Re: wholesalebandwidth.com major sponsor of spammers refuses to accept email at abuse
On Fri, 12 Mar 2004, Suresh Ramasubramanian wrote: Wholesalebandwidth = Scott Richter. http://groups.google.com/groups?q=scott+richter+wholesalebandwidth You can safely nullroute 69.6.0.0/18 You can say that again. He's a strong third on my list: http://mrtg.snark.net/nullstats.cgi Behind all of LACNIC's 200/8 and Iskimaro, whoever the heck they are! matto [EMAIL PROTECTED]< Flowers on the razor wire/I know you're here/We are few/And far between/I was thinking about her skin/Love is a many splintered thing/Don't be afraid now/Just walk on in. #include
Re: New Solution: (was: Re: Counter DoS)
the thing is though, by allowing any /32's... what prevents /all/ customers from abusing it by curiosity of what would happen? :) the fact that you are allowing any /32's (up to 100 or whatever max prefix lim. you set) is like giving a can of worms to your customers. i don't think its even worth the effort to bother when you have more than couple customers abusing it security for one, SLA for the other, thirdly i just don't trust customers injecting routes into my backbone w/o telling us. i don't think bgp or a routing protocol is the right way to solve infected-machines participating in ddos nets. -J On Thu, Mar 11, 2004 at 05:17:35PM -0500, Deepak Jain wrote: > > > Here is a solution I would like to propose -- it is not as > set-and-forget as network operators like, but we do know that some of > our customers have a lot of expertise with this stuff, and taking > advantage of that value helps. This is along the categories of > collateral damage, scorched earth and generally punitive action for > DDOS-compromised hosts. Because not everyone will read every line, I am > going to say this twice. IF THE CUSTOMER ABUSES THIS FEATURE - TAKE IT > AWAY FROM THEM. This will be backfire if its used for Spam blackholes, > it will really only have an affect in the narrower DDOS space. > > Along with the idea of blackhole communities. I do NOT recommend it be > turned on across-the-board for every customer, and once it has reached > penetration, say 20-30% of the internet backbones use this feature -- it > should be phased back and only be an ICB item. (called Planned Obl.) > > Just like the blackhole community routes, certain /32's (only, nothing > shorter) can be exported from the customer to the backbone to be > blackholed at the edges. The twist, is that instead of limited the > customer announcement to the customer's IPs, you force only /32s to be > announced for the blackhole prefixes and limit the total number of > prefixes. Say 100 (or 10, or 1000 depends how much trust you have) > > So say, joe-customer has identified his top 50 DDOS sources, he > announces them to you, voila, DDOS gone. (even for spoofed traffic, > depending on how your filters are set up) Obviously these would be > no-export routes so no peer need be worried. > > The theory - It creates an actual, measured response to customer > machines being vulnerable. It makes parts ( ideally large parts ) of the > internet unavailable to those with vulnerable computers. > > The bad side - People could black hole important sites, until the > ALL-CAPS rule is applied. > > The somewhat less bad, bad side - Most of these /32s wouldn't be removed > until cable provider called the blackholing provider. > > The reality is that these filters are probably created today by backbone > security folks, so the question is how fast you want the > injections/rejections. > > IF THE CUSTOMER ABUSES THIS FEATURE - TAKE IT AWAY FROM THEM. > > Comments? > > Deepak -- James JunTowardEX Technologies, Inc. Technical LeadNetwork Design, Consulting, IT Outsourcing [EMAIL PROTECTED] Boston-based Colocation & Bandwidth Services cell: 1(978)-394-2867 web: http://www.towardex.com , noc: www.twdx.net
Re: Automate router configs
Aditya writes on 3/12/2004 9:41 AM: On Thu, 11 Mar 2004 20:50:57 -0600, "Jason Graun" <[EMAIL PROTECTED]> said: Is anybody automating router/switch configs in any manner other then telnet scripts or Ciscoworks? I am just trying to get some ideas. are you talking about access routers or backbone/core/peering routers? Then there are a few others available in /usr/ports/net-mgmt/ on freebsd cisco_conf, ciscoconf (read / store cisco configs from rcs) - one of those is by Joe Abley, forgot which one. Then there's a perl module called p5-JUNOScript Rancid and a few other useful tools are there as well. srs -- srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9 manager, outblaze.com security and antispam operations
Re: Automate router configs
> On Thu, 11 Mar 2004 20:50:57 -0600, "Jason Graun" <[EMAIL PROTECTED]> said: > Is anybody automating router/switch configs in any manner other then > telnet scripts or Ciscoworks? I am just trying to get some ideas. are you talking about access routers or backbone/core/peering routers? - for core/backbone routers, use rancid (www.shrubbery.net) whatever your automation scheme, it might not be your primary tool, but it will save you one day Something that doesn't get mentioned on NANOG very much is automating/managing lots and lots of access customers -- ie DSL/T1/Frame etc.. If that interests you, then maybe something I used circa 1999 but I haven't really heard being used recently (but probably is) might give you some ideas (an interview question yesterday reminded me): - we had a Redback SMS 1000 that we could preconfigure ATM PVCs/Frame DLCIs/DS3 Channels for T1s on with all the Layer 2 stuff - all the Layer 3 stuff like routed networks, interface IP addresses, IP filters etc. could be assigned out of radius. I believe Redback had plans to introduce a cable "blade" for their SMS boxes - we took DSL/T1 orders entered into a web front end and had IP/PVC etc. configs stored in an SQL database and updated radius within a few minutes (Covad had (has?) a very nice XML-RPC backend that let us assign the PVCs to our customers etc.. MCI/Worldcom also allowed us to assign channels on a DS3, so our software did that and sent them email with the order) - the Redback had an excellent feature by which, upon receipt of a packet on a hitherto "unbound" PVC (a few weeks after we were setup the DSL/Frame layer-2 circuit would be installed), it would read the config from radius and "bind" the PVC - when a customer cancelled or didn't pay their bill, a script, triggered by certain fields that support/billing-folks could set in the web-frontend, would log into the Redback and "unbind" the circuit Since most frequent "updates" and config changes happened to access routers, this minimized the amount of mundane work a router-monkey had to do. I only hope that all ISPs selling such services are doing things in a nice, automated way. FWIW, my ISP was swallowed by a cable provider who was well subsidized by Cisco. And the rest, you can probably guess. amazed by how little has changed in the ISP world since 2000, Adi
Re: Enterprise Multihoming
There are similar boxes from FatPipe and Radware (and others) that promise the same thing. I've done some light research on them and while I can see some positives, I don't prefer them to our current solution. Then again, I don't have any practical experience with them and I hope someone who has will chime in. On the fatpipe side, I can chime in. I've worked with their Superstream products. As with all products there are good points, but I have a LOT of bad points for the Superstream. It starts with being based on Caldera openlinux and a required Java interface for all management. I wouldn't use this product again if I could help it. They may have other products that work better, particularly in the case of true multihoming (the superstream is really so a business can pay for two DSL connections and get double the bandwidth) and such. If anyone wants more details, let me know.
Re: Automate router configs
On (11/03/04 20:50), Jason Graun wrote: > > Is anybody automating router/switch configs in any manner other then telnet > scripts or Ciscoworks? I am just trying to get some ideas. lexicon/netclarity - www.network-clarity.com - young, only cisco ios/catos devices right now, easy to tailor to your change management process, working on policy compliance auditing truecontrol - www.renditionnetworks.com - no juniper support yet, less flexible change process flow, can/will act as central access point for device access (will proxy ssh/telnet/etc based upon your login credentials), decent config/policy compliance auditing and reporting capabilities formulator - www.goldwiretech.com - more mature than truecontrol, more devices supported (including some servers), robust compliance auditing/reporting features and last, but not least, rancid - www.shrubbery.net/rancid/ - support for lots of devices (and easy to add more with a little expect knowledge), easily extended (perl, expect, awk, shell, etc), FREE - for more on what you can do see: http://www.shrubbery.net/rancid/NANOG29/index.html http://www.nanog.org/mtg-0210/abley.html i am using/have used rancid, and am evaluating the others hth /joshua -- Fixing Unix is easier than living with NT. Jonathan Gilpin signature.asc Description: Digital signature
Re: wholesalebandwidth.com major sponsor of spammers refuses to accept email at abuse
On Fri, 12 Mar 2004, Suresh Ramasubramanian wrote: > > Henry Linneweh writes on 3/12/2004 8:41 AM: > > I have received almost 200 different spam messages from domains > > hosted by this provider from russain domains attempting to sell > > pharmacueticals and other unsolicited services that I do not want > > tekmailer.com and moosq.com are 2 of the primary abusers from this > > hosting company > > Wholesalebandwidth = Scott Richter. > > http://groups.google.com/groups?q=scott+richter+wholesalebandwidth > > You can safely nullroute 69.6.0.0/18 Don't forget to add 69.6.64.0/20 to your access list - they recently got this addition and quickly moved quite some number of spam servers there. -- William Leibzon Elan Networks [EMAIL PROTECTED]
Re: wholesalebandwidth.com major sponsor of spammers refuses to accept email at abuse
Henry Linneweh writes on 3/12/2004 8:41 AM: I have received almost 200 different spam messages from domains hosted by this provider from russain domains attempting to sell pharmacueticals and other unsolicited services that I do not want tekmailer.com and moosq.com are 2 of the primary abusers from this hosting company Wholesalebandwidth = Scott Richter. http://groups.google.com/groups?q=scott+richter+wholesalebandwidth You can safely nullroute 69.6.0.0/18 srs -- srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9 manager, outblaze.com security and antispam operations
Re: wholesalebandwidth.com major sponsor of spammers refuses to accept email at abuse
On Thursday, March 11, 2004 10:11 PM [EST], Henry Linneweh <[EMAIL PROTECTED]> wrote: > I have received almost 200 different spam messages from domains hosted by > this provider from russain domains attempting to sell pharmacueticals and > other unsolicited services that I do not want tekmailer.com and moosq.com > are 2 of the primary > abusers from this hosting company > > -Henry > > > > Message from yahoo.com. > Unable to deliver message to the following address(es). > > <[EMAIL PROTECTED]>: > 69.6.21.60 does not like recipient. > Remote host said: 550 5.7.1 <[EMAIL PROTECTED]>... Relaying > denied > Giving up on 69.6.21.60. Wholesalebandwidth is just a front-end for spammers. I've had them blacklisted for a long time with no ill affects (and alot less spam). -- Brian Bruns The Summit Open Source Development Group Open Solutions For A Closed World / Anti-Spam Resources http://www.sosdg.org The Abusive Hosts Blocking List http://www.ahbl.org
wholesalebandwidth.com major sponsor of spammers refuses to accept email at abuse
I have received almost 200 different spam messages from domains hosted by this provider from russain domains attempting to sell pharmacueticals and other unsolicited services that I do not want tekmailer.com and moosq.com are 2 of the primary abusers from this hosting company -Henry Message from yahoo.com.Unable to deliver message to the following address(es).<[EMAIL PROTECTED]>:69.6.21.60 does not like recipient.Remote host said: 550 5.7.1 <[EMAIL PROTECTED]>... Relaying deniedGiving up on 69.6.21.60.
