Domain: cymru.com
Stories and comments across the archive that link to cymru.com.
Comments · 18
-
Re:Naughty Country IP list
Where can one get a list of IP addresses for countries like China and India so that server admins like myself can block these countries entirely?
Google can tell you within minutes what IP ranges correspond to non-US locations. Here's one such list that's reasonably close: http://www.experts-exchange.com/Networking/Misc/Q_21787352.html. You should also be blocking bogons (addresses that you shouldn't see on the internet, such as unassigned ranges): http://www.cymru.com/Documents/bogon-list.html.
Keep in mind that blocking all foreign IPs isn't foolproof as some US clients may still end up going through a foreign relay or some sort of proxy. Also systems compromised by foreign adversaries or foreign controlled botnets will be seen coming from within the US. I block all non-US addresses, bogons, a few problematic US ISP ranges, and a select list of other subnets based on previous attacks. The company I work for also maintains a very large list of addresses to black-hole (both in and out) based on other information such as previous attacks or IPs controlled by foreign companies. Outgoing traffic to specific addresses triggers red flags for potentially compromised systems.
-
Re:Why is anyone surprised?
That's not research, suggest you buy and read this: http://www.ciscopress.com/bookstore/product.asp?isbn=158705115X
Here's an extract, because I'm not lending you my copy, to get you started: http://www.ciscopress.com/articles/article.asp?p=174313&seqNum=4
Also, if you're configuring Cisco kit, as I do, consider adapting Rob's access-list, found here: http://www.cymru.com/Documents/icmp-messages.html
Now refund my cluepon please.
-
Re:Still lots of IPs available?
No, those IPs ARE available. All the solid blue blocks should be on the bogon list http://www.cymru.com/Documents/bogon-dd.html and not even be routable anywhere.
-
Re:Altruistic?
If that scares the crap out of you, just wait until you see their photo.
-
Re:Who wants to eat crow?
Tell me, how is an IP address any different than a hostname in terms of control? Where a particular address ends up is determined by your next router alone.
Ever heard how IP address spaces are hijacked, or how address spaces that shouldn't even be in use are actually used in the wild and are globally reachable?
Some links: http://www.completewhois.com/bogons/, http://www.cymru.com/Bogons/
-
Re:OT: e.root-servers.net
This page shows that all root servers are up...
-
I thought a darknet.....
I'm confused, I always understood a darknet to be a segment of IP addresses with no services on it that captures all packets to a monitoring computer. They use them to track malware attacks. See http://www.cymru.com/Darknet/ Now they are using it to describe covert channels; what's the deal?
-
And a third definition
http://www.cymru.com/Darknet/
"A Darknet is a portion of routed, allocated IP space in which no active services or servers reside. These are "dark" because there is, seemingly, nothing within these networks.
A Darknet does in fact include at least one server, designed as a packet vacuum. This server gathers the packets and flows that enter the Darknet, useful for real-time analysis or post-event network forensics.
Any packet that enters a Darknet is by its presence aberrant. No legitimate packets should be sent to a Darknet. Such packets may have arrived by mistake or misconfiguration, but the majority of such packets are sent by malware. This malware, actively scanning for vulnerable devices, will send packets into the Darknet, and this is exactly what we want."
-
Additional Bind 9 security
Even if you are already running Bind 9, you should consider reading Rob Thomas' Secure BIND Template for how to best configure bind.
-
Re:I'm not a very good network admin
There's nothing you as an individual company / organization can really do, for all the reasons you've listed.
However, if there was a concerted effort among ISPs to implement proper filtering of packets, then at least DDoS attacks that used spoofed sources would be impacted. This can't solve all types of attacks, and it requires significant cooperation and motivation because currently there is little incentive to do so. Basically you configure your border routers not to pass packets that you know are invalid -- those with RFC1918 addresses, bogon addresses, and addresses outside of your AS. This is all documented in BCP38.
