Re: Navy Marine Corps Internet hit

2003-08-19 Thread Adi Linden
> > Obviously they didn't filter 135, 137-139, 445, and inbound > > Not obvious. I know of several sites that were infected even though they > had filters in place, due to infected laptops being brought on-site. Filtering ports 135, 137-139, 445, and only delays the inevitable...

Re: Navy Marine Corps Internet hit

2003-08-19 Thread Scott Weeks
On Tue, 19 Aug 2003 [EMAIL PROTECTED] wrote: : > Obviously they didn't filter 135, 137-139, 445, and inbound : : Not obvious. I know of several sites that were infected even though they : had filters in place, due to infected laptops being brought on-site. :: The new EDS managed Navy Mar

Re: anybody know the owner of 209.251.0.0/19?

2003-08-19 Thread william
If you check arin whois, you can find ip block 209.251.0.0 - 209.251.23.255 listed as NETBLK-SISCOM-BLK-1 (why would ARIN assign them /20 + /21 but not make it easier for everyone and just do /19 ?): [whois.arin.net] OrgName:SISCOM OrgID: SISC Address:130 W. Second St. Addr

Re: Virus emails from nanog mail list

2003-08-19 Thread Stephen J. Wilcox
On Tue, 19 Aug 2003, David Diaz wrote: > > Spam may be off topic but in this case relevant. Has anyone else > noticed bounced emails that appear to have originated from their > nanog email boxes and contain viruses? > > Obviously some bot has gone through the nanog list and is now forging >

Re: Navy Marine Corps Internet hit

2003-08-19 Thread Gary E. Miller
Yo Scott! They better start blocking port 25 too. That has been the big problem today... RGDS GARY --- Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701 [EMAIL PROTECTED] Tel:+1(541)382-8588 Fax: +

Re: Don't beat me, but i've noticed a huge influx of these .pif virii today.

2003-08-19 Thread Steven M. Bellovin
In message <[EMAIL PROTECTED]>, Drew Weaver writes: >Don't kill me for posting this, it may be slightly off topic but >I have noticed a very odd spike in traffic with these virii that have .pifs >attached to them. > >The subject is random. > >The body always says: > >"See attached f

Re: Why do you use Netflow

2003-08-19 Thread james
: what sort of tools are you using to interpret netflow, other than cflowd : (which I've found overly complex and not graphical enough) CUGrapher.pl

Re: Navy Marine Corps Internet hit

2003-08-19 Thread vern
> Obviously they didn't filter 135, 137-139, 445, and inbound Not obvious. I know of several sites that were infected even though they had filters in place, due to infected laptops being brought on-site. Vern

Re: Navy Marine Corps Internet hit

2003-08-19 Thread Scott Weeks
Obviously they didn't filter 135, 137-139, 445, and inbound, so I doubt we can hope that they were blocking it outbound to keep their machines from infecting other networks... scott On Tue, 19 Aug 2003, Sean Donelan wrote: : : : The new EDS managed Navy Marine Corps Intranet with 100,

RE: Rules and Regs for a LEC's and Non LEC's

2003-08-19 Thread McBurnett, Jim
-RBOCs (note, not ILECs) cannot move inter-lata traffic without being -approved by PUC in each state for "interstate long distance". (I believe -this is part of 1984 MFJ). -CLECs have no restrictions on that. Neither do non-CLEC ISPs. ---alex I thought this only applied to VOICE traffic. AS fa

Navy Marine Corps Internet hit

2003-08-19 Thread Sean Donelan
The new EDS managed Navy Marine Corps Intranet with 100,000 users has become so congested by worm traffic it can not be used for useful work today. http://www.nwfusion.com/news/2003/0819navy.html

Sobig.f harvesting from websites? (was Re: Virus emails from nanogmail list)

