RE: Abuse desk software

2009-10-30 Thread Bradley Freeman

You can do something with RTIR, it picks up IPs/Hostnames in emails sent
into it and with a single click you can view more information about that IP
including open/closed incidents, blocks, whois, etc.

Cheers

Bradley

-Original Message-
From: Drew Weaver [mailto:drew.wea...@thenap.com] 
Sent: 30 October 2009 15:48
To: 'nanog@nanog.org'
Subject: Abuse desk software

Howdy,

Can anyone recommend a decent software package one can use to download
e-mail sent to an abuse alias which then grabs IPs/hostnames out of the body
of the email and makes nice actionable reports?

Anything out there exist?

thanks,
-Drew






RE: Botnet hunting resources

2009-08-11 Thread Bradley Freeman
I'm surprised that nobody has mentioned the work of shadowserver.org, they are
able to send reports of malware infections on your networks (see
http://www.shadowserver.org/wiki/pmwiki.php/Services/Reports). The service
has proved to be a brilliant tool in mitigating various forms of malware such
as Conficker with almost 0% false positives.

Cheers

Bradley

-Original Message-
From: Jack Bates [mailto:jba...@brightok.net] 
Sent: 11 August 2009 14:11
To: J.D. Falk
Cc: NANOG
Subject: Re: Botnet hunting resources

J.D. Falk wrote:
> Hi, Luke!  MAAWG recently published a document to help ISPs deal with 
> infected machines in their networks.  It's not the same kind of 
> pressure, but (as we learned with open relays at MAPS) pressure isn't 
> very effective unless there are tools available to deal with the problem.

It could also use a lot more resources? Watching traffic flows for 
traffic destined to known C&C addresses is nice, but including a pointer 
to a resource that actually gives those addresses is much more useful. 
For those who don't deal with it every day, the document just says they 
need to spend even more time with google.


Jack






RE: DOS in progress ?

2009-08-06 Thread Bradley Freeman
http://status.twitter.com/

"We are defending against a denial-of-service attack, and will update status
again shortly."

-Original Message-
From: Marshall Eubanks [mailto:t...@americafree.tv] 
Sent: 06 August 2009 16:57
To: Jorge Amodio
Cc: NANOG
Subject: Re: DOS in progress ?


On Aug 6, 2009, at 11:25 AM, Jorge Amodio wrote:

> Are folks seeing any major DOS in progress ?
>
> Twitter seems to be under one and FB is flaky.
>
>

Twitter is very flaky & slow to load today, but that is hardly unusual.

Do you have any other evidence ?

Regards
Marshall 






RE: ISP best practices

2009-05-21 Thread Bradley Freeman
In regards to DNS there is a great secure BIND template here
http://www.cymru.com/Documents/secure-bind-template.html which will help
stop your server from being an unneeded open resolver, or sending out root
hints which are used all the time to amplify DDOS attacks often without you
realising.

Bradley


-Original Message-
From: Philip Lavine [mailto:source_ro...@yahoo.com] 
Sent: 21 May 2009 14:39
To: nanog@nanog.org
Subject: ISP best practices


To all,

I am sure this has been asked 10 to the 1 millionth power times, however maybe
the rules have changed. I am looking to set up a really small ISP with a
few /24's. I want to host DNS as well. Are there any whitepapers/howtos/best
practices on setting up multihomed BGP and DNS with BIND so I don't blow up
the Internet?

Thx

Philip
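
As an added illustration of the open-resolver point in the reply above (this is not part of the thread and is not the Team Cymru template itself), a minimal named.conf fragment with the weak setting shown beside the restricted one. The ACL name, the address ranges (documentation prefixes), the zone name and the file path are all assumed placeholders.

```conf
// Constructed example: ACL name, prefixes, zone and file path are placeholders.

// Clients that are allowed to use this server as a recursive resolver.
acl "trusted" {
    127.0.0.1;
    ::1;
    192.0.2.0/24;        // assumed customer range
    198.51.100.0/24;     // assumed customer range
};

options {
    directory "/var/named";

    // Weak form: anyone on the Internet can recurse through this server,
    // which makes it usable as a reflector for spoofed-source queries.
    // allow-recursion { any; };

    // Restricted form: recursion and cached answers only for our own clients.
    recursion yes;
    allow-recursion   { "trusted"; };
    allow-query-cache { "trusted"; };

    // Default for data we are not authoritative for; zones override it below.
    allow-query       { "trusted"; };

    // No zone transfers unless a zone explicitly permits them.
    allow-transfer    { none; };
};

// Authoritative data stays publicly answerable.
zone "example.net" {
    type master;
    file "zones/example.net.db";
    allow-query { any; };
};
```

With cache access limited to the ACL, a query from outside for a name the server is not authoritative for is answered REFUSED rather than with a referral to the root servers. Check the syntax with `named-checkconf` and confirm the behaviour with `dig` from a host outside the ACL.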



  






Re: Any recent predictions for routing table growth?

2008-11-04 Thread Bradley Freeman
Thank you very much David, the Routing Growth estimates are exactly the
research I was after.

2008/11/4 David Andersen <[EMAIL PROTECTED]>

> Hey, Brad - the latest I know of are ours, but I'm possibly out of date:
>
> http://www.cs.cmu.edu/~dga/papers/aip-sigcomm2008-abstract.html
>
> Look in section 4.1.  The #s were from routeviews, June 30, 2008.  The
> gist:
>
> June 2008:  247K entries
> Growth rate:  17% per year
>
> So - June 2009:  288k
>
> There's an embarrassing typo in the formula in the paper - it says "2.07 *
> 10^4" as the base, when it's obvious that it means 2.47 * 10^5.  Sigh.  I'll
> get that corrected. :)
>
> Also note that our #s differ a bit from, say, CIDR report since we used
> routeviews as our baseline.  If you use the june 6, 2008 CIDR report as your
> starting point, which starts at 267k, the 17% exponential growth would
> predict that the October 31, 2008 CIDR report would report 284k prefixes;
>  in reality, it reported 286.  So, reasonably close.  But you want to start
> with the # of prefixes that YOU observe, since that's going to be a little
> different depending on your vantage point.
>
> Plug in:
>
> STARTING_NUM_PREFIXES * e^(NUM_DAYS_ELAPSED * 0.0004253)
>
> e.g., 267000 * e^(147 * 0.0004253)
>
> and you'll have a pretty decent prediction unless things change course. :)
>
>
> On Nov 3, 2008, at 6:38 PM, Brad Freeman wrote:
>
>> Hi,
>>
>> I am looking for some recent estimates of future IPv4 & IPv6 routing table
>> growth, the most recent reliable estimate I can find was done by Vince
>> Fuller in his presentation in March 2007, is there any newer or alternative
>> figures out?
>>
>> Thanks
>>
>> Bradley
>>
>>
>


Re: Any recent predictions for routing table growth?

2008-11-03 Thread Bradley Freeman
Thanks for that link Bradley (& Joe who replied off list), but IPv4 address
depletion has been discussed to exhaustion and I was looking more for the
speculative sizes of the routing table in 5 to 10+ years time such as on
page 19 of this presentation www.vaf.net/prezos/*r*rg-prague.pdf  is there
anything similar available?

Thanks

2008/11/4 Bradley Huffaker <[EMAIL PROTECTED]>

> Geoff Huston has http://www.potaroo.net/tools/ipv4/ which goes up to
> the present.
>
> On Mon, Nov 03, 2008 at 11:38:58PM +, Brad Freeman wrote:
> > Hi,
> >
> > I am looking for some recent estimates of future IPv4 & IPv6 routing table
> > growth, the most recent reliable estimate I can find was done by Vince
> > Fuller in his presentation in March 2007, is there any newer or alternative
> > figures out?
> >
> > Thanks
> >
> > Bradley
>
> --
> Bradley Huffaker     We have all drunk from a well we did not dig
> CAIDA/SDSC/UCSD                                    - Mark Shields
>