Slashdot Mirror


User: _ganja_

_ganja_'s activity in the archive.

Stories: 0
Comments: 247

Comments · 247

  1. Re:ok, this is offtopic.... on Undernet In Serious Trouble: Any Suggestions? (Updated) · · Score: 1

    Weird, I always tend to do this the other way around or I think I do anyway.

  2. Re:Defensive measures on Undernet In Serious Trouble: Any Suggestions? (Updated) · · Score: 1

    Weighted fair queueing (correct spelling) is only suitable for links of 2mb/s or below. Regardless, queuing will not help this situation.

  3. Re: Ask Slashdot: Undernet In Serious Trouble. . . on Undernet In Serious Trouble: Any Suggestions? (Updated) · · Score: 5
    I wasn't there but based on the details above which are extensive there is something that I would have done very quickly that would have saved you grief at least in some of your network. Even if you did what I'm about to mention, it's worth posting as it's also good advice for anyone else getting DDOS'd (or at least it's a starting point).

    DUMP THE ROUTE: As soon as possible stop advertising the affected block to your peers, this is the fastest way to prevent the traffic entering your AS and saves bandwidth on your internal lines. It's under your control and it's faster than informing all your peers and waiting till *they* get filters in place, it's not their problem and even if they filter the traffic it still takes their external bandwidth.

    This depends on your BGP config and a few things will happen, firstly if you're a large ISP you're going to lose other customers as you're not advertising their IP addresses and depending on peering agreements the minimum could be as large as a /20 or /19 but it's better than losing the whole network and all your customers! If upstream peers from you are not aggregating your routes this will in effect remove the route from the whole net (might take a little while to converge the whole net) and the traffic from the attacking DDOS machines won't get very far (their own subnet). If your routes are aggregated upstream and you've withdrawn the route the traffic stops with the upstream ISP anyway.

    This should give you breathing time without the loss of your whole network and (at least you'll have bandwidth to telnet to your routers) identify which machines were getting attacked. Talk to the upstreams and get them to dump the host(s) specific route to null.

    I meet far too many network admins that think they know everything there is to know about networking that just state "what can I do but put filters on the border", which is fairly useless for preserving external bandwidth which of course is what your customers are paying for.

    BTW, while I'm here, anyone want to give me a job?

    Will configure routers for food.

  4. Re:trace route on Undernet In Serious Trouble: Any Suggestions? (Updated) · · Score: 3
    Nice idea but I'll give you the first problem: With DDOS the source address of the packets are forged so you have no valid source address.

    Second problem: These attacks are distributed hence packets come from many different places, more than one source.

    Third problem: There are many different types of DOS attack, so you can't just filter on packet types.

    The best analogy I can think of for DDOS attacks is this: Imagine someone had a worldwide gang of people that wrote post cards to you, they each sent you 300 post cards a day and there was a hundred people in the gang. You'd get 30,000 postcards a day that you never asked for, this would fill up your mailbox and you wouldn't be able to get your important mail. All you could tell from the post codes was that these cards came from 100 different places around the world. Furthermore the post office now want to charge you for all your extra mail and the only way to stop it is to tell the post office to throw out all your mail including important letters (or else move house).

    What some of the major of ISPs are doing is running netflow accounting so they have detailed traffic logs but these tend to be huge. With these logs it is just about possible to identify the source of the packets *IF* all end-to-end ISPs run this and are willing to co-operate. Just like tracing a telephone call in old movies this takes time and if the machine stops DOSing the target it can make this a lot harder. Once you have found a slave machine in theory you can check the netflow logs for the initial connection from the controlling machine that started the DDOS. This sounds like a pain and it is, it is my understanding that no-one has ever been caught doing a DDOS by this method.

    Sniffing packets at ingress points for known DDOS master to slave commands would be a possible solution BUT every possible ingress point would have to implement this (not realistic - massive understatement) and all the DDOS authors would have to do would be to change the used commands. This would just combat script kiddies using old software really.

    Two words: Difficult problem.

  5. Re:script-kiddy culture is to blame on Undernet In Serious Trouble: Any Suggestions? (Updated) · · Score: 2

    I have no hope of ever having sex (with a human) but I have hardly ever used IRC. I find these kind of stereotypes offensive to the "no chance of getting shagged league".

  6. Re:Easier to stop it in retrospect on Undernet In Serious Trouble: Any Suggestions? (Updated) · · Score: 1
    I think it's great that you have a resource like this however, this isn't for everyone. You state: "although it is AMAZING the number of people that absolutely refuse to do it!"

