rd this from me
before, so I'll spare you the rave. :)
What percentage of all Internet traffic is DoS? Unclear. Until the
data is gathered, it can not be analyzed, and the data is rarely
collected.
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com/~robt
ASSERT(coffee != empty);
in the very active
underground economy).
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com/~robt
ASSERT(coffee != empty);
s about the mad fast honeypot residing within
your prefixes. :)
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com/~robt
ASSERT(coffee != empty);
hand you could say "serves 'em right for being
hacked!" On the other hand, you could wonder why it is that the
non-geek broadband users must be system, network, and firewall
administrators.
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com/~robt
ASSERT(coffee != empty);
ttack types as the bots.
On the receiving end, upwards of 80% of all the woe I track is not TCP.
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com/~robt
ASSERT(coffee != empty);
Hi, Kevin.
] Does anyone know of a source for a reliable bogon list? The best I know of
] is from Rob Thomas, but his last template update was 10/01, and IANA's
] made allocations since then.
Actually, the mistake is that I've updated my template yet failed to change
the date. D
ties. If the
server(s) now part of the warez network have popular things on them, you
will take quite a beating on bandwidth.
By the way, several of the warez bots are also flooders, e.g. can be
used to packet victims.
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
! Be the first in your ASN to
join the CREDITS section. :)
Thanks!
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
I already have. My social life is proof of that. :)
Thanks!
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
always welcome!
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
Hi, all.
] Define "lots". I see about 500 inconsistent routes in BGP, have seen them
I see a few more than that:
http://www.cymru.com/BGP/incon01.html
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
Hi, all.
Aside from the restaurants, how's Toronto? :)
] http://www.cymru.com/BGP/incon01.html
The list can be found here:
http://www.cymru.com/BGP/incon01-list.txt
This is the output of a very beta script. Comments welcome!
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(c
ml
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
00 - 18000 bots, it isn't all that
necessary to mask the source IPs. :/
Just my $.02, of course.
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
nt in social engineering? :-)
No, an experiment in not-enough-coffee-and-making-mods-late-at-night. :)
Thanks and apologies!
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
wever. It seems this prefix would
best be used internally. What do others think?
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
. To whomever you are - thanks. :)
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
Hi, Rob.
] How big is the global BGP table running these days?
I'm seeing an average of around 115K prefixes. The delta isn't very
high. You can see some data here:
http://www.cymru.com/BGP
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
reate first.
Suggestions are welcome and encouraged. :)
Thanks!
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
have moved
here:
http://www.cymru.com/DNS/dns.html
My thanks to the authors of the lamers.sh script, which I modified to
suit my purposes. Comments and feedback are always welcome!
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
- <http://www.cymru.com/Bogons/index.html#dns>
Monitoring
Bogon prefix monitoring
- <http://www.cymru.com/BGP/robbgp-bogon.html>
Bogus ASN monitoring
- <http://www.cymru.com/BGP/asnbogusrep.html>
Please feel free to contact Team Cymru <[EMAIL PROTECTED]> wit
resses prior to announcing the test prefixes.
74.63.1.2
75.127.1.2
76.191.1.2
Sorry those weren't announced sooner!
Thanks,
Rob, for Team Cymru.
--
Rob Thomas
http://www.cymru.com
Shaving with Occam's razor since 1999.
] and statistical reliability. presumably that is coming and just
] hasn't been discussed or carried out yet.
Yep, that's being done since we announced the prefixes.
More details to come shortly. :)
Todd, thanks for checking on these prefixes and sharing what you
see!
Thanks,
Ro
EMAIL PROTECTED]
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
Shaving with Occam's razor since 1999.
Cymru do all the work.
Fire up a peering session to the Bogon route-servers today!
<http://www.cymru.com/BGP/bogon-rs.html>
As always, if you are having difficulty reaching the three test IP
addresses, please drop us a note at [EMAIL PROTECTED]
Thanks!
Rob.
--
Rob Thomas
http://www.
ardent Cubs fan, cursing the Sox. ;)
We continue to debug it with our peers. Stay tuned!
