RE: Throwing out the NANOG AUP

2007-02-19 Thread michael.dillon
 ... and I've made a few suggestions about what the MLC could be doing.
 I'm also curious about 'acting professionally' - there's always the
 conflict between a person acting for the MLC, and for themselves, but 
 still posting from the same location.

In the case of that conflict, then simply stating that the message is
written with MLC hat on, or words to that effect, is sufficient to be
acting professionally. Of course, it has to be true too, i.e. the
author really is writing their message without letting their own
personal likes and dislikes get in the way.

Honestly, I think the problem here is mainly a failure of imagination.
Maybe the mailing list can be managed in a MORE hands-on way without
resorting to HEAVY-HANDED moderation. Maybe these borderline topic
issues can be handled in a way other than BANNING them or ALLOWING them.

Actually, the discussion just took a turn to the creative when people
talked about wikis, RSS, alternate lists. Let me toss in another idea.
Request that all such periodic postings (Aggregates, bots, etc.) be
posted as short summary messages with URL's pointing to the data. The
meat of the message should be in the first 20-25 lines, similar to the
way you have to write executive summaries. Ask the repetitive posters of
stuff (which often goes to multiple lists) to revise their postings to
fit this model.

--Michael Dillon


Re: Throwing out the NANOG AUP

2007-02-19 Thread Etaoin Shrdlu

Simon Lyall wrote:

 On Mon, 19 Feb 2007 [EMAIL PROTECTED] wrote:

  ...Request that all such periodic postings (Aggregates, bots, etc.) be
  posted as short summary messages with URL's pointing to the data. The
  meat of the message should be in the first 20-25 lines, similar to the
  way you have to write executive summaries. Ask the repetitive posters of
  stuff (which often goes to multiple lists) to revise their postings to
  fit this model.

 How about a monthly (twice-monthly maybe) post listing them all and where
 to find them?


I'd humbly ask that they continue to be sent to the list (at least the 
three I care about). Email is forever (for me, at least), and I can look 
at it off line, if desired. Grep is my friend. I'd rather not have to 
keep track of more web sites, when the Friday Three contain so much 
useful information. There may also be those that care about the botnet 
postings. I note that these also occur at some measured interval, but 
since I delete them, I don't remember the frequency, other than that it 
is no longer annoying. Are there other automated postings than those four?


--
Any commercial institution that is serious about protecting their
customers from phishing will stop sending mail marked up with HTML.



RE: Throwing out the NANOG AUP

2007-02-19 Thread michael.dillon
 Not worth it, bandwidth is not a cost here. Each message takes up about
 the same amount of space regardless of whether it's 25 lines or 600.

On every email client I have used, it is quick to glance at the first
screenful of message, decide whether there is anything of interest and
if not, delete it. If the CIDR report can't fit a summary of the
important points of the week into a 20-25 line email message, then why
post it at all. Also, more and more people are reading email from
smartphones like Nokia E61, Treo and Blackberry. They often get
truncated email messages to scan for important stuff.

If these folks can come up with a good way of creating a summary message
linked to a longer detailed report on a web server, then we can
ENCOURAGE such postings (no more than once per week) for content which
leads to flame wars. The people who get 10 copies from 10 lists will
barely notice it as they keep on pressing the delete key. And when
something interesting pops up, the web page linked in the summary can
display lots of 8 by 10 glossy photographs with the circles and arrows
and a paragraph on each slide.

The overall discussion is about making things better, right? Well every
well-thought out carefully written message on the NANOG list, that comes
complete with URLs to references, makes the list better.

--Michael Dillon



Re: Throwing out the NANOG AUP

2007-02-19 Thread Robert E. Seastrom

Gadi Evron [EMAIL PROTECTED] writes:

 On Mon, 19 Feb 2007, Robert E. Seastrom wrote:
 
 Cat Okita [EMAIL PROTECTED] writes:
 
  Maybe I'm missing something here - I haven't seen Rob Seastrom send
  any personal attacks to the list.  Are you talking about private email?
 
  If that's the case, could you make it clear (or presuming that Rob's
  willing), post examples of this unprofessional behaviour?
 
 I'm 100% OK with Gadi forwarding our personal correspondence and in
 fact encourage it (both my emails and his responses, please!) so that
 people can draw their own conclusions.

 Don't we both wish? What's private is private and has no place here.

 I was referring to a public discussion. I already apologized for bringing
 it up here even if my intention was full disclosure on the subject. This
 is the last email I send on this.

 I wonder if the regular suspects will follow up on this issue rather than
 once again, the issues.

Res ipsa loquitur.

---rob



Re: Throwing out the NANOG AUP

2007-02-19 Thread Cat Okita

On Mon, 19 Feb 2007, Gadi Evron wrote:

On Mon, 19 Feb 2007, Robert E. Seastrom wrote:

I'm 100% OK with Gadi forwarding our personal correspondence and in
fact encourage it (both my emails and his responses, please!) so that
people can draw their own conclusions.


Don't we both wish? What's private is private and has no place here.

I was referring to a public discussion. I already apologized for bringing
it up here even if my intention was full disclosure on the subject. This
is the last email I send on this.

I wonder if the regular suspects will follow up on this issue rather than
once again, the issues.


I'm still waiting to find out which email(s) you're referring to - if
the MLC are being deliberately rude and insulting, it's something that
needs to be investigated.

If on the other hand, this complaint is simply that you don't like what
the MLC are saying (politely) to you, that's a different matter.

Remind me again - what exactly are 'the issues' from your perspective?

cheers!
==
A cat spends her life conflicted between a deep, passionate and profound
desire for fish and an equally deep, passionate and profound desire to
avoid getting wet.  This is the defining metaphor of my life right now.


Re: Discard the AUP and other discussions

2007-02-19 Thread Martin Hannigan


 the aup seems to work


How do you come up with that? Not subscribed to the list? The MLC
actions are not a measure of the AUP working or not.

What percentage of this weeks load is on topic?

-M




RE: botnets: web servers, end-systems and Vint Cerf

2007-02-19 Thread michael.dillon

  It is regularly done with servers connected to the Internet.
  There is no *COMPUTING* problem or technical problem.
 
 I beg to differ.  Yes, it is possible for tech-savvy users to secure  
 their machines pretty effectively.  But the level of technical  
 knowledge required to do so is completely out of line with, say, the  
 level of automotive knowledge required to safely operate an 
 automobile.

You need, at minimum, weeks of training in order to safely operate an
automobile. But to safely operate on the Internet, you simply open the
box, plug the DSL cable into the DSL port of the
NAT/firewall/switch/gateway box, plug the brand new unsecured computer
into the Ethernet port, and you can now safely operate on the Internet.
The technical problem has been solved for a long, long time. The same
factors which drive down the cost of computers, have also driven down
the cost of NAT/firewall devices to the point where they could actually
be integrated right into the PC's hardware.

 We know how -people with specialized knowledge- can secure them, not  
 ordinary people - and I submit that we in fact do not know how to  
 clean and validate compromised systems running modern 
 general-purpose  
 operating systems, that the only sane option is 
 re-installation of OS  
 and applications from scratch.

This is an entirely different issue. It's like trying to cure AIDS and
syphilis. Maybe prevention is an easier problem to tackle. Condoms are
also fairly simple technology that works.

--Michael Dillon




R Scott Perry (HopOne/Superb.net collateral damage)

2007-02-19 Thread Simon Waters

Anyone have an email for him, could they drop it to me off list.

He seems to have stuff hosted with the den of spammers at HopOne
Internet.

On the upside it seems there is at least one genuine service amongst the 
address space we blocked at HopOne.  But that is 1 address out of 32 class Cs 
we blocked.

They seem to have a virulent PayPal Phish sender at 66.36.228.37 as well this 
week.

 Ho Hum

 Simon


Re: botnets: web servers, end-systems and Vint Cerf [LONG, sorry]

2007-02-19 Thread Rich Kulawiec

I really don't want to get into an OS debate here, but this does
have major operational impact, so I will anyway but will be as
brief as possible.  Please see second (whitespace-separated) section
for some sample hijacked system statistics which may or may not
reflect overall network population.

On Fri, Feb 16, 2007 at 04:27:55PM -, [EMAIL PROTECTED] wrote:
 I disagree. [...]
 
 Therefore, I assert that securing systems adequately for use on the
 Internet is indeed a SOLVED PROBLEM in computing. However, it isn't yet
 solved in a social or business sense. 

I think I understand your point about the social and business sense of the
problem; if so, then we're probably in at least rough agreement on that.
People do stupid things with computers (like reading email with a web
browser, or replying to spam) and it's proven to be very difficult to
convince them to stop doing those things.

I'm reminded of Ranum's point (from
http://www.ranum.com/security/computer_security/editorials/dumb/ ) about
how if user education was going to work...it would have worked by now.
I think the ongoing success of phishing operations, including those run
by illiterate amateurs, in face of massive publicity via nearly every
communications channel society has to offer, illustrates it nicely.

But, and this may be where we disagree, it's not solved where Microsoft
operating systems are concerned -- and I don't accept the notion that
just putting such systems behind a firewall/NAT box is adequate.
(I'll also argue that any OS which *requires* an external firewall
to survive more than a few minutes' exposure is unsuitable for use
on the Internet.  *Not good enough*.)

But suppose you put such a firewall in place.  You'll need to
configure the firewall properly -- paying as much attention to
outbound rules as inbound.  (And how many people ever do that?  Even
on corporate networks, there are still people stunningly incompetent
enough to use default-permit policies on outbound traffic.  And
controlling outbound traffic from these systems is arguably more
important than controlling inbound -- inbound likely only abuses
the owner, outbound abuses the entire Internet.)

You'll need to add anti-virus software.  And anti-spyware software.
Then you need to make sure the signature databases for both of those
are updated early and often, keeping in mind that you have now elected
to play a game that you will inevitably lose the first time that new
malware propagates faster than the keepers of those databases can develop
and distribute signatures.  Vegas lives for suckers like this.

And you'll need to de-install IE and Outlook, since
everything else you've done will be defeated as soon as the next
IE/Outlook-remotely-exploitable-and-leading-directly-to-
full-system-compromise-here's-a-working-demo is published on
full-disclosure, which should be, oh, about three hours from now.

And this is before we even get to the licensing and DRM backdoors
*designed into* Vista.

Something which requires this much work just to make it through its
first day online, while being used by J. Random Person, is hopelessly
inadequate.  Which is why systems like this are routinely compromised in
huge numbers.  Which is why we have a large-scale problem on our hands.




Which brings me to the second point, and that is skepticism over the
100M ballpark figure that's been bandied about.  Personally, I wouldn't
even blink if someone produced convincing proof that the real number
was 300M.  I think that's completely plausible -- plausible but still,
I very much hope, unrealistically high.  So from my point of view, this
100M stuff is old news -- i.e., I'm telling you the ocean is wet.

A tiny example: some data (summarized below) from a small experiment last
month using a single test mail server.  I threw away all the data blocked
outright by the firewall in front of it.  I threw away all data that didn't
involve connections directed at port 25.  I threw away all the data for
connecting hosts without rDNS.  I threw away all the data for connecting hosts
with rDNS that looked even vaguely server-like.  I threw away repeat visits.
All of which means that my sampling method is akin to waving a thimble in
a hurricane and will thus provide a gross (and likely skewed) underestimate.

This left me with 1.5M observed hosts seen in a month.  They're all sending
spam.  (How do I know?  Because 100% of the mail traffic sent to that
server is spam.)  And they're all running Windows, except for a handful
which aren't or which were indeterminate.  Note that rDNS lookups were
from local long-lived cache, so rDNS may be well out-of-date in some cases.

Some random examples:

41.241.32.87      dsl-241-32-87.telkomadsl.co.za
89.28.3.133       89-28-3-133.starnet.md
190.49.152.243    190-49-152-243.speedy.com.ar
218.178.50.40     softbank218178050040.bbtec.net
200.171.123.83    200-171-123-83.dsl.telesp.net.br
74.132.179.31
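An added example, not part of Rich's post: the sampling filters he lists, written as a small Python pipeline and run over constructed connection-log lines (three of the IP/rDNS pairs reuse examples from his table, the rest are RFC 5737 documentation addresses). The "server-like rDNS" test is an assumed name heuristic (mx, smtp, mail or relay labels); the post does not say what rule he actually used, and the counts of what each filter discards show why the method is, as he says, an underestimate.

```python
import re
from collections import Counter
from typing import Dict, Optional, Tuple

# Constructed sample log (not real data). Fields: firewall action, dst port,
# connecting IP, rDNS name observed for it ("-" when the lookup was empty).
SAMPLE_LOG = """\
ACCEPT 25 41.241.32.87 dsl-241-32-87.telkomadsl.co.za
ACCEPT 25 89.28.3.133 89-28-3-133.starnet.md
ACCEPT 25 190.49.152.243 190-49-152-243.speedy.com.ar
ACCEPT 25 41.241.32.87 dsl-241-32-87.telkomadsl.co.za
ACCEPT 25 198.51.100.7 mx1.example.net
ACCEPT 25 74.132.179.31 -
ACCEPT 80 203.0.113.9 cpe-203-0-113-9.example.org
DROP 25 192.0.2.44 dynamic-192-0-2-44.example.net
ACCEPT 25 203.0.113.200 smtp-out.example.org
"""

# Assumed heuristic for "rDNS that looks even vaguely server-like": a label
# such as mx, mx1, smtp, mail or relay at a label boundary.
SERVER_LIKE = re.compile(r"(^|[.-])(mx|smtp|mail|relay)\d*([.-]|$)", re.IGNORECASE)


def parse_line(line: str) -> Dict[str, object]:
    """Split one constructed log line into its four fields."""
    action, port, ip, rdns = line.split()
    return {
        "action": action,
        "port": int(port),
        "ip": ip,
        "rdns": None if rdns == "-" else rdns,
    }


def observed_hosts(log_text: str) -> Tuple[Dict[str, str], Counter]:
    """Apply the post's filters in order.

    Returns the surviving unique client IPs (mapped to their rDNS name) and a
    Counter recording which filter discarded each dropped line.
    """
    kept: Dict[str, str] = {}
    dropped: Counter = Counter()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["action"] != "ACCEPT":
            dropped["firewall_blocked"] += 1      # blocked outright by the firewall
        elif rec["port"] != 25:
            dropped["not_port_25"] += 1           # not directed at the mail port
        elif rec["rdns"] is None:
            dropped["no_rdns"] += 1               # connecting host without rDNS
        elif SERVER_LIKE.search(rec["rdns"]):
            dropped["server_like_rdns"] += 1      # rDNS looks like a real mail server
        elif rec["ip"] in kept:
            dropped["repeat_visit"] += 1          # already counted this host
        else:
            kept[rec["ip"]] = rec["rdns"]
    return kept, dropped


def host_count(log_text: str = SAMPLE_LOG) -> int:
    """Number of distinct consumer-looking hosts left after all filters."""
    return len(observed_hosts(log_text)[0])


if __name__ == "__main__":
    hosts, why = observed_hosts(SAMPLE_LOG)
    for ip, name in hosts.items():
        print(f"{ip:<16} {name}")
    print("kept:", len(hosts), "dropped:", dict(why))
```

Every filter is conservative in the same direction: a spam source with no rDNS, or with rDNS that merely resembles a mail server, is thrown away rather than counted, so the surviving number can only understate the population.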

RE: botnets: web servers, end-systems and Vint Cerf [LONG, sorry]

2007-02-19 Thread michael.dillon

 But suppose you put such a firewall in place.  You'll need to
 configure the firewall properly -- paying as much attention to
 outbound rules as inbound. 

Sounds like a good thing to document in a best practices document that
can be used to certify firewall implementations. When trying to solve a
social problem, techniques like the Good Housekeeping seal of approval
are quite effective. As recommended by the editors of...

 You'll need to add anti-virus software.  And anti-spyware software.
 Then you need to make sure the signature databases for both of those
 are updated early and often,

What if the guidelines state that subscription and database oriented
techniques for virus detection are not adequate and therefore not
compliant. Only heuristic, capability-based systems are acceptable.

 And you'll need to de-install IE and Outlook,

Thus ensuring that Firefox/Thunderbird will be the main target of the
malware people. Is this necessarily any better? Note that Windows
provides an extensive series of hooks which can be used by an
application which wishes to subvert the normal operation of the OS. That
subversive application could be the security monitor which is required
by the ISP for Internet access because it is recommended in your
guidelines.

 Something which requires this much work just to make it through its
 first day online, while being used by J. Random Person, is hopelessly
 inadequate.  Which is why systems like this are routinely 
 compromised in
 huge numbers.  Which is why we have a large-scale problem on 
 our hands.

We live in a complex world. Computers are more complex than they were.
OSes are more complex. Apps are more complex. Networks are more complex.
And SOLUTIONS are more complex. But if the designers of computers, OSes,
apps and networks can deal with the complexity, why can't security folks
do likewise?

 This left me with 1.5M observed hosts seen in a month.  
 They're all sending
 spam.  (How do I know?  Because 100% of the mail traffic sent to that
 server is spam.) 

What you did sounds dumb except that you said this is an experiment.
Unfortunately, real live email servers do exactly the same, i.e. talk to
all comers, because the email architecture is flat like a pancake. Some
people consider this to be a Windows malware problem. I consider it to
be an email architecture problem. We all know that you need hierarchy to
scale networks and I submit that any email architecture without
hierarchy is broken by design and no amount of ill-thought-out bandaids
will fix it. 

 Pop quiz, bonus round: how much does it cost Comcast to defend its
 mail servers from Verizon's spam, and vice versa?  Heck, how much
 does it cost Comcast to defend its mail servers from its own spam?

That actually sounds like an answerable question, if a company took it
seriously enough. If the senders and receiver are both on your network,
your finance department should be able to come up with some cost
figures.

--Michael Dillon
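As an added example (not code from either poster), here is a Python model of the outbound-policy point Rich raises and that Michael would like written into a certifiable guideline: first-match evaluation of a home gateway's egress rules, with a default-permit policy beside a default-deny one. The flows, the RFC 5737 addresses and the "ISP relay at 192.0.2.25" are all constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    proto: str               # "tcp", "udp" or "any"
    dst_net: str             # destination prefix in CIDR notation
    dst_port: Optional[int]  # None matches any destination port
    action: str              # "allow" or "deny"


def evaluate(rules: List[Rule], default_action: str,
             proto: str, dst_ip: str, dst_port: int) -> str:
    """First matching rule decides; with no match the policy default applies."""
    ip = ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.proto not in ("any", proto):
            continue
        if ip not in ipaddress.ip_network(r.dst_net):
            continue
        if r.dst_port is not None and r.dst_port != dst_port:
            continue
        return r.action
    return default_action


# Constructed outbound flows from a home PC (documentation address ranges).
FLOWS = [
    ("web",       "tcp", "203.0.113.10",  443),
    ("dns",       "udp", "192.0.2.53",     53),
    ("isp_relay", "tcp", "192.0.2.25",     25),   # mail via the ISP's relay (assumed address)
    ("direct_mx", "tcp", "198.51.100.25",  25),   # direct-to-MX delivery: the spambot pattern
    ("irc",       "tcp", "198.51.100.6",  6667),  # command channel to an arbitrary host
]

Policy = Tuple[List[Rule], str]

# Weak policy: outbound default-permit with a single ad-hoc deny.
DEFAULT_PERMIT: Policy = (
    [Rule("tcp", "198.51.100.6/32", None, "deny")],
    "allow",
)

# Corrected policy: outbound default-deny, allow only what the household
# needs, and confine port 25 to the ISP's relay.
DEFAULT_DENY: Policy = (
    [
        Rule("udp", "192.0.2.53/32", 53, "allow"),
        Rule("tcp", "0.0.0.0/0", 80, "allow"),
        Rule("tcp", "0.0.0.0/0", 443, "allow"),
        Rule("tcp", "192.0.2.25/32", 25, "allow"),
    ],
    "deny",
)


def decisions(policy: Policy) -> Dict[str, str]:
    """Verdict for every constructed flow under the given policy."""
    rules, default = policy
    return {name: evaluate(rules, default, proto, ip, port)
            for name, proto, ip, port in FLOWS}


def abuse_leaks(policy: Policy) -> List[str]:
    """Flows that abuse third parties (not the owner) yet are still permitted."""
    verdicts = decisions(policy)
    return sorted(n for n in ("direct_mx", "irc") if verdicts[n] == "allow")


if __name__ == "__main__":
    for label, policy in (("default-permit", DEFAULT_PERMIT),
                          ("default-deny", DEFAULT_DENY)):
        print(label, decisions(policy), "leaks:", abuse_leaks(policy))
```

The default-permit ruleset blocks only the one host somebody thought to list; direct-to-MX spamming still goes out. The default-deny ruleset keeps ordinary web, DNS and relayed mail working while the two abusive flows fall through to the default, which is the behaviour a certification test for the "outbound rules matter as much as inbound" guideline would check for.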



Re: botnets: web servers, end-systems and Vint Cerf [LONG, sorry]

2007-02-19 Thread Simon Waters

On Monday 19 February 2007 13:27, you wrote:
 
 people consider this to be a Windows malware problem. I consider it to
 be an email architecture problem. We all know that you need hierarchy to
 scale networks and I submit that any email architecture without
 hierarchy is broken by design and no amount of ill-thought-out bandaids
 will fix it.

I look forward to your paper on the end to end concept, and why it doesn't 
apply to email ;)

I'm not convinced there is an email architecture problem of relevance to the 
discussion. People mistake a security problem for its most visible symptoms. 

The SMTP based email system has many faults, but it seems only mildly stressed 
under the onslaught of millions of hosts attempting to subvert it. Most of 
the attempts to fix the architecture problem so far have moved the problem 
from blacklisting IP addresses, to blacklisting domains, or senders, or other 
entities which occupy a larger potential space than the IPv4 addresses, which 
one can use to effectively deal with most of the symptom. In comparison, 
people controlling malware botnets, have demonstrated their ability to 
completely DDoS significant chunks of network, suggesting perhaps that other 
protocols are potentially more vulnerable than SMTP, or more appropriate 
layers to address the problem at.

We may need a trust system to deal with identity within the existing email 
architecture, but I see no reason why that need be hierarchical, indeed 
attempts to build such hierarchical systems have often failed to gather a 
critical mass, but peer to peer trust systems have worked fine for decades 
for highly sensitive types of data.

I simply don't believe the higher figures bandied about in the discussion for 
compromised hosts. Certainly Microsoft's malware team report a high level of 
trojans around, but they include things like the Jar files downloaded onto 
many PCs, that attempt to exploit a vulnerability that most people patched 
several years ago. Simply identifying your computer downloaded (as designed), 
but didn't run (because it was malformed), malware, isn't an infection, or of 
especial interest (other than indicating something about the frequency with 
which webservers attempt to deliver malware).


Re: botnets: web servers, end-systems and Vint Cerf

2007-02-19 Thread Roland Dobbins



On Feb 19, 2007, at 1:24 AM, [EMAIL PROTECTED] wrote:

 You need, at minimum, weeks of training in order to safely operate an
 automobile. But to safely operate on the Internet, you simply open the
 box, plug the DSL cable into the DSL port of the
 NAT/firewall/switch/gateway box, plug the brand new unsecured computer
 into the Ethernet port, and you can now safely operate on the Internet.

That's right, you've made my point for me.  Weeks and weeks of training.

People don't need weeks and weeks of training to operate a television,
or a blender, or even a videogame console.

 The technical problem has been solved for a long, long time. The same
 factors which drive down the cost of computers, have also driven down
 the cost of NAT/firewall devices to the point where they could actually
 be integrated right into the PC's hardware.

NATting firewalls don't help at all with email-delivered malware,
browser exploits, etc.


---
Roland Dobbins [EMAIL PROTECTED] // 408.527.6376 voice

  The telephone demands complete participation.

  -- Marshall McLuhan



Re: botnets: web servers, end-systems and Vint Cerf [LONG, sorry]

2007-02-19 Thread Roland Dobbins



On Feb 19, 2007, at 6:04 AM, Simon Waters wrote:

 I look forward to your paper on the end to end concept, and why it
 doesn't apply to email

The end-to-end principle has no bearing upon this discussion at all,
unless you're referring to firewalls/NATs.


---
Roland Dobbins [EMAIL PROTECTED] // 408.527.6376 voice

  The telephone demands complete participation.

  -- Marshall McLuhan



Datapipe.net

2007-02-19 Thread Eric Ortega
Can someone from Datapipe.net contact me off list?
 
Thanks,
 



Eric Ortega 
Midcontinent Communications 
Network Engineer 
605.357.5720 
[EMAIL PROTECTED] 

 

-- 
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.5.441 / Virus Database: 268.18.2/692 - Release Date: 2/18/2007
4:35 PM
 


Re: wifi for 600, alex

2007-02-19 Thread Christian Kuhtz




Alexander,

as you might imagine, conceptually there is no disagreement  
whatsoever here ;-)  And, in fact, that already exists on some  
platforms, but it's somewhat limited at the moment due to lack of  
support for standards body/bodies at this time.  But I'm hopeful that  
we're closer to meaningful improvements.  This is just as important  
for managing the available spectrum as it is for device power  
efficiency.


Best regards,
Christian



On Feb 16, 2007, at 6:36 AM, Alexander Harrowell wrote:

Another mobile-land feature 802.11 could do with - dynamic TX power  
management.  All the cellular systems have the ability to dial down  
the transmitter power the nearer to the BTS/Node B you get. This is  
not just good for batteries, but also good for radio, as s/n has  
diminishing returns to transmitter power. WLAN, though, shouts as  
loud next to the AP as on the other side of the street, which is  
Not Good for a system that operates in unlicensed spectrum.


UMTS, for example, has a peak tx wattage an order of magnitude  
greater than WLAN, but due to the power management, in a picocell  
environment comparable to a WLAN the mean tx wattage is less by a  
factor of 10.




Re: wifi for 600, alex

2007-02-19 Thread Alexander Harrowell


It shouldn't be that difficult, because one device that does manage
its power output shouldn't affect anyone else who doesn't.


Re: Measurement data on transit traffic in IP routers?

2007-02-19 Thread Frank Coluccio

Your statement makes something of a presumption
as to the architecture of a network.  In many 
networks, edge aggregation devices do not
participate in backbone routing, but simply 
pass the traffic they are aggregating into the core.

My first reaction, as well. However, I was reminded 
by Andrew Odlyzko that the cable tv industry's (MSOs')
peering universe constitutes a form of flattened 'edge', 
if one were to consider the larger Internet's core 
against the MSO community, which makes for another 
form of interesting analysis, since much of today's
(especially more capacious) residential broadband
flows begin and end on MSOs' networks, and sometimes 
never touch the larger core, fwiw. And this opens the
door to other forms of walled garden environments,
including intranets, some providers' CDNs, extranets, 
and so on.

Frank A. Coluccio
DTI Consulting Inc.
212-587-8150 Office
347-526-6788 Mobile

On Sun Feb 18 10:54 , Andrew Lee  sent:


Hi Chris

Your statement makes something of a presumption as to the architecture
of a network.  In many networks, edge aggregation devices do not
participate in backbone routing, but simply pass the traffic they are
aggregating into the core.

One fairly well instrumented network that does have this edge/core
collapsed model is the Internet2 network.  You can find a lot of traffic
and other data for the network at:
http://noc.net.internet2.edu/i2network/live-network-status.html
You should be able to extract all the info you need from there.

/Andrew

Chris Develder wrote, On 2/18/07 5:46 AM:
 
 Hi All,
 
 In preparation of a course, I'm looking for reference material (paper,
 report, talk...) giving real world data on the amount of transit traffic
 (ie. not locally dropped or added, but passing through to other
 (backbone) routers) in a typical edge router of a core network, esp.
 ratio of local vs passthrough traffic (is it 30%, 40%...?) -- I don't
 need absolute figures, just realistic estimates of that ratio.
 
 Any help in locating such references would be highly appreciated.
 
 Kind regards,
 Chris
 




RE: botnets: web servers, end-systems and Vint Cerf [LONG, sorry]

2007-02-19 Thread michael.dillon

 I look forward to your paper on the end to end concept, and 
 why it doesn't 
 apply to email ;)

Clearly the answer is that it never has applied to email in the past.
Hosts don't email each other, people do. People have always relied on
Internet postmaster services to enable Internet email. Given that we
have already thrown out the end-to-end concept from day one, why must we
maintain such a brain-dead flat architecture? People who wanted the
end-to-end concept used to use talk on UNIX and Windows popup messages
until recently. Now, even those people have shifted to a hierarchical
architecture of instant-messaging servers.

 I'm not convinced there is an email architecture problem of 
 relevance to the 
 discussion. People mistake a security problem for its most 
 visible symptoms. 

There is more than one security problem here. A well-thought-out email
architecture will only address one of those security problems.

 The SMTP based email system has many faults, but it seems 
 only mildly stressed 
 under the onslaught of millions of hosts attempting to 
 subvert it. 

It depends where you measure that stress. The decline of Internet email
mindshare in favour of IM and Web forums indicates to me that it is
severely stressed at the user level.

 We may need a trust system to deal with identity within the 
 existing email 
 architecture, 

Bingo!

 but I see no reason why that need be 
 hierarchical, indeed 
 attempts to build such hierarchical systems have often failed 
 to gather a 
 critical mass, but peer to peer trust systems have worked 
 fine for decades 
 for highly sensitive types of data.

Peer-to-peer is a form of hierarchy. If you decide to trust X, Y, and Z
and also trust all the hosts that X, Y and Z trust, then you have a
trust hierarchy carved out of the peer-to-peer space. So if I trust AOL,
Earthlink and Verizon, and I also trust all those trusted by these
three, then you can't talk to my mail server until you arrange trust
with me, or with one of the three trusted mail systems. Fact is that the
email architecture does not include any form of trust and things like
Sender-ID and DKIM are only bandaids that don't solve the problem and
introduce additional insecurities.

Additionally, if we can introduce hierarchy into the mail flow, we also
introduce points at which cost-based models of spam prevention can be
tried. If you can pay a penny a message to guarantee that your mail gets
delivered quickly, bypassing any spam-filtering checkpoints, then that
is something that the majority of users would buy into and the money
provides grease for the wheels of the system, making it worthwhile to do
things like set up an email peering agreement.

Let's face it, the Internet of the early 90's is gone. It won't be
coming back either. The challenge now is to operate a network that is
capable of being *THE* global communications infrastructure. If the
public Internet doesn't adapt to this job, then other networks will
leverage the IETF's technology to do so.

--Michael Dillon
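As an added illustration (not Michael's code), the "trust X, Y and Z, and also everyone they trust" scheme from the paragraph above, written as a bounded breadth-first closure over a constructed trust graph; the operator names are placeholders, not anyone's real peering policy. The hop limit is the parameter that matters for a defender: it makes visible exactly who gets admitted once a trusted peer trusts someone you would not have trusted directly.

```python
from collections import deque
from typing import Dict, Set

# Constructed trust graph (placeholder names): each mail system and the
# systems it has a peering/trust arrangement with.
TRUST: Dict[str, Set[str]] = {
    "me":         {"aol", "earthlink", "verizon"},
    "aol":        {"earthlink", "smallisp"},
    "earthlink":  {"aol", "verizon"},
    "verizon":    {"bulkmailer"},
    "smallisp":   {"spamhaven"},
    "bulkmailer": set(),
    "spamhaven":  set(),
}


def trusted_set(graph: Dict[str, Set[str]], root: str, max_hops: int) -> Set[str]:
    """Systems reachable from `root` over at most `max_hops` trust edges.

    max_hops=1 is direct trust only; max_hops=2 is the "those trusted by my
    trusted three" rule; larger values keep following delegations outward.
    """
    distance = {root: 0}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        if distance[node] >= max_hops:
            continue
        for peer in graph.get(node, ()):
            if peer not in distance:
                distance[peer] = distance[node] + 1
                queue.append(peer)
    distance.pop(root)
    return set(distance)


def accepts(graph: Dict[str, Set[str]], receiver: str, sender: str,
            max_hops: int = 2) -> bool:
    """Would `receiver`'s mail server talk to `sender` under this policy?"""
    return sender in trusted_set(graph, receiver, max_hops)


def admitted_by_hop(graph: Dict[str, Set[str]], root: str, up_to: int) -> Dict[int, Set[str]]:
    """Which new systems each additional hop of delegation lets in."""
    seen: Set[str] = set()
    growth = {}
    for hops in range(1, up_to + 1):
        now = trusted_set(graph, root, hops)
        growth[hops] = now - seen
        seen = now
    return growth


if __name__ == "__main__":
    for hops, newly in admitted_by_hop(TRUST, "me", 3).items():
        print(f"hop {hops}: newly admitted {sorted(newly)}")
    print("spamhaven accepted at 2 hops:", accepts(TRUST, "me", "spamhaven", 2))
    print("spamhaven accepted at 3 hops:", accepts(TRUST, "me", "spamhaven", 3))
```

With direct trust only, the receiver talks to exactly its three chosen peers. One hop of delegation admits whatever those three trust, including a bulk mailer the receiver never chose; one more hop admits whatever the bulk mailer's peers trust. Any trust-based mail architecture has to decide where to stop, and how to revoke, before it says anything about unwanted traffic.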



Re: botnets: web servers, end-systems and Vint Cerf

2007-02-19 Thread Roland Dobbins



On Feb 19, 2007, at 8:06 AM, [EMAIL PROTECTED] wrote:

 And if the system designer is creative enough, then
 this firewall thingy which is reputed to protect you from bad stuff,
 would also download and install the latest patches to protect against
 browser exploits. If this is all run on a separate CPU it can also do
 some pretty in-depth inspection and do things like block .exe
 attachments in email.


If we had some cheese, we could make a ham-and-cheese sandwich, if we
had some ham.

This discussion started out with an assertion that the security
problem for general-purpose OS endpoints had been 'solved'.  It in
fact has not been solved for any reasonable degree of solved - there
are basic layer-7 problems with the fundamentals such as HTTP (which
to most users is 'the Internet'), and while there are various efforts
to attempt to mitigate these problems via the insertion of inspection/
removal by network devices, these efforts are in their infancy and
also introduce other complexities which are corollaries of the
canonical end-to-end principle (vs. the common misperception of what
the end-to-end principle actually encompasses).


---
Roland Dobbins [EMAIL PROTECTED] // 408.527.6376 voice

  The telephone demands complete participation.

  -- Marshall McLuhan



Re: botnets: web servers, end-systems and Vint Cerf [LONG, sorry]

2007-02-19 Thread Roland Dobbins





 I look forward to your paper on the end to end concept, and
 why it doesn't apply to email ;)

I think the problem here is that people invoke something they think
of as 'the end-to-end principle', but actually isn't.

from http://web.mit.edu/Saltzer/www/publications/endtoend/endtoend.pdf:

-

 . . .  functions placed at low levels of a system may be redundant
 or of little value when compared with the cost of providing them at
 that low level.

-

*That* is the actual 'end-to-end principle'.  The imposition of  
hierarchy in application-layer email routing (or DNS infrastructure,  
etc.) has nothing to do with the actual end-to-end principle, except  
as a good example of honoring it.


---
Roland Dobbins [EMAIL PROTECTED] // 408.527.6376 voice

  The telephone demands complete participation.

  -- Marshall McLuhan



RE: botnets: web servers, end-systems and Vint Cerf [LONG, sorry]

2007-02-19 Thread Tony Finch

On Mon, 19 Feb 2007, [EMAIL PROTECTED] wrote:

 Now, even those people have shifted to a hierarchical architecture of
 instant-messaging servers.

In what way is IM hierarchical? The commercial IM systems have a star
topology with a tightly controlled core and basically no inter-domain
federation, so I don't know why you claim they are hierarchical.
Jabber/XMPP has a mesh-of-stars topology which is the same as email's
modulo some simplifications (mainly owing to the lack of forwarding).

ISTR that you were arguing in favour of a chain-of-trust system for email
back in November on the IETF list. I pointed out that the architecture you
are proposing is essentially the same as inter-domain routing (IP  BGP)
and Usenet, and you failed to explain how your ideas would solve the
unwanted traffic problem for email given that the same architecture
doesn't solve the unwanted traffic problem for IP or NNTP.

http://www1.ietf.org/mail-archive/web/ietf/current/msg44467.html

Tony.
-- 
f.a.n.finch  [EMAIL PROTECTED]  http://dotat.at/
HUMBER THAMES DOVER WIGHT PORTLAND: SOUTHERLY 4 OR 5, OCCASIONALLY 6 IN
PORTLAND. SLIGHT OR MODERATE, OCCASIONALLY ROUGH IN PORTLAND. DRIZZLE THEN
RAIN. MODERATE OR GOOD.


Re: botnets: web servers, end-systems and Vint Cerf [LONG, sorry]

2007-02-19 Thread J. Oquendo

[EMAIL PROTECTED] wrote:

  And you'll need to de-install IE and Outlook,

This will not happen. Not even remotely.

 Thus ensuring that Firefox/Thunderbird will be the main target of the
 malware people. Is this necessarily any better? Note that Windows
 provides an extensive series of hooks which can be used by an
 application which wishes to subvert the normal operation of the OS. That
 subversive application could be the security monitor which is required
 by the ISP for Internet access because it is recommended in your
 guidelines.

I concur with ISPs looking for IE as some form of guideline. Stupid 
story... So I call Cox because for the 8mb down I am supposed to be 
getting, I was maxing out at 2mb, not a big deal.


TechGirl: Can you go to your start menu...
Me: No I don't use Windows
TechGirl: Please hold
TechGirl: (five minutes later) Are you using OSX?
Me: No. Using Solaris, what would you like me to do?
TechGirl: Please hold
TechGirl: (minutes later) We don't support Solaris
Me: What does an operating system have to do with lousy bandwidth...
TechGirl: Please hold
TechGirl: (minutes later) I have to escalate this to my manager
TechGirl: Please hold
Manager: Please go to your start menu...
Me: No. As stated I'm not on Windows nor OSX. I use Solaris and I AM 
CONNECTED the service is horrible

Manager: Well we only support Windows and OSX
Me: (*ponders what this has to do with cruddy connectivity) Forget it... 
(Plugs in Windows laptop to make things easier).


ISPs have come to rely on the bane of their clients' issues. Asking 
someone to remove IE only to have their support group look for it is a 
nightmare in itself. Too many people have become so overdependent on 
Windows.



We live in a complex world. Computers are more complex than they were.
OSes are more complex. Apps are more complex. Networks are more complex.
And SOLUTIONS are more complex. But if the designers of computers, OSes,
apps and networks can deal with the complexity, why can't security folks
do likewise?

  
The issue of security folks dealing with complexities is, they shouldn't 
have to when it comes to 65% of the problems which lead to incidents. 
Why should an ISP have to deal with issues that have nothing to do with 
their networks? I get calls day and night from VoIP customers: "My 
service is down, your service sucks"


2007-02-19 00:23:36 '212XXX6428' at [EMAIL PROTECTED]:5060 for 3600
2007-02-19 07:59:43 '212XXX6428' at [EMAIL PROTECTED]:5060 for 3600
2007-02-19 10:58:44 '212XXX6428' at [EMAIL PROTECTED]:5060 for 3600
2007-02-19 12:58:05 '212XXX6428' at [EMAIL PROTECTED]:5060 for 3600

This client goes up and down like a see-saw at least 8 times a day. 
Their provider is horrible. Why should I spend resources trying to fix 
what has nothing to do with my company? Same applies to anyone in the 
security industry to a degree. A security engineer can only do so much 
given parameters most work with. "We're a Windows-only shop!" touted the 
MCSE with glee as he wondered why he spent so much time rebooting.




That actually sounds like an answerable question, if a company took it
seriously enough. If the senders and receiver are both on your network,
your finance department should be able to come up with some cost
figures.
  


They won't because they haven't been pressed to do so, and it is rare 
that someone will take it upon themselves to do a good deed when it 
comes to situations like this.


Roland Dobbins wrote:

 NATting firewalls don't help at all with email-delivered malware, 
browser exploits, etc.


Antivirus and ad-aware like programs almost often do when used 
appropriately. It boils down to education which won't happen. If forced 
however it is a different story so again I will point to customer 
sandboxing.


And yes, firewalls do help if configured properly on the business side of 
things. I use the same brute forcing script to create firewall rules to 
block IN AND OUT those offensive networks. So even if, say, a machine were 
to get infected, it's only momentarily before I catch it, but this is my 
network(s) and those I manage/maintain. I have zero tolerance for junk 
and don't mind blocking a /8 if needed. If people want to complain, then I 
point out logfiles with information on why their entire class is blocked.


[EMAIL PROTECTED] wrote:


None of this is rocket science. The hardware available today can do
this. This hardware is not expensive. It does, however, require systems
vendors to have a bit of imagination and that seems to be in rather
short supply in the modern world.



Why would a vendor put all their eggs in one basket? "Brand New AntiVirus 
software... Guaranteed to stop hackers! Only $49.99 per year...", "Brand 
New AntiMalware software... Guaranteed to stop hackers! Only $19.99 a 
year!", "Brand New Intrusion Detection Prevention Dissemination 
Articulation software... Guaranteed to stop nuclear weapons of mass 
destruction... Guaranteed to keep you off of the Internet..."

A vendor 
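As an added example (not from the post), here is a small parser for registration lines in the format quoted above that counts, per account, how often a client re-registers only after its 3600-second registration had already lapsed, which is what a client going up and down like a see-saw looks like in such a log. The host, account numbers, sample lines and threshold are constructed placeholders, and the line format is assumed to be exactly as quoted.

```python
import re
from collections import defaultdict
from datetime import datetime

# Line format as quoted in the post: <date> <time> '<account>' at <host>:<port> for <expires>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"'(?P<user>[^']+)' at (?P<host>\S+):(?P<port>\d+) for (?P<expires>\d+)$")

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None           # not a registration line
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "user": m["user"], "host": m["host"],
            "port": int(m["port"]), "expires": int(m["expires"])}

def count_lapses(lines):
    """Per account, count registrations arriving only after the previous one
    had already expired (client dropped off and came back); refreshes inside
    the expiry window are normal.  Lines must be in chronological order."""
    last, lapses = {}, defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        prev = last.get(rec["user"])
        if prev is not None:
            gap = (rec["ts"] - prev["ts"]).total_seconds()
            if gap > prev["expires"]:
                lapses[rec["user"]] += 1
        last[rec["user"]] = rec
    return dict(lapses)

def flapping_users(lines, threshold=3):
    """Accounts with at least `threshold` lapses (threshold is a constructed cut-off)."""
    return sorted(u for u, n in count_lapses(lines).items() if n >= threshold)

# Constructed sample in the quoted format; account numbers and host are placeholders.
SAMPLE = """\
2007-02-19 00:23:36 '212XXX6428' at sip.example.net:5060 for 3600
2007-02-19 00:50:00 '212XXX1111' at sip.example.net:5060 for 3600
2007-02-19 01:40:00 '212XXX1111' at sip.example.net:5060 for 3600
2007-02-19 07:59:43 '212XXX6428' at sip.example.net:5060 for 3600
2007-02-19 10:58:44 '212XXX6428' at sip.example.net:5060 for 3600
2007-02-19 12:58:05 '212XXX6428' at sip.example.net:5060 for 3600
""".splitlines()

if __name__ == "__main__":
    print(count_lapses(SAMPLE), flapping_users(SAMPLE))  # {'212XXX6428': 3} ['212XXX6428']
```

The second account refreshes 50 minutes after registering, inside the 3600-second window, so it is not counted; only registrations that follow an expired one are.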

Re: Every incident is an opportunity (was Re: Hackers hit key Internet traffic computers)

2007-02-19 Thread Seth Johnson


My Mom kicks all you's buttocks.  Got a Radio Shack franchise in
1983, we kids got in on the ground floor of personal computing
(on Color Computers and TRS-80's).

She does tech support for others her age.  Or did, in Colorado in
a community for older folks, and is now in Costa Rica figuring
out how to get online.


Seth Johnson



Marshall Eubanks wrote:
 
 On Feb 12, 2007, at 4:31 AM, Alexander Harrowell wrote:
 
  On 2/12/07, Gadi Evron [EMAIL PROTECTED] wrote:
 
  As a very smart person said a couple of weeks ago when this same
  argument
  was made: are you willing to do tech-support for my mother if she uses
  linux?
 
  Gadi.
 
  Name anyone techie who doesn't have to do tech support for their
  mother on MS Windows..
 
 
 
  The ones whose Moms got Macs, of course. (Well, in my case it's my
 Mother-in-Law, but the
 tech support required has dramatically reduced.)
 
 Regards
 Marshall

-- 

RIAA is the RISK!  Our NET is P2P!
http://www.nyfairuse.org/action/ftc

DRM is Theft!  We are the Stakeholders!

New Yorkers for Fair Use
http://www.nyfairuse.org

[CC] Counter-copyright: http://realmeasures.dyndns.org/cc

I reserve no rights restricting copying, modification or
distribution of this incidentally recorded communication. 
Original authorship should be attributed reasonably, but only so
far as such an expectation might hold for usual practice in
ordinary social discourse to which one holds no claim of
exclusive rights.



RE: botnets: web servers, end-systems and Vint Cerf [LONG, sorry]

2007-02-19 Thread michael.dillon

 
  Now, even those people have shifted to a hierarchical 
 architecture of
  instant-messaging servers.
 
 In what way is IM hierarchical?
 Jabber/XMPP has a mesh-of-stars topology 

That is hierarchy. One level is a star topology, the next level is a
mesh.

 which is the same as email's
 modulo some simplifications (mainly owing to the lack of forwarding).

In other words, it is not the same as email's. Of course it may end up
that way but we can hope.

 ISTR that you were arguing in favour of a chain-of-trust 
 system for email
 back in November on the IETF list. I pointed out that the 
 architecture you
 are proposing is essentially the same as inter-domain routing 
 (IP & BGP)
 and Usenet, and you failed to explain how your ideas would solve the
 unwanted traffic problem for email given that the same architecture
 doesn't solve the unwanted traffic problem for IP or NNTP.

An abstract simplification of an architecture is not equal to the
architecture itself. The fact that you can simplify different
architectures into a similar abstract model, doesn't mean that they have
the same problems. Problems often arise in the details of
implementation, not in the theoretical models. I never claimed that my
proposed email model would solve the unwanted mail problem. It was
intended to carry authenticated sender info to the receiver, and to
provide an authenticated reverse path for complaints to postmaster. And
since it was based on negotiated bilateral email peering agreements, if
the chain of trust was subverted at some point in the chain, the peer
would have legal recourse to cut service.

--Michael Dillon



Road Runner (as10994) NOC contact?

2007-02-19 Thread David Hubbard

All of their listed contact info is for abuse and
that just gets you a voice greeting that tells you
to email abuse and then hangs up on you.

Trying to troubleshoot an issue between Road Runner
Tampa and Level 3.

Thanks,

David


Drone Armies CC Report - 19 Feb 2007

2007-02-19 Thread c2report



This is a periodic public report from the ISOTF's affiliated group 'DA'
(Drone Armies (botnets) research and mitigation mailing list / TISF
DA) with the ISOTF affiliated ASreport project (TISF / RatOut).

For this report it should be noted that we base our analysis on the data
we have accumulated from various sources, which may be incomplete.

Any responsible party that wishes to receive reports of botnet command
and control servers on their network(s) regularly and directly, feel
free to contact us.

For purposes of this report we use the following terms:
open    the host completed the TCP handshake
closed  no activity detected
reset   issued a RST

This month's survey is of 5730 unique domains (or IPs) with
port suspect CCs. This list is extracted from the BBL which
has a historical base of 15292 reported CCs. Of the suspect CCs
surveyed, 682 reported as open, 1990 reported as closed,
and 749 issued resets to the survey instrument. Of the CCs 
listed by domain name in our CC database, 7228 are mitigated.

Top 20 ASNes by Total suspect domains mapping to a host in the ASN.
These numbers are determined by counting the number of domains which
resolve to a host in the ASN.  We do not remove duplicates and some of
the ASNs reported have many domains mapping to a single IP.  Note the
Percent_resolved figure is calculated using only the Total and Open
counts and does not represent a mitigation effectiveness metric.
  ASN  Responsible Party                    Total  Open  Percent_Resolved
19318  NJIIX-AS-1 - NEW JERSEY INTERN         133    16                88
13301  UNITEDCOLO-AS Autonomous System of      89    35                61
 4766  KIXS-AS-KR                              63    17                73
30058  FDCSE FDCservers.net LLC                45    14                69
23522  CIT-FOONET                              45    24                47
 7132  SBC Internet Services                   41     3                93
13213  UK2NET-AS UK-2 Ltd Autonomous Syste     39     8                79
 8560  SCHLUND-AS                              37     3                92
14779  INKT Inktomi Corporation                36     0               100
 9318  HANARO-AS                               35     2                94
33597  InfoRelay Online Systems, Inc.          31     0               100
  174  Cogent Communications                   31    27                13
 4713  OCN NTT Communications Corporation      28    24                14
 3561  Savvis                                  28     0               100
 4134  CHINANET-BACKBONE                       27     6                78
16265  LEASEWEB AS                             26     5                81
24611  AS24611 Datacenter Luxembourg S.A.      26     0               100
12832  Lycos Europe                            25     0               100
 9121  TTNet                                   25     1                96
 3786  ERX-DACOMNET                            23     9                61

Top 20 ASNes by number of active suspect CCs.  These counts are
determined by the number of suspect domains or IPs located within
the ASN that completed a connection request.
  ASN  Responsible Party                    Total  Open  Percent_Resolved
13301  UNITEDCOLO-AS Autonomous System of      89    35                61
  174  Cogent Communications                   31    27                13
 4713  OCN NTT Communications Corporation      28    24                14
23522  CIT-FOONET                              45    24                47
25973  Mzima Networks, Inc.                    20    18                10
 4766  KIXS-AS-KR                              63    17                73
30506  Blacksun Technologies                   17    17                 0
19318  NJIIX-AS-1 - NEW JERSEY INTERN         133    16                88
30058  FDCSE FDCservers.net LLC                45    14                69
23832  SPACELAN KANAZAWA CABLE TELEVISION      11    11                 0
29339  MBBG-AS Markus Bach Betriebs Gesell     10    10                 0
31103  KEYWEB-AS Keyweb AG                     11    10                 9
11260  Andara High Speed Internet c/o Hali     10     9                10
 3786  ERX-DACOMNET                            23     9                61
 4837  CHINA169-Backbone                       22     8                64
 9800  UNICOM                                  18     8                56
13213  UK2NET-AS UK-2 Ltd Autonomous Syste     39     8                79
24989  IXEUROPE-DE-FRANKFURT-ASN IX Europe     21     7                67
25761  STAMIN-2 Staminus Communications        21     7                67
 8001  Net Access Corporation                  13     7                46

A version of this report with additional rankings can be found
via the isotf.org home page.


Randal Vaughn
Professor
Baylor University
Waco, TX
(254) 710 4756
randy_vaughn at baylor.edu

Gadi Evron
ge at linuxbox.org