passive bandwidth estimation

2011-10-04 Thread Murtaza
Hi everyone,
I want to do passive available bandwidth measurement. I was just wondering
what tools/techniques people are generally using these days. And is it a
good idea to use the congestion window as a parameter?
Ghulam


Re: Nxdomain redirect revenue

2011-10-04 Thread Brian Smith

+1 to the use of CAA/DANE

-brian


On 09/27/2011 07:34 PM, Rubens Kuhl wrote:

On Tue, Sep 27, 2011 at 7:29 PM, David E. Smith  wrote:

On Tue, Sep 27, 2011 at 17:08, Jimmy Hess  wrote:

That is, HTTPs should become assumed.

As much as that would be wonderful from a security standpoint, IMO
it's not realistic to expect every mom-and-pop posting a personal Web
site to pay extra for a static/dedicated IP address from their hosting
company (even if IPv6 were widely deployed, Web hosts probably would
charge extra for this just on principle), and to pay extra for an SSL
certificate, even a "weak" one that only verifies the domain name.

Self-signed certificates published thru DNSSEC using CAA/DANE can cost nothing.
(And somebody else pointed out SNI to have TLS work without exclusive
IP requirement)

Rubens
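
Rubens' point that a self-signed certificate published through DNSSEC costs nothing rests on DANE (RFC 6698) TLSA records. What follows is an added example, not code from the thread or from any DANE implementation: it builds the TLSA 3 1 1 record (usage DANE-EE, selector SubjectPublicKeyInfo, SHA-256) for a server key, round-trips it through the RDATA wire format, and shows the client-side match, including the check that the record only counts when the DNS answer carrying it was DNSSEC-validated. The SubjectPublicKeyInfo bytes, the host name example.net and all function names are assumptions made for the example.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# TLSA field values from RFC 6698 (DANE).
USAGE_DANE_EE = 3     # certificate usage 3: the end-entity key itself, no CA chain needed
SELECTOR_SPKI = 1     # selector 1: hash the SubjectPublicKeyInfo, not the whole certificate
MATCHING_SHA256 = 1   # matching type 1: SHA-256 of the selected data

# Constructed stand-in for the DER-encoded SubjectPublicKeyInfo of a self-signed
# certificate (assumption: a real deployment extracts it from the certificate,
# e.g. with `openssl x509 -pubkey`). These bytes are not a real key.
SAMPLE_SPKI_DER = bytes.fromhex("3059301306072a8648ce3d020106082a8648ce3d030107034200") + bytes(range(65))


@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int
    matching_type: int
    cert_association: bytes   # the digest (or raw data) the zone publishes

    def to_presentation(self, owner: str) -> str:
        """Zone-file form, e.g. '_443._tcp.example.net. IN TLSA 3 1 1 <hex>'."""
        return (f"{owner} IN TLSA {self.usage} {self.selector} "
                f"{self.matching_type} {self.cert_association.hex()}")

    def to_wire(self) -> bytes:
        """RDATA wire form: three one-octet fields followed by the association data."""
        return struct.pack("!BBB", self.usage, self.selector, self.matching_type) + self.cert_association

    @classmethod
    def from_wire(cls, rdata: bytes) -> "TLSARecord":
        if len(rdata) < 4:
            raise ValueError("TLSA RDATA too short")
        usage, selector, matching_type = struct.unpack("!BBB", rdata[:3])
        return cls(usage, selector, matching_type, rdata[3:])


def tlsa_owner_name(host: str, port: int = 443, proto: str = "tcp") -> str:
    """Owner name for the service: _port._proto.host (RFC 6698)."""
    return f"_{port}._{proto}.{host.rstrip('.')}."


def build_dane_ee_record(spki_der: bytes) -> TLSARecord:
    """Publish the SHA-256 of the server's SubjectPublicKeyInfo (TLSA 3 1 1).

    Usage 3 pins the server's own key, so a self-signed certificate is enough:
    a DANE-aware client trusts the DNSSEC-signed record instead of a CA.
    """
    return TLSARecord(USAGE_DANE_EE, SELECTOR_SPKI, MATCHING_SHA256,
                      hashlib.sha256(spki_der).digest())


def dane_ee_matches(record: TLSARecord, presented_spki_der: bytes,
                    dnssec_validated: bool) -> bool:
    """Client-side check: does the presented certificate's SPKI match the record?

    The record is only evidence if the DNS answer carrying it was validated;
    an unvalidated TLSA record could have been substituted on the way.  Only
    the 3 1 1 combination is handled here; anything else is rejected rather
    than silently accepted.
    """
    if not dnssec_validated:
        return False
    if (record.usage, record.selector, record.matching_type) != (
            USAGE_DANE_EE, SELECTOR_SPKI, MATCHING_SHA256):
        return False
    if len(record.cert_association) != hashlib.sha256().digest_size:
        return False  # malformed record: wrong digest length for SHA-256
    return hmac.compare_digest(hashlib.sha256(presented_spki_der).digest(),
                               record.cert_association)


if __name__ == "__main__":
    owner = tlsa_owner_name("example.net")
    record = build_dane_ee_record(SAMPLE_SPKI_DER)
    print(record.to_presentation(owner))
    received = TLSARecord.from_wire(record.to_wire())   # as a resolver would hand it back
    print("match:", dane_ee_matches(received, SAMPLE_SPKI_DER, dnssec_validated=True))
```

Publishing the SPKI hash rather than the whole certificate means the record survives re-issuing a self-signed certificate with the same key; rotating the key means updating the TLSA record first and waiting out the old TTL.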





Re: Nxdomain redirect revenue

2011-10-04 Thread Brian Smith


On 09/27/2011 07:55 PM, Jimmy Hess wrote:
the goal behind this would be integrity, not confidentiality. The 
objective of using SSL is not to strongly encrypt data to keep it 
secret, it's to apply whatever is necessary to provide a level of 
integrity assurance. 





If all you want is integrity then shouldn't you argue that every 
computer should operate a DNSSEC validating recursive resolver on the 
machine? After all, that is the point of DNSSEC, isn't it: the 
validation of DNS records for endpoint authenticity.


Even still SNI isn't even widely supported by the major browsers as I 
understand it.


just my 2c



Re: Over a decade of DDOS--any progress yet?

2011-10-04 Thread Zachary Hanna
The NIST has proposed a framework for operators to notify botnet victims.

The call for comments and article discussing it are described here:


https://www.infosecisland.com/blogview/17021-Government-Proposes-ISPs-Notify-Victims-of-Botnets.html#.TotXA6C-16Q.twitter

"Comments on the proposed Code of Conduct and botnet reporting initiative
are due on or before 5 p.m. EDT, November 4, 2011.
Written comments on the proposal may be submitted by mail to the National
Institute of Standards and Technology at the U.S. Department of
Commerce, 1401 Constitution Avenue, NW., Room 4822, Washington, DC
20230. Submissions may be in any of the following formats: HTML, ASCII,
Word, rtf, or pdf.
Online comment submissions in electronic form may be sent to
consumer_notice_...@nist.gov.
Paper submissions should include a compact disc (CD). CDs should be
labeled with the name and organizational affiliation of the filer and
the name of the word processing program used to create the document.
Comments will be posted at http://www.nist.gov/itl/.
A list of questions is included in the Request for Information, and can
be accessed at the source link below:
Source:
http://www.federalregister.gov/articles/2011/09/21/2011-24180/models-to-advance-voluntary-corporate-notification-to-consumers-regarding-the-illicit-use-of#p-3
"


IMHO this would go a long way to addressing the underlying root cause
(botted machines). 

Regards,

Zachary


On 12/14/10 5:34 PM, "Joel Jaeggli"  wrote:

>On 12/8/10 6:30 AM, Drew Weaver wrote:
>> Yes, but this obviously completes the 'DDoS attack' and sends the
>>signal that the bully will win.
>
>it's part of a valid mitigation strategy. shifting the target out from
>underneath the blackholed address is also part of the activity. that's
>easier in some cases than others. the bots will move and you play whack
>a rat with your upstreams.
>
>joel
>
>> -Drew
>
>> From: alvaro.sanc...@adinet.com.uy
>>[mailto:alvaro.sanc...@adinet.com.uy]
>> Sent: Wednesday, December 08, 2010 8:46 AM
>> To: rdobb...@arbor.net; North American Operators' Group
>> Subject: Re: Over a decade of DDOS--any progress yet?
>> 
>> A very common action is to blackhole ddos traffic upstream by sending a
>> bgp route to the next AS with a preestablished community indicating the
>> traffic must be sent to Null0. The route may be very specific, in order
>> to impact as little as possible. This needs previous coordination between
>> providers.
>> Regards.
>> 
>
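
Alvaro's description of upstream blackholing (a host route to the next AS carrying a pre-agreed community that the provider maps to Null0) is the remotely triggered black hole technique. The code below is an added example, not from the thread or from any router vendor: it builds the most specific route for an attacked address and shows the policy check an upstream would apply before honouring it, so that a customer can only blackhole addresses inside its own aggregates. The aggregates, victim addresses and function names are constructed for the example; the community value 65535:666 is the BLACKHOLE community later defined in RFC 7999, and a provider-specific value agreed in advance works the same way.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# RFC 7999 well-known BLACKHOLE community. Many upstreams use their own value
# agreed in advance instead, which is why every function takes it as a parameter.
BLACKHOLE_COMMUNITY = "65535:666"

# Constructed example of the address space this network is permitted to announce.
OUR_AGGREGATES = [ipaddress.ip_network("203.0.113.0/24"),
                  ipaddress.ip_network("2001:db8:100::/48")]


@dataclass(frozen=True)
class BlackholeRoute:
    prefix: str        # host route (/32 or /128) for the attacked address
    community: str     # the value the upstream has agreed to map to Null0


def in_own_space(victim: str, aggregates: Iterable[Network]) -> bool:
    """True if the address lies inside one of our own announced aggregates."""
    addr = ipaddress.ip_address(victim)
    return any(addr in agg for agg in aggregates)


def build_blackhole_route(victim: str, aggregates: Iterable[Network],
                          community: str = BLACKHOLE_COMMUNITY) -> BlackholeRoute:
    """Most specific route for the victim, tagged with the blackhole community.

    Announcing only the single address keeps the collateral damage to that
    host; refusing addresses outside our aggregates keeps a fat-fingered
    RTBH announcement from discarding someone else's traffic.
    """
    aggregates = list(aggregates)
    if not in_own_space(victim, aggregates):
        raise ValueError(f"{victim} is not inside our announced aggregates")
    addr = ipaddress.ip_address(victim)
    return BlackholeRoute(f"{addr}/{addr.max_prefixlen}", community)


def upstream_accepts(prefix: str, communities: Iterable[str],
                     customer_aggregates: Iterable[Network],
                     agreed_community: str = BLACKHOLE_COMMUNITY) -> bool:
    """Provider-side policy for a customer's blackhole request.

    Honour it only if it is a host route, carries the agreed community, and
    sits inside the prefixes this customer is allowed to originate.  This is
    the 'previous coordination' the thread mentions, written down as a check.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    if net.prefixlen != net.max_prefixlen:
        return False
    if agreed_community not in set(communities):
        return False
    return any(net.subnet_of(agg)
               for agg in customer_aggregates if agg.version == net.version)


if __name__ == "__main__":
    route = build_blackhole_route("203.0.113.7", OUR_AGGREGATES)
    print(f"announce {route.prefix} community {route.community}")
    print("upstream accepts host route:",
          upstream_accepts(route.prefix, [route.community], OUR_AGGREGATES))
    print("upstream accepts covering /24:",
          upstream_accepts("203.0.113.0/24", [route.community], OUR_AGGREGATES))
```

The provider-side check is the part worth keeping: without the prefix-length and ownership tests, the same community that lets a customer protect itself would let it (or anyone who can inject routes into that session) discard traffic for addresses it does not own.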




Re: OT: Social Networking, Privacy and Control

2011-10-04 Thread Christian de Larrinaga
You know I don't need Facebook to introduce (broker) me to anyone! I am more 
than happy managing my own relationships (gradations of trust included!) Oh and 
my friends are distributed in the real world as well! 

This works pretty well even without a "social network" or a "system". When the 
Diginotar certification authority was badly compromised I got a bunch of 
information from many sources using those protocols which span the standards 
sphere of the Internet each bringing information that I value at varying levels 
of trust and applicability. Between and in combination of all this input I was 
able to take action and remove Diginotar from my keychain. I could have waited 
for Apple to stir its stumps but didn't need to. 

All those independent distributed "trust brokers" did a fine job! 

thanks folks!



Christian



On 4 Oct 2011, at 16:38, Jay Ashworth wrote:

> As usual, the underlying issue is one of trust.
> 
> Alas, I see no theoretical way that distributed systems like Diaspora *can*
> provide some of the functions that are core to systems like Facebook, *exactly
> by virtue* (vice?) of the fact that they are distributed; there is no central
> Trust Broker.




Re: F.ROOT-SERVERS.NET moved to Beijing?

2011-10-04 Thread Lindqvist Kurt Erik

On 3 okt 2011, at 16:30, Todd Underwood wrote:

> 
> ignoring randy (and others) off-topic comments about hypocrisy, this
> situation is fundamentally a situation of bad (or different) network
> policy being applied outside of its scope.  i would prefer that china
> not censor the internet, sure.  but i really require that china not
> censor *my* internet when i'm not in china.

Most if not all European operators today force rewrite or blocking of DNS 
lookups. Belgium added a fairly large site today. There is virtually no way 
that this can be contained just inside a country. This problem is way beyond 
root-servers, China etc. Filtering on the net is becoming common, and was 
pushed quite hard for at the Internet Governance Forum last week. By Interpol and 
MPAA. 

Best regards,

- kurtis -








[NANOG-announce] NANOG 53 Last Agenda and Registration Reminder

2011-10-04 Thread Betty Burke
Everyone,

The last update regarding NANOG 53 Registration and Agenda! Do not miss
out.


   - Late Registration starting October 4, 2011
   (non-member $600, member $575, student $100)

   - On-Site Registration starting October 9, 2011
   (non-member $675, member $650, student $100)


   - Submit your lightning talk proposal at http://pc.nanog.org starting
   October 3, 2011. Lightning Talks: A lightning talk is a very short
   presentation or speech by any attendee on any topic relevant to the NANOG
   audience. These are limited to ten minutes; this will be strictly enforced.
   - Topics that are timely, interesting, or even a crackpot idea you want
   to share: we encourage you to consider presenting it. The Program Committee
   will vote on all Lightning Talk submissions onsite at the meeting, and a
   submitter will be notified about his or her submission one day prior to the
   scheduled talk time.




See you in Philly!

All best.
Betty


-- 
Betty Burke
NewNOG/NANOG Executive Director
Office (810) 214-1218
NANOG Direct (510) 492-4030
___
NANOG-announce mailing list
nanog-annou...@nanog.org
https://mailman.nanog.org/mailman/listinfo/nanog-announce

Re: events

2011-10-04 Thread jeff murphy
http://code.google.com/p/eventlog-to-syslog/

On Oct 4, 2011, at 11:47 AM, Jones, Barry wrote:

> A sub question to this would be - is anyone using an app or client that will 
> forward windows OS events to said collector? I've seen Loglogic and others. 
> Was just curious if you've used a small scale version to collect security 
> events - log on, log off, etc...?
> 
> -Original Message-
> From: Harry Hoffman [mailto:hhoff...@ip-solutions.net] 
> Sent: Friday, September 30, 2011 6:56 AM
> To: nanog@nanog.org
> Subject: Re: events
> 
> It's a bit old but still works well. Russel Fulton and I worked on this when 
> I was down in NZ.
> 
> You still need to run syslog-ng but this allows you to ignore, warn, alert on 
> logs via regex.
> 
> 
> http://www.ip-solutions.net/syslog-ng/
> 
> 
> Cheers,
> Harry
> 
> 
> 
> On 09/30/2011 09:50 AM, harbor235 wrote:
>> What is everyone using to collect, alert, and analyze syslog data?
>> I am looking for something that can generate reports as well as support
>> multiple vendors. We have done some home grown stuff in the past but
>> would be interested in something that incorporates all the best features.
>> 
>> Solarwinds, splunk, fwanalog, and others come to mind, any other good ones
>> out there?
>> 
>> 
>> Mike
>> 
> 
> 





RE: events

2011-10-04 Thread Jones, Barry
A sub question to this would be - is anyone using an app or client that will 
forward windows OS events to said collector? I've seen Loglogic and others. Was 
just curious if you've used a small scale version to collect security events - 
log on, log off, etc...?

-Original Message-
From: Harry Hoffman [mailto:hhoff...@ip-solutions.net] 
Sent: Friday, September 30, 2011 6:56 AM
To: nanog@nanog.org
Subject: Re: events

It's a bit old but still works well. Russel Fulton and I worked on this when I 
was down in NZ.

You still need to run syslog-ng but this allows you to ignore, warn, alert on 
logs via regex.


http://www.ip-solutions.net/syslog-ng/


Cheers,
Harry



On 09/30/2011 09:50 AM, harbor235 wrote:
> What is everyone using to collect, alert, and analyze syslog data?
> I am looking for something that can generate reports as well as support
> multiple vendors. We have done some home grown stuff in the past but
> would be interested in something that incorporates all the best features.
>
> Solarwinds, splunk, fwanalog, and others come to mind, any other good ones
> out there?
>
>
> Mike
>




OT: Social Networking, Privacy and Control

2011-10-04 Thread Jay Ashworth
[ if you were already over this topic, plonk the thread ]

- Original Message -
> From: "Bill.Pilloud" 

> Is this not the nature of social media? If you want to make sure something
> is secure (sensitive information), why is it on social media? If you are
> worried about it being monetised, I think Google has already done that.

No.

Because "sensitive" is a word with different definitions at different times
for different people.

I don't mind my friends knowing that I (used to) go to Rocky Horror every
Saturday night and run around in my underwear.  I don't particularly want 
a potential employer to know that, and I might not want a new girlfriend to
know it *immediately*.

The promise of Social Networking is *precisely* that it permits this more
fine-grained *control* (that's the key word, for those who weren't playing 
the home game) over the information you disseminate, as opposed to just 
posting all of it on your blog.

*Telling people you're going to provide them that control* and then being
sloppy about it -- or worse, purposefully evil -- is the thing that has people
up in arms.

As usual, the underlying issue is one of trust.

Alas, I see no theoretical way that distributed systems like Diaspora *can*
provide some of the functions that are core to systems like Facebook, *exactly
by virtue* (vice?) of the fact that they are distributed; there is no central
Trust Broker.

Cheers,
-- jra
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA  http://photo.imageinc.us +1 727 647 1274



RE: Synology Disk DS211J

2011-10-04 Thread Jones, Barry
Thanks everyone for the input. I've seen some very good responses, and this 
NANOG newbie appreciates the take... :-) 

-Original Message-
From: Nick Olsen [mailto:n...@flhsi.com] 
Sent: Friday, September 30, 2011 1:05 PM
To: nanog@nanog.org
Subject: Re: Synology Disk DS211J

It's updates, I've got a 1511+ here and at the office. It phones home to check 
for updates. I noticed this the day I got it. Blocked the dst IP and that was 
the only thing that "broke".


Nick Olsen

Network Operations
(855) FLSPEED  x106



From: "Pierre-Yves Maunier" 
Sent: Friday, September 30, 2011 8:32 AM
To: "Jones, Barry" 
Subject: Re: Synology Disk DS211J

2011/9/29 Jones, Barry 

> Hey all.
> A little off topic, but wanted to share... I purchased a home storage
> Synology DS1511+. After configuring it on the home net, I did some captures
> to look at the protocols, and noticed that the DS1511+ is making outgoing
> connections to 59.124.41.242 (www) and 59.124.41.245 (port 81 & 89) on a
> regular basis. These addresses are owned by Synology and Chungwa Telecom in
> Taiwan.
>
> So far, I've not been able to find much information on their support sites,
> or Synology's wiki, but I wanted to put it out there.
>

Maybe it's for checking new firmware update availability...

-- 

Pierre-Yves Maunier
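
Barry found the NAS phoning home by capturing traffic and looking for recurring outbound connections; Nick blocked the destination and nothing else broke. The code below is an added example, not from the thread or from Synology: it runs the same check over flow records for a device against a per-device policy, flags destinations and ports outside that policy, and measures how regular the allowed update check is, so that an operator can tell a timer-driven vendor check from an unexpected peer. The flow records, the LAN addresses and the policy are constructed for the example; the vendor addresses 59.124.41.242 and 59.124.41.245 are the ones Barry reported.

```python
import ipaddress
import statistics
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    ts: int        # epoch seconds
    src: str
    dst: str
    dport: int
    proto: str


# Constructed flow records for a NAS at 192.168.1.20 (assumed LAN address), not a real capture.
SAMPLE_FLOWS = [
    Flow(1317700000, "192.168.1.20", "59.124.41.242", 80, "tcp"),   # hourly update check
    Flow(1317703600, "192.168.1.20", "59.124.41.242", 80, "tcp"),
    Flow(1317707200, "192.168.1.20", "59.124.41.242", 80, "tcp"),
    Flow(1317710800, "192.168.1.20", "59.124.41.242", 80, "tcp"),
    Flow(1317700010, "192.168.1.20", "59.124.41.245", 81, "tcp"),   # ports Barry saw, not yet reviewed
    Flow(1317703610, "192.168.1.20", "59.124.41.245", 89, "tcp"),
    Flow(1317700500, "192.168.1.20", "192.168.1.10", 445, "tcp"),    # LAN file sharing
    Flow(1317700900, "192.168.1.20", "198.51.100.77", 6881, "tcp"),  # nothing in the policy covers this
]

# Per-device expectation: LAN traffic is fine, plus the reviewed vendor check on port 80.
POLICY = {
    "192.168.1.20": {
        "local": [ipaddress.ip_network("192.168.1.0/24")],
        "allow": [(ipaddress.ip_network("59.124.41.242/32"), 80)],
    },
}


def classify(flow: Flow, policy: dict) -> str:
    """'local', 'allowed', 'unexpected', or 'unknown-device' for a source with no policy."""
    dev = policy.get(flow.src)
    if dev is None:
        return "unknown-device"
    dst = ipaddress.ip_address(flow.dst)
    if any(dst in net for net in dev["local"]):
        return "local"
    if any(dst in net and flow.dport == port for net, port in dev["allow"]):
        return "allowed"
    return "unexpected"


def periodicity(timestamps: List[int]) -> Optional[Tuple[float, float]]:
    """Mean gap between connections and its coefficient of variation.

    A CV near 0 means the device connects on a fixed schedule (a timer-driven
    update check looks like this); user-driven traffic is far more irregular.
    """
    ts = sorted(timestamps)
    if len(ts) < 3:
        return None
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    return (mean, statistics.pstdev(gaps) / mean) if mean else None


def report(flows: List[Flow], policy: dict) -> Dict[str, dict]:
    """Count unexpected destinations and measure how regular the allowed ones are."""
    unexpected = defaultdict(int)
    allowed_ts = defaultdict(list)
    for f in flows:
        verdict = classify(f, policy)
        if verdict in ("unexpected", "unknown-device"):
            unexpected[(f.src, f.dst, f.dport, f.proto)] += 1
        elif verdict == "allowed":
            allowed_ts[(f.src, f.dst, f.dport)].append(f.ts)
    return {
        "unexpected": dict(unexpected),
        "beacons": {k: periodicity(v) for k, v in allowed_ts.items() if periodicity(v)},
    }


if __name__ == "__main__":
    out = report(SAMPLE_FLOWS, POLICY)
    for (src, dst, port, proto), n in out["unexpected"].items():
        print(f"UNEXPECTED {src} -> {dst}:{port}/{proto} x{n}")
    for (src, dst, port), (mean, cv) in out["beacons"].items():
        print(f"allowed {src} -> {dst}:{port} every {mean:.0f}s (cv={cv:.2f})")
```

The policy is deliberately per device: an appliance that should only ever talk to the LAN and one vendor endpoint gets a short allow list, and anything outside it is a question for the operator, whether the answer turns out to be "update check" as in this thread or something less welcome.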




Re: Facebook insecure by design

2011-10-04 Thread Bill.Pilloud
Is this not the nature of social media? If you want to make sure something 
is secure (sensitive information), why is it on social media? If you are 
worried about it being monetised, I think Google has already done that.
- Original Message - 
From: "Joel jaeggli" 

To: "Jimmy Hess" 
Cc: 
Sent: Sunday, October 02, 2011 4:05 PM
Subject: Re: Facebook insecure by design



On 10/2/11 15:43 , Joel jaeggli wrote:

On 10/2/11 15:25 , Jimmy Hess wrote:

On Sun, Oct 2, 2011 at 4:53 PM,   wrote:

On Sun, 02 Oct 2011 08:38:36 PDT, Michael Thomas said:
I'm not sure why lack of TLS is considered to be a problem with 
Facebook.
The man in the middle is the other side of the connection, tls or 
otherwise.

Ooh.. subtle. :)


Man in the Middle (MITM) is a technical term that refers to a rather
specific kind of attack.

In this case, I believe the proper term would be just "The man".
[Or "Man at the Other End (MATOE)"]; you either trust Facebook with
info to send to them or you don't, and network security is only for
securing the transportation of that information you opt to send facebook.


alice sends charlie a message using bob's api, bob can observe and
probably monetize the contents.


Yes, if Alice sends Bob an encrypted message that Bob can read, and
Bob turns out to be untrustworthy, then Bob can sell/re-use the
information in an abusive/unapproved way for personal or economic profit.


charlie is probably untrustworthy, bob is probably moreso (mostly

  ^
trustworthy

because bob has more to lose than charlie), alice isn't cognizant of the
implications of running charlie's app on bob's platform despite the
numerous disclaimers she blindly clicked through on the way there.




--
-JH












Re: events

2011-10-04 Thread Jason LeBlanc
+1 for SEC, minimal hit on the cpu like most parsing tools, the regexp 
can be painful but it is fairly extensible.  Once you get used to it 
you'll love it.


On 10/04/2011 05:58 AM, Ben Roeder wrote:

Hi Mike,
We have used octopussy ( http://www.8pussy.org/dokuwiki/doku.php?id=home  yes 
it is work safe :-) ) with ok results.
Have used sec ( simple event correlator http://simple-evcorr.sourceforge.net/ ) 
to some success in simple cases.

Currently having another look at this myself and the following look 
interesting, but have not deployed them yet
http://logstash.net/
http://graylog2.org/about

Ben
On 30 Sep 2011, at 14:50, harbor235 wrote:


What is everyone using to collect, alert, and analyze syslog data?
I am looking for something that can generate reports as well as support
multiple vendors. We have done some home grown stuff in the past but
would be interested in something that incorporates all the best features.

Solarwinds, splunk, fwanalog, and others come to mind, any other good ones
out there?


Mike
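
Harry's syslog-ng setup (ignore, warn or alert on log lines via regex) and the SEC threshold correlation that Jason and Ben mention are both small enough to sketch in code. The following is an added example, not code from syslog-ng, SEC or any of the posters: it parses BSD-style syslog lines, runs them through ordered regex rules with ignore/warn/alert actions, and adds the kind of per-source "N matches within T seconds" rule SEC is used for, so that a burst of failed logins produces one alert instead of one event per line. The log lines, the rule set and the function names are constructed for the example.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed BSD-style syslog lines (not captured from a real host).
SAMPLE_LOG = """\
Oct  4 09:12:01 gw1 sshd[2201]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Oct  4 09:12:03 gw1 sshd[2201]: Failed password for invalid user admin from 198.51.100.23 port 51023 ssh2
Oct  4 09:12:05 gw1 sshd[2201]: Failed password for invalid user admin from 198.51.100.23 port 51024 ssh2
Oct  4 09:12:06 gw1 sshd[2201]: Failed password for invalid user admin from 198.51.100.23 port 51025 ssh2
Oct  4 09:12:07 gw1 sshd[2201]: Failed password for invalid user admin from 198.51.100.23 port 51026 ssh2
Oct  4 09:12:09 gw1 cron[118]: (root) CMD (run-parts /etc/cron.hourly)
Oct  4 09:13:40 core1 bgpd[77]: %BGP-5-ADJCHANGE: neighbor 192.0.2.9 Down BGP Notification sent
Oct  4 09:14:02 gw1 sshd[2210]: Accepted publickey for ops from 203.0.113.5 port 40110 ssh2
"""

# "Mmm dd HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
EPOCH = datetime(1900, 1, 1)   # strptime without a year lands in 1900; only differences matter


def parse_syslog(line: str) -> Optional[dict]:
    """Split one syslog line into fields, or None if it does not fit the format."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = (datetime.strptime(rec["ts"], "%b %d %H:%M:%S") - EPOCH).total_seconds()
    return rec


@dataclass
class Rule:
    name: str
    pattern: "re.Pattern"
    action: str                 # "ignore", "warn" or "alert"
    threshold: int = 1          # fire after this many matches ...
    window: int = 0             # ... within this many seconds (threshold 1: fire on every match)
    key: Optional[str] = None   # regex group to correlate on, e.g. the source address


# Ordered rules, first match wins: noise is dropped before anything can alert on it.
RULES = [
    Rule("cron-noise", re.compile(r"^\(root\) CMD "), "ignore"),
    Rule("ssh-bruteforce", re.compile(r"Failed password for .* from (?P<src>\S+)"),
         "alert", threshold=5, window=60, key="src"),
    Rule("ssh-login", re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)"), "warn"),
    Rule("bgp-neighbor-down", re.compile(r"ADJCHANGE: neighbor (?P<peer>\S+) Down"), "alert"),
]


def process(lines: List[str], rules: List[Rule] = RULES) -> List[Tuple[str, str, str]]:
    """Return (action, rule name, detail) for every line that warrants attention."""
    recent = defaultdict(deque)   # (rule, key) -> timestamps still inside the window
    events = []
    for raw in lines:
        rec = parse_syslog(raw)
        if rec is None:
            events.append(("warn", "unparsed", raw))   # never silently drop what we cannot read
            continue
        for rule in rules:
            m = rule.pattern.search(rec["msg"])
            if not m:
                continue
            if rule.action == "ignore":
                break
            if rule.threshold <= 1:
                events.append((rule.action, rule.name, f"{rec['host']}: {rec['msg']}"))
                break
            key = m.group(rule.key) if rule.key else rec["host"]
            q = recent[(rule.name, key)]
            q.append(rec["time"])
            while q and rec["time"] - q[0] > rule.window:
                q.popleft()                      # forget matches that aged out
            if len(q) >= rule.threshold:
                events.append((rule.action, rule.name,
                               f"{key}: {len(q)} matches within {rule.window}s"))
                q.clear()                        # one alert per burst, not one per line
            break
    return events


if __name__ == "__main__":
    for action, name, detail in process(SAMPLE_LOG.splitlines()):
        print(f"{action.upper():5} {name}: {detail}")
```

Rule order matters in the same way it does in syslog-ng filters: an ignore rule that is too broad placed first will swallow lines a later alert rule should have seen, so the noise rules should be as specific as the alert rules.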








Re: events

2011-10-04 Thread Leigh Porter
8pussy.org ?

-- 
Leigh Porter


On 4 Oct 2011, at 10:59, "Ben Roeder"  wrote:

> Hi Mike,
> We have used octopussy ( http://www.8pussy.org/dokuwiki/doku.php?id=home  yes 
> it is work safe :-) ) with ok results.
> Have used sec ( simple event correlator http://simple-evcorr.sourceforge.net/ 
> ) to some success in simple cases.
> 
> Currently having another look at this myself and the following look 
> interesting, but have not deployed them yet
> http://logstash.net/
> http://graylog2.org/about
> 
> Ben
> On 30 Sep 2011, at 14:50, harbor235 wrote:
> 
>> What is everyone using to collect, alert, and analyze syslog data?
>> I am looking for something that can generate reports as well as support
>> multiple vendors. We have done some home grown stuff in the past but
>> would be interested in something that incorporates all the best features.
>> 
>> Solarwinds, splunk, fwanalog, and others come to mind, any other good ones
>> out there?
>> 
>> 
>> Mike
> 
> 
> 
> 
> 



Re: events

2011-10-04 Thread Ben Roeder
Hi Mike,
We have used octopussy ( http://www.8pussy.org/dokuwiki/doku.php?id=home  yes 
it is work safe :-) ) with ok results.
Have used sec ( simple event correlator http://simple-evcorr.sourceforge.net/ ) 
to some success in simple cases.

Currently having another look at this myself and the following look 
interesting, but have not deployed them yet
http://logstash.net/
http://graylog2.org/about

Ben
On 30 Sep 2011, at 14:50, harbor235 wrote:

> What is everyone using to collect, alert, and analyze syslog data?
> I am looking for something that can generate reports as well as support
> multiple vendors. We have done some home grown stuff in the past but
> would be interested in something that incorporates all the best features.
> 
> Solarwinds, splunk, fwanalog, and others come to mind, any other good ones
> out there?
> 
> 
> Mike






Re: events

2011-10-04 Thread Brian Spade
Jeff,

When is 1.10 going to be released?

thx,
/bs

On Fri, Sep 30, 2011 at 11:53 AM, Jeff Gehlbach  wrote:

> On 09/30/2011 09:50 AM, harbor235 wrote:
>
> > Solarwinds, splunk, fwanalog, and others come to mind, any other
> good ones
> > out there?
>
> We've made some great strides in OpenNMS in the area of syslog event
> processing.  The upcoming 1.10 release will be much easier to get
> going, particularly since we now have pluggable message parsers -- you
> no longer need Wireshark and a black belt in regular expressions to
> start receiving events from syslog sources.  We've also made it
> possible to split the syslog rules across multiple files, which makes
> maintaining your own rules much easier compared to the old monolithic
> style.
>
> It's still not going to be Splunk-easy to configure, but it's now
> darned close to Netcool OMNIbus syslogd probe-easy.  Plus you get
> pretty JasperReports reports based on your events like this one (or
> roll your own):
>
> http://opennms.org/~jeffg/event-analysis-sample.pdf
>
> Also flexible event notifications, event de-duplication, and SNMP trap
> handling as well as service-assurance polling, performance data
> collection via SNMP, HTTP, WMI, SQL/JDBC, and other protocols.
>
> Oh yeah, it's 100% free / libre / open source software.  And you can
> get support for it from my employer.
>
> PR hat off,
> - -jeff
>
>