Automate router configs
Is anybody automating router/switch configs in any manner other then telnet scripts or Ciscoworks? I am just trying to get some ideas. Thanks Jason
Re: New Solution: (was: Re: Counter DoS)
On Thu, Mar 11, 2004 at 05:17:35PM -0500, Deepak Jain wrote: > > Just like the blackhole community routes, certain /32's (only, nothing > shorter) can be exported from the customer to the backbone to be > blackholed at the edges. The twist, is that instead of limited the > customer announcement to the customer's IPs, you force only /32s to be > announced for the blackhole prefixes and limit the total number of > prefixes. Say 100 (or 10, or 1000 depends how much trust you have) > > So say, joe-customer has identified his top 50 DDOS sources, he > announces them to you, voila, DDOS gone. (even for spoofed traffic, > depending on how your filters are set up) Obviously these would be > no-export routes so no peer need be worried. 1. Why is BGP the right tool for this? 2. Is your idea to block only packets destined for the customer making the request, or to 0/0? -- Barney Wolff http://www.databus.com/bwresume.pdf I'm available by contract or FT, in the NYC metro area or via the 'Net.
Re: Counter DoS
VA> Date: Thu, 11 Mar 2004 08:12:04 -0500 VA> From: Vinny Abello VA> Plus imagine an attack originates behind one of these devices VA> for some reason attacking another device. It'll just create a VA> massive loop. :) That would be interesting. I wonder if it pays attention to the "evil bit"? ;) Eddy -- EverQuick Internet - http://www.everquick.net/ A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/ Bandwidth, consulting, e-commerce, hosting, and network building Phone: +1 785 865 5885 Lawrence and [inter]national Phone: +1 316 794 8922 Wichita _ DO NOT send mail to the following addresses : [EMAIL PROTECTED] -or- [EMAIL PROTECTED] -or- [EMAIL PROTECTED] Sending mail to spambait addresses is a great way to get blocked.
Re: Enterprise Multihoming
PH> Date: Thu, 11 Mar 2004 20:31:52 +0200 PH> From: Petri Helenius PH> I´m refering to the most popular way of causing an IGP PH> meltdown. Obviously there are other ways, like software PH> defects to make your IGP go mad. But when your upstream´s IGP PH> does that, you want to have provider B to switch over to. Okay. I was unsure if you were referring to a clueless downstream bloating their IGP, or a clueless transit network redistributing downstream routes. Eddy -- EverQuick Internet - http://www.everquick.net/ A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/ Bandwidth, consulting, e-commerce, hosting, and network building Phone: +1 785 865 5885 Lawrence and [inter]national Phone: +1 316 794 8922 Wichita _ DO NOT send mail to the following addresses : [EMAIL PROTECTED] -or- [EMAIL PROTECTED] -or- [EMAIL PROTECTED] Sending mail to spambait addresses is a great way to get blocked.
Re: Counter DoS
Get involved with your local high schools. Sponsor user groups at the high school. Offer to teach some mini courses. The teenage crowd needs our help learning best practices and ethics. The hacking problem is multi-faceted, of course, and this is just one facet of a partial solution, but still, do consider it. Thanks for listening. :-) Priscilla Oppenheimer Is this a new way to recruit low-cost entry level employees, for cheap remote hands service? Everybody needs a high school student in their cage at $9/hour... :-)
RE: Counter DoS
One aspect of the problem with DoS attacks and warlike responses to these attacks is that the younger generation is getting their computer science training via gaming and hacking. Many high schools in the U.S. are so financially strapped that they can't afford to teach programming, networking, etc., and if they can, the teachers are often also the shop teacher or the journalism teacher who happened to "be good with computers" but is actually rather clueless about real computer science issues and the computer industry. Tekkie high school students aren't being challenged. They are learning their computing skills without mentors. We can help with that aspect of the problem. Get involved with your local high schools. Sponsor user groups at the high school. Offer to teach some mini courses. The teenage crowd needs our help learning best practices and ethics. The hacking problem is multi-faceted, of course, and this is just one facet of a partial solution, but still, do consider it. Thanks for listening. :-) Priscilla Oppenheimer At 04:48 PM 3/11/04, Pendergrass, Greg wrote: By "The Art of War on the Internet" I didn't mean information warfare, that's been with us as long as there's been information and the internet is certainly going to be a major part of that. What I am against is anyone trying to popularize the idea of the internet as a battleground where one uses force and deception to "gain ground". It's just another case of people wrongly attempting to fit somthing that they don't understand into a framework that they do understand, thereby creating a fallacy. Trying to base a product off of a flawed idea is bound to fail but also likely be a major irritation before it does. GP -Original Message- From: Etaoin Shrdlu [mailto:[EMAIL PROTECTED] Sent: 11 March 2004 14:58 To: Nanog Subject: Re: Counter DoS "Pendergrass, Greg" wrote: > > I can see now that it's only a matter of time before some nut writes "The > Art of War in the Internet". I read the whitepaper, it goes on a lot about > how defensive policies are ineffective but doesn't really say why active > response has never been tried: Ask, and ye shall receive. http://btobsearch.barnesandnoble.com/textbooks/booksearch/isbnInquiry.asp?us erid=2XH986JPUE&btob=Y&isbn=1581128576&TXT=Y&itm=1 I thought that someone mentioned that Mr. Forno was reputed to be on staff with these folk. > Their proposition is a terrible idea and their "rules of engagement" would > be funny instead of frightening if it wasn't serious I note that he also has a title from last year, which seems applicable here: Weapons of Mass Delusion (ISBN 15896X) I will point out that I cannot take seriously a company (Symbiot) that depends on a shockwave plugin to put up a web page. Pity that they came out so aggressively; it might have been an interesting product. Hype can kill as well as sell. -- It is by caffeine alone I set my mind in motion. It is by the beans of Java that thoughts acquire speed, the hands acquire shaking, the shaking becomes a warning. It is by caffeine only I set my mind in motion. Vodafone Global Content Services Limited Registered Office: Vodafone House, The Connection, Newbury, Berkshire RG14 2FN Registered in England No. 4064873 This e-mail is for the addressee(s) only. If you are not an addressee, you must not distribute, disclose, copy, use or rely on this e-mail or its contents, and you must immediately notify the sender and delete this e-mail and all copies from your system. Any unauthorised use may be unlawful. The information contained in this e-mail is confidential and may also be legally privileged. ___ Priscilla Oppenheimer www.priscilla.com When your Daemon is in charge, do not try to think consciously. Drift, wait, and obey. -- Kipling.
Re: Counter DoS
On Thursday, March 11, 2004 6:16 PM [EST], william(at)elan.net <[EMAIL PROTECTED]> wrote: >> >> Which RBL operators flood /24's or /16's? What do they flood them >> with? > > I think he meant that RBLs sometimes include entire /24 in RBL list when > only one or two ips are at fault and some would go even highier to include > entire ISP allocation. This is probably talking about SPEWs and alike RBLs That usually only happens when providers ignore abuse reports and don't do something about their abusive customers. Thats how we do it at the AHBL - you ignore abuse reports for long enough and pretend like the problem doesn't exist, you get a /24 listed. You move the spammer to another block, inside your network, and it grows to encompass the new block as well as the old one. And it keeps going from there. Thats how the rima-tde blocks that are in the AHBL got started - single /32s, then as the spam and 419 scams came in faster, it expanded to /24s, and finally after 2 dozen or so /24s blocked, I started going for /20s and larger. Now I've got two /13s, and a /16 of theirs blocked until Telefonica decides to contact us and discuss the situation with the abuse coming from their network. When providers dont act on abuse, you have to put the pressure on. Sometimes, that means forcing their legit customers to start to complain and thow a fit with their provider over the blocks. Yes, its ugly and unfair, but thats the only way to get them to act. -- Brian Bruns The Summit Open Source Development Group Open Solutions For A Closed World / Anti-Spam Resources http://www.sosdg.org The Abusive Hosts Blocking List http://www.ahbl.org
Re: Counter DoS
william(at)elan.net wrote: On Thu, 11 Mar 2004, Laurence F. Sheldon, Jr. wrote: Petri Helenius wrote: Maybe there is a lesson to be learned from many RBL operators. To make sure, just send packets to the whole /24 or /16 you got an "attack" packet from. Which RBL operators flood /24's or /16's? What do they flood them with? I think he meant that RBLs sometimes include entire /24 in RBL list when only one or two ips are at fault and some would go even highier to include entire ISP allocation. This is probably talking about SPEWs and alike RBLs I thought "RBL" was a tademark of Abovenet or MAPS or somebody. -- Requiescas in pace o email
New Solution: (was: Re: Counter DoS)
Here is a solution I would like to propose -- it is not as set-and-forget as network operators like, but we do know that some of our customers have a lot of expertise with this stuff, and taking advantage of that value helps. This is along the categories of collateral damage, scorched earth and generally punitive action for DDOS-compromised hosts. Because not everyone will read every line, I am going to say this twice. IF THE CUSTOMER ABUSES THIS FEATURE - TAKE IT AWAY FROM THEM. This will be backfire if its used for Spam blackholes, it will really only have an affect in the narrower DDOS space. Along with the idea of blackhole communities. I do NOT recommend it be turned on across-the-board for every customer, and once it has reached penetration, say 20-30% of the internet backbones use this feature -- it should be phased back and only be an ICB item. (called Planned Obl.) Just like the blackhole community routes, certain /32's (only, nothing shorter) can be exported from the customer to the backbone to be blackholed at the edges. The twist, is that instead of limited the customer announcement to the customer's IPs, you force only /32s to be announced for the blackhole prefixes and limit the total number of prefixes. Say 100 (or 10, or 1000 depends how much trust you have) So say, joe-customer has identified his top 50 DDOS sources, he announces them to you, voila, DDOS gone. (even for spoofed traffic, depending on how your filters are set up) Obviously these would be no-export routes so no peer need be worried. The theory - It creates an actual, measured response to customer machines being vulnerable. It makes parts ( ideally large parts ) of the internet unavailable to those with vulnerable computers. The bad side - People could black hole important sites, until the ALL-CAPS rule is applied. The somewhat less bad, bad side - Most of these /32s wouldn't be removed until cable provider called the blackholing provider. The reality is that these filters are probably created today by backbone security folks, so the question is how fast you want the injections/rejections. IF THE CUSTOMER ABUSES THIS FEATURE - TAKE IT AWAY FROM THEM. Comments? Deepak
Re: Counter DoS
On Thu, 11 Mar 2004, Laurence F. Sheldon, Jr. wrote: > Petri Helenius wrote: > > > Maybe there is a lesson to be learned from many RBL operators. To make > > sure, just send packets to the whole /24 or /16 you got an "attack" > > packet from. > > Which RBL operators flood /24's or /16's? What do they flood them > with? I think he meant that RBLs sometimes include entire /24 in RBL list when only one or two ips are at fault and some would go even highier to include entire ISP allocation. This is probably talking about SPEWs and alike RBLs -- William Leibzon Elan Networks [EMAIL PROTECTED]
Re: Counter DoS
Petri Helenius wrote: Maybe there is a lesson to be learned from many RBL operators. To make sure, just send packets to the whole /24 or /16 you got an "attack" packet from. Which RBL operators flood /24's or /16's? What do they flood them with? -- Requiescas in pace o email
Re: Counter DoS
Deepak Jain wrote: If you wanted to do that, wouldn't the firewall just need directed-broadcast left open or emulate similar behavior, or even turning ip unreachables back on? Flooding pipes accidentally is easy enough. Now people are selling products to do it deliberately. Maybe there is a lesson to be learned from many RBL operators. To make sure, just send packets to the whole /24 or /16 you got an "attack" packet from. Pete
Re: Counter DoS
