Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

On 27 Sep 2016, at 12:31, Jason Hofmann wrote: It probably was a tough sell to get people to realize they were fully responsible for their in-home wiring, but optional "inside wire maintenance plans" made that clear while also adding to providers' coffers. Perhaps something similar would

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

On 27 Sep 2016, at 12:14, Mark Andrews wrote: I'm yet to see a set top box, DVR, TV, games console, phone, etc. that didn't require selecting the WiFi SSID or require you to plug in a ethernet cable. I've 'seen' tens of millions of them, worldwide. You're generalizing your particular

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

In message , Roland Dobbins writes: > On 27 Sep 2016, at 11:43, Mark Andrews wrote: > > > Why not? You call a washing machine mechanic when the washing machine > > plays up. This is not conceptually different. > > Washing machines aren't a

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

On 27 Sep 2016, at 11:43, Mark Andrews wrote: Why not? You call a washing machine mechanic when the washing machine plays up. This is not conceptually different. Washing machines aren't a utility. Internet is viewed as a utility. Actually I don't believe that. They do know what machines

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

In message , Roland Dobbins wri tes: > > On 27 Sep 2016, at 6:58, Christopher Morrow wrote: > > > wouldn't something as simple as netflow/sflow/ipfix synthesized on the > > CPE and kept for ~30mins (just guessing) in a circular buffer be 'good >

Re: Request for comment -- BCP38

This seems to have split into a few different sub-threads and had some cross-talk on which network is being described where (thanks in no small part to my flub on John's figures and target), but this seems to be exactly the kind of info folks are looking for but missing at

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

On 27 Sep 2016, at 6:58, Christopher Morrow wrote: wouldn't something as simple as netflow/sflow/ipfix synthesized on the CPE and kept for ~30mins (just guessing) in a circular buffer be 'good enough' to present a pretty clear UI to the user? +1 for this capability in CPE. OTOH, it will be

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

In message

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

Therein lies the problem if the traffic does not look anomalous I suppose. But even if it does look unusual, ISPs would be asking consumers to trash/update/turn off a lot of devices in time – like when every home has 10s or 100s of these devices. ISP: Dear customer, looks like one of your

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

On Mon, Sep 26, 2016 at 7:49 PM, Mark Andrews wrote: > > Giving them real time access to the anomalous traffic log feed for > their residence would also help. They or the specialist they bring > in will be able to use that to trace back the problem. > > wouldn't this work better

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

In message <20160926234142.6e7705515...@rock.dv.isc.org>, Mark Andrews writes: > > In message <03dc1038-024a-4d9f-ac5b-3e88cdf56...@cable.comcast.com>, > "Livingood, Jason" writes: > > On 9/26/16, 7:09 PM, "NANOG on behalf of Mark Andrews" > ma...@isc.org> wrote: > > > A good ISP would be

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

In message <03dc1038-024a-4d9f-ac5b-3e88cdf56...@cable.comcast.com>, "Livingood, Jason" writes: > On 9/26/16, 7:09 PM, "NANOG on behalf of Mark Andrews" ma...@isc.org> wrote: > > A good ISP would be informing their customers that they are seeing > anomalous traffic. > > Therein lies the problem

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

On 9/26/16, 7:09 PM, "NANOG on behalf of Mark Andrews" wrote: > A good ISP would be informing their customers that they are seeing anomalous > traffic. Therein lies the problem if the traffic does not look anomalous I suppose. But even if it does look unusual, ISPs would be asking consumers to

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

On 9/25/16, 5:57 PM, "NANOG on behalf of Patrick W. Gilmore" wrote: > Yeah, ‘cause that was so successful in the past. > Remember University of Wisconsin vs. D-Link and their hard-coded NTP server > address? Ha! Yeah, an oldie but a

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

In message <20160926155649.14061.qm...@ary.lan>, "John Levine" writes: > >>That paper is about reflection attacks. From what I've read, this was > >>not a reflection attack. The IoT devices are infected with botware > >>which sends attack traffic directly. Address spoofing is not

routing issues between NTT/ATT/Level3?

Starting on 9/23 and really bad over the weekend we have had issues with end points out on AT's US network specifically in the Texas and Michigan areas. When our end points with AT drop, we end up losing monitored endpoints on Level3's network as well. Really bad periods of packetloss. Both of

is someone with BCP38.info update privs summarizing this discussion?

I think some pretty good information has surfaced, that would be WONDERFUL to have on that site.

