Re: IPv6 vs IPv4 (Re: Sprint NOC? Are you awake now?)

2003-09-03 Thread Iljitsch van Beijnum
On dinsdag, sep 2, 2003, at 23:18 Europe/Amsterdam, Nenad Pudar wrote:

Again my point is that your site (or any other that uses the same DNS 
for IPv4 and 6) may be blackholed by IPv6 (it is not primarily a question 
about the quality of the IPv6 connection; it is the fact that your IPv4 
connection, which may be excellent, is blackholed with your IPv6 
connection, which may not be good, and to me the most obvious solution 
is not to use the same DNS name for both).

First of all, why are you repeating everything the previous posters 
said? This is a waste of bandwidth. Not only on the network, but also 
where it really matters: in the synapses.

The real problem is that your software assumes that if there are 
several addresses in the DNS, it can just pick one and assume that 
address works. That has never been a good idea, but in IPv4 you can get 
away with it. In IPv6, you can't. IPv6 hosts are required to support 
more than a single address per interface, and when people actually use 
this then it's only a matter of time before address #1 becomes 
unreachable while address #2 is still reachable. So this means you have 
to try them all.

The new name to address mechanisms for IPv6 are such that you can ask 
for IPv4 addresses, IPv6 addresses or both for a certain FQDN. If you 
choose both, you'll usually get an IPv6 address first.

I don't see how it would be reasonable to have separate FQDNs for all 
these addresses and have the user try them all rather than simply have 
the application walk through the list of addresses and try them all 
until it gets a live one.

(And yes, I've suffered from decreased performance because of 
non-optimal or even nonexisting IPv6 connectivity, but that's the price 
of being an early adopter.)

Now if your argument is that it's not a good idea to depend on 
applications handling this the way they should _today_ that is 
something I'm willing to discuss, although I don't necessarily agree.

BTW, my IPv6 connectivity for www.bgpexpert.com is in some ways better 
than IPv4 as there is an extra path available over IPv6 that isn't 
available over IPv4.
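The address walk Iljitsch describes, written out as an added Python example (not code from the original post): resolve every A and AAAA record for a name, then try the addresses in the order the resolver returned them until one connects, recording each dead address instead of giving up on the first. The documentation addresses and the simulated connector used by `demo()` are constructed so the walk can be exercised offline; `resolve_candidates` and `tcp_connect` use the real resolver and real sockets when pointed at a live host.

```python
import socket
from typing import Callable, List, Sequence, Tuple

# One resolved endpoint: (address family, textual address, port).
Candidate = Tuple[int, str, int]


def resolve_candidates(hostname: str, port: int) -> List[Candidate]:
    """Ask the resolver for every address of hostname, AAAA and A alike.
    With AF_UNSPEC the IPv6 entries normally come first, which is the
    ordering the post describes."""
    infos = socket.getaddrinfo(hostname, port, socket.AF_UNSPEC, socket.SOCK_STREAM)
    return [(family, sockaddr[0], sockaddr[1]) for family, _, _, _, sockaddr in infos]


def tcp_connect(cand: Candidate, timeout: float) -> socket.socket:
    """Default connector: one real TCP connect attempt to one candidate."""
    family, host, port = cand
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
    except OSError:
        sock.close()
        raise
    return sock


def connect_any(cands: Sequence[Candidate],
                connect: Callable[[Candidate, float], object] = tcp_connect,
                timeout: float = 3.0):
    """Walk the candidate list in order and return (winner, connection, failures)
    for the first candidate that connects. Each dead address is recorded rather
    than aborting the whole attempt; OSError is raised only when all failed."""
    failures: List[Tuple[Candidate, OSError]] = []
    for cand in cands:
        try:
            conn = connect(cand, timeout)
        except OSError as exc:
            failures.append((cand, exc))
            continue
        return cand, conn, failures
    raise OSError(f"all {len(cands)} addresses unreachable: {failures}")


# Constructed sample: the resolver handed back an AAAA record first, then an A
# record (documentation addresses, not real hosts).
SAMPLE_CANDIDATES: List[Candidate] = [
    (socket.AF_INET6, "2001:db8::1", 80),
    (socket.AF_INET, "192.0.2.1", 80),
]


def dead_ipv6_connector(cand: Candidate, timeout: float) -> str:
    """Simulated connector for the offline demo: the IPv6 path is blackholed,
    the IPv4 path works. Stands in for tcp_connect so no network is needed."""
    if cand[0] == socket.AF_INET6:
        raise OSError("connect timed out")   # the blackholed v6 path
    return f"connected to {cand[1]}"


def demo():
    """Run the walk against the constructed candidates; returns (winner, failures)."""
    winner, _, failures = connect_any(SAMPLE_CANDIDATES, connect=dead_ipv6_connector)
    return winner, failures


if __name__ == "__main__":
    chosen, dead = demo()
    print(f"picked {chosen[1]} after {len(dead)} dead address(es)")
```

The timeout per candidate is what bounds the user-visible delay when the first address is blackholed; a client that tries the whole list sequentially still pays one timeout per dead address before it reaches a live one.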



Re: Automatic shutdown of infected network connections

2003-09-03 Thread Matthew S. Hallacy

On Tue, Sep 02, 2003 at 09:59:51AM -0500, Jonathan Crockett wrote:
 I work for a cable modem provider.  What we came up with is a modem config
 that allows http, pop, and smtp while cutting the allowed bandwidth to 56k
 upstream and 56k downstream.  This way they can still get the needed updates,
 but are not able to blast our network.  Secondary effect is that customers
 will call in and complain about slow speeds, then our techs can tell them why
 they are slow and inform them how to fix the problem.

Why in the world would you do that? The DOCSIS specification allows for
filtering rules at the CPE, which means you could simply block icmp echo
and ports 135-139+445 directly at their home network, causing no load 
whatsoever on your network, _and_ no more infected boxes (even at 56k).

Besides, have you ever tried updating an XP system at 56k? It could 
literally take days.

-- 
Matthew S. Hallacy                          FUBAR, LART, BOFH Certified
http://www.poptix.net                       GPG public key 0x01938203


Re: Automatic shutdown of infected network connections

2003-09-03 Thread Nathan E Norman

On Wed, Sep 03, 2003 at 07:39:17AM -0500, Matthew S. Hallacy wrote:
 
 On Tue, Sep 02, 2003 at 09:59:51AM -0500, Jonathan Crockett wrote:
  I work for a cable modem provider.  What we came up with is a modem config
  that allows http, pop, and smtp while cutting the allowed bandwidth to 56k
  upstream and 56k downstream.  This way they can still get the needed updates,
  but are not able to blast our network.  Secondary effect is that customers
  will call in and complain about slow speeds, then our techs can tell them why
  they are slow and inform them how to fix the problem.
 
 Why in the world would you do that? the DOCSIS specification allows for
 filtering rules at the CPE, which means you could simply block icmp echo
 and ports 135-139+445 directly at their home network, causing no load 
 whatsoever on your network, _and_ no more infected boxes (even at 56k).

The modem _is_ the CPE.  There's no load on the network; just CPU on
the modem.  modem config != CMTS config.
 
 Besides, have you ever tried updating an XP system at 56k? It could 
 literally take days.

You may have a point there.

-- 
Nathan Norman - Incanus Networking mailto:[EMAIL PROTECTED]
  Perilous to all of us are the devices of an art deeper than we
  ourselves possess.
  -- Gandalf the Grey


Re: Automatic shutdown of infected network connections

2003-09-03 Thread Omachonu Ogali

 Besides, have you ever tried updating an XP system at 56k? It could 
 literally take days.

Yes, days if you have never updated the system at all or if you count
minutes as days.

And if you just bought a new system, it should have the big update
(SP2) installed on the machine already, unless you're dealing with
an incompetent PC manufacturer/reseller/whatever that likes to cut
corners (say something idiotic like buying plain XP OEM CDs instead
of XP+SP2 OEM CDs because it saves them $1-3 per seat from some gray
distributor) or not stay up to speed on MS security because they
don't want to deal with after-sale support or provide it.

Right now, Windows XP says I'm "Connected at 50.6Kbps", and there
are no annoying "There are critical updates available for your
system" nag messages beaming from the taskbar.


Re: Automatic shutdown of infected network connections

2003-09-03 Thread Mike Tancsa
At 10:41 AM 03/09/2003 -0400, Omachonu Ogali wrote:
And if you just bought a new system, it should have the big update
(SP2) installed on the machine already, unless you're dealing with
an incompetent PC manufacturer/reseller/whatever that likes to cut
corners (say something idiotic like buying plain XP OEM CDs instead
of XP+SP2 OEM CDs because it saves them $1-3 per seat from some gray
distributor) or not stay up to speed on MS security because they
don't want to deal with after-sale support or provide it.


FYI, the last 3 Dell laptops we bought (2 weeks ago) all needed about 56MB 
of patches OOTB

---Mike 



RE: bgp as-path info

2003-09-03 Thread Truman, Michelle, RTSLS

Jay,

 Customer care should be able to help you. If you have any trouble let me know. I can 
tell you the community you need to use to get your more specific route out. 

Michelle

Michelle Truman   CCIE # 8098
Principal Technical Consultant
ATT Solutions Center
mailto:[EMAIL PROTECTED]
Work: 651-998-0949 





-Original Message-
From: Austad, Jay [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 02, 2003 1:19 PM
To: 'Jack Bates'; Austad, Jay
Cc: [EMAIL PROTECTED]
Subject: RE: bgp as-path info



Actually, it looks like this is what they are doing.  I've already put a
call in with them.

 -Original Message-
 From: Jack Bates [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, September 02, 2003 1:17 PM
 To: Austad, Jay
 Cc: [EMAIL PROTECTED]
 Subject: Re: bgp as-path info
 
 
 If you look closely, they are probably not just stripping your AS. They
 are probably aggregating your network. One provider that I am aware of
 that does this is AT&T. Since your advertisements out the other network
 will be more specific, traffic will only come through them. If the
 networks are the same size, then traffic will most likely come through
 your first provider due to AS path counts.
 
 Usually, you have to request that your more specific routes be allowed
 out due to multi-homing. In the case of AT&T, they have a community that
 you must send with the route to have it sent beyond their local network.
 It's really just a matter of default preference on the part of your
 provider. Some default to advertise more specific while others default
 to advertising their aggregates. The latter is used most commonly when a
 provider does a lot of BGP peering that is not multi-homed. It's not a
 bad policy when it comes to looking at the BGP tables.
 
 -Jack
 
 Austad, Jay wrote:
 
  I just brought up a BGP session with one of my providers, they are stripping
  our AS as it leaves their network, so it looks like the route is originating
  from their network.  I have another provider that I will be bringing up BGP
  with later this week.  Once I bring up the other provider, I will be
  advertising several networks out both of them.
  
  Is this as-path stripping going to cause issues?  Does it matter either way?
  
  -jay
 
 
 


RE: bgp as-path info

2003-09-03 Thread Ejay Hire

IIRC, They will advertise your specifics if you attach a community of
7018:20 to the route as you send it to them.  Otherwise they aggregate
all of the routes in the 12/8.

-Ejay

-Original Message-
From: Austad, Jay [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 02, 2003 1:19 PM
To: 'Jack Bates'; Austad, Jay
Cc: [EMAIL PROTECTED]
Subject: RE: bgp as-path info



Actually, it looks like this is what they are doing.  I've already put a
call in with them.

 -Original Message-
 From: Jack Bates [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, September 02, 2003 1:17 PM
 To: Austad, Jay
 Cc: [EMAIL PROTECTED]
 Subject: Re: bgp as-path info
 
 
 If you look closely, they are probably not just stripping your AS. They
 are probably aggregating your network. One provider that I am aware of
 that does this is AT&T. Since your advertisements out the other network
 will be more specific, traffic will only come through them. If the
 networks are the same size, then traffic will most likely come through
 your first provider due to AS path counts.
 
 Usually, you have to request that your more specific routes be allowed
 out due to multi-homing. In the case of AT&T, they have a community that
 you must send with the route to have it sent beyond their local network.
 It's really just a matter of default preference on the part of your
 provider. Some default to advertise more specific while others default
 to advertising their aggregates. The latter is used most commonly when a
 provider does a lot of BGP peering that is not multi-homed. It's not a
 bad policy when it comes to looking at the BGP tables.
 
 -Jack
 
 Austad, Jay wrote:
 
  I just brought up a BGP session with one of my providers, they are stripping
  our AS as it leaves their network, so it looks like the route is originating
  from their network.  I have another provider that I will be bringing up BGP
  with later this week.  Once I bring up the other provider, I will be
  advertising several networks out both of them.
  
  Is this as-path stripping going to cause issues?  Does it matter either way?
  
  -jay
 
 
 
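To make Jack Bates' explanation (quoted above) and Ejay's note on the community concrete, here is an added Python model of how a distant network chooses between an aggregate and a more specific; it is not code from any poster. It uses constructed private ASNs and RFC 1918 prefixes rather than the real 12/8 and 7018:20, and the community is modelled only as a flag that lets the specific escape the aggregating provider. Best-path selection is reduced to the two steps the thread turns on: longest prefix match first, then shortest AS path; local preference, MED and the remaining tie-breakers are left out.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    as_path: Tuple[int, ...]   # leftmost ASN is the neighbour that announced it
    learned_from: str          # label for the announcing neighbour


def best_route(rib: List[Route], dest: str) -> Optional[Route]:
    """Pick the route a remote network would use for dest. Longest prefix
    match is decided before any BGP attribute is looked at; among routes of
    equal length the shortest AS path wins. Remaining tie-breakers are
    simplified to the neighbour label for determinism."""
    addr = ipaddress.ip_address(dest)
    matching = [r for r in rib if addr in r.prefix]
    if not matching:
        return None
    longest = max(r.prefix.prefixlen for r in matching)
    same_length = [r for r in matching if r.prefix.prefixlen == longest]
    return min(same_length, key=lambda r: (len(r.as_path), r.learned_from))


# Constructed topology (private ASNs and RFC 1918 space, not real networks).
CUSTOMER_AS = 65001                  # the multi-homed customer
PROVIDER_A = 65010                   # aggregates and strips the customer AS
PROVIDER_B = 65020                   # passes the specific through unchanged
CUSTOMER_PREFIX = ipaddress.ip_network("10.20.0.0/16")
PROVIDER_A_AGGREGATE = ipaddress.ip_network("10.0.0.0/8")


def rib_as_seen_remotely(provider_a_exports_specific: bool) -> List[Route]:
    """What a distant network receives once both sessions are up."""
    rib = [
        # Provider B re-announces the customer's exact prefix with the full path.
        Route(CUSTOMER_PREFIX, (PROVIDER_B, CUSTOMER_AS), "provider_B"),
        # Provider A only ever announces its aggregate, originated from itself.
        Route(PROVIDER_A_AGGREGATE, (PROVIDER_A,), "provider_A"),
    ]
    if provider_a_exports_specific:
        # After the customer tags the route with the community the provider
        # requires, the specific escapes too, still with the customer AS stripped.
        rib.append(Route(CUSTOMER_PREFIX, (PROVIDER_A,), "provider_A"))
    return rib


def inbound_provider(provider_a_exports_specific: bool, dest: str = "10.20.5.5") -> str:
    """Which provider traffic for dest enters the customer through."""
    return best_route(rib_as_seen_remotely(provider_a_exports_specific), dest).learned_from


if __name__ == "__main__":
    print("aggregate only    ->", inbound_provider(False))   # provider_B
    print("specific exported ->", inbound_provider(True))    # provider_A
```

Without the community, every remote network prefers the /16 from provider B and provider A carries no inbound traffic at all; once A exports the specific, its stripped (shorter) AS path wins the tie, which is the "traffic will most likely come through your first provider" case Jack describes.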



Re: Automatic shutdown of infected network connections

2003-09-03 Thread Matthew S. Hallacy

On Wed, Sep 03, 2003 at 07:20:28AM -0500, Nathan E Norman wrote:
 On Wed, Sep 03, 2003 at 07:39:17AM -0500, Matthew S. Hallacy wrote:
  Why in the world would you do that? the DOCSIS specification allows for
  filtering rules at the CPE, which means you could simply block icmp echo
  and ports 135-139+445 directly at their home network, causing no load 
  whatsoever on your network, _and_ no more infected boxes (even at 56k).
 
 The modem _is_ the CPE.  There's no load on the network; just CPU on
 the modem.  modem config != CMTS config.

I think that's exactly what I said, perhaps you misread my comment.

My point was that you're rate limiting and filtering customers for no 
reason when you have the ability to filter the attack vectors in a very
effective and 'clean' way. You should consider leaving those ports filtered
seeing how they're the #1 way for Windows systems to be infected/hijacked.

-- 
Matthew S. Hallacy                          FUBAR, LART, BOFH Certified
http://www.poptix.net                       GPG public key 0x01938203


Anyone here from Earthlink?

2003-09-03 Thread chuck goolsbee
Please contact me offlist. Normal contact methodologies have 
failed, and a problem is now four days old.

Thank you.

--

Chuck Goolsbee  V.P. Technical Operations
_
digital.forest  Phone: +1-877-720-0483, x2001
where Internet solutions grow  Int'l: +1-425-483-0483
19515 North Creek ParkwayFax: +1-425-482-6871
Suite 208   http://www.forest.net
Bothell, WA 98011email: [EMAIL PROTECTED]


Re: Automatic shutdown of infected network connections

2003-09-03 Thread Nathan E Norman

On Wed, Sep 03, 2003 at 10:45:26AM -0500, Matthew S. Hallacy wrote:
 
 On Wed, Sep 03, 2003 at 07:20:28AM -0500, Nathan E Norman wrote:
[ Jonathan said we are filtering and rate limiting at the modem ...  ]

  On Wed, Sep 03, 2003 at 07:39:17AM -0500, Matthew S. Hallacy wrote:
   Why in the world would you do that? the DOCSIS specification allows for
  ^^
   filtering rules at the CPE, which means you could simply block icmp echo
   and ports 135-139+445 directly at their home network, causing no load 
   whatsoever on your network, _and_ no more infected boxes (even at 56k).
  
  The modem _is_ the CPE.  There's no load on the network; just CPU on
  the modem.  modem config != CMTS config.
 
 I think that's exactly what I said, perhaps you misread my comment.

What you said is highlighted above.  I don't think I misread it ... I
may have misunderstood what you meant.  Did you intend to take issue
_only_ with rate limiting, as opposed to filtering, or are you taking
issue with the broad filtering described, or both?  I'm trying to
parse "Why in the world ..." :-)
 
 My point was that you're rate limiting and filtering customers for no 
 reason when you have the ability to filter the attack vectors in a very
 effective and 'clean' way. You should consider leaving those ports filtered
 seeing how they're the #1 way for windows systems to be infected/hijacked.

The provider in question has a long-standing tradition of providing
unfiltered access.  Perhaps recent events will cause them to change
their policy as you suggest.  Personally I think it's a great idea.

[ I'm no longer an employee of said provider ]

Best regards,

-- 
Nathan Norman - Incanus Networking mailto:[EMAIL PROTECTED]
  This message cannot be considered spam, even though it is.  Some
  law that never was enacted says so.
  -- Arkadiy Belousov


Cisco Service Provider code - Any good?

2003-09-03 Thread Jason Frisvold
All,

It was requested that I post this email to the Nanog list as the person
in question does not have posting ability...  :)

Hello All,

We're currently looking into migrating our Cisco 72xx and 75xx routers
to Service Provider IOS and I was wondering if anyone has had any good
luck with a certain version?  We've seen that 12.0(25)S1 seems to be an
ok version but I have also heard some gripes about it.  The PAs that we
run in most of the units are the following:

ATM-OC3-MM
ATM-OC12-MM
FastE
GigE

The IOS would also have to support RFC-1483 connections (Preferably
RBE), BGP, IS-IS and any other basic services of that sort.

Thanks in advance

-- 
---
Jason H. Frisvold
Backbone Engineering Supervisor
Penteledata Engineering
[EMAIL PROTECTED]
RedHat Engineer - RHCE # 807302349405893
Cisco Certified - CCNA # CSCO10151622
MySQL Core Certified - ID# 205982910
---
Imagination is more important than knowledge.
Knowledge is limited. Imagination encircles
the world.
  -- Albert Einstein [1879-1955]




Re: Automatic shutdown of infected network connections

2003-09-03 Thread Roland Perry
In article [EMAIL PROTECTED], Mike Tancsa 
[EMAIL PROTECTED] writes
FYI, the last 3 Dell laptops we bought (2 weeks ago) all needed about 
56MB of patches OOTB
That's exactly the same as I needed for a copy of XP-Upgrade I bought in 
a high-turnover retail store (Staples, in USA) last week.
--
Roland Perry


Distributed sniffer products

2003-09-03 Thread Austad, Jay

Anyone have any experience with these?  I'm looking for something similar to
Network Associates Sniffer product.

Are there any open source projects that are decent?  What are others using?


Jay Austad
Senior Network Analyst
Travelers Express / MoneyGram
e: [EMAIL PROTECTED] p: 952.591.3779


Re: Automatic shutdown of infected network connections

2003-09-03 Thread Matthew S. Hallacy

On Wed, Sep 03, 2003 at 10:12:16AM -0500, Nathan E Norman wrote:

 What you said is highlighted above.  I don't think I misread it ... I
 may have misunderstood what you meant.  Did you intend to take issue
 _only_ with rate limiting, as opposed to filtering, or are you taking
 issue with the broad filtering described, or both?  i'm trying to
 parse Why in the world ... :-)

I was taking issue with the deny all, allow pop3, smtp, http, .. + rate
limit approach. I did see the 'filtering at the modem' part; perhaps restating
the ability of DOCSIS compliant CPEs was confusing.

-- 
Matthew S. Hallacy                          FUBAR, LART, BOFH Certified
http://www.poptix.net                       GPG public key 0x01938203


Re: Automatic shutdown of infected network connections

2003-09-03 Thread Omachonu Ogali

On Wed, Sep 03, 2003 at 10:55:47AM -0400, [EMAIL PROTECTED] wrote:
 On Wed, 3 Sep 2003, at 10:41am, [EMAIL PROTECTED] wrote:
  And if you just bought a new system, it should have the big update (SP2)
  installed on the machine already ...
 
   Service Pack 2 for Windows XP has not been released yet.

Weird, when I go to Add/Remove programs, I see (SP2) next to the
hotfixes I applied, from that I assumed SP2 was out or something.
 
   As of 1 Sep 2003, there are 21 post-SP1 security-related hotfixes posted
 for Windows XP.  The total download size is quite large, if you are on a 56
 kilobit modem.

Most of my updates were done on this same modem, and if I recall
correctly, most of them varied in size from 300KB to 2MB. Then
again, I haven't done a fresh XP install ever since I installed
it on this laptop so I don't know how big the initial lump is
right now.
 
  ... unless you're dealing with an incompetent PC
  manufacturer/reseller/whatever that likes to cut corners ...
 
   Like, say, most of them?

Eek. :(

Hate to rehash the responsibility debate...but shouldn't the
manufacturers/whatever slap the latest service packs on their
products that they're selling?

If GM puts out a recall on their vehicles for a GE lamp, yeah,
I'm sure GE takes the blame and a hit to their stock, but the
dealers go to GM (the aggregator) for the replacement and fix
the vehicles they have on the lot before another one gets sold,
right?

Subtract one level of hierarchy (the dealer, or you could leave
it in, since most system builders are rolling out their own
stores...Apple, Dell, Gateway, etc.) and you have the common
relationship of Microsoft-OEM-End User. Shouldn't the OEM be
responsible for any product coming off their shelf that's been
recalled up until the point of the recall?


Re: Distributed sniffer products

2003-09-03 Thread Joel Jaeggli

On Wed, 3 Sep 2003, Austad, Jay wrote:

 
 Anyone have any experience with these?  I'm looking for something similar to
 Network Associates Sniffer product.
 
 Are there any open source projects that are decent?  What are others using?

we use bro and snort...

http://www.snort.org/

http://www-nrg.ee.lbl.gov/bro-info.html
 
 
 Jay Austad
 Senior Network Analyst
 Travelers Express / MoneyGram
 e: [EMAIL PROTECTED] p: 952.591.3779
 

-- 
-- 
Joel Jaeggli   Unix Consulting [EMAIL PROTECTED]
GPG Key Fingerprint: 5C6E 0104 BAF0 40B0 5BD3 C38B F000 35AB B67F 56B2




RE: Distributed sniffer products

2003-09-03 Thread Luke Starrett

I took a different approach and run a Windows XP machine with multiple
network cards to the segments that I regularly need to sniff.  I use the
remote desktop feature to access the box.  It has one NIC for regular
connectivity, and a couple others that are just used for sniffing.
Others are using cheap linux boxes running ethereal in a similar fashion
using VNC to access the box.  

Luke

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of Austad, Jay
 Sent: Wednesday, September 03, 2003 11:08 AM
 To: '[EMAIL PROTECTED]'
 Subject: Distributed sniffer products
 
 
 
 Anyone have any experience with these?  I'm looking for 
 something similar to Network Associates Sniffer product.
 
 Are there any open source projects that are decent?  What are 
 others using?
 
 
 Jay Austad
 Senior Network Analyst
 Travelers Express / MoneyGram
 e: [EMAIL PROTECTED] p: 952.591.3779
 



Re: What do you want your ISP to block today?

2003-09-03 Thread Johannes Ullrich


I just summarized my thoughts on this topic here:
http://www.sans.org/rr/special/isp_blocking.php

Overall: I think there are some ports (135, 137, 139, 445)
a consumer ISP should block as close to the customer as
they can. 

One basic issue is that people discussing this topic on 
mailing lists like these are not average home users. Most
of us here have seen a DOS prompt at some point and know
about Service Packs and Hotfixes.




-- 
--
Johannes Ullrich [EMAIL PROTECTED]
pgp key: http://johannes.homepc.org/PGPKEYS
--
   We regret to inform you that we do not enable any of the 
security functions within the routers that we install.
 [EMAIL PROTECTED]
--




Re: Automatic shutdown of infected network connections

2003-09-03 Thread Mike Tancsa
At 02:21 PM 03/09/2003 -0400, Omachonu Ogali wrote:
Eek. :(

Hate to rehash the responsibility debate...but shouldn't the
manufacturers/whatever slap the latest service packs on their
products that they're selling?
That would add cost.  You either eat that cost or pass it on to the 
consumer.  As price is the number one criterion for the mass market, I am 
sure vendors are shy about raising prices and equally shy about eating into 
meager profits.


If GM puts out a recall on their vehicles for a GE lamp.
You know it's not that simple. Changing a light bulb does not have the 
same potentially unforeseen and unintended consequences as installing 56MB 
of new code.  It WILL break some things.

Vendor A laptop price = $x
Vendor B laptop price = $x+ $20
A-Laptop == B-Laptop

Given the choice between the two where one has all the service packs 
installed and the other for $20 less does not? Sad to say, most will take 
the one for $20 less as "the other is ripping me off!"  Most consumers don't 
have a hope in hell sometimes of understanding value in the tech world and 
instead fixate totally on price.

---Mike 



NANOG 29 (Chicago) Meeting Information

2003-09-03 Thread Carol Wadsworth
Registration is now open for NANOG 29, October 19-21,
in Chicago.  The meeting will be hosted by Server Central.
Call for Presentations (submit by September 8):

  http://www.nanog.org/mtg-0310/call29.html

Additional meeting information:

   http://www.nanog.org

Of special note, vendor sponsors can now display equipment
during the continental breakfasts and afternoon breaks.
Vendor sponsor information:
  http://www.nanog.org/vendor.html

See you there!


Re: Automatic shutdown of infected network connections

2003-09-03 Thread Chris Horry
Omachonu Ogali wrote:

On Wed, Sep 03, 2003 at 10:55:47AM -0400, [EMAIL PROTECTED] wrote:

On Wed, 3 Sep 2003, at 10:41am, [EMAIL PROTECTED] wrote:

And if you just bought a new system, it should have the big update (SP2)
installed on the machine already ...
 Service Pack 2 for Windows XP has not been released yet.


Weird, when I go to Add/Remove programs, I see (SP2) next to the
hotfixes I applied, from that I assumed SP2 was out or something.
Those are pre-SP2 updates, which means they'll be integrated into 
Service Pack 2.

Chris

--
Chris Horry   Don't submit to stupid rules,
[EMAIL PROTECTED] Be yourself and not a fool.
PGP: DSA/2B4C654E  Don't accept average habits,
Amateur Radio: KG4TSM   Open your heart and push the limits.


Re: Cisco Service Provider code - Any good?

2003-09-03 Thread Peter E. Fry

Jason Frisvold wrote:

[...]
 We're currently looking into migrating our Cisco 72xx and 75xx routers
 to Service Provider IOS [...]

 The IOS would also have to support RFC-1483 connections (Preferably
 RBE), BGP, IS-IS and any other basic services of that sort.

  Looks like bridging (IRB and RBE) is spanky new to the S feature sets
-- 12.2-14S range, so a 12.0-S load doesn't sound like it'll do the job
for you.

Peter E. Fry


Re: What do you want your ISP to block today?

2003-09-03 Thread Sean Donelan

On Wed, 3 Sep 2003, Johannes Ullrich wrote:
 I just summarized my thoughts on this topic here:
 http://www.sans.org/rr/special/isp_blocking.php

 Overall: I think there are some ports (135, 137, 139, 445),
 a consumer ISP should block as close to the customer as
 they can.

If ISPs had blocked port 119, Sobig could not have been distributed
via USENET.


Perhaps unbelievably to people on this mailing list, many people
legitimately use 135, 137, 139 and 445 over the open Internet
everyday. Which protocols do you think are used more on today's
Internet?  SSH or NETBIOS?

Some businesses have created an entire industry of outsourcing Exchange
service, which needs all their customers to be able to use those ports.

http://www.mailstreet.net/MS/urgent.asp

http://dmoz.org/Computers/Software/Groupware/Microsoft_Exchange/

If done properly, those ports are no more or less dangerous than
any other 16-bit port number used for TCP or UDP protocol headers.


But we need to be careful not to make the mistake of assuming that just
because we don't use those ports the protocols aren't useful to other
people.




RE: What do you want your ISP to block today?

2003-09-03 Thread Matthew Kaufman

I just read the paper... Sounds like as an ISP, I should offer a new product:
"The Internet Minus Four Port Numbers Microsoft Can't Handle". What I can't
tell is whether this should cost more or less than "The Internet".

Matthew Kaufman

 On Behalf Of Johannes Ullrich:
 
 I just summarized my thoughts on this topic here: 
 http://www.sans.org/rr/special/isp_blocking.php
 
 Overall: I 
 think there are some ports (135, 137, 139, 
 445),
 a consumer ISP should block as close to the customer as
 they can. 
 



RE: Distributed sniffer products

2003-09-03 Thread Owen DeLong
OK... I'll leave the XP thing al0wned.

As to the linux solution, why would you bother with VNC rather than just
ssh?  Pull the libpcap file back to a local desktop for analysis in 
ethereal.

Owen

--On Wednesday, September 3, 2003 11:26 AM -0700 Luke Starrett 
[EMAIL PROTECTED] wrote:

I took a different approach and run a Windows XP machine with multiple
network cards to the segments that I regularly need to sniff.  I use the
remote desktop feature to access the box.  It has one NIC for regular
connectivity, and a couple others that are just used for sniffing.
Others are using cheap linux boxes running ethereal in a similar fashion
using VNC to access the box.
Luke

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Austad, Jay
Sent: Wednesday, September 03, 2003 11:08 AM
To: '[EMAIL PROTECTED]'
Subject: Distributed sniffer products


Anyone have any experience with these?  I'm looking for
something similar to Network Associates Sniffer product.
Are there any open source projects that are decent?  What are
others using?

Jay Austad
Senior Network Analyst
Travelers Express / MoneyGram
e: [EMAIL PROTECTED] p: 952.591.3779





Re: Automatic shutdown of infected network connections

2003-09-03 Thread Chris Lewis
Sean Donelan wrote:

How many ISPs disconnect infected computers from the network?  Do you
leave them connected because they are paying customers, and how else
could they download the patch from microsoft?
As an aside:

As a corporation (no customers per-se), we disconnect infected computers 
_completely_ (via remote router/switch control tools).  We can do it 
automatically (via various detectors), but usually do it manually.

This is primarily to maintain service levels with non-infected stuff.

Fixing the computer is usually done by support staff.  Via CD if it's 
unsafe to reconnect the machine to the net.

If we get infested bad enough, we block the attack ports 
subnet-by-subnet as necessary until we've sterilized the subnet.
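Chris Lewis mentions automatic detectors, Matthew Hallacy names the ports (135-139 and 445), and Sean Donelan warns earlier in the thread that the same ports carry legitimate Exchange traffic. The following is an added Python example, not code from any poster, that reconciles those points: it scans flow records for sources contacting many distinct hosts on those ports, so a worm sweeping a subnet is flagged while a workstation talking to one outsourced Exchange server all day is not. The record format (`ts src dst proto dport`) and the RFC 1918 addresses are constructed for the demo.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set

# Ports singled out in the thread: RPC endpoint mapper, NetBIOS and SMB.
WORM_PORTS = {135, 137, 138, 139, 445}


class Flow(NamedTuple):
    ts: int      # seconds
    src: str
    dst: str
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record: 'ts src dst proto dport'."""
    ts, src, dst, proto, dport = line.split()
    return Flow(int(ts), src, dst, proto, int(dport))


def find_scanners(lines: Iterable[str], threshold: int = 20) -> Dict[str, int]:
    """Return {src: distinct_destinations} for every source that touched at
    least `threshold` distinct hosts on WORM_PORTS. Counting distinct
    destinations rather than packets is what separates a spreading worm from
    a client repeatedly talking to one Exchange server on the same ports."""
    targets: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        if flow.proto == "tcp" and flow.dport in WORM_PORTS:
            targets[flow.src].add(flow.dst)
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


def sample_flows() -> List[str]:
    """Constructed records (RFC 1918 addresses) standing in for a flow export."""
    lines = ["# ts src dst proto dport"]
    # An infected workstation sweeping a neighbouring /24 on the RPC port.
    lines += [f"{1000 + i} 10.1.1.5 10.1.2.{i} tcp 135" for i in range(1, 31)]
    # A legitimate client hammering its single outsourced Exchange server.
    lines += [f"{1000 + i} 10.1.1.7 172.16.0.10 tcp {445 if i % 2 else 135}"
              for i in range(40)]
    # Ordinary web browsing, never on the watched ports.
    lines += [f"{1000 + i} 10.1.1.9 192.168.100.{i} tcp 80" for i in range(1, 26)]
    return lines


if __name__ == "__main__":
    for src, count in find_scanners(sample_flows()).items():
        print(f"{src}: {count} distinct hosts on worm ports -> candidate for isolation")
```

The threshold is the policy knob: a corporate network that isolates automatically, as Chris describes, wants it high enough that a file server with many SMB clients is never the one cut off, so in practice the count is taken per time window and compared against that source's usual fan-out rather than a fixed number.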




RE: Distributed sniffer products

2003-09-03 Thread Luke Starrett

 OK... I'll leave the XP thing al0wned.

Understood...  It was a quick (and dirty) solution.

 As to the linux solution, why would you bother with VNC 
 rather than just ssh.  Pull the libpcap file back to a local 
 desktop for analysis in 
 ethereal.

SSH works, but it's sometimes nice to have a persistent session that I
can pick back up later (or from a different PC).  

Luke



Re: What do you want your ISP to block today?

2003-09-03 Thread Vinny Abello
At 02:51 PM 9/3/2003, Sean Donelan wrote:

On Wed, 3 Sep 2003, Johannes Ullrich wrote:
 I just summarized my thoughts on this topic here:
 http://www.sans.org/rr/special/isp_blocking.php

 Overall: I think there are some ports (135, 137, 139, 445),
 a consumer ISP should block as close to the customer as
 they can.
If ISPs had blocked port 119, Sobig could not have been distributed
via USENET.
Perhaps unbelievably to people on this mailing list, many people
legitimately use 135, 137, 139 and 445 over the open Internet
everyday. Which protocols do you think are used more on today's
Internet?  SSH or NETBIOS?
Some businesses have created an entire industry of outsourcing Exchange
service, which needs all their customers to be able to use those ports.
http://www.mailstreet.net/MS/urgent.asp

http://dmoz.org/Computers/Software/Groupware/Microsoft_Exchange/

If done properly, those ports are no more or less dangerous than
any other 16-bit port number used for TCP or UDP protocol headers.
But we need to be careful not to make the mistake of assuming that just
because we don't use those ports the protocols aren't useful to other
people.
Even on Windows they can be used in a much safer fashion (although I would 
never attempt it for any of my stuff). It is possible to use IPSec policies 
on 2000 and higher to encrypt all traffic on specified ports to specified 
hosts/networks and block all other traffic. I bet some people are using 
this to join remote locations securely to each other for Windows networking 
with these ports and IPSec policies.

Vinny Abello
Network Engineer
Server Management
[EMAIL PROTECTED]
(973)300-9211 x 125
(973)940-6125 (Direct)
PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0  E935 5325 FBCB 0100 977A
Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com (888)TELLURIAN
There are 10 kinds of people in the world. Those who understand binary and 
those that don't.



Re: What do you want your ISP to block today?

2003-09-03 Thread Johannes Ullrich



 Some businesses have created an entire industry of outsourcing Exchange
 service, which needs all their customers to be able to use those ports.

So should everyone else be required to keep their doors open so they can
offer the service? Who is wrong/right? Millions of vulnerable users that
need some basic protection now, or a few businesses?


-- 
--
Johannes Ullrich [EMAIL PROTECTED]
pgp key: http://johannes.homepc.org/PGPKEYS
--
   We regret to inform you that we do not enable any of the 
security functions within the routers that we install.
 [EMAIL PROTECTED]
--




RE: Distributed sniffer products

2003-09-03 Thread Owen DeLong

OK... I'll leave the XP thing al0wned.
Understood...  It was a quick (and dirty) solution.

How was that any quicker than the same thing running on Linux?
(hint:  XP install time on P4/1.6Ghz/512MB - ~2 hours
RH8.0 install time on same machine - ~30 minutes)
As to the linux solution, why would you bother with VNC
rather than just ssh.  Pull the libpcap file back to a local
desktop for analysis in
ethereal.
SSH works, but it's sometimes nice to have a persistent session that I
can pick back up later (or from a different PC).
That's what screen is for. :-)

Luke

Owen



RE: What do you want your ISP to block today?

2003-09-03 Thread Johannes Ullrich

On Wed, 2003-09-03 at 14:53, Matthew Kaufman wrote:
 I just read the paper... Sounds like as an ISP, I should offer a new product
 The Internet Minus Four Port Numbers Microsoft Can't Handle. What I can't
 tell is whether this should cost more or less than The Internet

Charge the same and take your 'abuse' team out for lunch on the change
you save by blocking the ports ;-)





Re: Cisco Service Provider code - Any good?

2003-09-03 Thread Peter E. Fry

Peter E. Fry wrote:

   Looks like bridging (IRB and RBE) is spanky new to the S feature sets
 -- 12.2-14S range, so a 12.0-S load doesn't sound like it'll do the job
 for you.

  Ooops...  RBE is available for the 7500 and IRB for the 7200 in the
late 12.0-S loads, apparently.  Well, that's new and unusual.  Bridging
was unavailable on the 7500 in earlier 12.0-S versions, and I made the
mistake of searching initially for both features at once.

Peter E. Fry


Re: What do you want your ISP to block today?

2003-09-03 Thread William Devine, II

I would think that any company that outsourced exchange services to another
entity would want either a VPN between their two offices or a direct PtP
link.
But I also know that the most logical method is not always understandable to
the pointy haired people.

william

- Original Message - 
From: Sean Donelan [EMAIL PROTECTED]
To: Johannes Ullrich [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Wednesday, September 03, 2003 1:51 PM
Subject: Re: What do you want your ISP to block today?



 On Wed, 3 Sep 2003, Johannes Ullrich wrote:
  I just summarized my thoughts on this topic here:
  http://www.sans.org/rr/special/isp_blocking.php
 
  Overall: I think there are some ports (135, 137, 139, 445),
  a consumer ISP should block as close to the customer as
  they can.

 If ISPs had blocked port 119, Sobig could not have been distributed
 via USENET.


 Perhaps unbelievably to people on this mailing list, many people
 legitimately use 135, 137, 139 and 445 over the open Internet
 every day. Which protocols do you think are used more on today's
 Internet?  SSH or NETBIOS?

 Some businesses have created an entire industry of outsourcing Exchange
 service which need all their customers to be able to use those ports.

 http://www.mailstreet.net/MS/urgent.asp

 http://dmoz.org/Computers/Software/Groupware/Microsoft_Exchange/

 If done properly, those ports are no more or less dangerous than
 any other 16-bit port number used for TCP or UDP protocol headers.


 But we need to be careful not to make the mistake that just because
 we don't use those ports that the protocols aren't useful to other
 people.







Re: Distributed sniffer products

2003-09-03 Thread ravi pina

On Wed, Sep 03, 2003 at 12:05:06PM -0700, Luke Starrett said at one point in time:
 
 SSH works, but it's sometimes nice to have a persistent session that I
 can pick back up later (or from a different PC).  
 
 Luke


http://www.gnu.org/software/screen/

-r


Re: What do you want your ISP to block today?

2003-09-03 Thread Petri Helenius
Johannes Ullrich wrote:

So should everyone else be required to keep their doors open so they can
offer the service? Who is wrong/right? Millions of vulnerable users that
need some basic protection now, or a few businesses?
 

That depends if you are buying the 100% internet or 99.993% internet 
service.

Pete





RE: Distributed sniffer products

2003-09-03 Thread Joel Jaeggli

On Wed, 3 Sep 2003, Luke Starrett wrote:

 
  OK... I'll leave the XP thing al0wned.
 
 Understood...  It was a quick (and dirty) solution.
 
  As to the linux solution, why would you bother with VNC 
  rather than just ssh.  Pull the libpcap file back to a local 
  desktop for analysis in 
  ethereal.
 
 SSH works, but it's sometimes nice to have a persistent session that I
 can pick back up later (or from a different PC).  

screen
 
 Luke
 

-- 
-- 
Joel Jaeggli   Unix Consulting [EMAIL PROTECTED]
GPG Key Fingerprint: 5C6E 0104 BAF0 40B0 5BD3 C38B F000 35AB B67F 56B2




Re: Distributed sniffer products

2003-09-03 Thread Larry Rosenman


--On Wednesday, September 03, 2003 15:22:55 -0400 ravi pina [EMAIL PROTECTED] 
wrote:

On Wed, Sep 03, 2003 at 12:05:06PM -0700, Luke Starrett said at one point
in time:
SSH works, but it's sometimes nice to have a persistent session that I
can pick back up later (or from a different PC).
Luke


http://www.gnu.org/software/screen/

-r

Does anyone have a *GOOD* screenrc example config?  I was VERY confused by
the info file.
(OT, I know, but...)

LER

--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 972-414-9812 E-Mail: [EMAIL PROTECTED]
US Mail: 1905 Steamboat Springs Drive, Garland, TX 75044-6749


Re: What do you want your ISP to block today?

2003-09-03 Thread Johannes Ullrich


 Even on Windows they can be used in a much safer fashion (although I would 
 never attempt it for any of my stuff). It is possible to use IPSec policies 
 on 2000 and higher to encrypt all traffic on specified ports to specified 
 hosts/networks and block all other traffic. I bet some people are using 
 this to join remote locations securely to each other for Windows networking 
 with these ports and IPSec policies.

If you explain the difference between IPSec, The Web to
an end user, and can convince them that they have enough
Pentium for it, you win and don't have to block the ports.

 There are 10 kinds of people in the world. Those who understand binary
 and those that don't.

ISPs should either block the mentioned ports, or send out bills in
binary.







Re: What do you want your ISP to block today?

2003-09-03 Thread Owen DeLong


--On Wednesday, September 3, 2003 3:11 PM -0400 Johannes Ullrich 
[EMAIL PROTECTED] wrote:




>> Some businesses have created an entire industry of outsourcing Exchange
>> service which need all their customers to be able to use those ports.
>
> So should everyone else be required to keep their doors open so they can
> offer the service? Who is wrong/right? Millions of vulnerable users that
> need some basic protection now, or a few businesses?

Sorry... Millions of vulnerable users are only vulnerable because those
users chose to run vulnerable systems.  They have the responsibility to
do what is necessary to correct the vulnerabilities in the systems they
chose to run.  I am really tired of the attitude that the rest of the
world should bear the consequences of Micr0$0ft's incompetence/arrogance.
The people who are Micr0$0ft customers should have responsibility to resolve
these issues with Micr0$0ft.  It is nice of ISPs to help when they do.
This is akin to driving a pinto, knowing that it's a bomb, and expecting
your local DOT to build explosion-proof freeways.
Owen






Re: What do you want your ISP to block today?

2003-09-03 Thread Johannes Ullrich


 That depends if you are buying the 100% internet or 99.993% internet 
 service.

Well, if '100%' includes all the garbage traffic generated by the
worm du jour. On my home cable modem connection, about 80% of the
packets hitting my firewall are 'junk'. Maybe I would be able
to actually share files unencrypted using MSFT file sharing. If I can
manage to inject the necessary traffic between all the Nachi pings and
Blaster scans.






Re: Distributed sniffer products

2003-09-03 Thread Dominic J. Eidson

On Wed, 3 Sep 2003, Larry Rosenman wrote:
 --On Wednesday, September 03, 2003 15:22:55 -0400 ravi pina [EMAIL PROTECTED]
 wrote:
  On Wed, Sep 03, 2003 at 12:05:06PM -0700, Luke Starrett said at one point
  in time:
  SSH works, but it's sometimes nice to have a persistent session that I
  can pick back up later (or from a different PC).
 
  Luke
  http://www.gnu.org/software/screen/
 Does anyone have a *GOOD* screenrc example config?  I was VERY confused by
 the info file.

box:~$ cat .screenrc
# do not log in new windows
deflogin off

# Annoying bell ON (audible, not visual)
vbell off

# Bell message so it beeps (quoted: the message contains a space)
bell_msg "Activity: %^G"

# detach on hangup
autodetach on

# don't display the copyright page
startup_message off

defscrollback 1

# remove some stupid / dangerous key bindings (a bind with no command unbinds)
bind k
bind ^k
bind .
bind ^\
bind \\
bind ^h
bind h

# Re-bind them better.
bind '\\' quit
bind 'K' kill
bind 'I' login on
bind 'O' login off
bind '}' history

-- 
Dominic J. Eidson
Baruk Khazad! Khazad ai-menu! - Gimli
---
http://www.the-infinite.org/  http://www.the-infinite.org/~dominic/



Re: Distributed sniffer products

2003-09-03 Thread Owen DeLong
I haven't had any problems using it without a screenrc.

screen -- Starts new session
screen -r -- resumes old session (won't steal session if active)
screen -r -d -- resumes old session and detaches it if necessary
Beyond that, I use ^A-D (detach) and a few other ^A commands, all of which
are pretty easily documented from ^A-?.
FWIW,

Owen





RE: Distributed sniffer products

2003-09-03 Thread Brennan_Murphy

The cost benefit analysis on Ethereal/etc vs Sniffer on anything
but the smallest of networks is usually very easy to make.
The fundamental issue is what questions do you have and 
should you have about your network and what tool answers
those questions efficiently and reliably. Good protocol
analyzers sell because they save time in answering important
questions. Sniffer recently released a SMB Sniffer
called Netasyst...worth a look if cost has been an issue
in the past.  So ends this biased response. :-)


-Original Message-
From: Owen DeLong [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, September 03, 2003 2:50 PM
To: Austad, Jay; '[EMAIL PROTECTED]'
Subject: Re: Distributed sniffer products



Ethereal and other libpcap tools work reasonably well, can be easily
deployed using commodity hardware, and would cost you a lot less than NetAssoc.

Owen


--On Wednesday, September 3, 2003 1:07 PM -0500 Austad, Jay 
[EMAIL PROTECTED] wrote:


 Anyone have any experience with these?  I'm looking for something 
 similar to Network Associates Sniffer product.

 Are there any open source projects that are decent?  What are others 
 using?

 
 Jay Austad
 Senior Network Analyst
 Travelers Express / MoneyGram
 e: [EMAIL PROTECTED] p: 952.591.3779




Re: What do you want your ISP to block today?

2003-09-03 Thread Petri Helenius
Johannes Ullrich wrote:

Well, if '100%' includes all the garbage traffic generated by the
worm du jour. On my home cable modem connection, about 80% of the
packets hitting my firewall are 'junk'. Maybe I would be able
to actually share files unencrypted using MSFT file sharing. If I can
manage to inject the necessary traffic between all the Nachi pings and
Blaster scans.
 

Once upon a time there was a proposal for a protocol which allowed clients to
push a filter configuration to the edge router to both classify traffic and
filter unneeded things. For one reason or another, this supposedly ended in
the bit bucket?

Pete





Re: What do you want your ISP to block today?

2003-09-03 Thread alex

  Some businesses have created an entire industry of outsourcing Exchange
  service which need all their customers to be able to use those ports.
 
 So should everyone else be required to keep their doors open so they can
 offer the service? Who is wrong/right? Millions of vulnerable users that
 need some basic protection now, or a few businesses?

If a user needs protection, it is up to user to get it. 

It is just like one wants to go and screw everyone who walks past him/her,
it is up to him/her to make sure that he/she uses condoms, not for everyone
else.


Alex



Re: What do you want your ISP to block today?

2003-09-03 Thread Johannes Ullrich


 Once upon a time there was a proposal for a protocol which allowed clients to
 push a filter configuration to the edge router to both classify traffic and
 filter unneeded things.

Nice idea. I am sure clients will figure that out. As quickly as they
caught on to 'Windows Update' and 'Setting up a VCR clock'. Lets face
it: Some things are better left to the experts.







Re: What do you want your ISP to block today?

2003-09-03 Thread alex

  Even on Windows they can be used in a much safer fashion (although I would 
  never attempt it for any of my stuff). It is possible to use IPSec policies 
  on 2000 and higher to encrypt all traffic on specified ports to specified 
  hosts/networks and block all other traffic. I bet some people are using 
  this to join remote locations securely to each other for Windows networking 
  with these ports and IPSec policies.
 
 If you explain the difference between IPSec, The Web to
 an end user, and can convince them that they have enough
 Pentium for it, you win and don't have to block the ports.

That is rubbish. Users do not care about IPSec. Neither do they care about
anything else but having everything work. 

  There are 10 kinds of people in the world. Those who understand binary
  and those that don't.
 
 ISPs should either block the mentioned ports, or send out bills in
 binary.

I encourage my competitors to block as many ports as they possibly can,
breaking as many applications as they possibly can, since I would gladly
have their users pay me money to provide the service.

Alex



Re: Distributed sniffer products

2003-09-03 Thread -


Have a look at http://www.isr.net/
Right side, are a bunch of links.
cheers,
-Bert


Re: What do you want your ISP to block today?

2003-09-03 Thread Johannes Ullrich


 No.  ISPs should not block ports unless they are listed in the AUP as
 non-permitted traffic or it is a necessary and temporary remedial action
 for a service-affecting problem.  

I fully agree that ISPs should include the list of blocked ports in
their AUP. (somewhere in the paper it mentions the confusion caused by
uncoordinated filters).

 I still do not understand why a manufacturer is permitted to release a
 product which causes such harm, and, rather than hold that manufacturer
 liable, so many people feel that the entire rest of the world should
 change to accommodate that one manufacturer's deficiencies

But should the end user pay for the faults? They already pay
for the software and the Internet connection. How many ISPs on this list
provide support for non-MSFT operating systems? Does the free CD you
hand out run on anything but Windows?

90% + of internet users do use MSFT Windows. So I don't think you have a
choice other than to live with it.






Re: What do you want your ISP to block today? [OT]

2003-09-03 Thread Gabriel
Owen,

Owen DeLong wrote:
Sorry... Millions of vulnerable users are only vulnerable because those
users chose to run vulnerable systems.  They have the responsibility to
do what is necessary to correct the vulnerabilities in the systems they
chose to run. 
Most of them don't know any better than to run what they've got.  Computer 
users, by and large, are not at all educated in the nature of what they're 
running, or the potential issues due to running Windows.  Who tells them 
that they shouldn't run Windows?

This is akin to driving a pinto, knowing that it's a bomb, and expecting
your local DOT to build explosion-proof freeways.
Your analogy is flawed.  The problem is, most people don't realize that:
1.) Windows is as flawed as it is,
2.) That there are real alternatives.
But, I suspect, this has gone far off the topic of Operations.  Take this 
off-list; there's nothing to be gained from this discussion any further.

ObOperational:
Did anybody see some strange latency on UU.Net yesterday in the Chicago area?
Gabriel

--
Gabriel Cain   www.dialupusa.net
Systems Administrator  [EMAIL PROTECTED]
Dialup USA, Inc.888-460-2286 ext 208
PGP Key ID: 2B081C6D
PGP fingerprint:   C0B4 C6BF 13F5 69D1 3E6B CD7C D4C8 2EA4 2B08 1C6D
Beware he who would deny you access to information,
for in his heart he dreams himself your master.




RE: Distributed sniffer products

2003-09-03 Thread Braun, Mike

We've been playing with Wildpackets http://www.wildpackets.com/.  They sniff
LAN to Gig and some WAN as well.  The Distributed model is still vaporware,
but is said to be out soon.  The expert analysis is comparable if not better
than NAI.  

Mike Braun 





Re: What do you want your ISP to block today?

2003-09-03 Thread Christopher L. Morrow


On Wed, 3 Sep 2003, Johannes Ullrich wrote:



  Once upon a time there was a proposal for a protocol which allowed clients to
  push a filter configuration to the edge router to both classify traffic and
  filter unneeded things.

 Nice idea. I am sure clients will figure that out. As quickly as they
 caught on to 'Windows Update' and 'Setting up a VCR clock'. Lets face
 it: Some things are better left to the experts.


you mean like 'using a computer' ?


Re: What do you want your ISP to block today?

2003-09-03 Thread Petri Helenius
Johannes Ullrich wrote:

90% + of internet users do use MSFT Windows. So I don't think you have a
choice other than to live with it.
 

I wonder if there would be a market for Windows Outside ISP.

Pete






Re: What do you want your ISP to block today?

2003-09-03 Thread Johannes Ullrich


 you mean like 'using a computer' ?

hehe... yes! if you insert the word securely at the end.

Case in point: I helped my neighbor last weekend to diagnose a printer
issue. Another problem he had was that his computer always rebooted
and never shut down. He just never read/understood the shutdown dialog
and it never occurred to him that the radio buttons do anything.

It's hard these days. But I HIGHLY recommend for everyone to get out of
your server closets, enjoy the sun, and talk to non-techies once in a
while. Or: spend a couple of hours answering the front end customer support
calls if you can't remember where you parked your car.
 






Re: On the back of other 'security' posts....

2003-09-03 Thread Scott Francis
On Sun, Aug 31, 2003 at 02:34:28PM -0700, [EMAIL PROTECTED] said:
[snip]
 What you are saying works only so long as none of your edge connections
 represent a significant portion of the internet.  How do you anti-spoof,
 for example, a peering link with SPRINT or UUNET?  It's not realistic
 to think that you know which addresses could or could not legitimately
 come from them.

another poster wrote that the spoofed traffic he was seeing was coming from
0.0.0.4 - 40.0.0.0 in .4 increments ... simple bogon filtering would get rid
of a good chunk of that space. Granted, it's a small subset of anti-spoof
filtering, but there are still networks out there that don't even make _that_
best effort.

If folks would simply make the best effort they could, given their situation,
the Internet as a whole would be a dramatically nicer place. That best effort
will vary greatly by situation, but even a partial attempt is better than
none at all.
-- 
Scott Francis || darkuncle (at) darkuncle (dot) net
  illum oportet crescere me autem minui



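An added example, not part of the thread, of the two levels of best effort described in the message above: a reserved-space (bogon) check that can be applied on any link, including a peering link, and a strict ingress check against assigned prefixes that only works on a customer-facing edge where you know what the customer may legitimately source. The bogon list here is only the stable RFC-reserved core (a 2003 list also carried then-unallocated /8s, several of them in the 0-40 range, which is what made the filter catch "a good chunk" at the time); the customer prefix 198.51.100.0/24 and the spoofed sample are constructed, and the quoted "0.0.0.4 - 40.0.0.0 in .4 increments" pattern is read as the first octet stepping by 4.

```python
import ipaddress

# Reserved space that must never be a source address on the public Internet.
# Stable RFC-reserved core only; a production bogon list also tracks
# unallocated space and changes over time (assumption: that list is fed
# in from elsewhere, it is not reproduced here).
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]


def is_bogon(src):
    """True if src lies in reserved space and should be dropped on any link."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in BOGONS)


def sourced_by_customer(src, assigned_prefixes):
    """Strict ingress check for a customer-facing edge: the source must fall
    inside a prefix assigned to that customer.  This is the check the thread
    says is unrealistic on a peering link, where no such list exists."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(p) for p in assigned_prefixes)


def spoofed_sample():
    """Constructed stand-in for the spoofed sources quoted in the thread,
    read as first octet 0..40 in steps of 4: 0.0.0.4, 4.0.0.4, ..., 40.0.0.4."""
    return [f"{octet}.0.0.4" for octet in range(0, 41, 4)]


def filter_report(sources, link_kind, assigned_prefixes=()):
    """Apply the best-effort filter appropriate to the link.

    link_kind is "peering" (bogon filter only) or "customer" (bogon filter
    plus strict ingress against the customer's assigned prefixes).
    Returns (dropped, passed); dropped holds (source, reason) pairs."""
    dropped, passed = [], []
    for src in sources:
        if is_bogon(src):
            dropped.append((src, "bogon"))
        elif link_kind == "customer" and not sourced_by_customer(src, assigned_prefixes):
            dropped.append((src, "not-assigned"))
        else:
            passed.append(src)
    return dropped, passed


if __name__ == "__main__":
    # Constructed customer assignment: 198.51.100.0/24 (documentation range).
    for kind, prefixes in (("peering", ()), ("customer", ("198.51.100.0/24",))):
        dropped, passed = filter_report(spoofed_sample(), kind, prefixes)
        print(f"{kind}: dropped {len(dropped)}, passed {len(passed)}")
```

On the peering link only the 0.0.0.0/8 source is caught by the reserved-space core; on the customer edge every spoofed source is dropped, which is the asymmetry the message is pointing at.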

Re: What do you want your ISP to block today?

2003-09-03 Thread Randy Bush

 Sorry... Millions of vulnerable users are only vulnerable
 because those users chose to run vulnerable systems.

no, they chose to run popular/... systems.  they do not know
what vulnerable means, let alone how to judge it.  pinto owners
did not make a conscious choice of buying a bomb.

randy



Re: What do you want your ISP to block today?

2003-09-03 Thread Rob Thomas

Hi, Johannes.

] Its hard these days. But I HIGHLY recommend for everyone to get out of
] your server closets, enjoy the sun, and talk to non-techies once in a
] while. Or: spend a couple hours answering the front end customer support
] calls if you can't remember where you parked your car.

While non-techies can be a support challenge, I find the greatest
challenges and demands come from the very techie customers.  These
are the same customers that don't want to hear the outage happened
because we put a new filter on the peering router...to protect you
from outages caused by worms!

Although it sounds logical to say some filters are better than no
filters, this presumes that some filters have no adverse side
effects.  We all know better.  Bugs aren't restricted only to
products from Redmond, typos happen, and the performance hit can
be quite painful.  You say that putting these filters in place
will reap financial reward?  Where is the data to support that
theory?  Most contracts include credit or refund clauses if the
link goes down or if the performance doesn't meet a certain level.
Failure to meet these clauses results in credits to the customer,
refund to the customer, or the customer leaving for a competitor.
Convincing a business to take a risk - a *fiscal* risk - isn't as
easy as saying this will stop worms.  All of the cost data I've
seen related to worms is either clearly overblown or is based on
a paucity of data.  I'm not saying these things don't have a cost;
I am saying that the cost hasn't been realistically quantified.

Of course all of this is hand-waving until the market places
security above other requirements, such as increased performance
and shiny new features.

Thanks,
Rob.
-- 
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);



Re: What do you want your ISP to block today?

2003-09-03 Thread Gerardo Gregory

> But should the end user pay for the faults?

The end user is angry because lashing out at the manufacturer gets you 
routed to a null interface  :) 

why should the ISP pay? (Now that is the question) 

> They already pay
> for the software and the Internet connection.

Do you call Microsoft when your internet connection is down? (msn.net 
customers exempted) 

> How many ISPs on this list
> provide support for non-MSFT operating systems? Does the free CD you
> hand out run on anything but Windows?

I think they only support their application (the one they want you to 
dial-in with) over this operating system, nothing else (meaning the OS 
itself and this is mostly for residential users, nothing was given to me 
when I had my last optical circuit handed over...wait let me check...nope 
nothing). 

> 90% + of internet users do use MSFT Windows. So I don't think you have a
> choice other than to live with it.

Wow only 10% of internet connected systems are other than...!! 

I think that it is ridiculous to expect the ISP now to start filtering these 
ports.  The internet in itself is nothing more than a communications link, 
and the ISPs are providers to this link.  The purpose of which is the 
exchange of information over a public medium. 

You want an ISP to begin filtering at the 4th layer (OSI Reference...yikes), 
why?  Besides alleviating the headaches of some users of a specific 
manufacturer's product, it makes no sense. 

What would you filter?  Before you filter you need a policy in place.  For 
this idea to even be effective you would need a policy that is acceptable 
among all ISPs, (HA HA HA). Next you need all ISPs to implement these 
policies consistently and equally throughout their infrastructure (scary). 

Now you go back to your firewall logs and poof!  Still a lot of junk 
(different junk, but nonetheless junk).  You think it will stop there? 
Human nature is suitable for adaptation...now what??? More 
filters...makes no sense...so there will be no more free exchange of 
information over a public medium? 

Since only 90% of internet users use MSFT Windows we should make it a 
Microsoft friendly network then.  Plug and Play your heart out!! 

G. 





Gerardo A. Gregory
Manager Network Administration and Security
402-970-1463 (Direct)
402-850-4008 (Cell)

Affinitas - Latin for Relationship
Helping Businesses Acquire, Retain, and Cultivate
Customers
Visit us at http://www.affinitas.net 



RE: What do you want your ISP to block today?

2003-09-03 Thread David Schwartz


  Once upon a time there was a proposal for a protocol which allowed clients to
  push a filter configuration to the edge router to both classify traffic and
  filter unneeded things.

 Nice idea. I am sure clients will figure that out. As quickly as they
 caught on to 'Windows Update' and 'Setting up a VCR clock'. Lets face
 it: Some things are better left to the experts.

If the clients don't figure it out, they get the default, which can be as
permissive or as restrictive as makes sense for people who can't figure out
how to control filtering.

DS




Re: What do you want your ISP to block today?

2003-09-03 Thread Petr Swedock

Rob Thomas [EMAIL PROTECTED] writes:

   ;; Hi, Johannes.
   ;; 
   ;; ] Its hard these days. But I HIGHLY recommend for everyone to get out of
   ;; ] your server closets, enjoy the sun, and talk to non-techies once in a
   ;; ] while. Or: spend a couple hours answering the front end customer support
   ;; ] calls if you can't remember where you parked your car.
   ;; 
   ;; While non-techies can be a support challenge, I find the greatest
   ;; challenges and demands come from the very techie customers.  


YES! Often it's the case that they A) don't fully understand the
problem but B) feel they have the perfect solution anyways.  
non-techies will defer to your judgement, demi-techies will 
require bulletproof reasoning for not doing things their way. I
hate when that happens. Especially when the reasoning is indeed
suboptimal and not by (my) choice or under my control. 

Peace,

Petr


Re: What do you want your ISP to block today?

2003-09-03 Thread Johannes Ullrich


 While non-techies can be a support challenge, I find the greatest
 challenges and demands come from the very techie customers. These
 are the same customers that don't want to hear the outage happened
 because we put a new filter on the peering router...to protect you
 from outages caused by worms!

The paper talks about consumers defined as home users or small
business without dedicated IT staff. These filters should be clearly
stated as part of the subscriber agreement. Many filter problems are
the result of inconsistent and rushed implementation.

 You say that putting these filters in place
 will reap financial reward?  Where is the data to support that
 theory?  

I admit: I do not have hard numbers. But all the calls to support
about slow connections, or dealing with all the abuse@ complaints
has to cost something.

 Most contracts include credit or refund clauses if the
 link goes down or if the performance doesn't meet a certain level.

given that (a) the customer knows ahead of time about the blocked
port, and (b) blocking the port may actually reduce the impact
of the occasional worm, your argument proves that there may be
a financial benefit.

  All of the cost data I've
 seen related to worms is either clearly overblown or is based on
 a paucity of data.  I'm not saying these things don't have a cost;
 I am saying that the cost hasn't been realistically quantified.

yes. I am not using any of these numbers to support my issue.
But answering support calls, handing out refunds, and dealing
with abuse email does cost money.

 such as increased performance and shiny new features.

Well, performance should if anything improve. At this point, my cable
modem which I use for regular web browsing is seeing about 80%
unsolicited traffic. Not that the bandwidth impact is huge. But I'd
rather use it to speed up my pr0n downloads than to waste it on
pings/port 135 probes/arp storms...

And someone is paying to move all these packets across the wire. After
all: That's what we all agree on. We are paying ISPs to move packets.

-- 
--
Johannes Ullrich [EMAIL PROTECTED]
pgp key: http://johannes.homepc.org/PGPKEYS
--
   We regret to inform you that we do not enable any of the 
security functions within the routers that we install.
 [EMAIL PROTECTED]
--




ethernet-based temperature sensors

2003-09-03 Thread matthew zeier


I know this has been mentioned before, but other than NetBotz (too pricey),
what are people using as ethernet-based, SNMP-probable temp sensors?

I very simply need to trend temp with cricket/mrtg in various parts of the
data center.  Looking for real-world experience.

Thanks.

--
matthew zeier - Curiosity is a willing, a proud, an eager confession
of ignorance. - Leonard Rubenstein



CalPOP contact? HTTP CONNECT scanning

2003-09-03 Thread Jeroen Massar


As people are complaining all around about ISP's,
here is my small question. Who has a _working_ contact at
CalPOP (216.240.128.0/19 and others). It is not in puck :(

If anybody has a working one please mail it to me offlist so
that the following long version of the problem can be solved.

Is there anything alive at CalPOP that doesn't try
to abuse open proxies for massively spamming hotmail ?

These are the hits from Sep 3rd:

216.240.140.204 - - [03/Sep/2003:06:27:15 +0200] "CONNECT 65.54.253.99:25 HTTP/1.0" 200 2366 "-" "-"
216.240.140.204 - - [03/Sep/2003:06:27:17 +0200] "CONNECT 65.54.167.5:25 HTTP/1.0" 200 2366 "-" "-"
216.240.140.204 - - [03/Sep/2003:06:27:19 +0200] "CONNECT 65.54.253.230:25 HTTP/1.0" 200 2366 "-" "-"
216.240.140.204 - - [03/Sep/2003:06:27:20 +0200] "CONNECT 65.54.167.230:25 HTTP/1.0" 200 2366 "-" "-"
216.240.140.204 - - [03/Sep/2003:06:27:22 +0200] "CONNECT 65.54.254.151:25 HTTP/1.0" 200 2366 "-" "-"
216.240.140.204 - - [03/Sep/2003:06:27:24 +0200] "CONNECT 65.54.252.99:25 HTTP/1.0" 200 2366 "-" "-"
216.240.140.204 - - [03/Sep/2003:06:27:25 +0200] "CONNECT 65.54.254.145:25 HTTP/1.0" 200 2366 "-" "-"
216.240.140.204 - - [03/Sep/2003:06:27:26 +0200] "CONNECT 65.54.252.230:25 HTTP/1.0" 200 2366 "-" "-"
216.240.140.204 - - [03/Sep/2003:06:27:26 +0200] "CONNECT 65.54.254.140:25 HTTP/1.0" 200 2366 "-" "-"
216.240.140.204 - - [03/Sep/2003:06:27:28 +0200] "CONNECT 65.54.254.145:25 HTTP/1.0" 200 2366 "-" "-"
216.240.140.204 - - [03/Sep/2003:06:27:29 +0200] "CONNECT 65.54.252.230:25 HTTP/1.0" 200 2366 "-" "-"
216.240.140.204 - - [03/Sep/2003:06:27:30 +0200] "CONNECT 65.54.254.140:25 HTTP/1.0" 200 2366 "-" "-"

Since 29 Sep they did that 13007 times to the same box.
Quite persistent apparently as previously at 10-15 August
they used 216.240.129.201 + .205 to hit that box for another
17502 times and that one stopped mysteriously after mailing
[EMAIL PROTECTED]  [EMAIL PROTECTED]  [EMAIL PROTECTED] (as shown in whois).
Unfortunately without any reply whatsoever and apparently
they are continuing to scan for open http connect proxies.

I know the 200 response should indicate a CONNECT success.
But unfortunately if one loads up an apache2 with PHP suddenly
it starts passing _all_ methods to PHP which nicely responds with a 200.
But it is perfect for logging some nice data from the wanna-be-spammer.
<Limit CONNECT>Deny from all</Limit> solves that of course but that
spammer needs to go, but the contacts don't work. This acts as a
perfect spamtrap honeypot btw especially as they keep trying.

Before anyone asks the IP being hit is on a DSL line so they are
quite probably scanning all the DSL networks for open proxies.

Greets,
 Jeroen

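The CONNECT hits above are what an open-proxy scanner leaves in an access log. This added example (not Jeroen's code) parses Apache combined-format lines like those and counts CONNECT attempts to port 25 per source, so a spamtrap of the kind described can be summarised from its log; the log lines inside it are constructed.

```python
"""Spot open-proxy abuse probes (HTTP CONNECT to a remote port 25) in an
Apache access log.  Added example, not the poster's code; the sample
log lines below are constructed to match the format quoted in the post."""
import re
from collections import defaultdict

# Combined log format: host ident user [time] "METHOD target HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample lines, not the actual log from the post.
SAMPLE_LOG = """\
216.240.140.204 - - [03/Sep/2003:06:27:15 +0200] "CONNECT 65.54.253.99:25 HTTP/1.0" 200 2366 "-" "-"
216.240.140.204 - - [03/Sep/2003:06:27:17 +0200] "CONNECT 65.54.167.5:25 HTTP/1.0" 200 2366 "-" "-"
10.0.0.7 - - [03/Sep/2003:06:28:01 +0200] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.8 - - [03/Sep/2003:06:28:05 +0200] "CONNECT 198.51.100.4:443 HTTP/1.1" 405 0 "-" "-"
garbage line that does not parse
"""

def parse_line(line):
    """Return (src, method, target, status) or None for non-request lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m['src'], m['method'], m['target'], int(m['status'])

def connect_abuse(lines, port=25):
    """Per source IP: CONNECT attempts to host:<port>, distinct hosts, and
    how many got a 200.  A scanner reads 200 as 'open proxy'; as the post
    notes, PHP may answer 200 even though nothing was actually relayed."""
    report = defaultdict(lambda: {"attempts": 0, "accepted": 0, "targets": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, method, target, status = rec
        if method != "CONNECT":
            continue
        host, sep, tport = target.rpartition(":")
        if not sep or not tport.isdigit() or int(tport) != port:
            continue
        entry = report[src]
        entry["attempts"] += 1
        entry["targets"].add(host)
        if status == 200:
            entry["accepted"] += 1
    return dict(report)
```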



Re: Anyone here from Earthlink?

2003-09-03 Thread chuck goolsbee

Please contact me offlist. Normal contact methodologies have 
failed, and a problem is now four days old.
Thanks for the swift replies from Earthlink/Mindspring staff (three!)

Problem still ongoing, but at least we are talking/working on it now.



Regards,
--
Chuck Goolsbee  V.P. Technical Operations
_
digital.forest  Phone: +1-877-720-0483, x2001
where Internet solutions grow  Int'l: +1-425-483-0483
19515 North Creek ParkwayFax: +1-425-482-6871
Suite 208   http://www.forest.net
Bothell, WA 98011email: [EMAIL PROTECTED]


What were we saying about edge filtering?

2003-09-03 Thread Matthew Sullivan
Hi All,

More whining and bitching from me ... sorry...

So who thinks allowing anyone to route to or from IANA Reserved blocks 
(Bogons) is acceptable?

A few captured packets


And a few more
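One way to check the sources in a capture like the one above against a bogon list, as an added example rather than anything from the post: the prefix list is a constructed, partial snapshot of 2003-era IANA reserved space (1.0.0.0/8 was unallocated then and has since been assigned, which is why a real filter must follow a maintained list), and the sample capture lines are constructed in tcpdump's format.

```python
"""Flag tcpdump source addresses that fall in bogon (IANA reserved or
unallocated) space.  Added example, not the poster's code.  BOGONS_2003
is a constructed, partial snapshot: bogon space shrinks as IANA allocates
it (1.0.0.0/8 is assigned today), so hard-coding a list is only for illustration."""
import ipaddress
import re

BOGONS_2003 = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "1.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# tcpdump style: "HH:MM:SS.us src.ip.port > dst.ip.port: S seq:seq(0) win N"
PKT_RE = re.compile(r'^\S+ (\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.\d+:')

# Constructed sample capture modelled on the post's format; 198.51.100.9
# (documentation range) stands in for an ordinary, routable source.
SAMPLE_CAPTURE = """\
15:42:41.434384 1.6.145.24.1116 > 203.101.254.254.53: S 2056192000:2056192000(0) win 16384
13:31:16.215267 255.205.43.12.1146 > 203.101.254.254.53: S 1909522432:1909522432(0) win 16384
13:31:16.225790 254.255.110.156.1934 > 203.101.254.254.53: S 843513856:843513856(0) win 16384
15:42:50.000000 198.51.100.9.1234 > 203.101.254.254.53: S 1:1(0) win 16384
"""

def bogon_match(ip, bogons=BOGONS_2003):
    """Return the bogon prefix containing ip, or None if it is outside the list."""
    addr = ipaddress.ip_address(ip)
    for net in bogons:
        if addr in net:
            return net
    return None

def bogon_sources(capture, bogons=BOGONS_2003):
    """Return [(src_ip, prefix)] for each packet whose source is in bogon space.
    Lines that do not look like tcpdump TCP records are skipped."""
    hits = []
    for line in capture.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue
        net = bogon_match(m.group(1), bogons)
        if net is not None:
            hits.append((m.group(1), str(net)))
    return hits
```

In practice the same check belongs on the edge router as an ingress filter fed by a maintained bogon list, not in a script run after the fact.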