Fw: GLBX ICMP rate limiting (was RE: Tier-1 without their own backbone?)

Sean Donelan sean at donelan.com
Fri Aug 29 15:58:07 UTC 2003


On Fri, 29 Aug 2003, Christopher L. Morrow wrote:
> That was a court order, not much any US based corporation can do about
> that, eh? Oh, yeah, and it didn't help stop any child pornographers, all
> it did was hide their tracks from the authorities :(

I suspect most ISPs in the US will follow lawful orders issued by
authorities with jurisdiction.  Some may try to also point out how
stupid or ineffective those orders are.

In the last month there have been several worms, viruses and activities
by law enforcement and other authorities related to those.  I think some
folks are confusing the various different requests, orders, subpoenas,
etc.

NIPC/DHS issued an advisory about the RPC/DCOM vulnerability and worm
including suggested mitigation steps including filtering certain ports.
This was a suggestion.  Some ISPs followed the advice; some ISPs, in
particular some cable modem providers, have blocked NETBIOS ports for
a long time.

For the Sobig.F virus the FBI subpoenaed at least one ISP for records,
which the ISP turned over.  Other AHJ's tried to coordinate the shutdown
of the 20 or so IP addresses used by the Sobig.F "controller" which was
supposed to issue directions last Friday.  F-Secure also issued a press
release about their cooperating with the FBI to shut down those systems
just in the "nick of time."  Some ISPs cooperated with the AHJ's to
shut down access to those 20 IP addresses.  Since most of the 20 IP
addresses were on cable and dsl providers, the AHJs may have only
contacted those providers for assistance.

I have no idea if UUNET cooperated with the FBI, NIPC, DHS or other AHJ
concerning any of the worms or viruses over the last month.