Re: Request for comment -- BCP38

BCP 38 does NOT prevent multi-homed clients. Naive deployment of BCP 38 prevents multi-homed clients. There is NOTHING in BCP 38 that says you may not also accept other prefixes allocated to your clients. BCP 38 says accept allocated address, drop everything else. Now it should be possible

Re: Request for comment -- BCP38

Guys, You're getting wrapped around the axle. Start by solving the 90% problem, and worry about the 10% one later. BGP38 addresses the former very well, and the other 10% requires enough manual labor already that you can charge it back. Eliot On 9/26/16 8:44 PM, Laszlo Hanyecz wrote: > > >

Re: Lightower (ASN:46887) RTBH community info

Hi all, there is a well-known BLACKHOLE BGP community underway [0]: 65535:666 All transit providers and IXPs are kindly asked to support it. DE-CIX will support this community on all its IXPs soon. Best regards, Thomas [0]: https://datatracker.ietf.org/doc/draft-ietf-grow-blackholing/ On

Re: Request for comment -- BCP38

This means we can receive some packet on transit port A and then route out a ICMP response on port B using the interface address from port A. But transit B filters this ICMP packet because it has a source address belonging to transit A. Interesting. But this looks like a feature request for

Re: Lightower (ASN:46887) RTBH community info

Backwards from what you want (sorted by provider rather than supported "feature" e.g. RTBH), but: http://onesc.net/communities/ fwiw -- Hugo Slabbert | email, xmpp/jabber: h...@slabnet.com pgp key: B178313E | also on Signal On Mon 2016-Sep-26 14:23:10 -0500, George Skorup

Re: Lightower (ASN:46887) RTBH community info

Windstream: 7029:4507 GTT: 3257:2666 are the two I know of. On 9/26/2016 1:58 PM, Nick Ellermann wrote: I would love to know which ISP's support RTBH? We have struggled to get anyone to support communities. If their website says they do, their NOC sure doesn't know it or agree... I don't

Re: Request for comment -- BCP38

* Baldur Norddahl: > Den 26. sep. 2016 18.02 skrev "Mike Hammett" : >> >> The only asymmetric routing broken is when the source isn't in public > Internet route-able space. That just leaves those multi-ISP WAN routers > that NAT it. > > Some of our IP transits implement

Re: IP addresses being attacked in Krebs DDoS?

Just give me thise ips so i can add em in dronebl Kind regards, Alexander Maassen - Technical Maintenance Engineer Parkstad Support BV- Maintainer DroneBL- Peplink Certified Engineer Oorspronkelijk bericht Van: Brett Glass Datum: 25-09-16 22:01

Re: Request for comment -- BCP38

Den 26. sep. 2016 18.02 skrev "Mike Hammett" : > > The only asymmetric routing broken is when the source isn't in public Internet route-able space. That just leaves those multi-ISP WAN routers that NAT it. Some of our IP transits implement filtering. All of our transits assigned

RE: Lightower (ASN:46887) RTBH community info

I would love to know which ISP's support RTBH? We have struggled to get anyone to support communities. If their website says they do, their NOC sure doesn't know it or agree... I don't want to list names here, but truly we would love RTBH capabilities with our upstreams. Sincerely, Nick

Re: Request for comment -- BCP38

On 2016-09-26 18:03, John Levine wrote: If you have links from both ISP A and ISP B and decide to send traffic out ISP A's link sourced from addresses ISP B allocated to you, ISP A *should* drop that traffic on the floor. This is a legitimate and interesting use case that is broken by BCP38.

Re: Request for comment -- BCP38

>>> >>> If you have links from both ISP A and ISP B and decide to send traffic >>> out ISP A's link sourced from addresses ISP B allocated to you, ISP A >>> *should* drop that traffic on the floor. > >> This is a legitimate and interesting use case that is broken by BCP38. > >I don't agree that

Re: Request for comment -- BCP38

On Mon 2016-Sep-26 12:39:21 -0400, John R. Levine wrote: If we're talking about networks with that kind of MRC, is it really that far of a stretch to require PI space for this? Then again: If we're talking about that kind of MRC, then I'm assuming ISP A can be coaxed to

Re: Request for comment -- BCP38

If we're talking about networks with that kind of MRC, is it really that far of a stretch to require PI space for this? Then again: If we're talking about that kind of MRC, then I'm assuming ISP A can be coaxed to allow explicit and well-defined exceptions on the customer's links. Yes. A)

Re: Request for comment -- BCP38

On Mon 2016-Sep-26 12:25:58 -0400, John R. Levine wrote: I gather the usual customer response to this is "if you don't want our $50K/mo, I'm sure we can find another ISP who does." I myself am talking about the latter and included the option of PI space to cover that

Re: Request for comment -- BCP38

I would assume that on a broadband grade connection it shouldn't work unless you have a niche player and proper LOA. I would assume that on a BGP level circuit that it would work, again, given proper documentation (LOAs, IRRDB entry, etc.). IRRDBs make this wonderfully easier. By default,

