Re: Block all servers?

2003-10-10 Thread Petri Helenius
Adam Selene wrote: IMHO, all consumer network access should be behind NAT. First of all, this would block way too many uses that currently actually sell the consumer network connections. "I recommend my competition to do this" Secondly, it´s very hard, if impossible to come up with a NAT dev

Re: Block all servers?

2003-10-10 Thread Majdi S. Abbas
On Fri, Oct 10, 2003 at 08:07:05PM -0600, Adam Selene wrote: > IMHO, all consumer network access should be behind NAT. -snip- > As for plug-in "workgroup" networking (the main reason why > everything is open by default), when you create a Workgroup, > it should require a key for that workgroup an

Re: Block all servers?

2003-10-10 Thread ken emery
On Fri, 10 Oct 2003, Adam Selene wrote: > IMHO, all consumer network access should be behind NAT. Unfortuantely there are enough protocols and applications which don't work well behind a NAT that deploying this on a large scale is not practical. Most gamers require incoming connections. These

RE: edge interface bits

2003-10-10 Thread Michael Hallgren
> > On Fri, Oct 10, 2003 at 04:55:44PM +0300, Petri Helenius wrote: > > > > > > Does anyone know, either on the east coast US, London, Stockholm, > > Copenhagen, Amsterdam or Helsinki transit providers which would allow > > edge/handoff interface control to different traffic classes using BGP

Re: edge interface bits

2003-10-10 Thread Haesu
On Fri, Oct 10, 2003 at 04:55:44PM +0300, Petri Helenius wrote: > > > Does anyone know, either on the east coast US, London, Stockholm, > Copenhagen, Amsterdam or Helsinki transit providers which would allow > edge/handoff interface control to different traffic classes using BGP > communities?

Puerto Rico

2003-10-10 Thread Mehmet Akcin
Anyone living in Puerto Rico (if they are getting this mail, they should be working for computer/internet related anyway) can contact me offlist please? thanks. Mehmet Akcin

Re: [6bone] Reserved ASN 64702, 6to4, 2 ghosts, other oddities and still no working contacts...

2003-10-10 Thread Bill Manning
% Another funny one: % 3ffe:3::/32 Subnet of 3ffe::/24 Mismatching origin ASN, % should be 4555 (now: 29216) welcome to more root server testing w/ IPv6. --bill Opinions expressed may not even be mine by the time you read them, and certainly don't r

Re: Block all servers?

2003-10-10 Thread Adam Selene
IMHO, all consumer network access should be behind NAT. However, the real solutions is (and unfortunately to the detriment of many 3rd party software companies) for operating system companies such as Microsoft to realize a system level firewall is no longer something to be "added on" or configure

RE: Block all servers?

2003-10-10 Thread Christopher Bird
I know they CAN, but the issue is do they have the mechanisms and operational capabilities of actually doing so? I would like to see my cable provider making it hard to do some of the things I do. Not because I should not be doing them, but those same holes that I exploit (hopefully in a benign fa

DDOS Today?

2003-10-10 Thread Greg Valente
I just got on today. Was there any large DDOS attacks today. Any specific networks impacted? -Original Message- From: Jeroen Massar [mailto:[EMAIL PROTECTED] Sent: Friday, October 10, 2003 8:16 PM To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: Reserved ASN 64702, 6to4, 2 ghosts, other

Reserved ASN 64702, 6to4, 2 ghosts, other oddities and still no working contacts...

2003-10-10 Thread Jeroen Massar
-BEGIN PGP SIGNED MESSAGE- Checking http://www.sixxs.net/tools/grh/lg/?show=bogons&find=::/0 People might want to filter on private ASN's also when that ASN is being used as "transit"... 2001:a40::/32 AS64702 is reserved (path: 15516 3257 2497 4697 2914 10109 4538 4787 64702 20646 8763

RE: Block all servers?

