JunOS NTP - Re: OpenNTPProject.org

2014-02-18 Thread Jared Mauch
So, be careful as the Juniper solution varies depending on the platform involved. Make sure you check your devices. It took a few iterations for us to get the right filters on everything. - Jared On Feb 17, 2014, at 12:26 AM, Yucong Sun sunyuc...@gmail.com wrote: Just for the reference,

Re: Work Practices of Cyber Security Professionals

2014-02-18 Thread Valdis . Kletnieks
On Mon, 17 Feb 2014 15:27:25 +, Muhammad Adnan said: I am a university researcher who is investigating the development of new, usable tools that will improve the work practices of cyber security professionals. As a first step to achieve this goal, I am undertaking a survey to gain an

RE: OpenNTPProject.org

2014-02-18 Thread Mike Walter
For knowledge on the list. We found that our Cisco Nexus 7000s had NTP enabled on our public facing VDCs, even when the command feature ntp was not present. I had to explicitly enter no feature ntp to prevent the NTP server service from existing on our public facing 7K interfaces. Thanks,

Telia contact

2014-02-18 Thread Jay Coley
Hi, If there are any Telia engineers lurking about could you please contact me off-list regarding a routing question? Thanks! --J

Re: JunOS NTP - Re: OpenNTPProject.org

2014-02-18 Thread John Kristoff
On Tue, 18 Feb 2014 09:14:59 -0500 Jared Mauch ja...@puck.nether.net wrote: prefix-list ntp-servers { apply-path system ntp server *; Some people also have a 'boot-server [server]' statement. In the off chance that address is different than those listed in the server statements,

Re: JunOS NTP - Re: OpenNTPProject.org

2014-02-18 Thread Mark Tinka
On Tuesday, February 18, 2014 04:14:59 PM Jared Mauch wrote: So, be careful as the Juniper solution varies depending on the platform involved. Make sure you check your devices. It took a few iterations for us to get the right filters on everything. Indeed. In particular, different

Everyone should be deploying BCP 38! Wait, they are ….

2014-02-18 Thread Jay Ashworth
Here's a piece which uses the MIT ANA data to assert that the job is mostly done already. Unless I'm very much mistaken, it appears that a large percentage of the failed BCP 38 spoofing tests listed in that data are actually due to customer side NAT routers dropping packets... which is of

looking for feedback on virtual/dedicated server providers in latin/south america/UK

2014-02-18 Thread Carlos Kamtha
Hi, Just wondering if anyone could share some experiences with server providers specifically in Argentina, Colombia and Costa Rica, and pretty much anywhere in the UK region. Please respond offlist. Any feedback would be greatly appreciated. :) Carlos.

Re: Everyone should be deploying BCP 38! Wait, they are ....

2014-02-18 Thread Dave Bell
That article is terrible. Looking at the stats provided, only 2582 unique AS's were tested. http://www.cidr-report.org/as2.0/#General_Status has over 46k AS's currently in the routing table. This means they have tested around 5% of the AS's on the Internet. Dave On 18 February 2014 17:20, Jay

Re: Everyone should be deploying BCP 38! Wait, they are ....

2014-02-18 Thread Patrick W. Gilmore
Barry is a well respected security researcher. I'm surprised he posted this. In his defense, he did it over a year ago (June 11, 2012). Maybe we should ask him about it. I'll do that now -- TTFN, patrick On Feb 18, 2014, at 13:31 , Dave Bell m...@geordish.org wrote: That article is

Re: looking for feedback on virtual/dedicated server providers in latin/south america/UK

2014-02-18 Thread Sam Moats
I have to recommend Linode in the UK, from my experience they have their act together and their prices are reasonable. Sam Moats Circle Net On 2014-02-18 12:50, Carlos Kamtha wrote: Hi, Just wondering if anyone could share some experiences with server providers specifically in argentina,

Re: Everyone should be deploying BCP 38! Wait, they are ….

2014-02-18 Thread Larry Sheldon
On 2/18/2014 11:20 AM, Jay Ashworth wrote: Here's a piece which uses the MIT ANA data to assert that the job is mostly done already. Unless I'm very much mistaken, it appears that a large percentage of the failed BCP 38 spoofing tests listed in that data are actually due to customer side NAT

Re: Everyone should be deploying BCP 38! Wait, they are ....

