Re: WANTED: ISPs with DDoS defense solutions

2003-08-14 Thread Christopher L. Morrow
On Wed, 6 Aug 2003, Paul Vixie wrote: More and more there is less and less spoofing, it's just not required and it causes more damage with less effort :( Why spoof when you have 1000 machines pumping 1 packet per second? (or 10) leaving the spoofing option open for future generations of

opsec IETF draft (was Re: WANTED: ISPs with DDoS defense solutions)

2003-08-14 Thread George Jones
Randy Bush wrote: There are requirements one can make of vendors. These have been made, several times :) In fact there is an IETF working group pushing these requirements now, Mr. Bush could provide the details that have slipped my addled brain. it is not a wg. but there is a draft

Re: WANTED: ISPs with DDoS defense solutions

2003-08-14 Thread Paul Vixie
More and more there is less and less spoofing, it's just not required and it causes more damage with less effort :( Why spoof when you have 1000 machines pumping 1 packet per second? (or 10) leaving the spoofing option open for future generations of attacks, rather than having a witch-hunt and

Re: WANTED: ISPs with DDoS defense solutions

2003-08-14 Thread Christopher L. Morrow
On Tue, 5 Aug 2003, Mike Tancsa wrote: At 07:02 PM 05/08/2003 +, Christopher L. Morrow wrote: so long as you are sure they aren't spoofed, yes. A recent post by Rob Thomas said, I've tracked 1787 DDoS attacks since 01 JAN 2003. Of that number, only 32 used spoofed sources. I rarely

Re: WANTED: ISPs with DDoS defense solutions

2003-08-14 Thread Hank Nussbacher
On Mon, 4 Aug 2003, Jared Mauch wrote: For those of you that are doing IPv6 deployments, might I suggest you also take the time to do the same? I know that Cisco has v6 u-rpf support already. but not netflow as far as i remember. -hank - Jared --

Re: WANTED: ISPs with DDoS defense solutions

2003-08-14 Thread Randy Bush
There are requirements one can make of vendors. These have been made, several times :) In fact there is an IETF working group pushing these requirements now, Mr. Bush could provide the details that have slipped my addled brain. it is not a wg. but there is a draft being actively worked, see

Re: WANTED: ISPs with DDoS defense solutions

2003-08-14 Thread Jack Bates
[EMAIL PROTECTED] wrote: If the client is behind a NAT, and the spoofed source address doesn't get through, then that's OK because it means that no application in that same location behind the NAT can use spoofed addresses. Which is important given the number of NAT setups that only perform NAT

Re: WANTED: ISPs with DDoS defense solutions

2003-08-14 Thread Mike Tancsa
At 07:02 PM 05/08/2003 +, Christopher L. Morrow wrote: so long as you are sure they aren't spoofed, yes. A recent post by Rob Thomas said, I've tracked 1787 DDoS attacks since 01 JAN 2003. Of that number, only 32 used spoofed sources. I rarely see spoofed attacks now. That's about 1%. Of

Re: WANTED: ISPs with DDoS defense solutions

2003-08-14 Thread Christopher L. Morrow
On Mon, 4 Aug 2003 [EMAIL PROTECTED] wrote: On Mon, Aug 04, 2003 at 05:28:07PM -0400, [EMAIL PROTECTED] wrote: I'm all for raising the bar on attackers and having end networks implement proper source filtering, but even with that 1000 nt machines pinging 2 packet per second is

Re: WANTED: ISPs with DDoS defense solutions

2003-08-10 Thread Paul Vixie
I don't believe I ever said that the edges shouldn't filter... did I? nope. but you said that backbones couldn't/wouldn't/shouldn't, and i showed that transitivity = laundering, which means backbones MUST filter, to within the best capabilities of current technology.

Re: WANTED: ISPs with DDoS defense solutions

2003-08-10 Thread Vadim Antonov
On 5 Aug 2003, Paul Vixie wrote: i'd like to discuss these, or see them discussed. networks have edges, even if some networks are edge networks and some are backbone networks. bcp38 talks about various kinds of loose rpf, for example not accepting a source for which there's no corresponding

Re: WANTED: ISPs with DDoS defense solutions

2003-08-09 Thread Vadim Antonov
On Tue, 5 Aug 2003, Christopher L. Morrow wrote: Spoofed packets are harder to trace to the source than non-spoofed packets. Knowing where a malicious packet is very important to the this is patently incorrect: www.secsup.org/Tracking/ has some information you might want to review.

