Re: Kiss-o'-death packets?

2003-10-06 Thread Valdis . Kletnieks
On Mon, 06 Oct 2003 02:11:22 EDT, Sean Donelan said:

>   to the client. A compliant client will cease further transmission and
>   send a message to the system log. See the Authentication Options page
>   for further information.

ntp-2.vt.edu used to be an alias for my workstation, until it got moved to a
more production machine.  Two years later, there was still a flux of 50 packets/second
from machines that thought that even though it had been unreachable
for 2 years(*), maybe THIS time it would answer. (when the
xntpd exploit came out a few years ago, we turned on logging on our border
routers - inside of an hour we had trapped packets from some 6-8 hosts that
were heading to an IP address that hadn't been an NTP server for over 8 years).

The only reason this number is notable is because even when it was a production
server, the packet flux was only 100-150 packets/second.  So obviously, we
can't trust users to get it right.

The problem with a 'kiss-o-death' packet is that it needs to be authenticated.
Otherwise, you can use spoofed packets to DoS somebody.  How many lines are in
your root-DNS hints?  And even if we insist on the KoD packet having the query
ID in it, that's a TINY address space.  I can even feed you spam to force you
to hit the DNS, trickle you some forged KoD packets, and within a day or so
make you refuse to talk to any of the root nameservers... (Note that TCP
connections are a lot more easily dealt with, as the 3-packet handshake adds a
lot to the security.  However, Wesel's numbers on "98% of the root DNS traffic
is bogus" indicate that we really need this on the UDP side of the fence as
well)

It's the same basic reason why the UCITA provisions for remote deactivation
of software went over like a lead balloon.

(*) I originally Did The Right Thing and had ICMP Port Unreachables going back,
but some lameware Windows set-your-clock program interpreted those as "Ask
again and maybe it will answer", so it would ask about 50 times a second..
continuously (oddly enough, it *didn't* retransmit if it got NO answer). The 5th
or 6th time some bozo installed this program in a lab of 40-80 machines, I gave
up and filtered all responses.





Re: Kiss-o'-death packets?

2003-10-06 Thread Peter Galbavy

Sean Donelan wrote:
> Should other protocols include the same feature?  If someone sends you
> a Dynamic DNS update, could the protocol include a kiss-o'-death
> packet to tell clients to go away?  If someone keeps probing your
> HTTP server, should HTTP include a kiss-o'-death packet to tell
> clients to go away?

Erm, I can see a huge DoS hole waiting to happen to any protocol that
doesn't in turn implement some sort of authentication of the server. The
more protocols you allow to do this, the more potential for DoS of important
(possibly) client information.

Peter



Re: Kiss-o'-death packets?

2003-10-06 Thread Sean Donelan

On Mon, 6 Oct 2003 [EMAIL PROTECTED] wrote:
> The problem with a 'kiss-o-death' packet is that it needs to be authenticated.
> Otherwise, you can use spoofed packets to DoS somebody.  How many lines are in
> your root-DNS hints?  And even if we insist on the KoD packet having the query
> ID in it, that's a TINY address space.  I can even feed you spam to force you
> to hit the DNS, trickle you some forged KoD packets, and within a day or so
> make you refuse to talk to any of the root nameservers... (Note that TCP
> connections are a lot more easily dealt with, as the 3-packet handshake adds a
> lot to the security.  However, Wesel's numbers on "98% of the root DNS traffic
> is bogus" indicate that we really need this on the UDP side of the fence as
> well)

That's why I mentioned the 4-way handshake, and the need for it in many
different protocols. It's authenticated based on the end-to-end
communication, but not on a higher authority (e.g. PKI).  Man in the
middle attacks exist, but MITM could disrupt the communications anyway.

Phase I
   Send IP packet ->

   <- ICMP GoAway + nonce + header&64 bytes of packet

   Match sent IP packet?
      No -> Ignore
      Duplicate -> Ignore (i.e. received a reply from the "real" host)
      Yes -> Sender is now informed of the possible problem

Phase II
The next phase could be TCP, UDP, SSL, whatever.  I made it ICMP for
simplicity.  In phase II the source (or edge or firewall) confirms
the intention/desire of the destination host to drop the unwanted
packets.

   Send ICMP Block + nonce + header&64 bytes of ICMP GoAway ->

      Match sent ICMP GoAway?
         No -> Reply no block
         Yes -> Reply with block code

   <- ICMP Block Reply + header&64 bytes of ICMP Block
      Code (no block, host, protocol, port, source)

   Match sent ICMP Block?
      No -> Ignore
      Yes
         No block -> Ignore
         Block host, protocol, port or source ->
            Locally respond to future packets to host/protocol/port/source
            as Destination Unreachable
            Set dampening timer, remove block when expires
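
The two-phase exchange sketched in the message above, modelled in Python as an added example (not code from the original post or from any NTP/ICMP implementation). Assumptions: the class, field and message names are hypothetical, messages are plain dicts, the Block carries a fresh sender nonce, "Duplicate" is read as "the real host already answered that packet", and the 300-second dampening value is made up.

```python
import secrets
from dataclasses import dataclass, field

NO_BLOCK, BLOCK_PORT = "no-block", "port"   # two of the reply codes listed in the post

@dataclass
class Destination:
    """Host that wants unwanted traffic to stop (hypothetical model)."""
    addr: str
    unwanted_ports: set
    sent_goaways: dict = field(default_factory=dict)    # nonce -> packet echoed

    def receive(self, pkt):
        # Phase I: answer an unwanted packet with GoAway + nonce + echo of the packet.
        if pkt["dport"] not in self.unwanted_ports:
            return None
        nonce = secrets.token_hex(8)
        self.sent_goaways[nonce] = pkt
        return {"type": "goaway", "nonce": nonce, "echo": pkt}

    def receive_block(self, block):
        # Phase II: "Match sent ICMP GoAway?"  No -> no block, Yes -> block code.
        goaway = block["echo"]
        known = self.sent_goaways.get(goaway["nonce"])
        matched = known is not None and known == goaway["echo"]
        return {"type": "block-reply", "code": BLOCK_PORT if matched else NO_BLOCK,
                "echo": block}

@dataclass
class Sender:
    """Source host (or its edge/firewall) that may be told to go away."""
    addr: str
    dampening: float = 300.0                      # seconds, assumed value
    sent: dict = field(default_factory=dict)      # packet id -> packet
    answered: set = field(default_factory=set)    # ids the real host replied to
    pending: dict = field(default_factory=dict)   # our nonce -> Block we sent
    blocks: dict = field(default_factory=dict)    # (dst, dport) -> expiry time

    def send(self, dst, dport, now):
        if self.blocks.get((dst, dport), 0.0) > now:
            return None          # answered locally as Destination Unreachable
        self.blocks.pop((dst, dport), None)       # dampening timer expired
        pkt = {"id": secrets.randbits(16), "src": self.addr, "dst": dst, "dport": dport}
        self.sent[pkt["id"]] = pkt
        return pkt

    def receive_goaway(self, goaway):
        echo = goaway["echo"]
        if self.sent.get(echo.get("id")) != echo:
            return None                           # no match -> ignore
        if echo["id"] in self.answered:
            return None                           # duplicate -> ignore
        block = {"type": "block", "nonce": secrets.token_hex(8), "echo": goaway}
        self.pending[block["nonce"]] = block
        return block     # goes to echo["dst"], never to the GoAway's claimed source

    def receive_block_reply(self, reply, now):
        block = reply["echo"]
        if self.pending.get(block.get("nonce")) != block:
            return False                          # no match -> ignore
        del self.pending[block["nonce"]]
        if reply["code"] == NO_BLOCK:
            return False
        pkt = block["echo"]["echo"]
        self.blocks[(pkt["dst"], pkt["dport"])] = now + self.dampening
        return True

def run_demo():
    now, out = 1000.0, {}
    dst = Destination("192.0.2.53", unwanted_ports={123})
    src = Sender("198.51.100.7")
    pkt = src.send(dst.addr, 123, now)        # assume dst never saw this packet
    # Constructed forgery 1: GoAway whose echo matches nothing we sent.
    forged = {"type": "goaway", "nonce": "f" * 16,
              "echo": dict(pkt, id=(pkt["id"] + 1) % 65536)}
    out["blind_goaway_ignored"] = src.receive_goaway(forged) is None
    # Constructed forgery 2: echo guessed correctly; Phase II asks the real host.
    forged["echo"] = pkt
    reply = dst.receive_block(src.receive_goaway(forged))
    out["guessed_goaway_code"] = reply["code"]
    out["guessed_goaway_blocks"] = src.receive_block_reply(reply, now)
    # Constructed forgery 3: Block Reply that echoes no Block we sent.
    fake = {"type": "block-reply", "code": BLOCK_PORT,
            "echo": {"type": "block", "nonce": "0" * 16, "echo": forged}}
    out["forged_reply_blocks"] = src.receive_block_reply(fake, now)
    # Duplicate: the real host already answered pkt3, so a late GoAway is ignored.
    pkt3 = src.send(dst.addr, 53, now)
    src.answered.add(pkt3["id"])
    late = {"type": "goaway", "nonce": "a" * 16, "echo": pkt3}
    out["duplicate_ignored"] = src.receive_goaway(late) is None
    # Genuine exchange: both phases match, block holds until the timer expires.
    pkt2 = src.send(dst.addr, 123, now)
    reply2 = dst.receive_block(src.receive_goaway(dst.receive(pkt2)))
    out["genuine_blocks"] = src.receive_block_reply(reply2, now)
    out["suppressed"] = src.send(dst.addr, 123, now + 1) is None
    out["sends_after_timer"] = src.send(dst.addr, 123, now + 301) is not None
    return out

if __name__ == "__main__":
    print(run_demo())
```

In this model a forged GoAway can at most cause one Block query to the real destination, which answers "no block" because it never issued that nonce.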




Re: VeriSign Capitulates

2003-10-06 Thread Michael . Dillon

>   "There is no data to indicate the core operation of the domain name
>   system or the stability of the Internet has been adversely affected,"
>   VeriSign's Galvin said.

This means that there are no papers published or
conference presentations which detail the problems
caused by sitefinder. A number of people who
posted messages to this list could rectify that
lack of data by writing up their findings in a short
paper and presenting it at a conference or publishing
it in a magazine or journal.

I don't think the fight is over yet.

--Michael Dillon






Re: Will reverting DNS wildcard have any adverse affects?

2003-10-06 Thread Joel Rowbottom
At 23:40 05/10/2003, Niels Bakker wrote:

>> do arbitrary changes to them. Marking "com" and "net" as delegation-only
>> is not harming anything. (At least until ICANN changes its mind.)
> According to this mail:
> http://gnso.icann.org/mailing-lists/archives/registrars/msg00532.html
> ... apparently it breaks IDN resolution.  Does anybody have the definite
> word on that?

It would seem to do so, yes - removal of the wildcard would also imply that 
Verisign's IDN stopgap (between applications which use the xn-- encoding 
and applications which do 8-bit dns) will now break.



--
 Joel Rowbottom, http://www.centralnic.com - CTO and self-confessed Unix geek
  +44 (0)20 7751 9000  +44 (0)20 7736 9253  [EMAIL PROTECTED]
 # Note: Contents may not necessarily represent the opinions of CentralNic.


Re: Kiss-o'-death packets?

2003-10-06 Thread Sean Donelan

On Mon, 6 Oct 2003, Peter Galbavy wrote:
> Erm, I can see a huge DoS hole waiting to happen to any protocol that
> doesn't in turn implement some sort of authentication of the server. The
> more protocols you allow to do this, the more potential for DoS of important
> (possibly) client information.

Uhm, you are also aware that if the attacker can spoof the kiss-o'-death
packets; the same attacker could spoof all sorts of other packets
including the time protocol packets to change the clock on your computer.




Re: VeriSign Capitulates

2003-10-06 Thread Daniel Karrenberg

On 06.10 10:54, [EMAIL PROTECTED] wrote:
> 
> >   "There is no data to indicate the core operation of the domain name
> >   system or the stability of the Internet has been adversely affected,"
> >   VeriSign's Galvin said.
> 
> This means that there are no papers published or
> conference presentations which detail the problems
> caused by sitefinder. 

http://www.iab.org/documents/docs/2003-09-20-dns-wildcards.html




Re: Kiss-o'-death packets?

2003-10-06 Thread Peter Galbavy

Sean Donelan wrote:
> Uhm, you are also aware that if the attacker can spoof the
> kiss-o'-death packets; the same attacker could spoof all sorts of
> other packets including the time protocol packets to change the clock
> on your computer.

"Yes but"... there is a strong likelihood that less paranoid protocol
implementors (not necessarily designers, just those coding stuff from spec)
could simplify their lives and not check all the right conditions required
to filter unwanted stuff. Bye bye farm.

Oh, this has happened already ? Now, where is that "Windows Update" icon
again ...

Peter



Reverse DNS problem

2003-10-06 Thread Schmiedt, Jamie

We have been experiencing problems with reverse DNS requests since Thursday 10/2/2003.
Just wondering if anyone else is seeing this issue? This is affecting FreeBSD & Linux
hosts with BIND version 8.2.3 & 8.3.3.

Reverse Lookups fail as follows:
host0001$ nslookup
Default Server:  host0001.domain123.net
Address:  0.0.0.0
> ccn.com
Server:  host0001.domain123.net
Address:  0.0.0.0
Name:ccn.com
Address:  63.172.52.127
> 63.172.52.127
Server:  host0001.domain123.net
Address:  0.0.0.0
*** Request to host0001.domain123.net timed-out
> 

tcpdump shows this: 
16:32:21.864111 123.123.123.123.1024 > 192.12.94.30.53:  6333 A? chia.ARIN.NET. (31)
16:32:21.864298 123.123.123.123.1024 > 192.12.94.30.53:  48444 A? dill.ARIN.NET. (31)
16:32:21.864597 123.123.123.123.1024 > 192.12.94.30.53:  43887 A? henna.ARIN.NET. (32)
16:32:21.864754 123.123.123.123.1024 > 192.12.94.30.53:  13510 A? indigo.ARIN.NET. (33)
16:32:21.864910 123.123.123.123.1024 > 192.12.94.30.53:  6129 A? epazote.ARIN.NET. (34)
16:32:21.865067 123.123.123.123.1024 > 192.12.94.30.53:  61408 A? figwort.ARIN.NET. (34)
16:32:21.865222 123.123.123.123.1024 > 192.12.94.30.53:  38595 A? ginseng.ARIN.NET. (34)
16:32:21.865383 123.123.123.123.1024 > 192.36.148.17.53:  60682 PTR? 127.52.172.63.in-addr.arpa. (46)
16:32:21.932444 192.12.94.30.53 > 123.123.123.123.1024:  48444- 0/7/7 (271) (DF)
16:32:21.941921 192.12.94.30.53 > 123.123.123.123.1024:  6333- 0/7/7 (271) (DF)
16:32:21.951550 192.12.94.30.53 > 123.123.123.123.1024:  43887- 0/7/7 (272) (DF)
16:32:21.961288 192.12.94.30.53 > 123.123.123.123.1024:  13510- 0/7/7 (273) (DF)
16:32:21.970903 192.12.94.30.53 > 123.123.123.123.1024:  6129- 0/7/7 (274) (DF)
16:32:21.980540 192.12.94.30.53 > 123.123.123.123.1024:  61408- 0/7/7 (274) (DF)
16:32:21.990282 192.12.94.30.53 > 123.123.123.123.1024:  38595- 0/7/7 (274) (DF)
16:32:22.016671 192.36.148.17.53 > 123.123.123.123.1024:  60682- 0/7/0 (199) (DF)
16:32:22.017854 123.123.123.123.1024 > 192.54.112.30.53:  46181 A? chia.ARIN.NET. (31)
16:32:22.017883 123.123.123.123.1024 > 192.54.112.30.53:  28356 A? dill.ARIN.NET. (31)
16:32:22.017907 123.123.123.123.1024 > 192.54.112.30.53:  29015 A? henna.ARIN.NET. (32)
16:32:22.017932 123.123.123.123.1024 > 192.54.112.30.53:  39822 A? indigo.ARIN.NET. (33)
16:32:22.017958 123.123.123.123.1024 > 192.54.112.30.53:  25113 A? epazote.ARIN.NET. (34)
16:32:22.017984 123.123.123.123.1024 > 192.54.112.30.53:  7656 A? figwort.ARIN.NET. (34)
16:32:22.018008 123.123.123.123.1024 > 192.54.112.30.53:  53035 A? ginseng.ARIN.NET. (34)
16:32:22.142472 192.54.112.30.53 > 123.123.123.123.1024:  28356- 0/7/7 (271) (DF)
16:32:22.151936 192.54.112.30.53 > 123.123.123.123.1024:  46181- 0/7/7 (271) (DF)
16:32:22.161553 192.54.112.30.53 > 123.123.123.123.1024:  39822- 0/7/7 (273) (DF)
16:32:22.171199 192.54.112.30.53 > 123.123.123.123.1024:  29015- 0/7/7 (272) (DF)
16:32:22.180924 192.54.112.30.53 > 123.123.123.123.1024:  25113- 0/7/7 (274) (DF)
16:32:22.190561 192.54.112.30.53 > 123.123.123.123.1024:  53035- 0/7/7 (274) (DF)
16:32:22.200290 192.54.112.30.53 > 123.123.123.123.1024:  7656- 0/7/7 (274) (DF)
16:32:26.868123 123.123.123.123.1024 > 192.41.162.30.53:  32457 A? chia.ARIN.NET. (31)
16:32:26.868300 123.123.123.123.1024 > 192.41.162.30.53:  65240 A? dill.ARIN.NET. (31)
16:32:26.868452 123.123.123.123.1024 > 192.41.162.30.53:  15332 A? henna.ARIN.NET. (32)
16:32:26.868602 123.123.123.123.1024 > 192.41.162.30.53:  41975 A? indigo.ARIN.NET. (33)
16:32:26.868753 123.123.123.123.1024 > 192.41.162.30.53:  21934 A? epazote.ARIN.NET. (34)
16:32:26.868905 123.123.123.123.1024 > 192.41.162.30.53:  56761 A? figwort.ARIN.NET. (34)
16:32:26.869057 123.123.123.123.1024 > 192.41.162.30.53:  52488 A? ginseng.ARIN.NET. (34)
16:32:26.869208 123.123.123.123.1024 > 198.41.0.4.53:  64459 PTR? 127.52.172.63.in-addr.arpa. (46)
16:32:26.923374 192.41.162.30.53 > 123.123.123.123.1024:  32457- 0/7/7 (271) (DF)
16:32:26.930326 198.41.0.4.53 > 123.123.123.123.1024:  64459- 0/7/0 (199)
16:32:26.931103 123.123.123.123.1024 > 192.52.178.30.53:  45170 A? chia.ARIN.NET. (31)
16:32:26.939982 192.41.162.30.53 > 123.123.123.123.1024:  15332- 0/7/7 (272) (DF)
16:32:26.949578 192.41.162.30.53 > 123.123.123.123.1024:  65240- 0/7/7 (271) (DF)
16:32:26.959220 192.41.162.30.53 > 123.123.123.123.1024:  41975- 0/7/7 (273) (DF)
16:32:26.968842 192.41.162.30.53 > 123.123.123.123.1024:  21934- 0/7/7 (274) (DF)
16:32:26.978581 192.41.162.30.53 > 123.123.123.123.1024:  56761- 0/7/7 (274) (DF)
16:32:26.988220 192.41.162.30.53 > 123.123.123.123.1024:  52488- 0/7/7 (274) (DF)
16:32:27.058851 192.52.178.30.53 > 123.123.123.123.1024:  45170- 0/7/7 (271) (DF)

We can temporarily resolve the problem by issuing the following dig command:

dig @ -x 
example: host0001# dig @ginseng.arin.net -x abc

Then the reverse lookups begin to work and the tcpdump is as follows: (notice the 
difference in lines 8,9,10,11)
16:33:01.664320 123.123.123.123.1024 > 192.35.51.32.53:  33751 A? chia.ARIN.N

Re: Kiss-o'-death packets?

2003-10-06 Thread E.B. Dreger

PG> Date: Mon, 6 Oct 2003 11:45:11 +0100
PG> From: Peter Galbavy


PG> "Yes but"... there is a strong likelihood that less paranoid
PG> protocol implementors (not necessarily designers, just those
PG> coding stuff from spec) could simplify their lives and not
PG> check all the right conditions required to filter unwanted
PG> stuff. Bye bye farm.
PG>
PG> Oh, this has happened already ? Now, where is that "Windows
PG> Update" icon again ...

HTTP implementations have had vulnerabilities due to insufficient
checking.  Thus HTTP is a bad idea.

SMTP implementations have had vulnerabilities due to insufficient
checking.  Thus SMTP is a bad idea.

SNMP implementations have had vulnerabilities due to insufficient
checking.  Thus SNMP is a bad idea.

Come to think of it, IP stacks have had vulnerabilities due to
insufficient checking.  IP is a bad idea, too.


Eddy
--
Brotsman & Dreger, Inc. - EverQuick Internet Division
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita
_
  DO NOT send mail to the following addresses :
  [EMAIL PROTECTED] -or- [EMAIL PROTECTED] -or- [EMAIL PROTECTED]
Sending mail to spambait addresses is a great way to get blocked.



Re: Will reverting DNS wildcard have any adverse affects?

2003-10-06 Thread Piotr KUCHARSKI

On Mon, Oct 06, 2003 at 12:40:42AM +0200, Niels Bakker wrote:
> > do arbitrary changes to them. Marking "com" and "net" as delegation-only
> > is not harming anything. (At least until ICANN changes its mind.)
> According to this mail:
> http://gnso.icann.org/mailing-lists/archives/registrars/msg00532.html
> ... apparently it breaks IDN resolution.  Does anybody have the definite
> word on that?

Hm. And how would it suppose to break IDN resolution? Client encodes
the hostname, then asks the DNS about already encoded name. So the
bind receives the request about, say, "xn--szkoagwnahandlowa-lyb21mca.pl".
How would that fail with "delegation-only"?

p.

-- 
Beware of he who would deny you access to information, for in his
heart he dreams himself your master.   -- Commissioner Pravin Lal
http://nerdquiz.sgh.waw.pl/  -- polska wersja quizu dla nerdów ;)


cisco site down?

2003-10-06 Thread Ezequiel Carson

hi,
can anyone use cisco site?


[EMAIL PROTECTED] root]# telnet www.cisco.com 80
Trying 198.133.219.25...
Connected to www.cisco.com.
Escape character is '^]'.
Connection closed by foreign host.
[EMAIL PROTECTED] root]#

ezequiel.




RE: [nanog]: cisco site down?

2003-10-06 Thread Tomas Daniska

the same here

--

deejay  

> -Original Message-
> From: Ezequiel Carson [mailto:[EMAIL PROTECTED] 
> Sent: 6. októbra 2003 17:23
> To: [EMAIL PROTECTED]
> Subject: [nanog]: cisco site down?
> 
> 
> hi,
>   can anyone use cisco site?
> 
> 
> [EMAIL PROTECTED] root]# telnet www.cisco.com 80
> Trying 198.133.219.25...
> Connected to www.cisco.com.
> Escape character is '^]'.
> Connection closed by foreign host.
> [EMAIL PROTECTED] root]#
> 
> ezequiel.
> 
> 
> 


RE: [nanog]: cisco site down?

2003-10-06 Thread Ezequiel Carson

it seems to be working now. uhmm strange.. it was getting "Document
contains no valid data.." something like this.


ezeq,



On Mon, 2003-10-06 at 12:25, Tomas Daniska wrote:
> the same here
> 
> --
> 
> deejay  
> 
> > -Original Message-
> > From: Ezequiel Carson [mailto:[EMAIL PROTECTED] 
> > Sent: 6. októbra 2003 17:23
> > To: [EMAIL PROTECTED]
> > Subject: [nanog]: cisco site down?
> > 
> > 
> > hi,
> > can anyone use cisco site?
> > 
> > 
> > [EMAIL PROTECTED] root]# telnet www.cisco.com 80
> > Trying 198.133.219.25...
> > Connected to www.cisco.com.
> > Escape character is '^]'.
> > Connection closed by foreign host.
> > [EMAIL PROTECTED] root]#
> > 
> > ezequiel.
> > 
> > 
> > 
> 



RE: cisco site down?

2003-10-06 Thread Todd Mitchell - lists

| Ezequiel Carson
| Sent: Monday, October 06, 2003 11:23 AM
| hi,
|   can anyone use cisco site?
| 
| 
| [EMAIL PROTECTED] root]# telnet www.cisco.com 80
| Trying 198.133.219.25...
| Connected to www.cisco.com.
| Escape character is '^]'.
| Connection closed by foreign host.
| [EMAIL PROTECTED] root]#
| 
| ezequiel.

Works fine here:

phoenix:~# curl -I cisco.com
HTTP/1.1 200 OK
Date: Mon, 06 Oct 2003 15:29:11 GMT
Server: CCO/1.0 (Unix)
Set-Cookie: CP_GUTC=128.107.241.137.156921065454151936; path=/;
expires=Fri, 29-Sep-28 15:29:11 GMT; domain=.cisco.com
Content-Type: text/html
Connection: close

phoenix:~#

Todd

--



Re: cisco site down?

2003-10-06 Thread Martin Hepworth
Ezequiel Carson wrote:

> hi,
> can anyone use cisco site?
>
> [EMAIL PROTECTED] root]# telnet www.cisco.com 80
> Trying 198.133.219.25...
> Connected to www.cisco.com.
> Escape character is '^]'.
> Connection closed by foreign host.
> [EMAIL PROTECTED] root]#
>
> ezequiel.




doesn't work from UK either...

mozilla say 'document contains no data!

borken..:-(

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic Ltd
+44 (0)1865 842300


**
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.
This footnote also confirms that this email message has been swept by
MIMEsweeper for the presence of computer viruses.
www.mimesweeper.com
**


RE: cisco site down?

2003-10-06 Thread Wim De Houwer

works just fine from BE

> -Original Message-
> From: Martin Hepworth [mailto:[EMAIL PROTECTED]
> Sent: maandag 6 oktober 2003 17:26
> Cc: [EMAIL PROTECTED]
> Subject: Re: cisco site down?
> 
> 
> 
> Ezequiel Carson wrote:
> 
> > hi,
> > can anyone use cisco site?
> > 
> > 
> > [EMAIL PROTECTED] root]# telnet www.cisco.com 80
> > Trying 198.133.219.25...
> > Connected to www.cisco.com.
> > Escape character is '^]'.
> > Connection closed by foreign host.
> > [EMAIL PROTECTED] root]#
> > 
> > ezequiel.
> > 
> > 
> 
> 
> doesn't work from UK either...
> 
> mozilla say 'document contains no data!
> 
> borken..:-(
> 
> -- 
> Martin Hepworth
> Senior Systems Administrator
> Solid State Logic Ltd
> +44 (0)1865 842300
> 
> 
> 
> 
> 
> 


Re: cisco site down?

2003-10-06 Thread Ezequiel Carson

i was using galeon 1.3.5

now it seems to be working..
 
On Mon, 2003-10-06 at 12:26, Martin Hepworth wrote:
> Ezequiel Carson wrote:
> 
> > hi,
> > can anyone use cisco site?
> > 
> > 
> > [EMAIL PROTECTED] root]# telnet www.cisco.com 80
> > Trying 198.133.219.25...
> > Connected to www.cisco.com.
> > Escape character is '^]'.
> > Connection closed by foreign host.
> > [EMAIL PROTECTED] root]#
> > 
> > ezequiel.
> > 
> > 
> 
> 
> doesn't work from UK either...
> 
> mozilla say 'document contains no data!
> 
> borken..:-(



Re: VeriSign Capitulates

2003-10-06 Thread Owen DeLong

Quite the opposite.  It is a very carefully chosen set of words
indicating that:

1.  DNS didn't stop functioning.
2.  The internet did not fail to route packets because of this.

It carefully side-steps the other issues raised without looking like it
is ignoring them.  Verisign is a lousy DNS provider and an even worse
registry/registrar, but, they have great press writers.

Owen

--On Monday, October 6, 2003 10:54 AM +0100 [EMAIL PROTECTED] wrote:

>>   "There is no data to indicate the core operation of the domain name
>>   system or the stability of the Internet has been adversely affected,"
>>   VeriSign's Galvin said.
>
> This means that there are no papers published or
> conference presentations which detail the problems
> caused by sitefinder. A number of people who
> posted messages to this list could rectify that
> lack of data by writing up their findings in a short
> paper and presenting it at a conference or publishing
> it in a magazine or journal.
>
> I don't think the fight is over yet.
>
> --Michael Dillon








Earthlink contact

2003-10-06 Thread Sean Crandall

Greetings.

If there is someone from Earthlink who wouldn't mind talking about
Earthlink's experience with the Cisco 1, I would appreciate it if you
could contact me off list.

Thanks.

-Sean

Sean P. Crandall
VP Engineering Operations
MegaPath Networks Inc.
6691 Owens Drive
Pleasanton, CA  94588
(925) 201-2530 (office)
(925) 201-2550 (fax)





NSI privacy advocate

2003-10-06 Thread John Kinsella

I double checked...the press release isn't dated April 1...NSI talking
about privacy while keeping a straight face?

http://www.verisign.com/corporate/news/2003/pr_20030930.html



Re: Kiss-o'-death packets?

2003-10-06 Thread Peter Galbavy

E.B. Dreger wrote:
> HTTP implementations have had vulnerabilities due to insufficient
> checking.  Thus HTTP is a bad idea.
>
> SMTP implementations have had vulnerabilities due to insufficient
> checking.  Thus SMTP is a bad idea.
>
> SNMP implementations have had vulnerabilities due to insufficient
> checking.  Thus SNMP is a bad idea.
>
> Come to think of it, IP stacks have had vulnerabilities due to
> insufficient checking.  IP is a bad idea, too.

No, please do not twist my words; I referred to poor implementations of
good ideas. Nowhere did I say that the protocol is bad as a result of poor
implementations.

Peter



Comcast

2003-10-06 Thread Wesley Vaux

Is anyone having issues sending or receiving email to comcast.net?  Is there
anyone here from comcast? 


Wes Vaux, CCNA, CCDA 
Network Security Engineer


RE: cisco site down? multiple sources reporting connectivity problems

2003-10-06 Thread Brennan_Murphy

I'm on multiple mailing lists now with multiple persons reporting
connectivity issues to cisco.com.

Can anyone summarize what the issue is? 





-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Ezequiel Carson
Sent: Monday, October 06, 2003 11:41 AM
To: Martin Hepworth
Cc: [EMAIL PROTECTED]
Subject: Re: cisco site down?



i was using galeon 1.3.5

now it seems to be working..
 
On Mon, 2003-10-06 at 12:26, Martin Hepworth wrote:
> Ezequiel Carson wrote:
> 
> > hi,
> > can anyone use cisco site?
> > 
> > 
> > [EMAIL PROTECTED] root]# telnet www.cisco.com 80
> > Trying 198.133.219.25...
> > Connected to www.cisco.com.
> > Escape character is '^]'.
> > Connection closed by foreign host.
> > [EMAIL PROTECTED] root]#
> > 
> > ezequiel.
> > 
> > 
> 
> 
> doesn't work from UK either...
> 
> mozilla say 'document contains no data!
> 
> borken..:-(



Re: Kiss-o'-death packets?

2003-10-06 Thread E.B. Dreger

PG> Date: Mon, 6 Oct 2003 19:40:04 +0100
PG> From: Peter Galbavy


PG> No, please do not twist my words; I referred to poor
PG> implementations of good ideas. Nowhere did I say that the
PG> protocol is bad as a result of poor implementations.

You warned of the hazards of poor implementation.  Fine.  How did
this address Sean's comments?  It seemed as if your post intended
to address an additional hazard.  However, _all_ protocol stacks
require proper validity checks.  This isn't unique to { icmp
buggeroff | whatever } messages.


Eddy
--
Brotsman & Dreger, Inc. - EverQuick Internet Division
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita
_
  DO NOT send mail to the following addresses :
  [EMAIL PROTECTED] -or- [EMAIL PROTECTED] -or- [EMAIL PROTECTED]
Sending mail to spambait addresses is a great way to get blocked.



Re: Will reverting DNS wildcard have any adverse affects?

2003-10-06 Thread Joel Rowbottom
At 15:52 06/10/2003, Piotr KUCHARSKI wrote:

>>> do arbitrary changes to them. Marking "com" and "net" as delegation-only
>>> is not harming anything. (At least until ICANN changes its mind.)
>> According to this mail:
>> http://gnso.icann.org/mailing-lists/archives/registrars/msg00532.html
>> ... apparently it breaks IDN resolution.  Does anybody have the definite
>> word on that?
> Hm. And how would it suppose to break IDN resolution? Client encodes
> the hostname, then asks the DNS about already encoded name. So the
> bind receives the request about, say, "xn--szkoagwnahandlowa-lyb21mca.pl".

I don't think Niels was referring to the "proper" IDN solution, but more 
the stopgap implementation which Verisign pushed into service. It actually 
resembles Sitefinder in many ways :/

j
x
--
 Joel Rowbottom, http://www.centralnic.com - CTO and self-confessed Unix geek
  +44 (0)20 7751 9000  +44 (0)20 7736 9253  [EMAIL PROTECTED]
 # Note: Contents may not necessarily represent the opinions of CentralNic.


Re: cisco site down? multiple sources reporting connectivity problems

2003-10-06 Thread Regis M. Donovan

On Mon, Oct 06, 2003 at 11:54:41AM -0700, [EMAIL PROTECTED] wrote:
> I'm on multiple mailing lists now with multiple persons reporting
> connectivity issues to cisco.com.
>
> Can anyone summarize what the issue is?

i see timeouts after connecting via ie5.x and lynx.  if i telnet to port
80 and do a "GET /", i get a bunch of html but it just hangs until i
hit enter a few times at which point my OS informs me that the remote
host closed the connection.  so my guess would be that there's some problem
closing the connections after the web content goes out, so the browsers are
hanging waiting for the fin. 

--regis


RE: cisco site down? multiple sources reporting connectivity problems

2003-10-06 Thread Sean McPherson

> From: Brennan_Murphy 
> Date: Mon Oct 06 14:56:46 2003 
> 
> ---
>
> I'm on multiple mailing lists now with multiple persons reporting
> connectivity issues to cisco.com.
>
> Can anyone summarize what the issue is? 

I'm currently getting the following:

[EMAIL PROTECTED] /tmp]$ telnet www.cisco.com 80
GET / HTTP/1.0

HTTP/1.1 200 OK
Date: Mon, 06 Oct 2003 20:33:47 GMT
Server: CCO/1.0 (Unix)
Set-Cookie: CP_GUTC=128.107.241.137.13834106547242; path=/; 
expires=Fri, 29-Sep-28 20:33:47 GMT; domain=.cisco.com
Content-Type: text/html
Connection: close

Connection closed by foreign host.

And poof, that's it. No data. Try again, and I randomly get the whole 
page, part of the page down to the 'Feedback' line, or nothing.

Same thing happens from work (AT&T / Qwest) or from my cable modem at home 
(InsightBB.com). Mozilla/Firebird and IE (5 or 6) seem to treat it a bit 
differently, and so far, Galeon and Opera seem the most adept at handling 
it w/o spitting up when a page closes mid-stream.

Sean McPherson
nanog <@ is the at sign> seanmcpherson dotcom




Re: Will reverting DNS wildcard have any adverse affects?

2003-10-06 Thread Niels Bakker

* [EMAIL PROTECTED] (Joel Rowbottom) [Mon 06 Oct 2003, 22:34 CEST]:
> At 15:52 06/10/2003, Piotr KUCHARSKI wrote:
> 
>>>> do arbitrary changes to them. Marking "com" and "net" as
>>>> delegation-only is not harming anything. (At least until ICANN changes
>>>> its mind.)
>>> According to this mail:
>>> http://gnso.icann.org/mailing-lists/archives/registrars/msg00532.html
>>> ... apparently it breaks IDN resolution.  Does anybody have the
>>> definite word on that?
>> Hm. And how would it suppose to break IDN resolution? Client encodes
>> the hostname, then asks the DNS about already encoded name. So the bind
>> receives the request about, say, "xn--szkoagwnahandlowa-lyb21mca.pl".
> I don't think Niels was referring to the "proper" IDN solution, but
> more the stopgap implementation which Verisign pushed into service.
> It actually resembles Sitefinder in many ways :/

I only referred to the archived registrars mailing list posting; I'm not
following IDN much as, even though it's nice to see actual work being
done in that area, it does smell of VeriSign landgrab.

I'm interested in what has also broken due to the rash wildcard addition
by Verisign.  If anybody has any more technical information on this,
please step forward.

Regards,


-- Niels.


RE: cisco site down? multiple sources reporting connectivity problems

2003-10-06 Thread just me


They probably upgraded the code on their { CSSes | Localdirectors }.
;-)


On Mon, 6 Oct 2003, Sean McPherson wrote:

  And poof, that's it. No data. Try again, and I randomly get the whole
  page, part of the page down to the 'Feedback' line, or nothing.

  Same thing happens from work (AT&T / Qwest) or from my cable modem at home
  (InsightBB.com). Mozilla/Firebird and IE (5 or 6) seem to treat it a bit
  differently, and so far, Galeon and Opera seem the most adept at handling
  it w/o spitting up when a page closes mid-stream.

  Sean McPherson
  nanog <@ is the at sign> seanmcpherson dotcom




[EMAIL PROTECTED]<
   Flowers on the razor wire/I know you're here/We are few/And far
   between/I was thinking about her skin/Love is a many splintered
   thing/Don't be afraid now/Just walk on in. #include 



CCO/cisco.com issues.

2003-10-06 Thread Roland Dobbins


Folks,

We've been handling a multi-vector DDoS - 40-byte spoofed SYN-flooding 
towards www.cisco.com (198.133.219.25/32) as well as an HTTP-AUTH 
resource-exhaustion attack, and working these issues with our 
upstreams.  Our apologies for any inconveniences, and our thanks to 
those who've assisted in tracing and blocking the spoofed traffic.

We're continuing to work the issue, and would be grateful if operators 
would check for 40-byte spoofed TCP headed towards 198.133.219.25/32 
and trace/block it as warranted.  Your patience and understanding are 
greatly appreciated.

Thanks!

-
Roland Dobbins <[EMAIL PROTECTED]> // 408.527.6376 voice


Re: CCO/cisco.com issues.

2003-10-06 Thread Kai Schlichting

On Mon, 6 Oct 2003 14:01:31 -0700, Roland Dobbins wrote
> Folks,
> 
> We've been handling a multi-vector DDoS - 40-byte spoofed SYN-flooding 
> towards www.cisco.com (198.133.219.25/32) as well as an HTTP-AUTH 
> resource-exhaustion attack, and working these issues with our 
> upstreams.  Our apologies for any inconveniences, and our thanks to 
> those who've assisted in tracing and blocking the spoofed traffic.
> 
> We're continuing to work the issue, and would be grateful if 
> operators would check for 40-byte spoofed TCP headed towards 
> 198.133.219.25/32 and trace/block it as warranted.  Your patience and 
> understanding are greatly appreciated.
> 
> Thanks!
> 
> -
> Roland Dobbins <[EMAIL PROTECTED]> // 408.527.6376 voice

My mailbox has filled quite a bit (to the tune of a dozen-plus mails)
with comments along the lines of "don't quote me, NANOG is too important
for my work, I don't want to get on Sue Harris' bad side" since my last
so-called "off-topic" NANOG post (which all but *one* person, other than
Sue Harris, found to be "within range and reason").

The spammers,
the DDoS'ers,
the proxy scanners and rapists,
the SMTP auth crackers.
the trojan spreaders,
the DNSBL-DOS'ers,
the hardcore computer criminals
are the evil army of one?

The following well-remembered lines come to mind here, and excuse me if
you hear a slight hysterical laughter from my direction:


"First They Came for the Jews
 First they came for the Jews
 and I did not speak out
 because I was not a Jew.
 Then they came for the Communists
 and I did not speak out
 because I was not a Communist.
 Then they came for the trade unionists
 and I did not speak out
 because I was not a trade unionist.
 Then they came for me
 and there was no one left
 to speak out for me."

 Pastor Martin Niemöller



Re: Reverse DNS problem

2003-10-06 Thread Trent Arsenault
I've been in touch with ARIN on the same issue noticed at a different site.

According to ARIN, some older BIND resolvers aren't handling the referrals 
that they get back from the gtld-servers for some of ARIN's name servers. 
The problem started Thursday when ARIN changed the list of NS's for the 
ARIN in-addr.arpa zones.

ARIN is still investigating and I'm waiting to hear back.

Trent Arsenault
[EMAIL PROTECTED]
At 05:46 AM 10/6/2003, Schmiedt, Jamie wrote:

We have been experiencing problems with reverse DNS requests since 
Thursday 10/2/2003. Just wondering if anyone else is seeing this issue? 
This is affecting freeBSD & Linux hosts with Bind version 8.2.3 & 8.3.3.

Reverse Lookups fail as follows:
host0001$ nslookup
Default Server:  host0001.domain123.net
Address:  0.0.0.0
> ccn.com
Server:  host0001.domain123.net
Address:  0.0.0.0
Name:ccn.com
Address:  63.172.52.127
> 63.172.52.127
Server:  host0001.domain123.net
Address:  0.0.0.0
*** Request to host0001.domain123.net timed-out
>
tcpdump shows this:
16:32:21.864111 123.123.123.123.1024 > 192.12.94.30.53:  6333 A? chia.ARIN.NET. (31)
16:32:21.864298 123.123.123.123.1024 > 192.12.94.30.53:  48444 A? dill.ARIN.NET. (31)
16:32:21.864597 123.123.123.123.1024 > 192.12.94.30.53:  43887 A? henna.ARIN.NET. (32)
16:32:21.864754 123.123.123.123.1024 > 192.12.94.30.53:  13510 A? indigo.ARIN.NET. (33)
16:32:21.864910 123.123.123.123.1024 > 192.12.94.30.53:  6129 A? epazote.ARIN.NET. (34)
16:32:21.865067 123.123.123.123.1024 > 192.12.94.30.53:  61408 A? figwort.ARIN.NET. (34)
16:32:21.865222 123.123.123.123.1024 > 192.12.94.30.53:  38595 A? ginseng.ARIN.NET. (34)
16:32:21.865383 123.123.123.123.1024 > 192.36.148.17.53:  60682 PTR? 127.52.172.63.in-addr.arpa. (46)
16:32:21.932444 192.12.94.30.53 > 123.123.123.123.1024:  48444- 0/7/7 (271) (DF)
16:32:21.941921 192.12.94.30.53 > 123.123.123.123.1024:  6333- 0/7/7 (271) (DF)
16:32:21.951550 192.12.94.30.53 > 123.123.123.123.1024:  43887- 0/7/7 (272) (DF)
16:32:21.961288 192.12.94.30.53 > 123.123.123.123.1024:  13510- 0/7/7 (273) (DF)
16:32:21.970903 192.12.94.30.53 > 123.123.123.123.1024:  6129- 0/7/7 (274) (DF)
16:32:21.980540 192.12.94.30.53 > 123.123.123.123.1024:  61408- 0/7/7 (274) (DF)
16:32:21.990282 192.12.94.30.53 > 123.123.123.123.1024:  38595- 0/7/7 (274) (DF)
16:32:22.016671 192.36.148.17.53 > 123.123.123.123.1024:  60682- 0/7/0 (199) (DF)
16:32:22.017854 123.123.123.123.1024 > 192.54.112.30.53:  46181 A? chia.ARIN.NET. (31)
16:32:22.017883 123.123.123.123.1024 > 192.54.112.30.53:  28356 A? dill.ARIN.NET. (31)
16:32:22.017907 123.123.123.123.1024 > 192.54.112.30.53:  29015 A? henna.ARIN.NET. (32)
16:32:22.017932 123.123.123.123.1024 > 192.54.112.30.53:  39822 A? indigo.ARIN.NET. (33)
16:32:22.017958 123.123.123.123.1024 > 192.54.112.30.53:  25113 A? epazote.ARIN.NET. (34)
16:32:22.017984 123.123.123.123.1024 > 192.54.112.30.53:  7656 A? figwort.ARIN.NET. (34)
16:32:22.018008 123.123.123.123.1024 > 192.54.112.30.53:  53035 A? ginseng.ARIN.NET. (34)
16:32:22.142472 192.54.112.30.53 > 123.123.123.123.1024:  28356- 0/7/7 (271) (DF)
16:32:22.151936 192.54.112.30.53 > 123.123.123.123.1024:  46181- 0/7/7 (271) (DF)
16:32:22.161553 192.54.112.30.53 > 123.123.123.123.1024:  39822- 0/7/7 (273) (DF)
16:32:22.171199 192.54.112.30.53 > 123.123.123.123.1024:  29015- 0/7/7 (272) (DF)
16:32:22.180924 192.54.112.30.53 > 123.123.123.123.1024:  25113- 0/7/7 (274) (DF)
16:32:22.190561 192.54.112.30.53 > 123.123.123.123.1024:  53035- 0/7/7 (274) (DF)
16:32:22.200290 192.54.112.30.53 > 123.123.123.123.1024:  7656- 0/7/7 (274) (DF)
16:32:26.868123 123.123.123.123.1024 > 192.41.162.30.53:  32457 A? chia.ARIN.NET. (31)
16:32:26.868300 123.123.123.123.1024 > 192.41.162.30.53:  65240 A? dill.ARIN.NET. (31)
16:32:26.868452 123.123.123.123.1024 > 192.41.162.30.53:  15332 A? henna.ARIN.NET. (32)
16:32:26.868602 123.123.123.123.1024 > 192.41.162.30.53:  41975 A? indigo.ARIN.NET. (33)
16:32:26.868753 123.123.123.123.1024 > 192.41.162.30.53:  21934 A? epazote.ARIN.NET. (34)
16:32:26.868905 123.123.123.123.1024 > 192.41.162.30.53:  56761 A? figwort.ARIN.NET. (34)
16:32:26.869057 123.123.123.123.1024 > 192.41.162.30.53:  52488 A? ginseng.ARIN.NET. (34)
16:32:26.869208 123.123.123.123.1024 > 198.41.0.4.53:  64459 PTR? 127.52.172.63.in-addr.arpa. (46)
16:32:26.923374 192.41.162.30.53 > 123.123.123.123.1024:  32457- 0/7/7 (271) (DF)
16:32:26.930326 198.41.0.4.53 > 123.123.123.123.1024:  64459- 0/7/0 (199)
16:32:26.931103 123.123.123.123.1024 > 192.52.178.30.53:  45170 A? chia.ARIN.NET. (31)
16:32:26.939982 192.41.162.30.53 > 123.123.123.123.1024:  15332- 0/7/7 (272) (DF)
16:32:26.949578 192.41.162.30.53 > 123.123.123.123.1024:  65240- 0/7/7 (271) (DF)
16:32:26.959220 192.41.162.30.53 > 123.123.123.123.1024:  41975- 0/7/7 (273) (DF)
16:32:26.968842 192.41.162.30.53 > 123.123.123.123.1024:  21934- 0/7/7 (274) (DF)
16:32:26.978581 192.41.162.30.53 > 123.123.123.123.1024:  56761- 0/7/7 (274) (DF
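
The capture above can be summarised mechanically. The following is an added example, not part of the original message: it rejoins mail-wrapped tcpdump lines, pairs each query ID with its response, and labels a response with zero answer records and a non-empty authority section as a referral (the three counts in `0/7/7` are answer/authority/additional records). The sample lines are copied from the capture above; the function names are hypothetical.

```python
import re

# Lines copied from the capture in the message above, still mail-wrapped.
SAMPLE = """\
16:32:21.864111 123.123.123.123.1024 > 192.12.94.30.53:  6333 A?
chia.ARIN.NET. (31)
16:32:21.864298 123.123.123.123.1024 > 192.12.94.30.53:  48444 A?
dill.ARIN.NET. (31)
16:32:21.865383 123.123.123.123.1024 > 192.36.148.17.53:  60682 PTR?
127.52.172.63.in-addr.arpa. (46)
16:32:21.932444 192.12.94.30.53 > 123.123.123.123.1024:  48444- 0/7/7
(271) (DF)
16:32:21.941921 192.12.94.30.53 > 123.123.123.123.1024:  6333- 0/7/7 (271)
(DF)
16:32:22.016671 192.36.148.17.53 > 123.123.123.123.1024:  60682- 0/7/0
(199) (DF)
16:32:22.017854 123.123.123.123.1024 > 192.54.112.30.53:  46181 A?
chia.ARIN.NET. (31)
"""

TIMESTAMP = re.compile(r"^\d\d:\d\d:\d\d\.\d+ ")
PACKET = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+):\s+"
    r"(?P<id>\d+)(?P<flags>[-+*|$%]*)\s+(?P<rest>.*)$"
)
QUERY = re.compile(r"^(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+)")
COUNTS = re.compile(r"^(?P<an>\d+)/(?P<ns>\d+)/(?P<ar>\d+)")


def rejoin(text):
    """Undo mail wrapping: a line without a leading timestamp continues the previous record."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if TIMESTAMP.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def split_endpoint(endpoint):
    """'192.12.94.30.53' -> ('192.12.94.30', 53)"""
    host, port = endpoint.rsplit(".", 1)
    return host, int(port)


def parse(record):
    """Parse one rejoined tcpdump DNS line into a query or response dict, else None."""
    m = PACKET.match(record)
    if not m:
        return None
    src, dst = split_endpoint(m["src"]), split_endpoint(m["dst"])
    q = QUERY.match(m["rest"])
    if q:
        return {"kind": "query", "id": int(m["id"]), "client": src, "server": dst,
                "qtype": q["qtype"], "qname": q["qname"]}
    c = COUNTS.match(m["rest"])
    if c:
        return {"kind": "response", "id": int(m["id"]), "client": dst, "server": src,
                "counts": (int(c["an"]), int(c["ns"]), int(c["ar"]))}
    return None


def classify(counts):
    """Label a response by its answer/authority/additional record counts."""
    answers, authority, _additional = counts
    if answers > 0:
        return "answer"
    return "referral" if authority > 0 else "empty"


def correlate(text):
    """Pair responses with queries on (client, server, id); return (rows, unanswered)."""
    pending, rows = {}, []
    for record in rejoin(text):
        pkt = parse(record)
        if pkt is None:
            continue
        key = (pkt["client"], pkt["server"], pkt["id"])
        if pkt["kind"] == "query":
            pending[key] = pkt
            continue
        query = pending.pop(key, None)
        rows.append({
            "qtype": query["qtype"] if query else None,
            "qname": query["qname"] if query else None,
            "server": pkt["server"][0],
            "counts": pkt["counts"],
            "result": classify(pkt["counts"]),
        })
    unanswered = [(q["qtype"], q["qname"], q["server"][0]) for q in pending.values()]
    return rows, unanswered


if __name__ == "__main__":
    rows, unanswered = correlate(SAMPLE)
    for row in rows:
        print(row["server"], row["qtype"], row["qname"], row["counts"], row["result"])
    for qtype, qname, server in unanswered:
        print("no response seen:", qtype, qname, "from", server)
```
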

Re[2]: CCO/cisco.com issues.

2003-10-06 Thread Allan Liska

Hello Kai,

Monday, October 6, 2003, 6:39:49 PM, you wrote:

KS> The following well-remembered lines come to mind here, and excuse me if
KS> you hear a slight hysterical laughter from my direction:


I don't know what your post has to do with the original topic, but if
you don't like the way NANOG is moderated, please feel free to start
your own Network Operators mailing list.

As far as comparing NANOG moderation to Nazi Germany that is
disgusting and beneath contempt.


allan
- --
Allan Liska
[EMAIL PROTECTED]
http://www.allan.org
http://www.hosthideout.com





Re[2]: CCO/cisco.com issues.

2003-10-06 Thread jlewis

On Mon, 6 Oct 2003, Allan Liska wrote:

> KS> The following well-remembered lines come to mind here, and excuse me if
> KS> you hear a slight hysterical laughter from my direction:
> 
> I don't know what your post has to do with the original topic, but if
> you don't like the way NANOG is moderated, please feel free to start
> your own Network Operators mailing list.

I'm only guessing here, but I think what he may have meant was:

First They Came for the IRC bots
and I did not speak out
because I did not run a bot.
Then They Came for the IRC servers
and I did not speak out
because I did not run an IRC server.
...skip a few years...
Then They Came for the DNSBLs
and I did not speak out
because I did not run a DNSBL.

Now that they've come for cisco, maybe law enforcement, network operators, 
and router vendors will all get their $h!t together and do something to 
put a stop to these DDoS attacks that have been going on in various forms 
for several years.

A handful of people (an assumption on my part) have the power /
distributed bandwidth to bring just about any internet site/network to its
knees using the distributed.net meets DoS tools they've created and
distributed to thousands, perhaps millions of internet connected windows
boxes.

Anyone who doesn't think that's an operational issue, just wait until it 
bites you on the ass. 

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_





Re: CCO/cisco.com issues.

2003-10-06 Thread Laurence F. Sheldon, Jr.

[EMAIL PROTECTED] wrote:
> 
> On Mon, 6 Oct 2003, Allan Liska wrote:
> 
> > KS> The following well-remembered lines come to mind here, and excuse me if
> > KS> you hear a slight hysterical laughter from my direction:
> >
> > I don't know what your post has to do with the original topic, but if
> > you don't like the way NANOG is moderated, please feel free to start
> > your own Network Operators mailing list.
> 
> I'm only guessing here, but I think what he may have meant was:
> 
> First They Came for the IRC bots
> and I did not speak out
> because I did not run a bot.
> Then They Came for the IRC servers
> and I did not speak out
> because I did not run an IRC server.
> ...skip a few years...
> Then They Came for the DNSBLs
> and I did not speak out
> because I did not run a DNSBL.
> 
> Now that they've come for cisco, maybe law enforcement, network operators,
> and router vendors will all get their $h!t together and do something to
> put a stop to these DDoS attacks that have been going on in various forms
> for several years.
> 
> A handful of people (an assumption on my part) have the power /
> distributed bandwidth to bring just about any internet site/network to its
> knees using the distributed.net meets DoS tools they've created and
> distributed to thousands, perhaps millions of internet connected windows
> boxes.
> 
> Anyone who doesn't think that's an operational issue, just wait until it
> bites you on the ass.

Now we have clear evidence that there are no less than three who 
understand the threat.


Re: Re[2]: CCO/cisco.com issues.

2003-10-06 Thread Valdis . Kletnieks
On Mon, 06 Oct 2003 19:38:38 EDT, [EMAIL PROTECTED] said:

> A handful of people (an assumption on my part) have the power /
> distributed bandwidth to bring just about any internet site/network to its
> knees using the distributed.net meets DoS tools they've created and
> distributed to thousands, perhaps millions of internet connected windows
> boxes.

Zombie networks of 10K or 20K machines all controlled by *one* black
hat are not uncommon now, and I've seen a citation for a single net of 140K.

Let's assume the interesting hosts are on cablemodem, that they have 2Mbit/sec
connectivity, and that one black hat has 10K (if you prefer, he's got 20K but
the rest are on slow links).  Now tell me - how many of you have enough
*excess* bandwidth that you can afford not to worry about suddenly being handed
a 200Gbit/sec inbound stream?  And if you don't have enough spare capacity,
are you set up to deal with 10K machines attacking, quite possibly with spoofed
addresses because your peers don't ingress filter?

Remember guys - Yahoo got whacked by MafiaBoy using only several hundred
machines.  You could be the recipient of a flood 200 times bigger.

And if you're not ready, it won't be an operational issue - it will be a
NON-operational issue, because that's what your network will be





Re: CCO/cisco.com issues.

2003-10-06 Thread Peter E. Fry

On 6 Oct 2003 at 19:22, Allan Liska wrote:

> I don't know what your post has to do with the original topic, but if
> you don't like the way NANOG is moderated, please feel free to start
> your own Network Operators mailing list.
> 
> As far as comparing NANOG moderation to Nazi Germany that is
> disgusting and beneath contempt.

  Read it again.  He has a point (not yours).
  Perhaps this should be an agenda topic for the upcoming get-
together: A common strategy for dealing with Internet crime.  Much of 
it does appear to have common roots.  (And I'm not even a conspiracy 
buff.)
  Hm.  Oddly enough there's a blurb on  that 
follows this somewhat: .

Peter E. Fry



Re: CCO/cisco.com issues.

2003-10-06 Thread Charles Sprickman


> > First They Came for the IRC bots
> > and I did not speak out
> > because I did not run a bot.
> > Then They Came for the IRC servers
> > and I did not speak out
> > because I did not run an IRC server.
> > ...skip a few years...
> > Then They Came for the DNSBLs
> > and I did not speak out
> > because I did not run a DNSBL.

> > Anyone who doesn't think that's an operational issue, just wait until it
> > bites you on the ass.

Let's add a very important line:

"Then They Came for the OC-3 or smaller connections
and I did not speak out
because I run fat OC-12 - OC-48 pipes"

It's my guess that the "top providers" that ignore cries for help because
they can sink the traffic (and bill for it) without breaking a sweat will
one day find themselves without a plan and without a clue when the Kiddiez
come pounding down the door with something that can saturate their pipes
and bring a major customer down.  I hope we don't have to wait until that
time comes around to figure out how to cooperate.

> Now we have clear evidence that there are no less than three who
> understand the threat.

Heh.  Why things like this don't scare everyone on this list sh*tless is
beyond me.

If anyone ever sees garbage coming out of 8059, hit the abuse@ address or
peek at Jared's list for phone info.

Charles


Re: CCO/cisco.com issues.

2003-10-06 Thread Richard Cox

On Mon, 06 Oct 2003 18:45:15 -0500
"Laurence F. Sheldon, Jr." <[EMAIL PROTECTED]> wrote:

| Now we have clear evidence that there are no less than three who
| understand the threat.

If you mean the threat from those who will attack and disable sites
because they don't like what people at those sites say or do, then I
assure you there are many who do understand that threat; some of whom
can see little difference in terms of effect between DDoS attacks run
by individuals, and the null-routing by a backbone network of IPs (or
ranges of IPs) for which they make BGP announcements.

Both are actions designed to interfere with individual freedoms;
both are serious operational issues, and need to be discussed here.

Or was it a different kind of threat that you were referring to, which
might have discouraged some who understand the real threat from talking
about it?

-- 
Richard Cox







Re: CCO/cisco.com issues.

2003-10-06 Thread Allan Liska

Hello Allan,

Monday, October 6, 2003, 7:22:30 PM, you wrote:


AL> As far as comparing NANOG moderation to Nazi Germany that is
AL> disgusting and beneath contempt.


My apologies to Kai and the list, I misread -- to some extent -- the
original meaning of the post.  My comments were certainly harsher than
warranted.


allan
- --
Allan Liska
[EMAIL PROTECTED]
http://www.allan.org
http://www.hosthideout.com





Re: CCO/cisco.com issues.

2003-10-06 Thread ed

> > Anyone who doesn't think that's an operational issue, just wait until it
> > bites you on the ass.
>
> Now we have clear evidence that there are no less than three who
> understand the threat.

My first thought was that the DDoS was a means of obscuring access to
patches for other vulnerabilities that might be simultaneously exploited.
I'm assuming, though not certain, that Cisco would have alternative
distribution/communication/update channels in such an event, but is that
indeed the case?

 -ed
-
[EMAIL PROTECTED]



Re: CCO/cisco.com issues.

2003-10-06 Thread Stephen J. Wilcox

On Mon, 6 Oct 2003, [EMAIL PROTECTED] wrote:

> > > Anyone who doesn't think that's an operational issue, just wait until it
> > > bites you on the ass.
> >
> > Now we have clear evidence that there are no less than three who
> > understand the threat.
> 
> My first thought was that the DDoS was a means of obscuring access to
> patches for other vulnerabilities that might be simultaneously exploited.
> I'm assuming, though not certain, that Cisco would have alternative
> distribution/communication/update channels in such an event, but is that
> indeed the case?

My access to ftp.cisco.com is working fine whilst the website remains down..

Steve



Re: CCO/cisco.com issues.

2003-10-06 Thread ed

> > I'm assuming, though not certain, that Cisco would have alternative
> > distribution/communication/update channels in such an event, but is that
> > indeed the case?
>
> My access to ftp.cisco.com is working fine whilst the website remains down..

Hi Steve,

No I do realize that what I suggested in my email was just a scenario
removed from the case at hand.  What I was suggesting though is that 1) if
the portals of distribution (http and ftp) were DDoS'd, say as a precursor
to exploitation of some other vulnerability.  I was not trying to suggest
that all means of communication were blocked and that this particular
instance was one of an opportunistic DDoS.  Sorry if I was unclear.



-ed
-
[EMAIL PROTECTED]



Re: Comcast

2003-10-06 Thread Suresh Ramasubramanian
Wesley Vaux [10/7/2003 12:15 AM] :

> Is anyone having issues sending or receiving email to comcast.net?  Is there
> anyone here from comcast?

Works for me - but a trifle slow.

[EMAIL PROTECTED] 06:18:18 [~]$ dnsmx comcast.net
5 gateway-r.comcast.net
5 gateway-s.comcast.net
[EMAIL PROTECTED] 06:44:59 [~]$ telnet gateway-r.comcast.net 25
Trying 216.148.227.126...
Connected to gateway-r.comcast.net.
Escape character is '^]'.
220 rwcrmxc13.comcast.net - Maillennium ESMTP/MULTIBOX rwcrmxc13 #221
ehlo frodo.hserus.net
250-rwcrmxc13.comcast.net
250-7BIT
250-8BITMIME
250-DSN
250-EXPN
250-HELP
250-NOOP
250-PIPELINING
250-SIZE 10485760
250-VERS V04.61c++
250 XMVP 2
mail from: <[EMAIL PROTECTED]>
250 ok
rcpt to: <[EMAIL PROTECTED]>
250 ok
rset
250 ok
quit
221 rwcrmxc13.comcast.net

If this is a block issue that you are looking at, trying to contact 
their postmaster team might be a good idea.

--
Suresh Ramasubramanian <[EMAIL PROTECTED]> gpg# EDEDEFB9
Security and Antispam Operations Manager, Outblaze Limited


Re: Is there anything that actually gets users to fix their computers?

2003-10-06 Thread Kee Hinckley
At 8:15 PM -0400 10/6/03, Jeffrey S. Young wrote:
> It's a difficult thing for all of us when j.random users start to discover
> things like personal firewall.  I had one threaten me personally with
> 'investigation' by the FBI because "my system was attempting to break
> into his PC"  He sent it to my account, no cc: to abuse.

I'm quite sure these are off topic.  But I have to say my favorite 
response came early in the wormalert hoax, when I was attempting to 
respond by hand to people asking them to stop sending us email.  I 
received this reply.

Gather evil into your briars
Reflect negativity back to its sender
all ill will or any blight
Snatch from the air and send it back in flight
Seek out the one who did this deed
That it return to them thrice
by magick's creed
Hence more contact made by he
spew his negativity back times three.
So Mote It Be

I'd never been formally cursed before.  Sure beats a DoS attack.

--
Kee Hinckley
http://www.messagefire.com/ Next Generation Spam Defense
http://commons.somewhere.com/buzz/  Writings on Technology and Society

I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.


Re: CCO/cisco.com issues.

2003-10-06 Thread Ariel Biener

On Mon, 6 Oct 2003, Peter E. Fry wrote:



 Hi,



   As a Jew, I must admit that I also understood the point, and didn't
think of Nazi Germany, although you'd think it would evoke an immediate
emotional reaction (which it admittedly did), but that reaction did not
cloud my judgement.

   I think it's safe to assume that most people on this list have a reason
for being on it. Although I am not trying to say that sometimes we get to
see posts that are ... well, that shouldn't be sent before thinking, it
would be wise to read an e-mail twice, even three times, before assuming
mal-intent from its originator.

peace,

--Ariel

> Read it again.  He has a point (not yours).
> Perhaps this should be an agenda topic for the upcoming get-
> together: A common strategy for dealing with Internet crime.  Much of
> it does appear to have common roots.  (And I'm not even a conspiracy
> buff.)
> Hm.  Oddly enough there's a blurb on  that
> follows this somewhat: .
>
> Peter E. Fry
>

--
Ariel Biener
e-mail: [EMAIL PROTECTED]
PGP(6.5.8) public key http://www.tau.ac.il/~ariel/pgp.html



Verisign's public opinion play

2003-10-06 Thread Kee Hinckley
Take your blood pressure medicine before reading this one.
http://news.com.com/2010-1071-5086769.html
Apparently our objections stem from our lingering resentment over the 
commercial use of the internet.

In case you're wondering who the author is, since neither the bio on 
the page or Verisign's site is helpful.  Mark McLaughlin is a former 
lawyer who moved into Marketing and Biz Development (Caere, Gemplus, 
Signio and then Verisign payments).
--
Kee Hinckley
http://www.messagefire.com/ Next Generation Spam Defense
http://commons.somewhere.com/buzz/  Writings on Technology and Society

I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.


[MEDIA] McLaughlin Defends Site Finder As 'Innovation'

2003-10-06 Thread wayne


As seen on /.

http://news.com.com/2010-1071-5086769.html

Mark McLaughlin, senior VP of Verislime, has an editorial on news.com
claiming that ICANN is stifling innovation and forcing the internet to
stagnate.

The PR machine is out in force and painting anyone who disagrees with
them as anti-capitalistic loonies.

-wayne



Re: Verisign's public opinion play

2003-10-06 Thread Brian Bruns

Wish someone who was good with the clue-axe would take a swing at these
dolts.

We all know they are crying babies because their new method of profit was
shut down.

Now, the interesting question will be, how can we prevent them from adding
sitefinder again?


--
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.2mbit.com
ICQ: 8077511
- Original Message - 
From: "Kee Hinckley" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, October 06, 2003 11:12 PM
Subject: Verisign's public opinion play


>
> Take your blood pressure medicine before reading this one.
> http://news.com.com/2010-1071-5086769.html
> Apparently our objections stem from our lingering resentment over the
> commercial use of the internet.
>
> In case you're wondering who the author is, since neither the bio on
> the page or Verisign's site is helpful.  Mark McLaughlin is a former
> lawyer who moved into Marketing and Biz Development (Caere, Gemplus,
> Signio and then Verisign payments).
> -- 
> Kee Hinckley
> http://www.messagefire.com/ Next Generation Spam Defense
> http://commons.somewhere.com/buzz/  Writings on Technology and Society
>
> I'm not sure which upsets me more: that people are so unwilling to accept
> responsibility for their own actions, or that they are so eager to regulate
> everyone else's.
>




Re: [MEDIA] McLaughlin Defends Site Finder As 'Innovation'

2003-10-06 Thread Brian Bruns

You know who/what this sounds like?

Microsoft.

When smacked down about IE integration and WMP integration, they screamed
bloody murder and claimed freedom of innovation.  Exactly what
NetSol/Verisign is doing.  Maybe they have the same PR firm?

--
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.2mbit.com
ICQ: 8077511
- Original Message - 
From: "wayne" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, October 06, 2003 11:14 PM
Subject: [MEDIA] McLaughlin Defends Site Finder As 'Innovation'


>
>
> As seen on /.
>
> http://news.com.com/2010-1071-5086769.html
>
> Mark McLaughlin, senior VP of Verislime, has an editorial on news.com
> claiming that ICANN is stifling innovation and forcing the internet to
> stagnate.
>
> The PR machine is out in force and painting anyone who disagrees with
> them as anti-capitalistic loonies.
>
> -wayne
>
>




Utah to deploy public owned fiber to 17 cities

2003-10-06 Thread Eric Kuhnke

 From the CANET-NEWS list, this seems relevant to network operations...

>For more information on this item please visit the CANARIE CA*net 4 Optical 
>Internet program web site at http://www.canarie.ca/canet4/library/list.html
>---
>
>[From www.convergedigest.com -- BSA]
>
>Utah's UTOPIA Project Plans Widescale FTTH Deployment
>Salt Lake City and 17 other cities across the state of Utah are planning to
>build a publicly-owned, fiber telecommunications network that would reach
>nearly 250,000 homes and 35,000 businesses, representing a population of about
>724,000. The Utah Telecommunications Open Infrastructure Agency (UTOPIA)
>plans to build the network and then act as a municipally-owned wholesale
>carrier. The project plans to issue 15 to 20 year bonds that would be paid
>for by leasing capacity on the network to various service providers and
>ISPs. It is not expected to raise the tax base for the communities served.
>
>UTOPIA plans to use an "Open Service Provider Network" model developed by
>Dynamic City, which serves as consultant for the project. The first phase of
>the rollout will connect some 15,000 homes beginning in early 2004. UTOPIA's
>Fiber-to-the-home (FTTH) will use an active architecture rather than a PON
>design. Riverstone Networks has been selected to provide core electronics
>and access distribution systems. Allied Telesyn's RG223 Residential Gateway
>has been chosen as the customer premises solution for the network. The RG223
>features two analog phone ports, three 10/100 Ethernet LAN ports, and
>supports IGMP for secure and efficient multicast video. Allied Telesyn's
>product distributes traditional voice and multiple IP-based services
>throughout a home, including broadband Internet access, VoIP, broadcast
>television, and video on demand. The gateway, which would be placed inside
>the home, directly terminates the fiber connection. A category 5 Ethernet
>cable is used to connect to an IP set-up box.
>http://www.utopianet.org/
>http://www.dynamiccity.com
>http://www.alliedtelesyn.com
>06-Oct-03
>
>Wave7 Optics Selected for Large FTTP Deployment in Tenn.
>The Jackson Energy Authority (JEA) of Jackson, Tennessee, a municipal
>utility, selected Wave7 Optics for a fiber-to-the-premises (FTTP) network
>that is expected to pass some 31,000 homes and businesses in 2005. Jackson
>Energy is the local electrical utility. Wave7 is scheduled to begin
>delivering network equipment in December 2003 and JEA anticipates it will
>initiate deployment in Q1 2004. The network will be used to deliver over 250
>analog and digital cable television channels, high-speed (up to 500 Mbps)
>two-way business and residential Internet connections, full featured POTS
>and IP telephony (as a carrier's carrier for local CLECs). Commercial
>activation of the network is expected in Q2 2004. Wave7's solution is an IP
>and Ethernet optical access system that provides all traditional
>"carrier-grade" telephone services (including fax), high-speed data (e.g.,
>Internet service) and both analog and digital video (including IP streaming
>video). Wave7 provides standard data, telephone and CATV interfaces at its
>customer premise devices, accommodating existing home and business
>telephone, television and computer systems. Financial terms were not
>disclosed.
>http://www.wave7optics.com
>http://www.jaxenergy.com
>06-Oct-03
>
>
>
>-
>To subscribe or unsubscribe to the CANARIE-NEWS list please send e-mail to:
>
>[EMAIL PROTECTED]
>
>In the body of the e-mail:
>
>subscribe news
>end
>
>-
>
>These news items and comments are mine alone and do not necessarily reflect
>those  of the CANARIE board or management.
>---
>[EMAIL PROTECTED]
>[EMAIL PROTECTED]
>www.canarie.ca/~bstarn
> 




Re: Verisign's public opinion play

2003-10-06 Thread Mike Tancsa


The one that pisses me off more is

http://news.com.com/2100-1038_3-5087139.html?tag=nefd_top

The article makes me wonder if CNET is the press, or an outlet for press 
releases.  The Internet community is almost uniform in expressing outrage 
for numerous REAL reasons, yet CNET says it's from the Internet's technical 
"old guard"  Sorry, so where is the "new guard" calling for Verisign to 
come back with sitefinder ?  Also CNET leaves unchallenged the 'excuse of 
the day' that Verisign without site finder "will not be able to protect the 
Net's critical infrastructure"...

---Mike

At 11:12 PM 06/10/2003, Kee Hinckley wrote:

Take your blood pressure medicine before reading this one.
http://news.com.com/2010-1071-5086769.html
Apparently our objections stem from our lingering resentment over the 
commercial use of the internet.

In case you're wondering who the author is, since neither the bio on the 
page or Verisign's site is helpful.  Mark McLaughlin is a former lawyer 
who moved into Marketing and Biz Development (Caere, Gemplus, Signio and 
then Verisign payments).
--
Kee Hinckley
http://www.messagefire.com/ Next Generation Spam Defense
http://commons.somewhere.com/buzz/  Writings on Technology and Society

I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.



sitefinder technical discussions

2003-10-06 Thread Mark Kosters

In the interest of gaining more community review and comment, a discussion 
list has been set up to discuss factually-based technical issues
and solutions surrounding the operational impact of wildcards in
top-level domains on Internet applications.

VeriSign technical people will participate in discussions that are within
the scope for this mailing list.

The list is [EMAIL PROTECTED]

To subscribe or unsubscribe the usual "-request" convention works.  Send
a message to:

[EMAIL PROTECTED]

Put "subscribe" or "unsubscribe" in the body of the message.

Regards,
Mark

-- 

Mark Kosters[EMAIL PROTECTED]   Verisign Applied Research


Re: Verisign's public opinion play

2003-10-06 Thread Mark Rogaski
An entity claiming to be Mike Tancsa ([EMAIL PROTECTED]) wrote:
: 
: 
: The one that pisses me off more is
: 
: http://news.com.com/2100-1038_3-5087139.html?tag=nefd_top
: 

Here's an interesting slip:


At the press conference Monday, VeriSign said it is convening
a panel of Internet experts to evaluate the technical fallout 
from its change.


Are they saying that they had neglected to evaluate the impact before they
inserted the wildcard?

Mark

-- 
[] Mark 'Doc' Rogaski   |  Consistency requires you to be as
[] [EMAIL PROTECTED]|  ignorant today as you were a year ago.
[] 1994 Suzuki GS500ER  |-- Bernard Berenson
[] 1975 Yamaha RD250B   |




Re: sitefinder technical discussions

2003-10-06 Thread Alex Rubenstein


Translation:


> In the interest of gaining more community review and comment, a discussion
> list has been set up to discuss factually-based technical issues
> and solutions surrounding the operational impact of wildcards in
> top-level domains on Internet applications.
>
> VeriSign technical people will participate in discussions that are within
> the scope for this mailing list.

"Verisign will discuss the technical impact of this issue on this list.
However, we all agree there is no technical impact, since this works.
Furthermore, by limiting this list to a technical conversation, we will
completely ignore the political impact, and political correctness of these
acts in any forum."

Having been involved in the community internet for as long as I have, I
want to retch. I'd think Mark would be one of those, as well.







Re: Verisign's public opinion play

2003-10-06 Thread Howard C. Berkowitz
At 11:15 PM -0400 10/6/03, Brian Bruns wrote:
> Wish someone who was good with the clue-axe would take a swing at these
> dolts.
>
> We all know they are crying babies because their new method of profit was
> shut down.
>
> Now, the interesting question will be, how can we prevent them from adding
> sitefinder again?

/* begin Karnak the Magnificent soothsaying

Next, they will put an "improvement" into reverse DNS.  Whenever 
there's no corresponding domain, it will take you to rednifetis.com.

Baghdad Bob, fresh from "there is no tank behind me", will be the new 
spokesman.

/* end sooth

You know, I almost looked to see if rednifetis.com is assigned, and 
decided I don't want to know.


RE: Re[2]: CCO/cisco.com issues.

2003-10-06 Thread Terry Baranski

>> We've been handling a multi-vector DDoS - 40-byte spoofed 
>> SYN-flooding towards www.cisco.com 
>
> Now that they've come for cisco, maybe law enforcement,
> network operators, and router vendors will all get their 
> $h!t together and do something to put a stop to these DDoS 
> attacks that have been going on in various forms for several 
> years.

Maybe this will have the positive effect of motivating Cisco to do more
to encourage best practices such as edge anti-spoof filtering.  To begin
with, Barry Green's presentations on these issues are hidden away on
his/Cisco's FTP server (ftp://ftp-eng.cisco.com/cons/) -- maybe it would
be beneficial to put them (along with write-ups) in an easily-accessible
and often-visited area of the main site where people will see them. 

These issues aren't just for ISPs: if edge networks would filter their
borders, ISPs wouldn't have to do it for them. (Or in most cases, fail
to do it for them.)

-Terry



Re: CCO/cisco.com issues.

2003-10-06 Thread Suresh Ramasubramanian
Terry Baranski [10/7/2003 6:05 AM] :

> Maybe this will have the positive effect of motivating Cisco to do more
> to encourage best practices such as edge anti-spoof filtering.  To begin
> with, Barry Green's presentations on these issues are hidden away on
> his/Cisco's FTP server (ftp://ftp-eng.cisco.com/cons/) -- maybe it would
> be beneficial to put them (along with write-ups) in an easily-accessible
> and often-visited area of the main site where people will see them.

There is of course BCP 38 for starters - 
http://www.armware.dk/RFC/bcp/bcp38.html

	srs

--
Suresh Ramasubramanian <[EMAIL PROTECTED]> gpg# EDEDEFB9
Security and Antispam Operations Manager, Outblaze Limited


Re: Verisign's public opinion play

2003-10-06 Thread william

On Mon, 6 Oct 2003, Mike Tancsa wrote:
> 
> The one that pisses me off more is
> 
> http://news.com.com/2100-1038_3-5087139.html?tag=nefd_top
"Lewis said the company needs to make money from new services such as 
SiteFinder, or it will not be able to protect the Net's critical 
infrastructure. He cited a hacker's attack on the domain name system last 
year, in which VeriSign servers remained relatively unscathed--largely 
because of the 'substantial amount of capital we've had to invest,' he said."

I propose we make it easier for everyone and first of all Verisign and 
relocate "Net's critical infrastructure" away from Verisign and let
others who have shown to be just as good at handling these complex issues 
without compromising "Net's critical infrastructure" in order to promote 
its own commercial goals.

P.S. Blood pressure medicine is not enough, after reading these two 
articles from CNET, I'm now sick to my stomach... Are we really going
to let Verisign play this corporate interest misinformation campaign in 
the media like that? I don't want the rest of the net ending up like 
netscape (corporation, not the browser software), especially considering
such clear parallels between Verisign and Microsoft.

> At 11:12 PM 06/10/2003, Kee Hinckley wrote:
> 
> >Take your blood pressure medicine before reading this one.
> >http://news.com.com/2010-1071-5086769.html
> >Apparently our objections stem from our lingering resentment over the 
> >commercial use of the internet.
> >
> >In case you're wondering who the author is, since neither the bio on the 
> >page or Verisign's site is helpful.  Mark McLaughlin is a former lawyer 
> >who moved into Marketing and Biz Development (Caere, Gemplus, Signio and 
> >then Verisign payments).
> >--
> >Kee Hinckley
> >http://www.messagefire.com/ Next Generation Spam Defense
> >http://commons.somewhere.com/buzz/  Writings on Technology and Society
> >
> >I'm not sure which upsets me more: that people are so unwilling to accept
> >responsibility for their own actions, or that they are so eager to regulate
> >everyone else's.




Re: CCO/cisco.com issues.

2003-10-06 Thread Matt
As the bandwidth ramps up on the access side, this problem is only going 
to become more and more prevalent (as if it's not already enough of a 
problem).  While I don't think filtering is the silver bullet, it can 
certainly help at times.  I think some of the larger watch sites (eg 
SANS, etc.) out there have the right idea - even though reactive in 
nature, almost real-time dissemination of attack vectors and trending of 
methods goes a long way towards slowing down some of these attacks. 
Unfortunately, these single target attacks, such as attacks on Cisco, 
Ebay, Yahoo, etc. cannot be entirely thwarted if the attacker(s) is/are 
determined enough.  We could go down the client side discussion (you 
know, the one about certain software vendors, etc.) but that topic has 
already been covered in great length.




Re: Verisign's public opinion play

2003-10-06 Thread Mark Radabaugh


- Original Message - 
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, October 06, 2003 10:04 PM
Subject: Re: Verisign's public opinion play



> its own commercial goals.
>
> P.S. Blood pressure medicine is not enough, after reading these two
> articles from CNET, I'm now sick to my stomach... Are we really going
> to let Verisign play this corporate interest misinformation campaign in
> the media like that? I don't want the rest of the net ending up like
> netscape (corporation, not the browser software), especially considering
> such clear parallels between Verisign and Microsoft.
>

How much money from each .com/.net registration goes to Verisign for
gtld-servers?  I thought it was a couple of dollars anyway.  I find it hard
to believe that Verisign is not making a profit (not that that is a bad
thing since they are playing that angle) off of this.   I'm sure there are
plenty of other entities that would be happy to do this service for the
money they get for it.

If the firestorm Verisign ignited burns down their own house I don't think
there will be many people crying.  Note to Verisign - now is the time to
slink home with your tail between your legs.   Keep fanning the flames and
you might find out that this 'vocal minority' is capable of creating
considerable blowback.

Mark Radabaugh
Amplex
(419) 720-3635




Comcast - Atlanta?

2003-10-06 Thread Ian Wilson

Could someone with a clue from Comcast in the Atlanta, GA area please send
me an email off-list?

Thanks;

Ian
-- 
Ian Wilson  IWCG.net
Ian()iwcg!net PO Box 304
.Ada, Ohio 45810

The authors at Microsoft were nice enough to credit LSD in their latest
security bulletin.  It's nice to see that they're finally admitting that
they were on LSD when they wrote their code.



Architectural issues involving Sitefinder & related functions

2003-10-06 Thread Howard C. Berkowitz
(since I haven't gotten back my enrollment confirmation, it seemed 
appropriate to crosspost this to NANOG.  While I will address 
Sitefinder, there are broader architectural and operational issues).

Let me assume, for the sake of this discussion, that Sitefinder is an 
ideal tool for the Web user, helping with the problem of 
not-quite-correct URLs.  Given that, I'll stipulate in this 
discussion that the implementation of Sitefinder, along with the .com 
and .net wildcards that lead to it for unresolved domains, is a true 
benefit for the Web user.

The Internet, however, is more than the World-Wide Web. It seems only 
logical to be able to discuss Sitefinder in two contexts:

  1. Where it becomes the default, as with the recent Verisign
 wildcards
  2. Where it is reached in some other manner.

My architectural concern is defining a way in which context #1 serves 
the _non-Web_ services of the Internet.  If DNS were purely an 
information service for Web users, the architectural conflict would 
go away, and only commercial and policy issues remain.

I would hope that within the scope of the Sitefinder discussion list, 
or alternatively in another forum, is an approach to reconciling the 
IP-level DNS such that it continues to serve non-Web applications.

Is there disagreement that Sitefinder provides no functionality to 
SMTP trying to deliver to an unresolved domain? To a user who 
mistypes the name of an FTP site and does not intend to use a Web 
browser?

What about failover schemes for non-HTTP cooperative research across 
the Internet, where the inability to resolve a host name (assume that 
cached records have a zero lifetime) triggers selection of an 
alternate server?

Seriously, technical people at Verisign may have thought about this 
and actually have suggestions. They may be very good ones, but, 
judging on the reactions to the Sitefinder deployment, it might be 
well to discuss them in open technical forums before a change is made.

I'm really not trying to make it a matter of personalities, but there 
have been public statements by Verisign executives that such a 
process inhibits innovation.  If Verisign policy is that as operator 
of .com and .net, it has the right to make unilateral changes, I 
think that needs to be clear to all concerned. I recognize that a 
number of independent parties suggest that the ICANN contract does 
not explicitly prohibit such unilateral action.

Ironically, I worked with the original founders of Network Solutions, 
and almost was a principal back when it was a couple of rooms in 
McLean. Gary Desler, the founder  and a fine engineer, always used to 
say "there is no technical solution to a management problem".  In the 
current context, I simply want to know the rules for the playing 
field.
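
The failover case raised above, where a failed lookup is the signal to try an alternate server, sketched as an added example that is not part of the original post. It uses an offline stub resolver; the `.example` names, the addresses and every function name are constructed for illustration.

```python
"""Added example: wildcard-aware existence check for DNS-driven failover."""
import secrets
from typing import Callable, Dict, FrozenSet, Iterable, Optional

# A resolver returns the A-record addresses for a name, or None on NXDOMAIN.
Resolver = Callable[[str], Optional[FrozenSet[str]]]

# Constructed data. ".example" (reserved by RFC 2606) stands in for a TLD
# whose operator answers every unregistered name with a wildcard A record.
ZONE = {"mirror2.example": {"198.51.100.20"}}        # the only registered name
WILDCARDS = {"example": {"192.0.2.11"}}              # constructed wildcard target
CANDIDATES = ["mirror1.example", "mirror2.example"]  # mirror1 has lapsed


def make_stub_resolver(zone: Dict[str, set], wildcards: Dict[str, set]) -> Resolver:
    """Offline stand-in for a real resolver, built from the tables above."""
    def resolve(name: str) -> Optional[FrozenSet[str]]:
        name = name.lower().rstrip(".")
        if name in zone:
            return frozenset(zone[name])
        tld = name.rsplit(".", 1)[-1]
        if tld in wildcards:
            return frozenset(wildcards[tld])  # synthesized answer
        return None                           # NXDOMAIN
    return resolve


def naive_pick_server(resolve: Resolver, candidates: Iterable[str]) -> Optional[str]:
    """Pre-wildcard logic: any answer at all means the host exists."""
    for host in candidates:
        if resolve(host) is not None:
            return host
    return None


def detect_wildcard(resolve: Resolver, tld: str, probes: int = 3) -> FrozenSet[str]:
    """Return the addresses a TLD wildcard hands out, or an empty set.

    Assumption: random 20-hex-digit labels are not registered, so an answer
    for one can only be synthesized. Every probe must be answered.
    """
    seen: FrozenSet[str] = frozenset()
    for _ in range(probes):
        answer = resolve(f"{secrets.token_hex(10)}.{tld}")
        if answer is None:
            return frozenset()
        seen |= answer
    return seen


def name_exists(resolve: Resolver, name: str, cache: Dict[str, FrozenSet[str]]) -> bool:
    """True only if the name resolves to something other than the wildcard."""
    tld = name.lower().rstrip(".").rsplit(".", 1)[-1]
    if tld not in cache:
        cache[tld] = detect_wildcard(resolve, tld)
    answer = resolve(name)
    if answer is None:
        return False
    # An answer made up only of wildcard addresses is treated as "no such
    # name". A real host that shares the wildcard address is rejected too.
    return not (cache[tld] and answer <= cache[tld])


def pick_server(resolve: Resolver, candidates: Iterable[str]) -> Optional[str]:
    """Failover that restores NXDOMAIN semantics before choosing a host."""
    cache: Dict[str, FrozenSet[str]] = {}
    for host in candidates:
        if name_exists(resolve, host, cache):
            return host
    return None


if __name__ == "__main__":
    r = make_stub_resolver(ZONE, WILDCARDS)
    print("naive :", naive_pick_server(r, CANDIDATES))
    print("aware :", pick_server(r, CANDIDATES))
```

With the wildcard in place the naive selector never fails over, because the lapsed name still produces an answer; the second selector reaches the alternate server.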


Trying to subscribe to Sitefinder list

2003-10-06 Thread Howard C. Berkowitz
Well, I've been trying. I got a double opt-in that gave me a deadline 
to respond of 5AM Wednesday. I replied.

No confirmation.

Tried to post (crossposted to NANOG).

Got error message telling me I was not yet on the list.  Of course, 
with the apparent assumption the Internet is the Web, the first 
directions were to use a browser. Another option was to respond with 
a token in the message, a common enough procedure for mailing lists.

I didn't read the fine print well enough.  The first time, I 
discovered that the token had "confirm no" in it.  Removed "no".

Reread instructions.  Just removing wasn't enough. Had to edit it to 
"confirm yes".

Is there something wrong with the user friendliness of this picture, 
assuming that people actually use something other than a web browser, 
shocking as that might be for a m-a-i-l-i-n-g  l-i-s-t?

g.


Re: Trying to subscribe to Sitefinder list

2003-10-06 Thread Brian Bruns

I got on OK, but I used the web based confirmation method.

Maybe their mail server got flooded?
--
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.2mbit.com
ICQ: 8077511
- Original Message - 
From: "Howard C. Berkowitz" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, October 07, 2003 1:41 AM
Subject: Trying to subscribe to Sitefinder list


> 
> Well, I've been trying. I got a double opt-in that gave me a deadline 
> to respond of 5AM Wednesday. I replied.
> 
> No confirmation.
> 
> Tried to post (crossposted to NANOG).
> 
> Got error message telling me I was not yet on the list.  Of course, 
> with the apparent assumption the Internet is the Web, the first 
> directions were to use a browser. Another option was to respond with 
> a token in the message, a common enough procedure for mailing lists.
> 
> I didn't read the fine print well enough.  The first time, I 
> discovered that the token had "confirm no" in it.  Removed "no".
> 
> Reread instructions.  Just removing wasn't enough. Had to edit it to 
> "confirm yes".
> 
> Is there something wrong with the user friendliness of this picture, 
> assuming that people actually use something other than a web browser, 
> shocking as that might be for a m-a-i-l-i-n-g  l-i-s-t?
> 
> g.
> 



Re: Trying to subscribe to Sitefinder list

2003-10-06 Thread ken emery

On Tue, 7 Oct 2003, Brian Bruns wrote:

> I got on OK, but I used the web based confirmation method.
>
> Maybe their mail server got flooded?

I'm thinking that perhaps this is part of the problem and why Verisign
thinks they did nothing wrong.  It seems they expect one to use a
web browser for everything.  Thus all those other protocols are not
necessary in the Verisign world.

bye,
ken emery

> - Original Message -
> From: "Howard C. Berkowitz" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, October 07, 2003 1:41 AM
> Subject: Trying to subscribe to Sitefinder list
>
>
> >
> > Well, I've been trying. I got a double opt-in that gave me a deadline
> > to respond of 5AM Wednesday. I replied.
> >
> > No confirmation.
> >
> > Tried to post (crossposted to NANOG).
> >
> > Got error message telling me I was not yet on the list.  Of course,
> > with the apparent assumption the Internet is the Web, the first
> > directions were to use a browser. Another option was to respond with
> > a token in the message, a common enough procedure for mailing lists.
> >
> > I didn't read the fine print well enough.  The first time, I
> > discovered that the token had "confirm no" in it.  Removed "no".
> >
> > Reread instructions.  Just removing wasn't enough. Had to edit it to
> > "confirm yes".
> >
> > Is there something wrong with the user friendliness of this picture,
> > assuming that people actually use something other than a web browser,
> > shocking as that might be for a m-a-i-l-i-n-g  l-i-s-t?
> >
> > g.
> >
>



An Open Letter of corrections to Mark McLaughlin's Innovation and the Internet

2003-10-06 Thread Owen DeLong
While I realize that your Perspectives area is a place where various people
are allowed to submit editorials, your publication of this particular
very skewed piece without checking some of the stated facts within it
does not meet CNet's usual standard of journalism.

In addition to Mr. McLaughlin's errors or omissions of fact, he makes a number
of misleading statements and outright incorrect implications.  As such, I
will simply address the article paragraph by paragraph, beginning with the
bold paragraph being considered paragraph 1.

Paragraph 1:
It's not about whether innovation should be encouraged.  I think if
you were to survey the opponents of Verisign's maneuver, you would
find that each and every one of them would say they are in strong
support of innovation on the internet.  What Verisign did was not
innovation.  It was a move to line their pockets with significant
additional revenue while simultaneously abusing their monopoly
position in control of a resource contracted to them to manage
in the public trust.  They do not OWN the domains that they modified,
instead, they are entrusted with the management of said domains
(namely .NET and .COM).  None of Verisign's competitors is in a
position to place wildcard records in these zones, so, Verisign also
was abusing its position of public trust to gain unfair advantage
over competitors.

Paragraph 2:
The error page simply indicates that the URL they typed involved
the name of a host which did not exist.  Verisign ignored the fact
that DNS does not only affect web services.  While it is true that
some may say that this is an improvement for web browsers, it creates
significant problems for other applications.  More on this below.

Paragraph 3:
Site finder is not about improving the user experience.  If it were,
Verisign would have solicited public input prior to inflicting this
change on a critical area of internet infrastructure.  Verisign is
now launching this PR campaign to try and make ICANN look like the
bad guys for finally saying no to Verisign's repeated abuses of their
position.  Site finder is about profits for Verisign.  In fact,
substantial profits on the order of Millions of dollars per day.
This is why they were so reluctant to take it down in spite of a
polite request from ICANN.  ICANN had to point out that Verisign
was in violation of several clauses of their contract and threaten
them with legal action to get them to comply.

Paragraph 4:
Similar services were tested in a manner which did not break existing
infrastructure for non-web oriented applications which were well known
on the internet.  Verisign didn't do any testing, they simply unleashed
this on the two most popular top level domains without review, notice,
or even a heads up to the operational community.  In fact, the first
notification to the NANOG (North American Network Operators Group)
mailing list by Verisign came several hours after the debate had
already started.  Verisign's site finder service didn't trigger debate
because they hadn't been tried for .com and .net, it triggered debate
because it disrupted services, constituted a change which was not
subjected to appropriate public review beforehand, and, represented
a cavalier and mistaken attitude by Verisign that these top level
domains were theirs to manage however they saw fit.  These domains
have a long history on the internet, and, they have always been
considered a public-trust type of resource.  The contract to Verisign
to manage these domains clearly calls for Verisign to manage them
in the public interest.  This was Verisign managing the domain in
their own interest, the public be damned.

While it is true that during the three weeks it took to get Verisign
to fix their abomination, DNS continued to function for most visible
levels, the internet continued to route packets, and, most things
functioned as before, that does not mean that their change did not
break things.  As an example, prior to Verisign's change, if I sent
an email to [EMAIL PROTECTED] intending to send it to [EMAIL PROTECTED],
I would get an answer back immediately saying "noexist.com" does not
exist.  After Verisign's change, their mail rejector would either
simply drop my mail in a black hole, or, when it was too busy,
fail to respond for long periods of time.  Either way, since I don't
get an error message, I don't know that my mail didn't get through.
Another problem comes from anti-spam utilities which depend on
being able to determine if a domain name being used in m

Re: Verisign's public opinion play

2003-10-06 Thread Owen DeLong
I wish it were lack of clue.  This is something far more evil than lack
of clue, and, the bottom line is that these guys are much better at
PR than most of us.  Since they can't win on engineering, because they
are wrong, they are trying to make it a PR battle instead.  They are
having some success.  We _MUST_ fight this as a PR battle.  We _MUST_
write courteous, prompt, and, factual replies to these publications.
The more people who do that, the better our side will look.  We must point
out where Verisign is lying, and, we must concede where they are not.
We must clarify where their technically accurate statements lead to
wildly inaccurate perceptions.

Owen

--On Monday, October 6, 2003 23:15 -0400 Brian Bruns <[EMAIL PROTECTED]> 
wrote:

> Wish someone who was good with the clue-axe would take a swing at these
> dolts.
>
> We all know they are crying babies because their new method of profit was
> shut down.
>
> Now, the interesting question will be, how can we prevent them from adding
> sitefinder again?
>
> --
> Brian Bruns
> The Summit Open Source Development Group
> Open Solutions For A Closed World / Anti-Spam Resources
> http://www.2mbit.com
> ICQ: 8077511
> - Original Message -
> From: "Kee Hinckley" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Monday, October 06, 2003 11:12 PM
> Subject: Verisign's public opinion play
>
>> Take your blood pressure medicine before reading this one.
>> http://news.com.com/2010-1071-5086769.html
>> Apparently our objections stem from our lingering resentment over the
>> commercial use of the internet.
>>
>> In case you're wondering who the author is, since neither the bio on
>> the page or Verisign's site is helpful.  Mark McLaughlin is a former
>> lawyer who moved into Marketing and Biz Development (Caere, Gemplus,
>> Signio and then Verisign payments).
>> --
>> Kee Hinckley
>> http://www.messagefire.com/ Next Generation Spam Defense
>> http://commons.somewhere.com/buzz/  Writings on Technology and Society
>>
>> I'm not sure which upsets me more: that people are so unwilling to accept
>> responsibility for their own actions, or that they are so eager to regulate
>> everyone else's.









Re: Verisign's public opinion play

2003-10-06 Thread Brian Bruns

Well, I donno about anyone else, but I absolutely suck on the PR end of
things.

Now, I *am* good at writing documentation for end users (I used to work
helldesk).

So, my question is, is there any place on the web where we can go, see what's
been written up so far, find out what still needs to be written, and get
people to fill in the blanks?

I know personally I would love to put out a paper, but I have no idea where
to begin.

--
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.2mbit.com
ICQ: 8077511
- Original Message - 
From: "Owen DeLong" <[EMAIL PROTECTED]>
To: "Brian Bruns" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Tuesday, October 07, 2003 2:00 AM
Subject: Re: Verisign's public opinion play


> I wish it were lack of clue.  This is something far more evil than lack
> of clue, and, the bottom line is that these guys are much better at
> PR than most of us.  Since they can't win on engineering, because they
> are wrong, they are trying to make it a PR battle instead.  They are
> having some success.  We _MUST_ fight this as a PR battle.  We _MUST_
> write courteous, prompt, and, factual replies to these publications.
> The more people who do that, the better our side will look.  We must point
> out where Verisign is lying, and, we must concede where they are not.
> We must clarify where their technically accurate statements lead to
> wildly inaccurate perceptions.
>
> Owen
>
>
> --On Monday, October 6, 2003 23:15 -0400 Brian Bruns <[EMAIL PROTECTED]>
> wrote:
>
> >
> > Wish someone who was good with the clue-axe would take a swing at these
> > dolts.
> >
> > We all know they are crying babies because their new method of profit was
> > shut down.
> >
> > Now, the interesting question will be, how can we prevent them from adding
> > sitefinder again?
> >
> >
> > --
> > Brian Bruns
> > The Summit Open Source Development Group
> > Open Solutions For A Closed World / Anti-Spam Resources
> > http://www.2mbit.com
> > ICQ: 8077511
> > - Original Message -
> > From: "Kee Hinckley" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Monday, October 06, 2003 11:12 PM
> > Subject: Verisign's public opinion play
> >
> >
> >>
> >> Take your blood pressure medicine before reading this one.
> >> http://news.com.com/2010-1071-5086769.html
> >> Apparently our objections stem from our lingering resentment over the
> >> commercial use of the internet.
> >>
> >> In case you're wondering who the author is, since neither the bio on
> >> the page or Verisign's site is helpful.  Mark McLaughlin is a former
> >> lawyer who moved into Marketing and Biz Development (Caere, Gemplus,
> >> Signio and then Verisign payments).
> >> --
> >> Kee Hinckley
> >> http://www.messagefire.com/ Next Generation Spam Defense
> >> http://commons.somewhere.com/buzz/  Writings on Technology and Society
> >>
> >> I'm not sure which upsets me more: that people are so unwilling to accept
> >> responsibility for their own actions, or that they are so eager to regulate
> >> everyone else's.
> >>
> >
> >
>
>
>
>
>




Re: Verisign's public opinion play

2003-10-06 Thread Steve Feldman

On Mon, Oct 06, 2003 at 11:41:14PM -0400, Mike Tancsa wrote:
> 
> 
> The one that pisses me off more is
> 
> http://news.com.com/2100-1038_3-5087139.html?tag=nefd_top
> 
> The article makes me wonder if CNET is the press, or an outlet for press 
> releases.  The Internet community is almost uniform in expressing outrage 
> for numerous REAL reasons, yet CNET says it's from the Internet's technical 
> "old guard"  Sorry, so where is the "new guard" calling for Verisign to 
> come back with sitefinder ?  Also CNET leaves unchallenged the 'excuse of 
> the day' that Verisign without site finder "will not be able to protect the 
> Net's critical infrastructure"...

From the bottom of those CNET articles:
Contact us: http://news.com.com/2040-1096_3-0.html

Couldn't hurt to try...

Also, Declan's article on Sept. 16 was most definitely not
a Verisign press release, see:
http://news.com.com/2100-1032_3-5077530.html?tag=st_rn

Steve


Re: Verisign's public opinion play

2003-10-06 Thread Will Yardley

On Mon, Oct 06, 2003 at 11:24:08PM -0700, Steve Feldman wrote:
> On Mon, Oct 06, 2003 at 11:41:14PM -0400, Mike Tancsa wrote:
 
> > The one that pisses me off more is
> > 
> > http://news.com.com/2100-1038_3-5087139.html?tag=nefd_top

> From the bottom of those CNET articles:
> Contact us: http://news.com.com/2040-1096_3-0.html
> 
> Couldn't hurt to try...
> 
> Also, Declan's articles on Sept. 16 was most definitely not
> a Verisign press release, see:
> http://news.com.com/2100-1032_3-5077530.html?tag=st_rn

Maybe he would be willing to help draft (or at least edit) a response
from the community at large. I do agree with other posters that a
response is in order, and I think it's important that it's concise,
reasonable, well written, and focuses on the main issues at hand. While
this list is not the place to create such a response, I imagine someone
could throw together an open list to create one.

It's true that the majority of the people on this list are not PR or
marketing people, and that's why it's important that we respond, and
respond in a way that's easy for the general public to understand.

It might also be a good idea to try to get some opinions from
non-technical people; most of the non-technical people I've spoken to
also find SiteFinder annoying and / or confusing.

-- 
"Since when is skepticism un-American?
Dissent's not treason but they talk like it's the same..."
(Sleater-Kinney - "Combat Rock")




Re: Verisign's public opinion play

2003-10-06 Thread Owen DeLong
I think this list may be a very good choice of where to construct
such a response.  This is certainly an issue requiring coordination,
and, the results of this PR battle definitely have strong operational
ramifications.  As such, I believe it EXACTLY fits the charter of this
list, while, being a bit outside its traditional subject matter.

Owen

--On Monday, October 6, 2003 23:46 -0700 Will Yardley 
<[EMAIL PROTECTED]> wrote:

> On Mon, Oct 06, 2003 at 11:24:08PM -0700, Steve Feldman wrote:
> > On Mon, Oct 06, 2003 at 11:41:14PM -0400, Mike Tancsa wrote:
>
> > > The one that pisses me off more is
> > >
> > > http://news.com.com/2100-1038_3-5087139.html?tag=nefd_top
>
> > From the bottom of those CNET articles:
> > Contact us: http://news.com.com/2040-1096_3-0.html
> >
> > Couldn't hurt to try...
> >
> > Also, Declan's articles on Sept. 16 was most definitely not
> > a Verisign press release, see:
> > http://news.com.com/2100-1032_3-5077530.html?tag=st_rn
>
> Maybe he would be willing to help draft (or at least edit) a response
> from the community at large. I do agree with other posters that a
> response is in order, and I think it's important that it's concise,
> reasonable, well written, and focuses on the main issues at hand. While
> this list is not the place to create such a response, I imagine someone
> could throw together an open list to create one.
>
> It's true that the majority of the people on this list are not PR or
> marketing people, and that's why it's important that we respond, and
> respond in a way that's easy for the general public to understand.
>
> It might also be a good idea to try to get some opinions from
> non-technical people; most of the non-technical people I've spoken to
> also find SiteFinder annoying and / or confusing.
>
> --
> "Since when is skepticism un-American?
> Dissent's not treason but they talk like it's the same..."
> (Sleater-Kinney - "Combat Rock")