RE: in case nobody else noticed it, there was a mail worm released today

2004-01-26 Thread Wojtek Zlobicki

The worm is being talked about on news.com and all the major virus vendors
already have advisories on their websites. The worm in my case masqueraded
as a Mailer Daemon bounce.  Source email address appeared to be valid and
matching a domain of a website I visited recently (but have not for a long
time).  Anyone know how the worm generates the sending domain?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul
Vixie
Sent: Monday, January 26, 2004 8:52 PM
To: [EMAIL PROTECTED]
Subject: in case nobody else noticed it, there was a mail worm released
today


my copies (500 or so, before i filtered) are in a ~7MB gzip'd mailbox file
called http://sa.vix.com/~vixie/mailworm.mbox.gz (plz don't fetch that
unless you need it for comparison or analysis).  there's a high degree of
splay in the smtp/tcp peer address, and the sender is prepared to try backup
MX's if the primary rejects it, though it appears to try the MX's in
priority order.





RE: sniffer/promisc detector

2004-01-16 Thread Wojtek Zlobicki

Since all sniffers I know of are passive devices, there really shouldn't be
a way to track one down. From a Cisco standpoint, if I were mirroring a
port, and had a sniffer mirroring the sniffer port, I would see traffic of a
unicast nature with multiple unicast MAC destinations destined at a
switchport with only one MAC address cached.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Gerald
Sent: Friday, January 16, 2004 5:35 PM
To: [EMAIL PROTECTED]
Subject: sniffer/promisc detector


Subject says it all. Someone asked the other day here for sniffers. Any
progress or suggestions for programs that detect cards in promisc mode or
sniffing traffic?

Gerald





RE: GSR, 7600, Juniper M?, oh my!

2004-01-08 Thread Wojtek Zlobicki

Ejay,

Those would be Intel NICs.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ejay
Hire
Sent: Thursday, January 08, 2004 10:17 AM
To: 'Alexei Roudnev'; [EMAIL PROTECTED]; 'Jeff Kell'
Cc: [EMAIL PROTECTED]
Subject: RE: GSR, 7600, Juniper M?, oh my!


"used to be..."  One could lay hands on a magic Cd that turned an ordinary
PC with (Commonly available but the Brand Escapes me) Nics into a Juniper
Olive that ran the full JunOS.  It has disappeared, much to the
disappointment of those of us that would love to use one to study for a
cert/resume fodder.

-Ejay

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of Alexei Roudnev
> Sent: Thursday, January 08, 2004 12:51 AM
> To: [EMAIL PROTECTED]; Jeff Kell
> Cc: [EMAIL PROTECTED]
> Subject: Re: GSR, 7600, Juniper M?, oh my!
> 
> 
> >
> > Many interesting network solutions that have to be
> dismissed outright
> > because of IOS limitations, weaknesses or bugs can be
> easily expressed
> > in newer systems, not just JUNOS.
> 
> Example, please.
> 
> (Agree with Juniper OS for x86 - many people avoid Juniper
> because they do not
> know it).






RE: Anit-Virus help for all of us??????

2003-11-25 Thread Wojtek Zlobicki

I would hate to blame the users here.  In most organizations it is the
role of the IT Dept to manage the workstations and not end users.
Severely restricting users privileges is often a good thing, at least
from the perspective of being able to control what gets installed on the
machines in question.  Having consistent hardware and software images
also helps (where rooted boxes are quickly re-imaged), as well as having
a good distributed anti-virus solution.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Ryan Dobrynski
Sent: Tuesday, November 25, 2003 12:21 PM
To: [EMAIL PROTECTED]
Subject: Re: Anit-Virus help for all of us??




Having sat up until the wee hours of the AM last night cleaning up virus
traffic on one of my private nets (an in-house private net at that) I was
giving this some thought. It seems that as with all things, knowledge is
power. While all of the machines on the floor where the net ops team
lives were fine (mostly windows), the entire call center was infected
(entirely windows). When I went downstairs and spoke with them I was
surprised (ok not really) to find that none of them knew how to run
windows update or had ever heard of the xp firewall feature.




RE: Worst design decisions?

2003-09-20 Thread Wojtek Zlobicki

It's even funnier what happens when a customer confuses a Netopia console
connector with that of the power connector from the next revision :)


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, September 18, 2003 10:57 AM
To: [EMAIL PROTECTED]
Subject: Re: Worst design decisions?




Without a question:  PS/2 style keyboard and mouse connectors.
Impossible to tell from each other, or the right way up without eyeballs
directly on them.  A real PITA when trying to reach behind a desk or
rack.  The console port is a close second, though...





RE: uunet

2003-01-19 Thread Wojtek Zlobicki

This type of situation has been extensively discussed and debated here.
If you are not UUNet's direct customer (or many other providers' for that
matter), they likely cannot and will not open a ticket. If MFN is your
upstream, open up a ticket with them.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
blitz
Sent: Sunday, January 19, 2003 4:25 AM
To: Scott Granados
Cc: [EMAIL PROTECTED]
Subject: Re: uunet



I'll copy this email, and keep it for reference when someone asks about 
buying service from UUnet...thanks...

At 17:17 1/18/03 -0800, you wrote:

>What's interesting is that I just tried to call the noc and was told 
>"We have to have you e-mail the group"
>
>my response, I can't, I have no route working to uunet
>
>"Well you have to"
>
>my response, ok I'll use someone else's mail box, where do I mail?
>
>"We can't tell you, you're not a customer"
>
>My response, it's a routing issue, do you have somewhere I can e-mail you.
>
>"You're not my customer, I really don't care"  *click*
>
>Nice. professional too.
>
>Anyone have a number to the noc that someone with clue might answer?
>
>- Original Message -
>From: "David Diaz" <[EMAIL PROTECTED]>
>To: "Scott Granados" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
>Sent: Saturday, January 18, 2003 4:35 PM
>Subject: Re: uunet
>
>
> > Im not seeing anything coming from qwest.
> >
> >
> >
> > At 16:55 -0800 1/18/03, Scott Granados wrote:
> > >Is something up on uunet tonight?
> > >
> > >It looks to me that dns is broken forward and reverse but more
> > >likely it looks like a bad bogon filter popped up suddenly.  I
> > >have issues as soon as
> > >I leave mfn's network and hit uunet.
> >
> > --
> >
> > David Diaz
> > [EMAIL PROTECTED] [Email]
> > [EMAIL PROTECTED] [Pager]
> > www.smoton.net [Peering Site under development]
> > Smotons (Smart Photons) trump dumb photons
> >
> >
> >







Re: Effective ways to deal with DDoS attacks?

2002-05-01 Thread Wojtek Zlobicki


> Then you are pushing out /32's and peers would need to accept them.  Then
> someone will want to blackhole /30's, /29's, etc.  Route bloat.  Yum!

I am in no way proposing discounting current filtering rules.  There are
always two different interests one must consider: one, that of the customer,
and two, that of the service provider.  If a large block must be filtered,
so be it.

Where are providers drawing the line?  Anyone have somewhat detailed
published policies as to what a provider can do in order to protect their
network as a whole?  At what point (strength of the attack) does a
customer's netblock (assuming a /24 for example) get null routed by
whichever party?

> Anyways, some providers already allow you to set a community on a route,
> and they will inturn "blackhole" it for you.  I believe Teleglobe does
> this for some customers and I know UUNet does this for all customers.

When the attack is distributed, having one or two providers (even if they
are UUNET or Teleglobe) is just not enough.  Must private routing policy be
developed in order to make my suggestion work?  The reason that so many
methods likely fail is the difficulty of implementation and low
implementation.







Re: Effective ways to deal with DDoS attacks?

2002-05-01 Thread Wojtek Zlobicki


> > What processes and/or tools are large networks using to
> > identify and limit the impact of DDoS attacks?
>
> A great deal of thought is being expended on this question, I am certain,
> however, how many of these thought campaigns have borne significant fruit
> yet, I do not know.

How about the following:

We develop a new community, being fully transitive (666 would be
appropriate), and either build into router code or create a route map to
null route anything that contains this community.  The effect of this being
the distribution of the force of the attack.

This aside, how effective would using a no-export community with one's
peers be (being non-transitive, it would still distribute the force of the
attack)?
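The two "Effective ways to deal with DDoS attacks?" posts above discuss null-routing an attacked host via a transitive blackhole community and ask how the picture changes if a no-export community is used instead. The following is an added simulation (not code from the thread or from any router vendor) that models a handful of ASes as in-memory routers: an inbound route-map rewrites the next hop of any route carrying the blackhole community to a discard, and propagation stops at the first AS when the well-known NO_EXPORT community is present. The community value 65535:666, the AS numbers and the 192.0.2.0/24 prefixes are constructed placeholders, chosen to match the "666" in the post.

```python
"""Constructed simulation of the blackhole-community proposal above: routers
hold a small RIB, an inbound route-map discards anything carrying the
blackhole community, and propagation honours NO_EXPORT.  Added example; not
code from the original thread.  AS numbers and prefixes are placeholders."""
import ipaddress
from collections import deque
from dataclasses import dataclass, field

NO_EXPORT = "no-export"   # well-known non-transitive community (RFC 1997)
BLACKHOLE = "65535:666"   # assumed blackhole community; "666" as in the post


@dataclass(frozen=True)
class Route:
    prefix: str                 # e.g. "192.0.2.10/32"
    next_hop: str               # "Null0" means discard
    communities: frozenset = frozenset()


@dataclass
class Router:
    asn: int
    rib: dict = field(default_factory=dict)   # prefix -> Route

    def route_map_in(self, route):
        """Inbound policy from the post: rewrite the next hop of any route
        carrying the blackhole community so traffic to it is null-routed."""
        if BLACKHOLE in route.communities:
            return Route(route.prefix, "Null0", route.communities)
        return route

    def lookup(self, dst):
        """Longest-prefix match; returns the winning Route or None."""
        addr = ipaddress.ip_address(dst)
        best, best_len = None, -1
        for r in self.rib.values():
            net = ipaddress.ip_network(r.prefix)
            if addr in net and net.prefixlen > best_len:
                best, best_len = r, net.prefixlen
        return best

    def forwards(self, dst):
        """True if a packet to dst would be forwarded rather than dropped."""
        r = self.lookup(dst)
        return r is not None and r.next_hop != "Null0"


def announce(routers, links, origin, route):
    """Flood `route` from AS `origin` across the undirected `links`.
    A router re-advertises what it installed unless NO_EXPORT is set
    (the originator itself still sends the route to its own neighbours)."""
    routers[origin].rib[route.prefix] = route
    seen = {origin}
    queue = deque([origin])
    while queue:
        asn = queue.popleft()
        installed = routers[asn].rib[route.prefix]
        if NO_EXPORT in installed.communities and asn != origin:
            continue   # non-transitive: accept it, but do not pass it on
        for nbr in links.get(asn, ()):
            if nbr in seen:
                continue
            seen.add(nbr)
            routers[nbr].rib[route.prefix] = routers[nbr].route_map_in(installed)
            queue.append(nbr)


def build(links):
    return {asn: Router(asn) for asn in links}


def null_routed_ases(links, origin, prefix, communities):
    """Which ASes end up discarding traffic for `prefix`, and which never
    learn the route at all (both as sorted lists, for easy comparison)."""
    routers = build(links)
    announce(routers, links, origin,
             Route(prefix, f"AS{origin}", frozenset(communities)))
    dropped = sorted(a for a, r in routers.items()
                     if prefix in r.rib and r.rib[prefix].next_hop == "Null0")
    unaware = sorted(a for a, r in routers.items() if prefix not in r.rib)
    return dropped, unaware


# Constructed topology: customer 64500 -> provider 64501 -> peer 64502 -> 64503
LINKS = {64500: [64501], 64501: [64500, 64502],
         64502: [64501, 64503], 64503: [64502]}


def demo():
    """The covering /24 stays reachable while the attacked host's /32 is
    blackholed; returns (forwards to .10, forwards to .11) at the far AS."""
    routers = build(LINKS)
    announce(routers, LINKS, 64500, Route("192.0.2.0/24", "AS64500"))
    announce(routers, LINKS, 64500,
             Route("192.0.2.10/32", "AS64500", frozenset({BLACKHOLE})))
    far = routers[64503]
    return far.forwards("192.0.2.10"), far.forwards("192.0.2.11")


if __name__ == "__main__":
    print(null_routed_ases(LINKS, 64500, "192.0.2.10/32", {BLACKHOLE}))
    print(null_routed_ases(LINKS, 64500, "192.0.2.10/32", {BLACKHOLE, NO_EXPORT}))
    print(demo())
```

With the transitive community alone every AS on the path installs the /32 as a discard, which is the "distribution of the force of the attack" the post is after; adding NO_EXPORT stops the route at the direct provider, so only that provider absorbs the attack and the rest of the path never learns the /32. The `demo` run also shows why the discussion turns to /32s: the blackhole must be more specific than the customer's real announcement, or the whole /24 goes dark.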