Re: spamassassin

2014-02-18 Thread Randy Bush
> A fix should be in the rules update today or tomorrow - or you can rescore 
> it to the same as BAYES_99 (someplace in the 3 range by default, I 
> believe).  That's what used to catch that mail: it used to mean 99-100%, 
> and now means 99-99.9%.

trying the copy 99->999 now.  thanks!

randy



Re: spamassassin

2014-02-18 Thread Daniel Staal
--As of February 19, 2014 9:52:57 AM +0800, Randy Bush is alleged to have 
said:



in the last 3-4 days, a *massive* amount of spam is making it past
spamassassin to my users and to me.  see appended for example.  not
all has dkim.

clue?


--As for the rest, it is mine.

The spamassassin list has been tracking an issue where a new rule made it 
out of the testbox accidentally, which lowers scores on a lot of spam.  It 
wasn't in the sample you provided, but the rule name is BAYES_999 - it 
catches mail that the bayes filter thinks is 99.9-100% sure to be spam.  As 
it got promoted prematurely, it's showing with a score of 1.0.  (The 
default.)  It's probably a part of your problem.


A fix should be in the rules update today or tomorrow - or you can rescore 
it to the same as BAYES_99 (someplace in the 3 range by default, I 
believe).  That's what used to catch that mail: it used to mean 99-100%, 
and now means 99-99.9%.


More info can be found in the mailing list archives for the spamassassin 
list.


Daniel T. Staal

---
This email copyright the author.  Unless otherwise noted, you
are expressly allowed to retransmit, quote, or otherwise use
the contents for non-commercial purposes.  This copyright will
expire 5 years after the author's death, or in 30 years,
whichever is longer, unless such a period is in excess of
local copyright law.
---



Re: random dns queries with random sources

2014-02-18 Thread Joe Maimon



Dobbins, Roland wrote:


On Feb 19, 2014, at 1:07 PM, Joe Maimon  wrote:


There are ways to deal with it on resolvers as well, like RRL and IDS and 
iptables


None of these things work well for recursive resolvers; they cause more 
problems than they solve.



Whatever I am doing appears to be working, at least until this cropped up.

Joe



Re: random dns queries with random sources

2014-02-18 Thread Joe Maimon



Owen DeLong wrote:


On Feb 18, 2014, at 9:48 PM, Joe Maimon  wrote:




This assumes several facts not in evidence:

1.  It is an attack.
2.  It is deliberate
3.  There is a target
4.  It is more effective than others

On what do you base those assumptions? To me this looks to be far more likely 
to be someone’s wayward script, experiment, software, tool, etc. doing 
something it probably isn’t supposed to be doing.


I have found this occurring on unaffiliated open resolvers (that I 
happen to support and that I was able to make the choice to close)


It has been ongoing for a week or so (but not constant). The domain 
names have a pattern but are comprised of components that appear to be 
randomly generated. The source IP addresses for the queries appear to be 
non duplicated and randomly generated.


query logs are available for unicasting to the interested.

Has nobody else seen this?



If it happens to also be gathering the answers or information that the author 
wants (or appears to be doing so), then the author may well be blissfully 
ignorant of its wayward behavior towards your servers.

Owen





I would like to figure out how.

Joe





Re: spamassassin

2014-02-18 Thread Randy Bush
as i said, much of the crap coming through, 10-20 times normal, does not
have dkim.  i suggest that focusing on dkim is a red herring.  and yes,
i know how dkim works.

> If that is the case, there must be someway to configure to reject if the
> dkim signature is invalid.

5.0-0.8 is a large valus, at least in this area.

> You could always block their ip in the ...

their?  you are presuming a single soure.

> You could also add a rbl query to your mail server config to spamhaus.

have had that for years

randy



Re: random dns queries with random sources

2014-02-18 Thread Dobbins, Roland

On Feb 19, 2014, at 1:07 PM, Joe Maimon  wrote:

> There are ways to deal with it on resolvers as well, like RRL and IDS and 
> iptables

None of these things work well for recursive resolvers; they cause more 
problems than they solve.

---
Roland Dobbins  // 

  Luck is the residue of opportunity and design.

   -- John Milton




Re: random dns queries with random sources

2014-02-18 Thread Joe Maimon



Dobbins, Roland wrote:


On Feb 19, 2014, at 12:48 PM, Joe Maimon  wrote:


What I cant figure out is what is the target and how this attack method is any 
more effective then the others.


The target appears to be the authoritative servers for the domain in question, 
yes?


I dont think so, but I have not compiled the full list of domains and 
compared the auth servers for each.




The attacker may consider it more effective because it provides a degree of 
obfuscation, or maybe he has some reason to game the operators of the 
authoritative servers in question into denying requests from your recursors.

Most (not all) attackers don't know that much about TCP/IP, DNS, et. al, and 
they tend to copycat one another and do the same things due to magical thinking.

---
Roland Dobbins  // 

  Luck is the residue of opportunity and design.

   -- John Milton








Re: random dns queries with random sources

2014-02-18 Thread Joe Maimon



Dobbins, Roland wrote:


On Feb 19, 2014, at 12:44 PM, Joe Maimon  wrote:


Get back to me when the same cant be done with auth servers.


There are ways to deal with it on authoritative servers, like RRL.




There are ways to deal with it on resolvers as well, like RRL and IDS 
and iptables and see google for so more examples.






Re: random dns queries with random sources

2014-02-18 Thread Owen DeLong

On Feb 18, 2014, at 9:48 PM, Joe Maimon  wrote:

> 
> 
> George Herbert wrote:
>> Right.  Nonzero chances that you (Joe's site) are the target...
>> 
>> Also, check if you have egress filtering of spoofed addresses below these
>> DNS resources, between them and any user objects.  You could be sourcing
>> the spoofing if not...
> 
> It seems to me that the same|similar dataset of open resolvers to be used for 
> amplification attacks is also being used for this sort of thing, and the 
> overall effect is not large enough to indicate my resources are a target.
> 
> What I cant figure out is what is the target and how this attack method is 
> any more effective then the others.
> 
> Joe

This assumes several facts not in evidence:

1.  It is an attack.
2.  It is deliberate
3.  There is a target
4.  It is more effective than others

On what do you base those assumptions? To me this looks to be far more likely 
to be someone’s wayward script, experiment, software, tool, etc. doing 
something it probably isn’t supposed to be doing.

If it happens to also be gathering the answers or information that the author 
wants (or appears to be doing so), then the author may well be blissfully 
ignorant of its wayward behavior towards your servers.

Owen




Re: random dns queries with random sources

2014-02-18 Thread Dobbins, Roland

On Feb 19, 2014, at 12:48 PM, Joe Maimon  wrote:

> What I cant figure out is what is the target and how this attack method is 
> any more effective then the others.

The target appears to be the authoritative servers for the domain in question, 
yes?

The attacker may consider it more effective because it provides a degree of 
obfuscation, or maybe he has some reason to game the operators of the 
authoritative servers in question into denying requests from your recursors.

Most (not all) attackers don't know that much about TCP/IP, DNS, et. al, and 
they tend to copycat one another and do the same things due to magical thinking.

---
Roland Dobbins  // 

  Luck is the residue of opportunity and design.

   -- John Milton




Re: random dns queries with random sources

2014-02-18 Thread Dobbins, Roland

On Feb 19, 2014, at 12:44 PM, Joe Maimon  wrote:

> Get back to me when the same cant be done with auth servers.

There are ways to deal with it on authoritative servers, like RRL.

---
Roland Dobbins  // 

  Luck is the residue of opportunity and design.

   -- John Milton




Re: random dns queries with random sources

2014-02-18 Thread Joe Maimon



George Herbert wrote:

Right.  Nonzero chances that you (Joe's site) are the target...

Also, check if you have egress filtering of spoofed addresses below these
DNS resources, between them and any user objects.  You could be sourcing
the spoofing if not...


It seems to me that the same|similar dataset of open resolvers to be 
used for amplification attacks is also being used for this sort of 
thing, and the overall effect is not large enough to indicate my 
resources are a target.


What I cant figure out is what is the target and how this attack method 
is any more effective then the others.


