RE: Interesting new spam technique - getting a lot more popular.
It sure seems like this is a good demo of the best practice of having customers on their own VLANs with their own subnets. We have been doing this since we started offering colo services, is this less common than I thought?

John

-----Original Message-----
From: Christopher L. Morrow [mailto:christopher.morrow@verizonbusiness.com]
Sent: Tuesday, June 13, 2006 9:23 PM
To: Suresh Ramasubramanian
Cc: NANOG
Subject: Re: Interesting new spam technique - getting a lot more popular.

On Wed, 14 Jun 2006, Suresh Ramasubramanian wrote:
That was not my advice btw - just forwarding on what I saw.
oh, apologies, I did cut the message down quite a bit :( I understood you were quoting from the spamdiaries website, I apologize to the other listeners (readers?) if it confused the issue.
What you say does seem like a "must do" all right - but putting ARP filters in is actually a reasonable idea.
At least it'd trim down the 'problem' to the single customer subnet, I assume that dedicated hosting folks don't just drop machines behind a switch on one big flat subnet? That's probably a naive assumption though :( Perhaps this is clue #12 that that is a 'less than good' option? :)
On 6/14/06, Christopher L. Morrow <christopher.morrow@verizonbusiness.com> wrote:
On Wed, 14 Jun 2006, Suresh Ramasubramanian wrote:
http://thespamdiaries.blogspot.com/2006/02/new-host-cloaking-technique-used-...
* Monitor your local network for interfaces transmitting ARP responses they shouldn't be.
how about just mac security on switch ports? limit the number of mac's at each port to 1 or some number 'valid' ?
-- Suresh Ramasubramanian (ops.lists@gmail.com)
That’s a very good question... I was also under the assumption that most providers would have adopted new practices rather than simply dumping customers on a single subnet/vlan... unless we're going back in time :P

As far as the "special daemon program" goes.. any packet sniffer will reveal all needed information to jack an ip. I'm actually surprised that it's taken spammers this long to figure out and utilize such vulnerabilities in networks... seeing how spamming is a multi billion $ industry...

few ways to limit ip jackings... keep your subnets small as possible, force the use of private vlans, as a provider... you should provide a way for your clients to be able to view their traffic patterns... in case of a hijack, they would notice the increased traffic and could bring it to the providers attention sooner than later... monitor your switch ports (snmp?) for bursts of outbound traffic (bandwidth / pps)...

--
Payam Chychi

John van Oppen wrote:
It sure seems like this is a good demo of the best practice of having customers on their own VLANs with their own subnets. We have been doing this since we started offering colo services, is this less common than I thought?
John
-----Original Message-----
From: Christopher L. Morrow [mailto:christopher.morrow@verizonbusiness.com]
Sent: Tuesday, June 13, 2006 9:23 PM
To: Suresh Ramasubramanian
Cc: NANOG
Subject: Re: Interesting new spam technique - getting a lot more popular.
On Wed, 14 Jun 2006, Suresh Ramasubramanian wrote:
That was not my advice btw - just forwarding on what I saw.
oh, apologies, I did cut the message down quite a bit :( I understood you were quoting from the spamdiaries website, I apologize to the other listeners (readers?) if it confused the issue.
What you say does seem like a "must do" all right - but putting ARP filters in is actually a reasonable idea.
At least it'd trim down the 'problem' to the single customer subnet, I assume that dedicated hosting folks don't just drop machines behind a switch on one big flat subnet? That's probably a naive assumption though :( Perhaps this is clue #12 that that is a 'less than good' option? :)
On 6/14/06, Christopher L. Morrow <christopher.morrow@verizonbusiness.com> wrote:
On Wed, 14 Jun 2006, Suresh Ramasubramanian wrote:
http://thespamdiaries.blogspot.com/2006/02/new-host-cloaking-technique-used-...
* Monitor your local network for interfaces transmitting ARP responses they shouldn't be.
how about just mac security on switch ports? limit the number of mac's at each port to 1 or some number 'valid' ?
-- Suresh Ramasubramanian (ops.lists@gmail.com)
JvO> Date: Tue, 13 Jun 2006 21:35:14 -0700
JvO> From: John van Oppen

JvO> It sure seems like this is a good demo of the best practice of
JvO> having customers on their own VLANs with their own subnets. We
JvO> have been doing this since we started offering colo services, is

We actually go so far as to isolate certain services on their own subnet/VLAN.

JvO> this less common than I thought?

I'm afraid so. I've worked on a good many networks where everything is in one VLAN; a common argument for the practice is IP assignment granularity. Rarely do I find MAC ACLs in place at the switch. (I'm actually trying to remember a specific installation that had MAC filtering set up by a prior engineer... I'm _sure_ I've encountered at least a couple.)

Note that these observations are for small- and mid-sized networks. Maybe things are better in the larger networks. YMMV.

Eddy
--
Everquick Internet - http://www.everquick.net/
A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita
________________________________________________________________________
DO NOT send mail to the following addresses:
davidc@brics.com -*- jfconmaapaq@intc.net -*- sam@everquick.net
Sending mail to spambait addresses is a great way to get blocked.
Ditto for broken OOO autoresponders and foolish AV software backscatter.
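
Added example, not part of any message in this thread: one way to implement the "monitor for interfaces transmitting ARP responses they shouldn't be" check, by comparing the sender binding in each ARP frame against the addresses actually handed out. The allocation table, the function names and the sample frames are all constructed for illustration.

```python
import struct
from ipaddress import ip_address

# Constructed allocation table (assumption): customer MAC -> IPs assigned to it.
ASSIGNED = {
    "00:16:3e:00:00:0a": {"192.0.2.10"},
    "00:16:3e:00:00:0b": {"192.0.2.11", "192.0.2.12"},
}

def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_arp(frame: bytes):
    """Return (op, eth_src, sender_mac, sender_ip) for Ethernet/IPv4 ARP, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, _mac(frame[6:12]), _mac(frame[22:28]), str(ip_address(frame[28:32]))

def check_arp(frame: bytes, assigned=ASSIGNED):
    """Return a reason string when the sender binding is not one we handed out."""
    parsed = parse_arp(frame)
    if parsed is None:
        return None                      # not ARP: nothing to judge
    op, eth_src, sha, spa = parsed
    if eth_src != sha:
        return "src-mismatch"            # Ethernet source differs from ARP sender MAC
    if sha not in assigned:
        return "unknown-mac"             # MAC we never provisioned
    if spa not in assigned[sha]:
        return "unassigned-ip"           # host answers for an IP that is not its own
    return None

def build_frame(eth_src, op, sha, spa, tpa="192.0.2.1"):
    """Build a constructed 42-byte ARP frame for the sample run below."""
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    hdr = struct.pack("!HHHBBH", 0x0806, 1, 0x0800, 6, 4, op)
    return (b"\xff" * 6 + raw(eth_src) + hdr + raw(sha) + ip_address(spa).packed
            + b"\x00" * 6 + ip_address(tpa).packed)

if __name__ == "__main__":
    A, B = "00:16:3e:00:00:0a", "00:16:3e:00:00:0b"
    for f in (build_frame(A, 2, A, "192.0.2.10"),   # own address
              build_frame(A, 2, A, "192.0.2.11"),   # neighbour's address
              build_frame(A, 2, B, "192.0.2.11")):  # forged sender MAC
        print(check_arp(f))
```

On one flat subnet this check has to run against every customer's bindings at once; with per-customer VLANs and subnets, as discussed above, the table for each segment shrinks to a single customer's allocation.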