North American Network Operators Group
Re: Inter-ISP/Telco/X.25 security procedures?
On Mon, 16 Sep 2002 10:48:38 PDT, Mark Kent said:

> However, I think it was too subtle... I didn't get it, and I think
> [email protected] and [email protected] also didn't get it. I don't
> think they would have posted messages saying the same thing as your
> hidden meaning.

Hmm.. and here I *thought* I got it... or did I?

On Mon, 16 Sep 2002 11:38:29 PDT, Mark Kent said:

> OK, so there is my point. Back in those days the network security
> folks would often find themselves in the same lunch line as the "ISP"
> security folks. And they were available by phone with just a four
> digit extension.

In the 1980's, finding the four digit extension, the exchange it was in, and the area code to use could be *quite* interesting if you were *NOT* one of the anointed people in the lunch line. Cliff Stoll didn't have any easy time finding people in 1987.

Further, consider the two attached messages, which Dave Mills apparently posted because he couldn't find phone numbers or email addresses for the culprits(*).

Then consider the weekly "can a security guy with a clue from XYZnet please call me?" postings, and ask if we *have* learned anything....

/Valdis

(*) OK - I admit it. One of the offending boxes was one of mine - it was a Gould PN/9808, and at 12MIPS it noticed a few packets/sec a lot less than a Fuzzball did. That, and at the time I was busy moving to a new job and not paying as close attention. It got fixed as soon as I saw the postings...
--- Begin Message ---

SKYKING SKYKING THIS IS DROPKICK DROPKICK DO NOT ANSWER BREAK BREAK
TIMESERVERS DCN1 AND DCN5 UNDER ATTACK NTP MODE 3 MISSILEGRAMS HIGH FREQUENCY ABOUT ONE PER SECOND BREAK
MISSILES BELIEVED LAUNCHED FROM GRID COORDINATES 129.63.224.1 AND 128.153.8.17 BREAK
ATTACKS INTERMITTENT COULD BE DUE TO TESTING OR PROTOCOL MACHINE BUG BREAK
REQUEST YOU CHECK OPERATIONS MODE 3/4 IN LATEST NTPD FOR POSSIBLE OSCILLATION BREAK
REPORT RESULTS BREAK BREAK
MESSAGE ENDS AUTHENTICATION LATERN CHIEF BREAK
SILVER DOLLAR SENDS OUT

--- End Message ---

--- Begin Message ---

Folks,

In the last 240 hours dcn5 has processed 462K NTP messages, or a flux of 0.53 messages per second, which would seem it has 120 peers all poking at the minimum polling interval and thus presumably synchronized to it. It happens to have about 30 symmetric-mode peers plus a handful of client peers. The discrepancy in rate is probably due to the problem pointed out by previous Emergency Action Messages (EAM). That's bad, but livable.

In the last 32 hours the problem has grown much worse and very serious at dcn1. In this interval dcn1 processed 261K messages, or a flux of 2.26 messages per second. However, the critter is DES-limited at something between 3 and 6 messages per second! The load has become so bad that I can no longer monitor it with NETSPY, the Fuzzball monitoring protocol of choice. It, too, has only about 30 symmetric-mode peers plus a handful of client peers, so whatever is gouging dcn5 is slashing great holes in dcn1 flesh. Clearly the machine-gun bursts from the hosts listed in previous EAMs are threatening disaster, especially since dcn1 is the gateway to ARPANET here.

Now, were I to resist the urge to authenticate at least the non-Fuzzball peers, the throughput limit would probably rise to something reasonable, like 20-40 messages per second. However, I am much concerned that not only dcn1 is taking hits but all the other Fuzzballs out in the swamps.

Therefore, I am asking the timecallers on nets 128.143 and 128.153 in particular to investigate and upgrade to the latest version post-haste. Not the least of my concerns is that the present traffic levels have become most visible relative to the rest of the campus traffic combined. Properly operating NTP peers should be pinging at 1020-second intervals, not one-second intervals. Those one-second honkers are thus 30 decibels above the noise level.

You should know the following:

Circuit QUEBEC: frequency 6761 upper-sideband, common SAC broadcast
ELECTRIC: US airborne command post, formerly SILVERDOLLAR
SKYKING: collective identifier for any SAC aircraft aloft
CROWN: White House Communications Agency
ACROBAT: Andrews AFB (near WashDC)
CAPSULE: collective identifier for any Military Airlift Command (MAC) aircraft aloft
COVEREDWAGON: confirmed hostile act
DROPKICK: SAC Headquarters, Offutt AFB NE
DULLSWORD: nuclear incident
GOLDCOIN: MacDill AFB, FL, Strike Command Control (also overheard directing drug-intercept missions)
SENTRY: AWACS aircraft (E3A) from Tinker AFB, OK
CRITIC: highest communications priority
EAM: Emergency Action Message

Toss that in your trivia bucket. My next lesson will be in Navy communications COMSLANT and send torpedoes.

Dave

--- End Message ---

Attachment: pgp00012.pgp
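The arithmetic in Dave Mills' second message (total messages over a window as a flux in messages per second, and one poll per second versus one per 1020 seconds as "30 decibels above the noise level") is the same check a time-server operator would run today to spot clients polling far too aggressively. The following is an added example for this thread, not code from the thread, from the Fuzzball software, or from ntpd; the 1020-second expected poll interval comes from the message, while the per-source packet counts, the one-hour window and the addresses (RFC 5737 test ranges) are constructed sample data.

```python
"""Added example for this thread: the NTP flood arithmetic from Dave Mills'
message, plus a per-source check an operator could run over packet counts
to find clients polling far faster than a properly operating peer should.
Not code from the thread or from the Fuzzball/ntpd software; the
per-source counts below are constructed sample data."""
from __future__ import annotations

import math
from dataclasses import dataclass

# Poll interval a properly operating peer should use, per the message (1020 s).
EXPECTED_POLL_INTERVAL_S = 1020.0


def flux(messages: int, hours: float) -> float:
    """Messages per second over a window expressed in hours
    (462K messages in 240 hours -> ~0.53/s; 261K in 32 hours -> ~2.26/s)."""
    return messages / (hours * 3600.0)


def decibels(observed_rate: float, reference_rate: float) -> float:
    """10*log10 of a rate ratio; one poll per second against one per 1020 s
    is the message's '30 decibels above the noise level'."""
    return 10.0 * math.log10(observed_rate / reference_rate)


@dataclass(frozen=True)
class Finding:
    source: str
    packets: int
    mean_interval_s: float      # average seconds between packets from this source
    db_above_expected: float    # how far above the expected poll rate, in dB


def flag_fast_pollers(counts: dict[str, int], window_s: float,
                      expected_interval_s: float = EXPECTED_POLL_INTERVAL_S,
                      threshold_db: float = 10.0) -> list[Finding]:
    """Return the sources whose average poll rate over the window exceeds the
    expected rate by at least threshold_db, worst offender first.

    counts maps source address -> NTP packets seen from it during window_s.
    A 10 dB threshold flags anything polling 10x faster than expected, which
    catches the one-second 'honkers' without flagging a peer that merely
    sits at a somewhat shorter interval."""
    reference_rate = 1.0 / expected_interval_s
    findings: list[Finding] = []
    for source, packets in counts.items():
        if packets <= 0:
            continue                       # nothing seen: nothing to rate
        rate = packets / window_s
        db = decibels(rate, reference_rate)
        if db >= threshold_db:
            findings.append(Finding(source, packets, window_s / packets, round(db, 1)))
    findings.sort(key=lambda f: f.db_above_expected, reverse=True)
    return findings


# Constructed sample: packets per source over one hour (RFC 5737 test
# addresses, not the hosts named in the message).
SAMPLE_WINDOW_S = 3600.0
SAMPLE_COUNTS = {
    "192.0.2.10": 3600,    # one packet per second: the burst the message describes
    "192.0.2.20": 56,      # roughly every 64 s: fast, but a plausible minimum-poll client
    "198.51.100.5": 4,     # roughly every 15 minutes: close to the expected interval
    "198.51.100.6": 3,     # slower than expected: nothing to see
}

if __name__ == "__main__":
    print(f"dcn5: {flux(462_000, 240):.2f} msg/s over 240 h")
    print(f"dcn1: {flux(261_000, 32):.2f} msg/s over 32 h")
    print(f"1/s vs 1/1020 s: {decibels(1.0, 1.0 / EXPECTED_POLL_INTERVAL_S):.1f} dB")
    for f in flag_fast_pollers(SAMPLE_COUNTS, SAMPLE_WINDOW_S):
        print(f"{f.source}: {f.packets} packets, every {f.mean_interval_s:.1f} s, "
              f"{f.db_above_expected} dB above expected")
```

With the constructed counts, the one-per-second source lands at about 30 dB and the 64-second client at about 12 dB; both cross the 10 dB threshold, while the two sources near or below the expected interval do not. The dB framing is what makes a single threshold usable across several orders of magnitude of rate, which is why the message reaches for it.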