Re: IOS Rookit: the sky isn't falling (yet)

2008-05-28 Thread Gadi Evron

On Thu, 29 May 2008, Steven M. Bellovin wrote:

> On Wed, 28 May 2008 10:37:05 +0100
> <[EMAIL PROTECTED]> wrote:
>
> > > So let's see - if you had a billion CPUs in your botnet, and
> > > each one could go at a billion to the second, you still need
> > > 2**69 seconds or 449,235,776,528,695 years.  Not bad - only
> > > 10,000 times the amount of time this planet has been around,
> > > so yeah, that's the way they'll attack all right.
> >
> > I didn't say that. I said that they are starting with an IOS image
> > in which there are some small number of bytes which they can possibly
> > change and still have a functional image. So it is likely that they
> > will brute force that by computing an MD5 hash on all variations of
> > those few bytes. It's like winning the lottery, you only *NEED* to
> > buy one ticket. No matter how slim the chances are of bad guys winning
> > that lottery, it is no excuse for ignoring the possibility that an
> > MD5 hash check may not be proof that you have an original image.
> >
> Did you even look at Valdis' arithmetic?  It *won't work*.  It isn't
> "likely" that they'll try anything with that low a chance of success.
> As for "no matter how slim the chances" -- if you want to have even a
> vague chance of succeeding before Sol turns into a red giant, you're
> going to have to devote enormous resources to the project.  (Actually,
> I don't think you can succeed even then, not by brute force -- there
> aren't a "small number of bytes" that can be changed, you can introduce
> "random" "typographical" errors in error messages for the SNA stack or
> some such, and if you're doing a brute force pre-image attack on MD5 any
> bit is as good as any other.)  Let's put it purely in economic terms:
> which is a better way to invest your effort, building a machine (or
> botnet) with many billions of processors and still having no plausible
> chance of winning, or -- as you yourself suggest -- getting the HVAC
> contract for the data center.  Or putting back doors in the chips.  Or
> bribing or blackmailing coders.  Or breaking into the vault where Cisco
> keeps its master RSA key.  Or funding a vast research effort on
> cracking MD5 before it's replaced by SHA-512.  Or *something* even
> vaguely sane, because brute-forcing MD5 isn't physically possible.

I don't understand how this discussion got to breaking MD5 to begin with?
The whole point was that the results will be manipulated due to the
rootkit messing with the test, no?

Gadi.

> --Steve Bellovin, http://www.cs.columbia.edu/~smb





Re: Network meltdowns anywhere in US?

2008-05-28 Thread virendra rode //

Tuc at T-B-O-H wrote:
>> On Wed, May 28, 2008 at 4:05 PM, Tuc at T-B-O-H.NET <[EMAIL PROTECTED]> 
>> wrote:
>>
>>> Hi,
>>>
>>>Sorry, would have posted this elsewhere, but I can't get
>>> to a lot of places...
>>>
>>>I originally started chasing not being able to get to
>>> 71.74.56.243 (RR Mail server). I then found out neither L3 nor
>>> my other connection saw it in the table. I checked a few other
>>> router servers, some had it, some didn't.
>>>
>>>Now, though, I'm trying to get a few other places and
>>> most of them oddly seem to hang off L3 (Like the outages
>>> list. :) )
>>>
>>>Any ideas if there is some meltdown happening
>>> in L3 or elsewhere?
>>>
>>>Thanks, Tuc
>>>
>>> 
>> From a cursory glance seems to be ok from where I'm currently looking from
>> (at&t), then again I haven't done my technical diligence. Will need to look
>> further and I'm sure someone will pipe up.
>>
>> Do you have any traceroutes, route stats, etc to give us as to what you are
>> experiencing?
>>
> 
>   A bit more "clue"... :)
> 
>   1) If it's been discussed before, I was out that day... But it seems
> that CERF NET route-server isn't quite authoritative:
> 
> route-server>sho ip bgp 204.107.90.128
> % Network not in table
> 
> route-server>sho ip bgp
> 
> route-server>
- -
you could also try,

route-views.oregon-ix.net>sho ip bgp 204.107.90.128
BGP routing table entry for 204.107.90.0/24, version 201333
Paths: (35 available, best #32, table Default-IP-Routing-Table)
  Not advertised to any peer
  3303 3356 1784 35954
164.128.32.11 from 164.128.32.11 (164.128.32.11)
  Origin IGP, localpref 100, valid, external
  Community: 3303:5004
  3277 3267 9002 1784 35954
194.85.4.55 from 194.85.4.55 (194.85.4.16)
  Origin IGP, localpref 100, valid, external
  Community: 3277:3267 3277:65100 3277:65320 3277:65326
  812 6461 3356 7911 35954
64.71.255.61 from 64.71.255.61 (64.71.255.61)
  Origin IGP, localpref 100, valid, external
  293 3356 7911 35954
134.55.200.1 from 134.55.200.1 (134.55.200.1)
  Origin IGP, localpref 100, valid, external
  Community: 293:14 293:41
  2905 701 3356 1784 35954
196.7.106.245 from 196.7.106.245 (196.7.106.245)
  Origin IGP, metric 0, localpref 100, valid, external
  4513 13789 22212 1784 35954
209.10.12.125 from 209.10.12.125 (209.10.12.125)
  Origin IGP, metric 4103, localpref 100, valid, external
  4513 12182 3356 7911 35954
209.10.12.156 from 209.10.12.156 (209.10.12.156)
  Origin IGP, metric 7002, localpref 100, valid, external
  2497 1784 35954
202.232.0.2 from 202.232.0.2 (202.232.0.2)
  Origin IGP, localpref 100, valid, external
  5511 3356 1784 35954
193.251.245.6 from 193.251.245.6 (193.251.245.6)
  Origin IGP, localpref 100, valid, external
  3257 3356 7911 35954
89.149.178.10 from 89.149.178.10 (213.200.87.40)
  Origin IGP, metric 10, localpref 100, valid, external
  Community: 3257:3150 3257:3152 3257:5010
  6079 1784 35954
207.172.6.162 from 207.172.6.162 (207.172.6.162)
  Origin IGP, metric 6, localpref 100, valid, external
  6539 1784 35954
66.59.190.221 from 66.59.190.221 (66.59.190.221)
  Origin IGP, localpref 100, valid, external
  6453 3356 1784 35954
195.219.96.239 from 195.219.96.239 (195.219.96.239)
  Origin IGP, localpref 100, valid, external
  1221 4637 3356 7911 35954
203.62.252.186 from 203.62.252.186 (203.62.252.186)
  Origin IGP, localpref 100, valid, external
  7500 2516 1784 35954
202.249.2.86 from 202.249.2.86 (203.178.133.115)
  Origin IGP, localpref 100, valid, external
  7660 2516 1784 35954
203.181.248.168 from 203.181.248.168 (203.181.248.168)
  Origin IGP, localpref 100, valid, external
  Community: 2516:1030
  2914 3356 7911 35954
129.250.0.171 from 129.250.0.171 (129.250.0.12)
  Origin IGP, metric 1, localpref 100, valid, external
  Community: 2914:420 2914:2000 2914:3000 65504:3356
  6079 1784 35954
207.172.6.20 from 207.172.6.20 (207.172.6.20)
  Origin IGP, metric 0, localpref 100, valid, external
  701 3356 7911 35954
157.130.10.233 from 157.130.10.233 (137.39.3.60)
  Origin IGP, localpref 100, valid, external
  1668 3356 7911 35954
66.185.128.48 from 66.185.128.48 (66.185.128.48)
  Origin IGP, metric 504, localpref 100, valid, external
  3549 3356 7911 35954
208.51.134.254 from 208.51.134.254 (67.17.81.162)
  Origin IGP, metric 53, localpref 100, valid, external
  Community: 3549:2142 3549:30840
  852 1239 3356 7911 35954
154.11.11.113 from 154.11.11.113 (154.11.11.113)
  Origin IGP, metric 0, localpref 100, valid, external
  Community: 852:180
   3356 1784 35954
193.0.0.56 from 193.0.0.56 (193.0.0.56)
  Origin IGP, localpref 100, valid, external
  3356 7911 35954
4.68.1.1
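Tuc's problem was a prefix that some route servers carried and others did not. When a view does carry it, the next thing worth checking is what the paths agree on: whether every path ends in the same origin AS (an origin mismatch is how a hijack or a leak shows up) and which ASes sit directly upstream of it. The script below is an added example, not part of the thread or of any route server's software. SAMPLE_OUTPUT is an excerpt of the route-views.oregon-ix.net output quoted above; HIJACK_SAMPLE appends a constructed path from private ASNs to show what an origin mismatch looks like.

```python
"""Parse a route server's `show ip bgp <prefix>` output and check what the paths agree on.

Added example; not part of the thread. SAMPLE_OUTPUT is an excerpt of the
route-views.oregon-ix.net output quoted above; HIJACK_SAMPLE appends a constructed
path from private ASNs (64512 65000) to show what an origin mismatch looks like.
"""
import re
from collections import Counter

SAMPLE_OUTPUT = """\
BGP routing table entry for 204.107.90.0/24, version 201333
Paths: (35 available, best #32, table Default-IP-Routing-Table)
  Not advertised to any peer
  3303 3356 1784 35954
    164.128.32.11 from 164.128.32.11 (164.128.32.11)
      Origin IGP, localpref 100, valid, external
      Community: 3303:5004
  3277 3267 9002 1784 35954
    194.85.4.55 from 194.85.4.55 (194.85.4.16)
      Origin IGP, localpref 100, valid, external
      Community: 3277:3267 3277:65100 3277:65320 3277:65326
  812 6461 3356 7911 35954
    64.71.255.61 from 64.71.255.61 (64.71.255.61)
      Origin IGP, localpref 100, valid, external
  293 3356 7911 35954
    134.55.200.1 from 134.55.200.1 (134.55.200.1)
      Origin IGP, localpref 100, valid, external
      Community: 293:14 293:41
  2497 1784 35954
    202.232.0.2 from 202.232.0.2 (202.232.0.2)
      Origin IGP, localpref 100, valid, external
"""

# Constructed: the same prefix also seen with an unrelated origin (private ASNs, not real).
HIJACK_SAMPLE = SAMPLE_OUTPUT + """\
  64512 65000
    192.0.2.1 from 192.0.2.1 (192.0.2.1)
      Origin IGP, localpref 100, valid, external
"""

NOT_IN_TABLE = "% Network not in table"
PREFIX_RE = re.compile(r"^BGP routing table entry for (\S+),")
AS_PATH_RE = re.compile(r"^\s*(\d+(?:\s+\d+)*)\s*$")          # a line of nothing but ASNs
NEXT_HOP_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+) from (\S+) \((\S+)\)")
ORIGIN_RE = re.compile(r"^\s*Origin (\w+),(.*)$")


def parse_show_ip_bgp(text: str) -> dict:
    """Return {'prefix': str or None, 'paths': [...]}; each path carries as_path
    (list of int), next_hop, peer, router_id, origin and the remaining attribute
    words. A '% Network not in table' answer yields an empty path list."""
    result = {"prefix": None, "paths": []}
    current = None
    for line in text.splitlines():
        if line.strip() == NOT_IN_TABLE:
            return result
        m = PREFIX_RE.match(line)
        if m:
            result["prefix"] = m.group(1)
            continue
        m = AS_PATH_RE.match(line)
        if m:
            current = {"as_path": [int(a) for a in m.group(1).split()]}
            result["paths"].append(current)
            continue
        if current is None:
            continue
        m = NEXT_HOP_RE.match(line)
        if m:
            current["next_hop"], current["peer"], current["router_id"] = m.groups()
            continue
        m = ORIGIN_RE.match(line)
        if m:
            current["origin"] = m.group(1)
            current["attrs"] = [a.strip() for a in m.group(2).split(",") if a.strip()]
    return result


def origin_report(parsed: dict) -> dict:
    """What the collected paths agree on: origin ASNs, the ASNs directly upstream
    of the origin, and how many paths cross each transit ASN."""
    paths = [p["as_path"] for p in parsed["paths"]]
    return {
        "origins": Counter(p[-1] for p in paths),
        "upstreams": Counter(p[-2] for p in paths if len(p) > 1),
        "transit": Counter(asn for p in paths for asn in set(p[:-1])),
    }


def inconsistent_origin_paths(parsed: dict, expected_origin: int) -> list:
    """Paths whose origin is not the ASN that should be announcing the prefix:
    the case worth alerting on (hijack, leak, or a customer misconfiguration)."""
    return [p for p in parsed["paths"] if p["as_path"][-1] != expected_origin]


if __name__ == "__main__":
    parsed = parse_show_ip_bgp(SAMPLE_OUTPUT)
    print(parsed["prefix"], origin_report(parsed))
    print("bad origins:", inconsistent_origin_paths(parse_show_ip_bgp(HIJACK_SAMPLE), 35954))
```

Run against the full output, `origin_report` gives the same picture Tuc was piecing together by hand: one origin (35954), two upstreams (1784 and 7911), and 3356 on a large share of the transit paths, which is why a Level 3 problem would take so many views with it.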

Re: IOS Rookit: the sky isn't falling (yet)

2008-05-28 Thread Steven M. Bellovin
On Wed, 28 May 2008 10:37:05 +0100
<[EMAIL PROTECTED]> wrote:

> > So let's see - if you had a billion CPUs in your botnet, and 
> > each one could go at a billion to the second, you still need 
> > 2**69 seconds or 449,235,776,528,695 years.  Not bad - only 
> > 10,000 times the amount of time this planet has been around, 
> > so yeah, that's the way they'll attack all right.
> 
> I didn't say that. I said that they are starting with an IOS image
> in which there are some small number of bytes which they can possibly
> change and still have a functional image. So it is likely that they
> will brute force that by computing an MD5 hash on all variations of
> those few bytes. It's like winning the lottery, you only *NEED* to
> buy one ticket. No matter how slim the chances are of bad guys winning
> that lottery, it is no excuse for ignoring the possibility that an
> MD5 hash check may not be proof that you have an original image.
> 
Did you even look at Valdis' arithmetic?  It *won't work*.  It isn't
"likely" that they'll try anything with that low a chance of success.
As for "no matter how slim the chances" -- if you want to have even a
vague chance of succeeding before Sol turns into a red giant, you're
going to have to devote enormous resources to the project.  (Actually,
I don't think you can succeed even then, not by brute force -- there
aren't a "small number of bytes" that can be changed, you can introduce
"random" "typographical" errors in error messages for the SNA stack or
some such, and if you're doing a brute force pre-image attack on MD5 any
bit is as good as any other.)  Let's put it purely in economic terms:
which is a better way to invest your effort, building a machine (or
botnet) with many billions of processors and still having no plausible
chance of winning, or -- as you yourself suggest -- getting the HVAC
contract for the data center.  Or putting back doors in the chips.  Or
bribing or blackmailing coders.  Or breaking into the vault where Cisco
keeps its master RSA key.  Or funding a vast research effort on
cracking MD5 before it's replaced by SHA-512.  Or *something* even
vaguely sane, because brute-forcing MD5 isn't physically possible.


--Steve Bellovin, http://www.cs.columbia.edu/~smb
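Two practical points fall out of this exchange and Gadi's follow-up: the device's own `verify /md5` is part of the system under suspicion, so the image has to be hashed and compared somewhere the rootkit cannot reach, and a brute-force preimage search is bounded by the 128-bit digest, not by how few bytes of the image an attacker is willing to vary. The script below is an added example, not code from the thread or from Cisco; the image contents, the "published" digests and the hash rate are constructed for the demonstration.

```python
"""Out-of-band image verification plus the brute-force arithmetic argued above.

Added example; not code from the thread or from Cisco. Image contents, the
'published' digests and the hash rate are constructed for the demonstration.
"""
import hashlib
import hmac
import math
import os
import tempfile

MD5_BITS = 128
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def preimage_work_seconds(hash_bits: int, hashes_per_second: float) -> float:
    """Worst-case time to exhaust a hash_bits-bit preimage space at the given
    aggregate rate. Varying 'only a few bytes' of the image does not shrink
    this: the target is the 128-bit digest, not the bytes you happen to vary."""
    return math.ldexp(1.0, hash_bits) / hashes_per_second


def seconds_to_years(seconds: float) -> float:
    return seconds / SECONDS_PER_YEAR


def file_digest(path: str, algorithm: str = "md5", chunk_size: int = 1 << 20) -> str:
    """Hex digest of a file, streamed so a large image is not read into memory at once."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(path: str, published: dict) -> bool:
    """Hash the image on a trusted workstation and compare with every digest the
    vendor published ({"md5": ..., "sha256": ...}). All must match. Run this off
    the device: a rootkitted router can lie about its own `verify` result."""
    ok = True
    for algorithm, expected in published.items():
        actual = file_digest(path, algorithm)
        ok = hmac.compare_digest(actual.lower(), expected.lower()) and ok
    return ok


def demo() -> dict:
    """Constructed sample: a fake image, its 'published' digests, and a copy with
    a single bit flipped, the 'small number of bytes' case from the thread."""
    image = bytes(range(256)) * 1024            # 256 KiB of constructed content
    tampered = bytearray(image)
    tampered[1000] ^= 0x01                      # one-bit change
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "ios.bin")
        bad = os.path.join(d, "ios-tampered.bin")
        with open(good, "wb") as f:
            f.write(image)
        with open(bad, "wb") as f:
            f.write(bytes(tampered))
        published = {"md5": file_digest(good, "md5"),
                     "sha256": file_digest(good, "sha256")}
        return {
            "good_passes": verify_image(good, published),
            "tampered_passes": verify_image(bad, published),
            "md5_differs": file_digest(good) != file_digest(bad),
            # Valdis' scenario: 1e9 CPUs at 1e9 hashes/s each, against the full MD5 space
            "years_at_1e18_per_second": seconds_to_years(preimage_work_seconds(MD5_BITS, 1e18)),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check compares against whatever digests the vendor publishes; adding a SHA-2 digest alongside MD5 costs one more pass over the file and stops the argument about MD5's remaining lifetime from mattering for this particular check.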



Re: amazonaws.com?

2008-05-28 Thread Peter Beckman

On Wed, 28 May 2008, Barry Shein wrote:


On May 28, 2008 at 21:43 [EMAIL PROTECTED] (Peter Beckman) wrote:
> On Wed, 28 May 2008, Dorn Hetzel wrote:
>
> > I would think that simply requiring some appropriate amount of irrevocable
> > funds (wire transfer, etc) for a deposit that will be forfeited in the case
> > of usage in violation of AUP/contract/etc would be both sufficient and not
> > excessive for allowing port 25 access, etc.
>
>   Until you find out that the source of those supposedly irrevocable funds
>   was stolen or fraudulent, and you have some sort of court subpoena to give
>   it back.
>
>   I don't believe there is a way for you to outwit the scammer/spammer by
>   making them pay more of their or someone else's money.  If you have what
>   they need, they'll find a way to trick you into giving it to them.

Are you still trying to prove that Amazon, Dell, The World, etc can't
possibly work?


 Amazon and Dell ship physical goods.  Amazon Web Services sells services,
 as do I.  Services are commonly enabled and activated immediately after
 payment or verification of a valid credit card, as is often expected by
 the customer immediately after payment.  Shipment of physical goods will
 almost always take at least 24 hours, often longer, enabling more thorough
 checks of credit, however they might do it.

 And even with the extra time to review the transaction and attempt to
 detect fraud, I'm confident Amazon and Dell lose millions per year due to
 fraud.  The reality is that the millions they lose to fraud doesn't affect
 us because a Blu-Ray player purchased with a stolen credit card doesn't
 send spam or initiate DOS attacks.

 At least not yet; those Blu-Ray players do have an ethernet port.


By your reasoning why don't the spammers just empty out Amazon's (et
al) warehouses and retire! Oh right, they'd have to sell it all over
the internet which'd mean taking credit cards...


 Now you're just being ridiculous.  Or sarcastic.  :-)


I am a big, big fan of assessing charges for AUP abuse and making some
realistic attempt to try to make sure it's collectible, and otherwise
make some attempt to know who you're doing business with.


 Charging whom?  The spammer who pays your extra AUP abuse charges with
 stolen paypal accounts, credit cards, and legit bank accounts funded by
 money stolen from paypal accounts and transferred from stolen credit
 cards?

 If you are taking card-not-present credit card transactions over the
 Internet or phone, and not shipping physical goods but providing services,
 in my experience the merchant gets screwed, no matter how much money you
 might have charged for the privilege of using port 25 or violating AUPs.
 That money you collected and believed was yours and was in your bank
 account can be taken out just as easily 6 months later, after the lazy
 card holder finally reviews his credit card bill, sees unrecognized
 charges and says "This is fraudulent!"  And there you are, without your
 money.

 Getting someone to fax their ID in takes extra time and resources, and
 means it might be hours before you get your account "approved," and for
 some service providers, part of the value of the service is the immediacy
 in which a customer can gain new service.

Beckman
---
Peter Beckman  Internet Guy
[EMAIL PROTECTED] http://www.angryox.com/
---



Re: amazonaws.com?

2008-05-28 Thread Barry Shein

On May 28, 2008 at 21:43 [EMAIL PROTECTED] (Peter Beckman) wrote:
 > On Wed, 28 May 2008, Dorn Hetzel wrote:
 > 
 > > I would think that simply requiring some appropriate amount of irrevocable
 > > funds (wire transfer, etc) for a deposit that will be forfeited in the case
 > > of usage in violation of AUP/contract/etc would be both sufficient and not
 > > excessive for allowing port 25 access, etc.
 > 
 >   Until you find out that the source of those supposedly irrevocable funds
 >   was stolen or fraudulent, and you have some sort of court subpoena to give
 >   it back.
 > 
 >   I don't believe there is a way for you to outwit the scammer/spammer by
 >   making them pay more of their or someone else's money.  If you have what
 >   they need, they'll find a way to trick you into giving it to them.

Are you still trying to prove that Amazon, Dell, The World, etc can't
possibly work?

By your reasoning why don't the spammers just empty out Amazon's (et
al) warehouses and retire! Oh right, they'd have to sell it all over
the internet which'd mean taking credit cards...

I'm still curious what a typical $ sale is on one of these cloud
compute clusters, in orders of magnitude, $1, $10, $100, $1000, ...?

P.S. For the record I'm not a great fan of blocking port 25 as someone
mis-cited me here, I don't really care strongly either way, it's a
tool.

I am a big, big fan of assessing charges for AUP abuse and making some
realistic attempt to try to make sure it's collectible, and otherwise
make some attempt to know who you're doing business with.

-- 
-Barry Shein

The World  | [EMAIL PROTECTED]   | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD| Login: Nationwide
Software Tool & Die| Public Access Internet | SINCE 1989 *oo*



Re: Network meltdowns anywhere in US?

2008-05-28 Thread Tuc at T-B-O-H
> On Wed, May 28, 2008 at 4:05 PM, Tuc at T-B-O-H.NET <[EMAIL PROTECTED]> wrote:
> 
> > Hi,
> >
> >Sorry, would have posted this elsewhere, but I can't get
> > to a lot of places...
> >
> >I originally started chasing not being able to get to
> > 71.74.56.243 (RR Mail server). I then found out neither L3 nor
> > my other connection saw it in the table. I checked a few other
> > router servers, some had it, some didn't.
> >
> >Now, though, I'm trying to get a few other places and
> > most of them oddly seem to hang off L3 (Like the outages
> > list. :) )
> >
> >Any ideas if there is some meltdown happening
> > in L3 or elsewhere?
> >
> >Thanks, Tuc
> >
> > 
> From a cursory glance seems to be ok from where I'm currently looking from
> (at&t), then again I haven't done my technical diligence. Will need to look
> further and I'm sure someone will pipe up.
> 
> Do you have any traceroutes, route stats, etc to give us as to what you are
> experiencing?
> 

A bit more "clue"... :)

1) If it's been discussed before, I was out that day... But it seems
that CERF NET route-server isn't quite authoritative:

route-server>sho ip bgp 204.107.90.128
% Network not in table

route-server>sho ip bgp

route-server>


2) The other route-server it wasn't showing up in is my "backup"
provider. I'm trying to get clarification, but I think my backup provider
relies too heavily on my primary provider. So yea, it would make sense, if
Level3 had an issue, that the provider USING L3 would have an issue.

3) I've gotten zip from L3 about any of this.



Can anyone at least, once again, despite a certain list member's
contentions, tell me I'm not crazy. That someone else SOMEWHERE saw it?
(Or more DIDN'T see RR. :) )

Thanks, Tuc



Re: amazonaws.com?

2008-05-28 Thread Peter Beckman

On Wed, 28 May 2008, Dorn Hetzel wrote:


I would think that simply requiring some appropriate amount of irrevocable
funds (wire transfer, etc) for a deposit that will be forfeited in the case
of usage in violation of AUP/contract/etc would be both sufficient and not
excessive for allowing port 25 access, etc.


 Until you find out that the source of those supposedly irrevocable funds
 was stolen or fraudulent, and you have some sort of court subpoena to give
 it back.

 I don't believe there is a way for you to outwit the scammer/spammer by
 making them pay more of their or someone else's money.  If you have what
 they need, they'll find a way to trick you into giving it to them.

Beckman
---
Peter Beckman  Internet Guy
[EMAIL PROTECTED] http://www.angryox.com/
---



Re: amazonaws.com?

2008-05-28 Thread Martin Hannigan
On Wed, May 28, 2008 at 9:14 AM, Steve Atkins <[EMAIL PROTECTED]> wrote:
>
> On May 28, 2008, at 9:03 AM, Sargun Dhillon wrote:
>
>> Has Amazon given an official statement on this? It would be nice to get
>> someone from within Amazon to give us their official view on this. It
>> would be even more appropriate for the other cloud infrastructures to
>> join in, and or have some sort of RFC to do with SMTP access within the
>> "cloud." I foresee this as a major problem as the idea of "the cloud" is
>> being pushed more and more. You are talking about a spammers dream. Low
>> cost, powerful resources with no restrictions and complete anonymity.
>>
>> Personally I'm going to block *.amazonaws.com from my mail server until
>> Amazon gives us a statement on how they are planning on fighting spam
>> from the cloud.
>
> "The cloud" is just a marketing term for a bunch of virtual servers,
> at least in Amazon's case. It's nothing particularly new, just a VPS
> farm with the same constraints and abuse issues as a VPS or
> managed server provider.

These are highly dense service farms that are making efficient use of
power, CPU, memory and network based on huge densities based on power
and square footage. It's far more than a marketing term.

Careful. Don't underestimate this trend.

-M<



Re: Network meltdowns anywhere in US?

2008-05-28 Thread Tuc at T-B-O-H.NET
> On Wed, May 28, 2008 at 4:05 PM, Tuc at T-B-O-H.NET <[EMAIL PROTECTED]> wrote:
> 
> > Hi,
> >
> >Sorry, would have posted this elsewhere, but I can't get
> > to a lot of places...
> >
> >I originally started chasing not being able to get to
> > 71.74.56.243 (RR Mail server). I then found out neither L3 nor
> > my other connection saw it in the table. I checked a few other
> > router servers, some had it, some didn't.
> >
> >Now, though, I'm trying to get a few other places and
> > most of them oddly seem to hang off L3 (Like the outages
> > list. :) )
> >
> >Any ideas if there is some meltdown happening
> > in L3 or elsewhere?
> >
> >Thanks, Tuc
> >
> > 
> From a cursory glance seems to be ok from where I'm currently looking from
> (at&t), then again I haven't done my technical diligence. Will need to look
> further and I'm sure someone will pipe up.
> 
> Do you have any traceroutes, route stats, etc to give us as to what you are
> experiencing?
> 
No, no traceroutes since when I'd query BGP, it just said that the 
network
didn't exist in the table like :

***route-server***>sho ip bgp 71.74.56.243
% Network not in table
***route-server***>sho ip route 71.74.56.243
% Subnet not in table


(Only output I captured... But I know that Cerfnet did this too.)

Tuc



Re: Network meltdowns anywhere in US?

2008-05-28 Thread virendra rode
On Wed, May 28, 2008 at 4:05 PM, Tuc at T-B-O-H.NET <[EMAIL PROTECTED]> wrote:

> Hi,
>
>Sorry, would have posted this elsewhere, but I can't get
> to a lot of places...
>
>I originally started chasing not being able to get to
> 71.74.56.243 (RR Mail server). I then found out neither L3 nor
> my other connection saw it in the table. I checked a few other
> router servers, some had it, some didn't.
>
>Now, though, I'm trying to get a few other places and
> most of them oddly seem to hang off L3 (Like the outages
> list. :) )
>
>Any ideas if there is some meltdown happening
> in L3 or elsewhere?
>
>Thanks, Tuc
>
> 
From a cursory glance seems to be ok from where I'm currently looking from
(at&t), then again I haven't done my technical diligence. Will need to look
further and I'm sure someone will pipe up.

Do you have any traceroutes, route stats, etc to give us as to what you are
experiencing?



regards,
/virendra


Network meltdowns anywhere in US?

2008-05-28 Thread Tuc at T-B-O-H.NET
Hi,

Sorry, would have posted this elsewhere, but I can't get
to a lot of places...

I originally started chasing not being able to get to 
71.74.56.243 (RR Mail server). I then found out neither L3 nor
my other connection saw it in the table. I checked a few other
router servers, some had it, some didn't. 

Now, though, I'm trying to get a few other places and
most of them oddly seem to hang off L3 (Like the outages
list. :) )

Any ideas if there is some meltdown happening
in L3 or elsewhere?

Thanks, Tuc



RE: amazonaws.com?

2008-05-28 Thread michael.dillon

> I think the straightforward fix is for Amazon to put some 
> practical mail guidelines together for their environment 

Has anyone making these suggestions ever thought to look at the Amazon
Web Services agreement that governs these EC2 customers?



--Michael Dillon



New ID: Special Use IPv4 Addresses

2008-05-28 Thread Sean Donelan


http://www.ietf.org/internet-drafts/draft-iana-rfc3330bis-01.txt

Other than a formatting error in the header ("IPv4 Multicast Guidelines")
instead of ("Special Use IPv4 Addresses"), the only significant change
appears to be removing the "Reserved" status of the old Classful boundary
networks.  The former boundary networks are now subject to allocation like 
any other unicast IPv4 address space.


Host, Router vendors and Network Operators should have already been 
testing their equipment for proper handling (i.e. not doing anything 
different) of these network addresses.  So this ID should just be a minor 
IANA administrative cleanup.





Re: amazonaws.com?

2008-05-28 Thread Jay R. Ashworth
On Wed, May 28, 2008 at 12:01:30PM -0500, Skywing wrote:
> That's somewhat ironic of a sentiment you referred to there, given
> that the conception that one should have to hand over one's SSN for
> "verification" to anyone who asks for it is the kind of thing that
> many of these spammers/phishers thrive on in the first place...

What...

are people still using SSNs as authenticators instead of identifiers,
20 years on?

Cheers,
-- jra
-- 
Jay R. Ashworth[EMAIL PROTECTED]
Designer+-Internetworking--+-+RFC 2100
Ashworth & Associates   |  Best Practices Wiki | | '87 e24
St Petersburg FL USA+-http://bestpractices.wikia.com-+ +1 727 647 1274

  If you can read this... thank a system administrator.  Or two.  --me



Re: Hurricane season starts June 1: Carriers harden networks

2008-05-28 Thread Jay R. Ashworth
On Tue, May 27, 2008 at 06:58:47PM -0400, Jared Mauch wrote:
>   I think there's something else to make note of.
> 
>   NCS wants to make sure that a number of the ISPs and critical  
> infrastructure operators have WPS/GETS available to the people who  
> rightly need them.  If you're not sure, give them a ring and chat with  
> them about what resources you should have at your disposal.  If there  
> is a major communication disruption, this may help your operations  
> team communicate.
> 
>   You can fill out the forms online at gets.ncs.gov

It might be useful, too, to talk to the people who did this in NOLA
during and after Katrina; if they didn't know what to do before, they
probably do now...

Cheers,
-- jra
-- 
Jay R. Ashworth[EMAIL PROTECTED]
Designer+-Internetworking--+-+RFC 2100
Ashworth & Associates   |  Best Practices Wiki | | '87 e24
St Petersburg FL USA+-http://bestpractices.wikia.com-+ +1 727 647 1274

  If you can read this... thank a system administrator.  Or two.  --me



Re: amazonaws.com?

2008-05-28 Thread Joe Abley


On 28 May 2008, at 16:34, Sargun Dhillon wrote:


> Well the thing that differentiates "the cloud" is that there is an
> infinite amount of resources, the ability to have anonymous access, and
> the infinite amount of identities.


That sounds great. Presumably in addition to the above the sun is  
always shining, cats never crap in the kitchen and those responsible  
for the American Idol franchise have been lined up against the wall  
and shot?



Joe




Re: amazonaws.com?

2008-05-28 Thread Brandon Galbraith
On 5/28/08, Skywing <[EMAIL PROTECTED]> wrote:
>
> That's somewhat ironic of a sentiment you referred to there, given that the
> conception that one should have to hand over one's SSN for "verification" to
> anyone who asks for it is the kind of thing that many of these
> spammers/phishers thrive on in the first place...
>
> (I assume that you are not actually really advocating such a requirement
> for anyone wanting to run a mail server...)
>
>
> - S
>

Many, many years ago, when I was working someplace that was just starting to
dabble in shared hosting, the company would require a faxed copy of a
driver's license to enable some hosting features (shell off the top of my
head). In today's world, this simply will not do (customer sentiment,
liability for loss of that data you're storing, and so on).

I think the straightforward fix is for Amazon to put some practical mail
guidelines together for their environment (time-based volume limitations,
Amazon-provided smarthosts, etc) with an exception process for those who
need larger amounts of legitimate outbound mail. I guess legitimate is
subjective though. *sigh*

-brandon


Re: amazonaws.com?

2008-05-28 Thread Dorn Hetzel
I would think that simply requiring some appropriate amount of irrevocable
funds (wire transfer, etc) for a deposit that will be forfeited in the case
of usage in violation of AUP/contract/etc would be both sufficient and not
excessive for allowing port 25 access, etc.

On Wed, May 28, 2008 at 1:01 PM, Skywing <[EMAIL PROTECTED]>
wrote:

> That's somewhat ironic of a sentiment you referred to there, given that the
> conception that one should have to hand over one's SSN for "verification" to
> anyone who asks for it is the kind of thing that many of these
> spammers/phishers thrive on in the first place...
>
> (I assume that you are not actually really advocating such a requirement
> for anyone wanting to run a mail server...)
>
> - S
>
> -Original Message-
> From: Sargun Dhillon [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, May 28, 2008 12:34 PM
> To: Steve Atkins
> Cc: nanog@nanog.org
> Subject: Re: amazonaws.com?
>
> Well the thing that differentiates "the cloud" is that there is an
> infinite amount of resources, the ability to have anonymous access, and
> the infinite amount of identities. Basically Amazon has allocated a /18,
> /19, and /17 to EC2. The chances of getting the same IP between two
> instances amongst that many possibilities is low. Basically someone
> could easily go get a temporary credit card and start up 10 small EC2
> instances. This would give them 10 public IPs which would probably take
> 3-4 hours (minimum) to show up on any sort of blacklists. Then it's just
> a matter of rebooting and you have another 3-4 hours. This could last
> weeks with a credit card. Then you could rinse and repeat. In the past
> I've seen companies require EIN/SSN verification (a bit much) in order
> to open up certain things (port 25, BGP, etc...). If Amazon is going to
> continue to have policies that allow spammers to thrive it will end with
> EC2 failing.
>
> SMTP has inherent trust issues. I'm currently researching Amazon AWS's
> static IP addresses. I think it would be easiest to block everything and
> just make exemptions for people who purchase the static IPs.
>
> My advice to you if you are buying anonymous resources would be to
> purchase an agreement with a relay that isn't part of the anonymous
> computing center.
>
>
>
>
> Steve Atkins wrote:
> >
> > On May 28, 2008, at 9:03 AM, Sargun Dhillon wrote:
> >
> >> Has Amazon given an official statement on this? It would be nice to get
> >> someone from within Amazon to give us their official view on this. It
> >> would be even more appropriate for the other cloud infrastructures to
> >> join in, and or have some sort of RFC to do with SMTP access within the
> >> "cloud." I foresee this as a major problem as the idea of "the cloud" is
> >> being pushed more and more. You are talking about a spammers dream. Low
> >> cost, powerful resources with no restrictions and complete anonymity.
> >>
> >> Personally I'm going to block *.amazonaws.com from my mail server until
> >> Amazon gives us a statement on how they are planning on fighting spam
> >> from the cloud.
> >
> > "The cloud" is just a marketing term for a bunch of virtual servers,
> > at least in Amazon's case. It's nothing particularly new, just a VPS
> > farm with the same constraints and abuse issues as a VPS or
> > managed server provider.
> >
> > The only reason this is a problem in the case of Amazon is that they're
> > knowingly selling service to spammers, their abuse guy is in
> > way over his head and isn't interested in policing their users
> > unless they're doing something illegal or the check doesn't clear.
> > As long as the spam being sent doesn't violate CAN-SPAM, it's legal.
> >
> > Cheers,
> > Steve
> >
> >
>
>
> --
> +1.925.202.9485
> Sargun Dhillon
> deCarta
> [EMAIL PROTECTED]
> www.decarta.com
>
>
>
>
>
>


RE: amazonaws.com?

2008-05-28 Thread Skywing
That's somewhat ironic of a sentiment you referred to there, given that the 
conception that one should have to hand over one's SSN for "verification" to 
anyone who asks for it is the kind of thing that many of these 
spammers/phishers thrive on in the first place...

(I assume that you are not actually really advocating such a requirement for 
anyone wanting to run a mail server...)

- S

-Original Message-
From: Sargun Dhillon [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 28, 2008 12:34 PM
To: Steve Atkins
Cc: nanog@nanog.org
Subject: Re: amazonaws.com?

Well the thing that differentiates "the cloud" is that there is an
infinite amount of resources, the ability to have anonymous access, and
the infinite amount of identities. Basically Amazon has allocated a /18,
/19, and /17 to EC2. The chances of getting the same IP between two
instances amongst that many possibilities is low. Basically someone
could easily go get a temporary credit card and start up 10 small EC2
instances. This would give them 10 public IPs which would probably take
3-4 hours (minimum) to show up on any sort of blacklists. Then it's just
a matter of rebooting and you have another 3-4 hours. This could last
weeks with a credit card. Then you could rinse and repeat. In the past
I've seen companies require EIN/SSN verification (a bit much) in order
to open up certain things (port 25, BGP, etc...). If Amazon is going to
continue to have policies that allow spammers to thrive it will end with
EC2 failing.

SMTP has inherent trust issues. I'm currently researching Amazon AWS's
static IP addresses. I think it would be easiest to block everything and
just make exemptions for people who purchase the static IPs.

My advice to you if you are buying anonymous resources would be to
purchase an agreement with a relay that isn't part of the anonymous
computing center.




Steve Atkins wrote:
>
> On May 28, 2008, at 9:03 AM, Sargun Dhillon wrote:
>
>> Has Amazon given an official statement on this? It would be nice to get
>> someone from within Amazon to give us their official view on this. It
>> would be even more appropriate for the other cloud infrastructures to
>> join in, and/or have some sort of RFC to do with SMTP access within the
>> "cloud." I foresee this as a major problem as the idea of "the cloud" is
>> being pushed more and more. You are talking about a spammer's dream. Low
>> cost, powerful resources with no restrictions and complete anonymity.
>>
>> Personally I'm going to block *.amazonaws.com from my mail server until
>> Amazon gives us a statement on how they are planning on fighting spam
>> from the cloud.
>
> "The cloud" is just a marketing term for a bunch of virtual servers,
> at least in Amazon's case. It's nothing particularly new, just a VPS
> farm with the same constraints and abuse issues as a VPS or
> managed server provider.
>
> The only reason this is a problem in the case of Amazon is that they're
> knowingly selling service to spammers, their abuse guy is in
> way over his head and isn't interested in policing their users
> unless they're doing something illegal or the check doesn't clear.
> As long as the spam being sent doesn't violate CAN-SPAM, it's legal.
>
> Cheers,
> Steve
>
>


--
+1.925.202.9485
Sargun Dhillon
deCarta
[EMAIL PROTECTED]
www.decarta.com







Re: amazonaws.com?

2008-05-28 Thread Sargun Dhillon
Well the thing that differentiates "the cloud" is that there is an
infinite amount of resources, the ability to have anonymous access, and
the infinite amount of identities. Basically Amazon has allocated a /18,
/19, and /17 to EC2. The chances of getting the same IP between two
instances amongst that many possibilities is low. Basically someone
could easily go get a temporary credit card and start up 10 small EC2
instances. This would give them 10 public IPs which would probably take
3-4 hours (minimum) to show up on any sort of blacklist. Then it's just
a matter of rebooting and you have another 3-4 hours. This could last
weeks with a credit card. Then you could rinse and repeat. In the past
I've seen companies require EIN/SSN verification (a bit much) in order
to open up certain things (port 25, BGP, etc...). If Amazon is going to
continue to have policies that allow spammers to thrive it will end with
EC2 failing.

SMTP has inherent trust issues. I'm currently researching Amazon AWS's
static IP addresses. I think it would be easiest to block everything and
just make exemptions for people who purchase the static IPs.

My advice to you if you are buying anonymous resources would be to
purchase an agreement with a relay that isn't part of the anonymous
computing center.




Steve Atkins wrote:
>
> On May 28, 2008, at 9:03 AM, Sargun Dhillon wrote:
>
>> Has Amazon given an official statement on this? It would be nice to get
>> someone from within Amazon to give us their official view on this. It
>> would be even more appropriate for the other cloud infrastructures to
>> join in, and/or have some sort of RFC to do with SMTP access within the
>> "cloud." I foresee this as a major problem as the idea of "the cloud" is
>> being pushed more and more. You are talking about a spammer's dream. Low
>> cost, powerful resources with no restrictions and complete anonymity.
>>
>> Personally I'm going to block *.amazonaws.com from my mail server until
>> Amazon gives us a statement on how they are planning on fighting spam
>> from the cloud.
>
> "The cloud" is just a marketing term for a bunch of virtual servers,
> at least in Amazon's case. It's nothing particularly new, just a VPS
> farm with the same constraints and abuse issues as a VPS or
> managed server provider.
>
> The only reason this is a problem in the case of Amazon is that they're
> knowingly selling service to spammers, their abuse guy is in
> way over his head and isn't interested in policing their users
> unless they're doing something illegal or the check doesn't clear.
> As long as the spam being sent doesn't violate CAN-SPAM, it's legal.
>
> Cheers,
> Steve
>
>


-- 
+1.925.202.9485
Sargun Dhillon
deCarta
[EMAIL PROTECTED]
www.decarta.com
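
The post above proposes blocking the provider's space outright and exempting only senders who hold a static, accountable address (and, earlier in the thread, blocking *.amazonaws.com by reverse DNS). The following is an added example of that receiving-side policy, not code from Amazon or from anyone in the thread. The prefixes are RFC 5737 documentation networks standing in for the provider's real allocations, and the addresses and hostnames are constructed.

```python
"""Inbound SMTP connection policy for a receiving mail server: reject hosts
from a provider's dynamic ranges or with a blocked rDNS suffix, unless the
client address was registered as a static, accountable sender.

Added example, not code from Amazon or from any participant in the thread.
The prefixes below are RFC 5737 documentation networks standing in for the
provider's real allocations; the addresses and hostnames are constructed.
"""
import ipaddress
from typing import Dict, List, Optional, Set, Tuple


class SmtpPolicy:
    def __init__(self, blocked_prefixes: List[str],
                 blocked_rdns_suffixes: Tuple[str, ...],
                 allowlist: Set[str]) -> None:
        # Provider ranges rejected by default ("block everything").
        self.blocked_prefixes = [ipaddress.ip_network(p) for p in blocked_prefixes]
        # Reverse-DNS suffixes rejected the same way (catches hosts outside
        # the prefixes we happen to know about).
        self.blocked_rdns_suffixes = tuple(s.lower() for s in blocked_rdns_suffixes)
        # Exemptions: static addresses whose owner has been identified.
        self.allowlist = {ipaddress.ip_address(a) for a in allowlist}

    def decide(self, client_ip: str, rdns_name: Optional[str]) -> Tuple[str, str]:
        """Return ("accept" | "reject", reason) for one connecting client."""
        ip = ipaddress.ip_address(client_ip)
        if ip in self.allowlist:
            # Exemptions win: the sender holds a static IP and is known to us.
            return "accept", "registered static address"
        for net in self.blocked_prefixes:
            if ip in net:
                return "reject", "address in blocked provider range %s" % net
        if rdns_name:
            name = rdns_name.rstrip(".").lower()
            for suffix in self.blocked_rdns_suffixes:
                if name == suffix or name.endswith("." + suffix):
                    return "reject", "rDNS matches blocked suffix %s" % suffix
        return "accept", "no policy match"


def build_sample_policy() -> SmtpPolicy:
    return SmtpPolicy(
        blocked_prefixes=["198.51.100.0/24", "203.0.113.0/24"],  # placeholders
        blocked_rdns_suffixes=("amazonaws.com",),
        allowlist={"198.51.100.25"},  # a static IP its owner registered with us
    )


# Constructed connection attempts: (client IP, reverse DNS name or None).
SAMPLE_CONNECTIONS = [
    ("198.51.100.7", "ec2-placeholder-1.compute.amazonaws.com"),
    ("198.51.100.25", "mail.static-customer.example"),
    ("192.0.2.10", "ec2-placeholder-2.compute.amazonaws.com"),
    ("192.0.2.77", "mx1.example.net"),
    ("192.0.2.78", None),
]


def evaluate_samples(policy: Optional[SmtpPolicy] = None) -> Dict[str, str]:
    """Run the sample connections through the policy; returns ip -> verdict."""
    policy = policy or build_sample_policy()
    return {ip: policy.decide(ip, rdns)[0] for ip, rdns in SAMPLE_CONNECTIONS}


if __name__ == "__main__":
    for ip, verdict in evaluate_samples().items():
        print(ip, verdict)
```

The reverse-DNS name is only ever used to reject, never to accept, so a client that presents an unverified PTR gains nothing from it; if a name were used as an accept signal it would need to be forward-confirmed first. The same decision function can sit behind whatever access-policy hook the MTA offers.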






Re: amazonaws.com?

2008-05-28 Thread Steve Atkins


On May 28, 2008, at 9:03 AM, Sargun Dhillon wrote:

> Has Amazon given an official statement on this? It would be nice to get
> someone from within Amazon to give us their official view on this. It
> would be even more appropriate for the other cloud infrastructures to
> join in, and/or have some sort of RFC to do with SMTP access within the
> "cloud." I foresee this as a major problem as the idea of "the cloud" is
> being pushed more and more. You are talking about a spammer's dream. Low
> cost, powerful resources with no restrictions and complete anonymity.
>
> Personally I'm going to block *.amazonaws.com from my mail server until
> Amazon gives us a statement on how they are planning on fighting spam
> from the cloud.


"The cloud" is just a marketing term for a bunch of virtual servers,
at least in Amazon's case. It's nothing particularly new, just a VPS
farm with the same constraints and abuse issues as a VPS or
managed server provider.

The only reason this is a problem in the case of Amazon is that they're
knowingly selling service to spammers, their abuse guy is in
way over his head and isn't interested in policing their users
unless they're doing something illegal or the check doesn't clear.
As long as the spam being sent doesn't violate CAN-SPAM, it's legal.

Cheers,
  Steve




Re: amazonaws.com?

2008-05-28 Thread Sargun Dhillon
Has Amazon given an official statement on this? It would be nice to get
someone from within Amazon to give us their official view on this. It
would be even more appropriate for the other cloud infrastructures to
join in, and/or have some sort of RFC to do with SMTP access within the
"cloud." I foresee this as a major problem as the idea of "the cloud" is
being pushed more and more. You are talking about a spammer's dream. Low
cost, powerful resources with no restrictions and complete anonymity.

Personally I'm going to block *.amazonaws.com from my mail server until
Amazon gives us a statement on how they are planning on fighting spam
from the cloud.


Tony Finch wrote:
> On Wed, 28 May 2008, [EMAIL PROTECTED] wrote:
>   
>>> I don't see how, in your preferred replacement email
>>> architecture, a provider would be able to avoid policing
>>> their users to prevent spam in the way that you complain is
>>> so burdensome.
>>>   
>> To begin with, mail could only enter such a system through
>> port 587 or through a rogue operator signing an email peering
>> agreement. In either case, there is a bilateral contract involved
>> so that it is clear whose customer is doing wrong, and therefore
>> who is responsible for policing it.
>> 
>
> This is different from Amazon's situation how?
>
> Tony.
>   


-- 
+1.925.202.9485
Sargun Dhillon
deCarta
[EMAIL PROTECTED]
www.decarta.com





RE: amazonaws.com?

2008-05-28 Thread Tony Finch
On Wed, 28 May 2008, [EMAIL PROTECTED] wrote:
>
> > I don't see how, in your preferred replacement email
> > architecture, a provider would be able to avoid policing
> > their users to prevent spam in the way that you complain is
> > so burdensome.
>
> To begin with, mail could only enter such a system through
> port 587 or through a rogue operator signing an email peering
> agreement. In either case, there is a bilateral contract involved
> so that it is clear whose customer is doing wrong, and therefore
> who is responsible for policing it.

This is different from Amazon's situation how?

Tony.
-- 
f.anthony.n.finch  <[EMAIL PROTECTED]>  http://dotat.at/
SOUTHEAST ICELAND: EASTERLY 4 OR 5, INCREASING 6 OR 7. MODERATE INCREASING
ROUGH. RAIN LATER. MODERATE OR GOOD, OCCASIONALLY POOR.



Re: Hurricane season starts June 1: Carriers harden networks

2008-05-28 Thread virendra rode //
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Jared Mauch wrote:
> 
> On May 27, 2008, at 6:47 PM, Jerry Dixon wrote:
> 
>> Jared nailed it on the head.  It is absolutely critical to get to know
>> who your State JFO POC is, State EOC POC, and have the National
>> Communication Systems Hotline on speed dial or at least in your cell.
>> They can help facilitate needs such as getting human resources from your
>> company or mutual aid in to help with a crisis (credentialing issues),
>> fuel trucks, and other supplies as needed.
>>
>> Also you might want to check to see if your company has a govt. affairs
>> person within your organization who might already have a lot of this
>> info and the contacts to assist.
> 
> I think there's something else to make note of.
> 
> NCS wants to make sure that a number of the ISPs and critical
> infrastructure operators have WPS/GETS available to the people who
> rightly need them.  If you're not sure, give them a ring and chat with
> them about what resources you should have at your disposal.  If there is
> a major communication disruption, this may help your operations team
> communicate.
- 
What you briefly outlined here applies to outages affecting a certain
size of customer base. If so, I wonder what that magic number is? How do
you measure the impact of an outage that would require companies to issue
outage reports?

It would be nice for these companies to report network outages to a
central public forum (w/o bureaucracy) so end users irrespective of the
size can lookup such reports and know why their services (e-mail,
phones, etc) went down eliminating the need to open tons of trouble
tickets during a major event. This way everyone could benefit from it.

Due to such lack of information sharing, the outages mailing list was started
for the purpose of having outages available to the public when and where
they are most needed, irrespective of how big or small the company is.

Then there are others who believe that companies which are protected from
public disclosure like to use this protection to their advantage, as they
no longer have to air their dirty laundry.

IMO, network outages need to get to the public rather than being kept a
secret.

Before software bugs were routinely published, network/software
companies denied their existence and wouldn't bother fixing them,
believing in the security of secrecy. If we return to a practice of
keeping these bugs secret, we'll have vulnerabilities known to a few in
the security community. Public reporting forces companies to improve
their service.


regards,
/virendra

> 
> You can fill out the forms online at gets.ncs.gov
> 
> - Jared
> 
> 
> 


-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFIPXQVpbZvCIJx1bcRAjHrAJkB9lNtGYdib5Kezhmz2EBtpoXMowCeKgqR
tR1+3To4MsBnTNMEgGJ/6Kw=
=GrRH
-END PGP SIGNATURE-



Re: AT&T BGP blackholing

2008-05-28 Thread Brian Raaen
I'll have to check; I have a doc from AT&T at work from when I just set up a 
BGP session with them about 2 weeks ago.  I don't remember if there was a 
blackhole community or not listed.  The doc does list some community strings.  
I was surprised, they were pretty responsive. Now I will find out how the 
Qwest side goes, then I'll have full BGP.


-- 
Brian Raaen
Network Engineer
[EMAIL PROTECTED]

On Wednesday 28 May 2008, Philip L. wrote:
> Does anyone have information or a contact at AT&T with regards to 
> setting up BGP blackholing with them?  I see that the question has been 
> asked in the past but there was no definitive answer, at least none that 
> I could find.
> 
> --Philip L.
> 
> 
> 
> 



RE: amazonaws.com?

2008-05-28 Thread michael.dillon

> I don't see how, in your preferred replacement email 
> architecture, a provider would be able to avoid policing 
> their users to prevent spam in the way that you complain is 
> so burdensome.

To begin with, mail could only enter such a system through
port 587 or through a rogue operator signing an email peering
agreement. In either case, there is a bilateral contract involved
so that it is clear whose customer is doing wrong, and therefore
who is responsible for policing it. It's a different model in
which email traffic follows a chain of bilateral agreements 
from the sender to the recipient. At each link in the chain, 
a provider can block traffic if it does not conform to the 
peering agreement (or service agreement for end users).

Today, an anonymous spammer can obfuscate the source of their email
in a way that an average user can't figure out who to complain to.
In a hierarchical email peering system, only a rogue operator could
do that, and by nature of the system, they can't really be totally
anonymous. After all they have to sign a peering agreement with someone.

--Michael Dillon



RE: amazonaws.com?

2008-05-28 Thread Tony Finch
On Tue, 27 May 2008, [EMAIL PROTECTED] wrote:
>
> But a more advanced intelligence will wonder why we have to have an SMTP
> server architecture that invites attacks. Why, by definition, do SMTP
> servers have to accept connections from all comers, by default? We have
> shown that other architectures are workable on the Internet, where
> communications only take place between peers who have prearranged which
> devices talk to which. This worked for USENET news and it works for
> exchanging BGP route announcements.

Of course there's no unwanted traffic on USENET or BGP. Everyone de-peers
Tiscali when their customers' compromised home computers perform DDOS
attacks.

> As long as we don't fix the architecture of Internet email, we
> are stuck with the catch-22 situation that Amazon, and all hosting
> providers find themselves in. These companies really have no choice
> but to allow spammers to exploit their services until the spamming
> is detected, either proactively by the provider, or reactively by
> a complaint to their abuse desk.

Nothing prevents Amazon from implementing a hierarchical email delivery
network for their little corner of the net. They just have to block
outgoing port 25 and require their users to use Amazon's smarthosts.

I don't see how, in your preferred replacement email architecture, a
provider would be able to avoid policing their users to prevent spam
in the way that you complain is so burdensome.

Tony.
-- 
f.anthony.n.finch  <[EMAIL PROTECTED]>  http://dotat.at/
HUMBER: SOUTHEAST VEERING SOUTHWEST 5 TO 7, PERHAPS GALE 8 LATER. MODERATE OR
ROUGH. THUNDERY RAIN, FOG PATCHES. MODERATE, OCCASIONALLY VERY POOR.



RE: Hurricane season starts June 1: Carriers harden networks

2008-05-28 Thread michael.dillon

> The official spokespeople don't mention it, but there is also 
> a tendency for local officials to divert fuel delivery trucks 
> for their use instead of maintaining communication facilities.

How much fuel can you legally carry in drums inside the trucks that
your company already has with your logo on them? Is it logistically
feasible to resupply your sites using such vehicles? 

--Michael Dillon



RE: IOS Rookit: the sky isn't falling (yet)

2008-05-28 Thread michael.dillon
> So let's see - if you had a billion CPUs in your botnet, and 
> each one could go at a billion to the second, you still need 
> 2**69 seconds or 449,235,776,528,695 years.  Not bad - only 
> 10,000 times the amount of time this planet has been around, 
> so yeah, that's the way they'll attack all right.

I didn't say that. I said that they are starting with an IOS image
in which there are some small number of bytes which they can possibly
change and still have a functional image. So it is likely that they
will brute force that by computing an MD5 hash on all variations of
those few bytes. It's like winning the lottery, you only *NEED* to
buy one ticket. No matter how slim the chances are of bad guys winning
that lottery, it is no excuse for ignoring the possibility that an
MD5 hash check may not be proof that you have an original image.

And let's not get into all the other possibilities such as an insider
who corrupts your database in which you safely store the MD5 hashes.
There is no magic bullet, only various security layers which reduce
the odds of an exploit in your network in a similar way to how
multiple routers and multiple paths can increase your network's
uptime to very nearly 100%.

--Michael Dillon
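
The two paragraphs above make two points for whoever verifies router images: an MD5 match is one layer rather than proof, and the database holding the reference hashes can itself be corrupted by an insider. The following is an added example (not Cisco's tooling or any participant's code) of checking an image against a release manifest with several independent layers, so that an image altered in a few bytes fails the digest checks, and a hash database rewritten to match the altered image fails the manifest tag. The image bytes, the manifest and the key are constructed; the keyed HMAC stands in for a public-key signature only to stay within the standard library, and that substitution is an assumption of this example.

```python
"""Layered verification of a firmware image against a release manifest.

Added example, not Cisco's tooling or any list participant's code. It shows
why a lone MD5 value is a weak check and how an independently keyed layer
catches a hash database that has been rewritten to match a tampered image.
The image bytes, manifest and key are constructed for the demonstration;
the HMAC stands in for a public-key signature (an assumption made here so
the example needs only the standard library).
"""
import hashlib
import hmac
import json
from typing import Dict

# Constructed stand-in for an IOS image; any byte string works.
ORIGINAL_IMAGE = b"IOS-PLACEHOLDER-12.4 firmware image " + bytes(range(256)) * 4

# Placeholder key. It lives with the release/build system, not alongside the
# manifest database, so an insider with database access alone cannot re-sign.
MANIFEST_KEY = b"placeholder-offline-release-key"


def _manifest_body(entry: Dict) -> bytes:
    """Canonical bytes covered by the tag: every field except the tag itself."""
    return json.dumps({k: v for k, v in entry.items() if k != "tag"},
                      sort_keys=True).encode()


def make_manifest(image: bytes, key: bytes) -> Dict:
    """Build the release-time manifest entry for an image."""
    entry = {
        "md5": hashlib.md5(image).hexdigest(),      # legacy digest still published
        "sha256": hashlib.sha256(image).hexdigest(),  # stronger digest
        "size": len(image),
    }
    entry["tag"] = hmac.new(key, _manifest_body(entry), hashlib.sha256).hexdigest()
    return entry


def verify_image(image: bytes, manifest: Dict, key: bytes) -> Dict[str, bool]:
    """Evaluate each layer separately; deployment should require all True."""
    expected_tag = hmac.new(key, _manifest_body(manifest), hashlib.sha256).hexdigest()
    return {
        "md5": hmac.compare_digest(hashlib.md5(image).hexdigest(), manifest["md5"]),
        "sha256": hmac.compare_digest(hashlib.sha256(image).hexdigest(), manifest["sha256"]),
        "size": len(image) == manifest["size"],
        # Fails if md5/sha256/size in the stored manifest were rewritten.
        "manifest_tag": hmac.compare_digest(expected_tag, manifest["tag"]),
    }


def tamper_image(image: bytes) -> bytes:
    """Alter a few bytes, the kind of small change the thread discusses."""
    return image[:40] + b"###" + image[43:]


def scenario_image_modified() -> Dict[str, bool]:
    """Image changed, manifest intact: the digests catch it."""
    manifest = make_manifest(ORIGINAL_IMAGE, MANIFEST_KEY)
    return verify_image(tamper_image(ORIGINAL_IMAGE), manifest, MANIFEST_KEY)


def scenario_database_rewritten() -> Dict[str, bool]:
    """Insider rewrites the stored hashes to match the modified image: the
    digests now agree, and only the manifest tag reveals the rewrite."""
    bad = tamper_image(ORIGINAL_IMAGE)
    manifest = make_manifest(ORIGINAL_IMAGE, MANIFEST_KEY)
    manifest["md5"] = hashlib.md5(bad).hexdigest()
    manifest["sha256"] = hashlib.sha256(bad).hexdigest()
    return verify_image(bad, manifest, MANIFEST_KEY)


if __name__ == "__main__":
    print("intact:", verify_image(ORIGINAL_IMAGE,
                                  make_manifest(ORIGINAL_IMAGE, MANIFEST_KEY),
                                  MANIFEST_KEY))
    print("image modified:", scenario_image_modified())
    print("database rewritten:", scenario_database_rewritten())
```

The point of returning each layer's result separately is operational: a digest mismatch and a tag mismatch point at different failures (a changed image versus a changed record), which is what an operator needs to know before deciding which system to treat as compromised.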



Re: AT&T BGP blackholing

2008-05-28 Thread Paul Wall
On Wed, May 28, 2008 at 12:08 AM, Philip L. <[EMAIL PROTECTED]> wrote:
> Does anyone have information or a contact at AT&T with regards to setting up
> BGP blackholing with them?  I see that the question has been asked in the
> past but there was no definitive answer, at least none that I could find.

Good luck.

The problem is the MIS product managers would rather sell you their
DoS Clean Pipe solution rather than accept a prefix via a BGP session
with a unique community.

Their DoS Clean Pipe redirects your impacted networks into their
scrubber (Cisco Riverheads) then back towards your network.

What I find funny is that on the list of AT&T achievements of the past
100 years, the DoS Clean Pipe is listed in the 2000s while transistor
is listed for the 1940s. What's next for 2008, claiming the Apple
iPhone or Cisco Telepresence as an AT&T achievement? Didn't know
resetting BGP next-hops was up there next to the transistor.

Mr. Wallingford says you should call up your MIS contact, but why
should you call up when most other networks let you black hole with an
existing or separate BGP session?

Sounds like AT&T MIS needs to get with the times and stop catering
only to the enterprise T1s.

Paul Wall

Drive slow...like Brucie.