Folks,
Any Global Crossing SOC folks here? We've had a simple DoS attack targeting one of our nodes connected to Global Crossing but have literally spent 3 hours on the phone with Global Crossing support attempting to get someone with a clue as to how to implement a simple ACL on their edge router to deal with this.
If there's anyone here who can assist, please contact me off list.
Regards,
Stefan Fouant: NeuStar, Inc. Principal Network Engineer 46000 Center Oak Plaza Sterling, VA 20166 [ T ] +1 571 434 5656 [ M ] +1 202 210 2075
[ E ] stefan.fouant@neustar.biz [ W ] www.neustar.biz
Sounds like you need to talk to the Global Crossing NCC. They're located in Phoenix however I don't have their number.
On Wed, Dec 17, 2008 at 12:32 PM, Fouant, Stefan <Stefan.Fouant@neustar.biz> wrote:
Folks,
Any Global Crossing SOC folks here? We've had a simple DoS attack targeting one of our nodes connected to Global Crossing but have literally spent 3 hours on the phone with Global Crossing support attempting to get someone with a clue as to how to implement a simple ACL on their edge router to deal with this.
If there's anyone here who can assist, please contact me off list.
Regards,
Stefan Fouant: NeuStar, Inc. Principal Network Engineer 46000 Center Oak Plaza Sterling, VA 20166 [ T ] +1 571 434 5656 [ M ] +1 202 210 2075
[ E ] stefan.fouant@neustar.biz [ W ] www.neustar.biz
-- Josh Potter
I’m good now, but it would be nice if the people on the front lines at Global Crossing were even aware what a “Denial of Service” attack was, or that they even have a SOC for incident handling. Once we got redirected into their SOC we were in good hands.
Stefan Fouant: NeuStar, Inc. Principal Network Engineer 46000 Center Oak Plaza Sterling, VA 20166 [ T ] +1 571 434 5656 [ M ] +1 202 210 2075
[ E ] stefan.fouant@neustar.biz [ W ] www.neustar.biz
From: Josh Potter [mailto:joshpotter@gmail.com] Sent: Wednesday, December 17, 2008 2:45 PM To: Fouant, Stefan Cc: nanog@nanog.org; Brown, Chad Subject: Re: Global Crossing SOC
Sounds like you need to talk to the Global Crossing NCC. They're located in Phoenix however I don't have their number.
On Wed, Dec 17, 2008 at 12:32 PM, Fouant, Stefan <Stefan.Fouant@neustar.biz> wrote:
Folks,
Any Global Crossing SOC folks here? We've had a simple DoS attack targeting one of our nodes connected to Global Crossing but have literally spent 3 hours on the phone with Global Crossing support attempting to get someone with a clue as to how to implement a simple ACL on their edge router to deal with this.
If there's anyone here who can assist, please contact me off list.
Regards,
Stefan Fouant: NeuStar, Inc. Principal Network Engineer 46000 Center Oak Plaza Sterling, VA 20166 [ T ] +1 571 434 5656 [ M ] +1 202 210 2075
[ E ] stefan.fouant@neustar.biz [ W ] www.neustar.biz
-- Josh Potter
Tier 1 is Tier 1. :/
On Wed, Dec 17, 2008 at 2:17 PM, Fouant, Stefan <Stefan.Fouant@neustar.biz> wrote:
I'm good now, but it would be nice if the people on the front lines at Global Crossing were even aware what a "Denial of Service" attack was, or that they even have a SOC for incident handling. Once we got redirected into their SOC we were in good hands.
Stefan Fouant: NeuStar, Inc. Principal Network Engineer 46000 Center Oak Plaza Sterling, VA 20166 [ T ] +1 571 434 5656 [ M ] +1 202 210 2075
[ E ] stefan.fouant@neustar.biz [ W ] www.neustar.biz
From: Josh Potter [mailto:joshpotter@gmail.com] Sent: Wednesday, December 17, 2008 2:45 PM To: Fouant, Stefan Cc: nanog@nanog.org; Brown, Chad Subject: Re: Global Crossing SOC
Sounds like you need to talk to the Global Crossing NCC. They're located in Phoenix however I don't have their number.
