On Sun, 29 Oct 2006, Douglas Otis wrote:
>
> On Sun, 2006-10-29 at 09:40 -0600, Gadi Evron wrote:
> > On Sun, 29 Oct 2006, Douglas Otis wrote:
> > >
> > > How would you identify and quell an SPF attack in progress?
> >
> > Okay, now I understand.
> >
> > You speak of an attack specifically uti
On Sun, 2006-10-29 at 09:40 -0600, Gadi Evron wrote:
> On Sun, 29 Oct 2006, Douglas Otis wrote:
> >
> > How would you identify and quell an SPF attack in progress?
>
> Okay, now I understand.
>
> You speak of an attack specifically utilizing SPF, not of how SPF
> relates to botnets or attack tr
On Sun, 29 Oct 2006, Douglas Otis wrote:
> On Sat, 2006-10-28 at 00:52 -0500, Gadi Evron wrote:
>
>
> > If you believe SPF prevents you from doing it, can you elaborate how?
>
> Spam referencing malicious SPF scripts can result in PASS or NEUTRAL,
> where the message and message rates may be no
On Sat, 2006-10-28 at 00:52 -0500, Gadi Evron wrote:
> If you believe SPF prevents you from doing it, can you elaborate how?
Spam referencing malicious SPF scripts can result in PASS or NEUTRAL,
where the message and message rates may be normal. Recipients will not
notice the role they are pla
On Fri, 27 Oct 2006, Douglas Otis wrote:
> As Steve already pointed out, BCP38 is not a complete solution. Not
> only does SPF prevent the source of a Botnet attack from being
> detected, it also enables significantly greater amplification than
> might be achieved with a spoofed source DNS
On Oct 27, 2006, at 10:03 AM, Chris L. Morrow wrote:
On Fri, 27 Oct 2006 [EMAIL PROTECTED] wrote:
Or you could look at it as a weakness of SPF that should be used
as a justification for discouraging its use. After all if we
discourage botnets because they are DDoS enablers, shouldn't we
> how did the thread about dns providers and rfc compliance morph into SPF
> and spam discussions?
for the spf hammerers, everything looks like a nail? :)
personally, i think it is overloading of mpls, dns, and bgp. :)
randy
On Fri, 27 Oct 2006 [EMAIL PROTECTED] wrote:
>
> Or you could look at it as a weakness of SPF that should be
> used as a justification for discouraging its use. After all
> if we discourage botnets because they are DDoS enablers,
> shouldn't we discourage other DDoS enablers like SPF?
under this
On Fri, 2006-10-27 at 14:11 +0200, Florian Weimer wrote:
> * Douglas Otis:
>
> > Spam being sent through Bot farms has already set the stage for
> > untraceable DNS attacks based upon SPF. In addition to taking out major
> > interconnects, these attacks can:
> >
> > a) inundate authoritative DN
> > > How is this attack avoided?
> >
> > Sounds like the attack is inherent in SPF. In that case,
>
> how did the thread about dns providers and rfc compliance morph into SPF
> and spam discussions?
Ask Doug Otis. He stated that SPF sets the stage for DDoS
attacks against DNS servers. Presumab
On Fri, 27 Oct 2006 [EMAIL PROTECTED] wrote:
>
> > How is this attack avoided?
>
> Sounds like the attack is inherent in SPF. In that case,
how did the thread about dns providers and rfc compliance morph into SPF
and spam discussions?
* Douglas Otis:
> Spam being sent through Bot farms has already set the stage for
> untraceable DNS attacks based upon SPF. In addition to taking out major
> interconnects, these attacks can:
>
> a) inundate authoritative DNS;
>
> b) requests A records from anywhere;
>
> c) probe IP address,
> How is this attack avoided?
Sounds like the attack is inherent in SPF. In that case,
avoiding it is simple. Discourage the use of SPF, perhaps
by putting any SPF using domain into a blacklist.
Eventually, people will stop using SPF and the attack
vector goes away.
--Michael Dillon
On Thu, 26 Oct 2006, Mikael Abrahamsson wrote:
>
> On Thu, 26 Oct 2006, Fergie wrote:
>
> > The point I'm trying to make is that if the community thinks it is
> > valuable, then the path is clear.
