Re: Should ISP block child pornography?

2018-12-11 Thread Lotia, Pratik M
Thank you everybody for sharing your views. I think I've got a clear answer. 
It's better to not go down this slippery path.

With Gratitude,
 
Pratik Lotia  
 
“Security is like legos. You can build pretty much whatever you want if you 
have a clear vision of the final product and the skill to put the pieces 
together correctly.”

On 12/11/18, 12:27, "NANOG on behalf of Max Tulyev" 
 wrote:

Yes, in some countries (NOT in the US, AFAIK) a court can issue an order to
block an IP/domain/URL.

If the criminal's home operator is blocking direct access, he has to
use TOR/VPN/... to avoid the blocking (or maybe you really believe he will
just stop trying to watch his lovely CP?)

If he uses TOR/VPN/... to avoid the blocking, the original home IP address
will be replaced by the exit node of TOR/VPN, and we will lose any
chance to catch the criminal.

Is it clear?

11.12.18 21:06, John Lee пише:
> It is my understanding that ISPs block IP addresses and domains under
> court order now for copyright violations and criminal activity, which would
> include CP. They require a court order as they cannot ascertain if it is
> CP or not; that is a Law Enforcement decision. The US Supreme Court's
> decision was that just being nude is not lewd; also, with aging software
> which can regress photos, LEOs in the US have to ascertain if this is CP
> or photoshopped.
> 
> On Tue, Dec 11, 2018 at 12:54 PM Max Tulyev wrote:
> 
> ...and you will see the TOR exit nodes instead of crime home IP if
> censorship is implemented.
> 
> 11.12.18 19:35, Aaron1 пише:
> > ... The only thing I can think of is the idea that I’ve heard
> > before is the way to catch someone is to watch them while they are
> > accessing; the concept of honeypots comes to mind
> >
> > Aaron
> >
> > On Dec 11, 2018, at 10:43 AM, Larry Allen wrote:
> >
> >> I can't imagine a single rational argument against this. 
> >>
> >> On Tue, Dec 11, 2018, 10:56 William Anderson wrote:
> >>
> >> On Fri, 7 Dec 2018 at 06:08, Lotia, Pratik M wrote:
> >>
> >> Hello all, was curious to know the community’s opinion on
> >> whether an ISP should block domains hosting CPE (child
> >> pornography exploitation) content? Interpol has a ‘worst-of’
> >> list which contains such domains and it wants ISPs to
> >> block it.
> >>
> >>
> >> This already happens in the UK, and has done for years.
> >>
> >> https://en.wikipedia.org/wiki/Child_abuse_image_content_list 
> >>
> >>
> >> -n
> >>
> 


E-MAIL CONFIDENTIALITY NOTICE: 
The contents of this e-mail message and any attachments are intended solely for 
the addressee(s) and may contain confidential and/or legally privileged 
information. If you are not the intended recipient of this message or if this 
message has been addressed to you in error, please immediately alert the sender 
by reply e-mail and then delete this message and any attachments. If you are 
not the intended recipient, you are notified that any use, dissemination, 
distribution, copying, or storage of this message or any attachment is strictly 
prohibited.


Re: Should ISP block child pornography?

2018-12-07 Thread Lotia, Pratik M
Very well explained, Max!


With Gratitude,
Pratik Lotia
 
“Information is not knowledge.”

On 12/7/18, 13:16, "NANOG on behalf of na...@jack.fr.eu.org" 
 wrote:

Well said


On 12/07/2018 07:48 PM, Max Tulyev wrote:
> Hi All,
> 
> we are fighting with censorship in our country. So I have something to say.
> 
> First, censorship is not just "switch off this website and that
> webpage". No magic button exists. It is more complex if you think of it
> as a whole system.
> 
> Initially, networks were built without systems (hardware and software)
> that can block something.
> 
> Yes, you may nullroute some IP with some site, but as collateral
> damage you will block part of Cloudflare or Amazon, for example. So you
> have to buy and install additional equipment and software to do it a bit
> less painfully. That's not so cheap; it should be planned, bought,
> installed, checked, and personnel should be trained. After that, your
> system will be capable of blocking some website for the ~90% of your
> customers who will not proactively avoid blocking. And for *NONE* of those
> who will, as CP addicts, terrorists, black markets, gambling, porn and
> others do.
> 
> Yep. Now your network is capable of censoring something. You just made the
> first step to hell. What's next? Some people send you some websites
> to ban. This list with CP, Spamhaus DROP, some court orders, some
> semi-legal copyright protectors' orders, some "we just want to block it"
> requests... And some list entries become outdated from time to time,
> so you need to clean it from time to time. Do not even expect the people
> who sent you the block request to send you an unblock request, of course.
> Then, we have >6000 ISPs in our country - it is not possible to interact
> with all of them directly.
> 
> So, you end up under a lot of papers, random interactions with random
> people and an outdated and desynchronized blocking list. It will not work.
> 
> Next, the government realizes there should be one centralized blocking list
> and introduces it.
> 
> Ok. Now we have a censored Internet. THE SWITCH IS ON.
> 
> In a very short time the number of organizations that have permission to
> insert something into the list dramatically increases. Corruption rises;
> it becomes possible, and then becomes cheap, to put your competitor's
> website into the list for some time. And of course, the primary target of
> any censorship is the elections...
> 
> What about CP and porn addicts, gamblers, killers, terrorists? Surprise,
> they are even better off than at the beginning! Why? Because they learned
> VPN and TOR and have to use them! Investigators end up with TOR and VPN exit
> IP addresses from other countries instead of their home IPs.
> 
> Hey. It is a very very bad and very very dangerous game. Avoid it.
> The goal of that game is to SWITCH ON that system FOR ANY REASON. CP, war,
> gambling - any reason that will work. After the system is switched
> on - in several months you will forget the initial reason. And you will
> awake in another world.
> 
> 07.12.18 08:06, Lotia, Pratik M пише:
>> Hello all, was curious to know the community’s opinion on whether an ISP
>> should block domains hosting CPE (child pornography exploitation)
>> content? Interpol has a ‘worst-of’ list which contains such domains and
>> it wants ISPs to block it.
>>
>> On one side we want the ISP to not do any kind of censorship or
>> inspection of customer traffic (customers are paying for pipes – not for
>> filtered pipes), on the other side morals/ethics come into play. Keep in
>> mind that if an ISP is blocking it would mean that it is also logging
>> the information (source IP) and law agencies might be wanting access to 
it.
>>
>>  
>>
>> Wondering if any operator is actively doing it or has ever considered
>> doing it?
>>
>>  
>>
>> Thanks.
>>
>>  
>>
>>  
>>
>> With Gratitude,
>>
>> * *
>>
>> *Pratik Lotia*  
>>
>>  
>>
>> “Information is not knowledge.”
>>

Re: Should ISP block child pornography?

2018-12-07 Thread Lotia, Pratik M
>>What is “ROKSO's DROP list” ?

ROKSO:
The Register of Known Spam Operations database is a depository of information 
and evidence on known persistent spam operations, assembled to assist service 
providers with customer vetting and the Infosec industry with Actor Attribution.

Spamhaus (https://www.spamhaus.org) provides a 'DROP' list which is a list of 
domains which are hijacked or leased by professional spam operations. As per 
them this is Not a list of just 'suspicious' domains - they are 100% sure that 
these are bad domains and one should not peer with them or have a route to them.


With Gratitude,
 
Pratik Lotia 
 
“Information is not knowledge.”

On 12/7/18, 11:47, "NANOG on behalf of Aaron1"  wrote:

What is “ROKSO's DROP list” ?

Aaron

> On Dec 7, 2018, at 8:57 AM, John Von Essen  wrote:
> 
> ROKSO's DROP list





Re: Should ISP block child pornography?

2018-12-07 Thread Lotia, Pratik M
>> The only issue with blocking domains of CPE is I imagine those domains
>> change all the time as they get shut down; if you block the IP
>> (from domain lookup) it's likely that IP may be legitimate in the future.

The list would be updated daily/weekly. The ACLs would have to be updated 
accordingly – this can be automated. This way no stale entries are present.

With Gratitude,


Pratik Lotia

From: NANOG  on behalf of John Von Essen 

Date: Friday, December 7, 2018 at 08:59
To: "nanog@nanog.org" 
Subject: Re: Should ISP block child pornography?


I block stuff all the time (like ROKSO's DROP list). The only issue with 
blocking domains of CPE is I imagine those domains change all the time as they 
get shut down; if you block the IP (from domain lookup) it's likely that IP may 
be legitimate in the future.

It should be stopped at the DNS level, but even that has workarounds. I 
would think CPE is a violation of the terms of "most" registrars.

-John
On 12/7/18 1:06 AM, Lotia, Pratik M wrote:
Hello all, was curious to know the community’s opinion on whether an ISP should 
block domains hosting CPE (child pornography exploitation) content? Interpol 
has a ‘worst-of’ list which contains such domains and it wants ISPs to block it.
On one side we want the ISP to not do any kind of censorship or inspection of 
customer traffic (customers are paying for pipes – not for filtered pipes), on 
the other side morals/ethics come into play. Keep in mind that if an ISP is 
blocking it would mean that it is also logging the information (source IP) and 
law agencies might be wanting access to it.

Wondering if any operator is actively doing it or has ever considered doing it?

Thanks.


With Gratitude,

Pratik Lotia

“Information is not knowledge.”
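The thread's two practical objections are that IPs named by a blocklist get reused by legitimate hosts, and that a manually maintained ACL accumulates stale entries. The following is an added example (not code from the thread, from Charter, or from any operator named here) of the reconciliation step Pratik describes: the refreshed list is the only authority, anything it no longer carries is unblocked in the same run, and the block is expressed at the DNS layer as an RPZ fragment rather than as IP ACL lines. The list format, the RPZ rendering and the domain names in sample_lists() are assumptions and constructed placeholders.

```python
"""Reconcile a refreshed domain blocklist against the deployed one and emit RPZ.

Added example; this is not code from the thread or from any operator named in it.
It models the point made above: the list is refreshed on a schedule, entries
absent from the latest refresh are dropped automatically, and blocking is done
on the domain (DNS RPZ) rather than on the IP the domain happened to resolve to,
since that IP may be reused by a legitimate host later.

Assumptions (not from the thread): list format is one domain per line with '#'
comments; RPZ rendering uses the conventional 'CNAME .' NXDOMAIN action; the
domain names used in sample_lists() are constructed placeholders.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


def parse_blocklist(text: str) -> set[str]:
    """Normalise and validate a one-domain-per-line list.

    Lower-cases and strips a trailing dot, ignores comments and blank lines, and
    rejects IP literals and single-label names: an IP in a *domain* list is the
    stale-address problem discussed above, and a bare TLD would block far too much.
    """
    domains: set[str] = set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip().lower().rstrip(".")
        if not entry:
            continue
        try:
            ipaddress.ip_address(entry)
            continue  # IP literal: skip, this list blocks domains only
        except ValueError:
            pass
        labels = entry.split(".")
        if len(labels) < 2 or not all(0 < len(lbl) <= 63 for lbl in labels):
            continue
        domains.add(entry)
    return domains


@dataclass(frozen=True)
class Reconciliation:
    add: frozenset[str]     # new in this refresh: start blocking
    remove: frozenset[str]  # gone from this refresh: stop blocking (no stale entries)
    keep: frozenset[str]    # unchanged


def reconcile(deployed: set[str], refreshed: set[str]) -> Reconciliation:
    """The refreshed list is the only authority: anything it no longer carries is
    unblocked, so an entry can never outlive the source's own decision to drop it."""
    return Reconciliation(
        add=frozenset(refreshed - deployed),
        remove=frozenset(deployed - refreshed),
        keep=frozenset(deployed & refreshed),
    )


def render_rpz(domains: set[str], serial: int) -> str:
    """Render an RPZ zone fragment. Each name and its subdomains get the
    'CNAME .' action, which RPZ-aware resolvers answer with NXDOMAIN."""
    lines = [
        "$TTL 300",
        f"@ SOA localhost. root.localhost. {serial} 3600 600 86400 300",
        "@ NS localhost.",
    ]
    for name in sorted(domains):
        lines.append(f"{name} CNAME .")
        lines.append(f"*.{name} CNAME .")
    return "\n".join(lines) + "\n"


def sample_lists() -> tuple[set[str], set[str]]:
    """Constructed previous and current refreshes (placeholder names)."""
    deployed = parse_blocklist(
        "# previous refresh\n"
        "blocked-one.example\n"
        "blocked-two.example\n"
    )
    refreshed = parse_blocklist(
        "blocked-two.example\n"
        "BLOCKED-THREE.example.   # case and trailing dot are normalised\n"
        "192.0.2.1                # IP literal: ignored\n"
        "example                  # single label: ignored\n"
    )
    return deployed, refreshed


if __name__ == "__main__":
    old, new = sample_lists()
    delta = reconcile(old, new)
    print("add:", sorted(delta.add), "remove:", sorted(delta.remove))
    print(render_rpz(new, serial=2018120701))
```

Running it against the constructed lists removes blocked-one.example and adds blocked-three.example in the same pass, which is the behaviour that keeps the deployed set equal to the source's current list. A real deployment would also bump the SOA serial from the refresh timestamp and keep the previous zone for rollback.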


Should ISP block child pornography?

2018-12-06 Thread Lotia, Pratik M
Hello all, was curious to know the community’s opinion on whether an ISP should 
block domains hosting CPE (child pornography exploitation) content? Interpol 
has a ‘worst-of’ list which contains such domains and it wants ISPs to block it.
On one side we want the ISP to not do any kind of censorship or inspection of 
customer traffic (customers are paying for pipes – not for filtered pipes), on 
the other side morals/ethics come into play. Keep in mind that if an ISP is 
blocking it would mean that it is also logging the information (source IP) and 
law agencies might be wanting access to it.

Wondering if any operator is actively doing it or has ever considered doing it?

Thanks.


With Gratitude,

Pratik Lotia

“Information is not knowledge.”


Re: Tata Scenic routing in LAX area?

2018-11-15 Thread Lotia, Pratik M
9498/Airtel seems to be leaking a lot of routes.

Source: https://bgpstream.com/

All Events for BGP Stream (as listed on bgpstream.com; every row is of event type
"BGP Leak" with Leaker AS: BHARTI Airtel Ltd. (AS 9498); the Country and End
time columns were empty, and the "More detail" links are omitted):

Origin AS                                                        Start time (UTC)
Etisalat Lanka (Pvt) Ltd. (AS 17470)                             2018-11-15 19:41:26
Bharti Airtel Lanka Pvt. Limited (AS 132045)                     2018-11-15 19:41:26
Antena3 S.A. (AS 47220)                                          2018-11-15 19:22:39
INDOSATM2 ASN (AS 4795)                                          2018-11-15 18:46:59
KANARTEL (AS 33788)                                              2018-11-15 18:33:09
FranTech Solutions (AS 53667)                                    2018-11-15 18:04:47
Pure Line Co. For Telecommunications & Internet Ltd. (AS 59458)  2018-11-15 18:04:05
Sepehr Ava Data Processing Company (LTD) (AS 51541)              2018-11-15 18:01:09




~Pratik Lotia

“Improvement begins with I.”


From: NANOG  on behalf of Marcus Josephson 

Date: Thursday, November 15, 2018 at 13:48
To: Christopher Morrow , "stillwa...@gmail.com" 

Cc: nanog list 
Subject: RE: Tata Scenic routing in LAX area?

I have tried to reach out to Airtel, no response yet, but yah I could see my 
issue being due to them leaking routes.


-Marcus

From: NANOG  On Behalf Of Christopher Morrow
Sent: Thursday, November 15, 2018 3:30 PM
To: stillwa...@gmail.com
Cc: nanog list 
Subject: Re: Tata Scenic routing in LAX area?


On Thu, Nov 15, 2018 at 3:21 PM Michael Still wrote:
FYI 29791 isn't the only origin I'm seeing this on from one point of view:
  AS path: 3257 6453 9498 4637
  AS path: 3257 6453 9498 4637 10310 26085 14210
  AS path: 3257 6453 9498 4637 20773 29066
  AS path: 3257 6453 9498 4637 2906
  AS path: 3257 6453 9498 4637 2906 40027
  AS path: 3257 6453 9498 4637 29791
  AS path: 3257 6453 9498 4637 30844
  AS path: 3257 6453 9498 4637 30844 36991
  AS path: 3257 6453 9498 4637 30844 38056 38056 38056
  AS path: 3257 6453 9498 4637 37468 37230
  AS path: 3257 6453 9498 4637 37468 37230 37230 37230
  AS path: 3257 6453 9498 4637 47869
  AS path: 3356 6453 9498 4637
  AS path: 3356 6453 9498 4637 1299 2906
  AS path: 3356 6453 9498 4637 1299 3491 20485 20485 4809 
49209
  AS path: 3356 6453 9498 4637 20773 29066
  AS path: 3356 6453 9498 4637 2906
  AS path: 3356 6453 9498 4637 29791
  AS path: 3356 6453 9498 4637 30844
  AS path: 3356 6453 9498 4637 30844 36991
  AS path: 3356 6453 9498 4637 30844 38056 38056 38056
  AS path: 3356 6453 9498 4637 37468 37230
  AS path: 3356 6453 9498 4637 37468 37230 37230 37230
  AS path: 3356 6453 9498 4637 47869

I'm not sure what is supposed to be there for 6453_9498 but I suspect not 
nearly as much as is currently present (only 4637 listed here for brevity).


huh... us-carrier -> tata -> airtel -> telstra .. that seems TOTALLY 
PLAUSIBLE.. no.



On Thu, Nov 15, 2018 at 2:53 PM John Weekes wrote:
Marcus,

From route-views output, it looks like AS9498/airtel is probably leaking your 
route between two of its upstreams (AS6453/Tata and AS4637/Telstra) overseas, 
funneling some of your traffic through their router.

route-views>sh ip bgp 23.92.178.22 | i 9498
  3356 6453 9498 4637 29791
  1403 6453 9498 4637 29791
  3549 3356 6453 9498 4637 29791
  19214 3257 6453 9498 4637 29791
  1403 6453 9498 4637 29791
  286 6453 9498 4637 29791
  53364 3257 6453 9498 4637 29791
  3257 6453 9498 4637 29791
  1239 6453 9498 4637 29791
  2497 6453 9498 4637 29791
  57866 6453 9498 4637 29791
  7660 2516 6453 9498 4637 29791
  701 6453 9498 4637 29791
  3561 209 6453 9498 4637 29791

You might try halting advertisements to your AS4637/Telstra peer while you 
contact AS9498.

-John
On 11/15/2018 10:43 AM, Marcus Josephson wrote:
Anyone else seeing an odd Scenic routing in the LAX/SJE area for tata.

traceroute t
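What John and Christopher are eyeballing in those paths is a valley: AS9498 learned the route from one provider (AS4637) and re-exported it to another (AS6453). The following is an added example, not tooling from the thread, that makes that check mechanical over the route-views style paths quoted above. The provider/customer and peer relationships are assumptions chosen to match the thread's reading of the paths (Tata and Telstra both upstream of Airtel, AS29791 a customer of Telstra, the vantage-point carriers peering with Tata); in practice they would come from CAIDA's AS-relationship dataset or your own peering records, and the third path is a constructed control case.

```python
"""Valley-free check over AS paths, to spot the leak discussed above.

Added example, not the thread's own tooling. Business relationships are
assumptions chosen to match the thread's reading of the paths (AS6453/Tata and
AS4637/Telstra both upstream of AS9498; AS29791 a customer of AS4637; the
vantage-point carriers peering with AS6453); in production load them from
CAIDA's AS-relationship dataset or your own peering records.
"""
from __future__ import annotations

from typing import Optional

# Assumed (provider, customer) pairs and peer pairs for this illustration.
ASSUMED_P2C = {(6453, 9498), (4637, 9498), (4637, 29791)}
ASSUMED_PEERS = {frozenset((3257, 6453)), frozenset((3356, 6453))}


def relation(a: int, b: int) -> str:
    """How AS `a` sees its neighbour `b`: customer, provider, peer or unknown."""
    if (a, b) in ASSUMED_P2C:
        return "customer"
    if (b, a) in ASSUMED_P2C:
        return "provider"
    if frozenset((a, b)) in ASSUMED_PEERS:
        return "peer"
    return "unknown"


def find_leak(path: list[int]) -> Optional[int]:
    """Return the first AS that violates valley-free export on an AS path
    written vantage-first, origin-last (as 'show ip bgp' prints it), or None.

    Export rule: a route learned from a customer may go anywhere; a route learned
    from a provider or a peer may only be exported to customers. The check walks
    from the origin toward the vantage point so the AS nearest the origin that
    breaks the rule is reported. Links with unknown relationships are skipped,
    so None means 'valley-free as far as we can tell', not 'proven clean'.
    """
    p = [asn for i, asn in enumerate(path) if i == 0 or asn != path[i - 1]]  # drop prepends
    for k in range(len(p) - 2, 0, -1):
        exporter = p[k]
        learned_from = relation(exporter, p[k + 1])   # where exporter got the route
        exported_to = relation(exporter, p[k - 1])    # who it passed it to
        if "unknown" in (learned_from, exported_to):
            continue
        if learned_from != "customer" and exported_to != "customer":
            return exporter
    return None


# Two paths quoted in the thread (vantage first) plus a constructed control case.
PATHS = [
    [3356, 6453, 9498, 4637, 29791],
    [3257, 6453, 9498, 4637, 30844, 38056, 38056, 38056],
    [3356, 6453, 9498],          # constructed: Airtel's own route via Tata, no valley
]

if __name__ == "__main__":
    for path in PATHS:
        print(" ".join(map(str, path)), "->", find_leak(path))
```

Both quoted paths come back with AS9498 as the leaker; the control path is clean. The "unknown" skip matters in the second path, where the relationships beyond AS4637 are not assumed, so the check still fires on the 6453-9498-4637 segment without pretending to know the rest.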

Re: Switch with high ACL capacity

2018-11-06 Thread Lotia, Pratik M
Mike,

Can you shed some light on the use case? Looks like you are confusing ACLs and 
BGP Flowspec. ACLs and Flowspec rules are similar in some ways but they have a 
different use case. ACLs cannot be configured using Flowspec announcements. 
Flowspec can be loosely explained as 'Routing based on L4 rules' (there's a lot 
more to it than just L4). I doubt there is a switch which can hold a large 
number of Flowspec entries.

 
~Pratik Lotia
“Improvement begins with I.”
 

On 11/6/18, 10:39, "NANOG on behalf of Mike Hammett"  wrote:

I am looking for recommendations as to a 10G or 40G switch that has the 
ability to hold a large number of entries in ACLs.

Preferred if I can get them there via the BGP flow spec, but some sort of 
API or even just brute force on the console would be good enough.

Used or even end of life is fine.

-Mike Hammett
Intelligent Computing Solutions
Midwest Internet Exchange
The Brothers WISP




RE: automatic rtbh trigger using flow data

2018-08-31 Thread Lotia, Pratik M
>many operators doing this have concentrated on common 
>port-pairs observed in UDP reflection/amplification attacks.

Yes, because that's a great starting point.

> And when we're using techniques like 
>QoSing down certain ports/protocols, we must err on the side of caution,

The Arbor report mentions that volumetric attacks using DNS and NTP form 75+% of 
the attacks. So QoSing certain ports and protocols is the best way to start with.

~Pratik Lotia  



-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Roland Dobbins
Sent: Friday, August 31, 2018 11:13 AM
To: NANOG list
Subject: Re: automatic rtbh trigger using flow data


On 31 Aug 2018, at 23:53, Lotia, Pratik M wrote:

> Instead of rtbh I would suggest blocking/rate limiting common ports 
> used in DDoS attacks.

This isn't an 'instead of', it's an 'in addition to'.  And it must be 
done judiciously; many operators doing this have concentrated on common 
port-pairs observed in UDP reflection/amplification attacks.

It's important to understand that any kind of packet of any 
protocol/ports (if such concepts apply on the protocol in question) can 
be used to launch DDoS attacks.

We've many tools in the toolbox, and should use them in a 
situationally-appropriate manner.  And when we're using techniques like 
QoSing down certain ports/protocols, we must err on the side of caution, 
lest we cause larger problems than the attacks themselves.

---
Roland Dobbins 



RE: automatic rtbh trigger using flow data

2018-08-31 Thread Lotia, Pratik M
Instead of rtbh I would suggest blocking/rate limiting common ports used in 
DDoS attacks. That will block 90% of the DDoS attacks. We recently open sourced 
a BGP Flowspec based tool for DDoS Mitigation. It applies Flowspec rules per 
victim IP Addr.
https://github.com/racompton/docker-auto-flowspec


~Pratik Lotia 


-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of H I Baysal
Sent: Friday, August 31, 2018 3:09 AM
To: Michel Py; Aaron Gould; mic...@arneill-py.sacramento.ca.us
Cc: Nanog@nanog.org
Subject: Re: automatic rtbh trigger using flow data

Most of the solutions mentioned are paid, or fastnetmon is partially 
paid. And the thing you want is paid, I believe.
Nice tool though, not saying anything against it. However:

My personal view is, as long as you can store your flow info in a 
timeseries database (like influxdb and NOT SQL LIKE!!!) you can do 
whatever you want with the (raw) data, and create custom triggers for 
different calculations.

Flows are on the fly and are coming in constantly; you could have a 
calculation like group by srcip and whatever protocol you want, or just 
srcip, and make a calculation every x seconds or minutes. As I mentioned, 
the flow data is a constant stream, so you could have it triggered as 
fast as you want.

(and the nice thing is, with sflow, you also get as path, peer as, 
localpref, community (if enabled). You could group by anything.. :)

I admit it takes a bit more time to set up but the outcome is amazing ;) 
(especially if you graph it then with grafana)
And in your case it would be a script that does an influxdb command to 
make the calculations and if the outcome shows an IP meeting the 
thresholds you have set in the calculation, you trigger a script that 
adjusts the route to be announced to your upstream with the correct 
(rtbh) community.
(as I mentioned, as long as you have the "raw" flows, you can do anything)


Good luck, whatever you choose :)


On 31-08-18 02:14, Michel Py wrote:
>> Aaron Gould wrote :
>> I'm really surprised that you all are doing this based on source ip, simply 
>> because I thought the distribution of botnet members around
>> the world were so extensive that I never really thought it possible to 
>> filter based on sources, if so I'd like to see the list too.
> I emailed you. For years I ran it at home on a Cisco 1841, 100,000 BGP 
> prefixes is nothing these days. I am not surprised that Joe pushes that to 
> some CPEs.
>
>> Even so, this would not stop the attacks from hitting my front door, my side 
>> of my Internet uplink...when paying for a 30 gigs CIR
>> and paying double for megabits per second over that, up to the ceiling of 
>> 100 gig every bit that hits my front door over 30 gig
>> would cost me extra, remotely triggering based on my victim IP address 
>> inside my network would be my solution to saving money.
> I agree. If you want to get a real use of source blacklisting, to save 
> bandwidth, you probably want to rent a U in a rack at your upstream(s) to 
> block it there.
> I never did it past 1GE, and I have never measured seriously the bandwidth it 
> would save, would be curious to know.
> I think the two approaches are complementary to each other though.
>
> Michel.
>
>
> On Aug 30, 2018, at 6:43 PM, Michel Py  wrote:
>
>>> Joe Maimon wrote :
>>> I use a bunch of scripts plus a supervisory sqlite3 database process all 
>>> injecting into quagga
>> I have the sqlite part planned, today I'm using a flat file :-( I know :-(
>>
>>> Also aimed at attacker sources. I feed it with honeypots and live servers, 
>>> hooked into fail2ban and using independent host scripts. Not very 
>>> sophisticated, the remotes use ssh executed commands to add/delete. I also 
>>> setup a promiscuous ebgp RR so I can extend my umbrella to CPE with diverse 
>>> connectivity.
>> I would like to have your feed. How many attacker prefixes do you currently 
>> have ?
>>
>>> Using flow data, that sounds like an interesting direction to take this 
>>> into, so thank you!
>> The one thing we can share here is the attacker prefixes. The victim 
>> prefixes are unique to each of us but I expect our attacker prefixes to be 
>> very close.
>>
>> Michel.
>>
>> TSI Disclaimer:  This message and any files or text attached to it are 
>> intended only for the recipients named above and contain information that 
>> may be confidential or privileged. If you are not the intended recipient, 
>> you must not forward, copy, use or otherwise disclose this communication or 
>> the information contained herein. In the event you have received this 
>> message in error, please notify the sender immediately by replying to this 
>> message, and then delete all copies of it from your system. Thank you!...

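Pratik's suggestion (rate-limit the common DDoS ports, scoped per victim IP via Flowspec) and H I Baysal's (aggregate raw flow records on a schedule and trigger when a destination crosses a threshold) describe the same pipeline from two ends. The following is an added example of that pipeline end to end; it is not the racompton/docker-auto-flowspec tool linked above, nor its logic or syntax. Flow records, sampling rate and thresholds are constructed, the reflection port list is an assumption, and the rule text follows ExaBGP's flowspec API syntax as an assumption. Roland's caveat is built in: the rule is scoped to one victim /32, one protocol and one reflector source port, and it rate-limits rather than discards.

```python
"""Per-victim Flowspec rate-limit rules from sampled flow records.

Added example: it is neither the racompton/docker-auto-flowspec tool linked
above nor its logic, just the pattern the thread describes (detect on flow data,
scope the mitigation to the victim IP, rate-limit common reflection ports instead
of blackholing the victim). Constructed inputs throughout; the rule text follows
ExaBGP's flowspec API syntax as an assumption ('rate-limit' is bytes per second).
Any protocol can be abused, so this only pre-computes rules for the well-known
UDP reflection source ports and leaves everything else to other tools.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

UDP = 17
# Reflector service ports commonly seen as the *source* port of amplification
# traffic (DNS, NTP, SSDP, memcached, chargen). Assumed list for the example.
REFLECTION_SRC_PORTS = {53, 123, 1900, 11211, 19}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    bytes: int


@dataclass(frozen=True)
class Rule:
    victim: str
    proto: int
    sport: int
    rate_limit_bytes_per_s: int


def detect(flows: list[Flow], window_s: float, sampling_rate: int,
           threshold_bps: float, limit_bytes_per_s: int) -> list[Rule]:
    """Aggregate bytes per (victim, proto, source port) over one export window,
    scale by the sampling rate, and emit a rule for each tuple over threshold."""
    agg: dict[tuple[str, int, int], int] = defaultdict(int)
    for f in flows:
        if f.proto == UDP and f.sport in REFLECTION_SRC_PORTS:
            agg[(f.dst, f.proto, f.sport)] += f.bytes * sampling_rate
    rules = []
    for (dst, proto, sport), total_bytes in sorted(agg.items()):
        if total_bytes * 8 / window_s >= threshold_bps:
            rules.append(Rule(dst, proto, sport, limit_bytes_per_s))
    return rules


def render_exabgp(rule: Rule) -> str:
    """ExaBGP flowspec announce line (assumed syntax) scoped to one victim /32,
    one protocol and one source port, with a rate-limit rather than a discard."""
    return (
        f"announce flow route {{ match {{ destination {rule.victim}/32; "
        f"protocol ={rule.proto}; source-port ={rule.sport}; }} "
        f"then {{ rate-limit {rule.rate_limit_bytes_per_s}; }} }}"
    )


def sample_flows() -> list[Flow]:
    """Constructed 1:1000 sampled records for a 60 s window: a DNS reflection
    flood at 203.0.113.10 from many sources, plus ordinary DNS and HTTPS traffic."""
    flood = [Flow(f"198.51.100.{i % 250 + 1}", "203.0.113.10", UDP, 53, 40000 + i, 1400)
             for i in range(3000)]
    normal = [Flow("192.0.2.53", "203.0.113.20", UDP, 53, 51000 + i, 120) for i in range(5)]
    web = [Flow("192.0.2.80", "203.0.113.20", 6, 443, 52000, 1400)]
    return flood + normal + web


if __name__ == "__main__":
    for r in detect(sample_flows(), 60, 1000, 500_000_000, 1_250_000):
        print(render_exabgp(r))
```

With the constructed window the flood works out to roughly 560 Mbit/s of UDP/53-sourced traffic toward 203.0.113.10, so exactly one rule is produced; the legitimate DNS answers to 203.0.113.20 stay far below threshold and are untouched. Keying the threshold on (victim, protocol, source port) rather than on the victim alone is what keeps the mitigation from also squeezing the victim's normal traffic.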

RE: tcp md5 bgp attacks?

2018-08-15 Thread Lotia, Pratik M
Just to point out -
Data about md5 attacks from various organizations will depend on a number of 
factors such as -
Is BGP TTL Security check being done?
Are anti-spoofing ACLs enabled?
uRPF enabled? Strict or Loose?
BGP Session over a separate interface (tunnel)?



With Gratitude,


Pratik Lotia  |  Security Engineer  | Advanced Engineering Security
Charter Communications

"A satisfied customer is the best business strategy of all."

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Randy Bush
Sent: Tuesday, August 14, 2018 3:39 PM
To: North American Network Operators' Group
Subject: tcp md5 bgp attacks?

so we started to wonder if, since we started protecting our bgp
sessions with md5 (in the 1990s), are there still folk trying to
attack?

we were unable to find bgp mib counters.  there are igp interface
counters, but that was not our immediate interest.  we did find
that md5 failures are logged.

looking at my logs for a few years, i find essentially nothing;
two 'attackers,' one my own ibgp peer, and one that noted evildoer
rob thomas, bgprs01.ord08.cymru.com.

we would be interested in data from others.

note that we are neither contemplating nor suggesting removing md5
from [y]our bgp sessions.

randy
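Randy's observation that the only signal available is the log line, and Pratik's point that what shows up there depends on what GTSM, anti-spoofing ACLs and uRPF have already dropped, suggest the obvious first pass over those logs: split digest failures by whether the source is a configured peer. The following is an added example, not from either poster. The log line shape is an assumption modelled on the IOS-style "%TCP-6-BADAUTH: Invalid MD5 digest from A(port) to B(port)" message, and the lines in sample_log() are constructed.

```python
"""Summarise TCP MD5 (RFC 2385) authentication failures from router syslog.

Added example, not from the thread. The log line shape is an assumption modelled
on the IOS-style '%TCP-6-BADAUTH: Invalid MD5 digest from A(port) to B(port)'
message; adapt the regex to your platform. The lines in sample_log() are
constructed. Failures are split by whether the source is a configured peer
(most likely a key mismatch on one side, e.g. after a rotation) or not (a probe
or spoof that GTSM, anti-spoofing ACLs or uRPF would normally have dropped
before TCP ever computed a digest, which is why those settings change the counts).
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, field

BADAUTH_RE = re.compile(
    r"Invalid MD5 digest from (?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) "
    r"to (?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\)"
)
BGP_PORT = "179"


@dataclass
class Summary:
    peer_failures: Counter = field(default_factory=Counter)     # src is a configured peer
    unknown_failures: Counter = field(default_factory=Counter)  # src is not a peer
    non_bgp: int = 0  # digest failures on a connection with tcp/179 on neither end


def summarize(lines: list[str], configured_peers: set[str]) -> Summary:
    """Parse the syslog lines and count digest failures per source address."""
    s = Summary()
    for line in lines:
        m = BADAUTH_RE.search(line)
        if not m:
            continue  # unrelated message (adjacency change, etc.)
        if BGP_PORT not in (m["sport"], m["dport"]):
            s.non_bgp += 1
            continue
        bucket = s.peer_failures if m["src"] in configured_peers else s.unknown_failures
        bucket[m["src"]] += 1
    return s


def key_mismatch_suspects(s: Summary, min_failures: int = 2) -> list[str]:
    """Configured peers with repeated failures: check the shared secret first,
    since a real peer with the right key never produces these."""
    return sorted(p for p, n in s.peer_failures.items() if n >= min_failures)


def sample_log() -> list[str]:
    """Constructed syslog excerpt: an iBGP peer with a stale key, an unknown
    host hammering tcp/179, and an unrelated BGP adjacency message."""
    return [
        "Aug 14 22:11:03 rtr1 %TCP-6-BADAUTH: Invalid MD5 digest from 192.0.2.7(179) to 198.51.100.1(41002)",
        "Aug 14 22:11:33 rtr1 %TCP-6-BADAUTH: Invalid MD5 digest from 192.0.2.7(179) to 198.51.100.1(41002)",
        "Aug 14 23:05:10 rtr1 %TCP-6-BADAUTH: Invalid MD5 digest from 203.0.113.99(51234) to 198.51.100.1(179)",
        "Aug 14 23:05:11 rtr1 %TCP-6-BADAUTH: Invalid MD5 digest from 203.0.113.99(51235) to 198.51.100.1(179)",
        "Aug 14 23:05:12 rtr1 %TCP-6-BADAUTH: Invalid MD5 digest from 203.0.113.99(51236) to 198.51.100.1(179)",
        "Aug 14 23:07:00 rtr1 %BGP-5-ADJCHANGE: neighbor 192.0.2.7 Up",
    ]


if __name__ == "__main__":
    summary = summarize(sample_log(), configured_peers={"192.0.2.7", "192.0.2.9"})
    print("peers:", dict(summary.peer_failures))
    print("unknown:", dict(summary.unknown_failures))
    print("suspect key mismatch:", key_mismatch_suspects(summary))
```

On the constructed excerpt the configured peer 192.0.2.7 shows up as a probable key mismatch and 203.0.113.99 as an unknown source reaching tcp/179. If an unknown source is outside the peer's own subnet, it also tells you the session was reachable from where it should not have been, which is the ACL/GTSM question rather than the MD5 one.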



RE: SP security knowledge build up

2018-07-24 Thread Lotia, Pratik M
On Mon, Jul 23, 2018 at 03:22:46PM +0200, Ramy Hashish wrote:
> I am planning to build up a security team of fresh engineers who are 
> "network oriented", any advice on the knowledge resources we can start 
> with?

To add to the academic programs - 

CU Boulder has an excellent telecom program for network security and network 
engineering; one of their courses focuses solely on SP networks (full 
disclosure: I am a CU Boulder alumnus).


With Gratitude,

Pratik Lotia  |  Security Engineer III  
Charter Communications


-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Rich Kulawiec
Sent: Tuesday, July 24, 2018 10:43 AM
To: nanog@nanog.org
Subject: Re: SP security knowledge build up

On Mon, Jul 23, 2018 at 03:22:46PM +0200, Ramy Hashish wrote:
> I am planning to build up a security team of fresh engineers who are 
> "network oriented", any advice on the knowledge resources we can start 
> with?

1. Start with one or more engineers who aren't "fresh".  This is more 
expensive, potentially much more expensive, but it's much more likely to result 
in success than trying to feed a crash course in security into the brains of 
people who've never done any of this before.  Even if all those experienced 
people do is stop you from making well-known mistakes, then the investment will 
be more than worth it.

2. I see that several academic programs were mentioned downthread; one that I'd 
add to the list is UMBC, which is excellent.

---rsk