produce in
short order.
(BTW: Need/want some more of our famous Colo Blend Mr. Thomas?)
That was some of the best joe I've had, and I'd welcome another
batch! Just don't tell the rest o' Team Cymru about it - it's mine,
all mine! Muahaha! :)
Thanks!
Rob.
--
Rob Thomas
Team Cymru
http
changes.
Thanks,
Rob, for Team Cymru.
--
Rob Thomas
Team Cymru
http://www.cymru.com/
cmn_err(do_panic, Out of coffee!);
was in
the ARIN database, we were told not to. We tried to explain the
registration information was already public via ARIN, but were told
not to update the IANA registry. IANA and ARIN are working out
something to resolve this issue.
Great, thanks to all!
Thanks!
Rob.
--
Rob Thomas
Team Cymru
http
have two ways to notify folks:
1. bogon-announce list, http://puck.nether.net/mailman/listinfo/
bogon-announce
2. Automated updates with the bogon route-servers, http://
www.cymru.com/BGP/bogon-rs.html
Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.cymru.com/
cmn_err(do_panic, Out of coffee!);
/index.html
--
Rob Thomas
Team Cymru
http://www.cymru.com/
cmn_err(do_panic, Out of coffee!);
I'd guess the Cymru team is less likely to be hax0r'ed. But that's
just 'cause I'm afraid of them. (Especially if Rob's had coffee
recently. Which means I'm always afraid of them. :)
Muahaha! :)
--
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee != empty);
] Thanks and I am really impressed with everyone's reaction to this attack.
] Especially Rob Thomas, he really has a grip on it.
Thanks muchly, Barrett, but the credit goes to Steve Gill. :)
--
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee != empty);
and the like.
I don't like it. You don't like it. The miscreants love it. It's
always a balancing act.
Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee != empty);
Hi, NANOGers.
] other cctld servers have seen what are effectively ddos. rob thomas
] seems to have the most clue on this, so i hope this troll will entice
] him to speak.
Did someone say troll? :)
Yes, this is a real problem. These attacks have exceeded several
gigabits per second in size
/database servers, or transit through those routers,
etc. There's a reason why such devices are popular with
the criminals. :(
--
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee != empty);
, and they need help. I also
didn't want folks to believe that it is a problem related to
one OS or demographic. It's a problem of crime, mostly.
Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee != empty);
to
suggestions and quick to assist.
http://nfsen.sourceforge.net/
Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee != empty);
] It looks like they were given real ARIN allocations for those test
] prefixes, so it's not like those blocks are going to be assigned to some
] random network who goes to use them and finds out there is a Cymru
] announcement on their space.
Yes, agreed. :)
--
Rob Thomas
Team Cymru
http
everyone.
Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee != empty);
using this login and
password?
Thanks!
Rob.
--
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee != empty);
common now. This provides
obfuscation and sometimes encryption.
Most of the changes are based on templates. Consider this bundled
clue, where the prowess of the template user isn't at all a factor.
Use the flows. :)
Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee
? Are
] your defenses against non-spoofed attacks really helped by the extra
] filtering?
Great question, and we're eager to hear the results as well. Our
study is well past its prime, to be sure.
Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee != empty);
that I
think about it. Doh!
--
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee != empty);
Hi, NANOGers.
Here is Barrett's list, including and sorted by ASN.
Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee != empty);
ASN IP AS Name
59 | 128.105.45.101 | WISC-MADISON-AS - University o
224 | 129.177.162.218 | UNINETT
.
--
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee != empty);
and abuses that might concern
you even more. It is generally the case that the tools and
techniques for both are the same.
Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee != empty);
Hi, NANOGers.
Just a FYI - we at Team Cymru are upgrading some of our infrastructure
today. This will result in partial and complete outages for most of
the day. We will be back online, new and improved, by the end of the
day.
Thanks!
Rob, for Team Cymru.
--
Rob Thomas
Team Cymru
http
.
--
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee != empty);
of salt. :)
Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee != empty);
IPv6 obviously presents a huge address space, the miscreants
don't have to scan all of it, or compromise much more than a few
devices on it, to reap a reward. Just enough is good enough.
