JunOS NTP - Re: OpenNTPProject.org
So, be careful as the Juniper solution varies depending on the platform involved. Make sure you check your devices. It took a few iterations for us to get the right filters on everything.

- Jared

On Feb 17, 2014, at 12:26 AM, Yucong Sun sunyuc...@gmail.com wrote:

Just for the reference, here is a more complete solution for Junos (took me a while searching the web to figure it out), hope it helps someone.

    policy-options {
        prefix-list lo0.0-inet-address {
            apply-path "interfaces lo0 unit 0 family inet address <*>";
        }
        prefix-list ntp-servers {
            apply-path "system ntp server <*>";
        }
    }
    firewall {
        family inet {
            filter lo-filter {
                term ntp-allow {
                    from {
                        source-prefix-list {
                            ntp-servers;
                            lo0.0-inet-address;
                        }
                        protocol udp;
                        destination-port ntp;
                    }
                    then accept;
                }
                term ntp-other-discard {
                    from {
                        protocol udp;
                        destination-port ntp;
                    }
                    then {
                        discard;
                    }
                }
                term zz-accept {
                    then accept;
                }
            }
        }
    }

On Sun, Feb 16, 2014 at 8:42 PM, Mark Tinka mark.ti...@seacom.mu wrote:

On Monday, February 17, 2014 06:35:46 AM Lyndon Nerenberg wrote:

I was suggesting it as an alternative to just chopping off NTP at your border. Presumably it would be a one-off thing until Juniper issues a patch.

In Junos, applying the right filters to your router's control plane will fix the issue. You don't need to block NTP in the data plane.

Mark.
Re: Work Practices of Cyber Security Professionals
On Mon, 17 Feb 2014 15:27:25 +, Muhammad Adnan said:

I am a university researcher who is investigating the development of new, usable tools that will improve the work practices of cyber security professionals. As a first step to achieve this goal, I am undertaking a survey to gain an in-depth understanding of the day-to-day activities of cyber security professionals. The targeted participants for this survey are those who perform security related activities as a part of their job (e.g. security analysts, network administrators, penetration testers).

Several comments:

1) If you're including network admins, you should also make sure to get system admins (though you'll be more successful asking elsewhere for those).

2) Having worn at least a partial hat of all those along my career, I'm curious what sort of tools will improve work practices for all the groups concerned. Probably the only place you'll find much overlap is in record keeping - but even there the record keeping that a sysadmin needs to do for changelogging their boxes is fairly different from what security analysts working an incident and pen testers engaged in a test will need. There's also the problem that many sites have their change logging integrated into their version control system or other workflow software already...

Good luck!
RE: OpenNTPProject.org
For knowledge on the list. We found that our Cisco Nexus 7000s had NTP enabled on our public facing VDCs, even when the command feature ntp was not present. I had to explicitly enter no feature ntp to prevent the NTP server service from existing on our public facing 7K interfaces.

Thanks,
Mike

-Original Message-
From: Blake Dunlap [mailto:iki...@gmail.com]
Sent: Monday, February 17, 2014 11:03 AM
To: nanog@nanog.org
Subject: Re: OpenNTPProject.org

If you're trying to actually run a ntp server setup as opposed to just trusting the world, I strongly suggest reading the documentation for the service, as most people don't deploy it correctly while they think they have. At minimum, you want a cluster of 3 - 4 servers internally, configured as peers of each other, and listening to some source of time, preferably multiple like a few on the internet from the big public pool, and if you really care about time, set up a GPS receiver or two. You can definitely go farther than the above, but that's the start to doing it right. Anything short of the above is just trusting the world at large, and you'll likely happily follow along with any time skew like that thing a few months/year ago with either tick or tock. Without the above, you don't have enough sane sources to discredit bad advisers (you need 3 for a time lock).

-Blake

On Mon, Feb 17, 2014 at 9:38 AM, Anthony Williams alby.willi...@verizon.com wrote:

Blake: Just to make sure I've got this down, listing a device as a peer in the ntp.conf file will create a situation where both devices are saying, I know what time it is and splitting the difference? Whereas when you list a device as a server, it's using that as the authority on the correct time?

Example:
--
    #
    peer 192.168.1.1 iburst
    peer 192.168.1.2 iburst
    #
    server ntp.colby.edu minpoll 6 maxpoll 10 iburst
    server bonehed.lcs.mit.edu minpoll 6 maxpoll 10 iburst

On 2/17/2014 10:28 AM, Blake Dunlap wrote:

Peer means it considers the other side an equal and they will mutually skew time together. If you have peer on for devices you don't consider your time servers, you're opening yourself up to problems.

-Blake
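The "you need 3 for a time lock" remark above is the core of NTP's clock selection: each source yields an interval in which the true time should lie, and the selection step keeps the largest set of mutually overlapping intervals (Marzullo's algorithm) and treats the rest as falsetickers. The following is an added illustration written for this digest, not code from the thread or from the ntpd project; the source names, offsets and error bounds are constructed sample values, and the "locked only on a strict majority" rule is a simplification of what ntpd actually does.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Source:
    """One time source as the local clock sees it (constructed sample data)."""
    name: str
    offset: float  # measured offset of our clock from this source, seconds
    error: float   # half-width of the interval we are willing to trust, seconds

    @property
    def low(self) -> float:
        return self.offset - self.error

    @property
    def high(self) -> float:
        return self.offset + self.error


def intersection(sources):
    """Marzullo-style interval intersection, the idea behind NTP's selection
    step: find the sub-interval that lies inside the largest number of
    sources' [low, high] intervals. Returns (low, high, agreeing_sources)."""
    # Each interval contributes an opening (-1) and a closing (+1) endpoint.
    # Sorting on (position, kind) puts an opening before a closing at the
    # same position, so intervals that merely touch still count as overlapping.
    endpoints = []
    for s in sources:
        endpoints.append((s.low, -1))
        endpoints.append((s.high, +1))
    endpoints.sort()
    best, best_low, best_high, depth = 0, None, None, 0
    for i, (pos, kind) in enumerate(endpoints):
        if kind == -1:
            depth += 1
            if depth > best:
                # A new maximum overlap starts here and lasts until the next
                # endpoint of any kind (every opening has a later closing,
                # so endpoints[i + 1] always exists).
                best, best_low, best_high = depth, pos, endpoints[i + 1][0]
        else:
            depth -= 1
    agreeing = [s for s in sources if s.low <= best_low and s.high >= best_high]
    return best_low, best_high, agreeing


def select_sources(sources):
    """Classify sources as truechimers (inside the majority intersection) or
    falsetickers, and report whether a lock is justified: only when the
    truechimers outnumber the falsetickers does the data say which side is
    wrong. With two disagreeing sources the count is 1 against 1, no lock."""
    low, high, truechimers = intersection(sources)
    true_names = {s.name for s in truechimers}
    false_names = {s.name for s in sources} - true_names
    return {
        "locked": len(true_names) > len(false_names),
        "truechimers": sorted(true_names),
        "falsetickers": sorted(false_names),
        "offset": (low + high) / 2,
    }


# Constructed sample: two sources agree to within a few ms, one is 35 s off.
THREE_SOURCES = [
    Source("ntp-a", offset=0.002, error=0.010),
    Source("ntp-b", offset=-0.001, error=0.010),
    Source("ntp-c", offset=35.0, error=0.010),
]
# The same scenario with only two sources: one of them is wrong, but nothing
# in the data says which one.
TWO_SOURCES = [THREE_SOURCES[0], THREE_SOURCES[2]]

if __name__ == "__main__":
    print(select_sources(THREE_SOURCES))
    print(select_sources(TWO_SOURCES))
```

With three sources the 35-second outlier is identified and discarded; with two, the intersection simply picks whichever interval it meets first, and the lock flag stays false because one truechimer does not outnumber one falseticker. That is the arithmetic behind the advice to run several internal peers against several independent upstream sources.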
Telia contact
Hi, If there are any Telia engineers lurking about could you please contact me off-list regarding a routing question? Thanks! --J
Re: JunOS NTP - Re: OpenNTPProject.org
On Tue, 18 Feb 2014 09:14:59 -0500 Jared Mauch ja...@puck.nether.net wrote:

    prefix-list ntp-servers {
        apply-path "system ntp server <*>";

Some people also have a 'boot-server [server]' statement. In the off chance that address is different than those listed in the server statements, you may need to account for it as well. If you can, just make sure it is also listed as one of the configured servers.

John
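John's point is easy to miss during a rollout: the apply-path expands only `system ntp server` entries, so a boot-server that is not also a configured server sends replies the lo0 filter will discard. The script below is an added example for this digest (not from the thread, Juniper, or any real configuration) that reads Junos curly-brace configuration text, expands the `ntp-servers` prefix-list the way the apply-path would, and reports every NTP source the routing engine expects to hear from that the prefix-list does not cover. The configuration text is constructed with RFC 5737 documentation addresses; the parser handles only the apply-path expression shown in the thread plus literal prefixes, and assumes the ntp stanza has no nested braces.

```python
import ipaddress
import re

# Constructed sample Junos configuration for this example. The prefix-list
# and apply-path stanzas follow the shape posted in the thread; the
# boot-server address (192.0.2.10) is deliberately absent from the server
# list so the audit has something to flag. Addresses are RFC 5737 test space.
SAMPLE_CONFIG = """
system {
    ntp {
        boot-server 192.0.2.10;
        server 192.0.2.20;
        server 198.51.100.5 prefer;
    }
}
policy-options {
    prefix-list lo0.0-inet-address {
        apply-path "interfaces lo0 unit 0 family inet address <*>";
    }
    prefix-list ntp-servers {
        apply-path "system ntp server <*>";
    }
}
"""

# Same configuration with the boot-server also listed as a server, which is
# the fix John suggests.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "boot-server 192.0.2.10;", "boot-server 192.0.2.10;\n        server 192.0.2.10;"
)


def _ntp_stanza(config: str) -> str:
    """Body of `system { ntp { ... } }`. Assumes the ntp stanza contains no
    nested braces, which holds for server/boot-server/source-address lines."""
    m = re.search(r"\bntp\s*\{(.*?)\}", config, re.S)
    return m.group(1) if m else ""


def ntp_servers(config: str) -> set:
    """Addresses from `server <addr> ...;` lines. Junos takes IP addresses
    here rather than hostnames, so no DNS resolution is needed."""
    return set(re.findall(r"^\s*server\s+([^\s;]+)", _ntp_stanza(config), re.M))


def ntp_boot_server(config: str):
    m = re.search(r"^\s*boot-server\s+([^\s;]+)", _ntp_stanza(config), re.M)
    return m.group(1) if m else None


def prefix_list_networks(config: str, name: str) -> set:
    """Resolve a prefix-list to concrete networks. Literal `a.b.c.d/len;`
    entries are taken as written; the apply-path "system ntp server <*>"
    expression is expanded from the ntp stanza. Any other apply-path
    expression is outside this example and contributes nothing."""
    m = re.search(r"prefix-list\s+" + re.escape(name) + r"\s*\{(.*?)\}", config, re.S)
    if not m:
        return set()
    body = m.group(1)
    nets = set()
    for entry in re.findall(r"^\s*([0-9a-fA-F][0-9a-fA-F.:/]*)\s*;", body, re.M):
        nets.add(ipaddress.ip_network(entry, strict=False))
    if re.search(r'apply-path\s+"system ntp server <\*>"', body):
        for addr in ntp_servers(config):
            nets.add(ipaddress.ip_network(addr))
    return nets


def audit_ntp_filter(config: str, prefix_list: str = "ntp-servers") -> list:
    """Return the NTP sources the routing engine will hear from (configured
    servers plus the boot-server) that no entry in `prefix_list` covers. A
    lo0 filter built like the one in the thread would discard replies from
    every address returned here."""
    allowed = prefix_list_networks(config, prefix_list)
    sources = ntp_servers(config)
    boot = ntp_boot_server(config)
    if boot:
        sources.add(boot)
    return [
        src
        for src in sorted(sources, key=lambda s: ipaddress.ip_address(s).packed)
        if not any(ipaddress.ip_address(src) in net for net in allowed)
    ]


if __name__ == "__main__":
    print("uncovered (sample):", audit_ntp_filter(SAMPLE_CONFIG))  # ['192.0.2.10']
    print("uncovered (fixed): ", audit_ntp_filter(FIXED_CONFIG))   # []
```

Running it against a `show configuration | display set`-style export would need a different parser; the point is the check itself, which belongs in whatever pre-commit review you run on control-plane filters.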
Re: JunOS NTP - Re: OpenNTPProject.org
On Tuesday, February 18, 2014 04:14:59 PM Jared Mauch wrote:

So, be careful as the Juniper solution varies depending on the platform involved. Make sure you check your devices. It took a few iterations for us to get the right filters on everything.

Indeed. In particular, different hardware and software combinations for the EX line have different match conditions for ports compared to the routers.

Mark.
Everyone should be deploying BCP 38! Wait, they are ….
Here's a piece which uses the MIT ANA data to assert that the job is mostly done already. Unless I'm very much mistaken, it appears that a large percentage of the failed BCP 38 spoofing tests listed in that data are actually due to customer side NAT routers dropping packets... which is of course egress filtering rather than ingress filtering, and thus doesn't actually apply to our questions. Am I interpreting that correctly? http://www.senki.org/everyone-should-be-deploying-bcp-38-wait-they-are/ (Oh, and bcp38.info is now the number 2 Ghit for bcp38; thanks to 5 new contributors for signing up to help so far this week.) Cheers, - jra -- Sent from my Android phone with K-9 Mail. Please excuse my brevity.
looking for feedback on virtual/dedicated server providers in latin/south america/UK
Hi, Just wondering if anyone could share some experiences with server providers specifically in Argentina, Colombia and Costa Rica, and pretty much anywhere in the UK region. Please respond offlist. Any feedback would be greatly appreciated. :) Carlos.
Re: Everyone should be deploying BCP 38! Wait, they are ....
That article is terrible. Looking at the stats provided, only 2582 unique AS's were tested. http://www.cidr-report.org/as2.0/#General_Status has over 46k AS's currently in the routing table. This means they have tested around 5% of the AS's on the Internet. Dave On 18 February 2014 17:20, Jay Ashworth j...@baylink.com wrote: Here's a piece which uses the MIT ANA data to assert that the job is mostly done already. Unless I'm very much mistaken, it appears that a large percentage of the failed BCP 38 spoofing tests listed in that data are actually due to customer side NAT routers dropping packets... which is of course egress filtering rather than ingress filtering, and thus doesn't actually apply to our questions. Am I interpreting that correctly? http://www.senki.org/everyone-should-be-deploying-bcp-38-wait-they-are/ (Oh, and bcp38.info is now the number 2 Ghit for bcp38; thanks to 5 new contributors for signing up to help so far this week.) Cheers, - jra -- Sent from my Android phone with K-9 Mail. Please excuse my brevity.
Re: Everyone should be deploying BCP 38! Wait, they are ....
Barry is a well respected security researcher. I'm surprised he posted this. In his defense, he did it over a year ago (June 11, 2012). Maybe we should ask him about it. I'll do that now -- TTFN, patrick On Feb 18, 2014, at 13:31 , Dave Bell m...@geordish.org wrote: That article is terrible. Looking at the stats provided, only 2582 unique AS's were tested. http://www.cidr-report.org/as2.0/#General_Status has over 46k AS's currently in the routing table. This means they have tested around 5% of the AS's on the Internet. Dave On 18 February 2014 17:20, Jay Ashworth j...@baylink.com wrote: Here's a piece which uses the MIT ANA data to assert that the job is mostly done already. Unless I'm very much mistaken, it appears that a large percentage of the failed BCP 38 spoofing tests listed in that data are actually due to customer side NAT routers dropping packets... which is of course egress filtering rather than ingress filtering, and thus doesn't actually apply to our questions. Am I interpreting that correctly? http://www.senki.org/everyone-should-be-deploying-bcp-38-wait-they-are/ (Oh, and bcp38.info is now the number 2 Ghit for bcp38; thanks to 5 new contributors for signing up to help so far this week.) Cheers, - jra -- Sent from my Android phone with K-9 Mail. Please excuse my brevity.
Re: looking for feedback on virtual/dedicated server providers in latin/south america/UK
I have to recommend Linode in the UK, from my experience they have their act together and their prices are reasonable. Sam Moats Circle Net On 2014-02-18 12:50, Carlos Kamtha wrote: Hi, Just wondering if anyone could share some experiences with server providers specifically in Argentina, Colombia and Costa Rica, and pretty much anywhere in the UK region. Please respond offlist. Any feedback would be greatly appreciated. :) Carlos.
Re: Everyone should be deploying BCP 38! Wait, they are ….
On 2/18/2014 11:20 AM, Jay Ashworth wrote: Here's a piece which uses the MIT ANA data to assert that the job is mostly done already. Unless I'm very much mistaken, it appears that a large percentage of the failed BCP 38 spoofing tests listed in that data are actually due to customer side NAT routers dropping packets... which is of course egress filtering rather than ingress filtering, and thus doesn't actually apply to our questions. Am I interpreting that correctly? The date seems a little past buy by in light of the very recent observations and comments here. http://www.senki.org/everyone-should-be-deploying-bcp-38-wait-they-are/ -- Requiescas in pace o email Two identifying characteristics of System Administrators: Ex turpi causa non oritur actio Infallibility, and the ability to learn from their mistakes. (Adapted from Stephen Pinker)
Re: Everyone should be deploying BCP 38! Wait, they are ....
Is using data from a self-selected group even meaningful when extrapolated? It's been a while since Stats in college, and it's very likely the guys from MIT know more than I do, but one of the big things they pushed was random sampling. JM On Tue, Feb 18, 2014 at 2:11 PM, Larry Sheldon larryshel...@cox.net wrote: On 2/18/2014 11:20 AM, Jay Ashworth wrote: Here's a piece which uses the MIT ANA data to assert that the job is mostly done already. Unless I'm very much mistaken, it appears that a large percentage of the failed BCP 38 spoofing tests listed in that data are actually due to customer side NAT routers dropping packets... which is of course egress filtering rather than ingress filtering, and thus doesn't actually apply to our questions. Am I interpreting that correctly? The date seems a little past buy by in light of the very recent observations and comments here. http://www.senki.org/everyone-should-be-deploying-bcp-38-wait-they-are/ -- Requiescas in pace o email Two identifying characteristics of System Administrators: Ex turpi causa non oritur actio Infallibility, and the ability to learn from their mistakes. (Adapted from Stephen Pinker)
Re: Everyone should be deploying BCP 38! Wait, they are ....
On Feb 18, 2014, at 1:40 PM, Patrick W. Gilmore patr...@ianai.net wrote: Barry is a well respected security researcher. I'm surprised he posted this. In his defense, he did it over a year ago (June 11, 2012). Maybe we should ask him about it. I'll do that now I'm not surprised in any regard. There are too many names for BCP-38, SAV, SSAC-004, BCP-84, Ingress Filtering, etc.. There are many networks that perform this best practice either by default through NAT/firewalls or by explicit configuration of the devices. There are many networks that one will never be able to measure nor audit as well, but that doesn't mean we shouldn't continue to work on tracking back spoofed packets and reporting the attacks, and securing devices. - Jared
Changing the way we talk about BCP38 [Was: Re: Everyone should be deploying BCP 38! Wait, they are ....]
Below:

On 2/18/2014 11:22 AM, Jared Mauch wrote:

On Feb 18, 2014, at 1:40 PM, Patrick W. Gilmore patr...@ianai.net wrote:

Barry is a well respected security researcher. I'm surprised he posted this. In his defense, he did it over a year ago (June 11, 2012). Maybe we should ask him about it. I'll do that now

I'm not surprised in any regard. There are too many names for BCP-38, SAV, SSAC-004, BCP-84, Ingress Filtering, etc..

This is why I am now using the phrase anti-spoofing when talking about this in public. It's far less cryptic, and I am breaking it into bite-sized components that people can actually understand. As engineers and technical people, we need to start using language people can wrap their brains around easily. Remember: We are living in the age of instant gratification and Attention Deficit Disorder. :-)

- ferg

There are many networks that perform this best practice either by default through NAT/firewalls or by explicit configuration of the devices. There are many networks that one will never be able to measure nor audit as well, but that doesn't mean we shouldn't continue to work on tracking back spoofed packets and reporting the attacks, and securing devices.

- Jared

--
Paul Ferguson
VP Threat Intelligence, IID
PGP Public Key ID: 0x54DC85B2
HP to Cisco fiber
I've talked to HP and Cisco and neither side will commit to any kind of answer to this question, so I thought I'd ask it here: Does anyone know if a Cisco switch equipped with a 1000BASE-BX10-D SFP will connect to an HP switch equipped with a HP X122 1G SFP LC BX-U Transceiver J9143B SFP, assuming they are already talking over dual fiber links and both units support the single fiber sfp's? (they do). All the specs look like they should but Cisco and HP are doing the old 'will neither confirm nor deny interoperability'. Off list reply is fine, I'd like someone with a definite 'yes I did it and it works fine' or 'no I tried it and it did not', not 'it should' because that's where I'm at for the moment. - Eric Esslinger Information Services Manager - Fayetteville Public Utilities http://www.fpunet.com/ (931)433-1522 ext 165 This message may contain confidential and/or proprietary information and is intended for the person/entity to whom it was originally addressed. Any use by others is strictly prohibited.
Re: Everyone should be deploying BCP 38! Wait, they are ....
- Original Message - From: Dave Bell m...@geordish.org That article is terrible. Looking at the stats provided, only 2582 unique AS's were tested. http://www.cidr-report.org/as2.0/#General_Status has over 46k AS's currently in the routing table. This means they have tested around 5% of the AS's on the Internet. Well, it did strike me, when someone cited the same data last week, that it seemed an awful lot of stew to make from that few oysters. I suppose it does depend on what percentage of end nodes are subsumed by those AS's, but there's no authoritative way to know that from on top. Cheers, -- jra -- Jay R. Ashworth Baylink j...@baylink.com Designer The Things I Think RFC 2100 Ashworth Associates http://www.bcp38.info 2000 Land Rover DII St Petersburg FL USA BCP38: Ask For It By Name! +1 727 647 1274
BCP38 filtering on Mobile IP networks
I note that the MIT ANA tester is only for desktop OSs, and none of the network tools I've collected for Android have BCP38 filter testing built in. Does anyone know if there are such tools for Android and for iOS? I assume that tether testing from a PC would be useless, as the NAT implementation would drop the packets -- does anyone know if there are any leaky NAT implementations that *won't* drop packets with bogus source addresses? Or, alternatively, does anyone know *authoritatively* that any cell carrier's mobile IP network already implements BCP38? And if so, why aren't they bragging about it; at least here? :-) I have added the Small Business page to BCP38.info. Cheers, -- jra -- Jay R. Ashworth Baylink j...@baylink.com Designer The Things I Think RFC 2100 Ashworth Associates http://www.bcp38.info 2000 Land Rover DII St Petersburg FL USA BCP38: Ask For It By Name! +1 727 647 1274
Re: HP to Cisco fiber
On Feb 18, 2014, at 2:44 PM, Eric J Esslinger eesslin...@fpu-tn.com wrote:

I've talked to HP and Cisco and neither side will commit to any kind of answer to this question, so I thought I'd ask it here: Does anyone know if a Cisco switch equipped with a 1000BASE-BX10-D SFP will connect to an HP switch equipped with a HP X122 1G SFP LC BX-U Transceiver J9143B SFP, assuming they are already talking over dual fiber links and both units support the single fiber sfp's? (they do). All the specs look like they should but Cisco and HP are doing the old 'will neither confirm nor deny interoperability'. Off list reply is fine, I'd like someone with a definite 'yes I did it and it works fine' or 'no I tried it and it did not', not 'it should' because that's where I'm at for the moment.

Sounds like it should based on your description. You should make sure other media settings match, such as speed, etc.. While this may seem illogical on a 1G SFP, some devices have varying expectations of that, so sometimes speed nonegotiate is necessary. If you are going from HP-HP to Cisco-HP, you may need to disable their transceiver eeprom check on the Cisco side.

- Jared
Re: Everyone should be deploying BCP 38! Wait, they are ....
On 2/18/2014 2:19 PM, James Milko wrote:

Is using data from a self-selected group even meaningful when extrapolated? It's been a while since Stats in college, and it's very likely the guys from MIT know more than I do, but one of the big things they pushed was random sampling. JM

Isn't it probable that people who know enough to download the Spoofer project's program and run it might also be in position to fix things when it's broken, or they may just be testing their own networks which they've already secured, just to verify they got it right. I may put it on my laptop and start testing random places like Starbucks, my mom's house, conventions and other things, but if I'm running it from my home machine it's just to get the gold 'I did this' star. So yeah, data from the project is probably meaningless unless someone uses it as a worm payload and checks 50,000 computers randomly (of course I don't advise this. I just wish there was a way to really push this to be run by everyone in the world for a week) Maybe with enough hype we could get CNN to advise people to download it. Actually, it would be nice if someone who writes security software like NOD32 or Malwarebytes, or spybot, adaware, etc, would integrate it into their test suite. Then you get the thousands of users from them added to the results.
Re: Everyone should be deploying BCP 38! Wait, they are ....
I agree that Barry's post can be read in misleading ways and I seem to recall chatting about that with him at some point. As to one poster's comment about random sampling, I'm pretty sure the Spoofer project likely fell short in a number of ways (e.g. being documented in not every language). So, if NATs prevent (many? most?) end-user machines from being able to inject spoofed IPv4 source addresses (IPv6 home gateways may well not provide such protection), maybe we should conclude that most of the spoofing is coming from somewhere else; perhaps including colo and cloud providers. I wonder how many users/admins of those kinds of machines ran the Spoofer test SW.

Tony

On Tue, Feb 18, 2014 at 2:22 PM, Jared Mauch ja...@puck.nether.net wrote:

On Feb 18, 2014, at 1:40 PM, Patrick W. Gilmore patr...@ianai.net wrote:

Barry is a well respected security researcher. I'm surprised he posted this. In his defense, he did it over a year ago (June 11, 2012). Maybe we should ask him about it. I'll do that now

I'm not surprised in any regard. There are too many names for BCP-38, SAV, SSAC-004, BCP-84, Ingress Filtering, etc.. There are many networks that perform this best practice either by default through NAT/firewalls or by explicit configuration of the devices. There are many networks that one will never be able to measure nor audit as well, but that doesn't mean we shouldn't continue to work on tracking back spoofed packets and reporting the attacks, and securing devices.

- Jared
Re: Everyone should be deploying BCP 38! Wait, they are ....
Spybot, adaware, and MalWare bytes. I hadn't even thought of them; I was all fixated on Ookla... and why it wouldn't work. I will query those folks.

Cheers,
- jra

On February 18, 2014 3:56:19 PM EST, Robert Drake rdr...@direcpath.com wrote:

On 2/18/2014 2:19 PM, James Milko wrote:

Is using data from a self-selected group even meaningful when extrapolated? It's been a while since Stats in college, and it's very likely the guys from MIT know more than I do, but one of the big things they pushed was random sampling. JM

Isn't it probable that people who know enough to download the Spoofer project's program and run it might also be in position to fix things when it's broken, or they may just be testing their own networks which they've already secured, just to verify they got it right. I may put it on my laptop and start testing random places like Starbucks, my mom's house, conventions and other things, but if I'm running it from my home machine it's just to get the gold 'I did this' star. So yeah, data from the project is probably meaningless unless someone uses it as a worm payload and checks 50,000 computers randomly (of course I don't advise this. I just wish there was a way to really push this to be run by everyone in the world for a week) Maybe with enough hype we could get CNN to advise people to download it. Actually, it would be nice if someone who writes security software like NOD32 or Malwarebytes, or spybot, adaware, etc, would integrate it into their test suite. Then you get the thousands of users from them added to the results.

--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
Re: Changing the way we talk about BCP38 [Was: Re: Everyone should be deploying BCP 38! Wait, they are ....]
On Feb 19, 2014, at 2:43 AM, Paul Ferguson fergdawgs...@mykolab.com wrote: This is why I am now using the phrase anti-spoofing when talking about this in public. +1 It's also more semantically correct, in many cases. --- Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com Luck is the residue of opportunity and design. -- John Milton
Fibre/Layer2 In San Jose
Hi I am wondering if anyone knows anyone with Fibre or L2 service between Equinix SV1 (11 Great Oaks) and CoreSite (55 S Market). It seems we need it sooner rather than later. Thanks. -- Geraint Jones Director of Systems Infrastructure Koding https://koding.com gera...@koding.com Phone (415) 653-0083
Re: Everyone should be deploying BCP 38! Wait, they are ....
On Feb 19, 2014, at 4:52 AM, Tony Tauber ttau...@1-4-5.net wrote: maybe we should conclude that most of the spoofing is coming from somewhere else; perhaps including colo and cloud providers. My theory - not yet backed by data - is that probably most spoofed traffic these days does in fact emanate from IDC networks, and that a non-trivial proportion of same emanates from a relatively small number of such networks. In many cases, it's possible to put 'naked' hosts on home broadband connections, however - and how common that is, and what proportion of those broadband access networks don't run any form of anti-spoofing, is an open question. --- Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com Luck is the residue of opportunity and design. -- John Milton
spamassassin
in the last 3-4 days, a *massive* amount of spam is making it past spamassassin to my users and to me. see appended for example. not all has dkim. clue?

randy

From: SmallCapStockPlays i...@smallcapstockplays.com
Subject: Could VIIC be our biggest play in 2014? Check the stock today
To: ra...@psg.com
Date: Tue, 18 Feb 2014 20:48:02 -0500
Return-path: bounces+796782.50654126.285...@icpbounce.com
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on ran.psg.com
X-Spam-Level:
X-Spam-Status: No, score=0.8 required=5.0 tests=BAYES_50,HTML_MESSAGE,MIME_QP_LONG_LINE,T_DKIM_INVALID autolearn=ham version=3.3.2
Received: from psg.com ([2001:418:1::62]) by ran.psg.com with esmtp (Exim 4.76) (envelope-from bounces+796782.50654126.285...@icpbounce.com) id 1WFwGl-0006al-Bu for ra...@ran.psg.com; Wed, 19 Feb 2014 01:48:16 +
Received: from [207.254.213.223] (helo=drone166.ral.icpbounce.com) by psg.com with esmtp (Exim 4.82 (FreeBSD)) (envelope-from bounces+796782.50654126.285...@icpbounce.com) id 1WFwGZ-000Lp8-0W for ra...@psg.com; Wed, 19 Feb 2014 01:48:04 +
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=default; d=icontactmail3.com; h=Mime-Version:From:To:Date:Subject:List-Unsubscribe:X-Feedback-ID:Content-Type:Message-ID; bh=iihwvTJA/ZrrgzXpk+9Muk0Sqlfk5BqD+aI+mL91kn8=; b=wKHIYdl1BdMRK0Kak5Z/2CwsfFh5Byoe9ZlHaqQz3VK4ltYtLfCI3tg6y8Wq3HuULY+ere7Fzz9Q camnKSvqcSx3u8LQWQGQSZoYkOmzcIemCHNNrsBD+WZhVA9R3W10V2NM6OTuJKFURxtmCNME29kH 5bYunRCoGolocQ5HmAw=
Mime-Version: 1.0
Errors-To: bounces+796782.50654126.285...@icpbounce.com
List-Unsubscribe: https://app.icontact.com/icp/listunsubscribe.php?r=50654126l=4084s=FSMCm=285374c=796782, mailto:bounces+796782.50654126.285...@icpbounce.com
X-List-Unsubscribe: https://app.icontact.com/icp/listunsubscribe.php?r=50654126l=4084s=FSMCm=285374c=796782
X-Unsubscribe-Web: https://app.icontact.com/icp/listunsubscribe.php?r=50654126l=4084s=FSMCm=285374c=796782
X-Feedback-ID: 01_796782_285374:01_796782:01:vocus
X-ICPINFO:
X-Return-Path-Hint: bounces+796782.50654126.285...@icpbounce.com
Content-Type: multipart/alternative; boundary=cdf82e78-582d-4a55-9037-dacf81ae37d3
Message-ID: 0.1.f.afd.1cf2d149fe8fd9...@drone166.ral.icpbounce.com

[1 text/plain; utf-8 (quoted-printable)]
HOME ABOUT US TRADE IDEAS PENNY STOCK ARTICLES DAILY NEWS [1][png] [2][png] [3][png]
Re: Work Practices of Cyber Security Professionals
Dear Valdis,

1) If you're including network admins, you should also make sure to get system admins (though you'll be more successful asking elsewhere for those).

We are also targeting system admins. As I mentioned in my e-mail, targeted participants for this survey are those who perform security related activities as a part of their job. After this sentence, I mentioned a couple of roles as an example. By those examples I meant including but not limited to.

2) Having worn at least a partial hat of all those along my career, I'm curious what sort of tools will improve work practices for all the groups concerned.

The goal of this project is not to improve the work practices for all the groups concerned. Instead, our aim is to first find out what cyber security professionals (we are using this term to define anyone who performs security related activities) do on a day-to-day basis and which of their activities are relatively significant (i.e. performed frequently and require more time) than others. Once we establish that, then we will pick a couple of relatively significant activities from their workflow and build tools for those activities, following a user-centered design process. But, to get to that stage we first need to know what cyber security professionals do, how often they do that, and how much time they spend on doing that.

Hope that answers your questions. Feel free to ask if you have any more.

Best wishes,
Adnan

On Tue, Feb 18, 2014 at 2:28 PM, valdis.kletni...@vt.edu wrote:

On Mon, 17 Feb 2014 15:27:25 +, Muhammad Adnan said:

I am a university researcher who is investigating the development of new, usable tools that will improve the work practices of cyber security professionals. As a first step to achieve this goal, I am undertaking a survey to gain an in-depth understanding of the day-to-day activities of cyber security professionals. The targeted participants for this survey are those who perform security related activities as a part of their job (e.g. security analysts, network administrators, penetration testers).

Several comments:

1) If you're including network admins, you should also make sure to get system admins (though you'll be more successful asking elsewhere for those).

2) Having worn at least a partial hat of all those along my career, I'm curious what sort of tools will improve work practices for all the groups concerned. Probably the only place you'll find much overlap is in record keeping - but even there the record keeping that a sysadmin needs to do for changelogging their boxes is fairly different from what security analysts working an incident and pen testers engaged in a test will need. There's also the problem that many sites have their change logging integrated into their version control system or other workflow software already...

Good luck!
Re: spamassassin
Randy Bush wrote:

in the last 3-4 days, a *massive* amount of spam is making it past spamassassin to my users and to me. see appended for example. not all has dkim. clue?

randy

From: SmallCapStockPlays i...@smallcapstockplays.com
Subject: Could VIIC be our biggest play in 2014? Check the stock today
To: ra...@psg.com
Date: Tue, 18 Feb 2014 20:48:02 -0500
Return-path: bounces+796782.50654126.285...@icpbounce.com
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on ran.psg.com
X-Spam-Level:
X-Spam-Status: No, score=0.8 required=5.0 tests=BAYES_50,HTML_MESSAGE,MIME_QP_LONG_LINE,T_DKIM_INVALID autolearn=ham version=3.3.2
Received: from psg.com ([2001:418:1::62]) by ran.psg.com with esmtp (Exim 4.76) (envelope-from bounces+796782.50654126.285...@icpbounce.com) id 1WFwGl-0006al-Bu for ra...@ran.psg.com; Wed, 19 Feb 2014 01:48:16 +
Received: from [207.254.213.223] (helo=drone166.ral.icpbounce.com) by psg.com with esmtp (Exim 4.82 (FreeBSD)) (envelope-from bounces+796782.50654126.285...@icpbounce.com) id 1WFwGZ-000Lp8-0W for ra...@psg.com; Wed, 19 Feb 2014 01:48:04 +
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=default; d=icontactmail3.com; h=Mime-Version:From:To:Date:Subject:List-Unsubscribe:X-Feedback-ID:Content-Type:Message-ID; bh=iihwvTJA/ZrrgzXpk+9Muk0Sqlfk5BqD+aI+mL91kn8=; b=wKHIYdl1BdMRK0Kak5Z/2CwsfFh5Byoe9ZlHaqQz3VK4ltYtLfCI3tg6y8Wq3HuULY+ere7Fzz9Q camnKSvqcSx3u8LQWQGQSZoYkOmzcIemCHNNrsBD+WZhVA9R3W10V2NM6OTuJKFURxtmCNME29kH 5bYunRCoGolocQ5HmAw=
Mime-Version: 1.0
Errors-To: bounces+796782.50654126.285...@icpbounce.com
List-Unsubscribe: https://app.icontact.com/icp/listunsubscribe.php?r=50654126l=4084s=FSMCm=285374c=796782, mailto:bounces+796782.50654126.285...@icpbounce.com
X-List-Unsubscribe: https://app.icontact.com/icp/listunsubscribe.php?r=50654126l=4084s=FSMCm=285374c=796782
X-Unsubscribe-Web: https://app.icontact.com/icp/listunsubscribe.php?r=50654126l=4084s=FSMCm=285374c=796782
X-Feedback-ID: 01_796782_285374:01_796782:01:vocus
X-ICPINFO:
X-Return-Path-Hint: bounces+796782.50654126.285...@icpbounce.com
Content-Type: multipart/alternative; boundary=cdf82e78-582d-4a55-9037-dacf81ae37d3
Message-ID: 0.1.f.afd.1cf2d149fe8fd9...@drone166.ral.icpbounce.com

[1 text/plain; utf-8 (quoted-printable)]
HOME ABOUT US TRADE IDEAS PENNY STOCK ARTICLES DAILY NEWS [1][png] [2][png] [3][png]

They are smart and dkim sign their messages; even though it's invalid I believe that's why it has such a low bayes score. It's getting marked as ham and not spam. Are you positive your definitions are still updating?
Re: spamassassin
They are smart and dkim sign their messages; even though it's invalid I believe that's why it has such a low bayes score.

lots of the spam getting through has no dkim

It's getting marked as ham and not spam. Are you positive your definitions are still updating?

sa-update has run. and it runs cleanly

randy
Re: spamassassin
On 02/18/2014 05:52 PM, Randy Bush wrote: in the last 3-4 days, a *massive* amount of spam is making it past spamassassin to my users and to me. see appended for example. not all has dkim. It's been a while since i've been in this world, but I wonder whether bayes filters are using the public key of the dkim selector as a token. if they don't change selectors/keys they'd probably be s-canned pretty quickly. It would require that the dkim subsystem talk to the bayes subsystem since the public key isn't in the signature, so i'm guessing not. Mike
random dns queries with random sources
Hey all,

DNS amplification spoofed source attacks, I get that. I even thought I was getting mitigation down to acceptable levels. But now this.

At different times during the previous days and on different resolvers, routers with proxy turned on, etc...

Thousand of queries with thousands of source ip addresses. According to my logs, sources are not being repeated (or not with any significant frequency)

What is the purpose of this?

18-Feb-2014 21:45:24.982 queries: info: client 38.89.3.12#19391: query: swe.5kkx.com IN A + (66.199.132.5)
18-Feb-2014 21:45:25.067 queries: info: client 4.109.210.187#55190: query: ngqrbwuzquz.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:25.105 queries: info: client 91.82.209.221#33924: query: bgbtqcdtzen.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:25.106 queries: info: client 6.29.8.224#4379: query: uehkaiy.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:25.106 queries: info: client 67.27.41.169#44000: query: yqv.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:25.107 queries: info: client 45.207.31.218#30585: query: e.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:25.644 queries: info: client 95.217.89.95#5396: query: bfpofpj.5kkx.com IN A + (66.199.132.5)
18-Feb-2014 21:45:25.823 queries: info: client 89.47.129.187#12316: query: aocdesguijxym.5kkx.com IN A + (66.199.132.5)
18-Feb-2014 21:45:26.021 queries: info: client 15.205.106.62#34265: query: xqgyahfugnt.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:26.057 queries: info: client 128.64.33.29#7584: query: ijwhqfmpohmj.5kkx.com IN A + (216.222.148.103)
18-Feb-2014 21:45:26.330 queries: info: client 102.206.85.254#8093: query: ibojknsrqjohib.5kkx.com IN A + (216.222.148.103)
18-Feb-2014 21:45:26.333 queries: info: client 40.121.221.81#10822: query: ebb.5kkx.com IN A + (66.199.132.5)
18-Feb-2014 21:45:26.752 queries: info: client 104.55.169.43#30108: query: l.5kkx.com IN A + (66.199.132.7)
Re: spamassassin
DKIM serves to authenticate the source of the message. So this is a stock tip spam sent through an email service provider called icontact, and the dkim signature declares that. Just that and nothing more. Says nothing at all about the email's reputation - whether it is spam or not. --srs On Tuesday, February 18, 2014, Randy Bush ra...@psg.com wrote: in the last 3-4 days, a *massive* amount of spam is making it past spamassassin to my users and to me. see appended for example. not all has dkim. clue? -- --srs (iPad)
Re: spamassassin
On 2/18/2014 8:42 PM, Randy Bush wrote:

They are smart and dkim sign their messages; even though it's invalid I believe that's why it has such a low bayes score.

lots of the spam getting through has no dkim

It's getting marked as ham and not spam. Are you positive your definitions are still updating?

sa-update has run. and it runs cleanly

randy

From a posting on NANAE:

On 2/18/2014 6:09 PM, Larry Sheldon wrote:
Received: from [207.254.213.223] (helo=drone166.ral.icpbounce.com)

Larry, icpbounce.com is IContact aka Vocus. I don't know whether the managers of Vocus are as whitehat as those of IContact were before the buyout, but Andrew Barrett was still in charge of abuse/deliverability when I last checked and he *does* respond quickly and effectively to spam complaints. Try sending this to ab...@icontact.com.

--
Requiescas in pace o email  Two identifying characteristics of System Administrators:
Ex turpi causa non oritur actio  Infallibility, and the ability to learn from their mistakes.
(Adapted from Stephen Pinker)
Re: random dns queries with random sources
In message 5304201a.3040...@ttec.com, Joe Maimon writes:

Hey all,

DNS amplification spoofed source attacks, I get that. I even thought I was getting mitigation down to acceptable levels. But now this.

At different times during the previous days and on different resolvers, routers with proxy turned on, etc...

Thousand of queries with thousands of source ip addresses. According to my logs, sources are not being repeated (or not with any significant frequency)

What is the purpose of this?

Indirect attack on the 5kkx.com servers?

18-Feb-2014 21:45:24.982 queries: info: client 38.89.3.12#19391: query: swe.5kkx.com IN A + (66.199.132.5)
18-Feb-2014 21:45:25.067 queries: info: client 4.109.210.187#55190: query: ngqrbwuzquz.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:25.105 queries: info: client 91.82.209.221#33924: query: bgbtqcdtzen.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:25.106 queries: info: client 6.29.8.224#4379: query: uehkaiy.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:25.106 queries: info: client 67.27.41.169#44000: query: yqv.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:25.107 queries: info: client 45.207.31.218#30585: query: e.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:25.644 queries: info: client 95.217.89.95#5396: query: bfpofpj.5kkx.com IN A + (66.199.132.5)
18-Feb-2014 21:45:25.823 queries: info: client 89.47.129.187#12316: query: aocdesguijxym.5kkx.com IN A + (66.199.132.5)
18-Feb-2014 21:45:26.021 queries: info: client 15.205.106.62#34265: query: xqgyahfugnt.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:26.057 queries: info: client 128.64.33.29#7584: query: ijwhqfmpohmj.5kkx.com IN A + (216.222.148.103)
18-Feb-2014 21:45:26.330 queries: info: client 102.206.85.254#8093: query: ibojknsrqjohib.5kkx.com IN A + (216.222.148.103)
18-Feb-2014 21:45:26.333 queries: info: client 40.121.221.81#10822: query: ebb.5kkx.com IN A + (66.199.132.5)
18-Feb-2014 21:45:26.752 queries: info: client 104.55.169.43#30108: query: l.5kkx.com IN A + (66.199.132.7)

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org
Re: random dns queries with random sources
I couldn't resolve that domain or subdomains that I tried. If that domain did respond, I'd guess it's tailored to be a large junky response. Varying the qname prevents people from using iptables to block specific queries.

On 2/18/2014 10:08 PM, Joe Maimon wrote:

Hey all,

DNS amplification spoofed source attacks, I get that. I even thought I was getting mitigation down to acceptable levels. But now this.

At different times during the previous days and on different resolvers, routers with proxy turned on, etc...

Thousand of queries with thousands of source ip addresses. According to my logs, sources are not being repeated (or not with any significant frequency)

What is the purpose of this?

18-Feb-2014 21:45:24.982 queries: info: client 38.89.3.12#19391: query: swe.5kkx.com IN A + (66.199.132.5)
18-Feb-2014 21:45:25.067 queries: info: client 4.109.210.187#55190: query: ngqrbwuzquz.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:25.105 queries: info: client 91.82.209.221#33924: query: bgbtqcdtzen.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:25.106 queries: info: client 6.29.8.224#4379: query: uehkaiy.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:25.106 queries: info: client 67.27.41.169#44000: query: yqv.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:25.107 queries: info: client 45.207.31.218#30585: query: e.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:25.644 queries: info: client 95.217.89.95#5396: query: bfpofpj.5kkx.com IN A + (66.199.132.5)
18-Feb-2014 21:45:25.823 queries: info: client 89.47.129.187#12316: query: aocdesguijxym.5kkx.com IN A + (66.199.132.5)
18-Feb-2014 21:45:26.021 queries: info: client 15.205.106.62#34265: query: xqgyahfugnt.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:26.057 queries: info: client 128.64.33.29#7584: query: ijwhqfmpohmj.5kkx.com IN A + (216.222.148.103)
18-Feb-2014 21:45:26.330 queries: info: client 102.206.85.254#8093: query: ibojknsrqjohib.5kkx.com IN A + (216.222.148.103)
18-Feb-2014 21:45:26.333 queries: info: client 40.121.221.81#10822: query: ebb.5kkx.com IN A + (66.199.132.5)
18-Feb-2014 21:45:26.752 queries: info: client 104.55.169.43#30108: query: l.5kkx.com IN A + (66.199.132.7)
Re: random dns queries with random sources
Mark Andrews wrote:

What is the purpose of this?

Indirect attack on the 5kkx.com servers?

18-Feb-2014 21:45:24.982 queries: info: client 38.89.3.12#19391: query: swe.5kkx.com IN A + (66.199.132.5)

I have seen dozens of different second level parts. How is this any more effective than sending it direct?
Re: random dns queries with random sources
On 02/18/2014 07:08 PM, Joe Maimon wrote: Thousand of queries with thousands of source ip addresses. Pardon if I missed a memo, but how are your resolver systems receiving these thousands of very different source addresses? Doug
Re: random dns queries with random sources
Totally was trying to figure out how to ask the same thing. How exactly are you the POC in this situation? lol On 2/18/14, 7:35 PM, Doug Barton do...@dougbarton.us wrote: On 02/18/2014 07:08 PM, Joe Maimon wrote: Thousand of queries with thousands of source ip addresses. Pardon if I missed a memo, but how are your resolver systems receiving these thousands of very different source addresses? Doug
Re: random dns queries with random sources
On Feb 19, 2014, at 10:08 AM, Joe Maimon jmai...@ttec.com wrote: What is the purpose of this? Resource-exhaustion attack against the recursive DNS? --- Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com Luck is the residue of opportunity and design. -- John Milton
Re: random dns queries with random sources
On Feb 19, 2014, at 10:32 AM, Joe Maimon jmai...@ttec.com wrote: How is this any more effective then sending it direct? If they're attacking the authoritative DNS servers for 5kkx.com, just reflecting gives them indirection and presumably makes traceback harder for 5kkx.com (at least, in the minds of the attackers). Or maybe they're trying to game 5kkx.com into blocking requests from the recursive servers in question, for some reason. --- Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com Luck is the residue of opportunity and design. -- John Milton
Re: random dns queries with random sources
On Tue, Feb 18, 2014 at 10:44 PM, Dobbins, Roland rdobb...@arbor.net wrote: On Feb 19, 2014, at 10:08 AM, Joe Maimon jmai...@ttec.com wrote: What is the purpose of this? Resource-exhaustion attack against the recursive DNS? so... i could be nuts, but in the example joe clipped, the resolved hosts are either: 66.199.132.5 66.199.132.7 or 216.222.148.103 these are from 2 different PI blocks, but the same named end-user: chl.net. maybe someone's upset with CHL, whomever that may be.
Re: random dns queries with random sources
On Feb 19, 2014, at 10:44 AM, Dobbins, Roland rdobb...@arbor.net wrote: Resource-exhaustion attack against the recursive DNS? Fat-finger, sorry - should also state 'Or against the authoritative servers for 5kkx.com?' --- Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com Luck is the residue of opportunity and design. -- John Milton
Re: random dns queries with random sources
On Tue, Feb 18, 2014 at 10:47 PM, Christopher Morrow morrowc.li...@gmail.com wrote: On Tue, Feb 18, 2014 at 10:44 PM, Dobbins, Roland rdobb...@arbor.net wrote: On Feb 19, 2014, at 10:08 AM, Joe Maimon jmai...@ttec.com wrote: What is the purpose of this? Resource-exhaustion attack against the recursive DNS? so... i could be nuts, but in the example joe clipped, the resolved hosts are either: 66.199.132.5 66.199.132.7 or 216.222.148.103 these are from 2 different PI blocks, but the same named end-user: chl.net. maybe someone's upset with CHL, whomever that may be. apologies. both chl.net and chl.com ... which appear to be parts of ttec ... which is joe.
Re: random dns queries with random sources
Right. Nonzero chances that you (Joe's site) are the target... Also, check if you have egress filtering of spoofed addresses below these DNS resources, between them and any user objects. You could be sourcing the spoofing if not... On Tue, Feb 18, 2014 at 7:44 PM, Dobbins, Roland rdobb...@arbor.net wrote: On Feb 19, 2014, at 10:08 AM, Joe Maimon jmai...@ttec.com wrote: What is the purpose of this? Resource-exhaustion attack against the recursive DNS? --- Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com Luck is the residue of opportunity and design. -- John Milton -- -george william herbert george.herb...@gmail.com
Re: random dns queries with random sources
Doug Barton wrote:

On 02/18/2014 07:08 PM, Joe Maimon wrote:

Thousand of queries with thousands of source ip addresses.

Pardon if I missed a memo, but how are your resolver systems receiving these thousands of very different source addresses?

Doug

Thousands of queries _from_ thousands of source ip addresses

likely they are spoofed

this is an example of what I am seeing

root@nameserver3:~# baddnsqueries-srcs 9aq.com | wc -l
1337
root@nameserver3:~# grep 9aq.com /var/log/named/queries | wc -l
1415
root@nameserver3:~# baddnsqueries-srcs 9aq.com | sort -rn -k2 | head -n5
99.86.116.243 1
99.219.232.72 1
99.184.19.178 1
99.155.180.193 1
99.129.26.85 1
root@nameserver3:~# grep 9aq.com /var/log/named/queries | head -n5
18-Feb-2014 22:42:30.754 queries: info: client 93.209.49.151#59706: query: abpdefguvwxym.dlq1.9aq.com IN A + (66.199.132.5)
18-Feb-2014 22:42:30.787 queries: info: client 110.158.165.119#32438: query: ocpkxdfupiy.dlq1.9aq.com IN A + (66.199.132.7)
18-Feb-2014 22:42:31.382 queries: info: client 84.14.84.205#63722: query: abpqeftuiwklz.dlq1.9aq.com IN A + (66.199.132.7)
18-Feb-2014 22:42:31.649 queries: info: client 45.73.65.145#38948: query: pvtlirr.dlq1.9aq.com IN A + (66.199.132.7)
18-Feb-2014 22:42:32.679 queries: info: client 9.121.56.232#18395: query: amo.dlq1.9aq.com IN A + (66.199.132.5)
root@nameserver3:~# cat /usr/local/sbin/baddnsqueries-srcs
#!/bin/bash
# Usage: baddnsqueries-srcs PATTERN
# Prints every source address that sent a query matching PATTERN, with its query count.
if [[ -z "$1" ]]; then exit 0; fi
# Field 6 of a BIND query-log line is "client-ip#port:"; keep only the address.
grep -E "$1" /var/log/named/queries | cut -f6 -d' ' | cut -f1 -d'#' | sort | uniq |\
while read -r INPUT; do
  if [[ -z "$INPUT" ]]; then continue; fi
  echo "$INPUT" "$(grep -F "$INPUT" /var/log/named/queries | grep -c -E "$1")"
done
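The same counting done in a single pass over the log, as an added example that is not part of the thread or of Joe's script: it parses BIND query-log lines of the form shown above, groups them by the last two labels of the qname (an assumption that fits 5kkx.com and 9aq.com; a real tool would use the public suffix list), and flags zones whose queries show almost no repeated names and almost no repeated source addresses, which is the pattern Joe describes (random labels, non-repeating sources). The sample input mixes six lines copied from the thread with constructed lines for www.example.com; the ratio thresholds are arbitrary starting points.

```python
import re
from collections import defaultdict

# BIND 9 query-log line, in the form shown in the thread, e.g.
# 18-Feb-2014 21:45:24.982 queries: info: client 38.89.3.12#19391: query: swe.5kkx.com IN A + (66.199.132.5)
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) queries: info: client (?P<src>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+) \((?P<dst>[^)]+)\)$"
)

# Constructed sample: six lines from the thread (5kkx.com), six benign lines for
# www.example.com from two clients, and one non-query line the parser must skip.
SAMPLE_LOG = [
    "18-Feb-2014 21:45:24.982 queries: info: client 38.89.3.12#19391: query: swe.5kkx.com IN A + (66.199.132.5)",
    "18-Feb-2014 21:45:25.067 queries: info: client 4.109.210.187#55190: query: ngqrbwuzquz.5kkx.com IN A + (66.199.132.7)",
    "18-Feb-2014 21:45:25.105 queries: info: client 91.82.209.221#33924: query: bgbtqcdtzen.5kkx.com IN A + (66.199.132.7)",
    "18-Feb-2014 21:45:25.106 queries: info: client 6.29.8.224#4379: query: uehkaiy.5kkx.com IN A + (66.199.132.7)",
    "18-Feb-2014 21:45:25.106 queries: info: client 67.27.41.169#44000: query: yqv.5kkx.com IN A + (66.199.132.7)",
    "18-Feb-2014 21:45:25.107 queries: info: client 45.207.31.218#30585: query: e.5kkx.com IN A + (66.199.132.7)",
    "18-Feb-2014 21:45:25.200 queries: info: client 10.0.0.5#51001: query: www.example.com IN A + (66.199.132.5)",
    "18-Feb-2014 21:45:25.201 queries: info: client 10.0.0.6#51002: query: www.example.com IN A + (66.199.132.5)",
    "18-Feb-2014 21:45:25.202 queries: info: client 10.0.0.5#51003: query: www.example.com IN AAAA + (66.199.132.5)",
    "18-Feb-2014 21:45:25.203 queries: info: client 10.0.0.6#51004: query: www.example.com IN A + (66.199.132.5)",
    "18-Feb-2014 21:45:25.204 queries: info: client 10.0.0.5#51005: query: www.example.com IN A + (66.199.132.5)",
    "18-Feb-2014 21:45:25.205 queries: info: client 10.0.0.6#51006: query: www.example.com IN A + (66.199.132.5)",
    "18-Feb-2014 21:45:25.206 general: info: zone example.com/IN: loaded serial 2014021801",
]


def parse_line(line):
    """Return the fields of one query-log line, or None for lines that are not queries."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def base_domain(qname):
    """Zone the query is aimed at. Assumption: last two labels (no public suffix list)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname.lower()


def summarize(lines):
    """Per base domain: query count, set of distinct qnames, set of distinct sources."""
    stats = defaultdict(lambda: {"queries": 0, "qnames": set(), "sources": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[base_domain(rec["qname"])]
        s["queries"] += 1
        s["qnames"].add(rec["qname"].lower())
        s["sources"].add(rec["src"])
    return stats


def suspicious_domains(lines, min_queries=5, qname_ratio=0.8, source_ratio=0.8):
    """Flag zones where nearly every query has a fresh qname AND a fresh source address.
    Random labels alone could be a misbehaving client; random sources alone could be a
    busy popular name; the combination is the random-subdomain pattern in the thread."""
    flagged = {}
    for dom, s in summarize(lines).items():
        n = s["queries"]
        if n < min_queries:
            continue
        if len(s["qnames"]) / n >= qname_ratio and len(s["sources"]) / n >= source_ratio:
            flagged[dom] = {"queries": n, "distinct_qnames": len(s["qnames"]),
                            "distinct_sources": len(s["sources"])}
    return flagged


if __name__ == "__main__":
    for dom, info in suspicious_domains(SAMPLE_LOG).items():
        print(f"{dom}: {info['queries']} queries, {info['distinct_qnames']} distinct names, "
              f"{info['distinct_sources']} distinct sources")
```

Run it against a real file with `suspicious_domains(open("/var/log/named/queries"))`; the same summary drives a per-zone block at the resolver, which is more robust than matching individual qnames since, as noted earlier in the thread, the labels are varied precisely to defeat static string matches.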
Re: random dns queries with random sources
Dobbins, Roland wrote: On Feb 19, 2014, at 10:08 AM, Joe Maimon jmai...@ttec.com wrote: What is the purpose of this? Resource-exhaustion attack against the recursive DNS? On anything that is going to stay open, not even close.
Re: spamassassin
On 2/18/2014 7:10 PM, Suresh Ramasubramanian wrote:

DKIM serves to authenticate the source of the message. So this is a stock tip spam sent through an email service provider called icontact, and the dkim signature declares that. Just that and nothing more. Says nothing at all about the email's reputation - whether it is spam or not.

--srs

Yeah, it just validates the domain that the email came from. But,

X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on ran.psg.com
X-Spam-Level:
X-Spam-Status: No, score=0.8 required=5.0 tests=BAYES_50,HTML_MESSAGE,MIME_QP_LONG_LINE,*T_DKIM_INVALID* autolearn=ham version=3.3.2

Spamassassin knows the dkim signature is invalid, so there must be a dns query that occurs at this point in the message processing. If that is the case, there must be some way to configure to reject if the dkim signature is invalid.

X-Spam-Status: No, score=0.8 required=5.0

Spamassassin isn't going to block anything until it registers a score of 5. So, just having a dkim signature (even though invalid) is possibly lowering the score. Maybe you could tweak the settings to pick-off spam at a lower score. But, setting your levels down to 0.8 would probably block legitimate email.

You could always block their ip in the helo_access (or iptables) of your postfix server (I'm assuming that's what you are using). But that's only going to be a temporary fix. You could also add a rbl query to your mail server config to spamhaus. That could always help.
Re: random dns queries with random sources
On Feb 19, 2014, at 10:48 AM, Christopher Morrow morrowc.li...@gmail.com wrote:

apologies. both chl.net and chl.com ... which appear to be parts of ttec ... which is joe.

Premature send - I meant to add 'Or against the authoritative servers for 5kkx.com?'

We've been seeing a spate of reflected (not amplified) DNS attacks against various authoritative servers in Europe for the past week or so, bounced through some type of consumer DSL broadband CPE with an open DNS forwarder on the WAN interface (don't know the make/model, but it was supplied by the broadband operators to the customers), on some European broadband access networks.

--- Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com Luck is the residue of opportunity and design. -- John Milton
Re: random dns queries with random sources
On 02/18/2014 07:59 PM, Joe Maimon wrote: Doug Barton wrote: On 02/18/2014 07:08 PM, Joe Maimon wrote: Thousand of queries with thousands of source ip addresses. Pardon if I missed a memo, but how are your resolver systems receiving these thousands of very different source addresses? Doug Thousands of queries _from_ thousands of source ip addresses likely they are spoofed Yes, got that bit. :) What I'm asking is, why are spoofed queries hitting your different resolvers, routers with proxy turned on, etc.? Are you running open resolvers? If so, please stop doing that, it's widely known to be a bad idea for over a decade now, and you are providing the bad guys a tool to use for DDOS attacks. If it's something else, please speak up. Regardless of the goal of this particular issue, the way to solve the root problem is to prevent the spoofed packets from getting to your servers in the first place. Doug
Re: spamassassin
I would not advise that. Plenty of things can render a dkim sig invalid. Not all of them are evidences of malice. You might be well advised to check for a DMARC record (which asserts policy using a combination of DKIM and SPF) and if there's a reject there, feel free to trash the email if there's a validation failure. But not simply because a DKIM signature breaks. --srs On Tuesday, February 18, 2014, Private Sender nob...@snovc.com wrote: Spamassassin knows the dkim signature is invalid, so there must be a dns query that occurs at this point in the message processing. If that is the case, there must be someway to configure to reject if the dkim signature is invalid. -- --srs (iPad)
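Suresh's point as a worked example, added here and not code from the thread: what DMARC evaluates is whether an authenticated identifier aligns with the RFC5322.From domain, not whether a DKIM signature exists or verifies. The function below takes the From domain, the DKIM results (d= domain and pass/fail per signature), the SPF result for the envelope sender, and the text of a DMARC record, and returns the disposition. It assumes the organizational domain is the last two labels (no public-suffix list), ignores the pct and reporting tags, and does no DNS lookups; the DMARC records in the usage block are constructed, not the real records of any domain in the message. For Randy's sample, DKIM is d=icontactmail3.com and the envelope sender is icpbounce.com, neither aligned with smallcapstockplays.com, so even a valid signature would not satisfy DMARC.

```python
def org_domain(domain):
    """Organizational domain. Assumption: last two labels; a real implementation
    consults the public suffix list (co.uk and friends)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag dict; None if it is not a usable DMARC record."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        k, v = part.split("=", 1)
        tags[k.strip().lower()] = v.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    tags.setdefault("adkim", "r")  # relaxed alignment is the default for both
    tags.setdefault("aspf", "r")
    return tags


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed the same organizational domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if mode.lower() == "s" else org_domain(a) == org_domain(f)


def dmarc_disposition(from_domain, dkim_results, spf_result, dmarc_record):
    """
    from_domain:  domain of the RFC5322.From header
    dkim_results: list of (d= domain, "pass" | "fail"), one per verified signature
    spf_result:   (envelope-sender domain, "pass" | "fail"), or None if SPF was not checked
    dmarc_record: TXT record text for _dmarc.<from_domain>, or None if none is published
    """
    policy = parse_dmarc(dmarc_record) if dmarc_record else None
    if policy is None:
        return {"dmarc": "none", "disposition": "none", "reason": "no DMARC policy published"}

    dkim_ok = any(r == "pass" and aligned(d, from_domain, policy["adkim"])
                  for d, r in dkim_results)
    spf_ok = (spf_result is not None and spf_result[1] == "pass"
              and aligned(spf_result[0], from_domain, policy["aspf"]))

    if dkim_ok or spf_ok:
        which = "DKIM" if dkim_ok else "SPF"
        return {"dmarc": "pass", "disposition": "none", "reason": f"aligned {which} pass"}

    p = policy["p"].lower()
    disposition = p if p in ("none", "quarantine", "reject") else "none"
    unaligned = [d for d, r in dkim_results if r == "pass"]
    reason = ("valid but unaligned DKIM from " + ", ".join(unaligned)) if unaligned \
        else "no aligned authenticated identifier"
    return {"dmarc": "fail", "disposition": disposition, "reason": reason}


if __name__ == "__main__":
    # The thread's message: From smallcapstockplays.com, DKIM d=icontactmail3.com (invalid),
    # envelope sender icpbounce.com. The DMARC record is constructed for the example.
    msg = ("smallcapstockplays.com", [("icontactmail3.com", "fail")], ("icpbounce.com", "pass"))
    print(dmarc_disposition(*msg, "v=DMARC1; p=reject"))
    # Same message with a valid signature: still unaligned, still a DMARC fail.
    print(dmarc_disposition(msg[0], [("icontactmail3.com", "pass")], msg[2], "v=DMARC1; p=reject"))
    # A broken DKIM signature by itself is no grounds to reject when the policy says p=none.
    print(dmarc_disposition("example.com", [("example.com", "fail")], None, "v=DMARC1; p=none"))
```

The third call is the case Suresh warns about: a mailing list or forwarder that rewrites a Subject line breaks the signature, and with p=none the published policy asks you to deliver. A receiver that rejects on T_DKIM_INVALID alone is enforcing a policy the sender never published.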
Re: random dns queries with random sources
Doug Barton wrote:

On 02/18/2014 07:59 PM, Joe Maimon wrote:

Are you running open resolvers?

Yes

If so, please stop doing that,

No

it's widely known to be a bad idea for over a decade now,

At this point, doing anything on the internet is a bad idea.

and you are providing the bad guys a tool to use for DDOS attacks.

Get back to me when the same can't be done with auth servers.

If it's something else, please speak up. Regardless of the goal of this particular issue, the way to solve the root problem is to prevent the spoofed packets from getting to your servers in the first place.

Doug
Re: random dns queries with random sources
George Herbert wrote:

Right. Nonzero chances that you (Joe's site) are the target... Also, check if you have egress filtering of spoofed addresses below these DNS resources, between them and any user objects. You could be sourcing the spoofing if not...

It seems to me that the same|similar dataset of open resolvers to be used for amplification attacks is also being used for this sort of thing, and the overall effect is not large enough to indicate my resources are a target.

What I can't figure out is what is the target and how this attack method is any more effective than the others.

Joe
Re: random dns queries with random sources
On Feb 19, 2014, at 12:44 PM, Joe Maimon jmai...@ttec.com wrote: Get back to me when the same cant be done with auth servers. There are ways to deal with it on authoritative servers, like RRL. --- Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com Luck is the residue of opportunity and design. -- John Milton
Re: random dns queries with random sources
On Feb 19, 2014, at 12:48 PM, Joe Maimon jmai...@ttec.com wrote: What I cant figure out is what is the target and how this attack method is any more effective then the others. The target appears to be the authoritative servers for the domain in question, yes? The attacker may consider it more effective because it provides a degree of obfuscation, or maybe he has some reason to game the operators of the authoritative servers in question into denying requests from your recursors. Most (not all) attackers don't know that much about TCP/IP, DNS, et. al, and they tend to copycat one another and do the same things due to magical thinking. --- Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com Luck is the residue of opportunity and design. -- John Milton
Re: random dns queries with random sources
On Feb 18, 2014, at 9:48 PM, Joe Maimon jmai...@ttec.com wrote:

George Herbert wrote:

Right. Nonzero chances that you (Joe's site) are the target... Also, check if you have egress filtering of spoofed addresses below these DNS resources, between them and any user objects. You could be sourcing the spoofing if not...

It seems to me that the same|similar dataset of open resolvers to be used for amplification attacks is also being used for this sort of thing, and the overall effect is not large enough to indicate my resources are a target.

What I cant figure out is what is the target and how this attack method is any more effective then the others.

Joe

This assumes several facts not in evidence:

1. It is an attack.
2. It is deliberate
3. There is a target
4. It is more effective than others

On what do you base those assumptions?

To me this looks to be far more likely to be someone’s wayward script, experiment, software, tool, etc. doing something it probably isn’t supposed to be doing.

If it happens to also be gathering the answers or information that the author wants (or appears to be doing so), then the author may well be blissfully ignorant of its wayward behavior towards your servers.

Owen
Re: random dns queries with random sources
Dobbins, Roland wrote:

On Feb 19, 2014, at 12:44 PM, Joe Maimon jmai...@ttec.com wrote:

Get back to me when the same cant be done with auth servers.

There are ways to deal with it on authoritative servers, like RRL.

There are ways to deal with it on resolvers as well, like RRL and IDS and iptables, and see google for some more examples.
Re: random dns queries with random sources
Dobbins, Roland wrote:

On Feb 19, 2014, at 12:48 PM, Joe Maimon jmai...@ttec.com wrote:

What I can't figure out is what is the target and how this attack method is any more effective than the others.

The target appears to be the authoritative servers for the domain in question, yes?

I don't think so, but I have not compiled the full list of domains and compared the auth servers for each.

The attacker may consider it more effective because it provides a degree of obfuscation, or maybe he has some reason to game the operators of the authoritative servers in question into denying requests from your recursors. Most (not all) attackers don't know that much about TCP/IP, DNS, et. al, and they tend to copycat one another and do the same things due to magical thinking.

--- Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com Luck is the residue of opportunity and design. -- John Milton
Re: random dns queries with random sources
On Feb 19, 2014, at 1:07 PM, Joe Maimon jmai...@ttec.com wrote: There are ways to deal with it on resolvers as well, like RRL and IDS and iptables None of these things work well for recursive resolvers; they cause more problems than they solve. --- Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com Luck is the residue of opportunity and design. -- John Milton
Re: spamassassin
as i said, much of the crap coming through, 10-20 times normal, does not have dkim. i suggest that focusing on dkim is a red herring. and yes, i know how dkim works.

If that is the case, there must be someway to configure to reject if the dkim signature is invalid.

5.0-0.8 is a large value, at least in this area.

You could always block their ip in the ...

their? you are presuming a single source.

You could also add a rbl query to your mail server config to spamhaus.

have had that for years

randy
Re: random dns queries with random sources
Owen DeLong wrote:

On Feb 18, 2014, at 9:48 PM, Joe Maimon jmai...@ttec.com wrote:

This assumes several facts not in evidence:

1. It is an attack.
2. It is deliberate
3. There is a target
4. It is more effective than others

On what do you base those assumptions?

To me this looks to be far more likely to be someone’s wayward script, experiment, software, tool, etc. doing something it probably isn’t supposed to be doing.

I have found this occurring on unaffiliated open resolvers (that I happen to support and that I was able to make the choice to close)

It has been ongoing for a week or so (but not constant).

The domain names have a pattern but are comprised of components that appear to be randomly generated.

The source IP addresses for the queries appear to be non duplicated and randomly generated.

query logs are available for unicasting to the interested.

Has nobody else seen this?

If it happens to also be gathering the answers or information that the author wants (or appears to be doing so), then the author may well be blissfully ignorant of its wayward behavior towards your servers.

Owen

I would like to figure out how.

Joe
Re: random dns queries with random sources
Dobbins, Roland wrote: On Feb 19, 2014, at 1:07 PM, Joe Maimon jmai...@ttec.com wrote: There are ways to deal with it on resolvers as well, like RRL and IDS and iptables None of these things work well for recursive resolvers; they cause more problems than they solve. Whatever I am doing appears to be working, at least until this cropped up. Joe
Re: spamassassin
--As of February 19, 2014 9:52:57 AM +0800, Randy Bush is alleged to have said: in the last 3-4 days, a *massive* amount of spam is making it past spamassassin to my users and to me. see appended for example. not all has dkim. clue? --As for the rest, it is mine. The spamassassin list has been tracking an issue where a new rule made it out of the testbox accidentally, which lowers scores on a lot of spam. It wasn't in the sample you provided, but the rule name is BAYES_999 - it catches mail that the bayes filter thinks is 99.9-100% sure to be spam. As it got promoted prematurely, it's showing with a score of 1.0. (The default.) It's probably a part of your problem. A fix should be in the rules update today or tomorrow - or you can rescore it to the same as BAYES_99 (someplace in the 3 range by default, I believe). That's what used to catch that mail: it used to mean 99-100%, and now means 99-99.9%. More info can be found in the mailing list archives for the spamassassin list. Daniel T. Staal --- This email copyright the author. Unless otherwise noted, you are expressly allowed to retransmit, quote, or otherwise use the contents for non-commercial purposes. This copyright will expire 5 years after the author's death, or in 30 years, whichever is longer, unless such a period is in excess of local copyright law. ---
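A way to measure Daniel's point against your own mail logs, added here as an example and not code from the thread: parse SpamAssassin X-Spam-Status headers (assumed already unfolded onto one line), reapply a corrected score for a rule that carried the wrong value when the header was written, and count the messages that would have crossed the threshold. The numbers used below are assumptions, not taken from the thread: BAYES_999 applied at the 1.0 default and corrected to 3.5, which is assumed to be the BAYES_99 value in the 3.3.x score set (check your own 50_scores.cf). The first sample header is Randy's; the second is constructed.

```python
import re

# X-Spam-Status as SpamAssassin 3.3.x writes it, e.g.
# No, score=0.8 required=5.0 tests=BAYES_50,HTML_MESSAGE autolearn=ham version=3.3.2
# Assumption: continuation lines have already been joined into one line.
STATUS_RE = re.compile(
    r"^(?P<verdict>Yes|No), score=(?P<score>-?\d+(?:\.\d+)?) required=(?P<required>-?\d+(?:\.\d+)?)"
    r"(?: tests=(?P<tests>\S*))?"
)


def parse_spam_status(header):
    """Split an X-Spam-Status value into verdict, score, threshold and the rules that hit."""
    m = STATUS_RE.match(header.strip())
    if not m:
        return None
    tests = [t for t in (m.group("tests") or "").split(",") if t]
    return {"verdict": m.group("verdict"), "score": float(m.group("score")),
            "required": float(m.group("required")), "tests": tests}


def rescore(header, corrected, applied):
    """Recompute the total with corrected per-rule scores.
    corrected: rule -> score it should carry
    applied:   rule -> score that was in force when the header was written
    Only the delta between the two moves the total, so every other rule is left alone."""
    st = parse_spam_status(header)
    if st is None:
        return None
    score = st["score"]
    for rule in st["tests"]:
        if rule in corrected:
            score += corrected[rule] - applied.get(rule, 0.0)
    score = round(score, 1)
    return {"old_score": st["score"], "new_score": score, "required": st["required"],
            "would_flag": score >= st["required"], "tests": st["tests"]}


def audit(headers, corrected, applied):
    """Count messages delivered as ham that the corrected scores would have flagged."""
    missed = 0
    for h in headers:
        r = rescore(h, corrected, applied)
        if r is not None and r["would_flag"] and r["old_score"] < r["required"]:
            missed += 1
    return missed


# Assumed scores (see lead-in): the mis-promoted rule at its 1.0 default, corrected to 3.5.
CORRECTED = {"BAYES_999": 3.5}
APPLIED = {"BAYES_999": 1.0}

# Constructed sample: Randy's header from the thread, plus one where BAYES_999 fired.
SAMPLE_HEADERS = [
    "No, score=0.8 required=5.0 tests=BAYES_50,HTML_MESSAGE,MIME_QP_LONG_LINE,T_DKIM_INVALID autolearn=ham version=3.3.2",
    "No, score=4.2 required=5.0 tests=BAYES_999,HTML_MESSAGE,RDNS_NONE autolearn=no version=3.3.2",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(rescore(h, CORRECTED, APPLIED))
    print("would have been flagged:", audit(SAMPLE_HEADERS, CORRECTED, APPLIED))
```

Feed it the X-Spam-Status values pulled from a week of delivered mail (`formail -x X-Spam-Status` over a mailbox, after unfolding) and the `audit` count tells you how much of the flood a local rescore would have caught, before you decide whether waiting for the rules update is acceptable. Note that a message with BAYES_999 in its tests but no BAYES_99 is exactly the mis-scored case Daniel describes, since the premature rule took the 99.9-100% band away from BAYES_99.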
Re: spamassassin
A fix should be in the rules update today or tomorrow - or you can rescore it to the same as BAYES_99 (someplace in the 3 range by default, I believe). That's what used to catch that mail: it used to mean 99-100%, and now means 99-99.9%. trying the copy 99-999 now. thanks! randy