- Original Message -
From: william(at)elan.net [EMAIL PROTECTED]
To: John Obi [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Wednesday, March 03, 2004 3:42 AM
Subject: Re: UUNet Offer New Protection Against DDoS
On Tue, 2 Mar 2004, John Obi wrote:
Hello Nanogers!
I'm happy to
- Original Message -
From: Deepak Jain [EMAIL PROTECTED]
To: william(at)elan.net [EMAIL PROTECTED]
Cc: John Obi [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Wednesday, March 03, 2004 2:56 AM
Subject: Re: UUNet Offer New Protection Against DDoS
william(at)elan.net wrote:
On Tue, 2
On Wed, 2004-03-03 at 09:26, Paul G wrote:
can't speak for them, but this would be my preferred first step. next step
is, of course, an attempt to filter on {source, unique characteristics, what
have you} and removing the blackhole.
What most people seem to forget is that neither of these
erik,
- Original Message -
From: Erik Haagsman [EMAIL PROTECTED]
To: Paul G [EMAIL PROTECTED]
Cc: Deepak Jain [EMAIL PROTECTED]; william(at)elan.net [EMAIL PROTECTED];
John Obi [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Wednesday, March 03, 2004 3:47 AM
Subject: Re: UUNet Offer New
From: On Behalf Of John Obi
Sent: Wednesday, March 03, 2004 2:21 AM
MCI/WorldCom Monday unveiled a new service level agreement (SLA)
At the risk of sounding thoroughly underwhelmed... Uhm, where's the beef? All I see
is the opportunity to get a service credit should one complain loud
Hi Paul,
snip
correct. from our pov, it is gone. given that 'solving the problem' is not
always possible, this is almost as good as it gets in the real world.
Fully agree, and this is basically the way it should be: a customer
shouldn't be concerned about the carrier solving the problem or
On Wed, 3 Mar 2004, Stephen J. Wilcox wrote:
Erm is it me or are the writers of Bagle and Netsky determined to keep morphing
their code to outwit the virus scanners.. is this a new trend in virus writing -
beat the systems by evolving your code quicker than the security firms can
Erm is it me or are the writers of Bagle and Netsky determined to keep morphing
their code to outwit the virus scanners.. is this a new trend in virus writing -
beat the systems by evolving your code quicker than the security firms can
release updates?
Steve
On Tue, 2 Mar 2004, Larry
The key here is that it is part of the SLA. Customers are eligible for credit
based on outages depending on the circumstance. In the past this was only telco
and backbone related outages. Therefore, depending on the nature of the attack
and the cooperation of the customer, they ~may~ be
Hi John,
While the formalities of the CW acquisition have yet to kick in, I
have no reason to believe that anything will change here: Savvis
pioneered the 15 minute response time for DoS issues - whether or not
it's our customer calling in. If it involves Savvis customers in any
way, we
Erm is it me or are the writers of Bagle and Netsky determined to keep morphing
their code to outwit the virus scanners.. is this a new trend in virus writing -
beat the systems by evolving your code quicker than the security firms can
release updates?
new trend in that it started
Hi guys,
Is there anyone with a fiber drop or something around Penn Station in NYC? Or
some non T-Mobile wireless presence?
We're trying to get some bandwidth in the Pennsylvania Hotel in july, and I had
hoped to do this through T-Mobile's wireless, but that doesn't seem to be
an option
When I first saw this post I thought that MCI/UU.Net implemented some DDOS
BGP community strings like CW implemented a month ago. If only all of my
upstreams would have this type of BGP Community string my life would be made
easier. Here is the customer release letter from CW dated January
it has gotten to the point for me that i am looking for a whitelisting
option on my firewall/a-v gateway instead of a blacklisting one for
attachments.
Stephen J. Wilcox wrote:
Erm is it me or are the writers of Bagle and Netsky determined to keep morphing
their code to outwit the virus
Date: Wed, 3 Mar 2004 16:15:39 + (GMT)
From: Stephen J. Wilcox [EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]
Erm is it me or are the writers of Bagle and Netsky determined to keep morphing
their code to outwit the virus scanners.. is this a new trend in virus writing -
beat
To the best of my knowledge, MCI/UUNET ~was~ the first to implement this. I've
been using it for well over a year now.