    Maybe there is a good reason why people refuse to do it? You are running a very small network, what about ISPs that have multiple stm16 lines? This long extended access-list would be a performance hit, netflow switching could help a bit but I would never implement such a list on border routers. If there was a magic bullet my friend we'd all be using it. However, to refine your point there are many ISPs that don't have the skilled staff or the strong management to think security is a risk. Then I feel they deserve to be put out of business (hint to an old employer) *cough* Colt *cough*. No decent ISP would refuse to implement security.

    Although giving access-list advice is nice, I'd be wary about pre-made configs, every network is different, you state on your page: "Finally, don't use this access list as is. Be sure to alter it for your network.". If someone had the knowledge to do this they could very easily build this access list themselves. Cut & pasting configs is never a good idea unless you fully understand them.

    Also from your web page:

    "acc 101 deny ip 0.0.0.0 255.255.255.255 0.0.0.255 255.255.255.0
    acc 101 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.0"

    Maybe: "no ip directed-broadcast" on the interfaces would be easier? It's default on IOS 12 and above anyway. Remove ICMP redirects on the interfaces "no ip redirects" plus "ip verify unicast rpf" could be very useful for anti-spoof (must be running CEF + doesn't work with symmetric routing).

    I think there is one thing any Cisco admin working in an ISP should do and that is read this:

    http://www.cisco.com/public/cons/isp/documents/IOSEssentialsPDF.zip

    and also this could be useful: http://www.cisco.com/warp/public/707/21.html

  7. Re:What he REALLY wants... on Information Poisoning · · Score: 1

    Hey, bat boy is real.

  8. Re:Thought provoking? on Information Poisoning · · Score: 1

    I also think that with the net, it's far easier to get conflicting views than with TV news etc.

  9. The concern is real but the solution on Information Poisoning · · Score: 1
    Carr certainly puts across valid reasoning and I tend to agree completely with the humans to bio storage machines.

    I work in networking and I've seen a trend where network engineers are not so much gaining knowledge but more remembering books and reciting them when required. Kind of like having a walking Docu CD really but given a simple problem they don't have the skill to use the information they have gained to fix it.

    On the other hand the net also spawns some great ideas and free thinking, Linux might be a good example? Maybe I'm just working with idiots that learnt what they know by passing memory test exams.

  10. Something everyone is missing on 4C May Back Down On Hard-Disk Copy Protection · · Score: 1
    Although this isn't a great comfort there is something that everybody seems to have overlooked: The changes are to the ATA spec only. What about SCSI devices?

    OK, so if CPRM takes off on IDE no doubt SCSI disks will get it implemented at some point but I just can't see the M$ insisting on a CPRM device until 99.9% of users have them and with a lot of power users running SCSI it might take a while to get massive coverage of CPRM.

    I hate the idea of CPRM but I just thought I'd post something a little positive.

  11. Re:Perfect Business Opportunity on 4C May Back Down On Hard-Disk Copy Protection · · Score: 2
    "Wouldn't be a good move for some hard drive company to specialize in selling "non" copy protected hard disks, then?"

    Common sense lesson number one: Who's making the specs? Well, IBM for one and they have quite a vested interest in HD sales, do you think they'd leave the door open like this?

    Problem number one is that to make hard disks that are compatible with the new specs you will have to license the technology. In that License there will be a little clause that states the whole spec must be implemented which will of course mean you have to include all of the digital rights management features.

    Put this another way: When the price of DVD burners falls there will be a market for blank DVDs that don't have the key code portion of the disk already written, this will enable backups of films. However to produce blank DVDs you need to license the technology, I'll give you one guess on what the license says you're not allowed to do.

  12. Re:No way on 4C May Back Down On Hard-Disk Copy Protection · · Score: 5
    "There's no way that HD copy protection will survive, AFAIK. Once you sell the user the hardware, you can basically kiss it goodbye."

    From what I've read, it's not that simple and if Alan Cox is worried about it, it will not be easy to defeat. This ain't no MP3 watermarking scheme.

    The fact that this has gotten this far pisses me off a great deal, if I buy a HD I should be able to do as I please with it. It's bad enough with DeCSS bullshit, if this gets anywhere near HDs we'll have the same battle: "Sorry Linux, you don't have a licence to read the new HDs and even if a benevolent stranger were to donate a license, you can not write drivers and open the source".

    What's that you say? It's only for selective content such as films and music, for now maybe but once the spread of the technology is wide enough, who knows? This is fat cat corporate heaven.

    We are no longer living in interesting times but very worrying times. George Orwell seems to have only missed the date by 20 years, maybe he misjudged human nature and thought we would roll over quicker but regardless if "initiatives" like this HD shit get implemented I'd say we're half way on our backs already.

  13. Re:Chello on What's The Difference Between A CIO And A CTO? · · Score: 1
    Noo, not Chello. I used to work there and I totally agree, the company has a Senior Vice President (plain old vice president wasn't good enough) for everything, when I was there, there must be over 30 Senior VPs for a company with less than 150 staff.