>
> I of course realise that it's best if user cannot spoof at all, but it
> might be easier for ISP
On Thu, 2006-10-26 at 13:03 -0400, Steven M. Bellovin wrote:
> On Thu, 26 Oct 2006 17:07:32 +0200, Florian Weimer <[EMAIL PROTECTED]>
> wrote:
>
> > * Steven M. Bellovin:
> >
> > > As you note, the 20-25% figure (of addresses) has been pretty
> > > constant for quite a while. Assuming that subv
- Original Message -
From: "william(at)elan.net" <[EMAIL PROTECTED]>
To: "Don" <[EMAIL PROTECTED]>
Cc:
Sent: Thursday, October 26, 2006 8:17 AM
Subject: Re: BCP38 thread 93,871,738,435 (was Re: register.com down sev0?)
On Thu, 26 Oct 2006, Don w
On Thu, 26 Oct 2006, Don wrote:
Has anyone put together a centralized system where you can send in a list of
attacking bots, let it automatically sort by allocation, and then let it
notify the appropriate admin with a list of [potentially] compromised hosts?
mynetwatchman [1] comes to mind
On Thu, 26 Oct 2006 17:07:32 +0200, Florian Weimer <[EMAIL PROTECTED]>
wrote:
> * Steven M. Bellovin:
>
> > As you note, the 20-25% figure (of addresses) has been pretty constant
> > for quite a while. Assuming that subverted machines are uniformly
> > distributed (a big assumption)
>
> I doub
Put another way, anti-spoofing does three things: it makes reflector
attacks harder, it makes it easier to use ACLs to block sources, and it
helps people track down the bot and notify the admin. Are people actually
successfully doing either of the latter two?
I think it's a time constraint- look
On Oct 26, 2006, at 9:33 AM, Steven M. Bellovin wrote:
Put another way, anti-spoofing does three things: it makes reflector
attacks harder, it makes it easier to use ACLs to block sources,
and it
helps people track down the bot and notify the admin. Are people
actually
successfully doing ei
* Steven M. Bellovin:
> As you note, the 20-25% figure (of addresses) has been pretty constant
> for quite a while. Assuming that subverted machines are uniformly
> distributed (a big assumption)
I doubt this assumption about distribution is valid. At least over
here, consumer-grade ISPs (thin
On Thu, 26 Oct 2006 02:20:48 -0400 (EDT), Sean Donelan <[EMAIL PROTECTED]>
wrote:
>
> The only data I have is from the MIT anti-spoofing test project which
> has been pretty consistent for a long time. About 75%-80% of the nets,
> addresses, ASNs tests couldn't spoof, and about 20%-25% could.
On Thu, 2006-10-26 at 02:20 -0400, Sean Donelan wrote:
> http://spoofer.csail.mit.edu/summary.php
>
> If someone finds the silver bullet that will change the remaining 25% or
> so of networks, I think ISPs on every continent would be interested.
>
Financial incentive is the key. If there is non
On Thu, 26 Oct 2006, Fergie wrote:
The point I'm trying to make is that if the community thinks it is
valuable, then the path is clear.
What is the biggest problem to solve? Would it be enough for ISPs to make
sure that they will not send out packets which didn't belong within their
PA bloc
This would appear, on its face, to be an easy exercise in educating
the ISPs in the foodchain.
Is there reasonable enough interest with NANOG to do that? If so,
I volunteer to workshop at the next NANOG.
But only if there is reasonable consensus to that effect. Or someone
else could do it, too.
The only data I have is from the MIT anti-spoofing test project which
has been pretty consistent for a long time. About 75%-80% of the nets,
addresses, ASNs tests couldn't spoof, and about 20%-25% could.
The geo-location maps don't show much difference between parts of
the world. RIPE count
Actually, I misspoke earlier, but not quite. ;-)
Rob Beverly has an ongoing project which I have wholly endorsed,
but it has gotten relatively little attention:
http://spoofer.csail.mit.edu/
I would highly recommend that folks who choose to do so, please
participate. :-)
- ferg
p.s. Statistics
No.
I think that is indicative of the problem.
Don't you?
- ferg
-- Sean Donelan <[EMAIL PROTECTED]> wrote:
On Thu, 26 Oct 2006, Fergie wrote:
> I don't want to detract from the heat of this discussion, as
> important as it is, but it (the discussion) illustrates a point
> that RIPE has rec
On Thu, 26 Oct 2006, Fergie wrote:
I don't want to detract from the heat of this discussion, as
important as it is, but it (the discussion) illustrates a point
that RIPE has recognized -- and is actively pursuing -- yet, ISPs
on this continent seem consistently to ignore: The consistent
implemen