Drew, While I believe something should be done, the fact is that two wrongs do not make a right. If I hit you, is it ok for you to hit me right back? This kind of retaliation takes the internet community into a grade school playground fight. What needs to be done, although easier said than done, is the following. Companies producing software with serious security issues need to address those issues alot faster and more efficiently. (i.e. Microsoft shouldn't push their OS's out the door until their code is audited and tested thouroughly.) If medicine had the same practices as alot of these software companies, there'd be a whole bunch of dead people out there. The Federal agencies who deal with computer crimes need to step up and start putting people behind bars, for a loong time. Kiddies get away with DDoS attacks because they know they can. If even half of the kiddies were to get thrown into prison for their acts, it'd definately deter the other half. Maybe that wont stop the problem, but it would definately reduce it overall. Networks that allow random host spoofing (or bogon headers) need to program their routers and border routers to filter or re-set the headers of TCP traffic outgoing and incoming to the correct source. This way a DDoS kiddie can only spoof at most, the subnet, thus leaving his DDoS net open to investigation and tracing. Networks that knowingly house and harbor DDoS kiddies should take a pro-active role in turning them in, or kicking them off their networks. Just because they aren't launching attacks from your network doesn't mean they aren't coordinating the attacks from it. Those networks that house DDoS networks need to maintain closer surveilance of their systems and customers and shut down any systems or networks hosting known DDoS nets. Denial of Service is probably never going to go away, but while DDoS attacks are so easy to commit, the problem is only going to get worse until appropriate steps are taken to reduce the problem overall. Greg Drew Weaver wrote: -Original Message- From: Gregory Taylor [mailto:[EMAIL PROTECTED] Sent: Thursday, March 11, 2004 3:55 PM To: Rachael Treu Cc: [EMAIL PROTECTED] Subject: Re: Counter DoS Yes, lets allow the kiddies who already get away with as little work as they can in order to produce the most destruction they can, the ability to use these 'Security Systems' as a new tool for DoS attacks against their enemies. Scenerio: Lets say my name is: l33th4x0r I want to attack joeblow.cable.com because joeblow666 was upset that I called his mother various inappropriate names. I find IP for joeblow.cable.com to be 192.168.69.69 I find one of these 'security' systems, or multiple security systems, and i decide to forge a TCP attack from 192.168.69.69 to these 'security systems'. These 'security systems' then, thinking joeblow is attacking their network, will launch a retaliatory attack against the offender, 192.168.69.69 thus destroying his connectivity. Kiddie 1 Joeblow 0The Internet as a whole 0 Greg --- Rant/ Their solution isn't the best idea out there, but something definitely needs to be done, and quickly. Network providers shouldn't have to purchase 4x the amount of bandwidth that they need just in case someone hijacks a bunch of cable modems and wants to party. Perhaps their bad idea will lead to a better idea, its happened before with how many countless practices on the internet? You start with a blurry idea, then someone else takes it and makes it work. Im not saying ddosing people back is the best idea, but something needs to happen, we waste way too much time and money mitigating these attacks, when in reality they cant be mitigated unless you continue to throw cash into the bandwidth bucket. These DSL and cable modem companies need to tighten things up so that if their users are abusive (and I don't claim to know how exactly the parameters of abuse should be measured) that their systems automatically choke them. For example, I have a Cable modem /w rr at my home, they have my upstream limited to next to nothing, how much damage could I possibly do? On the other hand I've seen attacks from some residential DSL providers that have hit with over 500KB(bytes)ps from a single machine, if you have maybe 20 of these hitting one of your interfaces, its going to cause latency, unless your upstream, or their downstream is doing something to protect you, which they wont. /Rant -Drew
Re: Counter DoS
On Thu, Mar 11, 2004 at 04:10:04PM -0500, Deepak Jain said something to the effect of: > > If you wanted to do that, wouldn't the firewall just need > directed-broadcast left open or emulate similar behavior, or even > turning ip unreachables back on? Exactly my point in using the word "amplifier" earlier. No special config or sploit-du-jour required. The play-by-play below is even more complicated than the process. > > Flooding pipes accidentally is easy enough. Now people are selling > products to do it deliberately. They'll be sorry. > > Yeesh. > > I saw a license plate this week (Virginia -IWTFM) I thought that was clever. Nice. :D > -- k. rachael treu, CISSP [EMAIL PROTECTED] ..quis costodiet ipsos custodes?.. > Deepak > > Gregory Taylor wrote: > > > > > > >Yes, lets allow the kiddies who already get away with as little work as > >they can in order to produce the most destruction they can, the ability > >to use these 'Security Systems' as a new tool for DoS attacks against > >their enemies. > > > >Scenerio: > > > >Lets say my name is: l33th4x0r > > > >I want to attack joeblow.cable.com because joeblow666 was upset that I > >called his mother various inappropriate names. > > > >I find IP for joeblow.cable.com to be 192.168.69.69 > > > >I find one of these 'security' systems, or multiple security systems, > >and i decide to forge a TCP attack from 192.168.69.69 to these 'security > >systems'. > > > >These 'security systems' then, thinking joeblow is attacking their > >network, will launch a retaliatory attack against the offender, > >192.168.69.69 thus destroying his connectivity. > > > >Kiddie 1 Joeblow 0The Internet as a whole 0 > > > > > >Greg > > > >Rachael Treu wrote: > > > >>Mmm. A firewall that lands you immediately in hot water with your > >>ISP and possibly in a courtroom, yourself. Hot. > >> > >>Legality aside... > >> > >>I don't imagine it would be too hard to filter these retaliatory > >>packets, either. I expect that this would be more wad-blowing > >>than cataclysm after the initial throes, made all the more ridiculous > >>by the nefarious realizing the new attack mechanism created by these > >>absurd boxen. A new point of failure and an amplifier rolled all > >>into one! Joy! > >> > >>More buffoonery contributed to the miasma. Nice waste of time, > >>Symbiot. Thanks for the pollution, and shame on the dubious ZDnet > >>for perpetuating this garbage. > >> > >>ymmv, > >>--ra > >> > >> > >> > > > > > > > >
Re: Counter DoS
If you wanted to do that, wouldn't the firewall just need directed-broadcast left open or emulate similar behavior, or even turning ip unreachables back on? Flooding pipes accidentally is easy enough. Now people are selling products to do it deliberately. Yeesh. I saw a license plate this week (Virginia -IWTFM) I thought that was clever. Deepak Gregory Taylor wrote: Yes, lets allow the kiddies who already get away with as little work as they can in order to produce the most destruction they can, the ability to use these 'Security Systems' as a new tool for DoS attacks against their enemies. Scenerio: Lets say my name is: l33th4x0r I want to attack joeblow.cable.com because joeblow666 was upset that I called his mother various inappropriate names. I find IP for joeblow.cable.com to be 192.168.69.69 I find one of these 'security' systems, or multiple security systems, and i decide to forge a TCP attack from 192.168.69.69 to these 'security systems'. These 'security systems' then, thinking joeblow is attacking their network, will launch a retaliatory attack against the offender, 192.168.69.69 thus destroying his connectivity. Kiddie 1 Joeblow 0The Internet as a whole 0 Greg Rachael Treu wrote: Mmm. A firewall that lands you immediately in hot water with your ISP and possibly in a courtroom, yourself. Hot. Legality aside... I don't imagine it would be too hard to filter these retaliatory packets, either. I expect that this would be more wad-blowing than cataclysm after the initial throes, made all the more ridiculous by the nefarious realizing the new attack mechanism created by these absurd boxen. A new point of failure and an amplifier rolled all into one! Joy! More buffoonery contributed to the miasma. Nice waste of time, Symbiot. Thanks for the pollution, and shame on the dubious ZDnet for perpetuating this garbage. ymmv, --ra
RE: Counter DoS
-Original Message- From: Gregory Taylor [mailto:[EMAIL PROTECTED] Sent: Thursday, March 11, 2004 3:55 PM To: Rachael Treu Cc: [EMAIL PROTECTED] Subject: Re: Counter DoS Yes, lets allow the kiddies who already get away with as little work as they can in order to produce the most destruction they can, the ability to use these 'Security Systems' as a new tool for DoS attacks against their enemies. Scenerio: Lets say my name is: l33th4x0r I want to attack joeblow.cable.com because joeblow666 was upset that I called his mother various inappropriate names. I find IP for joeblow.cable.com to be 192.168.69.69 I find one of these 'security' systems, or multiple security systems, and i decide to forge a TCP attack from 192.168.69.69 to these 'security systems'. These 'security systems' then, thinking joeblow is attacking their network, will launch a retaliatory attack against the offender, 192.168.69.69 thus destroying his connectivity. Kiddie 1 Joeblow 0The Internet as a whole 0 Greg --- Rant/ Their solution isn't the best idea out there, but something definitely needs to be done, and quickly. Network providers shouldn't have to purchase 4x the amount of bandwidth that they need just in case someone hijacks a bunch of cable modems and wants to party. Perhaps their bad idea will lead to a better idea, its happened before with how many countless practices on the internet? You start with a blurry idea, then someone else takes it and makes it work. Im not saying ddosing people back is the best idea, but something needs to happen, we waste way too much time and money mitigating these attacks, when in reality they cant be mitigated unless you continue to throw cash into the bandwidth bucket. These DSL and cable modem companies need to tighten things up so that if their users are abusive (and I don't claim to know how exactly the parameters of abuse should be measured) that their systems automatically choke them. For example, I have a Cable modem /w rr at my home, they have my upstream limited to next to nothing, how much damage could I possibly do? On the other hand I've seen attacks from some residential DSL providers that have hit with over 500KB(bytes)ps from a single machine, if you have maybe 20 of these hitting one of your interfaces, its going to cause latency, unless your upstream, or their downstream is doing something to protect you, which they wont. /Rant -Drew
Re: Counter DoS
Yes, lets allow the kiddies who already get away with as little work as they can in order to produce the most destruction they can, the ability to use these 'Security Systems' as a new tool for DoS attacks against their enemies. Scenerio: Lets say my name is: l33th4x0r I want to attack joeblow.cable.com because joeblow666 was upset that I called his mother various inappropriate names. I find IP for joeblow.cable.com to be 192.168.69.69 I find one of these 'security' systems, or multiple security systems, and i decide to forge a TCP attack from 192.168.69.69 to these 'security systems'. These 'security systems' then, thinking joeblow is attacking their network, will launch a retaliatory attack against the offender, 192.168.69.69 thus destroying his connectivity. Kiddie 1 Joeblow 0The Internet as a whole 0 Greg Rachael Treu wrote: Mmm. A firewall that lands you immediately in hot water with your ISP and possibly in a courtroom, yourself. Hot. Legality aside... I don't imagine it would be too hard to filter these retaliatory packets, either. I expect that this would be more wad-blowing than cataclysm after the initial throes, made all the more ridiculous by the nefarious realizing the new attack mechanism created by these absurd boxen. A new point of failure and an amplifier rolled all into one! Joy! More buffoonery contributed to the miasma. Nice waste of time, Symbiot. Thanks for the pollution, and shame on the dubious ZDnet for perpetuating this garbage. ymmv, --ra
Re: Counter DoS
