at Monday, January 27, 2003 7:50 PM, [EMAIL PROTECTED] [EMAIL PROTECTED]
was seen to say:
This is not correct. VPN simply extends security policy to a different
location. A VPN user must make sure that local security policy
prevents other traffic from entering VPN connection.
This is nice in
Wow, for a minute I thought I was looking at one of our old
plots, except for the fact that the x-axis says January 2003
and not September 2001 :) :)
seeing that the etiology and effects of the two events were quite
different, perhaps eyeglasses which make them look the same are
not
From:
So far it's been visible as an apparently accidental byproduct of an
attack
with other goals. Are you willing to bet your bifocals that the same
mechanism can't be weaponized and used against the routing infrastructure
directly in the future?
Yet the question becomes the reasoning
From: [EMAIL PROTECTED]
snip
On the other hand, we also know (from private communications and from
other mailing lists.. ahem) that high rate and high src/dst diversity
of scans causes some network devices to fail (devices that cache flows, or
devices that suffer from cpu overload under such
At 09:47 AM 28-01-03 -0600, Jack Bates wrote:
From: [EMAIL PROTECTED]
snip
On the other hand, we also know (from private communications and from
other mailing lists.. ahem) that high rate and high src/dst diversity
of scans causes some network devices to fail (devices that cache flows, or
On Tue, Jan 28, 2003 at 03:34:15PM +, [EMAIL PROTECTED] wrote:
Some BGP-speaking routers (not all, by any means, but some subpopulation)
found themselves pegged at 100% CPU on Saturday. Just one example:
http://noc.ilan.net.il/stats/ILAN-CPU/new-gp-cpu.html
I wonder how
http://noc.ilan.net.il/stats/ILAN-CPU/new-gp-cpu.html Was it not
known that under certain conditions the router would flatline? What
precautionary measures were put into place in such an event to limit
the damage?
scheduler allocate
-hc
Alex, although technically correct, it's not practical. How many end users
vpn in from home from say a public ip on their dsl modem leaving
themselves open to attack but now also having this connection back to the
Secure inside network. Has anyone heard of any confirmed cases of this
yet?
On Mon, 27 Jan 2003, Scott Granados wrote:
Alex, although technically correct, it's not practical. How many end users
vpn in from home from say a public ip on their dsl modem leaving
themselves open to attack but now also having this connection back to the
Secure inside network. Has
On Mon, 27 Jan 2003 14:50:22 EST, [EMAIL PROTECTED] said:
This is not correct. VPN simply extends security policy to a different
location. A VPN user must make sure that local security policy prevents
other traffic from entering VPN connection.
Given that the head of one of our
On Mon Jan 27, 2003 at 03:03:09PM -0500, [EMAIL PROTECTED] wrote:
Alex, although technically correct, it's not practical. How many end users
vpn in from home from say a public ip on their dsl modem leaving
themselves open to attack but now also having this connection back to the
Secure
On Mon Jan 27, 2003 at 03:03:09PM -0500, [EMAIL PROTECTED] wrote:
Alex, although technically correct, it's not practical. How many end users
vpn in from home from say a public ip on their dsl modem leaving
themselves open to attack but now also having this connection back to the
This is not correct. VPN simply extends security policy to a different
location. A VPN user must make sure that local security policy prevents
other traffic from entering VPN connection.
Given that the head of one of our three-letter-agencies managed to get
this sort of thing wrong,
On Mon, 27 Jan 2003 15:33:34 EST, [EMAIL PROTECTED] said:
This is not correct. VPN simply extends security policy to a different
location. A VPN user must make sure that local security policy prevents
other traffic from entering VPN connection.
Given that the head of one of our
On Mon, Jan 27, 2003 at 08:10:15PM +, Simon Lockhart wrote:
As I suspected, but I keep being told that these problems were in old style
VPN clients, and stuff is much better these days. I remain unconvinced.
A good VPN client (I'm familiar with Nortel) will enforce no *simultaneous*
Given that the head of one of our three-letter-agencies managed to get
this sort of thing wrong, what makes you think that Joe Middle-Manager
who's more concerned about fixing a spreadsheet will get it correct?
Because it is not that difficult. A security policy of a little office
On Mon Jan 27, 2003 at 04:00:51PM -0500, [EMAIL PROTECTED] wrote:
It is very easy.