2014-02-18 Thread James Milko
Is using data from a self-selected group even meaningful when extrapolated? It's been a while since Stats in college, and it's very likely the guys from MIT know more than I do, but one of the big things they pushed was random sampling. JM On Tue, Feb 18, 2014 at 2:11 PM, Larry Sheldon

Re: Everyone should be deploying BCP 38! Wait, they are ....

2014-02-18 Thread Jared Mauch
On Feb 18, 2014, at 1:40 PM, Patrick W. Gilmore patr...@ianai.net wrote: Barry is a well respected security researcher. I'm surprised he posted this. In his defense, he did it over a year ago (June 11, 2012). Maybe we should ask him about it. I'll do that now I'm not surprised in any

Changing the way we talk about BCP38 [Was: Re: Everyone should be deploying BCP 38! Wait, they are ....]

2014-02-18 Thread Paul Ferguson
Below: On 2/18/2014 11:22 AM, Jared Mauch wrote: On Feb 18, 2014, at 1:40 PM, Patrick W. Gilmore patr...@ianai.net wrote: Barry is a well respected security researcher. I'm surprised he posted this. In his defense, he did it over a year

HP to Cisco fiber

2014-02-18 Thread Eric J Esslinger
I've talked to HP and Cisco and neither side will commit to any kind of answer to this question, so I thought I'd ask it here: Does anyone know if a Cisco switch equipped with a 1000BASE-BX10-D SFP will connect to an HP switch equipped with a HP X122 1G SFP LC BX-U Transceiver J9143B SFP,

Re: Everyone should be deploying BCP 38! Wait, they are ....

2014-02-18 Thread Jay Ashworth
- Original Message - From: Dave Bell m...@geordish.org That article is terrible. Looking at the stats provided, only 2582 unique AS's were tested. http://www.cidr-report.org/as2.0/#General_Status has over 46k AS's currently in the routing table. This means they have tested

BCP38 filtering on Mobile IP networks

2014-02-18 Thread Jay Ashworth
I note that the MIT ANA tester is only for desktop OSs, and none of the network tools I've collected for Android have BCP38 filter testing built in. Does anyone know if there are such tools for Android and for iOS? I assume that tether testing from a PC would be useless, as the NAT

Re: HP to Cisco fiber

2014-02-18 Thread Jared Mauch
On Feb 18, 2014, at 2:44 PM, Eric J Esslinger eesslin...@fpu-tn.com wrote: I've talked to HP and Cisco and neither side will commit to any kind of answer to this question, so I thought I'd ask it here: Does anyone know if a Cisco switch equipped with a 1000BASE-BX10-D SFP will connect to

Re: Everyone should be deploying BCP 38! Wait, they are ....

2014-02-18 Thread Robert Drake
On 2/18/2014 2:19 PM, James Milko wrote: Is using data from a self-selected group even meaningful when extrapolated? It's been a while since Stats in college, and it's very likely the guys from MIT know more than I do, but one of the big things they pushed was random sampling. JM Isn't it

Re: Everyone should be deploying BCP 38! Wait, they are ....

2014-02-18 Thread Tony Tauber
I agree that Barry's post can be read in misleading ways and I seem to recall chatting about that with him at some point. As to one poster's comment about random sampling, I'm pretty sure the Spoofer project likely fell short in a number of ways (e.g. being documented in not every language). So,

Re: Everyone should be deploying BCP 38! Wait, they are ....

2014-02-18 Thread Jay Ashworth
Spybot, adaware, and MalWare bytes. I hadn't even thought of them; I was all fixated on Ookla... and why it wouldn't work. I will query those folks. Cheers, - jra On February 18, 2014 3:56:19 PM EST, Robert Drake rdr...@direcpath.com wrote: On 2/18/2014 2:19 PM, James Milko wrote: Is using

Re: Changing the way we talk about BCP38 [Was: Re: Everyone should be deploying BCP 38! Wait, they are ....]

2014-02-18 Thread Dobbins, Roland
On Feb 19, 2014, at 2:43 AM, Paul Ferguson fergdawgs...@mykolab.com wrote: This is why I am now using the phrase anti-spoofing when talking about this in public. +1 It's also more semantically correct, in many cases. ---

Fibre/Layer2 In San Jose

2014-02-18 Thread Geraint Jones
Hi I am wondering if anyone knows anyone with Fibre or L2 service between Equinix SV1 (11 Great Oaks) and CoreSite (55 S Market). It seems we need it sooner rather than later. Thanks. -- Geraint Jones Director of Systems Infrastructure Koding https://koding.com gera...@koding.com Phone

Re: Everyone should be deploying BCP 38! Wait, they are ....

