Re: advise on network security report

2006-11-01 Thread Gadi Evron

On Tue, 31 Oct 2006, Rick Wesson wrote:
> I beg to differ, whether I aggregate my announcements does not impact the
> $50B charge identity theft puts on the US economy.
> 
> would it assist if I associated a dollar value for each bot hosted, we 
> can estimate the number of credit cards stolen per bot and extrapolate 
> in to something with some zeros on it.

I experimented with a lot of topics on NANOG which the charter suggests,
and found that botnets and $-value only work if they directly impact an
ISP (not its users or immense corporate networks), meaning - something
which helps/stops an ISP from running. I.e., $$$ loss to the ISP.

$ value to the US economy just facilitates faster move toward the usual
and inevitable forking of the thread and flaming.

> > Sharing summaries to communities like dshield, NSP-SEC, DA, SANs and
> > other security mitigation communities along with a subscription web page
> > that would allow an organization to get enough details to take action.
> 
> nsp-sec players still won't let us in their sand-box... but we will 
> share to the communities you have enumerated.

You heard what people here want/don't want, do your thing. From my
experience, you also got about 10-20 emails off-list, in support. Most
flames come on-list.

Openly available data that will show us which networks we need to worry
about will be valuable.

In the C&C report we now have "networks with 100% resolved". Two years ago
we wouldn't have even considered that category. We didn't even consider
using exact numbers due to "help bad guys scare". We quantified it, found
out what's useful (what ISPs want/ISPs REALLY don't want), and what
would be useless.

Of your data, do you have information which can tell us what ISPs keep
sending out spam despite continued listing/reporting? Can you tell us
what ISPs do real good work?

A not-too-often coming report would be very interesting, especially
because it is public, if you can make it reliable. For more exact and
regular figures, I'd say go with a private feed.

It is possible we are all wrong. Start with once a month and grow to even
once a day if we find it's just what we have all been looking for.

> -rick
> 

Gadi.



Re: FYI: Explosions Reported At eBay PayPal Building In SJ, All Cool Now

2006-11-01 Thread Alexander Harrowell


Police seeking buyer of Tower Bridge, enriched uranium and hawt
teenage Russian bride.

On 11/1/06, Fergie <[EMAIL PROTECTED]> wrote:


No one injured, no operations interrupted on this, Oidhche Shamhna.

 http://cbs5.com/local/local_story_305004735.html

Cheers,

- ferg

--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/




Re: Cogent now peering with Sprint?

2006-11-01 Thread steve

On Tue, Oct 31, 2006 at 09:51:47AM -0500, James Jun wrote:
> 
> > On Oct 31, 2006, at 2:12 AM, Bob Collie wrote:
> > 
> > > That looks like a transit connection that Cogent bought at Ashburn,
> > > VA,
> > > not SFI peering connection.
> > 
> > Hrmm, I can't tell by looking at a traceroute who paid whom, if
> > anyone.  Care to explain your magic?  Is there a code in the in-
> > addrs?  Perhaps "sl-$FOO" means something in Sprint-speak?
> 
> 
> Yea, but most of xfer-nets in this case appear to be assigned by Cogent
> (then again, how does that make any difference for special buy|peer cases):
> 
> 2 sl-st21-la-13-0.sprintlink.net (144.232.20.69) 4 msec 4 msec 4 msec
> 3 p12-3.core01.lax05.atlas.cogentco.com (154.54.13.41) [AS 174] 4 msec 4
> msec 4 msec

customers have some say over what's what.. at least one of my transits is using
a /30 we assign

to be honest i'd be suspicious if 'most' nets are from cogent as that's not
indicative of an equal peering relationship

they still buy from verio and they have /30s with them also:
58.13.54.154.in-addr.arpa domain name pointer verio.sjc03.atlas.cogentco.com.

(of course, that may be a peer port too.. this is all conjecture! as patrick
says the adjacencies are the interesting thing, not the $$)

Steve


Re: advise on network security report

2006-11-01 Thread Valdis . Kletnieks

On Tue, 31 Oct 2006 17:02:15 PST, Rick Wesson said:
> would it assist if I associated a dollar value for each bot hosted, we 
> can estimate the number of credit cards stolen per bot and extrapolate 
> in to something with some zeros on it.

Well.. figure that if you're charging somebody by the megabyte for transit,
there *is* a positive dollar value per bot hosted.

Maybe that's the tactic to take with some of the more bot-infested cable
providers - if they aren't 100% settlement-free, point out the cost savings
at their exchanges if their outbound traffic drops because their bots aren't
spewing.




Re: rbnnetwork.org

2006-11-01 Thread Florian Weimer

* Alexander Harrowell:

>66.36.240.2 AS14361
> HOPONE-DCA   c-vl102-d1.acc.dca2.hopone.net.255
> US  Unix: 14:38:16.496
> 2   0   2   6   0.6 ms [+0ms]

Uhm, are you a Hop One customer?  In this case, it's a bit ... strange
that you complain about malicious services hosted on other people's
networks.


Re: rbnnetwork.org

2006-11-01 Thread Bill Sehmel


Alexander Harrowell wrote:


Is hosting a phishing site and bouncing abuse reports..