On Thu, Mar 11, 2004 at 03:21:29AM -0500, Brian Bruns said something to the effect of: > > On Thursday, March 11, 2004 3:05 AM [EST], Brian Bruns <[EMAIL PROTECTED]> > wrote: ..snip snip.. > > How the hell could a company put something like this out, and expect not to > > get themselves sued to the moon and back when it fires a shot at an innocent > > party? Caution: 'innocent' is not the buzzword here. Subscribers: check your respective AUPs. You will likely find explicit prohibition of any malicious and generally unsolicited traffic generated by a node in your control, and I don't think that self-defense has an extenuation clause or special case appendix therein. You attack an attacker, he, too, can pursue you legally. There are not provisions made for DoS-ing a DoS-er. Vigilante nonsense is discouraged. > ..snip snip..> > Whats going to happen when they find a nice little exploit in these buggers > (even if they have anti-spoof stuff in them) that allows the kids to take > control of them or trick them into attacking innocents? Instead of thousands > of DDoS drones on DSL and cable modems, you'll see kids with hundreds of these > 'nuclear stike firewalls' on T1s, T3s, and higher, using them like they use > the current trojans? This won't even require a exploit to effect. These boxes can likely be used to do the bidding of miscreants with some simply-crafted packets and source spoofing. This thing could become something akin to a smurf amp with a big-time attitude problem. Anti-spoof rules will afford a modicum of reverse-path protection, but not enough to swat away the majority of inbound crafted traffic. This stupid PoS appliance would have to be installed and widely-deployed provider-side to discern on such a level. This would become the stuff of yet-another-botnet. > > No product is 100% secure (especially not something that runs under Windows, > but thats another issue), so how are they going to deliver updates? This is the least of their concerns; update management is already done effectively and easily by most IDS, anti-virii, and other signature-based appliance manufacturers. Snakeoil salesmen offer at the most basic a valid means of distributing updates, even. > Or make sure that the thing is configured right? Now _that_ is a real problem. Given that no one has beaten the creators with the illustrious clue stick and anyone who'd truly subscribe to this thing is likely mis-wired him/herself, I would guess that poor configuration is an engineering cornerstone on which this entire debacle desperately depends. Flog the scoundrels. ymmv, --ra -- k. rachael treu, CISSP [EMAIL PROTECTED] ..quis costodiet ipsos custodes?.. > I could see blacklists (BGP based) > cropping up of these systems, so that you can filter these networks from ever > being able to come near your network. > > This is starting to sound more and more like a nuclear arms race - on one side > we have company a, on the other company b. Company A fears that B will attack > it, so they get this super dooper nuclear strike system. Company B follows > suit and sets one up as well. Both then increase their bandwidth, outdoing > the other until finally, script kiddie comes along, and spoofs a packet from A > to B, and B attacks A, and A responds with its own attack. ISPs hosting the > companies fall flat on their face from the attack, the backbone between the > two ISPs gets lagged to death, and stuff starts griding to a halt for others > caught in the crossfire. > > So, and who thinks that this is a good idea? :) > -- > Brian Bruns > The Summit Open Source Development Group > Open Solutions For A Closed World / Anti-Spam Resources > http://www.sosdg.org > > The Abusive Hosts Blocking List > http://www.ahbl.org
Re: Counter DoS
On Thu, Mar 11, 2004 at 03:21:29AM -0500, Brian Bruns said something to the effect of: > > On Thursday, March 11, 2004 3:05 AM [EST], Brian Bruns <[EMAIL PROTECTED]> > wrote: ..snip snip.. > > How the hell could a company put something like this out, and expect not to > > get themselves sued to the moon and back when it fires a shot at an innocent > > party? Caution: 'innocent' is not the buzzword here. Subscribers: check your respective AUPs. You will likely find explicit prohibition of any malicious and generally unsolicited traffic generated by a node in your control, and I don't think that self-defense has an extenuation clause or special case appendix therein. You attack an attacker, he, too, can pursue you legally. There are not provisions made for DoS-ing a DoS-er. Vigilante nonsense is discouraged. > ..snip snip..> > Whats going to happen when they find a nice little exploit in these buggers > (even if they have anti-spoof stuff in them) that allows the kids to take > control of them or trick them into attacking innocents? Instead of thousands > of DDoS drones on DSL and cable modems, you'll see kids with hundreds of these > 'nuclear stike firewalls' on T1s, T3s, and higher, using them like they use > the current trojans? This won't even require a exploit to effect. These boxes can likely be used to do the bidding of miscreants with some simply-crafted packets and source spoofing. This thing could become something akin to a smurf amp with a big-time attitude problem. Anti-spoof rules will afford a modicum of reverse-path protection, but not enough to swat away the majority of inbound crafted traffic. This stupid PoS appliance would have to be installed and widely-deployed provider-side to discern on such a level. This would become the stuff of yet-another-botnet. > > No product is 100% secure (especially not something that runs under Windows, > but thats another issue), so how are they going to deliver updates? This is the least of their concerns; update management is already done effectively and easily by most IDS, anti-virii, and other signature-based appliance manufacturers. Snakeoil salesmen offer at the most basic a valid means of distributing updates, even. > Or make sure that the thing is configured right? Now _that_ is a real problem. Given that no one has beaten the creators with the illustrious clue stick and anyone who'd truly subscribe to this thing is likely mis-wired him/herself, I would guess that poor configuration is an engineering cornerstone on which this entire debacle desperately depends. Flog the scoundrels. ymmv, --ra -- k. rachael treu, CISSP [EMAIL PROTECTED] ..quis costodiet ipsos custodes?.. > I could see blacklists (BGP based) > cropping up of these systems, so that you can filter these networks from ever > being able to come near your network. > > This is starting to sound more and more like a nuclear arms race - on one side > we have company a, on the other company b. Company A fears that B will attack > it, so they get this super dooper nuclear strike system. Company B follows > suit and sets one up as well. Both then increase their bandwidth, outdoing > the other until finally, script kiddie comes along, and spoofs a packet from A > to B, and B attacks A, and A responds with its own attack. ISPs hosting the > companies fall flat on their face from the attack, the backbone between the > two ISPs gets lagged to death, and stuff starts griding to a halt for others > caught in the crossfire. > > So, and who thinks that this is a good idea? :) > -- > Brian Bruns > The Summit Open Source Development Group > Open Solutions For A Closed World / Anti-Spam Resources > http://www.sosdg.org > > The Abusive Hosts Blocking List > http://www.ahbl.org
Re: Enterprise Multihoming
John As already stated by lots of folks on the list, this is largely a business decision rather than a technical one. However, there are some more useful thoughts: 1. Is the decision to multi-home consistent with your other redundancy plans? For example, why go through all the trouble of multi-homing and setting up BGP, only for both circuits to be plugged into the same router? ..or, two routers but neither of them on UPS. This is akin to insisting on a Class A bank-grade firewall but not bothering to put a lock on the server room door... 2. Multi-homing is usually considered critical when one is discussing hosting of some kind. Could you be served with multiple servers in geographically separate collocation centers inside one ASN? While many MIS departments like to have direct access to their own servers, this can often be an emotional preference rather than a technical one. Often only the "public facing" servers need BGP redundancy. The back-ends can be set up to fail-over to separate VPN/IPs in separate ASNs. Having said all that, I prefer physical access to my machines too. So I'm a hypocrite. 3. If you are not doing hosting, a two-ISP NAT solution may make more sense than BGP. In addition to burdening the global routing tables; good BGP management is expensive. It involves either hiring someone with the proper expertise/experience or purchasing that expertise. Relatively speaking, there are not a lot good experienced BGP admins out there. 4. What is the price of downtime, in real dollars? For many business, this really can be estimated. Consider lost time (wages, utilities, etc.) and lost sales. Then compare it to the various options. Just my two cents, John At 10:04 AM 3/11/2004, you wrote: On another list we've been having multihoming discussions again and I wanted to get some fresh opinions from you. For the past few years it has been fairly common for non-ISPs to multihome to different providers for additional redundancy in case a single provider has problems. I know this is frowned upon now, especially since it helped increase the number of autonomous systems and routing table prefixes beyond what was really necessary. It seems to me that a large number of companies that did this could just have well ordered multiple, geographically separate links to the same provider. What is the prevailing wisdom now? At what point do you feel that it is justified for a non-ISP to multihome to multiple providers? I ask because we have three links: two from Sprint and one from Global Crossing. I'm considering dropping the GC circuit and adding another geographically-diverse connection to Sprint, and then removing BGP from our routers. I see a few upsides to this, but are there any real downsides? Flame on. :-) Thanks, John --
Re: Counter DoS
Two words (well...one hyphenated-reference): spoofed-source bah, --ra -- k. rachael treu, CISSP [EMAIL PROTECTED] ..quis costodiet ipsos custodes?.. On Wed, Mar 10, 2004 at 11:50:56PM -0800, Gregory Taylor said something to the effect of: > > Oh yes, lets not forget the fact that if enough sites have this > 'firewall' and one of them gets attacked by other sites using this > firewall it'll create a nuclear fission sized chain reaction of looping > Denial of Service Attacks that would probably bring most major backbone > providers to their knees. > > (Popcorn's in the microwave as I speak) > > Greg > > Jay Hennigan wrote: > > >On Wed, 10 Mar 2004, Gregory Taylor wrote: > > > > > > > >>After reading that article, if this product really is capable of > >>'counter striking DDoS attacks', my assumption is that it will fire > >>packets back at the nodes attacking it. Doing such an attack would not > >>be neither feasible or legal. You would only double the affect that the > >>initial attack caused to begin with, plus you would be attacking hacked > >>machines and not the culprit themselves, thus pouring gasoline all over > >>an already blazing inferno. > >> > >> > > > >On the other hand, they could become immensely popular, reaching the > >critical mass when one of them detects what is interpreted as an attack > >from a network protected by another. Grab the popcorn and watch as they > >all bludgeon each other to death. :-) > > > > > > >
Re: Counter DoS
Mmm. A firewall that lands you immediately in hot water with your ISP and possibly in a courtroom, yourself. Hot. Legality aside... I don't imagine it would be too hard to filter these retaliatory packets, either. I expect that this would be more wad-blowing than cataclysm after the initial throes, made all the more ridiculous by the nefarious realizing the new attack mechanism created by these absurd boxen. A new point of failure and an amplifier rolled all into one! Joy! More buffoonery contributed to the miasma. Nice waste of time, Symbiot. Thanks for the pollution, and shame on the dubious ZDnet for perpetuating this garbage. ymmv, --ra -- rachael treu, CISSP [EMAIL PROTECTED] ..quis costodiet ipsos custodes?.. On Wed, Mar 10, 2004 at 11:25:20PM -0800, Gregory Taylor said something to the effect of: > > After reading that article, if this product really is capable of > 'counter striking DDoS attacks', my assumption is that it will fire > packets back at the nodes attacking it. Doing such an attack would not > be neither feasible or legal. You would only double the affect that the > initial attack caused to begin with, plus you would be attacking hacked > machines and not the culprit themselves, thus pouring gasoline all over > an already blazing inferno. > > This product is a bad bad idea and anyone who invests money into it > should slap themselves very hard with a metal gauntlet for being so > gullible. > > Greg > > >>>In message <[EMAIL PROTECTED]>, "Joshua Brady" > >>>writes: > >>> > >>> > http://news.zdnet.co.uk/internet/security/0,39020375,39148215,00.htm > > Comments? > > >>> >
Re: Enterprise Multihoming
Jay Ford wrote: [snip] Many/most of my external connectivity problems are provider-related rather than circuit-related. Having two circuits to a single provider doesn't help when that provider is broken. I'm not saying that multi-ISP BGP-based multi-homing is risk-free, but I don't see multi-circuit single-provider as a viable alternative. FWIW, I've had almost the exact opposite experience. Almost all of our connectivity problems have been circuit issues. Two T1s to the same ISP at one site has saved us from a lot of pain. OTOH, we also do have some ISP diversity, though we haven't needed it nearly as much as redundant circuits. YMMV. HAND. -- Crist J. Clark [EMAIL PROTECTED] Globalstar Communications(408) 933-4387
Re: Enterprise Multihoming
John Neiberger wrote: Whilst the topic's under discussion may I present myself as a lightning rod :) by asking: (a) Has anyone here used any of the 'basement multi-homing in a box' products such as Checkpoint's ISP Redundancy feature? http://www.checkpoint.com/products/connect/vpn-1_isp_redundancy.html (The 'VPN-1' brand is slightly misleading - it's a generic firewall.) You can do the same thing with your existing cisco: http://www.cisco.com/warp/customer/cc/pd/iosw/ioft/ionetn/tech/emios_wp.htm
Re: Counter DoS
Eric Gauthier wrote: Most Universities have a large clueless.. um, I mean, student population sitting on 10 or 100 meg switched ports and several hundred meg's to the Internet You mis-spelled "faculty, researcher, and staff populations". Today's students (as well as non-trivial portions of the the other populations) tend to be purpose and objective focused, with what the folks on the 19th tee being somewhat less important. -- Requiescas in pace o email
Re: Counter DoS
