Re: Streaming Video Bandwidth Requirements, WAS: FW: Re: Is there a line of defense against Distributed Reflective attacks?
Perhaps, continuing the off-topic thread... The best compression techniques that do not use block-based methods (as in MPEG-2/4) can achieve much better compression capabilities than listed below and in the other follow-on thread. For an excellent overview of what this may do for video on demand over the Internet, check out the September 22nd issue of The Economist.

There are basically three types of approaches: wavelet, fractal, and heuristic (or object?). They are also either software-only or hardware-assisted. I've seen one of them that claims 1.1 Mbps typically for standard definition (480i), and about 3 Mbps for HDTV (1080i). I'm no codec expert, but I was amazed at the clarity, even with packet loss.

I think we'll find video on demand and other streaming entertainment services over our xDSL connections and Cable Modems much sooner than most people expect. I hope network operators are prepared for it.

You can get a typed copy of The Economist article at: http://fox.rollins.edu/~tlairson/ecom/video.html

Regards,
Jeff Turner
[EMAIL PROTECTED]

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Rowland
> Sent: Wednesday, January 22, 2003 9:28 AM
> To: [EMAIL PROTECTED]
> Subject: RE: FW: Re: Is there a line of defense against Distributed Reflective attacks?
>
> Not to mention the fact that 99.99% of current consumer connections
> are not up to the task. Standard full-screen video digital stream is
> ~6Mbps, HDTV requires 19.4Mbps. Don't know many consumers with T3s. ;)
>
> Al Rowland
Re: OT: Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?
On Thu, 23 Jan 2003, Christopher L. Morrow wrote:

> > Something I'm surprised no one has commented on considering the
> > direction of this thread has been should ISPs be responsible for
> > customer actions if they are not allowed to refuse service to customers?
>
> ISP's can't refuse service to customers?

As I've come to understand, this depends on what system is in use. In the Anglo-Saxon system, the "free" market is everything. But in post-Napoleon France, for instance, it is considered a privilege to offer commercial services to the public, and one of the obligations that comes with that privilege is to offer those commercial services to everyone who pays, without discrimination. I'm sure better suited people are around to explain these differences better than I can. If only revolutions wouldn't be in violation of law :)

Paul

--
God devised pigeons as a means of punishment for man. Probably after the destruction of Sodom and Gomorrha he wanted to make sure that people would never again feel comfortable enough in a city to repeat the sins committed there, and he created the pigeons as a means to make the city dwellers' lives more miserable, as a constant reminder of their past sins.
Re: OT: Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?
On Wed, 22 Jan 2003, Baldwin, James wrote:

> Something I'm surprised no one has commented on considering the
> direction of this thread has been should ISPs be responsible for
> customer actions if they are not allowed to refuse service to customers?

ISP's can't refuse service to customers?

> I'm surprised this hasn't come up since the latter half of the question
> also represented a fairly "popular" thread earlier. I'm interested in
> people's opinions.
>
> James Baldwin
> Worldwide Technology Services and Operations
> Network Operations Center
> Electronic Arts, Inc.
Re: OT: Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?
> > The first MPEG-4 HD set top boxes are beginning to appear
> > http://www.sigmadesigns.com/news/press_releases/030108.htm
> > Watch this space

If you read the document carefully, you'll figure that they support MPEG2 HDTV (1920x1080) and MPEG4 SDTV (640x480/720x576), which was my point earlier. So they are a little less than two cycles of Moore's law away from MPEG4 HDTV. That would put it three years away, but if the market is there, we'll probably see it earlier. SDTV video-over-IP services should take off first though, or we'll end up with peer2peer set top boxes sharing premium channel services over broadband networks.

Pete
OT: Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?
Something I'm surprised no one has commented on considering the direction of this thread has been should ISPs be responsible for customer actions if they are not allowed to refuse service to customers? I'm surprised this hasn't come up since the latter half of the question also represented a fairly "popular" thread earlier. I'm interested in people's opinions.

James Baldwin
Worldwide Technology Services and Operations
Network Operations Center
Electronic Arts, Inc.
Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?
Andy -

- Original Message -
From: "Andy Dills" <[EMAIL PROTECTED]>
To: "todd glassey" <[EMAIL PROTECTED]>
Cc: "Vadim Antonov" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Wednesday, January 22, 2003 9:07 AM
Subject: Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?

> On Tue, 21 Jan 2003, todd glassey wrote:
>
> > Vadim - the newest form of SPAM uses the Messenger facility to place a
> > pop-up in the middle of your screen without any email, pop, smtp or other
> > service being involved. I apologize for the tone of the first posting, but I
> > still stand by it. When ISP's are held accountable for what people do with
> > the BW they sell them, then these issues will all be moot. Until then, the
> > lie is that there is no way to stop these behaviors and its the one the
> > ISP's proffer exclusively.
>
> No, we evil network admins are NOT saying there is no way to stop these
> behaviors. We're saying that the solutions put such a crimp on open
> standards and legitimate behavior that their value is negative.

Who gave you the right to decide which laws you were going to abide by and which ones you were not?

> The problem is a social one, not a technical one. The technical problem is the
> vulnerability that exists; the social problem is that as long as ANY
> vulnerability exists, people will try to exploit that vulnerability.

The reason that the vulnerability is there is because of TCP/IP's inherent weaknesses, but that aside, there are processes that could easily be put in place to address these issues. The problem is that they cost money, and that means they have to be paid for, and ISP's, like many other businesses, are run to be as profitable as possible, so that means that their owners will do as little as humanly possible to address these issues to keep the bottom lines where they are... Otherwise there wouldn't be the problems with SPAM and DDoS or other Attack Forms that exist today.

> Technology can mitigate the vulnerabilities, but it cannot mitigate the
> desire to exploit.

So then the problem is the ISP's facilitating the evil forces of the world to do their worst???

> For instance, substitute "airport" for "network", as in "airport
> security".

Well, this is really funny - see, I used to do Network and Systems Operations for UAL at the SFO site and I think your commentary is so funny it's almost ludicrous. The problems with the Airlines is the ALPA and its membership and the various other Unions that have a stranglehold on the carriers. You folks are not unionized, are you?

> There are ways for law enforcement to be 100% positive that no
> terrorists ever steps foot on a plane. Unfortunately, the cost involved,
> along with the reduction in efficiency, would make normal travel
> impossible.

The same is not true of networking though.

> Do you try to hold real estate developers responsible for what the
> homeowner does with their house? Do you try to hold the power company
> responsible for the people who use their electricity to grow weed?

Of course not - but I do hold the provider responsible for not enforcing the laws regarding digital fraud. And every time one of your email servers passes a forged email along another hop in its trip, you actively participate in the fraud, so you are not the grower of the weed but rather the reseller of it.

> I assume you were beating down the doors of Congress, trying to get rock
> artists to be responsible for the people who committed suicide after
> listening to their albums?

Hardly, and Tipper and I disagree on many things.

> Andy
>
> Andy Dills 301-682-9972
> Xecunet, LLC www.xecu.net
> Dialup * Webhosting * E-Commerce * High-Speed Access
Re: OT: Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?
Hello;

On Wednesday, January 22, 2003, at 06:04 PM, Petri Helenius wrote:

> > Drifting off-topic, but those are 'raw' data rates. Compression algorithms
> > along with motion-estimation allow you to get full-screen video down to
> > ~1.5 Mbps with not much in the way of image quality loss.
>
> Raw HDTV is about 1.2Gbps. RAW NTSC SDI bitstream is a few hundred. The 6 and 19.8 are already compressed. Obviously, putting more horsepower to the compression, you can achieve smaller data rates. However, applying for example MPEG4 instead of MPEG2 for 1080i or 720p ups the computational requirements beyond current consumer state of the art.

The first MPEG-4 HD set top boxes are beginning to appear

http://www.sigmadesigns.com/news/press_releases/030108.htm

Watch this space

Regards
Marshall Eubanks

> > I think you'll see it long before every house has fiber run to it.
>
> 75% is enough.
>
> Pete

T.M. Eubanks
Multicast Technologies, Inc.
10301 Democracy Lane, Suite 410
Fairfax, Virginia 22030
Phone : 703-293-9624
Fax : 703-293-9609
e-mail : [EMAIL PROTECTED]
http://www.multicasttech.com
Test your network for multicast : http://www.multicasttech.com/mt/
Status of Multicast on the Web : http://www.multicasttech.com/status/index.html
OT: Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?
> Drifting off-topic, but those are 'raw' data rates. Compression algorithms
> along with motion-estimation allow you to get full-screen video down to
> ~1.5 Mbps with not much in the way of image quality loss.
>
Raw HDTV is about 1.2Gbps. RAW NTSC SDI bitstream is a few hundred. The 6 and 19.8 are already compressed. Obviously, putting more horsepower to the compression, you can achieve smaller data rates. However, applying for example MPEG4 instead of MPEG2 for 1080i or 720p ups the computational requirements beyond current consumer state of the art.

> I think you'll see it long before every house has fiber run to it.
>
75% is enough.

Pete
Re: OT: FW: Re: Is there a line of defense against Distributed Reflective attacks?
It's actually funny you mention this. I'd been working on a way to deliver television via ATM for years, just never had much interest. But basically, by attaching to the cloud and then being able to draw PVCs over to DSL lines, it should be quite possible. Don't forget also many of us in given areas have faster than 1.5 down; in my case it's 6 down, which should be plenty for a good TV picture. I'm sure Bell would love to put a set top box in when you buy DSL, maybe even have it part of the shipping package you get when you join, which delivers TV. Give you phone, net and TV over one pair; they should eat that up! Not to mention theoretically ISPs should be able to offer it as well with their own offerings.

On Wed, 22 Jan 2003, Chris Parker wrote:

> At 10:58 AM 1/22/2003 -0800, Al Rowland wrote:
> >1. I also remember when web page standards required you to design
> >everything to fit in a 640x400 screen. DTV/HDTV will significantly
> >change your 'not much in the way of image quality loss' yardstick. My
> >viewing habits have changed significantly in the year plus I've been
> >DTV/HDTV. Among other things, I go to the movies a lot less. DVD quality
> >(which is lower than HDTV) is better than most movie theaters and
> >there's no gum/spilled drink (most of the time) on my floor.
>
> Agreed, however the source video that I've seen demoed is from DVD. Side
> by side comparison shows slight degradation, but solo viewing is more
> than adequate. This also isn't targeted to people at the end of the
> bell curve for technology adopters and purists, rather at the fat middle
> section that isn't upgrading to ( or doesn't care about ) HDTV yet and
> for whom current "digital video" quality is "just fine".
>
> >2. I already have it. It's called broadcast. $100 (could have been less
> >but I always over design) antenna and $20 of coax. No monthly fee. I do
> >pay for the DirecTV feed, but that's a separate flame war.
>
> Last I checked "premium" channels came via Cable or Satellite. :) If
> you have separate DSL line and DirecTV then you are doubling up on
> delivery costs. Would the average consumer like to "add" video to their
> DSL connection? The cable company cuts you a deal if you have video
> and data on the same line. Wouldn't the telco's like to compete in that
> market?
>
> >Of course, you could just as easily be right.
>
> Who knows? :) Reality will probably end up somewhere in the middle.
>
> -Chris
>
> --
> \\\|||/// \ StarNet Inc. \ Chris Parker
> \ ~ ~ / \ WX *is* Wireless!\ Director, Engineering
> | @ @ |\ http://www.starnetwx.net \ (847) 963-0116
> oOo---(_)---oOo--\--
> \ Wholesale Internet Services - http://www.megapop.net
Re: OT: FW: Re: Is there a line of defense against Distributed Reflective attacks?
At 10:58 AM 1/22/2003 -0800, Al Rowland wrote:

> 1. I also remember when web page standards required you to design
> everything to fit in a 640x400 screen. DTV/HDTV will significantly
> change your 'not much in the way of image quality loss' yardstick. My
> viewing habits have changed significantly in the year plus I've been
> DTV/HDTV. Among other things, I go to the movies a lot less. DVD quality
> (which is lower than HDTV) is better than most movie theaters and
> there's no gum/spilled drink (most of the time) on my floor.

Agreed, however the source video that I've seen demoed is from DVD. Side by side comparison shows slight degradation, but solo viewing is more than adequate. This also isn't targeted to people at the end of the bell curve for technology adopters and purists, rather at the fat middle section that isn't upgrading to ( or doesn't care about ) HDTV yet and for whom current "digital video" quality is "just fine".

> 2. I already have it. It's called broadcast. $100 (could have been less
> but I always over design) antenna and $20 of coax. No monthly fee. I do
> pay for the DirecTV feed, but that's a separate flame war.

Last I checked "premium" channels came via Cable or Satellite. :) If you have separate DSL line and DirecTV then you are doubling up on delivery costs. Would the average consumer like to "add" video to their DSL connection? The cable company cuts you a deal if you have video and data on the same line. Wouldn't the telco's like to compete in that market?

> Of course, you could just as easily be right.

Who knows? :) Reality will probably end up somewhere in the middle.

-Chris

--
\\\|||/// \ StarNet Inc. \ Chris Parker
\ ~ ~ / \ WX *is* Wireless!\ Director, Engineering
| @ @ |\ http://www.starnetwx.net \ (847) 963-0116
oOo---(_)---oOo--\--
\ Wholesale Internet Services - http://www.megapop.net
Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?
"Al Rowland" <[EMAIL PROTECTED]> writes:

> mention the effect everyone on AOL going to broadband and downloading
> Disney clips all the time would have on their settlement plans with
> backbone providers.

Of course, because you are definitely being kept in the loop regarding the AOL settlement plans?

/vijay
OT: FW: Re: Is there a line of defense against Distributed Reflective attacks?
1. I also remember when web page standards required you to design everything to fit in a 640x400 screen. DTV/HDTV will significantly change your 'not much in the way of image quality loss' yardstick. My viewing habits have changed significantly in the year plus I've been DTV/HDTV. Among other things, I go to the movies a lot less. DVD quality (which is lower than HDTV) is better than most movie theaters and there's no gum/spilled drink (most of the time) on my floor.

2. I already have it. It's called broadcast. $100 (could have been less but I always over design) antenna and $20 of coax. No monthly fee. I do pay for the DirecTV feed, but that's a separate flame war.

Of course, you could just as easily be right.

Best regards,
__
Al Rowland

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chris Parker
> Sent: Wednesday, January 22, 2003 10:02 AM
> To: [EMAIL PROTECTED]
> Subject: RE: FW: Re: Is there a line of defense against Distributed Reflective attacks?
>
> At 09:28 AM 1/22/2003 -0800, Al Rowland wrote:
> SNIP
> Drifting off-topic, but those are 'raw' data rates.
> Compression algorithms along with motion-estimation allow you
> to get full-screen video down to ~1.5 Mbps with not much in the way of image quality loss.
> SNIP
>
> I think you'll see it long before every house has fiber run to it.
>
> My 2 cents anyway.
>
> -Chris
>
> --
> \\\|||/// \ StarNet Inc. \ Chris Parker
> \ ~ ~ / \ WX *is* Wireless!\ Director, Engineering
> | @ @ |\ http://www.starnetwx.net \ (847) 963-0116
> oOo---(_)---oOo--\--
> \ Wholesale Internet Services - http://www.megapop.net
Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?
Speaking of HDSL over copper, does anyone know anything about a company called Rose Telephone that reportedly has an HDTV over T1 service?

- Original Message -
From: "Chris Parker" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, January 22, 2003 1:02 PM
Subject: RE: FW: Re: Is there a line of defense against Distributed Reflective attacks?

> At 09:28 AM 1/22/2003 -0800, Al Rowland wrote:
>
> >Not to mention the fact that 99.99% of current consumer connections are
> >not up to the task. Standard full-screen video digital stream is ~6Mbps,
> >HDTV requires 19.4Mbps. Don't know many consumers with T3s. ;)
>
> Drifting off-topic, but those are 'raw' data rates. Compression algorithms
> along with motion-estimation allow you to get full-screen video down to
> ~1.5 Mbps with not much in the way of image quality loss.
>
> That puts you into DSL/Wireless range.
>
> >As always, it gets down to doing the math, something many dot bombers
> >weren't (aren't) very good at. AOL/Time Warner is just the first major
> >example of this 'not yet ready for prime time' business plan. Not to
> >mention the effect everyone on AOL going to broadband and downloading
> >Disney clips all the time would have on their settlement plans with
> >backbone providers.
> >
> >When fiber-to-the-curb is the norm we'll be able to 'Ride the Light'.
> >Until then, your mileage may vary. You might also see some change in
> >settlement plans and consumer pricing about that same time.
>
> I think you'll see it long before every house has fiber run to it.
>
> My 2 cents anyway.
>
> -Chris
>
> --
> \\\|||/// \ StarNet Inc. \ Chris Parker
> \ ~ ~ / \ WX *is* Wireless!\ Director, Engineering
> | @ @ |\ http://www.starnetwx.net \ (847) 963-0116
> oOo---(_)---oOo--\--
> \ Wholesale Internet Services - http://www.megapop.net
RE: FW: Re: Is there a line of defense against Distributed Reflective attacks?
At 09:28 AM 1/22/2003 -0800, Al Rowland wrote:

> Not to mention the fact that 99.99% of current consumer connections are
> not up to the task. Standard full-screen video digital stream is ~6Mbps,
> HDTV requires 19.4Mbps. Don't know many consumers with T3s. ;)

Drifting off-topic, but those are 'raw' data rates. Compression algorithms along with motion-estimation allow you to get full-screen video down to ~1.5 Mbps with not much in the way of image quality loss.

That puts you into DSL/Wireless range.

> As always, it gets down to doing the math, something many dot bombers
> weren't (aren't) very good at. AOL/Time Warner is just the first major
> example of this 'not yet ready for prime time' business plan. Not to
> mention the effect everyone on AOL going to broadband and downloading
> Disney clips all the time would have on their settlement plans with
> backbone providers.
>
> When fiber-to-the-curb is the norm we'll be able to 'Ride the Light'.
> Until then, your mileage may vary. You might also see some change in
> settlement plans and consumer pricing about that same time.

I think you'll see it long before every house has fiber run to it.

My 2 cents anyway.

-Chris

--
\\\|||/// \ StarNet Inc. \ Chris Parker
\ ~ ~ / \ WX *is* Wireless!\ Director, Engineering
| @ @ |\ http://www.starnetwx.net \ (847) 963-0116
oOo---(_)---oOo--\--
\ Wholesale Internet Services - http://www.megapop.net
RE: FW: Re: Is there a line of defense against Distributed Reflective attacks?
Not to mention the fact that 99.99% of current consumer connections are not up to the task. Standard full-screen video digital stream is ~6Mbps, HDTV requires 19.4Mbps. Don't know many consumers with T3s. ;)

As always, it gets down to doing the math, something many dot bombers weren't (aren't) very good at. AOL/Time Warner is just the first major example of this 'not yet ready for prime time' business plan. Not to mention the effect everyone on AOL going to broadband and downloading Disney clips all the time would have on their settlement plans with backbone providers.

When fiber-to-the-curb is the norm we'll be able to 'Ride the Light'. Until then, your mileage may vary. You might also see some change in settlement plans and consumer pricing about that same time.

Best regards,
__
Al Rowland

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Vadim Antonov
> Sent: Tuesday, January 21, 2003 5:51 PM
> To: todd glassey
> Cc: [EMAIL PROTECTED]
> Subject: Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?
>
> On Tue, 21 Jan 2003, todd glassey wrote:
>
> > Vadim - the instant someone sues a Provider for sexual harassment from
> > their spam epidemic you will start to see things change. The reason
> > that No-Sane provider will block these ports or services is because
> > they have been listening to their Network Admins too long,
>
> We were talking about P2P, not spam. P2P participants _want_
> to talk to each other, unlike spammer and his victims. ISPs
> already aggressively fight spammers by terminating their
> service completely - no port blocking or lawsuits are needed.
>
> Blocking ports is not going to prevent communication between
> parties which wish to communicate. And carriage of bits is
> about an order of magnitude bigger economically than the
> whole entertainment industry. RIAA already was stupid
> enough to make enemies of telcos (with that Verizon lawsuit).
>
> The tech industry was bending themselves over to court
> Hollywood because the common wisdom was that the content is
> going to be what people will pay for. Wrong. Content-based
> dotcoms died, and people still pay for Internet connectivity,
> in ever-increasing numbers. And spend more and more time in
> front of computers instead of TVs. Simply because live
> people on the other end of the wire are infinitely more
> interesting than the prechewed corporate crud called "content".
>
> So I think we'll see some fireworks on the legal front, but
> the outcome is already clear - unfiltered connectivity is
> what consumers wish to pay for, not the sanitized disneys.
>
> --vadim
Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?
On Wed, 22 Jan 2003 11:11:19 -0500 Damian Gerow <[EMAIL PROTECTED]> wrote:

> (Taking NANOG out, as this is moving a little towards personal
> conversation)

Apparently, I didn't read my own Cc: line. Sorry, folks.
Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?
(Taking NANOG out, as this is moving a little towards personal conversation)

On Tue, 21 Jan 2003 16:44:26 -0800 "todd glassey" <[EMAIL PROTECTED]> wrote:

> Vadim - the instant someone sues a Provider for sexual harassment from
> their spam epidemic you will start to see things change. The reason that
> No-Sane provider will block these ports or services is because they have
> been listening to their Network Admins too long, and in fact the problem
> is that they are not sane providers. What they are, and this is pretty
> much true across the board, is people that just don't care what they do to
> earn a buck otherwise we would not have these problems, and this is
> especially true of those Network Operators that push all those billions of
> bytes of illicit SPAM and throw their hands up and say "What do you expect
> us to do" - well the answer is simple. I expect you folks to operate
> within the law and to cooperate in stopping people who use your services
> in violation of the laws.
>
> And if the providers out there don't like that - then they should find
> other businesses.

I think you're *nuts* if you think an ISP should be held entirely accountable for its customers' actions. I'm one of a handful of administrators in a small ISP, and we do our damnedest to ensure that everything runs smoothly. We have a fairly strict AUP that we actually enforce, we do egress filtering (not enough, but we're working towards it), we contact customers that are infected with virii and worms, and we have *zero* tolerance for script kiddies (usually instant blackholes).

IMHO, that is about all you can expect an ISP to do. Have an AUP that incorporates all of your problems (spam, abuse, viruses, etc), and enforce it. You can *not* expect the ISP to police absolutely everything that its customers do. You can *not* expect the ISP to be held responsible for three of its fifteen thousand customers browsing child porn. You can *not* expect the ISP to be accountable for its two hundred script kiddies. You *can* expect the ISP to have an AUP. You *can* expect the ISP to react, and to react quickly. You *can* expect the ISP to co-operate with the proper authorities, if it goes to that level. You *can* expect the ISP to contact and work with (when and where needed) other ISPs to track down and solve problems.

I am a Network Admin, and I am *still* looking for an effective way to block outbound spam from our customers. I spent two months purging all our mail servers of FormMail, and scan them every night for more vulnerable versions. Do you think that I should be sued because one of these slips through the cracks (there's a 24-hour window in which one can be installed and abused), and you get some porn spam? I certainly hope not.

Being able to sue ISPs for their customers' actions is pure insanity, and will just lead to massive ISP shutdown world-wide. However, being able to sue ISPs for *negligence* and for *ignoring* customers' actions is a whole different boat, and I think is an idea worth looking at.

- Damian Gerow, an overworked, underpaid, underappreciated Network Administrator. Strung out on caffeine, because I spent most of last night hashing out some more details on our anti-spamming actions.
Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?
Vadim - the newest form of SPAM uses the Messenger facility to place a pop-up in the middle of your screen without any email, pop, smtp or other service being involved. I apologize for the tone of the first posting, but I still stand by it. When ISP's are held accountable for what people do with the BW they sell them, then these issues will all be moot. Until then, the lie is that there is no way to stop these behaviors, and it's the one the ISP's proffer exclusively.

Todd

- Original Message -
From: "Vadim Antonov" <[EMAIL PROTECTED]>
To: "todd glassey" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Tuesday, January 21, 2003 5:51 PM
Subject: Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?

> On Tue, 21 Jan 2003, todd glassey wrote:
>
> > Vadim - the instant someone sues a Provider for sexual harassment from their
> > spam epidemic you will start to see things change. The reason that No-Sane
> > provider will block these ports or services is because they have been
> > listening to their Network Admins too long,
>
> We were talking about P2P, not spam. P2P participants _want_ to talk to
> each other, unlike spammer and his victims. ISPs already aggressively
> fight spammers by terminating their service completely - no port blocking
> or lawsuits are needed.
>
> Blocking ports is not going to prevent communication between parties which
> wish to communicate. And carriage of bits is about an order of magnitude
> bigger economically than the whole entertainment industry. RIAA already
> was stupid enough to make enemies of telcos (with that Verizon lawsuit).
>
> The tech industry was bending themselves over to court Hollywood because
> the common wisdom was that the content is going to be what people will pay
> for. Wrong. Content-based dotcoms died, and people still pay for
> Internet connectivity, in ever-increasing numbers. And spend more and
> more time in front of computers instead of TVs. Simply because live
> people on the other end of the wire are infinitely more interesting than
> the prechewed corporate crud called "content".
>
> So I think we'll see some fireworks on the legal front, but the outcome is
> already clear - unfiltered connectivity is what consumers wish to pay for,
> not the sanitized disneys.
>
> --vadim
Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?
Vadim - the instant someone sues a Provider for sexual harassment from their spam epidemic you will start to see things change. The reason that No-Sane provider will block these ports or services is because they have been listening to their Network Admins too long, and in fact the problem is that they are not sane providers. What they are, and this is pretty much true across the board, is people that just don't care what they do to earn a buck; otherwise we would not have these problems, and this is especially true of those Network Operators that push all those billions of bytes of illicit SPAM and throw their hands up and say "What do you expect us to do" - well, the answer is simple. I expect you folks to operate within the law and to cooperate in stopping people who use your services in violation of the laws.

And if the providers out there don't like that - then they should find other businesses.

Todd Glassey

- Original Message -
From: "Vadim Antonov" <[EMAIL PROTECTED]>
To: "Avleen Vig" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Monday, January 20, 2003 7:59 PM
Subject: Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?

> On Mon, 20 Jan 2003, Avleen Vig wrote:
>
> > On Mon, 20 Jan 2003, Christopher L. Morrow wrote:
> >
> > > I was referring specifically to end user workstations. For example home
> > > machines on dial up or broadband connections.
> > > A lot of broadband providers already prohibit running servers and block
> > > certain inbound ports (eg 21 and 80).
> > > *shrug* just seems like it would make more sense to block all incoming
> > > 'syn' packets.
> >
> > Indeed it does break that. P2P clients: Mostly transfer illegal content.
> > As much as a lot of people love using these, I'm sure most realise they're
> > on borrowed time in their current state.
>
> Well, blocking TCP SYNs is not a way to block establishment of sessions
> between _cooperating_ hosts.
>
> Simply make a small hack in TCP stack to leave SYN flag clear, and use
> some other bit instead.
>
> To really block something you need an application proxy... and then there
> are always ways to subvert those. Elimination of covert channels is one of
> the hardest problems. In any case, no sane provider will restrict traffic
> only to applications which can be served by its proxies.
>
> Going further, the growing awareness of the importance of security will
> cause more and more legitimate apps to create totally indiscriminate
> encrypted traffic... and it is a good idea to routinely encrypt all
> traffic, to avoid revealing importance of particular communications.
> Leaving identity of applications (different port #s) in the clear is also
> a bad idea, security-wise.
>
> --vadim
Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?
And there are legal uses for p2p. I have a customer who works with some of these technologies for legal and approved file transfers like game publishing.

- Original Message -
From: "Christopher L. Morrow" <[EMAIL PROTECTED]>
To: "Avleen Vig" <[EMAIL PROTECTED]>
Cc: "Christopher L. Morrow" <[EMAIL PROTECTED]>; "Daniel Senie" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Monday, January 20, 2003 5:22 PM
Subject: Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?

>
>
> On Mon, 20 Jan 2003, Avleen Vig wrote:
>
> > > Doesn't this stop kazaa/morpheus/gnutella/FTP/
> > > chats>? This is a problematic setup, and would require the cable modem
> > > provider to maintain a quickly changing 'firewall' :( I understand the
> > > want to do it, but I'm not sure its practical to see it happen based
> > > solely on the hassle factor :( Hmm, security, "you gotta pay to play"
> > > (Some famous man once said that I believe)
> >
> > Indeed it does break that. P2P clients: Mostly transfer illegal content.
> > As much as a lot of people love using these, I'm sure most realise they're
> > on borrowed time in their current state.
> > And I'm sure that if they were gone tomorrow, I'm sure they'd be back in
> > another fashion soon.
>
> That may be, but it's still a problem... I believe http and ftp also
> transfer illegal content, should we shut them down? Email too? Often there
> is illegal content in email. :(
>
> > Ftp/HTTP etc I believe most cable providers currently block these anyway
> > :-)
> >
>
> for FTP I was talking about non-passive data traffic.
>
>
Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?
Stoned koalas drooled eucalyptus spit in awe as Avleen Vig exclaimed:

> > Doesn't this stop kazaa/morpheus/gnutella/FTP/? This is a problematic
> > setup, and would require the cable modem provider to maintain a quickly
> > changing 'firewall' :( I understand the want to do it, but I'm not sure
> > its practical to see it happen based solely on the hassle factor :( Hmm,
> > security, "you gotta pay to play" (Some famous man once said that I
> > believe)
>
> Indeed it does break that. P2P clients: Mostly transfer illegal content.
> As much as a lot of people love using these, I'm sure most realise they're
> on borrowed time in their current state.

And it's your job as a network provider to determine the legality of your users' activities? Plus, you said the magic word "mostly". What about legit uses of P2P networks? Do you also stop your users from using NNTP as well, since it's "mostly" used for porn and warez? How about email? Since, from the looks of my mail logs, SMTP traffic is "mostly" spam and sircam. :)

I'm sure your users would certainly pack up and take their business elsewhere if you placed these restrictions on them. Why not just put them all behind a firewall on RFC-1918 addresses, if you are going to block all incoming SYNs?

> And I'm sure that if they were gone tomorrow, I'm sure they'd be back in
> another fashion soon.

Any true P2P system is going to need at least one end user to receive a SYN.

> Ftp/HTTP etc I believe most cable providers currently block these anyway
> I also believe this is usually stated in their TOS that they're not
> allowed to run services on their home computers.

If I'm on IRC and I initiate an outgoing DCC chat, the open port on my box awaiting the connection is hardly a "service."

> There's a chance it'd break things like file transfers on IM clients but
> I'm sure they'd be altered too.

Unless I'm missing something, wouldn't it be necessary to modify both the clients and the servers to pass all FT traffic through the servers? I'm sure those who sell bandwidth to AOL and Yahoo would love it if they did that, but I don't see it happening.

-Jeff

--
Jeff Workman | [EMAIL PROTECTED] | http://www.pimpworks.org
RE: FW: Re: Is there a line of defense against Distributed Reflective attacks?
This whole 'Internet Thing' is one of the wonders of the modern world. A public transport system that has handled growth easily and efficiently for many years. Some people get leisure from it, some make money from it, some do research on it, some communicate on it. It is one of the most pervasive things I've seen.

Because of the internet's inherent distributed nature, legislation will get you nowhere, and besides, legislation is the easy way out, and not very effective at that. Market forces and the golden rule (if that combo actually works, I'd be amazed) should drive the direction of this dynamic animal we call 'The Internet'.

If we lived in Nirvana, the Internet would be a beautiful thing. But as we live in reality, we have to take the good with the bad. But overall, I think the Good is winning over the Bad.

I say: Cool.

Ray Burkholder

> -Original Message-
> From: todd glassey [mailto:[EMAIL PROTECTED]]
> Sent: January 19, 2003 12:02
> To: Christopher L. Morrow; Stewart, William C (Bill), RTLSL
> Cc: [EMAIL PROTECTED]
> Subject: Re: FW: Re: Is there a line of defense against
> Distributed Reflective attacks?
>
>
> You nor any of the ISP's may like this but the facts of the
> matter are pretty clean and easily discerned and they all
> point to the Governance Model for developing and releasing
> protocols whole cloth on the Internet, no matter what they
> enable people to do. It's time to take a close accounting of
> what this "Internet" thing really is and put some stronger
> legislation in place.
>
> Todd Glassey
>
> - Original Message -
> From: "Christopher L. Morrow" <[EMAIL PROTECTED]>
> To: "Stewart, William C (Bill), RTLSL" <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Friday, January 17, 2003 6:29 PM
> Subject: Re: FW: Re: Is there a line of defense against
> Distributed Reflective attacks?
>
>
> >
> > On Fri, 17 Jan 2003, Stewart, William C (Bill), RTLSL wrote:
> >
> > >
> > > -Original Message-
> > > From: Stewart, William C (Bill), RTLSL
> > > Sent: Friday, January 17, 2003 5:35 PM
> > > To: '[EMAIL PROTECTED]'
> > > Subject: Re: Is there a line of defense against Distributed
> > > Reflective attacks?
> > >
> > >
> > > Many of these attacks can be mitigated by ISPs that do anti-spoofing
> > > filtering on input - only accepting packets from user ports
> >
> > Sure, but this is a proven non-scalable solution. HOWEVER, filtering
> > as close to the end host is scalable and feasible... do it there, it
> > makes MUCH more sense to do it there.
> >
> > > that have IP addresses that are registered for that port, and not
> > > accepting incoming packets from outside their network that claim to
> > > be from inside (except maybe from registered dual-homed hosts.)
> > > This cuts down on many opportunities for forgery,
> > > and means that SYN Flood attacks have a much more limited set of
> > > addresses they can forge (e.g. an attacker or zombie can only
> > > impersonate other ips sharing its /24 or /29, so it can't pretend to
> > > be its victim in a reflection or smurf attack.)
> > >
> > > That doesn't stop all reflection attacks; a zombie on a network that
> > > doesn't do anti-spoofing can send SYNs to a big server on a network
> > > that also doesn't anti-spoof, so the server will still SYN-ACK
> >
> > it's not the 'server' that needs 'anti-spoof' it's the end host, the
> > machine in your living room that is on a cable modem for instance...
> > the server in this instance is a simple, innocent, machine doing its
> > business.
> >
> > > to the victim. This cuts out a lot of potential zombie/server
> > > pairs. If the server that's being used for reflection is someone the
> > > victim would often talk to, that's a problem (you'd rather not block
> > > connections to Yahoo), but if it's someone the victim doesn't care
> > > about talking to (like router23.example.net) you don't mind blocking
> > > it. (Also, why is router23.example.net SYNACKing somebody it doesn't
> > > know?)
> > >
> >
> > This is an interesting point. The routers shouldn't really syn-ack (in
> > this example) bgp from 'unknown' places... unless you are a neighbor
Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?
Christopher,

IP filtering is something that needs to be legally mandated and put in place at both ends. Any tier-2/3 provider should be held accountable for any frauds that they enable their customers to commit, since there is no other technical point of responsibility possible. As to spoofed IP's that also is an issue, and the failure of the ISP's to put in place an infrastructure where they could enact better controls is part and parcel to their public denial of responsibility for what their customers do. But I think that those days are rapidly coming to a close, and the Network Providers will be called to task.

As to TCP/IP and the inherent design flaws that allow people to spoof it, those too are much the responsibility of the "networking community" as a whole as well and need to be addressed therein.

You nor any of the ISP's may like this but the facts of the matter are pretty clean and easily discerned and they all point to the Governance Model for developing and releasing protocols whole cloth on the Internet, no matter what they enable people to do. It's time to take a close accounting of what this "Internet" thing really is and put some stronger legislation in place.

Todd Glassey

- Original Message -
From: "Christopher L. Morrow" <[EMAIL PROTECTED]>
To: "Stewart, William C (Bill), RTLSL" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Friday, January 17, 2003 6:29 PM
Subject: Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?

>
>
> On Fri, 17 Jan 2003, Stewart, William C (Bill), RTLSL wrote:
>
> >
> >
> > -Original Message-
> > From: Stewart, William C (Bill), RTLSL
> > Sent: Friday, January 17, 2003 5:35 PM
> > To: '[EMAIL PROTECTED]'
> > Subject: Re: Is there a line of defense against Distributed Reflective
> > attacks?
> >
> >
> > Many of these attacks can be mitigated by ISPs that do
> > anti-spoofing filtering on input - only accepting packets from user ports
>
> Sure, but this is a proven non-scalable solution. HOWEVER, filtering as
> close to the end host is scalable and feasible... do it there, it makes
> MUCH more sense to do it there.
>
> > that have IP addresses that are registered for that port,
> > and not accepting incoming packets from outside their network
> > that claim to be from inside (except maybe from registered dual-homed hosts.)
> > This cuts down on many opportunities for forgery,
> > and means that SYN Flood attacks have a much more limited set of
> > addresses they can forge (e.g. an attacker or zombie can only
> > impersonate other ips sharing its /24 or /29,
> > so it can't pretend to be its victim in a reflection or smurf attack.)
> >
> > That doesn't stop all reflection attacks; a zombie on a network
> > that doesn't do anti-spoofing can send SYNs to a big server on a
> > network that also doesn't anti-spoof, so the server will still SYN-ACK
>
> it's not the 'server' that needs 'anti-spoof' it's the end host, the machine
> in your living room that is on a cable modem for instance... the server in
> this instance is a simple, innocent, machine doing its business.
>
> > to the victim. This cuts out a lot of potential zombie/server pairs.
> > If the server that's being used for reflection is someone the
> > victim would often talk to, that's a problem
> > (you'd rather not block connections to Yahoo),
> > but if it's someone the victim doesn't care about talking to
> > (like router23.example.net) you don't mind blocking it.
> > (Also, why is router23.example.net SYNACKing somebody it doesn't know?)
> >
>
> This is an interesting point. The routers shouldn't really syn-ack (in
> this example) bgp from 'unknown' places... unless you are a neighbor you
> get squat, or that would be a nice feature, eh? :) For some folks, the
> problems aren't confined to just bgp, telnet or ssh on routers are also
> problematic, vty acl's are important :)
>
> > But there are probably 20 million web servers or Kazaa or IM clients out there,
> > and probably half of them are on networks that don't spoof-proof,
> > so blocking those is much tougher than blocking the big ones.
> > And next stop - reflection attacks using big domain servers...
> >
>
> Hmm, I'm not sure, again, that the spoof proof needs to be on the kazaa
> server network, it needs to be on the network where the originating
> attacker is, preferably as close to that host as possible, like its
> default router... Now, the problems with 60million kazaa clients opening
> the floodgates on you are a whole nother problem :)
>
Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?
> *shrug* just seems like it would make more sense to block all incoming
> 'syn' packets.
> Wouldn't that be faster than inspecting the destination port against two
> separate rules?

blocking all SYN's will break too much other stuff (Instant Messengers, games ...). I think we would be much better off if they (consumer ISPs) would block 135-139 and 445, maybe 21 and 80. The rest could be handled with a simple IDS (doesn't even need to match patterns... just count packets going to 27374 and the like)

I keep saying ISPs would be much better off if they implement these filters. But not all of them agree. IMHO: less 'zombies' -> better service -> less support phone calls.

--
[EMAIL PROTECTED] Collaborative Intrusion Detection join http://www.dshield.org
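The "just count packets going to 27374 and the like" IDS suggested above, worked out as an added example (written for this page; it is not DShield's code or any poster's). It reads constructed flow records of the form "time src dst proto dport", counts per-source packets toward a watched port set, and reports sources over a threshold together with how many distinct destinations they hit. The flow lines, the threshold, and the record format are assumptions; the port numbers (135-139, 445, 27374) are the ones named in the message.

```python
"""Packet-count 'IDS' over flow records, with no payload pattern matching.

A source that keeps sending toward a watched port (27374 in the thread)
is reported, together with how many distinct destinations it touched.
"""
from collections import Counter, defaultdict

# Ports named on the list: 135-139 and 445 as the suggested consumer-ISP
# static block, 27374 as the port to count hits on.  Both sets are
# deliberately easy to extend ("and the like").
BLOCK_CANDIDATES = set(range(135, 140)) | {445}
WATCH_PORTS = {27374}

# Constructed sample flow records (not real traffic): "time src dst proto dport".
SAMPLE_FLOWS = """\
12:00:01 192.0.2.10 198.51.100.1 tcp 27374
12:00:01 192.0.2.10 198.51.100.2 tcp 27374
12:00:02 192.0.2.10 198.51.100.3 tcp 27374
12:00:02 192.0.2.10 198.51.100.4 tcp 27374
12:00:03 192.0.2.10 198.51.100.5 tcp 27374
12:00:03 192.0.2.10 198.51.100.6 tcp 27374
12:00:04 192.0.2.20 198.51.100.7 tcp 27374
12:00:04 192.0.2.20 198.51.100.7 tcp 27374
12:00:05 192.0.2.30 198.51.100.8 tcp 80
12:00:05 192.0.2.30 198.51.100.9 tcp 445
this line is garbage and is skipped
""".splitlines()


def parse_flow(line):
    """Parse 'time src dst proto dport'; return None for lines that do not fit."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, proto, dport = parts
    try:
        return ts, src, dst, proto.upper(), int(dport)
    except ValueError:
        return None


def would_be_blocked(dport):
    """True if a static edge filter on the suggested ports would drop this packet."""
    return dport in BLOCK_CANDIDATES


def count_suspects(lines, watch_ports=WATCH_PORTS, threshold=5):
    """Return {src: (packets_to_watched_ports, distinct_destinations)} for
    sources at or above the threshold.  Pure counting, no signatures."""
    packets = Counter()
    targets = defaultdict(set)
    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            continue  # malformed record: ignore rather than crash the collector
        _, src, dst, proto, dport = rec
        if proto == "TCP" and dport in watch_ports:
            packets[src] += 1
            targets[src].add(dst)
    return {src: (n, len(targets[src]))
            for src, n in packets.items() if n >= threshold}


if __name__ == "__main__":
    for src, (n, fanout) in count_suspects(SAMPLE_FLOWS).items():
        print(f"{src}: {n} packets to watched ports, {fanout} distinct targets")
```

The distinct-destination count is what separates a host sweeping a /24 for one backdoor port (high fan-out) from a host retrying one peer (fan-out of 1); the threshold is the only tuning knob, which is the point of the poster's "doesn't even need to match patterns".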
Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?
On Sat, Jan 18, 2003 at 10:45:11PM -0600, Chris Adams wrote:
> How is this different than "ip verify unicast reverse-path" (modulo CEF
> problems and bugs, which of course NEVER happen :-) )?

It would be useful for all sorts of things besides verifying a source address. So in addition to complicated configurations such as multi-homing/paths that you mention, it could also be useful for standard filters on protocols, ports, logging and so on.

John
Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?
Once upon a time, John Kristoff <[EMAIL PROTECTED]> said:
> It might be nice if all router vendors were able to associate the
> interface configured address(es)/nets as a variable for ingress
> filters. So in the Cisco world, a simple example would be:
>
> interface Serial0
>  ip address 192.0.2.1 255.255.255.128
>  ip access-group 100 in
> !
> interface Serial1
>  ip address 192.0.2.129 255.255.255.128
>  ip access-group 100 in
> !
> access-list 100 permit ip $interface-routes any
> access-list 100 deny ip any any

How is this different than "ip verify unicast reverse-path" (modulo CEF problems and bugs, which of course NEVER happen :-) )?

Multihomed customers are more interesting, but if all the single homed customers had uRPF (or $VENDOR's equivalent) enabled it would cut down on a significant amount of the spoofed traffic.

--
Chris Adams <[EMAIL PROTECTED]>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?
On Sat, Jan 18, 2003 at 08:58:13AM -0500, Daniel Senie wrote:
> While it's nice that router vendors implemented unicast RPF to make
> configuration in some cases easier, using simple ACLs isn't necessarily
> hard at the edges either.

It might be nice if all router vendors were able to associate the interface configured address(es)/nets as a variable for ingress filters. So in the Cisco world, a simple example would be:

interface Serial0
 ip address 192.0.2.1 255.255.255.128
 ip access-group 100 in
!
interface Serial1
 ip address 192.0.2.129 255.255.255.128
 ip access-group 100 in
!
access-list 100 permit ip $interface-routes any
access-list 100 deny ip any any

Those sorts of features could make the scaling issue much easier for large providers and environments where routers may have lots of interfaces. An operator could also essentially build tools to automatically configure/verify configurations this way, but I think it would be better for the router vendors to do this for us.

John
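The "build tools to automatically configure/verify" route, as an added example that is not the poster's own tooling or any vendor's feature: a small Python script that parses an IOS-style config in the shape of the example above, derives each interface's connected network, and expands `$interface-routes` into the network/wildcard pair a real ACL needs. Since no platform here offers the per-interface variable, the script emits one numbered ACL per interface (100, 101, ...) instead of the single shared ACL 100 in the message; that renumbering, the `$acl` placeholder, the config text, and the regexes are assumptions of this example. The `permitted()` check is the same decision strict uRPF makes for a single-homed interface, which is the equivalence Chris Adams asks about in the reply.

```python
"""Expand a '$interface-routes' ingress filter into per-interface ACLs.

Given an IOS-style config, derive the connected network of every addressed
interface and emit an ACL that permits only that network as a source: the
single-homed strict-uRPF check written out as plain ACL lines.
"""
import ipaddress
import re

IFACE_RE = re.compile(r"^interface\s+(\S+)\s*$")
ADDR_RE = re.compile(r"^\s*ip address\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)")

# Constructed config in the shape of the example from the thread.
SAMPLE_CONFIG = """\
interface Serial0
 ip address 192.0.2.1 255.255.255.128
 ip access-group 100 in
!
interface Serial1
 ip address 192.0.2.129 255.255.255.128
 ip access-group 100 in
!
"""

# The thread's template, plus an assumed $acl placeholder so each interface
# gets its own ACL number (no per-interface variable exists on the box).
TEMPLATE = [
    "access-list $acl permit ip $interface-routes any",
    "access-list $acl deny ip any any",
]


def parse_interfaces(config_text):
    """Map interface name -> connected IPv4Network for every addressed interface."""
    ifaces, current = {}, None
    for line in config_text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = ADDR_RE.match(line)
        if m and current:
            addr, mask = m.groups()
            # ip_interface accepts 'addr/dotted-mask' and yields the connected net
            ifaces[current] = ipaddress.ip_interface(f"{addr}/{mask}").network
    return ifaces


def expand_acls(ifaces, template=TEMPLATE, base=100):
    """Substitute $interface-routes with 'network wildcard' per interface."""
    acls = {}
    for n, (name, net) in enumerate(sorted(ifaces.items())):
        # IOS wildcard masks are the inverse of the netmask, i.e. the hostmask
        routes = f"{net.network_address} {net.hostmask}"
        acls[name] = [t.replace("$acl", str(base + n)).replace("$interface-routes", routes)
                      for t in template]
    return acls


def render(acls):
    """Config fragment: one access-group per interface, then the ACL bodies."""
    lines = []
    for name in sorted(acls):
        number = acls[name][0].split()[1]
        lines += [f"interface {name}", f" ip access-group {number} in", "!"]
    for name in sorted(acls):
        lines += acls[name]
    return lines


def permitted(ifaces, iface, src):
    """Would a packet with source src be accepted inbound on iface?
    For a single-homed interface this is exactly what strict uRPF decides."""
    return ipaddress.ip_address(src) in ifaces[iface]


if __name__ == "__main__":
    print("\n".join(render(expand_acls(parse_interfaces(SAMPLE_CONFIG)))))
```

Run against a real config, the generated ACLs can be diffed against what is actually applied on each interface, which is the "verify" half of the poster's suggestion; multi-homed interfaces, where the connected network is not the full set of legitimate sources, would need their routes merged in before expansion.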
Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?
At 09:29 PM 1/17/2003, Christopher L. Morrow wrote:
> On Fri, 17 Jan 2003, Stewart, William C (Bill), RTLSL wrote:
>
> > -Original Message-
> > From: Stewart, William C (Bill), RTLSL
> > Sent: Friday, January 17, 2003 5:35 PM
> > To: '[EMAIL PROTECTED]'
> > Subject: Re: Is there a line of defense against Distributed Reflective
> > attacks?
> >
> > Many of these attacks can be mitigated by ISPs that do
> > anti-spoofing filtering on input - only accepting packets from user ports
>
> Sure, but this is a proven non-scalable solution. HOWEVER, filtering as
> close to the end host is scalable and feasible... do it there, it makes
> MUCH more sense to do it there.

Well, let's see... on dialup circuits it should be done and should be a no-brainer. After all, ISPs are required (by UUNet at least) to push in filters to ensure dialup users can only reach port 25 of that ISP's mail servers and be blocked from all other spots. How hard is it to push in one more filter that checks the source IP address of the dialup user to ensure the address coming from the user is the one assigned?

Sure, dialups are not the only problem, but it's an example of blocking close (very close) to the edge.

Each time an ISP sells a T1 with a router and assigns a block of addresses, there's an opportunity to configure that router with filters (ingress/egress depending on which side you look at it from) and at least simple firewalling rules. Is this an expense to the installing ISP, or a cost savings in not having to deal with attacks that came from that network later? Even when a customer provides the CPE, providing sample configurations really costs little and would help. In many cases, the vendor supplying that T1 is one of the same companies which also handles the "core" so it's REALLY in their best interest to take little steps to protect their edges (hard to point fingers from the core and say "it's the edge vendor's problem" when you're also the edge vendor in some cases).

While it's nice that router vendors implemented unicast RPF to make configuration in some cases easier, using simple ACLs isn't necessarily hard at the edges either.

The stumbling block for ingress filtering has always been pretty simple: By implementing ingress, the network you save will be someone else's. You have to trust that other network operators will implement ingress filtering and in so doing save your network. Sadly, folks tend to avoid doing things that might help others, and so I continue to wait for a negligence lawsuit to wake folks up on this issue.

Eliminating spoofed addresses from the backbone, even if it were possible to do 100%, would not eliminate denial of service attacks. The DDoS attacks using coordinated "owned" machines demonstrate this. As spoofing becomes more difficult, tracing back the source of attacks becomes easier. Network operators will still find machines on their networks performing attacks, but when that phone call comes from another network with attack details, the chances of finding the offending host are much greater.
FW: Re: Is there a line of defense against Distributed Reflective attacks?
-Original Message-
From: Stewart, William C (Bill), RTLSL
Sent: Friday, January 17, 2003 5:35 PM
To: '[EMAIL PROTECTED]'
Subject: Re: Is there a line of defense against Distributed Reflective attacks?

Many of these attacks can be mitigated by ISPs that do anti-spoofing filtering on input - only accepting packets from user ports that have IP addresses that are registered for that port, and not accepting incoming packets from outside their network that claim to be from inside (except maybe from registered dual-homed hosts.) This cuts down on many opportunities for forgery, and means that SYN Flood attacks have a much more limited set of addresses they can forge (e.g. an attacker or zombie can only impersonate other ips sharing its /24 or /29, so it can't pretend to be its victim in a reflection or smurf attack.)

That doesn't stop all reflection attacks; a zombie on a network that doesn't do anti-spoofing can send SYNs to a big server on a network that also doesn't anti-spoof, so the server will still SYN-ACK to the victim. This cuts out a lot of potential zombie/server pairs. If the server that's being used for reflection is someone the victim would often talk to, that's a problem (you'd rather not block connections to Yahoo), but if it's someone the victim doesn't care about talking to (like router23.example.net) you don't mind blocking it. (Also, why is router23.example.net SYNACKing somebody it doesn't know?)

But there are probably 20 million web servers or Kazaa or IM clients out there, and probably half of them are on networks that don't spoof-proof, so blocking those is much tougher than blocking the big ones. And next stop - reflection attacks using big domain servers...
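The filter-placement argument that runs through this thread (Bill's zombie/server pairs above, and Chris Morrow's reply that it is the zombie's edge, not the server's, that needs the anti-spoofing filter), modelled as an added example written for this page rather than taken from any message. Two edge networks each either do or do not drop outbound packets whose source address is not their own; a reflector answers every SYN with a SYN-ACK to whatever source it was told. The `summary()` table shows which placements actually keep the SYN-ACK away from the claimed source. All addresses and network names are constructed, and `forgeable()` only restates Bill's /24-versus-/29 point in numbers.

```python
"""Where an anti-spoofing filter must sit to stop a reflected SYN-ACK.

Model: a zombie sends one SYN claiming some source address; the edge it sits
behind may or may not check that source; a reflector replies to the claimed
source; the reflector's edge may or may not check sources on the way out.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str  # "SYN" or "SYN-ACK"


@dataclass
class EdgeNetwork:
    name: str
    prefix: str      # addresses legitimately assigned to this network
    antispoof: bool  # does its edge router drop packets with foreign sources?

    def egress(self, pkt):
        """Return pkt if it may leave this network, None if the filter drops it."""
        if self.antispoof and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.prefix):
            return None
        return pkt


def reflect(pkt):
    """A plain TCP listener answers any SYN with a SYN-ACK to the claimed source."""
    if pkt.flags != "SYN":
        return None
    return Packet(src=pkt.dst, dst=pkt.src, flags="SYN-ACK")


def deliver(zombie_edge, reflector_edge, claimed_src, reflector_ip):
    """Send one SYN claiming claimed_src; return what (if anything) reaches claimed_src."""
    syn = zombie_edge.egress(Packet(src=claimed_src, dst=reflector_ip, flags="SYN"))
    if syn is None:
        return None  # dropped at the zombie's own edge: nothing for the reflector to answer
    # The SYN-ACK's source is the reflector's genuine address, so the
    # reflector's edge has no reason to drop it whatever its policy is.
    return reflector_edge.egress(reflect(syn))


def forgeable(prefix):
    """How many source addresses a host can still claim under a filter of this granularity."""
    return ipaddress.ip_network(prefix).num_addresses


# Constructed scenario (documentation-range addresses, not real hosts).
ZOMBIE_NET, ZOMBIE_IP = "192.0.2.0/24", "192.0.2.7"
REFLECTOR_NET, REFLECTOR_IP = "198.51.100.0/24", "198.51.100.10"
VICTIM_IP = "203.0.113.5"


def summary():
    """For each filter placement: does a spoofed SYN get a SYN-ACK sent to the victim?"""
    cases = {
        "no filtering anywhere": (False, False),
        "filter at zombie's edge": (True, False),
        "filter at reflector's edge only": (False, True),
        "filter at both edges": (True, True),
    }
    out = {}
    for label, (z_filter, r_filter) in cases.items():
        z = EdgeNetwork("zombie-edge", ZOMBIE_NET, z_filter)
        r = EdgeNetwork("reflector-edge", REFLECTOR_NET, r_filter)
        out[label] = deliver(z, r, VICTIM_IP, REFLECTOR_IP) is not None
    return out


if __name__ == "__main__":
    for label, victim_hit in summary().items():
        print(f"{label:34s} victim receives SYN-ACK: {victim_hit}")
    print("legit SYN from the zombie's real address still gets through a filtered edge:",
          deliver(EdgeNetwork("z", ZOMBIE_NET, True), EdgeNetwork("r", REFLECTOR_NET, True),
                  ZOMBIE_IP, REFLECTOR_IP) is not None)
    print("addresses still forgeable behind a /24 filter:", forgeable("192.0.2.0/24"))
    print("addresses still forgeable behind a /29 filter:", forgeable("192.0.2.0/29"))
```

The table is the whole point: only the "filter at zombie's edge" rows stop the victim being hit, because the reflector's reply carries a truthful source and passes any source-address check on its own side. The legitimate-SYN case shows that the filter costs a well-behaved customer nothing, and `forgeable()` is why a /29 filter on a customer link is worth more than a /24 one at the aggregation router.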