Re: possible rsync validation dos vuln

2021-10-29 Thread Barry Greene


> On Oct 29, 2021, at 5:26 PM, Nick Hilliard  wrote:
> 
> Because this didn't happen, we now get to look forward to a weekend of 
> elevated risk, followed by people upending their calendars to handle 
> un-coordinated upgrades on monday morning.


That only happens if the team has the time to get the fix into the code, 
tested, validated, regressed, and deployed. I would say this is a classic 
example of “ego” to publish overruling established principles.

The University of Twente should explore requiring classes for responsible 
disclosure.

NCSC, it seems you threw out your own policy:

"The NCSC will try to resolve the security problem that you have reported in a 
system within 60 days. Once the problem has been resolved, we will decide in 
consultation whether and how details will be published."

I would have expected you to counsel the researchers on responsible disclosure 
principles.




Re: uRPF strict mode

2021-09-29 Thread Barry Greene


uRPF Strict mode was always supposed to be a widget for source address validation 
(SAV), just like DHCP Lease Query (DOCSIS), the TR-69 ACLs, general ACLs, and 
other vendor-specific widgets. Like all widgets, there are places where it 
works and other places where it does not. The key principle is to deploy on the 
customer - provider edge (with provider = ISPs, CSPs and cloud providers). 

Which widget you select is an engineering decision. As Saku points out, some 
vendors' PPS with uRPF is worse than with simple ACLs. But then the PPS hit might 
be OK if uRPF Strict mode cuts down the operational logistics of maintaining the 
customer ACLs. No right or wrong, just engineering choices for SAV deployment.

Re: DDoS attack with blackmail

2021-05-24 Thread Barry Greene

DDoS Attack Preparation Workbook
https://www.senki.org/ddos-attack-preparation-workbook/ 



> On May 20, 2021, at 12:26 PM, Baldur Norddahl  > wrote:
> 
> Hello
> 
> We got attacked by a group that calls themselves "Fancy Lazarus". They want 
> payment in BC to not attack us again. The attack was a volume attack to our 
> DNS and URL fetch from our webserver.
> 
> I am interested in any experience in fighting back against these guys.
> 
> Thanks,
> 
> Baldur
> 



New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks

2018-02-27 Thread Barry Greene
Hello Fellow NANOGer,

If you have not already seen it, experienced it, or read about it, we are working to 
head off another reflection DoS vector. This time it is memcached on port 11211 
UDP & TCP. There are active exploits using these ports. Reflection attacks and 
memcached are not new. We know how reflection attacks work (send a spoofed 
packet to a device and have it reflected back). Yes, please deploy source address 
validation and BCP 38.

Operators are asked to review their networks and consider updating their 
Exploitable Port Filters (Infrastructure ACLs) to track or block UDP/TCP port 
11211 for all ingress and egress traffic. If you do not know about iACLs or 
Exploitable Port Filters, you can use this white paper, with details and examples 
from peers, on Exploitable Port Filters: 
http://www.senki.org/operators-security-toolkit/filtering-exploitable-ports-and-minimizing-risk-to-and-from-your-customers/

Enterprises are also asked to update their iACLs, Exploitable Port Filters, and 
Firewalls to track or block UDP/TCP port 11211 for all ingress and egress 
traffic.

Deploying these filters will help protect your network, your organization, your 
customers, and the Internet.

Ping me 1:1 if you have questions.

Sincerely,

--
Barry Raveendran Greene
Security Geek helping with OPSEC Trust
Mobile: +1 408 218 4669
E-mail: bgre...@senki.org


Resources on memcached Exploit (to evaluate your risk):

More information about this attack vector can be found at the following:

• JPCERT – Alert regarding access control for memcached (JPCERT-AT-2018-0009)
http://www.jpcert.or.jp/at/2018/at180009.html
• Qrator Labs: The memcached amplification attacks reaching 500 Gbps
https://medium.com/@qratorlabs/the-memcached-amplification-attack-reaching-500-gbps-b439a7b83c98
• Arbor Networks: memcached Reflection/Amplification Description and DDoS Attack Mitigation Recommendations
https://www.arbornetworks.com/blog/asert/memcached-reflection-amplification-description-ddos-attack-mitigation-recommendations/
• Cloudflare: Memcrashed – Major amplification attacks from UDP port 11211
https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/
• Link11: New High-Volume Vector: Memcached Reflection Amplification Attacks
https://www.link11.com/en/blog/new-high-volume-vector-memcached-reflection-amplification-attacks/
• Blackhat Talk: The New Page of Injections Book: Memcached Injections by Ivan Novikov
https://www.blackhat.com/docs/us-14/materials/us-14-Novikov-The-New-Page-Of-Injections-Book-Memcached-Injections-WP.pdf
• Memcache Exploit
http://niiconsulting.com/checkmate/2013/05/memcache-exploit/
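As an added example (not from the original post or the linked white paper), a small Python triage script over constructed flow records that tells which side of a memcached reflection a port 11211 flow represents, so an operator can see whether they are the exposed cache, the reflector, or the victim before the iACL goes in; MY_NETS and the record format are assumptions.

```python
"""Triage flow records for memcached (port 11211) reflection traffic.
Constructed, simplified NetFlow-style records, one per line:
"proto src_ip:src_port dst_ip:dst_port packets bytes".
MY_NETS is an assumed list of the operator's own prefixes.
"""
import ipaddress

MEMCACHED_PORT = 11211
MY_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # assumed operator space

# Constructed samples: spoofed query hitting our cache, amplified reply
# leaving our network, amplified replies arriving at us, benign HTTPS.
SAMPLE_FLOWS = """\
udp 198.51.100.7:80 192.0.2.10:11211 40 2400
udp 192.0.2.10:11211 198.51.100.7:80 2000 2800000
udp 203.0.113.5:11211 192.0.2.20:443 5000 7000000
tcp 203.0.113.9:52011 192.0.2.30:443 20 9000
"""

def _is_mine(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MY_NETS)

def classify_flow(line):
    """Return (verdict, bytes_per_packet) for one flow record."""
    _proto, src, dst, pkts, byts = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    src_port, dst_port = int(src_port), int(dst_port)
    bpp = int(byts) / max(int(pkts), 1)  # large replies show up here
    if MEMCACHED_PORT not in (src_port, dst_port):
        return "ok", bpp
    if dst_port == MEMCACHED_PORT and _is_mine(dst_ip) and not _is_mine(src_ip):
        # Internet-sourced queries reaching an internal cache: the trigger.
        return "exposed-memcached-query", bpp
    if src_port == MEMCACHED_PORT and _is_mine(src_ip) and not _is_mine(dst_ip):
        # Large replies leaving our network: we are the reflector.
        return "reflecting-out", bpp
    if src_port == MEMCACHED_PORT and not _is_mine(src_ip) and _is_mine(dst_ip):
        # Large replies arriving from other people's caches: we are the victim.
        return "amplified-in", bpp
    return "memcached-internal", bpp

def scan_flows(text=SAMPLE_FLOWS):
    """Classify every record; returns {verdict: count}."""
    counts = {}
    for line in text.splitlines():
        verdict, _ = classify_flow(line)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts
```

Any "reflecting-out" hit means the ingress filter on 11211 is missing and the cache is answering the Internet; "amplified-in" is the case where only upstream filtering helps.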




Re: Security release scheduling

2015-09-29 Thread Barry Greene
> 
> Hi Harlan,

The general principle is look out for the major network lock downs. Sometimes 
that overlaps with holidays. Other times it is over financial close months.

My personal $.02 is to avoid major vulnerability disclosures in December, 
during Lunar New Year weeks, during Ramadan, and June. Some would also include 
August (Euro holidays).

But these days there are timers given by the vulnerability finder (or CERT 
Team) and conference disclosures (security rock stars) that drive the 
disclosure to a time which is not optimal to the people who have to roll out 
the remediation. 

In essence, write a disclosure policy, put it on your website, and be open for 
improvements based on input from your constituents. Do your best. That is all 
you can do.

Barry

PS - Let me know if you need help writing the disclosure policy. 




Re: Security release scheduling

2015-09-29 Thread Barry Greene

> On Sep 29, 2015, at 3:57 PM, Harlan Stenn <st...@nwtime.org> wrote:
> 
> Good info, Barry - thanks!
> 
> I appreciate your offer, too!

Here is a brain dump: 
https://www.linkedin.com/pulse/5-principles-vulnerability-disclosure-barry-greene

For the people who are not vendors on the list, the post has some good 
questions to ask your vendors about their vulnerability disclosure processes. 

Re: large BCP38 compliance testing

2014-10-02 Thread Barry Greene

On Oct 2, 2014, at 6:23 PM, Jérôme Nicolle jer...@ceriz.fr wrote:

 
 
 Le 02/10/2014 12:28, Nick Hilliard a écrit :
 It would probably be more productive to pressurise transit providers to
 enforce bcp38 on their customer links.
 
 This. But let me ask you, how many transit providers actually implement
 strict prefix-filtering ? I've seen many using a max-prefix as their
 sole defense.
 
 Now, let's consider what you want is to match an interface ACL to
 prefixes received on a BGP session running through the same interface.
 Ain't that what uRPF-strict is all about ?

uRPF Strict mode is NOT a tool to use on the transit connections. It was built 
for the SP-Customer connections. 

uRPF VRF mode _was_ built for the transit connections. You can take all the 
prefixes received from the peer and stick them into a VRF. You can then check 
all the incoming packet source addresses against that list. If there is no 
match, then it was not in the BGP advertisements. 
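As an added illustration for this post and the earlier uRPF strict mode post (example code, not vendor or list-member code): a Python model of both checks, with a constructed FIB and a constructed per-peer advertisement table standing in for the VRF; interface names, prefixes and the sample packets are assumptions.

```python
"""Model uRPF strict mode (customer edge) vs uRPF VRF mode (transit edge).
Constructed example, not vendor code: FIB, interfaces and the per-peer
advertisement table are assumptions.
"""
import ipaddress

def _net(s):
    return ipaddress.ip_network(s)

# Unicast FIB: best route per prefix -> egress interface.
FIB = {
    _net("203.0.113.0/24"): "Gi0/1",   # customer link
    _net("198.51.100.0/24"): "Gi0/2",  # transit peer A
    _net("192.0.2.0/24"): "Gi0/3",     # peer A advertises it too, but best path is via peer B
    _net("0.0.0.0/0"): "Gi0/3",        # default toward peer B
}

# Per-peer "VRF": every prefix that peer's BGP session advertised to us.
PEER_VRF = {
    "Gi0/2": {_net("198.51.100.0/24"), _net("192.0.2.0/24")},
}

def longest_match(src, table):
    """Longest-prefix lookup of src in an iterable of networks (None if no hit)."""
    addr = ipaddress.ip_address(src)
    hits = [p for p in table if addr in p]
    return max(hits, key=lambda p: p.prefixlen) if hits else None

def urpf_strict(src, ingress_if):
    """Strict mode: the best route to the source must point back out the ingress interface."""
    route = longest_match(src, FIB)
    return route is not None and FIB[route] == ingress_if

def urpf_vrf(src, ingress_if):
    """VRF mode: the source must fall inside a prefix this peer actually advertised."""
    return longest_match(src, PEER_VRF.get(ingress_if, set())) is not None

# Constructed packets: (source, ingress interface, note).
SAMPLE_PACKETS = [
    ("203.0.113.9", "Gi0/1", "customer's own prefix"),
    ("198.51.100.5", "Gi0/1", "spoofed by a customer host"),
    ("192.0.2.7", "Gi0/2", "legit but asymmetric: enters via A, best route via B"),
    ("10.0.0.1", "Gi0/2", "never advertised by A"),
]

def evaluate(packets=SAMPLE_PACKETS):
    """Return {source: (strict_pass, vrf_pass)} to compare both checks."""
    return {src: (urpf_strict(src, ifc), urpf_vrf(src, ifc)) for src, ifc, _ in packets}
```

The third packet is the reason strict mode does not belong on transit links: it is legitimate traffic that strict mode drops because the best route points elsewhere, while the per-peer check passes it because peer A did advertise that prefix.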







Re: BGPMON Alert Questions

2014-04-02 Thread Barry Greene

Agreed - focus on the fix. Then take a deep breath and figure out what happened.

BTW - Indosat is down hard. Cannot call into their network (cell phone). I've 
got my team reaching in to their buddies to help.


On Apr 3, 2014, at 7:22 AM, Randy Bush ra...@psg.com wrote:

 note joels careful use of 'injected'.  imiho, 'hijacked' is pejorative
 implying evil intent.  i very much doubt that is the case here.  it
 looks much more like an accident.  could we try to be less accusatory
 with our language.  'injected', 'mis-originated', ... would seem to
 describe the situation.
 
 and, btw, how many of those whose prefixes were mis-originated had
 registered those prefixes in the rpki?
 
 randy
 





Re: BGPMON Alert Questions

2014-04-02 Thread Barry Greene
Hi Team,

Confirmation from my team talking directly to Indosat - self-inflicted with a 
bad update during a maintenance window. Nothing malicious or intentional. 

Barry






Re: DNS Changer items

2012-08-16 Thread Barry Greene

On Aug 15, 2012, at 1:52 PM, Randy Bush ra...@psg.com wrote:

 It also sounds like RIPE did a big screw you to the Dutch police for
 trying to interfere.
 
 no, they caved.
 

No, they did not cave. Court orders through the Dutch courts are integrated 
in their processes. It was coordinated with RIPE before Law Enforcement 
requested the court orders. RIPE's problem was with the broad language. See all 
the details here:

https://www.ripe.net/internet-coordination/news/about-ripe-ncc-and-ripe/summons-of-the-ripe-ncc-against-the-state-of-the-netherlands

The bigger problem is written here:

http://www.senki.org/archives/948

Barry


DNSChanger Prefixes are re-allocated and advertised ...

2012-08-10 Thread Barry Greene
Hi Team,

FYI - Two prefixes from the DNS Changer/Rover Digital take down have been 
re-allocated. One of the prefixes - 85.255.112.0/20 - was advertised Friday 
morning. There is a blog post with some of the details here:

Beware! DNS Changer’s IP Blocks are re-allocated and advertised! - 
http://www.senki.org/archives/930

A general feeling of surprise summarizes several of the behind-the-scenes 
security conversations. A general recommendation to be careful with the traffic 
going to and from these netblocks is the best advice at this time. 

Barry





Re: Automatic attack alert to ISPs

2012-06-22 Thread Barry Greene

Shadowserver.org has a public benefit notification service.

Sent from my iPad

On Jun 22, 2012, at 2:46 PM, Yang Xiang xiang...@csnet1.cs.tsinghua.edu.cn 
wrote:

 Argus can alert prefix hijacking, in realtime.
 http://tli.tl/argus
 Hope to be useful to you.
 
 BR.
 
 On Friday, June 22, 2012, Ganbold Tsagaankhuu wrote:
 
 Hi,
 
 Is there any well known free services or scripts that sends automatic
 attack alerts based on some logs to corresponding ISPs (based on src
 address)?
 I have seen dshield.org and mynetwatchman, but I don't know yet how
 good they are.
 If somebody has recommendations in this regard please let me know.
 
 thanks in advance,
 
 Ganbold
 
 
 
 -- 
 _
 Yang Xiang. Ph.D candidate. Tsinghua University
 Argus: argus.csnet1.cs.tsinghua.edu.cn



Re: Penetration Test Assistance

2012-06-05 Thread Barry Greene
Hi Tim,

A _good_ pen test team would not need a network diagram. Their first round of 
penetration test would have them build their own network diagram from their 
analysis of your network. 

Barry


On Jun 5, 2012, at 7:52 AM, Green, Timothy wrote:

 Howdy all,
 
 I'm a Security Manager of a large network, we are conducting a Pentest next 
 month and the testers are demanding a complete network diagram of the entire 
 network.  We don't have a complete network diagram that shows everything 
 and everywhere we are.  At most we have a bunch of network diagrams that show 
 what we have in various areas throughout the country. I've been asking the 
 network engineers for over a month and they seem to be too lazy to put it 
 together or they have no idea where everything is.
 
 I've never been in this situation before.  Should I be honest to the testers 
 and tell them here is what we have, we aren't sure if it's accurate;  find 
 everything else?  How would they access those areas that we haven't 
 identified?   How can I give them access to stuff that I didn't know existed?
 
 What do you all do with your large networks?  One huge network diagram, a 
 bunch of network diagrams separated by region, or both?  Any pentest horror 
 stories?
 
 Thanks,
 
 Tim
 
 




Re: need help about bgp and ospf

2012-05-18 Thread Barry Greene
Hi Deric,

I would strongly suggest that you watch a couple of the NANOG tutorials on 
routing. They would help you answer these and other questions. 

Go to this page - http://www.nanog.org/meetings/archive/ - pick a meeting and 
find the BGP tutorial. There are a few taught each year. 

Barry

Sent from my iPad

On May 18, 2012, at 10:13 AM, Deric Kwok deric.kwok2...@gmail.com wrote:

 Hi all
 
 Can I have questions about bgp and ospf
 
 1/ Do I have to redistribute bgp in ospf to make ospf know which
 upstream bgp routers to go out
 
 2/ If yes, how many routes can ospf database handle as one full bgp
 table is about 400,000 routes
 
 3/ When we have 8 ospf routers to run redistribute bgp, is it 8 x
 400,000 routes in ospf database?
 
 4/ If not redistributed bgp, how ospf to know which upstream to go out
 
 Thank you for your help
 



Re: Weekend Gedankenexperiment - The Kill Switch

2011-02-04 Thread Barry Greene

 The Internet is not immune to the law, as you should well know. In fact,
 the Internet seems to be a legal proving ground these days, so word to
 the wise.

And, the US National Communication Service (http://www.ncs.gov/index.html) 
technically has the ability to order all US telecommunications providers to 
disconnect for the express purpose of maintaining the integrity of the US 
Telecommunications system. If the NCS does not have implicit authority, an 
Executive order would grant it. 

So beware, most of the US Internet Kill Switch talk in Washington DC is 
politics from people who have not read what can be done now using existing 
authorities. 




RE: IPv6 Advertisements

2007-05-30 Thread Barry Greene (bgreene)

 

  This assumes a single machine scanning, not a botnet of 
 1000 or even 
  the 1.5m the dutch gov't collected 2 yrs ago.
  Again, a sane discussion is in order. Scanning isn't AS 
 EASY, but it 
  certainly is still feasible,
 With 1.5 million hosts it will only take 3500 years... for a 
 _single_ /64!
 
 I'm not sure that's what I would call feasible.

I would call that not understanding today's security world. Scanning
is not the primary mode of looking for vulnerabilities today. There are
several more effective "come here and get infected" and "click on this
attachment and get infected" techniques. 

What scanning does go on today is usually not the "let's scan the
Internet" kind. No money in it. You target your scans to the address ranges
of the sites you are trying to mine (i.e. build BOTNETs) or go after.