Re: Dynamic IP log retention = 0?

2009-03-12 Thread Ross
How did a simple thread about network scanning get so derailed... we have
people talking about the legal implications of port scanning, hiring
lawyers to go after ISPs, talking to the FBI, the benefits/downfalls of
NAT as a security policy, etc. Wow, just wow.

I'll try to answer you in a more common sense approach as some have tried
to do. First of all no network operator has to hand over their logs or
user information over to you just because you want to know. You can ask
their abuse department to intervene but that is all up to that department.
They may have told you they don't have them just because they didn't want
you pestering them anymore or they may really not have them, who knows.
Don't try to judge them but try to fix this very minute problem in a way
you can control.

The ways you can control this are simple.

1) Block all of covad (not very smart)
2) Block all of covad except for essential ports (25,80,443 or whatever
other common ports they may need)
3) Set up a perimeter protection that blocks hosts that are scanning you
and removes them after a determined amount of time

This trying to shun people in public because they aren't following your
guide to network administration probably isn't going to work very well for
you. If 65000 covad addresses were ddosing you then I would agree that you
have a legitimate gripe but focus on what you can control and not what you
believe others should be doing.

-- 
Ross
ross [at] dillio.net

   I've been nudging an operator at Covad about a handful of hosts from his
 DHCP pool that have been attacking - relentlessly port scanning - our
 assets.
   I've been informed by this individual that there's no way to determine
 which customer had that address at the times I list in my logs - even
 though these logs are sent within 48 hours of the incidents.
   The operator advised that I block the specific IP's that are attacking
 us at my perimeter. When I mentioned the fact that blocking individual
 addresses will only be as effective as the length of lease for that DHCP
 pool I get the email equivalent of a shrug.
   "Well, maybe you want to ban our entire /15 at your perimeter..."
   I'm reluctant to ban over 65,000 hosts as my staff have colleagues
 all over the continental US with whom they communicate regularly.
   I realize these are tough times and that large ISP's may trim abuse team
 budgets before other things, but to have NO MECHANISM to audit who has
 what address at any given time kinda blows my mind.
   Does one have to get to the level of a subpoena before abuse teams pull
 out the tools they need to make such a determination? Or am I naive enough
 to think port scans are as important to them as they are to me on the
 receiving end?

 --
 
 Brett Charbeneau, GSEC Gold, GCIH Gold
 Network Administrator
 Williamsburg Regional Library
 7770 Croaker Road
 Williamsburg, VA 23188-7064
 (757)259-4044  www.wrl.org
 (757)259-4079 (fax)br...@wrl.org
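Ross's third option, a perimeter block that expires on its own, as an added example (not code from this thread): it parses constructed netfilter-style log lines, shuns a source once it touches ten distinct ports within a minute, and releases the address after a fixed time because, as the OP notes, the DHCP lease will have moved on to someone else. The log prefix, thresholds and sample lines are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in the shape of netfilter LOG output behind an ISO
# timestamp (the real prefix depends on the syslog configuration).
# 192.0.2.10 walks eleven ports in ten seconds; 192.0.2.77 is ordinary web traffic.
SAMPLE_LOG = """\
2009-03-12T09:00:01 kernel: FW: IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=21
2009-03-12T09:00:02 kernel: FW: IN=eth0 SRC=192.0.2.77 DST=198.51.100.5 PROTO=TCP DPT=80
2009-03-12T09:00:02 kernel: FW: IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=22
2009-03-12T09:00:03 kernel: FW: IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=23
2009-03-12T09:00:04 kernel: FW: IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=25
2009-03-12T09:00:05 kernel: FW: IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=53
2009-03-12T09:00:05 kernel: FW: IN=eth0 SRC=192.0.2.77 DST=198.51.100.5 PROTO=TCP DPT=443
2009-03-12T09:00:06 kernel: FW: IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=80
2009-03-12T09:00:07 kernel: FW: IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=110
2009-03-12T09:00:08 kernel: FW: IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=135
2009-03-12T09:00:09 kernel: FW: IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=139
2009-03-12T09:00:10 kernel: FW: IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=445
2009-03-12T09:00:11 kernel: FW: IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=3389
2009-03-12T09:00:12 kernel: FW: IN=eth0 SRC=192.0.2.77 DST=198.51.100.5 PROTO=TCP DPT=80
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) .*\bSRC=(?P<src>[\d.]+)\b.*\bDPT=(?P<dport>\d+)\b")


def _as_dt(value):
    """Accept a datetime or an ISO-8601 string."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


class ScanShunner:
    """Block a source that hits `threshold` distinct ports inside `window`,
    but only for `block_for`: after the DHCP lease rolls over the address
    belongs to someone else, so a permanent block punishes the next holder."""

    def __init__(self, threshold=10, window=timedelta(seconds=60),
                 block_for=timedelta(hours=6)):
        self.threshold = threshold
        self.window = window
        self.block_for = block_for
        self.recent = defaultdict(deque)  # src -> deque of (ts, dport)
        self.blocks = {}                  # src -> expiry datetime

    def is_blocked(self, src, now):
        expiry = self.blocks.get(src)
        return expiry is not None and _as_dt(now) < expiry

    def observe(self, ts, src, dport):
        """Return 'drop' (already shunned), 'block' (threshold crossed now) or 'accept'."""
        if self.is_blocked(src, ts):
            return "drop"
        q = self.recent[src]
        q.append((ts, dport))
        while q and ts - q[0][0] > self.window:  # slide the window forward
            q.popleft()
        if len({p for _, p in q}) >= self.threshold:
            self.blocks[src] = ts + self.block_for
            q.clear()
            return "block"
        return "accept"

    def expire(self, now):
        """Release blocks whose time is up (run from a periodic job); returns freed sources."""
        now = _as_dt(now)
        released = [s for s, exp in self.blocks.items() if now >= exp]
        for s in released:
            del self.blocks[s]
        return released


def parse_line(line):
    """Extract (timestamp, source, destination port), or None for lines that do not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], int(m["dport"])


def process_log(text, shunner):
    """Feed each parsable line to the shunner; returns [(src, verdict), ...] in log order."""
    verdicts = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, src, dport = parsed
            verdicts.append((src, shunner.observe(ts, src, dport)))
    return verdicts


if __name__ == "__main__":
    shunner = ScanShunner()
    for src, verdict in process_log(SAMPLE_LOG, shunner):
        print(src, verdict)
    print({s: t.isoformat() for s, t in shunner.blocks.items()})
```

The `expire` job is the part that matters on a dynamic pool: six hours here is a guess, and the right value is roughly the ISP's lease length, not forever.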
 








Re: Dynamic IP log retention = 0?

2009-03-12 Thread Brett Watson

On Mar 12, 2009, at 12:25 AM, Ross wrote:

How did a simple thread about network scanning get so derailed... we have
people talking about the legal implications of port scanning, hiring
lawyers to go after ISPs, talking to the FBI, the benefits/downfalls of
NAT as a security policy, etc. Wow, just wow.


it's nanog, you expect something different? :)




Re: Redundant Array of Inexpensive ISP's?

2009-03-12 Thread Ken A

Tim Utschig wrote:

[Please reply off-list.  I'll summarize back to the list if there
is more than a little interest in me doing so.]



Please do. There are many rural ISPs and WISPs that might benefit from a 
decent look at these products, or any open source clones that might be 
available to test & refine these tricks.


Pricing for even a fractional DS3 in the rural US is still very high. 
Being able to shift bandwidth from a colo facility in a large city to a 
remote site served by 3 or 4 consumer grade broadband links could be a 
helpful development, if the bottom line works out.


Thanks,
Ken


I'm curious if anyone has experience with products from Talari
Networks, or anything similar, and would like to share.  Did they
live up to your expectations?  Caveats?



--
Ken Anderson
Pacific Internet - http://www.pacific.net



Re: Dynamic IP log retention = 0?

2009-03-12 Thread N. Yaakov Ziskind
JC Dill wrote (on Thu, Mar 12, 2009 at 09:02:25AM -0700):
 Ross wrote:
 
 There seems to be a big misconception that he asked them to hand over 
 the info.  As I read the OP, he asked Comcast to do something about it 
 and Comcast said "we can't do anything about it because we don't have 
 logs."  Here's a quote from the OP:
 
 I've been nudging an operator at Covad about a handful of hosts from 
 his DHCP pool that have been attacking - relentlessly port scanning - 
 our assets. I've been informed by this individual that there's no 
 way to determine which customer had that address at the times I list 
 in my logs - even though these logs are sent within 48 hours of the 
 incidents. 
 
 IMHO, that's a bunch of BS from whoever he's talking with at Comcast.  
 In the normal course of business they would have logs of which customer 
 had that IP just 48 hours earlier.  They *can* do something about their 
 customer.  And they *should* do something about their customer who is 
 causing problems on another network, the same as if that customer was 
 spewing spam, or actually attacking (DDoS etc.) another network.
 
 So the question circles back around to how does the OP get Comcast to 
 step up, internally identify and take care of their problem customer?  
 What path should he take to get connected with someone who has more clue 
 about this type of problem so that they can address it in a timely fashion?
 
 Has it come to needing to get a lawyer to write a strongly worded letter 
 just to get this type of thing done today?
 
 jc

[Disclaimer - I am a lawyer, and I write strongly worded letters to pay my 
bills.]

Not to disagree with any of your points, but the OP (which you quoted!)
was talking about Covad, while you're bashing Comcast.

-- 
_
Nachman Yaakov Ziskind, FSPA, LLM   aw...@ziskind.us
Attorney and Counselor-at-Law   http://ziskind.us
Economic Group Pension Services http://egps.com
Actuaries and Employee Benefit Consultants



Re: Dynamic IP log retention = 0?

2009-03-12 Thread Valdis . Kletnieks
On Wed, 11 Mar 2009 07:53:01 -0800, Marcus Reid said:

 A quick scan of the reverse mapping for your address space in DNS reveals
 that you have basically your entire network on public addresses.  No wonder
 you're worried about portscans when the printer down the hall and the
 receptionists machine are sitting on public addresses.  I think you are
 trying to secure your network from the wrong end here.

You *do* realize that "has a public address" does not actually mean that
the machine is reachable from random addresses, right?  There *are* these
nice utilities called iptables and ipf - even Windows and Macs can be configured
to say "bugger off" to unwanted traffic.  And you can put a firewall appliance
inline without using NAT as well.




Re: Dynamic IP log retention = 0?

2009-03-12 Thread Mike Lewinski

valdis.kletni...@vt.edu wrote:


You *do* realize that "has a public address" does not actually mean that
the machine is reachable from random addresses, right?  There *are* these
nice utilities called iptables and ipf - even Windows and Macs can be configured
to say "bugger off" to unwanted traffic.  And you can put a firewall appliance
inline without using NAT as well.


The other big benefit to using real public IPs is abuse related. There's 
a scenario we encounter on a semi-regular basis where we forward a 
report of an apparently infected host to a customer who responds back: 
"How can I tell which one of our hosts is infected? We've got 200 
workstations inside our NAT and this abuse report only has our single 
public address."


So I recommend a packet sniffer inside their LAN or accounting on their 
firewall. But sometimes the source is a salesperson's laptop, and 
they've gone on a business trip. So no new reports come in and everyone 
decides it must have been a false alarm. Now imagine that salesperson 
only stops back in the office once a month, at random undocumented 
intervals to make backups. How do we ever track him down? The abuse 
report cycle just doesn't turn around fast enough - often we don't even 
get reports for a day or two.


So I find myself advising customers in this situation to give every user 
a public IP. Even if they still do 1:1 NAT, the problem is mostly 
resolved provided they faithfully document MAC addresses and keep DHCP 
logs for a suitable length of time.


Mike



Re: Dynamic IP log retention = 0?

2009-03-12 Thread J. Oquendo
On Thu, 12 Mar 2009, Glen Turner wrote:

 William Allen Simpson wrote:
 
 A telecommunications carrier releasing a customer's details without their
 permission, to a non-investigatory third party, without a court order.
 Hmmm. It's certainly illegal here in Australia. And last I checked wasn't
 the US firm Hewlett Packard in trouble for hiring people to do just that?

!-- rambling

One of the funniest things I see with these arguments (dishing out info to
someone else) is what I perceive to be a sort of chain-mail like trickle
effect where no matter what anyone says, don't trust them. "We never give
out information" sayeth the forms on many a vendor. This does not mean if
that company is bought out the purchaser won't dish out your information.
So then who do you see?

 So your basic problem is that you have a law enforcement problem, and
 the law enforcers don't give this priority. Which leads to one of those
 vicious circle thingies, where the ISPs don't give a stuff about their
 customers running scans, since they aren't seeing any hassle from Mr Plod,
 those customers aren't seeing any consequences, and so the amount of 
 scanning
 increases, to the extent where people believe it is normal and acceptable.

Why should it be given priority? There is only so much a provider can do.
I'm with you when you state providers can do more but guess what? So can
vendors of operating systems. Should we point the finger back at Microsoft
for making things as simple as possible for the average non-technical user?
Maybe petition them to close all ports by default and allow its users to
open up what they need when they need it? How long before their userbase
drops? Grandma: Say who, what? What's a netbios? Port? 137? Huh? Darling,
I just want to print and send pictures... Oh darn forget it!

 Why not contact the FBI. Not because it will help. But because if even 1%
 of the libraries in the country do that then the FBI will take the path of
 least resistance, which is to hassle ISPs with enough warrants until the
 ISPs find it economic to clean up their act, at least with regard to their
 own customers.
 

If 1% of the cases of port scanning were even taken seriously, I'd
be pretty pissed my tax money is going down the toilet - I mean
it's bad enough my economy is tanking, no need to add to it. With
this said, re-take on another analogy I've done on this before...

Acme Superlocks states certain versions of their locks may be
picked. I know this because for one, not only did I receive
the e-mail from them, the news is showing that many owners
of Acme Superlocks have had their homes and businesses broken
into. As an owner of Acme Superlocks seeing the newsflashes,
getting the emails, I decide to continue using the locks. My
home is intruded. Whose fault is it, Acme Superlocks or was I
the idiot for not taking a second to fix my lock? After all
the company did some form of due diligence in explaining
that 1) their lock is fubar'd 2) they did send me the email
3) I did see the news 4) I'm not crippled - but competent
enough to Google Acme Superlock. Who's to blame?

Now take this a step further, if I were about to do an
insurance claim, do you think my insurance company would
cover my claim after (at this point) I neglected to act
on my own behalf?

Claim Adjustor: We see you did receive the warnings
Me: My bad. Sure I knew they were vulnerable...

When you get down to the nitty-gritty, it was my own
negligence that caused this at the end of the day. We
can say for those instances where I was the first person
hit up that I was just unlucky, but at what point in
time should I stop shifting blame to my provider or
say Microsoft? I already *know* it's not my provider's
role to protect me. I already *know* Microsoft can be
an insecure operating system. So here I am not doing
anything about it, yet shifting the blame when compromised.

rambling --


=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP

Enough research will tend to support your
conclusions. - Arthur Bloch

A conclusion is the place where you got
tired of thinking - Arthur Bloch

227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x5CCD6B5E




Four blocks of AS Numbers allocated

2009-03-12 Thread Leo Vegoda

Hi,

The IANA AS Numbers registry has been updated to reflect the allocation of
four blocks of AS Numbers recently.

49152-50175   Assigned by RIPE NCC   whois.ripe.net     2009-03-06
50176-51199   Assigned by RIPE NCC   whois.ripe.net     2009-03-06
51200-52223   Assigned by RIPE NCC   whois.ripe.net     2009-03-06
52224-53247   Assigned by LACNIC     whois.lacnic.net   2009-03-11

The registry can be found at:

http://www.iana.org/assignments/as-numbers/as-numbers.xml

Regards,

Leo Vegoda
Number Resources Manager, IANA





microsoft please contact me off list

2009-03-12 Thread Thomas P. Galla
Can a person in charge contact me off list




mail:~ $ whois -h whois.arin.net 131.107.65.41

OrgName:Microsoft Corp
OrgID:  MSFT
Address:One Microsoft Way
City:   Redmond
StateProv:  WA
PostalCode: 98052
Country:US

NetRange:   131.107.0.0 - 131.107.255.255
CIDR:   131.107.0.0/16
NetName:MICROSOFT
NetHandle:  NET-131-107-0-0-1
Parent: NET-131-0-0-0-0
NetType:Direct Assignment
NameServer: NS1.MSFT.NET
NameServer: NS5.MSFT.NET
NameServer: NS2.MSFT.NET
NameServer: NS3.MSFT.NET
NameServer: NS4.MSFT.NET
Comment:
RegDate:1988-11-11
Updated:2004-12-09

RTechHandle: ZM39-ARIN
RTechName:   Microsoft
RTechPhone:  +1-425-882-8080
RTechEmail:  n...@microsoft.com

OrgAbuseHandle: ABUSE231-ARIN
OrgAbuseName:   Abuse
OrgAbusePhone:  +1-425-882-8080
OrgAbuseEmail:  ab...@msn.com

OrgAbuseHandle: HOTMA-ARIN
OrgAbuseName:   Hotmail Abuse
OrgAbusePhone:  +1-425-882-8080
OrgAbuseEmail:  ab...@hotmail.com

OrgAbuseHandle: MSNAB-ARIN
OrgAbuseName:   MSN ABUSE
OrgAbusePhone:  +1-425-882-8080
OrgAbuseEmail:  ab...@msn.com

OrgNOCHandle: ZM23-ARIN
OrgNOCName:   Microsoft Corporation
OrgNOCPhone:  +1-425-882-8080
OrgNOCEmail:  n...@microsoft.com

OrgTechHandle: MSFTP-ARIN
OrgTechName:   MSFT-POC
OrgTechPhone:  +1-425-882-8080
OrgTechEmail:  ipr...@microsoft.com

# ARIN WHOIS database, last updated 2009-03-11 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
mail:~ $ whois -h whois.arin.net 131.107.65.41





Thomas P Galla
t...@bluegrass.net
BluegrassNet
Voice (502) 589.INET [4638]
Fax 502-315-0581
321 East Breckinridge St
Louisville KY 40203





RE: microsoft please contact me off list

2009-03-12 Thread Thomas P. Galla
Sorry, I am getting DoS attacked from below and it would be nice if Microsoft 
had a working abuse ph# or NOC# or a name?



Thomas P Galla
t...@bluegrass.net
BluegrassNet
Voice (502) 589.INET [4638]
Fax 502-315-0581
321 East Breckinridge St
Louisville KY 40203


-Original Message-
From: Thomas P. Galla [mailto:t...@bluegrass.net]
Sent: Thursday, March 12, 2009 3:24 PM
To: nanog@nanog.org
Subject: microsoft please contact me off list

Can a person in charge contact me off list







Re: microsoft please contact me off list

2009-03-12 Thread Charles Wyble
You are getting dossed from a Microsoft network range? Really? Perhaps 
they got bit by a worm targeting windows systems? :)




Thomas P. Galla wrote:

Sorry, I am getting DoS attacked from below and it would be nice if Microsoft 
had a working abuse ph# or NOC# or a name?






--
Charles N Wyble char...@thewybles.com
(818)280-7059 http://charlesnw.blogspot.com
CTO SocalWiFI.net



RE: microsoft please contact me off list

2009-03-12 Thread chris.ranch
More likely spoofed sources.

Good luck.
 

-Original Message-
From: ext Charles Wyble [mailto:char...@thewybles.com] 
Sent: Thursday, March 12, 2009 12:40 PM
To: Thomas P. Galla
Cc: nanog@nanog.org
Subject: Re: microsoft please contact me off list

You are getting dossed from a Microsoft network range? Really? 
Perhaps they got bit by a worm targeting windows systems? :)



Thomas P. Galla wrote:
 Sorry, I am getting DoS attacked from below and it would be 
nice if Microsoft had a working abuse ph# or NOC# or a name?
 
 
 




Re: microsoft please contact me off list

2009-03-12 Thread Joey Boyer
He's gonna need it!

On Thu, Mar 12, 2009 at 12:54 PM,  chris.ra...@nokia.com wrote:
 More likely spoofed sources.

 Good luck.


-Original Message-
From: ext Charles Wyble [mailto:char...@thewybles.com]
Sent: Thursday, March 12, 2009 12:40 PM
To: Thomas P. Galla
Cc: nanog@nanog.org
Subject: Re: microsoft please contact me off list

You are getting dossed from a Microsoft network range? Really?
Perhaps they got bit by a worm targeting windows systems? :)



Thomas P. Galla wrote:
 Sorry, I am getting DoS attacked from below and it would be
nice if Microsoft had a working abuse ph# or NOC# or a name?









Re: Dynamic IP log retention = 0?

2009-03-12 Thread William Allen Simpson

J. Oquendo wrote:

On Thu, 12 Mar 2009, Glen Turner wrote:


William Allen Simpson wrote:

A telecommunications carrier releasing a customer's details without their
permission, to a non-investigatory third party, without a court order.
Hmmm. It's certainly illegal here in Australia. And last I checked wasn't
the US firm Hewlett Packard in trouble for hiring people to do just that?



Hey, bad quotation!  I'm not from Australia.  That's not my writing.  Nor
did I ever advocate releasing a customer's details -- to anybody. :-(

I also disagree with your point about responsibilities of ISPs.  Yes, it's
true that Microsoft externalized its costs upon its customers.

But only the ISPs are in a position to detect the abuse, and that's part of
the business.  Some of us take network security seriously.




Re: microsoft please contact me off list

2009-03-12 Thread Charles Wyble

Yes I agree. I forgot to do the *raises an incredulous eyebrow* bit. :)

By the way try calling that number and reaching an operator then 
asking for the NOC.


chris.ra...@nokia.com wrote:

More likely spoofed sources.

Good luck.
 





Re: microsoft please contact me off list

2009-03-12 Thread Valdis . Kletnieks
On Thu, 12 Mar 2009 12:40:06 PDT, Charles Wyble said:
 You are getting dossed from a Microsoft network range? Really? Perhaps 
 they got bit by a worm targeting windows systems? :)

You mean like this?

http://www.theregister.co.uk/2001/07/20/code_red_bug_hits_microsoft/

(To be fair, screw-ups happen at *all* vendors eventually - the RedHat/Fedora
crew had a small whoops! with the system that digitally signs their RPM
packages a while ago.  Just proves that security is harder to get right than
a lot of people think...)






Re: microsoft please contact me off list

2009-03-12 Thread Jeff Shultz
In our case we didn't bother with where it was coming from - our router 
guy figured out where it was going to - and had that IP shut down a 
couple levels away from us.


Thomas P. Galla wrote:

Sorry, I am getting DoS attacked from below and it would be nice if Microsoft 
had a working abuse ph# or NOC# or a name?







--
Jeff Shultz



Re: Dynamic IP log retention = 0?

2009-03-12 Thread Mark Andrews

In message 20090312120816.b...@egps.egps.com, N. Yaakov Ziskind writes:
 JC Dill wrote (on Thu, Mar 12, 2009 at 09:02:25AM -0700):
  Ross wrote:
  
  There seems to be a big misconception that he asked them to hand over 
  the info.  As I read the OP, he asked Comcast to do something about it 
  and Comcast said we can't do anything about it because we don't have 
  logs.  Here's a quote from the OP:

The real problem is that Covad claim (second hand) that they can't
identify the perpetrator(s).

I've been nudging an operator at Covad about a handful of
hosts from his DHCP pool that have been attacking -
relentlessly port scanning - our assets.  I've been informed
by this individual that there's no way to determine which
customer had that address at the times I list in my logs -
even though these logs are sent within 48 hours of the
incidents.

One shouldn't need to have to get the identities of the perpetrators
to get AUP enforced.  Port scanning is against 99.9% of AUPs.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org



FYI RE: microsoft please contact me off list

2009-03-12 Thread Thomas P. Galla

Here is what I got back & OBTW thanx

Thomas


=

Sent: Thursday, March 12, 2009 4:22 PM
To: Thomas P. Galla
Subject: FW: microsoft please contact me off list
Importance: High

Thomas,

I work in the research group managing the network range that you are reporting.
Your network could be randomly included in HoneyMonkey
(http://en.wikipedia.org/wiki/HoneyMonkey) or another research project
(http://research.microsoft.com/en-us/um/redmond/projects/strider). Could you
give me more details on what you are seeing or the IP range on your side that
is being hit?

Thx
Steve



Thomas P Galla
t...@bluegrass.net
BluegrassNet
Voice (502) 589.INET [4638]
Fax 502-315-0581
321 East Breckinridge St
Louisville KY 40203


-Original Message-
From: Thomas P. Galla [mailto:t...@bluegrass.net]
Sent: Thursday, March 12, 2009 3:35 PM
To: nanog@nanog.org
Subject: RE: microsoft please contact me off list

Sorry, I am getting DoS attacked from below and it would be nice if Microsoft 
had a working abuse ph# or NOC# or a name?



Thomas P Galla
t...@bluegrass.net
BluegrassNet
Voice (502) 589.INET [4638]
Fax 502-315-0581
321 East Breckinridge St
Louisville KY 40203


-Original Message-
From: Thomas P. Galla [mailto:t...@bluegrass.net]
Sent: Thursday, March 12, 2009 3:24 PM
To: nanog@nanog.org
Subject: microsoft please contact me off list

Can a person in charge contact me off list




mail:~ $ whois -h whois.arin.net 131.107.65.41

OrgName:Microsoft Corp
OrgID:  MSFT
Address:One Microsoft Way
City:   Redmond
StateProv:  WA
PostalCode: 98052
Country:US

NetRange:   131.107.0.0 - 131.107.255.255
CIDR:   131.107.0.0/16
NetName:MICROSOFT
NetHandle:  NET-131-107-0-0-1
Parent: NET-131-0-0-0-0
NetType:Direct Assignment
NameServer: NS1.MSFT.NET
NameServer: NS5.MSFT.NET
NameServer: NS2.MSFT.NET
NameServer: NS3.MSFT.NET
NameServer: NS4.MSFT.NET
Comment:
RegDate:1988-11-11
Updated:2004-12-09

RTechHandle: ZM39-ARIN
RTechName:   Microsoft
RTechPhone:  +1-425-882-8080
RTechEmail:  n...@microsoft.com

OrgAbuseHandle: ABUSE231-ARIN
OrgAbuseName:   Abuse
OrgAbusePhone:  +1-425-882-8080
OrgAbuseEmail:  ab...@msn.com

OrgAbuseHandle: HOTMA-ARIN
OrgAbuseName:   Hotmail Abuse
OrgAbusePhone:  +1-425-882-8080
OrgAbuseEmail:  ab...@hotmail.com

OrgAbuseHandle: MSNAB-ARIN
OrgAbuseName:   MSN ABUSE
OrgAbusePhone:  +1-425-882-8080
OrgAbuseEmail:  ab...@msn.com

OrgNOCHandle: ZM23-ARIN
OrgNOCName:   Microsoft Corporation
OrgNOCPhone:  +1-425-882-8080
OrgNOCEmail:  n...@microsoft.com

OrgTechHandle: MSFTP-ARIN
OrgTechName:   MSFT-POC
OrgTechPhone:  +1-425-882-8080
OrgTechEmail:  ipr...@microsoft.com

# ARIN WHOIS database, last updated 2009-03-11 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
mail:~ $ whois -h whois.arin.net 131.107.65.41





Thomas P Galla
t...@bluegrass.net
BluegrassNet
Voice (502) 589.INET [4638]
Fax 502-315-0581
321 East Breckinridge St
Louisville KY 40203









Re: FYI RE: microsoft please contact me off list

2009-03-12 Thread Charles Wyble
What were the traffic characteristics that led you to believe you were 
under a DDoS attack?


Thomas P. Galla wrote:

Here is what I got back  OBTW thanx

Thomas


=

Sent: Thursday, March 12, 2009 4:22 PM
To: Thomas P. Galla
Subject: FW: microsoft please contact me off list
Importance: High

Thomas,

I work in the research group managing the network range that you are reporting. 
Your network could be randomly included in 
HoneyMonkey (http://en.wikipedia.org/wiki/HoneyMonkey) or another research 
project (http://research.microsoft.com/en-us/um/redmond/projects/strider).  
Could you give me more details on what you are seeing or the IP range on your 
side that is being hit?

Thx
Steve



Thomas P Galla
t...@bluegrass.net
BluegrassNet
Voice (502) 589.INET [4638]
Fax 502-315-0581
321 East Breckinridge St
Louisville KY 40203


-Original Message-
From: Thomas P. Galla [mailto:t...@bluegrass.net]
Sent: Thursday, March 12, 2009 3:35 PM
To: nanog@nanog.org
Subject: RE: microsoft please contact me off list

Sorry, I am getting DoS attacked from below and it would be nice if Microsoft 
had a working abuse ph# or NOC# or a name?



Thomas P Galla
t...@bluegrass.net
BluegrassNet
Voice (502) 589.INET [4638]
Fax 502-315-0581
321 East Breckinridge St
Louisville KY 40203


-Original Message-
From: Thomas P. Galla [mailto:t...@bluegrass.net]
Sent: Thursday, March 12, 2009 3:24 PM
To: nanog@nanog.org
Subject: microsoft please contact me off list

Can a person in charge contact me off list




mail:~ $ whois -h whois.arin.net 131.107.65.41

OrgName:Microsoft Corp
OrgID:  MSFT
Address:One Microsoft Way
City:   Redmond
StateProv:  WA
PostalCode: 98052
Country:US

NetRange:   131.107.0.0 - 131.107.255.255
CIDR:   131.107.0.0/16
NetName:MICROSOFT
NetHandle:  NET-131-107-0-0-1
Parent: NET-131-0-0-0-0
NetType:Direct Assignment
NameServer: NS1.MSFT.NET
NameServer: NS5.MSFT.NET
NameServer: NS2.MSFT.NET
NameServer: NS3.MSFT.NET
NameServer: NS4.MSFT.NET
Comment:
RegDate:1988-11-11
Updated:2004-12-09

RTechHandle: ZM39-ARIN
RTechName:   Microsoft
RTechPhone:  +1-425-882-8080
RTechEmail:  n...@microsoft.com

OrgAbuseHandle: ABUSE231-ARIN
OrgAbuseName:   Abuse
OrgAbusePhone:  +1-425-882-8080
OrgAbuseEmail:  ab...@msn.com

OrgAbuseHandle: HOTMA-ARIN
OrgAbuseName:   Hotmail Abuse
OrgAbusePhone:  +1-425-882-8080
OrgAbuseEmail:  ab...@hotmail.com

OrgAbuseHandle: MSNAB-ARIN
OrgAbuseName:   MSN ABUSE
OrgAbusePhone:  +1-425-882-8080
OrgAbuseEmail:  ab...@msn.com

OrgNOCHandle: ZM23-ARIN
OrgNOCName:   Microsoft Corporation
OrgNOCPhone:  +1-425-882-8080
OrgNOCEmail:  n...@microsoft.com

OrgTechHandle: MSFTP-ARIN
OrgTechName:   MSFT-POC
OrgTechPhone:  +1-425-882-8080
OrgTechEmail:  ipr...@microsoft.com

# ARIN WHOIS database, last updated 2009-03-11 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
mail:~ $ whois -h whois.arin.net 131.107.65.41





Thomas P Galla
t...@bluegrass.net
BluegrassNet
Voice (502) 589.INET [4638]
Fax 502-315-0581
321 East Breckinridge St
Louisville KY 40203









--
Charles N Wyble char...@thewybles.com
(818)280-7059 http://charlesnw.blogspot.com
CTO SocalWiFI.net



Re: Dynamic IP log retention = 0?

2009-03-12 Thread Ross
Whether Covad chooses to enforce their AUP against port scanning is a
business decision up to them. Again, why worry about things out of your
control, especially when we are talking about port scanning. I would think
people have more pressing issues, guess not.

-- 
Ross
ross [at] dillio.net


 In message 20090312120816.b...@egps.egps.com, N. Yaakov Ziskind
 writes:
 JC Dill wrote (on Thu, Mar 12, 2009 at 09:02:25AM -0700):
  Ross wrote:
 
  There seems to be a big misconception that he asked them to hand
 over
  the info.  As I read the OP, he asked Covad to do something about it
  and Covad said we can't do anything about it because we don't have
  logs.  Here's a quote from the OP:

 The real problem is that Covad claim (second hand) that they can't
 identify the perpetrator(s).

   I've been nudging an operator at Covad about a handful of
   hosts from his DHCP pool that have been attacking -
   relentlessly port scanning - our assets.  I've been informed
   by this individual that there's no way to determine which
   customer had that address at the times I list in my logs -
   even though these logs are sent within 48 hours of the
   incidents.

 One shouldn't need to get the identities of the perpetrators
 to get the AUP enforced.  Port scanning is against 99.9% of AUPs.

 Mark
 --
 Mark Andrews, ISC
 1 Seymour St., Dundas Valley, NSW 2117, Australia
 PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org







Re: Dynamic IP log retention = 0?

2009-03-12 Thread Joe Greco
 Whether Covad chooses to enforce their AUP against port scanning is a
 business decision up to them. 

Yes, it's all a business decision.  That kind of antisocial thinking is
the sort of thing that has allowed all manner of bad guys to remain
attached to the Internet.

 Again, why worry about things out of your
 control, especially when we are talking about port scanning. 

Yes, why not talk about rapists and drug dealers instead.  They're much
worse.  It's just that this forum ... isn't for that.

 I would think people have more pressing issues, guess not.

While I am all for increasing overall security on the Internet, the
reality is that there will often be devices that are attached that
are found to be vulnerable in new and intriguing ways.  Port scanning
is a primary method for finding these vulnerabilities.  To the extent
that an ISP might proactively port scan its own userbase, that's a good
use and probably a good idea (has tradeoffs), but bad guys finding
holes in random devices so that they can launch multiGbps attacks 
against random destinations is a bad thing.

If your idea of operations is to make your router work and collect
your paycheck for another day, then this discussion probably does not
make any sense to you and you probably don't understand the importance
of the issue.

If your idea of operations is to ensure the reliable operation and
uphold the performance standards of an IP network, then it should not
be beyond comprehension that allowing miscreants access to the network
is one of many things that can adversely affect operations.  If you
accept that the presence of miscreants on the network is a negative,
it shouldn't be hard to see that complaining about consistent and
persistent port scans from what is probably an identifiable host is
one way to make an impact.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again. - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.



Re: Dynamic IP log retention = 0?

2009-03-12 Thread Rob Evans
 Not to disagree with any of your points, but the OP (which you quoted!)
 was talking about Covad, while you're bashing Comcast.

Any sufficiently advanced NANOG conversation is indistinguishable from
Comcast-bashing.

Rob

(Not agreeing, just observing.)



Re: Dynamic IP log retention = 0?

2009-03-12 Thread Mark Andrews

In message c229aa5b01749718e25f61ae579659a3.squir...@www.dillio.net, Ross writes:
 Whether Covad chooses to enforce their AUP against port scanning is a
 business decision up to them. Again, why worry about things out of your
 control, especially when we are talking about port scanning. I would think
 people have more pressing issues, guess not.
 
 -- 
 Ross
 ross [at] dillio.net

Well, most port scanning is from compromised boxes.  Once a
box is compromised it can be used for *any* sort of attack.
If you really care about security you take reports of port
scans seriously.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org



Re: Dynamic IP log retention = 0?

2009-03-12 Thread Joe Greco
   Well, most port scanning is from compromised boxes.  Once a
   box is compromised it can be used for *any* sort of attack.
   If you really care about security you take reports of port
   scans seriously.

Yeahbut, the real problem is that port scanning is typically used as
part of a process to infect _other_ boxes.  If you allow this sort of
illness to spread, the patient (that is, the Internet) doesn't get 
better.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again. - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.



Re: Dynamic IP log retention = 0?

2009-03-12 Thread JC Dill

N. Yaakov Ziskind wrote:


Not to disagree with any of your points, but the OP (which you quoted!)
was talking about Covad, while you're bashing Comcast.

  

Oops, my bad.  Well, and Covad's bad too.  :-)

jc




Re: Dynamic IP log retention = 0?

2009-03-12 Thread Martin Hannigan
On Thu, Mar 12, 2009 at 8:52 PM, Joe Greco jgr...@ns.sol.net wrote:

Well, most port scanning is from compromised boxes.  Once a
box is compromised it can be used for *any* sort of attack.
If you really care about security you take reports of port
scans seriously.

 Yeahbut, the real problem is that port scanning is typically used as
 part of a process to infect _other_ boxes.  If you allow this sort of
 illness to spread, the patient (that is, the Internet) doesn't get
 better.




Port scanning is the Internet equivalent of the common cold. They're a dime
a dozen.

I recommend taking some Vitamin B and D. Block, and Drop.


Best,

Martin



-- 
Martin Hannigan   mar...@theicelandguy.com
p: +16178216079


RE: Redundant Array of Inexpensive ISP's?

2009-03-12 Thread Crooks, Sam
 

In answer to a question below about experience with similar products...
Cisco IOS has the dynamic routing injection feature as part of recent
IOS versions. 

The feature is now called Performance Routing (PfR), formerly known as
OER (Optimized Edge Routing), and as of 12.4(24)T it can optimize
routing protocols other than BGP or static routes (called PIRO, Protocol
Independent Route Optimization), including IS-IS, OSPF and EIGRP.  RIP
folks should learn about routing protocols :-D



PfR does not do compression/tokenization of the data, so it has no
caching/compression/WAN acceleration features, BUT it does do dynamic
path re-routing based on your policy or observed metrics like latency,
packet loss, jitter etc., and can also do it based on observed Netflow
data and automatic instantiation of IP SLA active probes to see what
happens for an RTP data stream marked with DSCP 46 or a video stream
marked with DSCP 34 and so on.   As of recent IOS versions (12.4(9)T+, I
think), it can control both inbound and outbound directions, and can do
things like send your traffic to ISP X up to bandwidth Bx and then shift
traffic over to ISP Y up to bandwidth By, to do dynamic load sharing of
traffic to IP transit commit levels.  Not a bad feature for free.
Larger scale deployments should probably use a dedicated controller box
making the re-routing decisions, but any WAN egress point to an Internet
or private WAN provider is your border device used by the master to
get information, set up probes and learn Netflow data to make decisions.


I've used it for testing purposes on an enterprise WAN deployment and it
works pretty well.  We are planning on deploying on a production DMVPN
solution when the mGRE bug below is resolved.  My main beef is a bug
related to use of PfR on mGRE tunnel interfaces and the memory-hog
nature of the feature... It will detect your brown-out issues like
increased packet loss for traffic through provider X that cause
customers to call you about broken applications and will re-route the
traffic so you may never even know there was an issue!!  The solution is
particularly good for enterprises with only a few WAN or Internet exits
from a location and for dynamically load sharing traffic to paid-for
commit levels to reduce recurring cost and get the most out of existing
connectivity without paying burst charges.  We've done testing on use
for our Internet border routing in the advice mode, where it just says
what changes it would make, without actually making the changes.
Production deployment soon as part of the ever popular cost-reduction
efforts currently in vogue in enterprises right now given the current
economy.


http://www.cisco.com/go/pfr


There are some similar solutions out there.. RouteScience was mentioned,
but I didn't see anyone mention InterNAP FCP, which is part of the basis
for InterNAP's PNAP business model... They also sell it to other
enterprises and ISPs. 



-Original Message-
From: Ken A [mailto:k...@pacific.net] 
Sent: Thursday, March 12, 2009 9:18 AM
To: nanog@nanog.org
Subject: Re: Redundant Array of Inexpensive ISP's?

Tim Utschig wrote:
 [Please reply off-list.  I'll summarize back to the list if there is 
 more than a little interest in me doing so.]
 

Please do. There are many rural ISPs and WISPs that might benefit from a
decent look at these products, or any open source clones that might be
available to test and refine these tricks.

Pricing for even a fractional DS3 in the rural US is still very high. 
Being able to shift bandwidth from a colo facility in a large city to a
remote site served by 3 or 4 consumer grade broadband links could be a
helpful development, if the bottom line works out.

Thanks,
Ken

 I'm curious if anyone has experience with products from Talari 
 Networks, or anything similar, and would like to share.  Did they live

 up to your expectations?  Caveats?
 

--
Ken Anderson
Pacific Internet - http://www.pacific.net