ITU: Submarine Cable Cuts Acts of Sabotage?

2008-02-19 Thread Paul Ferguson


Sound of heads exploding:

http://www.nationalterroralert.com/updates/2008/02/18/undersea-cables-may-have-been-cut-by-saboteurs/

- ferg



--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/



Re: A couple of advanced references...

2008-02-19 Thread Fred Heutte

Follow-up to fergdawg, the Georgia Tech/Google study made it on
the wires today (including the front section of our local Oregonian,
below is the Times of India version).

Congrats to NANOG and all the presenters for the network center
energy efficiency segment today.  I'm not really active on the network
side these days (though a NANOG lurker since 1996 or so) but my
history in energy efficiency work goes back to 1983 and it's great
to see this finally getting really top-level attention and the session
was really good today in covering many if not all of the layered
aspects of the issue.

cheers, and back to mode.lurk


Fred

-

http://infotech.indiatimes.com/articleshow/2785722.cms

Did you know servers can lie

AP

SAN FRANCISCO: They're called “servers that lie.”

Mendacious machines controlled by hackers that re-route Internet
traffic from infected computers to fraudulent websites are
increasingly being used to launch attacks, according to a paper
published this week by researchers with the Georgia Institute of
Technology and Google Inc.

The paper estimates roughly 68,000 servers on the Internet are
returning malicious Domain Name System results, which means people
with compromised computers are sometimes being directed to the wrong
websites -- and often have no idea.

The peer-reviewed paper, which offers one of the broadest
measurements yet of the number of rogue DNS servers, was presented
at the Internet Society's Network and Distributed System Security
Symposium in San Diego.

The fraud works like this: When a user with an affected computer
tries to go to, for example, Google's website, they are redirected
to a spoof site loaded with malicious code or to a wall of ads whose
profits flow back to the hackers.

The hackers who hijack DNS queries are looking to steal personal
information, from email login credentials to credit data, and take
over infected machines.

The spoof sites run the gamut. Some are stunningly convincing,
others amusingly bogus with spelling errors and typos.

The DNS system is a critical part of the Internet's infrastructure,
used to make sure computers know how to contact each other. People
usually automatically use the DNS servers of their Internet
providers, but the recent wave of attack modifies the settings on
victims' computers to send traffic to rogue DNS servers.

Attacks using manipulated DNS results aren't new. Profit-driven
hackers have a strong incentive to control where users go on the
Web. The paper looked at viruses that started appearing in 2003
designed to alter the DNS settings on infected computers.

The report noted that the rogue DNS servers don't always return
incorrect results, often fooling users into believing their Internet
access is working properly. Hackers thus can route users to
malicious websites whenever they choose.

Most up-to-date antivirus software will catch and banish the viruses
used to change DNS settings. Once a computer has been infected,
users need to run a new scan with the latest software and change
their DNS settings back -- which is easy.

Security experts not involved in preparing the paper said it adds
valuable data about the scope of an increasingly popular type of
attack.

“A lot of people don't realize the seriousness of it,” said Paul
Ferguson, a threat researcher with Trend Micro Inc. “The problem is
getting worse.”



Re: A couple of advanced references...

2008-02-19 Thread Adrian Chadd

On Tue, Feb 19, 2008, Iljitsch van Beijnum wrote:
> 
> On 19 feb 2008, at 7:27, Paul Ferguson wrote:
> 
> >According to the FTC, total consumer fraud losses totaled $1.2
> >billion, with the average monetary loss for an individual at
> >$349.
> 
> >Credit card fraud was the most common form of reported identity
> >theft at 23 percent,
> 
> In many countries in Europe, people pay with debit cards that have a  
> PIN number. You need to both copy the magnetic strip on the card and  
> obtain the PIN to get at someone's money. And that's 1990s, if not  
> 1980s, technology.

And defrauding that is now a bulk produced scam - companies in .asia
mass-producing bar scanning and key input devices customised for various
ATM models.




Adrian



Re: ITU: Submarine Cable Cuts Acts of Sabotage?

2008-02-19 Thread Alexander Harrowell
On Tue, Feb 19, 2008 at 7:44 AM, Paul Ferguson <[EMAIL PROTECTED]> wrote:

>
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> Sound of heads exploding:
>
>
> http://www.nationalterroralert.com/updates/2008/02/18/undersea-cables-may-have-been-cut-by-saboteurs/
>

""Some experts doubt the prevailing view that the cables were cut by
accident, especially as the cables lie at great depths under the sea and are
not passed over by ships," Murshed said on the sidelines of a conference on
cyber-crime held in Gulf state of Qatar."

Nonsense. The Straits of Hormuz are not "great depths of the sea", and they
are constantly full of shipping. The same goes for the eastern
Mediterranean. Murshed seems ill-informed.

Further, looking at "National Terror Alert.com", I have my doubts; it seems
to be a private enterprise with links to lots of really, really,
extreme-right wing blogs that's trying to look like an official US
Government product. Also, it's an old journo trick to headline a story about
- say - aircraft accident investigators not ruling something unlikely out
(they never rule anything out until there is good reason to) as if they were
suggesting it was the truth.

Alex


RE: Submarine Cable Cuts Acts of Sabotage?

2008-02-19 Thread Rod Beck
Well, I guess the experts need an education. Cable cuts do occur in deep sea. 

Roderick S. Beck
Director of European Sales
Hibernia Atlantic
1, Passage du Chantier, 75012 Paris
http://www.hiberniaatlantic.com
Wireless: 1-212-444-8829. 


Re: A couple of advanced references...

2008-02-19 Thread Iljitsch van Beijnum


On 19 feb 2008, at 7:27, Paul Ferguson wrote:


> According to the FTC, total consumer fraud losses totaled $1.2
> billion, with the average monetary loss for an individual at
> $349.

> Credit card fraud was the most common form of reported identity
> theft at 23 percent,


In many countries in Europe, people pay with debit cards that have a  
PIN number. You need to both copy the magnetic strip on the card and  
obtain the PIN to get at someone's money. And that's 1990s, if not  
1980s, technology.


The other issue is that banks and credit card companies don't have any  
interest in getting rid of fraud: as long as there is fraud, they can  
sell you the service of compensating you for that, which of course we  
all pay for through the credit card commissions on our purchases. And  
in many cases, the vendor ends up eating the loss rather than the  
bank, anyway.


If you want stuff to work, you need to align the costs and benefits.  
See growth of the routing table: the community pays for the larger  
routers, the users of PI space get the benefits.


BTW, about identity theft: if someone takes out a bank loan in my  
name, how is that my problem and not the bank's?


What's the cause?

2008-02-19 Thread Frank
Hi guys,

Can you help me correct our router? Please see the details below.
BTW, our ISP told me that there's no problem on their side, but I still
can't find anything in my configuration that is causing this.

Looking forward to your help, thank you.

./fRank

#traceroute nanog.org

Type escape sequence to abort.
Tracing the route to nanog.org (198.108.1.50)

  1 61.9.31.21.mozcom.net (61.9.31.21) [AS 6163] 4 msec 4 msec 4 msec
  2 fe0-0.peak-7206-border-2.mozcom.net (61.9.0.243) [AS 6163] 4 msec 0 msec 0 msec
  3 203.177.211.41 [AS 6163] 4 msec 4 msec 4 msec
  4 203.177.59.5 [AS 6163] 8 msec 4 msec 4 msec
  5 203.177.31.166 [AS 6163] 4 msec 8 msec 4 msec
  6 203.177.254.185 [AS 6163] 180 msec 176 msec 180 msec
  7 gi1-16.ccr01.lax04.atlas.cogentco.com (38.104.82.129) [AS 6163] 184 msec 188 msec 188 msec
  8 te4-3.mpd01.lax01.atlas.cogentco.com (154.54.24.69) [AS 6163] 352 msec
    te3-3.mpd01.lax01.atlas.cogentco.com (154.54.24.61) [AS 6163] 196 msec 180 msec
  9 te2-4.mpd01.iah01.atlas.cogentco.com (154.54.5.101) [AS 6163] 216 msec
    te8-2.mpd01.iah01.atlas.cogentco.com (154.54.3.37) [AS 6163] 216 msec
    te2-4.mpd01.iah01.atlas.cogentco.com (154.54.5.101) [AS 6163] 212 msec
 10 te8-3.mpd01.dfw01.atlas.cogentco.com (154.54.2.14) [AS 6163] 220 msec
    te3-2.mpd01.mci01.atlas.cogentco.com (154.54.5.218) [AS 6163] 228 msec
    te7-3.mpd01.dfw01.atlas.cogentco.com (154.54.5.129) [AS 6163] 220 msec
 11 te7-4.mpd01.ord01.atlas.cogentco.com (154.54.2.190) [AS 6163] 240 msec
    te8-2.mpd01.mci01.atlas.cogentco.com (154.54.5.126) [AS 6163] 232 msec
    te7-3.mpd01.mci01.atlas.cogentco.com (154.54.3.18) [AS 6163] 232 msec
 12 vl3489.mpd01.ord03.atlas.cogentco.com (154.54.5.18) [AS 6163] 232 msec
    te2-1.mpd01.ord01.atlas.cogentco.com (154.54.2.234) [AS 6163] 228 msec
    te2-3.mpd01.ord01.atlas.cogentco.com (154.54.7.137) [AS 6163] 232 msec
 13  *
    vl3489.mpd01.ord03.atlas.cogentco.com (154.54.5.18) [AS 6163] 368 msec 436 msec
 14 Merit.demarc.cogentco.com (38.112.7.10) [AS 6163] 228 msec *
    fe0-0-0x43.michnet10.mich.net (198.108.22.243) [AS 6163] 240 msec
 15 fe0-0-0x43.michnet10.mich.net (198.108.22.243) [AS 6163] 240 msec
    nanog.org (198.108.1.50) [AS 6163] 240 msec
    fe0-0-0x43.michnet10.mich.net (198.108.22.243) [AS 6163] 240 msec


Re: What's the cause?

2008-02-19 Thread Elmar K. Bins

[EMAIL PROTECTED] (Frank) wrote:

> all the AS numbers are the same

Yes, one can see that.

Looks like you only get a default from your transit.

Background: The AS number in [brackets] is determined by a
lookup in the router's RIB. So if you only have the default
(from AS6163 as it seems), the lookup result will always be
6163.

Elmar.

-- 

"Hinken ist kein Mangel eines Vergleichs, sondern sollte als wesentliche
 Eigenschaft von Vergleichen angesehen werden."   (Marius Fränzel in desd)

--[ ELMI-RIPE ]---
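
The RIB lookup described in the message above, as an added example that is not part of the original thread. It models the bracketed AS as the origin AS of the longest-prefix match for each hop address, which is a simplification; the hop addresses come from the posted traceroute, while the prefixes and AS paths in both tables are constructed for illustration and are not real routing data.

```python
import ipaddress

# Hop addresses taken from the traceroute posted in this thread.
HOPS = ["61.9.31.21", "203.177.254.185", "38.104.82.129",
        "154.54.24.69", "198.108.22.243", "198.108.1.50"]

# Constructed tables (assumptions): prefix -> AS path as seen by the customer router.
DEFAULT_ONLY = {"0.0.0.0/0": [6163]}
FULL_TABLE = {
    "0.0.0.0/0": [6163],
    "61.9.0.0/16": [6163],
    "203.177.0.0/16": [6163],
    "38.0.0.0/8": [6163, 174],
    "154.54.0.0/16": [6163, 174],
    "198.108.0.0/16": [6163, 174, 237],
}

def build_rib(routes):
    """Return (network, as_path) entries sorted longest prefix first."""
    rib = [(ipaddress.ip_network(p), path) for p, path in routes.items()]
    return sorted(rib, key=lambda entry: entry[0].prefixlen, reverse=True)

def lookup(rib, addr):
    """Longest-prefix match: return (matched network, origin AS) or (None, None)."""
    ip = ipaddress.ip_address(addr)
    for net, path in rib:
        if ip in net:
            return net, path[-1]  # origin AS is the last AS in the path
    return None, None

def annotate(routes, hops=HOPS):
    """AS number a traceroute would print in brackets for each hop."""
    rib = build_rib(routes)
    return [lookup(rib, hop)[1] for hop in hops]

def only_default_matched(routes, hops=HOPS):
    """True when every hop resolved through 0.0.0.0/0, i.e. the AS labels carry no information."""
    rib = build_rib(routes)
    matches = [lookup(rib, hop)[0] for hop in hops]
    return all(net is not None and net.prefixlen == 0 for net in matches)

if __name__ == "__main__":
    for name, table in (("default only", DEFAULT_ONLY), ("full table", FULL_TABLE)):
        print(name, annotate(table), "default-only:", only_default_matched(table))
```

With the default-only table every hop is labelled 6163, matching the posted output; with more specific routes the labels change at the provider boundaries.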



Re: What's the cause?

2008-02-19 Thread Frank
all the AS numbers are the same


-- 
./fRank


Re: What's the cause?

2008-02-19 Thread Justin M. Streiner


On Tue, 19 Feb 2008, Frank wrote:


> all the AS numbers are the same


Are you running this trace from a BGP speaking router on your network? 
I'm also going to guess you're not taking full BGP routes from your 
upstreams?


What exactly do you think is broken?

As for the dropped traceroute probes, are you doing any sort of filtering 
of ICMP that could account for that?  Note that dropped traceroute probes 
should _not_ be equated to packet loss without further investigation.


jms





Re: What's the cause?

2008-02-19 Thread Frank
Thank you guys for your help.


No Webcast of IPv4 Free Pool BoF today

2008-02-19 Thread Owen DeLong


I have been informed by Merit that there will be no webcast of this
afternoon's AC Hosted BoF.  I apologize for any inconvenience.  I am
posting this because I received a number of inquiries on this topic.

Owen



RE: IPV4 as a Commodity for Profit

2008-02-19 Thread Paul Ferguson


>1. Where is the current demand for IPv4 coming from? Plenty of analysis here.
>

I never thought I'd be doing this but:

Can we please move this thread elsewhere?

- ferg



--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/