The community is 701:. Any route you tag with that community gets dropped
across the entire 701 edge. Feel free to contact support and tell them you
want to setup the
Of course, I'm certain Sandvine is selling something to solve the
problem, but it is still a very nice article with some measurable
numbers.
http://www.globeandmail.com/servlet/story/RTGAM.20040303.gtsandmar2/BNStory/Technology/
On any given day, its white paper concluded, between 2 and 12 per
I am curious how network operators are dealing with the latest w32/bagle
variants which seem particularly evil.
Also, does anyone have tools for regexp and purging these mails from unix
mailbox (not maildir) mailspool files? Eg purging these mails after the
fact if they were delivered to
- Original Message -
From: william(at)elan.net [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, March 03, 2004 3:07 PM
Subject: Warning - new trend of attempts to infect ISP users (possibly
virus)
I have just seen emails (several different kinds) pretending to be sent
from
Could someone from whoever owns CAIS Internet (AS3491) please
contact me offlist? One of your customers has a machine that is making
a lame attempt at a DDOS attack.
Although ineffectual, it is causing a slight uptick in bandwidth usage and
we need to get this stopped before I take it to your
-Original Message-
From: Dan Hollis [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 3, 2004 08:24 PM
To: '[EMAIL PROTECTED]'
Subject: dealing with w32/bagle
I am curious how network operators are dealing with the latest w32/bagle
variants which seem particularly evil.
Also, does
Quoting Dan Hollis [EMAIL PROTECTED]:
I am curious how network operators are dealing with the latest w32/bagle
variants which seem particularly evil.
Also, does anyone have tools for regexp and purging these mails from unix
mailbox (not maildir) mailspool files? Eg purging these mails
On Mar 3, 2004, at 11:24 AM, Stephen Perciballi wrote:
To the best of my knowledge, MCI/UUNET ~was~ the first to implement
this. I've
been using it for well over a year now.
Indeed. One could even get fancy and set of different community
sets to allow customers to drop traffic only on peering
The clamav team is doing a great job of keeping up to date with the Bagle
variants, and they've also deployed a couple of generic signatures which
should catch at least some variations as they show up.
As for finding them on the filesystem once delivered, an easy place to
start is [EMAIL
Hi, NANOGers.
] When I first saw this post I thought that MCI/UU.Net implemented some DDOS
] BGP community strings like CW implemented a month ago. If only all of my
] upstreams would have this type of BGP Community string my life would be made
] easier. Here is the customer release letter
On Wed, 3 Mar 2004, Brian Wilson wrote:
Quoting Dan Hollis [EMAIL PROTECTED]:
I am curious how network operators are dealing with the latest w32/bagle
variants which seem particularly evil.
I am also interested in what network/mail folks are doing about this
situation.
Blocking all
Quoting Dan Hollis [EMAIL PROTECTED]:
I am curious how network operators are dealing with the latest w32/bagle
variants which seem particularly evil.
We are currently blocking *all* .zip attachments as a short-term work around,
until we can modify our virus scanner to block only
We created bogus DNS entries for the following entries, known to be targeted by the worm:
www.sportscheck.de
www.songtext.net
www.songtext.de
www.maiklibis.de
www.gfotxt.net
postertog.de
permail.uni-muenster.de
The entries directed traffic to an interface on a router that can handle the traffic.
Turns out that the ZIP file format that all of these beasties are
using is a little bit non-standard. Specifically they are all version
1.0 zip archives and the first (and only) component is not
compressed.
At MIT we are matching these two strings to recognize the infected ZIP
files while
XO set up a similar customer community last year for our customers to
trigger their own black hole at our edge. There is no such thing as an
original idea. :) This promised response probably means if you press 3
on your phone, you will get a CSR to open a ticket within 15 minutes.
Sounds like
Greetings from Wyoming --
Just a real quick question for the folks on the Nanog list:
We are using the following RBL's on our MTA right now:
Spamhaus (sbl-xbl)
DSBL
NJABL (dynablock)
Are there any other good lists out there that you folks have had good
experience with? Any that we might want
Global Crossing has this, already in production.
I was on the phone with Qwest yesterday this was one
of the things I asked about. Qwest indicated they are
going to deploy this shortly. (i.e., send routes tagged with
a community which they will set to null)
James Edwards
Routing and Security
Global Crossing has this, already in production.
