Re: Solutions for DoS DDoS

2012-12-07 Thread Yuri Slobodyanyuk
I can think of a few options here (basically restating what has been said already):
- Black hole routing on ISP side - just makes the client unreachable outside the ISP, available everywhere, free. Not really a protection as it aids the attacker in achieving his goal - shutting down the client.
- Managed DDoS as a Service on ISP side - the ISP has a dedicated solution to stop attacks on ISP premises (by dedicated I mean some hardware installed). Vendors vary (Arbor/Radware/etc.) and actually are not of much importance to the end client - only an SLA should be in place. Costs money, advisable when undergoing non-stop/frequent attacks of moderate severity. If an attack reaches gigabits of bandwidth consumption the ISP may revert back to black hole to protect its backbone and other clients.
- If speaking of web/email services - a hosted solution is viable to some degree (e.g. Amazon AWS CloudFront, Google Apps, CDNs etc.). It is not a DEDICATED hosted solution against DDoS, so be prepared for the provider to shut down the client if the attack gets heavy enough.
- Hosted web/email solutions WITH dedicated DDoS protection included, including insurance that the client will not be shut down on a heavy load attack (Prolexic etc.). Costs money (not cheap at all) and if your site is not to be attacked like krebsonsecurity.com or fbi.gov, probably an overkill.

HTH

--

Taking challenges one by one.
http://yurisk.info


Re: Check Point Firewall Appliances

2012-12-20 Thread Yuri Slobodyanyuk
Having a love-and-hate relationship with Checkpoint firewalls after working for 6 years daily with them I am probably biased :), but will say they are great firewalls once you know how to work with them.
If you are completely new to it I'd recommend Checkpoint CCSA/CCSE from an accredited APT course as the shortest path.
Alternatives:
- CBT Nuggets CCSA course, but last time I checked it was for NGX R65 that is substantially different from current versions, only if you can get it really cheap
- Documentation from the Checkpoint site (freely available to everyone) is the start-all end-all source (I did it this way); takes time but in the end you will have a thorough understanding of the product
- Online is a good place once you know the basics. If, on the other hand, you don't know how to do manual port-forwarding, Google will only suck your time. But for problems/inconsistencies/debug:
   http://cpug.org - Independent forum where you can always find advice from many knowledgeable and helpful folks;
   http://www.cpshared.com/forums/ Same goes here - people who can configure route-based VPNs with policy-based routing with closed eyes hang around here
   https://forums.checkpoint.com/ Official support forums from Checkpoint, less active than the 2 above

HTH
Yuri

On Wed, Dec 19, 2012 at 9:35 PM, Blake Pfankuch bl...@pfankuch.me wrote:

 Howdy,
 I am just getting into an environment with a large Check
 Point deployment and I am looking for a little bit of feedback from other
 real world admins.  Looking for what people like, what people don't (why
 hopefully).  Also for those of you who might run Check Point devices in
 your environments what to dig into first as far as getting more experience
 on the devices and a better understanding of how not to break them.  I am
 slowly going through all of the official documentation, but would also like
 to hear a real world opinion.

 Thanks in advance!

 Blake




-- 
Taking challenges one by one.
http://yurisk.info


Re: BGP Security Research Question

2014-11-04 Thread Yuri Slobodyanyuk
Having seen a few hundred BGP peerings with internal clients as well as with uplink providers, I cannot recall anyone ever even trying to use such features. And given that both were created back in the late 90s/early 2000s we can safely assume these technologies (S-BGP/soBGP) will stay just that - blue-sky academic research (but who can tell the future on the other hand ...)
In real life people use - BGP TTL security, MD5 passwords, control plane protection of port 179, inbound/outbound route filters. So far this has been enough.


On Tue, Nov 4, 2014 at 5:57 AM, Anthony Weems amlwe...@gmail.com wrote:

 I'm a student in college learning about networking and, specifically, BGP.
 Does anyone have any statistics on the use of S-BGP or soBGP in the wild?
 I've read a few papers / RFCs on the subject (from Cisco and the like), but
 I haven't been able to find any information about actual usage.

 Additionally, do people scan BGP speakers in the same sense that
 researchers perform scans of the Internet (e.g. zmap)?

 --
 Anthony Weems




-- 
Taking challenges one by one.
http://yurisk.info


Re: BGP Security Research Question

2014-11-04 Thread Yuri Slobodyanyuk
Let me disagree - Pakistan YouTube was possible only because their uplink provider did NOT implement inbound route filters. As always the weakest link is the human factor - and no super-duper newest technology is ever to help here.
As regards S-BGP/soBGP from a technical point of view, wait for the day when the vulnerability gets published (SSL-Heartbleed style) that invalidates all this PKI stuff ...
Yuri

On Tue, Nov 4, 2014 at 2:38 PM, sth...@nethelp.no wrote:

  In real life people use - bgp ttl security, md5 passwords, control plane
  protection of 179 port, inbound/outbound routes filters. So far this has
  been enough.

 These mechanisms do little or nothing to protect against unauthorized
 origination of routing information. There are plenty of examples which
 say it has *not* been enough, see for instance the Pakistan Telecom -
 Youtube incident in 2008.

 Steinar Haug, Nethelp consulting, sth...@nethelp.no




-- 
Taking challenges one by one.
http://yurisk.info
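A defender-side illustration of two of the controls named in the two BGP replies above (inbound prefix filtering, the check that a customer announcing someone else's more-specific prefix, the Pakistan/YouTube pattern, would have hit, and BGP TTL security/GTSM), written as an added example for this archive; it is not code from the thread or from any router vendor, and the peer names, prefixes and hop counts are constructed sample values:

```python
import ipaddress

# Constructed per-peer allow-list: the blocks each customer peer is
# authorised to originate, with the most specific prefix length accepted
# (in practice this comes from the customer contract / IRR records).
PEER_ALLOWED = {
    "customer-a": [("203.0.113.0/24", 24)],
    "customer-b": [("198.51.100.0/22", 24)],
}


def inbound_filter(peer, announced):
    """Split the prefixes announced by `peer` into (accepted, rejected).

    A prefix is accepted only if it lies inside one of the peer's
    authorised blocks and is no more specific than that block's limit.
    Everything else is dropped: another party's space (including a
    more-specific of it), an over-long prefix, a different address
    family, or anything from a peer that has no allow-list at all.
    """
    allowed = [(ipaddress.ip_network(block), maxlen)
               for block, maxlen in PEER_ALLOWED.get(peer, [])]
    accepted, rejected = [], []
    for prefix in announced:
        net = ipaddress.ip_network(prefix, strict=False)
        ok = any(net.version == block.version
                 and net.subnet_of(block)
                 and net.prefixlen <= maxlen
                 for block, maxlen in allowed)
        (accepted if ok else rejected).append(prefix)
    return accepted, rejected


def gtsm_accept(received_ttl, max_decrements=0):
    """BGP TTL security (RFC 5082 GTSM) check on one received packet.

    The peer sends with TTL 255 and every router in between decrements
    it, so a packet whose TTL is below 255 minus the decrements a
    legitimate peer could incur has travelled further than that peer
    could be and is discarded before BGP parses it. A directly connected
    peer uses max_decrements=0 and must arrive with TTL 255.
    """
    return received_ttl >= 255 - max_decrements


if __name__ == "__main__":
    # customer-a tries to announce a /24 carved out of customer-b's block
    print(inbound_filter("customer-a", ["203.0.113.0/24", "198.51.100.0/24"]))
    print(gtsm_accept(255), gtsm_accept(254))
```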


Re: Fwd: [cooperation-wg] Massive IP blockings in Russia

2018-04-19 Thread Yuri Slobodyanyuk
Thanks for sharing,
Note of caution - there is a mess going on with this blocking so if some IP range/domain is not in any list it doesn't necessarily mean it is not blocked. Lists are created/updated pretty sporadically (e.g. the list does not say so but there are reports of blocked DigitalOcean nets 167.99.0.0/16 & 206.189.0.0/16 https://www.securitylab.ru/news/492749.php).
My 2 cents - once Russian Internet authorities get tired of chasing their own tail (any sysadmin knows you can't block ain't nothing by IP addresses today) they will stop this fruitless effort (but of course they cannot do it right now and lose face) and things will be back to normal.

On Thu, Apr 19, 2018 at 9:39 PM, Bryan Fields  wrote:

> On 4/19/18 1:36 PM, Sandra Murphy wrote:
>
> > Russian ISPs MUST fully block all traffic to such networks. The list is
> > frequently updated and gets automatically propagated to ISP every once
> in a
> > while, failure to block any address may result in 1500eur fine.
>
> Per day?  That's a cost of doing business.  Can we donate to pay it
> somewhere?
>
> > The
> > infrastructure listed above is being added to the blocklist under
> > “counter-terrorist and counter-extremist” order of the General Prosecutor
> > Office, #27-31-2015/Id4082-15, issued in 2015 and often used for blocking
> > an arbitrary unwanted content. The real reason for such blocking is an
> > attempt to cut access to Telegram messenger, which refused to provide
> > end-to-end encryption keys to the Federal Security Service (previously
> > known as KGB).
>
> Necessity is the plea for every infringement of human liberty.
> It is the argument of tyrants; it is the creed of slaves.
> -- William Pitt
> --
> Bryan Fields
>
> 727-409-1194 - Voice
> http://bryanfields.net
>



-- 
Taking challenges one by one.
http://yurisk.info