Re: Over a decade of DDOS--any progress yet?
Greg Whynott writes: I found it funny how M$ started giving away virus/security software for its OS. It can't fix the leaky roof, so it includes a roof patch kit. (and puts about 10 companies out of business at the same time)

I actually like the new arrangement better, where Microsoft provides the security software to its OS customers for free. The previous setup had third parties (anti-virus vendors) profiting from the weaknesses in Microsoft's software. The new arrangement provides better incentives for fixing the security weaknesses at the source, at least as far as Microsoft is concerned. Even for third-party providers of buggy software, Microsoft probably has better leverage towards them than the numerous anti-virus vendors. But then maybe my armchair economics are totally wrong.

-- Simon.
Re: BGP multihoming question.
George Bonser gbon...@seven.com writes: -Original Message- From: Bret Clark Sent: Friday, December 10, 2010 7:08 AM To: nanog@nanog.org Subject: Re: BGP multihoming question. On 12/10/2010 10:01 AM, Dylan Ebner wrote: 3. You cannot trust the second isp to advertise the SWIP block correctly if they are not a tier 1. Even though they may advertise it for you to their upstream, they don't always have the appropriate procedures in place to get the LOAs to the upstream so your block just gets filtered out. Just got done battling this exact issue with one of our upstream peers...caused a lot of headaches for us. Proper registration in a routing registry helps, too. As does, frankly, having an ISP with a clue... and purported tier has little to do with it. -r
LOIC tool used in the Anonymous attacks
Interesting analysis of the 3 LOIC tool variants used in the Anonymous Operation Payback attacks on Mastercard, Paypal, etc. http://www.simpleweb.org/reports/loic-report.pdf LOIC makes no attempt to hide the IP addresses of the attackers, making it easy to trace them if they are using their own computers. Regards Marshall
Re: LOIC tool used in the Anonymous attacks
Interesting.. there's an ED about LOIC http://encyclopediadramatica.com/LOIC It even gives an instruction on how to deny the use of the tool: (funny)

What if I get caught and Vd? You probably won't. It's recommended that you attack with over 9000 other anons, while attacking alone pretty much means doing nothing. If you are a complete idiot and LOIC a small server alone, there is a chance of getting V. No one will bother, let alone have the resources, to deal with DDoS attacks that happen every minute around the world. Then there's always the botnet excuse. Just say your PC was infected by a botnet and you have since run antivirus programs and whatnot to try to get rid of it. Or just say you have NFI what a DDoS is at all. PROTIP: If you do get V: ALWAYS deny it. Explain it was a botnet. Say you have a dynamic IP and that they have the wrong guy. Also, epic lolz will be achieved because you are a fag. DDOS ONLY IN GROUPS

On Sat, Dec 11, 2010 at 9:19 AM, Marshall Eubanks t...@multicasttech.com wrote: Interesting analysis of the 3 LOIC tool variants used in the Anonymous Operation Payback attacks on Mastercard, Paypal, etc. http://www.simpleweb.org/reports/loic-report.pdf LOIC makes no attempt to hide the IP addresses of the attackers, making it easy to trace them if they are using their own computers. Regards Marshall

-- () ascii ribbon campaign - against html e-mail /\ www.asciiribbon.org - against proprietary attachments Disclaimer: http://goldmark.org/jeff/stupid-disclaimers/
RE: LOIC tool used in the Anonymous attacks
-Original Message- From: Marshall Eubanks [mailto:t...@multicasttech.com] Sent: Saturday, December 11, 2010 10:20 AM To: North American Network Operators Group Subject: LOIC tool used in the Anonymous attacks

Interesting analysis of the 3 LOIC tool variants used in the Anonymous Operation Payback attacks on Mastercard, Paypal, etc. http://www.simpleweb.org/reports/loic-report.pdf LOIC makes no attempt to hide the IP addresses of the attackers, making it easy to trace them if they are using their own computers.

IMO, LOIC is a very unsophisticated tool. There are methods the attackers could have used to obfuscate their IP (while still employing a complete TCP 3-way handshake) if they were a bit more knowledgeable. Although it's equivalent to a sophomore year CS project, it has the benefit of being easy to use and so lowers the barrier to entry for would-be script kiddies looking for a fun afternoon. There is also evidence of its use in the wild outside of the hive. I think the skill level of these guys is clearly evidenced by one of the members who forgot to remove the metadata from their most recent press release.

Stefan
Re: LOIC tool used in the Anonymous attacks
I was reading about this- yeah really anonymous. http://praetorianprefect.com/archives/2010/12/anonymous-releases-very-unanonymous-press-release/ Also: http://www.boingboing.net/2010/12/11/anonymous-isnt-loic.html Andrew From: Stefan Fouant sfou...@shortestpathfirst.net To: 'Marshall Eubanks' t...@multicasttech.com; 'North American Network Operators Group' nanog@nanog.org Cc: Sent: Saturday, 11 December 2010, 17:34:20 Subject: RE: LOIC tool used in the Anonymous attacks I think the skill level of these guys is clearly evidenced by one of the members who forgot to remove the metadata from their most recent press release. Stefan
Re: [Operational] Internet Police
check the agreed maintenance windows as defined in the (SLA) section Maintenance Plans - etc

- Original Message From: Joel Jaeggli joe...@bogus.com To: valdis.kletni...@vt.edu Cc: nanog@nanog.org Sent: Fri, December 10, 2010 6:48:41 PM Subject: Re: [Operational] Internet Police

On 12/10/10 9:06 AM, valdis.kletni...@vt.edu wrote: On Fri, 10 Dec 2010 11:08:00 EST, Lamar Owen said: I believe the word you wanted was hooliganism. And we have a legal system that has about 3,000 years of experience in dealing with *that*, thank you very much.

The code of Hammurabi or Ur-Nammu would probably cut off your hand or require the payment of several minas of silver. The failure isn't one of the legal system not having the tools to prosecute this sort of activity, it's the failure to effectively police it. Other attractive nuisances that cause economic damage such as graffiti and antisocial behavior (of which much of this dos activity clearly is) have been around longer than the code of Ur-Nammu and we haven't solved them yet either.
Re: Global Crossing/GBLX tech needed - AS3549
location? - Original Message From: Matt Disuko gourmetci...@hotmail.com To: NANOG nanog@nanog.org Sent: Thu, December 9, 2010 3:02:59 PM Subject: Global Crossing/GBLX tech needed - AS3549 Can a Global Crossing IP engineer please contact me off-list? Thanks, Matt
Re: LOIC tool used in the Anonymous attacks
It's hard to believe that it took eight people to run wireshark and write this simplistic paper about LOIC. The analysis is weak at best (it seems they only had a few days to study the problem), and never analyzes the source code which has been widely available at https://github.com/NewEraCracker/LOIC

A cursory analysis of HTTPFlooder.cs would give you all you need to know to understand the attack and block the tool. If you find your network attacked by this tool, you'll immediately discover a large volume of HTTP requests with no User-Agent or Accept: headers. Drop those requests at the border. You can also compile requests of that nature to analyze the size of the swarm that is attacking you. In analysis, I've found this to be on the order of 2000-3000 hosts. It's a decently sized ACL to place on your ingress routers, but these attacks can be thwarted.

-j

On Sat, Dec 11, 2010 at 7:19 AM, Marshall Eubanks t...@multicasttech.com wrote: Interesting analysis of the 3 LOIC tool variants used in the Anonymous Operation Payback attacks on Mastercard, Paypal, etc. http://www.simpleweb.org/reports/loic-report.pdf LOIC makes no attempt to hide the IP addresses of the attackers, making it easy to trace them if they are using their own computers. Regards Marshall
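The check -j describes above, as an added example that is not code from the thread or from the LOIC project: it parses constructed sample request heads, flags those carrying neither a User-Agent nor an Accept header, counts the distinct sources behind them to size the swarm, and renders one deny line per source. The sample addresses, the (source, raw request) record layout and the IOS-style extended ACL syntax are assumptions for illustration.

```python
from collections import Counter

# Constructed sample traffic, shaped the way a capture tool might hand it over:
# (source address, raw HTTP request head). Addresses are documentation ranges, not real data.
SAMPLE_REQUESTS = [
    ("198.51.100.10", "GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("198.51.100.10", "GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("198.51.100.11", "GET /?id=1337 HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("203.0.113.5", "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                    "User-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n"),
    ("203.0.113.6", "GET /robots.txt HTTP/1.1\r\nHost: www.example.com\r\n"
                    "user-agent: Googlebot/2.1\r\n\r\n"),
    ("198.51.100.12", "POST /login HTTP/1.1\r\nHost: www.example.com\r\n"
                      "Accept: */*\r\nContent-Length: 0\r\n\r\n"),
    ("198.51.100.13", "GET / HTTP/1.0\r\n\r\n"),
]


def parse_request_head(raw):
    """Return (request_line, headers) with header names lower-cased.
    Only the head is parsed; any body after the blank line is ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # tolerate junk lines instead of crashing on them
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def is_headerless_flood(headers):
    """The pattern described on the list: neither User-Agent nor Accept is present.
    Names are compared case-insensitively because clients vary in capitalisation."""
    return "user-agent" not in headers and "accept" not in headers


def flagged_sources(requests):
    """Count flagged requests per source address. The number of keys is the
    estimate of how many hosts make up the swarm."""
    hits = Counter()
    for src, raw in requests:
        _, headers = parse_request_head(raw)
        if is_headerless_flood(headers):
            hits[src] += 1
    return hits


def build_acl_entries(hits, min_hits=1):
    """Render one deny line per flagged source, sorted for stable diffs.
    The syntax is assumed IOS-style extended ACL text (not quoted in the thread);
    adapt it to your platform. min_hits lets you ignore one-off matches."""
    return [f"deny ip host {src} any"
            for src, n in sorted(hits.items()) if n >= min_hits]


if __name__ == "__main__":
    hits = flagged_sources(SAMPLE_REQUESTS)
    print(f"{len(hits)} suspected hosts, {sum(hits.values())} flagged requests")
    for entry in build_acl_entries(hits):
        print(entry)
```

Minimal clients such as in-house health-check scripts also omit both headers, so review the flagged list (raising min_hits helps) before loading it onto an ingress router.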
Re: LOIC tool used in the Anonymous attacks
In a message written on Sat, Dec 11, 2010 at 10:19:32AM -0500, Marshall Eubanks wrote: LOIC makes no attempt to hide the IP addresses of the attackers, making it easy to trace them if they are using their own computers.

Perhaps the authors of the tool would rather keep the finite law enforcement busy rounding up clueless high school kids who install this tool. In that sense it's both a network packet DDOS, and a law enforcement attacker DDOS. Brilliant in a way.

-- Leo Bicknell - bickn...@ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/
Re: Over a decade of DDOS--any progress yet?
On Fri, 10 Dec 2010 15:32:10 -0500 Drew Weaver drew.wea...@thenap.com wrote: I should've qualified my question by saying What valid application which traverses the Internet and could be seen at the edge of a network actually uses UDP 80? I'll grant that my response was a bit pedantic: there is no legitimate reason for such traffic to leave a network. I can't imagine there is too much Cisco NAC client for macs carrying on over the Internet, although I have been wrong in the past. I imagine you're right, and that any network that detects any significant amount would be one whose first octet is a common fourth-octet-of-a-gateway (1, 65, 129, etc). mc
Re: LOIC tool used in the Anonymous attacks
On Dec 11, 2010, at 4:21 PM, Leo Bicknell wrote: In a message written on Sat, Dec 11, 2010 at 10:19:32AM -0500, Marshall Eubanks wrote: LOIC makes no attempt to hide the IP addresses of the attackers, making it easy to trace them if they are using their own computers. Perhaps the authors of the tool would rather keep the finite law enforcement busy rounding up clueless high school kids who install this tool. In that sense it's both a network packet DDOS, and a law enforcement attacker DDOS. Brilliant in a way.

Or maybe that's a feature, not a bug. False flag operations to ensnare the clueless have a long history of running code.

Regards Marshall

-- Leo Bicknell - bickn...@ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/
Re: LOIC tool used in the Anonymous attacks
Like I said the other day on Cnet comments section, December 10, 2010 3:31 PM PST. It is extremely easy to find out who everyone is, because the anonymous is decentralised and easy to infiltrate and manipulate.

Andrew

From: Leo Bicknell bickn...@ufp.org To: North American Network Operators Group nanog@nanog.org Cc: Sent: Saturday, 11 December 2010, 21:21:29 Subject: Re: LOIC tool used in the Anonymous attacks Perhaps the authors of the tool would rather keep the finite law enforcement busy rounding up clueless high school kids who install this tool. In that sense it's both a network packet DDOS, and a law enforcement attacker DDOS. Brilliant in a way.
Re: Mastercard problems
The USSS has jurisdiction over all DDoS (threats to critical infrastructure). Jeff On Wed, Dec 8, 2010 at 3:30 PM, andrew.wallace andrew.wall...@rocketmail.com wrote: I would say the attack falls under the jurisdiction of the US secret service since this is an attack on the financial system. Today the agency's primary investigative mission is to safeguard the payment and financial systems of the United States. --- secretservice.gov Andrew - Original Message - From:Christopher Morrow morrowc.li...@gmail.com To:Jack Bates jba...@brightok.net Cc:nanog@nanog.org nanog@nanog.org Sent:Wednesday, 8 December 2010, 18:47:49 Subject:Re: Mastercard problems I know that the folks involved on the MC side already have this data, and that the fbi is interested in it. -chris -- Jeffrey Lyon, Leadership Team jeffrey.l...@blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions
Re: Mastercard problems
So then why is there a cyber command and a cyber group part of homeland security charged with protection of critical infrastructure if critical infrastructure is the responsibility of USSS? Looks like we have too many keystone cops (the AF advertises an operational Cyber Command with nothing really there) who might fall over one another not to mention get in the way of the owners of the infrastructure who probably know it better than the feds. On Dec 11, 2010, at 8:16 PM, Jeffrey Lyon wrote: The USSS has jurisdiction over all DDoS (threats to critical infrastructure). Jeff On Wed, Dec 8, 2010 at 3:30 PM, andrew.wallace andrew.wall...@rocketmail.com wrote: I would say the attack falls under the jurisdiction of the US secret service since this is an attack on the financial system. Today the agency's primary investigative mission is to safeguard the payment and financial systems of the United States. --- secretservice.gov Andrew - Original Message - From:Christopher Morrow morrowc.li...@gmail.com To:Jack Bates jba...@brightok.net Cc:nanog@nanog.org nanog@nanog.org Sent:Wednesday, 8 December 2010, 18:47:49 Subject:Re: Mastercard problems I know that the folks involved on the MC side already have this data, and that the fbi is interested in it. -chris -- Jeffrey Lyon, Leadership Team jeffrey.l...@blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions
Re: Mastercard problems
http://www.secretservice.gov/ectf_newyork.shtml Each field office has their own page. Jeff On Sat, Dec 11, 2010 at 8:42 PM, TR Shaw ts...@oitc.com wrote: So then why is there a cyber command and a cyber group part of homeland security charged with protection of critical infrastructure if critical infrastructure is the responsibility of USSS? Looks like we have too many keystone cops (the AF advertises an operational Cyber Command with nothing really there) who might fall over one another not to mention get in the way of the owners of the infrastructure who probably know it better than the feds. On Dec 11, 2010, at 8:16 PM, Jeffrey Lyon wrote: The USSS has jurisdiction over all DDoS (threats to critical infrastructure). Jeff On Wed, Dec 8, 2010 at 3:30 PM, andrew.wallace andrew.wall...@rocketmail.com wrote: I would say the attack falls under the jurisdiction of the US secret service since this is an attack on the financial system. Today the agency's primary investigative mission is to safeguard the payment and financial systems of the United States. --- secretservice.gov Andrew - Original Message - From:Christopher Morrow morrowc.li...@gmail.com To:Jack Bates jba...@brightok.net Cc:nanog@nanog.org nanog@nanog.org Sent:Wednesday, 8 December 2010, 18:47:49 Subject:Re: Mastercard problems I know that the folks involved on the MC side already have this data, and that the fbi is interested in it. -chris -- Jeffrey Lyon, Leadership Team jeffrey.l...@blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions -- Jeffrey Lyon, Leadership Team jeffrey.l...@blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions
Re: Over a decade of DDOS--any progress yet?
On Fri, Dec 10, 2010 at 5:51 PM, Joel Jaeggli joe...@bogus.com wrote: On 12/10/10 12:33 PM, Drew Weaver wrote: Nobody has really driven the point home that yes you can purchase a system from Arbor, RioRey, make your own mitigation system; what-have you, but you still have to pay for the transit to digest the attack, which is probably the main cost right now. or you outsource it and it's still costlier. Paying for DOS mitigation you rarely if ever use is quite expensive. If you use it a lot it's even more expensive, but can at least be rationalized on the basis of known costs e.g. npv calculation on the number and duration of outages...

verizon's ddos service was/is 3250/month flat... not extra if there was some sort of incident, and completely self-service for the customer(s). Is 3250/month a reasonable insurance against loss? (40k/yr or thereabouts)

-chris

-Drew -Original Message- From: Dobbins, Roland [mailto:rdobb...@arbor.net] Sent: Wednesday, December 08, 2010 11:54 AM To: North American Operators' Group Subject: Re: Over a decade of DDOS--any progress yet? On Dec 8, 2010, at 11:47 PM, Jay Coley wrote: This has been our recent experience as well. I see link-filling attacks with some regularity; but again, what I'm saying is simply that they aren't as prevalent as they used to be, because the attackers don't *need* to fill links in order to achieve their goals, in many cases. That being said, high-bandwidth DNS reflection/amplification attacks tip the scales, every time. Lastly there is usually always someone at the other end of these attacks watching what is working and what is not This is a very important point - determined attackers will observe and react in order to try and defeat successful countermeasures, so the defenders must watch for shifting attack vectors. --- Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com Sell your computer and buy a guitar.
Re: Over a decade of DDOS--any progress yet?
I'm certain there are thresholds to that. Carrier grade mitigation solutions will start low and ramp up to 5, 6, 7, etc. figures depending on the attack and amount of bandwidth to be filtered among other variables.

Jeff

On Sun, Dec 12, 2010 at 12:05 AM, Christopher Morrow morrowc.li...@gmail.com wrote: On Fri, Dec 10, 2010 at 5:51 PM, Joel Jaeggli joe...@bogus.com wrote: On 12/10/10 12:33 PM, Drew Weaver wrote: Nobody has really driven the point home that yes you can purchase a system from Arbor, RioRey, make your own mitigation system; what-have you, but you still have to pay for the transit to digest the attack, which is probably the main cost right now. or you outsource it and it's still costlier. Paying for DOS mitigation you rarely if ever use is quite expensive. If you use it a lot it's even more expensive, but can at least be rationalized on the basis of known costs e.g. npv calculation on the number and duration of outages... verizon's ddos service was/is 3250/month flat... not extra if there was some sort of incident, and completely self-service for the customer(s). Is 3250/month a reasonable insurance against loss? (40k/yr or thereabouts) -chris -Drew -Original Message- From: Dobbins, Roland [mailto:rdobb...@arbor.net] Sent: Wednesday, December 08, 2010 11:54 AM To: North American Operators' Group Subject: Re: Over a decade of DDOS--any progress yet? On Dec 8, 2010, at 11:47 PM, Jay Coley wrote: This has been our recent experience as well. I see link-filling attacks with some regularity; but again, what I'm saying is simply that they aren't as prevalent as they used to be, because the attackers don't *need* to fill links in order to achieve their goals, in many cases. That being said, high-bandwidth DNS reflection/amplification attacks tip the scales, every time. 
Lastly there is usually always someone at the other end of these attacks watching what is working and what is not This is a very important point - determined attackers will observe and react in order to try and defeat successful countermeasures, so the defenders must watch for shifting attack vectors. --- Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com Sell your computer and buy a guitar. -- Jeffrey Lyon, Leadership Team jeffrey.l...@blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions
Re: Over a decade of DDOS--any progress yet?
On Sun, Dec 12, 2010 at 12:20 AM, Jeffrey Lyon jeffrey.l...@blacklotus.net wrote: I'm certain there are thresholds to that. Carrier grade mitigation solutions will start low and ramp up to 5, 6, 7, etc. figures depending on the attack and amount of bandwidth to be filtered among other variables.

nope, the pricing (when I was there, and I don't think it's changed much) is 3250/month for 500mbps of mitigation, though there was ~12gbps available easily before any work had to be done by the ISP... If the plan I/sfouant put in place was followed you could have scaled the capacity to much higher than that. If a customer continuously abused the 'limit' they may have been boosted to the next tier, but... I'd not ever seen that done. 3250/month... easy, peasy.

-chris

Jeff On Sun, Dec 12, 2010 at 12:05 AM, Christopher Morrow morrowc.li...@gmail.com wrote: On Fri, Dec 10, 2010 at 5:51 PM, Joel Jaeggli joe...@bogus.com wrote: On 12/10/10 12:33 PM, Drew Weaver wrote: Nobody has really driven the point home that yes you can purchase a system from Arbor, RioRey, make your own mitigation system; what-have you, but you still have to pay for the transit to digest the attack, which is probably the main cost right now. or you outsource it and it's still costlier. Paying for DOS mitigation you rarely if ever use is quite expensive. If you use it a lot it's even more expensive, but can at least be rationalized on the basis of known costs e.g. npv calculation on the number and duration of outages... verizon's ddos service was/is 3250/month flat... not extra if there was some sort of incident, and completely self-service for the customer(s). Is 3250/month a reasonable insurance against loss? (40k/yr or thereabouts) -chris -Drew -Original Message- From: Dobbins, Roland [mailto:rdobb...@arbor.net] Sent: Wednesday, December 08, 2010 11:54 AM To: North American Operators' Group Subject: Re: Over a decade of DDOS--any progress yet? 
On Dec 8, 2010, at 11:47 PM, Jay Coley wrote: This has been our recent experience as well. I see link-filling attacks with some regularity; but again, what I'm saying is simply that they aren't as prevalent as they used to be, because the attackers don't *need* to fill links in order to achieve their goals, in many cases. That being said, high-bandwidth DNS reflection/amplification attacks tip the scales, every time. Lastly there is usually always someone at the other end of these attacks watching what is working and what is not This is a very important point - determined attackers will observe and react in order to try and defeat successful countermeasures, so the defenders must watch for shifting attack vectors. --- Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com Sell your computer and buy a guitar. -- Jeffrey Lyon, Leadership Team jeffrey.l...@blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions
Re: Over a decade of DDOS--any progress yet?
On Sun, Dec 12, 2010 at 12:05 AM, Christopher Morrow morrowc.li...@gmail.com wrote: verizon's ddos service was/is 3250/month flat... not extra if there was some sort of incident, and completely self-service for the customer(s). Is 3250/month a reasonable insurance against loss? (40k/yr or there abouts) reasonable, but 'completely self-service' ? how much to have an engineer pump my gas for me (full service)? does that include a windshield wipe down, tire pressure and oil check (old timey full service extras)?
Re: Over a decade of DDOS--any progress yet?
On Sun, Dec 12, 2010 at 12:42 AM, Aaron Glenn aaron.gl...@gmail.com wrote: On Sun, Dec 12, 2010 at 12:05 AM, Christopher Morrow morrowc.li...@gmail.com wrote: verizon's ddos service was/is 3250/month flat... not extra if there was some sort of incident, and completely self-service for the customer(s). Is 3250/month a reasonable insurance against loss? (40k/yr or there abouts) reasonable, but 'completely self-service' ? how much to have an engineer pump my gas for me (full service)? does that include a windshield wipe down, tire pressure and oil check (old timey full service extras)? end customer sends the right community and mitigation happens... remove the community it stops. no need to call someone and make it happen, just have the NOC/etc at your network follow a simple procedure. you are funny though :) (and I think you can call for free, 1-800 number, and get an engineer to make things happen for you as well...) -Chris