Re: [Operational] Internet Police

2010-12-09 Thread Suresh Ramasubramanian
Let's put it this way.

1. If you host government agencies, provide connectivity to say a
nuclear power plant or an army base, or a bank or .. .. - you'd
certainly work with your customers to meet their security
requirements.

2. If you are a service provider serving up DSL - why then, there are
some governments (say Australia) that have blacklists of child porn
sites - and I think Interpol came up with something similar too.  And
yes there's CALEA and a few other such things .. not much more that's
new.

Separating rhetoric and military metaphors will help you see this a
lot more clearly.  As will not dismissing the entire idea with
contempt.

As a service provider for anything at all, you'll see your share of attacks.

Whether coordinated by 4chan or by comrade joe chan shouldn't really
matter, except at the level where you work with law enforcement etc to
coordinate a response that goes beyond the technical.  [And ALL
responses to these are not going to restrict themselves to being
solvable by technical means].

--srs

On Fri, Dec 10, 2010 at 12:01 AM, Michael Smith mich...@hmsjr.com wrote:
 How is what to block identified?  ...by content key words?  ..traffic
 profiles / signatures?  Deny all, unless flow (addresses/protocol/port) is
 pre-approved / registered?

 What does the technical solution look like?

 Any solutions to maintain some semblance of freedom?




-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: [Operational] Internet Police

2010-12-09 Thread Suresh Ramasubramanian
And if I ever find the genius who came up with the "we are not the
internet police" meme ...

On Fri, Dec 10, 2010 at 12:19 AM, Suresh Ramasubramanian
ops.li...@gmail.com wrote:
 Let's put it this way.

 1. If you host government agencies, provide connectivity to say a
 nuclear power plant or an army base, or a bank or .. .. - you'd
 certainly work with your customers to meet their security
 requirements.

 2. If you are a service provider serving up DSL - why then, there are
 some governments (say Australia) that have blacklists of child porn
 sites - and I think Interpol came up with something similar too.  And
 yes there's CALEA and a few other such things .. not much more that's
 new.

 Separating rhetoric and military metaphors will help you see this a
 lot more clearly.  As will not dismissing the entire idea with
 contempt.

 As a service provider for anything at all, you'll see your share of attacks.

 Whether coordinated by 4chan or by comrade joe chan shouldn't really
 matter, except at the level where you work with law enforcement etc to
 coordinate a response that goes beyond the technical.  [And ALL
 responses to these are not going to restrict themselves to being
 solvable by technical means].

 --srs

 On Fri, Dec 10, 2010 at 12:01 AM, Michael Smith mich...@hmsjr.com wrote:
 How is what to block identified?  ...by content key words?  ..traffic
 profiles / signatures?  Deny all, unless flow (addresses/protocol/port) is
 pre-approved / registered?

 What does the technical solution look like?

 Any solutions to maintain some semblance of freedom?




 --
 Suresh Ramasubramanian (ops.li...@gmail.com)




-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: [Operational] Internet Police

2010-12-09 Thread Suresh Ramasubramanian
On Fri, Dec 10, 2010 at 12:42 AM, Randy Bush ra...@psg.com wrote:
 And if I ever find the genius who came up with the "we are not the
 internet police" meme ...

 he died over a decade ago

All due respect to him, but I didn't want to kick his teeth in or
anything, merely ask if he'd like to reconsider it, given the new
security threats we all face that have outdated that meme.

-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: Windows Encryption Software

2010-12-09 Thread Suresh Ramasubramanian
On Fri, Dec 10, 2010 at 6:25 AM, Brandon Kim brandon@brandontek.com wrote:

 Wow, sounds like TrueCrypt it is... not a single other app was suggested!!!

 Thank you gentlemen!


There's also PGP WDE (Whole Disk Encryption)

-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: Cloud proof of failure - was:: wikileaks unreachable

2010-12-06 Thread Suresh Ramasubramanian
On Mon, Dec 6, 2010 at 3:08 PM, Peter Dambier pe...@peter-dambier.de
wrote:
 The cloud is a failure. Too easy to get it down.
 I guess wikileaks returning to dedicated hosting proves that.

I haven't used this sign in nearly a decade.  And certainly not on nanog.
Anyway .. I'll end this thread now.  And folks ..

   .:\:/:.
+---+ .:\:\:/:/:.
|   PLEASE DO NOT   |:.:\:\:/:/:.:
|  FEED THE TROLLS  |   :=.' -   - '.=:
|   |   '=(\ 9   9 /)='
|   Thank you,  |  (  (_)  )
|   Management  |  /`-vvv-'\
+---+ / \
|  |@@@  / /|,|\ \
|  |@@@ /_//  /^\  \\_\
  @x@@x@|  | |/ WW(  (   )  )WW
  \/|  |\|   __\,,\ /,,/__
   \||/ |  | |  jgs (__Y__)
   /\/\/\/\/\/\/\/\//\/\\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\



-- 
Suresh Ramasubramanian (ops.li...@gmail.com)


Re: Free Ping services that test your servers Availability from the Internet

2010-11-27 Thread Suresh Ramasubramanian
An alternative would be Gomez GPN .. however all these are a bit of
overkill for what you specifically need (uptime) - pingdom does very
well for that.

On Sat, Nov 27, 2010 at 12:59 AM, Stefan Fouant
sfou...@shortestpathfirst.net wrote:
 Webmetrics provides such a service (full disclosure I used to work for these 
 guys)...

 http://www.webmetrics.com/



-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: Blocking International DNS

2010-11-21 Thread Suresh Ramasubramanian
This isn't new - there have been proposals elsewhere for a resolver
based blacklist of child porn sites.

There are also of course the various great firewalls of various
countries.   In case you'd prefer that to having to blacklist them at
your end ..

Doing this for trademark infringement is going to be a bit thick though.

On Mon, Nov 22, 2010 at 2:02 AM, Joe Sniderman
joseph.snider...@thoroquel.org wrote:

 So I suppose operation of a recursor requires one to check with the
 government to see what names its okay to resolve.. They can have my dns
 recursor when they pry it from my cold dead hands. Otherwise no.

 /me waits for the knock at the door and the yell of "Search warrant, we
 hear you're running an uncensored BIND"



-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: The i-root china reroute finally makes fox news. And congress.

2010-11-17 Thread Suresh Ramasubramanian
I had the timeframe wrong then and it was the April 8 routing leaks.
Sorry for the false alarm.

On Wed, Nov 17, 2010 at 8:07 PM, Lindqvist Kurt Erik
kur...@kurtis.pp.se wrote:


 I can detect from the report that this has anything to do with i.root? Can 
 you explain that?

 Looking at the dates referred to it seem more to be related to the routing 
 leaks on April 8th. Or do you have additional information?



-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



The i-root china reroute finally makes fox news. And congress.

2010-11-16 Thread Suresh Ramasubramanian
http://www.foxnews.com/politics/2010/11/16/internet-traffic-reportedly-routed-chinese-servers/

-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: The i-root china reroute finally makes fox news. And congress.

2010-11-16 Thread Suresh Ramasubramanian
On Wed, Nov 17, 2010 at 6:09 AM, Jorge Amodio jmamo...@gmail.com wrote:

 Cheers
 BTW avoid foxnews, not much operational content there.

I know it, you know it .. and the problem is that operational content
turning up there has a nasty way of getting political

As it is, fox news is reporting something which was presented to congress

So, Lessigisms like "code is law" aside, I guess yes, it IS political now.

-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: The i-root china reroute finally makes fox news. And congress.

2010-11-16 Thread Suresh Ramasubramanian
Man in the middle rewriting of DNS query responses is the only thing I
can think of.

On Wed, Nov 17, 2010 at 11:47 AM, Fred Baker f...@cisco.com wrote:
 I have read the article and the list, and I'm puzzled. It's pretty clear that 
 the root gets its records from a common source, and that the copies of them 
 being delivered by a given root server were different. As a result, traffic 
 intended to go place A went to place B if the TLD lookup happened to go to 
 the particular root server in question. How did an instance of the root 
 server find itself serving changed records? While there is no obvious 
 indication of who made the change or for what reason, it's unlikely it was 
 accidental.



-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: Low end, cool CPE.

2010-11-11 Thread Suresh Ramasubramanian
And does this take cellular modems as a backup?  The only wifi AP I've
seen that would take SIM cards besides ethernet was a no-name chinese
brand I saw in a Hong Kong electronics store.

On Fri, Nov 12, 2010 at 7:18 AM, Jeffrey Lyon
jeffrey.l...@blacklotus.net wrote:
 Try the Linksys RV016. We're using this to load balance three
 satellite uplinks in Afghanistan, 2 Mbps each, but it will supposedly
 handle much higher.



-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: BGP support on ASA5585-X

2010-11-01 Thread Suresh Ramasubramanian
Juniper srx runs JunOS.

On Sat, Oct 30, 2010 at 11:31 AM, Jeffrey Lyon
jeffrey.l...@blacklotus.net wrote:

 Juniper Netscreen does, in case the OP is looking for alternatives.

 Best regards, Jeff


--
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: Dutch Hotels Must Register As ISPs

2010-10-13 Thread Suresh Ramasubramanian
Oh I don't know.  There's lots of hotels that charge something like 20
Euro for a day's worth of wifi [the same with paris airport]

You can get a month's worth of high speed dsl for 20 euro.

So, what's sauce for the goose is sauce for the gander, or however
that translates into dutch.

On Wed, Oct 13, 2010 at 2:47 PM, Wayne E. Bouchard w...@typo.org wrote:
 Okay, if we go down that road, that makes Starbucks, Borders, a number
 of restaurants, and any other place that offers publically accessible
 wifi (free or otherwise) an ISP. If they start to increase the burden
 on these businesses, expect to see wifi hotspots diminish. IMO, that
 classification would be a bad thing.



-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: do you use SPF TXT RRs? (RFC4408)

2010-10-04 Thread Suresh Ramasubramanian
On Mon, Oct 4, 2010 at 12:47 PM, Greg Whynott greg.whyn...@oicr.on.ca wrote:

 A partner had a security audit done on their site.  The report said they were 
 at risk of a DoS due to the fact they didn't have a SPF record.

This is pure unadulterated BS from someone who doesn't understand
either DDoS mitigation, or SPF .. or more likely both.

-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: do you use SPF TXT RRs? (RFC4408)

2010-10-04 Thread Suresh Ramasubramanian
dig throwaway1.com NS
dig throwaway2.com NS

etc etc ... and then check_sender_ns_access in postfix, for example.

Scales much better than whackamoling one domain after the other on the same NS

On Mon, Oct 4, 2010 at 4:59 PM,  valdis.kletni...@vt.edu wrote:

 140 million .coms. Throw-away domains. I do believe that Marcus Ranum had
 "trying to enumerate badness" on his list of "Six stupidest security ideas".
 This won't scale as long as you have more spammers adding new domains faster
 than your NOC staff can add them to the blacklist.

 (And even centralized blacklists run by dedicated organizations haven't solved
 the problem yet, so I'm not holding my breath waiting for that to work out...)



-- 
Suresh Ramasubramanian (ops.li...@gmail.com)
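
The approach in the reply above (block by the nameservers a throwaway domain is delegated to, rather than by the domain itself) worked through as an added example; this is not code posted by anyone in the thread. The `RESOLVED_NS` table is a constructed stand-in for the output of `dig <domain> NS`, using reserved example names, and the two-label `registrable()` heuristic and the threshold of two domains per NS zone are assumptions.

```python
"""Build a Postfix check_sender_ns_access map from sender domains grouped
by the nameservers that host them.  Added example for this thread, not
code posted by anyone in it.  RESOLVED_NS is a CONSTRUCTED stand-in for
the output of `dig <domain> NS`; all names are reserved example names.
"""
from collections import defaultdict

# Constructed: three throwaway domains on one bulk-DNS operator, one
# legitimate domain on its own nameservers.
RESOLVED_NS = {
    "throwaway1.example": ["ns1.bulk-dns.example.", "NS2.Bulk-DNS.example."],
    "throwaway2.example": ["ns1.bulk-dns.example."],
    "throwaway3.example": ["ns3.bulk-dns.example."],
    "shop.example.net":   ["a.iana-servers.net."],
}


def canonical(name):
    """Lowercase and drop the trailing dot so 'NS2.X.' and 'ns2.x' merge."""
    return name.lower().rstrip(".")


def registrable(name, labels=2):
    """Collapse nsN.bulk-dns.example to bulk-dns.example (last N labels).
    Assumption: the NS operator's zone is two labels deep; for ccTLD-style
    names you would consult a public-suffix list instead."""
    return ".".join(canonical(name).split(".")[-labels:])


def group_by_ns(resolved):
    """Map each NS zone to the set of sender domains delegated to it."""
    groups = defaultdict(set)
    for domain, servers in resolved.items():
        for ns in servers:
            groups[registrable(ns)].add(domain)
    return groups


def build_access_map(resolved, threshold=2):
    """One 'zone<TAB>REJECT ...' line per NS zone serving >= threshold domains.
    Feed the result to postmap(1) and reference it from
    smtpd_sender_restrictions with check_sender_ns_access hash:/etc/postfix/sender_ns."""
    lines = []
    for zone, domains in sorted(group_by_ns(resolved).items()):
        if len(domains) >= threshold:
            lines.append(f"{zone}\tREJECT spam DNS provider ({len(domains)} domains)")
    return lines


def parent_domains(name):
    """The name, then each parent domain: the order Postfix tries hostname
    keys when parent_domain_matches_subdomains includes smtpd_access_maps
    (its default)."""
    labels = canonical(name).split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def lookup(access_lines, ns_name):
    """Emulate the Postfix lookup of one NS hostname: first matching key wins."""
    table = dict(line.split("\t", 1) for line in access_lines)
    for key in parent_domains(ns_name):
        if key in table:
            return table[key]
    return None


if __name__ == "__main__":
    access = build_access_map(RESOLVED_NS)
    for line in access:
        print(line)
    # A brand-new throwaway on the same operator is caught with no new entry:
    print(lookup(access, "ns9.bulk-dns.example."))
```

The point of keying on the NS zone rather than the domain is visible in the last line: a fourth, never-seen throwaway delegated to `ns9.bulk-dns.example` is rejected by the existing entry. The obvious caveat is collateral damage when a large shared DNS provider hosts both spammers and legitimate senders, so in practice the threshold is set per operator, not globally.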



Re: Copyright Enforcement DoS/DDoS Attacks

2010-09-09 Thread Suresh Ramasubramanian
On Fri, Sep 10, 2010 at 1:29 AM,  khatfi...@socllc.net wrote:

 Kind of a shame..  We are likely already tracking his botnets so I almost 
 welcome it as well. Out of curiosity, I did pull some stats over the last 60 
 days and we have seen more attacks originating from the India area than we 
 have seen in the past 12 months.

There's no shortage of botted PCs and wide open dsl providers in India
- extremely high # of cbl listings for massmailer bots for example.

So could be any number of bots .. not like russian, brazilian etc
botmasters aren't able to compromise PCs in India, or in Outer Mongolia
if they want to.

-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: Copyright Enforcement DoS/DDoS Attacks

2010-09-08 Thread Suresh Ramasubramanian
If that's the india story .. seems to be a press release fed by the
vendor - which from their website also offers medical transcription
and SEO

On Thu, Sep 9, 2010 at 10:15 AM, Brandon Galbraith
brandon.galbra...@gmail.com wrote:
 http://www.smh.com.au/technology/technology-news/film-industry-hires-cyber-hitmen-to-take-down-internet-pirates-20100907-14ypv.html

 Has anyone dealt with this in the wild? I wasn't aware DoS/DDoS attacks were
 suddenly legal.

 --
 Brandon Galbraith
 Voice: 630.492.0464




-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: IPv4 squatters on the move again?

2010-09-07 Thread Suresh Ramasubramanian
Yeah.  This is just the way snowshoe spammers operate - GRE or VPN
tunnels back to a master server, and a /24 full of output points with
throwaway hostnames / reverse dns

On Tue, Sep 7, 2010 at 8:05 PM, Jon Lewis jle...@lewis.org wrote:
 I haven't seen that excuse/justification from customers.  What I did see
 recently that I have to admit was very slick was a customer who claimed they
 were going to be doing a bunch of remote terminals in stores VPN'd into
 their dedi servers and would be streaming video from the servers to the
 clients.  This was of course 99% BS.  There was VPN involved... they used
 the dedi servers as VPN endpoints for their spam servers that were hosted
 elsewhere.  When we shut them down, there was absolutely nothing
 incriminating of spam operations on their servers...and all they had to do
 was sign up for service at another hosting company, setup the VPN server,
 change the IPs their spam servers VPN to, and they're back in business.
 When sales brought me their initial request, I really didn't believe it, but
 I didn't have good enough cause to reject it.



-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: ISP port blocking practice

2010-09-06 Thread Suresh Ramasubramanian
No.  It'd just increase a LOT, astronomically.

Something on the lines of turning a firehose of petrol on a wildfire

On Tue, Sep 7, 2010 at 7:00 AM, Randy Bush ra...@psg.com wrote:
 i suspect that, if we opened smtp relays again, unblocked 25 for
 consumer chokeband, etc., total spam received would likely increase a
 bit.  but my guess, and i mean guess, is that the limiting parameter
 could well be how many bots the perps can get, not how well those bots
 are blocked.



-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: ISP port blocking practice

2010-09-06 Thread Suresh Ramasubramanian
On Tue, Sep 7, 2010 at 7:29 AM, Randy Bush ra...@psg.com wrote:
 i keep hearing that, but am having a hard time finding supporting data.

Might see the stats from http://cbl.abuseat.org - by AS.  Then compare
the stats on a non port 25 filtered network (they have stats by AS) to
stats on a network that is filtered on port 25

The networks that are filtered on port 25 will of course have any bots
on that network originating spam by other means (social networks,
webmail scripting etc), or other types of nastiness (DDoS etc).  But
you won't find them mailing out direct on port 25.

The bots are very much there - and if the port 25 filtering were to be
taken out, you'd at once see the increase in spam volumes.

--srs
-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: ISP port blocking practice

2010-09-02 Thread Suresh Ramasubramanian
Zhiyun, this is by far the most comprehensive paper I've seen on
asymmetric routing spam .. a technique that's as old as, for example,
Alan Ralsky.  So been around for about a decade.

Congratulations, great effort.  Do you have more results available (in
more detail than were published in this paper)?  Should be worth
seeing.

thanks
--srs

On Fri, Sep 3, 2010 at 3:29 AM, Zhiyun Qian zhiy...@umich.edu wrote:
 Sorry for bringing this old topic back. But we have made some academic effort 
 investigating the spamming behaviors using asymmetric routing (we named it 
 triangular spamming). This work appeared in this year's IEEE Security & 
 Privacy conference. You can take a look at it if you are interested (and 
 feedback is welcome):

 http://www.eecs.umich.edu/~zhiyunq/pub/oakland10_triangular-spamming.pdf



-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: ISP port blocking practice

2010-09-02 Thread Suresh Ramasubramanian
BCP38 / RFC2827 were created specifically to address some quite
similar problems.  And googling either of those two strings on nanog
will get you a lot of griping and/or reasons as to why these aren't
being more widely adopted :)

--srs

On Fri, Sep 3, 2010 at 7:47 AM, Zhiyun Qian zhiy...@umich.edu wrote:
 Suresh, thanks for your interest. I see you've had a lot of experience in 
 fighting spam, so you must have known this. Yes, I know this spamming 
 technique has been around for a while. But it's surprising to see that the 
 majority of the ISPs that we studied are still vulnerable to this attack.  
 That probably indicates that it is not as widely known as we would expect. So 
 I thought it would be beneficial to raise the awareness of the problem.

 In terms of more results, the paper is the most detailed document we have. 
 Otherwise, if you are interested in the data that we collected (which ISPs or IP 
 ranges are vulnerable to this attack), we can chat offline.

 Regards.
 -Zhiyun

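
The BCP38 / RFC 2827 check referred to above, modelled as strict and loose unicast RPF over a small routing table, as an added example. This is neither the paper's code nor anything posted in the thread; the FIB, interface names and addresses are constructed from RFC 5737 test prefixes. The last sample packet is the shape of traffic the asymmetric-routing technique depends on: a customer host emitting packets whose source address belongs to a relay on some other network.

```python
"""Strict and loose unicast RPF, the mechanism behind BCP38 / RFC 2827
ingress filtering, modelled over a constructed routing table.  Added
example; it is neither the paper's code nor anything posted in this thread.
The FIB and addresses are CONSTRUCTED from RFC 5737 test prefixes.
"""
from ipaddress import ip_address, ip_network

# Constructed FIB: prefix -> interface the prefix is reached through.
FIB = {
    ip_network("192.0.2.0/24"):    "eth1",  # single-homed customer A
    ip_network("198.51.100.0/24"): "eth2",  # single-homed customer B
    ip_network("0.0.0.0/0"):       "eth0",  # default route to the upstream
}


def best_route(src):
    """Longest-prefix match: returns (prefix, interface) for src."""
    addr = ip_address(src)
    candidates = [(net, ifc) for net, ifc in FIB.items() if addr in net]
    return max(candidates, key=lambda c: c[0].prefixlen)


def urpf_strict(src, ingress_ifc):
    """Accept only if the route back to src leaves through the interface the
    packet arrived on.  Correct on single-homed customer ports; this is the
    check that stops a customer emitting packets with someone else's source."""
    _, ifc = best_route(src)
    return ifc == ingress_ifc


def urpf_loose(src):
    """Accept if src is covered by any route more specific than the default.
    Weaker (a customer can still spoof another customer's prefix), but usable
    on multihomed edges where strict mode would drop legitimately asymmetric
    traffic.  Letting the default route count as a match would make the check
    vacuous, so it is excluded here."""
    net, _ = best_route(src)
    return net.prefixlen > 0


def ingress_filter(packets, mode="strict"):
    """Apply the chosen check to (src, ingress_ifc) pairs; return those kept."""
    if mode == "strict":
        return [(s, i) for s, i in packets if urpf_strict(s, i)]
    return [(s, i) for s, i in packets if urpf_loose(s)]


# Constructed traffic.  The third entry is what the spammer behind customer A
# needs: SMTP packets carrying the source address of a relay that sits
# beyond the upstream, so the replies go to the relay and not to A.
SAMPLE_PACKETS = [
    ("192.0.2.7", "eth1"),      # customer A as itself
    ("198.51.100.3", "eth1"),   # customer A spoofing customer B
    ("203.0.113.9", "eth1"),    # customer A spoofing an address beyond the upstream
    ("203.0.113.9", "eth0"),    # the same source arriving from the upstream
]

if __name__ == "__main__":
    print("strict:", ingress_filter(SAMPLE_PACKETS))
    print("loose: ", ingress_filter(SAMPLE_PACKETS, mode="loose"))
```

Strict mode keeps only the first and last packets, which is the behaviour wanted on a customer-facing port. Loose mode shows its two weaknesses in one run: it lets customer A spoof customer B, and because the default route is excluded it also drops the packet that arrived normally from the upstream, which is why loose mode is only deployed on interfaces that carry a reasonably full table.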


Re: Other NOGs around the world?

2010-08-22 Thread Suresh Ramasubramanian
and of course apricot (www.apricot.net)

On Sun, Aug 22, 2010 at 7:47 PM, Marshall Eubanks t...@americafree.tv wrote:

 SANOG (Southeast Asia) - http://www.sanog.org/

 PACNOG (Pacific) - http://www.pacnog.org/



-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: net-neutrality

2010-08-11 Thread Suresh Ramasubramanian
If you announce anything worth reaching in that AS of yours .. MAYBE,
JUST MAYBE they'd care rather than yawn

84.22.96.0/19 has, for instance -  84.22.96.254  cock-is.huge.nl

If sony music etc want to engage in a size war with you, that's
entirely up to them.

Meanwhile, please leave nanog out of this.   It is your toy AS with
what looks like little or no production traffic on it, and you're free
to play with it as you like.

--srs

On Wed, Aug 11, 2010 at 4:22 PM, Sven Olaf Kamphuis s...@cb3rob.net wrote:
 Hi, considering the fact that several organisations have been severely
 undermining net-neutrality over the past few months, which they seem to see
 as less important than their copyright bullshit, we have decided to set an
 example:

 Should the following networks, to which list more will be added over the
 coming month, desire to exchange traffic with AS34109, they can obtain a
 traffic relay contract at sa...@cb3rob.net, the costs of which amount to
 1 euros per month, excl. 19% VAT, if not, well, then it's simply no more
 internets for them... sorry peeps.


 193.108.8.0/21#GEMA-NET
 195.109.249.64/29#SONYMUSIC
 195.143.92.160/27#SBMG1-NETS
 212.123.224.240/29#Net-WEGENER-MEDIA-BV
 212.123.227.64/29#BumaStemra2
 212.136.193.216/29#BUMA
 212.78.179.240/28#BUMA-STEMRA
 213.208.242.160/29#NL-COLT-BUMA-STEMRA
 217.148.80.112/28#NL-NXS-CUST-1004613
 85.236.46.0/24#IX-UNIVERSAL-NET


 --
 Greetings,

 Sven Olaf Kamphuis,
 CB3ROB Ltd. & Co. KG
 =
 Address: Koloniestrasse 34         VAT Tax ID:      DE267268209
         D-13359                   Registration:    HRA 42834 B
         BERLIN                    Phone:           +31/(0)87-8747479
         Germany                   GSM:             +49/(0)152-26410799
 RIPE:    CBSK1-RIPE                e-Mail:          s...@cb3rob.net
 =
 penpen C3P0, der elektrische Westerwelle

 =

 Confidential: Please be advised that the information contained in this
 email message, including all attached documents or files, is privileged
 and confidential and is intended only for the use of the individual or
 individuals addressed. Any other use, dissemination, distribution or
 copying of this communication is strictly prohibited.






-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: net-neutrality

2010-08-11 Thread Suresh Ramasubramanian
On Wed, Aug 11, 2010 at 4:59 PM, Sven Olaf Kamphuis s...@cb3rob.net wrote:
 hmm funny, it had the piratebay on it, the 3rd most visited .org domain in
 the world, as well as number 7 or so on the list of most visited websites in
 the entire world, until a few months ago.

no, that doesn't matter as much as just how much traffic you actually
exchange with those ASNs



Re: net-neutrality

2010-08-11 Thread Suresh Ramasubramanian
Not that I am speaking for anybody but myself here.  I'll killfile
this thread now

On Wed, Aug 11, 2010 at 5:14 PM, Raymond Dijkxhoorn
raym...@prolocation.net wrote:

 btw, considering that you apparently run a larger network than the 3
 networks we own and operate, willing to sell? :P

 That would be rather funny Sven, you buying IBM. Sweet dreams.



-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: Feds disable movie piracy websites in raids

2010-07-01 Thread Suresh Ramasubramanian
On Thu, Jul 1, 2010 at 11:11 AM, Michael Painter tvhaw...@shaka.com wrote:
 As randy said not too long ago, First they came for...

No. Not Randy. That was Pastor Martin Niemöller about the Nazis.
So, you just invoked godwin's law.  Thread over.

thank you
suresh



Re: eur.army.mil net ops contact?

2010-05-19 Thread Suresh Ramasubramanian
On Wed, May 19, 2010 at 5:48 PM, Malte von dem Hagen m...@hosteurope.de wrote:
 We cannot reach www.army.mil, we cannot reach their nameservers, we
 cannot reach their MXes. Any further hints?

In plainer English -

Your customer contacts his contact (friend / relative / customer etc)
in the US army
The army guy contacts his base IT staff to bitch about his email
His base IT staff escalates the bitching up through a long and twisty channel
Then you may or may not hear a status back, or get your AS unblocked
Sit tight and wait, till then

-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: eur.army.mil net ops contact?

2010-05-19 Thread Suresh Ramasubramanian
There's this old joke - spread across multiple countries around the
world - about there being three ways to do something ..

1. The right way
2. The wrong way
3. The army way

Good luck

On Wed, May 19, 2010 at 6:06 PM, Malte von dem Hagen m...@hosteurope.de wrote:
 On 19.05.10 14:28, Suresh Ramasubramanian wrote:
 Your customer contacts his contact (friend / relative / customer etc)
 in the US army
 The army guy contacts his base IT staff to bitch about his email
 His base IT staff escalates the bitching up through a long and twisty channel
 Then you may or may not hear a status back, or get your AS unblocked
 Sit tight and wait, till then

 I am aware of this way, sure. I just hoped, there would be a more...
 efficient way.



-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: Config and scheduled event management software?

2010-05-17 Thread Suresh Ramasubramanian
http://snmpstat.sourceforge.net/ and its cisco configuration
repository look good

On Tue, May 18, 2010 at 10:34 AM, George Bonser gbon...@seven.com wrote:
 Anyone have any recommendations of software for Configuration Management
 (change control for hardware, networks etc) and
 event scheduling?

 We are using a hodgepodge of homegrown stuff and RT but are outgrowing
 it.

 What's good? What sucks?



-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: DDoS mitigation services from SPs

2010-04-28 Thread Suresh Ramasubramanian
Might also try Prolexic. Or level3, which resells Prolexic.

And then there's other forms of redundancy - ultradns or similar for
your nameservers, for example.

On Wed, Apr 28, 2010 at 7:39 PM, William McCall
william.mcc...@gmail.com wrote:
 All:

 I did some searching and have not found any concrete replies on the
 list, but what carriers can offer L3 DDoS mitigation? Specifically, I
 noticed an old UUnet offering, but it seems like I must be speaking
 the wrong language to my sales drones. Specifically, we're dealing
 with ATT, Qwest and Verizon Business. My thought is that they all
 offered some type of service like this, but my security folks have
 been driving this and having limited success.

 Names of other SPs (we're looking at Verisign) is helpful, but we are
 stuck with the Dallas area.

 Note: I am not interested in changing DNS records and prefixes should
 be able to be advertised through BGP like normal. (Apparently, people
 like to do funky DNS stuff to make this work and sometimes don't want
 to do BGP in other scenarios.)

 Thanks in advance,

 --
 William McCall





-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: Mail Submission Protocol

2010-04-21 Thread Suresh Ramasubramanian
Log and monitor all that you can.  And watch for a large number of IPs
logging into an account over a day (over a set limit - even across
country - that takes into account home -> blackberry -> airport lounge
-> airport lounge in another country -> hotel -> RIPE meeting venue
type scenarios).

And especially watch for and/or firewall off logins from areas from
where you see particularly high levels of smtp auth abuse / logins to
compromised accounts

--srs

2010/4/21 Alex Kamiru nderitua...@gmail.com:
Inside customers, we have not changed to force port 587 and
authentication for email clients, but the topic has come up in
discussions.  This won't of course, stop spammers if they are hijacking
the users local email client settings.

 How best would you stop spammers hijacking local users email clients

 -Mike

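
The monitoring described in the reply above, run over sample log lines, as an added example that is not code from the thread. The log lines are constructed in the shape Postfix smtpd uses when it logs a SASL login (`client=... sasl_method=... sasl_username=...`), the IP-to-country table is a constructed stand-in for a GeoIP database, and the thresholds (four distinct IPs or more than two countries per account per day, plus any login at all from a designated high-abuse region) are assumptions to be tuned against your own traffic.

```python
"""Spot SMTP AUTH accounts that look compromised: too many distinct client
IPs, too many countries, or any login from a region where you see heavy
auth abuse.  Added example, not code from this thread.  The log lines are
CONSTRUCTED in the shape Postfix smtpd logs SASL logins, the IP->country
table is a CONSTRUCTED stand-in for GeoIP, and the thresholds are assumptions.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: \w+: "
    r"client=\S+?\[(?P<ip>[\d.]+)\], sasl_method=\w+, sasl_username=(?P<user>\S+)$"
)

# Constructed GeoIP table; "XX" stands for a region with heavy SMTP AUTH abuse.
GEO = [
    (ip_network("192.0.2.0/24"), "US"),
    (ip_network("198.51.100.0/24"), "NL"),
    (ip_network("203.0.113.0/24"), "XX"),
]
HIGH_ABUSE_REGIONS = {"XX"}

# Constructed log: bob travels a little, alice's password is in a botnet,
# carol logs in once from the high-abuse region.
SAMPLE_LOG = """\
Apr 21 09:01:10 mx1 postfix/smtpd[1111]: 1A2B3C: client=unknown[192.0.2.10], sasl_method=LOGIN, sasl_username=bob@example.net
Apr 21 09:05:42 mx1 postfix/smtpd[1112]: 1A2B3D: client=unknown[192.0.2.11], sasl_method=LOGIN, sasl_username=bob@example.net
Apr 21 10:12:33 mx1 postfix/smtpd[1234]: 5A1B2C: client=unknown[192.0.2.5], sasl_method=PLAIN, sasl_username=alice@example.net
Apr 21 10:13:01 mx1 postfix/smtpd[1235]: 5A1B2D: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=alice@example.net
Apr 21 10:13:05 mx1 postfix/smtpd[1236]: 5A1B2E: client=unknown[198.51.100.8], sasl_method=PLAIN, sasl_username=alice@example.net
Apr 21 10:13:09 mx1 postfix/smtpd[1237]: 5A1B2F: client=unknown[203.0.113.21], sasl_method=PLAIN, sasl_username=alice@example.net
Apr 21 10:13:14 mx1 postfix/smtpd[1238]: 5A1B30: client=unknown[203.0.113.22], sasl_method=PLAIN, sasl_username=alice@example.net
Apr 21 11:00:00 mx1 postfix/smtpd[1300]: 7C0D1E: client=unknown[203.0.113.99], sasl_method=LOGIN, sasl_username=carol@example.net
"""


def country(ip):
    """First matching prefix in the constructed GeoIP table, else '??'."""
    addr = ip_address(ip)
    return next((cc for net, cc in GEO if addr in net), "??")


def parse(log_text):
    """Yield (day, user, ip) per SASL login line; unrelated lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts")[:6], m.group("user"), m.group("ip")


def analyze(log_text, max_ips=4, max_countries=2):
    """Return {user: [reasons]} for accounts that breach a per-day limit or
    log in from a high-abuse region at all."""
    ips = defaultdict(set)
    ccs = defaultdict(set)
    for day, user, ip in parse(log_text):
        ips[(day, user)].add(ip)
        ccs[(day, user)].add(country(ip))
    findings = defaultdict(list)
    for (day, user), seen in ips.items():
        if len(seen) >= max_ips:
            findings[user].append(f"{day}: {len(seen)} distinct client IPs")
        if len(ccs[(day, user)]) > max_countries:
            findings[user].append(f"{day}: logins from {sorted(ccs[(day, user)])}")
        bad = ccs[(day, user)] & HIGH_ABUSE_REGIONS
        if bad:
            findings[user].append(f"{day}: login from high-abuse region {sorted(bad)}")
    return dict(findings)


if __name__ == "__main__":
    for user, reasons in analyze(SAMPLE_LOG).items():
        print(user)
        for reason in reasons:
            print("   ", reason)
```

Run as-is it flags alice (five IPs across three countries inside two minutes, which no airport-lounge itinerary explains) and carol (a single login, but from the region on the block list), and leaves bob alone. The per-day bucketing and the four-IP limit are what keep the legitimately mobile user out of the report; the region check is the log-side counterpart of the firewall rule the reply suggests, and is the one you would turn into an automatic password reset rather than just an alert.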


Re: Mail Submission Protocol

2010-04-21 Thread Suresh Ramasubramanian
No. UCEProtect is certainly not a decent or any other kind of place to start.

The MAAWG BCPs have far more available than one of the worst
maintained blacklists that has ever been in existence.

If you want FAQs from blocklists - there is much that's available on
the spamhaus.org website

On Thu, Apr 22, 2010 at 8:24 AM, Franck Martin fra...@genius.com wrote:
 If you have left port 25 open, this is a good place to start.

 http://www.uceprotect.net/en/rblcheck.php

 I suspect any decent IDS will tell you which machine has weird traffic. I 
 suppose you can put rules based on the IDS result to redirect them to a 
 special web page to tell them, they have to do something.

 The main issue, it not to know which machines are hijacked, but to support 
 these machines.

 - Original Message -
 From: Suresh Ramasubramanian ops.li...@gmail.com
 To: Alex Kamiru nderitua...@gmail.com
 Cc: nanog@nanog.org
 Sent: Thursday, 22 April, 2010 1:35:56 PM
 Subject: Re: Mail Submission Protocol

 Log and monitor all that you can. And watch for a large number of IPs
 logging into an account over a day (over a set limit - even across
 country - that takes into account home -> blackberry -> airport lounge
 -> airport lounge in another country -> hotel -> RIPE meeting venue
 type scenarios).

 And especially watch for and/or firewall off logins from areas from
 where you see particularly high levels of smtp auth abuse / logins to
 compromised accounts

 --srs

 2010/4/21 Alex Kamiru nderitua...@gmail.com:
Inside customers, we have not changed to force port 587 and
authentication for email clients, but the topic has come up in
discussions. This won't of course, stop spammers if they are
hijacking the users local email client settings.

 How best would you stop spammers hijacking local users email clients

 -Mike




-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: FCC dealt major blow in net neutrality ruling favoring, Comcast

2010-04-12 Thread Suresh Ramasubramanian
On Mon, Apr 12, 2010 at 11:41 AM, Paul WALL pauldotw...@gmail.com wrote:
 It should probably be noted, for purpose of establishing bias, that
 Richard is a Washington lobbyist, hired to represent Comcast on
 regulatory matters.  What he views as overstepping legal bounds,
 others may view as protecting consumers...

Hell, funnily enough Susan Crawford warned at the time that the FCC
action wouldn't stand up in court the way it was done.

http://www.circleid.com/posts/comcast_vs_the_fcc_a_reply_to_susan_crawfords_article/

--srs
-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: Carrier class email security recommendation

2010-04-12 Thread Suresh Ramasubramanian
You have multiple options

1. Ironport / Fortinet etc gateways.   [Not barracuda - hardly carrier
class, enterprise grade more like it]

2. Outsource to a provider like Messagelabs or MXLogic that only
handles the spam filtering, lets you host your own mailboxes

3. Outsource to one or more vendors of hosted email services - Google
Apps, Microsoft BPOS, IBM Lotuslive etc

your choice based on what meets your requirements.

--srs (full disclosure - head, antispam @ ibm lotuslive)

2010/4/12 Alex Kamiru nderitua...@gmail.com:
 I am in the process of sourcing for a carrier class email security
 solution that will replace our current edge spam gateways based on open
 source solutions. Some solutions that am currently considering are
 Ironport, Fortinet Fortimail, MailFoundry and Barracuda. I'd therefore
 wish to know, based on your experiences, what works for you
 satisfactorily. Areas that are key for me are centralized management and
 reporting, carrier class performance, per mailbox policy and quarantine,
 and favourable licensing for an MSSP. I know Ironport is rated highly in
 this space but I find its per user licensing is not favourable for a
 MSSP.



-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: Carrier class email security recommendation

2010-04-12 Thread Suresh Ramasubramanian
Right.  Just to add one more choice into your mix .. Bizanga is one
such vendor that I've seen deployed by carriers who want an appliance.
 They were recently acquired by Cloudmark.

There are also rate limiting .. kind of like netflow for email type
devices - Symantec E160, and Mailchannels (mailchannels.com).  These
might be worth considering for systemwide filtering after which you
can apply your own policies per user.

ps: About Barracuda - I am not aware, they may have a carrier grade /
larger scale product too.   If you see one of those, or any other
vendor that meets your needs go for it.

-suresh

2010/4/12 Alex Kamiru nderitua...@gmail.com:
 Suresh,
 I am more interested in option 1 and would want opinion from those with
 experience on that.

 -Original Message-
 From: Suresh Ramasubramanian ops.li...@gmail.com
 To: Alex Kamiru nderitua...@gmail.com
 Cc: nanog nanog@nanog.org
 Subject: Re: Carrier class email security recommendation
 Date: Mon, 12 Apr 2010 15:37:46 +0530

 You have multiple options

 1. Ironport / Fortinet etc gateways.   [Not barracuda - hardly carrier
 class, enterprise grade more like it]

 2. Outsource to a provider like Messagelabs or MXLogic that only
 handles the spam filtering, lets you host your own mailboxes

 3. Outsource to one or more vendors of hosted email services - Google
 Apps, Microsoft BPOS, IBM Lotuslive etc

 your choice based on what meets your requirements.

 --srs (full disclosure - head, antispam @ ibm lotuslive)

 2010/4/12 Alex Kamiru nderitua...@gmail.com:
 I am in the process of sourcing for a carrier class email security
 solution that will replace our current edge spam gateways based on open
 source solutions. Some solutions that I am currently considering are
 Ironport, Fortinet Fortimail, MailFoundry and Barracuda. I'd therefore
 wish to know, based on your experiences, what works for you
 satisfactorily. Areas that are key for me are centralized management and
 reporting, carrier class performance, per mailbox policy and quarantine,
 and favourable licensing for an MSSP. I know Ironport is rated highly in
 this space but I find its per user licensing is not favourable for an
 MSSP.

-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: Carrier class email security recommendation

2010-04-12 Thread Suresh Ramasubramanian
The man did say carrier class .. not small webhost for four
families and dog.   You're talking multiple mailservers + filtering
gateways / appliances etc, clustered .. rather tough to do that with
one pizzabox 1U running a linux that's not updated in years and
configured with webmin.

And have you used / deployed any of those devices to claim they don't
support NTP?  Or whether that's a bigger constraint than an
underpowered linux box? :)

On Mon, Apr 12, 2010 at 7:48 PM, todd glassey tglas...@earthlink.net wrote:
 Yes William, but realize that was an easiest method solution. There
 are any number of others as well.

 The point is that integrating an appliance type functionality is pretty
 easy if you bother to take the time.

 What I really wanted to point out is how many of the devices don't allow
 authenticated NTP, meaning they are worthless from an evidence
 perspective, something that we as network engineers are constrained by
 as well.



-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: Carrier class email security recommendation

2010-04-12 Thread Suresh Ramasubramanian
On Mon, Apr 12, 2010 at 8:45 PM, todd glassey tglas...@earthlink.net wrote:
 On 4/12/2010 7:22 AM, Suresh Ramasubramanian wrote:
 The man did say carrier class .. not small webhost for four
 families and dog.

 yes he did Suresh ... meaning that something larger and more secure than
 the off-the-shelf copy of Linux is needed. Funny the NSA and many others
 would disagree with you.

I know of (and have been the postmaster for) multiple million user
installations that run happily on linux + postfix (and sendmail,
qmail..).

None that run on one server running webmin, even a 3U server.

 or layered as stages within a new system design based on GPUs which
 allow for the specific assignment of threads of control to specific
 processes. Imagine a cloud type environment running in a single GPU with
 the ability to properly map threads to GPU threads.

You don't have a single one of anything at all in large and well scaled
environments.

 OK our server is 3U but that was because I wanted bigger fans inside
 it... The 1U single TESLA based email GW is exactly what you describe -
 a 512 thread CUDA based GPU with serious capabilities therein.

So how many users do you run on that one 3U box?  100K?  300K?  A
couple of million?  :)

The man said carrier class.  And when you talk that you don't just talk
features, you talk operations on a rather larger scale than what
you're describing.

--srs

-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: Carrier class email security recommendation

2010-04-12 Thread Suresh Ramasubramanian
It's nanog and not an RFQ process or I'd have asked him that too :)

On Mon, Apr 12, 2010 at 9:29 PM, Zaid Ali z...@zaidali.com wrote:
 I haven't seen the man ask support for messages/hour, 3M..10M..1B ? Or maybe
 I missed this question?



-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: Carrier class email security recommendation

2010-04-12 Thread Suresh Ramasubramanian
I did ask him how many users he was looking to size email for.  But a
lot of questions like, and beyond, that - you may or may not want to
answer on nanog.

The man said carrier class .. and you have a set of assumptions.  If
you say enterprise you're assuming like 300K..400K mailboxes for the
very largest enterprises.  Tops.

That'd be a small to mid sized carrier to spec carrier class for.

I'll end this thread here.

On Mon, Apr 12, 2010 at 9:47 PM, Zaid Ali z...@zaidali.com wrote:
 I think it is a perfectly reasonable question to ask in NANOG. If someone
 asks how much memory do I need on my router to do BGP, you have to ask the
 fundamental question of how big your routing table will be. I don't see this
 as any different. It's helpful to provide opinions when you are guided by
 some data :)




-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: Carrier class email security recommendation

2010-04-12 Thread Suresh Ramasubramanian
Scale it all.  Then manage it centrally. Provision users. Manage
security.  etc etc.

You use much the same IOS whether you run a router for a T1 or run
networks for a tier 1 :)

On Mon, Apr 12, 2010 at 9:51 PM, joel jaeggli joe...@bogus.com wrote:

 I build basically the same mail-system whether it is collapsed into a single box
 or spread out across a cluster.

 sendmail + clamav milter + milter graylist - procmail - spamd - maildir
 delivery - dovecot imap.

 When you need to scale the front end you deploy a load balancer and fire up
 more smtp boxes...

 When you need to scale the filestore you move it to nfs and divide and
 conquer.

 When you need to scale imap you shift it in front of the load balancer and
 deploy more boxes.

 For load balancer we used LVS back in the day.

 Can replace sendmail with postfix or exim, it's mostly a place to hang the
 various on-connect filter regimes.



-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: BGP hijack from 23724 - 4134 China?

2010-04-09 Thread Suresh Ramasubramanian
It depends.  Preventing packet flow from a rather more carefully
selected list of prefixes may actually make sense.

These for example - www.spamhaus.org/drop/

Filtering prefixes that your customers may actually exchange valid
email / traffic with, and that are not 100% bad is not the best way to
go.

Block specific prefixes from China, the USA, Eastern Europe, wherever
- that are a specific threat to your network .. great.   Even better
if you are able to manage that blocking and avoid turning your router
ACLs into a sort of Hotel California for prefixes.

On Fri, Apr 9, 2010 at 11:52 AM, Daniel Karrenberg
daniel.karrenb...@ripe.net wrote:


  Selectively preventing packet flow is *not* a security measure.

  Selectively preventing packet flow leads to unexpected and hard to
  diagnose breakage.

  Many independent actors selectively preventing packet flow will
  eventually partition the Internet sufficiently to break it beyond
  recognition.



-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: FCC dealt major blow in net neutrality ruling favoring Comcast

2010-04-07 Thread Suresh Ramasubramanian
On Wed, Apr 7, 2010 at 8:12 PM, Chris Grundemann cgrundem...@gmail.com wrote:
 They are now using the phrase Open
 Internetworking to describe their stance on the issue.

How very sensible of ISOC.

-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: What is The Internet TCP/IP or UNIX-to-UNIX ?

2010-04-04 Thread Suresh Ramasubramanian
On Sun, Apr 4, 2010 at 2:42 PM, James Bensley jwbens...@gmail.com wrote:

 Also having the email account ipv3@gmail.com, that's not very useful?

He's still got to reach the heights of IPv9

-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: Books for the NOC guys...

2010-04-02 Thread Suresh Ramasubramanian
The Limoncelli etc book is brilliant.

There's Phil Smith and Barry Greene's old Cisco ISP Essentials too.
Very good if somewhat outdated.

And then there's this if you just want security -
http://www.amazon.com/Router-Security-Strategies-Securing-Network/dp/1587053365/ref=sr_1_1?ie=UTF8&s=books&qid=1270223489&sr=1-1

On Fri, Apr 2, 2010 at 9:06 PM, Eliot Lear l...@cisco.com wrote:
  On 4/2/10 2:09 PM, Robert E. Seastrom wrote:

 So, what are you having your up-and-coming NOC staff read?

 Practice of System and Network Administration by Limoncelli, Hogan, and
 Challup.  I may be biased, being married to Hogan.



-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: FTC / Nexband

2010-04-01 Thread Suresh Ramasubramanian
On Thu, Apr 1, 2010 at 8:24 PM, Mark Andrews ma...@isc.org wrote:
 You only need to add PTR records for the addresses in use.


Not really the way most automated dns provisioning systems work today
.. and where would they be without $GENERATE in bind? :)

-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: NEED ANY LINK OR SAMPLE TEMPLATE FOR ROUTINE NETWORK (ISP) MAINTENANCE PLAN

2010-03-16 Thread Suresh Ramasubramanian
If you want to search for something - use google
http://www.google.co.in/search?hl=en&q=routine+network+maintenance+plan&sourceid=navclient-ff&rlz=1B3GGGL_enIN311IN311&ie=UTF-8

If you want to ask specific questions, use nanog, or as you're in the
asiapac region, use sanog.

Before you ask questions, show your work .. say what you have done,
what you plan to do, and what question you have based on that.

On Tue, Mar 16, 2010 at 3:44 PM, sakthi vadivel
sakthivadivel.c...@gmail.com wrote:

 It doesn't mean that we have a title that everyone knows
 everything... First of all, I am not a document specialist; I come across
 some requirement where I need to search for... that is what all other people
 do..



-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: OBESEUS - A new type of DDOS protector

2010-03-15 Thread Suresh Ramasubramanian
That's right M. Fortaine .. and your model does not, as yet, appear to
address what you term as EDoS and what the general security community
calls DDoS.

On Tue, Mar 16, 2010 at 7:29 AM, Guillaume FORTAINE gforta...@live.com wrote:
 From my point of view, it seems similar to the EDoS concept :

 http://www.rationalsurvivability.com/blog/?s=EDos

 EDoS attacks, however, are death by a thousand cuts. EDoS can also utilize
 distributed attack sources as well as single entities, but works by making
 legitimate web requests at volumes that may appear to be “normal” but are
 done so to drive compute, network, and storage utility billings in a cloud
 model abnormally high.



-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: OBESEUS - A new type of DDOS protector

2010-03-15 Thread Suresh Ramasubramanian
I got your point.  What I was saying is that what he calls EDoS (and
I'm sure he'll say obliterating infrastructure is the ultimate form of
an economic dos) is just what goes on ...

You may or may not be able to overload the AWS infrastructure by too
many queries but you sure as hell will blow the application out if
that ddos isn't filtered .. edos again.

On Tue, Mar 16, 2010 at 7:35 AM, Christopher Morrow
morrowc.li...@gmail.com wrote:


 eh.. I guess I'm splitting hairs. the goal of 100k bots sending 1
 query per second to a service that you know can only sustain 50k
 queries/second is.. not to economically Dos someone, it's to
 obliterate their service infrastructure.

 Sure, you could ALSO target something hosted (for instance) at
 Amazon-AWS and increase costs by making lots and lots and lots of
 queries, but that wasn't the point of what Deepak wrote, nor what i
 corrected.



-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: Hotels in Tampa

2010-02-26 Thread Suresh Ramasubramanian
tripadvisor.com probably has a lot of hotel reviews for you.   carrier
hotels that allow smoking (!) might be more on topic on nanog i guess?

On Sat, Feb 27, 2010 at 11:40 AM, Joe Hamelin j...@nethead.com wrote:
 I'm going to be in Tampa for two weeks turning up a 4G data center.
 Any recommendations on good hotels that allow smoking?



-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: Email Portability Approved by Knesset Committee

2010-02-22 Thread Suresh Ramasubramanian
Am I missing something?  All the ISP has to do is to provision a pop3
/ imap / webmail mailbox for that user and keep it around.

On Mon, Feb 22, 2010 at 10:14 PM, Owen DeLong o...@delong.com wrote:
 There are huge differences in LNP/WLNP vs. Email Address portability.

 Prior to LNP/WLNP, there was already SS7 which is, essentially a centralized
 layer of indirection for phone numbers. This was necessary in order to support



-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: Spamhaus

2010-02-21 Thread Suresh Ramasubramanian
On Mon, Feb 22, 2010 at 12:08 AM, Joel M Snyder joel.sny...@opus1.com wrote:
 but the false positive count jumped by 112 messages per 10,000 (because
 APEWS was somehow having a lousy month).

 In general, the more reputation services you include, the more likely it is
 you're going to have false positives.

Christ.  You pick APEWS as a reputation filter.. and then even bother
to *count* the false positives?

That's not a list that's particularly designed to minimize FPs, to put
it very mildly.

-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: Spamhaus and Barracuda Networks BRBL

2010-02-21 Thread Suresh Ramasubramanian
Is it your position that, as a vendor of antispam services, nobody
else should offer their services for a fee?

That would be strange indeed.

On Fri, Feb 19, 2010 at 5:41 AM, Dean Drako dr...@barracuda.com wrote:

 With respect to Barracuda Networks and Spamhaus.

 I expect, but I do not know, that Spamhaus probes on port 25
 in order to identify Barracuda Spam and Virus Firewalls and then block
 their access to their RBL.  Many Barracuda customers have been
 cut off without warning causing them trouble and pain.

 Barracuda attempted to find a deal that would work for licensing
 Spamhaus for our products, however, spamhaus's desire for money
 could not be met without significantly increasing the price to
 each of our customers.  They wanted us to charge the
 spamhaus feed price to each of our customers.
 We tried to find an arrangement for a long time.  I personally
 love the work that spamhaus has done. I was disappointed that we could
 not find an arrangement once they changed into a commercial entity and
 started charging customers.  When they were providing a free
 service we promoted them strongly, but when they started charging
 the customers that really used it, we had to part ways.
 It is a pity.

 We recommend customers use only Barracuda's Free RBL:  BRBL
 and this is now built into the Barracuda Spam and Virus Firewall.
 http://www.barracudacentral.org/rbl

 The BRBL is provided at no charge to anyone who wants to use it (even
 non-Barracuda customers).
 The BRBL has a full time staff that answers phone and email
 to correct any false positives and handle removal requests -- unlike competing
 services that charge money and who do not provide a staff.  We will consider
 providing data feeds if anyone has interest.  We currently provide
 the BRBL as a free service.  We make no claims about it being better
 or worse than any other RBL.  It does use a massive amount of data in
 order to determine which IPs should be on the list. Others have made claims
 about its accuracy and say great things about it.  Others complain that
 we unjustly block them, however, 99.9% of the people who are blocked and who
 contact us find a BOT in their network.


 Sincerely,

 Dean Drako
 CEO Barracuda Networks



-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: The Internet Revealed - A film about IXPs v2.0: now available

2010-02-10 Thread Suresh Ramasubramanian
On Thu, Feb 11, 2010 at 7:50 AM, Randy Bush ra...@psg.com wrote:
 But, as a hyper-aware viewer I did detect a tone in favor of network
 neutrality type arguments- and I suppose that is OK.

 is this a bug or a feature

bug

-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: Yahoo abuse

2010-02-09 Thread Suresh Ramasubramanian
On Tue, Feb 9, 2010 at 8:20 PM, Drew Weaver drew.wea...@thenap.com wrote:

 Half of the time our abuse people spend is wading through the spam at the
 abuse@ addresses =)

Oh we love that.  Find some way to automate feeding all that to your
spam filters and you've got yourself a sizeable trap, if the abuse
address is about a decade old.

-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: Yahoo abuse

2010-02-09 Thread Suresh Ramasubramanian
That's IODEF, if and when it picks up enough steam to get widely deployed.

On Wed, Feb 10, 2010 at 10:37 AM, Mikael Abrahamsson swm...@swm.pp.se wrote:

 Unfortunately this seems very focused on reporting SPAM and other email
 related abuses. What I was looking for was a way to format a generic abuse
 report where the most important parts would be type of abuse, IP doing
 the abuse, time the abuse occurred and free text field about what
 happened that could be used by end users. Creating a new MIME type
 precludes most end users from ever using it because their MUA won't support
 it.



-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: google contact? why is google hosting/supporting/encouraging spammers?

2010-02-03 Thread Suresh Ramasubramanian
ab...@gmail.com maybe? Looks like some random spammer based in Dubai
judging by the airport code.

On Thu, Feb 4, 2010 at 11:37 AM, Jim Mercer j...@reptiles.org wrote:
 we have recently started getting a lot of spam, out of dubai, from
 ecampaigners@gmail.com

 all of the spam comes from/through google and google groups.

 is this accepted/supported activity on google?

 if not, where might i find a contact who can cluefully respond?



-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: Mitigating human error in the SP

2010-02-02 Thread Suresh Ramasubramanian
Never said it was, and never said foolproof either.  Minimizing the
chance of error is what I'm after - and ssh'ing in + hand typing
configs isn't the way to go.

Use a known good template to provision stuff - and automatically
deploy it - and the chances of human error go down quite a lot. Getting
it down to zero defect from there is another kettle of fish altogether
- a much more expensive one, with dev / test, staging and production
environments, documented change processes, maintenance windows etc.

On Wed, Feb 3, 2010 at 7:00 AM, Michael Dillon
wavetos...@googlemail.com wrote:

 It is easy to create a tangled mess of OSS applications that are glued
 together by lots of manual human effort creating numerous opportunities
 for human error.
 So while I wholeheartedly support automation of network configuration, that is
 not a magic bullet. You also need to pay attention to the whole process, the
 whole chain of information flow.



-- 
Suresh Ramasubramanian (ops.li...@gmail.com)
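The template-plus-sanity-check approach argued for above, as an added example that is not from the thread or any project mentioned in it: the interface template, the "already deployed" subnet inventory and the customer parameters are all constructed for illustration, and the checks are the ones a provisioning pipeline would run before anything is pushed to a device.

```python
"""Template-driven provisioning with pre-deployment sanity checks.

Added example (not from the thread): renders a customer interface stanza
from a known-good template and refuses to emit anything that fails a set
of checks, so that a typo never reaches the router. The template, the
'deployed' inventory and the parameters are all constructed here.
"""
import ipaddress
import re
from string import Template

# Constructed known-good template; only the $ fields vary per customer.
INTERFACE_TEMPLATE = Template("""\
interface GigabitEthernet0/0/${port}.${vlan}
 description CUST:${customer}
 encapsulation dot1Q ${vlan}
 ip address ${address} ${netmask}
 ip verify unicast source reachable-via rx
 no ip proxy-arp
 ip access-group CUSTOMER-IN in
!
""")

# Constructed inventory of subnets already deployed on this router.
DEPLOYED_SUBNETS = [ipaddress.ip_network("192.0.2.0/30")]

# Customer tag: letters, digits, '-' and '_' only, so nothing odd lands
# in a description line.
_CUSTOMER_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,31}$")


class ProvisioningError(ValueError):
    """Raised when a parameter or the rendered config fails a check."""


def validate_params(port, vlan, customer, prefix):
    """Check the variable parts before they ever touch the template."""
    if not 0 <= port <= 7:
        raise ProvisioningError(f"port {port} out of range")
    if not 2 <= vlan <= 4094:  # 1 is the default VLAN, 4095 is reserved
        raise ProvisioningError(f"vlan {vlan} out of range")
    if not _CUSTOMER_RE.match(customer):
        raise ProvisioningError("customer tag has unexpected characters")
    try:
        iface = ipaddress.ip_interface(prefix)
    except ValueError as exc:
        raise ProvisioningError(f"bad address {prefix!r}: {exc}") from exc
    net = iface.network
    if net.prefixlen > 30:
        raise ProvisioningError("point-to-point /31 and /32 not allowed here")
    if iface.ip in (net.network_address, net.broadcast_address):
        raise ProvisioningError("router address must be a usable host address")
    for deployed in DEPLOYED_SUBNETS:
        if net.overlaps(deployed):
            raise ProvisioningError(f"{net} overlaps deployed {deployed}")
    return iface


def check_rendered(config):
    """Post-render checks: guarantees about what leaves this function."""
    lines = config.splitlines()
    if any(len(line) > 200 or "\t" in line for line in lines):
        raise ProvisioningError("unexpected characters in rendered config")
    # The security lines must survive rendering, whatever the template did.
    required = ("ip verify unicast source reachable-via rx",
                "ip access-group CUSTOMER-IN in")
    for needle in required:
        if not any(line.strip() == needle for line in lines):
            raise ProvisioningError(f"rendered config lost required line: {needle}")
    return config


def render_interface(port, vlan, customer, prefix):
    """Validate, render from the known-good template, then re-check the result."""
    iface = validate_params(port, vlan, customer, prefix)
    config = INTERFACE_TEMPLATE.substitute(
        port=port, vlan=vlan, customer=customer,
        address=str(iface.ip), netmask=str(iface.netmask),
    )
    return check_rendered(config)


if __name__ == "__main__":
    print(render_interface(1, 100, "acme-corp", "198.51.100.1/30"))
```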



Re: Mitigating human error in the SP

2010-02-01 Thread Suresh Ramasubramanian
On Tue, Feb 2, 2010 at 7:51 AM, Chadwick Sorrell mirot...@gmail.com wrote:

 This outage, of a high profile customer, triggered upper management to
 react by calling a meeting just days after.  Put bluntly, we've been
 told Human errors are unacceptable, and they will be completely
 eliminated.  One is too many.

Automated config deployment / provisioning.   And sanity checking
before deployment.

-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: Mitigating human error in the SP

2010-02-01 Thread Suresh Ramasubramanian
I'll say as vijay gill notes after Stefan posted those two very
interesting links.  He's saying much the same that I did - in a great
deal more detail.  Fascinating.

 http://www.nanog.org/meetings/nanog44/presentations/Monday/Gill_programatic_N44.pdf
 His Blog article on Infrastructure is Software further expounds upon the
 benefits of such an approach -
 http://vijaygill.wordpress.com/2009/07/22/infrastructure-is-software/

On Tue, Feb 2, 2010 at 8:28 AM, Dave CROCKER d...@dcrocker.net wrote:

 Otherwise, as Suresh notes, the only way to eliminate human error completely
 is to eliminate the presence of humans in the activity.



-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: Countries with the most botnets

2010-01-27 Thread Suresh Ramasubramanian
The CBL has stats too -

http://cbl.abuseat.org/totalflow.html - total spamtrap flow
http://cbl.abuseat.org/country.html - by country (india leads the pack yay?)
http://cbl.abuseat.org/domain.html - by ISP

On Thu, Jan 28, 2010 at 4:37 AM, Steven Bellovin s...@cs.columbia.edu wrote:
 A colleague needs to know, along with citable sources if possible.

 Ideally - number of zombified PCs, percentage of zombified PCs, name of
 nation, source.

 Threat reports from symantec and macafee suggest the US leads, with
 China a very close second.

 Yes, we realize that answers will be imperfect.



-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: Enhancing automation with network growth

2010-01-20 Thread Suresh Ramasubramanian
This should help with part of what you're doing - snmpstat and cisco
config repository.
http://snmpstat.sourceforge.net/

On Thu, Jan 21, 2010 at 8:24 AM, Steve Bertrand st...@ibctech.ca wrote:

 One thing that would take a major load off would be if my MRTG system
 could simply update its config/index files for itself, instead of me
 having to  do it on each and every port change.



-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: Virbl: The First IPv6 enabled dnsbl?

2010-01-15 Thread Suresh Ramasubramanian
The listing method is if you actually receive virus traffic over v6.
Which someone will, sooner or later ..

Yes, I agree with listing a slightly larger range - given that /64
seems to be what most anyone gets these days with a free tunnel.

I wish you all the very best of fun trying to run dnsbl zones serving up v6.

--srs

On Fri, Jan 15, 2010 at 9:20 PM, Mark Schouten ma...@bit.nl wrote:
 Hi,

 FYI:

 http://virbl.bit.nl/index.php#ipv6

 Comments on the listing method are appreciated.

 Regards,



-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: D/DoS mitigation hardware/software needed.

2010-01-04 Thread Suresh Ramasubramanian
On Tue, Jan 5, 2010 at 8:36 AM, Jeffrey Lyon
jeffrey.l...@blacklotus.net wrote:
 We have such a configuration in progress, it works great without any of the
 issues you're proposing.

So .. this is interesting.

The firewall would have to frontend your mail / web / whatever
application .. and if something goes beyond the firewall's rated
capacity (100k ++ - maybe nearly 150..175k connections per second for
a high end firewall), the firewall falls over.

And even before that, there's the risk of whatever application you're
protecting getting pounded flat if your firewall passes even a small
percentage of this traffic.

Do you -

1. Have (say) two firewalls in HA config?

2. Back your firewall with routing based measures, S/RTBH, blackhole
communities your upstream offers, etc [the standard nspsec bootcamp
stuff]

3. Simply back the firewall with a netflow based device?

4. Estimate that the risk of a DDoS that exceeds your firewall's rated
capacity is extremely low?  [and yes, 150k ++ connections per second
ddos is going to be massive, and relatively rare for most people]

--srs

-- 
Suresh Ramasubramanian (ops.li...@gmail.com)
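Option 3 above, a flow device watching the firewall's connection-rate ceiling, as an added example that is not from the thread or from any vendor product: the NetFlow-style record layout, the addresses and the rated capacity are constructed, and the rated figure is scaled down to a handful of connections per second so the sample fits here.

```python
"""Flow-based early warning for a stateful firewall's connection-rate ceiling.

Added example (not from the thread): walks NetFlow-style records in
1-second buckets, counts new TCP connections (SYN without ACK) per
destination, and flags any destination whose rate approaches the
firewall's rated connections-per-second, so that routing-based measures
(RTBH, upstream blackhole communities) can be engaged before the firewall
falls over. The record format, the addresses and the rate figures are
constructed.
"""
from collections import defaultdict

# Constructed flow export: epoch_second,src,dst,dport,tcp_flags,packets
# tcp_flags is the flag byte as NetFlow v5 exports it (SYN=0x02, ACK=0x10).
SAMPLE_FLOWS = """\
1262649600,198.51.100.7,203.0.113.10,25,0x02,1
1262649600,198.51.100.8,203.0.113.10,25,0x02,1
1262649600,198.51.100.9,203.0.113.10,25,0x02,1
1262649600,198.51.100.10,203.0.113.10,25,0x02,1
1262649600,198.51.100.11,203.0.113.10,25,0x02,1
1262649600,198.51.100.12,203.0.113.10,25,0x02,1
1262649600,192.0.2.5,203.0.113.20,443,0x12,3
1262649601,192.0.2.5,203.0.113.20,443,0x02,1
1262649601,198.51.100.7,203.0.113.10,25,0x02,1
"""
SYN, ACK = 0x02, 0x10


def parse_flows(text):
    """Parse the constructed CSV export into dicts, skipping blanks/comments."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, flags, pkts = line.split(",")
        records.append({"ts": int(ts), "src": src, "dst": dst,
                        "dport": int(dport), "flags": int(flags, 16),
                        "packets": int(pkts)})
    return records


def is_new_connection(rec):
    """A SYN without ACK is a connection attempt the firewall must track."""
    return bool(rec["flags"] & SYN) and not (rec["flags"] & ACK)


def connection_rates(records):
    """Return {(second, dst): (new_connections, distinct_sources)}."""
    buckets = defaultdict(lambda: [0, set()])
    for rec in records:
        if not is_new_connection(rec):
            continue
        bucket = buckets[(rec["ts"], rec["dst"])]
        bucket[0] += 1
        bucket[1].add(rec["src"])
    return {key: (count, len(srcs)) for key, (count, srcs) in buckets.items()}


def find_overloads(records, rated_cps, headroom=0.8):
    """Flag destinations whose per-second new-connection rate reaches
    headroom * rated_cps; 'distributed' tells you whether S/RTBH on a
    single source would help or whether the target itself must be handled."""
    alerts = []
    for (sec, dst), (count, nsrc) in sorted(connection_rates(records).items()):
        if count >= rated_cps * headroom:
            alerts.append({"second": sec, "dst": dst, "cps": count,
                           "sources": nsrc, "distributed": nsrc > 1})
    return alerts


if __name__ == "__main__":
    for alert in find_overloads(parse_flows(SAMPLE_FLOWS), rated_cps=6):
        print(alert)
```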



Re: D/DoS mitigation hardware/software needed.

2010-01-04 Thread Suresh Ramasubramanian
Two more options.  And for Netflow device - read that to mean Arbor or
its competitors.

5. Ditch the stateful firewall and exclusively use a netflow device

6. Outsource to a hosted DDoS mitigation service (Prolexic etc)

On Tue, Jan 5, 2010 at 8:43 AM, Suresh Ramasubramanian
ops.li...@gmail.com wrote:
 Do you -

 1. Have (say) two firewalls in HA config?

 2. Back your firewall with routing based measures, S/RTBH, blackhole
 communities your upstream offers, etc [the standard nspsec bootcamp
 stuff]

 3. Simply back the firewall with a netflow based device?

 4. Estimate that the risk of a DDoS that exceeds your firewall's rated
 capacity is extremely low?  [and yes, 150k ++ connections per second
 ddos is going to be massive, and relatively rare for most people]



Re: D/DoS mitigation hardware/software needed.

2010-01-04 Thread Suresh Ramasubramanian
With these safeguards in place - and with flow devices being part of
the mix somewhere .. what you propose is quite reasonable.

There's still the question of whether an application that receives a
lot of new / untrusted traffic - a mail or web server - would benefit
from having a stateful firewall in front .. Roland seems to think not.

--srs

On Tue, Jan 5, 2010 at 9:35 AM, Jeffrey Lyon
jeffrey.l...@blacklotus.net wrote:
 1. We have multiple nodes conducting DDoS scrubbing, one failing would not
 be catastrophic.

 2.  Indeed.

 3.  Sort of, such devices are downstream for extremely valid reasons I won't
 get into now.

 4. Indeed, we're equipped to handle substantially higher than 150kpps.

 I'm sure Arbor is really neat but I disagree that any DDoS appliance is a
 standalone solution. I don't expect an employee of the vendor themselves to
 attest to this though.



-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: D/DoS mitigation hardware/software needed.

2010-01-04 Thread Suresh Ramasubramanian
On Tue, Jan 5, 2010 at 10:35 AM, Rick Ernst na...@shreddedmail.com wrote:
 I'm interested in seeing products (including software) that already have the
 development (anomaly detection, trends/reports, etc.)  work done so I can
 spend my cycles elsewhere.

This might fit the bill - http://www.zurich.ibm.com/aurora/
Now commercially available as
http://www-01.ibm.com/software/tivoli/products/netcool-performance-flow/

Full disclosure - I work for big blue - but not in any division that
works on Aurora / Tivoli Netcool.

-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: D/DoS mitigation hardware/software needed.

2010-01-04 Thread Suresh Ramasubramanian
On Tue, Jan 5, 2010 at 10:38 AM, Dobbins, Roland rdobb...@arbor.net wrote:

 Additional mitigation would be via manual or automatic RTBH or
 security/abuse@ involvement with upstreams.

 Automagic is generally bad, as it can be gamed.

... and manual won't scale in ddos

-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: D/DoS mitigation hardware/software needed.

2010-01-04 Thread Suresh Ramasubramanian
On Tue, Jan 5, 2010 at 10:52 AM, Dobbins, Roland rdobb...@arbor.net wrote:

 I'm referring to the employment and selection of situationally-appropriate 
 tools, mind.  The tools themselves must of necessity perform their work in a 
 largely automated fashion once they're employed, which is what I believe you 
 actually meant.


fair enough.

-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: Article on spammers and their infrastructure

2010-01-03 Thread Suresh Ramasubramanian
On Sun, Jan 3, 2010 at 10:24 PM, Eric Brunner-Williams
brun...@nic-naa.net wrote:
 On 1/2/10 11:38 PM, Suresh Ramasubramanian wrote:
 ... it would be interesting if some process were developed to
 deaccredit or otherwise kill off the shell registrars

 Suresh, Why?

My comment was more in the context of this thread's original topic -
killing off bogus spam / botnet operations that become registrars
(and/or registrar resellers) who buy an outsourced instance of one of
the registrar in a box services, and are immediately in business.

Though, you might want to prevent shell registrars for the same
reasons that auctions try to weed out shill bidders.

And while it is a rational economic idea for a bidder to game an
auction by setting up shills, the auctioneer and the other bidders
lose out in the end.

 Now, shell registrars are a pain in the ass, not for operational reasons,
 but because every time someone wants to say something stupid and get away
 with it they say some large number of registrars.

That too of course.   Reminds you of Tammany Hall sometimes? :)

 Shell registrars are not, generally, the source of primary registrations of
 arbitrarily abusive intent. That problem lies elsewhere and is adequately
 documented.

Wasn't talking about shell entities set up by various registrars for
drop catching and such.   Though as I pointed out, those could be
weeded out for fairly sensible economic reasons, for the same reasons
such practices are discouraged in elections, auctions, rationing
systems (like the depression era / WW-II food stamps system) etc.

Was talking about totally bogus registrars (that is, a spammer sets up
an LLC, said LLC submits all the paperwork to become a registrar,
rents an instance of a DIY registrar service .. and starts doing
roaring business with just one customer - the spammer).

--srs



Re: Are the Servers of Spamhaus.rg and blackholes.us down?

2010-01-02 Thread Suresh Ramasubramanian
If our friend here is checking for spamhaus.rg he's out of luck.  I am
sure he'll have better luck checking for spamhaus.ORG instead

--srs

On Thu, Dec 31, 2009 at 6:41 PM, John Peach john-na...@johnpeach.com wrote:
 On Thu, 31 Dec 2009 12:28:41 +0100 (CET)
 Raymond Dijkxhoorn raym...@prolocation.net wrote:

  Are these blacklist servers down since Xmas? We have received many
  errors from these servers in the last few days...

 blackholes.us has been non-existent for over a year. Their netblocks

 Can't help you with spamhaus...



Re: Article on spammers and their infrastructure

2010-01-02 Thread Suresh Ramasubramanian
While not at all touching the accuracy of knujon's stats with a
bargepole, it would be interesting if some process were developed to
deaccredit or otherwise kill off the shell registrars .. and the bogus
LIRs (which is how the thread started).

On Thu, Dec 31, 2009 at 10:02 PM, Eric Brunner-Williams
brun...@nic-naa.net wrote:

 [1] shell registrars exist for another exploit, to maximize race contention
 results for the VGRS drop pool, the acquisition of expired names which have
 name value or residual traffic monitization value. Four companies control
 318 US domiciled ICANN accreditations: eNom (116), Directi/PDR (47), Dotster
 (51), and Snapnames (104). Source: http://www.knujon.com/registrars/



-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: RBN and it's spin-offs

2009-12-30 Thread Suresh Ramasubramanian
On Thu, Dec 31, 2009 at 4:00 AM, Keith Medcalf kmedc...@dessus.com wrote:

 Reportedly started by someone operating under the name Flyman, RBN is
 known as the mother of cybercrime among online investigators. François
 Paget, senior expert for the McAfee company, says that RBN began as an
 Internet provider and offered impenetrable hosting for $600 a month.
 This meant a guarantee that it would not give out information about
 its clients, no matter what business they were in.

 This is a commendable position and one that should be the default for all 
 businesses.  Severe penalties (such as cutting out of the tongue or cutting 
 off hands) should be dealt to anyone who releases private information without 
 having first ensured that such disclosure is in accordance with a properly 
 obtained court order issued by a competent court in a public hearing (and no, 
 administrative tribunals are not courts of law).



Wow.  I always knew there existed some alternate universe where the
RBN were actually the good guys.  Didn't expect to find it so fast,
and on nanog at that.


-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: RBN and it's spin-offs

2009-12-30 Thread Suresh Ramasubramanian
Ferg nailed it.  I'll shut up now as he's made my point and it's new
year's eve ..

On Thu, Dec 31, 2009 at 9:42 AM, Paul Ferguson fergdawgs...@gmail.com wrote:

 That's funny.

 You're assuming that the MLAT [1] process works -- it doesn't.

 - - ferg

 [1] http://en.wikipedia.org/wiki/Mutual_Legal_Assistance_Treaty



-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: Article on spammers and their infrastructure

2009-12-22 Thread Suresh Ramasubramanian
With the added refinement of spammer / botmaster controlled LIRs ..
after spammer / botmaster controlled registrars.
I did wonder sometimes how some snowshoe spammers could keep acquiring
a series of /20 to /15 sized CIDRs over the past year or two.

On Tue, Dec 22, 2009 at 6:38 PM, Tony Finch d...@dotat.at wrote:
 Sounds like a snowshoe setup to me.

 Tony.



-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: Article on spammers and their infrastructure

2009-12-22 Thread Suresh Ramasubramanian
On Wed, Dec 23, 2009 at 4:24 AM, Joel Jaeggli joe...@bogus.com wrote:
 Christopher Morrow wrote:
 On Tue, Dec 22, 2009 at 4:24 PM, Jon Lewis jle...@lewis.org wrote:


 Should US based networks be willing to route RIPE ASSIGNED PA space
 customers provide?

 Are any of your customers multinationals?

What would you do if a shell company (the European equivalent of an LLC
with a UPS store address) came to you with a large sized PA netblock
from out of region, and asked you to route it for them?

-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: Tools BOF at NANOG-48

2009-12-21 Thread Suresh Ramasubramanian
Hi.  I'd like to see some content on log aggregation from multiple
sources (parse mail / web / IDS / netflow / ... etc logs) and analysis
of logs from these multiple sources.  For security, traffic
engineering etc etc.

Using a tool like Splunk, for example - and any other alternatives to
homegrown perl scripts.

--srs

On Sun, Dec 20, 2009 at 10:42 PM, Mohit Lad mohit...@gmail.com wrote:

  As part of the tools BOF, I also plan to run a short 15-20 min Tools
 roundup outlining the most common non-commercial tools used for day to day
 networking tasks. The objective of this is not to present details of tools,
 but rather a rough taxonomy. Feel free to suggest tools you find useful.



-- 
Suresh Ramasubramanian (ops.li...@gmail.com)
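The log aggregation the post asks for, as an added example that is not code from the post or from any tool it names: three constructed log lines (a postfix reject, an Apache combined-format request, a Snort "fast" alert) are parsed into a common event shape and keyed by client IP, so that a host showing up across several sources surfaces immediately. The log formats, field layouts and sample addresses are assumptions for illustration; the regexes below handle only these constructed lines, not every variant of each format.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed sample lines (not real logs). 203.0.113.7 appears in all three
# sources; 198.51.100.77 is an ordinary web visitor that should not be flagged.
SAMPLE_LOGS = [
    "Dec 20 10:01:02 mx1 postfix/smtpd[1234]: NOQUEUE: reject: RCPT from "
    "unknown[203.0.113.7]: 554 5.7.1 Service unavailable",
    '203.0.113.7 - - [20/Dec/2009:10:02:15 +0000] "GET /wp-login.php HTTP/1.1" '
    '403 512 "-" "curl/7.19"',
    '198.51.100.77 - - [20/Dec/2009:10:02:40 +0000] "GET /index.html HTTP/1.1" '
    '200 2048 "-" "Mozilla/5.0"',
    "12/20-10:03:01.123456  [**] [1:2000000:1] ET SCAN Suspicious inbound probe "
    "[**] [Priority: 2] {TCP} 203.0.113.7:51234 -> 198.51.100.10:22",
    "this line matches no parser and is skipped",
]


@dataclass(frozen=True)
class Event:
    source: str   # which log family produced it: mail, web or ids
    ip: str       # the remote client address the line is about
    detail: str   # short human-readable summary of the line


# One parser per source; each extracts the client IP and a summary.
MAIL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<detail>NOQUEUE: reject): RCPT from \S+\[(?P<ip>[\d.]+)\]")
WEB_RE = re.compile(
    r'^(?P<ip>[\d.]+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3})')
IDS_RE = re.compile(
    r"\[\*\*\] \[\d+:\d+:\d+\] (?P<msg>.*?) \[\*\*\].*\{\w+\} (?P<ip>[\d.]+):\d+ ->")


def parse_line(line: str) -> Optional[Event]:
    """Try each source's parser in turn; return None for lines nobody understands."""
    m = MAIL_RE.search(line)
    if m:
        return Event("mail", m["ip"], m["detail"])
    m = WEB_RE.match(line)
    if m:
        return Event("web", m["ip"], f'{m["status"]} {m["req"]}')
    m = IDS_RE.search(line)
    if m:
        return Event("ids", m["ip"], m["msg"])
    return None


def correlate(lines: Iterable[str]) -> Dict[str, List[Event]]:
    """Group parsed events by client IP regardless of which log they came from."""
    by_ip: Dict[str, List[Event]] = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            by_ip[ev.ip].append(ev)
    return dict(by_ip)


def cross_source_hits(by_ip: Dict[str, List[Event]], min_sources: int = 2) -> Dict[str, List[str]]:
    """Return IPs seen in at least min_sources distinct log families, with those families."""
    hits = {}
    for ip, events in by_ip.items():
        sources = sorted({e.source for e in events})
        if len(sources) >= min_sources:
            hits[ip] = sources
    return hits


if __name__ == "__main__":
    grouped = correlate(SAMPLE_LOGS)
    for ip, sources in cross_source_hits(grouped).items():
        print(f"{ip}: seen in {', '.join(sources)}")
        for e in grouped[ip]:
            print(f"    [{e.source}] {e.detail}")
```

The point of normalising to a common `Event` first is that the correlation step never needs to know about log formats; adding netflow or a fourth source is one more parser, not a change to the analysis.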



Re: Arrogant RBL list maintainers

2009-12-15 Thread Suresh Ramasubramanian
Security by obscurity, in this day and age? :)

On Wed, Dec 16, 2009 at 11:42 AM, James Hess mysi...@gmail.com wrote:
 As is common for many domains.
 Spammers coming in  by  scanning  large ranges of IPs,  have no
 pointer to report  the  mailserver they discovered  is �...@example.com
  inbound  (or outbound) mail.

 Since the RDNS domain is different, and in fact generic,  which  helps
 avoid  assisting the spammer  in identifying the IP as an  inbound
 mail server.



-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: Qwest mail admin contact?

2009-12-10 Thread Suresh Ramasubramanian
Related to any of these?
http://www.spamhaus.org/sbl/listings.lasso?isp=data102.com
Or maybe this - http://www.spamhaus.org/sbl/sbl.lasso?query=SBL51908

$ whois -h whois.cymru.com 128.168.0.0/16
AS  | IP   | AS Name
33302   | 128.168.0.0  | ONS-COS - Data 102, LLC

Whatever the issue is, it might make sense for you to fix it before
you contact Qwest - they'd be more likely to respond that way.

On Fri, Dec 11, 2009 at 1:06 AM, randal k na...@data102.com wrote:
 If one is listening, can I get a Qwest mail admin to drop me a line
 off-list? Numerous emails to postmaster, abuse, relay, etc all seem to be
 deadends.

-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: Earthlink SMTP Admin Contact?

2009-12-09 Thread Suresh Ramasubramanian
Is the IP space anywhere near these -
http://www.spamhaus.org/sbl/listings.lasso?isp=limestonenetworks.com

Found 7 SBL listings for IPs under the responsibility of limestonenetworks.com

SBL82484
69.162.119.163/32   limestonenetworks.com
03-Dec-2009 18:14 GMT   BOA phish site

SBL81933
74.63.211.0/24  limestonenetworks.com
25-Nov-2009 01:23 GMT   Snowshoe spam range (Dynabucks)

SBL81769
69.162.115.157/32   limestonenetworks.com
22-Nov-2009 21:54 GMT   Spammed malware sites on fast-flux hacked systems

SBL81707
216.245.216.64/27   limestonenetworks.com
21-Nov-2009 16:24 GMT   MMF snowshoe spam

SBL81125
216.245.222.192/26  limestonenetworks.com
10-Nov-2009 14:00 GMT   Suspected Snowshoe Spam Range

SBL78721
69.162.68.160/29    limestonenetworks.com
17-Sep-2009 08:03 GMT   emailmkt.org

SBL78720
216.245.204.32/27   limestonenetworks.com
17-Sep-2009 08:01 GMT   emailmkt.org


On Wed, Dec 9, 2009 at 10:26 PM, Ryan Gelobter
r.gelob...@limestonenetworks.com wrote:
 Thanks for the number, but their NOC was unable to help me. They referred me 
 back to their Abuse Mailbox and abuse e-mail addresses 
 (blockedbyearthl...@abuse.earthlink.net, ab...@abuse.earthlink.net). They 
 were unable to provide any alternative number or e-mail address. I ended up 
 calling their corporate office (404.815.0770) and spoke to an operator who 
 confirmed with senior tech's that the abuse team their checks the mailbox but 
 they apparently are not in the office and work from home. Senior tech support 
 tells me the mail server is not blocked even though I get blocked messages 
 and escalating it further would not do anything as they show it as not 
 blocked.

 Tech support uses the same procedure as the mail administrator does which is 
 to e-mail blockedbyearthlink@ address with the subject BLOCKED: 
 xxx.xxx.xxx.xxx (replace with the ip) and if it is blocked they will unblock 
 you. Sadly, I tried that already.



-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: SPF Configurations

2009-12-08 Thread Suresh Ramasubramanian
Absolutely #3 - far more of a threat than #1 and #2.

On Tue, Dec 8, 2009 at 10:09 PM, Tony Finch d...@dotat.at wrote:
 Three :-)

 1. Forwarding users on your campus - with mailboxes that accept a lot
 of spam and then forward it over to student / alumni AOL, Comcast,
 Yahoo etc accounts
 2. Spam generated by infected PCs / laptops, hacked machines etc on
 your campus LAN

 3. Spammers abusing your webmail and/or remote message submission service
 using phished credentials.



-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: SPF Configurations

2009-12-07 Thread Suresh Ramasubramanian
On Mon, Dec 7, 2009 at 11:21 PM, Michael Holstein
michael.holst...@csuohio.edu wrote:

 Personally, I think SPF is a major PITA operations-wise .. but if you've
 ever had to fill out the form to get un-blacklisted at Yahoo/AOL, that's
 one of the first things they ask .. do you have a spfv1 record defined?.

With yahoo and aol - they'd be just as satisfied if you used, say, DKIM.
Hotmail's the only one that insists on sender-id (not spfv1 either)

As for a university smarthost getting blocked you'd probably need to
look at one of two things -
1. Forwarding users on your campus - with mailboxes that accept a lot
of spam and then forward it over to student / alumni AOL, Comcast,
Yahoo etc accounts
2. Spam generated by infected PCs / laptops, hacked machines etc on
your campus LAN

If you took steps to fix some of these -
1. Isolate your forwarding through a separate IP or subnet, filter it
before forwarding on
2. Separate your outbound to another set of IPs, again filter
and a few other things - related to this .. you'd get blocked far less.

Joe St.Sauver of UOregon, being a maawg senior tech advisor and also
active in EDUCAUSE etc, might have a white paper on this, like he does
on most other security related issues under the sun :)

-- 
Suresh Ramasubramanian (ops.li...@gmail.com)
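Why the forwarding case in point 1 interacts so badly with SPF, as an added example that is not code from the post: a deliberately simplified SPF evaluator (ip4, ip6 and all mechanisms with their qualifiers only; no include, a, mx or redirect, so no DNS) is run against constructed records for the documentation domains example.com and example.net. The same message passes when it arrives from the sender's own outbound host and fails once a campus mailbox has forwarded it on from a campus IP, which is exactly the "russian roulette" the thread talks about. Records, addresses and the "permerror" convention for unimplemented mechanisms are assumptions of this example.

```python
import ipaddress

# Constructed SPF records for documentation domains (not real DNS data).
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "example.net": "v=spf1 ip4:198.51.100.0/24 ~all",
}

# RFC 7208 qualifier prefixes and the result each one yields on a match.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, client_ip: str) -> str:
    """Simplified SPF check: walks ip4/ip6/all terms left to right.

    Mechanisms that would need DNS (include, a, mx, redirect) are not
    implemented here and are reported as "permerror" (this example's own
    convention, not the RFC's handling of those mechanisms).
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                      # an unqualified mechanism means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")  # ip6 values contain ':' too; first one splits
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # Address-family mismatch simply does not match (ipaddress returns False).
            if ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
            continue
        return "permerror"
    return "neutral"  # no mechanism matched and no "all" term: RFC default


def check_delivery(sender_domain: str, connecting_ip: str) -> str:
    """Result a receiver would get for MAIL FROM in sender_domain from connecting_ip."""
    record = SPF_RECORDS.get(sender_domain)
    return evaluate_spf(record, connecting_ip) if record else "none"


if __name__ == "__main__":
    # Direct delivery from example.com's own outbound host.
    print("direct   :", check_delivery("example.com", "192.0.2.10"))
    # Same message, now forwarded on by a campus mailbox from campus IP 203.0.113.25
    # (constructed): the receiver sees the campus IP, and the sender's record rejects it.
    print("forwarded:", check_delivery("example.com", "203.0.113.25"))
```

A receiver that enforces "-all" strictly will bounce the forwarded copy, and the bounce and reputation hit land on the campus smarthost, not on the original sender; that is the operational reason to put forwarding on its own IPs and filter it first, as point 1 of the fixes above says.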



Re: Breaking the internet (hotels, guestnet style)

2009-12-07 Thread Suresh Ramasubramanian
Swisscom Eurospot - found all through Europe and ruinously expensive
at like 25 euro a day, 9 euro an hour.
See http://www.mcabee.org/lists/nanog/Feb-07/msg00046.html for what
goes on there .. dns proxying, and broken at that.

On Tue, Dec 8, 2009 at 6:08 AM, Jared Mauch ja...@puck.nether.net wrote:

 On Dec 7, 2009, at 7:23 PM, Brielle Bruns wrote:

 I'm noticing alot of these places are doing things which work perfectly with 
 Windows, but not Mac, Linux, etc.  Drives me bonkers, and we make sure to 
 let management know we won't stay at their hotel in the future because of 
 said issues.

 I'd prefer to not create a blacklist of hotels that have ghetto internet 
 access, but perhaps this is something we can aggregate?

 I'm mostly tired of people saying the internet is http(s) only.  Even had 
 hotels in Japan do some really nasty things...

 - Jared




-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: Breaking the internet (hotels, guestnet style)

2009-12-07 Thread Suresh Ramasubramanian
You could just firewall off port 25 and leave 587 open - to save
yourself from a bunch of viruses and such.
A lot of people will use webmail anyway - from a hotel.  And you avoid
getting blacklisted

The other option is to install a device that examines email flows and
allows only stuff it doesn't think is spammy (netflow for email kind
of, with all the bayesian etc secret sauce).
Two devices come to mind

* Symantec E160 (used to be called turntide, and before that, back in
2002-03, spam squelcher)
* Mailchannels (www.mailchannels.com)

There's probably a few more that do this and are totally transparent.

On Tue, Dec 8, 2009 at 6:54 AM, Andrew Cox and...@accessplus.com.au wrote:

 I would be interested to hear what people have to say about this, as the
 only other option I could think of would involve checking the incoming
 connection to see if the end user was trying to authenticate to a mail
 server before determining where to forward the connection onto (Layer 7
 stuff, gets a bit tricky)



-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Remote hands requested near sherman oaks LA [urgent]

2009-12-06 Thread Suresh Ramasubramanian
Sorry for the noise ..  Got me a (personal) box that has a borked grub
after an OS upgrade.

Need to get somebody there who can just go in, probably fix
/boot/grub/menu.lst to say the right thing, run grub (maybe boot in
with a live cd, mount and run grub.. you know the drill)

Is anybody in or near Sherman Oaks LA who can help fix this?   Please
email ASAP, I'll hook you up with the person who can get you access.

Sorry for the urgent - that box has been down for over 24 hrs now.

gave up waiting for root device
common problem:
boot args (cat/proc/cmdline)
check root delay = (did the system wait long enough?)
check root = (did the system wait for the right device?0
missing modules (cat/pro/modules;ls/dev)
alert!  /dev/disk/by-uuid/42b8599e-f7bc-4626-ad08-4ba6427513d1 does
not exist.  dropping to a shell
busybox v1.13.3(ubuntu 1:1.13.3-1ubuntu7 built in shell (ash)
enter 'help' for a list of commands
(initramfs):

-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Sherman Oaks CA - Re: Remote hands requested near sherman oaks LA [urgent]

2009-12-06 Thread Suresh Ramasubramanian
Too damn early (5:23 AM) .. the box is at Sherman Oaks CA - near Los Angeles LA.
Sigh.

 --Original Message--
 From: Suresh Ramasubramanian
 To: nanog@nanog.org
 Subject: Remote hands requested near sherman oaks LA [urgent]
 Sent: Dec 6, 2009 15:42

 Sorry for the noise ..  Got me a (personal) box that has a borked grub
 after an OS upgrade.



Re: Remote hands requested near sherman oaks LA [urgent]

2009-12-06 Thread Suresh Ramasubramanian
Remote hand found. Thank you.



Re: port scanning from spoofed addresses

2009-12-04 Thread Suresh Ramasubramanian
On Thu, Dec 3, 2009 at 10:35 PM, Matthew Huff mh...@ox.com wrote:
 We are seeing a large number of tcp connection attempts to ports known to 
 have security issues. The source addresses are spoofed from our address 
 range. They are easy to block at our border router obviously, but the number 
 and volume is a bit worrisome. Our upstream providers appear to be 
 uninterested in tracing or blocking them. Is this the new normal? One of my 
 concerns is that if others are seeing probe attempts, they will see them from 
 these addresses and of course, contact us.

 Any suggestions on what to do next? Or just ignore.

Filter it out and then ignore.   Might as well filter it out - see
http://thespamdiaries.blogspot.com/2006/02/new-host-cloaking-technique-used-by.html



Re: SPF Configurations

2009-12-04 Thread Suresh Ramasubramanian
On Fri, Dec 4, 2009 at 9:55 PM, Jeffrey Negro jne...@billtrust.com wrote:
 I'm wondering if a few DNS experts out there could give me some input on
 SPF record configuration.  Our company sends out about 50k - 100k emails
 a day, and most emails are on behalf of customers to their end users at

SPF records aren't going to help as much as some list sending and
deliverability best practices (feedback loops etc) are.
Look at the MAAWG senders best practices document - www.maawg.org -
Published Documents

Other than delivery to hotmail, spf is a total waste of time - plus it
plays russian roulette with whatever email you handle



Re: ATT SMTP Admin contact?

2009-12-02 Thread Suresh Ramasubramanian
On Thu, Dec 3, 2009 at 12:08 AM, Chris Owen ow...@hubris.net wrote:
 On Dec 2, 2009, at 12:31 PM, Rich Kulawiec wrote:

 Because SenderID and SPF have no anti-spam value, and almost no
 anti-forgery value.  Not that this stops a *lot* of people who've drunk
 the kool-aid from trying to use them anyway,

 OK, I'll bite--How exactly do you go about forging email from my domain name 
 if the host receiving it is checking SPF?

Don't let me stop you playing russian roulette with your users' email.



Re: Finding asymmetric path

2009-11-28 Thread Suresh Ramasubramanian
Yes - term the account would be my recommendation

And if you filter port 25 traffic do it both ways

Read these old nanog threads ..
http://www.irbs.net/internet/nanog/0408/0465.html and
http://www.mail-archive.com/na...@merit.edu/msg28863.html

On Sun, Nov 29, 2009 at 3:58 AM, William Herrin
herrin-na...@dirtside.com wrote:
 On Sat, Nov 28, 2009 at 2:14 PM, ML m...@kenweb.org wrote:
 Brielle is correct.  The customer in question is spamming networks and we
 are having trouble filtering them because another provider allows them to
 source traffic however they please.

 What trouble? SMTP requires two-way traffic with a static port number
 that nothing else uses. If for some reason you don't want to simply
 terminate their account altogether, block packets outbound to your
 customer sourced from TCP port 25 but not from your SMTP smarthosts.

 Seriously though, if you can prove they're spamming (regardless of
 whether the packets pass through your network) save yourself some
 grief and just terminate the account.

 Regards,
 Bill Herrin


 --
 William D. Herrin  her...@dirtside.com  b...@herrin.us
 3005 Crane Dr. .. Web: http://bill.herrin.us/
 Falls Church, VA 22042-3004





-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: I got a live one! - Spam source

2009-11-25 Thread Suresh Ramasubramanian
On Wed, Nov 25, 2009 at 10:55 PM, Michael Peddemors
mich...@linuxmagic.com wrote:

 Could you elaborate on what constitutes correct swip information?


 Sure, you just opened the door to my opinions on this :)


Dysfunctional rwhois servers sounds more like general brokenness than
malice.  The other interesting (!) characteristic of this sort of bulk
mailer discussed in this thread is that the netblock is most likely
swipped / rwhois'd to a brand new shell company LLC, headquartered in
what looks like a UPS store maildrop.



fight club :) richard bennett vs various nanogers, on paid peering

2009-11-24 Thread Suresh Ramasubramanian
http://gigaom.com/2009/11/22/how-video-is-changing-the-internet/

Does the FTC's question 106 hurt paid peering or not?  88 comments.
Makes real interesting reading, I must say.

srs



Re: I got a live one! - Spam source

2009-11-24 Thread Suresh Ramasubramanian
On Wed, Nov 25, 2009 at 8:52 AM, Russell Myba rusm...@gmail.com wrote:
 Looks like of our customers has decided to turn their /24 into a nice little
 space spewing machine.  Doesn't seem like just one compromised host.

 Reverse DNS for most of the /24 are suspicious domains.  Each domain used in
 the message-id forwards to a single .net which lists their mailing address
 as a PO box an single link to an unsubscribe field.

Sounds like what spamhaus.org calls snowshoe. What /24 would this be?



Re: dealing with bogon spam ?

2009-10-28 Thread Suresh Ramasubramanian
Ah, colo4jax I see. Jacksonville, Florida.

68.234.16.0/20 shows up as unallocated but as these guys own the
previous /20 it's probably a stale arin db and a brand new allocation

  Prefix             AS Path                      Aggregation Suggestion
  68.234.0.0/20      4777 2497 25973 40430
  68.234.16.0/20     4608 1221 4637 3561 40430
  69.174.96.0/21     4777 2497 25973 40430
  173.205.80.0/20    4777 2497 25973 40430
  204.237.184.0/21   4777 2497 25973 40430
  204.237.192.0/22   4777 2497 25973 40430
  208.153.96.0/22    4777 2497 25973 40430
  208.169.228.0/22   4777 2497 25973 40430


On Wed, Oct 28, 2009 at 12:14 PM, Leslie les...@craigslist.org wrote:
 Yes, unallocated (at least according to ARIN's whois db) but not unannounced
 - obviously our network can get to the space or else I wouldn't be having a
 spam problem with them!   I'm actually seeing this  /20 as advertised
 through Savvis from AS40430

 It seems to me like the best solution might be a semi-hacky solution of
 asking arin (and other IRR's) if i can copy its DB and creating an internal
 peer which null routes unallocated blocks (updated nightly?)

 Has anyone seen an IRR's DB's not being updated for more than 30 days after
 allocations?  I always assumed that they are quickly updated.

 Thanks again,
 Leslie

 Jon Lewis wrote:

 Unallocated doesn't mean non-routed.  All a spammer needs is a
 willing/non-filtering provider doing BGP with them, and they can announce
 any space they like, send out some spam, and then pull the announcement.
 Next morning, when you see the spam and try to figure out who to send
 complaints to, you're either going to complain to the wrong people or find
 that whois is of no help.

 On Tue, 27 Oct 2009, Church, Charles wrote:

 This is puzzling me.  If it's from non-announced space, at some point
 some router should report no route to it.  How is the TCP handshake
 performed to allow a sync to turn into spam?

 Chuck

 Chuck Church
 Network Planning Engineer, CCIE #8776
 Harris Information Technology Services
 DOD Programs
 1210 N. Parker Rd. | Greenville, SC 29609
 Office: 864-335-9473 | Cell: 864-266-3978
 --
 Sent using BlackBerry







-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: dealing with bogon spam ?

2009-10-28 Thread Suresh Ramasubramanian
You are using it the wrong way .. most of the drop list is directly
spammer controlled space used as, for example, CC for botnets.
You'd see tons of abuse and little or no smtp traffic from a lot of
those hosts.

On Thu, Oct 29, 2009 at 12:26 AM, Jason Bertoch ja...@i6ix.com wrote:
 Justin Shore wrote:
 As a brief off-shoot of the original topic, has anyone scripted the use of
 Spamhaus's DROP list in a RTBH, ACLs, null-routes, etc?  I'm not asking if
 people think it's safe; that's up to the network wanting to deploy it.  I'm

 Downloading and parsing is easy.  I used to drop it into the config for a
 small dns server, rbldnsd I believe, that understands CIDR and used it as a
 local blacklist.  It did very little to stop spam and I was never brave
 enough to script an automatic update to BGP.
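Two pieces of border filtering discussed on this page, as one added example that is not code from any post here: the "filter it out" advice for probes arriving from upstream with source addresses in your own range (the port scanning thread above), and matching sources against a Spamhaus DROP-style list without pushing it into BGP (this thread). The DROP list text is a constructed sample in the real list's "CIDR ; SBLnnn" line shape, using documentation prefixes only; the prefixes, interface names and packet records are assumptions. The example also goes one step beyond the page by rejecting inside-to-outside packets whose source is not in your own space (BCP38-style egress filtering), since the same prefix test answers that question too.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed DROP-style list. The real file uses the same "cidr ; reference"
# layout with ';' comment lines, but these entries and SBL numbers are made up.
DROP_SAMPLE = """\
; DROP-style list (constructed sample, not the real list)
; Last-Modified: Wed, 28 Oct 2009 00:00:00 GMT
192.0.2.0/24 ; SBL000001
198.51.100.128/25 ; SBL000002
"""

# The address space this network originates (constructed).
OUR_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed packet records: (ingress interface, source address).
SAMPLE_PACKETS = [
    ("outside", "203.0.113.42"),    # our own address arriving from upstream: spoofed
    ("outside", "192.0.2.9"),       # source inside a DROP-listed block
    ("outside", "198.51.100.5"),    # ordinary remote host
    ("inside",  "203.0.113.42"),    # our own host leaving normally
    ("inside",  "198.51.100.200"),  # inside host emitting a foreign source: spoofed egress
]


def parse_drop(text: str) -> Dict[ipaddress.IPv4Network, str]:
    """Parse 'cidr ; reference' lines; ';' also starts comments, blank lines are skipped."""
    entries = {}
    for raw in text.splitlines():
        cidr, _, reference = raw.partition(";")
        cidr = cidr.strip()
        if not cidr:
            continue
        # strict=True: a malformed entry (host bits set) is a data error, not something to guess at
        entries[ipaddress.ip_network(cidr, strict=True)] = reference.strip()
    return entries


def classify(iface: str, src: str, drop_entries, our_prefixes) -> str:
    """Decide what a border filter should do with one packet, with the reason."""
    ip = ipaddress.ip_address(src)
    ours = any(ip in prefix for prefix in our_prefixes)
    if iface == "outside" and ours:
        return "drop: spoofed source (our own space arriving from upstream)"
    if iface == "inside" and not ours:
        return "drop: spoofed egress (source not in our space)"
    for net, reference in drop_entries.items():
        if ip in net:
            return f"drop: DROP list {reference}"
    return "accept"


def classify_all(packets: List[Tuple[str, str]], drop_entries, our_prefixes) -> List[str]:
    return [classify(iface, src, drop_entries, our_prefixes) for iface, src in packets]


if __name__ == "__main__":
    drop = parse_drop(DROP_SAMPLE)
    for (iface, src), verdict in zip(SAMPLE_PACKETS, classify_all(SAMPLE_PACKETS, drop, OUR_PREFIXES)):
        print(f"{iface:7} {src:16} {verdict}")
```

Keeping the DROP match as a reason string rather than a bare boolean matters for the point made in this thread: if you log which SBL reference fired, you can see for yourself whether the listed block is producing SMTP traffic or the botnet command-and-control traffic the list is actually aimed at.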



Re: dealing with bogon spam ?

2009-10-27 Thread Suresh Ramasubramanian
What /20 would this be, and can you blame an out of date whois client
or whois db for it?

If the /20 is being routed, and announced - chances are it IS allocated.

On Wed, Oct 28, 2009 at 5:40 AM, Leslie les...@craigslist.org wrote:
 I failed to mention we're seeing this from an unallocated /20 whose parent
 /8 is allocated to ARIN (and is partially in use)

 Leslie



Re: dealing with bogon spam ?

2009-10-27 Thread Suresh Ramasubramanian
Having been postmastering at various places for about a decade, I have
seen that too - yes.  But cymru style filtering means it's kind of out
of fashion now.

Though - a lot of the cases I've seen have been

1. Out of date whois client and the IP's been allocated after the
whois client came out (with a hardcoded list of unallocated IPs)
2. Whois db is out of date - comparatively rarer but known to occur

Especially if you see a mainstream carrier routing it instead of some
small outfit in Eastern Europe  .. chances are it's a stale db somewhere
rather than a totally unallocated block and phantom routing

On Wed, Oct 28, 2009 at 6:25 AM, Jon Kibler jon.kib...@aset.com wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 Suresh Ramasubramanian wrote:

 If the /20 is being routed, and announced - chances are it IS allocated.

 Don't bet on it. This is one of the oldest spammer tricks in the book. I 
 worked
 with ISPs as far back as the late 90s trying to track down poachers who
 temporarily squat on an unallocated block and announce it to the world.




Re: dealing with bogon spam ?

2009-10-27 Thread Suresh Ramasubramanian
Seen it before - but mostly for malware rather than for spam.  And
certainly not long enough / persistent enough for a full fledged spam
campaign (4..5 days rather than a day or two at the most when people
start noticing and dropping the bogus announcement)

On Wed, Oct 28, 2009 at 6:57 AM, Jon Lewis jle...@lewis.org wrote:
 Unallocated doesn't mean non-routed.  All a spammer needs is a
 willing/non-filtering provider doing BGP with them, and they can announce
 any space they like, send out some spam, and then pull the announcement.
 Next morning, when you see the spam and try to figure out who to send
 complaints to, you're either going to complain to the wrong people or find
 that whois is of no help.