2003-10-10 Thread Eric Kuhnke
The TOS/AUP for most residential broadband connections already allows the ISP to shut off service or do anything they want to the customer without prior notice. It has been this way for at least 3 or 4 years, since the advent of @Home. Take a look at the TOS/AUP for Comcast, Shaw Cable, MSN D

Re: contact at yahoo mail? (they think we're an open relay :< )

2003-10-10 Thread Suresh Ramasubramanian
Paul S. Brown writes on 10/11/2003 3:41 AM: As of last month Yahoo! are providing some mail services for BT Openworld in the UK, soon to be all of their consumer mail accounts. They've been providing mail services for SBC as well, since quite some time. -- srs (postmaster|suresh)@outblaze.com //

Re: contact at yahoo mail? (they think we're an open relay :< )

2003-10-10 Thread Paul S. Brown
On Thursday 09 October 2003 11:30 pm, chuck goolsbee wrote: > >>Today our email forwarders started getting this from yahoo.com > >>mail handlers: > > > > > >Us too. And more than one ISP that I have seen (for example, > >iglou.com mentioned that one of their boxes was being blocked) > > > >Someth

Re: RoadRunner now bouncing the mail...

2003-10-10 Thread Mark Jeftovic
It looks like they're taking our mail again now On Fri, 10 Oct 2003, Mark Jeftovic wrote: > > > What number did you call to talk to them? > > On Fri, 10 Oct 2003, Alan Sparks wrote: > > > Mark Jeftovic said: > > > It seems RoadRunner is no longer deferring us or refusing our > > > connectio

Re: RoadRunner now bouncing the mail...

2003-10-10 Thread Mark Jeftovic
What number did you call to talk to them? On Fri, 10 Oct 2003, Alan Sparks wrote: > Mark Jeftovic said: > > It seems RoadRunner is no longer deferring us or refusing our > > connections... they're BOUNCING everything. > > That's what they did to us. No deferrals, just started 571'ing > everyth

Re: RoadRunner now bouncing the mail...

2003-10-10 Thread Alan Sparks
Mark Jeftovic said: > It seems RoadRunner is no longer deferring us or refusing our > connections... they're BOUNCING everything. That's what they did to us. No deferrals, just started 571'ing everything. I sent a query to the spamblock mail address, received autoreply and nothing else. We fin

Re: RoadRunner now bouncing the mail...

2003-10-10 Thread Suresh Ramasubramanian
Mail [EMAIL PROTECTED] - they are whitehat, and you'll know the people there from spam-l. Oh, they respond quite fast. suresh Mark Jeftovic writes on 10/11/2003 1:54 AM: It seems RoadRunner is no longer deferring us or refusing our connections... they're BOUNCING everything. -- srs (postmaste

RoadRunner now bouncing the mail...

2003-10-10 Thread Mark Jeftovic
It seems RoadRunner is no longer deferring us or refusing our connections... they're BOUNCING everything. Nice. Oct 10 16:04:28 10.0.2.42 postfix/smtp[11683]: 778A77050E: to=<[EMAIL PROTECTED]>, relay=flmx04.mgw.rr.com[65.32.1.50], delay=5, status=bounced (host flmx04.mgw.rr.com[65.32.1.50] sai

Re: first Yahoo, now RoadRunner?

2003-10-10 Thread Gerald
On Fri, 10 Oct 2003, Ray Wong wrote: > RR has been using a lot of blocks for quite some time. Fortunately, they > were very responsive when I mailed their abuse address as indicated on that > URL. I gave them the allocation I was responsible for, asked for that > subset of addresses to be unblo

The Earth's not slowing down fast enough to

2003-10-10 Thread bmanning
> Date: Tue, 07 Oct 2003 23:33:45 -0700 > Subject: The Earth's not slowing down fast enough to suit Motorola > > Motorola reports that several GPS receivers in its Oncore line will > misdisplay the date on 28 Nov 2003 at midnight UTC. For a one-second window > the receivers will mistakenly repor

Re: New attack against port 135?