Joe



Re: random dns queries with random sources

2014-02-18 Thread Joe Maimon



Doug Barton wrote:

On 02/18/2014 07:59 PM, Joe Maimon wrote:



Are you running open resolvers?


Yes


If so, please stop doing that,


No



it's
widely known to be a bad idea for over a decade now,


At this point, doing anything on the internet is a bad idea.



and you are
providing the bad guys a tool to use for DDOS attacks.


Get back to me when the same cant be done with auth servers.



If it's something else, please speak up. Regardless of the goal of this
particular issue, the way to solve the root problem is to prevent the
spoofed packets from getting to your servers in the first place.

Doug











Re: spamassassin

2014-02-18 Thread Suresh Ramasubramanian
I would not advise that.  Plenty of things can render a dkim sig invalid.
 Not all of them are evidences of malice.

You might be well advised to check for a DMARC record (which asserts policy
using a combination of DKIM and SPF) and if there's a reject there, feel
free to trash the email if there's a validation failure.  But not simply
because a DKIM signature breaks.

--srs

On Tuesday, February 18, 2014, Private Sender  wrote:

> Spamassassin knows the dkim signature is invalid, so there must be a dns
> query that occurs at this point in the message processing.
>
> If that is the case, there must be someway to configure to reject if the
> dkim signature is invalid.
>
>

-- 
--srs (iPad)


Re: random dns queries with random sources

2014-02-18 Thread Doug Barton

On 02/18/2014 07:59 PM, Joe Maimon wrote:



Doug Barton wrote:

On 02/18/2014 07:08 PM, Joe Maimon wrote:

Thousand of queries with thousands of source ip addresses.


Pardon if I missed a memo, but how are your resolver systems receiving
these thousands of very different source addresses?

Doug




Thousands of queries _from_ thousands of source ip addresses

likely they are spoofed


Yes, got that bit. :)  What I'm asking is, why are spoofed queries 
hitting your "different resolvers, routers with proxy turned on, etc.?"


Are you running open resolvers? If so, please stop doing that, it's 
widely known to be a bad idea for over a decade now, and you are 
providing the bad guys a tool to use for DDOS attacks.


If it's something else, please speak up. Regardless of the goal of this 
particular issue, the way to solve the root problem is to prevent the 
spoofed packets from getting to your servers in the first place.


Doug




Re: random dns queries with random sources

2014-02-18 Thread Dobbins, Roland

On Feb 19, 2014, at 10:48 AM, Christopher Morrow  
wrote:

> apologies. both chl.net and chl.com ... which appear to be parts of ttec ... 
> which is joe.

Premature send - I meant to add 'Or against the authoritative servers for 
5kkx.com?'

We've been seeing a spate of reflected (not amplified) DNS attacks against 
various authoritative servers in Europe for the past week or so, bounced 
through some type of consumer DSL broadband CPE with an open DNS forwarded on 
the WAN interface (don't know the make/model, but it was supplied by the 
broadband operators to the customers), on some European broadband access 
networks.  

---
Roland Dobbins  // 

  Luck is the residue of opportunity and design.

   -- John Milton




Re: spamassassin

2014-02-18 Thread Private Sender

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
 

On 2/18/2014 7:10 PM, Suresh Ramasubramanian wrote:
> DKIM serves to authenticate the source of the message. So this is a stock
> tip spam sent through an email service provider called icontact, and the
> dkim signature declares that.  Just that and nothing more.
>
> Says nothing at all about the email's reputation - whether it is spam or
> not.
>
> --srs
>
> On Tuesday, February 18, 2014, Randy Bush  wrote:
>
- -BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
 

On 2/18/2014 7:10 PM, Suresh Ramasubramanian wrote:
> DKIM serves to authenticate the source of the message. So this is a stock
> tip spam sent through an email service provider called icontact, and the
> dkim signature declares that.  Just that and nothing more.
>
> Says nothing at all about the email's reputation - whether it is spam or
> not.
>
> --srs
>
> On Tuesday, February 18, 2014, Randy Bush  wrote:
>

Yeah, it just validates the domain that the email came from.

But,

"X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on ran.psg.com
X-Spam-Level:
X-Spam-Status: No, score=0.8 required=5.0
tests=BAYES_50,HTML_MESSAGE,MIME_QP_LONG_LINE,*T_DKIM_INVALID*
autolearn=ham version=3.3.2"

Spamassassin knows the dkim signature is invalid, so there must be a dns
query that occurs at this point in the message processing.

If that is the case, there must be someway to configure to reject if the
dkim signature is invalid.

"X-Spam-Status: No, score=0.8 required=5.0"

Spamassassin isn't going to block anything until it registers a score of
5. So, just having a dkim signature (even though invalid) is possibly
lowering the score. Maybe you could tweak the settings to pick-off spam
at a lower score. But, setting your levels down to 0.8 would probably
block legitimate email.

You could always block their ip in the helo_access (or iptables) of your
postfix server (I'm assuming that's what you are using). But that's only
going to be a temporary fix.

You could also add a rbl query to your mail server config to spamhaus.
That could always help.
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.22 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
 
iQEcBAEBAgAGBQJTBCy2AAoJEMBLKVFKNw4KFDUH/RktUI0ybOj0ruWw06RZUzcD
bHiFb/QUahqXihFQMkSwofjV/WovcGkSQgCpzM3XFyGdoo79KzgJ9ByrlPLfIOdI
m/pvcRSODl+rOsaXR1VS0bUyTtdRzEdRZ2EQxvXeaSIOnsZCegG+noY+7GJ5U70o
NyctfgEod0sxFqeJKTzjXpCaXJsuwFBUL3PlLXVWE6ilAtaxh8KBCmIG/kFMrtoG
P+DlTm17d63WZeVBvsZ7YHe/moVm57gBLCsmA8aI6qgqdCGbpkT3p/rKAEcqeV6z
RyyIC4vm9gaaJmuh7Cz7hoM2whGsWSxfrNaGV0hCRoNGBAup5NFIQQfsTn858Dc=
=Aztz
-END PGP SIGNATURE-



Re: random dns queries with random sources

2014-02-18 Thread Joe Maimon



Dobbins, Roland wrote:


On Feb 19, 2014, at 10:08 AM, Joe Maimon  wrote:


What is the purpose of this?


Resource-exhaustion attack against the recursive DNS?



On anything that is going to stay open, not even close.



Re: random dns queries with random sources

2014-02-18 Thread Joe Maimon



Doug Barton wrote:

On 02/18/2014 07:08 PM, Joe Maimon wrote:

Thousand of queries with thousands of source ip addresses.


Pardon if I missed a memo, but how are your resolver systems receiving
these thousands of very different source addresses?

Doug




Thousands of queries _from_ thousands of source ip addresses

likely they are spoofed

this is an example of what I am seeing

root@nameserver3:~# baddnsqueries-srcs 9aq.com | wc -l
1337
root@nameserver3:~# grep 9aq.com /var/log/named/queries | wc -l
1415
root@nameserver3:~# baddnsqueries-srcs 9aq.com | sort -rn -k2 | head -n5
99.86.116.243 1
99.219.232.72 1
99.184.19.178 1
99.155.180.193 1
99.129.26.85 1
root@nameserver3:~# grep 9aq.com /var/log/named/queries | head -n5
18-Feb-2014 22:42:30.754 queries: info: client 93.209.49.151#59706: 
query: abpdefguvwxym.dlq1.9aq.com IN A + (66.199.132.5)
18-Feb-2014 22:42:30.787 queries: info: client 110.158.165.119#32438: 
query: ocpkxdfupiy.dlq1.9aq.com IN A + (66.199.132.7)
18-Feb-2014 22:42:31.382 queries: info: client 84.14.84.205#63722: 
query: abpqeftuiwklz.dlq1.9aq.com IN A + (66.199.132.7)
18-Feb-2014 22:42:31.649 queries: info: client 45.73.65.145#38948: 
query: pvtlirr.dlq1.9aq.com IN A + (66.199.132.7)
18-Feb-2014 22:42:32.679 queries: info: client 9.121.56.232#18395: 
query: amo.dlq1.9aq.com IN A + (66.199.132.5)




root@nameserver3:~# cat /usr/local/sbin/baddnsqueries-srcs
#!/bin/bash

if [[ "$1" == "" ]]; then exit 0; fi
grep -E "$1" /var/log/named/queries | cut -f6 -d' ' | cut -f1 -d# | sort 
| uniq |\

while read INPUT; do
if [[ "$INPUT" == "" ]]; then
continue;
fi
echo $INPUT `grep $INPUT /var/log/named/queries | grep -c -E "$1"`;
done







Re: random dns queries with random sources

2014-02-18 Thread George Herbert
Right.  Nonzero chances that you (Joe's site) are the target...