2003-08-19 Thread [EMAIL PROTECTED]
On Tue, 19 Aug 2003, Steven M. Bellovin wrote: > I've gotten hundreds of such bounce messages today. Only a few have > Received: lines, but those have differed. I don't know for sure if > it's the nanog list, since I don't use a different email address for it. I suspect it's the list archive

Re: Why do you use Netflow

2003-08-19 Thread james
On a day like today, Net Flows was very useful to clue me into why some dial up users were dead in the water. 500kbs of incoming ICMP. James Edwards Routing and Security [EMAIL PROTECTED] At the Santa Fe Office: Internet at Cyber Mesa

Re: Rules and Regs for a LEC's and Non LEC's

2003-08-19 Thread alex
> I was told by various sources that unless the vendor of my choosing is a > LEC of some sort, they cannot back-haul production traffic as a private > network, and that this is a FCC restriction regarding LEC licensing for > traffic/long distance etc. These various sources do not have actual > da

Re: Don't beat me, but i've noticed a huge influx of these .pif viriitoday.

2003-08-19 Thread Jack Bates
Jade E. Deane wrote: Drew, You're not seeing things. I would say you can thank "W32/Sobig.F-mm", referenced in http://news.com.com/2100-1002_3-5065494.html. I'd like to point out that this variant is the most aggressive yet of the Sobig family. However, I think this aggressiveness is possibly a

Rules and Regs for a LEC's and Non LEC's

2003-08-19 Thread Aaron D. Britt
I am considering transporting back-up traffic through a non-LEC for a possible DR design initiative using a couple DS3 transfer arrangements that terminate through a 3rd parties network full time, allowing that same 3rd party to redirect these same ports, during a disaster, to various hot sites wi

Re: Why do you use Netflow

2003-08-19 Thread Jack Bates
Jason Frisvold wrote: We used ip accounting the other night to detect and disable a large number of worm infected users that took out the router completely.. I think net flow would have been too much overhead at the time... Once we were down to a more manageable number of infected users, we used

Re: Don't beat me, but i've noticed a huge influx of these .pif virii today.

2003-08-19 Thread Henry Linneweh
Now having personally experienced the worm myself. This is how it went, there was no known way to remove the worm with any current software for the variety that I had, it was mutagenic, recognized AVP, and other forms of disinfectors and went nuts propagating itself to the point the only soluti

RE: Why do you use Netflow

2003-08-19 Thread Mark Borchers
> > > What are you looking at when you analyze this data? I've > seen uses > > > such as top 10 destination AS's for peering evaluations. > What else? > > > Billing? > > > > > > -Lance- > > > > Also to get some application-specific bandwidth utilization numbers. > > > I wonder how do you ma

CBC on Air Canada virus

2003-08-19 Thread Fred Heutte
http://calgary.cbc.ca/regional/servlet/View?filename=ca_aircanada20030819 Web Posted Aug 19 2003 01:36 PM MDT Air Canada hit by computer slowdown Calgary - A pair of computer viruses is being blamed for major disruptions in airports across North America Tuesday, including Calgary International

Re: Why do you use Netflow

2003-08-19 Thread Jason Frisvold
On Tue, 2003-08-19 at 16:12, Jack Bates wrote: > Number one use for netflow, scan detections. I detect most users > infected with a virus before remote networks can auto-gen a report. I > also detect mail being sent from various customer machines. High volume > traffic flags me so I can investig

Re: some wide-scale airline reservations issue

2003-08-19 Thread Sean Butler
At 04:01 PM 8/19/2003, Mike Tancsa wrote: sobig.f is REALLY making the rounds. I think it's been effective as it plays on the public awareness of "some security hole" and "needed fixes from Microsoft." As the worm says, "Hi, I am from Microsoft, you need this patch" a greater than normal amount

Re: Don't beat me, but i've noticed a huge influx of these .pifvirii today.