Re: WANTED: ISPs with DDoS defense solutions

2003-08-07 Thread Christopher L. Morrow
On Wed, 6 Aug 2003, Paul Vixie wrote: I don't believe I ever said that the edges shouldn't filter... did I? nope. but you said that backbones couldn't/wouldn't/shouldn't, and i showed that transitivity = laundering, which means backbones MUST filter, to within the best capabilities of

Re: WANTED: ISPs with DDoS defense solutions

2003-08-07 Thread Jason Robertson
They have existed in the past it was how many an irc server was hacked.. It's just not easy to accomplish but there are many hacker tools to do this still available, some with better capabilities at this than others. Also you could have 2 ip addresses on the same host different interfaces

Re: WANTED: ISPs with DDoS defense solutions

2003-08-06 Thread Paul Vixie
How would the spoofing program, or its user, be able to tell if it was successful? Unless I'm very confused, the definition of spoofing is that the return packets aren't going to come back to you. the whole thing would have to take place during a tcp control session which used d-h to

Re: WANTED: ISPs with DDoS defense solutions

2003-08-06 Thread Christopher L. Morrow
On Tue, 5 Aug 2003, Christopher L. Morrow wrote: Spoofed packets are harder to trace to the source than non-spoofed packets. Knowing where a malicious packet is very important to the this is patently incorrect: www.secsup.org/Tracking/ has some information you might want to

Re: WANTED: ISPs with DDoS defense solutions

2003-08-06 Thread Rob Thomas
] I don't believe I ever said that the edges shouldn't filter... did I? Nope. I've always heard you say quite the opposite - the edges should filter. :) -- Rob Thomas http://www.cymru.com ASSERT(coffee != empty);

Re: WANTED: ISPs with DDoS defense solutions

2003-08-05 Thread Paul Vixie
[EMAIL PROTECTED] (Christopher L. Morrow) writes: There are many cases in which the backbone can't determine the 'proper' traffic an edge is sending in. i'd like to discuss these, or see them discussed. networks have edges, even if some networks are edge networks and some are backbone

Re: WANTED: ISPs with DDoS defense solutions

2003-08-05 Thread Jared Mauch
On Tue, Aug 05, 2003 at 07:25:47AM +0300, Hank Nussbacher wrote: On Mon, 4 Aug 2003, Jared Mauch wrote: For those of you that are doing IPv6 deployments, might I suggest you also take the time to do the same? I know that Cisco has v6 u-rpf support already. but not netflow as far as

Re: WANTED: ISPs with DDoS defense solutions

2003-08-05 Thread Rob Thomas
Hi, NANOGers. ] leaving the spoofing option open for future generations of attacks, ] rather than having a witch-hunt and tracking down and upgrading every ] insecure edge, is just about the worst thing we could do. When I first looked at this problem back in March 2001, I did a study of one

Re: WANTED: ISPs with DDoS defense solutions

2003-08-04 Thread Scott Francis
On Thu, Jul 31, 2003 at 09:09:34PM +0300, [EMAIL PROTECTED] said: [snip] What we need is a new programming paradigm, capable of actually producing secure (and, yes, reliable) software. C and its progeny (and program now, test never lifestyle) must go. I'm afraid it'll take laws which

Re: WANTED: ISPs with DDoS defense solutions

2003-08-04 Thread bdragon
I'm all for raising the bar on attackers and having end networks implement proper source filtering, but even with that 1000 nt machines pinging 2 packet per second is still enough to destroy a T1 customer, and likely with 1500 byte packets a T3 customer as well. You can't stop this without

Re: WANTED: ISPs with DDoS defense solutions

2003-08-04 Thread bdragon
Filtering the bogons does help, and everyone should perform anti-spoofing in the appropriate places. It isn't, however, a silver bullet. it's necessary but not sufficient. anti-spoofing is useful, but vastly insufficient, and hence not necessary randy anti-spoofing eliminates

Re: WANTED: ISPs with DDoS defense solutions

2003-08-04 Thread Randy Bush
Filtering the bogons does help, and everyone should perform anti-spoofing in the appropriate places. It isn't, however, a silver bullet. it's necessary but not sufficient. anti-spoofing is useful, but vastly insufficient, and hence not necessary anti-spoofing eliminates certain avenues of

