Re: Synful Knock questions...

2015-09-16 Thread Roland Dobbins


On 16 Sep 2015, at 11:51, Paul Ferguson wrote:

Please bear in mind that the attacker *must* acquire credentials to 
access the box before exploitation.


And must have access to the box in order to utilize said credentials - 
which of course, there are BCPs intended to prevent same.


---
Roland Dobbins 


Re: Synful Knock questions...

2015-09-16 Thread Blake Hudson



Roland Dobbins wrote on 9/16/2015 1:27 AM:


On 16 Sep 2015, at 11:51, Paul Ferguson wrote:

Please bear in mind that the attacker *must* acquire credentials to 
access the box before exploitation.


And must have access to the box in order to utilize said credentials - 
which of course, there are BCPs intended to prevent same.




There's a big used equipment market. Even in the new equipment market, 
these devices could be intercepted prior to delivery.


Re: Synful Knock questions...

2015-09-16 Thread Michael Douglas
It's unlikely the routers that got exploited were the initial entry point
of the attack.  The chain of events can look like this:

spearfishing email with exploit laden attachment
end user opens attachment, internal windows endpoint compromised
malware makes outbound connection to command & control server on internet;
downloads more horrible stuff
threat actor has access to windows endpoint via reverse tunnel
threat actor makes lateral attacks to other windows endpoints; key loggers
installed
threat actor attacks windows AD servers
threat actor achieves domain admin; and/or harvests user credentials via
keyloggers
threat actor connects via vpn using harvested user credentials

At this point when they start messing around with routers, you're going to
see activity coming from the intended internal management range using legit
credentials.  When the compromise becomes advanced enough the malware stops
being used, and everything is done via legit credentials, which makes the
badness more difficult to distinguish.

Part 2 of the Mandiant blog is up, it discusses detection, and seems to
reinforce these are backdoored IOS images, and not ROMMON.  Although given
the Cisco PSIRT post about backdoored ROMMON recently, there's probably
multiple attack trends going on concurrently.

https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis0.html


On Wed, Sep 16, 2015 at 2:27 AM, Roland Dobbins  wrote:

>
> On 16 Sep 2015, at 11:51, Paul Ferguson wrote:
>
> Please bear in mind that the attacker *must* acquire credentials to access
>> the box before exploitation.
>>
>
> And must have access to the box in order to utilize said credentials -
> which of course, there are BCPs intended to prevent same.
>
> ---
> Roland Dobbins 
>


Re: Synful Knock questions...

2015-09-16 Thread Royce Williams
HD Moore just posted the results of a full-Internet ZMap scan.  I didn't
realize that it was remotely detectable.

79 hosts total in 19 countries.

https://zmap.io/synful/

Royce


RE: Re: Synful Knock questions...

2015-09-16 Thread Darden, Patrick
That could NEVER happen.  :-)  

--p

http://www.theregister.co.uk/2015/03/18/want_to_dodge_nsa_supply_chain_taps_ask_cisco_for_a_dead_drop/

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Blake Hudson
Sent: Wednesday, September 16, 2015 8:37 AM
To: nanog@nanog.org
Subject: [EXTERNAL]Re: Synful Knock questions...
.
.
.
There's a big used equipment market. Even in the new equipment market, these 
devices could be intercepted prior to delivery.


Re: Synful Knock questions...

2015-09-16 Thread Roland Dobbins

On 16 Sep 2015, at 21:00, Michael Douglas wrote:

It's unlikely the routers that got exploited were the initial entry 
point of the attack.


I understand all that, thanks.

At this point when they start messing around with routers, you're going to
see activity coming from the intended internal management range using legit
credentials.


It would still be quite difficult, and readily detected if accomplished, 
had BCPs such as AAA, per-command auth, per-command logging, and 
monitoring of same been implemented.  Plus, iACLs would prevent C&C 
comms, and monitoring of all traffic to/from router interfaces would 
potentially pick that up, as well.


---
Roland Dobbins 
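As an added illustration (not code from this thread, and not anything the posters wrote), the script below runs the kind of monitoring Roland describes over a handful of constructed TACACS+-style command-accounting lines. It flags commands issued from outside an assumed management range and, independently of source address, flags image- and boot-related commands, since an attacker who already holds VPN access and harvested credentials looks like a legitimate operator by address alone. The log line format, the 10.200.7.0/24 management range, the NAS addresses, user names and the command watchlist are assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample lines modelled on tac_plus-style command accounting output
# (date, NAS address, user, tty, remote address, record type, AV pairs).
# They are made up for this example and are not real log data.
SAMPLE_ACCOUNTING = """\
Sep 16 2015 02:11:07 10.10.1.5 alice tty2 10.200.7.31 stop task_id=41 service=shell priv-lvl=15 cmd=show ip bgp summary
Sep 16 2015 02:11:52 10.10.1.5 alice tty2 10.200.7.31 stop task_id=42 service=shell priv-lvl=15 cmd=show logging
Sep 16 2015 03:41:02 10.10.1.5 bob tty3 10.200.7.52 stop task_id=52 service=shell priv-lvl=15 cmd=copy tftp://10.200.7.52/c2900.bin flash:
Sep 16 2015 03:41:40 10.10.1.5 bob tty3 10.200.7.52 stop task_id=53 service=shell priv-lvl=15 cmd=configure terminal
Sep 16 2015 03:41:49 10.10.1.5 bob tty3 10.200.7.52 stop task_id=54 service=shell priv-lvl=15 cmd=boot system flash:c2900.bin
Sep 16 2015 04:05:30 10.10.1.6 carol tty1 192.0.2.77 stop task_id=61 service=shell priv-lvl=15 cmd=show version
Sep 16 2015 04:06:12 10.10.1.6 carol tty1 192.0.2.77 stop task_id=62 service=shell priv-lvl=15 cmd=reload
"""

# Assumed management range: command sessions from anywhere else are suspect by themselves.
MGMT_NETS = [ipaddress.ip_network("10.200.7.0/24")]

# Commands worth a second look even from an allowed source (assumed watchlist; it
# targets image replacement, boot path changes and ROMMON rewrites).
WATCHLIST = [
    (re.compile(r"^copy\b.*\bflash\d*:", re.I), "writes to flash (possible image replacement)"),
    (re.compile(r"^boot system\b", re.I), "changes the boot image"),
    (re.compile(r"^config-register\b", re.I), "changes the configuration register"),
    (re.compile(r"^upgrade rom-monitor\b", re.I), "rewrites ROMMON"),
    (re.compile(r"^reload\b", re.I), "reloads the router"),
]

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d\d:\d\d:\d\d) (?P<nas>\S+) (?P<user>\S+) "
    r"(?P<tty>\S+) (?P<remote>\S+) (?P<rtype>\S+) (?P<av>.*)$"
)


def parse_line(line):
    """Split one accounting line into fields; the cmd= pair is last and may contain spaces."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    cmd = re.search(r"\bcmd=(.*)$", rec["av"])
    rec["cmd"] = cmd.group(1).strip() if cmd else ""
    return rec


def triage(lines, mgmt_nets=MGMT_NETS):
    """Return (timestamp, nas, user, source, command, reasons) for every line that
    is either sourced outside the management range or runs a watchlisted command."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["cmd"]:
            continue
        reasons = []
        try:
            src = ipaddress.ip_address(rec["remote"])
            if not any(src in net for net in mgmt_nets):
                reasons.append(f"source {src} outside management range")
        except ValueError:
            reasons.append(f"source {rec['remote']!r} is not an IP address")
        for pattern, why in WATCHLIST:
            if pattern.search(rec["cmd"]):
                reasons.append(why)
        if reasons:
            findings.append((rec["ts"], rec["nas"], rec["user"], rec["remote"], rec["cmd"], reasons))
    return findings


if __name__ == "__main__":
    for ts, nas, user, src, cmd, reasons in triage(SAMPLE_ACCOUNTING.splitlines()):
        print(f"{ts} {nas} {user}@{src}: {cmd!r} -> {'; '.join(reasons)}")
```

The two checks are deliberately independent: bob's session comes from the management range and still trips the watchlist, which is exactly the case Michael describes where the source address and credentials both look legitimate.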


RE: SMS Gateway

2015-09-16 Thread Clayton Zekelman


As a retro twist on that, we still use alpha pagers with TAP. Basement 
level coverage on a single AA battery that lasts 3 months.


The nice thing about them is that you can turn your cellphone off at 
night (yes, I do that), and still know that important alerts will 
come through the pager.


At 01:36 PM 15/09/2015, Gary T. Giesen wrote:

Another option might be an analog modem + phone line + carrier TAP gateway
(if your carrier(s) has/have one). Might or might not be more
cost-effective.

GTG

> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Martin
> Hotze
> Sent: September 15, 2015 8:37 AM
> To: nanog@nanog.org
> Subject: Re: SMS Gateway
>
> > From: Leonardo Arena 
> > To: Graham Johnston 
> > Cc: "'nanog@nanog.org'" 
> >
> > Il giorno lun, 14/09/2015 alle 14.53 +, Graham Johnston ha scritto:
> > > Today we use a product from MultiTech Systems call MultiModem iSMS
> > > to
> > send SMS text messages from our monitoring system to our on call staff.
> > This is a 2G product and we need to replace it soon. I know there are
> > more generic cellular modems that can do texting if you are willing to
> > put in the effort, the product we use currently though has a simple
> > HTTP based API specifically to send SMS. Is anybody out there using
> > something similar that can work on 3G or 4G networks?
> > >
> >
> > Here we use SMSTools (http://smstools3.kekekasvi.com/) on a Linux box
> > with a Multitech Serial/USB modem. It takes formatted text files from
> > a spooling directory. It never let us down since some years.
>
> +1 for smstools.
>
> and I'd add playsms.org
>
> grab yourself a compatible USB 3G stick which you can switch to a modem.
eg
> a HUAWEI E1762 should work. You might want to look into a device with an
> antenna plug so you can put the antenna out of your cabinet for better
> reception.
>
> martin


--

Clayton Zekelman
Managed Network Systems Inc. (MNSi)
3363 Tecumseh Rd. E
Windsor, Ontario
N8W 1H4

tel. 519-985-8410
fax. 519-985-8409



Re: Synful Knock questions...

2015-09-16 Thread Stephen Fulton

Follow-up to my own post, Fireeye has code on github:

https://github.com/fireeye/synfulknock

On 2015-09-16 10:27 AM, Stephen Fulton wrote:

Interesting, anyone have more details on how to construct the scan using
something like nmap?

-- Stephen

On 2015-09-16 9:20 AM, Royce Williams wrote:

HD Moore just posted the results of a full-Internet ZMap scan.  I didn't
realize that it was remotely detectable.

79 hosts total in 19 countries.

https://zmap.io/synful/

Royce
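An added example, not from this thread and not FireEye's or HD Moore's code: a stateless scanner such as ZMap can only tell an implant from a clean router by something in the SYN/ACK that comes back, so the detection reduces to parsing a few TCP header fields and comparing them with what a normal stack would have produced for that probe. The block below builds two constructed SYN/ACK responses in pure Python (no scapy, no live packets, checksums left at zero) and checks each against the probe it supposedly answers. The two anomaly checks (acknowledgment number not equal to probe sequence plus one; urgent pointer set while the URG flag is clear) and all sample values are illustrative assumptions. The actual trigger and response values the real scanner keys on live in the FireEye repository linked above, and that is where a practitioner should take them from.

```python
import struct

TCP_SYN, TCP_ACK, TCP_URG = 0x02, 0x10, 0x20
# sport, dport, seq, ack, data offset/reserved, flags, window, checksum, urgent pointer
TCP_HDR = "!HHIIBBHHH"


def build_tcp_header(sport, dport, seq, ack, flags, urg_ptr=0, options=b"", window=8192):
    """Build a raw TCP header for constructed test traffic (checksum left at 0)."""
    options += b"\x00" * (-len(options) % 4)      # pad options to a 32-bit boundary
    data_offset = 5 + len(options) // 4            # header length in 32-bit words
    fixed = struct.pack(TCP_HDR, sport, dport, seq, ack,
                        data_offset << 4, flags, window, 0, urg_ptr)
    return fixed + options


def parse_tcp_header(raw):
    """Parse the fixed 20-byte TCP header and return the option bytes alongside the fields."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off, flags, window, _csum, urg_ptr = struct.unpack(TCP_HDR, raw[:20])
    hlen = (off >> 4) * 4
    if hlen < 20 or hlen > len(raw):
        raise ValueError("bad data offset")
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
            "window": window, "urg_ptr": urg_ptr, "options": raw[20:hlen]}


def handshake_anomalies(probe_seq, response_raw):
    """List the ways a SYN/ACK deviates from a normal reply to a SYN whose sequence
    number was probe_seq. An empty list means the response looks ordinary."""
    hdr = parse_tcp_header(response_raw)
    if hdr["flags"] & (TCP_SYN | TCP_ACK) != (TCP_SYN | TCP_ACK):
        return ["response is not a SYN/ACK"]
    anomalies = []
    expected_ack = (probe_seq + 1) & 0xFFFFFFFF
    if hdr["ack"] != expected_ack:
        anomalies.append(f"ack 0x{hdr['ack']:08x}, expected 0x{expected_ack:08x}")
    if hdr["urg_ptr"] and not hdr["flags"] & TCP_URG:
        anomalies.append(f"urgent pointer 0x{hdr['urg_ptr']:04x} set without URG flag")
    return anomalies


def classify_responses(probe_seq, responses):
    """Map each responding host to its anomaly list, the way a scan output would."""
    return {host: handshake_anomalies(probe_seq, raw) for host, raw in responses.items()}


# Constructed SYN/ACKs as an assumed scanner would capture them; every value is made up.
PROBE_SEQ = 0x10000000
MSS_OPTION = b"\x02\x04\x05\xb4"                   # MSS 1460, present in any ordinary SYN/ACK
NORMAL_SYNACK = build_tcp_header(80, 40000, 0x5EEDF00D, PROBE_SEQ + 1,
                                 TCP_SYN | TCP_ACK, options=MSS_OPTION)
SUSPECT_SYNACK = build_tcp_header(80, 40000, 0x5EEDF00D, PROBE_SEQ + 0x1234,
                                  TCP_SYN | TCP_ACK, urg_ptr=0x0001, options=MSS_OPTION)
SAMPLE_RESPONSES = {"192.0.2.10": NORMAL_SYNACK, "192.0.2.20": SUSPECT_SYNACK}

if __name__ == "__main__":
    for host, found in classify_responses(PROBE_SEQ, SAMPLE_RESPONSES).items():
        print(host, "suspect:" if found else "normal", "; ".join(found))
```

Because the check only needs the probe's own sequence number and the raw reply, it fits the fire-and-forget model of a full-Internet scan: no per-host state beyond the sequence number the scanner chose, which is why this class of implant was findable in a single pass.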



Re: Synful Knock questions...

2015-09-16 Thread Stephen Fulton
Interesting, anyone have more details on how to construct the scan using 
something like nmap?


-- Stephen

On 2015-09-16 9:20 AM, Royce Williams wrote:

HD Moore just posted the results of a full-Internet ZMap scan.  I didn't
realize that it was remotely detectable.

79 hosts total in 19 countries.

https://zmap.io/synful/

Royce



Ashburn

2015-09-16 Thread Matt Hoppes
What the world is going on in Ashburn?  Over the last two days I've seen 
multiple flaps from multiple carriers going through there.  They 
generally last about two to three minutes and then everything restores.


Re: Sign-On Letter to the Court in the FCC's Net Neutrality Case

2015-09-16 Thread Peter Beckman

Why don't you post a copy here or a link?

The message seems good; the process is broken.

Beckman

On Tue, 15 Sep 2015, Eric Brunner-Williams wrote:


i read it, its rather good.

-e

On 9/12/15 12:45 PM, John Levine wrote:

/*If you're willing to sign on and help today, please email me directly
(off list) */and I will be happy to share a copy of the letter for you
to review before you agree to sign on.

Why don't you just send us a copy or a link?  If you're planning to
file it as an amicus it's not like it's going to be a secret for very
long.

Regards,
John Levine, jo...@iecc.com, Primary Perpetrator of "The Internet for 
Dummies",

Please consider the environment before reading this e-mail. http://jl.ly







---
Peter Beckman  Internet Guy
beck...@angryox.com http://www.angryox.com/
---


Re: Ashburn

2015-09-16 Thread Christopher Morrow
removal of nsa taps

On Wed, Sep 16, 2015 at 10:34 AM, Matt Hoppes
 wrote:
> What the world is going on in Ashburn?  Over the last two days I've seen
> multiple flaps from multiple carriers going through there.  They generally
> last about two to three minutes and then everything restores.


Re: Ashburn

2015-09-16 Thread Matt Hoppes
I heard that yesterday... I can't figure out why NTT having issues is 
affecting other carriers that peer in Ashburn though... must be a 
routing table blowing up somewhere there.


On 9/16/15 11:32 AM, Justin wrote:

I know NTT is having issues. We received an RFO stating there was an
issue and they were going to do software upgrades to fix.

On Wed, Sep 16, 2015 at 10:34 AM, Matt Hoppes
> wrote:

What the world is going on in Ashburn?  Over the last two days I've
seen multiple flaps from multiple carriers going through there.
They generally last about two to three minutes and then everything
restores.




Re: Ashburn

2015-09-16 Thread Justin
I know NTT is having issues. We received an RFO stating there was an issue
and they were going to do software upgrades to fix.

On Wed, Sep 16, 2015 at 10:34 AM, Matt Hoppes 
wrote:

> What the world is going on in Ashburn?  Over the last two days I've seen
> multiple flaps from multiple carriers going through there.  They generally
> last about two to three minutes and then everything restores.
>


Re: Ashburn

2015-09-16 Thread Keith Stokes
Or router bugs.

Or even inserting new NSA taps since some of the rest have been caught.

---

Keith Stokes


From: NANOG  on behalf of Christopher Morrow 

Sent: Wednesday, September 16, 2015 10:34 AM
To: Matt Hoppes
Cc: North American Network Operators' Group
Subject: Re: Ashburn

removal of nsa taps

On Wed, Sep 16, 2015 at 10:34 AM, Matt Hoppes
 wrote:
> What the world is going on in Ashburn?  Over the last two days I've seen
> multiple flaps from multiple carriers going through there.  They generally
> last about two to three minutes and then everything restores.


Re: Ashburn

2015-09-16 Thread Jared Mauch
If there are ongoing issues at NTT I’m not aware of them, please contact me 
off-list with details.  Happy to follow-up.

- Jared

> On Sep 16, 2015, at 11:36 AM, Matt Hoppes  wrote:
> 
> I heard that yesterday... I can't figure out why NTT having issues is 
> affecting other carriers that peer in Ashburn though... must be a routing 
> table blowing up somewhere there.
> 
> On 9/16/15 11:32 AM, Justin wrote:
>> I know NTT is having issues. We received an RFO stating there was an
>> issue and they were going to do software upgrades to fix.
>> 
>> On Wed, Sep 16, 2015 at 10:34 AM, Matt Hoppes
>> > wrote:
>> 
>>What the world is going on in Ashburn?  Over the last two days I've
>>seen multiple flaps from multiple carriers going through there.
>>They generally last about two to three minutes and then everything
>>restores.
>> 
>> 



Re: Ashburn

2015-09-16 Thread Jared Mauch
*chuckle*

I did hear rumors of a fiber cut yesterday in the area but no hard details.

- Jared

> On Sep 16, 2015, at 11:34 AM, Christopher Morrow  
> wrote:
> 
> removal of nsa taps
> 
> On Wed, Sep 16, 2015 at 10:34 AM, Matt Hoppes
>  wrote:
>> What the world is going on in Ashburn?  Over the last two days I've seen
>> multiple flaps from multiple carriers going through there.  They generally
>> last about two to three minutes and then everything restores.



Re: root zone archive

2015-09-16 Thread Sean Donelan

On Thu, 17 Sep 2015, Joe Abley wrote:
Is anybody here aware of a complete or partial archive of root zone data that 
is older than the set available at DNS-OARC? OARC's archive has nothing older 
than July 2009.


I covered most of the root changes up to 2002 on a DNS timeline.

http://www.donelan.com/dnstimeline.html




Re: root zone archive

2015-09-16 Thread Joe Abley

Hi Alvin,

On 17 Sep 2015, at 1:27, alvin nanog wrote:


On 09/17/15 at 12:33am, Joe Abley wrote:
...
I'm particularly interested in zone data that describes the build out of the
original root zone NS set to nine servers in mid-1994, the renaming under
the ROOT-SERVERS.NET domain and the subsequent assignment of J, K, L and M.


wouldn't that info be in the files included with bind-0.x


I don't know, but worth a look. Good idea, thanks!


Joe


root zone archive

2015-09-16 Thread Joe Abley

Hi all,

Is anybody here aware of a complete or partial archive of root zone data 
that is older than the set available at DNS-OARC? OARC's archive has 
nothing older than July 2009.


I'm particularly interested in zone data that describes the build out of 
the original root zone NS set to nine servers in mid-1994, the renaming 
under the ROOT-SERVERS.NET domain and the subsequent assignment of J, K, 
L and M.


I realise this is a bit of a long shot, but the answer's always no if 
you don't ask :-)


[I'm asking the same question on a small handful of lists; apologies if 
you get multiple copies of this.]



Joe


Re: root zone archive

2015-09-16 Thread alvin nanog

hi

On 09/17/15 at 12:33am, Joe Abley wrote:
...
> I'm particularly interested in zone data that describes the build out of the
> original root zone NS set to nine servers in mid-1994, the renaming under
> the ROOT-SERVERS.NET domain and the subsequent assignment of J, K, L and M.

wouldn't that info be in the files included with bind-0.x 

have fun
alvin