Re: Packet Kiddies Invade NANOG
People should be worried about stuff like this. Banetele is a facilities-based network operator in Norway and these guys are directly attacking their BGP sessions to put them off the air.

Assuming that they are not sourcing the attacks in Banetele's AS, then you, the peer of Banetele are delivering the packet stream that kills the BGP session. How long before peering agreements require ACLs in border routers so that only BGP peering routers can source traffic destined to your BGP speaking routers?

(08:48:02) <#sigdie!OseK_> i just collapsed banetele's BGP announcement
(08:48:43) <#sigdie!p> i dunno banetele looks dead
(08:48:48) <#sigdie!p> or maybe im just lagging
(08:49:00) <#sigdie!OseK_> ... BitchX: Sent server ping to [irc.banetele.no]
(08:49:00) <#sigdie!OseK_> ... Server pong from irc.banetele.no 0.8224 seconds
(08:49:12) <#sigdie!p> bash-2.05a$ telnetirc.banetele.no 6667
(08:49:13) <#sigdie!p> Trying 213.239.111.2...
(08:49:16) <#sigdie!OseK_> thats cuz I collapsed their BGP announcement by nailing their router head on
(08:49:26) <#sigdie!OseK_> but they have a secondary route to efnet
(08:49:30) <#sigdie!_mre|42o> BGP announcement?
(08:49:31) <#sigdie!OseK_> thru their multihomed connection
(08:49:32) <#sigdie!OseK_> yeah
(08:49:37) <#sigdie!OseK_> they have a collapsable route
(08:49:44) <#sigdie!OseK_> using the border gateway protocl
(08:49:54) <#sigdie!OseK_> hey have to announce to a pool
(08:49:58) <#sigdie!OseK_> in order to establish their route
(08:50:07) <#sigdie!OseK_> but if thye get hit enough their router drops the announcements
(08:50:10) <#sigdie!OseK_> and they lose their routes
(08:50:14) <#sigdie!OseK_> its wierd
(08:50:21) <#sigdie!OseK_> i dont quite understand how it works myself
On Tue, 16 Mar 2004, Michael.Dillon@radianz.com wrote:
> People should be worried about stuff like this. Banetele is a facilities-based network operator in Norway and these guys are directly attacking their BGP sessions to put them off the air.

Can anyone from Banetele/who knows Banetele confirm this attack took place?

Steve
Hmm, if someone (except masochists and security vendors) still hosts efnet... I can only send them my condolences.

I saw the same dialogs 6 years ago. Nothing changes.

----- Original Message -----
From: "Stephen J. Wilcox" <steve@telecomplete.co.uk>
To: <Michael.Dillon@radianz.com>
Cc: <nanog@merit.edu>
Sent: Tuesday, March 16, 2004 3:54 AM
Subject: Re: Packet Kiddies Invade NANOG
> On Tue, 16 Mar 2004, Michael.Dillon@radianz.com wrote:
>
> > People should be worried about stuff like this. Banetele is a facilities-based network operator in Norway and these guys are directly attacking their BGP sessions to put them off the air.
>
> Can anyone from Banetele/who knows Banetele confirm this attack took place?
>
> Steve
On Tue, 16 Mar 2004, Alexei Roudnev wrote:
> Hmm, if someone (except masochists and security vendors) still hosts efnet... I can only send them my condolences.
>
> I saw the same dialogs 6 years ago. Nothing changes.

What about undernet? A customer wants us to help him setup an undernet IRC server. My gut feeling is, hosting IRC servers (especially on the well known networks) is like wearing a "kick me/flood me" sign on your network, and it's probably not going to be worth the pain & pages.

----------------------------------------------------------------------
 Jon Lewis *jlewis@lewis.org*|  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
On Tue, 16 Mar 2004 jlewis@lewis.org wrote:
> On Tue, 16 Mar 2004, Alexei Roudnev wrote:
>
> > Hmm, if someone (except masochists and security vendors) still hosts efnet... I can only send them my condolences.
> >
> > I saw the same dialogs 6 years ago. Nothing changes.
>
> What about undernet? A customer wants us to help him setup an undernet IRC server. My gut feeling is, hosting IRC servers (especially on the well known networks) is like wearing a "kick me/flood me" sign on your network, and it's probably not going to be worth the pain & pages.

It probably depends how much money is involved and if they are willing to pay for all the network tech's time such server brings in. My own dealings with people wanting to run IRC servers and services is that they may have some fixed amount of money for the server but whatever they are expecting to generate from such irc-related services does not happen and they ran out of money and most end up having to be canceled for non-pay (usually after first 4 or 6 months) and you end up having to decide if your company wants to sponsor this server for the long term...

Some other things that you end up having to consider if the server is run by the customer what are their policies and how white/black/grey are their admins and people they allow to be operators. Operators way too often end up being targets of attacks on the servers ...

As far as Undernet is probably not as bad as Efnet as attack target, but you'll still see some attacks for sure.

--
William Leibzon
Elan Networks
william@elan.net
On Tue, 16 Mar 2004 jlewis@lewis.org wrote:
> > Hmm, if someone (except masochists and security vendors) still hosts efnet... I can only send them my condolences.
> >
> > I saw the same dialogs 6 years ago. Nothing changes.
>
> What about undernet?

That's even worse :)

> A customer wants us to help him setup an undernet IRC server. My gut feeling is, hosting IRC servers (especially on the well known networks) is like wearing a "kick me/flood me" sign on your network, and it's probably not going to be worth the pain & pages.

Sounds about right. Unless you feel like charging someone several thousands of dollars per month to host an EFNet server, don't do it unless you have a personal interest.
--- Michael.Dillon@radianz.com wrote:
> Assuming that they are not sourcing the attacks in Banetele's AS, then you, the peer of Banetele are delivering the packet stream that kills the BGP session. How long before peering agreements require ACLs in border routers so that only BGP peering routers can source traffic destined to your BGP speaking routers?

Even better is to separate the control plane from the forwarding plane, and ensure that the control plane of a given router cannot be spoken to by anyone who is not either internal or a direct BGP peer. Why permit garbage to touch your network?

-David Barak
-Fully RFC 1925 Compliant-
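The filtering idea raised in this thread (a router's own addresses reachable only from internal sources and from the direct BGP peer on each link) modelled as an added example; it is not code from any poster. The addresses are constructed documentation ranges, and the `permits` and `render_acl` names and the IOS-style output are assumptions made for illustration.

```python
import ipaddress

# Constructed sample topology (documentation/private ranges), not from the thread.
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]   # NOC and iBGP sources
LOOPBACK = ipaddress.ip_address("192.0.2.1")      # the router's own loopback
EBGP = {                                          # local interface -> direct peer
    ipaddress.ip_address("198.51.100.1"): ipaddress.ip_address("198.51.100.2"),
    ipaddress.ip_address("203.0.113.5"): ipaddress.ip_address("203.0.113.6"),
}
BGP = 179
OWN = [LOOPBACK, *EBGP]                           # every address the router answers on


def permits(src, dst, proto="tcp", sport=0, dport=0):
    """Decide whether a packet may reach the router's control plane."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst not in OWN:
        return True          # transit traffic: forwarding plane only, not filtered here
    # Assumes the edge already drops outside packets claiming INTERNAL sources.
    if any(src in net for net in INTERNAL):
        return True
    # External sources: only the configured peer, only BGP, only on its own link.
    return EBGP.get(dst) == src and proto == "tcp" and BGP in (sport, dport)


def render_acl():
    """Emit the same policy as IOS-style extended ACL entries (illustrative)."""
    lines = []
    for local, peer in EBGP.items():
        lines.append(f"permit tcp host {peer} host {local} eq bgp")
        lines.append(f"permit tcp host {peer} eq bgp host {local}")
    for net in INTERNAL:
        for own in OWN:
            lines.append(f"permit ip {net.network_address} {net.hostmask} host {own}")
    for own in OWN:
        lines.append(f"deny ip any host {own}")   # everything else aimed at the router
    lines.append("permit ip any any")             # transit is left alone
    return lines


if __name__ == "__main__":
    print("\n".join(render_acl()))
```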
participants (7)
- Alexei Roudnev
- David Barak
- jlewis@lewis.org
- Michael.Dillon@radianz.com
- Stephen J. Wilcox
- Tom (UnitedLayer)
- william(at)elan.net