Hrm . . . back in the day you probably could. . . Now THAT would've been a cool
eBay DoS!
How about NIMDA/CR type worm exploiting an unknown vulnerability that DoS' the
root name servers and spews routing changes like EBGP at core internet routers?
In the meantime DoS the major anti-virus vendors and major security sites. The
internet would sound and feel like a big bag hitting the ground - THUD. Start
changing all your bookmarks to IP addresses!
-- Brent
-----Original Message-----
From: EMAIL:PROTECTED
[mailto:EMAIL:PROTECTED]On Behalf Of Rick Buford
Sent: Tuesday, October 02, 2001 2:11 PM
To: EMAIL:PROTECTED
Subject: RE: [MLUG] morenet today (was "Your thoughts on this")
Could you combine an ICMP redirect with a smurf style attack? Direct the
redirect to broadcast?
Rick
Kudos to the poor <fool> brave enough to try this. They will have their
kernel recompiled in Valhalla. Slashdot, Saint Aardvark
-----Original Message-----
From: EMAIL:PROTECTED
[mailto:EMAIL:PROTECTED]On Behalf Of Spurling, Shannon
Sent: Tuesday, October 02, 2001 1:46 PM
To: EMAIL:PROTECTED
Subject: RE: [MLUG] morenet today (was "Your thoughts on this")
Ah, ICMP redirects. I forgot about those. Not surprising, since my brain
feels like putty right now. ICMP redirects don't normally affect the
complete routing tables, I don't believe. It would be way silly to allow
ICMP messages to rearrange your routing tables. Well, that would almost be
as silly as building a web browser or e-mail client that automatically
executed attachments..... Oh.
:-)
Yes, it will cause a DOS, but it's not going to work on a whole network, is
it? I don't think it will. Updates are normally made by some other
mechanism, although not all that secure, they are secure enough that it
requires a little more effort than some kid spoofing ICMP packets.
Shannon Spurling
WAN Engineer -Specialist
MOREnet, Network Services, Core Network
3212 Le Mone Industrial Blvd.
Columbia, MO 65201
Main:(573) 884-7200 Fax:(573)884-6673
EMAIL:PROTECTED
EMAIL:PROTECTED
-----Original Message-----
From: Brent Deterding [mailto:EMAIL:PROTECTED]
Sent: Tuesday, October 02, 2001 1:42 PM
To: EMAIL:PROTECTED
Cc: Justin M. McNutt
Subject: RE: [MLUG] morenet today (was "Your thoughts on this")
Justin? Multiple spanning trees.
We used them in 3 different zones if I recall that somewhat overlapped with our
OSPF areas. No idea what's going on now though and I'm not 100% on whether I'm
right in the first place.
As for ICMP . . . yes it is used for route changes
ICMP Redirects that were spoofed as coming from the router was my original
theory. Basically you go that way and a router tells you another way is faster.
If a machine listens to these then you can tell it "to get to 0.0.0.0 use
127.0.0.1" and you've DoSd it. So in this case it really wouldn't apply at all
but hey I don't know the details.
-- Brent
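
Added example, not part of any message in this thread: a check for whether a Linux host would act on the ICMP redirects discussed above, using the kernel's documented rule for combining the `all` and per-interface `accept_redirects` settings. The sysctl text is a constructed sample and the function names are hypothetical.

```python
import re

# Constructed sample of `sysctl -a` output (not taken from the thread).
SAMPLE_SYSCTL = """\
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.forwarding = 0
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.default.accept_redirects = 1
net.ipv4.conf.eth0.accept_redirects = 1
net.ipv4.conf.eth0.forwarding = 0
net.ipv4.conf.eth0.secure_redirects = 1
net.ipv4.conf.eth1.accept_redirects = 1
net.ipv4.conf.eth1.forwarding = 1
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.lo.forwarding = 0
"""

LINE = re.compile(r"^net\.ipv4\.conf\.([^.\s]+)\.(\w+)\s*=\s*(\d+)\s*$")

def parse(text):
    """Return {interface: {setting: int}} for net.ipv4.conf.* lines."""
    conf = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            iface, key, val = m.groups()
            conf.setdefault(iface, {})[key] = int(val)
    return conf

def audit(text):
    """Map each interface that accepts ICMP redirects to how strictly."""
    conf = parse(text)
    all_ = conf.get("all", {})
    findings = {}
    for iface, s in conf.items():
        if iface in ("all", "default"):   # templates, not real interfaces
            continue
        # Assumption: a setting missing from the input is treated as 0.
        a, i = all_.get("accept_redirects", 0), s.get("accept_redirects", 0)
        # Kernel rule: forwarding on -> all AND iface; off -> all OR iface.
        accepts = (a and i) if s.get("forwarding", 0) else (a or i)
        if accepts:
            # secure_redirects is on if either all or the interface sets it;
            # it limits redirects to gateways already in the gateway list.
            secure = all_.get("secure_redirects", 0) or s.get("secure_redirects", 0)
            findings[iface] = "listed-gateways-only" if secure else "any-gateway"
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_SYSCTL))
```

On a host that does not forward, `all.accept_redirects = 0` alone is not enough: the per-interface value must also be 0, which is why `eth0` is still reported in the sample.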
-----Original Message-----
From: EMAIL:PROTECTED
[mailto:EMAIL:PROTECTED]On Behalf Of Spurling, Shannon
Sent: Tuesday, October 02, 2001 1:13 PM
To: EMAIL:PROTECTED
Subject: RE: [MLUG] morenet today (was "Your thoughts on this")
Multiple spanning trees? Why would anyone want to do that? One should be
enough to identify any possible loops.
ISIS, or some people write it IS-IS, it means intermediate system to
intermediate system. It's a link state routing protocol, kind of like OSPF,
but without an area 0. We have areas but no area zero, so OSPF did not fit
our network at all. We were using EIGRP a long time ago, but the number of
connections was overloading it.
ICMP isn't used in sending update messages. BGP uses TCP, and ISIS... I'm
not sure off the top of my head what ISIS uses. You might spoof a bunch of
ICMP host unreachable messages, but I'm not sure what that would get you.
Shannon Spurling
WAN Engineer -Specialist
MOREnet, Network Services, Core Network
3212 Le Mone Industrial Blvd.
Columbia, MO 65201
Main:(573) 884-7200 Fax:(573)884-6673
EMAIL:PROTECTED
EMAIL:PROTECTED
-----Original Message-----
From: Brent Deterding [mailto:EMAIL:PROTECTED]
Sent: Tuesday, October 02, 2001 12:53 PM
To: EMAIL:PROTECTED
Subject: RE: [MLUG] morenet today (was "Your thoughts on this")
ICMP Route Changes spoofed to a router perhaps?
Right, got the IGMP part (ISIS sounds cool - what is it?)
Ahh - got it. I thought IGMP was responsible for passing it to EBGP directly -
didn't know there was an IBGP. Thanks!
I always like knowing a little more than the average joe about networking.
Although I tried talking to a Cisco guy about multiple spanning trees and you
would have thought I was speaking an Eskimo dialect. Evidently Cisco doesn't use
multiple spanning trees; just one?
-- Brent
-----Original Message-----
From: EMAIL:PROTECTED
[mailto:EMAIL:PROTECTED]On Behalf Of Spurling, Shannon
Sent: Tuesday, October 02, 2001 11:41 AM
To: EMAIL:PROTECTED
Subject: RE: [MLUG] morenet today (was "Your thoughts on this")
Not NIMDA. ICMP. Someone must have gotten on someone else's bad side. There
was something funny about the ICMP, because that stuff should have just
passed through.
The idea here is there are layers to the routing tables. When you are
routing internally, you use the IGMP (We use ISIS). When you have something
not in your network, you use IBGP to determine the nearest egress circuit,
and then route to it using the IGMP. Once you get to the border, EBGP will
point the packet out to the next autonomous system. The latency was because
the IBGP was having trouble converging, because of the ICMP packets, as near
as we can figure.
Just say no to flaming on IRC, you don't know how much you really pissed
them off. (That's just speculation on my part.:-))
Shannon Spurling
WAN Engineer -Specialist
MOREnet, Network Services, Core Network
3212 Le Mone Industrial Blvd.
Columbia, MO 65201
Main:(573) 884-7200 Fax:(573)884-6673
EMAIL:PROTECTED
EMAIL:PROTECTED
-----Original Message-----
From: Brent Deterding [mailto:EMAIL:PROTECTED]
Sent: Tuesday, October 02, 2001 11:00 AM
To: EMAIL:PROTECTED
Subject: RE: [MLUG] morenet today (was "Your thoughts on this")
Ahhh - same problems everyone had with NIMDA. Routers were dropping off and on
causing tables to update. Setting an update threshold works much better.
Internally shouldn't you use IGMP? Been a while since my network days so go easy
on me . . .
-- Brent
-----Original Message-----
From: EMAIL:PROTECTED
[mailto:EMAIL:PROTECTED]On Behalf Of Spurling, Shannon
Sent: Tuesday, October 02, 2001 10:28 AM
To: EMAIL:PROTECTED
Subject: RE: [MLUG] morenet today (was "Your thoughts on this")
Okay, no names though. Here is the official statement:
The network congestion and latency problem that affected all MOREnet
customers this afternoon has been identified and resolved as of 5:45pm this
evening. The MOREnet Security Group helped identify the origin of the
network latency as an attack on a workstation within one of MOREnet's
customer's networks. This attack was being inadvertently redistributed via
iBGP routing methods and forcing constant updates of the MOREnet routing
tables creating an unusually high level of latency throughout the MOREnet
network. Adjustments in the Core network filtering configuration have been
made to prevent similar attacks in the future.
Christopher Kilbride
MOREnet
Network Services, Core Group Supervisor
(573)882-5444
Shannon Spurling
WAN Engineer -Specialist
MOREnet, Network Services, Core Network
3212 Le Mone Industrial Blvd.
Columbia, MO 65201
Main:(573) 884-7200 Fax:(573)884-6673
EMAIL:PROTECTED
EMAIL:PROTECTED
-----Original Message-----
From: Brent Deterding [mailto:EMAIL:PROTECTED]
Sent: Tuesday, October 02, 2001 10:30 AM
To: EMAIL:PROTECTED
Subject: RE: [MLUG] morenet today (was "Your thoughts on this")
OK now I'm curious. What happened? Security concern? Someone plug a router into
itself? Chancellor plug up the pipe looking at pigsex.com? (wonder if that is
really a site?)
Do tell!
-- Brent
-----Original Message-----
From: EMAIL:PROTECTED
[mailto:EMAIL:PROTECTED]On Behalf Of Spurling, Shannon
Sent: Tuesday, October 02, 2001 9:52 AM
To: EMAIL:PROTECTED
Subject: RE: [MLUG] morenet today (was "Your thoughts on this")
There was no "connectivity" problem really. It was more of a traffic
issue.... Let's just leave it at that. And that it wasn't really our
fault...
Shannon Spurling
WAN Engineer -Specialist
MOREnet, Network Services, Core Network
3212 Le Mone Industrial Blvd.
Columbia, MO 65201
Main:(573) 884-7200 Fax:(573)884-6673
EMAIL:PROTECTED
EMAIL:PROTECTED
-----Original Message-----
From: Aaron Littich [mailto:EMAIL:PROTECTED]
Sent: Monday, October 01, 2001 10:15 PM
To: EMAIL:PROTECTED
Subject: Re: [MLUG] morenet today (was "Your thoughts on this")
Yeah,
all of us down here at UMR have been wondering what's up... just picture a
bunch of geek engineers without internet connection, or a slow one! Pure
Havoc!
----- Original Message -----
From: "Jeremy Norris" <EMAIL:PROTECTED>
To: <EMAIL:PROTECTED>
Sent: Monday, October 01, 2001 6:08 PM
Subject: Re: [MLUG] morenet today (was "Your thoughts on this")
> I have been told by my boss that more.net was/is having a connectivity problem
> of late.
>
> Jeremy
> (Public School technician)
>
> On Mon, Oct 01, 2001 at 06:06:39PM -0500, Ian Monroe wrote:
> > The internet connection using the school district connection (which uses
> > MoreNet) at the Career Center was slow this afternoon. This doesn't mean
> > it was morenet's fault.
> >
> > Ian
> >
> > On Mon, 1 Oct 2001, Mike Miller wrote:
> >
> > > On Mon, 1 Oct 2001, Aaron Littich wrote:
> > >
> > > > PS, is there something wrong with morenet connection today?
> > >
> > > Nothing too bad because I've been connected by ssh from umn.edu to
> > > missouri.edu all day without any slowness that I could detect.
> > >
> > > Mike
> > >
> > > --
> > > To unsubscribe, go to http://mlug.missouri.edu/members/edit.php
> > >
> > > Archives are available at http://mlug.missouri.edu/list-archives/
> > >
> >
> > --
> > To unsubscribe, go to http://mlug.missouri.edu/members/edit.php
> >
> > Archives are available at http://mlug.missouri.edu/list-archives/
> --
> To unsubscribe, go to http://mlug.missouri.edu/members/edit.php
>
> Archives are available at http://mlug.missouri.edu/list-archives/
>
--
To unsubscribe, go to http://mlug.missouri.edu/members/edit.php
Archives are available at http://mlug.missouri.edu/list-archives/