Re: NSPs and filters

[Deepak Jain <deepak () jain com>]

The one or two times we have had interactions with UUNet's security 
guy/group have been very positive. Norm over there was especially helpful 
and in the case of an emergency their security types are on-call 
(directly, by pager if necessary). 

They are MUCH more likely to contact an offending provider and ask that 
the circuit be turned down rather than filter in their own network, which 
isn't always the quickest process in the world.

-Deepak.

On Sat, 12 Jul 1997, Jon Lewis wrote:

> On Sat, 12 Jul 1997, Phil Howard wrote:
>
> > It isn't, or shouldn't be, an issue of whether the customer wants this
> > kind of service.  This is protection FROM that customer.  The principle
> > reason to not do this is the load it causes on the router.
> >
> > Should it be discovered that source forged packets are coming from a given
> > customer, then you could apply this to that customer if they are not going
> > to just be summarily cut off.
>
> The trouble is, unless you are silly enough to attack your own provider,
> it seems unlikely that they will know you are spoofing.  i.e. In my
> current situation, I doubt UUNet's ability or willingness to track these
> packets to their source.  How are the source's provider supposed to find
> out?  The attack is now into its 3rd day and can be seen in our traffic
> graph at http://gnv.fdt.net/~fubar/cgi-bin/uunet.cgi
>
> The attacker seems to be taking short breaks every 30-90 minutes.
>
> I captured a few hundred packets last night for UUNet's security people to
> look at (so they will believe me) and of the 225 packets captured, all
> were from unique source addresses.
>
> Here's a breif snippit from just a minute ago:
>
> 12:19:13.494446 49.0.94.105.666 > 205.229.58.133.7: udp 1450 (ttl 244, id
> 31674)
> 12:19:13.504446 12.206.160.94.666 > 205.229.58.133.7: udp 1450 (ttl 244,
> id 31675)
> 12:19:13.524446 11.80.252.52.666 > 205.229.58.133.7: udp 1450 (ttl 244, id
> 31676)
> 12:19:13.544446 253.81.121.106.666 > 205.229.58.133.7: udp 1450 (ttl 244,
> id 31677)
> 12:19:13.564446 159.83.60.97.666 > 205.229.58.133.7: udp 1450 (ttl 244, id
> 31678)
> 12:19:13.594446 122.164.93.95.666 > 205.229.58.133.7: udp 1450 (ttl 244,
> id 31679)
> 12:19:13.604446 182.2.169.126.666 > 205.229.58.133.7: udp 1450 (ttl 244,
> id 31680)
> 12:19:13.624446 160.95.105.78.666 > 205.229.58.133.7: udp 1450 (ttl 244,
> id 31681)
> 12:19:13.644446 83.18.225.93.666 > 205.229.58.133.7: udp 1450 (ttl 244, id
> 31682)
>  
> ------------------------------------------------------------------
>  Jon Lewis <jlewis () fdt net>  |  Unsolicited commercial e-mail will
>  Network Administrator       |  be proof-read for $199/message.
>  Florida Digital Turnpike    |  
> ________Finger jlewis () inorganic5 fdt net for PGP public key_______