hat we can produce in
short order.
(BTW: Need/want some more of our famous "Colo Blend" Mr. Thomas?)
That was some of the best joe I've had, and I'd welcome another
batch! Just don't tell the rest o' Team Cymru about it - it's mine,
all mine! Muahaha! :)
ARIN database, we were told not to. We tried to explain the
registration information was already public via ARIN, but were told
not to update the IANA registry. IANA and ARIN are working out
something to resolve this issue.
Great, thanks to all!
Thanks!
Rob.
--
Rob Thomas
Team Cymru
http
any changes.
Thanks,
Rob, for Team Cymru.
--
Rob Thomas
Team Cymru
http://www.cymru.com/
cmn_err(do_panic, "Out of coffee!");
not flowing anymore")
We have two ways to notify folks:
1. bogon-announce list, <http://puck.nether.net/mailman/listinfo/bogon-announce>
2. Automated updates with the bogon route-servers, <http://www.cymru.com/BGP/bogon-rs.html>
Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.cymru.com/
cmn_err(do_panic, "Out of coffee!");
ing/dnssumm/index.html>
--
Rob Thomas
Team Cymru
http://www.cymru.com/
cmn_err(do_panic, "Out of coffee!");
I'd guess the Cymru team is less likely to be hax0r'ed. But that's
just 'cause I'm afraid of them. (Especially if Rob's had coffee
recently. Which means I'm always afraid of them. :)
Muahaha! :)
--
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee != empty);
] Thanks and I am really impressed with everyone's reaction to this attack.
] Especially Rob Thomas, he really has a grip on it.
Thanks muchly, Barrett, but the credit goes to Steve Gill. :)
--
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee != empty);
dcast and the like.
I don't like it. You don't like it. The miscreants love it. It's
always a balancing act.
Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee != empty);
Hi, NANOGers.
] other cctld servers have seen what are effectively ddos. rob thomas
] seems to have the most clue on this, so i hope this troll will entice
] him to speak.
Did someone say "troll?" :)
Yes, this is a real problem. These attacks have exceeded several
gigabits per
they need help. I also
didn't want folks to believe that it is a problem related to
one OS or demographic. It's a problem of crime, mostly.
Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee != empty);
those
unix web/database servers, or transit through those routers,
etc. There's a reason why such devices are popular with
the criminals. :(
--
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee != empty);
's also a large number of poorly
configured devices such as routers with easily guessed passwords,
overly permissive DNS name servers, etc.
It's not simply a Windows problem.
Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee != empty);
en to
suggestions and quick to assist.
<http://nfsen.sourceforge.net/>
Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee != empty);
] It looks like they were given real ARIN allocations for those test
] prefixes, so it's not like those blocks are going to be assigned to some
] random network who goes to use them and finds out there is a Cymru
] announcement on their space.
Yes, agreed. :)
--
Rob Thomas
Team Cymru
http
s of routers is also common now. This provides
obfuscation and sometimes encryption.
Most of the changes are based on templates. Consider this bundled
clue, where the prowess of the template user isn't at all a factor.
Use the flows. :)
Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www
t, et al.) prevented from using this login and
password?
Thanks!
Rob.
--
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee != empty);
ing about cooking up blame is that there is always
enough to serve everyone.
Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee != empty);
Are
] your defenses against non-spoofed attacks really helped by the extra
] filtering?
Great question, and we're eager to hear the results as well. Our
study is well past its prime, to be sure.
Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee != empty);
u.com/BGP/asnbogusrep.html>
Please feel free to contact Team Cymru <[EMAIL PROTECTED]> with
any comments, questions, or concerns.
Thank you for your continued support.
Thanks,
Rob.
- --
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee != empty);
stamp, now that I
think about it. Doh!
--
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee != empty);
hanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee != empty);
Hi, NANOGers.
Here is Barrett's list, including and sorted by ASN.
Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee != empty);
ASN | IP | AS Name
59 | 128.105.45.101 | WISC-MADISON-AS - University o
224 | 129.177.162.218 | UN
le attacks and abuses that might concern
you even more. It is generally the case that the tools and
techniques for both are the same.
Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee != empty);
t that will permit
one to install a bot. Just-in-time DoSnets are readily built and used
in amplification attacks as well.
Bots have never been solely a Windows problem.
Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee != empty);
Hi, NANOGers.
Just a FYI - we at Team Cymru are upgrading some of our infrastructure
today. This will result in partial and complete outages for most of
the day. We will be back online, new and improved, by the end of the
day.