> > Fortunately people with less clue usually have less bandwidth. > > Don't be so sure that people with no clue don't have bandwidth, large > companies with enourmouse resources sometimes end up with really clueless > people at the top and similarly clueless network techs. Most Universities have a large clueless.. um, I mean, student population sitting on 10 or 100 meg switched ports and several hundred meg's to the Internet Eric :)
Re: Ipal project (was - Summary: Web Based tool for tracking circuits)
Wow, I had no idea somebody already used this name for same product... Hold on everybody from signup up then, we'll talk about the name first among the group. I'll repost when new name is ready. On Thu, 11 Mar 2004, Dennis Boylan wrote: > You might want to change the name. IPal is a commercial product available > from Internet Associates LLC. (www.internetassociatesllc.com). > > - Dennis > > On Thu, Mar 11, 2004 at 11:17:12AM -0800, william(at)elan.net wrote: > > > > > > We're starting project to create opensource software help ISPs to provision > > network services and track information related to that afterwards. This would > > include allocation of ip addresses and database of such allocations, database > > of circuits and network devices, administration and colloboration on actual > > provisioning process for new connections (both for physical circuits and > > logical connections such as for colo customer), etc. > > The project homepage is at sourceforce: > > http://sourceforge.net/projects/ipal/ > > If you're interested in helping, please join the mail list: > > http://lists.sourceforge.net/mailman/listinfo/ipal-discuss > > Or send email to [EMAIL PROTECTED] > > with usual "subscribe" in subject and body > > > > Currently there are people being added there from two separate mail lists > > and once everyone is in, later today we'll start talking about general > > goals of the project, so if there are more people at nanog, interested, > > please signup. > > > > -- > > William Leibzon > > Elan Networks > > [EMAIL PROTECTED] > -- William Leibzon Elan Networks [EMAIL PROTECTED]
Re: Enterprise Multihoming
>Whilst the topic's under discussion may I present myself as a lightning >rod :) by asking: > >(a) Has anyone here used any of the 'basement multi-homing in a box' >products such as Checkpoint's ISP Redundancy feature? > >http://www.checkpoint.com/products/connect/vpn-1_isp_redundancy.html >(The 'VPN-1' brand is slightly misleading - it's a generic firewall.) > >This allows edge networks to multihome between separate ISPs. When it was >first mentioned around the office I explained that it couldn't possibly >work, and my colleagues explained to me that I was full of it and that the >product is on the market and in use. (It has subsequently been lab'd here >and seemed to work between our main link (UUnet) and a humble BT DSL line.) >As far as I understand it, it's a form of NAT - the device keeps track of >which session's packets are going where and spreads traffic around. If one >ISP goes down it'll fail over to the other link. There are similar boxes from FatPipe and Radware (and others) that promise the same thing. I've done some light research on them and while I can see some positives, I don't prefer them to our current solution. My boss asked me to take a look at them, again, because he's concerned that there's little BGP experience in our department apart from me and he thought that might be one possible solution. It still may be but I don't like the hoops you have to jump through to make these devices work. Then again, I don't have any practical experience with them and I hope someone who has will chime in. John --
Re: Ipal project (was - Summary: Web Based tool for tracking circuits)
You might want to change the name. IPal is a commercial product available from Internet Associates LLC. (www.internetassociatesllc.com). - Dennis On Thu, Mar 11, 2004 at 11:17:12AM -0800, william(at)elan.net wrote: > > > We're starting project to create opensource software help ISPs to provision > network services and track information related to that afterwards. This would > include allocation of ip addresses and database of such allocations, database > of circuits and network devices, administration and colloboration on actual > provisioning process for new connections (both for physical circuits and > logical connections such as for colo customer), etc. > The project homepage is at sourceforce: > http://sourceforge.net/projects/ipal/ > If you're interested in helping, please join the mail list: > http://lists.sourceforge.net/mailman/listinfo/ipal-discuss > Or send email to [EMAIL PROTECTED] > with usual "subscribe" in subject and body > > Currently there are people being added there from two separate mail lists > and once everyone is in, later today we'll start talking about general > goals of the project, so if there are more people at nanog, interested, > please signup. > > -- > William Leibzon > Elan Networks > [EMAIL PROTECTED]
Re: Enterprise Multihoming
E.B. Dreger wrote: PH> Date: Thu, 11 Mar 2004 18:21:03 +0200 PH> From: Petri Helenius PH> Depending on your requirements, the option of having somebody PH> redistribute all their BGP routes into ISIS or OSPF might not PH> worth looking forward to. Couldn't quite parse this, but it sounds scary. I´m refering to the most popular way of causing an IGP meltdown. Obviously there are other ways, like software defects to make your IGP go mad. But when your upstream´s IGP does that, you want to have provider B to switch over to. It probably has gotten better when the Internet has matured but a few years back when I was more involved in day-to-day operations it was a few times a year when excersizing this option was the best course of action. Pete
Re: Enterprise Multihoming
John Neiberger wrote: On another list we've been having multihoming discussions again and I wanted to get some fresh opinions from you. Whilst the topic's under discussion may I present myself as a lightning rod :) by asking: (a) Has anyone here used any of the 'basement multi-homing in a box' products such as Checkpoint's ISP Redundancy feature? http://www.checkpoint.com/products/connect/vpn-1_isp_redundancy.html (The 'VPN-1' brand is slightly misleading - it's a generic firewall.) This allows edge networks to multihome between separate ISPs. When it was first mentioned around the office I explained that it couldn't possibly work, and my colleagues explained to me that I was full of it and that the product is on the market and in use. (It has subsequently been lab'd here and seemed to work between our main link (UUnet) and a humble BT DSL line.) As far as I understand it, it's a form of NAT - the device keeps track of which session's packets are going where and spreads traffic around. If one ISP goes down it'll fail over to the other link. (b) I suspect the answer will be a vehement 'no!' -- if so, why? Obviously this won't scale terribly well at the service provider level but for edge networks - what's wrong with it? Obviously this only works for outbound sessions but there are plenty of large enterprises happy to keep the majority of inbound services (web etc) off in a nice secure hosting centre where real netops will use BGP for real multihoming. cheers \a -- Andrew Simmons Penetration Tester | Security Consultant MIS Corporate Defence Solutions, Ltd. Hermitage Court, Hermitage Lane, Maidstone, Kent ME16 9NT Tel: 01622 723432 / Mobile: 07739 834833 (sorry about the disclaimer - there's nothing I can do about it :( ) The information contained in this message or any of its attachments may be privileged and confidential and intended for the exclusive use of the intended recipient. If you are not the intended recipient any disclosure, reproduction, distribution or other dissemination or use of this communications is strictly prohibited. The views expressed in this e-mail are those of the individual and not necessarily of MIS Corporate Defence Solutions Ltd. Any prices quoted are only valid if followed up by a formal written quote. If you have received this transmission in error, please contact our Security Manager on +44 (01622) 723410. This email is intended for the recipient only and contains confidential information, some or all of which may be legally privileged. If you are not the intended recipient, you must not use, save, disclose, distribute, copy, print or rely on this email or any information contained within it. Please notify the sender by return and delete it from your computer. Thank you.
Re: Enterprise Multihoming
On Thu, 11 Mar 2004, Marshall Eubanks wrote: > There is another thing - if you are multi-homed, and want to switch > providers, it is pretty seamless and painless - no renumbering, no > loss of connection, etc., as you always have a redundant path. Sure -- though many ISPs will probably let you keep the address space, even if you switch away completely -- as long as you pay them enough (or the other ISP to route it). Bad practice, but has happened a lot, and probably still does :) FWIW, even if you are multihomed, that does not in and of itself require that you "own" address space. Public AS number is often enough (and even private will do, but that leads to other kind of mess.) -- Pekka Savola "You each name yourselves king, yet the Netcore Oykingdom bleeds." Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
Ipal project (was - Summary: Web Based tool for tracking circuits)
We're starting project to create opensource software help ISPs to provision network services and track information related to that afterwards. This would include allocation of ip addresses and database of such allocations, database of circuits and network devices, administration and colloboration on actual provisioning process for new connections (both for physical circuits and logical connections such as for colo customer), etc. The project homepage is at sourceforce: http://sourceforge.net/projects/ipal/ If you're interested in helping, please join the mail list: http://lists.sourceforge.net/mailman/listinfo/ipal-discuss Or send email to [EMAIL PROTECTED] with usual "subscribe" in subject and body Currently there are people being added there from two separate mail lists and once everyone is in, later today we'll start talking about general goals of the project, so if there are more people at nanog, interested, please signup. -- William Leibzon Elan Networks [EMAIL PROTECTED]
Re: Enterprise Multihoming
There is another thing - if you are multi-homed, and want to switch providers, it is pretty seamless and painless - no renumbering, no loss of connection, etc., as you always have a redundant path. On Thursday, March 11, 2004, at 12:34 PM, Pekka Savola wrote: Mutli-homing a non-ISP network or system on multiple carriers is a good way to maintain independent links to the internet by means of different peering, uplinks, over-all routing and reliability. My network on NAIS is currently multi-homed through AT&T. I use a single provider as both of my redundant links via 100% Fiber network. Even though this is cheaper for me, all it takes is for AT&T to have some major outage and I will be screwed. If I have a backup fiber line from say, Global Crossing, then it doesn't matter if AT&T takes a nose dive, I still have my redundancy there. Well, I think this, in many cases, boils down to being able to pick the right provider. I mean, some providers go belly-up from time to time. Others are designed/run better. For a major provider, complete outage of all of its customers is such a big thing they'll want to avoid it always. If it happens, for a brief moment, once in five years (for example), for most companies that's an acceptable level of risk. -- Pekka Savola "You each name yourselves king, yet the Netcore Oykingdom bleeds." Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings Regards Marshall Eubanks T.M. Eubanks e-mail : [EMAIL PROTECTED] http://www.telesuite.com
Re: Enterprise Multihoming
> >JN> My current opinion is that since we can't accept much >JN> downtime in the case of a single provider failure, it's >JN> probably not wise to put all of our eggs in Sprint's basket >JN> even if all circuits are geographically diverse. > >Use multiple border routers. Keep your IGP lean and nimble. >Think about BGP/IGP synchronization. > >WAN links can fail, but so can ethernet links and entire routers. We have multiple border routers and are fairly redundant internally. As it is now, any single piece of equipment could fail (except in one case that I intend to rectify soon) or any two of our three Internet connections could fail and no one would notice much except for perhaps slower connections. I've discovered the wonders of fault-tolerant transceivers and I'll be redesigning a portion of that part of the network around them. Once I'm done, quite literally any single device could fail and no one would notice. John --
Re: Enterprise Multihoming
JN> Date: Thu, 11 Mar 2004 10:10:17 -0700 JN> From: John Neiberger JN> My current opinion is that since we can't accept much JN> downtime in the case of a single provider failure, it's JN> probably not wise to put all of our eggs in Sprint's basket JN> even if all circuits are geographically diverse. Use multiple border routers. Keep your IGP lean and nimble. Think about BGP/IGP synchronization. WAN links can fail, but so can ethernet links and entire routers. Eddy -- EverQuick Internet - http://www.everquick.net/ A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/ Bandwidth, consulting, e-commerce, hosting, and network building Phone: +1 785 865 5885 Lawrence and [inter]national Phone: +1 316 794 8922 Wichita _ DO NOT send mail to the following addresses : [EMAIL PROTECTED] -or- [EMAIL PROTECTED] -or- [EMAIL PROTECTED] Sending mail to spambait addresses is a great way to get blocked.