2014-02-18 Thread Dobbins, Roland
On Feb 19, 2014, at 4:52 AM, Tony Tauber ttau...@1-4-5.net wrote: maybe we should conclude that most of the spoofing is coming from somewhere else; perhaps including colo and cloud providers. My theory - not yet backed by data - is that probably most spoofed traffic these days does in fact

spamassassin

2014-02-18 Thread Randy Bush
in the last 3-4 days, a *massive* amount of spam is making it past spamassassin to my users and to me. see appended for example. not all has dkim. clue? randy From: SmallCapStockPlays i...@smallcapstockplays.com Subject: Could VIIC be our biggest play in 2014? Check the stock today To:

Re: Work Practices of Cyber Security Professionals

2014-02-18 Thread Muhammad Adnan
Dear Valdis, 1) If you're including network admins, you should also make sure to get system admins (though you'll be more successful asking elsewhere for those). We are also targeting system admins. As I mentioned in my e-mail, targeted participants for this survey are those who perform security

Re: spamassassin

2014-02-18 Thread Private Sender
Randy Bush wrote: in the last 3-4 days, a *massive* amount of spam is making it past spamassassin to my users and to me. see appended for example. not all has dkim. clue? randy From: SmallCapStockPlays i...@smallcapstockplays.com Subject: Could VIIC be our biggest play in 2014? Check the

Re: spamassassin

2014-02-18 Thread Randy Bush
They are smart and dkim sign their messages; even though it's invalid I believe that's why it has such a low bayes score. lots of the spam getting through has no dkim It's getting marked as ham and not spam. Are you positive your definitions are still updating? sa-update has run. and it

Re: spamassassin

2014-02-18 Thread Michael Thomas
On 02/18/2014 05:52 PM, Randy Bush wrote: in the last 3-4 days, a *massive* amount of spam is making it past spamassassin to my users and to me. see appended for example. not all has dkim. It's been a while since I've been in this world, but I wonder whether bayes filters are using the

random dns queries with random sources

2014-02-18 Thread Joe Maimon
Hey all, DNS amplification spoofed source attacks, I get that. I even thought I was getting mitigation down to acceptable levels. But now this. At different times during the previous days and on different resolvers, routers with proxy turned on, etc... Thousands of queries with thousands of

Re: spamassassin

2014-02-18 Thread Suresh Ramasubramanian
DKIM serves to authenticate the source of the message. So this is a stock tip spam sent through an email service provider called icontact, and the dkim signature declares that. Just that and nothing more. Says nothing at all about the email's reputation - whether it is spam or not. --srs On

Re: spamassassin

2014-02-18 Thread Larry Sheldon
On 2/18/2014 8:42 PM, Randy Bush wrote: They are smart and dkim sign their messages; even though it's invalid I believe that's why it has such a low bayes score. lots of the spam getting through has no dkim It's getting marked as ham and not spam. Are you positive your definitions are still

Re: random dns queries with random sources

2014-02-18 Thread Mark Andrews
In message 5304201a.3040...@ttec.com, Joe Maimon writes: Hey all, DNS amplification spoofed source attacks, I get that. I even thought I was getting mitigation down to acceptable levels. But now this. At different times during the previous days and on different resolvers, routers with

Re: random dns queries with random sources

2014-02-18 Thread ML
I couldn't resolve that domain or subdomains that I tried. If that domain did respond, I'd guess it's tailored to be a large junky response. Varying the qname prevents people from using iptables to block specific queries. On 2/18/2014 10:08 PM, Joe Maimon wrote: Hey all, DNS

Re: random dns queries with random sources

2014-02-18 Thread Joe Maimon
Mark Andrews wrote: What is the purpose of this? Indirect attack on the 5kkx.com servers? 18-Feb-2014 21:45:24.982 queries: info: client 38.89.3.12#19391: query: swe.5kkx.com IN A + (66.199.132.5) I have seen dozens of different second level parts. How is this any more effective than

Re: random dns queries with random sources

2014-02-18 Thread Doug Barton
On 02/18/2014 07:08 PM, Joe Maimon wrote: Thousands of queries with thousands of source ip addresses. Pardon if I missed a memo, but how are your resolver systems receiving these thousands of very different source addresses? Doug

Re: random dns queries with random sources

2014-02-18 Thread Warren Bailey
Totally was trying to figure out how to ask the same thing. How exactly are you the POC in this situation? lol On 2/18/14, 7:35 PM, Doug Barton do...@dougbarton.us wrote: On 02/18/2014 07:08 PM, Joe Maimon wrote: Thousands of queries with thousands of source ip addresses. Pardon if I missed a

