Re: Great Suggestion for the DNS problem...?

2008-08-28 Thread Mikael Abrahamsson
On Thu, 28 Aug 2008, Brian Dickson wrote: However, if *AS-path* filtering is done based on IRR data, specifically on the as-sets of customers and customers' customers etc., then the attack *can* be prevented. Yes, but I can't do this for everybody else. Doing AS-path and prefix filtering (ma

Generic network agreement template

2008-08-28 Thread Frank Bulk
I need to supply a network agreement to a friendly customer so that they can obtain an ASN from ARIN. Some of you will mutter that we should have executed one already, but we still shake on things around here. Does anyone have a simple, even one-page template of a network agreement that they can

Re: Great Suggestion for the DNS problem...?

2008-08-28 Thread Brian Dickson
Alex Pilosov wrote: On Thu, 28 Aug 2008, Brian Dickson wrote: However, if *AS-path* filtering is done based on IRR data, specifically on the as-sets of customers and customers' customers etc., then the attack *can* be prevented. The as-path prepending depends on upstreams and their peers ac

Re: Great Suggestion for the DNS problem...?

2008-08-28 Thread Alex Pilosov
On Thu, 28 Aug 2008, Brian Dickson wrote: > However, if *AS-path* filtering is done based on IRR data, specifically > on the as-sets of customers and customers' customers etc., then the > attack *can* be prevented. > > The as-path prepending depends on upstreams and their peers accepting > the pr

Re: IP Fragmentation

2008-08-28 Thread Glen Kent
I understand, but the question is what if they don't? Or let me rephrase the question. What do standard implementations do if they send a regular IP packet (no DF bit set) and receive an ICMP dest unreachable - Fragmentation reqd message back? Do they fragment this packet and then send it out agai

RE: IP Fragmentation

2008-08-28 Thread Tony Li
|OK, so what happens if a transit router does not support IP |fragmentation All IPv4 routers are supposed to support fragmentation per RFC 1812 (Router Requirements), section 4.2.2.7. Tony

Re: IP Fragmentation

2008-08-28 Thread Fernando Gont
At 08:44 p.m. 28/08/2008, Glen Kent wrote: I understand that routers usually must send this error only when a fragmentation is required and they receive a packet with DF bit set. However, in this case this router would drop the packet (for it doesn't support fragmentation) and sending an ICMP err

Re: IP Fragmentation

2008-08-28 Thread Glen Kent
> > > I'm not sure how to address the above points since there appear to be some > incorrect assumptions at play. It all depends on whether the Don't Fragment > (DF) bit is set in IPv4 and how the source application responds to any > resulting ICMP error responses (if the DF is set and one of the r

Re: Revealed: The Internet's well known BGP behavior

2008-08-28 Thread Danny McPherson
On Aug 28, 2008, at 3:47 PM, Deepak Jain wrote: We can go into lots of reasons why the Internet runs this way. I think we can all agree 1) It's amazing it runs as well as it does, and 2) No one has clearly articulated a financial reason for any large organizations to significantly change t

Re: Revealed: The Internet's well known

2008-08-28 Thread Brian Dickson
(Sorry - repost with fixed Subject line. My bad. -briand) Alex P wrote: *) There is no currently deployable solution to this problem yet. *) Filtering your customers using IRR is a requirement, however, it is not a solution - in fact, in the demonstration, we registered the /24 prefix we hij

Re: Great Suggestion for the DNS problem...?

2008-08-28 Thread Brian Dickson
Alex P wrote: *) There is no currently deployable solution to this problem yet. *) Filtering your customers using IRR is a requirement, however, it is not a solution - in fact, in the demonstration, we registered the /24 prefix we hijacked in IRR. RIRs need to integrate the allocation data wi

Re: Revealed: The Internet's well known BGP behavior

2008-08-28 Thread Deepak Jain
*) Filtering your customers using IRR is a requirement, however, it is not a solution - in fact, in the demonstration, we registered the /24 prefix we hijacked in IRR. RIRs need to integrate the allocation data with their IRR data. further clarification... [if this is obvious, just skip over

