Useful URL for network operators
Misses, Misters,

FYI : http://tools.bgp4.jp/index.php?tools%20team/tools

Best Regards,

Guillaume FORTAINE
Re: NSP-SEC
Conclusion : if you can't reply to these fundamental questions, hire a CISO and build a CSIRT.

sigh I *so* hate making an argument from authority (other than I think smb published a paper on that already), but in your case I'll make an exception. Go read http://www.sans.org/dosstep/roadmap.php Read the date, read the signatories.

I have read this document with interest.

1) Remarks :

- Bill Clinton is no longer the president of the USA. Howard Schmidt is the new cybersecurity czar : http://www.facebook.com/howardas (By the way, Gadi Evron is in his Facebook friends ?!?)

2) Notes :

a) Problem 1: Spoofing / Problem 2: Broadcast Amplification
http://docs.google.com/viewer?url=http://www.dca.fee.unicamp.br/~chesteve/pubs/LIPSIN_sigcomm2009_jokela.pdf

b) Problem 3: Lack of Appropriate Response To Attacks
http://docs.google.com/viewer?url=http://nanog.org/meetings/nanog47/presentations/Sunday/Green_Top10_Security_N47_Sun.pdf

c) Problem 4: Unprotected Computers
http://docs.google.com/viewer?url=http://www.whitehouse.gov/files/documents/cyber/Gourley_Bob_Open_Source_Software_and_Cyber_Defense_01_April_2009.pdf

Ask yourself if you *really* want to be telling me that we need to build a CSIRT. (Answer - our CIRT was up and running back in 1991, and was well-known in 2000. So no, we don't need advice on how to start one.

VT-CIRT : http://docs.google.com/viewer?url=http://www.it.vt.edu/publications/annualreports/annualreport2007-2008.pdf
o Students designed, built, and are maintaining the vulnerability scan engines that are the core of the www.ids.cirt.vt.edu site.

CSIRT-MU : http://docs.google.com/viewer?url=http://www.vabo.cz/spi/2009/presentations/03/02-celeda_rehak_CAMNEP_no_video.pdf
Project Results
Further Information: 3 Journal papers, including IEEE Intelligent Systems; 20+ conference papers (RAID, AAMAS, IAT, FloCon, ...)
How to get it? University startups:
- INVEA-TECH a.s. - FlowMon probes, collectors for high-speed data monitoring (with MU, VUT and CESNET)
- Cognitive Security s.r.o. - CAMNEP system for real-time data mining (with CTU)
Supported by: U.S. ARMY RDECOM-CERDEC, CESNET, Czech MOD

We've got literally man-centuries of experience in running one already. By the way, where were you in 1991?)

In 1991, I was in primary school. In 2000, the date of your link, I got my first access to the Internet. And now ? ;) !

Best Regards,

Guillaume FORTAINE
Re: NSP-SEC
On 03/20/2010 07:37 PM, William Pitcock wrote:

On Sat, 2010-03-20 at 20:30 +0200, Hank Nussbacher wrote:

On Fri, 19 Mar 2010, William Pitcock wrote:

On Fri, 2010-03-19 at 08:31 -0500, John Kristoff wrote:

An ongoing area of work is to build better closed, trusted communities without leaks.

Have you ever considered that public transparency might not be a bad thing? This seems to be the plight of many security people, that they have to be 100% secretive in everything they do, which is total bullshit. Just saying.

How exactly would being transparent for the following help Internet security: I am seeing a new malware infection vector via port 91714 coming from the IP range of 32.0.0.0/8 that installs a rootkit after visiting the web page http://www.trythisoutnow.com/. In addition, it has credit card and pswd stealing capabilities and sends the details to a maildrop at trythisout...@gmail.com The only upside of being transparent is alerting the miscreant to change the vector and maildrop.

That is not what I mean and you know it. What I mean is: why can't anyone contribute valuable information to the security community? It is next to impossible to meet so-called 'trusted people' if you're new to the game, which is counter-productive.

I totally agree with William.

Best Regards,

Guillaume FORTAINE
Re: NSP-SEC
If I was such a clever 15 year old I would go to Google and enter contacting cisco ios security which would lead me to - http://www.cisco.com/en/US/products/products_security_advisories_listing.html which would lead me to - http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html Same exercise can be repeated for most vendors you can choose.

I would counter-argue by quoting this article : http://www.breakingpointsystems.com/community/blog/cisco-becomes-the-weakest-link-in-national-infrastructure-security

Cisco Becomes The Weakest Link In National Infrastructure Security

Last week Cisco released patches in their semi-annual security announcement. The publication includes 11 advisories that address 12 individual vulnerabilities. Ten of the advisories address vulnerabilities in Cisco IOS and one advisory addresses a vulnerability in Cisco Unified Communications Manager. Together these can affect routers and switches that not only use the Cisco Unified Communications Manager, but any device relying on the Cisco IOS operating system. To put it bluntly, this means a ton of devices critical to any network, and these vulnerabilities leave businesses and government agencies exposed to a barrage of attacks including denial-of-service (DDoS) or policy bypass.

Much has been written about the announcement of the vulnerabilities. However, details are lacking and there are more questions than answers. This lack of information leads me to believe Cisco does not take security seriously and continues to not know how to work with the security community. Considering the lack of details and opinions, I thought I would provide a few of my own.

1) Twice A Year Is Not Enough

The number of vulnerabilities patched by Cisco is not the issue. It is the potential danger these vulnerabilities pose. One of the IOS vulnerabilities allows unauthenticated attackers to bypass access control policies when the “Object Groups for Access Control Lists (ACLs)” feature is used. Your company is most likely protecting your critical components by leveraging ACLs; now imagine they are no longer in place. The human resources database with all that W-2 information? Hackers now have your salary, your direct deposit account, your medical history and of course your social security number. To make matters worse, replace that HR database with our government’s nuclear secrets; don’t you think Iran is aware of the Cisco vulnerabilities?

Scary stuff, for sure, but how long has the vulnerability been around and recognized? The answer is unknown. The only fact we have is that each of these eleven vulnerabilities may have been around for at least six months. That is an eternity in the security space and has given hackers too much time to walk in through an open door. Microsoft is often a punching bag when it comes to vulnerabilities and it is sometimes warranted, but let’s be honest, the company does a good job of patching issues on a regular basis. With Microsoft, you know that you are going to get a patch each month and important details that help you make an informed security decision. Cisco should examine its patching schedule in light of the September 24th announcement; every six months is not acceptable.

2) Updating Routers and Switches is Now Critical

You can never diminish the importance of a switch or router to your network infrastructure. They are the core of any network whether in a home, a large Enterprise or the Federal Government. If one fails you know it. However, if a vulnerability lets people through due to a hack, do you know it? While everyone remembers to patch their Mac or Windows laptop, how often do they patch the router, firewall or switch? To see how up-to-date folks are with their Cisco firmware I ran a quick test. During a 1-hour scan of the Internet I found 420 responding systems and NONE were patched with any fixes from this cycle or the last. That means 420 systems, at a minimum, are susceptible to a year's worth of vulnerabilities.

Microsoft had enough of people not patching and now it force-feeds the patches. While I’m not a fan of that solution, it does work. Cisco needs to apply the same method to its products. It is irresponsible for Cisco to run its business in a way that could cause mass disruption to critical network infrastructures including government and military services. Cisco is not the only one to blame in this mess; the people responsible for getting their routers, switches and other network equipment up-to-date also must be held accountable. How many of you updated with the patches on September 24th, the day of the announcement? The quick scan I did is telling me not many. Kelly Jackson Higgins of Dark Reading put it best, “The dirty little secret about patching routers is that many enterprises don't bother for fear of the fallout any changes to their Cisco router software could have on the rest of the
NSP-SEC
Misses, Misters,

I would want to inform you that the security of the Internet, that is discussed in the NSP-SEC mailing-list [0] by a selected group of vendors (Cisco, Juniper, Arbor) [1] and operations contacts of the big ISPs [2] :

1) applies the Security through Obscurity paradigm that has been proven inefficient [3]. To quote [4] : Please do not Forward, CC, or BCC this E-mail outside of the nsp-security community. Confidentiality is essential for effective Internet security counter-measures.

First question : Why was I able to find this mail on the Internet if it should be kept secret ?

2) includes [5]
a) Spammers (Rodney Joffe) [6] [7]
b) Freelancers (Gadi Evron) [8] [9]

Second question : Do you still ask yourself why the Internet is so insecure ? [10]

Best Regards,

Guillaume FORTAINE

[0] http://puck.nether.net/mailman/listinfo/nsp-security
[1] http://www.confickerworkinggroup.org/wiki/pmwiki.php/SP/ServiceProviders
[2] http://docs.google.com/viewer?url=http://www.cisco.com/web/ME/exposaudi2009/assets/docs/isp_security_routing_and_switching.pdf
[3] http://en.wikipedia.org/wiki/Security_through_obscurity
[4] http://lists.ausnog.net/pipermail/ausnog/2007-April/000397.html
[5] http://www.google.com/search?hl=en&source=hp&q=nsp-sec+site:mailman.nanog.org&aq=f&aqi=&aql=&oq=&gs_rfai=&esrch=FT1
[6] http://mailman.nanog.org/pipermail/nanog/2008-October/004724.html
[7] http://www.iadl.org/RodneyJoffe/rodneyjoffe.html
[8] http://mailman.nanog.org/pipermail/nanog/2009-November/015354.html
[9] http://il.linkedin.com/in/gadievron
[10] http://caislab.kaist.ac.kr/77ddos/
Re: NSP-SEC
On 03/19/2010 04:52 AM, Patrick W. Gilmore wrote:

On Mar 18, 2010, at 11:46 PM, William Pitcock wrote:

Few people actually care about nsp-sec so what exactly are you getting at?

I might argue the few comment

Could you argue, if possible, please ?

I look forward to your answer,

Best Regards,

Guillaume FORTAINE
Re: anti-ddos test solutions ?
Dear jul,

I would advise Breaking Point :

- News : http://www.breakingpointsystems.com/news/press-releases/breakingpoint-distributed-denial-of-service-ddos-and-botnet-test-methodology-helps-networks-prepare-for-imminent-attack
- Methodology : http://www.breakingpointsystems.com/resources/testmethodologies/breakingpoint-ddos-botnet-testing-methodology
- Documentation : http://docs.google.com/viewer?url=http://www.breakingpointsystems.com/resources/how-to-guides/simulating-distributed-denial-of-service.pdf

Best Regards,

Guillaume FORTAINE

On 03/17/2010 07:45 AM, jul wrote:

Hello nanogers,

Following the multiple threads on DDoS attacks, I was asking myself how someone could test chosen solutions. In most cases, you can't load your Internet access in the same way attackers will (does someone have a botnet with ten thousand computers or more :) ?). But a solution to test basic attacks (synflood, slowloris, sockstress, ...) with 10 to a hundred computers would be interesting, so not a tool but more a service. Found only Parabon [1] on Google. Does someone know something similar ?

Thanks

Best regards,

Jul

Note: Please, don't forget this kind of public test has some serious legal impact and you need to have an agreement with your ISP/operators to do it in most countries.

Note2: Google has a lot of answers. Most of them are about tools and methodology, so not sure for a live test. I'm not looking for a lab solution but a real one with business acceptance (and a wise choice on the hours of the test so the front-end can be switched to maintenance mode).

[1] New grid service simulates DDoS attacks, May 2009 http://www.computerworlduk.com/technology/security-products/business-continuity/news/index.cfm?newsId=14640
Re: OBESEUS - A new type of DDOS protector
Infrastructure).

http://www.cpni.gov.uk/Products/technicalnotes/Feb-09-security-assessment-TCP.aspx

Best Regards,

Guillaume FORTAINE

On 03/15/2010 06:04 PM, Deepak Jain wrote:

At first blush, I would say it's an interesting idea but won't actually resolve any of the scariest DDOS attacks we've seen. (Unless I've missed something obvious about your doodle).

The advantage/disadvantage of 100,000+ host drone armies is that they don't actually *have* to flood you, per se. 10 pps (or less) each and you are going to crush almost everything without raising any alarms based on statistically significant patterns, especially based on IPs. Fully/properly formed HTTP port 80 requests to / won't set off any alarms since each host is opening 1 or 2 connections and sending keepalives after that. If you forcibly close the connection, it can wait 5 seconds or 15 minutes before it reopens, it doesn't really care. Anything that hits you faster than that is certainly obnoxious, but MUCH easier to address simply because they are being boring.

You *can* punt those requests that are all identical to caches/proxies/IDS/Arbor/what have you and give higher priority to requests that show some differences from them... but you are still mostly at the mercy of serving them unless you *can* learn something about the originator/flow/pattern -- which might get you into a state problem.

Where this might work is if you are a large network that only serves one sort of customer and you'd rather block rogue behavior than serve it (at the risk of upsetting your 1% type customers). This would work for that. Probably good at stomping torrents and other things as well.

Best,

Deepak

-----Original Message-----
From: Guillaume FORTAINE [mailto:gforta...@live.com]
Sent: Monday, March 15, 2010 2:57 AM
To: nanog@nanog.org
Subject: Re: OBESEUS - A new type of DDOS protector

Dear Mister Wyble,

Thank you for your reply.

On 03/15/2010 07:00 AM, Charles N Wyble wrote:

The paper is pretty high level, and the software doesn't appear to be available for download.

http://www.loud-fat-bloke.co.uk/obeseus.html
http://www.loud-fat-bloke.co.uk/tools/obeseusvB.tar.gz

So it's kinda theoretical.

We have it running in parallel with a commercial product and it detects the following attacks
▪ SYN floods
▪ RST floods
▪ ICMP floods
▪ General UDP floods
▪ General TCP floods

Best Regards,

Guillaume FORTAINE
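Deepak's point above (10 pps per bot never trips a per-IP alarm) and the attack classes the Obeseus page lists can be put side by side in a small flow-window detector. This is an added example, not code from Obeseus or from any poster in the thread; the flow records, addresses and thresholds are constructed assumptions.

```python
"""Flow-window flood detector (added example; constructed data and thresholds)."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One flow record as a NetFlow/Argus-style exporter would summarise it."""
    src: str
    dst: str
    proto: str    # "tcp", "udp" or "icmp"
    flags: str    # TCP flags seen in the flow ("S" = SYN only, "R" = RST, "PA" = data)
    packets: int  # packets in this window


# Thresholds are assumptions chosen for the constructed sample, not Obeseus's own.
WINDOW_SECONDS = 1
PER_SOURCE_PPS_LIMIT = 100     # classic per-IP alarm: more than 100 pkt/s from one source
AGG_PPS_LIMIT = 2000           # aggregate packets/s toward one destination
MIN_DISTINCT_SOURCES = 500     # spread over at least this many sources => distributed


def per_source_offenders(flows):
    """The per-IP view Deepak Jain describes as blind to 10 pps per bot."""
    pkts = Counter()
    for f in flows:
        pkts[f.src] += f.packets
    return sorted(s for s, n in pkts.items() if n / WINDOW_SECONDS > PER_SOURCE_PPS_LIMIT)


def classify_floods(flows):
    """Aggregate view per destination: returns {dst: [labels]} for busy destinations.

    Labels follow the attack classes Obeseus lists (SYN, RST, ICMP, UDP, general
    TCP) plus a 'distributed' tag when the packets come from many sources."""
    by_dst = defaultdict(list)
    for f in flows:
        by_dst[f.dst].append(f)

    result = {}
    for dst, fl in by_dst.items():
        total = sum(f.packets for f in fl)
        if total / WINDOW_SECONDS <= AGG_PPS_LIMIT:
            continue                       # below the aggregate alarm level
        mix = Counter()
        for f in fl:
            if f.proto == "icmp":
                mix["icmp"] += f.packets
            elif f.proto == "udp":
                mix["udp"] += f.packets
            elif f.flags == "S":           # SYN without ACK: half-open attempts
                mix["syn"] += f.packets
            elif "R" in f.flags:
                mix["rst"] += f.packets
            else:
                mix["tcp_other"] += f.packets

        labels = []
        for key, name in (("syn", "SYN flood"), ("rst", "RST flood"),
                          ("icmp", "ICMP flood"), ("udp", "UDP flood")):
            if mix[key] / total > 0.6:
                labels.append(name)
        tcp_total = mix["syn"] + mix["rst"] + mix["tcp_other"]
        if not labels and tcp_total / total > 0.6:
            labels.append("General TCP flood")
        sources = {f.src for f in fl}
        if len(sources) >= MIN_DISTINCT_SOURCES:
            labels.append(f"distributed ({len(sources)} sources)")
        result[dst] = labels
    return result


def constructed_sample():
    """Constructed one-second window: background traffic, one loud SYN flood and
    one quiet distributed request flood (1000 bots at 10 packets each)."""
    flows = [Flow(f"198.51.100.{i}", "203.0.113.10", "tcp", "PA", 20) for i in range(50)]
    flows.append(Flow("192.0.2.7", "203.0.113.25", "tcp", "S", 5000))
    flows += [Flow(f"10.{i // 256}.{i % 256}.5", "203.0.113.10", "tcp", "PA", 10)
              for i in range(1000)]
    return flows


if __name__ == "__main__":
    sample = constructed_sample()
    print("per-source offenders:", per_source_offenders(sample))   # only the SYN flooder
    print("aggregate view:", classify_floods(sample))              # also the quiet flood
```

A flash crowd produces the same aggregate signature, so the distributed label is a trigger for the request-level inspection Deepak mentions, not a block decision on its own.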
CSIRT - Backbone Security : Runtime Monitoring and Dynamic Reconfiguration for Intrusion Detection Systems
Misses, Misters,

Let me introduce myself : Guillaume FORTAINE, Engineer in Computer Science.

My partners, INVEA-TECH (please see the attached file invea.pdf) [0] and Cognitive Security (please see the attached file cs.pdf) [1], and I are currently working on High-Speed Network Security Solutions.

By the way, we would be glad to invite you to read the publication entitled Obeseus – a lightweight DDOS detector for big attacks (please see the attached file obeseus2.pdf). The point mentioned in this publication, Would be self-learning with black lists, is of particular interest. We think that this last one is pretty much the core of a system that does big attack detection on backbones and is driving the new tools in this area according to our readings. The abilities to be assisted on the learning phase, to detect and block zero-day attacks.

That's why we would be glad to invite you to read further about our methodology (please see the attached files paper4.pdf, Camnep.pdf and CognitiveSecurity.pdf).

For a demo : http://demo.cognitivesecurity.cz/

We look forward to your answer,

Best Regards,

Guillaume FORTAINE
Tel : +33(0)631092519
Mail : gforta...@gfortaine.biz
Google Wave : gforta...@googlewave.com

[0] http://www.invea-tech.com/
[1] http://www.cognitivesecurity.cz/
Re: CSIRT - Backbone Security : Runtime Monitoring and DynamicReconfiguration for Intrusion Detection Systems
Misses, Misters,

I have read with interest what everybody told in this thread and it seems that they consider everything new as spam. My conclusion is that they fear what is new.

Best Regards,

Guillaume FORTAINE

On 03/18/2010 02:09 AM, Michael Sokolov wrote:

My spammy sense is going nuts just at the whole ALL CAPS of this guy's last name.

I thought all-uppercase last names were a traditional French convention... This guy is French, isn't he? - judging by his name. His habit of addressing everyone as Mister is peculiar indeed, but maybe he is really just very new to the customs and conventions of the Anglophone Internet community? Just wondering...

MS
Re: CSIRT - Backbone Security : Runtime Monitoring and DynamicReconfiguration for Intrusion Detection Systems
Misses, Misters,

There are people who know my name but theirs isn't familiar to me. Especially, they are mentioning really old stuff. I am asking myself :

a) Why do they remember me ?
b) How do you remember me ?

My new vaporware is there my friend :

http://www.invea-tech.com
http://www.cognitivesecurity.cz

Sponsored by the US Army, 10 years of R&D ;) !

Best Regards,

Guillaume FORTAINE

On 03/18/2010 03:01 AM, George Imburgia wrote:

On Thu, 18 Mar 2010, Michael Sokolov wrote:

His habit of addressing everyone as Mister is peculiar indeed, but maybe he is really just very new to the customs and conventions of the Anglophone Internet community?

Probably not. He has been trolling techie lists for a few years. Some of his previous vaporware projects included designing a new cell phone, and a secure OS. Not sure what his motivation is. He usually wants people to donate knowledge and time to his projects, which never go anywhere.
Re: CSIRT - Backbone Security : Runtime Monitoring and DynamicReconfiguration for Intrusion Detection Systems
Dear Mister Amodio,

Thank you for your reply.

http://66.102.9.132/search?q=cache:uh4LLvF7vGUJ:www.gtld-mou.org/gtld-discuss/mail-archive/08015.html+Information+Network+Engineering+Group&cd=3&hl=en&ct=clnk

Jeff Williams' FAQ. (99/01)

1. Who is Jeff Williams?

Jeffrey A. Williams, jwkck...@ix.netcom.com, has claimed in postings to various lists:
-- to be the Chief Executive Officer and the Co-Founder of the 4.8 billion dollar privately held employee owned INEG. INC
-- to be the Director of Internet Network Engineering and Senior Java/CORBA Engineer for the Information Network Engineering Group, INEG INC.
-- to be an ex-IBM Fellow,
-- to have graduated from UTD and to have a law degree from SMU Law School
-- to have three degrees, MBA, Masters in Computer Science and Engineering, and Law
-- to have served as a judge for 7 years
-- to be a member of the IETF
-- to serve on several medium sized business boards and on the boards of several banks
-- to be the author of two books and is working on a third
-- to own 3 ISPs, including Frisco net, Deltanet and Wiltel, with 1.6 million users
-- to have been a fighter pilot with USMC, flying missions in Chile and for the DEA, as a reserve pilot in the USMC, stationed out of Grand Prairie air station just south of Dallas
-- to have been acting squadron commander of the Marine combat F4 squadron VMF214 (Black Sheep) at Tan Son Nhut during the Viet Nam war
-- to have spent several years in NIS (Naval Investigative Service)
-- Graduate of Naval Staff War College
-- Retired Colonel, United States Marine Corps
-- to own 8% of eBay

However,
-- Jeff's 'INEG. INC' does not exist except as a fantasy in Jeff Williams' mind.
-- Jeff changed the name of the company in his .sig, in Jan 1998, from 'Information Eng. Group' to Information Network Eng. Group. INEG. INC., when the real Information Engineering Group http://www.ieg-america.com/, became aware of Jeff's use of their name.
-- SMU Law School Registrar's office, (214) 768-2618, disclaims all knowledge of Jeff.

Jeffrey A. Williams is a fake and an imposter.

2. Why should I take care in sending private email to Jeff Williams?

He may post it to the list. Ironically, in his postings of others' private email so far the content has been counter-productive to his reputation and credibility. You should presume any email to him will be posted to the list.

3. Is there other material available on Jeff Williams?

http://www.gtld-mou.org/gtld-discuss/mail-archive/03504.html
http://www.gtld-mou.org/gtld-discuss/mail-archive/05347.html
http://www.gtld-mou.org/gtld-discuss/mail-archive/05398.html
http://www.gtld-mou.org/gtld-discuss/mail-archive/05525.html
http://www.gtld-mou.org/gtld-discuss/mail-archive/08015.html

Best Regards,

Guillaume FORTAINE

On 03/18/2010 03:02 AM, Jorge Amodio wrote:

Let's do something, here is somebody that can help you with your projects. Call INEG INC at 214-244-4827 and ask for Jeffrey, he is the CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS. div. of Information Network Eng. I'm almost sure he will be a perfect match for what you are looking for.

Cheers
Jorge

On Wed, Mar 17, 2010 at 7:53 PM, Guillaume FORTAINE <gforta...@live.com> wrote:

Misses, Misters,

There are people who know my name but theirs isn't familiar to me. Especially, they are mentioning really old stuff. I am asking myself :

a) Why do they remember me ?
b) How do you remember me ?

My new vaporware is there my friend :

http://www.invea-tech.com
http://www.cognitivesecurity.cz

Sponsored by the US Army, 10 years of R&D ;) !

Best Regards,

Guillaume FORTAINE
Re: CSIRT - Backbone Security : Runtime Monitoringand DynamicReconfiguration for Intrusion Detection Systems
This is really not funny. Especially coming from a monkey with a fixurpc pattern in his email address.

My friend, I believe that I can give you a serious course in Computer Architecture ;) !

Best Regards,

Guillaume FORTAINE

On 03/18/2010 03:11 AM, Joe wrote:

Ok, off topic, but hey, it's St. Patrick's day, gotta have a laugh.

off_topic_sarcasm
His responses remind me of this fellow in Nigeria. He (Prince Tatobany) really needed my help, and thankfully I was there to lend a hand. Hopefully someone will help him out with his endeavors and his spam ^h^h^h^h information.
/off_topic_sarcasm

Regards,
-Joe

-----Original Message-----
From: Guillaume FORTAINE [mailto:gforta...@live.com]
Sent: Wednesday, March 17, 2010 9:54 PM
To: nanog@nanog.org
Subject: Re: CSIRT - Backbone Security : Runtime Monitoringand DynamicReconfiguration for Intrusion Detection Systems

Misses, Misters,

There are people who know my name but theirs isn't familiar to me. Especially, they are mentioning really old stuff. I am asking myself :

a) Why do they remember me ?
b) How do you remember me ?

My new vaporware is there my friend :

http://www.invea-tech.com
http://www.cognitivesecurity.cz

Sponsored by the US Army, 10 years of R&D ;) !

Best Regards,

Guillaume FORTAINE

On 03/18/2010 03:01 AM, George Imburgia wrote:

On Thu, 18 Mar 2010, Michael Sokolov wrote:

His habit of addressing everyone as Mister is peculiar indeed, but maybe he is really just very new to the customs and conventions of the Anglophone Internet community?

Probably not. He has been trolling techie lists for a few years. Some of his previous vaporware projects included designing a new cell phone, and a secure OS. Not sure what his motivation is. He usually wants people to donate knowledge and time to his projects, which never go anywhere.
RE: CSIRT - Backbone Security : Runtime Monitoring and DynamicReconfiguration for Intrusion Detection Systems
Do you have any concern against fat dudes ?

Best Regards,

Guillaume FORTAINE

From: charles.chu...@harris.com
To: char...@knownelement.com; gforta...@live.com; nanog@nanog.org
Date: Wed, 17 Mar 2010 20:42:49 -0400
Subject: Re: CSIRT - Backbone Security : Runtime Monitoring and DynamicReconfiguration for Intrusion Detection Systems

isn't Obeseus the Greek god of fat dudes?

----- Original Message -----
From: char...@knownelement.com
To: Guillaume FORTAINE ; nanog@nanog.org
Sent: Wed Mar 17 20:18:40 2010
Subject: Re: CSIRT - Backbone Security : Runtime Monitoring and DynamicReconfiguration for Intrusion Detection Systems

Mods,

Can we get the spam off the list? It's getting old.

------Original Message------
From: Guillaume FORTAINE
To: nanog@nanog.org
Subject: CSIRT - Backbone Security : Runtime Monitoring and DynamicReconfiguration for Intrusion Detection Systems
Sent: Mar 17, 2010 5:14 PM

Misses, Misters,

Let me introduce myself : Guillaume FORTAINE, Engineer in Computer Science.

My partners, INVEA-TECH (please see the attached file invea.pdf) [0] and Cognitive Security (please see the attached file cs.pdf) [1], and I are currently working on High-Speed Network Security Solutions.

By the way, we would be glad to invite you to read the publication entitled Obeseus – a lightweight DDOS detector for big attacks (please see the attached file obeseus2.pdf). The point mentioned in this publication, Would be self-learning with black lists, is of particular interest. We think that this last one is pretty much the core of a system that does big attack detection on backbones and is driving the new tools in this area according to our readings. The abilities to be assisted on the learning phase, to detect and block zero-day attacks.

That's why we would be glad to invite you to read further about our methodology (please see the attached files paper4.pdf, Camnep.pdf and CognitiveSecurity.pdf).

For a demo : http://demo.cognitivesecurity.cz/

We look forward to your answer,

Best Regards,

Guillaume FORTAINE
Tel : +33(0)631092519
Mail : gforta...@gfortaine.biz
Google Wave : gforta...@googlewave.com

[0] http://www.invea-tech.com/
[1] http://www.cognitivesecurity.cz/
Re: NEED ANY LINK OR SAMPLE TEMPLATE FOR ROUTINE NETWORK (ISP) MAINTENANCE PLAN
Dear Mister Vadivel,

First of all, it would be more enjoyable if you didn't write the title of your email in capital letters. People will assimilate this as spam.

Moreover, I have already asked myself if you were serious in your post about clean pipes. A two-second search on Google was enough to provide you the needed replies.

According to your Linkedin profile [1], you are a network consultant. This post is more than questionable. What are you paid for ?

I suppose that Mister Lenton laughed so as not to tell you that he will not do your homework for free, like everybody on this mailing-list.

On my side, I simply find this pathetic.

Good luck :) !

Best Regards,

Guillaume FORTAINE

[1] http://in.linkedin.com/pub/sakthi-vadivel/b/895/a79

On 03/16/2010 10:07 AM, Christopher Lenton wrote:

Bahahahahaha.

On 16 March 2010 20:03, sakthi vadivel <sakthivadivel.c...@gmail.com> wrote:

Hi all,

If someone has come across this topic, Network / preventive maintenance plan, please offer me some url to obtain more info on this.

Regards,
sakthi
Re: NEED ANY LINK OR SAMPLE TEMPLATE FOR ROUTINE NETWORK (ISP) MAINTENANCE PLAN
Let's use Google Caffeine : http://209.85.225.103/

Best Regards,

Guillaume FORTAINE

On 03/16/2010 11:22 AM, Mark Smith wrote:

On Tue, 16 Mar 2010 15:48:21 +0530 Suresh Ramasubramanian <ops.li...@gmail.com> wrote:

If you want to search for something - use google http://www.google.co.in/search?hl=en&q=routine+network+maintenance+plan&sourceid=navclient-ff&rlz=1B3GGGL_enIN311IN311&ie=UTF-8

A better version - http://tinyurl.com/yen2722

If you want to ask specific questions, use nanog, or as you're in the asiapac region, use sanog. Before you ask questions, show your work .. say what you have done, what you plan to do, and what question you have based on that.

On Tue, Mar 16, 2010 at 3:44 PM, sakthi vadivel <sakthivadivel.c...@gmail.com> wrote:

.It doesn't mean that we have a title that every one knows everything...First of all , i am not a document specialist, i come across some requirement where i need to search for ...that is what all other people do..

--
Suresh Ramasubramanian (ops.li...@gmail.com)
Re: OBESEUS - A new type of DDOS protector
Dear Mister Dobbins,

Thank you for your reply.

Flow telemetry has demonstrated its extraordinary utility to network operators worldwide over the last decade, and continued advances such as Cisco's Flexible NetFlow and the IETF IPFIX/PSAMP effort signify that this is the broad consensus of the operational community.

What about Argus ? [1] http://qosient.com/argus/

Layer-7 attacks against various types of services/apps can achieve significant amplification effects and disproportionate impact, are increasing in frequency and impact, and therefore must be addressed by any operationally viable solution in this space.

https://www.dpacket.org/

I believe that an effective and operationally useful open-source solution for basic DDoS detection/classification/traceback/mitigation can be implemented using existing widely-used and -understood tools/techniques as described here: http://mailman.nanog.org/pipermail/nanog/2010-January/016747.html

My partners and I are working on a Flow Based Security Awareness Framework for High-Speed Networks.

http://docs.google.com/viewer?url=http://www.vabo.cz/spi/2009/presentations/03/02-celeda_rehak_CAMNEP_no_video.pdf

For a demo : http://demo.cognitivesecurity.cz/

I look forward to your answer,

Best Regards,

Guillaume FORTAINE

[1] https://tools.netsa.cert.org/wiki/download/attachments/10027010/Bullard_IntroductionToArgus.pdf?version=1&modificationDate=1263221338000
Re: OBESEUS - A new type of DDOS protector
Dear Mister Dobbins,

Thank you for your reply.

Argus is OK, but I believe that it mainly relies upon packet capture - it does now support NetFlow v5, and v9 support as well as support for Juniper flow telemetry and others is supposed to be coming.

Argus is a superset of Netflow [1]. It's a *better* Netflow :

http://docs.google.com/viewer?url=http://www.cert.org/flocon/2009/presentations/Bullard_ControlPlane.pdf

I've personally not played with Argus and NetFlow; nfdump/nfsen is a useful open-source NetFlow collection/analysis system.

There is also Psyche from Pontetec that is a better nfsen : http://psyche.pontetec.com/

My partners and I are working on a Flow Based Security Awareness Framework for High-Speed Networks.

http://docs.google.com/viewer?url=http://www.vabo.cz/spi/2009/presentations/03/02-celeda_rehak_CAMNEP_no_video.pdf

For a demo : http://demo.cognitivesecurity.cz/

It's always good to see folks motivated to work on solutions they believe will benefit the community at large.

Thank you. The question is : Who are the people interested in our work ?

Best Regards,

Guillaume FORTAINE

[1] http://www.qosient.com/argus/argusnetflow.htm
Re: OBESEUS - A new type of DDOS protector
Dear Mister Wyble,

Thank you for your reply.

On 03/15/2010 07:00 AM, Charles N Wyble wrote:

The paper is pretty high level, and the software doesn't appear to be available for download.

http://www.loud-fat-bloke.co.uk/obeseus.html
http://www.loud-fat-bloke.co.uk/tools/obeseusvB.tar.gz

So it's kinda theoretical.

We have it running in parallel with a commercial product and it detects the following attacks
▪ SYN floods
▪ RST floods
▪ ICMP floods
▪ General UDP floods
▪ General TCP floods

Best Regards,

Guillaume FORTAINE
Re: OBESEUS - A new type of DDOS protector
Dear Mister Jain,

Thank you for your reply.

You are speaking about EDoS (Economic Denial of Sustainability). Please see the following article:

http://www.rationalsurvivability.com/blog/?s=EDos

> Consider a new take on an old problem based on ecommerce: Click-fraud. I frame this new embodiment as something called EDoS — economic denial of sustainability.
>
> Distributed Denial of Service (DDoS) attacks are blunt force trauma. The goal, regardless of motive, is to overwhelm infrastructure and remove from service a networked target by employing a distributed number of attackers. An example of DDoS is where a traditional botnet is activated to swarm/overwhelm an Internet connected website using an asynchronous attack which makes the site unavailable due to an exhaustion of resources (compute, network, or storage.)
>
> EDoS attacks, however, are death by a thousand cuts. EDoS can also utilize distributed attack sources as well as single entities, but works by making legitimate web requests at volumes that may appear to be “normal” but are done so to drive compute, network, and storage utility billings in a cloud model abnormally high.
>
> An example of EDoS as a variant of click fraud is where a botnet is activated to visit a website whose income results from ecommerce purchases. The requests are all legitimate but purchases are never made. The vendor has to pay the cloud provider for increased elastic use of resources but revenue is never recognized to offset them.
>
> We have anti-DDoS capabilities today with tools that are quite mature. DDoS is generally easy to spot given huge increases in traffic. EDoS attacks are not necessarily easy to detect, because the instrumentation and business logic is not present in most applications or stacks of applications and infrastructure to provide the correlation between “requests” and “successful transactions.” In the example above, increased requests may look like normal activity.
>
> Many customers do not invest in this sort of integration and Cloud providers generally will not have visibility into applications that they do not own.

Best Regards,

Guillaume FORTAINE

On 03/15/2010 06:04 PM, Deepak Jain wrote:
> At first blush, I would say it's an interesting idea but won't actually resolve anything of the scariest DDOS attacks we've seen. (Unless I've missed something obvious about your doodle).
>
> The advantage/disadvantage of 100,000+ host drone armies is that they don't actually *have* to flood you, per se. 10 pps (or less) each and you are going to crush almost everything without raising any alarms based on statistically significant patterns especially based on IPs. Fully/properly formed HTTP port 80 requests to / won't set off any alarms since each host is opening 1 or 2 connections and sending keepalives after that. If you forcibly close the connection, it can wait 5 seconds or 15 minutes before it reopens, it doesn't really care.
>
> Anything that hits you faster than that is certainly obnoxious, but MUCH easier to address simply because they are being boring.
>
> You *can* punt those requests that are all identical to caches/proxies/IDS/Arbor/what have you and give higher priority to requests that show some differences from them... but you are still mostly at the mercy of serving them unless you *can* learn something about the originator/flow/pattern -- which might get you into a state problem.
>
> Where this might work is if you are a large network that only serves one sort of customer and you'd rather block rogue behavior than serve it (at the risk of upsetting your 1% type customers). This would work for that. Probably good at stomping torrents and other things as well.
>
> Best,
>
> Deepak
>
> -----Original Message-----
> From: Guillaume FORTAINE [mailto:gforta...@live.com]
> Sent: Monday, March 15, 2010 2:57 AM
> To: nanog@nanog.org
> Subject: Re: OBESEUS - A new type of DDOS protector
>
> Dear Mister Wyble,
>
> Thank you for your reply.
>
> On 03/15/2010 07:00 AM, Charles N Wyble wrote:
> > The paper is pretty high level, and the software doesn't appear to be available for download.
>
> http://www.loud-fat-bloke.co.uk/obeseus.html
> http://www.loud-fat-bloke.co.uk/tools/obeseusvB.tar.gz
>
> > So it's kinda theoretical.
>
> We have it running parallel with a commercial product and it detects the following attacks:
>
> ▪ SYN floods
> ▪ RST floods
> ▪ ICMP floods
> ▪ General UDP floods
> ▪ General TCP floods
>
> Best Regards,
>
> Guillaume FORTAINE
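Two detection points come up in this exchange: Deepak Jain's observation that a diffuse botnet can stay under any per-IP threshold while still exceeding the service's capacity, and the EDoS article's point that only correlating requests with successful transactions reveals request volume that "looks normal". The following added example (not code from any poster, nor from the Obeseus project) runs three checks over a constructed request log; the traffic mix, per-source limit, capacity figure and baseline conversion rate are all assumed values.

```python
from collections import Counter

# Assumed operator thresholds (constructed for this example, not from the thread).
PER_SRC_LIMIT = 50          # req/s above which a per-IP rate limiter would act
CAPACITY = 300              # req/s the web tier can actually serve
BASELINE_CONVERSION = 0.05  # purchases per request observed in normal weeks


def make_window(seconds=10, bots=500):
    """Constructed log: (second, src_ip, purchased) tuples.

    20 real customers send 2 req/s each and 10% of their requests buy
    something; `bots` hosts each send 1 req/s of well-formed GET / and
    never buy.  Every source stays far below PER_SRC_LIMIT.
    """
    records = []
    for t in range(seconds):
        for i in range(20):
            records.append((t, f"10.0.0.{i}", (t + i) % 10 == 0))
            records.append((t, f"10.0.0.{i}", False))
        for b in range(bots):
            records.append((t, f"10.200.{b // 256}.{b % 256}", False))
    return records


def per_source_alerts(records, seconds):
    """Classic per-IP rate check: the only detector most stacks have."""
    counts = Counter(src for _, src, _ in records)
    return sorted(src for src, n in counts.items() if n / seconds > PER_SRC_LIMIT)


def aggregate_rate(records, seconds):
    """Total req/s regardless of source: what the server actually feels."""
    return len(records) / seconds


def conversion_ratio(records):
    """Purchases per request: the request-vs-transaction correlation
    the EDoS article says is usually missing."""
    purchases = sum(1 for _, _, bought in records if bought)
    return purchases / len(records)


def assess(records, seconds):
    rps = aggregate_rate(records, seconds)
    conv = conversion_ratio(records)
    return {
        "per_source_alerts": per_source_alerts(records, seconds),  # stays empty
        "aggregate_rps": rps,
        "over_capacity": rps > CAPACITY,                # diffuse flood still seen
        "conversion": conv,
        "edos_suspect": conv < BASELINE_CONVERSION / 2,  # volume without revenue
    }
```

With `bots=0` every check is quiet; with 500 bots the per-IP detector still reports nothing, while the aggregate rate (540 req/s against a 300 req/s capacity) and the collapsed conversion ratio both flag the window.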
Re: OBESEUS - A new type of DDOS protector
Dear Mister Morrow,

Thank you for your reply.

To quote:

> The advantage/disadvantage of 100,000+ host drone armies is that they don't actually *have* to flood you, per se. 10 pps (or less) each and you are going to crush almost everything without raising any alarms based on statistically significant patterns especially based on IPs. Fully/properly formed HTTP port 80 requests to / won't set off any alarms since each host is opening 1 or 2 connections and sending keepalives after that. If you forcibly close the connection, it can wait 5 seconds or 15 minutes before it reopens, it doesn't really care.
>
> Anything that hits you faster than that is certainly obnoxious, but MUCH easier to address simply because they are being boring.

From my point of view, it seems similar to the EDoS concept:

http://www.rationalsurvivability.com/blog/?s=EDos

> EDoS attacks, however, are death by a thousand cuts. EDoS can also utilize distributed attack sources as well as single entities, but works by making legitimate web requests at volumes that may appear to be “normal” but are done so to drive compute, network, and storage utility billings in a cloud model abnormally high.

Best Regards,

Guillaume FORTAINE

On 03/16/2010 02:47 AM, Christopher Morrow wrote:
> On Mon, Mar 15, 2010 at 9:44 PM, Guillaume FORTAINE <gforta...@live.com> wrote:
> > Dear Mister Jain,
> >
> > Thank you for your reply.
> >
> > You are speaking about EDoS (Economic Denial of Sustainability). Please see the following article:
> >
> > http://www.rationalsurvivability.com/blog/?s=EDos
> >
> > Consider a new take on an old problem based on ecommerce: Click-fraud.
>
> I actually deepak was just saying that if you diffuse the botnet enough you don't have to send more traffic from individual nodes than would be normally expected. In total they swamp the end service (potentially). There wasn't any discussion of clickfraud in his note.
Re: OBESEUS - A new type of DDOS protector
Misters,

Thank you for your reply.

1) First of all, I am absolutely not related to the Obeseus project. From my point of view, the interesting things were that:

a) This project was unknown.
http://www.google.com/search?q=obeseus+ddosbtnG=Searchhl=enesrch=FT1sa=2

b) This project comes from an ISP.
http://www.loud-fat-bloke.co.uk/links.html

c) Its code is Open Source.
http://www.loud-fat-bloke.co.uk/tools/obeseusvB.tar.gz

My conclusion is that I give far more credit to Obeseus than to Arbor Networks.

By the way, I am surprised that this post didn't generate more interest given the uninteresting babble that I have been forced to read in the past on the NANOG mailing-list from the so-called experts.

2) EDoS is a DDoS 2.0

DDoS is about malicious traffic. EDoS is malicious traffic engineered to look like legitimate traffic. However, the goal is the same: to obliterate the service infrastructure, to quote Mister Morrow.

3) I do my homework, something that doesn't seem to be the case for a lot of people on this mailing-list.

a) I would want to highlight the post of Tom Sands, Chief Network Engineer, Rackspace Hosting, entitled "DDoS mitigation recommendations" [1].

- It seems evident that he tried the Arbor solution, so the three Arbor++ mails don't make sense.
- About the fourth one: Sorry but RTFM
http://mailman.nanog.org/pipermail/nanog/2010-January/thread.html#16675
Best regards

Hey kid, Tom Sands subscribed nearly a decade ago on the NANOG mailing-list. When you went out of school, he was already dealing with DoS concerns:
http://www.mcabee.org/lists/nanog/Jan-02/msg00177.html

b) I am really asking myself how much credit I could give to a spam expert, Suresh Ramasubramanian, about a DDoS related post [2].

c) Mister Morrow, even if you are a Network Security engineer at Google [3] (morr...@google.com):

- You didn't provide any useful feedback on Obeseus.
- You totally missed the point on my other mails.

This is definitely disappointing. Is this mailing-list a joke?

Especially, where is Roland Dobbins?

Best Regards,

Guillaume FORTAINE

[1] http://mailman.nanog.org/pipermail/nanog/2010-January/016675.html
[2] http://www.hserus.net/
[3] http://www.linkedin.com/in/morrowc

On 03/16/2010 03:11 AM, Suresh Ramasubramanian wrote:
> I got your point. What I was saying is that what he calls EDoS (and I'm sure he'll say obliterating infrastructure is the ultimate form of an economic dos) is just what goes on ... You may or may not be able to overload the AWS infrastructure by too many queries but you sure as hell will blow the application out if that ddos isn't filtered .. edos again.
>
> On Tue, Mar 16, 2010 at 7:35 AM, Christopher Morrow <morrowc.li...@gmail.com> wrote:
> > eh.. I guess I'm splitting hairs. the goal of 100k bots sending 1 query per second to a service that you know can only sustain 50k queries/second is.. not to economically Dos someone, it's to obliterate their service infrastructure. Sure, you could ALSO target something hosted (for instance) at Amazon-AWS and increase costs by making lots and lots and lots of queries, but that wasn't the point of what Deepak wrote, nor what i corrected.
Re: OBESEUS - A new type of DDOS protector
Dear Mister Dobbins,

Thank you for your reply.

What do you think about Obeseus?

I look forward to your answer,

Best Regards,

Guillaume FORTAINE

On 03/16/2010 05:16 AM, Dobbins, Roland wrote:
> On Mar 16, 2010, at 10:47 AM, Guillaume FORTAINE wrote:
> > Especially, where is Roland Dobbins?
>
> At your service. ;>
>
> ---
> Roland Dobbins <rdobb...@arbor.net> // http://www.arbornetworks.com
>
> Injustice is relatively easy to bear; what stings is justice.
> -- H.L. Mencken
Re: OBESEUS - A new type of DDOS protector
Misters,

No comments?

http://docs.google.com/viewer?url=http://www.loud-fat-bloke.co.uk/obeseus2.pdf
http://docs.google.com/viewer?url=http://www.parliament.uk/documents/upload/F012Interoute121109.pdf
http://barometer.interoute.com/barom_main.php

I look forward to your answer,

Best Regards,

Guillaume FORTAINE

On 03/13/2010 12:05 AM, Guillaume FORTAINE wrote:
> Misters,
>
> Let me introduce myself: Guillaume FORTAINE, Engineer in Computer Science. I am currently working on High-Speed Network Security Solutions.
>
> DDoS is considered as The Mother of All Cyber Threats [1], therefore I have intensively studied this topic. By the way, I have read with interest the NANOG mails [2] [3] [4] and the Linkedin groups [5] [6] on this subject.
>
> Being an FPGA engineer, I approached this concern from an algorithmic point of view and that's why I would greatly appreciate to have your comments on this project, if possible, please:
>
> OBESEUS - A new type of DDOS protector [7]
> http://www.loud-fat-bloke.co.uk/obeseus2.pdf
>
> For a better overview of the background of the project, please see the following document:
>
> INQUIRY INTO EU POLICY ON PROTECTING EUROPE FROM LARGE SCALE CYBER-ATTACKS
> http://www.parliament.uk/documents/upload/F012Interoute121109.pdf
>
> I look forward to your answer,
>
> Best Regards,
>
> [1] http://events.linkedin.com/Webcast-DDoS-Mother-All-Cyber-Threats/pub/171074
> [2] http://mailman.nanog.org/pipermail/nanog/2009-November/014963.html
> [3] http://mailman.nanog.org/pipermail/nanog/2010-January/016675.html
> [4] http://mailman.nanog.org/pipermail/nanog/2010-January/017604.html
> [5] http://www.linkedin.com/groups?home=gid=2040519
> [6] http://www.linkedin.com/groups?home=gid=2632190
> [7] http://www.loud-fat-bloke.co.uk/obeseus.html
>
> Guillaume FORTAINE
> Tel : +33(0)631092519
OBESEUS - A new type of DDOS protector
Misters,

Let me introduce myself: Guillaume FORTAINE, Engineer in Computer Science. I am currently working on High-Speed Network Security Solutions.

DDoS is considered as The Mother of All Cyber Threats [1], therefore I have intensively studied this topic. By the way, I have read with interest the NANOG mails [2] [3] [4] and the Linkedin groups [5] [6] on this subject.

Being an FPGA engineer, I approached this concern from an algorithmic point of view and that's why I would greatly appreciate to have your comments on this project, if possible, please:

OBESEUS - A new type of DDOS protector [7]
http://www.loud-fat-bloke.co.uk/obeseus2.pdf

For a better overview of the background of the project, please see the following document:

INQUIRY INTO EU POLICY ON PROTECTING EUROPE FROM LARGE SCALE CYBER-ATTACKS
http://www.parliament.uk/documents/upload/F012Interoute121109.pdf

I look forward to your answer,

Best Regards,

[1] http://events.linkedin.com/Webcast-DDoS-Mother-All-Cyber-Threats/pub/171074
[2] http://mailman.nanog.org/pipermail/nanog/2009-November/014963.html
[3] http://mailman.nanog.org/pipermail/nanog/2010-January/016675.html
[4] http://mailman.nanog.org/pipermail/nanog/2010-January/017604.html
[5] http://www.linkedin.com/groups?home=gid=2040519
[6] http://www.linkedin.com/groups?home=gid=2632190
[7] http://www.loud-fat-bloke.co.uk/obeseus.html

Guillaume FORTAINE
Tel : +33(0)631092519