North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical RE: DoS attacks, NSPs unresponsiveness (fwd)
On Wed, 8 Nov 2000, Jeff Barrows wrote: No. Please do not take it offline. The fact that major Tier-1s can't contact each other to handle DoS attacks is of interest to NANOG, IMHO. There is much to be learned here. -Hank > > > this is pathetic. > > take it offline. > > ...you might also try a bit of professionalism. > > - jsb > > > > On Tue, 7 Nov 2000, Christopher L. Morrow wrote: > > > > Jim, > > I'm sure glad C&W is 24/7 could you publish a phone number that atleast > >other providers could use to get intouch with the proper security element > > in your org? I spent 4 hours today trying to get to an engineer who could > > help me track an attack through corerouter1.blookington.cw.net and got > > bounced throughyour NOC, your leased line crew, your contact at MCI > > (yeah, that was fun), your managed firewall services crew, two other > > engineers I had to explain what a Syn Attack was and finally got hung up > > on by someone who has yet to call me back... > > > > Perhapsyou can call me to get this track finished? (Since it's still > > going strong at over 5kpps?) > > > > --Chris > > > > ####################################################### > > ## UUNET Technologies, Inc. ## > > ## Manager ## > > ## Customer Router Security Engineering Team ## > > ## (W)703-289-8479 (C)703-283-3734 ## > > ####################################################### > > > > On Tue, 7 Nov 2000, Jim Farrar wrote: > > > > > > > > Christopher, > > > > > > I'm sure other providers will find your comments equally interesting. > > > > > > http://www.security.cw.net/ > > > > > > 7x24 Naturally. > > > > > > > > > /jim > > > > > > > > > -----Original Message----- > > > From: [email protected] [mailto:[email protected]]On Behalf Of > > > Christopher L. Morrow > > > Sent: Tuesday, November 07, 2000 9:09 PM > > > To: [email protected] > > > Subject: Re: DoS attacks, NSPs unresponsiveness (fwd) > > > > > > > > > > > > Having seen Ariel's message today, and NOT seeing my original response > > > to > > > his post (sent to him directly, did you NOT get this email Ariel?). > > > I've > > > reposted this message.. my original response to Ariel and Rubens. > > > > > > As to the others today, Steve Sobol, you too are not a UUNET direct > > > customer, BUT if you are under attack and your Upstream tracks this > > > traffic to UUNET have them follow the procedures outlined below and I > > > will > > > track the attack. > > > > > > UUNET DOES pay 4 people (six actually) to do nothing but stop and > > > track > > > DoS attacks on its backbone... and we are quite good at it. > > > > > > --Chris > > > > > > ####################################################### > > > ## UUNET Technologies, Inc. ## > > > ## Manager ## > > > ## Customer Router Security Engineering Team ## > > > ## (W)703-289-8479 (C)703-283-3734 ## > > > ####################################################### > > > > > > ---------- Forwarded message ---------- > > > Date: Thu, 2 Nov 2000 20:02:48 -0500 (EST) > > > From: Christopher L. Morrow <[email protected]> > > > To: Ariel Biener <[email protected]>, [email protected] > > > Cc: [email protected], amos rosenboim <[email protected]> > > > Subject: Re: DoS attacks, NSPs unresponsiveness > > > > > > Ariel and Rubens, > > > I'd like to address your concerns about UUNET NOT getting involved > > > when > > > you networks (both downstreams of UUNET customers) are under attack. > > > > > > In both of your cases I have personally, on more than one occasion, > > > contacted your upstream providers to inform them of proper contact > > > procedures for Live Attacks. To clarify those procedures for the 10th > > > time > > > in a public forum, if you are under attack and your upstream is either > > >UUNET, or it's a customer of UUNET have the DIRECT CUSTOMER of UUNET > > > Call > > > the UUNET Security/Fraud/Abuse Department and ask for a Rotuer > > > Engineer. The phone number is: 1-800-900-0241 options 2,3,1 or for > > > those > > > that live outside the USA: 1-703-206-5440 options 2,3,1. > > > > > > If you no one calls there can be no action taken... in the case of > > > Rubens, > > > your upstream (Embratel, correct?) has been emailing attack > > > notifications > > > and null routing your addresses. Theyhave been told by me personally > > > (I > > > spoke to an individual named 'Jorge' I believe) several times to call > > > us > > > so we can stop and track the attack. I have 4 engineers dedicated to > > > dealing with DoS attacks on UUNET customers. We track several attacks > > > per > > > day and are available 24/7. > > > > > > I will not be held accountable for people's issues when they do NOT > > > follow > > > the appropriate contact procedures. If you would like to talk with me > > > personally about this I invite you to call or email me directly as I'd > > > be > > > more than happy to clarify anything I've written in this message, my > > > contact information is included for your convenience. > > > > > > For the others on this list, if you are a UUNET customeryou can call > > > our > > > Security Department if you ever have any issues with security, DoS, > > > fraud, > > > spam, or the like. If you are under DoS attack either one of my > > > engineers > > > will stop and track the attack, or I will do it... it's what we get > > > paid > > > to do. If you are NOT a UUNET customer you know that other ISP's (Tier > > > 1's > > > atleast) do NOT filter attack traffic, and they do NOT track attacks. > > > The > > > ONLY exceptions to this are: Genuity, Global Crossing and at one time > > > Verio. > > > > > > --Chris > > > > > > ####################################################### > > > ## UUNET Technologies, Inc. ## > > > ## Manager ## > > > ## Customer Router Security Engineering Team ## > > > ## (W)703-289-8479 (C)703-283-3734 ## > > > ####################################################### > > > > > > On Thu, 2 Nov 2000, Ariel Biener wrote: > > > > > > > > > > > > > > > > > > > > > > > Hi, > > > > > > > > > > > > > > > > This e-mail comes to describe a common problem among a large > > > number of > > > > ISPs, mostly foreign, when dealing with US network service > > > providers. I > > > > don't want to talk about anyone I don't know of, so I will limit > > > this > > > > initial e-mail to talking about UUnet. > > > > > > > > As most of you know, some ISPs run irc servers, and provide an > > > IRC > > > > service to the community. The service is free, and maintenance and > > > cost of > > > > networking/hardware/human hours is on the ISPs expense. > > > > > > > > Irc tends to be a volatile medium, like interpersonal > > > relationships in > > > > real life. Thus, many times arguements turn into heated disputes, > > > and > > > > sometimes, some people pick up arms, and attack. The attacks usually > > > take > > > > out whole ISPs for hours, or days. > > > > > > > > The problem is that when trying to get help from the upstream > > > provider > > > > (UUnet in this example), you either receive a negative answer, or > > > you're > > > > just ignored completely. Thus, by terrorism, people get what they > > > want, > > > > and hold you at a threat of force, without any ability to defend > > > yourself. > > > > > > > > Smurfing, icmp attacks, udp attacks, tcp synflooding (spoofed > > > > sources) are just a number of these weapons. The problem with alot > > > of > > > > networking entities, be it ISPs, enterprises, and such, is that they > > > allow > > > > spoofed packets to leave their network (i.e. do not check if the > > > packets > > > > originate from within their netblocks before letting them leave > > > their > > > > routers). > > > > > > > > The question is, how can we defend ourselves, and why do the > > > large NSPs > > > > turn a blind eye, and act as if it's not their concern ? > > > > > > > > Is there a chance that by helping one another, and by > > > implementing > > > > Internet RFCs corrctly (rfc 1918 for example), we can contribute to > > > the > > > > elimination of this kind of electronic terrorism ? > > > > > > > > Any chance a UUnet person might answer ? > > > > > > > > > > > > best regards, > > > > > > > > --Ariel > > > > > > > > -- > > > > Ariel Biener > > > > e-mail: [email protected] Work phone: 03-6406086 > > > > fingerprint = 07 D1 E5 3E EF 6D E5 82 0B E9 21 D4 3C 7D 8B BC > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Hank Nussbacher
|