Re: and here are some answers [was: Quarantine your infected users spreading malware]
On Tuesday 21 Feb 2006 06:41, you wrote:
> I've seen more than one estimate that most computers *are* infected by at least one piece of malware/spyware/etc, (including numbers as high as 90%)

I've seen 95% quoted - certainly my experience if you go looking for malware in recent Windows desktop machines using IE and Outlook it is pretty much a certainty you'll find it. Most of these tools I was using didn't detect the Sony Rootkit, or other malware, so this will always be an underestimate of the true extent of the problem, unless one uses fingerprinting and packet inspection as the tools of choice for malware detection.

This is very much a Windows only problem, it doesn't affect desktop users of other systems at all, possibly in part because they lack critical mass, but also because they have more sensible security models. Largely it is an Outlook and IE problem.
Re: Quarantine your infected users spreading malware
> Oh geez, here we go again... Search the archives and read until you're content. It's a non-thread. This horse isn't only dead, it's not even a grease spot on the road any more.

Are you saying that the problem of spreading worms and botnets is fading? Where do you get your data on this? I mean, it's all well and good to express an opinion but if you want to be believed you have to be prepared to back it up with data from another source.

--Michael Dillon
Re: Quarantine your infected users spreading malware
> How do you get the unwashed masses of ISPs to join the choir so you can preach to them?

Why not just bypass them and go direct to the unwashed masses of end users? Offer them a free windows infection blocker program that imposes the quarantine itself locally on the user's machine. This program would use stealth techniques to hide itself in the user's machine, just like viruses do. And this program would do nothing but register itself with an encoded registry, and listen for an encoded command to activate itself. Rather like a botnet except with the user's consent and with a positive goal.

When the community of bot/worm researchers determines that this machine is infected, they inform the central registry using their own encoded signal. When enough votes have been collected, the registry sends the shutdown signal to the end user, thus triggering the blocker program to quarantine the user. At this point a friendly helpful webpage pops up and guides the user through the disinfection process.

Unlike antivirus software, the application on the user's computer does not need to detect malware and it needs no database updates. It does only one thing and it relies on the collective intelligence of the anti-malware community. This won't stop worms or botnets, but it will slow them down and it will greatly speed the cleanup process.

--Michael Dillon
Re: and here are some answers [was: Quarantine your infected users spreading malware]
On Tue 21 Feb 2006 (04:15 +0200), Gadi Evron wrote:
> Christopher L. Morrow wrote:
>> it's also not just a 'i got infected over the net' problem... where is that sean when you need his nifty stats :) Something about no matter what you filter grandpa-jones will find a way to click on the nekkid jiffs of Anna Kournikova again :( anyway, someone mentioned the rafts of posts in the archives, it'd be nice if this was all just referred there :(
>
> I quite agree, unless other solutions can be presented, and indeed, 2 new ones have so far. The philosophical discussion aside (latest one can be found under zotob port 445 nanog on Google), presenting some new technologies that shows this *can* be done changes the picture.

http://www.quarantainenet.nl/

It works, we use it. It cuts down on support calls, customers generally react well to it and, at least when using Juniper core routers, it's not too intrusive in the network and will scale to pretty large networks of users.

-- 
Jim Segrave [EMAIL PROTECTED]
Re: and here are some answers [was: Quarantine your infected users spreading malware]
Simon Waters wrote:
> I've seen 95% quoted - certainly my experience if you go looking for malware in recent Windows desktop machines using IE and Outlook it is pretty much a certainty you'll find it. Most of these tools I was using didn't detect the Sony Rootkit, or other malware, so this will always be an underestimate of the true extent of the problem, unless one uses fingerprinting and packet inspection as the tools of choice for malware detection.
>
> This is very much a Windows only problem, it doesn't affect desktop users of other systems at all, possibly in part because they lack critical mass, but also because they have more sensible security models. Largely it is an Outlook and IE problem.

Hi Simon, this is indeed a Windows problem due to Microsoft being a mono-culture in our desktop world. Still, there are botnets constructed from other OS's as well. Also, CC servers are mostly *nix machines.

Gadi.

-- 
http://blogs.securiteam.com/
Out of the box is where I live. -- Cara Starbuck Thrace, Battlestar Galactica.
Re: Quarantine your infected users spreading malware
[EMAIL PROTECTED] wrote:
> How do you get the unwashed masses of ISPs to join the choir so you can preach to them?
>
> Why not just bypass them and go direct to the unwashed masses of end users? Offer them a free windows infection blocker program that imposes the quarantine itself locally on the user's machine. This program would use stealth techniques to hide itself in the user's machine, just like viruses do. And this program would do nothing but register itself with an encoded registry, and listen for an encoded command to activate itself. Rather like a botnet except with the user's consent and with a positive goal.
>
> When the community of bot/worm researchers determines that this machine is infected, they inform the central registry using their own encoded signal. When enough votes have been collected, the registry sends the shutdown signal to the end user, thus triggering the blocker program to quarantine the user. At this point a friendly helpful webpage pops up and guides the user through the disinfection process.
>
> Unlike antivirus software, the application on the user's computer does not need to detect malware and it needs no database updates. It does only one thing and it relies on the collective intelligence of the anti-malware community. This won't stop worms or botnets, but it will slow them down and it will greatly speed the cleanup process.
>
> --Michael Dillon

Hi Michael, the only problem with that approach is that you think like a defender. As the defense is local to the user's machine, the attacker can just kick it away.

-- 
http://blogs.securiteam.com/
Out of the box is where I live. -- Cara Starbuck Thrace, Battlestar Galactica.
Re: and here are some answers [was: Quarantine your infected users spreading malware]
At 12:26 PM +0100 2/21/06, Jim Segrave wrote:
> The philosophical discussion aside (latest one can be found under zotob port 445 nanog on Google), presenting some new technologies that shows this *can* be done changes the picture.
>
> http://www.quarantainenet.nl/

From the web site:

"Only a selected set of web sites will remain available, for example Microsoft update and the websites of several anti-virus software companies. The quarantine server tells users what is going on and how this problem can be resolved."

One hopes that the Apple web site and online credit form is included in the list... ;-)

/John
Re: Quarantine your infected users spreading malware
>> Offer them a free windows infection blocker program that imposes the quarantine itself locally on the user's machine. This program would use stealth techniques to hide itself in the user's machine, just like viruses do.
>
> As the defense is local to the user's machine, the attacker can just kick it away.

How are they going to identify the code to throw away? I believe that the state of the art for AV software is to create randomly named EXE files so that attackers cannot delete the running process, and then the EXE file ensures that the installed program and startup config are not tampered with. If AV software can protect itself this way, why would anyone build an infection blocker using any less protection?

--Michael Dillon
Re: Quarantine your infected users spreading malware
> How do you differentiate this infection from the ones they've been preached to to avoid?

The same way that people currently differentiate bad software from good software before they install something on their machines.

--Michael Dillon
Re: Quarantine your infected users spreading malware
On 2/21/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> Why not just bypass them and go direct to the unwashed masses of end users? Offer them a free windows infection blocker program that imposes the quarantine itself locally on the user's machine. This program would use stealth techniques to hide itself in the user's machine, just like viruses do. And this program would do nothing but register itself with an encoded registry, and listen for an encoded command to activate itself. Rather like a botnet except with the user's consent and with a positive goal.

Intriguing concept.. Why bother hiding itself though? Or is the idea to prevent itself from being removed by malware?

> When the community of bot/worm researchers determines that this machine is infected, they inform the central registry using their own encoded signal. When enough votes have been collected, the registry sends the shutdown signal to the end user, thus triggering the blocker program to quarantine the user.

Isn't there a risk of DoS though? What's to prevent someone from spoofing those signals and shutting down other users? Relative precautions would need to be taken, but to be sure, the end-user needs the ability to override the system. Thus leaving us in the same situation as before. Firewall? I don't need no stinking firewall.. :)

> Unlike antivirus software, the application on the user's computer does not need to detect malware and it needs no database updates. It does only one thing and it relies on the collective intelligence of the anti-malware community.

Sure it does.. It doesn't need to remove it, per se, but it will need to know what the infection is so it can give the correct disinfection instructions..

> --Michael Dillon

-- 
Jason 'XenoPhage' Frisvold [EMAIL PROTECTED]
Re: Quarantine your infected users spreading malware
[EMAIL PROTECTED] wrote:
> If AV software can protect itself this way, why would anyone build an infection blocker using any less protection?

AV software can *try* and protect itself in this and other ways, but that is OT to NANOG. I don't mind discussing it in private though if software protection reversing technology interests you. :)

Gadi.

-- 
http://blogs.securiteam.com/
Out of the box is where I live. -- Cara Starbuck Thrace, Battlestar Galactica.
Re: Quarantine your infected users spreading malware
>> When enough votes have been collected, the registry sends the shutdown signal to the end user, thus triggering the blocker program to quarantine the user.
>
> Isn't there a risk of DoS though? What's to prevent someone from spoofing those signals and shutting down other users?

The signal would be encoded using a unique key. I would also expect that the choice of listening port would be somehow randomized and registered in the central registry to make it less of a DOS target.

> Relative precautions would need to be taken, but to be sure, the end-user needs the ability to override the system. Thus leaving us in the same situation as before. Firewall? I don't need no stinking firewall..

I see no reason why the user needs the ability to override or remove the software. After all, during normal operation it does nothing at all therefore it does not interfere in any way with machine operation. The intent is to make it virtually impossible to remove this software so that a virus or worm cannot remove it either.

> Sure it does.. It doesn't need to remove it, per se, but it will need to know what the infection is so it can give the correct disinfection instructions..

If the quarantined state keeps open a port 443 connection to a specific trusted webserver run by the group of trusted security researchers then the specifics of combatting the worm can be made available on that site. If necessary the site could upload ActiveX controls to do malware scans or recommend the installation of such software.

--Michael Dillon
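Added example (not code from the thread or from any participant) of the spoofing defence the two posts above argue about: researcher votes and the quarantine command are each authenticated with a shared key, the registry only issues a command at quorum, and the client rejects commands that are forged, stale or replayed. Key material, the quorum of three and the five-minute freshness window are assumed values for illustration.

```python
import hashlib
import hmac
import json
import os
import time

# Constructed illustration, not the thread's own design or code. Shared keys,
# quorum size and freshness window are assumed values; a real deployment would
# provision per-researcher and per-client keys out of band.
QUORUM = 3              # distinct researcher votes needed before a command is issued
FRESHNESS_SECS = 300    # a command whose timestamp is older than this is rejected
ACTION = "quarantine"


def _mac(key, payload):
    """HMAC-SHA256 over a canonical JSON encoding, so both sides sign identical bytes."""
    canon = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


def researcher_vote(researcher, key, client_id):
    """A researcher's authenticated 'this client is infected' vote."""
    return _mac(key, {"researcher": researcher, "client": client_id, "vote": ACTION})


class Registry:
    """Central registry: counts authenticated votes, issues a signed command at quorum."""

    def __init__(self, researcher_keys, client_keys):
        self.researcher_keys = researcher_keys   # researcher id -> shared key
        self.client_keys = client_keys           # client id -> per-client key
        self.votes = {}                          # client id -> set of researcher ids

    def submit_vote(self, researcher, client_id, mac):
        key = self.researcher_keys.get(researcher)
        if key is None:
            return False                         # unknown researcher
        expected = researcher_vote(researcher, key, client_id)
        if not hmac.compare_digest(expected, mac):
            return False                         # forged or corrupted vote
        # A set, so one researcher repeating a vote cannot reach quorum alone.
        self.votes.setdefault(client_id, set()).add(researcher)
        return True

    def issue_command(self, client_id, now=None):
        """Return a signed command once QUORUM distinct researchers agree, else None."""
        if len(self.votes.get(client_id, ())) < QUORUM:
            return None
        ts = int(time.time() if now is None else now)
        cmd = {"client": client_id, "action": ACTION, "ts": ts, "nonce": os.urandom(8).hex()}
        cmd["mac"] = _mac(self.client_keys[client_id], cmd)   # MAC covers every other field
        return cmd


class BlockerClient:
    """Resident blocker: accepts only fresh, unseen commands signed with its own key."""

    def __init__(self, client_id, key):
        self.client_id = client_id
        self.key = key
        self.seen_nonces = set()
        self.quarantined = False

    def handle(self, cmd, now=None):
        now = time.time() if now is None else now
        body = {k: v for k, v in cmd.items() if k != "mac"}
        if body.get("client") != self.client_id:
            return "rejected: not addressed to this client"
        if not hmac.compare_digest(_mac(self.key, body), cmd.get("mac", "")):
            return "rejected: bad signature"     # spoofed: signer lacks this client's key
        if abs(now - body.get("ts", 0)) > FRESHNESS_SECS:
            return "rejected: stale"             # captured earlier, outside the freshness window
        if body.get("nonce") in self.seen_nonces:
            return "rejected: replay"            # same command delivered twice
        self.seen_nonces.add(body.get("nonce"))
        self.quarantined = True
        return "quarantined"


if __name__ == "__main__":
    # Constructed keys for a walk-through of the exchange.
    reg = Registry({"r1": b"k1", "r2": b"k2", "r3": b"k3"}, {"host-A": b"ka"})
    client = BlockerClient("host-A", b"ka")
    for r, k in (("r1", b"k1"), ("r2", b"k2")):
        reg.submit_vote(r, "host-A", researcher_vote(r, k, "host-A"))
    print(reg.issue_command("host-A"))          # None: only two votes so far
    reg.submit_vote("r3", "host-A", researcher_vote("r3", b"k3", "host-A"))
    cmd = reg.issue_command("host-A")
    print(client.handle(cmd))                   # quarantined
    print(client.handle(cmd))                   # rejected: replay
```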
Re: and here are some answers [was: Quarantine your infected users spreading malware]
At 7:45 AM -0500 2/21/06, John Curran wrote:
> From the web site:
>
> "Only a selected set of web sites will remain available, for example Microsoft update and the websites of several anti-virus software companies. The quarantine server tells users what is going on and how this problem can be resolved."
>
> One hopes that the Apple web site and online credit form is included in the list... ;-)

Alright, in fairness to MSFT, a pointer to Vista/Longhorn (once available) and instructions to only enter your Admin password during bona fide sw installations would also go a long way towards preventing recurrence... :-)

/John
Re: and here are some answers [was: Quarantine your infected users spreading malware]
On Tue, 21 Feb 2006, Gadi Evron wrote:
> Hi Simon, this is indeed a Windows problem due to Microsoft being a mono-culture in our desktop world. Still, there are botnets constructed from other OS's as well. Also, CC servers are mostly *nix machines.

Does 'mostly *nix' hold true of the fast-flux or throwaway technique recently mentioned?

Regards,
Jess.
Re: and here are some answers [was: Quarantine your infected users spreading malware]
On Tue 21 Feb 2006 (08:45 -0500), John Curran wrote:
> At 7:45 AM -0500 2/21/06, John Curran wrote:
>> From the web site:
>>
>> "Only a selected set of web sites will remain available, for example Microsoft update and the websites of several anti-virus software companies. The quarantine server tells users what is going on and how this problem can be resolved."
>>
>> One hopes that the Apple web site and online credit form is included in the list... ;-)
>
> Alright, in fairness to MSFT, a pointer to Vista/Longhorn (once available) and instructions to only enter your Admin password during bona fide sw installations would also go a long way towards preventing recurrence... :-)

We have added multiple sites, including on-line banking sites which are appropriate to the Netherlands, to the list of reachable sites (we also use this to encourage paying your bills as well as getting people to fix their machines).

-- 
Jim Segrave [EMAIL PROTECTED]
Re: Quarantine your infected users spreading malware
On Tue, 21 Feb 2006, [EMAIL PROTECTED] wrote:
> Why not just bypass them and go direct to the unwashed masses of end users? Offer them a free windows infection blocker program that imposes the quarantine itself locally on the user's machine. This program

Offering them free software won't work to the levels you want. At first, you'll get a response, because consumers always jump at free shiny things, until something happens that makes them not like it anymore, and then they'll dig in and never use it again. If you want to get this kind of filtering into your core, you have a need to get this to a compulsory level for access.

I don't think there's any disagreement as to the roots of this problem:
- Modern users are generally clueless.
- Most don't have firewalls or even the most basic of protections.
- Getting tools deployed where they need to be most is the hardest.

With that said.. If you're talking about a compulsory software solution, why not, as an ISP, go back to authenticated activity? Distribute PPPOE clients mated with common anti-spyware/anti-viral tools. Pull down and update signatures *every time* the user logs in, and again periodically while the user is logged in (for those that never log out). Require these safeguards to be active before they can pass the smallest traffic.

The change in traffic flow would necessitate some architecture kung fu, maybe even AOL style, but you'd have the option of selectively picking out reported malicious/infected users (*cough* ThreatNet *cough*) and routing them through packet inspection frameworks on a case by case basis. Quite possibly, you could even automate that and the users would never be the wiser.

- billn
Re: Quarantine your infected users spreading malware
On 2/21/06, Bill Nash [EMAIL PROTECTED] wrote:
> If you're talking about a compulsory software solution, why not, as an ISP, go back to authenticated activity? Distribute PPPOE clients mated with common anti-spyware/anti-viral tools. Pull down and update signatures *every time* the user logs in, and again periodically while the user is logged in (for those that never log out). Require these safeguards to be active before they can pass the smallest traffic.

Cost prohibitive.. In order to do that you'll need licenses from the AV companies..

> The change in traffic flow would necessitate some architecture kung fu, maybe even AOL style, but you'd have the option of selectively picking out reported malicious/infected users (*cough* ThreatNet *cough*) and routing them through packet inspection frameworks on a case by case basis. Quite possibly, you could even automate that and the users would never be the wiser.

And then the privacy zealots would be livid.. Silently re-routing traffic like that.. How dare you suggest such a ... wait.. hrm.. The internet basically does this already.. I wonder if the zealots are aware of that.. :)

> - billn

-- 
Jason 'XenoPhage' Frisvold [EMAIL PROTECTED]
Re: Quarantine your infected users spreading malware
On Tue, 21 Feb 2006 13:05:35 GMT, [EMAIL PROTECTED] said:
>> How do you differentiate this infection from the ones they've been preached to to avoid?
>
> The same way that people currently differentiate bad software from good software before they install something on their machines.

If people actually *knew* how to do this differentiation any better than flipping the quarter I have in my pocket, we wouldn't be having this discussion.
Re: Quarantine your infected users spreading malware
On Tue, 21 Feb 2006 10:42:20 EST, Jason Frisvold said:
> On 2/21/06, Bill Nash [EMAIL PROTECTED] wrote:
>> If you're talking about a compulsory software solution, why not, as an ISP, go back to authenticated activity? Distribute PPPOE clients mated with common anti-spyware/anti-viral tools. Pull down and update signatures *every time* the user logs in, and again periodically while the user is logged in (for those that never log out). Require these safeguards to be active before they can pass the smallest traffic.
>
> Cost prohibitive.. In order to do that you'll need licenses from the AV companies..

Oddly enough, AOL and several other large providers seem to have no problems advertising some variant on 'free A/V software'.
Re: Quarantine your infected users spreading malware
> No, just $24/month (or whatever it is now) for the whole service. You go to a keyword and it does a web based installation widget. It is free as long as you remain a subscriber.

I'm not familiar with how this works in AOL land.. Does the end-user need to subscribe to anything other than AOL? ie, are there any hidden fees?

-- 
Jason 'XenoPhage' Frisvold [EMAIL PROTECTED]
Re: Quarantine your infected users spreading malware
On Tuesday 21 February 2006 10:26, Jason Frisvold wrote:
> On 2/21/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
>> Oddly enough, AOL and several other large providers seem to have no problems advertising some variant on 'free A/V software'.
>
> Key words there.. Large Provider .. I don't think A/V companies have any interest whatsoever in smaller providers.. Just not a big enough customer base I guess... It would be nice to see an A/V provider willing to take that first step and offer something like this to providers, regardless of size. No packaging needed, so there's a cost savings there for the vendor.
>
> I'm not familiar with how this works in AOL land.. Does the end-user need to subscribe to anything other than AOL? ie, are there any hidden fees?

The problem with discussing AOL and large provider in the same sentence is that the complete AOL (connection, desktop, tools, etc) function are AOL controlled (walled garden) so they have the capability of doing much more in that arena than other providers.

Secondly, to the best of my knowledge, A/V vendors do make their products available to any provider - it is just that small to medium sized ISPs cannot justify the cost/benefit ratio and keep their pricing anywhere near competitive with the big boys. At ten copies a month you get little to no discount - at 10,000 copies per month you get quite a cut...

-- 
Larry Smith
SysAd ECSIS.NET
[EMAIL PROTECTED]
Re: Quarantine your infected users spreading malware
On Tue, 21 Feb 2006, [EMAIL PROTECTED] wrote:
>>> If you're talking about a compulsory software solution, why not, as an ISP, go back to authenticated activity? Distribute PPPOE clients mated with common anti-spyware/anti-viral tools. Pull down and update signatures *every time* the user logs in, and again periodically while the user is logged in (for those that never log out). Require these safeguards to be active before they can pass the smallest traffic.
>>
>> Cost prohibitive.. In order to do that you'll need licenses from the AV companies..
>
> Oddly enough, AOL and several other large providers seem to have no problems advertising some variant on 'free A/V software'.

When referring to AOL customers, though, you're talking about a target market that is accustomed to being offered a bundled package, and for lack of a better term, doing what it's told. Largely, AOL users aren't the problem. Comcast, Cox, Adelphia, and similar providers with raw IP consumers are the problem.[1] A la carte services are all good and well for the end user, but it's a double edged sword in that they're good for the botnet crews, too.

I used to sneer at offerings like AOL or Compuserv, because they weren't what I needed. Now, I'm actually kind of glad they exist because some users clearly need the training wheels. This is as much of a social problem as it is a technical one. I'm starting to understand the perspective of a legislative heavy federal government that has to pass laws to protect folks who are pretty much ignorant of the problem.

- billn

[1] I don't point those out because of specific problems, I point them out to describe service offering styles and network architecture. I have no interest in detailing why provider X sucks, or talking to your lawyers about it.
Re: Quarantine your infected users spreading malware
On Tue, 21 Feb 2006, Jason Frisvold wrote:
> On 2/21/06, Bill Nash [EMAIL PROTECTED] wrote:
>> If you're talking about a compulsory software solution, why not, as an ISP, go back to authenticated activity? Distribute PPPOE clients mated with common anti-spyware/anti-viral tools. Pull down and update signatures *every time* the user logs in, and again periodically while the user is logged in (for those that never log out). Require these safeguards to be active before they can pass the smallest traffic.
>
> Cost prohibitive.. In order to do that you'll need licenses from the AV companies..

Big deal. You're talking about volume licensing at that point, and offering vendors an opportunity to compete to get on every desktop in your customer base. That's a big stick to negotiate with, especially if you're an Earthlink or AOL.

>> The change in traffic flow would necessitate some architecture kung fu, maybe even AOL style, but you'd have the option of selectively picking out reported malicious/infected users (*cough* ThreatNet *cough*) and routing them through packet inspection frameworks on a case by case basis. Quite possibly, you could even automate that and the users would never be the wiser.
>
> And then the privacy zealots would be livid.. Silently re-routing traffic like that.. How dare you suggest such a ... wait.. hrm.. The internet basically does this already.. I wonder if the zealots are aware of that.. :)

Yeah, the privacy zealots, of which I'm one, don't have much of a leg to stand on, since as the direct service provider, you'd be directly within AUP/Contractually provided rights to do so, under that particular service model. They can't ding you for being active in your *response* to complaints about malicious activity sourced from your network, and taking the time to verify it. So long as you're keeping their personal information out of the hands of others, they don't have much to bitch about.

The ISPs win because they've got ready means to tie complaints directly back to an active customer, AND verify the complaint. Consumers win because they've got cheap anti-virus they still don't have to do anything about. The internet wins because ISPs are sharing non-personally identifying information about naughty behaviour and maybe increasing the mean TTL for new Windows machines. In the long term, privacy advocates win because networks have implemented active responses to attacks that routinely lead to identity theft.

The biggest hole I see in this concept is home routers that do NAT (linksys, linux boxes, etc). While capable of PPPOE, you can't quite mandate the A/V clients. You still have the option of doing packet inspection, which is still better than nothing.

- billn
Re: Quarantine your infected users spreading malware
On 2/21/06, Bill Nash [EMAIL PROTECTED] wrote:
> Big deal. You're talking about volume licensing at that point, and offering vendors an opportunity to compete to get on every desktop in your customer base. That's a big stick to negotiate with, especially if you're an Earthlink or AOL.

Agreed. And with that, the little guys go away.

> Yeah, the privacy zealots, of which I'm one, don't have much of a leg to stand on, since as the direct service provider, you'd be directly within AUP/Contractually provided rights to do so, under that particular service model. They can't ding you for being active in your *response* to complaints about malicious activity sourced from your network, and taking the time to verify it. So long as you're keeping their personal information out of the hands of others, they don't have much to bitch about.

Agreed, but without publishing the exact procedures, protocols, etc, they can always complain that something might be happening.. Don't get me wrong, I'm just as much for privacy as most of the zealots, but there is a point at which there has to be an acceptable risk.

> The ISPs win because they've got ready means to tie complaints directly back to an active customer, AND verify the complaint. Consumers win because they've got cheap anti-virus they still don't have to do anything about. The internet wins because ISPs are sharing non-personally identifying information about naughty behaviour and maybe increasing the mean TTL for new Windows machines. In the long term, privacy advocates win because networks have implemented active responses to attacks that routinely lead to identity theft.

I wish everyone had this view. Fixing, or at least patching, this problem would help out a lot in the long run. But there's a lot to be done to handle it. An ISP can deal with it themselves or, more often than not, can ignore it.

As I was saying before, if there were some sort of standards body that set forth a best practices guide of some sort, that might go a long way. Education for the end-user is key here too. Educate them to understand what precautions are in place at the ISP level, and what they can do to protect themselves. I think it's gotten better in recent years, despite the increase in viral activity. I think the increase is due to better propagation techniques rather than hordes of dumb users.

> The biggest hole I see in this concept is home routers that do NAT (linksys, linux boxes, etc). While capable of PPPOE, you can't quite mandate the A/V clients. You still have the option of doing packet inspection, which is still better than nothing.

Hrm.. Unless some sort of shim was required on the end-user computer.. something transparent that merely identified itself in the background to the central authority and verified signatures and the like..

> - billn

-- 
Jason 'XenoPhage' Frisvold [EMAIL PROTECTED]
Re: Quarantine your infected users spreading malware
On Tue, Feb 21, 2006 at 07:17:38AM +0200, Gadi Evron wrote:
> [EMAIL PROTECTED] wrote:
>> On Mon, 2006-02-20 at 23:40:48 +0200, Gadi Evron proclaimed...
>> [snip]
>>> I'll update on these as I find out more on: http://blogs.securiteam.com
>>>
>>> This write-up can be found here: http://blogs.securiteam.com/index.php/archives/312
>>
>> Ah yes, the old self-promotion trick. You know, I get some ads for [EMAIL PROTECTED] that sound pretty good until I have to click on their link to get more information.
>
> The information, quite a bit of it, comes before the link. If you'd like I can send it to you again.
>
> Thanks!
> Gadi.

It appears the quality of the nanog mailing list is becoming on a par with that of Full-Disclosure.

James
anybody here from verizon's e-mail department?
last week i became unable to send mail to verizon users:

Diagnostic-Code: X-Postfix; host relay.verizon.net[206.46.232.11] said: 550 You are not allowed to send mail:sv18pub.verizon.net (in reply to MAIL FROM command)

(the above was from me trying to ask [EMAIL PROTECTED] about it)

i'd hate to think that i've simply sent too many why-are-you-spamming-me complaints and have been blacklisted.
Maximum effective range of an excuse is... [Was: Re: Quarantine your infected users spreading malware]
QED: ATT/SBC also does this for their DSL subscribers...

- ferg

-- Larry Smith [EMAIL PROTECTED] wrote:
> The problem with discussing AOL and large provider in the same sentence is that the complete AOL (connection, desktop, tools, etc) function are AOL controlled (walled garden) so they have the capability of doing much more in that arena than other providers.
> [snip]

-- 
Fergie, a.k.a. Paul Ferguson
Engineering Architecture for the Internet
[EMAIL PROTECTED] or [EMAIL PROTECTED]
ferg's tech blog: http://fergdawg.blogspot.com/
Re: anybody here from verizon's e-mail department?
> last week i became unable to send mail to verizon users:
>
> Diagnostic-Code: X-Postfix; host relay.verizon.net[206.46.232.11] said: 550 You are not allowed to send mail:sv18pub.verizon.net (in reply to MAIL FROM command)
>
> (the above was from me trying to ask [EMAIL PROTECTED] about it)
>
> i'd hate to think that i've simply sent too many why-are-you-spamming-me complaints and have been blacklisted.

Probably a better question on SPAM-L. Since it's been suggested that we help with this problem of using NANOG as a personal paging service:

http://puck.nether.net/netops/nocs.cgi?ispname=Verizon

Now, can someone forward this to Paul? I am pleasantly residing in his killfile, according to his last response to my email. YMMV.

-M

-- 
Martin Hannigan (c) 617-388-2663
Renesys Corporation (w) 617-395-8574
Member of the Technical Staff
Network Operations
[EMAIL PROTECTED]
Re: anybody here from verizon's e-mail department?
>> i'd hate to think that i've simply sent too many why-are-you-spamming-me complaints and have been blacklisted.
>
> Now, can someone forward this to Paul? I am pleasantly residing in his killfile, according to his last response to my email.

are you suggesting that paul might be hoist by his own petard? goose, gander, and all that?

randy
Re: Quarantine your infected users spreading malware
- Original Message Follows -
From: [EMAIL PROTECTED]

>> Oh geez, here we go again... Search the archives and read until you're content. It's a non-thread. This horse isn't only dead, it's not even a grease spot on the road any more.
>
> Are you saying that the problem of spreading worms and botnets is fading? Where do you get your data on this? I mean, it's all well and good to express an opinion but if you want to be believed you have to be prepared to back it up with data from another source.

I'm not saying that at all and that'd be the silliest position to support anyway. We all know better than that. All I was saying is *every* position on the subject was expressed about two months ago in the thread that wouldn't die even in the clear evidence of an exponential decrease in quality of responses on the subject and I don't think things have changed significantly since then. No biggie, I can delete when the quality of responses degrades below my threshold of ability to carry on reading... :-)

scott
Re: MLPPP over MPLS
I've also heard a variety of comments about difficulties in getting Cisco MLPPP working in MPLS environments, mostly in the past year when our product development people weren't buried in more serious problems (:--) I've got the vague impression that it was more buggy for N>2 than N=2. There are a number of ways to bond NxT1 together, including MLFR and IMA, and we've generally used IMA for ATM and MPLS services and CEF for Internet. IMA has the annoyance of extra ATM overhead, but doesn't have problems with load-balancing or out-of-order delivery, and we've used it long enough to be good at dealing with its other problems.
RE: anybody here from verizon's e-mail department?
First, I'm not on the mail team, so I can't help you directly. Second, your best bet is to attempt contact thru the following web form: www.verizon.net/whitelist

- Wayne

___
Wayne Gustavus, CCIE #7426
IP Operations Support
Verizon Internet Services
___
Can you ping me now? Good!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Vixie
Sent: Tuesday, February 21, 2006 12:58 PM
To: nanog@merit.edu
Subject: anybody here from verizon's e-mail department?

last week i became unable to send mail to verizon users:

Diagnostic-Code: X-Postfix; host relay.verizon.net[206.46.232.11] said: 550 You are not allowed to send mail:sv18pub.verizon.net (in reply to MAIL FROM command)

(the above was from me trying to ask [EMAIL PROTECTED] about it)

i'd hate to think that i've simply sent too many why-are-you-spamming-me complaints and have been blacklisted.
Re: MLPPP over MPLS
Since PPP doesn't have any way to identify a different PVC from the physical circuit, MLPPP can not be used where a sub-interface is required. For example, if you want to use different VLAN ids with dot1q or Frame Relay DLCIs, you can not use it with MPLS. Since our customer requires multiple VLANs from the same physical circuit, we decided not to use MLPPP and to use MLFR for this issue. MLFR has a DLCI field, so we can identify multiple sources of a sort of PVC.

If you want to use QoS with MLPPP, you have to disable CEF on the interface. That's another consideration.

If you use FlexWan on the Cisco 7600 platform, you can not change the MTU size for MLPPP/MPLS because of bug CSCdj40945. That problem is said to be fixed, but you still need to check whether your IOS has a fix for this or not.

Hyun

Hyunseog Ryu wrote:
Maybe next monday I can ask for detailed info, but I wasn't on the meeting to discuss this in detail. Based on the outcome of discussion with Cisco, we decided to go with MLFR instead of MLPPP.
Hyun

Jon R. Kibler wrote:
Hyunseog Ryu wrote:
What I heard from Cisco is that there may be some issue with MLPPP and MPLS - maybe QoS? - The issue is a general IOS support issue for the MLPPP/MPLS combination. For that reason, Cisco recommended Multi-link Frame Relay (MLFR) to overcome that issue.
Hyun

Hyun, Would you happen to have a source for additional information as to exactly what the problem may be? THANKS!
Jon Kibler
Re: MLPPP over MPLS
Overall, MLPPP may work fine with MPLS as long as you have a single virtual circuit from each physical circuit, such as a T1 channel from a channelized DS3. But if you have to use a sub-interface (logical interface) other than a sub-channel from a channelized circuit, you may have some problems. If you want to use QoS with MLPPP, in some cases you may have to disable CEF because of side effects. Overall, what I was recommended by a Cisco source is, if possible, to use MLFR instead of MLPPP for MPLS integration. If you need more information, you can contact your local Cisco Systems Engineer, and he/she will give more information to you.

Hyun

Bill Stewart wrote:
I've also heard a variety of comments about difficulties in getting Cisco MLPPP working in MPLS environments, mostly in the past year when our product development people weren't buried in more serious problems (:--) I've got the vague impression that it was more buggy for N>2 than N=2. There are a number of ways to bond NxT1 together, including MLFR and IMA, and we've generally used IMA for ATM and MPLS services and CEF for Internet. IMA has the annoyance of extra ATM overhead, but doesn't have problems with load-balancing or out-of-order delivery, and we've used it long enough to be good at dealing with its other problems.
Re: a radical proposal (Re: protocols that don't meet the need...)
I looked at some of these models back in ~2000, but the dotcom boom ended and I didn't get laid off from my day job, so I didn't go trolling for venture capitalists, and my employer sold off their cable companies - since then, the market economics have changed a lot, and routers have started to support enough memory to keep up with the demand.

The big questions about the dual-homed customer base are what kind of connectivity they really need - Primary/Backup, or Primary / Backup+extrabandwidth, or truly load-shared, and also what diverse topology is available at the bandwidth they need. For a reasonably large chunk of the ~Y2K market, the answer was a T1 or two with cable-modem backup, and another chunk was T3 or bigger, able to afford a telco or CLEC access ring, and most customers were more concerned about backhoe fade, which takes a long time to fix, than about ISP routing glitches, which were less common than 5 years earlier and usually had a much shorter mean time to repair.

None of these solutions requires a World Domination Grand Master Plan agreed to by everybody before it can be deployed - almost anything can start out with two carriers or a transit-buying service provider and then grow. One obvious business model to serve the smaller market was to start a Slash-19.net, which would get a routable chunk of address space, buy transit from one or two colo providers, and use GRE/IPSEC/L2TPv3 tunnels to connect to the customer through whatever Layer 3 media is available, e.g. cable modems, and optionally use LEC frame or similar transport where available. In the emerging IPv6 world, a tunnel broker service could do something like this. And for equipment-cost reasons, you'd probably use PCs instead of routers as your tunnel servers.
Another business model would be for a Tier 1 or Tier 2 ISP to do something similar, using a smaller chunk of their own address space, and using a tunnel server at one of their peering points (or colo space served by another ISP) to handle tunnels through the secondary carrier, such as cable modem companies. Making the addresses work well would require them to use the dual-homing address space for those customers' interfaces instead of whatever probably-geographical schema they use for single-homed customers. The cable companies would be an obvious ISP to do this - they've got control over the most common small diverse access methods, and most of them use PPPoE to connect to their customers so they've already got tunnelling. New wireless access ISPs could do much of the same business.

Another model is cooperation between big carriers - if you're doing the N**2 pairs-of-carriers model, there are ~30-35 Tier 1 carriers in the US, so ~1000 address blocks would be enough (if it sounds like a cabal, too bad), and probably a similar but smaller number for Europe. Tier 2 players might need to arrange separate deals with one or more of their upstream Tier 1s, so they might double their address space (still only adds ~10K routes), or else they might do an exchange point approach (e.g. somebody like Linx starts Diverse-Linx.) If somebody can get more than two Tier 1s to cooperate, they could do the geographic approach, which can make a major dent with ~50-100 cities in their market.
Re: Quarantine your infected users spreading malware
Bill Nash wrote:
On Tue, 21 Feb 2006, [EMAIL PROTECTED] wrote:
Why not just bypass them and go direct to the unwashed masses of end users? Offer them a free windows infection blocker program that imposes the quarantine itself locally on the user's machine. This program

Offering them free software won't work to the levels you want. At first, you'll get a response, because consumers always jump at free shiny things, until something happens that makes them not like it anymore, and then they'll dig in and never use it again. If you want to get this kind of filtering into your core, you have a need to get this to a compulsory level for access.

I don't think there's any disagreement as to the roots of this problem:
- Modern users are generally clueless.
- Most don't have firewalls or even the most basic of protections.
- Getting tools deployed where they need to be most is the hardest.

With that said.. If you're talking about a compulsory software solution, why not, as an ISP, go back to authenticated activity? Distribute PPPOE clients mated with common anti-spyware/anti-viral tools. Pull down and update signatures *every time* the user logs in, and again periodically while the user is logged in (for those that never log out). Require these safeguards to be active before they can pass the smallest traffic. The change in traffic flow would necessitate some architecture kung fu, maybe even AOL style, but you'd have the option of selectively picking out reported malicious/infected users (*cough* ThreatNet *cough*) and routing them through packet inspection frameworks on a case by case basis. Quite possibly, you could even automate that and the users would never be the wiser.

- billn

From my past discussion at nanog sessions, it appears this sink-hole like process has been extremely helpful for AOL. Maybe Vijay from AOL could chime in and enlighten us or folks could look at the archives.

regards,
/virendra
RE: anybody here from verizon's e-mail department?
No, but I have forwarded this to the abuse team I used to work in. Some of them are also on Z. Normally this is because the MAIL FROM: failed or rejected sender verification.

-Dennis
RE: anybody here from verizon's e-mail department?
Second, your best bet is to attempt contact thru the following web form: www.verizon.net/whitelist

Good one Wayne! Wasn't that only for all those who were blocked last Christmas even other than ARIN IP space? ;) I sent an email to the mail team and CC'd Paul. Good to see you bud!

-Dennis
Re: anybody here from verizon's e-mail department?
On 2/22/06, Dennis Dayman [EMAIL PROTECTED] wrote:
No, but I have forwarded this to the abuse team I used to work in. Some of them are also on Z. Normally this is because the MAIL FROM: failed or rejected sender verification.

Which probably means Paul is blocking whatever server Verizon is using for its sender verification

--
Suresh Ramasubramanian ([EMAIL PROTECTED])