Re: chargen is the new DDoS tool?

2013-06-11 Thread Damian Menscher
On Tue, Jun 11, 2013 at 8:39 AM, Bernhard Schmidt wrote:

> we have been getting reports lately about unsecured UDP chargen servers
> in our network being abused for reflection attacks with spoofed sources
>
> Anyone else seeing that? Anyone who can think of a legitimate use of
> chargen/udp these days? Fortunately I can't, so we're going to drop
> 19/udp at the border within the next hours.
>

FWIW, last August we noticed 2.5Gbps of chargen being reflected off ~160
IPs (with large responses in violation of the RFC).  As I recall, some
quick investigation indicated it was mostly printers.  I notified several
of the worst offenders (rated by bandwidth).

While I think it's silly to be exposing chargen to the world (especially as
a default service in a printer!), the real problem here is networks that
allow spoofed traffic onto the public internet.  In the rare cases we see
spoofed traffic I put special effort into tracing them to their source, and
then following up to educate those providers about egress filtering.  I'd
appreciate it if others did the same.

Damian


RE: Any Level 3 / GBLX things going on tonight?

2013-06-11 Thread David Hubbard
And now the announcements are withdrawn.  Good times.

> -Original Message-
> From: David Hubbard 
> Sent: Wednesday, June 12, 2013 12:15 AM
> To: nanog@nanog.org
> Subject: Any Level 3 / GBLX things going on tonight?
> 
> I just got a bunch of bgpmon alerts that our prefixes were being
> seen as announced through GBLX 3549 from bgpmon's Finland location
> peer.
> 
> David
> 
> 
> 



Any Level 3 / GBLX things going on tonight?

2013-06-11 Thread David Hubbard
I just got a bunch of bgpmon alerts that our prefixes were being
seen as announced through GBLX 3549 from bgpmon's Finland location
peer.

David



Re: chargen is the new DDoS tool?

2013-06-11 Thread Ricky Beam

On Tue, 11 Jun 2013 22:55:12 -0400,  wrote:

> Do you have any actual evidence that a .edu of (say) 2K employees
> is statistically *measurably* less secure than a .com of 2K employees?


We're sorta lookin' at one now. :-)

But seriously, how do you measure one's security?  The scope is constantly  
changing.  While there are companies one can pay to do this, those reports  
are *very* rarely published.  And I've not heard of a single edu  
performing such an audit.  The only statistics we have to run with are of  
*known* breaches. And that's a very bad metric as a company with no  
security at all that's had no (reported) intrusions appears to have very  
good security, while a company with extensive security looks very bad  
after a few breaches.  One has no one sniffing around at all, while the
other has teams going at it with pick-axes. One likely has no one in charge
of security, while the other has an entire security department.




Re: chargen is the new DDoS tool?

2013-06-11 Thread Ricky Beam

On Tue, 11 Jun 2013 22:52:52 -0400, Jimmy Hess  wrote:

> Who really has a solid motive to make them stop working (other than a
> printer manufacturer who wants to sell them more) ?


Duh, so people cannot print to them. (amongst various other creative
pranks)


From a cybercriminal pov, to swipe the things you're printing... like that  
CC authorization form you just printed, or a confidential contract, etc.  
(also, in many offices, the printer is also the scanner and fax)


--Ricky



IANA AS Numbers registry update

2013-06-11 Thread Leo Vegoda
Hi,

The IANA AS Numbers registry has been updated to reflect two changes.
LACNIC has returned the range 61440-62463 in exchange for a block
composed of two non-contiguous ranges:

61440-61951 
263168-263679

Both ranges were allocated today. You can find the IANA AS Numbers
registry at:

http://www.iana.org/assignments/as-numbers

Regards,

Leo Vegoda
leo.veg...@icann.org

***
Internet Assigned Numbers Authority (IANA)
Internet Corporation for Assigned Names & Numbers
12025 Waterfront Drive, Suite 300
Los Angeles, CA 90094
Phone: +1 310 301 5800
Fax: +1-310-823-8649
***




Re: chargen is the new DDoS tool?

2013-06-11 Thread Valdis . Kletnieks
On Tue, 11 Jun 2013 21:37:04 -0400, "Ricky Beam" said:

> Indeed I have. Which is why I haven't for a great many years.  Academics
> tend to be, well, academic. That is, rather far out of touch with the
> realities of running / securing a network.

Do you have any actual evidence that a .edu of (say) 2K employees
is statistically *measurably* less secure than a .com of 2K employees?

We keep hearing that meme - and yet, looking at the archives of this list,
I see a lot more stories of network providers who should know better doing
stupid stuff than I see of .edu's doing stupid stuff.

The Verizon report says small business is actually the biggest cesspit of abuse:

http://money.cnn.com/2013/04/22/smallbusiness/small-business-cybercrime/index.html
http://www.verizonenterprise.com/DBIR/2013/

~100 employee firms in health care appear to be a particular lost cause.





Re: chargen is the new DDoS tool?

2013-06-11 Thread Jimmy Hess
On 6/11/13, Majdi S. Abbas  wrote:
> On Tue, Jun 11, 2013 at 07:52:02PM -0400, Ricky Beam wrote:
>> All of the above plus very poorly managed network / network
>> security. (sadly a Given(tm) for anything ending dot-e-d-u.)  a) why
>> are *printers* given public IPs? and b) why are internet hosts
>> allowed to talk to them?  I'm actually *very* surprised your printers
>> are still functional if the whole internet can reach them.

Who really has a solid motive to make them stop working (other than a
printer manufacturer who wants to sell them more) ?


>   Guess what, they have /16s, they use them, and they like
> the ability to print from one side of campus to the other.  Are you
> suggesting gigantic NATs with 120,000 students and faculty behind them?

A per-building NAT would work,  with static translations for printers
in that building, and an ACL with an allow list including IPsec
traffic to the printer from the campus'  IP range.

They don't have to use NAT though to avoid unnecessary exposure of
services on internal equipment to the larger world.


>   I have a hard time blaming a school for this.  I have an easy
> time wondering why printer manufacturers are including chargen support
> in firmware.
>

They probably built their printer on top of a general purpose or
embedded OS they purchased from someone else, or reused,  that
included an IP stack -- as well as other features that were
unnecessary for their use case.

Or the chargen tool may have been used during stress tests to verify
proper networking, and that the IP stack processed bits without
corrupting them;  with the manufacturer forgetting/neglecting to turn
off the unnecessary feature, forgetting to remove/disable that bit of
software, or seeing no need to,  before mass producing.


>   --msa
-- 
-JH



Re: chargen is the new DDoS tool?

2013-06-11 Thread Ricky Beam

On Tue, 11 Jun 2013 19:57:17 -0400, Majdi S. Abbas  wrote:

> You've never worked for one, have you?


Indeed I have. Which is why I haven't for a great many years.  Academics  
tend to be, well, academic. That is, rather far out of touch with the  
realities of running / securing a network.  I've used the word
"incompetent" in previous conversations, but that's mostly a factor of
overwork in an environment where few people are ever fired for such.



> Guess what, they have /16s, they use them, and they like
> the ability to print from one side of campus to the other.  Are you
> suggesting gigantic NATs with 120,000 students and faculty behind them?


Guess what, there are companies that have /8's, and they manage to keep  
their network(s) reasonably secured.  I'm not talking about uber-large  
NAT; I'm talking about proper boundary security.  If you cannot figure out
how to keep the internet away from your printers, you should look into  
other lines of employment.  Limiting access of the residential network  
into the departmental networks, is one of the first things in the design  
of a res-net. Otherwise, there's 25k potential script kiddies (or infected  
home computers now on your network) waiting to attack everything on  
campus. But we're headed into the weeds here...



> I have a hard time blaming a school for this.  I have an easy
> time wondering why printer manufacturers are including chargen support
> in firmware.


I have the same bewilderment about people allowing such unsolicited  
traffic into their network(s) in the first place.  Even with IPv6 (where  
there's no NAT forcing the issue), I run a default deny policy... if  
nothing asked for it, it doesn't get in.


Also, why the hell aren't providers doing anything to limit
spoofing?!? I'm staring right at you AT&T (former Bellsouth.)


--Ricky



Re: chargen is the new DDoS tool?

2013-06-11 Thread Joe Hamelin
On Tue, Jun 11, 2013 at 4:57 PM, Majdi S. Abbas  wrote:

>
> I have a hard time blaming a school for this.  I have an easy
> time wondering why printer manufacturers are including chargen support
> in firmware.


Isn't that what printers do?  Generate characters?  It was in the design
spec.

/me thinks of PHB going down port list, "yep, need that one!"

--
Joe Hamelin, W7COM, Tulalip, WA, 360-474-7474


Re: chargen is the new DDoS tool?

2013-06-11 Thread Majdi S. Abbas
On Tue, Jun 11, 2013 at 07:52:02PM -0400, Ricky Beam wrote:
> All of the above plus very poorly managed network / network
> security. (sadly a Given(tm) for anything ending dot-e-d-u.)  a) why
> are *printers* given public IPs? and b) why are internet hosts
> allowed to talk to them?  I'm actually *very* surprised your printers
> are still functional if the whole internet can reach them.

You've never worked for one, have you?

Guess what, they have /16s, they use them, and they like
the ability to print from one side of campus to the other.  Are you
suggesting gigantic NATs with 120,000 students and faculty behind them?

I have a hard time blaming a school for this.  I have an easy
time wondering why printer manufacturers are including chargen support
in firmware.

--msa



Re: chargen is the new DDoS tool?

2013-06-11 Thread Ricky Beam

On Tue, 11 Jun 2013 12:06:36 -0400, Brielle Bruns  wrote:
> Are these like machines time forgot or just really bad configuration
> choices?


All of the above plus very poorly managed network / network security.  
(sadly a Given(tm) for anything ending dot-e-d-u.)  a) why are *printers*  
given public IPs? and b) why are internet hosts allowed to talk to them?   
I'm actually *very* surprised your printers are still functional if the
whole internet can reach them.


Being an edu, even if they aren't globally reachable, there is *plenty*  
mischievousness already inside the borders!  Securing a campus from the  
world... easy; securing a campus from its own users... good luck with
that.


--Ricky



Re: Cisco ASA SME's

2013-06-11 Thread Phil Fagan
Thank you


On Tue, Jun 11, 2013 at 5:42 PM, Dobbins, Roland  wrote:

>
> On Jun 12, 2013, at 6:36 AM, Phil Fagan wrote:
>
> > Any ASA sme's out there?
>
> Suggest you check on the cisco-nsp list.
>
> ---
> Roland Dobbins  // 
>
>   Luck is the residue of opportunity and design.
>
>-- John Milton
>
>
>


-- 
Phil Fagan
Denver, CO
970-480-7618


Re: Cisco ASA SME's

2013-06-11 Thread Dobbins, Roland

On Jun 12, 2013, at 6:36 AM, Phil Fagan wrote:

> Any ASA sme's out there?

Suggest you check on the cisco-nsp list.

---
Roland Dobbins  // 

  Luck is the residue of opportunity and design.

   -- John Milton




Cisco ASA SME's

2013-06-11 Thread Phil Fagan
Any ASA sme's out there?

-- 
Phil Fagan
Denver, CO
970-480-7618


Re: chargen is the new DDoS tool?

2013-06-11 Thread Dobbins, Roland

On Jun 12, 2013, at 2:13 AM, Leo Bicknell wrote:

> The number is non-zero?  In 2013?

These are largely modern printers and other 'embedded' devices which are 
running OS configurations apparently cribbed out of 20-year-old gopher docs.

;>

---
Roland Dobbins  // 

  Luck is the residue of opportunity and design.

   -- John Milton




Re: Mechanics of CALEA taps

2013-06-11 Thread Rick Robino
> Message: 1
> Date: Sun, 9 Jun 2013 18:59:16 -0400
> From: Randy Fischer 
> To: North American Network Operators Group 
> Subject: Mechanics of CALEA taps
> Message-ID:
>   
> Content-Type: text/plain; charset=ISO-8859-1
> 
> Dear nanog:
> 
> Honestly, I expect replies to this question to range between zero and none,
> but I have to ask it.
> 
> I understand the CALEA tap mechanism for most ISPs, generally, works like
> this:
> 
> * we outsource our CALEA management to company X
> * we don't even know there's been a request until we've gotten a bill from
> X.
> 
> And that's the extent of it.
> 
> Well, golly Slothrop, maybe someone else has started picking up the tab.
> Would you even know?
> 
> Is that possible?
> 
> Thanks,
> 
> Randy Fischer


Operators can choose to be involved, or they can choose not to be involved, 
according to the specs - the extent is ultimately up to them.  It is perhaps 
possible that some operators know nothing more about the intercepts happening 
on their network than what their bill tells them.  I can believe that but I 
would hope that it is rare.  Likewise, I believe that any operator who makes an 
effort to understand and have control over their network could be fooled so 
easily.

CALEA tap mechanism does not necessarily work as you have outlined.  The 
telecom industry fought for and won two other options that give the operator 
more involvement and authority over the execution of the intercepts.

All of the options end up impacting your network, as you have to decide how to 
feed a copy of all of the data belonging to the subscriber(s) named in a 
warrant to a CALEA probe.  The probe drops all of the packets that don't belong 
to the subject, then it ASN.1-encodes the data and tunnels it over the public 
network to a law-enforcement agency (or their contractor).

That's generally how it works.  Once the taps and probes and mediation device 
are in place, it's just a matter of provisioning.  But that engineering is the 
tough part - after that just about all you see is the warrant itself, and then 
some phone calls and email from the law-enforcement folks setting up the
transport stuff.  No lawyers visit, no law-enforcement officials visit, you 
just get a warrant and then how you handle it is up to you.

So if an operator chooses to engage themselves instead of handing control over 
to someone else, they can be quite sure of what is happening.  For reasons I 
don't quite understand, however, it doesn't seem like many operators who don't 
otherwise outsource ISP services do tend to outsource CALEA.

In my opinion, if you manage your own DNS and/or mail servers, you can handle 
CALEA.  Not only could it save you some money, but it gives you a discrete way 
to isolate test-traffic on your network with a more intuitive filter (ie 
subscriber name) than just an IP or a MAC address.*  If you live in wireshark 
all day then you will appreciate having the haystack separated from the needle 
before it enters your system.

The three options are:

1.  Rent CALEA gear - hand warrant to company X

2.  Build your own CALEA gear - evaluate and execute the warrant yourself.

3.  Buy company Y's gear - evaluate and execute the warrant yourself.

Obviously one could outsource the evaluation of a warrant to a third party;  
and sure you could probably have a private line between you and the LEA... the 
details vary, I am drawing a very generic picture here.

So, generally, the biggest problem is a technical one:  how to add this "tap" 
feature to your network - either with real physical taps or mirror-ports of 
some kind.  There are lots of such considerations and lots of options.  Once 
they're done you can probably make use of them for worthwhile operational 
purposes, but probably only with options 2 and 3.

The smaller problem is the legal one:  is a lawyer required to read the warrant 
and then make the provisioning call, or not?



* Disclosure:  I try not to be biased, but I do work for a vendor of a CALEA 
probe product, so "caveat lector".  Comments submitted here have nothing to do 
with my employer, however, and are provided only as a help to those that really 
don't know that they can and ought to be fully involved and aware of any "taps".


-- 
Rick Robino
















Re: chargen is the new DDoS tool?

2013-06-11 Thread Jimmy Hess
On 6/11/13, Justin M. Streiner  wrote:
> Other than providing another DDoS vector, I'm not aware of any legitimate
> reason to keep these services running and accessible.  As always, YMMV.

They are useful for troubleshooting and diagnostic purposes.   Just be
sure to limit the maximum possible response rate and bandwidth for any
source network,   and be sure to truncate the length of the response
to the length of the original query,  so they cannot be used for
amplification.   If you can't do that, then shut them off :)


The risk that they be used to DoS the server that runs those services remains.


> jms
--
-JH
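
Added example, not part of the post above: a sketch of the two limits described there, a reply never longer than the query and a token bucket per source network. The class and parameter names, the /24 and /64 grouping, the default rates and the loopback port are assumptions of this example; the cap on tracked networks only protects the limiter's own state table.

```python
import ipaddress
import itertools
import socket
import time

PRINTABLE = bytes(range(32, 127))  # the 95 printing ASCII characters used by RFC 864
RFC864_MAX = 512                   # RFC 864 upper bound for a UDP reply


class TokenBucket:
    """Refills at `rate` units per second, holds at most `burst` units."""

    def __init__(self, rate, burst, now):
        self.rate, self.burst = rate, burst
        self.tokens, self.stamp = float(burst), now

    def refill(self, now):
        elapsed = max(0.0, now - self.stamp)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.stamp = now


class HardenedChargen:
    """pps = replies per second, bps = reply bytes per second, per source network."""

    def __init__(self, pps=5, bps=1024, v4_prefix=24, v6_prefix=64, max_networks=4096):
        self.pps, self.bps = pps, bps
        self.v4_prefix, self.v6_prefix = v4_prefix, v6_prefix
        self.max_networks = max_networks
        self.buckets = {}  # source network -> (packet bucket, byte bucket)

    def _network(self, src_ip):
        ip = ipaddress.ip_address(src_ip)
        prefix = self.v4_prefix if ip.version == 4 else self.v6_prefix
        return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

    def respond(self, src_ip, query, now):
        """Return the reply payload, or None when the service stays silent."""
        length = min(len(query), RFC864_MAX)  # never longer than the query
        if length == 0:
            return None  # empty query: this example sends nothing at all
        key = self._network(src_ip)
        if key not in self.buckets:
            if len(self.buckets) >= self.max_networks:
                return None  # table full: fail closed rather than grow without bound
            self.buckets[key] = (TokenBucket(self.pps, self.pps, now),
                                 TokenBucket(self.bps, self.bps, now))
        pkts, octets = self.buckets[key]
        pkts.refill(now)
        octets.refill(now)
        if pkts.tokens < 1 or octets.tokens < length:
            return None  # over the packet or byte budget for this source network
        pkts.tokens -= 1
        octets.tokens -= length
        return bytes(itertools.islice(itertools.cycle(PRINTABLE), length))


def serve(host="127.0.0.1", port=1919):
    """Loopback UDP loop for testing (unprivileged port chosen for this example)."""
    svc = HardenedChargen()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((host, port))
        while True:
            query, peer = sock.recvfrom(2048)
            reply = svc.respond(peer[0], query, time.monotonic())
            if reply is not None:
                sock.sendto(reply, peer)


if __name__ == "__main__":
    svc = HardenedChargen(pps=2, bps=100)
    # Constructed queries: (source address, payload size, arrival time in seconds)
    for src, size, t in [("198.51.100.7", 10, 0.0), ("198.51.100.99", 10, 0.0),
                         ("198.51.100.7", 10, 0.0), ("198.51.100.7", 10, 1.0)]:
        reply = svc.respond(src, b"x" * size, t)
        print(src, t, "silent" if reply is None else f"{len(reply)} bytes")
```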



Re: chargen is the new DDoS tool?

2013-06-11 Thread Valdis . Kletnieks
On Tue, 11 Jun 2013 15:38:45 -0400, "David Edelman" said:
> I can just see someone spoofing a packet from victimA port 7/UDP to victimB
> port 19/UDP.

For a while, it was possible to spoof packets to create a TCP connection from a
machine's chargen port to its own discard port and walk away while it burned to
the ground.  Fun times.





RE: chargen is the new DDoS tool?

2013-06-11 Thread David Edelman
I can just see someone spoofing a packet from victimA port 7/UDP to victimB
port 19/UDP.  

--Dave


-Original Message-
From: Leo Bicknell [mailto:bickn...@ufp.org] 
Sent: Tuesday, June 11, 2013 3:13 PM
To: Bernhard Schmidt
Cc: nanog@nanog.org
Subject: Re: chargen is the new DDoS tool?


On Jun 11, 2013, at 10:39 AM, Bernhard Schmidt  wrote:

> This seems to be something new. There aren't a lot of systems in our 
> network responding to chargen, but those that do have a 15x 
> amplification factor and generate more traffic than we have seen with 
> abused open resolvers.

The number is non-zero?  In 2013?

While blocking it at your border is probably a fine way of mitigating the
problem, I would recommend doing an internal nmap scan for such things,
finding the systems that respond, and talking with their owners.

Please report back to NANOG after talking to them letting us know if the
owners were still using SunOS 4.x boxes for some reason, had accidentally
enabled chargen, or if some malware had set up the servers.  Inquiring minds
would like to know!

-- 
   Leo Bicknell - bickn...@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/









Re: chargen is the new DDoS tool?

2013-06-11 Thread Leo Bicknell

On Jun 11, 2013, at 10:39 AM, Bernhard Schmidt  wrote:

> This seems to be something new. There aren't a lot of systems in our
> network responding to chargen, but those that do have a 15x
> amplification factor and generate more traffic than we have seen with
> abused open resolvers.

The number is non-zero?  In 2013?

While blocking it at your border is probably a fine way of mitigating the 
problem, I would recommend doing an internal nmap scan for such things, finding 
the systems that respond, and talking with their owners.

Please report back to NANOG after talking to them letting us know if the owners 
were still using SunOS 4.x boxes for some reason, had accidentally enabled 
chargen, or if some malware had set up the servers.  Inquiring minds would like 
to know!

-- 
   Leo Bicknell - bickn...@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/









Re: chargen is the new DDoS tool?

2013-06-11 Thread Justin M. Streiner

On Tue, 11 Jun 2013, Vlad Grigorescu wrote:

> We got hit with this in September. UDP/19 became our busiest port
> overnight. Most of the systems participating were printers. We dropped
> it at the border, and had no complaints or ill effects.


Dropping the TCP and UDP "small services" like echo (not ICMP echo), 
chargen and discard as part of default firewall / filter policies probably 
isn't a bad idea.  Those services used to be enabled by default on Cisco 
routers, but that hasn't been the case since probably around 11.3 (mid-late 90s).


Other than providing another DDoS vector, I'm not aware of any legitimate 
reason to keep these services running and accessible.  As always, YMMV.


jms



Re: chargen is the new DDoS tool?

2013-06-11 Thread Charles Wyble
Hmmm. Do you not run a default deny at your border, which would catch this sort
of thing? Granted that's not always possible I suppose. Maybe block all UDP you
don't specifically need? Do you have an ids/ips? If not, look at SecurityOnion
on a SPAN port, it will provide great insight into what's happening.

Generally these sort of legacy services are only used for malicious activity
and will light up an ids/ips like a Christmas tree.

They must be old boxes. I can't think of any recent os distributions which would
even have these services listening, let alone installed.

Bernhard Schmidt  wrote:

>Heya everyone,
>
>we have been getting reports lately about unsecured UDP chargen servers
>in our network being abused for reflection attacks with spoofed sources
>
>http://en.wikipedia.org/wiki/Character_Generator_Protocol
>
>| In the UDP implementation of the protocol, the server sends a UDP
>| datagram containing a random number (between 0 and 512) of characters
>| every time it receives a datagram from the connecting host. Any data
>| received by the server is discarded.
>
>We are seeing up to 1500 bytes of response though.
>
>This seems to be something new. There aren't a lot of systems in our
>network responding to chargen, but those that do have a 15x
>amplification factor and generate more traffic than we have seen with
>abused open resolvers.
>
>Anyone else seeing that? Anyone who can think of a legitimate use of
>chargen/udp these days? Fortunately I can't, so we're going to drop
>19/udp at the border within the next hours.
>
>Regards,
>Bernhard

--
Charles Wyble 
char...@knownelement.com / 818 280 7059 
CTO Free Network Foundation (www.thefnf.org)


NIST - BGP-SRx now based on Quagga 0.99.22

2013-06-11 Thread Borchert, Oliver
For all that are interested in NIST's RPKI prefix/origin validation reference 
implementation for Quagga (BGPSRx / QuaggaSRx),
we merged the code from Quagga 0.99.16 to be based on Quagga 0.99.22.
The code is available at http://www-x.antd.nist.gov/bgpsrx

For questions or comments don't hesitate to contact us at
bgpsrx-...@nist.gov

Thanks,
Oliver

-
Oliver Borchert, Computer Scientist
National Institute of Standards and Technology
(Phone) 301.975.4856 , (Fax) 301.975.6238



Re: chargen is the new DDoS tool?

2013-06-11 Thread Vlad Grigorescu
We got hit with this in September. UDP/19 became our busiest port
overnight. Most of the systems participating were printers. We dropped it at 
the border, and had no complaints or ill effects.

—-Vlad Grigorescu
  Carnegie Mellon University


On Jun 11, 2013, at 11:39 AM, Bernhard Schmidt  wrote:

> Heya everyone,
> 
> we have been getting reports lately about unsecured UDP chargen servers
> in our network being abused for reflection attacks with spoofed sources
> 
> http://en.wikipedia.org/wiki/Character_Generator_Protocol
> 
> | In the UDP implementation of the protocol, the server sends a UDP
> | datagram containing a random number (between 0 and 512) of characters
> | every time it receives a datagram from the connecting host. Any data
> | received by the server is discarded.
> 
> We are seeing up to 1500 bytes of response though.
> 
> This seems to be something new. There aren't a lot of systems in our
> network responding to chargen, but those that do have a 15x
> amplification factor and generate more traffic than we have seen with
> abused open resolvers.
> 
> Anyone else seeing that? Anyone who can think of a legitimate use of
> chargen/udp these days? Fortunately I can't, so we're going to drop
> 19/udp at the border within the next hours.
> 
> Regards,
> Bernhard




Call for Papers: RIPE 67

2013-06-11 Thread Filiz Yilmaz

Dear NANOG Community, 

RIPE Programme Committee is now seeking proposals for RIPE 67 that will take
place in Athens during 14-18 October 2013.
Please find the CFP below and note the submission deadline: 4 August. 

We hope to see your contributions towards a successful programme with Plenary, 
BoF and Tutorial sessions.
If you have any questions, you can contact us at pc [at] ripe [dot] net.

Kind regards
Filiz Yilmaz
Chair, the RIPE Programme Committee

http://www.ripe.net/ripe/meetings/ripe-meetings/pc
http://www.ripe.net/ripe/meetings/ripe-meetings

---

Call for Papers: RIPE 67

A RIPE Meeting is an open event where Internet Service Providers, network 
operators and other interested parties get together. Although the meeting is 
mostly technical, it is also a chance for people to meet and network with 
others in their field.

RIPE 67 will take place on 14-18 October 2013 in Athens, Greece.

The RIPE Programme Committee (PC) is now seeking content proposals from the 
RIPE community for the Plenary, BoF and Tutorial sessions at RIPE 67. The PC is 
looking for presentations covering topics of network engineering and 
operations, including but not limited to:

- IPv6 deployment
- Managing IPv4 scarcity in operations
- Commercial transactions of IPv4 addresses
- Data center technologies
- Network and DNS operations
- Internet governance and regulatory practices
- Network and routing security
- Content delivery
- Internet peering and mobile data exchange


Submissions

Attendees of the RIPE meetings are quite sensitive to keeping presentations 
non-commercial, and product marketing talks are strongly discouraged. Repeated 
audience feedback shows that the most successful talks focus on operational 
experience, research results, or case studies. For example, presenters wishing 
to describe a commercial solution should focus on the underlying technology and 
not attempt a product demonstration.

Presenters who are proposing a panel or BoF are encouraged to include speakers 
from several (perhaps even competing) companies and/or a neutral facilitator.

In addition to presentations selected in advance for the Plenary, the RIPE PC 
also offers several time slots for “Lightning Talks” which are selected 
immediately before or during the conference.

The following requirements apply:

- Proposals for Plenary talks, BoFs, Panels and Tutorials must be submitted for 
full consideration no later than 4 August 2013, using the meeting submission 
system at:

https://ripe67.ripe.net/submit-topic/

Proposals submitted after this date will be considered on a space-available 
basis.

- Presenters should indicate how much time they will require (30 minutes for 
Plenary talks is a common maximum duration, although some talks can be longer).

- Proposals for talks will only be considered by the PC if they contain at 
least draft presentation slides (slides may be updated later on). For panels, 
proposals must contain a clear description as well as names of invited 
panelists, presenters and moderators.

- Due to potential technical issues, it is expected that most if not all 
presenters/panelists will be physically present at the RIPE meeting.

- Tutorials are sessions with educational content and are allotted about 2
hours. 

- BOFs (Birds of a Feather sessions) are informal gatherings on topics of 
shared interest  among RIPE Meeting attendees. Technical facilities and 
logistical support are limited and 
provided based on best effort and availability.  

- Lightning talks should also be submitted using the meeting submission system. 
They must be short (10 minutes maximum) and often involve more timely topics. 
They can be submitted at any time. The allocation of lightning talk slots will 
be announced one day prior to the relevant session.

If you have any questions or requests concerning content submissions, please 
email pc [at] ripe [dot] net.

  

Re: Webcasting as a replacement for traditional broadcasting (was Re: Wackie 'ol Friday)

2013-06-11 Thread Michael McConnell

On Jun 7, 2013, at 9:53 AM, Jay Ashworth  wrote:

> - Original Message -
>> From: "Michael Painter" 
> 
>> Anyone besides jra remember the last Super Bowl?
>> Better this year? Worse?
>> I'm sure whomever is listening in would like to know as well.
>> 
>> http://www.multichannel.com/blogs/translation-please/multicast-unicast-and-super-bowl-problem
> 
> Well, in fact, the most recent Massive Failure was the webcast of the 
> Concert For Boston, on 5/31.  They were using a vendor called LiveAlliance.tv,
> who did not appear to be farming it out to Limelight or Akamai or Youtube, as
> far as I could tell, and they apparently only figured for a scale 5 audience,
> and then got more than 500k attempts.

Such a common story. ..

> 
> They got rescued by a vendor named Fast Hockey who are an amateur hockey
> webcast aggregator, I gather, and *are* an Akamai client.
> 
> My estimation is that the reason that webcasting will never completely
> replace broadcasting is that -- because it is mostly unicast -- its
> inherent complexity factor is a) orders of magnitude higher than bcast, and
> b) *proportional to the number of viewers*.  Like Linux, that doesn't scale.

This is the primary reason companies including Internap, Peer1 and XO (The list
goes on and on, and includes several companies that only provide CDN services)
all used to run their own CDN networks and now all three have outsourced this
CDN service / sold their customers to Limelight. Edgecast even sold off all
their services in Asia and just runs a US based CDN.

The general policy in data centres has been 30 - 40% utilisation to allow for
bursting and unexpected temporary increases, in CDN it's more like 5 - 10%
especially when you are a CDN for hire you really can't make any predictions
about what your customers might do. It's common for CDNs to have entire racks
sitting powered off that only need to be powered up to join the cluster, our
company has multiple full racks per data centre just an alert to the NOC staff
or email away from being turned on.

> 
> And broadcasters are not prone to think of the world in a view where you
> have to provide technical support to people just to watch your show.
> 
> "He's at the 40... the 30... the 20... this is gonna be the Super Bowl, 
> folks... the 10... [buffering]"
> 
> Cheers,
> -- jra
> -- 
> Jay R. Ashworth  Baylink   
> j...@baylink.com
> Designer The Things I Think   RFC 2100
> Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII
> St Petersburg FL USA   #natog  +1 727 647 1274
> 


--

Michael McConnell
WINK Streaming;
email: mich...@winkstreaming.com
phone: +1 312 281-5433 x 7400
cell: +506 8706-2389
skype: wink-michael
web: http://winkstreaming.com



Re: chargen is the new DDoS tool?

2013-06-11 Thread Bernhard Schmidt
Brielle Bruns  wrote:

Hey,

>> we have been getting reports lately about unsecured UDP chargen servers
>> in our network being abused for reflection attacks with spoofed sources
>>
>> http://en.wikipedia.org/wiki/Character_Generator_Protocol
>>
>> | In the UDP implementation of the protocol, the server sends a UDP
>> | datagram containing a random number (between 0 and 512) of characters
>> | every time it receives a datagram from the connecting host. Any data
>> | received by the server is discarded.
>>
>> We are seeing up to 1500 bytes of response though.
>>
>> This seems to be something new. There aren't a lot of systems in our
>> network responding to chargen, but those that do have a 15x
>> amplification factor and generate more traffic than we have seen with
>> abused open resolvers.
>>
>> Anyone else seeing that? Anyone who can think of a legitimate use of
>> chargen/udp these days? Fortunately I can't, so we're going to drop
>> 19/udp at the border within the next hours.
>>
>
> *checks her calendar*  I for a second worried I might have woken up from 
> a 20 year long dream
>
> Are these like machines time forgot or just really bad configuration 
> choices?

Not sure. The affected IPs are strongly clustered around the Faculty of
Medicine, so from experience I would assume stone-old boxes. But not
sure yet.

Bernhard




Re: chargen is the new DDoS tool?

2013-06-11 Thread Brielle Bruns

On 6/11/13 9:39 AM, Bernhard Schmidt wrote:
> Heya everyone,
>
> we have been getting reports lately about unsecured UDP chargen servers
> in our network being abused for reflection attacks with spoofed sources
>
> http://en.wikipedia.org/wiki/Character_Generator_Protocol
>
> | In the UDP implementation of the protocol, the server sends a UDP
> | datagram containing a random number (between 0 and 512) of characters
> | every time it receives a datagram from the connecting host. Any data
> | received by the server is discarded.
>
> We are seeing up to 1500 bytes of response though.
>
> This seems to be something new. There aren't a lot of systems in our
> network responding to chargen, but those that do have a 15x
> amplification factor and generate more traffic than we have seen with
> abused open resolvers.
>
> Anyone else seeing that? Anyone who can think of a legitimate use of
> chargen/udp these days? Fortunately I can't, so we're going to drop
> 19/udp at the border within the next hours.

*checks her calendar*  I for a second worried I might have woken up from 
a 20 year long dream

Are these like machines time forgot or just really bad configuration 
choices?



--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org/ http://www.ahbl.org



chargen is the new DDoS tool?

2013-06-11 Thread Bernhard Schmidt
Heya everyone,

we have been getting reports lately about unsecured UDP chargen servers
in our network being abused for reflection attacks with spoofed sources

http://en.wikipedia.org/wiki/Character_Generator_Protocol

| In the UDP implementation of the protocol, the server sends a UDP
| datagram containing a random number (between 0 and 512) of characters
| every time it receives a datagram from the connecting host. Any data
| received by the server is discarded.

We are seeing up to 1500 bytes of response though.

This seems to be something new. There aren't a lot of systems in our
network responding to chargen, but those that do have a 15x
amplification factor and generate more traffic than we have seen with
abused open resolvers.

Anyone else seeing that? Anyone who can think of a legitimate use of
chargen/udp these days? Fortunately I can't, so we're going to drop
19/udp at the border within the next hours.

Regards,
Bernhard
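
An added example, not part of the original post: one way an operator could find the internal hosts described above from flow records, reporting each 19/udp responder, its amplification factor, and whether its replies exceed the 512 characters quoted from the protocol description. The flow tuple layout, the sample records and the 192.0.2.0/24 internal prefix are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

CHARGEN_PORT = 19
RFC864_MAX_PAYLOAD = 512  # RFC 864: a UDP chargen reply carries 0..512 characters

# Constructed flow records (not real traffic):
# (proto, src, sport, dst, dport, packets, UDP payload bytes)
SAMPLE_FLOWS = [
    ("udp", "198.51.100.7", 40000, "192.0.2.10", 19, 1000, 64000),
    ("udp", "192.0.2.10", 19, "198.51.100.7", 40000, 1000, 960000),
    ("udp", "198.51.100.7", 40001, "192.0.2.20", 19, 10, 640),
    ("udp", "192.0.2.20", 19, "198.51.100.7", 40001, 10, 3000),
    ("udp", "198.51.100.7", 40002, "192.0.2.30", 19, 10, 640),   # probed, silent
    ("udp", "192.0.2.50", 51000, "203.0.113.9", 19, 5, 320),     # internal client
    ("udp", "192.0.2.10", 53, "198.51.100.7", 40003, 4, 2000),   # not chargen
]

def find_chargen_reflectors(flows, internal_net):
    """Return per-host stats for internal hosts that answer on 19/udp."""
    net = ipaddress.ip_network(internal_net)
    stats = defaultdict(lambda: {"req": 0, "resp": 0, "resp_pkts": 0})
    for proto, src, sport, dst, dport, pkts, nbytes in flows:
        if proto != "udp":
            continue
        if dport == CHARGEN_PORT and ipaddress.ip_address(dst) in net:
            stats[dst]["req"] += nbytes            # request toward our host
        elif sport == CHARGEN_PORT and ipaddress.ip_address(src) in net:
            stats[src]["resp"] += nbytes           # reply leaving our host
            stats[src]["resp_pkts"] += pkts
    report = {}
    for host, s in stats.items():
        if s["resp_pkts"] == 0:
            continue  # received requests but never answered: not a reflector
        avg = s["resp"] / s["resp_pkts"]
        report[host] = {
            "amplification": round(s["resp"] / s["req"], 1) if s["req"] else None,
            "avg_response_bytes": round(avg),
            # an average above 512 means at least one reply broke the RFC limit
            "exceeds_rfc864": avg > RFC864_MAX_PAYLOAD,
        }
    return report

if __name__ == "__main__":
    for host, row in sorted(find_chargen_reflectors(SAMPLE_FLOWS, "192.0.2.0/24").items()):
        print(host, row)
```

Most flow exporters count IP-layer bytes rather than UDP payload, so subtract 28 bytes per packet (IPv4 plus UDP headers) before comparing against the 512-character limit.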




Re: Webcasting as a replacement for traditional broadcasting (was Re: Wackie 'ol Friday)

2013-06-11 Thread Rajiv Asati (rajiva)
This is very interesting and insightful. 

While the broadcasting would seem more efficient (and cheaper in many respect) 
than webcasting for the live content, the former can't quite serve multiple 
devices with varying form-factors with the same efficiency. The latter can. 
Isn't that a key differentiation? 

Cheers,
Rajiv

Sent from my Phone

On Jun 11, 2013, at 1:03 AM, "Michael Painter"  wrote:

> Jay Ashworth wrote:
> snip
>> And, quite aside from broadcast networks protecting the ad revenues
>> of their contracted affiliates -- the primary reason for most of the
>> (from an engineering standpoint) stupidity surrounding the intersection
>> of broadcasting and new technology -- social networking is beginning
>> to drive this aspect, to the point where the Golden Globes stopped
>> tape-delaying the west coast broadcast so those viewers didn't get
>> spoiled on twitter.
>> Thanks for your views, Eric.
>> Cheers,
>> -- jra
> 
> The Sportsbar I deal with has purchased every one of the Ultimate Fighting 
> Championships PPV events (161).
> Now, after UFC's deal with FOX, the prelims for any fight on FUEL are only 
> shown on...FACEBOOK.
> 
> Bad Craziness as Hunter Thompson would have said.
> 
> Thanks for everyone's comments.
> --Michael
>