Re: Request for comment -- BCP38

On 26 September 2016 at 16:47, Laszlo Hanyecz wrote: > > On 2016-09-26 15:12, Hugo Slabbert wrote: > >> >> If you have links from both ISP A and ISP B and decide to send traffic >> out ISP A's link sourced from addresses ISP B allocated to you, ISP A >> *should* drop that

Re: Request for comment -- BCP38

On Mon 2016-Sep-26 09:21:55 -0700, Hugo Slabbert wrote: On Mon 2016-Sep-26 11:15:11 -0500, Mike Hammett wrote: - Original Message - From: "John Levine" To: nanog@nanog.org Sent: Monday, September 26, 2016 11:04:33 AM Subject:

Re: Request for comment -- BCP38

On Mon 2016-Sep-26 11:15:11 -0500, Mike Hammett wrote: - Original Message - From: "John Levine" To: nanog@nanog.org Sent: Monday, September 26, 2016 11:04:33 AM Subject: Re: Request for comment -- BCP38 If you have links from both ISP A and ISP B

Re: Request for comment -- BCP38

Are you talking BGP level customers or individual small businesses' broadband service? - Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com - Original Message - From: "John Levine" To: nanog@nanog.org

Re: Request for comment -- BCP38

>If you have links from both ISP A and ISP B and decide to send traffic out >ISP A's link sourced from addresses ISP B allocated to you, ISP A *should* >drop that traffic on the floor. There is no automated or scalable way for >ISP A to distinguish this "legitimate" use from spoofing; unless

Re: Request for comment -- BCP38

On 9/26/16 07:47, Stephen Satchell wrote: On 09/26/2016 07:11 AM, Paul Ferguson wrote: No -- BCP38 only prescribes filtering outbound to ensure that no packets leave your network with IP source addresses which are not from within your legitimate allocation. So, to beat that horse to a

Re: Request for comment -- BCP38

The only asymmetric routing broken is when the source isn't in public Internet route-able space. That just leaves those multi-ISP WAN routers that NAT it. - Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com - Original

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

>>That paper is about reflection attacks. From what I've read, this was >>not a reflection attack. The IoT devices are infected with botware >>which sends attack traffic directly. Address spoofing is not particularly >>useful for controlling botnets. > >But that's not only remaining use of

Re: Request for comment -- BCP38

On 2016-09-26 15:12, Hugo Slabbert wrote: On Mon 2016-Sep-26 10:47:24 -0400, Ken Chase wrote: This might break some of those badly-behaving "dual ISP" COTS routers out there that use different inbound from outbound paths since each is the fastest of either link. As it

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

On Mon, Sep 26, 2016 at 7:23 AM, Mark Milhollan wrote: > > On Sun, 25 Sep 2016, Stephen Satchell wrote: > > >Yeah, right. I looked at BCP38.info, and there is very little concrete > >information. > > Yeah, it's pretty naked. But how-to isn't the usual stumbling block, as >

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

On Sun, 25 Sep 2016, Stephen Satchell wrote: >Yeah, right. I looked at BCP38.info, and there is very little concrete >information. Yeah, it's pretty naked. But how-to isn't the usual stumbling block, as has been pointed out in this thread there needs to be the will to spend resources

Re: Request for comment -- BCP38

On Mon 2016-Sep-26 10:47:24 -0400, Ken Chase wrote: This might break some of those badly-behaving "dual ISP" COTS routers out there that use different inbound from outbound paths since each is the fastest of either link. As it should. If you have links from both ISP A and

Re: Request for comment -- BCP38

On Mon 2016-Sep-26 07:47:50 -0700, Stephen Satchell wrote: On 09/26/2016 07:11 AM, Paul Ferguson wrote: No -- BCP38 only prescribes filtering outbound to ensure that no packets leave your network with IP source addresses which are not from within your legitimate

Re: Request for comment -- BCP38

> On Sep 26, 2016, at 7:47 AM, Stephen Satchell wrote: > > On 09/26/2016 07:11 AM, Paul Ferguson wrote: >> No -- BCP38 only prescribes filtering outbound to ensure that no >> packets leave your network with IP source addresses which are not >> from within your legitimate

Re: charges for prefix filter updates (was Re: Any ISPs using AS852 for IP Transit?)