Idem, Teleglobe,
mh
I was on the phone with Qwest yesterday this was one of
the things I asked about. Qwest indicated they are going to
deploy this shortly. (i.e., send routes tagged with a
community which they will set to null)
I'm puzzled by one aspect on the implementation.. how to build your customer
prefix filters.. that is, we have prefix-lists for prefix and length. Therefore
at present we can only accept a tagged route for a whole block.. not good if the
announcement is a /16 etc !
Now, I could do as per the
So maybe a guy with customer connections to each of these networks will
offer a BGP-redirector whereby you can send it 1 prefix and it will send
it to all the customer networks.
Boy. Is that abusable. eesh.
Deepak Jain
AiNET
james wrote:
Global Crossing has this, already in production.
I
As long as we're doing Me Too...
Savvis has had prefix:666 for around 18 months as well.
Alif Terranson
OpSec Engineering Manager
Operations Security Department
Savvis Communications Corporation
(314) 628-7602 Voice
(314) 208-2306 Pager
(618) 558-5854 Cell
-Original Message-
From:
On Mar 3, 2004, at 4:47 PM, Stephen J. Wilcox wrote:
I'm puzzled by one aspect on the implementation.. how to build your
customer
prefix filters.. that is, we have prefix-lists for prefix and length.
Therefore
at present we can only accept a tagged route for a whole block.. not
good if the
I'm puzzled by one aspect on the implementation.. how to build your customer
prefix filters.. that is, we have prefix-lists for prefix and length.
Therefore at present we can only accept a tagged route for a whole block..
not good if the announcement is a /16 etc !
MCI handles this
On Wed, 3 Mar 2004, Brandon Shiers wrote:
Are there any other good lists out there that you folks have had good
experience with? Any that we might want to consider taking a look at?
Thanks,
Have you looked at graylisting, temp failing mail with a sender/receiver/IP
you have not seen before?
On Mar 3, 2004, at 5:22 PM, Stephen J. Wilcox wrote:
I'm puzzled by one aspect on the implementation.. how to build your
customer
prefix filters.. that is, we have prefix-lists for prefix and length.
Therefore at present we can only accept a tagged route for a whole
block..
not good if the
We still implement exact match prefix filtering, but also generate a
second aggregated prefix-list for customers to match more specifics.
If a prefix matches 3561:666 _and_ falls within the DDoS/aggregated
prefix-list, we accept it and blackhole it. If a customer announces the
more specific
On Mar 3, 2004, at 4:23 PM, Brandon Shiers wrote:
Just a real quick question for the folks on the Nanog list:
We are using the following RBL's on our MTA right now:
Spamhaus (sbl-xbl)
DSBL
NJABL (dynablock)
Are there any other good lists out there that you folks have had good
experience with?
pass. I will be the first to admit that using mail as a file transfer protocol
isn't the way to go, but getting people to realize that (and forcing them to
change) is next to impossible.
Until there's an easy way of getting a file to your friend down the
street that's as easy as
We created bogus DNS entries for the following entries, known to be
targeted by the worm:
www.sportscheck.de
www.songtext.net
www.songtext.de
www.maiklibis.de
www.gfotxt.net
postertog.de
permail.uni-muenster.de
For what it's worth ns{1,2,3,4}.everydns.net will answer for the
If it ain't one thing, it's...
http://www.vnunet.com/News/1153081
I struggled with this, and came up with the following.
We basically use a standard route-map for all customers where the first
term looks for the community. The customer also has a prefix-list on
their neighbor statement allowing their blocks le /32. The following
terms (term 2 and above) in the
I don't know what the prevailing attitude is, but it seems to me
that 451ing unknown senders is a good way to get on the bad side of
sysadmins who have to deal with the backlog until your server decides to
accept them.
I would think if you're willing to spend others' resources on reducing
your
Oh, and I strip their communities, and apply no-export, on the first
term of my route map so the /32 does not get out. Of course my peer
facing policy requires specific communities to get out as well (belt and
suspenders).
This method works very well, and you do not have to give up length
On Wed, 3 Mar 2004 17:45:59 -0500 Patrick W.Gilmore [EMAIL PROTECTED] wrote:
On Mar 3, 2004, at 4:23 PM, Brandon Shiers wrote:
Just a real quick question for the folks on the Nanog list:
We are using the following RBL's on our MTA right now:
Spamhaus (sbl-xbl)
DSBL
NJABL (dynablock)
On Mar 3, 2004, at 5:51 PM, Lumenello, Jason wrote:
I struggled with this, and came up with the following.
