There have been reports of DDoS and new targeted malware attacks. There were questions in the media about cutting off the Internet. Apparently some Russian government sites have already cut themselves off, presumably to avoid counterattacks. Would it improve Internet health to refuse Russian ASN announcements? What is our community doing to assist Ukraine against these attacks?
On Thu, Feb 24, 2022 at 4:42 PM William Allen Simpson <william.allen.simpson@gmail.com> wrote:
Would it improve Internet health to refuse Russian ASN announcements?
What is our community doing to assist Ukraine against these attacks?
If we're smart, waiting to see what our respective governments ask of us so that we don't get in their way.

Regards,
Bill Herrin

--
William Herrin
bill@herrin.us
https://bill.herrin.us/
I would suggest keeping the free flow of outside information to Russia would be the best thing we can do.

-----Original Message-----
What is our community doing to assist Ukraine against these attacks?
There are reports of BGP hijacks and DDoS targeted at Ukrainian ASNs. Watch for and mitigate those?

--srs

________________________________
From: NANOG <nanog-bounces+ops.lists=gmail.com@nanog.org> on behalf of Tony Wicks <tony@wicks.co.nz>
Sent: Friday, February 25, 2022 6:55:23 AM
To: 'William Allen Simpson' <william.allen.simpson@gmail.com>
Cc: 'North American Network Operators Group' <nanog@nanog.org>
Subject: RE: Russian aligned ASNs?

I would suggest keeping the free flow of outside information to Russia would be the best thing we can do.

-----Original Message-----
What is our community doing to assist Ukraine against these attacks?
On Thu, Feb 24, 2022 at 07:40:54PM -0500, William Allen Simpson wrote:
Apparently some Russian government sites have already cut themselves off, presumably to avoid counterattacks.
Would it improve Internet health to refuse Russian ASN announcements?
What is our community doing to assist Ukraine against these attacks?
Keeping the free flow of information going seems to be the best way to counter a history of isolationist tendencies by authoritarian governments and repressive regimes. Countries that have dabbled with the idea of firewalls, content filters, alternative DNS or even network, etc., are given encouragement if you cut them off. It may be best to focus on things that are less IP-centric and more of a problem-solving variety. Running a good Tor node, by any chance?

... JG

--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"The strain of anti-intellectualism has been a constant thread winding its way through our political and cultural life, nurtured by the false notion that democracy means that 'my ignorance is just as good as your knowledge.'"-Asimov
I also imagine (without data) that most DoS attacks continue to be performed by botnets, using other people's connections, rather than directly by their ultimate perpetrators. So, the most effective and meaningful mitigation would be trying to clean up bots, and prevent ongoing bot infections, rather than cutting off suspected or actual perpetrators. I realize that's much easier said than done!
On Thu, Feb 24, 2022 at 05:59:08PM -0800, Seth David Schoen wrote:
I also imagine (without data) that most DoS attacks continue to be performed by botnets, using other people's connections, rather than directly by their ultimate perpetrators. So, the most effective and meaningful mitigation would be trying to clean up bots, and prevent ongoing bot infections, rather than cutting off suspected or actual perpetrators.
I realize that's much easier said than done!
It is, and it isn't. There was a time when we mostly all had staffed abuse desks and took action on complaints. Some of us still do. If we took the security of the Internet seriously, we could at least make a reasonable effort to develop ways to cope with the growing problems that are only exacerbated by stuff like the explosive growth of IoT, and the resulting IoT malware. But this has to include service providers giving a damn about what they let their customers spew out onto the network, and it's been many years since it became clear that profit margin won out over being a decent netizen.

... JG

--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"The strain of anti-intellectualism has been a constant thread winding its way through our political and cultural life, nurtured by the false notion that democracy means that 'my ignorance is just as good as your knowledge.'"-Asimov
*nods* Not only cleaning up the infections, but also implementing BCP 38 and 84 to keep things you miss from leaking.

-----
Mike Hammett
Intelligent Computing Solutions
Midwest Internet Exchange
The Brothers WISP
I don’t think that refusing Russian ASNs will do much to stop any kind of attacks. They are going to attack from botnets that are global so that’s not going to stop them. If anything blocking Russian ASNs will stop the flow of information going into Russia. I think we’re better off doing what we can to take down any machines that are participating in attacks if they live on machines that are downstream from you. One of the biggest issues I face in my daily tasks is getting other providers to take down machines. I’m talking to you Microsoft, Amazon, Digital Ocean and the likes…..

