Re: OpenNTPProject.org

2014-01-13 Thread Saku Ytti
On (2014-01-13 21:33 +), Bjoern A. Zeeb wrote:

> BCP38!  I am always surprised when people need crypto if they fail the simple 
> things.

Saying that BCP38 is a solution to the reflection attacks is not unlike a 5-year-old
wishing for nothing but world peace for Christmas: endearing, but it's not
going to change anything.
BCP38 is completely unrealistic: many access networks are on autopilot, many
don't have HW support for BCP38, and one port configured has low benefit, since
only that machine can stop attacking (but whole world).

Near term, reducing the attack surface is practical to reduce impact (not a
solution, just damage control).

Near term, transit providers who do BGP prefix-lists could use the same
prefix-list for ACLs, segmenting spoofing domains. It's a very high pay-off:
a couple of ports configured, and the whole downstream branch is isolated into
its own spoofing domain, able to attack only targets inside the same domain.

Mid term, the transport area in the IETF. DNS, NTP, SNMP, chargen et al. could
trivially change to QUIC/MinimaLT or comparable, getting the same 0-RTT penalty
as UDP without the reflection potential.

-- 
  ++ytti



Google GCE

2014-01-13 Thread Blair Trosper
Can someone from GCE contact me off list?  Your service is a big pile of
503s from multiple locations and from multiple servers.

The console is inoperable and instances are unreachable.

I'm getting sent across the country to a VIP in LAX.  A friend in
California is getting a VIP in Hong Kong.

You're having issues but it doesn't seem to have been detected.


Re: [VoiceOps] (cross post) VoIP heat charts...

2014-01-13 Thread Paul Timmins

On Jan 9, 2014, at 2:38 PM, Jay Ashworth  wrote:

> - Original Message -
>> 
>> 
>> Looking to "heat chart" where fraudulent calls are going.
> 
> So you want to be able to feed "NPANXX Count" to something that will map
> the call counts on a US map.
> 
> You have anything that does NPANXX to H&V, or directly to Lat Lon, already?
> 
> Cause that's the hard part.

Telcodata has this available.

TelcoData - Advanced Membership: Area code, exchange, State, City, County, Zip -
By Ratecenter (Requires Advanced Subscription)



Re: verify currently running software on ram

2014-01-13 Thread Michael Costello
On 1/13/14 5:26 AM, Tassos Chatzithomaoglou wrote:
> I'm looking for ways to verify that the currently running software on
> our Cisco/Juniper boxes is the one that is also in the
> flash/hd/storage/etc. Something that will somehow compare the running
> software in ram with the software on flash/hd/storage/etc, so that i
> can verify that nobody has actually messed with the running software
> (by whatever means that's possible).
> 
> Besides the "install verify" command on IOS-XR (which I'm not 100%
> sure if it suits my needs), I haven't managed to find anything else.
> And the vendors say that indeed there is nothing more. All other
> options are about verifying the software file integrity before it
> gets loaded into ram.
> 
> Have you ever done such an exercise? Are there maybe any external
> tools (or services) that offer this capability?
> 

As Tassos said, there are no solutions from vendors.  There are,
however, some examples by third parties such as

  Defending Embedded Systems with Software Symbiotes
  http://ids.cs.columbia.edu/sites/default/files/paper_2.pdf

and

  Protecting Software Codes By Guards
  http://www.seas.gwu.edu/~simhaweb/security/summer2005/Atallah1.pdf

There are other efforts inside academia as well as companies attempting
to develop dynamic firmware attestation (full disclosure: I work for one
such company).

As Valdis and others have said, it's an insoluble problem with solutions
of varying degrees of efficacy and practicality.

-mc



Windstream engineer?

2014-01-13 Thread Dennis Burgess
Looking for a Windstream engineer who can help with a BGP issue (not
advertising from your network to the net). Hit me offlist; not getting
anywhere with tech :(

 

Dennis Burgess, Mikrotik Certified Trainer, Author of "Learn RouterOS -
Second Edition"

Link Technologies, Inc -- Mikrotik & WISP Support Services

Office: 314-735-0270   Website: http://www.linktechs.net   - Skype: linktechs

-- Create Wireless Coverages with www.towercoverage.com
   - 900MHz - LTE - 3G - 3.65 - TV Whitespace

 



Re: OpenNTPProject.org

2014-01-13 Thread Bjoern A. Zeeb

On 13 Jan 2014, at 21:13 , Derek Andrew  wrote:

> nmap -sU -pU:123 -Pn -n --script=ntp-monlist serverIP

Make that “all server IPs” if on different subnets, address families, ...


> On Mon, Jan 13, 2014 at 3:07 PM, Jared Mauch  wrote:
> 
>> 4) Please prevent packet spoofing where possible on your network.  This
>> will limit the impact of spoofed NTP or DNS (amongst others) packets from
>> impacting the broader community.

BCP38!  I am always surprised when people need crypto if they fail the simple 
things.


>> 5) Some vendors don’t have an easy way to alter the ntp configuration, or
>> have not or won’t be updating NTP, you may need to use ACLs, firewall
>> filters, or other methods to block this traffic.  I’ve heard of many
>> routers being used in attacks impacting the CPU usage.
>> 
>> Take a moment and see if your devices respond to the following
>> query/queries:
>> 
>> ntpdc -n -c monlist 10.0.0.1
>> ntpdc -n -c loopinfo 10.0.0.1
>> ntpdc -n -c iostats 10.0.0.1

And no matter if you use the above nmap or these instructions to check, also 
check your IPv6 addresses!
You need 'restrict -6 default ignore' lines or similar as well, not just a 
restrict default ignore. 


— 
Bjoern A. Zeeb
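The reply above makes the point that a bare `restrict default ignore` is not enough on its own and that the IPv6 side needs its own line. The following is an added example, not code from the thread: a small audit of an ntp.conf that checks the IPv4 and IPv6 default restrict lines separately for `ignore`/`noquery`, and treats `disable monitor` (which empties the MRU list that monlist reports) as sufficient by itself. The four ntp.conf samples are constructed for the demonstration; the host name `ntp.example.net` is a placeholder.

```python
"""Added example, not from the thread: audit an ntp.conf for the settings that
stop ntpd answering mode 7 'monlist' queries, checking IPv4 and IPv6 default
restrict lines separately. Sample configs below are constructed."""

# Either flag on the default restrict line stops remote mode 6/7 queries.
QUERY_BLOCKING_FLAGS = {"ignore", "noquery"}


def parse_ntp_conf(conf_text: str) -> dict:
    """Extract the flag sets of the IPv4 and IPv6 'restrict default' lines and
    whether 'disable monitor' is present. A restrict line without -4/-6 is
    counted as IPv4 only, which is the conservative reading."""
    result = {"v4_default": None, "v6_default": None, "monitor_disabled": False}
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()  # drop comments and blank lines
        if not tokens:
            continue
        if tokens[0] == "disable" and "monitor" in tokens[1:]:
            result["monitor_disabled"] = True
        elif tokens[0] == "restrict":
            args = tokens[1:]
            key = "v4_default"
            if args and args[0] == "-6":
                key = "v6_default"
                args = args[1:]
            elif args and args[0] == "-4":
                args = args[1:]
            if args and args[0] == "default":
                result[key] = set(args[1:])
    return result


def monlist_findings(conf_text: str) -> list:
    """Return human-readable findings; an empty list means the config does not
    answer monlist from either address family."""
    parsed = parse_ntp_conf(conf_text)
    if parsed["monitor_disabled"]:
        return []
    findings = []
    for key, label in (("v4_default", "restrict default"),
                       ("v6_default", "restrict -6 default")):
        flags = parsed[key]
        if flags is None:
            findings.append(f"missing '{label}' line")
        elif not flags & QUERY_BLOCKING_FLAGS:
            findings.append(f"'{label}' lacks ignore/noquery")
    return findings


# --- constructed samples ---------------------------------------------------
WEAK_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server ntp.example.net iburst
restrict default kod nomodify notrap nopeer   # no noquery: monlist answers
restrict 127.0.0.1
"""

V4_ONLY_CONF = """\
server ntp.example.net iburst
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
"""

HARDENED_CONF = """\
server ntp.example.net iburst
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
"""

MONITOR_OFF_CONF = """\
server ntp.example.net iburst
disable monitor
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("v4-only", V4_ONLY_CONF),
                       ("hardened", HARDENED_CONF), ("monitor-off", MONITOR_OFF_CONF)):
        print(name, monlist_findings(conf) or "OK")
```

Run it against the real file with `monlist_findings(open("/etc/ntp.conf").read())`; anything it reports is a line to add or fix, and the wire-level checks in the thread (`ntpdc -n -c monlist`, the nmap script) are the confirmation that the running daemon actually stopped answering.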




Re: OpenNTPProject.org

2014-01-13 Thread Derek Andrew
nmap -sU -pU:123 -Pn -n --script=ntp-monlist serverIP




On Mon, Jan 13, 2014 at 3:07 PM, Jared Mauch  wrote:

> Greetings,
>
> With the recent increase in NTP attacks, I wanted to advise the community
> of a few things:
>
> There are about 1.2-1.5 million of these servers out there.
>
> 1) You can search your IP space to find NTP servers that respond to the
> ‘MONLIST’ queries.
>
> 2) I’ve found some vendors have old embedded versions of NTP including
> ILO/Service Processors and other parts of the “internet of things”.
>
> 3) You want to upgrade NTP, or adjust your ntp.conf to include ‘limited’
> or ‘restrict’ lines or both.  (I defer to someone else to be an expert in
> this area, but am willing to learn :) )
>
> 4) Please prevent packet spoofing where possible on your network.  This
> will limit the impact of spoofed NTP or DNS (amongst others) packets from
> impacting the broader community.
>
> 5) Some vendors don’t have an easy way to alter the ntp configuration, or
> have not or won’t be updating NTP, you may need to use ACLs, firewall
> filters, or other methods to block this traffic.  I’ve heard of many
> routers being used in attacks impacting the CPU usage.
>
> Take a moment and see if your devices respond to the following
> query/queries:
>
> ntpdc -n -c monlist 10.0.0.1
> ntpdc -n -c loopinfo 10.0.0.1
> ntpdc -n -c iostats 10.0.0.1
>
> 6) If you do VMs/Servers and have a template, please make sure that they
> do not respond to NTP requests.
>
> Thanks!
>
> - Jared
>



-- 
Copyright 2014 Derek Andrew (excluding quotations)

+1 306 966 4808
Information and Communications Technology
University of Saskatchewan
Peterson 120; 54 Innovation Boulevard
Saskatoon, Saskatchewan, Canada. S7N 2V3
Timezone GMT-6

Typed but not read.


OpenNTPProject.org

2014-01-13 Thread Jared Mauch
Greetings,

With the recent increase in NTP attacks, I wanted to advise the community of a 
few things:

There are about 1.2-1.5 million of these servers out there.

1) You can search your IP space to find NTP servers that respond to the 
‘MONLIST’ queries.

2) I’ve found some vendors have old embedded versions of NTP including 
ILO/Service Processors and other parts of the “internet of things”.

3) You want to upgrade NTP, or adjust your ntp.conf to include ‘limited’ or 
‘restrict’ lines or both.  (I defer to someone else to be an expert in this 
area, but am willing to learn :) )

4) Please prevent packet spoofing where possible on your network.  This will 
limit the impact of spoofed NTP or DNS (amongst others) packets from impacting 
the broader community.

5) Some vendors don’t have an easy way to alter the ntp configuration, or have 
not or won’t be updating NTP, you may need to use ACLs, firewall filters, or 
other methods to block this traffic.  I’ve heard of many routers being used in 
attacks impacting the CPU usage.

Take a moment and see if your devices respond to the following query/queries:

ntpdc -n -c monlist 10.0.0.1
ntpdc -n -c loopinfo 10.0.0.1
ntpdc -n -c iostats 10.0.0.1

6) If you do VMs/Servers and have a template, please make sure that they do not 
respond to NTP requests.

Thanks!

- Jared
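Jared's step 5 asks operators to check whether devices answer the `monlist` query. The following is an added example, not code from the thread or from the ntp project: a decoder for NTP mode 7 (private) packets that lets a defender tell monlist queries and the oversized monlist replies apart in captured traffic, and size the amplification a responder gives away. The header layout (response/more/version/mode byte, auth/sequence byte, implementation, request code, err/nitems, mbz/itemsize) follows ntpd's `req_pkt` structure; every payload in the block is constructed for the demonstration, not captured.

```python
"""Added example, not from the thread: decode NTP mode 7 packets to spot
monlist queries and replies in captured traffic. Constructed payloads only."""
import struct

IMPL_XNTPD = 3            # implementation number ntpdc talks to
REQ_MON_GETLIST = 20      # original monlist request code
REQ_MON_GETLIST_1 = 42    # request code 'ntpdc -c monlist' uses
MONLIST_CODES = {REQ_MON_GETLIST, REQ_MON_GETLIST_1}
HDR = struct.Struct("!BBBBHH")   # rm_vn_mode, auth_seq, impl, request, err_nitems, mbz_itemsize


def parse_mode7(payload: bytes) -> dict:
    """Decode the 8-byte mode 7 header; return {} for anything else."""
    if len(payload) < HDR.size:
        return {}
    rm_vn_mode, auth_seq, impl, req, err_nitems, mbz_itemsize = HDR.unpack(payload[:HDR.size])
    if rm_vn_mode & 0x07 != 7:
        return {}
    return {
        "response": bool(rm_vn_mode & 0x80),
        "more": bool(rm_vn_mode & 0x40),      # further fragments follow
        "version": (rm_vn_mode >> 3) & 0x07,
        "sequence": auth_seq & 0x7F,
        "implementation": impl,
        "request_code": req,
        "error": err_nitems >> 12,
        "nitems": err_nitems & 0x0FFF,
        "itemsize": mbz_itemsize & 0x0FFF,
        "length": len(payload),
    }


def classify(payload: bytes) -> str:
    """One of 'monlist-query', 'monlist-reply', 'other-mode7', 'not-mode7'."""
    hdr = parse_mode7(payload)
    if not hdr:
        return "not-mode7"
    if hdr["implementation"] == IMPL_XNTPD and hdr["request_code"] in MONLIST_CODES:
        return "monlist-reply" if hdr["response"] else "monlist-query"
    return "other-mode7"


def amplification(query_len: int, reply_payloads: list) -> float:
    """Reply bytes per query byte across all fragments of one monlist answer."""
    return sum(len(p) for p in reply_payloads) / query_len


def build_monlist_reply(nitems: int, more: bool = False, seq: int = 0,
                        itemsize: int = 72) -> bytes:
    """Constructed reply fragment: header plus zero-filled entries of the
    72-byte size a MON_GETLIST_1 reply carries."""
    rm_vn_mode = 0x80 | (0x40 if more else 0) | (2 << 3) | 7
    hdr = HDR.pack(rm_vn_mode, seq, IMPL_XNTPD, REQ_MON_GETLIST_1,
                   nitems & 0x0FFF, itemsize & 0x0FFF)
    return hdr + b"\x00" * (nitems * itemsize)


# Constructed samples: a 48-byte unauthenticated query, an ordinary mode 3
# client packet, and a five-fragment reply carrying 30 entries.
MONLIST_QUERY = HDR.pack(0x17, 0, IMPL_XNTPD, REQ_MON_GETLIST_1, 0, 0) + b"\x00" * 40
CLIENT_PACKET = b"\x1b" + b"\x00" * 47
REPLY_FRAGMENTS = [build_monlist_reply(6, more=True, seq=i) for i in range(4)] \
    + [build_monlist_reply(6, more=False, seq=4)]

if __name__ == "__main__":
    for name, pkt in (("query", MONLIST_QUERY), ("client", CLIENT_PACKET),
                      ("reply", REPLY_FRAGMENTS[0])):
        print(f"{name}: {classify(pkt)}")
    print(f"amplification: {amplification(len(MONLIST_QUERY), REPLY_FRAGMENTS):.1f}x")
```

Fed with UDP/123 payloads from a capture at the network edge, `classify` flags outbound `monlist-reply` packets, which is the signature of a host on your space being used as a reflector, and `amplification` gives the per-host factor so the noisiest responders can be fixed first.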


Amazon help

2014-01-13 Thread Alvaro Pereira
Hi,

Can someone from AWS/Amazon contact me off-list to help us with an issue?

Thank you,

Alvaro Pereira


VistaPrint?

2014-01-13 Thread Mikeal Clark
Anyone have a worthwhile contact?  Have a friend with domain/dns/email
running on my equipment and web service on theirs.  Web server isn't
configured correctly for the domain.


Re: verify currently running software on ram

2014-01-13 Thread Jay Ashworth
- Original Message -
> From: "Valdis Kletnieks" 

> You really need assistance from one layer further down - if you're in
> a VM, you need to ask the hypervisor. If you're on bare metal, you need
> to ask the SMM or equivalent. If you're in the SMM, you need to ask the
> hardware. And of course, at each level, you have to ask yourself how
> you know that *that* level isn't lying to you
> 
> (Yes, this is the corner of system security where, if you're not
> already a paranoid schizophrenic, you will be soon.. :)

If you have not already read the Ken Thompson paper:

  http://cm.bell-labs.com/who/ken/trust.html

And for a bit more on whether it was ever actually implemented, from Ken
himself:

  https://groups.google.com/d/msg/comp.security.unix/ivjYjNSduFc/0Er2cynPKjsJ

Cheers,
-- jra
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA   #natog  +1 727 647 1274



Re: verify currently running software on ram

2014-01-13 Thread Valdis Kletnieks
On Mon, 13 Jan 2014 12:26:02 +0200, Tassos Chatzithomaoglou said:

> I'm looking for ways to verify that the currently running software on our
> Cisco/Juniper boxes is the one that is also in the flash/hd/storage/etc.

In general, asking the operating system if it's pwned is an insoluble
problem, because the pwner will of course arrange that the answer to such
a query be "No, I'm not pwned".

You really need assistance from one layer further down - if you're in a
VM, you need to ask the hypervisor.  If you're on bare metal, you need to
ask the SMM or equivalent.  If you're in the SMM, you need to ask the
hardware.  And of course, at each level, you have to ask yourself how you
know that *that* level isn't lying to you

(Yes, this is the corner of system security where, if you're not already
a paranoid schizophrenic, you will be soon.. :)




Re: verify currently running software on ram

2014-01-13 Thread shawn wilson
Doh, tired and not reading - the util should help after you get a dump
though.
On Jan 13, 2014 7:29 AM, "shawn wilson"  wrote:

> dd kmem and see if it's what you'd expect (size of ram+swap). If so you
> should be able to look at it
>
> Also see Volatility
> On Jan 13, 2014 7:21 AM, "Tassos Chatzithomaoglou" 
> wrote:
>
>> Saku Ytti wrote on 13/1/2014 12:51:
>> > On (2014-01-13 12:46 +0200), Saku Ytti wrote:
>> >> On (2014-01-13 12:26 +0200), Tassos Chatzithomaoglou wrote:
>> >>
>> >>> I'm looking for ways to verify that the currently running software on
>> our Cisco/Juniper boxes is the one that is also in the flash/hd/storage/etc.
>> >> IOS: verify /md5 flash:file
>> >> JunOS: filechecksum md5|sha-256|sha1 file
>> >>
>> >> But if your system is owned, maybe the verification reads filename and
>> outputs
>> >> expected hash instead of correct hash.
>> > mea culpa, you were looking to check running to image, I don't think
>> this is
>> > practical.
>> > In IOS its compressed and decompressed upon boot, so no practical way
>> to map
>> > the two together.
>> > Same is true in JunOS, even without compression it wouldn't be possible
>> to
>> > reasonably map the *.tgz to RAM.
>> >
>> > I think vendors could take page from XBOX360 etc, and embed public keys
>> inside
>> > their NPU in modern lithography then sign images, it would be
>> impractical
>> > attack vector.
>>
>> I was assuming the vendors could take a snapshot of the memory and
>> somehow "compare" it to a snapshot of the original software.
>> Or (i don't know how easy it is) do an auditing of the memory snapshot on
>> specific pointers...well, i don't know...just thinking loudly...
>> > But changing memory runtime is probably going to very complicated to
>> verify,
>> > easier to create infrastructure/HW where program memory cannot be
>> changed
>> > runtime.
>> >
>> I agree, and we already do that, but a regulatory authority has brought
>> into surface something trickier.
>>
>> --
>> Tassos
>>
>>
>>


Re: verify currently running software on ram

2014-01-13 Thread shawn wilson
dd kmem and see if it's what you'd expect (size of ram+swap). If so you
should be able to look at it

Also see Volatility
On Jan 13, 2014 7:21 AM, "Tassos Chatzithomaoglou" 
wrote:

> Saku Ytti wrote on 13/1/2014 12:51:
> > On (2014-01-13 12:46 +0200), Saku Ytti wrote:
> >> On (2014-01-13 12:26 +0200), Tassos Chatzithomaoglou wrote:
> >>
> >>> I'm looking for ways to verify that the currently running software on
> our Cisco/Juniper boxes is the one that is also in the flash/hd/storage/etc.
> >> IOS: verify /md5 flash:file
> >> JunOS: filechecksum md5|sha-256|sha1 file
> >>
> >> But if your system is owned, maybe the verification reads filename and
> outputs
> >> expected hash instead of correct hash.
> > mea culpa, you were looking to check running to image, I don't think
> this is
> > practical.
> > In IOS its compressed and decompressed upon boot, so no practical way to
> map
> > the two together.
> > Same is true in JunOS, even without compression it wouldn't be possible
> to
> > reasonably map the *.tgz to RAM.
> >
> > I think vendors could take page from XBOX360 etc, and embed public keys
> inside
> > their NPU in modern lithography then sign images, it would be impractical
> > attack vector.
>
> I was assuming the vendors could take a snapshot of the memory and somehow
> "compare" it to a snapshot of the original software.
> Or (i don't know how easy it is) do an auditing of the memory snapshot on
> specific pointers...well, i don't know...just thinking loudly...
> > But changing memory runtime is probably going to very complicated to
> verify,
> > easier to create infrastructure/HW where program memory cannot be changed
> > runtime.
> >
> I agree, and we already do that, but a regulatory authority has brought
> into surface something trickier.
>
> --
> Tassos
>
>
>


Re: verify currently running software on ram

2014-01-13 Thread Tassos Chatzithomaoglou
Saku Ytti wrote on 13/1/2014 12:51:
> On (2014-01-13 12:46 +0200), Saku Ytti wrote:
>> On (2014-01-13 12:26 +0200), Tassos Chatzithomaoglou wrote:
>>
>>> I'm looking for ways to verify that the currently running software on our 
>>> Cisco/Juniper boxes is the one that is also in the flash/hd/storage/etc.
>> IOS: verify /md5 flash:file
>> JunOS: filechecksum md5|sha-256|sha1 file
>>
>> But if your system is owned, maybe the verification reads filename and 
>> outputs
>> expected hash instead of correct hash.
> mea culpa, you were looking to check running to image, I don't think this is
> practical.
> In IOS it's compressed and decompressed upon boot, so no practical way to map
> the two together.
> Same is true in JunOS, even without compression it wouldn't be possible to
> reasonably map the *.tgz to RAM.
>
> I think vendors could take a page from XBOX360 etc, and embed public keys inside
> their NPU in modern lithography then sign images, it would be an impractical
> attack vector.

I was assuming the vendors could take a snapshot of the memory and somehow 
"compare" it to a snapshot of the original software.
Or (I don't know how easy it is) do an audit of the memory snapshot on 
specific pointers...well, I don't know...just thinking out loud...
> But changing memory at runtime is probably going to be very complicated to verify,
> easier to create infrastructure/HW where program memory cannot be changed
> at runtime.
>
I agree, and we already do that, but a regulatory authority has brought to the 
surface something trickier.

--
Tassos
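Tassos imagines comparing a memory snapshot against the original software, and Saku's reply explains why that mapping is not practical on IOS or JunOS (the image is compressed or repackaged before it lands in RAM). The following is an added example, not code from the thread or from any vendor, showing the comparison such a check would have to do in the simplest case it can work at all: it assumes a code image loaded uncompressed and unrelocated, locates it in a dump (obtained, for instance, the way Shawn's reply suggests) by a short anchor, then reports the byte ranges that differ. The image and the two dumps are constructed inline; the load offset, the tampered bytes and the `build_sample` helper are all part of the demonstration.

```python
"""Added example, not from the thread: find a known-good code image inside a
memory dump and report modified byte ranges. Assumes the image is loaded
uncompressed and unrelocated, which real router images are not; the thread's
point is exactly that this mapping is unavailable there. All data constructed."""
import hashlib

ANCHOR_LEN = 16   # leading bytes of the image used to find candidate load offsets


def find_load_offsets(dump: bytes, image: bytes) -> list:
    """Every offset in `dump` where the image's first ANCHOR_LEN bytes appear.
    The anchor is only a cheap filter; compare_running_image() verifies each."""
    anchor = image[:ANCHOR_LEN]
    offsets, start = [], 0
    while True:
        idx = dump.find(anchor, start)
        if idx < 0:
            return offsets
        offsets.append(idx)
        start = idx + 1


def diff_ranges(a: bytes, b: bytes) -> list:
    """Half-open [(start, end)] ranges where a and b differ byte for byte."""
    ranges, run_start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and run_start is None:
            run_start = i
        elif x == y and run_start is not None:
            ranges.append((run_start, i))
            run_start = None
    if run_start is not None:
        ranges.append((run_start, min(len(a), len(b))))
    return ranges


def compare_running_image(dump: bytes, image: bytes) -> dict:
    """Pick the candidate load offset with the fewest differing bytes and say
    whether the in-memory copy matches the known-good image."""
    best = None
    for off in find_load_offsets(dump, image):
        window = dump[off:off + len(image)]
        if len(window) < len(image):      # anchor hit too close to the end
            continue
        ranges = diff_ranges(window, image)
        changed = sum(end - start for start, end in ranges)
        if best is None or changed < best["changed_bytes"]:
            best = {"offset": off, "changed_bytes": changed, "ranges": ranges,
                    "window_sha256": hashlib.sha256(window).hexdigest()}
    if best is None:
        return {"found": False}
    best["found"] = True
    best["matches"] = best["changed_bytes"] == 0
    best["image_sha256"] = hashlib.sha256(image).hexdigest()
    return best


def build_sample() -> dict:
    """Constructed data: a 1024-byte 'image', a clean dump with it loaded at
    offset 300, and a dump with four bytes flipped (image offsets 500-502, 700)."""
    image = bytes(range(256)) * 4
    clean = b"\x00" * 300 + image + b"\xff" * 100
    tampered = bytearray(clean)
    for i in (800, 801, 802, 1000):
        tampered[i] ^= 0xFF
    return {"image": image, "clean_dump": clean, "tampered_dump": bytes(tampered)}


if __name__ == "__main__":
    sample = build_sample()
    for name in ("clean_dump", "tampered_dump"):
        report = compare_running_image(sample[name], sample["image"])
        print(name, "matches" if report["matches"] else f"modified at {report['ranges']}")
```

The reported ranges are what a reviewer would then map back to symbols in the image. Note what the example does not solve: if the device itself produces the dump, the same objection Saku raised about `verify /md5` applies, since a compromised system can hand back a dump of the image it was supposed to be running rather than the one it is.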




Re: verify currently running software on ram

2014-01-13 Thread Tassos Chatzithomaoglou
That verifies the software that is stored somewhere, not the currently running 
one.

Someone "insider" could load a "hacked" software into flash, boot the router 
with that file (supposing that he has found a way to do so) and then replace 
the file on the flash with the real one.
How can you verify that the running software is actually the original one?

--
Tassos

Saku Ytti wrote on 13/1/2014 12:46:
> On (2014-01-13 12:26 +0200), Tassos Chatzithomaoglou wrote:
>
>> I'm looking for ways to verify that the currently running software on our 
>> Cisco/Juniper boxes is the one that is also in the flash/hd/storage/etc.
> IOS: verify /md5 flash:file
> JunOS: filechecksum md5|sha-256|sha1 file
>
> But if your system is owned, maybe the verification reads filename and outputs
> expected hash instead of correct hash.
>




Re: verify currently running software on ram

2014-01-13 Thread Saku Ytti
On (2014-01-13 12:46 +0200), Saku Ytti wrote:
> On (2014-01-13 12:26 +0200), Tassos Chatzithomaoglou wrote:
> 
> > I'm looking for ways to verify that the currently running software on our 
> > Cisco/Juniper boxes is the one that is also in the flash/hd/storage/etc.
> 
> IOS: verify /md5 flash:file
> JunOS: filechecksum md5|sha-256|sha1 file
> 
> But if your system is owned, maybe the verification reads filename and outputs
> expected hash instead of correct hash.

mea culpa, you were looking to check running to image, I don't think this is
practical.
In IOS it's compressed and decompressed upon boot, so no practical way to map
the two together.
Same is true in JunOS, even without compression it wouldn't be possible to
reasonably map the *.tgz to RAM.

I think vendors could take a page from XBOX360 etc, and embed public keys inside
their NPU in modern lithography then sign images, it would be an impractical
attack vector.
But changing memory at runtime is probably going to be very complicated to verify,
easier to create infrastructure/HW where program memory cannot be changed
at runtime.

-- 
  ++ytti



Re: verify currently running software on ram

2014-01-13 Thread Saku Ytti
On (2014-01-13 12:26 +0200), Tassos Chatzithomaoglou wrote:

> I'm looking for ways to verify that the currently running software on our 
> Cisco/Juniper boxes is the one that is also in the flash/hd/storage/etc.

IOS: verify /md5 flash:file
JunOS: filechecksum md5|sha-256|sha1 file

But if your system is owned, maybe the verification reads filename and outputs
expected hash instead of correct hash.

-- 
  ++ytti



verify currently running software on ram

2014-01-13 Thread Tassos Chatzithomaoglou
I'm looking for ways to verify that the currently running software on our 
Cisco/Juniper boxes is the one that is also in the flash/hd/storage/etc.
Something that will somehow compare the running software in RAM with the 
software on flash/hd/storage/etc, so that I can verify that nobody has actually 
messed with the running software (by whatever means that's possible).

Besides the "install verify" command on IOS-XR (which I'm not 100% sure if it 
suits my needs), I haven't managed to find anything else. And the vendors say 
that indeed there is nothing more.
All other options are about verifying the software file integrity before it 
gets loaded into RAM.

Have you ever done such an exercise? Are there maybe any external tools (or 
services) that offer this capability?

-- 
Tassos