Re: Enterprise Multihoming
PH> Date: Thu, 11 Mar 2004 18:21:03 +0200 PH> From: Petri Helenius PH> Depending on your requirements, the option of having somebody PH> redistribute all their BGP routes into ISIS or OSPF might not PH> worth looking forward to. Couldn't quite parse this, but it sounds scary. Eddy -- EverQuick Internet - http://www.everquick.net/ A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/ Bandwidth, consulting, e-commerce, hosting, and network building Phone: +1 785 865 5885 Lawrence and [inter]national Phone: +1 316 794 8922 Wichita _ DO NOT send mail to the following addresses : [EMAIL PROTECTED] -or- [EMAIL PROTECTED] -or- [EMAIL PROTECTED] Sending mail to spambait addresses is a great way to get blocked.
Re: Enterprise Multihoming
Mutli-homing a non-ISP network or system on multiple carriers is a good > way to maintain independent links to the internet by means of different > peering, uplinks, over-all routing and reliability. My network on NAIS > is currently multi-homed through AT&T. I use a single provider as both > of my redundant links via 100% Fiber network. Even though this is > cheaper for me, all it takes is for AT&T to have some major outage and I > will be screwed. If I have a backup fiber line from say, Global > Crossing, then it doesn't matter if AT&T takes a nose dive, I still have > my redundancy there. Well, I think this, in many cases, boils down to being able to pick the right provider. I mean, some providers go belly-up from time to time. Others are designed/run better. For a major provider, complete outage of all of its customers is such a big thing they'll want to avoid it always. If it happens, for a brief moment, once in five years (for example), for most companies that's an acceptable level of risk. -- Pekka Savola "You each name yourselves king, yet the Netcore Oykingdom bleeds." Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
Re: Enterprise Multihoming
Hello; On Thursday, March 11, 2004, at 12:10 PM, John Neiberger wrote: Thanks to everyone who has responded so far. I'm glad that I got some opinions here before I proceeded. I also participate in another list that has some fairly experienced people on it. They prevailing opinion there was that multihoming to multiple providers was overrated and largely unnecessary, and they just about had me convinced. Let me guess - they are with big providers ? I keep track of new ASN's appearing in BGP - of the last few thousand or so, the number that do not appear to be small multi-homers is about 1 in 500. (The metric is, no transit prefixes and only 1 or 2 small prefixes announced in BGP.) That does not prove they are correct, but a lot of people clearly are of this opinion. My current opinion is that since we can't accept much downtime in the case of a single provider failure, it's probably not wise to put all of our eggs in Sprint's basket even if all circuits are geographically diverse. Thanks again, John -- Regards Marshall Eubanks T.M. Eubanks e-mail : [EMAIL PROTECTED] http://www.telesuite.com
Re: Enterprise Multihoming
John Neiberger wrote: Thanks to everyone who has responded so far. I'm glad that I got some opinions here before I proceeded. I also participate in another list that has some fairly experienced people on it. They prevailing opinion there was that multihoming to multiple providers was overrated and largely unnecessary, and they just about had me convinced. My current opinion is that since we can't accept much downtime in the case of a single provider failure, it's probably not wise to put all of our eggs in Sprint's basket even if all circuits are geographically diverse. This decision should be a business decision. Business decisions are made for a number of reasons. There is no message in the order I list the ones that come quickly to mind, I personally think some of them are faulty, but all are real. Engineered designs. Political needs. Personal prejudices. Posturing. Appearances. I personally favor the engineering approach, which if properly done will account for the meaningful parts of the others. A recent employer had a very low cost plan that had for practical purposes unlimited capacity available which were required to throttle to reduce commodity Internet expenses. New management decided multi- homing was necessary at relatively huge expense for reasons that must have made sense to somebody. -- Requiescas in pace o email
RE: Enterprise Multihoming
Look at it this way: If Multi-homing to ensure maximum reliabilty was not a good thing: why would XYZ isp do it? Take this example: Remember last year (or year before?) when MCI had the routing issue on the east coast? I had a friend that had 2 T-1's to MCI, he lost all reachability for over 5 hours. I had another friend that had a T-1 from MCI and one from AT&T. He stayed up, and so did his ecommerce site. So the end questions is: Do you trust your upstream enough to bank your business, or more importantly your reputation as an IT professional, on the ability of everyone at your ISP to maintain their network and everything that gives you access 99.999% of the time? Jim ->-Original Message- ->From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of ->Gregory Taylor ->Sent: Thursday, March 11, 2004 11:41 AM ->To: John Neiberger; [EMAIL PROTECTED] ->Subject: Re: Enterprise Multihoming -> -> -> ->Mutli-homing a non-ISP network or system on multiple carriers ->is a good ->way to maintain independent links to the internet by means of ->different ->peering, uplinks, over-all routing and reliability. My ->network on NAIS ->is currently multi-homed through AT&T. I use a single ->provider as both ->of my redundant links via 100% Fiber network. Even though this is ->cheaper for me, all it takes is for AT&T to have some major ->outage and I ->will be screwed. If I have a backup fiber line from say, Global ->Crossing, then it doesn't matter if AT&T takes a nose dive, I ->still have ->my redundancy there. -> ->That is why most non-ISPs hold multihoming via different providers as ->their #1 choice. -> ->Greg -> ->John Neiberger wrote: -> ->>On another list we've been having multihoming discussions again and I ->>wanted to get some fresh opinions from you. ->> ->>For the past few years it has been fairly common for non-ISPs to ->>multihome to different providers for additional redundancy in case a ->>single provider has problems. I know this is frowned upon now, ->>especially since it helped increase the number of autonomous ->systems and ->>routing table prefixes beyond what was really necessary. It ->seems to me ->>that a large number of companies that did this could just have well ->>ordered multiple, geographically separate links to the same provider. ->> ->>What is the prevailing wisdom now? At what point do you feel ->that it is ->>justified for a non-ISP to multihome to multiple providers? I ask ->>because we have three links: two from Sprint and one from Global ->>Crossing. I'm considering dropping the GC circuit and adding another ->>geographically-diverse connection to Sprint, and then ->removing BGP from ->>our routers. ->> ->>I see a few upsides to this, but are there any real downsides? ->> ->>Flame on. :-) ->> ->>Thanks, ->>John ->>-- ->> ->> ->> ->> -> -> ->
Re: Enterprise Multihoming
In my opinion, these are all decisions that each company and it's management and IT departments must reach for themselves. There are no universally right or wrong answers. There are tradeoffs either way, and, evaluating those tradeoffs is a big part of why an IT department and managers get paid. For some companies, a single connection might be all they need. For others, multiple circuits to a provider they think is reliable enough may do the trick. Many companies may feel they need more than that, so, they may choose to go to BGP and true multihoming. Any of those answers can be the right answer. There are other possible "right" answers too. The important thing is for the IT department to do their homework on ALL the tradeoffs associated with each possible scenario, and, help their management reach a decision that is right for the company. As you mentioned, there are other risks to BGP and multihoming, and, additional responsibilities that come with it. As such, the staff to meet those responsibilities should be factored in as an additional cost in that solution. Owen pgp0.pgp Description: PGP signature
Re: Enterprise Multihoming
Thanks to everyone who has responded so far. I'm glad that I got some opinions here before I proceeded. I also participate in another list that has some fairly experienced people on it. They prevailing opinion there was that multihoming to multiple providers was overrated and largely unnecessary, and they just about had me convinced. My current opinion is that since we can't accept much downtime in the case of a single provider failure, it's probably not wise to put all of our eggs in Sprint's basket even if all circuits are geographically diverse. Thanks again, John --
Re: Enterprise Multihoming
At what point do you feel that it is : justified for a non-ISP to multihome to multiple providers? If the business model allows for the downtime caused by putting all your internet connectivity in one bucket. james
RE: Counter DoS
By "The Art of War on the Internet" I didn't mean information warfare, that's been with us as long as there's been information and the internet is certainly going to be a major part of that. What I am against is anyone trying to popularize the idea of the internet as a battleground where one uses force and deception to "gain ground". It's just another case of people wrongly attempting to fit somthing that they don't understand into a framework that they do understand, thereby creating a fallacy. Trying to base a product off of a flawed idea is bound to fail but also likely be a major irritation before it does. GP -Original Message- From: Etaoin Shrdlu [mailto:[EMAIL PROTECTED] Sent: 11 March 2004 14:58 To: Nanog Subject: Re: Counter DoS "Pendergrass, Greg" wrote: > > I can see now that it's only a matter of time before some nut writes "The > Art of War in the Internet". I read the whitepaper, it goes on a lot about > how defensive policies are ineffective but doesn't really say why active > response has never been tried: Ask, and ye shall receive. http://btobsearch.barnesandnoble.com/textbooks/booksearch/isbnInquiry.asp?us erid=2XH986JPUE&btob=Y&isbn=1581128576&TXT=Y&itm=1 I thought that someone mentioned that Mr. Forno was reputed to be on staff with these folk. > Their proposition is a terrible idea and their "rules of engagement" would > be funny instead of frightening if it wasn't serious I note that he also has a title from last year, which seems applicable here: Weapons of Mass Delusion (ISBN 15896X) I will point out that I cannot take seriously a company (Symbiot) that depends on a shockwave plugin to put up a web page. Pity that they came out so aggressively; it might have been an interesting product. Hype can kill as well as sell. -- It is by caffeine alone I set my mind in motion. It is by the beans of Java that thoughts acquire speed, the hands acquire shaking, the shaking becomes a warning. It is by caffeine only I set my mind in motion. Vodafone Global Content Services Limited Registered Office: Vodafone House, The Connection, Newbury, Berkshire RG14 2FN Registered in England No. 4064873 This e-mail is for the addressee(s) only. If you are not an addressee, you must not distribute, disclose, copy, use or rely on this e-mail or its contents, and you must immediately notify the sender and delete this e-mail and all copies from your system. Any unauthorised use may be unlawful. The information contained in this e-mail is confidential and may also be legally privileged.
