap infection. So you probably want to be blocking TCP and (if appropriate, which it usually is) TFTP, and tracing any activity and TFTPs to detect attacks.
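The "tracing any activity and TFTPs" part of that advice, as an added example written for this thread (it is not from the SANS diary or the post above): a small pass over connection-log lines that reports sources sweeping many hosts on the RPC ports (the infecting side) and sources making TFTP requests (a freshly hit host pulling the payload). The log format, the sample lines and the scan threshold are constructed assumptions to be adapted to whatever the site's firewall or flow collector actually emits.

```python
"""Spot worm-style RPC scanning and TFTP payload fetches in connection logs.

Added example for the thread above; not from the SANS diary or the post.
The log format, sample lines and threshold are constructed assumptions.
"""
import re
from collections import defaultdict

RPC_PORTS = {135, 136, 137, 138, 139, 445, 593}   # TCP ports named in the post
TFTP_PORT = 69                                    # UDP, used to fetch the payload

# Constructed log format: "<timestamp> <proto> <src>:<sport> > <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)$"
)


def parse(line):
    """Return a dict for one log line, or None if the line is not in the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def analyze(lines, scan_threshold=10):
    """Per-source findings from a batch of log lines.

    A source touching scan_threshold or more distinct hosts on the RPC ports is
    reported as a scanner; any source making a TFTP request is reported as a
    likely fresh victim fetching the payload. scan_threshold is an assumed value
    that has to be tuned to the site's normal RPC/SMB traffic.
    """
    rpc_targets = defaultdict(set)   # src -> hosts contacted on RPC ports
    tftp_peers = defaultdict(set)    # src -> TFTP servers contacted
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue                 # skip lines that do not parse
        if rec["proto"] == "tcp" and rec["dport"] in RPC_PORTS:
            rpc_targets[rec["src"]].add(rec["dst"])
        elif rec["proto"] == "udp" and rec["dport"] == TFTP_PORT:
            tftp_peers[rec["src"]].add(rec["dst"])

    findings = {}
    for src in sorted(set(rpc_targets) | set(tftp_peers)):
        reasons = []
        scanned = len(rpc_targets.get(src, ()))
        if scanned >= scan_threshold:
            reasons.append(f"rpc-scan:{scanned} hosts")
        fetched = len(tftp_peers.get(src, ()))
        if fetched:
            reasons.append(f"tftp-fetch:{fetched} servers")
        if reasons:
            findings[src] = reasons
    return findings


# Constructed sample: 10.1.1.5 sweeps twelve neighbours on 135/tcp, 10.1.1.77
# (just hit) pulls a file over TFTP from it, and 10.1.1.20 does ordinary SMB.
SAMPLE_LOG = (
    [f"2003-08-11T14:02:{i:02d} tcp 10.1.1.5:{1040 + i} > 10.1.1.{100 + i}:135"
     for i in range(12)]
    + ["2003-08-11T14:02:13 udp 10.1.1.77:1037 > 10.1.1.5:69",
       "2003-08-11T14:03:00 tcp 10.1.1.20:2211 > 10.1.1.2:445",
       "this line is not in the expected format"]
)

if __name__ == "__main__":
    for src, why in analyze(SAMPLE_LOG).items():
        print(src, ", ".join(why))
```

The two signals are deliberately kept separate in the output: a TFTP request on its own is worth a look even where the 135/tcp sweep happened outside the monitored segment, and a sweep without any TFTP follow-up still identifies the host doing the scanning.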
Re: Gigabit Media Converter
Thanks but this won't work. We have a specific frequency (CWDM) on one side. -vb

- Original Message - From: Curtis Clan [EMAIL PROTECTED] To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Sent: Monday, August 11, 2003 1:12 PM Subject: Re: Gigabit Media Converter

I believe this is what you are looking for: http://www.transition.com/products/mcon_platform/standalone/gigabit/fsmmm04.htm

Vincent J. Bono [EMAIL PROTECTED] 8/11/2003 12:02:04 PM

Anyone out there ever see or hear tell of a device that will let you run two GBICs back to back without an associated switch and all the trimmings? Application is to convert a CWDM GBIC signal to a Multimode one. TIA, Vin
Re: Port blocking last resort in fight against virus
On Wed, 13 Aug 2003, Petri Helenius wrote:

Mans Nilsson wrote: Subject: Re: Port blocking last resort in fight against virus Date: Tue, Aug 12, 2003 at 10:42:38PM -0400 Quoting Sean Donelan ([EMAIL PROTECTED]): I think filters/firewalls are useful. I believe every computer should have one. I have several. I just disagree on who should control the filters.

Bingo! Firewalls are a patch to broken network application architecture. If your applications would have been properly designed, you would not have the need for firewalls. They are for perimeter defence only anyway.

Sorry, I see where you're coming from on this, but firewalls are more than just patches to broken OSes. In your world DoS traffic would be free to roam the networks as it pleased without being throttled sensibly at ingress? Or the dumb [wannabee] IT guy runs some telnet/ftp/filesharing service without passwords and it's OK for the whole world to access the private system coz it's his fault?

Steve
Re: Port blocking last resort in fight against virus
On Wednesday, August 13, 2003 11:00:56 +0300 Petri Helenius [EMAIL PROTECTED] wrote:

I think filters/firewalls are useful. I believe every computer should have one.

Firewalls are a patch to broken network application architecture. If your applications would have been properly designed, you would not have the need for firewalls. They are for perimeter defence only anyway.

The important wording here is "every computer should have one", indicating that it is the host that protects itself. This said, I do agree that properly written operating systems do not even need this. One free Unix clone I happen to run manages to reach this level of properness, so it is definitely possible.

-- Måns Nilsson Systems Specialist +46 70 681 7204 KTHNOC MN1334-RIPE We're sysadmins. To us, data is a protocol-overhead.
RE: How much longer..
Users, both corporate and at home, need to be taught that there is no such thing as plug and play.

For as much as I agree with the philosophy here, we must realize it is the wrong approach. Cars did not become more popular because owners had to learn how to swap more parts. Wireless phones don't require a contract and setting up your own frequency band. Computers are becoming a utility, and with greater sophistication more and more embedded. Back to cars, remember when a mechanic could fix a problem in a day? How many cars do we all own that now start a service check with a CPU diagnostic? This is not a trend that will be reversed. The emphasis must be placed on other market forces to correct things, like liability for failure and greater R&D for secure systems. Forcing the consumer to learn more has never worked in the market before, and won't here.

Jim
RE: Packeteer stuff?
If you're looking at the Packeteer to put some limits in place based on protocol, you can take a look at Cisco's NBAR, which is supported in IOS. What kind of metrics are you looking for? Netflow type info? How fat is the pipe you want to monitor/manipulate?

-jay

-Original Message- From: Drew Weaver [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 12, 2003 9:47 AM To: '[EMAIL PROTECTED]' Subject: Packeteer stuff?

Specifically talking about the PacketSeeker 6500. Is it worth the money? Or are there better ways to get centralized views of network metrics?

-Drew
Re: Port blocking last resort in fight against virus
* [EMAIL PROTECTED] (Stephen J. Wilcox) [Wed 13 Aug 2003, 10:58 CEST]:

In your world DoS traffic would be free to roam the networks as it pleased without being throttled sensibly at ingress?

How many people are actually following RFC3514? (In other words, how do you separate DoS traffic from normal traffic and define "sensibly"?)

Or the dumb [wannabee] IT guy runs some telnet/ftp/filesharing service without passwords and it's OK for the whole world to access the private system coz it's his fault?

Whose fault can it possibly be besides his? You have to expect others to be psychic to believe otherwise.

-- Niels.