Re: dealing with w32/bagle

2004-03-05 Thread JC Dill
At 07:39 PM 3/4/2004, Curtis Maurand wrote:
 Too many steps.
Once it's installed and configured, this one is drag and drop:

http://www.hilgraeve.com/dropchute/

They also have a solution for dynamic addressing:

http://www.hilgraeve.com/KB/KnowledgeBase/index_html?topic=DropChute&article=30002

DropChute can work with and connect to dynamic IP addresses through the 
use of the address server, ldap.dropchute.com. With the address server 
available to you, you can wait for calls on the Internet using a dynamic 
IP address assigned by your Internet service provider. Your DropChute will 
post the address on the address server so others can connect to you.
jc



--

p.s.  Please do not cc me on replies to the list.  Please reply to the list 
only, or to me only (as you prefer) but not to both. 



Re: dealing with w32/bagle

2004-03-05 Thread Sam Stickland

Curtis Maurand wrote:
 On Thu, 4 Mar 2004, Laurence F. Sheldon, Jr. wrote:


 Jeff Shultz wrote:

 There are others.
 unquote


 But nothing that's been developed.  Joe user's IP address changes on a
 regular basis.  One would still need to find that machine.  DNS gets
 cached (some go past TTLs I've set) and is too static to be an
 effective means to get a file.

 Most instant messengers have facilities for exchanging files, but both
 sides need to be connected at the same time.  Having that file in an
 email is better.

 I like SCP, too.  It works well, so well that I use that, instead of
 ftp. You still have to find the other end that has its address
 changed every day or two.  With email, only one end needs to be
 connected at any one time.  email is about the most convenient and
 easiest way that I know of to get pictures of little Johnnie to
 Grandmother in a way that is easy for her to understand.  Whatever
 anyone proposes needs to be that easy. Chances are that Grandma's not
 a geek like most of us.

In terms of whether the system is open to abuse or not, part of the problem
is the simplicity you need to achieve for it to take off in the first place. If
it's simple, it can be automated. If it can be automated, it's open to
automated abuse.

(NB/OT: Perhaps the only solution is systems that can detect when they are
being abused and do something to force manual intervention. That could take
whatever form it needs to, from manual account reactivation, more passwords,
or reverse Turing tests - depending on which party is required to take
action.

But I don't see systems like this being developed and deployed anytime soon
;) )



The Cidr Report

2004-03-05 Thread cidr-report

This report has been generated at Fri Mar  5 21:48:09 2004 AEST.
The report analyses the BGP Routing Table of an AS4637 (Reach) router
and generates a report on aggregation potential within the table.

Check http://www.cidr-report.org/as4637 for a current version of this report.

Recent Table History
Date      Prefixes  CIDR Agg
27-02-04  132022    92109
28-02-04  132095    92116
29-02-04  132186    92115
01-03-04  132204    92062
02-03-04  13        91984
03-03-04  132040    92020
04-03-04  132129    92142
05-03-04  132261    92225


AS Summary
 16688  Number of ASes in routing system
  6718  Number of ASes announcing only one prefix
  1385  Largest number of prefixes announced by an AS
AS7018 : ATTW AT&T WorldNet Services
  73583360  Largest address span announced by an AS (/32s)
AS568  : DISOUN DISO-UNRRA


Aggregation Summary
The algorithm used in this report proposes aggregation only
when there is a precise match using the AS path, so as 
to preserve traffic transit policies. Aggregation is also
proposed across non-advertised address space ('holes').

 --- 05Mar04 ---
ASnum    NetsNow  NetsAggr  NetGain  % Gain  Description

Table     132415     92202    40213   30.4%  All ASes

AS4323       694       205      489   70.5%  TWC-34 Time Warner Communications, Inc.
AS7018      1385       963      422   30.5%  ATTW AT&T WorldNet Services
AS6197       676       302      374   55.3%  BNS-14 BellSouth Network Solutions, Inc
AS701       1319       946      373   28.3%  UU UUNET Technologies, Inc.
AS7843       491       120      371   75.6%  ADELPH-13 Adelphia Corp.
AS27364      388        33      355   91.5%  ARMC Armstrong Cable Services
AS6198       545       215      330   60.6%  BNS-14 BellSouth Network Solutions, Inc
AS4134       646       326      320   49.5%  CHINANET-BACKBONE No.31,Jin-rong Street
AS22909      354        34      320   90.4%  CMCS Comcast Cable Communications, Inc.
AS22773      349        37      312   89.4%  CXAB Cox Communications Inc. Atlanta
AS1239       939       655      284   30.2%  SPRN Sprint
AS4355       385       101      284   73.8%  ERSD EARTHLINK, INC
AS6347       367        87      280   76.3%  SAVV SAVVIS Communications Corporation
AS9583       387       118      269   69.5%  SATYAMNET-AS Satyam Infoway Ltd.,
AS6140       373       110      263   70.5%  IMPSA ImpSat
AS17676      295        42      253   85.8%  JPNIC-JP-ASN-BLOCK Japan Network Information Center
AS1221       888       644      244   27.5%  ASN-TELSTRA Telstra Pty Ltd
AS6478       267        40      227   85.0%  ATTW AT&T WorldNet Services
AS25844      243        16      227   93.4%  SASMFL-2 Skadden, Arps, Slate, Meagher & Flom LLP
AS209        720       507      213   29.6%  QWEST-4 Qwest
AS14654      214         4      210   98.1%  WAYPOR-3 Wayport
AS11305      242        41      201   83.1%  INTERL-80 Interland Incorporated
AS2386       431       240      191   44.3%  ADCS-1 AT&T Data Communications Services
AS4766       436       245      191   43.8%  KIX Korea Internet Exchange for 96 World Internet Exposition
AS5668       349       161      188   53.9%  CIH-12 CenturyTel Internet Holdings, Inc.
AS20115      605       419      186   30.7%  CHARTE-72 Charter Communications
AS4519       204        21      183   89.7%  MAASCO Maas Communications
AS9929       209        30      179   85.6%  CNCNET-CN China Netcom Corp.
AS6327       206        28      178   86.4%  SHAWC-2 Shaw Communications Inc.
AS3356       849       681      168   19.8%  LEVEL3 Level 3 Communications

Total      15456      7371     8085   52.3%  Top 30 total


Possible Bogus Routes

24.138.80.0/20   AS11260  AHSICHCL Andara High Speed Internet c/o Halifax Cable Ltd.
64.46.0.0/18     AS7850   IHIGHW iHighway.net, Inc.
64.46.4.0/22     AS11711  TULARO TULAROSA COMMUNICATIONS
64.46.12.0/24    AS7850   IHIGHW iHighway.net, Inc.
64.46.27.0/24    AS8674   NETNOD-IX Netnod Internet Exchange Sverige AB
  

The attachment mess, was w32/bagle

2004-03-05 Thread David Lesher

Speaking on Deep Background, the Press Secretary whispered:

  pass.  I will be the first to admit that using mail as a file transfer protocol
  isn't the way to go, but getting people to realize that (and forcing them to
  change) is next to impossible.  

  Until there's an easy way of getting a file to your friend down the 
  street that's as easy as sending an email, we're stuck with this.

  Curtis

I've pipedreamed a scheme that would do this:

Sending Luser drops file on to Attached File line in the MUA
{say, Eudora} and Sends.

MUA opens https to its own MTA/server, encrypts & uploads
file and designates file name. It puts the unique
URL/key into the pseudo-Attachment line of the mailer. 
[Attachment's encrypted so that if the mail itself is,
the file would not be lesser-protected. Real security would
require the MUA, not the MTA to do encryption, I guess]

Receiving Luser (RL) gets message with Attachment link. {S}he
clicks on it, not really knowing/caring it is a https link.
Decrypted attachment is dumped on RL's desktop.

Behind the scenes, the Sending MTA notes the file was grabbed. It
has a set of expiration rules, whatever its local policy is --
X days if not yet grabbed one, Y days after the first, -- 
a history file a la Usenet spool. SMTA expires old messages.

The advantage to the MTA operators is no longer will people try
to cram 35 MB Powerpoint files down mail pipes. Yes, they are
stuck storing the files for a few days, and moving later; but
?some? will never be moved at all, saving BW. {The old what's
cheaper, disk or pipe? issue arises here.} Further, Attachment
transfer BW could be QOS'ed downscale.

Variations might be the file is not stored by the SendingMTA but
pushed to the ReceivingMTA/MX. Or when the RL opens mail,
it's moved from SMTA to RMTA/MX, and then to the RL.

I'd have thunk someone already thought of all this, but I've not
seen such discussed.

Even a clueless guy like me can see there are multiple reasons
It Won't Fly, some perhaps solvable.

a) 
Gripe:  Attached Files would expire. Someone Would Complain.

Response:   BFD. Tell the sender to mail that file again..

b) 
G:  Mail Systems operators are stuck storing files & must run
expiration scripts.

R:  And this is worse than the terabytes now being queued? Plus,
space could be limited and maybe chargeable.

c)
G:  Critical Mass needed before it can be usable at
all. You'll never ever get there unless Billy
puts it into LookOut^H^H^HOutlook.

R:  Yea.


In order to crack c), I guess it would take not just a solid
RFC and running code, but a 900# gorilla demanding such, maybe
Earthlink or AOL.



Flaming session is now open. I'm not awake yet, so I plead
the Hypnos Defense.




-- 
A host is a host from coast to [EMAIL PROTECTED]
 no one will talk to a host that's close[v].(301) 56-LINUX
Unless the host (that isn't close).pob 1433
is busy, hung or dead20915-1433
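The store-and-expire half of the scheme, as an added example that is not part of the original post or of any mailer: a small Python model of the sending MTA's attachment store. Upload hands back an unguessable link, fetch records the first grab, and expire applies the "X days if never grabbed, Y days after the first grab" rule. The class and method names, the placeholder host in BASE_URL and the 7-day/2-day policy values are assumptions; the https endpoint and the MUA side are left out.

```python
"""Toy model of the "link instead of attachment" scheme sketched above.

Added example, not code from the original post. It models only the sending
MTA's store: upload returns an unguessable link, fetch records the first grab,
expire applies the X-days-unclaimed / Y-days-after-first-grab policy. The
class and method names and the policy values are hypothetical; the https
endpoint and the MUA side are left out.
"""
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

BASE_URL = "https://mta.example.invalid/attach/"  # placeholder host, not a real service


@dataclass
class StoredFile:
    name: str
    blob: bytes
    uploaded: datetime
    first_fetch: Optional[datetime] = None  # None until the receiver grabs it
    fetches: int = 0


class AttachmentStore:
    def __init__(self, unclaimed_days: int = 7, claimed_days: int = 2):
        # X days if never grabbed, Y days after the first grab (hypothetical numbers)
        self.unclaimed = timedelta(days=unclaimed_days)
        self.claimed = timedelta(days=claimed_days)
        self._files: dict[str, StoredFile] = {}

    def upload(self, name: str, blob: bytes, now: datetime) -> str:
        # The link is a bearer token: 32 random bytes so it cannot be enumerated
        key = secrets.token_urlsafe(32)
        self._files[key] = StoredFile(name, blob, now)
        return BASE_URL + key

    def fetch(self, url: str, now: datetime):
        key = url.rsplit("/", 1)[-1]
        f = self._files.get(key)
        if f is None:
            return None  # unknown, tampered or already expired link
        if f.first_fetch is None:
            f.first_fetch = now  # "the Sending MTA notes the file was grabbed"
        f.fetches += 1
        return f.name, f.blob

    def expire(self, now: datetime) -> list[str]:
        """Drop files past their deadline; returns the names removed, in store order."""
        removed = []
        for key, f in list(self._files.items()):
            if f.first_fetch is None:
                deadline = f.uploaded + self.unclaimed
            else:
                deadline = f.first_fetch + self.claimed
            if now >= deadline:
                removed.append(f.name)
                del self._files[key]
        return removed

    def __len__(self) -> int:
        return len(self._files)


def demo():
    """Walk two constructed files through the policy; returns what each step observed."""
    t0 = datetime(2004, 3, 5, 9, 0)
    store = AttachmentStore(unclaimed_days=7, claimed_days=2)
    link_pic = store.upload("johnnie.jpg", b"\xff\xd8\xff", t0)
    link_ppt = store.upload("deck.ppt", b"\xd0\xcf\x11\xe0", t0)
    grabbed = store.fetch(link_pic, t0 + timedelta(hours=3))       # Grandma clicks the link
    bogus = store.fetch(BASE_URL + "not-a-real-key", t0)            # guessed link: nothing
    day1 = store.expire(t0 + timedelta(days=1))                     # nothing due yet
    day2 = store.expire(t0 + timedelta(days=2, hours=3))            # 2 days after first grab
    regrab = store.fetch(link_pic, t0 + timedelta(days=3))          # link now dead
    day7 = store.expire(t0 + timedelta(days=7))                     # never-grabbed file expires
    return grabbed, bogus, day1, day2, regrab, day7, len(store)


if __name__ == "__main__":
    print(demo())
```

The link is a bearer token, so the store's security rests on the key's entropy and on the link only travelling inside the (ideally encrypted) mail; the fetch counter is kept so an operator can later see whether a link was followed once by the intended recipient or many times from elsewhere.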


One hint - how to detect invected machines _post morten_... Re: dealing with w32/bagle

2004-03-05 Thread Alexei Roudnev

Just for information - may be useful for someone.

Task - we determined that a few infected machines were connected to one of our
offices a few days ago.
They ran one of those viruses which generate a lot of scans and created
significant traffic (but the traffic was not
big enough to raise an alarm on the outgoing gateway). Activity was short.

The computers are not connected at the time of the investigation.

The IDS system and Cisco logs were not active in this office (a few tricks with
Cisco ACLs and logs allow many viruses to be detected instantly; good IDS
systems can do it as well).

Solution:
- get all port statistics from the switch (using SNMPGET and a simple
'telnetting' script - we have a 'RUN-cmd' tool allowing us to run switch commands
from a shell file);
- remove all ports with traffic less than some threshold;
- calculate the IN/OUT packets ratio for the rest of the ports;
- find ports where the IN/OUT ratio (IN - to switch) > 6;
- in these ports, find ports with average packet size < 256 bytes;

It shows all ports with infected notebooks (even if the notebook was connected
for half a day).

PS. Of course, after this a few additional monitoring tools were installed, and
we added _all_ switches and _all_ ports to the 'snmpstat' monitoring system (it
allows us to see traffic in real time, and analyze historical charts,
including such things as packet size).
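The five steps above as runnable detection logic, added here as an example; it is not the poster's 'RUN-cmd' or 'snmpstat' tooling, neither of which is on the page. The input is a constructed listing in the shape Net-SNMP's snmpwalk prints for IF-MIB counters, the ratio and packet-size thresholds are the ones stated in the message, and the quiet-port cut-off of 1000 packets is an assumption.

```python
"""Post-mortem scan detection from switch port counters, following the steps above.

Added example, not the poster's 'RUN-cmd' or 'snmpstat' tooling (neither is on
the page). The input is constructed text in the shape Net-SNMP's snmpwalk
prints for IF-MIB; the thresholds are the ones stated in the message, with the
quiet-port cut-off (min_pkts) chosen here as an assumption.
"""
import re
from dataclasses import dataclass

# Counter names as they appear in an IF-MIB walk. "In" is towards the switch,
# i.e. what the attached host sends; "Out" is what the switch sends to it.
WALK_LINE = re.compile(
    r"^IF-MIB::(?P<obj>ifInOctets|ifInUcastPkts|ifOutOctets|ifOutUcastPkts)"
    r"\.(?P<ifindex>\d+) = Counter32: (?P<value>\d+)$"
)

# Constructed sample: port 1 a normal desktop, port 2 idle, port 3 a scanning
# notebook (many small outbound packets, few replies), port 4 a bulk sender.
SAMPLE_WALK = """\
IF-MIB::ifInOctets.1 = Counter32: 120000000
IF-MIB::ifInOctets.2 = Counter32: 1200
IF-MIB::ifInOctets.3 = Counter32: 48000000
IF-MIB::ifInOctets.4 = Counter32: 900000000
IF-MIB::ifInUcastPkts.1 = Counter32: 90000
IF-MIB::ifInUcastPkts.2 = Counter32: 20
IF-MIB::ifInUcastPkts.3 = Counter32: 600000
IF-MIB::ifInUcastPkts.4 = Counter32: 700000
IF-MIB::ifOutOctets.1 = Counter32: 115000000
IF-MIB::ifOutOctets.2 = Counter32: 900
IF-MIB::ifOutOctets.3 = Counter32: 2500000
IF-MIB::ifOutOctets.4 = Counter32: 60000000
IF-MIB::ifOutUcastPkts.1 = Counter32: 88000
IF-MIB::ifOutUcastPkts.2 = Counter32: 15
IF-MIB::ifOutUcastPkts.3 = Counter32: 40000
IF-MIB::ifOutUcastPkts.4 = Counter32: 50000
"""


@dataclass(frozen=True)
class PortCounters:
    ifindex: int
    in_octets: int
    in_pkts: int
    out_octets: int
    out_pkts: int


def parse_walk(text: str) -> dict[int, PortCounters]:
    """Collect the four counters per ifIndex; ports missing any counter are skipped."""
    raw: dict[int, dict[str, int]] = {}
    for line in text.splitlines():
        m = WALK_LINE.match(line.strip())
        if not m:
            continue  # other objects or formats we do not care about
        raw.setdefault(int(m["ifindex"]), {})[m["obj"]] = int(m["value"])
    ports = {}
    for idx, c in sorted(raw.items()):
        if len(c) == 4:
            ports[idx] = PortCounters(idx, c["ifInOctets"], c["ifInUcastPkts"],
                                      c["ifOutOctets"], c["ifOutUcastPkts"])
    return ports


def suspect_ports(ports, min_pkts=1000, min_ratio=6.0, max_avg_size=256):
    """Return (ifindex, in/out ratio, avg inbound packet size) for ports that look like scanners."""
    flagged = []
    for p in ports.values():
        if p.in_pkts + p.out_pkts < min_pkts:
            continue  # step 2: too quiet to judge
        ratio = p.in_pkts / p.out_pkts if p.out_pkts else float("inf")  # send-only host: worst case
        if ratio <= min_ratio:
            continue  # step 4: roughly two-way traffic, looks like normal use
        avg_size = p.in_octets / p.in_pkts if p.in_pkts else 0.0
        if avg_size >= max_avg_size:
            continue  # step 5: big packets mean bulk transfer, not a scan
        flagged.append((p.ifindex, round(ratio, 1), round(avg_size)))
    return flagged


if __name__ == "__main__":
    for idx, ratio, size in suspect_ports(parse_walk(SAMPLE_WALK)):
        print(f"ifIndex {idx}: in/out ratio {ratio}, avg inbound packet {size} bytes -> check this port")
```

The IF-MIB counters are cumulative since the last reset, so for a bounded window take two walks and feed the differences through the same function; on 32-bit Counter32 objects a busy port can wrap between samples, which is why the high-capacity ifHC* counters are preferable where the switch supports them. Port 4 in the sample shows why the packet-size step matters: its in/out ratio is high too, but 1.3 KB average packets say bulk upload, not scanning.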






Re: dealing with w32/bagle

2004-03-05 Thread Valdis . Kletnieks
On Thu, 04 Mar 2004 22:35:03 EST, Curtis Maurand said:

 I like SCP, too.  It works well, so well that I use that, instead of ftp.  

I love SCP/SSH, and so does everybody else around here, to the point where
we're slowly stamping out the last remnants of telnet and non-anonymous FTP.
However

I might want to send you a file, but you probably don't want to give me a
userid on the machine you'll receive it on, and I probably don't want to give
you a userid on my laptop  Somewhat limits the options for the general
case.





RE: One hint - how to detect invected machines _post morten_... Re: dealing with w32/bagle

2004-03-05 Thread McBurnett, Jim

Take a look at Kiwi-cattools. It has some great Cisco automation ability..
Well, Cisco, Enterasys, Redhat etc.
www.kiwisyslog.com
You can run commands on hundreds of devices on a schedule..
I use it to pull config backups and certain reports I want directly from the
devices..

Jim
--Original Message-
-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
-Alexei Roudnev
-Sent: Friday, March 05, 2004 11:20 AM
-To: Sam Stickland; [EMAIL PROTECTED]
-Subject: One hint - how to detect invected machines _post 
-morten_... Re:
-dealing with w32/bagle
-
-
-
-Just for information - may be useful for someone.
-
-Task - we determined, that few infected machines was 
-connected to one of our
-offices few days ago.
-They run one of this viruses, which generated a lot of scans 
-and created
-sugnificant traffic (but traffic was not
-big enough to rais alarm on outgoing gateway). Activity was short.
-
-Computers are not connected in the time of investigation.
-
-IDS system and Cisco logs was not active in this  office (few 
-tricks with
-Cisco ACL's and logs allows to detect many viruses instantly; good IDS
-systems can do it as well).
-
-Solution:
-- get all port statistics from switch (using SNMPGET and using simple
-'telnetting' script - we have 'RUN-cmd' tool allowing to run 
-switch commands
-from shell file;
-- remove all ports with traffic less than some threshold;
-- calculate IN/OUT packets ratio for the rest of ports;
-- find ports, where IN/OUT ratio (IN - to switch) > 6;
-- in this ports, find ports with average packet size < 256 bytes;
-
-It shows all ports with infected notebooks (even if notebook 
-was connected
-for a half of day).
-
-PS. Of course, after this few additional monitoring tools was 
-installed, and
-we added _all_ switches and _all_ ports to 'snmpstat' 
-monitoring system (it
-allows to see a traffic in real time, and analiz historical charts,
-including such things as packet size).
-
-
-
-
-


Re: dealing with w32/bagle

2004-03-05 Thread Jeff Shultz

** Reply to message from JC Dill [EMAIL PROTECTED] on Fri, 05 Mar
2004 00:11:48 -0800

 At 07:39 PM 3/4/2004, Curtis Maurand wrote:
 Too many steps.
 
 Once it's installed and configured, this one is drag and drop:
 
 http://www.hilgraeve.com/dropchute/
 
 They also have a solution for dynamic addressing:
 
 http://www.hilgraeve.com/KB/KnowledgeBase/index_html?topic=DropChute&article=30002
 
 DropChute can work with and connect to dynamic IP addresses through the 
 use of the address server. ldap.dropchute.com. With the address server 
 available to you, you can wait for calls on the Internet using a dynamic 
 IP address assigned by your Internet service provider. Your DropChute will 
 post the address on the address server so others can connect to you.
 
 jc

Looks like IM with an accent on file transfer instead of chatting - if
I'm not mistaken it requires both computers to be on at the same time?
Please don't forget all those dialup users out there - they still
outnumber the DSL's and cablemodems of the world. This needs to be
store-n-forward in some way.

-- 
Jeff Shultz
Loose nut behind the wheel. 



Re: One hint - how to detect invected machines _post morten_... Re: dealing with w32/bagle

2004-03-05 Thread Arnold Nipper
On 05.03.2004 17:26 McBurnett, Jim wrote:

Take a look at Kiwi-cattools. It has some great Cisco Automation ability..
Well, Cisco, Entersys, Redhat etc.
www.kiwisyslog.com
You can run commands on hundreds of devices on a schedule..
I use to pull config backups and certain reports I want directly from the
devices..
And not to forget the magic RANCID (http://www.shrubbery.net/rancid/). 
You can't live without rancid if you have to do router/switch 
manipulation/polling ...



Arnold



Re: One hint - how to detect invected machines _post morten_... Re: dealing with w32/bagle

2004-03-05 Thread Alexei Roudnev

It is interesting, I will look. We have the same system (CCR 1.1 - Cisco
Configuration Repository), which can read configurations (manually or on
schedule), keep change history in CVS, and can be easily adapted for running
commands (in reality, it has
a few tools to run a command), and we were thinking about putting it on
sourceforge as a part of the 'snmpstat' system, but
I found a few interesting _existing_ systems as well, so we will look.

What we did additionally - add some security - if, for some reason, the company
does not want to keep passwords in public/private key encrypted format (which
means that root can decrypt them), you can use PASSPHRASE mode (which
allows passwords to be encrypted using a passphrase, so operators must know this
phrase but are not required to know the exact passwords) or you can use explicit
passwords.

One more question - does anyone know of tools allowing one to generate a 'cisco
update' based on 2 configurations (old and new)? We wrote such a thing 4 years
ago (in Russia), but it was still limited to our scope of configurations.



- Original Message - 
From: McBurnett, Jim [EMAIL PROTECTED]
To: Alexei Roudnev [EMAIL PROTECTED]; Sam Stickland
[EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Friday, March 05, 2004 8:26 AM
Subject: RE: One hint - how to detect invected machines _post morten_... Re:
dealing with w32/bagle


Take a look at Kiwi-cattools. It has some great Cisco Automation ability..
Well, Cisco, Entersys, Redhat etc.
www.kiwisyslog.com
You can run commands on hundreds of devices on a schedule..
I use to pull config backups and certain reports I want directly from the
devices..

Jim
--Original Message-
-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
-Alexei Roudnev
-Sent: Friday, March 05, 2004 11:20 AM
-To: Sam Stickland; [EMAIL PROTECTED]
-Subject: One hint - how to detect invected machines _post
-morten_... Re:
-dealing with w32/bagle
-
-
-
-Just for information - may be useful for someone.
-
-Task - we determined, that few infected machines was
-connected to one of our
-offices few days ago.
-They run one of this viruses, which generated a lot of scans
-and created
-sugnificant traffic (but traffic was not
-big enough to rais alarm on outgoing gateway). Activity was short.
-
-Computers are not connected in the time of investigation.
-
-IDS system and Cisco logs was not active in this  office (few
-tricks with
-Cisco ACL's and logs allows to detect many viruses instantly; good IDS
-systems can do it as well).
-
-Solution:
-- get all port statistics from switch (using SNMPGET and using simple
-'telnetting' script - we have 'RUN-cmd' tool allowing to run
-switch commands
-from shell file;
-- remove all ports with traffic less than some threshold;
-- calculate IN/OUT packets ratio for the rest of ports;
-- find ports, where IN/OUT ratio (IN - to switch) > 6;
-- in this ports, find ports with average packet size < 256 bytes;
-
-It shows all ports with infected notebooks (even if notebook
-was connected
-for a half of day).
-
-PS. Of course, after this few additional monitoring tools was
-installed, and
-we added _all_ switches and _all_ ports to 'snmpstat'
-monitoring system (it
-allows to see a traffic in real time, and analiz historical charts,
-including such things as packet size).
-
-
-
-
-



Bangalore Connectivity to USA

2004-03-05 Thread Brennan_Murphy

I'm investigating connectivity options between Bangalore and the US.
Hoping to talk with others who have gone through the same process. 
What can be done to cut costs on E3+ capacity circuits? Any
recommendations such as fiber plays, wireless last mile, satellite, etc.


I prefer to hear from actual customers rather than sales persons. I
guess basically, I'm looking for a clue on how to cut costs. 


Re: dealing with w32/bagle

2004-03-05 Thread Richard Welty

On Fri, 05 Mar 2004 11:23:37 -0500 [EMAIL PROTECTED] wrote:
 I might want to send you a file, but you probably don't want to give me a
 userid on the machine you'll receive it on, and I probably don't want to give
 you a userid on my laptop  Somewhat limits the options for the general
 case.

yes, ultimately you end up falling back on http or some traditional form
of ftp, but for intermediate cases, i've had good luck using rssh in
chroot mode at customer sites where there is a need to provide
carefully constrained, secure access.

rssh:

   http://www.pizzashack.org/rssh/index.shtml

richard
-- 
Richard Welty [EMAIL PROTECTED]
Averill Park Networking 518-573-7592
Java, PHP, PostgreSQL, Unix, Linux, IP Network Engineering, Security



Email security poll

2004-03-05 Thread Jon R. Kibler
Hello all,

We are conducting an informal poll regarding email security practices.
Reply to me offlist and I will publish the results this weekend.
Identity of replies will be kept confidential and all replies deleted after tabulation.

Thanks! I will publish results this weekend. If for some reason our anti-spam filter 
bounces you, or you want to remain anonymous, please set your sender email address to 
be SURVEY _AT_ ASET.COM.
-- 
Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC  USA
(843) 849-8214



Please respond YES (Y), NO (N), or Not Applicable (N/A):

Does your organization perform any screening of email attachments?

Does your organization perform A-V checks on all email attachments?

Does your organization perform any checks on email attachment file type?

Does your organization allow users to receive executable content attachments?

Does your organization allow users to receive zip file or similar compressed 
attachments?

Does your organization allow users to receive MS Office and similar type files that 
may contain macro viruses?

Does your organization allow users to receive embedded or attached HTML email?

Does your organization allow users to receive active content attachments, such as HTML 
with SCRIPT tags?


Please respond as appropriate:
--
What AV engine do you use to screen email attachments (Symantec, NAI, FProtect, Trend, 
ClamAV, etc)?

How often does your organization update its AV signatures?







Re: One hint - how to detect invected machines _post morten_... Re: dealing with w32/bagle

2004-03-05 Thread James M. Kretchmar

Also take a look at Neo at http://www.ktools.org/ which is scriptable
and does all the SNMP work behind the scenes for you.  A beta of the
new 2.0 version (in Python) will be out within a week.

kretch

 Solution:
 - get all port statistics from switch (using SNMPGET and using simple
 'telnetting' script - we have 'RUN-cmd' tool allowing to run switch commands
 from shell file;
 - remove all ports with traffic less than some threshold;
 - calculate IN/OUT packets ratio for the rest of ports;
 - find ports, where IN/OUT ratio (IN - to switch) > 6;
 - in this ports, find ports with average packet size < 256 bytes;
 
 It shows all ports with infected notebooks (even if notebook was connected
 for a half of day).
 
 PS. Of course, after this few additional monitoring tools was installed, and
 we added _all_ switches and _all_ ports to 'snmpstat' monitoring system (it
 allows to see a traffic in real time, and analiz historical charts,
 including such things as packet size).


[OT: slightly]Looking for Engineers

2004-03-05 Thread Owens, Loren

Currently Progress Telecom LLC is in need of 1 or 2 qualified IP
engineers in the St. Pete area.  The open positions are full time
positions engineering PTC's IP network (EPIK Communications old network)
and BGP AS 19962.  The Network consists of Juniper M160/M20 routers and
Foundry NetIron switches.  Candidate must be highly skilled in BGP and
MPLS, have an ability to communicate with customers (both internal and
external), have a good working knowledge of IRRs, and have strong
trouble resolution skills.  If you are interested in applying, or for
more information please contact [EMAIL PROTECTED]

Shane


Re: SPAM Prevention/Blacklists

2004-03-05 Thread Paul Vixie

[EMAIL PROTECTED] (Brandon Shiers) writes:

 We are using the following RBL's on our MTA right now:
 
 Spamhaus (sbl-xbl)
 DSBL
 NJABL (dynablock)
 
 Are there any other good lists out there that you folks have had good 
 experience with? Any that we might want to consider taking a look at? 
 Thanks,

1. here's a chunk of my personal /usr/local/etc/postfix/main.cf file:

smtpd_recipient_restrictions =
    ...
    reject_rbl_client rbl-plus.mail-abuse.org,
    reject_rbl_client nonconfirm.mail-abuse.org,
    reject_rbl_client sbl-xbl.spamhaus.org,
    reject_rbl_client opm.blitzed.org,
    reject_rbl_client http.dnsbl.sorbs.net,
    reject_rbl_client socks.dnsbl.sorbs.net,
    reject_rbl_client misc.dnsbl.sorbs.net,
    reject_rbl_client web.dnsbl.sorbs.net,
    reject_rbl_client zombie.dnsbl.sorbs.net,
    reject_rbl_client blackholes.easynet.nl,
    reject_rbl_client dynablock.easynet.nl,
    reject_rbl_client proxies.easynet.nl

2. but the most effective list i have is one i build from the apache log,
grepping for worm spoor.  most spam is sent through proxies left behind
by worms, so if you autoblackhole worm-infected hosts you'll stop a HUGE
amount of spam in the hours and days that follow.  (spammers are now
writing and releasing worms just to create proxy nets, and are also paying
malfeasants to write and release worms just to create proxy nets.)

3. furthermore, DCC (see www.rhyolite.com/dcc) is hereby highly recommended.
-- 
Paul Vixie
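Point 2, building a list from the web-server log, as an added example that is not Vixie's own script: the log lines are constructed Apache combined-format entries, the probe patterns are a small constructed set of well-known worm request signatures (Code Red's default.ida probe, Nimda's cmd.exe and root.exe requests), and the Postfix access(5) map output is an assumption about how the list is fed back into the MTA.

```python
"""Build a local blocklist from web-server logs, in the spirit of Vixie's point 2.

Added example, not Vixie's own script. The log lines are constructed, in Apache
combined format; WORM_SPOOR is a small starting set of well-known worm probe
signatures, not a complete list. The Postfix access(5) table output is an
assumption about how the list is consumed.
"""
import re
from collections import Counter

# Apache combined log format: client, identd, user, [timestamp], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)

# Request fragments that a non-Windows web server only ever sees from worms.
WORM_SPOOR = (
    re.compile(r"/default\.ida\?", re.I),                                  # Code Red family
    re.compile(r"/winnt/system32/cmd\.exe|/scripts/root\.exe", re.I),     # Nimda family
)

# Constructed sample log: one legitimate visitor, two probing hosts (RFC 5737 addresses).
SAMPLE_LOG = """\
192.0.2.10 - - [05/Mar/2004:12:01:02 +0000] "GET / HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Mar/2004:12:01:05 +0000] "GET /default.ida?XXXXXXXX%u9090%u6858 HTTP/1.0" 404 287 "-" "-"
198.51.100.7 - - [05/Mar/2004:12:01:06 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 281 "-" "-"
203.0.113.44 - - [05/Mar/2004:12:02:10 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 294 "-" "-"
192.0.2.10 - - [05/Mar/2004:12:03:00 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Return the fields of one log line, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_worm_probe(request: str) -> bool:
    return any(p.search(request) for p in WORM_SPOOR)


def infected_hosts(log_text: str, min_hits: int = 1) -> dict[str, int]:
    """Map client address -> number of worm probes seen; min_hits filters one-off noise."""
    hits: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_worm_probe(rec["req"]):
            hits[rec["ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= min_hits}


def postfix_access_map(hosts: dict[str, int]) -> str:
    """One REJECT entry per address, in access(5) table format (consumer is an assumption)."""
    return "\n".join(f"{ip}\tREJECT worm-infected host" for ip in sorted(hosts))


if __name__ == "__main__":
    print(postfix_access_map(infected_hosts(SAMPLE_LOG)))
```

Two operational points follow from the message itself: entries must expire, because infected hosts get cleaned and dynamic addresses get reassigned to someone else within the "hours and days that follow", and min_hits should be raised on a busy server so a single stray request from a NAT gateway does not block a whole site's mail.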


Re: SPAM Prevention/Blacklists

2004-03-05 Thread Steven Champeon

on Fri, Mar 05, 2004 at 07:36:36PM +, Paul Vixie wrote:
 reject_rbl_client blackholes.easynet.nl,
 reject_rbl_client dynablock.easynet.nl,
 reject_rbl_client proxies.easynet.nl

FYI, easynet.nl stopped hosting their DNSBLs in December.

http://groups.google.com/groups?selm=q60srv0prtpgqobe9icdlk4birg0t61v77%40thor.wirehub.nl

-- 
hesketh.com/inc. v: (919) 834-2552 f: (919) 834-2554 w: http://hesketh.com
Book publishing is second only to furniture delivery in slowness. -b. schneier


Re: [OT: slightly]Looking for Engineers

2004-03-05 Thread Randy Bush

 Currently Progress Telecom LLC is in need of 1 or 2 qualified IP
 engineers in the St. Pete area.

so anyone who is willing to be a whore for a list spammer should
just sign up right now.

... and the horse you rode in on.

randy



Re: [OT: slightly]Looking for Engineers

2004-03-05 Thread Jason Lixfeld


On Mar 5, 2004, at 2:52 PM, Randy Bush wrote:

so anyone who is willing to be a whore for a list spammer should
just sign up right now.
I don't see anything specifically in NANOG's AUP or in the Charter 
implying that this sort of thing is prohibited.  Am I not looking hard 
enough?

... and the horse you rode in on.

randy




Re: [OT: slightly]Looking for Engineers

2004-03-05 Thread Laurence F. Sheldon, Jr.
Jason Lixfeld wrote:

  I don't see anything specifically in NANOG's AUP or in the Charter
implying that this sort of thing is prohibited.  Am I not looking hard 
enough?
It mentioned BGP and stuff as I recall, so that should be OK.




Re: UUNet Offer New Protection Against DDoS

2004-03-05 Thread Steve Francis
Terranson, Alif wrote:

As long as we're doing Me Too...

Savvis has had prefix:666 for around 18 months as well.
 

Do you know if CW does? Or will that wait until the integration?

This thread has caused me to add this as a requirement for a new gigabit 
ISP circuit I am ordering, as well as uRPF in the core, etc.
I've had two ISPs say "We don't do this yet, but based on the fact you 
are making it a requirement, we will roll those functions out into our 
core."

Steve
Voting with his money for better net-security
Alif Terranson
OpSec Engineering Manager
Operations Security Department
Savvis Communications Corporation
(314) 628-7602 Voice
(314) 208-2306 Pager
(618) 558-5854 Cell

-Original Message-
From: Michael Hallgren [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, March 03, 2004 3:45 PM
To: [EMAIL PROTECTED]
Subject: RE: UUNet Offer New Protection Against DDoS

 Global Crossing has this, already in production.

Idem, Teleglobe,

mh

 I was on the phone with Qwest yesterday & this was one of
 this things I asked about. Qwest indicated they are going to 
 deploy this shortly. (i.e., send routes tagged with a 
 community which they will set to null)

 James Edwards
 Routing and Security
 [EMAIL PROTECTED]
 At the Santa Fe Office: Internet at Cyber Mesa Store hours:
 9-6 Monday through Friday 505-988-9200 SIP:1(747)669-1965



Re: UUNet Offer New Protection Against DDoS

2004-03-05 Thread Christopher L. Morrow

On Fri, 5 Mar 2004, Steve Francis wrote:


 Terranson, Alif wrote:

 As long as we're doing Me Too...
 
 Savvis has had prefix:666 for around 18 months as well.
 
 
 Do you know if CW does? Or will that wait until the integration?

 This thread has caused me to add this as a requirement for a new gigabit
 ISP circuit I am ordering, as well as uRPF in the core, etc.

uRPF in the core seems like a bad plan, what with diverse routes and such.
Loose-mode might help SOME, but really spoofing is such a low priority
issue, why make it a requirement? Customer triggered blackholing is a nice
feature though.

--Chris
(formerly [EMAIL PROTECTED])
###
## UUNET Technologies, Inc.  ##
## Manager   ##
## Customer Router Security Engineering Team ##
## (W)703-886-3823 (C)703-338-7319   ##
###


RE: UUNet Offer New Protection Against DDoS

2004-03-05 Thread Michael Hallgren

 <snip>
 
 uRPF in the core seems like a bad plan, what with diverse 
 routes and such.
 Loose-mode might help SOME, but really spoofing is such a low 
 priority issue why make it a requirement? Customer triggered 
 blackholing is a nice feature though.
 
 </snip>

Shared view,

mh (Teleglobe, btw)


 --Chris
 (formerly [EMAIL PROTECTED])
 ###
 ## UUNET Technologies, Inc.  ##
 ## Manager   ##
 ## Customer Router Security Engineering Team ##
 ## (W)703-886-3823 (C)703-338-7319   ##
 ###
 
 




Re: UUNet Offer New Protection Against DDoS

2004-03-05 Thread Steve Francis
Christopher L. Morrow wrote:



uRPF in the core seems like a bad plan, what with diverse routes and such.
Loose-mode might help SOME, but really spoofing is such a low priority
issue why make it a requirement? Customer triggered blackholing is a nice
feature though.
 

Obviously loose-mode. 
Spoofing may not be the current weapon of choice, but why not encourage 
the best net infrastructure?



RE: UUNet Offer New Protection Against DDoS

2004-03-05 Thread Terranson, Alif


 Terranson, Alif wrote:
 
 As long as we're doing Me Too...
 
 Savvis has had prefix:666 for around 18 months as well.
   
 
 Do you know if CW does? Or will that wait until the integration?

While I am not 100% certain (and there are plenty of new-Savvis folks here who *do* 
know for sure ;-), I believe the CW network does support a BH tag.

 This thread has caused me to add this as a requirement for a 
 new gigabit  ISP circuit I am ordering, as well as uRPF in the core, 

Whoa!  Never said *anything* about that!  No plans for it that I am aware of.  No 
reason I can think of to do this either.

 etc.
 I've had two ISPs say We don't do this yet, but based on the 
 fact you are making it a requirement, we will role those functions out 
 into our core.

This is really not new, and considering how easy it is to implement, I'm surprised 
it isn't *much* more widely implemented.

 Steve
 Voting with his money for better net-security

Go Steve!  Go!!

Alif Terranson
OpSec Engineering Mgr.
Operations Security Dept.
Savvis Communications Corp.
(314) 628-7602 Voice
(618) 558-5854 Cell
(314) 628-7710 Fax
 


Re: UUNet Offer New Protection Against DDoS

2004-03-05 Thread Christopher L. Morrow


On Fri, 5 Mar 2004, Steve Francis wrote:

 Christopher L. Morrow wrote:

 
 
 uRPF in the core seems like a bad plan, what with diverse routes and such.
 Loose-mode might help SOME, but really spoofing is such a low priority
 issue why make it a requirement? Customer triggered blackholing is a nice
 feature though.
 
 
 
 Obviously loose-mode.
 Spoofing may not be the current weapon of choice, but why not encourage
 the best net infrastructure?


Loose mode will not save you very much, many larger backbones route lots
of 'unused' or 'unallocated' ip space internally for various valid
reasons, some even related to security issues for their customers. So,
does stopping rfc-1918 (maybe) space help much? not really... at least not
that I can see. Many flooding tools now flood from legitimate space, so
the ONLY way to limit this is by filtering as close to the device sourcing
the packets as possible. Nebulous filtering and dropping of minuscule
amounts of traffic in the core of a large network is just a waste of
effort and a false panacea.

--Chris
(formerly [EMAIL PROTECTED])
###
## UUNET Technologies, Inc.  ##
## Manager   ##
## Customer Router Security Engineering Team ##
## (W)703-886-3823 (C)703-338-7319   ##
###
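As an added illustration of the loose-mode versus strict-mode distinction Chris draws above (this is example code written for this archive, not anything from the thread or from any operator), here is a small Python model of uRPF run against two constructed FIBs with hypothetical interface names. It shows why loose mode passes spoofed packets from any routed space, including RFC 1918 space a backbone carries internally, and why strict mode in a core with diverse paths drops legitimate traffic.

```python
import ipaddress

# Constructed FIBs for two hypothetical routers (not any real operator's tables).
# Each maps prefix -> interface on which the router would forward TOWARD that prefix.
EDGE_FIB = {
    "0.0.0.0/0": "core0",          # everything else goes upstream
    "198.51.100.0/24": "cust1",    # customer 1's assigned block
    "203.0.113.0/24": "cust2",     # customer 2's assigned block
}
CORE_FIB = {
    "0.0.0.0/0": "core1",
    "198.51.100.0/24": "core1",    # best path back to customer 1 is via core1
    "203.0.113.0/24": "core2",
    "10.0.0.0/8": "mgmt0",         # RFC 1918 space routed internally for a valid reason
}

def lookup(fib, src):
    """Longest-prefix match for a source address; returns (network, interface) or None."""
    ip = ipaddress.ip_address(src)
    best = None
    for prefix, ifc in fib.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifc)
    return best

def urpf_pass(fib, src, ingress, mode):
    """True if the packet survives the uRPF check.
    strict: the best route back to src must point out the ingress interface.
    loose:  any non-default route to src is enough, whatever the interface."""
    hit = lookup(fib, src)
    if hit is None or hit[0].prefixlen == 0:   # no route, or only the default: drop
        return False
    return hit[1] == ingress if mode == "strict" else True

def demo():
    """Verdicts for four constructed packets; the comments say why each matters."""
    return {
        # Customer 1 spoofing customer 2's space: strict at the edge catches it,
        # loose does not, because 203.0.113.0/24 is legitimate, routed space.
        "edge_strict": urpf_pass(EDGE_FIB, "203.0.113.9", "cust1", "strict"),
        "edge_loose": urpf_pass(EDGE_FIB, "203.0.113.9", "cust1", "loose"),
        # RFC 1918 source seen in the core: loose passes it because 10/8 is in the FIB.
        "core_loose_1918": urpf_pass(CORE_FIB, "10.1.2.3", "core2", "loose"),
        # Legitimate customer-1 traffic arriving over a diverse path (core2) while
        # the best return route is core1: strict in the core drops good traffic.
        "core_strict_asym": urpf_pass(CORE_FIB, "198.51.100.7", "core2", "strict"),
    }
```

Calling `demo()` returns pass/drop booleans for each case; only the edge router in strict mode both blocks the spoof and keeps legitimate traffic.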


Re: UUNet Offer New Protection Against DDoS

2004-03-05 Thread Dan Hollis

On Fri, 5 Mar 2004, Christopher L. Morrow wrote:
 the packets as possible. Nebulous filtering and dropping of miniscule
 amounts of traffic in the core of a large network is just a waste of
 effort and false panacea.

uunet does operate lots of dialup RAS though correct? any reason why urpf 
is not reasonable there?

just because it's not perfect and doesn't solve every problem doesn't mean 
it's useless.

miniscule amounts of traffic in uunet's core is still enough to ddos many 
a victim into oblivion. anyone who has been ddos'd by uunet customers can 
appreciate that.

-Dan



RE: UUNet Offer New Protection Against DDoS

2004-03-05 Thread Terranson, Alif


 On Fri, 5 Mar 2004, Christopher L. Morrow wrote:
  the packets as possible. Nebulous filtering and dropping of 
  miniscule amounts of traffic in the core of a large network is 
  just a waste of effort and false panacea.

Agreed.  

 uunet does operate lots of dialup RAS though correct? any 
 reason why urpf 
 is not reasonable there?

Nobody I know terminates a dial connection on a *core router* ;-)
//Alif

Alif Terranson
OpSec Engineering Mgr.
Operations Security Dept.
Savvis Communications Corp.
(314) 628-7602 Voice
(618) 558-5854 Cell
(314) 628-7710 Fax

 


Re: How relable does the Internet need to be?

2004-03-05 Thread John Curran


The question in all cases is what is the level of
service acceptable to regulators and emergency services coordinators?
Clearly there are problems of both power and call routing which must
be addressed. It's unlikely NANOG is the forum for specifying
standards in this area. It is similarly unlikely the IETF is the
appropriate body, though it may be a place to figure out how to meet
the requirements specifications of some other
body.

Active discussion ongoing:
http://hraunfoss.fcc.gov/edocs_public/attachmatch/DOC-243851A1.pdf

/John



Information Warfare

2004-03-05 Thread John Bishop

Since it has the potential to make everyone's jobs here more interesting, I
thought I'd bring it up and get everyone's opinion.  This company claims to be
developing a security solution that claims to fight back against attackers.

I'm sure I'm not the only one here who thinks this is a tremendously bad idea.

I'll let you guys tear it apart; take a look at their white paper and press
release, both of which are dripping with enough war analogies and corporate
bizspeak to make any self-respecting techie cringe.

http://symbiot.com/

-- 
John Bishop -- [EMAIL PROTECTED]
http://lasthome.net/~moonwick/

When I'm working on a problem, I never think about beauty. I think only how to
solve the problem. But when I have finished, if the solution is not beautiful,
I know it is wrong.  -- R. Buckminster Fuller


Re: How relable does the Internet need to be?

2004-03-05 Thread Erik Haagsman

Please...I'm not a browser

On Sat, 2004-03-06 at 02:57, John Curran wrote:
  The question in all cases is what is the level of service acceptable
  to regulators and emergency services coordinators? Clearly there are
  problems of both power and call routing which must be addressed.
  It's unlikely NANOG is the forum for specifying standards in this
  area. It is similarly unlikely the IETF is the appropriate body,
  though it may be a place to figure out how to meet the requirements
  specifications of some other body.
 
 
 Active discussion ongoing:
 http://hraunfoss.fcc.gov/edocs_public/attachmatch/DOC-243851A1.pdf
 
 /John
-- 
---
Erik Haagsman
Network Architect
We Dare BV
tel: +31.10.7507008
fax: +31.10.7507005
http://www.we-dare.nl






Re: iMPLS benefit

2004-03-05 Thread Yakov Rekhter

Dave,

 Hey Suki,
 
 On Thu, Mar 04, 2004 at 02:14:20PM -0800, sonet twister wrote:
  Hello, 
   
  i heard there is a way to run MPLS for layer3 VPN(2547)
  service without needing to run label switching in the
  core(LDP/TDP/RSVP) but straight IP (aka iMPLS). 
 
   ftp://ftp.ietf.org/internet-drafts/draft-townsley-l2tpv3-mpls-01.txt
 
   See also Mark's talk from the last NANOG
 
   http://nanog.org/mtg-0402/townsley.html

That requires to run L2TP. An alternative is to run GRE (or even plain
IP). The latter (GRE) is implemented by quite a few vendors (and is
known to be interoperable among multiple vendors).

The spec is draft-ietf-l3vpn-gre-ip-2547-01.txt.

Yakov.


Re: iMPLS benefit

2004-03-05 Thread David Meyer

On Fri, Mar 05, 2004 at 10:02:10AM -0800, Yakov Rekhter wrote:
 Dave,
 
  Hey Suki,
  
  On Thu, Mar 04, 2004 at 02:14:20PM -0800, sonet twister wrote:
   Hello, 

   i heard there is a way to run MPLS for layer3 VPN(2547)
   service without needing to run label switching in the
   core(LDP/TDP/RSVP) but straight IP (aka iMPLS). 
  
 ftp://ftp.ietf.org/internet-drafts/draft-townsley-l2tpv3-mpls-01.txt
  
 See also Mark's talk from the last NANOG
  
 http://nanog.org/mtg-0402/townsley.html
 
 That requires to run L2TP. An alternative is to run GRE (or even plain
 IP). The latter (GRE) is implemented by quite a few vendors (and is
 known to be interoperable among multiple vendors).
 
 The spec is draft-ietf-l3vpn-gre-ip-2547-01.txt.

Yep, you are correct. Sorry not to cite that one too.

Dave


Re: UUNet Offer New Protection Against DDoS

2004-03-05 Thread Christopher L. Morrow


On Fri, 5 Mar 2004, Dan Hollis wrote:

 On Fri, 5 Mar 2004, Christopher L. Morrow wrote:
  the packets as possible. Nebulous filtering and dropping of miniscule
  amounts of traffic in the core of a large network is just a waste of
  effort and false panacea.

 uunet does operate lots of dialup RAS though correct? any reason why urpf
 is not reasonable there?

For some sure, for others perhaps not :( We have some customers with
dedicated networks over dial, some with dial-backup and even some with dsl
backup.


 just because it's not perfect and doesn't solve every problem doesn't mean
 it's useless.


Sure, I'm just not really sure that the core is the right place to do
this... I agree that the edge is a fine place, I'd prefer not my edge :)
but the edge is the right place. You can make all the decisions correctly
there, you can not in the core.

 miniscule amounts of traffic in uunet's core is still enough to ddos many
 a victim into oblivion. anyone who has been ddos'd by uunet customers can
 appreciate that.

miniscule is enough to cause problems in anyone's network. The point
here was: the core isn't the right place for this. I wasn't really trying to
argue the 'urpf is good' or 'urpf is bad' argument, just the placement.

Sorry if I made that confusing earlier.



--Chris
(formerly [EMAIL PROTECTED])
###
## UUNET Technologies, Inc.  ##
## Manager   ##
## Customer Router Security Engineering Team ##
## (W)703-886-3823 (C)703-338-7319   ##
###