Re: Enterprise Multihoming
Mutli-homing a non-ISP network or system on multiple carriers is a good way to maintain independent links to the internet by means of different peering, uplinks, over-all routing and reliability. My network on NAIS is currently multi-homed through AT&T. I use a single provider as both of my redundant links via 100% Fiber network. Even though this is cheaper for me, all it takes is for AT&T to have some major outage and I will be screwed. If I have a backup fiber line from say, Global Crossing, then it doesn't matter if AT&T takes a nose dive, I still have my redundancy there. That is why most non-ISPs hold multihoming via different providers as their #1 choice. Greg John Neiberger wrote: On another list we've been having multihoming discussions again and I wanted to get some fresh opinions from you. For the past few years it has been fairly common for non-ISPs to multihome to different providers for additional redundancy in case a single provider has problems. I know this is frowned upon now, especially since it helped increase the number of autonomous systems and routing table prefixes beyond what was really necessary. It seems to me that a large number of companies that did this could just have well ordered multiple, geographically separate links to the same provider. What is the prevailing wisdom now? At what point do you feel that it is justified for a non-ISP to multihome to multiple providers? I ask because we have three links: two from Sprint and one from Global Crossing. I'm considering dropping the GC circuit and adding another geographically-diverse connection to Sprint, and then removing BGP from our routers. I see a few upsides to this, but are there any real downsides? Flame on. :-) Thanks, John --
Re: Enterprise Multihoming
>>> Daniel Roesen <[EMAIL PROTECTED]> 3/11/04 9:13:04 AM >>> > >On Thu, Mar 11, 2004 at 09:04:57AM -0700, John Neiberger wrote: >> For the past few years it has been fairly common for non-ISPs to >> multihome to different providers for additional redundancy in case a >> single provider has problems. I know this is frowned upon now, >> especially since it helped increase the number of autonomous systems and >> routing table prefixes beyond what was really necessary. > >Who defines what is "really necessary"? What is your understanding >of "really necessary" when it comes to the desire to be commercially >and technically independent of your suppliers? > >It's this discussion again. That goes off in entirely the wrong direction but I guess I'll clarify that statement. :-) My point was that most companies could have met their connectivity requirements by simply getting multiple connections to the same provider from the beginning. However, among the less-technical managers it seemed to be popular to demand connectivity to multiple ISPs. It seems that me that this was not really necessary from a technical perspective in many cases, it just made people feel good. I don't really want to focus on that, though; I'm more interested in the situation as it stands today. If a company were going to add brand new Internet connectivity where it didn't exist before, what factors would you use to determine if multiple ISPs should even be considered? Given the stability of the larger ISPs and the general lack of true BGP expertise at many companies, is the potential benefit of multihoming to different ISPs worth the added risk and responsbility that comes with using BGP? Our BGP configuration isn't very difficult to understand but we do have a lack of BGP knowledge in the department and some additional training is in order. However, might it not be better to just simplify our connectivity and remove BGP altogether? Sure, I like BGP as much as the next guy but there's no sense in running it just because we can. :-) Thanks, John --
Re: Enterprise Multihoming
John Neiberger wrote: I see a few upsides to this, but are there any real downsides? Connecting to single AS makes you physically resilient but logically dependent on single entity, be that a provisioning system, routing protocol instance, etc. Depending on your requirements, the option of having somebody redistribute all their BGP routes into ISIS or OSPF might not worth looking forward to. Pete
Re: Enterprise Multihoming
On 11.03.2004 17:04 John Neiberger wrote: What is the prevailing wisdom now? At what point do you feel that it is justified for a non-ISP to multihome to multiple providers? IMHO you do not need a justification. If you think multiple links to the same provider don't buy you what you need (e.g. if the ISP has severe problems with its internal network multiple links do not buy you anything. Same holds when your ISP goes south which still happens now and then these days) go for real multihoming. Arnold
Re: Enterprise Multihoming
On Thu, 11 Mar 2004, John Neiberger wrote: > On another list we've been having multihoming discussions again and I > wanted to get some fresh opinions from you. > > For the past few years it has been fairly common for non-ISPs to > multihome to different providers for additional redundancy in case a > single provider has problems. I know this is frowned upon now, > especially since it helped increase the number of autonomous systems and > routing table prefixes beyond what was really necessary. It seems to me > that a large number of companies that did this could just have well > ordered multiple, geographically separate links to the same provider. > > What is the prevailing wisdom now? At what point do you feel that it is > justified for a non-ISP to multihome to multiple providers? I ask > because we have three links: two from Sprint and one from Global > Crossing. I'm considering dropping the GC circuit and adding another > geographically-diverse connection to Sprint, and then removing BGP from > our routers. > > I see a few upsides to this, but are there any real downsides? Many/most of my external connectivity problems are provider-related rather than circuit-related. Having two circuits to a single provider doesn't help when that provider is broken. I'm not saying that multi-ISP BGP-based multi-homing is risk-free, but I don't see multi-circuit single-provider as a viable alternative. Jay Ford, Network Engineering Group, Information Technology Services University of Iowa, Iowa City, IA 52242 email: [EMAIL PROTECTED], phone: 319-335-, fax: 319-335-2951
Re: Enterprise Multihoming
On Thu, Mar 11, 2004 at 09:04:57AM -0700, John Neiberger wrote: > For the past few years it has been fairly common for non-ISPs to > multihome to different providers for additional redundancy in case a > single provider has problems. I know this is frowned upon now, > especially since it helped increase the number of autonomous systems and > routing table prefixes beyond what was really necessary. Who defines what is "really necessary"? What is your understanding of "really necessary" when it comes to the desire to be commercially and technically independent of your suppliers? It's this discussion again. Regards, Daniel
Enterprise Multihoming
On another list we've been having multihoming discussions again and I wanted to get some fresh opinions from you. For the past few years it has been fairly common for non-ISPs to multihome to different providers for additional redundancy in case a single provider has problems. I know this is frowned upon now, especially since it helped increase the number of autonomous systems and routing table prefixes beyond what was really necessary. It seems to me that a large number of companies that did this could just have well ordered multiple, geographically separate links to the same provider. What is the prevailing wisdom now? At what point do you feel that it is justified for a non-ISP to multihome to multiple providers? I ask because we have three links: two from Sprint and one from Global Crossing. I'm considering dropping the GC circuit and adding another geographically-diverse connection to Sprint, and then removing BGP from our routers. I see a few upsides to this, but are there any real downsides? Flame on. :-) Thanks, John --
Re: Counter DoS
"Pendergrass, Greg" wrote: > > I can see now that it's only a matter of time before some nut writes "The > Art of War in the Internet". I read the whitepaper, it goes on a lot about > how defensive policies are ineffective but doesn't really say why active > response has never been tried: Ask, and ye shall receive. http://btobsearch.barnesandnoble.com/textbooks/booksearch/isbnInquiry.asp?userid=2XH986JPUE&btob=Y&isbn=1581128576&TXT=Y&itm=1 I thought that someone mentioned that Mr. Forno was reputed to be on staff with these folk. > Their proposition is a terrible idea and their "rules of engagement" would > be funny instead of frightening if it wasn't serious I note that he also has a title from last year, which seems applicable here: Weapons of Mass Delusion (ISBN 15896X) I will point out that I cannot take seriously a company (Symbiot) that depends on a shockwave plugin to put up a web page. Pity that they came out so aggressively; it might have been an interesting product. Hype can kill as well as sell. -- It is by caffeine alone I set my mind in motion. It is by the beans of Java that thoughts acquire speed, the hands acquire shaking, the shaking becomes a warning. It is by caffeine only I set my mind in motion.
Re: Counter DoS
On Thu, 11 Mar 2004 03:21:29 EST, Brian Bruns <[EMAIL PROTECTED]> said: > So, and who thinks that this is a good idea? :) What's the going rate per megabyte for transit traffic? :) pgp0.pgp Description: PGP signature
Re: Counter DoS
On 10.03 20:55, Steven M. Bellovin wrote: > > The phrase "seriously bad idea" comes to mind. Other phrases include > "illegal", "collateral damage", and "stupid". Those plus "escalation of agression" and "uncontrollable feedback loop". Daniel Karrenberg PS: I will spare you the re-run of a recent discussion I had with some 5-year-olds, but there *is* a certain similarity.
Re: Counter DoS
On Thu, 11 Mar 2004, Petri Helenius wrote: > Gregory Taylor wrote: > > Oh yes, lets not forget the fact that if enough sites have this > > 'firewall' and one of them gets attacked by other sites using this > > firewall it'll create a nuclear fission sized chain reaction of > > looping Denial of Service Attacks that would probably bring most major > > backbone providers to their knees. > > > Fortunately people with less clue usually have less bandwidth. Obviously > there are exceptions. I would expect to see localized tragedies if > something like this would get deployed but predicting death of the > internet is clueless. Don't be so sure that people with no clue don't have bandwidth, large companies with enourmouse resources sometimes end up with really clueless people at the top and similarly clueless network techs. But reality is it does not matter. Even five years ago, DoS attacks were already usually distributed coming mostly from comprimised servers. Now thanks to Microsoft's constantly buggy software and large deployment of broadband, its so easy for script-kiddies and alike to get hold of computers to be used for such purposes (but at least our unix servers don't get hacked as much...). And I really hate this kind of script-kiddie attitude that if you stike me, I'll strike you back even harder - revenge by the same means is not the answer (and in many cases its not the revenge but they just want to show themselve off as being more daring then the last guy). But then again since in US most people support death penalty and the government itself did not care how many innocent afghans died when they were doing their own revenge, then what are we expecting from the company execs - they might well buy this crap strike-back with a vengence firewall. I do hope, that if it were to happen, it'll quickly become clear that this is totally illegal and both Simbiot and those who bought it will end up in court and bankrupt and that will establish good precidence for the future. But as I mentioned in thread last week and as Sean Donelan mentioned today too - all this looks a like like a publicity hype in the making for a probably crappy product (but not crappy in the way that it'll actually force its users to break the law). We have about 20 days to wait before its released, so lets just wait and see how bad it really is. --- William Leibzon Elan Networks [EMAIL PROTECTED]
Re: Counter DoS
Gregory Taylor wrote: Oh yes, lets not forget the fact that if enough sites have this 'firewall' and one of them gets attacked by other sites using this firewall it'll create a nuclear fission sized chain reaction of looping Denial of Service Attacks that would probably bring most major backbone providers to their knees. Fortunately people with less clue usually have less bandwidth. Obviously there are exceptions. I would expect to see localized tragedies if something like this would get deployed but predicting death of the internet is clueless. Pete
Re: Counter DoS
At 02:25 AM 3/11/2004, Gregory Taylor wrote: After reading that article, if this product really is capable of 'counter striking DDoS attacks', my assumption is that it will fire packets back at the nodes attacking it. Doing such an attack would not be neither feasible or legal. You would only double the affect that the initial attack caused to begin with, plus you would be attacking hacked machines and not the culprit themselves, thus pouring gasoline all over an already blazing inferno. Plus imagine an attack originates behind one of these devices for some reason attacking another device. It'll just create a massive loop. :) That would be interesting. Vinny Abello Network Engineer Server Management [EMAIL PROTECTED] (973)300-9211 x 125 (973)940-6125 (Direct) PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0 E935 5325 FBCB 0100 977A Tellurian Networks - The Ultimate Internet Connection http://www.tellurian.com (888)TELLURIAN There are 10 kinds of people in the world. Those who understand binary and those that don't.
10GigaEthernet on GSR feedback ...
Hi, We recently installed 10GE interface on GSR boxes (Engine4+). I are experiencing a SNMP counter issue with 802.1q VLAN. We were used to have counters by 802.1q VLAN on GSR on 1GE, but it looks to be broken for 10GE subinterfaces. Counters are available by SNMP, but are buggy on Inbound. ifHCInUcastPkts is OK, but ifHCInOctets is not. Does anyone experienced such problem on 10GE with GSR ? Counters from physical interace are fine. We experiences this on SubInterfaces only. Thanks. Vincent. BTW : YES, we already opened a case with vendor, but we would like to share Operations feedbacks on this.
