September 1999 - lir-wg - mailman.ripe.net

Re: Tracking stealth portscan/pepsi attacks
by Berislav Todorovic 06 Sep '99

06 Sep '99

Dear collagues, The traffic on this list has increased rapidly since we started to discuss various security details. Regrettably, almost no persons from various CERTs are subscribed to this list, while they deal with day-to-day requests for intrusion and attack coordination. Therefore, a security-related RIPE WG might really be needed. Its aims would be to: * enhance incident coordination among ISPs; * ensure exchange of ideas and experiences in network and systems security; * issue security-related recommendations and BCP documents; * establish tighter relatioship between the ISPs and the CERTs. The group should be open to any interested party. The group should also elect a representative who would participate in activities of the CERT and IRT community (meetings, workshops, mailing lists etc.) and/or provide continuous input from various CERTs and IRTs. Few days ago, I received an interesting message from Karel Vietsch, Secretary General of TERENA, related to the subject we're talking about. I'm forwarding it, hoping it would be interesting for wider community (NOTE: the meeting, mentioned in Mr Vietsch's message is closed - only CERT community memebers can participate, but if we find time to create the Security-WG, a representative of the WG can apply to attend it): -------------------------- Begin included message -------------------------- Date: Fri, 03 Sep 1999 22:43:51 +0200 From: Karel Vietsch <vietsch(a)terena.nl> Subject: European collaboration between CERTs To: Berislav Todorovic <BERI(a)etf.bg.ac.yu> Cc: B.Gilmore(a)ed.ac.uk, dyer(a)terena.nl, demchenko(a)terena.nl Dear Mr. Todorovic, A colleague drew my attention to your message below. Indeed, almost three years ago Daniel Karrenberg posted a proposal for a SIRCE service to be provided by the RIPE NCC but he could not realise this plan due to lack of financial commitments. Perhaps you are not aware that Daniel's initiative was actually a proposed response to a call for tender for the SIRCE pilot service, organised by TERENA. As mentioned above, the RIPE NCC was not able to put forward a proposal, but some other organisations did, the best proposal was selected and the SIRCE pilot service started in May 1997. It is currently being provided by UKERNA. See the SIRCE Web site <www.sirce.net> for further details on the current pilot service. The pilot will come to an end later this month, and a meeting has been organised to discuss plans for future collaboration between CERTs in Europe, following on from the SIRCE pilot. This meeting will take place in Amsterdam on Friday 24 September 1999, immediately following the next RIPE meeting. See the invitation below. If you are interested in attending this meeting, please let me know. Best regards, Karel Vietsch TERENA Secretary General +++++++++++++++++++++++++++ Dear colleagues, It is my pleasure to invite you to a meeting to discuss the future collaboration of CERTs in Europe. The meeting will be held on Friday 24 September 1999, 11:00 - 15:00 hours, at the TERENA Secretariat in Amsterdam. Background Collaboration and co-ordination between CERTs in Europe has been under discussion at least since 1992. The report of the TERENA Task Force "CERTs in Europe" (1995) led to a pilot ("SIRCE") for a European CERT co-ordination service. This pilot, which started in May 1997 and is currently being provided by UKERNA, will come to an end later this month. In general the responses to the pilot service have been positive, and many have expressed their appreciation for the work done and the experiences gained during the past 2.5 years. Nevertheless, it has become clear that it will not be possible to establish a permanent operational European CERT co-ordination service at the end of the pilot phase. This is mainly because the needs of the various networks in Europe and their CERTs are so different that it is not possible to collect a sufficient critical mass to provide the (substantial) funds that would be needed to fund such a professional permanent service. Still there is a clear need for and willingness of CERTs in Europe to collaborate on issues of common interest. Such collaboration can take the form of exchange of information, limited work provided by one or more CERTs for the entire European CERT community and joint activities of CERTs who are interested in jointly solving a particular common problem. Rather than a model of a centrally provided service, one would then adopt a model of collaborative activities in one or more working groups, task forces and/or small projects. This thought has been put forward by a number of CERTs in the final discussions on SIRCE, and several examples of possible joint activities have been given. Now that the SIRCE pilot is being completed this month, the time seems ripe to discuss these suggestions in more detail and to agree on future activities. Purpose of the meeting The purpose of the meeting on 24 September 1999 is to identify issues that can be addressed, (information) services that can be provided, activities that can be undertaken and problems that can be jointly solved, through collaborative actions of CERTs in Europe. It is the intention to identify for each of these: which CERTs (and possibly other parties) are interested in the issue, how they feel the issue should be addressed and what they can commit (in manpower or other resources) to joint work on the issue. Agreements should then be reached as to when and how to start such work, and how to organize it. We would hope that the meeting will lead to one or more joint working groups, task forces and/or projects that can be started very soon. Who should attend the meeting? The envisaged participants in the meeting will be the (leading) staff members of CERTs in Europe. Many of the current active CERTs in Europe are attached to Research and Education Networks (NRENs), but representatives of other CERTs who are interested in collaboration with the NREN CERTs are most welcome to participate in the meeting. The host Having been instrumental in European CERT collaboration in recent years (e.g. through the TERENA Task Forces and by making the arrangements for the SIRCE pilot), TERENA feels it as its responsibility to facilitate the best possible future collaboration between CERTs in Europe now that the SIRCE pilot is nearing its completion. Hence TERENA , in consultation with the contributors to the SIRCE pilot, has taken the initiative to organize and host the meeting on 24 September to discuss future plans. The meeting will be chaired by Brian Gilmore, member of TERENA's Executive Committee. Meeting preparation An agenda and other documents for the meeting will be sent out during the next two weeks. Obviously it will help people to prepare for the meeting if those who have specific suggestions for collaborative activities of CERTs in the coming years, could briefly describe their ideas and circulate them to the other meeting participants. Please send your suggestions by e-mail to me at <vietsch(a)terena.nl>. Logistics The address of the TERENA Secretariat is: Singel 468, 1017 AW Amsterdam, The Netherlands. Phone: +31 20 5304488. Please see http://www.terena.nl/info/secretariat/location.html for a description of how to reach our office. The meeting on 24 September is scheduled to follow immediately on a RIPE meeting which will take place in Amsterdam during the preceding days, for the convenience of those who would be interested to attend both meetings. For others it is important to note that with the meeting starting at 11:00 and finishing before 15:00 hours it will be possible for most people in Europe to make this a one-day trip, travelling to Amsterdam early in the morning and back in the late afternoon. In case you will nevertheless need to spend one or more nights in Amsterdam, TERENA's Secretary Ms. Carol de Groot <secretariat(a)terena.nl> can help you find suitable accommodation. Since hotels in Amsterdam are extremely full, you are urged to make your hotel arrangements (either directly with the hotel or via Carol de Groot) ** as soon as possible **. Finally, in order to help us prepare for the meeting, please let me know as soon as possible whether you will be able to attend the meeting. My e-mail address is: <vietsch(a)terena.nl>. We will then include you in further mailings and send you the documents for the meeting. I am looking forward to seeing you in Amsterdam on Friday 24 September and I hope that we will have a very fruitful meeting! Best regards, Karel Vietsch TERENA Secretary General PS. : In case not you yourself but one of your colleagues will be the appropriate person to participate in the meeting: please pass on this invitation! ++++++++++++++++++++++++++++++++++++++++++++++ Karel Vietsch TERENA Secretary General Singel 468, 1017 AW Amsterdam, The Netherlands phone: +31 20 5304488 fax: +31 20 5304499 e-mail: <vietsch(a)terena.nl> WWW: http://www.terena.nl .-------. | --+-- | Berislav Todorovic, B.Sc.E.E. | E-mail: BERI(a)etf.bg.ac.yu | /|\ Hostmaster of the YU TLD | |-(-+-)-| School of Electrical Engineering | Phone: (+381-11) 3221-419 | \|/ Bulevar Revolucije 73 | 3218-350 | --+-- | 11000 Belgrade SERBIA, YUGOSLAVIA | Fax: (+381-11) 3248-681 `-------' --------------------------------------------------------------------