Deny everything.
Allow outbound port 80
Allow mail server to 25
Allow ident
If you need netmeeting, allow netmeeting server to other servers.
If you need AIM, allow AIM from workstations to oscar.aol.com
On Mon Jan 27, 2003 at 04:16:00PM -0500, [EMAIL PROTECTED] wrote:
Again, but why does it talk to the outside world unsupervised? Your
organization clearly has a border that separates its internal systems from
external ones. Why not apply those restrictions on *those* borders?
From inside the
On Mon, 27 Jan 2003 16:00:51 EST, [EMAIL PROTECTED] said:
It is very easy.
Deny everything.
Allow outbound port 80
Bzzt! You just let in an ActiveX exploit. Or Javascript. Or
Allow mail server to 25
Bzzt! You just let in a new Outlook exploit.
If you need AIM, allow AIM from
Simon Lockhart [EMAIL PROTECTED] wrote:
On Mon Jan 27, 2003 at 04:16:00PM -0500, [EMAIL PROTECTED] wrote:
Again, but why does it talk to the outside world unsupervised? Your
organization clearly has a border that separates its internal systems
from
external ones. Why not apply those
On Sun, Jan 26, 2003 at 12:17:20AM -0500, Tim Griffin mooed:
hc wrote:
I am on Verizon-GNI via Qwest and Genuity and seeing the same problem as
well.
here's a plot showing the impact on BGP routing tables from seven ISPs
(plotted using route-views data):
Deny everything.
Allow outbound port 80
Bzzt! You just let in an ActiveX exploit. Or Javascript. Or
And I have successfully blocked everything other than ActiveX or JavaScript
or whatever else.
Allow mail server to 25
Bzzt! You just let in a new Outlook exploit.
It is talking
here's a plot showing the impact on BGP routing tables from seven ISPs
(plotted using route-views data):
http://www.research.att.com/~griffin/bgp_monitor/sql_worm.html
And as an interesting counterpoint to this, this graph shows
the number of BGP routing updates received at MIT
On Mon, Jan 27, 2003 at 06:15:33PM -0800, Randy Bush mooed:
Wow, for a minute I thought I was looking at one of our old
plots, except for the fact that the x-axis says January 2003
and not September 2001 :) :)
seeing that the etiology and effects of the two events were quite
On Sat, 25 Jan 2003, Bill Woodcock wrote:
On Sat, 25 Jan 2003, Mikael Abrahamsson wrote:
Lots of traffic on udp port 1434 coming in here via TW Telecom and Sprint
Looks like we may have a winner for DDoS of the year (so far)
What kind of traffic levels are you
On Sat, 25 Jan 2003, K. Scott Bethke wrote:
Keep in mind that these problems aren't from 'well behaved' hosts, and
'well behaved' hosts normally listen to ECN/tcp-window/Red/WRED
classic DoS attack scenario. :(
I understand the evils, but are we really at the mercy of situations like
From: Michael Lamoureux
Note that in the case of a worm, a VPN could work against you. If you
have all the right filters in place at your perimeter and yet let
your employees in through a VPN solution of some sort, you could still
be screwed if one of their home systems gets infected
]] On Behalf Of
hc
Sent: Friday, January 24, 2003 11:39 PM
To: Joel Perez
Cc: Aaron Burnett; Alex Rubenstein; [EMAIL PROTECTED]
Subject: Re: Level3 routing issues?
Okay this is getting bad.. one of our routers just locked up from udp
1434's. Can't even telnet to it now.
-hc
Joel Perez wrote:
My
Not just L3Genuity is getting whacked. ELI is getting whacked.
Somebody needs to be gelded.
Andrew
into it.
But i am on Qwest and GBLX.
-Original Message-
From: Alex Rubenstein [mailto:[EMAIL PROTECTED]]
Sent: Sat 1/25/2003 1:04 AM
To: hc
Cc: [EMAIL PROTECTED]
Subject: Re: Level3 routing issues?
I dunno about that. But, I am seeing, in the last
]
To: Alex Rubenstein [EMAIL PROTECTED]
Cc: hc [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Friday, January 24, 2003 10:37 PM
Subject: Re: Level3 routing issues?
