BCP38 deployment [ was Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey ]

2016-09-25 Thread Hugo Slabbert
On Sun 2016-Sep-25 15:59:15 -0700, Stephen Satchell wrote: On 09/25/2016 07:32 AM, Jay R. Ashworth wrote: From: "Jay Farrell via NANOG" And of course Brian Krebs has a thing or two to say, not the least of which is to push for BCP38 (good luck with that,

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-25 Thread Hugo Slabbert
On Sun 2016-Sep-25 17:01:55 -0400, John R. Levine wrote: https://www.internetsociety.org/sites/default/files/01_5.pdf The attack is triggered by a few spoofs somewhere in the world. It is not feasible to stop this. That paper is about reflection attacks. From what I've

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-25 Thread John R. Levine
It’s safe to ignore the silent minority that cannot really tell what is happening in most cases, but that doesn’t mean it “works” for any standard I would consider valid. Huh. So you're saying Bill Woodcock doesn't have the skills to see how his traffic is failing? Regards, John Levine,

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-25 Thread Owen DeLong
Assuming all transit providers your packets may traverse on the way to all of your customers is the kind of thing that leads to me quoting Mr. Bush… “I encourage my competitors to try this.” Owen > On Sep 25, 2016, at 6:32 PM, Mark Andrews wrote: > > > In message

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-25 Thread Mark Andrews
In message , Owen DeLong writes: > > > On Sep 24, 2016, at 8:47 AM, John Levine wrote: > > > >>> Well...by anycast, I meant BGP anycast, spreading the "target" > >>> geographically to a dozen or more well connected/peered origins.

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-25 Thread Owen DeLong
> On Sep 24, 2016, at 8:47 AM, John Levine wrote: > >>> Well...by anycast, I meant BGP anycast, spreading the "target" >>> geographically to a dozen or more well connected/peered origins. At that >>> point, your ~600G DDoS might only be around >> >> anycast and tcp? the heck

Re: One Year On: IPv4 Exhaust

2016-09-25 Thread Mark Andrews
In message <1474840690.4107784.736591409.28e80...@webmail.messagingengine.com>, "Radu-Adrian Feurdean" writes: > On Sun, Sep 25, 2016, at 23:27, Mark Andrews wrote: > > > But it shows that if you turn on IPv6 on the servers you will get > > IPv6 traffic. We are no longer in a world where

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-25 Thread Stephen Satchell
On 09/25/2016 07:32 AM, Jay R. Ashworth wrote: From: "Jay Farrell via NANOG" > And of course Brian Krebs has a thing or two to say, not the least of which is > to push for BCP38 (good luck with that, right?). > >

Re: IP addresses being attacked in Krebs DDoS?

2016-09-25 Thread Patrick W. Gilmore
On Sep 25, 2016, at 6:35 PM, Brett Glass wrote: > At 03:50 PM 9/25/2016, Patrick W. Gilmore wrote: >> What Brett is asking seems reasonable, even useful. Unfortunately, it is not >> as simple as posting a list of addresses on a website. >> >> Many devices are compromised

Re: One Year On: IPv4 Exhaust

2016-09-25 Thread Owen DeLong
> On Sep 25, 2016, at 3:58 PM, Radu-Adrian Feurdean > wrote: > > On Sun, Sep 25, 2016, at 23:27, Mark Andrews wrote: > >> But it shows that if you turn on IPv6 on the servers you will get >> IPv6 traffic. We are no longer in a world where turning on IPv6 >>

Re: IP addresses being attacked in Krebs DDoS?

2016-09-25 Thread Damian Menscher via NANOG
On Sun, Sep 25, 2016 at 1:01 PM, Brett Glass wrote: > As an ISP who is pro-active when it comes to security, I'd like to know > what IP address(es) are being hit by the Krebs on Security DDoS attack. If > we know, we can warn customers that they are harboring infected PCs

Re: IP addresses being attacked in Krebs DDoS?

