JunOS NTP - Re: OpenNTPProject.org

2014-02-18 Thread Jared Mauch
So, be careful as the Juniper solution varies depending on the platform 
involved.

Make sure you check your devices.  It took a few iterations for us to get the 
right filters on everything.

- Jared

On Feb 17, 2014, at 12:26 AM, Yucong Sun sunyuc...@gmail.com wrote:

 Just for reference, here is a more complete solution for Junos (took me
 a while searching the web to figure it out); hope it helps someone.
 
 policy-options {
     prefix-list lo0.0-inet-address {
         apply-path "interfaces lo0 unit 0 family inet address <*>";
     }
     prefix-list ntp-servers {
         apply-path "system ntp server <*>";
     }
 }
 
 firewall {
     family inet {
         filter lo-filter {
             term ntp-allow {
                 from {
                     source-prefix-list {
                         ntp-servers;
                         lo0.0-inet-address;
                     }
                     protocol udp;
                     destination-port ntp;
                 }
                 then accept;
             }
             term ntp-other-discard {
                 from {
                     protocol udp;
                     destination-port ntp;
                 }
                 then {
                     discard;
                 }
             }
             term zz-accept {
                 then accept;
             }
         }
     }
 }
 
 
 
 On Sun, Feb 16, 2014 at 8:42 PM, Mark Tinka mark.ti...@seacom.mu wrote:
 
 On Monday, February 17, 2014 06:35:46 AM Lyndon Nerenberg
 wrote:
 
 I was suggesting it as an alternative to just chopping
 off NTP at your border.  Presumably it would be a
 one-off thing until Juniper issues a patch.
 
 In Junos, applying the right filters to your router's
 control plane will fix the issue. You don't need to block
 NTP in the data plane.
 
 Mark.
 




Re: Work Practices of Cyber Security Professionals

2014-02-18 Thread Valdis . Kletnieks
On Mon, 17 Feb 2014 15:27:25 +, Muhammad Adnan said:

 I am a university researcher who is investigating the development of new,
 usable tools that will improve the work practices of cyber security
 professionals. As a first step to achieve this goal, I am undertaking a
 survey to gain an in-depth understanding of the day-to-day activities of
 cyber security professionals. The targeted participants for this survey are
 those who perform security related activities as a part of their job (e.g.
 security analysts, network administrators, penetration testers).

Several comments:

1) If you're including network admins, you should also make sure to
get system admins (though you'll be more successful asking elsewhere for those).

2) Having worn at least a partial hat of all those along my career, I'm
curious what sort of tools will improve work practices for all the groups
concerned.  Probably the only place you'll find much overlap is in record
keeping - but even there the record keeping that a sysadmin needs to do for
changelogging their boxes is fairly different from what security analysts
working an incident and pen testers engaged in a test will need.  There's
also the problem that many sites have their change logging integrated into
their version control system or other workflow software already...

Good luck!




RE: OpenNTPProject.org

2014-02-18 Thread Mike Walter
For knowledge on the list.  We found that our Cisco Nexus 7000s had NTP enabled 
on our public facing VDCs, even when the command 'feature ntp' was not present.
I had to explicitly enter 'no feature ntp' to prevent the NTP server service 
from existing on our public facing 7K interfaces.

Thanks,

Mike

-Original Message-
From: Blake Dunlap [mailto:iki...@gmail.com] 
Sent: Monday, February 17, 2014 11:03 AM
To: nanog@nanog.org
Subject: Re: OpenNTPProject.org

If you're trying to actually run a ntp server setup as opposed to just
trusting the world, I strongly suggest reading the documentation for the
service, as most people don't deploy it correctly while they think they
have.

At minimum, you want a cluster of 3 - 4 servers internally, configured as
peers of each other, and listening to some source of time, preferably
multiple like a few on the internet from the big public pool, and if you
really care about time, set up a GPS receiver or two.

You can definitely go farther than the above, but that's the start to doing
it right. Anything short of the above is just trusting the world at large,
and you'll likely happily follow along with any time skew like that thing a
few months/year ago with either tick or tock.

Without the above, you don't have enough sane sources to discredit bad
advisers (you need 3 for a time lock).

-Blake


On Mon, Feb 17, 2014 at 9:38 AM, Anthony Williams alby.willi...@verizon.com
 wrote:


 Blake:

  Just to make sure I've got this down, listing a device as a peer in
 the ntp.conf file will create a situation where both devices are saying,
 I know what time it is and splitting the difference?  Whereas when you
 list a device as a server, it's using that as the authority on the
 correct time?

 Example:
 --

 #
 peer    192.168.1.1         iburst
 peer    192.168.1.2         iburst


 #
 server  ntp.colby.edu       minpoll 6 maxpoll 10 iburst
 server  bonehed.lcs.mit.edu minpoll 6 maxpoll 10 iburst





 On 2/17/2014 10:28 AM, Blake Dunlap wrote:
  Peer means it considers the other side an equal and they will mutually
  skew time together. If you have peer on for devices you don't consider your
  time servers, you're opening yourself up to problems.
 
  -Blake






Telia contact

2014-02-18 Thread Jay Coley
Hi,

If there are any Telia engineers lurking about could you please contact
me off-list regarding a routing question?

Thanks!
--J




Re: JunOS NTP - Re: OpenNTPProject.org

2014-02-18 Thread John Kristoff
On Tue, 18 Feb 2014 09:14:59 -0500
Jared Mauch ja...@puck.nether.net wrote:

 prefix-list ntp-servers {
 apply-path system ntp server *;

Some people also have a 'boot-server [server]' statement.  In the
off chance that address is different than those listed in the server
statements, you may need to account for it as well.  If you can, just
make sure it is also listed as one of the configured servers.

John
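The thread's Junos pieces assembled into one added example (mine, not a configuration from any of the posts): Yucong's prefix-lists and filter, the boot-server address also listed as a regular server so the ntp-servers prefix-list covers it as John suggests, a counter and log on the discard term so you can see who is still probing, and the step the posted snippet leaves implicit, applying the filter to lo0 as an input filter. Addresses are placeholders, and since match conditions vary by platform, verify the result on each device.

```junos
/* Added example, not from the posts above. Addresses are placeholders. */
system {
    ntp {
        /* The boot-server address is deliberately repeated as a server so */
        /* that the apply-path prefix-list below picks it up automatically. */
        boot-server 192.0.2.10;
        server 192.0.2.10;
        server 192.0.2.11;
    }
}
policy-options {
    prefix-list lo0.0-inet-address {
        apply-path "interfaces lo0 unit 0 family inet address <*>";
    }
    prefix-list ntp-servers {
        apply-path "system ntp server <*>";
    }
}
firewall {
    family inet {
        filter lo-filter {
            /* NTP from our configured servers, or from ourselves, is fine. */
            term ntp-allow {
                from {
                    source-prefix-list {
                        ntp-servers;
                        lo0.0-inet-address;
                    }
                    protocol udp;
                    destination-port ntp;
                }
                then accept;
            }
            /* Anyone else asking our control plane for NTP is dropped, */
            /* counted, and logged so the remaining probes are visible. */
            term ntp-other-discard {
                from {
                    protocol udp;
                    destination-port ntp;
                }
                then {
                    count ntp-unwanted;
                    log;
                    discard;
                }
            }
            /* A real loopback filter has more terms before this catch-all. */
            term zz-accept {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                /* Without this the filter exists but protects nothing. */
                filter {
                    input lo-filter;
                }
            }
        }
    }
}
```

After commit, `show firewall filter lo-filter` shows the ntp-unwanted counter climbing if anything outside the prefix-lists is still reaching the control plane.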



Re: JunOS NTP - Re: OpenNTPProject.org

2014-02-18 Thread Mark Tinka
On Tuesday, February 18, 2014 04:14:59 PM Jared Mauch wrote:

 So, be careful as the Juniper solution varies depending
 on the platform involved.
 
 Make sure you check your devices.  It took a few
 iterations for us to get the right filters on
 everything.

Indeed.

In particular, different hardware and software combinations 
for the EX line have different match conditions for ports 
compared to the routers.

Mark.




Everyone should be deploying BCP 38! Wait, they are ….

2014-02-18 Thread Jay Ashworth
Here's a piece which uses the MIT ANA data to assert that the job is mostly 
done already.

Unless I'm very much mistaken, it appears that a large percentage of the failed 
BCP 38 spoofing tests listed in that data are actually due to customer side NAT 
routers dropping packets...

which is of course egress filtering rather than ingress filtering, and thus 
doesn't actually apply to our questions. 

Am I interpreting that correctly?

http://www.senki.org/everyone-should-be-deploying-bcp-38-wait-they-are/

(Oh, and bcp38.info is now the number 2 Ghit for bcp38; thanks to 5 new 
contributors for signing up to help so far this week.)

Cheers,
- jra
-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.


looking for feedback on virtual/dedicated server providers in latin/south america/UK

2014-02-18 Thread Carlos Kamtha
Hi, 

Just wondering if anyone could share some experiences with
server providers specifically in Argentina, Colombia and Costa Rica, 
and pretty much anywhere in the UK region.  

Please respond offlist. 

Any feedback would be greatly appreciated. :)

Carlos. 



Re: Everyone should be deploying BCP 38! Wait, they are ....

2014-02-18 Thread Dave Bell
That article is terrible.

Looking at the stats provided, only 2582 unique AS's were tested.
http://www.cidr-report.org/as2.0/#General_Status has over 46k AS's
currently in the routing table.

This means they have tested around 5% of the AS's on the Internet.

Dave


On 18 February 2014 17:20, Jay Ashworth j...@baylink.com wrote:

 Here's a piece which uses the MIT ANA data to assert that the job is
 mostly done already.

 Unless I'm very much mistaken, it appears that a large percentage of the
 failed BCP 38 spoofing tests listed in that data are actually due to
 customer side NAT routers dropping packets...

 which is of course egress filtering rather than ingress filtering, and
 thus doesn't actually apply to our questions.

 Am I interpreting that correctly?

 http://www.senki.org/everyone-should-be-deploying-bcp-38-wait-they-are/

 (Oh, and bcp38.info is now the number 2 Ghit for bcp38; thanks to 5 new
 contributors for signing up to help so far this week.)

 Cheers,
 - jra
 --
 Sent from my Android phone with K-9 Mail. Please excuse my brevity.



Re: Everyone should be deploying BCP 38! Wait, they are ....

2014-02-18 Thread Patrick W. Gilmore
Barry is a well respected security researcher. I'm surprised he posted this.

In his defense, he did it over a year ago (June 11, 2012). Maybe we should ask 
him about it. I'll do that now

-- 
TTFN,
patrick

On Feb 18, 2014, at 13:31 , Dave Bell m...@geordish.org wrote:

 That article is terrible.
 
 Looking at the stats provided, only 2582 unique AS's were tested.
 http://www.cidr-report.org/as2.0/#General_Status has over 46k AS's
 currently in the routing table.
 
 This means they have tested around 5% of the AS's on the Internet.
 
 Dave
 
 
 On 18 February 2014 17:20, Jay Ashworth j...@baylink.com wrote:
 
 Here's a piece which uses the MIT ANA data to assert that the job is
 mostly done already.
 
 Unless I'm very much mistaken, it appears that a large percentage of the
 failed BCP 38 spoofing tests listed in that data are actually due to
 customer side NAT routers dropping packets...
 
 which is of course egress filtering rather than ingress filtering, and
 thus doesn't actually apply to our questions.
 
 Am I interpreting that correctly?
 
 http://www.senki.org/everyone-should-be-deploying-bcp-38-wait-they-are/
 
 (Oh, and bcp38.info is now the number 2 Ghit for bcp38; thanks to 5 new
 contributors for signing up to help so far this week.)
 
 Cheers,
 - jra
 --
 Sent from my Android phone with K-9 Mail. Please excuse my brevity.
 
 




Re: looking for feedback on virtual/dedicated server providers in latin/south america/UK

2014-02-18 Thread Sam Moats
I have to recommend Linode in the UK, from my experience they have 
their act together and their prices are reasonable.

Sam Moats
Circle Net

On 2014-02-18 12:50, Carlos Kamtha wrote:

Hi,

Just wondering if anyone could share some experiences with
server providers specifically in Argentina, Colombia and Costa Rica,
and pretty much anywhere in the UK region.

Please respond offlist.

Any feedback would be greatly appreciated. :)

Carlos.





Re: Everyone should be deploying BCP 38! Wait, they are ….

2014-02-18 Thread Larry Sheldon

On 2/18/2014 11:20 AM, Jay Ashworth wrote:

Here's a piece which uses the MIT ANA data to assert that the job is
mostly done already.

Unless I'm very much mistaken, it appears that a large percentage of
the failed BCP 38 spoofing tests listed in that data are actually due
to customer side NAT routers dropping packets...

which is of course egress filtering rather than ingress filtering,
and thus doesn't actually apply to our questions.

Am I interpreting that correctly?


The date seems a little past buy by in light of the very recent 
observations and comments here.



http://www.senki.org/everyone-should-be-deploying-bcp-38-wait-they-are/



--
Requiescas in pace o email
Ex turpi causa non oritur actio

Two identifying characteristics of System Administrators:
Infallibility, and the ability to learn from their mistakes.
  (Adapted from Stephen Pinker)



Re: Everyone should be deploying BCP 38! Wait, they are ....

2014-02-18 Thread James Milko
Is using data from a self-selected group even meaningful when
extrapolated?  It's been a while since Stats in college, and it's very
likely the guys from MIT know more than I do, but one of the big things
they pushed was random sampling.

JM


On Tue, Feb 18, 2014 at 2:11 PM, Larry Sheldon larryshel...@cox.net wrote:

 On 2/18/2014 11:20 AM, Jay Ashworth wrote:

 Here's a piece which uses the MIT ANA data to assert that the job is
 mostly done already.

 Unless I'm very much mistaken, it appears that a large percentage of
 the failed BCP 38 spoofing tests listed in that data are actually due
 to customer side NAT routers dropping packets...

 which is of course egress filtering rather than ingress filtering,
 and thus doesn't actually apply to our questions.

 Am I interpreting that correctly?


 The date seems a little past buy by in light of the very recent
 observations and comments here.

  http://www.senki.org/everyone-should-be-deploying-bcp-38-wait-they-are/







Re: Everyone should be deploying BCP 38! Wait, they are ....

2014-02-18 Thread Jared Mauch

On Feb 18, 2014, at 1:40 PM, Patrick W. Gilmore patr...@ianai.net wrote:

 Barry is a well respected security researcher. I'm surprised he posted this.
 
 In his defense, he did it over a year ago (June 11, 2012). Maybe we should 
 ask him about it. I'll do that now

I'm not surprised in any regard.  There are too many names for BCP-38, SAV, 
SSAC-004, BCP-84, Ingress Filtering, etc..

There are many networks that perform this best practice either by default 
through NAT/firewalls or by explicit configuration of the devices.

There are many networks that one will never be able to measure nor audit as 
well, but that doesn't mean we shouldn't continue to work on tracking back 
spoofed packets and reporting the attacks, and securing devices.

- Jared




Changing the way we talk about BCP38 [Was: Re: Everyone should be deploying BCP 38! Wait, they are ....]

2014-02-18 Thread Paul Ferguson

Below:

On 2/18/2014 11:22 AM, Jared Mauch wrote:
 
 On Feb 18, 2014, at 1:40 PM, Patrick W. Gilmore patr...@ianai.net
 wrote:
 
 Barry is a well respected security researcher. I'm surprised he
 posted this.
 
 In his defense, he did it over a year ago (June 11, 2012). Maybe
 we should ask him about it. I'll do that now
 
 I'm not surprised in any regard.  There are too many names for
 BCP-38, SAV, SSAC-004, BCP-84, Ingress Filtering, etc..
 

This is why I am now using the phrase "anti-spoofing" when talking
about this in public. It's far less cryptic, and I am breaking it into
bite-sized components that people can actually understand.

As engineers & technical people, we need to start using language
people can wrap their brains around easily.

Remember: We are living in the age of instant gratification and
Attention Deficit Disorder.  :-)

- ferg


 There are many networks that perform this best practice either by
 default through NAT/firewalls or by explicit configuration of the
 devices.
 
 There are many networks that one will never be able to measure nor
 audit as well, but that doesn't mean we shouldn't continue to work
 on tracking back spoofed packets and reporting the attacks, and
 securing devices.
 
 - Jared
 
 
 
 


-- 
Paul Ferguson
VP Threat Intelligence, IID
PGP Public Key ID: 0x54DC85B2




HP to Cisco fiber

2014-02-18 Thread Eric J Esslinger
I've talked to HP and Cisco and neither side will commit to any kind of answer 
to this question, so I thought I'd ask it here:
Does anyone know if a Cisco switch equipped with a 1000BASE-BX10-D SFP will 
connect to an HP switch equipped with a HP X122 1G SFP LC BX-U Transceiver 
J9143B SFP, assuming they are already talking over dual fiber links and both 
units support the single fiber sfp's? (they do).

All the specs look like they should but Cisco and HP are doing the old 'will 
neither confirm nor deny interoperability'.

Off list reply is fine, I'd like someone with a definite 'yes I did it and it 
works fine' or 'no I tried it and it did not', not 'it should' because that's 
where I'm at for the moment.

-
Eric Esslinger
Information Services Manager - Fayetteville Public Utilities
http://www.fpunet.com/
(931)433-1522 ext 165






Re: Everyone should be deploying BCP 38! Wait, they are ....

2014-02-18 Thread Jay Ashworth
- Original Message -
 From: Dave Bell m...@geordish.org

 That article is terrible.
 
 Looking at the stats provided, only 2582 unique AS's were tested.
 http://www.cidr-report.org/as2.0/#General_Status has over 46k AS's
 currently in the routing table.
 
 This means they have tested around 5% of the AS's on the Internet.

Well, it did strike me, when someone cited the same data last week, that
it seemed an awful lot of stew to make from that few oysters. 

I suppose it does depend on what percentage of end nodes are subsumed
by those AS's, but there's no authoritative way to know that from on top.

Cheers,
-- jra
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth  Associates   http://www.bcp38.info  2000 Land Rover DII
St Petersburg FL USA  BCP38: Ask For It By Name!   +1 727 647 1274



BCP38 filtering on Mobile IP networks

2014-02-18 Thread Jay Ashworth
I note that the MIT ANA tester is only for desktop OSs, and none of the
network tools I've collected for Android have BCP38 filter testing built
in.

Does anyone know if there are such tools for Android and for iOS?

I assume that tether testing from a PC would be useless, as the NAT
implementation would drop the packets -- does anyone know if there
are any leaky NAT implementations that *won't* drop packets with bogus 
source addresses?

Or, alternatively, does anyone know *authoritatively* that any cell carrier's
mobile IP network already implements BCP38?  And if so, why aren't they
bragging about it; at least here?  :-)

I have added the Small Business page to BCP38.info.

Cheers,
-- jra
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth  Associates   http://www.bcp38.info  2000 Land Rover DII
St Petersburg FL USA  BCP38: Ask For It By Name!   +1 727 647 1274



Re: HP to Cisco fiber

2014-02-18 Thread Jared Mauch

On Feb 18, 2014, at 2:44 PM, Eric J Esslinger eesslin...@fpu-tn.com wrote:

 I've talked to HP and Cisco and neither side will commit to any kind of 
 answer to this question, so I thought I'd ask it here:
 Does anyone know if a Cisco switch equipped with a 1000BASE-BX10-D SFP will 
 connect to an HP switch equipped with a HP X122 1G SFP LC BX-U Transceiver 
 J9143B SFP, assuming they are already talking over dual fiber links and both 
 units support the single fiber sfp's? (they do).
 
 All the specs look like they should but Cisco and HP are doing the old 'will 
 neither confirm nor deny interoperability'.
 
 Off list reply is fine, I'd like someone with a definite 'yes I did it and it 
 works fine' or 'no I tried it and it did not', not 'it should' because that's 
 where I'm at for the moment.

Sounds like it should based on your description.  You should make sure other 
media settings match, such as speed, etc.. While this may seem illogical on a 
1G SFP, some devices have varying expectations of that, so sometimes speed 
nonegotiate is necessary.

If you are going from HP-HP to Cisco-HP, you may need to disable their 
transceiver eeprom check on the Cisco side.

- Jared


Re: Everyone should be deploying BCP 38! Wait, they are ....

2014-02-18 Thread Robert Drake


On 2/18/2014 2:19 PM, James Milko wrote:

Is using data from a self-selected group even meaningful when
extrapolated?  It's been a while since Stats in college, and it's very
likely the guys from MIT know more than I do, but one of the big things
they pushed was random sampling.

JM


Isn't it probable that people who know enough to download the spoofer 
project's program and run it might also be in a position to fix things when 
it's broken, or they may just be testing their own networks which 
they've already secured, just to verify they got it right.


I may put it on my laptop and start testing random places like 
Starbucks, my mom's house, conventions and other things, but if I'm 
running it from my home machine it's just to get the gold "I did this" star.


So yeah, data from the project is probably meaningless unless someone 
uses it as a worm payload and checks 50,000 computers randomly (of 
course I don't advise this.  I just wish there was a way to really push 
this to be run by everyone in the world for a week)


Maybe with enough hype we could get CNN to advise people to download 
it.  Actually, it would be nice if someone who writes security software 
like NOD32 or Malwarebytes, or spybot, adaware, etc, would integrate it 
into their test suite.  Then you get the thousands of users from them 
added to the results.




Re: Everyone should be deploying BCP 38! Wait, they are ....

2014-02-18 Thread Tony Tauber
I agree that Barry's post can be read in misleading ways and I seem to
recall chatting about that with him at some point.

As to one poster's comment about random sampling, I'm pretty sure the
Spoofer project likely fell short in a number of ways (e.g. being
documented in not every language).

So, if NATs prevent (many? most?) end-user machines from being able to inject
spoofed IPv4 source addresses (IPv6 home gateways may well not provide such
protection), maybe we should conclude that most of the spoofing is coming
from somewhere else; perhaps including colo and cloud providers.

I wonder how many users/admins of those kinds of machines ran the Spoofer
test SW.

Tony


On Tue, Feb 18, 2014 at 2:22 PM, Jared Mauch ja...@puck.nether.net wrote:


 On Feb 18, 2014, at 1:40 PM, Patrick W. Gilmore patr...@ianai.net wrote:

  Barry is a well respected security researcher. I'm surprised he posted
 this.
 
  In his defense, he did it over a year ago (June 11, 2012). Maybe we
 should ask him about it. I'll do that now

 I'm not surprised in any regard.  There are too many names for BCP-38,
 SAV, SSAC-004, BCP-84, Ingress Filtering, etc..

 There are many networks that perform this best practice either by
 default through NAT/firewalls or by explicit configuration of the devices.

 There are many networks that one will never be able to measure nor audit
 as well, but that doesn't mean we shouldn't continue to work on tracking
 back spoofed packets and reporting the attacks, and securing devices.

 - Jared





Re: Everyone should be deploying BCP 38! Wait, they are ....

2014-02-18 Thread Jay Ashworth
Spybot, adaware, and MalWare bytes.

I hadn't even thought of them; I was all fixated on Ookla... and why it 
wouldn't work.

I will query those folks.

Cheers,
- jra


On February 18, 2014 3:56:19 PM EST, Robert Drake rdr...@direcpath.com wrote:

On 2/18/2014 2:19 PM, James Milko wrote:
 Is using data from a self-selected group even meaningful when
 extrapolated?  It's been a while since Stats in college, and it's very
 likely the guys from MIT know more than I do, but one of the big things
 they pushed was random sampling.

 JM


Isn't it probable that people who know enough to download the spoofer 
project's program and run it might also be in a position to fix things when 
it's broken, or they may just be testing their own networks which 
they've already secured, just to verify they got it right.

I may put it on my laptop and start testing random places like 
Starbucks, my mom's house, conventions and other things, but if I'm 
running it from my home machine it's just to get the gold "I did this" star.

So yeah, data from the project is probably meaningless unless someone 
uses it as a worm payload and checks 50,000 computers randomly (of 
course I don't advise this.  I just wish there was a way to really push
this to be run by everyone in the world for a week)

Maybe with enough hype we could get CNN to advise people to download 
it.  Actually, it would be nice if someone who writes security software
like NOD32 or Malwarebytes, or spybot, adaware, etc, would integrate it
into their test suite.  Then you get the thousands of users from them 
added to the results.

-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.


Re: Changing the way we talk about BCP38 [Was: Re: Everyone should be deploying BCP 38! Wait, they are ....]

2014-02-18 Thread Dobbins, Roland

On Feb 19, 2014, at 2:43 AM, Paul Ferguson fergdawgs...@mykolab.com wrote:

 This is why I am now using the phrase anti-spoofing when talking about this 
 in public.

+1

It's also more semantically correct, in many cases.

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

  Luck is the residue of opportunity and design.

   -- John Milton




Fibre/Layer2 In San Jose

2014-02-18 Thread Geraint Jones
Hi 

I am wondering if anyone knows anyone with Fibre or L2 service between
Equinix SV1 (11 Great Oaks) and CoreSite (55 S Market).

It seems we need it sooner rather than later.

Thanks.
-- 
Geraint Jones
Director of Systems & Infrastructure
Koding 
https://koding.com
gera...@koding.com
Phone (415) 653-0083





Re: Everyone should be deploying BCP 38! Wait, they are ....

2014-02-18 Thread Dobbins, Roland

On Feb 19, 2014, at 4:52 AM, Tony Tauber ttau...@1-4-5.net wrote:

 maybe we should conclude that most of the spoofing is coming from somewhere 
 else; perhaps including colo and cloud providers.

My theory - not yet backed by data - is that probably most spoofed traffic 
these days does in fact emanate from IDC networks, and that a non-trivial 
proportion of same emanates from a relatively small number of such networks.

In many cases, it's possible to put 'naked' hosts on home broadband 
connections, however - and how common that is, and what proportion of those 
broadband access networks don't run any form of anti-spoofing, is an open 
question.

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

  Luck is the residue of opportunity and design.

   -- John Milton




spamassassin

2014-02-18 Thread Randy Bush
in the last 3-4 days, a *massive* amount of spam is making it past
spamassassin to my users and to me.  see appended for example.  not
all has dkim.

clue?

randy

From: SmallCapStockPlays i...@smallcapstockplays.com
Subject: Could VIIC be our biggest play in 2014?  Check the stock today
To: ra...@psg.com
Date: Tue, 18 Feb 2014 20:48:02 -0500
Return-path: bounces+796782.50654126.285...@icpbounce.com
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on ran.psg.com
X-Spam-Level: 
X-Spam-Status: No, score=0.8 required=5.0 
tests=BAYES_50,HTML_MESSAGE,MIME_QP_LONG_LINE,T_DKIM_INVALID autolearn=ham 
version=3.3.2
Received: from psg.com ([2001:418:1::62])
by ran.psg.com with esmtp (Exim 4.76)
(envelope-from bounces+796782.50654126.285...@icpbounce.com)
id 1WFwGl-0006al-Bu
for ra...@ran.psg.com; Wed, 19 Feb 2014 01:48:16 +
Received: from [207.254.213.223] (helo=drone166.ral.icpbounce.com)
by psg.com with esmtp (Exim 4.82 (FreeBSD))
(envelope-from bounces+796782.50654126.285...@icpbounce.com)
id 1WFwGZ-000Lp8-0W
for ra...@psg.com; Wed, 19 Feb 2014 01:48:04 +
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=default; 
d=icontactmail3.com; 
h=Mime-Version:From:To:Date:Subject:List-Unsubscribe:X-Feedback-ID:Content-Type:Message-ID;
 bh=iihwvTJA/ZrrgzXpk+9Muk0Sqlfk5BqD+aI+mL91kn8=; 
b=wKHIYdl1BdMRK0Kak5Z/2CwsfFh5Byoe9ZlHaqQz3VK4ltYtLfCI3tg6y8Wq3HuULY+ere7Fzz9Q  
 camnKSvqcSx3u8LQWQGQSZoYkOmzcIemCHNNrsBD+WZhVA9R3W10V2NM6OTuJKFURxtmCNME29kH   
5bYunRCoGolocQ5HmAw=
Mime-Version: 1.0
Errors-To: bounces+796782.50654126.285...@icpbounce.com
List-Unsubscribe: 
https://app.icontact.com/icp/listunsubscribe.php?r=50654126l=4084s=FSMCm=285374c=796782,
 mailto:bounces+796782.50654126.285...@icpbounce.com
X-List-Unsubscribe: 
https://app.icontact.com/icp/listunsubscribe.php?r=50654126l=4084s=FSMCm=285374c=796782
X-Unsubscribe-Web: 
https://app.icontact.com/icp/listunsubscribe.php?r=50654126l=4084s=FSMCm=285374c=796782
X-Feedback-ID: 01_796782_285374:01_796782:01:vocus
X-ICPINFO: 
X-Return-Path-Hint: bounces+796782.50654126.285...@icpbounce.com
Content-Type: multipart/alternative; 
boundary=cdf82e78-582d-4a55-9037-dacf81ae37d3
Message-ID: 0.1.f.afd.1cf2d149fe8fd9...@drone166.ral.icpbounce.com

[1  text/plain; utf-8 (quoted-printable)]
HOME ABOUT US TRADE IDEAS PENNY STOCK ARTICLES DAILY NEWS

[1][png] [2][png] [3][png]



Re: Work Practices of Cyber Security Professionals

2014-02-18 Thread Muhammad Adnan
Dear Valdis,

1) If you're including network admins, you should also make sure to
get system admins (though you'll be more successful asking elsewhere for
those).

We are also targeting system admins. As I mentioned in my e-mail, targeted
participants for this survey are those who perform security related
activities as a part of their job. After this sentence, I mentioned a
couple of roles as an example. By those examples I meant including but not
limited to.

2) Having worn at least a partial hat of all those along my career, I'm
curious what sort of tools will improve work practices for all the groups
concerned.

The goal of this project is not to improve the work practices for all the
groups concerned. Instead, our aim is to first find out what cyber security
professionals (we are using this term to define anyone who performs
security related activities) do on a day-to-day basis and which of their
activities are relatively more significant (i.e. performed more frequently and
require more time) than others. Once we establish that, then we will pick a
couple of relatively significant activities from their workflow and build
tools for those activities, following a user-centered design process.

But, to get to that stage we first need to know what cyber security
professionals do, how often they do that, and how much time they spend
doing that.

Hope that answers your questions. Feel free to ask if you have any more.

Best wishes,
Adnan





On Tue, Feb 18, 2014 at 2:28 PM, valdis.kletni...@vt.edu wrote:

 On Mon, 17 Feb 2014 15:27:25 +, Muhammad Adnan said:

  I am a university researcher who is investigating the development of new,
  usable tools that will improve the work practices of cyber security
  professionals. As a first step to achieve this goal, I am undertaking a
  survey to gain an in-depth understanding of the day-to-day activities of
  cyber security professionals. The targeted participants for this survey are
  those who perform security related activities as a part of their job (e.g.
  security analysts, network administrators, penetration testers).

 Several comments:

 1) If you're including network admins, you should also make sure to
 get system admins (though you'll be more successful asking elsewhere for
 those).

 2) Having worn at least a partial hat of all those along my career, I'm
 curious what sort of tools will improve work practices for all the groups
 concerned.  Probably the only place you'll find much overlap is in record
 keeping - but even there the record keeping that a sysadmin needs to do for
 changelogging their boxes is fairly different from what security analysts
 working an incident and pen testers engaged in a test will need.  There's
 also the problem that many sites have their change logging integrated into
 their version control system or other workflow software already...

 Good luck!



Re: spamassassin

2014-02-18 Thread Private Sender

Randy Bush wrote:

in the last 3-4 days, a *massive* amount of spam is making it past
spamassassin to my users and to me.  see appended for example.  not
all has dkim.

clue?

randy

From: SmallCapStockPlays i...@smallcapstockplays.com
Subject: Could VIIC be our biggest play in 2014?  Check the stock today
To: ra...@psg.com
Date: Tue, 18 Feb 2014 20:48:02 -0500
Return-path: bounces+796782.50654126.285...@icpbounce.com
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on ran.psg.com
X-Spam-Level:
X-Spam-Status: No, score=0.8 required=5.0 
tests=BAYES_50,HTML_MESSAGE,MIME_QP_LONG_LINE,T_DKIM_INVALID autolearn=ham 
version=3.3.2
Received: from psg.com ([2001:418:1::62])
by ran.psg.com with esmtp (Exim 4.76)
(envelope-from bounces+796782.50654126.285...@icpbounce.com)
id 1WFwGl-0006al-Bu
for ra...@ran.psg.com; Wed, 19 Feb 2014 01:48:16 +
Received: from [207.254.213.223] (helo=drone166.ral.icpbounce.com)
by psg.com with esmtp (Exim 4.82 (FreeBSD))
(envelope-from bounces+796782.50654126.285...@icpbounce.com)
id 1WFwGZ-000Lp8-0W
for ra...@psg.com; Wed, 19 Feb 2014 01:48:04 +
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=default; 
d=icontactmail3.com; 
h=Mime-Version:From:To:Date:Subject:List-Unsubscribe:X-Feedback-ID:Content-Type:Message-ID;
 bh=iihwvTJA/ZrrgzXpk+9Muk0Sqlfk5BqD+aI+mL91kn8=; 
b=wKHIYdl1BdMRK0Kak5Z/2CwsfFh5Byoe9ZlHaqQz3VK4ltYtLfCI3tg6y8Wq3HuULY+ere7Fzz9Q  
 camnKSvqcSx3u8LQWQGQSZoYkOmzcIemCHNNrsBD+WZhVA9R3W10V2NM6OTuJKFURxtmCNME29kH   
5bYunRCoGolocQ5HmAw=
Mime-Version: 1.0
Errors-To: bounces+796782.50654126.285...@icpbounce.com
List-Unsubscribe: 
https://app.icontact.com/icp/listunsubscribe.php?r=50654126l=4084s=FSMCm=285374c=796782,
 mailto:bounces+796782.50654126.285...@icpbounce.com
X-List-Unsubscribe: 
https://app.icontact.com/icp/listunsubscribe.php?r=50654126l=4084s=FSMCm=285374c=796782
X-Unsubscribe-Web: 
https://app.icontact.com/icp/listunsubscribe.php?r=50654126l=4084s=FSMCm=285374c=796782
X-Feedback-ID: 01_796782_285374:01_796782:01:vocus
X-ICPINFO:
X-Return-Path-Hint: bounces+796782.50654126.285...@icpbounce.com
Content-Type: multipart/alternative; 
boundary=cdf82e78-582d-4a55-9037-dacf81ae37d3
Message-ID: 0.1.f.afd.1cf2d149fe8fd9...@drone166.ral.icpbounce.com

[1  text/plain; utf-8 (quoted-printable)]
HOME ABOUT US TRADE IDEAS PENNY STOCK ARTICLES DAILY NEWS

[1][png] [2][png] [3][png]

They are smart and dkim sign their messages; even though it's invalid I 
believe that's why it has such a low bayes score.


It's getting marked as ham and not spam. Are you positive your 
definitions are still updating?




Re: spamassassin

2014-02-18 Thread Randy Bush
 They are smart and dkim sign their messages; even though it's invalid I 
 believe that's why it has such a low bayes score.

lots of the spam getting through has no dkim

 It's getting marked as ham and not spam. Are you positive your 
 definitions are still updating?

sa-update has run.  and it runs cleanly

randy



Re: spamassassin

2014-02-18 Thread Michael Thomas

On 02/18/2014 05:52 PM, Randy Bush wrote:

in the last 3-4 days, a *massive* amount of spam is making it past
spamassassin to my users and to me.  see appended for example.  not
all has dkim.




It's been a while since I've been in this world, but I wonder whether
bayes filters are using the public key of the dkim selector as a token.
If they don't change selectors/keys they'd probably be s-canned pretty
quickly. It would require that the dkim subsystem talk to the bayes
subsystem since the public key isn't in the signature, so I'm guessing
not.

Mike



random dns queries with random sources

2014-02-18 Thread Joe Maimon

Hey all,

DNS amplification spoofed source attacks, I get that. I even thought I 
was getting mitigation down to acceptable levels.


But now this. At different times during the previous days and on 
different resolvers, routers with proxy turned on, etc...


Thousands of queries with thousands of source ip addresses.

According to my logs, sources are not being repeated (or not with any 
significant frequency).


What is the purpose of this?

18-Feb-2014 21:45:24.982 queries: info: client 38.89.3.12#19391: query: swe.5kkx.com IN A + (66.199.132.5)
18-Feb-2014 21:45:25.067 queries: info: client 4.109.210.187#55190: query: ngqrbwuzquz.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:25.105 queries: info: client 91.82.209.221#33924: query: bgbtqcdtzen.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:25.106 queries: info: client 6.29.8.224#4379: query: uehkaiy.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:25.106 queries: info: client 67.27.41.169#44000: query: yqv.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:25.107 queries: info: client 45.207.31.218#30585: query: e.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:25.644 queries: info: client 95.217.89.95#5396: query: bfpofpj.5kkx.com IN A + (66.199.132.5)
18-Feb-2014 21:45:25.823 queries: info: client 89.47.129.187#12316: query: aocdesguijxym.5kkx.com IN A + (66.199.132.5)
18-Feb-2014 21:45:26.021 queries: info: client 15.205.106.62#34265: query: xqgyahfugnt.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:26.057 queries: info: client 128.64.33.29#7584: query: ijwhqfmpohmj.5kkx.com IN A + (216.222.148.103)
18-Feb-2014 21:45:26.330 queries: info: client 102.206.85.254#8093: query: ibojknsrqjohib.5kkx.com IN A + (216.222.148.103)
18-Feb-2014 21:45:26.333 queries: info: client 40.121.221.81#10822: query: ebb.5kkx.com IN A + (66.199.132.5)
18-Feb-2014 21:45:26.752 queries: info: client 104.55.169.43#30108: query: l.5kkx.com IN A + (66.199.132.7)




Re: spamassassin

2014-02-18 Thread Suresh Ramasubramanian
DKIM serves to authenticate the source of the message. So this is a stock
tip spam sent through an email service provider called icontact, and the
dkim signature declares that.  Just that and nothing more.

Says nothing at all about the email's reputation - whether it is spam or
not.

--srs

On Tuesday, February 18, 2014, Randy Bush ra...@psg.com wrote:

 in the last 3-4 days, a *massive* amount of spam is making it past
 spamassassin to my users and to me.  see appended for example.  not
 all has dkim.

 clue?




-- 
--srs (iPad)


Re: spamassassin

2014-02-18 Thread Larry Sheldon

On 2/18/2014 8:42 PM, Randy Bush wrote:

They are smart and dkim sign their messages; even though it's invalid I
believe that's why it has such a low bayes score.


lots of the spam getting through has no dkim


It's getting marked as ham and not spam. Are you positive your
definitions are still updating?


sa-update has run.  and it runs cleanly

randy



From a posting on NANAE:


On 2/18/2014 6:09 PM, Larry Sheldon wrote:

Received: from [207.254.213.223] (helo=drone166.ral.icpbounce.com)


Larry, icpbounce.com is IContact aka Vocus.  I don't know whether the
managers of Vocus are as whitehat as those of IContact were before the
buyout, but Andrew Barrett was still in charge of abuse/deliverability
when I last checked and he *does* respond quickly and effectively to
spam complaints.  Try sending this to ab...@icontact.com.



--
Requiescas in pace o email   Two identifying characteristics
of System Administrators:
Ex turpi causa non oritur actio  Infallibility, and the ability to
learn from their mistakes.
  (Adapted from Stephen Pinker)



Re: random dns queries with random sources

2014-02-18 Thread Mark Andrews

In message 5304201a.3040...@ttec.com, Joe Maimon writes:
 Hey all,
 
 DNS amplification spoofed source attacks, I get that. I even thought I 
 was getting mitigation down to acceptable levels.
 
 But now this. At different times during the previous days and on 
 different resolvers, routers with proxy turned on, etc...
 
 Thousands of queries with thousands of source ip addresses.
 
 According to my logs, sources are not being repeated (or not with any 
 significant frequency)
 
 What is the purpose of this?

Indirect attack on the 5kkx.com servers? 
 
 18-Feb-2014 21:45:24.982 queries: info: client 38.89.3.12#19391: query: swe.5kkx.com IN A + (66.199.132.5)
 18-Feb-2014 21:45:25.067 queries: info: client 4.109.210.187#55190: query: ngqrbwuzquz.5kkx.com IN A + (66.199.132.7)
 18-Feb-2014 21:45:25.105 queries: info: client 91.82.209.221#33924: query: bgbtqcdtzen.5kkx.com IN A + (66.199.132.7)
 18-Feb-2014 21:45:25.106 queries: info: client 6.29.8.224#4379: query: uehkaiy.5kkx.com IN A + (66.199.132.7)
 18-Feb-2014 21:45:25.106 queries: info: client 67.27.41.169#44000: query: yqv.5kkx.com IN A + (66.199.132.7)
 18-Feb-2014 21:45:25.107 queries: info: client 45.207.31.218#30585: query: e.5kkx.com IN A + (66.199.132.7)
 18-Feb-2014 21:45:25.644 queries: info: client 95.217.89.95#5396: query: bfpofpj.5kkx.com IN A + (66.199.132.5)
 18-Feb-2014 21:45:25.823 queries: info: client 89.47.129.187#12316: query: aocdesguijxym.5kkx.com IN A + (66.199.132.5)
 18-Feb-2014 21:45:26.021 queries: info: client 15.205.106.62#34265: query: xqgyahfugnt.5kkx.com IN A + (66.199.132.7)
 18-Feb-2014 21:45:26.057 queries: info: client 128.64.33.29#7584: query: ijwhqfmpohmj.5kkx.com IN A + (216.222.148.103)
 18-Feb-2014 21:45:26.330 queries: info: client 102.206.85.254#8093: query: ibojknsrqjohib.5kkx.com IN A + (216.222.148.103)
 18-Feb-2014 21:45:26.333 queries: info: client 40.121.221.81#10822: query: ebb.5kkx.com IN A + (66.199.132.5)
 18-Feb-2014 21:45:26.752 queries: info: client 104.55.169.43#30108: query: l.5kkx.com IN A + (66.199.132.7)
 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org



Re: random dns queries with random sources

2014-02-18 Thread ML

I couldn't resolve that domain or subdomains that I tried.

If that domain did respond, I'd guess it's tailored to be a large junky 
response.  Varying the qname prevents people from using iptables to 
block specific queries.



On 2/18/2014 10:08 PM, Joe Maimon wrote:

Hey all,

DNS amplification spoofed source attacks, I get that. I even thought I 
was getting mitigation down to acceptable levels.


But now this. At different times during the previous days and on 
different resolvers, routers with proxy turned on, etc...


Thousands of queries with thousands of source ip addresses.

According to my logs, sources are not being repeated (or not with any 
significant frequency)


What is the purpose of this?

18-Feb-2014 21:45:24.982 queries: info: client 38.89.3.12#19391: query: swe.5kkx.com IN A + (66.199.132.5)
18-Feb-2014 21:45:25.067 queries: info: client 4.109.210.187#55190: query: ngqrbwuzquz.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:25.105 queries: info: client 91.82.209.221#33924: query: bgbtqcdtzen.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:25.106 queries: info: client 6.29.8.224#4379: query: uehkaiy.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:25.106 queries: info: client 67.27.41.169#44000: query: yqv.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:25.107 queries: info: client 45.207.31.218#30585: query: e.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:25.644 queries: info: client 95.217.89.95#5396: query: bfpofpj.5kkx.com IN A + (66.199.132.5)
18-Feb-2014 21:45:25.823 queries: info: client 89.47.129.187#12316: query: aocdesguijxym.5kkx.com IN A + (66.199.132.5)
18-Feb-2014 21:45:26.021 queries: info: client 15.205.106.62#34265: query: xqgyahfugnt.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:26.057 queries: info: client 128.64.33.29#7584: query: ijwhqfmpohmj.5kkx.com IN A + (216.222.148.103)
18-Feb-2014 21:45:26.330 queries: info: client 102.206.85.254#8093: query: ibojknsrqjohib.5kkx.com IN A + (216.222.148.103)
18-Feb-2014 21:45:26.333 queries: info: client 40.121.221.81#10822: query: ebb.5kkx.com IN A + (66.199.132.5)
18-Feb-2014 21:45:26.752 queries: info: client 104.55.169.43#30108: query: l.5kkx.com IN A + (66.199.132.7)







Re: random dns queries with random sources

2014-02-18 Thread Joe Maimon



Mark Andrews wrote:


What is the purpose of this?


Indirect attack on the 5kkx.com servers?


18-Feb-2014 21:45:24.982 queries: info: client 38.89.3.12#19391: query: swe.5kkx.com IN A + (66.199.132.5)



I have seen dozens of different second level parts.

How is this any more effective than sending it direct?



Re: random dns queries with random sources

2014-02-18 Thread Doug Barton

On 02/18/2014 07:08 PM, Joe Maimon wrote:

Thousands of queries with thousands of source ip addresses.


Pardon if I missed a memo, but how are your resolver systems receiving 
these thousands of very different source addresses?


Doug



Re: random dns queries with random sources

2014-02-18 Thread Warren Bailey
Totally was trying to figure out how to ask the same thing. How exactly
are you the POC in this situation? lol

On 2/18/14, 7:35 PM, Doug Barton do...@dougbarton.us wrote:

On 02/18/2014 07:08 PM, Joe Maimon wrote:
 Thousands of queries with thousands of source ip addresses.

Pardon if I missed a memo, but how are your resolver systems receiving
these thousands of very different source addresses?

Doug





Re: random dns queries with random sources

2014-02-18 Thread Dobbins, Roland

On Feb 19, 2014, at 10:08 AM, Joe Maimon jmai...@ttec.com wrote:

 What is the purpose of this?

Resource-exhaustion attack against the recursive DNS?

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

  Luck is the residue of opportunity and design.

   -- John Milton




Re: random dns queries with random sources

2014-02-18 Thread Dobbins, Roland

On Feb 19, 2014, at 10:32 AM, Joe Maimon jmai...@ttec.com wrote:

 How is this any more effective than sending it direct?

If they're attacking the authoritative DNS servers for 5kkx.com, just 
reflecting gives them indirection and presumably makes traceback harder for 
5kkx.com (at least, in the minds of the attackers).

Or maybe they're trying to game 5kkx.com into blocking requests from the 
recursive servers in question, for some reason.

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

  Luck is the residue of opportunity and design.

   -- John Milton




Re: random dns queries with random sources

2014-02-18 Thread Christopher Morrow
On Tue, Feb 18, 2014 at 10:44 PM, Dobbins, Roland rdobb...@arbor.net wrote:

 On Feb 19, 2014, at 10:08 AM, Joe Maimon jmai...@ttec.com wrote:

 What is the purpose of this?

 Resource-exhaustion attack against the recursive DNS?

so... i could be nuts, but in the example joe clipped, the resolved
hosts are either:
66.199.132.5
66.199.132.7
or
216.222.148.103

these are from 2 different PI blocks, but the same named end-user: chl.net.

maybe someone's upset with CHL, whoever that may be.



Re: random dns queries with random sources

2014-02-18 Thread Dobbins, Roland

On Feb 19, 2014, at 10:44 AM, Dobbins, Roland rdobb...@arbor.net wrote:

 Resource-exhaustion attack against the recursive DNS?

Fat-finger, sorry - should also state 'Or against the authoritative servers for 
5kkx.com?'

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

  Luck is the residue of opportunity and design.

   -- John Milton




Re: random dns queries with random sources

2014-02-18 Thread Christopher Morrow
On Tue, Feb 18, 2014 at 10:47 PM, Christopher Morrow
morrowc.li...@gmail.com wrote:
 On Tue, Feb 18, 2014 at 10:44 PM, Dobbins, Roland rdobb...@arbor.net wrote:

 On Feb 19, 2014, at 10:08 AM, Joe Maimon jmai...@ttec.com wrote:

 What is the purpose of this?

 Resource-exhaustion attack against the recursive DNS?

 so... i could be nuts, but in the example joe clipped, the resolved
 hosts are either:
 66.199.132.5
 66.199.132.7
 or
 216.222.148.103

 these are from 2 different PI blocks, but the same named end-user: chl.net.

 maybe someone's upset with CHL, whoever that may be.

apologies. both chl.net and chl.com ... which appear to be parts of
ttec ... which is joe.



Re: random dns queries with random sources

2014-02-18 Thread George Herbert
Right.  Nonzero chances that you (Joe's site) are the target...

Also, check if you have egress filtering of spoofed addresses below these
DNS resources, between them and any user objects.  You could be sourcing
the spoofing if not...


On Tue, Feb 18, 2014 at 7:44 PM, Dobbins, Roland rdobb...@arbor.net wrote:


 On Feb 19, 2014, at 10:08 AM, Joe Maimon jmai...@ttec.com wrote:

  What is the purpose of this?

 Resource-exhaustion attack against the recursive DNS?

 ---
 Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

   Luck is the residue of opportunity and design.

-- John Milton





-- 
-george william herbert
george.herb...@gmail.com


Re: random dns queries with random sources

2014-02-18 Thread Joe Maimon



Doug Barton wrote:

On 02/18/2014 07:08 PM, Joe Maimon wrote:

Thousands of queries with thousands of source ip addresses.


Pardon if I missed a memo, but how are your resolver systems receiving
these thousands of very different source addresses?

Doug




Thousands of queries _from_ thousands of source ip addresses

likely they are spoofed

this is an example of what I am seeing

root@nameserver3:~# baddnsqueries-srcs 9aq.com | wc -l
1337
root@nameserver3:~# grep 9aq.com /var/log/named/queries | wc -l
1415
root@nameserver3:~# baddnsqueries-srcs 9aq.com | sort -rn -k2 | head -n5
99.86.116.243 1
99.219.232.72 1
99.184.19.178 1
99.155.180.193 1
99.129.26.85 1
root@nameserver3:~# grep 9aq.com /var/log/named/queries | head -n5
18-Feb-2014 22:42:30.754 queries: info: client 93.209.49.151#59706: query: abpdefguvwxym.dlq1.9aq.com IN A + (66.199.132.5)
18-Feb-2014 22:42:30.787 queries: info: client 110.158.165.119#32438: query: ocpkxdfupiy.dlq1.9aq.com IN A + (66.199.132.7)
18-Feb-2014 22:42:31.382 queries: info: client 84.14.84.205#63722: query: abpqeftuiwklz.dlq1.9aq.com IN A + (66.199.132.7)
18-Feb-2014 22:42:31.649 queries: info: client 45.73.65.145#38948: query: pvtlirr.dlq1.9aq.com IN A + (66.199.132.7)
18-Feb-2014 22:42:32.679 queries: info: client 9.121.56.232#18395: query: amo.dlq1.9aq.com IN A + (66.199.132.5)




root@nameserver3:~# cat /usr/local/sbin/baddnsqueries-srcs
#!/bin/bash
# Usage: baddnsqueries-srcs <pattern>
# For every source address that queried a name matching <pattern> in the
# BIND query log, print the address and the number of such queries it sent.
# (Field 6 of a query-log line is "client-ip#port:", so cut on '#' to keep the ip.)

if [[ "$1" == "" ]]; then exit 0; fi
grep -E "$1" /var/log/named/queries | cut -f6 -d' ' | cut -f1 -d'#' | sort | uniq |
while read INPUT; do
    if [[ "$INPUT" == "" ]]; then
        continue
    fi
    # anchor on "client <ip>#" so 1.2.3.4 does not also count 11.2.3.45
    echo "$INPUT" "$(grep "client $INPUT#" /var/log/named/queries | grep -c -E "$1")"
done
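As an added example (not code from the thread), here is a Python pass over BIND query-log lines in the format Joe posted that flags the pattern he describes: a base domain whose queries arrive from sources that never repeat, for labels that never repeat. The log lines, domain names, addresses and thresholds below are all constructed.

```python
"""Spot random-subdomain query floods in a BIND query log.

Added example, not code from the thread. It parses the
"queries: info: client A.B.C.D#port: query: NAME IN TYPE ..." format and,
per base domain, counts queries, distinct sources and distinct qnames. A
domain whose queries come almost entirely from never-repeating sources
under never-repeating labels is flagged.
"""
import re
from collections import defaultdict

# One BIND query-log line; IPv6 sources are matched as well.
LINE_RE = re.compile(
    r"client (?P<src>[0-9A-Fa-f.:]+)#(?P<port>\d+): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

# Constructed sample: a flood under flood.example and ordinary traffic
# under normal.example; addresses are from documentation ranges.
SAMPLE_LOG = """\
18-Feb-2014 21:45:24.982 queries: info: client 192.0.2.10#19391: query: swe.flood.example IN A + (203.0.113.5)
18-Feb-2014 21:45:25.067 queries: info: client 198.51.100.7#55190: query: ngqrbwuzquz.flood.example IN A + (203.0.113.7)
18-Feb-2014 21:45:25.105 queries: info: client 192.0.2.221#33924: query: bgbtqcdtzen.flood.example IN A + (203.0.113.7)
18-Feb-2014 21:45:25.106 queries: info: client 198.51.100.224#4379: query: uehkaiy.flood.example IN A + (203.0.113.7)
18-Feb-2014 21:45:25.106 queries: info: client 192.0.2.169#44000: query: yqv.flood.example IN A + (203.0.113.7)
18-Feb-2014 21:45:25.107 queries: info: client 198.51.100.218#30585: query: e.flood.example IN A + (203.0.113.7)
18-Feb-2014 21:45:25.200 queries: info: client 192.0.2.50#5353: query: www.normal.example IN A + (203.0.113.9)
18-Feb-2014 21:45:25.300 queries: info: client 192.0.2.50#5354: query: mail.normal.example IN MX + (203.0.113.9)
18-Feb-2014 21:45:25.400 queries: info: client 192.0.2.51#5355: query: www.normal.example IN A + (203.0.113.9)
18-Feb-2014 21:45:25.500 queries: info: client 192.0.2.51#5356: query: www.normal.example IN AAAA + (203.0.113.9)
this line is not a query-log entry and is skipped
"""


def parse_line(line):
    """Return (src, qname, qtype) for a query-log line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("qname").rstrip(".").lower(), m.group("qtype")


def base_domain(qname):
    """Base domain = last two labels. Assumption: adequate for this sample;
    real tooling should use the Public Suffix List (co.uk and friends)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def analyze(log_text, min_queries=5, src_ratio=0.9, qname_ratio=0.9):
    """Per base domain: query count, distinct sources, distinct qnames, and
    a 'suspicious' flag when, over at least min_queries queries, the share
    of distinct sources and the share of distinct qnames both reach the
    given ratios (thresholds are constructed, tune them to your traffic)."""
    stats = defaultdict(lambda: {"queries": 0, "sources": set(), "qnames": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, qname, _qtype = rec
        s = stats[base_domain(qname)]
        s["queries"] += 1
        s["sources"].add(src)
        s["qnames"].add(qname)

    report = {}
    for domain, s in stats.items():
        q = s["queries"]
        n_src, n_q = len(s["sources"]), len(s["qnames"])
        report[domain] = {
            "queries": q,
            "unique_sources": n_src,
            "unique_qnames": n_q,
            "suspicious": bool(
                q >= min_queries and n_src / q >= src_ratio and n_q / q >= qname_ratio
            ),
        }
    return report


if __name__ == "__main__":
    for domain, r in sorted(analyze(SAMPLE_LOG).items()):
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{domain:18} queries={r['queries']:3} sources={r['unique_sources']:3} "
              f"qnames={r['unique_qnames']:3} {flag}")
```

Run against a real log with `analyze(open("/var/log/named/queries").read())`; a flagged domain is the one to inspect with the per-source counts from the script above.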







Re: random dns queries with random sources

2014-02-18 Thread Joe Maimon



Dobbins, Roland wrote:


On Feb 19, 2014, at 10:08 AM, Joe Maimon jmai...@ttec.com wrote:


What is the purpose of this?


Resource-exhaustion attack against the recursive DNS?



On anything that is going to stay open, not even close.



Re: spamassassin

2014-02-18 Thread Private Sender


On 2/18/2014 7:10 PM, Suresh Ramasubramanian wrote:
 DKIM serves to authenticate the source of the message. So this is a stock
 tip spam sent through an email service provider called icontact, and the
 dkim signature declares that.  Just that and nothing more.

 Says nothing at all about the email's reputation - whether it is spam or
 not.

 --srs

 On Tuesday, February 18, 2014, Randy Bush ra...@psg.com wrote:


Yeah, it just validates the domain that the email came from.

But,

X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on ran.psg.com
X-Spam-Level:
X-Spam-Status: No, score=0.8 required=5.0
tests=BAYES_50,HTML_MESSAGE,MIME_QP_LONG_LINE,*T_DKIM_INVALID*
autolearn=ham version=3.3.2

Spamassassin knows the dkim signature is invalid, so there must be a dns
query that occurs at this point in the message processing.

If that is the case, there must be some way to configure to reject if the
dkim signature is invalid.

X-Spam-Status: No, score=0.8 required=5.0

Spamassassin isn't going to block anything until it registers a score of
5. So, just having a dkim signature (even though invalid) is possibly
lowering the score. Maybe you could tweak the settings to pick off spam
at a lower score. But, setting your levels down to 0.8 would probably
block legitimate email.

You could always block their ip in the helo_access (or iptables) of your
postfix server (I'm assuming that's what you are using). But that's only
going to be a temporary fix.

You could also add a rbl query to your mail server config to spamhaus.
That could always help.



Re: random dns queries with random sources

2014-02-18 Thread Dobbins, Roland

On Feb 19, 2014, at 10:48 AM, Christopher Morrow morrowc.li...@gmail.com 
wrote:

 apologies. both chl.net and chl.com ... which appear to be parts of ttec ... 
 which is joe.

Premature send - I meant to add 'Or against the authoritative servers for 
5kkx.com?'

We've been seeing a spate of reflected (not amplified) DNS attacks against 
various authoritative servers in Europe for the past week or so, bounced 
through some type of consumer DSL broadband CPE with an open DNS forwarder on 
the WAN interface (don't know the make/model, but it was supplied by the 
broadband operators to the customers), on some European broadband access 
networks.  

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

  Luck is the residue of opportunity and design.

   -- John Milton




Re: random dns queries with random sources

2014-02-18 Thread Doug Barton

On 02/18/2014 07:59 PM, Joe Maimon wrote:



Doug Barton wrote:

On 02/18/2014 07:08 PM, Joe Maimon wrote:

Thousands of queries with thousands of source ip addresses.


Pardon if I missed a memo, but how are your resolver systems receiving
these thousands of very different source addresses?

Doug




Thousands of queries _from_ thousands of source ip addresses

likely they are spoofed


Yes, got that bit. :)  What I'm asking is, why are spoofed queries 
hitting your different resolvers, routers with proxy turned on, etc.?


Are you running open resolvers? If so, please stop doing that, it's 
widely known to be a bad idea for over a decade now, and you are 
providing the bad guys a tool to use for DDOS attacks.


If it's something else, please speak up. Regardless of the goal of this 
particular issue, the way to solve the root problem is to prevent the 
spoofed packets from getting to your servers in the first place.


Doug




Re: spamassassin

2014-02-18 Thread Suresh Ramasubramanian
I would not advise that.  Plenty of things can render a dkim sig invalid.
Not all of them are evidence of malice.

You might be well advised to check for a DMARC record (which asserts policy
using a combination of DKIM and SPF) and if there's a reject there, feel
free to trash the email if there's a validation failure.  But not simply
because a DKIM signature breaks.

--srs

On Tuesday, February 18, 2014, Private Sender nob...@snovc.com wrote:

 Spamassassin knows the dkim signature is invalid, so there must be a dns
 query that occurs at this point in the message processing.

 If that is the case, there must be someway to configure to reject if the
 dkim signature is invalid.



-- 
--srs (iPad)
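The distinction Suresh draws, as an added example that is not code from the thread: a DMARC-style disposition check that only rejects on an aligned-identifier failure under a published p=reject, never on a broken DKIM signature alone. The record text is handed in directly (no DNS lookup), the "no DMARC record published" case for the thread's sender is a constructed assumption, and the organizational-domain rule is simplified to the last two labels.

```python
"""What a broken DKIM signature does and does not justify, per DMARC.

Added example, not code from the thread. The DMARC record is passed in as
text (no DNS lookup is performed). The organizational domain is taken as
the last two labels, a simplification; real code uses the Public Suffix
List. The pct= and sp= tags are ignored for brevity.
"""


def parse_dmarc(txt):
    """'v=DMARC1; p=reject; adkim=s' -> {'v': 'DMARC1', 'p': 'reject', 'adkim': 's'}.
    Returns None when no record is given or it is not a DMARC record."""
    if not txt:
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags


def org_domain(domain):
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed
    ('r', the default) needs the same organizational domain."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def dmarc_disposition(from_domain, dmarc_txt, dkim_results, spf_result):
    """dkim_results: list of (d= domain, signature_valid) pairs.
    spf_result: (domain SPF was evaluated for, spf_passed) or None.
    Returns 'none' when no policy is published, 'pass' when an aligned
    DKIM or SPF result passes, else the published p= value."""
    policy = parse_dmarc(dmarc_txt)
    if policy is None:
        return "none"  # no DMARC: an invalid DKIM signature is not a verdict
    adkim = policy.get("adkim", "r")
    aspf = policy.get("aspf", "r")
    dkim_ok = any(valid and aligned(from_domain, d, adkim) for d, valid in dkim_results)
    spf_ok = bool(spf_result) and spf_result[1] and aligned(from_domain, spf_result[0], aspf)
    if dkim_ok or spf_ok:
        return "pass"
    return policy["p"]


if __name__ == "__main__":
    # The thread's sample: From domain smallcapstockplays.com, DKIM d=icontactmail3.com
    # flagged T_DKIM_INVALID. Assuming (constructed) that no DMARC record is
    # published, the broken signature yields no disposition at all.
    print(dmarc_disposition("smallcapstockplays.com", None,
                            [("icontactmail3.com", False)], ("icpbounce.com", True)))
    # Same failure under a published p=reject with nothing aligned passing: reject.
    print(dmarc_disposition("example.com", "v=DMARC1; p=reject",
                            [("example.com", False)], ("example.com", False)))
```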


Re: random dns queries with random sources

2014-02-18 Thread Joe Maimon



Doug Barton wrote:

On 02/18/2014 07:59 PM, Joe Maimon wrote:



Are you running open resolvers?


Yes


If so, please stop doing that,


No



it's
widely known to be a bad idea for over a decade now,


At this point, doing anything on the internet is a bad idea.



and you are
providing the bad guys a tool to use for DDOS attacks.


Get back to me when the same can't be done with auth servers.



If it's something else, please speak up. Regardless of the goal of this
particular issue, the way to solve the root problem is to prevent the
spoofed packets from getting to your servers in the first place.

Doug











Re: random dns queries with random sources

2014-02-18 Thread Joe Maimon



George Herbert wrote:

Right.  Nonzero chances that you (Joe's site) are the target...

Also, check if you have egress filtering of spoofed addresses below these
DNS resources, between them and any user objects.  You could be sourcing
the spoofing if not...


It seems to me that the same|similar dataset of open resolvers to be 
used for amplification attacks is also being used for this sort of 
thing, and the overall effect is not large enough to indicate my 
resources are a target.


What I can't figure out is what the target is and how this attack method 
is any more effective than the others.


Joe



Re: random dns queries with random sources

2014-02-18 Thread Dobbins, Roland

On Feb 19, 2014, at 12:44 PM, Joe Maimon jmai...@ttec.com wrote:

 Get back to me when the same can't be done with auth servers.

There are ways to deal with it on authoritative servers, like RRL.

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

  Luck is the residue of opportunity and design.

   -- John Milton




Re: random dns queries with random sources

2014-02-18 Thread Dobbins, Roland

On Feb 19, 2014, at 12:48 PM, Joe Maimon jmai...@ttec.com wrote:

 What I can't figure out is what the target is and how this attack method is 
 any more effective than the others.

The target appears to be the authoritative servers for the domain in question, 
yes?

The attacker may consider it more effective because it provides a degree of 
obfuscation, or maybe he has some reason to game the operators of the 
authoritative servers in question into denying requests from your recursors.

Most (not all) attackers don't know that much about TCP/IP, DNS, et al., and 
they tend to copycat one another and do the same things due to magical thinking.

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

  Luck is the residue of opportunity and design.

   -- John Milton




Re: random dns queries with random sources

2014-02-18 Thread Owen DeLong

On Feb 18, 2014, at 9:48 PM, Joe Maimon jmai...@ttec.com wrote:

 
 
 George Herbert wrote:
 Right.  Nonzero chances that you (Joe's site) are the target...
 
 Also, check if you have egress filtering of spoofed addresses below these
 DNS resources, between them and any user objects.  You could be sourcing
 the spoofing if not...
 
 It seems to me that the same|similar dataset of open resolvers to be used for 
 amplification attacks is also being used for this sort of thing, and the 
 overall effect is not large enough to indicate my resources are a target.
 
 What I can't figure out is what the target is and how this attack method is 
 any more effective than the others.
 
 Joe

This assumes several facts not in evidence:

1.  It is an attack.
2.  It is deliberate
3.  There is a target
4.  It is more effective than others

On what do you base those assumptions? To me this looks to be far more likely 
to be someone’s wayward script, experiment, software, tool, etc. doing 
something it probably isn’t supposed to be doing.

If it happens to also be gathering the answers or information that the author 
wants (or appears to be doing so), then the author may well be blissfully 
ignorant of its wayward behavior towards your servers.

Owen




Re: random dns queries with random sources

2014-02-18 Thread Joe Maimon



Dobbins, Roland wrote:


On Feb 19, 2014, at 12:44 PM, Joe Maimon jmai...@ttec.com wrote:


Get back to me when the same can't be done with auth servers.


There are ways to deal with it on authoritative servers, like RRL.




There are ways to deal with it on resolvers as well, like RRL and IDS 
and iptables; see google for some more examples.






Re: random dns queries with random sources

2014-02-18 Thread Joe Maimon



Dobbins, Roland wrote:


On Feb 19, 2014, at 12:48 PM, Joe Maimon jmai...@ttec.com wrote:


What I can't figure out is what the target is and how this attack method is any 
more effective than the others.


The target appears to be the authoritative servers for the domain in question, 
yes?


I don't think so, but I have not compiled the full list of domains and 
compared the auth servers for each.




The attacker may consider it more effective because it provides a degree of 
obfuscation, or maybe he has some reason to game the operators of the 
authoritative servers in question into denying requests from your recursors.

Most (not all) attackers don't know that much about TCP/IP, DNS, et al., and 
they tend to copycat one another and do the same things due to magical thinking.

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

  Luck is the residue of opportunity and design.

   -- John Milton








Re: random dns queries with random sources

2014-02-18 Thread Dobbins, Roland

On Feb 19, 2014, at 1:07 PM, Joe Maimon jmai...@ttec.com wrote:

 There are ways to deal with it on resolvers as well, like RRL and IDS and 
 iptables

None of these things work well for recursive resolvers; they cause more 
problems than they solve.

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

  Luck is the residue of opportunity and design.

   -- John Milton




Re: spamassassin

2014-02-18 Thread Randy Bush
as i said, much of the crap coming through, 10-20 times normal, does not
have dkim.  i suggest that focusing on dkim is a red herring.  and yes,
i know how dkim works.

 If that is the case, there must be someway to configure to reject if the
 dkim signature is invalid.

5.0-0.8 is a large value, at least in this area.

 You could always block their ip in the ...

their?  you are presuming a single source.

 You could also add a rbl query to your mail server config to spamhaus.

have had that for years

randy



Re: random dns queries with random sources

2014-02-18 Thread Joe Maimon



Owen DeLong wrote:


On Feb 18, 2014, at 9:48 PM, Joe Maimon jmai...@ttec.com wrote:




This assumes several facts not in evidence:

1.  It is an attack.
2.  It is deliberate
3.  There is a target
4.  It is more effective than others

On what do you base those assumptions? To me this looks to be far more likely 
to be someone’s wayward script, experiment, software, tool, etc. doing 
something it probably isn’t supposed to be doing.


I have found this occurring on unaffiliated open resolvers (that I 
happen to support and that I was able to make the choice to close)


It has been ongoing for a week or so (but not constant). The domain 
names have a pattern but are comprised of components that appear to be 
randomly generated. The source IP addresses for the queries appear to be 
non-duplicated and randomly generated.


query logs are available for unicasting to the interested.

Has nobody else seen this?



If it happens to also be gathering the answers or information that the author 
wants (or appears to be doing so), then the author may well be blissfully 
ignorant of its wayward behavior towards your servers.

Owen





I would like to figure out how.

Joe





Re: random dns queries with random sources

2014-02-18 Thread Joe Maimon



Dobbins, Roland wrote:


On Feb 19, 2014, at 1:07 PM, Joe Maimon jmai...@ttec.com wrote:


There are ways to deal with it on resolvers as well, like RRL and IDS and 
iptables


None of these things work well for recursive resolvers; they cause more 
problems than they solve.



Whatever I am doing appears to be working, at least until this cropped up.

Joe



Re: spamassassin

2014-02-18 Thread Daniel Staal
--As of February 19, 2014 9:52:57 AM +0800, Randy Bush is alleged to have 
said:



in the last 3-4 days, a *massive* amount of spam is making it past
spamassassin to my users and to me.  see appended for example.  not
all has dkim.

clue?


--As for the rest, it is mine.

The spamassassin list has been tracking an issue where a new rule made it 
out of the testbox accidentally, which lowers scores on a lot of spam.  It 
wasn't in the sample you provided, but the rule name is BAYES_999 - it 
catches mail that the bayes filter thinks is 99.9-100% sure to be spam.  As 
it got promoted prematurely, it's showing with a score of 1.0.  (The 
default.)  It's probably a part of your problem.


A fix should be in the rules update today or tomorrow - or you can rescore 
it to the same as BAYES_99 (someplace in the 3 range by default, I 
believe).  That's what used to catch that mail: it used to mean 99-100%, 
and now means 99-99.9%.


More info can be found in the mailing list archives for the spamassassin 
list.


Daniel T. Staal

---
This email copyright the author.  Unless otherwise noted, you
are expressly allowed to retransmit, quote, or otherwise use
the contents for non-commercial purposes.  This copyright will
expire 5 years after the author's death, or in 30 years,
whichever is longer, unless such a period is in excess of
local copyright law.
---



Re: spamassassin

2014-02-18 Thread Randy Bush
 A fix should be in the rules update today or tomorrow - or you can rescore 
 it to the same as BAYES_99 (someplace in the 3 range by default, I 
 believe).  That's what used to catch that mail: it used to mean 99-100%, 
 and now means 99-99.9%.

trying the copy 99-999 now.  thanks!

randy