On Wed, Dec 17, 2008 at 12:32 PM, Fouant, Stefan <Stefan.Fouant@neustar.biz> wrote:
Folks,
Any Global Crossing SOC folks here? We've had a simple DoS attack targeting one of our nodes connected to Global Crossing but have literally spent 3 hours on the phone with Global Crossing support attempting to get someone with a clue as to how to implement a simple ACL on their edge router to deal with this.
If there's anyone here who can assist, please contact me off list.
Regards,
Stefan Fouant: NeuStar, Inc. Principal Network Engineer 46000 Center Oak Plaza Sterling, VA 20166 [ T ] +1 571 434 5656 [ M ] +1 202 210 2075
[ E ] stefan.fouant@neustar.biz [ W ] www.neustar.biz
-- Josh Potter
-- Josh Potter
I'm good now, but it would be nice if the people on the front lines at Global Crossing were even aware what a "Denial of Service" attack was, or that they even have a SOC for incident handling. Once we got redirected into their SOC we were in good hands.
You're "assuming" (anyone remember the Benny Hill assume skit). How many companies - especially large "layered" companies can you name that would even be able to determine what a SOC is on their customer service level? I've seen companies with level2 and level3 layers that couldn't even understand what it was. Perhaps DNS lookups could include such information in the future. It would be nice to nslookup a netblock and get something "relevant" for the security ops as opposed to the standard "abuse" which was largely relevant for mail operations (spam). I'm sure I'm not the only one who has thought about this. Maybe NAP's and NSP's can place contact information somewhere for those with a specific need to contact those with direct knowledge. Then real world sinks in... Ticketing systems, accountability, engineers who would rather be on IRC than cleaning up their nets, etc. Happy holidays all ;)
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ J. Oquendo SGFA, SGFE, C|EH, CNDA, CHFI, OSCP
"Enough research will tend to support your conclusions." - Arthur Bloch
"A conclusion is the place where you got tired of thinking" - Arthur Bloch
227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E
-----Original Message----- From: J. Oquendo [mailto:sil@infiltrated.net] Subject: Re: Global Crossing SOC
only one who has thought about this. Maybe NAP's and NSP's can place contact information somewhere for those with a specific need to contact those with direct knowledge.
I think it's a lovely idea, I just wonder how long such a system would last before people really start taking advantage of it, i.e. I have a really low priority, non-important issue I need resolved, let me get in touch with the MOST clueful person I can to get a really quick resolution...
Stefan Fouant: NeuStar, Inc. Principal Network Engineer 46000 Center Oak Plaza Sterling, VA 20166 [ T ] +1 571 434 5656 [ M ] +1 202 210 2075
[ E ] stefan.fouant@neustar.biz [ W ] www.neustar.biz
On Wed, 17 Dec 2008, Fouant, Stefan wrote:
-----Original Message----- From: J. Oquendo [mailto:sil@infiltrated.net] Subject: Re: Global Crossing SOC
only one who has thought about this. Maybe NAP's and NSP's can place contact information somewhere for those with a specific need to contact those with direct knowledge.
I think it's a lovely idea, I just wonder how long such a system would last before people really start taking advantage of it, i.e. I have a really low priority, non-important issue I need resolved, let me get in touch with the MOST clueful person I can to get a really quick resolution...
I thought I had made it clear about the cons. Obviously the con would be someone contacting say Global or Level3 or someone else with: "OMFG like... Some virus!", the cost of doing business. That doesn't stop them NOW from Googling "security" +"Global", they're not doing an nslookup for contact information. I would like to believe that the majority of people doing nslookup's for contact information usually have a higher grasp of what they're looking for. Ask any "Average Joe" to perform an nslookup and compare those results to deer on the highways looking at those high-beams.
You can't expect someone with a less than mission critical reason to contact someone in a higher position, there is no guarantee someone wouldn't be clueful enough to just Google "SOC" +"Global Crossing" +SOC
(http://www.google.com/search?q=%22global+crossing%22+%2B%22SOC%22+%2Bcontact)
What I infer from you is "right... Buddy go ahead and do it... Then the whole world will be screaming about not-so-important shtuff!" If this is the case, what's to stop them from using Google. For the most part, we can infer a large portion of users outside of those with *some* form of networking concepts/experience, can use and know what nslookup is for. Placing relevant information is not going to "cripple SOC" no more than Google would.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ J. Oquendo SGFA, SGFE, C|EH, CNDA, CHFI, OSCP
"Enough research will tend to support your conclusions." - Arthur Bloch
"A conclusion is the place where you got tired of thinking" - Arthur Bloch
227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E
While I understand where you are coming from and I completely agree, I think I should point out that the search pattern you generated actually produced a Press Release about Global Crossing's SOC implementing some ISO 9001:2000 certification. At the bottom of the article it had Press "Contacts" within Global Crossing. It didn't actually contain any useful contact information for any SOC personnel whatsoever...