2003-10-10 Thread Mike Tancsa
Yes, we saw this yesterday and posted to full-disclosure. Here is a sample packet. 13:43:38.511675 xx:xx:xx:xx:xx:xx xx:xx:xx:xx:xx:xx 0800 62: 64.7.nn.yy.3512 > 16.181.zz.aa.135: S [tcp sum ok] 3772716186:3772716186(0) win 65340 (DF) (ttl 127, id 63248, len 48) 0x 4500 0030 f710 4000

PGP key signing at NANOG 29 in Chicago [REVISED]

2003-10-10 Thread Joe Abley
[the original mail I sent had the wrong date in the third paragraph; this one has the right date. sorry about the confusion.] There will be a brief introduction to PGP key signing presented in the General Session at 11:15 a.m. on Monday, entitled "Building a Web of Trust". New for NANOG 29: yo

Re: New attack against port 135?

2003-10-10 Thread Andrew D Kirch
The kiddies have finally exploited the RPC SS/RPC DCOMII exploits that microsoft patched after internal auditing. I first got word of a working exploit about a week ago, but no real confirmation, and I put very little creedance in " I hax0rz your b0x3n!" then scanning went exponentially through

Re: PGP key signing at NANOG 29 in Chicago

2003-10-10 Thread Joe Abley
On 10 Oct 2003, at 13:30, [EMAIL PROTECTED] wrote: On Fri, 10 Oct 2003 13:20:16 EDT, you said: Chicago. We have been scheduled to meet on Monday, June 2, after the ISP Security and NSP-SEC BOF, at around 9pm in Salon F. If the BOF runs date/time/location check??? Arrgh. Monday 20 October, is w

New attack against port 135?

2003-10-10 Thread Peter John Hill
I am seeing lots of scanning of port 135 on my network. 66 byte long packets. Anyone have a name for this? It is less aggressive than the welchia scans I have seen. Seems to scan at about 3000 or so flows per 5 minutes. Thanks Peter Hill Network Engineer Carnegie Mellon

PGP key signing at NANOG 29 in Chicago

2003-10-10 Thread Joe Abley
There will be a brief introduction to PGP key signing presented in the General Session at 11:15 a.m. on Monday, entitled "Building a Web of Trust". New for NANOG 29: you will find stickers available at the checkin desk which which you can stick on your name tag. The red dot means "I sign keys"

Why not UUNet too? (was Re: first Yahoo, now RoadRunner?)

2003-10-10 Thread Crist Clark
Since the topic is mysterious rejections from MTAs, I have one from UUNet. One of our business partners has UUNet for an ISP and is using UUNet for a tertiary MTA. Occasionally, mail ends up going to that MTA (quite often actually, their primary gets unresponsive from time to time and I've _never_

Re: SOLVED? was Re: contact at yahoo mail?...

2003-10-10 Thread Leo Bicknell
In a message written on Fri, Oct 10, 2003 at 11:59:56AM -0400, Scott Stursa wrote: > They are blocking only the server where we put undergraduate accounts, > over 60% of which have forwarding set, most frequently to Hotmail, Yahoo > and AOL accounts. When the spam volume coming in here gets too hig

Re: New mail blocks result of Ralsky's latest attacks?

2003-10-10 Thread Suresh Ramasubramanian
Steven M. Bellovin writes on 10/10/2003 9:37 PM: Out of curiousity, has anyone tried turning this over to law enforcement? It's another form of hacking, but the money trail back through the spammers might provide enough evidence for prosecution. --Steve Bellovin, http://www.research.att.com/

Re: New mail blocks result of Ralsky's latest attacks?

2003-10-10 Thread Steven M. Bellovin
Out of curiousity, has anyone tried turning this over to law enforcement? It's another form of hacking, but the money trail back through the spammers might provide enough evidence for prosecution. --Steve Bellovin, http://www.research.att.com/~smb

Re: SOLVED? was Re: contact at yahoo mail?...

2003-10-10 Thread Scott Stursa
On Fri, 10 Oct 2003, Suresh Ramasubramanian wrote: > Mark Jeftovic [10/10/03 08:33 -0400]: > > > > I've received an email offlist that this problem should be back to > > "pre-yesterday" conditions. It looks better on our end, as it should for > > all else affected I would think. > > Our problem l

Re: Sitefinder and DDoS

2003-10-10 Thread Owen DeLong
But, that requirement simply says that if at x time you query *.something and otherwise-unmatched.something, you get the same result. It doesn't say that if you query at *.something at x time and otherwise-unmatched at x+5 time, you will get the same result. DNS servers can return different answe

Fw: New mail blocks result of Ralsky's latest attacks?