We basically use a standard route-map for all customers where the first
term looks for the community. The customer also has a prefix-list on
their neighbor statement allowing their blocks
On Wed, 3 Mar 2004, Scott Call wrote:
On Wed, 3 Mar 2004, Nathan Allen Stratton wrote:
Have you looked at graylisting, temp failing mail with a sender/receiver/IP
you have not seen before?
I don't know what the prevailing attitude is, but it seems to me
that 451ing unknown senders is a
We actually accept up to the customers aggregate. So if they have a
/16, they can tag the whole /16. And we do not tag no-export. I saw
some time ago on a list, and I think Bill Manning suggested it, that if
you are getting bits for unused address space, to announce that address
space (up to
On Mar 3, 2004, at 6:00 PM, Richard Welty wrote:
Of the ones above, I only use spamhaus, combined with opm.blitzed.org
relays.visi.com
i use the same ones as Patrick, but i also use the cbl (a component of
the
spamhaus xbl, perhaps the only one at the present time, but that could
change.)
[I know it is not spam-l, but I still am interested. :-]
On Mar 3, 2004, at 6:32 PM, Nathan Allen Stratton wrote:
On Wed, 3 Mar 2004, Scott Call wrote:
On Wed, 3 Mar 2004, Nathan Allen Stratton wrote:
Have you looked at graylisting, temp failing mail with a
sender/receiver/IP
you have not seen
I have heard rumors of a new low-end 1U Juniper router, aimed directly
at replacing the 2600/3600 series. Supposedly its code name is
Pepsi... Does anyone have more info on this? :-)
| What follows are the base64 encoded strings. I have put an asterisk
| between the first and second character, so my own filters won't reject
| this message, do remove that before using...
|
| U*EsDBAoAA = Matches unencrypted ZIP file
| U*EsDBAoAAQAAA = Matches encrypted version.
Hi,
On Wed, 3 Mar 2004 18:35:27 -0500 Patrick W.Gilmore [EMAIL PROTECTED] wrote:
On Mar 3, 2004, at 6:00 PM, Richard Welty wrote:
Of the ones above, I only use spamhaus, combined with opm.blitzed.org
relays.visi.com
i use the same ones as Patrick, but i also use the cbl (a component of
[..] set up a similar customer community last year for our customers to
[snip a whole bunch of we've been doing this for some time posts]
Yeah - lots of ISPs have been advertising blackhole communities for over
a year now. However, UUNET did say they'd got an SLA set up for this.
So,
Dan Hollis [3/4/2004 1:54 AM] :
Also, does anyone have tools for regexp and purging these mails from unix
mailbox (not maildir) mailspool files? Eg purging these mails after the
fact if they were delivered to user's mailboxes before your virus scanner
got a database update.
Others have given
[..] set up a similar customer community last year for our
customers to
[snip a whole bunch of we've been doing this for some time
posts]
Yeah - lots of ISPs have been advertising blackhole communities
for over a year now. However, UUNET did say they'd got an SLA
set up for this.
Randy Bush [3/4/2004 6:40 AM] :
i think the north american idiom is putting your money where your
mouth is.
Thank you. That's exactly what I was driving at.
Hmm.. one of the people in that we've been doing this too thread was
XO. Do I take it then that XO provides for DDoS downtime in its
- Original Message -
From: Suresh Ramasubramanian [EMAIL PROTECTED]
To: Randy Bush [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Wednesday, March 03, 2004 8:21 PM
Subject: Re: UUNet Offer New Protection Against DDoS
Randy Bush [3/4/2004 6:40 AM] :
i think the
Curtis Maurand wrote:
Until there's an easy way of getting a file to your friend down the
street that's as easy as sending an email, we're stuck with this.
There are actually several, some with features much superior to using
email as the truck.
The problem with them is: Nobody wants to
--- Patrick W.Gilmore [EMAIL PROTECTED] wrote:
What's wrong with letting customers announce /32s
into your network, as
long as you do not pass it to anyone else (including
other customers)?
Theoretically nothing. However, you do need to watch
out, because there are a certain percentage of