Re: [jim@cyberjunkees.com: Re: FW: Worm probes]
W32.Nimda.A(a)mm

GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir
GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir

We're getting hit at about 72 hits per minute, mostly from 203.x.x.x

Robbie Gernandt
Network Consultant
Wilson & Horton Ltd

***************************************************************************
This may contain privileged and confidential information intended only for the use of the intended recipient. If you are not the intended recipient of this message, any use, dissemination, distribution or reproduction of this message is prohibited. Any views expressed in this message are those of the individual sender and may not necessarily reflect the views of Wilson & Horton Limited. For more information on Wilson & Horton please visit our web site at http://www.wilsonandhorton.co.nz
***************************************************************************
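The three request lines above are one traversal written three ways: `%255c` is a double-encoded backslash, `%%35%63` is the same trick with the inner `%5c` itself spelled as escapes, and `%c1%1c` is a two-byte "UTF-8" sequence that a lenient decoder turns into 0x5c. The script below is an added example (not from this thread and not Microsoft's code): it approximates the IIS decoding behaviour those probes depended on, resolves each path, and reports which requests actually climb out of the virtual directory. The log lines are constructed from the three probes plus one benign request; the decoding order and byte handling are assumptions made for illustration, not a reference implementation of IIS.

```python
"""
Decode the IIS path-traversal probes quoted above.

Added example, not code from the thread or from Microsoft. The decoder
below is an approximation (an assumption, not IIS source) of the two
IIS 4/5 decoding flaws these probe strings rely on:
  * lenient two-byte "UTF-8": %c1%1c is accepted and becomes 0x5c '\'
    (the Unicode traversal bug, MS00-078)
  * a second percent-decode after the path check: %255c -> %5c -> '\'
    (the superfluous decoding bug, MS01-026)
"""
import re

# Constructed sample: the three Nimda probes plus one benign request whose
# query string happens to contain "cmd.exe" (a substring counter would count it).
SAMPLE_LOG = [
    "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir",
    "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir",
    "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir",
    "GET /scripts/search.exe?q=cmd.exe",
]

_PCT = re.compile(rb"%([0-9A-Fa-f]{2})")


def percent_decode_lenient(data: bytes) -> bytes:
    """Decode %XX escapes; a '%' not followed by two hex digits is left alone."""
    return _PCT.sub(lambda m: bytes([int(m.group(1).decode(), 16)]), data)


def utf8_decode_lenient(data: bytes) -> bytes:
    """Collapse lead+trail byte pairs without checking that the trail byte is
    10xxxxxx or that the encoding is the shortest form. Only results that
    land in ASCII are kept, which is exactly where '/' and '\\' live."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data):
            cp = ((b & 0x1F) << 6) | (data[i + 1] & 0x3F)
            if cp < 0x80:
                out.append(cp)
                i += 2
                continue
        out.append(b)
        i += 1
    return bytes(out)


def iis_decode(path: bytes) -> str:
    """Assumed vulnerable order: percent-decode, lenient UTF-8, percent-decode again."""
    once = percent_decode_lenient(path)
    unicode_fixed = utf8_decode_lenient(once)
    twice = percent_decode_lenient(unicode_fixed)
    return twice.decode("latin-1")


def resolve(decoded: str):
    """Walk the path treating '/' and '\\' alike; report whether it climbed
    above the virtual directory root and what it finally points at."""
    escaped = False
    stack = []
    for seg in re.split(r"[\\/]+", decoded):
        if seg in ("", "."):
            continue
        if seg == "..":
            if stack:
                stack.pop()
            else:
                escaped = True  # climbed above the vdir root
        else:
            stack.append(seg)
    return escaped, stack


def classify(request_line: str) -> dict:
    """Classify one 'METHOD target' log entry; only the path part is decoded."""
    target = request_line.split(" ", 1)[1]
    raw_path = target.split("?", 1)[0]
    decoded = iis_decode(raw_path.encode("latin-1"))
    escaped, segs = resolve(decoded)
    last = segs[-1].lower() if segs else ""
    return {
        "raw": raw_path,
        "decoded": decoded,
        "traversal": escaped,
        "target": last,
        "alert": escaped and last in ("cmd.exe", "root.exe"),
    }


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        r = classify(line)
        print("ALERT" if r["alert"] else "ok   ", r["decoded"])
```

The fourth sample line is the reason to decode rather than grep: the substring counters used later in the thread (`grep -c cmd.exe`, an NBAR match on `*cmd.exe*`) count it, while the resolved path shows it never leaves `/scripts`.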
Yeah - it looks like it has similar infection vectors to Code Red. I'm getting hits from 61/8 which my ADSL box is a member of. Microsoft need to have their ass kicked over this crap. What's up with running an exe in Windows Media Player without asking. Although truth be known I think it's possibly all the users to blame. Everyone wanting more functionality at the expense of security. Was only a matter of time till someone either wrote a worm or took a knife on a plane.

On Wed, Sep 19, 2001 at 10:29:03AM +1200, robbie_gernandt(a)wilsonandhorton.co.nz wrote:
W32.Nimda.A(a)mm
GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir
GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
We're getting hit at about 72 hits per minute, mostly from 203.x.x.x
Robbie Gernandt Network Consultant Wilson & Horton Ltd
To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog
I've been watching the behaviour of this beast (worm) across numerous boxes in various locations. It seems the worm attempts to scan within the network - i.e. class C - then it tries class B, and last of all class A. So the attack methodology is, if the worm is on an IP number like A.B.C.D, then it will scan all of A.B.C/24 before it moves on up the IP tree. When it exhausts all possibilities it then shifts either up or down the IP tree. So once it does all of a class A, e.g. A.X.X.X, it then moves on to A+1.X.X.X and proceeds scanning all of the neighbouring class A.

It also does not seem to be too bright. Its attack pattern is very odd. It will ask about 16 - 18 questions via port 80. But in some cases it asks those same questions over and over again to the same host - I've recorded one server asking the same 16 questions 13 times for a total of 208 queries on port 80.

I'd be interested to know if others are also noticing these patterns.

regards
joe

--
Joe Baptista
http://www.dot-god.com/
The dot.GOD Registry, Limited
The Executive Plaza, Suite 908
150 West 51st Street
Manhattan Island NYC 10019 USA
Tel: 1 (208) 330-4173
Fax: 1 (208) 293-9773
That's not many at all...

Match: protocol http url "*cmd.exe*" (1583)
  1029 packets, 137739 bytes
  5 minute rate 4000 bps
Match: protocol http url "*root.exe*" (1587)
  250 packets, 27846 bytes
  5 minute rate 1000 bps

Last couple of mins... (just cleared the counters)
We're getting hit at about 72 hits per minute, mostly from 203.x.x.x
Robbie Gernandt Network Consultant Wilson & Horton Ltd
:: :: That's not many at all...
:: ::
:: :: Match: protocol http url "*cmd.exe*" (1583)
:: ::   1029 packets, 137739 bytes
:: ::   5 minute rate 4000 bps
:: :: Match: protocol http url "*root.exe*" (1587)
:: ::   250 packets, 27846 bytes
:: ::   5 minute rate 1000 bps
:: ::
:: :: Last couple of mins... (just cleared the counters)

# grep -c cmd.exe error_log
1039

Hmmm...

Is there any chance of ISPs introducing port filtering to protect customers from these things?

Ideally, I'd like an HTTPS Web page so that you could turn it on and off...

-- Juha
At 14:21 19/09/2001, Juha Saarinen wrote:
:: :: That's not many at all...
:: ::
:: :: Match: protocol http url "*cmd.exe*" (1583)
:: ::   1029 packets, 137739 bytes
:: ::   5 minute rate 4000 bps
:: :: Match: protocol http url "*root.exe*" (1587)
:: ::   250 packets, 27846 bytes
:: ::   5 minute rate 1000 bps
:: ::
:: :: Last couple of mins... (just cleared the counters)

# grep -c cmd.exe error_log
1039
Hmmm...
Is there any chance of ISPs introducing port filtering to protect customers from these things?
yep
Ideally, I'd like an HTTPS Web page so that you could turn it on and off...
er.. no
-- Juha
--
Steve
Systems Admin, Asia Online (NZ)
:: er.. no

Even if I ask nicely?
Sure. Get yourself a router, and turn on its http server... :-) Probably won't stay up long though. I believe the web exploit is still current on Cisco. I suppose you could get a blue router and compile secure web on that.... Junipers aren't exactly cheap though...
-----Original Message-----
From: owner-nznog(a)list.waikato.ac.nz [mailto:owner-nznog(a)list.waikato.ac.nz] On Behalf Of Juha Saarinen
Sent: Wednesday, 19 September 2001 14:33
To: 'Steve Phillips'; 'Gordon Smith'; nznog(a)list.waikato.ac.nz
Subject: RE: [jim(a)cyberjunkees.com: Re: FW: Worm probes]
:: er.. no
Even if I ask nicely?
On Wed, Sep 19, 2001 at 02:42:56PM +1200, Gordon Smith wrote:
I suppose you could get a blue router and compile secure web on that.... Junipers aren't exactly cheap though...
ObJoke

But God DAMN they are good =) =)

Seriously though - Juniper does not support you compiling your own services on their routers. That includes but is not limited to Apache, Bind, Quake, CounterStrike etc =)

Dean
On Wed, 19 Sep 2001, Dean Pemberton wrote:
ObJoke But God DAMN they are good =) =)
Ohhhh Yeahh
Seriously though - Juniper does not support you compiling your own services on their routers. That includes but is not limited to Apache, Bind, Quake, CounterStrike etc =)
nope, but I think I've got an Olive I could experiment with ;)

--
Brendan Black - Evil Engineer Extraordinaire - ratfink(a)xtra.co.nz
UK mobile: +44 7941 647890   Linux User# 44680
"You know, it's at times like this when I'm trapped in a Vogon airlock with a man from Betelgeuse and about to die of asphyxiation in deep space that I really wish I'd listened to what my mother told me when I was young!"
"Why, what did she tell you?"
"I don't know, I didn't listen!"
-- Douglas Adams, "Hitchhiker's Guide to the Galaxy"
Not like that. This is an inbound filter at our border (we are an ISP). I'm sure others are doing something similar.

I sure as hell wouldn't allow control of my core routers to be done via a web server... :-) I doubt that anyone would. It would introduce a security risk that's not necessary, and creating and applying adaptive access lists would be horrible.

The end user should still have a firewall. And a virus killer. Too many use neither.
-----Original Message-----
From: owner-nznog(a)list.waikato.ac.nz [mailto:owner-nznog(a)list.waikato.ac.nz] On Behalf Of Juha Saarinen
Sent: Wednesday, 19 September 2001 14:22
To: 'Gordon Smith'; robbie_gernandt(a)wilsonandhorton.co.nz; nznog(a)list.waikato.ac.nz
Subject: RE: [jim(a)cyberjunkees.com: Re: FW: Worm probes]
:: I sure as hell wouldn't allow control of my core routers to be done via a
:: web server... :-)
:: I doubt that anyone would. It would introduce a security risk that's not
:: necessary, and creating and applying adaptive access lists would be
:: horrible.

No, that's not what I was asking for (although it would be fun!). Just some way of communicating requests to block / filter certain ports (or even traffic from certain IP addresses), without having to go through Help Desk Hell.

:: The end user should still have a firewall. And a virus killer. Too many use
:: neither.

Sure, but at the end of the day, without filtering, the end user has one option only -- turn off the modem.

-- Juha
On Wed, 19 Sep 2001, Juha Saarinen wrote:
Just some way of communicating requests to block / filter certain ports (or even traffic from certain IP addresses), without having to go through Help Desk Hell.
Ascend/Lucent gear can have various filters that can be controlled via the user's RADIUS profile. Unfortunately, (as far as I'm aware, and I've never really played with this stuff that much), it's pretty much limited to port/address/protocol matching... so you're not really going to be able to block these worms. We used to use them to block 12345 and 31337 and things though.

Assuming you're generating RADIUS profiles from something like SQL or LDAP, a web interface should be reasonably easy.

The above relates to Max 4000/6000 filters... the TNT/APX may be able to do something more sophisticated, but I haven't poked our TNT enough to really find out.

---
Matt Camp
:: Unfortunately, (as far as I'm aware, and I've never really played with this
:: stuff that much), it's pretty much limited to port/address/protocol
:: matching... so you're not really going to be able to block these worms.

I'd be happy with that -- I need to have the ADSL modem going to receive email, but http on port 80 isn't crucial. So, I'd be most pleased if I could just ask my ISP to filter traffic to TCP 80, e.g. through a Web page form. Then when the infections / attempts die down, I could just go to the same Web form and click to have the filtering taken off.

Of course, this could be done by email and a script that parses the message body for commands, but I think a Web page would be easier.

-- Juha
On Thu, 20 Sep 2001, Juha Saarinen wrote:
I'd be happy with that -- I need to have the ADSL modem going to receive email, but http on port 80 isn't crucial. So, I'd be most pleased if I could just ask my ISP to filter traffic to TCP 80, e.g. through a Web page form. Then when the infections / attempts die down, I could just go to the same Web form and click to have the filtering taken off.
Ah, problem is, that I'm talking about Lucent dial NAS gear... so it probably won't really work for ADSL.

I'm sure it could be done with a Linux box and some sexy scripts to maintain a set of ipchains (or whatever you prefer) rules, if you were to put in enough effort.

---
Matt Camp
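Juha's "script that parses the message body for commands" and Matt's "sexy scripts to maintain a set of ipchains rules" are the same mechanism seen from two ends. The code below is an added example, not from the thread and not any ISP's system: it is the per-customer filter store such a web form or mail parser would drive, with the two checks that make it safe to expose to customers. A customer may only toggle filters on an address assigned to them, and for dynamic-IP customers that assignment comes from the live session, so the rules vanish when the session does instead of landing on the next user of the address (the problem Matt raises further down for Jetstart). Rule output uses iptables syntax (an assumption; ipchains syntax differs) for a dedicated chain that is hooked from FORWARD once, out of band; the customers, the filterable-service table and the addresses are constructed sample data.

```python
"""
Self-service inbound port filter for DSL customers.

Added example, not code from the thread or from any ISP. A web form or
mail-parsing script would call set_block(); RADIUS accounting would call
session_start()/session_stop(); the rendered rule list is pushed to the
border box on every change. iptables syntax is an assumption.
"""
import ipaddress

# Constructed: static assignments for customers with a fixed address.
STATIC = {
    "cust-juha": [ipaddress.ip_network("203.0.113.8/32")],
    "cust-acme": [ipaddress.ip_network("198.51.100.0/29")],
}

# Services the form may toggle. Anything else is refused, so the form cannot
# be turned into a general-purpose ACL editor.
FILTERABLE = {"http": 80, "smtp": 25, "netbios-ssn": 139}

CHAIN = "CUSTOMER-FILTER"  # assumed to be hooked from FORWARD once, out of band


class CustomerFilters:
    def __init__(self):
        self.blocks = {}    # customer -> set of destination ports to drop
        self.sessions = {}  # customer -> current dynamic address (RADIUS accounting)

    def owns(self, customer, ip):
        """True if ip is statically assigned to customer or is their live session address."""
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in STATIC.get(customer, [])):
            return True
        return self.sessions.get(customer) == addr

    # RADIUS accounting hooks for dynamic customers.
    def session_start(self, customer, ip):
        self.sessions[customer] = ipaddress.ip_address(ip)

    def session_stop(self, customer):
        # Dropping the binding is what keeps this customer's rules from being
        # applied to whoever gets the address next.
        self.sessions.pop(customer, None)

    # What the web form (or the mail-parsing script) calls.
    def set_block(self, customer, ip, service, enabled):
        if service not in FILTERABLE:
            raise ValueError(f"{service!r} is not a filterable service")
        if not self.owns(customer, ip):
            raise PermissionError(f"{customer} is not assigned {ip}")
        ports = self.blocks.setdefault(customer, set())
        (ports.add if enabled else ports.discard)(FILTERABLE[service])

    def addresses(self, customer):
        """Destinations the customer's rules apply to right now."""
        dsts = [str(n.network_address) if n.num_addresses == 1 else str(n)
                for n in STATIC.get(customer, [])]
        if customer in self.sessions:
            dsts.append(str(self.sessions[customer]))
        return dsts

    def render(self):
        """Complete rule set; regenerated in full on every change so it is idempotent."""
        lines = [f"iptables -F {CHAIN}"]
        for customer in sorted(self.blocks):
            for dst in self.addresses(customer):
                for port in sorted(self.blocks[customer]):
                    lines.append(f"iptables -A {CHAIN} -p tcp -d {dst} --dport {port} -j DROP")
        return lines


if __name__ == "__main__":
    f = CustomerFilters()
    f.set_block("cust-juha", "203.0.113.8", "http", True)  # static customer, via the form
    f.session_start("cust-dyn", "192.0.2.77")              # dynamic customer logs in
    f.set_block("cust-dyn", "192.0.2.77", "http", True)
    print("\n".join(f.render()))
    f.session_stop("cust-dyn")                             # ...and logs out
    print("\n".join(f.render()))
```

Keying the rules on the customer rather than on the address is the whole point: the address is just where the rules are rendered to at this moment, and a tampered form submission naming someone else's address fails the ownership check instead of silently filtering a neighbour.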
Of course, a far better way to go would be to NAT the DSL users on RFC 1918 addresses.
-----Original Message-----
From: Juha Saarinen [mailto:juha(a)saarinen.org]
Sent: Thursday, 20 September 2001 12:17
To: 'Matt Camp'
Cc: 'Gordon Smith'; nznog(a)list.waikato.ac.nz
Subject: RE: [jim(a)cyberjunkees.com: Re: FW: Worm probes]
:: Of course, a far better way to go would be to NAT the DSL users on RFC 1918
:: addresses.

Ah, but would ISPs give DSL users any control over the NAT'ing? And wouldn't it make the service far less valuable to DSL users?

I wouldn't be prepared to pay what I do now for a "neutered" DSL service that wouldn't let me run the odd service.

-- Juha
hehe. You want it both ways... If NAT was used, DoS attacks, etc, wouldn't affect you, since an RFC1918 destination won't be routed. But how many really *NEED* to run real world services. For the majority of DSL users, NAT would be OK, and there wouldn't be any billing surprises because of things like DoS attacks.
-----Original Message-----
From: Juha Saarinen [mailto:juha(a)saarinen.org]
Sent: Thursday, 20 September 2001 12:28
To: 'Gordon Smith'
Cc: nznog(a)list.waikato.ac.nz
Subject: RE: [jim(a)cyberjunkees.com: Re: FW: Worm probes]
:: hehe.
:: You want it both ways... If NAT was used, DoS attacks, etc, wouldn't affect
:: you, since an RFC1918 destination won't be routed.
::
:: But how many really *NEED* to run real world services. For the majority of
:: DSL users, NAT would be OK, and there wouldn't be any billing surprises
:: because of things like DoS attacks.

No; it's not wanting to have your cake and eat it at all. Internet worms such as Code Red and NIMDA are a new phenomenon that probably wasn't planned for when Jetstream was developed (correct me if I'm wrong on this). Ditto DoS attacks.

What I'm asking for is simple: I want to have a useful DSL service, as I work from home a lot. However, I need some kind of defence against massive amounts of unwanted traffic. I can see that it is technically possible to provide me and other DSL users with a solution that keeps the service useful, yet helps us avoid billing nasties due to worms and DoS attacks.

In that light, to say that your options range from "tough shit, pay up" to "turn off your modem" or "settle for a neutered" DSL service, doesn't really cut it.

I'm a bit disappointed in the attitude here... what happened to listening to your customers?

-- Juha
The sticky point is wanting to run services. That means real world IP. At that point, how much traffic filtering should the ISP do? We would be intercepting *content*, a big can of worms.

For the situation you describe, there isn't really a need for a real world address. A combination of NAT and tunneling back into work would suit admirably. That would also allow you to appear to the rest of the world as originating from your office, thus allowing you to make use of the facilities there.

It may not be an ideal solution, but it's certainly a very practical one.

AFAIK, ADSL is across the IPNet network, and I think that getting anyone to introduce filtering there would be difficult :-)

If you can manage to get them to do that, I'm sure a lot of us would like SNMP access to the IPNet NAS's we use...
On Thu, 20 Sep 2001, Gordon Smith wrote:
AFAIK, ADSL is across the IPNet network, and I think that getting anyone to introduce filtering there would be difficult :-)
If you can manage to get them to do that, I'm sure a lot of us would like SNMP access to the IPNet NAS's we use...
Depends what type of DSL we're talking about. We (Quicksilver) supply Jetstart, which uses Quicksilver's bandwidth. This comes in from our upstreams (via APE), across our network to a Cisco 2600, down a 2meg pipe to Telecom, and out to the users. It would be fairly trivial to have a *nix box somewhere in the middle with some web-controlled firewall rules.

Problems however, are that Jetstart is dynamic IPs, and you would need some way of telling the firewall box that one user has disconnected, and another has connected, lest you end up with someone else's firewall rules. Would be messy, but I think it could be done...

Jetstream, however, which AFAIK uses Telecom's bandwidth directly, is much more of a problem.

---
Matt Camp
:: The sticky point is wanting to run services. That means real world IP.
:: At that point, how much traffic filtering should the ISP do?
:: We would be intercepting *content*, a big can of worms.

I don't see the problem here -- just a basic on/off filter for some of the common services would be a great starting point.

:: For the situation you describe, there isn't really a need for a real world
:: address.
:: A combination of NAT and tunneling back into work would suit admirably. That
:: would also allow you to appear to the rest of the world as originating from
:: your office, thus allowing you to make use of the facilities there.
::
:: It may not be an ideal solution, but it's certainly a very practical one.

Sort of, if I only worked for one place. Too limited for my needs, unfortunately.

:: AFAIK, ADSL is across the IPNet network, and I think that getting anyone to
:: introduce filtering there would be difficult :-)
::
:: If you can manage to get them to do that, I'm sure a lot of us would like
:: SNMP access to the IPNet NAS's we use...

:-) I feel a story coming on...

-- Juha
On Thu, 20 Sep 2001, Juha Saarinen wrote:
I don't see the problem here -- just a basic on/off filter for some of the common services would be a great starting point.
I don't think you realize how hard this sort of thing is to implement. At the minimum it's an extra service for your account, associated documentation, advertising and training for staff. Then it's some sort of firewall that has to be triggered when you login (or when your IP changes due to DHCP lease expiring) which means it must be tied into the customer database and RADIUS servers. Then it's an online options page for you to select exactly what you want plus some documentation.

At a minimum it would be a few thousand worth of staff time to setup (lots more for someone big like Xtra) which you then have to trade off against projected income, costs etc.

Remember, the traffic is already going to your IP so your ISP is paying for it.

Small aside, how much traffic do these worms do to machines that are not listening on port 80 anyway? I would have only thought a couple of packets when they request a new connection and get connection refused?
I feel a story coming on...
Please don't go around threatening people, you are on the Internet and paying for traffic that you do. This includes Code Red scans and when you get flooded for annoying people on IRC.

--
Simon Lyall.                |  Newsmaster  | Work: simon.lyall(a)ihug.co.nz
Senior Network/System Admin |  Postmaster  | Home: simon(a)darkmere.gen.nz
ihug, Auckland, NZ          | Asst Doorman | Web: http://www.darkmere.gen.nz
:: I don't think you realize how hard this sort of thing is to implement. At
:: the minimum it's an extra service for your account, associated
:: documentation, advertising and training for staff. Then it's some sort of
:: firewall that has to be triggered when you login (or when your IP changes
:: due to DHCP lease expiring) which means it must be tied into the customer
:: database and RADIUS servers.

I have a static IP, and I suspect that customers like me would be the prime target for such a service, not customers with a dynamic IP (for obvious reasons).

:: Then it's an online options page for you to select exactly what you want
:: plus some documentation.
::
:: At a minimum it would be a few thousand worth of staff time to setup (lots
:: more for someone big like Xtra) which you then have to trade off against
:: projected income, costs etc.

Yeah, well, what would ISPs prefer? That extra effort, or customers leaving in droves because they can't afford huge ADSL bills? The Internet worms aren't going to go away, ditto DoS attacks. If I thought they would, I'd sit tight and wait (with my modem turned off ;-)).

:: Remember, the traffic is already going to your IP so your ISP is paying
:: for it.

So, it would appear to be in the ISP's interest to limit unwarranted traffic as well, but this is a separate issue.

:: Small aside, how much traffic do these worms do to machines that are not
:: listening on port 80 anyway? I would have only thought a couple of packets
:: when they request a new connection and get connection refused?

Good point.

:: Please don't go around threatening people, you are on the Internet and
:: paying for traffic that you do. This includes Code Red scans and when you
:: get flooded for annoying people on IRC.

Threat? How is this a threat? Who have I threatened? I think this is an issue that needs to be talked about. Give me a reason why it's not important to DSL customers, and I'll listen as always.

-- Juha
On Thu, 20 Sep 2001, Juha Saarinen wrote:
Yeah, well, what would ISPs prefer? That extra effort, or customers leaving in droves because they can't afford huge ADSL bills? The Internet worms aren't going to go away, ditto DoS attacks. If I thought they would, I'd sit tight and wait (with my modem turned off ;-)).
Problem though, is that the ISP can't do this, because of the way that Telecom has the whole ADSL system setup. Filtering really needs to be done at the Telecom end.

---
Matt Camp
On Thu, 20 Sep 2001, Juha Saarinen wrote:
Threat? How is this a threat? Who have I threatened? I think this is an issue that needs to be talked about. Give me a reason why it's not important to DSL customers, and I'll listen as always.
I think that the costs of Jetstream are a problem still, but the problem with your proposed solution, as I see it is: These worms are really only using up a measurable amount of your bandwidth if they find something on port 80 or 25 to talk to and carry on a conversation. On my M11, all I have to do is remove the pinhole mappings for those ports and the problem of being probed (almost) goes away. At the expense of now not being able to run my little web and mail servers, which were the whole reason I have Jetstream with a static IP in the first place.

DoS type flooding is another matter, of course, but since they tend to be generated with random port numbers, etc. to try and avoid filters, I don't think your 'per service selector' that you suggested the ISPs implement is going to do much to prevent them.

--Colin.
** Colin Palmer, Systems and Development Group, University of Waikato, NZ **
On Thu, 20 Sep 2001, Juha Saarinen wrote:
Yeah, well, what would ISPs prefer? That extra effort, or customers leaving in droves because they can't afford huge ADSL bills? The Internet worms aren't going to go away, ditto DoS attacks. If I thought they would, I'd sit tight and wait (with my modem turned off ;-)).
Looking at the figures on resource usages and costs vs margins and turnover for ADSL users, my bet is that most ISPs wouldn't give two shits about them all leaving for a different product. One shit, maybe. Certainly half-a-shit. But not two. [1]

Our beloved incumbent telco, however, might be worried.

JSR
--
John S Russell      | "Every normal man must be tempted, at times, to
Operations Manager  |  spit on his hands, hoist the black flag, and
Attica/Callplus NZ  |  begin slitting throats."
jsr(a)jsr.com         |                        - H. L. Mencken
On Thu, 20 Sep 2001, J S Russell wrote:
But not two. [1]
I was going to add a footnote here with an analysis of the bizarre, moneygrubbing structure of ADSL charging by a certain large NZ telco, but I realised I was preaching to the choir by doing so in _this_ mailing list, so I deleted it. Forgot to delete the reference. Sorry. :)

JSR
--
John S Russell      | "Every normal man must be tempted, at times, to
Operations Manager  |  spit on his hands, hoist the black flag, and
Attica/Callplus NZ  |  begin slitting throats."
jsr(a)jsr.com         |                        - H. L. Mencken
From: "Juha Saarinen"
What I'm asking for is simple: I want to have a useful DSL service, as I work from home a lot. However, I need some kind of defense against massive amounts of unwanted traffic. I can see that it is technically possible to provide me and other DSL users with a solution that keeps the service useful, yet helps us avoid billing nasties due to worms and DoS attacks.
Well I'm sorry you can't have it - Telecom won't allow it. In order to deploy the service you desire an ISP would require point-to-point connectivity with your DSL device (PPPoE, bridged Ethernet, compulsory tunneling from the RAN, or ATM circuit). At present an ISP has only L3 or routed connectivity and thus has no control over traffic that is routed within IPNet. The "massive amounts of unwanted data" could come from Jetstart users and there is currently nothing an ISP can do to prevent this traffic from bouncing around inside IPNet.
In that light, to say that your options range from "tough shit, pay up" to "turn off your modem" or "settle for a neutered" DSL service, doesn't really cut it.
I suggest you talk to Telecom - oh sorry, you already have.
I'm a bit disappointed in the attitude here... what happened to listening to your customers?
You are a customer of Telecom, the ISP is just for appearances.

Cheers
BG.
At 12:36 PM 20/09/01 +1200, Gordon Smith wrote:
hehe. You want it both ways... If NAT was used, DoS attacks, etc, wouldn't affect you, since an RFC1918 destination won't be routed.
But how many really *NEED* to run real world services. For the majority of DSL users, NAT would be OK, and there wouldn't be any billing surprises because of things like DoS attacks.
This is a good example of the "internet is just web browsing and email" mentality. (And no, I'm not picking on you in particular, you just happened to bring it up just now)

There are plenty of legitimate reasons for wanting to avoid going through NAT, or at the very least avoid going through NAT which is done outside your control (eg upstream at the ISP) other than just wanting to run "services".

What about games? I suppose the "majority" of DSL users don't need or want to be able to play online games without hassles with NAT. (I'm thinking in particular the Microsoft DirectPlay type games which seem to be very NAT unfriendly) Some games can be made to work with pinholes, but often to only one machine at a time, and _only_ if you have access to the NAT device to administer those pinholes... I would wager a good proportion of the early adopters of residential Jetstream were game freaks, who certainly wouldn't buy your argument.

Remember, Jetstream users (particularly home users) are typically not your average joe-schmoe internet user, they're often power users who are prepared to pay a lot more money for a faster connection, and are likely to do things more "exotic" than Web browsing and Email.

How about instant messaging software like Microsoft Messenger and ICQ? Seems like pretty commonly used software to me. Anyone reading this list will know that file transfers through NAT with Microsoft Messenger are more or less impossible at this point. ICQ is a bit more flexible, with pinholes and a bit of configuration it is possible to get file transfers working, but again only if you have control of the NAT device, and the file transfers won't work (reliably) without the pinholing and configuration.

How about Audio/Visual chat programs like Microsoft NetMeeting? I wonder how many people had tried programs like that on a modem and decided they would be much better over a broadband connection, only to discover they wouldn't work at all through a NAT device like their shiny new M1122? Yes, the H323 protocol is horrific and nearly impossible to NAT, but that's not the point.

Peer to peer file sharing? Of course nobody with a fast connection would ever want to use *that*. ;-)

I could go on, but I think you get the point. Never _assume_ what people want to do with their internet connection, and place arbitrary restrictions on what's technically possible thinking "oh, they'll never need to be able to do *that*". Already, Jetst* connections through an external NAT device are functionally restricted compared to a dialup connection, let's not make it any worse by doing the NAT at the ISP.... :)

Regards,
Simon
You have confused port filtering with network address translation. I am aware of some MS products not functioning correctly. If they conformed to accepted standards, they probably would. H323 doesn't work? See Cisco's articles on NAT support of IP-Phone. What does break are things like IPSec, because the packet is altered (see RFC3027).
What about games ? I suppose the "majority" of DSL users don't need or want to be able to play online games without hassles with NAT. (I'm thinking in particular the Microsoft direct play type games which seem to be very NAT unfriendly)
Some games can be made to work with pinholes, but often to only one machine at a time, and _only_ if you have access to the NAT device to administer those pinholes...I would wager a good proportion of the early adopters of residential Jetstream were game freaks, who certainly wouldn't buy your argument.
<snip>
At 01:42 PM 20/09/01 +1200, Gordon Smith wrote:
You have confused port filtering with network address translation.
Umm, where did I mention port filtering? My message was a follow-up to the thread where you suggested the possibility of NAT'ing DSL users at the ISP rather than giving them a real IP.
I am aware of some MS products not functioning correctly. If they conformed to accepted standards, they probably would.
I'm the first to agree that many of Microsoft's products use dysfunctional protocols; things like Age of Empires (or any other Direct Play game) need ports 1024-65535 pinholed to work. (Yeah, now THAT'S secure! ;) Many other games, even peer-to-peer ones like Starcraft, manage to work fully with just a single pinhole, and server-based games like Quake1/2/3 usually don't need anything special, so why Direct Play networking is so arcane is beyond me.
H323 doesn't work? See Cisco's articles on NAT support of IP-Phone.
Ah, but now we're talking about a "protocol helper" here to support it. It's not inherently supported by all NAT devices. FTP is about the only protocol you can (almost) guarantee will be supported by all NAT implementations. Helper support for other protocols (which need it) varies from device to device, and has to be considered on a case by case basis.
What does break are things like IPSec, because the packet is altered (see RFC3027)
Which is a good reason not to force NAT on somebody. (Which already happens to anyone with an external ADSL modem, albeit at the customer end of the link, and the NAT device is somewhat under their control.) My argument is not that NAT is evil, I actually think it's very useful, as long as it is under the control of the end user, and they are aware of, and accept, its limitations. But doing the NAT at the ISP is a whole different proposition. (Would you like to share the same IP address with your neighbour?)

Regards,
Simon
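The three NAT behaviours argued over in the exchange above (unsolicited inbound packets having no inside destination, a pinhole tying one public port to one inside machine, and a "protocol helper" rewriting an address carried inside an FTP PORT command) as a small Python walk-through. This is an example added for this page, not code from any poster, from the M1122 or from any NAT device discussed; the public address 203.0.113.7 and the inside hosts are constructed from documentation ranges, and `Napt`, `Packet`, `open_mapping` and `rewrite_ftp_port` are names chosen here.

```python
"""NAPT walk-through: dynamic outbound mappings, unsolicited inbound packets
dropped, a static pinhole, and an FTP PORT helper for a payload-embedded
address.  Example written for this thread; all addresses are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# RFC1918 space: the only source addresses this translator will map outbound.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: str = ""


@dataclass
class Napt:
    """Minimal NAPT: one public IP, one public port per (inside host, port)."""
    public_ip: str
    next_port: int = 40000
    outbound: dict = field(default_factory=dict)  # (inside_ip, inside_port) -> public port
    inbound: dict = field(default_factory=dict)   # public port -> (inside_ip, inside_port)

    def open_mapping(self, inside_ip: str, inside_port: int) -> int:
        """Return the public port for an inside endpoint, allocating one if new."""
        key = (inside_ip, inside_port)
        if key not in self.outbound:
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[port] = key
        return self.outbound[key]

    def add_pinhole(self, public_port: int, inside_ip: str, inside_port: int) -> None:
        """Static inbound mapping.  A public port maps to exactly one inside host,
        which is why a pinholed game works for one machine at a time."""
        self.inbound[public_port] = (inside_ip, inside_port)
        self.outbound[(inside_ip, inside_port)] = public_port

    def translate_out(self, pkt: Packet) -> Packet:
        """Rewrite the source of an inside->outside packet to the public address."""
        if not is_rfc1918(pkt.src):
            raise ValueError(f"{pkt.src} is not an RFC1918 address")
        port = self.open_mapping(pkt.src, pkt.sport)
        return Packet(self.public_ip, port, pkt.dst, pkt.dport, pkt.payload)

    def translate_in(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite the destination of an outside->inside packet, or return None
        to drop it: with no mapping and no pinhole, unsolicited traffic (a worm
        probe, a DoS flood) has no inside host to be delivered to."""
        inside = self.inbound.get(pkt.dport)
        if inside is None:
            return None
        return Packet(pkt.src, pkt.sport, inside[0], inside[1], pkt.payload)


def parse_ftp_port(payload: str):
    """Decode an FTP 'PORT h1,h2,h3,h4,p1,p2' command to (ip, port), else None."""
    if not payload.startswith("PORT "):
        return None
    fields = payload[5:].strip().split(",")
    if len(fields) != 6 or not all(f.isdigit() for f in fields):
        return None
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def rewrite_ftp_port(napt: Napt, pkt: Packet) -> Packet:
    """The 'protocol helper': the address inside a PORT command is the private
    one, which the server cannot reach, so substitute the public address plus a
    freshly mapped port; translate_in then delivers the server's data
    connection to the right inside host."""
    parsed = parse_ftp_port(pkt.payload)
    if parsed is None:
        return pkt
    inside_ip, inside_port = parsed
    public_port = napt.open_mapping(inside_ip, inside_port)
    octets = napt.public_ip.split(".")
    new_payload = "PORT " + ",".join(octets + [str(public_port // 256), str(public_port % 256)])
    return Packet(pkt.src, pkt.sport, pkt.dst, pkt.dport, new_payload)


if __name__ == "__main__":
    nat = Napt("203.0.113.7")  # constructed public address
    out = nat.translate_out(Packet("192.168.1.10", 3000, "198.51.100.5", 80))
    print("outbound becomes", out)
    print("reply delivered to", nat.translate_in(Packet("198.51.100.5", 80, nat.public_ip, out.sport)))
    print("unsolicited probe ->", nat.translate_in(Packet("198.51.100.9", 4444, nat.public_ip, 80)))
```

Without the helper the server would read the private 192.168.1.10 out of the PORT command and try to connect there, which is exactly the breakage the thread attributes to protocols that carry addresses in their payload (the IPSec case in RFC3027 is the same problem with an integrity check on top).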
On Thu, Sep 20, 2001 at 12:23:29PM +1200, Gordon Smith wrote:
Of course, a far better way to go would be to NAT the DSL users on RFC 1918 addresses.
As long as "better" is compatible with "in direct violation of RFC1918" in your world.

Joe
Why? It wouldn't be visible to the rest of the world, and would provide the protection asked for, albeit with a reduction in functionality. That would even hide the IPNet RFC1918 addresses currently visible to the world :-)
-----Original Message-----
From: Joe Abley [mailto:jabley(a)automagic.org]
Sent: Thursday, 20 September 2001 14:51
To: Gordon Smith
Cc: Juha Saarinen; nznog(a)list.waikato.ac.nz
Subject: Re: [jim(a)cyberjunkees.com: Re: FW: Worm probes]
On Thu, Sep 20, 2001 at 12:23:29PM +1200, Gordon Smith wrote:
Of course, a far better way to go would be to NAT the DSL users on RFC 1918 addresses.
As long as "better" is compatible with "in direct violation of RFC1918" in your world.
Joe
On Thu, Sep 20, 2001 at 03:01:23PM +1200, Gordon Smith wrote:
Why? It wouldn't be visible to the rest of the world, and would provide the protection asked for, albeit with a reduction in functionality. That would even hide the IPNet RFC1918 addresses currently visible to the world :-)
I agree, that would be a bonus :)

Actually, I guess it could be done in a way that looked reasonable from the outside, even given Jetstream's wholesaleness. My mail was mainly a knee-jerk reaction to the idea of handing out RFC1918 addresses for public internet access, ever, tempered with a healthy loathing of NAT.

Joe
Fair enough :-) I know it's not ideal, and it does break a lot of things, e.g. IKE, etc. I really don't think there is a good answer to the DSL filtering question. Should the ISP do policy routing, and just sell filtered access as a product? Or should common exploit filtering be done even further upstream, on the backbones? If the ISP provides the filtering, will TCNZ policy route Jetstream (as opposed to Jetstart) users through those filters? Although possible, I guess it really comes down to who's going to pay for it.

Cheers,
Gordon
-----Original Message-----
From: Joe Abley [mailto:jabley(a)automagic.org]
Sent: Thursday, 20 September 2001 15:07
To: Gordon Smith
Cc: Nznog
Subject: Re: [jim(a)cyberjunkees.com: Re: FW: Worm probes]
On Thu, Sep 20, 2001 at 03:01:23PM +1200, Gordon Smith wrote:
Why? It wouldn't be visible to the rest of the world, and would provide the protection asked for, albeit with a reduction in functionality. That would even hide the IPNet RFC1918 addresses currently visible to the world :-)
I agree, that would be a bonus :)
Actually, I guess it could be done in a way that looked reasonable from the outside, even given Jetstream's wholesaleness. My mail was mainly a knee-jerk reaction to the idea of handing out RFC1918 addresses for public internet access, ever, tempered with a healthy loathing of NAT.
Joe
On Thu, Sep 20, 2001 at 03:17:01PM +1200, Gordon Smith wrote:
Fair enough :-)
I know its not ideal, and it does break a lot of things e.g. IKE, etc. I really don't think there is a good answer to the DSL filtering question.
Sure there is. Buy an aggregation router that has some features, and/or knuckle down and write some code instead of complaining about project plans, implementation schedules and documentation standards :)

Joe
From: "Joe Abley"
Sure there is. Buy an aggregation router that has some features, and/or knuckle down and write some code instead of complaining about project plans, implementation schedules and documentation standards :)
We already supply most of the functionality being discussed in this thread - via tunneling. That is, we tunnel all default gateway LAN traffic through the DSL connection to a virtual firewall at the ISP. That firewall does all the "translation" stuff, e.g. NAT for some LAN systems, real world IPs for others and NAPT for the rest. And yes, we can give each LAN system different access rights/ports, port forward from real world IP addresses to LAN systems, log usage by port/LAN IP address, route subnets to the LAN and all that stuff.

But that doesn't solve Juha's issue: we can't prevent someone dumping 10gig of garbage traffic on the Jetstream connection, as it is Layer 3 addressable within IPNet. Only Telecom can solve that issue.

Cheers
BG.
:: Why? It wouldn't be visible to the rest of the world, and would provide the
:: protection asked for, albeit with a reduction in functionality. That would
:: even hide the IPNet RFC1918 addresses currently visible to the world :-)

Actually, it wouldn't provide that much more protection, would it? There'd still be a public IP in front of the NAT, which presumably would send all the crap to your systems (unless of course you had control over the NAT or the RFC 1918 allocations). Yes?

-- Juha
From: "Juha Saarinen"
Actually, it wouldn't provide that much more protection, would it? There'd still be a public IP in front of the NAT, which presumably would send all the crap to your systems (unless of course you had control over the NAT or the RFC 1918 allocations). Yes?
Do you mean... Dish out an RFC 1918 address to the DSL device via the ISP's Radius server and then run NAT or a proxy at the ISP to a real world IP. That would work under FastIP, assuming Telecom allowed it.

However you still have the issue that the traffic from RAN to CAR to ISP is L3 routed. If one of your users gets infected with "a worm" that user is going to start dumping data inside IPNet, on another RFC 1918 address user; these worms love to DOS their own subnet.

Policy routes in the CAR? These routers are having enough trouble with normal routing as it is.

The only solution: Move the PPP termination point from RAN to ISP.

Cheers
BG.
:: Do you mean...
:: Dish out an RFC 1918 address to the DSL device via the ISPs Radius server
:: and then run NAT or a proxy at the ISP to a real world IP.
::
:: That would work under FastIP, assuming Telecom allowed it.

Doesn't quite make sense though, does it? Wouldn't you still need one IP address, either static or dynamic, per customer, on the outside of the NAT?

:: However you still have the issue that the traffic from RAN to CAR to ISP is
:: L3 routed. If one of your users gets infected with "a worm" that user is
:: going to start dumping data inside IPNet, on another RFC 1918 address user,
:: these worms love to DOS their own subnet.

Wonderful. Oh well, Gordon... good try ;-)))

:: Policy routes in the CAR? These routers are having enough trouble with
:: normal routing as it is.
::
:: The only solution: Move the PPP termination point from RAN to ISP.

Yes, that would seem logical.

-- Juha
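The "worm DoSing its own subnet" behaviour BG describes, and which Juha accepts as the reason ISP-side NAT on RFC 1918 space would not help, shows up in flow records as one source touching many distinct neighbouring addresses on one port within a short span. The Python below is an example added for this page, not code from any poster or from IPNet: it builds a constructed flow log (documentation-range addresses, one sweeping host and one ordinary browsing host) and flags the sweeper, reporting how many of its targets sit inside its own /24. `find_sweepers`, the 20-target/60-second thresholds and the five-column log format are choices made for this example.

```python
"""Flag a host sweeping its neighbours, the 'worm DoSing its own subnet'
pattern from the thread, from flow records.  Example written for this
thread; the flow lines are constructed, not real IPNet data."""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

Flow = Tuple[int, str, str, int, str]  # (timestamp, src, dst, dport, proto)


def build_sample() -> str:
    """Constructed flow log: one infected host (10.20.30.5) probing TCP/80 on
    40 hosts of its own /24 plus two outside addresses, and one ordinary host
    (10.20.30.9) talking repeatedly to three web servers."""
    lines = []
    for k in range(6, 46):                       # 40 neighbours, one per second
        lines.append(f"{1000 + k - 6} 10.20.30.5 10.20.30.{k} 80 tcp")
    lines.append("1040 10.20.30.5 203.0.113.10 80 tcp")
    lines.append("1041 10.20.30.5 203.0.113.11 80 tcp")
    for i in range(10):                          # normal browsing pattern
        for j in (1, 2, 3):
            lines.append(f"{1000 + 5 * i} 10.20.30.9 198.51.100.{j} 80 tcp")
    return "\n".join(lines)


def parse_flows(text: str) -> List[Flow]:
    """Parse 'ts src dst dport proto' lines; blank and '#' lines are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append((int(ts), src, dst, int(dport), proto))
    return flows


def find_sweepers(flows: List[Flow], port: int = 80, window: int = 60,
                  min_targets: int = 20) -> Dict[str, Tuple[int, int]]:
    """For each source, find the largest set of distinct destinations it hit on
    `port` inside any `window`-second span.  Sources reaching `min_targets`
    are returned as {src: (distinct_targets, targets_in_own_/24)}."""
    per_src: Dict[str, List[Tuple[int, str]]] = defaultdict(list)
    for ts, src, dst, dport, proto in flows:
        if proto == "tcp" and dport == port:
            per_src[src].append((ts, dst))
    result: Dict[str, Tuple[int, int]] = {}
    for src, events in per_src.items():
        events.sort()
        best: set = set()
        for lo in range(len(events)):            # window anchored at each event
            t0 = events[lo][0]
            targets = {d for t, d in events[lo:] if t - t0 <= window}
            if len(targets) > len(best):
                best = targets
        if len(best) >= min_targets:
            own_net = ipaddress.ip_network(f"{src}/24", strict=False)
            local = sum(1 for d in best if ipaddress.ip_address(d) in own_net)
            result[src] = (len(best), local)
    return result


if __name__ == "__main__":
    for src, (n, local) in find_sweepers(parse_flows(build_sample())).items():
        print(f"{src}: {n} distinct TCP/80 targets within 60s, {local} inside its own /24")
```

The local-target count is the useful signal for the case in the thread: a host whose targets are mostly its own /24 is sweeping the neighbourhood it shares with other customers, which no amount of address translation at the ISP edge will stop, because that traffic never crosses the edge.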
these worms love to DOS their own subnet.
Policy routes in the CAR? These routers are having enough trouble with normal routing as it is.
The only solution: Move the PPP termination point from RAN to ISP.
This would be great (IMHO).. It's just some ISPs would have to purpose some more gear to do it. (Most larger ISPs have gear which can do this already I think)
Cheers
BG.
On Thu, Sep 20, 2001 at 05:47:39PM +1200, Craig Whitmore wrote:
This would be great (IMHO).. It's just some ISPs would have to purpose some more gear to do it. (Most larger ISPs have gear which can do this already I think)
Couple of Linux boxes surely =)

Seriously though - large scalable pppoe/a termination boxes are not cheap
:: Couple of Linux boxes surely =)
:: Seriously though - large scalable pppoe/a termination boxes
:: are not cheap

So how much are the Juniper ones? And what features do they have? ;->>>>

-- Juha
:: are not cheap
So how much are the Juniper ones? And what features do they have?
I was just going to ask this from Dean :-) But I don't think Junipers do RAS/NAS type stuff..
No Sales Spiel here. I get my finger nails pulled off whenever I do that.
But no - we don't have anything that does PPPoE termination out of the box
ObBait
That's not to say that throwing enough Junipers at the problem might not solve it =)
:: are not cheap
So how much are the Juniper ones? And what features do they have?
I was just going to ask this from Dean :-) But I don't think Junipers do RAS/NAS type stuff..
As much as I love your Junipers Dean, I think Unispheres would be better suited to this task, as this is one of the prime functions they are designed for. Actually I believe there is a Unisphere router coming out to compete in the m5 / 7200 area as well :-) (see, shoulda shouted more beers last time you came over ... hehe)
No Sales Spiel here. I get my finger nails pulled off whenever I do that. But no - we don't have anything that does PPPoE termination out of the box
ObBait That's not to say that throwing enough Junipers at the problem might not solve it =) Just ignore this, don't flame me>
This would be great (IMHO).. It's just some ISPs would have to purpose some more gear to do it. (Most larger ISPs have gear which can do this already I think)
Couple of Linux boxes surely =)
Yes, a Linux box could do it ok :-) (and does work). I've tried it @ home and have set up a PPPoE server which works; PPPoA is easy as well (except I don't have ATM @ home to test it (yes, I know DSL is ATM basically)).
Seriously though - large scalable pppoe/a termination boxes are not cheap
participants (16)
- !Dr. Joe Baptista
- Brendan Black
- Brian Gibbons
- Colin Palmer
- Craig Whitmore
- Dean Pemberton
- Gordon Smith
- J S Russell
- Joe Abley
- Juha Saarinen
- Matt Camp
- robbie_gernandt@wilsonandhorton.co.nz
- Simon Byrnand
- Simon Lyall
- Steve Phillips
- Tony Wicks