Re: chargen is the new DDoS tool?

2013-06-12 Thread John Kristoff
On Tue, 11 Jun 2013 19:52:02 -0400 "Ricky Beam" wrote: > All of the above plus very poorly managed network / network > security. (sadly a Given(tm) for anything ending dot-e-d-u.) That broad sweeping characterization, without any evidence, can be as casually dismissed without evidence. However,

Re: chargen is the new DDoS tool?

2013-06-12 Thread shawn wilson
Getting back to the topic. I just saw quite a few of our hosts scanned for this by 192.111.155.106 which doesn't say much on its own as http://dacentec.com/ is a hosting company. On Tue, Jun 11, 2013 at 11:27 PM, Ricky Beam wrote: > On Tue, 11 Jun 2013 22:52:52 -0400, Jimmy Hess wrote: >> >> Who

Re: chargen is the new DDoS tool?

2013-06-12 Thread shawn wilson
On Wed, Jun 12, 2013 at 7:14 AM, Aaron Glenn wrote: > On Wed, Jun 12, 2013 at 11:17 AM, shawn wilson wrote: >> >> >> Banks and insurance companies supposedly have some interesting actuarial >> data on this. >> > > Do you know of any publicly available sources? > I don't. There's a US entity that

Re: chargen is the new DDoS tool?

2013-06-12 Thread Nick B
I thought the modern measure was hours and dollars wasted... Err I mean spent. Nick On Jun 12, 2013 5:21 AM, "Joel M Snyder" wrote: > > >> Do you have any actual evidence that a .edu of (say) 2K employees > >> is statistically *measurably* less secure than a .com of 2K employees? > > >We're sorta

Re: chargen is the new DDoS tool?

2013-06-12 Thread Aaron Glenn
On Wed, Jun 12, 2013 at 11:17 AM, shawn wilson wrote: > > > Banks and insurance companies supposedly have some interesting actuarial > data on this. > Do you know of any publicly available sources? thanks, aaron

Re: chargen is the new DDoS tool?

2013-06-12 Thread Rich Kulawiec
I'm going to bypass the academic vs. non-academic security argument because I've worked everywhere, and from a security viewpoint, there is plenty of fail to go around. On Tue, Jun 11, 2013 at 09:37:04PM -0400, Ricky Beam wrote: > I run a default deny > policy... if nothing asked for it, it doesn'

Re: chargen is the new DDoS tool?

2013-06-12 Thread Jimmy Hess
On 6/12/13, Joel M Snyder wrote: > >But seriously, how do you measure one's security? > In ounces, unless it's a European university, in which case you use > liters. Older systems of measuring security involving mass (pounds and > kilos) have been deprecated, and you should not be using them any

Re: chargen is the new DDoS tool?

2013-06-12 Thread Joel M Snyder
>> Do you have any actual evidence that a .edu of (say) 2K employees >> is statistically *measurably* less secure than a .com of 2K employees? >We're sorta lookin' at one now. >But seriously, how do you measure one's security? In ounces, unless it's a European university, in which case you use

Re: chargen is the new DDoS tool?

2013-06-12 Thread shawn wilson
On Wed, Jun 12, 2013 at 4:51 AM, Jimmy Hess wrote: > On 6/12/13, shawn wilson wrote: >>> The scope is constantly changing. >> Not really. The old tricks are the best tricks. And when a default install > By best, you must mean effective against the greatest number of targets. > By best, I mean e

Re: chargen is the new DDoS tool?

2013-06-12 Thread Jimmy Hess
On 6/12/13, shawn wilson wrote: > This is basically untrue. I can deal with a good rant as long as there's > some value in it. As it is (I'm sorta sorry) I picked this apart. > On Jun 12, 2013 12:04 AM, "Ricky Beam" wrote: >> On Tue, 11 Jun 2013 22:55:12 -0400, wrote: >>>>>

Re: chargen is the new DDoS tool?