I'll take a pina colada anyway. :)
Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee
, for Team Cymru.
--
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee != empty);
, cursing the Sox. ;)
We continue to debug it with our peers. Stay tuned!
Apologies for the inconvenience.
Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee != empty);
probably ask
them to change that.
Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee != empty);
to announcing the test prefixes.
74.63.1.2
75.127.1.2
76.191.1.2
Sorry those weren't announced sooner!
Thanks,
Rob, for Team Cymru.
--
Rob Thomas
http://www.cymru.com
Shaving with Occam's razor since 1999.
] and statistical reliability. presumably that is coming and just
] hasn't been discussed or carried out yet.
Yep, that's being done since we announced the prefixes.
More details to come shortly. :)
Todd, thanks for checking on these prefixes and sharing what you
see!
Thanks,
Rob.
--
Rob
PROTECTED]
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
Shaving with Occam's razor since 1999.
-bogon.html
Bogus ASN monitoring
- http://www.cymru.com/BGP/asnbogusrep.html
Please feel free to contact Team Cymru [EMAIL PROTECTED] with any comments,
questions, or concerns.
Thank you for your continued support.
Thanks!
Rob.
- --
Rob Thomas
http://www.cymru.com
Shaving with Occam's
,
questions, or concerns.
Thank you for your continued support.
Rob, for Team Cymru.
- --
Rob Thomas
http://www.cymru.com
Shaving with Occam's razor since 1999.
support.
Rob.
- --
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
Cymru.
- --
Rob Thomas
http://www.cymru.com
Shaving with Occam's razor since 1999.
.
http://www.cymru.com/BGP/bogon-rs.html
Thanks,
Rob, for Team Cymru.
--
Rob Thomas
http://www.cymru.com
Shaving with Occam's razor since 1999.
uses TFTP to update itself as well.
Please note that I am NOT advocating the blocking of TFTP.
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
Shaving with Occam's razor since 1999.
Hi, Hank.
] How would this scale for say 200K routers? 2M? -Hank
Dave Deitrich of Team Cymru will be presenting on this very
topic at the next NANOG. Short answer: We're ready when
you are. :)
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
Shaving with Occam's razor since 1999.
, and they are, yet no one notices.
Most of these compromised routers are at the end of FR or
frac-T connections. I suspect a great many of them were
configured once, then left to rot with the same code and
configuration for years and years.
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
Shaving
Hi, Bryan.
] Rob T - this should be a periodic FAQ:
]
]http://www.cymru.com/Bogons/
That's a great idea! Everyone knows I don't send out nearly enough
email. :) Seriously, we'll try to be better about sending out
regular reminders.
Thanks!
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT
that encrypted packets
keep them safe. Encryption != security.
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
Shaving with Occam's razor since 1999.
.
So while a new approach to security with IPv6 may be warranted, many of
the same old threats await you there.
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
Shaving with Occam's razor since 1999.
of filtering. We and others provide those as well:
http://www.cymru.com/Documents/secure-bgp-template.html
http://www.cymru.com/gillsr/documents/junos-bgp-template.htm
ftp://ftp-eng.cisco.com/cons/isp/security/Ingress-Prefix-Filter-Templates/
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT
!
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
to deploy more
if necessary.
By the way we recommend that folks peer with at least two of the
Bogon route-servers.
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
/Reach/garbage.html
http://www.cymru.com/Reach/darknet.html
Thanks!
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
.
http://www.cymru.com/Darknet/
We hope you find this of use. Comments and suggestions are always
welcome!
Thanks!
Rob, for Team Cymru.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
and
the flows on them. Comments, feedback, and coffee are always welcome! :)
Thanks!
Rob, for Team Cymru.
- --
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
to the Coldlife botherd.
Ka-ching, another botnet stolen. Things have evolved in a
distributed manner from this feature.
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
Please feel free to contact Team Cymru [EMAIL PROTECTED] with any
comments, questions, or concerns.
Thanks!
Rob, for Team Cymru.