Thanks!
Rob, for Team Cymru.
--
Rob Thomas
Team Cymru
http
ore. Take it
with a grain of salt. :)
Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee != empty);
>
Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee != empty);
While IPv6 obviously presents a huge address space, the miscreants
don't have to scan all of it, or compromise much more than a few
devices on it, to reap a reward. Just enough is good enough.
I'll take a pina colada anyway. :)
Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.cymru.com
Thanks,
Rob, for Team Cymru.
--
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee != empty);
r own, I should probably ask
them to change that.
Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee != empty);
ardent Cubs fan, cursing the Sox. ;)
We continue to debug it with our peers. Stay tuned!
Apologies for the inconvenience.
Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee != empty);
Cymru do all the work.
Fire up a peering session to the Bogon route-servers today!
<http://www.cymru.com/BGP/bogon-rs.html>
As always, if you are having difficulty reaching the three test IP
addresses, please drop us a note at [EMAIL PROTECTED]
Thanks!
Rob.
--
Rob Thomas
http://www.
EMAIL PROTECTED]
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
Shaving with Occam's razor since 1999.
] and statistical reliability. presumably that is coming and just
] hasn't been discussed or carried out yet.
Yep, that's being done since we announced the prefixes.
More details to come shortly. :)
Todd, thanks for checking on these prefixes and sharing what you
see!
Thanks,
Ro
resses prior to announcing the test prefixes.
74.63.1.2
75.127.1.2
76.191.1.2
Sorry those weren't announced sooner!
Thanks,
Rob, for Team Cymru.
--
Rob Thomas
http://www.cymru.com
Shaving with Occam's razor since 1999.
- <http://www.cymru.com/Bogons/index.html#dns>
Monitoring
Bogon prefix monitoring
- <http://www.cymru.com/BGP/robbgp-bogon.html>
Bogus ASN monitoring
- <http://www.cymru.com/BGP/asnbogusrep.html>
Please feel free to contact Team Cymru <[EMAIL PROTECTED]> wit
ring
- <http://www.cymru.com/BGP/asnbogusrep.html>
Please feel free to contact Team Cymru <[EMAIL PROTECTED]> with any comments,
questions, or concerns.
Thank you for your continued support.
Rob, for Team Cymru.
- --
Rob Thomas
http://www.cymru.com
Shaving
gusrep.html>
Please feel free to contact Team Cymru <[EMAIL PROTECTED]> with any
comments, questions, or concerns.
Thank you for your continued support.
Rob.
- --
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
free to contact Team Cymru <[EMAIL PROTECTED]> with any
comments, questions, or concerns.
Thank you for your continued support.
Rob, for Team Cymru.
- --
Rob Thomas
http://www.cymru.com
Shaving with Occam's razor since 1999.
llowing URL.
<http://www.cymru.com/BGP/bogon-rs.html>
Thanks,
Rob, for Team Cymru.
--
Rob Thomas
http://www.cymru.com
Shaving with Occam's razor since 1999.
uses TFTP to update itself as well.
Please note that I am NOT advocating the blocking of TFTP.
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
Shaving with Occam's razor since 1999.
Hi, Hank.
] How would this scale for say 200K routers? 2M? -Hank
Dave Deitrich of Team Cymru will be presenting on this very
topic at the next NANOG. Short answer: We're ready when
you are. :)
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
Shaving with Occam's razor since 1999.
s would be rather
obvious, and they are, yet no one notices.
Most of these compromised routers are at the end of FR or
frac-T connections. I suspect a great many of them were
configured once, then left to rot with the same code and
configuration for years and years.
Thanks,
Rob.
--
Rob Thomas
htt
Hi, Bryan.
] Rob T - this should be a periodic FAQ:
]
] http://www.cymru.com/Bogons/
That's a great idea! Everyone knows I don't send out nearly enough
email. :) Seriously, we'll try to be better about sending out
regular reminders.
Thanks!
Rob.
--
Rob Thomas
http://www.c
ssume that encrypted packets
keep them safe. Encryption != security.
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
Shaving with Occam's razor since 1999.
.
So while a new approach to security with IPv6 may be warranted, many of
the same old threats await you there.
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
Shaving with Occam's razor since 1999.
us why. Suggestions
are always welcome!