-richey
So the providers most likely to have the skills and capabilities to automate abuse mitigation are the least likely to do anything about it, even when asked? </sarcasm>

-----
Mike Hammett
Intelligent Computing Solutions
Midwest Internet Exchange
The Brothers WISP

----- Original Message -----
From: "richey goldberg" <richey.goldberg@gmail.com>
To: "North American Network Operators Group" <nanog@nanog.org>
Sent: Thursday, February 24, 2022 9:16:13 PM
Subject: Re: Russian aligned ASNs?

I don’t think that refusing Russian ASNs will do much to stop any kind of attacks. They are going to attack from botnets that are global so that’s not going to stop them. If anything blocking Russian ASNs will stop the flow of information going into Russia. I think we’re better off doing what we can to take down any machines that are participating in attacks if they live on machines that are downstream from you. One of the biggest issues I face in my daily tasks is getting other providers to take down machines. I’m talking to you Microsoft, Amazon, Digital Ocean and the likes…..

-richey
They have the skills and the ability to stop it but the people who report the traffic represent 0% of their revenue so they could care less. It’s the same actors every single day. Microsoft, Amazon, Google, Psychz Networks, Digital Ocean, etc. that spew garbage from their networks. For a while we would send abuse reports because management felt it would do nothing even though we told them it wouldn’t. Out of all of the reports sent I only ever saw one response that wasn’t a canned response and it was from Microsoft that basically said “Yea, we know it’s an issue but they pay us and you don’t so block it yourself”. Of course if it’s your customer that’s sending them crap traffic they will go nuclear if you don’t remove the offending traffic in .1337 seconds.

-richey

From: Mike Hammett <nanog@ics-il.net>
Date: Monday, February 28, 2022 at 10:43 AM
To: richey goldberg <richey.goldberg@gmail.com>
Cc: North American Network Operators Group <nanog@nanog.org>
Subject: Re: Russian aligned ASNs?

So the providers most likely to have the skills and capabilities to automate abuse mitigation are the least likely to do anything about it, even when asked? </sarcasm>

-----
Mike Hammett
Intelligent Computing Solutions <http://www.ics-il.com/>
Midwest Internet Exchange <http://www.midwest-ix.com/>
The Brothers WISP <http://www.thebrotherswisp.com/>
On 2/24/2022 2:40 PM, William Allen Simpson wrote:
There have been reports of DDoS and new targeted malware attacks.
There were questions in the media about cutting off the Internet.
Apparently some Russian government sites have already cut themselves off, presumably to avoid counterattacks.
Would it improve Internet health to refuse Russian ASN announcements?
What is our community doing to assist Ukraine against these attacks?
------------------------------------------------------------
I think everyone should keep all networks up and functional as long as possible and let information flow. The big issue, of course, will be the filling of the media with so much crap that no one knows what to believe. Apparently, they are attacking the Ukraine government. Regular people that are not being targeted, except for those unfortunate folks that are 'collateral damage'. Russian and Ukraine folks are family and friends for the most part. No one on either side wants to see each other targeted. AFAIK, cell phones and internet in Ukraine are working. Someone I know called their friend in Ukraine who was on a cell. That person said Ukrainians generally are scared, but not panicking. Good call.

scott
On 2/24/2022 6:01 PM, scott wrote:
There were questions in the media about cutting off the Internet.
One brief update not from the media. My Russian friend just called her Russian friend in Russia who just finished talking to a friend in Ukraine that said the cell phones and internet are up. -------------------------------------------------------------------
My friend just got a phone call. Electricity, cell phones and internet are all functional at this time. scott
My friend just got a phone call. Electricity, cell phones and internet are all functional at this time.
---------------------------------------------- Just imagine what it must be like trying to keep those IP networks functional at a time like this. Configuring routers while under fire... Those engineers should get some kind of award... scott
Haha, we are like the underground cables we service. No one (apart from other engineers) notices or cares how much effort it takes to keep the packets flowing until it stops. ---------------------------------------------- Just imagine what it must be like trying to keep those IP networks functional at a time like this. Configuring routers while under fire... Those engineers should get some kind of award... scott
On 2/25/22 22:36, Tony Wicks wrote:
Haha, we are like the underground cables we service. No one (apart from other engineers) notices or cares how much effort it takes to keep the packets flowing until it stops.
One could say this about any service that its patrons aren't professionally attached to. Mark.
The four LTE (3GPP rev-whatever) based networks in Afghanistan are all still operational. Roshan, AWCC, MTN, Etisalat.

In .AF the line between ISP and MNO is very blurry since 98% of internet using customers do not have fixed line service at home or office and use a mobile network instead.

