Re: This may be stupid but
On Thu, 13 Nov 2003, Don Mills wrote:
> Nah. I'm just a quick study and it's better than drinking all weekend.

Oh, you _do_ have weekends :)

--vadim
Re: This may be stupid but
I know that eBay used a test to select candidates, as well...

----- Original Message -----
From: "Fisher, Shawn" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Thursday, November 13, 2003 9:02 PM
Subject: Re: This may be stupid but

> I created a test of my own that I typically give to candidates. This has
> proved very helpful in determining if the prospective hire has strengths in
> the areas I need. Every time I have skipped using the "test" I get burned.
> That being said I am still looking for attitude and work ethic as being a
> major component of the decision. Uh..I just realized I started this thread,
> I better sit back and be quiet.
Re: This may be stupid but
I created a test of my own that I typically give to candidates. This has proved very helpful in determining if the prospective hire has strengths in the areas I need. Every time I have skipped using the "test" I get burned. That being said I am still looking for attitude and work ethic as being a major component of the decision. Uh..I just realized I started this thread, I better sit back and be quiet.
RE: Voice Compression
There is also something out there called IAX trunking. It can use a low bandwidth codec and put a bunch of simultaneous conversations into fewer packets, which helps to cut down on the high packet tax you'd normally get with packetizing individual voice channels. And works over any IP link.

Ray Burkholder
[EMAIL PROTECTED]
http://www.oneunified.net
704 576 5101

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Woodcock
> Sent: November 13, 2003 21:10
> To: Anton L. Kapela
> Cc: Robert White; [EMAIL PROTECTED]
> Subject: Re: Voice Compression
>
> On Thu, 13 Nov 2003, Anton L. Kapela wrote:
> > I would like to also suggest seeking devices that use "iLBC" as a
> > codec. I've been using this codec for interconnecting voip systems and
> > have been very pleased with the results.
> > Check it out: http://www.ilbcfreeware.org
>
> Yep, although I haven't used it yet myself, I've been hearing it very
> widely praised, particularly for traffic flowing across high-congestion
> Internet links. Apparently it can sustain 20% packet loss without
> significant reduction in voice quality. However, this was supposed to be
> over "T1s" which I assumed to mean point-to-point serial.
>
> -Bill
Re: Voice Compression
On Thu, 13 Nov 2003, Anton L. Kapela wrote:
> I would like to also suggest seeking devices that use "iLBC" as a
> codec. I've been using this codec for interconnecting voip systems and
> have been very pleased with the results.
> Check it out: http://www.ilbcfreeware.org

Yep, although I haven't used it yet myself, I've been hearing it very widely praised, particularly for traffic flowing across high-congestion Internet links. Apparently it can sustain 20% packet loss without significant reduction in voice quality. However, this was supposed to be over "T1s" which I assumed to mean point-to-point serial.

-Bill
RE: looking for pull traffic
> > Maybe I am exceptionally naive, but are DDOSes *REALLY* that consistent
> > between providers to affect month-over-month or quarterly ratios?
>
> yes. because if you're a small provider then you only need a small flow
> to balance yourself. and the 95th percentile cuts both ways.

Depending on your value for "small", wouldn't the minimum traffic requirements for a major network peering relationship stymie this process? 95th percentile for 100-200 mb/s is one thing, 95th for 2-3 gb/s is very different [provider - provider peering, not total capacity].

Maybe I am overestimating peering coordinators here, but I'd like to think I know a few, and more than a few hundred mb/s of DDOS traffic has got to show up somewhere on the radar.

DJ
Re: looking for pull traffic
On Thu, Nov 13, 2003 at 04:38:06PM -0800, Tom (UnitedLayer) wrote:
>
> On Thu, 13 Nov 2003, Deepak Jain wrote:
> > Maybe I am exceptionally naive, but are DDOSes *REALLY* that consistent
> > between providers to affect month-over-month or quarterly ratios?
>
> I know a webhoster/provider who consistently takes in 1Mpps DOS attacks,
> and I'm presuming that the 95th percentile on that will be fairly high...
>
> Would I want that? Not especially...

Having had a few large DoS-magnet customers behind me (and more than likely being the provider you're talking about :P), I can safely say that they do absolutely nothing to benefit ratios. The traffic is too short and bursty to be of any benefit, even when you can successfully filter it so that no other operations are impacted.

I also stand by my opinion that DoS does not happen without a reason. Yes there may be that 1% who gets attacked because they are Yahoo or eBay and are public targets, but it takes a really really special kind of DoS magnet to consistently receive enough traffic to affect 95th percentile. Those kinds of targets are generally not only engaged in some activity which invites attack (such as running an IRC server), they are actively encouraging it by their behavior, and probably should be booted anyways for other reasons that you just don't know about yet.

The only benefit to having a hefty outbound ratio is that you have plenty of headroom to work with when attacks do come in. Unless you happen to notice that a large amount of the traffic is coming from certain Asian Pacific networks, and intentionally peer with them to set up choke points. :)

--
Richard A Steenbergen <[EMAIL PROTECTED]> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
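Added illustration, not part of any message in this thread: a short Python model of why short, bursty inbound attack traffic leaves a 95th-percentile figure (and a ratio derived from it) untouched until the attack time exceeds the discarded top 5% of samples. The 5-minute sample interval, the 30-day month, the traffic figures and the idea of computing the inbound share from 95th percentiles are all assumptions made for the example.

```python
"""Added illustration: how much attack time a 95th-percentile figure absorbs.

All traffic numbers below are constructed for the example.
"""

SAMPLE_SECONDS = 300                                   # assumption: 5-minute samples
SAMPLES_PER_MONTH = 30 * 24 * 3600 // SAMPLE_SECONDS   # assumption: 30-day month


def discarded_samples(n):
    """How many of the highest samples a 95th-percentile measurement ignores."""
    kept = (n * 95 + 99) // 100          # ceil(0.95 * n) in integer arithmetic
    return n - kept


def percentile_95(samples):
    """Nearest-rank 95th percentile: sort, drop the top 5%, take the highest left."""
    ordered = sorted(samples)
    return ordered[len(ordered) - discarded_samples(len(ordered)) - 1]


def build_month(baseline_mbps, attacks):
    """Flat baseline plus attacks given as (start_sample, n_samples, extra_mbps)."""
    samples = [baseline_mbps] * SAMPLES_PER_MONTH
    for start, length, mbps in attacks:
        for i in range(start, min(start + length, SAMPLES_PER_MONTH)):
            samples[i] += mbps
    return samples


def daily_attacks(days, hours_each, mbps):
    """One attack per day, `hours_each` long, on the first `days` days."""
    per_day = 24 * 3600 // SAMPLE_SECONDS
    length = hours_each * 3600 // SAMPLE_SECONDS
    return [(day * per_day, length, mbps) for day in range(days)]


def inbound_share(in_p95, out_p95):
    """Inbound fraction of total traffic, using 95th-percentile figures."""
    return in_p95 / (in_p95 + out_p95)


def scenario(days, hours_each, attack_mbps=500, in_base=50, out_base=950):
    """Return (inbound 95th percentile, inbound share) for a constructed month.

    Outbound is held flat at `out_base`, so its 95th percentile is `out_base`.
    """
    inbound = build_month(in_base, daily_attacks(days, hours_each, attack_mbps))
    in_p95 = percentile_95(inbound)
    return in_p95, inbound_share(in_p95, out_base)


if __name__ == "__main__":
    budget = discarded_samples(SAMPLES_PER_MONTH)
    print(f"samples per month: {SAMPLES_PER_MONTH}, ignored by 95th pct: {budget} "
          f"({budget * SAMPLE_SECONDS / 3600:.0f} hours)")
    for days, hours in [(10, 2), (30, 1), (20, 2), (30, 2)]:
        p95, share = scenario(days, hours)
        print(f"{days:2d} attacks x {hours} h: inbound p95 = {p95} Mb/s, "
              f"inbound share = {share:.1%}")
```

With these assumptions the measurement ignores 432 samples, so up to 36 hours of attack traffic per month never shows in the inbound figure; only a target hit for longer than that moves it.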
RE: looking for pull traffic
On Thu, 13 Nov 2003, Deepak Jain wrote:
> Maybe I am exceptionally naive, but are DDOSes *REALLY* that consistent
> between providers to affect month-over-month or quarterly ratios?

I know a webhoster/provider who consistently takes in 1Mpps DOS attacks, and I'm presuming that the 95th percentile on that will be fairly high...

Would I want that? Not especially...
NANOG30 Call for Presentations
* * * * * * * * * * * * * * * * *

CALL FOR PRESENTATIONS
NANOG 30
** CELEBRATING OUR 30th MEETING and 10th YEAR **
General Session
Tutorials
Case Studies
Research Forum
February 8-10, 2004

* * * * * * * * * * * * * * * * *

The North American Network Operators' Group (NANOG) will hold its 30th meeting February 8-10, 2004, in Miami, Florida. The meeting will be hosted by Terremark and held at the Radisson Miami Hotel. This is the second time Terremark has hosted NANOG - NANOG24 was also held in Miami, in February 2002. Registration for NANOG30 opens December 15.

NANOG conferences provide a forum for the coordination and dissemination of technical information related to backbone/enterprise networking technologies and operational practices. Meetings are held three times each year, and include two days of short presentations, plus afternoon/evening tutorial sessions. The meetings are informal, with an emphasis on relevance to current backbone engineering practices. NANOG conferences draw over 450 participants, mainly consisting of engineering staff from national service providers, and members of the research and education community.

For more information about NANOG meetings, schedules, and logistics, see: http://www.nanog.org

--
CALL FOR PRESENTATIONS

NANOG invites presentations on backbone/enterprise engineering, coordination, and research topics. Presentations should highlight issues relating to technology already deployed or soon to be deployed in core Internet backbones and exchange points. Vendors are encouraged to work with operators to present deployment experiences with the vendor's products.

Researchers are invited to present short (10-minute) summaries of their work for operator feedback. Topics include routing, network performance, statistical measurement and analysis, and protocol development and implementation. Studies presented may be works in progress. Researchers from academia, government, and industry are encouraged to present.

The community is invited to present talks on:

-- Security attacks/mitigation, tools, and analysis
-- Operator experience/how-to's on building packet-switched networks (e.g., IP or MPLS) that can carry TDM, Layer 2 (e.g., Frame Relay and ATM), IP services, and emerging services such as VPLS
-- Experience with active DoS retaliation methods, e.g., reverse port scanning
-- Operator case studies on:
   - Implementation experience with 10/100Gig E
   - VOIP architectures and deployment
   - Integration with optical control planes (GMPLS, ASON, etc.), voice (enterprise, Class 4 and Class 5), and video
   - Provisioning and automation
   - Enterprise network security, management, and route control
   - Network troubleshooting and problems solved
-- Implementation and use of measurement technologies in vendor devices

Other potential topics include:

-- Backbone traffic engineering
-- Impact of BGP dynamics on backbone traffic patterns
-- Route processor architecture
-- Large-scale wireless deployment
-- Building large-scale measurement infrastructure
-- Inter-domain multicast deployment

NANOG also welcomes suggestions/recommendations for tutorials, panels, and other presentation topics.

--
HOW TO PRESENT

Submit a detailed abstract or outline describing the presentation in email to [EMAIL PROTECTED] The deadline for proposals is December 22, 2003. While the majority of speaking slots will be filled by December 22, a limited number of slots will be available after that date for topics that are exceptionally timely and important.

Submissions will be reviewed by the NANOG Program Committee, and presenters will be notified of acceptance by January 12. Final drafts of presentation slides are due by January 28, and final versions February 4.
Re: looking for pull traffic
On Thu, 13 Nov 2003, Paul Vixie wrote:
> support transit-exchange, there really ought to be a market for suck.

apparently there is a huge market for suck

> (anybody have any guesses how much of the current ddos load is driven by
> ratio concerns? that is, now that we know spammers are hiring folks to
> ddos antispammers, can we finally admit that isp's are hiring folks to
> fix their ratios for them by ddosing from larger-provider networks?
> viva laissez faire, i guess.)

I know of cases that sure looked like this in the late 1999/2000 timeframe.
Re: FW: Cost of Worm Attack Protection
Ideally you would have a different metric for each AS type depending on their tolerance for risk. The lower the tolerance for risk the higher the investment made in security precautions. Unfortunately classifying 14,000+ AS's is taking a little longer than I thought, but that is the end goal. Hopefully another few weeks.

Even once you have some type of classification schema ideally you still need some kind of cost metric you can scale. There is also the problem of data. The only solid data I've seen at the AS level to approximate size is number of connections to other AS's. I've seen some stats with number of servers at the AS level but not for the whole AS population.

----- Original Message -----
From: Sean Donelan <[EMAIL PROTECTED]>
Date: Thursday, November 13, 2003 5:35 pm
Subject: Re: FW: Cost of Worm Attack Protection

> On Thu, 13 Nov 2003 [EMAIL PROTECTED] wrote:
> > I guess the hypothetical would be if you were in charge of security for
> > an AS what would be the cost to put a best-effort worm mitigation system
> > in.
>
> What kind of AS?
>
> An AS used by a military organization that has authority over its users
> and can throw them in the brig for failing to follow commands and
> policy?
>
> An AS used by a commercial enterprise that has authority over its users
> and can fire them for failing to follow commands and policy?
>
> An AS used by a university enterprise that has authority over its users
> and can expel them for failing to follow commands and policy?
>
> An AS used by a service provider that has authority over its users and
> can terminate their network access for failing to follow commands and
> policy?
>
> An AS used by a public agency that is required by law to permit all
> citizens access to information until proven beyond reasonable doubt the
> access was misused?
Re: Voice Compression
Bill Woodcock said:
>
> > I am looking for an economical solution to compress
> > 1248 voice DS-0s to 240 DS0s. My application is to
> > extend the voice and data for a call center that needs
> > roughly 63 T-1 equivalents of bandwidth down 21
> > physical T-1 circuits.

[snip]

> Take a look at G.729a. It's widely
> used, gives reasonably good quality, and only takes half that much
> bandwidth.

I would like to also suggest seeking devices that use "iLBC" as a codec. I've been using this codec for interconnecting voip systems and have been very pleased with the results.

Check it out: http://www.ilbcfreeware.org

From the overview:

"Bitrate 13.33 kbps (399 bits, packetized in 50 bytes) for the frame size of 30 ms and 15.2 kbps (303 bits, packetized in 38 bytes) for the frame size of 20 ms
Basic quality higher than G.729A, high robustness to packet loss
Computational complexity in a range of G.729A
Royalty Free Codec"

--Tk
Re: looking for pull traffic
> Ahh, but are you saying that current blow-based transit pricing is stable?

ah. no. current transit pricing is way way lower than a non-bankrupt provider can afford to do it for on an ROI that the public markets would find worthy of their praise. eventually, all kinds of flies are going to hit all kinds of windshields. but there's so much bankrupt asset in the field right now that nobody still knows how much anything really costs them to produce. so it's apparently stable for now.

> Maybe I am exceptionally naive, but are DDOSes *REALLY* that consistent
> between providers to affect month-over-month or quarterly ratios?

yes. because if you're a small provider then you only need a small flow to balance yourself. and the 95th percentile cuts both ways.
Re: FW: Cost of Worm Attack Protection
On Thu, 13 Nov 2003 [EMAIL PROTECTED] wrote:
> I guess the hypothetical would be if you were in charge of security for
> an AS what would be the cost to put a best-effort worm mitigation system
> in.

What kind of AS?

An AS used by a military organization that has authority over its users and can throw them in the brig for failing to follow commands and policy?

An AS used by a commercial enterprise that has authority over its users and can fire them for failing to follow commands and policy?

An AS used by a university enterprise that has authority over its users and can expel them for failing to follow commands and policy?

An AS used by a service provider that has authority over its users and can terminate their network access for failing to follow commands and policy?

An AS used by a public agency that is required by law to permit all citizens access to information until proven beyond reasonable doubt the access was misused?
Re: Cost of Worm Attack Protection
While I can't give you a fixed cost, I can confidently say that the value or cost/benefit over time resembled a bathtub curve. It starts high, drops sharply close to zero, then climbs slowly over time as the infection rate dissipates while a fixed mitigation strategy is applied, with diminishing results.

For blaster/nachi, we are starting to encounter side effects of the filters put in place, which is slowly incurring support costs as exceptions are made.

--
Jamie.Reid, CISSP, [EMAIL PROTECTED]
Senior Security Specialist, Information Protection Centre
Corporate Security, MBS
416 327 2324

>>> <[EMAIL PROTECTED]> 11/13/03 09:35am >>>

I was hoping to get some estimates from folks on the costs of defending networks from various worm attacks. It is a pretty wide open question, but if anyone has some rough estimates of what it costs per edge, manpower vs. equipment costs, or any combination thereof it would be of great assistance. We are doing some simulations of attack and defense strategies and looking for some good metrics to plug into a cost benefit model. We'd be happy to share the results if anyone is interested as well.

Thanks in advance,

sean
Re: Voice Compression
g729 Has pretty "Decent" voice Quality. Each Call is 8k Compressed. G728 is 16k Compressed. Now, these values do not take into account IP Header overhead.

VoIP Equipment for 51 DS1's is not going to be cheap. The best bet on the Cisco Side is the 6500 or even a router like the 7200 with the Voice Cards. Again, not cheap, but it does work pretty well.

Spencer

Spencer Wood, Network Manager
Ohio Department Of Transportation
1320 Arthur E. Adams Drive
Columbus, Ohio 43221
E-Mail: [EMAIL PROTECTED]
Phone: 614.644.5422/Fax: 614.887.4021/Pager: 866.591.9954

Robert White <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
11/13/2003 03:18 PM
To: [EMAIL PROTECTED]
Subject: Voice Compression

I am looking for an economical solution to compress 1248 voice DS-0s to 240 DS0s. My application is to extend the voice and data for a call center that needs roughly 63 T-1 equivalents of bandwidth down 21 physical T-1 circuits.
integrity ptp-10 modems
These are broadband, cablemodem point-to-point type. I have a couple of them that need to be fixed but the company seems to have disappeared. I would really appreciate it if you know a lab or where I can send these for repair.

Please contact me off-list, I don't want to increase noise. Thanks in advance.

--
Miguel Mata-Cardona
Intercom El Salvador
[EMAIL PROTECTED]
voz: ++(503) 278-5068
fax: ++(503) 265-7024
RE: looking for pull traffic
> my guess is that when isp's start paying customers for suck in order to
> balance their own ratios or to upset other people's ratios, that it will
> stabilize at about 10% of current blow-based transit pricing. and that
> there will all of a sudden be a lot more ddos'ing, fly-by-night crawlers,
> and whatnot than there are today. gads, what a world.

Ahh, but are you saying that current blow-based transit pricing is stable?

> (anybody have any guesses how much of the current ddos load is driven by
> ratio concerns? that is, now that we know spammers are hiring folks to
> ddos antispammers, can we finally admit that isp's are hiring folks to
> fix their ratios for them by ddosing from larger-provider networks?
> viva laissez faire, i guess.)

Maybe I am exceptionally naive, but are DDOSes *REALLY* that consistent between providers to affect month-over-month or quarterly ratios?

DJ
Re: This may be stupid but
Nah. I'm just a quick study and it's better than drinking all weekend.

On Thursday 13 November 2003 05:07 pm, Vadim Antonov wrote:
> On Thu, 13 Nov 2003, Don Mills wrote:
> > But it would
> > be a tragic mistake on anyone's behalf to pre-assume that all those
> > letters means I don't know what I am talking about. That's stereotyping,
> > isn't it?
>
> Don (take it as a good-spirited needling, please) I'd like to point out
> that this means that you have way too much spare time and an employer
> who doesn't care much about squeezing from you all 110% of what you can
> possibly do :)
>
> --vadim

--
Don Mills
SCSA SCNA CCNP CCDP CISSP CQS-VPN CQS-PIX
Network Security/WAN Architect
VA Dept. of Social Services
[EMAIL PROTECTED]
re: This may be stupid but
On Thu, 13 Nov 2003, Don Mills wrote:
> But it would
> be a tragic mistake on anyone's behalf to pre-assume that all those letters
> means I don't know what I am talking about. That's stereotyping, isn't it?

Don (take it as a good-spirited needling, please) I'd like to point out that this means that you have way too much spare time and an employer who doesn't care much about squeezing from you all 110% of what you can possibly do :)

--vadim
Re: FW: Cost of Worm Attack Protection
I guess the hypothetical would be if you were in charge of security for an AS what would be the cost to put a best-effort worm mitigation system in. The second question being how would you scale that cost with the size of the AS. Maybe it is a case that there is not a best practice to fix a cost to, too much variability in the market and theories of how best to defend, if defend at all. Just figured it would be prudent to ask before we made something up - usually not such a good idea.

----- Original Message -----
From: [EMAIL PROTECTED]
Date: Thursday, November 13, 2003 4:40 pm
Subject: Re: FW: Cost of Worm Attack Protection

> It would be great not to spend any money and let the worms run
> their course. But when you have to deal with downed production at
> the cost of give or take possibly 500K per attack it unfortunately
> cannot be done without one losing their job. The last worm that
> spread throughout enterprises mentioned having to reinstall the
> entire server. If that server is a critical production server
> what would you do?
>
> Would spending 100K prevent the attack, very likely not. Would
> spending 100K help track the offending machine(s) and enable
> someone to remove them from the network until they are serviced,
> possibly?
> Would this help keep production rolling, possibly?
>
> The installation management and response time needed to implement
> an IDS solution does have to be investigated to see if the ROI
> comes in line with the cost. The ROI would need to include any
> saved downtime. If someone has this information please pass it
> along.
>
> A nicer solution would be an operating system that does not need a
> critical patch every other week, due to its exploitable nature.
>
> Yes I am dreaming :)
>
> Kim
RE: FW: Cost of Worm Attack Protection
You misunderstood me if you thought I was saying the key to this problem is to throw money at it. You can spend a load of cash and accomplish nothing. In fact, you can do far worse damage this way by giving you a false sense of security than if you did nothing at all. There is a right way to view security and a wrong way. If you let a couple fast talking sales people sell you their "kitchen sink" solution without the full understanding on your part as to what you've just purchased, or the understanding on how to install and maintain the product, then you don't belong in your company's security group and should look for a new line of work. I think we can all think of security installations or practices we've seen in the past that we can find fault in, or ones that are so bad they need to fire the security staff and reevaluate the entire infrastructure.

The point I was making in my original email was that you need to understand your network. This includes the users and how they interact. You can spend $0 in the way of new hardware and instead work to change the bad habits of users on the network and be in a much more secure position months from now. By understanding your network and the security risks associated in each element, as well as the options available to closing (or mitigating) those security risks, you will find yourself in a better position to spend allocated funds more wisely. You'll never be able to make a network hacker proof, but you can work to mitigate risk to varying degrees. Here is where the money comes in. How wisely you spend is up to you.

Mike Braun

-----Original Message-----
From: Rob Thomas [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 13, 2003 12:56 PM
To: NANOG
Subject: Re: FW: Cost of Worm Attack Protection

Hi, NANOGers.

] The old saying of "you get what you pay for" seems to be well directed when
] it comes to this topic. If you're willing to allocate $100K more than you
] currently spend to mitigating the effects from Worms and Viruses, I'm sure
] you will have some increased success. If you allocate 1 mill more, your
] success will increase substantially. The true cost really boils down to

This sort of thinking, unsupported by any data, runs rampant in the security industry. I have yet to see anyone document the ROI on security tools and services. Do they help at all? Does an increase in security spending result in a decrease in pain? In some cases, as already documented here, an increase in security measures can actually increase costs.

Let's not fall into the trap that more $$$ equates to greater security or awareness. I've seen many sites that installed numerous pods of the latest IDS at their borders, only to be owned from within or owned by a method not yet in the ever-behind signature database of the IDS devices. One can waste money on security just as easily as one can waste money on anything else.

Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
Re: FW: Cost of Worm Attack Protection
It would be great not to spend any money and let the worms run their course. But when you have to deal with downed production at the cost of give or take possibly 500K per attack it unfortunately cannot be done without one loosing their job. The last worm that spread throughout enterprises mentioned having to reinstall the entire server. If that server is a critical production server what would you do? Would spending 100K prevent the attack, very likely not. Would spending 100K help track the offending machine(s) and enable someone to remove them from the network until they are serviced, possibly? Would this help keep production rolling, possibly? The installation management and response time needed to implement an IDS solution does have to be investigated to see if the ROI comes in line with the cost. The ROI would need to include any saved downtime. If someone has this information please pass it along. A nicer solution would be an operating system that does not need a critical patch every other week, due to it's exploitable nature. Yes I am dreaming :) Kim > > From: "Braun, Mike" <[EMAIL PROTECTED]> > Date: 2003/11/13 Thu PM 03:02:59 EST > To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]> > Subject: FW: Cost of Worm Attack Protection > > > The old saying of "you get what you pay for" seems to be well directed when > it comes to this topic. If you're willing to allocate $100K more than you > currently spend to mitigating the effects from Worms and Viruses, I'm sure > you will have some increased success. If you allocate 1 mill more, your > success will increase substantially. The true cost really boils down to > what you are trying to protect, such as how many servers, users, network > segments, and other critical devices you are willing to encompass in your > protection plan. Also, you may be able to mitigate the cost by using the > functionality built into devices you may already own. 
A good protection > schema needs to address the use and benefits from the following: Firewalls, > VPN tunnels and policies, HIDs, NIDs, Antivirus software, and a good network > security policy that grows with your network. You may already have most of > this in place and need only a little extra funding allocated to give you the > protection level you feel comfortable with. > > If you're looking for pricing on each component, they will vary widely > depending on the brand and model you go with. You should shop around for > components that suit your budget. An example of this price variance can be > found by looking at a Net Forensics project priced at $500k compared to a > similar solution going will Network Intelligence at $40K. The Network > Intelligence solution may not have all the functionality offered by Net > Forensics, but it may be enough for your needs. > > Best of luck in fighting this ever growing problem, > > Mike Braun > > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] > Sent: Thursday, November 13, 2003 7:59 AM > To: Joel Jaeggli > Cc: [EMAIL PROTECTED] > Subject: Re: Cost of Worm Attack Protection > > > > Good point - then what is the cost of attempting to mitigate or handle > attacks vs. doing nothing? > > - Original Message - > From: Joel Jaeggli <[EMAIL PROTECTED]> > Date: Thursday, November 13, 2003 10:14 am > Subject: Re: Cost of Worm Attack Protection > > > I haven't seen any network or customer site that has protected > > itself from > > worms... only mitigated them. > > > > joelja > > > > On Thu, 13 Nov 2003 [EMAIL PROTECTED] wrote: > > > > > > > > > > > I was hoping to get some estimates from folks on the costs of > > defending> networks from various worm attacks. It is a pretty > > wide open question, > > > but if anyone has some rough estimates of what it costs per edge, > > > manpower vs. equipment costs, or any combination thereof it > > would be of > > > great assistance. 
We are doing some simulations of attack and > > defense> strategies and looking for some good metrics to plug into > > a cost benefit > > > model. We'd be happy to share the results if anyone is > > interested as > > > well. > > > > > > Thanks in advance, > > > > > > sean > > > > > > > -- > > --- > > --- > > Joel Jaeggli Unix Consulting > > [EMAIL PROTECTED] > > GPG Key Fingerprint: 5C6E 0104 BAF0 40B0 5BD3 C38B F000 35AB > > B67F 56B2
Re: Cost of Worm Attack Protection
On Thursday, 2003-11-13 at 13:49 EST, [EMAIL PROTECTED] wrote: > On Thu, 13 Nov 2003 12:59:30 EST, Jared Mauch said: > > > (how i wish microsoft would release a stinking patch CD) > > Be careful what you ask for. They may actually release a CD of stinking > patches. :) They just did (perhaps not on a CD) - viz. MS03-048. See news://news.microsoft.com/eJnPecXqDHA.3504%40TK2MSFTNGP11.phx.gbl Tony Rall
Re: looking for pull traffic
i'm sure search engines like google or altavista or microsoft or yahoo would happily charge you less for suck than your peers/transits would (like to) charge you for blow. with transit-exchange businesses coming into existence, and with older peering-exchange businesses willing to support transit-exchange, there really ought to be a market for suck. there's certainly no reason for a search engine to pay for their suck; it's extremely valuable, no matter who they pull it through, big or small. and it's arguable that quality of suck will be less of a revenue driver than quality of blow, so arguments of the form "you should suck through us because we have a better network" aren't very weighty. my guess is that when isp's start paying customers for suck in order to balance their own ratios or to upset other people's ratios, that it will stabilize at about 10% of current blow-based transit pricing. and that there will all of a sudden be a lot more ddos'ing, fly-by-night crawlers, and whatnot than there are today. gads, what a world. (anybody have any guesses how much of the current ddos load is driven by ratio concerns? that is, now that we know spammers are hiring folks to ddos antispammers, can we finally admit that isp's are hiring folks to fix their ratios for them by ddosing from larger-provider networks? viva laissez faire, i guess.) re: [EMAIL PROTECTED] ("matthew zeier") writes: > Higher powers have decided our 95/5 traffic split needs to move closer to > 60/40 (transit pricing). > > I'm looking for legitimate ways to generate a significant amount of pull > traffic, including partnerships with Southern California ISPs. > > Thanks. -- Paul Vixie
NASA DNS contact
I am having an issue with accessing the nasa.gov zone. It looks like either a routing or firewalling issue that is unique to my network. Does anyone have a good contact for either their NOC or the dns server group? thanks, -chris
Re: FW: Cost of Worm Attack Protection
Hi, NANOGers. ] The old saying of "you get what you pay for" seems to be well directed when ] it comes to this topic. If you're willing to allocate $100K more than you ] currently spend to mitigating the effects from Worms and Viruses, I'm sure ] you will have some increased success. If you allocate 1 mill more, your ] success will increase substantially. The true cost really boils down to This sort of thinking, unsupported by any data, runs rampant in the security industry. I have yet to see anyone document the ROI on security tools and services. Do they help at all? Does an increase in security spending result in a decrease in pain? In some cases, as already documented here, an increase in security measures can actually increase costs. Let's not fall into the trap that more $$$ equates to greater security or awareness. I've seen many sites that installed numerous pods of the latest IDS at their borders, only to be owned from within or owned by a method not yet in the ever-behind signature database of the IDS devices. One can waste money on security just as easily as one can waste money on anything else. Thanks, Rob. -- Rob Thomas http://www.cymru.com ASSERT(coffee != empty);
Re: looking for pull traffic
DoS yourself? On Thu, 13 Nov 2003, matthew zeier wrote: > Higher powers have decided our 95/5 traffic split needs to move closer to > 60/40 (transit pricing). > > I'm looking for legitimate ways to generate a significant amount of pull > traffic, including partnerships with Southern California ISPs. > > Thanks. > > > -- > matthew zeier - "Curiosity is a willing, a proud, an eager confession > of ignorance." - Leonard Rubenstein > >
Re: FW: Cost of Worm Attack Protection
On Thu, 13 Nov 2003, Braun, Mike wrote: > The old saying of "you get what you pay for" seems to be well directed when > it comes to this topic. If you're willing to allocate $100K more than you > currently spend to mitigating the effects from Worms and Viruses, I'm sure > you will have some increased success. If you allocate 1 mill more, your > success will increase substantially. The true cost really boils down to Actually that is not true. There is substantial evidence that spending more does not change behavior when it comes to worms. Offering anti-virus software, firewalls, consulting, email, telephone calls, letters, etc have the exact same impact as doing nothing on the average ISP consumer. As Jared points out, doing "more" substantially increases the support costs for ISPs and doesn't reduce the number or severity of worms. On the other hand, individuals can have a dramatic impact on the security of his or her own computer. Unfortunately, computer security is a bit like the light bulb joke. How many psychologists does it take to change a light bulb? One, but the light bulb has to want to change.
Re: Voice Compression
> I am looking for an economical solution to compress > 1248 voice DS-0s to 240 DS0s. My application is to > extend the voice and data for a call center that needs > roughly 63 T-1 equivalents of bandwidth down 21 > physical T-1 circuits. Um, do you mean that you need to move 1248 _simultaneous calls_ across 21 T1 circuits? There's no problem there, just pick any reasonable codec. All you need is one that uses less than 26kbps of bandwidth, and nearly all of them meet that criterion. Take a look at G.729a. It's widely used, gives reasonably good quality, and only takes half that much bandwidth. -Bill
Re: Voice Compression
On Thu, 13 Nov 2003, Robert White wrote: > I am looking for an economical solution to compress > 1248 voice DS-0s to 240 DS0s. My application is to > extend the voice and data for a call center that needs > roughly 63 T-1 equivalents of bandwidth down 21 > physical T-1 circuits. ECI Telecom Ltd. www.ecitele.com ><> Nathan Stratton nathan at robotics.net http://www.robotics.net
looking for pull traffic
Higher powers have decided our 95/5 traffic split needs to move closer to 60/40 (transit pricing). I'm looking for legitimate ways to generate a significant amount of pull traffic, including partnerships with Southern California ISPs. Thanks. -- matthew zeier - "Curiosity is a willing, a proud, an eager confession of ignorance." - Leonard Rubenstein
Voice Compression
I am looking for an economical solution to compress 1248 voice DS-0s to 240 DS0s. My application is to extend the voice and data for a call center that needs roughly 63 T-1 equivalents of bandwidth down 21 physical T-1 circuits.
FW: Cost of Worm Attack Protection
The old saying of "you get what you pay for" seems to be well directed when it comes to this topic. If you're willing to allocate $100K more than you currently spend to mitigating the effects from Worms and Viruses, I'm sure you will have some increased success. If you allocate 1 mill more, your success will increase substantially. The true cost really boils down to what you are trying to protect, such as how many servers, users, network segments, and other critical devices you are willing to encompass in your protection plan. Also, you may be able to mitigate the cost by using the functionality built into devices you may already own. A good protection schema needs to address the use and benefits from the following: Firewalls, VPN tunnels and policies, HIDs, NIDs, Antivirus software, and a good network security policy that grows with your network. You may already have most of this in place and need only a little extra funding allocated to give you the protection level you feel comfortable with. If you're looking for pricing on each component, they will vary widely depending on the brand and model you go with. You should shop around for components that suit your budget. An example of this price variance can be found by looking at a Net Forensics project priced at $500k compared to a similar solution going with Network Intelligence at $40K. The Network Intelligence solution may not have all the functionality offered by Net Forensics, but it may be enough for your needs. Best of luck in fighting this ever growing problem, Mike Braun -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Thursday, November 13, 2003 7:59 AM To: Joel Jaeggli Cc: [EMAIL PROTECTED] Subject: Re: Cost of Worm Attack Protection Good point - then what is the cost of attempting to mitigate or handle attacks vs. doing nothing? 
- Original Message - From: Joel Jaeggli <[EMAIL PROTECTED]> Date: Thursday, November 13, 2003 10:14 am Subject: Re: Cost of Worm Attack Protection > I haven't seen any network or customer site that has protected > itself from > worms... only mitigated them. > > joelja > > On Thu, 13 Nov 2003 [EMAIL PROTECTED] wrote: > > > > > > > I was hoping to get some estimates from folks on the costs of > defending> networks from various worm attacks. It is a pretty > wide open question, > > but if anyone has some rough estimates of what it costs per edge, > > manpower vs. equipment costs, or any combination thereof it > would be of > > great assistance. We are doing some simulations of attack and > defense> strategies and looking for some good metrics to plug into > a cost benefit > > model. We'd be happy to share the results if anyone is > interested as > > well. > > > > Thanks in advance, > > > > sean > > > > -- > --- > --- > Joel Jaeggli Unix Consulting > [EMAIL PROTECTED] > GPG Key Fingerprint: 5C6E 0104 BAF0 40B0 5BD3 C38B F000 35AB > B67F 56B2 > > > "MMS " made the following annotations on 11/13/2003 12:03:21 PM -- "THIS E-MAIL MESSAGE AND ANY FILES TRANSMITTED HEREWITH, ARE INTENDED SOLELY FOR THE USE OF THE INDIVIDUAL(S) ADDRESSED AND MAY CONTAIN CONFIDENTIAL, PROPRIETARY OR PRIVILEGED INFORMATION. IF YOU ARE NOT THE ADDRESSEE INDICATED IN THIS MESSAGE (OR RESPONSIBLE FOR DELIVERY OF THIS MESSAGE TO SUCH PERSON) YOU MAY NOT REVIEW, USE, DISCLOSE OR DISTRIBUTE THIS MESSAGE OR ANY FILES TRANSMITTED HEREWITH. IF YOU RECEIVE THIS MESSAGE IN ERROR, PLEASE CONTACT THE SENDER BY REPLY E-MAIL AND DELETE THIS MESSAGE AND ALL COPIES OF IT FROM YOUR SYSTEM." ==
Re: RFI: Intrusion Detection Systems
At 03:29 AM 11/13/2003, Suresh Ramasubramanian wrote: [EMAIL PROTECTED] writes on 11/13/2003 5:35 AM: My apologies to anyone that receives duplicates of this email stemming from it being cross posted. There was a recent network computing article that evaluated quite a lot of these. However, I'd suggest that you avoid NAI / Norton stuff for IDSs .. See these articles, written in 2002: http://www.nwfusion.com/techinsider/2002/0624security.html http://www.nwfusion.com/columnists/2002/0916testerschoice.html and in 2003: http://www.nwfusion.com/reviews/2003/1013idsrev.html jc -- I do not need or want cc'd copies of replies to the list. Please reply to the list or to me (whichever you prefer), but not both.
Re: Cost of Worm Attack Protection
On Thu, 13 Nov 2003 12:59:30 EST, Jared Mauch said: > (how i wish microsoft would release a stinking patch CD) Be careful what you ask for. They may actually release a CD of stinking patches. :)
Re: Point of sale RAS hardware?
> Does anyone know of a good RAS product that supports the fast train > times needed for point of sale terminals (specifically the ability to > turn off data compression, error detection, and speed negotiation)? > Most every one I've seen is aimed at serving as-fast-as-possible > dialup > network access to normal modems, but I need something that will do > 1200bps (or even better yet, v.22FC) with no frills. > > Can anyone suggest a product or manufacturer? We use the Cisco AS5400 in which you can enable/disable any option as you see fit using resource pooling. We use it to support KFLEX modems which fail to connect properly w/ the v.92 tones. The way it determines which settings to use is based on called station id. We also find modems that try to retain the highest speed tend to reach the limit and drop the connection. Most of our customers are in rural areas w/ poor quality phone lines. We found it was easier to create resource groups to lock people to 21000 baud via setting their connection number than giving the customer init strings to limit the connection that way. Sure there are probably better solutions, but this has solved nearly all connection problems we've seen. I realize you may end up not using cisco, but I'll include a small example just in case it's useful to anyone.

IOS (tm) 5400 Software (C5400-IS-M), Version 12.3(1a), RELEASE SOFTWARE (fc1)

resource-pool enable
!
resource-pool group resource MICA-modems
 range port 1/0 1/107
 range port 2/0 2/107
 range port 3/0 3/107
 range port 4/0 4/107
 range port 5/0 5/107
 range port 6/0 6/107
!
resource-pool profile customer any
 limit base-size all
 limit overflow-size all
 resource isdn-ports digital
 resource MICA-modems speech service any
 dnis group default
!
resource-pool profile customer v90
 limit base-size all
 limit overflow-size all
 resource MICA-modems speech service v90
 dnis group v90
!
resource-pool profile customer k56flex
 limit base-size all
 limit overflow-size all
 resource MICA-modems speech service k56flex
 dnis group k56flex
!
resource-pool profile customer v34-28800
 limit base-size all
 limit overflow-size all
 resource MICA-modems speech service v34-28800
 dnis group v34-28800
!
resource-pool profile service v90
 modem min-speed any max-speed 56000 modulation v90
!
resource-pool profile service k56flex
 modem min-speed any max-speed any modulation k56flex
!
resource-pool profile service v34-28800
 modem min-speed any max-speed 28800 modulation v34
!
resource-pool profile service any
dialer dnis group v90
 number 2533219668
 number 3605459668
 [trimmed]
!
dialer dnis group k56flex
 number 3605429667
 number 3605459667
 [trimmed]
!
Re: Cost of Worm Attack Protection
Background: I come from a company of 5K users spread across a large campus with several remote sites. We have had various worms intrude on our day to day activities. Without anything other than up to date anti-virus and some simple PIX type configurations it has been unpleasant. Time cost: One attack slowing Internet traffic to a crawl. Manpower: 2-3 Network 2-3 Data fairly dedicated over the course of a few days. Do the math for the cost of 6 senior people finding and cleaning infected machines. Quotes to date to implement a NIDS solution that encompasses external, DMZ, internal, server farms, 6 mid range devices 100K. Quotes on HIDS solutions vary as per desktop and server but basically you are looking at 1-2K per server and 50-80 dollars per desktop licence. Kim > > From: [EMAIL PROTECTED] > Date: 2003/11/13 Thu AM 09:35:47 EST > To: [EMAIL PROTECTED] > Subject: Cost of Worm Attack Protection > > > > I was hoping to get some estimates from folks on the costs of defending networks > from various worm attacks. It is a pretty wide open question, but if anyone has > some rough estimates of what it costs per edge, manpower vs. equipment costs, or any > combination thereof it would be of great assistance. We are doing some simulations > of attack and defense strategies and looking for some good metrics to plug into a > cost benefit model. We'd be happy to share the results if anyone is interested as > well. > > Thanks in advance, > > sean > >
Re: Cost of Worm Attack Protection
On Thu, Nov 13, 2003 at 10:58:38AM -0500, [EMAIL PROTECTED] wrote: > > > Good point - then what is the cost of attempting to mitigate or handle attacks vs. > doing nothing? > I've found that they're usually higher than doing nothing at all. In the case of the fun in august, people who blocked the microsoft ports that worms were spreading across (i mean newly blocked them that is) saw increased support costs associated with what was broken vs just leaving the network in the state it was. While the increased traffic and infection was a problem, the network devices mostly yawned at the activity and the irate customers who were (ab)using the network to use these MS RPC features were quite vocal about the filtering. This also helped raise customer awareness that we can not filter for them. They must manage their devices in order to keep their network secure or get cut off from our network. - Jared (how i wish microsoft would release a stinking patch CD) -- Jared Mauch | pgp key available via finger from [EMAIL PROTECTED] clue++; | http://puck.nether.net/~jared/ My statements are only mine.
Re: Cost of Worm Attack Protection
On Thu, 13 Nov 2003 [EMAIL PROTECTED] wrote: > I was hoping to get some estimates from folks on the costs of defending > networks from various worm attacks. It is a pretty wide open question, > but if anyone has some rough estimates of what it costs per edge, > manpower vs. equipment costs, or any combination thereof it would be of > great assistance. We are doing some simulations of attack and defense > strategies and looking for some good metrics to plug into a cost benefit > model. We'd be happy to share the results if anyone is interested as > well. I don't know of any existing worms that attack Cisco or Juniper or other network backbone equipment. For a NSP or ISP, worms are primarily an issue of capacity planning. According to bankruptcy filings, companies such as Worldcom spent billions increasing their backbone capacity throughout the 1990's. So the backbones still have a massive capacity glut. But I don't know if they increased their network capacity due to worms or for other reasons. If the worms don't cause problems for the network provider, what should they do? On the other hand, would it make the problem worse? The US Forest Service used to have a policy of aggressively fighting all forest fires. This resulted in a build-up of fuel load throughout the forest lands, and then massive forest fires. The regular smaller fires served an important purpose in the eco-system, and limited the fuel load. If NSPs aggressively blocked worms, would this result in end-users doing even less than they currently do to keep their systems up to date and protected? Then instead of the occasional 1% to 5% infection rate for worms, would we be faced with a user population with even worse defenses than they have now? You often see this effect in enterprise networks with massive firewalls on the perimeter, and no protection on the inside. When a worm gets past the perimeter firewall, it wreaks havoc on the out-of-date systems in the enterprise.
RE: The Internet's Immune System
On Thu, 13 Nov 2003, Roy wrote: > > Unfortunately myNetWatchman is one of the worst services I have seen. We > can't even get them to send the reports to our abuse address. I've found that anything marketed starting with "my" is not something I would ever want to call mine. -- Jay Hennigan - CCIE #7880 - Network Administration - [EMAIL PROTECTED] WestNet: Connecting you to the planet. 805 884-6323 WB6RDV NetLojix Communications, Inc. - http://www.netlojix.com/
Re: Cost of Worm Attack Protection
Good point - then what is the cost of attempting to mitigate or handle attacks vs. doing nothing? - Original Message - From: Joel Jaeggli <[EMAIL PROTECTED]> Date: Thursday, November 13, 2003 10:14 am Subject: Re: Cost of Worm Attack Protection > I haven't seen any network or customer site that has protected > itself from > worms... only mitigated them. > > joelja > > On Thu, 13 Nov 2003 [EMAIL PROTECTED] wrote: > > > > > > > I was hoping to get some estimates from folks on the costs of > defending> networks from various worm attacks. It is a pretty > wide open question, > > but if anyone has some rough estimates of what it costs per edge, > > manpower vs. equipment costs, or any combination thereof it > would be of > > great assistance. We are doing some simulations of attack and > defense> strategies and looking for some good metrics to plug into > a cost benefit > > model. We'd be happy to share the results if anyone is > interested as > > well. > > > > Thanks in advance, > > > > sean > > > > -- > --- > --- > Joel Jaeggli Unix Consulting > [EMAIL PROTECTED] > GPG Key Fingerprint: 5C6E 0104 BAF0 40B0 5BD3 C38B F000 35AB > B67F 56B2 > > >
RE: The Internet's Immune System
Unfortunately myNetWatchman is one of the worst services I have seen. We can't even get them to send the reports to our abuse address. Roy -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Daniel Medina Sent: Thursday, November 13, 2003 6:40 AM To: [EMAIL PROTECTED] Subject: Re: The Internet's Immune System myNetWatchman has a work-in-progress search-by-AS http://www.mynetwatchman.com/ListIncidentbyASSummary.asp?AS=YOUR_AS_HERE Dan
Re: Cost of Worm Attack Protection
I haven't seen any network or customer site that has protected itself from worms... only mitigated them. joelja On Thu, 13 Nov 2003 [EMAIL PROTECTED] wrote: > > > I was hoping to get some estimates from folks on the costs of defending > networks from various worm attacks. It is a pretty wide open question, > but if anyone has some rough estimates of what it costs per edge, > manpower vs. equipment costs, or any combination thereof it would be of > great assistance. We are doing some simulations of attack and defense > strategies and looking for some good metrics to plug into a cost benefit > model. We'd be happy to share the results if anyone is interested as > well. > > Thanks in advance, > > sean > -- -- Joel Jaeggli Unix Consulting [EMAIL PROTECTED] GPG Key Fingerprint: 5C6E 0104 BAF0 40B0 5BD3 C38B F000 35AB B67F 56B2
Re: Reachability problems for www.listen-to.com
On Thu, 13 Nov 2003 [EMAIL PROTECTED] wrote: > > We received a 69.144/16 from ARIN and spent the following few months > > requesting numerous operators to take that space out of their filters. > > Apparently for various historical reasons many operators filter the entire > > 69. Block. That could be part of the problem. > > http://not69box.atlantic.net/ > http://not69box.atlantic.net/cgi-bin/bogon If you tried these links recently and got an odd message about "Your web site is currently down.", please try again. Someone just pointed out that I'd managed to break the site for access from outside our network while making some IP changes on it a few weeks ago. I've tested it from off-net now and verified it's back up at both not69box.atlantic.net (209.208/17 IP) and 69box.atlantic.net (69/8 IP). -- Jon Lewis [EMAIL PROTECTED]| I route Senior Network Engineer | therefore you are Atlantic Net| _ http://www.lewis.org/~jlewis/pgp for PGP public key_
Re: The Internet's Immune System
myNetWatchman has a work-in-progress search-by-AS http://www.mynetwatchman.com/ListIncidentbyASSummary.asp?AS=YOUR_AS_HERE On Wed, Nov 12, 2003 at 06:56:50PM -0500, Jamie Reid wrote: > > It would be useful if these sites allowed you to query them with CIDR ranges to > see if your site had originated any traffic that triggered their sensor arrays. The > IDS community never seems to have wrapped its collective head around routing > information. Looking up single IP addrs is just cosmetic. A real service would > allow for concerned sites to check their entire address allocations. > > The solution we have takes a massive amount of data munging of a routing > table and is still experimental, but until attacks can be mapped to meaningful > Internet > topographical information, the real value of these distributed IDS efforts cannot be > fully > exploited. > > I can foresee the argument that people shouldn't be able to look up other sites > which might be compromised, but if they are really so concerned, they should > get their sites patched. > -- > Jamie.Reid, CISSP, [EMAIL PROTECTED] > Senior Security Specialist, Information Protection Centre > Corporate Security, MBS > 416 327 2324 > >>> "Bryan Bradsby" <[EMAIL PROTECTED]> 11/12/03 04:25pm >>> > > > Devise a system that assumes owners of IP space WANT to know about problems. > > report --open-proxy 192.168.1.1 > and have a report sent to whoever needed to know about it. > > http://www.Incidents.org > http://www.Dshield.org/howto.php > http://www.MyNetWatchman.com -- Dan
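The CIDR and per-AS lookups discussed in the message above, sketched as an added example; this is not code from any poster or from the services named in the thread. The routing-table excerpt, AS numbers, report records and function names are all constructed for illustration (documentation address and AS ranges, IPv4 only).

```python
import ipaddress
from collections import defaultdict

# Constructed routing-table excerpt: prefix -> origin AS (documentation ranges only).
RIB = {
    "192.0.2.0/24": 64496,
    "198.51.100.0/24": 64497,
    "198.51.100.128/25": 64498,  # more-specific announced by a different AS
    "203.0.113.0/24": 64499,
}

# Constructed sensor reports: (source IP, what the sensor saw, hit count).
REPORTS = [
    ("192.0.2.17", "open-proxy", 3),
    ("198.51.100.200", "rpc-scan", 40),
    ("198.51.100.9", "rpc-scan", 12),
    ("203.0.113.77", "smtp-relay", 1),
    ("192.0.2.17", "rpc-scan", 5),
    ("10.1.2.3", "rpc-scan", 9),  # not covered by any prefix in RIB
]


def build_index(prefixes):
    """Index prefixes by (network address as int, prefix length)."""
    index = {}
    for cidr, origin_as in prefixes.items():
        # strict=True rejects entries with host bits set, e.g. 192.0.2.1/24
        net = ipaddress.ip_network(cidr, strict=True)
        index[(int(net.network_address), net.prefixlen)] = (net, origin_as)
    return index


def longest_match(index, ip):
    """Return (network, origin AS) of the most specific covering prefix, or None."""
    addr = int(ipaddress.IPv4Address(ip))
    for plen in range(32, -1, -1):
        mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
        hit = index.get((addr & mask, plen))
        if hit is not None:
            return hit
    return None


def summarize_by_origin(index, reports):
    """Aggregate hit counts per (origin AS, covering prefix, category)."""
    summary = defaultdict(int)
    unrouted = []
    for ip, category, hits in reports:
        match = longest_match(index, ip)
        if match is None:
            unrouted.append(ip)  # no covering route: cannot be attributed
            continue
        net, origin_as = match
        summary[(origin_as, str(net), category)] += hits
    return dict(summary), unrouted


def query_allocation(reports, cidr):
    """Everything the sensors saw from inside one allocation, per host."""
    block = ipaddress.ip_network(cidr)
    per_host = defaultdict(lambda: defaultdict(int))
    for ip, category, hits in reports:
        if ipaddress.ip_address(ip) in block:
            per_host[ip][category] += hits
    return {ip: dict(cats) for ip, cats in per_host.items()}


if __name__ == "__main__":
    idx = build_index(RIB)
    by_origin, unrouted = summarize_by_origin(idx, REPORTS)
    for key in sorted(by_origin):
        print(key, by_origin[key])
    print("unattributed sources:", unrouted)
    print(query_allocation(REPORTS, "198.51.100.0/24"))
```

Attribution by longest match matters when a more-specific prefix is originated by a different AS than its covering block, as with the /25 in the sample table.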
re: This may be stupid but
I just had to respond to this thread and throw my 2 cents in. I can certainly see the frustration of hiring managers (having done so myself) that receive a load of resumes full of "certified" individuals who don't know squat. That is what a tech interview is for, though isn't it? Unfortunately to get to that interview you need a bit of flash to get your foot in the door. The world is as full of people claiming to be a linux guru as it is of MCSE's. I think some certs at least show that you are capable of learning, and some of the higher level ones show that you are capable of understanding/using concepts as well. Now I freely admit to being a cert collector/whore - I just do it for fun nowadays but I am willing to back every bit of it up in a tech interview - in fact I normally ask to tech interview with the heads of the unix, security, AND networking groups to prove I know what I claim to know (and I'm pretty sure I could pass as a high-level Microsoft guy if I desired). But it would be a tragic mistake on anyone's behalf to pre-assume that all those letters means I don't know what I am talking about. That's stereotyping, isn't it? -- Don Mills SCSA SCNA CCNP CCDP CISSP CQS-VPN CQS-PIX Chief Network Security/WAN Architect VA Dept. of Social Services [EMAIL PROTECTED]
Cost of Worm Attack Protection
I was hoping to get some estimates from folks on the costs of defending networks from various worm attacks. It is a pretty wide open question, but if anyone has some rough estimates of what it costs per edge, manpower vs. equipment costs, or any combination thereof it would be of great assistance. We are doing some simulations of attack and defense strategies and looking for some good metrics to plug into a cost benefit model. We'd be happy to share the results if anyone is interested as well. Thanks in advance, sean
Re: Reachability problems for www.listen-to.com
On Thu, 13 Nov 2003, Fisher, Shawn wrote: > We received a 69.144/16 from ARIN and spent the following few months > requesting numerous operators to take that space out of their filters. > Apparently for various historical reasons many operators filter the entire > 69. Block. That could be part of the problem. http://not69box.atlantic.net/ http://not69box.atlantic.net/cgi-bin/bogon That second page makes it really easy to see if 69/8 filters are the problem. -- Jon Lewis [EMAIL PROTECTED]| I route Senior Network Engineer | therefore you are Atlantic Net| _ http://www.lewis.org/~jlewis/pgp for PGP public key_
Re: Reachability problems for www.listen-to.com
We received a 69.144/16 from ARIN and spent the following few months requesting numerous operators to take that space out of their filters. Apparently for various historical reasons many operators filter the entire 69. Block. That could be part of the problem. -- Sent from my BlackBerry Wireless Handheld
Re: RFI: Intrusion Detection Systems
[EMAIL PROTECTED] writes on 11/13/2003 5:35 AM: My apologies to anyone that receives duplicates of this email stemming from it being cross posted. There was a recent network computing article that evaluated quite a lot of these. However, I'd suggest that you avoid NAI / Norton stuff for IDSs .. -- srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9 manager, outblaze.com security and antispam operations
RFI: Intrusion Detection Systems
My apologies to anyone that receives duplicates of this email stemming from it being cross posted. I have been asked to investigate an Intrusion Detection/Prevention System. Could anyone that has knowledge of the following products give me the good, bad or the ugly concerning them. Reply to myself online or off line If anyone would like a summary of the results please do not hesitate to ask. NIDS: Cisco Intrusion Detection Sensors Version 4.x 4235, 4250 NAI Intrusion Prevention Sensors IntruShield 2600, 4000 (IntruVert) HIPS: Cisco Security Agent Entercept Management Systems: Cisco VMS - VPN/Security Management System NAI: ISM Security Management System. Any thoughts would be appreciated. Kim
Reachability problems for www.listen-to.com
Some of my users are saying they cannot get to www.listen-to.com, www.talk-servers.com and www.electro-tech-online.com One of them claims he's observed a pattern and that things hosted by ev1servers.net aren't working. I can get to them from several different places, but I notice that e.g. www.listen-to.com has a 69.* address, which might still be listed as bogus by some people. -- Adam Atkinson Damovo UK What I say may or may not represent the opinion of Damovo UK: I wouldn't know.
Re: GFI Security Suite
> Has anyone or does anyone currently or recently used any of the products by > GFI? What are your thoughts about these products if you have. > > Thanks for your input. I've not used the security suite but: I used the GFI fax suite on an exchange server and I couldn't believe how well it worked and how good the local support was, they proactively helped me resolve a number of modem issues that were not really an issue with GFI's software. They seem to understand how to properly interface to Exchange. Regards, Neil.