Re: WANTED: ISPs with DDoS defense solutions

2003-08-04 Thread Jared Mauch
On Mon, Aug 04, 2003 at 05:28:07PM -0400, [EMAIL PROTECTED] wrote: I'm all for raising the bar on attackers and having end networks implement proper source filtering, but even with that 1000 nt machines pinging 2 packet per second is still enough to destroy a T1 customer, and likely

Re: WANTED: ISPs with DDoS defense solutions

2003-08-04 Thread Jack Bates
Randy Bush wrote: anti-spoofing eliminates certain avenues of attack allowing one to focus on remaining avenues, and hence (as Vix stated) is necessary but not sufficient. it turns 1% of the technical problem into a massive social business problem which, even if it was solvable (which it

Re: WANTED: ISPs with DDoS defense solutions

2003-08-04 Thread bdragon
Filtering the bogons does help, and everyone should perform anti-spoofing in the appropriate places. It isn't, however, a silver bullet. it's necessary but not sufficient. anti-spoofing is useful, but vastly insufficient, and hence not necessary anti-spoofing eliminates certain avenues

Re: WANTED: ISPs with DDoS defense solutions

2003-08-04 Thread bdragon
On Mon, Aug 04, 2003 at 05:28:07PM -0400, [EMAIL PROTECTED] wrote: I'm all for raising the bar on attackers and having end networks implement proper source filtering, but even with that 1000 nt machines pinging 2 packet per second is still enough to destroy a T1 customer, and likely

Re: WANTED: ISPs with DDoS defense solutions

2003-08-04 Thread Jared Mauch
On Mon, Aug 04, 2003 at 04:59:53PM -0500, Jack Bates wrote: on has to contact each IP owner and find out if spoof protection is enabled. it's worse than that. If they have it enabled (eg: 10.0.0.0/24 has it enabled), but nobody else does, it allows everyone else to spoof from the

Re: WANTED: ISPs with DDoS defense solutions

2003-08-04 Thread bdragon
it all comes down to filtering, filtering, filtering. announcement filtering, anti-spoof filtering, peer filtering. If you're not doing this, you *SHOULD* be. I know it's hard to do these things in the current business environment. Those of you that can, please take

Re: WANTED: ISPs with DDoS defense solutions

2003-08-04 Thread Rob Thomas
Hi, NANOGers. ] Also, if you can't do it everywhere, doing it where you _can_ is preferable to ] not doing anything at all. Indeed, every little bit helps. We will win these battles by degrees, folks, not through a single panacea. So, with that said, I have to make a shameless plug for the

Re: WANTED: ISPs with DDoS defense solutions

2003-08-04 Thread Rob Thomas
Hi, NANOGers. ] For those of you that are doing IPv6 deployments, might I suggest ] you also take the time to do the same? I know that Cisco has v6 u-rpf ] support already. It's shameless plug and solicitation of feedback day here at Team Cymru. :) We have put together a very rough

Re: WANTED: ISPs with DDoS defense solutions

2003-08-04 Thread Christopher L. Morrow
On Mon, 4 Aug 2003, Jack Bates wrote: Randy Bush wrote: anti-spoofing eliminates certain avenues of attack allowing one to focus on remaining avenues, and hence (as Vix stated) is necessary but not sufficient. it turns 1% of the technical problem into a massive social business

Re: WANTED: ISPs with DDoS defense solutions

2003-08-03 Thread E.B. Dreger
CLM Date: Sat, 2 Aug 2003 02:45:29 + (GMT) CLM From: Christopher L. Morrow CLM EBD Who should be held accountable for vulnerable boxen? CLM CLM I believe the vendor should, but my opinion matters not :) I agree. It stinks when cutting code, knowing that _some_ competitor is slinging out

Re: WANTED: ISPs with DDoS defense solutions

2003-08-03 Thread E.B. Dreger
EBD Date: Sun, 3 Aug 2003 20:06:16 + (GMT) EBD From: E.B. Dreger EBD Sort of like deaggregating routes, helping track down and Ugh. s/helping/not helping/ Eddy -- Brotsman Dreger, Inc. - EverQuick Internet Division Bandwidth, consulting, e-commerce, hosting, and network building Phone:

Re: WANTED: ISPs with DDoS defense solutions

2003-08-02 Thread Rob Thomas
Hi, NANOGers. ] Yes. External attacks are mostly show-offs by kids. Insiders intend to ] do damage - that's the whole point of those attacks. True. Internal oops also tend to do far more damage than an oops from the outside. I've seen more than one bit of malware get loose on a corporate

