First of all, have your tools ready so that whenever DoS pounds on you, you can
immediately activate them and they will give you an overview of the DoS attack
such as size of the attack, source/dest (random or one/two or spoofed?), et al.
Then you need to contact your upstream first to hve them d
On Tue, 7 Oct 2003, Avleen Vig wrote:
> You knew the sources are small and you knew where they were. You did the
> right thing by contacting FSU, and then their upstream.
> If either was unresponsive, they are being extremely neglegent.
Its generally a better idea to contact your own upstream pro
- Original Message -
From: "Mark Radabaugh" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, October 07, 2003 11:56 PM
Subject: Re: DoS Attacks
>
> I think I would follow two avenues next time - the direct approach with
FSU
> (or wherever the traffic is coming from) as well as
On Tue, Oct 07, 2003 at 11:45:35PM -0400, Brian Bruns wrote:
> So here I am, asking if anyone here has any advice on dealing with these
> issues in the future? Its painfully apparent noone takes these situations
> seriously enough. What should we do when we are put in a position like
> this? Ju
> So here I am, asking if anyone here has any advice on dealing with these
> issues in the future? Its painfully apparent noone takes these situations
> seriously enough. What should we do when we are put in a position like
> this? Just sit back and hope it goes away itself?
>
> Also, any idea
Greetings all,
Time for the "kooky routing idea of the year" post...
Scenario:
AS65000 is a bandwidth provider. One of their downstreams wishes
to peer with AS65100, or to multihome with AS65100 as a second
upstream. The obvious and 100% correct answer is for $downstream
to register their o
Oh boy, what a fun night this was. After a 4 or so hours downtime, my
servers are back up and running.
Heres the gorey details.
At about 7pm EST, we began having unusual issues with our network, the
router, and several machines on the network. For the first part of the
attack, we were held dow
I got a copy from someone on Videotron just a short while ago:
Return-Path: <[EMAIL PROTECTED]>
Received: from modemcable100.179-201-24.mtl.mc.videotron.ca
([24.201.179.100]) by fep02-mail.bloor.is.net.cable.rogers.com
(InterMail vM.5.01.05.12 201-253-122-126-112-20020820) wit
Looking for someone at Level3.
While this pales in comparison to Cisco's DoS situation, my home DSL
connection is currently getting slammed by a Level3 customer who has
in the past week attempted to send me 2.6 million email messages in
bursts that are swamping my connection--even though I reje
Charles,
Let's add a very important line:
"Then They Came for the OC-3 or smaller connections
and I did not speak out
because I run fat OC-12 - OC-48 pipes"
which doesn't help you much today.
I've seen attacks of around a Gbit/s bandwidth. So a OC-48 is already
in danger. The OC-12 is useless. A
Declan McCullagh <[EMAIL PROTECTED]> 10/7/03 3:58:33 PM >>>
>
>They're here:
>http://www.mccullagh.org/theme/icann-verisign-meeting-oct03.html
>
>I double-checked everyone's names and affiliations but I could have
>made an error. If I did, please let me know.
>
>Thanks,
>Declan
Is it just m
At 05:55 PM 07/10/2003, Declan McCullagh wrote:
On Mon, Oct 06, 2003 at 11:41:14PM -0400, Mike Tancsa wrote:
> http://news.com.com/2100-1038_3-5087139.html?tag=nefd_top
> The article makes me wonder if CNET is the press, or an outlet for press
> releases. The Internet community is almost uniform i
They're here:
http://www.mccullagh.org/theme/icann-verisign-meeting-oct03.html
I double-checked everyone's names and affiliations but I could have
made an error. If I did, please let me know.
Thanks,
Declan
On Mon, Oct 06, 2003 at 11:41:14PM -0400, Mike Tancsa wrote:
> http://news.com.com/2100-1038_3-5087139.html?tag=nefd_top
> The article makes me wonder if CNET is the press, or an outlet for press
> releases. The Internet community is almost uniform in expressing outrage
> for numerous REAL reas
On Tue, Oct 07, 2003 at 09:27:06AM -0400, William Allen Simpson wrote:
> I will not participate in a VeriSign sponsored list, as that might
> give fodder for another "press release" claiming network operators and
> designers had reviewed and approved the VeriSign changes. I recommend
> that ot
On Mon, Oct 06, 2003 at 11:28:33PM -0400, Brian Bruns wrote:
> When smacked down about IE integration and WMP integration, they screamed
> bloody murder and claimed freedom of innovation. Exactly what
> NetSol/Verisign is doing. Maybe they have the same PR firm?
