Re: dnsstealer.com

2006-03-13 Thread Martin Hannigan


At 12:37 AM 3/14/2006, David Ulevitch wrote:

> On Mar 13, 2006, at 8:16 PM, Martin Hannigan wrote:
>
>> Better yet, why don't the registrars police themselves?
>
> Many do.  They just don't police each other.



Sure seems like security is AWOL on the registrars' agenda:

http://www.google.com/search?hl=en&lr=&domains=icann.org&q=botnet&btnG=Search&sitesearch=icann.org
http://www.google.com/search?hl=en&lr=&domains=icann.org&q=zombie&btnG=Search&sitesearch=icann.org


-M<

--
Martin Hannigan                (c) 617-388-2663
Renesys Corporation            (w) 617-395-8574
Member of Technical Staff      Network Operations
                               [EMAIL PROTECTED]



Re: dnsstealer.com

2006-03-13 Thread David Ulevitch



On Mar 13, 2006, at 8:16 PM, Martin Hannigan wrote:

> Better yet, why don't the registrars police themselves?

Many do.  They just don't police each other.

-david


Re: dnsstealer.com

2006-03-13 Thread Randy Bush

>> isn't this a job for super-icann?
> Better yet, why don't the registrars police themselves?

what you mean is why don't the registrars seriously vet
their customers?

i suspect the job is non-trivial, to say the least.  and
where is the financial motivation?  at $10/year, what do
you suggest they actually do?

as a teensie registrar (for a half dozen small cctlds),
and one who actually does try to verify that the admin
poc answers the phone, etc. as well as server ops, 2182,
etc, lemme tell you it is a major pita for me and for
the folk who help vet.

randy



Re: dnsstealer.com

2006-03-13 Thread Martin Hannigan


At 11:00 PM 3/13/2006, Eric Brunner-Williams wrote:

> isn't this a job for super-icann?

Better yet, why don't the registrars police themselves?


-M<

--
Martin Hannigan                (c) 617-388-2663
Renesys Corporation            (w) 617-395-8574
Member of Technical Staff      Network Operations
                               [EMAIL PROTECTED]



Re: dnsstealer.com

2006-03-13 Thread Eric Brunner-Williams

isn't this a job for super-icann?


Re: dnsstealer.com

2006-03-13 Thread Randy Bush

add http://pny.metalfeels.com/clk/53708695.76.251.101



Re: dnsstealer.com

2006-03-13 Thread Steven Kalcevich


I think you're missing out on the $250 JC Penny card. You can buy a lot of
swag with that!




Randy Bush wrote:

> i think someone needs to nuke this domain
>
> randy
>
> From: "Shopping" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Confirmation: JC Penney Card
> Date: Mon, 13 Mar 2006 20:23:05 -0600
>
> Dear [EMAIL PROTECTED],
>
> We are attempting to contact you about the $250 JCPenney(R) Card and request
> you to complete your email address below:
>
> http://pny.dnsstealer.com/clk/53708886.15.251.101
>
> Thank you for taking your time and on this offer.
>
> My best,
>
> List Manager
>
> If you no longer wish to receive Exclusive Gift Cards emails, visit the
> Exclusive Gift Cards site or visit the url:
> http://pny.dnsstealer.com/clk/53708886.15.251.102  Or, print a copy of this
> email and send it along with your request to: Exclusive Gift Cards, 13900 Jog
> Road, Suite 203-251, Delray Beach, FL 33446.
>
> http://pny.dnsstealer.com/uns/53708886.15.251
>
> 848 N. Rainbow Blvd. #1688
> Las Vegas, NV 89107 -1020468834
 





dnsstealer.com

2006-03-13 Thread Randy Bush

i think someone needs to nuke this domain

randy


From: "Shopping" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Confirmation: JC Penney Card
Date: Mon, 13 Mar 2006 20:23:05 -0600

Dear [EMAIL PROTECTED],

We are attempting to contact you about the $250 JCPenney(R) Card and request 
you to complete your email address below:

http://pny.dnsstealer.com/clk/53708886.15.251.101

Thank you for taking your time and on this offer.

My best,

List Manager

If you no longer wish to receive Exclusive Gift Cards emails, visit the 
Exclusive Gift Cards site or visit the url: 
http://pny.dnsstealer.com/clk/53708886.15.251.102  Or, print a copy of this 
email and send it along with your request to: Exclusive Gift Cards, 13900 Jog 
Road, Suite 203-251, Delray Beach, FL 33446.

http://pny.dnsstealer.com/uns/53708886.15.251

848 N. Rainbow Blvd. #1688
Las Vegas, NV 89107 -1020468834



Re: Wiltel has gone pink.

2006-03-13 Thread Christopher L. Morrow



On Mon, 13 Mar 2006, Jo Rhett wrote:

> I went through 4 levels of management, and was informed that they no longer
> had an abuse team -- that this was disbanded in a recent reorganization.
>
> In short, it would appear that Wiltel is now selling pink contracts.
>

what? no more dave rossbach?


Re: Wiltel has gone pink.

2006-03-13 Thread Roy


Jo Rhett wrote:

> This morning we have started receiving an abundance of spam from Wiltel
> customers, pointing boldly back to websites hosted in Wiltel space.
>
> OrgAbuseHandle: WAC18-ARIN
> OrgAbuseName:   Wiltel Abuse Contact
> OrgAbusePhone:  +1-918-547-2000
> OrgAbuseEmail:  [EMAIL PROTECTED]
>
> Messages to [EMAIL PROTECTED] are being rejected.
>
> This phone number goes to their "conferencing group", which doesn't know
> what 'abuse' is, or even what an IP network is.
>
> I went through 4 levels of management, and was informed that they no longer
> had an abuse team -- that this was disbanded in a recent reorganization.
>
> In short, it would appear that Wiltel is now selling pink contracts.

WilTel's abuse department has long been MIA.  I never even got an
acknowledgment from them, much less got the problem fixed.  The only
difference now is that they are bouncing the messages rather than
dev-nulling them.


They also don't believe in edge filtering.  Here are some stats for today:

   10 deny ip 0.0.0.0 1.255.255.255 any (111 matches)
   20 deny ip 2.0.0.0 0.255.255.255 any (97 matches)
   30 deny ip 5.0.0.0 0.255.255.255 any (102 matches)
   40 deny ip 7.0.0.0 0.255.255.255 any (106 matches)
   50 deny ip 10.0.0.0 0.255.255.255 any (6487 matches)
   60 deny ip 23.0.0.0 0.255.255.255 any (120 matches)
   70 deny ip 27.0.0.0 0.255.255.255 any (126 matches)
   80 deny ip 31.0.0.0 0.255.255.255 any (107 matches)
   90 deny ip 36.0.0.0 1.255.255.255 any (1458 matches)
   100 deny ip 39.0.0.0 0.255.255.255 any (137 matches)
   110 deny ip 42.0.0.0 0.255.255.255 any (127 matches)
   120 deny ip 49.0.0.0 0.255.255.255 any (146 matches)
   130 deny ip 50.0.0.0 0.255.255.255 any (124 matches)
   140 deny ip 77.0.0.0 0.255.255.255 any (138 matches)
   150 deny ip 78.0.0.0 1.255.255.255 any (243 matches)
   160 deny ip 92.0.0.0 3.255.255.255 any (868 matches)
   170 deny ip 96.0.0.0 15.255.255.255 any (2754 matches)
   180 deny ip 112.0.0.0 7.255.255.255 any (1896 matches)
   190 deny ip 120.0.0.0 0.255.255.255 any (337 matches)
   200 deny ip 169.254.0.0 0.0.255.255 any (744 matches)
   210 deny ip 172.16.0.0 0.15.255.255 any (827 matches)
   220 deny ip 173.0.0.0 0.255.255.255 any (150 matches)
   230 deny ip 174.0.0.0 1.255.255.255 any (870 matches)
   240 deny ip 176.0.0.0 7.255.255.255 any (3860 matches)
   250 deny ip 184.0.0.0 3.255.255.255 any (765 matches)
   260 deny ip 192.0.2.0 0.0.0.255 any
   270 deny ip 192.168.0.0 0.0.255.255 any (873 matches)
   280 deny ip 197.0.0.0 0.255.255.255 any (127 matches)
   290 deny ip 198.18.0.0 0.1.255.255 any
   300 deny ip 223.0.0.0 0.255.255.255 any (121 matches)
   310 deny ip 224.0.0.0 31.255.255.255 any

Maybe Level3 can straighten some of it out.

Roy Engehausen
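An added example, not code from Roy's post: a small parser for deny lines in the format pasted above, plus Cisco wildcard-mask matching, so you can see which source addresses such an ingress filter drops and which rules carry the hits. Only a subset of the lines is embedded as sample input, and the list reflects 2006 allocations; many of those /8s have since been assigned, so a filter like this has to be kept current or it starts dropping legitimate traffic.

```python
import ipaddress

# A handful of the deny lines from the post above, embedded here as sample input.
# Cisco extended ACL syntax: "<seq> deny ip <network> <wildcard> any [(N matches)]".
# In a wildcard mask a 1 bit means "don't care", the inverse of a subnet mask.
ACL_TEXT = """\
10 deny ip 0.0.0.0 1.255.255.255 any (111 matches)
50 deny ip 10.0.0.0 0.255.255.255 any (6487 matches)
200 deny ip 169.254.0.0 0.0.255.255 any (744 matches)
210 deny ip 172.16.0.0 0.15.255.255 any (827 matches)
260 deny ip 192.0.2.0 0.0.0.255 any
270 deny ip 192.168.0.0 0.0.255.255 any (873 matches)
310 deny ip 224.0.0.0 31.255.255.255 any
"""


def parse_acl(text):
    """Parse ACL lines into (seq, action, network, wildcard, hit_count) tuples."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[2] != "ip":
            continue
        seq, action, _proto, net, wild = parts[:5]
        hits = int(parts[-2].lstrip("(")) if parts[-1] == "matches)" else 0
        rules.append((int(seq), action,
                      int(ipaddress.IPv4Address(net)),
                      int(ipaddress.IPv4Address(wild)), hits))
    return rules


def wildcard_match(addr, net, wild):
    """Cisco wildcard semantics: compare only the bits that are 0 in the mask."""
    care = ~wild & 0xFFFFFFFF
    return addr & care == net & care


def first_match(rules, src):
    """Return (seq, action) of the first matching rule, or (None, 'permit'),
    assuming the ACL ends in a 'permit ip any any' for legitimate traffic."""
    a = int(ipaddress.IPv4Address(src))
    for seq, action, net, wild, _hits in rules:
        if wildcard_match(a, net, wild):
            return seq, action
    return None, "permit"


def denied_total(rules):
    """Sum of the hit counters, i.e. packets the edge filter discarded."""
    return sum(r[4] for r in rules)


def top_hitters(rules, n=3):
    """Rules ordered by hit count, highest first: the noisiest spoofed ranges."""
    return sorted(rules, key=lambda r: r[4], reverse=True)[:n]
```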





Re: Security problem in PPPoE connection

2006-03-13 Thread Matt Buford


From: "Martin Hannigan" <[EMAIL PROTECTED]>
> As well, pvlans are prone to fail if not a forethought of architecture
> instead of an after effect. Trying to put legacy networks into a pvlan
> architecture is like putting square pegs in round holes.
>
> My experience has been pvlans cause more trouble than they are worth.


Could you elaborate on this a bit?  My situation is different, as I am a 
server hosting provider dealing with thousands of customer servers instead 
of thousands of customer residential WAN links (and thus, no PPPoE), but so 
far I've had good results with pvlans and local-proxy-arp.  I've found it to 
be almost a drop-in replacement for large VLANs, solving 95% of the standard 
huge-l2-network issues with near-zero additional hassle.


Perhaps my different situation avoids whatever issues you ran into.  I'm 
just curious what sort of trouble you had just to make sure I avoid them 
myself.  I've already migrated thousands of customer servers to this over 
the past few years, but I still have thousands to go.  :) 



Covad contact?

2006-03-13 Thread Mcintyre, Ken

Hello,

Could someone from Covad please contact me off list? 

Thank you,
Ken - 




RE: Security problem in PPPoE connection

2006-03-13 Thread Martin Hannigan


At 03:25 PM 3/13/2006, James R. Cutler wrote:

> At 3/13/2006 11:16 AM -0800, Bora Akyol wrote:
>
>> "Any info on percentages of users that use routers vs Windows boxes? "
>
> Almost 100% of Careful Windows Users use routers.
> Almost 100% of Potential Victims connect directly.
>
> Now, you really meant to ask, what is the ratio of Victims to
> Careful.  Too big, whatever it is.

That depends, maybe you mean Windows->NAT vs. Windows non-NAT. I
think there are implications in router, unless you're assuming NAT.

As well, pvlans are prone to fail if not a forethought of architecture
instead of an after effect. Trying to put legacy networks into a pvlan
architecture is like putting square pegs in round holes.

My experience has been pvlans cause more trouble than they are worth.



-M<

--
Martin Hannigan                (c) 617-388-2663
Renesys Corporation            (w) 617-395-8574
Member of Technical Staff      Network Operations
                               [EMAIL PROTECTED]



Wiltel has gone pink.

2006-03-13 Thread Jo Rhett

This morning we have started receiving an abundance of spam from Wiltel
customers, pointing boldly back to websites hosted in Wiltel space.

OrgAbuseHandle: WAC18-ARIN
OrgAbuseName:   Wiltel Abuse Contact
OrgAbusePhone:  +1-918-547-2000
OrgAbuseEmail:  [EMAIL PROTECTED]

Messages to [EMAIL PROTECTED] are being rejected.

This phone number goes to their "conferencing group", which doesn't know
what 'abuse' is, or even what an IP network is.

I went through 4 levels of management, and was informed that they no longer
had an abuse team -- that this was disbanded in a recent reorganization. 

In short, it would appear that Wiltel is now selling pink contracts.

-- 
Jo Rhett
senior geek
SVcolo : Silicon Valley Colocation


RE: Wiltel has gone pink.

2006-03-13 Thread Edward W. Ray

Wiltel is owned by Level3 now.  Try contacting them, although with the
integration just starting I suspect it will be difficult.

 




RE: Wiltel has gone pink.

2006-03-13 Thread andrew2

[EMAIL PROTECTED] wrote:
> This morning we have started receiving an abundance of spam
> from Wiltel customers, pointing boldly back to websites
> hosted in Wiltel space.
> 
> OrgAbuseHandle: WAC18-ARIN
> OrgAbuseName:   Wiltel Abuse Contact
> OrgAbusePhone:  +1-918-547-2000
> OrgAbuseEmail:  [EMAIL PROTECTED]
> 
> Messages to [EMAIL PROTECTED] are being rejected.
> 
> This phone number goes to their "conferencing group", which
> doesn't know what 'abuse' is, or even what an IP network is.
> 
> I went through 4 levels of management, and was informed that
> they no longer had an abuse team -- that this was disbanded
> in a recent reorganization.
> 
> In short, it would appear that Wiltel is now selling pink contracts.

Or perhaps there's a more reasonable explanation, like being assimilated
with Level3 and perhaps some contact info is a little stale at this
point in the merger process...  Never attribute to malfeasance what can
be explained by everyday corporate bureaucracy.

Andrew Cruse




RE: Security problem in PPPoE connection

2006-03-13 Thread James R. Cutler


At 3/13/2006 11:16 AM -0800, Bora Akyol wrote:

> Any info on percentages of users that use routers vs Windows boxes?

Almost 100% of Careful Windows Users use routers.
Almost 100% of Potential Victims connect directly.
Now, you really meant to ask, what is the ratio of Victims to
Careful.  Too big, whatever it is.

-
James R. Cutler
[EMAIL PROTECTED]




RE: Security problem in PPPoE connection

2006-03-13 Thread Bora Akyol

Any info on percentages of users that use routers vs Windows boxes? 


> 
> Microsoft has some suggestions for configuring PPPOE for MS-Windows.
> 
> http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/pppoe.mspx
> 
> A problem is many of your customers won't follow the 
> directions, and may still be vulnerable to man-in-the-middle 
> attacks for the login if they don't disable PAP. Because 
> things will appear to work, i.e. Windows will use CHAP first 
> and fallback to PAP, your customers may not notice when an 
> attack does occur.
> 
> Although PPPOE is a layer 2 protocol, the user data may be 
> vulnerable to many of the same ethernet CAM table, denial of 
> service and sniffing weaknesses even if the login credentials 
> are kept secret with CHAP (or more advanced EAP options).  
> PPPOE and PPP tend to assume the access networks are 1) 
> "free" and 2) "secure."  This may be constrained using 
> point-to-point connections, but often require additional 
> configuration of multi-access networks.
> 
> The configuration details will vary by equipment vendor.  But 
> you should find some good information by doing a few web 
> searches for metro ethernet security, private vlan, broadcast 
> security.
> 
> 



Re: Security problem in PPPoE connection

2006-03-13 Thread Sean Donelan

On Mon, 13 Mar 2006, Joe Shen wrote:
> > > What's your method to deal with such problem? Will CHAP in PPPoE help?
> >
> > That may help against password sniffing but won't help against sniffing
> > traffic by an active attacker once the session has been established.
> > Also, you'll have to revisit all CPE to explicitly disable PAP, or an
> > active attacker could still steal the password if he impersonates the
> > real PPPoE server.
>
> If we enable CHAP on the BRAS, is it enough to ask subscribers to enable
> CHAP on the MS-Windows dial-up connection or on Linux?  Do we need to
> install some other tools?

Microsoft has some suggestions for configuring PPPOE for MS-Windows.

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/pppoe.mspx

A problem is many of your customers won't follow the directions, and may
still be vulnerable to man-in-the-middle attacks for the login if they
don't disable PAP. Because things will appear to work, i.e. Windows will
use CHAP first and fallback to PAP, your customers may not notice when an
attack does occur.

Although PPPOE is a layer 2 protocol, the user data may be vulnerable to
many of the same ethernet CAM table, denial of service and sniffing
weaknesses even if the login credentials are kept secret with CHAP (or
more advanced EAP options).  PPPOE and PPP tend to assume the access
networks are 1) "free" and 2) "secure."  This may be constrained using
point-to-point connections, but often require additional configuration
of multi-access networks.

The configuration details will vary by equipment vendor.  But you should
find some good information by doing a few web searches for metro ethernet
security, private vlan, broadcast security.
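An added example, not Sean's or Microsoft's code, modelling the LCP authentication choice from the client's side to make concrete why the "disable PAP" step matters: under the Windows default policy (CHAP first, PAP fallback) a peer that offers only PAP receives the password in the clear, while with PAP disabled the client refuses and the link never comes up. The PAP/CHAP option values and the MD5-CHAP response formula are from RFC 1334 and RFC 1994; the policy sets and the wire layout are a simplified model, not a packet encoder.

```python
import hashlib
import os

# LCP Authentication-Protocol option values (RFC 1661 / RFC 1334 / RFC 1994).
PAP = 0xC023
CHAP = 0xC223

# Client policies as a simplified model: the Windows default described above
# (CHAP preferred, PAP still acceptable) versus the hardened profile.
WINDOWS_DEFAULT = {CHAP, PAP}
PAP_DISABLED = {CHAP}


def client_accepts(proposed, allowed):
    """Client side of LCP negotiation: the access concentrator proposes an
    authentication protocol; the client ACKs it only if local policy permits
    it, otherwise it refuses (Configure-Nak) and no session is established."""
    return proposed if proposed in allowed else None


def chap_response(ident, secret, challenge):
    """MD5-CHAP response per RFC 1994: MD5(Identifier || secret || Challenge).
    Only the hash crosses the wire; the secret itself never does."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def authenticate(proposed, allowed, username, secret, ident=1, challenge=None):
    """What the client emits for authentication under the given policy.
    'exposed' is True when the shared secret is transmitted in the clear."""
    chosen = client_accepts(proposed, allowed)
    if chosen is None:
        return {"auth": None, "exposed": False, "wire": b""}
    if chosen == PAP:
        # PAP Authenticate-Request carries Peer-ID and Password in cleartext.
        return {"auth": "PAP", "exposed": True, "wire": username + b":" + secret}
    challenge = challenge or os.urandom(16)   # authenticator-chosen nonce
    resp = chap_response(ident, secret, challenge)
    return {"auth": "CHAP", "exposed": False, "wire": username + b":" + resp}


def secret_leaks(proposed, allowed, secret=b"s3cret-pw"):
    """Policy check: does accepting this peer's proposal put the secret on the wire?"""
    out = authenticate(proposed, allowed, b"user", secret, challenge=b"\x00" * 16)
    return out["exposed"] and secret in out["wire"]
```

The same check applied to a CPE fleet's dial-up profiles is the audit Sean describes: any profile that still lists PAP as acceptable fails it.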


Need remote hands in Marin (San Rafael, CA)

2006-03-13 Thread chuck goolsbee


Familiarity with Copper Mountain Copper Edge 150 DSLAM a bonus.

Will exchange cash or  at a future 
NANOG meeting for assistance.



Call or email if available:
p. 206-838-1630, option 1, ext 2001

e. [EMAIL PROTECTED]

Thanks,

--chuck goolsbee, digital.forest, seattle