Also, check if you have egress filtering of spoofed addresses below these
DNS resources, between them and any user objects.  You could be sourcing
the spoofing if not...


On Tue, Feb 18, 2014 at 7:44 PM, Dobbins, Roland  wrote:

>
> On Feb 19, 2014, at 10:08 AM, Joe Maimon  wrote:
>
> > What is the purpose of this?
>
> Resource-exhaustion attack against the recursive DNS?
>
> ---
> Roland Dobbins  // 
>
>   Luck is the residue of opportunity and design.
>
>-- John Milton
>
>
>


-- 
-george william herbert
george.herb...@gmail.com


Re: random dns queries with random sources

2014-02-18 Thread Christopher Morrow
On Tue, Feb 18, 2014 at 10:47 PM, Christopher Morrow
 wrote:
> On Tue, Feb 18, 2014 at 10:44 PM, Dobbins, Roland  wrote:
>>
>> On Feb 19, 2014, at 10:08 AM, Joe Maimon  wrote:
>>
>>> What is the purpose of this?
>>
>> Resource-exhaustion attack against the recursive DNS?
>
> so... i could be nuts, but in the example joe clipped, the resolved
> hosts are either:
> 66.199.132.5
> 66.199.132.7
> or
> 216.222.148.103
>
> these are from 2 different PI blocks, but the same named end-user: chl.net.
>
> maybe someone's upset with CHL, whomever that may be.

apologies. both chl.net and chl.com ... which appear to be parts of
ttec ... which is joe.



Re: random dns queries with random sources

2014-02-18 Thread Dobbins, Roland

On Feb 19, 2014, at 10:44 AM, Dobbins, Roland  wrote:

> Resource-exhaustion attack against the recursive DNS?

Fat-finger, sorry - should also state 'Or against the authoritative servers for 
5kkx.com?'

---
Roland Dobbins  // 

  Luck is the residue of opportunity and design.

   -- John Milton




Re: random dns queries with random sources

2014-02-18 Thread Christopher Morrow
On Tue, Feb 18, 2014 at 10:44 PM, Dobbins, Roland  wrote:
>
> On Feb 19, 2014, at 10:08 AM, Joe Maimon  wrote:
>
>> What is the purpose of this?
>
> Resource-exhaustion attack against the recursive DNS?

so... i could be nuts, but in the example joe clipped, the resolved
hosts are either:
66.199.132.5
66.199.132.7
or
216.222.148.103

these are from 2 different PI blocks, but the same named end-user: chl.net.

maybe someone's upset with CHL, whomever that may be.



Re: random dns queries with random sources

2014-02-18 Thread Dobbins, Roland

On Feb 19, 2014, at 10:32 AM, Joe Maimon  wrote:

> How is this any more effective then sending it direct?

If they're attacking the authoritative DNS servers for 5kkx.com, just 
reflecting gives them indirection and presumably makes traceback harder for 
5kkx.com (at least, in the minds of the attackers).

Or maybe they're trying to game 5kkx.com into blocking requests from the 
recursive servers in question, for some reason.

---
Roland Dobbins  // 

  Luck is the residue of opportunity and design.

   -- John Milton




Re: random dns queries with random sources

2014-02-18 Thread Dobbins, Roland

On Feb 19, 2014, at 10:08 AM, Joe Maimon  wrote:

> What is the purpose of this?

Resource-exhaustion attack against the recursive DNS?

---
Roland Dobbins  // 

  Luck is the residue of opportunity and design.

   -- John Milton




Re: random dns queries with random sources

2014-02-18 Thread Warren Bailey
Totally was trying to figure out how to ask the same thing. How exactly
are you the POC in this situation? lol

On 2/18/14, 7:35 PM, "Doug Barton"  wrote:

>On 02/18/2014 07:08 PM, Joe Maimon wrote:
>> Thousand of queries with thousands of source ip addresses.
>
>Pardon if I missed a memo, but how are your resolver systems receiving
>these thousands of very different source addresses?
>
>Doug
>




Re: random dns queries with random sources

2014-02-18 Thread Doug Barton

On 02/18/2014 07:08 PM, Joe Maimon wrote:

Thousand of queries with thousands of source ip addresses.


Pardon if I missed a memo, but how are your resolver systems receiving 
these thousands of very different source addresses?


Doug



Re: random dns queries with random sources

2014-02-18 Thread Joe Maimon



Mark Andrews wrote:


What is the purpose of this?


Indirect attack on the 5kkx.com servers?


18-Feb-2014 21:45:24.982 queries: info: client 38.89.3.12#19391: query:
swe.5kkx.com IN A + (66.199.132.5)



I have seen dozens of different second level parts.

How is this any more effective then sending it direct?



Re: random dns queries with random sources

2014-02-18 Thread ML

I couldn't resolve that domain or subdomains that I tried.

If that domain did respond, I'd guess it's tailored to be a large junky 
response.  Varying the qname prevents people from using iptables to 
block specific queries.



On 2/18/2014 10:08 PM, Joe Maimon wrote:

Hey all,

DNS amplification spoofed source attacks, I get that. I even thought I 
was getting mitigation down to acceptable levels.


But now this. At different times during the previous days and on 
different resolvers, routers with proxy turned on, etc...


Thousand of queries with thousands of source ip addresses.

According to my logs, sources are not being repeated (or not with any 
significant frequency)


What is the purpose of this?

18-Feb-2014 21:45:24.982 queries: info: client 38.89.3.12#19391: 
query: swe.5kkx.com IN A + (66.199.132.5)
18-Feb-2014 21:45:25.067 queries: info: client 4.109.210.187#55190: 
query: ngqrbwuzquz.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:25.105 queries: info: client 91.82.209.221#33924: 
query: bgbtqcdtzen.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:25.106 queries: info: client 6.29.8.224#4379: query: 
uehkaiy.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:25.106 queries: info: client 67.27.41.169#44000: 
query: yqv.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:25.107 queries: info: client 45.207.31.218#30585: 
query: e.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:25.644 queries: info: client 95.217.89.95#5396: 
query: bfpofpj.5kkx.com IN A + (66.199.132.5)
18-Feb-2014 21:45:25.823 queries: info: client 89.47.129.187#12316: 
query: aocdesguijxym.5kkx.com IN A + (66.199.132.5)
18-Feb-2014 21:45:26.021 queries: info: client 15.205.106.62#34265: 
query: xqgyahfugnt.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:26.057 queries: info: client 128.64.33.29#7584: 
query: ijwhqfmpohmj.5kkx.com IN A + (216.222.148.103)
18-Feb-2014 21:45:26.330 queries: info: client 102.206.85.254#8093: 
query: ibojknsrqjohib.5kkx.com IN A + (216.222.148.103)
18-Feb-2014 21:45:26.333 queries: info: client 40.121.221.81#10822: 
query: ebb.5kkx.com IN A + (66.199.132.5)
18-Feb-2014 21:45:26.752 queries: info: client 104.55.169.43#30108: 
query: l.5kkx.com IN A + (66.199.132.7)







Re: random dns queries with random sources

2014-02-18 Thread Mark Andrews

In message <5304201a.3040...@ttec.com>, Joe Maimon writes:
> Hey all,
> 
> DNS amplification spoofed source attacks, I get that. I even thought I 
> was getting mitigation down to acceptable levels.
> 
> But now this. At different times during the previous days and on 
> different resolvers, routers with proxy turned on, etc...
> 
> Thousand of queries with thousands of source ip addresses.
> 
> According to my logs, sources are not being repeated (or not with any 
> significant frequency)
> 
> What is the purpose of this?

Indirect attack on the 5kkx.com servers? 
 
