Anti-Virus help for all of us??????

2003-11-24 Thread McBurnett, Jim

Thought this is on topic for the group with all the new 
virii and new problems out there.
Would anyone here consider sending this out to all customers?
Later,
Jim


Last week at the Comdex show in Las Vegas, Computer Associates 
International, Inc. (known to the world as CA) teamed up with 
Microsoft Corp to provide "qualified" Windows home computer 
users with a no-charge, one-year subscription to CA's eTrust 
EZ Armor antivirus and firewall desktop security suite. 
The move is designed to encourage home users to increase 
the protection of their Windows systems and CA has stated 
that the company will aggressively promote the offer as 
part of Microsoft's "Protect Your PC" campaign. 

SNIP
The EZ Armor software carries a value of $49.95 and the 
free subscription offer will be available for download 
until June 30, 2004 and comes complete with one year of 
personal firewall and antivirus protection including daily 
virus signature updates. 


http://www.it-analysis.com/article.php?articleid=11450


Re: Anti-Virus help for all of us??????

2003-11-24 Thread Suresh Ramasubramanian
McBurnett, Jim  writes on 11/24/2003 9:29 AM:

> Thought this is on topic for the group with all the new 
> virii and new problems out there.
> Would anyone here consider sending this out to all customers?

Most if not all computers that are sold (branded ones at least) do come 
with an antivirus + "personal firewall" (aka snake oil firewall, as 
vernon schryver keeps saying on news.admin.net-abuse.email and 
elsewhere) package, with 6 months to a year of free updates.

What, if anything, is new about this?

	srs

--
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations


Optical media converters?

2003-11-24 Thread Ben Buxton

Hi,

Does anyone have any experience with optical media converters and using
them directly with router interfaces? I have found one such supplier
that makes exactly the thing: http://www.mrv.com/product/MRV-FD-SFPMC/

I'm curious as to whether anyone has any experience with these or
knows of anyone else who makes a similar device...

BB



RE: RR/ATDN NYC

2003-11-24 Thread Deepak Jain

> > And Jared's list is excellent, but even contacting those not listed
> > there via ARIN info, etc. yielded quick responses.
>
> I removed our listing there because we were getting so much spam
> to the email address that was posted there (which can't really be
> spam-filtered, for obvious reasons) - that's the only place the
> address was posted except in the ARIN whois. After getting rid of the
> old POC, no problems. So a useful service, but I really wish they'd do
> more to at least try and trick address harvesting bots.

Maybe we could all setup NOC addresses that require a confirmation before
accepting email? At least for those of us that need to contact somebody, a
quick "Reply to this with code xxx to be on our whitelist" is a simple
hurdle. It will help lists like Jared's that are primarily about increasing
communication, not spam eradication. After someone gets whitelisted, they
can ask for the correct address to send abuse requests or draw attention to
issues that haven't been addressed through normal channels.

maybe [EMAIL PROTECTED] or [EMAIL PROTECTED] so everyone knows
what to expect.

Just an idea.

DJ



Re: RR/ATDN NYC

2003-11-24 Thread Doug Barton

On Sun, 23 Nov 2003, Will Yardley wrote:

>
> On Sun, Nov 23, 2003 at 11:25:22PM -0500, Charles Sprickman wrote:
>
> > The only two folks that I was not able to reach were Yahoo! and SBCGlobal.
>
> I've had good success reaching Yahoo based on the contact information in
> the Arin whois; called the number on there, and got through to a real
> person fairly quickly. This was a month ago.

That's good to hear! Over the last 2.5 years I've put a lot of work into
making sure our whois stuff is up to date. I still have a few things to
punch up before I fully transition to my new position, but if you notice
something that's out of date, please feel free to let me know.

> I'm told that you can also email ynoc-request at yahoo dot com (for
> normal NOC type queries only, I assume).

Correct. They do a great job of routing requests to the proper channels,
so if it's actually something significant, don't hesitate to mail them.

Doug

-- 
  Doug Barton, Yahoo! DNS Administration and Development

"You like pain? Try wearing a corset!"
Keira Knightley as Elizabeth Swann, in
"Pirates Of The Caribbean: The Curse of the Black Pearl"


Re: Anti-Virus help for all of us??????

2003-11-24 Thread Sean Donelan

On Mon, 24 Nov 2003, Suresh Ramasubramanian wrote:
> Most if not all computers that are sold (branded ones at least) do come
> with an antivirus + "personal firewall" (aka snake oil firewall, as
> vernon schryver keeps saying on news.admin.net-abuse.email and
> elsewhere) package, with 6 months to a year of free updates.

If most if not all computers that are sold include antivirus + personal
firewalls, who is selling all the computers being infected with worms,
virus, malware?





Re: Anti-Virus help for all of us??????

2003-11-24 Thread Jeff Shultz

** Reply to message from Sean Donelan <[EMAIL PROTECTED]> on Mon, 24 Nov
2003 13:29:57 -0500 (EST)

> On Mon, 24 Nov 2003, Suresh Ramasubramanian wrote:
> > Most if not all computers that are sold (branded ones at least) do come
> > with an antivirus + "personal firewall" (aka snake oil firewall, as
> > vernon schryver keeps saying on news.admin.net-abuse.email and
> > elsewhere) package, with 6 months to a year of free updates.
> 
> If most if not all computers that are sold include antivirus + personal
> firewalls, who is selling all the computers being infected with worms,
> virus, malware?

You know that the best AV program in the world isn't going to amount to
a hill of beans if the user doesn't 1. download updates, 2. run the
occasional scan [1], and 3. pay for more updates past the 1 year mark
(for those for which this is a requirement). 

Firewalls at least tend to be a bit more hands off... and I'd like to
hear more about the "snake oil" parts. Doesn't the 1/2wall that XP
ships with default to "disabled?" 

As for Malware... right now neither firewalls nor AV programs seem to
stop its installation. Personally I wish that there was something that
we could install on customer machines that would absolutely and totally
block the installation of net.net stuff, to the point of deleting any
installation files that have been downloaded. 

[1] When cleaning a customer's Nachi infected machine, I discovered
that the installed copy of NAV was completely up to date - but a system
scan hadn't been run since July 2002.

-- 
Jeff Shultz
Loose nut behind the wheel. 



Re: Anti-Virus help for all of us??????

2003-11-24 Thread Suresh Ramasubramanian
Sean Donelan  writes on 11/24/2003 1:29 PM:

> If most if not all computers that are sold include antivirus + personal
> firewalls, who is selling all the computers being infected with worms,
> virus, malware?

Er... two or three obvious reasons - there might be more.

# Users not updating their virus / firewall definitions, not paying for 
new definitions after their year of free definitions is done.

# Users leaving open windows shares, clicking on random windows 
attachments etc

# Viruses keeping one step ahead of antivirus vendors

--
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations


Re: Anti-Virus help for all of us??????

2003-11-24 Thread Sean Donelan

On Mon, 24 Nov 2003, Suresh Ramasubramanian wrote:
> Er... two or three obvious reasons - there might be more.
>
> # Users not updating their virus / firewall definitions, not paying for
> new definitions after their year of free definitions is done.

I've been looking at some statistics on infected users.  One of the more
interesting was that "new" computer users are more likely to have infected
computers than "old" computer users.  A computer bought in the last 30
days may be almost twice as likely to be infected as a computer more
than 1 year old.




Re: Anti-Virus help for all of us??????

2003-11-24 Thread Suresh Ramasubramanian
Jeff Shultz  writes on 11/24/2003 1:46 PM:

> Firewalls at least tend to be a bit more hands off... and I'd like to
> hear more about the "snake oil" parts. Doesn't the 1/2wall that XP
> ships with default to "disabled?" 

Interesting reading here -
http://groups.google.com/groups?q=vernon+schryver+snake+oil+firewall
--
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations


Re: Optical media converters?

2003-11-24 Thread Mikael Abrahamsson

On Mon, 24 Nov 2003, Ben Buxton wrote:

> Does anyone have any experience with optical media converters and using
> them directly with router interfaces? I have found one such supplier
> that makes exactly the thing: http://www.mrv.com/product/MRV-FD-SFPMC/
> 
> I'm curious as to whether anyone has any experience with these or
> knows of anyone else who makes a similar device...

There are tons of them. Transmode, MRV, Transition Networks... Pretty much 
any CWDM manufacturer does CWDM in just this fashion.

-- 
Mikael Abrahamsson    email: [EMAIL PROTECTED]



Check your AS: Renesys Blackout Report Released

2003-11-24 Thread todd

Folx,

Hot off the presses, from the people who brought you the excellent (and
fun!) reports on the effects of worms on routing instabilities, how the
Internet fared on Sept 11, 2001, and other fine topics of interest to the
operator community, comes a new report:


"Impact of the 2003 Blackouts on Internet Communications"
available now at:
http://www.renesys.com/news/index.html


It is an attempt to do a thorough, retrospective analysis of the impact of
the power outages from a purely routing perspective.  We tried to be quite
rigorous in our methodology and careful in our inferences.  However, we
came to what may be an unpopular conclusion:  the Internet fared worse
than others have previously reported.  The main difference in our
conclusions lies in different measurement strategies (core to core layer
3-4 monitoring versus global BGP routing monitoring).  Read the paper for
more information.

We also hoped to produce a definitive analysis of the network (routing, 
BGP) impact of the power outages so that others can compare future events.  

We're particularly interested in feedback from operators with assets in 
the affected regions of the US, Canada and Italy (see Appendix B for a 
good comparison of the Sept 28 Italy Blackout with the Aug 14 US 
Blackout).  

A few specific ASes are mentioned in the report. We would love to hear
feedback from those ASes or others who were affected to learn more about
the backstory behind the outage.  If your prefixes stayed up, why?  If
some went down and some didn't, what caused that?  Did your upstreams and
peers stay up?  Were local power outages at routers the primary cause of
outages, or did other factors enter into the equation?  We saw one AS with 
nine (9!) upstream ASes lose all of its prefixes.  Could it be that 
someone with 9 upstream adjacencies didn't have reliable power? 

These questions, plus a general discussion of Internet edge reliability 
(power and interconnectedness) seem on-topic for the list.

Of course, we read nanog :-), so we'd love to see those stories discussed
here in a context that would help all of us understand the causes and
mitigation strategies better, but private mail will also be gratefully
accepted.  If you don't ever want us to mention your name in public, be
sure to let us know.

Todd Underwood
[EMAIL PROTECTED]





RE: Anti-Virus help for all of us??????

2003-11-24 Thread Wesley Vaux

"if you build it they will come"

Goes right along with 

"if you send it out you will support it"

Think about it. 



Re: Anti-Virus help for all of us??????

2003-11-24 Thread Richard Cox

On Mon, 24 Nov 2003 10:46:26 -0800
"Jeff Shultz" <[EMAIL PROTECTED]> wrote:
| Personally I wish that there was something that we could install
| on customer machines that would absolutely and totally block the
| installation of net.net stuff, to the point of deleting any
| installation files that have been downloaded.

The latest version of Zone Alarm Pro does stop all applications from
accessing the net outbound unless specifically authorised, and it does
check the executable by checksum to make sure it hasn't been changed.

Of course, this doesn't cope with the clueless who are willing to click
on just about anything, particularly if it looks cute, but the one good
point about Zone Alarm Pro is that it requires a separate authorisation
before any executable is allowed to access an external site on Port 25.

-- 
Richard Cox



Re: Anti-Virus help for all of us??????

2003-11-24 Thread Jason LeBlanc
I tend to encourage people to use PestPatrol for the malware on windoze 
boxes.




Re: Check your AS: Renesys Blackout Report Released

2003-11-24 Thread Mike Tancsa


On page 9, table 1 you list Allstream as being "was Bell Canada."  They 
were the network formerly known as AT&T Canada.

---Mike




Re: Anti-Virus help for all of us??????

2003-11-24 Thread Petri Helenius
Sean Donelan wrote:

> If most if not all computers that are sold include antivirus + personal
> firewalls, who is selling all the computers being infected with worms,
> virus, malware?


Just got a new off the shelf PC, manufactured on 13th Nov 2003. Comes with
NAV2003 and virus definitions from late 2002 installed. This is on a model
that has been shipping for less than two months. It probably is not worth
mentioning that windowsupdate provided 10+ critical and 10+ other updates
(the OS had Service Pack 1 installed).

The box should have been labeled "don't connect this device to the 
public internet".

Pete




Re: Check your AS: Renesys Blackout Report Released

2003-11-24 Thread todd

Mike, all,

On Mon, 24 Nov 2003, Mike Tancsa wrote:

> On page 9, table 1 you list Allstream as being "was Bell Canada."  They 
> were the network formerly known as AT&T Canada.

thanks for the note.  we'll fix that.  sometimes it's hard to keep all of 
the bell pieces separate in my head :-) (plus, we have a former bell labs 
scientist on staff, making it all the easier to call everything 'bell' 
:-).

todd




RE: Anti-Virus help for all of us?????? Must have more Free!

2003-11-24 Thread Brennan_Murphy

If only free could become contagious (no pun intended) and we could
all accomplish what we need to with, for example,
free bandwidth, free server hardware, free network
engineering... free apple macintoshes :-)... Ha-ha, ho-ho, he-he.  

---

All kidding aside...is "free" the answer to the current
insecurity of the Internet?  I hope not! :-) Speaking
as someone who knows at least a fraction of what's 
involved in AV/FW research... free is not likely to deliver
us any time soon. Free is almost always marketing. 
But of course, people and their pocketbooks tend to decide
how these things go...

-BM

PS http://us.mcafee.com/root/catalog.asp?catid=free  
 
...neener-neener... :)




Re: Anti-Virus help for all of us??????

2003-11-24 Thread Valdis . Kletnieks
On Mon, 24 Nov 2003 22:24:58 +0200, Petri Helenius said:

> that windowsupdate provided with 10+ critical and 10+ other updates (the OS
> had Service Pack 1 installed)
> 
> The box should have been labeled "don´t connect this device to the 
> public internet".

Question: What speed access is needed to guarantee "mean time to download
patches" is significantly less than "mean time to be probed by packet-to-0wn"
(significantly == 20x lower still gives a 5% chance of getting 0wned while
patching)?




Re: Anti-Virus help for all of us??????

2003-11-24 Thread Petri Helenius
[EMAIL PROTECTED] wrote:

> Question: What speed access is needed to guarantee "mean time to download
> patches" is significantly less than "mean time to be probed by packet-to-0wn"
> (significantly == 20x lower still gives a 5% chance of getting 0wned while
> patching)?


Since windows updates are downloaded only from one server at a time, 
none of those servers are connected to the public Internet at high enough speed.

Pete




Re: Anti-Virus help for all of us??????

2003-11-24 Thread Suresh Ramasubramanian
[EMAIL PROTECTED]  writes on 11/24/2003 3:43 PM:

> Question: What speed access is needed to guarantee "mean time to download
> patches" is significantly less than "mean time to be probed by packet-to-0wn"
> (significantly == 20x lower still gives a 5% chance of getting 0wned while
> patching)?

That'd have to be very fast indeed, given that only one windows update 
mirror is used at a time, and patches are downloaded and applied in 
sequence.

Two ways to get at least some safety -

# Machine behind NAT while it is being updated
# Patches preferably downloaded onto a CD and applied offline
--
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations


Re: Anti-Virus help for all of us??????

2003-11-24 Thread Jeff Shultz

** Reply to message from [EMAIL PROTECTED] on Mon, 24 Nov 2003
15:43:34 -0500

> On Mon, 24 Nov 2003 22:24:58 +0200, Petri Helenius said:
>
> > that windowsupdate provided with 10+ critical and 10+ other updates (the OS
> > had Service Pack 1 installed)
> >
> > The box should have been labeled "don´t connect this device to the
> > public internet".
>
> Question: What speed access is needed to guarantee "mean time to download
> patches" is significantly less than "mean time to be probed by packet-to-0wn"
> (significantly == 20x lower still gives a 5% chance of getting 0wned while
> patching)?

I tend to install the freebie Zonealarm before hooking those systems up
to the Internet.
Snake-Oil they may claim, but it does seem to chop the chances of my
getting wormed before getting the updates downloaded.

--
Jeff Shultz
Loose nut behind the wheel.



Re: Anti-Virus help for all of us??????

2003-11-24 Thread Steven M. Bellovin

In message <[EMAIL PROTECTED]>, Valdis.Kletni
[EMAIL PROTECTED] writes:

>
>Question: What speed access is needed to guarantee "mean time to download
>patches" is significantly less than "mean time to be probed by packet-to-0wn"
>(significantly == 20x lower still gives a 5% chance of getting 0wned
>while patching)?
>

It's not just the download time, it's the install time.  I recently 
upgraded a win2k box to winxp.  Download was very fast -- my office has 
excellent connectivity.  But the patch installation took so long that I 
had to disconnect the Ethernet cable so I could go home. 


--Steve Bellovin, http://www.research.att.com/~smb
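
Valdis's question above (the "20x lower still gives a 5% chance" figure) and Steve's point that install time is part of the exposure window can be made concrete with a small model. This is an added example, not code from the thread: it treats unsolicited probes as a Poisson process, so the 5% follows from 1 - exp(-1/20), and every patch size, install time and probe rate in it is a constructed assumption.

```python
import math

# Exposure-window model. Constructed for illustration: the patch size, install
# time and probe rate used in main() are made-up assumptions, not measurements.


def p_probed_during_window(window_s: float, mean_time_to_probe_s: float) -> float:
    """Probability that at least one hostile probe arrives while the host is
    exposed for window_s seconds.

    Unsolicited probes are modelled as a Poisson process whose mean
    inter-arrival time is mean_time_to_probe_s, so the number of probes in the
    window is Poisson(window_s / mean_time_to_probe_s) and
    P(at least one) = 1 - exp(-window_s / mean_time_to_probe_s).
    With window = mttp/20 this is 1 - exp(-1/20) ~= 4.9%, the "5%" in the thread.
    """
    if window_s < 0 or mean_time_to_probe_s <= 0:
        raise ValueError("window must be >= 0 and mean time to probe > 0")
    return 1.0 - math.exp(-window_s / mean_time_to_probe_s)


def p_owned_while_patching(patch_bytes: int, link_bps: float, install_s: float,
                           mean_time_to_probe_s: float) -> float:
    """Exposure = download time + install time; the install part does not
    shrink with a faster link."""
    window_s = patch_bytes * 8 / link_bps + install_s
    return p_probed_during_window(window_s, mean_time_to_probe_s)


def required_link_bps(patch_bytes: int, install_s: float,
                      mean_time_to_probe_s: float, max_p: float):
    """Smallest link speed (bit/s) keeping P(probed before patched) <= max_p.

    Solve 1 - exp(-(8*patch_bytes/bps + install_s)/mttp) <= max_p:
        budget = -mttp * ln(1 - max_p)          # total exposure allowed
        bps   >= 8*patch_bytes / (budget - install_s)
    Returns None when install time alone exceeds the budget: then no link
    speed helps, and the host has to be off the net (or behind a filter)
    while it installs.
    """
    if not 0.0 < max_p < 1.0:
        raise ValueError("max_p must be strictly between 0 and 1")
    budget_s = -mean_time_to_probe_s * math.log(1.0 - max_p)
    download_budget_s = budget_s - install_s
    if download_budget_s <= 0:
        return None
    return 8 * patch_bytes / download_budget_s


def main() -> None:
    mttp = 3600.0        # assumption: one hostile probe per hour on average
    patch = 50_000_000   # assumption: 50 MB of patches to fetch
    for install in (60.0, 300.0):
        bps = required_link_bps(patch, install, mttp, max_p=0.05)
        if bps is None:
            print(f"install {install:.0f}s: no link speed keeps risk under 5%")
        else:
            print(f"install {install:.0f}s: need >= {bps / 1e6:.2f} Mbit/s")
    p = p_owned_while_patching(patch, 1.5e6, 60.0, mttp)
    print(f"p(owned) on a 1.5 Mbit/s line with a 60 s install = {p:.3f}")


if __name__ == "__main__":
    main()
```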




Re: Anti-Virus help for all of us??????

2003-11-24 Thread Gerardo Gregory
Suresh Ramasubramanian wrote:

> [EMAIL PROTECTED]  writes on 11/24/2003 3:43 PM:
> 
> > Question: What speed access is needed to guarantee "mean time to download
> > patches" is significantly less than "mean time to be probed by packet-to-0wn"
> > (significantly == 20x lower still gives a 5% chance of getting 0wned while
> > patching)?
> 
> That'd have to be very fast indeed, given that only one windows update 
> mirror is used at a time, and patches are downloaded and applied in 
> sequence.
> 
> Two ways to get at least some safety -
> 
> # Machine behind NAT while it is being updated

NAT is not a security feature, neither does it provide any real 
security, just one to one translations.  PAT falls into the same 
category.  Just because your broadband router (ahem, switch) vendor lists 
NAT (in reality PAT) as one of their security 'knobs' does not make 
it in any way a security feature when implemented.  Only thing that 
might benefit is IPv4 address space.

Make a NAT Translation to a workstation (nothing else) and see if you 
can still carry out some of the exploits making the rounds.

NAT and PAT do not prohibit any TCP/UDP connections to egress.

Most broadband providers still perform a NAT translation downstream, is 
it helping alleviate any of the attacks/compromises?  NOT!

> # Patches preferably downloaded onto a CD and applied offline

I know Microsoft has a product that allows you to download patches to a 
centralized server (within your infrastructure) and lets you patch your 
internal systems from it.  Heard our MS admins talking about it a while 
back.



--
Gerardo A. Gregory



Re: Anti-Virus help for all of us??????

2003-11-24 Thread Suresh Ramasubramanian
Gerardo Gregory  writes on 11/24/2003 4:20 PM:

> NAT is not a security feature, neither does it provide any real 
> security, just one to one translations.  PAT falls into the same 

It is not a cure all and I never said it was one.  It cuts the risk down 
a little, is all.

> Most broadband providers still perform a NAT translation downstream, is 
> it helping alleviate any of the attacks/compromises?  NOT!

A lot of it is because of infected hosts in a subnet searching around 
for open windows shares on IPs around it.

> I know Microsoft has a product that allows you to download patches to a 
> centralized server (within your infrastructure) and lets you patch your 
> internal systems from it.  Heard our MS admins talking about it a while 
> back

Sounds like a good thing to have around.

--
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations


Re: Anti-Virus help for all of us??????

2003-11-24 Thread Valdis . Kletnieks
On Mon, 24 Nov 2003 15:20:59 CST, Gerardo Gregory said:

> I know Microsoft has a product that allows you to donwload patches to a 
> centralized server (within your infrastructure) and let's you patch your 
> internal systems from it.  Heard our MS admins talking about it a while 
> back

Two words: Joe Sixpack.

Phrased differently - the sites that have enough clue and infrastructure to
deploy that product are not, in general, the sites that are getting whacked
the first time their single box connects to the net.




Re: Anti-Virus help for all of us??????

2003-11-24 Thread Gerardo Gregory
Funny you mentioned ol' Joe...

An article in the paper today stated that only 33% of U.S. citizens are 
"Tech Savvy".  Meaning a lot of Joes out there are clueless.

I bet ol' Joe's AV signatures were last updated in 98 or 99...

:)

G.



--
Gerardo A. Gregory
Manager Network Administration and Security
402-970-1463 (Direct)
402-850-4008 (Cell)

Affinitas - Latin for "Relationship"
Helping Businesses Acquire, Retain, and Cultivate
Customers
Visit us at http://www.affinitas.net


looking for a review of traffic shapers

2003-11-24 Thread William Caban

I'm looking for a review/report on traffic/packet shaper products with
a side-by-side comparison. Does anyone have a clue where I can find one
such report?

Thanks,
-W
-- 
William Caban <[EMAIL PROTECTED]>



Re[2]: Anti-Virus help for all of us??????

2003-11-24 Thread Richard Welty

On Mon, 24 Nov 2003 16:25:36 -0500 Suresh Ramasubramanian <[EMAIL PROTECTED]> wrote:
> Gerardo Gregory  writes on 11/24/2003 4:20 PM:
 
> > NAT is not a security feature, neither does it provide any real 
> > security, just one to one translations.  PAT falls into the same 
 
> It is not a cure all and I never said it was one.  It cuts the risk down 
> a little, is all.

Dan Senie called me on this one once, and he was right.

1-to-1 NAT is not much of a security feature.

Port NAT (PNAT) does, *as a side effect*, provide a measure of
meaningful security.

as Dan pointed out to me, the code required to implement PNAT is
nearly identical to the code required to provide a state keeping
firewall similar to what might be done with OpenBSD's PF or
Linux's IPTables packages. it doesn't provide the additional useful
features of such firewalls, but it does do the minimum.

now the consumer PNAT appliances have other issues, and of course
PNAT often breaks protocols that make end to end assumptions
(which is why i don't like it), but the "not a security feature" thing is
not really accurate. the security feature is a side effect, and wasn't
the original intent of PNAT, but that doesn't mean it's not there.

richard
-- 
Richard Welty [EMAIL PROTECTED]
Averill Park Networking 518-573-7592
Java, PHP, PostgreSQL, Unix, Linux, IP Network Engineering, Security



Re: Anti-Virus help for all of us??????

2003-11-24 Thread Scott Call

>
> NAT is not a security feature, neither does it provide any real
> security, just one to one translations.  PAT falls into the same
> category.

While it may not be a cure-all, a NAT solution offered by most entry-level
routers is an effective, if incomplete security tool.

While it does not prevent stupid user tricks (downloading malware,
misconfiguring NAT to allow incoming connections, etc) it does stop most
non-email worms in their tracks.

For example, from an nmap or other scan of the IP address of my home DSL
connection you would not see any interesting ports open, even if one or
more of the hosts behind the router were accessing content of some kind.

Worms that spread over open shares and insecure services (windows or
otherwise) do not ever hit any of the machines behind the NAT.

I, of course, run other security solutions (IDS detection/etc) to keep my
skills sharp, but I've been pleasantly surprised at the wherewithal of my
little Efficient router and its NAT implementation.  It's never allowed
any unwanted traffic through from the outside (port 135 crud/etc).

I always tell people that a NAT like this (rather than a 1:1 NAT or a NAT
with PAT holes to allow access to servers) "keeps honest people honest".
Could somebody figure out a way (TCP intercept, etc) to get to a machine
behind the NAT?  I suppose so, but like the blinking red light on the
dashboard of your car, it makes the lazy thief move on to the next car
that doesn't present the appearance of protection.



-Scott



-- 
Scott Call  Router Geek, ATGi, home of $6.95 Prime Rib
"These are the last days of peace in America as you know it.
And we will never be the same." -Mark Morford
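
Richard's point that port NAT (PNAT) is, as a side effect, a minimal state-keeping filter, Scott's remark about "PAT holes", and Gerardo's note that NAT does nothing for egress can all be seen in a toy translation table. This is an added example, not code from the thread or from any router; every address, port and host in it is constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Toy port-NAT (PNAT/PAT) model. Constructed for illustration: every address
# and port below is made up, and only TCP/UDP 4-tuples are modelled (no
# timeouts, ICMP, fragments or protocol helpers).

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass(frozen=True)
class Packet:
    src: Endpoint
    dst: Endpoint
    proto: str = "tcp"


@dataclass
class PortNat:
    public_ip: str
    next_port: int = 40000
    # dynamic state created by outbound traffic:
    #   (proto, public_port) -> (inside endpoint, remote endpoint)
    table: Dict[Tuple[str, int], Tuple[Endpoint, Endpoint]] = field(default_factory=dict)
    # static "PAT holes" (port forwards) the owner opened on purpose:
    #   (proto, public_port) -> inside endpoint
    forwards: Dict[Tuple[str, int], Endpoint] = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet. Never filtered: PNAT does not restrict egress, so
        an infected inside host can still scan outward. Creates or reuses
        translation state for the flow."""
        for (proto, pub_port), (inside, remote) in self.table.items():
            if proto == pkt.proto and inside == pkt.src and remote == pkt.dst:
                return Packet((self.public_ip, pub_port), pkt.dst, pkt.proto)
        pub_port = self.next_port
        self.next_port += 1
        self.table[(pkt.proto, pub_port)] = (pkt.src, pkt.dst)
        return Packet((self.public_ip, pub_port), pkt.dst, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN. Delivered only if it matches state from an
        inside-initiated flow or a static forward; otherwise there is no
        inside address to translate to and the packet is dropped. That is the
        same decision a stateful filter makes for unsolicited inbound traffic."""
        slot = (pkt.proto, pkt.dst[1])
        if slot in self.table:
            inside, remote = self.table[slot]
            if pkt.src == remote:  # return traffic of an inside-initiated flow
                return Packet(pkt.src, inside, pkt.proto)
            return None  # right public port, wrong peer: drop
        if slot in self.forwards:  # a hole the owner opened deliberately
            return Packet(pkt.src, self.forwards[slot], pkt.proto)
        return None  # unsolicited, no state: drop


def scenario() -> dict:
    """Walks through the cases the thread argues about; returns what got through."""
    nat = PortNat(public_ip="203.0.113.1")
    # inside host browses a web server: state is created, source is rewritten
    web = nat.outbound(Packet(("10.0.0.5", 1234), ("198.51.100.10", 80)))
    # the server's reply matches that state and is delivered inside
    reply = nat.inbound(Packet(("198.51.100.10", 80), ("203.0.113.1", web.src[1])))
    # an unsolicited probe at port 135 has no state: dropped
    scan_135 = nat.inbound(Packet(("192.0.2.9", 6000), ("203.0.113.1", 135)))
    # a third party aiming at the open public port is not the flow's peer: dropped
    spoof = nat.inbound(Packet(("192.0.2.9", 80), ("203.0.113.1", web.src[1])))
    # owner forwards 445 to a file server: the "PAT hole" lets probes in
    nat.forwards[("tcp", 445)] = ("10.0.0.7", 445)
    hole = nat.inbound(Packet(("192.0.2.9", 6001), ("203.0.113.1", 445)))
    # an infected inside host scanning outward is not stopped at all
    egress = nat.outbound(Packet(("10.0.0.9", 3000), ("192.0.2.50", 445)))
    return {
        "web_src": web.src,
        "reply_dst": reply.dst if reply else None,
        "scan_135": scan_135,
        "spoof": spoof,
        "hole_dst": hole.dst if hole else None,
        "egress_dst": egress.dst,
    }


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name:>10}: {value}")
```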



Re: Anti-Virus help for all of us??????

2003-11-24 Thread Stephen J. Wilcox

On Mon, 24 Nov 2003, Gerardo Gregory wrote:

> > # Machine behind NAT while it is being updated
> 
> NAT is not a security feature, neither does it provide any real 
> security, just one to one translations.  PAT falls into the same 
> category.  Just because your broadband router (ahem, switch) vendor lists 
> NAT (in reality PAT) as one of their security 'knobs' does not make 
> it in any way a security feature when implemented.  Only thing that 
> might benefit is IPv4 address space.
> 
> Make a NAT Translation to a workstation (nothing else) and see if you 
> can still carry out some of the exploits making the rounds.

Nor does it stop the user inviting an exploit to run on their PC, e.g. web 
download, email attachment... Based on seeing plenty of virused/exploited 
machines at companies I've worked at which all had AV, FW, NAT etc., they still 
had the human factor who would override a warning because they got sent what 
looks like a joke email with an attached .scr that later turns out to be a new 
virus/worm...

Steve



Re: looking for a review of traffic shapers

2003-11-24 Thread Kevin C Miller

> I'm looking for a review/report on traffic/packet shapers products with
> a side-by-side comparison. Does anyone have a clue where I can find one
> such report?

We put together a report after our analysis a year ago.

You may want to review our more recent presentation on traffic control..

-Kevin




Re: Anit-Virus help for all of us??????

2003-11-24 Thread Valdis . Kletnieks
On Mon, 24 Nov 2003 21:50:48 GMT, "Stephen J. Wilcox" said:

> Nor does it stop the user inviting an exploit to run on their PC, eg web 
> download, email attachment.. based on seeing plenty of virused/exploited 
> machines at companies I've worked at which all had AV, FW, NAT etc they still
> had the human factor who would override a warning because they got sent what 
> looks like a joke email with an attached .scr that later turns out to be a new 
> virus/worm..

The average user will say "OOH! SHINY!! [clicky-click]" when offered content
promising either dancing hamsters or pop stars wearing less clothing than
appropriate. Any security model that doesn't allow for this is doomed to
failure.





Re: Anit-Virus help for all of us??????

2003-11-24 Thread Niels Bakker

* [EMAIL PROTECTED] (Richard Cox) [Mon 24 Nov 2003, 20:30 CET]:
> 
> The latest version of Zone Alarm Pro does stop all applications from
> accessing the net outbound unless specifically authorised, and it does
> check the executable by checksum to make sure it hasn't been changed.

Right up to the moment the end user, annoyed by the continuous popups,
authorises mshtml.dll - which is used by several malicious-by-design
worms (including Outlook).


-- Niels.
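
The checksum-pinned outbound control Richard describes, and the point at which it stops helping, can be sketched in a few lines. This is an added example written for this thread (Python), not Zone Alarm's code; the program paths and the byte strings standing in for executable images are constructed.

```python
"""Hash-pinned outbound allow list: a program may talk to the network only
when it is explicitly authorised AND still matches the checksum recorded
at authorisation time.  Added illustration; paths and image bytes below are
constructed, not real binaries."""

import hashlib


def fingerprint(image: bytes) -> str:
    """SHA-256 of the executable image (the 'checksum' in the discussion)."""
    return hashlib.sha256(image).hexdigest()


class OutboundPolicy:
    """Maps program path -> pinned digest.  Unknown or changed programs are
    blocked; a real product would prompt the user at that point, which is
    exactly the prompt that gets clicked through once it appears too often."""

    def __init__(self) -> None:
        self.allowed: dict[str, str] = {}
        self.decisions: list[tuple[str, str]] = []

    def authorise(self, path: str, image: bytes) -> None:
        """Record the user's decision together with the current image hash."""
        self.allowed[path] = fingerprint(image)

    def check(self, path: str, image: bytes) -> str:
        """Decide whether an outbound connection from this program is allowed."""
        pinned = self.allowed.get(path)
        if pinned is None:
            verdict = "block: not authorised"
        elif pinned != fingerprint(image):
            verdict = "block: binary changed since authorisation"
        else:
            verdict = "allow"
        self.decisions.append((path, verdict))
        return verdict


def demo() -> tuple[str, str, str]:
    """Authorise one browser build, then see a tampered build and an unknown
    screensaver get blocked.  All inputs are constructed sample data."""
    policy = OutboundPolicy()
    browser_path = r"C:\Program Files\Browser\browser.exe"
    browser_v1 = b"MZ... constructed browser image, version 1"
    browser_tampered = b"MZ... constructed browser image, modified"
    policy.authorise(browser_path, browser_v1)
    return (
        policy.check(browser_path, browser_v1),
        policy.check(browser_path, browser_tampered),
        policy.check(r"C:\Temp\joke.scr", b"MZ... constructed unknown program"),
    )
```

The check identifies code, not intent: once the user authorises a component that many programs load (Niels's mshtml.dll case), every later use of that component passes the hash test, so the prompt fatigue the thread describes is a property of the model rather than a bug in any one product.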


Re: Anit-Virus help for all of us??????

2003-11-24 Thread Brian Bruns

Being that I wasn't paying attention, here's the message I accidentally
responded to in private e-mail rather than the list...
-


- Original Message - 
From: "Jeff Shultz" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, November 24, 2003 1:46 PM
Subject: Re: Anit-Virus help for all of us??



> You know that the best AV program in the world isn't going to amount to
> a hill of beans if the user doesn't 1. download updates, 2. run the
> occasional scan [1], and 3. pay for more updates past the 1 year mark
> (for those for which this is a requirement).

That's how they make money off of the antivirus stuff - the yearly
subscriptions.  Many people just go out and buy a new version of Norton
whenever their defs expire (yeah, I've done that before for my personal
machines, as sometimes they improve the detection stuff between versions -
like Norton 2002 adds script protection and better e-mail virus filtering).

The only completely and utterly free with no catches or nagware antivirus
software I know of is clamav.  But, it's only for UNIX/Linux (although people
have gotten it working in cygwin - I might just package it up for people and
make an installer for it).  Has an autoupdate script as well.  If someone
spent the time to play with it, who knows, it might be able to do realtime
scanning.  It's pretty fast too.


>
> Firewalls at least tend to be a bit more hands off... and I'd like to
> hear more about the "snake oil" parts. Doesn't the 1/2wall that XP
> ships with default to "disabled?"
>

Yep, though in SP2 for XP, it will be turned on by default, IIRC.

I actually like McAfee Personal Firewall Express (given away free by AOL to
all of their users), have it installed on my mother's Win98SE desktop and it
works like a charm.  Not that many features or controls, so it's slightly
less confusing, but then again, you can't do very complicated stuff with it
either, so it's not good for everyone, but for someone like my mother, it's
more than enough.

I just can't stand personal firewalls on my machines though - they have this
nasty habit of either slowing down the machine, or causing issues with the
various tools I run.  Being that my primary machine is a PII 266 MHz laptop,
I really can't handle a personal firewall dragging down my laptop.

> As for Malware... right now neither firewalls nor AV programs seem to
> stop its installation. Personally I wish that there was something that
> we could install on customer machines that would absolutely and totally
> block the installation of net.net stuff, to the point of deleting any
> installation files that have been downloaded.
>
> [1] When cleaning a customer's Nachi infected machine, I discovered
> that the installed copy of NAV was completely up to date - but a system
> scan hadn't been run since July 2002.

Spybot SD is a nifty program, installs some protection against malware that
gets delivered by IE, and is generally good at ripping it out if it does get
in.

One thing that many people don't realize (from my personal experience) is
that contrary to popular belief, Win98SE is a good all around desktop OS to
use.  It can run most things like productivity apps and games, and with
128-256MB of RAM, it's quite fast even on an old laptop like mine.  Unlike
XP, it doesn't have a million services running, nor does it have the nasty
UPnP stuff from WinME.  I've run my Win98SE laptop with Norton Antivirus
2002, Outlook Express, and K-Meleon 0.8 (even with its more annoying bugs)
as my primary browser and have never gotten infected by one of these mass
mailing worms, or the DCOM exploits, or IE exploits, etc.

The one thing I should mention though - I have a user, long time friend of
mine, I got her setup with WinXP last year, patched her, then installed
Norton Antivirus 2002, set it to autoupdate and do weekly scans (which, btw,
are on by default, but I check nonetheless), and turned on the XP firewall
and set it to block all inbound but RDP (so I could do remote management if
she needed it).  I also turned off auto-updating of Windows patches (since
I've had situations where my customer's machines have been trashed because
of bad/faulty patches).

The machine survived the RPC/DCOM exploit nightmares as well as rounds of
Outlook Express exploits with no problem.  I only recently fully updated her
machine with the latest patches (I didn't want to neglect her machine, but
being my recent bout of health problems and personal issues left me with no
choice).

Even if users don't take advantage of the built in windows update because
it's risky, you can still make sure that you have (autoupdated) AV and the XP
firewall, and you *should* be ok for the most part.  All you need to do is
make sure it is turned on.


On a side note

I've been developing a little GUI tool which automates the process of
securing a machine - run it, it turns on the XP firewall, turns off Windows
Messenger service, asks for antivirus CD and auto installs it quietly (only

Re: Anit-Virus help for all of us??????

2003-11-24 Thread Henry Linneweh
The latest Zone Alarm Pro also invites subscribed users to participate in creating a 
more robust solution
 
-Henry

Niels Bakker <[EMAIL PROTECTED]> wrote:
> * [EMAIL PROTECTED] (Richard Cox) [Mon 24 Nov 2003, 20:30 CET]:
> > 
> > The latest version of Zone Alarm Pro does stop all applications from
> > accessing the net outbound unless specifically authorised, and it does
> > check the executable by checksum to make sure it hasn't been changed.
> 
> Right up to the moment the end user, annoyed by the continuous popups,
> authorises mshtml.dll - which is used by several malicious-by-design
> worms (including Outlook).
> 
> -- Niels.

SORBS DUL (Dynamic User List) announcement and suggestions welcome.

2003-11-24 Thread Matthew Sullivan
For those that didn't see it, I believe it is on topic as it is relating 
to connectivity/locations of ISPs mailservers.

---
Subject: Notice SORBS DNSbl users, regarding the easynet blacklists 
being discontinued Dec 1 2003

Hi All,

As of last night SORBS imported and merged the Easynet (Wirehub) 
Dynablock database into the SORBS DUL.

SORBS also has included the Dynablock exceptions list and now has a 
mechanism to include more exceptions to the DUL should they be necessary.

Users of the EasyNet Dynablock are welcome to use the SORBS DUL, however 
please remember that the Dynablock list was merged with the SORBS DUL.  
The DUL is available on its own as: dul.dnsbl.sorbs.net  It is also 
available via the aggregate zone: dnsbl.sorbs.net

Any positive entry in the DUL will return 127.0.0.10

Yours

Matthew
@ SORBS
---
Network operators, you are welcome and requested to submit your 
networks, both static and dynamic, to SORBS for inclusion/exclusion from 
the list.  A number of you already do, for which I thank you, however 
with the import of a massive amount of data there are likely to be a 
couple of errors here and there; if you see any please mail me directly 
and I will be happy to correct the entry by either removing it or by 
creating an exclusion.

My next planned work on SORBS is as mentioned a few days ago, creating a 
whitehat system for the spam databases.  Again assuming I am not called 
off topic when it is complete I will announce it here and discuss it 
offlist.  If anyone wishes to talk to me about SORBS which would be 
considered offtopic please mail me privately or subscribe and post to 
the public '[EMAIL PROTECTED]' list.

Also networks listed over the last few days in the spam database are 
requested to contact me as soon as possible as there are some virus 
mails that got into a spamtrap that made it into the system, these need 
to be removed asap, so if you are blocked or see any, please mail me 
offlist and I will sort them out as soon as possible. (Earthlink 
representative (if you are listening) I think one of your servers got in 
it, but I am unable to get an IP from your users at the moment)

Thanks

Yours

Matthew
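
How a mail server would consult the DUL as announced above (query name built from the reversed octets under dul.dnsbl.sorbs.net, a positive entry answering 127.0.0.10). This is an added example, not SORBS' code: the zone name and return code come from the announcement, while the resolver function is a constructed stand-in so the code runs offline, and the addresses it "lists" are documentation-range addresses that are not listed anywhere in reality.

```python
"""Client-side DNSBL lookup against the SORBS DUL.  Added example; the zone
and the positive return value are from the announcement, everything else
(resolver, addresses, SMTP reply strings) is constructed for illustration."""

import ipaddress
from typing import Callable

DUL_ZONE = "dul.dnsbl.sorbs.net"
DUL_POSITIVE = "127.0.0.10"   # documented positive answer for the DUL

Resolver = Callable[[str], list[str]]   # name -> list of A records ([] = NXDOMAIN)


def dnsbl_query_name(ip: str, zone: str = DUL_ZONE) -> str:
    """Reverse the four octets and append the zone, DNSBL style:
    198.51.100.23 -> 23.100.51.198.dul.dnsbl.sorbs.net.
    Raises ValueError on anything that is not a valid IPv4 address."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def dul_verdict(ip: str, resolve: Resolver) -> str:
    """'listed' on the documented code, 'clean' on an empty answer, and
    'unexpected' for any other A record.  Treating an unknown code as
    'unexpected' rather than 'listed' is a defensive choice assumed here
    (not stated on the page): a wildcarded or parked zone would otherwise
    turn into a block-everything list."""
    answers = resolve(dnsbl_query_name(ip))
    if not answers:
        return "clean"
    if answers == [DUL_POSITIVE]:
        return "listed"
    return "unexpected"


def smtp_policy(client_ip: str, resolve: Resolver) -> str:
    """Map the verdict to an SMTP-time reply.  Only a confirmed listing is
    rejected; an unexpected answer is accepted and logged, so a broken zone
    fails open instead of rejecting all mail (assumed policy)."""
    verdict = dul_verdict(client_ip, resolve)
    if verdict == "listed":
        return "550 dynamic address listed in SORBS DUL"
    if verdict == "unexpected":
        return "250 accepted (unexpected DNSBL answer logged)"
    return "250 accepted"


# Constructed zone contents so the example runs offline.  These addresses are
# RFC 5737 documentation space and are not really listed.
_FAKE_ZONE = {
    dnsbl_query_name("198.51.100.23"): [DUL_POSITIVE],   # "listed" dynamic address
    dnsbl_query_name("198.51.100.99"): ["127.0.0.2"],    # some other, unexpected code
}


def fake_resolve(name: str) -> list[str]:
    """Stand-in for a DNS A lookup; returns [] where real DNS would say NXDOMAIN."""
    return _FAKE_ZONE.get(name, [])
```

To use it against the real zone, replace fake_resolve with a function that performs an A lookup and returns the answer addresses as strings; the rest of the logic is unchanged. The announcement says the DUL is also reachable through the aggregate zone dnsbl.sorbs.net, but it does not document the aggregate's return codes, so this example deliberately queries the DUL zone on its own.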




Re: Anit-Virus help for all of us??????

2003-11-24 Thread William Allen Simpson

[EMAIL PROTECTED] wrote:
> 
> The average user will say "OOH! SHINY!! [clicky-click]" when offered content
> promising either dancing hamsters or pop stars wearing less clothing than
> appropriate. Any security model that doesn't allow for this is doomed to
> failure.
> 
Yep.  I've already told the story about my niece a few months back -- 
right before my eyes.

The solution that's worked so far, keeping her machine clean for months: 
Norton AV can detect every attempt to write to an executable, and it 
turns off the Windows screen, takes over the display, flashes a big 
warning screen, and asks whether it should continue.  That causes the 
startled niece to go running to momma to call uncle.

Whatever we use has to be flashier than dancing hamsters

Of course, anything that happens too often will just get the OK option 
selected anyway.
-- 
William Allen Simpson
Key fingerprint =  17 40 5E 67 15 6F 31 26  DD 0D B9 9B 6A 15 2C 32


Re: Anit-Virus help for all of us??????

2003-11-24 Thread William Allen Simpson

Brian Bruns wrote:
> 
> One thing that many people don't realize (from my personal experience) is
> that contrary to popular belief, Win98SE is a good all around desktop OS to
> use.  It can run most things like productivity apps and games, and with
> 128-256MB of RAM, its quite fast even on an old laptop like mine.  Unlike
> XP, it doesn't have a million services running, nor does it have the nasty
> UPnP stuff from WinME.  

I agree!  I don't run much M$Windows, with the exception of dual boot 
for occasional games, but I stopped at 98SE, having had problems with 
everything later.

Unfortunately, I cannot keep my relatives and customers from buying 
new machines with XP, the worst thing I've seen yet.
-- 
William Allen Simpson
Key fingerprint =  17 40 5E 67 15 6F 31 26  DD 0D B9 9B 6A 15 2C 32


68.0.0.0/7 from 3303

2003-11-24 Thread william

Would swisscom AS3303 please check your routers and stop this from
propagating into routeviews...

route-views.oregon-ix.net>sh ip bgp 68.0.0.0/7
BGP routing table entry for 68.0.0.0/7, version 12278613
Paths: (1 available, best #1, table Default-IP-Routing-Table)
  Not advertised to any peer
  3277 13062 20485 8437 3303
194.85.4.249 from 194.85.4.249 (194.85.4.249)
  Origin IGP, localpref 100, valid, external, best

-- 
William Leibzon
Elan Networks
[EMAIL PROTECTED]



Worm Bandwidth [was Re: Santa Fe city government computers knocked out by worm]

2003-11-24 Thread Stuart Staniford
[Sorry for responding to old mail, but I'm catching up]

On Sunday, November 16, 2003, at 02:12 PM, Sean Donelan wrote:

> I've often tried to explain that ISPs generally view worms as a "capacity
> planning" issue.  Worms change the "eco-system" of the Internet and ISPs
> have to adapt.  But ISPs generally can't "fix" the end-users or their
> computers.

I'm curious to know if doing this is at all well understood?

Those of us doing research on worm spread, I don't think have a 
completely clear understanding of the interaction of Internet bandwidth 
and worm spread.  Slammer, we are pretty clear became bandwidth limited 
(the rate of spread slowed down dramatically about 40 seconds into the 
spread).  But we don't really know where those chokepoints live (at the 
edge, or in the middle).

It would seem for the Internet to reliably resist bandwidth attacks 
from future worms, it has to be, roughly "bigger in the middle than at 
the edges".  If this is the case, then the worm can choke edges at the 
sites it infects, but the rest of the net can still function.  If it's 
bigger at the edges than in the middle, you'd expect a big enough worm 
would be able to choke the core.  For a given ISP, you'd want capacity 
to the upstream to be bigger than the capacity to downstream customers. 
 (It would seem like this would be the reverse of what economics would 
tend to suggest).

Do we really know much about the capacity of the Internet to carry worm 
traffic?  (We believe Slammer used a peak bandwidth of roughly 200 
Gbps).

Stuart.

Stuart Staniford, President Tel: 707-840-9611 x 15
Silicon Defense - Worm Containment - http://www.silicondefense.com/
The Worm/Worm Containment FAQ: http://www.networm.org/faq/


Worm Bandwidth [was Re: Santa Fe city government computers knocked out by worm]

2003-11-24 Thread jmalcolm

Stuart Staniford writes:
>It would seem for the Internet to reliably resist bandwidth attacks 
>from future worms, it has to be, roughly "bigger in the middle than at 
>the edges".  If this is the case, then the worm can choke edges at the 
>sites it infects, but the rest of the net can still function.  If it's 
>bigger at the edges than in the middle, you'd expect a big enough worm 
>would be able to choke the core.  For a given ISP, you'd want capacity 
>to the upstream to be bigger than the capacity to downstream customers. 
>  (It would seem like this would be the reverse of what economics would 
>tend to suggest).

So, essentially, you are saying that the edges (customers, presumably)
need to be bandwidth-limited to protect the core? This tends to happen
anyway due to statistical multiplexing, but is usually not what the
customers would want if they considered the question, and is not what
ISPs want if they bill by the bit.

>Do we really know much about the capacity of the Internet to carry worm 
>traffic?  (We believe Slammer used a peak bandwidth of roughly 200 
>Gbps).

I suspect that in the end the main backbone constraint will be peering
links, for larger ISPs.


Re: Worm Bandwidth [was Re: Santa Fe city government computers knocked out by worm]

2003-11-24 Thread Stuart Staniford


On Monday, November 24, 2003, at 04:59 PM, [EMAIL PROTECTED] wrote:

> So, essentially, you are saying that the edges (customers, presumably)
> need to be bandwidth-limited to protect the core?

I wasn't advocating a solution, just observing the way things would 
have to be for worms to be purely a "buy a bigger box" problem (as I 
think Sean was suggesting if I didn't misunderstand him).

> This tends to happen
> anyway due to statistical multiplexing, but is usually not what the
> customers would want if they considered the question, and is not what
> ISPs want if they bill by the bit.

It would generally seem that ISPs would provide more downstream 
capacity than upstream, since this saves money and normally not all the 
downstream customers will use all their bandwidth at the same time.  
But a big worm could well break that last assumption.

So it would seem that worms are, at a minimum, not a simple or 
unproblematic capacity management problem.

Stuart.

Stuart Staniford, President Tel: 707-840-9611 x 15
Silicon Defense - Worm Containment - http://www.silicondefense.com/
The Worm/Worm Containment FAQ: http://www.networm.org/faq/


Re: Worm Bandwidth [was Re: Santa Fe city government computers knocked out by worm]

2003-11-24 Thread jmalcolm

Stuart Staniford writes:
>I wasn't advocating a solution, just observing the way things would 
>have to be for worms to be purely a "buy a bigger box" problem (as I 
>think Sean was suggesting if I didn't misunderstand him).

Ah.

>It would generally seem that ISPs would provide more downstream 
>capacity than upstream, since this saves money and normally not all the 
>downstream customers will use all their bandwidth at the same time.  

Right; statistical multiplexing.

>But a big worm could well break that last assumption.

Yes, as could a number of events, but the response to a worm would
probably be different from the latest streaming video event, or
whatever.

>So it would seem that worms are, at a minimum, not a simple or 
>unproblematic capacity management problem.

Well, it would seem reasonable for an ISP to minimize a worm's effect
on its non-worm customer traffic, and that might mean increasing
capacity in some places, but I don't think the goal would be to move
more worm traffic, but rather to reduce impact to other
traffic. Presumably such activity would be combined with other
anti-worm efforts.


Re: Worm Bandwidth [was Re: Santa Fe city government computers knocked out by worm]

2003-11-24 Thread Sean Donelan

On Mon, 24 Nov 2003, Stuart Staniford wrote:
> So it would seem that worms are, at a minimum, not a simple or
> unproblematic capacity management problem.

Things are rarely as simple as they appear.  Even buying a military
grade black box may not solve the worm problem.

There are some natural choke points in the Internet between ISPs and
customers.  The customer may have a 1000 Mbps GigE LAN and the ISP may
have an OC192 backbone, but the link between them is normally much
smaller. Slammer, Blaster, etc had very little impact on the major ISP
backbones, but did severely congest some of the smaller choke points.  Go
ahead and ask UUNET, Sprint, AT&T, etc. what impact the worms had on their
networks.

ISPs don't have (much) control over third-party computers. But they can
control their network capacity.  Of course, it's not a complete solution.
If you are a mid-level ISP, you may have a choke point to your customer
but are vulnerable from your upstream provider. A better designed worm
could impact even major backbones.



Re: Worm Bandwidth [was Re: Santa Fe city government computers knocked out by worm]

2003-11-24 Thread Stuart Staniford


On Monday, November 24, 2003, at 08:00 PM, Sean Donelan wrote:

> There are some natural choke points in the Internet between ISPs and
> customers.  The customer may have a 1000 Mbps GigE LAN and the ISP may
> have an OC192 backbone, but the link between them is normally much
> smaller. Slammer, Blaster, etc had very little impact on the major ISP
> backbones, but did severely congest some of the smaller choke points.  Go
> ahead and ask UUNET, Sprint, AT&T, etc. what impact the worms had on their
> networks.

So you believe that the edges of the net are smaller, bandwidth-wise, 
than the core?  So the (approximate) picture you would advocate would 
be that Slammer was rate limited at the customer/ISP interface?  (I 
agree this is consistent with the fact that the tier-1s stayed up 
during Slammer).

(I'm not trying to be difficult here - I'm just trying to figure out if 
we actually have any good understanding of this issue - and therefore 
any ability to predict what future worms might do to the Internet).

(Blaster was not bandwidth limited so that's a whole different animal - 
it seems to have been limited by a slow scanning rate, and a poor 
transmission probability).

Stuart.

Stuart Staniford, President Tel: 707-840-9611 x 15
Silicon Defense - Worm Containment - http://www.silicondefense.com/
The Worm/Worm Containment FAQ: http://www.networm.org/faq/
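
The "bigger in the middle than at the edges" question in this thread can be made concrete with a small fluid model: hosts scan at a fixed rate, each site's uplink and the core each carry at most a fixed number of worm packets per second, and infection grows with the scans that actually get delivered. This is an added example written for the discussion, not code from Silicon Defense or any poster. All numbers in it (75,000 vulnerable hosts, 4,000 scans/s per host, 404-byte packets, 5,000 sites, the link sizes) are assumptions chosen to be Slammer-like rather than measurements, and the model spreads infections evenly across sites, which understates how quickly one site's link fills up.

```python
"""Fluid worm-spread model with edge and core bandwidth ceilings.  Added
illustration for the thread above; every parameter is an assumption, not a
measurement, and infections are spread evenly over sites (mean-field)."""

ADDRESS_SPACE = 2 ** 32   # a random-scanning worm draws targets from all of IPv4


def simulate(edge_bps: float, core_bps: float, sites: int = 5000,
             vulnerable: int = 75_000, scan_rate: float = 4000.0,
             pkt_bytes: int = 404, dt: float = 0.1, t_max: float = 600.0) -> dict:
    """Run until 99% of vulnerable hosts are infected or t_max seconds pass.
    Returns which component was limiting the worm at the end of the run
    ('edge', 'core' or 'none'), the infected count, elapsed seconds and the
    peak worm traffic actually carried."""
    pkt_bits = pkt_bytes * 8
    edge_cap = edge_bps / pkt_bits      # scans/s one site's uplink can carry
    core_cap = core_bps / pkt_bits      # scans/s the core can carry in total
    infected = 1.0
    t = 0.0
    limit = "none"
    peak_bps = 0.0
    while t < t_max and infected < 0.99 * vulnerable:
        per_site_offered = (infected / sites) * scan_rate   # scans/s one site tries to send
        offered = per_site_offered * sites                   # total the hosts try to send
        edge_out = min(per_site_offered, edge_cap) * sites   # what leaves the sites
        delivered = min(edge_out, core_cap)                  # what the core forwards
        if delivered < offered:
            limit = "core" if edge_out > core_cap else "edge"
        else:
            limit = "none"
        peak_bps = max(peak_bps, delivered * pkt_bits)
        # each delivered scan lands on a still-vulnerable host with
        # probability (vulnerable - infected) / 2^32
        infected += delivered * (vulnerable - infected) / ADDRESS_SPACE * dt
        t += dt
    return {"limit": limit, "infected": round(infected),
            "seconds": round(t, 1), "peak_bps": peak_bps}


def compare() -> dict:
    """Three topologies: T1-sized customer links under a large core (the
    edges choke, as Sean describes), fat customer links over a thin core
    (the core chokes, Stuart's worry), and no ceilings at all."""
    return {
        "edges_small": simulate(edge_bps=1.5e6, core_bps=200e9),
        "core_small": simulate(edge_bps=100e6, core_bps=10e9),
        "unlimited": simulate(edge_bps=1e12, core_bps=1e15),
    }
```

In the first topology the worm's total traffic can never exceed sites × edge link (7.5 Gb/s with these numbers) no matter how many hosts it owns, and the core never notices; in the second the same worm saturates the core once a few hundred hosts are infected, and the spread rate collapses from exponential to roughly linear at that moment, which is the "bandwidth limited" knee Stuart describes for Slammer. Blaster-style worms with a much lower scan_rate stay in the "none" regime far longer, which is why they are a different animal.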


Re: Re[2]: Anit-Virus help for all of us??????

2003-11-24 Thread Alexei Roudnev

In reality, PAT provides 99.99% of all firewall protection, so if some _very
smart whitehat guy_ is writing _PNAT is not a firewall_, this means only
that he is very far from reality. Show me, please, any attack addressed to
the PNAT based system? PNAT is not enough for a firewall to be a full
featured firewall - it is true; but PNAT provides the same protection as
any firewall (it just does not allow inbound connections, so you cannot
expose any service).

1 - 1 NAT, of course, does not provide any protection. But the _MOST_
important part of all enterprise firewalls (I mean - not the most complex, but
those which protect 99.99% of their users) is just PNAT.

Of course, it is true _until_ we are talking only about _direct_ network
level attacks. What many people miss is that, in the _real_ world,
network level firewalls are not enough for protection; if you use
_standard_ software, you are exposed to worms, viruses and other,
application level, dangers (and firewalls cannot help here too much).

Of course, PNAT appliances created a very strange protocol meaning - if a
protocol cannot work through PNAT, it 'is not a protocol' - you cannot use it
in many cases... And, on the other hand, the better the protocol security,
the worse is this protocol for PNAT - in reality, a secure protocol cannot be
a multi-connection one /as FTP or H.323/.



- Original Message - 
From: "Richard Welty" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, November 24, 2003 1:39 PM
Subject: Re[2]: Anit-Virus help for all of us??


>
> On Mon, 24 Nov 2003 16:25:36 -0500 Suresh Ramasubramanian
<[EMAIL PROTECTED]> wrote:
> > Gerardo Gregory  writes on 11/24/2003 4:20 PM:
>
> > > NAT is not a security feature, neither does it provide any real
> > > security, just one to one translations.  PAT fall into the same
>
> > It is not a cure all and I never said it was one.  It cuts the risk down
> > a little, is all.
>
> Dan Senie called me on this one once, and he was right.
>
> 1-to-1 NAT is not much of a security feature.
>
> Port NAT (PNAT) does, *as a side effect*, provide a measure of
> meaningful security.
>
> as Dan pointed out to me, the code required to implement PNAT is
> nearly identical to the code required to provide a state keeping
> firewall similar to what might be done with OpenBSD's PF or
> Linux's IPTables packages. it doesn't provide the additional useful
> features of such firewalls, but it does do the minimum.
>
> now the consumer PNAT appliances have other issues, and of course
> PNAT often breaks protocols that make end to end assumptions
> (which is why I don't like it), but the "not a security feature" thing is
> not really accurate. the security feature is a side effect, and wasn't
> the original intent of PNAT, but that doesn't mean it's not there.
>
> richard
> -- 
> Richard Welty
[EMAIL PROTECTED]
> Averill Park Networking
518-573-7592
> Java, PHP, PostgreSQL, Unix, Linux, IP Network Engineering, Security
>
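
The side effect Richard and Alexei are describing (and the "nothing interesting open from outside" that Scott reported earlier for his home router) comes down to one state table. The toy below, an added example and not the code of any router named in the thread, shows why a port-NAT drops an unsolicited inbound packet while a static 1:1 NAT forwards it: the PNAT only knows where to deliver packets for which an inside host has already created a mapping. Every address and port in it is constructed from RFC 5737 documentation ranges.

```python
"""Toy port-NAT (PNAT) state table next to a static 1:1 NAT.  Added
illustration for the thread; addresses, ports and the router's public
address are all constructed."""

from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class PortNat:
    """Many-to-one NAT: inside (ip, port) pairs share one public address by
    source-port rewriting; the reverse mapping is kept so replies get home."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        # (inside_ip, inside_port, remote_ip, remote_port, proto) -> public port
        self.out_table: dict[tuple, int] = {}
        # (public_port, remote_ip, remote_port, proto) -> (inside_ip, inside_port)
        self.in_table: dict[tuple, tuple[str, int]] = {}
        self.dropped: list[Packet] = []

    def outbound(self, pkt: Packet) -> Packet:
        """Translate an inside->outside packet, creating state on first use."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        port = self.out_table.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.out_table[key] = port
            self.in_table[(port, pkt.dst_ip, pkt.dst_port, pkt.proto)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Deliver an outside->inside packet only if matching state exists;
        anything else has no inside destination and is dropped."""
        target = self.in_table.get((pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto))
        if target is None:
            self.dropped.append(pkt)
            return None
        inside_ip, inside_port = target
        return replace(pkt, dst_ip=inside_ip, dst_port=inside_port)


class OneToOneNat:
    """Static 1:1 NAT: every inbound packet to the public address is
    rewritten to the inside host and forwarded, solicited or not."""

    def __init__(self, public_ip: str, inside_ip: str) -> None:
        self.public_ip, self.inside_ip = public_ip, inside_ip

    def inbound(self, pkt: Packet) -> Packet:
        return replace(pkt, dst_ip=self.inside_ip)


PUBLIC_IP = "203.0.113.7"   # constructed: the router's outside address


def demo() -> dict:
    """One legitimate web connection, then one unsolicited probe at TCP/135
    (the 'port 135 crud' mentioned earlier) through each kind of NAT."""
    pnat = PortNat(PUBLIC_IP)
    one2one = OneToOneNat(PUBLIC_IP, "192.168.1.10")
    out = pnat.outbound(Packet("192.168.1.10", 51000, "198.51.100.5", 80))
    reply = pnat.inbound(Packet("198.51.100.5", 80, PUBLIC_IP, out.src_port))
    probe = Packet("198.51.100.99", 4444, PUBLIC_IP, 135)
    return {
        "translated_src_port": out.src_port,
        "reply_delivered_to": (reply.dst_ip, reply.dst_port) if reply else None,
        "pnat_probe": pnat.inbound(probe),        # None: no state, dropped
        "one2one_probe": one2one.inbound(probe),  # forwarded to the inside host
        "dropped": len(pnat.dropped),
    }
```

Real implementations age entries out of in_table and need protocol helpers for multi-connection protocols such as the FTP and H.323 cases Alexei mentions; none of that changes the picture above. Note also what the table says nothing about: it gates who can open a connection inward, not what an inside host chooses to fetch, which is the worm-by-attachment problem the rest of the thread is about.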



Re: 68.0.0.0/7 from 3303

2003-11-24 Thread Michael Whisenant
Well, looks like they have more bogon problems. They are sending 
128.161.0.0/3. These guys love claiming default gateway traffic?

At 07:00 PM 11/24/2003, [EMAIL PROTECTED] wrote:

> Would swisscom AS3303 please check your routers and stop this from
> propagating into routeviews...
> 
> route-views.oregon-ix.net>sh ip bgp 68.0.0.0/7
> BGP routing table entry for 68.0.0.0/7, version 12278613
> Paths: (1 available, best #1, table Default-IP-Routing-Table)
>   Not advertised to any peer
>   3277 13062 20485 8437 3303
> 194.85.4.249 from 194.85.4.249 (194.85.4.249)
>   Origin IGP, localpref 100, valid, external, best
> --
> William Leibzon
> Elan Networks
> [EMAIL PROTECTED]
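
Both announcements in this thread (68.0.0.0/7 and 128.161.0.0/3) would be caught by a plain prefix sanity filter on the receiving side. The following is an added example, not route-views or vendor code: it parses the `sh ip bgp` output quoted above to pull out the prefix, AS path and origin AS, then applies length bounds and a reserved-range check. The /8 to /24 bounds are a common operator convention assumed here, and the reserved list is the well-known private, loopback, link-local, multicast and class E space, not a complete bogon list for 2003.

```python
"""Prefix sanity checks for a received BGP announcement.  Added example;
the length bounds and the reserved list are assumptions described in the
lead-in, and the sample input is the route-views output from the thread."""

import ipaddress
import re

RESERVED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def parse_show_ip_bgp(text: str) -> dict:
    """Extract prefix, AS path and origin AS from IOS 'show ip bgp <prefix>'."""
    m = re.search(r"BGP routing table entry for (\S+),", text)
    if not m:
        raise ValueError("no 'BGP routing table entry' line found")
    prefix = m.group(1)
    path: list[str] = []
    for line in text.splitlines():
        # the AS path is the indented line made up only of AS numbers
        pm = re.match(r"^\s+(\d+(?:\s+\d+)*)\s*$", line)
        if pm:
            path = pm.group(1).split()
            break
    return {"prefix": prefix, "as_path": path,
            "origin_as": path[-1] if path else None}


def check_prefix(prefix: str, min_len: int = 8, max_len: int = 24) -> list[str]:
    """Return the reasons to reject the prefix; an empty list means it passes."""
    problems: list[str] = []
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError:
        # e.g. 128.161.0.0/3: bits below the mask are set, so it is not
        # even a well-formed network; keep going with the aligned form
        net = ipaddress.ip_network(prefix, strict=False)
        problems.append(f"host bits set: {prefix} is not a network (aligned form is {net})")
    if net.prefixlen < min_len:
        problems.append(f"prefix length /{net.prefixlen} shorter than /{min_len}")
    if net.prefixlen > max_len:
        problems.append(f"prefix length /{net.prefixlen} longer than /{max_len}")
    for r in RESERVED:
        if net.overlaps(r):
            problems.append(f"overlaps reserved {r}")
    return problems


# The route-views output quoted in this thread, used as sample input.
SAMPLE = """\
route-views.oregon-ix.net>sh ip bgp 68.0.0.0/7
BGP routing table entry for 68.0.0.0/7, version 12278613
Paths: (1 available, best #1, table Default-IP-Routing-Table)
  Not advertised to any peer
  3277 13062 20485 8437 3303
194.85.4.249 from 194.85.4.249 (194.85.4.249)
  Origin IGP, localpref 100, valid, external, best
"""


def audit(text: str = SAMPLE) -> dict:
    """Parse one 'show ip bgp' entry and attach the filter's verdict."""
    entry = parse_show_ip_bgp(text)
    entry["problems"] = check_prefix(entry["prefix"])
    return entry
```

Run on the sample, audit() reports origin AS 3303 and a single problem, the /7 being shorter than the /8 floor; 128.161.0.0/3 fails twice, once for the length and once because the address is not aligned to its mask, which is the kind of thing a router will happily accept and pass along if nothing in front of it objects.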


