Jim, I'm sure glad C&W is 24/7 could you publish a phone number that atleast other providers could use to get intouch with the proper security element in your org? I spent 4 hours today trying to get to an engineer who could help me track an attack through corerouter1.blookington.cw.net and got bounced through your NOC, your leased line crew, your contact at MCI (yeah, that was fun), your managed firewall services crew, two other engineers I had to explain what a Syn Attack was and finally got hung up on by someone who has yet to call me back... Perhaps you can call me to get this track finished? (Since it's still going strong at over 5kpps?) --Chris ####################################################### ## UUNET Technologies, Inc. ## ## Manager ## ## Customer Router Security Engineering Team ## ## (W)703-289-8479 (C)703-283-3734 ## ####################################################### On Tue, 7 Nov 2000, Jim Farrar wrote:
Christopher,
I'm sure other providers will find your comments equally interesting.
7x24 Naturally.
/jim
-----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu]On Behalf Of Christopher L. Morrow Sent: Tuesday, November 07, 2000 9:09 PM To: nanog@merit.edu Subject: Re: DoS attacks, NSPs unresponsiveness (fwd)
Having seen Ariel's message today, and NOT seeing my original response to his post (sent to him directly, did you NOT get this email Ariel?). I've reposted this message.. my original response to Ariel and Rubens.
As to the others today, Steve Sobol, you too are not a UUNET direct customer, BUT if you are under attack and your Upstream tracks this traffic to UUNET have them follow the procedures outlined below and I will track the attack.
UUNET DOES pay 4 people (six actually) to do nothing but stop and track DoS attacks on its backbone... and we are quite good at it.
--Chris
####################################################### ## UUNET Technologies, Inc. ## ## Manager ## ## Customer Router Security Engineering Team ## ## (W)703-289-8479 (C)703-283-3734 ## #######################################################
---------- Forwarded message ---------- Date: Thu, 2 Nov 2000 20:02:48 -0500 (EST) From: Christopher L. Morrow <cmorrow@uu.net> To: Ariel Biener <ariel@fireball.tau.ac.il>, rkuhljr@uol.com.br Cc: nanog@merit.edu, amos rosenboim <slick@xchange.wan.inter.net.il> Subject: Re: DoS attacks, NSPs unresponsiveness
Ariel and Rubens, I'd like to address your concerns about UUNET NOT getting involved when you networks (both downstreams of UUNET customers) are under attack.
In both of your cases I have personally, on more than one occasion, contacted your upstream providers to inform them of proper contact procedures for Live Attacks. To clarify those procedures for the 10th time in a public forum, if you are under attack and your upstream is either UUNET, or it's a customer of UUNET have the DIRECT CUSTOMER of UUNET Call the UUNET Security/Fraud/Abuse Department and ask for a Rotuer Engineer. The phone number is: 1-800-900-0241 options 2,3,1 or for those that live outside the USA: 1-703-206-5440 options 2,3,1.
If you no one calls there can be no action taken... in the case of Rubens, your upstream (Embratel, correct?) has been emailing attack notifications and null routing your addresses. They have been told by me personally (I spoke to an individual named 'Jorge' I believe) several times to call us so we can stop and track the attack. I have 4 engineers dedicated to dealing with DoS attacks on UUNET customers. We track several attacks per day and are available 24/7.
I will not be held accountable for people's issues when they do NOT follow the appropriate contact procedures. If you would like to talk with me personally about this I invite you to call or email me directly as I'd be more than happy to clarify anything I've written in this message, my contact information is included for your convenience.
For the others on this list, if you are a UUNET customer you can call our Security Department if you ever have any issues with security, DoS, fraud, spam, or the like. If you are under DoS attack either one of my engineers will stop and track the attack, or I will do it... it's what we get paid to do. If you are NOT a UUNET customer you know that other ISP's (Tier 1's atleast) do NOT filter attack traffic, and they do NOT track attacks. The ONLY exceptions to this are: Genuity, Global Crossing and at one time Verio.
--Chris
####################################################### ## UUNET Technologies, Inc. ## ## Manager ## ## Customer Router Security Engineering Team ## ## (W)703-289-8479 (C)703-283-3734 ## #######################################################
On Thu, 2 Nov 2000, Ariel Biener wrote:
Hi,
This e-mail comes to describe a common problem among a large
ISPs, mostly foreign, when dealing with US network service
don't want to talk about anyone I don't know of, so I will limit
initial e-mail to talking about UUnet.
As most of you know, some ISPs run irc servers, and provide an IRC service to the community. The service is free, and maintenance and cost of networking/hardware/human hours is on the ISPs expense.
Irc tends to be a volatile medium, like interpersonal relationships in real life. Thus, many times arguements turn into heated disputes, and sometimes, some people pick up arms, and attack. The attacks usually take out whole ISPs for hours, or days.
The problem is that when trying to get help from the upstream
(UUnet in this example), you either receive a negative answer, or you're just ignored completely. Thus, by terrorism, people get what they want, and hold you at a threat of force, without any ability to defend yourself.
Smurfing, icmp attacks, udp attacks, tcp synflooding (spoofed sources) are just a number of these weapons. The problem with alot of networking entities, be it ISPs, enterprises, and such, is that they allow spoofed packets to leave their network (i.e. do not check if the
originate from within their netblocks before letting them leave
routers).
The question is, how can we defend ourselves, and why do the large NSPs turn a blind eye, and act as if it's not their concern ?
Is there a chance that by helping one another, and by implementing Internet RFCs corrctly (rfc 1918 for example), we can contribute to
number of providers. I this provider packets their the
elimination of this kind of electronic terrorism ?
Any chance a UUnet person might answer ?
best regards,
--Ariel
-- Ariel Biener e-mail: ariel@post.tau.ac.il Work phone: 03-6406086 fingerprint = 07 D1 E5 3E EF 6D E5 82 0B E9 21 D4 3C 7D 8B BC