    I wonder if Linux is still a banned OS, even the unix admins had to use a locked down version of NT as the *cough* IT department *cough* even went as far as to try and implement secure card readers for the LAN to remove Linux.

  14. Re:Framebuffer - OT on Linus Talks About 2.4 · · Score: 1

    Where can I get more info on FB in QT and KDE? I'm having a little problem understanding you got KDE compiled with just qt-em when KDE requires X includes. Maybe you just mean Konqy embedded? Or you have X installed but don't start it?

    Is 2.2.4 QT released already or are you on a CVS version?

    Anyway, I'd certainly like to play around with qt-em on the desktop but I'm a bit lost on where to look.

  15. Re:No plans for the future.. on Linus Talks About 2.4 · · Score: 1

    The plan is to let 2.4 get rock stable before branching off 2.5. That's all. Relax

  16. Re:Why do I feel somehow let down? on Linus Talks About 2.4 · · Score: 1

    I'll say this to save someone else the trouble:

    Just switch to Windows.

    Better keep those pain killers around though.

  17. Re:People look up to Linus too much, I think on Linus Talks About 2.4 · · Score: 1

    There's an old saying that says "A camel was a horse designed by a committee".

  18. CD Image - bit old on NetBSD/Dreamcast Official Port · · Score: 2

    There is a CD image of a bootable netbsd for the DC at: www.hh.iij4u.or.jp/~bsh/netbsd-dc/netbsd-dc-001.tar.gz Burning instructions are at: http://mc.pp.se/dc/cdr.html However, the image only has serial support (set to 56,6Kb 8N1). There is a ramdisk which the kernel will boot that has sh and a few other basic bits and rogue is installed under /usr/local or maybe /usr/games. You'll need to set TERM and do `stty nl' to play rogue.

  19. Re:Will GTK become Yet Another X? on GTK+ without X! · · Score: 1
    I think this is one more example of false ideas that somewhat became mainstream and keep being repeated in a drone fashion.

    Thank you! I'm typing this running X over my wireless network, I love X's remote capabilities. Furthermore, Xfree is certainly going in the right direction and isn't as bloated as is made out, anyone that hasn't really investigated xfree's efforts and is stating such anti X feelings certainly hasn't seen the progress that's been made.

    For sure, X could be better in the speed department but what couldn't? It will always have to do things that a games console for example doesn't have to do (e.g. remote displays) but it's certainly NOT painful to use.

  20. Re:play-test one NOW!!! on Want To Playtest An Xbox? · · Score: 1

    Just a very simple question. What stops someone making an xbox compatible machine? All it would take is Nvidia to sell their north / south bridge parts to anyone and a little reverse engineering of the very small OS? Everything else is available on the open market.

    I guess M$ has this covered already + they will no doubt make a loss on the hardware anyway which isn't going to attract clone makers.

  21. jabber on Instant Messaging On Linux · · Score: 3

    What about jabber, that can interface with AIM, ICQ and most other instant messenger systems. It's open source and its native protocol is also an open standard. There are different frontends available and it supports most platforms (Linux - various i.e. KDE, Gnome..., Windows, Newton, mozilla, MAC, JAVA, BeOS, CE etc..). Most of these clients are released under the GPL however, some are under closed licenses.

    They're also working on secure communications by the way of PGP/GPG and a web interface. Some clients already support encryption though.

    There is also a commercial server available with more features than the open source version but at least this project has an Open source server that didn't have to be reverse engineered.

    It's seriously worth a look if you currently have to run different IM clients to keep in contact with people on the various networks. One place to keep all your contacts and the server makes communicating between them transparent.

    www.jabber.org is the opensource part and sponsored by www.jabber.com, these guys sell the commercial server.

  22. Re:Um, "exercise?" on DotComGuy Survives His Year · · Score: 1

    I guess he won't have been doing much of that though being on a web cam the whole time... Then again, I've seen a few sites like that.

  23. Re:Not too bright... on DotComGuy Survives His Year · · Score: 1

    I have a feeling this guy was sponsored by the .coms that were booming when he started his little experiment. Things are slightly different now.....

  24. Lazy option on Arcade Monitors and XFree86 · · Score: 1

    I really don't have time, space or the woodworking skill to build a good looking and functional arcade cabinet. Is there anywhere that sells them with the idea of using mame?

    Arcade2000.com is the only place I found so far and what they offer looks great but are there any other places so I can make a comparison?

  25. Re:I Hate New Years.. on Slashdot Readers Write The History Of The Future · · Score: 1

    HAAAAAAAAAAAAAHHHHHHHHHHHHHHAAAAAAAAAAAAAAAAA I'd go with the gay thing though, seems like a good chance otherwise, hookers.