Re: Juniper "pepsi"
On Wed, 2004-03-03 at 14:52, Eric Kuhnke wrote:
> I have heard rumors of a new low-end 1U Juniper router, aimed directly
> at replacing the 2600/3600 series. Supposedly its code name is
> "Pepsi"... Does anyone have more info on this? :-)

No, but hope so.

Dee

--
W.D.McKinney <[EMAIL PROTECTED]>
Re: Bagle and other recent viruses (Was: warning - new trend of attempts to infect ISP users, possibly virus)
Also the following is talking about the same too:
http://www.cmpnetasia.com/ViewArt.cfm?Artid=23047&Catid=3&subcat=50

"Dueling Hackers Sparked Bagle, Netsky Worm Blitz
Gregg Keizer, TechWeb News, 3-Mar-2004

Security analysts are asking themselves whether the wave of malicious worms that began traversing the Internet Friday and continued their blitz Tuesday was a coordinated attack or mischievous coincidence.

No question it has been a deluge of worms. Seven variations of Bagle and two of Netsky surfaced in the last five days. Was the flood just happenstance? Or was there something more devious behind the surge?

The answer, said security experts, is a bit of both, with some fighting over hacker turf thrown in for good measure ..."

On Thu, 4 Mar 2004, william(at)elan.net wrote:
> On Wed, 3 Mar 2004, Stephen J. Wilcox wrote:
>
> > Perhaps I'm only following this as it's affecting us more, but I don't recall a
> > time previously when I've had so many viruses hitting us and getting thro our
> > scanners with nothing we can do about it. I don't recall seeing viruses with
> > variants as high as 'j' before, especially in the relatively short time since
> > the previous variants were out
> >
> > Seriously, drop some references if I'm off-track.. it's just my perception and
> > I'm not an expert at all with viruses...
>
> This might be an interesting reading on this point -
> http://www.pcpro.co.uk/news/news_story.php?id=54437
> "Rapid MyDoom, Bagle and Netsky variants do battle to control your computer
>
> New variants of MyDoom, Bagle and Netsky arrive in quick succession as the
> battle to control infected computers heats up.
>
> Sophos has issued alerts this morning for MyDoom-G and H, Bagle-J and K
> and Netsky F.
>
> The worms are fighting for the control of infected computers which the
> virus writers can use for their nefarious activities. Bagle-J contains the
> text 'Hey,NetSky, [expletives removed], don't ruine our bussiness, wanna
> start a war?'
>
> 'You wish that they would have this slagging match on a message board or
> in a dark alley, rather than on the Internet,' said Graham Cluley, senior
> technology consultant for Sophos. 'It's like an argument where everyone
> wants the last word.' So the flood of viruses doesn't look likely to end
> any time soon.
>
> The text in Bagle-J supports the theories of antivirus companies that
> virus writers are being given a financial incentive to write these worms -
> perhaps by spammers who can send their emails through the infected
> machines.
>
> And indeed previous variants of Bagle and Netsky remove evidence of
> infection by their rivals
> ..."
>
> --
> William Leibzon
> Elan Networks
> [EMAIL PROTECTED]
Bagle and other recent viruses (Was: warning - new trend of attempts to infect ISP users, possibly virus)
On Wed, 3 Mar 2004, Stephen J. Wilcox wrote:

> Perhaps I'm only following this as it's affecting us more, but I don't recall a
> time previously when I've had so many viruses hitting us and getting thro our
> scanners with nothing we can do about it. I don't recall seeing viruses with
> variants as high as 'j' before, especially in the relatively short time since
> the previous variants were out
>
> Seriously, drop some references if I'm off-track.. it's just my perception and
> I'm not an expert at all with viruses...

This might be an interesting reading on this point -
http://www.pcpro.co.uk/news/news_story.php?id=54437
"Rapid MyDoom, Bagle and Netsky variants do battle to control your computer

New variants of MyDoom, Bagle and Netsky arrive in quick succession as the battle to control infected computers heats up.

Sophos has issued alerts this morning for MyDoom-G and H, Bagle-J and K and Netsky F.

The worms are fighting for the control of infected computers which the virus writers can use for their nefarious activities. Bagle-J contains the text 'Hey,NetSky, [expletives removed], don't ruine our bussiness, wanna start a war?'

'You wish that they would have this slagging match on a message board or in a dark alley, rather than on the Internet,' said Graham Cluley, senior technology consultant for Sophos. 'It's like an argument where everyone wants the last word.' So the flood of viruses doesn't look likely to end any time soon.

The text in Bagle-J supports the theories of antivirus companies that virus writers are being given a financial incentive to write these worms - perhaps by spammers who can send their emails through the infected machines.

And indeed previous variants of Bagle and Netsky remove evidence of infection by their rivals
..."

--
William Leibzon
Elan Networks
[EMAIL PROTECTED]
Re: dealing with w32/bagle
Too many steps.

On Thu, 4 Mar 2004, Stephen Milton wrote:
>
> dropload.com seems to me to be the perfect model for anonymous file
> delivery over the internet. Their system doesn't use SSL yet, but it
> would be the logical next step.
>
> Here is their description:
>
> Dropload is a place for you to drop your files off and have them
> picked up by someone else at a later time. Recipients you specify are
> sent an email with instructions on how to download the file. Files
> are removed from the system after 48 hours, regardless if they have
> been picked up or not. Recipients can be anyone with an email address
>
> The whole system uses HTTP for the transfer, no FTP hassles.

--
Curtis Maurand
mailto:[EMAIL PROTECTED]
http://www.maurand.com
Re: dealing with w32/bagle
On Thu, 4 Mar 2004, Laurence F. Sheldon, Jr. wrote:
>
> Jeff Shultz wrote:
>
> > ** Reply to message from "Laurence F. Sheldon, Jr."
> > <[EMAIL PROTECTED]> on Wed, 03 Mar 2004 22:04:44 -0600
> >
> >
> > Okay, so what are several ways to share files with a friend, where you
> > don't share any accounts or passwords, and where only your friend will
> > be able to access them?

[snip]

> Actually FTP can be made secure.
>
> That and all of the other ideas I might propose require some development
> work and some change of attitudes.
>
> Here is the answer I gave in private email to fundamentally the same
> question:
>
> quote

[snip]

> E realizes that persons G and H need to be at that meeting and
> "forwards" the message _and_the_document_ to them. (In one case in my
> past, "G" was the last person in Creation that should have gotten the
> document early.)
>
> If the message is stored under PKI with A's key all of that and the
> system overhead goes away.
>
> There are others.
> unquote
>

But nothing that's been developed. Joe user's ip address changes on a regular basis. One would still need to find that machine. DNS gets cached (some go past TTL's I've set.) and is too static to be an effective means to get a file. Most instant messengers have facilities for exchanging files, but both sides need to be connected at the same time. Having that file in an email is better.

I like SCP, too. It works well, so well that I use that, instead of ftp. You still have to find the other end that has its address changed every day or two. With email, only one end needs to be connected at any one time.

email is about the most convenient and easiest way that I know of to get pictures of little Johnnie to Grandmother in a way that is easy for her to understand. Whatever anyone proposes needs to be that easy. Chances are that Grandma's not a geek like most of us.

Curtis

--
Curtis Maurand
mailto:[EMAIL PROTECTED]
http://www.maurand.com
Re: dealing with w32/bagle
On Thu, 4 Mar 2004 10:17:47 -0800, Stephen Milton wrote:
>
>dropload.com seems to me to be the perfect model for anonymous file
>delivery over the internet.

I have also bookmarked, but have never used:

http://www.sharemation.com/xythoswfs/webui?action=login&subaction=newuser
http://www.kturn.com/
http://www.swapdrive.com/

Anyone who has used please report results back

Jeffrey Race
Re: iMPLS benefit
Hey Suki,

On Thu, Mar 04, 2004 at 02:14:20PM -0800, sonet twister wrote:
>> Hello,
>>
>> I heard there is a way to run MPLS for layer3 VPN(2547)
>> service without needing to run label switching in the
>> core(LDP/TDP/RSVP) but straight IP (aka iMPLS).

ftp://ftp.ietf.org/internet-drafts/draft-townsley-l2tpv3-mpls-01.txt

See also Mark's talk from the last NANOG
http://nanog.org/mtg-0402/townsley.html

>> Anyone running this in a live network yet? Thanks in advance
>> for any information.

Yes.

Dave

>> Suki Lim
>> Blacksburg, VA
>> ee.VA.TECH
iMPLS benefit
Hello,

I heard there is a way to run MPLS for layer3 VPN(2547) service without needing to run label switching in the core(LDP/TDP/RSVP) but straight IP (aka iMPLS).

Anyone running this in a live network yet? Thanks in advance for any information.

Suki Lim
Blacksburg, VA
ee.VA.TECH
RE: Bagle, not that smart
Bagle seems to simply grab everything up to and not including the second '.' Right-to-Left.

I doubt they took subdomains into consideration... I'm sure that now that you mentioned it here, this will be fixed in the next revision (I wonder if they file bugs with themselves?)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rubens Kuhl Jr.
Sent: Thursday, March 04, 2004 4:05 PM
To: [EMAIL PROTECTED]
Subject: Bagle, not that smart

This is a bagle sample I've received; it seems they have somewhat to learn about ccTLDs (there is no org.br domain), and to what FROM to choose (an address for university admissions wouldn't send you a support message).

Rubens

- Original Message -
From: [EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, March 04, 2004 3:50 PM
Subject: [blacklist] Notify about using the e-mail account.

Dear user, the management of Org.br mailing system wants to let you know that,

We warn you about some attacks on your e-mail account. Your computer may contain viruses, in order to keep your computer and e-mail account safe, please, follow the instructions.

For details see the attached file.

In order to read the attach you have to use the following password: 46742.

Kind regards,
The Org.br team
http://www.org.br

[The parts of this message that did not contain text were removed]
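The behaviour described in this message (the sender name is the last two labels of the recipient's own domain) can be turned into a mail-filter heuristic. The sketch below is an added example, not part of the original thread; the recipient address and the short suffix list are constructed, and the function names are hypothetical.

```python
import re

# Constructed subset of registry-controlled suffixes (assumption); a real
# filter would load the full Public Suffix List instead.
PUBLIC_SUFFIXES = {"com", "org", "net", "br", "com.br", "org.br",
                   "co.uk", "org.uk"}

# Phrases taken from the sample quoted in the thread.
CLAIM_PATTERNS = [
    re.compile(r"management of ([A-Za-z0-9.-]+) mailing system", re.I),
    re.compile(r"\bThe ([A-Za-z0-9.-]+) team\b", re.I),
]
PASSWORD_PATTERN = re.compile(r"password:\s*\S+", re.I)

# Constructed recipient (the real one is redacted in the archive).
SAMPLE_RECIPIENT = "user@lists.example.org.br"
SAMPLE_BODY = """Dear user, the management of Org.br mailing system wants to let you know that,
We warn you about some attacks on your e-mail account.
For details see the attached file.
In order to read the attach you have to use the following password: 46742.
Kind regards,
The Org.br team
http://www.org.br
"""


def last_two_labels(address):
    """Everything right of the second '.' from the right, as described above."""
    domain = address.rsplit("@", 1)[-1].lower().rstrip(".")
    return ".".join(domain.split(".")[-2:])


def claimed_senders(body):
    """Names the body presents as the sending organisation."""
    return {m.group(1).lower().strip(".")
            for pattern in CLAIM_PATTERNS
            for m in pattern.finditer(body)}


def indicators(recipient, body):
    """Return the list of heuristics that fire for one delivered message."""
    found = []
    claims = claimed_senders(body)
    # The "organisation" was derived mechanically from the recipient address.
    if last_two_labels(recipient) in claims:
        found.append("sender-name-derived-from-recipient")
    # No organisation can be named after a registry suffix such as org.br.
    if claims & PUBLIC_SUFFIXES:
        found.append("sender-name-is-public-suffix")
    # The password for the attached archive travels in the same message.
    if PASSWORD_PATTERN.search(body):
        found.append("archive-password-in-body")
    return found


if __name__ == "__main__":
    print(indicators(SAMPLE_RECIPIENT, SAMPLE_BODY))
```

The second indicator only fires for recipients under a multi-label suffix; the first and third also fire when the derived name happens to be a real domain.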
Bagle, not that smart
This is a bagle sample I've received; it seems they have somewhat to learn about ccTLDs (there is no org.br domain), and to what FROM to choose (an address for university admissions wouldn't send you a support message).

Rubens

- Original Message -
From: [EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, March 04, 2004 3:50 PM
Subject: [blacklist] Notify about using the e-mail account.

Dear user, the management of Org.br mailing system wants to let you know that,

We warn you about some attacks on your e-mail account. Your computer may contain viruses, in order to keep your computer and e-mail account safe, please, follow the instructions.

For details see the attached file.

In order to read the attach you have to use the following password: 46742.

Kind regards,
The Org.br team
http://www.org.br

[The parts of this message that did not contain text were removed]
Re: SPAM Prevention/Blacklists
From Richard Welty, received 3/3/04, 19:36 -0500 (GMT):

Mind if I ask why you don't use the sbl-xbl?

keep in mind that the sbl is the combination of "sbl classic" with the xbl, where the xbl is currently a feed of the cbl that may at a later date incorporate additional lists or data.

I trust you mean sbl-xbl is the combination...

sbl.spamhaus.org (direct spam sources & spam outfits)
xbl.spamhaus.org (3rd party exploits/trojans/proxies/etc.)
sbl-xbl.spamhaus.org (combination of the two)

--
Steve Linford
The Spamhaus Project
http://www.spamhaus.org
Routing Policy
Does anybody have a list of the hot-potato/cold-potato routing policy of the 10-20 biggest ISP's (MCI, Sprint, AT&T, Verio, etc)? I know Boardwatch used to publish that in their yearly ISP guide, but I haven't been able to find it since they went out of print. Peder
Re: dealing with w32/bagle
Laurence F. Sheldon, Jr. wrote:

Jeff Shultz wrote:

** Reply to message from "Laurence F. Sheldon, Jr." <[EMAIL PROTECTED]> on Wed, 03 Mar 2004 22:04:44 -0600

Curtis Maurand wrote:

Until there's an easy way of getting a file to your friend down the street that's as easy as sending an email, we're stuck with this.

[snip]

My personal favorite that at one time would have been the easiest to develop has a MUA that "attaches" the document by storing the text in an HTTP-accessible archive (on the sender's machine? on the sender's MTA machine?) and including a URL in the email.

And how is this going to slow viruses passed around by the mad clickers? The email has a link they click on and the MUA downloads the message. This is pretty much how IMAP works anyway, just that the attachment is available for download at their IMAP server and arrived there over SMTP rather than some remote HTTP, FTP, or whatever server.

My personal objection to embedded attachments is not a product of the virus rage going on--

Ah, so this method of delivering content really is not meant to deal with this.

We have to face it. The only real technical solution I am aware of is not allowing users to run arbitrary code on their systems. It looks like if you allow that, someone will be able to socially engineer enough moro^W users to download malicious code and execute it.

C'mon, the current Bagle strains require the user to unzip the file, manually enter the password to the zip that's in the message body, then execute the unzipped file. It's spreading like wildfire. And we wonder who is gullible enough to buy spamvertized organ enlargement products or fall for a phishing scam?

--
Crist J. Clark [EMAIL PROTECTED]
Globalstar Communications (408) 933-4387
Re: UUNet Offer New Protection Against DDoS
On Thu, Mar 04, 2004 at 03:39:30PM +, Alex Bligh wrote:
> >A lot of people seem to be doing this.
>
> there is nothing (well very little) new in the world:
> http://www.merit.edu/mail.archives/nanog/1999-07/msg00083.html

Does anyone know if Cogent offer such a community? Anyone from Cogent on the line?

--
Avleen Vig
Systems Administrator
Personal: www.silverwraith.com
EFnet: irc.mindspring.com (Earthlink user access only)
Re: SPAM Prevention/Blacklists
Also, I like sender verification, but that's me.

i used it for some time, and reluctantly shut it down. blocked a lot of email abuse, but too many false positives for my taste.

Could you go into more detail? ... Maybe I have others I just don't know about? How many people send legit e-mail with return addresses which are bogus?

On a related note, for those of you interested, the IADB (ISIPP Accreditation Database) is now up and running, although not publicly announced yet. You can read information about it at:

http://www.isipp.com/iadb.php

What is unique about the IADB is that it is designed to list not only IP addresses, but also associated domains *if* the listee is publishing an SPF record, and conversely IADB listees will be able to get a unique "accreditation code" to put into their SPF records.

Anne

Anne P. Mitchell, Esq.
President/CEO
Institute for Spam and Internet Public Policy
Professor of Law, Lincoln Law School of SJ
w32/bagle variants
For the people talking about how quickly the variants have been produced ;) http://news.bbc.co.uk/1/hi/technology/3532009.stm Seems the authors are taunting each other in the code. Sam
Re: UUNet Offer New Protection Against DDoS
They also are not guaranteeing that opening up the ticket won't take more than 15 minutes. I know a number of networks (when they hear you want to open a ticket for something important), put you on hold, call/page whoever it is and then take 10 minutes to open a ticket.

I know I may be nitpicking, but having been on hold BEFORE I've opened a ticket doesn't make me very happy with time-sensitive SLAs.

DJ

Lumenello, Jason wrote:

No, but it sounds like SLA payouts are made in the event that they fail to respond in 15 minutes after a call is made. Maybe I am misinterpreting their SLA, but this seems much different than offering blanket payments for DoS down time.

I will give them credit for guaranteeing a response in 15 minutes or less. Now is a response the opening of a ticket or the null routing of the attack traffic in 15 minutes?

Jason

-Original Message-
From: Suresh Ramasubramanian [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 03, 2004 7:21 PM
To: Randy Bush
Cc: [EMAIL PROTECTED]; Lumenello, Jason
Subject: Re: UUNet Offer New Protection Against DDoS

Randy Bush [3/4/2004 6:40 AM] :

i think the north american idiom is putting your money where your mouth is.

Thank you. That's exactly what I was driving at.

Hmm.. one of the people in that "we've been doing this too" thread was XO. Do I take it then that XO provides for DDoS downtime in its SLA?

--
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations
Re: dealing with w32/bagle
dropload.com seems to me to be the perfect model for anonymous file delivery over the internet. Their system doesn't use SSL yet, but it would be the logical next step.

Here is their description:

Dropload is a place for you to drop your files off and have them picked up by someone else at a later time. Recipients you specify are sent an email with instructions on how to download the file. Files are removed from the system after 48 hours, regardless if they have been picked up or not. Recipients can be anyone with an email address

The whole system uses HTTP for the transfer, no FTP hassles.

On Thu, Mar 04, 2004 at 05:20:49PM +, Roland Perry wrote:
>
> In article <[EMAIL PROTECTED]>, Jeff Shultz
> <[EMAIL PROTECTED]> writes
> >Okay, so what are several ways to share files with a friend, where you
> >don't share any accounts or passwords, and where only your friend will
> >be able to access them?
>
> Putting the files into an obscurely named and unlinked directory of a
> website will normally be as good as necessary. The sender still has to
> mess with ftp, unless he has a web-based uploading system at his
> disposal (see fotopic.net for an example user interface).
>
> If you are prepared to concede that both parties must be subscribed to
> the same online community (be it Yahoo-Groups-alike or a messenger
> product) then the possibilities are endless, and many are not beyond
> granny's capabilities.
> --
> Roland Perry
>

--
Stephen Milton - Founder/VP Internet (425) 881-8769 x102
ISOMEDIA.COM - Premium Internet Services (425) 869-9437 Fax
[EMAIL PROTECTED] http://www.isomedia.com
RE: UUNet Offer New Protection Against DDoS
> -Original Message-
> From: Christopher L. Morrow [mailto:[EMAIL PROTECTED]
> Sent: Thursday, March 04, 2004 11:50 AM
> To: Lumenello, Jason
> Cc: Suresh Ramasubramanian; Randy Bush; [EMAIL PROTECTED]
> Subject: RE: UUNet Offer New Protection Against DDoS
>
>
> On Thu, 4 Mar 2004, Lumenello, Jason wrote:
>
> >
> > No, but it sounds like SLA payouts are made in the event that they fail
> > to respond in 15 minutes after a call is made. Maybe I am
>
> fail to get you in touch with 'security expertise' in 15 minutes...
>
> > misinterpreting their SLA, but this seems much different than offering
> > blanket payments for DoS down time.
> >
>
> downtime is separate from this SLA.
>
> > I will give them credit for guaranteeing a response in 15 minutes or
> > less. Now is a response the opening of a ticket or the null routing of
> > the attack traffic in 15 minutes?
>
> Just speaking to an engineer that can help you. There is no way to
> guarantee an end to a DoS in any reasonable amount of time ;( For
> instance, Suresh's main 'job' is email, so null routing his MX hosts will
> stop the attack, but it is hardly desirable, eh? Same for filtering tcp/25
> syn packets :(
>
> There is no magic here, you all are smart enough to understand how DoS
> works, how to stop it and the complications inherent in both.

Well, kudos to you guys for raising the SLA bar to include this provision then.

Jason
Re: dealing with w32/bagle
In article <[EMAIL PROTECTED]>, Jeff Shultz <[EMAIL PROTECTED]> writes

Okay, so what are several ways to share files with a friend, where you don't share any accounts or passwords, and where only your friend will be able to access them?

Putting the files into an obscurely named and unlinked directory of a website will normally be as good as necessary. The sender still has to mess with ftp, unless he has a web-based uploading system at his disposal (see fotopic.net for an example user interface).

If you are prepared to concede that both parties must be subscribed to the same online community (be it Yahoo-Groups-alike or a messenger product) then the possibilities are endless, and many are not beyond granny's capabilities.

--
Roland Perry
RE: UUNet Offer New Protection Against DDoS
This sounds like a good idea for us to consider. I think DoS attacks typically get erased in the 95% discard a lot of people use in billing though, but it still has value for the customer.

Thanks!

Jason

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Kasten
Sent: Wednesday, March 03, 2004 5:35 PM
To: [EMAIL PROTECTED]
Subject: Re: UUNet Offer New Protection Against DDoS

We actually accept up to the customers aggregate. So if they have a /16, they can tag the whole /16. And we do not tag no-export. I saw some time ago on a list, and I think Bill Manning suggested it, that if you are getting bits for unused address space, to announce that address space (up to host specific) with the DDoS community string. That keeps the packets off of your link and thus you don't get charged for them. The same can be done in reverse. We have a customer that is advertising their larger block with the DDoS community string, and then advertising the addresses they are actually using more specifically, so we blackhole everything less specific. These are a couple of applications that can be utilized if you don't tag no-export and accept more than just /32's within their address space. FWIW.

Also, we are utilizing Juniper's DCU for tracebacks, which makes life MUCH easier when tracing an attack. :-) SNMP polling the DCU counters every few minutes is relatively fast and painless, and provides quick results.

Mark

Lumenello, Jason wrote:

Oh, and I strip their communities, and apply no-export, on the first term of my route map so the /32 does not get out. Of course my peer facing policy requires specific communities to get out as well (belt and suspenders).

This method works very well, and you do not have to give up length restrictions or maintain two sets of customer prefix/access lists.

Jason

-Original Message-
From: Lumenello, Jason
Sent: Wednesday, March 03, 2004 4:52 PM
To: 'Stephen J. Wilcox'; james
Cc: [EMAIL PROTECTED]
Subject: RE: UUNet Offer New Protection Against DDoS

I struggled with this, and came up with the following.

We basically use a standard route-map for all customers where the first term looks for the community. The customer also has a prefix-list on their neighbor statement allowing their blocks le /32. The following terms (term 2 and above) in the route-map which do NOT look for the customer discard community, have a different standard/generic prefix-list evaluation which blocks cruft and permits 0.0.0.0/0 ge 8 le 24.

By doing this, I only accept a customer /32 from his dedicated prefix-list when it has the DOS discard community, otherwise I catch them with the ge 8 le 24 in the following terms.

Jason Lumenello
IP Engineering
XO Communications

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Stephen J. Wilcox
Sent: Wednesday, March 03, 2004 3:48 PM
To: james
Cc: [EMAIL PROTECTED]
Subject: Re: UUNet Offer New Protection Against DDoS

I'm puzzled by one aspect on the implementation.. how to build your customer prefix filters.. that is, we have prefix-lists for prefix and length. Therefore at present we can only accept a tagged route for a whole block.. not good if the announcement is a /16 etc !

Now, I could do as per the website at secsup.org which means we have a route-map entry to match the community before the filtering .. but that would allow the customer to null route any ip.

What we need is one to allow them to announce any route including more specifics of the prefix list - how are folks doing this?

Steve

On Wed, 3 Mar 2004, james wrote:

Global Crossing has this, already in production. I was on the phone with Qwest yesterday & this was one of this things I asked about. Qwest indicated they are going to deploy this shortly. (i.e., send routes tagged with a community which they will set to null)

James Edwards
Routing and Security
[EMAIL PROTECTED]
At the Santa Fe Office: Internet at Cyber Mesa
Store hours: 9-6 Monday through Friday
505-988-9200 SIP:1(747)669-1965
RE: UUNet Offer New Protection Against DDoS
No, but it sounds like SLA payouts are made in the event that they fail to respond in 15 minutes after a call is made. Maybe I am misinterpreting their SLA, but this seems much different than offering blanket payments for DoS down time.

I will give them credit for guaranteeing a response in 15 minutes or less. Now is a response the opening of a ticket or the null routing of the attack traffic in 15 minutes?

Jason

> -Original Message-
> From: Suresh Ramasubramanian [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, March 03, 2004 7:21 PM
> To: Randy Bush
> Cc: [EMAIL PROTECTED]; Lumenello, Jason
> Subject: Re: UUNet Offer New Protection Against DDoS
>
> Randy Bush [3/4/2004 6:40 AM] :
>
> > i think the north american idiom is putting your money where your
> > mouth is.
>
> Thank you. That's exactly what I was driving at.
>
> Hmm.. one of the people in that "we've been doing this too" thread was
> XO. Do I take it then that XO provides for DDoS downtime in its SLA?
>
> --
> srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
> manager, outblaze.com security and antispam operations
Re: dealing with w32/bagle
Jeff Shultz wrote:

** Reply to message from "Laurence F. Sheldon, Jr." <[EMAIL PROTECTED]> on Wed, 03 Mar 2004 22:04:44 -0600

Curtis Maurand wrote:

Until there's an easy way of getting a file to your friend down the street that's as easy as sending an email, we're stuck with this.

There are actually several, some with features much superior to using email as the truck.

The problem with them is: Nobody wants to consider them.

Okay, so what are several ways to share files with a friend, where you don't share any accounts or passwords, and where only your friend will be able to access them?

FTP'ing to a web site is out - you either have no guarantee that they'll be the only one to be able to access the file, or you have to mess with password protected websites, not something a person is going to do to send the kids photos to Grandma.

Actually FTP can be made secure.

That and all of the other ideas I might propose require some development work and some change of attitudes.

Here is the answer I gave in private email to fundamentally the same question:

quote

My personal favorite that at one time would have been the easiest to develop has a MUA that "attaches" the document by storing the text in an HTTP-accessible archive (on the sender's machine? on the sender's MTA machine?) and including a URL in the email.

My personal objection to embedded attachments is not a product of the virus rage going on--it goes back a lot farther and has to do with system efficiency, security and privacy issues.

(Consider a situation that I have found too common: Person A sends a message transmitting a document containing sensitive information to person B. For reasons that make sense, Person A sends "CC" or "BCC" copies to persons C, D, E, and F.--perhaps to "document" the transmission to B. C-F have no interest in the document, just the fact that it was transmitted. But they get copies of it. A in the process of preparing the message mentions that the document will be made public at a meeting on a future date. E realizes that persons G and H need to be at that meeting and "forwards" the message _and_the_document_ to them. (In one case in my past, "G" was the last person in Creation that should have gotten the document early.)

If the message is stored under PKI with A's key all of that and the system overhead goes away.

There are others.

unquote
Re: dealing with w32/bagle
** Reply to message from "Laurence F. Sheldon, Jr." <[EMAIL PROTECTED]> on Wed, 03 Mar 2004 22:04:44 -0600

> Curtis Maurand wrote:
> >
> > Until there's an easy way of getting a file to your friend down the
> > street that's as easy as sending an email, we're stuck with this.
>
> There are actually several, some with features much superior to using
> email as the truck.
>
> The problem with them is: Nobody wants to consider them.

Okay, so what are several ways to share files with a friend, where you don't share any accounts or passwords, and where only your friend will be able to access them?

FTP'ing to a web site is out - you either have no guarantee that they'll be the only one to be able to access the file, or you have to mess with password protected websites, not something a person is going to do to send the kids photos to Grandma.

--
Jeff Shultz
Loose nut behind the wheel.
Re: UUNet Offer New Protection Against DDoS
--On 03 March 2004 18:17 -0500 "Patrick W.Gilmore" <[EMAIL PROTECTED]> wrote:

A lot of people seem to be doing this.

there is nothing (well very little) new in the world:
http://www.merit.edu/mail.archives/nanog/1999-07/msg00083.html

Alex
Re: dealing with w32/bagle
Or, like me, nobody knows about them. Maybe it's time we educate our users.

Curtis

On Wed, 3 Mar 2004, Laurence F. Sheldon, Jr. wrote:
>
> Curtis Maurand wrote:
> >
> > Until there's an easy way of getting a file to your friend down the
> > street that's as easy as sending an email, we're stuck with this.
>
> There are actually several, some with features much superior to using
> email as the truck.
>
> The problem with them is: Nobody wants to consider them.
>
> --

--
Curtis Maurand
mailto:[EMAIL PROTECTED]
http://www.maurand.com
Re: UUNet Offer New Protection Against DDoS
in our case, we do the following setup:

1. allow up to /32 within customer's prefix(es)
2. check for 27552:666 (null comm), if matched, set to null'd nexthop
3. now match any prefixes that are longer than /22 on 0.0.0.0/1, that are
   longer than /22 on 128.0.0.0/2, that are longer than /24 on 192.0.0.0/3.
   if any of these longer prefixes are matched, tag them with 27552:31337
   (which is our equivalent of no-export). If a customer has a legitimate
   reason to send a /24 within say, 0.0.0.0/1, then we can always override
   it by adding a deny rule to the matching prefix-list used by the
   route-map.
4. finally, add maximum-prefix limit to 500

I'll be more than glad to provide config template if anyone is interested. Also have ipv6 version of it as well if interested.

-J

On Wed, Mar 03, 2004 at 10:22:16PM +, Stephen J. Wilcox wrote:
>
> > > I'm puzzled by one aspect on the implementation.. how to build your customer
> > > prefix filters.. that is, we have prefix-lists for prefix and length.
> > > Therefore at present we can only accept a tagged route for a whole block..
> > > not good if the announcement is a /16 etc !
> >
> > MCI handles this by only filtering on prefix, not length. Well,
> > allowing you to only announce up to your length, not shorter, but
> > longer is allowed.
>
> Hmm not keen, have moved acl->prefix w/len to stop folks from doing this, in
> addition we have an extra filter which overrides anything that would deny
> anything longer than a /24. I'm not keen to change that.. LART appears to have
> little or no effect with my customers, preemption appears to be the only way!
>
> Steve
>
> > > Now, I could do as per the website at secsup.org which means we have a
> > > route-map
> > > entry to match the community before the filtering .. but that would
> > > allow the
> > > customer to null route any ip.
> > >
> > > What we need is one to allow them to announce any route including more
> > > specifics of the prefix list - how are folks doing this?
> >
> > It's not hard. I think the old UUNET just used standard ACLs (1->99).
> > :) But with prefix filters, you can set gt & lt prefix lengths on the
> > filters trivially.
> >
> > Of course, your customers can then deaggregate to their hearts content.
> > If they do, you should hunt them down and LART them. But it is useful
> > for some things, especially when combined with no_export, the
> > black-hole communities, or other communities.
> >

--
James Jun                TowardEX Technologies, Inc.
Technical Lead           Network Design, Consulting, IT Outsourcing
[EMAIL PROTECTED]        Boston-based Colocation & Bandwidth Services
cell: 1(978)-394-2867    web: http://www.towardex.com , noc: www.twdx.net
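The four-step import policy listed in this message, modelled as a small evaluator so the effect on individual announcements can be checked. This is an added example, not the poster's configuration: the discard next hop, customer blocks and function names are constructed, and it assumes steps 2 and 3 are applied independently (a blackholed /32 is also kept from export), which the post does not state.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

NULL_COMM = "27552:666"          # blackhole community named in the post
NO_EXPORT_COMM = "27552:31337"   # the poster's no-export equivalent
MAX_PREFIXES = 500               # step 4
DISCARD_NEXT_HOP = "192.0.2.1"   # constructed: an address routed to null

# Step 3: (covering block, longest prefix length allowed to leave the AS).
EXPORT_LIMITS = [
    (ipaddress.ip_network("0.0.0.0/1"), 22),
    (ipaddress.ip_network("128.0.0.0/2"), 22),
    (ipaddress.ip_network("192.0.0.0/3"), 24),
]


@dataclass
class Decision:
    accepted: bool
    reason: str
    next_hop: Optional[str] = None
    communities: frozenset = frozenset()


def evaluate(prefix, communities, next_hop, customer_blocks):
    """Apply steps 1-3 to one announcement received from a customer."""
    net = ipaddress.ip_network(prefix)
    comms = set(communities)
    blocks = [ipaddress.ip_network(b) for b in customer_blocks]

    # Step 1: anything up to /32, but only inside the customer's own space.
    # This is what stops a customer from null routing someone else's IP.
    if not any(net.subnet_of(b) for b in blocks):
        return Decision(False, "outside customer prefix-list")

    # Step 2: the null community rewrites the next hop to the discard route.
    reason = "accepted"
    if NULL_COMM in comms:
        next_hop, reason = DISCARD_NEXT_HOP, "blackholed"

    # Step 3: over-long prefixes are kept, but tagged so they stay internal.
    for block, limit in EXPORT_LIMITS:
        if net.subnet_of(block) and net.prefixlen > limit:
            comms.add(NO_EXPORT_COMM)
            break
    return Decision(True, reason, next_hop, frozenset(comms))


def run_session(announcements, customer_blocks):
    """Step 4: return (accepted routes, session_up); drop all on overflow."""
    accepted = []
    for prefix, communities, next_hop in announcements:
        decision = evaluate(prefix, communities, next_hop, customer_blocks)
        if decision.accepted:
            accepted.append((prefix, decision))
            if len(accepted) > MAX_PREFIXES:
                return [], False  # session torn down, routes withdrawn
    return accepted, True


if __name__ == "__main__":
    blocks = ["198.51.100.0/24"]  # constructed customer allocation
    for pfx, comms in [("198.51.100.7/32", [NULL_COMM]),
                       ("203.0.113.5/32", [NULL_COMM]),
                       ("198.51.100.0/24", [])]:
        print(pfx, evaluate(pfx, comms, "10.0.0.1", blocks))
```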