Re: Information Warfare
On Fri, 5 Mar 2004, John Bishop wrote:

Since it has the potential to make everyone's jobs here more interesting, I thought I'd bring it up and get everyone's opinion. This company claims to be developing a security solution that claims to fight back against attackers. I'm sure I'm not the only one here who thinks this is a tremendously bad idea. I'll let you guys tear it apart; take a look at their white paper and press release, both of which are dripping with enough war analogies and corporate bizspeak to make any self-respecting techie cringe. http://symbiot.com/

Read through it. It's almost as if it was written by our current president's staff - a lot of analogies come to me, like SDI/Star Wars, 'protect your soil on foreign land' and 'strike back before they do' (without, of course, any serious proof that they are doing anything). And through it all you find absolutely no exact details on what they are planning to do and why.

But to be perfectly honest, after I saw that some of the press-release people were from Network Solutions (their "information warfare specialist" - wouldn't that be more proper to say about NSI/Verisign's marketing staff or their lawyers? :), I'm not certain if this is just a big hoopla to market itself and make big money on things you probably don't need and that are not effective, or if it is really a serious threat to the stability of the net (from NSI you can expect it either way...). But it's only 30 days before they promise to provide details, so it's fine by me to wait until they do, and for now treat the current info as just self-marketing that should be ignored until we know what they are going to offer.

Here is a quote from their press release I especially like:

... Symbiot has introduced the first and only tool that intelligently and accurately responds to hostile attacks against enterprise networks, said Richard Forno, former chief security officer for Network Solutions, and a noted information warfare specialist. While other companies offer only passive defense barriers, Symbiot provides the equivalent of an active missile defense system ...

-- William Leibzon Elan Networks [EMAIL PROTECTED]
Re: iMPLS benefit
David Meyer wrote:

On Fri, Mar 05, 2004 at 10:02:10AM -0800, Yakov Rekhter wrote:

Dave,

Hey Suki,

On Thu, Mar 04, 2004 at 02:14:20PM -0800, sonet twister wrote: Hello, I heard there is a way to run MPLS for layer 3 VPN (2547) service without needing to run label switching in the core (LDP/TDP/RSVP) but straight IP (aka iMPLS).

ftp://ftp.ietf.org/internet-drafts/draft-townsley-l2tpv3-mpls-01.txt See also Mark's talk from the last NANOG: http://nanog.org/mtg-0402/townsley.html

That requires running L2TP. An alternative is to run GRE (or even plain IP). The latter (GRE) is implemented by quite a few vendors (and is known to be interoperable among multiple vendors).

The only multi-vendor interoperable mode of GRE that I am aware of requires manual provisioning of point-to-point GRE tunnels between MPLS networks and to each and every IP-only reachable PE. The BGP extension defined in the draft below allows iMPLS for 2547 VPN support without requiring any manually provisioned tunnels (and works for mGRE or L2TPv3). http://www.watersprings.org/pub/id/draft-nalawade-kapoor-tunnel-safi-01.txt Note that mGRE (multipoint GRE) is *not* the same as the point-to-point GRE method that Yakov is referring to. Same header, different usage.

Enabling MPLS over any type of IP tunnel changes the security characteristics of your 2547 deployment, in particular with respect to packet spoofing attacks. The L2TPv3 encapsulation used with the extension defined above provides anti-spoofing protection for blind attacks (e.g., the kind that a script kiddie could launch fairly easily) with minuscule operational overhead vs. GRE, which relies on IPsec.

- Mark

The spec is draft-ietf-l3vpn-gre-ip-2547-01.txt.

Yep, you are correct. Sorry not to cite that one too.

Dave
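The anti-spoofing difference Mark describes (an L2TPv3 session cookie versus keyless GRE) in working code, as an added example that is not part of the original thread, of the cited drafts, or of any vendor implementation. It models the L2TPv3-over-IP data header from RFC 3931 (32-bit Session ID, then an optional 32- or 64-bit cookie fixed at session setup) and a keyless GRE header per RFC 2784. The session ID, cookie and MPLS payload are constructed values, and `L2tpv3Receiver`, `gre_demux` and `demo` are names invented here.

```python
import hmac
import struct

# L2TPv3 data message over IP (RFC 3931 sec. 4.1.2.1), as modelled here:
#   Session ID (4 bytes) | Cookie (0, 4 or 8 bytes, fixed per session) | payload
# The receiver looks the cookie up by Session ID and drops anything that does
# not carry the expected value. A blind (off-path) sender can forge the outer
# IP header and guess a Session ID, but must also hit a 32- or 64-bit cookie
# it has never seen.

class L2tpv3Receiver:
    def __init__(self):
        self._cookies = {}   # local Session ID -> expected cookie bytes

    def add_session(self, session_id, cookie):
        if len(cookie) not in (0, 4, 8):
            raise ValueError("cookie must be 0, 4 or 8 bytes")
        self._cookies[session_id] = cookie

    def demux(self, packet):
        """Return (payload, 'ok') if accepted, else (None, reason)."""
        if len(packet) < 4:
            return None, "truncated"
        (sid,) = struct.unpack("!I", packet[:4])
        if sid == 0:
            return None, "session 0 is the control channel, not data"
        cookie = self._cookies.get(sid)
        if cookie is None:
            return None, "unknown session id"
        end = 4 + len(cookie)
        if len(packet) < end:
            return None, "truncated"
        # constant-time compare so the check itself does not leak the cookie
        if not hmac.compare_digest(packet[4:end], cookie):
            return None, "cookie mismatch"
        return packet[end:], "ok"

def l2tpv3_frame(session_id, cookie, payload):
    return struct.pack("!I", session_id) + cookie + payload

# Minimal GRE (RFC 2784) receiver for contrast: 2 bytes flags/version,
# 2 bytes protocol type, then payload. With no key configured, a forged packet
# is accepted as soon as the outer IP header and protocol type look right.
GRE_PROTO_MPLS = 0x8847

def gre_demux(packet):
    if len(packet) < 4:
        return None, "truncated"
    flags_ver, proto = struct.unpack("!HH", packet[:4])
    if flags_ver & 0x0007:   # version field must be 0
        return None, "bad version"
    if proto != GRE_PROTO_MPLS:
        return None, "unexpected protocol type"
    return packet[4:], "ok"

def gre_frame(payload, proto=GRE_PROTO_MPLS):
    return struct.pack("!HH", 0, proto) + payload

def demo():
    """Constructed session: the id, cookie and payload are example values."""
    rx = L2tpv3Receiver()
    session_id = 0x0000A1B2
    cookie = bytes.fromhex("0123456789abcdef")   # 64-bit cookie agreed at setup
    rx.add_session(session_id, cookie)
    mpls_payload = bytes.fromhex("0003e1ff")     # one label stack entry: label 62, BoS, TTL 255
    good = rx.demux(l2tpv3_frame(session_id, cookie, mpls_payload))
    # off-path attacker: knows the outer IPs, guesses the session id, not the cookie
    forged = rx.demux(l2tpv3_frame(session_id, bytes.fromhex("deadbeefdeadbeef"), mpls_payload))
    wrong_sid = rx.demux(l2tpv3_frame(0x00000042, cookie, mpls_payload))
    # same forged payload over keyless GRE sails through
    gre_forged = gre_demux(gre_frame(mpls_payload))
    return {"good": good, "forged": forged, "wrong_sid": wrong_sid, "gre_forged": gre_forged}

if __name__ == "__main__":
    for name, (payload, reason) in demo().items():
        extra = f" payload={payload.hex()}" if payload else ""
        print(f"{name:10s} -> {reason}{extra}")
```

With a 64-bit cookie a blind sender has a 2^-64 chance per packet of being accepted; with a 32-bit cookie 2^-32, which is why the longer one is the sensible choice for a tunnel carrying VPN traffic. GRE's optional Key field (RFC 2890) is 32 bits and is defined for identifying a flow within a tunnel rather than as an authenticator, which is the reason the thread points to IPsec when GRE is the encapsulation.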
Re: Information Warfare
On Sat, Mar 06, 2004 at 01:46:33AM -0800, william(at)elan.net wrote:

http://symbiot.com/ Read through it. It's almost as if it was written by our current president's staff - a lot of analogies come to me, like SDI/Star Wars, 'protect your soil on foreign land' and 'strike back before they do' (without, of course, any serious proof that they are doing anything). And through it all you find absolutely no exact details on what they are planning to do and why.

Information Warfare? Given the state of the industry, what we need is Information Welfare.

-- Richard A Steenbergen [EMAIL PROTECTED] http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
Re: Information Warfare
Richard A Steenbergen wrote:

On Sat, Mar 06, 2004 at 01:46:33AM -0800, william(at)elan.net wrote:

http://symbiot.com/ Read through it. It's almost as if it was written by our current president's staff - a lot of analogies come to me, like SDI/Star Wars, 'protect your soil on foreign land' and 'strike back before they do' (without, of course, any serious proof that they are doing anything). And through it all you find absolutely no exact details on what they are planning to do and why.

Information Warfare? Given the state of the industry, what we need is Information Welfare.

I'd say so! SDI/Star Wars was several Presidents back, as I recall.
Re: Information Warfare
On Sat, 06 Mar 2004 10:11:16 -0600 Laurence F. Sheldon, Jr. [EMAIL PROTECTED] wrote:

Richard A Steenbergen wrote: Information Warfare? Given the state of the industry, what we need is Information Welfare.

I'd say so! SDI/Star Wars was several Presidents back, as I recall.

i was working on some government defense type projects (not SDI) back when SDI was the big rage. we all thought that the SDI was DoD contractor welfare at the time (mostly because it reduced the funds available to us non-SDI types.)

richard

-- Richard Welty [EMAIL PROTECTED] Averill Park Networking 518-573-7592 Java, PHP, PostgreSQL, Unix, Linux, IP Network Engineering, Security
Re: Information Warfare
On Saturday, March 06, 2004 4:46 AM [EST], william(at)elan.net [EMAIL PROTECTED] wrote:

Here is a quote from their press release I especially like: ... Symbiot has introduced the first and only tool that intelligently and accurately responds to hostile attacks against enterprise networks, said Richard Forno, former chief security officer for Network Solutions, and a noted information warfare specialist. While other companies offer only passive defense barriers, Symbiot provides the equivalent of an active missile defense system ...

Lovely. So not only do we now have to fend off attacks from script kiddies and packet monkeys, we now have to fend off attacks from idiot sysadmins who set this tool up and allow it to go all out on supposed 'attacks' against their systems.

I'll share my favorite goober-with-firewall story. When I was a sysadmin/netadmin at a large ISP, I used to get these 'attack' reports from clueless users all the time. I could identify which tool they used just by how the body of the message looked and how the 'attack' was described. Got ones saying that my performance testing server (which sometimes did ping scans across the dialups to see what the general response time was) was 'attacking' the user's machine with a single ICMP echo. Or how our IRC server was trying to attack the user on the ident port every time they tried to connect.

Of course, the best one was when a supposed 'security expert' called up and complained that my two caching DNS servers for the T1 customers were attacking his entire network on port 53 UDP. He had naturally filtered the 'attack' because it was obvious that our Linux DNS servers were infected with one of the latest Windows viruses going around, and suddenly no one on his network could browse the web anymore.

So, let me ask the question: do we really want people like that having a tool which autoresponds to attacks with attacks? At least when he filtered out our DNS traffic, it only affected his network... But imagine if he had launched an attack against my DNS servers in response? Yeah, that's a great idea.

Of course, now that the AHBL does its own proxy testing, we get all sorts of fun reports from end users about our 'attacks' against their machines. Latest one demanded I tell her why we had scanned her, but wouldn't tell me her IP address or when the scan happened exactly, claiming that since I had done the scan, I should know what IP she is. Too bad I test over 100,000 IP addresses daily for open proxies.

Let's not even get into the legal consequences for a tool like this, especially if it backfires and launches an attack against the NIPC, for example.

-- Brian Bruns The Summit Open Source Development Group Open Solutions For A Closed World / Anti-Spam Resources http://www.sosdg.org The Abusive Hosts Blocking List http://www.ahbl.org
Re: UUNet Offer New Protection Against DDoS
Christopher L. Morrow wrote:

minuscule amounts of traffic in uunet's core is still enough to ddos many a victim into oblivion. anyone who has been ddos'd by uunet customers can appreciate that.

minuscule is enough to cause problems in anyone's network the point here was: Core isn't the right place for this I wasn't really trying to argue the 'urpf is good' or 'urpf is bad' argument, just the placement. Sorry if I made that confusing earlier.

So we all agree that in the ideal world, everyone has anti-spoofing ACLs and route-map filters and what not on every link into their network. But in the real world... given that you are going to be peering with ISPs (or their upstreams) that do not do uRPF or anything at all on their edges, if you want to drop the patently bogus traffic, or your customers don't want to pay you for delivering it to them over links they don't want congested with it, what do you do?

I guess you can say peering links are not core, and that's fine if you run loose uRPF there, and can be assured that all access to your network has filters on all links. I was thinking of large peering routers as part of the core of an ISP, so loose uRPF is sufficient on those routers, if edges are protected. But if you are going to run loose uRPF on your peering routers, why not run it on your core? Is there a technological reason not to? Cisco OC48 line cards now support it (at least some do), and I'm almost sure Juniper does too. But I don't play in that area.

And given that there are ISPs running it in the core; that it will block some malicious traffic; and that spoofed traffic may well be used as an attack vector again (sometime people are going to have to catch on and patch machines, or worms will patch them for them, and reduce the botnet farm size. Maybe not this year, but sometime...), I still don't see why you are against it. I accept that filtering on all edges, including peering, is a better place to do it. So do you filter on, say, peering links to other tier 1s? Even so, why not have belt AND suspenders, and run it in the core?
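Strict versus loose uRPF as a FIB lookup, as an added example that is not from the thread or from any vendor's implementation. It shows the two properties being argued over above: loose mode only rejects sources with no route (or a Null0 route), so it misses a single-homed customer spoofing someone else's routed prefix, while strict mode catches that but drops legitimate traffic that arrives on a different interface than the FIB's best path, which is the asymmetric, multi-path backbone case that makes strict mode unsuitable on core and peering links. The routing table, interface names and packets are constructed for the example; `Fib`, `urpf`, `build_fib` and `evaluate` are names invented here.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interfaces: frozenset = frozenset()   # outgoing interfaces; more than one means ECMP
    discard: bool = False                 # route to Null0 (bogon / black hole)

class Fib:
    """Longest-prefix-match table, i.e. the same FIB the forwarding path consults."""
    def __init__(self, routes):
        self._routes = sorted(routes, key=lambda r: r.prefix.prefixlen, reverse=True)

    def lookup(self, addr):
        a = ipaddress.IPv4Address(addr)
        for r in self._routes:
            if a in r.prefix:
                return r
        return None

def urpf(fib, src, ingress, mode):
    """Source address validation for one packet.

    loose:  accept if the FIB has any non-discard route covering src
    strict: additionally require that route to point back out the ingress interface
    Returns True to forward, False to drop.
    """
    route = fib.lookup(src)
    if route is None or route.discard:
        return False              # unrouted or Null0 source: dropped in both modes
    if mode == "loose":
        return True
    if mode == "strict":
        return ingress in route.interfaces   # any ECMP next-hop interface is accepted
    raise ValueError(f"unknown mode {mode!r}")

def build_fib():
    """Constructed table: one single-homed customer, two peers, one bogon route."""
    N = ipaddress.IPv4Network
    return Fib([
        Route(N("192.0.2.0/24"), frozenset({"Gi0/1"})),             # single-homed customer
        Route(N("198.51.100.0/24"), frozenset({"Peer1"})),          # best path via Peer1 only
        Route(N("203.0.113.0/24"), frozenset({"Peer1", "Peer2"})),  # ECMP across two peers
        Route(N("10.0.0.0/8"), discard=True),                       # RFC 1918 space to Null0
    ])

def evaluate(fib):
    """Constructed packets as (source, ingress interface) and what each mode does."""
    cases = {
        "customer own prefix": ("192.0.2.10",   "Gi0/1"),
        "customer spoofing":   ("203.0.113.5",  "Gi0/1"),   # source belongs to someone else
        "asymmetric return":   ("198.51.100.7", "Peer2"),   # legitimate, came in via the other peer
        "ecmp path":           ("203.0.113.9",  "Peer2"),
        "rfc1918 bogon":       ("10.1.2.3",     "Peer1"),
        "unrouted source":     ("100.64.0.1",   "Peer1"),
    }
    return {name: {"strict": urpf(fib, s, i, "strict"), "loose": urpf(fib, s, i, "loose")}
            for name, (s, i) in cases.items()}

if __name__ == "__main__":
    for name, verdict in evaluate(build_fib()).items():
        print(f"{name:20s} strict={'pass' if verdict['strict'] else 'DROP':4s} "
              f"loose={'pass' if verdict['loose'] else 'DROP'}")
```

Read the "customer spoofing" and "asymmetric return" rows together: strict mode is the one that actually stops a single-homed customer from sourcing packets it does not own, which is why it belongs on customer-facing edges, and loose mode is the one that survives asymmetric routing, which is why it is what can be run on peering and core links. The model has no default route; a real deployment has to decide separately whether a default route counts as "a route" for loose mode, since treating it as one would make loose mode pass everything.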
Re: UUNet Offer New Protection Against DDoS
[EMAIL PROTECTED] (Steve Francis) writes: ... But in the real world...given that you are going to be peering with ISPs (or their upstreams) that do not do uRPF or anything at all on their edges, ... ok, i'll bite. why do we still do this? see the following from june 2001: http://www.cctec.com/maillists/nanog/historical/0106/msg00681.html (and according to that text, it was a 9-year-old idea at that time.) it's now 2004. how much longer do we want to have this problem? -- Paul Vixie
Source address validation (was Re: UUNet Offer New Protection Against DDoS)
On Sat, 6 Mar 2004, Paul Vixie wrote:

(and according to that text, it was a 9-year-old idea at that time.) it's now 2004. how much longer do we want to have this problem?

Source address validation (or Cisco's term, uRPF) is perhaps more widely deployed than people realize. It's not 100%, but what's interesting is that despite its use, it appears to have had very little impact on DDOS or lots of other bad things.

Root and other DNS servers bear the brunt of misconfigured (not necessarily malicious attack) devices. So some people's point of view may be different. But relatively few DDOS attacks use spoofed packets. If more did, they would be easier to deal with.

After all these years, perhaps it's time to re-examine the assumptions.
Re: Information Warfare
At 12:32 PM 3/6/2004, Brian Bruns wrote:

Lovely. So not only do we now have to fend off attacks from script kiddies and packet monkeys, we now have to fend off attacks from idiot sysadmins who set this tool up and allow it to go all out on supposed 'attacks' against their systems.

I think the company's name Symbiot, which is apparently a witty contraction of two English words, says it all:

Main Entry: sym·bi·o·sis
Pronunciation: sim-bE-'O-ss, -bI-
Function: noun
Inflected Form(s): plural sym·bi·o·ses /-sEz/
Etymology: New Latin, from German Symbiose, from Greek symbiOsis state of living together, from symbioun to live together, from symbios living together, from syn- + bios life -- more at QUICK
1 : the living together in more or less intimate association or close union of two dissimilar organisms
2 : the intimate living together of two dissimilar organisms in a mutually beneficial relationship; especially : MUTUALISM
3 : a cooperative relationship (as between two persons or groups) the symbiosis... between the resident population and the immigrants -- John Geipel
- sym·bi·ot·ic /-'ä-tik/ adjective
- sym·bi·ot·i·cal·ly /-ti-k(-)lE/ adverb

Main Entry: id·i·ot
Pronunciation: 'i-dE-t
Function: noun
Etymology: Middle English, from Anglo-French ydiote, from Latin idiota ignorant person, from Greek idiOtEs one in a private station, layman, ignorant person, from idios one's own, private; akin to Latin suus one's own -- more at SUICIDE
1 usually offensive : a person affected with idiocy
2 : a foolish or stupid person
- idiot adjective

It is apparently a system to allow idiots to live together with other idiots. I'm assuming that one of the idiots is the device manufacturer and the other is the customer. :)

-Robert Tellurian Networks - The Ultimate Internet Connection http://www.tellurian.com | 888-TELLURIAN | 973-300-9211 Good will, like a good name, is got by many actions, and lost by one. - Francis Jeffrey
Re: UUNet Offer New Protection Against DDoS
--On 06 March 2004 23:02 +0000 Paul Vixie [EMAIL PROTECTED] wrote:

ok, i'll bite. why do we still do this? see the following from June 2001: http://www.cctec.com/maillists/nanog/historical/0106/msg00681.html

Having had almost exactly that phrase in my peering contracts for $n years, the answer is: because if you are A, and your peer is B, then if (A > B) your spoofed traffic comes (statistically) from elsewhere, so you don't notice. You are dealing with traffic from C, where C > A, else you've signed their peering agreement and are 'peering' on their terms instead. Was I going to pull peering with $tier1 from whom the occasional DoS came? Nope.

The only way this was ever going to work was if the largest networks cascaded the requirements down to the smallest. And the largest networks were the ones for whom (quite understandably) RPF was most difficult.

DoS (read: unpaid-for, unwanted traffic) is one of the best arguments against settlement-free peering (FX: ducks, runs).

Alex
Re: Source address validation (was Re: UUNet Offer New Protection Against DDoS)
--On 06 March 2004 18:39 -0500 Sean Donelan [EMAIL PROTECTED] wrote:

Source address validation (or Cisco's term, uRPF) is perhaps more widely deployed than people realize. It's not 100%, but what's interesting is that despite its use, it appears to have had very little impact on DDOS or lots of other bad things. ... But relatively few DDOS attacks use spoofed packets. If more did, they would be easier to deal with.

AIUI that's cause and effect: the gradual implementation of source-address validation has made attacks dependent on spoofing less attractive to perpetrators, whereas the availability of large pools of zombie machines has made the use of source spoofing unnecessary. Cisco et al. have shut one door, but another one (some suggest labeled Microsoft) has opened.

Those with long memories might draw parallels with the evolution of phreaking from abuse of the core, which became (reasonably) protected, to abuse of unprotected PABXen. As I think I said only a couple of days ago, there is nothing new in the world.

Alex
Re: Source address validation (was Re: UUNet Offer New Protection Against DDoS)
After all these years, perhaps it's time to re-examine the assumptions.

it's always fun and useful to re-examine assumptions. for example, anyone who assumes that because the attacks they happen to see, or the attacks they hear about lately, don't use spoofed source addresses -- that spoofing is no longer a problem, needs to re-examine that assumption. for one thing, spoofed sources could be occurring outside local viewing. for another thing, spoofed sources could be plan B when other attacks aren't effective.

the last thing is, this is war. information warfare. the enemy knows us better than we know them, and their cost of failure is drastically lower than our cost of failure. don't be lulled into some kind of false sense of security by the fact that YOU are not seeing spoofed packets TODAY. let's close the doors we CAN close, and give attackers fewer options.
Re: Source address validation (was Re: UUNet Offer New Protection Against DDoS)
On Sun, 7 Mar 2004, Paul Vixie wrote:

don't be lulled into some kind of false sense of security by the fact that YOU are not seeing spoofed packets TODAY. let's close the doors we CAN close, and give attackers fewer options.

sadly the prevailing thought seems to be 'we can't block every exploit so we will block none'. this (and others) are used as an excuse to not deploy urpf on edge interfaces facing singlehomed customers. it's a fatalistic approach to dealing with network abuse, and it's retarded.

-Dan
Re: Source address validation (was Re: UUNet Offer New Protection Against DDoS)
On Sun, 7 Mar 2004, Paul Vixie wrote:

don't be lulled into some kind of false sense of security by the fact that YOU are not seeing spoofed packets TODAY. let's close the doors we CAN close, and give attackers fewer options.

I don't have a false sense of security. We have lots of open doors and windows and even missing walls. Let's close the doors we can close, but buying screen doors for igloos may not be the best use of resources. uRPF doesn't actually prevent any attacks.

Would you rather ISPs spend money to
1. Deploy S-BGP?
2. Deploy uRPF?
3. Respond to incident reports?
Re: Source address validation (was Re: UUNet Offer New Protection Against DDoS)
Sean Donelan wrote:

Would you rather ISPs spend money to
1. Deploy S-BGP?
2. Deploy uRPF?
3. Respond to incident reports?

Why are we limited to that set?
Re: Source address validation (was Re: UUNet Offer New Protection Against DDoS)
On Sat, 6 Mar 2004, Dan Hollis wrote:

sadly the prevailing thought seems to be 'we can't block every exploit so we will block none'. this (and others) are used as an excuse to not deploy urpf on edge interfaces facing singlehomed customers.

This is one of the few locations SAV/uRPF consistently works. SAV/uRPF is widely (but not 100%) deployed in those locations. However, I think you are mis-stating the issue. I do not know of anyone that has stated your reason as the reason not to deploy SAV/uRPF on non-routing interfaces. The issue which prompted this thread was deploying uRPF on multi-path backbone interfaces using active routing.

How many exploits does uRPF block? Biometric smart cards may do wonders for credit card fraud. Why don't credit card companies replace all existing cards with them? Does uRPF solve more problems than it causes, and save more than it costs?
Re: Source address validation (was Re: UUNet Offer New Protection Against DDoS)
... buying screen doors for igloos may not be the best use of resources. uRPF doesn't actually prevent any attacks.

actually, it would. universal uRPF would stop some attacks, and it would remove a plan B option for some attack-flowcharts. i would *much* rather play defense without facing this latent weapon available to the offense.

Would you rather ISPs spend money to 1. Deploying S-BGP? 2. Deploying uRPF? 3. Respond to incident reports?

yes. and i can remember being sick and tired of competing (on price, no less) against providers who couldn't/wouldn't do #2 or #3. i'm out of the isp business at the moment, but the race-to-the-bottom mentality is still a pain in my hindquarters, both present and remembered.
Re: SPAM Prevention/Blacklists
Are there any other good lists out there that you folks have had good experience with? Any that we might want to consider taking a look at? Thanks, As a follow-up to my previous post, for those interested, the IADB (ISIPP Accreditation Database) is now officially up and running. We'll give a courtesy listing to anyone from NANOG who is *not* a commercial sender (and listings for individuals are always free). Querying is, of course, also always free. http://www.isipp.com/iadb.php Anne Anne P. Mitchell, Esq. President/CEO Institute for Spam and Internet Public Policy
Re: One hint - how to detect infected machines _post mortem_... Re: dealing with w32/bagle
We have the same freeware system, but I 100% agree with _you can not live without it_.

- Original Message - From: Arnold Nipper [EMAIL PROTECTED] To: McBurnett, Jim [EMAIL PROTECTED] Cc: Alexei Roudnev [EMAIL PROTECTED]; Sam Stickland [EMAIL PROTECTED]; [EMAIL PROTECTED] Sent: Friday, March 05, 2004 8:37 AM Subject: Re: One hint - how to detect infected machines _post mortem_... Re: dealing with w32/bagle

On 05.03.2004 17:26 McBurnett, Jim wrote:

Take a look at Kiwi CatTools. It has some great Cisco automation ability... well, Cisco, Enterasys, Red Hat etc. www.kiwisyslog.com You can run commands on hundreds of devices on a schedule. I use it to pull config backups and certain reports I want directly from the devices.

And not to forget the magic RANCID (http://www.shrubbery.net/rancid/). You can't live without RANCID if you have to do router/switch manipulation/polling ...

Arnold
Re: Source address validation (was Re: UUNet Offer New Protection Against DDoS)
On Sat, Mar 06, 2004 at 06:39:21PM -0500, Sean Donelan wrote:

Source address validation (or Cisco's term, uRPF) is perhaps more widely deployed than people realize. It's not 100%, but what's interesting is that despite its use, it appears to have had very little impact on DDOS or lots of other bad things.

Try saying that after running a major DDoS target, with HIT ME on your forehead. No offense Sean, but I'd like you to back your claim up with some empirical data first. From experience, the majority of TCP-based denial of service attacks (which usually seem to be balanced with UDP, but ICMP is not as frequent as it once was) use spoofed sources.

-- Avleen Vig Systems Administrator Personal: www.silverwraith.com
Re: Source address validation (was Re: UUNet Offer New Protection Against DDoS)
On Sat, 6 Mar 2004, Avleen Vig wrote:

On Sat, Mar 06, 2004 at 06:39:21PM -0500, Sean Donelan wrote: Source address validation (or Cisco's term, uRPF) is perhaps more widely deployed than people realize. It's not 100%, but what's interesting is that despite its use, it appears to have had very little impact on DDOS or lots of other bad things.

Try saying that after running a major DDoS target, with HIT ME on your forehead. No offense Sean, but I'd like you to back your claim up with some empirical data first.

Has the number of DDOS attacks increased or decreased in the last few years as uRPF has become more widely deployed? Do you have any evidence the number of attacks is decreasing?
looking for broadwing IP engineer
I'm having problems tracking down a Broadwing IP engineer who can help me with what appears to be a partial hijacking of my netblock. Please contact me off-list. -- matthew zeier - Nothing in life is to be feared. It is only to be understood. - Marie Curie
Re: Source address validation (was Re: UUNet Offer New Protection
[EMAIL PROTECTED] (Sean Donelan) writes:

How many exploits does uRPF block?

that's hard to measure since we end up not receiving those. but one can assume that spoofed-source attacks aren't tried, either because (1) it's easier to just use a high number of windows-xp drones, or because of (2) uRPF deployment.

Does uRPF solve more problems than it causes, and save more than it costs?

until you know what percentage of the attacks you don't see is due to (1) vs (2) above, you can't really pose that question meaningfully. anytime there's a way to protect against a whole class of attack weapons, we have to deploy it. this is war, information warfare. let's deprive the enemy of options until we can force them to meet us on our own chosen terms.

-- Paul Vixie
Re: Source address validation (was Re: UUNet Offer New Protection
[EMAIL PROTECTED] (Sean Donelan) writes:

Try saying that after running a major DDoS target, with HIT ME on your forehead. No offense Sean, but I'd like you to back your claim up with some empirical data first.

Has the number of DDOS attacks increased or decreased in the last few years as uRPF has become more widely deployed?

the number of spoofed-source attacks is down only-slightly.

Do you have any evidence the number of attacks is decreasing?

the overall number of attacks and their volume seems to be decreasing ever-so-slightly, but the ferocity of the attacks that come through seems to be increasing more-than-slightly. and, when defending against one of these, every valid source address is worth its figurative weight in gold, and constitutes a minor compromise for the attacker, even if the host it helps to identify is disposable, easily replaced, and difficult to repair.

[ of course, sean, i could just be making that part up. but since i keep saying it and since i get attacked pretty frequently, i might be telling the truth. it could be worth assuming a little credibility and seeing where that leads you. (but, we digress.) ]

-- Paul Vixie
Re: Source address validation (was Re: UUNet Offer New Protection
On 7 Mar 2004, Paul Vixie wrote:

[EMAIL PROTECTED] (Sean Donelan) writes: Try saying that after running a major DDoS target, with HIT ME on your forehead. No offense Sean, but I'd like you to back your claim up with some empirical data first. Has the number of DDOS attacks increased or decreased in the last few years as uRPF has become more widely deployed?

the number of spoofed-source attacks is down only-slightly.

the % of spoofed and bogon traffic was measured recently at several of the root nameservers. iirc it was surprisingly high.

-Dan