Re: RIP Dave Mills

2024-01-28 Thread Hal Murray
Word got out a week ago with a message from Vint Cerf to the internet-history 
list.

The thread Vint started is here:
  https://elists.isoc.org/pipermail/internet-history/2024-January/009265.html

Vint is collecting anecdotes here:

Many good stories...  So much more than NTP.



-- 
These are my opinions.  I hate spam.





Re: Northern Virginia has had enough with data centers

2023-06-24 Thread Hal Murray


> Even traditional data centers have not been known to be especially
> considerate about scheduling their -loud- genset tests. Doesn't matter so
> much in the middle of an industrial zone but when you do it near where people
> live you're going to make them angry. 

Why are gensets loud?

Is there a fundamental physics problem or are they all designed for industrial 
areas where the noise isn't much of a problem?

If I wanted a less noisy one, could I get it?  How much more would it cost?

Are the zoning people smart enough to include noise limits?  ...


-- 
These are my opinions.  I hate spam.





Re: ntp with dhcp

2021-10-03 Thread Hal Murray


> I'm looking for statistics on setting NTP servers on clients using DHCP, in
> the wild. Does anyone know if there is any available somewhere? 

That brings up an interesting can of worms.

If you run a NAT box with lots of clients, please don't point your NTP clients 
at the pool.  I can't tell your/their traffic from DDoS traffic.

Please setup your own NTP server(s) and point your customers at them.  (If you 
need help with that, poke me off-list.)

I have a couple of servers in the pool.  The pool distributes the load by 
rotating DNS entries with a 150 second TTL.  I see bursts of 100 to 1000 
requests per second for roughly 150 seconds.



-- 
These are my opinions.  I hate spam.





Re: "Hacking" these days - purpose?

2020-12-16 Thread Hal Murray
> Simple question: What's the purpose of obtaining illicit access to  random
> devices on the Internet these days ...

Aside from stealing user's information, there is also stealing industrial and 
diplomatic secrets.

The Chinese stole a lot of F-35 info.

The news is full of Russians hacking into US Treasury and Commerce 
Departments and probably more.



-- 
These are my opinions.  I hate spam.





Re: Is there any data on packet duplication?

2020-06-23 Thread Hal Murray via NANOG


b...@herrin.us said:
>  NTP you say? How does iburst work during initial sync up?

How does it work, or how should it work?  1/2 :)

NTP has been around for a long time.  It looks very simple, so anybody thinks 
they can toss off an implementation without much thought.  It will probably 
work, mostly.

The response from an NTP server includes a timestamp that the client put into 
the request.  The client can use that to reject delayed responses to a 
previous request.

When I first started looking for duplicates, I found lots of them.  They were 
NTP version 1 requests.  NTP is up to version 4.  Version 1 came out in 1988, 
RFC 1059.  Since the requests are identical, there is no way for the client to 
separate expected responses from delayed responses from a previous request.

Does anybody happen to know what equipment or software or OS/distro is sending 
version 1 requests?


-- 
These are my opinions.  I hate spam.
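The origin-timestamp check described above, as an added example (not code from the post or from ntpsec): a Python sketch of the 48-byte header that builds a request, lets a server echo the transmit timestamp into the origin field, and shows why a client whose requests carry an all-zero transmit timestamp (the identical-request case) cannot tell a late reply from a fresh one. The packet builders, the field values and the zero-transmit client are constructed for illustration.

```python
import struct
import time

# 48-byte NTP header (same layout in RFC 1059 v1 and RFC 5905 v4):
# LI/VN/mode, stratum, poll, precision, root delay, root dispersion,
# reference id, reference ts, origin ts, receive ts, transmit ts.
NTP_FORMAT = "!BBbbIIIQQQQ"
ORIGIN_FIELD, TRANSMIT_FIELD = 8, 10   # indexes into the unpacked tuple
NTP_EPOCH_OFFSET = 2208988800          # 1900-01-01 to 1970-01-01 in seconds


def to_ntp_timestamp(unix_time):
    """64-bit NTP timestamp: 32 bits of seconds since 1900, 32 bits of fraction."""
    secs = int(unix_time) + NTP_EPOCH_OFFSET
    frac = int((unix_time - int(unix_time)) * (1 << 32))
    return (secs << 32) | frac


def build_request(version, transmit_ts):
    """Client request (mode 3). The transmit timestamp is the only field that
    lets the client later recognise the reply as its own."""
    li_vn_mode = (version << 3) | 3
    return struct.pack(NTP_FORMAT, li_vn_mode, 0, 0, 0, 0, 0, 0, 0, 0, 0, transmit_ts)


def build_response(request, now_ts):
    """Server reply (mode 4): the request's transmit timestamp is echoed back
    in the origin field, which is the behaviour the post relies on."""
    fields = struct.unpack(NTP_FORMAT, request)
    version = (fields[0] >> 3) & 7
    li_vn_mode = (version << 3) | 4
    return struct.pack(NTP_FORMAT, li_vn_mode, 2, 0, -20, 0, 0, 0,
                       now_ts, fields[TRANSMIT_FIELD], now_ts, now_ts)


def origin_matches(request, response):
    """Client-side check: accept a reply only if its origin timestamp equals
    the transmit timestamp of the request we are still waiting on."""
    sent = struct.unpack(NTP_FORMAT, request)[TRANSMIT_FIELD]
    echoed = struct.unpack(NTP_FORMAT, response)[ORIGIN_FIELD]
    return sent == echoed


def demo_distinct_transmit():
    """Two v4 polls 64 s apart carry different transmit timestamps, so a reply
    to the first that arrives late is rejected against the second, while the
    real reply to the second is accepted. Returns (late_rejected, fresh_accepted)."""
    t0 = time.time()
    req1 = build_request(4, to_ntp_timestamp(t0))
    req2 = build_request(4, to_ntp_timestamp(t0 + 64))
    late_reply_to_req1 = build_response(req1, to_ntp_timestamp(t0 + 64.5))
    reply_to_req2 = build_response(req2, to_ntp_timestamp(t0 + 64.1))
    return (not origin_matches(req2, late_reply_to_req1),
            origin_matches(req2, reply_to_req2))


def demo_zero_transmit():
    """Constructed case matching the identical v1 requests in the post: the
    client leaves the transmit timestamp at zero, so every request is
    byte-identical and a late reply to an earlier request passes the check
    for the current one. Returns (requests_identical, late_reply_accepted)."""
    req1 = build_request(1, 0)
    req2 = build_request(1, 0)
    late_reply_to_req1 = build_response(req1, to_ntp_timestamp(time.time()))
    return (req1 == req2, origin_matches(req2, late_reply_to_req1))


if __name__ == "__main__":
    print("v4, distinct transmit timestamps:", demo_distinct_transmit())
    print("v1, zero transmit timestamp:     ", demo_zero_transmit())
```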





Is there any data on packet duplication?

2020-06-22 Thread Hal Murray


How often do packets magically get duplicated within the network so that the 
target receives 2 copies?  That seems like something somebody at NANOG might 
have studied and given a talk on.

Any suggestions for other places to look?

Context is NTP.  If a client gets an answer, should it keep the socket around 
for a short time so that any late responses or duplicates from the network 
don't turn into ICMP port unreachable back at the server?  Nothing critical, 
just general clutter reduction.

I have packet captures from a NTP server.  I'm trying to sort things out.  
There are a surprising (to me) number of duplicates that arrive back-to-back, 
sometimes the timestamp is the same microsecond.  They could come from buggy 
clients, but that seems like an unlikely sort of bug.

-- 
These are my opinions.  I hate spam.





Re: Abuse Desks

2020-04-30 Thread Hal Murray


Mike Hammett said:
> IMO, the answer is balance.
> - Handful of SSH connection attempts against a server. Nobody got in,
> security hardening did its job. I don't think that is worth reporting. -
> Constant brute force SSH attempts from a given source over an extended period
> of time, or a clear pattern of probing, yes, report that. 

The bad guys have already gamed that system.  If you have a zillion bots, you 
can have each bot try a different name/password on a large batch of IP 
Addresses.  A victim only sees one try from each bot.

The daily logwatch reports that land in my mailbox are full of ssh attempts
that end with ": 1 Time".

---

Matt Corallo said:
> I'm open to ideas on what to do here, but the abuse system as it exists today
> is clearly broken for me, and it's clearly broken for AWS/GCP/Azure/OVH/etc -
> have you ever tried emailing their registered abuse contacts? I have, the
> problem doesn't go away and there are no responses. 

> especially given most of the real crap out there comes from hosting providers
> like the above who don't have the bandwidth to respond.

"don't have the bandwidth" is an interesting term.  Is that because the 
problem is really hard and it would take a lot of bandwidth/money/whatever, or 
because they choose not to spend money on it and the rest of the net is 
letting them get away with it?

--

Tom Beecher said:
> Abuse departments should be properly handling LEGITIMATE abuse complaints.
> Not crufty background noise traffic that is never going away. 

Agreed.  But the abuse desk is the only place where somebody can find the 
signal in the noise, and with the current pattern, much of the signal is 
trying to hide in the noise.  The abuse desk will only see the signal if 
people actually send in abuse reports and the abuse desk actually looks at 
them.

--

Laszlo Hanyecz said:
> A lot of this other stuff is just people abusing the abuse contacts to get
> someone else taken offline.  Phishing websites fall into this category -
> it's not network abuse, it's just content someone doesn't like, and one way
> to get it taken down is to threaten the network that carries the traffic for
> it.

I don't report phishing websites unless somebody spams me with the URL.


-- 
These are my opinions.  I hate spam.
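To show how the one-try-per-bot pattern slips past a per-source threshold, an added example that is not part of the thread: Python that parses constructed sshd failed-password lines, applies the "handful of attempts" rule per source, and then re-counts by time window so that forty single-attempt sources surface as one campaign. The log lines, the host name "gw", the RFC 5737 addresses and the assumed year 2020 are all constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# sshd "Failed password" lines as they appear in auth.log / journald.
LOG_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) "
    r"port \d+ ssh2$"
)
LOG_YEAR = 2020   # syslog lines carry no year; assumed for the constructed sample


def parse_failures(lines):
    """Yield (unix_time, user, src_ip) for every failed-password line."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(
            f"{LOG_YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
        ).replace(tzinfo=timezone.utc)
        yield ts.timestamp(), m["user"], m["src"]


def noisy_sources(events, min_attempts=5):
    """The per-source policy from the thread: report an address only once it
    has made min_attempts or more. A bot that tries once stays below the bar."""
    counts = Counter(src for _, _, src in events)
    return {src: n for src, n in counts.items() if n >= min_attempts}


def distributed_campaigns(events, window=3600, min_sources=20):
    """Aggregate by time window instead of by source: a window in which many
    distinct addresses each fail a login is one campaign, even though each
    address on its own reads ': 1 Time' in a logwatch report."""
    by_window = defaultdict(list)
    for t, user, src in events:
        by_window[int(t // window)].append((user, src))
    report = []
    for idx in sorted(by_window):
        srcs = {src for _, src in by_window[idx]}
        if len(srcs) >= min_sources:
            report.append({
                "window_start": idx * window,
                "distinct_sources": len(srcs),
                "attempts": len(by_window[idx]),
                "users": sorted({user for user, _ in by_window[idx]}),
            })
    return report


# Constructed sample: 40 bots, one guess each, inside one hour, plus one
# clumsy source that hammers root six times and would be reported either way.
SAMPLE_LOG = [
    f"Apr 30 03:{i // 60:02d}:{i % 60:02d} gw sshd[{4000 + i}]: Failed password "
    f"for invalid user admin from 203.0.113.{i + 1} port {40000 + i} ssh2"
    for i in range(40)
] + [
    f"Apr 30 04:10:{i:02d} gw sshd[5000]: Failed password for root "
    f"from 198.51.100.7 port {50000 + i} ssh2"
    for i in range(6)
]


if __name__ == "__main__":
    events = list(parse_failures(SAMPLE_LOG))
    print("per-source policy reports:", noisy_sources(events))
    for campaign in distributed_campaigns(events):
        print("campaign:", campaign)
```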





RE: Backhoe season?

2020-03-29 Thread Hal Murray


> I heard, and am seeing that construction type jobs don't seem to be affected
> much with the virus shutdown.  I mean I see guys building homes and working
> on roads all around me...  furthermore, we've heard of a couple fiber cuts
> that have brought portions of our network down a couple times in the last
> week or so. 

I suspect any reduction in backhoe activity will depend strongly on where you 
are looking.  The San Francisco Bay area, including Silicon Valley is taking 
things seriously.

From the City of Menlo Park, Calif, March 20th:

   Due to the statewide stay-at-home order, effective Friday, March 20, no
   construction activity is allowed within the city of Menlo Park, except
   for essential infrastructure projects as determined by the City
   Manager/Emergency Services Director, until further notice. Active
   construction sites are instructed to secure their site and cease all
   further work immediately. Only activities necessary to address
   immediate health and safety concerns, as determined by the City
   Manager/Emergency Services Director, are allowed. This action is not
   taken lightly and is out of extreme concern for the health and safety
   of construction workers and city employees. Further guidance in light
   of this decision is expected to be released the week of March 23, 2020.
   Please visit the city website at menlopark.org/coronavirus for updates.



-- 
These are my opinions.  I hate spam.





Re: UDP/123 policers & status

2020-03-23 Thread Hal Murray
Steven Sommars said:
> The secure time transfer of NTS was designed to avoid amplification attacks.

I work on NTP software (ntpsec).  I have a couple of low cost cloud servers in 
the pool where I can test things and collect data.

I see bursts of 10K to several million packets "from" the same IP Address at 
1K to 10K packets per second.  Ballpark of 100 events per day, depending on 
the size cutoff.  I saw one that lasted for most of a day at 1K packets/sec.

All the packets I've seen have been vanilla NTP requests - no attempt at 
amplification.  I'm only checking a very small fraction of the garbage.

I haven't seen any pattern in the target IP Address.  Reverse DNS names that 
look like servers are rare.  I see legitimate NTP requests from some of the 
targets.

Would data be useful?  If so, who, what, ... (poke me off list)

I don't see any good solution that a NTP server can implement.  If I block 
them all, the victim can't get time.  If I let some fraction through, that 
just reduces the size of the DDoS.  I don't see a fraction that lets enough 
through so the victim is likely to get a response to a legitimate request 
without also getting a big chunk of garbage.  I'm currently using a fraction 
of 0.  If the victim is using several servers, one server getting knocked out 
shouldn't be a big deal.  (The pool mode of ntpd should drop that system and 
use DNS to get another.)

If NTS is used, it would be possible to include the client's IP Address in the 
cookie and only respond to requests with cookies that were issued to the 
client.  That has privacy/tracking complications.

--

I don't want to start a flame war, but why isn't BCP 38 widely deployed?  Can 
somebody give me a pointer to a talk at NANOG or such?  What fraction of the 
world does implement BCP 38?

I'd also be interested in general background info on DDoS.  Who is DDoS-ing 
whom and/or why?  Is this gamers trying to get an advantage on a competitor?  
Bad guys making a test run to see if the server can be used for a real run?  
Is DDoS software widely available on the dark web?  ...





-- 
These are my opinions.  I hate spam.
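An added example, not from Hal's servers or from ntpsec, of how bursts of the kind described above (thousands of packets per second "from" one address, filtered by a size cutoff) can be pulled out of a per-packet trace: Python that counts requests per source per second and merges consecutive hot seconds into events. The trace, the addresses, the rates and the cutoffs are constructed.

```python
from collections import defaultdict


def per_second_counts(packets):
    """packets: iterable of (unix_time, src_ip) for inbound NTP requests.
    Returns {(src_ip, whole_second): packet count}."""
    counts = defaultdict(int)
    for t, src in packets:
        counts[(src, int(t))] += 1
    return counts


def find_bursts(packets, pps_threshold=1000, min_packets=10000, max_gap=2):
    """Group, per source address, the seconds at or above pps_threshold into
    contiguous runs (dips of up to max_gap seconds are bridged) and report the
    runs carrying at least min_packets. Sources below the rate or below the
    size cutoff, such as ordinary pool clients, never appear."""
    hot = defaultdict(list)
    for (src, sec), n in per_second_counts(packets).items():
        if n >= pps_threshold:
            hot[src].append((sec, n))

    events = []
    for src, seconds in hot.items():
        seconds.sort()
        run = None   # [start_second, last_second, packets, peak_pps]
        for sec, n in seconds + [(None, 0)]:      # sentinel flushes the last run
            if run is not None and sec is not None and sec - run[1] <= max_gap:
                run[1], run[2], run[3] = sec, run[2] + n, max(run[3], n)
                continue
            if run is not None and run[2] >= min_packets:
                events.append({"src": src, "start": run[0],
                               "duration_s": run[1] - run[0] + 1,
                               "packets": run[2], "peak_pps": run[3]})
            run = None if sec is None else [sec, sec, n, n]
    events.sort(key=lambda e: e["start"])
    return events


# Constructed trace (RFC 5737 addresses): one source at 2000 pps for 6 s,
# one at 1500 pps for only 3 s (above the rate, below the size cutoff), and
# fifty normal clients polling once each.
SAMPLE_TRACE = (
    [(100 + s + i / 2000, "192.0.2.99") for s in range(6) for i in range(2000)]
    + [(300 + s + i / 1500, "192.0.2.7") for s in range(3) for i in range(1500)]
    + [(50 + 64 * k, f"198.51.100.{k}") for k in range(50)]
)


if __name__ == "__main__":
    for event in find_bursts(SAMPLE_TRACE):
        print(event)
```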





RE: Internet diameter?

2018-11-24 Thread Hal Murray


Keith Medcalf  said:
> "just static content" would be more accurate ...

  and using http rather than https

> There were many attempts at this by Johnny-cum-lately ISPs back in the 90's
> -- particularly Telco and Cableco's -- with their "transparent poxies".
> Eventually they discovered that it was more cost efficient to actually
> provide the customer with what the customer had purchased. 

One of the complications in this area is an extra layer of logging which could 
turn into privacy invasion.

I'm pretty sure it was Comcast, but a quick search didn't find a good 
reference.  Many years ago, there were a lot of complaints when customers 
discovered that their transparent proxy web site traffic was getting logged.  
Comcast said they weren't using it for anything beyond normal operations work, 
but nobody believed them.  Shortly after that, they gave up on proxying.

I'm sure the general reputation of modern Telcos and Cablecos for privacy 
invasion didn't help.


-- 
These are my opinions.  I hate spam.





Re: WWV Broadcast Outages

2017-03-02 Thread Hal Murray
"Majdi S. Abbas"  said:
>   That said, I and many others "still use" WWV -- there aren't exactly a
> surplus of suitable backup methods to GPS these days. 

Any suggestions for gear and/or software that works with WWV (or CHU)?  Or 
general suggestions for non GPS sources of time?

Dave Mills had a driver in ntpd that used a PC audio port to listen to WWV.  
I don't know anybody who ever used it.  I think there was code to tell some 
brand of receiver with a serial/USB port how to change frequencies so you 
could use the one that worked best for that time of day.

There used to be WWVB (60 KHz) receivers.  The good ones phase locked to the 
carrier.  The general rise in EMI made those close to useless in most 
locations.  NIST finished the job when they changed the modulation format a few 
years ago.  As far as I know, there aren't any replacements for the old gear 
that take advantage of the new modulation format.  GPS works too well.

There are some boxes that recover the time from nearby cell phone towers.  I 
think they will stop working as the towers get upgraded to the newer 
protocols that use a different form of timing.  That will probably take many 
years.  But the cell phone towers depend on GPS.  (You can usually spot the 
conical antenna(s) if you look around a bit.)



-- 
These are my opinions.  I hate spam.





Re: ddos attack blog

2014-02-14 Thread Hal Murray

> I was being a bit extreme, I don't expect UDP to be blocked and there are
> valid uses for NTP and it needs to pass. Can you imagine the trading
> servers not having access to NTP? 

Sure.

They could setup internal NTP servers listening to GPS.  Would it be as good 
overall as using external servers?   Probably not, but it might be good 
enough.  I doubt if it would be very high on any trading floors list of nasty 
problems.

They could arrange to poke holes through the generic UDP block - whitelist 
the few known cases where UDP traffic is expected.  Would it be a pain to 
administer?  Probably, but I'll bet it could be made to work.


-- 
These are my opinions.  I hate spam.






Re: [VoiceOps] (cross post) VoIP heat charts...

2014-01-15 Thread Hal Murray
> http://www.nanpa.com/nanp1/allutlzd.zip lists NPANXX and Ratecentre.

How does number portability interact with this?

What fraction of numbers have been ported?  (Where should I look/google to 
find the answer?)


-- 
These are my opinions.  I hate spam.






Re: Mikrotik Cloud Core Router and BGP real life experiences?

2013-12-27 Thread Hal Murray

nanog-requ...@nanog.org said:
> We replaced a few Maxxwave 6 port Atom's with the CCR. ~400Mb/s and ~40K
> pps aggregate across all ports. CPU load went from ~25% to ~0-2%. These are
> in a configuration where they have little or no firewall/nat/queue rules.
> And in most cases are running MPLS. 

How much CPU does it take to implement BCP-38?



-- 
These are my opinions.  I hate spam.






Re: Automatic abuse reports

2013-11-12 Thread Hal Murray
William Herrin b...@herrin.us said:
> That's the main problem: you can generate the report but if it's about
> some doofus in Dubai what are the odds of it doing any good?

It's much worse than that.

Several 500 pound gorillas expect you to jump through various hoops to report 
abuse.  Have you tried reporting a drop box to Yahoo or Google lately?

On top of that, many outfits big enough to own a CIDR block are outsourcing 
their mail to Google.  Google has a good spam filter.  It's good enough to 
reject spam reports to abuse@hosted-by-google

I wonder what would happen if RIRs required working abuse mailboxes.  There 
are two levels of working.  The first is "doesn't bounce or get rejected 
with a sensible reason."  The second is "actually gets acted upon."

If you were magically appointed big-shot in charge of everything, how long 
would you let an ISP host a spammer's web site or DNS server or ...?  What 
about retail ISPs with zillions of zombied systems?


-- 
These are my opinions.  I hate spam.






Re: This is a coordinated hacking. (Was Re: Need help in flushing DNS)

2013-06-20 Thread Hal Murray

> at what point is the Internet a piece of infrastructure whereby we
> actually need a way to watch this thing holistically as it is one system and
> not just a bunch of inter-jointed systems? Who's job is it to do nothing but
> ensure that the state of DNS and other services is running as it
> should...who's the clearing house here.

> The Internet:  Discovering new SPOF since 1969! 
:)  Thanks.

Perhaps we should setup a distributed system for checking things rather than 
another SPOF.  That's distributed both geographically and administratively 
and using several code-bases.

In this context, I'd expect lots of false alarms due to people changing their 
DNS servers but forgetting to inform their monitoring setup (either internal 
or outsourced).

How would you check/verify that the communication path from the monitoring 
agency to the right people in your NOC was working correctly?


-- 
These are my opinions.  I hate spam.






Re: OOB core router connectivity wish list

2013-01-09 Thread Hal Murray

It might help clarify things if you added two (hopefully) short sections:

  One discussing how to get off the ground.
  How do I get my ssh key on a factory-reset box?

  Another discussing security.
  There may be conflicting requirements for different usage scenarios.



-- 
These are my opinions.  I hate spam.






Re: FYI Netflix is down

2012-07-02 Thread Hal Murray

George Herbert george.herb...@gmail.com said:

> I worked for a Sun clone vendor (Axil) for a while and took some of our
> systems and storage to Comdex one year in the 90s.  We had a RAID unit
> (Mylex controller) we had just introduced.  Beforehand, I made REALLY REALLY
> SURE that the pull-the-disk and pull-the-redundant-power tricks worked.  And
> showed them to people with the "Please keep in mind that this voids the
> warranty, but here we *rip* go".  All of the other server vendors were
> giving me dirty looks for that one. Apparently I sold a few systems that
> way. 

:)  Nice.  Thanks.

Many years ago, I worked for one of DEC's research groups.  We built a 
network using FDDI 4B/5B link technology based on AMD TAXI chips.  (They were 
state of the art back then.)  The switches were 3U(?) boxes with 12 ports.  
It took a rack of 6 or 8 of them in the phone closet to cover a floor.  
Workstations had 2 cables plugged into different switches.  In theory, we 
covered any single point of failure.

My office was near the phone closet.  I got to watch my boss give demos to 
visiting VIPs.  He was pretty good at it.  In the middle of explaining 
things, he would grab a power cord and yank it.  Blinka-blinka=blinka and the 
remaining switches would reconfigure and go back to work.  (It took under a 
second.)

It was interesting to watch the VIPs.  Most of them got it: the network 
really could recover quickly. The interesting ones had a telco background.  
They were really surprised.  The concept of disrupting live traffic for 
something as insignificant as a demo was off scale in their culture.

It was just a research lab.  We were used to eating our own dog food.

--

Greg D. Moore moor...@greenms.com said:

> If folks have not read it, I would suggest reading "Normal Accidents" by
> Charles Perrow.

+1

> The "it can't happen" is almost guaranteed to happen. ;-)  And when it
> does, it'll often interact in ways we can't predict or sometimes even
> understand. 

My memory of that sort of event is roughly...  (see above for context)

The hardware broke and turned a vanilla packet into a super-long packet.  My 
FPGA code was supposed to catch that case and do something sane.  It was 
never tested and didn't work.  It poured crap all over memory.  Needless to 
say, things went downhill from there.

Easy to spot in hindsight.  None of us thought that was an interesting case 
while we were testing.


-- 
These are my opinions.  I hate spam.






NTP/THunderbolt (was Re: strat-1 gps)

2012-06-26 Thread Hal Murray

> Thing with the Thunderbolts is not all revisions of the firmware seem to
> play nice with ntpd.

Would anybody with more info please contact me off-list.

We should be able to fix that, or at least document it.



-- 
These are my opinions.  I hate spam.






RE: EBAY and AMAZON

2012-06-11 Thread Hal Murray
[Snip good collection of security setting suggestions.  Does anybody have 
others or a URL?]

> I could never quite understand how anyone could get phished by e-mail
> since I have never ever seen a phishing or other malicious message that
> was not obviously so, even when I don't have me spectacles on!

Your imagination needs serious recalibration.

  You are a geek, not a naive, dumb, or unfortunately, typical user. 

  Windows security sucks.

  Most users will pick convenience over security.  What fraction of users 
(customers) would be happy with your suggested settings?

  Phishers are smart.  They are willing to work for high value targets.

Google for spear phishing.  After you have read a few of those, google for 
spear phishing RSA.

From the comments section of an Arstechnica article on the RSA event:
> So why do any workplace computers in sensitive environments
> have Flash in the first place?
> Because the training materials are no doubt flash based. 

:)

If you are interested in security, the whole comments section may be worth 
scanning.

My probably naive view is that this type of problem could easily be solved by 
having the serious work done on a special class of well locked down machines 
and making a pool of more open systems available for checking mail or 
facebook or whatever.

I've heard stories of people filling USB slots with epoxy so idiots can't 
insert thumb drives found in the parking lot or brought from home.  I forget 
the context.


-- 
These are my opinions.  I hate spam.






CVV numbers

2012-06-09 Thread Hal Murray

In response to my comment about:

> If I'm not supposed to not tell anyone, why is it even printed where I can 
> read it?

(Sorry for the extra not in there.)

I got an off list suggestion of:
  http://www.cvvnumber.com/

It looks reasonable.

But then, whois for cvvnumber.com says:

Registrant:
   Domains By Proxy, LLC
   DomainsByProxy.com
   15111 N. Hayden Rd., Ste 160, PMB 353
   Scottsdale, Arizona 85260
   United States

Should I really take them seriously?


-- 
These are my opinions.  I hate spam.






Re: Dear Linkedin,

2012-06-08 Thread Hal Murray

> I have accounts at probably 100's of sites. Am I to understand
> that I am supposed to remember each one of them and dutifully
> update them every month or two?

> Yes; of course if most of those accounts are moribund and unused then you
> don't need to change them so often, but the passwords you use frequently
> should be changed at regular intervals.

> It's pretty commonsensical once the threat is understood. 

Does anybody have a good URL explaining that idea?  It's been kicking around 
for many years.  I've never seen a convincing writeup.

Does your bank request/require that you change the PIN on your ATM card every 
few months?

Security is a tradeoff.  I think there are two cases for passwords.  I'll 
call them important and junk.  I'm willing to store the junk ones in a file 
or piece of paper that I'm careful with.  I have to memorize the important 
ones.

I'm only smart enough to memorize a few good passwords.  If I change them 
every few months, they will be less good, or fewer of them.


-- 
These are my opinions.  I hate spam.






Re: Dear Linkedin, [and proposed mitigation approach

2012-06-08 Thread Hal Murray
> Yes, well, I'm being cynical ...

Yes, but are you being cynical enough?

--

> Is 14 months a excusable length of time for someone not to have
> changed their password after a break?  

That cuts both ways.  Who is changing the password, the good guys or the bad 
guys?



-- 
These are my opinions.  I hate spam.






Re: Dear Linkedin,

2012-06-08 Thread Hal Murray

> Does your bank request/require that you change the PIN
> on your ATM card every few months?

> ATM cards are not passwords, they are a coarse form of two-factor
> authentication - You have the card, you have the PIN.  

> You have to possess both in order to transact - at least in in theory.

> Compare that with the secrecy surrounding the CVV - the last three digits
> on the number on the back of the card which you are not meant to tell
> anyone and which _will_ be different if your card is lost/stolen and
> reissued.

If I'm not supposed to not tell anyone, why is it even printed where I can 
read it?



[Context is only having so-many brain cycles to memorize passwords.]

> It's harder as we get old.  Use technology to aid with the heavy lifting.  :-)

Right.  But the meta problem is figuring out which technology to trust.

Phishing is the tip of the iceberg on social engineering.  So far, the bad 
guys are winning.





-- 
These are my opinions.  I hate spam.






Re: Wacky Weekend: The '.secure' gTLD

2012-06-01 Thread Hal Murray

> I think this is an interesting concept, but i don't know how well it will
> hold up in the long run.  All the initial verification and continuous
> scanning will no doubtingly give the .secure TLD a high cost relative to
> other TLD's. 

Right.  But your high cost is relative to dime-a-dozen vanity domains 
and/or domains for small/tiny businesses.  That's not their target market.

How much would it be worth to a bank if they could keep a few of their 
customers from being scammed?  How much would it be worth to an ISP if they 
could keep a few of their customers from being phished?  For starters, just 
consider the support costs.

Here is a note from a different context that says it only costs $99 for 
Verisign to certify you to sign secure-boot stuff for Windows 8, so I think 
that's the right ballpark.
  http://mjg59.dreamwidth.org/12368.html

I'm assuming that the hard part is the initial verification, not the ongoing 
monitoring that can be automated.  YMMV.  I might be all wet.  ...


-- 
These are my opinions.  I hate spam.






RE: Outdoor Wireless Access Point

2012-03-31 Thread Hal Murray

> Hi...How do I do it!
> I'm utterly amazed how many people give away free consultant work.
> We need to keep people working... not giving it away.   
> Ethics... Security... etc...
> Does the university give away free diplomas?   I don't think so. 

I don't expect a free diploma, but many universities are offering free 
internet videos of various classes.

If you want a sample, here are a few good starting points:
  http://ocw.mit.edu/
  http://oyc.yale.edu/
  http://webcast.berkeley.edu/


-- 
These are my opinions, not necessarily my employer's.  I hate spam.






Re: [#135346] Unauthorized BGP Announcements (follow up to Hijacked Networks)

2012-02-01 Thread Hal Murray
I'm not a lawyer nor an operator.

> Imagine that instead of www.google.com, it was www.whitehouse.gov

> At some point, I suspect that this gets service to get it fixed RIGHT NOW.
> At some point, the guys informing you it's RIGHT NOW show up with badges.

Where is Milo Medin when we need him?

> The question is, when is it badges?  It can be construed as a denial of
> service attack on the addresses' rightful owners.  They will respond to any
> major government site being hijacked.  Probably to Apple or Google.  Likely
> to a Tier-1 ISPs internal infrastructure. 

How long should it take to fix a problem like this?

Why didn't one of the players upstream from the bad guy pull their plug or 
drop the bogus announcement?  Why didn't any of the players between the first 
upstream and the tier 1s apply pressure?

Do existing contracts cover this case?  If not, what needs to be fixed?  Is a 
RFC needed so the lawyers have something to reference?

Would a session to discuss this at a NANOG gathering help?


> a) law enforcement doesn't understand the problem. and b) the law moves
> very slowly. 

It might be a good idea to make sure that somebody in law enforcement does 
understand what happened here so they can think about who needs to do 
what the next time something like this happens.  (Make sure that operators 
know how to get in touch with somebody who knows.)


-- 
These are my opinions, not necessarily my employer's.  I hate spam.






Re: [#135346] Unauthorized BGP Announcements (follow up to Hijacked Networks)

2012-02-01 Thread Hal Murray
> Where is Milo Medin when we need him?
> how would he be helping?

He would have pulled the plug.

The story is from the very early days of the internet, probably long before 
NANOG existed.

Milo worked at NASA and found a cracker from Finland on one of NASAs 
machines.  The link from Finland to the rest of the world went through Norway 
to NASA.  (That's THE link, there was only one link connecting all of 
Scandinavia to the rest of the net.)  So Milo called the guy in Finland and 
said "Please fix it."  The reply was "We can't do anything.  We respect civil 
liberties."  Soon he got the message because he wasn't connected to the net 
any more.

If anybody has a good URL for the story, please let me know.  I found one 
reference in google-books that said 1988.

-

> AFAIK there's no law covering the use of what party X considers their 32 bit
> numbers (assigned by party A) by party Y.

Do contracts cover that?  I'd expect that the paperwork for peer-peer, 
customer-ISP and ISP-backbone links would include some nice broad legalese 
about not doing nasty things.


> Besides, how would that work?  Say ARIN assigns US company X (operating only
> in the US) a block, but German company Y (with no US operations) starts
> announcing the same block.  How are US or German laws going to help, when
> the parties have no common jurisdiction? 

The law could be written to apply to the company bringing the bogus 
announcements across the US border.


-- 
These are my opinions, not necessarily my employer's.  I hate spam.






Re: Recent DNS attacks from China?

2011-11-30 Thread Hal Murray

> I am wondering if anyone else is seeing a sudden increase in DNS attacks
> emanating from chinese IP addresses?  Over the past 24 hours we've seen a
> sudden rash of chinese IPs attacking our DNS servers in the order of 5 to 10
> million PPS for periods of 5 to 10 mins, repeated every 20 to 30 minutes.

> This anomalous traffic started roughly 24 hours ago, and while we've had
> occasions of anomalous chinese traffic, never anything of this type.

I don't know if it's related, but at about the same time USNO reported an 
attack on their NTP servers.

I could easily imagine a piece of malware with a bug that does massive 
retransmits on both DNS and NTP.

---

From: Rich schmidt.r...@gmail.com
Newsgroups: comp.protocols.time.ntp
Subject: NTP Denial of Service attack 29 November 2011
Date: Tue, 29 Nov 2011 12:44:44 -0800 (PST)
Organization: http://groups.google.com
NNTP-Posting-Host: 199.211.133.254

USNO is seeing an apparent coordinated denial of service attack on NTP
originating with the following IPs:
220.117.53.67; 218.92.115.152; 114.40.28.224; 218.201.21.194. 

--

At 11 pm EST 29 Nov 2011 the Navy Cyber Defense Operations Command
ordered USNO to take NTP servers in Washington, DC offline, and USNO
complied.   USNO serves more than 3 million clients.  This is the
first time in 17 years that we have ceased NTP operations.



NTP Service from USNO Washington was restored at 30.56 November 2011
UTC.  No further information is available for dissemination at this
time.


-- 
These are my opinions, not necessarily my employer's.  I hate spam.






Re: First real-world SCADA attack in US

2011-11-23 Thread Hal Murray

> Like any of the decade's largest breaches this could have been avoided by
> following BCPs.  In addition SCADA networks are easily protected via
> behavioral and signature based security technologies.  

Is there a BCP that covers security for SCADA?

Note that Google for BCP SCADA finds
  BS-25999 Business Continuity Plan Implementation Checklist ...

--

Suppose a friend of yours was a low-level geek working for either a 
user/operator of a SCADA system or a vendor of software/hardware for that 
market.  If he asked you for info about security, where would you send him?  
(Assume he knows all about SCADA but little about networks or security.)

For that matter, is there any good security info for small to medium sized 
businesses?  Say a local store, travel agency, or doctor/dentist.



-- 
These are my opinions, not necessarily my employer's.  I hate spam.






Re: First real-world SCADA attack in US

2011-11-21 Thread Hal Murray

> On an Illinois water utility:
> http://www.msnbc.msn.com/id/45359594/ns/technology_and_science-security

That URL says:
> The Nov. 8 incident was described in a one-page report from the Illinois
> Statewide Terrorism and Intelligence Center, according to Joe Weiss, a
> prominent expert on protecting infrastructure from cyber attacks.

Joe Weiss gave a good talk at Stanford last Oct 12.
  http://www.stanford.edu/class/ee380/

My quick summary: The whole SCADA industry isn't tuned into network security 
issues.  It's not part of their culture.

--

Several years ago, Idaho National Labs ran an experiment.  They blew up a 
diesel generator by remote control.  Aurora is the buzzword.

The abstract page for his talk has a link to a CNN video.  It only has a few 
seconds of the generator.  Here is a longer version on YouTube:
  http://www.youtube.com/watch?v=fJyWngDco3g


-- 
These are my opinions, not necessarily my employer's.  I hate spam.