-- Forwarded message --
From: Alexander Harrowell <[EMAIL PROTECTED]>
Date: Oct 31, 2006 2:38 PM
Subject: Phisher
To: [EMAIL PROTECTED]


We're receiving large volumes of comments spam advertising a site
hosted in your network. http://onlineinvestmentworld.com is located at
81.95.146.166, which is your netblock:
inetnum:81.95.144.0 - 81.95.147.255
netname:RBNET
descr:  Russian Business Network
admin-c:RBNR-ORG
tech-c: RBNR-ORG
mnt-by: RBN-MNT
status: ASSIGNED PA
country:RU
remarks:INFRA-AW
changed:[EMAIL PROTECTED] 20060


Alexander,

Please contact our Abuse department at [EMAIL PROTECTED] with your complaint.
Or online at http://abuse.hopone.net/


Thanks

-Bill


--

 Bill Sehmel   -   [EMAIL PROTECTED]   -- 1-206-242-2743
 Systems Administrator,   HopOne Internet Corp.  SEA2 NOC
 Bandwidth & full range of carrier/web host colo + networking
 services: http://www.hopone.net    ASN 14361





RE: advise on network security report

2006-11-01 Thread Mike Callahan

>I beg to differ, whether I aggregate my announcements does not impact the
>$50B charge identity theft puts on the US economy.

Perhaps a better start on impacting this would be for the credit card companies 
to pursue the people that abuse their cards/systems instead of just writing 
fraudulent purchases off as a loss and not pursuing them any further.  I've been
through it myself and I know for a fact that at least one major cc company 
operates in this way.   In this model there's nothing to discourage someone 
from using stolen numbers.  Just my $.02

~M

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
Rick Wesson
Sent: Tuesday, October 31, 2006 8:02 PM
To: Barry Greene (bgreene)
Cc: nanog@merit.edu
Subject: Re: advise on network security report



Barry Greene (bgreene) wrote:
> Postings like this to NANOG will not have any impact. So if your goal is
> instigate action, posting is not going to work. The core data point is
> the weekly CIDR report. It only works if you have peers using the weekly
> list to apply peer pressure to the networks listed to act. 

I beg to differ, whether I aggregate my announcements does not impact the
$50B charge identity theft puts on the US economy.

would it assist if I associated a dollar value for each bot hosted, we 
can estimate the number of credit cards stolen per bot and extrapolate 
in to something with some zeros on it.


> Sharing summaries to communities like dshield, NSP-SEC, DA, SANs and
> other security mitigation communities along with a subscription web page
> that would allow an organization to get enough details to take action.

nsp-sec players still won't let us in their sand-box... but we will 
share to the communities you have enumerated.


-rick


Re: advise on network security report

2006-11-01 Thread Valdis . Kletnieks

On Wed, 01 Nov 2006 15:09:59 EST, Mike Callahan said:
> Perhaps a better start on impacting this would be for the credit card
> companies to pursue the people that abuse their cards/systems instead of
> just writing fraudulent purchases off as a loss and not pursuing them
> any further.

Let's take a hypothetical $300 fraudulent charge.  If the card company spends
more than $300 pursuing it, it's losing money on it and is better off just
swallowing it.  Now what does $300 get you?  If you're lucky, that gets you 5
hours of a tech's time to chase logs, make phone calls, and get all the
evidence together, and 1 hour of a lawyer's time to get the ball rolling if you
pursue it as a civil matter.

How much pursuit can you get done in 5 hours?

The credit card companies are *acutely* aware of *exactly* how much it
costs to swallow any given fraud, and how much it costs to chase a particular
miscreant down.  And barring some major economic/political/legal changes
that alter the price/performance ratio, they're unlikely to change the way
they do things.

(Hint - $50B sounds like a lot, but what percent of the total Visa/MasterCard
business per year is that, really?  Not much compared against the $1,325B
done by the top 4 card networks in 2004:

http://www.fdic.gov/bank/analytical/banking/2005nov/Art2table1.html

The whole article is here:

http://www.fdic.gov/bank/analytical/banking/2005nov/article2.html

and discusses in fair amount of detail what the credit card companies
*really* worry about, and why




Re: advise on network security report

2006-11-01 Thread Sean Donelan



Hint, hint, hint.  When the abuse and security folks at ISPs give
suggestions on how to best work with them, it's sometimes a good idea
to listen.  If you just want to shout "You Suck" at them, please have
a seat in the waiting room and someone will be with you later, possibly
before the heat death of the universe.  If you pay an ISP enough money,
you're paying for the right to shout You Suck at progressively higher
level executives.

ISP security and abuse folks generally know how bad the problems are. That
isn't useful to getting their jobs done.  They usually have better 
information about how bad it is than most third-parties.


ISP security and abuse teams already receive reports from almost every
group in existence.  After they process the high priority work, e.g. court
orders from countries around the world, reports from customers, etc;
figuring out how to make the security and abuse teams' lives easier is
the key to getting your complaints to the top of the pile. Rankings of
other ISPs don't change their workload.


Although every ISP security and abuse group is different, I think most of
them have their favorite third-party sources.  Listening to why they
like using particular resources over other third-party resources could
help make your third-party resource more relevant to their work.
"You Suck" doesn't help them get home any earlier.