3 2

Re: Tracking stealth portscan/pepsi attacks
by Berislav Todorovic 03 Sep '99

03 Sep '99

>> How do you manage large BGP customers with lots of networks? One idea is to generate access lists automatically from the data in the route registry. However, that may have some significant drawbacks. First, there are many inconsistences between the IRR and reality, so some connectivity problems may arise. Aside of that, the amount of access lists might affect router perfomance. Regards, Beri .-------. | --+-- | Berislav Todorovic, B.Sc.E.E. | E-mail: BERI(a)etf.bg.ac.yu | /|\ Hostmaster of the YU TLD | |-(-+-)-| School of Electrical Engineering | Phone: (+381-11) 3221-419 | \|/ Bulevar Revolucije 73 | 3218-350 | --+-- | 11000 Belgrade SERBIA, YUGOSLAVIA | Fax: (+381-11) 3248-681 `-------' --------------------------------------------------------------------

1 0

Re: Tracking stealth portscan/pepsi attacks
by Berislav Todorovic 02 Sep '99

02 Sep '99

>> I'd vote for a WG focussing on these things. IIRC there have been >> plans on a RIPE-Security WG around RIPE-29 or 30. If there's a bigger >> interest on this topics what about a Security-BOF next RIPE? In >> general, net-abuse has become one of the major problems these days, >> included but not limited to attacks, scans, mailbombs, a.s.o. Three years ago, Daniel Karrenberg posted a proposal for creation of a pilot incident response team, called Security Incident Response and Coordination in Europe (SIRCE). The team should have been operating under the RIPE NCC umbrella. Everyone was pretty happy with the proposal itself, but when it came to finances - only a small number of ISPs agreed to participate in funding. Therefore, as far as I remember, the RIPE NCC had to widthdraw the proposal. That, however, doesn't mean we can't think about resurrection of SIRCE. At least, we can start with a WG, but a central IRT that will coordinate the incidents is really needed. Regards, Beri .-------. | --+-- | Berislav Todorovic, B.Sc.E.E. | E-mail: BERI(a)etf.bg.ac.yu | /|\ Hostmaster of the YU TLD | |-(-+-)-| School of Electrical Engineering | Phone: (+381-11) 3221-419 | \|/ Bulevar Revolucije 73 | 3218-350 | --+-- | 11000 Belgrade SERBIA, YUGOSLAVIA | Fax: (+381-11) 3248-681 `-------' --------------------------------------------------------------------

1 0

Re: Tracking stealth portscan/pepsi attacks
by Berislav Todorovic 02 Sep '99

02 Sep '99

>> As a side note, does anybody use anything to prevent address spoofing in >> their network? That would at prevent a lot of attacks completly and make >> tracing the rest much easier. RFC 2267 describes most of the measures that should be taken at the router level. I'm not sure how many ISPs implemented everything recommended in that document. Regards, Beri .-------. | --+-- | Berislav Todorovic, B.Sc.E.E. | E-mail: BERI(a)etf.bg.ac.yu | /|\ Hostmaster of the YU TLD | |-(-+-)-| School of Electrical Engineering | Phone: (+381-11) 3221-419 | \|/ Bulevar Revolucije 73 | 3218-350 | --+-- | 11000 Belgrade SERBIA, YUGOSLAVIA | Fax: (+381-11) 3248-681 `-------' --------------------------------------------------------------------

2 1