NANOG 44 (Los Angeles): ISP Security BOF
Hi all, NANOG 44 is fast approaching and once again we are looking for topics for the ISP Security BOF. If you have any security related topics that you would like to hear about, not hear about, or (best of all) speak about, please let me know as soon as possible... This is your chance to air your views --- slides are welcome but not required. Danny McPherson and I are going to be moderating this year... W
I would love (though I'll miss it in person) to see a discussion, structured, of why the Intercage/Atrivo situation got to where it was. I believe that in many (this one in particular) cases the upstream networks do not: 1) get 2) have relevant information in a useful format about abuse/use of their downstream networks. When I was at AS701 there were consistently folks who'd say this or that customer is obviously bad, why hadn't we disconnected them? When looking through abuse tickets for issues we could bring to management as ammo for disconnection often a majority of complaints related to the customer in question were not complete, didn't have enough information, didn't have ANY information in them. How can we, as a community get better at providing complete and useful information (ip, timestamp+timezone, act-that-caused-ire) How can we, as a community, get better at tying together the bits and pieces that are one issue? (atrivo/intercage/ukrtelecom/hostfresh) As an interesting aside, there were many occasions of the last 4 years where some horrible virus/trojan/malware thing got rolling on the internets, tracking it back was fairly simple (for the C&C or distribution site) to AS27595... often folks reporting the issue would say things like: "Oh, that's ukrtelecom, they are in the Ukraine, too bad we can't get hands on the server/router/code/subpoena them..." "Oh, that's something living in hostfresh, in ASPAC, gosh it'd be nice if the FBI/HTC-group could get there and give the provider some trouble..." oddly in many/all of these cases the IP space might have tracked back to somewhere not ARIN related, but an actual traceroute ended inside AS27595. So, tying together these incidents with more complete information would have potentially given the upstreams, or even 27595 if they are to be believed as being in the right and just framed by their bad customers (not my belief, but...), more actionable intelligence about their customer(s) and the ability to make an informed decision (at a management/legal level). -Chris (thanks) This is a set of topics I'd love to see handled in the SP Security BOF. On Mon, Sep 29, 2008 at 11:12 AM, Warren Kumari <warren@kumari.net> wrote:
Hi all,
NANOG 44 is fast approaching and once again we are looking for topics for the ISP Security BOF. If you have any security related topics that you would like to hear about, not hear about, or (best of all) speak about, please let me know as soon as possible...
This is your chance to air your views --- slides are welcome but not required.
Danny McPherson and I are going to be moderating this year...
W
On Oct 3, 2008, at 10:56 AM, Christopher Morrow wrote:
I would love (though I'll miss it in person) to see a discussion, structured, of why the Intercage/Atrivo situation got to where it was.
While I realize that this is not quite what you asked for, Esthost has requested some time on the agenda to be able to tell their side of the story... After some deliberations we have decided to give them 10 minutes for a presentation and 10 minutes for questions and answers[0]. We would also welcome any talks presenting the other viewpoint, but ask that they be kept civil and factual (as we have requested from Esthost). W [0]: We have not listed this talk yet as we are waiting for a title and abstract....
I believe that in many (this one in particular) cases the upstream networks do not: 1) get 2) have
relevant information in a useful format about abuse/use of their downstream networks. When I was at AS701 there were consistently folks who'd say this or that customer is obviously bad, why hadn't we disconnected them? When looking through abuse tickets for issues we could bring to management as ammo for disconnection often a majority of complaints related to the customer in question were not complete, didn't have enough information, didn't have ANY information in them.
How can we, as a community get better at providing complete and useful information (ip, timestamp+timezone, act-that-caused-ire) How can we, as a community, get better at tying together the bits and pieces that are one issue? (atrivo/intercage/ukrtelecom/hostfresh)
As an interesting aside, there were many occasions of the last 4 years where some horrible virus/trojan/malware thing got rolling on the internets, tracking it back was fairly simple (for the C&C or distribution site) to AS27595... often folks reporting the issue would say things like:
"Oh, that's ukrtelecom, they are in the Ukraine, too bad we can't get hands on the server/router/code/subpoena them..." "Oh, that's something living in hostfresh, in ASPAC, gosh it'd be nice if the FBI/HTC-group could get there and give the provider some trouble..."
oddly in many/all of these cases the IP space might have tracked back to somewhere not ARIN related, but an actual traceroute ended inside AS27595. So, tying together these incidents with more complete information would have potentially given the upstreams, or even 27595 if they are to be believed as being in the right and just framed by their bad customers (not my belief, but...), more actionable intelligence about their customer(s) and the ability to make an informed decision (at a management/legal level).
-Chris (thanks)
This is a set of topics I'd love to see handled in the SP Security BOF.
On Mon, Sep 29, 2008 at 11:12 AM, Warren Kumari <warren@kumari.net> wrote:
Hi all,
NANOG 44 is fast approaching and once again we are looking for topics for the ISP Security BOF. If you have any security related topics that you would like to hear about, not hear about, or (best of all) speak about, please let me know as soon as possible...
This is your chance to air your views --- slides are welcome but not required.
Danny McPherson and I are going to be moderating this year...
W
On Fri, 3 Oct 2008, Christopher Morrow wrote:
relevant information in a useful format about abuse/use of their downstream networks. When I was at AS701 there were consistently folks who'd say this or that customer is obviously bad, why hadn't we disconnected them? When looking through abuse tickets for issues we could bring to management as ammo for disconnection often a majority of complaints related to the customer in question were not complete, didn't have enough information, didn't have ANY information in them.
