Re: Confidentiality disclaimers, was: GoDaddy DDoS

2005-12-01 Thread Dan Hollis


On Thu, 1 Dec 2005, Jay Hennigan wrote:

On Thu, 1 Dec 2005, Mark Smith wrote:
[Dire threats regarding confidentiality, etc. snipped.]

On Wed, 30 Nov 2005 16:18:52 -0700
"Sam Crooks" <[EMAIL PROTECTED]> wrote:
This confidentiality notice almost DoS'd my MUA !

One would think that those posting here would have the clue to realize
that they are sending mail to a widely read and archived mailing list,
making any such confidentiality warning rather ludicrous.


IMO, such disclaimers are incompatible with the nanog ml, anyone posting 
from such disclaimer-encumbered accounts should be forcefully
unsubscribed. If you can't post from a disclaimer-free account, you 
shouldn't be posting to the list, period.


-Dan


Re: a record?

2005-11-14 Thread Dan Hollis



> Enjoy scanning, even I and I guess the rest of this list will be long
> time retired and sipping pina coladas and other good stuff (hot
> chocolate milk with whipped cream and baileys anyone? :) in hawaii or some
> other heavenly place the day that the hardware and pipes are available
> to scan a single /64 efficiently.


google/altavista/excite/etc are incredibly useful for gathering target 
lists, even for ipv4. if you truly believe ipv6 is a magic bullet which 
will stop scanning, i have a bridge to sell you.


-Dan


Re: .iq [ was: Re: Paul Vixie serving ORSN ]

2005-09-30 Thread Dan Hollis


On Fri, 30 Sep 2005, Eric Brunner-Williams at a VSAT somewhere wrote:

> For those who care about excesses of zeal, the Elashi brothers (operators
> as well as sponsor delegees of .iq) of someplace in Texas, were charged with
> giving money to Hamas or a charity linked to Hamas, and sending a PC to Syria,
> and parts of a PC -- perhaps a mouse pad -- to Libya.


http://www.usdoj.gov/usao/txn/PressRel04/Elashi.pdf


Re: 209.68.1.140 (209.68.1.0 /24) blocked by bellsouth.net for SMTP

2005-09-20 Thread Dan Hollis


On Tue, 20 Sep 2005, Suresh Ramasubramanian wrote:

> Blocking is fine - happens.  Postmaster and other role accounts not
> replying at all to email that they're sent is just not a good thing to
> do.


speaking of which:

   - The following addresses had permanent fatal errors -
[EMAIL PROTECTED]
(reason: 550 5.7.1 )

   - Transcript of session follows -
... while talking to mailb.microsoft.com.:

DATA

<<< 550 5.7.1 
554 5.0.0 Service unavailable

running a spam filter on [EMAIL PROTECTED] does not seem terribly wise...

-Dan


Re: image stream routers

2005-09-17 Thread Dan Hollis


On Sun, 18 Sep 2005, Lincoln Dale wrote:
> right.  what i'm pointing out is that if Imagestream routers really ARE
> capable of >OC12 (and perhaps multiple of them) then it's unlikely it's
> s/w-based forwarding.


doesn't mean they are violating GPL to do it. look at nvidia for example.

-Dan


Re: Katrina: directNIC Stays Online - Blog + Images

2005-09-01 Thread Dan Hollis


On Thu, 1 Sep 2005, Todd Vierling wrote:
> On Thu, 1 Sep 2005, Dan Hollis wrote:
> > There are other reasons too. People have been following NOPD police scanners
> > and posting news that the mainstream media refuse to cover:
> > http://www.freerepublic.com/focus/news/1474267/posts
> 
> If you're going to post a URL on *that* site (for other NANOG'ers, it's a
> highly politically charged site), I am obliged to exercise equal time.
> Louisiana forum:
> http://www.democraticunderground.com/discuss/duboard.php?az=show_topics&forum=155


listen to the police scanner yourself.

-Dan


Re: Katrina: directNIC Stays Online - Blog + Images

2005-09-01 Thread Dan Hollis


On Thu, 1 Sep 2005, Simon Waters wrote:

> I think the issue is not staying at home or work, but rather deciding whether
> or not to follow advice to evacuate an area, where you risk becoming a
> liability for other rescue and recovery workers.


There are other reasons too. People have been following NOPD police 
scanners and posting news that the mainstream media refuse to cover:


http://www.freerepublic.com/focus/news/1474267/posts

Some rescue services are refusing to enter due to armed thugs roaming the 
streets with ak47 assault rifles, carjacking, mugging and murdering 
people.


Law enforcement officials have been captured on videotape participating in 
the looting.


Does not sound like a place any sane person would choose to go to. I don't 
think "risking your life to protect your employer's property" is on the 
job description...

-Dan


Re: Cisco crapaganda

2005-08-09 Thread Dan Hollis

On Tue, 9 Aug 2005, J. Oquendo wrote:
> Anyhow, sorry for the rants... The article is pseudo-worth the read
> if you can filter out marketing and crapaganda.

Someone made a video of cisco hard at work fixing router security holes:
http://www.makezine.com/blog/archive/2005/08/video_of_ciscoi.html

Cisco is also fixing web security holes:
http://www.dslreports.com/shownews/66078

With all this and the FBI investigation of Lynn, I feel so much safer now. 

Thanks cisco.

-Dan



RE: "Cisco gate" - Payload Versus Vector

2005-08-02 Thread Dan Hollis

On Tue, 2 Aug 2005, Randy Bush wrote:
> even without stifling the heap check via crashing_already (i.e. a
> 'fix' is developed for that weakness), is the 30-60 second window
> sufficient to do serious operational damage.  i.e. what could an
> attacker do with a code injection with a mean life as short as
> 15-30 seconds?

change the passwords and write to nvram, and come back later?

-Dan



Re: "Cisco gate" and "Meet the Fed" at Defcon....

2005-08-01 Thread Dan Hollis

On Sun, 31 Jul 2005, Fergie (Paul Ferguson) wrote:
> No one ever said the Internet wasn't chock full of contradictions.
> One one hand, we have what some are now calling "Cisco gate":
> http://news.com.com/Hackers+rally+behind+Cisco+flaw+finder/2100-1002_3-5812044.html

Alder then blasted Cisco for going after Lynn.
"Cisco, you are really screwing up," she said, followed by a round of 
applause. "Suing researchers is not going to make you secure. Alienating 
the security community is not going to encourage people to come to you and 
report problems and work with you."

Agreed 100%.

Cisco, are you listening?

By this misbehavior you are seriously discouraging researchers from 
releasing info to you. They will suspect you'll sit on the exploit for 
months and not tell anyone (as you did with this one). They'll be afraid 
you'll try to kill the messenger (as you did with this one).

Instead, they're just going to release exploits into the wild anonymously. 
Is this what you want? Then keep it up.

-Dan



Re: More info on the Exploit from Black Hat conference

2005-08-01 Thread Dan Hollis

On Sun, 31 Jul 2005, Piotr KUCHARSKI wrote:
> > I took pictures of the slides but may have missed one or two.  Grab them
> > here: http://164.106.251.250/docs/netsec/defcon13/7-27-05.zip 

Looks like it's already gone. ISS/Cisco threat?

> PS I took the liberty of mirroring it at 42.pl/lynn/

Let us know if you get a c&d :)

-Dan



Re: Boing Boing: Michael Lynn's controversial Cisco security presentation

2005-07-29 Thread Dan Hollis

On Sat, 30 Jul 2005, Simon Lyall wrote:
> On Sat, 30 Jul 2005, Brad Knowles wrote:
> > BTW, the original slides are supposed to be at
> > .  However,
> > what's there now is currently a place-holder, although it does tell
> > you that if you're looking for the original PDF file that you can
> > still access that at
> > .
> The PDFs at infowarrior.org have been replaced with a letter from ISS's
> lawyers requesting the paper be removed (with the attached Injunction).
> I guess it means we are all safe now.

I guess at this point ISS realizes their reputation is so deep in the 
shitter that nothing they do could make it worse.

-Dan



Re: eWeek: Cisco Comes Clean on Extent of IOS Flaw

2005-07-29 Thread Dan Hollis

On Fri, 29 Jul 2005, Fergie (Paul Ferguson) wrote:
> As an aside, I like John Murrell's headline in "Good Morning,
> Silicon Valley" best of all --
> "Cisco patches security researcher vulnerability"
> http://blogs.siliconvalley.com/gmsv/2005/07/cisco_patches_s.html

cisco's firewalls are made of lawyers and fbi agents? :-)

-Dan



Re: eWeek: Cisco Comes Clean on Extent of IOS Flaw

2005-07-29 Thread Dan Hollis

On Fri, 29 Jul 2005, Fergie (Paul Ferguson) wrote:
> http://www.eweek.com/article2/0,1759,1841669,00.asp

Like I said, PR disaster.

As more information comes out, the levels of misbehavior on behalf of 
Cisco and ISS are reaching comical levels. I mean really, someone at ISS 
filed a _criminal complaint_ over the _presentation_?

ISS' integrity has been questioned before, and this only seems to confirm 
people's worst fears.

-Dan



Re: Cisco and the tobacco industry

2005-07-29 Thread Dan Hollis

On Fri, 29 Jul 2005, Fergie (Paul Ferguson) wrote:

> Hey, Dan...
> 
> What's that they say about 800 lb. Gorillas...
> 
> :-)
> 
> - ferg
> 
> -- Daniel Golding <[EMAIL PROTECTED]> wrote:
> 
> Cisco's conduct in this case may or may not be improper - we'll have to wait
> for a little more information. From a PR point of view, they probably should
> have let things ride and allowed the Blackhat talk to occur. They look like
> bullies now, which is never good. Hindsight is 20/20, though.
> 
> That being said, their policy of offering free updates for certain bug fixes
> to those who don't pay them for support is generous. See that hand feeding
> you? Don't bite it.

what about cisco's policy of sabotaging ebay sales and harassing used 
equipment resellers? the food that hand is feeding you is loaded with rat 
poison.

-Dan



Re: Cisco IOS Exploit Cover Up

2005-07-28 Thread Dan Hollis

On Thu, 28 Jul 2005, Jason Frisvold wrote:
> On 7/27/05, Jeff Kell <[EMAIL PROTECTED]> wrote:
> > Cisco's response thus far:
> >
> > http://www.cisco.com/en/US/about/security/intelligence/MySDN_CiscoIOS.html
> More fuel on the fire...  Cisco and ISS are suing Lynn now...
> http://news.zdnet.co.uk/internet/security/0,39020375,39211011,00.htm 

Not the first time Cisco has had a highly questionable attitude toward 
security issues, even recently: http://kerneltrap.org/node/5382
(cisco, lawyers, and patents).

Is this the start of a new pattern of behavior for cisco, or just more of 
the same?

-Dan



RE: Cisco IOS Exploit Cover Up

2005-07-27 Thread Dan Hollis

On Wed, 27 Jul 2005, Fergie (Paul Ferguson) wrote:
> For what it's worth, this story is running in the
> popular trade press:
> 
> "Cisco nixes conference session on hacking IOS router code"
> http://www.networkworld.com/news/2005/072705-cisco-ios.html

This is looking like a complete PR disaster for cisco. They would have 
been better off allowing the talk to take place, and actually fixing the 
holes rather than wasting money on a small army of razorblade-equipped 
censors.

-Dan



MCI billing fraud ... again

2005-07-21 Thread Dan Hollis

We're being hit up by MCI's billing fraud again. You'd think after the 
multiple settlements, the $4 billion accounting fraud and Ebbers' 
25 year prison sentence that MCI would have learned something, but
apparently not.

Anyone have a definitive method of dealing with these clowns? Any contacts 
for someone skilled in getting MCI to FOAD?

-Dan



Re: On the-record - another "off-topic" post

2005-05-03 Thread Dan Hollis

On Tue, 3 May 2005, Gadi Evron wrote:
> Where are our brand new and shiny moderators?

When you respond quoting someone can you please include the quote 
attribution line so our procmail filters can work properly? most of us 
have procmail'd dean out, but your response cutting off his name from the 
quote let it get through.

-Dan



Re: Schneier: ISPs should bear security burden

2005-04-28 Thread Dan Hollis

On Thu, 28 Apr 2005, Iljitsch van Beijnum wrote:
> The problem is that the maliciousness of packets or email is largely  
> in the eye of the beholder. How do you propose ISPs determine which  
> packets the receiver wants to receive, and which they don't want to  
> receive? (At Mpps rates, of course.)

It's not up to the ISP to determine outbound malicious traffic, but it's up 
to the ISP to respond in a timely manner to complaints. Many (most?) do not.

> There are many ISPs that do less than they should, though. (Allow  
> spoofed sources, don't do anything against hosts that are reported to  
> send clearly abusive traffic, sometimes even at DoS rates...)

This is what I mean by the environmental polluter model. Providers who 
continually spew sewage and do nothing to shut off attackers under their 
domain despite repeated pleas from victims.

A paper by Jeffrey Race - http://www.camblab.com/nugget/spam_03.pdf
was written about the spam problem, but touches on fraud and other 
malicious activity. The general attitude in the paper regarding providers' 
responses to spam complaints also applies to ddos and other attacks. It's 
also interesting to note where Mr. Ebbers is today.

Has the situation gotten better? Maybe at uunet it has since mr. ebbers' 
"departure", but most other places it appears to only have gotten worse[1]. 

Bigpond let things get so out of hand that their own network began to 
crumble, which is the only time I can think of in recent history that 
they've ever taken action to disconnect zombies. You can be certain the 
victims on the receiving end of bigpond's zombied customers have little 
sympathy for bigpond's situation. Remember, this is the ISP whose abuse@ 
box auto-deleted complaints for "unacceptable language". When you're so 
bad that AOL has to block you[2], you should probably consider cleaning 
up your network.

Sadly these official policies of 'do nothing' come from the top, so 
engineers and administrators who are in a position to actually take action 
against blatant network abuse are actually explicitly forbidden to take 
any action.

So the real question seems to be how to effectively apply a cluebat to 
CEOs to get a reasonable abuse policy enforced. Nanog can host all the 
meetings it wants and members can write all the RFCs they want, but until 
attitudes change at the top, nobody will be allowed to do anything at the 
bottom.

-Dan

[1] http://sucs.org/~sits/articles/ntl_dont_care/
[2] http://www.smh.com.au/articles/2003/04/29/1051381931239.html?oneclick=true



Re: Schneier: ISPs should bear security burden

2005-04-27 Thread Dan Hollis

On Wed, 27 Apr 2005, Owen DeLong wrote:
> From that perspective, in my experience, things are better today than they
> ever have been.

The only thing I've seen in the past 20 years which has made any positive
impact on overall internet reliability is BGP dampening. In all other 
cases it's gotten worse as networks are ground to dust by daily DDOS 
attacks. You can read daily about sites xyz or networks xyz being 
unreachable for hours/days/weeks/months due to DDOS attacks. Compared to 
20 years ago I would have to say overall things are worse not better.

-Dan



Re: Internet2

2005-04-27 Thread Dan Hollis

On Wed, 27 Apr 2005, Randy Bush wrote:
> to source is still the big gap.  imiho, from the ops perspective,
> only sally's ecn has made any useful approach.  sadly, we may be
> able to judge the actual demand for e2e qos by ecn's very slow
> deployment.  i think this is unfortunate, as ecn is pretty cool.

The low demand is partially due to IWF[0] who unwittingly block it. Many 
OSes deploy with ecn support but default it off due to the IWF problem.

And there are so many IWF that applying enough cluebats to clear the path 
for ECN is going to take enormous effort.

We could demonstrate how cool ECN is, if there weren't so many IWF making 
this impossible. Entities who try to deploy ECN are deluged with "hey wtf 
I can't reach site XYZ anymore, your shit is broken, fix it you ***!"

I have no idea if microsoft supports ECN yet, but if they don't then I 
suspect that a sufficiently embarrassing benchmark would prod them into 
adding it.

I wonder how many network operators on nanog block ECN. If you do, why?

-Dan

[0]Idiots With Firewalls. See http://urchin.earth.li/cgi-bin/ecn.pl



Re: Schneier: ISPs should bear security burden

2005-04-27 Thread Dan Hollis

On Wed, 27 Apr 2005, Owen DeLong wrote:
> Strangely, for all the FUD in the above paragraph, I'm just not buying it.
> The internet, as near as I can tell, is functioning today at least as well
> as it ever has in my 20+ years of experience working with it.

You must not have used it much in those 20 years. I can definitely say 
worms, trojans, spam, phishing, ddos, and other attacks are up several 
orders of magnitude in those 20 years. Malicious packets now account for 
a significant percentage of all ip traffic. Eventually I expect malicious 
packets will outnumber legitimate packets, just like malicious email 
outnumbers legitimate email today.

As long as the environmental polluter model continues to be championed and 
promoted on nanog (of all places), the problem will only get worse.

-Dan




Re: New IANA IPv4 allocation to AfriNIC (41/8)

2005-04-13 Thread Dan Hollis

On Wed, 13 Apr 2005, Randy Bush wrote:
> > The largest part (>90%) does originate in Nigeria.  The remainder comes
> > from countries adjacent to Nigeria such as Togo, Senegal, etc (~6%) or
> > from the Netherlands (~4%)
> would love to see the cite for this, please
> randy

I have a collected archive of nearly 1000 nigerian scam emails if anyone 
would like to do an analysis.

From what I recall a large % of origin IP (where origin IP is 
identifiable) are registered directly to Lagos.

-Dan




Re: SORBS Identity theft alert

2005-04-11 Thread Dan Hollis

On Mon, 11 Apr 2005, Bill Nash wrote:
> On Sun, 10 Apr 2005, Randy Bush wrote:
> >> SORBS lists Dean.  I suspect this makes him angry.
> > who's dean?
> > the problem with feeding trolls is that they puke it up on
> > the carpet.
>   Negative reinforcement is better than procmail. The problem with 
> trolls is that they keep coming back if you don't beat them properly.
> I'm a great example. ;)

The other problem with procmail is it doesn't catch people replying to our 
resident list.kook. I'm going to have to start procmailing everything with 
"dean" in the body now... :-/

-Dan



Re: potpourri (Re: Clearwire May Block VoIP Competitors )

2005-04-01 Thread Dan Hollis

On Fri, 1 Apr 2005, Randy Bush wrote:
> > (speaking of amazon, i found that usb headsets are down to ~$34.94
> > now. yay!)
> if you mean the logitech 980130-0403, $32 at newegg
> why is usb better than the headset/mic jacks?

because integrated or pci audio are often plagued by internal electrical 
noise.

USB largely avoids this by doing all the conversion externally and largely 
isolated.

-Dan



RE: Utah governor signs Net-porn bill

2005-03-22 Thread Dan Hollis

On Tue, 22 Mar 2005, Kathryn Kessey wrote:
> ...this bill... requires the attorney general to establish and maintain a 
> database, called the adult content registry, of certain Internet sites 
> containing material harmful to minors...
> ...$100,000 from the General Fund to the attorney general, for fiscal year 
> 2005-06 only,
> to establish the adult content registry...
> They are going to create publicly accessible, highly available database 
> service of the all the world's porn sites and maintain it with up to the 
> minute data... with 100K.  Right.
> Seems like a more rational answer to Utah's pr0n phobia is for a certain 
> religious entity to publish their own net-nanny software/service for their 
> parishioners.

somehow I suspect more than just pr0n sites will end up in that 'adult content 
registry'. don't be surprised if sites critical of mormonism get blocked too. 
they can be as bad as scientologists in this respect.

-Dan



Re: sorbs.net

2005-03-15 Thread Dan Hollis

On Tue, 15 Mar 2005, Micah McNelly wrote:
> Do you really think opinion has a place in mail delivery?

Yes. My mailbox. My computer. My private property. My rules.

> What if the USPS decided any magazine you subscribed to was 
> suddenly unfit for delivery and decided it should blocked (thrown away)?

They don't decide. I do.

-Dan



Re: Fire Code/UFC Regs?

2005-03-14 Thread Dan Hollis

On Sun, 13 Mar 2005, Mark Radabaugh wrote:
> >  Perhaps someone who knows EE can enlighten me?
> OK - my considered opinion as a BSEE is:
> It's a pile of BS designed to sell PDU's.
> "but do not efficiently distribute the power, meaning that some
> equipment may be deprived of the necessary amperage it requires to run
> properly"
> Yeah.  Sure.

I asked an EE friend, he says it sounds like a convenient excuse for APC 
to reject claims.

-Dan



Re: ChinaNet Contacts

2005-02-17 Thread Dan Hollis

On Thu, 17 Feb 2005, Gadi Evron wrote:
> It would still be my guess there are more black hats in the US.

yahoo and hotmail come close, but it will take some real balls to top 
chinanet's official blackhat lying autoresponder:

"In your SPAM eMail,I can't find the IP or the IP is not by my 
control.Please give me the correct IP.Thank you."

hats don't get any darker than that.

-Dan



RE: ChinaNet Contacts

2005-02-17 Thread Dan Hollis

On Thu, 17 Feb 2005, Hannigan, Martin wrote:
> I wouldn't go as far as label it systemic. Both Chinese and 
> Korean organizations are participating in some of the behind
> the scenes security/mitigation activities going on and have been
> helpful. Not all. Some.

Remember that chinanet was the one who setup the infamous lying 
autoresponder:

"In your SPAM eMail,I can't find the IP or the IP is not by my 
control.Please give me the correct IP.Thank you."

Then they attend regional meetings and complain that people are blocking 
them. Gee I wonder why.

-Dan



Re: ChinaNet Contacts

2005-02-17 Thread Dan Hollis

On Thu, 17 Feb 2005, Jon R. Kibler wrote:
> I know that this is a REALLY sore point, but has anyone ever 
> established any good working relations with anyone in CHINANET or other 
> China-based ISPs? 

From what I understand the answer is no. People I know who have attended 
asia-pacific regional network meetings described them as "clueless".
Unfortunately the same goes for kornet. :-/

-Dan



Re: broke Inktomi floods?

2005-01-20 Thread Dan Hollis

On Thu, 20 Jan 2005, Suresh Ramasubramanian wrote:
> On Thu, 20 Jan 2005 14:30:04 +0200, Gadi Evron <[EMAIL PROTECTED]> wrote:
> > Inktomi (now Yahoo!) sends it's spiders all over the Internet. Lately
> > some of our systems are reporting that they open many HTTP connections
> > to our web sites, without ever sending any data and immediately
> > disconnecting. This is getting to a level where it disturbs us.
> I have heard previous stories of inktomi ignoring robots.txt (not seen
> this for myself though).  And there are threads like this -
> Quoting from http://www.webmasterworld.com/forum11/1968-1-15.htm

back in 1999 inktomi hammered our nameserver (which never has, and never 
will run http. ever.) After _weeks_ of complaining to them and to their 
upstream exodus (hah!) I finally got them to stop. Only to have them 
start up again a month later.

not surprising to see them up to their old antics again.

time to nullroute i guess?

-Dan




Re: panix hijack press

2005-01-19 Thread Dan Hollis

On Wed, 19 Jan 2005, Darrell Greenwood wrote:
> customers' domains. Panix.com says its domain name was locked, and
> that despite this, it was still transferred."

I seem to recall someone saying it wasn't locked, now they're saying it was?

-Dan



Re: Smallest Transit MTU

2004-12-30 Thread Dan Hollis

On Thu, 30 Dec 2004, Florian Weimer wrote:
> * Dan Hollis:
> > Because tcp connection endpoints have to implement ECN in order to manage 
> > the flow.
> Your wording suggests that ECN is purely an end-to-end signaling
> protocol

it does? where?

> (and so does a lot of propaganda from the ECN zealots).

an "ecn zealot" is someone who wants firewalls to work correctly? someone 
who wants idiots to stop blocking all icmp a "pmtud zealot"?

> But is this really true?  If I read the RFC correctly, you need *routers*
> that use ECN to indicate congestion instead of packet drops.

anything along the path can *indicate* congestion, but it's up to the 
*endpoints* to *respond* to the ECN indication and mitigate their flows.

read rfc3168, paying close attention to 6.1.2 and 6.1.3.

-Dan





Re: Smallest Transit MTU

2004-12-29 Thread Dan Hollis

On Wed, 29 Dec 2004, Florian Weimer wrote:
> * Dan Hollis:
> > On Wed, 29 Dec 2004, Jerry Pasker wrote:
> >> Is there an RFC that clearly states: "The internet needs to transit 
> >> 1500 byte packets without fragmentation."??
> > Actually the bigger problem imo is the number of sites which block ECN
> > http://urchin.earth.li/ecn/
> Why is this a problem?  ECN has to be deployed on routers, and it
> currently isn't.

Because tcp connection endpoints have to implement ECN in order to manage 
the flow.

Many OSes (Linux/bsd/aix/solaris/etc) support ECN but due to the large 
number of braindamaged firewalls out there (http://urchin.earth.li/ecn/), 
it defaults to off.

Any host which tries to negotiate ECN in a tcp connection will run into 
lots of problems as millions of idiotic firewalls drop the packets on the 
floor. Quite often the same firewalls which drop 69/8 on the floor.

It's sad because ECN is quite useful. Though the damage by clueless
network admins blocking 69/8 is worse.

> Cisco seems to offer it on some platforms, but their implementation
> provides a strong incentive to constantly set the ECN flags in a
> certain way, to push the packets into a different QoS class.
> (This is from memory, and it might have been corrected.)

http://www.icir.org/floyd/ecn.html

-Dan
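A toy model of the ECN behaviour argued about in this post and the one above it (the SYN-time ECE/CWR negotiation, a router marking CE instead of dropping, the receiver echo and sender reaction of RFC 3168 sections 6.1.3 and 6.1.2, and a firewall that silently drops ECN-setup SYNs). It is added here as illustration and is not code from the thread; the fall-back-to-plain-SYN policy and the loss reaction for the non-ECN path are simplifying assumptions, not any particular stack's behaviour.

```python
"""Toy model of RFC 3168 ECN: SYN-time negotiation (ECE/CWR), router CE
marking, receiver echo (6.1.3) and sender reaction (6.1.2). Constructed
example, not real stack code; fallback and loss-reaction policy are assumptions."""
from dataclasses import dataclass


@dataclass
class Segment:
    seq: int = 0
    syn: bool = False
    ack: bool = False
    ece: bool = False  # TCP ECN-Echo flag
    cwr: bool = False  # TCP Congestion Window Reduced flag
    ect: bool = False  # IP ECT codepoint: "endpoint understands ECN"
    ce: bool = False   # IP CE codepoint: "a router saw congestion"


def responder(syn):
    """Passive opener: grants ECN only for an ECN-setup SYN (ECE=1 and CWR=1)."""
    return Segment(syn=True, ack=True, ece=syn.ece and syn.cwr)


def broken_firewall(seg):
    """Firewall that silently drops any SYN carrying ECE/CWR: the 'IWF' case."""
    return None if seg.syn and (seg.ece or seg.cwr) else seg


def negotiate(firewall=lambda s: s):
    """Active opener: ECN-setup SYN first; if it vanishes, retry without the
    ECN bits (assumed policy). Returns (connected, ecn_enabled, syns_sent)."""
    for sent, seg in enumerate([Segment(syn=True, ece=True, cwr=True),
                                Segment(syn=True)], start=1):
        delivered = firewall(seg)
        if delivered is not None:
            return True, responder(delivered).ece, sent
    return False, False, sent


def router(seg, congested):
    """Congested router: marks CE on ECT packets, drops non-ECT ones."""
    if not congested:
        return seg
    if not seg.ect:
        return None
    seg.ce = True
    return seg


class Receiver:
    """6.1.3: after a CE packet, set ECE on every ACK until a CWR packet arrives."""
    def __init__(self):
        self.echo = False

    def ack(self, seg):
        self.echo = (self.echo and not seg.cwr) or seg.ce
        return Segment(seq=seg.seq, ack=True, ece=self.echo)


class Sender:
    """6.1.2: on ECE, halve cwnd at most once per window and set CWR on the
    next new data segment."""
    def __init__(self, cwnd, ecn):
        self.cwnd, self.ecn, self.cwr_next = cwnd, ecn, False
        self.reduce_mark = 0  # ECE on ACKs for data sent before this seq is stale

    def on_ack(self, a, snd_nxt):
        if a.ece and a.seq >= self.reduce_mark:
            self.cwnd, self.cwr_next = max(2.0, self.cwnd / 2), True
            self.reduce_mark = snd_nxt
            return True
        return False


def run_transfer(ecn_enabled, congested_rounds, rounds=4, cwnd0=8):
    """Drive `rounds` RTTs through one congested hop. Returns per-round cwnd and
    counts of CE marks, CWR signals and drops: with ECN the congestion signal
    is carried by marks, without it every signal costs a dropped packet."""
    snd, rcv, nxt = Sender(float(cwnd0), ecn_enabled), Receiver(), 0
    out = {"cwnd": [], "ce_marks": 0, "cwr_sent": 0, "drops": 0}
    for r in range(rounds):
        out["cwnd"].append(int(snd.cwnd))
        acks, lost, reduced = [], False, False
        for _ in range(int(snd.cwnd)):
            seg = Segment(seq=nxt, ect=snd.ecn, cwr=snd.cwr_next)
            out["cwr_sent"] += snd.cwr_next
            snd.cwr_next, nxt = False, nxt + 1
            seg = router(seg, r in congested_rounds)
            if seg is None:
                out["drops"], lost = out["drops"] + 1, True
                continue
            out["ce_marks"] += seg.ce
            acks.append(rcv.ack(seg))
        for a in acks:
            reduced = snd.on_ack(a, nxt) or reduced
        if lost:               # classic loss reaction (assumed: halve once per round)
            snd.cwnd = max(2.0, snd.cwnd / 2)
        elif not reduced:      # congestion avoidance: +1 segment per RTT
            snd.cwnd += 1
    return out
```

Running `run_transfer(True, {1})` and `run_transfer(False, {1})` gives the same cwnd trajectory, but the ECN flow sees 9 CE marks and no drops while the non-ECN flow loses 9 packets to get the same signal; `negotiate(broken_firewall)` connects only after the fallback SYN, with ECN off.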



Re: Smallest Transit MTU

2004-12-29 Thread Dan Hollis

On Wed, 29 Dec 2004, Jerry Pasker wrote:
> Is there an RFC that clearly states: "The internet needs to transit 
> 1500 byte packets without fragmentation."??

Actually the bigger problem imo is the number of sites which block ECN
http://urchin.earth.li/ecn/

Even worse are the networks which incorrectly block the new allocations eg 
69.0.0.0/8 - http://not69box.atlantic.net/ - the list is worryingly large.

-Dan



Re: Sanity worm defaces websites using php bug

2004-12-21 Thread Dan Hollis

On Tue, 21 Dec 2004, Fergie (Paul Ferguson) wrote:
> These people don't waste much time when a new exploit
> found, do they? Geez.
>  http://isc.sans.org/diary.php?date=2004-12-21

It's exploiting a bug in old versions of phpbb, it's not using the recent 
php exploit.

-Dan



ddos?

2004-12-08 Thread Dan Hollis

Anyone aware of ddos affecting savvis, level3, or qwest at the moment?

-Dan



Re: Unflattering comments about ISPs and DDOS

2004-12-06 Thread Dan Hollis

On Mon, 6 Dec 2004, Rich Kulawiec wrote:
>   "Based on my conversations last week, Comcast's network engineers
>   would like to be more aggressive. But the marketing department
>   shot down a ban on port 25 because of its circa $58 million price
>   tag--so high partially because some subscribers would have to be
>   told how to reconfigure their mail programs to point at Comcast's
>   servers, and each phone call to the help desk costs $9."

That's quite ok, if they're unwilling to filter port 25 on their end, we 
are more than happy to filter port 25 on our end. Many have already done 
this.

-Dan



Re: [OT] Re: Banned on NANOG

2004-12-04 Thread Dan Hollis

On Sat, 4 Dec 2004, Richard Irving wrote:
>   It seems controversial subjects may trigger
> suppres^suspension of speech.   :P
> 
> Dissing Bush backed agendas appear to be one of the triggers.
> (See current Doonesbury, this is not a limited trend, BTW  ;)

Indeed, my last "ban" was from a perfectly on-topic posting in an on-topic 
thread, with a single sentence buried inside it that was less than 
praising the b*sh adm*nistration.

Glad to know I'm not the only one who noticed this.

-Dan



Re: yahoo abuse contact please

2004-10-12 Thread Dan Hollis

On Tue, 12 Oct 2004, Gadi Evron wrote:
> Give the guy a break, finding an abuse contact for Yahoo! is easy, 
> however, I doubt there are many sites that are as oblivious towards 
> abuse of its services and abuse reports as Yahoo!
> Yahoo! seems to have made a choice to go with functionality, period. 
> Even when it doesn't collide with security.
> Good luck finding a caring contact there.

there is an rbl listing all yahoo space (and all their subsidiaries), 
operated by an ex-yahoo abuse employee. tells you something.

for most of us, yahoo is block-on-sight.

-Dan



Re: BCP38 making it work, solving problems

2004-10-10 Thread Dan Hollis

On Mon, 11 Oct 2004, Fergie (Paul Ferguson) wrote:
> I wrote it, I stand beside it. I'm sick of hearing why people
> haven't implemented it yet -- it's almost five years later
> and there's simply no excuse. It's sickening.

it's cheaper to ignore bcp38 than to implement it.

operators are reactive to abuse, not proactive. though this is slowly 
changing as abuse becomes a significant % of network traffic.

-Dan



Re: APNIC Privacy of customer assignment records - implementation update

2004-09-23 Thread Dan Hollis

On Thu, 23 Sep 2004, Patrick W Gilmore wrote:
> But that will also depend on how APNIC responds to problems.  If 
> Network X has a customer who is a problem, and we can't find out 
> customer's name / e-mail / whatever, then Network X better be 
> responsive.  If not, then APNIC better be responsive.

I guess the thinking is that apnic address space is so widely nullrouted
already, so things cant get any worse.

-Dan



Re: Verisign vs. ICANN

2004-09-10 Thread Dan Hollis

On Fri, 10 Sep 2004, Joe Rhett wrote:
> > On Fri, 10 Sep 2004, Joe Rhett wrote:
> > > In short, if you want to make money selling your patent to someone then you
> > > must have a valid business that loses money so that your lawsuit against
> > > them will have teeth.
> On Fri, Sep 10, 2004 at 12:46:07AM -0700, Dan Hollis wrote:
> > So the attorney creates an IP holding company to which the patent is 
> > assigned, and the company offers to license the patent to Verisign. 
> > When Verisign refuses, they get sued for lost revenue.
> The holding company must be making money from the patent to demonstrate the 
> value of the loss.  It can't be a silent owner -- these have been fairly
> routinely tossed out of court as meritless.

Do you have an example of such a case?

-Dan



Re: Verisign vs. ICANN

2004-09-10 Thread Dan Hollis

On Fri, 10 Sep 2004, Joe Rhett wrote:
> On Thu, Sep 09, 2004 at 04:01:46PM -0700, Dan Hollis wrote:
> > If the patent is strong enough, wouldnt some patent attorney be willing to 
> > defend it on a contingency basis?
> > With the potential $$ in a patent violation judgement against verisign, I 
> > would think attorneys would be all over it.
> Patent violation can be easily gathered, but the penalty is always based on
> the lost revenue, which must be documented and validated.
> In short, if you want to make money selling your patent to someone then you
> must have a valid business that loses money so that your lawsuit against
> them will have teeth.

So the attorney creates an IP holding company to which the patent is 
assigned, and the company offers to license the patent to Verisign. 
When Verisign refuses, they get sued for lost revenue.

There are companies whose entire revenue stream revolves around licensing 
patents / litigating. This is quite normal.

-Dan



Re: Verisign vs. ICANN

2004-09-09 Thread Dan Hollis

On Fri, 10 Sep 2004, Matthew Sullivan wrote:
> Dan Hollis wrote:
> >On Mon, 16 Aug 2004, Andre Oppermann wrote:
> >>PS: I will patent it myself to prevent Versign from doing this.
> >Wouldnt it be beautiful if a bunch of people patented the hell out of 
> >various ways to exploit dns wildcarding, thus preventing verisign from 
> >doing anything useful with it at all...
> It would only be useful if those people were also in a position to 
> vigorously defend said patents when (and if) they were infringed.
> / Mat

If the patent is strong enough, wouldn't some patent attorney be willing to 
defend it on a contingency basis?

With the potential $$ in a patent violation judgement against verisign, I 
would think attorneys would be all over it.

-Dan



Re: Senator Diane Feinstein Wants to know about the Benefits of P2P

2004-08-30 Thread Dan Hollis

On Mon, 30 Aug 2004, james edwards wrote:
> > Not true.  For those of us who host Akamai servers, we could download SP2
> > with no problems.  We did not need P2P, or MSDN.  In fact, I would be very
> > reluctant to trust a Windows update downloaded via P2P.
> Have you heard of MD5 sum ?

yep md5 made the news recently because it's been cracked:

http://techrepublic.com.com/5100-22-5314533.html
http://www.rtfm.com/movabletype/archives/2004_08.html#001055

-Dan



Re: Senator Diane Feinstein Wants to know about the Benefits of P2P

2004-08-30 Thread Dan Hollis

On Mon, 30 Aug 2004, Petri Helenius wrote:
> Byron L. Hicks wrote:
> >Not true.  For those of us who host Akamai servers, we could download SP2
> >with no problems.  We did not need P2P, or MSDN.  In fact, I would be very
> >reluctant to trust a Windows update downloaded via P2P.
> How is the p2p checksum different from any other checksum on the file?

the cynic in me says that the senator is looking for our arguments in 
favor of p2p, so that she knows exactly how to argue against us and 
exactly how to write a bill to hurt us the most.

recall that feinstein is one of the loudest anti-p2p legislators.

i am not sure anyone should be helping her.

-Dan



Re: Verisign vs. ICANN

2004-08-16 Thread Dan Hollis

On Mon, 16 Aug 2004, Andre Oppermann wrote:
> PS: I will patent it myself to prevent Versign from doing this.

Wouldn't it be beautiful if a bunch of people patented the hell out of 
various ways to exploit dns wildcarding, thus preventing verisign from 
doing anything useful with it at all...

-Dan



Re: low-latency bandwidth for cheap?

2004-08-06 Thread Dan Hollis

On Fri, 6 Aug 2004, Arnold Nipper wrote:
> On 06.08.2004 15:10 Sam Stickland wrote:
> > I hear a lot of ISPs in the states are turning on interleaving by default 
> > these days, while in the UK I've never actually encountered it. Some ADSL 
> > modems have an option to disable it also.
> Here in Germany interleaving is default. You may order "FastPath" as
> additional "service" (~ 1.5$ extra). Mostly gamers want to have FastPath
> enabled to cut down RTT.

If you want low-latency you don't use ADSL.

My SDSL connection:

rtt min/avg/max/mdev = 2.454/2.544/6.587/0.187 ms

-Dan




Re: Reporting the state of an apparatus to a remote computer patented

2004-08-04 Thread Dan Hollis

On Wed, 4 Aug 2004, Scott Whyte wrote:
> http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PALL&p=1&u=/netahtml/srchnum.htm&r=1&f=G&l=50&s1=6,757,714.WKU.&OS=PN/6,757,714&RS=PN/6,757,714

Would avoiding use of XML be enough to circumvent this?

-Dan



Re: sms messaging without a net?

2004-08-03 Thread Dan Hollis

On Tue, 3 Aug 2004, Stephen J. Wilcox wrote:
> One thing to watch.. these can be temperamental and liable to be disconnected 
> without warning (or perhaps thats just here in the uk!)

This is exactly what happened with AT&T. They shut down their TAP gateway 
without warning, much to the surprise of many.

-Dan



sms messaging without a net?

2004-08-03 Thread Dan Hollis

Does anyone know of a way to send SMS messages without an internet 
connection?

Having a network monitoring system send SMS pages via email very quickly 
runs into a chicken-and-egg scenario. How do you email a page to let the 
admins know their net has gone down. :-P

AT&T shut down their TAP dialup late last year.

The only method that comes to mind is to buy a GSM modem which has SMS 
messaging capability.

Has anyone done this?

-Dan
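The GSM-modem route asked about above, as an added example that is not part of the original post or of any product it mentions. It drives the modem with the standard text-mode SMS commands (AT+CMGF=1 to select text mode, AT+CMGS="number" to get the "> " prompt, message text terminated by Ctrl-Z) over any pyserial-like object that offers write() and readline(); a real deployment would pass something like serial.Serial("/dev/ttyUSB0", 115200, timeout=5) (device path and speed are assumptions). So that it runs offline, the block includes a constructed FakeModem that answers those commands; it is a stand-in, not modem firmware. The point for a monitoring box is that nothing here touches IP: the only dependency is the serial line and the carrier's radio network.

```python
import re

CTRL_Z = b"\x1a"                                  # terminates the message body
E164 = re.compile(r"^\+[1-9]\d{6,14}$")          # international number format


def _read_until(port, terminators, max_reads=50):
    """Collect non-blank response lines until one starts with a terminator."""
    lines = []
    for _ in range(max_reads):
        raw = port.readline()
        if raw == b"":                            # pyserial returns b"" on timeout
            raise TimeoutError("no response from modem, got %r" % lines)
        line = raw.strip()
        if not line:
            continue
        lines.append(line)
        if line.startswith(terminators):
            return lines
    raise RuntimeError("modem kept talking: %r" % lines)


def _command(port, cmd):
    """Send one AT command and insist on a final OK."""
    port.write(cmd.encode("ascii") + b"\r")
    lines = _read_until(port, (b"OK", b"ERROR", b"+CMS ERROR", b"+CME ERROR"))
    if lines[-1] != b"OK":
        raise RuntimeError("%s failed: %s" % (cmd, lines[-1].decode("ascii", "replace")))
    return lines


def _wait_prompt(port, max_reads=5):
    """After AT+CMGS the modem prints '> ' (no newline) and waits for the body."""
    for _ in range(max_reads):
        raw = port.readline()
        if raw.lstrip().startswith(b">"):
            return
        if raw == b"" or raw.strip().startswith((b"ERROR", b"+CMS ERROR")):
            break
    raise RuntimeError("no send prompt from modem")


def send_sms(port, number, text):
    """Send one text-mode SMS; returns the message reference the modem assigns."""
    if not E164.match(number):
        raise ValueError("destination must be E.164, e.g. +15551234567")
    if len(text) > 160 or not text.isascii():
        raise ValueError("text mode here: 7-bit ASCII, at most 160 characters")
    _command(port, "AT")                          # is anything listening?
    _command(port, "ATE0")                        # no command echo, simpler parsing
    _command(port, "AT+CMGF=1")                   # text mode rather than PDU mode
    port.write(('AT+CMGS="%s"\r' % number).encode("ascii"))
    _wait_prompt(port)
    port.write(text.encode("ascii") + CTRL_Z)     # Ctrl-Z submits (Esc would abort)
    lines = _read_until(port, (b"OK", b"ERROR", b"+CMS ERROR"))
    m = re.search(rb"\+CMGS:\s*(\d+)", b"\n".join(lines))
    if lines[-1] != b"OK" or m is None:
        raise RuntimeError("send rejected: %r" % lines)
    return int(m.group(1))


class FakeModem:
    """Constructed stand-in for the serial port so the example runs offline.
    It understands only the commands used above and is not a real modem."""

    def __init__(self):
        self._out = []                            # bytes queued for readline()
        self._text_mode = False
        self._awaiting_body = False
        self._number = None
        self.sent = []                            # (number, text) it "transmitted"

    def write(self, data):
        if self._awaiting_body:
            body, sep, _ = data.partition(CTRL_Z)
            if sep:
                self._awaiting_body = False
                self.sent.append((self._number, body.decode("ascii")))
                self._out += [b"\r\n", b"+CMGS: %d\r\n" % len(self.sent), b"\r\n", b"OK\r\n"]
            return
        cmd = data.strip().decode("ascii")
        if cmd in ("AT", "ATE0"):
            self._out += [b"\r\n", b"OK\r\n"]
        elif cmd == "AT+CMGF=1":
            self._text_mode = True
            self._out += [b"\r\n", b"OK\r\n"]
        elif cmd.startswith('AT+CMGS="') and cmd.endswith('"') and self._text_mode:
            self._number = cmd[9:-1]
            self._awaiting_body = True
            self._out.append(b"> ")
        else:
            self._out += [b"\r\n", b"ERROR\r\n"]  # e.g. AT+CMGS without text mode

    def readline(self):
        return self._out.pop(0) if self._out else b""
```

Usage from a monitoring script is send_sms(serial_port, "+15551234567", "NOC: core1 unreachable"); the returned reference is what the modem will quote in any later delivery report. Keep the modem on a host that has its own power and is not behind the network being monitored, or the chicken-and-egg problem simply moves one hop.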



Re: Spyware becomes increasingly malicious

2004-07-12 Thread Dan Hollis

On Mon, 12 Jul 2004, Richard A Steenbergen wrote:
> http://www.webhelper4u.com/CWS/cwsoriginial.html
> These folks? Looks like it's all Cogent. Surely someone has contacted 
> Cogent about this?

I'm sure someone has.

The real question should be, does cogent care?

http://www.spamhaus.org/sbl/listings.lasso?isp=cogentco.com

Magic 8-ball: "all signs point to no"



Re: (UPDATE) Can a Customer take their IP's with them? (Court says yes!)

2004-06-30 Thread Dan Hollis

On Wed, 30 Jun 2004, Sabri Berisha wrote:
> And then I'm not even taking into account the fact that the UCI/Pegasus
> is a well-known spammer (http://www.spews.org/html/S2649.html).

I imagine NAC is pretty tired of being RBL'd. Can't blame them for being 
eager to rid themselves of this pest.

The next provider who ends up with pegasus is going to regret it.

-Dan



Re: BGP list of phishing sites?

2004-06-29 Thread Dan Hollis

On Tue, 29 Jun 2004 [EMAIL PROTECTED] wrote:
> If they are notified that they are an 
> accessory to a crime and do not take any
> action, then doesn't this make the provider
> liable to criminal charges?

You would think it would. But who bothers to prosecute? No one.

> Did you really inform the provider's legal department of
> this fact or did you just send an email to some dumb droids in the 
> abuse department?

Yes and I was told they would not do anything unless they received a 
subpoena or law enforcement forced them to shut it down, and that if I 
wanted action I should talk to the police instead.

> Quite frankly, I don't consider messages to
> the complaints/abuse department to be "notice".
> How long does it take to find a head office
> fax number and draft up a legalistic looking
> "notice" document addressed to their legal 
> department?

Not long, but it's a waste of time because they won't do anything anyway.

The only way to get their attention is with blacklists.

-Dan



RE: Can a customer take IP's with them?

2004-06-29 Thread Dan Hollis

On Tue, 29 Jun 2004, Michel Py wrote:
> > william(at)elan.net
> > I've suspicions this maybe Pegasus Web Technologies (AS25653),
> Good catch William!

This pegasus? http://www.spews.org/html/S2649.html

-Dan



Re: BGP list of phishing sites?

2004-06-28 Thread Dan Hollis

On Mon, 28 Jun 2004, Patrick W Gilmore wrote:
> Unfortunately, I worry that this cure is worse than the disease.  
> Filtering IP addresses are not the right way to attack these sites - 
> the move too quickly and there is too much danger of collateral damage.

I think part of the point of this blacklist is similar to other 
blacklists. It makes providers remove their head from their ass and
actually start cleaning up their networks.

When a provider hosts a phishing site for _weeks on end_ and does 
_nothing_ despite being notified repeatedly, sometimes a blacklist is the 
only cluebat strong enough to get through the provider's thick skull.

-Dan



Re: Math 011 (Re: "Default" Points on your Internet "Re: Re: Re:")

2004-06-15 Thread Dan Hollis

On Tue, 15 Jun 2004, Edward B. Dreger wrote:
> (You'd not believe how many network admins were on vacation...)

Some tier1's have entire staffs permanently on vacation

-Dan



RE: IT security people sleep well

2004-06-07 Thread Dan Hollis

On Mon, 7 Jun 2004, Michel Py wrote:
> > Henning Brauer wrote:
> > not seeing the problem with cleartext telnet for remote
> > logins in 2004, wether ACL'd or not, is just ... oh man,
> > I don't have words for this.
> I have: I encourage my competitors to do it.

Now you see the motivation behind a lot of the (bogus) responses on nanog 
:-)

-Dan



Re: Barracuda Networks Spam Firewall

2004-05-19 Thread Dan Hollis

On Thu, 20 May 2004, Stephen J. Wilcox wrote:
> On Wed, 19 May 2004, Richard Cox wrote:
> > While this is verging off our remit here, I would clarify the point
> > originally made, which is that if a URL - that is, a URL cited in the
> > body of a message - points to an IP physically located in China, then
> > that signals a high probability of the message being spam.
> Altho this is probably not true if you're one of the billion or so people who 
> live in or around China or are of Chinese origin.. 

Actually mainland chinese non-spammers seem to prefer offshore hosting eg 
hk, taiwan, japan or north america.

I guess all the mainland chinese webhosting is all taken up by spam 
operators or something.

-Dan



Re: Barracuda Networks Spam Firewall

2004-05-19 Thread Dan Hollis

On Wed, 19 May 2004, James Couzens wrote:
> On Tue, 2004-05-18 at 21:49, Eric A. Hall wrote:
> > There's one rule that will wipe out ~90% of spam, but nobody seems to have
> > written it yet.
> >   if URL IP addr is in China then score=100
> I beg to differ Eric A. Hall.  

No Eric is quite correct. Read what he wrote again. Carefully.

-Dan



Re: Winstar says there is no TCP/BGP vulnerability

2004-04-22 Thread Dan Hollis

Is there any way to move BGP completely out-of-band?

I know multihop may be out of the question but maybe someone should write 
up a proposal for PTP links. :-)

-Dan



Re: Ad blocking with squid

2004-04-21 Thread Dan Hollis

On Wed, 21 Apr 2004 [EMAIL PROTECTED] wrote:
> On Mon, Apr 19, 2004 at 04:33:49PM -0400, Paul Khavkine wrote:
> > Anyone doing ad blocking with Squid cache engine out there ?
> This is what I've been using with Squid:
> http://adzapper.sourceforge.net/

Adzapper works very well, and is highly configurable.

-Dan



Re: Winstar says there is no TCP/BGP vulnerability

2004-04-21 Thread Dan Hollis

On Tue, 20 Apr 2004, Rodney Joffe wrote:
> The only network engineer who may NOT have been aware of the building
> BGP vulnerability issue over the last week has to be the engineer who is
> currently on his annual vacation in Mauritius, and who refuses to take
> his Blackberry, Palm, or Satellite phone with him.

Wouldn't anti-spoofing filters largely eliminate the need for all this 
panic about MD5?

-Dan



Re: Ordering Windows Security Update CD (was Re: Microsoft XP SP2)

2004-04-20 Thread Dan Hollis

On Tue, 20 Apr 2004, Sean Donelan wrote:
> I do not know if Microsoft plans to refresh the CD, or make it available
> through other channels.

Bittorrent? :-)

Does anyone have a BT iso of these CDs btw? I can't imagine microsoft 
objecting to its distribution...

-Dan



Re: TCP RST attack (the cause of all that MD5-o-rama)

2004-04-20 Thread Dan Hollis

On Tue, 20 Apr 2004, Crist Clark wrote:
> But it has limited effectiveness for multi-hop sessions. There is the
> appeal of a solution that does not depend of the physical layout of the
> BGP peers.

Does MD5 open the door to cpu DOS attacks on routers though? Eg can 
someone craft a DOS attack to take out the CPU on a router by forcing it 
to MD5 authenticate torrents of junk packets, using less bandwidth than 
it would take to DOS the links themselves?

As has been pointed out, a blind attacker needs to guess the source port as 
well, which would seem to multiply the search space blind attackers need 
to hit (the tcpsecure paper states as much - "assuming the attacker can
accurately guess both ports")

Are such attacks still practical in that light?

-Dan
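The two questions in the post above, as an added example that is not part of the thread: what a router must compute for every segment carrying the TCP MD5 signature option (RFC 2385: MD5 over the IPv4 pseudo-header, the fixed TCP header with the checksum zeroed, the data, and then the shared key), which is the per-packet cost a junk-packet flood would impose, and how large the blind RST search space is once the attacker has to guess the client's source port as well as a sequence number inside the receive window. Addresses, ports, window and key below are constructed values.

```python
import hashlib
import hmac
import ipaddress
import struct

FLAG_RST = 0x04
FLAG_ACK = 0x10


def build_tcp_header(sport, dport, seq, ack, flags, window):
    """Fixed 20-byte TCP header, no options, checksum left at zero."""
    offset_flags = (5 << 12) | (flags & 0x1FF)   # data offset 5 words
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, window, 0, 0)


def tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, key):
    """RFC 2385 TCP MD5 option (kind 19) digest. Hashed in this order:
    pseudo-header, fixed TCP header (options excluded, checksum zero),
    segment data, and finally the connection key."""
    if len(tcp_header) < 20:
        raise ValueError("TCP header must be at least 20 bytes")
    fixed = bytearray(tcp_header[:20])
    fixed[16:18] = b"\x00\x00"                    # checksum field zeroed
    seg_len = len(tcp_header) + len(payload)      # options still count here
    pseudo = (ipaddress.IPv4Address(src_ip).packed
              + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, 6, seg_len))   # zero, proto TCP, length
    h = hashlib.md5()
    for chunk in (pseudo, bytes(fixed), payload, key):
        h.update(chunk)
    return h.digest()


def segment_authentic(src_ip, dst_ip, tcp_header, payload, key, received_digest):
    """What the receiver does before acting on a segment: recompute the
    digest and compare in constant time. A forged RST therefore costs the
    router exactly one MD5 over the segment before it is thrown away."""
    expected = tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, key)
    return hmac.compare_digest(expected, received_digest)


def blind_rst_packets(window, src_port_candidates=1, seq_space=2 ** 32):
    """Worst-case RSTs a blind attacker sends when both IPs and port 179 are
    known: one per receive window, per candidate client port."""
    seq_guesses = -(-seq_space // window)         # ceiling division
    return seq_guesses * src_port_candidates


def blind_rst_seconds(window, src_port_candidates, pps):
    """Time to exhaust the search space at a given packet rate."""
    return blind_rst_packets(window, src_port_candidates) / pps


if __name__ == "__main__":
    # Constructed session: client 192.0.2.1:41234 -> peer 192.0.2.2:179, window 16384.
    hdr = build_tcp_header(41234, 179, 0x11223344, 0x55667788, FLAG_RST | FLAG_ACK, 16384)
    sig = tcp_md5_digest("192.0.2.1", "192.0.2.2", hdr, b"", b"s3cret")
    print("digest", sig.hex())
    print("port known   :", blind_rst_packets(16384), "packets")
    print("port unknown :", blind_rst_packets(16384, 64512), "packets")
    print("at 1 Mpps    :", blind_rst_seconds(16384, 64512, 1_000_000), "seconds")
```

With a 16 KiB window and the port known the attacker needs about 262k packets, a fraction of a second at line rate; having to cover the ephemeral port range (here 1024 to 65535, 64512 candidates) multiplies that by four and a half orders of magnitude, which is why a fixed or predictable client port matters as much as the window size. The MD5 option does not reduce the packet count, it only makes each guess fail closed at the cost of one hash.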



Re: TCP RST attack (the cause of all that MD5-o-rama)

2004-04-20 Thread Dan Hollis

On Tue, 20 Apr 2004, Mike Tancsa wrote:
> http://www.uniras.gov.uk/vuls/2004/236929/index.htm

A huge round of applause for everyone not doing RPF and egress filtering 
where it is trivial to do so. You make everyone's job that little bit 
harder.

You know who you are.

-Dan



Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Dan Hollis

On Mon, 19 Apr 2004, Jeff Shultz, WIllamette Valley Internet wrote:
> ** Reply to message from Drew Weaver <[EMAIL PROTECTED]> on Mon,
> 19 Apr 2004 13:42:53 -0400
> > However, awhile ago we tried an idea of sending out E-Mail alerts to
> > our customers whenever a critical update of "Remote execution" or worse was
> > released. We found that most of our users were annoyed by this, a different
> > time we used a network sniffing tool to find a few dozen handfuls of your
> > average home Dial-Up users who were infected with various malicious agents
> > (I.e. Nimda, et cetera) and we actually contacted those users, to let them
> > know and again we were met with more hostility. 
> You definitely don't have our customers then.  Our usually appreciate
> being told that their systems are screwed up. 

He's right.

Most customers get defensive/hostile when you tell them there's something 
wrong with their system.

However I've encountered the same attitude with many NOCs when informing 
them they have open relays / smurf amps / owned servers. First they deny 
it - "you must be mistaken", then get defensive "what business is it of 
yours anyway?" or hostile "you can't possibly know that without having 
broken into our network, I'm calling the police" (yeah right, I need to 
break into your network in order to be smurfed by your broken routers.)

So this isn't unique to end users. It seems most people would rather 
discover problems themselves, and go into a sort of panic mode when 
informed by a third party. Many (including NOCs) aren't emotionally 
prepared to handle anything beyond "hit ctrl-alt-del".

I'm still looking for a good way to gently inform end users/nocs of 
problems without having them fly off the handle.

-Dan



Re: Automated Copyright Notice System

2004-04-19 Thread Dan Hollis

On Mon, 19 Apr 2004, Sean Donelan wrote:
> Someone coming up with tools to solve Paul's problems.  Anyone can send an
> XML formated notice to an ISP, and the user's Internet access is
> automatically restricted.  Spoofing?

I can't wait for the first viruses to start flooding bogus acns messages 
in order to make acns worthless.

Also expect spammers to start flooding forged acns messages in order to 
try to take down RBLs etc.

-Dan



Re: google.

2004-04-16 Thread Dan Hollis

On Fri, 16 Apr 2004, Micah McNelly wrote:
> is anyone having google reachability issues?

We noticed for a while today that google was unreachable by any path 
except sprint. Seems ok now though.

-Dan



Re: Abuse mail boxese (was Re: Lazy network operators)

2004-04-12 Thread Dan Hollis

On Mon, 12 Apr 2004, Richard Cox wrote:
> Nothing even close to that can be said of NTL.  Unfortunately.

NTL put their head in the sand in the hopes their spam problem will go 
away. Unfortunately for NTL what will end up happening is NTL mail will go 
away, into global RBLs and thousands of private block lists.

-Dan



Re: Packet anonymity is the problem?

2004-04-10 Thread Dan Hollis

On Sat, 10 Apr 2004, Todd Vierling wrote:
> Of course, the still high number of bogon routes illustrate that very few
> folks (if any) really care.

Worse; the registries make it trivial to steal registrations and  
assignments, but nigh impossible to get them back to the rightful owners.

-Dan



Re: Lazy network operators

2004-04-10 Thread Dan Hollis

On Sat, 10 Apr 2004, Sean Donelan wrote:
> Should anonymous use of the Internet be eliminated so all forms
> of abuse can be tracked and dealt with?

As long as there are tier1's who allow abuse as long as the checks don't 
bounce, this will have zero effect.

exodus for example had a hands off policy, dont do a single thing until 
law enforcement arrives with a search warrant.

looks like yahoo has adopted a similar policy.

-Dan



Re: Anti-Spam Router -- opinions?

2004-04-06 Thread Dan Hollis

On Tue, 6 Apr 2004, Petri Helenius wrote:
> Dan Hollis wrote:
> >On Tue, 6 Apr 2004 [EMAIL PROTECTED] wrote:
> >>If you rate-limit 2 million compromised machines to 20 msgs/day each,
> >>there's only  400 million spams.  Total.
> >this implies network operators will suddenly find a clue, something which 
> >will never happen. ever.
> Clue is generally available in exchange of money. However it requires a 
> seed of foresight or clue to hire more in. Or a business neccessity and 
> a strike of luck. Clue only pays in the long run, so todays 
> quarter-capitalism does not promote clue.

So we need to make it expensive to avoid clue.

-Dan



Re: Anti-Spam Router -- opinions?

2004-04-06 Thread Dan Hollis

On Tue, 6 Apr 2004 [EMAIL PROTECTED] wrote:
> If you rate-limit 2 million compromised machines to 20 msgs/day each,
> there's only  400 million spams.  Total.

this implies network operators will suddenly find a clue, something which 
will never happen. ever.

(well, they sometimes suddenly find clue when it is forced upon them, like 
say with a subpoena or search warrant.)

-Dan



Re: Anti-Spam Router -- opinions?

2004-04-05 Thread Dan Hollis

On 5 Apr 2004, Paul Vixie wrote:
> that's why greylisting has been so effective -- to combat it the 
> spammers would have to add the one thing they cannot afford: "state."  
> see http://www.rhyolite.com/dcc/ for how to get started.

why is 'state' so hard to afford? they already have a list of email 
addresses to spam, and they already have compromised boxes -- those are 
the big costs for spammers. another byte of state per email address is 
cheap (or if you are clever, a single bit stored in the email address 
itself, which doesn't cost you anything).

i see greylisting being effective only as long as it doesn't get widely 
deployed. as soon as greylisting starts having any impact on spammers, 
they'll start spooling -- and it is very cheap to do so. after all, just 
about everything on compromised boxes costs them nothing. and compromised
boxes are the source of 99.999% of all spam.

-Dan
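The greylisting mechanism being argued over above, as an added example that is not part of the thread: a receiver that temp-fails (451) the first delivery attempt for each (client IP, envelope sender, recipient) triple and accepts a retry that comes back after a minimum delay, run against two constructed senders. The fire-and-forget bot keeps no memory of what was rejected and delivers nothing; the bot that spools its temp-failed recipients and retries, which is all the "state" in question amounts to, delivers everything at the cost of one extra attempt per recipient. The 300-second delay, addresses and clock are assumptions chosen for the demonstration.

```python
import time


class Greylister:
    """Minimal greylisting policy for an MTA's RCPT stage.

    First sight of a (client IP, sender, recipient) triple gets 451 (try
    again later); a retry at least min_delay seconds after first sight gets
    250. `now` is injectable so the behaviour can be exercised offline."""

    def __init__(self, min_delay=300, now=time.time):
        self.min_delay = min_delay
        self.now = now
        self.first_seen = {}

    def decide(self, client_ip, sender, rcpt):
        key = (client_ip, sender, rcpt)
        t = self.now()
        first = self.first_seen.get(key)
        if first is None:
            self.first_seen[key] = t
            return 451
        if t - first < self.min_delay:
            return 451                        # retried too soon, still 451
        return 250


class FakeClock:
    """Constructed clock so the retry delays need not actually elapse."""

    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def run_stateless(gl, client_ip, sender, targets):
    """Fire-and-forget bot: one attempt per recipient, failures forgotten.
    Returns the number of recipients actually delivered to."""
    return sum(1 for r in targets if gl.decide(client_ip, sender, r) == 250)


def run_spooling(gl, clock, client_ip, sender, targets, retry_after):
    """Bot (or any real MTA) that queues temp-failed recipients and retries
    them after retry_after seconds. Returns (delivered, total_attempts)."""
    queue = list(targets)
    delivered = attempts = 0
    while queue:
        still_pending = []
        for r in queue:
            attempts += 1
            if gl.decide(client_ip, sender, r) == 250:
                delivered += 1
            else:
                still_pending.append(r)
        queue = still_pending
        if queue:
            clock.advance(retry_after)        # wait, then work the queue again
    return delivered, attempts


def demo(retry_after=300):
    """Both senders against identical greylisters; constructed addresses."""
    targets = ["a@example.net", "b@example.net", "c@example.net"]
    bot_ip, bot_sender = "203.0.113.9", "bot@example.org"
    clock1 = FakeClock()
    stateless = run_stateless(Greylister(300, now=clock1.now), bot_ip, bot_sender, targets)
    clock2 = FakeClock()
    spooling = run_spooling(Greylister(300, now=clock2.now), clock2,
                            bot_ip, bot_sender, targets, retry_after)
    return stateless, spooling
```

demo() returns (0, (3, 6)): the stateless bot delivers to nobody, the spooling one delivers to all three after exactly one retry round. Retrying before the delay has elapsed only costs the sender more attempts (demo(60) gives (0, (3, 18))), which is the whole economic argument: greylisting raises the price of the first delivery by one retry and some disk, nothing more.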



clueful yahoo abuse contact?

2004-03-26 Thread Dan Hollis

Does anyone have a clueful abuse admin contact at yahoo.com?

I have already tried the 'usual methods'. Eg picking up a phone and 
calling every publicly available number for yahoo I can find, and 
emailing [EMAIL PROTECTED] etc.

Attempts via phone result in being blown off, that unless we are a 
direct yahoo business partner or a customer of purchased yahoo services, 
they will not talk to me, and that I have to use 'the web' to report 
abuse originating from yahoo servers and yahoo owned+operated ip space.

Reports via 'the web' and email result in clueless (or auto-denybot) 
responses.

-Dan



Re: Compromised Hosts?

2004-03-21 Thread Dan Hollis

On Sun, 21 Mar 2004, Deepak Jain wrote:
>   Would any broadband providers that received automated, detailed 
> (time/date stamp, IP information) with hosts that are being used to 
> attack (say as part of a DDOS attack) actually do anything about it?

Most of them don't even do anything when you send them registered postal 
mail. Why would they do anything about automated email? They ignore 
regular manual emails, I imagine they would doubly ignore automated ones.

-Dan



Re: Spamhaus Exposed

2004-03-17 Thread Dan Hollis

On Wed, 17 Mar 2004, Steve Linford wrote:
>  From Deep Throat, received 17/3/04, 21:10 + (GMT):
> >  Disturbing information on one of the founders of Spamhaus.org
> >  http://www.geocities.com/jackjack9872004/
> Not just a load of BS, but posted to NANOG anonymously, through a 
> hijacked machine at 198.26.130.36 (The Pentagon) no less.

federal interest site. that's automatic prison time, isn't it?

i suspect the culprit could be prosecuted under PATRIOT, and sent away for 
quite a _long_ time...

-Dan



Re: Source address validation (was Re: UUNet Offer New Protection Against DDoS)

2004-03-07 Thread Dan Hollis

On Sun, 7 Mar 2004, Sean Donelan wrote:
> This confirms my statement.  You save nothing by deploying SAV on your
> network.

This isnt the point. The point is, why should others suffer the burden of
your clients spewing bogon/spoofed/nonsense garbage at them?

The effect is cumulative. If everyone takes this lazy apathetic approach 
to network administration, it hurts everyone.

It's the difference between being a good neighbor and being the fat 
beerbelly neighbor with dogs barking all night and rusting camaro with no 
tires up on cinderblocks on his beercan littered lawn.

Just because everyone else doesn't maintain a good network doesn't mean you 
shouldn't.

-Dan



Re: Source address validation (was Re: UUNet Offer New Protection

2004-03-06 Thread Dan Hollis

On 7 Mar 2004, Paul Vixie wrote:
> [EMAIL PROTECTED] (Sean Donelan) writes:
> > > Try saying that after running a major DDoS target, with "HIT ME" your
> > > forehead.  No offense Sean but I'd like you to back your claim up with
> > > some impirical data first.
> > Has the number of DDOS attacks increased or decreased in the last few
> > years has uRPF has become more widely deployed?
> the number of spoofed-source attacks is down only-slightly.

the % of spoofed and bogon traffic was measured recently at several of 
the root nameservers. iirc it was surprisingly high.

-Dan



Re: Source address validation (was Re: UUNet Offer New Protection Against DDoS)

2004-03-06 Thread Dan Hollis

On Sun, 7 Mar 2004, Paul Vixie wrote:
> don't be lulled into some kind of false sense of security by the fact
> that YOU are not seeing spoofed packets TODAY.  let's close the doors we
> CAN close, and give attackers fewer options.

sadly the prevailing thought seems to be 'we can't block every exploit so 
we will block none'. this (and others) are used as an excuse to not deploy 
urpf on edge interfaces facing singlehomed customers.

it's a fatalistic approach to dealing with network abuse, and it's retarded.

-Dan



Re: UUNet Offer New Protection Against DDoS

2004-03-05 Thread Dan Hollis

On Fri, 5 Mar 2004, Christopher L. Morrow wrote:
> the packets as possible. Nebulous filtering and dropping of miniscule
> amounts of traffic in the core of a large network is just a waste of
> effort and false panacea.

uunet does operate lots of dialup RAS though correct? any reason why urpf 
is not reasonable there?

just because it's not perfect and doesn't solve every problem doesn't mean 
it's useless.

minuscule amounts of traffic in uunet's core is still enough to ddos many 
a victim into oblivion. anyone who has been ddos'd by uunet customers can 
appreciate that.

-Dan
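The check that the source address validation thread above (and the earlier "round of applause for everyone not doing RPF and egress filtering" post in the TCP RST thread) keeps asking for, as an added example that is not part of either thread. It simulates what a router does per packet under unicast RPF: look the source address up in the FIB and, in strict mode, drop unless the best route back to that source points out the interface the packet arrived on; in loose mode, drop only if there is no route at all or the route is a discard (null0) route. The FIB, interface names and packets are constructed and use RFC 5737 documentation space; the default route is included deliberately, because it shows why loose mode on an edge router with a default route checks very little.

```python
import ipaddress


class Fib:
    """Tiny longest-prefix-match forwarding table: prefix -> next-hop interface."""

    def __init__(self, routes):
        self.routes = sorted(((ipaddress.ip_network(p), iface) for p, iface in routes),
                             key=lambda r: r[0].prefixlen, reverse=True)

    def lookup(self, addr):
        a = ipaddress.ip_address(addr)
        for net, iface in self.routes:          # most specific first
            if a in net:
                return iface
        return None


def urpf_accept(fib, in_iface, src, mode="strict"):
    """Unicast RPF decision for one packet arriving on in_iface from src.

    strict: the route back to src must leave via in_iface. Right for
            single-homed customer, dialup and access interfaces.
    loose : any real (non-discard) route to src will do. Catches bogons
            only if they have no route or a null0 route; with a default
            route present it accepts almost anything."""
    out = fib.lookup(src)
    if out is None or out == "null0":
        return False
    if mode == "loose":
        return True
    return out == in_iface


def classify(fib, in_iface, sources, mode):
    """Verdict per source address, for a batch of packets seen on in_iface."""
    return [(src, "accept" if urpf_accept(fib, in_iface, src, mode) else "drop")
            for src in sources]


# Constructed access-router FIB (assumed interface names, documentation prefixes).
ROUTES = [
    ("192.0.2.0/24", "Dialer1"),        # dialup pool terminated on the RAS interface
    ("198.51.100.0/24", "Serial0"),     # a different customer on another interface
    ("203.0.113.0/24", "Ethernet0"),    # prefix reached via the upstream
    ("10.0.0.0/8", "null0"),            # bogon discard route
    ("0.0.0.0/0", "Ethernet0"),         # default toward the upstream
]

# Constructed packets seen arriving on the dialup interface.
DIALUP_SOURCES = [
    "192.0.2.77",      # the customer's own pool address
    "198.51.100.5",    # spoofed: belongs to Serial0's customer
    "203.0.113.7",     # spoofed: an address out on the Internet
    "172.16.1.1",      # spoofed: private space with no specific route
    "10.9.9.9",        # spoofed: bogon with a null0 route
]


def demo():
    fib = Fib(ROUTES)
    return {mode: classify(fib, "Dialer1", DIALUP_SOURCES, mode)
            for mode in ("strict", "loose")}
```

Strict mode on Dialer1 accepts only 192.0.2.77 and drops the four spoofed sources; loose mode drops only 10.9.9.9, because every other address matches the default route. That gap is the caveat behind "urpf on edge interfaces facing singlehomed customers": strict mode belongs on interfaces where the return path is unambiguous, and loose mode is only meaningful on a router carrying a full table with bogons null-routed.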



dealing with w32/bagle

2004-03-03 Thread Dan Hollis

I am curious how network operators are dealing with the latest w32/bagle 
variants which seem particularly evil.

Also, does anyone have tools for regexp and purging these mails from unix 
mailbox (not maildir) mailspool files? Eg purging these mails after the 
fact if they were delivered to user's mailboxes before your virus scanner 
got a database update.

-Dan
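One answer to the tooling question in the post above, as an added example that is not part of the post: a purge pass over a classic single-file mbox spool using the standard library's mailbox module, removing every message whose Subject or attachment filename matches a regexp, with a dry-run mode so the pattern can be checked before anything is deleted. The spool is locked for the duration, as any tool that rewrites a live mailbox must. The WORM_RE pattern is an illustrative assumption (typical worm attachment extensions and bare one-word subjects), not a vetted signature for any Bagle variant; the three sample messages are constructed in a temporary directory so the block runs offline.

```python
import mailbox
import os
import re
import tempfile
from email.message import EmailMessage

# Illustrative pattern, an assumption for the demo rather than a real signature:
# executable-ish attachment names, or the bare one-word subjects such mail carried.
WORM_RE = re.compile(r"(?i)(\.(exe|scr|pif|zip)$)|(^(re:\s*)?(hello|hi|thank you!?)$)")


def looks_like_worm(msg, pattern=WORM_RE):
    """True if the Subject or any MIME part's filename matches pattern."""
    if pattern.search(msg.get("Subject", "").strip()):
        return True
    for part in msg.walk():
        name = part.get_filename()
        if name and pattern.search(name.strip()):
            return True
    return False


def purge_mbox(path, pattern=WORM_RE, dry_run=False):
    """Delete matching messages from an mbox file in place.
    Returns (removed, kept); with dry_run=True it only counts."""
    mb = mailbox.mbox(path)
    mb.lock()                                  # dot-lock plus fcntl, like an MDA
    removed = kept = 0
    try:
        for key in list(mb.keys()):            # copy: we mutate while iterating
            if looks_like_worm(mb[key], pattern):
                removed += 1
                if not dry_run:
                    mb.remove(key)
            else:
                kept += 1
        if not dry_run:
            mb.flush()                         # rewrite the spool without them
    finally:
        mb.unlock()
        mb.close()
    return removed, kept


def build_sample_mbox(path):
    """Constructed test data: one legitimate mail and two worm-shaped ones."""
    legit = EmailMessage()
    legit["From"], legit["To"], legit["Subject"] = "alice@example.org", "ops@example.net", "Weekly report"
    legit.set_content("all quiet on the network")

    worm1 = EmailMessage()
    worm1["From"], worm1["To"], worm1["Subject"] = "bob@example.org", "ops@example.net", "Hello"
    worm1.set_content("see attachment")
    worm1.add_attachment(b"MZ\x90\x00", maintype="application",
                         subtype="octet-stream", filename="photo.zip")

    worm2 = EmailMessage()
    worm2["From"], worm2["To"], worm2["Subject"] = "carol@example.org", "ops@example.net", "Re: invoice"
    worm2.set_content("details inside")
    worm2.add_attachment(b"MZ\x90\x00", maintype="application",
                         subtype="octet-stream", filename="doc.exe")

    mb = mailbox.mbox(path)
    for m in (legit, worm1, worm2):
        mb.add(m)
    mb.flush()
    mb.close()


def demo():
    """Dry run first, then the real purge; returns what each pass reported
    and the subjects left in the spool."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "inbox")
        build_sample_mbox(path)
        preview = purge_mbox(path, dry_run=True)
        result = purge_mbox(path)
        left = [m["Subject"] for m in mailbox.mbox(path)]
    return preview, result, left
```

Against a real spool, run purge_mbox("/var/mail/user", dry_run=True) first and look at the counts; the same pattern applied to a Maildir would use mailbox.Maildir with the identical loop, since both expose keys(), remove() and flush().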



Re: [IP] VeriSign prepares to relaunch "Site Finder" -- calls

2004-02-24 Thread Dan Hollis

On Tue, 24 Feb 2004, Paul Vixie wrote:
> > Unlaterally forcing it upon everyone and breaking non www based apps is 
> > the wrong way to do it.
> if you have well founded views on this topic and you have not yet shared
> them with ICANN's SSAC, please do so.  see .

There is nothing I can say that hasn't already been said explicitly and 
clearly and multiple times already.

I can only speak as a network engineer, and Verisign has already made it 
abundantly clear they dismiss engineering views entirely, they see us as a 
bunch of whiny anti-business geeks with no grip on reality.

Does SSAC have any authority over what Verisign does? If SSAC recommends 
something contrary to Verisign's designs, what's stopping Verisign from 
going ahead and doing it anyway? My questions to SSAC are not what they're 
currently asking for input for (according to their page, they are only 
looking for security and stability input at the moment).

If you know the proper ICANN committee for these questions, I'm all ears.

-Dan



Re: [IP] VeriSign prepares to relaunch "Site Finder" -- calls

2004-02-24 Thread Dan Hollis

On Tue, 24 Feb 2004, Jason Nealis wrote:
> It's a module plug-in into bind and if you prefer to try and do this in a
> opt-in basis they have a client program that you download and it gets hooked
> into the users browser.

This is the right way to do it, end user opt in, and browser only.

Unilaterally forcing it upon everyone and breaking non www based apps is 
the wrong way to do it.

-Dan



Re: Any way to P-T-P Distribute the RBL lists?

2003-09-25 Thread Dan Hollis

On Thu, 25 Sep 2003, Jay Kline wrote:
> How about publishing a list of servers, but use the PGP web of trust model to
> allow updating of each other?  That way there is no centralized source.  If a
> group of admins dont like the updates coming from a server, dont trust it any
> longer. If you make this more like a social network, you dont have to have a
> central authority. 

exactly. to be immune from ddos you MUST remove any centralized source.

> The trick then will be to have as many different participants as possible,
> and to have each participant share who it thinks the other participants are
> (or explicitly are not).  Then if you take out one node, the others are not
> prevented from functioning.

the problem is that automated crawlers could amass a list of nodes to 
attack. i shy away from automated discovery.

-Dan
-- 
[-] Omae no subete no kichi wa ore no mono da. [-]



Re: Any way to P-T-P Distribute the RBL lists?

2003-09-25 Thread Dan Hollis

On Thu, 25 Sep 2003, Eric A. Hall wrote:
> on 9/25/2003 2:44 PM Aaron Dewell wrote:
> > So why couldn't you follow this plan without the VPN and anycast?
> Multiple anycast channels would make distributed attacks ineffective,
> since each source would be attacking its closest target.

script kiddies can easily amass zombie nets of several 10k's, widely 
distributed enough to kill an entire anycast system.

also, the individual anycast targets likely wouldn't be very happy when 
they do get ddosed.

this talk about architectures of static targets really has got to stop. 
start thinking outside the box, mmkay?

-Dan
-- 
[-] Omae no subete no kichi wa ore no mono da. [-]



Re: williams spamhaus blacklist

2003-09-24 Thread Dan Hollis

On Wed, 24 Sep 2003, Andy Walden wrote:
> On Wed, 24 Sep 2003, Leo Bicknell wrote:
> > Osama and his followers told us for years they didn't like what we
> > were doing, and then escalated by flying a plane into a building
> > to "get our attention".  That must have been ok by the same logic.
> Godwin's Law should probably be extended to September 11 references.

I was thinking exactly the same thing. 9/11 has become the rallying cry of 
those on the losing side of a debate.

-Dan
-- 
[-] Omae no subete no kichi wa ore no mono da. [-]



RE: Another DNS blacklist is taken down

2003-09-24 Thread Dan Hollis

On Wed, 24 Sep 2003 [EMAIL PROTECTED] wrote:
> Perhaps, but it also seems like moving an RBL onto a P2P network would
> making poisoning the RBL far too easy...

nope. updates will be crypto signed, thus poisoned updates will be dropped 
instantaneously.



Re: monkeys.dom UPL being DDOSed to death

2003-09-23 Thread Dan Hollis

On Tue, 23 Sep 2003, John Payne wrote:
> --On Tuesday, September 23, 2003 6:11 PM -0400 Kai Schlichting 
> <[EMAIL PROTECTED]> wrote:
> > - BGP anycast, ideally suited for such forwarding proxies.
> >   Anyone here feeling very adapt with BGP anycast (I don't) for
> >   the purpose of running such a service? This is a solution that
> >   has to be suggested and explained to some of the DNSBL operators.
> Anyone want to offer hardware, colo, bandwidth and a bgp session for a 
> dnsbl anycast solution?

they still make static targets for ddos, the only difference is there's 
a few more of them.

-Dan
-- 
[-] Omae no subete no kichi wa ore no mono da. [-]



Re: monkeys.dom UPL being DDOSed to death

2003-09-23 Thread Dan Hollis

On Wed, 24 Sep 2003, Petri Helenius wrote:
> Dan Hollis wrote:
> >china seems hellbent on becoming a LAN. i see the same thing eventually 
> >happening to networks which refuse to deal with their ddos sources.
> This invites the question if the hijacked PC or the hijacker in the 
> sunshine state is more guilty of the spam and ddos?

the operator hosting the hijacked PC is guilty if they are notified and 
refuse to take action. which seems to be all too common these days with 
universities and colocation companies.

-Dan
-- 
[-] Omae no subete no kichi wa ore no mono da. [-]



Re: monkeys.dom UPL being DDOSed to death

2003-09-23 Thread Dan Hollis

On Tue, 23 Sep 2003, Joe Abley wrote:
> If transit was uniformly denied to every operator who was not equipped 
> to deal with DDoS tracking in a timely manner, I think 90% of the 
> Internet would disappear immediately.

it gets worse. there are operators who *are* equipped, but refuse to deal 
not only with ddos tracking but with shutting off confirmed sources within 
their networks. the response is 'we will deal with it when we get a 
subpoena'.

-Dan
-- 
[-] Omae no subete no kichi wa ore no mono da. [-]



Re: monkeys.dom UPL being DDOSed to death

2003-09-23 Thread Dan Hollis

On Tue, 23 Sep 2003, Joe St Sauver wrote:
> There are absolutely *no* consequences to their security inactivity, and
> because of that, none of us should be surprised that the problem is 
> becoming a worsening one.

china seems hellbent on becoming a LAN. i see the same thing eventually 
happening to networks which refuse to deal with their ddos sources.

-Dan
-- 
[-] Omae no subete no kichi wa ore no mono da. [-]



Re: monkeys.dom UPL being DDOSed to death

2003-09-23 Thread Dan Hollis

On Tue, 23 Sep 2003, Raymond Dijkxhoorn wrote:
> After Osirusoft was shut down most likely Infinite-Monkeys are doing down 
> also ?? 

Anyone SERIOUSLY interested in designing a new PTP RBL system 100% immune 
to DDOS, please drop me a line.

By seriously, i mean those who actually want to solve the problem, not 
those who want to be whiny pedants.

-Dan
-- 
[-] Omae no subete no kichi wa ore no mono da. [-]



Re: Verisign Responds

2003-09-23 Thread Dan Hollis

On Tue, 23 Sep 2003 [EMAIL PROTECTED] wrote:
> > On Tue, 23 Sep 2003 [EMAIL PROTECTED] wrote:
> > > > On Mon, 22 Sep 2003, Dave Stewart wrote:
> > > > > Courts are likely to support the position that Verisign has control of .net 
> > > > > and .com and can do pretty much anything they want with it.
> > > > ISC has made root-delegation-only the default behaviour in the new bind, 
> > > > how about drafting up an RFC making it an absolute default requirement for 
> > > > all DNS?
> > >   That would be making a fundamental change to the DNS
> > >   to make wildcards illegal anywhere. Is that what you
> > >   want?
> > no it wouldnt. it would ust make wildcards illegal in top level domains, 
> > not subdomains.
>   really? and how would that work? (read be enforced...)

Well yes that's part of the problem. It looks like verisign doesn't care 
what anyone (ICANN, IAB, operators) thinks. But if we can mandate it via 
RFC for DNS software (servers, resolvers) etc., then we go a ways to 
removing verisign from the equation. Verisign can do what they like, 
everyone will just ignore their hijacking.

-Dan
-- 
[-] Omae no subete no kichi wa ore no mono da. [-]



Re: Verisign Responds

2003-09-23 Thread Dan Hollis

On Tue, 23 Sep 2003 [EMAIL PROTECTED] wrote:
> > On Mon, 22 Sep 2003, Dave Stewart wrote:
> > > Courts are likely to support the position that Verisign has control of .net 
> > > and .com and can do pretty much anything they want with it.
> > ISC has made root-delegation-only the default behaviour in the new bind, 
> > how about drafting up an RFC making it an absolute default requirement for 
> > all DNS?
>   That would be making a fundamental change to the DNS
>   to make wildcards illegal anywhere. Is that what you
>   want?

no it wouldn't. it would just make wildcards illegal in top level domains, 
not subdomains.

-Dan
-- 
[-] Omae no subete no kichi wa ore no mono da. [-]



Re: Verisign Responds

2003-09-22 Thread Dan Hollis

On Mon, 22 Sep 2003, Dave Stewart wrote:
> Courts are likely to support the position that Verisign has control of .net 
> and .com and can do pretty much anything they want with it.

ISC has made root-delegation-only the default behaviour in the new bind, 
how about drafting up an RFC making it an absolute default requirement for 
all DNS?

-Dan
-- 
[-] Omae no subete no kichi wa ore no mono da. [-]


