Re: Worms versus Bots
At 11:04 PM 5/2/2004, Sean Donelan wrote:

> The antivirus vendors are bemoaning the fact the Sasser worm has been slow to spread. On the other hand, most of the vulnerable computers seem to have already been taken over by one or more Bots days or weeks before the worms arrived.
>
> Other than the obvious, don't let a bot get on your computer in the first place, are there any opinions about the best anti-bot tools for naive computer users? The major virus vendors seem to be having a bit of trouble dealing with bots, frequently recommending manual editing of files and use of regedit. There is also a much longer delay between the appearance of a new bot and updates to antivirus packages.

One of my concerns is that it's easy to download an anti-virus package which will most likely delete (it seems that unless it's a VBA macro virus the files can never be cleaned!) some of the 100% worm or virus files. The trojan programs, bots, and spyware stick around. It would be a wonderful program that scanned for and cleaned up BOTH virus and bot files...

Rob Nelson
[EMAIL PROTECTED]
Netlantis tools when are they returning ???
I miss this essential toolset now that I do not have it -Henry
Re: Netlantis tools when are they returning ???
On Mon, 3 May 2004, Henry Linneweh wrote:

> I miss this essential toolset now that I do not have it

Try RIPE NCC's RIS project: www.ripe.net/ris, same data, similar tools.

Henk

--
Henk Uijterwaal                    Email: henk.uijterwaal(at)ripe.net
RIPE Network Coordination Centre   http://www.amsterdamned.org/~henk
P.O.Box 10096        Singel 258    Phone: +31.20.5354414
1001 EB Amsterdam    1016 AB Amsterdam   Fax: +31.20.5354445
The Netherlands      The Netherlands     Mobile: +31.6.55861746

--
Process and Procedure are the last hiding place of people without the wit and wisdom to do their job properly. (David Brent).
Re: routing between AOL and 217.21.144.0/20
On Sun, May 02, 2004 at 02:06:09AM +0200, Anand Buddhdev wrote:

> Hi, I'm having trouble sending packets to AOL from the network 217.21.144.0/20. I've tried to contact AOL at the address [EMAIL PROTECTED] which I found from the RADB database, but my email bounced! Are there any engineers from AOL on this list who could contact me to try and resolve this issue?

Hi everyone,

Thanks to those who responded. It seems someone did see my email sent to [EMAIL PROTECTED] and an AOL engineer got in touch with me. However, the problem had been solved before that. It seems there was a route propagation problem between Level3 and AOL and Level3 fixed it last night. I have no details of the solution, so I can't say what was actually wrong.

--
Anand Buddhdev
Infrastructure Mapping Project Website
Hi Everyone,

We have a website up for our infrastructure mapping project here at George Mason that might be of interest to some of the folks on the list: http://policy.gmu.edu/imp/

Also I thought we would add our little take from the thread a while back that asked if our maps showed the 2003 blackout. While it is hard to show a cascade or predict a blackout, I think the maps do point out some structural vulnerability where the cascade started: http://policy.gmu.edu/imp/research.html (Map #6)

If the work looks helpful to anyone or if you have any feedback please pass it along.

best,
sean
Re: Infrastructure Mapping Project Website
On Mon, 3 May 2004 [EMAIL PROTECTED] wrote:

> If the work looks helpful to anyone or if you have any feedback please pass it along.

But what everyone wants to know: Did the school finally decide to award you a degree for your work?
Re: Infrastructure Mapping Project Website
Yup - on April 20th I passed my defense and I'll be walking May 15th. The committee agreed the dissertation was worthwhile, that is just four people, but I ain't complaining.

Now Supposedly Dr. Gorman

----- Original Message -----
From: Sean Donelan [EMAIL PROTECTED]
Date: Monday, May 3, 2004 1:55 pm
Subject: Re: Infrastructure Mapping Project Website

> On Mon, 3 May 2004 [EMAIL PROTECTED] wrote:
> > If the work looks helpful to anyone or if you have any feedback please pass it along.
>
> But what everyone wants to know: Did the school finally decide to award you a degree for your work?
Re: Worms versus Bots
Sean Donelan wrote:

> Other than the obvious, don't let a bot get on your computer in the first place, are there any opinions about the best anti-bot tools for naive computer users? The major virus vendors seem to be having a bit of trouble dealing with bots, frequently recommending manual editing of files and use of regedit. There is also a much longer delay between the appearance of a new bot and updates to antivirus packages.

I personally stick with the BCP: backup, reformat and reinstall from your original media. That goes for worms and bots. Just because a machine has a bot/worm/virus that didn't come with a rootkit, doesn't mean that someone else hasn't had their way with it.

Then again, I've seen businesses who had sensitive client financial data on compromised systems completely ignore this advice, so it's generally given without much hope, esp. where the stakes are lower.
Re: Worms versus Bots
Hi, NANOGers.

] Just because a machine has a bot/worm/virus that didn't come with a
] rootkit, doesn't mean that someone else hasn't had their way with it.

Agreed. A growing trend in the 0wnage category is the installation of multiple bots on a single host. This isn't intentional, but a result of the multiple infection vectors bots employ. Bot01 goes after open Win2K shares (TCP 445), and Bot02 comes along and enters through Kuang2 (TCP 17300). One of the more popular bots has at least 13 distinct scan and sploit methods. WebDav, NetBios, MSSQL, Beagle, Kuang2, and the list goes on. The record I've seen thus far was a host with 14 distinct and active bots on it. I'm guessing the LEDs on that cable modem never blinked.

One bot, Coldlife, actually took advantage of this trend. It would hunt for certain bot configuration files on the host it infected, and report the contents to the Coldlife botherd. Ka-ching, another botnet stolen. Things have evolved in a distributed manner from this feature.

Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
FW: Worms versus Bots
I see times more typically in the 5 - 10 second range to infection. As a test, I unprotected a machine this morning on a single T1 to get a sample. 8 seconds. If you can get in 20 minutes of downloads you're luckier than most.

Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of william(at)elan.net
Sent: Monday, May 03, 2004 11:49 PM
To: Sean Donelan
Cc: Rob Thomas; NANOG
Subject: Re: Worms versus Bots

On Mon, 3 May 2004, Sean Donelan wrote:

> On Mon, 3 May 2004, Rob Thomas wrote:
> > ] Just because a machine has a bot/worm/virus that didn't come with a
> > ] rootkit, doesn't mean that someone else hasn't had their way with it.
> >
> > Agreed.
>
> Won't help. What's the first thing people do after re-installing the operating system (still have all the original CDs and keys and product activation codes and and and)? Connect to the Internet to download the patches. Time to download patches 60+ minutes. Time to infection 5 minutes.

It's possible it's a problem on dialup, but in our ISP office I set up new win2000 servers and the first thing I do is download all the patches. I've yet to see the server get infected in the 20-30 minutes it takes to finish it (Note: I also disable IIS just in case until everything is patched..). Similarly when setting up computers for several of my relatives (all have dsl) I've yet to see any infection before all updates are installed.

Additional to that, many users have a dsl router or similar device and many such beasts will provide a NATed ip block and act like a firewall, not allowing outside servers to actually connect to your home computer. On this point it would be really interesting to see what percentage of users actually have these routers and if the decreasing speed of infections by new viruses (are there real numbers to show it decreased?) has anything to do with this rather than people being more careful and using antivirus.

Another option if you're really afraid of infection is to set up a proxy that only allows access to the microsoft ip block that contains the windows update servers. And of course, there is an even BETTER OPTION than all the above - STOP USING WINDOWS and switch to Linux or Free(Mac)BSD ! :)

> Patches are Microsoft's intellectual property and can not be distributed by anyone without Microsoft's permission.

I don't think this is quite true. Microsoft makes available all patches as individual .exe files. There are quite many of these updates and it's really a pain to actually get all of them and install updates manually. But I've never seen written anywhere that I can not download these .exe files and distribute them inside your company or to your friends as needed to fix the problems these patches are designed for.

> The problem with Bots is they aren't always active. That makes them difficult to find until they do something.

As opposed to what, viruses? Not at all! Many viruses have a period when they are active and afterwards they go into sleep mode and will not activate until some other date! Additionally a bot that does not immediately become active is a good thing because if you do weekly or monthly audits (and many do it like that) you may well find it this way and deal with it at your own time, rather than all of a sudden being awakened at 3am and having to clean up an infected system.

--
William Leibzon
Elan Networks
[EMAIL PROTECTED]
Re: Worms versus Bots
On Mon, 3 May 2004, Rob Thomas wrote:
> ] Just because a machine has a bot/worm/virus that didn't come with a
> ] rootkit, doesn't mean that someone else hasn't had their way with it.
>
> Agreed.

Won't help. What's the first thing people do after re-installing the operating system (still have all the original CDs and keys and product activation codes and and and)? Connect to the Internet to download the patches. Time to download patches 60+ minutes. Time to infection 5 minutes.

Patches are Microsoft's intellectual property and can not be distributed by anyone without Microsoft's permission. Ok, so you order Microsoft's patch CD. Unfortunately it only includes patches through October 2003. Microsoft is selling over 10 million Windows licenses every month. Patches not included.

> The record I've seen thus far was a host with 14 distinct and active bots on it. I'm guessing the LEDs on that cable modem never blinked.

The problem with Bots is they aren't always active. That makes them difficult to find until they do something.
Re: Worms versus Bots
On Mon, 3 May 2004, Sean Donelan wrote:

> On Mon, 3 May 2004, Rob Thomas wrote:
> > ] Just because a machine has a bot/worm/virus that didn't come with a
> > ] rootkit, doesn't mean that someone else hasn't had their way with it.
> >
> > Agreed.
>
> Won't help. What's the first thing people do after re-installing the operating system (still have all the original CDs and keys and product activation codes and and and)? Connect to the Internet to download the patches. Time to download patches 60+ minutes. Time to infection 5 minutes.

It's possible it's a problem on dialup, but in our ISP office I set up new win2000 servers and the first thing I do is download all the patches. I've yet to see the server get infected in the 20-30 minutes it takes to finish it (Note: I also disable IIS just in case until everything is patched..). Similarly when setting up computers for several of my relatives (all have dsl) I've yet to see any infection before all updates are installed.

Additional to that, many users have a dsl router or similar device and many such beasts will provide a NATed ip block and act like a firewall, not allowing outside servers to actually connect to your home computer. On this point it would be really interesting to see what percentage of users actually have these routers and if the decreasing speed of infections by new viruses (are there real numbers to show it decreased?) has anything to do with this rather than people being more careful and using antivirus.

Another option if you're really afraid of infection is to set up a proxy that only allows access to the microsoft ip block that contains the windows update servers. And of course, there is an even BETTER OPTION than all the above - STOP USING WINDOWS and switch to Linux or Free(Mac)BSD ! :)

> Patches are Microsoft's intellectual property and can not be distributed by anyone without Microsoft's permission.

I don't think this is quite true. Microsoft makes available all patches as individual .exe files. There are quite many of these updates and it's really a pain to actually get all of them and install updates manually. But I've never seen written anywhere that I can not download these .exe files and distribute them inside your company or to your friends as needed to fix the problems these patches are designed for.

> The problem with Bots is they aren't always active. That makes them difficult to find until they do something.

As opposed to what, viruses? Not at all! Many viruses have a period when they are active and afterwards they go into sleep mode and will not activate until some other date! Additionally a bot that does not immediately become active is a good thing because if you do weekly or monthly audits (and many do it like that) you may well find it this way and deal with it at your own time, rather than all of a sudden being awakened at 3am and having to clean up an infected system.

--
William Leibzon
Elan Networks
[EMAIL PROTECTED]
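Two points in this thread, Rob Thomas's note that stacked bots each hold their own entry point (open shares on TCP 445, the Kuang2 backdoor on TCP 17300) and William's point that a dormant bot is still something a periodic audit can catch, suggest the kind of check a weekly audit can run. The block below is an added example written for this digest, not code posted by anyone in the thread. It parses a constructed `netstat -an` capture from a Windows 2000 host (every line is made up for the example) and compares it against a constructed baseline of listeners a freshly built box is expected to expose. The baseline, the expected outbound ports, and the sample addresses are assumptions for the example; the only port it treats as a known bot entry point is the one the thread itself names. The point it demonstrates is that a bot which is "not active" still owns a socket, and a socket table diffed against a build baseline shows it without waiting for it to do something.

```python
import re
from collections import namedtuple

# Constructed sample of "netstat -an" output from a Windows 2000 host. The
# TCP 17300 listener and the outbound session to port 6667 are planted so the
# audit has something to flag; none of this came from a real machine.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:17300          0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1039        198.51.100.5:6667      ESTABLISHED
  TCP    192.0.2.10:1040        198.51.100.20:80       ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
"""

Socket = namedtuple("Socket", "proto local_ip local_port remote_ip remote_port state")

# proto, local ip:port, remote ip:port, optional state (UDP lines have none)
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Turn netstat -an lines into Socket records; banner and header lines are skipped."""
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, lip, lport, rip, rport, state = m.groups()
        sockets.append(Socket(proto, lip, int(lport), rip,
                              int(rport) if rport.isdigit() else None,
                              # a bound UDP socket is treated as a listener
                              state or "LISTENING"))
    return sockets


# Assumed baseline for a freshly built, patched Win2K host. In practice this
# comes from the build image you install from, not from memory.
BASELINE_LISTENERS = {("TCP", 135), ("TCP", 139), ("TCP", 445),
                      ("UDP", 137), ("UDP", 138)}
# Assumed set of remote ports this host has a business reason to talk to.
EXPECTED_REMOTE_PORTS = {25, 53, 80, 443}
# Entry points named in the thread; anything else unexpected is still flagged.
KNOWN_BOT_PORTS = {17300: "Kuang2 backdoor port named in the thread"}


def audit(sockets):
    """Return (severity, message) findings; an empty list means nothing unexpected."""
    findings = []
    for s in sockets:
        if s.state == "LISTENING":
            if (s.proto, s.local_port) not in BASELINE_LISTENERS:
                severity = "HIGH" if s.local_port in KNOWN_BOT_PORTS else "MEDIUM"
                note = KNOWN_BOT_PORTS.get(s.local_port, "not in build baseline")
                findings.append((severity, f"unexpected listener {s.proto}/{s.local_port}: {note}"))
        elif s.state == "ESTABLISHED" and s.remote_port not in EXPECTED_REMOTE_PORTS:
            findings.append(("MEDIUM", f"outbound session to {s.remote_ip}:{s.remote_port} "
                                       "outside expected remote ports"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(parse_netstat(SAMPLE_NETSTAT)):
        print(severity, message)
```

Run against the sample it reports the 17300 listener as HIGH and the session to port 6667 as MEDIUM, while the baseline listeners and the port-80 session pass. On a real host the baseline is the set you record from the clean build before the machine is connected, which is also the moment William's "install from original media, then patch" sequence gives you.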
Re: BGP Exploit
On May 3, 2004, at 6:26 PM, [EMAIL PROTECTED] wrote:

> Now that the firestorm over implementing Md5 has quieted down a bit, is anybody aware of whether the exploit has been used? Feel free to reply off list.

I would also be interested in what %-age of peers are MD5-ized? And if anyone has had any operational issues with the MD5 process - issues contacting peers, software incompatibility, varying key synchronization processes, additional CPU, re-writing internal tools, monitoring MD5-ness, etc.?

Happy to collect the data off-list and reply with the summarized / anonymized stats.

--
TTFN,
patrick
BGP Exploit
Now that the firestorm over implementing Md5 has quieted down a bit, is anybody aware of whether the exploit has been used? Feel free to reply off list.

Thanks,
Keith Wallace
Director, Telecommunications
PC Connection Services
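For readers who want to see what "MD5-izing" a BGP session actually commits each peer to, the block below is an added example written for this digest, not code from any poster or from any router vendor. It computes and verifies the RFC 2385 TCP MD5 signature over a constructed BGP KEEPALIVE segment: the digest is MD5 over the TCP pseudo-header, the option-free TCP header with a zero checksum, the payload, and the shared key, and it travels in TCP option kind 19. The addresses, ports, sequence numbers and key are constructed sample values; a receiver drops any segment whose recomputed digest does not match, which is the property that stops a spoofed RST or data segment from affecting the session.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

# RFC 2385: the 16-byte digest is MD5 over (1) the TCP pseudo-header,
# (2) the TCP header excluding options with the checksum zeroed,
# (3) the segment data, and (4) the connection's shared key.
TCP_PROTO = 6
FIXED_TCP_HEADER_LEN = 20
MD5_OPTION_LEN = 18          # kind(1) + length(1) + digest(16)
PADDED_OPTIONS_LEN = 20      # plus two NOPs so the header ends on a 4-byte boundary


def build_tcp_header(src_port, dst_port, seq, ack, flags, window):
    """Fixed 20-byte TCP header. Data offset already counts the 20 option bytes
    the signature will occupy; checksum stays zero, as the digest input requires."""
    data_offset_words = (FIXED_TCP_HEADER_LEN + PADDED_OPTIONS_LEN) // 4  # 10 words
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       data_offset_words << 4, flags, window, 0, 0)


def tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, key):
    """Return the 16-byte RFC 2385 digest for one segment."""
    data_offset = (tcp_header[12] >> 4) * 4        # header length including options
    tcp_len = data_offset + len(payload)            # pseudo-header carries the wire length
    pseudo_header = (IPv4Address(src_ip).packed + IPv4Address(dst_ip).packed
                     + struct.pack("!BBH", 0, TCP_PROTO, tcp_len))
    header_zero_cksum = tcp_header[:16] + b"\x00\x00" + tcp_header[18:20]
    md = hashlib.md5()
    md.update(pseudo_header)
    md.update(header_zero_cksum)
    md.update(payload)
    md.update(key)
    return md.digest()


def md5_option(digest):
    """Option bytes as carried on the wire: kind 19, length 18, digest, two NOPs."""
    return bytes([19, MD5_OPTION_LEN]) + digest + b"\x01\x01"


def verify_segment(src_ip, dst_ip, tcp_header, payload, key, received_digest):
    """Receiver side: recompute and compare in constant time; a mismatch means drop."""
    expected = tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, key)
    return hmac.compare_digest(expected, received_digest)


# Constructed sample session: documentation-range addresses and a made-up key.
SRC_IP, DST_IP = "192.0.2.1", "198.51.100.1"
KEY = b"example-peer-key"
# A genuine BGP KEEPALIVE: 16-byte marker of 0xff, length 19, type 4.
BGP_KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)
HEADER = build_tcp_header(179, 179, 0x1000, 0x2000, 0x18, 65535)  # flags PSH|ACK


def demo():
    """Sign the KEEPALIVE, then report what the receiver decides for the genuine
    segment, a segment whose payload was altered in flight, a segment signed
    with a different key, and a segment whose source address was spoofed."""
    digest = tcp_md5_digest(SRC_IP, DST_IP, HEADER, BGP_KEEPALIVE, KEY)
    tampered_payload = BGP_KEEPALIVE[:-1] + b"\x03"      # type 4 -> 3 (NOTIFICATION)
    return {
        "option_len": len(md5_option(digest)),
        "genuine": verify_segment(SRC_IP, DST_IP, HEADER, BGP_KEEPALIVE, KEY, digest),
        "tampered": verify_segment(SRC_IP, DST_IP, HEADER, tampered_payload, KEY, digest),
        "wrong_key": verify_segment(SRC_IP, DST_IP, HEADER, BGP_KEEPALIVE, b"other-key", digest),
        "spoofed_src": verify_segment("203.0.113.9", DST_IP, HEADER, BGP_KEEPALIVE, KEY, digest),
    }


if __name__ == "__main__":
    print(demo())
```

Because the source and destination addresses and the sequence numbers are inside the digest, a forged segment has to carry the right key as well as the right addressing, which is why the operational cost Patrick asks about (key distribution, keeping keys in sync across both ends, CPU per segment) is the price of the protection rather than an incidental detail.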
Don't forget physical security: Network Card Theft Causes Internet Outage
Network Card Theft Causes Internet Outage
May 3, 2004
By Sean Gallagher

A handful of corporate customers were left without e-mail and Internet access Monday after the theft of networking equipment from a New York City office late Sunday. Law enforcement officials said four DS-3 cards were reported missing from a Manhattan co-location facility owned by Verizon Communications Inc. The theft at 240 E. 38th St. occurred just after 10:30 p.m. on Sunday and is being investigated by New York City Police and members of the joint terrorism task force, according to NYPD spokesman Lt. Brian Burke.

http://www.eweek.com/article2/0,1759,1583359,00.asp
RE: Worms versus Bots
Microsoft has said Windows XP SP2 will have the firewall turned on by default, and that they have considered reissuing the installation CD's such that a new installation will have the firewall enabled to deal with just this problem. I do not know the current state of the consideration, but to me it seems reasonable that Microsoft should at least make the offer of a new CD (to anyone who has a valid XP license key?) No, many people will not request a new CD, but then many people never apply patches either. I think this is a horse and water problem.

Gary

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Krichbaum
Sent: Monday, May 03, 2004 8:13 PM
To: [EMAIL PROTECTED]
Subject: FW: Worms versus Bots

I see times more typically in the 5 - 10 second range to infection. As a test, I unprotected a machine this morning on a single T1 to get a sample. 8 seconds. If you can get in 20 minutes of downloads you're luckier than most.

Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of william(at)elan.net
Sent: Monday, May 03, 2004 11:49 PM
To: Sean Donelan
Cc: Rob Thomas; NANOG
Subject: Re: Worms versus Bots

On Mon, 3 May 2004, Sean Donelan wrote:

> On Mon, 3 May 2004, Rob Thomas wrote:
> > ] Just because a machine has a bot/worm/virus that didn't come with a
> > ] rootkit, doesn't mean that someone else hasn't had their way with it.
> >
> > Agreed.
>
> Won't help. What's the first thing people do after re-installing the operating system (still have all the original CDs and keys and product activation codes and and and)? Connect to the Internet to download the patches. Time to download patches 60+ minutes. Time to infection 5 minutes.

It's possible it's a problem on dialup, but in our ISP office I set up new win2000 servers and the first thing I do is download all the patches. I've yet to see the server get infected in the 20-30 minutes it takes to finish it (Note: I also disable IIS just in case until everything is patched..). Similarly when setting up computers for several of my relatives (all have dsl) I've yet to see any infection before all updates are installed.

Additional to that, many users have a dsl router or similar device and many such beasts will provide a NATed ip block and act like a firewall, not allowing outside servers to actually connect to your home computer. On this point it would be really interesting to see what percentage of users actually have these routers and if the decreasing speed of infections by new viruses (are there real numbers to show it decreased?) has anything to do with this rather than people being more careful and using antivirus.

Another option if you're really afraid of infection is to set up a proxy that only allows access to the microsoft ip block that contains the windows update servers. And of course, there is an even BETTER OPTION than all the above - STOP USING WINDOWS and switch to Linux or Free(Mac)BSD ! :)

> Patches are Microsoft's intellectual property and can not be distributed by anyone without Microsoft's permission.

I don't think this is quite true. Microsoft makes available all patches as individual .exe files. There are quite many of these updates and it's really a pain to actually get all of them and install updates manually. But I've never seen written anywhere that I can not download these .exe files and distribute them inside your company or to your friends as needed to fix the problems these patches are designed for.

> The problem with Bots is they aren't always active. That makes them difficult to find until they do something.

As opposed to what, viruses? Not at all! Many viruses have a period when they are active and afterwards they go into sleep mode and will not activate until some other date! Additionally a bot that does not immediately become active is a good thing because if you do weekly or monthly audits (and many do it like that) you may well find it this way and deal with it at your own time, rather than all of a sudden being awakened at 3am and having to clean up an infected system.

--
William Leibzon
Elan Networks
[EMAIL PROTECTED]
RE: Worms versus Bots
William wrote:

> but in our ISP office I set up new win2000 servers and the first thing I do is download all the patches. I've yet to see the server get infected in the 20-30 minutes it takes to finish it

It can happen in 5 or 10 minutes (I've seen it) but only if all of the following conditions are met simultaneously:

a) administrator's password blank (or something _really_ easy to guess)
b) public IP (no NAT)
c) no firewall

In other words: if one is stupid, one gets worm'ed or bot'ed.

> (Note: I also disable IIS just in case until everything is patched..).

Not a bad idea, but sometimes you don't have the choice of doing it (with scripted installs or things like SBS). Besides, IIS is not the main source of trouble on a machine that sits on the Internet unprotected. I consider disabling IIS a second or third line of defense, to be used after you implemented the steps not to get screwed in the first place (which you described).

> Similarly when setting up computers for several of my relatives (all have dsl) I've yet to see any infection before all updates are installed.

Me too.

> Additional to that, many users have a dsl router or similar device and many such beasts will provide a NATed ip block and act like a firewall, not allowing outside servers to actually connect to your home computer.

Indeed. I have a $10 one that I use for installations (even when I install from a trusted environment), because the danger does not come only from the Internet, it can also come from your own LAN. By putting the machine being installed alone on its own segment behind a NAT box, you also shield yourself from crud that could be on the trusted network.

> On this point it would be really interesting to see what percentage of users actually have these routers and if the decreasing speed of infections by new viruses (are there real numbers to show it decreased?) has anything to do with this rather than people being more careful and using antivirus.

Difficult to measure, and here's why: recent worms are polymorphic and propagate/replicate using many different mechanisms. How do you make the difference between a) a worm that arrived through email and then contaminated x machines on your LAN and b) a worm that arrived through a vulnerability of IIS and then contaminated x machines on your LAN? The trouble here is that if you had all the time in the world _and_ if you did not have x users screaming, you could look at logs and such and finally figure out which of the egg or the chicken was first. In a real world, you clean the mess and when you are done you have to catch up with all the stuff you did not do while cleaning, and you never know.

Michel.
Network Card Theft Causes Internet Outage
Just in case any of you don't read slashdot:

http://www.eweek.com/article2/0,1759,1583347,00.asp

> Law enforcement officials said four DS-3 cards were reported missing from a Manhattan co-location facility owned by Verizon Communications Inc. The theft at 240 E. 38th St. occurred just after 10:30 p.m. on Sunday and is being investigated by New York City Police and members of the joint terrorism task force, according to NYPD spokesman Lt. Brian Burke.

4 DS3 cards and the joint terrorism task force is called in? Aren't there enough gas tanks being stolen around the country for the joint terrorism task force to be kept busy? Trying to fix our terrorism problem like this is like trying to fix the spam problem using IP-based blacklists.

Anyway, late in the article a spokesman for Sprint is quoted:

> Fleckenstein said that the outage was not major, and not large enough to require a report to the Federal Communications Commission.

I just thought it was hilarious that this outage is major enough to suspect terrorist motives and involve the appropriate agency, but not major enough to warrant reporting to the FCC. Sure, it didn't knock down the service of 50,000 customers, but doesn't it seem sad that an entire mid-sized city must lose service before the FCC gets to know about it? I think every fricking trouble ticket generated at an ILEC should be recorded at the FCC. It's not like they don't have the means and technology. It would be near-trivial, in fact, given their capabilities when properly motivated.

Andy

---
Andy Dills
Xecunet, Inc.
www.xecu.net
301-682-9972
---
Re: Network Card Theft Causes Internet Outage
On Tue, 4 May 2004, Andy Dills wrote:

> Just in case any of you don't read slashdot:
>
> http://www.eweek.com/article2/0,1759,1583347,00.asp
>
> > Law enforcement officials said four DS-3 cards were reported missing from a Manhattan co-location facility owned by Verizon Communications Inc. The theft at 240 E. 38th St. occurred just after 10:30 p.m. on Sunday and is being investigated by New York City Police and members of the joint terrorism task force, according to NYPD spokesman Lt. Brian Burke.
>
> 4 DS3 cards and the joint terrorism task force is called in?

Especially silly considering it's not a totally uncommon thing for bad things to happen to co-located CLEC gear/cabling in ex-Nynex territory.

Charles

> Andy
>
> ---
> Andy Dills
> Xecunet, Inc.
> www.xecu.net
> 301-682-9972
> ---