> 18-Feb-2014 21:45:24.982 queries: info: client 38.89.3.12#19391: query: 
> swe.5kkx.com IN A + (66.199.132.5)
> 18-Feb-2014 21:45:25.067 queries: info: client 4.109.210.187#55190: 
> query: ngqrbwuzquz.5kkx.com IN A + (66.199.132.7)
> 18-Feb-2014 21:45:25.105 queries: info: client 91.82.209.221#33924: 
> query: bgbtqcdtzen.5kkx.com IN A + (66.199.132.7)
> 18-Feb-2014 21:45:25.106 queries: info: client 6.29.8.224#4379: query: 
> uehkaiy.5kkx.com IN A + (66.199.132.7)
> 18-Feb-2014 21:45:25.106 queries: info: client 67.27.41.169#44000: 
> query: yqv.5kkx.com IN A + (66.199.132.7)
> 18-Feb-2014 21:45:25.107 queries: info: client 45.207.31.218#30585: 
> query: e.5kkx.com IN A + (66.199.132.7)
> 18-Feb-2014 21:45:25.644 queries: info: client 95.217.89.95#5396: query: 
> bfpofpj.5kkx.com IN A + (66.199.132.5)
> 18-Feb-2014 21:45:25.823 queries: info: client 89.47.129.187#12316: 
> query: aocdesguijxym.5kkx.com IN A + (66.199.132.5)
> 18-Feb-2014 21:45:26.021 queries: info: client 15.205.106.62#34265: 
> query: xqgyahfugnt.5kkx.com IN A + (66.199.132.7)
> 18-Feb-2014 21:45:26.057 queries: info: client 128.64.33.29#7584: query: 
> ijwhqfmpohmj.5kkx.com IN A + (216.222.148.103)
> 18-Feb-2014 21:45:26.330 queries: info: client 102.206.85.254#8093: 
> query: ibojknsrqjohib.5kkx.com IN A + (216.222.148.103)
> 18-Feb-2014 21:45:26.333 queries: info: client 40.121.221.81#10822: 
> query: ebb.5kkx.com IN A + (66.199.132.5)
> 18-Feb-2014 21:45:26.752 queries: info: client 104.55.169.43#30108: 
> query: l.5kkx.com IN A + (66.199.132.7)
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org



Re: spamassassin

2014-02-18 Thread Larry Sheldon

On 2/18/2014 8:42 PM, Randy Bush wrote:

They are smart and dkim sign their messages; even though it's invalid I
believe that's why it has such a low bayes score.


lots of the spam getting through has no dkim


It's getting marked as ham and not spam. Are you positive your
definitions are still updating?


sa-update has run.  and it runs cleanly

randy



From a posting on NANAE:


On 2/18/2014 6:09 PM, Larry Sheldon wrote:

Received: from [207.254.213.223] (helo=drone166.ral.icpbounce.com)


Larry, icpbounce.com is IContact aka Vocus.  I don't know whether the
managers of Vocus are as whitehat as those of IContact were before the
buyout, but Andrew Barrett was still in charge of abuse/deliverability
when I last checked and he *does* respond quickly and effectively to
spam complaints.  Try sending this to ab...@icontact.com.



--
Requiescas in pace o email   Two identifying characteristics
of System Administrators:
Ex turpi causa non oritur actio  Infallibility, and the ability to
learn from their mistakes.
  (Adapted from Stephen Pinker)



Re: spamassassin

2014-02-18 Thread Suresh Ramasubramanian
DKIM serves to authenticate the source of the message. So this is a stock
tip spam sent through an email service provider called icontact, and the
dkim signature declares that.  Just that and nothing more.

Says nothing at all about the email's reputation - whether it is spam or
not.

--srs

On Tuesday, February 18, 2014, Randy Bush  wrote:

> in the last 3-4 days, a *massive* amount of spam is making it past
> spamassassin to my users and to me.  see appended for example.  not
> all has dkim.
>
> clue?
>

>

-- 
--srs (iPad)


random dns queries with random sources

2014-02-18 Thread Joe Maimon

Hey all,

DNS amplification spoofed source attacks, I get that. I even thought I 
was getting mitigation down to acceptable levels.


But now this. At different times during the previous days and on 
different resolvers, routers with proxy turned on, etc...


Thousand of queries with thousands of source ip addresses.

According to my logs, sources are not being repeated (or not with any 
significant frequency)


What is the purpose of this?

18-Feb-2014 21:45:24.982 queries: info: client 38.89.3.12#19391: query: 
swe.5kkx.com IN A + (66.199.132.5)
18-Feb-2014 21:45:25.067 queries: info: client 4.109.210.187#55190: 
query: ngqrbwuzquz.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:25.105 queries: info: client 91.82.209.221#33924: 
query: bgbtqcdtzen.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:25.106 queries: info: client 6.29.8.224#4379: query: 
uehkaiy.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:25.106 queries: info: client 67.27.41.169#44000: 
query: yqv.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:25.107 queries: info: client 45.207.31.218#30585: 
query: e.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:25.644 queries: info: client 95.217.89.95#5396: query: 
bfpofpj.5kkx.com IN A + (66.199.132.5)
18-Feb-2014 21:45:25.823 queries: info: client 89.47.129.187#12316: 
query: aocdesguijxym.5kkx.com IN A + (66.199.132.5)
18-Feb-2014 21:45:26.021 queries: info: client 15.205.106.62#34265: 
query: xqgyahfugnt.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:26.057 queries: info: client 128.64.33.29#7584: query: 
ijwhqfmpohmj.5kkx.com IN A + (216.222.148.103)
18-Feb-2014 21:45:26.330 queries: info: client 102.206.85.254#8093: 
query: ibojknsrqjohib.5kkx.com IN A + (216.222.148.103)
18-Feb-2014 21:45:26.333 queries: info: client 40.121.221.81#10822: 
query: ebb.5kkx.com IN A + (66.199.132.5)
18-Feb-2014 21:45:26.752 queries: info: client 104.55.169.43#30108: 
query: l.5kkx.com IN A + (66.199.132.7)




Re: spamassassin

2014-02-18 Thread Michael Thomas

On 02/18/2014 05:52 PM, Randy Bush wrote:

in the last 3-4 days, a *massive* amount of spam is making it past
spamassassin to my users and to me.  see appended for example.  not
all has dkim.




It's been a while since i've been in this world, but I wonder whether 
bayes filters are
using the public key of the dkim selector as a token. if they don't 
change selectors/keys
they'd probably be s-canned pretty quickly. It would require that the 
dkim subsystem
talk to the bayes subsystem since the public key isn't in the signature, 
so i'm guessing

not.

Mike



Re: spamassassin

2014-02-18 Thread Randy Bush
> They are smart and dkim sign their messages; even though it's invalid I 
> believe that's why it has such a low bayes score.

lots of the spam getting through has no dkim

> It's getting marked as ham and not spam. Are you positive your 
> definitions are still updating?

sa-update has run.  and it runs cleanly

randy



Re: spamassassin

2014-02-18 Thread Private Sender

Randy Bush wrote:

in the last 3-4 days, a *massive* amount of spam is making it past
spamassassin to my users and to me.  see appended for example.  not
all has dkim.

clue?

randy

From: "SmallCapStockPlays" 
Subject: Could VIIC be our biggest play in 2014?  Check the stock today
To: 
Date: Tue, 18 Feb 2014 20:48:02 -0500
Return-path: 
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on ran.psg.com
X-Spam-Level:
X-Spam-Status: No, score=0.8 required=5.0 
tests=BAYES_50,HTML_MESSAGE,MIME_QP_LONG_LINE,T_DKIM_INVALID autolearn=ham 
version=3.3.2
Received: from psg.com ([2001:418:1::62])
by ran.psg.com with esmtp (Exim 4.76)
(envelope-from )
id 1WFwGl-0006al-Bu
for ra...@ran.psg.com; Wed, 19 Feb 2014 01:48:16 +
Received: from [207.254.213.223] (helo=drone166.ral.icpbounce.com)
by psg.com with esmtp (Exim 4.82 (FreeBSD))
(envelope-from )
id 1WFwGZ-000Lp8-0W
for ra...@psg.com; Wed, 19 Feb 2014 01:48:04 +
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=default; 
d=icontactmail3.com; 
h=Mime-Version:From:To:Date:Subject:List-Unsubscribe:X-Feedback-ID:Content-Type:Message-ID;
 bh=iihwvTJA/ZrrgzXpk+9Muk0Sqlfk5BqD+aI+mL91kn8=; 
b=wKHIYdl1BdMRK0Kak5Z/2CwsfFh5Byoe9ZlHaqQz3VK4ltYtLfCI3tg6y8Wq3HuULY+ere7Fzz9Q  
 camnKSvqcSx3u8LQWQGQSZoYkOmzcIemCHNNrsBD+WZhVA9R3W10V2NM6OTuJKFURxtmCNME29kH   
5bYunRCoGolocQ5HmAw=
Mime-Version: 1.0
Errors-To: bounces+796782.50654126.285...@icpbounce.com
List-Unsubscribe: 
,
 
