RE: Worms versus Bots

2004-05-04 Thread Eric Krichbaum

True, but this isn't just an XP issue.  Look at how many people are still
infected with Code Red/Nimda/Slammer/etc.  A Windows 2000 box doesn't
fare any better.  Heck, I still see Happy99.


Eric


-Original Message-
From: Buhrmaster, Gary [mailto:[EMAIL PROTECTED] 
Sent: Monday, May 03, 2004 11:28 PM
To: Eric Krichbaum; [EMAIL PROTECTED]
Subject: RE: Worms versus Bots

Microsoft has said Windows XP SP2 will have the firewall turned on by
default, and that they have "considered"
reissuing the installation CDs such that a new installation will have
the firewall enabled to deal with just this problem.  I do not know the
current state of the consideration, but to me it seems reasonable that
Microsoft should at least make the offer of a new CD (to anyone who has
a valid XP license key?)  No, many people will not request a new CD, but
then many people never apply patches either.  I think this is a horse
and water problem.

Gary 

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf 
> Of Eric Krichbaum
> Sent: Monday, May 03, 2004 8:13 PM
> To: [EMAIL PROTECTED]
> Subject: FW: Worms versus Bots
> 
> 
> I see times more typically in the 5 - 10 second range to infection.  
> As a test, I unprotected a machine this morning on a single T1 to get 
> a sample.  8 seconds.  If you can get in 20 minutes of downloads 
> you're luckier than most.
> 
> Eric
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf 
> Of william(at)elan.net
> Sent: Monday, May 03, 2004 11:49 PM
> To: Sean Donelan
> Cc: Rob Thomas; NANOG
> Subject: Re: Worms versus Bots
> 
> 
> On Mon, 3 May 2004, Sean Donelan wrote:
> 
> > On Mon, 3 May 2004, Rob Thomas wrote:
> > > ] Just because a machine has a bot/worm/virus that didn't come with a
> > > ] rootkit, doesn't mean that someone else hasn't had their way with it.
> > >
> > > Agreed.
> > 
> > Won't help.  What's the first thing people do after re-installing the
> > operating system (still have all the original CDs and keys and product
> > activation codes and and and)? Connect to the Internet to download the
> > patches. Time to download patches 60+ minutes.
> > Time to infection 5 minutes.
> 
> It's possible it's a problem on dialup, but in our ISP office I set up 
> new win2000 servers and the first thing I do is download all the patches. 
> I've yet to see the server get infected in the 20-30 minutes it takes 
> to finish it
> (Note: I also disable IIS just in case until everything is patched..).
> 
> Similarly when setting up computers for several of my relatives (all 
> have dsl) I've yet to see any infection before all updates are 
> installed.
> 
> Additional to that many users have dsl router or similar device and 
> many such beasts will provide NATed ip block and act like a firewall 
> not allowing outside servers to actually connect to your home 
> computer.
> On this point it would be really interesting to see what percentage of 
> users actually have these routers and if decreasing speed of 
> infections by new virus (are there real numbers to show it decreased?) 
> have anything to do with this rather than people being more careful 
> and using antivirus.
> 
> Another option if you're really afraid of infection is to set up a proxy 
> that only allows access to the microsoft ip block that contains windows 
> update servers.
> 
> And of course, there is an even BETTER OPTION than all the above - 
> STOP USING WINDOWS and switch to Linux or Free(Mac)BSD ! :)
> 
> > Patches are Microsoft's
> > intellectual property and can not be distributed by anyone without 
> > Microsoft's permission.
> I don't think this is quite true. Microsoft makes available all 
> patches as individual .exe files. There are quite many of these updates 
> and it's really a pain to actually get all of them and install updates 
> manually.
> But I've never seen written anywhere that I can not download these 
> .exe files and distribute them inside your company or to your friends as
> needed to fix the problems these patches are designed for.
>  
> > The problem with Bots is they aren't always active.  That
> > makes them
> > difficult to find until they do something.
> As opposed to what, viruses?
> Not at all! Many viruses have periods when they are active and 
> afterwards they go into "sleep" mode and will not activate until some 
> other date!
> 
> Additionally a bot that does not immediately become active is a good thing 
> because if you do weekly or monthly audits (and many do it like that) 
> you may well find it this way and deal with it at your own time, 
> rather than all of a sudden being awakened at 3am and having to clean up 
> an infected system.
> 
> --
> William Leibzon
> Elan Networks
> [EMAIL PROTECTED]
> 
> 
> 



FW: Worms versus Bots

2004-05-03 Thread Eric Krichbaum

I see times more typically in the 5 - 10 second range to infection.  As
a test, I unprotected a machine this morning on a single T1 to get a
sample.  8 seconds.  If you can get in 20 minutes of downloads you're
luckier than most.

Eric


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
william(at)elan.net
Sent: Monday, May 03, 2004 11:49 PM
To: Sean Donelan
Cc: Rob Thomas; NANOG
Subject: Re: Worms versus Bots


On Mon, 3 May 2004, Sean Donelan wrote:

> On Mon, 3 May 2004, Rob Thomas wrote:
> > ] Just because a machine has a bot/worm/virus that didn't come with a
> > ] rootkit, doesn't mean that someone else hasn't had their way with it.
> >
> > Agreed.
> 
> Won't help.  What's the first thing people do after re-installing the 
> operating system (still have all the original CDs and keys and product
> activation codes and and and)? Connect to the Internet to download the
> patches. Time to download patches 60+ minutes.
> Time to infection 5 minutes.

It's possible it's a problem on dialup, but in our ISP office I set up new
win2000 servers and the first thing I do is download all the patches. I've
yet to see the server get infected in the 20-30 minutes it takes to
finish it
(Note: I also disable IIS just in case until everything is patched..).

Similarly when setting up computers for several of my relatives (all
have dsl) I've yet to see any infection before all updates are
installed.

Additional to that many users have dsl router or similar device and many
such beasts will provide NATed ip block and act like a firewall not
allowing outside servers to actually connect to your home computer.
On this point it would be really interesting to see what percentage of
users actually have these routers and if decreasing speed of infections
by new virus (are there real numbers to show it decreased?) have anything
to do with this rather than people being more careful and using
antivirus.

Another option if you're really afraid of infection is to set up a proxy
that only allows access to the microsoft ip block that contains windows
update servers.

And of course, there is an even BETTER OPTION than all the above - STOP
USING WINDOWS and switch to Linux or Free(Mac)BSD ! :)

> Patches are Microsoft's
> intellectual property and can not be distributed by anyone without 
> Microsoft's permission.
I don't think this is quite true. Microsoft makes available all patches
as individual .exe files. There are quite many of these updates and it's
really a pain to actually get all of them and install updates manually.
But I've never seen written anywhere that I can not download these .exe
files and distribute them inside your company or to your friends as needed
to fix the problems these patches are designed for.
 
> The problem with Bots is they aren't always active.  That makes them 
> difficult to find until they do something.
As opposed to what, viruses?
Not at all! Many viruses have periods when they are active and
afterwards they go into "sleep" mode and will not activate until some
other date!

Additionally a bot that does not immediately become active is a good thing
because if you do weekly or monthly audits (and many do it like that)
you may well find it this way and deal with it at your own time, rather
than all of a sudden being awakened at 3am and having to clean up an
infected system.

--
William Leibzon
Elan Networks
[EMAIL PROTECTED]



RE: Anyone from AT&T here? (AT&T bogus DNSBL answers)

2004-04-19 Thread Eric Krichbaum

I've personally seen them blackhole a customer ip and never contact
them.  The excuse was that, normally, their customers can't get the mail
because it's a mailserver that gets blacklisted.  I'm not sure that it's
an excuse.  I don't even mind that they blackholed a security problem.
It's the lack of contact in association with the action that I consider
bad customer service.


Eric Krichbaum, Chief Engineer
Citynet

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Patrick W.Gilmore
Sent: Monday, April 19, 2004 12:26 PM
To: [EMAIL PROTECTED]
Cc: Patrick W.Gilmore
Subject: Re: Anyone from AT&T here? (AT&T bogus DNSBL answers)


On Apr 19, 2004, at 11:54 AM, [EMAIL PROTECTED] wrote:

>>> "I finally talked to someone who knows what the problem is.  Your sbl
>>> sites have been blocked by the standard DNS forwarders supplied by ATT.
>>> This is due to the workload being generated on them from mailservers."
>>
>> Duh! This is really dumb.
>
> It's not dumb at all.

Yes, it is.

It is not only dumb, it is a disservice to their customers.  AT&T is
intentionally distributing known bad information.  Worse, they hid this
fact from their customer.  When customers called the AT&T support line
to find out what happened, they were told nothing was wrong and it must
be on the customer side.  My understanding is this was an intentional
lie.  Lying to your customers is a Bad Thing [tm], IMHO.

Perhaps it was just a bunch of front line people who did not know /
understand, but considering that they made a change which they knew -
they *KNEW* - would break things, they should have made damned sure each
and every front line person was prepared for the customer calls.  
They did not, so they are at best guilty of pathetically poor customer
service, and possibly guilty of outright lying to their customers.

If I paid AT&T for name service (even as part of a larger package of
offerings - e.g. transit), I would be *VERY* upset.


> DNSBLs are using the DNS to do general purpose database
> lookups instead of using a generic database lookup
> protocol like LDAP. It's not surprising that this sort
> of ugly hack has unintended side effects. After all, people
> who build DNS infrastructure intend it to be used to
> for generic DNS translations, not generic database lookups.

A DNS query is a database lookup.  It is probably the most widely 
distributed, robust database ever designed and implemented.  But it is a 
database, and the DNSBL queries are well formed DNS queries.  The only 
difference between a DNSBL query and a normal host lookup is the source 
zone file and rate.

I wonder if Google gets too many DNS hits if AT&T will decide to filter 
that zone?


> Funny thing is that most mailer software that uses
> DNSBLs also supports LDAP database lookups so there is
> really no good reason why DNSBLs exist in the first
> place.

Have the mailers always supported LDAP?  Do all firewalls which work as 
MTAs in many 1000s of corporations allow LDAP queries by default?  
Perhaps the creators and maintainers of the DNSBLs like to use DNS and 
do not like LDAP?

There are many, many possible "good reasons" for the DNSBLs to exist.


> IMHO, the DNSBL experiment has proved the usefulness
> of having a variety of blacklist/whitelist/greylist databases
> for mail servers to query. It's high time that folks
> shift these databases onto a protocol that does not interfere
> with the Internet's critical DNS systems and I believe that
> LDAP is that protocol.

That is possible, and much more reasonable than claiming that they have 
no good reason to exist in the first place.

If you believe this so fervently, perhaps you should put in effort to 
make it happen, instead of discarding out of hand the effort, time, and 
money the current maintainers have donated out to make the community 
better.

-- 
TTFN,
patrick
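The point above is that a DNSBL lookup is an ordinary DNS query, and that a forwarder which answers it with bogus data silently changes mail acceptance. The following is an added example, not code from the thread or from any DNSBL: it builds the query name the way mailers do, reads the answer, and sanity-checks the resolver against the conventional 127.0.0.2 (always listed) and 127.0.0.1 (never listed) test entries before trusting it. The zone name, the sample addresses and the stub resolvers are constructed.

```python
import ipaddress
from typing import Callable, List

# Added example, not code from the thread. Zone and addresses are constructed;
# only the 127.0.0.2 / 127.0.0.1 test-entry convention is real.

LISTED_TEST_IP = "127.0.0.2"    # conventionally always listed by DNSBLs
UNLISTED_TEST_IP = "127.0.0.1"  # conventionally never listed

# A resolver maps a name to its A records; [] models NXDOMAIN or a
# forwarder that refuses to answer for the zone.
Resolver = Callable[[str], List[str]]

def dnsbl_query_name(ip: str, zone: str) -> str:
    """192.0.2.10 + dnsbl.example -> 10.2.0.192.dnsbl.example (octets reversed)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # ValueError on bad input
    return ".".join(reversed(octets)) + "." + zone.rstrip(".")

def is_listed(answers: List[str]) -> bool:
    """A listing is an A record inside 127.0.0.0/8; any other answer (a wildcard
    or hijacked response) is not treated as a listing."""
    loopback = ipaddress.IPv4Network("127.0.0.0/8")
    return any(ipaddress.IPv4Address(a) in loopback for a in answers)

def resolver_is_sane(resolve: Resolver, zone: str) -> bool:
    """True only if the resolver lists the test entry and does not list 127.0.0.1."""
    listed = resolve(dnsbl_query_name(LISTED_TEST_IP, zone))
    unlisted = resolve(dnsbl_query_name(UNLISTED_TEST_IP, zone))
    return is_listed(listed) and not is_listed(unlisted)

def check_sender(resolve: Resolver, zone: str, client_ip: str) -> str:
    """'reject' / 'accept' from the DNSBL, or 'accept-no-dnsbl' when the resolver
    fails the sanity check: fail open (and log) rather than act on bad data."""
    if not resolver_is_sane(resolve, zone):
        return "accept-no-dnsbl"
    answers = resolve(dnsbl_query_name(client_ip, zone))
    return "reject" if is_listed(answers) else "accept"

# Constructed stub resolvers standing in for real DNS (e.g. dnspython).
_GOOD_ZONE = {"2.0.0.127.dnsbl.example": ["127.0.0.2"],
              "10.2.0.192.dnsbl.example": ["127.0.0.2"]}

def good_resolver(name: str) -> List[str]:
    return _GOOD_ZONE.get(name, [])

def blocked_forwarder(name: str) -> List[str]:
    return []  # the symptom in the thread: nothing in the zone ever resolves

def hijacking_forwarder(name: str) -> List[str]:
    return ["203.0.113.5"]  # every name gets a non-127 answer, listed or not
```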



RE: Lazy network operators

2004-04-13 Thread Eric Krichbaum

 
We do that here, and I agree it should be a standard practice from the
dialup/broadband/etc. provider standpoint.  Aren't some of the newer
malware/viri using the SMTP setting out of the email client to send
through now to get around that anyway?  It really shouldn't matter
though.  I'd rather be: a.) blocking the port 25 traffic and b.) virus
scanning the outbound mail, than dealing with the thousands of "Your
user tried to hack my system.  I'm calling the FBI on you." messages.

Eric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
John Curran
Sent: Tuesday, April 13, 2004 3:53 PM
To: Stephen J. Wilcox
Cc: [EMAIL PROTECTED]
Subject: Re: Lazy network operators


At 8:39 PM +0100 4/13/04, Stephen J. Wilcox wrote:
>Most of the spam I'm seeing comes directly from end user hosts that 
>have either an open proxy on them or some kind of malware with its own 
>SMTP engine designed to send out junk.. in this model the only port 25 
>traffic is that from the end host coming outwards, I believe your 
>suggestion is to filter port 25 towards hosts.
>
>Even blocking the outbound 25 traffic (eg pushing it via the ISP SMTP 
>relay) will not stop the emails. It is possible to extend this and 
>implement some sort of statistical sanity checking on the mail being 
>relayed (eg alarm/deny mail once it exceeds X/minute/host) which is
>potentially a workable solution.

Steve,
 
   I'm very much suggesting blocking outward to the Internet port 25 
   traffic, except from configured mail relays for that end-user site.

   Those hosts which have SMTP malware are stopped cold as a result.

/John
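Stephen's "alarm/deny once it exceeds X/minute/host" check and John's exemption for the site's configured relays, as an added example that is not part of the thread: it runs the per-host, per-minute count over constructed relay log lines and reports the hosts that went over the limit. The log format and every address here are constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Added example, not from the thread: X-per-minute-per-host check over
# constructed relay log lines; configured relays are exempt from flagging.

LOG_RE = re.compile(r"^(\S+) client=(\d+\.\d+\.\d+\.\d+) to=<[^>]*>$")

def parse_line(line):
    """Return (minute_bucket, client_ip), or None for a line that does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # skip unparseable lines instead of aborting the audit
    stamp = datetime.fromisoformat(m.group(1))
    return stamp.replace(second=0, microsecond=0), m.group(2)

def count_per_host_minute(lines):
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            counts[parsed] += 1
    return counts

def flag_hosts(lines, limit, exempt_relays=frozenset()):
    """Hosts that sent more than `limit` messages in one minute -> (minute, peak)."""
    peaks = {}
    for (minute, host), n in count_per_host_minute(lines).items():
        if host in exempt_relays or n <= limit:
            continue
        if n > peaks.get(host, ("", 0))[1]:
            peaks[host] = (minute.isoformat(), n)
    return peaks

SAMPLE_LOG = [  # constructed: an infected end host, the site's relay, a normal host
    "2004-04-13T15:40:01 client=192.0.2.45 to=<a@example.net>",
    "2004-04-13T15:40:02 client=192.0.2.45 to=<b@example.net>",
    "2004-04-13T15:40:04 client=192.0.2.45 to=<c@example.net>",
    "2004-04-13T15:40:09 client=192.0.2.45 to=<d@example.net>",
    "2004-04-13T15:40:10 client=192.0.2.7 to=<e@example.net>",
    "2004-04-13T15:40:03 client=203.0.113.10 to=<f@example.org>",
    "2004-04-13T15:40:05 client=203.0.113.10 to=<g@example.org>",
    "2004-04-13T15:40:06 client=203.0.113.10 to=<h@example.org>",
    "2004-04-13T15:40:07 client=203.0.113.10 to=<i@example.org>",
    "garbage line that should be skipped",
]
```

With a limit of 3 and 203.0.113.10 declared as the site's relay, only 192.0.2.45 is reported; without the exemption the relay would be flagged too, which is why the relay list has to be configured rather than guessed.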



SWIP vs. RWHOIS

2004-03-31 Thread Eric Krichbaum


Has anyone run into other providers that refuse to take RWHOIS
information?  As I understand the general goings on, ARIN just wants the
information available so that we can generally contact the correct
people to deal with issues as they arise.

Now, I'm having an issue where Verizon is telling a customer of mine
that they can't use an assigned block because it isn't in SWIP form.
And they're quoting back ARIN to us.


"
PLEASE DO NOT RESPOND TO THIS EMAIL ADDRESS. PLEASE USE THE
[EMAIL PROTECTED] EMAIL ADDRESS for ALL correspondence

While I understand your point, it is currently the Verizon policy to
have the SWIP beforehand.  It is possible to have the greater range with
one name and the subdomain registered to you. For example look at
162.84.100.160 on ARIN's site. Search results for: 162.84.100.160

 Verizon Internet Services VIS-162-84 (NET-162-84-0-0-1)
   162.84.0.0 - 162.84.255.255
 Performance Group INC VZ-PRFMNCG-1 (NET-162-84-100-160-1)
   162.84.100.160 - 162.84.100.191
 
 # ARIN WHOIS database, last updated 2004-03-29 19:15
 # Enter ? for additional hints on searching ARIN's WHOIS database.

Also look at this link :
http://www.arin.net/library/guidelines/swip.html

If you have any questions, please contact the Network Support Center at
1.800.475.7840 Option 1, 1, 1 or e-mail [EMAIL PROTECTED]

Regards

Charles Leitner
[EMAIL PROTECTED]
Verizon Enterprise Customer Service
1.800.475.7840 Option 1, 1, 1
"

Have they ignored: http://www.arin.net/tools/rwhois.html and the policy
itself says "ISPs must provide reassignment information on the entire
previously allocated block(s) via SWIP or RWhois server for /29 or
larger blocks."

Am I wrong for assuming that they are unreasonable in this?

Eric Krichbaum
Chief Engineer
Citynet


FW: Where is this info coming from?

2004-03-20 Thread Eric Krichbaum



When I use a looking glass tool like GASP or lg.level3.net etc. on our
66.118.64.0/19 space, it shows up as MOUNTAINNET which we haven't used
for years.  ARIN's whois info shows it correctly.  Where should I go to
correct this, please?
 

Eric Krichbaum