Re: Revealed: The Internet's well known BGP behavior

2008-08-28 Thread Randy Bush
Steven M. Bellovin wrote: > On Thu, 28 Aug 2008 10:16:16 -0500 > "Anton Kapela" <[EMAIL PROTECTED]> wrote: > >> I thought I'd toss in a few comments, considering it's my fault that >> few people are understanding this thing yet. >> On Thu, Aug 28, 2008 at 2:28 PM, Gadi Evron <[EMAIL PROTECTED

Re: Revealed: The Internet's well known BGP behavior

2008-08-28 Thread Alex Pilosov
On Thu, 28 Aug 2008, Anton Kapela wrote: > I thought I'd toss in a few comments, considering it's my fault that > few people are understanding this thing yet. > > >> On Thu, Aug 28, 2008 at 2:28 PM, Gadi Evron <[EMAIL PROTECTED]> wrote: > >>> > >>> People (especially spammers) have been hijacking

Re: Revealed: The Internet's well known BGP behavior

2008-08-28 Thread Gadi Evron
Thank you for making your presentation. Gadi. On Thu, 28 Aug 2008, Anton Kapela wrote: I thought I'd toss in a few comments, considering it's my fault that few people are understanding this thing yet. On Thu, Aug 28, 2008 at 2:28 PM, Gadi Evron <[EMAIL PROTECTED]> wrote: People (e

Re: Revealed: The Internet's well known BGP behavior

2008-08-28 Thread Joe Greco
> To quote Bruce Schneier quoting an NSA maxim, attacks only get better; > they never get worse. We now have running code of one way to do this. > I think most NANOG readers can see many more ways to do it. A real > solution will take years to deploy, but it will never happen if we > don't start.

Anton Kapela on what the BGP attack *really* means

2008-08-28 Thread Jay R. Ashworth
[ I'm unthreading this, because Anton didn't think to, and I wouldn't want anyone who canned the other thread to miss it. --jra ] On Thu, Aug 28, 2008 at 11:56:30AM -0400, Steven M. Bellovin wrote: > On Thu, 28 Aug 2008 10:16:16 -0500 > "Anton Kapela" <[EMAIL PROTECTED]> wrote: > > > I thought I

Re: Revealed: The Internet's Biggest Security Hole

2008-08-28 Thread Joel Jaeggli
Hank Nussbacher wrote: > At 09:40 PM 27-08-08 -0400, [EMAIL PROTECTED] wrote: > > I beg to differ. What will change is a serious uptick in the number of > prefixes (279K) in the routing tables as everyone rushes to deaggregate > to /24 size. A year ago we were at 230K, how much you wanna bet we

RE: Revealed: The Internet's well known BGP behavior

2008-08-28 Thread Jon Lewis
Do you utilize the IRR, have an as-set, and put all customer AS/CIDR's into the IRR? I've honestly never heard from LVL3 about our advertisements. Other providers have varied from just needing a web form, email, phone call, or those combined with faxed LOAs. The latter gets very annoying...b

Re: Revealed: The Internet's well known BGP behavior

2008-08-28 Thread Steven M. Bellovin
On Thu, 28 Aug 2008 10:16:16 -0500 "Anton Kapela" <[EMAIL PROTECTED]> wrote: > I thought I'd toss in a few comments, considering it's my fault that > few people are understanding this thing yet. > > >> On Thu, Aug 28, 2008 at 2:28 PM, Gadi Evron <[EMAIL PROTECTED]> > >> wrote: > >>> > >>> People

RE: Revealed: The Internet's well known BGP behavior

2008-08-28 Thread Bogdanov, Oleg (IT)
First, thank you all for the usually intelligent/enlightening discussion. My first post to this list and apologies in advance if discussion of end point (customer) networks is off-topic: I haven't seen the presentation that some of you have referred to. If someone can provide a link that would b

RE: Revealed: The Internet's well known BGP behavior

2008-08-28 Thread Boyd, Benjamin R
We've encountered the same diligence with LVL3, especially after acquisitions where records haven't been updated yet. Although a little annoying it's quite refreshing. >-Original Message- >From: Eric Spaeth [mailto:[EMAIL PROTECTED] >Sent: Thursday, August 28, 2008 1:41 AM >To: Jon Lew

