Re: Fwd: 41/8 announcement
william(at)elan.net wrote: On Wed, 24 May 2006, Richard Mikisa wrote: Well, the noise helped some. We now have connectivity to fastweb net. How was that achieved if their users still are within 41/8 locally? Can't be sure what they did, but I received an e-mail asking me to check on my connectivity to them and well, it worked. From e-mails received, turns out they have known about this for awhile now but just didn't want to foot the cost of re-numbering. They claim the clean-up work is on-going. -- Richard
Re: Fwd: 41/8 announcement
well they're not really hijacking it - as in they are not announcing it or affecting unrelated networks on the internet. It's no different than a private firewall/security policy, except we know they're doing it because they're broken, not because they intend to be denying connectivity to those networks. Steve On Wed, May 24, 2006 at 10:31:24AM +, [EMAIL PROTECTED] wrote: so how many ISPs will shun fastweb for hijacking address space? (please do -NOT- respond, it's a rhetorical question...) --bill On Wed, May 24, 2006 at 11:37:12AM +0300, Richard Mikisa wrote: This came in from someone in Italy.. -- Forwarded message -- From: * Date: May 24, 2006 11:15 AM Subject: Re: 41/8 announcement To: [EMAIL PROTECTED] Turns out the folks at fastweb (Italy) NAT their ADSL clients but instead of using the RFC 1918 space like most people, they use unassigned global /8s. Well, 41/8 is one of their NATted allocations for Turin. No amount of emails will get them to respond; calling isn't any better as I get only Italian speaking people at the other end. Any ideas out there? Yes: you lose, sorry. :-) Many of their networking people are less than clueful, and I fear that they are not going to renumber a whole city just to let their customers communicate with a few African networks... Let me know if you need more information. (Feel free to repost this if needed, but please remove my name.) -- ciao, *** -- cheers Richard -- Stephen J. Wilcox BSc (Hons). CCIE #10730 Technical Director, Telecomplete http://www.telecomplete.co.uk/
Re: Black Frog - the botnets keep coming
On Thu, 25 May 2006, Sean Donelan wrote: On Thu, 25 May 2006, Gadi Evron wrote: I hate for this to be a quote by me, but Super Worms which steal credit card, account data, login info, etc. for banks, credit card companies and ecommerce sites online number at the millions a day. Including repeat customers. As to single banks, forget my numbers for a second, I am willing to accept yours for the sake of argument (we can argue digits over the phone). A million in losses a day is enough. According to you, 500,000 bots a day and $1,000,000 in losses a day; so there is about 50 cents of potential savings per bot to pay for fixing those computers. How much does it cost to repair the average compromised computer? For some people it's cheaper to buy a new computer than to fix the old one. I don't believe most of the numbers published, but let's use some other people's numbers. One consulting firm estimates $2 Billion in losses a year. That results in less than $10 of savings per new bot (assuming 500,000/day) to fix the computers. If there are even more bots, the numbers just get worse. For comparison, Cardweb's estimate of credit card fraud is about $14 Billion in 2004. Merchants are hit with about 90% of credit card fraud, and banks about 10%. CFCA's estimate for telecommunications fraud is about $55-60 Billion in 2003. Regardless of the numbers, I think we are currently stuck in a very nasty spot: 1. Reduce the cost of fixing/protecting a computer 2. or increase the losses from compromised computers. Either way, the consumer will eventually end up paying for it. Indeed, but even worse. The problem is moving to the user side. Regular type fake site phishing is going to be with us for a long time yet but several of the organized crime groups involved are hard at work releasing Trojan horses using root kit technology daily, which basically steal your credentials to every HTTPS site you enter, and report home.
How do banks, ISPs, or whoever else defend from the problem moving to the user side? That is a very interesting question indeed. :) Gadi.
Re: Black Frog - the botnets keep coming
Gadi Evron wrote: [...] Regular type fake site phishing is going to be with us for a long time yet but several of the organized crime groups involved are hard at work releasing Trojan horses using root kit technology daily, which basically steal your credentials to every HTTPS site you enter, and report home. How do banks, ISPs, or whoever else defend from the problem moving to the user side? That is a very interesting question indeed. :) Over here some banks issue customers a password token device that uses a combination of your card, a number sent by the web site and a PIN to generate a one-time password. It seems a reasonable system, and isn't really new technology. However, while bank web site security may be on-topic for other lists I suspect it's wandering off-topic for NANOG. Regards, -- leo vegoda Registration Services Manager RIPE NCC
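The token scheme Leo sketches (card + number sent by the site + PIN gives a one-time password) is a challenge-response OTP. The block below is an added illustration of that idea in Python and is not any bank's actual scheme nor code from this thread: the key derivation from card secret and PIN, the HMAC-SHA256 MAC, the 8-digit truncation (borrowed from HOTP, RFC 4226) and the constructed card secret are all assumptions. It also shows why such a token helps against the credential-stealing trojans Gadi describes: a captured OTP cannot be replayed against a fresh challenge.

```python
import hashlib
import hmac
import secrets

# Illustrative challenge-response token (added example, not a real bank's
# scheme).  All parameters below are assumptions for demonstration.
OTP_DIGITS = 8


def card_key(card_secret: bytes, pin: str) -> bytes:
    """Derive the per-card key from the card's secret and the user's PIN.

    Binding the PIN into the key means a stolen card alone yields the wrong
    OTP, and a wrong PIN is indistinguishable from a wrong card.
    """
    return hashlib.sha256(card_secret + b"|" + pin.encode()).digest()


def token_response(card_secret: bytes, pin: str, challenge: str) -> str:
    """What the handheld token computes for the number the web site displayed."""
    mac = hmac.new(card_key(card_secret, pin), challenge.encode(), hashlib.sha256).digest()
    # Dynamic truncation to a fixed number of decimal digits (HOTP-style).
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10**OTP_DIGITS:0{OTP_DIGITS}d}"


class BankServer:
    """Server side: issues one fresh challenge per login attempt and checks the answer."""

    def __init__(self, enrolled: dict):
        # enrolled: account -> (card_secret, pin) as recorded at enrolment
        self._enrolled = enrolled
        self._pending = {}
        self._last = {}

    def new_challenge(self, account: str) -> str:
        # Never reissue the previous challenge, so a captured OTP is useless.
        while True:
            challenge = f"{secrets.randbelow(10**8):08d}"
            if challenge != self._last.get(account):
                break
        self._last[account] = challenge
        self._pending[account] = challenge
        return challenge

    def verify(self, account: str, otp: str) -> bool:
        challenge = self._pending.pop(account, None)  # single use
        if challenge is None:
            return False
        card_secret, pin = self._enrolled[account]
        expected = token_response(card_secret, pin, challenge)
        return hmac.compare_digest(expected, otp)


def demo() -> dict:
    """Constructed scenario: a legitimate login, a replay of the captured OTP, a wrong PIN."""
    secret = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed card secret
    bank = BankServer({"alice": (secret, "1234")})

    c1 = bank.new_challenge("alice")
    otp1 = token_response(secret, "1234", c1)
    first_login = bank.verify("alice", otp1)

    # A trojan that captured otp1 tries it against the next challenge.
    bank.new_challenge("alice")
    replay = bank.verify("alice", otp1)

    # Right card, wrong PIN.
    c3 = bank.new_challenge("alice")
    wrong_pin = bank.verify("alice", token_response(secret, "9999", c3))

    return {"first_login": first_login, "replay": replay, "wrong_pin": wrong_pin}
```

The caveat a practitioner would add: this defeats replay of captured credentials, but a trojan sitting in the browser can still relay the OTP in real time and ride the one session it buys, which is exactly the user-side problem the thread is worried about.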
Re: AS12874 - FASTWEB
[EMAIL PROTECTED] (Marco d'Itri) writes: On May 24, Suresh Ramasubramanian [EMAIL PROTECTED] wrote: Fastweb seems to think 41/8 is a dsl pool for its users in Turin Indeed. But that list is a bit old, they are also using 59/8 (in use in the APNIC region) and a few private DoD networks like 26/8 and 29/8: http://plany.fasthosting.it/dbmap.asp?table=Mappatura Some customers tried complaining, but I understand that this did not have any effect. I take it that this means we can use any ip range allocated to Fastweb as if it were RFC1918 space, including the necessary border filters? Bjørn
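The operational point of this thread is that an inside NAT pool drawn from anything other than RFC 1918 space shadows whoever is later allocated that space (41/8 to AfriNIC, 59/8 in the APNIC region). The following Python is an added check, not code from the thread or from Fastweb: it classifies each pool and lists which destinations a customer behind such a NAT can no longer reach. The pool list is the one named in the messages above plus 10/8 for contrast; the destination addresses are constructed samples.

```python
import ipaddress

# Added example.  RFC 1918 is the only IPv4 space an inside NAT pool can be
# safely drawn from (RFC 6598's 100.64.0.0/10 for carrier NAT came later).
RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Pools named in the thread (which city uses which is not known beyond
# "41/8 is Turin"), plus a proper private pool for comparison.
SAMPLE_POOLS = ["41.0.0.0/8", "59.0.0.0/8", "26.0.0.0/8", "29.0.0.0/8", "10.0.0.0/8"]


def classify_pool(prefix: str) -> str:
    """'rfc1918' when the whole pool lies inside private-use space, else 'shadows-public'.

    A pool that merely contains RFC 1918 space (172.0.0.0/8, say) still
    shadows public addresses and is reported as such.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    if any(net.subnet_of(r) for r in RFC1918):
        return "rfc1918"
    return "shadows-public"


def audit_pools(pools) -> dict:
    """Quick operator check: classification per pool."""
    return {p: classify_pool(p) for p in pools}


def unreachable_destinations(pools, destinations) -> dict:
    """Destinations inside a public-address pool, mapped to the pool that shadows them.

    Behind such a NAT these addresses route to inside customers, so the
    legitimate holders of the space are unreachable from the whole city.
    """
    public_pools = [ipaddress.ip_network(p, strict=False) for p in pools
                    if classify_pool(p) == "shadows-public"]
    shadowed = {}
    for dst in destinations:
        addr = ipaddress.ip_address(dst)
        for net in public_pools:
            if addr in net:
                shadowed[dst] = str(net)
                break
    return shadowed
```

Run against the constructed destinations 41.10.20.30, 196.1.2.3 and 59.100.1.1, the first and last are reported as shadowed by 41.0.0.0/8 and 59.0.0.0/8 respectively, while 196.1.2.3 is untouched; a destination inside 10/8 is not reported, since that pool is legitimately private.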
BGP Update Report
BGP Update Report
Interval: 16-May-06 -to- 16-May-06 (0 days)
Observation Point: BGP Peering with AS4637

TOP 20 Unstable Origin AS
Rank  ASN       Upds   %     Upds/Pfx  AS-Name
 1 -  AS855     25437  2.4%     44.7   -- CANET-ASN-4 - Aliant Telecom
 2 -  AS17430   21625  2.1%    655.3   -- GWBN-CHENGDU Great Wall Broadband Network Service Co.,Ltd
 3 -  AS9121    21139  2.0%     35.3   -- TTNET TTnet Autonomous System
 4 -  AS10139   10601  1.0%     76.3   -- MERIDIAN-PH-AP Meridian Telekoms
 5 -  AS11492    9701  0.9%     18.3   -- CABLEONE - CABLE ONE
 6 -  AS17974    9449  0.9%     27.2   -- TELKOMNET-AS2-AP PT TELEKOMUNIKASI INDONESIA
 7 -  AS9940     9425  0.9%    162.5   -- WOLCST-AS-AP World online AS, Cybersoft Technologies.
 8 -  AS2386     9108  0.9%     10.3   -- INS-AS - ATT Data Communications Services
 9 -  AS15611    8893  0.8%    109.8   -- Iranian Research Organisation
10 -  AS3475     8816  0.8%    629.7   -- LANT-AFLOAT - NCTAMS LANT DET HAMPTON ROADS
11 -  AS4795     8760  0.8%     41.7   -- INDOSAT2-ID INDOSATNET-ASN
12 -  AS17557    7661  0.7%     20.0   -- PKTELECOM-AS-AP Pakistan Telecom
13 -  AS33766    7521  0.7%    358.1   -- NYALA-COMMUNICATIONS-PTY-LTD NYALA-COMMUNICATIONS-PTY-LTD
14 -  AS5803     7007  0.7%     92.2   -- DDN-ASNBLK - DoD Network Information Center
15 -  AS9425     6883  0.7%    112.8   -- CONCENTRIX-PH-AS-AP Concentrix Technologies, Inc
16 -  AS7018     6760  0.7%      9.7   -- ATT-INTERNET4 - ATT WorldNet Services
17 -  AS702      6650  0.6%     27.1   -- AS702 MCI EMEA - Commercial IP service provider in Europe
18 -  AS680      6438  0.6%     26.5   -- DFN-IP service G-WiN
19 -  AS23918    6304  0.6%     49.6   -- CBB-BGP-IBARAKI Connexion By Boeing Ibaraki AS
20 -  AS25233    5904  0.6%     79.8   -- AWALNET-ASN Autonomus System number for Awalnet

TOP 20 Unstable Origin AS (Updates per announced prefix)
Rank  ASN       Upds   %     Upds/Pfx  AS-Name
 1 -  AS21027    3127  0.3%   3127.0   -- ASN-PARADORES PARADORES Autonomous System
 2 -  AS3043     2607  0.2%   2607.0   -- AMPHIB-AS - Amphibian Media Corporation
 3 -  AS19982    4923  0.5%   1230.8   -- TOWERSTREAM-PROV - Towerstream
 4 -  AS36877    2444  0.2%   1222.0   --
 5 -  AS14410    5565  0.5%   1113.0   -- DALTON - MCM, Inc., DBA: [EMAIL PROTECTED]
 6 -  AS34382     916  0.1%    916.0   -- ASSYRUS-SRL-AS Assyrus Srl Maintainer
 7 -  AS16705    1704  0.2%    852.0   -- STORAGEAPPS - Storage Apps Inc.
 8 -  AS22988     840  0.1%    840.0   -- CAMBARASN1 - Cameron and Barkley Company
 9 -  AS34378     836  0.1%    836.0   -- RUG-AS Razguliay-UKRROS Group
10 -  AS36000     786  0.1%    786.0   -- NHA-ASN1 - Northern Health Authority
11 -  AS23607    1973  0.2%    657.7   -- ITXPRESS-AS-AP itXpress Pty Ltd. Network AS ISP and DSL
12 -  AS17430   21625  2.1%    655.3   -- GWBN-CHENGDU Great Wall Broadband Network Service Co.,Ltd
13 -  AS35339     655  0.1%    655.0   -- CZ-AS Clemens Zauner
14 -  AS3475     8816  0.8%    629.7   -- LANT-AFLOAT - NCTAMS LANT DET HAMPTON ROADS
15 -  AS3319     3038  0.3%    607.6   -- KSNET KSNet
16 -  AS33871    5823  0.6%    582.3   -- NORILSK-TELECOM-AS Norilsk-Telecom Ltd.
17 -  AS7442      577  0.1%    577.0   -- FEDERATED-CA-ASN - Federated Insurance Company of Canada
18 -  AS21944    1723  0.2%    574.3   -- DTSI-1 - Data Technology Services Inc.
19 -  AS36715     571  0.1%    571.0   -- GSA-ASN - GLOBAL SECURITIES ADVISORS LLC
20 -  AS18173     556  0.1%    556.0   -- AKU-AS-PK Aga Khan University

TOP 20 Unstable Prefixes
Rank  Prefix            Upds   %     Origin AS -- AS Name
 1 -  211.162.88.0/21   5405  0.4%   AS17430 -- GWBN-CHENGDU Great Wall Broadband Network Service Co.,Ltd
 2 -  220.114.32.0/21   5395  0.4%   AS17430 -- GWBN-CHENGDU Great Wall Broadband Network Service Co.,Ltd
 3 -  81.212.141.0/24   3980  0.3%   AS9121  -- TTNET TTnet Autonomous System
 4 -  81.212.149.0/24   3848  0.3%   AS9121  -- TTNET TTnet Autonomous System
 5 -  152.74.0.0/16     3730  0.3%   AS11340 -- Red Universitaria Nacional
 6 -  220.114.40.0/22   3311  0.3%   AS17430 -- GWBN-CHENGDU Great Wall Broadband Network Service Co.,Ltd
 7 -  211.162.82.0/23   3309  0.3%   AS17430 -- GWBN-CHENGDU Great Wall Broadband Network Service Co.,Ltd
 8 -  211.162.84.0/22   3309  0.3%   AS17430 -- GWBN-CHENGDU Great Wall Broadband Network Service Co.,Ltd
 9 -  62.81.240.0/24    3127  0.2%   AS21027 -- ASN-PARADORES PARADORES Autonomous System
10 -  61.0.0.0/8        2993  0.2%   AS4678  -- FINE CANON NETWORK COMMUNICATIONS INC.
11 -  209.140.24.0/24   2607  0.2%   AS3043  -- AMPHIB-AS - Amphibian Media Corporation
12 -  195.175.82.0/23   2333  0.2%   AS9121  -- TTNET TTnet Autonomous System
13 -
The Cidr Report
This report has been generated at Fri May 26 21:54:13 2006 AEST. The report analyses the BGP Routing Table of an AS4637 (Reach) router and generates a report on aggregation potential within the table. Check http://www.cidr-report.org/as4637 for a current version of this report.

Recent Table History
  Date       Prefixes   CIDR Agg
  19-05-06     184902     121903
  20-05-06     185014     121753
  21-05-06     184990     121700
  22-05-06     184924     122087
  23-05-06     185186     122046
  24-05-06     185090     122143
  25-05-06     185297     122155
  26-05-06     185408     122244

AS Summary
         6  Number of ASes in routing system
      9303  Number of ASes announcing only one prefix
      1482  Largest number of prefixes announced by an AS
            AS7018 : ATT-INTERNET4 - ATT WorldNet Services
  91495424  Largest address span announced by an AS (/32s)
            AS721  : DLA-ASNBLOCK-AS - DoD Network Information Center

Aggregation Summary
The algorithm used in this report proposes aggregation only when there is a precise match using the AS path, so as to preserve traffic transit policies. Aggregation is also proposed across non-advertised address space ('holes').

--- 26May06 ---
ASnum     NetsNow  NetsAggr  NetGain  % Gain  Description
Table      185562    122279    63283   34.1%  All ASes
AS4323       1290       261     1029   79.8%  TWTC - Time Warner Telecom, Inc.
AS4134       1181       283      898   76.0%  CHINANET-BACKBONE No.31,Jin-rong Street
AS18566       940       158      782   83.2%  COVAD - Covad Communications Co.
AS721        1001       311      690   68.9%  DLA-ASNBLOCK-AS - DoD Network Information Center
AS22773       656        47      609   92.8%  CCINET-2 - Cox Communications Inc.
AS4755        857       319      538   62.8%  VSNL-AS Videsh Sanchar Nigam Ltd. Autonomous System
AS7018       1482       961      521   35.2%  ATT-INTERNET4 - ATT WorldNet Services
AS6197       1005       486      519   51.6%  BATI-ATL - BellSouth Network Solutions, Inc
AS19916       563        65      498   88.5%  ASTRUM-0001 - OLM LLC
AS855         553        64      489   88.4%  CANET-ASN-4 - Aliant Telecom
AS17488       513        47      466   90.8%  HATHWAY-NET-AP Hathway IP Over Cable Internet
AS3602        539       110      429   79.6%  AS3602-RTI - Rogers Telecom Inc.
AS9498        566       149      417   73.7%  BBIL-AP BHARTI BT INTERNET LTD.
AS18101       411        28      383   93.2%  RIL-IDC Reliance Infocom Ltd Internet Data Centre,
AS15270       426        50      376   88.3%  AS-PAETEC-NET - PaeTec.net -a division of PaeTecCommunications, Inc.
AS17676       486       110      376   77.4%  JPNIC-JP-ASN-BLOCK Japan Network Information Center
AS4766        655       307      348   53.1%  KIXS-AS-KR Korea Telecom
AS11492       611       269      342   56.0%  CABLEONE - CABLE ONE
AS22047       417        76      341   81.8%  VTR BANDA ANCHA S.A.
AS812         368        29      339   92.1%  ROGERS-CABLE - Rogers Cable Inc.
AS6467        385        52      333   86.5%  ESPIRECOMM - Xspedius Communications Co.
AS19262       660       355      305   46.2%  VZGNI-TRANSIT - Verizon Internet Services Inc.
AS16852       355        51      304   85.6%  FOCAL-CHICAGO - Focal Data Communications of Illinois
AS8151        705       406      299   42.4%  Uninet S.A. de C.V.
AS6167        343        64      279   81.3%  CELLCO-PART - Cellco Partnership
AS3352        308        30      278   90.3%  TELEFONICA-DATA-ESPANA Internet Access Network of TDE
AS14654       291        15      276   94.8%  WAYPORT - Wayport
AS5668        529       254      275   52.0%  AS-5668 - CenturyTel Internet Holdings, Inc.
AS16814       330        59      271   82.1%  NSS S.A.
AS6198        509       242      267   52.5%  BATI-MIA - BellSouth Network
Re: AS12874 - FASTWEB
Bjørn Mork wrote: [EMAIL PROTECTED] (Marco d'Itri) writes: On May 24, Suresh Ramasubramanian [EMAIL PROTECTED] wrote: Fastweb seems to think 41/8 is a dsl pool for its users in Turin Indeed. But that list is a bit old, they are also using 59/8 (in use in the APNIC region) and a few private DoD networks like 26/8 and 29/8: http://plany.fasthosting.it/dbmap.asp?table=Mappatura Some customers tried complaining, but I understand that this did not have any effect. I take it that this means we can use any ip range allocated to Fastweb as if it were RFC1918 space, including the necessary border filters? Bjørn Bjørn, I'd personally contract to build a moat around their NOC for Homeland Security reasons using as many backhoes as I could get on short notice. Andrew
Are botnets relevant to NANOG?
In recent discussions about botnets, some people maintained that botnets (and viruses and worms) are really not a relevant topic for NANOG discussion and are not something that we should be worried about. I think that the CSI and FBI would disagree with that. In a press release announcing the last CSI/FBI survey http://www.gocsi.com/press/20050714.jhtml the following statement appears: Highlights of the 2005 Computer Crime and Security Survey include: - The total dollar amount of financial losses resulting from security breaches is decreasing, with an average loss of $204,000 per respondent-down 61 percent from last year's average loss of $526,000. - Virus attacks continue as the source of the greatest financial losses, accounting for 32 percent of the overall losses reported. - Unauthorized access showed a dramatic increase and replaced denial of service as the second most significant contributor to computer crime losses, accounting for 24 percent of overall reported losses, and showing a significant increase in average dollar loss. So where do botnets come in? First of all, botnets are used to distribute viruses, the largest source of financial losses. Second, botnets are built on what the CSI calls unauthorised access, the second largest source of loss. And denial of service, which used to be the 2nd largest, is also something that botnets do. Now NANOG members cannot change OS security, they can't change corporate security practices, but they can have an impact on botnets because this is where the nefarious activity meets the network. Therefore, I conclude that discussions of botnets do belong on the NANOG list as long as the NANOG list is not used as a primary venue for discussing them. One thing that surveys, such as the CSI/FBI Security Survey, cannot do well is to measure the impact of botnet researchers and the people who attempt to shut down botnets. It's similar to the fight against terrorism. 
I know that there have been 2 terrorist attacks on London since 9/11 but I don't know HOW MANY ATTACKS HAVE BEEN THWARTED. At least two have been publicised but there could be dozens more. Cleaning up botnets is rather like fighting terrorism. At the end, you have nothing to show for it. No news coverage, no big heaps of praise. Most people aren't sure there was ever a problem to begin with. That doesn't mean that the work should stop or that network providers should withhold their support for cleaning up the botnet problem. --- Michael Dillon Capacity Management, 66 Prescot St., London, E1 8HG, UK Mobile: +44 7900 823 672 Internet: [EMAIL PROTECTED] Phone: +44 20 7650 9493 Fax: +44 20 7650 9030 http://www.btradianz.com One Community One Connection One Focus
Re: AS12874 - FASTWEB
http://plany.fasthosting.it/dbmap.asp?table=Mappatura I take it that this means we can use any ip range allocated to Fastweb as if it were RFC1918 space, including the necessary border filters? I'd personally contract to build a moat around their NOC for Homeland Security reasons using as many backhoes as I could get on short notice. I would strongly advise against such actions. European governments take a dim view of terrorist activities and some countries such as Italy are particularly sensitive about this. I'm surprised that an American on an Internet operations mailing list would be promoting terrorist activity in another NATO member country. In any case, you can't CONTRACT to do this. The law does not consider an agreement to perform illegal acts to be a contract. The action you describe is clearly illegal, therefore it cannot be contracted for. --Michael Dillon P.S. this is NANOG, not IRC
Re: Fwd: 41/8 announcement
On Fri, 26 May 2006, Mikisa Richard wrote: Can't be sure what they did, but I received an e-mail asking me to check on my connectivity to them and well, it worked. Presumably they're double-natting. I had to do that once for Y2K compliance for three large governmental networks that were all statically addressed in net-10 and wouldn't/couldn't renumber in time. In fact, there were _specific hosts_ which had the same IP address, and _had to talk to each other_. Gross. But it can be done. -Bill
Re: Are botnets relevant to NANOG?
[EMAIL PROTECTED] wrote: In recent discussions about botnets, some people maintained that botnets (and viruses and worms) are really not a relevant topic for NANOG discussion and are not something that we should be worried about. I think that the CSI and FBI would disagree with that. Some people need whatever bandwidth they can get for ranting. Of course routing reports, virus reports and botnet bgp statistics take away a lot of valuable bandwidth that could otherwise be used for nagging. On the other hand without Gadi's howling for the wolves those wolves might be a lost species and without the wolves all the nagging and ranting would make less fun. Now NANOG members cannot change OS security, they can't change corporate security practices, but they can have an impact on botnets because this is where the nefarious activity meets the network. They can. All you have to do is look for free software and join the developers or the testers or report whatever you have found out. When working for Exodus and GLC I have seen I could change security practices. I was working in London, Munich and Frankfurt NOCs. Sorry I did not know about NANOG at that time. It would have made my life a lot more interesting. Therefore, I conclude that discussions of botnets do belong on the NANOG list as long as the NANOG list is not used as a primary venue for discussing them. Botnets are networks. We should have the network operators on the NANOG list. (I am afraid we do already have them :) One thing that surveys, such as the CSI/FBI Security Survey, cannot do well is to measure the impact of botnet researchers and the people who attempt to shut down botnets. It's similar to the fight against terrorism. I know that there have been 2 terrorist attacks on London since 9/11 but I don't know HOW MANY ATTACKS HAVE BEEN THWARTED. At least two have been publicised but there could be dozens more. Cleaning up botnets is rather like fighting terrorism. At the end, you have nothing to show for it.
No news coverage, no big heaps of praise. Most people aren't sure there was ever a problem to begin with. That doesn't mean that the work should stop or that network providers should withhold their support for cleaning up the botnet problem. Maybe it is high time for a transparent frog. Invisible for secure systems but as soon as one of the bots tries to infect it, it will ... In case you are not Gadi or working for Gadi, feel free to ignore the transparent frog. I have never met one :) Cheers Peter and Karin -- Peter and Karin Dambier Cesidian Root - Radice Cesidiana Graeffstrasse 14 D-64646 Heppenheim +49(6252)671-788 (Telekom) +49(179)108-3978 (O2 Genion) +49(6252)750-308 (VoIP: sipgate.de) mail: [EMAIL PROTECTED] mail: [EMAIL PROTECTED] http://iason.site.voila.fr/ https://sourceforge.net/projects/iason/
Re: Fwd: 41/8 announcement
On Fri, 26 May 2006, Bill Woodcock wrote: On Fri, 26 May 2006, Mikisa Richard wrote: Can't be sure what they did, but I received an e-mail asking me to check on my connectivity to them and well, it worked. Presumably they're double-natting. I had to do that once for Y2K compliance for three large governmental networks that were all statically addressed in net-10 and wouldn't/couldn't renumber in time. In fact, there were _specific hosts_ which had the same IP address, and _had to talk to each other_. Gross. But it can be done. Please explain how. I simply can't imagine my computer communicating with another one with exactly the same IP address - the packet would never leave it. The only way I see to achieve this is to have a DNS resolver on the fly convert remote addresses from the same network into some other network and then NAT from those other addresses. -- William Leibzon Elan Networks [EMAIL PROTECTED]
Re: Fwd: 41/8 announcement
On Fri, 26 May 2006, william(at)elan.net wrote: The only way I see to achieve this is to have dns resolver on the fly convert remote addresses from same network into some other network and then NAT from those other addresses. Split-horizon DNS, external to the clients, but basically, yes. Like I said, horrifically gross. -Bill
Re: Are botnets relevant to NANOG?
Some people need whatever bandwidth they can get for ranting. Of course routing reports, virus reports and botnet bgp statistics take away a lot of valuable bandwidth that could otherwise be used for nagging. On the other hand without Gadi's howling for the wolves those wolves might be a lost species and without the wolves all the nagging and ranting would make less fun. Let's see, should we be concerned? Here are a few interesting tables; the cnt column is new IP addresses we have seen in the last 5 days. The first table is Tier-2 ASNs as classified by Fontas's ASN Taxonomy paper [1]. The second table is Universities. The ASNs concerned are just those announced by orgs in the USA, so as to imply that they should be on NANOG. Let me say it again: the counts are NEW observations in the last 5 days. Also note I'm not Gadi, and I've got much more data on everyone's networks. -rick

New compromised unique IP addresses (last 5 days), Tier-2 ASN
+-------+------------------------------------+-------+
| asnum | asname                             | cnt   |
+-------+------------------------------------+-------+
| 19262 | Verizon Internet Services          | 35790 |
| 20115 | Charter Communications             |  4453 |
|  8584 | Barak AS                           |  3930 |
|  5668 | CenturyTel Internet Holdings, Inc. |  2633 |
| 12271 | Road Runner                        |  2485 |
| 22291 | Charter Communications             |  2039 |
|  8113 | VRIS Verizon Internet Services     |  1664 |
|  6197 | BellSouth Network Solutions, Inc   |  1634 |
|  6198 | BellSouth Network Solutions, Inc   |  1531 |
|  9325 | XTRA-AS Telecom XTRA, Auckland     |  1415 |
| 11351 | Road Runner                        |  1415 |
|  6140 | ImpSat                             |  1051 |
|  7021 | Verizon Internet Services          |   961 |
|  6350 | Verizon Internet Services          |   945 |
| 19444 | CHARTER COMMUNICATIONS             |   845 |
+-------+------------------------------------+-------+

Universities, new unique IP addresses (last 5 days)
+-------+--------------------------------+-----+
| asnum | left(asname,30)                | cnt |
+-------+--------------------------------+-----+
|    14 | Columbia University            |  93 |
|     3 | MIT-2 Massachusetts Institute  |  45 |
|    73 | University of Washington       |  25 |
|  7925 | West Virginia Network for Educ |  24 |
|  4385 | RIT-3 Rochester Institute of T |  20 |
| 23369 | SCOE-5 Sonoma County Office of |  19 |
|  5078 | Oklahoma Network for Education |  18 |
|  3388 | UNM University of New Mexico   |  18 |
|    55 | University of Pennsylvania     |  13 |
|   159 | The Ohio State University      |  12 |
|   104 | University of Colorado at Boul |  12 |
|  4265 | CERFN California Education and |  11 |
|   693 | University of Notre Dame       |  10 |
|  2900 | Arizona Tri University Network |   9 |
|  2637 | Georgia Institute of Technolog |   9 |
+-------+--------------------------------+-----+

[1] http://www.ece.gatech.edu/research/labs/MANIACS/as_taxonomy/
Re: Fwd: 41/8 announcement
On Fri, May 26, 2006 at 07:44:04AM -0700, william(at)elan.net wrote: On Fri, 26 May 2006, Bill Woodcock wrote: On Fri, 26 May 2006, Mikisa Richard wrote: Can't be sure what they did, but I received an e-mail asking me to check on my connectivity to them and well, it worked. Presumably they're double-natting. I had to do that once for Y2K compliance for three large governmental networks that were all statically addressed in net-10 and wouldn't/couldn't renumber in time. In fact, there were _specific hosts_ which had the same IP address, and _had to talk to each other_. Gross. But it can be done. Please explain how. I simply can't imagine my computer communicating with another one with exactly the same IP address - the packet would never leave it. The only way I see to achieve this is to have a DNS resolver on the fly convert remote addresses from the same network into some other network and then NAT from those other addresses. Here's how with dual proxies. Presumably dual NATs use multiple IPs from different parts of the intermediary network.

       proxy1-----------+        +-----------proxy2
        |.1             |.1    .2|              |.1
  ====10.0.0.0/24====   =x.y.z.0/24=   ====10.0.0.0/24====
        |.15                                    |.15
       host                                   server

If you are using a good mail reader, the above ASCII art will come through unscathed. If it does not come through unscathed, you are not using a good mail reader. ;-)

net1: 10.0.0.0/24
  host   = 10.0.0.15
  proxy1 = 10.0.0.1
net2: x.y.z.0/24 (NOT 10.0.0.0)
  proxy1 = x.y.z.1
  proxy2 = x.y.z.2
net3: 10.0.0.0/24 [it used to belong to the guy down the block but i bought it at a garage sale and had to merge the two networks]
  proxy2 = 10.0.0.1
  server = 10.0.0.15

Host has proxy set to 10.0.0.1. Rather than resolving server, it sends a Web query for http://server/ to 10.0.0.1. Proxy1 gets it. It has been told that server is on the other side of proxy2. Rather than resolving server, it forwards the Web query for http://server/ to proxy2, at x.y.z.2. Proxy2 breaks this query down, resolves server using _local_ DNS to 10.0.0.15. Sends the query to server, receives the response. Passes the response back to proxy1, which passes it back to host. Capisci? -- Joe Yao --- This message is not an official statement of OSIS Center policies.
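Bill Woodcock's "double NAT" and Joe Yao's dual-proxy layout are the same trick seen from two layers: each edge box maps its own 10.0.0.15 to a distinct address on the middle network, and split-horizon DNS hands the client the far side's alias instead of the colliding real address. The Python below is an added model of that packet flow, not code from either message: x.y.z.0/24 is stood in for by 192.0.2.0/24 (RFC 5737 documentation space), and the hosts, mapping tables and DNS views are constructed. It also encodes William's objection (a packet addressed to your own address never leaves the host) as a check.

```python
from dataclasses import dataclass, replace

# Added example: static twice-NAT between two networks that both use
# 10.0.0.0/24.  192.0.2.0/24 stands in for the thread's x.y.z.0/24.


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class NatBox:
    """One edge NAT (proxy1 or proxy2) between an inside network and the middle network.

    Outbound (inside -> middle): rewrite the source to its middle-network alias.
    Inbound  (middle -> inside): rewrite the alias destination back to the real
    inside address.  One static table serves both directions.
    """

    def __init__(self, name: str, aliases: dict):
        self.name = name
        self.to_middle = dict(aliases)                        # inside real -> middle alias
        self.to_inside = {v: k for k, v in aliases.items()}   # middle alias -> inside real

    def outbound(self, pkt: Packet) -> Packet:
        try:
            return replace(pkt, src=self.to_middle[pkt.src])
        except KeyError:
            raise ValueError(f"{self.name}: no alias for inside host {pkt.src}") from None

    def inbound(self, pkt: Packet) -> Packet:
        try:
            return replace(pkt, dst=self.to_inside[pkt.dst])
        except KeyError:
            raise ValueError(f"{self.name}: no inside host behind alias {pkt.dst}") from None


# Split-horizon DNS: the same name answers differently depending on who asks.
SPLIT_DNS = {
    "net1": {"server": "192.0.2.2"},   # clients on net1 are given proxy2's alias for server
    "net3": {"server": "10.0.0.15"},   # proxy2 resolves server against local DNS
}


def resolve(view: str, name: str) -> str:
    return SPLIT_DNS[view][name]


def can_leave_host(pkt: Packet) -> bool:
    """William's point: a packet addressed to the sender's own address is delivered locally."""
    return pkt.src != pkt.dst


PROXY1 = NatBox("proxy1", {"10.0.0.15": "192.0.2.1"})   # net1 host   <-> 192.0.2.1
PROXY2 = NatBox("proxy2", {"10.0.0.15": "192.0.2.2"})   # net3 server <-> 192.0.2.2


def round_trip() -> dict:
    """Trace one request and its reply through both boxes; (src, dst) seen on each network."""
    host = "10.0.0.15"                                   # on net1
    req1 = Packet(host, resolve("net1", "server"))       # 10.0.0.15 -> 192.0.2.2 on net1
    req2 = PROXY1.outbound(req1)                         # 192.0.2.1 -> 192.0.2.2 on net2
    req3 = PROXY2.inbound(req2)                          # 192.0.2.1 -> 10.0.0.15 on net3
    # The server answers the address it saw, which does not collide with its own.
    rep3 = Packet(req3.dst, req3.src)                    # 10.0.0.15 -> 192.0.2.1 on net3
    rep2 = PROXY2.outbound(rep3)                         # 192.0.2.2 -> 192.0.2.1 on net2
    rep1 = PROXY1.inbound(rep2)                          # 192.0.2.2 -> 10.0.0.15 on net1
    return {
        "net1_request": (req1.src, req1.dst),
        "net2_request": (req2.src, req2.dst),
        "net3_request": (req3.src, req3.dst),
        "net3_reply": (rep3.src, rep3.dst),
        "net2_reply": (rep2.src, rep2.dst),
        "net1_reply": (rep1.src, rep1.dst),
    }
```

The usual caveat applies: this only works while every name is resolved through the split-horizon view and no application carries literal addresses in its payload, which is why Joe's version proxies at the HTTP layer rather than trusting the clients to do the right thing.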
Re: Are botnets relevant to NANOG?
I think the numbers speak for themselves. - ferg -- Rick Wesson [EMAIL PROTECTED] wrote: lets see, should we be concerned? here are a few interesting tables, the cnt column is new IP addresses we have seen in the last 5 days. [...] -- Fergie, a.k.a. Paul Ferguson Engineering Architecture for the Internet [EMAIL PROTECTED] or [EMAIL PROTECTED] ferg's tech blog: http://fergdawg.blogspot.com/
Re: Are botnets relevant to NANOG?
On Fri, 26 May 2006 10:21:10 -0700 Rick Wesson [EMAIL PROTECTED] wrote: lets see, should we be concerned? here are a few interesting tables, the cnt column is new IP addresses we have seen in the last 5 days. Hi Rick, What I'd be curious to know in the numbers being thrown around if there has been any accounting of transient address usage. Since I'm spending an awful lot of time with DNS these days, I'll actually provide a cite related to that (and not simply suggest you just quote me :-). See sections 3.3.2 and 4.4 of the following: Availability, Usage and Deployment Characteristics of the Domain Name System, Internet Measurement Conference 2004, J. Pang, et. al At some point transient address pools are limited and presumably so are the possible numbers of new bots, particularly within netblocks. Is there any accounting for that? Shouldn't there be? What will the effect of doing that be on the numbers? John
Re: Black Frog - the botnets keep coming
* Gadi Evron: Ignoring is the high-road. How long are we going to cry about the Internet being a battle-ground, the wild west, or whatever else if we legitimize DDoS? The project needs to gather supporters before they can do any real damage. Reports exposing their nefarious practices are probably the best kind of publicity they can get.
Re: Are botnets relevant to NANOG?
John, The short answer is no. The longer answer is that we haven't found a reliable way to identify dynamic blocks. Should anyone point me to an authoritative source I'd be happy to do the analysis and provide some graphs on how dynamic addresses affect the numbers. Also note that we are using TCP fingerprinting in our spamtraps and expect to have some interesting results published in the August/September time frame. We won't be able to say that a block is dynamic but we will be able to better understand if we talk to the same spammer from different IP addresses and how often those addresses change. I believe that understanding our TCP fingerprinting of spam senders might be more interesting and relevant to NANOG than how dynamic address assignments discount the numbers I posted earlier. -rick John Kristoff wrote: On Fri, 26 May 2006 10:21:10 -0700 Rick Wesson [EMAIL PROTECTED] wrote: lets see, should we be concerned? here are a few interesting tables, the cnt column is new IP addresses we have seen in the last 5 days. Hi Rick, What I'd be curious to know in the numbers being thrown around is if there has been any accounting of transient address usage. Since I'm spending an awful lot of time with DNS these days, I'll actually provide a cite related to that (and not simply suggest you just quote me :-). See sections 3.3.2 and 4.4 of the following: Availability, Usage and Deployment Characteristics of the Domain Name System, Internet Measurement Conference 2004, J. Pang, et. al At some point transient address pools are limited and presumably so are the possible numbers of new bots, particularly within netblocks. Is there any accounting for that? Shouldn't there be? What will the effect of doing that be on the numbers? John
Re: Are botnets relevant to NANOG?
On Fri, 26 May 2006 11:50:21 -0700 Rick Wesson [EMAIL PROTECTED] wrote:

    The longer answer is that we haven't found a reliable way to identify dynamic blocks. Should anyone point me to an authoritative source I'd be happy to do the analysis and provide some graphs on how dynamic addresses affect the numbers.

I don't know how effective the dynamic lists maintained by some in the anti-spamming community are, you'd probably know better than I, but that is one way as described in the paper. In the first section of the paper I cited they list three methods they used to try to capture stable IP addresses. Summarizing those:

1. reverse map the IP address and analyze the hostname
2. do same for nearby addresses and analyze character difference ratio
3. compare active probes of suspect app with icmp echo response

None of these will be foolproof and the last one will probably only be good for cases where there is a service running where you'd rather there not be and you can test for it (e.g. open relays). There was at least one additional reference to related work in that paper, which leads to more still, but I'll let those interested do their own research on additional ideas for themselves.

    Also note that we are using TCP fingerprinting in our spamtraps and expect to have some interesting results published in the August/Sept time frame. We won't be able to say that a block is dynamic but we will be able to better understand if we talk to the same spammer from different IP addresses and how often those addresses change.

Will look forward to seeing more.

Thanks,
John
Re: Are botnets relevant to NANOG?
John Kristoff wrote:

On Fri, 26 May 2006 11:50:21 -0700 Rick Wesson [EMAIL PROTECTED] wrote:

    The longer answer is that we haven't found a reliable way to identify dynamic blocks. Should anyone point me to an authoritative source I'd be happy to do the analysis and provide some graphs on how dynamic addresses affect the numbers.

    I don't know how effective the dynamic lists maintained by some in the anti-spamming community are, you'd probably know better than I, but that is one way as described in the paper. In the first section of the paper I cited they list three methods they used to try to capture stable IP addresses. Summarizing those:

    1. reverse map the IP address and analyze the hostname
    2. do same for nearby addresses and analyze character difference ratio
    3. compare active probes of suspect app with icmp echo response

Tool to help you. Try natnum from the IASON tools.

    $ natnum echnaton.serveftp.com
    host_look(84.167.246.104,echnaton.serveftp.com,1420293736).
    host_name(84.167.246.104,p54A7F668.dip.t-dialin.net).

You can feed natnum a hostname or an IP address or even a long integer. If you want to dump an address range use name2pl.

    $ name2pl 84.167.246.100 8
    host_name(84.167.246.100,p54A7F664.dip.t-dialin.net).
    host_name(84.167.246.101,p54A7F665.dip.t-dialin.net).
    ...
    host_name(84.167.246.106,p54A7F66A.dip.t-dialin.net).
    host_name(84.167.246.107,p54A7F66B.dip.t-dialin.net).

Dumps you 8 IP addresses starting from 84.167.246.100. Without the 8 you will get 256.

http://iason.site.voila.fr/
http://www.kokoom.com/

Sorry, the sourceforge still gives me hiccups :)
Sorry, will compile and run on UNIX, BSD, Linux, MAC OS-X only.

    None of these will be foolproof and the last one will probably only be good for cases where there is a service running where you'd rather there not be and you can test for it (e.g. open relays).

    There was at least one additional reference to related work in that paper, which leads to more still, but I'll let those interested do their own research on additional ideas for themselves.

    Also note that we are using TCP fingerprinting in our spamtraps and expect to have some interesting results published in the August/Sept time frame. We won't be able to say that a block is dynamic but we will be able to better understand if we talk to the same spammer from different IP addresses and how often those addresses change.

    Will look forward to seeing more.

    Thanks,
    John

Kind regards
Peter and Karin

--
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)
mail: [EMAIL PROTECTED]
mail: [EMAIL PROTECTED]
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
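The first two of the three methods John summarizes (reverse-map the address and analyze the hostname; do the same for nearby addresses and look at the character difference ratio) can be scripted against a PTR table, and the natnum output above shows one common pattern: p54A7F668.dip.t-dialin.net is the hex encoding of 84.167.246.104. The following is an added example, not part of the thread, the paper, or the IASON tools. It works on a small PTR table embedded inline (the t-dialin names are the ones quoted in the natnum output; the 198.51.100.x names are constructed static infrastructure hosts) rather than doing live DNS lookups, and the exact "character difference ratio" definition and the 0.1 threshold are assumptions, not the paper's values.

```python
import re
from collections import defaultdict
from ipaddress import IPv4Address

# Constructed sample PTR table: no live DNS. The 84.167.246.x names are the ones
# quoted in the natnum/name2pl output; the 198.51.100.x names are made up.
SAMPLE_PTR = {
    "84.167.246.100": "p54A7F664.dip.t-dialin.net",
    "84.167.246.101": "p54A7F665.dip.t-dialin.net",
    "84.167.246.102": "p54A7F666.dip.t-dialin.net",
    "84.167.246.103": "p54A7F667.dip.t-dialin.net",
    "198.51.100.10": "mail.example.net",
    "198.51.100.11": "www.example.net",
    "198.51.100.12": "ns1.example.net",
    "198.51.100.13": "vpn.example.net",
}

# Labels that providers commonly put into dynamic-pool PTR names (assumed list).
DYNAMIC_LABELS = {"dip", "dyn", "dynamic", "dhcp", "pool", "ppp", "dsl", "cable", "dial"}
NEIGHBOR_THRESHOLD = 0.1   # assumed: near-identical templated names => one pool


def embeds_address(ip: str, hostname: str) -> bool:
    """Method 1: does the PTR name encode its own address (decimal or hex octets)?"""
    host = hostname.lower()
    tokens = re.split(r"[^0-9a-z]+", host)
    if all(octet in tokens for octet in ip.split(".")):   # e.g. 84-167-246-104
        return True
    hexform = "%08x" % int(IPv4Address(ip))                 # e.g. 54a7f668
    return hexform in host


def char_diff_ratio(a: str, b: str) -> float:
    """Method 2 helper: fraction of character positions that differ between two
    names of equal length; different lengths count as fully different (assumed)."""
    if len(a) != len(b):
        return 1.0
    if not a:
        return 0.0
    return sum(x != y for x, y in zip(a.lower(), b.lower())) / len(a)


def classify_block(ptr: dict) -> dict:
    """Return {ip: 'dynamic' | 'static'} using the address-in-name test, dynamic
    labels, and the character difference ratio against numerically adjacent PTRs."""
    addrs = sorted(ptr, key=lambda s: int(IPv4Address(s)))
    reasons = defaultdict(list)
    for i, ip in enumerate(addrs):
        name = ptr[ip]
        if embeds_address(ip, name):
            reasons[ip].append("address-in-name")
        if DYNAMIC_LABELS & set(name.lower().split(".")):
            reasons[ip].append("dynamic-label")
        for j in (i - 1, i + 1):
            if 0 <= j < len(addrs) and abs(int(IPv4Address(addrs[j])) - int(IPv4Address(ip))) == 1:
                if name != ptr[addrs[j]] and char_diff_ratio(name, ptr[addrs[j]]) < NEIGHBOR_THRESHOLD:
                    reasons[ip].append("templated-neighbor")
                    break
    return {ip: ("dynamic" if reasons[ip] else "static") for ip in addrs}


def dynamic_fraction(ptr: dict) -> float:
    """Share of addresses in the table judged dynamic; what a count of 'new bot
    IPs' would need to be discounted by before trusting it as a host count."""
    verdicts = classify_block(ptr)
    return sum(v == "dynamic" for v in verdicts.values()) / len(verdicts)


if __name__ == "__main__":
    for ip, verdict in classify_block(SAMPLE_PTR).items():
        print(f"{ip:16} {SAMPLE_PTR[ip]:30} {verdict}")
    print(f"dynamic fraction: {dynamic_fraction(SAMPLE_PTR):.2f}")
```

The address-in-name test catches both the decimal style (octets as separate labels or dash-separated tokens) and the hex style seen in the t-dialin names; the neighbor test flags pools where consecutive addresses carry near-identical generated names, which is what a PTR template produces. Neither proves a host is transient, which is why the output is a discount factor for the counts rather than a blocklist.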
Re: Fwd: 41/8 announcement
Thus spake william(at)elan.net [EMAIL PROTECTED]

    On Fri, 26 May 2006, Bill Woodcock wrote:

        Presumably they're double-natting. I had to do that once for Y2K compliance for three large governmental networks that were all statically addressed in net-10 and wouldn't/couldn't renumber in time. In fact, there were _specific hosts_ which had the same IP address, and _had to talk to each other_. Gross. But it can be done.

    Please explain how. I simply can't imagine my computer communicating with another one with exactly the same IP address - the packet would never leave it. The only way I see to achieve this is to have the DNS resolver on the fly convert remote addresses from the same network into some other network and then NAT from those other addresses.

Unfortunately, I've done this several times, most notably within one company that had multiple instances of 10/8 that needed to talk to each other. A decent (if one can use that term) NAT device will translate the addresses in DNS responses, so two hosts that both live at 10.1.2.3 will see the other's address as, for example, 192.168.1.2, both in DNS and in the IP headers.

It's extremely ugly, but that's what one gets for using private address space. This exact scenario was a large part of why I supported ULAs for IPv6.

S

Stephen Sprunk        "Stupid people surround themselves with smart
CCIE #3723             people. Smart people surround themselves with
K5SSS                  smart people who disagree with them." --Aaron Sorkin
Re: Are botnets relevant to NANOG?
On Fri, 26 May 2006, John Kristoff wrote:

    What I'd be curious to know in the numbers being thrown around if there has been any accounting of transient address usage. Since I'm spending

I worked with Adlex to update their software to identify and track dynamic addresses associated with subscriber RADIUS information. At the time, Adlex (now CompuWare) was the only off-the-shelf software that matched unique subscriber RADIUS instead of just IP address. It is behavior based, so not absolutely 100% accurate, but it is useful for long term trending bot-like unique subscribers instead of dynamic IP addresses.

I presented some public numbers at an NSP-SEC BOF. There is a large difference between the number of unique subscribers versus the number of dynamic IP addresses detected by various public detectors.

http://www.compuware.com/products/vantage/4920_ENG_HTML.htm
Re: Are botnets relevant to NANOG?
Sean Donelan wrote:

    On Fri, 26 May 2006, John Kristoff wrote:

        What I'd be curious to know in the numbers being thrown around if there has been any accounting of transient address usage. Since I'm spending

    I worked with Adlex to update their software to identify and track dynamic addresses associated with subscriber RADIUS information. At the time, Adlex (now CompuWare) was the only off-the-shelf software that matched unique subscriber RADIUS instead of just IP address. It is behavior based, so not absolutely 100% accurate, but it is useful for long term trending bot-like unique subscribers instead of dynamic IP addresses.

    I presented some public numbers at an NSP-SEC BOF. There is a large difference between the number of unique subscribers versus the number of dynamic IP addresses detected by various public detectors.

    http://www.compuware.com/products/vantage/4920_ENG_HTML.htm

Just an afterthought, traceroute and take the final router. I guess for aDSL home users you will find some 8 or 11 routers in Germany. My final router never changes. Of course there can hide more than one bad guy behind that router.

Kind regards
Peter and Karin

--
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)
mail: [EMAIL PROTECTED]
mail: [EMAIL PROTECTED]
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
NANOG 37 agenda posted
The complete agenda for the upcoming NANOG 37 meeting, June 4-7 in San Jose, has been posted at: http://www.nanog.org/mtg-0606/agenda.html If you haven't already, please register at http://www.nanog.org, and we'll see you in San Jose! Steve Feldman Program Chair
Re: Are botnets relevant to NANOG?
Not effective against botnets.

Think of it this way: thousands of compromised hosts (zombies), distributed to the four corners of the Internet, hundreds (if not thousands) of AS's -- all receiving their instructions via IRC from a CC server somewhere, that probably also may change due to dynamic DNS, or pump-and-dump domain registrations, or any other various ways to continually move the CC.

Simply going after (what may _seem_to_be_) the last-hop router is like swinging a stick after a piñata that you can't actually reach when you are blind-folded. :-)

- ferg

-- Peter Dambier [EMAIL PROTECTED] wrote:

    Just an afterthought, traceroute and take the final router. I guess for aDSL home users you will find some 8 or 11 routers in Germany. My final router never changes. Of course there can hide more than one bad guy behind that router.

[snip]

--
Fergie, a.k.a. Paul Ferguson
Engineering Architecture for the Internet
[EMAIL PROTECTED] or [EMAIL PROTECTED]
ferg's tech blog: http://fergdawg.blogspot.com/
Re: Are botnets relevant to NANOG?
For this community, would trend analysis, with the best of who is getting better and the worst of who is getting worse and some baseline counts, be enough for this group to understand if the problem is getting better?

I am suggesting that NANOG is an appropriate forum to publish general stats on who the problem is getting better/worse for and possibly why things got better/worse. I'd like to see a general head nod that there is a problem and develop some stats so we can understand if it is getting better or worse.

-rick

Fergie wrote:

    Not effective against botnets.

    Think of it this way: thousands of compromised hosts (zombies), distributed to the four corners of the Internet, hundreds (if not thousands) of AS's -- all receiving their instructions via IRC from a CC server somewhere, that probably also may change due to dynamic DNS, or pump-and-dump domain registrations, or any other various ways to continually move the CC.

    Simply going after (what may _seem_to_be_) the last-hop router is like swinging a stick after a piñata that you can't actually reach when you are blind-folded. :-)

    - ferg

    -- Peter Dambier [EMAIL PROTECTED] wrote:

        Just an afterthought, traceroute and take the final router. I guess for aDSL home users you will find some 8 or 11 routers in Germany. My final router never changes. Of course there can hide more than one bad guy behind that router.

    [snip]

    --
    Fergie, a.k.a. Paul Ferguson
    Engineering Architecture for the Internet
    [EMAIL PROTECTED] or [EMAIL PROTECTED]
    ferg's tech blog: http://fergdawg.blogspot.com/
Re: Are botnets relevant to NANOG?
At 07:09 PM 5/26/2006, Rick Wesson wrote:

    For this community, would trend analysis, with the best of who is getting better and the worst of who is getting worse and some baseline counts, be enough for this group to understand if the problem is getting better?

    I am suggesting that NANOG is an appropriate forum to publish general stats on who the problem is getting better/worse for and possibly why things got better/worse. I'd like to see a general head nod that there is a problem and develop some stats so we can understand if it is getting better or worse.

We all know there is a problem. Botnets/zombies/et al. are the number one threat to the infrastructure and the attacks may be deliberate or they may be a distraction. The motive is unclear because attacking, for example, root servers, is an effort without some obvious economic incentive, at least that I can see. It doesn't make a lot of sense because the conventional wisdom before the open recursive attacks was that it was in the miscreants' best interest to not attack infrastructure so that it could facilitate their reachable goals.

The DA report went through a large thread(s) to post statistics here and I'm not sure why yours will be any better, or just another set of statistics which further de-sensitizes everyone to the problem. I mean, it looks like, all of a sudden, the DNS community has a big problem with these open recursive attacks, ran off privately, and have now determined that it's a feature, not a bug, and well, heck, operators are now responsible. I am not saying that is the answer, but I am saying I am reading the OARC comments and this is sort of what it feels like.

As much as Gadi seems to appropriate others' credit, he and Randy Vaugh have been doing this work for some time and deserve some credit, so I'd say: have you spoken to them about how to make their report better yet, instead of creating more?

-M

--
Martin Hannigan                      (c) 617-388-2663
Renesys Corporation                  (w) 617-395-8574
Member of Technical Staff            Network Operations
                                     [EMAIL PROTECTED]
Re: Are botnets relevant to NANOG?
    I am saying I am reading the OARC comments and this is sort of what it feels like.

    As much as Gadi seems to appropriate others' credit, he and Randy Vaugh have been doing this work for some time and deserve some credit, so I'd say: have you spoken to them about how to make their report better yet, instead of creating more?

Yes, we have worked with Gadi and Randy Vaugh; in fact Randy helped me out today; thanks Randy!

There is a difference in how Randy/Gadi collect data and how we collect data. The stuff we publish is from numerous DNS based realtime blacklists and spam traps we run. Other folks black-hole botnets and capture data. We both come up with a dataset that overlaps but we don't yet know by how much.

So our data is another view using a different methodology and isn't supposed to be better but confirming of where the problem is and estimates of its magnitude.

-rick
Weekly Routing Table Report
This is an automated weekly mailing describing the state of the Internet Routing Table as seen from APNIC's router in Japan. Daily listings are sent to [EMAIL PROTECTED]

If you have any comments please contact Philip Smith [EMAIL PROTECTED].

Routing Table Report   04:00 +10GMT Sat 27 May, 2006

Analysis Summary
----------------

BGP routing table entries examined:                            189144
Prefixes after maximum aggregation:                            104309
Unique aggregates announced to Internet:                        92654
Total ASes present in the Internet Routing Table:               22317
Origin-only ASes present in the Internet Routing Table:         19409
Origin ASes announcing only one prefix:                          9291
Transit ASes present in the Internet Routing Table:              2908
Transit-only ASes present in the Internet Routing Table:           63
Average AS path length visible in the Internet Routing Table:     3.5
Max AS path length visible:                                        18
Max AS path prepend of ASN (32609)                                 16
Prefixes from unregistered ASNs in the Routing Table:              14
Unregistered ASNs in the Routing Table:                            12
Special use prefixes present in the Routing Table:                  0
Prefixes being announced from unallocated address space:            9
Number of addresses announced to Internet:                 1539919976
    Equivalent to 91 /8s, 201 /16s and 80 /24s
Percentage of available address space announced:                 41.5
Percentage of allocated address space announced:                 60.1
Percentage of available address space allocated:                 69.1
Total number of prefixes smaller than registry allocations:     93724

APNIC Region Analysis Summary
-----------------------------

Prefixes being announced by APNIC Region ASes:                  40065
Total APNIC prefixes after maximum aggregation:                 16729
Prefixes being announced from the APNIC address blocks:         37758
Unique aggregates announced from the APNIC address blocks:      18447
APNIC Region origin ASes present in the Internet Routing Table:  2582
APNIC Region origin ASes announcing only one prefix:              744
APNIC Region transit ASes present in the Internet Routing Table:  394
Average APNIC Region AS path length visible:                      3.5
Max APNIC Region AS path length visible:                           15
Number of APNIC addresses announced to Internet:            226969056
    Equivalent to 13 /8s, 135 /16s and 69 /24s
Percentage of available APNIC address space announced:           71.0

APNIC AS Blocks        4608-4864, 7467-7722, 9216-10239, 17408-18431
                       (pre-ERX allocations)
                       23552-24575, 37888-38911
APNIC Address Blocks   58/7, 60/7, 121/8, 122/7, 124/7, 126/8, 202/7
                       210/7, 218/7, 220/7 and 222/8

ARIN Region Analysis Summary
----------------------------

Prefixes being announced by ARIN Region ASes:                   97552
Total ARIN prefixes after maximum aggregation:                  57717
Prefixes being announced from the ARIN address blocks:          71556
Unique aggregates announced from the ARIN address blocks:       26470
ARIN Region origin ASes present in the Internet Routing Table:  10740
ARIN Region origin ASes announcing only one prefix:              4041
ARIN Region transit ASes present in the Internet Routing Table:   994
Average ARIN Region AS path length visible:                       3.3
Max ARIN Region AS path length visible:                            18
Number of ARIN addresses announced to Internet:             292813056
    Equivalent to 17 /8s, 115 /16s and 249 /24s
Percentage of available ARIN address space announced:            75.9

ARIN AS Blocks         1-1876, 1902-2042, 2044-2046, 2048-2106
                       (pre-ERX allocations)
                       2138-2584, 2615-2772, 2823-2829, 2880-3153
                       3354-4607, 4865-5119, 5632-6655, 6912-7466
                       7723-8191, 10240-12287, 13312-15359, 16384-17407
                       18432-20479, 21504-23551, 25600-26591,
                       26624-27647, 29696-30719, 31744-33791
                       35840-36863, 39936-40959
ARIN Address Blocks    24/8, 63/8, 64/5, 72/6, 76/8, 199/8, 204/6, 208/7
                       and 216/8

RIPE Region Analysis Summary
----------------------------

Prefixes being announced by RIPE Region ASes:                   37960
Total RIPE prefixes after maximum aggregation:                  25293
Prefixes being announced from the RIPE address blocks:          34974
Unique aggregates announced from the RIPE address blocks:       23530
RIPE Region origin ASes present in the Internet Routing Table:   8089
RIPE Region origin ASes announcing only one prefix:              4233
RIPE Region transit ASes present in the Internet Routing Table:  1328
Average RIPE Region AS path
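Several of the report's figures (prefixes after maximum aggregation, unique aggregates, addresses announced with their /8, /16 and /24 equivalent, and prefixes announced from outside a registry's blocks) can be reproduced from a routing table dump with nothing more than prefix arithmetic. The following is an added example, not the report's own script and not code from APNIC or Philip Smith. It runs on a small constructed table (documentation ASNs 64496-64500, constructed prefixes) and uses the APNIC address blocks listed in the report as the "allocated" set for the unallocated-space check. "Maximum aggregation" is taken here to mean collapsing adjacent and overlapping prefixes that share an origin AS; that is an assumption about the report's definition.

```python
from collections import defaultdict
from ipaddress import collapse_addresses, ip_network

# Constructed sample routing table: (prefix, origin AS). ASNs are from the
# documentation range; the prefixes are made up for the demonstration.
SAMPLE_TABLE = [
    ("210.0.0.0/16", 64496),   # adjacent to the next one, same origin
    ("210.1.0.0/16", 64496),   # ... so the two aggregate to 210.0.0.0/15
    ("210.2.0.0/16", 64497),   # adjacent but different origin: not aggregated
    ("218.10.0.0/16", 64498),  # covers the more-specific below
    ("218.10.0.0/24", 64498),  # redundant more-specific from the same origin
    ("122.8.0.0/13", 64499),
    ("192.0.2.0/24", 64500),   # outside the APNIC blocks used below
]

# APNIC Address Blocks as listed in the report above.
APNIC_BLOCKS = [ip_network(b) for b in (
    "58.0.0.0/7", "60.0.0.0/7", "121.0.0.0/8", "122.0.0.0/7", "124.0.0.0/7",
    "126.0.0.0/8", "202.0.0.0/7", "210.0.0.0/7", "218.0.0.0/7", "220.0.0.0/7",
    "222.0.0.0/8",
)]


def max_aggregation(table):
    """Prefix count after collapsing adjacent/overlapping prefixes per origin AS
    (assumed definition of 'prefixes after maximum aggregation')."""
    by_origin = defaultdict(list)
    for prefix, origin in table:
        by_origin[origin].append(ip_network(prefix))
    return sum(len(list(collapse_addresses(nets))) for nets in by_origin.values())


def unique_aggregates(table):
    """Collapse every prefix regardless of origin: the distinct address ranges
    actually reachable through the table."""
    return list(collapse_addresses(ip_network(p) for p, _ in table))


def addresses_announced(table):
    """Number of distinct addresses covered by the table (overlaps counted once)."""
    return sum(net.num_addresses for net in unique_aggregates(table))


def equivalent_blocks(addresses):
    """Express an address count as the report does: whole /8s, then /16s, then /24s."""
    eights, rest = divmod(addresses, 1 << 24)
    sixteens, rest = divmod(rest, 1 << 16)
    return eights, sixteens, rest // 256


def unallocated(table, allocated):
    """Prefixes not contained in any block of the given allocation list."""
    return [p for p, _ in table
            if not any(ip_network(p).subnet_of(block) for block in allocated)]


def report(table, allocated):
    """Build the handful of summary lines in the same order as the weekly report."""
    total = addresses_announced(table)
    e8, e16, e24 = equivalent_blocks(total)
    return {
        "entries_examined": len(table),
        "after_max_aggregation": max_aggregation(table),
        "unique_aggregates": len(unique_aggregates(table)),
        "unallocated_prefixes": len(unallocated(table, allocated)),
        "addresses_announced": total,
        "equivalent": f"{e8} /8s, {e16} /16s and {e24} /24s",
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_TABLE, APNIC_BLOCKS).items():
        print(f"{key:24} {value}")
    # the report's own figure, for comparison with its "Equivalent to" line
    print(equivalent_blocks(1539919976))
```

The same collapse step is what separates "entries examined" from "prefixes after maximum aggregation" in the report: a table of seven entries contains only five distinct (origin, range) announcements once the adjacent /16s and the redundant /24 are folded in. Feeding the report's own total of 1539919976 addresses through equivalent_blocks() gives 91 /8s, 201 /16s and 80 /24s, matching the line above.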
And Now.... Data Retention. Enjoy!
Just a heads-up. CALEA compliance ain't your only concern anymore. [snip] U.S. Attorney General Alberto Gonzales and FBI Director Robert Mueller on Friday urged telecommunications officials to record their customers' Internet activities, CNET News.com has learned. In a private meeting with industry representatives, Gonzales, Mueller and other senior members of the Justice Department said Internet service providers should retain subscriber information and network data for two years, according to two sources familiar with the discussion who spoke on condition of anonymity. [snip] More here: http://news.com.com/2100-1028_3-6077654.html Cheers, - ferg -- Fergie, a.k.a. Paul Ferguson Engineering Architecture for the Internet [EMAIL PROTECTED] or [EMAIL PROTECTED] ferg's tech blog: http://fergdawg.blogspot.com/
Re: Are botnets relevant to NANOG?
[top-posting]

Time differentials, time-limiting, proxies and NATs, dynamic addresses, different malware, different OS, etc. are all things taken into account. At some point you just need to have a best guess..

When the situation was by far less horrible, the numbers still didn't matter. Wasn't it your countrymen who said why should you need to be able to destroy the world a thousand times over when once is more than enough? I think 3 times for redundancy sounds like fun.

The numbers are for years now not relevant. I often count active groups, active attacks per time-frame, money made/lost and number of user IDs compromised / sites targeted.

Gadi.

On Fri, 26 May 2006, John Kristoff wrote:

    On Fri, 26 May 2006 11:50:21 -0700 Rick Wesson [EMAIL PROTECTED] wrote:

        The longer answer is that we haven't found a reliable way to identify dynamic blocks. Should anyone point me to an authoritative source I'd be happy to do the analysis and provide some graphs on how dynamic addresses affect the numbers.

    I don't know how effective the dynamic lists maintained by some in the anti-spamming community are, you'd probably know better than I, but that is one way as described in the paper. In the first section of the paper I cited they list three methods they used to try to capture stable IP addresses. Summarizing those:

    1. reverse map the IP address and analyze the hostname
    2. do same for nearby addresses and analyze character difference ratio
    3. compare active probes of suspect app with icmp echo response

    None of these will be foolproof and the last one will probably only be good for cases where there is a service running where you'd rather there not be and you can test for it (e.g. open relays). There was at least one additional reference to related work in that paper, which leads to more still, but I'll let those interested do their own research on additional ideas for themselves.

        Also note that we are using TCP fingerprinting in our spamtraps and expect to have some interesting results published in the August/Sept time frame. We won't be able to say that a block is dynamic but we will be able to better understand if we talk to the same spammer from different IP addresses and how often those addresses change.

    Will look forward to seeing more.

    Thanks,
    John
Re: Are botnets relevant to NANOG?
On Fri, 26 May 2006, Peter Dambier wrote:

    Sean Donelan wrote:

        On Fri, 26 May 2006, John Kristoff wrote:

            What I'd be curious to know in the numbers being thrown around if there has been any accounting of transient address usage. Since I'm spending

        I worked with Adlex to update their software to identify and track dynamic addresses associated with subscriber RADIUS information. At the time, Adlex (now CompuWare) was the only off-the-shelf software that matched unique subscriber RADIUS instead of just IP address. It is behavior based, so not absolutely 100% accurate, but it is useful for long term trending bot-like unique subscribers instead of dynamic IP addresses.

        I presented some public numbers at an NSP-SEC BOF. There is a large difference between the number of unique subscribers versus the number of dynamic IP addresses detected by various public detectors.

        http://www.compuware.com/products/vantage/4920_ENG_HTML.htm

    Just an afterthought, traceroute and take the final router. I guess for aDSL home users you will find some 8 or 11 routers in Germany. My final router never changes. Of course there can hide more than one bad guy behind that router.

Actually, some anti-spam veterans keep lists of dynamic blocks as negative scoring marks in their filters. I still believe that even ignoring those the numbers are still too high.

I honestly want to know why a precise number matters? It will only be higher than our facts based upon our different observation points.

Gadi.

    Kind regards
    Peter and Karin

    --
    Peter and Karin Dambier
    Cesidian Root - Radice Cesidiana
    Graeffstrasse 14
    D-64646 Heppenheim
    +49(6252)671-788 (Telekom)
    +49(179)108-3978 (O2 Genion)
    +49(6252)750-308 (VoIP: sipgate.de)
    mail: [EMAIL PROTECTED]
    mail: [EMAIL PROTECTED]
    http://iason.site.voila.fr/
    https://sourceforge.net/projects/iason/
Re: Are botnets relevant to NANOG?
On Fri, 26 May 2006, Rick Wesson wrote:

        I am saying I am reading the OARC comments and this is sort of what it feels like.

        As much as Gadi seems to appropriate others' credit, he and Randy Vaugh have been doing this work for some time and deserve some credit, so I'd say: have you spoken to them about how to make their report better yet, instead of creating more?

    Yes, we have worked with Gadi and Randy Vaugh; in fact Randy helped me out today; thanks Randy!

    There is a difference in how Randy/Gadi collect data and how we collect data. The stuff we publish is from numerous DNS based realtime blacklists and spam traps we run. Other folks black-hole botnets and capture data. We both come up with a dataset that overlaps but we don't yet know by how much.

    So our data is another view using a different methodology and isn't supposed to be better but confirming of where the problem is and estimates of its magnitude.

The more we know, the better. I believe the time for action has come and gone, but I was not born a pessimist. :) If the first step is to de-classify what's public so that people are aware of what's going on, I say bring it on.

Great work, Rick. Beer is on me this defcon.

Gadi.

    -rick
Re: And Now.... Data Retention. Enjoy!
Duh,

Those crazy Americans...

- (on the premise of: network data for two years)

Some Republicans have stocks in SAN/NAS/DVD/Hard Drive/etc markets and need a boost?

Around here we're talking about only 70,000 DVDs. I see a way to mirror each pipe into a device capable of compressing it in real time to disks and then spew DVDs... But I fail to grasp the scope of the challenge that could be for the big players out there. It would be fun to see some numbers.

- Subscriber info is no big deal, we kept records from day 0. (13 years+)

Thanks Fergie for the entertainment.

Fergie wrote:

    Just a heads-up. CALEA compliance ain't your only concern anymore.

    [snip]

    U.S. Attorney General Alberto Gonzales and FBI Director Robert Mueller on Friday urged telecommunications officials to record their customers' Internet activities, CNET News.com has learned.

    In a private meeting with industry representatives, Gonzales, Mueller and other senior members of the Justice Department said Internet service providers should retain subscriber information and network data for two years, according to two sources familiar with the discussion who spoke on condition of anonymity.

    [snip]

    More here: http://news.com.com/2100-1028_3-6077654.html

    Cheers,

    - ferg

    --
    Fergie, a.k.a. Paul Ferguson
    Engineering Architecture for the Internet
    [EMAIL PROTECTED] or [EMAIL PROTECTED]
    ferg's tech blog: http://fergdawg.blogspot.com/

--
Alain Hebert                [EMAIL PROTECTED]
PubNIX Inc.
P.O. Box 175   Beaconsfield, Quebec   H9W 5T7
tel 514-990-5911   http://www.pubnix.net   fax 514-990-9443