So basically, tell your boss that to prevent attacks like this you can have him mandate that whatever company you decide to buy connectivity from must implement BCP38. If ISPs have an actual incentive to do this, instead of just a bunch of grey-bearded admins saying it would be a good idea, then perhaps it would be implemented more widely. Essentially, tell him to make his purchasing decisions based on "good network stewardship" and not just lowest price. If more companies did this then as a whole the DDoS landscape would clean up just a little bit.
There was recently a long thread on nanog about this. It's good reading as it shows, from the operator side of the fence, how the situation is known to be improvable but there's no financial (and thus managerial) reason to do it.
-
Re:Most people don't care about IPv6
The entire world (including the U.S.) is predicted to run out of IP addresses by next year.
Sorry to disappoint you, but that's unlikely to happen for another 35 years. Looks like there's plenty left to me.
-
Am I the only one
who saw their web site and was transported back to 1996? I half expected a looping MIDI background song, and a request for some obscure, obsolete plugin, or maybe a Netscape 3 Now! button.
Seriously, if anyone from there is reading this, ditch the ugly background image, and get some up to date design! Sheesh. Just like a Welshman to have an ugly webpage.
-
There is one possible benefit
I find the whole notion presented in this article deplorable. What ISP is going to want to self-inflict a barrel of customer rage? Where does all this money go? Who's in charge of verifying claims? What's to stop malicious users from filing false reports, or clandestinely installing software to incriminate an enemy's PC? How are all these ignorant customers supposed to be educated that they're suddenly liable for tens or hundreds of dollars in fines? If you just start arbitrarily fining people, I don't care how little it is, you will bring down a boatload of wrath and ire. People -hate- fees they don't know of in advance.
But one good thing would come of such a plan: egress filtering by all ISPs. This means that source-spoofed packets would be dropped before they get very far. It would make it significantly harder to spoof anything. No more RFC1918 packets on the public internet. If you ever run a public server on the internet, sometime try adding firewall rules to log and then drop all bogon packets: those from unroutable IP space, reserved or unallocated space, etc. You will be surprised how much of that stuff is floating around on the public internet, just soaking up legitimate bandwidth. Egress filtering would cause a much higher level of net-hygiene, in my opinion.
-
Re:All major ISPs do filtering on their BGP Sessio
Seconded.
Have a look at these documents on the subject:
- BGP Security Update - Is the Sky Falling?
- IP Backbone Security
- BGP Risk Assessment
This should shed some more light on this (non) "issue".
--
N
-
Zzzzz... wake me up if it's something important...
Firstly, if you use one of the 13 legacy root servers, you may have noticed a problem. Chances are you didn't. Plus, if you use another root system (ORSC, OpenNIC, etc.), or you cache the glue for all the TLDs in your DNS servers, then you would not have noticed a thing.
Secondly, Rob Thomas has made an excellent template for securing BIND against all sorts of "stupid user tricks" which can be found here:
http://www.cymru.com/Documents/secure-bind-template.html
Thirdly, quoting Louis Touton saying "We're not aware of any users that were in any way affected." was a serious mistake. ICANN haven't taken any notice of internet users up until now, so why should they start now?
The article went on to say "VeriSign expects that these sort of attacks will happen and VeriSign was prepared," company spokesman Brian O'Shaughnessy said. If you want a likely suspect, try this one - brought to you, of course, by Verisign:
http://www.arabtrust.com/training/courses/hacking/index.html
-
mrtg charts
Links courtesy of Sean Donelan.
Root-servers.net
The legendary cymru.com data.
I haven't looked yet but LINX mrtg charts might show something interesting.
Of course, even if someone could knock all the root servers over, the net as we know it wouldn't stop working instantly. That's what the time to live value is for :)
-
Re:And...?
Err, replying to myself.. Anyway, look at this: ICMP filtered during the attack for some, and it doesn't look as bad as it sounds.
-
Moderators?
Why do I never have moderator points when I can be helpful? sigh.
Also, note that this isn't a bad read either: Secure IOS Template