Don't know if anyone else is seeing this, but we're having trouble getting
to/from ATT datacenter in Phoenix from several locations. It looks like
traffic from Mountain View is getting dropped at ATT in LA. However, looking
at ATT network stats, they seem to have virtually no connectivity
will anyone miss it? :-)
Does anyone have a contact at msn.com that will respond to a situation
similar to this thread? Our email queries to support/abuse/etc
@msn.com have gone unanswered.
We have a class C allocated from one of our /16's that has been
blocked by MSN without any prior warning/notice from them.
Anybody have a pointer to scripts to map IP to AS?
There are still 10K-20K hosts spewing M$SQL slammer/sapphire packets,
and I'd like to start blocking routing to those irresponsible AS's
that haven't blocked their miscreant customers.
http://isc.sans.org/port_details.html?port=1434
--
On Thu, 20 Feb 2003, William Allen Simpson wrote:
Anybody have a pointer to scripts to map IP to AS?
Google is your friend ;-)
There are still 10K-20K hosts spewing M$SQL slammer/sapphire packets,
and I'd like to start blocking routing to those irresponsible AS's
that haven't blocked
On Thu, 20 Feb 2003, William Allen Simpson wrote:
Anybody have a pointer to scripts to map IP to AS?
I suspect the easiest thing to do would be to write some code to query a
looking glass, perhaps even install your own for this
There are still 10K-20K hosts spewing M$SQL
At 08:07 AM 20-02-03 -0600, Alif The Terrible wrote:
On Thu, 20 Feb 2003, William Allen Simpson wrote:
Anybody have a pointer to scripts to map IP to AS?
Google is your friend ;-)
There are still 10K-20K hosts spewing M$SQL slammer/sapphire packets,
and I'd like to start blocking
There are still 10K-20K hosts spewing M$SQL slammer/sapphire packets,
and I'd like to start blocking routing to those irresponsible AS's
that haven't blocked their miscreant customers.
It's too early for such harsh measures. Unless you can live without
most major consumer ISPs.
I don't
Then you'd better reach over to all of your upstream routers and just pull
the plug, since you are likely to see Sapphire packets from here on in, on a
regular basis.
Better is to do the whois lookup and send pre-formatted e-mail about the
infected server as people did after Code-Red.
On Thu, Feb 20, 2003 at 08:09:31AM -0500, William Allen Simpson quacked:
Anybody have a pointer to scripts to map IP to AS?
There are still 10K-20K hosts spewing M$SQL slammer/sapphire packets,
and I'd like to start blocking routing to those irresponsible AS's
that haven't blocked
Careful. Many whoisds don't appreciate automated queries and will block YOUR
IP address for some time if you cross their max query rate threshold.
You can use a quick perl wrapper around whois, or you
could use this terribly ugly hacked up traceroute-ng that I
wrote to do lookups:
I should have been a bit more specific. The hacked up traceroute-ng
queries the radb, not a whoisd. I've never had problems
being blocked when doing radb queries, but YMMV, of course. I also
suggest that people be nice and rate-limit their queries so that
others don't have to do it for them...
M$SQL is different from other infections mentioned, as it hits the
entire net so quickly. The only thing keeping it at bay is widespread
backbone filtering, which isn't feasible in the long term.
Just like random source addresses, the only answer is edge filtering
(preventing the bad packets
### On Thu, 20 Feb 2003 09:11:02 -0800, Martin J. Levy [EMAIL PROTECTED]
### casually decided to expound upon David G. Andersen [EMAIL PROTECTED],
### William Allen Simpson [EMAIL PROTECTED] the following thoughts
### about Re: scripts to map IP to AS?:
MJV Dave (and anyone that downloads
On Thu, 20 Feb 2003 12:14:28 PST, Jake Khuon [EMAIL PROTECTED] said:
Just a reminder to everyone who intends to query the IRR/RADB... Please be
nice to the RADB whois server and don't DoS it. Open a persistent
Are there any recommendations for caching of the results? Do, don't, not for
over
You could just run a trace from a cisco router (or do a trace from a
looking glass). It shows the AS numbers along the path. Just pick out the
last one. It also has the advantage of telling you who is really
announcing it at this time rather than who 'should' be announcing
it.