Re: WANTED: ISPs with DDoS defense solutions

2003-08-01 Thread Michael . Dillon
However, I would like to see Java or Other Language to run on the routers, (I know you can install and play Quake on one vendor´s boxes) but I mean to do things really belonging to the router but so far I have yet to see a vendor to take programmable boxen (outside their own development)

RE: WANTED: ISPs with DDoS defense solutions

2003-08-01 Thread Tomas Daniska
However, I would like to see Java or Other Language to run on the routers, (I know you can install and play Quake on one vendor´s boxes) but I mean to do things really belonging to the router but so far I have yet to see a vendor to take programmable boxen (outside their own

Re: WANTED: ISPs with DDoS defense solutions

2003-08-01 Thread Jack Bates
McBurnett, Jim wrote: if *all* dsl and cablemodem plants firewalled inbound SYN packets and/or only permitted inbound UDP in direct response to prior valid outbound UDP, would rob really have seen a ~140Khost botnet this year? In a sense, I would agree with you. The best method for what you

Re: WANTED: ISPs with DDoS defense solutions

2003-08-01 Thread Jack Bates
Vadim Antonov wrote: On Thu, 31 Jul 2003, Petri Helenius wrote: What we need is a new programming paradigm, capable of actually producing secure (and, yes, reliable) software. C and its progeny (and program now, test never lifestyle) must go. I'm afraid it'll take laws which would actually

Re: WANTED: ISPs with DDoS defense solutions

2003-08-01 Thread Christopher L. Morrow
On Thu, 31 Jul 2003, Dave Israel wrote: Personally, it'll be a long time before I'm convinced that I want my routers running Java. (Like how I brought that almost back on topic in the end, there?) or your ATM switch running windowsNT ? Wait, that already happened, damn!

Re: WANTED: ISPs with DDoS defense solutions

2003-08-01 Thread Vadim Antonov
On Fri, 1 Aug 2003, Jack Bates wrote: There is nothing in C which guarantees that code will be unreliable or insecure. Lack of real strong typing, built-in var-size strings (so the compiler can actually optimize string ops) and uncontrollable pointer operations is enough to guarantee that

Re: WANTED: ISPs with DDoS defense solutions

2003-08-01 Thread E.B. Dreger
CLM Date: Wed, 30 Jul 2003 22:37:21 + (GMT) CLM From: Christopher L. Morrow CLM The problem isn't the network, nor the filtering / CLM lack-of-filtering, its a basic end host security problem. Beyond basic filtering, it's a whack-a-mole to deal with rogue systems. Until the pain of having

Re: WANTED: ISPs with DDoS defense solutions

2003-08-01 Thread E.B. Dreger
PH Date: Thu, 31 Jul 2003 21:09:34 +0300 PH From: Petri Helenius PH However, since improvements are always welcome, please PH recommend tools which would allow us to progress above and PH beyond C and its deficiencies. I'll pick on you for a bit, although this applies to all too many technical

Re: WANTED: ISPs with DDoS defense solutions

2003-08-01 Thread Jack Bates
Vadim Antonov wrote: Lack of real strong typing, built-in var-size strings (so the compiler can actually optimize string ops) and uncontrollable pointer operations is enough to guarantee that any complicated program will have buffer-overflow vulnerabilities. Typing can be enforced if the

Re: WANTED: ISPs with DDoS defense solutions

2003-08-01 Thread Christopher L. Morrow
On Sat, 2 Aug 2003, E.B. Dreger wrote: CLM Date: Wed, 30 Jul 2003 22:37:21 + (GMT) CLM From: Christopher L. Morrow CLM The problem isn't the network, nor the filtering / CLM lack-of-filtering, its a basic end host security problem. Beyond basic filtering, it's a whack-a-mole to

Re: WANTED: ISPs with DDoS defense solutions

2003-07-31 Thread Petri Helenius
1) The OS/software/default settings for a lot of internet connected machines are weak, making it easy to attack from multiple locations. I´ll start looking for this to happen when Microsoft manages to release an OS version which does not contain remote exploitable flaw before the boxes hit

Re: WANTED: ISPs with DDoS defense solutions

2003-07-31 Thread Paul Vixie
1) The OS/software/default settings for a lot of internet connected machines are weak, making it easy to attack from multiple locations. I´ll start looking for this to happen when Microsoft manages to release an OS version which does not contain remote exploitable flaw before the boxes