2013-06-12 Thread shawn wilson
This is basically untrue. I can deal with a good rant as long as there's some value in it. As it is (I'm sorta sorry) I picked this apart. On Jun 12, 2013 12:04 AM, "Ricky Beam" wrote: > > On Tue, 11 Jun 2013 22:55:12 -0400, wrote: >> > > But seriously, how do you measure one's security? Banks

Re: chargen is the new DDoS tool?

2013-06-11 Thread Damian Menscher
On Tue, Jun 11, 2013 at 8:39 AM, Bernhard Schmidt wrote: > we have been getting reports lately about unsecured UDP chargen servers > in our network being abused for reflection attacks with spoofed sources > > Anyone else seeing that? Anyone who can think of a legitimate use of > chargen/udp these

Re: chargen is the new DDoS tool?

2013-06-11 Thread Ricky Beam
On Tue, 11 Jun 2013 22:55:12 -0400, wrote: Do you have any actual evidence that a .edu of (say) 2K employees is statistically *measurably* less secure than a .com of 2K employees? We're sorta lookin' at one now. :-) But seriously, how do you measure one's security? The scope is constantly

Re: chargen is the new DDoS tool?

2013-06-11 Thread Ricky Beam
On Tue, 11 Jun 2013 22:52:52 -0400, Jimmy Hess wrote: Who really has a solid motive to make them stop working (other than a printer manufacturer who wants to sell them more) ? Duh, so people cannot print to them. (amongst various other creative pranks) From a cybercriminal pov, to swipe th

Re: chargen is the new DDoS tool?

2013-06-11 Thread Valdis . Kletnieks
On Tue, 11 Jun 2013 21:37:04 -0400, "Ricky Beam" said: > Indeed I have. Which is why I haven't for a great many years. Academics > tend to be, well, academic. That is, rather far out of touch with the > realities of running / securing a network. Do you have any actual evidence that a .edu of (sa

Re: chargen is the new DDoS tool?

2013-06-11 Thread Jimmy Hess
On 6/11/13, Majdi S. Abbas wrote: > On Tue, Jun 11, 2013 at 07:52:02PM -0400, Ricky Beam wrote: >> All of the above plus very poorly managed network / network >> security. (sadly a Given(tm) for anything ending dot-e-d-u.) a) why >> are *printers* given public IPs? and b) why are internet hosts >

Re: chargen is the new DDoS tool?

2013-06-11 Thread Ricky Beam
On Tue, 11 Jun 2013 19:57:17 -0400, Majdi S. Abbas wrote: You've never worked for one, have you? Indeed I have. Which is why I haven't for a great many years. Academics tend to be, well, academic. That is, rather far out of touch with the realities of running / securing a network.

Re: chargen is the new DDoS tool?

2013-06-11 Thread Joe Hamelin
On Tue, Jun 11, 2013 at 4:57 PM, Majdi S. Abbas wrote: > > I have a hard time blaming a school for this. I have an easy > time wondering why printer manufacturers are including chargen support > in firmware. Isn't that what printers do? Generate characters? It was in the design spec.

Re: chargen is the new DDoS tool?

2013-06-11 Thread Majdi S. Abbas
On Tue, Jun 11, 2013 at 07:52:02PM -0400, Ricky Beam wrote: > All of the above plus very poorly managed network / network > security. (sadly a Given(tm) for anything ending dot-e-d-u.) a) why > are *printers* given public IPs? and b) why are internet hosts > allowed to talk to them? I actually *v

Re: chargen is the new DDoS tool?

2013-06-11 Thread Ricky Beam
On Tue, 11 Jun 2013 12:06:36 -0400, Brielle Bruns wrote: Are these like machines time forgot or just really bad configuration choices? All of the above plus very poorly managed network / network security. (sadly a Given(tm) for anything ending dot-e-d-u.) a) why are *printers* given publ

Re: chargen is the new DDoS tool?

