Re: [Nanog-futures] Transition update
On Jun 3, 2010, at 10:39 AM, Jay Hennigan wrote:

Within less than 36 hours, you've gone from being tired of people coming back months later (as if it had all been over and done a long time ago) to "It's been a very small number of weeks" (give them more time).

This is total nonsense. The scale for responding to something that was announced weeks before is entirely different from the scale related to a reasonable amount of time to handle a mind-numbing amount of work. This is a false equivalency.

Rather than doing the time-warp and marginalizing those asking questions, how about some straight answers? Are you on the SC? Do you have anything to share in terms of facts or are you just here to call names and ridicule?

No, I'm not on the SC. I'm just here to ridicule those who expect personalized answers and bunny-suited couriers from their unpaid, otherwise busy fellows who are trying to get this all done. Chill out.

-- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness ___ Nanog-futures mailing list Nanog-futures@nanog.org https://mailman.nanog.org/mailman/listinfo/nanog-futures
Re: [Nanog-futures] Transition update
On Jun 4, 2010, at 7:24 AM, Rich Kulawiec wrote:

But I'll comment that from my outsider's view back here in the cheap seats, what has happened is indistinguishable from a coup. There is the lack of information about what really happened; there is the nebulous citation of alleged problems whose severity necessitated this action; there is the marginalization of those asking direct questions; there is the lack of a cogent public plan;

If you haven't visited a country in a while and aren't aware of the civil unrest, then yeah, you might assume that a revolution is a coup. If you had attended NANOG meetings recently and talked with your SC chairs and others involved in moving things forward, you'd know something. Hell, I've attended what, 2? in the last 10 years and the friction has always been apparent to me.

Note: not saying that this is a good idea, or that it's being done well. I'm waiting to see how they approach this, just like the rest of you. But I've been down this road before and I know very well how much work is involved, so I have a lot more patience.

-- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
Re: [Nanog-futures] Transition update
Having served my maximum 4 years on the PC, I would characterize my own experience with interaction between the respective parties (SC, PC and Merit) as congruent with that of Dan's. I would observe that over my now 13 year involvement with NANOG, the community revolt that produced the SC was probably the most important step in normalizing the various roles, raising the level of accountability, and eliminating the arbitrary exercise of power. While I'm disappointed with the progress so far, I've been convinced that the responsibility for the NANOG activity needs ultimately to be invested in the community, and my opinion on the subject hasn't changed since the reform project began. Successful/unsuccessful interaction with the Merit organization has always been personality driven. I have enormous respect for the work that Carol and Betty and David and Sue have done, but they work in this through the forbearance of Merit.

aol

but where the heck are pro forma financial projections for the new nanog? we were to get them with lead time to actually study and ask questions before now.

randy
Re: [Nanog-futures] Transition update
On 6/8/10 3:25 PM, Jo Rhett wrote:

No, I'm not on the SC. I'm just here to ridicule...

+----------+
| PLEASE   |
| DO NOT   |
| FEED THE |
| TROLL    |
+----------+
     |  |
     |  |
  .\|.||/..

-- Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV
Re: [Nanog-futures] Transition update
On 6/8/10 3:25 PM, Jo Rhett wrote: and wrote and wrote and wrote

No, I'm not on the SC. I'm just here to ridicule...

+----------+
| PLEASE   |
| DO NOT   |
| FEED THE |
| TROLL    |
+----------+
     |  |
     |  |
  .\|.||/..

but, with no data from our fearless [0] leadership, what else are we to do, talk about NATO black helicopters?

randy

[0] - let us hope that the lack of fear is not their only attribute
Re: Strange practices?
Hi, On 7 Jun 2010, at 23:02, Joel M Snyder joel.sny...@opus1.com wrote: On 6/7/10 11:51 PM: Has anyone ever heard of a multi-homed enterprise not running bgp with either of 2 providers, but instead, each provider statically routes a block to their common customer and also each originates this block in BGP? Yes, this is common and works fine. [...] Ugly, but given the vast chalice of despair that is the global BGP table, hardly a drop in the bucket. Ugly, failover might not work depending on just what is actually configured, and there is of course no need to take the full table if you want to do it right, with BGP. It does also marry your network to one provider, which might not suit depending on how independent you want to be (what will happen to your pricing with the address space incumbent at renew time, or what will happen in the event of their commercial failure). Because something will likely work, does not make it a scalable or sensible design. Just do it right from the start :-) Andy
BGP convergence problem
Hi,

This morning there was an ethernet loop problem on DECIX, causing many BGP sessions to flap throughout the entire platform. While this can happen, I am myself facing BGP convergence problems on our DECIX router (SUP720-3BXL with IOS SXI3). The DECIX loop was solved two hours ago, but my BGP sessions are still flapping and not converging at all. This has been flooding our logs, and is still going on:

Jun 8 11:47:03 x.x.x.131 239447: Jun 8 11:48:38.364 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.194.32 Up
Jun 8 11:47:03 x.x.x.131 239448: Jun 8 11:48:38.364 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.192.231 Up
Jun 8 11:47:03 x.x.x.131 239449: Jun 8 11:48:38.364 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.192.109 Up
Jun 8 11:47:03 x.x.x.131 239450: Jun 8 11:48:38.364 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.194.50 Up
Jun 8 11:47:03 x.x.x.131 239451: Jun 8 11:48:38.364 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.192.81 Up
Jun 8 11:47:03 x.x.x.131 239452: Jun 8 11:48:38.364 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.192.28 Up
Jun 8 11:47:03 x.x.x.131 239453: Jun 8 11:48:38.364 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.193.212 Up
Jun 8 11:47:03 x.x.x.131 239454: Jun 8 11:48:38.368 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.193.147 Up
Jun 8 11:47:03 x.x.x.131 239455: Jun 8 11:48:38.368 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.192.74 Up
Jun 8 11:47:03 x.x.x.131 239456: Jun 8 11:48:38.368 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.192.241 Up
Jun 8 11:47:03 x.x.x.131 239457: Jun 8 11:48:38.368 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.194.5 Up
Jun 8 11:47:03 x.x.x.131 239458: Jun 8 11:48:38.368 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.192.40 Up
Jun 8 11:47:03 x.x.x.131 239459: Jun 8 11:48:38.368 CEST: %BGP-5-ADJCHANGE: neighbor 2001:7F8::1A44:0:1 Up
Jun 8 11:47:03 x.x.x.131 239460: Jun 8 11:48:38.368 CEST: %BGP-5-ADJCHANGE: neighbor 2001:7F8::8605:0:1 Up
Jun 8 11:47:03 x.x.x.131 239461: Jun 8 11:48:38.368 CEST: %BGP-5-ADJCHANGE: neighbor 2001:7F8::1A0B:0:1 Up
Jun 8 11:47:03 x.x.x.131 239462: Jun 8 11:48:38.368 CEST: %BGP-5-ADJCHANGE: neighbor 2001:7F8::3029:0:1 Up
Jun 8 11:47:03 x.x.x.131 239463: Jun 8 11:48:38.368 CEST: %BGP-5-ADJCHANGE: neighbor 2001:7F8::6E4:0:1 Up
Jun 8 11:47:03 x.x.x.131 239464: Jun 8 11:48:38.372 CEST: %BGP-5-ADJCHANGE: neighbor 2001:7F8::CB0:0:1 Up
Jun 8 11:47:03 x.x.x.131 239465: Jun 8 11:48:38.372 CEST: %BGP-5-ADJCHANGE: neighbor 2001:7F8::21C8:0:1 Up
Jun 8 11:47:03 x.x.x.131 239466: Jun 8 11:48:38.372 CEST: %BGP-5-ADJCHANGE: neighbor 2001:7F8::8463:0:2 Up
Jun 8 11:47:04 x.x.x.131 239467: Jun 8 11:48:38.372 CEST: %BGP-5-ADJCHANGE: neighbor 2001:7F8::31AA:0:1 Up
Jun 8 11:47:04 x.x.x.131 239468: Jun 8 11:48:38.372 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.194.29 Up
Jun 8 11:47:04 x.x.x.131 239469: Jun 8 11:48:38.372 CEST: %BGP-5-ADJCHANGE: neighbor 2001:7F8::62BF:0:1 Up
Jun 8 11:47:04 x.x.x.131 239470: Jun 8 11:48:39.656 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.192.101 Down BGP Notification sent
Jun 8 11:47:04 x.x.x.131 239471: Jun 8 11:48:39.656 CEST: %BGP-3-NOTIFICATION: sent to neighbor 80.81.192.101 4/0 (hold time expired) 0 bytes
Jun 8 11:47:07 x.x.x.131 239472: Jun 8 11:48:41.696 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.192.104 Up
Jun 8 11:47:10 x.x.x.131 239473: Jun 8 11:48:44.488 CEST: %BGP-3-BGP_NO_REMOTE_READ: 80.81.193.187 connection timed out - has not accepted a message from us for 2ms (hold time), 1 messages pending transmition.
Jun 8 11:47:10 x.x.x.131 239474: Jun 8 11:48:44.488 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.193.187 Down BGP Notification sent
Jun 8 11:47:10 x.x.x.131 239475: Jun 8 11:48:44.488 CEST: %BGP-3-NOTIFICATION: sent to neighbor 80.81.193.187 4/0 (hold time expired) 0 bytes
Jun 8 11:47:10 x.x.x.131 239476: Jun 8 11:48:44.900 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.194.61 Up
Jun 8 11:47:10 x.x.x.131 239477: Jun 8 11:48:44.900 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.192.149 Up
Jun 8 11:47:10 x.x.x.131 239478: Jun 8 11:48:44.900 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.192.136 Up
Jun 8 11:47:10 x.x.x.131 239479: Jun 8 11:48:44.904 CEST: %BGP-5-ADJCHANGE: neighbor 2001:7F8::8463:0:1 Up
Jun 8 11:47:10 x.x.x.131 239480: Jun 8 11:48:46.352 CEST: %BGP-5-ADJCHANGE: neighbor 2001:7F8::6268:0:1 Up
Jun 8 11:47:14 x.x.x.131 239481: Jun 8 11:48:48.084 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.193.78 Up
Jun 8 11:47:14 x.x.x.131 239482: Jun 8 11:48:49.172 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.193.239 Up
Jun 8 11:47:14 x.x.x.131 239483: Jun 8 11:48:49.172 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.194.24 Up
Jun 8 11:47:17 x.x.x.131 239484: Jun 8 11:48:52.160 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.194.45 Up
Jun 8 11:47:17 x.x.x.131 239485: Jun 8 11:48:52.160 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.192.108 Up
Jun 8 11:47:17 x.x.x.131 239486: Jun 8 11:48:52.160 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.192.164 Up
Jun 8 11:47:17 x.x.x.131 239487: Jun 8 11:48:52.164 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.193.49 Up
Jun 8 11:47:17 x.x.x.131
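A log like the one above is easier to reason about per neighbor than as a raw flood. The following is an added example, not code from the post: it parses %BGP-5-ADJCHANGE and %BGP-3-NOTIFICATION lines in the format shown, counts how often each session came up and how often this router tore it down with a hold-time-expired NOTIFICATION, and flags neighbors that keep coming back up only to be timed out again. The sample lines are a constructed excerpt in the same format (one neighbor's flap sequence compressed into a few lines), and the "two ups plus one expiry" threshold is an assumption, not anything the post prescribes.

```python
"""Per-neighbor flap / hold-timer summary over IOS BGP syslog lines.

Added example, not code from the original post. Works on lines of the
form shown in the thread: log-host timestamp, source, sequence number,
then the router's own timestamp and the %BGP message.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in the post's format (not the post's actual lines).
SAMPLE_LOG = """\
Jun 8 11:47:03 x.x.x.131 239447: Jun 8 11:48:38.364 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.194.32 Up
Jun 8 11:47:03 x.x.x.131 239459: Jun 8 11:48:38.368 CEST: %BGP-5-ADJCHANGE: neighbor 2001:7F8::1A44:0:1 Up
Jun 8 11:47:04 x.x.x.131 239470: Jun 8 11:48:39.656 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.192.101 Down BGP Notification sent
Jun 8 11:47:04 x.x.x.131 239471: Jun 8 11:48:39.656 CEST: %BGP-3-NOTIFICATION: sent to neighbor 80.81.192.101 4/0 (hold time expired) 0 bytes
Jun 8 11:47:07 x.x.x.131 239472: Jun 8 11:48:41.696 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.192.101 Up
Jun 8 11:47:10 x.x.x.131 239474: Jun 8 11:48:44.488 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.192.101 Down BGP Notification sent
Jun 8 11:47:10 x.x.x.131 239475: Jun 8 11:48:44.488 CEST: %BGP-3-NOTIFICATION: sent to neighbor 80.81.192.101 4/0 (hold time expired) 0 bytes
Jun 8 11:47:10 x.x.x.131 239476: Jun 8 11:48:44.900 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.194.61 Up
Jun 8 11:47:14 x.x.x.131 239481: Jun 8 11:48:48.084 CEST: %BGP-5-ADJCHANGE: neighbor 80.81.192.101 Up
"""

ADJ_RE = re.compile(r"%BGP-5-ADJCHANGE: neighbor (\S+) (Up|Down)")
NOTIF_RE = re.compile(
    r"%BGP-3-NOTIFICATION: sent to neighbor (\S+) (\d+)/(\d+) \((.*?)\)")


@dataclass
class NeighborStats:
    ups: int = 0
    downs: int = 0
    hold_expired_sent: int = 0   # NOTIFICATIONs we sent for hold timer expiry
    last_state: str = "unknown"


def parse_bgp_syslog(text: str) -> dict:
    """Map neighbor address -> NeighborStats for the given syslog text."""
    stats = defaultdict(NeighborStats)
    for line in text.splitlines():
        m = ADJ_RE.search(line)
        if m:
            nbr, state = m.groups()
            s = stats[nbr]
            if state == "Up":
                s.ups += 1
            else:
                s.downs += 1
            s.last_state = state.lower()
            continue
        m = NOTIF_RE.search(line)
        if m:
            nbr, code, _subcode, reason = m.groups()
            # RFC 4271 error code 4 is Hold Timer Expired; IOS also spells
            # it out in parentheses, so accept either signal.
            if code == "4" or "hold time expired" in reason:
                stats[nbr].hold_expired_sent += 1
    return dict(stats)


def flapping_neighbors(stats: dict, min_ups: int = 2) -> list:
    """Neighbors that came up at least `min_ups` times and were timed out
    by us at least once: the signature of a router too busy converging to
    keep its own sessions alive."""
    return sorted(nbr for nbr, s in stats.items()
                  if s.ups >= min_ups and s.hold_expired_sent >= 1)


if __name__ == "__main__":
    st = parse_bgp_syslog(SAMPLE_LOG)
    for nbr, s in sorted(st.items()):
        print(f"{nbr:22} ups={s.ups} downs={s.downs} "
              f"hold_expired={s.hold_expired_sent} now={s.last_state}")
    print("flapping:", flapping_neighbors(st))
```

Run against a real syslog export, the interesting output is not the list of neighbors that came up but the ones whose hold_expired count climbs over time: those are the peers the local box is failing to service, not peers that are broken on their end.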
Re: BGP convergence problem
Dear Andy

This morning there was an ethernet loop problem on DECIX, causing many BGP sessions to flap throughout the entire platform. While this can happen, I am myself facing BGP convergence problems on our DECIX router (SUP720-3BXL with IOS SXI3). The DECIX loop was solved two hours ago, but my BGP sessions are still flapping and not converging at all. This has been flooding our logs, and is still going on:

Route half or more of the peering network to Null, lowering the number of BGP session ups. (On the other side, your BGP router seems to be overloaded.)

Kind regards, Ingo Flaschberger
Re: BGP convergence problem
I finally decided to shut down all peerings and brought them back one by one. Everything is stable again, but I don't like the way I had to deal with it, since it will most likely happen again when DECIX or another IX we're at is having issues. I've seen a few BGP convergence discussions on NANOG, but none about deadlock situations and what could be done to avoid them. Setting a higher MTU or bigger hold queues did not help.

- Andy

On Tue, Jun 8, 2010 at 2:35 PM, Ingo Flaschberger i...@xip.at wrote:

Dear Andy

[...]

Route half or more of the peering network to Null, lowering the number of BGP session ups. (On the other side, your BGP router seems to be overloaded.)

Kind regards, Ingo Flaschberger
APNIC 30 - Call for Papers
[Apologies for duplicates] APNIC 30 - Call for Papers The APNIC 30 Program Committee is now seeking presentations for APNIC 30 to be held at Gold Coast, Australia from 24 - 27 August 2010. We are looking for presentations that would suit technical conference sessions. Please submit proposals online at: http://submission.apnic.net/ KEY DATES - Call for Papers Opens: 8 June 2010 First Deadline for Submissions: 9 July 2010 First Draft Program Published: 16 July 2010 Final Deadline for Submissions: 6 August 2010 Final Program Published: 10 August 2010 Final Slides Received: 20 August 2010 PROGRAM MATERIAL APNIC 30 Technical sessions will include presentations relevant to Internet Operations and Technologies. Here are some ideas for technical sessions relevant to APNIC 30: - IPv4 exhaustion / IPv6 deployment operations - ISP, Peering, Carrier, and IXP services - Network security - Internet policy - Access and Transport Technologies - Content Service Delivery If you have another idea, feel free to submit your proposal. CFP SUBMISSION -- Draft slides must be provided with all submissions. For work in progress, the most current information available at the time of submission is acceptable. Remember to submit early so you have plenty of time to arrange visas and travel! If you have questions, please email the Program Chair: pc-ch...@apnic.net For more information about APNIC 30, please visit: http://meetings.apnic.net/30 Regards, Jonny Martin Chair, APNIC 30 Program Committee
Re: BGP convergence problem
On Jun 8, 2010, at 10:27 AM, Andy B. wrote: I finally decided to shut down all peerings and brought them back one by one. Everything is stable again, but I don't like the way I had to deal with it since it will most likely happen again when DECIX or an other IX we're at is having issues. I've seen a few BGP convergence discussions on NANOG, but none about deadlock situations and what could be done to avoid them. Setting higher MTU or bigger hold queues did not help. The Cisco 7600 and 6500 platforms are getting fairly old and have underpowered cpus these days. Starting in SXH the control plane did not scale quite as well as in SXF. This got better in SXI, but is not back on par with SXF performance yet. I mostly attribute this to a combination of bloat in software and routing tables. I would start to look for a replacement sooner rather than later. - Jared
Re: BGP convergence problem
On Tue, Jun 8, 2010 at 7:27 AM, Andy B. globic...@gmail.com wrote: I finally decided to shut down all peerings and brought them back one by one. Everything is stable again, but I don't like the way I had to deal with it since it will most likely happen again when DECIX or an other IX we're at is having issues. I've seen a few BGP convergence discussions on NANOG, but none about deadlock situations and what could be done to avoid them. Setting higher MTU or bigger hold queues did not help. - Andy Some people have found that upgrading to an alternate router vendor helps. ^_^; Fundamentally, the CPU on your router is underpowered for the amount of state information that needs to be updated in the time window of the hold timers. If you can't move to a faster/more efficient platform, then you may need to negotiate raising the keepalive interval and corresponding hold timers with your neighbors, to give your router time to finish processing updates. Alternately, if you aren't in a position to be able to upgrade platforms, but have spare routers around, connecting a second router up to the exchange and splitting your neighbors up among two links into the exchange would reduce the load on each router during reconvergence, and buy you time until you can move to a more capable platform. Matt
Re: BGP convergence problem
On Tue, Jun 08, 2010 at 12:22:04PM -0400, Jared Mauch wrote:

The Cisco 7600 and 6500 platforms are getting fairly old and have underpowered cpus these days. Starting in SXH the control plane did not scale quite as well as in SXF. This got better in SXI, but is not back on par with SXF performance yet. I mostly attribute this to a combination of bloat in software and routing tables. I would start to look for a replacement sooner rather than later.

Place blame where blame is due: the CPU may be slow, but the crappy IOS scheduler is the real problem here. We saw a huge reduction in the number of self-sustaining protocol timeout cycles on these boxes (where the process of trying to bring up a new neighbor and converge routing uses so much CPU that it causes other neighbors to time out, resulting in a never-ending cycle of fail until you shut down everything and bring them up one neighbor at a time) with the move from SXF to the SR branches. We never really went down the SXH/SXI road, but I'd have assumed they would have introduced the same improvements there too. I guess you know what they say about assuming. :)

Try the usual suspects:

* Configure "process-max-time 20" at the top level; this improves interactivity by making the scheduler switch processes more often.
* Make sure you don't have an overly aggressive control-plane policer. In my experience the CoPP rate-limits are quite harsh, and if you end up bumping against them you don't get a graceful slowing of the exchange of routes, you get protocol timeouts.
* Make sure you don't have any stupid mls rate-limits, such as "cef receive". I don't know why anyone would ever want to configure this; all it does is make your box fall over faster (as if these things need any help) by rate-limiting all traffic to the MSFC.
* You might want to try something like "scheduler allocate 400 4000", which gives the vast majority of the CPU time to the control plane rather than process switching on the data plane (which in theory shouldn't happen on an entirely hw-forwarded box like 6500/7600, though of course we all know that isn't true :P).

Oh, and also the OP should take this to the cisco-nsp mailing list, where all the good bitching about broken Crisco routers takes place. :)

-- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
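The "self-sustaining timeout cycle" Ras describes, and the two ways out of it that Matt listed above (longer hold timers negotiated with the peers, or fewer neighbors per box), can be made concrete with a small queueing model. The following is an added example and not code from the thread; it is a toy, not a model of IOS, and every number in it (36 neighbors, 5 seconds of CPU per neighbor, 90 second hold time, 1 second of extra work per flap) is an assumption chosen only to illustrate the shape of the problem.

```python
"""Toy model of the BGP convergence deadlock discussed in the thread.

Added example, not code from the original posts. One CPU serves a FIFO
queue of sessions; each session needs `work` seconds of control-plane
time to finish its initial exchange. A session that has waited longer
than the peer's hold time without any attention is torn down by the peer
(a flap): it comes back needing its full work again, and every flap costs
every other session that has already come up `churn` extra seconds of
update processing. That feedback is what turns a busy router into one
that never converges. All parameters are assumed for illustration.
"""
from collections import deque


def simulate(n, work, hold_time, stagger=0, churn=1, max_time=3600):
    """Return (seconds until every session converged or None, flap count).

    stagger > 0 brings neighbor i up at time i*stagger instead of all at
    once, which is what 'shut everything and bring them up one by one'
    does by hand.
    """
    arrival = {i: i * stagger for i in range(n)}
    remaining = {}          # work left, for sessions that have come up
    last_served = {}        # last tick the session got CPU or (re)started
    queue = deque()
    queued = set()
    flaps = 0

    def enqueue(i, t):
        queue.append(i)
        queued.add(i)
        last_served[i] = t

    for t in range(max_time):
        for i in range(n):
            if arrival[i] == t:
                remaining[i] = work
                enqueue(i, t)

        # Peers that have heard nothing from us for hold_time drop the session.
        for i in [i for i in queue if t - last_served[i] >= hold_time]:
            flaps += 1
            queue.remove(i)
            remaining[i] = work
            queue.append(i)
            last_served[i] = t
            # Everyone else processes the withdraw and later re-announce.
            for j in remaining:
                if j != i:
                    remaining[j] += churn
                    if j not in queued:
                        enqueue(j, t)

        if queue:                        # one second of CPU for the head
            head = queue[0]
            remaining[head] -= 1
            last_served[head] = t
            if remaining[head] <= 0:
                queue.popleft()
                queued.discard(head)
                remaining[head] = 0

        if len(remaining) == n and not queue:
            return t + 1, flaps
    return None, flaps


if __name__ == "__main__":
    print("all at once, hold 90s: ", simulate(36, 5, 90))
    print("one by one, hold 90s:  ", simulate(36, 5, 90, stagger=5))
    print("all at once, hold 200s:", simulate(36, 5, 200))
    print("half the peers per box:", simulate(18, 5, 90))
```

The first case never converges within the hour: every 90 seconds the peers still waiting in the queue time out, and each flap adds more work than the CPU cleared in the meantime. The other three converge without a single flap, which is the whole argument for staging bring-up, raising hold timers with the peers, or spreading the exchange across two routers.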
Nato warns of strike against cyber attackers
From the NetSec mailing list...

At http://www.timesonline.co.uk/tol/news/world/article7144856.ece

June 6, 2010
Nato warns of strike against cyber attackers
Michael Smith and Peter Warren

NATO is considering the use of military force against enemies who launch cyber attacks on its member states. The move follows a series of Russian-linked hacking against Nato members and warnings from intelligence services of the growing threat from China.

A team of Nato experts led by Madeleine Albright, the former US secretary of state, has warned that the next attack on a Nato country "may well come down a fibre-optic cable".

A report by Albright's group said that a cyber attack on the critical infrastructure of a Nato country could equate to an armed attack, justifying retaliation.

Article 5 is the cornerstone of the 1949 Nato charter, laying down that "an armed attack" against one or more Nato countries "shall be considered an attack against them all". It was the clause in the charter that was invoked following the September 11 attacks to justify the removal of the Taliban regime in Afghanistan.

Nato is now considering how severe the attack would have to be to justify retaliation, what military force could be used and what targets would be attacked.

The organisation's lawyers say that because the effect of a cyber attack can be similar to an armed assault, there is no need to redraft existing treaties.

Eneken Tikk, a lawyer at Nato's cyber defence centre in Estonia, said it would be enough to invoke the mutual defence clause "if, for example, a cyber attack on a country's power networks or critical infrastructure resulted in casualties and destruction comparable to a military attack".

Nato heads of government are expected to discuss the potential use of military force in response to cyber attacks at a summit in Lisbon in November that will debate the alliance's future.

General Keith Alexander, head of the newly created US cyber command, said last week there was a need for "clear rules of engagement that say what we can stop".

The concerns follow warnings from intelligence services across Europe that computer-launched attacks from Russia and China are a mounting threat.

Russian hackers have been blamed for an attack against Estonia in April and May of 2007 which crippled government, media and banking communications and internet sites. They also attacked Georgian computer systems during the August 2008 invasion of the country, bringing down air defence networks and telecommunications systems belonging to the president, the government and banks.

Alexander disclosed last week that a 2008 attack on the Pentagon's systems, believed to have been mounted by the Chinese, successfully broke through into classified areas.

Britain's Joint Intelligence Committee cautioned last year that Chinese-made parts in the BT phone network could be used to bring down systems running the country's power and food supplies.

Some experts have warned that it is often hard to establish government involvement. Many Russian attacks, for example, have been blamed on the Russian mafia. The Kremlin has consistently refused to sign an international treaty banning internet crime.

Obviously NATO is not concerned with proving the culprit of an attack, albeit a near impossibility. Considering that many attackers compromise so many machines, what's to stop someone from instigating? I can see it coming now:

hping -S 62.128.58.180 -a 62.220.119.62 -p ++21 -w 6000
hping -S 62.220.119.62 -a 62.128.58.180 -p ++21 -w 6000

So NANOGers, what will be the game plan when something like this happens, will you be joining NATO and pulling fiber? I wonder when all types of warm-fuzzy filtering will be drafted into networking: Thou shall re-read RFC4953 lest you want Predator strikes on your NAP locations...

-- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT
It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently. - Warren Buffett
227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x5CCD6B5E
Re: Nato warns of strike against cyber attackers
Jorge Amodio wrote:

So NANOGers, what will be the game plan when something like this happens, will you be joining NATO and pulling fiber? I wonder when all types of warm-fuzzy filtering will be drafted into networking: Thou shall re-read RFC4953 lest you want Predator strikes on your NAP locations...

We have a large supply of tin hats in stock ... My .02

All humor aside, I'm curious to know what anyone can truly do at the end of the day if, say, a botnet was used to instigate a situation. Surely someone would have to say something to the tune of "better now than never" to implement BCP filtering on a large scale. "Knobs, Levers, Dials and Switches: Now and Then (please sir, may I have some more?)" is 7 years old, yet I wonder, in practice, how many networks have 38/84 filtering. I'm wondering why it hasn't been implemented off the shelf in some of the newer equipment. This is not to say huge backbones should have it, but think about it: if smaller networks implemented it from the rip, the overhead wouldn't hurt that many of the bigger guys. On the contrary, my theory is it would save them headaches in the long run... Guess that's a pragmatic approach. Better that than an immediate pessimistic one.

-- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT
It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently. - Warren Buffett
227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x5CCD6B5E
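The BCP 38 / BCP 84 filtering the post asks about is, at the router, a unicast RPF check: look the packet's source address up in the forwarding table and ask whether it is plausible on the interface it came in on. The following is an added example, not code from the thread or from any vendor, that models that decision in strict and loose mode. The routing table, interface names and bogon list are constructed for the example; the two 62.x addresses are the ones spoofed with hping's -a option in the post above, shown here arriving on a customer port where strict mode would drop them. The allow_default switch is a simplification of the vendor knobs that let a default-route match count as a hit.

```python
"""BCP 38 / BCP 84 style source-address validation (uRPF), as an added
example. Not code from the thread.

Strict mode: the best route back to the source must point out the
ingress interface. Loose mode: some route to the source must exist,
which stops bogons and unallocated space but not one customer spoofing
another. Tables and names below are made up for illustration.
"""
import ipaddress

# Constructed routing table: prefix -> interface the prefix is reached via.
ROUTES = {
    "192.0.2.0/24": "cust1",
    "198.51.100.0/24": "cust2",
    "203.0.113.0/24": "cust2",
    "0.0.0.0/0": "upstream",
}

# Sources that should never arrive from a customer: RFC 1918, loopback,
# link-local, multicast, class E. Assumed list, not exhaustive.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def lookup(table, addr):
    """Longest-prefix match. Returns (network, interface) or None."""
    a = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in table.items():
        net = ipaddress.ip_network(prefix)
        if a in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_check(table, src, ingress, mode="strict", allow_default=False):
    """Decide whether a packet from `src` arriving on `ingress` passes.
    Returns (accept, reason)."""
    a = ipaddress.ip_address(src)
    for bogon in BOGONS:
        if a in bogon:
            return False, f"bogon source {src} in {bogon}"
    hit = lookup(table, src)
    if hit is None:
        return False, f"no route to source {src}"
    net, iface = hit
    if net.prefixlen == 0:
        # Only the default route matches. On a customer port that is a
        # spoof; on an upstream port it is normal, so the operator opts
        # in with allow_default (a simplification of the vendor knobs).
        if allow_default:
            return True, f"{src} matched default route (allow_default)"
        return False, f"{src} matched only the default route on {ingress}"
    if mode == "loose":
        return True, f"{src} has a route via {iface} (loose)"
    if iface == ingress:
        return True, f"{src} routes back out {ingress} (strict)"
    return False, f"{src} belongs to {iface} but arrived on {ingress} (strict)"


def filter_packets(table, packets, **kw):
    """Run urpf_check over (src, ingress) pairs; return the dropped sources."""
    return [src for src, ingress in packets
            if not urpf_check(table, src, ingress, **kw)[0]]


if __name__ == "__main__":
    # Constructed packets. 62.220.119.62 is the address the post spoofs
    # with hping -a, here arriving on a customer port.
    pkts = [
        ("192.0.2.10", "cust1"),       # legitimate customer traffic
        ("192.0.2.10", "cust2"),       # cust2 spoofing cust1's space
        ("62.220.119.62", "cust1"),    # spoofed, routable-looking source
        ("10.1.2.3", "cust1"),         # RFC 1918 leak
        ("203.0.113.7", "cust2"),      # legitimate
    ]
    for src, ingress in pkts:
        print(src, ingress, urpf_check(ROUTES, src, ingress))
    print("dropped (strict):", filter_packets(ROUTES, pkts))
    print("dropped (loose): ", filter_packets(ROUTES, pkts, mode="loose"))
```

The caveat that keeps this off backbone interfaces is visible in the model: strict mode is only correct where routing is symmetric, which is true of a single-homed customer port and false of an upstream or multihomed peer, where loose mode (or nothing) is what operators actually deploy.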
Re: Nato warns of strike against cyber attackers
[In the message entitled Re: Nato warns of strike against cyber attackers on Jun 8, 16:03, J. Oquendo writes:] All humor aside, I'm curious to know what can anyone truly do at the end of the day if say a botnet was used to instigate a situation. Surely someone would have to say something to the tune of better now than never to implement BCP filtering on a large scale. Knobs, Levers, Dials and Switches: Now and Then (please sir, may I have some more ?) is 7 years old yet I wonder in practice, how many networks have 38/84 filtering. I'm wondering why it hasn't been implemented off the shelf in some of the newer equipment. This is not to say huge backbones should have it, but think about it, if smaller networks implemented it from the rip, the overheard wouldn't hurt that many of the bigger guys. On the contrary, my theory is it would save them headaches in the long run... Guess that's a pragmatic approach. Better that than an immediate pessimistic one. It's really way, way past time for us to actually deal with compromised computers on our networks. Abuse desks need to have the power to filter customers immediately on notification of activity. We need to have tools to help us identify compromised customers. We need to have policies that actually work to help notify the customers when they are compromised. None of this needs to be done for free. There needs to be a security fee charged _all_ customers, which would fund the abuse desk. With more than 100,000,000 compromised computers out there, it's really time for us to step up to the plate, and make this happen. --
Re: Nato warns of strike against cyber attackers
None of this needs to be done for free. There needs to be a security fee charged _all_ customers, which would fund the abuse desk. With more than 100,000,000 compromised computers out there, it's really time for us to step up to the plate, and make this happen. Or you should send the bill to the company that created the software that facilitated to get so many computers compromised, some folks in Redmond have a large chunk of money on the bank. My .02
Re: Nato warns of strike against cyber attackers
Brielle Bruns wrote:

Problem is, there's no financial penalties for providers who ignore abuse coming from their network. DNSbl lists work only because after a while, providers can't ignore their customer complaints and exodus when they dig deep into the bottom line. We've got several large scale IP blocks in place in the AHBL due to this exact problem - providers know there's abuse going on, they won't terminate the customers or deal with it, because they are more than happy to take money. Legit customers get caught in the cross-fire, and they suffer - but at the same time, those legit customers are the only ones that will be able to force a change on said provider. They contact us, and act all innocent, and tell people we're being unreasonable, neglecting to tell people at the same time that the 'unreasonable' DNSbl maintainer only wants for them to do a simple task that thousands of other providers and administrators have done before.

I know it's akin to apples and oranges, but maybe a network forfeiture (http://www.lectlaw.com/def/f054.htm) clause could be drafted. Surely there should be no outcry for stating: "If your network is dirty, it's gone, including all your equipment." I wonder how fast some network operators would have their networks. Again, re-visiting re-hashed threads: http://www.mail-archive.com/na...@merit.edu/msg50472.html

Surely a vast majority have to be tired of the garbage coming from your own networks and others. I can tell you I'm tired of my phone ringing because some toll fraudster keeps thinking he's making uber calls when he's stuck in one of my honeypots.

-- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT
It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently. - Warren Buffett
227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x5CCD6B5E
Re: Nato warns of strike against cyber attackers
On 6/8/2010 15:44, J. Oquendo wrote:

[...]

I have for what, 20 years? been begging for vendors to provide clean service. But there is no hurry, the world government (spare me the tin hats thing. Have you noticed what is going on in Washington lately?) will take care of it.
-- Somebody should have said: A democracy is two wolves and a lamb voting on what to have for dinner. Freedom under a constitutional republic is a well armed lamb contesting the vote. Requiescas in pace o email Ex turpi causa non oritur actio Eppure si rinfresca ICBM Targeting Information: http://tinyurl.com/4sqczs http://tinyurl.com/7tp8ml
RE: Nato warns of strike against cyber attackers
So let's say a cyber-attack originates from Chinese script kiddie. Albania, Belgium, Bulgaria, Canada, Croatia, Czech Republic, Denmark, Estonia, France, Germany, Greece, Hungary, Iceland, Italy, Latvia, Lithuania, Luxembourg, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Turkey, the United Kingdom, and the United States will all respond by invading China? Is NATO trying to start a war here? There's no mention in the article about any kind of electronic response to the attack. -Original Message- From: J. Oquendo [mailto:s...@infiltrated.net] Sent: Tuesday, June 08, 2010 3:08 PM To: na...@merit.edu Subject: Nato warns of strike against cyber attackers From the NetSec mailing list... At http://www.timesonline.co.uk/tol/news/world/article7144856.ece June 6, 2010 Nato warns of strike against cyber attackers Michael Smith and Peter Warren NATO is considering the use of military force against enemies who launch cyber attacks on its member states. The move follows a series of Russian-linked hacking against Nato members and warnings from intelligence services of the growing threat from China. A team of Nato experts led by Madeleine Albright, the former US secretary of state, has warned that the next attack on a Nato country "may well come down a fibre-optic cable". A report by Albright's group said that a cyber attack on the critical infrastructure of a Nato country could equate to an armed attack, justifying retaliation. Article 5 is the cornerstone of the 1949 Nato charter, laying down that "an armed attack" against one or more Nato countries "shall be considered an attack against them all". It was the clause in the charter that was invoked following the September 11 attacks to justify the removal of the Taliban regime in Afghanistan. Nato is now considering how severe the attack would have to be to justify retaliation, what military force could be used and what targets would be attacked.
The organisation's lawyers say that because the effect of a cyber attack can be similar to an armed assault, there is no need to redraft existing treaties. Eneken Tikk, a lawyer at Nato's cyber defence centre in Estonia, said it would be enough to invoke the mutual defence clause "if, for example, a cyber attack on a country's power networks or critical infrastructure resulted in casualties and destruction comparable to a military attack". Nato heads of government are expected to discuss the potential use of military force in response to cyber attacks at a summit in Lisbon in November that will debate the alliance's future. General Keith Alexander, head of the newly created US cyber command, said last week there was a need for "clear rules of engagement that say what we can stop". The concerns follow warnings from intelligence services across Europe that computer-launched attacks from Russia and China are a mounting threat. Russian hackers have been blamed for an attack against Estonia in April and May of 2007 which crippled government, media and banking communications and internet sites. They also attacked Georgian computer systems during the August 2008 invasion of the country, bringing down air defence networks and telecommunications systems belonging to the president, the government and banks. Alexander disclosed last week that a 2008 attack on the Pentagon's systems, believed to have been mounted by the Chinese, successfully broke through into classified areas. Britain's Joint Intelligence Committee cautioned last year that Chinese-made parts in the BT phone network could be used to bring down systems running the country's power and food supplies. Some experts have warned that it is often hard to establish government involvement. Many Russian attacks, for example, have been blamed on the Russian mafia. The Kremlin has consistently refused to sign an international treaty banning internet crime.
Obviously NATO is not concerned with proving the culprit of an attack an albeit close to impossibility. Considering that many attackers compromise so many machines, what's to stop someone from instigating. I can see it coming now: hping -S 62.128.58.180 -a 62.220.119.62 -p ++21 -w 6000 hping -S 62.220.119.62 -a 62.128.58.180 -p ++21 -w 6000 So NANOGer's, what will be the game plan when something like this happens, will you be joining NATO and pulling fiber. I wonder when all types of warm-fuzzy filtering will be drafted into networking: Thou shall re-read RFC4953 lest you want Predator strikes on your NAP locations... -- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ J. Oquendo SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently. - Warren Buffett 227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E
Re: Nato warns of strike against cyber attackers
On 6/8/10 3:08 PM, Peter Boone wrote: So let's say a cyber-attack originates from Chinese script kiddie. Albania, Belgium, Bulgaria, Canada, Croatia, Czech Republic, Denmark, Estonia, France, Germany, Greece, Hungary, Iceland, Italy, Latvia, Lithuania, Luxembourg, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Turkey, the United Kingdom, and the United States will all respond by invading China? Is NATO trying to start a war here? There's no mention in the article about any kind of electronic response to the attack. Of course, their reasoning seems to be that there's no possible way an attack could be from Russia, but using an open proxy, relay, etc. in China. It's not like an IP is guaranteed to be directly controlled by someone in that country. So, we end up invading China, and while all of our troops are there, Russia comes in and takes over the US or the EU without much effort. Note I'm just using Russia and China in examples here, no specific reason that it could only be them. If I didn't know any better, I'd say they let Bush write their policies. -- Brielle Bruns The Summit Open Source Development Group http://www.sosdg.org/ http://www.ahbl.org
Re: Nato warns of strike against cyber attackers
On 2010-06-08 13:03, J. Oquendo wrote: Jorge Amodio wrote: All humor aside, I'm curious to know what can anyone truly do at the end of the day if say a botnet was used to instigate a situation. Surely someone would have to say something to the tune of better now than never to implement BCP filtering on a large scale. Knobs, Levers, Dials and Switches: Now and Then (please sir, may I have some more ?) is 7 years old yet I wonder in practice, how many networks have 38/84 filtering. I'm wondering why it hasn't been implemented off the shelf in some of the newer equipment. This is not to say huge backbones should have it, but think about it, if smaller networks implemented it from the rip, the overhead wouldn't hurt that many of the bigger guys. On the contrary, my theory is it would save them headaches in the long run... Guess that's a pragmatic approach. Better that than an immediate pessimistic one. The bots don't need to spoof source addresses... and therefore the filtering associated with preventing that while a solid belt and suspenders exercise is by no means a panacea.
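The "38/84 filtering" debated above is BCP38 ingress source-address validation and its BCP84 refinement for multihomed edges, which routers implement as strict or loose unicast reverse-path forwarding (uRPF). The following is an added Python example, not code from the thread or from any vendor, that simulates both modes over a constructed FIB and constructed ingress packets; every prefix, address and interface name is invented (documentation ranges stand in for customer space), and the decision to ignore the default route during the reverse-path lookup is this example's own choice.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str


# Constructed FIB for an edge router. 203.0.113.0/24 models a multihomed customer:
# the /24 is learned via cust-C, but a more-specific /25 is learned via cust-B, so
# return traffic for the lower half of that space prefers cust-B (asymmetric path).
FIB: List[Route] = [
    Route(ipaddress.ip_network("192.0.2.0/24"), "cust-A"),
    Route(ipaddress.ip_network("198.51.100.0/24"), "cust-B"),
    Route(ipaddress.ip_network("203.0.113.0/25"), "cust-B"),
    Route(ipaddress.ip_network("203.0.113.0/24"), "cust-C"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "upstream"),
]


def lookup(fib: List[Route], addr: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest-prefix match for a source address. The default route is deliberately
    skipped: in this simulation a default never satisfies the reverse-path check
    (real routers make that a configurable option)."""
    best: Optional[Route] = None
    for route in fib:
        if route.prefix.prefixlen == 0:
            continue
        if addr in route.prefix and (best is None or route.prefix.prefixlen > best.prefix.prefixlen):
            best = route
    return best


def urpf_permits(fib: List[Route], src: str, in_iface: str, mode: str = "strict") -> bool:
    """Unicast reverse-path check for one packet.
    strict: the best route back to the source must point at the interface the packet
            arrived on (BCP38 on a single-homed customer edge).
    loose:  any non-default route back to the source is enough (BCP84's relaxation
            for multihomed customers whose paths are asymmetric)."""
    route = lookup(fib, ipaddress.ip_address(src))
    if route is None:
        return False  # unrouted source (spoofed or bogon): dropped in both modes
    if mode == "loose":
        return True
    return route.interface == in_iface


def filter_packets(fib: List[Route], packets: List[Tuple[str, str]], mode: str) -> List[Tuple[str, str, str]]:
    """Apply the check to (source, ingress interface) pairs; returns (source, interface, verdict)."""
    return [
        (src, iface, "forward" if urpf_permits(fib, src, iface, mode) else "drop")
        for src, iface in packets
    ]


# Constructed ingress traffic: (source address, interface it arrived on).
PACKETS: List[Tuple[str, str]] = [
    ("192.0.2.10", "cust-A"),    # legitimate source (or a bot using its real address)
    ("198.51.100.7", "cust-A"),  # cust-A spoofing cust-B's address space
    ("10.9.9.9", "cust-A"),      # RFC 1918 source with no route in the FIB at all
    ("203.0.113.5", "cust-C"),   # multihomed customer sending over its secondary link
]

if __name__ == "__main__":
    for mode in ("strict", "loose"):
        print(f"{mode} uRPF:")
        for src, iface, verdict in filter_packets(FIB, PACKETS, mode):
            print(f"  {src:<14} via {iface:<7} -> {verdict}")
```

The run shows the trade-off the thread circles around: strict mode drops the spoofed packet but also the multihomed customer's legitimate packet arriving over its secondary link, while loose mode keeps the multihomed customer working and only catches sources with no route at all. In neither mode is the first packet touched, which is exactly the point made at the end of the post: a bot that sends with its real source address is untouched by source-address validation.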
Re: Nato warns of strike against cyber attackers
On Jun 8, 2010, at 5:15:13 PM, Brielle Bruns wrote: On 6/8/10 3:08 PM, Peter Boone wrote: So let's say a cyber-attack originates from Chinese script kiddie. Albania, Belgium, Bulgaria, Canada, Croatia, Czech Republic, Denmark, Estonia, France, Germany, Greece, Hungary, Iceland, Italy, Latvia, Lithuania, Luxembourg, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Turkey, the United Kingdom, and the United States will all respond by invading China? Is NATO trying to start a war here? There's no mention in the article about any kind of electronic response to the attack. Of course, their reasoning seems to be that there's no possible way an attack could be from Russia, but using an open proxy, relay, etc. in China. It's not like an IP is guaranteed to be directly controlled by someone in that country. So, we end up invading China, and while all of our troops are there, Russia comes in and takes over the US or the EU without much effort. Note I'm just using Russia and China in examples here, no specific reason that it could only be them. If I didn't know any better, I'd say they let Bush write their policies. Packets of mass destruction? The issue of attribution -- and the extreme difficulty of doing it in the online world -- is *very* well understood in Washington, even at the policy-maker level. I'm currently a member of a National Academies study committee on cyberdeterrence (http://sites.nationalacademies.org/CSTB/CurrentProjects/CSTB_054995); we've discussed that point ad nauseam. Consider this text from p. 9 of our letter report: for many kinds of cyberattack the United States would almost certainly not be able to ascertain the source of such an attack, even if it were a national act, let alone hold a specific nation responsible.
For example, the United States is constantly under cyberattack today, and it is widely believed (though without conclusive proof) that most of these cyberattacks are not the result of national decisions by an adversary state, though press reports have claimed that some are. In general, prompt technical attribution of an attack or exploitation—that is, identification of the responsible party (individual? subnational group? nation-state?) based only on technical indicators associated with the event in question—is quite problematic, and any party accused of launching a given cyberintrusion could deny it with considerable plausibility. Forensic investigation might yield the identity of the responsible party, but the time scale for such investigation is often on the order of weeks or months. (Although it is often quite straightforward to trace an intrusion to the proximate node, in general, this will not be the origination point of the intrusion. Tracing an intrusion to its actual origination point past intermediate nodes is what is most difficult.) But read the next paragraph, which discusses other ways to figure out who did it. We can hope that no one in Washington (or Beijing or Moscow or the capital of Elbonia) is stupid enough to rely on IP addresses of the actual attacking machines as a definitive indicator. Given how widely understood that is, it's not even on my list of things to worry about. The question that report is tackling is this: *if* there is a serious online attack on critical infrastructure -- say, turning off some generators with extreme prejudice (http://edition.cnn.com/2007/US/09/26/power.at.risk/index.html), and *if* you know who did it, is a kinetic response on the table? This has nothing to do with the botnet du jour, nor with Sen. Lieberman marching into your NOC with a subpoena for your enable passwords.
And while people in Washington (or Beijing or Moscow or the capital of Elbonia) can be quite stupid, they're (usually) not quite as stupid as all that. And yes, serious mistakes can be made. One more quote from the report (p. 8): History shows that when human beings with little hard information are placed into unfamiliar situations in a general environment of tension, they often substitute supposition for knowledge. In the words of a former senior administration official responsible for protecting U.S. critical infrastructure, 'I have seen too many situations where government officials claimed a high degree of confidence as to the source, intent, and scope of a [cyber]attack, and it turned out they were wrong on every aspect of it. That is, they were often wrong, but never in doubt.' --Steve Bellovin, http://www.cs.columbia.edu/~smb
Re: Nato warns of strike against cyber attackers
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Tue, Jun 8, 2010 at 1:30 PM, Brielle Bruns br...@2mbit.com wrote: On 6/8/10 2:12 PM, Dave Rand wrote: It's really way, way past time for us to actually deal with compromised computers on our networks. Abuse desks need to have the power to filter customers immediately on notification of activity. We need to have tools to help us identify compromised customers. We need to have policies that actually work to help notify the customers when they are compromised. None of this needs to be done for free. There needs to be a security fee charged _all_ customers, which would fund the abuse desk. With more than 100,000,000 compromised computers out there, it's really time for us to step up to the plate, and make this happen. Problem is, there's no financial penalties for providers who ignore abuse coming from their network. Actually, the real problem is that if providers *don't* start doing something to remediate abuse originating within their customer base -- and begin policing themselves -- I don't think they will like someone else (e.g. the gummint) forcing them to do something (which actually may be worse). The opportunity for providers to address this problem by policing themselves is being overshadowed by the real possibility that the government may step in and force them to do so, unfortunately. $.02, - - ferg -BEGIN PGP SIGNATURE- Version: PGP Desktop 9.5.3 (Build 5003) wj8DBQFMDrt9q1pz9mNUZTMRAl7nAKC3hrq4Jbyq3HzOPJBrQFSDAESroACgxzPu ZiRk4x2DQGNqPcLOn/iqDIA= =x4JB -END PGP SIGNATURE- -- Fergie, a.k.a. Paul Ferguson Engineering Architecture for the Internet fergdawgster(at)gmail.com ferg's tech blog: http://fergdawg.blogspot.com/
Re: BGP convergence problem
The Cisco 7600 and 6500 platforms are getting fairly old and have underpowered cpus these days. the hamsters in them were never well fed, ever. though i have never run one, too yucchhy, i have measured receiving a research feed from one. over ten minutes for a full table while a router takes two. some researcher into archeology might try to measure if it is just a sick tcp or if it is closer to rib-out. randy
Re: Nato warns of strike against cyber attackers
On 6/8/10 10:07 PM, J. Oquendo wrote: So NANOGer's, what will be the game plan when something like this happens, will you be joining NATO and pulling fiber. I wonder when all types of warm-fuzzy filtering will be drafted into networking: Thou shall re-read RFC4953 lest you want Predator strikes on your NAP locations... We must distinguish between the m.o. of an actual response, and deterrence. If we speak of deterrence, I wrote about it not long ago. Deterrence online is one of the biggest idiocies of the past couple of years. There are some interesting research possibilities in the subject matter, but not as it is portrayed today -- a cure-all strategy. Strategic experts are very comfortable with Cold War strategy following around 70 years of practicing it, so when asked to deal with the Internet, they ran to deterrence. In order to have deterrence, you require first an ability to respond to an attack. On the Internet, you may never find out who is attacking you, and data may be intentionally misleading when you think you do have some bread crumbs. It is just virtually impossible to tell who is behind an attack from technical data alone. Thus, deterrence against whom? You may say that by setting an occasional example, it doesn't matter who you attack. That is mostly false as well. If we do know who is attacking us, then consider the players can now be (and indeed are) unaffiliated individuals or groups who may not care about the infrastructure of the country they are in nor have any infrastructure to speak of (which can in turn be targeted). Any attack will likely be against a third-party that has been hacked, i.e. compromised. And if you're dealing with large-scale attacks, such as DDoS, responding in kind (with DDoS, botnets, etc.) will also hurt the Internet itself with collateral damage. 
There are some particular instances where deterrence does work online, and it may also be used as a general addition to real-world deterrence (we have cyberweapons -- beware!), but these are just points that would muddy the water in the wider argument before us. I think supporting such folly is generally folly itself. For further reading, I'd point you to this comprehensive and quite excellent document: Cyber Deterrence and Cyber War, by Martin C. Libicki: http://www.rand.org/pubs/monographs/2009/RAND_MG877.pdf Gadi. -- Gadi Evron, http://gadievron.com/
Re: Nato warns of strike against cyber attackers
On 6/9/10 12:50 AM, Marshall Eubanks wrote: What any of this has to do with configuring routers escapes me. I think Jay is worried about steps operators may have to take during such an eventuality of an attack, not to mention the collateral damage to the Internet infrastructure if DDoS is what they have in mind. Gadi. -- Gadi Evron, http://gadievron.com/
RE: Nato warns of strike against cyber attackers
Have no fear, geolocation is here, you are not in peril. It will be a surgical strike. If Google and others are willing to assist, they will know exactly where to send the JDAM. Chrome now collects data from your wireless card if you let it. When you are asked where you are, Chrome then also records any IP and MACs it hears over your card (or so I am told). The same is being done on cell phone OS. Being on a GRE tunnel will make no difference. http://www.google.com/support/chrome/bin/answer.py?answer=142065&hl=en http://google-code-updates.blogspot.com/2008/10/introducing-gears-geolocation-api-for.html http://news.cnet.com/8301-30684_3-20006342-265.html Here is one commercial application of this process. http://www.skyhookwireless.com Cowering under my desk, Jim -Original Message- From: Gadi Evron [mailto:g...@linuxbox.org] Sent: Tuesday, June 08, 2010 3:46 PM To: nanog@nanog.org Subject: Re: Nato warns of strike against cyber attackers On 6/9/10 12:50 AM, Marshall Eubanks wrote: What any of this has to do with configuring routers escapes me. I think Jay is worried about steps operators may have to take during such an eventuality of an attack, not to mention the collateral damage to the Internet infrastructure if DDoS is what they have in mind. Gadi. -- Gadi Evron, http://gadievron.com/
Re: Nato warns of strike against cyber attackers
Military reply doesn't have to mean bombs and guns. There is nothing keeping it from meaning offensive cyber counter attacks. This would mean managing the battlefields :) On Tue, Jun 8, 2010 at 7:46 PM, Gadi Evron g...@linuxbox.org wrote: On 6/9/10 12:50 AM, Marshall Eubanks wrote: What any of this has to do with configuring routers escapes me.
Re: Nato warns of strike against cyber attackers
So let's say a cyber-attack originates from Chinese script kiddie. Albania, Belgium, Bulgaria, Canada, Croatia, Czech Republic, Denmark, Estonia, France, Germany, Greece, Hungary, Iceland, Italy, Latvia, Lithuania, Luxembourg, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Turkey, the United Kingdom, and the United States will all respond by invading China? Is NATO trying to start a war here? Bigger tin hats required then ...
Re: Nato warns of strike against cyber attackers
[In the message entitled Re: Nato warns of strike against cyber attackers on Jun 8, 14:30, Brielle Bruns writes:] Legit customers get caught in the cross-fire, and they suffer - but at the same time, those legit customers are the only ones that will be able to force a change on said provider. They contact us, and act all innocent, and tell people we're being unreasonable, neglecting to tell people at the same time that the 'unreasonable' DNSbl maintainer only wants for them to do a simple task that thousands of other providers and administrators have done before. I'm somewhat familiar with the concept :-) But yes, this indeed is currently the only effective way to cause change at the ISP level. Ferg is very correct in that Change Is Coming at the government level. That is the wrong place for it to happen, but it will also be very effective. I'm hopeful that more networks will take it upon themselves to make it happen before it is forced on them. --
Re: Nato warns of strike against cyber attackers
Perhaps a government operated black-hole list, run by the same friendly folks that run the no-fly list, with a law that says no US ISP can send packets to or accept packets from any IP on the list. Now that would be some real fun to watch! :) On Tue, Jun 8, 2010 at 8:27 PM, Dave Rand d...@bungi.com wrote: [In the message entitled Re: Nato warns of strike against cyber attackers on Jun 8, 14:30, Brielle Bruns writes:] Legit customers get caught in the cross-fire, and they suffer - but at the same time, those legit customers are the only ones that will be able to force a change on said provider. They contact us, and act all innocent, and tell people we're being unreasonable, neglecting to tell people at the same time that the 'unreasonable' DNSbl maintainer only wants for them to do a simple task that thousands of other providers and administrators have done before. I'm somewhat familiar with the concept :-) But yes, this indeed is currently the only effective way to cause change at the ISP level. Ferg is very correct in that Change Is Coming at the government level. That is the wrong place for it to happen, but it will also be very effective. I'm hopeful that more networks will take it upon themselves to make it happen before it is forced on them. --
Re: Nato warns of strike against cyber attackers
Changes the meaning of guns a-blazing Bryan On Jun 8, 2010, at 8:31 PM, jim deleskie deles...@gmail.com wrote: Military reply doesn't have to mean bombs and guns. There is nothing keeping it from meaning offensive cyber counter attacks. This would mean managing the battlefields :) On Tue, Jun 8, 2010 at 7:46 PM, Gadi Evron g...@linuxbox.org wrote: On 6/9/10 12:50 AM, Marshall Eubanks wrote: What any of this has to do with configuring routers escapes me.
Re: Nato warns of strike against cyber attackers
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Tue, Jun 8, 2010 at 5:45 PM, Dorn Hetzel dhet...@gmail.com wrote: Perhaps a government operated black-hole list, run by the same friendly folks that run the no-fly list, with a law that says no US ISP can send packets to or accept packets from any IP on the list. Now that would be some real fun to watch! :) Personally, I think that's a horrible idea -- there's a real slippery slope to subjective blocking of offensive sites (not just malicious ones) like what they are trying to do in Australia. But again, since U.S. providers have demonstrated that they do not have the desire, nor the will, to police themselves, it is hardly a surprise that Government intervention is being considered as an alternative. I think residential-broadband ISPs need to follow the lead of [e.g. Qwest, Comcast, etc.], which are making a legitimate attempt to identify, notify, and mitigate abusive/botnetted customers. Also, the U.S. leads the rest of the world in hosting providers which are hosting Eastern European criminal malfeasance -- this is a fact. In other words, as things stand now, U.S. providers kind of deserve whatever the U.S. Government dishes out, since they have shown that they do not have a willingness to police their own backyards. It is really sad, actually. - - ferg -BEGIN PGP SIGNATURE- Version: PGP Desktop 9.5.3 (Build 5003) wj8DBQFMDuv6q1pz9mNUZTMRAjVqAJ480dH3CSSGYp9LOjlXwFNm+egdiQCfYcKJ I0tMJo4UuD7OrFiF8H6L/cA= =+5X/ -END PGP SIGNATURE- -- Fergie, a.k.a. Paul Ferguson Engineering Architecture for the Internet fergdawgster(at)gmail.com ferg's tech blog: http://fergdawg.blogspot.com/
Team Cymru BOGON feed over IPv6
Off- and on-list feedback welcome. I'd personally like to get an idea of how many people are: 1) using the new Team Cymru BOGON lists *via BGP* 2) use the new v4 list 3) use the v6 list 4) monitor the Cymru BGP session as diligently as they would a peer/provider session 5) attempted the BOGON peering over IPv6 6) have a stable BOGON peering over IPv6 Disclaimer: I don't work for, nor do I have any personal or business interests in anything that Team Cymru does. I'm just very curious, and would like to compile some initial statistics based on feedback for myself. Steve
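A bogon list like the one surveyed above is used in two places: on the control plane, to reject route announcements that fall inside unallocated or reserved space, and on the data plane, to drop packets sourced from it. The following is an added Python example, not code from the thread or from Team Cymru, that applies a constructed, illustrative subset of well-known IPv4 and IPv6 bogon ranges to constructed route announcements and source addresses; the real feed is longer and changes over time, and the router-side step of blackholing the next hop a BGP-delivered feed announces is not shown.

```python
import ipaddress
from typing import Dict, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed subset of well-known bogon ranges: "this" network, RFC 1918, loopback,
# link-local, documentation, benchmarking, multicast and reserved space, plus their
# IPv6 counterparts. Illustrative only; not the Team Cymru list itself.
BOGONS: List[Network] = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.0.2.0/24", "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24",
    "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4",
    "::/8", "2001:db8::/32", "fc00::/7", "fe80::/10", "ff00::/8",
)]


def containing_bogon(target: str) -> Optional[Network]:
    """Return the bogon range that contains `target` (a prefix or a single address), or None."""
    net = ipaddress.ip_network(target, strict=False)  # a bare address becomes a /32 or /128
    for bogon in BOGONS:
        if bogon.version == net.version and net.subnet_of(bogon):
            return bogon
    return None


def covered_bogon(prefix: str) -> Optional[Network]:
    """Return a bogon range that `prefix` covers (is a supernet of), or None.
    A prefix-list that only denies bogons and their more-specifics does not match
    such a covering announcement, so it is reported as its own category."""
    net = ipaddress.ip_network(prefix, strict=False)
    for bogon in BOGONS:
        if bogon.version == net.version and bogon != net and bogon.subnet_of(net):
            return bogon
    return None


def filter_announcements(announcements: List[str]) -> Dict[str, List[str]]:
    """Control-plane use: sort received announcements into accepted, rejected
    (inside a bogon) and covering (a supernet of a bogon, flagged for review)."""
    result: Dict[str, List[str]] = {"accepted": [], "rejected": [], "covering": []}
    for prefix in announcements:
        if containing_bogon(prefix) is not None:
            result["rejected"].append(prefix)
        elif covered_bogon(prefix) is not None:
            result["covering"].append(prefix)
        else:
            result["accepted"].append(prefix)
    return result


def source_is_bogon(addr: str) -> bool:
    """Data-plane use of the same list: a packet whose source sits in bogon space is dropped."""
    return containing_bogon(addr) is not None


# Constructed announcements as they might arrive over a peering session.
ANNOUNCEMENTS: List[str] = [
    "10.0.0.0/8",          # bogon itself
    "192.168.100.0/24",    # more-specific inside a bogon
    "198.18.5.0/24",       # inside the benchmarking range
    "2001:db8:abcd::/48",  # inside the IPv6 documentation range
    "93.184.216.0/24",     # ordinary allocated space
    "2a00::/12",           # ordinary allocated IPv6 space
    "8.0.0.0/5",           # covers 10.0.0.0/8: would attract traffic for bogon space
]

if __name__ == "__main__":
    for category, prefixes in filter_announcements(ANNOUNCEMENTS).items():
        print(f"{category:<9} {prefixes}")
    for src in ("192.168.1.5", "fe80::1", "93.184.216.34"):
        print(f"source {src:<14} bogon={source_is_bogon(src)}")
```

The "covering" category is the caveat worth carrying over to a real router: a filter built only from "deny bogon and anything more specific" is silent when a peer announces a short prefix that happens to contain a bogon, so that case needs either a maximum-prefix-length rule or a separate check such as the one above.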
Re: Nato warns of strike against cyber attackers
On Tue, 08 Jun 2010 19:23:17 CDT, Jorge Amodio said: So let's say a cyber-attack originates from Chinese script kiddie. Albania, Belgium, Bulgaria, Canada, Croatia, Czech Republic, Denmark, Estonia, France, Germany, Greece, Hungary, Iceland, Italy, Latvia, Lithuania, Luxembourg, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Turkey, the United Kingdom, and the United States will all respond by invading China? Is NATO trying to start a war here? Bigger tin hats required then ... Buy 10,000 shares of every South Korean company you can find, short them, then launch an attack from Seoul. Then sit back and profit. Oh, quit looking at me like that. You know you were all thinking it. ;)
RE: Team Cymru BOGON feed over IPv6
We're using it...;) Please see inline... Paul 1) using the new Team Cymru BOGON lists *via BGP* Yes 2) use the new v4 list Yes 3) use the v6 list Yes 4) monitor the Cymru BGP session as diligently as they would a peer/provider session Spot check it - in the several years we've used the original IPv4 lists we've never had an issue 5) attempted the BOGON peering over IPv6 6) have a stable BOGON peering over IPv6 Yes - very stable, no issues
RE: Nato warns of strike against cyber attackers
Actually I was thinking of my neighbor's noisy dog and what a predator strike to his house would do. :) -Original Message- From: valdis.kletni...@vt.edu [mailto:valdis.kletni...@vt.edu] Sent: Tuesday, June 08, 2010 8:32 PM To: Jorge Amodio Cc: na...@merit.edu Subject: Re: Nato warns of strike against cyber attackers On Tue, 08 Jun 2010 19:23:17 CDT, Jorge Amodio said: So let's say a cyber-attack originates from Chinese script kiddie. Albania, Belgium, Bulgaria, Canada, Croatia, Czech Republic, Denmark, Estonia, France, Germany, Greece, Hungary, Iceland, Italy, Latvia, Lithuania, Luxembourg, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Turkey, the United Kingdom, and the United States will all respond by invading China? Is NATO trying to start a war here? Bigger tin hats required then ... Buy 10,000 shares of every South Korean company you can find, short them, then launch an attack from Seoul. Then sit back and profit. Oh, quit looking at me like that. You know you were all thinking it. ;)
Re: BGP convergence problem
* globic...@gmail.com (Andy B.) [Tue 08 Jun 2010, 16:28 CEST]: I finally decided to shut down all peerings and brought them back one by one. Sadly that's often the way it has to be done, modulo mild tweaks. Everything is stable again, but I don't like the way I had to deal with it since it will most likely happen again when DECIX or another IX we're at is having issues. As others have said upthread in more polite wordings, get a better router if yours can't handle the load. (Or use the route servers more - it's what they're there for.) I've seen a few BGP convergence discussions on NANOG, but none about deadlock situations and what could be done to avoid them. Setting higher MTU or bigger hold queues did not help. I hope you didn't change the MTU to anything different from what everybody else on the DE-CIX Peering LAN uses - that only leads to suffering. -- Niels. -- It's amazing what people will do to get their name on the internet, which is odd, because all you really need is a Blogspot account. -- roy edroso, alicublog.blogspot.com
Re: Nato warns of strike against cyber attackers
Dave, I realize you're fond of punishing all of us to subsidize the ignorant, but I would rather see those with compromised machines pay the bill for letting their machines get compromised than have to subsidize their ignorant or worse behavior. Owen Sent from my iPad On Jun 8, 2010, at 1:12 PM, d...@bungi.com (Dave Rand) wrote: [In the message entitled Re: Nato warns of strike against cyber attackers on Jun 8, 16:03, J. Oquendo writes:] All humor aside, I'm curious to know what can anyone truly do at the end of the day if say a botnet was used to instigate a situation. Surely someone would have to say something to the tune of better now than never to implement BCP filtering on a large scale. Knobs, Levers, Dials and Switches: Now and Then (please sir, may I have some more ?) is 7 years old yet I wonder in practice, how many networks have 38/84 filtering. I'm wondering why it hasn't been implemented off the shelf in some of the newer equipment. This is not to say huge backbones should have it, but think about it, if smaller networks implemented it from the rip, the overhead wouldn't hurt that many of the bigger guys. On the contrary, my theory is it would save them headaches in the long run... Guess that's a pragmatic approach. Better that than an immediate pessimistic one. It's really way, way past time for us to actually deal with compromised computers on our networks. Abuse desks need to have the power to filter customers immediately on notification of activity. We need to have tools to help us identify compromised customers. We need to have policies that actually work to help notify the customers when they are compromised. None of this needs to be done for free. There needs to be a security fee charged _all_ customers, which would fund the abuse desk. With more than 100,000,000 compromised computers out there, it's really time for us to step up to the plate, and make this happen. --
Re: Nato warns of strike against cyber attackers
Lots of finger pointing. Lots of discussion about who should pay, and so forth. How about we just take responsibility for our own part. Don't let malicious traffic in or out. If it can't move, it will die. -- Somebody should have said: A democracy is two wolves and a lamb voting on what to have for dinner. Freedom under a constitutional republic is a well armed lamb contesting the vote. Requiescas in pace o email Ex turpi causa non oritur actio Eppure si rinfresca ICBM Targeting Information: http://tinyurl.com/4sqczs http://tinyurl.com/7tp8ml
Re: Nato warns of strike against cyber attackers
[In the message entitled Re: Nato warns of strike against cyber attackers on Jun 8, 13:33, Owen DeLong writes:] I realize you're fond of punishing all of us to subsidize the ignorant, but I would rather see those with compromised machines pay the bill for letting their machines get compromised than have to subsidize their ignorant or worse behavior. I'm fond of getting the issues addressed by getting the ISPs to be involved with the problem. If that means users get charged clean up fees instead of a security fee, that's fine. ISPs remain in the unique position of being able to identify the customer, the machine, and to verify the traffic. It can be done. --
Re: Nato warns of strike against cyber attackers
Sent from my iToilet Why will you penalize with fees the end customer that may not know that her system has been compromised because what she pays to Joe Antivirus/Security/Firewall/Crapware is not effective against Billy the nerd insecure code programmer? No doubt ISPs can do something, but without additional regulation and safeguards that they won't be sued for sniffing or filtering traffic nothing will ever happen. Do we want more/any regulation? Who will oversee it? On the other hand, think of the Internet as being a vast ocean where the bad guys keep dumping garbage; you can't control or filter the currents that are constantly changing, nor can you inspect every water molecule, so then what do you do to find and penalize the ones that drop or permit their systems to drop garbage on the ocean? My .02 Jorge I'm fond of getting the issues addressed by getting the ISPs to be involved with the problem. If that means users get charged clean up fees instead of a security fee, that's fine. ISPs remain in the unique position of being able to identify the customer, the machine, and to verify the traffic. It can be done.
Re: Nato warns of strike against cyber attackers
On Tue, 08 Jun 2010 22:01:35 CDT, Jorge Amodio said: On the other hand think as the Internet being a vast ocean where the bad guys keep dumping garbage, you can't control or filter the currents that are constantly changing and you neither can inspect every water molecule, then what do you do to find and penalize the ones that drop or permit their systems to drop garbage on the ocean ? Bad analogy. There's some plumes of oil in the Gulf of Mexico that are getting mapped out very well by only a few ships. You don't have to examine every molecule to find parts-per-million oil, or to figure out whose oil rig the oil came from. And you don't need to look at every packet to find abusive traffic either - in most cases, simply letting the rest of the net do the work for you and just reading your abuse@ mailbox and actually dealing with the reports is 95% of what's needed.
Re: Nato warns of strike against cyber attackers
Jorge Amodio wrote: None of this needs to be done for free. There needs to be a security fee charged _all_ customers, which would fund the abuse desk. With more than 100,000,000 compromised computers out there, it's really time for us to step up to the plate, and make this happen. Or you should send the bill to the company that created the software that facilitated to get so many computers compromised, some folks in Redmond have a large chunk of money on the bank. I'm still truly amazed that no one has sic'd a lawyer on Microsoft for creating an attractive nuisance - an operating system that is too easily hacked and used to attack innocent victims, and where others have to pay to clean up after Microsoft's mess. For instance, if you build a pool in your backyard, and you don't properly fence it, and kids illegally trespass on your property to get in to your pool, and they get hurt, you will be sued and will be held liable. You built this dangerous thing, and you didn't properly secure (fence it), and it's your responsibility even when someone *illegally* gains access and hurts themselves (or others). There are numerous other examples of attractive nuisances where individuals and companies are held liable for injuries caused by people who illegally gained access to improperly secured property and items. Why hasn't *someone* brought this up with Microsoft and Windows? http://en.wikipedia.org/wiki/Attractive_nuisance_doctrine jc
Re: Nato warns of strike against cyber attackers
On Tue, Jun 8, 2010 at 8:59 PM, JC Dill jcdill.li...@gmail.com wrote:

> I'm still truly amazed that no one has sic'd a lawyer on Microsoft for creating an attractive nuisance - an operating system that is too easily hacked and used to attack innocent victims, and where others have to pay to clean up after Microsoft's mess.

Do you honestly believe that if 80% of the world's consumer computers were *not* MS operating systems, that the majority of computers would still not be targeted?

Please, be for real -- the criminals go after the entrenched majority. If it were any other OS, the story would be the same.

- ferg

--
Fergie, a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawgster(at)gmail.com
ferg's tech blog: http://fergdawg.blogspot.com/
Re: Nato warns of strike against cyber attackers
Dave Rand wrote:

> I'm fond of getting the issues addressed by getting the ISPs to be involved with the problem. If that means users get charged clean up fees instead of a security fee, that's fine.

I urge all my competitors to do that.

The problem isn't that this is a bad idea, the problem is that it's a bad idea to be the first to do it. You want to be the last to do it. You want all other companies to do it first - to charge their customers more (while you don't charge more and take away some of their business) to pay for this cost.

It only works if everyone has to charge their customers, and the change (from no surcharge to mandatory charge) will have to happen universally and at the same time - which will never happen.

Welcome to the anarchy.

jc
Re: Nato warns of strike against cyber attackers
On Tue, Jun 8, 2010 at 9:06 PM, JC Dill jcdill.li...@gmail.com wrote:

> Dave Rand wrote:
>
>> I'm fond of getting the issues addressed by getting the ISPs to be involved with the problem. If that means users get charged clean up fees instead of a security fee, that's fine.
>
> I urge all my competitors to do that.
>
> The problem isn't that this is a bad idea, the problem is that it's a bad idea to be the first to do it. You want to be the last to do it. You want all other companies to do it first - to charge their customers more (while you don't charge more and take away some of their business) to pay for this cost.
>
> It only works if everyone has to charge their customers, and the change (from no surcharge to mandatory charge) will have to happen universally and at the same time - which will never happen.
>
> Welcome to the anarchy.

Again, you can all continue to dance around and ignore the problem and chance the probability that the U.S. Government will step in and force you to do it.

Pick your poison.

- ferg

--
Fergie, a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawgster(at)gmail.com
ferg's tech blog: http://fergdawg.blogspot.com/
Re: Nato warns of strike against cyber attackers
> Problem is there's no financial liability for producing massively exploitable software. No financial penalty for operating a compromised system. No penalty for ignoring abuse complaints. Etc.
>
> Imagine how fast things would change in Redmond if Micr0$0ft had to pay the cleanup costs for each and every infected system and any damage said infected system did prior to the owner/operator becoming aware of the infection.

It isn't Microsoft. It once was, but Vista and Windows 7 are really solid, probably much better than Linux or Mac OS. (Note that I run NetBSD and Mac OS; I don't run Windows not because it's insecure but because it's an unpleasant work environment for me.) Microsoft is targeted because they have the market. If Steve Jobs keeps succeeding with his reality distortion field, we'll see a lot more attacks on Macs in a very few years.

It's also Flash and Acrobat Reader. It's also users who click to install every plug-in recommended by every dodgy web site they visit. It's also users who don't install patches, including those for XP (which really was that buggy). There's plenty of blame to go around here.

A liability scheme, with penalties on users and vendors, is certainly worth considering. Such a scheme would also have side-effects -- think of the effect on open source software. It would also be a lovely source of income for lawyers, and would inhibit new software development. The tradeoff may be worthwhile -- or it may not, because I have yet to see evidence that *anyone* can produce really secure software without driving up costs at least five-fold.

--Steve Bellovin, http://www.cs.columbia.edu/~smb
Re: Nato warns of strike against cyber attackers
On 6/8/2010 23:22, Paul Ferguson wrote:

> Again, you can all continue to dance around and ignore the problem and chance the probability that the U.S. Government will step in and force you to do it.
>
> Pick your poison.

Or the world government will (note misspelled NATO in the Subject:).

--
Somebody should have said:
A democracy is two wolves and a lamb voting on what to have for dinner.
Freedom under a constitutional republic is a well armed lamb contesting the vote.
Requiescas in pace o email
Ex turpi causa non oritur actio
Eppure si rinfresca
ICBM Targeting Information: http://tinyurl.com/4sqczs http://tinyurl.com/7tp8ml
Re: Nato warns of strike against cyber attackers
On Jun 9, 2010, at 12:26 AM, Steven Bellovin wrote:

>> Problem is there's no financial liability for producing massively exploitable software. No financial penalty for operating a compromised system. No penalty for ignoring abuse complaints. Etc.
>>
>> Imagine how fast things would change in Redmond if Micr0$0ft had to pay the cleanup costs for each and every infected system and any damage said infected system did prior to the owner/operator becoming aware of the infection.
>
> It isn't Microsoft. It once was, but Vista and Windows 7 are really solid, probably much better than Linux or Mac OS. (Note that I run NetBSD and Mac OS; I don't run Windows not because it's insecure but because it's an unpleasant work environment for me.) Microsoft is targeted because they have the market. If Steve Jobs keeps succeeding with his reality distortion field, we'll see a lot more attacks on Macs in a very few years.
>
> It's also Flash and Acrobat Reader. It's also users who click to install every plug-in recommended by every dodgy web site they visit. It's also users who don't install patches, including those for XP (which really was that buggy). There's plenty of blame to go around here.
>
> A liability scheme, with penalties on users and vendors, is certainly worth considering. Such a scheme would also have side-effects -- think of the effect on open source software. It would also be a lovely source of income for lawyers, and would inhibit new software development. The tradeoff may be worthwhile -- or it may not, because I have yet to see evidence that *anyone* can produce really secure software without driving up costs at least five-fold.

I agree the miscreants go for the bigger bang for the buck. That said, earlier versions of Windows really were soft targets. I don't know enough about Win7 to comment, but I respect Steve and will accept his opinion.

Let's hope MS keeps up the good work - I do not want to bash Windows (no matter how fun it is :), I want to stop being attacked.

But it is not -just- market share. There are a lot more Windows Mobile compromises, viruses, etc., than iOS, Symbian, and RIM. I think combined. Yet Windows Mobile has the lowest market share of the four. So unless that is spill over because Windows Mobile and Windows Desktop have the same vulnerabilities, it shows that market share is only one piece of the puzzle.

All that said, the biggest problem is users. Social Engineering is a far bigger threat than anything in software. And I don't know how we stop that. Anyone have an idea?

--
TTFN,
patrick
Re: Nato warns of strike against cyber attackers
[In the message entitled "Re: Nato warns of strike against cyber attackers" on Jun 9, 0:26, Steven Bellovin writes:]

> A liability scheme, with penalties on users and vendors, is certainly worth considering. Such a scheme would also have side-effects -- think of the effect on open source software. It would also be a lovely source of income for lawyers, and would inhibit new software development. The tradeoff may be worth while -- or it may not, because I have yet to see evidence that *anyone* can produce really secure software without driving up costs at least five-fold.

The vast majority of users that I interact with (and yes, I am first to admit that it has been only thousands, perhaps less than 10,000 over the years, so it is a small sample) are quite happy to be informed of a compromised system. It's not, for the most part, that they are malicious. Just unaware. The bad guys are very stealthy, and the "but, I can't see anything wrong on my screen!" is a huge obstacle to overcome.

Once they are made aware of the problem, the vast majority work quickly to fix it. Yes, some are clueless. Some want someone else to fix it. But most are simply unaware that they have been owned, and want the infection gone.

We've tried to educate users for tens of years of the dangers of unsafe computing. Doesn't work. The users have been trained to click and install whatever they are told, because that makes it work.

But when they _are_ compromised, and _are_ informed, most users do seek out a fix. Some will do it themselves. Some will hire someone to do it for them.

When abuse desks content-filter reports, and don't pass on notifications to the customer, or wait until there are more complaints, or... this ends up with networks that have massive levels of infection.

Yes, I know - we're all busy, and abuse@ is kind of the last priority on most networks, but it really is bad out there, and we need the network operators to help. Please.

For those network operators that would like a 5 year view on their network, please drop me an email with your ASN, and I'll be happy to send you a text file, xls, or ods (your pick) of a view of the historical spam traffic. No obligation, and no salesman will call. Really.
Re: Nato warns of strike against cyber attackers
On Tue, Jun 8, 2010 at 9:36 PM, Patrick W. Gilmore patr...@ianai.net wrote:

> But it is not -just- market share. There are a lot more Windows Mobile compromises, viruses, etc., than iOS, Symbian, and RIM. I think combined. Yet Windows Mobile has the lowest market share of the four. So unless that is spill over because Windows Mobile and Windows Desktop have the same vulnerabilities, it shows that market share is only one piece of the puzzle.
>
> All that said, the biggest problem is users. Social Engineering is a far bigger threat than anything in software. And I don't know how we stop that. Anyone have an idea?

Actually, it *is* market-share. That's the low-hanging fruit for criminals.

And educating users? That bus left the station long ago.

Let's not be distracted from the issue here -- ISPs. xSPs, and other similar providers have a responsibility here that should not shirk, or pass along.

Police your own backyards. Before someone else forces you to do so.

- ferg

--
Fergie, a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawgster(at)gmail.com
ferg's tech blog: http://fergdawg.blogspot.com/
Re: Strange practices?
Hi,

On Tue, Jun 8, 2010 at 6:50 AM, Dale Cornman bstym...@gmail.com wrote:

> Has anyone ever heard of a multi-homed enterprise not running bgp with either of 2 providers, but instead, each provider statically routes a block to their common customer and also each originates this block in BGP? One of the ISP's in this case owns the block and has even provided a letter of authorization to the other, allowing them to announce it in BGP as well. I had personally never heard of this and am curious if this is a common practice

I have seen it quite often. It allows an enterprise to be multihomed w/o getting PI or PA address space so they are usually pretty happy with it.

> as well as if this would potentially create any problems by 2 Autonomous Systems both originating the same prefix.

AFAIR prefixes can be originated by more than one AS so there shouldn't be any issues.

--
SY, Jen Linkova
aka Furry
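The arrangement Dale describes (one prefix originated by two provider ASes, one of them holding a letter of authorization from the address owner) is a deliberate multiple-origin-AS (MOAS) case; the same pattern seen without such an arrangement is what an operator would want flagged as a possible hijack or misconfiguration. The check below is an added example, written for this thread and not code from any poster: it takes a set of announcements as a route collector might see them, groups origin ASes per prefix, and reports every MOAS prefix together with any origin not on an allow-list that stands in for the LoA arrangement. The prefixes, ASNs and AS_PATHs are constructed sample data, and the allow-list is an assumption about what the operator knows to be authorised.

```python
"""
MOAS check over constructed BGP announcements.

Added example for this thread, not code from any poster.  All prefixes,
ASNs and AS_PATHs below are constructed sample data; AUTHORISED_ORIGINS is
an assumed allow-list standing in for "the address owner plus whoever holds
its letter of authorization".
"""
from collections import defaultdict
import ipaddress

# Constructed sample of (prefix, AS_PATH) entries.  192.0.2.0/24 is
# originated by both providers (AS 64501 and AS 64502), which matches the
# arrangement in the thread; 198.51.100.0/24 is also seen from AS 64666,
# which nobody authorised; 203.0.113.0/24 has a single origin.
SAMPLE_ROUTES = [
    ("192.0.2.0/24", [64510, 64501]),
    ("192.0.2.0/24", [64511, 64502]),
    ("198.51.100.0/24", [64510, 64501]),
    ("198.51.100.0/24", [64512, 64666]),
    ("203.0.113.0/24", [64510, 64503]),
]

# Assumed allow-list: prefix -> ASNs permitted to originate it.
AUTHORISED_ORIGINS = {
    "192.0.2.0/24": {64501, 64502},
    "198.51.100.0/24": {64501},
    "203.0.113.0/24": {64503},
}


def origins_by_prefix(routes):
    """Map each prefix (normalised) to the set of origin ASNs seen for it.

    The origin AS is the last element of AS_PATH; prepending repeats the
    origin at the end of the path, so [-1] is still correct for that case.
    """
    origins = defaultdict(set)
    for prefix, as_path in routes:
        if not as_path:
            continue  # an empty AS_PATH carries no origin information
        net = ipaddress.ip_network(prefix, strict=True)  # validate / normalise
        origins[str(net)].add(as_path[-1])
    return dict(origins)


def moas_report(routes, authorised):
    """Return [(prefix, sorted origins, sorted unauthorised origins)] for
    every prefix that has more than one origin AS.

    An empty third element means every origin is on the allow-list, i.e.
    the MOAS is expected (as with a LoA-backed dual origination).
    """
    report = []
    for prefix, origin_set in sorted(origins_by_prefix(routes).items()):
        if len(origin_set) < 2:
            continue
        allowed = authorised.get(prefix, set())
        rogue = sorted(origin_set - allowed)
        report.append((prefix, sorted(origin_set), rogue))
    return report


if __name__ == "__main__":
    for prefix, origins, rogue in moas_report(SAMPLE_ROUTES, AUTHORISED_ORIGINS):
        status = ("expected, all origins authorised" if not rogue
                  else f"UNEXPECTED origin(s) {rogue}")
        print(f"{prefix}: origins {origins} -> {status}")
```

On the constructed data this reports 192.0.2.0/24 as an expected MOAS and 198.51.100.0/24 as one with an unexpected origin. The allow-list is the piece a real deployment has to get right; the natural sources for it are the IRR route objects or, where present, RPKI ROAs covering the prefix, which is the same authorization the LoA expresses on paper.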
Re: Nato warns of strike against cyber attackers
On 09-Jun-2010, at 12:36 PM, Patrick W. Gilmore wrote:

> On Jun 9, 2010, at 12:26 AM, Steven Bellovin wrote:
>
>>> Problem is there's no financial liability for producing massively exploitable software. No financial penalty for operating a compromised system. No penalty for ignoring abuse complaints. Etc.
>>>
>>> Imagine how fast things would change in Redmond if Micr0$0ft had to pay the cleanup costs for each and every infected system and any damage said infected system did prior to the owner/operator becoming aware of the infection.
>>
>> It isn't Microsoft. It once was, but Vista and Windows 7 are really solid, probably much better than Linux or Mac OS. (Note that I run NetBSD and Mac OS; I don't run Windows not because it's insecure but because it's an unpleasant work environment for me.) Microsoft is targeted because they have the market. If Steve Jobs keeps succeeding with his reality distortion field, we'll see a lot more attacks on Macs in a very few years.
>>
>> It's also Flash and Acrobat Reader. It's also users who click to install every plug-in recommended by every dodgy web site they visit. It's also users who don't install patches, including those for XP (which really was that buggy). There's plenty of blame to go around here.
>>
>> A liability scheme, with penalties on users and vendors, is certainly worth considering. Such a scheme would also have side-effects -- think of the effect on open source software. It would also be a lovely source of income for lawyers, and would inhibit new software development. The tradeoff may be worthwhile -- or it may not, because I have yet to see evidence that *anyone* can produce really secure software without driving up costs at least five-fold.
>
> I agree the miscreants go for the bigger bang for the buck. That said, earlier versions of Windows really were soft targets. I don't know enough about Win7 to comment, but I respect Steve and will accept his opinion.
>
> Let's hope MS keeps up the good work - I do not want to bash Windows (no matter how fun it is :), I want to stop being attacked.
>
> But it is not -just- market share. There are a lot more Windows Mobile compromises, viruses, etc., than iOS, Symbian, and RIM. I think combined. Yet Windows Mobile has the lowest market share of the four. So unless that is spill over because Windows Mobile and Windows Desktop have the same vulnerabilities, it shows that market share is only one piece of the puzzle.
>
> All that said, the biggest problem is users. Social Engineering is a far bigger threat than anything in software. And I don't know how we stop that. Anyone have an idea?

Remove the users. The problem goes away.

Just kidding on that. Really, the only way ahead is educating the users of the threats and all and maybe a learning experience is due for most of them.

> --
> TTFN,
> patrick
Re: Nato warns of strike against cyber attackers
At 15:07 08/06/2010 -0400, J. Oquendo wrote:

> At http://www.timesonline.co.uk/tol/news/world/article7144856.ece
>
> A report by Albright's group said that a cyber attack on the critical infrastructure of a Nato country could equate to an armed attack, justifying retaliation. Eneken Tikk, a lawyer at Nato's cyber defence centre in Estonia, said it would be enough to invoke the mutual defence clause "if, for example, a cyber attack on a country's power networks or critical infrastructure resulted in casualties and destruction comparable to a military attack".
>
> Obviously NATO is not concerned with proving the culprit of an attack an albeit close to impossibility. Considering that many attackers compromise so many machines, what's to stop someone from instigating. I can see it coming now:
>
> hping -S 62.128.58.180 -a 62.220.119.62 -p ++21 -w 6000
> hping -S 62.220.119.62 -a 62.128.58.180 -p ++21 -w 6000

Let's try to separate the attacks into those that we (NANOG) have dealt with and those that NATO are referring to - and there is *no* overlap between the two. Attacks such as botnets, hpings, compromised machines, DDOS attacks, site defacements, prefix hijacks is what this list deals with, sometimes well and other times not. The attacks NATO is referring to are ones like causing trains to crash into each other, attacks causing oil and gas pipelines to overload and explode, attacks altering blood bank data, attacks poisoning the water supply, etc. - all of which can be done remotely.

NATO is in no way (unless they have been out in the sun too long) condoning an attack for a DDOS attack. I think NATO is discussing attacking if 5,000 people die from some cyber attack as listed above (I have many more scenarios).

-Hank
Re: Nato warns of strike against cyber attackers
I'm all for that, but, point is that people who fail to meet that standard are currently getting a free ride. IMHO, they should pay and they should have the recourse of being (at least partially) reimbursed by their at-fault software vendors for contributory negligence.

Owen

On Jun 8, 2010, at 7:39 PM, Larry Sheldon wrote:

> Lots of finger pointing.
>
> Lots of discussion about who should pay, and so forth.
>
> How about we just take responsibility for our own part.
>
> Don't malicious traffic in or out.?
>
> If it can't move, it will die.
>
> --
> Somebody should have said:
> A democracy is two wolves and a lamb voting on what to have for dinner.
> Freedom under a constitutional republic is a well armed lamb contesting the vote.
> Requiescas in pace o email
> Ex turpi causa non oritur actio
> Eppure si rinfresca
> ICBM Targeting Information: http://tinyurl.com/4sqczs http://tinyurl.com/7tp8ml
Re: Nato warns of strike against cyber attackers
On Jun 8, 2010, at 8:01 PM, Jorge Amodio wrote:

> Sent from my iToilet
>
> why you will penalize with fees the end customer that may not know that her system has been compromised because what she pays to Joe Antivirus/Security/Firewall/Crapware is not effective against Billy the nerd insecure code programmer ?

So? If said end customer is operating a network-connected system without sufficient knowledge to properly maintain it and prevent it from doing mischief to the rest of the network, why should the rest of us subsidize her negligence? I don't see where making her pay is a bad thing.

> No doubt ISPs can do something, but without additional regulation and safeguards that they wont be sued for sniffing or filtering traffic nothing will ever happen. Do we want more/any regulation ? who will oversee it ?

Those safeguards are already in place. There are specific exemptions in the law for data collection related to maintaining the service and you'd be very hard pressed to claim that identifying and correcting malicious activity is not part of maintaining the service.

> On the other hand think as the Internet being a vast ocean where the bad guys keep dumping garbage, you can't control or filter the currents that are constantly changing and you neither can inspect every water molecule, then what do you do to find and penalize the ones that drop or permit their systems to drop garbage on the ocean ?

Your initial premise is flawed, so the conclusion is equally flawed. The internet may be a vast ocean where bad guys keep dumping garbage, but, if software vendors stopped building highly exploitable code and ISPs started disconnecting abusing systems rapidly, it would have a major effect on the constantly changing currents.

If abuse departments were fully funded by cleanup fees charged to negligent users who failed to secure their systems properly, it would both incentivize users to do proper security _AND_ provide for more responsive abuse departments as issues are reduced and their budget scales linearly with the amount of abuse being conducted.

Owen

> My .02
> Jorge
>
>> I'm fond of getting the issues addressed by getting the ISPs to be involved with the problem. If that means users get charged clean up fees instead of a security fee, that's fine.
>>
>> ISPs remain in the unique position of being able to identify the customer, the machine, and to verify the traffic. It can be done.
Re: Nato warns of strike against cyber attackers
On Jun 8, 2010, at 9:06 PM, JC Dill wrote:

> Dave Rand wrote:
>
>> I'm fond of getting the issues addressed by getting the ISPs to be involved with the problem. If that means users get charged clean up fees instead of a security fee, that's fine.
>
> I urge all my competitors to do that.
>
> The problem isn't that this is a bad idea, the problem is that it's a bad idea to be the first to do it. You want to be the last to do it. You want all other companies to do it first - to charge their customers more (while you don't charge more and take away some of their business) to pay for this cost.

Heck, at this point, I'd be OK with it being a regulatory issue. Perhaps we need regulators to step in and put forth something like the following:

1. An ISP who receives an abuse complaint against one of their customers shall not be held liable for damages to the complainant or other third parties IF:

   A. Said ISP investigates and takes remedial action for valid complaints within 24 hours of receipt of said complaint.

   B. Said ISP responds to said abuse complaint within 4 hours of their determination including the determination made and what, if any, remedial action was taken.

   and

   C. If the complaint was legitimate, the remedial action taken by said ISP causes the reported abuse to stop.

2. Any ISP who takes remedial action against one of their customers as outlined in the previous section shall charge their customer a fee which shall not be less than $100 and not more than the ISP's full costs of investigation and remedial action.

I'm not saying I necessarily like the idea of more regulation, but, if we as an industry are unwilling to solve this because of the above competitive concerns, then, perhaps that is what is necessary to get us to act.

Owen
Re: Nato warns of strike against cyber attackers
On Tue, Jun 8, 2010 at 10:22 PM, Owen DeLong o...@delong.com wrote:

>> Please, be for real -- the criminals go after the entrenched majority. If it were any other OS, the story would be the same.
>
> If this were true, the criminals would be all over Apache and yet it is IIS that gets compromised most often.

Actually, that is another fallacy. The majority of SQL Injections are on Apache-based systems.

Look, this isn't a blame-game in which we need to point out one vendor, operating system, plug-in, browser, or whatever. The problem is that it is a wide-spread problem wherein we have millions of compromised consumer (and non-consumer) hosts doing the bidding of Bad Guys.

I would certainly love to hear your solution to this problem. And stop pointing fingers.

- ferg

--
Fergie, a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawgster(at)gmail.com
ferg's tech blog: http://fergdawg.blogspot.com/