2003-08-19 Thread Jade E. Deane
Drew, You're not seeing things. I would say you can thank "W32/Sobig.F-mm", referenced in http://news.com.com/2100-1002_3-5065494.html. Allow me to quote a bit from the story: [quote] The sender appears to be someone from a recognized domain name, such as ibm.com, zdnet.com or microsoft.com. The

Re: Why do you use Netflow

2003-08-19 Thread Petri Helenius
> > > What are you looking at when you analyze this data? I've > > seen uses such as top 10 destination AS's for peering > > evaluations. What else? Billing? > > > > -Lance- > > Also to get some application-specific bandwidth utilization > numbers. > I wonder how do you map your netflow data to

Re: Why do you use Netflow

2003-08-19 Thread Paul A. Bradford
Well, On ciscos, we use it to track down DOS attacks in a put it on, troubleshoot, take it off manner. Works great on not Catalyst stuff... put it on.. wait 30 seconds look for anything with K packets and you've got your bad guy, hopefully. Thanks, Paul On Tue, 2003-08-19 at 15:55, [EMAIL

Re: Why do you use Netflow

2003-08-19 Thread Jared Mauch
On Tue, Aug 19, 2003 at 12:55:33PM -0700, [EMAIL PROTECTED] wrote: > > Are operators frequently using netflow nowadays? I assume that if you are, you turn > it on only for > some limited duration to collect your data and then go back and do your analysis. > Is this assumption correct? > > Wh

Re: Why do you use Netflow

2003-08-19 Thread Jack Bates
[EMAIL PROTECTED] wrote: Are operators frequently using netflow nowadays? I assume that if you are, you turn it on only for some limited duration to collect your data and then go back and do your analysis. Is this assumption correct? Netflow overhead is relatively low considering what it does.

RE: Why do you use Netflow

2003-08-19 Thread Mark Borchers
> What are you looking at when you analyze this data? I've > seen uses such as top 10 destination AS's for peering > evaluations. What else? Billing? > > -Lance- Also to get some application-specific bandwidth utilization numbers.

Don't beat me, but i've noticed a huge influx of these .pif virii today.

2003-08-19 Thread Drew Weaver
Don't kill me for posting this, it may be slightly off topic but I have noticed a very odd spike in traffic with these virii that have .pifs attached to them. The subject is random. The body always says: "See attached file for details" and they're always a pif file.

RE: some wide-scale airline reservations issue

2003-08-19 Thread Ingevaldson, Dan (ISS Atlanta)
Joe- Sounds like this: http://story.news.yahoo.com/news?tmpl=story&cid=581&ncid=581&e=1&u=/nm/20030819/tc_nm/airlines_aircanada_virus_dc -d -Original Message- From: Joe Abley [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 19, 2003 3:40 PM To: [EMAIL PROTECTED] Subject: some wide-sca

Re: some wide-scale airline reservations issue

2003-08-19 Thread Joe Abley
On Tuesday, 19 August 2003, at 15:55PM, Mark Segal wrote: I heard.. (via CBC I think).. That their computer system in Toronto crashed during the power outage.. My guess is they have some serious problem with their DB. I just booked a ticket.. Hopefully I am going somewhere. :) Google pointe

Re: some wide-scale airline reservations issue

2003-08-19 Thread Mike Tancsa
At 03:40 PM 19/08/2003 -0400, Joe Abley wrote: The consistent component of the ongoing rumour mill is that this is due to "some computer virus". sobig.f is REALLY making the rounds. I think it's been effective as it plays on the public awareness of "some security hole" and "needed fixes from Mic

RE: some wide-scale airline reservations issue

2003-08-19 Thread Mark Segal
I heard.. (via CBC I think).. That their computer system in Toronto crashed during the power outage.. My guess is they have some serious problem with their DB. I just booked a ticket.. Hopefully I am going somewhere. :) Mark -- Mark Segal Director, Network Planning FCI Broadband Tel: 905-284

