Re: Worms versus Bots

2004-05-05 Thread Matthew Crocker

 It's not manufacturers who did not catch up (in fact they did and offer very inexpensive personal DSL routers going all the way down to the $20 range), it's DSL providers who still offer a free DSL modem (a device at least twice as expensive as a router) and a free network card and complex instructions on how to set this all up on each different type of PC. No clue at all that it would be only very marginally more expensive for them to integrate the features of such a small NAT router into the DSL modem and, instead of offering PPPoverEthernet, it could just offer NAT and DHCP and make it so much simpler for many of those lusers with only light computer skills to set this all up.

Agreed,
 We require a NAT device or true firewall on all DSL customer 
connections.  We sell cheap Linksys boxes to customers or they can 
upgrade to a SonicWall.  We don't use an Integrated modem/router 
because most of them are junk.

You won't find a single Windows/Linux/Mac machine directly connected to 
our DSL network.   I still like PPPoE for customer authentication 
because I can place individual packet filters or re-assign users to 
different contexts based on username/password authentication.  
PPPoE/NAT is a good combination.  Couple that with 3 levels of virus 
scanning on our mail server has reduced the effects of virus and worm 
spread inside the networks we control.  We still get viruses & worms to 
hit but it is at a more manageable rate.  We are not a large provider 
by any means but I try my hardest to provide a solid network and 
protect the Internet from my users as much as possible.  If only the 
users would not shop solely on price I would be all set :/

-Matt

--
William Leibzon
Elan Networks
[EMAIL PROTECTED]



RE: Network Card Theft Causes Internet Outage

2004-05-05 Thread Bil Herd

 
One time Agis (remember Agis) hired me to go down to the local
Pennsauken NAP to find out what was wrong with their remote access to
what was then a core router.  Someone had swiped the $.10 silver satin
cord for the modem.  Had to be the cheapest theft with the highest
consequences I have seen.
Bil

P.S. Damn, the networking business has screwed up my English, I keep wanting
to type swip instead of swipe and swipped instead of swiped.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, May 04, 2004 10:04 AM
To: [EMAIL PROTECTED]
Subject: Re: Network Card Theft Causes Internet Outage


On Tue, 4 May 2004, Andy Dills wrote:

 http://www.eweek.com/article2/0,1759,1583347,00.asp

 Law enforcement officials said four DS-3 cards were reported missing 
 from a Manhattan co-location facility owned by Verizon Communications 
 Inc. The theft at 240 E. 38th St. occurred just after 10:30 p.m. on 
 Sunday and is

Is this part really surprising to anyone who's got gear in unsupervised
LEC colos where everyone is in open relay racks in a large open space?

 being investigated by New York City Police and members of the joint 
 terrorism task force, according to NYPD spokesman Lt. Brian Burke. 

This seems a bit over the top.  A couple years ago when we had a part
stolen out of one of our routers in a WCOM colo facility, we couldn't
get the local PD to do jack.  A report was filed...but I think they
filed it in the circular file, because nobody ever investigated, despite
the fact that WCOM had just installed a card reader system to replace
the simplex door locks, so in theory, they knew who was in the room when
our stuff was stolen, but they refused to release the info to us.

I guess we should have suggested it was an act of terrorism.

 Trying to fix our terrorism problem like this is like trying to fix 
 the spam problem using IP-based blacklists.

No...I'd say it's more like fighting the spam problem with nuclear
weapons...now there's an idea.

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_


RE: Worms versus Bots

2004-05-05 Thread Michel Py

 Matthew Crocker wrote:
 We require a NAT device or true firewall on all DSL
 customer connections. We sell cheap Linksys boxes
 to customers or they can upgrade to a SonicWall.

This makes a lot of sense to me. It's not a
silver bullet, but it does help.

 I still like PPPoE for customer authentication
 because I can place individual packet filters or
 re-assign users to different contexts based on
 username/password authentication. PPPoE/NAT is a
 good combination.

Tends to be a non-issue now, but it's a lot easier to deal with PPPoE on
the Linksys than have the customer install a more or less crummy PPPoE
client on their PC. The cost of dealing with one customer that trashed
their PC installing an early PPPoE client (with the help of helpdesk :-(
is worth ten Linksys.

Michel.



RE: BGP Exploit

2004-05-05 Thread Stephen J. Wilcox

Of more interest... does the router die (CPU load) before you brute force the 
sessions down?

Steve

On Tue, 4 May 2004, Smith, Donald wrote:

 
 I have seen 3 publicly available tools that ALL work.
 I have seen 2 private tools that work.
 A traffic generator can be configured to successfully tear down bgp
 sessions.
 
 Given src/dst ip and ports :
 I tested a cross-platform EBGP peering with md5 using several of
 the tools; I could not tear down the sessions.
 I tested both Cisco and Juniper BGP peering after code upgrades without
 md5; I could not tear down the sessions.
 
 
 [EMAIL PROTECTED] GCIA
 http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xAF00EDCC
 pgpFingerPrint:9CE4 227B B9B3 601F B500  D076 43F1 0767 AF00 EDCC
 kill -13 111.2 
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
  Behalf Of Steven M. Bellovin
  Sent: Tuesday, May 04, 2004 11:54 AM
  To: Kurt Erik Lindqvist
  Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
  Subject: Re: BGP Exploit 
  
  
  
  
  In message [EMAIL PROTECTED], Kurt Erik Lindqvist writes:
  
   Now that the firestorm over implementing Md5 has quieted down a bit,
   is anybody aware of whether the exploit has been used? Feel free to
   reply off list.
  
  Even more interesting, did anyone manage to reproduce it?
  
  
  I don't know if it's being used; I know that reimplementations of the 
  idea are out there.
  
  
  --Steve Bellovin, http://www.research.att.com/~smb
  
  
  
 



Re: Yahoo Mail problems ? (queue issues in general)

2004-05-05 Thread Valdis . Kletnieks
On Wed, 05 May 2004 10:59:55 EDT, Mike Tancsa [EMAIL PROTECTED]  said:

 Anyone else seeing Yahoo mail queue up today ?Some of their servers 
 respond in about 10secs with the HELO banner, most others take more than 
 2m.   Because of the recent increase in SPAM, I was looking to reduce the 
 wait time for the initial HELO to 2m from 5m. However, the RFC calls for 5m 
 on the HELO and another 5m for the MAIL command.

Do you have a handle on whether the delay is between the first SYN packet and
finally completing the 3-packet handshake, or is it between that and when the
220 banner actually arrives?  Or are both phases an issue?
 
 Having a process block like that for up to 10m seems a bit excessive to 
 deliver one email (and it's probably a bounce to boot!).  What are others 
 doing?  This problem seems to be becoming more and more acute.

What I do is the *first* attempt to deliver the mail has a highly-non-compliant
5 second timeout (which is just enough for an initial SYN, 2 retransmits, and a
few hundred ms budget for RTT for a SYN+ACK) for the 3-packet handshake, and
then subsequent retries in the background are given a longer 5-min timeout. (I
gathered some stats for quite some time before deploying that - out of several
million connection attempts, I found less than a dozen that took over 5 seconds
that did in fact complete in under 5 minutes). Once the 3-packet handshake
succeeds, they then get a 5 minute timeout to get the 220 banner out.  Probably
not perfect, but it's close enough to keep the queues manageable...

Also, YMMV, so gather your own stats


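An added example (mine, not Valdis's code and not anything from sendmail) of the two-phase timeout he describes: one clock for the 3-packet handshake, picked by attempt number, and a separate clock for the 220 banner once the connection is up. The slow server is a constructed stand-in that just sleeps before greeting; the 5 s / 300 s figures are the ones in the post, the host names, ports and delays are assumptions.

```python
import socket
import threading
import time

# Timeouts from the scheme above: an aggressive first pass, RFC-sized retries.
FIRST_ATTEMPT_CONNECT_TIMEOUT = 5.0    # seconds; deliberately non-compliant
RETRY_CONNECT_TIMEOUT = 300.0          # background retries get the full 5 minutes
BANNER_TIMEOUT = 300.0                 # time allowed for the 220 greeting once connected


def connect_timeout_for(attempt):
    """Attempt 1 gets the short handshake budget; every later retry the patient one."""
    return FIRST_ATTEMPT_CONNECT_TIMEOUT if attempt == 1 else RETRY_CONNECT_TIMEOUT


def probe_smtp_banner(host, port, connect_timeout, banner_timeout):
    """Connect, then wait for the SMTP greeting, with independent clocks per phase.

    Returns (status, banner) where status is one of:
      "connect_timeout"  the 3-way handshake did not finish inside connect_timeout
      "refused"          connect failed outright (RST, unreachable, ...)
      "banner_timeout"   handshake done but no greeting line inside banner_timeout
      "closed"           server hung up before sending a greeting
      "deferred"         greeting was not 220 (e.g. a 421 resources-unavailable)
      "ok"               a 220 greeting arrived
    """
    try:
        sock = socket.create_connection((host, port), timeout=connect_timeout)
    except socket.timeout:
        return "connect_timeout", None
    except OSError:
        return "refused", None
    with sock:
        sock.settimeout(banner_timeout)
        buf = b""
        try:
            # Read up to the first CRLF; a multi-line 220- greeting still starts
            # with a 220 line, which is all this probe needs to decide.
            while not buf.endswith(b"\r\n"):
                chunk = sock.recv(512)
                if not chunk:
                    return "closed", None
                buf += chunk
        except socket.timeout:
            return "banner_timeout", None
    banner = buf.decode("ascii", "replace").rstrip("\r\n")
    return ("ok" if banner.startswith("220") else "deferred"), banner


def deliver_attempt(host, port, attempt, banner_timeout=BANNER_TIMEOUT):
    """One queue-runner attempt under the two-phase policy."""
    return probe_smtp_banner(host, port, connect_timeout_for(attempt), banner_timeout)


class SlowSmtpServer(threading.Thread):
    """Constructed stand-in for a slow MX: accepts, sleeps, then sends a greeting."""

    def __init__(self, banner_delay, greeting=b"220 mta.example.test ESMTP\r\n"):
        super().__init__(daemon=True)
        self.banner_delay = banner_delay
        self.greeting = greeting
        self.listener = socket.socket()          # AF_INET / SOCK_STREAM
        self.listener.bind(("127.0.0.1", 0))     # kernel picks a free port
        self.listener.listen(5)
        self.port = self.listener.getsockname()[1]

    def run(self):
        while True:
            try:
                conn, _ = self.listener.accept()
            except OSError:
                return
            threading.Thread(target=self._greet, args=(conn,), daemon=True).start()

    def _greet(self, conn):
        with conn:
            time.sleep(self.banner_delay)
            try:
                conn.sendall(self.greeting)
            except OSError:
                pass  # client already gave up; nothing to do


def unused_port():
    """A localhost port nobody listens on, so connects are refused, not timed out."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    srv = SlowSmtpServer(banner_delay=0.5)
    srv.start()
    print(deliver_attempt("127.0.0.1", srv.port, attempt=1, banner_timeout=2.0))
    print(deliver_attempt("127.0.0.1", srv.port, attempt=1, banner_timeout=0.1))
    print(deliver_attempt("127.0.0.1", unused_port(), attempt=1))
```

The point of keeping the two clocks separate is that a host that answers its SYN quickly but sits on the banner (the 421 case Mike mentions is a different, fast failure) does not eat the short first-pass budget meant for hosts that are simply unreachable.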


Re: Yahoo Mail problems ? (queue issues in general)

2004-05-05 Thread Mike Tancsa
At 01:26 PM 05/05/2004, [EMAIL PROTECTED] wrote:
On Wed, 05 May 2004 10:59:55 EDT, Mike Tancsa [EMAIL PROTECTED]  said:
 Anyone else seeing Yahoo mail queue up today ?  Some of their servers
 respond in about 10secs with the HELO banner, most others take more than
 2m.   Because of the recent increase in SPAM, I was looking to reduce the
 wait time for the initial HELO to 2m from 5m. However, the RFC calls for 5m
 on the HELO and another 5m for the MAIL command.

Do you have a handle on whether the delay is between the first SYN packet and
finally completing the 3-packet handshake, or is it between that and when the
220 banner actually arrives?  Or are both phases an issue?

Both, depending on which A record I get.
Also mixed in are things like
421 mta174.mail.scd.yahoo.com Resources temporarily unavailable. Please try 
again later.

Here is an example of one which took quite a long time to respond to the S 
and then the HELO banner never came up

14:03:10.653498 0:1:29:2c:b6:30 0:90:27:5d:4e:ee 0800 74: 205.211.164.51.2013 > 64.156.215.5.25: S [tcp sum ok] 944590797:944590797(0) win 57344 <mss 1460,nop,wscale 0,nop,nop,timestamp 198626121 0> (DF) [tos 0x10] (ttl 64, id 21505, len 60)
14:03:13.649303 0:1:29:2c:b6:30 0:90:27:5d:4e:ee 0800 74: 205.211.164.51.2013 > 64.156.215.5.25: S [tcp sum ok] 944590797:944590797(0) win 57344 <mss 1460,nop,wscale 0,nop,nop,timestamp 198626421 0> (DF) [tos 0x10] (ttl 64, id 21521, len 60)
14:03:16.849310 0:1:29:2c:b6:30 0:90:27:5d:4e:ee 0800 74: 205.211.164.51.2013 > 64.156.215.5.25: S [tcp sum ok] 944590797:944590797(0) win 57344 <mss 1460,nop,wscale 0,nop,nop,timestamp 198626741 0> (DF) [tos 0x10] (ttl 64, id 21531, len 60)
14:03:20.049332 0:1:29:2c:b6:30 0:90:27:5d:4e:ee 0800 60: 205.211.164.51.2013 > 64.156.215.5.25: S [tcp sum ok] 944590797:944590797(0) win 57344 <mss 1460> (DF) [tos 0x10] (ttl 64, id 21536, len 44)
14:03:23.249367 0:1:29:2c:b6:30 0:90:27:5d:4e:ee 0800 60: 205.211.164.51.2013 > 64.156.215.5.25: S [tcp sum ok] 944590797:944590797(0) win 57344 <mss 1460> (DF) [tos 0x10] (ttl 64, id 21543, len 44)
14:03:26.449416 0:1:29:2c:b6:30 0:90:27:5d:4e:ee 0800 60: 205.211.164.51.2013 > 64.156.215.5.25: S [tcp sum ok] 944590797:944590797(0) win 57344 <mss 1460> (DF) [tos 0x10] (ttl 64, id 21547, len 44)
14:03:32.649436 0:1:29:2c:b6:30 0:90:27:5d:4e:ee 0800 60: 205.211.164.51.2013 > 64.156.215.5.25: S [tcp sum ok] 944590797:944590797(0) win 57344 <mss 1460> (DF) [tos 0x10] (ttl 64, id 21576, len 44)
14:03:32.728687 0:90:27:5d:4e:ee 0:1:29:2c:b6:30 0800 60: 64.156.215.5.25 > 205.211.164.51.2013: S [tcp sum ok] 4275443659:4275443659(0) ack 944590798 win 65535 <mss 1460> (ttl 55, id 11594, len 44)
14:03:32.728717 0:1:29:2c:b6:30 0:90:27:5d:4e:ee 0800 60: 205.211.164.51.2013 > 64.156.215.5.25: . [tcp sum ok] 1:1(0) ack 1 win 58400 (DF) [tos 0x10] (ttl 64, id 21579, len 40)

So in the above case, the process just blocks (with sendmail, it does eat a 
lot of RAM) waiting to hit the HELO timeout.


 Having a process block like that for up to 10m seems a bit excessive to
 deliver one email (and it's probably a bounce to boot!).  What are others
 doing?  This problem seems to be becoming more and more acute.

 What I do is the *first* attempt to deliver the mail has a highly-non-compliant

Yes, this is sort of what I have as well.  9 seconds on the initial connect 
in my case. That gets the lion's share through.  The subsequent deliveries 
are much more patient.  In this day and age, you would think

define(`confTO_HELO', `1m')
define(`confTO_MAIL', `2m')
would be safe
---Mike 
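As an added example (mine, not Mike's or Valdis's), the trace above fed to a small parser that answers the question Valdis asked: how much of the delay is the handshake. The packets are the ones Mike posted, with the ">" markers the archive stripped restored and the Ethernet fields dropped; the 5 s and 9 s budgets are the ones the two of them mention, the 300 s one is an assumption. The parser also accepts `tcpdump -e` lines, so it generalizes to any trace of a single outbound connection attempt.

```python
import re

# One packet per line, as tcpdump prints it; the optional link-layer fields from
# -e (MAC addresses, ethertype, frame length) are skipped by the lazy ".*?".
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6}) .*?"
    r"(?P<src>\d+(?:\.\d+){4}) > (?P<dst>\d+(?:\.\d+){4}): "
    r"(?P<flags>[SFRP.]+) (?:\[tcp sum ok\] )?"
    r"(?P<seq>\d+):\d+\(\d+\)(?P<rest>.*)$"
)

# The attempt from the message above, reconstructed from the posted trace
# (constructed sample, not a fresh capture).
SAMPLE_TRACE = """\
14:03:10.653498 205.211.164.51.2013 > 64.156.215.5.25: S [tcp sum ok] 944590797:944590797(0) win 57344 <mss 1460,nop,wscale 0,nop,nop,timestamp 198626121 0> (DF) [tos 0x10] (ttl 64, id 21505, len 60)
14:03:13.649303 205.211.164.51.2013 > 64.156.215.5.25: S [tcp sum ok] 944590797:944590797(0) win 57344 <mss 1460,nop,wscale 0,nop,nop,timestamp 198626421 0> (DF) [tos 0x10] (ttl 64, id 21521, len 60)
14:03:16.849310 205.211.164.51.2013 > 64.156.215.5.25: S [tcp sum ok] 944590797:944590797(0) win 57344 <mss 1460,nop,wscale 0,nop,nop,timestamp 198626741 0> (DF) [tos 0x10] (ttl 64, id 21531, len 60)
14:03:20.049332 205.211.164.51.2013 > 64.156.215.5.25: S [tcp sum ok] 944590797:944590797(0) win 57344 <mss 1460> (DF) [tos 0x10] (ttl 64, id 21536, len 44)
14:03:23.249367 205.211.164.51.2013 > 64.156.215.5.25: S [tcp sum ok] 944590797:944590797(0) win 57344 <mss 1460> (DF) [tos 0x10] (ttl 64, id 21543, len 44)
14:03:26.449416 205.211.164.51.2013 > 64.156.215.5.25: S [tcp sum ok] 944590797:944590797(0) win 57344 <mss 1460> (DF) [tos 0x10] (ttl 64, id 21547, len 44)
14:03:32.649436 205.211.164.51.2013 > 64.156.215.5.25: S [tcp sum ok] 944590797:944590797(0) win 57344 <mss 1460> (DF) [tos 0x10] (ttl 64, id 21576, len 44)
14:03:32.728687 64.156.215.5.25 > 205.211.164.51.2013: S [tcp sum ok] 4275443659:4275443659(0) ack 944590798 win 65535 <mss 1460> (ttl 55, id 11594, len 44)
14:03:32.728717 205.211.164.51.2013 > 64.156.215.5.25: . [tcp sum ok] 1:1(0) ack 1 win 58400 (DF) [tos 0x10] (ttl 64, id 21579, len 40)
"""


def ts_seconds(ts):
    """HH:MM:SS.ffffff -> seconds since midnight (traces here never cross midnight)."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_trace(text):
    pkts = []
    for line in text.splitlines():
        m = TCPDUMP_RE.match(line.strip())
        if m:
            p = m.groupdict()
            p["t"] = ts_seconds(p["ts"])
            p["is_ack"] = " ack " in p["rest"]
            pkts.append(p)
    return pkts


def analyze_handshake(text):
    """Measure the connect phase (first SYN -> SYN/ACK) of one attempt.

    Returns client, server, the number of SYN retransmissions, the gaps between
    them, and handshake_seconds (None if no SYN/ACK was ever seen).
    """
    pkts = parse_trace(text)
    syns = [p for p in pkts if "S" in p["flags"] and not p["is_ack"]]
    if not syns:
        raise ValueError("no SYN in trace")
    client, server, isn = syns[0]["src"], syns[0]["dst"], syns[0]["seq"]
    our_syns = [p for p in syns if p["src"] == client and p["seq"] == isn]
    synacks = [p for p in pkts
               if p["src"] == server and p["dst"] == client
               and "S" in p["flags"] and p["is_ack"]]
    result = {
        "client": client,
        "server": server,
        "syn_retransmits": len(our_syns) - 1,
        "syn_gaps": [round(b["t"] - a["t"], 3) for a, b in zip(our_syns, our_syns[1:])],
        "handshake_seconds": None,
    }
    if synacks:
        result["handshake_seconds"] = synacks[0]["t"] - our_syns[0]["t"]
    return result


def first_attempt_outcome(handshake_seconds, connect_budget):
    """The first-pass rule: hosts that complete the handshake inside the short
    budget are delivered now; everything else is left to the patient retry."""
    if handshake_seconds is None or handshake_seconds > connect_budget:
        return "defer"
    return "deliver"


if __name__ == "__main__":
    r = analyze_handshake(SAMPLE_TRACE)
    print(r)
    for budget in (5.0, 9.0, 300.0):
        print(budget, first_attempt_outcome(r["handshake_seconds"], budget))
```

On this trace the handshake alone takes about 22 s across six SYN retransmissions, so both the 5 s and the 9 s first-pass budgets would have handed the message to the background queue, and the HELO timeout that the process actually blocked on never enters into it.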



Re: Worms versus Bots

2004-05-05 Thread Jeff Workman

--On Wednesday, May 05, 2004 6:04 AM -0400 Matthew Crocker 
[EMAIL PROTECTED] wrote:

We have all been through this before.  Linux out of the box is generally
no more secure than Windows.  Linux can also be misconfigured and hacked.
The reason why you don't see as many linux virus/worms is because there
aren't as many linux desktops.  Once Linux becomes a real player in the
residential desktop OS market you'll see more and more worms/viruses
running around because of it.  Now, I love Linux,  I have 30 linux
servers in production but it isn't the be all, end all to mass user
security.

In the past this may have been true, but it's been my experience that most 
modern Linux distributions have adopted (more or less) the approach that 
OpenBSD has: Leave services turned off by default. In fact, a typical 
RedHat workstation installation goes a step further by not even installing 
a lot of services by default.  Sure, Joe Sixpack can still install 
everything and uncomment everything from /etc/inetd.conf[1] and get himself 
pwned, but I don't think we have to worry much about your average computer 
user doing this.

-J
[1] Actually since RedHat uses xinetd, it involves a little more work to 
turn _everything_ on.

--
Jeff Workman | [EMAIL PROTECTED] | http://www.pimpworks.org


Re: What percentage of the Internet Traffic is junk?

2004-05-05 Thread Laurence F. Sheldon, Jr.
William B. Norton wrote:
With all the spam, infected e-mails, DOS attacks, ultimately blackholed 
traffic, etc. I wonder if there has been a study that quantifies

What percentage of the Internet traffic is junk?

I don't know the answer in any case, but I would need a definition
for Internet traffic before I could even start.
Do we include the image and tabular data to and from the EROS
Data Center?  How about the radiographic images and resulting
readings (or whatever the correct term is) to and from the
hospital in Atkinson?  Credit card transactions at FDR?
I have a morbid fascination with weather so I am forever looking
at maps, satellite images, and all sorts of stuff that some people
tell me is a waste of my time, so I presume that is junk
What are we talking about?
--
Requiescas in pace o email
Ex turpi causa non oritur actio
http://members.cox.net/larrysheldon/



RE: BGP Exploit

2004-05-05 Thread Smith, Donald

No. The router stays up. The tool I use is very fast. It floods the GigE
to the point that the interface is basically unusable, but the router
itself stays up; only the session is torn down. I performed these
tests in a lab and did not have full BGP routing tables etc., so your
mileage may vary.



[EMAIL PROTECTED] GCIA
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xAF00EDCC
pgpFingerPrint:9CE4 227B B9B3 601F B500  D076 43F1 0767 AF00 EDCC
kill -13 111.2 

 -Original Message-
 From: Stephen J. Wilcox [mailto:[EMAIL PROTECTED] 
 Sent: Wednesday, May 05, 2004 10:16 AM
 To: Smith, Donald
 Cc: Steven M. Bellovin; Kurt Erik Lindqvist; 
 [EMAIL PROTECTED]; [EMAIL PROTECTED]
 Subject: RE: BGP Exploit 
 
 
 Of more interest... does the router die (CPU load) before you brute force the 
 sessions down?
 
 Steve
 
 On Tue, 4 May 2004, Smith, Donald wrote:
 
  
  I have seen 3 publicly available tools that ALL work.
  I have seen 2 private tools that work.
  A traffic generator can be configured to successfully tear down bgp 
  sessions.
  
  Given src/dst ip and ports :
  I tested a cross-platform EBGP peering with md5 using several of 
  the tools; I could not tear down the sessions. I tested both 
  Cisco and Juniper BGP peering after code upgrades without md5; I 
  could not tear down the sessions.
  
  
  [EMAIL PROTECTED] GCIA 
  http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xAF00EDCC
  pgpFingerPrint:9CE4 227B B9B3 601F B500  D076 43F1 0767 AF00 EDCC
  kill -13 111.2
  
   -Original Message-
   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
   Behalf Of Steven M. Bellovin
   Sent: Tuesday, May 04, 2004 11:54 AM
   To: Kurt Erik Lindqvist
   Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
   Subject: Re: BGP Exploit 
   
   
   
   
   In message [EMAIL PROTECTED], Kurt Erik Lindqvist writes:
   
    Now that the firestorm over implementing Md5 has quieted down a bit,
    is anybody aware of whether the exploit has been used? Feel free to
    reply off list.
   
   Even more interesting, did anyone manage to reproduce it?
   
   
   I don't know if it's being used; I know that reimplementations of 
   the
   idea are out there.
   
   
 --Steve Bellovin, http://www.research.att.com/~smb
   
   
   
  
 
 


Re: [NANOG-LIST] What percentage of the Internet Traffic is junk?

2004-05-05 Thread Brent Van Dussen
One man's junk is another man's treasure :)
-Brent
At 11:21 AM 5/5/2004, William B. Norton wrote:
With all the spam, infected e-mails, DOS attacks, ultimately blackholed 
traffic, etc. I wonder if there has been a study that quantifies

What percentage of the Internet traffic is junk?
Bill



Re: What percentage of the Internet Traffic is junk?

2004-05-05 Thread Wayne E. Bouchard

It might be interesting to get a sense of percentages of traffic that
are undesirable (spam, DDOS, etc), administrative (logging, snmp,
rmon, etc), and user traffic.

On Wed, May 05, 2004 at 01:35:09PM -0500, Laurence F. Sheldon, Jr. wrote:
 
 William B. Norton wrote:
 
 With all the spam, infected e-mails, DOS attacks, ultimately blackholed 
 traffic, etc. I wonder if there has been a study that quantifies
 
 What percentage of the Internet traffic is junk?
 
 I don't know the answer in any case, but I would need a definition
 for Internet traffic before I could even start.
 
 Do we include the image and tabular data to and from the EROS
 Data Center?  How about the radiographic images and resulting
 readings (or whatever the correct term is) to and from the
 hospital in Atkinson?  Credit card transactions at FDR?
 
 I have a morbid fascination with weather so I am forever looking
 at maps, satellite images, and all sorts of stuff that some people
 tell me is a waste of my time, so I presume that is junk
 
 What are we talking about?
 
 -- 
 Requiescas in pace o email
 
 Ex turpi causa non oritur actio
 
 http://members.cox.net/larrysheldon/
 

---
Wayne Bouchard
[EMAIL PROTECTED]
Network Dude
http://www.typo.org/~web/


RE: What percentage of the Internet Traffic is junk?

2004-05-05 Thread Mike Damm


Very very very near to, but not quite 100%. Since almost all of the traffic
on the Internet isn't sourced by or destined for me, I consider it junk.

Also remember that to a packet kid, that insane flood of packets destined
for his target is the most important traffic in the world. And to a spammer,
the very mailings that are making him millions are more important than
pictures of someone's grandkids.

I guess my point is junk is a very relative term. A study would need to
first be done to identify what junk actually is, then measuring it is
trivial.

  -Mike

-Original Message-
From: William B. Norton [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, May 05, 2004 11:21 AM
To: [EMAIL PROTECTED]
Subject: What percentage of the Internet Traffic is junk?


With all the spam, infected e-mails, DOS attacks, ultimately blackholed 
traffic, etc. I wonder if there has been a study that quantifies

What percentage of the Internet traffic is junk?

Bill


Re: What percentage of the Internet Traffic is junk?

2004-05-05 Thread Jeff Shultz

So instead of trying to determine what percentage of internet traffic
is junk, why don't we set up categories (I saw someone make a start at
it a couple of messages back) and figure out what percentage of traffic
fits under each category. We can come up with our own opinions as to
which of those categories is junk. 

So I guess we would start with stuff that stands as a major category:
e-mail, nntp, ftp, telnet, ssh, web... and then you start doing a lot
of subcategorizations. I imagine it would start looking like a
hierarchical org chart. 

** Reply to message from Mike Damm [EMAIL PROTECTED] on Wed, 5
May 2004 11:51:19 -0700

 Very very very near to, but not quite 100%. Since almost all of the traffic
 on the Internet isn't sourced by or destined for me, I consider it junk.
 
 Also remember that to a packet kid, that insane flood of packets destined
 for his target is the most important traffic in the world. And to a spammer,
 the very mailings that are making him millions are more important than
 pictures of someone's grandkids.
 
 I guess my point is junk is a very relative term. A study would need to
 first be done to identify what junk actually is, then measuring it is
 trivial.
 
   -Mike
 
 -Original Message-
 From: William B. Norton [mailto:[EMAIL PROTECTED] 
 Sent: Wednesday, May 05, 2004 11:21 AM
 To: [EMAIL PROTECTED]
 Subject: What percentage of the Internet Traffic is junk?
 
 
 With all the spam, infected e-mails, DOS attacks, ultimately blackholed 
 traffic, etc. I wonder if there has been a study that quantifies
 
 What percentage of the Internet traffic is junk?
 
 Bill

-- 
Jeff Shultz
A railfan pulls up to a grade crossing hoping that
there will be a train. 



Re: BGP Exploit

2004-05-05 Thread Patrick W . Gilmore
On May 5, 2004, at 2:39 PM, Smith, Donald wrote:
No. The router stays up. The tool I use is very fast. It floods the 
GigE
to the point that the interface is basically unusable, but the router
itself stays up; only the session is torn down. I performed these
tests in a lab and did not have full BGP routing tables etc., so your
mileage may vary.

That is DAMNED impressive.  I've never seen a router which can take a 
Gigabit of traffic to its CPU and stay up.  What kind of router was 
this?  You mentioned Juniper and Cisco before, but I know a cisco will 
fall over long before a gigabit and a Juniper either does or drops 
packets destined for the CPU (but keeps routing).

Perhaps it was rate limiting the # of packets which reached the CPU, 
and the session stayed up because the magic packet was dropped in the 
rate limiting?

--
TTFN,
patrick


RE: What percentage of the Internet Traffic is junk?

2004-05-05 Thread Steve Gibbard

If a few of you can stop being so pedantic for a second, the definition
looks pretty easy to me: traffic unlikely to be wanted by the recipient.
Presumably, if it's being sent that means somebody wanted to send it, so
the senders' desires are a pretty meaningless metric.

The harder pieces are going to be defining what traffic is unwanted in a
way that scales to large-scale measurement.  Worm traffic is presumably
measurable with Netflow, as are various protocol-types used mainly in DOS
attacks.  Spam is harder to pinpoint by watching raw traffic, but perhaps
comparing the total volume of TCP/25 traffic to the SpamAssassin hit
rates at some representative sample of mail servers could provide some
reasonable numbers there.

So, any of you security types have a list of the protocols that are more
likely to be attack traffic than legitimate?

-Steve

On Wed, 5 May 2004, Mike Damm wrote:



 Very very very near to, but not quite 100%. Since almost all of the traffic
 on the Internet isn't sourced by or destined for me, I consider it junk.

 Also remember that to a packet kid, that insane flood of packets destined
 for his target is the most important traffic in the world. And to a spammer,
 the very mailings that are making him millions are more important than
 pictures of someone's grandkids.

 I guess my point is junk is a very relative term. A study would need to
 first be done to identify what junk actually is, then measuring it is
 trivial.

   -Mike

 -Original Message-
 From: William B. Norton [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, May 05, 2004 11:21 AM
 To: [EMAIL PROTECTED]
 Subject: What percentage of the Internet Traffic is junk?


 With all the spam, infected e-mails, DOS attacks, ultimately blackholed
 traffic, etc. I wonder if there has been a study that quantifies

 What percentage of the Internet traffic is junk?

 Bill
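An added example (mine, not Steve's or Bill's, and not any real Netflow export) of the measurement Steve sketches: aggregate flow records, tag the scan-like and flood-like ones, split TCP/25 by a spam hit rate measured elsewhere, and report junk by packets and by bytes separately, since the two disagree. The records, the thresholds and the 60% spam ratio are constructed assumptions; the field layout mimics a NetFlow v5 record (the tcp_flags byte in particular).

```python
from collections import defaultdict
from dataclasses import dataclass

SYN = 0x02          # TCP flags byte as exported in a NetFlow v5 record
JUNK = {"worm_scan", "syn_flood", "spam"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int      # 6 = TCP, 17 = UDP, 1 = ICMP
    sport: int
    dport: int
    packets: int
    bytes: int
    tcp_flags: int = 0


def classify(flows, spam_ratio, scan_min_targets=10, flood_min_sources=10):
    """Bucket flows into worm_scan / syn_flood / spam / mail / user.

    Heuristics (assumptions, not from the thread): a worm scan is one source
    sending SYN-only flows to many destinations on one port; a SYN flood is
    many sources sending SYN-only flows to one destination:port; TCP/25 is
    split between spam and legitimate mail by a hit rate measured on a sample
    of mail servers, which is the comparison Steve proposes.
    Returns {category: (packets, bytes)}.
    """
    targets_per_scanner = defaultdict(set)   # (src, dport) -> {dst}
    sources_per_victim = defaultdict(set)    # (dst, dport) -> {src}
    for f in flows:
        if f.proto == 6 and f.tcp_flags == SYN:
            targets_per_scanner[(f.src, f.dport)].add(f.dst)
            sources_per_victim[(f.dst, f.dport)].add(f.src)

    totals = defaultdict(lambda: [0, 0])      # category -> [packets, bytes]
    for f in flows:
        syn_only = f.proto == 6 and f.tcp_flags == SYN
        if syn_only and len(targets_per_scanner[(f.src, f.dport)]) >= scan_min_targets:
            shares = {"worm_scan": 1.0}
        elif syn_only and len(sources_per_victim[(f.dst, f.dport)]) >= flood_min_sources:
            shares = {"syn_flood": 1.0}
        elif f.proto == 6 and f.dport == 25:
            shares = {"spam": spam_ratio, "mail": 1.0 - spam_ratio}
        else:
            shares = {"user": 1.0}
        for cat, share in shares.items():
            totals[cat][0] += f.packets * share
            totals[cat][1] += f.bytes * share
    return {cat: (p, b) for cat, (p, b) in totals.items()}


def junk_share(totals):
    """(percent of packets, percent of bytes) that fall in the junk buckets."""
    all_p = sum(p for p, _ in totals.values())
    all_b = sum(b for _, b in totals.values())
    junk_p = sum(totals.get(c, (0, 0))[0] for c in JUNK)
    junk_b = sum(totals.get(c, (0, 0))[1] for c in JUNK)
    return 100.0 * junk_p / all_p, 100.0 * junk_b / all_b


def build_sample_flows():
    """Constructed records: one scanner, one flood, some web, some mail."""
    flows = []
    # one host sweeping 20 neighbours on TCP/445 with a single SYN each
    for i in range(1, 21):
        flows.append(Flow("10.0.0.5", f"10.0.1.{i}", 6, 3000 + i, 445, 1, 48, SYN))
    # 30 sources hammering one web server with nothing but SYNs
    for i in range(1, 31):
        flows.append(Flow(f"198.51.100.{i}", "192.0.2.10", 6, 40000 + i, 80, 100, 4000, SYN))
    # ordinary web sessions: SYN|ACK|PSH|FIN seen, full-size packets
    for i in range(1, 6):
        flows.append(Flow(f"203.0.113.{i}", "192.0.2.20", 6, 50000 + i, 80, 400, 400000, 0x1B))
    # inbound mail; the spam ratio decides how much of it counts as junk
    for i in range(1, 5):
        flows.append(Flow(f"203.0.113.{20 + i}", "192.0.2.25", 6, 51000 + i, 25, 50, 40000, 0x1B))
    return flows


SAMPLE_FLOWS = build_sample_flows()

if __name__ == "__main__":
    totals = classify(SAMPLE_FLOWS, spam_ratio=0.6)
    for cat, (p, b) in sorted(totals.items()):
        print(f"{cat:<10} {p:>10,.0f} pkts {b:>12,.0f} bytes")
    print("junk: %.1f%% of packets, %.1f%% of bytes" % junk_share(totals))
```

On the constructed sample the junk buckets hold about 60% of the packets but under 10% of the bytes, because scans and SYN floods are all tiny packets while the legitimate web sessions carry the payload; that is why any such figure has to say which of the two it is counting.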



Re: What percentage of the Internet Traffic is junk?

2004-05-05 Thread Laurence F. Sheldon, Jr.
Jeff Shultz wrote:
So instead of trying to determine what percentage of internet traffic
is junk, why don't we set up categories (I saw someone make a start at
it a couple of messages back) and figure out what percentage of traffic
fits under each category. We can come up with our own opinions as to
which of those categories is junk. 

So I guess we would start with stuff that stands as a major category:
e-mail, nntp, ftp, telnet, ssh, web... and then you start doing a lot
of subcategorizations. I imagine it would start looking like a
hierarchical org chart. 

I imagine there are places that already produce statistics by protocol,
and I am reluctant to endorse a program that says one protocol is junk
and another is not.
I would prefer (but have no clue as to how to do) a categorization
that has handles like business transactions, student research,
warehouse transfers, recreational, and so on until whatever
is left is counted as junk or some euphemistically similar term.
--
Requiescas in pace o email
Ex turpi causa non oritur actio
http://members.cox.net/larrysheldon/



RE: What percentage of the Internet Traffic is junk?

2004-05-05 Thread William B. Norton
At 12:55 PM 5/5/2004, Steve Gibbard wrote:
If a few of you can stop being so pedantic for a second, the definition
looks pretty easy to me: traffic unlikely to be wanted by the recipient.
Presumably, if it's being sent that means somebody wanted to send it, so
the senders' desires are a pretty meaningless metric.

Thanks Steve - good point. I have to believe that some of those that have 
solutions to some of these problems have made *some* measures so they can 
quantify the value of their solution.


The harder pieces are going to be defining what traffic is unwanted in a
way that scales to large-scale measurement.  Worm traffic is presumably
measurable with Netflow, as are various protocol-types used mainly in DOS
attacks.  Spam is harder to pinpoint by watching raw traffic, but perhaps
comparing the total volume of TCP/25 traffic to the SpamAssassin hit
rates at some representative sample of mail servers could provide some
reasonable numbers there.

Yea, we can't get absolute #'s, but I think it would be helpful to have a 
defensible approximation.


So, any of you security types have a list of the protocols that are more
likely to be attack traffic than legitimate?

Or maybe those in the Research Community that have been doing traffic 
capture and analysis?


-Steve
On Wed, 5 May 2004, Mike Damm wrote:


 Very very very near to, but not quite 100%. Since almost all of the traffic
 on the Internet isn't sourced by or destined for me, I consider it junk.

 Also remember that to a packet kid, that insane flood of packets destined
 for his target is the most important traffic in the world. And to a 
spammer,
 the very mailings that are making him millions are more important than
 pictures of someone's grandkids.

 I guess my point is junk is a very relative term. A study would need to
 first be done to identify what junk actually is, then measuring it is
 trivial.

   -Mike

 -Original Message-
 From: William B. Norton [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, May 05, 2004 11:21 AM
 To: [EMAIL PROTECTED]
 Subject: What percentage of the Internet Traffic is junk?


 With all the spam, infected e-mails, DOS attacks, ultimately blackholed
 traffic, etc. I wonder if there has been a study that quantifies

 What percentage of the Internet traffic is junk?

 Bill




RE: What percentage of the Internet Traffic is junk?

2004-05-05 Thread David Barak


--- Steve Gibbard [EMAIL PROTECTED] wrote:
 
 If a few of you can stop being so pedantic for a
 second, the definition
 looks pretty easy to me: traffic unlikely to be
 wanted by the recipient.
 Presumably, if it's being sent that means somebody
 wanted to send it, so
 the senders' desires are a pretty meaningless
 metric.

I'm not sure that I'd agree with this statement.  What
about the traffic from compromised sources?  The pps
floods or spam emails are not being created with the
knowledge of the source, so it would be hard to say
that the source wanted to send it.

-David Barak
-Fully RFC 1925 Compliant-






Re: [NANOG-LIST] What percentage of the Internet Traffic is junk?

2004-05-05 Thread Daniel Golding

On 5/5/04 2:41 PM, Brent Van Dussen [EMAIL PROTECTED] wrote:

 
  One man's junk is another man's treasure :)
 
 -Brent
 
 
 At 11:21 AM 5/5/2004, William B. Norton wrote:
 
 With all the spam, infected e-mails, DOS attacks, ultimately blackholed
 traffic, etc. I wonder if there has been a study that quantifies
 
 What percentage of the Internet traffic is junk?
 
 Bill
 
 
 
Once we can determine what percentage of nanog-l traffic is junk, we can
start to tackle the bigger question :)

-- 
Daniel Golding
Network and Telecommunications Strategies
Burton Group




Re: What percentage of the Internet Traffic is junk?

2004-05-05 Thread Marshall Eubanks

Whenever I hear a question like this, I think of the weekly I2
netflow reports

http://netflow.internet2.edu/weekly/

http://netflow.internet2.edu/weekly/20040426/

Look at Tables 6, 7 and 8 - email, for example, is 1/2 %, so even if all email
is spam, it's not that big a flow. Unidentified is typically about 30%, but
most of that is probably file sharing.

My opinion, from looking at these tables, is that probably little is junk, at least
in the eyes of the receiver.

Regards
Marshall Eubanks


On Wed, 05 May 2004 13:17:45 -0700
 William B. Norton [EMAIL PROTECTED] wrote:
 
 At 12:55 PM 5/5/2004, Steve Gibbard wrote:
 
 If a few of you can stop being so pedantic for a second, the definition
 looks pretty easy to me: traffic unlikely to be wanted by the recipient.
 Presumably, if it's being sent that means somebody wanted to send it, so
 the senders' desires are a pretty meaningless metric.
 
 Thanks Steve - good point. I have to believe that some of those that have 
 solutions to some of these problems have made *some* measures so they can 
 quantify the value of their solution.
 
 
 The harder pieces are going to be defining what traffic is unwanted in a
 way that scales to large-scale measurement.  Worm traffic is presumably
 measurable with Netflow, as are various protocol-types used mainly in DOS
 attacks.  Spam is harder to pinpoint by watching raw traffic, but perhaps
  comparing the total volume of TCP/25 traffic to the SpamAssassin hit
 rates at some representative sample of mail servers could provide some
 reasonable numbers there.
 
 Yea, we can't get absolute #'s, but I think it would be helpful to have a 
 defensible approximation.
 
 
 So, any of you security types have a list of the protocols that are more
 likely to be attack traffic than legitimate?
 
 Or maybe those in the Research Community that have been doing traffic 
 capture and analysis?
 
 
 -Steve
 



Re: [NANOG-LIST] What percentage of the Internet Traffic is junk?

2004-05-05 Thread Stephen Stuart

 Once we can determine what percentage of nanog-l traffic is junk, we can
 start to tackle the bigger question :)

Sturgeon's Law provides a sufficient approximation, I think.

Stephen


Re: What percentage of the Internet Traffic is junk?

2004-05-05 Thread William B. Norton
At 01:56 PM 5/5/2004, Marshall Eubanks wrote:
Look at Tables 6, 7 and 8 - email, for example, is 1/2 %, so even if all
email is spam, it's not that big a flow. Unidentified is typically about 30%,
but most of that is probably file sharing.
Thanks Marshall - a few others have said (paraphrasing): On average we have 
seen about 30% by packets (but only 10% by bandwidth) are junk, with higher 
%'s during major attacks and worm infestations.

For those who say things like can't define 'junk' precisely, I would 
agree, but I think we also can agree that we all have a general idea of 
what junk is. Just looking for round #'s really. It isn't 0%, and it isn't 
90% (although it seems that way sometimes).

I would also agree that it would be valuable for the community to track 
this # over time. You can't manage it if you can't measure it.

Bill

My opinion, from looking at these tables, is that probably little is junk,
at least in the eyes of the receiver.

Regards
Marshall Eubanks
On Wed, 05 May 2004 13:17:45 -0700
 William B. Norton [EMAIL PROTECTED] wrote:

 At 12:55 PM 5/5/2004, Steve Gibbard wrote:

 If a few of you can stop being so pedantic for a second, the definition
 looks pretty easy to me: traffic unlikely to be wanted by the recipient.
 Presumably, if it's being sent that means somebody wanted to send it, so
 the senders' desires are a pretty meaningless metric.

 Thanks Steve - good point. I have to believe that some of those that have
 solutions to some of these problems have made *some* measures so they can
 quantify the value of their solution.


 The harder pieces are going to be defining what traffic is unwanted in a
 way that scales to large-scale measurement.  Worm traffic is presumably
 measurable with Netflow, as are various protocol-types used mainly in DOS
 attacks.  Spam is harder to pinpoint by watching raw traffic, but perhaps
 comparing the total volume of TCP/25 traffic to the SpamAssassin hit
 rates at some representative sample of mail servers could provide some
 reasonable numbers there.

 Yea, we can't get absolute #'s, but I think it would be helpful to have a
 defensible approximation.


 So, any of you security types have a list of the protocols that are more
 likely to be attack traffic than legitimate?

 Or maybe those in the Research Community that have been doing traffic
 capture and analysis?


 -Steve
 
 On Wed, 5 May 2004, Mike Damm wrote:
 
  
  
   Very very very near to, but not quite 100%. Since almost all of the traffic
   on the Internet isn't sourced by or destined for me, I consider it junk.
  
   Also remember that to a packet kid, that insane flood of packets destined
   for his target is the most important traffic in the world. And to a spammer,
   the very mailings that are making him millions are more important than
   pictures of someone's grandkids.
  
   I guess my point is junk is a very relative term. A study would need to
   first be done to identify what junk actually is, then measuring it is
   trivial.
  
 -Mike
  
   -Original Message-
   From: William B. Norton [mailto:[EMAIL PROTECTED]
   Sent: Wednesday, May 05, 2004 11:21 AM
   To: [EMAIL PROTECTED]
   Subject: What percentage of the Internet Traffic is junk?
  
  
   With all the spam, infected e-mails, DOS attacks, ultimately blackholed
   traffic, etc. I wonder if there has been a study that quantifies
  
   What percentage of the Internet traffic is junk?
  
   Bill
  




RE: What percentage of the Internet Traffic is junk?

2004-05-05 Thread David Schwartz


 I'm not sure that I'd agree with this statement.  What
 about the traffic from compromised sources?  The pps
 floods or spam emails are not being created with the
 knowledge of the source, so it would be hard to say
 that the source wanted to send it.

Exactly. A great example is a web server struggling to continue to accept
connections in the face of a spoofed SYN flood. The SYN/ACK packets are
junk.

The definition of junk is that the sender would not have wanted to send
it or the receiver would not have wanted to receive it if either had had a
chance to have the appropriate human or humans investigate the transaction in
full detail.

Traffic you are duped into sending by traffic you wish you hadn't received
or cannot distinguish from legitimate traffic is junk.



RE: What percentage of the Internet Traffic is junk?

2004-05-05 Thread Steve Gibbard

Perhaps now I'm the one being pedantic, but you're confusing somebody
with the owner of the resources involved in the sending.

What I said was, presumably, if it's being sent that means *somebody*
wanted to send it.

Otherwise, we have to consider somebody doing what would otherwise be
legitimate web browsing from an unintentionally open wireless access point
to be junk traffic, which is both very hard to figure out in any
large-scale analysis, and gives the numbers a very different meaning.

-Steve

On Wed, 5 May 2004, David Schwartz wrote:



  I'm not sure that I'd agree with this statement.  What
  about the traffic from compromised sources?  The pps
  floods or spam emails are not being created with the
  knowledge of the source, so it would be hard to say
  that the source wanted to send it.

   Exactly. A great example is a web server struggling to continue to accept
 connections in the face of a spoofed SYN flood. The SYN/ACK packets are
 junk.

   The definition of junk is that the sender would not have wanted to send
 it or the receiver would not have wanted to receive it if either had had a
 chance to have the appropriate human or humans investigate the transaction in
 full detail.

   Traffic you are duped into sending by traffic you wish you hadn't received
 or cannot distinguish from legitimate traffic is junk.



Steve Gibbard   [EMAIL PROTECTED]
+1 415 717-7842 (cell)  http://www.gibbard.org/~scg
+1 510 528-1035 (home)


Re: BGP Exploit

2004-05-05 Thread Christopher L. Morrow

On Wed, 5 May 2004, Patrick W.Gilmore wrote:


 On May 5, 2004, at 2:39 PM, Smith, Donald wrote:

  No. The router stays up. The tool I use is very fast. It floods the GIGE
  to the point that that interface is basically unusable, but the router
  itself stays up; only the session is torn down. I did perform these
  tests in a lab and did not have full bgp routing tables etc ... so your
  mileage may vary.

 That is DAMNED impressive.  I've never seen a router which can take a
 Gigabit of traffic to its CPU and stay up.  What kind of router was
 this?  You mentioned Juniper and Cisco before, but I know a cisco will
 fall over long before a gigabit and a Juniper either does or drops
 packets destined for the CPU (but keeps routing).

receive-path acl and receive-path-limits perhaps on a cisco will allow
survival? Though if this is 'bgp' from a valid peer it seems likely to
crunch it either way.


 Perhaps it was rate limiting the # of packets which reached the CPU,
 and the session stayed up because the magic packet was dropped in the
 rate limiting?


That seems likely.


RE: What percentage of the Internet Traffic is junk?

2004-05-05 Thread Michel Py

 Steve Gibbard wrote:
 If a few of you can stop being so pedantic for a second,
 the definition looks pretty easy to me: traffic unlikely
 to be wanted by the recipient.

This looks good to me although it also needs to include _return_ traffic
from junk traffic (say, you flood a target with ICMP echo request, and
the target does not rate-limit the ICMP echo reply; in that case the
reply is junk as well as the request although it is wanted by the
destination which is the attacker).

Another way of looking at the issue is to measure how much traffic is
legitimate.

Your mileage may vary and I made up the following figures as they can
greatly vary depending on the network, but...

Let's say there's 50% of p2p file sharing, 10% of downloading pr0n, 5%
of downloading services packs and anti-virus signatures and 15% of misc
HTTP surfing, all of which I would consider legitimate and would also
match Steve's definition, this already makes for 80% legit. Legal !=
legit IMHO. Although 99% of p2p file sharing traffic is likely illegal,
it is legitimate (the destination wants to receive it).

Michel.



RE: What percentage of the Internet Traffic is junk?

2004-05-05 Thread David Schwartz


 Perhaps now I'm the one being pedantic, but you're confusing somebody
 with the owner of the resources involved in the sending.

Look, we're the ones asking what percentage of Internet traffic is junk, so
we're the somebody. We know what we mean and can do a reasonably good job of
explaining it. Basically, it's junk if the sender wouldn't have wanted to
send it, the receiver wouldn't have wanted to receive it, the owner of a
computer was duped or tricked into sending it, or it's an attack, and so on.
It's not complicated.

We do have to pass some value judgments. But any number of things we
measure requires such value judgments.

DS



RE: What percentage of the Internet Traffic is junk?

2004-05-05 Thread Michel Py

Bill,

 What percentage of the Internet traffic is junk?

I think two things need to be clarified:

1. What is junk
   (my $0.02: junk is what is as follows
   and associated by-product traffic of:
   - Viruses
   - Worms
   - Attacks of all kinds including DOS/dDOS
   - Spam
   - Crapware (which includes unwanted pop-up
 windows while surfing, challenging to measure)


2. Assuming that we a) have a clear definition of 1. and b) are able to
netflow-measure it (both of which present challenges), how do you define
Internet traffic and WHERE would you measure it (if it was technically
possible to sniff/netflow everywhere).

In other words, does Internet traffic include:
- Peering traffic between tier-1s (at Equinix facilities, of course :-)
- Transit traffic from/to tier-1s to smaller operators.
- Peering between content providers and eyeballs.
- Peering between eyeballs.
- Peering between x and y (you should read Bill
  Norton's papers about peering, me thinks)
- Internal traffic within eyeballs.
- Non-data traffic (VOIP..)?
- Etc?

Michel.
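Michel's junk categories, together with the Netflow-based measurement Steve sketches earlier in the thread (worm scanning, DoS backscatter such as unsolicited SYN/ACKs and echo replies, TCP/25 volume scaled by a SpamAssassin hit rate), can be turned into a rough flow classifier that reports a junk share by packets and by bytes. This is an added example, not code from anyone in the thread; the flow records, addresses, the 0.7 hit rate and the 5-target scan threshold are all constructed.

```python
from collections import defaultdict
SPAM_HIT_RATE = 0.7    # assumed SpamAssassin hit rate at sampled mail servers (made up)
SCAN_THRESHOLD = 5     # distinct targets on one port from one source => worm/scanner
# Constructed NetFlow-style records (not real data): (src, dst, proto, dport, tcp_flags_or_icmp_type, packets, bytes)
FLOWS = [
    # worm scanning: one host probing six others on TCP/445 with bare SYNs
    *[("10.0.0.7", f"192.0.2.{i}", "tcp", 445, "S", 1, 48) for i in range(1, 7)],
    # backscatter: SYN/ACKs and echo replies hit 198.51.100.9, which never sent
    # the matching SYN or echo request (its address was spoofed towards the servers)
    ("203.0.113.5", "198.51.100.9", "tcp", 51000, "SA", 400, 24000),
    ("203.0.113.6", "198.51.100.9", "icmp", None, "echo-reply", 300, 30000),
    # a legitimate web session: the client's SYN is present, so the SYN/ACK is wanted
    ("198.51.100.9", "203.0.113.80", "tcp", 80, "S", 1, 60),
    ("203.0.113.80", "198.51.100.9", "tcp", 51001, "SA", 1, 60),
    ("203.0.113.80", "198.51.100.9", "tcp", 51001, "PA", 100, 120000),
    # inbound mail: only the SpamAssassin-flagged share is counted as junk
    ("198.51.100.20", "203.0.113.25", "tcp", 25, "PA", 100, 50000),
]

def junk_share(flows, spam_rate=SPAM_HIT_RATE, scan_threshold=SCAN_THRESHOLD):
    targets = defaultdict(set)   # (src, dport) -> distinct destinations seen
    requests = set()             # (src, dst) pairs that sent a SYN or echo request
    for src, dst, proto, dport, flags, _, _ in flows:
        targets[(src, dport)].add(dst)
        if flags in ("S", "echo-request"):
            requests.add((src, dst))
    totals = defaultdict(lambda: [0.0, 0.0])   # category -> [packets, bytes]
    for src, dst, proto, dport, flags, pkts, byts in flows:
        if proto == "tcp" and len(targets[(src, dport)]) >= scan_threshold:
            cat, share = "scan", 1.0          # the whole flow is scan traffic
        elif flags in ("SA", "echo-reply") and (dst, src) not in requests:
            cat, share = "backscatter", 1.0   # a reply to a request never sent
        elif proto == "tcp" and dport == 25:
            cat, share = "spam", spam_rate    # prorate mail by the hit rate
        else:
            cat, share = "legit", 0.0
        for i, amount in enumerate((pkts, byts)):
            totals[cat][i] += amount * share              # junk part
            totals["legit"][i] += amount * (1 - share)    # wanted remainder
    junk = [sum(v[i] for c, v in totals.items() if c != "legit") for i in (0, 1)]
    total = [sum(f[5 + i] for f in flows) for i in (0, 1)]
    return {"by_category": {c: tuple(v) for c, v in totals.items()},
            "junk_pct_pkts": 100 * junk[0] / total[0],
            "junk_pct_bytes": 100 * junk[1] / total[1]}
if __name__ == "__main__":
    report = junk_share(FLOWS)
    for cat, (p, b) in sorted(report["by_category"].items()):
        print(f"{cat:12s} {p:8.0f} pkts {b:10.0f} bytes")
    print(f"junk: {report['junk_pct_pkts']:.1f}% of packets, {report['junk_pct_bytes']:.1f}% of bytes")
```

On the constructed records the junk share comes out far higher by packets than by bytes, the same shape as the "30% by packets, 10% by bandwidth" figures quoted earlier, because scans and backscatter are small packets while the wanted bulk transfers carry the bytes.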