RE: RBL-type BGP service for known rogue networks?
At Friday 04:28 AM 7/7/00, Joe Shaw wrote:
UUNet's abuse department used to be the same way, especially during the weekend. If you wanted to annoy the piss out of a UUNet dedicated line customer, the weekend was the time to do it. I don't know if that's changed now.
Winds are shifting. One of the original spam floods that triggered the creation of SpamShield, was from an Alternet dialup, and it took them a mere 10 minutes to shut that account off. That must have been a different department at the time:
Try being on the receiving end of a spoofed/randomized SYN/anything flood that doesn't exceed, say: 1Mbps and doesn't load UUnet's network so much. They won't even lift a damn finger and TRY to trace this back, supposedly because they can't trace it back through their ATM PVCs (an argument that has been backed up by other people I spoke to). They will happily charge you for the traffic though. A network design that doesn't allow tracing back spoofed traffic? Way to go, UUnet.
And yes, I remember CenterTrack: http://www.nanog.org/mtg-9910/robert.html , it just wasn't in production at the time - and I have no idea if it was ever deployed successfully.
Now, let's watch Vijay rush to the defense of his, uhm, stock options.
That is funny, C&W has never had problems tracing attacks through their ATM PVCs. Sounds to me like UUnet just doesn't want to.
----- Original Message -----
From: "Kai Schlichting" <kai@pac-rim.net>
To: <nanog@merit.edu>
Sent: Friday, July 07, 2000 11:22 AM
Subject: RE: RBL-type BGP service for known rogue networks?
At Friday 04:28 AM 7/7/00, Joe Shaw wrote:
UUNet's abuse department used to be the same way, especially during the weekend. If you wanted to annoy the piss out of a UUNet dedicated line customer, the weekend was the time to do it. I don't know if that's changed now.
Winds are shifting. One of the original spam floods that triggered the creation of SpamShield, was from an Alternet dialup, and it took them a mere 10 minutes to shut that account off. That must have been a different department at the time:
Try being on the receiving end of a spoofed/randomized SYN/anything flood that doesn't exceed, say: 1Mbps and doesn't load UUnet's network so much. They won't even lift a damn finger and TRY to trace this back, supposedly because they can't trace it back through their ATM PVCs (an argument that has been backed up by other people I spoke to). They will happily charge you for the traffic though. A network design that doesn't allow tracing back spoofed traffic? Way to go, UUnet.
And yes, I remember CenterTrack: http://www.nanog.org/mtg-9910/robert.html , it just wasn't in production at the time - and I have no idea if it was ever deployed successfully.
Now, let's watch Vijay rush to the defense of his, uhm, stock options.
On Fri, 7 Jul 2000, Kai Schlichting wrote:
A network design that doesn't allow tracing back spoofed traffic? Way to go, UUnet.
It is fairly clear to anyone with a smidgen of technical competence that this is not a network design issue per se, it is an equipment issue (and a router one at that). It is trivially easy to throw stones at other people's design while sitting behind the helm of your very own multi-terabit ISP of comparable size, I'm sure.
Now, let's watch Vijay rush to the defense of his, uhm, stock options.
What options would these be? /vijay
On Fri, Jul 07, 2000 at 05:00:34PM -0400, Vijay Gill wrote:
On Fri, 7 Jul 2000, Kai Schlichting wrote:
A network design that doesn't allow tracing back spoofed traffic? Way to go, UUnet.
It is fairly clear to anyone with a smidgen of technical competence that this is not a network design issue per se, it is an equipment issue (and a router one at that).
Since I was recently tracking back a 4Mb/s attack coming from UUNet and had a chance to deal with their security department, I think I should comment.
a.) The UUNet security department was amazingly helpful and clueful
b.) They tracked the attack through their network and down to the customer it was coming from.
c.) They were constantly in contact with me during the tracing to let me know that they were working on it.
d.) Once they found it, they put up a filter and contacted me back to check that the attack was over.
e.) They then informed me that it was ok to give out UUNet's contact information to any stubborn people who were complaining about the traffic they saw due to their networks being spoofed in the attack. UUNet would be happy to talk to them and discuss what was going on.
I've always been impressed with UUNet's ability to handle their customers even with such a large network. They have -never- refused to track an attack for me, and have always been more than helpful.
It is trivially easy to throw stones at other people's design while sitting behind the helm of your very own multi-terabit ISP of comparable size, I'm sure.
I've dealt with much smaller ISPs with no clue or no want to trace attacks; size does not matter in this case.
Now, let's watch Vijay rush to the defense of his, uhm, stock options.
What options would these be?
Obviously a troll :)
--
Steven Noble / Network Janitor / Be free my soul and leave this world alone
My views = My views != The views of any of my past or present employers
Steve Noble wrote:
Since I was recently tracking back a 4Mb/s attack coming from UUNet and had a chance to deal with their security department, I think I should comment.
a.) The UUNet security department was amazingly helpful and clueful
Having actually visited the UUNet NOC when I was in DC in May, courtesy of an acquaintance of mine who works in UUNet Abuse[0], I will say the following:
1. There are a lot of people working there. 33, to be exact.
2. The half-dozen that I talked to that were there on that day (Saturday) impressed me as people who know what they're doing and actually *do* give a damn.
I've always been impressed with UUNet's ability to handle their customers even with such a large network. They have -never- refused to track an attack for me, and have always been more than helpful.
They still have some issues with spam handling, but that's gotten MUCH better, according to the data I see in my Inbox. And of course, DoS attacks must always be given a higher priority than junk e-mail.
--
North Shore Technologies, Cleveland, OH http://NorthShoreTechnologies.net
Steve Sobol, BOFH - President, Chief Website Architect and Janitor
Pictures of two of my 'children': http://www.WrinkleDogs.com
About Spamfighters: "We're not net nazis. We're dot communists." - W. Arnold
participants (5)
- Chris
- Kai Schlichting
- Steve Noble
- Steve Sobol
- Vijay Gill