2003-10-10 Thread Brian Bruns
MessageThis is something I sent to someone offlist. I've strpped out his name, etc. -- Brian Bruns The Summit Open Source Development Group Open Solutions For A Closed World / Anti-Spam Resources http://www.2mbit.com ICQ: 8077511 - Original Message - From: Brian B

Re: first Yahoo, now RoadRunner?

2003-10-10 Thread Ray Wong
RR has been using a lot of blocks for quite some time. Fortunately, they were very responsive when I mailed their abuse address as indicated on that URL. I gave them the allocation I was responsible for, asked for that subset of addresses to be unblocked, and things were fine within the day. W

Re: New mail blocks result of Ralsky's latest attacks?

2003-10-10 Thread Steven Champeon
on Fri, Oct 10, 2003 at 08:47:51PM +0530, Suresh Ramasubramanian wrote: > Set up header checks in sendmail / postfix to block all mail with > Received: headers showing Ralsky IPs. PCRE header checks in postfix > would be like - Sendmail rulesets to block Ralsky: KRalsky1 regex [EMAIL PROTEC

Re: New mail blocks result of Ralsky's latest attacks?

2003-10-10 Thread Brian Bruns
Title: Message Just FYI, I am putting together another paper as we speak on how to secure your mail servers against this type of attack.  Should be online by this afternoon at the latest.   Ok, this is where I need to ask for your guys help as well.  If anyone here has experience with postfix

RE: New mail blocks result of Ralsky's latest attacks?

2003-10-10 Thread Bob German
He grabbed a couple of our customers' IMAIL servers, and I'm pretty sure discovered a few weak passwords by brute force. Bob -Original Message- From: Suresh Ramasubramanian [mailto:[EMAIL PROTECTED] Sent: Friday, October 10, 2003 11:27 AM To: Brian Bruns Cc: Bob German; [EMAIL PROTE

Re: large-scale IPSEC tunnel deployment

2003-10-10 Thread Alex Yuriev
> Orchestream has some of this functionality for setting the tunnels up, > you can then use the corba interface to setup management with > tools like SMARTS. The other problem is managing the keys, if you > don't have a CA it will be painful if you need to change the keys. We > have had some succe

Re: New mail blocks result of Ralsky's latest attacks?

2003-10-10 Thread Suresh Ramasubramanian
Brian Bruns writes on 10/10/2003 8:42 PM: Tis one of the reasons why I've disabled SMTP AUTH on all of my servers for now. I've known about this for a few weeks now. Its not surprising. Most of the servers cracked are Exchange servers (probably thanks to weak passwords), but I still don't fe

Re: New mail blocks result of Ralsky's latest attacks?

2003-10-10 Thread Suresh Ramasubramanian
Bob German writes on 10/10/2003 8:29 PM: A colleague informed me this morning that Alan Ralsky is doing widespread bruteforce attacks on SMTP AUTH, and they are succeeding, mainly because it's quick, painless (for him), and servers and IDS signatures don't generally offer protection against the

Re: New mail blocks result of Ralsky's latest attacks?

2003-10-10 Thread Mike Tancsa
Cant speak for others, but the server that was blocked for us by Yahoo! is ACL'd by IP address. It would be very helpful if the Yahoo! folk could post an official explanation as to what happened so we can pass it on to our customers. e.g. a URL somewhere on Yahoo! ? ---Mike At 10:59

Re: New mail blocks result of Ralsky's latest attacks?

2003-10-10 Thread Andrew D Kirch
On Fri, 10 Oct 2003 10:59:46 -0400 "Bob German" <[EMAIL PROTECTED]> wrote: > A colleague informed me this morning that Alan Ralsky is doing > widespread bruteforce attacks on SMTP AUTH, and they are succeeding, > mainly because it's quick, painless (for him), and servers and IDS > signatures don'

Re: New mail blocks result of Ralsky's latest attacks?