2013-06-11 Thread Dobbins, Roland
On Jun 12, 2013, at 2:13 AM, Leo Bicknell wrote: > The number is non-zero? In 2013? These are largely modern printers and other 'embedded' devices which are running OS configurations apparently cribbed out of 20-year-old gopher docs. ;> ---

Re: chargen is the new DDoS tool?

2013-06-11 Thread Jimmy Hess
On 6/11/13, Justin M. Streiner wrote: > Other than providing another DDoS vector, I'm not aware of any legitimate > reason to keep these services running and accessible. As always, YMMV. They are useful for troubleshooting and diagnostic purposes. Just be sure to limit the maximum possible res

Re: chargen is the new DDoS tool?

2013-06-11 Thread Valdis . Kletnieks
On Tue, 11 Jun 2013 15:38:45 -0400, "David Edelman" said: > I can just see someone spoofing a packet from victimA port 7/UDP to victimB > port 19/UDP. For a while, it was possible to spoof packets to create a TCP connection from a machine's chargen port to its own discard port and walk away while

RE: chargen is the new DDoS tool?

2013-06-11 Thread David Edelman
I can just see someone spoofing a packet from victimA port 7/UDP to victimB port 19/UDP. --Dave -Original Message- From: Leo Bicknell [mailto:bickn...@ufp.org] Sent: Tuesday, June 11, 2013 3:13 PM To: Bernhard Schmidt Cc: nanog@nanog.org Subject: Re: chargen is the new DDoS tool

Re: chargen is the new DDoS tool?

2013-06-11 Thread Leo Bicknell
On Jun 11, 2013, at 10:39 AM, Bernhard Schmidt wrote: > This seems to be something new. There aren't a lot of systems in our > network responding to chargen, but those that do have a 15x > amplification factor and generate more traffic than we have seen with > abused open resolvers. The number

Re: chargen is the new DDoS tool?

2013-06-11 Thread Justin M. Streiner
On Tue, 11 Jun 2013, Vlad Grigorescu wrote: We got hit with this in September. UDP/19 became our busiest port overnight. Most of the systems participating were printers. We dropped it at the border, and had no complaints or ill effects. Dropping the TCP and UDP "small services" like echo

Re: chargen is the new DDoS tool?

2013-06-11 Thread Charles Wyble
Hmmm. Do you not run a default deny at your border, which would catch this sort of thing? Granted that's not always possible I suppose. Maybe block all UDP you don't specifically need? Do you have an ids/ips? If not, look at SecurityOnion on a SPAN port, it will provide great insight into what's ha

Re: chargen is the new DDoS tool?

2013-06-11 Thread Vlad Grigorescu
We got hit with this in September. UDP/19 became our busiest port overnight. Most of the systems participating were printers. We dropped it at the border, and had no complaints or ill effects. --Vlad Grigorescu Carnegie Mellon University On Jun 11, 2013, at 11:39 AM, Bernhard Schmidt w

Re: chargen is the new DDoS tool?

2013-06-11 Thread Bernhard Schmidt
Brielle Bruns wrote: Hey, >> we have been getting reports lately about unsecured UDP chargen servers >> in our network being abused for reflection attacks with spoofed sources >> >> http://en.wikipedia.org/wiki/Character_Generator_Protocol >> >> | In the UDP implementation of the protocol, the s

Re: chargen is the new DDoS tool?

2013-06-11 Thread Brielle Bruns
On 6/11/13 9:39 AM, Bernhard Schmidt wrote: Heya everyone, we have been getting reports lately about unsecured UDP chargen servers in our network being abused for reflection attacks with spoofed sources http://en.wikipedia.org/wiki/Character_Generator_Protocol | In the UDP implementation of th

chargen is the new DDoS tool?

2013-06-11 Thread Bernhard Schmidt
Heya everyone, we have been getting reports lately about unsecured UDP chargen servers in our network being abused for reflection attacks with spoofed sources http://en.wikipedia.org/wiki/Character_Generator_Protocol | In the UDP implementation of the protocol, the server sends a UDP | datagram