Re: Revealed: The Internet's well known BGP behavior

2008-08-28 Thread Anton Kapela
I thought I'd toss in a few comments, considering it's my fault that few people are understanding this thing yet. >> On Thu, Aug 28, 2008 at 2:28 PM, Gadi Evron <[EMAIL PROTECTED]> wrote: >>> >>> People (especially spammers) have been hijacking networks for a while I'd like to 'clear the air' her

Re: Service Outage in Indiana

2008-08-28 Thread Elijah Savage
- "Elijah Savage" <[EMAIL PROTECTED]> wrote: > Anyone know what is going on there. > > Sprint Verizon data and voice circuits affected in the Fort Wayne > area. Ok I have some data now. It seems the local LEC has multiple DS3's down in the area. I asked here as a last resort because I have

Service Outage in Indiana

2008-08-28 Thread Elijah Savage
Anyone know what is going on there. Sprint Verizon data and voice circuits affected in the Fort Wayne area.

Re: integer to IP address

2008-08-28 Thread Mohacsi Janos
On Wed, 27 Aug 2008, Simon Lockhart wrote: On Wed Aug 27, 2008 at 07:11:41AM -0400, kcc wrote: Is it possible to convert the integer to IP Yes. Simon Yes. But be aware whether you are using IPv6 or IPv4... Janos Mohacsi Network Engineer, Research Associate, Head of Network Planning and

reviving the botnets@ mailing list: a new strategy in fighting cyber crime

2008-08-28 Thread Gadi Evron
The public botnets@ mailing list, where malicious activity on the Internet can be openly shared, has been revived, and boy is it active. Warning: live samples and malicious URLs are openly shared there. NANOG relevance: These can be operationally used by ISP security operators not of those "in

Re: Revealed: The Internet's well known BGP behavior

2008-08-28 Thread Patrick W. Gilmore
On Aug 28, 2008, at 6:25 AM, Suresh Ramasubramanian wrote: Most of the spammer acquired /16s have been 1. pre arin 2. caused by buying up assets of long defunct companies .. assets that just happen to include a /16 nobody knew about Not exactly hijacks this lot .. just like those "barely lega

RE: Revealed: The Internet's well known BGP behavior

2008-08-28 Thread michael.dillon
> I stand by my assertion that most people do not run > traceroutes all day and watch for it to change. > > That some people are diligent does not change the fact the > overwhelming majority of people are not. > > Or the fact that with the right placement of equipment (read > "luck") and coo

RE: Revealed: The Internet's well known BGP behavior

2008-08-28 Thread michael.dillon
> Lastly, can you show me a single inter-AS MPLS deployment? When you > can, then you can use that as a method to avoid this h4x0r. Just some quick googling found this from back in 2006. "Sprint has expanded its global MPLS network capabi

Re: Revealed: The Internet's well known BGP behavior

2008-08-28 Thread Suresh Ramasubramanian
Most of the spammer acquired /16s have been 1. pre arin 2. caused by buying up assets of long defunct companies .. assets that just happen to include a /16 nobody knew about Not exactly hijacks this lot .. just like those "barely legal" teen mags. srs On Thu, Aug 28, 2008 at 2:28 PM, Gadi Evro

Re: integer to IP address

2008-08-28 Thread Beat Vontobel
"Anything concerning an "end network" is not relevant to this list. " lol I am however, very interested in the content/replies thus far. Very entertaining. Yes, while certainly off topic, also for me it's probably been one of the most entertaining threads of this kind. So just one more sol

Re: Revealed: The Internet's well known BGP behavior

2008-08-28 Thread Gadi Evron
On Wed, 27 Aug 2008, Patrick W. Gilmore wrote: On Aug 27, 2008, at 11:07 PM, John Lee wrote: 1. The technique is not new it is well known BGP behavior and not stealthy to people who route for a living. Using existing technology in novel ways is still novel. Plus it makes the technique more