Why do you use Netflow

2003-08-19 Thread lance_tatman
Are operators frequently using netflow nowadays? I assume that if you are, you turn it on only for some limited duration to collect your data and then go back and do your analysis. Is this assumption correct? What are you looking at when you analyze this data? I've seen uses such as top 10 d

some wide-scale airline reservations issue

2003-08-19 Thread Joe Abley
I'm sitting on the tarmac on AC63 from YVR to ICN which was due to take off about half an hour ago. So far they have about a quarter of the plane loaded. The problem I am hearing is that there's a system-wide network issue with Air Canada, and other airlines as well: "apparently everybody" is

anybody know the owner of 209.251.0.0/19?

2003-08-19 Thread Paul Vixie
i'm getting spammed from there... [sa:i386] ./find-spam.pl 209.251.0.0/19 SELECT HOST(s.relay) AS relay, s.entered, s.md5, s.body_md5, LENGTH(s.header)+LENGTH(b.body)+1 AS size, s.header FROM spam s LEFT JOIN bodies b ON s.bo

Fwd: Re: Virus emails from nanog mail list

2003-08-19 Thread David Diaz
Forwarding this for Mark, he deserved some credit for verifying the IP but did not want his other addy harvested. It's like you need a wing man now for posting to mail lists! Cougar Subject: Re: Virus emails from nanog mail list From: "Mark J. Scheller" To: David Diaz <[EMAIL PROTECTED]> Dat

RE: AT&T Blocking ICMP (was RE: AT&T US Network Slowdown?)

2003-08-19 Thread Mark Segal
UPDATED: The Nachi worm will infect vulnerable Windows XP and 2000 machines using the same exploit used by the MS Blast worm family. The main difference between Nachi and MS Blast, is that Nachi will remove and disable MS Blast infections that it encounters, and download and install the correct

Re: Virus emails from nanog mail list

2003-08-19 Thread Petri Helenius
> > The IP address (which may or may not be accurate) appears to be > [195.157.87.253]. > > Has anyone else noticed this recently? > I have received 100+ SoBig trojan emails in the last few hours from IP 12.107.153.212. It figures, seems to be located in AT&T land so there might also be conne

Re: Virus emails from nanog mail list

2003-08-19 Thread Valdis . Kletnieks
On Tue, 19 Aug 2003 12:42:49 EDT, David Diaz <[EMAIL PROTECTED]> said: > Obviously some bot has gone through the nanog list and is now forging > headers such that they appear to come from those addresses, and they > are attaching viruses. More likely, some poor lurker at the IP address listed ha

RE: Virus emails from nanog mail list

2003-08-19 Thread Dan Lockwood
I have not seen the NANOG email problem, but have received several tens of thousands of SPAM messages that claim to be from '[EMAIL PROTECTED]'. The originating address in the messages is 66.218.66.70. As David pointed out, this may or may not be correct. Dan -Original Message- From: Da

Re: Virus emails from nanog mail list

2003-08-19 Thread Steven M. Bellovin
In message <[EMAIL PROTECTED]>, David Diaz writes: > >Spam may be off topic but in this case relevant. Has anyone else >noticed bounced emails that appear to have originated from their >nanog email boxes and contain viruses? > >Obviously some bot has gone through the nanog list and is now forgin

Re: Virus emails from nanog mail list

2003-08-19 Thread Kevin Oberman
> Date: Tue, 19 Aug 2003 12:42:49 -0400 > From: David Diaz <[EMAIL PROTECTED]> > Sender: [EMAIL PROTECTED] > > > Spam may be off topic but in this case relevant. Has anyone else > noticed bounced emails that appear to have originated from their > nanog email boxes and contain viruses? > > O

Clean yourselves up, please (was Re: Details)

2003-08-19 Thread George Bakos
Looks like someone on the list is infected with SoBig-F. If you are using Windows, you may want to update A/V, folks. g On Tue, 19 Aug 2003 12:27:02 EDT "CERT(R) Coordination Center" <[EMAIL PROTECTED]> wrote: > -BEGIN PGP SIGNED MESSAGE- > > **