Re: WANTED: ISPs with DDoS defense solutions

2003-07-31 Thread Petri Helenius
Paul Vixie wrote: lots of late night pondering tonight. the anti-nat anti-firewall pure-end-to-end crowd has always argued in favour of every host for itself but in a world with a hundred million unmanaged but reprogrammable devices is that really practical? The most popular applications

Re: WANTED: ISPs with DDoS defense solutions

2003-07-31 Thread [EMAIL PROTECTED]
On Wed, 30 Jul 2003, Christopher L. Morrow wrote: Sure, trace my attacks to the linux box at UW, I didn't spoof the flood and you can prove I did the attacking how? You can't because I and 7 other hackers all are fighting each other over ownership of the poor UW student schlep's computer...

Re: WANTED: ISPs with DDoS defense solutions

2003-07-31 Thread Petri Helenius
] Cc: NANOG [EMAIL PROTECTED] Sent: Thursday, July 31, 2003 4:17 PM Subject: Re: WANTED: ISPs with DDoS defense solutions On Wed, 30 Jul 2003, Rob Thomas wrote: I've tracked 1787 DDoS attacks since 01 JAN 2003. Of that number, only 32 used spoofed sources. I rarely see spoofed attacks now

RE: WANTED: ISPs with DDoS defense solutions

2003-07-31 Thread McBurnett, Jim
Thomas [EMAIL PROTECTED] Cc: NANOG [EMAIL PROTECTED] Sent: Thursday, July 31, 2003 4:17 PM Subject: Re: WANTED: ISPs with DDoS defense solutions On Wed, 30 Jul 2003, Rob Thomas wrote: I've tracked 1787 DDoS attacks since 01 JAN 2003. Of that number, only 32 used spoofed sources. I rarely

Re: WANTED: ISPs with DDoS defense solutions

2003-07-31 Thread Stephen J. Wilcox
more quickly than packets from legitimate addresses. Pete - Original Message - From: [EMAIL PROTECTED] To: Rob Thomas [EMAIL PROTECTED] Cc: NANOG [EMAIL PROTECTED] Sent: Thursday, July 31, 2003 4:17 PM Subject: Re: WANTED: ISPs with DDoS defense solutions On Wed, 30

RE: WANTED: ISPs with DDoS defense solutions

2003-07-31 Thread Rafi Sadowsky
## On 2003-07-31 09:27 -0400 McBurnett, Jim typed: MJ MJ I tend to agree here. MJ I have noticed so many attacks etc coming from MJ APNIC as of recent that on our corp network we have an ACL MJ to block a number of APNIC blocks. MJ If there was a dynamic method to add null0 routes to MJ

Re: WANTED: ISPs with DDoS defense solutions

2003-07-31 Thread Omachonu Ogali
How about quoting the excerpt in question than telling me to pick up a book that I would lose interest in after the first ten pages?

Re: WANTED: ISPs with DDoS defense solutions

2003-07-31 Thread Vadim Antonov
On 31 Jul 2003, Paul Vixie wrote: the anti-nat anti-firewall pure-end-to-end crowd has always argued in favour of every host for itself but in a world with a hundred million unmanaged but reprogrammable devices is that really practical? Not everything could be hidden behind a firewall,

Re: WANTED: ISPs with DDoS defense solutions

2003-07-31 Thread Omachonu Ogali
I'll start looking for this to happen when Microsoft manages to release an OS version which does not contain remote exploitable flaw before the boxes hit the store shelf. If FreeBSD, OpenBSD, NetBSD, RedHat, Debian, SuSE were packaged and sold in stores, how would this be any different? Oh

Re: WANTED: ISPs with DDoS defense solutions

2003-07-31 Thread Petri Helenius
If FreeBSD, OpenBSD, NetBSD, RedHat, Debian, SuSE were packaged and sold in stores, how would this be any different? Oh wait, They are packaged and sold in stores! Just by comparing the OpenBSD security track record to the one of any Windows release would dismiss your point. People find

Re: WANTED: ISPs with DDoS defense solutions

2003-07-31 Thread Petri Helenius
What we need is a new programming paradigm, capable of actually producing secure (and, yes, reliable) software. C and its progeny (and program now, test never lifestyle) must go. I'm afraid it'll take laws which would actually make software makers to pay for bugs and security