Apologies for the inconvenience.
Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee != empty);
r own, I should probably ask
them to change that.
Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee != empty);
Thanks,
Rob, for Team Cymru.
--
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee != empty);
While IPv6 obviously presents a huge address space, the miscreants
don't have to scan all of it, or compromise much more than a few
devices on it, to reap a reward. Just enough is good enough.
I'll take a pina colada anyway. :)
Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.cymru.com
>
Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee != empty);
ore. Take it
with a grain of salt. :)
Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee != empty);
Hi, NANOGers.
Just an FYI - we at Team Cymru are upgrading some of our infrastructure
today. This will result in partial and complete outages for most of
the day. We will be back online, new and improved, by the end of the
day.
Thanks!
Rob, for Team Cymru.
--
Rob Thomas
Team Cymru
http
work to earn your
trust with each project. I think we've done a fair job of
that.
Suggestions and feedback (along with coffee) are always welcome!
Thanks,
Rob, not the only member of Team Cymru. :)
--
Rob Thomas
http://www.cymru.com
Shaving with Occam's razor since 1999.
deploy more
if necessary.
By the way, we recommend that folks peer with at least two of the
Bogon route-servers.
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
prefix-list that would permit you to filter on a prefix
and anything more specific. Stay tuned!
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
the RIB clean. That means the
use of filtering. We and others provide those as well:
<http://www.cymru.com/Documents/secure-bgp-template.html>
<http://www.cymru.com/gillsr/documents/junos-bgp-template.htm>
<ftp://ftp-eng.cisco.com/cons/isp/security/Ingress-Prefix-Filter-Templates
us why. Suggestions
are always welcome!
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
.
So while a new approach to security with IPv6 may be warranted, many of
the same old threats await you there.
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
Shaving with Occam's razor since 1999.
ssume that encrypted packets
keep them safe. Encryption != security.
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
Shaving with Occam's razor since 1999.
Hi, Bryan.
] Rob T - this should be a periodic FAQ:
]
]http://www.cymru.com/Bogons/
That's a great idea! Everyone knows I don't send out nearly enough
email. :) Seriously, we'll try to be better about sending out
regular reminders.
Thanks!
Rob.
--
Rob Thomas
http://www.c
s would be rather
obvious, and they are, yet no one notices.
Most of these compromised routers are at the end of FR or
frac-T connections. I suspect a great many of them were
configured once, then left to rot with the same code and
configuration for years and years.
Thanks,
Rob.
--
Rob Thomas
htt
Hi, Hank.
] How would this scale for say 200K routers? 2M? -Hank
Dave Deitrich of Team Cymru will be presenting on this very
topic at the next NANOG. Short answer: We're ready when
you are. :)
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
Shaving with Occam's razor since 1999.
uses TFTP to update itself as well.
Please note that I am NOT advocating the blocking of TFTP.
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
Shaving with Occam's razor since 1999.
llowing URL.
<http://www.cymru.com/BGP/bogon-rs.html>
Thanks,
Rob, for Team Cymru.
--
Rob Thomas
http://www.cymru.com
Shaving with Occam's razor since 1999.
gusrep.html>
Please feel free to contact Team Cymru <[EMAIL PROTECTED]> with any
comments, questions, or concerns.
Thank you for your continued support.
Rob.
- --
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
free to contact Team Cymru <[EMAIL PROTECTED]> with any
comments, questions, or concerns.
Thank you for your continued support.
Rob, for Team Cymru.
- --
Rob Thomas
http://www.cymru.com
Shaving with Occam's razor since 1999.
ring
- <http://www.cymru.com/BGP/asnbogusrep.html>
Please feel free to contact Team Cymru <[EMAIL PROTECTED]> with any comments,
questions, or concerns.
Thank you for your continued support.
Rob, for Team Cymru.
- --
Rob Thomas
http://www.cymru.com
Shaving
ments, feedback, donated data, and peering sessions are always
welcome!
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
who are having difficulty viewing the site: I apologize,
and I'm trying to find a way to alleviate the paucity of available
bandwidth into my home lab. Stay tuned!