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
the RIB clean. That means the
use of filtering. We and others provide those as well:
<http://www.cymru.com/Documents/secure-bgp-template.html>
<http://www.cymru.com/gillsr/documents/junos-bgp-template.htm>
<ftp://ftp-eng.cisco.com/cons/isp/security/Ingress-Prefix-Filter-Templates
prefix-list that would permit you to filter on a prefix
and anything more specific. Stay tuned!
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
deploy more
if necessary.
By the way we recommend that folks peer with at least two of the
Bogon route-servers.
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
work to earn your
trust with each project. I think we've done a fair job of
that.
Suggestions and feedback (along with coffee) are always welcome!
Thanks,
Rob, not the only member of Team Cymru. :)
--
Rob Thomas
http://www.cymru.com
Shaving with Occam's razor since 1999.
rnet garbage. :)
<http://www.cymru.com/Reach/garbage.html>
<http://www.cymru.com/Reach/darknet.html>
Thanks!
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
page at
the following URL.
<http://www.cymru.com/Darknet/>
We hope you find this of use. Comments and suggestions are always
welcome!
Thanks!
Rob, for Team Cymru.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
tworks and
the flows on them. Comments, feedback, and coffee are always welcome! :)
Thanks!
Rob, for Team Cymru.
- --
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
ost it
infected, and report the contents to the Coldlife botherd.
Ka-ching, another botnet stolen. Things have evolved in a
distributed manner from this feature.
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
.cymru.com/Bogons/index.html#dns>
Monitoring
Bogon prefix monitoring
- <http://www.cymru.com/BGP/robbgp-bogon.html>
Please feel free to contact Team Cymru <[EMAIL PROTECTED]> with any
comments, questions, or concerns.
Thanks!
Rob, for Team Cymru.
- --
:)
Or did I misunderstand the post? I'm low on coffee tonight. :)
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
eful consideration of the
support ramifications of it.
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
] And the amount of time it took me to update my bogon filters is
] Zero. Zip.
] Because I use Team Cymru's bogon route servers :-)
Thanks, Michel! We aim to please. :)
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
Team Cymru <[EMAIL PROTECTED]> with any
comments, questions, or concerns.
Thanks!
Rob, for Team Cymru.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
from CW dated January 23,
] 2004:
UUNET/MCI has had that capability since circa 2002, I believe. Several
ISPs borrowed heavily from the following page to create similar services.
<http://www.secsup.org/CustomerBlackHole/>
Kudos to Chris and Brian. :)
Thanks,
Rob.
--
Rob Thoma
following URL for
more details:
<http://www.cymru.com/BGP/bogon-rs.html>
You do not have to be an ISP or a large enterprise network to peer
with the bogon route-servers. We are happy to help you to filter
the prefixes provided by the bogon route-servers.
Thanks,
Rob, for Team Cymru.
--
Rob
] 2.1.17 Simplicity
]
] The architecture MUST be simple enough so that Radia Perlman can
] explain all the important concepts in less than an hour.
Oh, phew, good thing that isn't me. I've never been able to explain
anything in less than an hour. :)
--
Rob T
Hi, NANOGers.
] Cooperation with the bogon project seems logical too.
We at Team Cymru are happy to help in any way we can!
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
Please feel free to contact Team Cymru with any comments, questions, or
concerns.
We hope to see you in [sunny|warm|no snow] Miami! :)
Thanks!
Rob, for Team Cymru.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
e assistance with the modification and testing of
filters, please don't hesitate to ping on us!
Thanks,
Rob, for Team Cymru.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
personal favorite is the bogon route-server
project, but feel free to pick any or all of the data feeds.
You will find all of them listed at the following URL:
<http://www.cymru.com/Bogons/>
We hope this helps!
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
Hi, NANOGers.
] Hate to follow up to myself, but as someone just pointed out, 65333 is the
] cymru bogons server.
Woohoo, we're on route-views! We've made the big time! :) That
said, please remember to strip off such things with peers and
customers. :)
Thanks,
Rob.
--
Rob T
folks with very small pipes (circa T1) and very large
netblocks (circa /16). These folks paid a heavy price when
hit with the "scan all IPs in the netblock" worms.
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
official
announcement. :)
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
BGP prefix
updates.
Please feel free to contact Team Cymru with any comments, questions, or
concerns.
Thanks!
Rob, for Team Cymru.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
hat installed
numerous pods of the latest IDS at their borders, only to be
owned from within or owned by a method not yet in the
ever-behind signature database of the IDS devices. One can
waste money on security just as easily as one can waste money
on anything else.
Thanks,
Rob.
