Re: Cisco/Level3 takedown
On 9 April 2015 at 19:16, Randy Bush ra...@psg.com wrote:
>> It does make one wonder why Cisco or Level 3 is involved, why they feel they have the authority to hijack someone else's IP space, and why they didn't go through law enforcement. This is especially true for the second netblock (43.255.190.0/23), announced by a US company (AS26484).
>
> vigilantes always wear white hats.
>
> randy

It seems to me from reading the article that the defence to this is to set up a legitimate hosting company in the same IP space, even if it only has 1 customer. Then if you get blocked you turn around and shout and scream that level3 are abusing their market dominance to prevent a rival firm's customers (this legitimate hosting company) being able to use the Internet. How screwed would they be in court?

I suspect it won't be a US court that gets to side with a US company and ignore everyone else, I suspect it would be an EU court case where there are actual consequences to a company trying to abuse their market dominance to force others to do what they want.

This specific group might not have the balls to try suing level3, but if they make a habit of blocking people's access to the internet then ambulance chasing lawyers will likely try to trick them in to screwing up and blocking their clients.

- Mike
Re: Cisco/Level3 takedown
Oh well. Don't do business with dirtbags.

- Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com

- Original Message -
From: Mike Jones m...@mikejones.in
To: Randy Bush ra...@psg.com
Cc: nanog@nanog.org
Sent: Saturday, April 11, 2015 2:37:07 AM
Subject: Re: Cisco/Level3 takedown

On 9 April 2015 at 19:16, Randy Bush ra...@psg.com wrote:
>> It does make one wonder why Cisco or Level 3 is involved, why they feel they have the authority to hijack someone else's IP space, and why they didn't go through law enforcement. This is especially true for the second netblock (43.255.190.0/23), announced by a US company (AS26484).
>
> vigilantes always wear white hats.
>
> randy

It seems to me from reading the article that the defence to this is to set up a legitimate hosting company in the same IP space, even if it only has 1 customer. Then if you get blocked you turn around and shout and scream that level3 are abusing their market dominance to prevent a rival firm's customers (this legitimate hosting company) being able to use the Internet. How screwed would they be in court?

I suspect it won't be a US court that gets to side with a US company and ignore everyone else, I suspect it would be an EU court case where there are actual consequences to a company trying to abuse their market dominance to force others to do what they want.

This specific group might not have the balls to try suing level3, but if they make a habit of blocking people's access to the internet then ambulance chasing lawyers will likely try to trick them in to screwing up and blocking their clients.

- Mike
RE: Cisco/Level3 takedown
Seems like this is pretty ineffective. The group already moved subnets once, they will likely do this again, all Cisco/L3 have done is slow them down a bit.

Stephen Mikulasik

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Sameer Khosla
Sent: Thursday, April 09, 2015 9:31 AM
To: nanog@nanog.org
Subject: Cisco/Level3 takedown

Was just reading http://blogs.cisco.com/security/talos/sshpsychos then checking my routing tables.

Looks like the two /23's they mention are now being advertised as /24's, and I'm also not sure why cisco published the ssh attack dictionary.

It seems to me that this is something that if they want to do, they should be working with entire service provider community, not just one provider.

Thanks

Sameer Khosla
Managing Director
Neutral Data Centers Corp.
Twitter: @skhoslaTO
Re: Cisco/Level3 takedown
> Wrong. Batman, for example, wears a black hat.

>> vigilantes always wear white hats.

i stand corrected
Re: Cisco/Level3 takedown
On Apr 9, 2015, at 11:29 AM, Mel Beckman m...@beckman.org wrote:
> Wrong. Batman, for example, wears a black hat.

Thank you, Mask Man.

-Bill
Re: Cisco/Level3 takedown
Just to add to the noise I think batman wears a black mask/helmet, but I've never considered it a mask.

I didn't look at the details on this, but did L3 sink the routes at their border or did they expressly announce the route to sink it?

-jim

On Thu, Apr 9, 2015 at 3:35 PM, Randy Bush ra...@psg.com wrote:
>> Wrong. Batman, for example, wears a black hat.
>
>>> vigilantes always wear white hats.
>
> i stand corrected
Re: Cisco/Level3 takedown
Warrior Nun Areala wears a black hat.

http://en.wikipedia.org/wiki/Warrior_Nun_Areala

-b

On April 9, 2015 at 18:29 m...@beckman.org (Mel Beckman) wrote:
> Wrong. Batman, for example, wears a black hat.
>
> -mel via cell
>
> On Apr 9, 2015, at 11:17 AM, Randy Bush ra...@psg.com wrote:
>>> It does make one wonder why Cisco or Level 3 is involved, why they feel they have the authority to hijack someone else's IP space, and why they didn't go through law enforcement. This is especially true for the second netblock (43.255.190.0/23), announced by a US company (AS26484).
>>
>> vigilantes always wear white hats.
>>
>> randy
Re: Cisco/Level3 takedown
On Apr 9, 2015, at 3:01 PM, Matt Olney (molney) mol...@cisco.com wrote:
> In response to Sameer Khosla's comment that we should work with the entire service provider community:
>
> Talos is the threat intelligence group within Cisco. We absolutely welcome discussions with any network operator on how we can improve the state of security on the Internet. Please contact me directly via email and we can have a discussion about how we can work together going forward.

While I agree that the (at least temporary) mitigation of the threat was overall a good thing, I'm not really happy with the method used. Decisions to drop/block/filter traffic should be done locally. I would have appreciated Talos coming to the various *nog lists and saying something like "Hey, there's some really bad guys here. Here's the evidence of their bad behavior, you really should block them." That probably would have had a wider reach than just going to Level3.

--Chris
Re: Cisco/Level3 takedown
folk are getting kinda bent out of shape about this, and about L3 doing 'something' but look at:

https://stat.ripe.net/widget/bgplay#w.resource=23.234.60.140

what's 4134 doing there?

This one as well:

https://stat.ripe.net/widget/bgplay#w.resource=103.41.124.0&w.ignoreReannouncements=true&w.starttime=142791&w.endtime=1428601200&w.instant=null&w.type=bgp&w.rrcs=0,1,6,7,11,14,3,4,5,10,12,13,15

wowsa! howdy 4134, having fun there?

On Thu, Apr 9, 2015 at 2:39 PM, jim deleskie deles...@gmail.com wrote:
> Just to add to the noise I think batman wears a black mask/helmet, but I've never considered it a mask.
>
> I didn't look at the details on this, but did L3 sink the routes at their border or did they expressly announce the route to sink it?
>
> -jim
>
> On Thu, Apr 9, 2015 at 3:35 PM, Randy Bush ra...@psg.com wrote:
>>> Wrong. Batman, for example, wears a black hat.
>>
>>>> vigilantes always wear white hats.
>>
>> i stand corrected
Re: Cisco/Level3 takedown
In response to Sameer Khosla's comment that we should work with the entire service provider community:

Talos is the threat intelligence group within Cisco. We absolutely welcome discussions with any network operator on how we can improve the state of security on the Internet. Please contact me directly via email and we can have a discussion about how we can work together going forward.

Thank you in advance,

Matthew Olney
Manager, Talos Threat Intelligence Analytics
Cisco
Re: Cisco/Level3 takedown
--- skho...@neutraldata.com wrote:
From: Sameer Khosla skho...@neutraldata.com

Was just reading http://blogs.cisco.com/security/talos/sshpsychos then checking my routing tables.

Looks like the two /23's they mention are now being advertised as /24's, and I'm also not sure why cisco published the ssh attack dictionary.
---

The authors lost some of their credibility when they wrote "Since then two class C networks have been..." At least they used slash notation for the rest of the article. If cisco won't stop using this terminology how will we get others to stop? Should I point them to https://en.wikipedia.org/wiki/Classful_network where they can see when a Class C (when it was a valid term) is all addresses that start with 110 in their leading bits and are in this range: 192.0.0.0 - 223.255.255.255. The addresses mentioned are from the historical Class A range even!

G, a pet peeve of mine. Someone here says Class C and I ask them how a Class C is defined and then launch into the whole story. The short of it is they never use that phrase around me again. ;-)

Last

"Gone are the days when detectors and protectors can sit on the Internet’s sidelines when a group is brazenly attacking a wide range of systems around the world. [...] Cisco and Level 3 Communications agreed that it was time to step in and make it stop."

Declaration of war? I'm getting my popcorn ready.

http://i294.photobucket.com/albums/mm86/JohnLeland1789/Funny/PopcornHugeBags.jpg

scott
Re: Cisco/Level3 takedown
Wrong. Batman, for example, wears a black hat.

-mel via cell

On Apr 9, 2015, at 11:17 AM, Randy Bush ra...@psg.com wrote:
>> It does make one wonder why Cisco or Level 3 is involved, why they feel they have the authority to hijack someone else's IP space, and why they didn't go through law enforcement. This is especially true for the second netblock (43.255.190.0/23), announced by a US company (AS26484).
>
> vigilantes always wear white hats.
>
> randy
Re: Cisco/Level3 takedown
I think that, properly, Batman wears a cowl, not a hat.

On 4/9/2015 11:29 AM, Mel Beckman wrote:
> Wrong. Batman, for example, wears a black hat.
>
> -mel via cell
Re: Cisco/Level3 takedown
On Thu, Apr 9, 2015 at 11:31 AM, Sameer Khosla skho...@neutraldata.com wrote:
> Was just reading http://blogs.cisco.com/security/talos/sshpsychos then checking my routing tables.
>
> Looks like the two /23's they mention are now being advertised as /24's, and I'm also not sure why cisco published the ssh attack dictionary.
>
> It seems to me that this is something that if they want to do, they should be working with entire service provider community, not just one provider.

are you sure they aren't engaged with a wider SP community? (the dictionary seems relevant for: Oh crap, my root account DOES have password123 as the password :()
Re: Cisco/Level3 takedown
Reading the article, I assumed that perhaps Level 3 was an upstream carrier, but RIPE stats shows that the covering prefix (103.41.120.0/22) is announced by AS63509, an Indonesian organization. It looks like they're fighting back by announcing their own /24 now. I love the AS's address:

descr: Jl. Marcedes Bens No.258
descr: Gunung Putri, Bogor
descr: Jawa Barat 16964
country: ID

While a Level 3 /24 announcement will certainly have a world wide impact, I agree that it seems misguided when the originating AS can announce their own /24.

It does make one wonder why Cisco or Level 3 is involved, why they feel they have the authority to hijack someone else's IP space, and why they didn't go through law enforcement. This is especially true for the second netblock (43.255.190.0/23), announced by a US company (AS26484).

--Blake

Sameer Khosla wrote on 4/9/2015 10:31 AM:
> Was just reading http://blogs.cisco.com/security/talos/sshpsychos then checking my routing tables.
>
> Looks like the two /23's they mention are now being advertised as /24's, and I'm also not sure why cisco published the ssh attack dictionary.
>
> It seems to me that this is something that if they want to do, they should be working with entire service provider community, not just one provider.
>
> Thanks
>
> Sameer Khosla
> Managing Director
> Neutral Data Centers Corp.
> Twitter: @skhoslaTO
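
Added example, not part of any message in this thread: a small monitoring check that finds /24s announced inside a covering prefix and reports whether each comes from the covering route's origin AS or from a different one, then shows which origin wins by longest-prefix match. The /23, the /22 and their origin ASNs are the ones quoted above; every /24 row, AS64500 and AS64501 are constructed sample data.

```python
import ipaddress

# Constructed sample table of (prefix, origin AS). The /23 and /22 and their
# origins are quoted from the thread; every /24 row is made up, and AS64500
# and AS64501 are documentation ASNs standing in for unrelated networks.
ROUTES = [
    ("43.255.190.0/23", 26484),
    ("43.255.190.0/24", 64500),   # more-specific from a different origin
    ("43.255.191.0/24", 26484),   # holder de-aggregating its own block
    ("103.41.120.0/22", 63509),
    ("103.41.121.0/24", 63509),
    ("198.51.100.0/24", 64501),   # no covering route in the table
]

def parse(routes):
    return [(ipaddress.ip_network(p), asn) for p, asn in routes]

def covering(net, table):
    """Longest less-specific (network, origin) containing net, or None."""
    covers = [(o, a) for o, a in table
              if o.prefixlen < net.prefixlen and net.subnet_of(o)]
    return max(covers, key=lambda c: c[0].prefixlen, default=None)

def classify(routes):
    """Label each more-specific by whether its origin matches the covering route."""
    table = parse(routes)
    findings = []
    for net, asn in table:
        cover = covering(net, table)
        if cover is not None:
            kind = "same-origin" if asn == cover[1] else "foreign-origin"
            findings.append((str(net), asn, str(cover[0]), cover[1], kind))
    return findings

def best_origin(address, routes):
    """Longest-prefix match: the origin AS whose route wins for address."""
    ip = ipaddress.ip_address(address)
    matches = [(n, a) for n, a in parse(routes) if ip in n]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

if __name__ == "__main__":
    for row in classify(ROUTES):
        print(row)
    print(best_origin("43.255.190.10", ROUTES))
```

A "foreign-origin" row is what an operator would alert on; where both parties announce the same /24, prefix length no longer decides and ordinary BGP path selection does, which this sketch does not model.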
Re: Cisco/Level3 takedown
> It does make one wonder why Cisco or Level 3 is involved, why they feel they have the authority to hijack someone else's IP space, and why they didn't go through law enforcement. This is especially true for the second netblock (43.255.190.0/23), announced by a US company (AS26484).

vigilantes always wear white hats.

randy