RE: AT&T Blocking ICMP

2003-08-19 Thread Mike Tancsa
Are they blocking just icmp echo or everything ? ---Mike At 12:29 PM 19/08/2003 -0400, Ingevaldson, Dan (ISS Atlanta) wrote: The "Nachi" worm propagates via MSRPC DCOM and the IIS WebDAV bug. It may be causing this storm because it runs 300 scanning threads, and it pings each IP first

Virus emails from nanog mail list

2003-08-19 Thread David Diaz
Spam may be off topic but in this case relevant. Has anyone else noticed bounced emails that appear to have originated from their nanog email boxes and contain viruses? Obviously some bot has gone through the nanog list and is now forging headers such that they appear to come from those address

Re: AT&T Blocking ICMP (was RE: AT&T US Network Slowdown?)

2003-08-19 Thread Valdis . Kletnieks
On Tue, 19 Aug 2003 12:19:28 EDT, Paul Jasa <[EMAIL PROTECTED]> said: > A call to AT&T Worldnet confirms that AT&T Worldnet service is blocking ICMP in > order to deal with an undefined emergency. Nothing posted on their site, nor > any other info is available. If anyone has info related to th

RE: AT&T Blocking ICMP (was RE: AT&T US Network Slowdown?)

2003-08-19 Thread Ingevaldson, Dan (ISS Atlanta)
The "Nachi" worm propagates via MSRPC DCOM and the IIS WebDAV bug. It may be causing this storm because it runs 300 scanning threads, and it pings each IP first. http://xforce.iss.net/xforce/alerts/id/150 MS Blast wasn't multithreaded. Regards, === Daniel Ingevaldso

Re: Details

2003-08-19 Thread CERT(R) Coordination Center
-BEGIN PGP SIGNED MESSAGE- *** [NOTE -- THIS IS AN AUTOMATED RESPONSE] Thank you for contacting the CERT(R) Coordination Center. We appreciate your contacting us and consider your communications with

AT&T Blocking ICMP (was RE: AT&T US Network Slowdown?)

2003-08-19 Thread Paul Jasa
A call to AT&T Worldnet confirms that AT&T Worldnet service is blocking ICMP in order to deal with an undefined emergency. Nothing posted on their site, nor any other info is available. If anyone has info related to this "icmp outage", please advise. Thanks! pj =

RE: Natural Gas Generator manufacturer opinions? (might be off topic?)

2003-08-19 Thread Bender, Andrew
Capstone and Ingersoll-Rand NG turbines seem to be in favor these days among the paranoid. http://www.capstoneturbine.com/ http://www.irpowerworks.com/ These may be up to 2x the cost of a diesel, but they run forever, you can put them anywhere, they always start, and the fuel never gets fouled

Worldnet People on list?

2003-08-19 Thread Drew Weaver
Any worldnet people on the list? It looks like they blacklisted one of my email servers and the reason: is truncated and I have no idea why, I've tried sending a bunch of email to them from another domain but I've been summarily ignored. Thanks, -Drew

RE: Natural Gas Generator manufacturer opinions? (might be off topic?)

2003-08-19 Thread Jeffrey Wheat
I'd be interested in this information as well. Thanks, Jeff -Original Message- From: Drew Weaver [mailto:[EMAIL PROTECTED] Sent: Monday, August 18, 2003 10:21 AM To: '[EMAIL PROTECTED]' Subject: Natural Gas Generator manufacturer opinions? (might be off topi

Re: BGP route tracking.

2003-08-19 Thread cowie
> > Anybody watching the bgp routing table.. I see about 5,000 less routes than > > usual. Anybody know a good pointer.. > > Okay, here are a couple quick screenshots of what we're looking at > tonight. [..] We've collected some more plots and maps describing BGP outage patterns during las