It's a moot point however, because I happen to agree with you that obtaining that information via nslookup is a more effective barrier at weeding out the less clueful.
Stefan Fouant: NeuStar, Inc. Principal Network Engineer 46000 Center Oak Plaza Sterling, VA 20166 [ T ] +1 571 434 5656 [ M ] +1 202 210 2075
[ E ] stefan.fouant@neustar.biz [ W ] www.neustar.biz
-----Original Message----- From: J. Oquendo [mailto:sil@infiltrated.net] Sent: Wednesday, December 17, 2008 4:01 PM To: nanog@nanog.org Subject: Re: Global Crossing SOC
On Wed, 17 Dec 2008, Fouant, Stefan wrote:
-----Original Message----- From: J. Oquendo [mailto:sil@infiltrated.net] Subject: Re: Global Crossing SOC
only one who has thought about this. Maybe NAP's and NSP's can place contact information somewhere for those with a specific need to contact those with direct knowledge.
I think it's a lovely idea, I just wonder how long such a system would last before people really start taking advantage of it, i.e. I have a really low priority, non-important issue I need resolved, let me get in touch with the MOST clueful person I can to get a really quick resolution...
I thought I had made it clear about the cons. Obviously the con would be someone contacting say Global or Level3 or someone else with: "OMFG like... Some virus!", the cost of doing business. That doesn't stop them NOW from Googling "security" +"Global", they're not doing an nslookup for contact information. I would like to believe that the majority of people doing nslookup's for contact information usually have a higher grasp of what they're looking for. Ask any "Average Joe" to perform an nslookup and compare those results to deer on the highways looking at those high-beams.
You can't expect someone with a less than mission critical reason to contact someone in a higher position, there is no guarantee someone wouldn't be clueful enough to just Google "SOC" +"Global Crossing" +SOC
(http://www.google.com/search?q=%22global+crossing%22+%2B%22SOC%22+%2Bcontact)
What I infer from you is "right... Buddy go ahead and do it... Then the whole world will be screaming about not-so-important shtuff!" If this is the case, what's to stop them from using Google. For the most part, we can infer a large portion of users outside of those with *some* form of networking concepts/experience, can use and know what nslookup is for. Placing relevant information is not going to "cripple SOC" no more than Google would.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ J. Oquendo SGFA, SGFE, C|EH, CNDA, CHFI, OSCP
"Enough research will tend to support your conclusions." - Arthur Bloch
"A conclusion is the place where you got tired of thinking" - Arthur Bloch
227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E
On Wed, 17 Dec 2008, Fouant, Stefan wrote:
While I understand where you are coming from and I completely agree, I think I should point out that the search pattern you generated actually produced a Press Release about Global Crossing's SOC implementing some ISO 9001:2000 certification. At the bottom of the article it had Press "Contacts" within Global Crossing. It didn't actually contain any useful contact information for any SOC personnel whatsoever...
It's a moot point however, because I happen to agree with you that obtaining that information via nslookup is a more effective barrier at weeding out the less clueful.
I didn't want to spend too much time sorting out Google searches ;) Anyhow, how do we get others to understand the need for something like this (information via say whois trickled from an nslookup on a netblock). That would definitely be more productive than someone having to contact abuse - which is highly likely going to be ignored/not remedied appropriately. Would definitely be a plus for me if say I had someone directly contact my SOC team for a security related issue. Would save time for me and the caller. I see it as a no brainer... Others will likely see it as "that's what abuse is for". Maybe Jared should start a SOC contact page or something similar.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ J. Oquendo SGFA, SGFE, C|EH, CNDA, CHFI, OSCP
"Enough research will tend to support your conclusions." - Arthur Bloch
"A conclusion is the place where you got tired of thinking" - Arthur Bloch
227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E