These have developed a great deal of institutional knowledge operating in very difficult conditions. The major change now is that the Taliban is no longer burning tower site cabinets/shelters.

On Fri, 25 Feb 2022 at 12:20, scott <surfer@mauigateway.com> wrote:
My friend just got a phone call. Electricity, cell phones and internet are all functional at this time.
----------------------------------------------
Just imagine what it must be like trying to keep those IP networks functional at a time like this. Configuring routers while under fire... Those engineers should get some kind of award...
scott
AFAIK they don't do that just because they are not being droned. When they were killed, just because cell towers were used by coordinators and as a source of information. Which once again reminds that if telecom doesn't stay neutral as much as possible, or worse, they side with one of conflicting parties - they will become legitimate target. To some extent, it resembles the situation with medics.

On 2022-02-25 23:33, Eric Kuhnke wrote:
The four LTE (3GPP rev-whatever) based networks in Afghanistan are all still operational. Roshan, AWCC, MTN, Etisalat.
In .AF the line between ISP and MNO is very blurry since 98% of internet using customers do not have fixed line service at home or office and use a mobile network instead.
These have developed a great deal of institutional knowledge operating in very difficult conditions. The major change now is that the Taliban is no longer burning tower site cabinets/shelters.
On Fri, 25 Feb 2022 at 12:20, scott <surfer@mauigateway.com> wrote:
My friend just got a phone call. Electricity, cell phones and internet are all functional at this time.
----------------------------------------------
Just imagine what it must be like trying to keep those IP networks functional at a time like this. Configuring routers while under fire... Those engineers should get some kind of award...
scott
Better just apply EU sanctions to RIPE NCC. Wait for some time. And see all Russians are NATed to several Chinese IPs ;) No ASN, no BGP, no hijacks, no DDoSes...

25.02.22 02:40, William Allen Simpson wrote:
There have been reports of DDoS and new targeted malware attacks.
There were questions in the media about cutting off the Internet.
Apparently some Russian government sites have already cut themselves off, presumably to avoid counterattacks.
Would it improve Internet health to refuse Russian ASN announcements?
What is our community doing to assist Ukraine against these attacks?
I have always viewed our job has always been to keep the network running, no matter what. I just re-read this.

https://craphound.com/overclocked/Cory_Doctorow_-_Overclocked_-_When_Sysadmi...

On Fri, Feb 25, 2022 at 4:16 PM Max Tulyev <maxtul@netassist.ua> wrote:
Better just apply EU sanctions to RIPE NCC. Wait for some time. And see all Russians are NATed to several Chinese IPs ;) No ASN, no BGP, no hijacks, no DDoSes...
25.02.22 02:40, William Allen Simpson wrote:
There have been reports of DDoS and new targeted malware attacks.
There were questions in the media about cutting off the Internet.
Apparently some Russian government sites have already cut themselves off, presumably to avoid counterattacks.
Would it improve Internet health to refuse Russian ASN announcements?
What is our community doing to assist Ukraine against these attacks?
-- I tried to build a better future, a few times: https://wayforward.archive.org/?site=https%3A%2F%2Fwww.icei.org Dave Täht CEO, TekLibre, LLC
Obligatory xkcd - https://xkcd.com/705/

On 2/25/2022 at 3:26 PM, "Dave Taht" <dave.taht@gmail.com> wrote:
I have always viewed our job has always been to keep the network running, no matter what.
Would it improve Internet health to refuse Russian ASN announcements?
This should never be a proposed solution.

On Thu, Feb 24, 2022 at 7:42 PM William Allen Simpson <william.allen.simpson@gmail.com> wrote:
There have been reports of DDoS and new targeted malware attacks.
There were questions in the media about cutting off the Internet.
Apparently some Russian government sites have already cut themselves off, presumably to avoid counterattacks.
Would it improve Internet health to refuse Russian ASN announcements?
What is our community doing to assist Ukraine against these attacks?
On Fri, Feb 25, 2022 at 7:23 PM Tom Beecher <beecher@beecher.cc> wrote:
Would it improve Internet health to refuse Russian ASN announcements?
This should never be a proposed solution.
https://en.wikipedia.org/wiki/Usenet_Death_Penalty

--
William Herrin
bill@herrin.us
https://bill.herrin.us/
participants (16)
- Dave Taht
- Denys Fedoryshchenko
- Eric Kuhnke
- Joe Greco
- joenanog@nym.hush.com
- Mark Tinka
- Max Tulyev
- Mike Hammett
- richey goldberg
- scott
- Seth David Schoen
- Suresh Ramasubramanian
- Tom Beecher
- Tony Wicks
- William Allen Simpson
- William Herrin