Re: Security Guidance
> [snip]
> The problem is that a user on this box appears to be launching high traffic DOS attacks from it towards other sites. These are UDP based floods that move around from time to time - most of these attacks only last a few minutes.

Maybe it's not 'malicious' at all. For instance, is there a Bittorrent client on the box?

> [snip]
Re: Security Guidance
On 2/23/2010 5:38 PM, Nathan Ward wrote:
> Using lsof, netstat, ls, ps, looking through proc with ls, cat, etc. is likely to not work if there's a rootkit on the box. The whole point of a rootkit is to hide processes and files from these tools. Get some statically linked versions of these bins on to the server, and hope they haven't patched your kernel.

See if you can get a binary of busybox which has those tools and they're all contained in the binary. It should run from any folder. http://busybox.net Very handy.

--Curtis
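As an added example (not code from the thread), the cross-check a responder can run alongside the static busybox tools: read /proc/net/udp and the /proc/<pid>/fd symlinks directly, decode the socket table, and list UDP sockets whose peer port is off the allow list together with the PIDs holding them. The sample table is constructed, the allow list of port 53 follows the thread's own suggestion, and the address decoding assumes a little-endian host.

```python
"""Enumerate UDP sockets and their owning PIDs straight from /proc, with no netstat or lsof.
Added example, not code from the thread; assumes a little-endian host (x86, arm64).
A kernel rootkit can still hide rows here, so compare with a static busybox netstat/ps."""
import os
import re
import socket
import struct

# Constructed sample of /proc/net/udp (header plus three rows in the kernel's column layout).
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
 1234: 00000000:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 18842 2 0000000000000000 0
 1235: 0100007F:D431 08080808:0035 01 00001000:00000000 00:00000000 00000000  1001        0 99123 2 0000000000000000 0
 1236: 0100000A:B3E6 0100A8C0:1F90 01 00020000:00000000 00:00000000 00000000  1002        0 99124 2 0000000000000000 0
"""

def _decode_addr(hexaddr):
    """'0100007F:0035' -> ('127.0.0.1', 53): /proc writes the IPv4 address in host byte order."""
    ip_hex, port_hex = hexaddr.split(":")
    return socket.inet_ntoa(struct.pack("<L", int(ip_hex, 16))), int(port_hex, 16)

def parse_udp_table(text):
    """Parse /proc/net/udp text into dicts: local, remote, tx_queue (bytes), uid, inode."""
    rows = []
    for line in text.splitlines()[1:]:  # skip the column header
        f = line.split()
        rows.append({"local": _decode_addr(f[1]), "remote": _decode_addr(f[2]),
                     "tx_queue": int(f[4].split(":")[0], 16),
                     "uid": int(f[7]), "inode": int(f[9])})
    return rows

def outside_policy(rows, allowed_remote_ports=frozenset({53})):
    """Connected sockets whose peer port is off the allow list (remote port 0 = unconnected)."""
    return [r for r in rows if r["remote"][1] not in allowed_remote_ports | {0}]

def socket_owners(proc_root="/proc"):
    """Map socket inode -> PIDs holding it, via the 'socket:[inode]' symlinks in /proc/<pid>/fd."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            targets = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:  # process exited, or fd table not readable by this user
            continue
        for inode in re.findall(r"socket:\[(\d+)\]", "\n".join(targets)):
            owners.setdefault(int(inode), []).append(int(pid))
    return owners

if __name__ == "__main__":  # live run: off-policy UDP peers and the PIDs holding each socket
    owners, live = socket_owners(), parse_udp_table(open("/proc/net/udp").read())
    for r in outside_policy(live):
        print(r["local"], "->", r["remote"], "tx", r["tx_queue"], "pids", owners.get(r["inode"]))
```

A socket that shows up in the table with no PID in `socket_owners()` is worth a second look: either the fd table was unreadable as this user, or something is hiding the holder.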
Re: Spamhaus...
On Sun, Feb 21, 2010 at 10:59:08PM -0600, James Hess wrote:
> But if the origin domain has not provided SPF records, there are some unusual cases left open, where a bounce to a potentially fake address may still be required.

Third time: SPF plays no role in mitigating this. Nothing stops an attacker from using a throwaway domain to send traffic to known backscatterers, who will then backscatter it to $throwawaydomain, whose MX's are set to $victim's MX's.

This is not a hypothetical, BTW, and there are a number of more interesting attack scenarios that I'll leave as an exercise for the reader. (Some of these have been discussed in detail on spam-l, and may be found in the archives.)

However, even if SPF is in play, a surprising (and perhaps disturbing) number of mail operations authenticate users but then do not require that the sender match the authenticated user. This permits the attacker to use j...@example.com to target s...@example.com with backscatter, if the user-part can be set independently. (Even if s...@example.com does not exist, it still permits targeting of example.com.) And if the domain-part can be set independently, then obviously third parties can be targeted. (Again, see the archives of spam-l where all of this has been analyzed and discussed in great depth.)

Yes, yes, yes, we can argue that some of this is bad mail system practice on the part of example.com, and we can argue that this is bad security practice on the part of joe, and both of these arguments have merit, but it's one of the first principles of abuse control that abuse should always be squelched where possible, never passed on, reflected or even worse, amplified. A little transient schadenfreude might feel good, but it's poor operational practice -- it's never appropriate to respond to abuse with abuse.

---Rsk
Re: Spamhaus...
On Wed, Feb 24, 2010 at 8:21 AM, Rich Kulawiec r...@gsp.org wrote:
> On Sun, Feb 21, 2010 at 10:59:08PM -0600, James Hess wrote:
>> But if the origin domain has not provided SPF records, there are some unusual cases left open, where a bounce to a potentially fake address may still be required.
>
> Nothing stops an attacker from using a throwaway domain to send traffic to known backscatterers, who will then backscatter it to $throwawaydomain, whose MX's are set to $victim's MX's.

So? You, I and everyone else these days are no longer running open relays. You don't host $throwawaydomain so the session will end at the rcpt command. If someone merely wants to DDOS your server there are far easier ways.

Regards,
Bill Herrin

> it's never appropriate to respond to abuse with abuse.
>
> ---Rsk

--
William D. Herrin  her...@dirtside.com  b...@herrin.us
3005 Crane Dr. .. Web: http://bill.herrin.us/
Falls Church, VA 22042-3004
Re: Looking Glass software - what's the current state of the art?
Thomas Kernen wrote:
> On 2/21/10 7:41 PM, Joel M Snyder wrote:
>> We are migrating our web server from platform A to mutually incompatible platform B and as a result the 7-year-old DCL script I wrote that does Looking Glass for us needs to be replaced. (from my comments, looks like I stole the idea from e...@digex.net...) I'm guessing that someone else has done a better job and I should be just downloading and using an open source tool. What's the current thinking on a good standalone Looking Glass that can be opened to the Internet-at-large?
>>
>> jms
>
> If you want to try other Looking Glass sources, I've listed a few of the more recent implementations here: http://www.traceroute.org/#source%20code
>
> HTH,
> Thomas

If you are looking for something fancy with a graphical interface that not only represents the current state of your routing but also the history of route changes, you might want to look at ibgplay: http://www.ibgplay.org/lookingGlass.html

The link is not included in the www.traceroute.org website, so if some maintainer is reading along...

Grtz
Johan
Re: Security Guidance
On Tue, Feb 23, 2010 at 02:55:40PM -0600, Chris Adams wrote:
> Once upon a time, Matt Sprague mspra...@readytechs.com said:
>> The user could also be running the command inline somehow or deleting the file when they log off. Check who was logged onto the server at the time of the attack to narrow down your search. I like the split the users idea, though it could be several iterations to narrow down the culprit.
>
> We've also seen this with spammers. They'll upload a PHP via a compromised account, connect to it via HTTP, and then delete it from the filesystem. The PHP continues to run, Apache doesn't log anything (because it only logs at the end of a request), and the admin is left scratching his head to figure out where the problem is.

I've never used it myself, but Apache's mod_log_forensic is documented to write two log entries for each request, one before and one after.

Aaron
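As an added example (not code from the thread or from Apache), a small parser for mod_log_forensic's paired entries that reports the requests which were logged as started but never as finished, which is exactly what a self-deleting PHP script left running looks like in that log. The log lines and request ids below are constructed; real ids come from mod_unique_id.

```python
"""Flag Apache mod_log_forensic requests that began but never completed.

Added example, not from the thread. mod_log_forensic writes '+<id>|<request line>|<header>|...'
as a request arrives and a bare '-<id>' when it finishes; ':' and '|' inside header values
are %-escaped. A request with a '+' entry and no '-' entry is still running (or never finished)."""
from urllib.parse import unquote

# Constructed sample log (ids and hosts invented): three requests, the second never finishes.
SAMPLE_FORENSIC_LOG = """\
+req0001|GET /index.php HTTP/1.1|Host:www.example.com|User-Agent:Mozilla/5.0
-req0001
+req0002|GET /images/x.php?run=1 HTTP/1.1|Host:www.example.com%3a8080|User-Agent:curl/7.19.7|Cookie:a=1%3bb=2
+req0003|POST /upload.php HTTP/1.1|Host:www.example.com|Content-Length:512
-req0003
"""

def parse_forensic(text):
    """Return (started, finished): started maps id -> {'request': str, 'headers': dict}."""
    started, finished = {}, set()
    for line in text.splitlines():
        if line.startswith("+"):
            rid, request, *raw_headers = line[1:].split("|")
            headers = {}
            for h in raw_headers:
                name, _, value = h.partition(":")  # first ':' separates name from value
                headers[name] = unquote(value)     # undo the module's %XX escaping
            started[rid] = {"request": request, "headers": headers}
        elif line.startswith("-"):
            finished.add(line[1:])
    return started, finished

def unfinished_requests(text):
    """Requests with a '+' entry and no matching '-' entry, keyed by forensic id."""
    started, finished = parse_forensic(text)
    return {rid: rec for rid, rec in started.items() if rid not in finished}

def describe(rec):
    """One-line summary 'METHOD path host' for a request record."""
    method, path, _ = rec["request"].split(" ", 2)
    return f"{method} {path} {rec['headers'].get('Host', '-')}"

if __name__ == "__main__":
    import sys
    log = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_FORENSIC_LOG
    for rid, rec in unfinished_requests(log).items():
        print(rid, describe(rec))
```

On a live server the output also includes requests that are legitimately still in flight, so compare it against the current httpd worker status before drawing conclusions.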
1.0.0.0/8 route from MERIT ?
Today I jumped into one of our routers, and I found that 1.0.0.0/8 is announced from AS237, which is MERIT.

   Network          Next Hop            Metric LocPrf Weight Path
*  1.0.0.0/8        4.59.200.5               0     60      0 (65001 65105) 3356 7018 237 i

Is this supposed to be? I thought 1.0.0.0/8 is allocated to APNIC.

Alex
Re: 1.0.0.0/8 route from MERIT ?
I am seeing the same thing:

1.0.0.0/8          *[BGP/170] 3d 13:48:10, MED 0, localpref 100, from 206.223.138.126
                      AS path: 3549 7018 237 I

On Feb 24, 2010, at 2:13 PM, Alex H. Ryu wrote:
> Today I jumped into one of our routers, and I found that 1.0.0.0/8 is announced from AS237, which is MERIT.
>
>    Network          Next Hop            Metric LocPrf Weight Path
> *  1.0.0.0/8        4.59.200.5               0     60      0 (65001 65105) 3356 7018 237 i
>
> Is this supposed to be? I thought 1.0.0.0/8 is allocated to APNIC.
>
> Alex
Re: 1.0.0.0/8 route from MERIT ?
2010/2/24 Alex H. Ryu r.hyuns...@ieee.org:
> Today I jumped into one of our routers, and I found that 1.0.0.0/8 is announced from AS237, which is MERIT.

IIRC, there was an email/wiki/announcement last month about 1/8 undergoing some testing soon.

-Jim P.
Re: 1.0.0.0/8 route from MERIT ?
On Wed, 2010-02-24 at 14:21 -0500, Jim Popovitch wrote:
> 2010/2/24 Alex H. Ryu r.hyuns...@ieee.org:
>> Today I jumped into one of our routers, and I found that 1.0.0.0/8 is announced from AS237, which is MERIT.
>
> IIRC, there was an email/wiki/announcement last month about 1/8 undergoing some testing soon.

http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.txt

Extract from that, last update 22/feb/2010:

Prefix   Designation                   Date     Whois             Status     [1] Note
000/8    IANA - Local Identification   1981-09                    RESERVED   [2]
001/8    APNIC                         2010-01  whois.apnic.net   ALLOCATED
002/8    RIPE NCC                      2009-09  whois.ripe.net    ALLOCATED
Re: 1.0.0.0/8 route from MERIT ?
On 2/24/2010 2:21 PM, Jim Popovitch wrote:
> 2010/2/24 Alex H. Ryu r.hyuns...@ieee.org:
>> Today I jumped into one of our routers, and I found that 1.0.0.0/8 is announced from AS237, which is MERIT.
>
> IIRC, there was an email/wiki/announcement last month about 1/8 undergoing some testing soon.

See the APNIC WHOIS for 1.0.0.0/8:

route:      1.0.0.0/8
descr:      MERIT Network Inc.
            1000 Oakbrook Drive, Suite 200
            Ann Arbor MI 48104, USA
origin:     AS237
mnt-by:     MAINT-AS237
remarks:    This announcement is part of an APNIC approved experiment.
            For additional information please send email to mka...@merit.edu

This would appear related to Manish Karir's e-mail on the "How polluted is 1/8" thread from 06 FEB 2010 (Message-ID: 609933721.3935701265474878472.javamail.r...@crono).

Regards,
Tim Wilde

--
Tim Wilde, Senior Software Engineer, Team Cymru, Inc.
twi...@cymru.com | +1-630-230-5433 | http://www.team-cymru.org/
Re: Security Guidance
On Tue, Feb 23, 2010 at 11:46 AM, Paul Stewart pstew...@nexicomgroup.net wrote:
> The problem is that a user on this box appears to be launching high traffic DOS attacks from it towards other sites. These are UDP based floods that move around from time to time - most of these attacks only last a few minutes.

Do the UDP floods have source-addresses that belong to your machine, or are they spoofed? Make sure you block that noise; depending on the applications the users think they've implemented, do you need to allow any outbound UDP other than 53?

Can you move the users onto virtual machines instead of real ones? That can make it easier to isolate the problem users, or at least to cram an IDS in front of it.

--
Thanks; Bill

Note that this isn't my regular email account - It's still experimental so far. And Google probably logs and indexes everything you send it.
Re: 1.0.0.0/8 route from MERIT ?
On 25/02/2010, at 6:13 AM, Alex H. Ryu wrote:
> Today I jumped into one of our routers, and I found that 1.0.0.0/8 is announced from AS237, which is MERIT.
>
>    Network          Next Hop            Metric LocPrf Weight Path
> *  1.0.0.0/8        4.59.200.5               0     60      0 (65001 65105) 3356 7018 237 i
>
> Is this supposed to be? I thought 1.0.0.0/8 is allocated to APNIC.

Yes, this is supposed to be. This is one of a number of planned experiments in advertising all and selected parts of 1/8 in the coming weeks.

Geoff Huston
APNIC