X-List-Unsubscribe: 

X-Unsubscribe-Web: 

X-Feedback-ID: 01_796782_285374:01_796782:01:vocus
X-ICPINFO:
X-Return-Path-Hint: bounces+796782.50654126.285...@icpbounce.com
Content-Type: multipart/alternative; 
boundary="cdf82e78-582d-4a55-9037-dacf81ae37d3"
Message-ID: <0.1.f.afd.1cf2d149fe8fd9...@drone166.ral.icpbounce.com>

[1  ]
HOME ABOUT US TRADE IDEAS PENNY STOCK ARTICLES DAILY NEWS

[1][png] [2][png] [3][png]

They are smart and dkim sign their messages; even though it's invalid I 
believe that's why it has such a low bayes score.


It's getting marked as ham and not spam. Are you positive your 
definitions are still updating?




Re: Work Practices of Cyber Security Professionals

2014-02-18 Thread Muhammad Adnan
Dear Valdis,

>1) If you're including network admins, you should also make sure to
>get system admins (though you'll be more successful asking elsewhere for
those).

We are also targeting system admins. As I mentioned in my e-mail, "targeted
participants for this survey are those who perform security related
activities as a part of their job". After this sentence, I mentioned a
couple of roles as an example. By those examples I meant "including but not
limited to".

>2) Having worn at least a partial hat of all those along my career, I'm
>curious what sort of tools will improve work practices for all the groups
>concerned.

The goal of this project is not to improve the work practices for all the
groups concerned. Instead, our aim is to first find out what cyber security
professionals (we are using this term to define anyone who performs
security related activities) do on day-to-day basis and which of  their
activities are relatively significant (i.e. performed frequently and
require more time) than others. Once we establish that, then we will pick a
couple of relatively significant activities from their workflow and build
tools for those activities, following a user-centered design process.

But, to get to that stage we first need to know that cyber security
professionals do, how often they do that, and how much time they spend on
doing that.

Hope that answers you questions. Feel free to ask if you have anymore.

Best wishes,
Adnan





On Tue, Feb 18, 2014 at 2:28 PM,  wrote:

> On Mon, 17 Feb 2014 15:27:25 +, Muhammad Adnan said:
>
> > I am a university researcher who is investigating the development of new,
> > usable tools that will improve the work practices of cyber security
> > professionals. As a first step to achieve this goal, I am undertaking a
> > survey to gain an in-depth understanding of the day-to-day activities of
> > cyber security professionals. The targeted participants for this survey
> are
> > those who perform security related activities as a part of their job
> (e.g.
> > security analysts, network administrators, penetration testers).
>
> Several comments:
>
> 1) If you're including network admins, you should also make sure to
> get system admins (though you'll be more successful asking elsewhere for
> those).
>
> 2) Having worn at least a partial hat of all those along my careeer, I'm
> curious what sort of tools will improve work practices for all the groups
> concerned.  Probably the only place you'll find much overlap is in record
> keeping - but even there the record keeping that a sysadmin needs to do for
> changelogging their boxes is fairly different from what security analysts
> working an incident and pen testers engaged in a test will need.  There's
> also the problem that many sites have their change logging integrated into
> their version control system or other workflow software already...
>
> Good luck!
>


spamassassin

2014-02-18 Thread Randy Bush
in the last 3-4 days, a *massive* amount of spam is making it past
spamassassin to my users and to me.  see appended for example.  not
all has dkim.

clue?

randy

From: "SmallCapStockPlays" 
Subject: Could VIIC be our biggest play in 2014?  Check the stock today
To: 
Date: Tue, 18 Feb 2014 20:48:02 -0500
Return-path: 
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on ran.psg.com
X-Spam-Level: 
X-Spam-Status: No, score=0.8 required=5.0 
tests=BAYES_50,HTML_MESSAGE,MIME_QP_LONG_LINE,T_DKIM_INVALID autolearn=ham 
version=3.3.2
Received: from psg.com ([2001:418:1::62])
by ran.psg.com with esmtp (Exim 4.76)
(envelope-from )
id 1WFwGl-0006al-Bu
for ra...@ran.psg.com; Wed, 19 Feb 2014 01:48:16 +
Received: from [207.254.213.223] (helo=drone166.ral.icpbounce.com)
by psg.com with esmtp (Exim 4.82 (FreeBSD))
(envelope-from )
id 1WFwGZ-000Lp8-0W
for ra...@psg.com; Wed, 19 Feb 2014 01:48:04 +
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=default; 
d=icontactmail3.com; 
h=Mime-Version:From:To:Date:Subject:List-Unsubscribe:X-Feedback-ID:Content-Type:Message-ID;
 bh=iihwvTJA/ZrrgzXpk+9Muk0Sqlfk5BqD+aI+mL91kn8=; 
b=wKHIYdl1BdMRK0Kak5Z/2CwsfFh5Byoe9ZlHaqQz3VK4ltYtLfCI3tg6y8Wq3HuULY+ere7Fzz9Q  
 camnKSvqcSx3u8LQWQGQSZoYkOmzcIemCHNNrsBD+WZhVA9R3W10V2NM6OTuJKFURxtmCNME29kH   
5bYunRCoGolocQ5HmAw=
Mime-Version: 1.0
Errors-To: bounces+796782.50654126.285...@icpbounce.com
List-Unsubscribe: 
,
 
X-List-Unsubscribe: 

X-Unsubscribe-Web: 

X-Feedback-ID: 01_796782_285374:01_796782:01:vocus
X-ICPINFO: 
X-Return-Path-Hint: bounces+796782.50654126.285...@icpbounce.com
Content-Type: multipart/alternative; 
boundary="cdf82e78-582d-4a55-9037-dacf81ae37d3"
Message-ID: <0.1.f.afd.1cf2d149fe8fd9...@drone166.ral.icpbounce.com>

[1  ]
HOME ABOUT US TRADE IDEAS PENNY STOCK ARTICLES DAILY NEWS

[1][png] [2][png] [3][png]



Re: "Everyone should be deploying BCP 38! Wait, they are ...."

2014-02-18 Thread Dobbins, Roland

On Feb 19, 2014, at 4:52 AM, Tony Tauber  wrote:

> maybe we should conclude that most of the spoofing is coming from somewhere 
> else; perhaps including colo and cloud providers.

My theory - not yet backed by data - is that probably most spoofed traffic 
these days does in fact emanate from IDC networks, and that a non-trivial 
proportion of same emanates from a relatively small number of such networks.

In many cases, it's possible to put 'naked' hosts on home broadband 
connections, however - and how common that is, and what proportion of those 
broadband access networks don't run any form of anti-spoofing, is an open 
question.

---
Roland Dobbins  // 

  Luck is the residue of opportunity and design.

   -- John Milton




Fibre/Layer2 In San Jose

2014-02-18 Thread Geraint Jones
Hi 

I am wondering if anyone knows anyone with Fibre or L2 service between
Equinix SV1 (11 Great Oaks) and CoreSite (55 S Market).

It seems we need it sooner rather than later.

Thanks.
-- 
Geraint Jones
Director of Systems & Infrastructure
Koding 
https://koding.com
gera...@koding.com
Phone (415) 653-0083





Re: Changing the way we talk about BCP38 [Was: Re: "Everyone should be deploying BCP 38! Wait, they are ...."]