On Sat, 25 Jan 2003, Alex Rubenstein wrote:
I dunno about that. But, I am seeing, in the last couple hours, all
kinds
of new
nuts with hits on UDP port 1434 also from
everywhere!
-Original Message-
From: Aaron Burnett [mailto:[EMAIL PROTECTED]]
Sent: Sat 1/25/2003 1:19 AM
To: Alex Rubenstein
Cc: hc; [EMAIL PROTECTED]
Subject: Re: Level3 routing issues?
On Sat
; [EMAIL PROTECTED]
Subject: Re: Level3 routing issues?
We just had a box inside one of my customers networks start
sending tons of small packets not sure what kind yet.
On Sat, 25 Jan 2003, Alex Rubenstein wrote:
I dunno about that. But, I am seeing, in the last couple hours
Hey Blaine,
On Sat, Jan 25, 2003 at 01:53:49AM -0600, Blaine Kahle wrote:
Same symptoms here. After disabling MS SQL, which required a reboot as
the process didn't want to shut down normally, the traffic stopped. I
found 3 boxes on our network that were generating massive amounts of
From: Dave Stewart
Lots of traffic on udp port 1434 coming in here via TW Telecom and Sprint
Looks like we may have a winner for DDoS of the year (so far)
Temporary block in place. My border cpu was starting to hammer up.
Outbound stat about 2 minutes later:
deny udp any any eq 1434
MS SQL, or SQL Monitor?
On Sat, 25 Jan 2003, Blaine Kahle wrote:
On Sat, Jan 25, 2003 at 02:05:42AM -0500, Kevin Welch wrote:
I am seeing similar traffic loads on my network at this hour, one of our
MS SQL servers seemed to be sending a large amount of traffic out to the
Internet.
: 616.493.0577 Cell Ph: 616.437.3861
-Original Message-
From: Blaine Kahle [mailto:[EMAIL PROTECTED]]
Sent: Saturday, January 25, 2003 2:54 AM
To: Kevin Welch
Cc: 'Alex Rubenstein'; 'hc'; [EMAIL PROTECTED]
Subject: Re: Level3 routing issues?
On Sat, Jan 25, 2003 at 02:05:42AM -0500
* Josh Richards [EMAIL PROTECTED] [20030124 23:25]:
Same here. We first saw what looked like a DoS at about
09:00 PST. We're seeing strange stuff all over the place.
Oops, meant to say 09:30 PST.
-jr
Josh Richards jrichard@{ geekresearch.com, cubicle.net, digitalwest.net }
Geek
From: Mikael Abrahamsson
What kind of traffic levels are you seeing? With a handful of /16 etc
we're not seeing more than 5-10 megabits of traffic according to my
global transit graphs.
People who haven't null routed their unused prefixes properly will probably
see a lot of problems though
Has someone reported the details to CERT yet?
Preferably someone who's got logs and such?
-george william herbert
[EMAIL PROTECTED]
.
-Original Message-
From: Alex Rubenstein [mailto:[EMAIL PROTECTED]]
Sent: Sat 1/25/2003 1:04 AM
To: hc
Cc: [EMAIL PROTECTED]
Subject: Re: Level3 routing issues?
I dunno about that. But, I am seeing, in the last couple hours, all kinds
of new traffic.
like, customers who
my transit traffic doubled (luckily it is the low time of the night for
me) from 10-12ish
I work at a really large east coast University. Our sensors show the problem
starting between 12:30-12:45am this morning...
Eric :)
On Sat, Jan 25, 2003 at 01:13:30AM -0800, Bill Woodcock wrote:
On Sat, 25 Jan 2003, Mikael Abrahamsson wrote:
Lots of traffic on udp port 1434 coming in here via TW Telecom and Sprint
Looks like we may have a winner for DDoS of the year (so far)
What kind of traffic
On Sat, 25 Jan 2003, Stephen J. Wilcox wrote:
Somebody remind me why Microsoft is still allowed to exist?
Dunno, aren't they negligent?
In any other industry a fundamental flaw would be met with lawsuits, in the
computer world tho people seem to get around for some reason.
Steve
On Sat, Jan 25, 2003 at 02:57:16AM -0500, Alex Rubenstein wrote:
MS SQL, or SQL Monitor?