Without taking a position on the
Ok, I've been working on this for a while, its still v1.1 of the document,
so it needs some more work including references and stuff like that. I
wrote it in AbiWord, but it didn't translate to HTML so well, will work on
getting it better later on tonight. Comments are welcome.
http://www.sosdg
At 10:00 AM -0700 10/7/03, Owen DeLong wrote:
development, but, I think whatever comes out should be brought back here
for review before being launched at the press as a statement of community
position. I think it should also be taken to other similar lists and
The recently posted "LINX Letter to
On Tue, 7 Oct 2003, Howard C. Berkowitz wrote:
>
> At 10:27 AM +0100 10/7/03, [EMAIL PROTECTED] wrote:
> > >I think this list may be a very good choice of where to construct
> >>such a response.
> >
> >Are you being paid by Verisign?
>
> A disclaimer seems appropriate -- right now, I'm being onl
On Tue, Oct 07, 2003 at 11:28:34AM -0700, Crist Clark wrote:
==>Jared Mauch wrote:
==>>
==>> I've reported it to them in the past and their IT
==>> folks can't seem to get it fixed :(
==>
==>In BIND logs too, but if I do the check now, they both seem to be returning
==>authoritive record
Jared Mauch wrote:
>
> They've had this broken for weeks now.
>
> You'll also see (depending on nameserver)
>
> this in your logs:
>
> Oct 7 14:10:36 unix named[3502]: lame server resolving 'ftp.cisco.com' (in
> 'ftp.cisco.com'?): 64.102.255.39#53
> Oct 7 14:10:36 un
Crist Clark [07/10/03 10:51 -0700]:
> ftp.cisco.com name server rtp5-dirty-ddir.cisco.com
> ftp.cisco.com name server sjce-dirty-ddir.cisco.com
>
> Look at the query time. The other NS for ftp.cisco.com has a similar
> time for me. I didn't show it here, but the NS records for ftp.cisco.com
>
They've had this broken for weeks now.
You'll also see (depending on nameserver)
this in your logs:
Oct 7 14:10:36 unix named[3502]: lame server resolving 'ftp.cisco.com' (in
'ftp.cisco.com'?): 64.102.255.39#53
Oct 7 14:10:36 unix named[3502]: lame server resolving 'f
On 7 Oct 2003 17:39 UTC Ezequiel Carson <[EMAIL PROTECTED]> wrote:
| hi, can you resolve ftp.cisco.com?
|
| [EMAIL PROTECTED] /]# ping ftp.cisco.com
| ping: unknown host ftp.cisco.com
| [EMAIL PROTECTED] /]#
|
| something is wrong here
I can both resolve and reach it from opposite en
Subject: [IP] Yesterdays WJS article on Versign
http://www.interesting-people.org/archives/interesting-people/200310/msg00057.h
tml
--- Forwarded Message
Date: Tue, 07 Oct 2003 04:45:48 -0400
To: [EMAIL PROTECTED]
From: Dave Farber <[EMAIL PROTECTED]>
Subject: [IP] Yesterdays WJS article on
Ezequiel Carson wrote:
>
> hi,
>
> can you resolve ftp.cisco.com?
>
> [EMAIL PROTECTED] /]# ping ftp.cisco.com
> ping: unknown host ftp.cisco.com
> [EMAIL PROTECTED] /]#
>
> something is wrong here
Their DNS is a little strange and slow, but it resolves for me,
[521:~] host -t
Works from here:
[EMAIL PROTECTED] james]# tcptraceroute ftp.cisco.com 21
Selected device eth0, address 65.19.4.24 for outgoing packets
Tracing the path to ftp.cisco.com (198.133.219.27) on TCP port 21, 30 hops max
1 alb-router.cybermesa.com (65.19.1.2) 19.750 ms 0.234 ms 0.261 ms
2 albuqu
works here
Mehmet Akcin
- Original Message -
From: "Ezequiel Carson" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, October 07, 2003 1:39 PM
Subject: ftp.cisco.com broken ?
