Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-20 Thread Valdis Kletnieks
On Mon, 20 Feb 2006 23:54:38 EST, Sean Donelan said:
> On the other hand, the number of infected computers never seems to spiral
> out of control. I've been wondering, instead of trying to figure out why
> some computers get infected, should we be trying to figure out why most
> computers don't become infected?

I've seen more than one estimate that most computers *are* infected by at least
one piece of malware/spyware/etc, (including numbers as high as 90%) and if the
site that was tracking 1M new zombies/day is to be believed, they *are*
spiraling out of control.

And when a significant fraction of all new computers are bought as a virus/worm
control method, things *are* out of control:

http://www.nytimes.com/2005/07/17/technology/17spy.html?ei=5090&en=5b2b6783f66a7422&ex=1279252800&adxnnl=1&partner=rssuserland&emc=rss&adxnnlx=1121859260-edx1SJD7lWy7D6PMipItjw

I suspect that in fact, a *lot* of computers have crud on them, but people's
expectations have dropped - as long as the virus doesn't actually kill the
host, it's tolerated.

If Aunt Matilda is avoiding all this stuff, the most likely reason that Aunt
Matilda doesn't get more crudware on her system is because she wouldn't be
caught dead visiting non-reputable websites that you're likely to get caught in
a drive-by fruiting - and none of her friends would either, so she never gets
her e-mail address scraped and used as a target...

But we already knew that, and there's no good way to leverage it when everybody
who *isn't* an Aunt Matilda *does* visit those kind of sites, or knows people
who do...





Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-20 Thread Rob Thomas

Hey, Bill.

The vast majority of what I see is based on financial gain.
Popping a web+database server, installing a rootkit, and
transferring off the day's business transactions is a lot more
certain than popping 10K Windows boxes and hoping the users go
shopping.  Yep, seen it more than once.  Check your PHP-based
tools, folks.

According to the criminals, Internet-wide mayhem would really
get in the way of the revenue stream.  They need a stable
Internet to get the cash.

Cleaning out bank accounts is more lucrative than one might
suspect.  The current record observed by us is approximately US
$3M in one take.  Most of them are much smaller.  That bothers
me more, actually.  What person with only US $800 to their name
has a hope of rapid response to the loss of all their cash?

Just to be clear I agree that home users using Windows are at
risk for all sorts of nasty things, and they need help.  I also
didn't want folks to believe that it is a problem related to
one OS or demographic.  It's a problem of crime, mostly.

Thanks,
Rob.
-- 
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee != empty);



Subject: drone armies C&C report - February/2006

2006-02-20 Thread c2report

Below is an automatically generated periodic public report from the
ISOTF's affiliated group "DA" ("Drone Armies (botnets) research and
mitigation mailing list" / TISF DA) with the ISOTF affiliated ASreport
project (TISF / RatOut).

For this report it should be noted that we base our analysis on the data
we have accumulated from various sources, which may be incomplete.

Any responsible party that wishes to receive reports of botnet command
and control servers on their network(s) regularly and directly, feel
free to contact us.

In the past few months we did not publish this report, allowing for
responsible parties to ask for regular reports from us on suspected
botnet C&C activity on their networks. As you can see below, the
Internet drastically changed its face positively because these reports
(compared to when we started), and now a lot more so due to direct
reporting.

For purposes of this report we use the following terms:
open    the host completed the TCP handshake
closed  no activity detected
reset   issued a RST

This month's survey is of 4271 unique domain-with-port or IP-with-port
suspect C&Cs. This list is extracted from the BBL which currently has a
historical base of 7780 reported C&Cs. Of the suspect C&Cs surveyed, 685
reported as Open, 3353 reported as closed and 572 issued resets to the
survey instrument. Of the C&Cs listed by domain name, 1847 are mitigated
via remapping.


Top 20 ASNes by Total suspect domains mapping to a host in the ASN.
These numbers are determined by counting the number of domains which
resolve to a host in the ASN.  We do not remove duplicates and some of
the ASNs reported have many domains mapping to a single IP.  Note the
Percent_resolved figure is calculated using only the Total and Open
counts and does not represent a mitigation effectiveness metric.

ASN     Responsible Party                     Total  Open  Percent_Resolved
14744   PNAP Internap Network Services           91     0  100%
10913   PNAP Internap Network Services           67     0  100%
30058   FDCSE FDCservers.net LLC                 65    18   72%
25761   STAMIN-2 Staminus Communications         58     6   90%
3356    Level 3 Communications, LLC              53     0  100%
13301   UNITEDCOLO-AS Autonomous System of       52    35   33%
14779   INKT Inktomi Corporation                 42     0  100%
21844   THE PLANET                               41     2   95%
19318   AIC-81 Albany International Corp.        40    11   73%
13749   EVRY Everyones Internet                  37     5   86%
4766    KIXS-AS-KR                               35     2   94%
30315   Everyones Internet                       31    12   61%
12182   PNAP Internap Network Services           31     0  100%
9318    HANARO-AS                                30     9   70%
21840   SAGONE Sago Networks                     30     5   83%
13790   PNAP Internap Network Services           30     0  100%
22822   LLNW Limelight Networks                  29    10   66%
27595   ATRIV Atrivo                             27     5   81%
12832   Lycos Europe                             26     3   88%
3561    Savvis                                   24     1   96%


Top 20 ASNes by number of active suspect C&Cs.  These counts are
determined by the number of suspect domains or IPs located within
the ASN that completed a connection request.

ASN     Responsible Party                     Total  Open  Percent_Resolved
13301   UNITEDCOLO-AS Autonomous System of       52    35   33%
32748   NOZON NoZone                             21    20    5%
30058   FDCSE FDCservers.net LLC                 65    18   72%
174     Cogent Communications                    20    16   20%
25700   SWIFTDESK VENTURE                        19    13   32%
30315   Everyones Internet                       31    12   61%
4134    CHINANET-BACKBONE                        17    12   29%
19318   AIC-81 Albany International Corp.        40    11   73%
9121    TTNet                                    15    11   27%
22822   LLNW Limelight Networks                  29    10   66%
8972    INTERGENIA-ASN intergenia autonomou      21    10   52%
15083   IIS-129 Infolink Information Servic      24     9   63%
30407   Velcom.com                               12     9   25%
9318    HANARO-AS                                30     9   70%
20115   Charter Communications                   20     9   55%
23522   CIT-FOONET                               14     9   36%
16265   LEASEWEB AS                              15     9   40%
3269    TELECOM ITALIA                           16     8   50%
8560    SCHLUND-AS                               19     7   63%
19166   Alpha Red, INC                           14     7   50%
33569   ALLHOSTSHOP.COM                          16     6   63%
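To make the Percent_Resolved column and the ordering of the two tables concrete, here is an added Python example (written for this page, not the DA project's own tooling) that recomputes the column from the Total and Open counts with the half-up rounding the printed values imply, and re-derives the ranking of both tables from a few rows copied from above; the tab delimiter and the ascending-ASN tie-break are assumptions.

```python
"""Recompute the DA report's Percent_Resolved column from Total and Open.

Added example, not part of the report or the DA/TISF tooling.
"""
from __future__ import annotations

from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP

# A few rows copied from the report's tables above, written tab-separated
# as the survey output might look before column alignment (the tab
# delimiter is an assumption of this example).
SAMPLE_ROWS = (
    "ASN\tResponsible Party\tTotal\tOpen\tPercent_Resolved\n"
    "13301\tUNITEDCOLO-AS Autonomous System of\t52\t35\t33%\n"
    "32748\tNOZON NoZone\t21\t20\t5%\n"
    "30058\tFDCSE FDCservers.net LLC\t65\t18\t72%\n"
    "15083\tIIS-129 Infolink Information Servic\t24\t9\t63%\n"
    "19318\tAIC-81 Albany International Corp.\t40\t11\t73%\n"
    "14744\tPNAP Internap Network Services\t91\t0\t100%\n"
)


@dataclass(frozen=True)
class AsnRow:
    asn: int
    party: str
    total: int          # suspect C&C names/IPs resolving into the ASN
    open_: int          # of those, how many completed the TCP handshake
    reported_pct: int   # Percent_Resolved as printed in the report


def percent_resolved(total: int, open_: int) -> int:
    """Percent_Resolved = (Total - Open) / Total, as a whole percent.

    This is only "share of surveyed C&Cs that were not open"; a closed or
    reset C&C may simply have moved, so (as the report itself says) it is
    not a mitigation-effectiveness metric.

    The printed values (24 total / 9 open -> 63%, 40 / 11 -> 73%) show the
    report rounds .5 upward.  Python's round() uses banker's rounding and
    would give 62 for 62.5, so Decimal with ROUND_HALF_UP is used instead.
    """
    if total <= 0:
        raise ValueError("total must be positive")
    if not 0 <= open_ <= total:
        raise ValueError("open must lie between 0 and total")
    pct = Decimal(total - open_) * 100 / Decimal(total)
    return int(pct.quantize(Decimal("1"), rounding=ROUND_HALF_UP))


def parse_rows(text: str) -> list[AsnRow]:
    """Parse tab-separated report rows; the first line is the header."""
    rows: list[AsnRow] = []
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        asn, party, total, open_, pct = line.split("\t")
        rows.append(AsnRow(int(asn), party.strip(), int(total), int(open_),
                           int(pct.rstrip("%"))))
    return rows


def mismatched_rows(rows: list[AsnRow]) -> list[int]:
    """ASNs whose printed Percent_Resolved disagrees with the formula."""
    return [r.asn for r in rows
            if percent_resolved(r.total, r.open_) != r.reported_pct]


def rank_by_total(rows: list[AsnRow]) -> list[int]:
    """Ordering of the first table: most suspect domains/IPs first."""
    return [r.asn for r in sorted(rows, key=lambda r: (-r.total, r.asn))]


def rank_by_active(rows: list[AsnRow]) -> list[int]:
    """Ordering of the second table: most open (active) C&Cs first.

    The report does not say how it breaks ties, so ascending ASN is used
    here as a deterministic (assumed) tie-break.
    """
    return [r.asn for r in sorted(rows, key=lambda r: (-r.open_, r.asn))]


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    for r in rows:
        print(f"{r.asn:>6} {r.party:<36} {r.total:>5} {r.open_:>5} "
              f"{percent_resolved(r.total, r.open_):>4}%")
    print("rows disagreeing with the formula:", mismatched_rows(rows))
```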


Re: Cisco 3550 replacement

2006-02-20 Thread Saku Ytti

On (2006-02-20 21:54 -0600), [EMAIL PROTECTED] wrote:
> 
> Reality Check:
> 
> 32Gbps Backplane (Counted packet-in, packet-out, each direction, with all
> packets the same size, multicast?) and 52 GE interfaces.
> Not exactly non-blocking.
> Gotsta do the CiscoMath.

And no hierarchical QoS, which was a requirement of the original poster;
of course the 3550 offers no such thing either.

> ;-)
> 
> 
> 
> 
> 
> >
> >   On Mon, 20 Feb 2006, Jean-Francois Vaillancourt wrote:
> > > Check out the Cisco 3560 with "IP Services" software:
> > > http://www.cisco.com/en/US/products/hw/switches/ps5528/index.html
> > > it's basically a less expensive version of the 3750, without the
> > external
> > > 32 Gbps stack connection. Anything the 3550 did it does, faster.
> >
> > ...and with 52 GigE ports, instead of 4.
> >
> > -Bill
> >
> >
> 

-- 
  ++ytti


Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-20 Thread bmanning

On Tue, Feb 21, 2006 at 12:04:17AM -0600, Rob Thomas wrote:
> ] true enough.  but "auntie jane" doesn't have linux/unix web server(s)
> ] or router(s) (other than the one provided by her ISP and managed by them)
> ] and has zero clue about overly permissive machines.
> 
> Agreed.  Instead all of her financial records are on those
> unix web/database servers, or transit through those routers,
> etc.  There's a reason why such devices are popular with
> the criminals.  :(


what's the objective?  ID theft, fiscal mayhem - go for the
infrastructure stuff (like you say). lowest visible impact
for very high fiscal return.
destabilize the trust model, perceptions of availability?
large zombie packs might be your best bet.
(we're not in it for the money, we want social change!)

> 
> -- 
> Rob Thomas
> Team Cymru
> http://www.cymru.com/
> ASSERT(coffee != empty);


Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-20 Thread Gadi Evron


[EMAIL PROTECTED] wrote:

> On Mon, Feb 20, 2006 at 07:49:04PM -0600, Rob Thomas wrote:
> >
> > Hey, Bill.
> >
> > ] what is the mean-time-to-infection for a stock windows XP system
> > ] when plugged into the net?... 2-5minutes?  you can't get patches
> > ] down that fast.
> >
> > The same case can be made for Linux and Unix-based web servers with
> > vulnerable PHP-based tools.  There's also a large number of poorly
> > configured devices such as routers with easily guessed passwords,
> > overly permissive DNS name servers, etc.
> >
> > It's not simply a Windows problem.
> >
> > Thanks,
> > Rob.
>
> true enough.  but "auntie jane" doesn't have linux/unix web server(s)
> or router(s) (other than the one provided by her ISP and managed by them)
> and has zero clue about overly permissive machines.
>
> me thinks it is a -much- larger pool that gets taken advantage of
> with a much higher threshold of ignorance about problems.
>
> --bill


You described it best, and home users are indeed the problem discussed.

However, the amount of insecure routers out there is scary by itself. 
Rob has a lot more data on that than me and I don't doubt what he said.


--
http://blogs.securiteam.com/

"Out of the box is where I live".
-- Cara "Starbuck" Thrace, Battlestar Galactica.


Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-20 Thread Rob Thomas

]   true enough.  but "auntie jane" doesn't have linux/unix web server(s)
]   or router(s) (other than the one provided by her ISP and managed by them)
]   and has zero clue about overly permissive machines.

Agreed.  Instead all of her financial records are on those
unix web/database servers, or transit through those routers,
etc.  There's a reason why such devices are popular with
the criminals.  :(

-- 
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee != empty);



Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-20 Thread bmanning

On Mon, Feb 20, 2006 at 07:49:04PM -0600, Rob Thomas wrote:
> 
> Hey, Bill.
> 
> ] what is the mean-time-to-infection for a stock windows XP system
> ] when plugged into the net?... 2-5minutes?  you can't get patches
> ] down that fast.
> 
> The same case can be made for Linux and Unix-based web servers with
> vulnerable PHP-based tools.  There's also a large number of poorly
> configured devices such as routers with easily guessed passwords,
> overly permissive DNS name servers, etc.
> 
> It's not simply a Windows problem.
> 
> Thanks,
> Rob.

true enough.  but "auntie jane" doesn't have linux/unix web server(s)
or router(s) (other than the one provided by her ISP and managed by them)
and has zero clue about overly permissive machines.

me thinks it is a -much- larger pool that gets taken advantage of
with a much higher threshold of ignorance about problems.

--bill



Re: Quarantine your infected users spreading malware

2006-02-20 Thread Gadi Evron


[EMAIL PROTECTED] wrote:

> On Mon, 2006-02-20 at 23:40:48 +0200, Gadi Evron proclaimed...
>
> [snip]
>
> > I'll update on these as I find out more on: http://blogs.securiteam.com
> >
> > This write-up can be found here:
> > http://blogs.securiteam.com/index.php/archives/312
>
> Ah yes, the old self-promotion trick. You know, I get some ads for
> [EMAIL PROTECTED] that sound pretty good until I have to click on their
> link to get more information.

The information, quite a bit of it, comes before the link. If you'd like
I can send it to you again. Thanks!


Gadi.

--
http://blogs.securiteam.com/

"Out of the box is where I live".
-- Cara "Starbuck" Thrace, Battlestar Galactica.


Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-20 Thread Gadi Evron


Sean Donelan wrote:

> On Tue, 21 Feb 2006, Christopher L. Morrow wrote:
> > it's also not just a 'i got infected over the net' problem... where is
> > that sean when you need his nifty stats :) Something about no matter what
> > you filter grandpa-jones will find a way to click on the nekkid jiffs of
> > Anna Kournikova again :(
>
> Give me (or CAIDA) permission to peek inside your networks and I'm sure
> there are lots of nifty stats we could anonymize :)
>
> The big mystery for me has always been the computers that are infected
> BEFORE they are connected to the network for the first time (according
> to their owners).  It's never repeatable, and never provable, but the
> computer owner swears it happened.  In any case, the home computer is
> owned by the home user, not the ISP or an employer or a media company.  If
> you make something attractive enough to the user, he will find a way to
> get it on his computer no matter how many roadblocks you try to put in
> the way.
>
> An ISP blocking one virus or worm doesn't change the end result.  Time
> after time I've watched, the computers eventually get infected anyway.
> Although it may appear to take longer or your NIDS may not pick up the
> final signature.  Look at Adlex, Motive, Arbor, ISS, Microsoft and other
> vendors for ideas I've used over several years and they are now selling.
>
> On the other hand, the number of infected computers never seems to spiral
> out of control. I've been wondering, instead of trying to figure out why
> some computers get infected, should we be trying to figure out why most
> computers don't become infected?


Comment only on last paragraph:
Many *home* computers do, quite a few *corporate* do as well, in my
experience.


Even if they didn't the numbers we face are significant enough.

--
http://blogs.securiteam.com/

"Out of the box is where I live".
-- Cara "Starbuck" Thrace, Battlestar Galactica.


Re: Quarantine your infected users spreading malware

2006-02-20 Thread eric-list-nanog

On Mon, 2006-02-20 at 23:40:48 +0200, Gadi Evron proclaimed...

[snip]

> I'll update on these as I find out more on: http://blogs.securiteam.com
> 
> This write-up can be found here: 
> http://blogs.securiteam.com/index.php/archives/312

Ah yes, the old self-promotion trick. You know, I get some ads for
[EMAIL PROTECTED] that sound pretty good until I have to click on their
link to get more information.

Moderators: doesn't this border on spam?


Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-20 Thread Sean Donelan

On Tue, 21 Feb 2006, Christopher L. Morrow wrote:
> it's also not just a 'i got infected over the net' problem... where is
> that sean when you need his nifty stats :) Something about no matter what
> you filter grandpa-jones will find a way to click on the nekkid jiffs of
> Anna Kournikova again :(

Give me (or CAIDA) permission to peek inside your networks and I'm sure
there are lots of nifty stats we could anonymize :)

The big mystery for me has always been the computers that are infected
BEFORE they are connected to the network for the first time (according
to their owners).  It's never repeatable, and never provable, but the
computer owner swears it happened.  In any case, the home computer is
owned by the home user, not the ISP or an employer or a media company.  If
you make something attractive enough to the user, he will find a way to
get it on his computer no matter how many roadblocks you try to put in
the way.

An ISP blocking one virus or worm doesn't change the end result.  Time
after time I've watched, the computers eventually get infected anyway.
Although it may appear to take longer or your NIDS may not pick up the
final signature.  Look at Adlex, Motive, Arbor, ISS, Microsoft and other
vendors for ideas I've used over several years and they are now selling.

On the other hand, the number of infected computers never seems to spiral
out of control. I've been wondering, instead of trying to figure out why
some computers get infected, should we be trying to figure out why most
computers don't become infected?



Re: Cisco 3550 replacement

2006-02-20 Thread cb

Reality Check:

32Gbps Backplane (Counted packet-in, packet-out, each direction, with all
packets the same size, multicast?) and 52 GE interfaces.
Not exactly non-blocking.
Gotsta do the CiscoMath.

;-)





>
>   On Mon, 20 Feb 2006, Jean-Francois Vaillancourt wrote:
> > Check out the Cisco 3560 with "IP Services" software:
> > http://www.cisco.com/en/US/products/hw/switches/ps5528/index.html
> > it's basically a less expensive version of the 3750, without the
> external
> > 32 Gbps stack connection. Anything the 3550 did it does, faster.
>
> ...and with 52 GigE ports, instead of 4.
>
> -Bill
>
>



Re: Cisco 3550 replacement

2006-02-20 Thread Bill Woodcock

  On Mon, 20 Feb 2006, Jean-Francois Vaillancourt wrote:
> Check out the Cisco 3560 with "IP Services" software:
> http://www.cisco.com/en/US/products/hw/switches/ps5528/index.html
> it's basically a less expensive version of the 3750, without the external
> 32 Gbps stack connection. Anything the 3550 did it does, faster.

...and with 52 GigE ports, instead of 4.

-Bill



Re: Quarantine your infected users spreading malware

2006-02-20 Thread Jason Frisvold

On 2/20/06, Edward W. Ray <[EMAIL PROTECTED]> wrote:
> ISPs should not police users, just like auto manufacturers should not police
> drivers.  That is what driver's licenses are for.

So the state polices the drivers..  Should the state police the
internet as well?  And how would that be implemented?  The ISP will
take the brunt of the operational interference anyways as the "police"
have no other way of stopping those drivers.

And when Joe Drivers gets busted and banned, he'll make up a new
identity to use at ISP B.

I tend to agree with Gadi that we, the ISPs, need to do at least some
blocking.  I don't see it happening anytime soon though.  There's
still way too many ops out there who take something like this as a
challenge to their ability to operate a network when in fact, it's
the users who are the problem.  I'd rather open up everything and
allow a user 100% unfiltered access, but most users don't know what to
do with that and don't take proper precautions.

So, for residential users I think that a reasonable filter should be
applied.  Block stuff like Netbios.  Implement spoofing filters.  Do
whatever you can to "protect" the users without impacting their
ability to use the internet.  For commercial users, offer simple
protection, or make sure they know that they will be held responsible
for virus activity sourcing from them.  Shut down those ports if they
become active.

I also like the idea of putting infected users in a quarantine.  Alert
them via an automated process.  Give them access to updates, but
prevent them from infecting others.  I think this is a more than
reasonable expectation from end-users.  In fact, I'd be more inclined
to use an ISP that has safe-guards like this in place.

It might even be worth it to put together a best practices guide that
lays out the "minimum" requirements for something like this.  (It may
even exist..  If so, I'd be interested in reading it if someone would
be kind enough to provide a link)

> Ed Ray

Go Go Gadget Flame-Retardant Suit!

--
Jason 'XenoPhage' Frisvold
[EMAIL PROTECTED]


Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-20 Thread Valdis Kletnieks
On Tue, 21 Feb 2006 04:15:25 +0200, Gadi Evron said:
> The philosophical discussion aside (latest one can be found under "zotob 
> port 445 nanog" on Google), presenting some new technologies that shows 
> this *can* be done changes the picture.

OK. The tech exists, or can be made to exist.  The unanswered question is
still "How do you get a disinterested ISP to be interested in it?"

The horse has been led. Now make him drink the kook-aid.






Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-20 Thread Gadi Evron


Christopher L. Morrow wrote:

> it's also not just a 'i got infected over the net' problem... where is
> that sean when you need his nifty stats :) Something about no matter what
> you filter grandpa-jones will find a way to click on the nekkid jiffs of
> Anna Kournikova again :(
>
> anyway, someone mentioned the rafts of posts in the archives, it'd be nice
> if this was all just referred there :(


I quite agree, unless other solutions can be presented, and indeed, 2 
new ones have so far.


The philosophical discussion aside (latest one can be found under "zotob 
port 445 nanog" on Google), presenting some new technologies that shows 
this *can* be done changes the picture.


I believe it was actually Randy Bush's idea in that last thread, to use 
such software.


Gadi.


Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-20 Thread Christopher L. Morrow

On Mon, 20 Feb 2006, Rob Thomas wrote:

>
> Hey, Bill.
>
> ] what is the mean-time-to-infection for a stock windows XP system
> ] when plugged into the net?... 2-5minutes?  you can't get patches
> ] down that fast.
>
> The same case can be made for Linux and Unix-based web servers with
> vulnerable PHP-based tools.  There's also a large number of poorly
> configured devices such as routers with easily guessed passwords,
> overly permissive DNS name servers, etc.
>
> It's not simply a Windows problem.

it's also not just a 'i got infected over the net' problem... where is
that sean when you need his nifty stats :) Something about no matter what
you filter grandpa-jones will find a way to click on the nekkid jiffs of
Anna Kournikova again :(

anyway, someone mentioned the rafts of posts in the archives, it'd be nice
if this was all just referred there :(


botnets for good? [was: and here are some answers]

2006-02-20 Thread Gadi Evron


[EMAIL PROTECTED] wrote:

Hey Bill,

> i'm beginning to think that botnet like structures are in fact the
> wave of the future.  ... and instead of trying to eradicate them, we should
> be looking at ways to use botnet like structures for adding value to
> an increasingly more connected mesh of devices.  ...


I quite agree, you are more than right. Botnets have proven themselves 
as a very powerful "construct", if that is how we are to call them. You 
are more than right.


And indeed, bots were not originally bad entities on the Internet,
numbering in the hundreds of millions, DDoSing, spamming, stealing Aunty
Jane's credit card and your identity. No, they are very useful for
numerous reasons, just very few of which are IRC channel operating related.


Combine them with a distributed environment, and you get very powerful
computing engines to do quite a bit of tasks. Point them at a problem,
and they will address it as one. Create Akamai, and you will even get
some redundancy. I am not saying SETI@Home or Akamai are botnets, but
these are some good uses for similar technology, at least in concept.


:)

The distinction should be made when one speaks of botnets as we know 
them today, for good. As breaking into a machine in order to fix it, as 
an example, is in no way different than breaking into it in order to spy 
on it, use it or destroy it. You may eventually cause these anyway, as;

- You don't know how a machine will respond.
- You don't know who else may (ab)use your system.
- You can't know if you won't get sued.
- Etc.

This is an on-going ethical and legal debate in botnet fighting circles. 
If we see a 1 million hosts botnet just waiting to attack, and we can 
use the back-door to upload an executable and remove the bot, is that OK?


Aside to it being illegal, you possibly causing the remote machine to 
crash, triggering some IDS/entering into a log/getting sued/whatever, 
you will most likely discover that machine coming back infected yet 
again, or already a member of 30 other botnets with other malware.


We should also remember that when talking of botnets for practical uses, 
they should probably be addressed as a 'concept' rather than structure. 
Today's structure looks mostly like a terrorism cell as David Dagon 
likes to mention, but the structure may vary considerably. Today's IRC 
based C&C's may be the most prevalent and most useful STILL, but in no 
way constitute the only way C&C's are run and botnets are constructed.

:)


> of course YMMV - but i'm not persuaded that botnet.hivemind constructs are
> -NOT- inherently evil... they can be turned that way, but if there is a
> value to such things, we ought to be able to use them for our own
> purposes.


borrowing from you with another analogy...

So is spam. Spam proved itself to be the most efficient way of selling
and advertising ever invented. One could say legalizing and regulating
it will bring in an incredible amount of good taxes for the different
governments, as well as then concentrating only on those who break the
law, such as by using botnets, sending kiddie porn, phishing, etc.



Gadi.

--
http://blogs.securiteam.com/

"Out of the box is where I live".
-- Cara "Starbuck" Thrace, Battlestar Galactica.


Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-20 Thread Rob Thomas

Hey, Bill.

]   what is the mean-time-to-infection for a stock windows XP system
]   when plugged into the net?... 2-5minutes?  you can't get patches
]   down that fast.

The same case can be made for Linux and Unix-based web servers with
vulnerable PHP-based tools.  There's also a large number of poorly
configured devices such as routers with easily guessed passwords,
overly permissive DNS name servers, etc.

It's not simply a Windows problem.

Thanks,
Rob.
-- 
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee != empty);



RE: Quarantine your infected users spreading malware

2006-02-20 Thread Frank Bulk



-Original Message-
From: Gadi Evron [mailto:[EMAIL PROTECTED] 
Sent: Monday, February 20, 2006 7:35 PM
To: [EMAIL PROTECTED]
Cc: nanog@merit.edu
Subject: Re: Quarantine your infected users spreading malware

Frank Bulk wrote:
> We're one of those user/broadband ISPs, and I have to agree with the
> other commentary that to set up an appropriate filtering system
> (either user, port, or conversation) across all our internet access
> platforms would be difficult.  Put it on the edge and you miss the
> intra-net traffic, put it in the core and you need a box on every
> router, which for larger or geographically distributed ISPs could be
> cost-prohibitive.

I have a question here, do you have repeat offenders in your abuse desk who
are of the malware-sort rather than bad people? Can these be put in a
specific group?

FB> Most of the repeat offenders tend to be people who lack the ability to
choose website judiciously, to put it kindly.  But when we encourage them to
get a pop-up blocker, update their antivirus (either the whole program or
definitions), and install a firewall (Windows XP or cheap NAT router), the
problem usually fades away.  Most "just didn't know" that their computer was
spewing forth spam or viruses, being used as a proxy, or part of some kind
of botnet.

> In relation to that ThreatNet model, we just could wish there was a 
> place we could quickly and accurately aggregate information about the 
> bad things our users are doing -- a combination of RBL listings, 
> abuse@, SenderBase, MyNetWatchman, etc.  We don't have our own traffic 
> monitoring and analysis system in place, and even if we did, I'm 
> afraid our work would still be very reactionary.
> 
> And for the record, we are one of those ISPs that blocks ports 139 and 
> 445 on our DSLAM and CMTS, and we've not received one complaint, but 
> I'm confident it has cut down on a host of infections.

Would you happen to have statistics on how far it did/didn't help reduce
abuse reports, tech support calls, etc.?

FB> We don't look at the logs for entries regarding ports 139/445, but when
we last looked it was a few unique IP addresses per day.  And due our size,
we have no idea how much it reduced abuse reports.  It's been in place for
several years.

> 
> Frank

Gadi.



Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-20 Thread bmanning

> Edward W. Ray wrote:
> >IMHO, a user should have to demonstrate a minimum amount of expertise and
> >have a up-to-date AV, anti-spyware and firewall solution for their PCs.
> 
> The mostly-user ISP's will have to eventually do something or end up 
> being either regulated, spending more and more and more on tech support 
> and/OR abuse personnel, or written down as blackhat AS's.
> 
>   Gadi.

if i may 


to borrow a bit more from the "licensed to net" analogy...
are vendors being let off scot-free and leaving the burden of
responsibility to the consumer?  ISPs are the roads (likely toll)
and they should not be forced to create barriers, speed bumps,
and control methods for poor drivers who are sold crap for vehicles.
what is the mean-time-to-infection for a stock windows XP system
when plugged into the net?... 2-5minutes?  you can't get patches
down that fast.

i'm beginning to think that botnet like structures are in fact the
wave of the future.  ... and instead of trying to eradicate them, we should
be looking at ways to use botnet like structures for adding value to
an increasingly more connected mesh of devices.  ...

of course YMMV - but i'm not persuaded that botnet.hivemind constructs are
-NOT- inherently evil... they can be turned that way, but if there is a
value to such things, we ought to be able to use them for our own
purposes.



--bill  (who really has better things to do, but slugs are still in bed...)


Re: Quarantine your infected users spreading malware

2006-02-20 Thread Gadi Evron


Frank Bulk wrote:

> We're one of those user/broadband ISPs, and I have to agree with the other
> commentary that to set up an appropriate filtering system (either user,
> port, or conversation) across all our internet access platforms would be
> difficult.  Put it on the edge and you miss the intra-net traffic, put it in
> the core and you need a box on every router, which for larger or
> geographically distributed ISPs could be cost-prohibitive.

I have a question here, do you have repeat offenders in your abuse desk
who are of the malware-sort rather than bad people? Can these be put in
a specific group?

> In relation to that ThreatNet model, we just could wish there was a place we
> could quickly and accurately aggregate information about the bad things our
> users are doing -- a combination of RBL listings, abuse@, SenderBase,
> MyNetWatchman, etc.  We don't have our own traffic monitoring and analysis
> system in place, and even if we did, I'm afraid our work would still be very
> reactionary.
>
> And for the record, we are one of those ISPs that blocks ports 139 and 445
> on our DSLAM and CMTS, and we've not received one complaint, but I'm
> confident it has cut down on a host of infections.

Would you happen to have statistics on how far it did/didn't help reduce
abuse reports, tech support calls, etc.?

Thanks!

> Frank


Gadi.


Re: Cisco 3550 replacement

2006-02-20 Thread Jean-Francois Vaillancourt


Check out the Cisco 3560 with "IP Services" software:

http://www.cisco.com/en/US/products/hw/switches/ps5528/index.html

it's basically a less expensive version of the 3750, without the 
external 32 Gbps stack connection. Anything the 3550 did it does, faster.


JF

At 20/02/2006, Jacky Lam wrote:


Hi all,
I'm currently looking for a CPE that can replace the Cisco 3550 we currently
deploy in our network.  Key features that I'm looking for are as follows:
Hierarchical QOS
Traffic shaping/policing
L3VPN functionality(VRF-lite)


BGP
OSPF
dot1q
some sort of spanning tree

Any help would be really appreciated,

Jacky




RE: Quarantine your infected users spreading malware

2006-02-20 Thread Frank Bulk

We're one of those user/broadband ISPs, and I have to agree with the other
commentary that to set up an appropriate filtering system (either user,
port, or conversation) across all our internet access platforms would be
difficult.  Put it on the edge and you miss the intra-net traffic, put it in
the core and you need a box on every router, which for a larger or
geographically distributed ISP could be cost-prohibitive.

In relation to that ThreatNet model, we just could wish there was a place we
could quickly and accurately aggregate information about the bad things our
users are doing -- a combination of RBL listings, abuse@, SenderBase,
MyNetWatchman, etc.  We don't have our own traffic monitoring and analysis
system in place, and even if we did, I'm afraid our work would still be very
reactionary.

And for the record, we are one of those ISPs that blocks ports 139 and 445
on our DSLAM and CMTS, and we've not received one complaint, but I'm
confident it has cut down on a host of infections.

Frank

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gadi
Evron
Sent: Monday, February 20, 2006 3:41 PM
To: nanog@merit.edu
Subject: Quarantine your infected users spreading malware


Many ISP's who do care about issues such as worms, infected users "spreading
the love", etc. simply do not have the man-power to handle all their
infected users' population.

It is becoming more and more obvious that the answer may not be at the ISP's
doorstep, but the ISP's are indeed a critical part of the solution. What
their eventual role in user safety will be I can only guess, but it is clear
(to me) that this subject is going to become a lot "hotter" in coming years.

Aunty Jane (like Dr. Alan Solomon (drsolly) likes to call your average
user) is your biggest risk to the Internet today, and how to fix the user
none of us have a good idea quite yet. Especially since it's not quite one as
I put in a Heinlein quote below.

Some who are user/broadband ISP's (not say, tier-1 and tier-2's who would be
against it: "don't be the Internet's Firewall") are blocking ports such as
139 and 445 for a long time now, successfully preventing many of their users
from becoming infected. This is also an excellent first step for responding
to relevant outbreaks and halting their progress.

Philosophy aside, it works. It stops infections. Period.

Back to the philosophy, there are some other solutions as well. Plus, should
this even be done?

One of them has been around for a while, but just now begins to mature: 
Quarantining your users.

Infected users quarantine may sound a bit harsh, but consider; if a user is
indeed infected and does "spread the joy" on your network as well as
others', and you could simply firewall him (or her) out of the world (VLAN,
other solutions which may be far better) letting him (or her) go only to a
web page explaining the problem to them, it's pretty nifty.

As many of us know, handling such users on tech support is not very
cost-effective to ISP's, as if a user makes a call the ISP already loses
money on that user. Then again, paying abuse desk personnel just so that
they can disconnect your users is losing money too.

Which one would you prefer?

Jose (Nazario) points to many interesting papers on the subject on his
blog: http://www.wormblog.com/papers/

Is it the ISP's place to do this? Should the ISP do this? Does the ISP have
a right to do this?

If the ISP is nice enough to do it, and users know the ISP might. Why not?

This (as well as port blocking) is more true for organizations other than
ISP's, but if they are indeed user/broadband ISP's, I see this as both the
effective and the ethical thing to do if the users are notified this might
happen when they sign their contracts. Then all the "don't be the Internet's
firewall" debate goes away.

I respect the "don't be the Internet's firewall issue", not only for the
sake of the cause but also because friends such as Steven Bellovin and others
believe in them a lot more strongly than I do. Bigger issues such as the
safety of the Internet exist now. That doesn't mean user rights are to be
ignored, but certainly so shouldn't ours, especially if these are mostly
unaffected?

I believe both are good and necessary solutions, but every organization
needs to choose what is best for it, rather than follow some pre-determined
blueprint. What's good for one may be horrible for another.

"You don't approve? Well too bad, we're in this for the species boys and
girls. It's simple numbers, they have more and every day I have to make
decisions that send hundreds of people, like you, to their deaths." -- Carl
Jenkins, Starship Trooper, the movie.
I don't think the second part of the quote is quite right (to say the
least), but I felt bad leaving it out, it's Heinlein after all... anyone who
claims he is a fascist though will have to deal with me. :) This isn't only
about users, it's about the bad guys and how they out-number us, too. They
h

RE: Quarantine your infected users spreading malware

2006-02-20 Thread Bill Nash



ISPs hold the relevant data to contact the users. This needs a feedback 
loop, in that ISPs need to know which traffic leaving their networks is 
misbehaviour somewhere else. Between firewall logs, IDS logs, netflow 
headers, apache logs, whatever. It's all there. It just needs to be used.


- billn

On Mon, 20 Feb 2006, Edward W. Ray wrote:



And I have a solution for bad drivers; require all manufacturers to fix the
steering wheel so that acknowledged "bad" drivers cannot turn the wheel to
make turns, change lanes, etc.  Or perhaps limit the mph to 35 max and deny
them access to freeways.

ISPs should not police users, just like auto manufacturers should not police
drivers.  That is what driver's licenses are for.

IMHO, a user should have to demonstrate a minimum amount of expertise and
have an up-to-date AV, anti-spyware and firewall solution for their PCs.
Drivers are required to have licenses, registration and insurance in order
to drive said vehicle, why not something similar for PCs.  You would have to
get the whole world to agree on that one, so it may be difficult to
implement.  But the US, EU, Japan, Australia should take the lead and
implement something like this.

Ed Ray



and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-20 Thread Gadi Evron


Edward W. Ray wrote:

IMHO, a user should have to demonstrate a minimum amount of expertise and
have an up-to-date AV, anti-spyware and firewall solution for their PCs.


That is why we have hundreds of millions of bots in the wild.

The mostly-user ISP's will have to eventually do something or end up 
being either regulated, spending more and more and more on tech support 
and/OR abuse personnel, or written down as blackhat AS's.


Some PRODUCTS, PRO and AGAINST links from people on quarantining of 
infected users, thanks to all those who shared so far!


Products so far (haven't tried or verified them myself):
http://www.rommon.com/sandbox.html
http://www.forescout.com/index.php?url=products&section=counteract

Other:
Eric Gauthier's Ethernet-oriented quarantine system (from NANOG in 
2003): http://www.nanog.org/mtg-0402/gauthier.html


Other choice papers from Jose's blog:
http://www.iab.org/documents/docs/2003-10-18-edge-filters.html
http://www.csl.sri.com/users/linda/bibs/publications/mmsm2005.pdf
http://www.csl.sri.com/papers/sri-csl-2005-03/
http://www.cs.wfu.edu/~fulp/Papers/iiaw05t.pdf
http://www.icir.org/vern/worm04/porras.pdf
http://www.icir.org/vern/worm04/xiong.pdf
http://www.cs.rpi.edu/research/pdf/05-01.pdf

Gadi.


RE: Quarantine your infected users spreading malware

2006-02-20 Thread Edward W. Ray

And I have a solution for bad drivers; require all manufacturers to fix the
steering wheel so that acknowledged "bad" drivers cannot turn the wheel to
make turns, change lanes, etc.  Or perhaps limit the mph to 35 max and deny
them access to freeways.

ISPs should not police users, just like auto manufacturers should not police
drivers.  That is what driver's licenses are for.

IMHO, a user should have to demonstrate a minimum amount of expertise and
have an up-to-date AV, anti-spyware and firewall solution for their PCs.
Drivers are required to have licenses, registration and insurance in order
to drive said vehicle, why not something similar for PCs.  You would have to
get the whole world to agree on that one, so it may be difficult to
implement.  But the US, EU, Japan, Australia should take the lead and
implement something like this.

Ed Ray



Re: Quarantine your infected users spreading malware

2006-02-20 Thread Bill Nash



While i'm not being told to shut up because this is off topic (yet), I'm 
going to suggest that people interested in continuing this conversation 
contact me off list and coordinate something ad hoc. The amount of 
bullshit I've already received in response to thinking that this has 
operational merit when it comes to mitigating both risk and effects is 
pretty astounding, even by nanog standards.


Thanks.

- billn

On Mon, 20 Feb 2006, Bill Nash wrote:




On Tue, 21 Feb 2006, Gadi Evron wrote:

Many ISP's who do care about issues such as worms, infected users 
"spreading the love", etc. simply do not have the man-power to handle all 
their infected users' population.


The ISPs will be a part of the solution.  However, ISPs fall into two major
categories:

1) The ones that read the types of lists that you posted this to
2) The ones that have the problem.

You're preaching to the choir, Gadi - and if there's *one* thing I'd like a
solution for, it's *that* problem.  How do you get the unwashed masses of ISPs
to join the choir so you can preach to them?


What products that answer this are out there, and how good, in your 
experience, are they?


We discussed this here before non-conclusively and stayed on philosophy, 
anyone has new experience on the subject?




Let's be clear in what we're addressing. Are we talking about an en masse 
quarantine of IP addresses sending the worm traffic, or identifying the 
C&C<->payload conversations and applying blocks accordingly?


Where are the anti-virus and software firewall vendors in this conversation? 
To be plain, this obviously isn't a problem you can solve with some border 
filters. The complexity, and fallout, from trying to put those kinds of 
filtering in is just too great. It's cumbersome to manage manually and 
operational impact is too great.


If we're going to philosophize about solutions, let's throw some ideas out. 
Where do concepts like ThreatNet fit into this notion? 
(http://ali.as/threatnet/) To save some reading, the idea behind ThreatNet is 
to establish a closed threat sharing network with trusted peers, sharing 
information about malcontents doing things on your network that they 
shouldn't be. If you can positively identify SSH brute force sources, port 
scan patterns, worm traffic, spam sources, etc, and report them to trusted 
peers in a collaborative fashion, it becomes easier to support intelligent 
and rapid traffic filtering concepts in your network designs, where 
appropriate, even if it's something as simple as putting together a business 
case for filtering entire netblocks or regions. (Yes, I write my own 
analyzers, and yes, I'm involved peripherally with this project.) ThreatNet 
is still pretty nascent, but conceptually it's got merit.


I'll bring up MainNerve again since they're the only vendor I've worked with 
that's got tools for selectively filtering known troublemakers.


As a potential solution, I bring both of these items up because they provide 
the ability to take good, distributed intelligence gathering and apply them 
to your network in a precision manner, if at all, in accordance with any 
unique policies you may have. The problem, as I see it, is that even if one 
ISP sees the bad behaviour, there's no communication amongst the community 
(that I can see) to relay or collate the history. It's like playing Mom off 
against Dad because they never talk to each other. For coming up with clear 
patterns of abuse and shenanigans, we're suffering from collective myopia 
because we're ignoring an aspect of our favorite big ass communications 
medium.


Or I'm completely off base, in which case tell me to shut up and I'll go back 
into my code coma.


- billn



Re: Quarantine your infected users spreading malware

2006-02-20 Thread Bill Nash



On Tue, 21 Feb 2006, Gadi Evron wrote:

Many ISP's who do care about issues such as worms, infected users 
"spreading the love", etc. simply do not have the man-power to handle all 
their infected users' population.



The ISPs will be a part of the solution.  However, ISPs fall into two major
categories:

1) The ones that read the types of lists that you posted this to
2) The ones that have the problem.

You're preaching to the choir, Gadi - and if there's *one* thing I'd like a
solution for, it's *that* problem.  How do you get the unwashed masses of 
ISPs

to join the choir so you can preach to them?


What products that answer this are out there, and how good, in your 
experience, are they?


We discussed this here before non-conclusively and stayed on philosophy, 
anyone has new experience on the subject?




Let's be clear in what we're addressing. Are we talking about an en masse 
quarantine of IP addresses sending the worm traffic, or identifying the 
C&C<->payload conversations and applying blocks accordingly?


Where are the anti-virus and software firewall vendors in this 
conversation? To be plain, this obviously isn't a problem you can solve 
with some border filters. The complexity, and fallout, from trying to put 
those kinds of filtering in is just too great. It's cumbersome to manage 
manually and operational impact is too great.


If we're going to philosophize about solutions, let's throw some ideas 
out. Where do concepts like ThreatNet fit into this notion? 
(http://ali.as/threatnet/) To save some reading, the idea behind ThreatNet 
is to establish a closed threat sharing network with trusted peers, 
sharing information about malcontents doing things on your network that 
they shouldn't be. If you can positively identify SSH brute force sources, 
port scan patterns, worm traffic, spam sources, etc, and report them to 
trusted peers in a collaborative fashion, it becomes easier to support 
intelligent and rapid traffic filtering concepts in your network designs, 
where appropriate, even if it's something as simple as putting together a 
business case for filtering entire netblocks or regions. (Yes, I write my 
own analyzers, and yes, I'm involved peripherally with this project.) 
ThreatNet is still pretty nascent, but conceptually it's got merit.


I'll bring up MainNerve again since they're the only vendor I've worked 
with that's got tools for selectively filtering known troublemakers.


As a potential solution, I bring both of these items up because they 
provide the ability to take good, distributed intelligence gathering and 
apply them to your network in a precision manner, if at all, in accordance 
with any unique policies you may have. The problem, as I see it, is that 
even if one ISP sees the bad behaviour, there's no communication amongst 
the community (that I can see) to relay or collate the history. It's like 
playing Mom off against Dad because they never talk to each other. For 
coming up with clear patterns of abuse and shenanigans, we're suffering 
from collective myopia because we're ignoring an aspect of our favorite 
big ass communications medium.


Or I'm completely off base, in which case tell me to shut up and I'll go 
back into my code coma.


- billn
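The feedback loop Bill describes above (ISPs hold the data to contact the user; firewall, IDS and netflow logs show which traffic misbehaves elsewhere; ThreatNet-style sharing of that evidence with trusted peers), as an added example in Python. This is my illustration, not code from the post, from ThreatNet or from MainNerve. The log lines, lease table, thresholds and account names are all constructed. The reporting side turns local sshd and firewall logs into a record a peer can act on (source address, category, first/last seen, count, nothing about our own customers); the receiving side maps a reported address back to the subscriber who held the lease at that moment, which is the step that needs the ISP's own data and is why address-only blocklists misfire on dynamic pools.

```python
"""Closing the feedback loop: turn local sshd/firewall evidence into a
report that can be shared with trusted peers, and map a reported address
back to the subscriber who held it at that time.  Added example; the log
lines, lease table, thresholds and account names are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timezone

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
SSH_RE = re.compile(r"^(\S+) sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+")
FW_RE = re.compile(r"^(\S+) kernel: DROP .*?SRC=(\S+) DST=(\S+) PROTO=TCP DPT=(\d+)")
SSH_FAILURES = 5     # constructed threshold: failed logins inside WINDOW_SECONDS
SCAN_TARGETS = 5     # constructed threshold: distinct hosts probed on 139/445
WINDOW_SECONDS = 60

# Constructed sample: one SSH brute-forcer, one SMB scanner, one harmless typo.
SAMPLE_LOGS = """\
2006-02-20T22:01:10Z sshd[2201]: Failed password for root from 198.51.100.7 port 40122 ssh2
2006-02-20T22:01:12Z sshd[2201]: Failed password for admin from 198.51.100.7 port 40123 ssh2
2006-02-20T22:01:15Z sshd[2201]: Failed password for invalid user oracle from 198.51.100.7 port 40124 ssh2
2006-02-20T22:01:17Z sshd[2201]: Failed password for test from 198.51.100.7 port 40125 ssh2
2006-02-20T22:01:19Z sshd[2201]: Failed password for guest from 198.51.100.7 port 40126 ssh2
2006-02-20T22:01:40Z sshd[2205]: Failed password for alice from 203.0.113.9 port 51000 ssh2
2006-02-20T22:05:01Z kernel: DROP IN=eth0 SRC=198.51.100.22 DST=192.0.2.1 PROTO=TCP DPT=139
2006-02-20T22:05:01Z kernel: DROP IN=eth0 SRC=198.51.100.22 DST=192.0.2.2 PROTO=TCP DPT=139
2006-02-20T22:05:02Z kernel: DROP IN=eth0 SRC=198.51.100.22 DST=192.0.2.3 PROTO=TCP DPT=445
2006-02-20T22:05:02Z kernel: DROP IN=eth0 SRC=198.51.100.22 DST=192.0.2.4 PROTO=TCP DPT=445
2006-02-20T22:05:03Z kernel: DROP IN=eth0 SRC=198.51.100.22 DST=192.0.2.5 PROTO=TCP DPT=139
2006-02-20T22:05:03Z kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.5 PROTO=TCP DPT=445
"""

# Constructed DHCP/RADIUS lease history: (address, account, lease start, lease end).
# The same address belongs to different accounts at different times, which is
# why the lookup has to be by time and not by address alone.
LEASES = [
    ("198.51.100.7", "acct-2042", "2006-02-19T18:00:00Z", "2006-02-20T17:59:59Z"),
    ("198.51.100.7", "acct-1001", "2006-02-20T18:00:00Z", "2006-02-21T06:00:00Z"),
    ("198.51.100.22", "acct-3310", "2006-02-20T12:00:00Z", "2006-02-21T00:00:00Z"),
]


def parse_ts(s):
    return datetime.strptime(s, TS_FMT).replace(tzinfo=timezone.utc)


def parse_events(text):
    """Yield (timestamp, source, kind, target) from the two supported log formats."""
    for line in text.splitlines():
        m = SSH_RE.match(line)
        if m:
            yield parse_ts(m.group(1)), m.group(2), "ssh-auth-fail", None
            continue
        m = FW_RE.match(line)
        if m and int(m.group(4)) in (139, 445):
            yield parse_ts(m.group(1)), m.group(2), "smb-probe", m.group(3)


def classify(kind, events):
    """Slide a WINDOW_SECONDS window over one source's events; return the
    category if any window crosses the threshold, else None."""
    for i, (start, _) in enumerate(events):
        window = [e for e in events[i:] if (e[0] - start).total_seconds() <= WINDOW_SECONDS]
        if kind == "ssh-auth-fail" and len(window) >= SSH_FAILURES:
            return "ssh-bruteforce"
        if kind == "smb-probe" and len({t for _, t in window}) >= SCAN_TARGETS:
            return "smb-scan"
    return None


def build_report(text):
    """Aggregate per (source, kind) and keep only what crossed a threshold.
    The shared record carries source, category, first/last seen and a count:
    enough for a peer to act on, nothing about our own customers."""
    by_src = defaultdict(list)
    for ts, src, kind, target in parse_events(text):
        by_src[(src, kind)].append((ts, target))
    report = []
    for (src, kind), events in by_src.items():
        events.sort(key=lambda e: e[0])
        category = classify(kind, events)
        if category:
            report.append({"source": src, "category": category,
                           "first_seen": events[0][0].strftime(TS_FMT),
                           "last_seen": events[-1][0].strftime(TS_FMT),
                           "events": len(events)})
    return report


def lookup_subscriber(leases, ip, ts_iso):
    """Receiving side: which account held this address when the peer saw it?"""
    ts = parse_ts(ts_iso)
    for lease_ip, account, start, end in leases:
        if lease_ip == ip and parse_ts(start) <= ts <= parse_ts(end):
            return account
    return None


def open_cases(report, leases):
    """Turn a peer's report into abuse-desk cases keyed by reported address."""
    return {entry["source"]: lookup_subscriber(leases, entry["source"], entry["first_seen"])
            for entry in report}


if __name__ == "__main__":
    rep = build_report(SAMPLE_LOGS)
    for entry in rep:
        print(entry)
    print(open_cases(rep, LEASES))
```

The single failed login from 203.0.113.9 and the single port-139 drop from 198.51.100.7 never make it into the report, which is the point of thresholding before sharing: a peer should receive patterns, not every dropped packet.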


Re: Quarantine your infected users spreading malware

2006-02-20 Thread Randy Bush

scott, these are all just gadi's self-promotion ads.  i recommend
procmail.

randy



Re: Quarantine your infected users spreading malware

2006-02-20 Thread Scott Weeks



> > Oh geez, here we go again...  Search the archives and
> > read until you're content.  It's a non-thread.  This
> > horse isn't only dead, it's not even a grease spot on
> >  the road any more. :-(
> 
> I quite agree, which is why I tried to cover the
> philosophical part  from both sides. Now, how about some
> solutions that came about since our  last discussion that
> was nothing BUT philosophy? 


You can't get there from here.

scott


Re: Quarantine your infected users spreading malware

2006-02-20 Thread Gadi Evron


Scott Weeks wrote:

- Original Message Follows -
From: Gadi Evron <[EMAIL PROTECTED]>


Many ISP's who do care about issues such as worms,
infected users  "spreading the love", etc. simply do not
have the man-power to handle  all their infected users'
population.




Some who are user/broadband ISP's (not say, tier-1 and
tier-2's who  would be against it: "don't be the
Internet's Firewall") are blocking  ports such as 139 and
445 for a long time now, successfully preventing  many of
their users from becoming infected. This is also an
excellent  first step for responding to relevant outbreaks
and halting their progress.

Philosophy aside, it works. It stops infections. Period.

Back to the philosophy, there are some other solutions as
well. Plus,  should this even be done?





Oh geez, here we go again...  Search the archives and read
until you're content.  It's a non-thread.  This horse isn't
only dead, it's not even a grease spot on the road any more.
 :-(


I quite agree, which is why I tried to cover the philosophical part 
from both sides. Now, how about some solutions that came about since our 
last discussion that was nothing BUT philosophy?


Re: Quarantine your infected users spreading malware

2006-02-20 Thread Gadi Evron


[EMAIL PROTECTED] wrote:

On Mon, 20 Feb 2006 23:40:48 +0200, Gadi Evron said:


Many ISP's who do care about issues such as worms, infected users 
"spreading the love", etc. simply do not have the man-power to handle 
all their infected users' population.


It is becoming more and more obvious that the answer may not be at the 
ISP's doorstep, but the ISP's are indeed a critical part of the 
solution. What their eventual role in user safety will be I can only 
guess, but it is clear (to me) that this subject is going to become a 
lot "hotter" in coming years.



The ISPs will be a part of the solution.  However, ISPs fall into two major
categories:

1) The ones that read the types of lists that you posted this to
2) The ones that have the problem.

You're preaching to the choir, Gadi - and if there's *one* thing I'd like a
solution for, it's *that* problem.  How do you get the unwashed masses of ISPs
to join the choir so you can preach to them?


What products that answer this are out there, and how good, in your 
experience, are they?


We discussed this here before non-conclusively and stayed on philosophy, 
anyone has new experience on the subject?


Thanks.


Re: Quarantine your infected users spreading malware

2006-02-20 Thread Valdis . Kletnieks
On Mon, 20 Feb 2006 23:40:48 +0200, Gadi Evron said:

> Many ISP's who do care about issues such as worms, infected users 
> "spreading the love", etc. simply do not have the man-power to handle 
> all their infected users' population.
> 
> It is becoming more and more obvious that the answer may not be at the 
> ISP's doorstep, but the ISP's are indeed a critical part of the 
> solution. What their eventual role in user safety will be I can only 
> guess, but it is clear (to me) that this subject is going to become a 
> lot "hotter" in coming years.

The ISPs will be a part of the solution.  However, ISPs fall into two major
categories:

1) The ones that read the types of lists that you posted this to
2) The ones that have the problem.

You're preaching to the choir, Gadi - and if there's *one* thing I'd like a
solution for, it's *that* problem.  How do you get the unwashed masses of ISPs
to join the choir so you can preach to them?






Re: Quarantine your infected users spreading malware

2006-02-20 Thread Scott Weeks

- Original Message Follows -
From: Gadi Evron <[EMAIL PROTECTED]>

> Many ISP's who do care about issues such as worms,
> infected users  "spreading the love", etc. simply do not
> have the man-power to handle  all their infected users'
> population.

> Some who are user/broadband ISP's (not say, tier-1 and
> tier-2's who  would be against it: "don't be the
> Internet's Firewall") are blocking  ports such as 139 and
> 445 for a long time now, successfully preventing  many of
> their users from becoming infected. This is also an
> excellent  first step for responding to relevant outbreaks
> and halting their progress.
> 
> Philosophy aside, it works. It stops infections. Period.
> 
> Back to the philosophy, there are some other solutions as
> well. Plus,  should this even be done?



Oh geez, here we go again...  Search the archives and read
until you're content.  It's a non-thread.  This horse isn't
only dead, it's not even a grease spot on the road any more.
 :-(

scott






Re: Cisco 3550 replacement

2006-02-20 Thread Tom Sands


We used the 3750 as a replacement for the 3550.


Jacky Lam wrote:


Hi all,
I'm currently looking for a CPE that can replace the Cisco 3550 we currently
deploy in our network.  Key features that I'm looking for are as follows:
Hierarchical QOS
Traffic shaping/policing
L3VPN functionality(VRF-lite)


BGP
OSPF
dot1q
some sort of spanning tree

Any help would be really appreciated,

Jacky



--
--
Tom Sands   
Chief Network Engineer  
Rackspace Managed Hosting   
(210)447-4065   
--


Quarantine your infected users spreading malware

2006-02-20 Thread Gadi Evron


Many ISP's who do care about issues such as worms, infected users 
"spreading the love", etc. simply do not have the man-power to handle 
all their infected users' population.


It is becoming more and more obvious that the answer may not be at the 
ISP's doorstep, but the ISP's are indeed a critical part of the 
solution. What their eventual role in user safety will be I can only 
guess, but it is clear (to me) that this subject is going to become a 
lot "hotter" in coming years.


Aunty Jane (like Dr. Alan Solomon (drsolly) likes to call your average 
user) is your biggest risk to the Internet today, and how to fix the 
user none of us have a good idea quite yet. Especially since it's not 
quite one as I put in a Heinlein quote below.


Some who are user/broadband ISP's (not say, tier-1 and tier-2's who 
would be against it: "don't be the Internet's Firewall") are blocking 
ports such as 139 and 445 for a long time now, successfully preventing 
many of their users from becoming infected. This is also an excellent 
first step for responding to relevant outbreaks and halting their progress.


Philosophy aside, it works. It stops infections. Period.

Back to the philosophy, there are some other solutions as well. Plus, 
should this even be done?


One of them has been around for a while, but just now begins to mature: 
Quarantining your users.


Infected users quarantine may sound a bit harsh, but consider; if a user 
is indeed infected and does "spread the joy" on your network as well as 
others', and you could simply firewall him (or her) out of the world 
(VLAN, other solutions which may be far better) letting him (or her) go 
only to a web page explaining the problem to them, it's pretty nifty.


As many of us know, handling such users on tech support is not very 
cost-effective to ISP's, as if a user makes a call the ISP already 
loses money on that user. Then again, paying abuse desk personnel just 
so that they can disconnect your users is losing money too.


Which one would you prefer?

Jose (Nazario) points to many interesting papers on the subject on his 
blog: http://www.wormblog.com/papers/


Is it the ISP's place to do this? Should the ISP do this? Does the ISP 
have a right to do this?


If the ISP is nice enough to do it, and users know the ISP might. Why not?

This (as well as port blocking) is more true for organizations other 
than ISP's, but if they are indeed user/broadband ISP's, I see this as 
both the effective and the ethical thing to do if the users are notified 
this might happen when they sign their contracts. Then all the "don't be 
the Internet's firewall" debate goes away.


I respect the "don't be the Internet's firewall issue", not only for the 
sake of the cause but also because friends such as Steven Bellovin and 
others believe in them a lot more strongly than I do. Bigger issues such 
as the safety of the Internet exist now. That doesn't mean user rights 
are to be ignored, but certainly so shouldn't ours, especially if these 
are mostly unaffected?


I believe both are good and necessary solutions, but every organization 
needs to choose what is best for it, rather than follow some 
pre-determined blueprint. What's good for one may be horrible for another.


"You don't approve? Well too bad, we're in this for the species boys and 
girls. It's simple numbers, they have more and every day I have to make 
decisions that send hundreds of people, like you, to their deaths." -- 
Carl Jenkins, Starship Trooper, the movie.
I don't think the second part of the quote is quite right (to say the 
least), but I felt bad leaving it out, it's Heinlein after all... anyone 
who claims he is a fascist though will have to deal with me. :)
This isn't only about users, it's about the bad guys and how they 
out-number us, too. They have far better cooperation to boot.


There are several such products around and they have been discussed here 
on NANOG before, but I haven't tried them myself as of yet, so I can't 
really recommend any of them. Can you?


I'll update on these as I find out more on: http://blogs.securiteam.com

This write-up can be found here: 
http://blogs.securiteam.com/index.php/archives/312


Gadi.

--
http://blogs.securiteam.com/

"Out of the box is where I live".
-- Cara "Starbuck" Thrace, Battlestar Galactica.
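The quarantine the post describes (firewall the infected user out of the world, say into a separate VLAN, and let them reach only a web page explaining the problem), together with the baseline 139/445 block it mentions, as an added example in Python. This is my illustration, not code from the post or from any of the products named in the thread. The portal and resolver addresses, the number of independent reports needed and the reporting window are constructed assumptions; a real deployment would drive VLAN assignment or ACLs from the same decision.

```python
"""Subscriber quarantine with a walled garden: an infected subscriber is
moved to a restricted policy that only lets them reach the explanatory
web page (plus the resolver needed to find it); everyone else keeps the
baseline TCP 139/445 block.  Added example; every address, threshold and
account name here is constructed, not taken from the thread."""
from dataclasses import dataclass, field

PORTAL_IP = "192.0.2.10"        # constructed: the "here is why you are cut off" page
RESOLVER_IP = "192.0.2.53"      # constructed: resolver so the portal name resolves
BASELINE_BLOCKED_TCP = {139, 445}   # ports the thread says broadband ISPs block
ABUSE_THRESHOLD = 3             # constructed: independent reporters needed
WINDOW = 24 * 3600              # constructed: seconds a report stays "recent"


@dataclass
class Subscriber:
    ip: str
    reports: list = field(default_factory=list)   # (timestamp, reporter) pairs
    quarantined: bool = False


class QuarantineEngine:
    def __init__(self):
        self.subs = {}

    def report(self, ip, ts, reporter):
        """Record an abuse report against a subscriber address and return
        whether the subscriber is now quarantined.  Quarantine only when
        several *independent* reporters agree inside the window, so one
        noisy peer cannot cut a customer off by itself."""
        sub = self.subs.setdefault(ip, Subscriber(ip))
        sub.reports.append((ts, reporter))
        recent_reporters = {who for t, who in sub.reports if ts - t <= WINDOW}
        if len(recent_reporters) >= ABUSE_THRESHOLD:
            sub.quarantined = True
        return sub.quarantined

    def release(self, ip):
        """Abuse desk confirms the machine was cleaned: restore normal service
        and forget the old reports so the next count starts fresh."""
        sub = self.subs.get(ip)
        if sub is not None:
            sub.quarantined = False
            sub.reports.clear()

    def decide(self, src_ip, dst_ip, proto, dport):
        """Policy for one packet from a subscriber: 'allow', 'deny' or
        'redirect' (plain HTTP sent to the portal instead of its destination)."""
        sub = self.subs.get(src_ip)
        if sub is not None and sub.quarantined:
            if proto == "udp" and dport == 53 and dst_ip == RESOLVER_IP:
                return "allow"
            if proto == "tcp" and dst_ip == PORTAL_IP and dport in (80, 443):
                return "allow"
            if proto == "tcp" and dport == 80:
                return "redirect"      # browser lands on the explanation page
            return "deny"              # mail, SMB, IRC, anything else: dropped
        if proto == "tcp" and dport in BASELINE_BLOCKED_TCP:
            return "deny"              # applies to every subscriber, infected or not
        return "allow"


if __name__ == "__main__":
    engine = QuarantineEngine()
    for ts, who in [(1000, "peer-a"), (2000, "peer-a"), (3000, "peer-b"), (4000, "peer-c")]:
        print(ts, who, "quarantined:", engine.report("198.51.100.7", ts, who))
    print(engine.decide("198.51.100.7", "203.0.113.5", "tcp", 80))    # redirect
    print(engine.decide("198.51.100.8", "203.0.113.5", "tcp", 445))   # deny (baseline)
```

Two design points worth keeping in a real system: the trigger counts distinct reporters rather than raw report volume, so a single over-eager feed cannot disconnect a paying customer, and release clears the history, so a subscriber who was cleaned is not immediately re-quarantined by stale reports.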


RE: Cisco 3550 replacement

2006-02-20 Thread Ray Burkholder



Or a Security bundle with an Etherswitch.
 
http://www.cisco.com/en/US/products/ps5853/products_data_sheet0900aecd8022e567.html


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jacky Lam
Sent: Monday, February 20, 2006 13:47
To: nanog@merit.edu
Subject: Cisco 3550 replacement

Hi all,
I'm currently looking for a CPE that can replace the Cisco 3550 we currently
deploy in our network.  Key features that I'm looking for are as follows:
Hierarchical QOS
Traffic shaping/policing
L3VPN functionality(VRF-lite)
BGP
OSPF
dot1q
some sort of spanning tree

Any help would be really appreciated,

Jacky



RE: Cisco 3550 replacement

2006-02-20 Thread Ray Burkholder



Maybe a 2811 with an Etherswitch module?
 
http://www.cisco.com/en/US/products/ps5854/products_data_sheet0900aecd8016fa68.html


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jacky Lam
Sent: Monday, February 20, 2006 13:47
To: nanog@merit.edu
Subject: Cisco 3550 replacement

Hi all,
I'm currently looking for a CPE that can replace the Cisco 3550 we currently
deploy in our network.  Key features that I'm looking for are as follows:
Hierarchical QOS
Traffic shaping/policing
L3VPN functionality(VRF-lite)
BGP
OSPF
dot1q
some sort of spanning tree

Any help would be really appreciated,

Jacky



RE: MLPPP over MPLS

2006-02-20 Thread Peering



I've been told by Juniper that the MTU negotiation problem was fixed in the 7.x
versions.  We're upgrading soon, so I hope to find out for myself.

Diane Turley
Sr. Network Engineer
Xspedius Communications Co.
636-625-7178

  
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brent A O'Keeffe
Sent: Monday, February 20, 2006 7:57 AM
To: Jon Lewis
Cc: Jon R. Kibler; [EMAIL PROTECTED]
Subject: Re: MLPPP over MPLS

It may also be worth noting that if the provider is running Juniper and not
Cisco, there are fragmentation issues with certain versions of Juniper code.
The MLPPP session cannot agree on an MTU and usually stop somewhere around
100 bytes if they do.  The workaround is to implement "ppp multilink fragment
disable" on the Cisco Multilink interface.

Brent

Jon Lewis <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
02/17/2006 03:38 PM

To: "Jon R. Kibler" <[EMAIL PROTECTED]>
cc: [EMAIL PROTECTED]
Subject: Re: MLPPP over MPLS

On Fri, 17 Feb 2006, Jon R. Kibler wrote:

> We have a customer that is implementing an MPLS network that will have 2
> to 6 T1 feeds at some locations that will be using MLPPP for channel
> bonding. This is a telco provided network that will be customer managed.

It's not clear from your message, but I'm assuming the MLPPP will be from
PE to CE and that the MPLS you speak of is MPLS VPN.  If that's the case,
on the customer end, it's just a MLPPP, and on your end, it's an MLPPP
with an "ip vrf forwarding foo" statement.  It's probably more than the
average CCNA can handle (but so are MLPPP, MPLS, and most day to day IOS
config work).  Anyone who actually uses IOS on a regular basis (as opposed
to someone who crammed for an exam and knows squat) should have no trouble
with it.

> The customer is being told by their router vendor that an MLPPP/MPLS
> network is 'too complex' to be managed by anyone except for the router
> vendor's VARs or the telco. They indicated that it would be impossible
> for the customer's router vendor certified network person to come up to
> speed on MLPPP/MPLS configurations and manage such a network -- that it
> takes years to adequately learn how to manage that type of network
> configuration.

I think someone may be confusing "providing MPLS service" with "buying
MPLS service".  A customer buying MPLS VPN service never sees any of the
MPLS tags or messes with MPLS/tag-switching commands.  There is no added
complexity...or at least there doesn't need to be any.

> ==
> Filtered by: TRUSTEM.COM's Email Filtering Service
> http://www.trustem.com/
> No Spam. No Viruses. Just Good Clean Email.

Virus-free, because I say it is...and I run Pine on Linux :)

--
Jon Lewis                   |  I route
Senior Network Engineer     |  therefore you are
Atlantic Net                |
_ http://www.lewis.org/~jlewis/pgp for PGP public key_


Cisco 3550 replacement

2006-02-20 Thread Jacky Lam
Hi all,
I'm currently looking for a CPE that can replace the Cisco 3550 we currently
deploy in our network.  Key features that I'm looking for are as follows:
Hierarchical QOS
Traffic shaping/policing
L3VPN functionality(VRF-lite)
BGP
OSPF
dot1q
some sort of spanning tree

Any help would be really appreciated,

Jacky


Re: MLPPP over MPLS

2006-02-20 Thread Brent A O'Keeffe

It may also be worth noting that if the provider is running Juniper and not
Cisco, there are fragmentation issues with certain versions of Juniper code.
The MLPPP session cannot agree on an MTU and usually stop somewhere around
100 bytes if they do.  The workaround is to implement "ppp multilink fragment
disable" on the Cisco Multilink interface.

Brent


Jon Lewis <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
02/17/2006 03:38 PM

To: "Jon R. Kibler" <[EMAIL PROTECTED]>
cc: [EMAIL PROTECTED]
Subject: Re: MLPPP over MPLS

On Fri, 17 Feb 2006, Jon R. Kibler wrote:

> We have a customer that is implementing an MPLS network that will have 2
> to 6 T1 feeds at some locations that will be using MLPPP for channel
> bonding. This is a telco provided network that will be customer managed.

It's not clear from your message, but I'm assuming the MLPPP will be from
PE to CE and that the MPLS you speak of is MPLS VPN.  If that's the case,
on the customer end, it's just a MLPPP, and on your end, it's an MLPPP
with an "ip vrf forwarding foo" statement.  It's probably more than the
average CCNA can handle (but so are MLPPP, MPLS, and most day to day IOS
config work).  Anyone who actually uses IOS on a regular basis (as opposed
to someone who crammed for an exam and knows squat) should have no trouble
with it.

> The customer is being told by their router vendor that an MLPPP/MPLS
> network is 'too complex' to be managed by anyone except for the router
> vendor's VARs or the telco. They indicated that it would be impossible
> for the customer's router vendor certified network person to come up to
> speed on MLPPP/MPLS configurations and manage such a network -- that it
> takes years to adequately learn how to manage that type of network
> configuration.

I think someone may be confusing "providing MPLS service" with "buying
MPLS service".  A customer buying MPLS VPN service never sees any of the
MPLS tags or messes with MPLS/tag-switching commands.  There is no added
complexity...or at least there doesn't need to be any.

> ==
> Filtered by: TRUSTEM.COM's Email Filtering Service
> http://www.trustem.com/
> No Spam. No Viruses. Just Good Clean Email.

Virus-free, because I say it is...and I run Pine on Linux :)

--
  Jon Lewis                   |  I route
  Senior Network Engineer     |  therefore you are
  Atlantic Net                |
_ http://www.lewis.org/~jlewis/pgp for PGP public key_
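To make the two points in this thread concrete (Jon's "it's an MLPPP with an ip vrf forwarding foo statement" on the PE, plain MLPPP on the CE, and Brent's "ppp multilink fragment disable" workaround), here is an IOS configuration sketch. It is an added example written for this archive, not configuration posted by either author. The VRF name "foo" comes from Jon's reply; the RD/route-target values, serial interface names, bundle number and addresses are made-up placeholders.

```ios
! ---- PE side (provider router, assumed Cisco IOS) ----
! Customer routes live only in VRF "foo"; nothing here leaks into the
! global table, which is the whole isolation property of an MPLS VPN.
! RD and route-targets below are placeholders, not values from the thread.
ip vrf foo
 rd 65000:100
 route-target export 65000:100
 route-target import 65000:100
!
! Each T1 is a plain PPP member link; no address, no VRF, just the bundle id.
! Interface names are assumed (channelized T1 on an ISR-style chassis).
interface Serial0/0/0:0
 no ip address
 encapsulation ppp
 ppp multilink
 ppp multilink group 1
!
interface Serial0/0/1:0
 no ip address
 encapsulation ppp
 ppp multilink
 ppp multilink group 1
!
! The bundle is the only interface that carries an address and the VRF
! binding. Order matters: "ip vrf forwarding" must precede "ip address",
! because IOS removes any address already on the interface when the VRF
! is applied.
interface Multilink1
 ip vrf forwarding foo
 ip address 10.0.0.1 255.255.255.252
 ppp multilink
 ppp multilink group 1
 ! Brent's workaround for the Juniper fragmentation/MTU negotiation issue.
 ppp multilink fragment disable
!
! ---- CE side (customer router) ----
! Member links are configured exactly as on the PE. The bundle has no VRF
! and no MPLS commands at all: the customer sees an ordinary PPP bundle.
interface Multilink1
 ip address 10.0.0.2 255.255.255.252
 ppp multilink
 ppp multilink group 1
 ppp multilink fragment disable
```

Two things worth checking after applying this: `show ppp multilink` on both ends confirms that every member link joined bundle 1 and what fragment size, if any, was negotiated; and `show ip route vrf foo` on the PE confirms the bundle's connected route landed in the VRF rather than in the global table, which is the mistake that the command-ordering comment above is guarding against. Disabling fragmentation is an interoperability workaround, not a default; leave it off where both ends negotiate an MTU cleanly.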