Re: Tier1 BGP filter generation data sources & frequency

2021-05-24 Thread Aftab Siddiqui
Hi Jon, (and anyone with similar issues)


> BTW...speaking of MANRS, if there's someone on-list who can help out with
> some questions, I'd appreciate the contact.  For $work, I'd been talking
> to Kevin Meynell about our joining.  It fell through the cracks and
> recently popped back up.  Recent email to Kevin got no reply.


Kevin is the right person but the email queue recently has doubled (more
than double in just 2021). We have implemented the ticketing system now in
order to avoid this happening again. But still no excuses :( you can keep
ma...@isoc.org in loop


> The MANRS web site could use quite a bit of clarification (or maybe just
> toss it and
> start over).
>

Yes, we are taking the latter approach. Couple of months and it should be
better.


Re: Tier1 BGP filter generation data sources & frequency

2021-05-24 Thread babydr DBA James W. Laferriere

Hello Jon ,

On Mon, 24 May 2021, Jon Lewis wrote:

> On Mon, 24 May 2021, Job Snijders via NANOG wrote:
>
>> On Mon, May 24, 2021 at 02:04:32PM -0400, Luca Salvatore wrote:
>>> Curious if anyone is aware of other Tier1s deprecating support for RADB?
>>
>> Rather than deprecating RADB, I think the industry would be better off
>> if either RADB or the Tier1s (in their local caching layer) deploy IRR
>> database software capable of RPKI Origin Validation ala RIPE-731.
>
> I suspect the attitude is "why bother when we can just require that everyone
> use the IRR run by their RIR, rely on the RIR to not allow bogosity in their
> IRR, and keep using our existing software, just limiting the IRR sources from
> which it'll accept objects?"

	While I am not a big player (or even a bump in the road) in this group I
do find it rather odd that people & corporate entities allow (& sponsor)
another grab at ,  imo ,  taking over the proper way we as players in this
arena should be working WITH each other .  The "just leave it to big brother"
is just plain a cop out to laziness (agn imo) .

Sorry I'll say no more on the above as I'd just rant .

> BTW...speaking of MANRS, if there's someone on-list who can help out with
> some questions, I'd appreciate the contact.  For $work, I'd been talking to
> Kevin Meynell about our joining.  It fell through the cracks and recently
> popped back up.  Recent email to Kevin got no reply.  The MANRS web site
> could use quite a bit of clarification (or maybe just toss it and start
> over).

	To be honest the manrs site left me feeling rather blase' ,  The place
that interested me is the Implementation Guide .  Which seems to be a compendium
of the [RFC|BCP]'s of the Proper way to maintain records at and with the entity
that dispenses the resource(s) being used .

> Also, I'm curious how common it is for networks to build IRR-based
> prefix-list filters for all their peers (i.e. IX peers, where you have lots
> of peers)?
>
> --
> Jon Lewis, MCP :)   |  I route
> StackPath, Sr. Neteng   |  therefore you are
> _ http://www.lewis.org/~jlewis/pgp for PGP public key_



Twyl ,  Back to silent mode .  JimL
--
+-+
| James   W.   Laferriere| SystemTechniques | Give me VMS |
| Network & System Engineer  | 3237 Holden Road |  Give me Linux  |
| j...@system-techniques.com | Fairbanks, AK. 99709 |   only  on  AXP |
+-+


Re: Tier1 BGP filter generation data sources & frequency

2021-05-24 Thread Jon Lewis

On Mon, 24 May 2021, Job Snijders via NANOG wrote:

> On Mon, May 24, 2021 at 02:04:32PM -0400, Luca Salvatore wrote:
>> Curious if anyone is aware of other Tier1s deprecating support for RADB?
>
> Rather than deprecating RADB, I think the industry would be better off
> if either RADB or the Tier1s (in their local caching layer) deploy IRR
> database software capable of RPKI Origin Validation ala RIPE-731.

I suspect the attitude is "why bother when we can just require that
everyone use the IRR run by their RIR, rely on the RIR to not allow
bogosity in their IRR, and keep using our existing software, just
limiting the IRR sources from which it'll accept objects?"


BTW...speaking of MANRS, if there's someone on-list who can help out with 
some questions, I'd appreciate the contact.  For $work, I'd been talking 
to Kevin Meynell about our joining.  It fell through the cracks and 
recently popped back up.  Recent email to Kevin got no reply.  The MANRS 
web site could use quite a bit of clarification (or maybe just toss it and 
start over).


Also, I'm curious how common it is for networks to build IRR-based 
prefix-list filters for all their peers (i.e. IX peers, where you 
have lots of peers)?


--
 Jon Lewis, MCP :)   |  I route
 StackPath, Sr. Neteng   |  therefore you are
_ http://www.lewis.org/~jlewis/pgp for PGP public key_


Re: Tier1 BGP filter generation data sources & frequency

2021-05-24 Thread Job Snijders via NANOG
On Mon, May 24, 2021 at 02:04:32PM -0400, Luca Salvatore wrote:
> Curious if anyone is aware of other Tier1s deprecating support for RADB?

Rather than deprecating RADB, I think the industry would be better off
if either RADB or the Tier1s (in their local caching layer) deploy IRR
database software capable of RPKI Origin Validation ala RIPE-731.

https://www.ripe.net/publications/docs/ripe-731

http://irrd.net/

Kind regards,

Job
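
An added example (not code from this thread, from IRRd, or from any Tier1's tooling) of the idea in the message above: run RFC 6811-style origin validation over IRR route objects and drop the RPKI-invalid ones before building the kind of per-peer prefix-list asked about earlier in the thread. The ROAs, route objects, ASNs and function names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class ROA:                 # one Validated ROA Payload (VRP)
    prefix: str
    max_length: int
    asn: int

@dataclass(frozen=True)
class RouteObject:         # the IRR route/route6 fields that matter for filtering
    prefix: str
    origin: int
    source: str

# Constructed sample data: documentation prefixes and ASNs, not real registrations.
ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("198.51.100.0/24", 24, 64497),
    ROA("2001:db8::/32", 48, 64496),
]
IRR_OBJECTS = [
    RouteObject("192.0.2.0/24", 64496, "RIPE"),
    RouteObject("198.51.100.0/24", 64511, "RADB"),      # origin conflicts with the ROA
    RouteObject("2001:db8:1::/48", 64496, "ARIN"),
    RouteObject("2001:db8:1:100::/56", 64496, "RADB"),  # longer than maxLength
    RouteObject("203.0.113.0/24", 64496, "ALTDB"),      # no covering ROA
]

def rov_state(prefix, origin, roas):
    """Return 'valid', 'invalid' or 'not-found' for (prefix, origin)."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue                      # this ROA does not cover the prefix
        covered = True
        # An AS0 ROA covers the prefix but can never make a route valid.
        if roa.asn != 0 and roa.asn == origin and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covered else "not-found"

def filter_irr(objects, roas):
    """Split route objects into (kept, rejected); rejected are RPKI-invalid."""
    kept, rejected = [], []
    for obj in objects:
        state = rov_state(obj.prefix, obj.origin, roas)
        (rejected if state == "invalid" else kept).append((obj, state))
    return kept, rejected

def prefix_list(kept, peer_asns):
    """Sorted, de-duplicated prefixes to accept from a peer whose AS-SET
    expands to peer_asns (the expansion itself is assumed done elsewhere)."""
    nets = {ipaddress.ip_network(o.prefix) for o, _ in kept if o.origin in peer_asns}
    return [str(n) for n in sorted(nets, key=lambda n: (n.version, n))]

if __name__ == "__main__":
    kept, rejected = filter_irr(IRR_OBJECTS, ROAS)
    for obj, state in rejected:
        print(f"drop {obj.prefix} AS{obj.origin} ({obj.source}): RPKI {state}")
    print("accept from AS64496:", prefix_list(kept, {64496}))
```

Objects with no covering ROA are kept as not-found, so IRR data still carries prefixes whose holders have not published ROAs.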


Re: Tier1 BGP filter generation data sources & frequency

2021-05-24 Thread Christopher Morrow
On Sun, May 23, 2021 at 4:29 PM Laura Smith via NANOG 
wrote:

> I thought everyone was supposed to be migrating to MANRS. ;-)
>
>
...if you aren't cracking a joke about the 15th of 14 standards...

MANRS is an umbrella project that is supposed to (depending on where you
fit in the ecosystem, but generally):
  1) bcp-38 your customer/your traffic
  2) publish your routing intent data in an IRR
  3) publish your routing origin data in RPKI
  4) filter your customer/peer/partner/ routes to/from them: "Do not
send them nonsense, do not accept nonsense"
  5) tell more people about the above (there, I accomplished a MANRS
requirement!!)

srsly though... manrs is about being a reasonable adult on the inter-tubes.
The particular question from the OP was:
  "Hey, I have routing data, others also do, what does it take to get
people to believe my routing data?"

I think:
  1) publish your IRR content properly, keep it updated
  2) publish your ROA/RPKI data, keep it updated
  3) automate the above 2 so you don't have to make a hoomon do the work


>
>
>
> Sent with ProtonMail Secure Email.
>
> ‐‐‐ Original Message ‐‐‐
> On Saturday, 22 May 2021 00:40, Clinton Work  wrote:
>
> > Is there any compiled information for Tier1 providers on the supported
> BGP filter generation data sources and frequency?
> >
> > This is what I have been able to determine so far:
> >
> > -   TATA AS6453: IRR and RPKI ROAs (
> http://lg.as6453.net/doc/cust-routing-policy.html)
> > -   Cogent AS174: unknown
> > -   NTT 2914: IRR, ARIN WHOIS OriginAS, NIC.br whois, RPKI ROAs (
> https://www.gin.ntt.net/support-center/policies-procedures/routing/)
> > -   Lumen AS3356: IRR
> > -   Telia AS1299: IRR
> >
> > TATA is going to deprecate new RADB, NTTCOM, and ALTDB route objects
> starting Aug 15, 2021 and I was hoping that more providers would add RPKI
> ROAs as a data source for BGP filter generation. Supporting RPKI ROAs would
> mean that you don't have to create both IRR route objects and RPKI ROAs for
> each IP block.
> >
> > --
> > Clinton Work
> >
>
>
>


Re: Tier1 BGP filter generation data sources & frequency

2021-05-24 Thread Luca Salvatore
Curious if anyone is aware of other Tier1s deprecating support for RADB?

On Sun, May 23, 2021 at 4:29 PM Laura Smith via NANOG 
wrote:

> I thought everyone was supposed to be migrating to MANRS. ;-)
>
>
>
>
> Sent with ProtonMail Secure Email.
>
> ‐‐‐ Original Message ‐‐‐
> On Saturday, 22 May 2021 00:40, Clinton Work  wrote:
>
> > Is there any compiled information for Tier1 providers on the supported
> BGP filter generation data sources and frequency?
> >
> > This is what I have been able to determine so far:
> >
> > -   TATA AS6453: IRR and RPKI ROAs (
> http://lg.as6453.net/doc/cust-routing-policy.html)
> > -   Cogent AS174: unknown
> > -   NTT 2914: IRR, ARIN WHOIS OriginAS, NIC.br whois, RPKI ROAs (
> https://www.gin.ntt.net/support-center/policies-procedures/routing/)
> > -   Lumen AS3356: IRR
> > -   Telia AS1299: IRR
> >
> > TATA is going to deprecate new RADB, NTTCOM, and ALTDB route objects
> starting Aug 15, 2021 and I was hoping that more providers would add RPKI
> ROAs as a data source for BGP filter generation. Supporting RPKI ROAs would
> mean that you don't have to create both IRR route objects and RPKI ROAs for
> each IP block.
> >
> > --
> > Clinton Work
> >
>
>
>


Re: DDoS attack with blackmail

2021-05-24 Thread Jon Sands
I can also name one recent instance in which a client of mine was without
doubt DDoS'd by a mitigation provider they were getting a quote from, and
sadly this didn't even end up being the worst of the behavior we had to
deal with from them before ultimately terminating our contract with them.
It's not surprising either, if you look into the history of the
owner/founder (hint: fbi serving warrants for cybercrime). The security
sector is sadly rife with this crap in my experience

On Mon, May 24, 2021, 12:59 PM Matt Erculiani  wrote:

> Jim,
>
> While I don't envy those who put in long hours to mitigate DDoSes at the
> 11th hour, the security industry as a whole, DDoS mitigation included,
> doesn't have a perfectly clean track record. Public court records offer
> plenty of evidence, and convictions from foul play while trying to win bids.
>
> An individual I worked with previously personally handled a long, drawn
> out DDoS event that was ultimately perpetrated by a security contractor
> bidding for a job (I didn't work it personally, but it was a frequent topic
> of discussion while it was ongoing). Fortunately, after subsequent months
> of law enforcement investigation, the contractor was brought up on charges.
>
> It's definitely not "crap" , it's a fact, albeit not necessarily common.
>
> -Matt
>
> On Mon, May 24, 2021 at 10:38 AM jim deleskie  wrote:
>
>> While I have no design to engage in over email argument over how much
>> latency people can actually tolerate, I will simply state that most people
>> have a very poor understanding of it and how much additional latency is
>> really introduced by DDoS mitigation.
>>
>> As for implying that DDoS mitigation companies are complicit or involved
>> in attacks, while not the first time I heard that crap it's pretty
>> offensive to those that work long hours for years dealing with the
>> garbage.  If you honestly believe anyone you're dealing with is involved with
>> launching attacks you clearly have not done your research into potential
>> partners.
>>
>>
>>
>> On Sat., May 22, 2021, 11:20 a.m. Jean St-Laurent via NANOG, <
>> nanog@nanog.org> wrote:
>>
>>> Some industries can’t afford that extra delay by DDoS mitigation vendors.
>>>
>>>
>>>
>>> The video game industry is one of them and there might be others that
>>> can’t tolerate these extra ms. Telemedicine, video-conference, fintech, etc.
>>>
>>>
>>>
>>> As a side note, my former employer in video game was bidding for these
>>> vendors offering DDoS protection. While bidding, we were hit with abnormal
>>> patterns. As soon as we chose one vendor those very tricky DDoS patterns
>>> stopped.
>>>
>>> I am not saying they are working on both sides, but still the coincidence
>>> was interesting. In the end, we never used them because they were not able
>>> to perfectly block the threat without impacting all the other projects.
>>>
>>>
>>>
>>> I think these mitigators are nice to have as a very last resort. I
>>> believe what is more important for Network Operators is: to be aware of
>>> this, to be able to detect it, mitigate it and/or minimize the impact. It’s
>>> like magic, where did that rabbit go?
>>>
>>>
>>>
>>> The art of war taught me everything there is to know about DDoS attacks
>>> even if it was written some 2500 years ago.
>>>
>>>
>>>
>>> I suspect that the attack that impacted Baldur’s assets was a very easy
>>> DDoS to detect and block, but can’t confirm.
>>>
>>>
>>>
>>> @Baldur: do you care to share some metrics?
>>>
>>>
>>>
>>> Jean
>>>
>>>
>>>
>>> *From:* NANOG  *On Behalf Of *Jean
>>> St-Laurent via NANOG
>>> *Sent:* May 21, 2021 10:52 AM
>>> *To:* 'Lady Benjamin Cannon of Glencoe, ASCE' ; 'Baldur
>>> Norddahl' 
>>> *Cc:* 'NANOG Operators' Group' 
>>> *Subject:* RE: DDoS attack with blackmail
>>>
>>>
>>>
>>> I also recommend book Art of War from Sun Tzu.
>>>
>>>
>>>
>>> All the answers to your questions are in that book.
>>>
>>>
>>>
>>> Jean
>>>
>>>
>>>
>>> *From:* NANOG  *On Behalf Of *Lady
>>> Benjamin Cannon of Glencoe, ASCE
>>> *Sent:* May 20, 2021 7:18 PM
>>> *To:* Baldur Norddahl 
>>> *Cc:* NANOG Operators' Group 
>>> *Subject:* Re: DDoS attack with blackmail
>>>
>>>
>>>
>>> 20 years ago I wrote an automatic teardrop attack.  If your IP spammed
>>> us 5 times, then a script would run, knocking the remote host off the
>>> internet entirely.
>>>
>>>
>>>
>>> Later I modified it to launch 1000 teardrop attacks/second…
>>>
>>>
>>>
>>> Today,  contact the FBI.
>>>
>>>
>>>
>>> And get a mitigation service above your borders if you can.
>>>
>>>
>>>
>>>
>>>
>>> —L.B.
>>>
>>>
>>>
>>> Ms. Lady Benjamin PD Cannon of Glencoe, ASCE
>>>
>>> 6x7 Networks & 6x7 Telecom, LLC
>>>
>>> CEO
>>>
>>> l...@6by7.net
>>>
>>> "The only fully end-to-end encrypted global telecommunications company
>>> in the world.”
>>>
>>> FCC License KJ6FJJ
>>>
>>>
>>>
>>>
>>> On May 20, 2021, at 12:26 PM, Baldur Norddahl 
>>> wrote:
>>>
>>>
>>>
>>> Hello
>>>
>>>
>>>
>>> We got attacked by a group that calls themselves "Fancy La

Re: DDoS attack with blackmail

2021-05-24 Thread Matt Erculiani
Jim,

While I don't envy those who put in long hours to mitigate DDoSes at the
11th hour, the security industry as a whole, DDoS mitigation included,
doesn't have a perfectly clean track record. Public court records offer
plenty of evidence, and convictions from foul play while trying to win bids.

An individual I worked with previously personally handled a long, drawn out
DDoS event that was ultimately perpetrated by a security contractor bidding
for a job (I didn't work it personally, but it was a frequent topic of
discussion while it was ongoing). Fortunately, after subsequent months of
law enforcement investigation, the contractor was brought up on charges.

It's definitely not "crap" , it's a fact, albeit not necessarily common.

-Matt

On Mon, May 24, 2021 at 10:38 AM jim deleskie  wrote:

> While I have no design to engage in over email argument over how much
> latency people can actually tolerate, I will simply state that most people
> have a very poor understanding of it and how much additional latency is
> really introduced by DDoS mitigation.
>
> As for implying that DDoS mitigation companies are complicit or involved
> in attacks, while not the first time I heard that crap it's pretty
> offensive to those that work long hours for years dealing with the
> garbage.  If you honestly believe anyone you're dealing with is involved with
> launching attacks you clearly have not done your research into potential
> partners.
>
>
>
> On Sat., May 22, 2021, 11:20 a.m. Jean St-Laurent via NANOG, <
> nanog@nanog.org> wrote:
>
>> Some industries can’t afford that extra delay by DDoS mitigation vendors.
>>
>>
>>
>> The video game industry is one of them and there might be others that
>> can’t tolerate these extra ms. Telemedicine, video-conference, fintech, etc.
>>
>>
>>
>> As a side note, my former employer in video game was bidding for these
>> vendors offering DDoS protection. While bidding, we were hit with abnormal
>> patterns. As soon as we chose one vendor those very tricky DDoS patterns
>> stopped.
>>
>> I am not saying they are working on both sides, but still the coincidence
>> was interesting. In the end, we never used them because they were not able
>> to perfectly block the threat without impacting all the other projects.
>>
>>
>>
>> I think these mitigators are nice to have as a very last resort. I
>> believe what is more important for Network Operators is: to be aware of
>> this, to be able to detect it, mitigate it and/or minimize the impact. It’s
>> like magic, where did that rabbit go?
>>
>>
>>
>> The art of war taught me everything there is to know about DDoS attacks
>> even if it was written some 2500 years ago.
>>
>>
>>
>> I suspect that the attack that impacted Baldur’s assets was a very easy
>> DDoS to detect and block, but can’t confirm.
>>
>>
>>
>> @Baldur: do you care to share some metrics?
>>
>>
>>
>> Jean
>>
>>
>>
>> *From:* NANOG  *On Behalf Of *Jean
>> St-Laurent via NANOG
>> *Sent:* May 21, 2021 10:52 AM
>> *To:* 'Lady Benjamin Cannon of Glencoe, ASCE' ; 'Baldur
>> Norddahl' 
>> *Cc:* 'NANOG Operators' Group' 
>> *Subject:* RE: DDoS attack with blackmail
>>
>>
>>
>> I also recommend book Art of War from Sun Tzu.
>>
>>
>>
>> All the answers to your questions are in that book.
>>
>>
>>
>> Jean
>>
>>
>>
>> *From:* NANOG  *On Behalf Of *Lady
>> Benjamin Cannon of Glencoe, ASCE
>> *Sent:* May 20, 2021 7:18 PM
>> *To:* Baldur Norddahl 
>> *Cc:* NANOG Operators' Group 
>> *Subject:* Re: DDoS attack with blackmail
>>
>>
>>
>> 20 years ago I wrote an automatic teardrop attack.  If your IP spammed us
>> 5 times, then a script would run, knocking the remote host off the internet
>> entirely.
>>
>>
>>
>> Later I modified it to launch 1000 teardrop attacks/second…
>>
>>
>>
>> Today,  contact the FBI.
>>
>>
>>
>> And get a mitigation service above your borders if you can.
>>
>>
>>
>>
>>
>> —L.B.
>>
>>
>>
>> Ms. Lady Benjamin PD Cannon of Glencoe, ASCE
>>
>> 6x7 Networks & 6x7 Telecom, LLC
>>
>> CEO
>>
>> l...@6by7.net
>>
>> "The only fully end-to-end encrypted global telecommunications company in
>> the world.”
>>
>> FCC License KJ6FJJ
>>
>>
>>
>>
>> On May 20, 2021, at 12:26 PM, Baldur Norddahl 
>> wrote:
>>
>>
>>
>> Hello
>>
>>
>>
>> We got attacked by a group that calls themselves "Fancy Lazarus". They
>> want payment in BC to not attack us again. The attack was a volume attack
>> to our DNS and URL fetch from our webserver.
>>
>>
>>
>> I am interested in any experience in fighting back against these guys.
>>
>>
>>
>> Thanks,
>>
>>
>>
>> Baldur
>>
>>
>>
>>
>>
>

-- 
Matt Erculiani
ERCUL-ARIN


Re: DDoS attack with blackmail

2021-05-24 Thread jim deleskie
While I have no design to engage in over email argument over how much
latency people can actually tolerate, I will simply state that most people
have a very poor understanding of it and how much additional latency is
really introduced by DDoS mitigation.

As for implying that DDoS mitigation companies are complicit or involved in
attacks, while not the first time I heard that crap it's pretty offensive
to those that work long hours for years dealing with the garbage.  If you
honestly believe anyone you're dealing with is involved with launching
attacks you clearly have not done your research into potential partners.



On Sat., May 22, 2021, 11:20 a.m. Jean St-Laurent via NANOG, <
nanog@nanog.org> wrote:

> Some industries can’t afford that extra delay by DDoS mitigation vendors.
>
>
>
> The video game industry is one of them and there might be others that
> can’t tolerate these extra ms. Telemedicine, video-conference, fintech, etc.
>
>
>
> As a side note, my former employer in video game was bidding for these
> vendors offering DDoS protection. While bidding, we were hit with abnormal
> patterns. As soon as we chose one vendor those very tricky DDoS patterns
> stopped.
>
> I am not saying they are working on both sides, but still the coincidence
> was interesting. In the end, we never used them because they were not able
> to perfectly block the threat without impacting all the other projects.
>
>
>
> I think these mitigators are nice to have as a very last resort. I believe
> what is more important for Network Operators is: to be aware of this, to be
> able to detect it, mitigate it and/or minimize the impact. It’s like magic,
> where did that rabbit go?
>
>
>
> The art of war taught me everything there is to know about DDoS attacks
> even if it was written some 2500 years ago.
>
>
>
> I suspect that the attack that impacted Baldur’s assets was a very easy
> DDoS to detect and block, but can’t confirm.
>
>
>
> @Baldur: do you care to share some metrics?
>
>
>
> Jean
>
>
>
> *From:* NANOG  *On Behalf Of *Jean
> St-Laurent via NANOG
> *Sent:* May 21, 2021 10:52 AM
> *To:* 'Lady Benjamin Cannon of Glencoe, ASCE' ; 'Baldur
> Norddahl' 
> *Cc:* 'NANOG Operators' Group' 
> *Subject:* RE: DDoS attack with blackmail
>
>
>
> I also recommend book Art of War from Sun Tzu.
>
>
>
> All the answers to your questions are in that book.
>
>
>
> Jean
>
>
>
> *From:* NANOG  *On Behalf Of *Lady
> Benjamin Cannon of Glencoe, ASCE
> *Sent:* May 20, 2021 7:18 PM
> *To:* Baldur Norddahl 
> *Cc:* NANOG Operators' Group 
> *Subject:* Re: DDoS attack with blackmail
>
>
>
> 20 years ago I wrote an automatic teardrop attack.  If your IP spammed us
> 5 times, then a script would run, knocking the remote host off the internet
> entirely.
>
>
>
> Later I modified it to launch 1000 teardrop attacks/second…
>
>
>
> Today,  contact the FBI.
>
>
>
> And get a mitigation service above your borders if you can.
>
>
>
>
>
> —L.B.
>
>
>
> Ms. Lady Benjamin PD Cannon of Glencoe, ASCE
>
> 6x7 Networks & 6x7 Telecom, LLC
>
> CEO
>
> l...@6by7.net
>
> "The only fully end-to-end encrypted global telecommunications company in
> the world.”
>
> FCC License KJ6FJJ
>
>
>
>
> On May 20, 2021, at 12:26 PM, Baldur Norddahl 
> wrote:
>
>
>
> Hello
>
>
>
> We got attacked by a group that calls themselves "Fancy Lazarus". They
> want payment in BC to not attack us again. The attack was a volume attack
> to our DNS and URL fetch from our webserver.
>
>
>
> I am interested in any experience in fighting back against these guys.
>
>
>
> Thanks,
>
>
>
> Baldur
>
>
>
>
>


Re: DDoS attack with blackmail

2021-05-24 Thread Barry Greene

DDoS Attack Preparation Workbook
https://www.senki.org/ddos-attack-preparation-workbook/ 



> On May 20, 2021, at 12:26 PM, Baldur Norddahl wrote:
> 
> Hello
> 
> We got attacked by a group that calls themselves "Fancy Lazarus". They want 
> payment in BC to not attack us again. The attack was a volume attack to our 
> DNS and URL fetch from our webserver.
> 
> I am interested in any experience in fighting back against these guys.
> 
> Thanks,
> 
> Baldur
>