Guessing a script
### On Thu, 20 Feb 2003 15:25:52 -0500, [EMAIL PROTECTED] casually
### decided to expound upon [EMAIL PROTECTED] (Jake Khuon) the following
### thoughts about Re: scripts to map IP to AS? :
VK Are there any recommendations for caching of the results? Do, don't, not for
VK over 72 hours, etc? I
On Thu, 20 Feb 2003, William Allen Simpson wrote:
Worse, it only takes 1 infected host to re-infect the entire net in
about 10 minutes. So, the entire 'net has to cooperate, or we'll see
continual re-infection.
Only if people didn't fix their servers. And if they didn't, this
reverse denial
On Thu, 20 Feb 2003, William Allen Simpson wrote:
Anybody have a pointer to scripts to map IP to AS?
This little script works fairly well. Just feed it a file with each
network on a separate line. Obviously don't overload the route servers by
running it too often.
--
Simon Lyall.
I am looking for an IP management which has flexible management
capabilities. I need it for managing my customers IP assignments, and
keeping stock of my IP pool.
Do you have any suggestions?
Iljitsch van Beijnum [EMAIL PROTECTED] wrote:
On Thu, 20 Feb 2003, William Allen Simpson wrote:
Worse, it only takes 1 infected host to re-infect the entire net in
about 10 minutes. So, the entire 'net has to cooperate, or we'll see
continual re-infection.
Only if people didn't fix
On Thu, 20 Feb 2003 22:11:06 +0100, Iljitsch van Beijnum said:
Seems to me that filtering is no longer necessary unless you have reason
to believe your customers are going to install new vulnerable boxes or
vulnerable software on existing boxes AND their pipe to you is so big
new vulnerable
Yo Joshua!
On Thu, 20 Feb 2003, Joshua Smith wrote:
i still get 8K plus hits against my acls per day for udp/1434...(75 in the
time it took to write this email)
You are probably doing as much damage as good.
udp/1434 is not a reserved port. A lot of what you are blocking is legit
traffic
I am looking for an IP management which has flexible management
capabilities. I need it for managing my customers IP assignments, and
keeping stock of my IP pool.
Do you have any suggestions?
Here's one. I haven't used it in production, but the demo that I was
given was pretty slick. Works
Check out Georgetown in Washington DC, the exploding manhole capital of
the world. They have a lot of experience with exploding manholes, from
many different causes. The most recent incident was in the last couple of
days. There is a lot of energy being pumped into utility lines. A
short
On Thu, 20 Feb 2003, Daniel Abbey wrote:
I am looking for an IP management which has flexible management
capabilities. I need it for managing my customers IP assignments, and
keeping stock of my IP pool.
Do you have any suggestions?
http://www.brownkid.net/NorthStar/ looked pretty
I use NorthStar in my network, and actually was a developer on it for a
while. It's fairly stable, but development has somewhat stalled because of
real life issues for the primary developer.
Thanks,
Adam Tauvix Debus
Linux Certified Professional, Linux Certified Administrator #447641
Network
Is anyone running an automated Terror Alert system that's
real time with the DHS?
-M
On Thu, Feb 20, 2003 at 08:08:58PM -0500, Richard Irving wrote:
Yes.
But, until elections 2004, the FUD field is hardcoded to High.
However, if there are changes to the -=actual=- dhs.gov status,
it sends out an automatic Amazon.Com order for
Hip Boots for all members of the list.
People who bought HIP BOOTS also shopped for:
* Duct Tape
* Jack Daniels
* Def Leppard CD's
* Clean Underwear
on-topic: I use a plug-in for my NMS that looks for abnormalities in the
load times of various popular sites. (it's helped me spot routing problems
more than once). Looking back at
All of this begs the question, what specifically would you do if the alert
level went to red or yellow? Would you broadcast the change to customers,
place disaster recovery teams on stand-by or stand-down, implement an
expanded ACL, etc.? Seriously, I'm interested in a response to this.
Ok,
What we really need is something like what NOAA has for space weather:
http://www.maj.com/sun/noaa.html
Currently, the weather is active and unsettled...
Eric :)
On Thu, 20 Feb 2003, Martin Hannigan wrote:
Is anyone running an automated Terror Alert system that's
real time with the DHS?
CNN (or Fox, MSNBC, etc) news satellite feed (for national alerts)
Radio Shack National Weather Service Alert radio (for local alerts)
Individual states have other
Hi Johannes,
] Anybody have a pointer to scripts to map IP to AS?
] Grab a routing table snapshot from the routeviews archive and run it
] through parse_bgp_dump from CAIDA's CoralReef package. Then use
] CAIDA::ASFinder or Net::Patricia to do the lookups.
In fact I have 2 scripts to do