nanog mailing list archives
RE: DoS attacks, NSPs unresponsiveness (fwd)
From: Hank Nussbacher <hank () att net il>
Date: Wed, 8 Nov 2000 09:37:39 +0200 (IST)
On Wed, 8 Nov 2000, Jeff Barrows wrote:

No. Please do not take it offline. The fact that major Tier-1s can't contact each other to handle DoS attacks is of interest to NANOG, IMHO. There is much to be learned here.

-Hank

this is pathetic. take it offline.

...you might also try a bit of professionalism.

- jsb

On Tue, 7 Nov 2000, Christopher L. Morrow wrote:

Jim,

I'm sure glad C&W is 24/7 could you publish a phone number that at least other providers could use to get in touch with the proper security element in your org? I spent 4 hours today trying to get to an engineer who could help me track an attack through corerouter1.blookington.cw.net and got bounced through your NOC, your leased line crew, your contact at MCI (yeah, that was fun), your managed firewall services crew, two other engineers I had to explain what a Syn Attack was and finally got hung up on by someone who has yet to call me back...

Perhaps you can call me to get this track finished? (Since it's still going strong at over 5kpps?)

--Chris

#######################################################
## UUNET Technologies, Inc.                          ##
## Manager                                           ##
## Customer Router Security Engineering Team         ##
## (W)703-289-8479 (C)703-283-3734                   ##
#######################################################

On Tue, 7 Nov 2000, Jim Farrar wrote:

Christopher,

I'm sure other providers will find your comments equally interesting.

http://www.security.cw.net/

7x24 Naturally.

/jim

-----Original Message-----
From: owner-nanog () merit edu [mailto:owner-nanog () merit edu]On Behalf Of Christopher L. Morrow
Sent: Tuesday, November 07, 2000 9:09 PM
To: nanog () merit edu
Subject: Re: DoS attacks, NSPs unresponsiveness (fwd)

Having seen Ariel's message today, and NOT seeing my original response to his post (sent to him directly, did you NOT get this email Ariel?). I've reposted this message.. my original response to Ariel and Rubens.

As to the others today, Steve Sobol, you too are not a UUNET direct customer, BUT if you are under attack and your Upstream tracks this traffic to UUNET have them follow the procedures outlined below and I will track the attack.

UUNET DOES pay 4 people (six actually) to do nothing but stop and track DoS attacks on its backbone... and we are quite good at it.

--Chris

#######################################################
## UUNET Technologies, Inc.                          ##
## Manager                                           ##
## Customer Router Security Engineering Team         ##
## (W)703-289-8479 (C)703-283-3734                   ##
#######################################################

---------- Forwarded message ----------
Date: Thu, 2 Nov 2000 20:02:48 -0500 (EST)
From: Christopher L. Morrow <cmorrow () uu net>
To: Ariel Biener <ariel () fireball tau ac il>, rkuhljr () uol com br
Cc: nanog () merit edu, amos rosenboim <slick () xchange wan inter net il>
Subject: Re: DoS attacks, NSPs unresponsiveness

Ariel and Rubens,

I'd like to address your concerns about UUNET NOT getting involved when your networks (both downstreams of UUNET customers) are under attack. In both of your cases I have personally, on more than one occasion, contacted your upstream providers to inform them of proper contact procedures for Live Attacks.

To clarify those procedures for the 10th time in a public forum, if you are under attack and your upstream is either UUNET, or it's a customer of UUNET have the DIRECT CUSTOMER of UUNET Call the UUNET Security/Fraud/Abuse Department and ask for a Router Engineer. The phone number is: 1-800-900-0241 options 2,3,1 or for those that live outside the USA: 1-703-206-5440 options 2,3,1.

If no one calls there can be no action taken... in the case of Rubens, your upstream (Embratel, correct?) has been emailing attack notifications and null routing your addresses. They have been told by me personally (I spoke to an individual named 'Jorge' I believe) several times to call us so we can stop and track the attack.

I have 4 engineers dedicated to dealing with DoS attacks on UUNET customers. We track several attacks per day and are available 24/7. I will not be held accountable for people's issues when they do NOT follow the appropriate contact procedures.

If you would like to talk with me personally about this I invite you to call or email me directly as I'd be more than happy to clarify anything I've written in this message, my contact information is included for your convenience.

For the others on this list, if you are a UUNET customer you can call our Security Department if you ever have any issues with security, DoS, fraud, spam, or the like. If you are under DoS attack either one of my engineers will stop and track the attack, or I will do it... it's what we get paid to do. If you are NOT a UUNET customer you know that other ISP's (Tier 1's at least) do NOT filter attack traffic, and they do NOT track attacks. The ONLY exceptions to this are: Genuity, Global Crossing and at one time Verio.

--Chris

#######################################################
## UUNET Technologies, Inc.                          ##
## Manager                                           ##
## Customer Router Security Engineering Team         ##
## (W)703-289-8479 (C)703-283-3734                   ##
#######################################################

On Thu, 2 Nov 2000, Ariel Biener wrote:

Hi,

This e-mail comes to describe a common problem among a large number of ISPs, mostly foreign, when dealing with US network service providers. I don't want to talk about anyone I don't know of, so I will limit this initial e-mail to talking about UUnet.

As most of you know, some ISPs run irc servers, and provide an IRC service to the community. The service is free, and maintenance and cost of networking/hardware/human hours is on the ISPs expense.

Irc tends to be a volatile medium, like interpersonal relationships in real life. Thus, many times arguments turn into heated disputes, and sometimes, some people pick up arms, and attack. The attacks usually take out whole ISPs for hours, or days.

The problem is that when trying to get help from the upstream provider (UUnet in this example), you either receive a negative answer, or you're just ignored completely. Thus, by terrorism, people get what they want, and hold you at a threat of force, without any ability to defend yourself.

Smurfing, icmp attacks, udp attacks, tcp synflooding (spoofed sources) are just a number of these weapons. The problem with a lot of networking entities, be it ISPs, enterprises, and such, is that they allow spoofed packets to leave their network (i.e. do not check if the packets originate from within their netblocks before letting them leave their routers).

The question is, how can we defend ourselves, and why do the large NSPs turn a blind eye, and act as if it's not their concern?

Is there a chance that by helping one another, and by implementing Internet RFCs correctly (rfc 1918 for example), we can contribute to the elimination of this kind of electronic terrorism?

Any chance a UUnet person might answer?

best regards,

--Ariel

--
Ariel Biener
e-mail: ariel () post tau ac il
Work phone: 03-6406086
fingerprint = 07 D1 E5 3E EF 6D E5 82 0B E9 21 D4 3C 7D 8B BC
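The egress check that the oldest message in this thread says many networks skip (verifying that a packet's source address lies inside the network's own netblocks before it leaves the border router), as an added example that is not part of the original thread. The netblocks, customer interface labels and flow records are constructed, and the function names are hypothetical.

```python
import ipaddress
from collections import Counter

# Constructed values: documentation prefixes stand in for an ISP's own netblocks.
OWN_NETBLOCKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]
# Private address space defined by RFC 1918; never valid as a source on the Internet.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of outbound packets seen at the border:
# (customer-facing interface, source IP, destination IP)
SAMPLE_FLOWS = [
    ("cust-a", "192.0.2.10", "203.0.113.5"),
    ("cust-a", "192.0.2.11", "203.0.113.5"),
    ("cust-b", "10.1.2.3", "203.0.113.5"),
    ("cust-b", "203.0.113.77", "203.0.113.5"),
    ("cust-b", "203.0.113.78", "203.0.113.5"),
    ("cust-c", "198.51.100.200", "203.0.113.9"),
]

def classify_source(src):
    """Return the egress verdict for one source address."""
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in RFC1918):
        return "drop-rfc1918"      # private source leaking out
    if not any(addr in net for net in OWN_NETBLOCKS):
        return "drop-spoofed"      # source is not one of our addresses
    return "permit"

def egress_report(flows):
    """Classify each flow and count dropped packets per customer interface,
    which points at the port where forged traffic enters the network."""
    verdicts = [(iface, src, classify_source(src)) for iface, src, _dst in flows]
    offenders = Counter(iface for iface, _src, v in verdicts if v != "permit")
    return verdicts, offenders

if __name__ == "__main__":
    verdicts, offenders = egress_report(SAMPLE_FLOWS)
    for iface, src, verdict in verdicts:
        print(f"{iface:8} {src:16} {verdict}")
    print("interfaces emitting invalid sources:", dict(offenders))
```

The per-interface count is what makes the check useful during an attack: it identifies which customer port to filter or trace, rather than only dropping the packets.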