RE: Even you can be hacked
Laurence F. Sheldon, Jr. wrote:
> Even if the water company is sending me 85% TriChlorEthane? Right. Got it. The victim is always responsible. There you have it folks.

Ok. Being responsible as network manager, if I think something is strange and neither I nor my staff can fix it, I call for help: either vendor support, a good consultant, or community help. In many cases the victim always has some portion of responsibility. If I leave a Windows 2000 server at SP0 with no security fixes on my network, get it hacked, and have a lawsuit because XYZ company caught a hacker attack from it, who is the victim? Who is responsible? This may be exactly what that guy did.

I think Sean sent out the California law reference last year that said the VICTIM of a security breach must report it to their customers... I think we have a lot of operational issues that we must look at here. What do we do? Many AUPs I have seen would have shut down that customer if someone complained. Does this mean that if we go to a for-profit bandwidth charge system we let people destroy others with the worms they have, for money, and we would be charging for the worm attack?

Jim
RE: SSH on the router - was( IT security people sleep well)
Ok, back to the previous premise: Linux with an IPSEC server load. IPSEC to the Linux box, use telnet or ??? to connect to the routers on the management VLAN/net, and you're done. Aside from that, use ACLs out the wazoo on the VTY lines and limit access to that to, say, 1 SSH-enabled router or 1 IPSEC-enabled router...

Jim

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rubens Kuhl Jr.
Sent: Monday, June 07, 2004 8:08 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: SSH on the router - was( IT security people sleep well)

> I'd rather use IPSEC than SSH to connect to routers or to a secure gateway and then to routers. Flaw history in IPSEC is much better than SSH; IPSEC can easily be used to move files with FTP or TFTP (does your router/client support SCP? SFTP?)...
>
> Unfortunately, IOS costs more to have IPSEC.
>
> Rubens
>
> ----- Original Message -----
> From: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Monday, June 07, 2004 7:39 AM
> Subject: SSH on the router - was( IT security people sleep well)
>
> > > complaining that cisco charges extra for such a critical component is exactly the right thing to do; it is fucking scary.
> > >
> > > every damn network device which used to have telnet should ship with ssh, it's free.
> >
> > Why?
> >
> > The typical network architecture of an ISP sees routers located in large clusters in a PoP or on a customer's site directly connected to a PoP. Since it is dead simple to place a 1U Linux box or similar SPARC server in a PoP to act as a secure gateway, why should router vendors encourage laziness and sloppiness? IMHO routers should not have SSH at all and should not accept any packets directed to them unless they are coming from a small set of known addresses on the network operator's management network.
> >
> > Once you open the router to SSH from arbitrary locations on the Internet you also open the router to DDoS from arbitrary locations and to attacks from people with inside info (SSH keys stolen or otherwise).
> >
> > It makes more sense to funnel everything through secure gateways and then use SSH as a second level of security to allow staff to connect to the secure gateways from the Internet. Of course these secure gateways are more than just security proxies; they can also contain diagnostic tools, auditing functions, scripting capability, etc.
> >
> > Now there is nothing fundamentally wrong with ADDING to that type of architecture by enabling SSH between the routers and the security gateways. But I believe that it is fundamentally wrong to consider SSH on the router to be equivalent to opening the router to any staff member, anytime, anywhere on the Internet. There are still possible man in the middle attacks that cannot be protected against by SSH. Consider the case of a staff member lounging in the backyard on a lazy Saturday afternoon with their iBook. They have an 802.11 wireless LAN at home so they telnet to their Linux box in the kitchen and run SSH to the router. Ooops!
> >
> > The only way to protect against that sort of situation is to encourage everyone to be security-minded and not take risks where the network is concerned. Funneling all access to routers through a secure gateway is part of that security-mindedness and is just plain good practice.
> >
> > --Michael Dillon
RE: Spring time fiber cuts (was Re: fiber cut 19 May/PM - 20 May/AM) (fwd)
> ..and you can deploy SONET without a protect.
>
> and telcos usually do. but they almost always tell you it's protected. force them to test, or pull one side yourself. and repeat the test every quarter.
>
> randy

And if you find it is on a fiber mux (DDM 1000), good luck. A few years ago I spent at least 20-30 hours troubleshooting 4 T-1s to customers on a redundant mux going to an older but large business park. They seemed to all drop within 5 minutes of each other. Bell claimed it to be us. Long story short, the protect was broken and we found out it had been so for months. All the data circuits (22 of them) seemed to experience 4-5 seconds of strangeness daily, and the 1 voice customer on that OC-3 went to POTS because of the problems.

Moral of the story: having a SONET ring, a protect, and all manner of things may not really help unless it really and truly does work.

J
RE: Question about obtaining ASN #
> i think you only need to wait until 30 days before, not 11 hours before.
>
> ARIN in my experience responds with reasonable promptness to ASN requests, and assuming your paperwork is in order, you really are worrying unnecessarily.

I second that. When we multihomed, I gave the info and had my AS in about 24 hours. We had the IPs, were using them, and had both providers in house. Went multihomed the day after the AS was given. The only thing I suggest you worry about is making sure the 2 providers give you a time/date for an engineer's time. It took me more time to set that up than anything else, and even then only 2 calls at my sales support engineers' staff.

Later, Jim
RE: Winstar says there is no TCP/BGP vulnerability
Well, CERT thought it was.

Jim

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Technical Cyber Security Alert TA04-111A
Vulnerabilities in TCP

Original release date: April 20, 2004
Last revised: --
Source: US-CERT

Systems Affected

* Systems that rely on persistent TCP connections, for example routers supporting BGP

Overview

Most implementations of the Border Gateway Protocol (BGP) rely on the Transmission Control Protocol (TCP) to maintain persistent unauthenticated network sessions. There is a vulnerability in TCP which allows remote attackers to terminate network sessions. Sustained exploitation of this vulnerability could lead to a denial of service condition; in the case of BGP systems, portions of the Internet community may be affected. Routing operations would recover quickly after such attacks ended.

I. Description

In 2001, the CERT Coordination Center released CA-2001-09, describing statistical weaknesses in various TCP/IP Initial Sequence generators. In that document (http://www.cert.org/advisories/CA-2001-09.html), it was noted by Tim Newsham:

    [I]f a sequence number within the receive window is known, an attacker can inject data into the session stream or terminate the connection. If the ISN value is known and the number of bytes already sent is known, an attacker can send a simple packet to inject data or kill the session. If these values are not known exactly, but an attacker can guess a suitable range of values, he can send out a number of packets with different sequence numbers in the range until one is accepted. The attacker need not send a packet for every sequence number, but can send packets with sequence numbers a window-size apart. If the appropriate range of sequence numbers is covered, one of these packets will be accepted. The total number of packets that needs to be sent is then given by the range to be covered divided by the fraction of the window size that is used as an increment.

Paul Watson has performed the statistical analysis of this attack when the ISN is not known and has pointed out that such an attack could be viable when specifically taking into account the TCP Window size. He has also created a proof-of-concept tool demonstrating the practicality of the attack. The National Infrastructure Security Co-Ordination Centre (NISCC) has published an advisory summarizing Paul Watson's analysis in NISCC Vulnerability Advisory 236929, available at http://www.uniras.gov.uk/vuls/2004/236929/index.htm.

Since TCP is an insecure protocol, it is possible to inject transport-layer packets into sessions between hosts given the right preconditions. The TCP/IP Initial Sequence Number vulnerability (http://www.kb.cert.org/vuls/id/498440) referenced in CA-2001-09 is one example of how an attacker could inject TCP packets into a session. If an attacker were to send a Reset (RST) packet for example, they would cause the TCP session between two endpoints to terminate without any further communication.

The Border Gateway Protocol (BGP) is used to exchange routing information for the Internet and is primarily used by Internet Service Providers (ISPs). For detailed information about BGP and some tips for securing it, please see Cisco System's documentation (http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/bgp.htm) or Team Cymru (http://www.cymru.com/).

A vulnerable situation arises due to the fact that BGP relies on long-lived persistent TCP sessions with larger window sizes to function. When a BGP session is disrupted, the BGP application restarts and attempts to re-establish a connection to its peers. This may result in a brief loss of service until the fresh routing tables are created.

In a TCP session, the endpoints can negotiate a TCP Window size. When this is taken into account, instead of attempting to send a spoofed packet with all potential sequence numbers, the attacker would only need to calculate a valid sequence number that falls within the next expected ISN plus or minus half the window size. Therefore, the larger the TCP Window size, the larger the range of sequence numbers that will be accepted in the TCP stream. According to Paul Watson's report, with a typical xDSL data connection (80 Kbps, upstream) capable of sending 250 packets per second (pps) to a session with a TCP Window size of 65,535 bytes, it would be possible to inject a TCP packet approximately every 5 minutes. It would take approximately 15 seconds with a T-1 (1.544 Mbps) connection. These numbers are significant when large numbers of compromised machines (often called botnets or zombies) can be used to generate large amounts of packets that can be directed at a particular host.

To protect against such injections,
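The arithmetic behind the advisory's figures, as an added example written for this page (it is not code from US-CERT or from Paul Watson's tool): the RFC 793 acceptability test for a RST, under which any sequence number inside the receive window is honoured; the probe spacing Newsham describes; and the worst-case packet count and time at a given packet rate. Two things here are assumptions beyond the advisory text: the 40-byte packet size (bare IP plus TCP headers, no link framing) used to turn a T-1 line rate into packets per second, and the `strict` variant of the check, which mirrors the exact-match rule later standardised in RFC 5961 and is not part of the 2004 advisory.

```python
import math

SEQ_SPACE = 2 ** 32  # size of the TCP sequence-number space


def rst_accepted(seg_seq, rcv_nxt, rcv_wnd, strict=False):
    """RFC 793 acceptability test for a RST segment.

    Classic behaviour: the RST is honoured if seg_seq lies anywhere in the
    receive window [rcv_nxt, rcv_nxt + rcv_wnd).  Modular arithmetic keeps
    the test correct across the 2^32 wrap.  strict=True honours only an
    exact match on rcv_nxt (the RFC 5961 rule, assumed here; an in-window
    but inexact RST would instead draw a challenge ACK).
    """
    offset = (seg_seq - rcv_nxt) % SEQ_SPACE
    if strict:
        return offset == 0
    return offset < rcv_wnd


def probe_sequence(rcv_wnd, seq_space=SEQ_SPACE):
    """Spoofed sequence numbers to try when the ISN is unknown.

    Newsham's point: probes spaced one window apart cover the whole space,
    since any window of width rcv_wnd must contain at least one of them.
    """
    return list(range(0, seq_space, rcv_wnd))


def covers_all(probes, rcv_wnd, seq_space=SEQ_SPACE):
    """True if every possible rcv_nxt would accept at least one probe.

    A window starting at rcv_nxt misses every probe only if the circular gap
    between two consecutive probes exceeds rcv_wnd, so checking the largest
    gap is equivalent to brute-forcing every rcv_nxt.
    """
    ordered = sorted(set(p % seq_space for p in probes))
    if not ordered:
        return False
    gaps = [b - a for a, b in zip(ordered, ordered[1:])]
    gaps.append(ordered[0] + seq_space - ordered[-1])  # wrap-around gap
    return max(gaps) <= rcv_wnd


def packets_needed(rcv_wnd, seq_space=SEQ_SPACE):
    """Worst-case number of spoofed segments, one per probe."""
    return math.ceil(seq_space / rcv_wnd)


def pps_for_link(bits_per_second, packet_bytes=40):
    """Packets per second a link can carry.  40 bytes = IP + TCP headers
    only; ignoring link-layer framing is an assumption."""
    return bits_per_second / (packet_bytes * 8)


def seconds_to_inject(rcv_wnd, pps):
    """Worst-case time to land one accepted spoofed segment."""
    return packets_needed(rcv_wnd) / pps


if __name__ == "__main__":
    for label, pps in (("xDSL, 250 pps", 250.0), ("T-1", pps_for_link(1_544_000))):
        for wnd in (16_384, 65_535):
            print(f"{label:14s} window {wnd:6d}: {packets_needed(wnd):7d} packets, "
                  f"{seconds_to_inject(wnd, pps):8.1f} s")
```

With a 65,535-byte window the worst case is 65,538 probes: about 262 seconds at 250 pps (the advisory rounds this to "every 5 minutes") and under 14 seconds at the packet rate a T-1 can carry. Halving the window doubles the attacker's work, which is why the window size, not just the ISN quality, sets the cost of the attack.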
RE: Postmaster, hostmaster etc....
Summary (in no particular order, well almost ;)

1. Sure, do it. We will list you on RFC Ignorant; will you give me your domain list and save me some time?
2. Forward to the holder of the domain, bouncing webmaster and listing contacts on the website in reply.
3. All abuse to go to one account, disable none.
4. Consolidate, consolidate, consolidate.
5. Webmaster to client, postmaster to support, abuse to abuse with CC to client.
6. Drop them; the smart user will do a lookup to the IP owner via whois.
7. RFC 2142 says you should have them.
8. Single accounts and spam filter the dickens out of it.

Ok, so this is the result we will work from:

- All postmaster will go to a single mailbox called postmaster.
- Webmaster will go to IT and remote office staff.
- Hostmaster like postmaster.
- Security like postmaster.
- Abuse like postmaster.
- IP whois update to say other addresses.
- Spam filter set to stun plus 5, with spam summaries sent to staff once daily containing subject line and from address, and an option to view / unspam.

Thanks to all that responded.

Later, Jim
Postmaster, hostmaster etc....
All,

My company has a large number of divisions, each with their own domain. Currently we are maintaining hostmaster, webmaster, postmaster, security, and abuse accounts for nearly all domains. After our recent testing of some new spam filtering software, I am really wondering about the operational necessity of all these addresses (a total of about 200 or so). What is truly required? Our IP whois lists where we truly answer problems, but we still review all the others. Our spam software shows 98% of all email to the RFC accounts is spam. So what will we have to deal with if we discontinued those addresses for all but 1 of our domains? How do some ISPs handle it? You host hundreds or thousands of domains, most with no webmaster etc. Does it matter for the small company domain?

Comments appreciated on or off list... Summary will be posted back to list.

thanks, Jim
RE: US Extradition rights (was Re: Spamhaus Exposed)
> Joshua Brady wrote:
> > The Child you speak of caused destruction over a network, the same applied for the 2 hackers here who were sent over without even questioning the UK. If the US Government is Satan then I suppose I am going to hell, because I sure as hell support it.
>
> Do you support the converse, where some little s*** hacks my London network from some random US college? At the moment, I have no recourse of any kind and the UK authorities have no power, and as a consequence, no interest.
>
> Peter

The world is full of attorneys, and I bet you could find a nice one in the States to sue him. Or report it to the FBI: http://www.fbi.gov. US authorities had no ability to hand those hackers in Taiwan, so what did someone do? They contacted the Taiwan Gov't... Can you do that?

J
RE: Enterprise Multihoming
Look at it this way: if multi-homing to ensure maximum reliability was not a good thing, why would XYZ ISP do it?

Take this example: remember last year (or the year before?) when MCI had the routing issue on the east coast? I had a friend that had 2 T-1s to MCI; he lost all reachability for over 5 hours. I had another friend that had a T-1 from MCI and one from ATT. He stayed up, and so did his ecommerce site.

So the end question is: do you trust your upstream enough to bank your business, or more importantly your reputation as an IT professional, on the ability of everyone at your ISP to maintain their network and everything that gives you access 99.999% of the time?

Jim

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gregory Taylor
Sent: Thursday, March 11, 2004 11:41 AM
To: John Neiberger; [EMAIL PROTECTED]
Subject: Re: Enterprise Multihoming

> Multi-homing a non-ISP network or system on multiple carriers is a good way to maintain independent links to the internet by means of different peering, uplinks, over-all routing and reliability. My network on NAIS is currently multi-homed through ATT. I use a single provider as both of my redundant links via 100% fiber network. Even though this is cheaper for me, all it takes is for ATT to have some major outage and I will be screwed. If I have a backup fiber line from, say, Global Crossing, then it doesn't matter if ATT takes a nose dive; I still have my redundancy there.
>
> That is why most non-ISPs hold multihoming via different providers as their #1 choice.
>
> Greg
>
> John Neiberger wrote:
>
> > On another list we've been having multihoming discussions again and I wanted to get some fresh opinions from you.
> >
> > For the past few years it has been fairly common for non-ISPs to multihome to different providers for additional redundancy in case a single provider has problems. I know this is frowned upon now, especially since it helped increase the number of autonomous systems and routing table prefixes beyond what was really necessary. It seems to me that a large number of companies that did this could just as well have ordered multiple, geographically separate links to the same provider.
> >
> > What is the prevailing wisdom now? At what point do you feel that it is justified for a non-ISP to multihome to multiple providers? I ask because we have three links: two from Sprint and one from Global Crossing. I'm considering dropping the GC circuit and adding another geographically-diverse connection to Sprint, and then removing BGP from our routers.
> >
> > I see a few upsides to this, but are there any real downsides?
> >
> > Flame on. :-)
> >
> > Thanks,
> > John
RE: One hint - how to detect infected machines _post mortem_... Re: dealing with w32/bagle
Take a look at Kiwi CatTools. It has some great Cisco automation ability... well, Cisco, Enterasys, Red Hat etc. www.kiwisyslog.com. You can run commands on hundreds of devices on a schedule. I use it to pull config backups and certain reports I want directly from the devices.

Jim

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alexei Roudnev
Sent: Friday, March 05, 2004 11:20 AM
To: Sam Stickland; [EMAIL PROTECTED]
Subject: One hint - how to detect infected machines _post mortem_... Re: dealing with w32/bagle

> Just for information - may be useful for someone.
>
> Task - we determined that a few infected machines were connected to one of our offices a few days ago. They ran one of those viruses which generate a lot of scans and create significant traffic (but traffic was not big enough to raise an alarm on the outgoing gateway). Activity was short.
>
> Computers are not connected at the time of investigation.
>
> IDS system and Cisco logs were not active in this office (a few tricks with Cisco ACLs and logs allow detecting many viruses instantly; good IDS systems can do it as well).
>
> Solution:
> - get all port statistics from the switch (using SNMPGET and using a simple 'telnetting' script - we have a 'RUN-cmd' tool allowing us to run switch commands from a shell file);
> - remove all ports with traffic less than some threshold;
> - calculate the IN/OUT packets ratio for the rest of the ports;
> - find ports where IN/OUT ratio (IN - to switch) 6;
> - on these ports, find ports with average packet size 256 bytes;
>
> It shows all ports with infected notebooks (even if a notebook was connected for half a day).
>
> PS. Of course, after this a few additional monitoring tools were installed, and we added _all_ switches and _all_ ports to the 'snmpstat' monitoring system (it allows seeing traffic in real time, and analyzing historical charts, including such things as packet size).
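Alexei's post-mortem filter as an added example, written for this page and not taken from his 'RUN-cmd' or 'snmpstat' tools, run over constructed per-port counters. The three numbers it needs per port are the IF-MIB ifInUcastPkts, ifOutUcastPkts and ifInOctets counters, where "in" is into the switch, i.e. transmitted by the attached host. The comparison operators are missing from the post as archived; this code assumes the ratio test is "greater than 6" and the packet-size test is "less than 256 bytes", which is what a scanning host (many small outbound probes, few replies) produces. The threshold values, the port names and the 32-bit counter-wrap helper are assumptions as well.

```python
# IF-MIB objects one would walk per ifIndex to get these numbers:
#   ifInOctets     .1.3.6.1.2.1.2.2.1.10
#   ifInUcastPkts  .1.3.6.1.2.1.2.2.1.11
#   ifOutUcastPkts .1.3.6.1.2.1.2.2.1.17
# Constructed sample, not real switch output.  "in" = into the switch,
# i.e. sent by the host on that port, as in the post.
SAMPLE_PORT_STATS = {
    "Fa0/1": {"in_pkts": 480_000, "out_pkts": 52_000, "in_octets": 42_000_000},   # scanner
    "Fa0/2": {"in_pkts": 120_000, "out_pkts": 110_000, "in_octets": 96_000_000},  # normal user
    "Fa0/3": {"in_pkts": 900, "out_pkts": 100, "in_octets": 60_000},              # nearly idle
    "Fa0/4": {"in_pkts": 300_000, "out_pkts": 30_000, "in_octets": 330_000_000},  # bulk uploads
    "Fa0/5": {"in_pkts": 250_000, "out_pkts": 0, "in_octets": 30_000_000},        # scanner, no replies
}

COUNTER32 = 2 ** 32


def counter_delta(old, new, modulus=COUNTER32):
    """Difference between two samples of a Counter32, allowing for one wrap.
    Run this over two SNMP polls before filtering when the switch only has
    32-bit counters; 64-bit ifHC* counters can be subtracted directly."""
    return (new - old) % modulus


def suspect_ports(stats, min_pkts=10_000, min_ratio=6.0, max_avg_bytes=256):
    """Apply the post's steps and return (port, ratio, avg_bytes) for ports
    that look like scanners, highest in/out ratio first."""
    hits = []
    for port, c in stats.items():
        in_pkts, out_pkts, in_octets = c["in_pkts"], c["out_pkts"], c["in_octets"]
        # drop ports with too little traffic to judge
        if in_pkts + out_pkts < min_pkts:
            continue
        # in/out packet ratio; a host whose probes never get answered is the extreme case
        ratio = float("inf") if out_pkts == 0 else in_pkts / out_pkts
        if ratio <= min_ratio:
            continue
        # scans are small packets; a bulk upload is lopsided too but the packets are large
        avg_bytes = in_octets / in_pkts
        if avg_bytes >= max_avg_bytes:
            continue
        hits.append((port, ratio, avg_bytes))
    return sorted(hits, key=lambda h: h[1], reverse=True)


if __name__ == "__main__":
    for port, ratio, avg in suspect_ports(SAMPLE_PORT_STATS):
        print(f"{port}: in/out ratio {ratio:.1f}, avg inbound packet {avg:.0f} bytes")
```

The packet-size test is what keeps this from flagging a legitimately lopsided port such as a workstation pushing a backup: its ratio is just as high as a scanner's, but its inbound packets are full-size. Raising `max_avg_bytes` makes that port show up, which is a useful way to see what each filter contributes.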
RE: Dns help.
Ejay,

I found a great link some time ago: www.dnsstuff.com, http://www.dnsstuff.com/pages/expert.htm. This one has an option to do a lookup to any public DNS server... Pick some of the random international DNS servers and try it out. It helped me out a while back when an old DNS hoster still had us in their named.conf.

Later, Jim

---From Ejay---

> Hi all. nanog(signal,noise++)
>
> I have a customer that is reporting intermittent reachability issues to Stormpay.com, and need an off-network perspective on DNS. The end-user reports not being able to resolve the domain, but it's been okay everywhere I looked. Most of the complaints have been international, but there are a couple of Charter and EarthLink addresses mixed in. Last DNS change was almost 2 weeks ago, so I don't suspect a propagation issue. It should resolve to 207.65.19.39.
>
> Thanks, Ejay. (Who now owes two rounds at the next 400mi from Nashville after-nanog-bar-huddle)
RE: ISS X-Force Security Advisories on Checkpoint Firewall-1 and VPN-1
> > Why is that bad? I have no objection to giving vendors a reasonable amount of time to fix problems before announcing the whole. Or is your point that two days hardly seems like enough time to develop -- and *test* -- a fix?

HMMM. If I was a real hacker, and I found the problem, might I also know the fix? And if I was really nice, would I give that fix to the vendor? Or could it be that a former Checkpoint employee is now an ISS employee? Or...?

J
RE: Don't Panic II (Re: updated root hints file)
I wonder if someone from Microsoft is here and will add this to an update for the Active Directory DNS that will most likely be the user of the old addresses in 5 years.

FROM: Bill

> I wonder how many systems will _still_ be trying to get to b.root-servers.net at the old address in 5 or even 10 years.
RE: New IPv4 Allocation to ARIN
> Perhaps ARIN (or others) could supply their respective portions of unallocated space to a common BOGON project?
>
> pt

Great idea... HMM. Rob, how about it? Say, take in a BGP feed from ARIN, APNIC etc. and then use that for redis? Or go even farther: IANA, could you give a feed and make the same effort?

Jim
RE: /24s run amuck
Ok, I am often outgunned and off target here. But I have to ask this:

1. If filtering is used, as suggested by someone, what happens to the small/mid-sized company that is multi-homed out of an ISP's /20 or larger block? In this case, I can see an ISP with a /20 busting that up into /21s or smaller to accommodate this user.
2. Wasn't /24 filtering something that a few large ISPs did a few years ago and everyone complained? I don't have a reference here but I seem to remember some flak about that.
3. What happens in the case of a carrier that has given /24s to a downstream out of different blocks?

I guess the real question is this: if X company can not be reached, how/who would you complain to? And would this be like the RR and AOL email filtering lists where we all complain, and this filtering is an effort by some to force others to clean up their act?

Am I out in left field?

Jim
Sprint Netop contact?
hi,

I am seeing root shell attempts and SNMP sweeps (approx. 1200 in an hour) coming from what appears to be a netops system at Sprint. If someone from there is online, please drop me a line offlist...

Thanks, Jim
RE: Upcoming change to SOA values in .com and .net zones
RFC 2182 Section 7 covers this, as Randy Bush mentioned earlier. If they do serial number updates in a scripted manner, or they just change the serial number to 4000, let it propagate, and then change to 100-something, all will be fine... The RFC above explains it well; no need to repost here.

Jim

> ... and not as MMDDHHMMSS or any contracted version thereof!

Right, but the _OLD_ format is. Therefore, the old zone file prior to the conversion will be SN 2004020800 through 2004020901. After the change, the SN will be in the range 1076284800 through 1076371200 inclusive. This complete range is less than 2004020800, so the serial number will, indeed, be going backwards at the time of the change. This should only matter to things doing automated zone transfers, and a forced manual zone transfer should solve the problem. Presumably, the responsible TLD operators are being coordinated with to take the necessary steps. Anyone else doing zone transfers of COM and NET has now been warned and should take appropriate action.

Owen
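The serial-number arithmetic the thread relies on, as an added example written for this page (not from Owen, Randy or the registry operators): the RFC 1982 comparison rule, which is what a slave uses to decide whether a master's SOA is "newer", and the RFC 2182 section 7 technique of publishing an intermediate value so a serial can be moved to a numerically smaller number without any slave seeing it go backwards. The serials are the ones Owen gives above; the helper names and the choice of 2^31 - 1 as the hop size are my own.

```python
SERIAL_BITS = 32
MODULUS = 2 ** SERIAL_BITS
HALF = 2 ** (SERIAL_BITS - 1)


def serial_gt(s1, s2):
    """RFC 1982: s1 is 'greater' than s2 iff the forward distance from s2
    to s1, taken modulo 2^32, is non-zero and below 2^31.  A distance of
    exactly 2^31 is undefined in the RFC and treated as 'not greater'."""
    d = (s1 - s2) % MODULUS
    return 0 < d < HALF


def slave_would_transfer(current, offered):
    """What an RFC 1982-aware slave does on NOTIFY or refresh: transfer only
    if the master's serial compares greater than the one it already holds."""
    return serial_gt(offered, current)


def rollback_path(old, new):
    """Intermediate serials to publish, in order, when moving from old to a
    new value that does not compare greater.  Each hop adds 2^31 - 1, the
    largest step that still compares as an increase; let every hop reach all
    slaves before publishing the next.  An empty list means 'just set new'."""
    if old == new or serial_gt(new, old):
        return []
    path, cur = [], old
    for _ in range(3):  # two hops always suffice; the bound only guards the loop
        cur = (cur + HALF - 1) % MODULUS
        path.append(cur)
        if serial_gt(new, cur):
            return path
    raise RuntimeError("no path found")  # unreachable by construction


if __name__ == "__main__":
    old_format, new_format = 2004020901, 1076284800
    print("direct change looks like a decrease:",
          not slave_would_transfer(old_format, new_format))
    for i, step in enumerate(rollback_path(old_format, new_format), 1):
        print(f"hop {i}: publish serial {step} and wait for every slave to pick it up")
    print(f"then publish {new_format}")
```

For Owen's numbers a single hop (2004020901 + 2^31 - 1 = 4151504548) is enough: it compares greater than the old serial, and 1076284800 compares greater than it. The two-hop case only arises when the target is one less than the current serial, which is the edge the loop exists for. A slave that ignores RFC 1982 and compares serials as plain integers still needs the forced manual transfer Owen mentions.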
RE: Out of office/vacation messages
Microsoft Mail server is configurable so as not to send the out-of-office emails out to the Internet for the entire server. This is an ADMIN config. ALSO, if a user goes to the Out of Office attendant in Outlook, they have the option of creating rules:

RULE #1: If from [EMAIL PROTECTED], move the email to the "NANOG EMAILS WHILE I WAS OUT SO I DON'T GET FLAMED" folder. Stop processing more rules.
Rule #2: Reply to Jerry WITH "I am taking 6 month leave of ABSENCE to learn how to wear asbestos underwear". Stop processing more rules.
Rule #3: everyone else.

THERE, that should settle it. THIS WORKS, I USE IT! Enough already folks!

If anyone using Exchange out there wants some nice screen shots, drop me a line, off list please. I will create it and send it to all at once via a BCC so no one needs to know who you are.

Later, Jim

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, January 02, 2004 1:32 PM
To: Rachel K. Warren
Cc: [EMAIL PROTECTED]
Subject: Re: Out of office/vacation messages

> On Fri, 02 Jan 2004 10:13:28 PST, Rachel K. Warren [EMAIL PROTECTED] said:
>
> > Sometimes you have no choice but to run a Windows mail client - it's called your company forcing you to a standard mailer. It's not something I have liked doing in the past, but having your management heavily disapprove of using something outside of standard is usually not a good thing.
>
> Wave the security issue flag at them on this one. There's a number of good security reasons to not use software that blabs in response to mailing list mail:
>
> 1) If this is a reply to a message from a mailing list that you usually lurk on, your subscription to the list has just been revealed (probably to every person who is posting - possibly to the entire list if your responder replied to the list).
>
> 2) The fact you are Out of your office could reveal information to a hacker.
>
> 2a) The hacker now knows that you aren't watching your PC very carefully, and thus it's possibly a better target for a hacking attempt.
>
> 2b) If the hacker has gotten a message "George Smith is at a client site until Aug 30", he can try calling your company and saying "This is George.. I'm at the client's site, and I can't get to the corporate net. Can you reset my password so I can get the documents I need to close this deal?". This is an amazingly effective social engineering attack.
>
> 2c) The software most responsible for these errant messages is also well-known for multiple security issues - and quite often even puts its exact version in the X-Mailer header. This allows an attacker to send you a malicious e-mail message (specially selected for your software version), for you to read when you get back (and are probably buried under many messages and not paying as much attention to the contents as you should).
>
> If that doesn't work, point the PHB at this:
>
> http://news.bbc.co.uk/1/hi/technology/3290251.stm
>
> Only 2 out of the top 10 viruses/worms for last year did *NOT* target Outlook.
>
> Then ask the PHB if they have any legal criterion of "due care" that would put them at risk of being negligent for continuing to run their business in a known dangerous manner.
RE: Out of office/vacation messages
> Must really suck to put ALL those rules on and take them off every time you go on vacation. (Yes, I'm on at least 65 mailing lists - and that's just the ones high-volume enough to warrant filtering to their own folder). And even if you're on only 4 or 5 lists, that's enough work to mean it's likely you'll forget one.

No, you set up the rules once and then turn on the OoO when necessary. I have 40 or so rules, and they are relatively easy.

> Hardly a selling point for your choice of software. Unless it's a disguised "My management makes me use software so broken I have to..." story?

I seem to remember a conversation about how a big business standard would not be a big business standard without good reason... ALMOST PUT AN EMOTICON
RE: [Activity logging archiving tool]
If you are really just looking for changes and change comparisons, check out Kiwi CatTools: www.kiwisyslog.com. This software can connect via SSH, Telnet etc., and even do non-Cisco, Linux etc. Works well as a backup for configs...

Later, Jim

> CiscoWorks also polls the devices for configuration changes and generates a diff if you so desire. If you have set up AAA you will have an audit log of when changes were applied and who applied them.
>
> Scott C. McGrath
Anti-Virus help for all of us??????
Thought this is on topic for the group with all the new virii and new problems out there. Would anyone here consider sending this out to all customers?

Later, Jim

> Last week at the Comdex show in Las Vegas, Computer Associates International, Inc. (known to the world as CA) teamed up with Microsoft Corp to provide qualified Windows home computer users with a no-charge, one-year subscription to CA's eTrust EZ Armor antivirus and firewall desktop security suite. The move is designed to encourage home users to increase the protection of their Windows systems and CA has stated that the company will aggressively promote the offer as part of Microsoft's Protect Your PC campaign.
>
> SNIP
>
> The EZ Armor software carries a value of $49.95 and the free subscription offer will be available for download until June 30, 2004 and comes complete with one year of personal firewall and antivirus protection including daily virus signature updates.
>
> http://www.it-analysis.com/article.php?articleid=11450
RE: Port 41170 traffic
Google: http://www.google.com/search?as_q=tcp+udp+41170&num=10&hl=en&ie=UTF-8&oe=UTF-8&btnG=Google+Search&as_epq=&as_oq=&as_eq=&lr=&as_ft=i&as_filetype=&as_qdr=all&as_occt=any&as_dt=i&as_sitesearch=&safe=images

http://cert.uni-stuttgart.de/archive/incidents/2003/06/msg00130.html

It appears to be a file sharing program called Blubster, at least for UDP: www.blubster.com

Later, Jim

> SNIP
>
> Anyone has any idea what is carried on tcp and udp port 41170?
>
> Adi
RE: The Cidr Report
> On Fri, 14 Nov 2003, Suresh Ramasubramanian wrote:
> > Stephen J. Wilcox writes on 11/14/2003 7:16 AM:
> > > So anyway, was discussing the cidr report at the last nanog.. I was pointing out that deaggregation is discouraged by the naming and shaming and then someone else pointed out that this list has scarcely altered in months. So, what can we do as the operator community if this report isn't having the desired effect? Stop accepting /24 type routes?
> >
> > Please no... That will drop me off the map..
>
> Yeah maybe, but what about where the RIRs have assigned independent /24 space.. or ISPs have subdelegated the IPs to a multihomed customer? I was more thinking about where a bunch of routes originating from a single ASN can be aggregated rather than routing bloat in general. There are numerous such examples of people with e.g. a /19 announcing 32x /24 etc.
>
> Steve

I don't have the stats handy at the moment, but when we decided to multi-home I researched several issues with /24 blocks. One thing that seemed to stick out was that some providers were using /20 and /21 as multi-home blocks. They were reserving that block just for /24 multi-homing, and I also remember that of the /24s being announced independently, a majority of them were not multihomed... Just how bad is the auto-summarization at the upstream for the route propagation via BGP in the large routers anyway?

Jim
RE: more on VeriSign to revive redirect service
All,

I hate to agree but he is right. With companies like GoDaddy out there, does it make sense to pay Verislime money to fund SiteFinder and our headaches? To change this: what else can we do to prevent this? Does the last BIND version truly break SiteFinder?

Later, Jim

-----Original Message-----
From: Miles Fidelman [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 16, 2003 9:24 AM
To: nanog list
Subject: Re: more on VeriSign to revive redirect service

> Just out of curiosity, I wonder how many domain registrations those of us on nanog represent? Contract sanctions from ICANN are one thing; taking all of our business elsewhere might also be effective at getting a point across (though it might also backfire - pushing Verisign to be even more aggressive at taking advantage of their positioning).
>
> Miles
RE: Pitfalls of annoucing /24s
-----Original Message-----
From: Phil Rosenthal [mailto:[EMAIL PROTECTED]]

> As long as it's provider assigned, and your provider announces the supernet that the /24 is from, it will still work. If you announce PI space out of the old class A space in /24s, many networks won't be able to reach you.

I am not sure I agree with this. We are announcing a /24 from the 66/8 block and I have only found 2 ISPs (according to the Netlantis project) that can't reach me. We are multihomed. I suspect that may be due to aggregation. But even with our backup online, I still saw the routes propagate via Netlantis... Or am I out in left field going nuts?

Later, Jim
RE: BellSouth prefix deaggregation (was: as6198 aggregation event)
IMHO, I think we should create a route-set obj, call it... RS-DEAGGREGATES, and list all the major irresponsible providers' specific /24's in it... CASE: Business has a /24 from X provider in order to multihome. That /24 is de-aggregated from a /19; with this policy that /24 may not be routed. Possible exception: When 2002-3 gets passed by ARIN, this could even take on new meaning. ARIN says they will use a single /8 for the handing out of /22-/24 for multihoming end users. Will you then filter those /24's also? Also: What happens when that /24 for Business Y noted above is dual routed by ISP A and ISP B, and ISP A's upstream filters but ISP B's does not? Will there be asymmetric routing? Finally: Can anyone from BellSouth explain the end goal of the de-aggregation? I suspect with 40+ ASs they may be rebuilding their network with a recently announced list of new IP services and DSL growth as asked for under the Federal government Rural DSL regulations... (I'm not trying to defend them, just giving some possibilities) So some ASes who wish to not accept deaggregated specifics using RPSL can update their AS import policy to not import RS-DEAGGREGATES... Just my humble opinion.. Comments/criticism welcome :) -hc -- Haesu C. TowardEX Technologies, Inc. Consulting, colocation, web hosting, network design and implementation http://www.towardex.com | [EMAIL PROTECTED] Cell: (978)394-2867 | Office: (978)263-3399 Ext. 170 Fax: (978)263-0033 | POC: HAESU-ARIN On Sun, Oct 12, 2003 at 11:26:49AM -0400, Jared Mauch wrote: On Sun, Oct 12, 2003 at 01:02:57PM +, Stephen J. Wilcox wrote: Can anyone from BellSouth comment? What if a few other major ISPs were to add a thousand or so deaggregated routes in a few weeks time? Would there be a greater impact? one word - irresponsible This clearly stands out to me as a reason to keep and use prefix filtering on peers to reduce the amount of junk in the routing tables. 
If bellsouth needs to leak more specifics for load balancing purposes, fine, just make sure those routes don't leave your upstreams networks and waste router memory for the rest of us that don't need to see it. - Jared (Note: The above numbers are based on data from cidr-report.org. Some other looking glasses were also checked to see if cidr-report.org's view of these AS's is consistent with the Internet as a whole. This appears to be the case, but corrections are welcome.) -Terry -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Terry Baranski Sent: Sunday, October 05, 2003 3:01 PM To: 'James Cowie'; [EMAIL PROTECTED] Subject: RE: as6198 aggregation event James Cowie wrote: On Friday, we noted with some interest the appearance of more than six hundred deaggregated /24s into the global routing tables. More unusually, they're still in there this morning. AS6198 (BellSouth Miami) seems to have been patiently injecting them over the course of several hours, between about 04:00 GMT and 08:00 GMT on Friday morning (3 Oct 2003). If you look at the 09/19 and 09/26 CIDR Reports, BellSouth Atlanta (AS6197) did something similar during this time period -- they added about 350 deaggregated prefixes, most if not all /24's. Usually when we see deaggregations, they hit quickly and they disappear quickly; nice sharp vertical jumps in the table size. This event lasted for hours and, more importantly, the prefixes haven't come back out again, an unusual pattern for a single-origin change that effectively expanded global tables by half a percent. That AS6197's additions are still present isn't encouraging. -Terry -- Jared Mauch | pgp key available via finger from [EMAIL PROTECTED] clue++; | http://puck.nether.net/~jared/ My statements are only mine.
RE: Wired mag article on spammers playing traceroute games with trojaned boxes
- -I found one of these today, as a matter of fact. The spam was -advertising an anti-spam package, of course. - -The domain name is vano-soft.biz, and looking up the address, I get - -Name:vano-soft.biz -Addresses: 12.252.185.129, 131.220.108.232, 165.166.182.168, -193.165.6.97 - 12.229.122.9 - -A few minutes later, or from a different nameserver, I get - -Name:vano-soft.biz -Addresses: 131.220.108.232, 165.166.182.168, 193.165.6.97, -12.229.122.9 - 12.252.185.129 - -This is a real Hydra. If everyone on the list looked up -vano-soft.biz -and removed the trojaned boxes, would we be able to kill it? - ---Chris I got : Canonical name: vano-soft.biz Addresses: 165.166.182.168 193.92.62.42 200.80.137.157 12.229.122.9 12.252.185.129 I think even if we get all the ones for this domain name today, assuming we can muster enough man hours to get it today, another 5000 will be added tomorrow. And looking at my list we have US (a very small ISP and a large ISP), RIPE, and LACNIC. I wonder if the better question should be: Can broadband ISPs require a Linksys, D-Link or other broadband router without too many problems? That is what it will take to slow this down, and then only if ALL of the ISPs do it. This not only affects this instance but global security as a whole. Just a few days ago, Cisco was taken offline by a large # of zombies; I am willing to say that those are potentially some of the same compromised systems. Thoughts? Jim
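The three answer sets posted above for vano-soft.biz differ in membership, not just order, which is the signature of a name pointed at a rotating pool of compromised hosts. The tracker below is an added example, not code from the thread: it accumulates successive lookups, separates reordering from real rotation, and builds the unique-address work list the takedown discussion is about. The lookups are constructed from the addresses posted above; no DNS query is made (for live use, feed `observe()` from repeated `socket.getaddrinfo` calls against several resolvers, since different servers hand out different subsets).

```python
"""Follow a spam domain whose A records rotate across compromised hosts.

Added example, not from the thread. SAMPLE_LOOKUPS is built from the three
answer sets posted for vano-soft.biz; nothing here talks to DNS.
"""
import ipaddress

SAMPLE_LOOKUPS = [
    {"12.252.185.129", "131.220.108.232", "165.166.182.168", "193.165.6.97", "12.229.122.9"},
    {"131.220.108.232", "165.166.182.168", "193.165.6.97", "12.229.122.9", "12.252.185.129"},
    {"165.166.182.168", "193.92.62.42", "200.80.137.157", "12.229.122.9", "12.252.185.129"},
]


class FluxTracker:
    """Accumulates answer sets and tells reordering apart from rotation."""

    def __init__(self):
        self.answers = []        # one frozenset per lookup, in order
        self.first_seen = {}     # ip -> index of the lookup that introduced it

    def observe(self, addresses):
        """Record one lookup; return the addresses never seen before."""
        current = frozenset(str(ipaddress.ip_address(a)) for a in addresses)
        new = {a for a in current if a not in self.first_seen}
        for a in new:
            self.first_seen[a] = len(self.answers)
        self.answers.append(current)
        return new

    def unique(self):
        """Every address ever returned, in numeric order (the work list)."""
        return sorted(self.first_seen, key=ipaddress.ip_address)

    def rotations(self):
        """Lookups whose set (not order) differed from the previous one."""
        return sum(1 for a, b in zip(self.answers, self.answers[1:]) if a != b)

    def looks_like_flux(self):
        """More hosts seen in total than any single answer carried, and at
        least one change of set: round-robin over a fixed pool does not
        trip this, a growing pool of bots does."""
        widest = max((len(a) for a in self.answers), default=0)
        return len(self.first_seen) > widest and self.rotations() > 0

    def by_first_octet(self):
        """Crude first cut for abuse reports (a /8 is not an ISP, but it is
        the split you make before running whois on each address)."""
        groups = {}
        for ip in self.unique():
            groups.setdefault(ip.split(".")[0], []).append(ip)
        return groups


def analyse(lookups):
    """Run a series of answer sets through a tracker and summarise."""
    t = FluxTracker()
    new_per_lookup = [len(t.observe(s)) for s in lookups]
    return {"unique": len(t.unique()), "new_per_lookup": new_per_lookup,
            "rotations": t.rotations(), "flux": t.looks_like_flux()}


if __name__ == "__main__":
    print(analyse(SAMPLE_LOOKUPS))
    t = FluxTracker()
    for s in SAMPLE_LOOKUPS:
        t.observe(s)
    for octet, ips in t.by_first_octet().items():
        print(f"{octet}.0.0.0/8: {', '.join(ips)}")
```

On the posted data the second lookup introduces nothing (same five hosts, different order) while the third brings two new ones, which is why `new_per_lookup` rather than raw answer size is the number to watch when deciding whether a pool is still growing.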
RE: williams spamhaus blacklist
this is not without precedent.. Anyone from Cable and Wireless listening? If I remember correctly, Cable and Wireless was blocked last year or earlier this year by a similar ploy. And I also seem to remember them making major complaints over on the SPAM-L list.. Later, J -Original Message- From: Leo Bicknell [mailto:[EMAIL PROTECTED] Sent: Wednesday, September 24, 2003 6:30 PM To: [EMAIL PROTECTED] Subject: Re: williams spamhaus blacklist In a message written on Wed, Sep 24, 2003 at 05:14:04PM -0400, [EMAIL PROTECTED] wrote: The moment they started blacklisting IPs that never sent spam. (AKA Williams corporate mail servers). For those who care: http://www.spamhaus.org/sbl/sbl.lasso?query=SBL10731 I quote: ] WilTel Communications Group's Corporate Mail Relays ] Continued hosting of Eddy Marin spam gang and others have caused this ] listing. Previous warnings and spam reports had no effect. So, they have decided since WilTel has one (alleged?) spammer customer none of WilTel should be allowed to send or receive e-mail anymore. The complete list of Williams issues is at: http://www.spamhaus.org/sbl/listings.lasso?isp=wcg As per usual, no amount of collateral damage is deemed unacceptable. -- Leo Bicknell - [EMAIL PROTECTED] - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ Read TMBG List - [EMAIL PROTECTED], www.tmbg.org
RE: Route failures to behosting.com
good from ATT and Broadwing J -Original Message- From: Haesu [mailto:[EMAIL PROTECTED] Sent: Wednesday, September 17, 2003 9:46 PM To: Henry Yen; [EMAIL PROTECTED] Subject: Re: Route failures to behosting.com Also accessible no problem from Qwest and Nlayer. -hc -- Sincerely, Haesu C. TowardEX Technologies, Inc. WWW: http://www.towardex.com E-mail: [EMAIL PROTECTED] Cell: (978) 394-2867 On Wed, Sep 17, 2003 at 09:35:54PM -0400, Henry Yen wrote: On Wed, Sep 17, 2003 at 09:29:57AM -0400, Brian Bruns wrote: Attempts to access behosting.com were successful from several different locations, which included ameritech and sprint. I'm not going to include traceroutes here (if you would like them, I can email them to you privately). What ISPs are you using to try and get to them? behosting.com/www.behosting.com (aka 216.121.96.160) also accessible without problem from sprint and uunet. - Original Message - From: Lou Katz [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, September 17, 2003 9:23 PM Subject: Route failures to behosting.com I am unable to reach them via several different ISPs. It looks to my naive eyes like routes to them have vanished. Can anyone shed any light on this? -- Henry Yen Aegis Information Systems, Inc. Senior Systems Programmer Hicksville, New York
RE: Fun new policy at AOL
-On Thursday, August 28, 2003 4:18 PM, Matthew Crocker [EMAIL PROTECTED] -wrote: - - Shouldn't customers that purchase IP services from an ISP use the ISPs - mail server as a smart host for outbound mail? - -At least here in DE there are resellers of DTAG which offer DSL connections -without any SMTP relay. If you want relaying you also have to order a domain -via them. Funnier still: you cannot deliver mails to DTAG (actually T-Online) -as the resellers use address space of DTAG and hence the DTAG servers -believe you are a customer of them and should use the internal relays ... - -Arnold I wouldn't say that the answer is to use a relay.. I have had the problem, and due to the business we are in, we sometimes are forced to email proofs that can be as big as 10 Meg, zipped. Don't think many would allow us to relay that.. J
RE: Navy Marine Corps Internet hit
On Tue, 19 Aug 2003, Scott Weeks wrote: - on the .pif, .scr, etc. attachments...) Maybe I was just lucky. Most - likely, though, they did not create security zones to keep problems - contained within certain network segments and not let them out to destroy - other networks. -Luck is very important. -Like most other people I have no knowledge about how the Navy Marine -Internet works, but that won't stop me from commenting. -It sounds like a turnkey operation, with EDS managing everything. They -may have 100,000 users with identical configurations (software, patch -levels, etc) in one big flat network. A large homogeneous population is -vulnerable to a common infection. Nachia has a very efficient scanning -and infection process, particularly if your entire network uses RFC1918 -address space internally. As a former Marine, and IT support staff member.. The Military uses REAL WORLD IPs on ALL systems. I won't mention IPs. BUT they have all RW on every system. Not quite a flat net either... It is rather a unique system, to say the least. J
RE: virus or hacked?
-| -Original Message- -| From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf -Of -| Chris Todd -| Sent: Wednesday, August 20, 2003 12:33 PM -| To: '[EMAIL PROTECTED]' -| Subject: virus or hacked? -| -| -| Good morning: -| I was wondering if anyone has seen this message on a win2k server -before -| and -| might be able to help me -| -| Message from destroyer to you on 8/19/2003 11:24:53pm -| Make this your last pop-up ever Destroy all these pop-up for a -fraction of -| the price of our competitors!!! -| go to www. messagdestroyer.net -| -| This is all in a plain windows box(gray box with an ok button at the -| bottom -| and the X is the upper right corner) -| - -This is a standard Windows messenger (not MSN messenger) spam. If you -don't use the Windows messenger service, disable the messenger -service. SPAM will stop. - -Todd If you have this showing up on a server that is behind a firewall, you may have a MUCH bigger problem. The access to the messenger service requires access to a specific port, and this problem normally only manifests itself when the server/workstation is plugged directly into an internet pipe with a real world IP on one of its network cards! If you are not behind a firewall/router, or even the Linksys family, shame on you. If you are behind a firewall... Oh boy, better look for some security problems. Later, J
RE: Rules and Regs for a LEC's and Non LEC's
-RBOCs (note, not ILECs) cannot move inter-lata traffic without being -approved by PUC in each state for interstate long distance. (I believe -this is part of 1984 MFJ). -CLECs have no restrictions on that. Neither do non-CLEC ISPs. ---alex I thought this only applied to VOICE traffic. As far as I know Internet access traffic is non-regulated. I used to work at a CLEC and we never worried about PUC complaints on an Internet access level of service. Now if the T-1 level was down, that was a different story. -J
RE: East Coast outage?
--Huh ? Where in the physics of Ohm's law is Hz a factor ? Having lived off --the grid, where systems are often at max 48v, yes the wires have to be --several 0's of gauge to carry the large amperages. Much the same in A/B DC legs in --a colo. Up the volts and the amps go down to produce the same power (watts --or work). HMM, it's been a LONG time but I remember high amp, low voltage. The formula makes it a swap out. Raise the voltage, drop the current, or lower the voltage and raise the current if the resistance stays constant. --I am a little rusty on this one, but I seem to remember that AC travels --only on the outside skin of the wire but DC uses all the wire. This is called the skin effect, and from my RF days we did not consider it to be an issue until you get close to the kHz range. In high voltage transmission lines it may get a little higher than 60 Hz, but I don't think by much. I have many UPSs that track Hz and I have seen it coming in from 59.8 to 60.2. The skin effect was a really big deal in the L band systems where I used to work, 1.2 GHz to 1.6 GHz. And in the S band we had to use pressurized dehumidified transmission waveguide due to freq and power levels (2 Megawatts). We did AC/DC conversion and worked with 400 Hz power for those systems, and we were not concerned with skin effect at all. But we were concerned with RF induction into the power system supply lines that could dirty up the power input and create problems for the AC/DC conversion for the discrete electronics. Anyway, it's been a while... J
RE: Did Sean Gorman's maps show the cascading vulnerability in Ohio?
-So, the US Government wants to classify Sean Gorman's student project. -The question is did Mr. Gorman's maps divulge the vulnerability in the -East Coast power grid that resulted in the blackouts this week? -Would it be better to know about these vulnerabilities, and do something -about them; or is it better to keep them secret until they fail in a -catastrophic way? This is a question whose answer I am willing to bet will remain classified should his research be classified. J
RE: Battery lifetimes RE: East Coast outage?
But all those SONET hubs in basements, SLC's in the burbs and such -- they don't have generators. They have X hours of batteries. In the fine print, it says the LEC will have a portable generator on site before they die. That's doable if the failure is local; say a semi taking out a power pole. But given anything bigger, a citywide or bigger blackout, a regional ice storm, or whatever they do not have the quantity of gensets they'd need, much less the manpower to deploy AND maintain [refuel] same. Here in the SE we had a little experience with this EXACT issue back in December. We had a power outage that lasted 4 days. BellSouth's plan, and it seemed to work, was to hook gensets to a truck, run to a battery pack, run the generator long enough to recharge the pack and then drop and run to the next one. They started this within an hour or two of the power outage. None of my circuits went down during those days. (We had generator power at our office) This may be larger, but we had about 2 million out of power in little ole SC.. IMHO, J
RE: microsoft.com
good here thru ATT and Broadwing.. Jim -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Friday, August 15, 2003 10:16 AM To: Robbie Foust Cc: Bryan Heitman; [EMAIL PROTECTED]; [EMAIL PROTECTED]; Chris Horry Subject: Re: microsoft.com No problems here, UUNET out of DC Robbie Foust [EMAIL PROTECTED]To: Chris Horry [EMAIL PROTECTED] Sent by: cc: Bryan Heitman [EMAIL PROTECTED], [EMAIL PROTECTED] [EMAIL PROTECTED]Subject: Re: microsoft.com .edu 08/15/2003 10:04 AM I've had no problem getting to Microsoft's site(s) today...I'm in the southeastern US if it makes a difference. - Robbie Chris Horry wrote: Bryan Heitman wrote: Several networks I have talked to are reporting they can't get to www.microsoft.com Has the virus began? anyone? Yep, remember it's already August 16th in some parts of the world. Unable to get to www.microsoft.com at 0958 EDT. Chris -- Robbie Foust, IT Analyst Systems and Core Services Duke University
RE: Microsoft to ship new versions with firewall enabled
From: Scott McGrath [mailto:[EMAIL PROTECTED] No answer on that one, However Mac OS X also includes a built in firewall. On the configuration angle, the Microsoft ICF (Internet Connection Firewall) blocks everything by default. I just worked on a friend's computer last night. The XP ICF firewall was on, and it did not stop the bug.. I want to test that in a lab environment though...
RE: RPC errors
Jack, This is that RPC flaw in Microsoft. I noticed it too.. Got about 20K in 15 hours. Jim -Original Message- From: Jack Bates [mailto:[EMAIL PROTECTED] Sent: Monday, August 11, 2003 4:12 PM To: NANOG Subject: RPC errors I'm showing signs of an RPC sweep across one of my networks that's killing some XP machines (only XP confirmed). How wide spread is this at this time. Also, does anyone know if this is just generating a DOS symptom or if I should be looking for backdoors in these client systems? -Jack
Road runner contact?
Does anyone have a good contact over at Road Runner? I used to have one, but lost it.. Thanks, Jim
RE: Power outage in North East
FROM CNN website NEW YORK (CNN) -- A major power outage simultaneously struck several large cities in the United States and Canada late Thursday afternoon. Cities affected include New York; Boston, Massachusetts; Cleveland, Ohio; Detroit, Michigan; Toronto, Ontario; and Ottawa, Ontario. The power outage occurred shortly after 4 p.m. Much of Midtown Manhattan and Wall Street were shut down, including all area airports and the Long Island Railroad. The airports were operating on back-up power and operations were reported to be normal, officials said. The New York City Police Department said they were trying to determine what happened. A Con Edison transformer on East 14th Street in Manhattan was afire, CNN learned. Thousands of people could be seen leaving buildings and walking into the streets. New York subways were reported stopped and people were trapped in the cars. -Original Message- From: Patrick Muldoon [mailto:[EMAIL PROTECTED] Sent: Thursday, August 14, 2003 4:34 PM To: Joel Perez; [EMAIL PROTECTED] Subject: Re: Power outage in North East On Thursday 14 August 2003 04:23 pm, Joel Perez wrote: Has anyone heard of a big Power outage in the North east? I just got a call from one of my tech's in the GBLX bldg in Newark, NJ at 1085 raymond and they are telling him that they lost power! But I also got a call from ATT in NY that they also lost Power! Power is flakier then all heck here in Albany, NY. Outages / major brown outs. We are running on Generator here since it is way cleaner power at the moment. -- Patrick Muldoon Network/Software Engineer INOC (http://www.inoc.net) PGPKEY (http://www.inoc.net/~doon) Key fingerprint = 8F70 6306 F0A7 B8DA BA95 76C4 606A 7DC1 370D 752C I haven't lost my mind; it's backed up on tape somewhere.
RE: How much longer..
OK.. I have lurked enough on this one.. $60 Billion plus for Microsoft.. and 600 million lines of code. Thousands of employee programmers... $1 million for *NIX, less than a million lines of code, rewritten on a whim, and source given to millions.. Bugs will be found and squashed easier. Less code, more eyes, and less complex. Less market, less users, less interest for hackers. 5 less than statements for *NIX and how many more statements for Micro$oft? This is like trying to compare the towing capacity of a car to a turbo diesel pickup. There is no comparison... I don't care if Microsoft spends $600 Million a year, there will always be bugs. If a software package was perfect or a network was perfect how many of us would have jobs? Nothing in this world is perfect, and complaining about it does absolutely no good. J -Original Message- From: Charles Sprickman [mailto:[EMAIL PROTECTED] Sent: Wednesday, August 13, 2003 4:30 PM To: Crist Clark Cc: [EMAIL PROTECTED] Subject: Re: How much longer.. On Wed, 13 Aug 2003, Crist Clark wrote: Attacks _are_ on Linux machines. There have been Linux worms, Lion attacked BIND, Ramen attacked rpc.statd and wu-ftpd, Slapper attacked Apache, to name a few. Attacks are on Solaris, the sadmin/IIS worm (which also attacked IIS, a cross-platform worm, remember that, cool, huh?). Attacks are on FreeBSD, Scalper worm attacked Apache. How soon people seem to forget these things. No, I don't think people are forgetting, but what Len was originally pointing out is that Microsoft, *because* of their vast install base *needs* to take a more proactive role in producing a secure OS. And the reason you can call it a toy OS is that on one hand you have *BSD, Linux and friends all with an annual budget of what, maybe $1M? And on the other hand you have a multi-billion dollar *software* company. Which should churn out better software? 
:) Charles To pound it home one more time, worms that attack Microsoft products are a bigger deal only because Microsoft has at least an order of magnitude greater installbase than the nearest competitor. -- Crist J. Clark [EMAIL PROTECTED] Globalstar Communications(408) 933-4387 The information contained in this e-mail message is confidential, intended only for the use of the individual or entity named above. If the reader of this e-mail is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this e-mail in error, please contact [EMAIL PROTECTED]
RE: Port blocking last resort in fight against virus
So give up trying to control the actions of the end nodes by destroying the edge. Make sure that complaints reach the correct responsible person. Limit your involvement to careful excerpts from your customer/IP-address database, or better yet, register them in the RIR registry so that others having complaints can reach them without wasting your time. Interesting concept... My upstream disagrees.. They, who shall remain nameless at this point, are doing a horrible job at policing their other customers, refuse to SWIP the block to me claiming they are working on it (been a year now), and they feel they need to know about whatever complaints they get about me. HMM, if they have gotten complaints, then I haven't gotten any!! And I have complained about other customers and never seen a fix.. One system was Code Red infected and had no FW; after a few weeks, I tracked them down and called them myself, and got told that the ISP never called them!!! (I reported it 5 times) This is a great idea, but I very much doubt that most ISPs will even do it. And if ISPs did this.. NOTE the spammers, they would always lie about WHOIS, RWHOIS, contact info... I dunno, there is no perfect solution here... Except, as a community we need to enforce RIR policies and actually enforce our own AUPs. (NO shots being fired here, but as we all know some ISPs' AUPs are like a law-- only affect the good citizen and not the high $ customer) just my 2c worth.. J
RE: Port blocking last resort in fight against virus
Jack, et al. As a larger than average end user and what could be called a small ISP, I really can not imagine legitimate traffic on 135.. who in their right mind would pass NB traffic in the wild? I dunno, maybe it is just that old military security mindset creeping into my brain housing group. Can someone enlighten me? What is legitimate 136 traffic? J -Original Message- From: Jack Bates [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 12, 2003 12:31 PM To: Mans Nilsson Cc: [EMAIL PROTECTED] Subject: Re: Port blocking last resort in fight against virus Mans Nilsson wrote: Your chosen path is a down-turning spiral of kludgey dependencies, where a host is secure only on some nets, and some nets can't cope with the load of all administrative filters (some routers tend to take port-specific filters into slow-path). That way lies madness. Secure? Who's talking about secure? I'm talking about trash. Not blocking the port with a large group of infected users means that your network sends trash to other people's networks. Those networks may or may not have capacity to mean your network's trash. Temporarily blocking 135 is not about security. A single infection within a local net will infect all vulnerable systems within that local net. A block upstream will not save local networks from cross infecting. However, it does stop your network from sending the trash out to other networks which may have smaller capacities than your network does. Of course, perhaps a good neighbor doesn't really care about other people's networks? Perhaps there is no such thing as a good neighbor. It's kill or be killed, and if those other networks can't take my users scanning them, then tough! There is legitimate traffic on 135. All users I've talked to have been understanding in a short term block of that port. They used alternative methods. I have a lot of valid traffic still cranking out the other Microsoft ports. -Jack
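Three of the messages above circle the same operational question: the Messenger-service pop-up on a supposedly firewalled server, the RPC sweep that produced 20K hits in 15 hours, and whether anything legitimate travels on port 135. The script below is an added example, not from the thread or from any vendor, showing how to tell those cases apart in flow records before deciding what an edge block would actually stop. The flow records are constructed (seconds offset, src, dst, proto, dst port); 192.0.2.0/24 is a documentation range standing in for a site's own space; the thresholds are assumptions to tune per network. Windows Messenger-service pop-ups ride on RPC and the common inbound carrier is udp/135, which is what the "messenger-spam" label keys on.

```python
"""Tell a port-135 sweep apart from ordinary RPC traffic in flow records.

Added example, not from the thread or any vendor. Flow records are
constructed; INTERNAL is a documentation prefix standing in for our own
space; thresholds are assumptions.
"""
import ipaddress
from collections import defaultdict

INTERNAL = [ipaddress.ip_network("192.0.2.0/24")]  # constructed "our" prefix


def _internal(ip):
    a = ipaddress.ip_address(ip)
    return any(a in n for n in INTERNAL)


SAMPLE_FLOWS = (
    # Blaster-style sweep: one outside source walks our /24 on tcp/135
    [(i, "198.51.100.7", f"192.0.2.{i}", "tcp", 135) for i in range(1, 61)]
    # ordinary RPC: a workstation talking to the mail server's endpoint mapper
    + [(t, "192.0.2.10", "192.0.2.5", "tcp", 135) for t in (5, 300, 900)]
    # Messenger-service spam: udp/135 from outside to a handful of hosts
    + [(100 + i, "203.0.113.9", f"192.0.2.{50 + i}", "udp", 135) for i in range(5)]
    # unrelated web traffic
    + [(7, "192.0.2.11", "198.51.100.80", "tcp", 80)]
)


def sweepers(flows, dport=135, min_targets=16, window=300):
    """Sources reaching >= min_targets distinct hosts on dport within window s.

    Returns {src: total distinct targets on that port}.
    """
    by_src = defaultdict(list)
    for t, src, dst, _proto, dp in flows:
        if dp == dport:
            by_src[src].append((t, dst))
    found = {}
    for src, hits in by_src.items():
        hits.sort()
        j = 0
        for i in range(len(hits)):
            while hits[i][0] - hits[j][0] > window:   # slide the window
                j += 1
            if len({d for _, d in hits[j:i + 1]}) >= min_targets:
                found[src] = len({d for _, d in hits})
                break
    return found


def classify(flows, dport=135):
    """One label per source seen on dport."""
    sw = sweepers(flows, dport)
    labels = {}
    for _t, src, dst, proto, dp in flows:
        if dp != dport or src in labels:
            continue
        if src in sw:
            labels[src] = "sweep"                  # block at the edge now
        elif proto == "udp" and not _internal(src):
            labels[src] = "messenger-spam"         # inbound udp/135 pop-ups
        elif _internal(src) and _internal(dst):
            labels[src] = "internal-rpc"           # the legitimate 135 traffic
        else:
            labels[src] = "review"
    return labels


def edge_block_list(flows, dport=135):
    """Sources an upstream block on dport would actually stop (the trash),
    without touching internal RPC that never crosses the edge anyway."""
    return sorted(s for s, lbl in classify(flows, dport).items()
                  if lbl in ("sweep", "messenger-spam"))


if __name__ == "__main__":
    for src, lbl in classify(SAMPLE_FLOWS).items():
        print(f"{src:16} {lbl}")
    print("block at edge:", edge_block_list(SAMPLE_FLOWS))
```

The workstation-to-mail-server flows are the kind of traffic Jack means by "legitimate 135": a few destinations, inside to inside, and untouched by a block at the upstream. A Messenger pop-up on a host that is supposedly behind a firewall shows up here as an outside source on udp/135 reaching an internal address, which is the evidence for the "much bigger problem" above.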
RE: North America not interested in IP V6
Jack Bates Wrote: In the US, the pipe is limited in any number of ways in attempts to limit how many people share their broadband with their neighbor at a reduced rate. Another issue is that handing out IP addresses to the home at this point is foolish. Users, in general, can't protect themselves. EXACTLY-- I wish there was some kind of regulatory something or other that made a cable/DSL router mandatory... HMMM -- Wonder if Lieberman would sponsor a bill? ;) Jim
RE: WANTED: ISPs with DDoS defense solutions
I tend to agree here. I have noticed so many attacks etc. coming from APNIC as of recent that on our corp network we have an ACL to block a number of APNIC blocks. If there was a dynamic method to add null0 routes to identified zombies, I think that would help. I.e. security company A provides a feed (BGP etc.) to null route zombies that it has identified. But that opens a whole other can of worms. J -Original Message- From: Petri Helenius [mailto:[EMAIL PROTECTED] Sent: Thursday, July 31, 2003 9:24 AM To: [EMAIL PROTECTED]; Rob Thomas Cc: NANOG Subject: Re: WANTED: ISPs with DDoS defense solutions I would say that because backdoored hosts are easily available in large quantities, spoofing does not make sense and usually alarms various systems more quickly than packets from legitimate addresses. Pete - Original Message - From: [EMAIL PROTECTED] To: Rob Thomas [EMAIL PROTECTED] Cc: NANOG [EMAIL PROTECTED] Sent: Thursday, July 31, 2003 4:17 PM Subject: Re: WANTED: ISPs with DDoS defense solutions On Wed, 30 Jul 2003, Rob Thomas wrote: I've tracked 1787 DDoS attacks since 01 JAN 2003. Of that number, only 32 used spoofed sources. I rarely see spoofed attacks now. Do you have any ideas as to why that is? Is it due to more providers doing source filtering? It wouldn't make sense for attackers to become less sophisticated unless they became more difficult to catch for other reasons (e.g. botnets getting bigger). Rich
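The "can of worms" in an automated zombie feed is that whoever controls the feed controls what your routers black-hole. The script below is an added example, not from the thread, any vendor or any feed provider: it consumes a feed of identified zombie addresses and emits Null0 static routes only after the checks that make such a feed survivable (host routes only, never your own space, never private or bogon space, entries expire unless re-reported, and a hard cap on the number installed). The feed format ("<address> <ISO timestamp>" per line), the route syntax and tag value, and the OUR_PREFIXES list are all assumptions; SAMPLE_FEED is constructed from documentation ranges.

```python
"""Turn a feed of identified zombie addresses into blackhole routes, with
the sanity checks that make an automated feed survivable.

Added example, not from the thread, any vendor or any feed provider. Feed
format, route syntax, tag value and OUR_PREFIXES are assumptions.
"""
import ipaddress
from datetime import datetime, timedelta

OUR_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]   # assumed: our own space
NEVER_BLACKHOLE = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]
MAX_ENTRIES = 1000               # hard cap so a bad feed cannot flood the RIB
MAX_AGE = timedelta(hours=6)     # an entry must be re-reported to stay
SAMPLE_NOW = datetime(2003, 7, 31, 12, 0, 0)   # constructed "current time"

# Constructed feed; each line is "<address> <when identified>".
SAMPLE_FEED = """\
198.51.100.23 2003-07-31T09:00:00
198.51.100.24 2003-07-31T09:00:00
198.51.100.23 2003-07-31T09:00:00
203.0.113.77 2003-07-30T08:30:00
192.0.2.9 2003-07-31T09:00:00
10.1.2.3 2003-07-31T09:00:00
203.0.113.0/22 2003-07-31T09:00:00
not-an-address 2003-07-31T09:00:00
"""


def parse_feed(text, now, max_entries=MAX_ENTRIES):
    """Return (accepted host prefixes, [(entry, reason) rejected])."""
    accepted, rejected, seen = [], [], set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            rejected.append((line, "malformed"))
            continue
        target, stamp = parts
        try:
            net = ipaddress.ip_network(target, strict=False)
            when = datetime.fromisoformat(stamp)
        except ValueError:
            rejected.append((target, "unparseable"))
            continue
        if net.version != 4 or net.prefixlen != 32:
            rejected.append((target, "only IPv4 host routes"))   # a /22 takes out a whole ISP
        elif any(net.subnet_of(p) for p in OUR_PREFIXES):
            rejected.append((target, "our own space"))           # never let a feed black-hole us
        elif any(net.subnet_of(p) for p in NEVER_BLACKHOLE):
            rejected.append((target, "bogon/private"))
        elif now - when > MAX_AGE:
            rejected.append((target, "stale"))                   # zombies get cleaned, IPs reassigned
        elif str(net) not in seen:                               # duplicates are silently folded
            seen.add(str(net))
            accepted.append(str(net))
            if len(accepted) >= max_entries:
                break
    return accepted, rejected


def render_static_routes(hosts, tag=666):
    """Static Null0 routes in one common dialect, assumed for illustration.
    The tag lets a route-map pick exactly these up for redistribution."""
    return [f"ip route {h.split('/')[0]} 255.255.255.255 Null0 tag {tag}" for h in hosts]


if __name__ == "__main__":
    ok, bad = parse_feed(SAMPLE_FEED, SAMPLE_NOW)
    print("\n".join(render_static_routes(ok)))
    for entry, why in bad:
        print(f"rejected {entry}: {why}")
```

The rejected list is worth logging rather than dropping: a feed that starts sending your own prefixes, or anything shorter than a host route, is either compromised or broken, and either way you want to know before the cap is what saved you.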
RE: The internet is slow
But isn't that the purpose of NANOG? To fix the major problems before the world knows about them. I would much rather discuss a problem here and solve it and tell a reporter, Yes (sir, or ma'am) the Internet community worked together to solve the problem.. Than say, I don't know, it just cleared up, it's all a mystery... :) J -Original Message- From: Richard A Steenbergen [mailto:[EMAIL PROTECTED] Sent: Thursday, July 31, 2003 3:53 PM To: Rick Ernst Cc: NANOG Subject: Re: The internet is slow On Thu, Jul 31, 2003 at 12:02:32PM -0700, Rick Ernst wrote: Packet loss within UUNET, apparently localized to the Portland (OR) area. I've turned down our peer with them and things are looking much better. Thanks for all the help/responses. Shhh, next thing you know some reporter is going to be writing a story about how the NANOG mailing list fixed that darn the internet is slow problem everyone has been complaining about. -- Richard A Steenbergen [EMAIL PROTECTED] http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
RE: WANTED: ISPs with DDoS defense solutions
Paul Vixie said: lots of late night pondering tonight. the anti-nat anti-firewall pure-end-to-end crowd has always argued in favour of every host for itself but in a world with a hundred million unmanaged but reprogrammable devices is that really practical? if *all* dsl and cablemodem plants firewalled inbound SYN packets and/or only permitted inbound UDP in direct response to prior valid outbound UDP, would rob really have seen a ~140Khost botnet this year? -- - YEAH but if I wanted to do it, the best way would be behind the firewall... They would have to put in PIX 535 with GigE and segment the network into DMZs.. HMM.. I think that if the cable modem had a built in router with NAT this problem could be solved partially.. I did a test about 6 months ago. Almost a honeypot, but not quite. Put a standard Windows ME system on a RW IP; put a $60 cable router in front of a similar system. The ME was compromised and made into a bot in 3 hours. The $60 router protected one was not compromised in the 2 weeks it was used. Both had AV and were updated daily via automation. IF only cable operators would at least STRESS the security issues OR make the AUPs stick.. Some of you may have seen my emails asking for help from Charter about security issues. It took me almost 4 months to get someone's attention, and then only after I brought up several ARIN and other policies they violated. I hate to say it but I don't think we will see anything change here.. And if so not enough to matter, maybe from 140K to 120K. Anyway I am ranting... J
RE: rfc1918 ignorant
Interesting. Did any of you note last month or so that Sprint US came out with a notice that they are no longer going to route /30 ptp subnets unless the customer specifically asks for it? Could that be why 10.x.y.z is showing up here? Sprint??? you out there? -Original Message- From: Haesu [mailto:[EMAIL PROTECTED] Sent: Wednesday, July 23, 2003 12:53 PM To: Vinny Abello; [EMAIL PROTECTED] Subject: Re: rfc1918 ignorant Heh, check this out. traceroute to 219.168.64.121 (219.168.64.121), 64 hops max, 44 byte packets 1 216.93.161.1 (216.93.161.1) 0.532 ms 0.518 ms 0.405 ms 2 66.7.159.33 (66.7.159.33) 0.796 ms 0.667 ms 0.543 ms 3 gigabitethernet8-0-513.ipcolo1.SanFrancisco1.Level3.net (63.211.150.225) 0.541 ms 0.478 ms 0.834 ms 4 gigabitethernet4-1.core1.SanFrancisco1.Level3.net (209.244.14.197) 0.547 ms 0.486 ms 0.530 ms 5 so-4-0-0.mp2.SanFrancisco1.Level3.net (209.247.10.233) 0.741 ms 0.729 ms 0.731 ms 6 so-2-0-0.mp2.SanJose1.Level3.net (64.159.0.218) 1.677 ms 1.510 ms 1.549 ms 7 unknown.Level3.net (64.159.2.102) 1.864 ms 1.851 ms 1.875 ms 8 sl-bb20-sj.sprintlink.net (209.245.146.142) 3.110 ms 3.831 ms 3.321 ms 9 sl-bb22-sj-14-0.sprintlink.net (144.232.3.165) 7.127 ms 3.290 ms 3.331 ms 10 sl-bb20-tok-13-1.sprintlink.net (144.232.20.188) 113.739 ms 113.731 ms 113.874 ms 11 sl-gw10-tok-15-0.sprintlink.net (203.222.36.42) 114.400 ms 114.051 ms 114.067 ms 12 sla-bbtech-2-0.sprintlink.net (203.222.37.106) 114.207 ms 114.295 ms 114.340 ms 13 10.9.17.10 (10.9.17.10) 101.595 ms 101.580 ms 101.771 ms 14 10.0.13.2 (10.0.13.2) 119.025 ms 118.765 ms 118.833 ms 15 10.4.10.2 (10.4.10.2) 134.809 ms 134.536 ms 134.668 ms 16 10.3.10.130 (10.3.10.130) 134.526 ms 135.004 ms 135.701 ms 17 10.10.0.25 (10.10.0.25) 135.291 ms 134.899 ms 135.293 ms 18 10.10.0.3 (10.10.0.3) 122.515 ms 122.210 ms 121.779 ms 19 10.10.0.11 (10.10.0.11) 135.643 ms 135.144 ms 135.438 ms 20 10.10.3.4 (10.10.3.4) 121.721 ms 121.872 ms 122.603 ms 21 10.10.3.36 (10.10.3.36) 135.069 ms 134.956 ms 135.330 ms 22 
10.10.3.107 (10.10.3.107) 121.906 ms 122.708 ms 122.076 ms 23 YahooBB219168064121.bbtec.net (219.168.64.121) 147.137 ms 146.039 ms 147.453 ms -hc -- Sincerely, Haesu C. TowardEX Technologies, Inc. WWW: http://www.towardex.com E-mail: [EMAIL PROTECTED] Cell: (978) 394-2867 On Wed, Jul 23, 2003 at 09:07:51AM -0400, Vinny Abello wrote: Heh... Check out Comcast. A large part of their network uses rfc1918: 216 ms 9 ms10 ms 10.110.168.1 315 ms10 ms11 ms 172.30.116.17 410 ms13 ms10 ms 172.30.116.50 514 ms12 ms26 ms 172.30.112.123 610 ms14 ms23 ms 172.30.110.105 At 08:48 AM 7/23/2003, you wrote: Is there a site to report networks/isps that still leak rfc1918 space? By leaking I not only mean don't filter, but actually _use_ in their network? If someone is keeping a list, feel free to add ServerBeach.com. All traceroutes to servers housed there, pass by 10.10.10.3. traceroute to www.serverbeach.com ... 20. 64-132-228-70.gen.twtelecom.net 21. 10.10.10.3 22. 66.139.72.12 Kind Regards, Frank Louwers -- Openminds bvbawww.openminds.be Tweebruggenstraat 16 - 9000 Gent - Belgium Vinny Abello Network Engineer Server Management [EMAIL PROTECTED] (973)300-9211 x 125 (973)940-6125 (Direct) PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0 E935 5325 FBCB 0100 977A Tellurian Networks - The Ultimate Internet Connection http://www.tellurian.com (888)TELLURIAN There are 10 kinds of people in the world. Those who understand binary and those that don't.
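The question the traceroutes above raise is not just "who uses RFC 1918 on transit links" but "which network is it", and the only pointer you get is the last hop that answered from public space before the private run starts. The parser below is an added example, not from the thread: it reads both the Unix layout (address in parentheses) and the Windows tracert layout, tolerates hops that time out, and reports the private hops together with the public hop that precedes them. SAMPLE_UNIX is trimmed from the traceroute posted above; SAMPLE_WINDOWS is constructed in tracert layout from the Comcast hops quoted there, with documentation addresses filled in for hops the post did not show.

```python
"""Find where a traceroute crosses into RFC 1918 space and which public
hop sits just before it.

Added example, not from the thread. SAMPLE_UNIX is trimmed from the
traceroute posted in the thread; SAMPLE_WINDOWS is constructed.
"""
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HOP_RE = re.compile(r"^\s*(\d+)\s")
PAREN_IP_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")
BARE_IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

SAMPLE_UNIX = """\
traceroute to 219.168.64.121 (219.168.64.121), 64 hops max, 44 byte packets
 1  216.93.161.1 (216.93.161.1)  0.532 ms  0.518 ms  0.405 ms
 8  sl-bb20-sj.sprintlink.net (209.245.146.142)  3.110 ms  3.831 ms  3.321 ms
12  sla-bbtech-2-0.sprintlink.net (203.222.37.106)  114.207 ms  114.295 ms  114.340 ms
13  10.9.17.10 (10.9.17.10)  101.595 ms  101.580 ms  101.771 ms
14  10.0.13.2 (10.0.13.2)  119.025 ms  118.765 ms  118.833 ms
23  YahooBB219168064121.bbtec.net (219.168.64.121)  147.137 ms  146.039 ms  147.453 ms
"""

# Constructed: Windows tracert layout with the Comcast hops quoted in the
# thread; 192.0.2.1 and 198.51.100.1 are documentation addresses.
SAMPLE_WINDOWS = """\
  1     1 ms     1 ms     1 ms  192.0.2.1
  2    16 ms     9 ms    10 ms  10.110.168.1
  3    15 ms    10 ms    11 ms  172.30.116.17
  4     *        *        *     Request timed out.
  5    14 ms    12 ms    26 ms  198.51.100.1
"""


def is_rfc1918(ip):
    # ipaddress.is_private also matches the documentation ranges used in
    # this example, so the check is against the three RFC 1918 blocks only.
    a = ipaddress.ip_address(ip)
    return any(a in n for n in RFC1918)


def parse_hops(text):
    """[(hop number, responding address or None)] from either layout."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue                      # header line, blank line, etc.
        ip = PAREN_IP_RE.search(line) or BARE_IP_RE.search(line)
        hops.append((int(m.group(1)), ip.group(1) if ip else None))
    return hops


def attribute_leak(text):
    """Private hops plus the last public hop before the first of them.

    That public hop is the best available pointer to the network that is
    numbering its links from RFC 1918 space (or not filtering it out).
    Returns None when no hop answered from private space.
    """
    hops = parse_hops(text)
    private = [(h, ip) for h, ip in hops if ip and is_rfc1918(ip)]
    if not private:
        return None
    first = private[0][0]
    public_before = [(h, ip) for h, ip in hops
                     if h < first and ip and not is_rfc1918(ip)]
    return {"private_hops": private,
            "last_public_hop": public_before[-1] if public_before else None}


if __name__ == "__main__":
    for name, sample in (("unix", SAMPLE_UNIX), ("windows", SAMPLE_WINDOWS)):
        print(name, attribute_leak(sample))
```

On the posted traceroute the last public hop is the sprintlink.net router at hop 12, which is what makes the Sprint question above a reasonable one to ask. One caveat when you do add an ingress filter for RFC 1918 sources at your own border: the ICMP time-exceeded replies from those hops are exactly what the filter drops, so the same traceroute will then show `*` for hops 13 onward rather than the private addresses, and the leak becomes invisible rather than fixed.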
RE: rfc1918 ignorant
I have a friend who is in SprintLink as a customer and he has VPN routers that this would take down... He called and they will route it.. Also, I got an offlist reply from a network services tech, and he said they would route if a customer requests it.
J

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 24, 2003 8:44 AM
To: [EMAIL PROTECTED]
Subject: RE: rfc1918 ignorant

According to the notice they sent me on 7/1, this isn't supposed to take effect until Aug 17th or 18th for existing customers, and they didn't mention an option to specifically request that they not do this. However, there was a link:

http://www.sprint.net/faq/serialip.html

That explains that you can keep using your ptp IP if you request it, but in either case, they will no longer route their end of the IP.

On Thu, 24 Jul 2003, McBurnett, Jim wrote:
> Interesting. Did any of you note last month or so that Sprint US came out with a notice that they are no longer going to route /30 ptp subnets unless the customer specifically asks for it? Could that be why 10.x.y.z is showing up here?
> Sprint??? you out there?

James Smallacombe
PlantageNet, Inc. CEO and Janitor
[EMAIL PROTECTED]
http://3.am
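The thread above is about spotting RFC 1918 addresses inside a path across the public Internet, once in Unix `traceroute` output and once in Windows `tracert` output. The following is an added example, not code from the thread or from any of the posters: a small parser that handles both layouts, flags hops that fall inside the three RFC 1918 blocks, and lets you ignore the first hop (a home router on 192.168.x.x is expected; a private hop in the middle of a transit path is the leak the posters are complaining about). The two sample traces are constructed for the example, with hop numbers and addresses chosen to resemble the ones in the thread; `transit_private_hops` and `is_rfc1918` are names chosen here.

```python
import ipaddress
import re

# The three RFC 1918 blocks. A hop from any of these on a path that crosses
# the public Internet means the operator is using private space on transit links.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# A traceroute data line starts with the hop number; header lines ("traceroute to ...") do not.
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
# First dotted quad on the line: works for "13  10.9.17.10 (10.9.17.10)  101.595 ms"
# and for "  2    16 ms     9 ms    10 ms  10.110.168.1" alike (RTTs have a single dot).
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample in the Unix traceroute layout (excerpt-style; hop 15 timed out).
SAMPLE_UNIX = """\
traceroute to 219.168.64.121 (219.168.64.121), 64 hops max, 44 byte packets
 1  216.93.161.1 (216.93.161.1)  0.532 ms  0.518 ms  0.405 ms
 3  gigabitethernet8-0-513.ipcolo1.SanFrancisco1.Level3.net (63.211.150.225)  0.541 ms  0.478 ms  0.834 ms
13  10.9.17.10 (10.9.17.10)  101.595 ms  101.580 ms  101.771 ms
14  10.0.13.2 (10.0.13.2)  119.025 ms  118.765 ms  118.833 ms
15  * * *
23  YahooBB219168064121.bbtec.net (219.168.64.121)  147.137 ms  146.039 ms  147.453 ms
"""

# Constructed sample in the Windows tracert layout; hop 1 is the user's own NAT box.
SAMPLE_WIN = """\
  1    10 ms     9 ms    10 ms  192.168.1.1
  2    16 ms     9 ms    10 ms  10.110.168.1
  3    15 ms    10 ms    11 ms  172.30.116.17
  4    12 ms    11 ms    13 ms  203.0.113.1
"""


def is_rfc1918(ip):
    """True if the dotted-quad string lies in 10/8, 172.16/12 or 192.168/16."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_hops(text):
    """Return (hop_number, ip_or_None) per data line; None marks a '* * *' hop."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        ipm = IPV4_RE.search(m.group(2))
        hops.append((int(m.group(1)), ipm.group(1) if ipm else None))
    return hops


def private_hops(text):
    """All hops whose address is RFC 1918 space."""
    return [(hop, ip) for hop, ip in parse_hops(text) if ip and is_rfc1918(ip)]


def transit_private_hops(text, skip_first=1):
    """Private hops beyond the first `skip_first` hops, i.e. the ones on someone
    else's network rather than the local NAT router."""
    return [(hop, ip) for hop, ip in private_hops(text) if hop > skip_first]


if __name__ == "__main__":
    for name, sample in (("unix", SAMPLE_UNIX), ("windows", SAMPLE_WIN)):
        print(name, "private hops past the first:", transit_private_hops(sample))
```

Feed it a real trace as a single string; the hop number in each result tells you roughly where on the path the private addressing begins, which is the evidence the list was asking for before naming a provider.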
RE: Cisco vulnerability and dangerous filtering techniques
> Quick solution to this bug, as well as any future bug(s): replace all routers with PCs running Zebra.

That is good until Zebra gets a bug and then someone will say go to XYZ...
Jim
RE: Cisco vulnerability and dangerous filtering techniques
EXACTLY!!
Company A fired the wrong person. DDoS internally.
Company B has a Business partner that has VPN access, that gets infected.
Company C has a home user that uses VPN on a cable modem. He gets infected.
Virus writers will see this and use it... What better DDoS method is there than to take down the network equipment?
I see this as a make or break. If someone does not upgrade, well think of this as a roller-coaster. Remember the sign? This ride is not advised for people with bad backs, pregnant ladies..
This will be a long year of patches and learning experiences...
J

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 22, 2003 9:55 AM
To: Niels Bakker
Cc: [EMAIL PROTECTED]
Subject: Re: Cisco vulnerability and dangerous filtering techniques

On Tue, 22 Jul 2003 15:40:02 +0200, Niels Bakker [EMAIL PROTECTED] said:
> * [EMAIL PROTECTED] (Adam Maloney) [Tue 22 Jul 2003, 15:33 CEST]:
> > The next worm taking advantage of the latest Windows' vulnerabilities is more or less inevitable. Someone somewhere has to be writing it. So why not include the cisco exploit in the worm payload?
>
> Why would a worm disable a vital component on its path to new infections?

It's not part of the spread-the-worm code, it's part of the DDoS engine that it leaves behind. If you get lucky, one of your 20K zombies is the other side of a router along with whoever you're pissed at and want to DDoS, so you send the command, and the zombie sprays 76 packets, goes to sleep for 30 mins, sprays another 76.. lather rinse repeat.

I'm going to go out on a limb and say that at least 30% of Ciscos are installed in places that would, if hit with this, have NO CLUE why their router needs to be power cycled every 30 mins.
RE: Cisco vulnerability on smaller catalyst switches
With the idea below: What is the current opinion about upgraded switches behind a firewall on a private lan? I suspect upgrade later or not at all. But curious about others' opinions..
Later,
J

-Original Message-
From: Chris Griffin [mailto:[EMAIL PROTECTED]]
Sent: Friday, July 18, 2003 5:58 PM
To: [EMAIL PROTECTED]
Subject: Cisco vulnerability on smaller catalyst switches

As part of our vulnerability tests, we have been unable to confirm that the smaller catalyst switches running IOS but without L3 capability are vulnerable. They don't seem to react in a negative way to the same attacks that lock up the other devices we have tested. Has anyone else been able to verify this one way or the other?

--
Chris Griffin [EMAIL PROTECTED]
Network Engineer - CCNP    Phone: (352) 392-2061
OIT - Network Services     Fax: (352) 392-9440
University of Florida
Gainesville, FL 32611
RE: Weird email messages with re:movie and re:application in the subject line..
got it here too.. And on 30+ publicly announced mail accounts. Hitting big.. sobig virus once again...
Jim

-Original Message-
From: Anne P. Mitchell, Esq. [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 25, 2003 11:05 PM
To: '[EMAIL PROTECTED]'
Subject: Re: Weird email messages with re:movie and re:application in the subject line..

> New spam technique or some new virus, similar to a Melissa? Any body else seeing this?

We're seeing it here too, coming to role accounts. Our folks are saying virus, but haven't identified which one yet.

Anne
RE: Country of Origin for Malicious Attacks
Sean,
of the scans I get and have seen..
60% APNIC region - Most notably Taiwan, China, and Korea (north)
20% RIPE - Most notably Former Soviet Bloc nations, then Scandinavian countries...
20% ARIN/LACNIC
This is a rough estimate from the last 3 weeks...
I guess you may be after this kind of fact: When I blocked HINET (Taiwan based-- has a single /16 to my knowledge) I cut scans/probes by 20%
Later,
Jim

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 25, 2003 11:58 AM
To: [EMAIL PROTECTED]
Subject: Country of Origin for Malicious Attacks

I was wondering if folks had noticed any trends with malicious network attacks predominantly originating from any individual or group of countries. Any observations, comments or help would be greatly appreciated.

Thanks,
sean
RE: The Cidr Report
Not sure how relevant this may be but: Interland has recently been in a major network move. They bought out Communitech and are in the process of moving datacenters to the Interland centers.. This could explain it. But they should be doing a better job of it though...
Jim

-Original Message-
From: Hank Nussbacher [mailto:[EMAIL PROTECTED]]
Sent: Saturday, June 21, 2003 3:41 PM
To: Haesu; [EMAIL PROTECTED]
Subject: Re: The Cidr Report

At 01:00 PM 21-06-03 -0400, Haesu wrote:
> What is up with ASN11305 generating humongous loads of unaggregated /24's?

Sent them an email 11 days ago, no reply yet:

Date: Tue, 10 Jun 2003 10:56:46 +0200
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
From: Hank Nussbacher [EMAIL PROTECTED]
Subject: AS11305 - routing table bloat
Cc: Terry Baranski [EMAIL PROTECTED], [EMAIL PROTECTED]

AS11305 has been lately seen to be sending out too many prefixes not based on CIDR boundaries, thereby increasing the global router table size:

ASnum     NetsNow  NetsAggr  NetGain  % Gain  Description
AS11305       646       136      510   78.9%  INTERLAND-NET1 Interland Incorporated

See http://www.mcvax.org/~jhma/routing/ and http://bgp.potaroo.net/cidr/ and http://bgp.potaroo.net/cgi-bin/as-report?as=as11305&view=4637 for further details.

Regards,
Hank

-Hank

> -hc
>
> Aggregation Summary
> The algorithm used in this report proposes aggregation only when there is a precise match using the AS path, so as to preserve traffic transit policies. Aggregation is also proposed across non-advertised address space ('holes').
>
> --- 20Jun03 ---
>
> ASnum     NetsNow  NetsAggr  NetGain  % Gain  Description
> Table      122681     87722    34959   28.5%  All ASes
> AS7132        923       229      694   75.2%  SBIS-AS SBC Internet Services - Southwest
> AS11305       647       137      510   78.8%  INTERLAND-NET1 Interland Incorporated
> AS701        1514      1070      444   29.3%  ALTERNET-AS UUNET Technologies, Inc.
> AS7843        614       175      439   71.5%  ADELPHIA-AS Adelphia Corp.
> AS4323        600       177      423   70.5%  TW-COMM Time Warner Communications, Inc.
> AS7018       1337       927      410   30.7%  ATT-INTERNET4 ATT WorldNet Services
> AS3908        889       521      368   41.4%  SUPERNETASBLK SuperNet, Inc.
> AS1221       1062       756      306   28.8%  ASN-TELSTRA Telstra Pty Ltd
> AS6197        518       225      293   56.6%  BATI-ATL BellSouth Network Solutions, Inc
> AS4355        397       111      286   72.0%  ERMS-EARTHLNK EARTHLINK, INC
> AS6198        475       189      286   60.2%  BATI-MIA BellSouth Network Solutions, Inc
> AS1239        959       677      282   29.4%  SPRINTLINK Sprint
> AS6347        367        92      275   74.9%  DIAMOND SAVVIS Communications Corporation
> AS27364       319        87      232   72.7%  ACS-INTERNET Armstrong Cable Services
> AS17676       250        24      226   90.4%  GIGAINFRA XTAGE CORPORATION
> AS22773       220         8      212   96.4%  CCINET-2 Cox Communications Inc. Atlanta
> AS209         498       305      193   38.8%  ASN-QWEST Qwest
> AS705         508       331      177   34.8%  ALTERNET-AS UUNET Technologies, Inc.
> AS2386        406       235      171   42.1%  INS-AS ATT Data Communications Services
> AS2048        258        87      171   66.3%  LANET-1 State of Louisiana
> AS17557       341       173      168   49.3%  PKTELECOM-AS-AP Pakistan Telecom
> AS6327        190        24      166   87.4%  SHAWFIBER Shaw Fiberlink Limited
> AS13601       205        46      159   77.6%  ASN-INNERHOST Innerhost, Inc.
> AS690         450       293      157   34.9%  MERIT-AS-27 Merit Network Inc.
> AS20115       463       311      152   32.8%  CHARTER-NET-HKY-NC Charter Communications
> AS3602        226        79      147   65.0%  SPRINT-CA-AS Sprint Canada Inc.
> AS2686        258       112      146   56.6%  AS2686 ATT Global Network Services - EMEA
> AS6140        297       155      142   47.8%  IMPSAT-USA ImpSat
> AS7303        238        98      140   58.8%  AR-TAST-LACNIC Telecom
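The report quoted above states its rule in one sentence: aggregate only where the AS path matches exactly, and allow an aggregate to cover unadvertised holes. The following is an added example, not the CIDR Report's own code, of a simplified version of that rule so the NetsNow / NetsAggr / NetGain columns can be reproduced on a small table. It groups announcements by AS path, merges exactly adjacent prefixes, then lets an aggregate grow over holes as long as it absorbs another prefix of the same path and never covers a prefix announced with a different path. The `shortest` cap on aggregate length and the sample announcements (private AS numbers, 10.1.0.0/22) are assumptions made for this example.

```python
import ipaddress
from collections import defaultdict

# Constructed announcements: (prefix, AS path). AS65001 announces three /24s with a
# hole at 10.1.2.0/24; AS65002 announces the /24 just above them.
SAMPLE_ANNOUNCEMENTS = [
    ("10.1.0.0/24", ("65001",)),
    ("10.1.1.0/24", ("65001",)),
    ("10.1.3.0/24", ("65001",)),
    ("10.1.4.0/24", ("65002",)),
]


def aggregate(announcements, shortest=16):
    """Propose aggregates per AS path.

    Prefixes merge only with prefixes carrying the same path (transit policy is
    preserved). An aggregate may cover unadvertised space (a hole) but never space
    advertised with a different path. `shortest` caps how far an aggregate may grow;
    that cap is a simplification for this example, not part of the report's rule."""
    by_path = defaultdict(list)
    for prefix, path in announcements:
        by_path[tuple(path)].append(ipaddress.ip_network(prefix))
    proposed = {}
    for path, nets in by_path.items():
        others = [n for p, ns in by_path.items() if p != path for n in ns]
        agg = set(ipaddress.collapse_addresses(nets))  # exact adjacent merges first
        grown = True
        while grown:
            grown = False
            for net in sorted(agg):
                if net.prefixlen <= shortest:
                    continue
                sup = net.supernet()
                # grow only if the supernet absorbs another prefix of the same path ...
                if not any(n != net and n.subnet_of(sup) for n in agg):
                    continue
                # ... and never if it would swallow a prefix announced with another path
                if any(o.overlaps(sup) for o in others):
                    continue
                agg = {n for n in agg if not n.subnet_of(sup)} | {sup}
                grown = True
                break
        proposed[path] = sorted(agg)
    return proposed


def summary(announcements, shortest=16):
    """The report's NetsNow / NetsAggr / NetGain / % Gain for one table."""
    now = len(announcements)
    aggr = sum(len(v) for v in aggregate(announcements, shortest).values())
    gain = now - aggr
    return {"NetsNow": now, "NetsAggr": aggr, "NetGain": gain,
            "pct": round(100.0 * gain / now, 1) if now else 0.0}


if __name__ == "__main__":
    for path, nets in aggregate(SAMPLE_ANNOUNCEMENTS).items():
        print("AS path", " ".join(path), "->", [str(n) for n in nets])
    print(summary(SAMPLE_ANNOUNCEMENTS))
```

With the sample table the three AS65001 /24s collapse to 10.1.0.0/22 across the hole at 10.1.2.0/24; add an announcement of 10.1.2.0/24 from AS65002 and the hole is no longer free, so the best the rule allows is 10.1.0.0/23 plus 10.1.3.0/24.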
RE: Rescheduled: P2P file sharing national security and personal security risks
HMMM... Well, in the US, there is even the threat of lawsuit from an Employee that gets pornographic SPAM email... should the employer not make efforts to block it, the employee can sue.. BUT it is the same argument.. Do we take the bad with the good? do we allow P2P when it can create security issues?
All this should be regulated by corporations not government.. IE: Every business model is different.. A defense contractor should definitely block p2p, but does a computer gaming company need to block it?
The Entire issue goes back to the job description of security professional: Balancing the operational needs of XYZ vs. the hassle of certain security needs. That is all this is...
Some Senator or Congress member got wind of a potential security issue, and in light of Sept 11, EVERYTHING is being scrutinized...
Anyway.. I've said enuf.
J

From: Stephen J. Wilcox
> Hmm where do you draw the line.. peer2peer file sharing, MS Networking, SMTP, telephones, snail mail, visiting foreign countries, meeting people at all.. ?
>
> Seems a bit silly to me to be having the conversation at all, it's people who willingly leak this information, not the mechanism used, that's at fault
>
> Steve
>
> On Fri, 13 Jun 2003, Richard Irving wrote:
> > After all, how many meetings are there going to be assessing the risk SMTP has on National Security ? Or, as you mentioned, MS file sharing... And, remember, SMTP is -already- proven guilty of said Risk, and a far more -probable- culprit in future compromises... !
> > Reality Check.
> > My .02c
> > .Richard.
> > My, what interesting times we live in, and darn it, important people noticed me! :{
> >
> > Sean Donelan wrote:
> > > June 10, 2003
> > > NOTICE OF RESCHEDULED FULL COMMITTEE HEARING
> > > The Senate Committee on the Judiciary scheduled for Wednesday, June 11, 2003, at 2:00 p.m., on "The Dark Side of a Bright Idea: Could Personal and National Security Risks Compromise the Potential of P2P File-Sharing Networks?" has been rescheduled for Tuesday, June 17, 2003 at 2:00 p.m. in Room 226 of the Senate Dirksen Building.
> > > By order of the Chairman
> > >
> > > I wonder if anyone is going to mention that Microsoft Network Neighborhood file sharing is a form of P2P file sharing.
RE: Net-24 top prefix generating bogus RFC-1918 queries
guys..
I have a thought... I am a charter fiber customer.. AND they use lots of 1918 address for management even some customer links. I have seen this on all the cable providers.. unlike Sprint/MCI/ATT they don't use 100% RW on all their equipment.. then they leak because the BGP is not filtering properly..

-Original Message-
From: John Brown [mailto:[EMAIL PROTECTED]]
Sent: Sunday, June 01, 2003 1:55 AM
To: Roland Verlander
Cc: [EMAIL PROTECTED]
Subject: Re: Net-24 top prefix generating bogus RFC-1918 queries

> Why does 65/8 generate almost as many queries as 24/8?

because there are lots of cable and DSL users in those prefixes
My cable at home is net-65
RE: Net-24 top prefix generating bogus RFC-1918 queries
Forgive me.. I thought I understood that 1918 routes were leaking
Jim

-Original Message-
From: Sean Donelan [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 02, 2003 12:26 AM
To: [EMAIL PROTECTED]
Subject: RE: Net-24 top prefix generating bogus RFC-1918 queries

On Sun, 1 Jun 2003, McBurnett, Jim wrote:
> guys.. I have a thought... I am a charter fiber customer.. AND they use lots of 1918 address for management even some customer links. I have seen this on all the cable providers.. unlike Sprint/MCI/ATT they don't use 100% RW on all their equipment.. then they leak because the BGP is not filtering properly..

Uhm, incorrect. A DNS lookup for a RFC1918 in-addr.arpa record is unrelated to BGP or BGP filters. If you want to generate an RFC1918 in-addr.arpa query to the AS112 servers do the following:

nslookup
Default Server:  localhost
Address:  127.0.0.1

set querytype=any
10.in-addr.arpa
Server:  localhost
Address:  127.0.0.1

Non-authoritative answer:
10.in-addr.arpa
        origin = prisoner.iana.org
        mail addr = hostmaster.root-servers.org
        serial = 2002040800
        refresh = 1800 (30M)
        retry = 900 (15M)
        expire = 604800 (1W)
        minimum ttl = 604800 (1W)

Authoritative answers can be found from:
10.in-addr.arpa nameserver = BLACKHOLE-1.iana.org
10.in-addr.arpa nameserver = BLACKHOLE-2.iana.org
BLACKHOLE-1.iana.org    internet address = 192.175.48.6
BLACKHOLE-2.iana.org    internet address = 192.175.48.42

Your query will then be included in John's statistics. Your BGP filters will not stop it.
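The exchange above turns on a distinction: the bogus RFC 1918 queries John counts are reverse-DNS lookups under in-addr.arpa that a site's resolver forwards out to the AS112 blackhole servers, and no BGP filter touches them. The fix is on the resolver, which should answer those zones itself. The following is an added example, not code from the thread or from the AS112 project: it lists the reverse zones for the RFC 1918 ranges, classifies query names against them, converts a reverse name back to the address being looked up, and tallies what would have escaped from a sample batch of queries. The query list is constructed; the BIND-style stanza text in `bind_empty_zone_stanzas` is illustrative configuration shape, not a tested configuration. Making a resolver authoritative for an empty copy of these zones is the approach RFC 6303 ("Locally Served DNS Zones") standardises.

```python
import ipaddress
from collections import Counter

# Reverse zones covering 10/8, 172.16/12 and 192.168/16. Queries under these names
# that leave a site end up at the AS112 / blackhole servers seen in the nslookup above.
LOCAL_ZONES = (["10.in-addr.arpa"]
               + [f"{o}.172.in-addr.arpa" for o in range(16, 32)]
               + ["168.192.in-addr.arpa"])

# Constructed sample of query names as a resolver log might show them.
SAMPLE_QUERIES = [
    "3.10.10.10.in-addr.arpa",       # PTR for 10.10.10.3
    "10.17.9.10.in-addr.arpa",       # PTR for 10.9.17.10
    "10.in-addr.arpa",               # the zone apex itself (querytype=any)
    "17.116.30.172.in-addr.arpa",    # PTR for 172.30.116.17
    "121.64.168.219.in-addr.arpa",   # PTR for a public address: fine to forward
]


def rfc1918_reverse_zone(qname):
    """Return the RFC 1918 reverse zone that contains qname, or None."""
    name = qname.rstrip(".").lower()
    for zone in LOCAL_ZONES:
        # the leading "." stops "5.110.in-addr.arpa" matching "10.in-addr.arpa"
        if name == zone or name.endswith("." + zone):
            return zone
    return None


def reverse_name_to_ip(qname):
    """Turn '3.10.10.10.in-addr.arpa' back into '10.10.10.3'; None if not a full PTR name."""
    name = qname.rstrip(".").lower()
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    labels = name[:-len(suffix)].split(".")
    if len(labels) != 4:
        return None
    try:
        return str(ipaddress.ip_address(".".join(reversed(labels))))
    except ValueError:
        return None


def leak_report(qnames):
    """Count, per RFC 1918 reverse zone, the queries a forwarding resolver would leak."""
    counts = Counter()
    for q in qnames:
        zone = rfc1918_reverse_zone(q)
        if zone:
            counts[zone] += 1
    return dict(counts)


def bind_empty_zone_stanzas(empty_file="empty.db"):
    """Illustrative BIND-style stanzas that make a resolver authoritative (and empty)
    for every RFC 1918 reverse zone, so these queries are answered locally."""
    return "\n".join(f'zone "{z}" {{ type master; file "{empty_file}"; }};'
                     for z in LOCAL_ZONES)


if __name__ == "__main__":
    print(leak_report(SAMPLE_QUERIES))
    print(bind_empty_zone_stanzas())
```

Run `leak_report` over a day of resolver query logs and the per-zone counts tell you how much of your site's traffic to the blackhole servers is self-inflicted; the resolver-side fix is what stops it, whatever the BGP filters do.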
RE: .mil domain
Let me say this: I am former military.. Worked in Military IT.
AND worst case situation, use www.cert.mil
Or if not that bad.. Call the public affairs officer at the branch of service.. Tell him you need help, tell him to put you in contact with the local Info systems type. and away you go..
I wish I still had the DoD and BoS NOC #'s but I don't..
If you want to complain to a US Military net admin and just find one, well it is not for lack of contact info.. It is lack of trying.
And yes I have sent stuff to the military.. Recently got a huge nessus scan and DoS attack attempt from a military block.. went to that service's web site and found the Info systems # on the web.. AND IT WORKED.
We used to say a Marine was not happy unless he had something to complain about... But it is the same for most all of us.
just my 10 cents worth.. Inflation ya know...
J

Laziness is just the act of being tired before doing the work

> Your escalation route goes to the OSD-CIO (Office of Secretary Defense) in the 5-sided building. That was Art Money's office but I don't know if he's still there. I'd cc: the Inspector General for whichever branch as well...and the FTC. In other words, when one can't get a response, check with NANOG. :)
> -Jack
RE: Abuse.cc ???
I tell ya, what really gets me in a bad mood is when my PIX logs show the same IP address hitting port 80 on 25 different IP's and the time line is 2 seconds start to finish. And then you report it, and it continues after a week every single day. Substitute port 80 here with 1433, 139, 135, and on and on..
When a Syslog trap with a NTP sync time base and the entire log is not good enough, I don't know what is. Yesterday, I got word from a network operator that 50 entries was not sufficient. So I parsed 4 days' worth and sent them over 1200 messages from their block.. have not heard back yet.. With a syslog file, sometimes an IDS log and a Syslog.
Some ISP's either /dev/null all of it, or they can't stop their users or politics stop 'em..
Later,
J

-Original Message-
From: Simon Lyall [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 04, 2003 5:04 PM
To: [EMAIL PROTECTED]
Subject: Re: Abuse.cc ???

On Thu, 3 Apr 2003, Gerald wrote:
> I hate to play devil's advocate here, but I've been on the receiving end of the abuse@ complaints that became unmanageable. The bulk of them consisting of: Your user at x.x.x.x attacked me! (And this is sometimes the nameserver:53 or mailserver:113)

We added this to the auto-reply of our abuse@ address:

--- cut - here
For complaints of port scanning or supposed hacking attempts, complete logs of the abuse are required. At a minimum, a log of abuse contains the time (including time zone) it happened, the hosts/ips involved and the ports involved.

Please note that we received a large number of false complaints from people using personal firewall programs regarding port scanning. If you are submitting a complaint based on the logs from one of these programs we highly suggest you read the following:
http://www.samspade.org/d/persfire.html
AND
http://www.samspade.org/d/firewalls.html
--- cut - here

The abuse guys concentrate on spam reports, open-relay reports and sometimes port scanning reports from proper admins (these are easy to spot). Junk from dshield.org and the like is pushed to the bottom of the priority list. There are just too many random packets flying about for the personal firewall reports to be useful. The other problem is it's hard to act against a client based on one packet received by some person on the other side of the world running a program they don't understand. At least with spam reports you'll get several independent reports with full headers and if they use our servers we'll even have our own logs.

--
Simon Lyall.                |  Newsmaster  | Work: [EMAIL PROTECTED]
Senior Network/System Admin |  Postmaster  | Home: [EMAIL PROTECTED]
Ihug Ltd, Auckland, NZ      | Asst Doorman | Web: http://www.darkmere.gen.nz
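Jim's complaint (one source hitting port 80 on 25 different addresses within two seconds) and Simon's minimum for an actionable report (time with zone, hosts, ports, the actual log lines) describe the same thing from both ends: a horizontal sweep, and the evidence an abuse desk needs to act on it. The following is an added example, not code from either poster: it parses PIX-style deny lines, groups them by source, protocol and destination port, counts distinct targets inside a sliding time window, and pulls the raw lines for a given source so they can go into the report. The log lines are constructed for the example using documentation address ranges; the exact message wording varies by PIX release, so the regex is written for this sample's layout, and `find_sweeps` and `abuse_evidence` are names chosen here.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed PIX-style syslog excerpt (documentation ranges 198.51.100/24 and 203.0.113/24).
# One source sweeps six hosts on port 80 inside two seconds, then touches two hosts on
# 1433; a second source retries a single host on 1433, which is not a sweep.
SAMPLE_LOG = """\
Apr 04 2003 09:12:01: %PIX-4-106023: Deny tcp src outside:198.51.100.7/3312 dst inside:203.0.113.10/80 by access-group "outside_in"
Apr 04 2003 09:12:01: %PIX-4-106023: Deny tcp src outside:198.51.100.7/3313 dst inside:203.0.113.11/80 by access-group "outside_in"
Apr 04 2003 09:12:01: %PIX-4-106023: Deny tcp src outside:198.51.100.7/3314 dst inside:203.0.113.12/80 by access-group "outside_in"
Apr 04 2003 09:12:02: %PIX-4-106023: Deny tcp src outside:198.51.100.7/3315 dst inside:203.0.113.13/80 by access-group "outside_in"
Apr 04 2003 09:12:02: %PIX-4-106023: Deny tcp src outside:198.51.100.7/3316 dst inside:203.0.113.14/80 by access-group "outside_in"
Apr 04 2003 09:12:02: %PIX-4-106023: Deny tcp src outside:198.51.100.7/3317 dst inside:203.0.113.15/80 by access-group "outside_in"
Apr 04 2003 09:12:03: %PIX-6-302013: Built outbound TCP connection 12345 for outside:198.51.100.50/80 (198.51.100.50/80) to inside:203.0.113.20/1044 (203.0.113.5/40000)
Apr 04 2003 09:12:05: %PIX-4-106023: Deny tcp src outside:198.51.100.7/3320 dst inside:203.0.113.10/1433 by access-group "outside_in"
Apr 04 2003 09:12:05: %PIX-4-106023: Deny tcp src outside:198.51.100.7/3321 dst inside:203.0.113.11/1433 by access-group "outside_in"
Apr 04 2003 09:13:00: %PIX-4-106023: Deny tcp src outside:198.51.100.9/4001 dst inside:203.0.113.10/1433 by access-group "outside_in"
Apr 04 2003 09:13:01: %PIX-4-106023: Deny tcp src outside:198.51.100.9/4002 dst inside:203.0.113.10/1433 by access-group "outside_in"
Apr 04 2003 09:13:02: %PIX-4-106023: Deny tcp src outside:198.51.100.9/4003 dst inside:203.0.113.10/1433 by access-group "outside_in"
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %PIX-\d-106023: Deny (?P<proto>\w+) "
    r"src \w+:(?P<src>[\d.]+)/\d+ dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)")


def parse(log_text):
    """Yield (timestamp, proto, src, dst, dport) for each deny line; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")  # zone comes from the syslog host's config
            events.append((ts, m["proto"], m["src"], m["dst"], int(m["dport"])))
    return events


def find_sweeps(events, window_seconds=2.0, min_targets=5):
    """One finding per (src, proto, dport) that reached >= min_targets distinct
    destinations inside any window of window_seconds; reports the widest window seen."""
    by_key = defaultdict(list)
    for ts, proto, src, dst, dport in events:
        by_key[(src, proto, dport)].append((ts, dst))
    findings = []
    for (src, proto, dport), hits in by_key.items():
        hits.sort()
        best, start = None, 0
        for end in range(len(hits)):
            while (hits[end][0] - hits[start][0]).total_seconds() > window_seconds:
                start += 1
            targets = {dst for _, dst in hits[start:end + 1]}
            if len(targets) >= min_targets and (best is None or len(targets) > best["targets"]):
                best = {"src": src, "proto": proto, "dport": dport, "targets": len(targets),
                        "first": hits[start][0], "last": hits[end][0]}
        if best:
            findings.append(best)
    return findings


def abuse_evidence(log_text, src):
    """The raw deny lines for one source: what goes into the abuse@ report verbatim."""
    return [line for line in log_text.splitlines()
            if (m := LINE_RE.match(line)) and m["src"] == src]


if __name__ == "__main__":
    for f in find_sweeps(parse(SAMPLE_LOG)):
        print(f"{f['src']} swept {f['targets']} hosts on {f['proto']}/{f['dport']} "
              f"between {f['first']} and {f['last']}")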
Abuse.cc ???
I just made a number of abuse complaints to a provider and then, after contacting the abuse #, I got told that they don't use abuse@ anymore, that abuse.cc is the new email address.
Correct me if I am wrong, but isn't this against RFC current practice?
I won't name the provider, and have emailed [EMAIL PROTECTED] since they have the wrong abuse on their WHOIS..
Thanks,
Jim
AOL---
Is there anyone lurking out there from the AOL NOC? I have an issue I need to discuss with you without the voice mail roulette or number extension jeopardy.. Please respond off-list.
Jim
RE: AOL---
Thanks to those that responded off-list. I believe the issue has been handled...
Jim

-Original Message-
From: McBurnett, Jim
Sent: Wednesday, April 02, 2003 8:24 AM
To: [EMAIL PROTECTED]
Subject: AOL---

Is there anyone lurking out there from the AOL NOC? I have an issue I need to discuss with you without the voice mail roulette or number extension jeopardy.. Please respond off-list.
Jim
RE: State Super-DMCA Too True
> > And to use NAT to circumvent this should be illegal. It is theft of service. The ISP has the right to setup a business model and sell as it wishes. Technology has allowed ways to bypass or steal extra service. This law now protects the ISP. There will be some ISPs that continue to allow and support NAT.

NAT-- HMMM - In my eyes that is a security precaution for the ignorant.. Think of this: Joe user goes to Wally World, or Staples and gets a Linksys BEFSR11 cable/dsl router. He adds NAT, and voilà, his computer is no longer wide open to the world... Albeit not a stateful firewall, it is much more effective than Norton or others, as it does not use the resources of the system. If this is illegal, then the law truly is contradictory. As I understand it, it says that a network operator has the right to protect themselves. A network can be defined as 1 or more computers connected to 1 or more other computers.

> The problem is that these laws not only outlaw the use of NAT devices where prohibited, but also the sale and possession of such devices.

HMMM - Cisco just bought Linksys-- This should prove interesting

> Further, I think many would disagree that the use of NAT where prohibited necessarily should be considered an illegal activity. Note that the customer is still paying for a service, so the question of theft is debatable. It is one thing for an ISP to terminate service for breach of contract by using a NAT device, it is quite something else to put someone in prison for such a breach.

See note above... NAT- A poor man's type of firewall.

> I found one large broadband provider in Michigan that prohibits the use of NAT devices -- Charter Communications. Comcast, Verizon, and SBC seem to allow them for personal household use (although they do have value-add services that charge extra for multiple routable static IP addresses).

That is surprising.. IN SC I know charter does not say that.. As a Matter of fact, I have worked closely with several local Charter Engineers. And they have really been exactly opposite...

> The Michigan law covers only commercial telecommunications service providers that charge fees. It most definitely does not cover anyone running a network.

how do they define a network? If I have a computer at home and it talks to other computers.. Then don't I operate a network?

Later,
Jim
RE: NANOG Splinter List (Was: State Super-DMCA Too True)
I agree...Partially
Legal issues are important, but those below a management level, mostly don't care.. I would not necessarily want another list to watch.. But, it sometimes gets overly consuming to look at topics I care less about...
anyway, that's my 10 cents worth.. Inflation ya know..
Jim

-Original Message-
From: Jack Bates [mailto:[EMAIL PROTECTED]]
Sent: Sunday, March 30, 2003 2:41 PM
To: Rafi Sadowsky
Cc: Jared Mauch; todd glassey; [EMAIL PROTECTED]
Subject: Re: NANOG Splinter List (Was: State Super-DMCA Too True)

Rafi Sadowsky wrote:
> What's wrong with the nanog-offtopic list ?

The legal issues are technical on-topic and nanog related. However, there are some that want to know what's going on in the legal system, and others that don't. At the same time, those wanting to keep track of legal issues may not want to be subscribed to nanog-offtopic.

-Jack
RE: State Super-DMCA Too True
maybe I should have said Stateful inspection.. IE inspection of SMTP whereas it limits the commands that are allowed and makes protocol adjustments.
thanks,
J

-Original Message-
From: E.B. Dreger [mailto:[EMAIL PROTECTED]]
Sent: Sunday, March 30, 2003 5:11 PM
To: [EMAIL PROTECTED]
Subject: RE: State Super-DMCA Too True

JM> Date: Sun, 30 Mar 2003 10:34:28 -0500
JM> From: McBurnett, Jim
JM>
JM> NAT-- HMMM - In my eyes that is a security precaution for the
JM> ignorant.. Think of this: Joe user goes to Wally World, or
JM> Staples and gets a Linksys BEFSR11 cable/dsl router. He adds
JM> NAT, and voilà, his computer is no longer wide open to the
JM> world... Albeit not a stateful firewall, it is much more

Actually, it _is_ stateful. It tracks state so it knows what inbound traffic is directed to what IP:port on the inside, or dropped if no match is found.

Run 1:1 NAT and see how secure that is. Run a public IP address with stateful rules that drop inbound traffic unless outbound traffic happened recently. Compare.

NAT's security is a by-product of state that is necessary to achieve 1:N mapping.

Eddy
--
Brotsman Dreger, Inc. - EverQuick Internet Division
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 (785) 865-5885 Lawrence and [inter]national
Phone: +1 (316) 794-8922 Wichita

~
Date: Mon, 21 May 2001 11:23:58 + (GMT)
From: A Trap [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Please ignore this portion of my mail signature.

These last few lines are a trap for address-harvesting spambots. Do NOT send mail to [EMAIL PROTECTED], or you are likely to be blocked.
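Eddy's point above is worth seeing in code: the 1:N NAT on a Linksys box needs a translation table to get replies back to the right inside host, and an unsolicited inbound packet is dropped only because it matches nothing in that table; 1:1 NAT needs no such table and forwards everything; and a public address behind a "drop inbound unless outbound happened recently" rule gives the same protection without translating anything. The following is an added example, not code from the thread, that models the three cases Eddy asks the reader to compare; the class names, the ephemeral port range and the addresses (documentation ranges) are chosen for this example.

```python
import itertools


class Napt:
    """1:N NAT (port address translation), the Linksys-style case.

    The table exists so replies can be demultiplexed back to the right inside
    host. An inbound packet with no table entry has nowhere to go and is
    dropped; that side effect is the whole of the "security"."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self._next_port = itertools.count(40000)   # constructed ephemeral range
        self.table = {}   # public port -> (inside_ip, inside_port, remote_ip, remote_port)

    def outbound(self, inside_ip, inside_port, remote_ip, remote_port):
        """Translate an outbound flow; reuse the entry if the flow is already known."""
        flow = (inside_ip, inside_port, remote_ip, remote_port)
        for pub_port, entry in self.table.items():
            if entry == flow:
                return self.public_ip, pub_port
        pub_port = next(self._next_port)
        self.table[pub_port] = flow
        return self.public_ip, pub_port

    def inbound(self, remote_ip, remote_port, pub_port):
        """Inside (ip, port) to deliver to, or None when no state matches (dropped)."""
        entry = self.table.get(pub_port)
        if entry is None or entry[2:] != (remote_ip, remote_port):
            return None
        return entry[:2]


class OneToOneNat:
    """Static 1:1 NAT: one public address rewritten to one inside host and back.
    No per-flow state is needed, so nothing stops unsolicited inbound packets."""

    def __init__(self, mapping):
        self.mapping = dict(mapping)   # public_ip -> inside_ip

    def inbound(self, remote_ip, remote_port, public_ip, port):
        inside_ip = self.mapping.get(public_ip)
        return None if inside_ip is None else (inside_ip, port)


class StatefulFilter:
    """Public address, no translation: drop inbound unless the local host sent
    to that peer within idle_timeout. Same protection as NAPT, no NAT."""

    def __init__(self, idle_timeout):
        self.idle_timeout = idle_timeout
        self.seen = {}   # (local, remote) endpoint pairs -> time of last outbound packet

    def outbound(self, local, remote, now):
        self.seen[(local, remote)] = now

    def inbound(self, remote, local, now):
        last = self.seen.get((local, remote))
        return last is not None and now - last <= self.idle_timeout


if __name__ == "__main__":
    napt = Napt("203.0.113.5")
    napt.outbound("192.168.1.10", 1025, "198.51.100.80", 80)
    print("NAPT, reply to our flow:", napt.inbound("198.51.100.80", 80, 40000))
    print("NAPT, unsolicited probe:", napt.inbound("198.51.100.99", 4444, 40000))
    one = OneToOneNat({"203.0.113.6": "192.168.1.20"})
    print("1:1 NAT, unsolicited probe:", one.inbound("198.51.100.99", 4444, "203.0.113.6", 139))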
RE: NANOG Splinter List (Was: State Super-DMCA Too True) (why not nanog-legal ?)
I am not for or against either.. just putting thoughts out there..
NANOG-Legal would be a good thing for the legal eagles, and a more consuming one for those of us already on numerous lists..
all in all, NANOG as a whole single list usually inspires more information sharing when taken whole, IMHO
Jim

-Original Message-
From: William Devine, II [mailto:[EMAIL PROTECTED]]
Sent: Sunday, March 30, 2003 5:15 PM
To: McBurnett, Jim; 'Jack Bates'; 'Rafi Sadowsky'
Cc: [EMAIL PROTECTED]
Subject: RE: NANOG Splinter List (Was: State Super-DMCA Too True) (why not nanog-legal ?)

Why not a nanog-legal list ?
wiliam

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of McBurnett, Jim
Sent: Sunday, March 30, 2003 01:47 PM
To: Jack Bates; Rafi Sadowsky
Cc: Jared Mauch; todd glassey; [EMAIL PROTECTED]
Subject: RE: NANOG Splinter List (Was: State Super-DMCA Too True)

I agree...Partially
Legal issues are important, but those below a management level, mostly don't care.. I would not necessarily want another list to watch.. But, it sometimes gets overly consuming to look at topics I care less about...
anyway, that's my 10 cents worth.. Inflation ya know..
Jim
RE: State Super-DMCA Too True
Well, if it is that big.. no IPSEC.. then I suspect Cisco, Checkpoint, and others to stand up ASAP.. This is not right. As I see it a growing percentage of companies are moving to IPSEC VPNs and leaving dedicated ckts behind.. I can't believe that legislators would be so un-informed, and Cisco/the industry would be so out of touch..
J

-Original Message-
From: William Allen Simpson [mailto:[EMAIL PROTECTED]]
Sent: Sunday, March 30, 2003 9:39 AM
To: [EMAIL PROTECTED]
Subject: Re: State Super-DMCA Too True

Jack Bates wrote:
> William Allen Simpson wrote:
> > It outlaws all encryption, and all remailers.
>
> I'm missing where it outlaws these? In fact, it outlaws others (say your ISP) from decrypting your encrypted data.

That is not correct. I'm very sensitive to these issues. As those of you that have been around for awhile may recall, I was investigated by the FBI for treason merely for *WRITING* the specification for PPP CHAP and discussing it at the IETF (under Bush I). I don't expect it to be different for Bush II.

As Larry Blunk points out, to possess an encryption device is a felony! Jack, you need to actually look at the text of the Act:

(1) A person shall not assemble, develop, manufacture, possess, deliver, offer to deliver, or advertise an unlawful telecommunications access device or assemble, develop, manufacture, possess, deliver, offer to deliver, or advertise a telecommunications device intending to use those devices or to allow the devices to be used to do any of the following or knowing or having reason to know that the devices are intended to be used to do any of the following:

(a) ...

(b) Conceal the existence or place of origin or destination of any telecommunications service.

[no encryption, no steganography, no remailers, no NAT, no tunnels]
[no Kerberos, no SSH, no IPSec, no SMTPTLS]

(c) To receive, disrupt, decrypt, transmit, retransmit, acquire, intercept, or facilitate the receipt, disruption, decryption, transmission, retransmission, acquisition, or interception of any telecommunications service without the express authority or actual consent of the telecommunications service provider.

[no NAT, no wireless, no sniffers, no redirects, no war driving, ...]

(2) A person shall not modify, alter, program, or reprogram a telecommunications access device for the purposes described in subsection (1).

[no research, no mod'ing]

(3) A person shall not deliver, offer to deliver, or advertise plans, written instructions, or materials for ...

[no technical papers detailed enough to matter]

(4) A person who violates subsection (1), (2), or (3) is guilty of a felony punishable by imprisonment for not more than 4 years or a fine of not more than $2,000.00, or both. All fines shall be imposed for each unlawful telecommunications access device or telecommunications access device involved in the offense. Each unlawful telecommunications access device or telecommunications access device is considered a separate violation.

[big penalties]

(a) Telecommunications and telecommunications service mean any service lawfully provided for a charge or compensation to facilitate the origination, transmission, retransmission, emission, or reception of signs, data, images, signals, writings, sounds, or other intelligence or equivalence of intelligence of any nature over any telecommunications system by any method, including, but not limited to, electronic, electromagnetic, magnetic, optical, photo-optical, digital, or analog technologies.

[everything from a DVD, to the network, to the monitor, to t-shirts]

--
William Allen Simpson
Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32
Weird...
Okay, Here is a weird one... 69.6.32.100 - allocated by ARIN, accessed through Hong Kong. H... Global Crossing? do you have a routing issue?

Anyway, Later,
J

03/30/03 22:14:24 Fast traceroute 69.6.32.100
Trace 69.6.32.100 ...
 1 10.129.32.1 40ms 50ms 30ms TTL: 0 (No rDNS)
 2 172.22.32.1 20ms 90ms 20ms TTL: 0 (No rDNS)
 3 172.22.32.106 21ms 10ms 10ms TTL: 0 (No rDNS)
 4 12.124.58.105 20ms 40ms 70ms TTL: 0 (No rDNS)
 5 12.123.21.78 50ms 40ms 50ms TTL: 0 (gbr6-p80.attga.ip.att.net bogus rDNS: host not found [authoritative])
 6 12.122.12.25 20ms 40ms 70ms TTL: 0 (tbr1-p013601.attga.ip.att.net bogus rDNS: host not found [authoritative])
 7 No Response * * *
 8 12.123.9.53 60ms 30ms 40ms TTL: 0 (ggr1-p370.wswdc.ip.att.net bogus rDNS: host not found [authoritative])
 9 208.51.74.181 30ms 50ms 30ms TTL: 0 (so2-1-0-622M.br1.WDC2.gblx.net bogus rDNS: host not found [authoritative])
10 208.178.174.53 50ms 31ms 40ms TTL: 0 (pos2-0-155M.cr1.WDC2.gblx.net bogus rDNS: host not found [authoritative])
11 203.192.134.118 330ms 230ms 240ms TTL: 0 (so1-0-0-622M.cr2.HKG1.gblx.net bogus rDNS: host not found [authoritative])
12 203.192.134.126 271ms 260ms 230ms TTL: 0 (so1-0-0-622M.ar1.HKG1.gblx.net bogus rDNS: host not found [authoritative])
13 203.192.137.154 300ms 230ms 291ms TTL: 0 (iAdvantage2.ge-0-1-0-878-1000m.ar1.HKG1.gblx.net bogus rDNS: host not found [authoritative])
14 69.6.1.3 260ms 290ms 251ms TTL: 0 (No rDNS)
15 No Response * * *
16 No Response * * *
17 No Response * * *
18 No Response * * *
19 No Response * * *
20 No Response * * *
21 No Response * * *
22 No Response * * *
23 No Response * * *
24 No Response * * *
25 No Response * * *
26 No Response * * *
27 No Response * * *
28 No Response * * *
29 No Response * * *
RE: Odd DNS Traffic
Michael,

Do you have a packet sniff of the traffic? Possibly a sniff of at least 1 packet? HMMM.. I have seen some increase at our Corp DNS, but not that much... drop me a note offlist with the sniff.. I would like to look at this..

Jim

-Original Message-
From: Support Team [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 26, 2003 4:01 PM
To: [EMAIL PROTECTED]
Subject: Odd DNS Traffic

First I would like to note I am new to the list and group. It's nice to be here.

Second, since Monday, March 24th at approx 1am we have been suffering from odd DNS traffic to our two primary DNS servers. The odd traffic has increased our bandwidth utilization by about 20 Mbps, which is obviously putting a hurting on our network and our DNS servers. I know this must also be affecting other networks, and if anything the root servers. If anyone has any suggestions, etc, they would be much appreciated.

Thank you,
Michael Mannella
Support Team
Synergy Networks, Inc.

Here are the symptoms:

The odd traffic started with the root servers, namely (a-m).gtld-servers.net. Most of the traffic is still coming from them, but other servers have also started sending us this odd traffic. We have 3 DNS servers, only two are being affected, they are our Primary and Secondary servers that are listed with Network Solutions. The third server (that is not being affected) is not listed with NetSol and has no DNS records setup in it. It is strictly being used for lookups. The odd traffic is listed as a DNS Spoof attempt on our firewall.
The odd traffic looks like this:

Rcv 192.48.79.30 0cbb R Q [0084 A NOERROR] (8)Îҵĵ绰(3)COM(0)
UDP response info at 01ADC8BC
  Socket = 380
  Remote addr 192.48.79.30, port 53
  Time Query=147367, Queued=0, Expire=0
  Buf length = 0x0200 (512)
  Msg length = 0x010e (270)
  Message:
    XID       0x0cbb
    Flags     0x8400
      QR        1 (response)
      OPCODE    0 (QUERY)
      AA        1
      TC        0
      RD        0
      RA        0
      Z         0
      RCODE     0 (NOERROR)
    QCOUNT    0x1
    ACOUNT    0x1
    NSCOUNT   0xd
    ARCOUNT   0x0
    Offset = 0x000c, RR count = 0
    Name (8)Îҵĵ绰(3)COM(0) QTYPE A (1) QCLASS 1
    ANSWER SECTION:
    Offset = 0x001e, RR count = 0
    Name [C00C](8)Îҵĵ绰(3)COM(0) TYPE A (1) CLASS 1 TTL 300 DLEN 4 DATA 198.41.1.35
    AUTHORITY SECTION:
    Offset = 0x002e, RR count = 0
    Name [C015](3)COM(0) TYPE NS (2) CLASS 1 TTL 172800 DLEN 20 DATA (1)g(12)gtld-servers(3)net(0)
    Offset = 0x004e, RR count = 1
    Name [C015](3)COM(0) TYPE NS (2) CLASS 1 TTL 172800 DLEN 4 DATA (1)h[C03C](12)gtld-servers(3)net(0)
    Offset = 0x005e, RR count = 2
    Name [C015](3)COM(0) TYPE NS (2) CLASS 1 TTL 172800 DLEN 4 DATA (1)d[C03C](12)gtld-servers(3)net(0)
    Offset = 0x006e, RR count = 3
    Name [C015](3)COM(0) TYPE NS (2) CLASS 1 TTL 172800 DLEN 4 DATA (1)j[C03C](12)gtld-servers(3)net(0)
    Offset = 0x007e, RR count = 4
    Name [C015](3)COM(0) TYPE NS (2) CLASS 1 TTL 172800 DLEN 4 DATA (1)i[C03C](12)gtld-servers(3)net(0)
    Offset = 0x008e, RR count = 5
    Name [C015](3)COM(0) TYPE NS (2) CLASS 1 TTL 172800 DLEN 4 DATA (1)l[C03C](12)gtld-servers(3)net(0)
    Offset = 0x009e, RR count = 6
    Name [C015](3)COM(0) TYPE NS (2) CLASS 1 TTL 172800 DLEN 4 DATA (1)b[C03C](12)gtld-servers(3)net(0)
    Offset = 0x00ae, RR count = 7
    Name [C015](3)COM(0) TYPE NS (2) CLASS 1 TTL 172800 DLEN 4 DATA (1)e[C03C](12)gtld-servers(3)net(0)
    Offset = 0x00be, RR count = 8
    Name [C015](3)COM(0) TYPE NS (2) CLASS 1 TTL 172800 DLEN 4 DATA (1)a[C03C](12)gtld-servers(3)net(0)
    Offset = 0x00ce, RR count = 9
    Name [C015](3)COM(0) TYPE NS (2) CLASS 1 TTL 172800 DLEN 4 DATA (1)k[C03C](12)gtld-servers(3)net(0)
    Offset = 0x00de, RR count = 10
    Name [C015](3)COM(0) TYPE NS (2) CLASS 1 TTL 172800 DLEN 4 DATA (1)f[C03C](12)gtld-servers(3)net(0)
    Offset = 0x00ee, RR count = 11
    Name [C015](3)COM(0) TYPE NS (2) CLASS 1 TTL 172800 DLEN 4 DATA (1)c[C03C](12)gtld-servers(3)net(0)
    Offset = 0x00fe, RR count = 12
    Name [C015](3)COM(0) TYPE NS (2) CLASS 1
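What the firewall calls a "DNS Spoof attempt" here is an answer arriving that no local resolver asked for. The check a defender wants is therefore simple to state: pair every incoming response's (source, XID, qname) against the table of queries this host actually sent, and count the ones that match nothing, per source. The Python below is an added example written for this thread, not code from Synergy Networks or from any vendor; it carries its own tiny DNS wire-format encoder and decoder so it runs offline on constructed messages modelled on the log entry above (XID 0x0cbb, flags 0x8400, one A answer of 198.41.1.35 from 192.48.79.30). The pending-query table, the second source address 192.0.2.53 and the query names are assumptions for the sample.

```python
"""Spot DNS responses that nobody here asked for.

Added example for the "Odd DNS Traffic" thread; it is not code from the
thread or from any vendor. The DNS messages are constructed inline and
modelled on the debug-log entry above. A response whose (source, XID,
qname) matches nothing we sent is unsolicited: either someone is sending
queries with our address forged as the source, so the gTLD servers bounce
their answers at us, or the packet is an attempt to plant an answer in a
cache. Either way it is worth counting per source.
"""
import struct
from collections import Counter

# --- tiny DNS wire-format helpers (header + question + one A RR) ---

def encode_name(name: str) -> bytes:
    """Dotted name -> DNS label sequence. latin-1 keeps arbitrary label bytes."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("latin-1")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def decode_name(msg: bytes, offset: int):
    """Return (name, offset after the name); follows 0xC0 compression pointers."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # pointer to an earlier name
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("latin-1"))
        offset += length
    return ".".join(labels).lower(), (end if jumped else offset)

def build_response(xid: int, qname: str, a_rdata: str, flags: int = 0x8400) -> bytes:
    """Constructed sample message: header, one question, one A answer."""
    header = struct.pack("!HHHHHH", xid, flags, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)      # QTYPE A, QCLASS IN
    rdata = bytes(int(o) for o in a_rdata.split("."))
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata
    return header + question + answer

def parse(msg: bytes) -> dict:
    """Header, question and (if present) the first answer's A record."""
    xid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    info = {"xid": xid, "qr": bool(flags & 0x8000), "rcode": flags & 0xF,
            "qname": qname, "qtype": qtype, "ancount": an, "a": None}
    if an:
        _, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            info["a"] = ".".join(str(b) for b in msg[off:off + 4])
    return info

# --- the check: does this response match a query we actually sent? ---

def classify(packets, pending):
    """packets: [(src_ip, msg_bytes)]; pending: {(src_ip, xid, qname)} of queries we sent.
    Returns (matched keys, Counter of unsolicited responses per source)."""
    matched, unsolicited = [], Counter()
    for src, msg in packets:
        info = parse(msg)
        if not info["qr"]:
            continue                                   # a query, not a response
        key = (src, info["xid"], info["qname"])
        if key in pending:
            matched.append(key)
        else:
            unsolicited[src] += 1
    return matched, unsolicited

# Constructed sample: one legitimate reply, two replies nobody asked for, one inbound query.
PENDING = {("192.48.79.30", 0x1234, "example.com")}
SAMPLE_PACKETS = [
    ("192.48.79.30", build_response(0x1234, "example.com", "198.41.1.35")),
    ("192.48.79.30", build_response(0x0CBB, "phone.com", "198.41.1.35")),
    ("192.0.2.53",   build_response(0x0CBB, "phone.com", "198.41.1.35")),
    ("192.0.2.54",   build_response(0x0001, "example.com", "198.41.1.35", flags=0x0100)),
]

def run_sample():
    matched, unsolicited = classify(SAMPLE_PACKETS, PENDING)
    return len(matched), dict(unsolicited)

if __name__ == "__main__":
    print(run_sample())   # (1, {'192.48.79.30': 1, '192.0.2.53': 1})
```

On a real server the pending table is whatever the resolver has outstanding; an authoritative-only server like the two affected here has almost nothing outstanding, so nearly every response it receives is unsolicited by definition, and the per-source counter is what tells you which name servers are being used to reflect traffic at you.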
RE: Bellsouth clueful?
Jason,

If this is important to you, check out using your W2K Pro or WXP machine's SMTP relay and use it to send the mail.. It can send directly out of it to the destination server.. Since you are a CCNP I am sure you are most likely running a firewall of some kind and there is little risk of you having an open relay. If you have questions catch me offlist..

Jim

-Original Message-
From: Jason Slagle [mailto:[EMAIL PROTECTED]
Sent: Friday, March 21, 2003 10:48 PM
To: [EMAIL PROTECTED]
Subject: Bellsouth clueful?

Anyone at bellsouth home that can provide some insight (mostly ETA) on the email-server outage going on. I tried the normal paths:

- The following addresses had permanent fatal errors -
[EMAIL PROTECTED]
(reason: 550 Invalid recipient: [EMAIL PROTECTED])

I have loved ones overseas, and rumor has it they could send email. Bellsouth needs to get this fixed ASAP.

Jason

--
Jason Slagle - CCNP - CCDP
/\ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
\ / ASCII Ribbon Campaign .
 X - NO HTML/RTF in e-mail .
/ \ - NO Word docs in e-mail .
RE: Co-lo best practices on IP allocations
One more thought:

If the company is a SPAM or other less than popular type, I would keep a watch on SPAM-L and spamhaus.org. Look for your IP block.. Some networks flat out put IP access lists in place to block ranges for SPAM/..

J

-Original Message-
From: Daniel Abbey [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 18, 2003 11:57 AM
To: [EMAIL PROTECTED]
Subject: Co-lo best practices on IP allocations

Are there any suggestions/ideas on best practices when it comes to co-lo allocation of addresses to its customers? Is there any site that may have some pointers? The dilemma is whether to charge or not to charge separately for the IPs. Should it be a clause built into their overall contract? Any ideas?
RE: 69/8 revisited
look at the location too... 61/8 is APNIC and 69 ARIN..

J

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 19, 2003 5:02 PM
To: Stephen Sprunk
Cc: Scott Granados; Rick Ernst; North American Noise and Off-topic Gripes
Subject: Re: 69/8 revisited

On Wed, 19 Mar 2003, Stephen Sprunk wrote:
I'm wondering if there's something special about 69/8... I can't recall this sort of discussion for 61/8 through 68/8, at least after CIDR in the former Class A space was initially validated.

For a very interesting comparison, do groups.google.com searches for 69.0.0.0/8 and then for 61.0.0.0/8. While the first is several pages of hits saying to block 69.0.0.0/8 as a bogon, all the links for 61.0.0.0/8 seem to suggest blocking that /8 due to spam.

--
Jon Lewis [EMAIL PROTECTED]| I route
System Administrator| therefore you are
Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_
Code red- Returning?
Has anyone out there noticed an increase in a Code-Red patterned virus? I know about the Microsoft bug that came out yesterday/last night. But I am seeing the same symptoms as Code Red, 800+ hits in the last 12 hours, from the same Class A network I am on. The amount is increasing per hour.. It started with 50 the first hour and now it is just about 150 an hour...

Thoughts?

thanks,
Jim
RE: Code red- Returning?
PatchLink Update Awarded Blue Ribbon from Network World Fusion

For the article go to: http://www.nwfusion.com/reviews/2003/0303patchrev.html

PatchLink Update Receives Network Computing Editor's Choice Award for Patch Management

For the article go to: http://www.patchlink.com/media_room/nwc92002.pdf

-Original Message-
From: McBurnett, Jim [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 18, 2003 10:50 AM
To: [EMAIL PROTECTED]
Subject: Code red- Returning?

Has anyone out there noticed an increase in a Code-Red patterned virus? I know about the Microsoft bug that came out yesterday/last night. But I am seeing the same symptoms as Code Red, 800+ hits in the last 12 hours, from the same Class A network I am on. The amount is increasing per hour.. It started with 50 the first hour and now it is just about 150 an hour...

Thoughts?

thanks,
Jim
FW: Code red- Returning?
I think this should go here.. Mistype nanog

Jim

-Original Message-
From: Johannes Ullrich [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 18, 2003 1:10 PM
To: McBurnett, Jim
Cc: [EMAIL PROTECTED]
Subject: Re: Code red- Returning?

Yes. This month, we are tracking about twice as many sources as usual scanning port 80. The likely reason is the release of Code Red F earlier this month.

graph of port 80 activity for the last 2+ months:
http://www.dshield.org/port_report.php?port=80&days=70

In addition, there are some spikes in the number of targets scanned, which could be target list acquisitions for the next big thing (maybe the WebDav exploit).

AFAIK, the only difference for Code Red F is that it changed the 'cut off year' at which it will stop scanning. So it probably infected some machines that due to clock settings were not infected by the other versions. But I haven't had a chance to look at it in detail.

On Tue, 18 Mar 2003 12:50:17 -0500 McBurnett, Jim [EMAIL PROTECTED] wrote:
Has anyone out there noticed an increase in a Code-Red patterned virus? I know about the Microsoft bug that came out yesterday/last night. But I am seeing the same symptoms as Code Red, 800+ hits in the last 12 hours, from the same Class A network I am on. The amount is increasing per hour.. It started with 50 the first hour and now it is just about 150 an hour...

Thoughts?

thanks,
Jim

--
[EMAIL PROTECTED]
Collaborative Intrusion Detection
join http://www.dshield.org
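The observation in this thread (800+ hits in 12 hours, 50 in the first hour climbing to 150) is something a web server's own log can confirm. Code Red and its variants are recognisable from the request line alone: a GET for /default.ida followed by a long run of filler characters, so a path match is enough to count them per hour and per source and watch the hour-over-hour ratio. The Python below is an added example written for this thread, not code from DShield, from Jim, or from any vendor; the log lines are constructed inline in Apache combined format, and the worm's encoded tail is deliberately left out of the sample data since the filler run is what the check keys on.

```python
"""Count Code Red style probes per hour and per source in a web server log.

Added example for the "Code red- Returning?" thread; not code from the
thread, from DShield or from any vendor. The log lines are constructed
inline in Apache combined format (an IIS log would only need a different
parsing regex). The hourly trend is what the thread describes: a count
per hour that keeps climbing.
"""
import re
from collections import Counter, defaultdict

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Code Red's request line: /default.ida? followed by a long run of N (X in later variants)
CODE_RED_PATH = re.compile(r"^/default\.ida\?[NX]{20,}")

def parse_line(line):
    """One combined-format line -> dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = m.group("ts")                               # "18/Mar/2003:09:05:00 -0500"
    return {"src": m.group("src"), "hour": ts[:14],  # "18/Mar/2003:09"
            "path": m.group("path"), "status": int(m.group("status"))}

def code_red_hits(lines):
    """Return (hits per hour, hits per source, distinct sources per hour)."""
    per_hour, per_src = Counter(), Counter()
    sources = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not CODE_RED_PATH.match(rec["path"]):
            continue
        per_hour[rec["hour"]] += 1
        per_src[rec["src"]] += 1
        sources[rec["hour"]].add(rec["src"])
    return per_hour, per_src, {h: len(s) for h, s in sources.items()}

def hourly_trend(per_hour):
    """[(hour, hits, ratio to previous hour)]. Hours sort lexically, which is
    correct within one day of zero-padded timestamps."""
    hours = sorted(per_hour)
    return [(h, per_hour[h], round(per_hour[h] / per_hour[prev], 2))
            for prev, h in zip(hours, hours[1:])]

# --- constructed sample log: probes rising 2 -> 4 -> 6 per hour, plus two decoys ---
def _probe(src, hh, mm):
    return (f'{src} - - [18/Mar/2003:{hh:02d}:{mm:02d}:00 -0500] '
            f'"GET /default.ida?{"N" * 40}=a HTTP/1.0" 404 -')

SAMPLE_LOG = (
    [_probe("10.1.2.3", 9, 5), _probe("10.1.2.4", 9, 40)]
    + [_probe(f"10.1.3.{i}", 10, i * 5) for i in range(1, 5)]
    + [_probe(f"10.1.4.{i}", 11, i * 5) for i in range(1, 7)]
    + ['10.1.2.3 - - [18/Mar/2003:10:12:30 -0500] "GET /index.html HTTP/1.1" 200 1234',
       # a plain request for the file with no filler is not the worm and must not count
       '10.1.2.3 - - [18/Mar/2003:10:13:00 -0500] "GET /default.ida HTTP/1.0" 404 -']
)

def run_sample():
    per_hour, per_src, distinct = code_red_hits(SAMPLE_LOG)
    return dict(per_hour), distinct, hourly_trend(per_hour)

if __name__ == "__main__":
    hits, distinct, trend = run_sample()
    for hour, n, ratio in trend:
        print(f"{hour}: {n} probes from {distinct[hour]} sources, x{ratio} vs previous hour")
```

The distinct-source count per hour is the number worth forwarding to something like DShield: a rising hit count from a handful of sources is a few noisy hosts, while a rising count of distinct sources in your own Class A is the spread Jim was seeing.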
--NON-Topic-- Advertising on NANOG instead of......
Marty,

Many people on NANOG get there here subscribing to NWF... If your email was just a link, and an article summary, sure no problem, but putting the entire article here.. well that is a different story.. Kinda like, here is my reply, but I want you to read the entire thing to see what I have to say, and then to discover my reply is 99% off topic..

Yes, Code Red is a bug that needs to be patched. But where in your response did you answer:
Has anyone out there noticed an increase in a Code-Red patterned virus?

That is my problem. Most of us get hundreds of emails a week, and to spend time going through something that is off-topic is a waste. Several of the other users here have commented that they filter out emails from said individuals when they notice the consistent off-topic replies. And I have held out so far... But I am leaning.

J

-Original Message-
From: Marty Armstrong [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 18, 2003 1:46 PM
To: McBurnett, Jim
Cc: [EMAIL PROTECTED]
Subject: RE: Code red- Returning?

Jim,

It is not my intent to advertise as much as inform. The Network World article tells the story and speaks about all the companies in this category not just PatchLink. Also, other members of this list have discussed application on this prior, would their discussions also be considered advertising?

-Marty

-Original Message-
From: McBurnett, Jim [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 18, 2003 11:38 AM
To: Marty Armstrong
Cc: [EMAIL PROTECTED]
Subject: RE: Code red- Returning?

Marty,
this would be great news, IF I wasn't the victim.. I did read the article when I got my NW Fusion this month.. This needs to go to the folks who are infected... Is this the correct place for an Advertisement?

Jim

-Original Message-
From: Marty Armstrong [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 18, 2003 12:57 PM
To: McBurnett, Jim
Cc: [EMAIL PROTECTED]
Subject: RE: Code red- Returning?

Network World evaluated several Patch Management tools on March 3rd.
PatchLink Update won the Blue Ribbon Award. Also, none of our customers were hit by Slammer. PatchLink Update's flexibility helped it best three other products tested. Please see the attached link to read about our Blue Ribbon Award from Network World Fusion for Patch Management.

http://www.nwfusion.com/reviews/2003/0303patchrev.html

Review: Windows patch management tools
PatchLink Update's flexibility helped it best three other products tested.
By Mandy Andress, Network World Global Test Alliance
Network World, 03/03/03

With Microsoft releasing more than 230 security bulletins since the beginning of 2000 - most of those requiring some sort of corrective action to fix a hole in one of its Windows-based products - the numbers speak for themselves: Windows patch management in an enterprise environment is a nightmare.

We tested four stand-alone Windows patch management products - BigFix's Enterprise Suite, Gravity Storm Software's Service Pack Manager 2000, PatchLink's Update and Shavlik Technologies' HfNetChk Pro to find out if they improve patch deployment. (See "Not in the game" for declining vendors.)

Patch management tools should identify accurately which patches are missing on each system, provide an easy means to deploy patches and provide administrative reports tracking patch status across multiple machines.

The products we tested (see How we did it) attack the problem in two ways - with or without agent software. Agent-based products - such as those from PatchLink and BigFix - can greatly reduce network traffic by offloading processing and analysis to the target system, saving data until it needs to report to the central server. But they also force an administrator to manage software on all systems the product analyzes. With agentless products - such as those from Shavlik and Gravity Storm - you don't have any distributed management issues, but whenever a scan is requested all tests and communications travel over the network. If scanning a domain with a large number of systems, the increase in network traffic can be quite significant.

PatchLink's Update 4.0 earned the Network World Blue Ribbon award for its ease of use, flexibility, automation and letting you easily create deployment packages. PatchLink has two components - PatchLink Update Server and the agent. The Update Server is installed on a Windows 2000 Server with SP2 and Internet Information S
RE: DSL-IP Probes Curiosity..
There is so much of it, I liken it to Internet background radiation. In fact, if I didn't see a constant stream of this (either by accident-- SNMP auto discovery, or design-- let's find all the 'private' routers and switches out there) I would be more worried as my network probably has been blackholed!

Good Point!!

In terms of reporting it, I usually do if it's more than just some automated probe and is a directed attack against a particular device and is causing some grief or potential grief. But it would be a full time job evaluating and responding to each and every scan/hack attempt as the volume is way too high. I think something like dshield is going in the right direction. Ultimately if these things are not reported and the people doing them sanctioned somehow, it won't stop.

Yeah, If a dshield type system is used and the ISP's can use that to add to the Abuse reports.. That would be great!

Also, it's March Break in many parts of North America... More time to do these sorts of things.

Yeah, and don't forget spring exams in the AP Rim... That is always bad too

J
RE: Issue with 208.192.0.0/8 - 208.196.93.0/24?
Easy, question.. Sure I could do that, I could run NMAP, Nessus, or any number of probes to check the validity of the host reachability. N-Stealth... and the list goes on. BUT if a host is denying pings from the world round and it stops trace a couple hops away maybe a BOGON filter or ACL or

Well If I can't http to it, and I can't ping it from multiple peering points, there is a filter somewhere.. It can't even be accessed via the Worldcom UUNet network.. H.. Yeah you can telnet to it... Yeah I got to it via telnet... Anyway.. Normally if you can't Ping it and can't HTTP to a web server

J

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 11, 2003 8:50 AM
To: McBurnett, Jim
Cc: chuck goolsbee; [EMAIL PROTECTED]
Subject: RE: Issue with 208.192.0.0/8 - 208.196.93.0/24?

Is anyone from Alter.net lurking? Just for grins I went to the DIGEX looking glass and I could not ping it from MAE-Central, PAIX, MAE-East and also from ATT Cerf router below are some of the traces.. Always dies on Alter... I wonder.

Alter? Brilliant. Why didn't you try telnet target.ip 80? Just because random packets spewed by traceroute are dropped on the floor does not mean that the site is dead.

Alex
RE: Move all 9-1-1 to 8-5-5
After working at a CLEC for a while, I must say that I know of very few PBXs that can do this, that the avg customer can afford.. Of course the BIG Lucent Definity series, maybe a few of its peers.. But the Lucent/ATT Partner/Magix systems, I am nearly positive (99.9%) they can't.. And forget about those 4 line Toshibas. Anyway that is not a discussion for this list...

Jim

-Original Message-
From: Mark Segal [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 11, 2003 9:04 AM
To: [EMAIL PROTECTED]
Subject: RE: Move all 9-1-1 to 8-5-5

Whenever the North American Numbering Planning Administration releases a new toll-free prefix (e.g. 1-800, 1-888, 1-877, 1-866) there is always a lengthy delay for individuals operating some telephone switches to update their routing tables. It's common to be in hotels, and find the hotel PBX doesn't recognize a recent toll-free prefix.

Yes.. But most people don't run translations for all NPA-NXXs on their 4 line PBX

Regards,
Mark

--
Mark Segal
Director, Data Services
Futureway Communications Inc.
Tel: (905)326-1570

So to fix this problem, why don't we move all 9-1-1 numbers to the new toll-free prefix, which will break stuff for people who don't update their PBX's promptly. When they find out they can't report a fire in the hotel because their PBX is blocking the new prefix, then they'll fix the PBX.

Let's get real, no one is going to break any critical resource just for the purpose of making people fix their systems. Rob's bogon lists are good, but unless you have the processes in place to keep it up to date (or hire a consulting firm to do it for you), it's about as useful as putting a list of invalid phone numbers in your PBX. The lists change all the time, and unless you are a full-time LERG expert, it will probably get quickly out of date. Of course, we can always use LDAP to keep all the PBX's updated.
RE: Put part of Google on 69/8 (was Re: 69/8...this sucks)
Idea #2.. CNN.com-- Put some of their content.. They would probably really enjoy the publicity.. And that would really be an educational point.. Anybody here from there???

Jim

The suggestion of putting Yahoo or Google on a 69/8 IP led me to this idea: Google could put their *beta* sites on a 69/8 IP, without causing them (Google) much Internet reachability/connectivity harm, and benefiting the Internet at large considerably. Set up a page (hopefully linked from www.google.com) that lists all of Google's present beta sites.
RE: 69/8...this sucks -- Centralizing filtering..
I saw a version of this earlier:

Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ip route clueless

No seriously.. What if that customer has a VPN design with a dial backup behind their firewall. Using BGP to suck down a default route from the provider, when that default route goes away, then the internal router initiates the dial backup solution to the remote network. They should not be sending out any BGP routes though.. But.. See example above...

OR They are in the process of preparing for multi-homing and just have not got it up yet... You know one provider is toiling with the T-1 facility FOC etc.. Sure this is somewhat unusual, but I have seen it, and corrected it...

Jim

It would be nice if vendors had a variant to (in cisco terms) ip verify unicast reverse-path that would work in asymmetrical networks. If you only have a single link to the internet, the command works well, but then why would you ever run bgp for a single uplink?

-Jack
RE: 69/8...this sucks -- Centralizing filtering..
SNIP

Oh, I agree that there are times when BGP is used in a single uplink scenario, but it is not common. However, someone pointed me to ip verify unicast source reachable-via any which seems to be available on some of the cisco Service provider releases. It's an interesting concept and I'm itching to play with it. If you aren't in my routing table, then why accept the IP address?

-Jack

Well, If you don't access my address and I happen to be a poor ole 69/8 or FILL IN NEW NET BLOCK HERE then your customers may not be able to get to me... But there are an awful lot of ifs to this ^^. And I don't remember that command syntax at all

Yea, I want to test that too.. Maybe I can make a visit to the local Cisco office and borrow some time in the Lab. I want to see this in action, and how it may affect my routing... or maybe I can get a quick answer from the local CCIEs...

Hey have you checked the Feature Navigator and seen which versions it is in?

Catch me off-list
Later,
J
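The two objections in this exchange are really two different uRPF modes failing in two different ways: strict mode (ip verify unicast reverse-path, later reachable-via rx) drops a legitimate source whenever the packet arrives on an interface other than the one the best route points at, which is exactly Jim's dial-backup case, and loose mode (reachable-via any) drops a legitimate source whenever the router has no usable route to it, which is the 69/8 case whenever a stale bogon null route or a missing prefix is still sitting in the table. The Python below is an added model of both checks against a small constructed forwarding table, written for this thread; it is not router code and not anything from Jack, Jim or Cisco. The interface names, the customer prefixes and the stale Null0 route for 69.0.0.0/8 are assumptions for the sample; 69.6.32.100 is the address from the traceroute earlier in this archive.

```python
"""Model of strict vs loose unicast RPF against a small forwarding table.

Added example for the 69/8 filtering thread; a Python model, not router
code and not anything from the thread's authors. The FIB, interface names
and customer prefixes are constructed. Strict mode accepts a packet only
when the best route to its source points back out the interface it arrived
on. Loose mode only requires that some non-null route to the source exist.
"""
import ipaddress

def lookup(fib, src):
    """Longest-prefix match. fib maps prefix string -> outgoing interface."""
    addr = ipaddress.ip_address(src)
    best_net, best_iface = None, None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface

def urpf_accepts(fib, ingress, src, mode):
    """True if the source address passes the uRPF check in the given mode."""
    iface = lookup(fib, src)
    if mode == "strict":
        return iface == ingress
    if mode == "loose":
        # A route to Null0 counts as "no route": this is how loose uRPF plus a
        # null route becomes a source-address black hole, wanted or not.
        return iface is not None and iface != "Null0"
    raise ValueError(f"unknown uRPF mode {mode!r}")

# Constructed FIB for a provider edge router (assumed interface names).
FIB_STALE = {
    "0.0.0.0/0":       "Serial0",   # primary upstream
    "192.0.2.0/24":    "Serial0",   # customer normally reached via the primary
    "198.51.100.0/24": "Dialer1",   # customer only reachable over dial backup
    "69.0.0.0/8":      "Null0",     # stale bogon null route; 69/8 is allocated now
}
FIB_FIXED = {k: v for k, v in FIB_STALE.items() if k != "69.0.0.0/8"}

def evaluate_cases():
    """Returns {case name: accepted?} for the scenarios raised in the thread."""
    return {
        # normal path: traffic arrives on the interface its route points at
        "strict, symmetric":            urpf_accepts(FIB_STALE, "Serial0", "192.0.2.10", "strict"),
        # dial backup carrying traffic while the primary route is still best: strict drops it
        "strict, asymmetric backup":    urpf_accepts(FIB_STALE, "Dialer1", "192.0.2.10", "strict"),
        # loose mode tolerates the asymmetric arrival
        "loose, asymmetric backup":     urpf_accepts(FIB_STALE, "Dialer1", "192.0.2.10", "loose"),
        # a host in newly allocated 69/8 hits the stale null route and is dropped
        "loose, stale 69/8 null route": urpf_accepts(FIB_STALE, "Serial0", "69.6.32.100", "loose"),
        # once the stale route is removed the default route covers it again
        "loose, 69/8 after cleanup":    urpf_accepts(FIB_FIXED, "Serial0", "69.6.32.100", "loose"),
        # with no default route a source nobody routes is still rejected
        "loose, unrouted source":       urpf_accepts({"192.0.2.0/24": "Serial0"}, "Serial0", "203.0.113.9", "loose"),
    }

if __name__ == "__main__":
    for name, ok in evaluate_cases().items():
        print(f"{name:32s} {'accept' if ok else 'DROP'}")
```

The last two cases are the operational point of the thread: loose uRPF is only as good as the routing table behind it, so the same process that keeps a bogon ACL current has to keep the null routes current, or a new allocation like 69/8 stays unreachable from that router long after ARIN has handed it out.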
RE: 69/8...this sucks
From EB Dreger

I suggest a rotation like so:

Jan-Apr: 69.w.w.0
Apr-Jul: 69.x.x.255
Jul-Oct: 70.y.y.0
Oct-Jan: 70.z.z.255

where the middle two octets are predetermined ahead of time.

IIRC, some RFC recommends updating the root zone cache monthly... following this would ensure one had proper root/gTLD addresses. The above also would break DNS for broken networks for a two month stretch... long enough to flush out bad rules.

Eddy

Okay, let's assume that we all agree to this.. Who are the players? ARIN, gTLD Owners, and who else? Let's get some emails fired off.. Who is going to ARIN in Memphis? Jack? Dr Race? Volunteers to broach this? Any gTLD owners on list? Let's go for it.. I think this is a great Idea... Maybe we need to look at applying this elsewhere

J
RE: 69/8...this sucks
IIRC, some RFC recommends updating the root zone cache monthly... following this would ensure one had proper root/gTLD addresses. The above also would break DNS for broken networks for a two month stretch... long enough to flush out bad rules.

You want to move things like gtld servers, yahoo/google (and other 'important' things), including things like oscar.toc.aol.com into these. This will leave the clueless to buy a clue and stimulate the economy ;-)

- jared

Hey if it will be a great Stimulus package I bet we could get congressional research funding to try it. ;)

J
RE: 69/8...this sucks -- Centralizing filtering..
From Chris Adams:

This isn't meant to be a pick on you (we've got some SWIPs filed incorrectly that we are working on). I've just run into more and more cases where ARIN (or other RIR, but I'm typically interested in ARIN info) info is out of date. Maybe ARIN should periodically send an "are you there" type email to contacts (like some mailing lists do). If that fails, mail a letter with instructions on how to update your contact info, and if that fails, delete the invalid contact info - I'd rather see no contact info than bogus info.

Chris,
If you read PPML, there is a HUGE push via Owen DeLong's Policy 2003-1a to help with some aspects of the whois Contact.. his policy is mainly based on the abuse contact, But I think may get extended to all contacts eventually...

Owen- Wanta jump in here???

And-- if you feel strong enough to be flamed on the ARIN PPML list propose a Policy based on your comments.. I for one agree with you.. just give 2 or 3 tries.. If it fails once - retry 24 hours, if it fails again retry 48 hours. If it fails again.. 3 strikes and you're out in the old ball game (add in the music from take me out to the ballgame)

Later,
J

That's my 10 cents worth- ya know inflation gets us everywhere...
RE: Question concerning authoritative bodies.
See Comments In-line below..

So I'm curious what people think. We have semi centralized various things in the past such as IP assignments and our beloved DNS root servers. Would it not also make sense to handle common security checks in a similar manner? In creating an authority to handle this, we cut back on the

I would question the validity of this scan.. How easy would it be to put an ACL entry to block the Scan source?

amount of noise issued. I bring this up because the noise is getting louder.

This is almost the cost of being a business...

More and more networks are issuing their own relay and proxy checks. At this rate, in a few years, we'll see more damage done to server resources by scanners than we do from spam and those who would exploit such vulnerabilities.

Why not establish a system like dshield.org, where companies could reference the database and submit their data. Maybe get the backbones to sponsor, or Dept of Homeland Security. It needs to be global, and probably should be an IETF / RIR / IANA thought process...

Thoughts??
Jim