2016-09-25 Thread Brett Glass
At 03:50 PM 9/25/2016, Patrick W. Gilmore wrote: What Brett is asking seems reasonable, even useful. Unfortunately, it is not as simple as posting a list of addresses on a website. Many devices are compromised because of default user/pass settings. Publishing a list of IP addresses which are

Re: One Year On: IPv4 Exhaust

2016-09-25 Thread Owen DeLong
> On Sep 25, 2016, at 10:19 AM, Paul Thornton wrote: > > On 25/09/2016 01:54, Jay R. Ashworth wrote: >> One year ago today, at 12:36pm EDT, Facebook On This Day reminds me, John >> Curran announced that the last IPv4 address block in ARIN's Free Pool had >> been assigned. >> >>

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-25 Thread Nick Hilliard
Baldur Norddahl wrote: > The sad thing is that if we boot out grandma they will just switch to one > of our competitors and the TV will still be a bot. You can't win. Good thing the smart TV / other IoT manufacturers have taken the responsible approach and have committed to providing lifetime

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-25 Thread Baldur Norddahl
> i wish you luck with that. explaining to grandma that her samsung smart tv > has been rooted and needs to be updated should be good fun. The sad thing is that if we boot out grandma they will just switch to one of our competitors and the TV will still be a bot. You can't win.

Re: One Year On: IPv4 Exhaust

2016-09-25 Thread Radu-Adrian Feurdean
On Sun, Sep 25, 2016, at 23:27, Mark Andrews wrote: > But it shows that if you turn on IPv6 on the servers you will get > IPv6 traffic. We are no longer in a world where turning on IPv6 > got you a handful of connections. There are billions of devices > that can talk IPv6 to you today the

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-25 Thread Patrick W. Gilmore
On Sep 25, 2016, at 5:50 PM, ryan landry wrote: > On Sun, Sep 25, 2016 at 9:07 PM, Mark Andrews wrote: >> This is such a golden opportunity for each of you to find compromised >> hosts on your network or your customer's network. The number of >> genuine

Re: IP addresses being attacked in Krebs DDoS?

2016-09-25 Thread Patrick W. Gilmore
On Sep 25, 2016, at 4:01 PM, Brett Glass wrote: > As an ISP who is pro-active when it comes to security, I'd like to know what > IP address(es) are being hit by the Krebs on Security DDoS attack. If we > know, we can warn customers that they are harboring infected PCs

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-25 Thread ryan landry
On Sun, Sep 25, 2016 at 9:07 PM, Mark Andrews wrote: > > This is such a golden opportunity for each of you to find compromised > hosts on your network or your customer's network. The number of > genuine lookups of the blog vs the number of botted machines would > make it almost

Re: One Year On: IPv4 Exhaust

2016-09-25 Thread Mark Andrews
In message <1474836642.4090975.736557521.25674...@webmail.messagingengine.com>, "Radu-Adrian Feurdean" writes: > On Sun, Sep 25, 2016, at 18:29, Ca By wrote: > > Think it is fair to say big content and big eyeballs have moved to IPv6 > > (notable exceptions exist) > > > >

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-25 Thread Mark Andrews
This is such a golden opportunity for each of you to find compromised hosts on your network or your customer's network. The number of genuine lookups of the blog vs the number of botted machines would make it almost certain that anything directed at the blog is a compromised machine. A phone

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-25 Thread John R. Levine
https://www.internetsociety.org/sites/default/files/01_5.pdf The attack is triggered by a few spoofs somewhere in the world. It is not feasible to stop this. That paper is about reflection attacks. From what I've read, this was not a reflection attack. The IoT devices are infected with

Re: One Year On: IPv4 Exhaust

2016-09-25 Thread Radu-Adrian Feurdean
On Sun, Sep 25, 2016, at 19:40, Seth Mattinen wrote: > ARIN's last /8 was run to zero last year. > > Anything since then has been randomness from the waiting list such as: > https://www.arin.net/announcements/2016/20160902.html and a slightly more restricted "really last" /10 :

IP addresses being attacked in Krebs DDoS?

