Re: Block all servers?

2003-10-11 Thread Majdi S. Abbas

On Fri, Oct 10, 2003 at 08:07:05PM -0600, Adam Selene wrote:
 IMHO, all consumer network access should be behind NAT.
-snip-
 As for plug-in workgroup networking (the main reason why
 everything is open by default), when you create a Workgroup, 
 it should require a key for that workgroup and enable shared-key 
 IPSEC.

These two requirements are mutually exclusive outside
of a LAN environment, and if you're on a LAN, why require IPSEC?

Filtering or NAT does not protect you from bad implementation
or bad protocol design.  Penalizing users that need (and will pay)
for reasonably accessible two way communication is not the answer,
and never will be.

--msa


Re: Block all servers?

2003-10-11 Thread Petri Helenius
Adam Selene wrote:

IMHO, all consumer network access should be behind NAT.

 

First of all, this would block way too many uses that currently actually
sell the consumer network connections. I recommend my competition to do this.

Secondly, it's very hard, if not impossible, to come up with a NAT device which
could translate a significant amount of bandwidth. Coming up with one to put
just a single large DSLAM behind is tricky (OC-12 level of bandwidth).
NAT devices which do OC12 or near don't come cheap either. This is
(fortunately) not a cost you can sink to the customer as added value.
Because we lack clue and technology, we just block you for anything and
make you pay for it.
However, the real solution is (and unfortunately to the detriment
of many 3rd party software companies) for operating system
companies such as Microsoft to realize a system level firewall
is no longer something to be added on or configured later. 
Systems need to be shipped completely locked down (incoming 
*and* outgoing IP ports), and there should be an API for 
applications to request permission to access a particular port or 
listen on a particular port (invoking a user dialog).

 

Don't underestimate the painfully slow rate of change in widely deployed
systems. There is a lot of software out there which dates back 15 years or more.
Can you afford to wait even five?

Hardly any of the issues we see today would go away if such an API were
enforced on the applications, because the issues are due to legitimate
applications legitimately talking to the network with permission.

As for plug-in workgroup networking (the main reason why
everything is open by default), when you create a Workgroup, 
it should require a key for that workgroup and enable shared-key 
IPSEC.

 

This is not a bad idea at all. Make sure to save a copy of this message
in case somebody tries to patent this.

Currently Windows 2000 can be configured to be extremely secure 
without  any additional software. Unfortunately you must have a 
*lot* of clue to configure the Machine and IP security policies it 
provides.

 

The box should have a sticker "needs a resident computer mechanic" :)

Pete




RE: [6bone] Reserved ASN 64702, 6to4, 2 ghosts, other oddities and still no working contacts...

2003-10-11 Thread Jeroen Massar

-BEGIN PGP SIGNED MESSAGE-

Bill Manning [mailto:[EMAIL PROTECTED] wrote:

 % Another funny one:
 % 3ffe:3::/32  Subnet of 3ffe::/24 Mismatching origin ASN,
 %  should be 4555 (now: 29216) 
 
   welcome to more root server testing w/ IPv6.

I don't mind that at all, I'd rather see them sticking 's
into the glue :), but I do wonder why they are not using the
RIPE space they got assigned and which is being announced.

2001:7fe::/32 (I-rootserver-net-20030916) was assigned on
2003-09-16 and has been visible since 2003-09-17 02:51:14.
This new 6bone prefix has been visible since yesterday, so one has to
wonder for what purpose. There is no difference between 6bone
and RIR space, unless they want to make a sign that the
'6bone is not production'...

Also these are the current paths:

3ffe:3::/32   8447 1853 786 109 109 4555 29216  IGP 
3ffe:3::/32   1213 3549 6939 109 4555 29216  IGP 
3ffe:3::/32   12779 3549 6939 109 4555 29216  IGP 
3ffe:3::/32  6939 109 4555 29216  IGP 

2001:7fe::/32 has the same issue:
2001:7fe::/32 8954 4555 29216
2001:7fe::/32 12779 6175 4555 29216
2001:7fe::/32 15516 3257 2497 6939 109 4555 29216  

As Cisco (109) and EP.Net are US based I wonder if
Stockholm suddenly moved to the US :)
That last one was from Stockholm - US - Japan - Denmark...
If they really want to test then use some native European
connectivity, there is a *lot* of that over here.
And if they can't get native, please tunnel to a *local*
ISP and not to something in the US, see Minimal IPv6 Peering:
http://ip6.de.easynet.net/ipv6-minimum-peering.txt

K has a RIPE delegation too, but that has not been seen (yet :)
But I heard good stories about work being done on that.

Greets,
 Jeroen

-BEGIN PGP SIGNATURE-
Version: Unfix PGP for Outlook Alpha 13 Int.
Comment: Jeroen Massar / [EMAIL PROTECTED] / http://unfix.org/~jeroen/

iQA/AwUBP4fgXimqKFIzPnwjEQJl1ACcD2aK8TGQU/YD04sZsFuMQoMSex8AoLcH
7aO9jplhb76T11d5hALTf6BD
=gyub
-END PGP SIGNATURE-



RE: Block all servers?

2003-10-11 Thread Christopher Bird

NAT at the end of OC12 sounds hideous indeed. That's why I would prefer
to see it as part of the modem in the house/business. I am sure (by
guesswork and not by statistics) that a very large number of users would
need relatively simple and secure systems. I guess this because of the
way I see a lot of equipment being used in the groups I talk to. Does
that mean that one size fits all? No of course not. Just in the same
way that one car type fits all. If it did, wouldn't Skodas be looking
great right about now?!

Of course from an ISP or other provider's point of view,
uniformity/standardization allows costs to be driven downwards. So in
order to keep costs handled, a non-customizable service is the order of
the day.

By making the NAT router a part of the cable modem at least there is a
lesser chance that a large number of people who want a simple network
connection will have any trouble at all.

Perhaps posting a security bond would be an interesting way of
overcoming some behaviors. General society appears to have strong
financial motivations (look what I can get for free (theft) by
downloading music, etc.). Well, make the standard service cheap, and add
the premium features by control of the NAT router inside the modem from
the support center. Remember that access is a privilege not a right. Of
course as soon as you attempt to control a box from outside, that is
throwing down the gauntlet to the malcommunity. So the NATRouter/Modem
combo would have to be a bit clever. That of course may drive cost
up...

As people who inhabit the network space, I think we do have some
responsibilities to encourage the directions that service providers
choose. If this isn't a good idea, what is? If we assume the following
then we are forced to think broadly:

- Most PCs that people buy are configured too broadly with too many
  services open and are thus vulnerable.
- Most people do not want to mess with keeping their systems safe (for a
  variety of reasons).
- Most people have become accustomed to relatively inexpensive access.
- Most people have brothers-in-law who know a bit about computers and
  can royally screw things up!
- Most people know a really bright 12 year old who can do very clever
  things with the computer that I can't understand.
- Many people assume facility with some terminology and fast typing to be
  indicators of knowledge and responsibility.
- Many people do the computing equivalent of throwing trash out of the car
  window - i.e. not taking any responsibility for polluting the
  environment.

These sociological phenomena demand that those who provide the services
provide them responsibly or face the consequences. Sadly the
consequences are societal in impact and don't just affect the providers.

How much benefit would we get if we were to reduce the number of
computers that could possibly be infected with something by 50%, 75%?
How much benefit could we get by knowing which networks were potentially
vulnerable - because they chose to open things up?

I realize that we have a long way to go to get security. It is a bit
like when cars first came out - we could/would drive anywhere.
Eventually we agreed that we, in a given country, would drive on a
particular side of the road. There is no obviously good reason why it
should be one side or the other (as successful drivers in the UK and the
US would agree!), but pick one. Once that happened, then some of the
chaos disappeared.

There is a (possibly true) story that when telephone adoption rates were
analyzed in the 1930s, predictions were that every person in the US
would have to be a telephone operator to keep up with the manual
connecting of calls through plug-switchboards. The expected cross-over
was sometime in the 1950s. Well, with the advent of Subscriber Trunk
Dialing we are all telephone operators today! I see the same things
happening in the computing world, we are all going to have to be network
operators and sesames at some point! Sadly those interfaces are not as
easy and standard as the familiar phone keypad!

Chris
 





 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of Petri Helenius
 Sent: Saturday, October 11, 2003 1:47 AM
 To: [EMAIL PROTECTED]
 Subject: Re: Block all servers?
 
 
 
 Adam Selene wrote:
 
 IMHO, all consumer network access should be behind NAT.
 
   
 
 First of all, this would block way too many uses that 
 currently actually 
 sell
 the consumer network connections. I recommend my competition 
 to do this
 
 Secondly, it's very hard, if not impossible, to come up with a NAT 
 device which could translate a significant amount of 
 bandwidth. Coming up with one to put just a single large 
 DSLAM behind is tricky. (OC-12 level of bandwidth)
 
 NAT devices which do OC12 or near don't come cheap either. This is
 (fortunately) not a cost you can sink to the customer as 
 added value. Because we lack clue and technology, we just 
 block you for anything and make you pay for it.
 
 However, the real solutions 

Re: Block all servers?

2003-10-11 Thread jlewis

Didn't Susan ask for this topic to move off-list?  Anybody (no...not
Merit) care to step up and create a nanog-issues list where such 
discussions can continue unmolested when the nanog topic police declare an 
important topic off-topic?  

I can understand how some operators might not want to hang out with the
masses in spam-l or spam-tools, or waste their time with the noise and
kooks in nanae.  But these are some pretty serious problems and if we
can't come up with solutions soon, the internet is pretty much totally
screwed.

See more below

On Sat, 11 Oct 2003, Petri Helenius wrote:

 Secondly, it's very hard, if impossible to come up with a NAT device which
 could translate a significant amount of bandwidth. Coming up with one to put
 just a single large DSLAM behind is tricky. (OC-12 level of bandwidth)

So do the NAT closer to the edge.  If you're providing DSL, do many of 
your customers use DSL modems plugged into their PCs (USB, PCI), or are 
you selling/leasing them DSL routers?  In the very beginning, we either 
sold or gave PCI or USB DSL modems to our customers, but those were 
usually a PITA to support due to problems with Windows, driver issues, 
hardware becoming unsupported when customers upgraded to the next version 
of Windows, etc.  Now, we only hook up DSL customers using DSL routers, 
and all the DSL routers we've ever used can do NAT, so there'd be no need 
to try to do NAT at the DSL agg router.

I suspect we could selectively do NAT or not for dial-up customers on our 
access-servers...though I'm not sure how the very large (like AS5400, 
AS5800) units would fare trying to do NAT for several hundred dial-up 
sessions. 

But why all this talk of NAT?  Even if we all universally deployed it on 
Monday, it wouldn't solve the problem.  All it would do is keep the 
spammer/hackers from turning grandma's PC into a web server/proxy.  She 
can still catch Tuesday's email virus which will cause her PC to hang out 
in some IRC channel or monitor some web page, and be remotely controlled 
for the purpose of sending spam, participating in DDoS floods...and now 
things just got much harder to track down.  When you get complaints that 
a.b.c.d is participating in some kind of attack, how do you tell which of 
the dozens or hundreds of customers NAT'd to that IP is 
responsible/infected?


--
 Jon Lewis [EMAIL PROTECTED]  |  I route
 Senior Network Engineer      |  therefore you are
 Atlantic Net                 |
_ http://www.lewis.org/~jlewis/pgp for PGP public key_
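Jon's closing question (which of the dozens or hundreds of customers NAT'd to a.b.c.d was the one misbehaving?) is only answerable if the NAT box logs every translation it creates and tears down, and if the complaint carries more than a bare address. The following is an added example for this page, not code from Jon's post or from any vendor: a Python correlation over a constructed NAT translation log. The `ADD`/`DEL` record format, the hostname `nat1` and every address in it are invented for illustration; real gear logs in its own format. It shows why the public source port and an accurate timestamp are what turn a complaint into a single subscriber.

```python
"""Correlate an abuse complaint against NAT translation logs.

Added example, not part of any post in the thread. The log format, hostname
and all addresses below are constructed for illustration; real NAT gear logs
translation create/delete events in its own vendor-specific format.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample: one record per translation the NAT box created (ADD)
# or tore down (DEL). Public port 40013 is deliberately reused by a second
# inside host after the first mapping ends.
SAMPLE_NAT_LOG = """\
2003-10-11T14:34:58Z nat1 ADD proto=tcp in=10.1.5.23:3421 out=198.51.100.7:40012 dst=203.0.113.9:80
2003-10-11T14:35:01Z nat1 ADD proto=tcp in=10.1.5.77:1034 out=198.51.100.7:40013 dst=203.0.113.9:80
2003-10-11T14:35:02Z nat1 ADD proto=udp in=10.1.5.23:5000 out=198.51.100.7:40014 dst=192.0.2.53:53
2003-10-11T14:35:05Z nat1 DEL proto=tcp in=10.1.5.77:1034 out=198.51.100.7:40013 dst=203.0.113.9:80
2003-10-11T14:36:30Z nat1 ADD proto=tcp in=10.1.5.90:2200 out=198.51.100.7:40013 dst=203.0.113.9:80
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) \S+ (?P<op>ADD|DEL) proto=(?P<proto>\w+) "
    r"in=(?P<in_ip>[\d.]+):(?P<in_port>\d+) "
    r"out=(?P<out_ip>[\d.]+):(?P<out_port>\d+) "
    r"dst=(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)"
)
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


@dataclass
class Translation:
    start: datetime
    end: Optional[datetime]        # None while the mapping is still active
    proto: str
    inside: tuple                  # (ip, port) of the customer host
    outside: tuple                 # (public ip, public port) seen by the world
    dst: tuple                     # (remote ip, remote port)

    def live_at(self, when):
        return self.start <= when and (self.end is None or when <= self.end)


def parse_nat_log(text):
    """Pair ADD/DEL records into Translation objects with a lifetime."""
    active = {}
    finished = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not a translation record
        ts = datetime.strptime(m["ts"], TS_FORMAT)
        outside = (m["out_ip"], int(m["out_port"]))
        dst = (m["dst_ip"], int(m["dst_port"]))
        key = (m["proto"], outside, dst)  # identifies one mapping on the public side
        if m["op"] == "ADD":
            active[key] = Translation(ts, None, m["proto"],
                                      (m["in_ip"], int(m["in_port"])), outside, dst)
        elif key in active:
            t = active.pop(key)
            t.end = ts
            finished.append(t)
    return finished + list(active.values())


def who_was_it(log_text, when, public_ip, public_port=None, proto=None, dst_ip=None):
    """Inside hosts whose mapping on public_ip was live at `when` (ISO 8601, UTC).

    With only the public IP and a timestamp, every customer sharing that
    address at that moment is a candidate; the public port (and ideally the
    destination) narrows it to one. The timestamp matters because ports get reused.
    """
    at = datetime.strptime(when, TS_FORMAT)
    hosts = set()
    for t in parse_nat_log(log_text):
        if t.outside[0] != public_ip or not t.live_at(at):
            continue
        if public_port is not None and t.outside[1] != public_port:
            continue
        if proto is not None and t.proto != proto:
            continue
        if dst_ip is not None and t.dst[0] != dst_ip:
            continue
        hosts.add(t.inside[0])
    return sorted(hosts)


if __name__ == "__main__":
    # Complaint: "198.51.100.7 hit 203.0.113.9 at 14:35:03" -- two candidates.
    print(who_was_it(SAMPLE_NAT_LOG, "2003-10-11T14:35:03Z", "198.51.100.7", dst_ip="203.0.113.9"))
    # Same complaint with the source port the victim logged -- one customer.
    print(who_was_it(SAMPLE_NAT_LOG, "2003-10-11T14:35:03Z", "198.51.100.7", public_port=40012))
    # Port 40013 belongs to different customers at different times.
    print(who_was_it(SAMPLE_NAT_LOG, "2003-10-11T14:36:40Z", "198.51.100.7", public_port=40013))
```

The sample reuses public port 40013 for a second customer once the first mapping is torn down, so a lookup by port alone, without the time of the event, names the wrong subscriber. Keeping these translation logs (and getting complainants to include a port and an accurate clock) is the operational cost that comes with putting many customers behind one address.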




Re: [6bone] Reserved ASN 64702, 6to4, 2 ghosts, other oddities and still no working contacts...

2003-10-11 Thread Bill Manning

% -BEGIN PGP SIGNED MESSAGE-
% 
% Bill Manning [mailto:[EMAIL PROTECTED] wrote:
% 
%  % Another funny one:
%  % 3ffe:3::/32  Subnet of 3ffe::/24 Mismatching origin ASN,
%  %  should be 4555 (now: 29216) 
%  
%  welcome to more root server testing w/ IPv6.
% 
% I don't mind that at all, I'd rather see them sticking 's
% into the glue :), but I do wonder why they are not using the
% RIPE space they got assigned and which is being announced.

they are, for the production service.
this is for experimental activities.

% 
% 2001:7fe::/32 is for I-rootserver-net-20030916 got assigned on
% 2003-09-16 and was to be seen since 2003-09-17 02:51:14.
% This new 6bone can be seen since yesterday, thus there is to
% wonder for what purpose. There is no difference between 6bone
% and RIR space, unless they want to make a sign that the
% '6bone is not production'...

bing!  the 3ffe:: entries are for experimental services -only-
while the 2001:: will eventually be production services.
and the tests are -not- primarily about connectivity.

% 
% Also these are the current paths:
% 
% 3ffe:3::/32   8447 1853 786 109 109 4555 29216  IGP 
% 3ffe:3::/32   1213 3549 6939 109 4555 29216  IGP 
% 3ffe:3::/32   12779 3549 6939 109 4555 29216  IGP 
% 3ffe:3::/32  6939 109 4555 29216  IGP 
% 
% 2001:7fe::/32 has the same issue:
% 2001:7fe::/32 8954 4555 29216
% 2001:7fe::/32 12779 6175 4555 29216
% 2001:7fe::/32 15516 3257 2497 6939 109 4555 29216  
% 
% As Cisco (109) and EP.Net are US based I wonder if
% Stockholm suddenly moved to the US :)
% That last one as from Stockholm - US - Japan - Denmark...
% If they really want to test then use some native european
% connectivity, there is a *lot* of that over here.
% And if they can't get native, please tunnel to a *local*
% ISP and not to something in the US, see Minimal IPv6 Peering:
% http://ip6.de.easynet.net/ipv6-minimum-peering.txt
% 
% K has a RIPE delegation too, but that has not been seen (yet :)
% But I heared good stories about work being done on that.
% 
% Greets,
%  Jeroen
% 
% -BEGIN PGP SIGNATURE-
% Version: Unfix PGP for Outlook Alpha 13 Int.
% Comment: Jeroen Massar / [EMAIL PROTECTED] / http://unfix.org/~jeroen/
% 
% iQA/AwUBP4fgXimqKFIzPnwjEQJl1ACcD2aK8TGQU/YD04sZsFuMQoMSex8AoLcH
% 7aO9jplhb76T11d5hALTf6BD
% =gyub
% -END PGP SIGNATURE-
% 


-- 
--bill

Opinions expressed may not even be mine by the time you read them, and
certainly don't reflect those of any other entity (legal or otherwise).



Re: Block all servers?

2003-10-11 Thread Adam Selene

 Unfortuantely there are enough protocols and applications
 which don't work well behind a NAT that deploying this on
 a large scale is not practical. 

It already is deployed upon a large scale. When I had @Home
in Seattle (one of the first subscribers), I had a 10.x address.
Here in Costa Rica, broadband (cable modem) connections for
the entire country are behind NAT.

 Also what about folks who need to VPN in to their office
 (either via PPTP or IPSEC)?  How would you take care of that
 situation?

I use IPSEC and it works fine behind NAT.

 Unfortunately something like this would make the PC close to
 useless which is not the intent of the software provider.  Thus
 you see everything open, security be damned.

No. You default open the common and popular internet ports for
outbound, and 90% of users never use anything else.

 As for plug-in workgroup networking (the main reason why
 everything is open by default), when you create a Workgroup,
 it should require a key for that workgroup and enable shared-key
 IPSEC.

 And joe user will understand this because.

That's the point, he doesn't have to. A workgroup becomes a
name + a key/passphrase instead of just a name. What that 
accomplishes is completely hidden.

Adam



Re: Block all servers?

2003-10-11 Thread Adam Selene

 Penalizing users that need (and will pay) for reasonably 
 accessible two way communication is not the answer,
 and never will be. 

By all means, make a non-NAT IP address an optional premium
service, and hope those that request it are sophisticated enough
to secure their machine.

Adam



Re: Block all servers?

2003-10-11 Thread ken emery

On Sat, 11 Oct 2003, Adam Selene wrote:

  Also what about folks who need to VPN in to their office
  (either via PPTP or IPSEC)?  How would you take care of that
  situation?

 I use IPSEC and it works fine behind NAT.

Yes, it does work, on a small scale.  However, what if your neighbor
wants to IPSEC to the same place (say you work at the same place)?
What if both of you are NAT'd from the same IP address trying to IPSEC
to the same IP address?  I don't believe things will work in this
instance.

bye,
ken emery



Re: Block all servers?

2003-10-11 Thread Alex Yuriev

 Also what about folks who need to VPN in to their office
 (either via PPTP or IPSEC)?  How would you take care of that
 situation?

IPSEC works over NATs just fine.

Alex



internet consumers forum?

2003-10-11 Thread Richard Welty

_please reply offlist_

i've spent some time (at least 20 minutes) considering that while there are
forums for operators and engineers to discuss issues (nanog, ietf, others
too numerous to mention), there aren't really forums for informed consumers
of internet services to exchange notes (or for uninformed consumers to
become informed.)

if anyone knows of such, please let me know. otherwise, i'm considering
starting an unmoderated but carefully monitored mailing list for business
oriented discussion from the viewpoint of consumers. i'd probably want to
tie this in with the development of FAQs and tutorials targeted at business
consumers of internet services.

again, comments offlist, please.

richard
-- 
Richard Welty [EMAIL PROTECTED]
Averill Park Networking 518-573-7592
Java, PHP, PostgreSQL, Unix, Linux, IP Network Engineering, Security




Re: Block all servers?

2003-10-11 Thread Petri Helenius
Adam Selene wrote:

By all means, make a non-NAT IP address an optional premium
service, and hope those that request it are sophisticated enough
to secure their machine.


NAT is more expensive to produce, so it should be an optional premium
service, and that seems to be more and more the case.

Pete




Re: internet consumers forum?

2003-10-11 Thread Valdis Kletnieks
On Sat, 11 Oct 2003 12:06:22 EDT, Richard Welty [EMAIL PROTECTED]  said:

 i've sent some time (at least 20 minutes) considering that while there are
 forums for operators and engineers to discuss issues (nanog, ietf, others
 too numerous to mention), there aren't really forums for informed consumers
 of internet services to exchange notes (or for uninformed consumers to
 become informed.)

There used to be Usenet, but then the spammers found it.

Remember that Nanog probably has *significant* market penetration - I'll hazard
a guess that at least 40-50% of the service providers in the US have at least one
person lurking here.  Now consider the number of consumers of network services
in the US, and estimate what a 1% market penetration would be.

Ask yourself:  How do I keep spammers out of a group that size?  And if I don't
reach that size, what good am I really doing?




Re: Block all servers?

2003-10-11 Thread Adam Selene


 NAT is more expensive to produce, so it should be an optional 
 premium service, and that seems to be more and more the case.

Not necessarily when you consider the cost (in bandwidth,
network reliability and support staff) imposed by worms and kiddies
from other networks scanning your IP space for unsecured machines.

That's not even to mention the cost imposed by compromised systems.
Even if NAT only reduces compromised systems by 20%, that's a
cost savings.

Given that most edge hardware supports NAT, the additional cost
is nominal.

Getting IP space allocation is not without cost either.

Adam

PS. Is this off-topic for NANOG? If so, I apologize. Given my networks
are repeatedly the victim of distributed DoS attacks from compromised
machines on other networks, it seemed relevant to me.



Re: Block all servers?

2003-10-11 Thread Steven M. Bellovin

In message [EMAIL PROTECTED], Alex Yuriev writes:

 Also what about folks who need to VPN in to their office
 (either via PPTP or IPSEC)?  How would you take care of that
 situation?

IPSEC works over NATs just fine.

Not in the general case, no.  See draft-aboba-nat-ipsec-04.txt if you 
can find a copy.

--Steve Bellovin, http://www.research.att.com/~smb




Re: internet consumers forum?

2003-10-11 Thread Etaoin Shrdlu

[EMAIL PROTECTED] wrote:
 
 On Sat, 11 Oct 2003 12:06:22 EDT, Richard Welty [EMAIL PROTECTED]  said:
 
  i've sent some time (at least 20 minutes) considering that while there are
  forums for operators and engineers to discuss issues (nanog, ietf, others
  too numerous to mention), there aren't really forums for informed consumers
  of internet services to exchange notes (or for uninformed consumers to
  become informed.)
 
 There used to be Usenet, but then the spammers found it.
 
 Remember that Nanog probably has *significant* market penetration - I'll hazard
 a guess that at least 40-50% of the service providers in the US have at least one
 person lurking here.  Now consider the number of consumers of network services
 in the US, and estimate what a 1% market penetration would be.
 
 Ask yourself:  How do I keep spammers out of a group that size?  And if I don't
 reach that size, what good am I really doing?

Ask yourself (in addition):

How is this useful to business users?

  I would think that either businesses are small enough that they depend
  on someone else for information of this sort, or large enough that they
  have multiple listening presences on NANOG.

What is a business user?

  Spammers, after all, are a business. Do you mean them? MSN is a business.
  Do you mean them? Am I a business (you don't know the answer to that,
  trust me)? Do I represent one (you don't know the answer to that one,
  either)?

Outside of a gripe list, what purpose(s) will this serve?

  There used to be *.advocacy.* groups, alt.fan.* groups, *.discuss groups,
  all on usenet (as Valdis has already pointed out). They were all nice
  for letting off steam, but they were never really useful in any
  meaningful way. If this is just a place where you can discuss things
  that are not really on charter for NANOG, it seems like there are
  already a bunch of places to do that.

Personally, I don't see that there's a raging desire by the consumers of
packets to find some place to talk outside of the places already there. It
sounds like you have a solution looking for a problem. There is no such
thing as informed consumers of internet services, at least not in any
reality I inhabit. YMMV, HTH, HAND. 

USENET: *sob* I miss usenet. :-(

--
When you wish to instruct be brief -- so that people's minds
can quickly grasp what you have to say, understand your point,
and retain it accurately. Unnecessary words just spill over the
side of a mind already crammed to the full. (Cicero)


Re: DDOS Today?

2003-10-11 Thread Dan Armstrong


I am still trying to confirm what happened, but it looks like we got whacked
today. Around 2:35 EST all our BGP peers dropped pretty much at the same
time. Our mrtg systems have all fallen over too - so I can't confirm
a traffic spike.
Anybody else?

Dan.

Greg Valente wrote:
I just got on today.
Were there any large DDOS attacks today?
Any specific networks impacted?
-Original Message-
From: Jeroen Massar [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 10, 2003 8:16 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Reserved ASN 64702, 6to4, 2 ghosts, other oddities and still no
working contacts...
-BEGIN PGP SIGNED MESSAGE-
Checking http://www.sixxs.net/tools/grh/lg/?show=bogonsfind=::/0
People might want to filter on private ASN's also
when that ASN is being used as "transit"...
2001:a40::/32 AS64702 is reserved (path: 15516 3257 2497 4697 2914 10109
4538 4787 64702 20646 8763 5539 1930 9186) Ghost Route (14/12)
3ffe:3500::/24 3ffe:4005:fefe::
25396 1752 10109 4538 4787 64702 20646 8319
We still have these 6to4 specifics btw:
2002:c2b1:d06e::/48  More specific 6to4 prefix (194.177.208.110/32) from AS5408
2002:c8a2::/33       More specific 6to4 prefix (200.162.0.0/17) from AS15180
2002:c8c6:4000::/34  More specific 6to4 prefix (200.198.64.0/18) from AS15180
2002:c8ca:7000::/36  More specific 6to4 prefix (200.202.112.0/20) from AS15180
And nopes, no contact has been made yet, apparently having
your email address listed in the registry frees you of any
obligations...
Another funny one:
3ffe:3::/32  Subnet of 3ffe::/24 Mismatching origin ASN, should be 4555 (now: 29216)
While there also is an announcement for:
2001:7fe::/32  I-rootserver-net-20030916
The ghosts of this month:
3ffe:1f00::/24
3ffe:2400::/24
Both with "10318 5623" common in their paths, obvious, isn't it?
Oh and yes, still no contact from anybody at nortel, apparently
that company doesn't know what IPv6 is. AS10318 (check above also)
is still announcing *their* block and still haven't made any comment
or reply back whatsoever. AS10318 have their own pTLA but apparently
are not contactable for that pTLA either. If anybody knows someone
alive for 3ffe:1300::/24 or AS762 or AS10318 please notify them.
Maybe posting to nanog raises some people from sleep. Mailing
the whois contacts directly doesn't help apparently.
Greets,
Jeroen
-BEGIN PGP SIGNATURE-
Version: Unfix PGP for Outlook Alpha 13 Int.
Comment: Jeroen Massar / [EMAIL PROTECTED] / http://unfix.org/~jeroen/
iQA/AwUBP4dLximqKFIzPnwjEQKluACglQJ+2QtJZ6O2fJZShwxLe0Z6Fz8AnRym
p0Clq/HyC9EoC/RsaYudqZey
=XBo4
-END PGP SIGNATURE-
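The oddities Jeroen lists, in his reply earlier on this page and in the original report quoted just above (a more-specific whose origin ASN does not match the covering block, a private ASN sitting in the middle of a path as transit, and 6to4 more-specifics), are all mechanical to detect from a routing table dump. As an added example for this page, not code from Jeroen's tools or from any post, the Python below audits dump lines of the form shown in the thread for all three conditions. The dump lines are copied or trimmed from the thread; `EXPECTED_ORIGIN` is an assumed registry seeded only with the thread's own statement that 3ffe::/24 should be originated by AS4555. The 6to4 decoding is general: it recovers the embedded IPv4 prefix for any prefix inside 2002::/16, and its output agrees with the IPv4 prefixes the quoted report gives for the same announcements.

```python
"""Sanity checks over an AS-path dump of the kind quoted in the thread.

Added example, written for this page and not taken from any post or tool
mentioned in it. Three checks:
  * a more-specific whose origin ASN differs from the covering block's
    registered origin (3ffe:3::/32 inside 3ffe::/24),
  * a private-use ASN (64512-65534, RFC 1930) anywhere in a path, noting
    whether it is the origin or is being used as transit,
  * 6to4 more-specifics (longer than 2002::/16), with the embedded IPv4
    prefix decoded so the announcement can be checked against the v4 owner.
Dump lines are copied or trimmed from the thread. EXPECTED_ORIGIN is an
assumed registry seeded with the thread's statement that 3ffe::/24 is AS4555's.
"""
import ipaddress
import re

PRIVATE_ASN = range(64512, 65535)           # RFC 1930 private-use ASNs, 64512..65534
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")
EXPECTED_ORIGIN = {"3ffe::/24": 4555}       # assumption: covering block -> registered origin

# Prefix, AS path (origin last), optional trailing attributes such as "IGP".
LINE_RE = re.compile(r"^(?P<prefix>[0-9a-fA-F:]+/\d+)\s+(?P<path>\d+(?:\s+\d+)*)")

SAMPLE_DUMP = """\
3ffe:3::/32   8447 1853 786 109 109 4555 29216  IGP
3ffe:3::/32   6939 109 4555 29216  IGP
2001:7fe::/32 8954 4555 29216
2001:a40::/32 15516 3257 2497 4697 2914 10109 4538 4787 64702 20646 8763 5539 1930 9186
2002:c2b1:d06e::/48 5408
2002:c8a2::/33 15180
2002:c8c6:4000::/34 15180
"""


def parse_line(line):
    """Return (IPv6Network, [asn, ...]) for one dump line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return ipaddress.IPv6Network(m["prefix"]), [int(a) for a in m["path"].split()]


def embedded_v4(prefix_str):
    """Decode the IPv4 prefix in bits 16..47 of a 6to4 prefix: 2002:V4V4::/n -> V4/(n-16)."""
    net = ipaddress.IPv6Network(prefix_str)
    if not net.subnet_of(SIX_TO_FOUR):
        raise ValueError(f"{net} is not a 6to4 prefix")
    v4_bits = (int(net.network_address) >> 80) & 0xFFFFFFFF
    return str(ipaddress.IPv4Network((ipaddress.IPv4Address(v4_bits), net.prefixlen - 16)))


def audit_line(line, expected=EXPECTED_ORIGIN):
    """Findings for one dump line (empty list when nothing looks wrong)."""
    parsed = parse_line(line)
    if parsed is None:
        return []
    prefix, path = parsed
    origin = path[-1]
    findings = []
    for block, registered in expected.items():
        block = ipaddress.IPv6Network(block)
        if prefix != block and prefix.subnet_of(block) and origin != registered:
            findings.append(f"{prefix}: subnet of {block}, origin AS{origin} but expected AS{registered}")
    for asn in dict.fromkeys(path):          # each ASN once, in path order
        if asn in PRIVATE_ASN:
            role = "origin" if asn == origin else "transit"
            findings.append(f"{prefix}: private-use ASN {asn} in path as {role}")
    if prefix.subnet_of(SIX_TO_FOUR) and prefix.prefixlen > 16:
        findings.append(f"{prefix}: more-specific 6to4 prefix ({embedded_v4(str(prefix))}) from AS{origin}")
    return findings


def audit(text, expected=EXPECTED_ORIGIN):
    """Run audit_line over a whole dump; repeated lines produce repeated findings."""
    return [f for line in text.splitlines() for f in audit_line(line, expected)]


if __name__ == "__main__":
    for finding in audit(SAMPLE_DUMP):
        print(finding)
```

The private-ASN check reports the role because the two cases call for different handling: a private origin is usually a leak from somebody's lab, while a private ASN in the middle of a path means a transit network is not stripping it, which is exactly the "filter on private ASN's also when that ASN is being used as transit" point in the quoted report.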



Re: internet consumers forum?

2003-10-11 Thread Valdis Kletnieks
On Sat, 11 Oct 2003 12:01:49 PDT, Etaoin Shrdlu [EMAIL PROTECTED]  said:
  Do you mean them? Am I a business (you don't know the answer to that,
  trust me)? Do I represent one (you don't know the answer to that one,
  either)?

Heck, some days I don't even know if *I* am a business or not.  We get to
straddle the line between IT/networking for a $400M/yr organization and
ISP for 30-80K users (depending how you count) and a few other things.

 sounds like you have a solution looking for a problem. There is no such
 thing as informed consumers of internet services, at least not in any
 reality I inhabit. YMMV, HTH, HAND. 

A case could be made that the lack of such informed consumers is part of the
reason we're having the concurrent "block all servers" thread.  On the other hand,
a forum isn't the solution there.  We collectively decided that letting unclued Joe
Sixpack get connected for $19.95/mo was a good idea, and we're stuck with it (though
if anybody gets a workable way to charge $24.95/mo for a premier secure filtered
service I'll not fight it unless they flagrantly break truth-in-advertising laws. ;)




Re: Block all servers?

2003-10-11 Thread ken emery

On Sat, 11 Oct 2003, Steven M. Bellovin wrote:

 In message [EMAIL PROTECTED], Alex Yuriev writes:
 
  Also what about folks who need to VPN in to their office
  (either via PPTP or IPSEC)?  How would you take care of that
  situation?
 
 IPSEC works over NATs just fine.
 
 Not in the general case, no.  See draft-aboba-nat-ipsec-04.txt if you
 can find a copy.

This internet draft is available at:

http://quimby.gnus.org/internet-drafts/draft-aboba-nat-ipsec-04.txt

I can't figure out if anything happened with this draft (I'm guessing
nothing went on).  The draft expired on December 1, 2001.

bye,
ken emery



Re: Finding clue at comcast.net

2003-10-11 Thread Brandon Ross

On Fri, 10 Oct 2003, Matt wrote:

  As far as networking problems, I think most folks on NANOG would agree
  that to run a stable network, the network needs to be designed and
  operated by a single organization.

   I guess it depends on your geographic definition of an
 organization.

Perhaps that's where our opinions diverge.  I never meant to imply that
there was any relationship in this matter to geography.  I strongly
believe, however, that everyone with the passwords to the routers should report
to the same relatively flat organization (i.e. to find the person in
management who is responsible for the whole thing shouldn't take going all
the way up to the CTO or CEO).

 I think it makes sense especially in larger organizations
 to have a centralized reporting structure and to geographically
 centralize other functions such as network monitoring and ordering.

Indeed.

 However, I don't believe it's often in customers' or an organization's
 best interests to move technical expertise to a national NOC.  I've been
 on both sides of the fence, and there are good examples of organizations
 that maintained a centralized reporting structure while maintaining a
 local market technical base (Mediaone was a good example of that model).

I don't disagree here, but like both of us have said, those technical
bases MUST report up into the same, relatively flat structure.

-- 
Brandon Ross                AIM:    BrandonNR
                            ICQ:    2269442
                            Yahoo:  BrandonNRoss



RE: Block all servers?

2003-10-11 Thread Terry Baranski

 This internet draft is available at:
 http://quimby.gnus.org/internet-drafts/draft-aboba-nat-ipsec-04.txt

 Ken Emery wrote:

 I can't figure out if anything happened with 
 this draft (I'm guessing nothing went on).  The 
 draft expired on December 1, 2001.

IPSec NAT Traversal is still being standardized, but has already been
implemented in a good number of products.  Current drafts:

http://www.ietf.org/internet-drafts/draft-ietf-ipsec-nat-t-ike-07.txt
http://www.ietf.org/internet-drafts/draft-ietf-ipsec-udp-encaps-06.txt
http://www.ietf.org/internet-drafts/draft-ietf-ipsec-nat-reqts-05.txt

Jon Lewis wrote:
 But why all this talk of NAT?  Even if we all 
 universally deployed it on monday, it wouldn't 
 solve the problem.  All it would do is keep the 
 spammer/hackers from turning grandma's PC into a 
 web server/proxy.

As well as preventing infection from worms like Blaster, and so forth.
It's hard to imagine one solution solving the entire laundry list of
problems.  One step at a time.

That being said, NAT does break stuff and as has been mentioned,
filtering is certainly possible without having to bring NAT into the
mix.  Microsoft assures us that the Windows firewall will be enabled by
default starting with WinXP patches early next year.  How easy will it
be to turn it off?  Will a virus be able to do it for you?

-Terry
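Ken's objection above (two neighbours behind one NAT address both running IPsec to the same office) and Terry's pointer to the NAT traversal drafts are two halves of one mechanism. As an added example for this page, not code from any post, the Python below is a small model of a port-translating NAT with constructed addresses and SPIs. It shows why raw ESP from two inside hosts to the same gateway collapses into one translation entry, while ESP wrapped in UDP on port 4500 (the udp-encaps draft Terry lists) gives the NAT a port to rewrite per host. The NAT model is deliberately simple; real boxes differ in how they treat protocols without ports.

```python
"""Why two IPsec clients behind one NAT collide on raw ESP but not with NAT-T.

Added example for this page, not code from any post. The NAT below is a
deliberately simple port-translating NAT (NAPT) written for illustration;
addresses and SPIs are constructed. ESP (IP protocol 50) carries no port
numbers, so the only outside identity the NAT can give a flow is
(protocol, remote gateway). UDP encapsulation (draft-ietf-ipsec-udp-encaps,
UDP port 4500) wraps ESP in a header the NAT can rewrite per inside host.
"""
from dataclasses import dataclass
from typing import Optional

ESP = 50
UDP = 17
NAT_T_PORT = 4500


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None   # None for protocols without ports (ESP)
    dport: Optional[int] = None
    spi: Optional[int] = None     # ESP Security Parameter Index, carried along untouched


class Napt:
    """Port-translating NAT: maps (proto, remote ip, public port) -> inside (ip, port)."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self._next_port = first_port
        self.table = {}

    def _alloc_port(self):
        port, self._next_port = self._next_port, self._next_port + 1
        return port

    def translate_out(self, pkt):
        """Rewrite an outbound packet's source and remember how to undo it."""
        if pkt.sport is None:
            # No port field to rewrite. A second inside host sending ESP to the same
            # gateway produces the same outside key and silently replaces the first
            # host's entry; the NAT cannot tell the two SAs apart on the way back.
            self.table[(pkt.proto, pkt.dst, None)] = (pkt.src, None)
            return Packet(pkt.proto, self.public_ip, pkt.dst, spi=pkt.spi)
        # UDP/TCP: reuse this inside (ip, port)'s public port, or allocate a fresh one.
        for (proto, remote, public_port), inside in self.table.items():
            if proto == pkt.proto and remote == pkt.dst and inside == (pkt.src, pkt.sport):
                break
        else:
            public_port = self._alloc_port()
            self.table[(pkt.proto, pkt.dst, public_port)] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, self.public_ip, pkt.dst, public_port, pkt.dport, pkt.spi)

    def translate_in(self, pkt):
        """Map an inbound packet back to an inside host; None if no mapping exists."""
        inside = self.table.get((pkt.proto, pkt.src, pkt.dport))   # dport is None for ESP
        if inside is None:
            return None
        return Packet(pkt.proto, pkt.src, inside[0], pkt.sport, inside[1], pkt.spi)


def simulate(encapsulate):
    """Two customers behind one NAT bring up IPsec to the same gateway.

    Returns {intended client: inside host the gateway's reply actually reached}.
    """
    nat = Napt("198.51.100.7")                              # constructed public address
    gateway = "203.0.113.1"                                 # constructed office VPN gateway
    clients = {"10.0.0.10": 0x1001, "10.0.0.20": 0x2002}    # inside ip -> its inbound SPI
    reply_port = {}
    for inside_ip, spi in clients.items():
        if encapsulate:
            pkt = Packet(UDP, inside_ip, gateway, NAT_T_PORT, NAT_T_PORT, spi)
        else:
            pkt = Packet(ESP, inside_ip, gateway, spi=spi)
        reply_port[inside_ip] = nat.translate_out(pkt).sport   # the gateway replies here
    reached = {}
    for inside_ip, spi in clients.items():
        if encapsulate:
            reply = Packet(UDP, gateway, nat.public_ip, NAT_T_PORT, reply_port[inside_ip], spi)
        else:
            reply = Packet(ESP, gateway, nat.public_ip, spi=spi)
        delivered = nat.translate_in(reply)
        reached[inside_ip] = delivered.dst if delivered else None
    return reached


if __name__ == "__main__":
    print("raw ESP:", simulate(encapsulate=False))
    print("UDP-encapsulated ESP:", simulate(encapsulate=True))
```

With raw ESP the gateway's reply meant for 10.0.0.10 is handed to 10.0.0.20, because the second SA overwrote the first one's entry; with UDP encapsulation each reply reaches the host it belongs to. This is the failure mode Steve's "not in the general case" refers to and the one the drafts Terry lists address.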



Abuse Departments

2003-10-11 Thread Andrew D Kirch

After 3 Denial of Service attacks in the last 4 days, I'm beginning to wonder if
there should be a standardization of some sort of abuse departments.  Or perhaps if
there are some companies that should REALLY THINK (TM) about perhaps installing some.
When my domain is under attack by yours, that means you've done something WRONG, and
you need to take care of it, the same as I would if mine is under attack.  How it's
even conceivable that you can operate without someone that has the authority to act
on abuse 24/7 from your AS number's Org-Abuse is inconceivable.

Quite frankly the FBI cares not at all about Denial of Service attacks, because if
they did such attacks wouldn't happen.  If I try to break into and cease the abusive
actions of these hosts, I am myself committing a felony to defend my site from
attack.  They however don't have someone on hand to stop the attacks and quite
honestly the damage of not having a connection to the internet isn't expressible
simply in monetary loss.  Real change needs to happen as far as accountability across
the internet.  If everyone's going to run Windows and kiddies are going to have
packetnets that extend to millions of hosts, then someone needs to be on call at
large consumer ISP's to yank cords when their customers' boxes get compromised.  The
next ISP that tells me "we'll have someone call you about that tomorrow" is going to
get listed on nanog, and CC'd to an ISP hall of shame somewhere of my own making.
Please, please impart clue on your abuse department.  Allowing hosts in your domain
to participate in DoS attacks is WRONG.

-- 

Andrew D Kirch  |   [EMAIL PROTECTED]| 
Security Admin  |  Summit Open Source Development Group  | www.sosdg.org




Re: Abuse Departments

2003-10-11 Thread Christopher L. Morrow


On Sat, 11 Oct 2003, Andrew D Kirch wrote:


 Apologies for the grammar; after suffering from a 2 hour site outage due to a DoS 
 attack, and the best reply I got was "well, we'll call you", I'm at wits' end.

 On Sat, 11 Oct 2003 20:22:25 -0500
 Andrew D Kirch [EMAIL PROTECTED] wrote:
 

No need to suffer, vote with your bandwidth to a provider that can help...
There are several on this list, eh? :)


Re: DDOS Today?

2003-10-11 Thread Chris Lewis
Hi, I hadn't noticed that this has something to do with us, until Dave 
Lugo pointed it out.

I really don't know who has anything to do with IPv6 here; I suspect 
very much it's a product group's test block.  Or something.  I had 
forwarded a previous note about an IPv6 block with no longer valid WHOIS 
contact info to our people who interact with the registries for DNS and 
IP, but I don't know if it's the same block.  Chances are that they're 
having almost as much trouble as you tracking down who is responsible 
for this block.

I've forwarded a copy of this to some of the people I know in networking 
who may know about this or what to do with it.

In the meantime, I strongly suggest that you call 1-800-684-4357 (our 
7x24 support line) and enter a ticket.  I'd do it for you, but I don't 
have your contact information, nor understand this issue well enough to 
describe it.

That help line normally gets support calls from employees, and they'll 
expect an employee number.  I'll email you my employee number directly, 
so you can give them an ID to tie it to if they insist.

Greg Valente wrote:

I just got on today.
Were there any large DDoS attacks today?
Any specific networks impacted?
-Original Message-
From: Jeroen Massar [mailto:[EMAIL PROTECTED]
Sent: Friday, October 10, 2003 8:16 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Reserved ASN 64702, 6to4, 2 ghosts, other oddities and still no
working contacts...



Checking http://www.sixxs.net/tools/grh/lg/?show=bogons&find=::/0

People might want to filter on private ASN's also
when that ASN is being used as transit...
2001:a40::/32 AS64702 is reserved (path: 15516 3257 2497 4697 2914 10109 4538 4787 64702 20646 8763 5539 1930 9186) Ghost Route (14/12) 
3ffe:3500::/24   3ffe:4005:fefe:: 25396 1752 10109 4538 4787 64702 20646 8319  

We still have these 6to4 specifics btw:
2002:c2b1:d06e::/48  More specific 6to4 prefix (194.177.208.110/32) from AS5408 
2002:c8a2::/33   More specific 6to4 prefix (200.162.0.0/17) from AS15180 
2002:c8c6:4000::/34  More specific 6to4 prefix (200.198.64.0/18) from AS15180 
2002:c8ca:7000::/36  More specific 6to4 prefix (200.202.112.0/20) from AS15180 

And nopes, no contact has been made yet, apparently having
your email address listed in the registry frees you of any
obligations...
Another funny one:
3ffe:3::/32  Subnet of 3ffe::/24 Mismatching origin ASN,
should be 4555 (now: 29216) 
While there also is an announcement for:
2001:7fe::/32   I-rootserver-net-20030916

The ghosts of this month:
3ffe:1f00::/24
3ffe:2400::/24
Both with 10318 5623 common in their paths, obvious, isn't it?
Oh and yes, still no contact from anybody at Nortel; apparently
that company doesn't know what IPv6 is. AS10318 (check above also)
is still announcing *their* block and still hasn't made any comment
or reply back whatsoever. AS10318 has its own pTLA but apparently
is not contactable for that pTLA either. If anybody knows someone
alive for 3ffe:1300::/24 or AS762 or AS10318 please notify them.
Maybe posting to NANOG raises some people from sleep. Mailing
the whois contacts directly doesn't help apparently.
Greets,
Jeroen



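The two checks that Jeroen's quoted looking-glass report implies, as an added example that is not code from the thread or from SiXXS: flagging a private ASN that shows up as a transit hop in an AS path, and recovering the IPv4 block that a 6to4 more-specific embeds so it can be compared with the IPv4 route it shadows. The route rows are constructed sample data in the shape of the quoted output, and the function names are my own.

```python
import ipaddress

PRIVATE_ASN = range(64512, 65536)           # RFC 1930 private 16-bit ASNs
SIXTO4 = ipaddress.ip_network("2002::/16")  # RFC 3056 6to4 prefix

# Constructed sample rows (prefix, AS path) in the shape of the looking-glass
# output quoted above.  The first row mirrors the AS64702 case from the post;
# the second is an invented path with a private ASN only at the origin.
SAMPLE_ROUTES = [
    ("2001:a40::/32", [15516, 3257, 2497, 4697, 2914, 10109, 4538, 4787,
                       64702, 20646, 8763, 5539, 1930, 9186]),
    ("2001:db8:1::/48", [15516, 3257, 64512]),
]


def private_asns(path):
    """Split the private ASNs in a path into transit hops and the origin.
    A private origin is a local choice; a private ASN mid-path is a leak:
    the neighbour that exported it should have stripped or replaced it."""
    *transit, origin = path
    return {
        "transit": [asn for asn in transit if asn in PRIVATE_ASN],
        "origin": [origin] if origin in PRIVATE_ASN else [],
    }


def embedded_ipv4(prefix):
    """Recover the IPv4 block a 6to4 prefix embeds (RFC 3056): the IPv4
    address sits in bits 16..47 of the IPv6 address, so an IPv6 /L inside
    2002::/16 corresponds to an IPv4 /(L-16).  Returns e.g. '200.162.0.0/17'."""
    net = ipaddress.ip_network(prefix)
    if net.version != 6 or not net.subnet_of(SIXTO4):
        raise ValueError(f"{prefix} is not a 6to4 prefix")
    v4 = ipaddress.IPv4Address((int(net.network_address) >> 80) & 0xFFFFFFFF)
    return str(ipaddress.ip_network(f"{v4}/{net.prefixlen - 16}", strict=False))


def audit(routes):
    """Return one finding string per route that carries a private ASN as
    transit; routes whose only private ASN is the origin are not reported."""
    findings = []
    for prefix, path in routes:
        leak = private_asns(path)["transit"]
        if leak:
            findings.append(f"{prefix}: private ASN {leak} used as transit")
    return findings
```

Running `embedded_ipv4` over the four 6to4 more-specifics quoted above reproduces the IPv4 blocks the report lists next to them.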

BellSouth prefix deaggregation (was: as6198 aggregation event)

2003-10-11 Thread Terry Baranski

More on this -

Two of BellSouth's AS's (6197 & 6198) have combined to inject around
1,000 deaggregated prefixes into the global routing tables over the last
few weeks (in addition to their usual load of ~600+ for a total of
~1,600).

This does indeed appear to be having an operational impact on some
folks, an example of which is here:

http://isp-lists.isp-planet.com/isp-bgp/0310/msg00059.html

The vast majority (if not all) of these prefixes are covered within
aggregates announced by BellSouth AS6389, which acts as an upstream to
these and around 20 other BellSouth AS's. (These other AS's combine for
another ~700 deaggregated announcements, meaning that BellSouth may
currently be advertising more deaggregated prefixes into the global
routing tables than any other entity.)  Some of these AS's appear to use
Qwest as backup transit, so presumably the motive behind the vast
deaggregation is failover.  Is there a better way of achieving this than
forcing the Internet to store ~2,300 extra routes?

Can anyone from BellSouth comment?  What if a few other major ISPs were
to add a thousand or so deaggregated routes in a few weeks time?  Would
there be a greater impact?

(Note: The above numbers are based on data from cidr-report.org.  Some
other looking glasses were also checked to see if cidr-report.org's view
of these AS's is consistent with the Internet as a whole.  This appears
to be the case, but corrections are welcome.)

-Terry

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of Terry Baranski
 Sent: Sunday, October 05, 2003 3:01 PM
 To: 'James Cowie'; [EMAIL PROTECTED]
 Subject: RE: as6198 aggregation event
 
 
 
 James Cowie wrote:
 
  On Friday, we noted with some interest the appearance of more 
  than six hundred deaggregated /24s into the global routing 
  tables.  More unusually, they're still in there this morning.  
  
  AS6198 (BellSouth Miami) seems to have been patiently injecting 
  them over the course of several hours, between about 04:00 GMT 
  and 08:00 GMT on Friday morning (3 Oct 2003).  
 
 If you look at the 09/19 and 09/26 CIDR Reports, BellSouth Atlanta
 (AS6197) did something similar during this time period -- they added
 about 350 deaggregated prefixes, most if not all /24's.  
 
  Usually when we see deaggregations, they hit quickly and they
  disappear quickly; nice sharp vertical jumps in the table size.
  This event lasted for hours and, more importantly, the prefixes 
  haven't come back out again, an unusual pattern for a single-origin
  change that effectively expanded global tables by half a percent. 
 
 That AS6197's additions are still present isn't encouraging.
 
 -Terry
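The covered-prefix count the post takes from cidr-report.org, as an added example that is not cidr-report's or BellSouth's code: it finds every prefix in a table snapshot that sits inside a shorter prefix also present in the snapshot, records which aggregate and origin cover it, and groups the results by origin AS. The snapshot is constructed from private IPv4 space and RFC 5398 documentation ASNs, and the function names are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed snapshot of (prefix, origin AS).  The shape mirrors the case
# above: one upstream (AS64496) announces the aggregates, two downstream
# ASes announce /24s that fall inside them, and one /24 has no aggregate.
SNAPSHOT = [
    ("10.1.0.0/16", 64496),
    ("10.2.0.0/16", 64496),
    ("10.1.0.0/24", 64497), ("10.1.1.0/24", 64497), ("10.1.2.0/24", 64497),
    ("10.2.5.0/24", 64498),
    ("10.3.9.0/24", 64498),      # not covered by anything: not a deaggregate
]


def deaggregates(snapshot):
    """Return {origin AS: [(prefix, covering aggregate, aggregate origin)]}
    for every prefix fully contained in a shorter prefix that is present in
    the same snapshot.  Each such entry is a route the aggregate would make
    unnecessary for steady-state reachability."""
    table = {ipaddress.ip_network(p): asn for p, asn in snapshot}
    found = defaultdict(list)
    for net, asn in table.items():
        # Look up every shorter prefix length directly: O(prefixlen) per
        # route instead of comparing all pairs.  Stop at the first (longest)
        # covering aggregate, which is the one the table would fall back to.
        for length in range(net.prefixlen - 1, 0, -1):
            agg = net.supernet(new_prefix=length)
            if agg in table:
                found[asn].append((str(net), str(agg), table[agg]))
                break
    return dict(found)


def extra_routes(snapshot):
    """Number of table entries that exist only because of deaggregation."""
    return sum(len(v) for v in deaggregates(snapshot).values())
```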