a few matters about security and consistency

Hi,

There are two matters I want to discuss, which are related from my point of view.

Yesterday, one of our hosts was attacked (Denial of Service). The attacker was using the DNS DOS described in http://www.ciac.org/ciac/bulletins/j-063.shtml (AUSCERT AL-1999.004) for this. The attack used, in short: small DNS queries are sent from the attacker to each of the DNS servers. These queries contain the spoofed IP address of the target. The DNS servers respond to the small query with a large response. These responses are routed to the target, causing link congestion and possible denial of Internet connectivity.

This morning, we took our tcpdump logs of the attacks and built a script which queried the RIPE database for the admins of the abused ('man-in-the-middle') networks. We got almost 900 unique email addresses out of this, to whom we sent a clear email describing what happened and asking for any logs or other usable information to find out who the attacker is. We were astonished how many people reacted with useful information; we are still investigating right now. It turned out we were not the only one attacked; it now looks like the attacker (or attackers, of course) is abusing most of the 194.x network to amplify the DNS requests pointing at a lot of Dutch hosts and even some in the USA.

Ok, that was the scary part ;-) If you operate 1 or more DNS servers, please read the AUSCERT document and apply the workarounds they mention there (only allow your nameserver(s) to answer to queries from trusted hosts and/or zones you are authoritative for). It will really help keep people from abusing your network and filling up your pipe(s).

Matter 1: What scared me was the great amount of bounced mail we got back from the 900 mails we sent. I think at least 10% did not exist. Besides that we got a lot of replies like 'hey don't bother me, I don't work there anymore'. Why doesn't RIPE test periodically if email addresses still work?

Matter 2: Like I said, we got a lot of useful replies and they all more or less contained the same information. People had full, non-working internet links for days because of the attacks and were very happy that we pointed them to the 'Auscert workaround' because now they've closed their DNS'es the traffic (and business!) goes back to normal. Because of the info we got, we are -while I write this- trying to trace back to the origin of the spoofed packets. I think it would be very helpful if there was a mailing list where European operators could discuss this kind of incident, like the USA people do at the Securityfocus mailing list (http://www.securityfocus.com/templates/archive.pike?list=75). I think the introduction at http://www.securityfocus.com/forums/incidents/intro.html would describe the use of such a list very well. Incidents like this DOS which affect a lot of European networks could be stopped much quicker, and if you can contact your fellow operators you don't have to waste expensive time trying to track down those stupid script kids (believe me.. it takes a lot of time ;-)). Of course things like virii, talk about used exploits etc. are on-topic and interesting too. Like I said: time is money, so we set up the list euro-incidents@security.nl already. Anybody can subscribe at http://www.security.nl/mailman/listinfo/euro-incidents.

Thanks for your time,

Mark Lastdrager
Pine Internet -- email: mark@lastdrager.nl :: ML1400-RIPE :: tel. +31-70-3111010
http://www.pine.nl :: RIPE RegID nl.pine :: fax. +31-70-3111011
PGP key ID 92BB81D1 :: Dutch security news @ http://security.nl
Today's excuse: We only support a 28000 bps connection.
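Mark describes building a script over the tcpdump logs to find the networks whose nameservers were being abused as reflectors. As an added example (not from the post, and not Pine Internet's script), the Python below does that triage step on constructed tcpdump-style lines: it separates unsolicited DNS responses (the reflected traffic) from answers to queries the host actually sent, counts the bytes each target received, and groups the reflecting servers by /16 so that one abuse contact can be looked up per network. The log format, the addresses, the port numbers and the threshold of three distinct reflectors are all assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed sample, loosely in tcpdump's UDP notation (src.port > dst.port, byte
# size in parentheses). The four 194.x responses arrive without any matching
# query from 10.0.0.1; the 10.9.9.9 response answers a query 10.0.0.1 really sent.
SAMPLE_LOG = """\
12:00:01.000100 194.10.1.5.53 > 10.0.0.1.4000: 4321 20/0/0 (480)
12:00:01.000200 194.10.7.9.53 > 10.0.0.1.4000: 4321 20/0/0 (495)
12:00:01.000300 194.55.2.2.53 > 10.0.0.1.4000: 4321 20/0/0 (470)
12:00:01.000400 194.55.2.3.53 > 10.0.0.1.4000: 4321 20/0/0 (470)
12:00:01.000500 10.0.0.1.1025 > 10.9.9.9.53: 1+ A? www.example.nl. (30)
12:00:01.000600 10.9.9.9.53 > 10.0.0.1.1025: 1 1/0/0 A 192.0.2.1 (46)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): .*\((?P<size>\d+)\)$"
)

Packet = Tuple[str, int, str, int, int]  # (src, sport, dst, dport, size)


def parse_line(line: str) -> Optional[Packet]:
    """Return (src, sport, dst, dport, size), or None for lines we do not understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), int(m["size"]))


def find_reflected(lines: Iterable[str], min_reflectors: int = 3) -> Dict[str, Tuple[Set[str], int]]:
    """Map each target to (set of reflecting servers, bytes received) for every
    target that got unsolicited DNS responses from at least min_reflectors servers."""
    packets = [p for p in map(parse_line, lines) if p]
    # (client, server) pairs for which the log shows a real outbound query.
    # Simplification: we match on addresses only, not on the query's source port.
    queries_sent = {(src, dst) for src, _, dst, dport, _ in packets if dport == 53}
    reflectors: Dict[str, Set[str]] = defaultdict(set)
    volume: Dict[str, int] = defaultdict(int)
    for src, sport, dst, _, size in packets:
        if sport != 53:
            continue  # not a DNS response
        if (dst, src) in queries_sent:
            continue  # solicited: the target asked this server itself
        reflectors[dst].add(src)
        volume[dst] += size
    return {t: (reflectors[t], volume[t]) for t in reflectors
            if len(reflectors[t]) >= min_reflectors}


def reflectors_by_prefix(ips: Iterable[str], prefix_len: int = 16) -> Dict[str, List[str]]:
    """Group reflector addresses by their enclosing /prefix_len network, so that
    one registry lookup (and one notification) is needed per network."""
    by_net: Dict[str, List[str]] = defaultdict(list)
    for ip in ips:
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        by_net[str(net)].append(ip)
    return {net: sorted(members, key=ipaddress.ip_address)
            for net, members in sorted(by_net.items())}


if __name__ == "__main__":
    hits = find_reflected(SAMPLE_LOG.splitlines())
    for target, (servers, nbytes) in hits.items():
        print(f"{target}: {len(servers)} reflectors, {nbytes} bytes of unsolicited answers")
        for net, members in reflectors_by_prefix(servers).items():
            print(f"  {net}: {', '.join(members)}")
```

On real tcpdump output the byte counts give the amplification factor per reflector, and the per-/16 grouping is what you would feed into the RIPE database lookup Mark describes; the "solicited" check keeps a busy resolver's legitimate answers out of the notification list.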

At 10:52 PM 7/5/00, Mark Lastdrager wrote:
Matter 1:
What scared me was the great amount of bounced mail we got back from the 900 mails we sent. I think at least 10% did not exist. Besides that we got a lot of replies like 'hey don't bother me, I don't work there anymore'. Why doesn't RIPE test periodically if email addresses still work?
This idea has come up before. It boils down to whether the RIPE NCC members want to commit the resources necessary to do this properly. Looking at it carefully one discovers quickly that this would require a lot of humanpower for the follow-up actions necessary. Remember that we cannot just change or delete data in the database. Thus we would have to follow up any problems with someone who can. While much of this could be automated, still a great deal of it would require human (naturally intelligent) intervention. All of this can be done if there are enough members who want this and are willing to pay the price.

Daniel

PS: As to the other matters I think that a functioning European CERT is what is needed here.

At Thu, 6 Jul 2000, Daniel Karrenberg wrote:
PS: As to the other matters I think that a functioning European CERT is what is needed here.
Partially agree with that. History has taught that CERTs do not always respond as quickly as we all want them to, and besides that I think people with a business to protect are more eager to help each other.

Mark Lastdrager
Pine Internet -- email: mark@lastdrager.nl :: ML1400-RIPE :: tel. +31-70-3111010
http://www.pine.nl :: RIPE RegID nl.pine :: fax. +31-70-3111011
PGP key ID 92BB81D1 :: Dutch security news @ http://security.nl
Today's excuse: Feature was not beta tested

In message <Pine.GSO.4.21.0007060953200.942-100000@atro.pine.nl>, Mark Lastdrager writes:
At Thu, 6 Jul 2000, Daniel Karrenberg wrote:
PS: As to the other matters I think that a functioning European CERT is what is needed here.
Partially agree with that. History has taught that CERTs do not always respond as quickly as we all want them to, and besides that I think people with a business to protect are more eager to help each other.
I think we need a NANOG more than a CERT.

--
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD coreteam member | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.

Hi, On Thu, Jul 06, 2000 at 01:07:44PM +0200, Poul-Henning Kamp wrote:
I think we need a NANOG more than a CERT.
Agreed!

Gert Doering -- NetMaster -- SpaceNet GmbH
Mail: netmaster@Space.Net
Joseph-Dollinger-Bogen 14, 80807 Muenchen
Tel : +49-89-32356-0
Fax : +49-89-32356-299

Poul-Henning Kamp wrote:
I think we need a NANOG more than a CERT.
I definitely agree. What about ENOG ? ;)

-tb
--
Torsten Blum, Network Engineer   Tel: +49.89.92699.0
Cable & Wireless ECRC GmbH       Fax: +49.89.92699.225
Arabellastr. 17                  E-Mail: tblum@ecrc.de
D-81925 Munich, Germany

In message <200007061222.OAA18539@turon.ecrc.de>, Torsten Blum writes:
Poul-Henning Kamp wrote:
I think we need a NANOG more than a CERT.
I definitely agree. What about ENOG ? ;)
Who's the first to find the best expansion of the acronym EGGNOG ?

--
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD coreteam member | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.

European General Groans Network Operations Group
European Gigabit Gurus Network Operations Group

- Soren

On Thu, 6 Jul 2000, Poul-Henning Kamp wrote:
In message <200007061222.OAA18539@turon.ecrc.de>, Torsten Blum writes:
Poul-Henning Kamp wrote:
I think we need a NANOG more than a CERT.
I definitely agree. What about ENOG ? ;)
Who's the first to find the best expansion of the acronym EGGNOG ?
--
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD coreteam member | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
-----------------------------------------------------------------------
- sp@DK.net - Backbone Manager @ Tele Danmark Internet - +45 35279000 -
-----------------------------------------------------------------------

On Thu, 6 Jul 2000, Poul-Henning Kamp wrote:
PK> Who's the first to find the best expansion of the acronym EGGNOG ?

European Giant Gang? ;-)))

Sincerely,
D.Marck [DM5020, DM268-RIPE, DM3-RIPN]
------------------------------------------------------------------------
*** Dmitry Morozovsky --- D.Marck --- Wild Woozle --- marck@rinet.ru ***
------------------------------------------------------------------------

Torsten Blum wrote:
Poul-Henning Kamp wrote:
I think we need a NANOG more than a CERT.
I definitely agree. What about ENOG ? ;)
Or even better EGGNOG! ;) Sorry, could not resist. But I totally agree with Daniel: RIPE/RIPE NCC should be the equivalent org in Europe.
-tb
--
Torsten Blum, Network Engineer   Tel: +49.89.92699.0
Cable & Wireless ECRC GmbH       Fax: +49.89.92699.225
Arabellastr. 17                  E-Mail: tblum@ecrc.de
D-81925 Munich, Germany
--
------------------------------------------------------------------------
Stephen Burley
UUNET EMEA Hostmaster
Stephenb@uk.uu.net
"If patience is a virtue, and ignorance is bliss, you can have a pretty good life if you're stupid and willing to wait"
------------------------------------------------------------------------

At 01:07 PM 7/6/00, Poul-Henning Kamp wrote:
I think we need a NANOG more than a CERT.
I thought we had RIPE for that. What does NANOG do that you need and RIPE does not do? A mailing list with a high S/N ratio ? Seriously: RIPE or the RIPE NCC should be doing what you need. Tell us. Daniel

Hi, On Thu, Jul 06, 2000 at 02:23:07PM +0200, Daniel Karrenberg wrote:
At 01:07 PM 7/6/00, Poul-Henning Kamp wrote:
I think we need a NANOG more than a CERT.
I thought we had RIPE for that. What does NANOG do that you need and RIPE does not do? A mailing list with a high S/N ratio ?
Hmmm, there is no real "Network Operators" list at RIPE, afaik. By that I mean, technical discussion about BGP issues, router configuration issues, ongoing attacks, etc. - local-ir etc. is more for less technical issues (as I see it). I wouldn't object to having that list hosted at the RIPE NCC, though :-)

Gert Doering -- NetMaster -- SpaceNet GmbH
Mail: netmaster@Space.Net
Joseph-Dollinger-Bogen 14, 80807 Muenchen
Tel : +49-89-32356-0
Fax : +49-89-32356-299

At 02:47 PM 7/6/00, Gert Doering, Netmaster wrote:
Hi,
On Thu, Jul 06, 2000 at 02:23:07PM +0200, Daniel Karrenberg wrote:
At 01:07 PM 7/6/00, Poul-Henning Kamp wrote:
I think we need a NANOG more than a CERT.
I thought we had RIPE for that. What does NANOG do that you need and RIPE does not do? A mailing list with a high S/N ratio ?
Hmmm, there is no real "Network Operators" list at RIPE, afaik. By that I mean, technical discussion about BGP issues, router configuration issues, ongoing attacks, etc. - local-ir etc. is more for less technical issues (as I see it).
The list is there: ripe-op@ripe.net. It has not been used for some time and not even received any SPAM lately. Look at http://www.ripe.net/ripe/mail-archives/ripe-op/index.html for some historical jewels! Maybe time to revive that list? Daniel
I wouldn't object to having that list hosted at the RIPE NCC, though :-)
Gert Doering -- NetMaster -- SpaceNet GmbH
Mail: netmaster@Space.Net
Joseph-Dollinger-Bogen 14, 80807 Muenchen
Tel : +49-89-32356-0
Fax : +49-89-32356-299

On Thu, Jul 06, 2000 at 02:23:07PM +0200, Daniel Karrenberg wrote:
At 01:07 PM 7/6/00, Poul-Henning Kamp wrote:
I think we need a NANOG more than a CERT.
I thought we had RIPE for that. What does NANOG do that you need and RIPE does not do? A mailing list with a high S/N ratio ?
Hmmm, there is no real "Network Operators" list at RIPE, afaik. By that I mean, technical discussion about BGP issues, router configuration issues, ongoing attacks, etc. - local-ir etc. is more for less technical issues (as I see it).
What about EOF - European Operators Forum ? The European Operators Forum deals with the operational issues of networks in Europe, such as new backbones and Internet Exchange Points. -hph

In message <4.3.2.7.2.20000706142134.00d02a80@localhost.ripe.net>, Daniel Karrenberg writes:
At 01:07 PM 7/6/00, Poul-Henning Kamp wrote:
I think we need a NANOG more than a CERT.
I thought we had RIPE for that. What does NANOG do that you need and RIPE does not do? A mailing list with a high S/N ratio ?
Seriously: RIPE or the RIPE NCC should be doing what you need. Tell us.
I think the main issues facing us are DoS attacks, portscans and outages, so I think a mailing list dedicated to abnormal operational issues would be a good idea. It will require a consensus about the exact charter but that can probably be found.

It would also be nice if we had a field in the database which made it possible to look up the email+phone of the person to contact for cert/abuse issues by IP number. As it is now the database is less useful than simply mailing abuse@domain, root@domain and cert@domain.

--
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD coreteam member | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.

Poul-Henning Kamp wrote:
I think we need a NANOG more than a CERT.
I thought that was what RIPE was for? The NANOG list is used to discuss all manner of ops/engineering matters; is there a similar RIPE list? Yeah, NANOG gets busy sometimes and full of crud, but it's nice to have a list where you can do that kind of thing.

--
Leigh Porter
INS

Hi, I'll follow up on one of your points, and partly echo what Daniel Karrenberg said in his reply:
What scared me was the great amount of bounced mail we got back from the 900 mails we sent. I think at least 10% did not exist. Besides that we got a lot of replies like 'hey don't bother me, I don't work there anymore'. Why doesn't RIPE test periodically if email adresses still work?
10%? That's better than I had feared... It's possible you meant "RIPE NCC" when you said "RIPE". If so, that is probably because it's not the RIPE NCC which maintains the data in the RIPE database, and they have a long-standing policy of not modifying the real data in the database (IMHO a wise decision). So, doing the checks would make it necessary to hunt down who to contact about the contents of the database objects, something which can be troublesome for objects which are not marked with "mnt-by".

Regards,

- Håvard
Participants (11):
- Daniel Karrenberg
- Dmitry Morozovsky
- Gert Doering, Netmaster
- Hans Petter Holen
- Havard.Eidnes@runit.sintef.no
- Leigh Porter
- Mark Lastdrager
- Poul-Henning Kamp
- Soren Petersen
- Stephen Burley
- Torsten Blum