2016-09-25 Thread Brett Glass
As an ISP who is pro-active when it comes to security, I'd like to know what IP address(es) are being hit by the Krebs on Security DDoS attack. If we know, we can warn customers that they are harboring infected PCs and/or IoT devices. (And if all ISPs did this, it would be possible to curtail

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-25 Thread Alexander Lyamin
This time around it's not about spoofing. I presume this is development of the same botnet/worm that we saw day2 of Shellshock public disclosure - it was pretty high-tech - golang, arm/mips/x86 support, multiple attack vectors - including (surprisingly) very effective password guessing. It

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-25 Thread Brandon Butterworth
> From deles...@gmail.com Sun Sep 25 20:26:56 2016 > Sorry you don't understand how multinational companies and > peering agreements work Right, thanks for letting me know. > nor any of the relationships my past networks would have had with akamai I don't care what yours were in the past, if

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-25 Thread jim deleskie
Brandon, Sorry you don't understand how multinational companies and peering agreements work, nor any of the relationships my past networks would have had with akamai. But be confident in the fact none of your concerns would have been an issue and it certainly wasn't because decisions were made

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-25 Thread Brandon Butterworth
> From: jim deleskie > Sorry but you are mistaken. I've worked at Sr. levels for several LARGE and > medium sized networks. What does it cost and what do we make doing it, > overrules what is "good for the internet" every time it came up. "nice network you have there, shame

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-25 Thread Chris Woodfield
> On Sep 24, 2016, at 7:47 AM, John Levine wrote: > >>> Well...by anycast, I meant BGP anycast, spreading the "target" >>> geographically to a dozen or more well connected/peered origins. At that >>> point, your ~600G DDoS might only be around >> >> anycast and tcp? the heck

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-25 Thread Eliot Lear
Has anyone stopped to consider what a gift these hackers gave all of us? They exposed their capabilities and nobody got hurt. We all had a notion as to what sort of attacks were possible in theory. Now we have reality. Business being what it is, customers may not be interested in others'

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-25 Thread Ca By
On Sunday, September 25, 2016, jim deleskie wrote: > Sorry but you are mistaken. I've worked at Sr. levels for several LARGE > and medium sized networks. > > mazel tov > > What does it cost and what do we make doing it, overrules what is "good > for the internet" every

Re: One Year On: IPv4 Exhaust

2016-09-25 Thread Paul Thornton
On 25/09/2016 18:40, Seth Mattinen wrote: On 9/25/16 9:19 AM, Paul Thornton wrote: I can't find an equivalent ARIN page of "how much we've allocated from our last /8" - the statistics show that just over 2x /16s worth have been assigned/allocated between January 2016 and July 2016, so a lower

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-25 Thread jim deleskie
Sorry but you are mistaken. I've worked at Sr. levels for several LARGE and medium sized networks. What does it cost and what do we make doing it, overrules what is "good for the internet" every time it came up. On Sun, Sep 25, 2016 at 2:27 PM, Ca By wrote: > On Sunday,

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-25 Thread Ca By
On Sunday, September 25, 2016, John Levine wrote: > >> Yeh, bcp38 is not a viable solution. > > Krebs said this DDoS came from insecure IoT devices, of which there > are a kazillion, with the numbers growing every day. Why would they > need to spoof IPs? How would BCP38 help? >

Re: One Year On: IPv4 Exhaust

2016-09-25 Thread Seth Mattinen
On 9/25/16 9:19 AM, Paul Thornton wrote: I can't find an equivalent ARIN page of "how much we've allocated from our last /8" - the statistics show that just over 2x /16s worth have been assigned/allocated between January 2016 and July 2016, so a lower rate by some margin than RIPE - but there

Re: One Year On: IPv4 Exhaust

2016-09-25 Thread Ca By
On Sunday, September 25, 2016, Paul Thornton wrote: > > On 25/09/2016 17:29, Ca By wrote: > > For your use case, would ipv6 solve anything? >> >> Think it is fair to say big content and big eyeballs have moved to IPv6 >> (notable exceptions exist) >> >>

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-25 Thread Ca By
On Sunday, September 25, 2016, John Kristoff wrote: > On Sun, 25 Sep 2016 14:36:18 + > Ca By > wrote: > > > As long as there is one spoof capable network on the net, the problem > will > > not be solved. > > This is not strictly true. If it

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-25 Thread John Levine
>> Yeh, bcp38 is not a viable solution. Krebs said this DDoS came from insecure IoT devices, of which there are a kazillion, with the numbers growing every day. Why would they need to spoof IPs? How would BCP38 help? R's, John

Re: One Year On: IPv4 Exhaust

2016-09-25 Thread Mike Hammett
ARIN exhausted their last /8 about a year ago. - Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com - Original Message - From: "Paul Thornton" To: nanog@nanog.org Sent: Sunday, September 25, 2016

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-25 Thread John Kristoff
On Sun, 25 Sep 2016 14:36:18 + Ca By wrote: > As long as there is one spoof capable network on the net, the problem will > not be solved. This is not strictly true. If it could be determined where a large bulk of the spoofing came from, public pressure could be applied.