>
> hi,
>
> can you resolve ftp.cisco.com?
>
> [EMAIL PROTECTED] /]# ping ftp.cisco.com
> ping: u
> we're only upset because Verisign makes money off of this.
I'm sure that is a factor too.
Verisign have a contract to operate a shared registry, as a monopoly is
unreasonable, but hijack it to make a different service that nobody
else gets to bid for running.
If such a service were a feasibl
On Tue, 7 Oct 2003, Ezequiel Carson wrote:
> can you resolve ftp.cisco.com?
>
> [EMAIL PROTECTED] /]# ping ftp.cisco.com
> ping: unknown host ftp.cisco.com
> [EMAIL PROTECTED] /]#
Probably something to do with the DDoS they said they were under
yesterday.
Non-authoritative answer:
>We're continuing the work the issue, and would be grateful if operators
>would check for 40-byte spoofed TCP headed towards 198.133.219.25/32 and
>trace/block it as warranted. Your patience and understanding are greatly
>appreciated.
>
>Thanks!
>
>
hi,
can you resolve ftp.cisco.com?
[EMAIL PROTECTED] /]# ping ftp.cisco.com
ping: unknown host ftp.cisco.com
[EMAIL PROTECTED] /]#
something is wrong here
ezequiel.
--On Tuesday, October 7, 2003 10:27 AM +0100 [EMAIL PROTECTED]
wrote:
I think this list may be a very good choice of where to construct
such a response.
Are you being paid by Verisign?
Absolutely not. In fact, I would be almost as glad to see Verisign
disappear
as Micr0$0ft. Lately, I'm beg
foro de redes has been going on since '91. the mailing list is
enredo.
randy
On Mon, 6 Oct 2003, Matt wrote:
The nsp-security list coordinates the interaction between ISPs and NSPs in
near real-time. The list has helped mitigate attacks and will continue to
do so. Those interested in being members and that fulfill the
requirements should review:
https://puck.nether.n
Hi Brad, Paul,
I received the below note from ARIN yesterday evening regarding their NS
changes on Thursday. This should explain what we're seeing. It appears
some older versions of BIND and some os-bundled resolver libraries may be
affected.
Trent
Original Message
Subject: R
At 10:59 AM -0400 10/7/03, William Allen Simpson wrote:
"Howard C. Berkowitz" wrote:
> I hope to get to at least part of the ICANN meeting
I think I'll have myself organized enough to get there for the
afternoon part of the meeting. Wish they had said if there was a
working lunch.
In the i
On Mon, 6 Oct 2003, wayne wrote:
> As seen on /.
>
> http://news.com.com/2010-1071-5086769.html
Also on /. a parody of that article too funny not to link to:
http://yro.slashdot.org/comments.pl?sid=81344&cid=7150189
I reformatted it for easier reading here:
http://kod.inch.com/pics/funny/Veri
"Howard C. Berkowitz" wrote:
>
> At 10:27 AM +0100 10/7/03, [EMAIL PROTECTED] wrote:
> >And this list is definitely not the place to
> >discuss writing a letter of protest. If political
> >activity is your bag, then try http://www.meetup.com
>
Mr. Dillon forgets that all inter-human activity, in
"Stephen J. Wilcox" wrote:
> You are making assumptions.. Cisco havent said if the source was spoofed or not,
> as a recent nanog thread indicated a lot of attacks do not use spoofed addresses
> any more simply because the controllers have access to enough legitimate windows
> boxes to not care a
At 9:27 AM -0400 10/7/03, William Allen Simpson wrote:
Mark Kosters wrote:
In the interest in gaining more community review and comment, a discussion
list has been setup to discuss factually-based technical issues
and solutions surrounding the operational impact of wildcards in
top-level domain
FYI. Sent yesterday :
Submission by the London Internet Exchange to the ICANN Security and Stability
Advisory Committee Regarding Verisign's Deployment of Wildcard DNS Records
The London Internet Exchange (LINX) is Europe's largest Internet exchange point.
Owned mutually by nearly 140 member In
Mark Kosters wrote:
>
> In the interest in gaining more community review and comment, a discussion
> list has been setup to discuss factually-based technical issues
> and solutions surrounding the operational impact of wildcards in
> top-level domains on Internet applications.
