Re: Level3 routing issues?

2003-01-28 Thread David Howe

at Monday, January 27, 2003 7:50 PM, [EMAIL PROTECTED] [EMAIL PROTECTED]
was seen to say:
 This is not correct. VPN simply extends security policy to a different
 location. A VPN user must make sure that local security policy
 prevents other traffic from entering VPN connection.
This is nice in theory, but in practice is simply not true. even
assuming that the most restrictive settings are used (user may not
install software by admin setting, has no local administration on his
machine, IP traffic other than via the VPN is exclusive to the vpn
client) it is *still* possible that the machine could be compromised by
(say) an email virus who then bypasses security by any one of a dozen
routes.




Re: Level3 routing issues?

2003-01-28 Thread cowie


  Wow, for a minute I thought I was looking at one of our old
  plots, except for the fact that the x-axis says January 2003
  and not September 2001 :) :)
 
 seeing that the etiology and effects of the two events were quite
 different, perhaps eyeglasses which make them look the same are
 not as useful as we might wish?
 
 randy

If you've been watching, you might agree that the interesting thing is 
not that it looked like that in September 2001,  but that we really
haven't seen a signal that looks like that SINCE September 2001.  

The large differences between the worms are exactly what should make us  
doubly interested in fingering the common mechanism that connects very 
high speed, high diversity wormscan to increased bgp activity.

So far it's been visible as an apparently accidental byproduct of an attack
with other goals.  Are you willing to bet your bifocals that the same 
mechanism can't be weaponized and used against the routing infrastructure 
directly in the future?

--
James Cowie
Renesys Corporation
http://gradus.renesys.com





Re: Level3 routing issues?

2003-01-28 Thread Jack Bates

From:


 So far it's been visible as an apparently accidental byproduct of an
attack
 with other goals.  Are you willing to bet your bifocals that the same
 mechanism can't be weaponized and used against the routing infrastructure
 directly in the future?


Yet the question becomes the reasoning behind it. How much is a direct
result of the worm and how much is a result of actions based on the NE's?
The other question is BGP deployment within smaller networks. I've seen a
lot of different BGP configs handed down from reputable NEs to smaller
businesses and ISPs. Unfortunately, the configs are usually comparable to
what you'd use in a network that has peers beneath it versus what a network
that only has two uplinks requires (ie, AS filtering not really required).

It is quite common that /24 networks listed on connected interfaces not be
null routed which has its good points and bad. When you lose the interface,
the traffic will stop at the local ISP's BGP routers if using ARIN assigned
addresses or it will stop at the upstream provider's routers due to
aggregates if using their IPs. In general, unless cost is an issue, it's
usually good to let the packet come all the way to your network. It makes
external troubleshooting easier and keeps BGP stable so long as the peering
connection isn't lost. Of course, people need to learn to use metrics when
doing null routes. Some people forget they exist. :)

BGP update storms are enough to drop some peering sessions due to
underpowered routers. Some large providers reject updates if the network
goes critical in order to keep traffic manageable while the problem is
determined and rectified. So while I do agree that the worms themselves hold
some sway over the BGP activity, the same lack of preparation that allowed
the worm to run so rampant can also be seen in the networks themselves.

I personally have dealt with enough DOS/DDOS attacks that I have an emergency
plan in place which allows as much control over the network from remote
without depending on the network itself. I have an understanding of how my
network is affected by different loads and which direction cascade failures
will go. Luckily, I have a relatively small network, yet such an
understanding and research should exist for any network regardless of size.
The records of both worms should be indications of the weak points in
people's networks.

Jack Bates
BrightNet Oklahoma




Re: Level3 routing issues?

2003-01-28 Thread cowie

  So far it's been visible as an apparently accidental byproduct of an
 attack
  with other goals.  Are you willing to bet your bifocals that the same
  mechanism can't be weaponized and used against the routing infrastructure
  directly in the future?
 
 
 Yet the question becomes the reasoning behind it. How much is a direct
 result of the worm and how much is a result of actions based on the NE's?

Good question. null routing of traffic destined to a network with a BGP
interface on it will cause the session to drop. That is a BGP effect due
to engineers' actions, indirectly triggered by the worm.  

On the other hand, we also know (from private communications and from
other mailing lists.. ahem) that high rate and high src/dst diversity
of scans causes some network devices to fail (devices that cache flows, or
devices that suffer from cpu overload under such conditions). 

Some BGP-speaking routers (not all, by any means, but some subpopulation)
found themselves pegged at 100% CPU on Saturday.  Just one example: 

   http://noc.ilan.net.il/stats/ILAN-CPU/new-gp-cpu.html

Whether you believe anthropogenic explanations for the instability 
depends on how fast you believe NEs can look, think, and type, compared
to the speed with which the BGP announcement and withdrawal rates are 
observed to take off.  For my part, I'd bet that the long slow exponential 
decay (with superimposed spiky noise) is people at work.  But the initial 
blast is not.

--
James Cowie
Renesys Corporation
http://gradus.renesys.com



Re: Level3 routing issues?

2003-01-28 Thread Jack Bates

From: [EMAIL PROTECTED]

snip
 On the other hand, we also know (from private communications and from
 other mailing lists.. ahem) that high rate and high src/dst diversity
 of scans causes some network devices to fail (devices that cache flows, or
 devices that suffer from cpu overload under such conditions).

 Some BGP-speaking routers (not all, by any means, but some subpopulation)
 found themselves pegged at 100% CPU on Saturday.  Just one example:

http://noc.ilan.net.il/stats/ILAN-CPU/new-gp-cpu.html

Was it not known that under certain conditions the router would flatline?
What precautionary measures were put into place in such an event to limit
the damage?

 Whether you believe anthropogenic explanations for the instability
 depends on how fast you believe NEs can look, think, and type, compared
 to the speed with which the BGP announcement and withdrawal rates are
 observed to take off.  For my part, I'd bet that the long slow exponential
 decay (with superimposed spiky noise) is people at work.  But the initial
 blast is not.

When the crisis is on you, it's too late. You are either prepared and know
exactly what to do at that critical moment or you don't. You either had a 5
minute response time to the crisis or you didn't. We also know (from private
communications and from other mailing lists.. yes, I'm a thief :) that many
NEs were caught with their pants down, a mistake they aren't apt to do
again. It comes down to one's outlook. Do you just configure and maintain or
do you strive to push it to the envelope? Do you truly know your network?
Remember, it's a living, breathing thing. The complexity of variables makes
complete predictability impossible, and so we must learn to understand it
and how it reacts.

Then again, perhaps I'm a lunatic. :)

Jack Bates
BrightNet Oklahoma




Re: Level3 routing issues?

2003-01-28 Thread Hank Nussbacher

At 09:47 AM 28-01-03 -0600, Jack Bates wrote:


From: [EMAIL PROTECTED]

snip
 On the other hand, we also know (from private communications and from
 other mailing lists.. ahem) that high rate and high src/dst diversity
 of scans causes some network devices to fail (devices that cache flows, or
 devices that suffer from cpu overload under such conditions).

 Some BGP-speaking routers (not all, by any means, but some subpopulation)
 found themselves pegged at 100% CPU on Saturday.  Just one example:

http://noc.ilan.net.il/stats/ILAN-CPU/new-gp-cpu.html

Was it not known that under certain conditions the router would flatline?


Yes.  And so does Cisco.


What precautionary measures were put into place in such an event to limit
the damage?


A very reactive NOC.  -Hank



 Whether you believe anthropogenic explanations for the instability
 depends on how fast you believe NEs can look, think, and type, compared
 to the speed with which the BGP announcement and withdrawal rates are
 observed to take off.  For my part, I'd bet that the long slow exponential
 decay (with superimposed spiky noise) is people at work.  But the initial
 blast is not.

When the crisis is on you, it's too late. You are either prepared and know
exactly what to do at that critical moment or you don't. You either had a 5
minute response time to the crisis or you didn't. We also know (from private
communications and from other mailing lists.. yes, I'm a thief :) that many
NEs were caught with their pants down, a mistake they aren't apt to do
again. It comes down to one's outlook. Do you just configure and maintain or
do you strive to push it to the envelope? Do you truly know your network?
Remember, it's a living, breathing thing. The complexity of variables makes
complete predictability impossible, and so we must learn to understand it
and how it reacts.

Then again, perhaps I'm a lunatic. :)

Jack Bates
BrightNet Oklahoma





Re: Level3 routing issues?

2003-01-28 Thread Jared Mauch

On Tue, Jan 28, 2003 at 03:34:15PM +, [EMAIL PROTECTED] wrote:
 Some BGP-speaking routers (not all, by any means, but some subpopulation)
 found themselves pegged at 100% CPU on Saturday.  Just one example: 
 
http://noc.ilan.net.il/stats/ILAN-CPU/new-gp-cpu.html

I wonder how much of this was because of packets
destined *TO* the router.  I don't know about you but I'm not
about to go put access-lists on all 600+ interfaces in some of
my routers.  My push is for Cisco to (and i'm sure others agree, as
well as the other vendors who don't have a similar feature today)
to port their ip receive acl to other important platforms.  The
GSR is not the only router that needs to be protected on the internet
and they seem to be missing that bit of direction.

http://www.cisco.com/en/US/products/sw/iosswrel/ps1829/products_feature_guide09186a00800a8531.html

Not putting this feature in the next releases of software
would be irresponsible on their part after the critical nature
of this attack, IMHO.

- jared

-- 
Jared Mauch  | pgp key available via finger from [EMAIL PROTECTED]
clue++;  | http://puck.nether.net/~jared/  My statements are only mine.



Re: Level3 routing issues?

2003-01-28 Thread Haesu

 http://noc.ilan.net.il/stats/ILAN-CPU/new-gp-cpu.html  Was it not
 known that under certain conditions the router would flatline? What
 precautionary measures were put into place in such an event to limit
 the damage?

scheduler allocate

-hc





Re: Level3 routing issues?

2003-01-27 Thread alex

 Alex, although technically correct, it's not practical.  How many end users
 vpn in from home from say a public ip on their dsl modem leaving
 themselves open to attack but now also having this connection back to the
 Secure inside network.  Has anyone heard of any confirmed cases of this
 yet?

So then they are using a wrong tool. Using a wrong security tool tends to
bite one in the censored.

Yes, I have seen attacks mounted via VPNs. Works like a charm.

Alex




Re: Level3 routing issues?

2003-01-27 Thread Christopher L. Morrow


On Mon, 27 Jan 2003, Scott Granados wrote:


 Alex, although technically correct, it's not practical.  How many end users
 vpn in from home from say a public ip on their dsl modem leaving
 themselves open to attack but now also having this connection back to the
 Secure inside network.  Has anyone heard of any confirmed cases of this
 yet?


I hate to blow a vendor's horn, BUT... checkpoint has at least thought this
through with SecureClient. There is the ability to push down on the vpn
client a local security policy that SHOULD allow you to enforce corporate
network security policy on the remote system.


 On Mon, 27 Jan 2003 [EMAIL PROTECTED] wrote:

 
Note that in the case of a worm, a VPN could work against you.  If you
have all the right filters in place at your perimeter and yet let
your employees in through a VPN solution of some sort, you could still
be screwed if one of their home systems gets infected somehow.
  
   So what you're saying is that a really good worm could infiltrate any secure
   network by targeting those who vpn from exterior sources, collect data, and
   then run? Hmmm. Wait a sec. Would that constitute a worm if it had purpose?
  
 
  This is not correct. VPN simply extends security policy to a different
  location. A VPN user must make sure that local security policy prevents
  other traffic from entering VPN connection.
 
  Alex
 
 





Re: Level3 routing issues?

2003-01-27 Thread Valdis . Kletnieks
On Mon, 27 Jan 2003 14:50:22 EST, [EMAIL PROTECTED] said:

 This is not correct. VPN simply extends security policy to a different
 location. A VPN user must make sure that local security policy prevents
 other traffic from entering VPN connection.

Given that the head of one of our three-letter-agencies managed to get
this sort of thing wrong,  what makes you think that Joe Middle-Manager
who's more concerned about fixing a spreadsheet will get it correct?





Re: Level3 routing issues?

2003-01-27 Thread Simon Lockhart

On Mon Jan 27, 2003 at 03:03:09PM -0500, [EMAIL PROTECTED] wrote:
  Alex, although technically correct, it's not practical.  How many end users
  vpn in from home from say a public ip on their dsl modem leaving
  themselves open to attack but now also having this connection back to the
  Secure inside network.  Has anyone heard of any confirmed cases of this
  yet?
 So then they are using a wrong tool. Using a wrong security tool tends to
 bite one in the censored.

So what's the right tool? Yes, dial or dsl directly into corporate network
is my preferred option, but doesn't fit the corporate plan for the future.
 
 Yes, I have seen attacks mounted via VPNs. Work like charm.

As I suspected, but I keep being told that these problems were in old style
VPN clients, and stuff is much better these days. I remain unconvinced.

Simon
-- 
Simon Lockhart |   Tel: +44 (0)1628 407720  (BBC ext 37720)
Technology Manager |   Fax: +44 (0)1628 407701  (BBC ext 37701)
BBC Internet Services  | Email: [EMAIL PROTECTED] 
BBC Technology, Maiden House, Vanwall Road, Maidenhead. SL6 4UB. UK



Re: Level3 routing issues?

2003-01-27 Thread alex

 On Mon Jan 27, 2003 at 03:03:09PM -0500, [EMAIL PROTECTED] wrote:
   Alex, although technically correct, it's not practical.  How many end users
   vpn in from home from say a public ip on their dsl modem leaving
   themselves open to attack but now also having this connection back to the
   Secure inside network.  Has anyone heard of any confirmed cases of this
   yet?
  So then they are using a wrong tool. Using a wrong security tool tends to
  bite one in the censored.
 
 So what's the right tool? Yes, dial or dsl directly into corporate network
 is my preferred option, but doesn't fit the corporate plan for the future.

Use a client that will push down corporate policy to the client.

  Yes, I have seen attacks mounted via VPNs. Work like charm.
 
 As I suspected, but I keep being told that these problems were in old style
 VPN clients, and stuff is much better these days. I remain unconvinced.

VPN client creates a fake IP interface. If that interface does not get the
policy of a corporate network, you have an open entrance. Some of the
clients (such as the ones CheckPoint has) do that. Others don't.

Alex




Re: Level3 routing issues?

2003-01-27 Thread alex

  This is not correct. VPN simply extends security policy to a different
  location. A VPN user must make sure that local security policy prevents
  other traffic from entering VPN connection.
 
 Given that the head of one of our three-letter-agencies managed to get
 this sort of thing wrong,  what makes you think that Joe Middle-Manager
 who's more concerned about fixing a spreadsheet will get it correct?

Because it is not that difficult. A security policy of a little office is
very different from a security policy of a three letter agency. In fact,
fixing a spreadsheet could be more difficult than implementing a security
policy for an office with 5 computers that are connected to the Internet.

Alex





Re: Level3 routing issues?

2003-01-27 Thread Valdis . Kletnieks
On Mon, 27 Jan 2003 15:33:34 EST, [EMAIL PROTECTED]  said:
 
   This is not correct. VPN simply extends security policy to a different
   location. A VPN user must make sure that local security policy prevents
   other traffic from entering VPN connection.
  
  Given that the head of one of our three-letter-agencies managed to get
  this sort of thing wrong,  what makes you think that Joe Middle-Manager
  who's more concerned about fixing a spreadsheet will get it correct?
 
 Because it is not that difficult. A security policy of a little office is
 very different from a security policy of a three letter agency. In fact,
 fixing a spreadsheet could be more difficult than implementing a security
 policy for an office with 5 computers that are connected to the Internet.

Ahh... but in the case of SQLSlapper, you have a packet coming in to the
PC.. That traffic doesn't get restricted by your hypothetical security
policy, since it's not entering the VPN, and the outbound traffic isn't
either, because it's locally generated.

This also means that your security policy needs to be fixed so Outlook is not
permitted to connect to any other mail servers - because otherwise the user can
check their AOL account, pick up a Nimda, and whomp it into the VPN.

In fact, if you're talking to the VPN and allow any non-VPN connections
*at any time* (even when the VPN isn't active), you have a vulnerability - think
about downloading a file that has a virus that doesn't have a signature from
the vendors yet (like the first 75,000 copies of Nimda that hit our mail
server).  Wanna bet that when that VPN connects, there's some shares available
for the virus to attack? ;)

It's not as easy as it looks.






Re: Level3 routing issues?

2003-01-27 Thread Barney Wolff

On Mon, Jan 27, 2003 at 08:10:15PM +, Simon Lockhart wrote:
 
 As I suspected, but I keep being told that these problems were in old style
 VPN clients, and stuff is much better these days. I remain unconvinced.

A good VPN client (I'm familiar with Nortel) will enforce no *simultaneous*
access to or from on-VPN and off-VPN destinations.  But I'm not aware of
anything that will enforce that a home or portable machine has never been
connected to anything but the corporate network.  That would take TCPA
or the equivalent, which would not bother me if it's on the company's
machine and under control of the company - maybe the only scenario where
TCPA/Palladium-ng would be acceptable.

-- 
Barney Wolff http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.



Re: Level3 routing issues?

2003-01-27 Thread alex

   Given that the head of one of our three-letter-agencies managed to get
   this sort of thing wrong,  what makes you think that Joe Middle-Manager
   who's more concerned about fixing a spreadsheet will get it correct?
  
  Because it is not that difficult. A security policy of a little office is
  very different from a security policy of a three letter agency. In fact,
  fixing a spreadsheet could be more difficult than implementing a security
  policy for an office with 5 computers that are connected to the Internet.
 
 Ahh... but in the case of SQLSlapper, you have a packet coming in to the
 PC.. That traffic doesn't get restricted by your hypothetical security
 policy, since it's not entering the VPN, and the outbound traffic isn't
 either, because it's locally generated.

Umm... Why is the outside world talking to your database server without
supervision?

 This also means that your security policy needs to be fixed so Outlook is
 not permitted to connect to any other mail servers - because otherwise the
 user can check their AOL account, pick up a Nimda, and whomp it into the
 VPN.

Umm.. Why is your security policy allowing Outlook to connect to somewhere
other than your company mail server?

 In fact, if you're talking to the VPN and allow any non-VPN connections
 *at any time* (even when the VPN isn't active), you have a vulnerability - think
 about downloading a file that has a virus that doesn't have a signature from
 the vendors yet (like the first 75,000 copies of Nimda that hit our mail
 server).  Wanna bet that when that VPN connects, there's some shares available
 for the virus to attack? ;)

Nope, in fact, the idea of allowing everything from inside to out is the reason
for the vast majority of the problems in the policy.

 It's not as easy as it looks.

It is very easy. 

Deny everything.
Allow outbound port 80
Allow mail server to 25
Allow ident
If you need netmeeting, allow netmeeting server to other servers.
If you need AIM, allow AIM from workstations to oscar.aol.com and whatever
the name of the other machine.

I am failing to see a problem.
 
 

-- 
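The "deny everything, then allow a short list" host policy Alex lays out, modelled as a first-match packet filter and run against constructed traffic (the UDP/1434 probes the thread is about, Outlook reaching a non-corporate mail server, the VPN gateway itself). This is an added example, not code from the thread; the mail server, VPN gateway, AIM host and client addresses are constructed placeholders.

```python
# Added example: Alex's VPN-client host policy as a first-match packet filter.
# All addresses below are constructed placeholders, not real hosts.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

MAIL_SERVER = "10.0.0.25"     # constructed: the company's own mail server
VPN_GATEWAY = "192.0.2.1"     # constructed: gateway the VPN client connects to
AIM_HOST = "203.0.113.190"    # constructed: stands in for oscar.aol.com
HOST = "10.8.0.2"             # constructed: address of the VPN client host


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out", relative to the VPN client host
    proto: str       # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    direction: str = "any"
    proto: str = "any"
    peer: str = "0.0.0.0/0"      # remote side: dst for "out", src for "in"
    dport: Optional[int] = None  # None matches any destination port
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        remote = p.dst if p.direction == "out" else p.src
        return (self.direction in ("any", p.direction)
                and self.proto in ("any", p.proto)
                and ip_address(remote) in ip_network(self.peer)
                and (self.dport is None or self.dport == p.dport))


# Alex's list in first-match order. "Deny everything" becomes the catch-all
# at the end; the gateway rule is what he later calls "drop all but the
# traffic to/from the gateway the VPN client connects to".
POLICY: List[Rule] = [
    Rule("allow", "any", "any", VPN_GATEWAY + "/32", None, "VPN gateway"),
    Rule("allow", "out", "tcp", "0.0.0.0/0", 80, "outbound port 80"),
    Rule("allow", "out", "tcp", MAIL_SERVER + "/32", 25, "mail server to 25"),
    Rule("allow", "any", "tcp", "0.0.0.0/0", 113, "ident"),
    Rule("allow", "out", "tcp", AIM_HOST + "/32", 5190, "AIM to oscar.aol.com"),
    Rule("deny", comment="deny everything"),
]


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """Return (action, comment) of the first rule that matches p."""
    for r in rules:
        if r.matches(p):
            return r.action, r.comment
    return "deny", "implicit deny"   # only reached if the catch-all is removed


def decide(direction: str, proto: str, remote: str, dport: int) -> str:
    """Build a packet from the client host's point of view and evaluate it."""
    if direction == "out":
        p = Packet("out", proto, HOST, remote, 40000, dport)
    else:
        p = Packet("in", proto, remote, HOST, 40000, dport)
    return evaluate(POLICY, p)[0]


def demo() -> dict:
    """Constructed traffic mix: what the policy lets through and what it drops."""
    return {
        "web, outbound tcp/80":             decide("out", "tcp", "203.0.113.10", 80),
        "Outlook to company mail, tcp/25":  decide("out", "tcp", MAIL_SERVER, 25),
        "Outlook to other mail, tcp/25":    decide("out", "tcp", "198.51.100.5", 25),
        "Slammer probe in, udp/1434":       decide("in", "udp", "198.51.100.77", 1434),
        "host scanning out, udp/1434":      decide("out", "udp", "198.51.100.78", 1434),
        "file share probe in, tcp/139":     decide("in", "tcp", "198.51.100.77", 139),
        "IKE to VPN gateway, udp/500":      decide("out", "udp", VPN_GATEWAY, 500),
    }


if __name__ == "__main__":
    for what, verdict in demo().items():
        print(f"{verdict:5s}  {what}")
```

Note that a port filter like this only decides which sessions exist; it says nothing about what arrives inside an allowed port-80 session, which is the objection raised elsewhere in the thread.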




Re: Level3 routing issues?

2003-01-27 Thread Simon Lockhart

On Mon Jan 27, 2003 at 04:00:51PM -0500, [EMAIL PROTECTED] wrote:
 It is very easy. 
 
 Deny everything.
 Allow outbound port 80
 Allow mail server to 25
 Allow ident
 If you need netmeeting, allow netmeeting server to other servers.
 If you need AIM, allow AIM from workstations to oscar.aol.com and whatever
 the name of the other machine.
 
 I am failing to see a problem.

That's fine for a non-MS view of the world (admittedly, a view I prefer),
but then you've got to allow TCP 138/139 to all the MS servers in your
organisation (why couldn't they separate auth from file sharing from...). 
And then whatever protocols Outlook uses to talk to your
Exchange servers (and if I understand it correctly, that might be more than
one to get to Public Folders, etc). And then SAP. And then Business App A. 
And the Business App B. And...  And...

Me? I'd give them ports 443, 80, 53, 25 and 22, and be done with it. 
If you can't do it with those ports, it's probably not implemented right ;-)

Simon
-- 
Simon Lockhart |   Tel: +44 (0)1628 407720  (BBC ext 37720)
Technology Manager |   Fax: +44 (0)1628 407701  (BBC ext 37701)
BBC Internet Services  | Email: [EMAIL PROTECTED] 
BBC Technology, Maiden House, Vanwall Road, Maidenhead. SL6 4UB. UK



Re: Level3 routing issues?

2003-01-27 Thread Simon Lockhart

On Mon Jan 27, 2003 at 04:16:00PM -0500, [EMAIL PROTECTED] wrote:
 Again, but why does it talk to the outside world unsupervised?  Your
 organization clearly has a border that separates its internal systems from
 external ones. Why not apply those restrictions on *those* borders?

From inside the organisation to outside, yes, ish. Except all those SSL sites
on random port numbers. And other protocols which use random port numbers
(not just peer-to-peer, but also things like FTP, etc).

But, we were talking about end-user connected into the inside network using
a VPN. That user needs to have pretty much unfettered access to the
business parts of your internal network. (Okay, mission critical stuff
should be separately firewalled, but MS makes that hard enough, due to
things like Active Directory, where everything needs to talk to everything).

Simon
-- 
Simon Lockhart |   Tel: +44 (0)1628 407720  (BBC ext 37720)
Technology Manager |   Fax: +44 (0)1628 407701  (BBC ext 37701)
BBC Internet Services  | Email: [EMAIL PROTECTED] 
BBC Technology, Maiden House, Vanwall Road, Maidenhead. SL6 4UB. UK



Re: Level3 routing issues?

2003-01-27 Thread Valdis . Kletnieks
On Mon, 27 Jan 2003 16:00:51 EST, [EMAIL PROTECTED] said:
 It is very easy. 
 
 Deny everything.
 Allow outbound port 80

Bzzt! You just let in an ActiveX exploit. Or Javascript. Or

 Allow mail server to 25

Bzzt! You just let in a new Outlook exploit.

 If you need AIM, allow AIM from workstations to oscar.aol.com and whatever
 the name of the other machine.

Bzzt! You just let in an AIM exploit.  That's assuming that you even *know*
what the current name of the other machine is this time around - this
laptop has had 6 IP addresses in as many hours.  Remember there's a reason
why 'talk [EMAIL PROTECTED]' isn't as common anymore

 I am failing to see a problem.

Well.. other than you let a box that wants to talk on the VPN get outside
access to 3 things that are *KNOWN* vectors of malware which could then
attack the VPN side of things, no, there's no problem here.





Re: [Re: Level3 routing issues?]

2003-01-27 Thread Joshua Smith

Simon Lockhart [EMAIL PROTECTED] wrote:
 
 On Mon Jan 27, 2003 at 04:16:00PM -0500, [EMAIL PROTECTED] wrote:
  Again, but why does it talk to the outside world unsupervised?  Your
  organization clearly has a border that separates its internal systems
from
  external ones. Why not apply those restrictions on *those* borders?
 
 From inside the organisation to outside, yes, ish. Except all those SSL
sites
 on random port numbers. And other protocols which use random port numbers
 (not just peer-to-peer, but also things like FTP, etc).
 
 But, we were talking about end-user connected into the inside network using
 a VPN. That user needs to have pretty much unfettered access to the
 business parts of your internal network. (Okay, mission critical stuff
  should be separately firewalled, but MS makes that hard enough, due to
 things like Active Directory, where everything needs to talk to
everything).
 

and don't forget the fact that nearly every M$ service pack/'critical' 
update changes what ports that program is using (exchange/outlook are
really bad about this)

joshua


 Simon
 -- 
 Simon Lockhart |   Tel: +44 (0)1628 407720  (BBC ext 37720)
 Technology Manager |   Fax: +44 (0)1628 407701  (BBC ext 37701)
 BBC Internet Services  | Email: [EMAIL PROTECTED] 
 BBC Technology, Maiden House, Vanwall Road, Maidenhead. SL6 4UB. UK



Walk with me through the Universe,
 And along the way see how all of us are Connected.
 Feast the eyes of your Soul,
 On the Love that abounds.
 In all places at once, seemingly endless,
 Like your own existence.
 - Stephen Hawking -




Re: Level3 routing issues?

2003-01-27 Thread David G. Andersen

On Sun, Jan 26, 2003 at 12:17:20AM -0500, Tim Griffin mooed:
 
 
 hc wrote:
  I am on Verizon-GNI via Qwest and Genuity and seeing the same problem as
  well.
 
 here's a plot showing the impact on BGP routing tables from seven ISPs 
 (plotted using route-views data): 
 http://www.research.att.com/~griffin/bgp_monitor/sql_worm.html

And as an interesting counterpoint to this, this graph shows
the number of BGP routing updates received at MIT before, during,
and after the worm (3 day window).  Tim's plots showed that the
number of actual routes at the routers he watched was down
significantly - these plots show that the actual BGP traffic
was up quite a bit.  Probably the withdrawals that were taking
routes away from routeviews...

http://nms.lcs.mit.edu/~dga/sqlworm.html

  -Dave

-- 
work: [EMAIL PROTECTED]  me:  [EMAIL PROTECTED]
  MIT Laboratory for Computer Science   http://www.angio.net/
  I do not accept unsolicited commercial email.  Do not spam me.



Re: Level3 routing issues?

2003-01-27 Thread alex


  Deny everything.
  Allow outbound port 80
 Bzzt! You just let in an ActiveX exploit. Or Javascript. Or

And I have successfully blocked everything other than ActiveX or JavaScript
or whatever else.

  Allow mail server to 25
 
 Bzzt! You just let in a new Outlook exploit.

It is talking only to your own server. Presumably you already made sure that
your Outlook by itself does not do anything funny?

  If you need AIM, allow AIM from workstations to oscar.aol.com and whatever
  the name of the other machine.
 
 Bzzt! You just let in an AIM exploit.  That's assuming that you even *know*
 what the current name of the other machine is this time around - this
 laptop has had 6 IP addresses in as many hours.  Remember there's a reason
 why 'talk [EMAIL PROTECTED]' isn't as common anymore

Oscar.aol.com and whatever the name of another .aol.com machine it is
are the names associated with services that AIM connects to. 

  I am failing to see a problem.
 
 Well.. other than you let a box that wants to talk on the VPN get outside
 access to 3 things that are *KNOWN* vectors of malware which could then
 attack the VPN side of things, no, there's no problem here.

That's why the policy on that box that wants to talk to the secure network
over VPN is to drop all but the traffic to/from gateway VPN client connects
to on the floor. 

It is being done. CheckPoint, for example, manages to manage policy on the
client not to contradict the policy of the site. Why others don't do it is
beyond me.

Alex




Re: Level3 routing issues?

2003-01-27 Thread cowie



  here's a plot showing the impact on BGP routing tables from seven ISPs 
  (plotted using route-views data): 
  http://www.research.att.com/~griffin/bgp_monitor/sql_worm.html
 
 And as an interesting counterpoint to this, this graph shows
 the number of BGP routing updates received at MIT before, during,
 and after the worm (3 day window).  Tim's plots showed that the
 number of actual routes at the routers he watched was down
 significantly - these plots show that the actual BGP traffic
 was up quite a bit.  Probably the withdrawals that were taking
 routes away from routeviews...
 
 http://nms.lcs.mit.edu/~dga/sqlworm.html
 
   -Dave

Wow, for a minute I thought I was looking at one of our old plots, 
except for the fact that the x-axis says January 2003 and not 
September 2001  :) :)  

Your plot is consistent with what we saw on Saturday as well.  Looks 
much like a little Nimda. 

Blast from the past:

http://www.renesys.com/projects/bgp_instability

--jim

--
James Cowie
Renesys Corporation
http://gradus.renesys.com




Re: Level3 routing issues?

2003-01-27 Thread David G. Andersen

On Mon, Jan 27, 2003 at 06:15:33PM -0800, Randy Bush mooed:
 
  Wow, for a minute I thought I was looking at one of our old
  plots, except for the fact that the x-axis says January 2003
  and not September 2001 :) :)
 
 seeing that the etiology and effects of the two events were quite
 different, perhaps eyeglasses which make them look the same are
 not as useful as we might wish?

  Actually, an eyeballing of the MIT data would suggest that the SQL
worm hit harder and faster than NIMDA, and resulted in a more
drastic effect on routing tables.  I've updated the page I mentioned
before:

  http://nms.lcs.mit.edu/~dga/sqlworm.html

  to also contain the graph of MIT updates during the NIMDA worm.

I should note that our route monitor moved closer to MIT's border
router between these updates - it's now colocated in the same datacenter,
and before it was across the street, which made it a bit more susceptible
to link resets during the NIMDA worm attack.  LCS is more prone to
dropping off the network than is the entire MIT campus.  Therefore, the
NIMDA graph probably has a few more session resets (the spikes up to
100,000 routes updated) than it should.

  -Dave

-- 
work: [EMAIL PROTECTED]  me:  [EMAIL PROTECTED]
  MIT Laboratory for Computer Science   http://www.angio.net/
  I do not accept unsolicited commercial email.  Do not spam me.



Re: Level3 routing issues?

2003-01-27 Thread Christopher L. Morrow



On Sat, 25 Jan 2003, Bill Woodcock wrote:


   On Sat, 25 Jan 2003, Mikael Abrahamsson wrote:
   Lots of traffic on udp port 1434 coming in here via TW Telecom and Sprint
   Looks like we may have a winner for DDoS of the year (so far)
  What kind of traffic levels are you seeing?

 I'm working on it for some friends, and I'm seeing about 900mbits/second
 on a gigabit link coming out of their hosting facility.  Lots and lots of
 Microsoft crap in there, I guess.

gotcha beat :) dual gig pipes, each with sustained 780mbps... from one
facility, 1.5+gbps sustained!!!


 Somebody remind me why Microsoft is still allowed to exist?


I think the reason is somewhere in layer 8 eh?? Certainly NOT due to any
good technical reason.




Re: Level3 routing issues?

2003-01-26 Thread Iljitsch van Beijnum

On Sat, 25 Jan 2003, K. Scott Bethke wrote:

  Keep in mind that these problems aren't from 'well behaved' hosts, and
  'well behaved' hosts normally listen to ECN/tcp-window/Red/WRED
  classic DoS attack scenario. :(

 I understand the evils, but are we really at the mercy of situations like
 this?  Of course we can firewall the common sense things ahead of time,

I don't think this one could have been reasonably firewalled using a
non-stateful firewall (such as a simple router access list): the port is
unprivileged so it will be used as a source port for regular UDP traffic
such as DNS queries. However, rate limiting UDP would have helped. This
is a reasonable thing to do for customers that have a lot of bandwidth
but don't run high-bandwidth UDP protocols.

 we can jump right in and block evil traffic when it happens, after it takes
 down our network but what sorts of things can we design into our networks
 today to help with these situations?

Rate limit everything you can rate limit, make sure your routers and
switches have enough CPU even if interfaces are saturated with
minimum-sized packets to random destinations. But this type of rDOS
(reversed denial of service) is easy: you can simply filter the
offending systems. If it's the other way around (DOS) there is not much
you can do.

To really solve this we need a mechanism for destination hosts to
authorize source hosts to send data in such a way that intermediate
routers/firewalls can check this authorization and drop unauthorized
packets.




Re: Level3 routing issues?

2003-01-26 Thread Jack Bates

From: Michael Lamoureux


 Note that in the case of a worm, a VPN could work against you.  If you
 have all the right filters in place at your perimeter and yet let
 your employees in through a VPN solution of some sort, you could still
 be screwed if one of their home systems gets infected somehow.


So what you're saying is that a really good worm could infiltrate any secure
network by targeting those who vpn from exterior sources, collect data, and
then run? Hmmm. Wait a sec. Would that constitute a worm if it had purpose?

Jack Bates
Network Engineer





RE: Level3 routing issues?

2003-01-25 Thread Christopher J. Wolff

Of the customers I've had to shut off for being DOS targets, all are
windows boxen.  Perhaps there is a new windows exploit?

Regards,
Christopher J. Wolff, VP CIO
Broadband Laboratories, Inc.
http://www.bblabs.com



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
hc
Sent: Friday, January 24, 2003 11:39 PM
To: Joel Perez
Cc: Aaron Burnett; Alex Rubenstein; [EMAIL PROTECTED]
Subject: Re: Level3 routing issues?



Okay this is getting bad.. one of our routers just locked up from udp 
1434's. Can't even telnet to it now.

-hc

Joel Perez wrote:

My firewalls are going nuts with hits on UDP port 1434 also from 
everywhere!

   -Original Message- 
   From: Aaron Burnett [mailto:[EMAIL PROTECTED]] 
   Sent: Sat 1/25/2003 1:19 AM 
   To: Alex Rubenstein 
   Cc: hc; [EMAIL PROTECTED] 
   Subject: Re: Level3 routing issues?
   
   



   On Sat, 25 Jan 2003, Alex Rubenstein wrote:
   
   
   
I dunno about that. But, I am seeing, in the last couple
hours, all kinds
of new traffic.
   
like, customers who never get attacked or anything, all of a
sudden:
   
   
http://mrtg.nac.net/switch9.oct.nac.net/3865/switch9.oct.nac.net-3865.html
   
   
We are seeing this on ports all across out network -- nearly
1/2 our ports
are in delta alarm right now.
   
Anyone else?
   
   
   Yep. Since about 12:30 am. Getting pounded on UDP port 1434 from
all over
   the world to any address on my network.
   
   

  







RE: Level3 routing issues?

2003-01-25 Thread Andrew Staples

Not just L3 & Genuity is getting whacked.  ELI is getting whacked.
Somebody needs to be gelded.

Andrew




Re: Level3 routing issues?

2003-01-25 Thread Alex Rubenstein



This is definitely a world-wide problem.

Many networks are reporting all sorts of things. Nothing clear, except
that it's all aimed at 1434.

01:28:33.331686 64.21.34.210.28295 > 238.192.142.61.1434:  udp 376 [ttl 1]
01:28:33.331720 207.99.21.121.1917 > 226.39.19.228.1434:  udp 376 [ttl 1]
01:28:33.331772 64.247.0.168.1379 > 239.194.46.210.1434:  udp 376 [ttl 1]
01:28:33.331841 207.99.77.34.3894 > 227.154.8.29.1434:  udp 376 [ttl 1]
01:28:33.331992 207.99.21.120.2558 > 231.16.91.78.1434:  udp 376 [ttl 1]


FYI:

ms-sql-m        1434/tcp   # Microsoft-SQL-Monitor
ms-sql-m        1434/udp   # Microsoft-SQL-Monitor







On Sat, 25 Jan 2003, hc wrote:


 I am on Verizon-GNI via Qwest and Genuity and seeing the same problem as
 well.

 -hc

 Joel Perez wrote:

 I am also seeing increased traffic on my network. It has gotten so bad for one of 
my edge routers that I can't telnet into it.
 But I am on Qwest and GBLX.
 
  -Original Message-
  From: Alex Rubenstein [mailto:[EMAIL PROTECTED]]
  Sent: Sat 1/25/2003 1:04 AM
  To: hc
  Cc: [EMAIL PROTECTED]
  Subject: Re: Level3 routing issues?
 
 
 
 
 
  I dunno about that. But, I am seeing, in the last couple hours, all kinds
  of new traffic.
 
  like, customers who never get attacked or anything, all of a sudden:
 
  
http://mrtg.nac.net/switch9.oct.nac.net/3865/switch9.oct.nac.net-3865.html
 
 
  We are seeing this on ports all across out network -- nearly 1/2 our ports
  are in delta alarm right now.
 
  Anyone else?
 
  I will dig more to look at the traffic.
 
 
 
 
  On Sat, 25 Jan 2003, hc wrote:
 
  
   Anyone seeing routing problems with Level3 at this hour? I just
   witnessed tons of prefixes behind level3's network withdraw. Any
   information on what is happening (if you know) would be great. Thanks!
  
   -hc
  
  
  
 
  -- Alex Rubenstein, AR97, K2AHR, [EMAIL PROTECTED], latency, Al Reuben --
  --Net Access Corporation, 800-NET-ME-36, http://www.nac.net   --
 
 
 
 
 
 


-- Alex Rubenstein, AR97, K2AHR, [EMAIL PROTECTED], latency, Al Reuben --
--Net Access Corporation, 800-NET-ME-36, http://www.nac.net   --





Re: Level3 routing issues?

2003-01-25 Thread matthew zeier

Internap has posted an alert noting widespread latency and packetloss
affecting all their pnaps.

Any SQL Server host at my facility shows an enormous traffic spike at the
times below.  We've begun filtering udp port 1434 in/out.

- Original Message -
From: Andy Dills [EMAIL PROTECTED]
To: Alex Rubenstein [EMAIL PROTECTED]
Cc: hc [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Friday, January 24, 2003 10:37 PM
Subject: Re: Level3 routing issues?



 On Sat, 25 Jan 2003, Alex Rubenstein wrote:

 
 
  I dunno about that. But, I am seeing, in the last couple hours, all
kinds
  of new traffic.
 
  like, customers who never get attacked or anything, all of a sudden:
 
 
http://mrtg.nac.net/switch9.oct.nac.net/3865/switch9.oct.nac.net-3865.html
 
 
  We are seeing this on ports all across out network -- nearly 1/2 our
ports
  are in delta alarm right now.
 
  Anyone else?
 
  I will dig more to look at the traffic.

 Interesting, at almost the exact same time (call it 12:30), qwest dropped
 all but 1000 routes through IAD...still trying to get somebody on the
 phone at their IP noc, not having much luck. Genuity seems fine at the
 moment...

 Any speculation yet? Kind of an odd coincidence of problems...

 Oh, just got through...fiber cut in DC?

 Andy

 
 Andy Dills  301-682-9972
 Xecunet, LLCwww.xecu.net
 
 Dialup * Webhosting * E-Commerce * High-Speed Access






Re: Level3 routing issues?

2003-01-25 Thread william

Really, really bad - most traffic I see is from this virus/dos:

Extended IP access list 152
deny udp any any eq 1434 (5639464 matches) - 94%
permit ip any any (311888 matches) - 6%

Wow!!!

On Fri, 24 Jan 2003 [EMAIL PROTECTED] wrote:

 
 
 Really bad.  Quick capture of filter drops:
 
 PROTO 17 (UDP) pkt from (IP's from all over the world)/1033 to (All my IP
 space)/1434 dropped
 
 On Sat, 25 Jan 2003, hc wrote:
 
 
  Okay this is getting bad.. one of our routers just locked up from udp
  1434's. Can't even telnet to it now.
 
  -hc
 
  Joel Perez wrote:
 
  My firewalls are going nuts with hits on UDP port 1434 also from
  everywhere!
  
 -Original Message-
 From: Aaron Burnett [mailto:[EMAIL PROTECTED]]
 Sent: Sat 1/25/2003 1:19 AM
 To: Alex Rubenstein
 Cc: hc; [EMAIL PROTECTED]
 Subject: Re: Level3 routing issues?
  
  
  
  
  
 On Sat, 25 Jan 2003, Alex Rubenstein wrote:
  
 
 
  I dunno about that. But, I am seeing, in the last couple hours,
  all kinds
  of new traffic.
 
  like, customers who never get attacked or anything, all of a
  sudden:
 
 
  http://mrtg.nac.net/switch9.oct.nac.net/3865/switch9.oct.nac.net-3865.html
 
 
  We are seeing this on ports all across out network -- nearly 1/2
  our ports
  are in delta alarm right now.
 
  Anyone else?
 
  
 Yep. Since about 12:30 am. Getting pounded on UDP port 1434 from
  all over
 the world to any address on my network.
  
  
  
  
  
 
 




New worm/DOS/Level3 routing issues

2003-01-25 Thread Jack Bates

repost* Forgive me if this shows up twice. Mail is flaked via this smtp, and
the last time I sent this, I accidentally sent it to the individual and not
list. heh.

Temporary block in place. My border cpu was starting to hammer up.

Outbound stat about 2 minutes later:
deny udp any any eq 1434 (445523 matches)
permit ip 69.8.0.0 0.0.63.255 any (55749 matches)
permit ip 206.27.138.0 0.0.1.255 any
permit ip 206.30.96.0 0.0.31.255 any (97851 matches)
permit ip 205.162.224.0 0.0.15.255 any (146920 matches)
permit ip 205.240.128.0 0.0.15.255 any (49146 matches)
permit ip 204.249.192.0 0.0.15.255 any (27351 matches)
permit ip 192.133.7.0 0.0.0.255 any (5 matches)
permit ip 63.136.128.0 0.0.3.255 any (379 matches)
permit ip 216.226.0.0 0.0.31.255 any (27173 matches)
permit ip 64.58.32.0 0.0.15.255 any (17368 matches)
permit ip 206.230.34.128 0.0.0.127 any
permit ip 209.54.40.0 0.0.1.255 any
permit ip 206.61.140.0 0.0.0.255 any (52 matches)

Inbound stat at same time:
deny udp any any eq 1434 (53534 matches)
permit ip any any (431556 matches)

CPU load drop of about 20%. Definitely a bad port. Virus suspected due to
inbound and outbound.


Jack Bates
Network Engineer
BrightNet Oklahoma







RE: Level3 routing issues?

2003-01-25 Thread Matthew Kaufman

We are also seeing this traffic at AS4436. Appears to be coming from IP
addresses all over the space. Here's a box that traps all of
165.227.0.0/16:

23:08:13.257197 165.194.123.131.1227 > 165.227.92.176.1434:  udp 376
23:08:13.259778 129.187.150.78.2667 > 165.227.84.186.1434:  udp 376
23:08:13.276695 61.40.143.242.3794 > 165.227.21.48.1434:  udp 376
23:08:13.284191 128.218.133.213.1078 > 165.227.198.96.1434:  udp 376
23:08:13.286648 169.229.141.44.1065 > 165.227.255.90.1434:  udp 376
23:08:13.294512 218.232.109.22.3302 > 165.227.146.129.1434:  udp 376
23:08:13.300412 137.79.10.100.2478 > 165.227.5.230.1434:  udp 376
23:08:13.302869 128.143.100.86.1397 > 165.227.41.248.1434:  udp 376
23:08:13.317327 203.226.64.220.3081 > 165.227.216.188.1434:  udp 376
23:08:13.319908 209.41.170.8.4033 > 165.227.252.85.1434:  udp 376
23:08:13.322365 64.71.177.201.2439 > 165.227.128.21.1434:  udp 376
23:08:13.327937 216.120.60.154.3005 > 165.227.125.156.1434:  udp 376
23:08:13.330435 64.239.145.3.3231 > 165.227.4.161.1434:  udp 376
23:08:13.333016 204.228.229.106.4049 > 165.227.238.69.1434:  udp 376
23:08:13.335350 212.209.231.186.52703 > 165.227.38.136.1434:  udp 376
23:08:13.337930 207.46.200.162.2343 > 165.227.96.170.1434:  udp 376
23:08:13.340388 61.178.83.30.4525 > 165.227.77.119.1434:  udp 376
23:08:13.342887 62.250.16.28.1385 > 165.227.119.91.1434:  udp 376
23:08:13.345468 66.155.116.10.1041 > 165.227.106.35.1434:  udp 376
23:08:13.362506 207.226.255.124.2331 > 165.227.189.42.1434:  udp 376
23:08:13.364964 63.241.139.196.1150 > 165.227.135.221.1434:  udp 376
23:08:13.367422 66.109.239.200.1117 > 165.227.67.250.1434:  udp 376
23:08:13.370042 194.100.187.36.2342 > 165.227.103.27.1434:  udp 376
23:08:13.372501 158.38.141.86.3269 > 165.227.239.113.1434:  udp 376
23:08:13.374959 212.71.66.23.2019 > 165.227.232.118.1434:  udp 376
23:08:13.377417 158.38.141.65.1382 > 165.227.169.58.1434:  udp 376
23:08:13.379915 130.127.8.157.2980 > 165.227.107.122.1434:  udp 376
23:08:13.382496 207.46.200.146.2718 > 165.227.49.107.1434:  udp 376
23:08:13.386100 80.237.200.171.1198 > 165.227.93.216.1434:  udp 376
23:08:13.388557 64.71.180.135.1915 > 165.227.38.41.1434:  udp 376
23:08:13.394660 211.117.60.188.2806 > 165.227.49.12.1434:  udp 376

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On 
 Behalf Of Scott Granados
 Sent: Friday, January 24, 2003 10:41 PM
 To: Alex Rubenstein
 Cc: hc; [EMAIL PROTECTED]
 Subject: Re: Level3 routing issues?
 
 
 
 We just had a box inside one of my customers networks start 
 sending tons of small packets not sure what kind yet.
 
 
 On Sat, 25 Jan 2003, Alex Rubenstein wrote:
 
 
 
  I dunno about that. But, I am seeing, in the last couple hours, all 
  kinds of new traffic.
 
  like, customers who never get attacked or anything, all of a sudden:
 
  
  
  http://mrtg.nac.net/switch9.oct.nac.net/3865/switch9.oct.nac.net-3865.html
 
 
  We are seeing this on ports all across out network -- 
 nearly 1/2 our 
  ports are in delta alarm right now.
 
  Anyone else?
 
  I will dig more to look at the traffic.
 
 
 
 
  On Sat, 25 Jan 2003, hc wrote:
 
  
   Anyone seeing routing problems with Level3 at this hour? I just 
   witnessed tons of prefixes behind level3's network withdraw. Any 
   information on what is happening (if you know) would be great. 
   Thanks!
  
   -hc
  
  
  
 
  -- Alex Rubenstein, AR97, K2AHR, [EMAIL PROTECTED], latency, Al Reuben --
  --Net Access Corporation, 800-NET-ME-36, http://www.nac.net   --
 
 
 
 

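Every capture pasted in this thread has the same shape: one fixed UDP payload size to port 1434, from many unrelated sources, to scattered destinations inside the watched prefix. The following is an added example, not code from any of the posters, that parses tcpdump one-line UDP summaries of the kind Matthew Kaufman pasted above and applies that heuristic to tell a worm-style scan from ordinary client/server traffic on the same port. The capture text (documentation address ranges), the payload length it keys on and the source/destination thresholds are all constructed for illustration.

```python
"""Classify a tcpdump UDP capture for the 'many sources, many destinations,
one payload size' scan pattern discussed in the thread.

Added example; sample captures below are constructed, not real data.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# tcpdump UDP summary line: "HH:MM:SS.usec SRC.SPORT > DST.DPORT: udp LEN [...]"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):\s+udp\s+(?P<length>\d+)"
)


@dataclass(frozen=True)
class UdpPacket:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    length: int


def parse_capture(text: str) -> List[UdpPacket]:
    """Parse UDP summary lines; non-UDP lines (ARP, truncated output) are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        packets.append(UdpPacket(m["ts"], m["src"], int(m["sport"]),
                                 m["dst"], int(m["dport"]), int(m["length"])))
    return packets


def scan_profile(packets: List[UdpPacket], dport: int = 1434) -> Dict[str, object]:
    """Summarise traffic to one destination port: volume, fan-in, fan-out, sizes."""
    hits = [p for p in packets if p.dport == dport]
    return {
        "packets": len(hits),
        "unique_sources": len({p.src for p in hits}),
        "unique_destinations": len({p.dst for p in hits}),
        "lengths": Counter(p.length for p in hits),
    }


def looks_like_worm_scan(profile: Dict[str, object],
                         min_sources: int = 5, min_destinations: int = 5) -> bool:
    """Worm scan signature: a single payload size, many unrelated sources, many
    destinations. A normal client/server exchange (one peer pair, varying sizes)
    or a single-host flood fails at least one of the three tests. Thresholds are
    assumptions for this example."""
    if profile["packets"] == 0:
        return False
    uniform_size = len(profile["lengths"]) == 1
    return (uniform_size
            and profile["unique_sources"] >= min_sources
            and profile["unique_destinations"] >= min_destinations)


# Constructed capture: seven probes of 376 bytes from seven sources to seven
# hosts in 198.51.100.0/24, one DNS reply, one ARP line that must be ignored.
SAMPLE_WORM = """\
23:08:13.257197 192.0.2.10.1227 > 198.51.100.176.1434: udp 376
23:08:13.259778 192.0.2.11.2667 > 198.51.100.186.1434: udp 376
23:08:13.276695 203.0.113.42.3794 > 198.51.100.21.1434: udp 376
23:08:13.284191 203.0.113.213.1078 > 198.51.100.198.1434: udp 376
23:08:13.286648 192.0.2.44.1065 > 198.51.100.255.1434: udp 376
23:08:13.294512 203.0.113.22.3302 > 198.51.100.146.1434: udp 376
23:08:13.300412 192.0.2.100.2478 > 198.51.100.5.1434: udp 376 [ttl 1]
23:08:13.310000 198.51.100.53.53 > 192.0.2.9.3101: udp 87
23:08:13.320000 arp who-has 198.51.100.1 tell 198.51.100.2
"""

# Constructed capture: one client talking to one SQL Monitor port, sizes vary.
SAMPLE_NORMAL = """\
10:00:01.000000 192.0.2.9.2981 > 198.51.100.20.1434: udp 42
10:00:01.100000 192.0.2.9.2981 > 198.51.100.20.1434: udp 58
10:00:01.200000 192.0.2.9.2981 > 198.51.100.20.1434: udp 42
"""


def classify(text: str) -> bool:
    """Parse a capture and return True if it matches the scan signature."""
    return looks_like_worm_scan(scan_profile(parse_capture(text)))


if __name__ == "__main__":
    for name, sample in (("worm", SAMPLE_WORM), ("normal", SAMPLE_NORMAL)):
        print(name, scan_profile(parse_capture(sample)), classify(sample))
```

On a real capture, feed `tcpdump -n -l udp port 1434` output straight into `parse_capture`; the profile also gives the per-source counts you need to decide whether the offending hosts are on your own network (and should be unplugged) or are the rest of the Internet scanning you.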



Re: Level3 routing issues?

2003-01-25 Thread Adam Korab

Hey Blaine,

On Sat, Jan 25, 2003 at 01:53:49AM -0600, Blaine Kahle wrote:

 Same symptoms here. After disabling MS SQL, which required a reboot as
 the process didn't want to shut down normally, the traffic stopped. I
 found 3 boxes on our network that were generating massive amounts of
 traffic, all of which run MS SQL.

This may or may not prove useful:

http://www.microsoft.com/Downloads/details.aspx?displaylang=en&FamilyID=DCFDCBE9-B4EB-4446-9BE7-2DE45CFA6A89

Cheers,

--Adam
-- 
Adam Korab  



Re: Level3 routing issues?

2003-01-25 Thread Jack Bates

From: Dave Stewart


 Lots of traffic on udp port 1434 coming in here via TW Telecom and Sprint

 Looks like we may have a winner for DDoS of the year (so far)


Temporary block in place. My border cpu was starting to hammer up.

Outbound stat about 2 minutes later:
deny udp any any eq 1434 (445523 matches)
permit ip 69.8.0.0 0.0.63.255 any (55749 matches)
permit ip 206.27.138.0 0.0.1.255 any
permit ip 206.30.96.0 0.0.31.255 any (97851 matches)
permit ip 205.162.224.0 0.0.15.255 any (146920 matches)
permit ip 205.240.128.0 0.0.15.255 any (49146 matches)
permit ip 204.249.192.0 0.0.15.255 any (27351 matches)
permit ip 192.133.7.0 0.0.0.255 any (5 matches)
permit ip 63.136.128.0 0.0.3.255 any (379 matches)
permit ip 216.226.0.0 0.0.31.255 any (27173 matches)
permit ip 64.58.32.0 0.0.15.255 any (17368 matches)
permit ip 206.230.34.128 0.0.0.127 any
permit ip 209.54.40.0 0.0.1.255 any
permit ip 206.61.140.0 0.0.0.255 any (52 matches)

Inbound stat at same time:
deny udp any any eq 1434 (53534 matches)
permit ip any any (431556 matches)

CPU load drop of about 20%. Definitely a bad port. Virus suspected due to
inbound and outbound.


Jack Bates
Network Engineer
BrightNet Oklahoma





Re: Level3 routing issues?

2003-01-25 Thread Alex Rubenstein



MS SQL, or SQL Monitor?



On Sat, 25 Jan 2003, Blaine Kahle wrote:

 On Sat, Jan 25, 2003 at 02:05:42AM -0500, Kevin Welch wrote:
  I am seeing similar traffic loads on my network at this hour, one of our
  MS SQL servers seemed to be sending a large amount of traffic out to the
  Internet. Still looking into it but too similar for me to avoid sending
  an e-mail.

 Same symptoms here. After disabling MS SQL, which required a reboot as
 the process didn't want to shut down normally, the traffic stopped. I
 found 3 boxes on our network that were generating massive amounts of
 traffic, all of which run MS SQL.

 --
 Blaine Kahle
 [EMAIL PROTECTED]
 0x178AA0E0


-- Alex Rubenstein, AR97, K2AHR, [EMAIL PROTECTED], latency, Al Reuben --
--Net Access Corporation, 800-NET-ME-36, http://www.nac.net   --





RE: Level3 routing issues?

2003-01-25 Thread Kevin Welch

Same results here, shut down SQL problem went away... started it back
up.. problem started again, so I shut them all down.  One side note all
the egress traffic headed out UU.NET, not our CW or Sprint DS3's...
since we have full routes from all carriers this may be an indicator of
the destination.  Too bad I have a 700MB netflow file I cannot load or
parse or I might be able to provide more detailed information as to a
destination.

-
Kevin Welch [EMAIL PROTECTED]
Network EngineerThe Iserv Company
Desk Ph: 616.493.0577   Cell Ph: 616.437.3861


-Original Message-
From: Blaine Kahle [mailto:[EMAIL PROTECTED]] 
Sent: Saturday, January 25, 2003 2:54 AM
To: Kevin Welch
Cc: 'Alex Rubenstein'; 'hc'; [EMAIL PROTECTED]
Subject: Re: Level3 routing issues?

On Sat, Jan 25, 2003 at 02:05:42AM -0500, Kevin Welch wrote:
 I am seeing similar traffic loads on my network at this hour, one of
our
 MS SQL servers seemed to be sending a large amount of traffic out to
the
 Internet. Still looking into it but too similar for me to avoid
sending
 an e-mail.

Same symptoms here. After disabling MS SQL, which required a reboot as
the process didn't want to shut down normally, the traffic stopped. I
found 3 boxes on our network that were generating massive amounts of
traffic, all of which run MS SQL.

-- 
Blaine Kahle
[EMAIL PROTECTED]
0x178AA0E0




Re: Level3 routing issues?

2003-01-25 Thread Josh Richards

* Josh Richards [EMAIL PROTECTED] [20030124 23:25]:
 
 Same here.  We first saw what looked like a DoS at about 
 09:00 PST.  We're seeing strange stuff all over the place.

Oops, meant to say 09:30 PST.  

-jr


Josh Richards jrichard@{ geekresearch.com, cubicle.net, digitalwest.net }
Geek Research, LLC - Digital West Networks, Inc - San Luis Obispo, CA 
KG6CYK - IP/Unix/telecom/knowledge/coffee/security/crypto/business/geek




Re: Level3 routing issues?

2003-01-25 Thread Jack Bates

From: Mikael Abrahamsson


 What kind of traffic levels are you seeing? With a handful of /16 etc
 we're not seeing more than 5-10 megabits of traffic according to my
 global transit graphs.

 People who haven't null routed their unused prefixes properly will probably
 see a lot of problems though (but that's default).

Going by the decline in both my outbound and inbound access lists over time,
I suspect that the traffic increases when a sql server is found. Once
communication is cut between the two, it appears that there is just scan
data passing through at a lower rate. I have little data to go on, though,
so my assessment may not be accurate.

Jack Bates
BrightNet Oklahoma




Re: Level3 routing issues?

2003-01-25 Thread George William Herbert


Has someone reported the details to CERT yet?
Preferably someone who's got logs and such?


-george william herbert
[EMAIL PROTECTED]




Re: Level3 routing issues?

2003-01-25 Thread Gary Coates

Appears to relate to this cert advisory

http://www.cert.org/advisories/CA-1996-01.html

We have it totally blocked on our network but the routers are working 
over time just rejecting packets.

The only way to stop it is to stop MySQL or kill the hosts network 
connection.




[EMAIL PROTECTED] wrote:

It is global.

01:42:04.040462 194.87.13.21.1812 > x.x.x.x.1434:  rad-account-req
376 [id 1] Attr[  User User User User User User User User User User User
User User User User User User User User User User User User User User User
User User User User User User User [|radius]

That is the traffic...


On Sat, 25 Jan 2003, hc wrote:



I am on Verizon-GNI via Qwest and Genuity and seeing the same problem as
well.

-hc

Joel Perez wrote:



I am also seeing increased traffic on my network. It has gotten so bad for one of my edge routers that I can't telnet into it.
But I am on Qwest and GBLX.

	-Original Message-
	From: Alex Rubenstein [mailto:[EMAIL PROTECTED]]
	Sent: Sat 1/25/2003 1:04 AM
	To: hc
	Cc: [EMAIL PROTECTED]
	Subject: Re: Level3 routing issues?





	I dunno about that. But, I am seeing, in the last couple hours, all kinds
	of new traffic.

	like, customers who never get attacked or anything, all of a sudden:

	http://mrtg.nac.net/switch9.oct.nac.net/3865/switch9.oct.nac.net-3865.html


	We are seeing this on ports all across out network -- nearly 1/2 our ports
	are in delta alarm right now.

	Anyone else?

	I will dig more to look at the traffic.




	On Sat, 25 Jan 2003, hc wrote:

	
	 Anyone seeing routing problems with Level3 at this hour? I just
	 witnessed tons of prefixes behind level3's network withdraw. Any
	 information on what is happening (if you know) would be great. Thanks!
	
	 -hc
	
	
	

	-- Alex Rubenstein, AR97, K2AHR, [EMAIL PROTECTED], latency, Al Reuben --
	--Net Access Corporation, 800-NET-ME-36, http://www.nac.net   --





Re: dos of the week? was RE: Level3 routing issues?

2003-01-25 Thread Eric Gauthier

 my transit traffic doubled (luckily it is the low time of the night for 
 me) from 10-12ish

I work at a really large east coast University.  Our sensors show the problem
starting between 12:30-12:45am this morning...

Eric :)



Re: Level3 routing issues?

2003-01-25 Thread Avleen Vig

On Sat, Jan 25, 2003 at 01:13:30AM -0800, Bill Woodcock wrote:
 
   On Sat, 25 Jan 2003, Mikael Abrahamsson wrote:
   Lots of traffic on udp port 1434 coming in here via TW Telecom and Sprint
   Looks like we may have a winner for DDoS of the year (so far)
  What kind of traffic levels are you seeing?
 
 I'm working on it for some friends, and I'm seeing about 900mbits/second
 on a gigabit link coming out of their hosting facility.  Lots and lots of
 Microsoft crap in there, I guess.
 Somebody remind me why Microsoft is still allowed to exist?

Let's not blame MS for admins who don't know how to secure their boxes
:-)
A patch was released mid-2002 and was also part of SQL Server SP3




Re: Level3 routing issues?

2003-01-25 Thread Alex Rubenstein


On Sat, 25 Jan 2003, Stephen J. Wilcox wrote:

  Somebody remind me why Microsoft is still allowed to exist?

 Dunno, aren't they negligent?

 In any other industry a fundamental flaw would be met with lawsuits, in the
 computer world tho people seem to get around for some reason.

 Steve

Including the developers of SSHD, HTTPD, NAMED, CVS?

How about Linus? Wanna call him up?

I am no windows cheerleader, but to think this is something that happens
only in windows-land is whack -- might as well put your head in the sand.

Simple philosophy: Everything sucks at all times and all places. Routers,
switches, hosts, OS's. We, as operators, have to do our best to deal.

It's arguable you are as liable as anyone else, since this particular
exploit is 'old news' and a patch has been available for it for some time.

Also; everyone who just posted to this list made it abundantly clear that
they don't have a firewall in front of at least one MS SQL server on their
network. Should you really have port 1433/4 open to the world? Would you
do this with a MySql server?




-- Alex Rubenstein, AR97, K2AHR, [EMAIL PROTECTED], latency, Al Reuben --
--Net Access Corporation, 800-NET-ME-36, http://www.nac.net   --





Re: Level3 routing issues?

2003-01-25 Thread Blaine Kahle

On Sat, Jan 25, 2003 at 02:57:16AM -0500, Alex Rubenstein wrote:
 
 MS SQL, or SQL Monitor?

Are those two separate programs? I don't know; I'm not a windows guy. I
just watched over the shoulders of a few other techs as they shut what
appeared to be everything-MSSQL down. I just found the blinkenlights
that were causing the problems, shut those lights off, and pointed the
windows guys to the offending boxes :)


 On Sat, 25 Jan 2003, Blaine Kahle wrote:
 
  On Sat, Jan 25, 2003 at 02:05:42AM -0500, Kevin Welch wrote:
   I am seeing similar traffic loads on my network at this hour, one of our
   MS SQL servers seemed to be sending a large amount of traffic out to the
   Internet. Still looking into it but too similar for me to avoid sending
   an e-mail.
 
  Same symptoms here. After disabling MS SQL, which required a reboot as
  the process didn't want to shut down normally, the traffic stopped. I
  found 3 boxes on our network that were generating massive amounts of
  traffic, all of which run MS SQL.
 
  --
  Blaine Kahle
  [EMAIL PROTECTED]
  0x178AA0E0
 
 
 -- Alex Rubenstein, AR97, K2AHR, [EMAIL PROTECTED], latency, Al Reuben --
 --Net Access Corporation, 800-NET-ME-36, http://www.nac.net   --
 

-- 
Blaine Kahle
[EMAIL PROTECTED]
0x178AA0E0



Re: Level3 routing issues?

2003-01-25 Thread C. Jon Larsen


On Sat, 25 Jan 2003, Avleen Vig wrote:

[snip]

 Let's not blame MS for admins who don't know how to secure their boxes
 :-)
 A patch was released mid-2002 and was also part of SQL Server SP3

Would it not also be a good idea/practice *not* to ever let a MS SQL 
server (or *any* database server) sit on a network that is directly 
accessible from the internet ?  Having a firewall(s) in front of your 
database server regardless of the type is pretty much common sense, right?

Its bad enough to be stuck having to run/support IIS and MSSQL in any 
scenario, but letting MSSQL talk to the world just seems like asking for 
even more trouble.

-jon

-- 
+ Jon Larsen; Chief Technology Officer, Richweb.com
+ GnuPG Public Key http://richweb.com/jlarsen.gpg
+ Richweb.com: Providing Internet-Based Business Solutions since 1995
+ Business Telephone: (804) 359.2220
+ Jon Larsen Cell Phone: (804) 307.6939





Re: Level3 routing issues?

2003-01-25 Thread Alex Rubenstein



From what I have read and researched, it does.



On Sat, 25 Jan 2003, Jack Bates wrote:


 From: Avleen Vig

 
 snip
  Let's not blame MS for admins who don't know how to secure their boxes
  :-)
  A patch was released mid-2002 and was also part of SQL Server SP3
 
 

 Has it been verified that the mid-2002/SP3 patches work? I haven't heard
 anything definitive on this yet.

 Jack Bates
 Network Engineer
 BrightNet Oklahoma


-- Alex Rubenstein, AR97, K2AHR, [EMAIL PROTECTED], latency, Al Reuben --
--Net Access Corporation, 800-NET-ME-36, http://www.nac.net   --





Re: Level3 routing issues?

2003-01-25 Thread K. Scott Bethke

Bill,
- Original Message -
From: Bill Woodcock [EMAIL PROTECTED]
 I'd agree with it.  Except the herds of losers who still buy exploding
 crap from Vendor M don't seem to be thinning themselves out quickly

dude, the Exploding Cars are so much easier to drive than the ones from
Vendor L.  (tic)

 enough.  Maybe they're sexually attractive to each other, and reproduce
 before their stupidity kills them.  That would be unfortunate.  Or maybe
 it's just that none of this computer stuff actually matters, so exploding
 crap isn't actually fatal.  Maybe that's it.

I think it sucks that they are exploding on MY highway.

With that in mind is it time yet to talk about solutions to problems like
this from the network point of view?  Sure it's easy to put up access lists
when needed but I have 100megs available to me on egress and I was trying to
push 450megs.  Is there anything protocol, vendor specific or otherwise that
will not allow rogue machines to at will take up 100% of available
resources?  I know extreme networks has the concept of Max Port utilization
on their switches, will this help?  Suggestions?

-Scotty





Re: Level3 routing issues?

2003-01-25 Thread Avleen Vig

On Sat, Jan 25, 2003 at 12:20:41PM -0500, C. Jon Larsen wrote:
 
 On Sat, 25 Jan 2003, Avleen Vig wrote:
 
 [snip]
 
  Let's not blame MS for admins who don't know how to secure their boxes
  :-)
  A patch was released mid-2002 and was also part of SQL Server SP3
 
 Would it not also be a good idea/practice *not* to ever let a MS SQL 
 server (or *any* database server) sit on a network that is directly 
 accessible from the internet ?  Having a firewall(s) in front of your 
 database server regardless of the type is pretty much common sense, right?
 
 Its bad enough to be stuck having to run/support IIS and MSSQL in any 
 scenario, but letting MSSQL talk to the world just seems like asking for 
 even more trouble.

I agree absolutely. This is just bad practice and the network admins
here need to re-think their security architecture.



Re: Level3 routing issues?

2003-01-25 Thread Neil J. McRae

 Would it not also be a good idea/practice *not* to ever let a MS SQL 
 server (or *any* database server) sit on a network that is directly 
 accessible from the internet ?  Having a firewall(s) in front of your 
 database server regardless of the type is pretty much common sense, right?
 
 Its bad enough to be stuck having to run/support IIS and MSSQL in any 
 scenario, but letting MSSQL talk to the world just seems like asking for 
 even more trouble.
 

That depends on what you are using the server for - it might be
used by various offices around the world, or to interface
with other corporations platforms etc. Ideally this would be in
a secured VPN or at the very least be limited by IP address, but
MS SQL admins are not alone in the pretend everything will be ok
from a security standpoint.

Neil.
--
Neil J. McRae - Alive and Kicking
[EMAIL PROTECTED]



Re: Level3 routing issues?

2003-01-25 Thread Marc Slemko

On Sat, 25 Jan 2003, Alex Rubenstein wrote:

 Including the developers of SSHD, HTTPD, NAMED, CVS?

 How about Linus? Wanna call him up?

 I am no windows cheerleader, but to think this is something that happens
 only in windows-land is whack -- might as well put your head in the sand.

It is interesting to note that one inadvertent advantage of open
source (when it requires people to compile from source, and pick
and choose options at compile time... popular distributions with
precompiled packages obviously break this to a certain degree) is
that it leads to a much more heterogeneous set of software WRT
attacks like buffer overflows.

Contrast this to something that is compiled once (or a small handful
of times) by the vendor, resulting in a much more predictable environment
for many types of exploits.

There have been several worms that have demonstrated this difference.

[...]

 Also; everyone who just posted to this list made it abundantly clear that
 they don't have a firewall in front of at least one MS SQL server on their
 network. Should you really have port 1433/4 open to the world? Would you
 do this with a MySql server?

It is interesting to note that apparently Windows NT and 2000
systems default to a somewhat dated and limited ephemeral port
range of 1024-5000 (cf. MS KB article 196271).  If you are blocking
traffic on a variety of inbound UDP ports in that range using a
simple packet filter, you will randomly be blocking responses to
legitimate outbound UDP traffic, such as DNS.

Granted, in many environments there is no need to allow MS systems to
directly make DNS queries to anything outside the firewall.

There are quite disturbing reports of hosts such as activex.microsoft.com,
lawsqlsrv2.hotmail.com, etc. sourcing these packets (i.e. appearing
to be infected), but they need to be taken with a grain of salt.
It is certainly possible that places who have hosts that are
otherwise firewalled (that's ok, don't need to patch them...) aren't
properly filtering UDP since it is harder to do properly if you
require support for UDP traffic.
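The ephemeral-port collision described above, as an added example that is not part of the post: a stateless filter that drops inbound UDP/1434 also drops a DNS reply whenever the Windows host's query happened to use source port 1434, blocking the whole 1024-5000 range drops every reply, and a filter that remembers outbound datagrams and admits only the matching replies drops none of them while still dropping every unsolicited probe. Addresses and the probe traffic are constructed; the port numbers are the ones the post names.

```python
"""Added example, not from the post: a stateless inbound-UDP block versus
reply tracking, run over constructed traffic.  Addresses are documentation
addresses (RFC 5737); the port numbers are the ones the post names."""
from dataclasses import dataclass

# Default ephemeral source-port range of Windows NT/2000 (MS KB 196271).
WIN_EPHEMERAL = range(1024, 5001)
WORM_PORT = 1434            # UDP port the worm probed
RESOLVER = "198.51.100.53"  # constructed external DNS server
WIN_HOST = "192.0.2.10"     # constructed Windows host behind the filter


@dataclass(frozen=True)
class UdpPacket:
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool  # True when the datagram arrives from the Internet


def stateless_allow(pkt, blocked_dports):
    """Simple packet filter: drop inbound UDP whose destination port is blocked.
    It cannot tell a probe to port 1434 from a DNS reply to a host whose
    query happened to use source port 1434."""
    return not (pkt.inbound and pkt.dport in blocked_dports)


class ReplyTrackingFilter:
    """Same block list, but outbound datagrams are remembered and the matching
    inbound reply is admitted even when its port is on the block list."""

    def __init__(self, blocked_dports):
        self.blocked = set(blocked_dports)
        self.flows = set()  # (inside host, inside port, outside host, outside port)

    def allow(self, pkt):
        if not pkt.inbound:
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return True  # reply to a datagram an inside host sent
        return pkt.dport not in self.blocked


def dns_exchange(ephemeral):
    """A query from the Windows host and the resolver's reply to it."""
    query = UdpPacket(WIN_HOST, ephemeral, RESOLVER, 53, inbound=False)
    reply = UdpPacket(RESOLVER, 53, WIN_HOST, ephemeral, inbound=True)
    return query, reply


def simulate(blocked_dports, stateful):
    """Push constructed traffic through one filter and count what it drops.
    Returns (dns_replies_dropped, worm_probes_dropped, dns_replies_total)."""
    if stateful:
        allow = ReplyTrackingFilter(blocked_dports).allow
    else:
        def allow(pkt):
            return stateless_allow(pkt, blocked_dports)

    dns_dropped = 0
    # Over time the host's queries walk the whole ephemeral range.
    for eph in WIN_EPHEMERAL:
        query, reply = dns_exchange(eph)
        allow(query)  # outbound always passes; the tracking filter records it
        if not allow(reply):
            dns_dropped += 1

    worm_dropped = 0
    # 100 constructed unsolicited probes to UDP/1434 from outside hosts.
    for i in range(100):
        probe = UdpPacket(f"203.0.113.{i % 250 + 1}", 1024 + i,
                          "192.0.2.20", WORM_PORT, inbound=True)
        if not allow(probe):
            worm_dropped += 1
    return dns_dropped, worm_dropped, len(WIN_EPHEMERAL)


if __name__ == "__main__":
    for label, ports, stateful in [
        ("stateless, block 1434 only", {WORM_PORT}, False),
        ("stateless, block 1024-5000", set(WIN_EPHEMERAL), False),
        ("reply tracking, block 1434", {WORM_PORT}, True),
    ]:
        print(label, simulate(ports, stateful))
```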



Re: Level3 routing issues?

2003-01-25 Thread Daniel Senie

At 11:56 AM 1/25/2003, Bill Woodcock wrote:



  Dunno, aren't they negligent?
  In any other industry a fundamental flaw would be met with lawsuits, in the
  computer world tho people seem to get around for some reason.

 Not true, look at cars and recalls. Also as I understand it MS
 issued a fix for this some time ago - it's the users who didn't implement it!

Uh, lemme see if I get your argument.  People who buy exploding cars from
Vendor M are at fault when the cars explode, since cars from Vendor M
always explode, and Vendor M always disclaims responsibility, since
someone usually points out in advance that the cars will explode?

To further torture analogies: So what type of vehicles ARE safe for the 
road, and for which roads? Taking a lawn tractor out on the Interstate 
surely is the fault of the driver, and not the manufacturer. At what point 
do folks figure out that putting production servers out on the Internet 
with no protection whatsoever is an invitation to abuse? Firewalls may not 
be perfect. Server software may not be perfect. Layering security can sure 
help.

It appears this worm only sought to annoy. Perhaps the next one that goes 
after the mass of unpatched MS SQL servers will instead take the 
opportunity to raid these servers for personal information? The 
opportunities for mass-scale identity theft are rather staggering. 



Re: Level3 routing issues?

2003-01-25 Thread Neil J. McRae

 Not sure you can claim something you have for free is liable or with 
 guarantee

That's total rubbish. Whether you pay for it or not shouldn't matter.
You might also want to consider reading the various software agreement
licenses that come with various pieces of software both free and non-free.

 True altho it does appear to affect MS more so than it ought to even considering
 their market lead.

What evidence do you have here? If I count the number of DDOS attacks
from insecure Linux boxes that we've seen in the last year, I'd say that it's
on par.

 I expect my purchases to live up to their sales description

 Yes, that's bad.. people should be more clueful than they are, I blame folks
 being cheap, having staff who are clueless, low quality equipment, this is the
 market we're in.

Do you actually use MS SQL?  From what you've posted I'd say not. Have
you had a network outage that your customers have had to suffer? 

You are blaming yourself in the last statement as it's up to operators to
make sure customers get the message about securing their network.
I've been whining at router manufacturers about a lot of their
default options for years. Last week I whined at Cisco to put a
huge sticker on every CPE router they sell warning about Network
Security and Day to Day administration. How much of this do you
talk to your own customers about? Or do you just take the money?
I don't know of an industry where costs aren't always being lowered.

Regards,
Neil.
--
Neil J. McRae - Alive and Kicking
[EMAIL PROTECTED]



Re: Level3 routing issues?

2003-01-25 Thread Neil J. McRae

 I think you are on the right lines below in suggesting that products and
 services should be supplied safe and not require additional maintenance out of
 the box to make them so (additional changes should make them weaker)

There is no such thing as safe! You have control over what risks you want
to take; the aim should always be to lower them, but if you want safe, pull
the power plug, place your box in a large metal container and sink it in very
deep waters.

  I don't know of an industry where costs aren't always being lowered.
 
 I don't know of one where prices are below cost values such that players of all
 sizes regularly go bankrupt and services are squeezed harder and harder.

Microsoft and XBox is an example, lots of industries have loss
leaders. Still waiting on evidence that most security issues are due
to Microsoft though!

Regards,
Neil.
--
Neil J. McRae - Alive and Kicking
[EMAIL PROTECTED]



Re: Level3 routing issues?

2003-01-25 Thread K. Scott Bethke

On 1/25/03 2:53 PM, Christopher L. Morrow [EMAIL PROTECTED] wrote:
 
 Keep in mind that these problems aren't from 'well behaved' hosts, and
 'well behaved' hosts normally listen to ECN/tcp-window/Red/WRED
 classic DoS attack scenario. :(


Well not everyone plays fair out there.  I imagine this is built into SLAs
too right?  "My network will be up as long as everyone is well behaved"

I understand the evils, but are we really at the mercy of situations like
this?  Of course we can firewall the common sense things ahead of time, and
we can jump right in and block evil traffic when it happens, after it takes
down our network but what sorts of things can we design into our networks
today to help with these situations?

-Scotty




Re: Level3 routing issues?

2003-01-25 Thread Grant A. Kirkwood

On Saturday 25 January 2003 10:03 am, Avleen Vig wrote:
 On Sat, Jan 25, 2003 at 12:20:41PM -0500, C. Jon Larsen wrote:
  On Sat, 25 Jan 2003, Avleen Vig wrote:
 
  [snip]
 
   Let's not blame MS for admins who don't know how to secure their
   boxes
  
   :-)
  
   A patch was released mid-2002 and was also part of SQL Server SP3
 
  Would it not also be a good idea/practice *not* to ever let a MS SQL
  server (or *any* database server) sit on a network that is directly
  accessible from the internet ?  Having a firewall(s) in front of your
  database server regardless of the type is pretty much common sense,
  right?
 
  It's bad enough to be stuck having to run/support IIS and MSSQL in any
  scenario, but letting MSSQL talk to the world just seems like asking
  for even more trouble.

 I agree absolutely. This is just bad practice and the network admins
 here need to re-think their security architecture.

Sometimes that's just not an option. We operate a colo facility, and while
we strongly encourage best practices customers don't always listen. "My
personal firewall will protect me" etc...

It's just unfortunate when one person's ignorance leads to problems for 
other people, as in this case.

-- 
Grant A. Kirkwood - grant(at)tnarg.org
Fingerprint = D337 48C4 4D00 232D 3444 1D5D 27F6 055A BF0C 4AED



Re: Level3 routing issues?

2003-01-25 Thread Neil J. McRae

 Third point to the correlation above: The vast majority of Windows admins
 are dingbat-morons, self-proclaimed experts. Had they not been
 dingbat-morons, and applied the readily available and widely announced
 patches (as zealously as unix folks patch their stuff), this'd be all
 moot, and we'd all have gotten a better night's sleep.

I don't think this is a fair statement either, Linux and Microsoft
have the most issues because they have the largest market share - security
by obscurity. It doesn't mean they have any more issues than any other
vendors, success brings problems and this is one of them.

Regards,
Neil.
--
Neil J. McRae - Alive and Kicking
[EMAIL PROTECTED]



Re: Level3 routing issues?

2003-01-25 Thread Stephen J. Wilcox


On Sat, 25 Jan 2003, Neil J. McRae wrote:

  I think you are on the right lines below in suggesting that products and
  services should be supplied safe and not require additional maintenance out of
  the box to make them so (additional changes should make them weaker)
 
 There is no such thing as safe! You have control over what risks you want
 to take; the aim should always be to lower them, but if you want safe, pull
 the power plug, place your box in a large metal container and sink it in very
 deep waters.

Agreed but on the assumption people will connect their new PC to the Internet
the supplied OS should be appropriately configured.

   I don't know of an industry where costs aren't always being lowered.
  
  I don't know of one where prices are below cost values such that players of all
  sizes regularly go bankrupt and services are squeezed harder and harder.
 
 Microsoft and XBox is an example, lots of industries have loss
 leaders. Still waiting on evidence that most security issues are due
 to Microsoft though!

A loss leader does not cause bankruptcy, they have a profitable section to
sustain the loss making product. In our industry we just seem to run with too
small a margin.

Hmm, don't think I can argue the Linux vs MS point tho, it's a big can of worms!
This may be academic tho in our discussion, are you saying COLT uses MS servers
in favour of linux for its public services?

The question of which is more secure depends on numbers, application, etc. I see
loads of linux patches every month that I don't install because I have not
installed or disabled most features in my OS. I believe if you count security
bulletins linux has in fact overtaken microsoft. On the other hand if you count
incidents you'll find Code Red, Nimda and probably this one too at the top of
the list. But then offset that against the market penetration MS has into joe
public.. and so on.

Here's my advice to the uninitiated. Run linux, run firewalls, disable what you
don't need and listen to folks who have real world experience.

Steve





Re: Level3 routing issues?

2003-01-25 Thread Christopher L. Morrow


On Sat, 25 Jan 2003, K. Scott Bethke wrote:


 Bill,
 - Original Message -
 From: Bill Woodcock [EMAIL PROTECTED]
  I'd agree with it.  Except the herds of losers who still buy exploding
  crap from Vendor M don't seem to be thinning themselves out quickly

 dude, the Exploding Cars are so much easier to drive than the ones from
 Vendor L.  (tic)

unfortunately (being a vendor L user myself) you must admit that these too
have problems :( (at times)


  enough.  Maybe they're sexually attractive to each other, and reproduce
  before their stupidity kills them.  That would be unfortunate.  Or maybe
  it's just that none of this computer stuff actually matters, so exploding
  crap isn't actually fatal.  Maybe that's it.

 I think it sucks that they are exploding on MY highway.

 With that in mind is it time yet to talk about solutions to problems like
 this from the network point of view?  Sure it's easy to put up access lists
 when needed but I have 100megs available to me on egress and I was trying to
 push 450megs.  Is there anything protocol, vendor specific or otherwise that
 will not allow rogue machines to at will take up 100% of available
 resources?  I know extreme networks has the concept of Max Port utilization
 on their switches, will this help?  Suggestions?


Keep in mind that these problems aren't from 'well behaved' hosts, and
'well behaved' hosts normally listen to ECN/tcp-window/Red/WRED
classic DoS attack scenario. :(




Re: Level3 routing issues?

2003-01-25 Thread Stephen J. Wilcox


On Sat, 25 Jan 2003, Avleen Vig wrote:

 
 On Sat, Jan 25, 2003 at 12:20:41PM -0500, C. Jon Larsen wrote:
  
  On Sat, 25 Jan 2003, Avleen Vig wrote:
  
  [snip]
  
   Let's not blame MS for admins who don't know how to secure their boxes
   :-)
   A patch was released mid-2002 and was also part of SQL Server SP3
  
  Would it not also be a good idea/practice *not* to ever let a MS SQL 
  server (or *any* database server) sit on a network that is directly 
  accessible from the internet ?  Having a firewall(s) in front of your 
  database server regardless of the type is pretty much common sense, right?
  
  It's bad enough to be stuck having to run/support IIS and MSSQL in any
  scenario, but letting MSSQL talk to the world just seems like asking for
  even more trouble.
 
 I agree absolutely. This is just bad practice and the network admins
 here need to re-think their security architecture.

I've not looked in any great detail into the exact sources, but of the few I
looked at earlier I was surprised to find them on ADSL .. these may be corporate
networks, this is the bit I don't know, but some of them seemed to be residential,
weird!

Steve




Re: Level3 routing issues?

2003-01-25 Thread Avleen Vig

On Sat, Jan 25, 2003 at 05:08:22PM +, Stephen J. Wilcox wrote:
  Also; everyone who just posted to this list made it abundantly clear that
  they don't have a firewall in front of at least one MS SQL server on their
  network. Should you really have port 1433/4 open to the world? Would you
  do this with a MySql server?
 
 Yes, that's bad.. people should be more clueful than they are, I blame folks
 being cheap, having staff who are clueless, low quality equipment, this is the
 market we're in.

The market we are in was specifically bred by Microsoft in the 90's when
they claimed Windows was so easy to use, anyone could admin it.
They've since changed their tune, but the damage has been done and
continues to be done like last night :(



Re: Level3 routing issues?

2003-01-25 Thread Robert A. Hayden

What about doing some priority-based QoS?  If a single IP exceeds X amount
of traffic, prioritize traffic above that threshold as low.  It would keep
any one single host from saturating a link if the threshold is low.

For example, you may say that each IP is limited to 10mb of priority
traffic.  Yes, a compromised host may try to barf out 90mb of chaff, but
the excess would be moved down the totem pole.

Obviously, this may not make sense in all environments, but in a campus or
large enterprise situation, I can see this occurring on your WAN links in
particular.

On Sat, 25 Jan 2003, K. Scott Bethke wrote:


 Bill,
 - Original Message -
 From: Bill Woodcock [EMAIL PROTECTED]
  I'd agree with it.  Except the herds of losers who still buy exploding
  crap from Vendor M don't seem to be thinning themselves out quickly

 dude, the Exploding Cars are so much easier to drive than the ones from
 Vendor L.  (tic)

  enough.  Maybe they're sexually attractive to each other, and reproduce
  before their stupidity kills them.  That would be unfortunate.  Or maybe
  it's just that none of this computer stuff actually matters, so exploding
  crap isn't actually fatal.  Maybe that's it.

 I think it sucks that they are exploding on MY highway.

 With that in mind is it time yet to talk about solutions to problems like
 this from the network point of view?  Sure it's easy to put up access lists
 when needed but I have 100megs available to me on egress and I was trying to
 push 450megs.  Is there anything protocol, vendor specific or otherwise that
 will not allow rogue machines to at will take up 100% of available
 resources?  I know extreme networks has the concept of Max Port utilization
 on their switches, will this help?  Suggestions?

 -Scotty







Re: Level3 routing issues?

2003-01-25 Thread Christopher L. Morrow


On Sat, 25 Jan 2003, Stephen J. Wilcox wrote:

 I've not looked at any great detail into the exact sources but of the few I
 looked at earlier I was surprised to find them on ADSL .. these may be corporate
 networks this is the bit I dont know but some of them seemed to be residential,
 weird!


Seems this borked software bit is in more than just hardcore SQLServer. It
seems that the bits are also in visio2000 and a few other things :( Hence
the 'more than server platform' infection spread. This also helps to
explain the speed of infection and spread, as with more possible targets
things should move more quickly.

The interesting thing is the huge spike at a common time (00:30 EST); one wonders
if there is a group tracking down the initial infector or not :)




worm design (Re: Level3 routing issues?)

2003-01-25 Thread E.B. Dreger

MS Date: Sat, 25 Jan 2003 10:17:01 -0800 (PST)
MS From: Marc Slemko


MS It is interesting to note that one inadvertent advantage of open
MS source (when it requires people to compile from source, and pick
MS and choose options at compile time... popular distributions with
MS precompiled packages obviously break this to a certain degree) is
MS that it leads to a much more heterogenous set of software WRT
MS attacks like buffer overflows.

1. Position-relative opcodes used in shellcode
2. Syscalls triggered via a software trap, not subroutine call
3. Dynamic linking involves fixups stored in the binary
4. Activate a syscall, then check the stack to find %eip


Eddy
--
Brotsman & Dreger, Inc. - EverQuick Internet Division
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 (785) 865-5885 Lawrence and [inter]national
Phone: +1 (316) 794-8922 Wichita

~
Date: Mon, 21 May 2001 11:23:58 + (GMT)
From: A Trap [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Please ignore this portion of my mail signature.

These last few lines are a trap for address-harvesting spambots.
Do NOT send mail to [EMAIL PROTECTED], or you are likely to
be blocked.




Re: Level3 routing issues?

2003-01-25 Thread Rafi Sadowsky



## On 2003-01-25 20:04 - Stephen J. Wilcox typed:

SJW 
SJW 
SJW Heres my advice to the uninitiated. Run linux, run firewalls, disable what you
SJW dont need and listen to folks who have real world experience.
SJW 
SJW Steve
SJW 
 
 Please don't start a flame war about this but are you implying that the
major Linux distributions are the most secure Unix-like OS
(at least out of the box) ???


-- 
Thanks
Rafi




Re: Level3 routing issues?

2003-01-25 Thread Stephen J. Wilcox

On Sun, 26 Jan 2003, Rafi Sadowsky wrote:

 
 
 ## On 2003-01-25 20:04 - Stephen J. Wilcox typed:
 
 SJW 
 SJW 
 SJW Heres my advice to the uninitiated. Run linux, run firewalls, disable what you
 SJW dont need and listen to folks who have real world experience.
 SJW 
 SJW Steve
 SJW 
  
  Please don't start a flame war about this but are you implying that the
 major Linux distributions are the most secure Unix-like OS
 (at least out of the box) ???

I hadn't really thought about it, I was just offering my approach to running
servers on the public Internet.

Don't read too much into it, I wasn't suggesting that snippet as the absolute way
to connect to the internet.. it was preceded by a discussion on where folks
place their database servers..

Steve




Re: Level3 routing issues?

2003-01-25 Thread Jack Bates

From: Robert A. Hayden


 What about doing some priority-based QoS?  If a single IP exceeds X amount
 of traffic, prioritize traffic above that threshold as low.  It would keep
 any one single host from saturating a link if the threshold is low.

 For example, you may say that each IP is limited to 10mb of prioirty
 traffic.  Yes, a compromised host may try to barf out 90mb of chaff, but
 the excess would be moved down the totem pole.

snip

Down the totem pole isn't off the totem pole. In most cases the issue wasn't
traffic priority. Most network equipment isn't designed to handle 100%
capacity from all ports. Under standard operation, maximum capacity is never
reached. It is cost prohibitive to support it. In addition, this was a dual
issue. Not only did the bandwidth saturate, the packets are so small that in
reaching for 100% saturation, many routers and switches first exceeded their
maximum pps thresholds. The best defense is to monitor and know your
traffic. When traffic becomes uncommon, someone needs to be alerted. A 30%
processor increase is not a good thing; ever. Second, know the optimizations
for your particular equipment and code. Each piece of equipment has its own
optimizations. In my case, it was better to access-list at the router level
than to run bandwidth limiting, and I run a crummy 7200. It's even nicer on
a 7500+ where it's offloaded to the linecard processors. If a portion of the
network or a specific port is unrecoverable, shut it down. The server won't
be able to handle traffic anyways, and it is better to cut off a portion of
the network than lose the entire network.

Jack Bates
Network Engineer
BrightNet Oklahoma
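The per-IP priority threshold proposed earlier in the thread and this reply's point that small packets exhaust a router's pps budget before its bandwidth does, as an added example that is not part of either post: per-source rate accounting over constructed flow records, flagging a source that stays under the 10 Mb/s cap while running far above the router's packet rate and its own baseline. The 10 Mb/s figure is from the thread; PPS_BUDGET, BASELINE_FACTOR, the interval and all flow records are assumed or constructed here.

```python
"""Added example, not from the thread: per-source rate accounting over
constructed flow records.  It contrasts the per-IP bandwidth cap proposed
in the thread with the packets-per-second budget the reply says routers
hit first.  PPS_BUDGET and BASELINE_FACTOR are assumed values."""
from collections import defaultdict
from dataclasses import dataclass

PRIORITY_BPS = 10_000_000  # the 10 Mb/s per-IP priority cap suggested in the thread
PPS_BUDGET = 5_000         # assumed per-source pps budget for this router
BASELINE_FACTOR = 1.3      # assumed: alert when a source runs 30% above its usual pps
INTERVAL_S = 10            # constructed flow export interval in seconds


@dataclass(frozen=True)
class FlowSample:
    """One exported flow record for the interval (constructed)."""
    src: str
    dst: str
    dport: int
    packets: int
    octets: int


def per_source_rates(samples, interval_s=INTERVAL_S):
    """Aggregate records per source into (bits/s, packets/s, mean packet bytes)."""
    octets = defaultdict(int)
    packets = defaultdict(int)
    for s in samples:
        octets[s.src] += s.octets
        packets[s.src] += s.packets
    return {src: (octets[src] * 8 / interval_s,
                  packets[src] / interval_s,
                  octets[src] / packets[src])
            for src in octets}


def classify(rates, baseline_pps=None):
    """Return {src: [reasons]}; an empty list means the source looks normal.
    The bandwidth check is all a bandwidth-only QoS threshold would ever see;
    the pps checks catch a small-packet flood that stays under that cap."""
    baseline_pps = baseline_pps or {}
    verdicts = {}
    for src, (bps, pps, mean_bytes) in rates.items():
        reasons = []
        if bps > PRIORITY_BPS:
            reasons.append("over priority bandwidth cap")
        if pps > PPS_BUDGET:
            reasons.append(f"{pps:.0f} pps exceeds router budget "
                           f"(mean packet {mean_bytes:.0f} B)")
        base = baseline_pps.get(src)
        if base and pps > base * BASELINE_FACTOR:
            reasons.append(f"{pps / base:.1f}x above baseline pps")
        verdicts[src] = reasons
    return verdicts


# Constructed records for one 10 s interval.
SAMPLES = [
    # Bulk HTTP transfer: 9.6 Mb/s of 1500-byte packets, 800 pps.
    FlowSample("192.0.2.10", "198.51.100.7", 80, packets=8_000, octets=12_000_000),
    # Scanning host A: 7.2 Mb/s, under the cap, but 9000 pps of 100-byte
    # datagrams spread over many destinations (two records shown).
    FlowSample("192.0.2.20", "203.0.113.5", 1434, packets=45_000, octets=4_500_000),
    FlowSample("192.0.2.20", "203.0.113.9", 1434, packets=45_000, octets=4_500_000),
    # Scanning host B: 90 Mb/s of 125-byte datagrams, 90000 pps.
    FlowSample("192.0.2.30", "203.0.113.77", 1434, packets=900_000, octets=112_500_000),
]
# Constructed "usual" pps per source, learned from earlier intervals.
BASELINE_PPS = {"192.0.2.10": 700, "192.0.2.20": 40, "192.0.2.30": 60}


if __name__ == "__main__":
    for src, reasons in classify(per_source_rates(SAMPLES), BASELINE_PPS).items():
        print(src, reasons or ["ok"])
```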






Re: Level3 routing issues?

2003-01-25 Thread Avleen Vig

On Sat, Jan 25, 2003 at 02:10:59PM -0800, Stephen Milton wrote:
 
 We have had multiple customers who had SP3 on their boxes that were
 hit.  SP3 was _supposed_ to include this patch, there is no
 verification so far that it did.
 
 Since all the providers have been blocking the attack spread from the
 routers, installing SP3 on boxes post-attack hasn't really been put to
 the test yet.

Did you install WINDOWS service pack 3 or SQL SERVER service pack 3?



Re: Level3 routing issues?

2003-01-25 Thread Alex Rubenstein


MS SQL SP3, _NOT_ MS Windows 2000 SP3.

BIG DIFFERENCE.

http://www.microsoft.com/sql/downloads/2000/sp3.asp



On Sat, 25 Jan 2003, Stephen Milton wrote:


 We have had multiple customers who had SP3 on their boxes that were
 hit.  SP3 was _supposed_ to include this patch, there is no
 verification so far that it did.

 Since all the providers have been blocking the attack spread from the
 routers, installing SP3 on boxes post-attack hasn't really been put to
 the test yet.

 YMMV

 On Sat, Jan 25, 2003 at 08:40:53AM -0800, Avleen Vig eloquently stated:
 
  Let's not blame MS for admins who don't know how to secure their boxes
  :-)
  A patch was released mid-2002 and was also part of SQL Server SP3

 --
 Stephen Milton - Vice President              (425) 881-8769 x102
 ISOMEDIA.COM - Premium Internet Services     (425) 869-9437 Fax
 [EMAIL PROTECTED]                            http://www.isomedia.com


-- Alex Rubenstein, AR97, K2AHR, [EMAIL PROTECTED], latency, Al Reuben --
--Net Access Corporation, 800-NET-ME-36, http://www.nac.net   --





Re: Level3 routing issues?

2003-01-25 Thread Jared Mauch

On Sat, Jan 25, 2003 at 08:56:06AM -0800, Bill Woodcock wrote:
 
   Dunno, aren't they negligent?
   In any other industry a fundamental flaw would be met with lawsuits, in the
   computer world tho people seem to get around for some reason.
 
  Not true, look at cars and recalls. Also as I understand it MS
  issued a fix for this some time ago - it's the users who didn't implement it!
 
 Uh, lemme see if I get your argument.  People who buy exploding cars from
 Vendor M are at fault when the cars explode, since cars from Vendor M
 always explode, and Vendor M always disclaims responsibility, since
 someone usually points out in advance that the cars will explode?
 
 I'm not sure that your argument has anything to do with the law or with
 right and wrong, but in a sort of social-Darwinism sort of way, I guess
 I'd agree with it.  Except the herds of losers who still buy exploding
 crap from Vendor M don't seem to be thinning themselves out quickly
 enough.  Maybe they're sexually attractive to each other, and reproduce
 before their stupidity kills them.  That would be unfortunate.  Or maybe
 it's just that none of this computer stuff actually matters, so exploding
 crap isn't actually fatal.  Maybe that's it.

Time for someone to fight the product liability included
in the 'shrinkwrap' licenses.

I do believe that there should be some sort of
initial grace period for the software industry.. they are
well intentioned and not as old as the car industry.. but the
dire effects and lost sleep for some people need to eventually
be reckoned with.  The grace period should probably be over
now and the industry declared 'mature and liable' for shoddy
software.  If my car has a recall notice, I get a letter saying
"dear sir, your gas tank may explode if used.  please come in for
our inspection."  If they can keep track of those millions of cars
each year, at least somewhat, it should be simple to track who purchased
the software and send them a letter saying "get these patches now.."

or perhaps they can do some agreement with AOL to include
all the latest patches in those CDs^H^H^HCoasters they send me.

- Jared

-- 
Jared Mauch  | pgp key available via finger from [EMAIL PROTECTED]
clue++;  | http://puck.nether.net/~jared/  My statements are only mine.



Re: Level3 routing issues?

2003-01-25 Thread Jack Bates

From: K. Scott Bethke

 Well not everyone plays fair out there.  I imagine this is built into SLAs
 too right?  "My network will be up as long as everyone is well behaved"

You know that customers won't behave. Prepare for it.

 I understand the evils, but are we really at the mercy of situations like
 this?  Of course we can firewall the common sense things ahead of time, and
 we can jump right in and block evil traffic when it happens, after it takes
 down our network but what sorts of things can we design into our networks
 today to help with these situations?


If a customer is infected, then the problem is on their end. The fact that
they don't have throughput is their issue, not the provider's. As
for collateral damage, proper monitoring of the entire network and early
warning systems allow engineers to hopefully stop the problem before it goes
critical. The spool up on this worm was massive and affected some networks
too fast to prevent them going critical. However, tracking and resolution
should easily have been within the SLA windows.

My policy: Hmm, I'm not sure. *ring* Dude, wake up. It's a critical outage.
The whole network is collapsing. Think! *rambles for 5 minutes* Oh, wait.
Never mind, I got it. Go back to sleep. Thanks.

Jack Bates
Network Engineer
BrightNet Oklahoma




Re: Level3 routing issues?

2003-01-25 Thread Avleen Vig

On Sat, Jan 25, 2003 at 10:02:54PM +, Christopher L. Morrow wrote:
 
 On Sat, 25 Jan 2003, Avleen Vig wrote:
 
  The market we are in was specifically bred by Microsoft in the 90's when
  they claimed Windows was so eay to use, anyone could admin it.
  They've since changed their tune, but the damage has been done and
  continues to be done like last night :(
 
 I would agree somewhat with Avleen here... BUT, like I said, it's long past
 the time when every internet connected org really should reevaluate their
 security force's size and abilities :) security is 'important' and we
 really SHOULD get that across to EVERYONE... or at least that's my thought
 :)

You've highlighted my sentiments well :-)
The past is no excuse for running a poor shop now.
There have been multiple incidents over the last 3 years alone that
should wake people up to the problems with their sysadmin and security
staff's lack of skill but people seem not to care at all.

It's ironic to note that most companies who 'don't care', do so because
they don't want to pay the slightly higher buck for good staff or decent
training (hard to find). While at the same time it is these companies
that struggle to float while the ones spending the money get staff who
really care about their work and thus impress the customers more.

(this is of course just one point of view and not the only reasons
companies float/sink).



Re: Level3 routing issues?

2003-01-25 Thread Dave Stewart

At 05:10 PM 1/25/2003, you wrote:


 We have had multiple customers who had SP3 on their boxes that were
 hit.  SP3 was _supposed_ to include this patch, there is no
 verification so far that it did.

 Since all the providers have been blocking the attack spread from the
 routers, installing SP3 on boxes post-attack hasn't really been put to
 the test yet.

 YMMV


Not extensive testing, no... but again...

SQL Server 2000 SP3 is not the same animal as Windows 2000 SP3.

And after installing SQL Server 2000 SP3, I opened up the router to allow 
all the 1434 traffic that came in... the box was hit on numerous occasions 
over the next hour or so, and never did it get infected again.

SQL Server 2000 SP3 was just released on 1/17/2003... while the patch for 
this vulnerability has been out since last July (and yes, I'm guilty of not 
following it closely enough myself... no excuses)



Re: Level3 routing issues?

2003-01-25 Thread Dave Stewart



 If a customer is infected, then the problem is on their end. The fact that
 they don't have throughput is their issue, not the provider's.


Many, many customers don't understand this - if they don't have throughput, 
it's the provider's problem and the provider has to fix it.  One of the 
reasons I'm not providing anymore.

 As for collateral damage, proper monitoring of the entire network and early
 warning systems allow engineers to hopefully stop the problem before it goes
 critical. The spool up on this worm was massive and affected some networks
 too fast to prevent them going critical. However, tracking and resolution
 should easily have been within the SLA windows.


I've seen various references to this worm firing off and saturating 
networks worldwide within 1 minute... if *that* isn't scary, I don't know 
what is.  It shows that someone, with the right tools and enough vulnerable 
servers can take out a good portion of the Internet in seconds.  And how 
can we predict *every* possible issue and block it?

 My policy: Hmm, I'm not sure. *ring* Dude, wake up. It's a critical outage.
 The whole network is collapsing. Think! *rambles for 5 minutes* Oh, wait.
 Never mind, I got it. Go back to sleep. Thanks.


I think there's only so much one can do in advance.  Sure, we all know we 
shouldn't have these servers exposed, but again, many are in the position 
of having to leave them open to some extent - case in point, I have a 
developer who uses dialup (because he's in the sticks in northern Georgia, 
and nothing else is available, and he's a skinflint who uses the free or 
nearly-free dialup providers)... he's also not going to use a VPN... he'll 
just bitch because he can't get to the server.

More cases where you do what you have to... a couple of years ago, when I 
*was* doing the provider bit... I blocked the netbios ports on the 
border.  You have no idea what a cry went up from customers... they *want* 
to share drives over the Internet, and didn't care what risks might be 
involved.  It was, to them, too complicated and/or expensive to do it via a 
VPN.

So I ended up having to open them back up, but kept them blocked to my own 
machines.  Sometimes the best you can do is explain the risks, and then let 
the customer do what they will.  Until they're causing problems... of 
course at that point you can cut 'em off (how many of you shut down 
customer boxen last night?).

I'm no great thinker, and having said that, I'm just not sure we can 
protect everything/everybody.



Re: Level3 routing issues?

2003-01-25 Thread Matthew Kaufman

 I've seen various references to this worm firing off and saturating 
 networks worldwide within 1 minute... if *that* isn't scary, I don't know 
 what is.  It shows that someone, with the right tools and enough vulnerable 
 servers can take out a good portion of the Internet in seconds.  And how 
 can we predict *every* possible issue and block it?

The good news with this worm was that the ports it used had low real utility
for inter-provider traffic. Compare and contrast to Code Red, where "block
TCP port 80" isn't such a great way to slow down the worm if you have any
customers who like to use the web.

A combination of the speed at which this spread and a port nobody wants to
block will undoubtedly happen in the future, and be ugly, both.

Matthew Kaufman
[EMAIL PROTECTED] (home)
[EMAIL PROTECTED] (work)