RE: Interesting Point of view - Russian police and RIPE accused of aiding RBN

2009-10-24 Thread a . harrowell
I'd like to apologise in advance for SOCA. Frankly, I am surprised that they 
are even aware of RIPE or its role in life. They have done so poorly since 
subsuming the old National Hi-Tech Crime Unit that the other police forces want 
NHTCU back.

It ought to be superfluous to point out that the only effective action taken 
against RBN was by the Internet community in getting all their upstreams to 
null route them. As is blindingly obvious, SOCA would never have been granted a 
warrant by the Russians.

Pathetic to take it out on RIPE. 
-original message-
Subject: RE: Interesting Point of view - Russian police and RIPE accused of 
aiding RBN
From: "Martin, Paul" 
Date: 24/10/2009 9:23 am

So considering they're widely regarded as a criminal network hosting the
more dodgy/dangerous stuff on the net, surely we could 'protect' our
customers by blocking the 91.202.60.0/22 range?

Consider that can of worms opened :o)

Paul

-Original Message-
From: Jeffrey Lyon [mailto:jeffrey.l...@blacklotus.net] 
Sent: 24 October 2009 08:18
To: Suresh Ramasubramanian
Cc: nanog@nanog.org
Subject: Re: Interesting Point of view - Russian police and RIPE accused
of aiding RBN

Since we're on the subject, here is where RBN went:


inetnum:         91.202.60.0 - 91.202.63.255
netname:         AKRINO-NET
descr:           Akrino Inc
country:         VG
org:             ORG-AI38-RIPE
admin-c:         IVM27-RIPE
tech-c:          IVM27-RIPE
status:          ASSIGNED PI
mnt-by:          RIPE-NCC-HM-PI-MNT
mnt-by:          MNT-AKRINO
mnt-lower:       RIPE-NCC-HM-PI-MNT
mnt-routes:      MNT-AKRINO
mnt-domains:     MNT-AKRINO
source:          RIPE # Filtered

organisation:    ORG-AI38-RIPE
org-name:        Akrino Inc
org-type:        OTHER
address:         Akrino Inc.
address:         P.O.Box 146 Trident Chambers
address:         Road Town, Tortola
address:         BVI
e-mail:          noc.akr...@gmail.com
mnt-ref:         MNT-AKRINO
mnt-by:          MNT-AKRINO
source:          RIPE # Filtered

person:          Igoren V Murzak
address:         Akrino Inc
address:         P.O.Box 146 Trident Chambers
address:         Road Town, Tortola
address:         BVI
phone:           +1 914 5952753
e-mail:          noc.akr...@gmail.com
nic-hdl:         IVM27-RIPE
mnt-by:          MNT-AKRINO
source:          RIPE # Filtered

% Information related to '91.202.60.0/22AS44571'
route:           91.202.60.0/22
descr:           AKRINO BLOCK
origin:          AS44571
mnt-by:          MNT-AKRINO
source:          RIPE # Filtered


On Sat, Oct 24, 2009 at 3:00 AM, Suresh Ramasubramanian wrote:
> http://www.eweekeurope.co.uk/news/russian-police-and-internet-registry-accused-of-aiding-cybercrime-2165
>
> Some quotes from the article -
>
> Internet registry RIPE NCC turned a blind eye to cybercrime, and Russian police
> corruption helped the perpetrators get away with it, according to the UK
> Serious Organised Crime Agency
>
> [...]
>
> "RIPE was being paid by RBN for that service, for its IP allocation," he said.
> "Essentially what you have - and I make no apologies for saying this is - if
> you were going to interpret this very harshly RIPE as the IP allocation body
> was receiving criminal funds and therefore RIPE was involved in money
> laundering offences," said Auld.
>
> [...]
>
> "All we could get there was a disruption, we weren't able to get a prosecution
> in Russia," admitted Auld. "Our biggest concern is where did RBN go? Our
> information suggests that RBN is back in business but now pursuing a slightly
> different business model which is bad news."
>
> [...]
>
> "Where you have got LIRs (Local Internet Registries) set up to run a criminal
> business- that is criminal activity being taken by the regional internet
> registries themselves. "So what we are trying to do is work with them to make
> internet governance a somewhat less permissive environment for criminals and
> make it more about protecting consumers and individuals," added Auld.
>
> RBN looked legitimate, says RIPE NCC
>
> In response to the comments that it could be accused of being involved in
> criminal activity, Paul Rendek, head of external relations and communications
> at RIPE NCC said that the organisation has very strict guidelines for dealing
> with LIRs.
>
> "The RBN was accepted as an LIR based on our checklists," he said. "Our
> checklists include the provision of proof that a prospective LIR has the
> necessary legal documentation, which proves that a business is bona fide."
>
> etc
>
>



-- 
Jeffrey Lyon, Leadership Team
jeffrey.l...@blacklotus.net | http://www.blacklotus.net
Black Lotus Communications of The IRC Company, Inc.

Platinum sponsor of HostingCon 2010. Come to Austin, TX on July 19 -
21 to find out how to "protect your booty."



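The RIPE whois output Jeffrey quoted is RPSL: "attribute: value" lines grouped into objects, with repeated attributes (two mnt-by lines) and "%" comment lines. As an added example, not code from anyone in this thread, here is a small Python parser for that format that pulls out the inetnum range (converting the first-last range into CIDR, since inetnum objects are ranges rather than prefixes), the route object's prefix and origin AS, and checks whether a given address falls inside the listed range, which is the check an operator needs before acting on a range like the one Paul mentions. The embedded sample is an abridged copy of the objects quoted above; the function names are mine.

```python
import ipaddress
from typing import Dict, List

# Abridged copy of the RIPE whois objects quoted in the message above
# (the organisation and person objects are omitted to keep the example short).
WHOIS_TEXT = """\
inetnum:         91.202.60.0 - 91.202.63.255
netname:         AKRINO-NET
descr:           Akrino Inc
country:         VG
org:             ORG-AI38-RIPE
admin-c:         IVM27-RIPE
tech-c:          IVM27-RIPE
status:          ASSIGNED PI
mnt-by:          RIPE-NCC-HM-PI-MNT
mnt-by:          MNT-AKRINO
mnt-routes:      MNT-AKRINO
source:          RIPE # Filtered

% Information related to '91.202.60.0/22AS44571'
route:           91.202.60.0/22
descr:           AKRINO BLOCK
origin:          AS44571
mnt-by:          MNT-AKRINO
source:          RIPE # Filtered
"""


def parse_rpsl(text: str) -> List[Dict[str, List[str]]]:
    """Split whois output into objects (blank-line separated).

    Each object maps attribute name -> list of values, so repeated attributes
    such as mnt-by are kept. Lines starting with '%' are server comments and skipped.
    """
    objects: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if current:
                objects.append(current)
                current = {}
            continue
        if line.startswith("%"):
            continue
        key, _, value = line.partition(":")  # split on the first colon only
        current.setdefault(key.strip(), []).append(value.strip())
    if current:
        objects.append(current)
    return objects


def inetnum_to_networks(inetnum: str) -> List[ipaddress.IPv4Network]:
    """An inetnum is a 'first - last' range and need not be a single CIDR block."""
    first, last = (ipaddress.ip_address(p.strip()) for p in inetnum.split("-"))
    return list(ipaddress.summarize_address_range(first, last))


def extract_prefixes(objects: List[Dict[str, List[str]]]) -> Dict[str, list]:
    """Collect inetnum ranges (as CIDR strings) and (prefix, origin AS) pairs from route objects."""
    result: Dict[str, list] = {"inetnum": [], "route": []}
    for obj in objects:
        if "inetnum" in obj:
            for net in inetnum_to_networks(obj["inetnum"][0]):
                result["inetnum"].append(str(net))
        if "route" in obj:
            origin = obj.get("origin", ["?"])[0]
            result["route"].append((obj["route"][0], origin))
    return result


def covered_by(ip: str, prefixes: List[str]) -> bool:
    """True if the address lies inside any of the given CIDR prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


if __name__ == "__main__":
    found = extract_prefixes(parse_rpsl(WHOIS_TEXT))
    print("inetnum as CIDR:", found["inetnum"])
    print("route objects:  ", found["route"])
    for probe in ("91.202.61.7", "91.202.64.1"):
        print(probe, "in range" if covered_by(probe, found["inetnum"]) else "outside")
```

The route object's origin (AS44571) is what you would compare against the actual BGP origin seen in your tables; the inetnum alone tells you who registered the space, not who is announcing it.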

Re: ISP port blocking practice

2009-10-24 Thread a . harrowell


-original message-
Subject: Re: ISP port blocking practice
From: Owen DeLong 
Date: 24/10/2009 4:00 am

Yes.

Owen

On Oct 23, 2009, at 2:19 PM, Lee Riemer wrote:

> Isn't blocking any port against the idea of Net Neutrality?
>

Only if you take a legalistic view of it. Too much of the NN debate is about 
the futile search for an infallible legal argument with no corner cases. This 
is silly.

Take an empirical, practical view instead. Obviously there is no objection to 
blocking spam going out; after all, the spam comes from machines that are no 
longer under the control of their owners, so the only free speech that is 
affected is that of the spammer, and hasn't that already been litigated?

Free speech doesn't include the freedom to shout fire in a crowded theatre. 
Neither does it include the freedom to carry out a DDOS on the fire brigade 
control room. You aren't allowed to levy a toll on the roads and except your 
mates - roads are neutral. But that doesn't invalidate the speed limit or the 
obligation to drive on the left.

> Justin Shore wrote:
>> Owen DeLong wrote:
>>> Blocking ports that the end user has not asked for is bad.
>>
>> I was going to ask for a clarification to make sure I read your  
>> statement correctly but then again it's short enough I really don't  
>> see any room to misinterpret it.  Do you seriously think that a  
>> typical residential user has the required level of knowledge to  
>> call their SP and ask for them to block tcp/25, tcp & udp/1433 and  
>> 1434, and a whole list of common open proxy ports?  While they're  
>> at it they might ask the SP to block the C&C ports for Bobax and  
>> Kraken.  I'm sure all residential users know that they use ports  
>> 447 and 13789.  If so then send me some of your users.  You must be  
>> serving users around the MIT campus.
>>
>>> Doing it and refusing to unblock is worse.
>>
>> How do you propose we pull a customer's dynamically-assigned IP
>> out of a DHCP pool so we can treat it differently?  Not all SPs use
>> customer-facing AUTH.  I can think of none that do for CATV though
>> I'm sure someone will now point out an oddball SP that I've never heard
>> of before.
>>
>>> Some ISPs have the even worse practice of blocking 587 and a few  
>>> even
>>> go to the horrible length to block 465.
>>
>> I would call that a very bad practice.  I haven't personally seen a
>> mis-configured MTA listening on the MSP port so I don't think they
>> can make the claim that the MSP port is a common security risk.  I
>> would call tcp/587 a very safe port to have traverse my network.  I
>> think those ISPs are either demonstrating willful ignorance or
>> marketing malice.
>>
>>> A few hotel gateways I have encountered are dumb enough to think  
>>> they can block TCP/53
>>> which is always fun.
>>
>> The hotel I stayed in 2 weeks ago that housed a GK class I took had  
>> just such a proxy.  It screwed up DNS but even worse it completely  
>> hosed anything trying to tunnel over HTTP.  OCS was dead in the  
>> water.  My RPC-over-HTTP Outlook client couldn't work either.   
>> Fortunately they didn't mess with IPSec VPN or SSH.  Either way it  
>> didn't matter much since the network was unusable (12 visible APs  
>> from room, all on overlapping 802.11b/g channels).  The average  
>> throughput was .02Mbps.
>>
>>> Lovely for you, but, not particularly helpful to your customers  
>>> who may actually want to use some of those services.
>>
>> I take a hard line on this.  I will not let the technical ignorance  
>> of the average residential user harm my other customers.  There is  
>> absolutely no excuse for using Netbios or MS-SQL over the Internet  
>> outside of an encrypted tunnel.  Any user smart enough to use a  
>> proxy is smart enough to pick a non-default port.  Any residential  
>> user running a proxy server locally is in violation of our AUP  
>> anyway and will get warned and then terminated.  My filtering helps  
>> 99.99% of my userbase. The .001% that find this basic security  
>> filter intolerable can speak with their wallets.  They can find  
>> themselves another provider if they want to use those ports or pay  
>> for a business circuit where we filter very little on the  
>> assumption they as a business have the technical competence to  
>> handle basic security on their own.  (The actual percentage of  
>> users that have raised concerns in the past 3 years is .0008%.  I  
>> spoke with each of them and none decided to leave our service.)
>>
>> We've been down the road of no customer-facing ingress ACLs.  We've  
>> fought the battles of getting large swaths of IPs blacklisted  
>> because of a few users' technical incompetence.  We've had large  
>> portions of our network null-routed in large SPs.  Then we got our  
>> act together and stopped acting like those ISPs who we all love to  
>> bitch about, that do not manage their customer traffic, and are  
>> poor netizens of this shared resource we cal

Re: Are we really this helpless? (Re: isprime DOS in progress)

2009-01-25 Thread a . harrowell


-original message-
Subject: Re: Are we really this helpless? (Re: isprime DOS in progress)
From: Michael Dillon 
Date: 25/01/2009 10:16 pm

>
> I think each point above is true -- BCP38 is indeed a technique, but
> failure to universally implement it defaults to (almost) a tragedy of the
> commons.
>
> After ~10 years, it is surreal to me that we, as a community, are still
> grappling with issues where it could be beneficial for the Internet
> community at-large. I mean, it _is_ a BCP.
>

The community isn't grappling with the issue. For the most part the NANOG
community has implemented BCP 38. The problem is that there are lots
of ISPs that are not part of the community and I get the sense that the
this number continues to grow. In a sense NANOG has a problem with
dwindling market-share. A shrinking percentage of ISPs are part of the
NANOG community, and NANOG participants have less and less influence
on decisions in the ISPs that they work for, probably because most of
them do not work for ISPs but work for telephone companies which have
expanded into the ISP business. And yes, I too work for a telco that
is now also a major ISP in its telco market area.

> p.s. Even when Dan Senie and I drafted RFC2827/BCP38, we were doing nothing
> more than documenting what everyone (well, maybe not everyone) already knew
> anyway -- that we all need to bite the bullet and just do it.
>

Personally, I think that the network operations community represented in NANOG
needs to do more outreach to forums where the telecoms community gather rather
than ghettoizing Internet ops and engineering. It's all well and good to have NANOG
lists and meetings, but once things like BCP-38 reach consensus, how many NANOG
members would consider going to something like FutureNet Expo and presenting
on the topic?

--Michael Dillon

Both to telcos and to non-NA operators.

Remember that everything is going to IP. All the interesting voice applications 
seem to be based on Asterisk in the end, China Mobile is apparently building a 
flat-IP net with media servers. 

And there are plenty of clever innovative people outside NA.
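The thread names BCP 38 (RFC 2827) but never spells out the check it asks for. As an added example, not code from anyone in the thread or from the RFC, here is a Python model of ingress filtering at the customer edge: a packet arriving on a customer-facing interface is forwarded only if its source address lies within a prefix the ISP assigned to that customer, and everything else is dropped and counted per interface so the operator can see which customer is emitting forged sources. The interface names, prefixes (RFC 5737 documentation ranges) and packets are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed topology: each customer-facing interface and the prefixes
# assigned to the customer behind it (RFC 5737 documentation ranges).
CUSTOMER_PREFIXES: Dict[str, List[str]] = {
    "cust-a": ["198.51.100.0/24"],
    "cust-b": ["203.0.113.0/25", "203.0.113.128/26"],
}


@dataclass(frozen=True)
class Packet:
    ingress_if: str   # interface the packet arrived on
    src: str          # claimed source address
    dst: str          # destination address


def build_allowed(prefix_map: Dict[str, List[str]]) -> Dict[str, List[ipaddress.IPv4Network]]:
    """Parse each interface's prefix list once, as a router compiles an ACL once."""
    return {ifname: [ipaddress.ip_network(p) for p in plist]
            for ifname, plist in prefix_map.items()}


def bcp38_permits(pkt: Packet, allowed: Dict[str, List[ipaddress.IPv4Network]]) -> bool:
    """BCP 38 ingress check: a customer's packet is forwarded only if its source
    address lies within a prefix assigned to that customer; anything else is forged."""
    nets = allowed.get(pkt.ingress_if)
    if nets is None:
        return False  # no prefix list for this interface: fail closed
    src = ipaddress.ip_address(pkt.src)
    return any(src in net for net in nets)


def filter_packets(packets: List[Packet], prefix_map: Dict[str, List[str]]
                   ) -> Tuple[List[Packet], List[Tuple[Packet, str]]]:
    """Apply the check to a batch; dropped packets carry a reason an operator could log."""
    allowed = build_allowed(prefix_map)
    forwarded: List[Packet] = []
    dropped: List[Tuple[Packet, str]] = []
    for pkt in packets:
        if bcp38_permits(pkt, allowed):
            forwarded.append(pkt)
        else:
            dropped.append((pkt, f"src {pkt.src} not assigned to {pkt.ingress_if}"))
    return forwarded, dropped


def spoof_counts(dropped: List[Tuple[Packet, str]]) -> Dict[str, int]:
    """Drops per ingress interface; a rising count points at a compromised or
    misconfigured customer rather than at the victim named in the source field."""
    counts: Dict[str, int] = {}
    for pkt, _ in dropped:
        counts[pkt.ingress_if] = counts.get(pkt.ingress_if, 0) + 1
    return counts


# Constructed sample traffic: genuine packets plus two with forged sources.
SAMPLE_PACKETS = [
    Packet("cust-a", "198.51.100.20", "192.0.2.53"),   # genuine
    Packet("cust-a", "192.0.2.10", "192.0.2.53"),      # forged: not cust-a's space
    Packet("cust-b", "203.0.113.150", "192.0.2.53"),   # genuine, second prefix
    Packet("cust-b", "198.51.100.9", "192.0.2.53"),    # forged: that is cust-a's space
    Packet("cust-b", "203.0.113.7", "192.0.2.53"),     # genuine
]

if __name__ == "__main__":
    fwd, drop = filter_packets(SAMPLE_PACKETS, CUSTOMER_PREFIXES)
    for pkt, reason in drop:
        print("DROP", pkt.ingress_if, pkt.src, "->", pkt.dst, ":", reason)
    print("forwarded:", len(fwd), "dropped:", len(drop), "per interface:", spoof_counts(drop))
```

The check is deliberately per-interface rather than global: the same address is legitimate on one customer port and forged on another, which is why the filter has to live at the edge where the assignment is known, and why a provider that skips it exports the problem to everyone else.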




Re: lawful intercept/IOS at BlackHat DC, bypassing and recommendations

2010-02-04 Thread a . harrowell


-original message-
Subject: Re: lawful intercept/IOS at BlackHat DC, bypassing and recommendations
From: "andrew.wallace" 
Date: 04/02/2010 11:09 pm

On Thu, Feb 4, 2010 at 8:19 PM, Gadi Evron  wrote:
> "That peer-review is the basic purpose of my Blackhat talk and the
> associated paper. I plan to review Cisco’s architecture for lawful intercept
> and explain the approach a bad guy would take to getting access without
> authorization. I’ll identify several aspects of the design and
> implementation of the Lawful Intercept (LI) and Simple Network Management
> Protocol Version 3 (SNMPv3) protocols that can be exploited to gain access
> to the interface, and provide recommendations for mitigating those
> vulnerabilities in design, implementation, and deployment."
>
> More here:
> http://blogs.iss.net/archive/blackhatlitalk.html
>
>Gadi.

For the sake of clarity and transparency, 

Gadi Evron has absolutely no connection to this research whatsoever. 

He is famous in the security community for piggybacking off other people's 
research.

We are frustrated with him as much as we are annoyed.

Andrew

Security consultant

CITATION NEEDED
  





Re: Adopt‐an‐Haitian‐Internet‐technician‐or‐facility

2010-02-08 Thread a . harrowell


-original message-
Subject: Re: Adopt‐an‐Haitian‐Internet‐technician‐or‐facility
From: Steven Bellovin 
Date: 08/02/2010 5:47 pm

As a matter of form, how might one check out the legitimacy of requests like 
this?  (No, I don't think this one is fake...)

As a start, web of trust. This one was introduced to the list by Eric 
Brunner-Williams originally, a member in good standing.