2003-10-10 Thread Brian Bruns
Title: Message Tis one of the reasons why I've disabled SMTP AUTH on all of my servers for now.  I've known about this for a few weeks now.  Its not surprising.  Most of the servers cracked are Exchange servers (probably thanks to weak passwords), but I still don't feel like taking a chance.

New mail blocks result of Ralsky's latest attacks?

2003-10-10 Thread Bob German
Title: Message A colleague informed me this morning that Alan Ralsky is doing widespread bruteforce attacks on SMTP AUTH, and they are succeeding, mainly because it's quick, painless (for him), and servers and IDS signatures don't generally offer protection against them.   Could this be why

Re: Hotmail Problems

2003-10-10 Thread Suresh Ramasubramanian
Michael Heitland writes on 10/10/2003 7:41 PM: Has anyone seen issues with hotmail receiving emails several days after they are sent. We are not getting bounces, just long delays in what appears to be hotmails posting to inboxes. Yes. Since quite some time. -- srs (postmaster|suresh)@outblaze.co

Re: first Yahoo, now RoadRunner?

2003-10-10 Thread Suresh Ramasubramanian
Mark Jeftovic writes on 10/10/2003 7:33 PM: rr.com blocking our netblock since this morning now 5.7.1 Mail Refused - 216.220.40 - See http://security.rr.com/mail_blocks.htm#security Mail them at [EMAIL PROTECTED] - RR has good people reading it. -- srs (postmaster|suresh)@outblaze.com // gpg

RE: Hotmail Problems

2003-10-10 Thread Geo.
>>> Has anyone seen issues with hotmail receiving emails several days after they are sent. We are not getting bounces, just long delays in what appears to be hotmails posting to inboxes. >>We've been seeing lots of server timeouts and connection resets to hotmail.com and msn MXs over the last c

Re: first Yahoo, now RoadRunner?

2003-10-10 Thread Alan Sparks
On Fri, 2003-10-10 at 08:03, Mark Jeftovic wrote: > rr.com blocking our netblock since this morning now > > 5.7.1 Mail Refused - 216.220.40 - See > http://security.rr.com/mail_blocks.htm#security > > Anyone else? We got hit with same last night. Still trying to determine cause. This page

Re: Hotmail Problems

2003-10-10 Thread Patrick_McAllister
Yes, but vice versa, I have received e-mails over the last few days that are literally weeks old Michael Heitland

Re: Hotmail Problems

2003-10-10 Thread Alan Sparks
On Fri, 2003-10-10 at 08:11, Michael Heitland wrote: > > Has anyone seen issues with hotmail receiving emails several days after they are sent. We are not getting bounces, just long delays in what appears to be hotmails posting to inboxes. > > Some customers have waited 2 days to see an email

Hotmail Problems

2003-10-10 Thread Michael Heitland
Has anyone seen issues with hotmail receiving emails several days after they are sent. We are not getting bounces, just long delays in what appears to be hotmails posting to inboxes. Some customers have waited 2 days to see an email reach their inbox. We have tested this from not only our doma

first Yahoo, now RoadRunner?

2003-10-10 Thread Mark Jeftovic
rr.com blocking our netblock since this morning now 5.7.1 Mail Refused - 216.220.40 - See http://security.rr.com/mail_blocks.htm#security Anyone else? -- Mark Jeftovic <[EMAIL PROTECTED]> Co-founder, easyDNS Technologies Inc. ph. +1-(416)-535-8672 ext 225 fx. +1-(416)-535-0237

Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-10 Thread Petri Helenius
Avleen Vig wrote: Personally I'm in favour of specific port filtering, and charging a (small) premium ($10 a month?) for be able to run servers on residential broadband connections. So you are happy to pay a $10 premium for your VoIP phone if it allows inbound calls? Pete

edge interface bits

2003-10-10 Thread Petri Helenius
Does anyone know, either on the east coast US, London, Stockholm, Copenhagen, Amsterdam or Helsinki transit providers which would allow edge/handoff interface control to different traffic classes using BGP communities? (for example to announce DDoS destinations and/or sources with different com

Re: SOLVED? was Re: contact at yahoo mail?...

