Re: [uknof] LINX84

2014-02-13 Thread Nic Lewis

Errr.
At 12:42 13/02/2014, Rob Lister wrote:

 [...] more drugs were ingested and I pretty much passed out in my 
hotel room.

Sounds like you'll fit right in!
(I'm not allowed to talk about *those* LINX meetings...)


I have fond memories of an early LINX meeting etiquette that required 
any participant who allowed their mobile to ring audibly during the 
meeting to buy all the attendees a beer each.
As attendance reached 50+ that became a very serious issue! But I'm 
not allowed to talk about *those* LINX meetings...too much...


Regards
Nic



;-)





Re: [uknof] LINX84

2014-02-13 Thread Stephen Wilcox
On 13 February 2014 13:39, Nic Lewis n...@nlewis.net wrote:

 Errr.

 At 12:42 13/02/2014, Rob Lister wrote:

   [...] more drugs were ingested and I pretty much passed out in my hotel
 room.
 Sounds like you'll fit right in!
 (I'm not allowed to talk about *those* LINX meetings...)


 I have fond memories of an early LINX meeting etiquette that required any
 participant who allowed their mobile to ring audibly during the meeting to
 buy all the attendees a beer each.
 As attendance reached 50+ that became a very serious issue! But I'm not
 allowed to talk about *those* LINX meetings...too much...



Hmm since I used to regularly buy everyone a beer after the meeting
finished, perhaps I should just do that again and this time I'll just sit
in the meeting happily taking calls all day long. Forfeit accepted!

 Steve


 Regards
 Nic


  ;-)






Re: [uknof] DNS/NTP censured, a solution !

2014-02-13 Thread James Davis
On 12/02/2014 23:07, Robin Williams wrote:

 Interesting timing - we've also been seeing a big increase in the
 same over the last few weeks, mainly targeting schools from
 automated  ( cheap!) online 'booter' services (presumably
 instigated by students who have had enough of their IT lessons).

If you are seeing attacks against schools and Janet is upstream -
please let us know as and when it occurs. Even if all that we do (and
we try to do a lot more) is add it to our statistics it's still
valuable to build up a picture of activity for the rest of the community.

We can be contacted at i...@csirt.ja.net or 0300 999 2340.

Thanks,

James

- -- 
James Davis    0300 999 2340 (+44 1235 822340)
Senior CSIRT Member 
Lumen House, Library Avenue, Didcot, Oxfordshire, OX11 0SG

Janet(UK) is a trading name of Jisc Collections and Janet Limited, a 
not-for-profit company which is registered in England under No. 2881024 
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238




Re: [uknof] DNS/NTP censured, a solution !

2014-02-13 Thread Robin Williams

On 13/02/14 17:14, Keith Mitchell wrote:

On 02/12/2014 06:37 PM, Wright, Matthew wrote:

List of open NTP servers from http://openntpproject.org/

Also http://www.openresolverproject.org

But it's not just about NTP and DNS, pretty much any UDP-based service
that can do amplification is in play, e.g. SNMP, Chargen and I've even
seen QOTD (UDP 19).





Yep, one that hit us the other week was UDP Chargen. After seeing the 
source port in flows, I tried a few of them on TCP 19 as well, and to my 
surprise, there it was.  And there was me thinking Chargen was a thing 
of the 80's!


It'd be nice to be able to automatically pull the full lists from these 
various scanning projects to use in statistical analysis as part of DDoS 
mitigation (i.e. if my traffic has just shot up and the majority of it 
is coming from IPs listed in these databases, I can take a pretty fair 
bet at what's happening and start to rate limit or temporarily block 
these sources).  Anyone know if there is an interface for automated 
downloading of the raw data? Is anyone involved in these projects on 
list?  It looks like you can request the data manually at the moment.


It'd also be good to discuss merging data from these projects into an 
upstream 'open-generalbadstuff-project'.


Cheers,
Robin
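
The check proposed in the message above (what share of inbound traffic comes from sources on an open-amplifier list), sketched as an added example that is not part of the original thread. The flow-record format, the list contents and the names `LISTED`, `FLOWS` and `assess` are assumptions made for illustration; the scanning projects' real export format is not described on this page.

```python
import ipaddress
from collections import Counter

# Well-known UDP ports of the services named in the thread (RFC 865, 864, DNS, NTP, SNMP).
AMPLIFIER_PORTS = {17: "qotd", 19: "chargen", 53: "dns", 123: "ntp", 161: "snmp"}

# Constructed stand-in for a scanning project's list (documentation address ranges).
LISTED = [ipaddress.ip_network(n)
          for n in ("192.0.2.0/28", "198.51.100.7/32", "203.0.113.64/26")]

# Constructed flow summary for one victim: "src_ip proto src_port bytes".
FLOWS = """\
192.0.2.3 udp 19 480000
192.0.2.9 udp 19 510000
198.51.100.7 udp 123 350000
203.0.113.70 udp 53 220000
203.0.113.200 udp 19 90000
198.51.100.50 tcp 443 120000
198.51.100.51 tcp 80 30000
"""

def is_listed(ip):
    """True if the source address falls inside any listed prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LISTED)

def assess(flow_text, threshold=0.5):
    """Return the byte share from listed amplifiers and the sources to rate limit."""
    total = listed_bytes = 0
    by_service = Counter()
    candidates = set()
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records rather than guessing
        src, proto, sport, nbytes = parts[0], parts[1], int(parts[2]), int(parts[3])
        total += nbytes
        # Reflected traffic arrives FROM the amplifier's service port.
        if proto == "udp" and sport in AMPLIFIER_PORTS:
            by_service[AMPLIFIER_PORTS[sport]] += nbytes
            if is_listed(src):
                listed_bytes += nbytes
                candidates.add(src)
    share = listed_bytes / total if total else 0.0
    return {"share": share, "reflection": share >= threshold,
            "by_service": dict(by_service), "candidates": sorted(candidates)}

if __name__ == "__main__":
    print(assess(FLOWS))
```

Sources that send from an amplifier port but are not on the list (here 203.0.113.200) still count in `by_service`, which is a hint that the list is stale or incomplete.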




Re: [uknof] DNS/NTP censured, a solution !

2014-02-13 Thread Peter Knapp
It would also be useful to be able to run resolver scans via ASN or larger 
block reports too. Limited to a /22 takes a fair old while.

Peter Knapp
 


-Original Message-
From: uknof [mailto:uknof-boun...@lists.uknof.org.uk] On Behalf Of Robin 
Williams
Sent: 13 February 2014 18:05
To: Keith Mitchell
Cc: uknof@lists.uknof.org.uk
Subject: Re: [uknof] DNS/NTP censured, a solution !

On 13/02/14 17:14, Keith Mitchell wrote:
 On 02/12/2014 06:37 PM, Wright, Matthew wrote:
 List of open NTP servers from http://openntpproject.org/
 Also http://www.openresolverproject.org

 But it's not just about NTP and DNS, pretty much any UDP-based service 
 that can do amplification is in play, e.g. SNMP, Chargen and I've even 
 seen QOTD (UDP 19).




Yep, one that hit us the other week was UDP Chargen. After seeing the source 
port in flows, I tried a few of them on TCP 19 as well, and to my surprise, 
there it was.  And there was me thinking Chargen was a thing of the 80's!

It'd be nice to be able to automatically pull the full lists from these various 
scanning projects to use in statistical analysis as part of DDoS mitigation 
(i.e. if my traffic has just shot up and the majority of it is coming from IPs 
listed in these databases, I can take a pretty fair bet at what's happening and 
start to rate limit or temporarily block these sources).  Anyone know if there 
is an interface for automated downloading of the raw data? Is anyone involved 
in these projects on list?  It looks like you can request the data manually at 
the moment.

It'd also be good to discuss merging data from these projects into an upstream 
'open-generalbadstuff-project'.

Cheers,
Robin