RE: Counter DoS
>I wonder, are they planning to launch these DDoS attacks from >compromised hosts belonging to unwitting accomplices like the >bad guys do? Could they be the people behind NetSky? We know now that Bagle and MyDoom come from spammer gangs but I haven't heard if anyone has identified a motive behind Netsky yet. I suppose that Symbiot is the logical next step. Now that there is a market for compromised hosts to build distributed networks for DoS, DNS, or anonymous hosting the logical next step is for a legitimate company (or semi-legitimate) to step into that market and try to dominate it. If the ISP and the vendor community won't work together to build the tools and systems needed to identify and block DDoS emitters then this is the inevitable result. If it goes much further then ISPs risk being sued for blocking DDoS because they will also be blocking somebody's revenue stream as well. --Michael Dillon
RE: Counter DoS
I can see now that it's only a matter of time before some nut writes "The Art of War in the Internet". I read the whitepaper, it goes on a lot about how defensive policies are ineffective but doesn't really say why active response has never been tried: A. Most of the time dDOS traffic is from spoofed sources anyway so whichever machine you "return fire" on is probably not the one that attacked you. B. NAT translation means a hacker has a tailor-made defense against any active repsonse. C. Even if you can directly attack a machine being used against you it's almost certainly not the perpetrator's box, he/she is sitting half a world away. The box you intentionally destroy is likely some innocent family PC that was taken over using some unplugged windows security hole. D. Widely deployed active defense will give an attacker a new form of dDOS attack, spoof the source of the one you want to hit in attacking several "active defense" systems and watch them attack your target for you. Their proposition is a terrible idea and their "rules of engagement" would be funny instead of frightening if it wasn't serious GP -Original Message- From: Joshua Brady [mailto:[EMAIL PROTECTED] Sent: 11 March 2004 01:27 To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: Counter DoS http://news.zdnet.co.uk/internet/security/0,39020375,39148215,00.htm Comments? Vodafone Global Content Services Limited Registered Office: Vodafone House, The Connection, Newbury, Berkshire RG14 2FN Registered in England No. 4064873 This e-mail is for the addressee(s) only. If you are not an addressee, you must not distribute, disclose, copy, use or rely on this e-mail or its contents, and you must immediately notify the sender and delete this e-mail and all copies from your system. Any unauthorised use may be unlawful. The information contained in this e-mail is confidential and may also be legally privileged.
Re: Counter DoS
At 09:43 AM 11-03-04 +, Brandon Butterworth wrote: > The Symbiot whitepaper on their service describes a process with a > little more imagination Like hooking it up to DARPA Grand Challenge winners? http://abcnews.go.com/sections/SciTech/WorldNewsTonight/robot_race_darpa_040310-1.html They recently revised the rules downward: http://www.wired.com/news/technology/0,1282,62608,00.html?tw=wn_tophead_3 > I applaud the idea of a outsourced department that will manage the > denial of service, and "hordes of script kiddie" trouble with sending a droid round to kick ass is you've just made Skynet V0.1 But: http://www.wired.com/wired/archive/12.03/robot.html ...which has the classic Battlebots line of "Can you drive over a competitor's vehicle? "I wouldn't describe running over another vehicle as incidental contact," says Negron. "What if it is a carefully navigated maneuver?" the guy asks. Negron shakes his head. "No."" :-) -Hank brandon
Re: Counter DoS
> The Symbiot whitepaper on their service describes a process with a > little more imagination Like hooking it up to DARPA Grand Challenge winners? http://abcnews.go.com/sections/SciTech/WorldNewsTonight/robot_race_darpa_040310-1.html > I applaud the idea of a outsourced department that will manage the > denial of service, and "hordes of script kiddie" trouble with sending a droid round to kick ass is you've just made Skynet V0.1 brandon
Re: Counter DoS
On Thu, 11 Mar 2004, Baldwin, James wrote: > I applaud the idea of a outsourced department that will manage the > denial of service, and "hordes of script kiddie" (nod to Ranum) problems > that plague modern networks. Anything that keeps me from being > distracted from more interesting lines of thought, rather than > constantly following up on outside nuisances is a Good Thing (tm). There are hundreds of managed security providers which happily take your money, analyze your firewall and other security logs, monitor "underground" sources, notify service providers on your behalf, etc. There a many "black lists" operated by for-profit and non-profit organizations which will block not only the compromised computer, but also hundreds of other computers to "get the attention" of people. Most are reputable. But the security industry is full of puffery like home alarm companies promising their customers "armed response." "Armed response" may be armed, but its doubtful they will go charging into your house with guns blazing when your house alarm goes off. This company's P.R. firm has succeeded in getting people talking about a company without a released product. I suspect when they finally do release their product, it will be much less than the hype. Perhaps people could recommend some managed security firms with good reputations. Unfortunately, the best ones also seem rather dull. They understand there are no magic solutions and don't pretend to have "secret sauce." It just basic hard work.
Re: Counter DoS
http://www.symbiot.com/media/iwROE.pdf The Symbiot whitepaper on their service describes a process with a little more imagination and use than simply flooding attacking nodes with packets. It describes a process which appears to require human intervention through an Operations Center to aid in tracking down offending nodes and notifying the offenders service providers prior to an deployment of active defenses. That being said, it also specifically mentions "distributed denial of service counterattacks" as a not quite so last resort, and possibly automated response gesture for multiple identified offenders with whom intervention from service providers and other authorities has not been forth coming. I applaud the idea of a outsourced department that will manage the denial of service, and "hordes of script kiddie" (nod to Ranum) problems that plague modern networks. Anything that keeps me from being distracted from more interesting lines of thought, rather than constantly following up on outside nuisances is a Good Thing (tm). However, the deployment of "active defenses" in response to a failure of service providers to adequately secure their egress and ingress points is not a choice any reasonable person would make. Vigilante justice might be rewarding in the short term, but I choose not to leave the judgment of friend and foe in the hands of someone with large amounts of bandwidth at the tips their itchy trigger fingers. James Baldwin WorldWide Technology, Services, and Operations Operations Center Electronic Arts, Inc.
Check Your Routing Table! Production Use of 84/8 Imminent.
The first allocation out of 84/8 has happened. It is *now* high time to check whether you see the pilot prefixes 84.192/16 and 84.255.248/21. If you do not see both of these prefixes it is extremely likely that you will have a connectivity problem very shortly. We also suggest that you check any packet filters you may be responsible for. Regards Daniel Karrenberg RIPE NCC -- Notes: 84/8 has been allocated by the IANA on November 17th 2003, almost 4 months ago. The fact has been announced on this list a couple of times since. Routing decisions are fully within the responsibility of the network operators. The IANA and the RIRs will only announce which parts of the address space are currently in use. They have no authority whatsoever over routing decisions taken by you and other network operators. More details about the pilot prefixes can be found at http://www.ripe.net/ripe/draft-documents/deboganising-draft.html A visibility comparison of the pilot prefixes with some production prefixes can be found at http://www.ris.ripe.net/debogon/debogon.html Those interested in history, see http://www.ris.ripe.net/debogon/ More information on how to do Bogon filtering efficiently and reliably can be found at Team CYMRU: http://www.cymru.com/Bogons/index.html Unfortunately we are not currently able to provide a host within the pilot prefixes that can reliably answer pings, nor are we able to do connectivity checks from there. The allocation had to happen before we were ready with this part of the pilot prefix pilot.
Re: Counter DoS
My mom likes the idea, she thinks it'll help her get her hotmail faster. (shrugs) Brian Bruns wrote: On Thursday, March 11, 2004 3:05 AM [EST], Brian Bruns <[EMAIL PROTECTED]> wrote: Sounds like efnet channel wars on a much more interesting scale. Like I've said in previous posts - do we really want these people having tools like this? Doesn't this make them the equivelant of 'script kiddies'? How the hell could a company put something like this out, and expect not to get themselves sued to the moon and back when it fires a shot at an innocent party? I hit send way to fast, heh. Whats going to happen when they find a nice little exploit in these buggers (even if they have anti-spoof stuff in them) that allows the kids to take control of them or trick them into attacking innocents? Instead of thousands of DDoS drones on DSL and cable modems, you'll see kids with hundreds of these 'nuclear stike firewalls' on T1s, T3s, and higher, using them like they use the current trojans? No product is 100% secure (especially not something that runs under Windows, but thats another issue), so how are they going to deliver updates? Or make sure that the thing is configured right? I could see blacklists (BGP based) cropping up of these systems, so that you can filter these networks from ever being able to come near your network. This is starting to sound more and more like a nuclear arms race - on one side we have company a, on the other company b. Company A fears that B will attack it, so they get this super dooper nuclear strike system. Company B follows suit and sets one up as well. Both then increase their bandwidth, outdoing the other until finally, script kiddie comes along, and spoofs a packet from A to B, and B attacks A, and A responds with its own attack. ISPs hosting the companies fall flat on their face from the attack, the backbone between the two ISPs gets lagged to death, and stuff starts griding to a halt for others caught in the crossfire. So, and who thinks that this is a good idea? :)
Re: Counter DoS
On Thursday, March 11, 2004 3:05 AM [EST], Brian Bruns <[EMAIL PROTECTED]> wrote: > > Sounds like efnet channel wars on a much more interesting scale. > > Like I've said in previous posts - do we really want these people having > tools like this? Doesn't this make them the equivelant of 'script kiddies'? > > How the hell could a company put something like this out, and expect not to > get themselves sued to the moon and back when it fires a shot at an innocent > party? I hit send way to fast, heh. Whats going to happen when they find a nice little exploit in these buggers (even if they have anti-spoof stuff in them) that allows the kids to take control of them or trick them into attacking innocents? Instead of thousands of DDoS drones on DSL and cable modems, you'll see kids with hundreds of these 'nuclear stike firewalls' on T1s, T3s, and higher, using them like they use the current trojans? No product is 100% secure (especially not something that runs under Windows, but thats another issue), so how are they going to deliver updates? Or make sure that the thing is configured right? I could see blacklists (BGP based) cropping up of these systems, so that you can filter these networks from ever being able to come near your network. This is starting to sound more and more like a nuclear arms race - on one side we have company a, on the other company b. Company A fears that B will attack it, so they get this super dooper nuclear strike system. Company B follows suit and sets one up as well. Both then increase their bandwidth, outdoing the other until finally, script kiddie comes along, and spoofs a packet from A to B, and B attacks A, and A responds with its own attack. ISPs hosting the companies fall flat on their face from the attack, the backbone between the two ISPs gets lagged to death, and stuff starts griding to a halt for others caught in the crossfire. So, and who thinks that this is a good idea? :) -- Brian Bruns The Summit Open Source Development Group Open Solutions For A Closed World / Anti-Spam Resources http://www.sosdg.org The Abusive Hosts Blocking List http://www.ahbl.org
Re: Steadfast Networks
>> for irc channel == group of nonrelated self-serving script kiddies? > He was banned from #nanog, not #trelane who gives a rat's a**? please take all this back to alt.chat.jr.high. randy
Re: Counter DoS
On Thursday, March 11, 2004 2:43 AM [EST], Jay Hennigan <[EMAIL PROTECTED]> wrote: > > On the other hand, they could become immensely popular, reaching the > critical mass when one of them detects what is interpreted as an attack > from a network protected by another. Grab the popcorn and watch as they > all bludgeon each other to death. :-) Sounds like efnet channel wars on a much more interesting scale. Like I've said in previous posts - do we really want these people having tools like this? Doesn't this make them the equivelant of 'script kiddies'? How the hell could a company put something like this out, and expect not to get themselves sued to the moon and back when it fires a shot at an innocent party? -- Brian Bruns The Summit Open Source Development Group Open Solutions For A Closed World / Anti-Spam Resources http://www.sosdg.org The Abusive Hosts Blocking List http://www.ahbl.org