Re: Sobigf + BGP
We have seen that many people *posting* do not have the best of intentions; I can assure you that there are lurkers on Nanog (surprise, surprise) who are not nearly as naive and well-intentioned as J. O. would hope. In fact, I know that there are subscribers from various print media, various on-line media, and certainly some stunningly unpleasant characters that I run into on other lists. And after being /.ed several times, there are undoubtedly end-users, small enterprises, non-network folks from networking companies, and assorted other groups which don't fit the traditional network operator mold. Oh, and sales people...
Re: Sobigf + BGP
On Wed, 27 Aug 2003 [EMAIL PROTECTED] wrote:

> We have seen that many people *posting* do not have the best of intentions; I can assure you that there are lurkers on Nanog (surprise, surprise) who are not nearly as naive and well-intentioned as J. O. would hope. In fact, I know that there are subscribers from various print media, various on-line media, and certainly some stunningly unpleasant characters that I run into on other lists. And after being /.ed several times, there are undoubtedly end-users, small enterprises, non-network folks from networking companies, and assorted other groups which don't fit the traditional network operator mold. Oh, and sales people...

Case in point:

http://slashdot.org/articles/03/08/27/0214238.shtml?tid=111tid=126

references

http://www.merit.edu/mail.archives/nanog/msg12818.html

For those few finding the NANOG archives for the first time with this /. link, I'm sure they'll take some time to poke around recent threads with interesting titles like "Sobigf + BGP".

Pete
Re: Sobigf + BGP
Stephen J. Wilcox [EMAIL PROTECTED] wrote:

> My impression of most of these people is that they are very clever, and unless you post something here that is really brilliant thinking the chances are these guys can come up with most of the ideas themselves.

When Blaster hit back on Aug 11, I remembered an earlier NANOG post that I saw:

> Subject: Re: Microsoft.com attack?
>
> On Fri, 1 Aug 2003, Adam Maloney [EMAIL PROTECTED] wrote:
>
> > I was just thinking the other day, wouldn't it be funny if there was a worm that had infected machines attack windowsupdate.microsoft.com so you couldn't patch? :)

Despite the windowsupdate.microsoft.com vs windowsupdate.com difference, the paranoid side of me thinks that this was more than coincidental...

-Sounil
Re: Sobigf + BGP
And my wife said 2 days at fortuneteller camp was a waste of money - Hah! This is neat, maybe I can make some more stuff happen. Tomorrow I will win the lottery. My next Qwest bill will be correct. Incidentally, I'd dump that stock you just bought - the CEO of that company is going to be involved in a little incident next week involving 2 goats, a papier-mâché reconstruction of the Eiffel tower, and a well known youth organization. The oracle has spoken :)

> When Blaster hit back on Aug 11, I remembered an earlier NANOG post that I saw:
>
> > Subject: Re: Microsoft.com attack?
> >
> > On Fri, 1 Aug 2003, Adam Maloney [EMAIL PROTECTED] wrote:
> >
> > > I was just thinking the other day, wouldn't it be funny if there was a worm that had infected machines attack windowsupdate.microsoft.com so you couldn't patch? :)
>
> Despite the windowsupdate.microsoft.com vs windowsupdate.com difference, the paranoid side of me thinks that this was more than coincidental...
>
> -Sounil

Adam Maloney
Systems Administrator
Sihope Communications
Re: Sobigf + BGP
> 'vuln'dev', and besides I wouldn't think that any one here would do something malicious with any idea that actually worked for the worse.

Assuming that everyone subscribed to the list has the best of intentions, what about people that can scan the publicly accessible archives? Or even the search engines that have nanog archives indexed? There's nothing wrong with kicking ideas like this around with the intention of coming up with a strategy on how to combat them, but perhaps a more discreet forum would be appropriate?

I didn't get a chance to look at your idea very closely, but there are interesting possibilities brought up.

Guy
Re: Sobigf + BGP
On Sat, 23 Aug 2003, guy wrote:

> > 'vuln'dev', and besides I wouldn't think that any one here would do something malicious with any idea that actually worked for the worse.
>
> Assuming that everyone subscribed to the list has the best of intentions, what about people that can scan the publicly accessible archives? Or even the search engines that have nanog archives indexed? There's nothing wrong with kicking ideas like this around with the intention of coming up with a strategy on how to combat them, but perhaps a more discreet forum would be appropriate?

There are a lot more people subscribed to the list than you actually see posting; I'm sure many of them are representatives of the l33t h4x0r community..

My impression of most of these people is that they are very clever, and unless you post something here that is really brilliant thinking the chances are these guys can come up with most of the ideas themselves.

Steve
Re: Sobigf + BGP
Stephen J. Wilcox wrote:

> On Sat, 23 Aug 2003, guy wrote:
>
> > J. Oquendo wrote:
> >
> > > 'vuln'dev', and besides I wouldn't think that any one here would do something malicious with any idea that actually worked for the worse.

Stunning innocence. I had to read this statement at least four times to be sure that I was not mistaken. Then I examined the headers, and I wonder if you (J. Oquendo) are being a bit disingenuous. You may be well-meaning, but I cannot believe that anyone believes such a thing.

> > Assuming that everyone subscribed to the list has the best of intentions, what about people that can scan the publicly accessible archives? Or even the search engines that have nanog archives indexed? There's nothing wrong with kicking ideas like this around with the intention of coming up with a strategy on how to combat them, but perhaps a more discreet forum would be appropriate?

We have seen that many people *posting* do not have the best of intentions; I can assure you that there are lurkers on Nanog (surprise, surprise) who are not nearly as naive and well-intentioned as J. O. would hope. In fact, I know that there are subscribers from various print media, various on-line media, and certainly some stunningly unpleasant characters that I run into on other lists.

There is no such thing as a discreet forum. If you mean by that a few people exchanging emails, then surely that is not a forum, not being public. If it is publicly accessible, and you aren't sure of precisely every member that's on it, then it's NOT discreet. It may be obscure, but I know plenty of people who specialize in the obscure.

> There are a lot more people subscribed to the list than you actually see posting, I'm sure many of them are representatives of the l33t h4x0r community..

Those are hardly the persons you need worry about. There *is* no hacker community. There may be pockets here and there, with people of varying skills and purposes, but there is no community.

On the other hand, this is almost certainly not a topic for Nanog, even if the word BGP does appear in the original post.

--
In April 1951, Galaxy published C.M. Kornbluth's The Marching Morons. The intervening years have proven Kornbluth right. --Valdis Kletnieks
Sobigf + BGP
I was reading some PDF files on BGP along with Routing TCP/IP v2, and I found myself pondering what a nasty damn worm it would be if someone were to do something using winpcap in conjunction with the worm/virus, and I was a bit confused, disturbed, lost. So I drew up a quick question complete with ascii which can be viewed at politrix.org/segment/brat.txt for those who get a distorted diagram...

Apologies beforehand if this post seems a bit odd, but I did not see anything similar to a networking 'vuln'dev', and besides I wouldn't think that any one here would do something malicious with any idea that actually worked for the worse.

- brat.txt

I was thinking about the recent polymorphic Sobigf worm/virus and wondered about the following hypothetical scenario... Sorry about this ASCIIgram, I didn't want to look for Visio nor any other graphic program to do this in, strictly terms to keep it gritty... So here goes.

Attacker scripts Sobigf variant with a virii/worm generator, and uses pcap (packet capture) under Windows to have his worm send out predefined packets. Let's say he created what I call a 'BRAT' BGP Router Attack Tool. Now this tool isn't something major; it simply sends out two types of packets aimed at routers running BGP. They're both Notification Messages:

    ====================================================================
    | Packet 1 = BGP NM ERROR CODE 2 SUBCODE 2 | Packet 2 = BGP NM ERROR CODE 6 |
    ====================================================================

Now we have the hosts' information:

    www.targetednap.net (4 if's)
        192.168.1.1
        192.168.4.1
        10.10.1.1
        10.10.5.1

    VIC's
        nap.maefi.com    Link 1
        nsp.maefee.com   Link 2
        nap.maefo.com    Link 3
        nsp.maefum.com   Link 4

          Link 1             Link 2
               \             /
                -------------------
                |                 |
                | Targetednap.net |
                |                 |
                -------------------
               /             \
          Link 3             Link 4

Script kiddiot sets up his worm/virii to send packets as Targetednap to all VIC's as Targetednap via spoofing using WinPCAP. Given the rate of connections that were mentioned for SoBigf, what could happen say if route dampening were used between the routers? Would penalties keep adding up making the connection intolerable because of latency, or would it ignore it?

Or what could happen say if the worm was smart enough to send NLRI's of something like $targetvalue=0? Wouldn't this knock off connections between BR's/ABR's, etc.? Are there any flags one can take to prevent this from occurring? Keep in mind that packet creation is not difficult. My guess would be, even if someone didn't get all fancy with the packets being sent, a couple of million packets sent with say a:

    ping -l 25000 $VIC as $TARGETEDNAP

would be enough to cause some massive latency, maybe even disconnect a backbone perhaps? Anyone care to share links on security on this level if any are available?

=
J. Oquendo
rsvp: segment ... antioffline . com
PGP Fingerprint 39A7 24C6 A9A0 6C67 96CA 0302 F1D3 2420 851E E3D0
http://www.politrix.org
http://www.antioffline.com
=
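Added example, not part of the post above or of the brat.txt it references: a small Python decoder for the NOTIFICATION messages the post names (error codes and subcodes per RFC 4271 section 4.5, Cease subcodes per RFC 4486), together with the check an operator would want in a monitoring tool: any NOTIFICATION seen on TCP port 179 from an address that is not a configured peer is flagged, and a per-source count makes a flood from one address stand out. The peer addresses (TEST-NET ranges) and the sample messages are constructed for the example. One practical point on the scenario itself: BGP messages are carried inside an established TCP session on port 179, so a router hands a segment to its BGP process only if it matches the addresses, ports and sequence state of a session it actually has; the usual defences are a filter admitting port 179 only from configured peers and TCP MD5 authentication on each session (RFC 2385).

```python
"""Decode BGP NOTIFICATION messages (RFC 4271 section 4.5) and flag those that
arrive from an address we do not peer with.  Added example for this thread; the
peer list and sample messages are constructed, not captured from a real router."""
import struct
from collections import Counter

BGP_MARKER = b"\xff" * 16   # RFC 4271: 16 octets of all ones
BGP_HEADER_LEN = 19         # marker (16) + length (2) + type (1)
BGP_MAX_LEN = 4096
BGP_NOTIFICATION = 3        # message type code for NOTIFICATION

# Error codes from RFC 4271 section 4.5; Cease subcodes from RFC 4486.
ERROR_CODES = {1: "Message Header Error", 2: "OPEN Message Error",
               3: "UPDATE Message Error", 4: "Hold Timer Expired",
               5: "Finite State Machine Error", 6: "Cease"}
SUBCODES = {
    2: {1: "Unsupported Version Number", 2: "Bad Peer AS", 3: "Bad BGP Identifier",
        4: "Unsupported Optional Parameter", 6: "Unacceptable Hold Time"},
    6: {1: "Maximum Number of Prefixes Reached", 2: "Administrative Shutdown",
        3: "Peer De-configured", 4: "Administrative Reset", 5: "Connection Rejected",
        6: "Other Configuration Change", 7: "Connection Collision Resolution",
        8: "Out of Resources"},
}

def parse_bgp_header(buf):
    """Validate the common 19-byte header and return (length, type)."""
    if len(buf) < BGP_HEADER_LEN:
        raise ValueError("short header: %d bytes" % len(buf))
    marker, length, msg_type = struct.unpack("!16sHB", buf[:BGP_HEADER_LEN])
    if marker != BGP_MARKER:
        raise ValueError("bad marker")
    if length < BGP_HEADER_LEN or length > BGP_MAX_LEN or length > len(buf):
        raise ValueError("bad length %d for a %d-byte buffer" % (length, len(buf)))
    return length, msg_type

def parse_notification(buf):
    """Decode a NOTIFICATION into its error code, subcode and trailing data."""
    length, msg_type = parse_bgp_header(buf)
    if msg_type != BGP_NOTIFICATION:
        raise ValueError("not a NOTIFICATION (type %d)" % msg_type)
    if length < BGP_HEADER_LEN + 2:
        raise ValueError("NOTIFICATION shorter than 21 bytes")
    code, subcode = buf[BGP_HEADER_LEN], buf[BGP_HEADER_LEN + 1]
    # RFC 4271: subcode 0 is sent when no specific subcode applies.
    default_sub = "Unspecific" if subcode == 0 else "Unknown"
    return {"code": code, "subcode": subcode,
            "code_name": ERROR_CODES.get(code, "Unknown"),
            "subcode_name": SUBCODES.get(code, {}).get(subcode, default_sub),
            "data": buf[BGP_HEADER_LEN + 2:length]}

def build_notification(code, subcode, data=b""):
    """Assemble a well-formed NOTIFICATION; used here only to build the samples."""
    body = bytes([code, subcode]) + data
    return BGP_MARKER + struct.pack("!HB", BGP_HEADER_LEN + len(body),
                                    BGP_NOTIFICATION) + body

def audit_notifications(records, peers):
    """records: (source_ip, bgp_payload) pairs taken from TCP/179 segments.
    Returns one finding per record: sender, whether it is a configured peer,
    and what the message says (or why it did not parse)."""
    findings = []
    for src, payload in records:
        try:
            note = parse_notification(payload)
        except ValueError as exc:
            findings.append({"src": src, "verdict": "malformed", "detail": str(exc)})
            continue
        verdict = "from-peer" if src in peers else "unexpected-source"
        findings.append({"src": src, "verdict": verdict,
                         "detail": "%s / %s" % (note["code_name"], note["subcode_name"])})
    return findings

def summarize(findings):
    """Count findings per (source, verdict) so a flood from one address stands out."""
    return Counter((f["src"], f["verdict"]) for f in findings)

# Constructed sample: two configured peers (TEST-NET addresses), one genuine
# shutdown from a peer, the two message types the post describes from an
# address that is not a peer, and one truncated message.
PEERS = {"192.0.2.1", "198.51.100.1"}
SAMPLE_RECORDS = [
    ("192.0.2.1", build_notification(6, 2)),            # Cease / Administrative Shutdown
    ("203.0.113.7", build_notification(2, 2)),          # OPEN Message Error / Bad Peer AS
    ("203.0.113.7", build_notification(6, 0)),          # Cease with no subcode
    ("203.0.113.7", BGP_MARKER + b"\x00\x15\x03\x02"),  # length says 21, only 20 bytes present
]

if __name__ == "__main__":
    results = audit_notifications(SAMPLE_RECORDS, PEERS)
    for finding in results:
        print(finding)
    print(summarize(results))
```

The check keys on the source address rather than on message content because a NOTIFICATION from a configured peer is normal (it is how a peer announces a shutdown or reset), while one from any other address is either spoofed or misdirected and worth an alert either way; the length and marker checks in the header parser are what keep a malformed or truncated message from being misread as a valid one.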
Re: Sobigf + BGP
J. Oquendo [EMAIL PROTECTED] writes:

> Apologies beforehand if this post seems a bit odd, but I did not see anything similar to a networking 'vuln'dev', and besides I wouldn't think that any one here would do something malicious with any idea that actually worked for the worse.

This is very naive.

---rob
(feeling like rbush this morning)