Re: random dns queries with random sources

2014-02-18 Thread Dobbins, Roland
On Feb 19, 2014, at 10:08 AM, Joe Maimon jmai...@ttec.com wrote: What is the purpose of this? Resource-exhaustion attack against the recursive DNS? --- Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

Re: random dns queries with random sources

2014-02-18 Thread Dobbins, Roland
On Feb 19, 2014, at 10:32 AM, Joe Maimon jmai...@ttec.com wrote: How is this any more effective than sending it direct? If they're attacking the authoritative DNS servers for 5kkx.com, just reflecting gives them indirection and presumably makes traceback harder for 5kkx.com (at least, in the

Re: random dns queries with random sources

2014-02-18 Thread Christopher Morrow
On Tue, Feb 18, 2014 at 10:44 PM, Dobbins, Roland rdobb...@arbor.net wrote: On Feb 19, 2014, at 10:08 AM, Joe Maimon jmai...@ttec.com wrote: What is the purpose of this? Resource-exhaustion attack against the recursive DNS? so... I could be nuts, but in the example joe clipped, the resolved

Re: random dns queries with random sources

2014-02-18 Thread Dobbins, Roland
On Feb 19, 2014, at 10:44 AM, Dobbins, Roland rdobb...@arbor.net wrote: Resource-exhaustion attack against the recursive DNS? Fat-finger, sorry - should also state 'Or against the authoritative servers for 5kkx.com?' ---

Re: random dns queries with random sources

2014-02-18 Thread Christopher Morrow
On Tue, Feb 18, 2014 at 10:47 PM, Christopher Morrow morrowc.li...@gmail.com wrote: On Tue, Feb 18, 2014 at 10:44 PM, Dobbins, Roland rdobb...@arbor.net wrote: On Feb 19, 2014, at 10:08 AM, Joe Maimon jmai...@ttec.com wrote: What is the purpose of this? Resource-exhaustion attack against

Re: random dns queries with random sources

2014-02-18 Thread George Herbert
Right. Nonzero chances that you (Joe's site) are the target... Also, check if you have egress filtering of spoofed addresses below these DNS resources, between them and any user objects. You could be sourcing the spoofing if not... On Tue, Feb 18, 2014 at 7:44 PM, Dobbins, Roland

Re: random dns queries with random sources

2014-02-18 Thread Joe Maimon
Doug Barton wrote: On 02/18/2014 07:08 PM, Joe Maimon wrote: Thousands of queries with thousands of source ip addresses. Pardon if I missed a memo, but how are your resolver systems receiving these thousands of very different source addresses? Doug Thousands of queries _from_ thousands

Re: random dns queries with random sources

2014-02-18 Thread Joe Maimon
Dobbins, Roland wrote: On Feb 19, 2014, at 10:08 AM, Joe Maimon jmai...@ttec.com wrote: What is the purpose of this? Resource-exhaustion attack against the recursive DNS? On anything that is going to stay open, not even close.

Re: spamassassin

2014-02-18 Thread Private Sender
On 2/18/2014 7:10 PM, Suresh Ramasubramanian wrote: DKIM serves to authenticate the source of the message. So this is a stock tip spam sent through an email service provider called icontact, and the dkim signature declares that. Just that and

Re: random dns queries with random sources

2014-02-18 Thread Dobbins, Roland
On Feb 19, 2014, at 10:48 AM, Christopher Morrow morrowc.li...@gmail.com wrote: apologies. both chl.net and chl.com ... which appear to be parts of ttec ... which is joe. Premature send - I meant to add 'Or against the authoritative servers for 5kkx.com?' We've been seeing a spate of

Re: random dns queries with random sources

2014-02-18 Thread Doug Barton
On 02/18/2014 07:59 PM, Joe Maimon wrote: Doug Barton wrote: On 02/18/2014 07:08 PM, Joe Maimon wrote: Thousands of queries with thousands of source ip addresses. Pardon if I missed a memo, but how are your resolver systems receiving these thousands of very different source addresses? Doug

Re: spamassassin

2014-02-18 Thread Suresh Ramasubramanian
I would not advise that. Plenty of things can render a dkim sig invalid. Not all of them are evidences of malice. You might be well advised to check for a DMARC record (which asserts policy using a combination of DKIM and SPF) and if there's a reject there, feel free to trash the email if

