filtering whitehouse.gov?
Hi all,

A couple of days ago I mentioned here that I have nullrouted the IP which whitehouse.gov resolves to. After that I received some mail in private mentioning not only the fact that I filtered the wrong IP (that's fixed now) but also the dangers of posting about such a thing here. "Hey, he nullroutes them, let's do it too!".

My decision to nullroute whitehouse.gov was based on the following:

- the traceroute from my net to whitehouse.gov goes through AT&T, which means that any DoS packets originating from our network will affect that network too;
- my customer base is not the type that would visit whitehouse.gov frequently, nor would whitehouse.gov (if coming from that IP as a source) be interested in any of my customers;
- most of the boxes in our network have a 100 Mbit/s NIC. Our main uplink is an STM-1 at the moment, so if a colocated NT box were compromised, that would have a huge effect. Imagine what would happen if two or three boxes were infected.

After careful consideration we (our engineering team and the CEO) decided we would not want to be a part of any attacks against the US government or any other network.

If you have any reason to believe you need to blackhole whitehouse.gov, please do so, but don't blackhole just because others do it as well.

-- /* Sabri Berisha CCNA,BOFH,+iO O.O speaking for just myself * Join HAL!!: www.HAL2001.org ____oOo_U_oOo____ http://www.bit.nl/~sabri * "We deliver quality services, we just can't get it on the internet" * Anonymous sysadmin - on IRC */
I understand your need to do something like this, but you are essentially causing the worm to fulfill its goal and censoring your customers. I worried that many people would do this.

Why not just use outbound Cisco ACLs on your CPE, Core, and Border routers to permit and log the traffic to the one IP address being attacked and then contact the people who have hacked machines? Or, if you must use the ACLs to deny the packets, with the goal of identifying machines and getting them fixed.

Here is another email:

CAUTION: Misused ACLs can blow up your hardware. This could fill your syslog server with logged packets. This ACL will have to be applied on an interface in an outbound direction. So, to permit the traffic and log it do this:

  interface s0/0
   ip access-group 199 out

  access-list 199 permit tcp any host 198.137.240.91 eq 80 log
  access-list 199 permit tcp any host 198.137.240.92 eq 80 log
  ! Every IOS access list ends in an implicit "deny any"; without this
  ! last entry the outbound list would drop all other traffic on s0/0.
  access-list 199 permit ip any any

You should already be logging packets to a syslog server. To make deny rules just change the permit to deny. However, this is kind of drastic and almost amounts to censorship.

On 22-Jul-2001, Sabri Berisha wrote:
Hi all,
A couple of days ago I mentioned here that I have nullrouted the IP which whitehouse.gov resolves to. After that I received some mail in private mentioning not only the fact that I filtered the wrong IP (that's fixed now) but also the dangers of posting about such a thing here. "Hey, he nullroutes them, let's do it too!".
My decision to nullroute whitehouse.gov was based on the following:
- the traceroute from my net to whitehouse.gov goes through AT&T, which means that any DoS packets originating from our network will affect that network too;
- my customer base is not the type that would visit whitehouse.gov frequently, nor would whitehouse.gov (if coming from that IP as a source) be interested in any of my customers;
- most of the boxes in our network have a 100 Mbit/s NIC. Our main uplink is an STM-1 at the moment, so if a colocated NT box were compromised, that would have a huge effect. Imagine what would happen if two or three boxes were infected.
After careful consideration we (our engineering team and the CEO) decided we would not want to be a part of any attacks against the US government or any other network.
If you have any reason to believe you need to blackhole whitehouse.gov, please do so, but don't blackhole just because others do it as well.
-- /* Sabri Berisha CCNA,BOFH,+iO O.O speaking for just myself * Join HAL!!: www.HAL2001.org ____oOo_U_oOo____ http://www.bit.nl/~sabri * "We deliver quality services, we just can't get it on the internet" * Anonymous sysadmin - on IRC */
On Sat, Jul 21, 2001 at 03:43:48PM -0700, Jon O . wrote:
A couple of days ago I mentioned here that I have nullrouted the IP which whitehouse.gov resolves to. After that I received some mail in private mentioning not only the fact that I filtered the wrong IP (that's fixed now) but also the dangers of posting about such a thing here. "Hey, he nullroutes them, let's do it too!".
I understand your need to do something like this, but you are essentially causing the worm to fulfill its goal and censoring your customers. I worried that many people would do this.
No, since it is known that the provider hosting www1 and www2.whitehouse.gov has already blackholed www1, and www.whitehouse.gov only resolves to www2 now. And then there's the big difference between operational stability and political stability, of which operational is the primary concern to me at least.

-- Med venlig hilsen / Sincerely, Andreas Plesner Jacobsen (Network Engineer) / Tiscali A/S (World Online) Peter Bangs Vej 26, DK-2000 Frederiksberg - http://www.tiscali.dk Tel. +45 3814 7000 - Fax +45 3814 7007
On 22-Jul-2001, Andreas Plesner Jacobsen - Tiscali wrote:
On Sat, Jul 21, 2001 at 03:43:48PM -0700, Jon O . wrote:
A couple of days ago I mentioned here that I have nullrouted the IP which whitehouse.gov resolves to. After that I received some mail in private mentioning not only the fact that I filtered the wrong IP (that's fixed now) but also the dangers of posting about such a thing here. "Hey, he nullroutes them, let's do it too!".
I understand your need to do something like this, but you are essentially causing the worm to fulfill its goal and censoring your customers. I worried that many people would do this.
No, since it is known that the provider hosting www1 and www2.whitehouse.gov has already blackholed www1, and www.whitehouse.gov only resolves to www2 now. And then there's the big difference between operational stability and political stability, of which operational is the primary concern to me at least.
Yes, because your fix is for this worm and luckily it only attacks www1. The next one might not be so benign and blackholing routes is not the answer. Also, it makes it harder to ID infected hosts so you can fix them.
At 04:29 PM 7/21/01 -0700, Jon O . wrote:
On 22-Jul-2001, Andreas Plesner Jacobsen - Tiscali wrote:
No, since it is known that the provider hosting www1 and www2.whitehouse.gov has already blackholed www1, and www.whitehouse.gov only resolves to www2 now. And then there's the big difference between operational stability and political stability, of which operational is the primary concern to me at least.
Yes, because your fix is for this worm and luckily it only attacks www1. The next one might not be so benign and blackholing routes is not the answer. Also, it makes it harder to ID infected hosts so you can fix them.
Blackholing routes doesn't prevent you from identifying possibly infected hosts. It simply means that you're not going to participate in the abuse of another's network and/or host. You can still log the traffic destined for the target.

jas
Moreover, bbn (whitehouse.gov's upstream) is blackholing it themselves, so why would you NOT blackhole it and waste your bw when it's gonna get blackholed along the way anyway?

Matt

-- Matt Levine @Home: matt@deliver3.com @Work: matt@eldosales.com ICQ : 17080004 PGP : http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x6C0D04CF

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of John Starta
Sent: Saturday, July 21, 2001 10:10 PM
To: jono@networkcommand.com
Cc: Andreas Plesner Jacobsen - Tiscali; nanog@nanog.org
Subject: Re: filtering whitehouse.gov?

At 04:29 PM 7/21/01 -0700, Jon O . wrote:
On 22-Jul-2001, Andreas Plesner Jacobsen - Tiscali wrote:
No, since it is known that the provider hosting www1 and www2.whitehouse.gov has already blackholed www1, and www.whitehouse.gov only resolves to www2 now. And then there's the big difference between operational stability and political stability, of which operational is the primary concern to me at least.
Yes, because your fix is for this worm and luckily it only attacks www1. The next one might not be so benign and blackholing routes is not the answer. Also, it makes it harder to ID infected hosts so you can fix them.
Blackholing routes doesn't prevent you from identifying possibly infected hosts. It simply means that you're not going to participate in the abuse of another's network and/or host. You can still log the traffic destined for the target.

jas
On Sat, 21 Jul 2001, Jon O . wrote:
I understand your need to do something like this, but you are essentially causing the worm to fulfill its goal and censoring your customers. I worried that many people would do this.
Why not just use outbound Cisco ACLs on your CPE, Core, and Border routers to permit and log the traffic to the one IP address being attacked and then contact the people who have hacked machines? Or, if you must use the ACLs to deny the packets, with the goal of identifying machines and getting them fixed.
Outbound ACLs are an option, but then you would have to be sure that they are sending the packets to port 80.
  access-list 199 permit tcp any host 198.137.240.91 eq 80 log
  access-list 199 permit tcp any host 198.137.240.92 eq 80 log
You should already be logging packets to a syslog server.
We already log every packet coming by on a machine which counts the traffic so any infected box will be identified soon.
To make deny rules just change the permit to deny. However, this is kind of drastic and almost amounts to censorship.
Censorship is a way to see it; I prefer to call it operational prevention of a DoS attack. The risk of "censoring" two IPs versus DoS'ing an entire network is one I can explain to angry customers (if there are any).

-- /* Sabri Berisha CCNA,BOFH,+iO O.O speaking for just myself * Join HAL!!: www.HAL2001.org ____oOo_U_oOo____ http://www.bit.nl/~sabri * "We deliver quality services, we just can't get it on the internet" * Anonymous sysadmin - on IRC */
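Added example, not code from the thread or from any of its participants. The `log` keyword on the access-list Jon posted makes IOS emit %SEC-6-IPACCESSLOGP syslog messages (one when a flow first matches, then a per-flow packet summary every five minutes), and the traffic-counting box Sabri mentions comes down to the same data. This Python script parses those messages offline and ranks source hosts by packets sent toward the two target addresses from the ACL, so infected customer machines can be found whether the ACL permits-and-logs or denies-and-logs, and whether or not the route to the target is blackholed. The syslog lines are constructed for the example; the 192.0.2.0/24 and 203.0.113.0/24 addresses, the router name and the `threshold` value are assumptions.

```python
"""Find hosts flooding a target from Cisco IOS ACL log messages.

Added example; not code from the thread.  It parses the %SEC-6-IPACCESSLOGP
messages that the `log` keyword on a numbered ACL produces and totals packets
per source host toward the target addresses.  Sample log lines are constructed.
"""
import re
from collections import Counter

# The two hosts matched by the access-list 199 posted in the thread.
TARGETS = frozenset({"198.137.240.91", "198.137.240.92"})

# IOS logs the first matching packet of a flow immediately ("1 packet") and
# then a summary for that flow every five minutes ("N packets").  When the ACL
# uses `log-input`, an "(interface mac)" group follows the source address.
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>\d{1,3}(?:\.\d{1,3}){3})\((?P<sport>\d+)\)"
    r"(?: \([^)]*\))?"
    r" -> (?P<dst>\d{1,3}(?:\.\d{1,3}){3})\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?"
)

# Constructed sample: a syslog collector's view of an assumed router "gw1".
# 192.0.2.45 and 192.0.2.200 play infected boxes, 192.0.2.77 a normal visitor;
# the list 101 line goes to an unrelated web server and must not be counted.
SAMPLE_SYSLOG = """\
Jul 21 16:10:05 gw1 12345: Jul 21 16:10:04.901 PDT: %SEC-6-IPACCESSLOGP: list 199 permitted tcp 192.0.2.45(2231) -> 198.137.240.91(80), 1 packet
Jul 21 16:10:06 gw1 12346: Jul 21 16:10:05.113 PDT: %SEC-6-IPACCESSLOGP: list 199 permitted tcp 192.0.2.45(2232) -> 198.137.240.91(80), 1 packet
Jul 21 16:15:05 gw1 12401: Jul 21 16:15:04.002 PDT: %SEC-6-IPACCESSLOGP: list 199 permitted tcp 192.0.2.45(2233) -> 198.137.240.91(80), 412 packets
Jul 21 16:15:07 gw1 12402: Jul 21 16:15:06.550 PDT: %SEC-6-IPACCESSLOGP: list 199 permitted tcp 192.0.2.77(1044) -> 198.137.240.91(80), 3 packets
Jul 21 16:15:09 gw1 12403: Jul 21 16:15:08.120 PDT: %SEC-6-IPACCESSLOGP: list 199 denied tcp 192.0.2.200(3301) (FastEthernet0/1 0011.2233.4455) -> 198.137.240.92(80), 250 packets
Jul 21 16:15:10 gw1 12404: %SYS-5-CONFIG_I: Configured from console by admin
Jul 21 16:15:11 gw1 12405: Jul 21 16:15:10.300 PDT: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.0.2.45(2500) -> 203.0.113.9(80), 1 packet
"""


def parse_acl_log(line):
    """Return the fields of an IPACCESSLOGP line, or None for any other line."""
    m = ACL_LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec


def packets_by_source(lines, targets=TARGETS, dport=80):
    """Total logged packets per source host toward `targets` on `dport`.

    Both permitted and denied lines count: the evidence of who is attacking
    is the same whether the ACL lets the traffic through or drops it.
    """
    totals = Counter()
    for line in lines:
        rec = parse_acl_log(line)
        if rec and rec["dst"] in targets and rec["dport"] == dport:
            totals[rec["src"]] += rec["count"]
    return totals


def suspects(lines, threshold=100, **kwargs):
    """Sources at or above `threshold` packets, busiest first.

    A browsing customer generates a few packets per flow; a worm hammering
    one web server generates hundreds per five-minute summary.  The default
    threshold is an assumption; tune it against your own logs.
    """
    totals = packets_by_source(lines, **kwargs)
    return [(src, n) for src, n in totals.most_common() if n >= threshold]


if __name__ == "__main__":
    for src, n in suspects(SAMPLE_SYSLOG.splitlines()):
        print(f"{src:15} {n:6d} packets -> contact the customer")
```

On the sample input the script reports 192.0.2.45 (414 packets) and 192.0.2.200 (250 packets) and leaves the ordinary visitor alone. Jon's caution about logging load applies to the router, not to this script: on IOS the `log` keyword punts matching packets out of the fast path, so on a busy box rate-limit the messages (`ip access-list log-update threshold` and syslog rate limiting) rather than logging every packet.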
participants (5)
- Andreas Plesner Jacobsen - Tiscali
- John Starta
- Jon O .
- Matt Levine
- Sabri Berisha