2014-02-18 Thread Dobbins, Roland

On Feb 19, 2014, at 2:43 AM, Paul Ferguson  wrote:

> This is why I am now using the phrase "anti-spoofing" when talking about this 
> in public.

+1

It's also more semantically correct, in many cases.

---
Roland Dobbins  // 

  Luck is the residue of opportunity and design.

   -- John Milton




Re: "Everyone should be deploying BCP 38! Wait, they are ...."

2014-02-18 Thread Jay Ashworth
Spybot, adaware, and MalWare bytes.

I hadn't even thought of them; I was all fixated on Ookla... and why it 
wouldn't work.

I will query those folks.

Cheers,
- jra


On February 18, 2014 3:56:19 PM EST, Robert Drake  wrote:
>
>On 2/18/2014 2:19 PM, James Milko wrote:
>> Is using data from a self-selected group even meaningful when
>> extrapolated?  It's been a while since Stats in college, and it's
>very
>> likely the guys from MIT know more than I do, but one of the big
>things
>> they pushed was random sampling.
>>
>> JM
>>
>>
>Isn't it probable that people who know enough to download the spoofer 
>projects program and run it might also be in position to fix things
>when 
>it's broken, or they may just be testing their own networks which 
>they've already secured, just to verify they got it right.
>
>I may put it on my laptop and start testing random places like 
>Starbucks, my moms house, conventions and other things, but if I'm 
>running it from my home machine it's just to get the gold "I did this"
>star.
>
>So yeah, data from the project is probably meaningless unless someone 
>uses it as a worm payload and checks 50,000 computers randomly (of 
>course I don't advise this.  I just wish there was a way to really push
>
>this to be run by everyone in the world for a week)
>
>Maybe with enough hype we could get CNN to advise people to download 
>it.  Actually, it would be nice if someone who writes security software
>
>like NOD32 or Malwarebytes, or spybot, adaware, etc, would integrate it
>
>into their test suite.  Then you get the thousands of users from them 
>added to the results.

-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.


Re: "Everyone should be deploying BCP 38! Wait, they are ...."

2014-02-18 Thread Tony Tauber
I agree that Barry's post can be read in misleading ways and I seem to
recall chatting about that with him at some point.

As to one poster's comment about random sampling, I'm pretty sure the
Spoofer project likely fell short in a number of ways (e.g. being
documented in not every language).

So, if NATs prevent (many? most?) end-user machines for being able inject
spoofed IPv4 source addresses (IPv6 home gateways may well not provide such
protection), maybe we should conclude that most of the spoofing is coming
from somewhere else; perhaps including colo and cloud providers.

I wonder how many users/admins of those kinds of machines ran the Spoofer
test SW.

Tony


On Tue, Feb 18, 2014 at 2:22 PM, Jared Mauch  wrote:

>
> On Feb 18, 2014, at 1:40 PM, Patrick W. Gilmore  wrote:
>
> > Barry is a well respected security researcher. I'm surprised he posted
> this.
> >
> > In his defense, he did it over a year ago (June 11, 2012). Maybe we
> should ask him about it. I'll do that now
>
> I'm not surprised in any regard.  There are too many names for BCP-38,
> SAV, SSAC-004, BCP-84, Ingress Filtering, etc..
>
> There are many networks that perform this best practice either by
> "default" through NAT/firewalls or by explicit configuration of the devices.
>
> There are many networks that one will never be able to measure nor audit
> as well, but that doesn't mean we shouldn't continue to work on tracking
> back spoofed packets and reporting the attacks, and securing devices.
>
> - Jared
>
>
>


Re: "Everyone should be deploying BCP 38! Wait, they are ...."

2014-02-18 Thread Robert Drake


On 2/18/2014 2:19 PM, James Milko wrote:

Is using data from a self-selected group even meaningful when
extrapolated?  It's been a while since Stats in college, and it's very
likely the guys from MIT know more than I do, but one of the big things
they pushed was random sampling.

JM


Isn't it probable that people who know enough to download the spoofer 
projects program and run it might also be in position to fix things when 
it's broken, or they may just be testing their own networks which 
they've already secured, just to verify they got it right.


I may put it on my laptop and start testing random places like 
Starbucks, my moms house, conventions and other things, but if I'm 
running it from my home machine it's just to get the gold "I did this" star.


So yeah, data from the project is probably meaningless unless someone 
uses it as a worm payload and checks 50,000 computers randomly (of 
course I don't advise this.  I just wish there was a way to really push 
this to be run by everyone in the world for a week)


Maybe with enough hype we could get CNN to advise people to download 
it.  Actually, it would be nice if someone who writes security software 
like NOD32 or Malwarebytes, or spybot, adaware, etc, would integrate it 
into their test suite.  Then you get the thousands of users from them 
added to the results.




Re: HP to Cisco fiber

2014-02-18 Thread Jared Mauch

On Feb 18, 2014, at 2:44 PM, Eric J Esslinger  wrote:

> I've talked to HP and Cisco and neither side will commit to any kind of 
> answer to this question, so I thought I'd ask it here:
> Does anyone know if a Cisco switch equipped with a 1000BASE-BX10-D SFP will 
> connect to an HP switch equipped with a HP X122 1G SFP LC BX-U Transceiver 
> J9143B SFP, assuming they are already talking over dual fiber links and both 
> units support the single fiber sfp's? (they do).
> 
> All the specs look like they should but Cisco and HP are doing the old 'will 
> neither confirm nor deny interoperability'.
> 
> Off list reply is fine, I'd like someone with a definite 'yes I did it and it 
> works fine' or 'no I tried it and it did not', not 'it should' because that's 
> where I'm at for the moment.

Sounds like it should based on your description.  You should make sure other 
media settings match, such as speed, etc.. While this may seem illogical on a 
1G SFP, some devices have varying expectations of that, so sometimes "speed 
nonegotiate" is necessary.

If you are going from HP-HP to Cisco-HP, you may need to disable their 
transciever eeprom check on the Cisco side.

- Jared


BCP38 filtering on Mobile IP networks

2014-02-18 Thread Jay Ashworth
I note that the MIT ANA tester is only for desktop OSs, and none of the
network tools I've collected for Android have BCP38 filter testing built
in.

Does anyone know if there are such tools for Android and for iOS?

I assume that tether testing from a PC would be useless, as the NAT
implementation would drop the packets -- does anyone know if there
are any leaky NAT implementations that *won't* drop packets with bogus 
source addresses?

Or, alternatively, does anyone know *authoritatively* that any cell carrier's
mobile IP network already implements BCP38?  And if so, why aren't they
bragging about it; at least here?  :-)

I have added the Small Business page to BCP38.info.

Cheers,
-- jra
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth & Associates   http://www.bcp38.info  2000 Land Rover DII
St Petersburg FL USA  BCP38: Ask For It By Name!   +1 727 647 1274



Re: "Everyone should be deploying BCP 38! Wait, they are ...."

2014-02-18 Thread Jay Ashworth
- Original Message -
> From: "Dave Bell" 

> That article is terrible.
> 
> Looking at the stats provided, only 2582 unique AS's were tested.
> http://www.cidr-report.org/as2.0/#General_Status has over 46k AS's
> currently in the routing table.
> 
> This means they have tested around 5% of the AS's on the Internet.

Well, it did strike me, when someone cited the same data last week, that
it seemed an awful lot of stew to make from that few oysters. 

I suppose it does depend on what percentage of end nodes are subsumed
by those AS's, but there's no authoritative way to know that from on top.

Cheers,
-- jra
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth & Associates   http://www.bcp38.info  2000 Land Rover DII
St Petersburg FL USA  BCP38: Ask For It By Name!   +1 727 647 1274



HP to Cisco fiber

2014-02-18 Thread Eric J Esslinger
I've talked to HP and Cisco and neither side will commit to any kind of answer 
to this question, so I thought I'd ask it here:
Does anyone know if a Cisco switch equipped with a 1000BASE-BX10-D SFP will 
connect to an HP switch equipped with a HP X122 1G SFP LC BX-U Transceiver 
J9143B SFP, assuming they are already talking over dual fiber links and both 
units support the single fiber sfp's? (they do).

All the specs look like they should but Cisco and HP are doing the old 'will 
neither confirm nor deny interoperability'.