Re: random dns queries with random sources

2014-02-18 Thread Joe Maimon
Doug Barton wrote: On 02/18/2014 07:59 PM, Joe Maimon wrote: Are you running open resolvers? Yes If so, please stop doing that, No it's widely known to be a bad idea for over a decade now, At this point, doing anything on the internet is a bad idea. and you are providing the

Re: random dns queries with random sources

2014-02-18 Thread Joe Maimon
George Herbert wrote: Right. Nonzero chances that you (Joe's site) are the target... Also, check if you have egress filtering of spoofed addresses below these DNS resources, between them and any user objects. You could be sourcing the spoofing if not... It seems to me that the

Re: random dns queries with random sources

2014-02-18 Thread Dobbins, Roland
On Feb 19, 2014, at 12:44 PM, Joe Maimon jmai...@ttec.com wrote: Get back to me when the same can't be done with auth servers. There are ways to deal with it on authoritative servers, like RRL. --- Roland Dobbins

Re: random dns queries with random sources

2014-02-18 Thread Dobbins, Roland
On Feb 19, 2014, at 12:48 PM, Joe Maimon jmai...@ttec.com wrote: What I can't figure out is what is the target and how this attack method is any more effective than the others. The target appears to be the authoritative servers for the domain in question, yes? The attacker may consider it

Re: random dns queries with random sources

2014-02-18 Thread Owen DeLong
On Feb 18, 2014, at 9:48 PM, Joe Maimon jmai...@ttec.com wrote: George Herbert wrote: Right. Nonzero chances that you (Joe's site) are the target... Also, check if you have egress filtering of spoofed addresses below these DNS resources, between them and any user objects. You could

Re: random dns queries with random sources

2014-02-18 Thread Joe Maimon
Dobbins, Roland wrote: On Feb 19, 2014, at 12:44 PM, Joe Maimon jmai...@ttec.com wrote: Get back to me when the same can't be done with auth servers. There are ways to deal with it on authoritative servers, like RRL. There are ways to deal with it on resolvers as well, like RRL and IDS

Re: random dns queries with random sources

2014-02-18 Thread Joe Maimon
Dobbins, Roland wrote: On Feb 19, 2014, at 12:48 PM, Joe Maimon jmai...@ttec.com wrote: What I can't figure out is what is the target and how this attack method is any more effective than the others. The target appears to be the authoritative servers for the domain in question, yes? I

Re: random dns queries with random sources

2014-02-18 Thread Dobbins, Roland
On Feb 19, 2014, at 1:07 PM, Joe Maimon jmai...@ttec.com wrote: There are ways to deal with it on resolvers as well, like RRL and IDS and iptables None of these things work well for recursive resolvers; they cause more problems than they solve.

Re: spamassassin

2014-02-18 Thread Randy Bush
as i said, much of the crap coming through, 10-20 times normal, does not have dkim. i suggest that focusing on dkim is a red herring. and yes, i know how dkim works. If that is the case, there must be some way to configure to reject if the dkim signature is invalid. 5.0-0.8 is a large value,

Re: random dns queries with random sources

2014-02-18 Thread Joe Maimon
Owen DeLong wrote: On Feb 18, 2014, at 9:48 PM, Joe Maimon jmai...@ttec.com wrote: This assumes several facts not in evidence: 1. It is an attack. 2. It is deliberate 3. There is a target 4. It is more effective than others On what do you base those assumptions? To

Re: random dns queries with random sources

2014-02-18 Thread Joe Maimon
Dobbins, Roland wrote: On Feb 19, 2014, at 1:07 PM, Joe Maimon jmai...@ttec.com wrote: There are ways to deal with it on resolvers as well, like RRL and IDS and iptables None of these things work well for recursive resolvers; they cause more problems than they solve. Whatever I am

Re: spamassassin

2014-02-18 Thread Daniel Staal
--As of February 19, 2014 9:52:57 AM +0800, Randy Bush is alleged to have said: in the last 3-4 days, a *massive* amount of spam is making it past spamassassin to my users and to me. see appended for example. not all has dkim. clue? --As for the rest, it is mine. The spamassassin list

Re: spamassassin

2014-02-18 Thread Randy Bush
A fix should be in the rules update today or tomorrow - or you can rescore it to the same as BAYES_99 (someplace in the 3 range by default, I believe). That's what used to catch that mail: it used to mean 99-100%, and now means 99-99.9%. trying the copy 99-999 now. thanks! randy