Re: WANTED: ISPs with DDoS defense solutions

2003-07-31 Thread Stephen J. Wilcox
On Thu, 31 Jul 2003, Petri Helenius wrote: What we need is a new programming paradigm, capable of actually producing secure (and, yes, reliable) software. C and its progeny (and program now, test never lifestyle) must go. I'm afraid it'll take laws which would actually make software

Re: WANTED: ISPs with DDoS defense solutions

2003-07-31 Thread Paul Vixie
However, since improvements are always welcome, please recommend tools which would allow us to progress above and beyond C and its deficiencies. I've never been able to program a buffer overrun vulnerability in Modula 3, or Perl, or any version of Lisp or Scheme. It's possible that the

Re: WANTED: ISPs with DDoS defense solutions

2003-07-31 Thread Omachonu Ogali
So by telling people to shut up you expect to make the world more secure? Right :) No, but merely talking about how much the vendor sucks doesn't make them suck any less nor the users suck any more.

Re: WANTED: ISPs with DDoS defense solutions

2003-07-31 Thread Joel Jaeggli
On Thu, 31 Jul 2003, Omachonu Ogali wrote: So by telling people to shut up you expect to make the world more secure? Right :) No, but merely talking about how much the vendor sucks doesn't make them suck any less nor the users suck any more. In some cultures shame is a powerful

Re: WANTED: ISPs with DDoS defense solutions

2003-07-31 Thread Rob Thomas
Hi, Rich. ] Do you have any ideas as to why that is? The anti-spoofing filtering, while not ubiquitous, has had an effect. The increase in the size of botnets is another reason. The fact that the number of vulnerable hosts has reached commodity level is perhaps the primary reason. The loss of

RE: WANTED: ISPs with DDoS defense solutions

2003-07-31 Thread McBurnett, Jim
Paul Vixie said: lots of late night pondering tonight. the anti-nat anti-firewall pure-end-to-end crowd has always argued in favour of every host for itself but in a world with a hundred million unmanaged but reprogrammable devices is that really practical? if *all* dsl and cablemodem plants

RE: WANTED: ISPs with DDoS defense solutions

2003-07-31 Thread Stephen J. Wilcox
I did a test about 6 months ago. almost a honeypot, but not quite. put a standard windows ME system on a RW IP put a $60 cable router in front of a similar system. the ME was compromised and made into a Bot in 3 hours. The $60 router protected one was not compromised in the 2 weeks it was

Re: WANTED: ISPs with DDoS defense solutions

2003-07-31 Thread Vadim Antonov
On Thu, 31 Jul 2003, Petri Helenius wrote: What we need is a new programming paradigm, capable of actually producing secure (and, yes, reliable) software. C and its progeny (and program now, test never lifestyle) must go. I'm afraid it'll take laws which would actually make software

Re: WANTED: ISPs with DDoS defense solutions

2003-07-31 Thread Paul Vixie
Private deployment of software written in C is very different from a major public release, especially so when included with source code. you're right. when i've been involved in non-opensource products which were written in C and then shipped as binaries, i was scared to death about the lack

Re: WANTED: ISPs with DDoS defense solutions

2003-07-31 Thread Petri Helenius
There's nothing wrong with low level languages, and with the proper libraries, they gain some of the advantages of high level languages. Personally, it'll be a long time before I'm convinced that I want my routers running Java. (Like how I brought that almost back on topic in the end,

Re: WANTED: ISPs with DDoS defense solutions

2003-07-30 Thread Jared Mauch
On Tue, Jul 29, 2003 at 04:33:28PM -0700, Lane Patterson wrote: [ obnoxious text wordwrapped :) ] We have some DDoS-sensitive customers asking us to refer them to the best ISPs for in-the-core DDoS defense. Other than UUnet (hi Chris!) and MFN, I'm not aware of any ISPs in North America

Re: WANTED: ISPs with DDoS defense solutions

2003-07-30 Thread Mike Tancsa
At 10:58 AM 30/07/2003 -0400, Jared Mauch wrote: If someone abuses the PSTN, or other networks they eventually will get their service terminated. If people abuse their access by launching DoS attacks, we need to catch them and get their access Gee, wouldn't that be nice. Having