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-25 Thread Mike Hammett
You don't need complete adoption to reduce the attacks. If ASes representing 25% of the current spoofed traffic implemented BCP38, then guess what, there's 25% less of an attack. - Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX

Re: One Year On: IPv4 Exhaust

2016-09-25 Thread Paul Thornton
On 25/09/2016 17:29, Ca By wrote: For your use case, would ipv6 solve anything? Think it is fair to say big content and big eyeballs have moved to IPv6 (notable exceptions exist)

Re: One Year On: IPv4 Exhaust

2016-09-25 Thread Ca By
On Sunday, September 25, 2016, Paul Thornton wrote: > On 25/09/2016 01:54, Jay R. Ashworth wrote: > >> One year ago today, at 12:36pm EDT, Facebook On This Day reminds me, John >> Curran announced that the last IPv4 address block in ARIN's Free Pool had >> been assigned. >> >>

Re: One Year On: IPv4 Exhaust

2016-09-25 Thread Paul Thornton
On 25/09/2016 01:54, Jay R. Ashworth wrote: One year ago today, at 12:36pm EDT, Facebook On This Day reminds me, John Curran announced that the last IPv4 address block in ARIN's Free Pool had been assigned. How's that been workin' out for everyone? If you'll all indulge a bit of a

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-25 Thread Ca By
On Sunday, September 25, 2016, Jay R. Ashworth wrote: > - Original Message - > > From: "Ca By" > > > > On Sunday, September 25, 2016, Jay Farrell via NANOG > > > wrote: > > > >> And of course Brian Krebs

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-25 Thread Jay R. Ashworth
- Original Message - > From: "Ca By" > On Sunday, September 25, 2016, Jay Farrell via NANOG > wrote: > >> And of course Brian Krebs has a thing or two to say, not the least of which is >> to push for BCP38 (good luck with that, right?). >> >>

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-25 Thread Mike Hammett
I've heard people say doing BCP38 is hard for big networks and it is if you do it at your provider\peering edges. It's easier if done at the customer edge. Simply don't allow the traffic onto your network to start with. Limit the spoofing attacks to just a single random ASN. How much smaller

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-25 Thread Ca By
On Sunday, September 25, 2016, Jay Farrell via NANOG wrote: > And of course Brian Krebs has a thing or two to say, not the least of which is > to push for BCP38 (good luck with that, right?). > > https://krebsonsecurity.com/2016/09/the-democratization-of-censorship/ > > Yeh, bcp38

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-25 Thread Jay R. Ashworth
- Original Message - > From: "Jay Farrell via NANOG" > And of course Brian Krebs has a thing or two to say, not the least of which is > to push for BCP38 (good luck with that, right?). > > https://krebsonsecurity.com/2016/09/the-democratization-of-censorship/ Well, given

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-25 Thread Jay Farrell via NANOG
And of course Brian Krebs has a thing or two to say, not the least of which is to push for BCP38 (good luck with that, right?). https://krebsonsecurity.com/2016/09/the-democratization-of-censorship/ On Sun, Sep 25, 2016 at 12:43 AM, Jay R. Ashworth wrote: > - Original

Re: Status of IPv6 on Charter Communications

2016-09-25 Thread Paul B. Henson
On Sat, Sep 10, 2016 at 11:14:13AM -0400, David Hill wrote: > On Sat, Sep 10, 2016 at 06:55:59AM -0700, Stephen Satchell wrote: > > Would someone at Charter Communications who is on this list indicate the > > roll-out schedule for IPv6 to business customers using cable modems as > > opposed to