2003-10-10 Thread Suresh Ramasubramanian
Mark Jeftovic [10/10/03 08:33 -0400]: > > > I've received an email offlist that this problem should be back to > "pre-yesterday" conditions. It looks better on our end, as it should for > all else affected I would think. > Our problem looks considerably larger than pre yesterday conditions now

RE: Block all servers?

2003-10-10 Thread Christopher Bird
I agree that Michael is "right on". The social, psychological and financial issues are in many ways more tricky than the technical issus. However, I think there are ways to help. But first some history When I signed up for Cable broadband access several years ago, I was told, "And of course

SOLVED? was Re: contact at yahoo mail?...

2003-10-10 Thread Mark Jeftovic
I've received an email offlist that this problem should be back to "pre-yesterday" conditions. It looks better on our end, as it should for all else affected I would think. Thanks to all who replied, compared notes and emailed offlist with suggestions or ideas. -mark -- Mark Jeftovic <[EMAIL

The Cidr Report

2003-10-10 Thread cidr-report
This report has been generated at Fri Oct 10 21:48:24 2003 AEST. The report analyses the BGP Routing Table of an AS4637 (Reach) router and generates a report on aggregation potential within the table. Check http://www.cidr-report.org/as4637 for a current version of this report. Recent Table Hist

Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-10 Thread Suresh Ramasubramanian
[EMAIL PROTECTED] writes on 10/10/2003 4:39 PM: Why don't you come to the next NANOG in Miami in February and give a presentation on how people are doing these things? The trouble with a mailing list discussion is that it wanders all over the place. But at NANOG you could focus on the network oper

Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-10 Thread Michael . Dillon
>With all due respect, we have a *problem*. End user machines on >broadband connections are being misconfigured and/or compromised in >frightening numbers. These machines are being used for everything >from IRC flooder to spam engines, to DNS servers to massive DDoS >infrastructure. If the ab

Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-10 Thread Michael . Dillon
>I mentioned before that it doesn't really make much sense with web >hosting because the port can easily be changed so it's not very effective >at all. Stop thinking of policing the user and start thinking of providing a security service. The default setting of the security service might incl

Block all servers?

2003-10-10 Thread Michael . Dillon
>I think it's more complicated than "prevent residential users from >hosting servers". You're right. As soon as we begin talking about what all ISPs should do, we are out of the realm of technical solutions and into the realm of psychology and politics. After all, we first have to convince all

Re: large-scale IPSEC tunnel deployment

2003-10-10 Thread Neil J. McRae
> Hello, > Does anyone have any experience with large scale production IPSEC > tunnel deployment, where large scale is defined as over 100 net-to-net > tunnels to different destination networks active at any time? > If so, would such person(s) mind sharing any > quirks/platform

Re: Wired mag article on spammers playing traceroute games with trojaned boxes

2003-10-10 Thread Niels Bakker
* [EMAIL PROTECTED] (Andy Ellifson) [Fri 10 Oct 2003, 01:04 CEST]: > > And as soon as you call law enforcement what happends? The spammer is > located offshore. Then what? This hasn't stopped the FTC before. Recently it named a Dutch national in a complaint: http://www.ftc.gov/opa/2003/09/fyi

Re: Finding ASN from IP address

2003-10-10 Thread Henk Uijterwaal (RIPE-NCC)
Avleen, > I want to create a mapping of IP addresses to ASN, for a specific like > of IP addresses. Eg: > 1.2.3.4 > 12.34.56.78 > > etc, gathered from my system logs. > > What is the best way of doing this? > > I thought about something along the lines of: > install routing software (zebra?

Re: Sitefinder and DDoS

2003-10-10 Thread Bruce Campbell
On Thu, 9 Oct 2003, Kee Hinckley wrote: > At 10:41 PM +0300 10/9/03, Petri Helenius wrote: > >With $100M annual revenue at stake, I would be willing to provide > >distributed solutions > >to this problem if you send me a reasonable fraction of that money. > > But can you do it without breaking th