Re: botted hosts
[In the message entitled "Re: botted hosts" on Apr 4, 1:10, Sean Donelan writes:]
>
> On Sun, 3 Apr 2005, Dave Rand wrote:
> > The Kelkea (what used to be MAPS) DUL, with more than 150 million entries in
> > it stopped about 41% of the spam last month. The QIL, a new product, stopped
> > about 55%, with the remainder being stopped by the RBL, OPS and RSS. A view
> > of this from a different perspective (an unrelated ISP) is available at
> > http://status.hiwaay.net/spam.html
> >
> > That means that if just the ISPs that we have identified as having
> > "dynamically assigned" addresses were to install port 25 blocking, more than
> > 1/3 of the spam would vanish.
>
> Why does anyone accept SMTP connections from known "dynamically assigned"
> addresses? DUL, QIL, etc should drop all those connections on the floor.
> If everyone was using DUL, QIL, etc, why do they still complain about
> getting spam from dynamically assigned addresses? If mail admins were to
> install DUL lists
>
> Does port 25 blocking actually make a difference? Any public data from
> before and after? Or does it just annoy people, cause problems and not
> fix anything?
>

I would not complain, mind you - having more customers is good for my business.
But why do you think it is right to shift the burden on the recipient to block
access, when it could be done at the source. Yes, it means that the people
getting the cash from the customer would have to actually support said customer
by making it non-annoying for them.

Blocking port 25 has been a good idea for 8 years. Many ISPs have already done
it (some better than others), and it absolutely does fix things.
--
Re: botted hosts
On Mon, 4 Apr 2005, Suresh Ramasubramanian wrote:
> That said, Joe St.Sauver put it fairly well in his presentation at
> maawg san diego, when he said it is cough syrup for lung cancer, and
> what you need along with the cough syrup of port 25 filtering, is some
> stronger measures to locate and take down botted hosts, which of
> course can be used for nastier things (DDoS botnets for example) as
> well, things that do just fine without port 25.

Yep. I've been saying that for several years, and then immediately get
shouted down.

A secure computer doesn't spam, spy, ddos, attack, zombie, bot or any of
the other awful things. A compromised computer can do all that and more.

Locating bots is relatively easy. If you think that is the hard part, you
don't understand the problem.

Unfortunately, researchers haven't come up with a better way to fix
compromised machines without destroying the innocent victims' work. Several
grad students have told me they consider coming up with better ways to
recover a compromised computer too hard of a problem for their thesis.

Many people prefer to keep using a compromised computer rather than attempt
to fix it. And as anyone with a relative and a computer knows, if you ever
help someone with a compromised computer, everything that ever goes wrong
with the computer in the future becomes your fault.

So how do you encourage people to fix their computers, without the press
writing lots of stories about "evil" ISPs cutting off service to grandmothers
on social security looking at pictures of their grandchildren.

There are at least 20 million and probably more compromised computers on
the Internet. Who has a plan to fix them?
Re: botted hosts
Suresh Ramasubramanian <[EMAIL PROTECTED]> wrote:
[...]
> Neither DUL, nor SORBS DUHL, nor the several other lesser known
> variants can claim to do even a fraction of a perfect job - and
> providers who do stuff like happily mix static IP and dynamic IP
> netblocks, maintain vague or inconstant rDNS or even no rDNS at all
> for these, etc don't help at all, leading to the usual funny
> situation of someone's static IP dsl getting blocked as dynamic [but
> that's another story altogether]

I agree that blocking based on any sort of DUL is asking for trouble, but
recent experiments on our customer MXers have shown that applying greylisting
to said hosts works a treat. Personally, I'd apply it across the board, but
customers moan that important mail is being delayed. Nobody has yet
complained that junk from compromised hosts is being delayed :)

A side-effect of the greylisting and other mail checks is that I've got a
lovely list of compromised hosts. Is there any way I can usefully share these
with the community?

-- 
PGP key ID E85DC776 - finger [EMAIL PROTECTED] for full key
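The policy Peter describes (greylist only the hosts a DUL-style list says are dynamic, and keep the ones that never retry as a list of likely compromised machines) is small enough to show end to end. The following is an added example, not code from the thread or from any poster's mail system; the DUL ranges, the delay and window values, and every address and mailbox in it are constructed (RFC 5737 documentation prefixes), and the triplet-based greylisting logic is the common (client IP, sender, recipient) scheme rather than any specific product.

```python
# Added example, not code from the NANOG thread or from any of its posters.
# Minimal greylisting policy that, as the post above describes, greylists
# only clients listed in a DUL-style list of dynamic ranges and, as a
# side-effect, collects the hosts that never came back to retry.
import ipaddress
from dataclasses import dataclass, field

# Constructed DUL-style list (RFC 5737 documentation prefixes), not a real DUL.
DUL_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]

GREYLIST_DELAY = 300      # seconds a new triplet must wait before it is accepted
RETRY_WINDOW = 4 * 3600   # seconds a pending triplet stays valid without a retry


@dataclass
class Greylister:
    pending: dict = field(default_factory=dict)  # triplet -> time first seen
    passed: set = field(default_factory=set)     # triplets that retried in time

    def in_dul(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in DUL_RANGES)

    def decide(self, now, client_ip, sender, recipient):
        """Return 'accept' or 'tempfail' (SMTP 4xx) for one delivery attempt."""
        if not self.in_dul(client_ip):
            return "accept"                 # static / unlisted hosts: not greylisted
        triplet = (client_ip, sender.lower(), recipient.lower())
        if triplet in self.passed:
            return "accept"
        first = self.pending.get(triplet)
        if first is None:
            self.pending[triplet] = now     # first sight: ask the client to retry
            return "tempfail"
        age = now - first
        if age < GREYLIST_DELAY:
            return "tempfail"               # retried too soon, keep waiting
        if age > RETRY_WINDOW:
            self.pending[triplet] = now     # stale entry: start the clock again
            return "tempfail"
        del self.pending[triplet]
        self.passed.add(triplet)            # real MTA behaviour: retry after a delay
        return "accept"

    def never_retried(self, now):
        """Client IPs whose triplets expired without any retry. Spam engines on
        compromised hosts usually fire once and move on, so this is the list of
        likely bots the post mentions as a side-effect."""
        return sorted({ip for (ip, _, _), t in self.pending.items()
                       if now - t > RETRY_WINDOW})


def run_demo():
    """Constructed delivery attempts; returns the decisions and the bot list."""
    g = Greylister()
    decisions = [
        g.decide(0, "192.0.2.10", "alice@example.org", "bob@example.net"),      # static, unlisted
        g.decide(0, "198.51.100.5", "carol@example.org", "bob@example.net"),    # dynamic, first try
        g.decide(60, "198.51.100.5", "carol@example.org", "bob@example.net"),   # retried too soon
        g.decide(600, "198.51.100.5", "carol@example.org", "bob@example.net"),  # proper retry
        g.decide(700, "198.51.100.5", "carol@example.org", "bob@example.net"),  # now whitelisted
        g.decide(5, "203.0.113.7", "spam@example.com", "bob@example.net"),      # bot, never retries
    ]
    return decisions, g.never_retried(now=5 * 3600)


if __name__ == "__main__":
    print(run_demo())
```

The detection value is in `never_retried`: a conforming MTA queues and retries after a 4xx, so an entry that is still pending hours later was almost certainly a fire-and-forget spam engine. The obvious caveat from Suresh's mail applies unchanged: a static host that lands in a dynamic range will be greylisted too, which is why this only delays rather than rejects.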
Re: botted hosts
--On 04 April 2005 04:59 -0400 Sean Donelan <[EMAIL PROTECTED]> wrote:
> I've been saying that for several years, and then immediately get shouted
> down.

Statistically, most anti-spam options (good and bad) have been brought up
many times for several years, and have been shouted down. Why would you
expect your views to be treated any differently? :-)

We now return to the normal program of more heat than light...

Alex
RE: Cisco to merge with Nabisco
It gives number crunching an entirely new meaning.

-Original Message-
From: Bill Nash [mailto:[EMAIL PROTECTED]
Sent: 01 April 2005 19:09
To: Church, Chuck
Cc: nanog@merit.edu
Subject: RE: Cisco to merge with Nabisco

On Fri, 1 Apr 2005, Church, Chuck wrote:
>
> Incorrectly chosen switching path can now result in lost packets AND
> indigestion.
>

Is this mitigated by activating Nabisco Express Forwarding?

Vodafone Group Services Limited
Registered Office: Vodafone House, The Connection, Newbury, Berkshire RG14 2FN
Registered in England No. 3802001

This e-mail is for the addressee(s) only. If you are not an addressee, you
must not distribute, disclose, copy, use or rely on this e-mail or its
contents, and you must immediately notify the sender and delete this e-mail
and all copies from your system. Any unauthorised use may be unlawful. The
information contained in this e-mail is confidential and may also be legally
privileged.
Re: botted hosts
On Mon, 4 Apr 2005, Brad Knowles wrote:
> Microsoft will solve all problems. You just have to trust them
> and use their DRM and their "trustworthy" computing initiatives.

DRM isn't about keeping your computer secure. DRM is about letting other
people install stuff on your computer they control, i.e. wait until DRM
meets Bots (more than it already has).

Although Microsoft probably did more to create the problem than anyone else,
they finally have stepped up to the plate. In the last year they have been
more successful than anyone else at fixing their piece of the problem. XP
SP2 reduced the brand-new computer zombie problem. I think auto-update has
helped a bit, but it's harder to quantify. Microsoft hasn't fixed the
"click here" to install bot problem.

If you can track sources, rather than noise level, the bot graph is looking
better. Most of the security vendors prefer to publish noise graphs.
Although the noise level was increasing, the absolute number of bots has
been amazingly constant for the last 12 months. That is good news because
the overall infection rate declined. Some people are worried it's "too
quiet" and we're due for a big incident soon.
RE: Cisco to merge with Nabisco
Well, they already eat into your profits.

-Original Message-
From: Wayne E. Bouchard [mailto:[EMAIL PROTECTED]
Sent: 01 April 2005 22:34
To: Fergie (Paul Ferguson)
Cc: nanog@merit.edu
Subject: Re: Cisco to merge with Nabisco

Does this mean our routers will be edible? :-)

On Fri, Apr 01, 2005 at 04:45:17PM +, Fergie (Paul Ferguson) wrote:
>
>
> Priceless. ;-)
>
> The Register:
> Published Friday 1st April 2005 15:22 GMT
>
> "Cisco Systems and Kraft Foods shocked investors today
> with an unlikely mega-acquisition that will see Cisco
> buy Kraft's Nabisco unit for $15bn. Perhaps even more
> surprising, former RJR Nabisco and IBM CEO Lou Gerstner
> has come out of retirement to head the new firm
> tentatively called NaCisco."
>
> http://www.theregister.co.uk/2005/04/01/cisco_buys_nabisco/
>
> - ferg
>
> --
> "Fergie", a.k.a. Paul Ferguson
> Engineering Architecture for the Internet
> [EMAIL PROTECTED] or [EMAIL PROTECTED]

---
Wayne Bouchard
[EMAIL PROTECTED]
Network Dude
http://www.typo.org/~web/
Re: botted hosts
On Mon, 4 Apr 2005, Dave Rand wrote:
> But why do you think it is right to shift the burden on the recipient to
> block access, when it could be done at the source. Yes, it means that
> the people getting the cash from the customer would have to actually support
> said customer by making it non-annoying for them.

Do you want an Internet where your provider decides for you, with whom and
when you are allowed to communicate? Or do you want to decide for yourself
whether to accept or not accept the communication?

There are always at least two customers to the communications. The sender
and the recipient. Both the sender and the recipient are paying someone.
Both sender and recipient providers are getting "cash." And if you believe
your argument, both the sender and receiver are engaged in "cost-shifting."

Blocking the communications a priori also prevents the two parties from
deciding on a call-by-call basis whether or not they want the
communications. If the e-mail is in your bulk mail folder, you can decide
what you want. If the e-mail is blocked by the sender's ISP, you don't have
the option anymore.

A lot of people want to use inexpensive broadband connections, and use mail
servers at their university or company. For whatever reason, the university
and company mail admins only support port 25. If the ISP blocks port 25, the
university and company mail admins lose their choice and have to spend money
to upgrade their mail servers to support port 587 or something else. So
there is lots of "cost-shifting."

Do a google search for universities and mail hosting providers that aren't
supporting port 587 and offer to help them update their mail servers. When
you are finished, then you can advocate ISPs block port 25.
Re: botted hosts
On Apr 4, 2005 2:18 PM, Dave Rand <[EMAIL PROTECTED]> wrote:
>
> But why do you think it is right to shift the burden on the recipient to
> block access, when it could be done at the source. Yes, it means that
> the people getting the cash from the customer would have to actually support
> said customer by making it non-annoying for them.
>

On that point - here's what Carl Hutzler has to say. Several of you have
read it before on circleid, or on the list where Carl's email was first
posted, but anyway..

http://www.circleid.com/article/917_0_1_0_C/

-- 
Suresh Ramasubramanian ([EMAIL PROTECTED])
Re: botted hosts
On Apr 4, 2005 2:29 PM, Sean Donelan <[EMAIL PROTECTED]> wrote:
> Unfortunately, researchers haven't come up with a better way to fix
> compromised machines without destroying the innocent victims' work.

Sad. Then what the man does is to hire someone to take a backup of
everything and go over the backup for virus infections. Or maybe he could
wait for when the infections in his PC finally ruin it beyond use for him ..

> So how do you encourage people to fix their computers, without the press
> writing lots of stories about "evil" ISPs cutting off service to grandmothers
> on social security looking at pictures of their grandchildren.
>
> There are at least 20 million and probably more compromised computers on
> the Internet. Who has a plan to fix them?

Cut them off at any rate. Symantec's turntide "antispam router" (really an
IDS + stateful firewall for spam) seems a godawful idea for inbound mail
right now, given the current behavior of proxy trojans, but I can see where
it'd be quite useful on an outbound mail stream from an ISP's IP space

Find them, isolate them into what some providers call a "walled garden" -
vlan them into their own segment from where all they can access are
antivirus / service pack downloads and a 1-800 number to call tech support
at their ISP

-- 
Suresh Ramasubramanian ([EMAIL PROTECTED])
Re: Cisco to merge with Nabisco
Pendergrass, Greg wrote:
> Well, they already eat into your profits.

In Nibbles, or in Bytes ? :P

-Original Message-
From: Wayne E. Bouchard [mailto:[EMAIL PROTECTED]
Sent: 01 April 2005 22:34
To: Fergie (Paul Ferguson)
Cc: nanog@merit.edu
Subject: Re: Cisco to merge with Nabisco

Does this mean our routers will be edible? :-)
Re: report of .biz outage...
Ed,

The occasional connectivity problems with Neulevel of March 31st persist.

Eric
Re: report of .biz outage...
At 10:03 -0400 4/4/05, Eric Brunner-Williams in Portland Maine wrote:
> The occasional connectivity problems with Neulevel of March 31st persist.

I can assure you that our registration services have been up and running
continually during the time period in question. In the spirit of diligent
troubleshooting, I suggest that you consult with any intermediary parties
that may be involved.

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                            +1-571-434-5468
NeuStar

Achieving total enlightenment has taught me that ignorance is bliss.
Re: report of .biz outage...
It's between the CORE SRS and the NS SRS.

Now if your position is that NS is inerrant, and by assertion, the failure
lies somewhere else, fine. Who cares?
Re: botted hosts
On Mon, 4 Apr 2005, Dave Rand wrote:
>
> [In the message entitled "Re: botted hosts" on Apr 4, 1:10, Sean Donelan
> writes:]
> >
> > On Sun, 3 Apr 2005, Dave Rand wrote:
> > >
> > > That means that if just the ISPs that we have identified as having
> > > "dynamically assigned" addresses were to install port 25 blocking, more
> > > than
> > > 1/3 of the spam would vanish.
> >
> > Does port 25 blocking actually make a difference? Any public data from
> > before and after? Or does it just annoy people, cause problems and not
> > fix anything?
> >
> Blocking port 25 has been a good idea for 8 years. Many ISPs have already
> done it (some better than others), and it absolutely does fix things.

just to be clear, from which 'customer' types are you asking to have tcp/25
blocked? Dial? DSL? Cable-modem? Dedicated? can your providers go block
tcp/25 from your links today?
Re: report of .biz outage...
On Mon, 4 Apr 2005, Eric Brunner-Williams in Portland Maine wrote:
> The occasional connectivity problems with Neulevel of March 31st persist.

And is this something you're discussing with the Neulevel NOC, or just
posting to NANOG?

-Bill
Re: botted hosts
On Mon, Apr 04, 2005 at 07:09:51AM -0400, Sean Donelan wrote:
> A lot of people want to use inexpensive broadband connections, and use
> mail servers at their university or company. For whatever reason, the
> university and company mail admins only support port 25. If the ISP
> blocks port 25, the university and company mail admins lose their
> choice and have to spend money to upgrade their mail servers to support
> port 587 or something else. So there is lots of "cost-shifting."
>
> Do a google search for universities and mail hosting providers that
> aren't supporting port 587 and offer to help them update their
> mail servers. When you are finished, then you can advocate ISPs
> block port 25.

With all due respect to Sean and others, could we all please read "block
outgoing traffic from your net to other people's port 25" as including
"except for users who request the block be removed" at all times?

Yes, I realize that it means you have to approach the block slightly
differently, and that it's slightly more work and money to do it that way.

But it *does*, does it not, fix most of both sides of the problem, if you do
it that way?

Cheers,
-- jra
-- 
Jay R. Ashworth                                              [EMAIL PROTECTED]
Designer                          Baylink                            RFC 2100
Ashworth & Associates        The Things I Think                       '87 e24
St Petersburg FL USA      http://baylink.pitas.com            +1 727 647 1274

  If you can read this... thank a system administrator.  Or two.  --me
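Jay's formulation, "block outbound 25, except for users who asked for the block to be removed", is a default-deny policy with two classes of exception: the ISP's own outbound relays and the opted-out customers. As an added example (not the posters' code, and not any ISP's actual configuration), the Python below models that policy, evaluates a few constructed flows against it, and renders it as an ordered IOS-style extended access list so that the ordering trap (exceptions must come before the deny) is visible. The customer pool, smarthost and customer addresses are constructed from RFC 5737 documentation ranges; the ACL text is illustrative layout rather than a tested router configuration.

```python
# Added example, not code from the thread. Models the "block outbound 25 except
# for customers who asked to have the block lifted" policy the post describes,
# and renders it as an ordered filter so the exception-before-deny ordering is
# explicit. All addresses are constructed (RFC 5737 documentation ranges).
import ipaddress
from dataclasses import dataclass

SMTP = 25
SUBMISSION = 587


@dataclass(frozen=True)
class Port25Policy:
    customer_pool: str          # the consumer prefix the policy applies to (addr wildcard)
    smarthosts: frozenset       # the ISP's own outbound relays, reachable on 25
    opted_out: frozenset        # customers who requested the block be removed

    def evaluate(self, src, dst, dport):
        """Decide one TCP flow from a customer host: 'allow' or 'block'."""
        if dport != SMTP:
            return "allow"          # only outbound 25 is affected; 587 passes
        if dst in self.smarthosts:
            return "allow"          # everyone may reach the ISP's relays
        if src in self.opted_out:
            return "allow"          # per-customer exception on request
        return "block"

    def render_acl(self, number=125):
        """IOS-style extended ACL text (illustrative layout, not a tested
        configuration). Order matters: exceptions must precede the deny."""
        lines = [f"access-list {number} permit tcp any host {h} eq {SMTP}"
                 for h in sorted(self.smarthosts, key=ipaddress.ip_address)]
        lines += [f"access-list {number} permit tcp host {c} any eq {SMTP}"
                  for c in sorted(self.opted_out, key=ipaddress.ip_address)]
        lines.append(f"access-list {number} deny tcp {self.customer_pool} any eq {SMTP}")
        lines.append(f"access-list {number} permit ip any any")
        return lines


def simulate(policy, flows):
    """Return the verdict for each (src, dst, dport) flow plus a summary count."""
    verdicts = [policy.evaluate(*f) for f in flows]
    return verdicts, {"allow": verdicts.count("allow"), "block": verdicts.count("block")}


# Constructed policy and sample flows.
POLICY = Port25Policy(
    customer_pool="198.51.100.0 0.0.0.255",
    smarthosts=frozenset({"192.0.2.25"}),
    opted_out=frozenset({"198.51.100.42"}),
)
SAMPLE_FLOWS = [
    ("198.51.100.7", "192.0.2.25", 25),     # ordinary customer to ISP relay
    ("198.51.100.7", "203.0.113.80", 25),   # ordinary customer direct to remote MX: blocked
    ("198.51.100.7", "203.0.113.80", 587),  # submission to a remote server: fine
    ("198.51.100.42", "203.0.113.80", 25),  # opted-out customer running their own MTA
]

if __name__ == "__main__":
    print(simulate(POLICY, SAMPLE_FLOWS))
    print("\n".join(POLICY.render_acl()))
```

The flow table is the point Sean and Jay are arguing over in miniature: the university user on 587 is untouched, the home MTA owner who asked is untouched, and only the unsolicited direct-to-MX connection from an ordinary consumer host is dropped. The operational cost Jay concedes is the `opted_out` set, which has to be maintained per customer and, as Steve asks later in the thread, pushed to whatever device actually filters that customer's interface.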
Re: botted hosts
[EMAIL PROTECTED] (Sean Donelan) writes:

> Do you want an Internet where your provider decides for you, with whom and
> when you are allowed to communicate? Or do you want to decide for yourself
> whether to accept or not accept the communication?

i want weak protocols restricted to LANs or at most campuses or ISPs. that
means UDP/137, UDP/139, and TCP/25 at the moment. stay tuned, we might be
adding more.

oh and as long as you're considering whether to restrict things to your
LAN/campus/ISP, i'm ready to see rfc1918 filters deployed...

#sfo2b.f:i386# tcpdump -n -c 10 src net \( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 \)
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on fxp0, link-type EN10MB (Ethernet), capture size 96 bytes
16:55:10.349179 IP 172.16.1.2.1063 > 192.5.5.241.53: 5330 [1au] MX? mails.hu. (37)
16:55:10.351035 IP 172.16.8.1.1158 > 192.5.5.241.53: 3130 A? www.consumerinput.com. (39)
16:55:10.351528 IP 172.16.8.1.1158 > 192.5.5.241.53: 5184 A? www.consumerinput.com. (39)
16:55:10.352908 IP 172.16.8.1.1158 > 192.5.5.241.53: 15435 A? www.consumerinput.com. (39)
16:55:10.513272 IP 10.14.0.16.32768 > 192.5.5.241.53: 7623% [1au] A? smtp107.apmailer.com. (49)
16:55:10.609281 IP 10.204.1.19.1075 > 192.5.5.241.53: 8176 [1au] PTR? 25.2.0.192.in-addr.arpa. (52)
16:55:10.669655 IP 192.168.240.250.33753 > 192.5.5.241.53: 29750 A? as.adwave.com.L19212.wflu.com. (47)
16:55:10.750369 IP 10.8.224.32.59429 > 192.5.5.241.53: 44783% [1au] A6? ns.mint.net. (40)
16:55:10.770704 IP 192.168.240.250.33753 > 192.5.5.241.53: 56680 A? img07.allegro.pl. (34)
16:55:10.770709 IP 192.168.240.250.33753 > 192.5.5.241.53: 61108 A? img10.allegro.pl. (34)
10 packets captured

hell, as long as we're making a list of the things sender-side network admins
should filter on their end since they're inappropriate for the wide area,
could we increase the readership of BCP38 (if your hair isn't pointy) and/or
SAC004 (otherwise)?

oh and if 15,000 of your dsl-connected hosts all start sending one packet per
second to the same distant endpoint, please stop them.

senders and sender-isp's have a long list of things they have to do in order
to not be compared to toxic polluters (a term i believe michael rathbun coined
for use in this context, and for which i am thankful.)

don't try to make this about right-to-communicate or who-gets-to-decide.
-- 
Paul Vixie
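Paul's capture shows what a root server sees when edge networks skip the two filters he asks for: RFC 1918 sources leaking out, and (the BCP 38 point) packets leaving a network with source addresses that network was never assigned. The script below is an added example, not part of Paul's post or of any operator's tooling: it parses `tcpdump -n` lines in the layout shown above and sorts the sources into the two classes an egress filter at a site border should be catching. The capture lines, the site's "own" prefix and all addresses in them are constructed from documentation and private ranges, not Paul's data.

```python
# Added example, not from the NANOG post. Audits tcpdump -n output of the
# kind shown above for packets that should never have reached the wide area:
# RFC 1918 sources, and (BCP 38 view) sources outside the prefixes a network
# is actually assigned. Intended to run on a capture taken at a site's border.
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# "HH:MM:SS.usec IP src.sport > dst.dport: ..." as printed by tcpdump -n
LINE_RE = re.compile(r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")

# Constructed capture lines in the same layout as the post's output; the
# addresses are documentation/private ranges, not the original data.
SAMPLE_CAPTURE = """\
listening on fxp0, link-type EN10MB (Ethernet), capture size 96 bytes
16:55:10.349179 IP 172.16.1.2.1063 > 192.5.5.241.53: 5330 [1au] MX? example.net. (37)
16:55:10.513272 IP 10.14.0.16.32768 > 192.5.5.241.53: 7623% [1au] A? smtp.example.com. (49)
16:55:10.669655 IP 192.168.240.250.33753 > 192.5.5.241.53: 29750 A? www.example.org. (47)
16:55:11.102310 IP 198.51.100.9.40000 > 192.5.5.241.53: 4110 A? example.com. (29)
16:55:11.104221 IP 203.0.113.4.40001 > 192.5.5.241.53: 4111 A? example.com. (29)
16:55:11.200000 IP 198.51.100.9.40002 > 192.5.5.241.53: 4112 A? example.org. (29)
"""


def parse_line(line):
    """Return (src, sport, dst, dport) or None for lines that are not packets."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group(1), int(m.group(2)), m.group(3), int(m.group(4))


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def audit_egress(capture, our_prefixes):
    """Classify every source address seen leaving a network whose assigned
    space is `our_prefixes`: 'rfc1918' should be dropped at the edge, 'not_ours'
    is a BCP 38 violation (spoofed or leaked), 'ok' is legitimately sourced."""
    ours = [ipaddress.ip_network(p) for p in our_prefixes]
    buckets = {"rfc1918": set(), "not_ours": set(), "ok": set()}
    for line in capture.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue                      # banner lines such as "listening on fxp0"
        src = pkt[0]
        if is_rfc1918(src):
            buckets["rfc1918"].add(src)
        elif any(ipaddress.ip_address(src) in net for net in ours):
            buckets["ok"].add(src)
        else:
            buckets["not_ours"].add(src)
    return {k: sorted(v, key=ipaddress.ip_address) for k, v in buckets.items()}


if __name__ == "__main__":
    for bucket, hosts in audit_egress(SAMPLE_CAPTURE, ["198.51.100.0/24"]).items():
        print(f"{bucket:9s} {', '.join(hosts) or '-'}")
```

Run against a border capture with the site's real allocations in `our_prefixes`, a non-empty `not_ours` bucket is exactly the traffic BCP 38 ingress filtering on the customer-facing interfaces would have dropped, and `rfc1918` is the class Paul's own tcpdump filter expression selects. The same classification is cheap enough to run continuously as a detection, which is usually how a leak of private addresses through a misconfigured NAT first gets noticed.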
so, how would you justify giving users security? [was: Re: botted hosts]
> senders and sender-isp's have a long list of things they have to do in order
> to not be compared to toxic polluters (a term i believe michael rathbun coined
> for use in this context, and for which i am thankful.)
>
> don't try to make this about right-to-communicate or who-gets-to-decide.

I don't see why not?

Point is, most ISP's today try and sell "security" in the form of a shiny
new AV suite, maybe a personal firewall.

Anyone ever considered just closing these ports? People will pay you more
and just for your ACL services! You can put all your troubles behind some
firewall and forget about 9/8th of the helpdesk calls about:
- My connection is slow!
- My computer is slow!
- Whatever else doesn't work!

Oooh, shiny! More cost savings!

Ooh, shiny, less warez servers, pr0n and what not servers running on your
bandwidth. Less DDoS coming from you - less bandwidth - more fun! More
profit!

Then if they (the users) want ports open (oh gosh, a smart luser in the
bunch!) you can take a bit more money again and make them a customer that
can pollute.

Why is this such a bad idea?

I believe the above suggestions make such perfect sense in any reasoning
that not going through with getting off blacklists and a nutty house of
worms is pretty much ludicrous.

Give me a break people.

Most people won't care about their "freedom" if they can do whatever they
want by asking for it. Most users want Web, Mail and IM. Three things. How
are any of these guys who could easily get their privileges (and your
responsibilities) back again even going to guess that some big right is
being taken away? They have complete freedom and x9000 more safety. They can
even sign a paper stating exactly that.

So, cost savings on bandwidth and support. Less net abuse. Ouch - less
demand on AV sales? Run the numbers people.

Gadi.
Re: so, how would you justify giving users security? [was: Re: botted hosts]
On 04/04/05, Gadi Evron <[EMAIL PROTECTED]> wrote:
> Most people won't care about their "freedom" if they can do whatever
> they want by asking for it. Most users want Web, Mail and IM. Three
> things. How are any of these guys who could easily get their privileges
> (and your responsibilities) back again even going to guess that some big
> right is being taken away? They have complete freedom and x9000 more
> safety. They can even sign a paper stating exactly that.
>
> So, cost savings on bandwidth and support. Less net abuse. Ouch - less
> demand on AV sales? Run the numbers people.

Problem is, this conversation is mostly taking place amongst geeks -- and
most of us geeks /do/ want open access. So the gut reaction is "oh shit, I
won't be able to run my personal mail server at home anymore!" even though
the consumers of consumer-grade services don't know how to do that, and
don't care.

-- 
J.D. Falk                                     uncertainty is only a virtue
<[EMAIL PROTECTED]>                       when you don't know the answer yet
Re: so, how would you justify giving users security? [was: Re: botted hosts]
J.D. Falk wrote:
> On 04/04/05, Gadi Evron <[EMAIL PROTECTED]> wrote:
> > Most people won't care about their "freedom" if they can do whatever
> > they want by asking for it. Most users want Web, Mail and IM. Three
> > things. How are any of these guys who could easily get their privileges
> > (and your responsibilities) back again even going to guess that some big
> > right is being taken away? They have complete freedom and x9000 more
> > safety. They can even sign a paper stating exactly that.
> >
> > So, cost savings on bandwidth and support. Less net abuse. Ouch - less
> > demand on AV sales? Run the numbers people.
>
> Problem is, this conversation is mostly taking place amongst geeks -- and
> most of us geeks /do/ want open access. So the gut reaction is "oh shit, I
> won't be able to run my personal mail server at home anymore!" even though
> the consumers of consumer-grade services don't know how to do that, and
> don't care.

Okay, as a geek; do you want to be on an ISP where you will get scanned 1000
times a minute or just twice?

As a geek, do you want service-on-demand or just getting all the lusers
around you roaming free with phasers?

As a geek, do you not want the Internet to still be here *completely* OPEN
and FREE in the future?

Lastly, I suppose that as a geek ISP, one might want to sell more bandwidth.
After all, the more sh*t that goes through the tubes the bigger tubes people
buy.

Between spam, spyware and worms, not to mention scans and attacks, I suppose
that a large percentage of the Internet already is pay-for-junk?

Gadi.
Re: so, how would you justify giving users security? [was: Re: botted hosts]
Gadi Evron wrote:
> Between spam, spyware and worms, not to mention scans and attacks, I
> suppose that a large percentage of the Internet already is pay-for-junk?

No. Most of the Internet is p2p file sharing, which does not fall into the
categories mentioned. (at least mostly it doesn't)

Pete
Re: so, how would you justify giving users security? [was: Re: botted hosts]
On Mon, Apr 04, 2005 at 08:46:42PM +0200, Gadi Evron wrote:
> As a geek, do you not want the Internet to still be here *completely*
> OPEN and FREE in the future?

And this is the point question. Much innovation is due to the open
end-to-end characteristic of the current network. By all means, let's trap
port 25 where possible, for those who don't care (or ask), but let's not go
all baby-and-bathwater by filtering *everything* either...

Cheers,
-- jra
-- 
Jay R. Ashworth                                              [EMAIL PROTECTED]
Designer                          Baylink                            RFC 2100
Ashworth & Associates        The Things I Think                       '87 e24
St Petersburg FL USA      http://baylink.pitas.com            +1 727 647 1274

  If you can read this... thank a system administrator.  Or two.  --me
Re: botted hosts
Peter Corlett wrote:
> A side-effect of the greylisting and other mail checks is that I've got a
> lovely list of compromised hosts. Is there any way I can usefully share
> these with the community?

Set up a website where one can input a route and can see hosts covered with
it?

Pete
Re: so, how would you justify giving users security? [was: Re: botted hosts]
On Mon, 4 Apr 2005, Gadi Evron wrote:
> Anyone ever considered just closing these ports? People will pay you
> more and just for your ACL services! You can put all your troubles

you would need to do this on a per customer interface basis ie not at an
aggregation point but on each ppp interface.. does that scale? i've not
tried it, what i mean by scale is if this is eg auto-config'd by radius to
cisco does it move the switching path to software or do anything else that
would crash a fully loaded dialup/lac/lns/etc ?

Steve
Re: botted hosts
Sean Donelan wrote:
> Locating bots is relatively easy. If you think that is the hard part, you
> don't understand the problem.

It's easy to some extent, databases to a few hundred thousand are easy to
collect but going to the millions is harder.

> So how do you encourage people to fix their computers, without the press
> writing lots of stories about "evil" ISPs cutting off service to grandmothers
> on social security looking at pictures of their grandchildren.

Experience tells that telling (obviously automatically) the users that
their computer is too unsafe to be on the public internet and it'll stay
that way until they either fix it or change to a less clueful provider works
wonders.

> There are at least 20 million and probably more compromised computers on
> the Internet. Who has a plan to fix them?

If the nanog readership is a few thousands, that's only ~5-10k for each of
us. Piece of cake. And I still don't buy the number. I might buy 2M.

Pete
Re: botted hosts
* Paul Vixie:

> hell, as long as we're making a list of the things sender-side network admins
> should filter on their end since they're inappropriate for the wide area,

Technically, HTTP is inappropriate for wide-area networks. A lot of HTTP
applications still do not support persistent connections (resulting in lots
of unnecessary round trip delays). HTTP does not perform any checksums, and
the TCP checksum alone is insufficient across the Internet (failures are
rare, but when they happen, they are reproducible across the affected
router). HTTP does not provide confidentiality. The frameworks usually used
to build HTTP applications do not offer adequate security, and often
encourage risky programming styles. Implementation quality is as poor as it
can get. And so on.

DNS is even worse, and thanks to DNSSEC, we will never see fixes for the
most pressing issues.

So "inappropriate" is the wrong word here, "you can filter it and you can
get away with it" is closer to reality IMHO.

> senders and sender-isp's have a long list of things they have to do in order
> to not be compared to toxic polluters (a term i believe michael rathbun coined
> for use in this context, and for which i am thankful.)

But detection and response are more important than prevention. You cannot
block 80/TCP bidirectionally, so there will always be a malware problem. At
the moment, 25/TCP &c blocks are sufficient to outrun the competition, but
this will change as such filters become more and more common. Blocks might
be cheaper at this point, but I hope it's economically viable to skip this
stage (because it's so disruptive and will only result in more SOAP
lookalikes) and invest into the next one.
Re: botted hosts
> * Paul Vixie:
>
> > hell, as long as we're making a list of the things sender-side network
> > admins
> > should filter on their end since they're inappropriate for the wide area,
>

'sender side' == 'network owner' or if you are an ISP 'your customer'. So,
read this as: "your customers should really be filtering these protocols at
their edge to 'you'". Is that your intent here Paul?
Re: botted hosts
On Mon, 04 Apr 2005 22:31:50 +0300, Petri Helenius said:
> >There are at least 20 million and probably more compromised computers on
> >the Internet. Who has a plan to fix them?
> >
> >
> If the nanog readership is a few thousands, that's only ~5-10k for each
> of us. Piece of cake. And I still don't buy the number. I might buy 2M.

The problem is that of my 10K share, probably at most 2-4K are actually
inside an AS that I can do anything about, and the other 6-8K are inside
other AS's that are both clueless and not represented on NANOG...
Re: botted hosts
On Sun, 3 Apr 2005, Dave Rand wrote:
> [In the message entitled "botted hosts" on Apr 3, 19:13, Petri Helenius
> writes:]
> >
> > I run some summaries about spam-sources by country, AS and containing
> > BGP route.
> > These are from a smallish set of servers whole March aggregated.
> > Percentage indicates incidents out of total.
> > Conclusion is that blocking 25 inbound from a handful of prefixes would
> > stop >10% of spam.
> >
>
> This would be correct. In the bigger perspective, blocking port 25 on all
> ISP's consumer circuits would currently stop over 99% of the spam. Yes,
> spammers would adjust to this over time. It is still a great idea to block
> port 25 by default, and unblock it on customer request.

It would probably stop 99% of ALL email, too. What, your customers don't have
email servers? But __you__ have an email server. Unblocking on customer
request is an expensive operation, for both the ISP and the customer.

> That means that if just the ISPs that we have identified as having
> "dynamically assigned" addresses were to install port 25 blocking, more than
> 1/3 of the spam would vanish.

Err, not likely. SPF came out, and now bots can find the ISPs "closed relays"
with very little trouble at all. (Funny coincidence that SPF should come out
just as the open relay blacklists are mostly closing down) But even without
SPF, if it was really made necessary, without doubt abusers would include
code to figure out the config files for the roughly 1000+ email clients out
there. Or perhaps, bots would start to sniff packets looking for an outgoing
SMTP connection by an authorized user.

For many years I've told people (but they never seem to listen):
__Everyone__ is authorized to send email, and to have relay services, right
up until their access is terminated. Bots can use that. Schemes for blocking
port 25 assume that bots aren't upgradeable.

And they frequently assume that network operations changes are
free---Comcast reported that it would cost $58 million to implement port 25
blocking and notify customers, just for Comcast.

On a deeper level, I discovered (it's not at proof level, but probably at
'strong conjecture' level) that results from information theory show that
spam cannot be stopped technically. I'll write it up a bit more formally,
and post a link. (And I'll see if I can carry it out to a proof)

To summarize, I show that spam is equivalent to a covert/sneaky channel [or
rather, "sneaky channel" in the network literature and other names in other
areas of literature--e.g. "covert channel" is usually specific to multi-user
OS analysis, but the concepts are the same]. Then I show that since one
can't prove an information system is free of covert/sneaky channels, it
can't be proven free of spam either. And the conclusion is that a technical
solution to spam doesn't exist.

Yes, there are things that can still be done---one can continue to play
whack-a-mole, but it never gets better than whack-a-mole. There are still
technical methods that aren't fully exploited (text analysis for intent,
bayesian, etc) but for each of these things, there are countermeasures that
the abuser can do to fool them.

If you want to talk information theory and spam, contact me off-list.

--Dean

-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 344 9000
Re: so, how would you justify giving users security?
* Gadi Evron: > Anyone ever considered just closing these ports? People will pay you > more and just for your ACL services! People call me mad because I designed a system which can handle 10,000+ ACL entries with negligible personal overhead (keep in mind that you cannot give end users direct access to ACL settings because they don't know what to do). Some issues I ran into clearly showed that this was a very, very unusual thing to do. It still has to be this way if you look at the number of hoops you have to jump through if you want to atomically replace an ACL on a Cisco router. In other words, neither people nor technology are quite ready. > Why is this such a bad idea? My fear is that most organizations will opt for blocks without exceptions (or ridiculous processes to obtain exceptions). AFAICS, this is what happened on most academic networks. As a result, protocol designers make sure that their application looks like HTTP at layer 4, and everyone loses.
Re: botted hosts
On Sun, 3 Apr 2005, Dave Rand wrote: > The problem has always been that ISPs do not see any tangible benefit to > stopping spam *leaving* their networks. And just what blacklists work to detect spam in outgoing email? Spam leaving the network is stopped as soon as abuse complaints roll in. This is a tremendous exaggeration. Most networks spend a lot of time and money dealing with abuse on their network. "no tangible benefit", indeed. -- Av8 Internet Prepared to pay a premium for better service? www.av8.net faster, more reliable, better service 617 344 9000
Re: so, how would you justify giving users security?
* Gadi Evron: > As a geek, do you not want the Internet to still be here *completely* > OPEN and FREE in the future? And this is not related to blocking. Universal liability for content, be it your own or from third parties, is far more threatening. At least in a country which can offer a widely deployed B-ISDN lookalike (Germany does, don't know about the US or IL), you can always connect to a business-type ISPs to get past simple port filters. > Lastly, I suppose that as a geek ISP, one might want to sell more > bandwidth. After all, the more sh*t that goes through the tubes the > bigger tubes people buy. Only if the end user market is ready for volume pricing. 8-) In Germany, we aren't quite there yet. And it would neatly solve the P2P problem.
Re: so, how would you justify giving users security? [was: Re: botted hosts]
As a point of discussion regarding port 25 filtering. Let's look at two possible future models:

For both these models, today's weak-security SMTP is still used for email. The ISP having the sender of email is called "SendISP". The ISP with the recipient mailserver is called "RecvISP".

MODEL A: ISPs filter at the source; spam is reduced.
ISPs filter outgoing port 25 traffic from networks, allowing exceptions. SendISP limits outgoing mail. RecvISP has less incentive to block incoming. If a customer of SendISP wants to run a mail server, SendISP has motivation to make an exception. Customers wanting exceptions tend to be rare.

MODEL B: ISPs filter incoming mail traffic; spam is reduced.
ISPs increase the effectiveness of blacklists and locating dynamic IPs, allowing exceptions as requested by the mail server admins/users. (Filtering may occur at network level or in mail servers.) SendISP does not limit outgoing mail. RecvISP has strong incentives to block. If a customer of SendISP wants to run a mail server, RecvISP has almost no motivation to make a blacklist exception. RecvISP is more concerned about _their_ customers/users.

Which model really provides us with the best of both worlds: less spam yet more freedom to innovate? I would say model A does.

However, I am not convinced of this. Please pick apart my models.. (As if I have to ask...)

John

At 01:25 PM 4/4/2005, Jay R. Ashworth wrote:
> On Mon, Apr 04, 2005 at 08:46:42PM +0200, Gadi Evron wrote:
> > As a geek, do you not want the Internet to still be here *completely*
> > OPEN and FREE in the future?
>
> And this is the point question. Much innovation is due to the open end-to-end characteristic of the current network. By all means, let's trap port 25 where possible, for those who don't care (or ask), but let's not go all baby-and-bathwater by filtering *everything* either...
>
> Cheers,
> -- jra
> -- Jay R. Ashworth [EMAIL PROTECTED] Designer Baylink RFC 2100 Ashworth & Associates The Things I Think '87 e24 St Petersburg FL USA http://baylink.pitas.com +1 727 647 1274 If you can read this... thank a system administrator. Or two. --me
Re: botted hosts
I think many folks agree with you. Spam, at its heart, is an intractable social problem, not a technical problem. I'll refrain from my regular "tragedy of the commons" economics discussion. However, most of the folks on this list must work at the technical angle. How do we reduce spam by making it more difficult to spam? I'd be interested in seeing your proof when you finish it.

John

> On a deeper level, I discovered (it's not at proof level, but probably at 'strong conjecture' level) that results from information theory show that spam cannot be stopped technically. I'll write it up a bit more formally, and post a link. (And I'll see if I can carry it out to a proof) To summarize, I show that spam is equivalent to a covert/sneaky channel [or rather, "sneaky channel" in the network literature and other names in other areas of literature--e.g. "covert channel" is usually specific to multi-user OS analysis, but the concepts are the same]. Then I show that since one can't prove an information system is free of covert/sneaky channels, it can't be proven free of spam either. And the conclusion is that a technical solution to spam doesn't exist. Yes, there are things that can still be done---one can continue to play whack-a-mole, but it never gets better than whack-a-mole. There are still technical methods that aren't fully exploited (text analysis for intent, bayesian, etc) but for each of these things, there are countermeasures that the abuser can do to fool them. If you want to talk information theory and spam, contact me off-list.
>
> --Dean -- Av8 Internet Prepared to pay a premium for better service? www.av8.net faster, more reliable, better service 617 344 9000
Re: botted hosts
On Mon, 04 Apr 2005 16:12:51 EDT, Dean Anderson said: > On a deeper level, I discovered (its not at proof level, but probably at > 'strong conjecture' level) that results from information theory show that > spam cannot be stopped technically. I'll write it up a bit more formally, > and post a link. (And I'll see if I can carry it out to a proof) To > summarize, I show that spam is equivalent to a covert/sneaky channel [or > rather, "sneaky channel" in the network liturature and other names in > other areas of liturature--e.g. "covert channel" is usually specific to > multi-user OS analysis, but the concepts are the same]. Then I show that > since one can't prove an information system is free of covert/sneaky > channels, it can't be proven free of spam either. The thing your analysis will probably fall short on is that although you can *at best* limit the bandwidth of a covert channel (a well understood concept as far back as the old Orange Book), there's the assumption that a covert channel has a cooperating sender and receiver, both doing the moral equivalent of an FFT to extract the signal from the noise. The problem arises when you are trying to push signal (spam) to a non-cooperating recipient. I've seen spam that's so obfuscated that it's unclear whether it's trying to sell me a R00leckss or medications. At that point, it may be able to pass under the effective-bandwidth filter of your covert channel. But it's also likely to be under the effective bandwidth needed to actually deliver a message to an end-user. If you hide the spam in a steganographic message inside a .JPG of a giraffe, it will almost certainly make it to the mailbox. But at that point, the user is left looking at a picture of a giraffe..
Re: so, how would you justify giving users security?
* Stephen J. Wilcox: > On Mon, 4 Apr 2005, Gadi Evron wrote: > >> Anyone ever considered just closing these ports? People will pay you >> more and just for your ACL services! You can put all your troubles > > you would need to do this on a per customer interface basis ie not > at an aggregation point but on each ppp interface.. Not necessarily. Some Windows malware prefers local address ranges, but not all. If you quickly disconnect those who caught something, it's a great help in keeping the number of infected machines down. You could even spin this in a way that encourages your customers to recommend you to their friends: no hassle with the filters.
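The step Florian describes, finding the customers who "caught something" quickly enough to disconnect them, can be driven from flow records alone. The script below is an added example, not code from the thread or from any provider in it. It scans constructed flow lines for the two behaviours discussed here: a host opening SMTP to many distinct external mail exchangers (direct-to-MX spamming past the ISP relay) and a host sweeping its own /24 on NetBIOS/SMB ports (the "prefers local address ranges" case). The pools, relay address, thresholds and flow lines are assumptions chosen for illustration, and the thresholds are deliberately low so the sample stays short.

```python
"""Flag probable bots in customer pools from flow records: hosts that open
SMTP to many distinct destinations, and hosts that sweep their own /24 on
NetBIOS/SMB ports. Added example, not from the thread; the flow lines,
pools and thresholds are constructed.
"""
import ipaddress
from collections import defaultdict

# Constructed records: "timestamp src:sport dst:dport proto"
FLOWS = """\
2005-04-04T10:00:01 198.51.100.7:3321 203.0.113.10:25 tcp
2005-04-04T10:00:02 198.51.100.7:3322 203.0.113.11:25 tcp
2005-04-04T10:00:02 198.51.100.7:3323 203.0.113.12:25 tcp
2005-04-04T10:00:03 198.51.100.7:3324 203.0.113.13:25 tcp
2005-04-04T10:00:03 198.51.100.7:3325 203.0.113.14:25 tcp
2005-04-04T10:00:04 198.51.100.7:3326 203.0.113.15:25 tcp
2005-04-04T10:00:04 198.51.100.7:3327 192.0.2.25:25 tcp
2005-04-04T10:01:00 198.51.100.8:1025 192.0.2.25:25 tcp
2005-04-04T10:05:00 198.51.100.8:1026 192.0.2.25:25 tcp
2005-04-04T10:09:00 198.51.100.8:1027 192.0.2.25:25 tcp
2005-04-04T10:09:30 198.51.100.8:1028 93.184.216.34:80 tcp
2005-04-04T10:10:00 198.51.100.9:2001 198.51.100.10:445 tcp
2005-04-04T10:10:00 198.51.100.9:2002 198.51.100.11:445 tcp
2005-04-04T10:10:01 198.51.100.9:2003 198.51.100.12:139 tcp
2005-04-04T10:10:01 198.51.100.9:2004 198.51.100.13:445 tcp
2005-04-04T10:10:02 198.51.100.9:2005 198.51.100.14:445 tcp
2005-04-04T10:10:02 198.51.100.9:2006 198.51.100.15:445 tcp
2005-04-04T10:10:03 198.51.100.9:2007 203.0.113.50:445 tcp
2005-04-04T10:12:00 198.51.100.20:4000 93.184.216.34:80 tcp
2005-04-04T10:12:05 198.51.100.20:137 198.51.100.21:137 udp
2005-04-04T10:13:00 192.0.2.1:5000 203.0.113.10:25 tcp
2005-04-04T10:13:01 192.0.2.1:5001 203.0.113.11:25 tcp
"""

POOLS = [ipaddress.ip_network("198.51.100.0/24")]   # constructed residential pool
RELAY = ipaddress.ip_address("192.0.2.25")          # constructed ISP submission relay
NETBIOS_PORTS = {135, 137, 139, 445}
SMTP_FANOUT = 5     # distinct external port-25 peers per host; illustrative
SCAN_FANOUT = 5     # distinct same-/24 targets on NetBIOS/SMB ports; illustrative


def parse(text):
    """Yield (timestamp, src, dst, dport, proto) tuples from the text above."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto = line.split()
        sip, _ = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        yield ts, ipaddress.ip_address(sip), ipaddress.ip_address(dip), int(dport), proto


def find_bots(records, pools, relay):
    """Return {host: [(reason, distinct_peer_count), ...]} for hosts in the
    customer pools that exceed either fan-out threshold."""
    smtp_peers = defaultdict(set)
    scan_peers = defaultdict(set)
    for _, s, d, dport, proto in records:
        if not any(s in p for p in pools):
            continue                                  # not our customer
        if proto == "tcp" and dport == 25 and d != relay:
            smtp_peers[s].add(d)                      # direct-to-MX delivery
        if dport in NETBIOS_PORTS:
            own_subnet = ipaddress.ip_network(f"{s}/24", strict=False)
            if d in own_subnet and d != s:
                scan_peers[s].add(d)                  # neighbour sweep
    verdicts = defaultdict(list)
    for s, peers in smtp_peers.items():
        if len(peers) >= SMTP_FANOUT:
            verdicts[str(s)].append(("smtp-fanout", len(peers)))
    for s, peers in scan_peers.items():
        if len(peers) >= SCAN_FANOUT:
            verdicts[str(s)].append(("local-scan", len(peers)))
    return dict(verdicts)


if __name__ == "__main__":
    for host, reasons in sorted(find_bots(parse(FLOWS), POOLS, RELAY).items()):
        print(host, reasons)
```

The relay is excluded from the SMTP count on purpose: a customer whose mail client submits through the ISP relay a few times an hour never accumulates distinct peers, while a bot delivering direct to MX does within seconds. The scan rule counts only targets inside the source's own /24, which is what distinguishes a worm's neighbour sweep from ordinary file-sharing with a single remote host.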
Re: botted hosts
My apologies to the list for sending HTML email. A plain text version:

As a point of discussion regarding port 25 filtering. Let's look at two possible future models:

For both these models, today's weak-security SMTP is still used for email. The ISP having the sender of email is called "SendISP". The ISP with the recipient mailserver is called "RecvISP".

MODEL A: ISPs filter at the source; spam is reduced.
ISPs filter outgoing port 25 traffic from networks, allowing exceptions. SendISP limits outgoing mail. RecvISP has less incentive to block incoming. If a customer of SendISP wants to run a mail server, SendISP has motivation to make an exception. Customers wanting exceptions tend to be rare.

MODEL B: ISPs filter incoming mail traffic; spam is reduced.
ISPs increase the effectiveness of blacklists and locating dynamic IPs, allowing exceptions as requested by the mail server admins/users. (Filtering may occur at network level or in mail servers.) SendISP does not limit outgoing mail. RecvISP has strong incentives to block. If a customer of SendISP wants to run a mail server, RecvISP has almost no motivation to make a blacklist exception. RecvISP is more concerned about _their_ customers/users.

Which model really provides us with the best of both worlds: less spam yet more freedom to innovate? I would say model A does.

However, I am not convinced of this. Please pick apart my models.. (As if I have to ask...)

John
Re: botted hosts
* Suresh Ramasubramanian: > Find them, isolate them into what some providers call a "walled > garden" - vlan them into their own segment from where all they can > access are antivirus / service pack downloads Service pack downloads? Do you expect ISPs to pirate Windows (or large parts thereof)? Or has Microsoft finally seen the light?
Re: botted hosts
* Dean Anderson: > Spam leaving the network is stopped as soon as abuse complaints roll > in. Apparently, complaints are no longer a sufficient indicator because there are too few complaints. Maybe we are not quite at this point, but look at non-spoofed DDoS attacks and port scans. We will get there eventually.
Re: botted hosts
> Unblocking on customer request is an expensive operation, for both the ISP and the customer.
>
> And they frequently assume that network operations changes are free---Comcast reported that it would cost $58 million to implement port 25 blocking and notify customers, just for Comcast.

Anyone can come up with a number to convince themselves that they don't need to do the 'right thing'. Comcast is probably using Docsis. Docsis makes applying filters on a per user basis pretty darn easy. AOL blocks outbound 25. Earthlink for the most part does (we only refused 148 emails from them yesterday from places like user-0c2i2vr.cable.earthlink.net and user-0c2if7q.cable.earthlink.net, they might block port 25 by default for as much as I know). We block outbound port 25 on our residential connections by default. Of those, only 2.4% currently have requested that we not filter them. The $ excuse just doesn't fly. RR and Comcast know this. Other providers have tackled the problem. I've seen the Spamcop reports on our retail connections drop to just about nothing since filtering our users.

> On a deeper level, I discovered (it's not at proof level, but probably at 'strong conjecture' level) that results from information theory show that spam cannot be stopped technically.

Yep. Cannot be stopped. But if I disable what I am currently doing to keep the rest of the world out, my users damn sure notice. I do what I can, grab the low lying fruit, get them knocked out of the way and then go for the harder problems.

sam
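A default egress block on port 25 with a per-customer exception list, as Sam describes and as Model A earlier in the thread assumes, is mostly bookkeeping: keep the pools, the opt-outs and the relay in data and generate the whole access list from them, so the router receives a complete replacement list rather than line-by-line edits of the live one (the atomic-replace problem Florian raised earlier). The following is an added example, not code from the thread, from Sam's network or from any vendor. The prefixes, the relay address and the opt-out entries are constructed, and the IOS rendering is illustrative of the extended-ACL syntax rather than a tested configuration for any particular platform.

```python
"""Egress port 25 policy for residential pools with a customer opt-out list.

Added example, not code from the thread or from any ISP named in it. The
prefixes, the relay address and the opt-out entries are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]          # TCP destination port; None means any traffic
    note: str = ""


# Constructed data: two residential pools, the ISP's own submission relay,
# and the customers who asked to be unfiltered.
RESIDENTIAL_POOLS = [ipaddress.ip_network("198.51.100.0/24"),
                     ipaddress.ip_network("203.0.113.0/24")]
ISP_RELAY = ipaddress.ip_network("192.0.2.25/32")
OPT_OUT = [ipaddress.ip_network("198.51.100.40/32"),
           ipaddress.ip_network("203.0.113.128/30")]


def build_policy(pools, relay, opt_out) -> List[Rule]:
    """Order matters: first match wins, as in an IOS access list."""
    rules = []
    for pool in pools:                      # mail clients still reach the ISP relay
        rules.append(Rule("permit", pool, relay, 25, "isp relay"))
    for net in opt_out:                     # customers who requested an exception
        rules.append(Rule("permit", net, ANY, 25, "customer exception"))
    for pool in pools:                      # everything else to port 25 is dropped
        rules.append(Rule("deny", pool, ANY, 25, "default block"))
    rules.append(Rule("permit", ANY, ANY, None, "all other traffic"))
    return rules


def evaluate(rules, src, dst, dport, proto="tcp") -> str:
    """Return the action the first matching rule takes for one flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s not in r.src or d not in r.dst:
            continue
        if r.dport is not None and not (proto == "tcp" and dport == r.dport):
            continue
        return r.action
    return "deny"                           # implicit deny at the end of an IOS ACL


def render_ios(rules, name) -> str:
    """Render as an IOS extended ACL using inverse (wildcard) masks. Giving the
    list a versioned name lets the operator create the new list and rebind it
    with 'ip access-group', instead of editing the live list entry by entry."""
    def addr(net):
        if net == ANY:
            return "any"
        if net.prefixlen == 32:
            return f"host {net.network_address}"
        return f"{net.network_address} {net.hostmask}"
    lines = [f"ip access-list extended {name}"]
    for r in rules:
        if r.dport is None:
            lines.append(f" {r.action} ip {addr(r.src)} {addr(r.dst)}")
        else:
            lines.append(f" {r.action} tcp {addr(r.src)} {addr(r.dst)} eq {r.dport}")
    return "\n".join(lines)


def opt_out_share(pools, opt_out) -> float:
    """Fraction of residential addresses whose owner asked to be unfiltered."""
    total = sum(p.num_addresses for p in pools)
    excepted = sum(n.num_addresses for n in opt_out)
    return excepted / total


if __name__ == "__main__":
    policy = build_policy(RESIDENTIAL_POOLS, ISP_RELAY, OPT_OUT)
    print(render_ios(policy, "RES-EGRESS-v2"))
    print(evaluate(policy, "198.51.100.7", "93.184.216.34", 25))   # deny
```

The relay permit comes first so that customers keep submitting mail through the ISP's own server, the exceptions come next, and only then the pool-wide deny; reversing the last two silently blocks the customers who asked to be unblocked. Only TCP to port 25 is touched, so the final catch-all leaves every other protocol and port alone.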
Re: botted hosts
On Mon, 04 Apr 2005 15:45:01 CDT, John Dupuy said: > MODEL A: ISPs filter at the source; spam is reduced > MODEL B: ISPs filter incoming mail traffic; spam is reduced. > ISP's increase the effectiveness of blacklists and locating dynamic > Which model really provides us with the best of both worlds: less spam yet > more freedom to innovate? I would say model A does. > > However, I am not convinced of this. Please pick apart my models.. Obviously, the filtering has to be done at least at one end. And although it would be nice if I lived in a world where the ISP originating the mail was filtering it, I don't live there. So unless you have a *realistic* proposal to make all the spam-haven ISPs find religion, see the light, and oust their spammers *without* the "do it or be blocked everyplace" (your plan B), it's not going to happen in our lifetime...
Re: botted hosts
Petri Helenius <[EMAIL PROTECTED]> wrote: [...] > If the nanog readership is a few thousands, that's only ~5-10k for > each of us. Piece of cake. And I still don't buy the number. I might > buy 2M. If the nanog readership is a few thousands, I suspect most of the readership is small fry looking after a small amount of address space. For example, I'm pretty much lost on the radar given my purview is but a pair of /19s. Not everybody can be a Tier 1 provider... Even though my user base may not be considered the most well-behaved netizens (IRCNet I-lines were probably invented for them) I suspect that trying to find 5-10k rogue users in an address space covering about 16,000 hosts may still be a tad optimistic. -- PGP key ID E85DC776 - finger [EMAIL PROTECTED] for full key
Re: botted hosts
* Petri Helenius: >>There are at least 20 million and probably more compromised computers on >>the Internet. Who has a plan to fix them? >> >> > If the nanog readership is a few thousands, that's only ~5-10k for each > of us. Piece of cake. And I still don't buy the number. I might buy 2M. 2M was a rather conservative estimate for Agobot/Phatbot infections *alone* when it started to hit big. The number of distinct IP addresses per day at the load-test servers was surprisingly high and matched the published estimates (which must have looked like fearmongering to most operators back then).
Re: botted hosts
--Dean On 4 Apr 2005, Paul Vixie wrote: > > [EMAIL PROTECTED] (Sean Donelan) writes: > > > Do you want an Internet where your provider decides for you, with whom and > > when you are allowed to communicate? Or do you want to decide for yourself > > whether to accept or not accept the communication? > > i want weak protocols restricted to LANs or at most campuses or ISPs. that > means UDP/137, UDP/139, and TCP/25 at the moment. stay tuned, we might be > adding more. oh and as long as you're considering whether to restrict > things to your LAN/campus/ISP, i'm ready to see rfc1918 filters deployed... Does that include DNS? That's a pretty weak protocol. --Dean -- Av8 Internet Prepared to pay a premium for better service? www.av8.net faster, more reliable, better service 617 344 9000
The Register: .NET report was fudged
The Register: "The controversial report over ownership of the .net registry was fudged and the evidence is contained within the report itself." http://www.theregister.co.uk/2005/04/04/telcordia_report_slammed/ - ferg -- "Fergie", a.k.a. Paul Ferguson Engineering Architecture for the Internet [EMAIL PROTECTED] or [EMAIL PROTECTED]
Re: botted hosts
On Mon, 04 Apr 2005 19:14:26 EDT, Dean Anderson said: > On 4 Apr 2005, Paul Vixie wrote: > > i want weak protocols restricted to LANs or at most campuses or ISPs. that > > means UDP/137, UDP/139, and TCP/25 at the moment. stay tuned, we might be > > adding more. oh and as long as you're considering whether to restrict > > things to your LAN/campus/ISP, i'm ready to see rfc1918 filters deployed... > > Does that include DNS? That's a pretty weak protocol. One must wonder if this proposal would get more traction, or less, if we changed from "weak protocol" to "lame protocol". Now where's my asbestos skivvies? :)
Reports or data on data centres without access to competitive fibre
Hello, I was looking around for any reports, press releases or even yarns about the issues data centres face when they are built without access to competitive fibre optic cable. Any links or other data appreciated. Cheers, SB -- Stephen Baxter Technical Director - PIPE Networks Winner Australian Telecommunications Users Group 2005 award for 'Best Communication Solution for Large Business' Peering,IX points and dark fiber in Australia. Largest peering network downunder. phone : 07 3233 9800/ 0417 818 695 fax : 07 3220 1800 web : www.pipenetworks.com
Re: botted hosts
On Apr 5, 2005 2:18 AM, Florian Weimer <[EMAIL PROTECTED]> wrote: > * Suresh Ramasubramanian: > > > Find them, isolate them into what some providers call a "walled > > garden" - vlan them into their own segment from where all they can > > access are antivirus / service pack downloads > > Service pack downloads? Do you expect ISPs to pirate Windows (or > large parts thereof)? Or has Microsoft finally seen the light? > I do believe I heard somewhere about ISPs bundling a pack of free AV / spyware remover tools with their install CD - AVG and such. However when it comes to allowing downloads, I guess something like Cisco's NBAR would help even if it were offsite downloads - these URLs / URL regexes are allowed, the rest are not, at least till the user disinfects his PC. -- Suresh Ramasubramanian ([EMAIL PROTECTED])
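Whether the walled garden is enforced with NBAR or in a proxy, its allowlist is only as good as what it matches on. The added example below is not NBAR configuration and not code from the thread; the vendor hostnames are constructed. It checks URLs against an allowlist by parsed hostname and contrasts that with an unanchored regex of the kind an operator might type into a URL filter, which lets a quarantined bot fetch from a look-alike domain, or hide the allowed name in the query string or in the userinfo part of the URL.

```python
"""Walled-garden URL check: which destinations a quarantined host may still
reach. Added example; it is not NBAR configuration and not code from the
thread. The vendor hostnames are constructed.
"""
import re
from urllib.parse import urlsplit

# Constructed allowlist: exact hosts, plus one suffix for a vendor's mirrors.
ALLOWED_HOSTS = {"update.example-av.test", "download.example-vendor.test"}
ALLOWED_SUFFIXES = (".update.example-vendor.test",)


def host_allowed(url: str) -> bool:
    """Allow only if the parsed host is on the list or under an allowed suffix.
    Matching on the host (not the raw URL string) keeps the query string,
    userinfo and look-alike domains from satisfying the check."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    if not host:
        return False
    if host in ALLOWED_HOSTS:
        return True
    return any(host.endswith(suffix) for suffix in ALLOWED_SUFFIXES)


# The unanchored regex a hurried operator might put into a URL filter.
NAIVE_PATTERN = re.compile(r".*example-vendor\.test.*")


def naive_allowed(url: str) -> bool:
    """Substring match anywhere in the URL: passes every bypass below."""
    return NAIVE_PATTERN.match(url) is not None


# Constructed bypass attempts a bot on the quarantine VLAN could try.
BYPASS_ATTEMPTS = [
    "http://download.example-vendor.test.evil.test/sp.exe",      # look-alike suffix
    "http://evil.test/get?ref=download.example-vendor.test",     # name in query
    "http://download.example-vendor.test@evil.test/",            # name in userinfo
]


def compare(urls):
    """Return [(url, naive_verdict, anchored_verdict)] for the given URLs."""
    return [(u, naive_allowed(u), host_allowed(u)) for u in urls]


if __name__ == "__main__":
    for url, naive, strict in compare(BYPASS_ATTEMPTS):
        print(f"naive={naive!s:5} anchored={strict!s:5} {url}")
```

The suffix entry is written with a leading dot so that `mirror1.update.example-vendor.test` qualifies while `notupdate.example-vendor.test` does not; a trailing dot on the host (an absolute DNS name) is stripped before comparison so it cannot be used to slip past an exact-match entry either.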
Re: botted hosts
On Mon, 4 Apr 2005 [EMAIL PROTECTED] wrote: > On Mon, 04 Apr 2005 15:45:01 CDT, John Dupuy said: > > > MODEL A: ISPs filter at the source; spam is reduced > > > MODEL B: ISPs filter incoming mail traffic; spam is reduced. > > ISP's increase the effectiveness of blacklists and locating dynamic > > > Which model really provides us with the best of both worlds: less spam yet > > more freedom to innovate? I would say model A does. > > > > However, I am not convinced of this. Please pick apart my models.. > > Obviously, the filtering has to be done at least at one end. And although it > would be nice if I lived in a world where the ISP originating the mail was > filtering it, I don't live there. where ISP could be, for instance, cable-modem-provider-C that forces their customers through their relays and would filter outbound email? > > So unless you have a *realistic* proposal to make all the spam-haven ISPs > find religion, see the light, and oust their spammers *without* the "do it or FAUSP ?