Re: Setting up DS-3 and 2 4xT1
Juniper makes a cute little box which was code-named Pepsi Lite. Don't know the productized name for it, but, should be easy to find. Should handle what you're looking for just fine. Also a used M5 on Ebay would do the trick.

Owen

--On Thursday, December 2, 2004 2:50 AM -0500 Joshua Brady [EMAIL PROTECTED] wrote:

My apologies if some may find this a little off-topic.

However, here is my issue. I need a router, which can take 2 4xT1's and a DS-3, while handing a Gbit for internal use. Now to complicate the entire situation, this needs to go into a 3 bedroom apartment, so I need to keep the power bills down if I can :)

What would everyone recommend? Off-List replies are fine, I will summarize at the end.

Thanks,
Joshua Brady

--
If it wasn't crypto-signed, it probably didn't come from me.
Re: My yearly post about environmental monitoring devices
On Thu, 2004-12-02 at 01:12 -0500, Alex Rubenstein wrote:

I'm sure if you peruse the archives, you'll see that I post about this about every year. The answer to your question is 'No, I haven't found what I am looking for yet.' However, the quest I am on is slightly different. I am looking for a device that meets the following criteria.

a) Reasonably small. This probably wouldn't be rack mounted; it'd be wall mounted, desk mounted, ceiling mounted, etc.
b) Powered by PoE.
c) Is SNMPable over Ethernet. NOT RS232 or serial, or anything archaic like that. Not MODBUS. It's 2004, people.
d) Provides Temperature and Humidity.
e) Has 4 or so input contact sensors (connections to AC units, etc.)
f) Has 4 or so output contact sensors.

I think what you are looking for is something like this:
http://alexandria.paf.se/ietf-59/001598_G

And folks: it does IPv6 *ONLY* and was, during that ietf reachable globally, so you could telnet into it ;)

There is this large IPv6 toy setup somewhere in Japan and they seem to have all kinds of these devices and thus I think if you want one of these kind of toys you will have to look into that direction...

Greets,
Jeroen
Re: ULA and RIR cost-recovery
On Wed, 2004-12-01 at 21:30 +0100, JP Velders wrote:

[ ... ]

I think the risk of ISPs handing out /64s is very small. Actually I expect most of the consumer ISPs (and they are the ones with the large number of customers) to hand out /128s.

Uhm, one of my private (as in I'm the consumer) ISP's over here in Holland gives me a /48... Granted it's done through a tunnelserver and labeled experimental, but they handed out /60's when it was based on sixbone space...

http://www.xs4all.nl/uk/allediensten/experimenteel/ipv6.php

I do believe XS4All is one of the larger consumer ISP's over here.

XS4ALL is around 160k DSL lines last time I heard. Do note that they are a clued ISP unlike many others. The tunnelserver is only for people not using the PPP sessions. Folks with DSL and PPP can also get 'native' IPv6 by doing a PPP6 session next to the normal PPP session. Afaik most of the usage of the IPv6 there has moved away from 6bone and migrated to their RIR prefix already, though users can pick between them.

Erik, comments and more details? :)

Greets,
Jeroen
Re: My yearly post about environmental monitoring devices
I am looking for a device that meets the following criteria.

a) Reasonably small. This probably wouldn't be rack mounted; it'd be wall mounted, desk mounted, ceiling mounted, etc.
b) Powered by PoE.
c) Is SNMPable over Ethernet. NOT RS232 or serial, or anything archaic like that. Not MODBUS. It's 2004, people.
d) Provides Temperature and Humidity.
e) Has 4 or so input contact sensors (connections to AC units, etc.)
f) Has 4 or so output contact sensors.

Sorry Alex, but I think you are barking up the wrong tree. A cheap simple temperature and humidity sensor would be built around a PIC chip and would use a serial bus to communicate status. Since this is 2004 that would be an I2C serial bus, but in reality an RS-232 daisy chain would suit this application just fine. When you add Ethernet as a requirement then you are asking for an I/O interface that is more complex and more expensive than the basic temp/hum recorder on the PIC.

However, it definitely is possible to do this and many people have done so. I suggest that you go to a company like http://www.edtp.com and tell them what you want and how many you would buy in the next year as well as an estimate of how many they could REALISTICALLY sell to other companies in 2005. When you look at the prices on his website, remember they are single unit hobbyist prices. I think that a PIC board built around his packet whacker Ethernet would do what you want and could easily be powered with PoE and be installed in a box with flexible mounting options.

If you can't get what you want from this company, then start looking for people who do PIC development. You might even be able to get a college sophomore to design and manufacture these for you for some spare pocket money. The PIC code including TCP/IP stack, is readily available through googling. The only area where you might have to compromise is SNMP since I think most people who do this are trying to make PIC web servers. But it's simple to run a custom SNMP proxy on a server if you need to hook this into your management system.

Please report back on what you find. I think a lot of people would be interested in this type of unit.

--Michael Dillon
Re: My yearly post about environmental monitoring devices
Sorry Alex, but I think you are barking up the wrong tree. When you add Ethernet as a requirement then you are asking for an I/O interface that is more complex

Ethernet is cheap and trivial, drop some code in one of these (cpu is built into the rj45 socket)
http://www.lantronix.com/device-networking/embedded-device-servers/xport.html
talk ibutton on the serial port and you're done.

and more expensive than the basic temp/hum recorder on the PIC.

Ethernet or don't bother. Serial is so last century.

brandon
Re: How many backbones here are filtering the makelovenotspam screensaver site?
On Wed, 1 Dec 2004, Jeff Shultz wrote:

They are running ADSL2+? Any idea what DSLAM/modems they are using? I'm afraid that my Swedish is insufficient (iow non-existent) for working my way through their website, if the answer is even there.

I have this information but I am not sure I am at liberty to say. I can say though that it's ethernet/ip based, not ATM (on the uplink, over the DSL line it's ATM).

--
Mikael Abrahamsson email: [EMAIL PROTECTED]
RE: How many backbones here are filtering the makelovenotspam scr eensaver site?
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 01, 2004 9:06 PM
To: Suresh Ramasubramanian
Cc: nanog list
Subject: Re: How many backbones here are filtering the makelovenotspam screensaver site?

I don't know how many providers are blocking them but at home I have a cox cable connection and they are blocking them...

On Thu, 2004-12-02 at 07:04 +0530, Suresh Ramasubramanian wrote:

I've heard reports of traceroutes through several backbones timing out or going !H after a few hops, and I note that the impact seems to have been enough for the site's IP to change ..

[EMAIL PROTECTED] 06:56:27 [~]$ dnsip www.makelovenotspam.com
213.115.182.123
[EMAIL PROTECTED] 07:01:16 [~]$ dnsname 213.115.182.123
ua-213-115-182-123.cust.bredbandsbolaget.se

Hosted on a cablemodem? Tch, tch, how the mighty have fallen

The blocks are widespread. The reports of hackers are incorrect. The blackholes are what is stopping them.

-M

--
Martin Hannigan (c) 617-388-2663
VeriSign, Inc. (w) 703-948-7018
Network Engineer IV Operations Infrastructure
[EMAIL PROTECTED]
Re: Setting up DS-3 and 2 4xT1
7206VXR with appropriate PAM's

Scott C. McGrath

On Thu, 2 Dec 2004, Joshua Brady wrote:

My apologies if some may find this a little off-topic.

However, here is my issue. I need a router, which can take 2 4xT1's and a DS-3, while handing a Gbit for internal use. Now to complicate the entire situation, this needs to go into a 3 bedroom apartment, so I need to keep the power bills down if I can :)

What would everyone recommend? Off-List replies are fine, I will summarize at the end.

Thanks,
Joshua Brady
RE: My yearly post about environmental monitoring devices
I was at a trade show yesterday and they had some interesting boxes for remote control. They don't meet your spec but someone might be interested. This box has serial and digital control connections but works via GPRS rather than Ethernet. Makes an interesting back door that could be independent of any other connections you have.

http://www.atop.com.tw/e/product/SG6103.htm

Roy Engehausen

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Alex Rubenstein
Sent: Wednesday, December 01, 2004 10:12 PM
To: [EMAIL PROTECTED]
Subject: My yearly post about environmental monitoring devices

I'm sure if you peruse the archives, you'll see that I post about this about every year. The answer to your question is 'No, I haven't found what I am looking for yet.' However, the quest I am on is slightly different. I am looking for a device that meets the following criteria.

a) Reasonably small. This probably wouldn't be rack mounted; it'd be wall mounted, desk mounted, ceiling mounted, etc.
b) Powered by PoE.
c) Is SNMPable over Ethernet. NOT RS232 or serial, or anything archaic like that. Not MODBUS. It's 2004, people.
d) Provides Temperature and Humidity.
e) Has 4 or so input contact sensors (connections to AC units, etc.)
f) Has 4 or so output contact sensors.

Help.

--
Alex Rubenstein, AR97, K2AHR, [EMAIL PROTECTED], latency, Al Reuben
--
--Net Access Corporation, 800-NET-ME-36, http://www.nac.net
--
Re: is reverse dns required? (policy question)
Steven Champeon wrote:

on Wed, Dec 01, 2004 at 03:34:43PM -0500, [EMAIL PROTECTED] wrote:

On Wed, 01 Dec 2004 15:02:19 EST, Steven Champeon said:

Connect:dhcp.vt.edu ERROR:5.7.1:550 go away, dynamic user

Given the number of options available at our end, I can hardly blame other sites for considering this a reasonable rule - I can't think of a scenario we can't fix at our end, as long as the user bothers calling our help desk and asks for help fixing it...

Exactly. That's why rDNS has been so useful for us. We can either whitelist exceptions (such as customers of ISPs who have sucky customer service and technical support) or try to educate them. It's (generally) easy to change, it requires static assignment in order to work properly, as an indication of the purpose(s) to which a given IP is put, etc.

Instead of having 6936 regexp patterns to match and parse one gazillion different reverse DNS encodings you could simply mark the reverse DNS entries of IP addresses that are actually *supposed* to be mail servers.

Reverse zone file for 10.0.0.0/24:

1.0.0.10.in-addr.arpa. IN PTR mail.example.com.
_send._smtp._srv.1.0.0.10.in-addr.arpa. IN TXT 1

About as simple as it gets. And much easier than figuring out for 99% of all IP addresses that they are not supposed to send mail directly. Just turn the tables and tag those that are mail servers. And it allows for a nice and graceful transition too.

Nicely described here:
ftp://ftp.rfc-editor.org/in-notes/internet-drafts/draft-stumpf-dns-mtamark-03.txt

--
Andre

(On the other hand, anybody who's filtering certain address blocks because they're our DHCP blocks deserves to be shot, for all the usual reasons and then some..)

Sure, but I can certainly understand why, for example, someone might block all of AOL's dynamic blocks port 25, at least. Or Charter's. Or Cox's, or any of the other sources of massive and constant abuse.

Wouldn't catch 1.2.3.4.dhcp.vt.edu.example.com anyway.

Yeah, but that has 'dhcp' at something other than the 3rd level.. ;)

Fair enough :) I was more interested in whether a rule like '*.dhcp.*.{com|net|org|edu)' (blindly looking at the 3rd level domain and/or the 4th level for the two-letter TLDs) did any better/worse than having to maintain a list of 7K or so - are there enough variant forms that it's worth enumerating, or is it just that enumerating is easier than doing a wildcard?

Ah, I see what you're getting at. Well, I started maintaining my long list of patterns because of the insane complexity of trying to construct simple rules like the above. At one point, I had five or six of them, but it got easier to just run the vetted generic hostnames through a quick perl script to generate a regex for each, and then check them all. Surprisingly, on a reasonably fast system with a moderate mail load it runs through the entire set pretty quickly, and it doesn't take up as much RAM as I'd expected it would. I could probably get better stats if you're interested.

Quick example, though: of 6936 patterns currently in my list, if you just run a cut on \\ (which catches either '.' or '-' as the next char, for the most part) you get (matches of 20 or more):

count  first left-hand pattern part
-----  ----------------------------
 1572  ^[0-9]+
  206  ^.+
  200  ^host[0-9]+
  179  ^host
  145  ^adsl
  140  ^ip
  121  ^ip[0-9]+
  121  ^.*[0-9]+
   89  ^dsl
   83  ^ppp[0-9]+
   74  ^pc[0-9]+
   64  ^ppp
   54  ^h[0-9]+
   52  ^dialup
   48  ^dhcp
   46  ^d[0-9]+
   45  ^dial
   43  ^dhcp[0-9]+
   42  ^dsl[0-9]+
   40  ^user[0-9]+
   40  ^[a-z]+[0-9]+
   40  ^[0-f]+
   37  ^.+[0-9]+
   36  ^p[0-9]+
   36  ^[a-z]+
   36  ^.*
   32  ^c[0-9]+
   32  ^adsl[0-9]+
   28  ^m[0-9]+
   28  ^cable
   25  ^dyn
   23  ^dial[0-9]+
   23  ^cable[0-9]+
   23  ^a[0-9]+
   22  ^user
   22  ^s[0-9]+
   22  ^[a-z][0-9]+
   21  ^mail[0-9]+
   20  ^u[0-9]+
   20  ^pc
   20  ^client

It's really not as simple as just blocking .*(dsl|cable|dialup).*; the zombie botnets are sophisticated and they're /everywhere/. So you can't just block the largest 25% most likely sources, as the spammers just rotate through until they find another you aren't testing for. Throw in minor variations within a given ISP, language differences worldwide in naming conventions, and peculiarities in how sendmail's regex support works ('.' isn't picked up by '.+') and you've got a need for at least a few thousand patterns even if you strip off the domain part and try to match on the host part alone.
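The two approaches argued over above, the per-host pattern list versus a single '*.dhcp.*.{com|net|org|edu}' rule, side by side on a few constructed reverse-DNS names. This is an added example and not Steven's perl script; the pattern list is a small constructed subset of the counts he posted, and the hostnames are made up except for the vt.edu shapes discussed in the thread.

```python
import re

# Constructed subset of the "first left-hand pattern part" counts from the
# post (the real list has 6936 entries). Each part is what is left of a
# generic dynamic hostname after cutting at the first '.' or '-', so here it
# is anchored at both ends and tested against the leftmost label only.
# ^.+ and ^.* are left out: on their own they would match every label.
DYNAMIC_LABEL_PATTERNS = [
    r"^[0-9]+$",        # 1-2-3-4.isp.example, 1.2.3.4.dhcp.vt.edu, ...
    r"^host[0-9]+$",
    r"^host$",
    r"^adsl[0-9]+$",
    r"^adsl$",
    r"^ip[0-9]+$",
    r"^ip$",
    r"^dsl[0-9]+$",
    r"^dsl$",
    r"^ppp[0-9]+$",
    r"^ppp$",
    r"^dialup$",
    r"^dial[0-9]+$",
    r"^dhcp[0-9]+$",
    r"^dhcp$",
    r"^cable[0-9]+$",
    r"^cable$",
    r"^dyn$",
    r"^[0-f]+$",        # hex-encoded addresses such as c0a80001 (as in the post)
]
COMPILED = [re.compile(p) for p in DYNAMIC_LABEL_PATTERNS]

GENERIC_TLDS = {"com", "net", "org", "edu"}


def leftmost_part(hostname: str) -> str:
    """Mirror the post's 'cut' step: keep the text up to the first '.' or '-'."""
    return re.split(r"[.-]", hostname.strip().lower(), maxsplit=1)[0]


def dynamic_pattern(hostname: str):
    """Return the first pattern that flags the name as generic/dynamic, else None."""
    part = leftmost_part(hostname)
    for rx in COMPILED:
        if rx.match(part):
            return rx.pattern
    return None


def third_level_dhcp_rule(hostname: str) -> bool:
    """The simpler rule floated in the thread: look only at the label in
    third position from the right under a generic TLD."""
    labels = hostname.strip().lower().rstrip(".").split(".")
    return len(labels) >= 3 and labels[-1] in GENERIC_TLDS and labels[-3] == "dhcp"


def classify(hostname: str) -> dict:
    """Compare both approaches on one reverse-DNS name."""
    return {
        "host": hostname,
        "pattern": dynamic_pattern(hostname),
        "third_level_rule": third_level_dhcp_rule(hostname),
    }


# Constructed sample names; the vt.edu ones are the shapes discussed above.
SAMPLE_HOSTS = [
    "1.2.3.4.dhcp.vt.edu",              # both approaches flag it
    "1.2.3.4.dhcp.vt.edu.example.com",  # 'dhcp' is not at the 3rd level: only the pattern list catches it
    "adsl-12-34-56-78.example.net",
    "host123.isp.example.com",
    "c0a80001.cable.example.org",
    "mail.example.com",                 # neither approach flags it
]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(classify(h))
```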
RE: My yearly post about environmental monitoring devices
I am looking for a device that meets the following criteria.

I'd add:

g) Inexpensive, so it can be widely deployed.

A Basic Stamp might be the platform for such; but I've retired from hardware hacking projects. I'd suggest queries to sci.electronics.design in hopes of finding someone interested.

--
A host is a host from coast to [EMAIL PROTECTED]
no one will talk to a host that's close [v].(301) 56-LINUX
Unless the host (that isn't close) pob 1433
is busy, hung or dead 20915-1433
Re: How many backbones here are filtering the makelovenotspam screensaver site?
The site has already been hacked/defaced, per full-disclosure. I can't personally verify or refute this because I can't reach it. ---Rsk
RE: is reverse dns required? (policy question)
Quick example, though: of 6936 patterns currently in my list, if you just run a cut on \\ (which catches either '.' or '-' as the next char, for the most part) you get (matches of 20 or more):

count  first left-hand pattern part
-----  ----------------------------
 1572  ^[0-9]+
  206  ^.+
  200  ^host[0-9]+
  179  ^host

Exceedingly long list cut

Just to throw in my own 2 cents: I find it really ironic that we rely on reverse DNS data that potentially comes from a spammer in order to determine whether or not someone is a spammer. It probably works for the zombies. But in the long run, ip based filtering is quicker, since there's no DNS check and you have a better idea of the size of the netblock you're filtering.

I'll be a lot happier once the smtp-submission port (587) catches on. It will make filtering a lot simpler.
Re: How many backbones here are filtering the makelovenotspam screensaver site?
Captain's Log, stardate Thu, 2 Dec 2004 09:25:15 -0500, from the fingers of Rich Kulawiec came the words: The site has already been hacked/defaced, per full-disclosure. I can't personally verify or refute this because I can't reach it. ---Rsk I'm insulted! I clicked on the map of Ireland on the front page of the site and it brought me to UK!!! Maybe that's what the defacement was?!!
What is the difference between RIPE and RadB
Is:

- RADb the database where AS numbers are cross referenced to IP address prefixes
- RIPE is an independent project to map out the relationship of AS's and how their locations (relative to one and other)

???

Tony
RE: My yearly post about environmental monitoring devices
g) Inexpensive, so it can be widely deployed.

That's why I suggested talking to a college sophomore. This is the kind of thing that electronics engineering students do for a 3rd year project.

A Basic Stamp might be the platform for such;

I don't think that a Stamp or PICAXE will work. These are PIC devices with built-in BASIC interpreters. To do the SNMP, you need an IP stack on the device and that really has to be done in assembly language. All of the PIC projects I have seen interfacing to Ethernet or to RS-232 IP interfaces, have been done in assembly.

As I said, 99% of the design work on this is available out there on the web. You just need someone willing to put it all together and manufacture the boxes.

For an alternative approach, have a look at Netguardian.
http://www.dpstele.com/products/ne/netguardian/
High capacity SNMP Alarm connector, NEBS 3, etc.

--Michael Dillon
Re: Setting up DS-3 and 2 4xT1
Joshua Brady wrote:
| My apologies if some may find this a little off-topic.
|
| However, here is my issue. I need a router, which can take 2 4xT1's
| and a DS-3, while handing a Gbit for internal use. Now to complicate
| the entire situation, this needs to go into a 3 bedroom apartment, so
| I need to keep the power bills down if I can :)
|
| What would everyone recommend? Off-List replies are fine, I will
| summarize at the end.
|

Cisco 3800 ISR would do the job.

--
= bep
Re: My yearly post about environmental monitoring devices
I don't know if they're here yet, but, PICs with builtin Ethernet are definitely on the way. I'm not that much of a hardware geek, but, some of the hardware geeks I know have been talking about these for a while in terms that make me think they're expecting samples any day.

Owen

--On Thursday, December 2, 2004 11:42 AM + [EMAIL PROTECTED] wrote:

I am looking for a device that meets the following criteria.

a) Reasonably small. This probably wouldn't be rack mounted; it'd be wall mounted, desk mounted, ceiling mounted, etc.
b) Powered by PoE.
c) Is SNMPable over Ethernet. NOT RS232 or serial, or anything archaic like that. Not MODBUS. It's 2004, people.
d) Provides Temperature and Humidity.
e) Has 4 or so input contact sensors (connections to AC units, etc.)
f) Has 4 or so output contact sensors.

Sorry Alex, but I think you are barking up the wrong tree. A cheap simple temperature and humidity sensor would be built around a PIC chip and would use a serial bus to communicate status. Since this is 2004 that would be an I2C serial bus, but in reality an RS-232 daisy chain would suit this application just fine. When you add Ethernet as a requirement then you are asking for an I/O interface that is more complex and more expensive than the basic temp/hum recorder on the PIC.

However, it definitely is possible to do this and many people have done so. I suggest that you go to a company like http://www.edtp.com and tell them what you want and how many you would buy in the next year as well as an estimate of how many they could REALISTICALLY sell to other companies in 2005. When you look at the prices on his website, remember they are single unit hobbyist prices. I think that a PIC board built around his packet whacker Ethernet would do what you want and could easily be powered with PoE and be installed in a box with flexible mounting options.

If you can't get what you want from this company, then start looking for people who do PIC development. You might even be able to get a college sophomore to design and manufacture these for you for some spare pocket money. The PIC code including TCP/IP stack, is readily available through googling. The only area where you might have to compromise is SNMP since I think most people who do this are trying to make PIC web servers. But it's simple to run a custom SNMP proxy on a server if you need to hook this into your management system.

Please report back on what you find. I think a lot of people would be interested in this type of unit.

--Michael Dillon

--
If it wasn't crypto-signed, it probably didn't come from me.
Re: is reverse dns required? (policy question)
On Thu, 02 Dec 2004 16:03:55 +0100, Andre Oppermann said:

Reverse zone file for 10.0.0.0/24:

1.0.0.10.in-addr.arpa. IN PTR mail.example.com.
_send._smtp._srv.1.0.0.10.in-addr.arpa. IN TXT 1

ftp://ftp.rfc-editor.org/in-notes/internet-drafts/draft-stumpf-dns-mtamark-03.txt

The problem with that is that for *Steven* to benefit from it, *I'd* have to get the appropriate people here to stick in the appropriate stuff in the in-addr.arpa zones for 128.173/16 and 198.82/16. In other words, it suffers from the same deployment problem as SPF records. (Actually, locally, it's harder to deploy because SPF needs one TXT at the top of the zone, which is mostly static and amenable to hand-editing - those __srv records on the other hand are down in zones that are automagically written by software which then needs to be modified to support splatting out the additional TXT record each time...)

In other news, we discovered that when we published our SPF record, it managed to push the DNS response over 512 bytes, as we already had several TXT records and 5 NS/A records got returned as well - and we got bit by the usual places that don't do TCP/53 or EDNS0. Anybody else hit that one accidentally? (We ended up jettisoning several TXT's and got it down to 410, so no problem now).
Re: How many backbones here are filtering the makelovenotspam scr eensaver site?
I think Lycos did not think this through enough. Their response is HUGE. They've essentially launched a Denial of Service on themselves. They would not have needed the larger backbone if they cut down on the size of their response.

They could have done anything with their client, but they chose to make it full web service with a valid XML response. Every transaction with their server looks to be about 3K. They could have implemented something minimal, like a basic socket connection and a minimal request, then sent something like a space delimited list of parameters. They could get rid of about 75% of the data and still preserve the same functionality.

I personally like the idea, even though it's not original, it just took a large site to back it. Too bad they couldn't do it right.

On Thu, 2 Dec 2004 10:28:26 -0500, Hannigan, Martin [EMAIL PROTECTED] wrote:

-Original Message-
From: Lionel [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 02, 2004 8:40 AM
To: Hannigan, Martin
Cc: nanog list
Subject: Re: How many backbones here are filtering the makelovenotspam scr eensaver site?

On Thu, 2 Dec 2004 08:27:38 -0500 , Hannigan, Martin [EMAIL PROTECTED] wrote:

Hosted on a cablemodem? Tch, tch, how the mighty have fallen

The blocks are widespread. The reports of hackers are incorrect. The blackholes are what is stopping them.

What amazing efficiency. I can't help but wonder if these same providers are as quick at blackholing spamsite hosts, or blocking the zombies on their user networks from spewing spam on port 25?

If you tied all the spammers into a few controllers, you see it happen immediately.

I've been following the news reports on this. Here's a quick summary of what I know without making any judgement or opinion:

- The lycos screensaver campaign activated Tuesday
- Major networks began activating blocks
- When the controllers can't be reached, the clients die off
- If screensaver is active when controllers die, it runs off the current target list.
- If screensaver deactivates, then activates, it can't contact the servers and tells the user it's off the internet (I can't verify the veracity of the update process i.e. if it will die while active)
- Blocks started going up early Wednesday morning
- The press began reporting hackers due to an apparent defacement being seen by many users. What they actually saw was the banner of an ISP that had blackholed the traffic and redirected port 80 to a notice.
- Lycos moved their application to a hosting facility with bigger pipes
- Target sites began using redirects sending the traffic back to Lycos
- Press reports are coming out today regarding the blackholes
- SpamCop is the source of the target list via a page that is public off of the SpamCop site (SpamCop does not appear to have complicity)
- The effectiveness of the blackholes is rising
- There are a reported 100K clients downloaded. Less than you would expect due to the voluminous press coverage. Probably a result of the blackhole activity as well.

I'm really not sure if Lycos knows about the blackholes at this point as the press has been reporting hackers all the while. If you think it's hacked, check the route.

Here's some operational data captured via ethereal. The target list generated by the botnet controller:

GET /xml/69426058014054/94772079193788/35264029467456/12122010129438/CONFIG_28652023942308.xml HTTP/1.1
Referer: http://backend.makelovenotspam.com/xml/69426058014054/94772079193788/35264029467456/12122010129438/CONFIG_28652023942308.xml
x-flash-version: 7,0,19,0
User-Agent: Shockwave Flash
Host: backend.makelovenotspam.com
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: Resin/2.1.14
Content-Type: text/xml; charset=UTF-8
Content-Length: 2889
Connection: close
Date: Thu, 02 Dec 2004 15:22:00 GMT

<?xml version="1.0" encoding="UTF-8"?>
<mlnstargets location="US">
<target id="TVRBd01EQXdOVGt5" domain="myshopinternetcompany.com" url="http://myshopinternetcompany.com/?e=aa5100;" bytes="357460680" hits="2572309" percentage="100" responsetime01="498" responsetime02="0" location="BR"></target>
<target id="TVRBd01EQXdOVEk0" domain="grlswaiting4u.com" url="http://grlswaiting4u.com/;" bytes="206765667" hits="1488797" percentage="100" responsetime01="11866" responsetime02="0" location="US"></target>
<target id="TVRBd01EQXdOVGc0" domain="1stwebsitetheyourshop.com" url="http://1stwebsitetheyourshop.com/?e=aa5100;" bytes="317867325" hits="2288427" percentage="100" responsetime01="507" responsetime02="0" location="BR"></target>
<target id="TVRBd01EQXdOVGcx" domain="cheap-r-x.com" url="http://cheap-r-x.com/;" bytes="355920802" hits="2565612" percentage="100" responsetime01="787" responsetime02="0" location="CN"></target>
<target id="TVRBd01EQXdOVGcz" domain="www.hlplmanhds.biz" url="http://www.hlplmanhds.biz/;" bytes="317590861" hits="2269503" percentage="100" responsetime01="785" responsetime02="0" location="CN"></target>
Re: How many backbones here are filtering the makelovenotspam screensaver site?
Mikael Abrahamsson wrote:

On Wed, 1 Dec 2004, Jeff Shultz wrote:

They are running ADSL2+? Any idea what DSLAM/modems they are using? I'm afraid that my Swedish is insufficient (iow non-existent) for working my way through their website, if the answer is even there.

I have this information but I am not sure I am at liberty to say. I can say though that it's ethernet/ip based, not ATM (on the uplink, over the DSL line it's ATM).

Are there other options that qualify to the above criteria than Ericsson EDA, Packetfront IPD and Corecess IAS?

Pete
Re: is reverse dns required? (policy question)
[EMAIL PROTECTED] wrote:

On Thu, 02 Dec 2004 16:03:55 +0100, Andre Oppermann said:

Reverse zone file for 10.0.0.0/24:

1.0.0.10.in-addr.arpa. IN PTR mail.example.com.
_send._smtp._srv.1.0.0.10.in-addr.arpa. IN TXT 1

ftp://ftp.rfc-editor.org/in-notes/internet-drafts/draft-stumpf-dns-mtamark-03.txt

The problem with that is that for *Steven* to benefit from it, *I'd* have to get the appropriate people here to stick in the appropriate stuff in the in-addr.arpa zones for 128.173/16 and 198.82/16. In other words, it suffers from the same deployment problem as SPF records. (Actually, locally, it's harder to deploy because SPF needs one TXT at the top of the zone, which is mostly static and amenable to hand-editing - those __srv records on the other hand are down in zones that are automagically written by software which then needs to be modified to support splatting out the additional TXT record each time...)

You would put in a global wildcard that says no smtp sender here. Only for those boxes being legitimate SMTP to outside senders you'd put in a more specific record as shown above. You probably have to enter some dozen to one hundred servers this way. Sure your reverse zone scripts need some changes but it's only two or three lines.

Ideally you could tell your DNS server in the zone file this:

_send._smtp._srv.*.*.173.128.in-addr.arpa. IN TXT 0
_send._smtp._srv.*.*.82.198.in-addr.arpa. IN TXT 0

being overridden by more specific information on single IP addresses.

In other news, we discovered that when we published our SPF record, it managed to push the DNS response over 512 bytes, as we already had several TXT records and 5 NS/A records got returned as well - and we got bit by the usual places that don't do TCP/53 or EDNS0. Anybody else hit that one accidentally? (We ended up jettisoning several TXT's and got it down to 410, so no problem now).

SPF and MTAMARK solve two entirely different problem sets. With SPF you designate that certain enumerated hosts are legitimate senders for emails from your *domain*. It does not de-legitimize some other random host on your network sending emails with a different domain (let's say @merit.edu).

With MTAMARK you designate that certain IP's (hosts) are legitimate SMTP senders within your *network*. Domain doesn't matter here. That way you specify that all those 131'000 other IP's (hosts) on your network are *not* legitimate SMTP senders no matter for which domain.

The nice thing with MTAMARK is that even if evil spammer uses SPF too for his $0.99 throw-away domain and puts the IP of one of the zombies of your network into his SPF record he will still get blocked because your MTAMARK record in the reverse zone will say this IP is not a designated SMTP sender. And since the ratio between non-SMTP senders and SMTP senders is very high you simply throw in a catch-all deny and only make a handful of exceptions for the real SMTP senders on your network.

MTAMARK gives huge rewards for comparative little work. The time you'd have to invest to solve the illegitimate SMTP sender problem for your *entire* network is measured in hours: changing the script that autogenerates the reverse zones and tracking down all legitimate SMTP senders. But this you already have done and you can simply use the IP addresses from your SPF records.

Like I said: as simple as it gets.

--
Andre
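The MTAMARK lookup Andre describes, worked through on the receiving side: build the _send._smtp._srv owner name for a connecting IP, walk from the exact record to the catch-all wildcards, and turn the TXT value into an SMTP decision. This is an added example, not code from the draft or from any MTA; the zone text is constructed from the records quoted in the thread, and the multi-label wildcard keys mirror Andre's "ideally" records (real DNS only allows a wildcard as the leftmost label, so a zone-generation script would have to expand them).

```python
import ipaddress

# Owner-name prefix used by the MTAMARK records quoted in the thread.
MTAMARK_PREFIX = "_send._smtp._srv"


def mtamark_name(ip: str) -> str:
    """Exact MTAMARK owner name for an IPv4 address, e.g.
    10.0.0.1 -> _send._smtp._srv.1.0.0.10.in-addr.arpa."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return f"{MTAMARK_PREFIX}.{'.'.join(reversed(octets))}.in-addr.arpa."


def candidate_names(ip: str) -> list:
    """Most-specific-first: the exact name, then the wildcard forms from the
    thread (*.c.b.a, *.*.b.a, ...) so a single-host record overrides a
    catch-all for its /24, /16 or /8."""
    octets = list(reversed(str(ipaddress.IPv4Address(ip)).split(".")))
    names = []
    for wild in range(5):
        labels = ["*"] * wild + octets[wild:]
        names.append(f"{MTAMARK_PREFIX}.{'.'.join(labels)}.in-addr.arpa.")
    return names


def parse_zone(text: str) -> dict:
    """Parse 'owner IN TXT value' lines as written in the thread into a dict.
    Other record types and ';' comments are ignored (constructed helper)."""
    zone = {}
    for raw in text.splitlines():
        parts = raw.split(";", 1)[0].split()
        if len(parts) >= 4 and parts[1] == "IN" and parts[2] == "TXT":
            zone[parts[0]] = " ".join(parts[3:]).strip('"')
    return zone


# Constructed zone: the 10.0.0.0/24 records from the thread, a catch-all
# deny for the rest of that /24, and Andre's two /16 catch-alls.
CONSTRUCTED_ZONE_TEXT = """
; designated outbound MTA
1.0.0.10.in-addr.arpa.                     IN PTR mail.example.com.
_send._smtp._srv.1.0.0.10.in-addr.arpa.    IN TXT 1
; everything else in 10.0.0.0/24 is not an MTA
_send._smtp._srv.*.0.0.10.in-addr.arpa.    IN TXT 0
_send._smtp._srv.*.*.173.128.in-addr.arpa. IN TXT 0
_send._smtp._srv.*.*.82.198.in-addr.arpa.  IN TXT 0
"""
ZONE = parse_zone(CONSTRUCTED_ZONE_TEXT)


def mtamark_lookup(ip: str, zone: dict):
    """TXT value of the most specific matching record, or None if the
    network publishes no mark for this address."""
    for name in candidate_names(ip):
        if name in zone:
            return zone[name]
    return None


def smtp_policy(ip: str, zone: dict) -> str:
    """Receiving MTA's decision: 1 = designated sender, 0 = not a designated
    sender (reject), no record = no statement, fall through to other checks."""
    mark = mtamark_lookup(ip, zone)
    if mark == "1":
        return "accept"
    if mark == "0":
        return "reject"
    return "no-mark"


if __name__ == "__main__":
    for ip in ("10.0.0.1", "10.0.0.77", "128.173.5.9", "192.0.2.5"):
        print(ip, mtamark_name(ip), smtp_policy(ip, ZONE))
```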
Re: BIND + DLZ
I second the recommendation for PowerDNS. I built an anycasted, sql backended instant-update DNS server platform for a registrar who was interested in selling a premium dns service product. We looked long and hard at bind+dlz as well as PDNS. Both are great products, and the developer who works on the DLZ code is a great guy, but we were able to squeeze a lot more queries per second out of PDNS.

matto

On Wed, 1 Dec 2004, Jeroen Massar wrote:

On Wed, 2004-12-01 at 20:17 +0100, Erik Haagsman wrote:

And while we're on the subject...anyone know a reliable web-based admin front-end for BIND + DLZ + PostgreSQL...? Or does everybody just roll their own...?

That is called PowerDNS with a bind-backend ;)

Rolling your own is of course the best version as you can customize it the way you like, hook it where you want etc. Then again you can do that with PowerDNS too and with a lot of scripting basically with anything.

Greets,
Jeroen

[EMAIL PROTECTED]darwin
The only thing necessary for the triumph of evil is for good men to do nothing. - Edmund Burke
Re: BIND + DLZ
On Thu, 2 Dec 2004, just me wrote: I second the recommendation for PowerDNS. Dear Nanog, My apologies for not reading down the thread and seeing that the OP was looking for a way to *stop* using powerdns. My apologies also for failing once again to sign my post with my full, legal name, which is the entire purpose of this post. Love, Matt Ghali SSN 555-12-1212
Re: My yearly post about environmental monitoring devices
[EMAIL PROTECTED] writes: When you add Ethernet as a requirement then you are asking for an I/O interface that is more complex and more expensive than the basic temp/hum recorder on the PIC. Or not. http://www.lantronix.com/device-networking/embedded-device-servers/xport.html (no, it doesn't support POE, but that's an easy hack if you think about it). ---Rob
RE: How many backbones here are filtering the makelovenotspam scr eensaver site?
On Thu, 2 Dec 2004, Hannigan, Martin wrote: -Original Message- From: Florian Weimer [mailto:[EMAIL PROTECTED] Sent: Thursday, December 02, 2004 2:01 PM To: Brett Cc: Hannigan, Martin; nanog list Subject: Re: How many backbones here are filtering the makelovenotspam scr eensaver site? I think Lycos did not think this through enough. Their response is HUGE. They've essentially launched a Denial of Service on themselves. The site that is being blackholed isn't on their network, AFAICS. Actually, I think this is an ingenious PR campaign, but it probably doesn't work the way it was conceived, though I believe that the net outcome for Lycos will be utterly positive. Possibly. What will happen if the Lycos botnet gets hijacked? to expand on this point, since it seems the screensaver pulls a list which is basically the top newly spammed URL's from spamcop (and possibly other places), what if the owners of the domains being 'attacked' were to point their DNS at a new ip? or set of ips? They can now control the 'bots' instead of lycos doing the controlling. I'm also concerned that lycos is claiming: to only use 95% of the bandwidth the site has. How is that determined by lycos? Do they call each upstream and get verifiable info about the bandwidth toward the site(s) in question? Do they measure each client's output capability (and input capability) to ensure that 100 machines really equals 1.2mbps on a t1 ? There are so many holes in their 'plan', never mind the 'vigilante' parts of it which are horridly distasteful... Lycos has engineered a botnet just like any 14 year old kiddie does nightly, they just did it more publicly and under the guise of 'being helpful'. It's utterly irresponsible of them to promote this activity. -Chris
Susan's superior?
Susan, Since you yourself have neglected and ignored my requests via email, and phone; I am now asking if the list has contact information on Susan Harris' supervisor at MERIT. Chances are, I will be censored for this and banned almost immediately, so off-list replies are greatly helpful. Or anyone who can maybe point me in the right direction. Best Regards, Joshua Brady
Re: How many backbones here are filtering the makelovenotspam scr eensaver site?
on Thu, Dec 02, 2004 at 02:56:29PM -0500, Hannigan, Martin wrote: Possibly. What will happen if the Lycos botnet gets hijacked? The conversations between the clients and the servers don't appear to be keyed. If a million clients got owned, it would be the equivalent of an electronic Bubonic Plague with no antidote. You mean, like the existing botnets we already know exist but are already under the control of spammers? What's the difference? Why is everyone so upset about Lycos and nobody seems to be doing much of anything about the /existing botnets/, which conservative estimates[1] already put at anywhere from 1-3K per botnet to upwards of 1-5M hosts total[2]? Steve [1] http://newpaper.asia1.com.sg/top/story/0,4136,67698-1,00.html There may be millions of such PCs around and they can be rented for as little as US$100 ($176)-per-hour. http://www.messagelabs.com/emailthreats/intelligence/reports/monthlies/October04/default.asp Some estimates have suggested a botnet in excess of tens of thousands of computers. [per virus outbreak] http://www.usatoday.com/tech/news/computersecurity/2004-07-07-zombie-pimps_x.htm Small groups of young people creating a resource out of a 10-30,000-strong computer network are renting them out to anybody who has the money, a source in Scotland Yard's computer crime unit told Reuters. http://www.sans.org/newsletters/newsbites/newsbites.php?vol=6issue=43#315 CipherTrust recently published research claiming that all phishing attacks on the Internet are conducted with the use of one of five zombie networks, or botnets. Each botnet comprises roughly 1,000 PCs. In addition, the research shows that 70% of zombie PCs are also used to send spam. http://news.zdnet.co.uk/internet/security/0,39020375,39167561,00.htm Linford said that every week more than 100,000 PCs are recruited into botnets without the owner's knowledge. A botnet is a collection of -- usually -- Windows-based PCs that have been stealthily taken over by malware. 
Users have no idea that their computer has been corrupted. [2] the CBL, for example, currently lists 1.1M, and (here, anyway) only blocks around 15-25% of our incoming spam. I've seen round robin attacks of upwards of fifty bots at a time (same timeframe, sender, and target, from multiple hosts in multiple countries/ISPs/networks) whereas suspected zombies account for 35-45% of all inbound spam delivery attempts here. -- hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com join us! http://hesketh.com/about/careers/account_manager.htmljoin us!
Re: How many backbones here are filtering the makelovenotspam screensaver site?
On Thu, 2 Dec 2004, Petri Helenius wrote: Are there other options that qualify to the above criteria than Ericsson EDA, Packetfront IPD and Corecess IAS? Paradyne, Siemens, Nokia, Lucent. Basically every vendor has an ethernet only option nowadays. Some are quick fixes to existing platforms, some are new from ground up. -- Mikael Abrahamsson email: [EMAIL PROTECTED]
Re: Make love, not spam....
The point behind the initiative is not to attack the email senders, but the source of money. If the spam websites are never up, then the recipients cannot buy products advertised. Without the sales, there are no finances to support the spamming. If spammers can't make money sending email, then they will find something else profitable to do . . . . like phishing :-) On Mon, 29 Nov 2004 10:52:22 -0500, Rich Kulawiec [EMAIL PROTECTED] wrote: On Mon, Nov 29, 2004 at 02:14:01PM +, Fergie (Paul Ferguson) wrote: Techdirt has an article this morning that discusses how Lycos Europe is encouraging their users to run a screensaver that constantly pings servers suspected to be used by spammers and also suggests that In other words, it's a distributed denial of service attack against spammers by Lycos. Already noted as unbelievably stupid and dissected on Spam-L, but: getting into a bandwidth contest with spammers is a guaranteed loss, as they have an [essentially] infinite amount available to them for free. Apparently Lycos is unaware of zombies (including those hosting web sites), HTTP redirectors, rapidly-updating DNS, throwaway domains, and other facts of life in the spam sewer. ---Rsk
Re: How many backbones here are filtering the makelovenotspam scr eensaver site?
On Thu, 2 Dec 2004, Steven Champeon wrote: on Thu, Dec 02, 2004 at 02:56:29PM -0500, Hannigan, Martin wrote: Possibly. What will happen if the Lycos botnet gets hijacked? The conversations between the clients and the servers don't appear to be keyed. If a million clients got owned, it would be the equivalent of an electronic Bubonic Plague with no antidote. You mean, like the existing botnets we already know exist but are already under the control of spammers? What's the difference? Why is everyone so upset about Lycos and nobody seems to be doing much of anything about the /existing botnets/, which conservative estimates[1] already put at anywhere from 1-3K per botnet to upwards of 1-5M hosts total[2]? perhaps the difference is 'responsible people' don't go out and recruit botnets... Lycos, as a corporate entity with its business model dependent upon the health and wellbeing of the Internet would try to be 'responsible', or so I would have thought. arguing that there are murderers and rapists out there and that 'nothing is being done' is hardly reason to become one yourself. -Chris
Re: How many backbones here are filtering the makelovenotspam scr eensaver site?
on Thu, Dec 02, 2004 at 12:55:02PM -0800, Chad Skidmore wrote: quoting me: What's the difference? Why is everyone so upset about Lycos and nobody seems to be doing much of anything about the /existing botnets/, which conservative estimates[1] already put at anywhere from 1-3K per botnet to upwards of 1-5M hosts total[2]? Well, the primary difference is that Lycos is trying to market what they are doing as a good thing in a fairly public manner. If their vigilante efforts become accepted as OK then it further opens the door for others to take the next step towards making dDOS attacks ok as long as you feel your motivations are pure. As network operators we all need to make sure that we enforce our AUPs and make it known that breaking those AUPs is not ok just because you feel your motives are pure. Most AUPs have some language that basically states that dDOS and similar activities are bad and we will take action if you engage in said bad activities. My point was to Martin's question about what would happen if - god forbid - there were large botnets under the control of spammers; a careful reading will suggest that my major point was, duh, that there already are large botnets under the control of spammers. To your other point, how do you know that other botnets are not being identified and taken down every day by network operators? I know for a fact that they are, they just are not nearly as public as this one so those activities go largely unacknowledged. Good point. Simply put, I can (and do) read my own mail server logs. And I can see that many ISPs - regardless of what they may be doing in onesy-twosy increments - simply aren't doing enough to prevent new botnet infections from wasting my server's cycles in futile attempts to deliver spam, outscatter, virus warnings, etc. etc. ad infinitum. This costs me time and money, and many of the same ISPs mentioned above are simply cost-shifting their own responsibility onto me and everyone else, and I'm tired of it.
Not to say there aren't responsible ISPs, and I hope that anyone who /is/ a part of the solution, rather than the fertile substrate for the problem, is capable of recognizing that and not taking offense when I point out there are others who could do more. As for go180.net, you don't show up much on my radar, but on Nov 9th we were hit by a spammer from SpokaneHotZone-63.go180.net [66.225.5.63]. I trust this is not a legitimate mail server and I can block it and any other host that looks like it within the same domain, right? Thanks. Otherwise, you may want to do something to distinguish it from the other generic hosts in the same range.
Re: How many backbones here are filtering the makelovenotspam scr eensaver site?
on Thu, Dec 02, 2004 at 08:58:03PM +, Christopher L. Morrow wrote: On Thu, 2 Dec 2004, Steven Champeon wrote: on Thu, Dec 02, 2004 at 02:56:29PM -0500, Hannigan, Martin wrote: Possibly. What will happen if the Lycos botnet gets hijacked? The conversations between the clients and the servers don't appear to be keyed. If a million clients got owned, it would be the equivalent of an electronic Bubonic Plague with no antidote. You mean, like the existing botnets we already know exist but are already under the control of spammers? What's the difference? Why is everyone so upset about Lycos and nobody seems to be doing much of anything about the /existing botnets/, which conservative estimates[1] already put at anywhere from 1-3K per botnet to upwards of 1-5M hosts total[2]? perhaps the difference is 'responsible people' don't go out and recruit botnets... Lycos, as a corporate entity with its business model dependent upon the health and wellbeing of the Internet would try to be 'responsible', or so I would have thought. I agree. I also think it's up to the companies providing the Internet connectivity to the non-Lycos-owned botnets to prevent such activity from affecting others. arguing that there are murderers and rapists out there and that 'nothing is being done' is hardly reason to become one yourself. I couldn't agree more that vigilantism isn't the answer. My earlier remarks were directed to the shock and awe evident in the possibility that - via Lycos - there might be, heaven forbid, /large numbers of computers under the control of spammers, that could be used in spamming and abuse/. All I was pointing out was that, surprise, surprise, there already are. So why anyone thinks Lycos' botnet being hacked is /any different/ from /the current situation/ is utterly beyond my ken. Why would any spammer bother to hack Lycos' botnet? They /already have their own/.
RE: How many backbones here are filtering the makelovenotspam scr eensaver site?
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Thursday, December 02, 2004 4:09 PM To: [EMAIL PROTECTED] Subject: Re: How many backbones here are filtering the makelovenotspam scr eensaver site? on Thu, Dec 02, 2004 at 12:55:02PM -0800, Chad Skidmore wrote: quoting me: What's the difference? Why is everyone so upset about Lycos and nobody seems to be doing much of anything about the /existing botnets/, which conservative estimates[1] already put at anywhere from 1-3K per botnet to upwards of 1-5M hosts total[2]? Well, the primary difference is that Lycos is trying to market what they are doing as a good thing in a fairly public manner. If their vigilante efforts become accepted as OK then it further opens the door for others to take the next step towards making dDOS attacks ok as long as you feel your motivations are pure. As network operators we all need to make sure that we enforce our AUPs and make it known that breaking those AUPs is not ok just because you feel your motives are pure. Most AUPs have some language that basically states that dDOS and similar activities are bad and we will take action if you engage in said bad activities. My point was to Martin's question about what would happen if - god forbid - there were large botnets under the control of spammers; a careful reading will suggest that my major point was, duh, that there already are large botnets under the control of spammers. Um, not 1 million bots - in concert. -M
Banned on NANOG
: Susan Harris' supervisor at MERIT. Chances are, I : will be censored for this and banned almost This whole censorship thing has me wondering as to the continued viability of this list as a place where the clue-heavy hang out and speak freely. Paul Vixie has been warned, randy Bush has been banned. Who else has been banned that'd be considered a clue-heavy NANOG poster? Why are folks being banned? Last I heard, procmail still works. Folks are becoming afraid to post due to worries about being banned. S/N: Isn't the goal to increase S and reduce N? If you reduce both S and N, you don't get a better signal. With randy gone, the S has definitely decreased. Who else is gone that reduces S?
RE: How many backbones here are filtering the makelovenotspam scr eensaver site?
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Thursday, December 02, 2004 4:14 PM To: nanog list Subject: Re: How many backbones here are filtering the makelovenotspam scr eensaver site? on Thu, Dec 02, 2004 at 08:58:03PM +, Christopher L. Morrow wrote: On Thu, 2 Dec 2004, Steven Champeon wrote: on Thu, Dec 02, 2004 at 02:56:29PM -0500, Hannigan, Martin wrote: Possibly. What will happen if the Lycos botnet gets hijacked? The conversations between the clients and the servers don't appear to be keyed. If a million clients got owned, it would be the equivalent of an electronic Bubonic Plague with no antidote. You mean, like the existing botnets we already know exist but are already under the control of spammers? What's the difference? Why is everyone so upset about Lycos and nobody seems to be doing much of anything about the /existing botnets/, which conservative estimates[1] already put at anywhere from 1-3K per botnet to upwards of 1-5M hosts total[2]? perhaps the difference is 'responsible people' don't go out and recruit botnets... Lycos, as a corporate entity with its business model dependent upon the health and wellbeing of the Internet would try to be 'responsible', or so I would have thought. I agree. I also think it's up to the companies providing the Internet connectivity to the non-Lycos-owned botnets to prevent such activity from affecting others. arguing that there are murderers and rapists out there and that 'nothing is being done' is hardly reason to become one yourself. I couldn't agree more that vigilantism isn't the answer. My earlier remarks were directed to the shock and awe evident in the possibility that - via Lycos - there might be, heaven forbid, /large numbers of computers under the control of spammers, that could be used in spamming and abuse/. Can you direct me toward a singular entity of 1MM bots controlled by a single master? All I was pointing out was that, surprise, surprise, there already are.
So why anyone thinks Lycos' botnet being hacked is /any different/ from /the current situation/ is utterly beyond my ken. Why would any spammer bother to hack Lycos' botnet? They /already have their own/. I think you might be behind on what's going on in botland lately.
Re: How many backbones here are filtering the makelovenotspam scr eensaver site?
on Thu, Dec 02, 2004 at 04:15:34PM -0500, Hannigan, Martin wrote: quoting me: My point was to Martin's question about what would happen if - god forbid - there were large botnets under the control of spammers; a careful reading will suggest that my major point was, duh, that there already are large botnets under the control of spammers. Um, not 1 million bots - in concert. And you know this how, exactly? I'm sure not convinced.
Re: How many backbones here are filtering the makelovenotspam scr eensaver site?
on Thu, Dec 02, 2004 at 04:18:52PM -0500, Hannigan, Martin wrote: Can you direct me toward a singular entity of 1MM bots controlled by a single master? No, I cannot. I *can*, and have, forward on reports by those more in the know than I that estimate 100K new bots / day are being added, and I can certainly point to incidents here which suggest that the problem is widespread, that the spammers responsible are few, and that many ISPs continue to refuse to contain the problem. Do the math. 100K / day new bots, added by a few responsible parties, and it's not hard to see that over a brief period of time any one of those parties might control over a million hosts or more. I think you might be behind on what's going on in botland lately. By all means, enlighten me. All I see from my limited pov is that bots are useless if disallowed from sending spam via port 25 outbound, and that every day sees hundreds if not thousands, of new bots trying to send spam to my users, which suggests that /nothing is being done to prevent them from using the available resources/. Convince me otherwise, please. I'm all ears.
RE: How many backbones here are filtering the makelovenotspam scr eensaver site?
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Thursday, December 02, 2004 4:28 PM To: [EMAIL PROTECTED] Subject: Re: How many backbones here are filtering the makelovenotspam scr eensaver site? on Thu, Dec 02, 2004 at 04:15:34PM -0500, Hannigan, Martin wrote: quoting me: My point was to Martin's question about what would happen if - god forbid - there were large botnets under the control of spammers; a careful reading will suggest that my major point was, duh, that there already are large botnets under the control of spammers. Um, not 1 million bots - in concert. And you know this how, exactly? I'm sure not convinced. http://w3.cambridge-news.co.uk/business/story.asp?StoryID=65877 Lycos Europe's 20 million users will all be invited to download the software, but it is available to anyone with an internet connection running either Windows or Mac OSX or Mac OS9 operating systems. http://edition.cnn.com/2004/TECH/internet/12/02/anti.spamvigi.ap/ Around 65,000 people already signed up for the offensive, called Make Love not Spam before Tuesday's official launch on a website by the same name, the company said. It is urging its 22 million users to download the screen-saver, but says anyone with a computer is welcome to it.
Re: How many backbones here are filtering the makelovenotspam scr eensaver site?
On Thu, 02 Dec 2004 16:18:52 EST, Hannigan, Martin said: Can you direct me toward a singular entity of 1MM bots controlled by a single master? Well, it was a while ago that some Polish guys were openly advertising their 465K zombie network - I'd be most surprised if it isn't over 1M by now. And remember that hierarchical design is understood in the black hat world too. If somebody has 1M bots, it won't be 1M bots in one network, it will be several hundred subnets of several thousand bots, and some automated way to signal several hundred control nodes to each fire up their several thousand bots. So you may already have whacked off a 1% chunk of that 1M net several times already and not even realized it
Re: Banned on NANOG
On Thu, 2 Dec 2004, nanog gonan wrote: This whole censorship thing has me wondering as to the continued viability of this list as a place where the Perhaps if the core purpose of the list could be maintained without having dozens of off-topic/useless/banteresque messages per day the list would serve more purpose. I grow weary of having to sift through all the b.s. some people drift into. It's gotten to the point where several times I've considered unsubscribing. How about everyone exhibit a little more self control regarding off-topic posts, and use reply-to-sender instead of cc'ing the list when not necessary.
Re: How many backbones here are filtering the makelovenotspam scr eensaver site?
on Thu, Dec 02, 2004 at 04:46:00PM -0500, Hannigan, Martin wrote: quoting me: Um, not 1 million bots - in concert. And you know this how, exactly? I'm sure not convinced. http://w3.cambridge-news.co.uk/business/story.asp?StoryID=65877 Lycos Europe's 20 million users will all be invited to download the software, but it is available to anyone with an internet connection running either Windows or Mac OSX or Mac OS9 operating systems. http://edition.cnn.com/2004/TECH/internet/12/02/anti.spamvigi.ap/ Around 65,000 people already signed up for the offensive, called Make Love not Spam before Tuesday's official launch on a website by the same name, the company said. It is urging its 22 million users to download the screen-saver, but says anyone with a computer is welcome to it. Yes, yes - I know that Lycos has tens of thousands. What I want to know is how you know that there aren't existing 1M bot zombie nets aside from the Lycos attempt (which as you can see, is thus far only comparable to the 100K/day estimate given by Steve Linford).
RE: How many backbones here are filtering the makelovenotspam scr eensaver site?
-Original Message- From: Steven Champeon [mailto:[EMAIL PROTECTED] Posted At: Thursday, December 02, 2004 1:09 PM Posted To: NANOG Conversation: How many backbones here are filtering the makelovenotspam scr eensaver site? Subject: Re: How many backbones here are filtering the makelovenotspam scr eensaver site? My point was to Martin's question about what would happen if - god forbid - there were large botnets under the control of spammers; a careful reading will suggest that my major point was, duh, that there already are large botnets under the control of spammers. I realize that is the point you were trying to make. I also realize that Martin is pretty well aware of botnets and the threat they create. I suspect that most other readers on NANOG are also well aware. What doesn't seem to be as common knowledge as I would expect is that botnets are a commodity. As such they are traded, sold, purchased and even stolen. That last point is particularly important in this case. Lycos has created a large botnet (at least by most people's definition) that is hidden in the guise of a screen saver claiming to only go after the bad guys. This botnet uses a command and control server that is now well publicized, and uses a communication channel that is not encrypted or obfuscated in any way. That makes it a botnet just asking to be stolen. Fortunately the CC server is blackholed by what seem to be a large number of providers and the botnet is now fairly useless. Good point. Simply put, I can (and do) read my own mail server logs. And I can see that many ISPs - regardless of what they may be doing in onesy-twosy increments - simply aren't doing enough to prevent new botnet infections from wasting my server's cycles in futile attempts to deliver spam, outscatter, virus warnings, etc. etc. ad infinitum.
It is certainly more than onesy-twosy increments but I agree that the problem is large enough that it certainly feels like a weak attempt from the average user/operator's point of view. This costs me time and money, and many of the same ISPs mentioned above are simply cost-shifting their own responsibility onto me and everyone else, and I'm tired of it. I encourage everyone to vote with their wallet when it comes to this type of thing. Buy your transit from organizations with dedicated security teams that actively engage in SPAM/Bot/Worm/Viri fighting efforts. Those things cost money and take time and are usually unacknowledged efforts. Larger providers seem to make easier targets when it comes to placing blame and saying that they aren't doing enough to combat miscreant activity. I don't believe that is the case overall. They just have a much larger customer base, higher volumes of traffic to inspect, and more politics to work within. Not to say there aren't responsible ISPs, and I hope that anyone who /is/ a part of the solution, rather than the fertile substrate for the problem, is capable of recognizing that and not taking offense when I point out there are others who could do more. I believe that EVERYONE could do more on this front. It is a moving battle that requires constant improvement just to stay afloat, let alone get ahead. For those genuinely interested in improving what they are doing on this front I strongly encourage you to attend the NSP-Sec BOFs at NANOG. You might be surprised what you learn and who you meet that can be helpful. As for go180.net, you don't show up much on my radar, but on Nov 9th we were hit by a spammer from SpokaneHotZone-63.go180.net [66.225.5.63]. I trust this is not a legitimate mail server and I can block it and any other host that looks like it within the same domain, right? Thanks. Otherwise, you may want to do something to distinguish it from the other generic hosts in the same range. 
Glad you don't see much from us, must mean that the effort put forth by some of our team is not going to waste. You are correct, that is not a legitimate mail server but is an IP from a City Wide wireless network. That network has since been secured to restrict TCP 25 outbound (along with other typical miscreant traffic) so you shouldn't see anything again from that network on port 25. If we rise up on your radar in the future feel free to make use of the typical NOC and Abuse e-mail addresses, they do get answered and acted upon here. Regards, Chad - Chad E Skidmore One Eighty Networks, Inc. http://www.go180.net 509-688-8180
Re: How many backbones here are filtering the makelovenotspam scr eensaver site?
On Thu, Dec 02, 2004 at 04:18:52PM -0500, Hannigan, Martin wrote: Can you direct me toward a singular entity of 1MM bots controlled by a single master? Nobody can, except the single master who's in control of same, and whoever that is -- if there is -- is unlikely to voluntarily share that information publicly. That's part of the problem: we know that there are huge numbers of them. How huge? 10e7 was probably a good estimate early in 2004, 10e8 is starting to look plausible given reported discovery rates. And the quasi-related problem of spyware/adware is exacerbating it: it's not like that cruft is exactly fastidious about making sure that it doesn't open the door to things worse than itself.
We don't know how many there are. We probably can't know how many there are -- unless they do something to make themselves noticed, and surely those controlling them are smart enough to realize this and keep plenty in reserve. We can only know how many have made themselves visible, and even knowing that's hard.
We don't know who's controlling them: are we up against 10 people or 10,000?
We don't know everything they're doing with them.
We don't know everything they're going to try to do with them.
We don't know where they'll be next: they may move around (thanks to DHCP and similar), may show up in multiple places (thanks to VPNs) or they may *really* move around (laptops).
We don't know how many are server systems as opposed to end-user systems.
We don't know how to keep more from being created.
We don't have a mechanism for un-zombie'ing the ones that already exist (other than laboriously going after them one at a time).
We don't have a means to keep them from being re-zombied -- just as soon as the latest IE-bug-of-the-day hits Bugtraq.
We don't have a viable way of controlling their actions other than disconnecting them entirely: sure, blocking outbound port 25 connections stops them from attempting spam delivery directly into mail servers, but surely nobody is so naive as to think those controlling these botnets are going to shrug their shoulders and give up when that happens? There are all kinds of other things they could be doing. *Are doing*.
We don't have a clear understanding of how they're being controlled: are they quasi-autonomous? centrally directed? via a tree structure? do they phone home? are they operating p2p? all of the above?
And so on. But we darn well should find out. ---Rsk
where the zombies come from, hide, and finding them [was: How many backbones here ...]
Well, it was a while ago that some Polish guys were openly advertising their 465K zombie network - I'd be most surprised if it isn't over 1M by now. And remember that hierarchical design is understood in the black hat world too. If somebody has 1M bots, it won't be 1M bots in one network, it will be several hundred subnets of several thousand bots, and some automated way to signal several hundred control nodes to each fire up their several thousand bots. So you may already have whacked off a 1% chunk of that 1M net several times already and not even realized it These guys are used to being on the run, looking for places to stash their botnets. IRC networks (which are not scared, and then usually just a few renegade opers and volunteers) are the ones who fight these networks. Hunting them down in different channels. Girlbots a year ago used an interesting algorithm to generate random channel names according to the date and time.. these guys are not that easy to find. Then there are the virus reversers and network analysts who reverse the sample or sniff the traffic to see where bots go, and shut that place down. Controllers/runners just move their bots quickly to a new location, and even if they lost one army.. there are others. Ever heard of don't put all your eggs in one basket? Regardless, they can always get new ones... and the people fighting them are in the shadows.. not even supported by their own people in many cases. IRC servers for example, are very afraid of pissing these kiddies off, so that they won't DDoS them. How many times have we seen an IRC DDoS taking down the entire ISP? There are other ways of controlling armies.. but so far IRC has proven to be the easiest in utilization and in moving quickly. Any other control mechanism would have to answer two main opposing factors. The easier it is to control them, the easier it is to take them away from you. How do you balance the two, if you are a kiddie? It's a never ending race.
Think of that in P2P terms, and you will see what I mean. Exposure vs. ease of control. Who would go against them when they'd know their ISP would be down the very next day, though? There is no easy solution... and as long as AV companies treat Trojan horses as garbage and/or not worth detecting, this is definitely not going to change. Then there is the issue of open source malware (not to be confused with the open source community). Today, any kid can find many code samples of writing their own Trojan horses, not to mention support forums online. Take for example the huge increase in malware per month, these past few years. One of the strains started with sdbot.. then ircbot.. then agobot.. then phatbot, rbot, whatever bot, korgobots (argh!) etc. Thousands of different samples, all related - and for most you can find quite a few versions of their sources online. It never ends.. I am just glad this is getting some attention now. Gadi Evron.
RE: How many backbones here are filtering the makelovenotspam screensaver site?
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Thursday, December 02, 2004 5:21 PM To: [EMAIL PROTECTED] Subject: RE: How many backbones here are filtering the makelovenotspam screensaver site? [SNIP] As for go180.net, you don't show up much on my radar, but on Nov 9th we were hit by a spammer from SpokaneHotZone-63.go180.net [66.225.5.63]. I trust this is not a legitimate mail server and I can block it and any other host that looks like it within the same domain, right? Thanks. Otherwise, you may want to do something to distinguish it from the other generic hosts in the same range. Glad you don't see much from us, must mean that the effort put forth by some of our team is not going to waste. You are correct, that is not a legitimate mail server but is an IP from a City Wide wireless network. That network has since been secured to restrict TCP 25 outbound (along with other typical miscreant traffic) so you shouldn't see anything again from that network on port 25. If we rise up on your radar in the future feel free to make use of the typical NOC and Abuse e-mail addresses, they do get answered and acted upon here. Glad to hear that. Overall, I'm offering some operational content on the publicity intensive Lycos botnet and provide some level of operational analysis free of judgement of Lycos. I'd be happy to argue about breadth, depth, and width of botnets and their commodity status in email. :) -M
what we do know about botnets - per your questions [was: How many backbone ...]
Rich Kulawiec wrote: On Thu, Dec 02, 2004 at 04:18:52PM -0500, Hannigan, Martin wrote: Can you direct me toward a singular entity of 1MM bots controlled by a single master? Nobody can, except the single master who's in control of same, and whoever that is -- if there is -- is unlikely to voluntarily share that information publicly. Back in 1997, a luser showed up on IRC in one of the help channels that formed to help users get rid of Trojan horses (after the big return in `96 - no hat Trojan horses ever really went away). The guy was a spammer. He owned nekkidchicks dot something. He studied the works, and disappeared 6 months later. This is a losing battle, a tsunami we are now trying to stop with stones and sticks. Actually, these kids share them like candy, as a friend of mine likes to say. I doubt there is just one singular master. It's the macro level we see, why not take the macro level into account? That's part of the problem: we know that there are huge numbers of them. How huge? 10e7 was probably a good estimate early in 2004, 10e8 is starting to look plausible given reported discovery rates. And the quasi-related problem of spyware/adware is exacerbating it: it's not like that cruft is exactly fastidious about making sure that it doesn't open the door to things worse than itself. In most networks, I see about 50% of the traffic being spyware/malware related.. and that's in good cases. But then again, these are only my observations. We don't know how many there are. Does it matter? I believe we can call it an epidemic and move on. We probably can't know how many there are -- unless they do something to make themselves noticed, and surely those controlling them are smart enough to realize this and keep plenty in reserve. We can only know how many have made themselves visible, and even knowing that's hard. I can tell you that 50-90% of the occupants of the different IRC networks are drones.
The 5 big IRC networks have between 20K and 150K lusers at any given time. You add the numbers. We don't know who's controlling them: are we up against 10 people or 10,000? Much like with any social structure, it is difficult to say. Is someone a hacker, a cracker or a kiddie? They still do what they do, regardless of who they are and what their capabilities are. Kids trade them like candy, spammers use them to spam. Organized crime does what organized crime does. People who want to be anonymous stay anonymous. Gangs get protection money (absurd on the net, if you pay in real life you at least know you won't be attacked, and if you would be by someone else, this gang you paid would protect you - doesn't work online). Then there are those who just like to feel like God. Go figure. We don't know everything they're doing with them. It doesn't matter. They are there. They can do whatever they want with them. It is an epidemic and it has been growing for years. We don't know everything they're going to try to do with them. See above. Irrelevant. We don't know where they'll be next: they may move around (thanks to DHCP and similar), may show up in multiple places (thanks to VPNs) or they may *really* move around (laptops). We don't know how many are server systems as opposed to end-user systems. Depends on the malware discussed. I can give you many examples. Sometimes there are several types used by one controller/runner, whose entire wish is to (a) recruit new drones, (b) use them to spam/network-scan to recruit new drones, (c) use these to spam for money and (d) have backup. I have seen similar set-ups on Yahoo! chat and on IM. It is not limited to one media. On Yahoo! (which basically does nothing about abuse) you can recruit, or more like.. draft.. a 10K net in a couple of days. We don't know how to keep more from being created. People are stupid. I don't have a solution. Maybe not allow this s**t to go through our networks?
It is becoming a hazard to their operation. We don't have a mechanism for un-zombie'ing the ones that already exist (other than laboriously going after them one at a time). We used to de-zombie them. You can try and make like a zombie and see what a controller/runner does, or reverse engineer a sample and see what the passwd and commands are. You can send it out in an IRC channel or remotely connect to all of them. Some of it is legal, some of it is very shaky, legally. None of which is a solution. We don't have a means to keep them from being re-zombied -- just as soon as the latest IE-bug-of-the-day hits Bugtraq. Or one from last year.. makes no difference. And they do get re-zombied. Users are stupid. And I used to think NOBODY is really stupid.. I was wrong. Stupid in this case may mean needs to earn a driving license for a computer as he/she is clueless. We don't have a viable way of controlling their actions other than disconnecting them entirely: sure, blocking outbound port 25 connections stops them from attempting spam delivery
Re: is reverse dns required? (policy question)
In article [EMAIL PROTECTED] you write: You would put in a global wildcard that says no smtp sender here. Only for those boxes being legitimate SMTP to outside senders you'd put in a more specific record as shown above. You probably have to enter some dozen to one hundred servers this way. Sure your reverse zone scripts need some changes but it's only two or three lines. Ideally you could tell your DNS server in the zone file this: _send._smtp._srv.*.*.173.128.in-addr.arpa. IN TXT 0 _send._smtp._srv.*.*.82.198.in-addr.arpa. IN TXT 0 being overridden by more specific information on single IP addresses. You obviously do not know how wildcards work in the DNS or you would not have made this suggestion. Please read RFC 1034 and work through Section 4.3.2 (Algorithm) with a QNAME of _send._smtp._srv.1.1.173.128.in-addr.arpa.
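To see what the RFC 1034 section 4.3.2 walk actually does with the records proposed above, here is a toy lookup over a constructed reverse zone. This is an added example, not code from either poster: the zone contents, host names and the /16 are assumptions, and the resolver skips CNAMEs, delegations and DNSSEC. It shows two things: a "*" that is not the leftmost label is just a literal label (RFC 1034 s4.3.3, later restated in RFC 4592), and even a real wildcard is shadowed for any address that already has a PTR record, which is exactly the QNAME Mark Andrews suggests tracing.

```python
"""Toy RFC 1034 s4.3.2 name lookup (steps 3a-3c) with wildcard handling.
Added example with a constructed zone; all names are assumptions."""

from dataclasses import dataclass, field


@dataclass
class Node:
    rrsets: dict = field(default_factory=dict)    # rrtype -> list of rdata
    children: dict = field(default_factory=dict)  # label -> Node


def build_zone(records):
    """Build the label tree from (owner, rrtype, rdata) triples. Every label on
    the way to an owner becomes a node, so "_send._smtp._srv.*.*.173.128..."
    creates an *empty* "*" node under 173.128.in-addr.arpa as a side effect."""
    root = Node()
    for owner, rtype, rdata in records:
        node = root
        for label in reversed(owner.rstrip(".").lower().split(".")):
            node = node.children.setdefault(label, Node())
        node.rrsets.setdefault(rtype, []).append(rdata)
    return root


def lookup(root, qname, qtype):
    """Walk QNAME label by label from the root (RFC 1034 s4.3.2 step 3).
    Returns ("ANSWER", rdata), ("NODATA", []) or ("NXDOMAIN", [])."""
    node = root
    for label in reversed(qname.rstrip(".").lower().split(".")):
        child = node.children.get(label)
        if child is not None:       # step 3a/3b: exact label exists, keep descending
            node = child
            continue
        # step 3c: this label does not exist here; a "*" child of the node we
        # are at matches the whole remainder of QNAME, however many labels
        star = node.children.get("*")
        if star is None:
            return "NXDOMAIN", []
        node = star
        break
    rrs = node.rrsets.get(qtype)
    return ("ANSWER", list(rrs)) if rrs else ("NODATA", [])


# Constructed reverse zone for 128.173.0.0/16 using the thread's record shape.
PROPOSED = build_zone([
    ("1.1.173.128.in-addr.arpa.", "PTR", "host1.example.net."),
    ("2.1.173.128.in-addr.arpa.", "PTR", "mx.example.net."),
    # explicit "this box sends mail" record for the MX
    ("_send._smtp._srv.2.1.173.128.in-addr.arpa.", "TXT", "1"),
    # the proposed catch-all: "*" is not the leftmost label, so this owner
    # name merely contains two literal "*" labels and is not a wildcard
    ("_send._smtp._srv.*.*.173.128.in-addr.arpa.", "TXT", "0"),
])

# The same zone with a genuine wildcard (leftmost "*") at the /16 level.
REAL_WILDCARD = build_zone([
    ("1.1.173.128.in-addr.arpa.", "PTR", "host1.example.net."),
    ("2.1.173.128.in-addr.arpa.", "PTR", "mx.example.net."),
    ("_send._smtp._srv.2.1.173.128.in-addr.arpa.", "TXT", "1"),
    ("*.173.128.in-addr.arpa.", "TXT", "0"),
])


def policy_for(zone, ip):
    """Look up the _send._smtp._srv TXT record for a dotted-quad IPv4 address."""
    rev = ".".join(reversed(ip.split(".")))
    return lookup(zone, f"_send._smtp._srv.{rev}.in-addr.arpa.", "TXT")


if __name__ == "__main__":
    for title, zone in (("proposed *.* records", PROPOSED),
                        ("real /16 wildcard", REAL_WILDCARD)):
        print(title)
        for ip in ("128.173.1.2", "128.173.1.1", "128.173.9.9"):
            print("  ", ip, policy_for(zone, ip))
```

With the proposed records, 128.173.1.1 (the QNAME from the post) falls off the tree at the "_srv" label under an existing PTR node and gets NXDOMAIN; an address with no PTR hits the empty "*" node and gets NODATA, never the intended 0. The genuine wildcard answers 0 only for addresses that have no PTR record at all.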
RE: What good is a noc team? How do you mitigate this? [was: How many backbones ...]
-Original Message- From: Gadi Evron [mailto:[EMAIL PROTECTED] Sent: Thursday, December 02, 2004 3:21 PM To: Chad Skidmore Cc: Aaron Glenn; [EMAIL PROTECTED] Subject: What good is a noc team? How do you mitigate this? [was: How many backbones ...] Okay, making this an operational issue. Say you are attacked. Say it isn't even a botnet. Say a new worm is out and you are getting traffic from 19 different class A's. Who do you call? What do you block? How can a noc team here help? Please block any outgoing connections from your network to ours on port 25? Please? I tried this once.. it doesn't help. I ended up blackholing an entire country just to mitigate it a bit, for a few hours. Any practical suggestions? Gadi. Well, the easy answer is that it depends. Let's use SQL Slammer as one example that might be comparable to the scenario you mention. During Slammer some networks did stay up. We'd have to ask each one of them what they did to know why they stayed up but I think I can guess at some. Shortly after Slammer there was a NANOG presentation on Slammer and some discussion at the NSP-Sec BOF at that NANOG regarding why some people survived and others didn't. What came out of that was enlightening, if not obvious in hindsight. 1. Those providers that made use of contacts at other providers and worked together, shared information, etc. were less affected than those that did not. 2. Those providers that had various mechanisms in place for just such an issue did better than those that did not. This included, but was not limited to, darknet monitoring, quick reaction to darknet data anomalies, automated and semi-automated sifting of Netflow data, pre-staged classification ACLs on at least key backbone/peering/transit routers, and BGP (or other) triggered blackhole mechanisms. 3. Teams with dedicated incident response teams did better than those that didn't.
4. Those with grossly oversubscribed networks did worse than those with sufficient bandwidth to handle the ebb and flow of traffic that rides the Internet today. Good traffic engineering practices don't mean that you have to purchase lots of excess bandwidth to make this happen. Not being oversubscribed is also not just an issue of circuit utilization. For example, make sure you have enough CPU on your routers, line cards, whatever so that you can turn various features on to help track and mitigate an attack without making your routers fall over. So, armed with that data you can assume the following. With good darknet monitoring practices you would likely see a rapid uptick in scanning, backscatter, etc. and could start investigating the cause prior to the issue becoming service affecting. Maybe it is so crazy and randomized that you don't see it on your darknet monitoring but you see it on your PPS data collection. More often than not I know we see indications of miscreant activity on PPS monitoring first. The classification ACLs are a good way to turn the router into a poor man's sniffer (assuming it isn't so heavily loaded already that it falls over) so you can see what types of traffic you are dealing with. Using MCI/UU's method you could track any spoofed traffic back to where it enters your network pretty easily. I know that Chris and company do it with amazing speed across 701. If it works for them then it likely works for the rest of you. Netflow data would likely lead you to sources of the most pain so you could go after those first. Fighting an attack isn't always about making the attack go away. Oftentimes the key to not getting killed is to find the big guns and get them silenced first. Sure, you're still getting shot, but it isn't going to kill you and you can take some additional time to find the smaller guns. If you are seeing the bulk of the attack come from a few sources let their security teams deal with it and take the pain away from you.
Armed with the data you glean from this approach you will usually be able to get a positive response from your upstream or peers. If not, make a quick note to yourself that you need to replace them once your attack is over and done with. If all else fails, blackhole the host under attack at your borders, or even better on your upstream's network via BGP triggered blackhole (if they don't support it make a note to replace them with someone who does when the attack is over). You might sacrifice that host but you'll save the rest of your network and likely buy yourself some more time to track back to the source and kill it. I'm certainly not suggesting I have all the answers or that I have it all figured out. I also realize that the world is not a rosy place where inter-provider communication is perfect and I always get the answers I need when I call them. I'm just tired of seeing people play the victim, complaining how the Big Providers won't protect them, etc. without looking
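The triage order the post describes (darknet hits as the early warning, then Netflow to find the "big guns" and escalate those sources first) is simple enough to script against a flow export. This is an added example, not anything from Chad Skidmore's network: the flow records, the darknet prefix, the victim address and the thresholds are all constructed.

```python
"""Attack triage over flow records: darknet uptick detection, then ranking
sources at the victim so the few that carry most of the packets are escalated
first. Added example; every address, prefix and threshold is constructed."""

from collections import Counter
from ipaddress import ip_address, ip_network

DARKNET = ip_network("192.0.2.0/24")     # assumed unused prefix we route and watch
VICTIM = ip_address("198.51.100.10")     # assumed customer host under attack

# Constructed one-minute flow export: (source, destination, packets).
FLOWS = [
    ("203.0.113.5", "198.51.100.10", 5000),
    ("203.0.113.6", "198.51.100.10", 3000),
    ("203.0.113.7", "198.51.100.10", 500),
    ("203.0.113.8", "198.51.100.10", 300),
    ("203.0.113.9", "192.0.2.17", 40),       # darknet hit: nothing lives there
    ("203.0.113.9", "192.0.2.200", 35),
    ("203.0.113.5", "192.0.2.3", 12),
    ("198.51.100.20", "198.51.100.10", 25),  # ordinary internal traffic
]


def split_flows(flows, darknet=DARKNET, victim=VICTIM):
    """Return (packets per source aimed at the victim, packets per source
    aimed at the darknet). Flows to anything else are ignored here."""
    to_victim, darknet_hits = Counter(), Counter()
    for src, dst, pkts in flows:
        dst_ip = ip_address(dst)
        if dst_ip in darknet:
            darknet_hits[src] += pkts
        elif dst_ip == victim:
            to_victim[src] += pkts
    return to_victim, darknet_hits


def big_guns(per_source, share=0.8):
    """Smallest set of top sources that together carry at least `share` of
    the packets: these are the abuse contacts to call first."""
    total = sum(per_source.values())
    chosen, covered = [], 0
    for src, pkts in per_source.most_common():
        chosen.append(src)
        covered += pkts
        if covered >= share * total:
            break
    return chosen


def darknet_uptick(darknet_hits, baseline_pps, factor=5.0, window_s=60):
    """True when darknet packets per second exceed `factor` times the quiet
    baseline, which is the early indicator the post says to react to."""
    pps = sum(darknet_hits.values()) / window_s
    return pps > factor * baseline_pps


if __name__ == "__main__":
    victim_pkts, dn = split_flows(FLOWS)
    print("darknet uptick:", darknet_uptick(dn, baseline_pps=0.1))
    print("escalate first:", big_guns(victim_pkts))
    print("sources seen on darknet:", sorted(dn))
```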
Re: How many backbones here are filtering the makelovenotspam screensaver site?
Lycos has created a large botnet (at least by most people's definition) that is hidden in the guise of a screen saver claiming to only go after the bad guys. This is what scares me. Who determines the bad guys? I don't know anyone over at Lycos so I have no trust (or lack thereof) in Lycos. Who is to say that Lycos won't decide next month that Yahoo, Google, MSN, _insert your own network here_ are bad guys and point the screen saver at them. Are they likely to do it? Probably not; it would be a PR nightmare for them. But who is to stop them? What if they don't go so extreme and just point the screen saver at gray hat hosts who are open relays or something? My opinion (not that anyone asked) is retaliation is childish and unprofessional. I remember the Internet before Spam, botnets, DDOS, etc. and dream of a day when these are under control again just as much as the next geek. However, stooping to the level of the miscreant is not the answer to the problem in my opinion. Justin Ryburn [EMAIL PROTECTED] Dance like nobody's watching; love like you've never been hurt. Sing like nobody's listening; live like it's heaven on earth. -- Mark Twain - Original Message - From: Chad Skidmore [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, December 02, 2004 4:21 PM Subject: RE: How many backbones here are filtering the makelovenotspam screensaver site? -Original Message- From: Steven Champeon [mailto:[EMAIL PROTECTED] Posted At: Thursday, December 02, 2004 1:09 PM Posted To: NANOG Conversation: How many backbones here are filtering the makelovenotspam screensaver site? Subject: Re: How many backbones here are filtering the makelovenotspam screensaver site? My point was to Martin's question about what would happen if - god forbid - there were large botnets under the control of spammers; a careful reading will suggest that my major point was, duh, that there already are large botnets under the control of spammers.
I realize that is the point you were trying to make. I also realize that Martin is pretty well aware of botnets and the threat they create. I suspect that most other readers on NANOG are also well aware. What doesn't seem to be as common knowledge as I would expect is that botnets are a commodity. As such they are traded, sold, purchased and even stolen. That last point is particularly important in this case. Lycos has created a large botnet (at least by most people's definition) that is hidden in the guise of a screen saver claiming to only go after the bad guys. This botnet uses a command and control server that is now well publicized, and uses a communication channel that is not encrypted or obfuscated in any way. That makes it a botnet just asking to be stolen. Fortunately the CC server is blackholed by what seem to be a large number of providers and the botnet is now fairly useless. Good point. Simply put, I can (and do) read my own mail server logs. And I can see that many ISPs - regardless of what they may be doing in onesy-twosy increments - simply aren't doing enough to prevent new botnet infections from wasting my server's cycles in futile attempts to deliver spam, outscatter, virus warnings, etc. etc. ad infinitum. It is certainly more than onesy-twosy increments but I agree that the problem is large enough that it certainly feels like a weak attempt from the average user/operator's point of view. This costs me time and money, and many of the same ISPs mentioned above are simply cost-shifting their own responsibility onto me and everyone else, and I'm tired of it. I encourage everyone to vote with their wallet when it comes to this type of thing. Buy your transit from organizations with dedicated security teams that actively engage in SPAM/Bot/Worm/Viri fighting efforts. Those things cost money and take time and are usually unacknowledged efforts. 
Larger providers seem to make easier targets when it comes to placing blame and saying that they aren't doing enough to combat miscreant activity. I don't believe that is the case overall. They just have a much larger customer base, higher volumes of traffic to inspect, and more politics to work within. Not to say there aren't responsible ISPs, and I hope that anyone who /is/ a part of the solution, rather than the fertile substrate for the problem, is capable of recognizing that and not taking offense when I point out there are others who could do more. I believe that EVERYONE could do more on this front. It is a moving battle that requires constant improvement just to stay afloat, let alone get ahead. For those genuinely interested in improving what they are doing on this front I strongly encourage you to attend the NSP-Sec BOFs at NANOG. You might be surprised what you learn and who you meet that can be helpful. As for go180.net, you don't show up much on my radar, but on Nov 9th we were hit by a spammer
Re: How many backbones here are filtering the makelovenotspam screensaver site?
On Thu, 2 Dec 2004, Justin Ryburn wrote: This is what scares me. Who determines the bad guys? I don't know anyone over at Lycos so I have no trust (or lack thereof) in Lycos. Who is to say that Lycos won't decide next month that Yahoo, Google, MSN, _insert your own network here_ are bad guys and point the screen saver at them. Common sense?
RE: How many backbones here are filtering the makelovenotspam screensaver site?
-Original Message- From: Justin Ryburn [mailto:[EMAIL PROTECTED] Sent: Thursday, December 02, 2004 4:18 PM To: Chad Skidmore; [EMAIL PROTECTED] Subject: Re: How many backbones here are filtering the makelovenotspam screensaver site? This is what scares me. Who determines the bad guys? I don't know anyone over at Lycos so I have no trust (or lack thereof) in Lycos. Who is to say that Lycos won't decide next month that Yahoo, Google, MSN, _insert your own network here_ are bad guys and point the screen saver at them. Are they likely to do it? Probably not; it would be a PR nightmare for them. But who is to stop them? What if they don't go so extreme and just point the screen saver at gray hat hosts who are open relays or something? I agree 100%. I believe that I get to decide what is or is not ok traffic on my network. I define that in my AUP and customers agree to and understand that when they buy service from me. My opinion (not that anyone asked) is retaliation is childish and unprofessional. I remember the Internet before Spam, Also agree 100%. If there is traffic hitting my network that I don't believe is ok then I can choose not to carry that traffic on my network. It doesn't give me the right to attack the originator of that traffic or the person that I believe to be the originator of that traffic. That's why I am a very firm believer in the power of the ip route x.x.x.x y.y.y.y null0 command. :) Makes the problem go away for me (for the most part) and doesn't cause anyone else any pain as a result except my customers, who agreed to let me use that power when they purchased service from me. botnets, DDOS, etc. and dream of a day when these are under control again just as much as the next geek. However, stooping to the level of the miscreant is not the answer to the problem in my opinion. Justin Ryburn [EMAIL PROTECTED] Dance like nobody's watching; love like you've never been hurt.
Sing like nobody's listening; live like it's heaven on earth. -- Mark Twain - Chad E Skidmore One Eighty Networks, Inc. http://www.go180.net 509-688-8180
Re: Banned on NANOG
[EMAIL PROTECTED] (nanog gonan) writes: This whole censorship thing has me wondering as to the continued viability of this list as a place where the clue-heavy hang out and speak freely. Paul Vixie has been warned, randy Bush has been banned. Who else has been banned that'd be considered a clue-heavy NANOG poster? on the one hand, thank you for your kind words. inside isc i'm known as being somewhat clue-light most of the time (probably with justification.) on the other hand, susan's warnings to me were absolutely called for, as i was off in the weeds a little bit TOO often. i'm fine w/ what happened. Why are folks being banned? Last I heard, procmail still works. Folks are becoming afraid to post due to worries about being banned. S/N: Isn't the goal to increase S and reduce N? If you reduce both S and N, you don't get a better signal. With randy gone, the S has definitely decreased. Who else is gone that reduces S? i think you're looking at this the wrong way. consider what happens to a habitat when a given species has no limit to its population -- no shortage of food, no natural predator. the first time i heard the word overrun it was not about buffer size but about biology. individual humans usually have a conscience. groups of humans usually don't. if not for susan reminding us from time to time why this mailing list exists and why we subscribed to it in the first place, and prodding us gently to get on with that business and stay out of side topics, the S would remain constant but the N would ratchet upward and we'd be back on Usenet again. i'm hoping that there will be an in-person discussion of mailing list rules of the road in las vegas. if any significant chunk of the nanog population feels that there are presently too many rules, and too high an S, and not enough N, then they'll presumably vote with their feet (or cause the rules to become more relaxed.) -- Paul Vixie
[OT] Re: Banned on NANOG
I'm under the impression that a discussion of that sort will occur in Las Vegas. There has been significant off-list chatter regarding this. It's entirely possible for nanog-l to be self policing, or, failing that, for users to simply use procmail on those who wander off-topic (for some definition of off-topic). Putting an [OT] subject banner on such posts is also nice. There's such a thing as throwing the baby out with the bathwater. When highly clued, genuinely contributing folks are treated poorly for the occasional in-joke or comment, the S:N ratio will suffer in the longer term. I'm certainly hoping that the network operations community will feel no need to talk with their feet after we all sit down with the Merit staff and let our feelings be known, but that is certainly a possibility. - Dan On 12/2/04 8:48 PM, Paul Vixie [EMAIL PROTECTED] wrote: [SNIP]
Re: is reverse dns required? (policy question)
On Thu, 2004-12-02 at 16:03, Mark Andrews wrote: [SNIP] You obviously do not know how wildcards work in the DNS or you would not have made this suggestion. Please read RFC 1034 and work through Section 4.3.2 (Algorithm) with a QNAME of _send._smtp._srv.1.1.173.128.in-addr.arpa. The proposal did say that it does not involve changing DNS? It would be nice to have a method to publish mail policy in a global fashion without confronting the problems of wildcards or walking the directories. *.tld TXT != mail policy thanks to exists +-~... kitchen sink. : ( -Doug
Re: [OT] Re: Banned on NANOG
From: Daniel Golding [EMAIL PROTECTED] ... It's entirely possible for nanog-l to be self policing, or, failing that, for users to simply use procmail on those who wander off-topic (for some definition of off-topic). Putting an [OT] subject banner on such posts is also nice. i don't want widescale procmail to be the only way nanog@ is readable by a big subset of the netops community, simply because i know a lot of the folks here (lazy overworked disorganized bums, mostly) and if it takes way more effort to be subscribed than not, many will just unsubscribe. There's such a thing as throwing the baby out with the bathwater. When highly clued, genuinely contributing folks are treated poorly for the occasional in-joke or comment, the S:N ratio will suffer in the longer term. nope nope nope no-no-nope. that's a subjective standard. there's no way to moderate based on does more good than harm without strong and formal and objective definitions of what good is and what harm is, plus an appeals process. trust me: we don't want strong formal process. (my own system, which has produced only two warnings in about 10 years, is to make the good:harm ratio high enough in any given message that the in jokes are merely a tolerable percentage of the mass of THAT message; what i see some other bums doing, though, is pure-in-joke messages.) I'm certainly hoping that the network operations community will feel no need to talk with their feet after we all sit down with the Merit staff and let our feelings be known, but that is certainly a possibility. like the libertarians say, use your dollar votes! i'm comfortable with a system whereby susan occasionally turns around in the front seat of ye olde station wagon and says you'd better stop that right now, because if i have to stop this car and come back there, you'll be sorry and the rest of the time we just keep the fighting down to a (bloodless) dull roar.
but if you have a better system in mind you should propose it; and if you can't get traction for it inside nanog, there's always room for another ops list. (in Usenet days we used to say could you move this thread to $other_group, where it will be on-topic, and where i'm not a subscriber? and it WORKED a lot of the time, just to wake folks up and show that topic-consensus was a property both nec'y and desirable in ALL forums, digital or otherwise.)
[OT] Re: Banned on NANOG
On Thu, 2 Dec 2004, Daniel Golding wrote: ...after we all sit down with the Merit staff and let our feelings be known. Uh, didn't you guys do that at the last NANOG? Is someone under the misimpression that there's anyone at Merit who doesn't know your feelings? -Bill
RE: [OT] Re: Banned on NANOG
I wanted to say the same thing earlier, but a hands-off approach works best on NANOG. The question at hand is not whether procmail will work . . . It's whether procmail should have to work. Joe Johnson -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Vixie Sent: Thursday, December 02, 2004 9:47 PM To: [EMAIL PROTECTED] Subject: Re: [OT] Re: Banned on NANOG [SNIP]
RE: [OT] Re: Banned on NANOG
On Thu, 2 Dec 2004, Joe Johnson wrote: I wanted to say the same thing earlier, but a hands-off approach works best on NANOG. The question at hand is not whether procmail will work . . . It's whether procmail should have to work. I don't want to use procmail for nanog posts, I've got long enough rules already... I think to be more fair it would be good if suspensions were not permanent but for a period of time (with period doubling or tripling on subsequent suspensions if it happens). At least people will not be as upset when they are suspended and know it's just a period for them to calm down and do more reading of nanog than posting... -- William Leibzon Elan Networks [EMAIL PROTECTED]
RE: [OT] Re: Banned on NANOG
I am going out on a limb here, and leaving lurk mode on this issue. If I get banned, well, Randy and I can start our own mailing list. We're about as grumpy as each other. I disagree with William entirely. Suspensions are idiotic, and only detract from the usefulness of the list. S:N is important, but so is being a human being. People are people; we are not robots. This list serves a specific purpose, as does anything in life. Sometimes people do things with stuff that is out of bounds with said stuff, but, again, people make mistakes. We're not in school, we don't need suspensions. We need to act like adults, use this list for its intended purpose. If someone is a dodo for a message or two here or there, then, well, we tolerate it and move on, maybe someone on the list sends that person an email saying, Dude, your email was dopey, please stop. If the person continues to be a dodo, get rid of the problem. It's as simple as that. I think we all agree that RAS and Randy don't fall into the above category of having to be gotten rid of. Again, it's all relative. So, go ahead and ask, But, that won't work, will it? My rebuttal: It's how inet-access (people from 1993 to 2000 or so will know what this is) worked, and, well, except for the very occasional whack-job, it worked well. It was a useful list. The reason it died had nothing to do with S:N on that list; it had to do with the fact that the industry supporting that list more or less evaporated. Disagree with me, perhaps I didn't even make sense; perhaps that tells you about how much sleep I've gotten recently, or the insanity of this entire situation. On Thu, 2 Dec 2004, william(at)elan.net wrote: I think to be more fair it would be good if suspensions were not permanent but for a period of time (with period doubling or tripling on subsequent suspensions if it happens).
At least people will not be as upset when they are suspended and know it's just a period for them to calm down and do more reading of nanog than posting... -- William Leibzon Elan Networks [EMAIL PROTECTED] -- Alex Rubenstein, AR97, K2AHR, [EMAIL PROTECTED], latency, Al Reuben -- --Net Access Corporation, 800-NET-ME-36, http://www.nac.net --
Bogon filtering (don't ban me)
Considering the talk of banning going on, I was reluctant to post this, anyhow, I wondered how many (if any) have ever thought about the aspect of vendors deciding to implement some form of default bogon filtering on their products. With all of the talk about DoS botnets, and issues surrounding allocated address ranges (for whatever the purpose), I'm curious to know why a vendor like Juniper, or Cisco, or whomever doesn't implement a mechanism to automatically do the filtering. Wouldn't this minimize a vast amount of issues surrounding DoS attacks? From an admin/user perspective, I would not mind having my equipment implement this as long as it was manageable to add/remove addresses on the fly. Perhaps a command line syntax: ip bogon add add.res.s/8 or ip bogon remove add.res.s/8 How much easier would it be for a NAP (per se) to have their entire network configured properly to avoid having their network send malicious traffic out of their net. I thought about it over and over, and wonder why this hasn't been done. Any care to beat me with a clue stick or two? I can understand the arguments of not wanting a vendor to have control of some aspect of my business, or control over my network, but correct me if I am wrong, wouldn't this solve a heck of a lot of issues concerning network based attacks, spam, scumware/spyware/fooware/$*something? =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ J. Oquendo GPG Key ID 0x51F9D78D Fingerprint 2A48 BA18 1851 4C99 CA22 0619 DB63 F2F7 51F9 D78D http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x51F9D78D sil @ politrix . org http://www.politrix.org sil @ infiltrated . net http://www.infiltrated.net How can we account for our present situation unless we believe that men high in this government are concerting to deliver us to disaster? Joseph McCarthy America's Retreat from Victory
Re: Bogon filtering (don't ban me)
We've proposed what vendors need to better support bogon filtering, even wrote a draft: http://arneill-py.sacramento.ca.us/draft-py-idr-redisfilter-01.txt but last time I talked to a cisco ios person (which was just two weeks ago at IPv6 Summit), it still has not been done. Perhaps a couple more people who buy their hardware asking them about it will make a difference ... On Fri, 3 Dec 2004, J. Oquendo wrote: Considering the talk of banning going on, I was reluctant to post this, anyhow, I wondered how many (if any) have ever thought about the aspect of vendors deciding to implement some form of default bogon filtering on their products. With all of the talk about DoS botnets, and issues surrounding allocated address ranges (for whatever the purpose), I'm curious to know why a vendor like Juniper, or Cisco, or whomever doesn't implement a mechanism to automatically do the filtering. Wouldn't this minimize a vast amount of issues surrounding DoS attacks? From an admin/user perspective, I would not mind having my equipment implement this as long as it was manageable to add/remove addresses on the fly. Perhaps a command line syntax: ip bogon add add.res.s/8 or ip bogon remove add.res.s/8 How much easier would it be for a NAP (per se) to have their entire network configured properly to avoid having their network send malicious traffic out of their net. I thought about it over and over, and wonder why this hasn't been done. Any care to beat me with a clue stick or two? I can understand the arguments of not wanting a vendor to have control of some aspect of my business, or control over my network, but correct me if I am wrong, wouldn't this solve a heck of a lot of issues concerning network based attacks, spam, scumware/spyware/fooware/$*something? =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ J. Oquendo GPG Key ID 0x51F9D78D Fingerprint 2A48 BA18 1851 4C99 CA22 0619 DB63 F2F7 51F9 D78D http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x51F9D78D sil @ politrix . org http://www.politrix.org sil @ infiltrated . net http://www.infiltrated.net How can we account for our present situation unless we believe that men high in this government are concerting to deliver us to disaster? Joseph McCarthy America's Retreat from Victory
Re: Bogon filtering (don't ban me)
On Fri, 3 Dec 2004, J. Oquendo wrote: Considering the talk of banning going on, I was reluctant to post this, anyhow, I wondered how many (if any) have ever thought about the aspect of vendors deciding to implement some form of default bogon filtering on their products. With all of the talk about DoS botnets, and issues surrounding allocated address ranges (for whatever the purpose), I'm curious to know why a vendor like Juniper, or Cisco, or whomever doesn't implement a mechanism to automatically do the filtering. Wouldn't this minimize a vast amount of issues surrounding DoS attacks? From an admin/user perspective, I would not mind having my equipment implement this as long as it was manageable to add/remove addresses on the fly. Perhaps a command line syntax: ip bogon add add.res.s/8 or ip bogon remove add.res.s/8 do you mean like using uRPF and null routes of the bogon/unallocated networks to drop traffic on input? cause that's already there... I thought about it over and over, and wonder why this hasn't been done. Any care to beat me with a clue stick or two? I can understand the it has been done... see any of the several past nanog presentations on security that Barry Greene, Tim Battles, Wayne Gustavus have given (and Joe S from Juniper... I'd butcher his spelling, sorry joe!) I think the arguments have gone against 'default blocking' because 'default for the internet' is not 'default for enterprise Z'. -Chris
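A small working model of the ingress bogon filtering discussed in this thread, added here as an example; it is not code from any of the posts, from Cisco or from Juniper. It mirrors the `ip bogon add|remove <prefix>` syntax J. Oquendo proposed (hypothetical, nothing on the page says such a command exists) and Chris's two points: the drop is done at the ingress interface on the packet's source address, the same effect as a bogon ACL or uRPF against null routes, and "default for the internet is not default for enterprise Z", so the Internet-facing interface filters RFC 1918 sources while an internal interface carrying that space does not. The bogon list, interface names and traffic are constructed; the 203.0.113.0/24 entry and its later removal stand in for a range that was unallocated when the list was built and has since been assigned, the stale-list problem the thread raises about lists that never update.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_network
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed bogon list: well-known special-purpose IPv4 ranges that should
# never appear as a source on an Internet-facing interface. A real deployment
# pulls the current list from a maintained feed; this one is fixed for the example.
DEFAULT_BOGONS = [
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ingress: str  # name of the interface the packet arrived on (constructed)


class BogonFilter:
    """Set of source prefixes to drop; add/remove mirror the thread's
    hypothetical 'ip bogon add|remove <prefix>' command."""

    def __init__(self, prefixes: Iterable[str] = ()) -> None:
        self._prefixes: Set[IPv4Network] = set()
        for p in prefixes:
            self.add(p)

    def add(self, prefix: str) -> None:
        # strict=True rejects "10.1.2.3/8": host bits must be zero, as a
        # router would insist when the prefix is typed into config.
        net = ip_network(prefix, strict=True)
        if not isinstance(net, IPv4Network):
            raise ValueError("IPv4 only in this example: %s" % prefix)
        self._prefixes.add(net)

    def remove(self, prefix: str) -> bool:
        """Return True if the prefix was present (e.g. the space got allocated)."""
        net = ip_network(prefix, strict=True)
        if net in self._prefixes:
            self._prefixes.remove(net)
            return True
        return False

    def match(self, addr: str) -> Optional[IPv4Network]:
        """Longest-prefix match of addr against the bogon set, or None."""
        a = IPv4Address(addr)
        hits = [n for n in self._prefixes if a in n]
        return max(hits, key=lambda n: n.prefixlen) if hits else None

    def apply_command(self, line: str) -> bool:
        """Parse the hypothetical CLI line, e.g. 'ip bogon add 10.0.0.0/8'."""
        parts = line.split()
        if len(parts) != 4 or parts[:2] != ["ip", "bogon"]:
            raise ValueError("unrecognised command: %r" % line)
        verb, prefix = parts[2], parts[3]
        if verb == "add":
            self.add(prefix)
            return True
        if verb == "remove":
            return self.remove(prefix)
        raise ValueError("unknown verb: %s" % verb)


class Router:
    """Ingress filtering is per interface: only interfaces listed in
    `filters` check sources, so internal links can carry RFC 1918 space."""

    def __init__(self, filters: Dict[str, BogonFilter]) -> None:
        self.filters = filters

    def forward(self, packets: Iterable[Packet]) -> Tuple[List[Packet], List[Tuple[Packet, str]]]:
        forwarded: List[Packet] = []
        dropped: List[Tuple[Packet, str]] = []
        for pkt in packets:
            flt = self.filters.get(pkt.ingress)
            hit = flt.match(pkt.src) if flt else None
            if hit is not None:
                dropped.append((pkt, "src %s in bogon %s on %s" % (pkt.src, hit, pkt.ingress)))
            else:
                forwarded.append(pkt)
        return forwarded, dropped


def demo() -> Tuple[int, int, int]:
    """Run constructed traffic through the model. Returns (drops with the stale
    entry present, drops after it is removed, packets forwarded on the inside)."""
    external = BogonFilter(DEFAULT_BOGONS)
    external.apply_command("ip bogon add 203.0.113.0/24")  # constructed stale entry
    router = Router({"ge-0/0/0": external})  # ge-0/0/1 (internal) is unfiltered
    traffic = [  # constructed sample flows
        Packet("10.1.2.3", "198.51.100.7", "ge-0/0/0"),     # RFC 1918 src from the Internet
        Packet("10.1.2.3", "198.51.100.7", "ge-0/0/1"),     # same src on the inside: legitimate
        Packet("127.0.0.1", "198.51.100.7", "ge-0/0/0"),    # loopback as source
        Packet("0.0.0.0", "198.51.100.7", "ge-0/0/0"),      # unspecified address
        Packet("224.0.0.1", "198.51.100.7", "ge-0/0/0"),    # multicast is never a source
        Packet("203.0.113.5", "198.51.100.7", "ge-0/0/0"),  # range allocated after list was built
        Packet("198.51.100.9", "198.51.100.7", "ge-0/0/0"), # ordinary unicast, passes
    ]
    _, drop_before = router.forward(traffic)
    for _pkt, reason in drop_before:
        print("DROP", reason)
    external.apply_command("ip bogon remove 203.0.113.0/24")  # list updated
    fwd_after, drop_after = router.forward(traffic)
    inside = sum(1 for p in fwd_after if p.ingress == "ge-0/0/1")
    return len(drop_before), len(drop_after), inside


if __name__ == "__main__":
    print(demo())
```

The model keeps the filter on the Internet-facing interface only, which is the reason a vendor default is hard: the same 10.0.0.0/8 source is garbage on `ge-0/0/0` and normal on `ge-0/0/1`, and only the operator knows which is which. The remove step shows why the list needs a feed rather than a one-time default: until the entry is dropped, a now-legitimate 203.0.113.5 is discarded along with the real bogons.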
Re: [OT] Re: Banned on NANOG
Alex Rubenstein wrote: We're not in school, we don't need suspensions. We need to act like adults, use this list for its intended purpose. If someone is a dodo for a message or two here or there, then, well, we tolerate it and move on, maybe someone on the list sends that person an email saying, Dude, your email was dopey, please stop. If the person continues to be a dodo, get rid of the problem. It's as simple as that. I think we all agree that RAS and Randy don't fall into the above category of having to be gotten rid of. Again, it's all relative. So, go ahead and ask, But, that won't work, will it? My rebuttal: It's how inet-access (people from 1993 to 2000 or so will know what this is) worked, and, well, except for the very occasional whack-job, it worked well. It was a useful list. The reason it died Rumors of inet-access's death are greatly exaggerated. It's quieter now, but it's not dead, we had 168 posts in the past 3 months, so an average of about 2 a day. It tends to come in a bursty fashion, quiet for a few days, then someone posts a question and there is a flurry of replies. had nothing to do with S:N on that list; it had to do with the fact that the industry supporting that list more or less evaporated. Very true, there are far fewer ISPs (especially small ISPs) today. Subscription numbers to the inet-access list have been falling steadily since the dot.bomb. Many people who used to work at ISPs now work for vendors or other non-ISP companies and have left the list (or are just lurking these days). List subscription info at: http://inet-access.net/mailman/listinfo/list jc
Fw: [pignet]
- Original Message - From: [EMAIL PROTECTED] To: Pacific Internet Users Group Mailing List [EMAIL PROTECTED] Sent: Thursday, December 02, 2004 2:47 PM Subject: [pignet] The Politics are starting I found this in the Washington Post - Interesting? By Shaun Waterman UNITED PRESS INTERNATIONAL Published December 2, 2004 Former CIA Director George J. Tenet yesterday called for new security measures to guard against attacks on the United States that use the Internet, which he called a potential Achilles' heel. I know that these actions will be controversial in this age when we still think the Internet is a free and open society with no control or accountability, he told an information-technology security conference in Washington, but ultimately the Wild West must give way to governance and control. The former CIA director said telecommunications -- and specifically the Internet -- are a back door through which terrorists and other enemies of the United States could attack the country, even though great strides have been made in securing the physical infrastructure. The Internet represents a potential Achilles' heel for our financial stability and physical security if the networks we are creating are not protected, Mr. Tenet said. He said known adversaries, including intelligence services, military organizations and non-state actors, are researching information attacks against the United States. Within the federal government, the Department of Homeland Security has the lead role in protecting the Internet from terrorism. But the department's head of cyber-security recently quit amid reports that he had clashed with his superiors. Mr. Tenet, who retired in July as director of the CIA after seven years, warned that al Qaeda remains a sophisticated group, even though its first-tier leadership largely has been destroyed. It is undoubtedly mapping vulnerabilities and weaknesses in our telecommunications networks, he said. Mr. 
Tenet pointed out that the modernization of key industries in the United States is making them more vulnerable by connecting them with an Internet that is open to attack. The way the Internet was built might be part of the problem, he said. Its open architecture allows Web surfing, but that openness makes the system vulnerable, Mr. Tenet said. Access to networks like the World Wide Web might need to be limited to those who can show they take security seriously, he said. Mr. Tenet called for industry to lead the way by establishing and enforcing security standards. Products need to be delivered to government and private-sector customers with a new level of security and risk management already built in. The national press, including United Press International (UPI), were excluded from yesterday's event, at Mr. Tenet's request, organizers said. Copyright © 2004 News World Communications, Inc. All rights reserved. Regards = Andrew *=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=* To unsubscribe send a blank email to : [EMAIL PROTECTED] *=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=* To be on this list you must be an ISOC member: Register at www.isoc.org it is free. Select the Pacific Islands Chapter.
Re: Bogon filtering (don't ban me)
In Ciscoland it's called AutoSecure (IOS 12.3): http://www.cisco.com/warp/public/cc/pd/iosw/prodlit/cas11_ds.htm Blocks all IANA reserved IP address blocks The actual doc: http://niatec.info/mediacontent/cisco/media/targets/resources_mod07/7_1_2_AutoSecure.pdf Problem is, I still do not see that Cisco has a way of auto-updating a router that has used autosec_complete_bogon or autosec_iana_reserved_block. -Hank We've proposed what vendors need to better support bogon filtering, even wrote a draft: http://arneill-py.sacramento.ca.us/draft-py-idr-redisfilter-01.txt but last time I talked to a cisco ios person (which was just two weeks ago at IPv6 Summit), it still has not been done. Perhaps a couple more people who buy their hardware asking them about it will make a difference ...