- --
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
the post? I'm low on coffee tonight. :)
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
- http://www.cymru.com/Bogons/index.html#dns
Monitoring
Bogon prefix monitoring
- http://www.cymru.com/BGP/robbgp-bogon.html
Please feel free to contact Team Cymru [EMAIL PROTECTED] with any
comments, questions, or concerns.
Thanks!
Rob, for Team Cymru.
--
Rob Thomas
http
from CW dated January 23,
] 2004:
UUNET/MCI has had that capability since circa 2002, I believe. Several
ISPs borrowed heavily from the following page to create similar services.
http://www.secsup.org/CustomerBlackHole/
Kudos to Chris and Brian. :)
Thanks,
Rob.
--
Rob Thomas
http
the following URL for
more details:
http://www.cymru.com/BGP/bogon-rs.html
You do not have to be an ISP or a large enterprise network to peer
with the bogon route-servers. We are happy to help you to filter
the prefixes provided by the bogon route-servers.
Thanks,
Rob, for Team Cymru.
--
Rob Thomas
] 2.1.17 Simplicity
]
] The architecture MUST be simple enough so that Radia Perlman can
] explain all the important concepts in less than an hour.
Oh, phew, good thing that isn't me. I've never been able to explain
anything in less than an hour. :)
--
Rob Thomas
http
Hi, NANOGers.
] Cooperation with the bogon project seems logical too.
We at Team Cymru are happy to help in any way we can!
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
to contact Team Cymru with any comments, questions, or
concerns.
We hope to see you in [sunny|warm|no snow] Miami! :)
Thanks!
Rob, for Team Cymru.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
with the modification and testing of
filters, please don't hesitate to ping on us!
Thanks,
Rob, for Team Cymru.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
Hi, NANOGers.
] Hate to follow up to myself, but as someone just pointed out, 65333 is the
] cymru bogons server.
Woohoo, we're on route-views! We've made the big time! :) That
said, please remember to strip off such things with peers and
customers. :)
Thanks,
Rob.
--
Rob Thomas
http
.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
with very small pipes (circa T1) and very large
netblocks (circa /16). These folks paid a heavy price when
hit with the scan all IPs in the netblock worms.
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
the official
announcement. :)
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
BGP prefix
updates.
Please feel free to contact Team Cymru with any comments, questions, or
concerns.
Thanks!
Rob, for Team Cymru.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
of the latest IDS at their borders, only to be
owned from within or owned by a method not yet in the
ever-behind signature database of the IDS devices. One can
waste money on security just as easily as one can waste money
on anything else.
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee
for my presentation instead. I'm
a moving target, and that makes it much more fun. :)
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
Hi, NANOGers.
] Next topic: multiple origin ASNs ..
Ooo, one of our faves. :) For a simple view:
http://www.cymru.com/BGP/incon01.html
http://www.cymru.com/BGP/incon01-list.html
Thanks,
Rob, for Team Cymru.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
] (so I guess I got the last room).
You may have. There is a convention of surgeons running at the same
time as NANOG. The good news is that I can be assured of quick
resuscitation if we run out of coffee. :)
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
if you go beyond the 64K mark. Take a look here for some
(slightly dated *sigh*) suggestions along these lines.
http://www.cymru.com/Documents/ip-stack-tuning.html
As with anything, don't simply crank it up to 11 because it can
be done. Plan, tune, measure, repeat. :)
Thanks,
Rob.
--
Rob
for this purpose is far more in
vogue. Watch out for worms such as W32.Sanper, which also
provide a built-in spam relay network. Remove all of the
open mail relays and you are left with...lots of spam.
More at NANOG... ;)
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
Hi, Mat.
] So who thinks allowing anyone to route to or from IANA Reserved blocks
] (Bogons) is acceptable?
It's a continuing mystery to me, when it's not exactly impossible
to do.
http://www.cymru.com/Bogons/index.html
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
;
I am saying that the cost hasn't been realistically quantified.
Of course all of this is hand-waving until the market places
security above other requirements, such as increased performance
and shiny new features.
