Re: Unusually High traffic from Akamai/Oracle - public-yum.oracle.com

2018-05-11 Thread Jonathan Roach
Hi James,

I've forwarded your email to the yum.oracle.com team internally; they've
acknowledged receipt and asked me to let the list know. Apologies for
the delay - I only noticed this thread today.

Kind regards,
Jon


On 09/05/18 20:48, James Stahr wrote:
> 
> 
> Hi,
> 
> Since I'm not a customer of either organization, I'm reaching out to
> NANOG for a contact and perhaps others may also be experiencing similar
> symptoms over the past 3-4 weeks.  The situation appears to be that
> customers of ours have Oracle Linux and when they attempt to download
> updates, their traffic goes through the roof for hours on end.  While
> researching this phenomenon, I found this discussion which coincides
> with the traffic I've seen, however there is no mention of excessive
> traffic resulting from this "corruption" nor have there been any
> additional reports:
> 
> https://community.oracle.com/thread/4138810
> 
> 
> Currently, I have two customer environments which are hitting about
> ~2Gb/s when normally their traffic levels are nearly zero.   At first I
> thought it was an isolated incident but then we observed the same issue
> with another customer.  All of this traffic is coming from
> 23.35.204.188:80, which belongs to Akamai.  Since that's somewhat of a
> dead end, we examined the hosts which are requesting the data from
> Akamai and found that they are all Oracle Linux boxes and it's a yum
> process on Oracle Linux which appears to be repeatedly downloading the
> same content for hours on end:
> 
> 
> [root@xyzzy noc]# netstat -plutan | grep :80
> tcp    0  0 172.16.122.112:14272    23.35.204.188:80
>    ESTABLISHED 58880/python
> [root@xyzzy noc]# ps auxww | grep python
> root 41015  0.0  0.3 401940 52044 ?    S    Apr30   0:02
> /usr/bin/python2 /usr/share/system-config-lvm/system-config-lvm.py
> root 58880 59.7  1.0 479680 164140 ?   R    18:24  27:18
> /usr/bin/python /usr/share/PackageKit/helpers/yum/yumBackend.py
> get-updates none
> 
> I can only assume that the data being downloaded is corrupt as this
> multiple hour download does not consume any disk space and because the
> file(s) are repeatedly downloaded, the logic behind the yum routines are
> also at fault for 1TB of
> 
> I don't expect anyone at Akamai to reach out to me since they are simply
> the middle man here, but I'm hoping that someone at Oracle will because
> the cost to Oracle for Akamai to deliver this junk traffic is not zero
> and I have a hard time seeing how this issue is isolated to our network.
> I'd also be interested to hear from anyone else who has been seeing
> traffic spikes from public-yum.oracle.com.
> 
> 
> -James Stahr

-- 



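The repeated-download pattern James describes (one yum helper pulling the same content from one Akamai address for hours) is easy to spot in proxy or flow logs once fetches are grouped by client, server and URL and counted within a time window. The Python below is an added example written for this page, not code from the original thread or from Oracle; the log format, the sample lines, the repo path and the thresholds are constructed assumptions.

```python
"""Flag hosts that keep re-fetching the same URL, the pattern described in the thread above.

Added example, not part of the original mailing-list post. The log format,
the sample lines, the repo path and the thresholds are constructed assumptions;
point parse_line() at your own proxy or flow export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<ISO time> <client> <server:port> <method> <url> <bytes>".
# The looping host re-fetches one 50 MiB file eight times in a few minutes; a
# second host performs a normal, single metadata refresh.
SAMPLE_LOG = """\
2018-05-09T18:24:01 172.16.122.112 23.35.204.188:80 GET /repo/EXAMPLE/repodata/repomd.xml 4096
2018-05-09T18:24:02 172.16.122.112 23.35.204.188:80 GET /repo/EXAMPLE/repodata/primary.xml.gz 52428800
2018-05-09T18:24:31 172.16.122.112 23.35.204.188:80 GET /repo/EXAMPLE/repodata/primary.xml.gz 52428800
2018-05-09T18:25:02 172.16.122.112 23.35.204.188:80 GET /repo/EXAMPLE/repodata/primary.xml.gz 52428800
2018-05-09T18:25:33 172.16.122.112 23.35.204.188:80 GET /repo/EXAMPLE/repodata/primary.xml.gz 52428800
2018-05-09T18:26:04 172.16.122.112 23.35.204.188:80 GET /repo/EXAMPLE/repodata/primary.xml.gz 52428800
2018-05-09T18:26:35 172.16.122.112 23.35.204.188:80 GET /repo/EXAMPLE/repodata/primary.xml.gz 52428800
2018-05-09T18:27:06 172.16.122.112 23.35.204.188:80 GET /repo/EXAMPLE/repodata/primary.xml.gz 52428800
2018-05-09T18:27:37 172.16.122.112 23.35.204.188:80 GET /repo/EXAMPLE/repodata/primary.xml.gz 52428800
2018-05-09T18:30:00 172.16.122.50 23.35.204.188:80 GET /repo/EXAMPLE/repodata/repomd.xml 4096
2018-05-09T18:30:01 172.16.122.50 23.35.204.188:80 GET /repo/EXAMPLE/repodata/primary.xml.gz 52428800
"""


def parse_line(line):
    """Split one constructed log line into a record dict."""
    ts, client, server, method, url, nbytes = line.split()
    return {"ts": datetime.fromisoformat(ts), "client": client, "server": server,
            "method": method, "url": url, "bytes": int(nbytes)}


def find_download_loops(lines, min_repeats=5, window=timedelta(minutes=10),
                        min_bytes=100 * 2**20):
    """Return one alert per (client, server, url) fetched at least min_repeats
    times within `window` while moving at least min_bytes in that window.

    Alert tuple: (client, server, url, repeats, bytes_in_window).
    """
    fetches = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rec = parse_line(line)
        if rec["method"] != "GET":
            continue
        fetches[(rec["client"], rec["server"], rec["url"])].append((rec["ts"], rec["bytes"]))

    alerts = []
    for key, evs in fetches.items():
        evs.sort()
        best = None
        j = 0
        for i in range(len(evs)):
            # Two-pointer sweep: j becomes the first event outside the window starting at i.
            while j < len(evs) and evs[j][0] - evs[i][0] <= window:
                j += 1
            repeats = j - i
            total = sum(b for _, b in evs[i:j])
            if repeats >= min_repeats and total >= min_bytes and (best is None or repeats > best[0]):
                best = (repeats, total)
        if best is not None:
            alerts.append(key + best)
    return alerts


if __name__ == "__main__":
    for client, server, url, repeats, total in find_download_loops(SAMPLE_LOG.splitlines()):
        print(f"{client} fetched {url} from {server} {repeats}x ({total / 2**20:.0f} MiB) in one window")
```

Keying on the URL rather than on the server address is what separates a client stuck in a retry loop from a client that is legitimately busy: the busy client touches many objects once, the stuck client touches one object many times. The byte threshold keeps tiny metadata polls from alerting.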
Re: Please run windows update now

2017-05-15 Thread Jonathan Roach
Microsoft aren't stupid. They have learned lessons from the days in the
90s and early 2000s when they were a laughing stock in terms of
security, and since then Windows security has improved enormously. OK,
so it's not perfect, but what software is? Dirty Cow, Shellshock and
Heartbleed for example weren't exactly minor flaws, but the world moved on.

What's key is that administrators need to know how to secure their
estates. If they've failed to apply the patch, that's their failure, not
Microsoft's, but patching was not the only way to have curtailed this
weekend's outbreak. Admins may have had their reasons for not patching -
maybe to do so would have invalidated some kind of certification on an
embedded system for example - but there should have been other controls
in place to limit the spread of this outbreak or others like it.

Something that's puzzled me about events this weekend is that hardly
anyone is mentioning firewalling. Servers generally need ports
135-139/445 to be accessible in order to act as, well, servers - but
workstations don't. Why aren't people - even cash-starved organisations
like the NHS - using the Windows firewall to protect at least their
workstations on an ongoing basis? How did this infection spread between
organisations without being stopped by a border firewall at any point?
Was nothing learned from the Blaster days? (I don't have the answer.)

Although the malware was probably injected into multiple organisations
in numerous countries via multiple phishing attacks, the spread as
reported seemed too fast between organisations and countries for it to
have been driven by phishing attacks alone, and I haven't seen any
reports showing people how to spot the phishing attempts. So I'm
guessing a lot of the propagation even between orgs was by MS17-010.

It would be interesting to find out if anyone saw unusual spikes in SMB
traffic over the weekend? Or if there are insights into any of the
semi-rhetorical questions I posed above?

Cheers,
Jon
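Two of the questions above can be answered from flow data: whether any host fanned out to many SMB peers in a short window, and how much traffic reached workstations on the ports a workstation host firewall should be refusing. The Python below is an added example written for this page, not part of the original post; the flow record format, the sample traffic, the workstation subnet and the thresholds are constructed assumptions.

```python
"""Two checks on flow records that bear on the SMB questions in the post above:
which hosts fan out to many SMB peers in a short window, and which flows reach
workstations on the ports a workstation host firewall should be refusing.

Added example, not part of the original post. The flow format, the sample
records, the subnet roles and the thresholds are constructed assumptions.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Ports named in the post. 135/139/445 are TCP; 137 and 138 are the UDP NetBIOS
# name and datagram services.
SMB_PORTS = {135, 137, 138, 139, 445}
# Assumption: this VLAN holds only workstations, which never need inbound SMB.
WORKSTATION_NETS = [ipaddress.ip_network("10.20.0.0/16")]


def is_workstation(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WORKSTATION_NETS)


def parse_flows(text):
    """Parse constructed records of the form '<ISO time> <src> <dst> <proto> <dport> <bytes>'."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport, nbytes = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                      "proto": proto, "dport": int(dport), "bytes": int(nbytes)})
    return flows


def build_sample_flows():
    """Constructed traffic: one workstation sweeps its own /24 on 445 within a
    minute (what an SMB worm looks like in flow data), another does ordinary
    file-server access, and a server opens an SMB session back to a workstation."""
    lines = []
    for i, host in enumerate(h for h in range(1, 32) if h != 17):
        lines.append(f"2017-05-12T10:00:{i:02d} 10.20.4.17 10.20.4.{host} tcp 445 1500")
    lines.append("2017-05-12T10:00:05 10.20.4.50 10.1.0.5 tcp 445 20480")  # workstation -> file server
    lines.append("2017-05-12T10:00:40 10.1.0.5 10.20.4.50 tcp 445 3000")   # server -> workstation
    lines.append("2017-05-12T10:00:41 10.20.4.50 10.1.0.9 tcp 443 9000")   # unrelated HTTPS
    return "\n".join(lines)


def smb_fanout(flows, window_seconds=60, min_targets=20):
    """Distinct SMB destinations per source within fixed time windows; returns
    {src: max_distinct_targets} for sources reaching min_targets in one window."""
    targets = defaultdict(set)
    epoch = datetime(1970, 1, 1)
    for f in flows:
        if f["dport"] not in SMB_PORTS:
            continue
        bucket = int((f["ts"] - epoch).total_seconds()) // window_seconds
        targets[(f["src"], bucket)].add(f["dst"])
    result = {}
    for (src, _), dsts in targets.items():
        if len(dsts) >= min_targets:
            result[src] = max(result.get(src, 0), len(dsts))
    return result


def inbound_smb_to_workstations(flows):
    """Flows that a block-inbound-SMB rule on the workstation host firewall would drop."""
    return [(f["src"], f["dst"], f["proto"], f["dport"])
            for f in flows if f["dport"] in SMB_PORTS and is_workstation(f["dst"])]


if __name__ == "__main__":
    flows = parse_flows(build_sample_flows())
    print("SMB fan-out per source:", smb_fanout(flows))
    print("flows a workstation firewall would drop:", len(inbound_smb_to_workstations(flows)))
```

Every flow in the second list is one that a host-firewall rule refusing inbound 135-139/445 on the workstation VLAN would have dropped, which is the control the post argues was missing; the fan-out list is the flow-level signature of the sweep behaviour that such a rule contains. Legitimate workstation-to-file-server SMB (the 10.20.4.50 to 10.1.0.5 flow) appears in neither list.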