Re: Spitballing IoT Security

2016-10-29 Thread Ronald F. Guilmette

In message <20161030044342.ga18...@thyrsus.com>, 
"Eric S. Raymond"  wrote:

>Ronald F. Guilmette :
>> Two kids with a modest amount of knowledge
>> and a lot of time on their hands can do it from their mom's basement.
>
>I in turn have to call BS on this.  If it were really that easy, we'd
>be inundated by Mirais -- we'd have several attacks a *day*.


You need to get out more.

http://www.nab.org/cybersecurity/Verisign-report-ddos-trends-Q22016.pdf

It *is* happening every day.  You just don't hear about it on CNN because
a "little" 80Mbps DDoS isn't even worthy of a headline anymore, even
though such an attack could CRUSH a local bank, and even many regional
banks into utter oblivion.

Now, where did I put those bitcoins...  It's ransom time!


Regards,
rfg


P.S.  Of course, things were oh so much better, ya know, back in those
idyllic halcyon days a decade and a half ago...

Denial of e-commerce
Feb 10th 2000 
http://www.economist.com/node/281531

  "... The Computer Emergency Response Team of Carnegie Mellon University
  hears of roughly four DOS attacks a day..."

Whew!  I guess we need to count our blessings that insightful visionary
industry leaders came forward, back in the early 00s, and spearheaded
the global changes necessary to insure that DDoS attacks would become a
thing of the past, and a distant memory.

Oh!  Wait!  Nevermind.  Sorry.  I guess that I was dozing off and dreaming
again.

At the current rate of progress I think that I can confidently predict
that the Internet industry ought to have this whole problem completely
licked by the early 23rd century, you know, at the very latest.


Re: Spitballing IoT Security

2016-10-29 Thread Eric S. Raymond
Ronald F. Guilmette :
> Two kids with a modest amount of knowledge
> and a lot of time on their hands can do it from their mom's basement.

I in turn have to call BS on this.  If it were really that easy, we'd
be inundated by Mirais -- we'd have several attacks a *day*.
-- 
http://www.catb.org/~esr/  Eric S. Raymond


Death of WHOIS, Film at 11

2016-10-29 Thread Ronald F. Guilmette

In message <58150673.5090...@foobar.org>, 
Nick Hilliard  wrote:

>David Conrad already pointed out that this problem has been solved using
>RDAP which supports referrals.  Try installing the nicinfo command from:
>
>https://github.com/arineng/nicinfo
>
>At a guess, I'd say referrals haven't been implemented in whois because
>the whois "protocol" is unfixably broken and unsuitable for distributed
>information sharing.

So basically, you're saying that the fact that port 43 is still open and
still providing answers... known inaccurate answers... at all of the
following places is just one big tease?

whois.iana.org
whois.arin.net
whois.ripe.net
whois.apnic.net
whois.lacnic.net
whois.afrinic.net

So the overall game plan is to continue to have these things all give
out inaccurate and/or misleading answers until such time as all of
the trusting old school hacks like me either die out or get the memo
telling us to just stop using this stuff?

If so, thanks for telling me.  Nobody else has so far had the courtesy
to do so.


Regards,
rfg


P.S.  Traditional WHOIS supports referrals.  For an example, try this:

 whois -h whois.iana.org 1197

(Providing referrals in traditional WHOIS isn't exactly rocket surgery.
The fact that certain RIRs may be too... umm... preoccupied to take
the time to properly populate their data bases with such referrals
notwithstanding.)
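The referral chase the P.S. above illustrates (whois.iana.org handing a query off to an RIR) and the dead end discussed elsewhere in the thread (a block transferred between RIRs with no onward pointer), as an added example that is not code from any poster. It assumes two referral line formats, modelled on the "refer:" line whois.iana.org emits and the "ReferralServer:" line whois.arin.net emits; the sample responses are constructed, not real registry output.

```python
import re
import socket
from typing import Callable, Dict, List, Optional, Tuple

WHOIS_PORT = 43

# Referral line formats this parser chases (assumption: modelled on the
# "refer:" line whois.iana.org emits and the "ReferralServer:" line
# whois.arin.net emits; prose "remarks:" pointers are deliberately ignored).
_REFER_RE = re.compile(
    r"^(?:refer|ReferralServer)\s*:\s*(?:r?whois://)?([A-Za-z0-9.-]+)(?::(\d+))?/?\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def parse_referral(response: str) -> Optional[Tuple[str, int]]:
    """Return (host, port) named by a referral line, or None if there is none."""
    m = _REFER_RE.search(response)
    if not m:
        return None
    return m.group(1).lower(), int(m.group(2) or WHOIS_PORT)


def query_whois(host: str, port: int, target: str, timeout: float = 10.0) -> str:
    """One RFC 3912 exchange: send the target plus CRLF, read until the server closes."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(target.encode("ascii", "replace") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


QueryFn = Callable[[str, int, str], str]


def follow_referrals(target: str, start_host: str = "whois.iana.org",
                     query: QueryFn = query_whois, max_hops: int = 6) -> List[Tuple[str, str]]:
    """Walk the referral chain for target, returning (server, response) per hop.

    Stops at the first server that emits no referral line, on a repeated
    server (loop), or after max_hops.  The complaint in the thread is exactly
    the chain that stops at a registry which transferred the block away
    but emits nothing pointing onward.
    """
    hops: List[Tuple[str, str]] = []
    seen = set()
    host, port = start_host, WHOIS_PORT
    while len(hops) < max_hops and (host, port) not in seen:
        seen.add((host, port))
        response = query(host, port, target)
        hops.append((host, response))
        referral = parse_referral(response)
        if referral is None:
            break
        host, port = referral
    return hops


# Constructed sample responses so the chain runs offline.  They are NOT real
# registry output; only the referral lines mimic the real formats.
SAMPLE_RESPONSES: Dict[str, str] = {
    "whois.iana.org": "% constructed IANA sample\n"
                      "refer:        whois.apnic.net\n"
                      "inetnum:      103.0.0.0 - 103.255.255.255\n",
    "whois.apnic.net": "% constructed APNIC sample: block transferred away, no referral\n"
                       "inetnum:        103.11.67.0 - 103.11.67.255\n"
                       "remarks:        (constructed) please refer to the new registry\n",
    "whois.example-rir.net": "% constructed sample of a registry that does refer onward\n"
                             "ReferralServer:  whois://whois.arin.net\n",
    "whois.arin.net": "# constructed ARIN sample (final hop)\n"
                      "NetRange:       103.11.67.0 - 103.11.67.255\n",
    "whois.loop-a.example": "refer: whois.loop-b.example\n",
    "whois.loop-b.example": "refer: whois.loop-a.example\n",
}


def sample_query(host: str, port: int, target: str) -> str:
    """Offline stand-in for query_whois serving the constructed responses."""
    return SAMPLE_RESPONSES[host]


def servers_visited(target: str, start_host: str = "whois.iana.org") -> List[str]:
    """Server names along the (constructed) chain; swap in query_whois to go live."""
    return [host for host, _ in follow_referrals(target, start_host, query=sample_query)]


if __name__ == "__main__":
    print(" -> ".join(servers_visited("103.11.67.105")))
```

Against live port 43 the chain is only as good as the last server's willingness to emit a referral, which is the gap the thread is about; RDAP bootstrapping, as mentioned in the thread, avoids the problem by design.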


Re: Another day, another illicit SQUAT - WebNX (AS18450) 103.11.67.0/24

2016-10-29 Thread Ronald F. Guilmette

In message <5815013f.2080...@foobar.org>, 
Nick Hilliard  wrote:

>> But my overall point remains.  If there were ever to be an election where
>> we were all asked who we wanted to see become the once and future Routing
>> Police, the RIRs would not be my own personal first choice.
>
>Great, we're agreed then.  So why do you keep on bringing them up in
>this context and criticising them whenever someone squats some block of
>address space?

References please?

*I* didn't introduce the topic of RIRs into this thread.  It would appear
that Ken Chase did that:

   http://mailman.nanog.org/pipermail/nanog/2016-October/088943.html

Later on, I bemoaned what I still feel is a rather lousy WHOIS referrals
system, among and between the various RIR WHOIS data bases... with
respect to *allocations* (not route registrations)... and it was
entirely appropriate for me to mention that, in this thread, as the
problem most definitely did impact not only _my_ ability to figure
out who the bleep, if anyone, 103.11.67.0/24 is actually registered
to, but actually, anyone's ability to do so, including, apparently,
bgp.he.net.

But this criticism has/had nothing whatever to do, specifically, with
either routing or the (hypothetical) Routing Police.  If the totality
of the RIR WHOIS data bases are needlessly difficult to extract accurate
information out of, then this negatively affects *all* uses (and all
users) of these data bases, whether one is investigating possible
routing squats, or whether one is just trying to figure out who
currently owns the block that all of your corporate intellectual
property has just been surreptitiously exfiltrated to.


Regards,
rfg


Re: Spitballing IoT Security

2016-10-29 Thread Ronald F. Guilmette

In message <20161029180730.ga10...@thyrsus.com>, 
"Eric S. Raymond"  wrote:

>You don't build or hire a botnet on Mirai's scale with pocket change.

Proof please?

Sorry, but I am compelled to call B.S. on the above statement.  This
is a really important point that I, Krebs, and others have been trying
to drive home:  In an era when you've got a half million CCTV cams
just lying around without even passwords on them, and in an era when
nobody makes any fuss anymore about the dozens or hundreds or people
and/or organizations (e.g. Shodan) that are out there scanning your
box and my box and everybody's boxes, every damn day, you don't need
to be either an ominous "state actor" or even SPECTER to assemble a
truly massive packet weapon.  Two kids with a modest amount of knowledge
and a lot of time on their hands can do it from their mom's basement.

It is comforting, for some, to think that this is not the case, just
as it is, to this day, comforting, for some, to believe, based on scant
evidence, that it -wasn't- just some lone nut case who killed President
Kennedy.  Psychologically, people have trouble coming to terms with
great impactful tragedies unless they can be blamed on large, unseen,
but enormously capable dark forces.  And the actual available hard
evidence relating to such events does not diminish the human yearning
for a convenient comic book supervillain to pin it all on.

>And the M.O. doesn't fit a criminal organization - no ransom demand,
>no attempt to steal data.

Allow me to refer you to an alternative possible motivation:

   https://en.wiktionary.org/wiki/lulz

>That means the motive was prep for terrorism or cyberwar by a
>state-level actor.

Frankly, I am dismayed to see a well-known Internet persona with a respected
name spreading this kind of absurd, alarmist, over-the-top, rhetorical
fear-mongering inference, which is without clear basis in either fact or evidence.

Even the hardest of the hard-core dyed-in-the-wool Clinton surrogates are
too circumspect in their pronouncements (i.e. with respect to Russia's
"obvious" connection to the DNC hack) to ever reach anything like this
level of unfounded hyperbole.  (And for the record, I am no Trump supporter
either.  I find myself equally disgusted when either side employs the
currently fashionable verbal sleight-of-hand that politicians of all stripes
have, of late, adopted whenever they want to say something without
themselves having to take responsibility for its truth or accuracy.  I get
angry when I hear Clinton surrogates using the "Some people are saying..."
dodge, e.g. when it comes to alleged nefarious Russian involvement with
anything and everything evil, just as I do when Trump uses the exact same
dodge in reference to... well... everything.)

>Bruce Schneier is right and is only saying what
>everybody else on the InfoSec side I've spoken with is thinking - the
>People's Liberation Army is the top suspect, with the Russian FSB
>operating through proxies in Bulgaria or Romania as a fairly distant
>second.

Yes, but I believe that Schneier was a bit more careful to separate the
known facts from his personal speculations.

In any case, all of this searching for who is to blame isn't contributing
a damn thing towards actually fixing the problem.  And if we really need
to find someone to blame, I think we should all just look in the mirror.

We, society, but especially those of us with more-than-average techno savvy,
have for years been only too eager to lap up whatever whiz-bang new techno
gadgets industry could crank out, with barely an afterthought given to
the longer term implications, like security and also how the hell we are
ever going to be able to recycle any of this s***.  We've all been doing
the exact same thing, since at least Windows 3.1 or earlier, and yet we
continue to expect a different outcome.  We eagerly grab for new capabilities
and new gadgets, thinking about security last or, more often, not at all.
In short, to quote Pogo, "We have met the enemy and he is us."


Regards,
rfg


P.S.  Even if the evidence were to support the view that only a superpower-
level nation-state could have pulled off the Dyn attack... and I'm not at
all persuaded that it does... it kills me that everyone seems to jump,
within a millisecond, immediately from -that- unwarranted conclusion to
the separate unwarranted conclusion that it must have been either Russia
or China.  Apparently, nobody even stops to consider the *other* elephant
in the room, the one that stretches from sea to shining sea, and which
itself has been heard to publicly brag about its own cyber-offensive
capabilities of late.

In short, maybe our own guys did this.

OK, so maybe this theory -is- worthy of le Carre, but that don't mean it
ain't possible.  I mean we aren't stupid.  We don't build warehouses full
of nuclear weapons without at least testing the design once or twice first,
you know, to make sure they aren't all gonna end up being duds 

Re: Spitballing IoT Security

2016-10-29 Thread Alan Buxey
Hi,

>Put it another way: you bring home a NEST and the first thing you the
>expert might do is read the net to figure out which ports to open.  Are
>you really going to not open those ports?

Put onto its own isolated vlan with only internet access.  Unfortunately no 
basic routers that are for the home come with such a setup by default.  That's 
the first big win. 

alan


Re: Another day, another illicit SQUAT - WebNX (AS18450) 103.11.67.0/24

2016-10-29 Thread Nick Hilliard
Ronald F. Guilmette wrote:
> Oh, gz!  ...
> 
> Showing 1 to 10 of 1,823 entries

Yeah, get over it.  Number resource transfers are a thing, and this
number is only going to increase.

> You are correct.  In this case, it would have been helpful if APNIC's WHOIS
> server returned something, when queried about 103.11.67.105, that would
> include an explicit referral to the ARIN WHOIS server.  I mean they
> obviously know all the transfers they've made.
> 
> But I guess that somebody somewhere decided that that's just too much
> trouble.

David Conrad already pointed out that this problem has been solved using
RDAP which supports referrals.  Try installing the nicinfo command from:

https://github.com/arineng/nicinfo

At a guess, I'd say referrals haven't been implemented in whois because
the whois "protocol" is unfixably broken and unsuitable for distributed
information sharing.

Nick


Re: Another day, another illicit SQUAT - WebNX (AS18450) 103.11.67.0/24

2016-10-29 Thread Nick Hilliard
Ronald F. Guilmette wrote:
> I wasn't talking about irrdb.  I was just talking about the WHOIS records
> for IPv4 allocations within the AFRINIC region.

afrinic, ripe ncc and apnic run a combined (+ partially authenticated)
irrdb and whois server.

> But my overall point remains.  If there were ever to be an election where
> we were all asked who we wanted to see become the once and future Routing
> Police, the RIRs would not be my own personal first choice.

Great, we're agreed then.  So why do you keep on bringing them up in
this context and criticising them whenever someone squats some block of
address space?

Nick



Re: Spitballing IoT Security

2016-10-29 Thread bzs

On October 29, 2016 at 15:35 beec...@beecher.cc (Tom Beecher) wrote:
 > "That means the motive was prep for terrorism or cyberwar by a
 > state-level actor. "
 > 
 > Or, quite possibly ( I would argue probably) it was marketing. Show off the
 > capabilities of the botnet to garner more interest amongst those who pay for
 > use of such things. 

Supposedly Khalid Sheikh Mohammed's widely publicized video of him
beheading Daniel Pearl was basically an ad for his group's for-hire
mercenary services. Look at how ruthless we are! Didn't seem to lead
to much of a career.

However the one fly in this ointment is that the Mirai virus code has
since been distributed. So unless there's some critical piece of that
they've held back it's not much of a property.

If that's true, that the virus code was subsequently distributed by
the actors, it also raises doubts about a state actor. Why would they
distribute the code? State actors tend to work in an atmosphere of
secrecy unless they're flaunting their deeds.

But, whatever, one doesn't know until one knows.

-- 
-Barry Shein

Software Tool & Die| b...@theworld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD   | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*


Re: Spitballing IoT Security

2016-10-29 Thread Tom Beecher
"That means the motive was prep for terrorism or cyberwar by a
state-level actor. "

Or, quite possibly ( I would argue probably) it was marketing. Show off the
capabilities of the botnet to garner more interest amongst those who pay
for use of such things.

On Sat, Oct 29, 2016 at 2:07 PM, Eric S. Raymond  wrote:

> b...@theworld.com :
> >
> > On October 28, 2016 at 22:27 l...@satchell.net (Stephen Satchell) wrote:
> >  > On 10/28/2016 10:14 PM, b...@theworld.com wrote:
> >  > > Thus far the goal just seems to be mayhem.
> >  >
> >  > Thus far, the goal on the part of the botnet operators is to make
> >  > money.  The goal of the CUSTOMERS of the botnet operators?  Who knows?
> >
> > You're speaking in general terms, right? We don't know much anything
> > about the perpetrators of these recent Krebs and Dyn attacks such as
> > whether there was any DDoS for hire involved.
>
> We can deduce a lot from what didn't happen.
>
> You don't build or hire a botnet on Mirai's scale with pocket change.
> And the M.O. doesn't fit a criminal organization - no ransom demand,
> no attempt to steal data.
>
> That means the motive was prep for terrorism or cyberwar by a
> state-level actor.  Bruce Schneier is right and is only saying what
> everybody else on the InfoSec side I've spoken with is thinking - the
> People's Liberation Army is the top suspect, with the Russian FSB
> operating through proxies in Bulgaria or Romania as a fairly distant
> second.
>
> Me, I think this fits the profile of a PLA probing attack perfectly.
> --
> http://www.catb.org/~esr/  Eric S. Raymond
>


Re: Another day, another illicit SQUAT - WebNX (AS18450) 103.11.67.0/24

2016-10-29 Thread Ronald F. Guilmette

In message <58146e84.3030...@foobar.org>, 
Nick Hilliard  wrote:

>> P.S.  I may be wrong about this, but it has come to my attention that
>> many, most, or all of the WHOIS records reflecting allocations made by
>> the AFRINIC RIR are utterly devoid of either (a) information specifying
>> the dates on which the relevant allocations were made or (b) email
>> contact addresses for the relevant number resource registrants.
>
>Works fine for me.  Did you use the "-B" flag when querying the Afrinic
>irrdb?

I wasn't talking about irrdb.  I was just talking about the WHOIS records
for IPv4 allocations within the AFRINIC region.

Anyway, yes, I do believe that I used the -B flag.  But nonetheless, I
really did see some AFRINIC WHOIS records that had -no- email contacts,
nor any date information.

I will have to try to see if I can dredge those out again.

But my overall point remains.  If there were ever to be an election where
we were all asked who we wanted to see become the once and future Routing
Police, the RIRs would not be my own personal first choice.


Regards,
rfg


Re: Spitballing IoT Security

2016-10-29 Thread Jean-Francois Mezei
On 2016-10-29 14:07, Eric S. Raymond wrote:

> You don't build or hire a botnet on Mirai's scale with pocket change.
> And the M.O. doesn't fit a criminal organization - no ransom demand,
> no attempt to steal data.

it is wrong to underestimate script kiddies and open source code. It is
wrong to underestimate a community that shares their own experiences
with different devices. One contributes default password for brand X
camera, one gives the defaults for brand Y router etc.

Imagine someone writes code for university project to scan the network
for improperly protected devices. That code, while designed as a
security audit, could be integrated into something far nastier.

At the end of the day, you may have plenty of open source information
available to assemble this into something like Mirai.


Yeah, there may be more sinister forces out there. The DYN attack may
have been a "demo" of capabilities that will be part of
threats/blackmail against other large players on the Internet.




> everybody else on the InfoSec side I've spoken with is thinking - the
> People's Liberation Army is the top suspect, with the Russian FSB
> operating through proxies in Bulgaria or Romania as a fairly distant
> second.

Or some guy in Arkansas starting a new blackmail/extortion business,
hoping to cash in on the software he put together.

And if we're gonna talk conspiracies, include Trump. he publishes a
"policy" on cyber attacks on a day, a couple days later a major cyber
attack happens. Coincidence ? :-)


I think the focus should be on preventing such attacks, and reducing
their impacts when they happen and improving traceability tools as they
happen. Speculating on who is responsible doesn't do much to protect the
internet against such attacks.




Re: Another day, another illicit SQUAT - WebNX (AS18450) 103.11.67.0/24

2016-10-29 Thread Ronald F. Guilmette

In message <5814696f.3060...@foobar.org>, 
Nick Hilliard  wrote:

>Ronald F. Guilmette wrote:
>>  I always start with whatever whois.iana.org has to
>> say.  And it says that that 103.0.0.0/8 belongs to APNIC, so of course,
>> I only looked at what whois.apnic.net had to say about 103.11.67.105.
>
>yeah, this prefix was transferred from APNIC to ARIN.  You can search
>for the details here:
>
>https://www.apnic.net/manage-ip/manage-resources/transfer-resources/transfer-logs

Oh, gz!  ...

Showing 1 to 10 of 1,823 entries

>> This isn't the first time I've wished that the right hand knew (or cared)
>> what the left hand was doing.  I've asked the folks at IANA about this
>> sort of thing in the past, i.e. them giving pointers to the apparently
>> wrong RIR whois server, and they just won't fix it.
>
>It's not an IANA problem to fix.  IANA handles the initial allocation...

You are correct.  In this case, it would have been helpful if APNIC's WHOIS
server returned something, when queried about 103.11.67.105, that would
include an explicit referral to the ARIN WHOIS server.  I mean they
obviously know all the transfers they've made.

But I guess that somebody somewhere decided that that's just too much
trouble.


Regards,
rfg


Re: Spitballing IoT Security

2016-10-29 Thread bzs

On October 29, 2016 at 14:07 e...@thyrsus.com (Eric S. Raymond) wrote:
 > b...@theworld.com :
 > > 
 > > On October 28, 2016 at 22:27 l...@satchell.net (Stephen Satchell) wrote:
 > >  > On 10/28/2016 10:14 PM, b...@theworld.com wrote:
 > >  > > Thus far the goal just seems to be mayhem.
 > >  > 
 > >  > Thus far, the goal on the part of the botnet operators is to make
 > >  > money.  The goal of the CUSTOMERS of the botnet operators?  Who knows?
 > > 
 > > You're speaking in general terms, right? We don't know much anything
 > > about the perpetrators of these recent Krebs and Dyn attacks such as
 > > whether there was any DDoS for hire involved.
 > 
 > We can deduce a lot from what didn't happen.
 > 
 > You don't build or hire a botnet on Mirai's scale with pocket change.

Do we know this or is this just a guess?

The infamous 1988 Morris worm was also thought to be something
similarly sinister for a short while until Bob Morris, Jr et al owned
up to it just being an experiment by a couple of students gone out of
control.

Back around 1986 I accidentally brought down at least half the net by
submitting a new hosts file (for Boston Univ) with an entry that
tickled a bug in the hosts.txt->/etc/hosts code which everyone ran at
midnight (whatever) causing a loop which filled /tmp (this would be
unix hosts but by count they were by far most of the connected
servers) and back then a full /tmp crashed unix and it often didn't
come back up until a human intervened.

Ok I doubt this was an accident, tho its scale could've been an
accident, a prank gone wild.

Anyhow what do we *know*?

That the effect was large doesn't necessarily imply that it required a
lot of resources.

We live in a world rife with asymmetric warfare. A few boxcutters and
3,000+ people dead.

 > And the M.O. doesn't fit a criminal organization - no ransom demand,
 > no attempt to steal data.

Same question. Would Dyn et al publicize ransom demands at this point?

And even if not how do we rule out a prank or similar?

Is there something specific about this attack which required
significant resources? How significant?

 > 
 > That means the motive was prep for terrorism or cyberwar by a
 > state-level actor.  Bruce Schneier is right and is only saying what
 > everybody else on the InfoSec side I've spoken with is thinking - the
 > People's Liberation Army is the top suspect, with the Russian FSB
 > operating through proxies in Bulgaria or Romania as a fairly distant
 > second.

Well, barring further details one can go anywhere with a few
suppositions.

 > 
 > Me, I think this fits the profile of a PLA probing attack perfectly.
 > -- 
 >  http://www.catb.org/~esr/  Eric S. Raymond

-- 
-Barry Shein

Software Tool & Die| b...@theworld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD   | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*


Re: Spitballing IoT Security

2016-10-29 Thread Eric S. Raymond
b...@theworld.com :
> 
> On October 28, 2016 at 22:27 l...@satchell.net (Stephen Satchell) wrote:
>  > On 10/28/2016 10:14 PM, b...@theworld.com wrote:
>  > > Thus far the goal just seems to be mayhem.
>  > 
>  > Thus far, the goal on the part of the botnet operators is to make
>  > money.  The goal of the CUSTOMERS of the botnet operators?  Who knows?
> 
> You're speaking in general terms, right? We don't know much anything
> about the perpetrators of these recent Krebs and Dyn attacks such as
> whether there was any DDoS for hire involved.

We can deduce a lot from what didn't happen.

You don't build or hire a botnet on Mirai's scale with pocket change.
And the M.O. doesn't fit a criminal organization - no ransom demand,
no attempt to steal data.

That means the motive was prep for terrorism or cyberwar by a
state-level actor.  Bruce Schneier is right and is only saying what
everybody else on the InfoSec side I've spoken with is thinking - the
People's Liberation Army is the top suspect, with the Russian FSB
operating through proxies in Bulgaria or Romania as a fairly distant
second.

Me, I think this fits the profile of a PLA probing attack perfectly.
-- 
http://www.catb.org/~esr/  Eric S. Raymond


Re: Spitballing IoT Security

2016-10-29 Thread bzs

On October 28, 2016 at 22:27 l...@satchell.net (Stephen Satchell) wrote:
 > On 10/28/2016 10:14 PM, b...@theworld.com wrote:
 > > Thus far the goal just seems to be mayhem.
 > 
 > Thus far, the goal on the part of the botnet operators is to make
 > money.  The goal of the CUSTOMERS of the botnet operators?  Who knows?

You're speaking in general terms, right? We don't know much anything
about the perpetrators of these recent Krebs and Dyn attacks such as
whether there was any DDoS for hire involved.

-- 
-Barry Shein

Software Tool & Die| b...@theworld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD   | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*


RE: IPv6 automatic reverse DNS

2016-10-29 Thread Keith Medcalf


On Friday, 28 October, 2016 19:37, Steve Atkins  wrote:

> > On Oct 28, 2016, at 6:04 PM, Karl Auer  wrote:

> >> 1b) anti spam filters believe in the magic of checking
> >> forward/reverse match.

> > Someone in this thread said that only malware-infested end-users are
> > behind IP addresses with no reverse lookup. Well - no. As long as we
> > keep telling anyone who isn't running a full-bore commercial network to
> > "consume, be silent, die", we are holding everyone back, including
> > ourselves.

> If you send mail over IPv6 from an address with no reverse DNS you
> will see quite a lot of this sort of thing:

> 550 5.7.1 [*] Our system has detected that this message
> 5.7.1 does not meet IPv6 sending guidelines regarding PTR records and
> 5.7.1 authentication. Please review
> 5.7.1 https://support.google.com/mail/?p=ipv6_authentication_error for
> more
> 5.7.1 information.

> > It's fine to use no-reverse-lookup as a component of a spamminess
> > score. It's not OK to use it as proof of spamminess.

> People running large mailservers made that decision some time
> ago. Disagreeing with them won't make them accept your email.

Actually, it was *long* before that.  I think it is STD 1 or STD 2 -- 
requirements for connecting a host to the internet.  All "deliberate" Internet 
hosts performing useful functions should have matching forward and reverse DNS 
and should expect to be labelled as "untrustworthy in the extreme" if they do 
not.  Assigning meaning to the resolved DNS name (embedded parts) is what came 
much later.








RE: IPv6 automatic reverse DNS

2016-10-29 Thread White, Andrew
Thanks for the clarification, Wes.

Has anyone proposed the method of publishing v6 PTRs on-the-fly as addresses 
are observed passing through an ISP's router?

Andrew


Andrew White
Charter Network Operations - DAS DNS
Desk: 314-394-9594 | Cell: 314-452-4386
andrew.whi...@charter.com


-Original Message-
From: Wesley George [mailto:wesgeo...@puck.nether.net] 
Sent: Saturday, October 29, 2016 7:41 AM
To: White, Andrew
Cc: Steve Atkins; NANOG list
Subject: Re: IPv6 automatic reverse DNS


> On Oct 28, 2016, at 11:03 PM, White, Andrew  wrote:
> 
> There are two competing drafts for synthetic rule-based PTR responses for 
> IPv6 rDNS:
> 
> Howard Lee, Time Warner Cable (now Charter)
> https://tools.ietf.org/html/draft-howard-isp-ip6rdns-08
> 
> J. Woodworth, CenturyLink
> https://datatracker.ietf.org/doc/draft-woodworth-bulk-rr/
> 

At the risk of getting into IETF administrivia, a little clarification is 
important here: The first draft you mention above was replaced by the draft I 
referenced in my previous email. It is currently an adopted WG draft in DNSOP, 
moving toward working group last call as a consensus document, thus the window 
for capturing and incorporating feedback is closing soon. The second document 
does not appear to be associated with any IETF Working Group yet, but it also 
isn't competing with the first document. The first draft is informational 
status, discussing the issues and considerations surrounding this problem, of 
which generating on-the-fly reverse records is one possible solution. The 
second draft is a proposed standard defining *how* to generate those on-the-fly 
reverse records assuming one decides that is the right path to take in one's 
network, and would dovetail nicely via reference to section 2.5 of isp-ip6-rdns.

Wes George



Re: IPv6 automatic reverse DNS

2016-10-29 Thread Wesley George

> On Oct 28, 2016, at 11:03 PM, White, Andrew  wrote:
> 
> There are two competing drafts for synthetic rule-based PTR responses for 
> IPv6 rDNS:
> 
> Howard Lee, Time Warner Cable (now Charter)
> https://tools.ietf.org/html/draft-howard-isp-ip6rdns-08
> 
> J. Woodworth, CenturyLink
> https://datatracker.ietf.org/doc/draft-woodworth-bulk-rr/
> 

At the risk of getting into IETF administrivia, a little clarification is 
important here: The first draft you mention above was replaced by the draft I 
referenced in my previous email. It is currently an adopted WG draft in DNSOP, 
moving toward working group last call as a consensus document, thus the window 
for capturing and incorporating feedback is closing soon. The second document 
does not appear to be associated with any IETF Working Group yet, but it also 
isn't competing with the first document. The first draft is informational 
status, discussing the issues and considerations surrounding this problem, of 
which generating on-the-fly reverse records is one possible solution. The 
second draft is a proposed standard defining *how* to generate those on-the-fly 
reverse records assuming one decides that is the right path to take in one's 
network, and would dovetail nicely via reference to section 2.5 of isp-ip6-rdns.

Wes George
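An added example, not code from the thread or from either draft: a sketch of the rule-based, on-the-fly PTR generation Wes George and Andrew White discuss, together with the forward/reverse consistency check that Keith Medcalf and the quoted 550 5.7.1 reply refer to. The dyn6.example.net suffix, the 2001:db8::/32 zone and the hyphenated-nibble hostname encoding are assumptions for illustration only.

```python
import ipaddress
from typing import Optional

# Assumptions for this illustration (not the encoding of either draft): the
# ISP serves reverse DNS for ZONE and synthesises hostnames as the fully
# exploded address with ':' replaced by '-' under a fixed suffix.
ZONE = ipaddress.IPv6Network("2001:db8::/32")   # documentation prefix, constructed
SUFFIX = "dyn6.example.net."
HEX = "0123456789abcdef"


def ip6_arpa_name(addr: str) -> str:
    """Reverse query name for an IPv6 address: 32 nibbles, reversed, under ip6.arpa."""
    nibbles = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def addr_from_arpa(qname: str) -> ipaddress.IPv6Address:
    """Inverse of ip6_arpa_name; raises ValueError unless qname is a full 128-bit name."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) != 34 or labels[-2:] != ["ip6", "arpa"]:
        raise ValueError("not a full ip6.arpa name: %r" % qname)
    nibbles = "".join(reversed(labels[:-2]))
    if len(nibbles) != 32 or any(c not in HEX for c in nibbles):
        raise ValueError("bad nibble labels in %r" % qname)
    return ipaddress.IPv6Address(int(nibbles, 16))


def synth_hostname(ip: ipaddress.IPv6Address) -> str:
    """Rule-generated PTR target; the 39-character label is within the 63-octet limit."""
    return ip.exploded.replace(":", "-") + "." + SUFFIX


def addr_from_hostname(name: str) -> Optional[ipaddress.IPv6Address]:
    """Recover the address from a synthesised name; None unless it is canonical and ours."""
    name = name.lower()
    if not name.endswith("."):
        name += "."
    if not name.endswith("." + SUFFIX):
        return None
    label = name[: -len(SUFFIX) - 1]
    try:
        ip = ipaddress.IPv6Address(label.replace("-", ":"))
    except ValueError:
        return None
    # Reject non-canonical spellings such as 2001-db8--1 so only names we
    # would ourselves generate resolve forward.
    return ip if synth_hostname(ip) == name else None


def answer_ptr(qname: str, zone: ipaddress.IPv6Network = ZONE) -> Optional[str]:
    """What the authoritative server answers for a PTR query; None means NXDOMAIN."""
    try:
        ip = addr_from_arpa(qname)
    except ValueError:
        return None
    return synth_hostname(ip) if ip in zone else None


def answer_aaaa(qname: str, zone: ipaddress.IPv6Network = ZONE) -> Optional[str]:
    """Matching forward answer: only canonical synthesised names inside the zone resolve."""
    ip = addr_from_hostname(qname)
    return str(ip) if ip is not None and ip in zone else None


def forward_confirmed(addr: str, zone: ipaddress.IPv6Network = ZONE) -> bool:
    """The forward-confirmed reverse DNS check a receiving mail server performs,
    evaluated against the synthetic rules instead of live DNS."""
    name = answer_ptr(ip6_arpa_name(addr), zone)
    if name is None:
        return False  # no PTR at all: the case behind the 550 5.7.1 reply quoted above
    return answer_aaaa(name, zone) == str(ipaddress.IPv6Address(addr))


if __name__ == "__main__":
    for a in ("2001:db8::1", "2001:db8:85a3::8a2e:370:7334", "2001:dead::1"):
        print(a, ip6_arpa_name(a), answer_ptr(ip6_arpa_name(a)), forward_confirmed(a))
```

Passing this check only shows that the ISP's rules are self-consistent, which is why, as Karl Auer's quoted point has it, a receiver should treat it as one input to a reputation score rather than as proof that the host is a deliberate mail server.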





Re: Another day, another illicit SQUAT - WebNX (AS18450) 103.11.67.0/24

2016-10-29 Thread David Conrad
On Oct 29, 2016, at 5:18 PM, Nick Hilliard  wrote:
> There
> are 5 RIRs, so 20 different ways for data to flow, and IANA is no longer
> authoritative for the address space once its been RIR-allocated.

While true, hopefully referrals in RDAP will address the need to identify 
registration information down to the leaves.

> I.e. you should no longer depend on whois.iana.org for accurate resource
> delegation information.

Well, it should be accurate at the top-level delegation (albeit, the IANA Whois 
server only deals with /8s).

Regards,
-drc
(speaking only for myself)







Re: Another day, another illicit SQUAT - WebNX (AS18450) 103.11.67.0/24

2016-10-29 Thread Nick Hilliard
Ronald F. Guilmette wrote:
> In my actual comment I merely noted that RIRs are in fact -not- the
> Internet Police, and that none of them have ever displayed even the
> slightest desire to become that (and indeed, when asked, they have,
> without exception, exhibited a clear desire -not- to be assigned any
> such role).

just to be clear: this is a bottom up position, not top-down.  The
registry roles of the RIRs exist by mandate of the communities they
serve to provide a database of integer allocations and assignments.  If
there's been no inclination to become "Internet Police", it's because
their memberships do not want their respective RIRs to take on this role.

> Given that I do not have an entirely unequivocal admiration for the
> quality and consistency of the work that RIRs are already clearly
> responsible for, do you really believe that it would be my first
> choice to assign an entirely separate but equally critical set of
> -new- authorities and responsibilities to the RIRs?

This will, of course, vary between RIRs.  At least in the RIPE NCC
service region, all allocations and assignments by the RIPE NCC are
covered by written contractual links and complete records of these
contracts are kept by the organisation.  Sub-assignments by LIRs may not
be as accurate.  Other RIR service regions will have different policies.

> P.S.  I may be wrong about this, but it has come to my attention that
> many, most, or all of the WHOIS records reflecting allocations made by
> the AFRINIC RIR are utterly devoid of either (a) information specifying
> the dates on which the relevant allocations were made or (b) email
> contact addresses for the relevant number resource registrants.

Works fine for me.  Did you use the "-B" flag when querying the Afrinic
irrdb?

% whois -h whois.afrinic.net " -B x.x.x.x"

Nick



Re: Another day, another illicit SQUAT - WebNX (AS18450) 103.11.67.0/24

2016-10-29 Thread Nick Hilliard
Ronald F. Guilmette wrote:
> I always start with whatever whois.iana.org has to
> say.  And it says that that 103.0.0.0/8 belongs to APNIC, so of course,
> I only looked at what whois.apnic.net had to say about 103.11.67.105.

yeah, this prefix was transferred from APNIC to ARIN.  You can search
for the details here:

https://www.apnic.net/manage-ip/manage-resources/transfer-resources/transfer-logs

There's a full log on their ftp site:

ftp://ftp.apnic.net/public/transfers/apnic/transfer-apnic-latest

No doubt other RIRs have their own transfer listings.

> This isn't the first time I've wished that the right hand knew (or cared)
> what the left hand was doing.  I've asked the folks at IANA about this
> sort of thing in the past, i.e. them giving pointers to the apparently
> wrong RIR whois server, and they just won't fix it.

It's not an IANA problem to fix.  IANA handles the initial allocation to
the RIR, but does not account for subsequent inter-RIR transfers.  There
are 5 RIRs, so 20 different ways for data to flow, and IANA is no longer
authoritative for the address space once it's been RIR-allocated.  This
excludes ERX space, which is another bundle of fun.

I.e. you should no longer depend on whois.iana.org for accurate resource
delegation information.

The LACNIC whois server (whois.lacnic.net) appears to maintain pointer
information, judging by a couple of queries.

Nick
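Nick's point that whois.iana.org stops being authoritative once a block has been transferred between RIRs, and the hope expressed earlier in the thread that RDAP referrals will identify registration data down to the leaves, can be combined into one lookup that starts from the IANA bootstrap file and follows referrals until a registry answers without pointing onward. This is an added example, not code from the thread or from any RIR; the bootstrap entries and RDAP replies are constructed inline so it runs offline, and the use of a "related" link for the referral is an assumption.

```python
import ipaddress

# Constructed sample shaped like IANA's RDAP bootstrap registry
# (data.iana.org/rdap/ipv4.json): each service is [[prefixes], [server URLs]].
BOOTSTRAP = {"services": [
    [["103.0.0.0/8"], ["https://rdap.apnic.net/"]],
    [["41.0.0.0/8"], ["https://rdap.afrinic.net/rdap/"]],
]}

# Constructed RDAP replies keyed by URL so the example runs offline.
# Assumption: the /8 holder answers a query for transferred space with a
# "related" link to the registry that now holds the block.
APNIC_URL = "https://rdap.apnic.net/ip/103.11.67.105"
ARIN_URL = "https://rdap.arin.net/registry/ip/103.11.67.0/24"
SAMPLE_RESPONSES = {
    APNIC_URL: {"links": [{"rel": "self", "href": APNIC_URL},
                          {"rel": "related", "href": ARIN_URL}]},
    ARIN_URL: {"links": [{"rel": "self", "href": ARIN_URL}]},
}

def offline_fetch(url):
    """Stand-in for an HTTPS GET returning the decoded RDAP JSON."""
    return SAMPLE_RESPONSES[url]

def bootstrap_server(ip, bootstrap=BOOTSTRAP):
    """Longest-prefix match of ip against the bootstrap services; None if absent."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefixes, servers in bootstrap["services"]:
        for prefix in prefixes:
            net = ipaddress.ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, servers[0])
    return best[1] if best else None

def resolve_registry(ip, fetch=offline_fetch, max_hops=5):
    """Query the bootstrap server, then follow 'related' referrals; return URLs visited."""
    server = bootstrap_server(ip)
    if server is None:
        return []
    url, visited = server + "ip/" + ip, []
    for _ in range(max_hops):
        visited.append(url)
        referrals = [l["href"] for l in fetch(url).get("links", [])
                     if l.get("rel") == "related"]
        if not referrals or referrals[0] in visited:  # leaf reached, or a loop
            break
        url = referrals[0]
    return visited
```

The last URL in the returned list is the registry that answered without referring onward; a hop limit guards against two registries pointing at each other.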


Re: Spitballing IoT Security

2016-10-29 Thread Eliot Lear
Hi Chris,


On 10/25/16 1:51 PM, Chris Boyd wrote:
>> On Oct 25, 2016, at 3:10 AM, Ronald F. Guilmette  
>> wrote:
>>
>> An IoT is -not- a general purpose computer.  In the latter case, it is
>> assumed that the owner will "pop the hood" when it comes to the software
>> configuration.
> Ah, but they are.  In many cases you can ship a product faster and cheaper 
> with an ARM based system running a stripped down Linux and some specialty I/O 
> than building a properly hardened custom microcontroller.

That something has a CPU doesn't tell you whether it is a general
purpose computer.  What tells you if a device is a general purpose computer is
whether it is intended for particular uses or not (the key word there
being "purpose").  More importantly, if you view every Thing as a
general purpose computer you are missing an opportunity to impose an
engineering constraint on the problem space.  If that in turn lets you
easily solve for the general case, you've had a huge win.

Eliot


Re: Spitballing IoT Security

2016-10-29 Thread Eliot Lear
Hi Mike,


On 10/27/16 11:04 AM, Mike Meredith wrote:
> On Thu, 27 Oct 2016 07:59:00 +0200, Eliot Lear 
> may have written:
>> Well yes.  uPnP is a problem precisely because it is some random device
>> asserting on its own that it can be trusted to do what it wants.  Had
> From my own personal use (and I'm aware that this isn't a general
> solution), I'd like a device that sat on those uPnP requests until I logged
> into the admin interface to review them. Now if you could automate _me_
> then it might become more generally useful :-

You need to go further.  It is no longer enough to tackle this problem
simply as a firewall problem, because there are too many
reflection-style attacks.  Not only do you want to prevent devices from
opening pinholes to the Internet, but you really want to know what
they're going to be doing inside the home.  And quite frankly, I
disagree that you want to nag the user unless it is absolutely
necessary.  To me, that means authorizing the device in the first place,
and the access point having access to enough intelligence to know what
sort of access is necessary for a device, given its purpose.

> As someone who manages an application-based firewall, every problem looks
> like it would be easier to solve using an application-based firewall :)

I don't generally prefer application firewalls except in limited
circumstances.

Eliot