Are those two separate programs? I don't know; I'm not a windows guy. I
just watched over the shoulders of a few other techs as they shut what
appeared to be everything-MSSQL down. I just found the
On Sat, 25 Jan 2003, Avleen Vig wrote:
[snip]
Let's not blame MS for admins who don't know how to secure their boxes
:-)
A patch was released mid-2002 and was also part of SQL Server SP3
Would it not also be a good idea/practice *not* to ever let a MS SQL
server (or *any* database server)
From what I have read and researched, it does.
On Sat, 25 Jan 2003, Jack Bates wrote:
From: Avleen Vig
snip
Let's not blame MS for admins who don't know how to secure their boxes
:-)
A patch was released mid-2002 and was also part of SQL Server SP3
Has it been verified
Bill,
- Original Message -
From: Bill Woodcock [EMAIL PROTECTED]
I'd agree with it. Except the herds of losers who still buy exploding
crap from Vendor M don't seem to be thinning themselves out quickly
dude, the Exploding Cars are so much easier to drive than the ones from
Vendor L.
On Sat, Jan 25, 2003 at 12:20:41PM -0500, C. Jon Larsen wrote:
On Sat, 25 Jan 2003, Avleen Vig wrote:
[snip]
Let's not blame MS for admins who don't know how to secure their boxes
:-)
A patch was released mid-2002 and was also part of SQL Server SP3
Would it not also be a good
Would it not also be a good idea/practice *not* to ever let a MS SQL
server (or *any* database server) sit on a network that is directly
accessible from the internet ? Having a firewall(s) in front of your
database server regardless of the type is pretty much common sense, right?
Its
On Sat, 25 Jan 2003, Alex Rubenstein wrote:
Including the developers of SSHD, HTTPD, NAMED, CVS?
How about Linus? Wanna call him up?
I am no windows cheerleader, but to think this is something that happens
only in windows-land is whack -- might as well put your head in the sand.
It is
At 11:56 AM 1/25/2003, Bill Woodcock wrote:
Dunno, aren't they negligent?
In any other industry a fundamental flaw would be met with
lawsuits, in the
computer world tho people seem to get around for some reason.
Not true, look at cars and recalls. Also as I
Not sure you can claim something you have for free is liable or with
guarantee
That's total rubbish. Whether you pay for it or not shouldn't matter.
You might also want to consider reading the various software agreement
licenses that come with various pieces of software both free and
I think you are on the right lines below in suggesting that products and
services should be supplied safe and not require additional maintenance out of
the box to make them so (additional changes should make them weaker)
There is no such thing as safe! You have control over what risks you
On 1/25/03 2:53 PM, Christopher L. Morrow [EMAIL PROTECTED] wrote:
Keep in mind that these problems aren't from 'well behaved' hosts, and
'well behaved' hosts normally listen to ECN/tcp-window/Red/WRED
classic DoS attack scenario. :(
Well not everyone plays fair out there. I imagine
On Saturday 25 January 2003 10:03 am, Avleen Vig wrote:
On Sat, Jan 25, 2003 at 12:20:41PM -0500, C. Jon Larsen wrote:
On Sat, 25 Jan 2003, Avleen Vig wrote:
[snip]
Let's not blame MS for admins who don't know how to secure their
boxes
:-)
A patch was released mid-2002
Third point to the correlation above: The vast majority of Windows admins
are dingbat-morons, self-proclaimed experts. Had they not been
dingbat-morons, and applied the readily available and widely announced
patches (as zealously as unix folks patch their stuff), this'd be all
moot, and we'd
On Sat, 25 Jan 2003, Neil J. McRae wrote:
I think you are on the right lines below in suggesting that products and
services should be supplied safe and not require additional maintenance out of
the box to make them so (additional changes should make them weaker)
There is no such thing
On Sat, 25 Jan 2003, K. Scott Bethke wrote:
Bill,
- Original Message -
From: Bill Woodcock [EMAIL PROTECTED]
I'd agree with it. Except the herds of losers who still buy exploding
crap from Vendor M don't seem to be thinning themselves out quickly
dude, the Exploding Cars are
On Sat, 25 Jan 2003, Avleen Vig wrote:
On Sat, Jan 25, 2003 at 12:20:41PM -0500, C. Jon Larsen wrote:
On Sat, 25 Jan 2003, Avleen Vig wrote:
[snip]
Let's not blame MS for admins who don't know how to secure their boxes
:-)
A patch was released mid-2002 and was also part
On Sat, Jan 25, 2003 at 05:08:22PM +, Stephen J. Wilcox wrote:
Also; everyone who just posted to this list made it abundantly clear that
they don't have a firewall in front of at least one MS SQL server on their
network. Should you really have port 1433/4 open to the world? Would you
What about doing some priority-based QoS? If a single IP exceeds X amount
of traffic, prioritize traffic above that threshold as low. It would keep
any one single host from saturating a link if the threshold is low.