Off list reply is fine, I'd like someone with a definite 'yes I did it and it 
works fine' or 'no I tried it and it did not', not 'it should' because that's 
where I'm at for the moment.

-
Eric Esslinger
Information Services Manager - Fayetteville Public Utilities
http://www.fpunet.com/
(931)433-1522 ext 165



This message may contain confidential and/or proprietary information and is 
intended for the person/entity to whom it was originally addressed. Any use by 
others is strictly prohibited.



Changing the way we talk about BCP38 [Was: Re: "Everyone should be deploying BCP 38! Wait, they are ...."]

2014-02-18 Thread Paul Ferguson
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Below:

On 2/18/2014 11:22 AM, Jared Mauch wrote:
> 
> On Feb 18, 2014, at 1:40 PM, Patrick W. Gilmore 
> wrote:
> 
>> Barry is a well respected security researcher. I'm surprised he
>> posted this.
>> 
>> In his defense, he did it over a year ago (June 11, 2012). Maybe
>> we should ask him about it. I'll do that now
> 
> I'm not surprised in any regard.  There are too many names for
> BCP-38, SAV, SSAC-004, BCP-84, Ingress Filtering, etc..
> 

This is why I am now using the phrase "anti-spoofing" when talking
about this in public. It far less cryptic, and I am breaking into
bite-sized components that people can actually understand.

As engineers & technical people, we need to start using language
people can wrap their brains around easily.

Remember: We are living in the age of instant gratification and
Attention Deficit Disorder.  :-)

- - ferg


> There are many networks that perform this best practice either by
> "default" through NAT/firewalls or by explicit configuration of the
> devices.
> 
> There are many networks that one will never be able to measure nor
> audit as well, but that doesn't mean we shouldn't continue to work
> on tracking back spoofed packets and reporting the attacks, and
> securing devices.
> 
> - Jared
> 
> 
> 
> 


- -- 
Paul Ferguson
VP Threat Intelligence, IID
PGP Public Key ID: 0x54DC85B2

-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.22 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iF4EAREIAAYFAlMDt90ACgkQKJasdVTchbIBrwD/YyUeK4SvS6grQdarKnoJiZXD
2YoTf+lRXpXnkSTPUdUA/3TH8jnXNx6DkOw9nkbVIi6Ek8ehTLUPpDPBe0oELQj4
=Cf2C
-END PGP SIGNATURE-



Re: "Everyone should be deploying BCP 38! Wait, they are ...."

2014-02-18 Thread Jared Mauch

On Feb 18, 2014, at 1:40 PM, Patrick W. Gilmore  wrote:

> Barry is a well respected security researcher. I'm surprised he posted this.
> 
> In his defense, he did it over a year ago (June 11, 2012). Maybe we should 
> ask him about it. I'll do that now

I'm not surprised in any regard.  There are too many names for BCP-38, SAV, 
SSAC-004, BCP-84, Ingress Filtering, etc..

There are many networks that perform this best practice either by "default" 
through NAT/firewalls or by explicit configuration of the devices.

There are many networks that one will never be able to measure nor audit as 
well, but that doesn't mean we shouldn't continue to work on tracking back 
spoofed packets and reporting the attacks, and securing devices.

- Jared




Re: "Everyone should be deploying BCP 38! Wait, they are ...."

2014-02-18 Thread James Milko
Is using data from a self-selected group even meaningful when
extrapolated?  It's been a while since Stats in college, and it's very
likely the guys from MIT know more than I do, but one of the big things
they pushed was random sampling.

JM


On Tue, Feb 18, 2014 at 2:11 PM, Larry Sheldon  wrote:

> On 2/18/2014 11:20 AM, Jay Ashworth wrote:
>
>> Here's a piece which uses the MIT ANA data to assert that the job is
>> mostly done already.
>>
>> Unless I'm very much mistaken, it appears that a large percentage of
>> the failed BCP 38 spoofing tests listed in that data are actually due
>> to customer side NAT routers dropping packets...
>>
>> which is of course egress filtering rather than ingress filtering,
>> and thus doesn't actually apply to our questions.
>>
>> Am I interpreting that correctly?
>>
>
> The date seems a little past "buy by" in light of the very recent
> observations and comments here.
>
>  http://www.senki.org/everyone-should-be-deploying-bcp-38-wait-they-are/
>>
>
>
> --
> Requiescas in pace o email   Two identifying characteristics
> of System Administrators:
> Ex turpi causa non oritur actio  Infallibility, and the ability to
> learn from their mistakes.
>   (Adapted from Stephen Pinker)
>
>


Re: "Everyone should be deploying BCP 38! Wait, they are …."

2014-02-18 Thread Larry Sheldon

On 2/18/2014 11:20 AM, Jay Ashworth wrote:

Here's a piece which uses the MIT ANA data to assert that the job is
mostly done already.

Unless I'm very much mistaken, it appears that a large percentage of
the failed BCP 38 spoofing tests listed in that data are actually due
to customer side NAT routers dropping packets...

which is of course egress filtering rather than ingress filtering,
and thus doesn't actually apply to our questions.

Am I interpreting that correctly?


The date seems a little past "buy by" in light of the very recent 
observations and comments here.



http://www.senki.org/everyone-should-be-deploying-bcp-38-wait-they-are/



--
Requiescas in pace o email   Two identifying characteristics
of System Administrators:
Ex turpi causa non oritur actio  Infallibility, and the ability to
learn from their mistakes.
  (Adapted from Stephen Pinker)



Re: looking for feedback on virtual/dedicated server providers in latin/south america/UK

2014-02-18 Thread Sam Moats
I have to recommend Linode in the UK, from my experience they have 
their act together and their prices are reasonable.

Sam Moats
Circle Net

On 2014-02-18 12:50, Carlos Kamtha wrote:

Hi,

Just wondering if anyone could share some experiences with
server providers specifically in argentina, columbia and costa rica,
and pretty much anywhere in the UK region.

Please respond offlist.

Any feedback would be greatly appreciated. :)

Carlos.





Re: "Everyone should be deploying BCP 38! Wait, they are ...."

2014-02-18 Thread Patrick W. Gilmore
Barry is a well respected security researcher. I'm surprised he posted this.

In his defense, he did it over a year ago (June 11, 2012). Maybe we should ask 
him about it. I'll do that now

-- 
TTFN,
patrick

On Feb 18, 2014, at 13:31 , Dave Bell  wrote:

> That article is terrible.
> 
> Looking at the stats provided, only 2582 unique AS's were tested.
> http://www.cidr-report.org/as2.0/#General_Status has over 46k AS's
> currently in the routing table.
> 
> This means they have tested around 5% of the AS's on the Internet.
> 
> Dave
> 
> 
> On 18 February 2014 17:20, Jay Ashworth  wrote:
> 
>> Here's a piece which uses the MIT ANA data to assert that the job is
>> mostly done already.
>> 
>> Unless I'm very much mistaken, it appears that a large percentage of the
>> failed BCP 38 spoofing tests listed in that data are actually due to
>> customer side NAT routers dropping packets...
>> 
>> which is of course egress filtering rather than ingress filtering, and
>> thus doesn't actually apply to our questions.
>> 
>> Am I interpreting that correctly?
>> 
>> http://www.senki.org/everyone-should-be-deploying-bcp-38-wait-they-are/
>> 
>> (Oh, and bcp38.info is now the number 2 Ghit for "bcp38"; thanks to 5 new
>> contributors for signing up to help so far this week.)
>> 
>> Cheers,
>> - jra
>> --
>> Sent from my Android phone with K-9 Mail. Please excuse my brevity.
>> 
> 




Re: "Everyone should be deploying BCP 38! Wait, they are ...."

2014-02-18 Thread Dave Bell
That article is terrible.

Looking at the stats provided, only 2582 unique AS's were tested.
http://www.cidr-report.org/as2.0/#General_Status has over 46k AS's
currently in the routing table.

This means they have tested around 5% of the AS's on the Internet.

