Re: Death of the Internet, Film at 11

2016-10-22 Thread John Weekes




> Ok, so this mailing list is a list of network operators.  Swell.  Every
> network operator who can do so, please raise your hand if you have
> *recently* scanned your own network and if you can -honestly- attest
> that you have taken all necessary steps to ensure that none of the
> numerous specific types of CCTV thingies that Krebs and others identified
> weeks or months ago as being fundamentally insecure can emit a single
> packet out onto the public Internet.


Most of the time, scanning of your customers isn't strictly necessary, 
though it certainly won't hurt.


That's because attackers will scan your network for you, compromise 
the hosts, and use them to attack. When they inevitably attack one of my 
customers, I'll send you an abuse email. Some other networks do the 
same. So if you want to help, the real keys are to make sure that you 
disallow spoofing, that the RIR has up-to-date contact information for 
your organization, and that you handle abuse notifications effectively.


Large IoT botnets have been used extensively this year, launching 
frequent 100+ Gbps attacks (they were also used in prior years, but it 
wasn't to the degree that we've seen since January 2016). I've recorded 
about 2.4 million IP addresses involved in the last two months (a number 
that is higher than the number of actual devices, since most seem to 
have dynamic IP addresses). The ISPs behind those IP addresses have 
received notifications via email, so if you haven't heard anything, 
you're probably in good shape, assuming the RIR has the right abuse 
address on file for you.


The bulk of the compromised devices are non-NA. In a relatively small 40 
Gbps IoT attack a couple of days ago, we saw about 20k devices, for 
instance, and most were from a mix of China, Brazil, Russia, Korea, and 
Venezuela.


-John
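The anti-spoofing item in John's list is the one an operator can actually verify from its own flow data. The script below is an added example (not code from this thread or from any poster) of what a BCP38 egress filter enforces: every packet leaving the network must carry a source address from the prefixes the operator originates, and never a private or otherwise bogon source. The originated prefixes, the bogon list and the NetFlow-like records are all constructed for illustration; a real check would read the prefix list from the router config or IRR and the flows from the collector.

```python
"""BCP38-style source-address validation over egress flow records (added example)."""
import ipaddress
from typing import List, Tuple

# Constructed example: prefixes this hypothetical operator originates.
ORIGINATED_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("2001:db8:1000::/36"),
]

# Address space that must never be the source of a packet leaving the network
# (RFC 1918, loopback, link-local, "this network"); constructed, not exhaustive.
BOGON_PREFIXES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("0.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("fe80::/10"),
]

# Constructed egress flow records, one per line: "<src> <dst> <proto> <bytes> <packets>".
# The last line is a packet with someone else's address as source: by
# definition spoofed if it is seen leaving this network.
SAMPLE_EGRESS_FLOWS = """\
203.0.113.17 192.0.2.10 udp 1500000 1000
198.51.100.200 192.0.2.53 udp 64000 500
10.0.0.9 192.0.2.10 udp 90000 600
45.0.0.1 192.0.2.10 udp 120000 800
2001:db8:1000::beef 2001:db8:2::1 tcp 2000 20
2001:db8:ffff::1 2001:db8:2::1 udp 150000 1000
192.0.2.10 203.0.113.17 tcp 5000 40
"""


def classify_source(src: str) -> str:
    """Return 'ok', 'bogon' or 'spoofed' for a source address leaving the network."""
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in BOGON_PREFIXES):
        return "bogon"
    if any(addr in net for net in ORIGINATED_PREFIXES):
        return "ok"
    return "spoofed"


def parse_flows(text: str) -> List[Tuple[str, str, str, int, int]]:
    """Parse the whitespace-separated flow lines into tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, nbytes, npkts = line.split()
        rows.append((src, dst, proto, int(nbytes), int(npkts)))
    return rows


def audit_egress(text: str) -> dict:
    """Count flows per verdict and total the bytes a BCP38 egress filter would drop."""
    summary = {"ok": 0, "bogon": 0, "spoofed": 0, "dropped_bytes": 0, "offenders": []}
    for src, _dst, _proto, nbytes, _npkts in parse_flows(text):
        verdict = classify_source(src)
        summary[verdict] += 1
        if verdict != "ok":
            summary["dropped_bytes"] += nbytes
            summary["offenders"].append((src, verdict))
    return summary


if __name__ == "__main__":
    result = audit_egress(SAMPLE_EGRESS_FLOWS)
    for src, verdict in result["offenders"]:
        print(f"would drop: src={src} ({verdict})")
    print(f"ok={result['ok']} bogon={result['bogon']} spoofed={result['spoofed']} "
          f"dropped_bytes={result['dropped_bytes']}")
```

Any non-empty `offenders` list on a production egress sample means the filter is missing or has a hole; the same classification, applied on the customer-facing interface to the addresses assigned to that customer, is what uRPF strict mode or a per-port ACL does in hardware.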


Re: Honorary Unsubscribe: Leo Beranek

2016-10-22 Thread Fletcher Kittredge
Talk about a life well led. Leo Beranek had 102 years of sustained
creativity. Any one of his three or four careers would have been
remarkable. In the 1940s, 1950s, 1960s, he laid the foundation that young
whippersnappers such as Cerf and Postel would build on. He was contributing
into his 100s. He was always a kind and pleasant man who led by example and
deference.


On Sat, Oct 22, 2016 at 12:05 PM, Jay R. Ashworth  wrote:

> How many people remember that Bolt Beranek and Newman was originally an
> acoustical consultancy, specializing in concert halls?
>
>   http://www.honoraryunsubscribe.com/leo_beranek.html?awt_l=ACI.7&awt_m=JXfIgZRK.SAPkr
>
> Happy Landings, Leo!
>
> Cheers,
> -- jra
> --
> Jay R. Ashworth  Baylink   j...@baylink.com
> Designer The Things I Think   RFC 2100
> Ashworth & Associates   http://www.bcp38.info  2000 Land Rover DII
> St Petersburg FL USA  BCP38: Ask For It By Name!   +1 727 647 1274
>



-- 
Fletcher Kittredge
GWI
207-602-1134
www.gwi.net


RE: Death of the Internet, Film at 11

2016-10-22 Thread Josh Reynolds
Modern medicine, sanitation, and sedentary lifestyles for the developed
world have effectively culled natural selection for most internet users.

On Oct 22, 2016 7:16 PM, "Keith Medcalf"  wrote:

>
> On: Saturday, 22 October, 2016 17:41, Jean-Francois Mezei <jfmezei_na...@vaxination.ca> wrote:
>
> > On 2016-10-22 19:03, Keith Medcalf wrote:
>
> > > This does not follow and is not a natural consequence of sealing the
> > little buggers up so that they cannot affect the Internet
>
> > Problem is that many of these gadgets want to be internet connected so
> > mother at work can check on her kids at home, start the cooking, raise
> > thermostat etc.
>
> This does not require that the devices be open to the Internet, nor does
> it require that they are under the control of an Internet based controller.
>
> > The problem is that as a novelty, people are quick to adopt, but don't
> > think about making their homes vulnerable to attack. (consider an
> > internet connected door lock)
>
> There are many people who do not read this list who would have nothing
> whatsoever to do with such a scheme (earlier similar schemes are routers &
> etc that are programmed and controlled from the "web", and remote access
> crap which is proxied through a third-party web server -- another
> ill-conceived and brain-dead idea).  This is a self-limiting issue.  Darwin
> will take care of it.  Unfortunately there will be collateral damage as
> those not fit to the continuation of the species are eliminated from the
> gene pool.
>
> We should do our duty and make sure that the pool cleaning proceeds with
> the maximum speed and efficiency possible.


RE: Death of the Internet, Film at 11

2016-10-22 Thread Keith Medcalf

On: Saturday, 22 October, 2016 17:41, Jean-Francois Mezei  wrote:

> On 2016-10-22 19:03, Keith Medcalf wrote:

> > This does not follow and is not a natural consequence of sealing the
> little buggers up so that they cannot affect the Internet

> Problem is that many of these gadgets want to be internet connected so
> mother at work can check on her kids at home, start the cooking, raise
> thermostat etc.

This does not require that the devices be open to the Internet, nor does it 
require that they are under the control of an Internet based controller.

> The problem is that as a novelty, people are quick to adopt, but don't
> think about making their homes vulnerable to attack. (consider an
> internet connected door lock)

There are many people who do not read this list who would have nothing 
whatsoever to do with such a scheme (earlier similar schemes are routers & etc 
that are programmed and controlled from the "web", and remote access crap which 
is proxied through a third-party web server -- another ill-conceived and 
brain-dead idea).  This is a self-limiting issue.  Darwin will take care of it. 
 Unfortunately there will be collateral damage as those not fit to the 
continuation of the species are eliminated from the gene pool.

We should do our duty and make sure that the pool cleaning proceeds with the 
maximum speed and efficiency possible.






Re: FW: Death of the Internet, Film at 11

2016-10-22 Thread Jean-Francois Mezei
On 2016-10-22 19:03, Keith Medcalf wrote:

> This does not follow and is not a natural consequence of sealing the little 
> buggers up so that they cannot affect the Internet

Problem is that many of these gadgets want to be internet connected so
mother at work can check on her kids at home, start the cooking, raise
thermostat etc.

The problem is that as a novelty, people are quick to adopt, but don't
think about making their homes vulnerable to attack. (consider an
internet connected door lock)


Re: Death of the Internet, Film at 11

2016-10-22 Thread Scott Weeks


> On Oct 22, 2016 5:11 PM, "Mark Andrews"  wrote:

> One way to deal with this would be for ISPs to purchase DoS attacks
> against their own servers (not necessarily hosted on your own
> network) then look at which connections from their network attacking
> these machines then quarantine these connections after a delay
> period so that attacks can't be correlated with quarantine actions
> easily.
> 
> This doesn't require an ISP to attempt to break into a customer's
> machine to identify them.  It may take several runs to identify
> most of the connections associated with a DoS provider.


Josh Reynolds writes:
> 
> And then what?


--- ma...@isc.org wrote:
From: Mark Andrews 

They get in someone to clean up their network.  When they say it
is clean you reconnect them.  If this happens more often than once
a year you charge them a month's fees per additional incident.  Have
the year timer start when reconnect is requested.  You give them
what data you have to back up the claim.
--


I invoke Randy's "i encourage my competitors to do this".

scott


Re: Death of the Internet, Film at 11

2016-10-22 Thread Luke Guillory
I was referring to your use case and it being a business, for residential I 
agree with you.

Sent from my iPhone

On Oct 22, 2016, at 12:21 PM, jim deleskie  wrote:


Sure, but now we put it outside the skill level of 99.99% of the people that 
don't read and understand this list.

-jim




Luke Guillory
Network Operations Manager



Tel:985.536.1212
Fax:985.536.0300
Email:  lguill...@reservetele.com
Web:www.rtconline.com

Reserve Telecommunications
100 RTC Dr
Reserve, LA 70084





Disclaimer:
The information transmitted, including attachments, is intended only for the 
person(s) or entity to which it is addressed and may contain confidential 
and/or privileged material which should not disseminate, distribute or be 
copied. Please notify Luke Guillory immediately by e-mail if you have received 
this e-mail by mistake and delete this e-mail from your system. E-mail 
transmission cannot be guaranteed to be secure or error-free as information 
could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or 
contain viruses. Luke Guillory therefore does not accept liability for any 
errors or omissions in the contents of this message, which arise as a result of 
e-mail transmission.


On Sat, Oct 22, 2016 at 2:09 PM, Luke Guillory  wrote:

VPNs can accomplish this without opening ports directly to devices.

Luke


Sent from my iPhone

On Oct 22, 2016, at 12:06 PM, jim deleskie  wrote:

It is also likely the desired use case.  In my office I like to be able to
login when needed when on the road, when the alarm company calls me at 2am
for a false alarm so I don't have to get someone else out of bed to have
them dispatched to check on the site.

-jim

On Sat, Oct 22, 2016 at 1:42 PM, Chris Boyd  wrote:


On Oct 22, 2016, at 7:34 AM, Mike Hammett  wrote:

"taken all necessary steps to ensure that none of the numerous specific
types of CCTV thingies that Krebs and others identified"

Serious question... how?

Putting them behind a firewall without general Internet access seems to
work for us.  We have a lot of cheap IP cameras in our facility and none of
them can reach the net.  But this is probably a bit beyond the capabilities
of the general home user.

—Chris









Re: Death of the Internet, Film at 11

2016-10-22 Thread Luke Guillory
VPNs can accomplish this without opening ports directly to devices.

Luke


Sent from my iPhone

On Oct 22, 2016, at 12:06 PM, jim deleskie  wrote:

It is also likely the desired use case.  In my office I like to be able to
login when needed when on the road, when the alarm company calls me at 2am
for a false alarm so I don't have to get someone else out of bed to have
them dispatched to check on the site.

-jim

On Sat, Oct 22, 2016 at 1:42 PM, Chris Boyd  wrote:


On Oct 22, 2016, at 7:34 AM, Mike Hammett  wrote:

"taken all necessary steps to ensure that none of the numerous specific
types of CCTV thingies that Krebs and others identified"

Serious question... how?

Putting them behind a firewall without general Internet access seems to
work for us.  We have a lot of cheap IP cameras in our facility and none of
them can reach the net.  But this is probably a bit beyond the capabilities
of the general home user.

—Chris





Luke Guillory
Network Operations Manager



Tel:985.536.1212
Fax:985.536.0300
Email:  lguill...@reservetele.com
Web:www.rtconline.com

Reserve Telecommunications
100 RTC Dr
Reserve, LA 70084








Re: Dyn DDoS this AM?

2016-10-22 Thread Rob Szarka

On 10/21/2016 7:34 PM, Keenan Tims wrote:
> I don't have a horse in this race, and haven't used it in anger, but
> Netflix released denominator to attempt to deal with some of these
> issues:
>
> https://github.com/Netflix/denominator
>
> Their goal is to support the highest common denominator of features
> among the supported providers,
>
> Maybe that helps someone.


Sadly, it looks like the project is stalled: 
.


--
Rob Szarka
http://szarka.org/



Re: Dyn DDoS this AM?

2016-10-22 Thread Masood Ahmad Shah
>
> > On Oct 21, 2016, at 6:35 PM, Eitan Adler  wrote:
> >
> > [...]
> >
> > In practice TTLs tend to be ignored on the public internet. In past
> > research I've been involved with browser[0] behavior was effectively
> > random despite the TTL set.
> >
> > [0] more specifically, the chain of DNS resolution and caching down to
> > the browser.
>
>
> Yes, but that it can be both better and worse than your TTLs does not mean
> that you can ignore properly working implementations.
>
> If the other end device chain breaks you that's their fault and out of
> your control.  If your own settings break you that's your fault.
>

+1 to what George wrote that we should make efforts to improve our part of
the network. There are ISPs that ignore TTL settings and only update their
cached records every two to three days or even more (particularly the
smaller ones). OTOH, this results in your DNS data being inconsistent but
it’s very common to cache DNS records at multiple levels. It's an effort
that everyone needs to contribute to.




Re: Dyn DDoS this AM?

2016-10-22 Thread Daniel Ankers
On 22 October 2016 at 16:40, marcel.duregards--- via NANOG 
wrote:

> What about BCP38+84 on 30 tier-1s instead of asking/hoping 55k other
> autonomous systems have good filters in place?


The originating ISPs are in a far better position to check that traffic
isn't from spoofed address ranges than transit networks are.  The best
thing to do is to ask EVERY network to do what they can, not just the few
biggest ones.

Any size ISP can be hit by and hurt by DDoS attacks, so every size ISP
should be doing what they can to make sure they are not either the source
or the victim of those attacks.

Dan


FW: Death of the Internet, Film at 11

2016-10-22 Thread Keith Medcalf

> It's also generally counter to them being available outside of that
> network.

This does not follow and is not a natural consequence of sealing the little 
buggers up so that they cannot affect the Internet (or your private networks).  
Even if you lock your pet mouse in a cage, you can still feed it and clean up 
the shit in the cage.  It just isn't free to wander out and eat the floral 
arrangements on the end-table.

> (web and proprietary interfaces needed, SSH and telnet not).
> That's also not much I can do as a network operator.
>
>
>
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
> Midwest-IX
> http://www.midwest-ix.com
>
> - Original Message -
>
> From: "Chris Boyd" 
> To: "Elizabeth Zwicky via NANOG" 
> Sent: Saturday, October 22, 2016 11:42:05 AM
> Subject: Re: Death of the Internet, Film at 11
>
>
> > On Oct 22, 2016, at 7:34 AM, Mike Hammett  wrote:
> >
> > "taken all necessary steps to ensure that none of the numerous specific
> types of CCTV thingies that Krebs and others identified"
> >
> > Serious question... how?
>
> Putting them behind a firewall without general Internet access seems to
> work for us. We have a lot of cheap IP cameras in our facility and none of
> them can reach the net. But this is probably a bit beyond the capabilities
> of the general home user.
>
> —Chris
>






Re: Death of the Internet, Film at 11

2016-10-22 Thread Jean-Francois Mezei
On 2016-10-22 18:35, Ray Van Dolson wrote:
> http://hub.dyn.com/dyn-blog/dyn-statement-on-10-21-2016-ddos-attack

Thanks for the link.

10s of millions of IP addresses. Is it realistic to have 10s of millions
of infected devices? Or is that the dense smoke that points to IP
spoofing?

re: newspaper reports: how did Flashpoint obtain enough details, while
attack was ongoing to be able to draw conclusions told to the media ? Or
was it educated speculation ?

Obviously, Dyn had packet contents to look at and range of IPs being
used etc. Would such a company typically release that info to a trusted
investigator "as it happens" ? (would Flashpoint be such an outfit ?)

Did the attack generate valid DNS queries (overwhelm the servers) or
flood the links with long "random" UDP packets (overwhelm the links)?


While I can understand that mitigation methods can be seen as
"proprietary", releasing info on the specifics of the attack would help
any/all networks and data centres better protect themselves.

Assuming hackers don't talk to each other in the 21st century is silly.
They already know how this was done, yet the victims typically remain
silent for fear of educating the hackers for more attacks.


Honorary Unsubscribe: Leo Beranek

2016-10-22 Thread Jay R. Ashworth
How many people remember that Bolt Beranek and Newman was originally an
acoustical consultancy, specializing in concert halls?

  
http://www.honoraryunsubscribe.com/leo_beranek.html?awt_l=ACI.7&awt_m=JXfIgZRK.SAPkr

Happy Landings, Leo!

Cheers,
-- jra
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth & Associates   http://www.bcp38.info  2000 Land Rover DII
St Petersburg FL USA  BCP38: Ask For It By Name!   +1 727 647 1274


Re: Death of the Internet, Film at 11

2016-10-22 Thread Josh Reynolds
One sec, starting a relationship with $CPEvendor...

I'll let you know how this goes.

"Yes, every customer I went to had malware. That's okay, right?"

;)

On Oct 22, 2016 5:56 PM, "Mark Andrews"  wrote:

>
> In message , Josh Reynolds writes:
> >
> > And then what?
>
> They get in someone to clean up their network.  When they say it
> is clean you reconnect them.  If this happens more often than once
> a year you charge them a month's fees per additional incident.  Have
> the year timer start when reconnect is requested.  You give them
> what data you have to back up the claim.
>
> > The labor to clean up this mess is not free. Whose
> > responsibility is it? The grandma who got a webcam for Christmas to watch
> > the squirrels? The ISP?... No... The vendor? What if the vendor had
> > released a patch to fix the issue months back, and grandma hadn't
> > installed it?
> >
> > Making grandma and auntie Em responsible for the IT things in their house
> > is likely not going to go well.
> >
> > Making the vendor responsible might work for the reputable ones to a
> > point, but won't work for the fly by night shops that will sell the same
> > products under different company names and model names until they get
> > sued or "one starred" into oblivion. Then they just change names and
> > start all over.
> >
> > The ISPs won't do it because of the cost to fix... The labor and
> > potential loss of customers.
> >
> > So once identified, how do you suggest this gets fixed?
> >
> > On Oct 22, 2016 5:11 PM, "Mark Andrews"  wrote:
> >
> > One way to deal with this would be for ISPs to purchase DoS attacks
> > against their own servers (not necessarily hosted on your own
> > network) then look at which connections from their network attacking
> > these machines then quarantine these connections after a delay
> > period so that attacks can't be correlated with quarantine actions
> > easily.
> >
> > This doesn't require an ISP to attempt to break into a customer's
> > machine to identify them.  It may take several runs to identify
> > most of the connections associated with a DoS provider.
> >
> > --
> > Mark Andrews, ISC
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
>


Re: Death of the Internet, Film at 11

2016-10-22 Thread Mark Andrews

In message , Josh Reynolds writes:
> 
> And then what?

They get in someone to clean up their network.  When they say it
is clean you reconnect them.  If this happens more often than once
a year you charge them a month's fees per additional incident.  Have
the year timer start when reconnect is requested.  You give them
what data you have to back up the claim.

> The labor to clean up this mess is not free. Whose
> responsibility is it? The grandma who got a webcam for Christmas to watch
> the squirrels? The ISP?... No... The vendor? What if the vendor had
> released a patch to fix the issue months back, and grandma hadn't installed
> it?
> 
> Making grandma and auntie Em responsible for the IT things in their house
> is likely not going to go well.
>
> Making the vendor responsible might work for the reputable ones to a point,
> but won't work for the fly by night shops that will sell the same products
> under different company names and model names until they get sued or "one
> starred" into oblivion. Then they just change names and start all over.
> 
> The ISPs won't do it because of the cost to fix... The labor and potential
> loss of customers.
> 
> So once identified, how do you suggest this gets fixed?
> 
> On Oct 22, 2016 5:11 PM, "Mark Andrews"  wrote:
> 
> 
> One way to deal with this would be for ISPs to purchase DoS attacks
> against their own servers (not necessarily hosted on your own
> network) then look at which connections from their network attacking
> these machines then quarantine these connections after a delay
> period so that attacks can't be correlated with quarantine actions
> easily.
> 
> This doesn't require an ISP to attempt to break into a customer's
> machine to identify them.  It may take several runs to identify
> most of the connections associated with a DoS provider.
> 
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
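The workflow Mark sketches (buy a DoS against your own canary host, see which access connections hit it, quarantine them only after a delay so the quarantine cannot be correlated with the purchased attack) has one step that is easy to get wrong on a residential network: turning attacking IPs into subscribers when addresses are dynamic, which is also why John's 2.4 million IPs overcount devices. The script below is an added example, not code from this thread or from any poster; it attributes each attack flow to the subscriber that held the source address at the flow's own timestamp, counts IPs versus subscribers, and draws a randomised quarantine delay per subscriber. The canary address, lease history, flow records and jitter window are all constructed for illustration.

```python
"""Attributing test-attack flows to subscribers and scheduling delayed quarantine (added example)."""
from __future__ import annotations

import random
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Set, Tuple

CANARY_TARGET = "192.0.2.200"  # constructed: the operator's own DoS test target
MIN_PACKETS = 1000             # constructed threshold: below this it is stray traffic, not an attack


@dataclass(frozen=True)
class Lease:
    ip: str
    subscriber: str
    start: datetime  # inclusive
    end: datetime    # exclusive


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    packets: int


# Constructed DHCP/RADIUS-style lease history: 203.0.113.10 changes hands at
# noon, and subscriber A comes back on a different address in the afternoon.
LEASES: List[Lease] = [
    Lease("203.0.113.10", "sub-A", datetime(2016, 10, 22, 0, 0), datetime(2016, 10, 22, 12, 0)),
    Lease("203.0.113.10", "sub-B", datetime(2016, 10, 22, 12, 0), datetime(2016, 10, 23, 0, 0)),
    Lease("203.0.113.11", "sub-C", datetime(2016, 10, 22, 0, 0), datetime(2016, 10, 23, 0, 0)),
    Lease("203.0.113.12", "sub-A", datetime(2016, 10, 22, 12, 0), datetime(2016, 10, 23, 0, 0)),
]

# Constructed flow records from the access network during two purchased test
# attacks, one at 09:00 and one at 14:00, plus unrelated traffic and noise.
FLOWS: List[Flow] = [
    Flow(datetime(2016, 10, 22, 9, 0), "203.0.113.10", CANARY_TARGET, 50_000),
    Flow(datetime(2016, 10, 22, 9, 0), "203.0.113.11", CANARY_TARGET, 48_000),
    Flow(datetime(2016, 10, 22, 9, 0), "203.0.113.11", "198.51.100.5", 12),  # ordinary traffic
    Flow(datetime(2016, 10, 22, 14, 0), "203.0.113.12", CANARY_TARGET, 51_000),
    Flow(datetime(2016, 10, 22, 14, 0), "203.0.113.10", CANARY_TARGET, 3),     # stray packets
]


def subscriber_for(ip: str, at: datetime, leases: Iterable[Lease]) -> Optional[str]:
    """Resolve an IP to the subscriber holding it at time `at` (half-open lease interval)."""
    for lease in leases:
        if lease.ip == ip and lease.start <= at < lease.end:
            return lease.subscriber
    return None


def attribute_attack(flows: Iterable[Flow], leases: Iterable[Lease],
                     target: str = CANARY_TARGET,
                     min_packets: int = MIN_PACKETS) -> Dict[str, Set[str]]:
    """Map each subscriber that attacked `target` to the set of source IPs it used.

    Lookup is done per flow at the flow's own timestamp, so an address that
    changed hands between two test runs is credited to the right subscriber.
    Flows whose source has no lease at that time are skipped for manual review.
    """
    leases = list(leases)
    result: Dict[str, Set[str]] = {}
    for f in flows:
        if f.dst != target or f.packets < min_packets:
            continue
        sub = subscriber_for(f.src, f.ts, leases)
        if sub is None:
            continue
        result.setdefault(sub, set()).add(f.src)
    return result


def count_ips_and_subscribers(attribution: Dict[str, Set[str]]) -> Tuple[int, int]:
    """Return (distinct attacking IPs, distinct attacking subscribers)."""
    ips = set().union(*attribution.values()) if attribution else set()
    return len(ips), len(attribution)


def schedule_quarantine(subscribers: Iterable[str], min_delay_h: float = 6.0,
                        max_delay_h: float = 72.0, seed: Optional[int] = None) -> Dict[str, float]:
    """Pick a random delay in hours, per subscriber, before the line is quarantined.

    Spreading quarantines over a window instead of acting when the test attack
    ends is what stops the DoS seller from learning which bots were spotted by
    watching who drops off right after a job.
    """
    rng = random.Random(seed)
    return {s: rng.uniform(min_delay_h, max_delay_h) for s in sorted(set(subscribers))}


if __name__ == "__main__":
    attribution = attribute_attack(FLOWS, LEASES)
    n_ips, n_subs = count_ips_and_subscribers(attribution)
    print(f"attacking IPs seen: {n_ips}, attacking subscribers: {n_subs}")
    attack_end = datetime(2016, 10, 22, 14, 30)
    for sub, delay in schedule_quarantine(attribution, seed=7).items():
        when = attack_end + timedelta(hours=delay)
        print(f"{sub}: used {sorted(attribution[sub])}, quarantine at {when:%Y-%m-%d %H:%M}")
```

On the constructed data the two test runs show three attacking IPs but only two subscribers, because subscriber A moved addresses between runs; that is the evidence you hand the customer with the disconnect notice, and it is also why the count of addresses in a botnet is an upper bound on the number of devices.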


Re: Death of the Internet, Film at 11

2016-10-22 Thread Mike Hammett
Thanks for the link. 




- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

- Original Message -

From: "Ray Van Dolson"  
To: "Mike Hammett"  
Cc: nanog@nanog.org 
Sent: Saturday, October 22, 2016 5:35:50 PM 
Subject: Re: Death of the Internet, Film at 11 

http://hub.dyn.com/dyn-blog/dyn-statement-on-10-21-2016-ddos-attack

On Sat, Oct 22, 2016 at 04:48:01PM -0500, Mike Hammett wrote: 
> Until Dyn says or someone says Dyn said, everything is assumed. 
> 
> - Original Message - 
> 
> From: "Peter Baldridge"  
> To: "Jean-Francois Mezei"  
> Cc: nanog@nanog.org 
> Sent: Saturday, October 22, 2016 4:45:13 PM 
> Subject: Re: Death of the Internet, Film at 11 
> 
> On Sat, Oct 22, 2016 at 1:47 PM, Jean-Francois Mezei  wrote: 
> > Generic question: 
> > 
> > The media seems to have concluded it was an "internet of things" that 
> > caused this DDoS. 
> > 
> > I have not seen any evidence of this. Has this been published by an 
> > authoritative source or is it just assumed? 
> 
> Flashpoint[0], krebs[1], arstechnica[2]. I'm not sure what credible 
> looks like unless they release a packet but this is probably 
> consensus. 
> 
> > Has the type of device involved been identified? 
> 
> routers and cameras with shitty firmware [3] 
> 
> > Is it more plausible that those devices were "hacked" in the OEM 
> > firmware and sold with the "virus" built-in ? That would explain the 
> > widespread attack. 
> 
> The source code has been released. krebs [4], code [5] 
> 
> > Also, in cases such as this one, while the target has managed to 
> > mitigate the attack, how long would such an attack typically continue 
> > and require blocking ? 
> This is an actual question that hasn't been answered. 
> 
> > Since the attack seemed focused on eastern USA DNS servers, would it be 
> > fair to assume that the attacks came mostly from the same region (aka: 
> > devices installed in eastern USA) ? (since anycast would point them to 
> > that). 
> 
> Aren't heat maps just population graphs? 
> 
> > BTW, normally, if you change the "web" password on a "device", it would 
> > also change telnet/SSH/ftp passwords. 
> 
> Seems like no one is doing either. 



Re: MPLS in the campus Network?

2016-10-22 Thread Mark Tinka


On 22/Oct/16 23:59, Marian Ďurkovič wrote:

>
> The question here is, whether MPLS is the *optimal* solution for campus needs.
>
> The same functionality could be obviously achieved by multiple technologies,
> and while MPLS is well supported on high-end SP routers, various limitations
> appear when people try to use it on commodity ASICs which typically power
> today's ethernet switches - one of them being e.g. limited ability to
> effectively load-balance traffic over multiple parallel links.
>
> Yes, in theory we could build all campus LANs using high-end SP routers, but
> when 100GE backbone is desired (which is often the case in EDU/NREN sector),
> the costs of such solution jump to unacceptable heights.
>
> Thus we looked for another technology, which doesn't have the usual L2 problems
> and is able to provide services we need (including L2 extensions to remote
> campuses) at reasonable costs and with enough simplicity.
>
> To avoid typical L2 problems, you clearly need a solution based on L3 routing.
> And TRILL is exactly that - although it maintains L2 interface to the outside
> world, internally it performs dynamic L3 routing by IS-IS protocol with all
> safety belts like TTL check, RPF check etc.
>
> IMHO, TRILL is much better fit for campus needs, since it was specifically
> designed for this networking space - and our 6 months of production fully confirms
> that view (of course, YMMV).

I don't consider the ASR920 or CES2000 to be particularly high-end
routers, but YMMV.

True, merchant silicon presents a number of data plane challenges that
may, at first, seem non-trivial or completely go unnoticed. That is why
we stay away from the ACX5000, for example. I expect improvements to
come with newer-generation ASICs/NPs, but that tests one's patience.

But, like I said, I have not run TRILL myself, so I'm not going to tell
you that it's not an ideal technology for this use-case. All I'll say is
that MPLS is not limited to high-end platforms, even when custom silicon
is involved.

Mark.


Re: Death of the Internet, Film at 11

2016-10-22 Thread Josh Reynolds
I wish you luck with your plan, and please subscribe me to your newsletter
in digest format.

On Oct 22, 2016 5:32 PM, "Mark Foster"  wrote:

> The person who owns the internet connection still has responsibility for
> what happens on it.
>
> So if the owners are educated to select reputable brands in order to
> prevent themselves from being implicated in a DDoS and liable for a fine or
> some other punitive thing, they 'vote with their feet' and the
> fly-by-nighters suddenly lose a chunk of marketshare, unless they up their
> game?
>
> I'm as sympathetic to Aunty Em and Grandma as the next
> I-started-on-a-helpdesk guys, but 'you get what you pay for' applies here
> as much as it does everywhere else...?
>
>
> On 23/10/2016 11:22 a.m., Josh Reynolds wrote:
>
>> And then what? The labor to clean up this mess is not free. Whose
>> responsibility is it? The grandma who got a webcam for Christmas to watch
>> the squirrels? The ISP?... No... The vendor? What if the vendor had
>> released a patch to fix the issue months back, and grandma hadn't
>> installed it?
>>
>> Making grandma and auntie Em responsible for the IT things in their house
>> is likely not going to go well.
>>
>> Making the vendor responsible might work for the reputable ones to a
>> point, but won't work for the fly by night shops that will sell the same
>> products under different company names and model names until they get
>> sued or "one starred" into oblivion. Then they just change names and
>> start all over.
>>
>> The ISPs won't do it because of the cost to fix... The labor and potential
>> loss of customers.
>>
>> So once identified, how do you suggest this gets fixed?
>>
>
> *snip*
>


Re: Death of the Internet, Film at 11

2016-10-22 Thread Ray Van Dolson
http://hub.dyn.com/dyn-blog/dyn-statement-on-10-21-2016-ddos-attack
 

On Sat, Oct 22, 2016 at 04:48:01PM -0500, Mike Hammett wrote:
> Until Dyn says or someone says Dyn said, everything is assumed. 
> 
> - Original Message -
> 
> From: "Peter Baldridge"  
> To: "Jean-Francois Mezei"  
> Cc: nanog@nanog.org 
> Sent: Saturday, October 22, 2016 4:45:13 PM 
> Subject: Re: Death of the Internet, Film at 11 
> 
> On Sat, Oct 22, 2016 at 1:47 PM, Jean-Francois Mezei 
>  wrote: 
> > Generic question: 
> > 
> > The media seems to have concluded it was an "internet of things" that 
> > caused this DDoS. 
> > 
> > I have not seen any evidence of this. Has this been published by an 
> > authoritative source or is it just assumed? 
> 
> Flashpoint[0], krebs[1], arstechnica[2]. I'm not sure what credible 
> looks like unless they release a packet but this is probably 
> consensus. 
> 
> > Has the type of device involved been identified? 
> 
> routers and cameras with shitty firmware [3] 
> 
> > Is it more plausible that those devices were "hacked" in the OEM 
> > firmware and sold with the "virus" built-in ? That would explain the 
> > widespread attack. 
> 
> The source code has been released. krebs [4], code [5] 
> 
> > Also, in cases such as this one, while the target has managed to 
> > mitigate the attack, how long would such an attack typically continue 
> > and require blocking ? 
> This is an actual question that hasn't been answered. 
> 
> > Since the attack seemed focused on eastern USA DNS servers, would it be 
> > fair to assume that the attacks came mostly from the same region (aka: 
> > devices installed in eastern USA) ? (since anycast would point them to 
> > that). 
> 
> Aren't heat maps just population graphs? 
> 
> > BTW, normally, if you change the "web" password on a "device", it would 
> > also change telnet/SSH/ftp passwords. 
> 
> Seems like no one is doing either. 


Re: Death of the Internet, Film at 11

2016-10-22 Thread Mark Foster
The person who owns the internet connection still has responsibility for 
what happens on it.


So if the owners are educated to select reputable brands in order to 
prevent themselves from being implicated in a DDoS and liable for a fine 
or some other punitive thing, they 'vote with their feet' and the 
fly-by-nighters suddenly lose a chunk of marketshare, unless they up 
their game?


I'm as sympathetic to Aunty Em and Grandma as the next 
I-started-on-a-helpdesk guys, but 'you get what you pay for' applies 
here as much as it does everywhere else...?



On 23/10/2016 11:22 a.m., Josh Reynolds wrote:

And then what? The labor to clean up this mess is not free. Whose
responsibility is it? The grandma who got a webcam for Christmas to watch
the squirrels? The ISP?... No... The vendor? What if the vendor had
released a patch to fix the issue months back, and grandma hadn't installed
it?

Making grandma and auntie Em responsible for the IT things in their house
is likely not going to go well.

Making the vendor responsible might work for the reputable ones to a point,
but won't work for the fly by night shops that will sell the same products
under different company names and model names until they get sued or "one
starred" into oblivion. Then they just change names and start all over.

The ISPs won't do it because of the cost to fix... The labor and potential
loss of customers.

So once identified, how do you suggest this gets fixed?


*snip*


Re: Death of the Internet, Film at 11

2016-10-22 Thread Josh Reynolds
And then what? The labor to clean up this mess is not free. Whose
responsibility is it? The grandma who got a webcam for Christmas to watch
the squirrels? The ISP?... No... The vendor? What if the vendor had
released a patch to fix the issue months back, and grandma hadn't installed
it?

Making grandma and auntie Em responsible for the IT things in their house
is likely not going to go well.

Making the vendor responsible might work for the reputable ones to a point,
but won't work for the fly by night shops that will sell the same products
under different company names and model names until they get sued or "one
starred" into oblivion. Then they just change names and start all over.

The ISPs won't do it because of the cost to fix... The labor and potential
loss of customers.

So once identified, how do you suggest this gets fixed?

On Oct 22, 2016 5:11 PM, "Mark Andrews"  wrote:


One way to deal with this would be for ISPs to purchase DoS attacks
against their own servers (not necessarily hosted on your own
network), then look at which connections from their network are attacking
these machines, then quarantine these connections after a delay
period so that attacks can't be correlated with quarantine actions
easily.

This doesn't require an ISP to attempt to break into a customer's
machine to identify them.  It may take several runs to identify
most of the connections associated with a DoS provider.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: Death of the Internet, Film at 11

2016-10-22 Thread Mark Andrews

One way to deal with this would be for ISPs to purchase DoS attacks
against their own servers (not necessarily hosted on your own
network), then look at which connections from their network are attacking
these machines, then quarantine these connections after a delay
period so that attacks can't be correlated with quarantine actions
easily.

This doesn't require an ISP to attempt to break into a customer's
machine to identify them.  It may take several runs to identify
most of the connections associated with a DoS provider.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
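The procedure Mark sketches above (have your own bait servers attacked, record which of your customers' connections join in, quarantine after a delay, repeat over several runs) can be expressed as a small correlation job over flow records. The following is an added example written for this page; it is not Mark's or ISC's code. The customer prefix, the canary addresses and the flow records are constructed, and the keyed-hash delay is one way of producing the "delay period" he mentions, not something the thread specifies.

```python
import hashlib
import ipaddress
from collections import defaultdict

# Assumptions for the example (not from the thread): our customer address space,
# and the addresses of the bait servers we arranged to have attacked.
OUR_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]
CANARIES = {"198.51.100.200", "198.51.100.201"}

# Constructed flow records from two separate attack windows ("runs").
# Tuple layout: (run_id, src, dst, packets)
SAMPLE_RUNS = [
    (1, "203.0.113.17", "198.51.100.200", 40000),
    (1, "203.0.113.88", "198.51.100.200", 38000),
    (1, "203.0.113.5", "198.51.100.200", 3),        # a handful of packets: a normal visitor
    (1, "192.0.2.9", "198.51.100.200", 50000),      # not our customer: abuse report, not quarantine
    (1, "203.0.113.17", "198.51.100.9", 12),        # traffic to a non-canary host is ignored
    (2, "203.0.113.17", "198.51.100.201", 42000),
    (2, "203.0.113.120", "198.51.100.201", 36000),
    (2, "203.0.113.5", "198.51.100.201", 2),
]

def is_ours(src):
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in OUR_PREFIXES)

def attackers_per_run(runs, min_packets=1000):
    """Map run_id -> set of our source addresses that hit a canary hard.
    The packet threshold separates the botnet flood from ordinary visitors."""
    seen = defaultdict(set)
    for run_id, src, dst, packets in runs:
        if dst in CANARIES and packets >= min_packets and is_ours(src):
            seen[run_id].add(src)
    return dict(seen)

def foreign_attackers(runs, min_packets=1000):
    """Sources outside our space that attacked a canary: candidates for abuse
    reports to the responsible network, never for our own quarantine."""
    return {src for _, src, dst, packets in runs
            if dst in CANARIES and packets >= min_packets and not is_ours(src)}

def aggregate(runs, min_packets=1000):
    """Union across runs: src -> number of runs in which it attacked.
    Several runs are needed because each purchased attack only exercises
    part of the botnet."""
    counts = defaultdict(int)
    for srcs in attackers_per_run(runs, min_packets).values():
        for src in srcs:
            counts[src] += 1
    return dict(counts)

def quarantine_delay_hours(src, secret=b"rotate-me", min_hours=12, max_hours=72):
    """Per-source delay before quarantine, derived from a keyed hash so that it
    is reproducible for the operator but not predictable from outside. Spreading
    quarantines over days stops the booter from pairing 'attack at T' with
    'customer cut off at T+x' and thereby learning which targets are bait."""
    digest = hashlib.blake2b(src.encode(), key=secret, digest_size=8).digest()
    return min_hours + int.from_bytes(digest, "big") % (max_hours - min_hours + 1)

def quarantine_plan(runs, min_runs=1):
    """src -> delay in hours, for every confirmed attacker in our space."""
    return {src: quarantine_delay_hours(src)
            for src, n in aggregate(runs).items() if n >= min_runs}

if __name__ == "__main__":
    for src, hours in sorted(quarantine_plan(SAMPLE_RUNS).items()):
        print(f"{src}: quarantine in {hours}h")
```

Two caveats a practitioner would add: behind NAT or CGNAT a source address is a household or a whole address pool rather than one device, so "quarantine" should mean a walled garden plus a notification, not a hard disconnect; and whether an ISP may lawfully purchase an attack against its own servers is a legal and contractual question this example does not answer.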


Re: MPLS in the campus Network?

2016-10-22 Thread Marian Ďurkovič
On Sat, 22 Oct 2016 21:29:22 +0200, Mark Tinka wrote 
> On 21/Oct/16 19:02, Javier Solis wrote:
> > With that said, what are the best options to be able to cost effectively
> > scale without using vlans and maintaining a routed core? What technology
> > would someone suggest (mpls, vxlan,etc) to be the best possible solution?
>
> IME, MPLS is a good use-case here. If you are going to use the same /24 (or
> whatever prefix applies to you) across multiple locations, you will need some
> kind of overlay. Be it IP-in-IP, GRE, MPLS (l2vpn's or l3vpn's) or plain old
> Ethernet, you will need something.
>
> MPLS makes a lot of sense to me. It's native in hardware, upper-layer
> agnostic, mature, and reasonably affordable even at low scale.

The question here is whether MPLS is the *optimal* solution for campus needs.

The same functionality could obviously be achieved by multiple technologies,
and while MPLS is well supported on high-end SP routers, various limitations
appear when people try to use it on the commodity ASICs which typically power
today's ethernet switches - one of them being e.g. limited ability to
effectively load-balance traffic over multiple parallel links.

Yes, in theory we could build all campus LANs using high-end SP routers, but
when a 100GE backbone is desired (which is often the case in the EDU/NREN sector),
the costs of such a solution jump to unacceptable heights.

Thus we looked for another technology, which doesn't have the usual L2 problems
and is able to provide the services we need (including L2 extensions to remote
campuses) at reasonable cost and with enough simplicity.

To avoid typical L2 problems, you clearly need a solution based on L3 routing.
And TRILL is exactly that - although it maintains an L2 interface to the outside
world, internally it performs dynamic L3 routing via the IS-IS protocol with all
the safety belts like TTL check, RPF check etc.

IMHO, TRILL is a much better fit for campus needs, since it was specifically
designed for this networking space - and our 6 months in production fully
confirm that view (of course, YMMV).


   With kind regards,

   M.



Re: Death of the Internet, Film at 11

2016-10-22 Thread Stephen Satchell
That's what VPNs are for.

On 10/22/2016 10:04 AM, jim deleskie wrote:
> It is also likely the desired use case.  In my office I like to be able to
> login when needed when on the road, when the alarm company calls me at 2am
> for a false alarm so I don't have to get someone else out of bed to have
> them dispatched to check on the site.
> 
> -jim
> 
> On Sat, Oct 22, 2016 at 1:42 PM, Chris Boyd  wrote:
> 
>>
>>> On Oct 22, 2016, at 7:34 AM, Mike Hammett  wrote:
>>>
>>> "taken all necessary steps to insure that none of the numerous specific
>> types of CCVT thingies that Krebs and others identified"
>>>
>>> Serious question... how?
>>
>> Putting them behind a firewall without general Internet access seems to
>> work for us.  We have a lot of cheap IP cameras in our facility and none of
>> them can reach the net.  But this is probably a bit beyond the capabilities
>> of the general home user.
>>
>> —Chris
>>
>>



Re: Death of the Internet, Film at 11

2016-10-22 Thread Mike Hammett
Until Dyn says or someone says Dyn said, everything is assumed. 




- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

- Original Message -

From: "Peter Baldridge"  
To: "Jean-Francois Mezei"  
Cc: nanog@nanog.org 
Sent: Saturday, October 22, 2016 4:45:13 PM 
Subject: Re: Death of the Internet, Film at 11 

On Sat, Oct 22, 2016 at 1:47 PM, Jean-Francois Mezei 
 wrote: 
> Generic question: 
> 
> The media seems to have concluded it was an "internet of things" that 
> caused this DDoS. 
> 
> I have not seen any evidence of this. Has this been published by an 
> authoritative source or is it just assumed? 

Flashpoint[0], krebs[1], arstechnica[2]. I'm not sure what credible 
looks like unless they release a packet but this is probably 
consensus. 

> Has the type of device involved been identified? 

routers and cameras with shitty firmware [3] 

> Is it more plausible that those devices were "hacked" in the OEM 
> firmware and sold with the "virus" built-in ? That would explain the 
> widespread attack. 

The source code has been released. krebs [4], code [5] 

> Also, in cases such as this one, while the target has managed to 
> mitigate the attack, how long would such an attack typically continue 
> and require blocking ? 
This is an actual question that hasn't been answered. 

> Since the attack seemed focused on eastern USA DNS servers, would it be 
> fair to assume that the attacks came mostly from the same region (aka: 
> devices installed in eastern USA) ? (since anycast would point them to 
> that). 

Aren't heat maps just population graphs? 

> BTW, normally, if you change the "web" password on a "device", it would 
> also change telnet/SSH/ftp passwords. 

Seems like no one is doing either. 

[0] https://www.flashpoint-intel.com/mirai-botnet-linked-dyn-dns-ddos-attacks/ 
[1] https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/
[2] http://arstechnica.com/security/2016/10/double-dip-internet-of-things-botnet-attack-felt-across-the-internet/
[3] https://blog.sucuri.net/2016/09/iot-home-router-botnet-leveraged-in-large-ddos-attack.html
[4] https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/
[5] https://github.com/jgamblin/Mirai-Source-Code
-- 

Pete Baldridge 
206.992.2852 



Re: Death of the Internet, Film at 11

2016-10-22 Thread Peter Baldridge
On Sat, Oct 22, 2016 at 1:47 PM, Jean-Francois Mezei
 wrote:
> Generic question:
>
> The media seems to have concluded it was an "internet of things" that
> caused this DDoS.
>
> I have not seen any evidence of this. Has this been published by an
> authoritative source or is it just assumed?

Flashpoint[0], krebs[1], arstechnica[2].  I'm not sure what credible
looks like unless they release a packet but this is probably
consensus.

> Has the type of device involved been identified?

routers and cameras with shitty firmware [3]

> Is it more plausible that those devices were "hacked" in the OEM
> firmware and sold with the "virus" built-in ? That would explain the
> widespread attack.

The source code has been released. krebs [4], code [5]

> Also, in cases such as this one, while the target has managed to
> mitigate the attack, how long would such an attack typically continue
> and require blocking ?
  This is an actual question that hasn't been answered.

> Since the attack seemed focused on eastern USA DNS servers, would it be
> fair to assume that the attacks came mostly from the same region (aka:
> devices installed in eastern USA) ? (since anycast would point them to
> that).

Aren't heat maps just population graphs?

> BTW, normally, if you change the "web" password on a "device", it would
> also change telnet/SSH/ftp passwords.

Seems like no one is doing either.

[0] https://www.flashpoint-intel.com/mirai-botnet-linked-dyn-dns-ddos-attacks/
[1] https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/
[2] http://arstechnica.com/security/2016/10/double-dip-internet-of-things-botnet-attack-felt-across-the-internet/
[3] https://blog.sucuri.net/2016/09/iot-home-router-botnet-leveraged-in-large-ddos-attack.html
[4] https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/
[5] https://github.com/jgamblin/Mirai-Source-Code
-- 

Pete Baldridge
206.992.2852


Re: Death of the Internet, Film at 11

2016-10-22 Thread Mel Beckman
> Vast majority of homes are behind NAT, which means that an incoming
> packet has very little chance of reaching the IoT gizmo.


UPnP exposes many IoT devices to the Internet, plus they're always exposed on
the LAN, where many viruses find them and use backdoors to conscript them.
Several bad actors are currently selling access to their IoT minions for DDoS
purposes.

This is not new. What's new is that minion control seems to have been 
aggregated into a small number of malicious twerps. 

 -mel beckman

> On Oct 22, 2016, at 1:48 PM, Jean-Francois Mezei 
>  wrote:
> 
> Generic question:
> 
> The media seems to have concluded it was an "internet of things" that
> caused this DDoS.
> 
> I have not seen any evidence of this. Has this been published by an
> authoritative source or is it just assumed?
> 
> Has the type of device involved been identified?
> 
> I am curious how some hacker in a basement with his TRS80 or Commodore
> Pet would be able to reach "billions" of these devices to reprogram them.
> The vast majority of homes are behind NAT, which means that an incoming
> packet has very little chance of reaching the IoT gizmo.
> 
> I am guessing/hoping such devices have been identified and some
> homeowners contacted and asked to volunteer their device for forensic
> analysis of where the attack came from ?
> 
> Is it more plausible that those devices were "hacked" in the OEM
> firmware and sold with the "virus" built-in ? That would explain the
> widespread attack.
> 
> Also, in cases such as this one, while the target has managed to
> mitigate the attack, how long would such an attack typically continue
> and require blocking ?
> 
> Since the attack seemed focused on eastern USA DNS servers, would it be
> fair to assume that the attacks came mostly from the same region (aka:
> devices installed in eastern USA) ? (since anycast would point them to
> that).
> 
> Or did the attack use actual IP addresses instead of the unicast ones
> to specifically target servers ?
> 
> 
> 
> BTW, normally, if you change the "web" password on a "device", it would
> also change telnet/SSH/ftp passwords.


Re: Death of the Internet, Film at 11

2016-10-22 Thread Jean-Francois Mezei
Generic question:

The media seems to have concluded it was an "internet of things" that
caused this DDoS.

I have not seen any evidence of this. Has this been published by an
authoritative source or is it just assumed?

Has the type of device involved been identified?

I am curious how some hacker in a basement with his TRS80 or Commodore
Pet would be able to reach "billions" of these devices to reprogram them.
The vast majority of homes are behind NAT, which means that an incoming
packet has very little chance of reaching the IoT gizmo.

I am guessing/hoping such devices have been identified and some
homeowners contacted and asked to volunteer their device for forensic
analysis of where the attack came from ?

Is it more plausible that those devices were "hacked" in the OEM
firmware and sold with the "virus" built-in ? That would explain the
widespread attack.

Also, in cases such as this one, while the target has managed to
mitigate the attack, how long would such an attack typically continue
and require blocking ?

Since the attack seemed focused on eastern USA DNS servers, would it be
fair to assume that the attacks came mostly from the same region (aka:
devices installed in eastern USA) ? (since anycast would point them to
that).

Or did the attack use actual IP addresses instead of the unicast ones
to specifically target servers ?



BTW, normally, if you change the "web" password on a "device", it would
also change telnet/SSH/ftp passwords.


Re: MPLS in the campus Network?

2016-10-22 Thread Mark Tinka


On 21/Oct/16 19:02, Javier Solis wrote:

> With that said, what are the best options to be able to cost
> effectively scale without using vlans and maintaining a routed core?
> What technology would someone suggest (mpls, vxlan,etc) to be the best
> possible solution?
>

IME, MPLS is a good use-case here. If you are going to use the same /24
(or whatever prefix applies to you) across multiple locations, you will
need some kind of overlay. Be it IP-in-IP, GRE, MPLS (l2vpn's or
l3vpn's) or plain old Ethernet, you will need something.

MPLS makes a lot of sense to me. It's native in hardware, upper-layer
agnostic, mature, and reasonably affordable even at low scale. While I
would not say MPLS is simple from a "complexity in your network"
standpoint, it does provide a notable amount of simplicity when you're
looking for an overlay that is transparent to all manner of Layer 2 and
Layer 3 applications that a packet-based network needs to transport.

Mark.


Re: Death of the Internet, Film at 11

2016-10-22 Thread David Conrad
Mike,

On October 22, 2016 at 8:09:34 AM, Mike Hammett (na...@ics-il.net) wrote:

> How can I as a network operator seek out and eliminate the sources of these
> attacks?

Maybe (not sure) one way would be to examine your resolver query logs to look
for queries for names that fit domain generation algorithm patterns, then
track down the customers/devices that are issuing those queries and politely
suggest they remove the malware on their systems?

Regards,

-drc
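A concrete form of the resolver-log check David suggests, as an added example written for this page (it is not David's code or ISC's). The log lines are constructed in an older BIND 9 query-log layout; the length, entropy and vowel-ratio thresholds are illustrative assumptions, not tuned values.

```python
import math
import re
from collections import defaultdict

# Constructed BIND-9-style query log lines (made up for the example).
SAMPLE_LOG = """\
22-Oct-2016 13:01:02.112 client 10.20.30.40#51234: query: www.example.com IN A + (192.0.2.53)
22-Oct-2016 13:01:02.340 client 10.20.30.40#51240: query: cdn.example.net IN A + (192.0.2.53)
22-Oct-2016 13:01:03.001 client 10.20.30.41#40001: query: xk3qz9vbt2lm7.info IN A + (192.0.2.53)
22-Oct-2016 13:01:03.050 client 10.20.30.41#40002: query: p8wd2ycq0rhs6a.biz IN A + (192.0.2.53)
22-Oct-2016 13:01:03.090 client 10.20.30.41#40003: query: zz4hq1m9xplvk.org IN A + (192.0.2.53)
22-Oct-2016 13:01:03.130 client 10.20.30.41#40004: query: r7tbn2kx5qwl9e.com IN A + (192.0.2.53)
22-Oct-2016 13:01:04.200 client 10.20.30.42#33001: query: mail.google.com IN A + (192.0.2.53)
22-Oct-2016 13:01:04.250 client 10.20.30.42#33002: query: zz4hq1m9xplvk.org IN A + (192.0.2.53)
"""

LOG_RE = re.compile(r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")

def parse_log(text):
    """Yield (client_ip, qname) for each query line; unparseable lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.group("ip"), m.group("qname").rstrip(".").lower()

def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registrable_label(qname):
    """Second-level label ('example' for www.example.com). Scoring this label,
    not the full name, avoids flagging hashed hostnames under known CDN domains.
    Naive: does not handle multi-label public suffixes such as co.uk."""
    parts = qname.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def looks_generated(label, min_len=10, min_entropy=3.0, max_vowel_ratio=0.3):
    """Heuristic DGA test: a long, high-entropy label with digits mixed into
    consonant-heavy text. Thresholds are illustrative assumptions."""
    if len(label) < min_len:
        return False
    digits = sum(ch.isdigit() for ch in label)
    letters = sum(ch.isalpha() for ch in label)
    vowels = sum(ch in "aeiou" for ch in label)
    vowel_ratio = vowels / letters if letters else 0.0
    return (shannon_entropy(label) >= min_entropy
            and digits >= 1
            and vowel_ratio < max_vowel_ratio)

def flag_clients(log_text, min_names=3):
    """client_ip -> sorted list of DGA-looking names, for clients that queried
    at least min_names distinct such names (one odd lookup is not evidence)."""
    hits = defaultdict(set)
    for ip, qname in parse_log(log_text):
        if looks_generated(registrable_label(qname)):
            hits[ip].add(qname)
    return {ip: sorted(names) for ip, names in hits.items() if len(names) >= min_names}

if __name__ == "__main__":
    for ip, names in flag_clients(SAMPLE_LOG).items():
        print(ip, names)
```

In practice you would also correlate with NXDOMAIN responses (a DGA client produces bursts of them while hunting for the live C2 name) and maintain an allow-list of CDN and analytics domains that legitimately use random-looking labels. The client address identifies a subscriber line, not a device, once NAT is involved, and the whole approach only finds malware that actually uses a DGA; a bot with a hard-coded C2 hostname will not show up this way.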






Re: Death of the Internet, Film at 11

2016-10-22 Thread jim deleskie
Sure, but now we put it outside the skill level of 99.99% of the people
that don't read and understand this list.

-jim

On Sat, Oct 22, 2016 at 2:09 PM, Luke Guillory 
wrote:

> VPNs can accomplish this without opening ports directly to devices.
>
> Luke
>
>
> *Sent from my iPhone*
>
> On Oct 22, 2016, at 12:06 PM, jim deleskie  wrote:
>
> It is also likely the desired use case.  In my office I like to be able to
> login when needed when on the road, when the alarm company calls me at 2am
> for a false alarm so I don't have to get someone else out of bed to have
> them dispatched to check on the site.
>
> -jim
>
> On Sat, Oct 22, 2016 at 1:42 PM, Chris Boyd wrote:
>
> > On Oct 22, 2016, at 7:34 AM, Mike Hammett  wrote:
> >
> > > "taken all necessary steps to insure that none of the numerous specific
> > > types of CCVT thingies that Krebs and others identified"
> > >
> > > Serious question... how?
> >
> > Putting them behind a firewall without general Internet access seems to
> > work for us.  We have a lot of cheap IP cameras in our facility and none of
> > them can reach the net.  But this is probably a bit beyond the capabilities
> > of the general home user.
> >
> > —Chris
>
> Luke Guillory
> Network Operations Manager
> Tel: 985.536.1212
> Fax: 985.536.0300
> Email: lguill...@reservetele.com
> Web: www.rtconline.com
> Reserve Telecommunications
> 100 RTC Dr
> Reserve, LA 70084
>
>


Re: Death of the Internet, Film at 11

2016-10-22 Thread Mike Hammett
It's also generally counter to them being available outside of that network 
(web and proprietary interfaces needed, SSH and telnet not). There's also not 
much I can do about that as a network operator. 






- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

- Original Message -

From: "Chris Boyd"  
To: "Elizabeth Zwicky via NANOG"  
Sent: Saturday, October 22, 2016 11:42:05 AM 
Subject: Re: Death of the Internet, Film at 11 


> On Oct 22, 2016, at 7:34 AM, Mike Hammett  wrote: 
> 
> "taken all necessary steps to insure that none of the numerous specific types 
> of CCVT thingies that Krebs and others identified" 
> 
> Serious question... how? 

Putting them behind a firewall without general Internet access seems to work 
for us. We have a lot of cheap IP cameras in our facility and none of them can 
reach the net. But this is probably a bit beyond the capabilities of the 
general home user. 

—Chris 




Re: Death of the Internet, Film at 11

2016-10-22 Thread jim deleskie
It is also likely the desired use case.  In my office I like to be able to
login when needed when on the road, when the alarm company calls me at 2am
for a false alarm so I don't have to get someone else out of bed to have
them dispatched to check on the site.

-jim

On Sat, Oct 22, 2016 at 1:42 PM, Chris Boyd  wrote:

>
> > On Oct 22, 2016, at 7:34 AM, Mike Hammett  wrote:
> >
> > "taken all necessary steps to insure that none of the numerous specific
> types of CCVT thingies that Krebs and others identified"
> >
> > Serious question... how?
>
> Putting them behind a firewall without general Internet access seems to
> work for us.  We have a lot of cheap IP cameras in our facility and none of
> them can reach the net.  But this is probably a bit beyond the capabilities
> of the general home user.
>
> —Chris
>
>


Re: Death of the Internet, Film at 11

2016-10-22 Thread Chris Boyd

> On Oct 22, 2016, at 7:34 AM, Mike Hammett  wrote:
> 
> "taken all necessary steps to insure that none of the numerous specific types 
> of CCVT thingies that Krebs and others identified" 
> 
> Serious question... how? 

Putting them behind a firewall without general Internet access seems to work 
for us.  We have a lot of cheap IP cameras in our facility and none of them can 
reach the net.  But this is probably a bit beyond the capabilities of the 
general home user.

—Chris



Re: Dyn DDoS this AM?

2016-10-22 Thread marcel.duregards--- via NANOG
Patrick,

We are a client of three tier-1s. On our netflow collector, we can observe that
RFC1918-source IP traffic is entering our AS via two of those tier-1s.
Yes, two big tier-1s allow private IP traffic coming from their networks,
clients and peerings to reach other customers, via Internet links, on
public IPs. Of course this traffic is dropped on our BGP borders as we
are filtering. But it's still filling the pipe, and this is still
INVALID/UNAUTHORIZED traffic.

We wrote to them to verify if customers are technically allowed to send
RFC1918 traffic over their backbone, and if we are also allowed to do
so. And the answer was really evasive, like: "contractually you're
not allowed".

So now tell me WTF BCP38 will provide you when tier-1s do not care at
all and do not maintain basic filtering to/from their customers.
And then they try to sell you their anti-DDoS services, because you know,
DDoS sucks. Big joke.

What about BCP38+84 on 30 tier-1s instead of asking/hoping for 55k other
autonomous systems to have good filters in place?

--
Marcel

On 21.10.2016 17:48, Patrick W. Gilmore wrote:
> To the rest of the community:
> If you can help, please do. I know a lot of you are thinking “what can I do?" 
> There is a lot you can do. BCP38 & BCP84 instantly come to mind. Sure, that 
> doesn’t help Mirai, but it still helps. There are many other things you can 
> do as well.
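Both halves of Marcel's complaint, as an added example written for this page (not Marcel's tooling): an ingress check over sampled flow records that attributes private and special-use source addresses to the neighbour they came in on, and the matching BCP38 egress check on our own customer ports. The flow records, the interface-to-neighbour mapping and the prefix are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sampled-flow export (CSV). Made up for the example; the
# ifindex-to-neighbour mapping is an assumption about the collector setup.
INGRESS_FLOWS = """\
ifindex,src,dst,bytes
101,10.4.7.9,203.0.113.10,1480
101,198.51.100.23,203.0.113.10,920
102,192.168.1.50,203.0.113.20,1500
102,0.0.0.0,203.0.113.20,60
103,192.0.2.77,203.0.113.30,800
101,172.16.9.1,203.0.113.10,1500
102,198.18.0.5,203.0.113.20,1500
"""
INGRESS_NEIGHBOUR = {101: "transit-A", 102: "transit-B", 103: "peer-C"}

# Constructed flows leaving our own customer ports towards the Internet.
EGRESS_FLOWS = """\
ifindex,src,dst,bytes
201,203.0.113.5,192.0.2.1,1200
201,203.0.113.77,192.0.2.1,1200
202,198.51.100.7,192.0.2.1,1500
202,10.0.0.3,192.0.2.1,1500
"""
OUR_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]   # assumption: our allocation

# Source ranges that must never arrive from the Internet: RFC 1918 plus the
# special-purpose blocks of RFC 6890. Documentation ranges are left out only
# because this example uses them as stand-ins for real addresses; include them
# (and a full bogon feed) in production.
NEVER_FROM_INTERNET = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "224.0.0.0/4", "240.0.0.0/4",
)]

def parse_flows(text):
    """Yield (ifindex, src, dst, bytes) from the CSV export, skipping the header."""
    for row in text.strip().splitlines()[1:]:
        ifindex, src, dst, nbytes = row.split(",")
        yield int(ifindex), src, dst, int(nbytes)

def in_any(addr, networks):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)

def ingress_bogon_report(text):
    """neighbour -> (flows, bytes) of traffic whose source address the sending
    network should have dropped: the evidence Marcel describes seeing from two
    tier-1s, broken out per upstream so it can be attached to an escalation."""
    report = defaultdict(lambda: [0, 0])
    for ifindex, src, _dst, nbytes in parse_flows(text):
        if in_any(src, NEVER_FROM_INTERNET):
            name = INGRESS_NEIGHBOUR.get(ifindex, f"ifindex-{ifindex}")
            report[name][0] += 1
            report[name][1] += nbytes
    return {name: tuple(v) for name, v in report.items()}

def egress_spoof_report(text):
    """Our own BCP38 check: sources leaving customer ports that are not in our
    prefixes. Each entry is a port where source-address validation is missing."""
    bad = defaultdict(set)
    for ifindex, src, _dst, _nbytes in parse_flows(text):
        if not in_any(src, OUR_PREFIXES):
            bad[ifindex].add(src)
    return {ifindex: sorted(srcs) for ifindex, srcs in bad.items()}

if __name__ == "__main__":
    print("ingress bogon sources:", ingress_bogon_report(INGRESS_FLOWS))
    print("egress spoofed sources:", egress_spoof_report(EGRESS_FLOWS))
```

The ingress report only shows which neighbour delivered the traffic, not who originated it; that is still the right party to escalate to, with the per-neighbour flow and byte counts as the attachment. The egress report is the list of ports to fix, typically with strict-mode uRPF or an explicit source prefix filter on the customer-facing interface.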


Re: Dyn DDoS this AM?

2016-10-22 Thread Ken Chase
(Inband signalling - bad except for BGP?)

General comment: why are we blaming the client devices for the lack of security?

This is like Microsoft vilifying linux in the late 90s because "there's no
restrictions on use or packet crafting on the client side" - of course there
isn't, in Windows either -- can't trust the client side, ever. Check out online
gaming, so many h4x 'n bots.

Let's stop trying to fix the clients, there'll always be bad actors/crappy
coding.

Let's fix the networks. 

Pay-to-play? People are sensitive in the pocketbooks. NetCoin or something to
purchase dataflows? I don't know. Also sounds terrible. ("That's an internet
tax!!!111"). But Something Must Be Done[tm], by us, soon, or we'll be
dealing with govt cures which will be worse than the disease.

Regulating devices will never happen. Have you checked out world trade
regulations?  The US can't get Chinese firms to stop shipping
deadly-to-the-touch chemwep/drug carfentanil, how we gonna enforce security
standards on COTS electronics? (More govt soln's/approvals too. Fear.)

We have control of the networks. Let's do something.

(can't find the carfentanil story on nytimes anymore, pulled?
http://www.nytimes.com/aponline/2016/10/07/world/asia/ap-as-china-chemical-weapons.html
 )

/kc


On Sat, Oct 22, 2016 at 04:54:47PM +0200, Mikael Abrahamsson said:
  >On Sat, 22 Oct 2016, Alexander Maassen wrote:
  >
  >>Remember ping packets containing +++ATH0 ?
  >
  >That only worked because of patents:
  >
  >https://en.wikipedia.org/wiki/Time_Independent_Escape_Sequence
  >
  >Inband signaling is bad, mmmkay?
  >
  >-- 
  >Mikael Abrahamsson    email: swm...@swm.pp.se

--
Ken Chase - Guelph Canada


Re: Dyn DDoS this AM?

2016-10-22 Thread Florian Weimer
* Randy Bush:

> anyone who relies on a single dns provider is just asking for stuff such
> as this.

Blaming the victim isn't helpful.  And without end-user-visible
changes, most of the victims would still depend on Verisign as a
single provider for a critical part of their DNS service.


Re: Death of the Internet, Film at 11

2016-10-22 Thread Mike Hammett
Not trolling in the least. I'm genuinely trying my best to help the greater 
community. 

Agreed on ShadowServer. I get their reports and I recommend others do the same. 

Oh, okay, I responded to someone that said: 

= 
Every 
network operator who can do so, please raise your hand if you have 
*recently* scanned you own network and if you can -honestly- attest 
that you have taken all necessary steps to insure that none of the 
numerous specific types of CCVT thingies that Krebs and others identified 
weeks or months ago as being fundamentally insecure can emit a single 
packet out onto the public Internet. 
= 

That's the direction I was heading. How can I as a network operator seek out 
and eliminate the sources of these attacks? 




- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

- Original Message -

From: "Brandon Butterworth"  
To: na...@ics-il.net 
Cc: nanog@nanog.org 
Sent: Saturday, October 22, 2016 10:02:42 AM 
Subject: Re: Death of the Internet, Film at 11 

> From nanog-boun...@nanog.org Sat Oct 22 15:51:34 2016 
> If they are easy to trace, then it should be easy for you to 
> tell me how to find them on my network. 

Not sure if you're trolling now, apologies if what I wrote 
wasn't clear. 

If you did want to find them before they attack, then you could 
scan for them; the miscreants already did and easily found them. 

For some attack vectors there are services that are doing it 
for you, see the excellent 
https://www.shadowserver.org/wiki/pmwiki.php/Involve/GetReportsOnYourNetwork 

> The addresses being known to them doesn't help me at all clean 
> up my network or help other networks clean up theirs. 

Did you read my whole mail? The suggestion is that people who get attacked 
tell the ISPs of the devices doing the attacking. 

> It would be rather difficult for me (and I'm sure many other operators) 
> to distinguish normal Dyn traffic from DDoS Dyn traffic. 

I was not suggesting you try and guess, I was suggesting you be given 
data from actual attacks. 

brandon 



Re: Death of the Internet, Film at 11

2016-10-22 Thread Brandon Butterworth
> From nanog-boun...@nanog.org  Sat Oct 22 15:51:34 2016
> If they are easy to trace, then it should be easy for you to
> tell me how to find them on my network. 

Not sure if you're trolling now, apologies if what I wrote
wasn't clear.

If you did want to find them before they attack then you could
scan for them, the miscreants already did and easily found them.

For some attack vectors there are services that are doing it
for you, see the excellent
https://www.shadowserver.org/wiki/pmwiki.php/Involve/GetReportsOnYourNetwork

> The addresses being known to them doesn't help me at all clean
> up my network or help other networks clean up theirs. 

Did you read my whole mail? The suggestion is people who get attacked
tell the ISPs of the devices doing the attacking

> It would be rather difficult for me (and I'm sure many other operators)
> to distinguish normal Dyn traffic from DDoS Dyn traffic. 

I was not suggesting you try and guess, I was suggesting you be given
data from actual attacks.

brandon


Re: Dyn DDoS this AM?

2016-10-22 Thread Mikael Abrahamsson

On Sat, 22 Oct 2016, Alexander Maassen wrote:

> Remember ping packets containing +++ATH0 ?


That only worked because of patents:

https://en.wikipedia.org/wiki/Time_Independent_Escape_Sequence

Inband signaling is bad, mmmkay?

--
Mikael Abrahamsson    email: swm...@swm.pp.se


Re: Death of the Internet, Film at 11

2016-10-22 Thread Mike Hammett
If they are easy to trace, then it should be easy for you to tell me how to 
find them on my network. 

The addresses being known to them doesn't help me at all clean up my network or 
help other networks clean up theirs. 

It would be rather difficult for me (and I'm sure many other operators) to 
distinguish normal Dyn traffic from DDoS Dyn traffic. 




- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

- Original Message -

From: "Brandon Butterworth"  
To: na...@ics-il.net 
Cc: nanog@nanog.org 
Sent: Saturday, October 22, 2016 9:41:52 AM 
Subject: Re: Death of the Internet, Film at 11 

> "their" Whose addresses are known 

The "CCVT thingies" you refer to. Unlike spoof 
attacks these are easy to trace 

> and who are they known to? 

Those who were attacked by them or worked on mitigation of 
the attack. If not this time then they should next time 
as there will be a next time. 

> Some work can produce Dyn allocations, I suppose. 

Indeed, that is what I was saying 

brandon 



Re: Death of the Internet, Film at 11

2016-10-22 Thread Rich Kulawiec
On Sat, Oct 22, 2016 at 03:22:55PM +0100, Brandon Butterworth wrote:
> Well their addresses are now known so one way would be for each ISP to
> drop traffic from them. If people don't fix them why should these
> devices stay on the net?

Bingo.  The manufacturer of these decided to build them as cheaply as
possible in order to maximize profit.  They neglected even rudimentary
security and maintenance/update measures.  Because they could.  Because
they chose to.  They thus shifted the burden, and thus the cost,
of running them in a secure fashion onto us.

Yesterday everyone paid that cost.

It's time to shift the cost back.  Drop all their traffic and when the
support calls come, tell them that they bought a known-defective device
which is an operational hazard to the network, and refer them to
the manufacturer for replacement/repair/refund.

Note: every other vendor out there who might be tempted to cut corners is
no doubt watching this and trying to gauge whether they can do the same.

---rsk


Re: Death of the Internet, Film at 11

2016-10-22 Thread Brandon Butterworth
> "their" Whose addresses are known

The "CCVT thingies" you refer to. Unlike spoof
attacks these are easy to trace

> and who are they known to?

Those who were attacked by them or worked on mitigation of
the attack. If not this time then they should next time
as there will be a next time.

> Some work can produce Dyn allocations, I suppose. 

Indeed, that is what I was saying

brandon


Re: Death of the Internet, Film at 11

2016-10-22 Thread Mike Hammett
"their" Whose addresses are known and who are they known to? I certainly don't 
know the addresses of anyone involved. Some work can produce Dyn allocations, I 
suppose. 




- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

- Original Message -

From: "Brandon Butterworth"  
To: na...@ics-il.net 
Cc: nanog@nanog.org 
Sent: Saturday, October 22, 2016 9:22:55 AM 
Subject: Re: Death of the Internet, Film at 11 

> From: Mike Hammett  
> "taken all necessary steps to insure that none of the numerous specific types 
> of CCVT thingies that Krebs and others identified" 
> 
> Serious question... how? 

Well their addresses are now known so one way would be for each ISP to 
drop traffic from them. If people don't fix them why should these 
devices stay on the net? If say Comcast has a million of them it might 
be tricky to scale but not impossible 

It'd take a bit of effort and care to aggregate and disseminate the 
data to each responsible AS, there'd be risk of bad guys getting the 
data and false positives/people spoofing to attack others. They'd also 
be building a tool that some might try to hijack for other purposes. 

None of that is an excuse to do nothing as is usually the result with 
any suggested measure that involves doing work to fix a problem 

I know ISPs generally don't want the support calls but they'll end up 
with them and a legislative burden with commercial liability if they 
don't sort it out themselves. 

brandon 



Re: Death of the Internet, Film at 11

2016-10-22 Thread Brandon Butterworth
> From: Mike Hammett 
> "taken all necessary steps to insure that none of the numerous specific types 
> of CCVT thingies that Krebs and others identified" 
> 
> Serious question... how? 

Well their addresses are now known so one way would be for each ISP to
drop traffic from them. If people don't fix them why should these
devices stay on the net? If say Comcast has a million of them it might
be tricky to scale but not impossible

It'd take a bit of effort and care to aggregate and disseminate the
data to each responsible AS, there'd be risk of bad guys getting the
data and false positives/people spoofing to attack others. They'd also
be building a tool that some might try to hijack for other purposes.

None of that is an excuse to do nothing as is usually the result with
any suggested measure that involves doing work to fix a problem

I know ISPs generally don't want the support calls but they'll end up
with them and a legislative burden with commercial liability if they
don't sort it out themselves.

brandon


Re: Death of the Internet, Film at 11

2016-10-22 Thread Stephen Satchell
On 10/22/2016 05:34 AM, Mike Hammett wrote:
> "taken all necessary steps to insure that none of the numerous specific types 
> of CCVT thingies that Krebs and others identified" 
> 
> Serious question... how? 
> 

Network operators can only do so much.  By the time traffic enters into
an ISP's traffic aggregation point, any flow monitoring and throttling
would have a minimal effect.  Not saying that it shouldn't be
considered.  The correct answer includes throttling the traffic much
closer to the source.

The obvious answer is that the device that bridges IoT to the upstream
link in the home or office have the capability of rate-limiting upstream
traffic.  Perhaps on a per-MAC basis.  When does a thermostat, light
bulb, or refrigerator need 1-megabyte/s uplink channels?  For that
matter, how many computers -- especially laptops -- need that kind of
upstream capacity?

(Yes, yes, YouTube publishers and VLAN links to the office, to name two,
will need that kind of channel; see below.  Gamers need small,
low-latency channels, so the throttling can't be too aggressive.
Public-access storage, web and mail servers, obviously.  IP-connected
Web cameras need some upstream capacity, but not a full-bore one.  The
uplink throttle can take into consideration "reasonable" upstream rates
for cameras.)

For wireless access points, the place to start would be with the OpenWRT
package, to serve as a model for what *can* be done.  Once we have a
proof of concept, it would raise the bar for "commercial"
implementations.  THAT would then provide an opportunity for the
three-letter Federal agencies to specify reasonable regulations, should
Congress so decide this is necessary.  It's much easier for regulatory
bodies to say "this software does it, why can't yours?" instead of
saying "you [manufacturer] go figure it out".

The ripple effect throughout the world would go a long way to curbing
the problem.  Especially if other regulatory administrations follow
suit, so that the enabling crap routers are weeded out.

What about the exceptions?  For those rare cases where one needs a
high-rate upstream channel for a node on the wireless network (or wired
network, for that matter), the firmware in the traffic aggregating
device can allow for specific exceptions to the rate-limit rules.  One
method is to tie exceptions to the device MAC address, or range of MAC
addresses.  Another is to tie exceptions to ports, with WiFi being a
single "port" in this context.  Generators of high-speed upstream
traffic would, for example, need a wired connection in order to do this.
This would *not* affect most WiFi-connected peripherals, like printers,
because the AP would limit upstream traffic, not downstream.

The ISP would then have something to sell to the customer, to replace
the local POS router/WAP that the customer is currently using.

Hmmm...something to think about as I build the Linux IPTABLES Firewall
Rule Generator Mk III...
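A sketch of the per-MAC upstream throttle with MAC-based exceptions described above, as an added example that is not from the thread and not Satchell's rule generator: it emits (rather than applies) tc HTB and iptables mangle commands for a Linux/OpenWRT-style AP. The interface names, MAC addresses and rates are constructed placeholders.

```shell
#!/bin/sh
# Added example (not code from the thread). Generates, but does not apply,
# the shaping rules for a per-device upstream cap on a Linux/OpenWRT-style AP.
# Assumed layout: clients on bridge $LAN, upstream link on $WAN (placeholders).
WAN="${WAN:-eth0}"
LAN="${LAN:-br-lan}"

# Print one client's rules: mark its packets by source MAC as they enter from
# the LAN, then steer that fwmark into its own HTB class on the upstream side.
# Downstream traffic is untouched, so printers and other peripherals work as
# before; only what the device can push out is capped.
emit_client() {
  mac="$1"; mark="$2"; rate="$3"; ceil="$4"
  echo "iptables -t mangle -A PREROUTING -i $LAN -m mac --mac-source $mac -j MARK --set-mark $mark"
  echo "tc class add dev $WAN parent 1:1 classid 1:$mark htb rate $rate ceil $ceil"
  echo "tc filter add dev $WAN parent 1: protocol ip prio 1 handle $mark fw flowid 1:$mark"
}

# gen_rules CLIENTS EXCEPTIONS LINK_RATE DEFAULT_RATE
#   CLIENTS      whitespace-separated MACs seen on the LAN (lower case)
#   EXCEPTIONS   whitespace-separated "mac/rate/ceil" overrides, e.g. a wired
#                NAS or office VLAN uplink that legitimately needs more upstream
#   LINK_RATE    physical upstream rate (e.g. 20mbit)
#   DEFAULT_RATE per-device upstream cap for everything else (e.g. 512kbit)
# Unmarked traffic (a device that appeared after the rules were built) lands
# in the default class, so a new camera or thermostat is capped automatically.
gen_rules() {
  clients="$1"; exceptions="$2"; link_rate="$3"; default_rate="$4"
  echo "tc qdisc del dev $WAN root 2>/dev/null"
  echo "tc qdisc add dev $WAN root handle 1: htb default 10"
  echo "tc class add dev $WAN parent 1: classid 1:1 htb rate $link_rate"
  echo "tc class add dev $WAN parent 1:1 classid 1:10 htb rate $default_rate ceil $default_rate"
  mark=32   # per-client marks start above the default class id
  for mac in $clients; do
    rate="$default_rate"; ceil="$default_rate"
    for ex in $exceptions; do
      if [ "${ex%%/*}" = "$mac" ]; then
        rest="${ex#*/}"; rate="${rest%%/*}"; ceil="${rest#*/}"
      fi
    done
    emit_client "$mac" "$mark" "$rate" "$ceil"
    mark=$((mark + 1))
  done
}

# Run with DEMO=1 to print the rule set for two constructed clients, one of
# which (a wired file server) is exempted from the default cap.
if [ "${DEMO:-0}" = "1" ]; then
  gen_rules "aa:bb:cc:00:00:01 aa:bb:cc:00:00:02" \
            "aa:bb:cc:00:00:02/8mbit/10mbit" 20mbit 512kbit
fi
```

The fwmark is set on ingress from the LAN bridge and survives forwarding, so the `fw` classifier on the WAN interface sees it without any address rewriting getting in the way.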


Re: Death of the Internet, Film at 11

2016-10-22 Thread Leo Bicknell
In a message written on Sat, Oct 22, 2016 at 07:34:55AM -0500, Mike Hammett 
wrote:
> "taken all necessary steps to insure that none of the numerous specific types 
> of CCVT thingies that Krebs and others identified" 

From 
https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/#more-36754

The part that should outrage everyone on this list:

That's because while many of these devices allow users to change
the default usernames and passwords on a Web-based administration
panel that ships with the products, those machines can still be
reached via more obscure, less user-friendly communications services
called "Telnet" and "SSH."

"The issue with these particular devices is that a user cannot
feasibly change this password," Flashpoint's Zach Wikholm told
KrebsOnSecurity.  "The password is hardcoded into the firmware, and
the tools necessary to disable it are not present. Even worse, the
web interface is not aware that these credentials even exist."

As much as I hate to say it, what is needed is regulation.  It could
be some form of self regulation, with retailers refusing to sell
products that aren't "certified" by some group.  It could be full
blown government regulation.  Perhaps a mix.

It's not a problem for a network operator to "solve", any more than
someone who builds roads can make an unsafe car safe.  Yes, both
the network operator and road operator play a role in building safe
infrastructure (BCP38, deformable barriers), but neither can do
anything for a manufacturer who builds a device that is wholly
deficient in the first place.

-- 
Leo Bicknell - bickn...@ufp.org
PGP keys at http://www.ufp.org/~bicknell/




Re: Death of the Internet, Film at 11

2016-10-22 Thread Mike Hammett
"taken all necessary steps to insure that none of the numerous specific types 
of CCVT thingies that Krebs and others identified" 

Serious question... how? 




- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

- Original Message -

From: "Ronald F. Guilmette"  
To: nanog@nanog.org 
Sent: Saturday, October 22, 2016 12:53:42 AM 
Subject: Re: Death of the Internet, Film at 11 


Laszlo Hanyecz wrote: 

>What does BCP38 have to do with this? 

You're right. That's not specifically related to *this* attack. Nobody 
needs to spoof anything when you've got a zillion fire hoses just lying 
around where any 13 year old can command them from the TRS 80 in his mom's 
basement. (I've seen different estimates today. One said there's about 
a half million of these things, but I think I saw where Dyn itself put 
the number of unique IPs in the attack at something like ten million.) 

I just threw out BCP 38 as an example of something *very* minimal that 
the collective Internet, if it had any brains, would have made de rigueur 
for everyone ten+ years ago. BCP 38 is something that I personally view 
as a "no brainer", that is already widely accepted as being necessary, 
and yet is a critical security step that some (many?) are still resisting. 
So, it's like "Well, if the Internet-at-large can't even do *this* simple 
and relatively non-controversial thing, then we haven't got a prayer in 
hell of ever seeing a world-wide determined push to find and neutralize 
all of these bloody damn stupid CCTV things. And when the day comes when 
somebody figures out how to remotely pop a default config Windoze XP 
box... boy oh boy, will *that* be a fun day... NOT! Because we're not 
ready. Nobody's ready. Except maybe DoD, and I'm not even taking bets 
on that one." 

I didn't intend to focus on BCP 38. Everybody knows that's only one 
thing, designed to deal with just one part of the overall problem. The 
overall problem, in my view, is the whole mindset which says "Oh, we 
just connect the wires. Everything else is somebody else's problem." 

Ok, so this mailing list is a list of network operators. Swell. Every 
network operator who can do so, please raise your hand if you have 
*recently* scanned your own network and if you can -honestly- attest 
that you have taken all necessary steps to insure that none of the 
numerous specific types of CCVT thingies that Krebs and others identified 
weeks or months ago as being fundamentally insecure can emit a single 
packet out onto the public Internet. 

And, cue the crickets... 

Recent events, like the Krebs DDoS and the even bigger OVH DDoS, and 
today's events make it perfectly clear to even the most blithering of 
blithering idiots that network operators, en masse, have to start scanning 
their own networks for insecurities. And you'd all better get on that, 
not next fiscal year or even next quarter, but right effing now, because 
the next major event is right around the corner. And remember, *you* 
may not be scanning your networks for easily pop'able boxes, but as we 
should all be crystal clear on by now, that *does not* mean that nobody 
else is doing so. 


Regards, 
rfg 


P.S. The old saying is that idle hands are the devil's playground. In 
the context of the various post-invasion insurgencies, etc., in Iraq, it 
is often mentioned that it was a somewhat less than a brilliant move for 
the U.S. to have disbanded the Iraq army, thereby leaving large numbers 
of trained young men on the streets with no jobs and nothing to do. 

To all of the network operators who think that (or argue that) it will 
be too expensive to hire professionals to come in and do the work to 
scan your networks for known vulnerabilities, I have a simple suggestion. 
Go down to your local high school, find the schmuck who teaches the 
kids about computers, and ask him for the name of his most clever student. 
Then hire that student and put him to work, scanning your network. 

As in Iraq, it will be *much* better to have capable young men inside the 
tent, pissing out, rather than the other way around. 



Re: Dyn DDoS this AM?

2016-10-22 Thread Alexander Maassen
Remember ping packets containing +++ATH0 ?
Kind regards,
Alexander Maassen
- Technical Maintenance Engineer Parkstad Support BV
- Maintainer DroneBL
- Peplink Certified Engineer

 Original message  From: Alain Hebert 
Date: 21-10-16 23:37 (GMT+01:00) To: nanog@nanog.org Subject: Re: Dyn 
DDoS this AM? 
Just a FYI,

That "horrific trend" has been happening since some techie got
dissed on an IRC channel over 20 years ago.

He used a bunch of hosted putters to ICMP flood the IRC server.

Whatever the community is behind, until the carriers decide to wise
up this will keep happening, that is without talking about the
industries being developed around DDoSes events.

Enjoy your weekend. ( I ain't on call anymore anyway =D )

-
Alain Hebert    aheb...@pubnix.net
PubNIX Inc.
50 boul. St-Charles
P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
Tel: 514-990-5911  http://www.pubnix.net    Fax: 514-990-9443

On 10/21/16 11:52, Brian Davies via NANOG wrote:
> +1!
>
> Well said, Patrick.
>
> B
>
> On Friday, October 21, 2016, Patrick W. Gilmore  wrote:
>
>> I cannot give additional info other than what’s been on “public media”.
>>
>> However, I would very much like to say that this is a horrific trend on
>> the Internet. The idea that someone can mention a DDoS then get DDoS’ed Can
>> Not Stand. See Krebs’ on the Democratization of Censorship. See lots of
>> other things.
>>
>> To Dyn and everyone else being attacked:
>> The community is behind you. There are problems, but if we stick together,
>> we can beat these miscreants.
>>
>> To the miscreants:
>> You will not succeed. Search "churchill on the beaches”. It’s a bit
>> melodramatic, but it’s how I feel at this moment.
>>
>> To the rest of the community:
>> If you can help, please do. I know a lot of you are thinking “what can I
>> do?" There is a lot you can do. BCP38 & BCP84 instantly come to mind. Sure,
>> that doesn’t help Mirai, but it still helps. There are many other things
>> you can do as well.
>>
>> But a lot of it is just willingness to help. When someone asks you to help
>> trace an attack, do not let the request sit for a while. Damage is being
>> done. Help your neighbor. When someone’s house is burning, your current
>> project, your lunch break, whatever else you are doing is almost certainly
>> less important. If we stick together and help each other, we can - we WILL
>> - win this war. If we are apathetic, we have already lost.
>>
>>
>> OK, enough motivational speaking for today. But take this to heart. Our
>> biggest problem is people thinking they cannot or do not want to help.
>>
>> --
>> TTFN,
>> patrick
>>
>>> On Oct 21, 2016, at 10:55 AM, Chris Grundemann wrote:
>>> Does anyone have any additional details? Seems to be over now, but I'm
>> very
>>> curious about the specifics of such a highly impactful attack (and it's
>>> timing following NANOG 68)...
>>>
>>> https://krebsonsecurity.com/2016/10/ddos-on-dyn-impacts-
>> twitter-spotify-reddit/
>>> --
>>> @ChrisGrundemann
>>> http://chrisgrundemann.com
>>



Re: Death of the Internet, Film at 11

2016-10-22 Thread Richard Irving
Then, again, Ayn Rand's idea of "sex" was to get slapped around first.. I
am not sure I would acquire my "life philosophy" from her and, as
*proudly* *independent* as she was, in the end, she relied upon American
Social Security to get by. Talk is cheap.

On 10/21/2016 09:02 PM, James Downs wrote:

> On Oct 21, 2016, at 17:39, Ronald F. Guilmette wrote:
>> P.S.  To all of you Ayn Rand devotees out there who still vociferously
>> argue that it's nobody else's business how you monitor or police your
>> "private" networks, and who still refuse to take even minimalist steps
>
> What does Ayn Rand have to do with it? She would hardly countenance
> incompetence.