RE: a few matters about security and consistency
Dear All,

Issue 1 is of interest to anyone involved with the RIPE database. It must be in the RIPE community's interest to keep data as up to date and accurate as possible. Auditing is a resource hungry task and a pain in the asynchronous port, but is necessary to maintain and improve the quality of the data within the database.

Is it acceptable for the RIPE database to periodically, say once a year, contact via e-mail each person and role object? The objective would be to ensure the person / role object are up to date. If there was no response, perhaps within a 4 week period, any associated maintainer object could be used to identify other people who could update the records. If there is no maintainer, then a RIPE Hostmaster maintainer or notify attribute could be added to the record - and mark the record as out of date as appropriate.

This would be a small overhead to everyone who is on the RIPE database that would ensure and improve the integrity of data within the database, for a piece of work on the database. From below, there is a possibility of up to 10 % of records on the database being inaccurate. That cannot be an acceptable situation.

Issue 2 is beyond the direct scope of the LIR-WG. However, I recollect that at RIPE 35 there was a suggestion of adding a new database record to the RIPE database, to clearly identify those networks which had a CERT team - has any progress been made?

Regards,

Adrian F Pauling :-)
NEL2C Internet Protocol Manager
acd Information Systems Engineering Technical Architecture
AFP1-RIPE / AFP-ARIN / AFP25-InterNIC
* adrian.pauling@bt.com * +44 19 2685 1992 / +44 78 0290 4877
British Telecommunications plc
Registered Office 81 Newgate Street London EC1A 7AJ
Registered in England no 1800000
-----Original Message-----
From: Mark Lastdrager [SMTP:mark@pine.nl]
Sent: 05 July 2000 21:53
To: lir-wg@ripe.net
Cc: cert@pine.nl
Subject: a few matters about security and consistency
Hi,
There are two matters I want to discuss, which are related from my point of view.
Yesterday, one of our hosts was attacked (Denial of Service). The attacker was using the DNS DOS described in http://www.ciac.org/ciac/bulletins/j-063.shtml (AUSCERT AL-1999.004) for this.
The used attack in short: Small DNS queries are sent from the attacker to each of the DNS servers. These queries contain the spoofed IP address of the target. The DNS servers respond to the small query with a large response. These responses are routed to the target, causing link congestion and possible denial of Internet connectivity.
This morning, we took our tcpdump logs of the attacks, and built a script which queried the RIPE database for the admins of the abused ('man-in-the-middle') networks. We got almost 900 unique email addresses out of this, to whom we sent a clear email describing what happened and asking for any logs or other usable information to find out who the attacker is. We were astonished how many people reacted with useful information; we are still investigating right now.
It turned out we were not the only one attacked; it now looks like the attacker (or attackers, of course) is abusing most of the 194.x network to amplify the DNS requests pointing at a lot of Dutch hosts and even some in the USA.
Ok, that was the scary part ;-) If you operate 1 or more DNS servers, please read the AUSCERT document and apply the workarounds they mention there (only allow your nameserver(s) to answer queries from trusted hosts and/or for zones you are authoritative for). It will really help against people abusing your network and filling up your pipe(s).
Matter 1:
What scared me was the great amount of bounced mail we got back from the 900 mails we sent. I think at least 10% did not exist. Besides that we got a lot of replies like 'hey don't bother me, I don't work there anymore'. Why doesn't RIPE test periodically if email addresses still work?
Matter 2:
Like I said, we got a lot of useful replies and they all more or less contained the same information. People had full, non-working internet links for days because of the attacks and were very happy that we pointed them to the 'Auscert workaround', because now they've closed their DNSes the traffic (and business!) goes back to normal. Because of the info we got, we are - while I write this - trying to trace back to the origin of the spoofed packets.
I think it would be very helpful if there was a mailing list where European operators could discuss these kinds of incidents, like the USA people do at the Securityfocus mailing list (http://www.securityfocus.com/templates/archive.pike?list=75). I think the introduction at http://www.securityfocus.com/forums/incidents/intro.html would describe the use of such a list very well. Incidents like this DOS which affect a lot of European networks could be stopped much quicker, and if you can contact your fellow operators you don't have to waste expensive time trying to track down those stupid scriptkids (believe me.. it takes a lot of time ;-)). Of course things like virii, talk about used exploits etc. are on-topic and interesting too.
Like I said: time is money, so we set up the list euro-incidents@security.nl already. Anybody can subscribe at http://www.security.nl/mailman/listinfo/euro-incidents.
Thanks for your time,
Mark Lastdrager Pine Internet
--
email: mark@lastdrager.nl :: ML1400-RIPE :: tel. +31-70-3111010
http://www.pine.nl :: RIPE RegID nl.pine :: fax. +31-70-3111011
PGP key ID 92BB81D1 :: Dutch security news @ http://security.nl
Today's excuse: We only support a 28000 bps connection.
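Detection logic for the traffic pattern Mark describes (many large DNS responses converging on one host that never sent the queries), added here as an example and not part of the original thread or Pine's script. The tcpdump-style lines and the 192.0.2.x / 198.51.100.x / 203.0.113.x addresses are constructed; the function returns the list of abused resolvers that one would then look up in the RIPE database to find their admins.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style DNS lines (classic "src.port > dst.port" form), not real traffic.
# 203.0.113.0/24 is the protected network. 203.0.113.9 makes one legitimate lookup and
# gets one answer; 203.0.113.5 receives answers from three resolvers it never queried.
SAMPLE_LOG = """\
21:53:00.100000 203.0.113.9.1024 > 192.0.2.53.53: 4711+ A? example.net. (29)
21:53:00.110000 192.0.2.53.53 > 203.0.113.9.1024: 4711 1/0/0 A 192.0.2.1 (45)
21:53:01.000000 198.51.100.10.53 > 203.0.113.5.53: 1 5/0/0 A 192.0.2.1 (512)
21:53:01.000500 198.51.100.11.53 > 203.0.113.5.53: 1 5/0/0 A 192.0.2.1 (512)
21:53:01.001000 198.51.100.12.53 > 203.0.113.5.53: 1 5/0/0 A 192.0.2.1 (498)
21:53:01.001500 198.51.100.10.53 > 203.0.113.5.53: 1 5/0/0 A 192.0.2.1 (512)
"""

# timestamp, source ip.port, destination ip.port, ..., (length in bytes)
LINE = re.compile(
    r"^\S+\s+(?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):.*\((?P<length>\d+)\)\s*$"
)

def find_amplification_victims(log, local_prefix, min_sources=3):
    """Return {victim_ip: {"sources": [...], "bytes": n}} for local hosts that receive
    DNS responses from at least min_sources distinct servers they never sent a query to.
    The source list is what you would feed into a whois lookup to contact the abused
    resolvers' admins; local_prefix is a dotted prefix such as "203.0.113."."""
    sent = set()                       # (local ip, local port, server ip) of queries seen leaving
    hits = defaultdict(lambda: {"sources": set(), "bytes": 0})
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue                    # not a DNS line we understand; ignore
        sip, sport, dip, dport, length = m.group("sip", "sport", "dip", "dport", "length")
        if sip.startswith(local_prefix) and dport == "53":
            sent.add((sip, sport, dip))             # outbound query: remember who asked whom
        elif dip.startswith(local_prefix) and sport == "53":
            if (dip, dport, sip) not in sent:       # inbound response with no matching query
                hits[dip]["sources"].add(sip)
                hits[dip]["bytes"] += int(length)
    return {
        ip: {"sources": sorted(d["sources"]), "bytes": d["bytes"]}
        for ip, d in hits.items()
        if len(d["sources"]) >= min_sources
    }

if __name__ == "__main__":
    for victim, info in find_amplification_victims(SAMPLE_LOG, "203.0.113.").items():
        print(victim, info["bytes"], "bytes from", len(info["sources"]), "abused resolvers")
```

On the constructed sample this reports 203.0.113.5 with 2034 unsolicited response bytes from three resolvers, while the normal lookup by 203.0.113.9 is not flagged.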