Can anyone else get to ripe.net ? I cannot seem to access the whois or any other service (my ripe traffic goes through Sprint). When I ping peach.ripe.net, I get 90%+ missing packets + "destination host unreachable" from inside Sprint. Regards Marshall Eubanks
From: "Marshall Eubanks"
Can anyone else get to ripe.net ? I cannot seem to access the whois or any other service (my ripe traffic goes through Sprint). When I ping peach.ripe.net, I get 90%+ missing packets + "destination host unreachable" from inside Sprint.
The same goes for me via qwest/Level3.

----peach.ripe.net PING Statistics----
24 packets transmitted, 3 packets received, 87% packet loss
round-trip (ms) min/avg/max = 127/127/127

-Jack
Same here on packet loss.. I see issues @level3 in Amsterdam, and this is going out a transit link from Qwest.

# ping peach.ripe.net
PING peach.ripe.net (193.0.0.203): 56 octets data
64 octets from 193.0.0.203: icmp_seq=2 ttl=241 time=86.2 ms
64 octets from 193.0.0.203: icmp_seq=4 ttl=241 time=86.1 ms
64 octets from 193.0.0.203: icmp_seq=5 ttl=241 time=86.2 ms
64 octets from 193.0.0.203: icmp_seq=6 ttl=241 time=86.4 ms
--- peach.ripe.net ping statistics ---
9 packets transmitted, 4 packets received, 55% packet loss
round-trip min/avg/max = 86.1/86.2/86.4 ms

----- Original Message -----
From: "Marshall Eubanks" <tme@multicasttech.com>
To: <nanog@merit.edu>
Sent: Thursday, February 27, 2003 10:04 AM
Subject: RIPE Down or DOSed ?
Can anyone else get to ripe.net ? I cannot seem to access the whois or any other service (my ripe traffic goes through Sprint). When I ping peach.ripe.net, I get 90%+ missing packets + "destination host unreachable" from inside Sprint.
Regards Marshall Eubanks
same here. both for 193.0.0.203 and 193.0.0.193 the buck stops at the KPN Internet Operator at 195.190.227.37 - Bert
And on a related topic (whois.ripe.net almost unreachable, along with the rest of RIPE): rwhois.level3.net:4321 has been MIA or AWOL for about 4 days: Level3 was informed, but seems to have some good reasons of their own not to fix this....

$ telnet rwhois.level3.net 4321
Trying 209.244.1.179...
telnet: Unable to connect to remote host: Connection refused
On Thu, Feb 27, 2003 at 11:09:19AM -0500, kai@pac-rim.net wrote:
And on a related topic (whois.ripe.net almost unreachable, along with the rest of RIPE): rwhois.level3.net:4321 has been MIA or AWOL for about 4 days: Level3 was informed, but seems to have some good reasons of their own not to fix this....
$ telnet rwhois.level3.net 4321
Trying 209.244.1.179...
telnet: Unable to connect to remote host: Connection refused
There is no public access to rwhois.level3.net (it worked at one point, but, according to Level3, not intentionally). They say that they don't have to make this information available to anyone except ARIN. I was always under the impression that delegations had to be publicly visible, but looking at ARIN's policy more closely, it seems that the information only has to be available to ARIN. -- "Since when is skepticism un-American? Dissent's not treason but they talk like it's the same..." (Sleater-Kinney - "Combat Rock")
On 2/27/2003 at 1:44 PM, william+nanog@hq.dreamhost.com (Will Yardley) wrote:
There is no public access to rwhois.level3.net (it worked at one point, but, according to Level3, not intentionally). They say that they don't have to make this information available to anyone except ARIN. I was always under the impression that delegations had to be publicly visible, but looking at ARIN's policy more closely, it seems that the information only has to be available to ARIN.
Secrecy over a public resource = no oversight = facilitator of abuse. It has worked as long as I can remember, and them intentionally shutting it off is completely against the letter and spirit of ARIN's allocation policy: rwhois, or SWIP delegations, but not "none of the above". 7018 realized this for 12.0.0.0/8 at some point. Why do I get the distinct feeling that this "move" by Level3 is aimed not at creating greater customer privacy (it never served POC email addresses), or protecting themselves from getting their customer base poached by other providers, but at preventing people from identifying spamming Level3 customers (of which they seem to have 100's) by organization name and being able to correlate activity from different netblocks of theirs. So instead of select prefixes, most longer than /24, appearing in the various DNSBLs that do manual listing "by organization" (Spamhaus SBL, SPEWS, Wirehub), Level3 customers can now look forward to /24 to /17 knock-outs that should absolutely positively cover the hiding criminal scum they so willingly receive money from. And then some. If you are a Level3 customer using Level3 IP space, you might want to expeditiously insist that your IP space delegation appears at whois.arin.net properly, or else consider a new network provider or buying yourself your own /16 on the grey market^W^W^W^Wacquire a defunct company with a mostly unused /16. What did Randy once say? "I welcome my competitors running their networks this way".... (paraphrased)
On Thu, 27 Feb 2003, Kai Schlichting wrote:
Secrecy over a public resource = no oversight = facilitator of abuse.
Why do I get the distinct feeling that this "move" by Level3 is aimed not at creating greater customer privacy (it never served POC email addresses), or protecting themselves from getting their customer base poached by other providers, but at preventing people from identifying spamming Level3 customers (of which they seem to have 100's) by organization name and being able to correlate activity from different netblocks of theirs.
Though I agree, Level3 seems to host a good number of spammers, they're by no means the only guilty party. Pulled at random from recent spams I've submitted to NJABL are 69.6.4.104, 69.6.4.114, and 69.6.4.156. whois @arin.net yields the following:

...
NetRange: 69.6.0.0 - 69.6.63.255
CIDR: 69.6.0.0/18
NetName: WHOLE-2
NetHandle: NET-69-6-0-0-1
Parent: NET-69-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.WHOLESALEBANDWIDTH.COM
NameServer: NS2.WHOLESALEBANDWIDTH.COM
...

Where are the swips? The rest of that record makes no mention of an rwhois server. Doing a bunch of whois requests for IPs in that block, I found only one swip (for a /21). I realize the ARIN regs don't seem to require that reassignment info be made available to the public (just to ARIN), but using your innocent customers (if there are any) as a shield to hide your spammer customers is just wrong. Should I block 69.6.4.0/24 from sending email into my systems? 69.6.0.0/18?

http://www.njabl.org/cgi-bin/lookup.cgi?query=69.6.4.104
http://www.njabl.org/cgi-bin/lookup.cgi?query=69.6.4.114
http://www.njabl.org/cgi-bin/lookup.cgi?query=69.6.4.156

----------------------------------------------------------------------
Jon Lewis *jlewis@lewis.org*| I route
System Administrator | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
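Jon's "where are the swips?" question can be answered mechanically from the record itself. The following is an added example, not code from the thread, from ARIN or from NJABL: a small parser for the "Key: value" format of an ARIN whois record that reports the smallest block the registry publicly documents for an address and whether that record carries any reassignment detail (a Reassigned/Reallocated NetType, or a ReferralServer line pointing at an rwhois server). Both records are constructed samples: the first mirrors the fields quoted above for 69.6.0.0/18, the second is a hypothetical SWIPed sub-block in a documentation range with a made-up rwhois host.

```python
import ipaddress
import re

# Constructed sample modelled on the ARIN fields quoted in the thread for
# 69.6.0.0/18 (NetName WHOLE-2). Only the fields shown on the page are used.
SAMPLE_DIRECT_ALLOCATION = """\
NetRange:   69.6.0.0 - 69.6.63.255
CIDR:       69.6.0.0/18
NetName:    WHOLE-2
NetHandle:  NET-69-6-0-0-1
Parent:     NET-69-0-0-0-0
NetType:    Direct Allocation
NameServer: NS1.WHOLESALEBANDWIDTH.COM
NameServer: NS2.WHOLESALEBANDWIDTH.COM
"""

# Constructed contrast case: a SWIPed sub-block that also carries an rwhois
# referral. Names and addresses are hypothetical (documentation range).
SAMPLE_REASSIGNED = """\
# ARIN WHOIS data and services are subject to the Terms of Use
NetRange:       192.0.2.0 - 192.0.2.255
CIDR:           192.0.2.0/24
NetName:        EXAMPLE-CUST-1
NetHandle:      NET-192-0-2-0-1
Parent:         NET-192-0-0-0-0
NetType:        Reassigned
ReferralServer: rwhois://rwhois.example.net:4321
"""

FIELD_RE = re.compile(r"^([A-Za-z]+):\s*(.*)$")


def parse_record(text):
    """Turn 'Key: value' lines into {key: [values]}; repeated keys (NameServer) accumulate."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:  # '#' comment lines and blanks do not match and are skipped
            fields.setdefault(m.group(1), []).append(m.group(2).strip())
    return fields


def assess(text, query_ip):
    """Report how much public reassignment detail this record gives for query_ip."""
    f = parse_record(text)
    ip = ipaddress.ip_address(query_ip)
    lo, hi = (ipaddress.ip_address(p.strip()) for p in f["NetRange"][0].split("-"))
    # ARIN may list several CIDRs separated by commas; the first is enough here.
    net = ipaddress.ip_network(f["CIDR"][0].split(",")[0].strip())
    net_type = f.get("NetType", [""])[0]
    referral = f.get("ReferralServer", [None])[0]
    covers = lo <= ip <= hi

    if not covers:
        verdict = "not_covered"                 # wrong record for this address
    elif net_type.lower() in ("reassigned", "reallocated"):
        verdict = "swip"                        # customer-level record is public
    elif referral:
        verdict = "rwhois_referral"             # detail lives on the named rwhois server
    else:
        verdict = "no_public_reassignment"      # whole allocation is the finest public record

    return {
        "query": str(ip),
        "smallest_documented_block": str(net),
        "prefix_len": net.prefixlen,
        "net_type": net_type,
        "referral": referral,
        "covers_query": covers,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for text, q in ((SAMPLE_DIRECT_ALLOCATION, "69.6.4.104"), (SAMPLE_REASSIGNED, "192.0.2.77")):
        print(assess(text, q))
```

A "no_public_reassignment" verdict on a /18 means the registry offers nothing finer-grained to act on, which is exactly the situation the thread is arguing about; whether to reject mail from the /24, the /18 or neither stays a local policy decision, the code only tells you how coarse the public record is.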
On 2/27/2003 at 9:58 PM, jlewis@lewis.org wrote:
...
NetRange: 69.6.0.0 - 69.6.63.255
CIDR: 69.6.0.0/18
NetName: WHOLE-2
NetHandle: NET-69-6-0-0-1
Parent: NET-69-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.WHOLESALEBANDWIDTH.COM
NameServer: NS2.WHOLESALEBANDWIDTH.COM
...
Where are the swips? The rest of that record makes no mention of an rwhois server. Doing a bunch of whois requests for IPs in that block, I found only one swip (for a /21). I realize the ARIN regs don't seem to require that reassignment info be made available to the public (just to ARIN), but using your innocent customers (if there are any) as a shield to hide your spammer customers is just wrong. Should I block 69.6.4.0/24 from sending email into my systems? 69.6.0.0/18?
Correct answer: the /18, and then some. Oh, how you wished you hadn't posted this to the list (and Cc:'d wholesalebandwidth.com on it), but chosen reply-to-poster :)

Random example from this block appearing in my rejects: http://www.openrbl.org/lookup?i=69.6.4.153 or: "I see red!"

Extended answer directly from my auto-complaint override map:

'as:26956' => 'as:17054,isp:cogent', # netfreeinc.com/wholesalebandwidth.com - rogue AS
'as:11938' => 'abuse@yipes.com,isp:verio', # wholesalebandwidth.com - rogue AS
'as:17054' => 'abuse@e-xpedient.com,isp:genuity,abuse@yipes.com,isp:gblx', # e-xpedient.com - rogue AS?

Anything announced out of 26956 and 11938 goes straight to the sendmail access file here, and given the various pointers from OTHER rogues back to 17054, e-xpedient.com routes will be there RSN, too.

And if you thought /18 is a big block in spammer-hand, go check out various DNSBLs for listings and the history of AS's announcing portions of:

142.105.0.0/16
162.73.0.0/16
160.122.0.0/16
157.156.0.0/16
138.121.0.0/16
160.116.0.0/16
144.176.0.0/16
146.100.0.0/16
We (Atlantic.Net) have gotten a flurry of abuse complaints from people whose systems have been scanned by 209.208.0.15 (rt.njabl.org...a DNSBL hosted on our network). I'm hoping the new PTR record will head off many complaints now.

For the past 15 months, NJABL has reactively tested systems that have connected to participating SMTP servers to see if those systems are open relays. Just over a week ago, NJABL added open proxy testing to its relay testing software. The proxy testing checks for a variety of common proxy software/protocols on about 20 different ports simultaneously. This is apparently setting off some IDS/firewall alarms.

We do not consider what NJABL does abuse, and we reply to all the complaints explaining that the complainant should go have a look at http://njabl.org/ and hopefully they'll understand why their system was scanned.

This sort of activity is becoming more common / mainstream, so people ought to just get used to it. Road Runner is doing the same thing (according to http://sec.rr.com/probing.htm) which is pretty ironic given how their security department has gotten along with (or not) various DNSBLs in the past.

BTW...in the week that NJABL has been testing for open proxies, more than 18000 have been detected, pretty much all of which are actively being abused by spammers, else mail would not have come through them.

----------------------------------------------------------------------
Jon Lewis *jlewis@lewis.org*| I route
System Administrator | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
From: <jlewis@lewis.org>
We (Atlantic.Net) have gotten a flurry of abuse complaints from people whose systems have been scanned by 209.208.0.15 (rt.njabl.org...a DNSBL hosted on our network). I'm hoping the new PTR record will head off many complaints now.
For the past 15 months, NJABL has reactively tested systems that have connected to participating SMTP servers to see if those systems are open relays. Just over a week ago, NJABL added open proxy testing to its relay testing software. The proxy testing checks for a variety of common proxy software/protocols on about 20 different ports simultaneously. This is apparently setting off some IDS/firewall alarms.
We do not consider what NJABL does abuse, and we reply to all the
Ahh, yes. The age old debate. So long as you, their provider, don't consider it abuse, they should be relatively safe. Obviously, there are some net blocks up to stop the probes. There always are and always will be. Networks don't like scans. One thing I'll say about NJABL, it's probably the most accurate list for what it does. With the added proxy testing, they'll get more people using the list, along with more complaints. I'll be adding my log IPs to that list soon enough. -Jack
On Thu, 27 Feb 2003 22:36:37 -0500 (EST), jlewis@lewis.org wrote:
This sort of activity is becoming more common / mainstream, so people ought to just get used to it. Road Runner is doing the same thing (according to http://sec.rr.com/probing.htm) which is pretty ironic given how their security department has gotten along with (or not) various DNSBLs in the past.
It has always been my opinion that if somebody connects to you, they are implicitly granting you the right to connect back to them on well-known ports. I have discussed this opinion with several dozen people and have yet to find one who disagrees. (Though I'm sure they're probably out there.) I've dealt with any number of abuse complaints, many from governmental and quasi-governmental group. They've all accepted my cut/pasted explanation and we've been whitelisted by several such organizations. I often use the following as the 'meat' paragraph of my reply: "In accord with our terms of service, when someone makes a connection to one of our machines, we make connections back to them to ensure they're not connecting through an open proxy. These connections are to each of the ports on which such proxies commonly run and some ports may require more than one connection to test multiple protocols. We never do such a probe except as a response to a connection made to us." -- David Schwartz <davids@webmaster.com>
I have not checked NJABL but some of the other open relay testers use scenarios that are illegal (actually criminal) in California. Roy jlewis@lewis.org wrote:
We (Atlantic.Net) have gotten a flurry of abuse complaints from people whose systems have been scanned by 209.208.0.15 (rt.njabl.org...a DNSBL hosted on our network). I'm hoping the new PTR record will head off many complaints now.
For the past 15 months, NJABL has reactively tested systems that have connected to participating SMTP servers to see if those systems are open relays. Just over a week ago, NJABL added open proxy testing to its relay testing software. The proxy testing checks for a variety of common proxy software/protocols on about 20 different ports simultaneously. This is apparently setting off some IDS/firewall alarms.
We do not consider what NJABL does abuse, and we reply to all the complaints explaining that the complainant should go have a look at http://njabl.org/ and hopefully they'll understand why their system was scanned.
This sort of activity is becoming more common / mainstream, so people ought to just get used to it. Road Runner is doing the same thing (according to http://sec.rr.com/probing.htm) which is pretty ironic given how their security department has gotten along with (or not) various DNSBLs in the past.
BTW...in the week that NJABL has been testing for open proxies, more than 18000 have been detected, pretty much all of which are actively being abused by spammers, else mail would not have come through them.
----------------------------------------------------------------------
Jon Lewis *jlewis@lewis.org*| I route
System Administrator | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
For the past 15 months, NJABL has reactively tested systems that have connected to participating SMTP servers to see if those systems are open relays. ...
We do not consider what NJABL does abuse, ...
Jon, If "they" are indeed only testing systems who connect to them, it's not abuse, and I would not have complained. However, they scanned every address in every netblock I own, looking for SMTP servers. That was abuse, that was illegal in California, and I was shocked that you "allowed" "them" to behave that way. Hopefully my inference is correct and "they" are now scanning only the hosts which connect to participating SMTP servers. Paul
At 12:56 PM 2/28/2003, Paul Vixie wrote:
For the past 15 months, NJABL has reactively tested systems that have connected to participating SMTP servers to see if those systems are open relays. ...
We do not consider what NJABL does abuse, ...
Jon,
If "they" are indeed only testing systems who connect to them, it's not abuse, and I would not have complained. However, they scanned every address in every netblock I own, looking for SMTP servers. That was abuse, that was illegal in California, and I was shocked that you "allowed" "them" to behave that way. Hopefully my inference is correct and "they" are now scanning only the hosts which connect to participating SMTP servers.
Paul raises good questions about the level of response to incoming SMTP traffic. If contacted for transmission of SMTP, do you have the right to go probe the sending system for all possible vulnerabilities, or only ones that relate directly to email? Clearly there are concerns about email coming from open relays, and from open proxies. The degree of scanning could easily cross the line from warranted to abusive, and potentially illegal. Scanning machines "in the neighborhood" sure seems far over the line. This is further complicated by the difficulty in determining the size of the "neighborhood" (read: netblock assigned to a customer). While we would all like to find some solution to the spam problem before email is rendered useless, measures which themselves threaten the network with denial of service attacks and other measures can be considered just as damaging.
Yo Paul! On Fri, 28 Feb 2003, Paul Vixie wrote:
However, they scanned every address in every netblock I own, looking for SMTP servers. That was abuse, that was illegal in California,
Could you please provide a citation from the CA law for this? Better yet, do you have any case law?

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
gem@rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676
On Fri, 28 Feb 2003, Gary E. Miller wrote:
On Fri, 28 Feb 2003, Paul Vixie wrote:
However, they scanned every address in every netblock I own, looking for SMTP servers. That was abuse, that was illegal in California,
Could you please provide a citation from the CA law for this? Better yet, do you have any case law?
More importantly, could somebody provide some sort of moral basis for this law? (I'm not sure if Paul feels the way he wrote, or if there was a bit of tongue-in-cheek...I suspect and hope the latter.) Why is probing networks wrong? I would agree exploiting vulnerabilities discovered from probing networks is wrong. But I don't agree that probing is inherently wrong. People probe networks for great reasons. Likewise, people have the ability to prevent other people from probing their networks. Should we outlaw a potentially beneficial practice due to its abuse by criminals?

Andy
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Andy Dills 301-682-9972
Xecunet, LLC www.xecu.net
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Dialup * Webhosting * E-Commerce * High-Speed Access
Why is probing networks wrong?
I would agree exploiting vulnerabilities discovered from probing networks is wrong. But I don't agree that probing is inherently wrong.
People probe networks for great reasons. Likewise, people have the ability to prevent other people from probing their networks.
Should we outlaw a potentially beneficial practice due to its abuse by criminals?
Okay. What happens if you make a mistake and overload one of my devices, costing my company money? I guarantee you, the law will look favorably on damages. That is the problem with probing. Sometimes the probe itself can be the damage. Programmers are human. Humans make mistakes. Programmers are perfect. -Jack
On Fri, Feb 28, 2003 at 03:11:00PM -0600, Jack Bates quacked:
Should we outlaw a potentially beneficial practice due to its abuse by criminals?
Okay. What happens if you make a mistake and overload one of my devices, costing my company money? I guarantee you, the law will look favorably on damages. That is the problem with probing. Sometimes the probe itself can be the damage. Programmers are human. Humans make mistakes. Programmers are perfect.
That wasn't the question. There are plenty of circumstances in which it's legal to do something once -- say, make a phone call to you and ask how you're doing -- and illegal to do it one hundred million times. You don't outlaw telephones because people can and have used them to harass other people, you outlaw the harassing behavior and make it subject to damages. ... which is exactly what you described. Probing can be knocking on your door, or it can be taking a sledgehammer to your garage. These are so quantitatively different that there is a qualitative shift between the behaviors.

-Dave
--
work: dga@lcs.mit.edu me: dga@pobox.com
MIT Laboratory for Computer Science http://www.angio.net/
I do not accept unsolicited commercial email. Do not spam me.
There is NO legal advice in this post. Jack Bates wrote:(SNIPO)
Should we outlaw a potentially beneficial practice due to its abuse by criminals?
Okay. What happens if you make a mistake and overload one of my devices, costing my company money?
That is usually a civil issue, not criminal. (.edu, .mil and .gov can be exceptions to the rule) [ Older laws protecting the internet, prior to it being public were allowed to linger.... for just that effect....FWIW] And Vixie isn't unique in quoting these California Statutes.... Does anyone have an actual pointer to these things, please ? I realize they don't apply to anywhere but California, but it would make interesting reading...
I guarantee you, the law will look favorably on damages. That is the problem with probing.
See above, that remains a Civil issue, in most cases.
Sometimes the probe itself can be the damage. Programmers are human. Humans make mistakes.
Sometime probes can provide great benefits to all involved, as well. How about the case of the MAPS "test for email relay" function, available to the public ?
Programmers are perfect.
Absolutely NOT True... It is just relative to the rest of the world, we just APPEAR to be perfect. :* :P
-Jack
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 At 03:52 PM 2/28/2003 -0500, Andy Dills wrote:
Why is probing networks wrong?
Depends on why you're doing the probing. If you randomly walk up to my house and check to see if the door is unlocked, you better be ready for a reaction. Same thing with unsolicited probes, in my opinion. Can I randomly walk up to your car to see if it's unlocked without getting a reaction out of you?

Where this thread got started, the scenario was around if I connect to your SMTP server to attempt to relay mail, is it then right to probe me for open relays and so forth. In that case, I can see the reasoning, as I initiated the connection, so you're checking to see if I'm sane or not. The line gets drawn though as to how much probing is reasonable ... can you probe my system for ALL open ports/exploits just because I tried to send mail through you, or can you probe all machines that fit in my address range (and how do you determine my address range?) ... that's where the larger debate comes in.

I have servers hosted at shared colo facilities. If you were to scan the entire netblock for my colo provider because a different customer at the same facility tried to send mail through you, how am I to determine your cause, or determine that it was not a scan for a vulnerability?

Just my opinions ...

Charlie

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPl/RFKvEtUU05riwEQJV8gCaAkCTqzaB2BtbAqrcG2IGf4O/tfoAoKEd
NSQGE2TuArNzErLNXHacGPmS
=hndb
-----END PGP SIGNATURE-----
On Fri, 28 Feb 2003, Charlie Clemmer wrote:
At 03:52 PM 2/28/2003 -0500, Andy Dills wrote:
Why is probing networks wrong?
Depends on why you're doing the probing.
If so, why outlaw the act of probing? Why not outlaw "probing for the purposes of..."?
If you randomly walk up to my house and check to see if the door is unlocked, you better be ready for a reaction. Same thing with unsolicited probes, in my opinion. Can I randomly walk up to your car to see if it's unlocked without getting a reaction out of you?
This is different. Metaphors applying networking concepts to real world scenarios are tenuous at best. In this case, your door being unlocked cannot cause me harm. However, an "unlocked proxy" can. Legit probes are an attempt to mitigate network abuse, not increase it. If there was a sanctioned body who was trusted to scan for such things, maybe this wouldn't be an issue. But there's not, so it's a vigilante effort.
Where this thread got started, the scenario was around if I connect to your SMTP server to attempt to relay mail, is it then right to probe me for open relays and so forth. In that case, I can see the reasoning, as I initiated the connection, so you're checking to see if I'm sane or not. The line gets drawn though as to how much probing is reasonable ... can you probe my system for ALL open ports/exploits just because I tried to send mail through you, or can you probe all machines that fit in my address range (and how do you determine my address range?) ... that's where the larger debate comes in.
Actually, I think the debate starts with Paul telling Jon that Jon isn't passively scanning connection hosts, he's actively trawling for open proxies, that Paul has the logs to prove it, and that since Paul is in California, Jon has broken the law. Paul has only indicated his point of view objectively; he hasn't yet indicated he wants to do something about it (or that he personally feels that he should do something about it).
I have servers hosted at shared colo facilities. If you were to scan the entire netblock for my colo provider because a different customer at the same facility tried to send mail through you, how am I to determine your cause, or determine that it was not a scan for a vulnerability?
You don't have to. This is why I never understood why people care so much about probing. If you do a good job with your network, probing will have zero effect on you. All the person probing can do (regardless of their intent) is say "Gee, I guess there aren't any vulnerabilities with this network."

Andy
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Andy Dills 301-682-9972
Xecunet, LLC www.xecu.net
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Dialup * Webhosting * E-Commerce * High-Speed Access
Scanning is always a precursor to an attack, or to determine if any obvious methodology can be used to attack. At least that's how it has been historically viewed. In my opinion there is no legitimate reason to scan a remote host or network without the permission of the owners. Otherwise it is in fact excessive behaviour. Andy Dills wrote: [a lot of interesting points deleted]
You don't have to. This is why I never understood why people care so much about probing. If you do a good job with your network, probing will have zero effect on you. All the person probing can do (regardless of their intent) is say "Gee, I guess there aren't any vulnerabilities with this network." Andy Andy Dills 301-682-9972 Xecunet, LLC www.xecu.net
Len Rose wrote:
Scanning is always a precursor to an attack, or to determine if any obvious methodology can be used to attack. At least that's how it has been historically viewed.
See my other post. MAPS assists users in closing their "innocent" relay capable systems. And, FWIW, pro-active probing -can- provide a great service to the "less than clueful" end users.

Scenario: MR. ISP A, we received over 300mbs from your network last week, as it participated in a 1500-bot attack of K ROOT SERVER... We have determined, via access list, that the following IP's appear to be the source of this attack, and we suspect have been compromised by the "koo-koo-ka-chooo" worm. We have not confirmed the identity of the worm, as the attack worm has yet to be identified, and isolated, conclusively. However, we have found all sources that participated in this attack had port 6667 and ports 7777 open. This led us to hypothesize that it was the "koo-koo-ka-choo" worm... Several of these sites are under your Administration.... Attached, please find the list of infected servers.... Any information regarding this worm, and the servers' subsequent sterilization, would be appreciated. Signed, The Administration of -=Your=- NSP.
In my opinion there is no legitimate reason to scan a remote host or network without the permission of the owners. Otherwise it is in fact excessive behaviour.
See above.
Hi.. That's the problem, Sir! Many (I daresay the majority) of people take my hardnosed position. I know that there are people and services with good intentions, but I respectfully suggest that those good intentions shall not pass my borders. If an anti-spam mail relay testing service proactively scans my mail servers for smtp related issues, I will not complain because spam friendly relays and proxies are evil and must be shut down. If my service provider wishes to scan my network and hosts they can do so after they obtain my permission. Just because my networks happen to connect to the internet doesn't give up any dominion over those networks. If some unknown entity (whether it's a service or an individual) (for whatever reason) scans my networks and hosts proactively for whatever justification, I still find that to be excessive trespass. Just because you can reach my network does not give you grounds to play with my toys. More below: Richard Irving wrote:
Scanning is always a precursor to an attack, or to determine if any obvious methodology can be used to attack. At least that's how it has been historically viewed.
See my other post. MAPS assists users in closing their "innocent" relay capable systems. And, FWIW, pro-active probing -can- provide a great service to the "less than clueful" end users.
I agree with all of your positive reasons why such a service is great but you should be dealing with it by blackholing their ASN instead and soon when everyone does so, they'll get their act together or be cut off. Since your network was victimized you should be proactive about contacting the people responsible. You can even scan their hosts at this point since you're engaged in defensive operations. If they're a responsible provider (it sounds like you're talking about some sort of hosting provider here) they'll have a NOC, and you can escalate it until you reach a clue. I don't see anything else as being more than busybodies poking where they don't belong. Cheers! Len
Scenario:
[snip]
Hi, Why is it clearly untrue? Remember when researchers used to send announcements out beforehand? I do. Well, you're taking me too literally of course! Len On Fri, Feb 28, 2003 at 04:00:25PM -0800, Randy Bush wrote:
Scanning is always a precursor to an attack
this is clearly not true, as scans are done for research and other goals.
and conversely, all attacks are not preceded by scanning.
randy
Hi, NANOGers. ] and conversely, all attacks are not preceded by scanning. Very true. Most of the attack activity I monitor does not include scanning activity or any other reconnaissance. However, those who attack often enjoy monitoring their progress. This can be an interesting (albeit difficult) way to trace back the attack to the sources. Thanks, Rob. -- Rob Thomas http://www.cymru.com ASSERT(coffee != empty);
At 05:05 PM 28-02-03 -0500, Len Rose wrote:
Scanning is always a precursor to an attack, or to determine if any obvious methodology can be used to attack. At least that's how it has been historically viewed.
When buying from Landsend or Amazon, I normally trust their ecommerce security. But when I am buying something online from "Bubba's Lasermax Imporium" in Nebraska, I will scan their site as well as "Dwyne's Glock Shop" in Arkansas and pick the one with the more secure ecommerce rather than the one with the cheaper price. Call me Joe consumer :-) -Hank
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 At 04:54 PM 2/28/2003 -0500, Andy Dills wrote:
You don't have to. This is why I never understood why people care so much about probing. If you do a good job with your network, probing will have zero effect on you. All the person probing can do (regardless of their intent) is say "Gee, I guess there aren't any vulnerabilities with this network."
I don't have to understand why you're probing my network? (using the term "your" loosely, not referring specifically to Andy's network/hosts) The actual probe may not have any effect on my network, but if you probe my network/hosts because someone using the same colo facilities as me sent you mail (not through me), there is no way for me to determine whether your intent is hostile or not, and you will likely set off my IDS alerts. There are two reasons to probe my hosts ... trying to protect your hosts or trying to violate mine, and if I've not initiated any type of communication to your host(s), I can only assume your intent is hostile since it was unprovoked.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPl/fbavEtUU05riwEQKRLgCg2b7p6ua04d1tOIBtAWYe034+tOAAoKER
aiwfIt8uR557NG21FddezLQ8
=7hDv
-----END PGP SIGNATURE-----
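David Schwartz's rule (a connection to you implicitly licenses a connection back on well-known ports) and Charlie's objection (an unprovoked probe of a neighbouring colo host is indistinguishable from hostile reconnaissance and trips the IDS) can both be turned into a check against one's own logs. The following is an added example, not code from the thread, from NJABL or from any poster: it correlates inbound connection attempts with the probed host's own recent outbound SMTP sessions and labels each burst of attempts reactive or unsolicited. The log format, the addresses, the ten-minute window and the KNOWN_TESTERS set are constructed assumptions. The known-tester set is there because, as Jon's message describes, the tester (rt.njabl.org) is a different host from the participating SMTP server our machine talked to, so a plain source/destination match alone would misclassify exactly the reactive probes the thread is about.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed connection log in a simplified "DATE TIME DIR SRC DST DPORT" form.
# 192.0.2.0/24 plays our network; 198.51.100.25 is a remote SMTP server that
# probes back; 203.0.113.9 is an unrelated host; 203.0.113.200 stands in for a
# documented tester address of the kind the thread names (rt.njabl.org).
SAMPLE_LOG = """\
2003-02-28 10:15:02 OUT 192.0.2.10 198.51.100.25 25
2003-02-28 10:15:04 IN 198.51.100.25 192.0.2.10 1080
2003-02-28 10:15:04 IN 198.51.100.25 192.0.2.10 3128
2003-02-28 10:15:05 IN 198.51.100.25 192.0.2.10 8080
2003-02-28 10:20:00 IN 203.0.113.9 192.0.2.10 1080
2003-02-28 10:20:00 IN 203.0.113.9 192.0.2.10 3128
2003-02-28 10:20:01 IN 203.0.113.9 192.0.2.10 8080
2003-02-28 10:21:00 IN 198.51.100.25 192.0.2.77 1080
2003-02-28 10:30:00 OUT 192.0.2.10 198.51.100.40 25
2003-02-28 10:30:05 IN 203.0.113.200 192.0.2.10 1080
2003-02-28 10:30:05 IN 203.0.113.200 192.0.2.10 3128
2003-02-28 11:00:00 IN 198.51.100.25 192.0.2.10 1080
""".splitlines()

OUR_NET = ipaddress.ip_network("192.0.2.0/24")        # assumption: our address space
WINDOW = timedelta(minutes=10)                         # assumption: how long a probe may lag our SMTP session
KNOWN_TESTERS = {ipaddress.ip_address("203.0.113.200")}  # placeholder: fill from a tester's published addresses/PTR

LOG_RE = re.compile(r"^(\S+ \S+) (IN|OUT) (\S+) (\S+) (\d+)$")


def parse_log(lines):
    """Parse log lines into (time, direction, src, dst, dport) tuples, oldest first."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a connection record
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(2), ipaddress.ip_address(m.group(3)),
                       ipaddress.ip_address(m.group(4)), int(m.group(5))))
    events.sort(key=lambda e: e[0])
    return events


def classify_probes(lines, our_net=OUR_NET, window=WINDOW, known_testers=KNOWN_TESTERS):
    """Group inbound attempts into per-(prober, target) bursts and label each one."""
    events = parse_log(lines)

    # Outbound SMTP sessions opened by our hosts: to whom, and when.
    smtp_to_peer = defaultdict(list)   # (our host, remote) -> [times]
    smtp_any = defaultdict(list)       # our host -> [times]
    for ts, d, src, dst, port in events:
        if d == "OUT" and src in our_net and port == 25:
            smtp_to_peer[(src, dst)].append(ts)
            smtp_any[src].append(ts)

    def recent(times, ts):
        return any(timedelta(0) <= ts - t <= window for t in times)

    bursts, current = [], {}
    for ts, d, src, dst, port in events:
        if d != "IN" or dst not in our_net or src in our_net:
            continue
        b = current.get((src, dst))
        if b is None or ts - b["last"] > window:   # start a new burst after a quiet gap
            b = {"prober": str(src), "target": str(dst), "first": ts, "last": ts,
                 "ports": set(), "reactive": False}
            current[(src, dst)] = b
            bursts.append(b)
        b["last"] = ts
        b["ports"].add(port)
        # Reactive = the probed host ITSELF opened an SMTP session shortly before,
        # to the prober, or to anyone if the prober is a documented tester.
        # A neighbour's SMTP session never licenses a probe of this host.
        if recent(smtp_to_peer.get((dst, src), []), ts) or \
           (src in known_testers and recent(smtp_any.get(dst, []), ts)):
            b["reactive"] = True

    for b in bursts:
        if b["reactive"]:
            b["verdict"] = "reactive_probe"               # informational, not an incident
        elif len(b["ports"]) >= 3:
            b["verdict"] = "unsolicited_multiport_scan"   # alert: unprovoked reconnaissance
        else:
            b["verdict"] = "unsolicited_probe"            # alert, lower confidence
        b["ports"] = sorted(b["ports"])
    return bursts


if __name__ == "__main__":
    for b in classify_probes(SAMPLE_LOG):
        print(b["first"].time(), b["prober"], "->", b["target"], b["ports"], b["verdict"])
```

Run against the sample, the first burst from 198.51.100.25 is reactive (our host had just delivered mail to it), the same prober's later probe of 192.0.2.77 is unsolicited because that host never talked to it (Charlie's colo neighbour case), its 11:00 probe is unsolicited because the session is outside the window, and the known tester's probe is reactive only because the probed host itself had just sent mail.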
In this case, your door being unlocked cannot cause me harm. However, an "unlocked proxy" can. Legit probes are an attempt to mitigate network abuse, not increase it. If there was a sanctioned body who was trusted to scan for such things, maybe this wouldn't be an issue. But there's not, so it's a vigilante effort.
Not completely "Vigilante", many of the Network providers reserve the right to "manage" (including probe) any network block that they -=announce=-... if not, they simply won't announce it. (While I have experienced many a probe, I have neither heard of anyone actually being declined from announcement, nor have I been part of such an experience, FWIW, but the right is "reserved".) That activity is considered by many proper administrative "due diligence", or "managed network service". Now, if Genuity were to start probing UUnet blocks, then that becomes a little more "Vigilante"... although, in most cases, not illegal. (AFAICT) [Any comments construed as legal advice are purely due to an errant perception on the part of the reader... illegitimi non carborundum]
AD> Date: Fri, 28 Feb 2003 16:54:47 -0500 (EST)
AD> From: Andy Dills
AD> You don't have to. This is why I never understood why people
AD> care so much about probing. If you do a good job with your
AD> network, probing will have zero effect on you. All the person

Actually, when one leaves honeypots and/or tarpits, getting probed can be rather fun...

Eddy
--
Brotsman & Dreger, Inc. - EverQuick Internet Division
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 (785) 865-5885 Lawrence and [inter]national
Phone: +1 (316) 794-8922 Wichita
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Mon, 21 May 2001 11:23:58 +0000 (GMT)
From: A Trap <blacklist@brics.com>
To: blacklist@brics.com
Subject: Please ignore this portion of my mail signature.
These last few lines are a trap for address-harvesting spambots. Do NOT send mail to <blacklist@brics.com>, or you are likely to be blocked.
"E.B. Dreger" wrote:
Actually, when one leaves honeypots and/or tarpits, getting probed can be rather fun...
Second this ! :D Did you ever hear of the guy who wrote a C based 'bot trap and brought down both a big name search engine mining bot, and a provider's (major) Unix server ? LOL! He apparently didn't like the idea that the bot had the right to mine his site for data.... and so, a few lines of C, and Tada! Deadlock, on endless nested directories. Dueling Servers at Dawn ! He had to write a letter of apology to his service provider, and to the search engine. I think it can still be found online somewhere.... :{
It isn't the probing that is illegal in California, it's the unauthorized use of a domain name, especially in the from address. http://law.spamcon.org/us-laws/states/ca/pc_502.shtml

9. Knowingly and without permission uses the Internet domain name of another individual, corporation, or entity in connection with the sending of one or more electronic mail messages, and ....

Andy Dills wrote:
On Fri, 28 Feb 2003, Charlie Clemmer wrote:
At 03:52 PM 2/28/2003 -0500, Andy Dills wrote:
Why is probing networks wrong?
Depends on why you're doing the probing.
If so, why outlaw the act of probing? Why not outlaw "probing for the purposes of..."?
If you randomly walk up to my house and check to see if the door is unlocked, you better be ready for a reaction. Same thing with unsolicited probes, in my opinion. Can I randomly walk up to your car to see if it's unlocked without getting a reaction out of you?
This is different. Metaphors applying networking concepts to real world scenarios are tenuous at best.
In this case, your door being unlocked cannot cause me harm. However, an "unlocked proxy" can. Legit probes are an attempt to mitigate network abuse, not increase it. If there was a sanctioned body who was trusted to scan for such things, maybe this wouldn't be an issue. But there's not, so it's a vigilante effort.
Where this thread got started, the scenario was around if I connect to your SMTP server to attempt to relay mail, is it then right to probe me for open relays and so forth. In that case, I can see the reasoning, as I initiated the connection, so you're checking to see if I'm sane or not. The line gets drawn though as to how much probing is reasonable ... can you probe my system for ALL open ports/exploits just because I tried to send mail through you, or can you probe all machines that fit in my address range (and how do you determine my address range?) ... that's where the larger debate comes in.
Actually, I think the debate starts with Paul telling Jon that Jon isn't passively scanning connection hosts, he's actively trawling for open proxies, that Paul has the logs to prove it, and that since Paul is in California, Jon has broken the law.
Paul has only indicated his point of view objectively; he hasn't yet indicated he wants to do something about it (or that he personally feels that he should do something about it).
I have servers hosted at shared colo facilities. If you were to scan the entire netblock for my colo provider because a different customer at the same facility tried to send mail through you, how am I to determine your cause, or determine that it was not a scan for a vulnerability?
You don't have to. This is why I never understood why people care so much about probing. If you do a good job with your network, probing will have zero effect on you. All the person probing can do (regardless of their intent) is say "Gee, I guess there aren't any vulnerabilities with this network."
Andy
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Andy Dills 301-682-9972
Xecunet, LLC www.xecu.net
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Dialup * Webhosting * E-Commerce * High-Speed Access
On Fri, 28 Feb 2003, Andy Dills wrote:
Actually, I think the debate starts with Paul telling Jon that Jon isn't passively scanning connection hosts, he's actively trawling for open proxies, that Paul has the logs to prove it, and that since Paul is in California, Jon has broken the law.
He was using considerable artistic license with the numbers when he said every IP on every net he owns had been checked by NJABL. The reality is more like 0.06% of the IPs on 3 networks he owns or manages were checked over the span of about 7 months. At that rate (if my math is correct), it would take almost 1000 years to scan all the IPs on those networks. Hopefully, someone will have solved this spam problem by then.
You don't have to. This is why I never understood why people care so much about probing. If you do a good job with your network, probing will have zero effect on you. All the person probing can do (regardless of their intent) is say "Gee, I guess there aren't any vulnerabilities with this network."
When I hooked up my first server on the internet back in 1993, I was kind of shocked that some far away stranger was trying to log into my POP3 server. Unwanted connections have been a fact of life on the internet probably since its beginning.

----------------------------------------------------------------------
 Jon Lewis *jlewis@lewis.org*|  I route
 System Administrator        |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
On Sat, 1 Mar 2003 jlewis@lewis.org wrote:
On Fri, 28 Feb 2003, Andy Dills wrote:
You don't have to. This is why I never understood why people care so much about probing. If you do a good job with your network, probing will have zero effect on you. All the person probing can do (regardless of their intent) is say "Gee, I guess there aren't any vulnerabilities with this network."
When I hooked up my first server on the internet back in 1993, I was kind of shocked that some far away stranger was trying to log into my POP3 server. Unwanted connections have been a fact of life on the internet probably since its beginning.
Maybe so, but I think any net admin should care if his hosts are being probed, even if he is under the mistaken assumption that those hosts are invulnerable. If I see several ports being probed, I drop an email to abuse@. It may well be innocent (I do it myself for valid reasons at times), but it's good to let the respective abuse departments know what's going on, for two reasons: 1) It gives them a heads up to keep an eye out for other "suspicious" activity from that host/user. 2) It usually lets that user know you're alert. Call it "profiling", only based on "curiosity" instead of ethnicity :)

James Smallacombe PlantageNet, Inc. CEO and Janitor
up@3.am http://3.am
=========================================================================
jlewis@lewis.org writes:
When I hooked up my first server on the internet back in 1993, I was kind of shocked that some far away stranger was trying to log into my POP3 server. Unwanted connections have been a fact of life on the internet probably since its beginning.
here's a sample of current SMTP activity in unused parts of ISC's netblocks:
[211.59.151.211] -> [204.152.191.97] hanmir.com <2247kocci1@hanmir.com> (136) <coscard02@hanmail.net> -- Message-ID: <90400-22003242705510905@hanmir.com> X-EM-Version: 6, 0, 0, 4 X-EM-Registration: #0010630410721500AB30 Reply-To: kocci1@hanmir.com From: "coscard01" <2247kocci1@hanmir.com> To: coscard02@hanmail.net Subject: 204.152.191.97 Date: Thu, 27 Feb 2003 09:55:10 +0900 MIME-Version: 1.0 Content-Type: text/html; charset=KS_C_5601-1987 Content-Transfer-Encoding: quoted-printable
[211.59.151.211] -> [204.152.191.98] hanmir.com <2249kocci1@hanmir.com> (136) <coscard02@hanmail.net> -- Message-ID: <226480-2200324270551115@hanmir.com> X-EM-Version: 6, 0, 0, 4 X-EM-Registration: #0010630410721500AB30 Reply-To: kocci1@hanmir.com From: "coscard01" <2249kocci1@hanmir.com> To: coscard02@hanmail.net Subject: 204.152.191.98 Date: Thu, 27 Feb 2003 09:55:11 +0900 MIME-Version: 1.0 Content-Type: text/html; charset=KS_C_5601-1987 Content-Transfer-Encoding: quoted-printable
[211.59.151.211] -> [204.152.191.99] hanmir.com <2249kocci1@hanmir.com> (136) <coscard02@hanmail.net> -- Message-ID: <67290-22003242705511155@hanmir.com> X-EM-Version: 6, 0, 0, 4 X-EM-Registration: #0010630410721500AB30 Reply-To: kocci1@hanmir.com From: "coscard01" <2249kocci1@hanmir.com> To: coscard02@hanmail.net Subject: 204.152.191.99 Date: Thu, 27 Feb 2003 09:55:11 +0900 MIME-Version: 1.0 Content-Type: text/html; charset=KS_C_5601-1987 Content-Transfer-Encoding: quoted-printable
here's the "sort | uniq -c | sort -nr" output from the last two weeks:
 757266 210.218.176.100
 126472 210.105.112.100
   2032 211.59.151.211
   1261 218.49.187.136
    780 219.248.155.57
    508 211.49.94.75
    508 211.49.94.211
    508 211.49.94.118
    508 211.194.117.174
    506 218.49.187.184
    378 211.49.94.238
    252 218.49.187.176
    221 61.75.215.47
    214 61.61.28.159
    118 61.254.207.114
      6 62.79.90.71
      4 217.226.92.40
      3 80.130.52.180
      3 217.226.91.5
      2 80.130.54.82
      2 217.226.91.68
      2 217.226.82.168
      1 62.79.110.122
      1 217.226.85.181
      1 217.226.83.80
i don't think this is, ever was, or will be allowed to be, a fact of my life. -- Paul Vixie
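The per-source tally Paul shows above is the output of a shell pipeline; the small Python script below is an added example, not code from the thread or from ISC, that puts a parser for the flattened record layout of his SMTP excerpt in front of the same count. The records it runs on are constructed (RFC 5737 documentation addresses, example.com names) and only copy the shape of the page's sample; the `subject_echoes_destination` check is an assumption drawn from that sample, in which each message's Subject is the address that was probed.

```python
"""Parse flattened SMTP-probe records (constructed, in the layout of the
thread's excerpt) and summarise them per source address, i.e. a parser
in front of `sort | uniq -c | sort -nr`."""
import re
from collections import Counter

# Constructed sample records in the same layout as the thread's excerpt:
# [src] -> [dst] helo <mail-from> (size) <rcpt-to> -- <flattened headers>
# Addresses are from the RFC 5737 documentation ranges; none of this is real traffic.
SAMPLE_RECORDS = [
    "[192.0.2.10] -> [198.51.100.5] mx.example.net <2247probe@example.net> (136) <drop@example.org> -- "
    "Message-ID: <1@example.net> X-EM-Version: 6, 0, 0, 4 Reply-To: probe@example.net "
    "From: \"probe\" <2247probe@example.net> To: drop@example.org Subject: 198.51.100.5 "
    "Date: Thu, 27 Feb 2003 09:55:10 +0900 MIME-Version: 1.0 "
    "Content-Type: text/html; charset=KS_C_5601-1987 Content-Transfer-Encoding: quoted-printable",
    "[192.0.2.10] -> [198.51.100.6] mx.example.net <2249probe@example.net> (136) <drop@example.org> -- "
    "Message-ID: <2@example.net> X-EM-Version: 6, 0, 0, 4 Reply-To: probe@example.net "
    "From: \"probe\" <2249probe@example.net> To: drop@example.org Subject: 198.51.100.6 "
    "Date: Thu, 27 Feb 2003 09:55:11 +0900 MIME-Version: 1.0 "
    "Content-Type: text/html; charset=KS_C_5601-1987 Content-Transfer-Encoding: quoted-printable",
    "[192.0.2.10] -> [198.51.100.7] mx.example.net <2249probe@example.net> (136) <drop@example.org> -- "
    "Message-ID: <3@example.net> X-EM-Version: 6, 0, 0, 4 Reply-To: probe@example.net "
    "From: \"probe\" <2249probe@example.net> To: drop@example.org Subject: 198.51.100.7 "
    "Date: Thu, 27 Feb 2003 09:55:11 +0900 MIME-Version: 1.0 "
    "Content-Type: text/html; charset=KS_C_5601-1987 Content-Transfer-Encoding: quoted-printable",
    "[203.0.113.77] -> [198.51.100.5] mail.example.com <news@example.com> (2048) <ops@example.org> -- "
    "Message-ID: <4@example.com> From: news@example.com To: ops@example.org Subject: weekly update "
    "Date: Fri, 28 Feb 2003 10:00:00 -0500 MIME-Version: 1.0 Content-Type: text/plain",
    "[203.0.113.77] -> [198.51.100.5] mail.example.com <news@example.com> (2100) <ops@example.org> -- "
    "Message-ID: <5@example.com> From: news@example.com To: ops@example.org Subject: monthly report "
    "Date: Fri, 28 Feb 2003 11:00:00 -0500 MIME-Version: 1.0 Content-Type: text/plain",
]

# Envelope part of a record: source, destination, HELO, MAIL FROM, size, RCPT TO.
RECORD_RE = re.compile(
    r"^\[(?P<src>[\d.]+)\] -> \[(?P<dst>[\d.]+)\] (?P<helo>\S+) "
    r"<(?P<mail_from>[^>]*)> \((?P<size>\d+)\) <(?P<rcpt_to>[^>]*)> -- (?P<headers>.*)$"
)
# Flattened headers: "Name: value" tokens, each value running up to the next "Name: ".
HEADER_RE = re.compile(r"([A-Za-z-]+): (.*?)(?= [A-Za-z-]+: |$)")


def parse_record(line):
    """Return a dict for one record, or None if the line is not in this layout."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["size"] = int(rec["size"])
    rec["headers"] = dict(HEADER_RE.findall(rec.pop("headers")))
    return rec


def count_by_source(lines):
    """Same result as `awk '{print $1}' | tr -d '[]' | sort | uniq -c | sort -nr`."""
    counts = Counter(r["src"] for r in map(parse_record, lines) if r)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def format_like_uniq(counts):
    """Render the tally in the right-aligned `uniq -c` style the thread shows."""
    return "\n".join(f"{n:7d} {ip}" for ip, n in counts)


def subject_echoes_destination(lines):
    """(src, dst) pairs whose Subject: is the probed address itself. Assumption
    taken from the thread's sample: a sender that stamps the target address into
    the subject is recording which host accepted the message."""
    return [(r["src"], r["dst"]) for r in map(parse_record, lines)
            if r and r["headers"].get("Subject") == r["dst"]]


if __name__ == "__main__":
    tally = count_by_source(SAMPLE_RECORDS)
    print(format_like_uniq(tally))
    for src, dst in subject_echoes_destination(SAMPLE_RECORDS):
        print(f"subject echoes target: {src} -> {dst}")
```

Feeding the script a real capture means replacing `SAMPLE_RECORDS` with the file's lines; anything not in the envelope layout is skipped rather than miscounted, which matters when a log also carries unrelated diagnostics.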
Why is probing networks wrong?
i guess it's a last ditch scaling thing. i won't complain to an isp when their customer probes my host as a result of me sending them e-mail -- but i will drop in a local blackhole route so that i won't get any more traffic from or to the prober's network. (if the isp thinks this is too draconian they are welcome to contact me, which is how jon and i wound up talking a couple of months ago.) on the other hand if they probe my network looking for relays to see whether any of those relays are open, then i will complain to their isp. there's an active prober in asia right now who actually *is* an ISP, though, and so, there's really no basis for discussion. -- Paul Vixie
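Two responses to unsolicited probing come up in this thread: James Smallacombe reports a host that touches several ports to abuse@, and Paul above drops a local blackhole route for the prober's network when the probing looks like a relay hunt. The script below is an added example, not code from the thread or from any of its participants, that takes constructed firewall log lines (iptables-style `SRC=`/`DST=`/`DPT=` fields, documentation addresses only), separates a multi-port probe of one host from a single-port sweep across several hosts, and drafts both responses. The thresholds (5 ports, 3 hosts) and the /24 width of the null route are assumptions; the thread states neither.

```python
"""Sort unsolicited probes into 'portscan' (many ports on our hosts) and
'sweep' (one port across many of our hosts), then draft the abuse@ note and
the local blackhole route that the thread describes as responses.
Example added for this thread; log lines are constructed."""
import ipaddress
import re
from collections import defaultdict

# Constructed firewall log lines in iptables LOG-target style (documentation addresses).
SAMPLE_LOG = """\
Feb 28 16:54:01 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.20 PROTO=TCP DPT=21
Feb 28 16:54:01 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.20 PROTO=TCP DPT=22
Feb 28 16:54:02 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.20 PROTO=TCP DPT=23
Feb 28 16:54:02 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.20 PROTO=TCP DPT=25
Feb 28 16:54:03 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.20 PROTO=TCP DPT=80
Feb 28 16:54:03 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.20 PROTO=TCP DPT=110
Feb 28 16:55:10 fw kernel: DROP IN=eth0 SRC=192.0.2.44 DST=198.51.100.20 PROTO=TCP DPT=25
Feb 28 16:55:11 fw kernel: DROP IN=eth0 SRC=192.0.2.44 DST=198.51.100.21 PROTO=TCP DPT=25
Feb 28 16:55:12 fw kernel: DROP IN=eth0 SRC=192.0.2.44 DST=198.51.100.22 PROTO=TCP DPT=25
Feb 28 16:55:13 fw kernel: DROP IN=eth0 SRC=192.0.2.44 DST=198.51.100.23 PROTO=TCP DPT=25
Feb 28 16:57:00 fw kernel: DROP IN=eth0 SRC=198.51.100.200 DST=198.51.100.20 PROTO=TCP DPT=443
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+)"
)


def parse_log(text):
    """(src, dst, proto, dport) tuples for every line carrying the four fields."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m["src"], m["dst"], m["proto"], int(m["dpt"])))
    return events


def summarise(events):
    """Per source: the distinct ports and the distinct destination hosts it touched."""
    ports = defaultdict(set)
    hosts = defaultdict(set)
    for src, dst, _proto, dport in events:
        ports[src].add(dport)
        hosts[src].add(dst)
    return {src: {"ports": sorted(ports[src]), "hosts": sorted(hosts[src])} for src in ports}


def classify(summary, port_threshold=5, host_threshold=3):
    """'portscan': several ports on our hosts. 'sweep': one port walked across
    several of our hosts (what a relay hunt looks like from the target side).
    Sources below both thresholds get no verdict. Thresholds are assumptions."""
    verdicts = {}
    for src, s in summary.items():
        if len(s["ports"]) >= port_threshold:
            verdicts[src] = "portscan"
        elif len(s["hosts"]) >= host_threshold:
            verdicts[src] = "sweep"
    return verdicts


def abuse_report(src, summary):
    """Text of the heads-up to the source's abuse@ mailbox."""
    s = summary[src]
    return (f"Unsolicited probes from {src}: {len(s['ports'])} distinct ports "
            f"({', '.join(map(str, s['ports']))}) on {len(s['hosts'])} host(s): "
            f"{', '.join(s['hosts'])}. Please investigate.")


def blackhole_route(src, prefix_len=24):
    """Linux iproute2 null route covering the prober's network. The prefix
    length is an assumption; the thread does not say how wide the blackhole is."""
    net = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
    return f"ip route add blackhole {net}"


if __name__ == "__main__":
    summary = summarise(parse_log(SAMPLE_LOG))
    for src, verdict in classify(summary).items():
        print(verdict, abuse_report(src, summary))
        print("  ", blackhole_route(src))
```

On the constructed log the first source is a `portscan` (six ports on one host) and the second a `sweep` (port 25 across four hosts); the lone 443 attempt from the third source is below both thresholds and produces neither a report nor a route, which is the point of thresholds: a single stray connection is, as Jon says, a fact of life.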
On Fri, 28 Feb 2003, Roy wrote:
I have not checked NJABL but some of the other open relay testers use scenarios that are illegal (actually criminal) in California.
If you mean the use of "incorrect" from addresses, I believe that law only applies if the message(s) sent with someone else's address results in damage. I'm not here to debate the issue, and I certainly didn't mean to start such a long thread here (the same post went to spam-l, where it was nearly ignored), but I don't think 1 test message sent every 4 weeks (or less frequently) will cause damage[1].

[1] yes...I am aware of one case where ORBZ got in some hot water over an SMTP envelope that effectively broke an outdated version of Lotus Domino. NJABL takes precautions to not repeat that mishap.

Just to be safe, maybe I'll avoid visiting the People's Republic of Kalifornia. That shouldn't be so hard.
I'm a bit closer than you, we see multiple flaps on their routes.

25396 15703 12859 3333
  193.109.219.130 from 193.109.219.130 (213.160.111.1)
    Origin IGP, localpref 150, valid, external
    Community: 6320:1004 6320:2002 6320:21238 15703:22001 25396:15703
    Dampinfo: penalty 441, flapped 1 times in 00:02:46
7176 3333, (suppressed due to dampening)
  195.66.224.74 from 195.66.224.74 (195.16.160.29)
    Origin IGP, metric 1090, localpref 100, valid, external
    Community: 6320:1004 6320:2003 6320:7176
    Dampinfo: penalty 3298, flapped 14 times in 00:54:45, reuse in 00:32:00
1136 3333
  195.66.224.163 from 195.66.224.163 (194.151.224.192)
    Origin IGP, metric 70, localpref 150, valid, external, best
    Community: 6320:1004 6320:2002 6320:5459
    Dampinfo: penalty 1899, flapped 7 times in 01:02:51
6461 12859 3333
  208.185.188.165 from 208.185.188.165 (207.126.96.50)
    Origin IGP, metric 721, localpref 150, valid, external
    Community: 6320:1004 6320:2002 6320:3000
6461 12859 3333
  195.66.224.76 from 195.66.224.76 (209.249.254.202)
    Origin IGP, metric 741, localpref 150, valid, external
    Community: 6320:1004 6320:2002 6320:5459
13237 12859 3333
  195.66.224.99 from 195.66.224.99 (80.245.35.6)
    Origin IGP, metric 20, localpref 150, valid, external
    Community: 6320:1004 6320:2002 6320:5459 12859:1000 12859:4000
    Dampinfo: penalty 875, flapped 1 times in 00:02:54
3291 3333 (history entry)
  195.66.224.14 from 195.66.224.14 (154.14.65.2)
    Origin IGP, metric 20, localpref 150, external
    Community: 6320:1004 6320:2002 6320:5459
    Dampinfo: penalty 1001, flapped 5 times in 01:03:26

On Thu, 27 Feb 2003, Marshall Eubanks wrote:
Can anyone else get to ripe.net ? I cannot seem to access the whois or any other service (my ripe traffic goes through Sprint). When I ping peach.ripe.net, I get 90%+ missing packets + "destination host unreachable" from inside Sprint.
Regards Marshall Eubanks
Thursday, February 27, 2003, 3:04:55 PM, Marshall wrote:

Got told by an insider they are under a very nasty icmp attack, I guess they're a little busy to get the chance to reply.

-Subhi
Can anyone else get to ripe.net ? I cannot seem to access the whois or any other service (my ripe traffic goes through Sprint). When I ping peach.ripe.net, I get 90%+ missing packets + "destination host unreachable" from inside Sprint.
Regards Marshall Eubanks
-- Best regards, Subhi S Hashwa mailto:subhi@thebigboss.com Operations Manager Electronic Corner Limited
participants (26): Andy Dills, Charlie Clemmer, Dan Hollis, Daniel Senie, David G. Andersen, David Schwartz, E.B. Dreger, Gary E. Miller, Hank Nussbacher, hostmaster, Jack Bates, jlewis@lewis.org, K. Scott Bethke, Kai Schlichting, kai@pac-rim.net, Len Rose, Marshall Eubanks, Paul Vixie, Randy Bush, Richard Irving, Rob Thomas, Roy, Stephen J. Wilcox, Subhi S Hashwa, up@3.am, william+nanog@hq.dreamhost.com