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
is a great
community.
Thanks!
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
/dnsmirror/
I will shortly have an additional web server on a much faster set
of links, as well as another mirror. For the impatient, I
recommend the MIT site. Don't forget to check the Lame Report
while you're there. :)
Comments and feedback are always welcome!
Thanks,
Rob.
--
Rob T
/index.html
The bogus ASN page, complete with a colorful graph, can be found here:
http://www.cymru.com/BGP/asnbogusrep.html
Comments and feedback are always welcome! My thanks to those who donate
peering and gear to my monitoring efforts. :)
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT
. You
can see the list of networks that leak bogus ASNs here:
http://www.cymru.com/BGP/asnbogusrep.html
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
log use spoofed
source addresses.
Does anti-spoofing help? Yes. It is but one of many mitigation
strategies.
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
or me,
that would be welcome as well. :)
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
to add to the Secure IOS Template. I need more
time and more coffee. :)
http://www.cymru.com/Documents/secure-ios-template.html
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
odify your
scripts. My own script claimed that several new allocations had been
made. It's fixed now. :)
http://www.iana.org/assignments/ipv4-address-space
My thanks to the IANA folks for this change!
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
free
to send them to [EMAIL PROTECTED] Be the first on your block to fill my
lamer file system. :)
Thanks!
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
/Documents/bogon-list.html
Please take a few moments to read the list and adjust your filters
accordingly. The folks in 69.0.0.0/8 will thank you. :)
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
Hi, Randy.
] what is the apnic equivalent of that document?
Is this close to what you require?
http://www.apnic.net/db/min-alloc.html
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
] None of the below events are related to network operations. Nordnog is.
Just a small point of order: FIRST is definitely related to network
operations, albeit with a focus on secure network operations. :)
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
BGP Template (ported to Juniper by Steve Gill)
http://www.cymru.com/Documents/secure-bgp-template.html
http://www.qorbit.net/documents/junos-bgp-template.pdf
Secure BIND Template
http://www.cymru.com/Documents/secure-bind-template.html
Thanks!
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee
CREDITS section! :)
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
umber. :/ Watch out
for those TCP 1080, 3128, and 8080 flows.
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
Hi, NANOGers.
] Why don't we all go bug Rob Thomas for a bogon update mailing list,
] and stop pissing and moaning on this one. :)
I (and Steve Gill) am more than happy to create such a list. Heck, you
don't even have to bug me! :) I've even pondered the idea of hosting
a WH
Hi, Eddy.
] Give Rob Thomas official authority, a paycheck, and the necessary
] bandwidth. ;-)
Hehe! I'll second that! :) No one would support it, though, once they
saw my lousy code. :)
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
he task. That might be two
days, or two decades. I'm willing and happy to do it until that day
comes.
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
, Barry
Greene, and Rob Thomas) update when such allocations are made. These
announcements will be made as we detect such allocations.
The list is moderated by Steve Gill, Barry Greene, Jared Mauch, and
Rob Thomas. It is open to anyone who wishes to subscribe. Aliases are
welcome to subscribe.
To
e
the full path and better tracking. The report is updated hourly, and
you will find it here:
http://www.cymru.com/BGP/asnbogusrep.html
Comments and feedback are always welcome!
Thanks!
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
Hi, NANOGers.
Does anyone have a reliable contact at dns2go.com? I have tried all of
the usual aliases with no success. :(
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
able to send during a TCP amplification
attack is a bonus prize, but is not required for the attack to succeed.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
the
login and password. This isn't limited to Cisco routers, however. I
collected an impressive list of broadband and other vendor routers as
well, for a total of just over 30K compromised routers in 2002. As
Chris points out, this is an issue that requires vigilance beyond
teams at ISPs.
] ad
ess support phonecalls.
I agree.
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
the point of creating a DoS on the router.
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
. They may be infected, and will fire up their
VPN tunnels Monday morning. This may introduce the worm into the chewy
center of many corporate networks. Hopefully folks have put the proper
filters in place on their VPN access points.