--
Rob Thom
tten fruit for my presentation instead. I'm
a moving target, and that makes it much more fun. :)
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
] Thanks Rob. Noticed one of our routes there that an upstream was also
] originating, for no reason. That's cleared up, so one less inconsistent
] AS...
No worries and thank YOU. :)
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
Hi, NANOGers.
] Next topic: multiple origin ASNs ..
Ooo, one of our faves. :) For a simple view:
<http://www.cymru.com/BGP/incon01.html>
<http://www.cymru.com/BGP/incon01-list.html>
Thanks,
Rob, for Team Cymru.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
] (so I guess I got the last room).
You may have. There is a convention of surgeons running at the same
time as NANOG. The good news is that I can be assured of quick
resuscitation if we run out of coffee. :)
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
, repeat. :)
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
s for this purpose is far more in
vogue. Watch out for worms such as W32.Sanper, which also
provide a built-in spam relay network. Remove all of the
open mail relays and you are left with...lots of spam.
More at NANOG... ;)
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
.com/DNS/lame.html>
This report does not include last week's filename typo. :)
Thanks!
Rob, for Team Cymru.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
b, for Team Cymru.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
-rs.html>
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
Hi, Mat.
] So who thinks allowing anyone to route to or from IANA Reserved blocks
] (Bogons) is acceptable?
It's a continuing mystery to me, when it's not exactly impossible
to do.
<http://www.cymru.com/Bogons/index.html>
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.c
is based on
a paucity of data. I'm not saying these things don't have a cost;
I am saying that the cost hasn't been realistically quantified.
Of course all of this is hand-waving until the market places
security above other requirements, such as increased performance
and shiny new features.
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
.com/DNS/lame.html>
Our thanks to those of you who have donated additional data for
the cause. It is greatly appreciated. :)
Thanks!
Rob, for Team Cymru.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
Hey, Chris.
] No... I have one T1 to Sprint and one T1 to AT&T, I think my AT&T bill
] will be high this month so I stop sending OUT AT&T and only accept...
Yep, this is a very common tactic, for reasons of finance, politics,
responsiveness, etc.
Thanks,
Rob.
--
Rob
responsive, you just might end up as an
example in my next presentation. ;)
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
e bandwidth from providers who sell (yes, CHARGE YOU
MONEY) a filtering service.
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
ymru.com/Documents/secure-bgp-template.html>
<http://www.qorbit.net/documents/junos-bgp-appnote.htm>
] ...no offense Rob, I'm pretty sure our beliefs are aligned here :-).
None taken, I completely agree.
Thanks,
Rob, not just the "bogon guy." :)
--
Rob Thomas
ht
source anonymous, as you prefer. Such donations help
the community at large. Be the first in your ASN to donate
data! :) If you are interested in donating data, please
contact us at team-cymru at cymru.com.
Thanks!
Rob, for Team Cymru.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
g bored waiting for us to run out of fuel)
Hang in there! I hope the power is restored to everyone soon. If
there is anything I or Team Cymru can do to assist, don't hesitate
to ping on us.
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
Hi, Brennan.
] does anyone know if the scanning is sequential once
] a range is chosen or is it random within a range?
In all of my tests the scanning is sequential, e.g.
1.1.1.1, 1.1.1.2, 1.1.1.3, etc.
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
] I don't believe I ever said that the edges shouldn't filter... did I?
Nope. I've always heard you say quite the opposite - the edges
should filter. :)
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
mprovement. It takes
another tool out of their toolbox. We win this battle by degrees.
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
de the IPv4 data, e.g. through HTML, text, DNS, and BGP
peering.
Thanks!
Rob, for Team Cymru.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
'm short. :)
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
Hi, NANOGers.
] See "show ip bgp inconsistent-as" on cisco. YMMV.
On that theme, please also see:
<http://www.cymru.com/BGP/incon01.html>
<http://www.cymru.com/BGP/incon01-list.html>
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
me of it is bogus,
enough of it is not.
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
10K bots often introduces only the
most minor of delays. :(
Regarding sophistication: I never make the mistake of believing the
enemy is dumb. I also do not believe the enemy will go further than
what is necessary to accomplish the mission. Just enough is good
enough.
Thanks,
Rob.
--
Rob
] Sure, trace my attacks to the linux box at UW, I didn't spoof the flood
] and you can prove I did the attacking how? You can't because I and 7 other
] hackers all are fighting each other over ownership of the poor UW student
] schlep's computer...
Only seven? Must be a lame bo