Re: The Internet's Immune System
On Wed, 12 Nov 2003 18:56:50 EST, Jamie Reid <[EMAIL PROTECTED]> said:

> It would be useful if these sites allowed you to query them with CIDR ranges
> to see if your site had originated any traffic that triggered their sensor
> array

I've always wondered how to do this securely in an ad-hoc manner. The guys at MAPS send me a report once a week of stuff that's in my netblocks, but that involved contacting them and presumably at least some verification that I was affiliated with the netblocks.

How do you prevent Joe Scriptkid from asking it "what vulnerable machines are coming out of ASrandom"?
Re: GFI Security Suite
My company is using GFI MailSecurity for Exchange/SMTP 8 now. We have tested GFI MailEssentials for Exchange/SMTP. They work like they say they do. They give us very little trouble. It seems like the products from GFI are getting better. I wouldn't say they are perfect. http://kbase.gfi.com/showarticle.asp?id=KBID001840 They are building a knowledge base which is helpful. On Wed, 12 Nov 2003 14:38:24 -0500 "Wesley Vaux" <[EMAIL PROTECTED]> writes: Has anyone or does anyone currently or recently used any of the products by GFI? What are your thoughts about these products if you have. Thanks for your input. Wes Vaux, CCNA, CCDA Network Security Engineer, 9000 Regency Pkwy Ste 500 Cary, NC 27511 t 919.463.6782 f 919.463.1290 Global Knowledge Experts Teaching Experts http://www.globalknowledge.com
Re: ARIN, where art thou?
On Wed, 12 Nov 2003, Randy Bush wrote:

> > It looks like they are back up now.
>
> s/they/you/

It wasn't just him. I can see in the log a period when recursive lookups to arin were failing (connection timed out). There was definitely a problem 20 minutes ago. I can actually see two periods of about 5 minutes each separated by a period of 5 minutes when it was partially working (some time outs still). I think they were under DoS attack or something similar.

--
William Leibzon
Elan Networks
[EMAIL PROTECTED]
Re: ARIN, where art thou?
> It looks like they are back up now. s/they/you/
Re: ARIN, where art thou?
It looks like they are back up now. I think it was a short outage. Sorry to those who got distracted by the false alarm here..

-hc

--
Haesu C.
TowardEX Technologies, Inc.
Consulting, colocation, web hosting, network design and implementation
http://www.towardex.com | [EMAIL PROTECTED]
Cell: (978)394-2867 | Office: (978)263-3399 Ext. 170
Fax: (978)263-0033 | POC: HAESU-ARIN

On Wed, Nov 12, 2003 at 08:01:11PM -0600, Chris Adams wrote:
>
> Once upon a time, Haesu <[EMAIL PROTECTED]> said:
> > I am trying from different locations and it's not connecting.. traceroute
> > dies after arin-gw.customer.alter.net
>
> whois.arin.net and www.arin.net are working from here. It appears they
> block traceroute.
> --
> Chris Adams <[EMAIL PROTECTED]>
> Systems and Network Administrator - HiWAAY Internet Services
> I don't speak for anybody but myself - that's enough trouble.
Re: Google down?
On Wed, 12 Nov 2003, Jim Wood wrote: > Looks like google is down too ARIN and Google both work fine from AS4927. -- Jay Hennigan - CCIE #7880 - Network Administration - [EMAIL PROTECTED] WestNet: Connecting you to the planet. 805 884-6323 WB6RDV NetLojix Communications, Inc. - http://www.netlojix.com/
Re: Portable Cooling
Speaking on Deep Background, the Press Secretary whispered: > > > There are air to water a/c units or chillers. We used one such unit. > They can be located just about anywhere since they can pump, or be fed > water through a hose, and drain via another hose. > > In fact we have the unit still for sale if anyone is interested they may > contact me privately and I'd be glad to give you any details you may need. > The manuf. is Koldwave BTW. I recall a company called ADEPT in Springfield VA stocked the H2O based systems. They are useful for buildings where the central AC is off at night, etc. as well as a hot-spare. -- A host is a host from coast to [EMAIL PROTECTED] & no one will talk to a host that's close[v].(301) 56-LINUX Unless the host (that isn't close).pob 1433 is busy, hung or dead20915-1433
Re: Google down?
> > Looks like google is down too > Both google and arin are working fine from here; could be a localized upstream provider issue on your end?
Re: ARIN, where art thou?
Once upon a time, Haesu <[EMAIL PROTECTED]> said: > I am trying from different locations and its not connecting.. traceroute > dies after arin-gw.customer.alter.net whois.arin.net and www.arin.net are working from here. It appears they block traceroute. -- Chris Adams <[EMAIL PROTECTED]> Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble.
Google down?
Looks like google is down too
ARIN, where art thou?
Does any one know if ARIN just went down? I am trying from different locations and its not connecting.. traceroute dies after arin-gw.customer.alter.net Thanks, -hc -- Haesu C. TowardEX Technologies, Inc. Consulting, colocation, web hosting, network design and implementation http://www.towardex.com | [EMAIL PROTECTED] Cell: (978)394-2867 | Office: (978)263-3399 Ext. 170 Fax: (978)263-0033 | POC: HAESU-ARIN
Re: The Internet's Immune System
As far as reporting is concerned, we do have a number of ways you can query our DShield data. First of all, by prefix (right now only /8, /16, /24). But we do send out daily custom reports per request. Just send me an e-mail.

There is also a test version of a report by ASN: http://www.dshield.org/asreport.php

It's experimental and feedback is welcome. It is set up to be machine parsable.

On Wed, 2003-11-12 at 18:56, Jamie Reid wrote:
> It would be useful if these sites allowed you to query them with CIDR ranges to
> see if your site had originated any traffic that triggered their sensor arrays. The
> IDS community never seems to have wrapped its collective head around routing
> information. Looking up single IP addrs is just cosmetic. A real service would
> allow for concerned sites to check their entire address allocations.
>
> The solution we have takes a massive amount of data munging of a routing
> table and is still experimental, but until attacks can be mapped to meaningful
> Internet topographical information, the real value of these distributed IDS
> efforts cannot be fully exploited.
>
> I can foresee the argument that people shouldn't be able to look up other sites
> which might be compromised, but if they are really so concerned, they should
> get their sites patched.
>
> --
> Jamie.Reid, CISSP, [EMAIL PROTECTED]
> Senior Security Specialist, Information Protection Centre
> Corporate Security, MBS
> 416 327 2324
> >>> "Bryan Bradsby" <[EMAIL PROTECTED]> 11/12/03 04:25pm >>>
>
> > Devise a system that assumes owners of IP space WANT to know about problems.
> > report --open-proxy 192.168.1.1
> and have a report sent to whoever needed to know about it.
>
> http://www.Incidents.org
> http://www.Dshield.org/howto.php
> http://www.MyNetWatchman.com
>
> -bryan bradsby

--
Johannes Ullrich [EMAIL PROTECTED]
pgp key: http://johannes.homepc.org/PGPKEYS
--
"We regret to inform you that we do not enable any of the security functions within the routers that we install." [EMAIL PROTECTED]
--
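Added example (not part of the original thread, and not DShield's or MAPS's code): one way a sensor-data service could answer the CIDR-range queries discussed above while only answering for address space the requester has been verified for. The registry, requester id and sensor records are constructed for illustration, and the netblock verification itself is assumed to happen out of band.

```python
import ipaddress
from collections import Counter

# Constructed sensor data: (source IP, destination port, hit count).
# Addresses come from the RFC 5737 documentation ranges.
SENSOR_HITS = [
    ("192.0.2.17", 1434, 420),
    ("192.0.2.200", 80, 12),
    ("198.51.100.9", 135, 77),
    ("203.0.113.45", 445, 5),
    ("198.51.100.130", 1080, 31),
]

# Hypothetical registry: requester -> netblocks verified out of band
# (for example against whois or routing registry contacts).
VERIFIED_NETBLOCKS = {
    "noc@example.net": ["192.0.2.0/24", "198.51.100.0/25"],
}


class QueryDenied(Exception):
    """Raised when a requester asks about space it is not verified for."""


def authorised_scope(requester, query_cidr):
    """Return the parsed query network if it lies inside a verified netblock."""
    # strict=True rejects input with host bits set, such as 192.0.2.17/24
    query = ipaddress.ip_network(query_cidr, strict=True)
    for block in VERIFIED_NETBLOCKS.get(requester, []):
        owned = ipaddress.ip_network(block)
        # The query must be equal to or more specific than an owned block;
        # a covering supernet would leak data about neighbouring networks.
        if query.version == owned.version and query.subnet_of(owned):
            return query
    raise QueryDenied(f"{requester} is not verified for {query}")


def query_hits(requester, query_cidr):
    """Sensor hits sourced from query_cidr, busiest source first."""
    scope = authorised_scope(requester, query_cidr)
    hits = [h for h in SENSOR_HITS if ipaddress.ip_address(h[0]) in scope]
    return sorted(hits, key=lambda h: h[2], reverse=True)


def rollup(hits, prefixlen):
    """Total hit counts per covering prefix (e.g. /8, /16 or /24)."""
    totals = Counter()
    for ip, _port, count in hits:
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        totals[str(net)] += count
    return dict(totals)


if __name__ == "__main__":
    print(query_hits("noc@example.net", "192.0.2.0/24"))
    print(rollup(SENSOR_HITS, 24))
    try:
        query_hits("noc@example.net", "198.51.100.0/24")
    except QueryDenied as exc:
        print("denied:", exc)
```

The subnet check is what keeps an arbitrary requester from enumerating someone else's address space: a query is answered only when it is equal to or more specific than a block already tied to that requester.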
Re: The Internet's Immune System
here's what i learned about a white-hat registry. nobody cares. this is perceived as an asymmetric benefit, where the costs (even if there's no money, there's still effort in registering initial and new address space or AS#'s or whatever) are borne by the network owner and the benefits are felt by victims of various forms of abuse (spam, ddos, virus, whatever.)

now, anyone who thinks this through will realize that the benefit is NOT asymmetric. this is a tide (storm) that can lift (destroy) all boats. a network owner who deals swiftly with abuse becomes an anathema for abusers and thus has lower overall abuse costs. and a network of network-owners who all behaved that way would make abuse rare enough to be worth tracking again.

however, from a marketing/perception standpoint, the benefit appears to be asymmetric, and in this economy, network owners don't feel generous. so the first task isn't upgrading incidents.org or mail-abuse.org to handle white-hat network owner registration, but rather, convincing network owners that it's in their own selfish best interests to receive rapid and reliable complaints when abuse comes from/through their customer.

and frankly, if that were possible, the [EMAIL PROTECTED] would not be a blackhole with robothanks at the door.

so, i'm not hopeful that the internet's immune system is simply in need of better incident reporting. we need a "sea change" in network-owner attitudes.

if you're feeling holier than thou for any reason, find out if your peering agreements require your peers to permanently disconnect repeat abuse sources, and to temporarily disconnect first time abuse sources. assuming that $YOU do these things, but that $YOUR_PEERS do not, then what have you really accomplished?

--
Paul Vixie
Re: The Internet's Immune System
It would be useful if these sites allowed you to query them with CIDR ranges to see if your site had originated any traffic that triggered their sensor arrays. The IDS community never seems to have wrapped its collective head around routing information. Looking up single IP addrs is just cosmetic. A real service would allow for concerned sites to check their entire address allocations.

The solution we have takes a massive amount of data munging of a routing table and is still experimental, but until attacks can be mapped to meaningful Internet topographical information, the real value of these distributed IDS efforts cannot be fully exploited.

I can foresee the argument that people shouldn't be able to look up other sites which might be compromised, but if they are really so concerned, they should get their sites patched.

--
Jamie.Reid, CISSP, [EMAIL PROTECTED]
Senior Security Specialist, Information Protection Centre
Corporate Security, MBS
416 327 2324

>>> "Bryan Bradsby" <[EMAIL PROTECTED]> 11/12/03 04:25pm >>>

> Devise a system that assumes owners of IP space WANT to know about problems.
> report --open-proxy 192.168.1.1
and have a report sent to whoever needed to know about it.

http://www.Incidents.org
http://www.Dshield.org/howto.php
http://www.MyNetWatchman.com

-bryan bradsby
Re: The Internet's Immune System
> Devise a system that assumes owners of IP space WANT to know about problems. > report --open-proxy 192.168.1.1 and have a report sent to whoever needed to know about it. http://www.Incidents.org http://www.Dshield.org/howto.php http://www.MyNetWatchman.com -bryan bradsby
GFI Security Suite
Has anyone or does anyone currently or recently used any of the products by GFI? What are your thoughts about these products if you have. Thanks for your input. Wes Vaux, CCNA, CCDA Network Security Engineer, 9000 Regency Pkwy Ste 500 Cary, NC 27511 t 919.463.6782 f 919.463.1290 Global Knowledge Experts Teaching Experts http://www.globalknowledge.com
Re: Portable Cooling
--On Wednesday, November 12, 2003 16:07 + [EMAIL PROTECTED] wrote:

I searched the archives and couldn't find anything about a portable cooling units so am resorting to posting, sorry if it's redundant. I am setting up a development lab and need additional cooling on a temporary basis.

IMHO, portable coolers are a bad idea. They add noise to the environment and increase the overall heat level due to the consumption of electricity. When we had them in our office for a week, I started working 3 hour days to escape the hellish atmosphere. In the past I regularly worked in buildings that were 35 degrees Celsius indoors (2 degrees C less than core body temperature) and it was much more comfortable than that week with the portable coolers.

There are air to water a/c units or chillers. We used one such unit. They can be located just about anywhere since they can pump, or be fed water through a hose, and drain via another hose.

In fact we have the unit still for sale if anyone is interested they may contact me privately and I'd be glad to give you any details you may need. The manuf. is Koldwave BTW.

--
Undocumented Features quote of the moment...
"It's not the one bullet with your name on it that you have to worry about; it's the twenty thousand-odd rounds labeled `occupant.'" --Murphy's Laws of Combat
Re: The Internet's Immune System
On Wed, 12 Nov 2003, David A. Ulevitch wrote: > Automated techniques are the only thing that will stop it but is your > idea "fast enough?" I don't think so. Relying on user reports is good > for compromises and spambots but it won't do anything to stop CodeRed or > Nimda. True -- but I did say that this was a: >> mechanism for various firewalls, intrusion detection systems, etc to talk >> to each other to solve problems as quickly as possible. > I don't think anything comes close to that today. No, nothing does. This is a start. The example I gave of a command line tool was just that. The idea is a framework that people and tools can use to exchange information. I think the protocol itself -- the underlying system -- is what will be important. The command line program would be the second part of "Rough consensus and working code". As with DNS and web servers, I expect there would be many implementations, from inclusion in firewall programs to CPAN modules. == Chris Candreva -- [EMAIL PROTECTED] -- (914) 967-7816 WestNet Internet Services of Westchester http://www.westnet.com/
Re: The Internet's Immune System
Christopher X. Candreva wrote:

So in the above example, if I receive the report for 192.168.1.1 being an open proxy, I might have my system configured, because that is a residential DSL IP, to automatically do a full port scan on it to look for open proxies, and if I confirm that it is open shut the line down, or just kick out a ticket for someone to call the customer. Or, start a netflow analysis on it to look for virus/worm traffic. Or not do anything until a certain number of reports are received, weighted based on the ranking of PGP sigs.

That's a start, but think about this. Worms are fast now. [1] Let's say you have 30 seconds to stop a worm from the time it hits the internet to until the time it's fully propagated to the point of serious network disruption.

Automated techniques are the only thing that will stop it but is your idea "fast enough?" I don't think so. Relying on user reports is good for compromises and spambots but it won't do anything to stop CodeRed or Nimda.

Paul's use of the word immune system hit it on the head. An immune system kicks in automatically to fight infection, and right now there isn't one on the net. It has to automatically fight it, it has to be accurate and it has to be fast. I don't think anything comes close to that today.

-davidu

[1]: http://www.cs.berkeley.edu/~nweaver/cdc.web/

David A. Ulevitch - Founder, EveryDNS.Net
Washington University in St. Louis
http://david.ulevitch.com -- http://everydns.net
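Added example (not part of the original thread): a sketch of the "wait for a certain number of reports, weighted by the ranking of PGP sigs" policy quoted in the message above. The key ids, integer weights, threshold, time window and report records are all constructed, and signature verification is assumed to have been done upstream and recorded as a flag.

```python
from collections import defaultdict

# Hypothetical trust ranking per signing key, in integer points so that
# threshold comparisons are exact.
KEY_WEIGHT = {"KEY-A": 10, "KEY-B": 5, "KEY-C": 5}
UNKNOWN_WEIGHT = 1   # validly signed, but by a key we have no ranking for
THRESHOLD = 15       # points needed before any automated action is taken
WINDOW = 3600        # seconds during which reports corroborate each other

# Constructed reports: (unix time, key id, signature verified, category, ip)
REPORTS = [
    (1000, "KEY-A", True, "open-proxy", "192.168.1.1"),
    (1100, "KEY-A", True, "open-proxy", "192.168.1.1"),   # same reporter again
    (1200, "KEY-B", True, "open-proxy", "192.168.1.1"),
    (1300, "KEY-X", True, "open-proxy", "192.168.1.1"),   # unranked key
    (1400, "KEY-C", False, "open-proxy", "192.168.1.1"),  # bad signature
    (1500, "KEY-B", True, "open-proxy", "192.168.1.2"),
    (9000, "KEY-C", True, "open-proxy", "192.168.1.1"),   # much later
]


def scores(reports, now, window=WINDOW):
    """Weighted score per (category, ip) from reports inside the window."""
    seen = set()
    totals = defaultdict(int)
    for ts, key, sig_ok, category, ip in reports:
        # Unverifiable or stale reports contribute nothing.
        if not sig_ok or not (now - window < ts <= now):
            continue
        # Each key counts once per target, so one reporter cannot reach
        # the threshold alone by repeating itself.
        if (key, category, ip) in seen:
            continue
        seen.add((key, category, ip))
        totals[(category, ip)] += KEY_WEIGHT.get(key, UNKNOWN_WEIGHT)
    return dict(totals)


def actionable(reports, now, threshold=THRESHOLD):
    """Targets whose corroborated score justifies a scan or a ticket."""
    return sorted(t for t, s in scores(reports, now).items() if s >= threshold)


if __name__ == "__main__":
    print(scores(REPORTS, now=2000))
    print(actionable(REPORTS, now=2000))
    print(actionable(REPORTS, now=9500))
```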
The Internet's Immune System
On Sun, 2 Nov 2003, Paul Vixie wrote:

> so listen up. just because many of the infected hosts won't be disinfected,
> don't assume that there's no value in tracking and reporting them, or that
> there's no reason to spend money listening to and acting on complains about
> them. the internet's immune system needs *more* resources, not fewer.

I've had an idea kicking around my head since Paul posted this. Most of the reporting work seems to be centered around finding who to report problems to. I think we need to turn the problem around:

Devise a system that assumes owners of IP space WANT to know about problems.

In simple terms, a system that would let me issue a command such as report --open-proxy 192.168.1.1 (or even report --open-proxy 192.168.1.1 http://www.westnet.com/
RE: Portable Cooling
Might you be referring to a "MovinCOOL" by the company named DENSO ? We have one of the model 10SFU-1 - got them from the Grainger catalog. We named ours Snuffleupagus :) Dave Hilton Staff System Administrator entelos(r) Foster City, CA "Linux is like a wigwam - No Gates, no Windows, Apache inside."
Re: Point of sale RAS hardware?
Last time I did this I cheated and bought a bunch of the old 4-to-a-card USR Rackmount Couriers second hand and shoved a Digiboard in the back of a PC and sent them init strings to lock them to V22 negotiation. Worked well. Obviously this isn't an option if you want to do it on a large scale, or if you want supportable hardware. P. On Wednesday 12 November 2003 4:12 pm, Jeffrey Paul wrote: > Does anyone know of a good RAS product that supports the fast train > times needed for point of sale terminals (specifically the ability to > turn off data compression, error detection, and speed negotiation)? > Most every one I've seen is aimed at serving as-fast-as-possible dialup > network access to normal modems, but I need something that will do > 1200bps (or even better yet, v.22FC) with no frills. > > Can anyone suggest a product or manufacturer? > > Thanks, > -j > > -- > Jeffrey Paul - [EMAIL PROTECTED] > Senior Network Administrator; CCNA, MCSE, BOFH > Diamond Financial Products - Southfield, MI > Cell: 877-748-3467 > Desk: 248-331- x244 > PGP Key: F8D0 E107 9913 A938 8521 5D01 17B1 D2A1 84E4 10FD
Re: Portable Cooling
Yea, I got one in my little server room in the office. Building gave me the choice of getting one of those when I moved in, or throwing a full blown water chiller based system in the AC room, I took the cheaper path. Works OK, wish I had gotten one model bigger than what I have (the smallest). John On Wed, Nov 12, 2003 at 10:43:20AM -0500, Fisher, Shawn wrote: > > I searched the archives and couldn't find anything about a portable cooling > units so am resorting to posting, sorry if its redundant. > > I am setting up a development lab and need additional cooling on a temporary > basis. I recall a product called, "move n kool"? It looked like the robot > on lost in space. They used to advertise in Boardwatch when Boardwatch was > cool. (when Jack was running it) Not sure of the spelling, but wondered if > anyone has had experience that or anything like it. > > TIA > > Shawn >
Re: uRPF-based Blackhole Routing System Overview
Vendor C calls it DHCP snooping and to the best of my knowledge it is only available under IOS not CatOS

Scott C. McGrath

On Fri, 7 Nov 2003, Greg Maxwell wrote:
>
> On Fri, 7 Nov 2003, Robert A. Hayden wrote:
> > [snip]
> > One final note. This system is pretty useless for modem pools, VPN
> > concentrators, and many DHCP implementations. The dynamic IP nature of
> > these setups means you will just kill legitimate traffic next time someone
> > gets the IP. You can attempt to correlate your detection with the time
> > they were handed out, of course, in the hopes you find them.
>
> Another approach to address this type of problem is the source spoofing
> preventing dynamic-acls support that some vendors have been adding to
> their products. I don't know if it's in anyone's production code-trains
> yet.
>
> The basic idea is that your switch snoops DHCP traffic to the port and
> generates an ACL based on the address assigned to the client. Removing a
> host is as simple as configuring your DHCP server to ignore its requests
> and perhaps sending a crafty packet (custom written DECLINE) to burp the
> existing ACL out of the switch.
>
> Vendor F calls this feature "Source IP Port Security", I'm not sure what
> vendor C calls it.
>
> Since this is a layer 2 feature you can configure it far out on the edge
> and not just at the router.
Point of sale RAS hardware?
Does anyone know of a good RAS product that supports the fast train times needed for point of sale terminals (specifically the ability to turn off data compression, error detection, and speed negotiation)? Most every one I've seen is aimed at serving as-fast-as-possible dialup network access to normal modems, but I need something that will do 1200bps (or even better yet, v.22FC) with no frills. Can anyone suggest a product or manufacturer? Thanks, -j -- Jeffrey Paul - [EMAIL PROTECTED] Senior Network Administrator; CCNA, MCSE, BOFH Diamond Financial Products - Southfield, MI Cell: 877-748-3467 Desk: 248-331- x244 PGP Key: F8D0 E107 9913 A938 8521 5D01 17B1 D2A1 84E4 10FD
Re: Portable Cooling
>I searched the archives and couldn't find anything about a portable cooling
>units so am resorting to posting, sorry if its redundant.
>I am setting up a development lab and need additional cooling on a temporary
>basis.

All cooling units move heat from point A to point B. The end result is that point A gets cooler, but, and it's a BIG but, point B gets hotter. If you use portable coolers, you have to decide where point B is and can you get away with increasing the heat there? Will you blow the heat back into the development lab? Or into the office space next door? Or into the space above the suspended ceiling which indirectly channels the heat into every room on the same floor? Or under the raised flooring where it can raise the temperature of every cabinet that is not being cooled by the portable units?

IMHO, portable coolers are a bad idea. They add noise to the environment and increase the overall heat level due to the consumption of electricity. When we had them in our office for a week, I started working 3 hour days to escape the hellish atmosphere. In the past I regularly worked in buildings that were 35 degrees Celsius indoors (2 degrees C less than core body temperature) and it was much more comfortable than that week with the portable coolers.

--Michael Dillon

P.S. it would be interesting to know if anyone has some creative solutions to data center design to cope with cooling system failure other than n+1 redundant coolers.
RE: Portable Cooling
www.ppe.com shows them there. Geo. -Original Message- >basis. I recall a product called, "move n kool"? It looked like the robot
Re: Portable Cooling
On Nov 12, 2003, at 10:43 AM, Fisher, Shawn wrote: I searched the archives and couldn't find anything about a portable cooling units so am resorting to posting, sorry if its redundant. I am setting up a development lab and need additional cooling on a temporary basis. I recall a product called, "move n kool"? It looked like the robot on lost in space. They used to advertise in Boardwatch when Boardwatch was cool. (when Jack was running it) Not sure of the spelling, but wondered if anyone has had experience that or anything like it. TIA Shawn http://www.movincool.com/ --Phil Rosenthal ISPrime, Inc.
RE: Portable Cooling
Check with Home Depot, they have some for about $400 - from Maytag; also APC makes one, but not sure of cost or source. -Keith -Original Message- From: Fisher, Shawn [mailto:[EMAIL PROTECTED] Sent: Wednesday, November 12, 2003 10:43 AM To: Nanog List (E-mail) Subject: Portable Cooling I searched the archives and couldn't find anything about a portable cooling units so am resorting to posting, sorry if its redundant. I am setting up a development lab and need additional cooling on a temporary basis. I recall a product called, "move n kool"? It looked like the robot on lost in space. They used to advertise in Boardwatch when Boardwatch was cool. (when Jack was running it) Not sure of the spelling, but wondered if anyone has had experience that or anything like it. TIA Shawn
Portable Cooling
I searched the archives and couldn't find anything about a portable cooling units so am resorting to posting, sorry if its redundant. I am setting up a development lab and need additional cooling on a temporary basis. I recall a product called, "move n kool"? It looked like the robot on lost in space. They used to advertise in Boardwatch when Boardwatch was cool. (when Jack was running it) Not sure of the spelling, but wondered if anyone has had experience that or anything like it. TIA Shawn
Re: Router with 2 (or more) interfaces in same network
> I think it will if you specify a netmask, otherwise it uses, wrongly in my > view, an old style classless netmask based on the old class A B and C rules. On a side issue then.. : Why do so many vendors automatically generate a classful netmask? Surely the correct practice is to force the input of a mask as there is these days (cidr) no system to state what your netmask is.. even a /24 would be better than typing in 10.3.2.1 and getting a /8 Steve
Re: Router with 2 (or more) interfaces in same network
> Errr, no. FreeBSD won't let you do this. I think it will if you specify a netmask, otherwise it uses, wrongly in my view, an old style classless netmask based on the old class A B and C rules. Neil.