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee
] Wait, but isn't your corporate network 'secure' cause it's got a super kewl
] firewall in front of it??
HAHAHA! Would that be the stateful firewall that filled up and fell
over due to all the worm probes? ;)
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
Hey, Chris.
] or the one that stealthily permitted udp 1434 from the outside world :(
Yeah. :(
This is yet another reason why I tell folks with firewalls NOT to allow
everything from the internal (often mistakenly labelled "trusted") net
to the external nets.
Thanks,
Rob.
--
Rob T
Hi, Adam.
] Anyone know anything about this? I can't find anything on ICANN's web site
] regarding a switch.
I noticed it on 8 Jan, and adjusted my monitoring accordingly.
http://www.cymru.com/DNS/gtlddns-o.html
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
This includes links to the Secure IOS Template, Secure Juniper
Template, bogon monitoring, and other associated references. Both
222/8 and 223/8 were withdrawn from the bogon route-server as of
13 FEB 02:01:00 US CST.
Thanks!
Rob, for Team Cymru.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee
Hi, NANOGers.
For those of you tracking the DHS threat level - The Homeland Security
threat level is very likely to be lowered one notch today, according
to Marcus Sachs.
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
. However, raising the bar even a little can yield
impressive results.
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
difficult) way to trace back the attack to the
sources.
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
hosts. These are some of the warning signs.
] Who cares? If the other routers are configured correctly, they won't take
] tainted advertisements. If they are not configured correctly, any Super
] Secure BGP won't help.
Yep, thus my constant raving about prefix filtering. :)
Thanks,
Rob.
--
Rob
pain caused by the average scan and sploit crowd. Pick good
passwords, limit access, keep routing tables clean, etc.
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
t Rob is considering setting up an LDAP server as an
Yep, it is high on my burgeoning to-do list. :)
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
Hi, NANOGers.
] I bet for example we could get Rob Thomas to update his templates to
] include scarier warnings...
For the right amount of coffee, I just might. ;) Seriously, I'm all for
it. Here is what I have on the Bogon List page:
NOTE WELL! IANA allocations change over tim
is service, I'm happy to provide it for as long as there is a need.
This is a free service, and not at all cumbersome to the members of
Team Cymru.
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
nd comments
are always welcome!
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
about folks web surfing 10/8. :)
There are things that go wrong, however, and I firmly believe in
filtering both on ingress and egress (at the edge, to be clear).
This is an extra bit of protection in case something bad happens,
be it malware, fat fingers, etc.
Thanks,
Rob.
--
Rob Thomas
http://www.c
this change.
You should update any filters you have.
The bogus ASN report, which shows ASNs leaking private, unallocated,
and reserved ASNs, is located here:
<http://www.cymru.com/BGP/asnbogusrep.html>
Thanks,
Rob, for Team Cymru.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
tworks and
the flows on them. Comments, feedback, and coffee are always welcome! :)
Thanks!
Rob, for Team Cymru.
- --
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
page at
the following URL.
<http://www.cymru.com/Darknet/>
We hope you find this of use. Comments and suggestions are always
welcome!
Thanks!
Rob, for Team Cymru.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
rnet garbage. :)
<http://www.cymru.com/Reach/garbage.html>
<http://www.cymru.com/Reach/darknet.html>
Thanks!
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
power issue, so we are looking for any "me too" incidents
we can find.
Is anyone else having issues down there?
Replies on or off list appreciated.
Alif Terranson
Savvis Communications
(314) 628-7602
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
me to buy a
cup of coffee for Rob at the SLC NANOG if you feel kindly. :)
You can read more about the project here:
<http://www.cymru.com/BGP/bogon-rs.html>
You can read more about bogon filtering and tracking here:
<http://www.cymru.com/Bogons/>
Thanks!
Rob, for Team Cymru.
--
st arrived, and I look pretty darn NANOGish if I do say so
myself. :)
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
now
] mentality.
For those who herd bots, this in theory provides the capability to
get-it-done-right *AND* get-it-done-now. :/
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);