Re: sniffer/promisc detector

2004-01-18 Thread E.B. Dreger

DJ> Date: Sat, 17 Jan 2004 14:57:19 -0500
DJ> From: Deepak Jain


DJ> I know most people don't take the time to hard code their
DJ> MACs onto their switch ports, but it really only takes a few
DJ> seconds per switch with a little cutting & pasting -- as
DJ> customer switches a network port, they just need to open a
DJ> ticket to have the address changed.

In the same vein, hardcoded router ARP entries in router configs
also help.  Yes, spoofed gratuitous ARP packets are detectable,
but they can still cause trouble.


Eddy
--
Brotsman & Dreger, Inc. - EverQuick Internet Division
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita
_
  DO NOT send mail to the following addresses :
  [EMAIL PROTECTED] -or- [EMAIL PROTECTED] -or- [EMAIL PROTECTED]
Sending mail to spambait addresses is a great way to get blocked.
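
As an added example (not code from the thread or its authors): a small Python ARP monitor that parses raw Ethernet/ARP frames and checks them against a hard-coded IP-to-MAC table, the host-side counterpart of the static router ARP entries and per-port MAC bindings discussed above. The binding table, the MAC and IP addresses and the sample frames are all placeholders constructed inside the script.

```python
# Added example, not from the NANOG thread: check ARP traffic against a
# static IP -> MAC table and flag spoofed or gratuitous ARP.
import struct

ETHERTYPE_ARP = 0x0806

# Assumed static binding table (placeholder addresses, not real hosts).
STATIC_ARP = {
    "10.0.0.1": "00:11:22:33:44:55",   # router
    "10.0.0.2": "00:11:22:33:44:66",   # a host on the same segment
}

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))

def ip_str(b):
    return ".".join(str(x) for x in b)

def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))

def parse_arp(frame):
    """Parse an Ethernet II frame carrying IPv4-over-Ethernet ARP.
    Returns a dict of fields, or None if the frame is not such an ARP packet."""
    if len(frame) < 14 + 28:
        return None
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    return {
        "op": op, "sha": mac_str(sha), "spa": ip_str(spa),
        "tha": mac_str(tha), "tpa": ip_str(tpa),
        "eth_src": mac_str(src), "eth_dst": mac_str(dst),
    }

def check_arp(arp, table=STATIC_ARP):
    """Return a list of alert strings for one parsed ARP packet."""
    alerts = []
    if arp is None:
        return alerts
    expected = table.get(arp["spa"])
    # A sender claiming a protected IP with the wrong hardware address.
    if expected is not None and arp["sha"] != expected:
        alerts.append(f"spoof: {arp['spa']} claimed by {arp['sha']}, "
                      f"expected {expected}")
    # Gratuitous ARP: sender and target protocol address are the same.
    if arp["spa"] == arp["tpa"]:
        alerts.append(f"gratuitous ARP for {arp['spa']} from {arp['sha']}")
    return alerts

def build_arp(op, sha, spa, tha, tpa):
    """Construct an Ethernet+ARP frame; used only to make sample input."""
    eth_dst = b"\xff" * 6 if op == 1 else mac_bytes(tha)
    eth = struct.pack("!6s6sH", eth_dst, mac_bytes(sha), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))
    return eth + arp

def scan(frames, table=STATIC_ARP):
    """Run every frame through the parser and checker; collect alerts."""
    out = []
    for f in frames:
        out.extend(check_arp(parse_arp(f), table))
    return out

# Constructed sample frames: one legitimate reply from the router, one
# gratuitous reply from an unknown MAC claiming the router's address.
SAMPLE_FRAMES = [
    build_arp(2, "00:11:22:33:44:55", "10.0.0.1", "00:11:22:33:44:66", "10.0.0.2"),
    build_arp(2, "de:ad:be:ef:00:01", "10.0.0.1", "ff:ff:ff:ff:ff:ff", "10.0.0.1"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_FRAMES):
        print(alert)
```

On a live box the frames would come from a raw socket or a pcap reader bound to an interface that, as the thread notes elsewhere, need not carry an IP address of its own; the table is the same data you would push into the switch's port-security configuration.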



Re: SMTP problems from *.ipt.aol.com

2004-01-18 Thread E.B. Dreger

SR> Date: Sat, 17 Jan 2004 08:24:06 +0530
SR> From: Suresh Ramasubramanian


SR> AOL has, since the past several months (over a year I think)
SR> set up their dynamic IP pool *.ipt.aol.com to hijack port 25

I recall seeing this in November 2002, and believe it had already
been in place for a few months...


SR> outbound requests and reroute it through a set of their own
SR> mailservers, that do some elementary rate limiting and
SR> filtering.


Eddy



Re: What's the best way to wiretap a network?

2004-01-18 Thread Sean Donelan

On Sun, 18 Jan 2004, Steven M. Bellovin wrote:
> In message <[EMAIL PROTECTED]>, Paul Vixie writes:
> >i'm fairly sure that this is what law enforcement uses for wiretap warrants.
>
> I believe you're correct.  In fact, I first learned of these devices
> from government documents during the Carnivore discussions a few years
> ago.

Lots of people seem to be making the assumption that all networks work
the same way or everyone wants the same data. Tapping an OC192 SONET
circuit is expensive, but relatively straightforward.  Tapping a V.92
analog modem is expensive and not straightforward.  Tapping WiFi-to-WiFi
traffic is cheap, but only if you are local.  A sniffer on an upstream
switch won't see the traffic below a network access point.

But a Title III warrant for "full content" is relatively difficult to
obtain in the US.  The public reports filed with the courts show a small
percentage of wiretaps require full content.  What's also interesting is
if you read the various public submissions to many different working
groups since the Carnivore discussions a few years ago, you'll notice a
dramatic re-definition of more and more data as "call identification
information" instead of "content."

The public proposals also seem to be somewhat arbitrary about which provider
gets "tasked" with collecting the wiretap data.  Should the first mile or
last mile or middle mile provider be tasked with isolating call
identification information and decoding it?

So what is the best way to wiretap a target using public WiFi hotspots
connected through multiple wholesale providers and service providers
to collect call identification information about who the target is
communicating with through multiple application protocols including
Webmail, IM and massively multi-player role playing games?






Re: What's the best way to wiretap a network?

2004-01-18 Thread Bohdan Tashchuk

> You can plug a mini-hub in line and use that as a tap point to monitor
> the stream. Up side is its cheap and easy. Down side is you have to
> drop to half duplex. Not a problem in most situations but in some the
> drop in performance can be an issue.
Don't throw out your old hubs. It's hard to find a 10/100 hub for sale 
any more. Even the cheap consumer devices are switches. I picked up a 
$25 hub at Fry's a few weeks ago just in case I ever wanted to casually 
snoop some traffic. But Fry's is sold out.

The netoptics.com link posted was "priceless". I'm always wary of
simple products that are expensive enough to have a request for quote,
rather than a price, on their web page.


Re: Nanog30 socialising

2004-01-18 Thread Bill Woodcock


If your too-many-frequent-flyer-miles aren't on United, you may not have
noticed the following:

http://www.hemispheresmagazine.com/three/2003/south-beach.htm

This month's "Three Perfect Days" column in the United in-flight magazine
features South Beach.  And they have a previous one on Miami generally:

http://www.hemispheresmagazine.com/three/1998/miami.htm


-Bill




OT: tos bits - current usage

2004-01-18 Thread Simon Waters

Can anyone point me to any resources describing the current usage of the
tos precedence bits?

Specifically what happens in practice, not what is supposed to happen (I
can find the RFCs and IETF documents okay).

Prompted by noting that a lot of spambots set the lowest precedence bit
(tos 0x20 in tcpdump), I assume this is just a reflection of what
operating system is in use/has been compromised?

Internet search engines seem to think the whole point of the tos bits is
to allow you to more accurately fingerprint remote operating systems, at
least that is what the naive searcher might conclude.




Re: What's the best way to wiretap a network?

2004-01-18 Thread Steven M. Bellovin

In message <[EMAIL PROTECTED]>, Paul Vixie writes:
>

>i'm fairly sure that this is what law enforcement uses for wiretap warrants.

I believe you're correct.  In fact, I first learned of these devices 
from government documents during the Carnivore discussions a few years 
ago.

--Steve Bellovin, http://www.research.att.com/~smb




Re: What's the best way to wiretap a network?

2004-01-18 Thread Paul Vixie

> > Assuming lawful purposes, what is the best way to tap a network
> > undetectable
> 
> ...
> The best solution I've found is to use an Ethernet tap. It allows you to
> piggy back off of an existing connection and monitor all the traffic
> going to and from that system. Its pretty undetectable, does not use any
> additional switch ports, and allows you to run full duplex. A number of
> vendors sell them and a Google will give you sites on how to make them.
> ...

i hadn't thought of making my own -- that sounds like a fun project.

for f-root, we've (isc) been installing the netoptics version of this:

http://www.netoptics.com/products/product_family.asp?cid=1&Section=products&sid=439813.237927026&menuitem=1

works great.  it's basically a hub, but with the interesting feature of
letting you monitor TX and RX separately, and full duplex is preserved.
(it takes 2x100Mbit to fully monitor a full duplex 100Mbit link.)  it
also fails into "connected" mode if power is dropped.  so if both power
blobs die, you lose monitoring, but not connectivity.

there are also 1000-TX, 1000-SX, DS3, sonet and other versions, plus combos.

i'm fairly sure that this is what law enforcement uses for wiretap warrants.
-- 
Paul Vixie


Re: New IPv4 Allocation to ARIN

2004-01-18 Thread jlewis

On Sun, 18 Jan 2004, Petri Helenius wrote:

> >It's those dang Nachi-sized ICMP echo/echo-replies.  We block those at all 
> >our transit points and dial-up ports.  Nachi was killing our cisco 
> >access-servers until we did this to stop the spread.

> I know what they are and how to get around them. I just look down on people
> dropping my packets in their backbones without reason.

I wasn't joking or kidding about the above.  Many others who run dialup 
services saw similar problems (both with cisco and other vendor's gear).  
Blocking these size/type packets, as per suggestions from cisco's web site 
was the easiest way to keep our network up, and prevent additional 
infections both into and out from our customers.

Have others who implemented them dropped their echo/echo-reply 92-byte 
filters?

If tracert defaulted to udp like just about every "unix" traceroute or 
allowed you to vary the packet size or protocol, this wouldn't be as much 
of an issue.
  
--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: New IPv4 Allocation to ARIN

2004-01-18 Thread Petri Helenius

Pete Templin wrote:

> He has a reason: that virus was melting down his network (and was
> melting down lots of networks).

I point to the word "backbone". If your dial servers melt, block the
packets at dial servers, don't launch weapon of mass packet destruction
to all traffic. Filtering should be more targeted so it does not kill or
hamper what it's supposed to protect in the first place.

Pete




Re: New IPv4 Allocation to ARIN

2004-01-18 Thread Pete Templin


Petri Helenius wrote:
> [EMAIL PROTECTED] wrote:
>
> > It's those dang Nachi-sized ICMP echo/echo-replies.  We block those at
> > all our transit points and dial-up ports.  Nachi was killing our cisco
> > access-servers until we did this to stop the spread.
>
> I know what they are and how to get around them. I just look down on people
> dropping my packets in their backbones without reason.

He has a reason: that virus was melting down his network (and was
melting down lots of networks).

If viruses came with instructions, documentation, and source code, we 
could all rest assured that it did completely self-destruct this month. 
 Instead, we're all watching in wait, and leaving filters handy or in 
place.

(I'd mention the Nachi filtering I had to do and the implications of how 
I had to do it based on the platform I'm using, but my flamesuit is all 
tattered just trying to find a safe tool to read my mail.)

pt


Re: New IPv4 Allocation to ARIN

2004-01-18 Thread Petri Helenius

[EMAIL PROTECTED] wrote:

> It's those dang Nachi-sized ICMP echo/echo-replies.  We block those at all
> our transit points and dial-up ports.  Nachi was killing our cisco
> access-servers until we did this to stop the spread.
>
> Unfortunately, this breaks Windows tracert as it uses 92-byte echo
> requests.  Use a "real" traceroute, and you won't see this problem.

I know what they are and how to get around them. I just look down on people
dropping my packets in their backbones without reason.

Pete
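
An added example, not code from the thread or any of its posters: a Python classifier that applies the 92-byte ICMP echo/echo-reply drop rule argued over in this sub-thread to raw IPv4 packets. The packets are constructed inside the script (RFC 5737 documentation addresses, zeroed checksums), and the cases show the Nachi-sized probe and a Windows tracert probe both being dropped, while a UDP traceroute probe, a default Windows ping and a 93-byte echo request all pass. The builder functions and sample names are part of this example, not anything the posters wrote.

```python
# Added example, not from the NANOG thread: apply the "drop 92-byte ICMP
# echo / echo-reply" filter to raw IPv4 packets and see what it catches.
import struct

IPPROTO_ICMP = 1
IPPROTO_UDP = 17
ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
NACHI_TOTAL_LEN = 92   # 20-byte IP header + 8-byte ICMP header + 64 data bytes

def build_ipv4(proto, payload, src="192.0.2.1", dst="198.51.100.1", ttl=64):
    """Construct a minimal IPv4 packet (no options, checksum left zero) for samples."""
    total = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, ttl, proto, 0,
                      bytes(int(x) for x in src.split(".")),
                      bytes(int(x) for x in dst.split(".")))
    return hdr + payload

def build_icmp_echo(icmp_type, data, ident=1, seq=1):
    """ICMP echo request/reply header (checksum zero) plus data."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + data

def build_udp(sport, dport, data):
    """UDP header (checksum zero) plus data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def classify(pkt):
    """Verdict under the Nachi-era filter: drop ICMP echo/echo-reply whose
    IPv4 total length is exactly 92 bytes, permit everything else.
    Returns (verdict, reason)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return ("permit", "not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    proto = pkt[9]
    if proto != IPPROTO_ICMP or len(pkt) < ihl + 8:
        return ("permit", f"proto {proto}")
    icmp_type = pkt[ihl]
    if icmp_type in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY) and total_len == NACHI_TOTAL_LEN:
        return ("drop", f"icmp type {icmp_type}, {total_len} bytes")
    return ("permit", f"icmp type {icmp_type}, {total_len} bytes")

# Constructed samples, labelled by what they imitate.
SAMPLES = {
    # Nachi-style probe: 64 data bytes -> 92-byte packet
    "nachi_probe": build_ipv4(
        IPPROTO_ICMP, build_icmp_echo(ICMP_ECHO_REQUEST, b"\xaa" * 64)),
    # Windows tracert also sends 64 data bytes (the thread's point), so it
    # is collateral damage of the length match
    "windows_tracert": build_ipv4(
        IPPROTO_ICMP, build_icmp_echo(ICMP_ECHO_REQUEST, b"\x00" * 64), ttl=1),
    # Windows ping default is 32 data bytes -> 60-byte packet, passes
    "windows_ping": build_ipv4(
        IPPROTO_ICMP, build_icmp_echo(ICMP_ECHO_REQUEST, b"abcdefghijklmnopqrstuvwxyzabcdef")),
    # Unix-style traceroute: UDP to a high port, never matched by the rule
    "unix_traceroute": build_ipv4(
        IPPROTO_UDP, build_udp(33434, 33434, b"\x00" * 12), ttl=1),
    # One extra data byte: the exact-length match lets it through
    "probe_93": build_ipv4(
        IPPROTO_ICMP, build_icmp_echo(ICMP_ECHO_REQUEST, b"\xaa" * 65)),
}

def run_filter(samples=SAMPLES):
    """Map each sample name to its verdict."""
    return {name: classify(pkt)[0] for name, pkt in samples.items()}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:16s} {classify(pkt)}")
```

The exact-length match is what makes the rule cheap enough to run on access gear and also what makes it blunt: it cannot tell a worm probe from a tracert probe of the same size, and a probe one byte longer sails through, which is why the thread's suggestion to scope such filters narrowly (dial ports rather than backbone) matters.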




Re: What's the best way to wiretap a network?

2004-01-18 Thread Chris Brenton

On Sat, 2004-01-17 at 21:08, Sean Donelan wrote:
>
> Assuming lawful purposes, what is the best way to tap a network
> undetectable

The best way to go undetectable is easy: run the sniffer without an IP
address. The best way to tap a network varies with your setup. If you're
repeated, just plug in and go. If you're switched (which most of us are),
you need to figure out how to get in the middle of the data stream you
want to monitor.

The best solution I've found is to use an Ethernet tap. It allows you to
piggy back off of an existing connection and monitor all the traffic
going to and from that system. It's pretty undetectable, does not use any
additional switch ports, and allows you to run full duplex. A number of
vendors sell them and a Google will give you sites on how to make them.

You can plug a mini-hub in line and use that as a tap point to monitor
the stream. Up side is its cheap and easy. Down side is you have to drop
to half duplex. Not a problem in most situations but in some the drop in
performance can be an issue.

Many switch vendors include a copy or mirror port that allows you to
replicate all traffic to and from a specific port, to some other port
where you can plug in your sniffer. Up side here is ease of
configuration. If you want to start monitoring a different port it's a
simple configuration change within your switch. Down side is you could
end up missing packets (I've run into this myself). Seems when some/many
switches get busy the first thing they stop doing is copying packets to
the mirror port.

There are tools out there like Dsniff and Ettercap that allow you to
sniff in a switched environment. I recommend you avoid them because they
tend to either work or hose your network. You don't want to DoS
yourself. ;-)

>  to the surveillance subject, not missing any
> relevant data, and not exposing the installer to undue risk?

Sniffing is a passive function so it's always possible you are going to
miss data. It all depends on the capabilities of the box recording the
packets.

As for "risk", that's always there as well. For example check the
Bugtraq archives and you are going to find exploits that work against
tools like Tcpdump and Snort. The attacks go after the way the software
processes the packet. So even if you are running without an IP address
it's possible that someone with malicious intent can DoS the box.

HTH,
C 
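
An added example, not code from the thread or from Chris or Paul: the mirror-port drops Chris describes and the two-leg tap Paul describes (TX and RX monitored on separate NICs) both leave the same evidence in a capture, holes in the TCP sequence space. This Python snippet merges per-leg capture records by timestamp and reports per-flow gaps, which is the check you run before trusting a SPAN port or a tap under load. The record format, the host addresses, the sequence numbers and the dropped segment are all constructed for the example.

```python
# Added example, not from the NANOG thread: detect silent capture loss
# (busy mirror port, or a tap leg that missed a frame) from TCP sequence gaps.
from collections import defaultdict

# Constructed capture record: (timestamp, src, dst, seq, payload_len, is_syn).
# In a real tap deployment these would be pulled out of the TX-leg and
# RX-leg pcap files with a packet parser.
A, B = "10.0.0.5", "10.0.0.9"

TX_LEG = [
    (0.000, A, B, 1000, 0, True),     # SYN
    (0.002, A, B, 1001, 100, False),
    (0.003, A, B, 1101, 100, False),
    # (0.004, A, B, 1201, 100) was dropped by the mirror port under load
    (0.005, A, B, 1301, 100, False),
    (0.007, A, B, 1101, 100, False),  # retransmission, must not count as a gap
]

RX_LEG = [
    (0.001, B, A, 5000, 0, True),     # SYN/ACK
    (0.004, B, A, 5001, 50, False),
    (0.006, B, A, 5051, 50, False),
]

def merge_legs(*legs):
    """Merge per-leg captures (each already in time order) into one timeline."""
    return sorted((r for leg in legs for r in leg), key=lambda r: r[0])

def find_gaps(records):
    """Return {(src, dst): [(expected_seq, seen_seq), ...]} for every place the
    capture skipped bytes of a flow. A gap is a segment that starts beyond the
    highest sequence number we have seen so far; segments at or below it
    (retransmissions) are ignored. SYN consumes one sequence number."""
    expected = {}
    gaps = defaultdict(list)
    for ts, src, dst, seq, plen, is_syn in records:
        flow = (src, dst)
        if is_syn:
            expected[flow] = seq + 1
            continue
        if flow not in expected:
            # Capture started mid-stream: nothing to compare against yet.
            expected[flow] = seq + plen
            continue
        if seq > expected[flow]:
            gaps[flow].append((expected[flow], seq))
        if seq + plen > expected[flow]:
            expected[flow] = seq + plen
    return dict(gaps)

def capture_report(*legs):
    """Bytes of each flow that the capture provably did not record."""
    gaps = find_gaps(merge_legs(*legs))
    return {flow: sum(end - start for start, end in holes)
            for flow, holes in gaps.items()}

if __name__ == "__main__":
    for flow, missing in capture_report(TX_LEG, RX_LEG).items():
        print(f"{flow[0]} -> {flow[1]}: {missing} bytes missing from capture")
```

A clean capture returns an empty dict; a non-empty one on a SPAN port is the symptom Chris mentions, and on a two-NIC tap it usually means one leg's NIC or capture process could not keep up, which is the "2x100Mbit to monitor a full duplex 100Mbit link" point from Paul's post.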




Re: One-element vs two-element design

2004-01-18 Thread Petri Helenius

Eric Kuhnke wrote:

> Last year, a Boeing in flight over the middle of the pacific ocean had
> its entire glass cockpit system go dark.  After frantic conversation
> with the air traffic controllers a decision was made to toggle the
> circuit breakers for the TRIPLE-REDUNDANT computer system onboard,
> which brought back the displays.  Even with a 2+1 setup, things can
> still go wrong...

Most, if not all, redundant systems have a single instance of
synchronization protocol. One significant vendor of packet forwarding
gear was known for hanging the secondary RP almost every time when the
primary failed. The hang was usually associated with chatter failing
with the failed card :-)

Pete