I've used HE's tunnelbroker (BGP) a few times to get our ARIN space to a site while waiting on a local carrier to turn up v6, get the proper LOA, etc. I've received better service from the NOC there for a service I didn't pay for than I have from any ISP I've ever given money. They are doing a

Re: Request for comment -- BCP38

Re Stephen, > So, to beat that horse to a fare-thee-well, to be BCP38 compliant I need, on > every interface sending packets out to the internet, to block any source > address matching a subnet in the BOGON list OR not matching any of my > routeable network subnets? Plus add null-route entries

Re: charges for prefix filter updates (was Re: Any ISPs using AS852 for IP Transit?)

Followup: we did the quote/PO/sign-the-order dance. That took about 3-4 days not including our side's lag (which was not insignificant, Im not the guy with the pen). But now it's gone to provisioning and will be a standard *5 days*. Cogent will do this in about 1-6 hours if you provide the LOA's

Re: Request for comment -- BCP38

On 09/26/2016 07:11 AM, Paul Ferguson wrote: No -- BCP38 only prescribes filtering outbound to ensure that no packets leave your network with IP source addresses which are not from within your legitimate allocation. So, to beat that horse to a fare-thee-well, to be BCP38 compliant I need, on

Re: Request for comment -- BCP38

This might break some of those badly-behaving "dual ISP" COTS routers out there that use different inbound from outbound paths since each is the fastest of either link. I did this manually when I was messing around with multiple broadband links on a fbsd router years ago, was glad it worked at

Re: Request for comment -- BCP38

No -- BCP38 only prescribes filtering outbound to ensure that no packets leave your network with IP source addresses which are not from within your legitimate allocation. - ferg On September 26, 2016 7:05:49 AM PDT, Stephen Satchell wrote: >Is this an accurate thumbnail

Request for comment -- BCP38

Is this an accurate thumbnail summary of BCP38 (ignoring for the moment the issues of multi-home), or is there something I missed? The basic philosophy of BCP38 boils down to two axioms: Don't let the "bad stuff" into your router Don't let the "bad stuff" leave your router

RE: AS4233852001 advertising 192.0.0.0/2?

Looks like they're announcing quite a bit -Original Message- From: "Adam Greene" Sent: Monday, September 26, 2016 8:52am To: nanog@nanog.org Subject: AS4233852001 advertising 192.0.0.0/2? We were alerted to this by https://radar.qrator.net. This seems

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

On Sun, 25 Sep 2016 22:59:15 + Stephen Satchell wrote: > In short, I have yet to see a "cookbook" for BGP38 filtering, for ANY > filtering system -- BSD, Linux, Cisco. There is some here for integrating Team Cymru's bogon BGP service into various router platforms:

Re: One Year On: IPv4 Exhaust

> From: "Owen DeLong" > >> I know, but for the "server guys" turning on IPv6 it's pretty low on >> priority list. > > Which is a selfish, arrogant, and extremely short-sighted and unenlightened > view of self-interest. Yes, yes, but is it economically rational? Jared

Re: AS4233852001 advertising 192.0.0.0/2?

On Mon, Sep 26, 2016 at 08:52:20AM -0400, Adam Greene wrote: > We were alerted to this by https://radar.qrator.net. > > This seems wrong from a number of angles . Maybe the alerting system was confused. I don't see this confirmed in RIPE RIS: https://stat.ripe.net/AS4233852001#tabId=routing

AS4233852001 advertising 192.0.0.0/2?

We were alerted to this by https://radar.qrator.net. This seems wrong from a number of angles . Adam

Re: One Year On: IPv4 Exhaust

On Mon, Sep 26, 2016, at 01:01, Mark Andrews wrote: > > In message > <1474840690.4107784.736591409.28e80...@webmail.messagingengine.com>, > "Radu-Adrian Feurdean" writes: > > > > I know, but for the "server guys" turning on IPv6 it's pretty low on > > priority list. > > Are those server guys

Re: BCP38 deployment [ was Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey ]

❦ 26 septembre 2016 09:14 CEST, valdis.kletni...@vt.edu : >> Linux: >> From /etc/sysctl.conf: >> >> # Uncomment the next two lines to enable Spoof protection (reverse-path=20 >> # filter) >> # Turn on Source Address Verification in all interfaces to >> # prevent some spoofing attacks >>

Re: BCP38 deployment [ was Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey ]

On Sun, 25 Sep 2016 21:19:31 -0700, Hugo Slabbert said: > Linux: > From /etc/sysctl.conf: > > # Uncomment the next two lines to enable Spoof protection (reverse-path=20 > # filter) > # Turn on Source Address Verification in all interfaces to > # prevent some spoofing attacks >

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

Hi Ryan, On 9/25/16 11:50 PM, ryan landry wrote: > for isp's it's a resourcing vs revenue problem. always has been. Sure. The question is whether IoT can make a change in consumer attitudes. Riek, Bohme, et al have been working on this [1]. And there is earlier work as well. What that