Internet Traffic Begins to Bypass the U.S.

2008-09-13 Thread Hank Nussbacher

http://www.nytimes.com/2008/08/30/business/30pipes.html?partner=rssuserland&emc=rss&pagewanted=all

-Hank




RE: ingress SMTP

2008-09-13 Thread Frank Bulk
Apologies for not being more clear, because I see the responses going in
tangents I hadn't expected.

Most anti-spam products drop the connection or issue some kind of rejection
message during the SMTP exchange.  If the connection is dropped, the
subscriber's MTA/MUA will likely try and try again until it reaches
expiration time.  For MS Exchange I think that's two or three days.  For
Outlook Express, that message just sits in the Outbox.  If a rejection
message was issued, hopefully the sender can interpret what the MUA is
saying, or the MTA sends back an undeliverable.

So, for service providers who require their subscribers to smarthost
messages through their server, how are they letting the subscribers know in
some kind of active way?  

Frank

-Original Message-
From: Suresh Ramasubramanian [mailto:[EMAIL PROTECTED] 
Sent: Saturday, September 13, 2008 8:39 PM
To: Frank Bulk
Cc: Matthew Moyle-Croft; nanog@nanog.org
Subject: Re: ingress SMTP

On Sat, Sep 13, 2008 at 11:38 PM, Frank Bulk <[EMAIL PROTECTED]> wrote:
> How do you alert mail server operators who are smarthosting their e-mail
> through you that their outbound messages contain spam?
>
> Frank

If those are actual mailservers smarthosting and getting MX from you
then you doubtless have quite a lot of reporting already set up.

Have you seen what Messagelabs, MXLogic etc do?

There's also feedback loops, ARF formatted, where users on those
mailservers can report inbound spam to the filtering vendor.

.. or was that a rhetorical question and am I missing something here?

--
Suresh Ramasubramanian ([EMAIL PROTECTED])




Re: ingress SMTP

2008-09-13 Thread Matthew Moyle-Croft

*Hobbit* wrote:

> > How do you alert mail server operators who are smarthosting their
> > e-mail through you that their outbound messages contain spam?
>
> You don't let them falsify their envelope or headers to contain
> fields utterly unrelated to your own infrastructure, for starters.
> They try it, their mail bounces.  It's a very rare piece of
> spam that actually comes from who it says it comes from anymore.

Are you suggesting that only ISP domains should be allowed through?  
(eg.  [EMAIL PROTECTED])
If you're forcing people to use your mail servers as a smart host then 
you wouldn't be very popular ...


MMC




Re: ingress SMTP

2008-09-13 Thread *Hobbit*
   > How do you alert mail server operators who are smarthosting their
   > e-mail through you that their outbound messages contain spam?

You don't let them falsify their envelope or headers to contain
fields utterly unrelated to your own infrastructure, for starters.
They try it, their mail bounces.  It's a very rare piece of
spam that actually comes from who it says it comes from anymore.

Do that before thinking about rate-limiting or any other fanciness,
and you've likely licked 90% of the problem right there.  A
smarthost with a strong "sense of self" backed up by port-25
rules is exactly what I'm talking about, and if certain large
providers ever *read* their abuse boxes they'd find the same
advice from me in more than one instance followed by a clear
example of why.

_H*
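The two points made in this thread, that a smarthost should refuse mail whose envelope or headers claim domains unrelated to the customer (*Hobbit*), and that it should answer with an SMTP rejection the sending MTA/MUA can show the user rather than silently dropping the connection and leaving the message to retry for days (Frank), can be put together in one policy check. The following is an added illustration, not code from any of the posters or from any ISP's mail cluster; the customer-to-domain mapping, the account names and the addresses are constructed, and the reply codes follow RFC 5321/3463 conventions.

```python
"""Envelope/header policy for an ISP smarthost (added example).

A customer that authenticates to the smarthost may only relay mail whose
envelope sender and From: header use domains assigned to that customer.
Violations get a 550 with an enhanced status code and a reason, so the
sender's MTA bounces it (or the MUA shows the error) immediately instead
of queueing it and retrying until expiry.
"""
from dataclasses import dataclass
from email.utils import parseaddr
from typing import Dict, FrozenSet, Optional

# Constructed: domains each authenticated customer account may send as.
# A real smarthost would pull this from its customer database.
CUSTOMER_DOMAINS: Dict[str, FrozenSet[str]] = {
    "cust1234": frozenset({"example.com", "mail.example.com"}),
    "cust5678": frozenset({"example.org"}),
}


@dataclass(frozen=True)
class Verdict:
    accepted: bool
    code: str        # SMTP reply code: "250" or "550"
    enhanced: str    # RFC 3463 enhanced status code
    reason: str


def _domain(addr: str) -> Optional[str]:
    """Lowercase domain part of an address, or None if it has none."""
    _, spec = parseaddr(addr)
    if "@" not in spec:
        return None
    return spec.rsplit("@", 1)[1].lower()


def smarthost_policy(auth_user: str, mail_from: str, header_from: str) -> Verdict:
    """Decide whether an authenticated customer may relay this message."""
    allowed = CUSTOMER_DOMAINS.get(auth_user)
    if allowed is None:
        return Verdict(False, "550", "5.7.1", "relay denied: unknown account")

    # Null envelope sender (<>) is a bounce from the customer's own MTA and is
    # legitimate; everything else must carry one of the customer's domains.
    if mail_from.strip() not in ("", "<>"):
        env = _domain(mail_from)
        if env is None:
            return Verdict(False, "550", "5.1.7", "malformed envelope sender")
        if env not in allowed:
            return Verdict(False, "550", "5.7.1",
                           f"envelope sender domain {env} not authorised for {auth_user}")

    # The From: header is what the recipient sees; hold it to the same rule.
    hdr = _domain(header_from)
    if hdr is None or hdr not in allowed:
        return Verdict(False, "550", "5.7.1",
                       f"From: header domain {hdr} not authorised for {auth_user}")

    return Verdict(True, "250", "2.1.0", "sender ok")


def smtp_reply(v: Verdict) -> str:
    """Render the verdict as the reply line the smarthost sends."""
    return f"{v.code} {v.enhanced} {v.reason}"


if __name__ == "__main__":
    # Constructed sessions: one legitimate, one claiming an unrelated domain.
    for user, env, hdr in [
        ("cust1234", "<user@example.com>", "User <user@example.com>"),
        ("cust1234", "<spoof@unrelated.example.net>", "user@example.com"),
    ]:
        print(user, env, "->", smtp_reply(smarthost_policy(user, env, hdr)))
```

Because the rejection is issued during the SMTP exchange, a customer's Exchange or Outlook Express sees a permanent failure with a human-readable reason at once, which is the "active" notification Frank asks about, at least for the envelope-forgery case.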



Re: ingress SMTP

2008-09-13 Thread Suresh Ramasubramanian
On Sat, Sep 13, 2008 at 11:38 PM, Frank Bulk <[EMAIL PROTECTED]> wrote:
> How do you alert mail server operators who are smarthosting their e-mail
> through you that their outbound messages contain spam?
>
> Frank

If those are actual mailservers smarthosting and getting MX from you
then you doubtless have quite a lot of reporting already set up.

Have you seen what Messagelabs, MXLogic etc do?

There's also feedback loops, ARF formatted, where users on those
mailservers can report inbound spam to the filtering vendor.

.. or was that a rhetorical question and am I missing something here?

-- 
Suresh Ramasubramanian ([EMAIL PROTECTED])



Re: ingress SMTP

2008-09-13 Thread Matthew Moyle-Croft

Frank Bulk wrote:

> How do you alert mail server operators who are smarthosting their e-mail
> through you that their outbound messages contain spam?

Typically a ticket gets injected into helpdesk who then contact them via 
email or via a phone call depending on the situation.  I don't think 
we've automated it as often these kinds of people don't react well or 
ignore it - so a human being needs to intervene and often give help.


We also take measures such as rate limiting the amount of email they can 
send (kbps, msg per hour wise) to limit the damage.


We offer a URL for customers that allows them to see their "spam" rating 
for their IPs (this includes if they're sending out viruses as well) - 
including a text only version (2 lines of text) so it can be easily 
parsed by machine if someone wanted to integrate it into their own checking.


We try and have default settings that protect us and the users as much 
as possible, but allow people who (at least think they) know what 
they're doing to change them to be more open.   Our general customer 
base tends to be biased towards the techy type who want this kind of 
thing.  (We sponsor things like the Australian Systems Administrator's 
Guild etc)


MMC

> Frank
>
> -Original Message-
> From: Matthew Moyle-Croft [mailto:[EMAIL PROTECTED]
> Sent: Saturday, September 13, 2008 12:41 AM
> To: Bill Stewart
> Cc: nanog@nanog.org
> Subject: Re: ingress SMTP
>
> Hi Bill,
>
> Bill Stewart wrote:
> > In some sense, anything positive you can accomplish by blocking Port 25
> > you can also accomplish by leaving the port open and advertising the IP
> > address
> > on one of the dynamic / home broadband / etc. block lists,
> > which leaves recipients free to whitelist or blacklist your users.
>
> Except that this tends to lead to a worse situation for people like
> yourself who wish to run a mailserver - because ultimately you'll have
> to resort to using an ISP's forwarder anyway because there will be more
> spam from the IP ranges you're in leaving to the wide world, thus a
> worse reputation, and so more blocking.
>
> ie.  by blocking outbound SMTP by default and getting customers to use
> our mail cluster their email is more likely to arrive and not be dropped
> as coming from a potential spam source.
>
> > I've toned down my vehemence about the blocking issue a bit -
> > there's enough zombieware out there that I don't object strongly to an ISP
> > that has it blocked by default  but makes it easy for humans to enable.
>
> That's what we do - by default most customers have a small ACL applied
> which protects them from traffic from various windows ports, ensures
> SMTP goes via our mail cluster etc.   Having customers send mail out via
> us is actually better because we do spam checking and can alert
> customers to their machines being compromised etc (or at least customers
> can look at their status themselves).   But, customers can easily turn
> the filtering off via the portal we have.
>
> We have no issues with customers running servers - most people don't,
> and those who do value the ability to do so.
>
> MMC
>
> --
> Matthew Moyle-Croft - Internode/Agile - Networks




Re: Cisco uRPF failures

2008-09-13 Thread Saku Ytti
On (2008-09-13 13:26 -0500), Brandon Ewing wrote:

Hey Brandon,

> Are you sure?  According to the IOS guide for 3560E/3750E, "ip verify" is
> still an unsupported interface command.  I don't have a 3560E handy to test
> on, but I know that a non-E 3560 refuses it with a notice regarding how
> verification is not supported by hardware.

To be honest I'm not sure. Feature-wise, the highlights I've taken note of
in the 3560 E series are jumbo MTU support in L3 and uRPF, in comparison to
the non-E, apart from the obvious 10GE and PSU enhancements.
While I haven't personally run a 3560E, I'm fairly confident that it's
supported, in hardware (and software to turn it on).

uRPF is mentioned here:
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps7078/product_data_sheet0900aecd805bac22.html
Advanced Security
• Unicast RPF feature helps mitigate problems caused by the introduction of
malformed or forged (spoofed) IP source addresses into a network by
discarding IP packets that lack a verifiable IP source address.


-- 
  ++ytti
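The datasheet sentence above is the whole of what uRPF does: discard packets whose source address cannot be verified against the forwarding table. What "verifiable" means differs between strict mode (the route back to the source must point out the interface the packet arrived on) and loose mode (any non-discard route will do), and on Cisco gear the default route does not count unless `allow-default` is given. The following simulation is an added example, not Cisco code and not from the thread; the FIB, interface names and packets are constructed, and `mode`/`allow_default` are names chosen here to stand in for the `reachable-via rx|any` and `allow-default` keywords.

```python
"""Strict vs loose unicast RPF decision against a small FIB (added example)."""
import ipaddress
from typing import List, Optional, Tuple

# (prefix, outgoing interface); interface None models a route to Null0,
# i.e. an address range the router explicitly discards.
Route = Tuple[ipaddress.IPv4Network, Optional[str]]

# Constructed FIB of an edge router with two customer ports and an upstream.
FIB: List[Route] = [
    (ipaddress.ip_network("0.0.0.0/0"), "Gi0/1"),        # default via upstream
    (ipaddress.ip_network("192.0.2.0/24"), "Gi0/2"),     # customer A
    (ipaddress.ip_network("198.51.100.0/24"), "Gi0/3"),  # customer B
    (ipaddress.ip_network("203.0.113.0/24"), None),       # discard route
]


def lookup(fib: List[Route], addr: str) -> Optional[Route]:
    """Longest-prefix match for addr; None if no route covers it at all."""
    a = ipaddress.ip_address(addr)
    best: Optional[Route] = None
    for net, iface in fib:
        if a in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_check(fib: List[Route], src: str, ingress: str,
               mode: str = "strict", allow_default: bool = False) -> bool:
    """True if a packet from src arriving on ingress passes the RPF check.

    mode="strict": the best route to src must leave via the ingress interface.
    mode="loose":  any route to src that is not a discard route suffices.
    allow_default: whether a match on 0.0.0.0/0 counts as a route (off by
    default, as on Cisco IOS).
    """
    r = lookup(fib, src)
    if r is None:
        return False
    net, iface = r
    if iface is None:                 # explicitly unreachable source
        return False
    if net.prefixlen == 0 and not allow_default:
        return False
    if mode == "loose":
        return True
    return iface == ingress


def filter_packets(fib: List[Route], packets: List[Tuple[str, str]],
                   mode: str = "strict") -> List[Tuple[str, str, bool]]:
    """Apply the check to (src, ingress) pairs; returns (src, ingress, passed)."""
    return [(src, ing, urpf_check(fib, src, ing, mode)) for src, ing in packets]


if __name__ == "__main__":
    # Constructed packets: a normal one, one spoofing customer A's range
    # from customer B's port, and one from the discard range.
    sample = [("192.0.2.10", "Gi0/2"), ("192.0.2.10", "Gi0/3"), ("203.0.113.5", "Gi0/2")]
    for mode in ("strict", "loose"):
        print(mode, filter_packets(FIB, sample, mode))
```

The second packet is the case uRPF on a customer-facing port exists for: it drops in strict mode and passes in loose mode, which is why strict mode belongs on single-homed customer ports and loose mode is the one you can still use on multi-homed or asymmetric links.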



Re: Identifying when netblocks have been assigned

2008-09-13 Thread Stephen Sprunk

Frank Bulk wrote:
> When I do that it lists the organization's AS, but not any netblocks
> associated with that AS.
>
> Frank
>
> -Original Message-
> From: Jake Mertel [mailto:[EMAIL PROTECTED]
>
> Frank,
>
> Add the > operator in front of the organizations ARIN ID when you do
> your WHOIS query and it will show all of the resources allocated to that
> organization.


Keep in mind that the "> OrgID" trick only works for allocations or 
assignments made directly by ARIN; it won't necessarily show you 
everything that was SWIPed to them, since many SWIPs are not tagged with 
an OrgID.  To find those, you have to search on the name of the customer 
and hope it shows up correctly in the CustName field.


Also, many companies end up with lots of OrgIDs, and many of them may 
not have the correct current name due to M&A activity.  Finding them all 
may take a while and isn't easily automated.


S



Re: Cisco uRPF failures

2008-09-13 Thread Brandon Ewing
On Thu, Sep 11, 2008 at 08:11:28PM +0300, Saku Ytti wrote:
> 
> Sound like these shops are using 3550 as router, which is common for
> smaller shops, especially in EU. And indeed, 3550 would not do uRPF. 
> (3560E does).
> 

Are you sure?  According to the IOS guide for 3560E/3750E, "ip verify" is
still an unsupported interface command.  I don't have a 3560E handy to test
on, but I know that a non-E 3560 refuses it with a notice regarding how
verification is not supported by hardware.

http://tinyurl.com/5qbqzb

-- 
Brandon



RE: ingress SMTP

2008-09-13 Thread Frank Bulk
How do you alert mail server operators who are smarthosting their e-mail
through you that their outbound messages contain spam?

Frank

-Original Message-
From: Matthew Moyle-Croft [mailto:[EMAIL PROTECTED] 
Sent: Saturday, September 13, 2008 12:41 AM
To: Bill Stewart
Cc: nanog@nanog.org
Subject: Re: ingress SMTP

Hi Bill,

Bill Stewart wrote:
> In some sense, anything positive you can accomplish by blocking Port 25
> you can also accomplish by leaving the port open and advertising the IP
> address
> on one of the dynamic / home broadband / etc. block lists,
> which leaves recipients free to whitelist or blacklist your users.
>
Except that this tends to lead to a worse situation for people like
yourself who wish to run a mailserver - because ultimately you'll have
to resort to using an ISP's forwarder anyway because there will be more
spam from the IP ranges you're in leaving to the wide world, thus a
worse reputation, and so more blocking.

ie.  by blocking outbound SMTP by default and getting customers to use
our mail cluster their email is more likely to arrive and not be dropped
as coming from a potential spam source.

> I've toned down my vehemence about the blocking issue a bit -
> there's enough zombieware out there that I don't object strongly to an ISP
> that has it blocked by default  but makes it easy for humans to enable.
>
That's what we do - by default most customers have a small ACL applied
which protects them from traffic from various windows ports, ensures
SMTP goes via our mail cluster etc.   Having customers send mail out via
us is actually better because we do spam checking and can alert
customers to their machines being compromised etc (or at least customers
can look at their status themselves).   But, customers can easily turn
the filtering off via the portal we have.

We have no issues with customers running servers - most people don't,
and those who do value the ability to do so.

MMC

--
Matthew Moyle-Croft - Internode/Agile - Networks
Level 4, 150 Grenfell Street, Adelaide, SA 5000 Australia
Email: [EMAIL PROTECTED]  Web: http://www.on.net
Direct: +61-8-8228-2909 Mobile: +61-419-900-366
Reception: +61-8-8228-2999  Fax: +61-8-8235-6909






RE: Identifying when netblocks have been assigned

2008-09-13 Thread Frank Bulk
No problem, I had my coffee 2 hours ago.

1) I would prefer e-mail, and ideally on-demand querying from a web form.
And even more pie in the sky, something like Google Trends (i.e.
http://www.google.com/trends?q=hurricane+katrina&ctab=0&geo=all&date=all)
that shows the quantity of IP addresses that are being advertised over time.
2) Basically I would sign up for certain AS' and be informed when new blocks
are added, or when blocks stop being advertised (for a full 24-hour period,
I don't think there's value in seeing when it's withdrawn and re-advertised
in one day).  There might be some people that want to know when a block is
first advertised, but that's less likely unless they're tracking the
de-BOGON announcements.

Regards,

Frank

-Original Message-
From: Bill Woodcock [mailto:[EMAIL PROTECTED] 
Sent: Saturday, September 13, 2008 12:57 PM
To: Frank Bulk
Cc: [EMAIL PROTECTED]; Vijay Kumar Adhikari; nanog@nanog.org
Subject: Re: Identifying when netblocks have been assigned

  On Sat, 13 Sep 2008, Bill Woodcock wrote:
> By that, I mean that they could be run daily, and specific results emailed
> to people who were interested in following the allocation patterns for
> specific organizations, any time there was a match.

Following up on my own post for the second time tells me that I'm posting
too early in the morning, or without the recommended seven-second
broadcast delay between brain and fingers, but...  My colleagues have
reminded me that we already built this system two years ago, and it
produces an RSS feed, rather than email results.  Also, that we hadn't
done as much as we should do to provide filtering tools to narrow down the
results.  So, two questions for the community:

1) Would people prefer to receive these results via email, or RSS, or
   some other mechanism?

2) What would the structure of the query or filter look like, ideally?
   What key would you like to be querying on, and how would you like
   the results focused?

-Bill





RE: Identifying when netblocks have been assigned

2008-09-13 Thread Frank Bulk
Ok, so not so simple. =)

I'm not familiar with the layout of PCH's data (I did find some .gz files,
so I presume that's the data that's gathered on a daily basis), but if I
were, I would have to take the divide-and-conquer approach for a certain AS
to find out when a block was first announced.

I'm guessing that I would have to do the hard work.  Perhaps Renesys is
already doing this? (but for a fee).

Regards,

Frank

-Original Message-
From: Bill Woodcock [mailto:[EMAIL PROTECTED] 
Sent: Saturday, September 13, 2008 12:47 PM
To: Frank Bulk
Cc: [EMAIL PROTECTED]; Vijay Kumar Adhikari; nanog@nanog.org
Subject: Re: Identifying when netblocks have been assigned

  On Sat, 13 Sep 2008, Bill Woodcock wrote:
> Those are both very simple reports to run from PCH's existing databases
> and data-feeds.

By that, I mean that they could be run daily, and specific results emailed
to people who were interested in following the allocation patterns for
specific organizations, any time there was a match.

-Bill
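Frank's two requests in this thread, a daily report of blocks that appear under (or disappear for a whole day from) a watched origin AS, and a way to look up when a given block was first announced, both reduce to diffing daily snapshots of (prefix, origin AS) pairs and remembering first-sighting dates. The code below is an added example, not PCH's system, Renesys's, or anything from the thread; the snapshot format (one `prefix origin-AS` pair per line, as you might extract from a daily RIB dump) and the dates and prefixes are constructed, and "withdrawn" deliberately means absent from the whole day's snapshot, so intra-day flaps are not reported, as Frank asks.

```python
"""Daily origin-AS watch over routing-table snapshots (added example)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

Snapshot = Set[Tuple[str, int]]   # {(prefix, origin_asn)} for one day


@dataclass(frozen=True)
class Event:
    date: str
    asn: int
    prefix: str
    kind: str   # "new" (never seen before), "readvertised", or "withdrawn"


def parse_dump(text: str) -> Snapshot:
    """Parse a constructed 'prefix origin-AS' dump; blank and '#' lines ignored."""
    snap: Snapshot = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        prefix, asn = line.split()
        snap.add((prefix, int(asn)))
    return snap


class OriginWatch:
    """Tracks, per watched origin AS, which prefixes it originates day by day."""

    def __init__(self, watched: Iterable[int]):
        self.watched = set(watched)
        self.ever_seen: Dict[int, Set[str]] = {a: set() for a in self.watched}
        self.last: Dict[int, Set[str]] = {a: set() for a in self.watched}
        self.first_seen: Dict[Tuple[int, str], str] = {}   # (asn, prefix) -> date

    def ingest(self, date: str, snap: Snapshot) -> List[Event]:
        """Feed one day's snapshot (dates must arrive in order); return events."""
        today: Dict[int, Set[str]] = {a: set() for a in self.watched}
        for prefix, asn in snap:
            if asn in today:
                today[asn].add(prefix)

        events: List[Event] = []
        for asn in sorted(self.watched):
            # First ever sighting of a block under this origin.
            for p in sorted(today[asn] - self.ever_seen[asn]):
                self.first_seen[(asn, p)] = date
                events.append(Event(date, asn, p, "new"))
            # Seen before, absent yesterday, back today.
            for p in sorted((today[asn] & self.ever_seen[asn]) - self.last[asn]):
                events.append(Event(date, asn, p, "readvertised"))
            # Present yesterday, absent for the whole of today.
            for p in sorted(self.last[asn] - today[asn]):
                events.append(Event(date, asn, p, "withdrawn"))
            self.ever_seen[asn] |= today[asn]
            self.last[asn] = today[asn]
        return events

    def first_announced(self, asn: int, prefix: str) -> Optional[str]:
        """The on-demand query: when did this AS first originate this block?"""
        return self.first_seen.get((asn, prefix))


def format_report(events: List[Event]) -> List[str]:
    """Lines suitable for the daily e-mail or an RSS item body."""
    return [f"{e.date} AS{e.asn} {e.kind}: {e.prefix}" for e in events]


if __name__ == "__main__":
    # Constructed daily dumps for a watched AS (documentation ASN 64496).
    days = {
        "2008-09-11": "192.0.2.0/24 64496\n198.51.100.0/24 64497\n",
        "2008-09-12": "192.0.2.0/24 64496\n203.0.113.0/24 64496\n",
        "2008-09-13": "203.0.113.0/24 64496\n",
    }
    w = OriginWatch([64496])
    for d, text in days.items():
        for line in format_report(w.ingest(d, parse_dump(text))):
            print(line)
    print("first announced:", w.first_announced(64496, "203.0.113.0/24"))
```

Run against real daily dumps the same class answers both of Bill's questions about structure: the subscription key is the origin AS, and the filter is the set of event kinds a subscriber wants in their feed.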





Re: Identifying when netblocks have been assigned

2008-09-13 Thread Bill Woodcock
  On Sat, 13 Sep 2008, Bill Woodcock wrote:
> By that, I mean that they could be run daily, and specific results emailed
> to people who were interested in following the allocation patterns for
> specific organizations, any time there was a match.

Following up on my own post for the second time tells me that I'm posting 
too early in the morning, or without the recommended seven-second 
broadcast delay between brain and fingers, but...  My colleagues have 
reminded me that we already built this system two years ago, and it 
produces an RSS feed, rather than email results.  Also, that we hadn't 
done as much as we should do to provide filtering tools to narrow down the 
results.  So, two questions for the community:

1) Would people prefer to receive these results via email, or RSS, or 
   some other mechanism?

2) What would the structure of the query or filter look like, ideally?
   What key would you like to be querying on, and how would you like
   the results focused?

-Bill




RE: Identifying when netblocks have been assigned

2008-09-13 Thread Frank Bulk
When I do that it lists the organization's AS, but not any netblocks
associated with that AS.

Frank

-Original Message-
From: Jake Mertel [mailto:[EMAIL PROTECTED] 
Sent: Saturday, September 13, 2008 10:50 AM
To: Frank Bulk
Cc: nanog@nanog.org
Subject: Re: Identifying when netblocks have been assigned

Frank,

Add the > operator in front of the organizations ARIN ID when you do
your WHOIS query and it will show all of the resources allocated to that
organization.

--
Regards,

Jake Mertel
Nobis Technology Group, L.L.C.

Frank Bulk wrote:
> Perhaps there's no answer to this, or it's obvious and I ought to know.
>
> How can I find out when ARIN or the applicable registry has assigned a block
> to a certain organization, and I don't know the block, just the
> organization.
> If that's not possible, is there a site/way that has a timeline for the
> first time a certain AS announced a block?
>
> Frank
>
>
>





Re: Identifying when netblocks have been assigned

2008-09-13 Thread Bill Woodcock
  On Sat, 13 Sep 2008, Bill Woodcock wrote:
> Those are both very simple reports to run from PCH's existing databases 
> and data-feeds.

By that, I mean that they could be run daily, and specific results emailed 
to people who were interested in following the allocation patterns for 
specific organizations, any time there was a match.

-Bill




Re: Identifying when netblocks have been assigned

2008-09-13 Thread Bill Woodcock
  On Sat, 13 Sep 2008, Frank Bulk wrote:
> Perhaps there's no answer to this, or it's obvious and I ought to know.
> How can I find out when ARIN or the applicable registry has assigned a block
> to a certain organization, and I don't know the block, just the
> organization.
> If that's not possible, is there a site/way that has a timeline for the
> first time a certain AS announced a block?

Those are both very simple reports to run from PCH's existing databases 
and data-feeds.  The only tricky part is how you specify the organization 
name...  Are you planning on using the RIR OrgID, or an exact-match on the 
organization name, or a substring or regex match?  Or would you like 
something that tries to map through origin AS?

-Bill




Re: New Intercage upstream

2008-09-13 Thread Gadi Evron

On Sat, 13 Sep 2008, Andrew Clover wrote:

> Marco d'Itri wrote:
> > Look at what else this AS is announcing:
>
> Cernel, UkrTeleGroup and Inhoster are all aliases of Esthost. These
> are their blocks that are physically operated by Intercage, so it's
> not surprising they're to be found together.
>
> PIE is another colo operation housed at the same facility as Intercage
> (200 Paul Avenue, SF). Their focus appears to be hosting Japanese
> sites in the US (colo inside Japan itself has historically been quite
> expensive). They may well be unaware of the nature of their
> datacentre-neighbours.

I don't know if this AS is evil, and quite possibly it isn't. However, it 
has every intention of keeping Atrivo / Intercage as a client. Perhaps we 
need to talk to their transit providers, after all, it is the exact same 
network just somewhere else. No changes.


Gadi.



Re: Identifying when netblocks have been assigned

2008-09-13 Thread Jake Mertel

Frank,

Add the > operator in front of the organizations ARIN ID when you do 
your WHOIS query and it will show all of the resources allocated to that 
organization.


--
Regards,

Jake Mertel
Nobis Technology Group, L.L.C.

Frank Bulk wrote:

> Perhaps there's no answer to this, or it's obvious and I ought to know.
>
> How can I find out when ARIN or the applicable registry has assigned a block
> to a certain organization, and I don't know the block, just the
> organization.
> If that's not possible, is there a site/way that has a timeline for the
> first time a certain AS announced a block?
>
> Frank






Identifying when netblocks have been assigned

2008-09-13 Thread Frank Bulk
Perhaps there's no answer to this, or it's obvious and I ought to know.

How can I find out when ARIN or the applicable registry has assigned a block
to a certain organization, and I don't know the block, just the
organization.
If that's not possible, is there a site/way that has a timeline for the
first time a certain AS announced a block?

Frank




Re: New Intercage upstream

2008-09-13 Thread Lamar Owen
On Saturday 13 September 2008 06:11:25 Marco d'Itri wrote:
> Interested parties can consult http://www.bofh.it/~md/drop-stats.txt
> (randomly updated, I am still looking for a permanent home for it)
> for a detailed list of who is announcing the networks listed in SBL
> DROP, what else they announce and who is providing transit to the ASes
> announcing them. The code used to generate it is available on request.

Hmmm.  Callout to Randy Bush:  tools like this and the techniques to use them 
are tailor-made for cluepon, no?



Re: New Intercage upstream

2008-09-13 Thread Andrew Clover
Marco d'Itri wrote:

> Look at what else this AS is announcing:

Cernel, UkrTeleGroup and Inhoster are all aliases of Esthost. These
are their blocks that are physically operated by Intercage, so it's
not surprising they're to be found together.

PIE is another colo operation housed at the same facility as Intercage
(200 Paul Avenue, SF). Their focus appears to be hosting Japanese
sites in the US (colo inside Japan itself has historically been quite
expensive). They may well be unaware of the nature of their
datacentre-neighbours.

--



Re: New Intercage upstream

2008-09-13 Thread Marco d'Itri
On Sep 13, "Jon O." <[EMAIL PROTECTED]> wrote:

> Looks like this might be somewhat bulletproof, check the other sites off this 
> "AS"
> http://www.robtex.com/dns/pacificinternetexchange.net.html#a2

It may be, yes. Look at what else this AS is announcing:

http://www.spamhaus.org/sbl/sbl.lasso?query=SBL36453 (cernel/esthost)
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL36702 (the infamous
  UkrTeleGroup network)
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL53319 (inhoster)

Interested parties can consult http://www.bofh.it/~md/drop-stats.txt
(randomly updated, I am still looking for a permanent home for it)
for a detailed list of who is announcing the networks listed in SBL
DROP, what else they announce and who is providing transit to the ASes
announcing them. The code used to generate it is available on request.

Hint: there is not just Intercage.

-- 
ciao,
Marco




Re: community real-time BGP hijack notification service

2008-09-13 Thread Nathan Ward

On 13/09/2008, at 7:21 PM, Randy Bush wrote:

> i am occasionally asked if there have been real bgp attacks (not slips).
>
> the answer is, of course yes, but there are none which can be publicly
> described.  when bucks and embarrassment are involved, security through
> obscurity seems to rule.
>
> but tony and alex did us an enormous favor by publicly conducting such
> an attack, see http://www.merit.edu/mail.archives/nanog/msg10357.html
>
> so, what i want to know is which, if any of the tools being discussed on
> this thread *actually* did or could detect and/or mitigate the tony/alex
> defcon attack.
>
> i appreciate the dozens of tools that detect and mitigate finger or
> brain fumbles.  but those are not where the black hats are gonna go to
> make the big bucks.

Yep, that was my point before.

My concern is that unless there is big bold text saying that it's not  
a solution, and then reference to longer optional text for those that  
care about why, people will get a false sense of security.


--
Nathan Ward







Re: community real-time BGP hijack notification service

2008-09-13 Thread Randy Bush
i am occasionally asked if there have been real bgp attacks (not slips).
the answer is, of course yes, but there are none which can be publicly
described.  when bucks and embarrassment are involved, security through
obscurity seems to rule.

but tony and alex did us an enormous favor by publicly conducting such
an attack, see http://www.merit.edu/mail.archives/nanog/msg10357.html

so, what i want to know is which, if any of the tools being discussed on
this thread *actually* did or could detect and/or mitigate the tony/alex
defcon attack.

i appreciate the dozens of tools that detect and mitigate finger or
brain fumbles.  but those are not where the black hats are gonna go to
make the big bucks.

randy



Re: community real-time BGP hijack notification service

2008-09-13 Thread Matthew Moyle-Croft

Nathan Ward wrote:

> On 13/09/2008, at 5:48 PM, Matthew Moyle-Croft wrote:
>
> > Arnaud de Prelle wrote:
> > > I think that most of us (me included) are already using it but the
> > > problem is that they don't have BGP collectors everywhere in the world.
> > > This is in fact a generic issue for BGP monitoring.
> >
> > In this case it's very important to have a lot of collectors broadly
> > distributed listening in many ASes.
> >
> > For example:
> >
> > If I know there are two BGP collectors driving this service, and
> > they're in, say, AS701 and AS1239, then if I wanted to do a partial
> > hijack (which might be good enough for my evil purposes) then I could
> > advertise a path which had those ASes stuffed in it and prevent
> > downstream collectors in AS701 and AS1239 from learning the hijack path.
>
> Note that the attack becomes less and less effective if you're path
> stuffing ASes, as it will be preferred by fewer and fewer networks.
> Put collection points in say 10 networks, and the attack becomes
> pretty useless.
> Unless of course you are announcing a more specific prefix than the
> authentic one.

Absolutely - but it depends how wide you want the hijack - a global one 
is very obvious, but you can see that a very narrow one of some sites it 
might be harder (take longer) to detect and live longer.  

ie.  If I just wanted to disrupt a website to a country or region for 
political reasons or just to get the ad revenue for a small amount of 
time, then it might be acceptable to limit the scale in order to evade 
detection. 

I'm not saying this is the end of the world, just reinforcing that 
widely distributed BGP monitors are necessary for detection.   It might 
be that various projects which have these distributed tools etc can help 
by becoming feeds for these kinds of notification projects.


MMC


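The detection side of what MMC and Nathan describe is a comparison, per collector, of every announcement that falls inside a prefix you own against the origin AS you expect, with more-specifics treated as the same prefix. Counting which collectors saw the foreign origin is what tells you whether you are looking at a global event or the narrow, regional one that a monitor with few vantage points would miss. The following is an added example and not the code of any notification service mentioned in the thread; the expected-origin table, the collector names, the AS paths and the prefixes are constructed (documentation ASNs and TEST-NET ranges).

```python
"""Origin/more-specific check across several BGP collectors (added example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# (announced prefix, AS path as seen by the collector, last element = origin)
Route = Tuple[str, Tuple[int, ...]]

# Constructed: the prefixes we own and the AS that should originate them.
EXPECTED: Dict[str, int] = {"192.0.2.0/24": 64496}

# Constructed views from three collectors. rc-b alone sees a /25 out of our
# /24 originated by a foreign AS; rc-a and rc-c see only the genuine route.
VIEWS: Dict[str, List[Route]] = {
    "rc-a": [("192.0.2.0/24", (64500, 64496))],
    "rc-b": [("192.0.2.0/24", (64501, 64496)),
             ("192.0.2.128/25", (64501, 64502, 64511))],
    "rc-c": [("192.0.2.0/24", (64503, 64496))],
}


@dataclass
class Alert:
    prefix: str                 # the announced prefix (may be a more-specific)
    covers: str                 # the registered prefix it falls within
    origin: int                 # the unexpected origin AS
    expected: int               # the origin we expected
    seen_at: List[str] = field(default_factory=list)   # collectors that saw it


def find_hijacks(expected: Dict[str, int], views: Dict[str, List[Route]]) -> List[Alert]:
    """Flag every announcement of our space (or a subnet of it) with a wrong origin."""
    registered = [(ipaddress.ip_network(p), p, asn) for p, asn in expected.items()]
    alerts: Dict[Tuple[str, int], Alert] = {}
    for collector, routes in views.items():
        for prefix, path in routes:
            net = ipaddress.ip_network(prefix)
            origin = path[-1]
            for rnet, rprefix, rasn in registered:
                # subnet_of is true for the prefix itself and any more-specific.
                if net.version == rnet.version and net.subnet_of(rnet) and origin != rasn:
                    alert = alerts.setdefault((prefix, origin),
                                              Alert(prefix, rprefix, origin, rasn))
                    if collector not in alert.seen_at:
                        alert.seen_at.append(collector)
    return sorted(alerts.values(), key=lambda a: (a.prefix, a.origin))


def visibility(alert: Alert, views: Dict[str, List[Route]]) -> float:
    """Fraction of collectors that observed the suspect announcement."""
    return len(alert.seen_at) / len(views)


def describe(alert: Alert, views: Dict[str, List[Route]]) -> str:
    pct = 100 * visibility(alert, views)
    kind = "more-specific" if alert.prefix != alert.covers else "exact prefix"
    return (f"{alert.prefix} ({kind} of {alert.covers}) originated by AS{alert.origin}, "
            f"expected AS{alert.expected}; seen by {len(alert.seen_at)} collector(s) "
            f"({pct:.0f}%): {', '.join(alert.seen_at)}")


if __name__ == "__main__":
    for a in find_hijacks(EXPECTED, VIEWS):
        print(describe(a, VIEWS))
```

A single alert at one collector out of three is exactly the situation the thread warns about: it is a real event for whoever sits behind rc-b, and a service with only rc-a and rc-c as feeds would report nothing, which is the argument for many, widely distributed collectors rather than a couple of large ones.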