How can we, as a community get better at providing complete and useful information (ip, timestamp+timezone, act-that-caused-ire) How can we, as a community, get better at tying together the bits and pieces that are one issue? (atrivo/intercage/ukrtelecom/hostfresh)
Is it that time of the year again for our annual discussion? There is a large crowd of motivated people, but often they don't seem to know how to put together everything they've down into an actionable package. They get frustrated, and it usually declines into the ISP's suck debate. Even security vendors selling things don't understand what is needed to quickly process abuse complaints (e.g. many examples from useless logs generated by IDS/personal firewalls). Would some current (or former, since the lawyers get a bit antsy) abuse desk folks from ISPs like to talk about putting together a training session about how to build and present an effective network abuse case to an ISP/LEA?
Hello all, NANOG 44 is now less than a week away. Here is the current program for the ISP Security BOF (NANOG 44, October 13, 2008, 4:30 PM - 6:00 PM) -- as always, the program at this point is still somewhat fluid and subject to change. ------------------------------------ 16:30 - 16:45: "Stealing the Internet" -- Anton Kapela In "Stealing the Internet" Kapela will describe a method where an attacker exploits the BGP routing system to facilitate transparent interception of IP packets. The method will be shown to function at a scale previously thought by many as unavailable. The talk highlights a new twist in sub-prefix hijacking that he demonstrated at Defcon 16: using intrinsic BGP logic to hijack network traffic and simultaneously create a 'bgp shunt towards the target network. This method will be shown to preserve end-to-end reachability while creating a virtual 'wire tap' at the attackers network. He'll cover additive TTL modification and transparent-origin-AS as a means for the attacker to obscure the interception. There will not be a live demonstration of the hijack or interception methods. -------------------------------------- 16:45 - 17:00: "An interim solution to the threat of DNS cache poisoning while waiting for DNSSEC". -- Rodney Joffe -------------------------------------- 17:00 - 17:15: "Next steps in IRR/X509" --Barry Raveendran Greene, Jason Schiller. ------------------------------------- 17:15 - 17:30: "Esthost's response to the 'Hostexploit report'" -- Konstantin Poltev (Esthost, Inc). We are still waiting for the official title / abstract for this talk, so this is a temporary title.... ------------------------------------ 17:30 - 17:45: "Early Survey Results and Some Attack Statistics" -- Danny McPherson. ------------------------------------- There are 15 minutes left over at the end of the agenda as I'm sure some talks will run over their alloted time. Hopefully this agenda is interesting and you are looking forward to the BOF.... See you there, W
Hi all, Well, Esthost has decided that they no longer wish to present their side of the story, and so their talk has been removed from the agenda :-) This also means that that the more, erm, operational talks have been lengthened and so won't feel quite as rushed... The revised agenda is below: 4:30 - 4:50: "Stealing the Internet" -- Anton Kapela -------------------------------------- 4:50 - 5:10: "An interim solution to the threat of DNS cache poisoning while waiting for DNSSEC". -- Rodney Joffe -------------------------------------- 5:10 - 5:30: "Next steps in IRR/X509" --Barry Raveendran Greene, Jason Schiller. -------------------------------------- 5:30 - 5:50: "Early Survey Results and Some Attack Statistics" -- Danny McPherson. I will get this (with some abstracts) posted on the NANOG 44 site soon. Thanks to everyone who will be presenting, and I look forward to seeing y'all there! W On Oct 6, 2008, at 2:05 PM, Warren Kumari wrote:
Hello all,
NANOG 44 is now less than a week away. Here is the current program for the ISP Security BOF (NANOG 44, October 13, 2008, 4:30 PM - 6:00 PM) -- as always, the program at this point is still somewhat fluid and subject to change.
------------------------------------ 16:30 - 16:45: "Stealing the Internet" -- Anton Kapela
In "Stealing the Internet" Kapela will describe a method where an attacker exploits the BGP routing system to facilitate transparent interception of IP packets. The method will be shown to function at a scale previously thought by many as unavailable. The talk highlights a new twist in sub-prefix hijacking that he demonstrated at Defcon 16: using intrinsic BGP logic to hijack network traffic and simultaneously create a 'bgp shunt towards the target network. This method will be shown to preserve end-to-end reachability while creating a virtual 'wire tap' at the attackers network. He'll cover additive TTL modification and transparent-origin-AS as a means for the attacker to obscure the interception.
There will not be a live demonstration of the hijack or interception methods.
--------------------------------------
16:45 - 17:00: "An interim solution to the threat of DNS cache poisoning while waiting for DNSSEC". -- Rodney Joffe
--------------------------------------
17:00 - 17:15: "Next steps in IRR/X509" --Barry Raveendran Greene, Jason Schiller.
-------------------------------------
17:15 - 17:30: "Esthost's response to the 'Hostexploit report'" -- Konstantin Poltev (Esthost, Inc).
We are still waiting for the official title / abstract for this talk, so this is a temporary title....
------------------------------------
17:30 - 17:45: "Early Survey Results and Some Attack Statistics" -- Danny McPherson.
-------------------------------------
There are 15 minutes left over at the end of the agenda as I'm sure some talks will run over their alloted time.
Hopefully this agenda is interesting and you are looking forward to the BOF....
See you there, W
participants (3)
-
Christopher Morrow
-
Sean Donelan
-
Warren Kumari