Dave


On 18 February 2014 17:20, Jay Ashworth  wrote:

> Here's a piece which uses the MIT ANA data to assert that the job is
> mostly done already.
>
> Unless I'm very much mistaken, it appears that a large percentage of the
> failed BCP 38 spoofing tests listed in that data are actually due to
> customer side NAT routers dropping packets...
>
> which is of course egress filtering rather than ingress filtering, and
> thus doesn't actually apply to our questions.
>
> Am I interpreting that correctly?
>
> http://www.senki.org/everyone-should-be-deploying-bcp-38-wait-they-are/
>
> (Oh, and bcp38.info is now the number 2 Ghit for "bcp38"; thanks to 5 new
> contributors for signing up to help so far this week.)
>
> Cheers,
> - jra
> --
> Sent from my Android phone with K-9 Mail. Please excuse my brevity.
>


looking for feedback on virtual/dedicated server providers in latin/south america/UK

2014-02-18 Thread Carlos Kamtha
Hi, 

Just wondering if anyone could share some experiences with
server providers specifically in argentina, columbia and costa rica, 
and pretty much anywhere in the UK region.  

Please respond offlist. 

Any feedback would be greatly appreciated. :)

Carlos. 



"Everyone should be deploying BCP 38! Wait, they are …."

2014-02-18 Thread Jay Ashworth
Here's a piece which uses the MIT ANA data to assert that the job is mostly 
done already.

Unless I'm very much mistaken, it appears that a large percentage of the failed 
BCP 38 spoofing tests listed in that data are actually due to customer side NAT 
routers dropping packets...

which is of course egress filtering rather than ingress filtering, and thus 
doesn't actually apply to our questions. 

Am I interpreting that correctly?

http://www.senki.org/everyone-should-be-deploying-bcp-38-wait-they-are/

(Oh, and bcp38.info is now the number 2 Ghit for "bcp38"; thanks to 5 new 
contributors for signing up to help so far this week.)

Cheers,
- jra
-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.


Re: JunOS NTP - Re: OpenNTPProject.org

2014-02-18 Thread Mark Tinka
On Tuesday, February 18, 2014 04:14:59 PM Jared Mauch wrote:

> So, be careful as the Juniper solution varies depending
> on the platform involved.
> 
> Make sure you check your devices.  It took a few
> iterations for us to get the right filters on
> everything.

Indeed.

In particular, different hardware and software combinations 
for the EX line have different match conditions for ports 
compared to the routers.

Mark.


signature.asc
Description: This is a digitally signed message part.


Re: JunOS NTP - Re: OpenNTPProject.org

2014-02-18 Thread John Kristoff
On Tue, 18 Feb 2014 09:14:59 -0500
Jared Mauch  wrote:

> >prefix-list ntp-servers {
> >apply-path "system ntp server <*>";

Some people also have a 'boot-server [server]' statement.  In the
off chance that address is different than those listed in the server
statements, you may need to account for it as well.  If you can, just
make sure it is also listed as one of the configured servers.

John



Telia contact

2014-02-18 Thread Jay Coley
Hi,

If there are any Telia engineers lurking about could you please contact
me off-list regarding a routing question?

Thanks!
--J



Telia contact

2014-02-18 Thread Jay Coley
Hi,

If there are any Telia engineers lurking about could you please contact
me off-list regarding a routing question?

Thanks!
--J



RE: OpenNTPProject.org

2014-02-18 Thread Mike Walter
For knowledge on the list.  We found that our Cisco Nexus 7000s had NTP enabled 
on our public facing VDCs, even when the command "feature ntp" was not present. 
 I had to explicitly enter "no feature ntp" to prevent the NTP server service 
from existing on our public facing 7K interfaces.

Thanks,

Mike

-Original Message-
From: Blake Dunlap [mailto:iki...@gmail.com] 
Sent: Monday, February 17, 2014 11:03 AM
To: nanog@nanog.org
Subject: Re: OpenNTPProject.org

If you're trying to actually run a ntp server setup as opposed to just
trusting the world, I strongly suggest reading the documentation for the
service, as most people don't deploy it correctly while they think they
have.

At minimum, you want a cluster of 3 - 4 servers internally, configured as
peers of each other, and listening to some source of time, preferably
multiple like a few on the internet from the big public pool, and if you
really care about time, set up a GPS receiver or two.

You can definitely go farther than the above, but that's the start to doing
it right. Anything short of the above is just trusting the world at large,
and you'll likely happily follow along with any time skew like that thing a
few months/year ago with either tick or tock.

Without the above, you don't have enough sane sources to discredit bad
advisers (you need 3 for a time lock).

-Blake


On Mon, Feb 17, 2014 at 9:38 AM, Anthony Williams  wrote:

>
> Blake:
>
>  Just to make sure I've got this down, listing a device as a "peer" in
> the ntp.conf file will create a situation where both devices are saying,
> "I know what time it is" and splitting the difference?  Whereas when you
> list a device as a "server", it's using that as the authority on the
> correct time?
>
> Example:
> --
>
> #
> peer192.168.1.1 iburst
> peer192.168.1.2 iburst
>
>
> #
> server  ntp.colby.edu   minpoll 6 maxpoll 10 iburst
> server  bonehed.lcs.mit.edu minpoll 6 maxpoll 10 iburst
>
>
>
>
>
> On 2/17/2014 10:28 AM, Blake Dunlap wrote:
> > Peer means it considers the other side an equal and they will mutually
> skew
> > time together. If you have peer on for devices you don't consider your
> time
> > servers, you're opening yourself up to problems.
> >
> > -Blake
>
>
>



Re: Work Practices of Cyber Security Professionals

2014-02-18 Thread Valdis . Kletnieks
On Mon, 17 Feb 2014 15:27:25 +, Muhammad Adnan said:

> I am a university researcher who is investigating the development of new,
> usable tools that will improve the work practices of cyber security
> professionals. As a first step to achieve this goal, I am undertaking a
> survey to gain an in-depth understanding of the day-to-day activities of
> cyber security professionals. The targeted participants for this survey are
> those who perform security related activities as a part of their job (e.g.
> security analysts, network administrators, penetration testers).

Several comments:

1) If you're including network admins, you should also make sure to
get system admins (though you'll be more successful asking elsewhere for those).

2) Having worn at least a partial hat of all those along my careeer, I'm
curious what sort of tools will improve work practices for all the groups
concerned.  Probably the only place you'll find much overlap is in record
keeping - but even there the record keeping that a sysadmin needs to do for
changelogging their boxes is fairly different from what security analysts
working an incident and pen testers engaged in a test will need.  There's
also the problem that many sites have their change logging integrated into
their version control system or other workflow software already...

Good luck!


pgpTUABvpu9sQ.pgp
Description: PGP signature


JunOS NTP - Re: OpenNTPProject.org

2014-02-18 Thread Jared Mauch
So, be careful as the Juniper solution varies depending on the platform 
involved.

Make sure you check your devices.  It took a few iterations for us to get the 
right filters on everything.

- Jared

On Feb 17, 2014, at 12:26 AM, Yucong Sun  wrote:

> Just for the reference, here is a more complete solution for Junos (took me
> a while searching the web to figure it out), hope it helps someone.
> 
> policy-options {
>prefix-list lo0.0-inet-address {
>apply-path "interfaces lo0 unit 0 family inet address <*>";
>}
>prefix-list ntp-servers {
>apply-path "system ntp server <*>";
>}
> }
> 
> firewall {
>family inet {
>filter lo-filter {
>term ntp-allow {
>from {
>source-prefix-list {
>ntp-servers;
>lo0.0-inet-address;
>}
>protocol udp;
>destination-port ntp;
>}
>then accept;
>}
>term ntp-other-discard {
>from {
>protocol udp;
>destination-port ntp;
>}
>then {
>discard;
>}
>}
>term zz-accept {
>then accept;
>}
>}
>   }
> }
> 
> 
> 
> On Sun, Feb 16, 2014 at 8:42 PM, Mark Tinka  wrote:
> 
>> On Monday, February 17, 2014 06:35:46 AM Lyndon Nerenberg
>> wrote:
>> 
>>> I was suggesting it as an alternative to just chopping
>>> off NTP at your border.  Presumably it would be a
>>> one-off thing until Juniper issues a patch.
>> 
>> In Junos, applying the right filters to your router's
>> control plane will fix the issue. You don't need to block
>> NTP in the data plane.
>> 
>> Mark.
>>