RE: DoS attacks, NSPs unresponsiveness (fwd)

North American Network Operators Group
RE: DoS attacks, NSPs unresponsiveness (fwd)

From: Christopher L. Morrow
Date: Tue Nov 07 23:54:11 2000
Jim,
I'm sure glad C&W is 24/7 could you publish a phone number that atleast
other providers could use to get intouch with the proper security element
in your org? I spent 4 hours today trying to get to an engineer who could
help me track an attack through corerouter1.blookington.cw.net and got
bounced through  your NOC, your leased line crew, your contact at MCI
(yeah, that was fun), your managed firewall services crew, two other
engineers I had to explain what a Syn Attack was and finally got hung up
on by someone who has yet to call me back... 

Perhaps you can call me to get this track finished? (Since it's still
going strong at over 5kpps?)

--Chris

#######################################################
## UUNET Technologies, Inc.                          ##
## Manager					     ##
## Customer Router Security Engineering Team         ##
## (W)703-289-8479 (C)703-283-3734 		     ##
#######################################################

On Tue, 7 Nov 2000, Jim Farrar wrote:

> 
> Christopher,
> 
> I'm sure other providers will find your comments equally interesting.
> 
> http://www.security.cw.net/
> 
> 7x24 Naturally.
> 
> 
> /jim
> 
> 
> -----Original Message-----
> From: [email protected] [mailto:[email protected]]On Behalf Of
> Christopher L. Morrow
> Sent: Tuesday, November 07, 2000 9:09 PM
> To: [email protected]
> Subject: Re: DoS attacks, NSPs unresponsiveness (fwd)
> 
> 
> 
> Having seen Ariel's message today, and NOT seeing my original response
> to
> his post (sent to him directly, did you NOT get this email Ariel?).
> I've
> reposted this message.. my original response to Ariel and Rubens.
> 
> As to the others today, Steve Sobol, you too are not a UUNET direct
> customer, BUT if you are under attack and your Upstream tracks this
> traffic to UUNET have them follow the procedures outlined below and I
> will
> track the attack.
> 
> UUNET DOES pay 4 people (six actually) to do nothing but stop and
> track
> DoS attacks on its backbone... and we are quite good at it.
> 
> --Chris
> 
> #######################################################
> ## UUNET Technologies, Inc.                          ##
> ## Manager					     ##
> ## Customer Router Security Engineering Team         ##
> ## (W)703-289-8479 (C)703-283-3734 		     ##
> #######################################################
> 
> ---------- Forwarded message ----------
> Date: Thu, 2 Nov 2000 20:02:48 -0500 (EST)
> From: Christopher L. Morrow <[email protected]>
> To: Ariel Biener <[email protected]>, [email protected]
> Cc: [email protected], amos rosenboim <[email protected]>
> Subject: Re: DoS attacks, NSPs unresponsiveness
> 
> Ariel and Rubens,
> I'd like to address your concerns about UUNET NOT getting involved
> when
> you networks (both downstreams of UUNET customers) are under attack.
> 
> In both of your cases I have personally, on more than one occasion,
> contacted your upstream providers to inform them of proper contact
> procedures for Live Attacks. To clarify those procedures for the 10th
> time
> in a public forum, if you are under attack and your upstream is either
> UUNET, or it's a customer of UUNET have the DIRECT CUSTOMER of UUNET
> Call
> the UUNET Security/Fraud/Abuse Department and ask for a Rotuer
> Engineer. The phone number is: 1-800-900-0241 options 2,3,1 or for
> those
> that live outside the USA: 1-703-206-5440 options 2,3,1.
> 
> If you no one calls there can be no action taken... in the case of
> Rubens,
> your upstream (Embratel, correct?) has been emailing attack
> notifications
> and null routing your addresses. They have been told by me personally
> (I
> spoke to an individual named 'Jorge' I believe) several times to call
> us
> so we can stop and track the attack. I have 4 engineers dedicated to
> dealing with DoS attacks on UUNET customers. We track several attacks
> per
> day and are available 24/7.
> 
> I will not be held accountable for people's issues when they do NOT
> follow
> the appropriate contact procedures. If you would like to talk with me
> personally about this I invite you to call or email me directly as I'd
> be
> more than happy to clarify anything I've written in this message, my
> contact information is included for your convenience.
> 
> For the others on this list, if you are a UUNET customer you can call
> our
> Security Department if you ever have any issues with security, DoS,
> fraud,
> spam, or the like. If you are under DoS attack either one of my
> engineers
> will stop and track the attack, or I will do it... it's what we get
> paid
> to do. If you are NOT a UUNET customer you know that other ISP's (Tier
> 1's
> atleast) do NOT filter attack traffic, and they do NOT track attacks.
> The
> ONLY exceptions to this are: Genuity, Global Crossing and at one time
> Verio.
> 
> --Chris
> 
> #######################################################
> ## UUNET Technologies, Inc.                          ##
> ## Manager					     ##
> ## Customer Router Security Engineering Team         ##
> ## (W)703-289-8479 (C)703-283-3734 		     ##
> #######################################################
> 
> On Thu, 2 Nov 2000, Ariel Biener wrote:
> 
> >
> >
> >
> >
> >   Hi,
> >
> >
> >
> >    This e-mail comes to describe a common problem among a large
> number of
> > ISPs, mostly foreign, when dealing with US network service
> providers. I
> > don't want to talk about anyone I don't know of, so I will limit
> this
> > initial e-mail to talking about UUnet.
> >
> >    As most of you know, some ISPs run irc servers, and provide an
> IRC
> > service to the community. The service is free, and maintenance and
> cost of
> > networking/hardware/human hours is on the ISPs expense.
> >
> >    Irc tends to be a volatile medium, like interpersonal
> relationships in
> > real life. Thus, many times arguements turn into heated disputes,
> and
> > sometimes, some people pick up arms, and attack. The attacks usually
> take
> > out whole ISPs for hours, or days.
> >
> >    The problem is that when trying to get help from the upstream
> provider
> > (UUnet in this example), you either receive a negative answer, or
> you're
> > just ignored completely. Thus, by terrorism, people get what they
> want,
> > and hold you at a threat of force, without any ability to defend
> yourself.
> >
> >    Smurfing, icmp attacks, udp attacks, tcp synflooding (spoofed
> > sources) are just a number of these weapons. The problem with alot
> of
> > networking entities, be it ISPs, enterprises, and such, is that they
> allow
> > spoofed packets to leave their network (i.e. do not check if the
> packets
> > originate from within their netblocks before letting them leave
> their
> > routers).
> >
> >    The question is, how can we defend ourselves, and why do the
> large NSPs
> > turn a blind eye, and act as if it's not their concern ?
> >
> >    Is there a chance that by helping one another, and by
> implementing
> > Internet RFCs corrctly (rfc 1918 for example), we can contribute to
> the
> > elimination of this kind of electronic terrorism ?
> >
> >    Any chance a UUnet person might answer ?
> >
> >
> > best regards,
> >
> > --Ariel
> >
> > --
> > Ariel Biener
> > e-mail: [email protected]           Work phone: 03-6406086
> > fingerprint = 07 D1 E5 3E EF 6D E5 82 0B E9 21 D4 3C 7D 8B BC
> >
> >
> 
> 
> 
> 
> 
>
Follow-Ups:
- RE: DoS attacks, NSPs unresponsiveness (fwd) Jeff Barrows
Prev by Date: Re: DoS issue, conclusion
Next by Date: Re: legacy root servers missing domains again ?
Date Index
Thread Index
Author Index
Historical