Re: WANTED: ISPs with DDoS defense solutions

2003-07-30 Thread Jared Mauch
On Wed, Jul 30, 2003 at 02:43:16PM -0400, Mike Tancsa wrote: At 10:58 AM 30/07/2003 -0400, Jared Mauch wrote: If someone abuses the PSTN, or other networks they eventually will get their service terminated. If people abuse their access by launching DoS attacks, we need to catch

Re: WANTED: ISPs with DDoS defense solutions

2003-07-30 Thread Mike Tancsa
At 03:19 PM 30/07/2003 -0400, Jared Mauch wrote: On Wed, Jul 30, 2003 at 02:43:16PM -0400, Mike Tancsa wrote: At 10:58 AM 30/07/2003 -0400, Jared Mauch wrote: If someone abuses the PSTN, or other networks they eventually will get their service terminated. If people abuse their access

Re: WANTED: ISPs with DDoS defense solutions

2003-07-30 Thread variable
On Wed, 30 Jul 2003, Mike Tancsa wrote: I recall one of our users was involved in a DoS once a few years back when the giant pings could crash MS boxes. The fact that his perceived anonymity was removed was enough to keep him from repeating his attacks That's the heart of the problem.

Re: WANTED: ISPs with DDoS defense solutions

2003-07-30 Thread Christopher L. Morrow
On Wed, 30 Jul 2003 [EMAIL PROTECTED] wrote: On Wed, 30 Jul 2003, Mike Tancsa wrote: I recall one of our users was involved in a DoS once a few years back when the giant pings could crash MS boxes. The fact that his perceived anonymity was removed was enough to keep him from repeating

Re: WANTED: ISPs with DDoS defense solutions

2003-07-30 Thread Omachonu Ogali
But in the telco world, how often do you have people's home phones trojanned and directed to 'DoS' another company? To pull that off with great magnitude, you need a whole lot of coordinated access to the physical plant, which is either impossible or extremely noticeable. But in a scenario like

Re: WANTED: ISPs with DDoS defense solutions

2003-07-30 Thread Mike Tancsa
At 10:37 PM 30/07/2003 +, Christopher L. Morrow wrote: Sure, trace my attacks to the linux box at UW, I didn't spoof the flood and you can prove I did the attacking how? You can at least TRY and see where the controlling traffic stream is originating from. i.e. if crap is coming out of box

Re: WANTED: ISPs with DDoS defense solutions

2003-07-30 Thread Rob Thomas
] Sure, trace my attacks to the linux box at UW, I didn't spoof the flood ] and you can prove I did the attacking how? You can't because I and 7 other ] hackers all are fighting each other over ownership of the poor UW student ] schlep's computer... Only seven? Must be a lame box. :) -- Rob

Re: WANTED: ISPs with DDoS defense solutions

2003-07-30 Thread Christopher L. Morrow
On Wed, 30 Jul 2003, Rob Thomas wrote: ] Sure, trace my attacks to the linux box at UW, I didn't spoof the flood ] and you can prove I did the attacking how? You can't because I and 7 other ] hackers all are fighting each other over ownership of the poor UW student ] schlep's computer...

Re: WANTED: ISPs with DDoS defense solutions

2003-07-30 Thread Paul Vixie
Filtering the bogons does help, and everyone should perform anti-spoofing in the appropriate places. It isn't, however, a silver bullet. it's necessary but not sufficient. but if we knew the source addresses were authentic, then some pressure on the RIRs to make address block holders

Re: WANTED: ISPs with DDoS defense solutions

2003-07-30 Thread Henry Linneweh
I agree with Paul's position on anti-spoofing, without that, you are fighting a losing battle. Henry R Linneweh Paul Vixie [EMAIL PROTECTED] wrote: Filtering the bogons does help, and everyone should perform anti-spoofing in the appropriate places. It isn't, however, a silver bullet. it's

Re: WANTED: ISPs with DDoS defense solutions

2003-07-30 Thread Randy Bush
Filtering the bogons does help, and everyone should perform anti-spoofing in the appropriate places. It isn't, however, a silver bullet. it's necessary but not sufficient. anti-spoofing is useful, but vastly insufficient, and hence not necessary randy

WANTED: ISPs with DDoS defense solutions

2003-07-29 Thread Lane Patterson
We have some DDoS-sensitive customers asking us to refer them to the best ISPs for in-the-core DDoS defense. Other than UUnet (hi Chris!) and MFN, I'm not aware of any ISPs in North America developing a reputation for consistent DDoS defense. Could folks contact me either off-list or