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
/lame.html
Our thanks to those of you who have donated additional data for
the cause. It is greatly appreciated. :)
Thanks!
Rob, for Team Cymru.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
) a filtering service.
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
just might end up as an
example in my next presentation. ;)
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
Hey, Chris.
] No... I have one T1 to Sprint and one T1 to ATT, I think my ATT bill
] will be high this month so I stop sending OUT ATT and only accept...
Yep, this is a very common tactic, for reasons of finance, politics,
responsiveness, etc.
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
anonymous, as you prefer. Such donations help
the community at large. Be the first in your ASN to donate
data! :) If you are interested in donating data, please
contact us at team-cymru at cymru.com.
Thanks!
Rob, for Team Cymru.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
/Documents/secure-bgp-template.html
http://www.qorbit.net/documents/junos-bgp-appnote.htm
] ...no offense Rob, I'm pretty sure our beliefs are aligned here :-).
None taken, I completely agree.
Thanks,
Rob, not just the bogon guy. :)
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
in there! I hope the power is restored to everyone soon. If
there is anything I or Team Cymru can do to assist, don't hesitate
to ping on us.
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
] I don't believe I ever said that the edges shouldn't filter... did I?
Nope. I've always heard you say quite the opposite - the edges
should filter. :)
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
tool out of their toolbox. We win this battle by degrees.
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
Hi, NANOGers.
] See show ip bgp inconsistant-as on cisco. YMMV.
On that theme, please also see:
http://www.cymru.com/BGP/incon01.html
http://www.cymru.com/BGP/incon01-list.html
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
. through HTML, text, DNS, and BGP
peering.
Thanks!
Rob, for Team Cymru.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
of it is not.
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
of 10K bots often introduces only the
most minor of delays. :(
Regarding sophistication: I never make the mistake of believing the
enemy is dumb. I also do not believe the enemy will go further than
what is necessary to accomplish the mission. Just enough is good
enough.
Thanks,
Rob.
--
Rob
] Sure, trace my attacks to the linux box at UW, I didn't spoof the flood
] and you can prove I did the attacking how? You can't because I and 7 other
] hackers all are fighting each other over ownership of the poor UW student
] schlep's computer...
Only seven? Must be a lame box. :)
--
Rob
issue.
I'll slightly modify that statement; it is a *PEOPLE* issue.
People who write code. People who use systems and networks.
People who abuse all of the above for monetary gain.
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
the
script kiddies while I've seen those same script kiddies
own over 500K devices since 01 JAN 2003. What a bunch of
lamers, they should have owned 1M devices by now, eh? :|
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
Hi, NANOGers.
] Oh, joy -- more spam instead of telemarketers.
UGH. This of course requires more hosts sending spam, which in turn
raises the value of a compromised host or router.
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
suppose the reason they don't own hundreds is because that isn't
enough. :/
] Like most statistics, the truth is probably a little harder to find, and
] a little bit scarier.
Indeed.
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
it. :) For those who
offered to assist I'll let you sneak out before I begin my next NANOG
Security BoF presentation. :)
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
the plethora of other malware that can also forward spam.
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
] mentality.
For those who herd bots, this in theory provides the capability to
get-it-done-right *AND* get-it-done-now. :/
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
, and I look pretty darn NANOGish if I do say so
myself. :)
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
for any me too incidents
we can find.
Is anyone else having issues down there?
Replies on or off list appreciated.
Alif Terranson
Savvis Communications
(314) 628-7602
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
to buy a
cup of coffee for Rob at the SLC NANOG if you feel kindly. :)
You can read more about the project here:
http://www.cymru.com/BGP/bogon-rs.html
You can read more about bogon filtering and tracking here:
http://www.cymru.com/Bogons/
Thanks!
Rob, for Team Cymru.
--
Rob Thomas
http
this change.
You should update any filters you have.
The bogus ASN report, which shows ASNs leaking private, unallocated,
and reserved ASNs, is located here:
http://www.cymru.com/BGP/asnbogusrep.html
Thanks,
Rob, for Team Cymru.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
are always welcome!
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);