Re: dealing with w32/bagle
At 07:39 PM 3/4/2004, Curtis Maurand wrote: Too many steps. Once it's installed and configured, this one is drag and drop: http://www.hilgraeve.com/dropchute/ They also have a solution for dynamic addressing: http://www.hilgraeve.com/KB/KnowledgeBase/index_html?topic=DropChutearticle=30002 DropChute can work with and connect to dynamic IP addresses through the use of the address server. ldap.dropchute.com. With the address server available to you, you can wait for calls on the Internet using a dynamic IP address assigned by your Internet service provider. Your DropChute will post the address on the address server so others can connect to you. jc -- p.s. Please do not cc me on replies to the list. Please reply to the list only, or to me only (as you prefer) but not to both.
Re: dealing with w32/bagle
Curtis Maurand wrote: On Thu, 4 Mar 2004, Laurence F. Sheldon, Jr. wrote: Jeff Shultz wrote: There are others. unquote But nothing that's been developed. Joe user's ip address changes on a regular basis. One would still need to find that machine. DNS gets cached (some go past TTL's I've set.) and is too static to be an effective means to get a file. Most instant messengers have facilities for exchanging files, but both sides need to be connected at the same time. Having that file in an email is better. I like SCP, too. It works well, so well that I use that, instead of ftp. You still have to find the other end that has its address changed every day or two. With email, only one end needs to be connected at any one time. email is about the most convenient and easiest way that I know of to get pictures of little Johnnie to Grandmother in a way that is easy for her to understand. Whatever anyone proposes needs to be that easy. Chances are that Grandma's not a geek like most of us. In terms of whether the system is open to abuse or not, part of the problem is simplicity you need to achieve for it to take off in the first place. If it's simple, it can be automated. If it can be automated it's open to automated abuse. (NB/OT: Perhaps the only solution is systems that can detect when they are being abused and do something to force manual intervention. That could take whatever form it needs to, from manual account reactivation, more passwords, or reverse turing tests - depending on which party is required to take action. But I don't see systems like this being developed and deployed anytime soon ;) )
The Cidr Report
This report has been generated at Fri Mar 5 21:48:09 2004 AEST. The report analyses the BGP Routing Table of an AS4637 (Reach) router and generates a report on aggregation potential within the table. Check http://www.cidr-report.org/as4637 for a current version of this report.

Recent Table History
 Date       Prefixes   CIDR Agg
 27-02-04   132022     92109
 28-02-04   132095     92116
 29-02-04   132186     92115
 01-03-04   132204     92062
 02-03-04   13...      91984
 03-03-04   132040     92020
 04-03-04   132129     92142
 05-03-04   132261     92225

AS Summary
 16688      Number of ASes in routing system
 6718       Number of ASes announcing only one prefix
 1385       Largest number of prefixes announced by an AS
            AS7018 : ATTW ATT WorldNet Services
 73583360   Largest address span announced by an AS (/32s)
            AS568 : DISOUN DISO-UNRRA

Aggregation Summary
The algorithm used in this report proposes aggregation only when there is a precise match using the AS path, so as to preserve traffic transit policies. Aggregation is also proposed across non-advertised address space ('holes').

 --- 05Mar04 ---
 ASnum     NetsNow   NetsAggr   NetGain   % Gain   Description
 Table      132415      92202     40213    30.4%   All ASes

 AS4323        694        205       489    70.5%   TWC-34 Time Warner Communications, Inc.
 AS7018       1385        963       422    30.5%   ATTW ATT WorldNet Services
 AS6197        676        302       374    55.3%   BNS-14 BellSouth Network Solutions, Inc
 AS701        1319        946       373    28.3%   UU UUNET Technologies, Inc.
 AS7843        491        120       371    75.6%   ADELPH-13 Adelphia Corp.
 AS27364       388         33       355    91.5%   ARMC Armstrong Cable Services
 AS6198        545        215       330    60.6%   BNS-14 BellSouth Network Solutions, Inc
 AS4134        646        326       320    49.5%   CHINANET-BACKBONE No.31,Jin-rong Street
 AS22909       354         34       320    90.4%   CMCS Comcast Cable Communications, Inc.
 AS22773       349         37       312    89.4%   CXAB Cox Communications Inc. Atlanta
 AS1239        939        655       284    30.2%   SPRN Sprint
 AS4355        385        101       284    73.8%   ERSD EARTHLINK, INC
 AS6347        367         87       280    76.3%   SAVV SAVVIS Communications Corporation
 AS9583        387        118       269    69.5%   SATYAMNET-AS Satyam Infoway Ltd.,
 AS6140        373        110       263    70.5%   IMPSA ImpSat
 AS17676       295         42       253    85.8%   JPNIC-JP-ASN-BLOCK Japan Network Information Center
 AS1221        888        644       244    27.5%   ASN-TELSTRA Telstra Pty Ltd
 AS6478        267         40       227    85.0%   ATTW ATT WorldNet Services
 AS25844       243         16       227    93.4%   SASMFL-2 Skadden, Arps, Slate, Meagher Flom LLP
 AS209         720        507       213    29.6%   QWEST-4 Qwest
 AS14654       214          4       210    98.1%   WAYPOR-3 Wayport
 AS11305       242         41       201    83.1%   INTERL-80 Interland Incorporated
 AS2386        431        240       191    44.3%   ADCS-1 ATT Data Communications Services
 AS4766        436        245       191    43.8%   KIX Korea Internet Exchange for 96 World Internet Exposition
 AS5668        349        161       188    53.9%   CIH-12 CenturyTel Internet Holdings, Inc.
 AS20115       605        419       186    30.7%   CHARTE-72 Charter Communications
 AS4519        204         21       183    89.7%   MAASCO Maas Communications
 AS9929        209         30       179    85.6%   CNCNET-CN China Netcom Corp.
 AS6327        206         28       178    86.4%   SHAWC-2 Shaw Communications Inc.
 AS3356        849        681       168    19.8%   LEVEL3 Level 3 Communications

 Total       15456       7371      8085    52.3%   Top 30 total

Possible Bogus Routes
 24.138.80.0/20   AS11260   AHSICHCL Andara High Speed Internet c/o Halifax Cable Ltd.
 64.46.0.0/18     AS7850    IHIGHW iHighway.net, Inc.
 64.46.4.0/22     AS11711   TULARO TULAROSA COMMUNICATIONS
 64.46.12.0/24    AS7850    IHIGHW iHighway.net, Inc.
 64.46.27.0/24    AS8674    NETNOD-IX Netnod Internet Exchange Sverige AB
The attachment mess, was w32/bagle
Speaking on Deep Background, the Press Secretary whispered: pass. I will be the first to admit that using mail as a file transfer protocol isn't the way to go, but getting people to realize that (and forcing them to change) is next to impossible. Until there's an easy way of getting a file to your friend down the street that's as easy as sending an email, we're stuck with this. Curtis I've pipedreamed a scheme that would do this: Sending Luser drops file on to Attached File line in the MUA {say, Eudora} and Sends. MUA opens https to its own MTA/server, encrypts uploads file and designates file name. It puts the unique URL/key into the pseudo-Attachment line of the mailer. [Attachment's encrypted so that if the mail itself is, the file would not be lesser-protected. Real security would require the MUA, not the MTA to do encryption, I guess] Receiving Luser (RL) gets message with Attachment link. {S}he clicks on it, not really knowing/caring it is a https link. Decrypted attachment is dumped on RL's desktop. Behind the scenes, the Sending MTA notes the file was grabbed. It has a set of expiration rules, whatever its local policy is -- X days if not yet grabbed one, Y days after the first, -- a history file al-la Usenet spool. SMTA expires old messages. The advantage to the MTA operators is no longer will people try to cram 35 MB Powerpoint files down mail pipes. Yes, they are stuck storing the files for a few days, and moving later; but ?some? will never be moved at all, saving BW. {The old what's cheaper, disk or pipe? issue arises here.} Further, Attachment transfer BW could be QOS'ed downscale. Variations might be the file is not stored by the SendingMTA but pushed to the ReceivingMTA/MX. Or when the RL opens mail, it's moved from SMTA to RMTA/MX, and then to the RL. I'd have thunk someone already thought of all this, but I've not seen such discussed. Even a clueless guy like me can see there are multiple reasons It Won't Fly, some perhaps solvable. 
a) Gripe: Attached Files would expire. Someone Would Complain. Response: BFD. Tell the sender to mail that file again.
b) G: Mail Systems operators are stuck storing files and must run expiration scripts. R: And this is worse than the terabytes now being queued? Plus, space could be limited and maybe chargeable.
c) G: Critical Mass needed before it can be usable at all. You'll never ever get there unless Billy puts it into LookOut^H^H^HOutlook. R: Yea.
In order to crack c); I guess it would take not just a solid RFC and running code; but a 900# Gorilla demanding such, maybe Earthlink or AOL. Flaming session is now open. I'm not awake yet, so I plead the Hypnos Defense. -- A host is a host from coast to [EMAIL PROTECTED] no one will talk to a host that's close[v].(301) 56-LINUX Unless the host (that isn't close).pob 1433 is busy, hung or dead20915-1433
One hint - how to detect infected machines _post mortem_... Re: dealing with w32/bagle
Just for information - may be useful for someone. Task - we determined that a few infected machines were connected to one of our offices a few days ago. They ran one of these viruses, which generated a lot of scans and created significant traffic (but the traffic was not big enough to raise an alarm on the outgoing gateway). Activity was short. The computers are not connected at the time of investigation. The IDS system and Cisco logs were not active in this office (a few tricks with Cisco ACLs and logs allow many viruses to be detected instantly; good IDS systems can do it as well). Solution:
- get all port statistics from the switch (using SNMPGET and a simple 'telnetting' script - we have a 'RUN-cmd' tool allowing switch commands to be run from a shell file);
- remove all ports with traffic less than some threshold;
- calculate the IN/OUT packet ratio for the rest of the ports;
- find ports where the IN/OUT ratio (IN - to switch) > 6;
- among those ports, find ports with average packet size < 256 bytes.
It shows all ports with infected notebooks (even if the notebook was connected for half a day).
PS. Of course, after this a few additional monitoring tools were installed, and we added _all_ switches and _all_ ports to the 'snmpstat' monitoring system (it allows traffic to be seen in real time and historical charts to be analyzed, including such things as packet size).
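The port-counter heuristic above, worked through in code. This is an added example, not Alexei Roudnev's 'RUN-cmd' or 'snmpstat' tooling: it parses the IF-MIB counters as Net-SNMP prints them (ifDescr, ifInUcastPkts, ifOutUcastPkts, ifInOctets), applies the three filters in the order the post gives them, and returns the ports that look like a scanning host. The walk output is constructed sample data; the idle-port cut-off (MIN_PKTS) is an assumed value since the post does not give one, and IN is taken as packets from the host into the switch, as the post states. The comparison operators (ratio greater than 6, average packet size below 256 bytes) are read from the post's description of scan traffic.

```python
import re

# Net-SNMP style walk output, e.g. "IF-MIB::ifInUcastPkts.3 = Counter32: 400000".
SNMP_LINE = re.compile(r'^IF-MIB::(\w+)\.(\d+) = (?:Counter32|Counter64|STRING): (.*)$')

# Thresholds. The ratio and packet size come from the post; MIN_PKTS is an
# assumed "ignore nearly idle ports" cut-off. IN means host -> switch (ifIn*).
MIN_PKTS = 10_000
MAX_IN_OUT_RATIO = 6.0
MAX_AVG_IN_SIZE = 256          # bytes

# Constructed sample walk of four access ports: a normal client, an idle port,
# a scanning notebook (many small packets out of the host) and a bulk upload.
SAMPLE_WALK = """
IF-MIB::ifDescr.1 = STRING: FastEthernet0/1
IF-MIB::ifDescr.2 = STRING: FastEthernet0/2
IF-MIB::ifDescr.3 = STRING: FastEthernet0/3
IF-MIB::ifDescr.4 = STRING: FastEthernet0/4
IF-MIB::ifInOctets.1 = Counter32: 25000000
IF-MIB::ifOutOctets.1 = Counter32: 60000000
IF-MIB::ifInUcastPkts.1 = Counter32: 50000
IF-MIB::ifOutUcastPkts.1 = Counter32: 60000
IF-MIB::ifInOctets.2 = Counter32: 12000
IF-MIB::ifOutOctets.2 = Counter32: 9000
IF-MIB::ifInUcastPkts.2 = Counter32: 200
IF-MIB::ifOutUcastPkts.2 = Counter32: 150
IF-MIB::ifInOctets.3 = Counter32: 28000000
IF-MIB::ifOutOctets.3 = Counter32: 3000000
IF-MIB::ifInUcastPkts.3 = Counter32: 400000
IF-MIB::ifOutUcastPkts.3 = Counter32: 30000
IF-MIB::ifInOctets.4 = Counter32: 1260000000
IF-MIB::ifOutOctets.4 = Counter32: 9000000
IF-MIB::ifInUcastPkts.4 = Counter32: 900000
IF-MIB::ifOutUcastPkts.4 = Counter32: 90000
"""


def parse_snmpwalk(text):
    """Group IF-MIB walk lines into {ifIndex: {column: value}}."""
    ports = {}
    for line in text.strip().splitlines():
        m = SNMP_LINE.match(line.strip())
        if not m:
            continue
        column, index, value = m.groups()
        rec = ports.setdefault(int(index), {})
        rec[column] = value if column == 'ifDescr' else int(value)
    return ports


def suspicious_ports(ports, min_pkts=MIN_PKTS, max_ratio=MAX_IN_OUT_RATIO,
                     max_avg=MAX_AVG_IN_SIZE):
    """Return (ifDescr, in/out packet ratio, avg inbound packet size) for ports
    that look like a scanning host: busy, far more packets in than out, and
    small packets. Ports are processed in ifIndex order."""
    flagged = []
    for index, rec in sorted(ports.items()):
        in_pkts = rec.get('ifInUcastPkts', 0)
        out_pkts = rec.get('ifOutUcastPkts', 0)
        if in_pkts + out_pkts < min_pkts:
            continue                                   # idle port: noise
        ratio = in_pkts / out_pkts if out_pkts else float('inf')
        if ratio <= max_ratio:
            continue                                   # roughly symmetric: normal client
        avg_in = rec.get('ifInOctets', 0) / in_pkts    # in_pkts > 0 here because ratio > 0
        if avg_in >= max_avg:
            continue                                   # large packets: bulk upload, not scans
        flagged.append((rec.get('ifDescr', str(index)), round(ratio, 1), round(avg_in)))
    return flagged


if __name__ == '__main__':
    for descr, ratio, avg in suspicious_ports(parse_snmpwalk(SAMPLE_WALK)):
        print(f"{descr}: in/out ratio {ratio}, avg inbound packet {avg} bytes")
```

Port FastEthernet0/4 is the reason the size filter matters: its in/out ratio is 10, well above 6, but its 1400-byte average marks it as a bulk transfer rather than a scanner. Counters are cumulative, so on a real switch take two walks some minutes apart and feed the deltas in, or reset the counters first; otherwise a port's history since the last reboot dilutes a short burst of scanning.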
Re: dealing with w32/bagle
On Thu, 04 Mar 2004 22:35:03 EST, Curtis Maurand said: I like SCP, too. It works well, so well that I use that, instead of ftp. I love SCP/SSH, and so does everybody else around here, to the point where we're slowly stamping out the last remnants of telnet and non-anonymous FTP. However I might want to send you a file, but you probably don't want to give me a userid on the machine you'll receive it on, and I probably don't want to give you a userid on my laptop. Somewhat limits the options for the general case.
RE: One hint - how to detect infected machines _post mortem_... Re: dealing with w32/bagle
Take a look at Kiwi-cattools. It has some great Cisco Automation ability.. Well, Cisco, Entersys, Redhat etc. www.kiwisyslog.com You can run commands on hundreds of devices on a schedule.. I use to pull config backups and certain reports I want directly from the devices.. Jim --Original Message- -From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of -Alexei Roudnev -Sent: Friday, March 05, 2004 11:20 AM -To: Sam Stickland; [EMAIL PROTECTED] -Subject: One hint - how to detect invected machines _post -morten_... Re: -dealing with w32/bagle - - - -Just for information - may be useful for someone. - -Task - we determined, that few infected machines was -connected to one of our -offices few days ago. -They run one of this viruses, which generated a lot of scans -and created -sugnificant traffic (but traffic was not -big enough to rais alarm on outgoing gateway). Activity was short. - -Computers are not connected in the time of investigation. - -IDS system and Cisco logs was not active in this office (few -tricks with -Cisco ACL's and logs allows to detect many viruses instantly; good IDS -systems can do it as well). - -Solution: -- get all port statistics from switch (using SNMPGET and using simple -'telnetting' script - we have 'RUN-cmd' tool allowing to run -switch commands -from shell file; -- remove all ports with traffic less than some threshold; -- calculate IN/OUT packets ratio for the rest of ports; -- find ports, where IN/OUT ratio (IN - to switch) 6; -- in this ports, find ports with average packet size 256 bytes; - -It shows all ports with infected notebooks (even if notebook -was connected -for a half of day). - -PS. Of course, after this few additional monitoring tools was -installed, and -we added _all_ switches and _all_ ports to 'snmpstat' -monitoring system (it -allows to see a traffic in real time, and analiz historical charts, -including such things as packet size). - - - - -
Re: dealing with w32/bagle
** Reply to message from JC Dill [EMAIL PROTECTED] on Fri, 05 Mar 2004 00:11:48 -0800 At 07:39 PM 3/4/2004, Curtis Maurand wrote: Too many steps. Once it's installed and configured, this one is drag and drop: http://www.hilgraeve.com/dropchute/ They also have a solution for dynamic addressing: http://www.hilgraeve.com/KB/KnowledgeBase/index_html?topic=DropChutearticle=30002 DropChute can work with and connect to dynamic IP addresses through the use of the address server. ldap.dropchute.com. With the address server available to you, you can wait for calls on the Internet using a dynamic IP address assigned by your Internet service provider. Your DropChute will post the address on the address server so others can connect to you. jc Looks like IM with an accent on file transfer instead of chatting - if I'm not mistaken it requires both computers to be on at the same time? Please don't forget all those dialup users out there - they still outnumber the DSL's and cablemodems of the world. This needs to be store-n-forward in some way. -- Jeff Shultz Loose nut behind the wheel.
Re: One hint - how to detect infected machines _post mortem_... Re: dealing with w32/bagle
On 05.03.2004 17:26 McBurnett, Jim wrote: Take a look at Kiwi-cattools. It has some great Cisco Automation ability.. Well, Cisco, Entersys, Redhat etc. www.kiwisyslog.com You can run commands on hundreds of devices on a schedule.. I use to pull config backups and certain reports I want directly from the devices.. And not to forget the magic RANCID (http://www.shrubbery.net/rancid/). You can't live without rancid if you have to do router/switch manipulation/polling ... Arnold
Re: One hint - how to detect infected machines _post mortem_... Re: dealing with w32/bagle
It is interesting, I will look. We have the same kind of system (CCR 1.1 - Cisco Configuration Repository), which can read configurations (manually or on schedule), keep change history in CVS, and can be easily adapted for running commands (in reality, it has a few tools to run a command), and we were thinking about putting it on sourceforge as a part of the 'snmpstat' system, but I found a few interesting _existing_ systems as well, so we will look. What we did additionally - add some security - if, for some reason, a company does not want to keep passwords in public/private key encrypted format (which means that root can decrypt them), you can use PASSPHRASE mode (which allows passwords to be encrypted using a passphrase, so operators must know this phrase but are not required to know the exact passwords) or you can use explicit passwords. One more question - does anyone know of tools allowing a 'cisco update' to be generated from 2 configurations (old and new)? We wrote such a thing 4 years ago (in Russia), but it was still limited to our scope of configurations. - Original Message - From: McBurnett, Jim [EMAIL PROTECTED] To: Alexei Roudnev [EMAIL PROTECTED]; Sam Stickland [EMAIL PROTECTED]; [EMAIL PROTECTED] Sent: Friday, March 05, 2004 8:26 AM Subject: RE: One hint - how to detect infected machines _post mortem_... Re: dealing with w32/bagle Take a look at Kiwi-cattools. It has some great Cisco Automation ability.. Well, Cisco, Entersys, Redhat etc. www.kiwisyslog.com You can run commands on hundreds of devices on a schedule.. I use to pull config backups and certain reports I want directly from the devices.. Jim --Original Message- -From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of -Alexei Roudnev -Sent: Friday, March 05, 2004 11:20 AM -To: Sam Stickland; [EMAIL PROTECTED] -Subject: One hint - how to detect invected machines _post -morten_... Re: -dealing with w32/bagle - - - -Just for information - may be useful for someone. 
- -Task - we determined, that few infected machines was -connected to one of our -offices few days ago. -They run one of this viruses, which generated a lot of scans -and created -sugnificant traffic (but traffic was not -big enough to rais alarm on outgoing gateway). Activity was short. - -Computers are not connected in the time of investigation. - -IDS system and Cisco logs was not active in this office (few -tricks with -Cisco ACL's and logs allows to detect many viruses instantly; good IDS -systems can do it as well). - -Solution: -- get all port statistics from switch (using SNMPGET and using simple -'telnetting' script - we have 'RUN-cmd' tool allowing to run -switch commands -from shell file; -- remove all ports with traffic less than some threshold; -- calculate IN/OUT packets ratio for the rest of ports; -- find ports, where IN/OUT ratio (IN - to switch) 6; -- in this ports, find ports with average packet size 256 bytes; - -It shows all ports with infected notebooks (even if notebook -was connected -for a half of day). - -PS. Of course, after this few additional monitoring tools was -installed, and -we added _all_ switches and _all_ ports to 'snmpstat' -monitoring system (it -allows to see a traffic in real time, and analiz historical charts, -including such things as packet size). - - - - -
Bangalore Connectivity to USA
I'm investigating connectivity options between Bangalore and the US. Hoping to talk with others who have gone through the same process. What can be done to cut costs on E3+ capacity circuits? Any recommendations such as fiber plays, wireless last mile, satellite, etc. I prefer to hear from actual customers rather than sales persons. I guess basically, I'm looking for a clue on how to cut costs.
Re: dealing with w32/bagle
On Fri, 05 Mar 2004 11:23:37 -0500 [EMAIL PROTECTED] wrote: I might want to send you a file, but you probably don't want to give me a userid on the machine you'll receive it on, and I probably don't want to give you a userid on my laptop Somewhat limits the options for the general case. yes, ultimately you end up falling back on http or some traditional form of ftp, but for intermediate cases, i've had good luck using rssh in chroot mode at customer sites where there is a need to provide carefully constrained, secure access. rssh: http://www.pizzashack.org/rssh/index.shtml richard -- Richard Welty [EMAIL PROTECTED] Averill Park Networking 518-573-7592 Java, PHP, PostgreSQL, Unix, Linux, IP Network Engineering, Security
Email security poll
Hello all, We are conducting an informal poll regarding email security practices. Reply to me offlist and I will publish the results this weekend. Identity of replies will be kept confidential and all replies deleted after tabulation. Thanks! I will publish results this weekend. If for some reason our anti-spam filter bounces you, or you want to remain anonymous, please set your sender email address to be SURVEY _AT_ ASET.COM. -- Jon R. Kibler Chief Technical Officer A.S.E.T., Inc. Charleston, SC USA (843) 849-8214

Please respond YES (Y), NO (N), or Not Applicable (N/A):
- Does your organization perform any screening of email attachments?
- Does your organization perform A-V checks on all email attachments?
- Does your organization perform any checks on email attachment file type?
- Does your organization allow users to receive executable content attachments?
- Does your organization allow users to receive zip file or similar compressed attachments?
- Does your organization allow users to receive MS Office and similar type files that may contain macro viruses?
- Does your organization allow users to receive embedded or attached HTML email?
- Does your organization allow users to receive active content attachments, such as HTML with SCRIPT tags?

Please respond as appropriate:
- What AV engine do you use to screen email attachments (Symantec, NAI, FProtect, Trend, ClamAV, etc)?
- How often does your organization update its AV signatures?

== Filtered by: TRUSTEM.COM's Email Filtering Service http://www.trustem.com/ No Spam. No Viruses. Just Good Clean Email.
Re: One hint - how to detect infected machines _post mortem_... Re: dealing with w32/bagle
Also take a look at Neo at http://www.ktools.org/ which is scriptable and does all the SNMP work behind the scenes for you. A beta of the new 2.0 version (in Python) will be out within a week. kretch Solution: - get all port statistics from switch (using SNMPGET and using simple 'telnetting' script - we have 'RUN-cmd' tool allowing to run switch commands from shell file; - remove all ports with traffic less than some threshold; - calculate IN/OUT packets ratio for the rest of ports; - find ports, where IN/OUT ratio (IN - to switch) 6; - in this ports, find ports with average packet size 256 bytes; It shows all ports with infected notebooks (even if notebook was connected for a half of day). PS. Of course, after this few additional monitoring tools was installed, and we added _all_ switches and _all_ ports to 'snmpstat' monitoring system (it allows to see a traffic in real time, and analiz historical charts, including such things as packet size).
[OT: slightly]Looking for Engineers
Currently Progress Telecom LLC is in need of 1 or 2 qualified IP engineers in the St. Pete area. The open positions are full time positions engineering PTC's IP network (EPIK Communications old network) and BGP AS 19962. The Network consists of Juniper M160/M20 routers and Foundry NetIron switches. Candidate must be highly skilled in BGP and MPLS, have an ability to communicate with customers (both internal and external), have a good working knowledge of IRRs, and have strong trouble resolution skills. If you are interested in applying, or for more information please contact [EMAIL PROTECTED] Shane
Re: SPAM Prevention/Blacklists
[EMAIL PROTECTED] (Brandon Shiers) writes: We are using the following RBLs on our MTA right now: Spamhaus (sbl-xbl), DSBL, NJABL (dynablock). Are there any other good lists out there that you folks have had good experience with? Any that we might want to consider taking a look at? Thanks,

1. here's a chunk of my personal /usr/local/etc/postfix/main.cf file:

    smtpd_recipient_restrictions =
        ...
        reject_rbl_client rbl-plus.mail-abuse.org,
        reject_rbl_client nonconfirm.mail-abuse.org,
        reject_rbl_client sbl-xbl.spamhaus.org,
        reject_rbl_client opm.blitzed.org,
        reject_rbl_client http.dnsbl.sorbs.net,
        reject_rbl_client socks.dnsbl.sorbs.net,
        reject_rbl_client misc.dnsbl.sorbs.net,
        reject_rbl_client web.dnsbl.sorbs.net,
        reject_rbl_client zombie.dnsbl.sorbs.net,
        reject_rbl_client blackholes.easynet.nl,
        reject_rbl_client dynablock.easynet.nl,
        reject_rbl_client proxies.easynet.nl

2. but the most effective list i have is one i build from the apache log, grepping for worm spoor. most spam is sent through proxies left behind by worms, so if you autoblackhole worm-infected hosts you'll stop a HUGE amount of spam in the hours and days that follow. (spammers are now writing and releasing worms just to create proxy nets, and are also paying malfeasants to write and release worms just to create proxy nets.)

3. furthermore, DCC (see www.rhyolite.com/dcc) is hereby highly recommended. -- Paul Vixie
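Point 2 above, the locally built list of worm-infected hosts, as an added example. This is not Paul Vixie's script: it reads Apache common-log-format lines, matches the request path against a few assumed probe signatures of the Code Red / Nimda family (default.ida, root.exe, winnt/system32/cmd.exe), skips clients inside networks you never want to blacklist (an assumed allowlist, here 10.0.0.0/8 and loopback), and emits the counted hosts as lines for a Postfix access(5) table that check_client_access can reject on. The log lines are constructed sample data.

```python
import ipaddress
import re
from collections import Counter

# Assumed probe signatures (Code Red / Nimda family); extend for whatever
# the current crop of worms leaves in your logs.
WORM_PATTERNS = [
    re.compile(r'/default\.ida\?', re.I),              # Code Red
    re.compile(r'/root\.exe\?', re.I),                 # Nimda backdoor probe
    re.compile(r'/winnt/system32/cmd\.exe\?', re.I),   # Nimda / Code Red II
]

# Apache common log format: client ident user [time] "method path proto" status size
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) (\S+)" (\d{3}) (\S+)')

# Assumed: address space that must never end up in the blocklist
# (your own hosts, loopback), whatever the log says.
NEVER_BLOCK = [ipaddress.ip_network('10.0.0.0/8'),
               ipaddress.ip_network('127.0.0.0/8')]

# Constructed sample log: one Code Red probe, one ordinary request, two Nimda
# probes from the same host, and one probe from an internal (allowlisted) host.
SAMPLE_LOG = """
192.0.2.10 - - [05/Mar/2004:10:00:01 +0000] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 404 276
198.51.100.7 - - [05/Mar/2004:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 1043
203.0.113.5 - - [05/Mar/2004:10:00:03 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 281
203.0.113.5 - - [05/Mar/2004:10:00:03 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 281
10.1.2.3 - - [05/Mar/2004:10:00:04 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 281
"""


def is_worm_request(path):
    """True if the request path matches one of the assumed worm signatures."""
    return any(p.search(path) for p in WORM_PATTERNS)


def worm_hosts(log_text, never_block=NEVER_BLOCK):
    """Count worm probes per client address, ignoring allowlisted networks
    and clients that are not logged as IP addresses."""
    hits = Counter()
    for line in log_text.strip().splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        client, _method, path, _proto, _status, _size = m.groups()
        if not is_worm_request(path):
            continue
        try:
            addr = ipaddress.ip_address(client)
        except ValueError:
            continue                         # HostnameLookups on, or junk
        if any(addr in net for net in never_block):
            continue
        hits[client] += 1
    return hits


def postfix_access_map(hits):
    """Lines for an access(5) table, to be built with postmap(1) and used as
    check_client_access hash:/etc/postfix/worm_hosts in smtpd restrictions."""
    return [f"{ip}\tREJECT worm-infected host ({n} probes)"
            for ip, n in sorted(hits.items())]


if __name__ == '__main__':
    print("\n".join(postfix_access_map(worm_hosts(SAMPLE_LOG))))
```

Run it from cron over the rotated log and postmap the output. Two things a practitioner adds before turning this on unattended: an expiry, so that a dial-up address that was infected last week is not still blocked after it has been reassigned (keep a first-seen/last-seen timestamp per address and drop entries older than a few days), and a sanity cap on the total size of the map, so a log-flooding attacker cannot turn your own filter into a denial of service against your legitimate senders.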
Re: SPAM Prevention/Blacklists
on Fri, Mar 05, 2004 at 07:36:36PM +, Paul Vixie wrote: reject_rbl_client blackholes.easynet.nl, reject_rbl_client dynablock.easynet.nl, reject_rbl_client proxies.easynet.nl FYI, easynet.nl stopped hosting their DNSBLs in December. http://groups.google.com/groups?selm=q60srv0prtpgqobe9icdlk4birg0t61v77%40thor.wirehub.nl -- hesketh.com/inc. v: (919) 834-2552 f: (919) 834-2554 w: http://hesketh.com Book publishing is second only to furniture delivery in slowness. -b. schneier
Re: [OT: slightly]Looking for Engineers
Currently Progress Telecom LLC is in need of 1 or 2 qualified IP engineers in the St. Pete area. so anyone who is willing to be a whore for a list spammer should just sign up right now. ... and the horse you rode in on. randy
Re: [OT: slightly]Looking for Engineers
On Mar 5, 2004, at 2:52 PM, Randy Bush wrote: so anyone who is willing to be a whore for a list spammer should just sign up right now. I don't see anything specifically in NANOG's AUP or in the Charter implying that this sort of thing is prohibited. Am I not looking hard enough? ... and the horse you rode in on. randy
Re: [OT: slightly]Looking for Engineers
Jason Lixfeld wrote: I don't see anything specifically in NANOG's AUP or in the Charter implying that this sort of thing is prohibited. Am I not looking hard enough? It mentioned BGP and stuff as I recall, so that should be OK.
Re: UUNet Offer New Protection Against DDoS
Terranson, Alif wrote: As long as we're doing Me Too... Savvis has had prefix:666 for around 18 months as well. Do you know if CW does? Or will that wait until the integration? This thread has caused me to add this as a requirement for a new gigabit ISP circuit I am ordering, as well as uRPF in the core, etc. I've had two ISPs say We don't do this yet, but based on the fact you are making it a requirement, we will roll those functions out into our core. Steve Voting with his money for better net-security Alif Terranson OpSec Engineering Manager Operations Security Department Savvis Communications Corporation (314) 628-7602 Voice (314) 208-2306 Pager (618) 558-5854 Cell -Original Message- From: Michael Hallgren [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 03, 2004 3:45 PM To: [EMAIL PROTECTED] Subject: RE: UUNet Offer New Protection Against DDoS Global Crossing has this, already in production. Idem, Teleglobe, mh I was on the phone with Qwest yesterday this was one of this things I asked about. Qwest indicated they are going to deploy this shortly. (i.e., send routes tagged with a community which they will set to null) James Edwards Routing and Security [EMAIL PROTECTED] At the Santa Fe Office: Internet at Cyber Mesa Store hours: 9-6 Monday through Friday 505-988-9200 SIP:1(747)669-1965
Re: UUNet Offer New Protection Against DDoS
On Fri, 5 Mar 2004, Steve Francis wrote: Terranson, Alif wrote: As long as we're doing Me Too... Savvis has had prefix:666 for around 18 months as well. Do you know if CW does? Or will that wait until the integration? This thread has caused me to add this as a requirement for a new gigabit ISP circuit I am ordering, as well as uRPF in the core, etc. uRPF in the core seems like a bad plan, what with diverse routes and such. Loose-mode might help SOME, but really spoofing is such a low priority issue why make it a requirement? Customer triggered blackholing is a nice feature though. --Chris (formerly [EMAIL PROTECTED]) ### ## UUNET Technologies, Inc. ## ## Manager ## ## Customer Router Security Engineering Team ## ## (W)703-886-3823 (C)703-338-7319 ## ###
RE: UUNet Offer New Protection Against DDoS
snip uRPF in the core seems like a bad plan, what with diverse routes and such. Loose-mode might help SOME, but really spoofing is such a low priority issue why make it a requirement? Customer triggered blackholing is a nice feature though. /snip Shared view, mh (Teleglobe, btw) --Chris (formerly [EMAIL PROTECTED]) ### ## UUNET Technologies, Inc. ## ## Manager ## ## Customer Router Security Engineering Team ## ## (W)703-886-3823 (C)703-338-7319 ## ###
Re: UUNet Offer New Protection Against DDoS
Christopher L. Morrow wrote: uRPF in the core seems like a bad plan, what with diverse routes and such. Loose-mode might help SOME, but really spoofing is such a low priority issue why make it a requirement? Customer triggered blackholing is a nice feature though. Obviously loose-mode. Spoofing may not be the current weapon of choice, but why not encourage the best net infrastructure?
RE: UUNet Offer New Protection Against DDoS
Terranson, Alif wrote: As long as we're doing Me Too... Savvis has had prefix:666 for around 18 months as well. Do you know if CW does? Or will that wait until the integration? While I am not 100% certain (and there are plenty of new-Savvis folks here who *do* know for sure ;-), I believe the CW network does support a BH tag. This thread has caused me to add this as a requirement for a new gigabit ISP circuit I am ordering, as well as uRPF in the core, Woah! Never said *anything* about that! No plans for it that I am aware of. No reason I can think of to do this either. etc. I've had two ISPs say We don't do this yet, but based on the fact you are making it a requirement, we will role those functions out into our core. This is really not new, and considering how easy it is to implement, I'm surprised it isn't *much* more widely implemented. Steve Voting with his money for better net-security Go Steve! Go!! Alif Terranson OpSec Engineering Mgr. Operations Security Dept. Savvis Communications Corp. (314) 628-7602 Voice (618) 558-5854 Cell (314) 628-7710 Fax
Re: UUNet Offer New Protection Against DDoS
On Fri, 5 Mar 2004, Steve Francis wrote: Christopher L. Morrow wrote: uRPF in the core seems like a bad plan, what with diverse routes and such. Loose-mode might help SOME, but really spoofing is such a low priority issue why make it a requirement? Customer triggered blackholing is a nice feature though. Obviously loose-mode. Spoofing may not be the current weapon of choice, but why not encourage the best net infrastructure? Loose mode will not save you very much, many larger backbones route lots of 'unused' or 'unallocated' ip space internally for various valid reasons, some even related to security issues for their customers. So, does stopping rfc-1918 (maybe) space help much? not really... at least not that I can see. Many flooding tools now flood from legitimate space, so the ONLY way to limit this is by filtering as close to the device sourcing the packets as possible. Nebulous filtering and dropping of minuscule amounts of traffic in the core of a large network is just a waste of effort and false panacea. --Chris (formerly [EMAIL PROTECTED]) ### ## UUNET Technologies, Inc. ## ## Manager ## ## Customer Router Security Engineering Team ## ## (W)703-886-3823 (C)703-338-7319 ## ###
Re: UUNet Offer New Protection Against DDoS
On Fri, 5 Mar 2004, Christopher L. Morrow wrote: the packets as possible. Nebulous filtering and dropping of miniscule amounts of traffic in the core of a large network is just a waste of effort and false panacea. uunet does operate lots of dialup RAS though correct? any reason why urpf is not reasonable there? just because its not perfect and doesnt solve every problem doesnt mean its useless. miniscule amounts of traffic in uunet's core is still enough to ddos many a victim into oblivion. anyone who has been ddos'd by uunet customers can appreciate that. -Dan
RE: UUNet Offer New Protection Against DDoS
On Fri, 5 Mar 2004, Christopher L. Morrow wrote: the packets as possible. Nebulous filtering and dropping of miniscule amounts of traffic in the core of a large network is just a waste of effort and false panacea. Agreed. uunet does operate lots of dialup RAS though correct? any reason why urpf is not reasonable there? Nobody I know terminates a dial connection on a *core router* ;-) //Alif Alif Terranson OpSec Engineering Mgr. Operations Security Dept. Savvis Communications Corp. (314) 628-7602 Voice (618) 558-5854 Cell (314) 628-7710 Fax
Re: How reliable does the Internet need to be?
The question in all cases is what is the level of service acceptable to regulators and emergency services coordinators? Clearly there are problems of both power and call routing which must be addressed. It's unlikely NANOG is the forum for specifying standards in this area. It is similarly unlikely the IETF is the appropriate body, though it may be a place to figure out how to meet the requirements specifications of some other body. Active discussion ongoing: http://hraunfoss.fcc.gov/edocs_public/attachmatch/DOC-243851A1.pdf /John
Information Warfare
Since it has the potential to make everyone's jobs here more interesting, I thought I'd bring it up and get everyone's opinion. This company claims to be developing a security solution that claims to fight back against attackers. I'm sure I'm not the only one here who thinks this is a tremendously bad idea. I'll let you guys tear it apart; take a look at their white paper and press release, both of which are dripping with enough war analogies and corporate bizspeak to make any self-respecting techie cringe. http://symbiot.com/ -- John Bishop -- [EMAIL PROTECTED] http://lasthome.net/~moonwick/ When I'm working on a problem, I never think about beauty. I think only how to solve the problem. But when I have finished, if the solution is not beautiful, I know it is wrong. -- R. Buckminster Fuller
Re: How reliable does the Internet need to be?
Please... I'm not a browser.

On Sat, 2004-03-06 at 02:57, John Curran wrote:
> The question in all cases is what is the level of service acceptable to regulators and emergency services coordinators? Clearly there are problems of both power and call routing which must be addressed. It's unlikely NANOG is the forum for specifying standards in this area. It is similarly unlikely the IETF is the appropriate body, though it may be a place to figure out how to meet the requirements specifications of some other body. Active discussion ongoing: http://hraunfoss.fcc.gov/edocs_public/attachmatch/DOC-243851A1.pdf
> /John

--
Erik Haagsman
Network Architect, We Dare BV
tel: +31.10.7507008
fax: +31.10.7507005
http://www.we-dare.nl
Re: iMPLS benefit
Dave,

> Hey Suki,
>
> On Thu, Mar 04, 2004 at 02:14:20PM -0800, sonet twister wrote:
> > Hello, I heard there is a way to run MPLS for layer 3 VPN (2547) service without needing to run label switching in the core (LDP/TDP/RSVP) but straight IP (aka iMPLS).
>
> ftp://ftp.ietf.org/internet-drafts/draft-townsley-l2tpv3-mpls-01.txt
> See also Mark's talk from the last NANOG: http://nanog.org/mtg-0402/townsley.html

That requires running L2TP. An alternative is to run GRE (or even plain IP). The latter (GRE) is implemented by quite a few vendors (and is known to be interoperable among multiple vendors). The spec is draft-ietf-l3vpn-gre-ip-2547-01.txt.

Yakov.
Re: iMPLS benefit
On Fri, Mar 05, 2004 at 10:02:10AM -0800, Yakov Rekhter wrote:
> Dave,
>
> > Hey Suki,
> >
> > On Thu, Mar 04, 2004 at 02:14:20PM -0800, sonet twister wrote:
> > > Hello, I heard there is a way to run MPLS for layer 3 VPN (2547) service without needing to run label switching in the core (LDP/TDP/RSVP) but straight IP (aka iMPLS).
> >
> > ftp://ftp.ietf.org/internet-drafts/draft-townsley-l2tpv3-mpls-01.txt
> > See also Mark's talk from the last NANOG: http://nanog.org/mtg-0402/townsley.html
>
> That requires running L2TP. An alternative is to run GRE (or even plain IP). The latter (GRE) is implemented by quite a few vendors (and is known to be interoperable among multiple vendors). The spec is draft-ietf-l3vpn-gre-ip-2547-01.txt.

Yep, you are correct. Sorry not to cite that one too.

Dave
Re: UUNet Offer New Protection Against DDoS
On Fri, 5 Mar 2004, Dan Hollis wrote:
> On Fri, 5 Mar 2004, Christopher L. Morrow wrote:
> > the packets as possible. Nebulous filtering and dropping of minuscule amounts of traffic in the core of a large network is just a waste of effort and a false panacea.
> uunet does operate lots of dialup RAS though, correct? Any reason why uRPF is not reasonable there?

For some, sure; for others, perhaps not :( We have some customers with dedicated networks over dial, some with dial-backup and even some with DSL backup.

> Just because it's not perfect and doesn't solve every problem doesn't mean it's useless.

Sure, I'm just not really sure that the core is the right place to do this... I agree that the edge is a fine place (I'd prefer not my edge :) but the edge is the right place). You can make all the decisions correctly there; you can not in the core.

> Minuscule amounts of traffic in uunet's core is still enough to DDoS many a victim into oblivion. Anyone who has been DDoS'd by uunet customers can appreciate that.

Minuscule is enough to cause problems in anyone's network. The point here was: the core isn't the right place for this. I wasn't really trying to argue the 'uRPF is good' or 'uRPF is bad' argument, just the placement. Sorry if I made that confusing earlier.

--Chris (formerly [EMAIL PROTECTED])
UUNET Technologies, Inc.
Manager, Customer Router Security Engineering Team
(W)703-886-3823 (C)703-338-7319
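To make the placement argument in this thread concrete, here is an added toy uRPF check (example code, not from the thread or any vendor) that runs strict and loose mode over a constructed edge-router FIB. Interface names, prefixes and packets are all constructed, and it assumes the default route does not count as a route back to the source; it shows that loose mode passes a spoofed source from any routed block, including RFC 1918 space a backbone routes internally, while strict mode on the customer port rejects anything that does not belong to that port.

```python
"""Toy uRPF check (strict vs loose) over a constructed edge-router FIB. Added
illustration, not vendor code; the default route is assumed not to count."""
import ipaddress

# Constructed FIB: prefix -> egress interface (cust1 = customer port, core = uplink, int0 = internal)
EDGE_FIB = {
    "0.0.0.0/0": "core",        # default route (ignored by the check)
    "203.0.113.0/24": "cust1",  # customer 1's allocated block
    "198.51.100.0/24": "core",  # another customer's block, reached via core
    "10.0.0.0/8": "int0",       # RFC 1918 space routed internally, as Chris notes
}

def lookup(fib, src):
    """Longest-prefix match for src; returns (network, interface) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def urpf_allows(fib, ingress, src, mode):
    """Loose: any non-default route to src passes; strict: it must point back out ingress."""
    match = lookup(fib, src)
    if match is None or match[0].prefixlen == 0:
        return False  # no route back to the source: dropped in both modes
    if mode == "loose":
        return True
    if mode == "strict":
        return match[1] == ingress
    raise ValueError(f"unknown uRPF mode {mode!r}")

# Constructed packets arriving on customer port cust1: (source, why it matters)
PACKETS = [
    ("203.0.113.10", "customer's own address"),
    ("198.51.100.5", "spoofed from another customer's legitimate block"),
    ("10.1.2.3", "spoofed RFC 1918 source the backbone routes internally"),
    ("192.0.2.7", "spoofed from space with no route at all"),
]

def evaluate(fib, ingress, packets):
    """Map each source to its loose/strict verdict on the given ingress port."""
    return {s: {m: urpf_allows(fib, ingress, s, m) for m in ("loose", "strict")}
            for s, _ in packets}

if __name__ == "__main__":
    for src, why in PACKETS:
        v = evaluate(EDGE_FIB, "cust1", [(src, why)])[src]
        print(f"{src:14} loose={v['loose']!s:5} strict={v['strict']!s:5} {why}")
```

Only the last packet is dropped by loose mode; the two spoofed-from-routed-space packets are caught solely by strict mode on the port that sourced them, which is the edge placement the thread ends up agreeing on.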