Hi! Could someone please point me to BCP documents or products that permit an ISP to better interact with its peers/upstreams in case of DoS and worm attacks that cross ISP network boundaries? The approach I have seen so far involves a judicious combination of abuse@isp emails and frantic phone calls to NOC contacts. Thanks! Rajesh.
On Mon, 16 Sep 2002, Rajesh Talpade wrote:
Could someone please point me to BCP documents or products that permit an ISP to better interact with its peers/upstreams in case of DoS and worm attacks that cross ISP network boundaries?
Please see Clifford Stoll's book The Cuckoo's Egg for a description of tracking an intruder across various PSTN, PSDN and Internet providers. I haven't seen a better description of the process.
On Mon, 16 Sep 2002 11:24:35 EDT, Sean Donelan <sean@donelan.com> said:
Please see Clifford Stoll's book The Cuckoo's Egg for a description of tracking an intruder across various PSTN, PSDN and Internet providers.
I haven't seen a better description of the process.
It's sad we've not gotten any better at it in the 15 years since then.
Please see Clifford Stoll's book The Cuckoo's Egg for a description of tracking an intruder across various PSTN, PSDN and Internet providers. I haven't seen a better description of the process.
And there were, what?, three US ISPs back then? And when Stanford was getting hacked, where was BBN... Answer: right on the Stanford campus, in Stanford buildings! We don't have the same Internet architecture as we had during The Cuckoo's Egg era. -mark
Please see Clifford Stoll's book The Cuckoo's Egg for a description of tracking an intruder across various PSTN, PSDN and Internet providers. I haven't seen a better description of the process.
And there were, what?, three US ISPs back then?
And when Stanford was getting hacked, where was BBN... Answer: right on the Stanford campus, in Stanford buildings!
We don't have the same Internet architecture as we had during The Cuckoo's Egg era.
I was sort of wondering how long it would take for someone to send this kind of a response. I suppose my question should have included the phrase "current solutions" or equivalent. Still hoping for some good answers.... Thanks. Rajesh.
On Mon, 16 Sep 2002, Mark Kent wrote:
Please see Clifford Stoll's book The Cuckoo's Egg for a description of tracking an intruder across various PSTN, PSDN and Internet providers. I haven't seen a better description of the process.
And there were, what?, three US ISPs back then?
And when Stanford was getting hacked, where was BBN... Answer: right on the Stanford campus, in Stanford buildings!
We don't have the same Internet architecture as we had during The Cuckoo's Egg era.
Funny thing is there seem to be about the same number of internet security folks working at the ISPs now as at the time of the book's writing :) Most times our procedures fall back to:
1) do a whois on the domain name of the ISP in question
2) call the NOC number listed
3) try to work your way around to a security-type person
4) end up emailing logs of the incident to noc@
5) wait and hope they respond quickly with something helpful :)
Depending on the carrier things can be good, or very bad.
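Steps 1, 2 and 4 of the contact-hunting procedure above can be partly automated. The following is an added example (mine, not from the thread): it pulls the NOC phone and abuse mailbox out of whois output and falls back to the RFC 2142 noc@ mailbox when the record names no abuse contact. The field names follow real ARIN and RIPE record styles; the sample records and all values in them are constructed.

```python
# Added example, not from the thread: automate steps 1, 2 and 4 of the
# procedure above. Field names are real RIPE/ARIN conventions; the sample
# records below are CONSTRUCTED for this example.

# Record fields that name the abuse handler / NOC, in order of preference.
ABUSE_FIELDS = ("abuse-mailbox", "OrgAbuseEmail", "e-mail")
PHONE_FIELDS = ("OrgNOCPhone", "OrgAbusePhone", "phone")

def parse_whois(text):
    """Turn 'key: value' whois lines into key -> list of values, skipping
    blank lines and '%'/'#' comment lines."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "%#":
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields.setdefault(key.strip(), []).append(value.strip())
    return fields

def escalation_contacts(whois_text, domain):
    """Return (email, phone) to try first. Step 4 fallback: when the record
    names no abuse contact, use the RFC 2142 well-known mailbox noc@domain."""
    fields = parse_whois(whois_text)
    email = next((fields[f][0] for f in ABUSE_FIELDS if f in fields), None)
    phone = next((fields[f][0] for f in PHONE_FIELDS if f in fields), None)
    if email is None:
        email = "noc@" + domain
    return email, phone

# Constructed ARIN-style record for a fictitious network.
SAMPLE_ARIN = """\
# ARIN WHOIS data and services are subject to the Terms of Use
OrgName:        Example Transit Networks
OrgNOCPhone:    +1-555-0100
OrgAbuseEmail:  abuse@example.net
"""

# Constructed RIPE-style record that lists no abuse mailbox.
SAMPLE_RIPE_NO_ABUSE = """\
% constructed RIPE-style record
inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-NET
phone:          +44 555 0100
"""

if __name__ == "__main__":
    print(escalation_contacts(SAMPLE_ARIN, "example.net"))
    print(escalation_contacts(SAMPLE_RIPE_NO_ABUSE, "example.org"))
```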
On Mon, 16 Sep 2002, Mark Kent wrote:
Please see Clifford Stoll's book The Cuckoo's Egg for a description of tracking an intruder across various PSTN, PSDN and Internet providers. I haven't seen a better description of the process.
And there were, what?, three US ISPs back then?
And when Stanford was getting hacked, where was BBN... Answer: right on the Stanford campus, in Stanford buildings!
We don't have the same Internet architecture as we had during The Cuckoo's Egg era.
I would love to become educated on today's process. Please share how the inter-ISP security procedures have changed.
I would love to become educated on today's process. Please share how the inter-ISP security procedures have changed.
Oh, I get it now. Your initial comment was a subtle dig at how the inter-ISP security procedures haven't changed, despite the considerable change in the complexity of the network, number of organizations involved, etc. However, I think it was too subtle... I didn't get it, and I think chris@uu.net and Valdis.Kletnieks@vt.edu also didn't get it. I don't think they would have posted messages saying the same thing as your hidden meaning. So, Sean, I think you need to be more blunt. It's hard enough wading through spoof messages without having to search for hidden sarcastic meaning :-) -mark
On Mon, 16 Sep 2002 10:48:38 PDT, Mark Kent said:
However, I think it was too subtle... I didn't get it, and I think chris@uu.net and Valdis.Kletnieks@vt.edu also didn't get it. I don't think they would have posted messages saying the same thing as your hidden meaning.
Hmm.. and here I *thought* I got it... or did I?
On Mon, 16 Sep 2002 11:38:29 PDT, Mark Kent said:
OK, so there is my point. Back in those days the network security folks would often find themselves in the same lunch line as the "ISP" security folks. And they were available by phone with just a four digit extension.
In the 1980's, finding the four digit extension, the exchange it was in, and the area code to use could be *quite* interesting if you were *NOT* one of the anointed people in the lunch line. Cliff Stoll didn't have any easy time finding people in 1987. Further, consider the two attached messages, which Dave Mills apparently posted because he couldn't find phone numbers or email addresses for the culprits(*). Then consider the weekly "can a security guy with a clue from XYZnet please call me?" postings, and ask if we *have* learned anything.... /Valdis (*) OK - I admit it. One of the offending boxes was one of mine - it was a Gould PN/9808, and at 12MIPS it noticed a few packets/sec a lot less than a Fuzzball did. That, and at the time I was busy moving to a new job and not paying as close attention. It got fixed as soon as I saw the postings...
In message <200209161541.g8GFfbWI037093@noc.mainstreet.net>, Mark Kent writes:
And when Stanford was getting hacked, where was BBN... Answer: right on the Stanford campus, in Stanford buildings!
In the interests of getting the history right: Cliff published his book in 1989 (reporting events, I think, from 1987, but I can't find my copy of the book). BBN acquired BARNET and began operating parts of its network from Stanford buildings no sooner than 1991 (I personally delivered the bid from BBN Planet [now Genuity] to the BARNET offices and I didn't move to California until September 1991).
Craig
*****
Craig Partridge
Chief Scientist, BBN Technologies (a Verizon Company)
craig@bbn.com
BBN acquired BARNET and began operating parts of its network from Stanford buildings no sooner than 1991 (I personally delivered the bid from BBN Planet [now Genuity] to the BARNET offices and I didn't move to California until September 1991).
Oh yeah, I should have typed BARRNET, not BBN. Wasn't BARRNET operating on the Stanford campus prior to 1991? -mark
In message <200209161811.g8GIBf7N075220@noc.mainstreet.net>, Mark Kent writes:
Oh yeah, I should have typed BARRNET, not BBN. Wasn't BARRNET operating on the Stanford campus prior to 1991?
Absolutely. NSFNET kicked off in 1986/1987 and BARRNET was one of the early regional networks along with NYSERNET (from which PSI was spun off), NEARNET (which was operated by the team that became BBN Planet/Genuity), and a handful of others. Craig
Date: Mon, 16 Sep 2002 14:16:24 -0400 From: Craig Partridge <craig@aland.bbn.com> Sender: owner-nanog@merit.edu
In message <200209161811.g8GIBf7N075220@noc.mainstreet.net>, Mark Kent writes:
Oh yeah, I should have typed BARRNET, not BBN. Wasn't BARRNET operating on the Stanford campus prior to 1991?
Absolutely. NSFNET kicked off in 1986/1987 and BARRNET was one of the early regional networks along with NYSERNET (from which PSI was spun off), NEARNET (which was operated by the team that became BBN Planet/Genuity), and a handful of others.
Certainly SURANET and CICNET were around. I also remember MIDNET, NORTHWESTNET, SESQUINET and maybe OARNET as being NSF regionals. CERFnet was around, but not a regional.
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman@es.net
Phone: +1 510 486-8634
Wasn't BARRNET operating on the Stanford campus prior to 1991?
Absolutely.
OK, so there is my point. Back in those days the network security folks would often find themselves in the same lunch line as the "ISP" security folks. And they were available by phone with just a four digit extension. Everybody who was anybody knew everyone else who was anybody. (*) -mark (*) The term "every" is used for dramatic effect and not meant in an absolute sense.
In message <200209161838.g8GIcTMT079274@noc.mainstreet.net>, Mark Kent writes:
OK, so there is my point. Back in those days the network security folks would often find themselves in the same lunch line as the "ISP" security folks. And they were available by phone with just a four digit extension.
Oh it's worse than that :-). At least as late as 1987, we knew each other's phone numbers (and in some cases, network maps) by heart. My favorite personal stories of this ilk are:
* c. 1986 I went into Dennis Rockwell's office (he worked down the hall from me on CSNET) trying to track down a TCP performance problem to another site. He pulled out a network map, pinged the intermediate routers (no traceroute in those days), sent a few specialized test packets, then called up the guy who managed the router (at another company) and told him his router was misbehaving and which bug was causing the misbehavior.
* c. 1984 I was writing a UNIX kernel implementation of HMP (the network monitoring protocol before SNMP). I'd just gotten the kernel to start sending packets, so I sent a poll (GET) message to a local router. I got no reply, so I sent the packet again. 10 seconds later my phone rang. It was Mike Brescia at the BBN NOC. He said "Craig, are you trying to HMP poll 128.89.0.1?" Me: "Yes". Mike: "You've got the bytes swapped in the HMP password field."
Craig
participants (7): Christopher L. Morrow, Craig Partridge, Kevin Oberman, Mark Kent, Rajesh Talpade, Sean Donelan, Valdis.Kletnieks@vt.edu