>
We already have
At 8:13 AM -0400 10/7/03, Kee Hinckley wrote:
At 10:27 AM +0100 10/7/03, [EMAIL PROTECTED] wrote:
>I think this list may be a very good choice of where to construct
such a response.
Are you being paid by Verisign?
A "constructed" response is the worst thing we could
do. Everyone should write their
At 10:27 AM +0100 10/7/03, [EMAIL PROTECTED] wrote:
>I think this list may be a very good choice of where to construct
such a response.
Are you being paid by Verisign?
A disclaimer seems appropriate -- right now, I'm being only
occasionally paid for consulting by clients not having anything to do
Stephen J. Wilcox [10/7/2003 6:06 PM] :
You are making assumptions.. Cisco havent said if the source was spoofed or not,
as a recent nanog thread indicated a lot of attacks do not use spoofed addresses
any more simply because the controllers have access to enough legitimate windows
boxes to not
For those still interested, here is the status of this issue.
I suspect that my NIC is in promiscuous mode - I run winpcap for traffic
monitoring on my home network. Of course in the world of Microsoft it
isn't always straightforward to determine these things! So it isn't a
great surprise that so
On Tue, 7 Oct 2003, Suresh Ramasubramanian wrote:
> Terry Baranski [10/7/2003 6:05 AM] :
>
> > Maybe this will have the positive effect of motivating Cisco to do more
> > to encourage best practices such as edge anti-spoof filtering. To begin
> > with, Barry Green's presentations on these issue
"For this vocal minority, resentment lingers at the very fact that the Internet
is used for commercial purpose, which ignores the fact that it's a critical part
of our economy."
So verisign admit its about the $$$s then?
Sticking on the commercial argument claim which this argument is about,
I just received an email proporting to be from Symantec that contained an
anti-virus signature update. The message originated in the
Netherlands. The attachment has been submitted to Symantec and FortiNet
for review, however, I thought the community might want a heads up since I
do not know t
At 10:27 AM +0100 10/7/03, [EMAIL PROTECTED] wrote:
>I think this list may be a very good choice of where to construct
such a response.
Are you being paid by Verisign?
A "constructed" response is the worst thing we could
do. Everyone should write their own responses in their
own words based on the
-BEGIN PGP SIGNED MESSAGE-Hash: SHA1
AS5384 routing table is not propagating very good here and I see atleast 50 instances of that
I was checking it for a peer trying to get a better route result
- -Henry R Linneweh
-BEGIN PGP SIGNATURE-Version: PGP 8.0.2 - not licensed for commerc
Innovation and the Internet
http://news.com.com/2010-1071-5086769.html
is about 12 hours old on google news
-HenryBrian Bruns <[EMAIL PROTECTED]> wrote:
Well, I donno about anyone else, but I absolutely suck on the PR end ofthings.Now, I *am* good at writing documentation for end users (I used
>I think this list may be a very good choice of where to construct
>such a response.
Are you being paid by Verisign?
A "constructed" response is the worst thing we could
do. Everyone should write their own responses in their
own words based on their own experiences or their own
skills and knowle
>I know personally I would love to put out a paper, but I have no idea
where
>to begin.
If you don't have the time to write a paper then
sit down and write a case study about your own
experiences that could be published in a trade
magazine or your local newspaper. Submit it to
your favorite pub
>Having been involved in the community internet for as long as I have, I
>want to wretch. I'd think Mark would be one of those, as well.
Whether he does or doesn't want to retch,
Mark does need a job and he happens to have
one currently at Verisign as do a number of
other skilled technical people
>In the interest in gaining more community review and comment, a
discussion
>list has been setup to discuss factually-based technical issues
>and solutions surrounding the operational impact of wildcards in
>top-level domains on Internet applications.
If anyone wants to follow this via the web
On 06.10 23:51, Mark Kosters wrote:
>
> In the interest in gaining more community review and comment, a discussion
> list has been setup to discuss factually-based technical issues
> and solutions surrounding the operational impact of wildcards in
> top-level domains on Internet applications.
>
One soundbite which just came to me:
"What if the company which has the Yosemete restaraunt
consession put up a 300 foot rig and drilled for oil
behind the kitchen?"
-george william herbert
[EMAIL PROTECTED]
59 matches
Mail list logo