DNS Amplification Attacks
In this paper we address in detail how the recent DNS DDoS attacks work: how they abuse name servers, EDNS, the recursive feature and UDP packet spoofing, as well as how the amplification effect works. Our study is based on packet captures (we provide samples) and logs from attacks on different networks reported to have a volume of 2.8Gbps. One of these networks indicated some attacks have reached as high as 10Gbps and used as many as 140,000 exploited name servers. In the conclusions we also discuss some remediation suggestions.

Given recent events, we have been encouraged to make this text available at this time.

URL: http://www.isotf.org/news/DNS-Amplification-Attacks.pdf

Please note that this version of this paper is prior to submission for publication and that the final version may see significant revisions.

Thanks, Randy Vaughn and Gadi Evron.
That ISPs still do not filter inbound traffic from their customers to prevent source spoofing is amazing. Done closer to the ingress edge this filtering shouldn't be that expensive. Not everyone will do it, but at least it will limit the places from where source address spoofing attacks originate. The administrative burden arguments don't fly - a list of routes and IP address assignments per customer is already maintained both by ISPs and the customers - and route filters and access lists are routinely automated. So beyond laziness - are there any technical reasons why this causes problems for anyone?

Gadi Evron <ge@linuxbox.org> wrote:
In this paper we address in detail how the recent DNS DDoS attacks work: how they abuse name servers, EDNS, the recursive feature and UDP packet spoofing, as well as how the amplification effect works. Our study is based on packet captures (we provide samples) and logs from attacks on different networks reported to have a volume of 2.8Gbps. One of these networks indicated some attacks have reached as high as 10Gbps and used as many as 140,000 exploited name servers. In the conclusions we also discuss some remediation suggestions. Given recent events, we have been encouraged to make this text available at this time. URL: http://www.isotf.org/news/DNS-Amplification-Attacks.pdf Please note that this version of this paper is prior to submission for publication and that the final version may see significant revisions. Thanks, Randy Vaughn and Gadi Evron.
On Fri, 17 Mar 2006 ennova2005-nanog@yahoo.com wrote:
That ISPs still do not filter inbound traffic from their customers to prevent source spoofing is amazing.
Heck, some people still can't get reverse DNS setup correctly for their IP addresses. And in-addr.arpa has been around for decades.
host 66.201.54.61
Host 61.54.201.66.in-addr.arpa not found: 3(NXDOMAIN)
The problem with relying on address anti-spoofing is it doesn't matter how many ISPs prevent spoofing because it only requires one opening (plus a bad guy, plus bad computers, plus uncontrolled reflectors). While it's a good idea to make the spoofing openings as small as possible, within your own network anti-spoofing is very useful, you also need other management controls. This goes beyond an individual protocol such as DNS. You can generate blowback with many different protocols. Technology can take you only so far, you also have to address the human element too.

1. Bad guys
2. Compromised computers (a few are really "owned" by the bad guys too)
3. Spoofable source addresses (the bad guys "own" their own ISPs too)
4. Open reflectors without rate limits
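The ingress filtering the first reply asks about, and Sean's point 3 (spoofable source addresses), come down to one check at the customer edge: a packet arriving on a customer interface must carry a source address from that customer's assigned space. The following is an added example, not code from the thread or from the paper, that performs that check from a per-interface assignment table and renders the same rule as a Cisco-style inbound access list. The interface names, prefixes and packets are constructed for illustration.

```python
"""Ingress anti-spoofing check at the customer edge.

Added example, not code from the thread or the paper. Interface names,
customer prefixes and packets are constructed for illustration.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed: customer-facing interface -> prefixes assigned to that customer.
# An ISP already keeps this list for routing; the same data drives the filter.
ASSIGNMENTS: Dict[str, List[str]] = {
    "Gi0/1": ["203.0.113.0/24"],
    "Gi0/2": ["198.51.100.0/26", "198.51.100.128/25"],
}

Packet = Tuple[str, str, str]  # (ingress interface, source IP, destination IP)


def build_filter(assignments: Dict[str, List[str]]) -> Dict[str, list]:
    """Parse each interface's prefix list once, up front."""
    return {iface: [ipaddress.ip_network(p) for p in prefixes]
            for iface, prefixes in assignments.items()}


def is_spoofed(iface: str, src: str, nets: Dict[str, list]) -> bool:
    """True if a packet arriving on `iface` carries a source address that the
    customer on that interface was never assigned. Unknown interfaces fail closed."""
    allowed = nets.get(iface)
    if not allowed:
        return True
    addr = ipaddress.ip_address(src)
    return not any(addr in net for net in allowed)


def filter_packets(packets: Iterable[Packet],
                   nets: Dict[str, list]) -> Tuple[List[Packet], List[Packet]]:
    """Split packets into those forwarded and those dropped at the edge."""
    forwarded: List[Packet] = []
    dropped: List[Packet] = []
    for pkt in packets:
        iface, src, _dst = pkt
        (dropped if is_spoofed(iface, src, nets) else forwarded).append(pkt)
    return forwarded, dropped


def cisco_style_acl(name: str, prefixes: list) -> List[str]:
    """Render the same rule as an inbound extended ACL: permit each assigned
    prefix (network address plus wildcard mask), then deny and log the rest."""
    lines = [f"ip access-list extended {name}"]
    for net in prefixes:
        lines.append(f" permit ip {net.network_address} {net.hostmask} any")
    lines.append(" deny ip any any log")
    return lines


if __name__ == "__main__":
    nets = build_filter(ASSIGNMENTS)
    # Constructed packets; the third claims a source from another customer's block.
    sample: List[Packet] = [
        ("Gi0/1", "203.0.113.45", "192.0.2.53"),
        ("Gi0/2", "198.51.100.200", "192.0.2.53"),
        ("Gi0/1", "198.51.100.200", "192.0.2.53"),
    ]
    ok, bad = filter_packets(sample, nets)
    print(f"forwarded={len(ok)} dropped={len(bad)}")
    print("\n".join(cisco_style_acl("CUST-GI0-1-IN", nets["Gi0/1"])))
```

Because the filter is derived from the same assignment data the ISP already maintains for routing, regenerating the ACL whenever an assignment changes is a small scripting job rather than a manual burden, which is the point the reply makes.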
Sean Donelan wrote:
This goes beyond an individual protocol such as DNS. You can generate blowback with many different protocols. Technology can take you only so far, you also have to address the human element too.
1. Bad guys
2. Compromised computers (a few are really "owned" by the bad guys too)
3. Spoofable source addresses (the bad guys "own" their own ISPs too)
4. Open reflectors without rate limits
Each of these is a sound suggestion, some are in debate. The main point is though that although spoofing is to blame for this latest attack *vector* and indeed is a hazard on the Internet with many other possible vectors, it is *not* to blame for this attack. _Not_alone_.

Recursion the way it is set now with most DNS implementations, is the problem being exploited by spoofing. It is true spoofing is bad for our health, but that does not mean we should ignore what actually gets exploited, which is recursive name servers open to the world.

Fixing the one does not mean we shouldn't fix the other.

Going after recursive servers is whack-a-mole all over again; going after how it all works and is set may take a roll-back effect of a few years, but is worth it as a scalable solution. One possible such solution is turning the default recursion "on" to "off". As these things take time, starting is a good first step. :)

Attacks such as this one have been happening for a long time now, none of us should be surprised. Two new things in the *recent* attacks are:
1. Wide exploitation in the wild, which draws attention. After all, until recently most active NANOGers saw no reason to even work on fixing spoofing.
2. Abusing EDNS for a larger amplification factor. Yes, smaller amplification factors work too and their rates can be increased, but if you can send a whole lot more for less, it's obviously more dangerous. How many pings would you rather get back from a broadcast address in a Smurf attack, 30 or 200?

The reason we released the text at this time (before we were ready, we were planning on making it academic-worthy) is that because of the lack of actual data out there and increasing FUD, we were encouraged to do so for the community. That is why in the paper we cover events that happened to ISPs rather than just theoretical case studies.

Gadi.
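Gadi's remediation (recursion off by default for everyone outside your own networks) and his point about EDNS raising the amplification factor can both be made concrete from a resolver's own query log. The following is an added example, not code from the paper or the thread: it computes the wire size of each logged query (with or without an EDNS OPT record), compares it with the logged response size, and flags external clients that are drawing heavily amplified answers. The log format, addresses and served networks are constructed for this example; real server logs differ, so parse_line is the part to adapt.

```python
"""Spot reflection abuse of a recursive resolver from its query log.

Added example, not code from the paper or the thread. The log format is
constructed for this example, one query per line:
  time client qname qtype edns_udp_size_or_dash response_bytes
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List

# Constructed: the networks this resolver is meant to serve.
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

DNS_HEADER = 12     # fixed DNS header
QTYPE_QCLASS = 4    # QTYPE + QCLASS after the encoded name
EDNS_OPT_RR = 11    # an OPT pseudo-record carrying no options

# Constructed log: two local users, one remote client hammering ANY with EDNS,
# one remote client with an ordinary-looking query.
SAMPLE_LOG = """\
2006-03-17T10:00:01 192.0.2.10 www.example.com. A - 60
2006-03-17T10:00:01 198.51.100.7 example.net. ANY 4096 3100
2006-03-17T10:00:02 198.51.100.7 example.net. ANY 4096 3100
2006-03-17T10:00:02 198.51.100.7 example.net. ANY 4096 3100
2006-03-17T10:00:03 192.0.2.22 mail.example.com. MX - 120
2006-03-17T10:00:03 203.0.113.5 example.org. TXT 512 480
"""


def query_size(qname: str, edns: bool) -> int:
    """Wire size of a minimal query: header, encoded name, type/class, plus an
    OPT record when the client advertised EDNS (that is what lets it ask for
    a response far larger than 512 bytes)."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    name_len = sum(1 + len(l) for l in labels) + 1   # length byte per label + root
    return DNS_HEADER + name_len + QTYPE_QCLASS + (EDNS_OPT_RR if edns else 0)


def should_recurse(client: str, local_nets=LOCAL_NETS) -> bool:
    """The remediation argued for above: recurse only for your own users."""
    addr = ipaddress.ip_address(client)
    return any(addr in net for net in local_nets)


def parse_line(line: str) -> dict:
    """Adapt this to the real log format; everything else works on its output."""
    _ts, client, qname, qtype, edns, resp = line.split()
    return {"client": client, "qname": qname, "qtype": qtype,
            "edns": edns != "-", "resp_bytes": int(resp)}


def analyze(lines: List[str], local_nets=LOCAL_NETS) -> Dict[str, dict]:
    """Per-client totals: queries, bytes in, bytes out, amplification ratio,
    ANY count, and whether the client lies outside the served networks."""
    report: Dict[str, dict] = defaultdict(
        lambda: {"queries": 0, "bytes_in": 0, "bytes_out": 0, "any": 0})
    for line in lines:
        if not line.strip():
            continue
        q = parse_line(line)
        r = report[q["client"]]
        r["queries"] += 1
        r["bytes_in"] += query_size(q["qname"], q["edns"])
        r["bytes_out"] += q["resp_bytes"]
        r["any"] += q["qtype"] == "ANY"
    for client, r in report.items():
        r["ratio"] = round(r["bytes_out"] / r["bytes_in"], 1)
        r["external"] = not should_recurse(client, local_nets)
    return dict(report)


def flag_suspects(report: Dict[str, dict], ratio_threshold: float = 20.0) -> List[str]:
    """External clients pulling heavily amplified answers: the reflector pattern.
    Those are the sources whose traffic is most likely spoofed victim addresses."""
    return sorted(c for c, r in report.items()
                  if r["external"] and (r["ratio"] >= ratio_threshold or r["any"]))


if __name__ == "__main__":
    rep = analyze(SAMPLE_LOG.splitlines())
    for client in flag_suspects(rep):
        print(client, rep[client])
```

Two things the numbers show: an ordinary A lookup from a local user comes back at under 2x its query size, while a 40-byte EDNS ANY query answered with 3100 bytes is amplified roughly 77x, and the only reason the remote client gets that answer at all is that should_recurse is not being enforced. Note that the flagged "client" address is the spoofed victim, not the attacker, so the response to a positive finding is to close recursion and rate-limit, not to block the address.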
Recursion the way it is set now with most DNS implementations, is the problem being exploited by spoofing. It is true spoofing is bad for our health, but that does not mean we should ignore what actually gets exploited, which is recursive name servers open to the world.
Fixing the one does not mean we shouldn't fix the other.
But fixing recursion also fixes the internet (fixes as in how you fix a dog) in that he who controls the DNS controls the net. Fixing DNS is going to hand over strict control to governments because now they can prevent you from resolving anything they don't want you to resolve. It also severely cuts into redundancy functions on the net. I realize even if we eliminate spoofing completely, DNS can still be used to flood, but so can any other shared function on the net. We closed relay but I can still flood you with emails by doing a joe-job is a good example. At some point we really need to look at this and ask ourselves is it worth what we must give up in order to eliminate some attack vector and isn't there a better way that doesn't involve us giving up so much. I think in this case the answer is maybe there is a better way, eliminate spoofing or eliminate UDP use in recursive DNS queries are valid options. So in answer to the last part of the above quote, maybe we shouldn't fix the other. (just something to consider)

George Roettger
Netlink Services
Geo. wrote:
Recursion the way it is set now with most DNS implementations, is the problem being exploited by spoofing. It is true spoofing is bad for our health, but that does not mean we should ignore what actually gets exploited, which is recursive name servers open to the world.
Fixing the one does not mean we shouldn't fix the other.
But fixing recursion also fixes the internet (fixes as in how you fix a dog) in that he who controls the DNS controls the net. Fixing DNS is going to hand over strict control to governments because now they can prevent you from resolving anything they don't want you to resolve.
Where did that come from? I respect you but please, let's have a technical discussion. This is important enough for us all to avoid the flame-wars for now. Don't move this thread to politics or lunacies.
On Mon, Mar 20, 2006 at 11:30:46PM +0200, Gadi Evron wrote: ...
Where did that come from? I respect you but please, let's have a technical discussion. This is important enough for us all to avoid the flame-wars for now. Don't move this thread to politics or lunacies. ...
Then leave governments out of it, and re-phrase the question in this way. If one cannot run one's own DNS server on the public Internet, but must rely on a DNS service supplier for your DNS, and at some point you start to wonder about the technical competence or correct configuration of the DNS service supplier whose DNS you are configured to use, and all other DNS servers out there are configured to refuse recursive service except perhaps to their own population, then against what can you compare the DNS service that you are getting, to see whether it is giving you what "the world" should be seeing?

-- Joe Yao
This message is not an official statement of OSIS Center policies.
Joseph S D Yao wrote:
On Mon, Mar 20, 2006 at 11:30:46PM +0200, Gadi Evron wrote: ...
Where did that come from? I respect you but please, let's have a technical discussion. This is important enough for us all to avoid the flame-wars for now. Don't move this thread to politics or lunacies.
...
Then leave governments out of it, and re-phrase the question in this way. If one cannot run one's own DNS server on the public Internet, but must rely on a DNS service supplier for your DNS, and at some point you start to wonder about the technical competence or correct configuration of the DNS service supplier whose DNS you are configured to use, and all other DNS servers out there are configured to refuse recursive service except perhaps to their own population, then against what can you compare the DNS service that you are getting, to see whether it is giving you what "the world" should be seeing?
That is exactly what worries me. In Germany censoring is commonplace. You have to use foreign resolvers to escape it. There is a lot of collateral damage too - government has provided the tools. Corrupt people use it to play tricks on their "friends". How about alternative roots? ICANN does censor "XN--55QX5D.", "XN--FIQS8S." and "XN--IO0A7I." already. You must use alternative roots to exchange emails with people living in those domains. Banning open resolvers means censoring for a lot of people, at least if they cannot run their own servers.

Regards
Peter and Karin Dambier

--
Peter and Karin Dambier
The Public-Root Consortium
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)
mail: peter@peter-dambier.de
mail: peter@echnaton.serveftp.com
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
On Mon, 20 Mar 2006, Peter Dambier wrote:
How about alternative roots? ICANN does censor "XN--55QX5D.", "XN--FIQS8S." and "XN--IO0A7I." already. You must use alternative roots to exchange emails with people living in those domains.
Stop with the bull$**+ (self-censored), trying to recast the "censorship" light on the issue of alternate roots. ICANN is censoring nothing; it's "alternative" roots that are taking it upon themselves not to go through a standardization process by creating nonstandard naming trees. I encourage you to look up the English definition of "censor" sometime. -- -- Todd Vierling <tv@duh.org> <tv@pobox.com> <todd@vierling.name>
* Peter Dambier:
In Germany censoring is commonplace. You have to use foreign resolvers to escape it. There is a lot of collateral damage too - government has provided the tools.
This is not true. There has been some questionable advice by a regulatory body, though. Most damage is done by ISPs which simply do not adjust the filters to the moving target and run them as-is since 2001 or so. Null routes tend to filter a different customer after such a long time.
How about alternative roots? ICANN does censor "XN--55QX5D.", "XN--FIQS8S." and "XN--IO0A7I." already. You must use alternative roots to exchange emails with people living in those domains.
Unfortunately, they also censor "ENYO.".
Florian Weimer wrote:
* Peter Dambier:
In Germany censoring is commonplace. You have to use foreign resolvers to escape it. There is a lot of collateral damage too - government has provided the tools.
This is not true. There has been some questionable advice by a regulatory body, though. Most damage is done by ISPs which simply do not adjust the filters to the moving target and run them as-is since 2001 or so. Null routes tend to filter a different customer after such a long time.
Here it is documented. Sorry it is in German only:
http://odem.org/informationsfreiheit/
http://www.ccc.de/censorship/?language=de
http://www.netzzensur.de/demo/
http://www.politik-digital.de/edemocracy/netzrecht/dorf.shtml
http://www.zdnet.de/news/software/0,39023144,2124117,00.htm

A local city chieftain could claim ownership of an internet site located in the USA and even capture their emails. As far as I am informed the censorship at some ISPs is still active but they claim no longer to be their mailhost. I was informed of this DNS forgery because of the collateral damage done. Several sites were censored and could only escape by changing providers. At least one of the providers is bankrupt today. I don't know if censoring was the reason why.
How about alternative roots? ICANN does censor "XN--55QX5D.", "XN--FIQS8S." and "XN--IO0A7I." already. You must use alternative roots to exchange emails with people living in those domains.
Unfortunately, they also censor "ENYO.".
That is the reason why :) Nevertheless I could see the site "http://www.enyo/" after adding "212.9.189.164 www.enyo enyo" to my /etc/hosts. Maybe I could even send you emails?

Kind regards
Peter and Karin Dambier

--
Peter and Karin Dambier
* Peter Dambier:
This is not true. There has been some questionable advice by a regulatory body, though. Most damage is done by ISPs which simply do not adjust the filters to the moving target and run them as-is since 2001 or so. Null routes tend to filter a different customer after such a long time.
Here it is documented. Sorry it is in german only:
Yeah, sure, but your summary is misleading (convenient it's "German only", is it?). The actual damage was done by ISPs, that body only gave questionable advice. Afterwards, most ISPs simply didn't care, in the sense that they didn't maintain the filters.
Several sites were censored and could only escape by changing providers.
It's more interesting if you can't do this. A null route on a router in Frankfurt sometimes does wonders. It's also fairly effective to null-route what is logically a downstream customer, even if it's outside your network (by a few AS hops) and somewhere in Asia. Such things happen all the time, and not just for DDoS prevention purposes or malware containment. Some of the filters are clearly targeted at specific content which is deemed unsuitable for consumption by Germans. Such cases are not well-publicized. Often, you can't tell them from genuine routing problems (and if you've got insider information, you typically can't publish). I don't think this is just a German or Chinese problem, by the way.
Nevertheless I could see the site "http://www.enyo/" after adding "212.9.189.164 www.enyo enyo" to my /etc/hosts Maybe even could send you emails?
No, because I don't actually use ENYO. 8->
On Wed, Mar 22, 2006 at 08:33:55PM +0100, Florian Weimer wrote:
* Peter Dambier: ...
How about alternative roots? ICANN does censor "XN--55QX5D.", "XN--FIQS8S." and "XN--IO0A7I." already. You must use alternative roots to exchange emails with people living in those domains.
Unfortunately, they also censor "ENYO.".
"You keep using that word. I do not think it means what you think it means." The English-language dictionary does not contain the words willkommen or verstehen. But that is NOT censorship. It is simply because those words are not defined in that language. The current root name servers - the REAL ones - have a limited set of domains that are defined in them. They are not censoring any others. The others are simply not (yet?) defined. I am sure that some have been submitted and rejected. I believe that most of them have not even been submitted. Please drop this word "censor", since you hopefully now have a better understanding of what it does NOT mean. And, as someone else pointed out, you can always use your "hosts" file if you want to have your own set of defined names that are not part of shared DNS. -- Joe Yao ----------------------------------------------------------------------- This message is not an official statement of OSIS Center policies.
Please don't take ICANN censoring "XN--55QX5D.", "XN--FIQS8S." and "XN--IO0A7I." seriously. Meant as a joke. Did not make it. Sorry!

Joseph S D Yao wrote:
"You keep using that word. I do not think it means what you think it means."
My dictionary says censor is from Latin. A magistrate, let's call him a politician like
http://odem.org/akteure/juergen-buessow.de.html
http://www.wdr.de/themen/politik/nrw/demo_internetzensur/index.jhtml
http://www.heise.de/tp/r4/artikel/12/12733/1.html

Sorry I have this guy only in German. This guy ordered some local ISPs to make sites unavailable, mostly by forging DNS entries kept in their local resolvers. I was told by people involuntarily working for him that more than 6000 sites were involved. Quite a lot of them collateral damage.

The Latin version says this guy is taking things out of books so the ordinary Roman was not annoyed by distasteful things. I guess you see the irony. Büssow meant to keep journalists from seeing sites in the USA and Canada that would be prosecuted in Germany. His helpers felt invited to do a lot more good and played some tricks on their "friends". In Germany we do not pick a leaf from a tree. We cut the tree and dig out the root.

If you have to live with a resolver that is answering as slowly as this one

; <<>> DiG 9.1.3 <<>> www.peter-dambier.de @www-proxy.UL1.srv.t-online.de
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1092
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.peter-dambier.de. IN A

;; ANSWER SECTION:
www.peter-dambier.de. 6000 IN A 82.165.62.90

;; Query time: 2118 msec
;; SERVER: 217.237.150.141#53(www-proxy.UL1.srv.t-online.de)
;; WHEN: Thu Mar 23 13:59:57 2006
;; MSG SIZE rcvd: 54

my local ISP, then you feel tempted to use a foreign resolver. So for me running my own independent resolver was a must. But many of my colleagues are not computer science people. Many of the poor buggers are running some flavour of Windows. For them it is life behind the big Chinese firewall if they cannot find an open resolver.

Please excuse if I overreact a bit on this matter.
Cheers
Peter and Karin (Karin is a writer too, but she is not the computer woman :)

--
Peter and Karin Dambier
On Thu, Mar 23, 2006 at 02:07:36PM +0100, Peter Dambier wrote:
Please dont take ICANN censoring "XN--55QX5D.", "XN--FIQS8S." and "XN--IO0A7I." serious. Ment as a joke. Did not make it. Sorry!
I see. Thanks for the info. My observation of human senses of humor is that humor is a mutual rejection of information that shared experience says is not credible in the shared frame of reality. Jokes that tend not to be understood tend to be because the recipient of the joke does not share sufficient frame of reality with the transmitter to ascertain that this is in fact believed by both to be contrary to that frame of reality. Or maybe that's just my own warped way of seeing it. But, no, I'm sorry but I didn't realize it was a joke. ;-)
Joseph S D Yao wrote:
"You keep using that word. I do not think it means what you think it means."
This was a quote from the movie, "The Princess Bride", which a number of people - some of whom surprise me by this - seem to like to quote a lot.
My dictionary says censor is from Latin. A magistrate, let's call him a politician like
http://odem.org/akteure/juergen-buessow.de.html
http://www.wdr.de/themen/politik/nrw/demo_internetzensur/index.jhtml
http://www.heise.de/tp/r4/artikel/12/12733/1.html
Quite apt. This is exactly right. He removed things that were, shall we say, difficult to reconcile with the official Roman reality. Too many people still try to do this.
Sorry I have this guy only in german.
This guy ordered some local ISPs to make sites unavailable, mostly by forging DNS entries kept in their local resolvers. I was told by people involuntarily working for him that more than 6000 sites were involved. Quite a lot of them collateral damage.
The Latin version says this guy is taking things out of books so the ordinary Roman was not annoyed by distasteful things. I guess you see the irony.
In reference to the German politician, it is more than irony, it fits. In reference to ICANN, not so good a fit. It was to that, that I had been reacting.
Büssow meant to keep journalists from seeing sites in the USA and Canada that would be prosecuted in Germany.
His helpers felt invited to do a lot more good and played some tricks on their "friends". In Germany we do not pick a leaf from a tree. We cut the tree and dig out the root.
;-] That trait has been observed by other national observers, yes, although I don't think I've seen that fine analogy before.
If you have to live with a resolver that is answering as slowly as this one
; <<>> DiG 9.1.3 <<>> www.peter-dambier.de @www-proxy.UL1.srv.t-online.de
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1092
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.peter-dambier.de. IN A

;; ANSWER SECTION:
www.peter-dambier.de. 6000 IN A 82.165.62.90

;; Query time: 2118 msec
;; SERVER: 217.237.150.141#53(www-proxy.UL1.srv.t-online.de)
;; WHEN: Thu Mar 23 13:59:57 2006
;; MSG SIZE rcvd: 54
my local ISP, then you feel tempted to use a foreign resolver. So for me running my own independent resolver was a must.
Considering how often DNS is called in the background for many simple transactions, a 2.118-second lookup is unconscionable. I agree with your analysis.
But many of my colleagues are not computer science people. Many of the poor buggers are running some flavour of Windows. For them it is life behind the big Chinese firewall if they cannot find an open resolver.
Please excuse if I overreact a bit on this matter.
Whatever our disagreements on other matters, on this one I am in full sympathy with you. ;-) ;-(

-- Joe Yao
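Joe's reading of the dig output above (2.118 seconds for a cached A record) is the kind of check worth automating when you compare your ISP's resolver against your own. The following is an added example, not code from the thread, that parses dig's text output into its fields and reports three things a practitioner looks for: whether the server offers recursion (the ra flag), whether the answer is authoritative (aa), and whether the lookup was slow. The input is the dig output quoted in the thread; SLOW_MS is a constructed threshold.

```python
"""Parse dig output and report what a resolver check should look at.

Added example, not code from the thread. DIG_OUTPUT is the output quoted in
the message above; SLOW_MS is a constructed threshold.
"""
import re
from typing import Dict, List

SLOW_MS = 500  # constructed: slower than this for a cached answer is worth a look

DIG_OUTPUT = """\
; <<>> DiG 9.1.3 <<>> www.peter-dambier.de @www-proxy.UL1.srv.t-online.de
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1092
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.peter-dambier.de. IN A

;; ANSWER SECTION:
www.peter-dambier.de. 6000 IN A 82.165.62.90

;; Query time: 2118 msec
;; SERVER: 217.237.150.141#53(www-proxy.UL1.srv.t-online.de)
;; WHEN: Thu Mar 23 13:59:57 2006
;; MSG SIZE rcvd: 54
"""


def parse_dig(text: str) -> Dict:
    """Extract status, flags, answer records, query time, server and message size."""
    result: Dict = {"status": None, "flags": [], "answers": [],
                    "query_time_ms": None, "server": None, "msg_size": None}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";; ->>HEADER<<-"):
            m = re.search(r"status: (\w+)", line)
            result["status"] = m.group(1) if m else None
        elif line.startswith(";; flags:"):
            # "flags: qr rd ra; QUERY: 1, ..." -> ["qr", "rd", "ra"]
            result["flags"] = line[len(";; flags:"):].split(";")[0].split()
        elif line.startswith(";; Query time:"):
            result["query_time_ms"] = int(re.search(r"(\d+) msec", line).group(1))
        elif line.startswith(";; SERVER:"):
            result["server"] = line.split(":", 1)[1].strip()
        elif line.startswith(";; MSG SIZE"):
            result["msg_size"] = int(re.search(r"rcvd: (\d+)", line).group(1))
        elif line.startswith(";; ") and line.endswith(" SECTION:"):
            section = line[3:-len(" SECTION:")]
        elif line.startswith(";"):
            continue  # banner, "Got answer", the question line
        elif section == "ANSWER":
            name, ttl, klass, rtype, rdata = line.split(None, 4)
            result["answers"].append({"name": name, "ttl": int(ttl), "class": klass,
                                      "type": rtype, "rdata": rdata})
    return result


def assess(parsed: Dict, slow_ms: int = SLOW_MS) -> List[str]:
    """Findings a defender cares about, as short codes."""
    findings = []
    if "ra" in parsed["flags"]:
        # The server will recurse for us. Asked from outside its own network,
        # that is exactly the open resolver the paper describes.
        findings.append("recursion-offered")
    if "aa" not in parsed["flags"]:
        findings.append("non-authoritative")
    if parsed["query_time_ms"] is not None and parsed["query_time_ms"] > slow_ms:
        findings.append("slow")
    return findings


if __name__ == "__main__":
    p = parse_dig(DIG_OUTPUT)
    print(p["status"], p["flags"], p["query_time_ms"], "ms", p["msg_size"], "bytes")
    for a in p["answers"]:
        print(a["name"], a["ttl"], a["type"], a["rdata"])
    print("findings:", assess(p))
```

Run the same parser over the output of several resolvers (your ISP's, your own, a looking glass) and compare the answer sections; differing rdata for the same name is the "DNS forgery" Peter describes, and a long query time for a cached record is the latency Joe objects to.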
Joseph S D Yao wrote: [...]
service except perhaps to their own population, than against what can you compare the DNS service that you are getting, to see whether it is giving you what "the world" should be seeing?
DNS looking glasses, in much the same way that we use web-form based BGP or traceroute looking glasses today.
On Tue, Mar 21, 2006 at 07:09:49AM +0000, Andy Davidson wrote:
Joseph S D Yao wrote: [...]
service except perhaps to their own population, than against what can you compare the DNS service that you are getting, to see whether it is giving you what "the world" should be seeing?
DNS looking glasses, in much the same way that we use web-form based BGP or traceroute looking glasses today.
Yes, I think I wrote one of those. ;-) It would have to become a common service to allow folks to trust the service [by comparing outputs].

-- Joe Yao
* Andy Davidson:
DNS looking glasses, in much the same way that we use web-form based BGP or traceroute looking glasses today.
Open resolvers are far better than looking glasses to assess the state of DNS, and we are campaigning against them. You can't have it both ways. 8-(
Florian Weimer wrote:
* Andy Davidson:
DNS looking glasses, in much the same way that we use web-form based BGP or traceroute looking glasses today.
Open resolvers are far better than looking glasses to assess the state of DNS, and we are campaigning against them. You can't have it both ways. 8-(
It is not as good as an open resolver but maybe IEN116 nameservers (the old port 42 nameserver) could do too, but maybe some Windows boxes would break. Originally the port 42 nameserver was left for dying but with AXFR gone and open resolvers gone it might be a good idea to give them a revival.

Cheers
Peter and Karin

--
Peter and Karin Dambier
DNS looking glasses, in much the same way that we use web-form based BGP or traceroute looking glasses today.
Open resolvers are far better than looking glasses to assess the state of DNS, and we are campaigning against them. You can't have it both ways. 8-(
What is the definition of "DNS Looking Glass"? If it is a PERL CGI script then I would agree with you. If it is a DNS proxy that applies rate limiting and damping then I disagree with you. --Michael Dillon
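Michael's distinction matters because a looking glass that forwards DNS queries for anyone is itself a reflector unless it bounds what it will answer per client. The following is an added example, not code from the thread or from any looking glass mentioned in it, of the rate limiting and damping he describes: a per-client token bucket that allows a short burst, refills at a fixed rate, and blocks a client for a doubling penalty interval each time it runs the bucket dry. The clock is passed in explicitly so the behaviour is deterministic; the rates, bursts and penalties are constructed defaults.

```python
"""Per-client rate limiting with damping for a DNS looking glass.

Added example, not code from the thread or from any looking glass mentioned
in it. Rates, burst sizes and penalties are constructed defaults.
"""
from typing import Dict, Iterable, List, Tuple


class LookingGlassLimiter:
    """Token bucket per client, plus a doubling block interval for repeat offenders."""

    def __init__(self, rate_per_sec: float = 1.0, burst: int = 5, penalty_sec: float = 60.0):
        self.rate = rate_per_sec
        self.burst = burst
        self.penalty = penalty_sec
        self._buckets: Dict[str, Tuple[float, float]] = {}   # client -> (tokens, last seen)
        self._blocked_until: Dict[str, float] = {}
        self._strikes: Dict[str, int] = {}

    def allow(self, client: str, now: float) -> bool:
        """Return True if the client's query may be forwarded at time `now` (seconds)."""
        if self._blocked_until.get(client, 0.0) > now:
            return False
        tokens, last = self._buckets.get(client, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self._buckets[client] = (tokens - 1.0, now)
            return True
        # Bucket empty: record the strike and damp. Each repeat doubles the block,
        # so a client that keeps pushing gets progressively less out of the proxy.
        self._buckets[client] = (tokens, now)
        strikes = self._strikes.get(client, 0) + 1
        self._strikes[client] = strikes
        self._blocked_until[client] = now + self.penalty * (2 ** (strikes - 1))
        return False

    def blocked_for(self, client: str, now: float) -> float:
        """Seconds the client stays blocked from `now`, or 0.0 if not blocked."""
        return max(0.0, self._blocked_until.get(client, 0.0) - now)


def serve(limiter: LookingGlassLimiter,
          requests: Iterable[Tuple[str, float, str]]
          ) -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Run (client, time, qname) requests through the limiter; return (forwarded, refused)."""
    forwarded: List[Tuple[str, str]] = []
    refused: List[Tuple[str, str]] = []
    for client, now, qname in requests:
        (forwarded if limiter.allow(client, now) else refused).append((client, qname))
    return forwarded, refused


if __name__ == "__main__":
    # Constructed traffic: one client bursts past the limit, another stays within it.
    lim = LookingGlassLimiter(rate_per_sec=1.0, burst=3, penalty_sec=30.0)
    reqs = [("198.51.100.7", 0.0, "example.net."),
            ("198.51.100.7", 0.1, "example.net."),
            ("198.51.100.7", 0.2, "example.net."),
            ("198.51.100.7", 0.3, "example.net."),
            ("192.0.2.10", 0.3, "www.example.com.")]
    ok, no = serve(lim, reqs)
    print(f"forwarded={len(ok)} refused={no}")
    print("blocked for", lim.blocked_for("198.51.100.7", 0.3), "s")
```

Keyed on the requesting client and placed in front of the query, this is the property that separates a looking glass from an open resolver: a human comparing resolvers gets answers, while a flood sourced from (or spoofed as) one address gets a handful of responses and then silence.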
On Thu, Mar 23, 2006 at 09:35:34AM +0000, Michael.Dillon@btradianz.com wrote:
DNS looking glasses, in much the same way that we use web-form based BGP or traceroute looking glasses today.
Open resolvers are far better than looking glasses to assess the state of DNS, and we are campaigning against them. You can't have it both ways. 8-(
What is the definition of "DNS Looking Glass"? If it is a PERL CGI script then I would agree with you. If it is a DNS proxy that applies rate limiting and damping then I disagree with you.
I believe he's talking about things like the Looking Glass Web sites. The one I wrote was a simple hardened shell script that called local resources to do its thing.

-- Joe Yao
Much of the enterprise market seems wedded to Visio as their network graphics tool, which locks them into Windows. Personally, I hate both little pictures of equipment and Cisco hockey-puck icons; I much prefer things like rectangles saying "7507 STL-1" or "M160 NYC-3". Assuming you use *NIX platforms (including BSD under Mac OS X), what are your preferred tools for network drawings, both for internal and external use? I'd hate to be driven to Windows only because I need Visio.
On Tue, Mar 21, 2006 at 09:17:44PM -0500, Howard C. Berkowitz wrote:
Much of the enterprise market seems wedded to Visio as their network graphics tool, which locks them into Windows. Personally, I hate both little pictures of equipment and Cisco hockey-puck icons; I much prefer things like rectangles saying "7507 STL-1" or "M160 NYC-3".
Not sure how preferring things like rectangles stops you from using Visio, but *shrug*
Assuming you use *NIX platforms (including BSD under Mac OS X), what are your preferred tools for network drawings, both for internal and external use? I'd hate to be driven to Windows only because I need Visio.
If you're doing diagrams for internal use and know the chances of them being used with external parties is slim-to-none, go ahead, play with toys like dia. Omnigraffle looks hopeful, but haven't personally used. On the other hand, if you are doing professional business communications I'd seriously consider getting vmware and Visio. I might be a little backward to many here, as I work for a consulting company and 95% of what we do is client-facing. Maybe, more accurately, if you never expect anybody other than you to edit your work, Visio's not a necessity. PDFs are almost 100% acceptable, with a few losers left who won't install a reader. Not trying to start a Visio religious war, just saying there's a reason enterprises use it. Random thought - think Visio's capabilities are about as underused as Excel's...

John
On Tue, 21 Mar 2006, John Kinsella wrote:
> If you're doing diagrams for internal use and know the chances of them
> being used with external parties is slim-to-none, go ahead, play with
> toys like dia. Omnigraffle looks hopeful, but haven't personally used.

Omnigraffle can read/write Visio XML format, .vdx. It's not Visio's default file format, but it does give you 100% compatibility.

-Bill
An entity claiming to be John Kinsella (jlk@thrashyour.com) wrote:
:
: Not trying to start a Visio religious war, just saying there's a reason
: enterprises use it.
:
And it's not just that they think that having thousands of open stencil windows is impressive when you open a single diagram?

Mark

--
[]                    | I once saw a page that said, "This page best viewed
[] Mark Rogaski       | by coming over to my office and looking at it on my
[] wendigo@pobox.com  | monitor." You don't often see honesty like that.
[] mrogaski@cpan.org  |     -- Jamie Zawinski
[]                    |
On Tue, 21 Mar 2006, Mark Rogaski wrote:
An entity claiming to be John Kinsella (jlk@thrashyour.com) wrote:
:
: Not trying to start a Visio religious war, just saying there's a reason
: enterprises use it.
:
And it's not just that they think that having thousands of open stencil windows is impressive when you open a single diagram?
If you save the document without any surplus stencil windows open, that doesn't happen. In my experience it simply remembers how many were open the last time it was saved, and reopens all the same ones again assuming they're available. And this is rapidly moving OT ...
Yo Howard!

On Tue, Mar 21, 2006 at 09:17:44PM -0500, Howard C. Berkowitz wrote:
Much of the enterprise market seems wedded to Visio as their network graphics tool, which locks them into Windows. Personally, I hate both little pictures of equipment and Cisco hockey-puck icons; I much prefer things like rectangles saying "7507 STL-1" or "M160 NYC-3".
I am surprised no one has mentioned Open Office 2. Its drawing function can do a lot of Visio-like things. I like it a lot better than dia and it does all the network drawing that I need.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
gem@rellim.com Tel:+1(541)382-8588
If you're doing diagrams for internal use and know the chances of them being used with external parties is slim-to-none, go ahead, play with toys like dia.
Rather strong opinion...
PDFs are almost 100% acceptable, with a few losers left who won't install a reader.
Hey, wait a minute! DIA can export as Postscript and ghostscript can turn those into PDFs. Therefore, you have contradicted your earlier assertion. By the way, there are other possibilities with DIA as well. It is scriptable with Python so you can do useful things like validate a diagram against the network. http://www.gnome.org/projects/dia/python.html There is also diacanvas2 which allows you to integrate the DIA drawing canvas into your application. http://diacanvas.sourceforge.net/ With diacanvas and python, you make an interactive network diagram and bundle it into a Windows .exe file to distribute to the sales force so they can do stuff like zoom in and out. Fact is, that the availability of reasonably featured and stable Open Source software has mushroomed over the past few years. --Michael Dillon
On Tue, 21 Mar 2006 16:20:19 -1000, Randy Bush <randy@psg.com> wrote:
xfig
And something I learned only recently -- xfig comes with a large library of clip art. Here are the categories on my system:
$ ls /usr/pkg/lib/X11/xfig/Libraries/
Arrows        Electronic  Labels          Optics
Audiovisual   Examples    Logic           Origami
Buildings     Flags       Maps            ProcessFlowsheet
Charts        Flowchart   Mechanical_DIN  Structural_Analysis
Computers     Furniture   Miscellaneous   UML
DSP           GUI         Music           Welding
ERD           Hospital    Networks
Electrical    Knitting    OfficeEquip
And if you must, Networks/router3.fig is a hockey puck.... --Steven M. Bellovin, http://www.cs.columbia.edu/~smb
On Mar 21, 2006, at 6:17 PM, Howard C. Berkowitz wrote:
Much of the enterprise market seems wedded to Visio as their network graphics tool, which locks them into Windows. Personally, I hate both little pictures of equipment and Cisco hockey-puck icons; I much prefer things like rectangles saying "7507 STL-1" or "M160 NYC-3".
Assuming you use *NIX platforms (including BSD under Mac OS X), what are your preferred tools for network drawings, both for internal and external use? I'd hate to be driven to Windows only because I need Visio.
I use OmniGraffle Pro for OS/X: http://www.omnigroup.com/applications/omnigraffle/pro/ It can import and export Visio XML format, as well. ---------------------------------------------------------------------- Roland Dobbins <rdobbins@cisco.com> // 408.527.6376 voice Everything has been said. But nobody listens. -- Roger Shattuck
KDE has a "Visio-like" tool called kivio. It was pretty much useless last I looked, but looks like it has some potential. Think I heard that you would be able to use the Visio format at some point too, probably not yet though. http://www.koffice.org/kivio/ I've used dia a bit, seems reasonable. http://www.gnome.org/projects/dia/ -Wil Howard C. Berkowitz wrote:
Much of the enterprise market seems wedded to Visio as their network graphics tool, which locks them into Windows. Personally, I hate both little pictures of equipment and Cisco hockey-puck icons; I much prefer things like rectangles saying "7507 STL-1" or "M160 NYC-3".
Assuming you use *NIX platforms (including BSD under Mac OS X), what are your preferred tools for network drawings, both for internal and external use? I'd hate to be driven to Windows only because I need Visio.
On Tue, 21 Mar 2006, Howard C. Berkowitz wrote:
> Much of the enterprise market seems wedded to Visio as their network graphics tool, which locks them into Windows. Personally, I hate both little pictures of equipment and Cisco hockey-puck icons; I much prefer things like rectangles saying "7507 STL-1" or "M160 NYC-3".
> Assuming you use *NIX platforms (including BSD under Mac OS X), what are your preferred tools for network drawings, both for internal and external use? I'd hate to be driven to Windows only because I need Visio.
Omnigraffle! http://www.omnigroup.com/applications/omnigraffle/ -Bill
On Tue, 21 Mar 2006, Howard C. Berkowitz wrote:
Much of the enterprise market seems wedded to Visio as their network graphics tool, which locks them into Windows. Personally, I hate both little pictures of equipment and Cisco hockey-puck icons; I much prefer things like rectangles saying "7507 STL-1" or "M160 NYC-3".
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ That's exactly what my network diagrams in dia look like. You can get dia for *NIX and Blows (if you want it).
----------------------------------------------------------------------
Jon Lewis                 | I route
Senior Network Engineer   | therefore you are
Atlantic Net              |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
Howard C. Berkowitz wrote:
Much of the enterprise market seems wedded to Visio as their network graphics tool, which locks them into Windows. Personally, I hate both little pictures of equipment and Cisco hockey-puck icons; I much prefer things like rectangles saying "7507 STL-1" or "M160 NYC-3".
Assuming you use *NIX platforms (including BSD under Mac OS X), what are your preferred tools for network drawings, both for internal and external use? I'd hate to be driven to Windows only because I need Visio.
http://www.nethack.net/software/netmapr/ is an alternative as well. I personally use Dia, and it seems fine in both OS types, and exports various types of files that [OOo/MS-office] can deal with easily. You can download shapes for a variety of presenters/office/visio/etc from the cisco website (as well as others). Cheers, andy
Mechanical pencil, a sheet of paper for a straight edge, and a penny when you want to make a professional looking round object. I publish to Flickr using macro mode on my Fuji Finepix 5100 to make the picture. No little Cisco hockey puck stencils, but last year when I sketched a steaming pile o' poo all parties involved understood this to be the Cisco ICS 7750 we were scheduled to replace. Howard C. Berkowitz wrote:
Much of the enterprise market seems wedded to Visio as their network graphics tool, which locks them into Windows. Personally, I hate both little pictures of equipment and Cisco hockey-puck icons; I much prefer things like rectangles saying "7507 STL-1" or "M160 NYC-3".
Assuming you use *NIX platforms (including BSD under Mac OS X), what are your preferred tools for network drawings, both for internal and external use? I'd hate to be driven to Windows only because I need Visio.
-- mailto:Neal@Layer3Arts.com // IM:layer3arts voice: 402 408 5951 cell : 402 301 9555 fax : 402 408 6902
I've had pretty good luck with OmniGraffle Professional, and, it's fairly cheap, too. Has many of the features Visio has, and, is gaining more on a regular basis. It lacks the Visio silly pictures (although you could create your own easily enough), but, it does understand connections between objects and has some more advanced metadata features I haven't yet learned to use. It's also got half-way decent auto-layout capabilities. http://www.omnigroup.com Owen --On March 21, 2006 9:17:44 PM -0500 "Howard C. Berkowitz" <hcb@gettcomm.com> wrote:
Much of the enterprise market seems wedded to Visio as their network graphics tool, which locks them into Windows. Personally, I hate both little pictures of equipment and Cisco hockey-puck icons; I much prefer things like rectangles saying "7507 STL-1" or "M160 NYC-3".
Assuming you use *NIX platforms (including BSD under Mac OS X), what are your preferred tools for network drawings, both for internal and external use? I'd hate to be driven to Windows only because I need Visio.
-- If this message was not signed with gpg key 0FE2AA3D, it's probably a forgery.
Hi Howard, On Tue, 21 Mar 2006 21:17:44 -0500 "Howard C. Berkowitz" <hcb@gettcomm.com> wrote:
Much of the enterprise market seems wedded to Visio as their network graphics tool, which locks them into Windows. Personally, I hate both little pictures of equipment and Cisco hockey-puck icons; I much prefer things like rectangles saying "7507 STL-1" or "M160 NYC-3".
Assuming you use *NIX platforms (including BSD under Mac OS X), what are your preferred tools for network drawings, both for internal and external use? I'd hate to be driven to Windows only because I need Visio.
I've been using inkscape (http://www.inkscape.org/) a bit recently, and haven't found it too bad for basic box network drawings. Its native format is SVG, although make sure you save your working diagrams in the Inkscape SVG format. If you save it as "normal" SVG, all the objects get merged into a single one - annoying if you want to go back and edit it later. I haven't tried it, however there is a probability that Firefox 1.5 can view the .SVGs Inkscape produces natively. Regards, Mark. -- "Sheep are slow and tasty, and therefore must remain constantly alert." - Bruce Schneier, "Beyond Fear"
On Wed, 22 Mar 2006 19:07:59 +1030, Mark Smith <random@72616e646f6d20323030342d30342d31360a.nosense.org> wrote:
I haven't tried it, however there is a probability that Firefox 1.5 can view the .SVGs Inkscape produces natively.
In general, I don't know; however, the copy on my laptop (Firefox 1.5.0.1 on NetBSD-current) can display .svg files that happen to be on my laptop. I haven't tried retrieving any over the net, where MIME types are important. --Steven M. Bellovin, http://www.cs.columbia.edu/~smb
Attacks such as this one have been happening for a long time now; none of us should be surprised. Two new things in the *recent* attacks are:
1. Wide exploitation in the wild, which draws attention.
that the press has been told about it this time, is new. the scope of the attack, either in breadth or intensity, is not new in these recent attacks.
2. Abusing EDNS for a larger amplification factor.
the use of EDNS is not new in these recent attacks, either.
The reason we released the text at this time (before we were ready, we were planning on making it academic-worthy) is that because of the lack of actual data out there and increasing FUD, we were encouraged to do so for the community.
any blame-putting on DNS or EDNS that fails to also mention amplification that's possible via NTP or the fact that reflector attacks based on ICMP are still common and practical even without smurf amplification, is itself FUD.
That is why in the paper we cover events that happened to ISPs rather than just theoretical case studies.
in the paper i reviewed, the practical case studies were useful. -- Paul Vixie
On Fri, Mar 17, 2006 at 03:27:03PM -0800, ennova2005-nanog@yahoo.com wrote:
That ISPs still do not filter inbound traffic from their customers to prevent source spoofing is amazing.
The fact that there are vendors out there that do not support RPF filtering is even more amazing. --- Wayne Bouchard web@typo.org Network Dude http://www.typo.org/~web/
participants (27)
- Andrew Burnette
- Andy Davidson
- Bill Woodcock
- ennova2005-nanog@yahoo.com
- Florian Weimer
- Gadi Evron
- Gary E. Miller
- Geo.
- Howard C. Berkowitz
- John Kinsella
- Jon Lewis
- Joseph S D Yao
- Mark Foster
- Mark Rogaski
- Mark Smith
- Michael.Dillon@btradianz.com
- neal rauhauser
- Owen DeLong
- Paul Vixie
- Peter Dambier
- Randy Bush
- Roland Dobbins
- Sean Donelan
- Steven M. Bellovin
- Todd Vierling
- Wayne E. Bouchard
- Wil Schultz