For example, you may say that each IP is limited to 10mb of priority
traffic.
On Sat, 25 Jan 2003, Stephen J. Wilcox wrote:
I've not looked at any great detail into the exact sources but of the few I
looked at earlier I was surprised to find them on ADSL .. these may be corporate
networks this is the bit I don't know but some of them seemed to be residential,
weird!
MS Date: Sat, 25 Jan 2003 10:17:01 -0800 (PST)
MS From: Marc Slemko
MS It is interesting to note that one inadvertent advantage of open
MS source (when it requires people to compile from source, and pick
MS and choose options at compile time... popular distributions with
MS precompiled packages
## On 2003-01-25 20:04 - Stephen J. Wilcox typed:
SJW
SJW
SJW Here's my advice to the uninitiated. Run linux, run firewalls, disable what you
SJW don't need and listen to folks who have real world experience.
SJW
SJW Steve
SJW
Please don't start a flame war about this but are you
On Sun, 26 Jan 2003, Rafi Sadowsky wrote:
## On 2003-01-25 20:04 - Stephen J. Wilcox typed:
SJW
SJW
SJW Here's my advice to the uninitiated. Run linux, run firewalls, disable what you
SJW don't need and listen to folks who have real world experience.
SJW
SJW Steve
SJW
From: Robert A. Hayden
What about doing some priority-based QoS? If a single IP exceeds X amount
of traffic, prioritize traffic above that threshold as low. It would keep
any one single host from saturating a link if the threshold is low.
For example, you may say that each IP is limited
On Sat, Jan 25, 2003 at 02:10:59PM -0800, Stephen Milton wrote:
We have had multiple customers who had SP3 on their boxes that were
hit. SP3 was _supposed_ to include this patch, there is no
verification so far that it did.
Since all the providers have been blocking the attack spread
MS SQL SP3, _NOT_ MS Windows 2000 SP3.
BIG DIFFERENCE.
http://www.microsoft.com/sql/downloads/2000/sp3.asp
On Sat, 25 Jan 2003, Stephen Milton wrote:
We have had multiple customers who had SP3 on their boxes that were
hit. SP3 was _supposed_ to include this patch, there is no
On Sat, Jan 25, 2003 at 08:56:06AM -0800, Bill Woodcock wrote:
Dunno, aren't they negligent?
In any other industry a fundamental flaw would be met with lawsuits, in the
computer world tho people seem to get around for some reason.
Not true, look at cars and
From: K. Scott Bethke
Well not everyone plays fair out there. I imagine this is built into
SLA's
too right? My network will be up as long as everyone is well behaved
You know that customers won't behave. Prepare for it.
I understand the evils, but are we really at the mercy of situations
On Sat, Jan 25, 2003 at 10:02:54PM +, Christopher L. Morrow wrote:
On Sat, 25 Jan 2003, Avleen Vig wrote:
The market we are in was specifically bred by Microsoft in the 90's when
they claimed Windows was so easy to use, anyone could admin it.
They've since changed their tune, but
At 05:10 PM 1/25/2003, you wrote:
We have had multiple customers who had SP3 on their boxes that were
hit. SP3 was _supposed_ to include this patch, there is no
verification so far that it did.
Since all the providers have been blocking the attack spread from the
routers, installing SP3 on
If a customer is infected, then the problem is on their end. The fact that
they don't have throughput is their issue, not that of the provider's.
Many, many customers don't understand this - if they don't have throughput,
it's the provider's problem and the provider has to fix it. One of
I've seen various references to this worm firing off and saturating
networks worldwide within 1 minute... if *that* isn't scary, I don't know
what is. It shows that someone, with the right tools and enough vulnerable
servers can take out a good portion of the Internet in seconds. And how