<br>
(they weren't kidding about lightning!! ^_^;; )<br>
<br>
2006.02.15 Lightning Talks:<br>
Infrastructure (DNS and Routing) Security - <br>
Status and Update by Sandra Murphy<br>
<br>
Need for Speed: What's next after 10GE?<br>
by Mike Hughes<br>
<br>
A Brief Look at Some DNS Query Data<br>
by John Kristoff<br>
<br>
The impact of fiber access to ISP backbones in .jp<br>
by Kenjiro Cho<br>
<br>
New Network Monitoring Interest Group<br>
by Mike Caudill<br>
<br>
Understanding the Network-Level Behavior of Spammers<br>
by Nick Feamster (presented by Randy Bush)<br>
<br>
12:20-12:30 Closing Remarks<br>
Steve Feldman, CNET, Susan Harris, Merit<br>
<br>
Reload your agenda for the slides!!<br>
<br>
Fun with gnuplot, DNS query data, John Kristoff<br>
X asis, source port of client query to DNS server;<br>
Y axis, how many times that port was used.<br>
Looking at recursive server for an institution<br>
open to inside and outside on 2005.11.22<br>
starting at 1024, lots of clients use that port,<br>
then declining to the right; 1025 is most popular<br>
port; wraps at 5000, windows starts over.<br>
to the right, UNIX boxes start with high ports.<br>
Port 137, windows stuff, all bogus windows lookups<br>
Port 5353, is multicast DNS, MACs use it, also bogus<br>
Some very interesting outliers, either misconfigured<br>
or poorly thought out OS/stacks.<br>
Graphs are similar at different institutions, and at<br>
large ISPs.<br>
If you take out the external queries, points below<br>
1024 (except 53) seem to be machines behind PAT boxes.<br>
Port 1900 is plug and play port, so windows can't use<br>
it, so it's a low outlier.<br>
external queries show more outliers in low range.<br>
looking at PTR queries internally; no elbow at 1025.<br>
5353 standout is still there, multicast PTR queries,<br>
all bogus.<br>
MX queries, same thing.<br>
AAAA stuff, not many outliers, very clean; possibly<br>
bogus, though.<br>
A windows box trying to contact IRC server (neutered<br>
bot box); keep using same source port over again until<br>
firewall/virus software moved it.<br>
UNIX box used port range constantly across the range,<br>
more normal (trojaned box)<br>
Normal UNIX box shows more normal rows of different<br>
ports.<br>
looking at source ports, what other useful info and<br>
patterns can you start to discern? Look at TTL, dest<br>
ports, all sorts of fun you can start to discover.<br>
<br>
<br>
Sandra Murphy<br>
sandy at <a href="http://spart.com">spart.com</a> sandy at <a href="http://tislabs.com">tislabs.com</a><br>
DNS and routing security<br>
DNSsec is live, sweden has signed top level zone,<br>
RIPE signing reverse zones, some reverse delegations.<br>
<a href="http://www.dnssec-deployment.org/">http://www.dnssec-deployment.org/</a><br>
open working grope, dnssec deployment initiative<br>
focused on deployment issues, active mailing list, regular<br>
telecons.<br>
organizes workshops at conferences, etc.<br>
screenshot of the site; has roadmaps, working group<br>
signups, mailing lists, operator guidelines, links<br>
to NIST, etc., events, and actions.<br>
DNSSEC-tools project<br>
create tools/patches for web browsers and such.<br>
<a href="http://www.dnssec-tools.org/">http://www.dnssec-tools.org/</a><br>
current release is v0.9 from 2/10/2006<br>
Firefox 1.5RPM to check DNS sec records back<br>
Shot of tools being released..<br>
zonesigner tool is how you sign and maintain a signed<br>
zone.<br>
Some very detailed documents on how you sign and<br>
maintain a signed zone, as well as mailing lists.<br>
sourceforge link for dnssec-tools bundle<br>
Securing the routing infrastructure:<br>
big problem, no traction on deployable solutions<br>
3 workshops with a wide net of interested parties.<br>
operators, iSP, access, content providers, vendors, security<br>
DHS hosted, anxious to find a solution<br>
<a href="http:///www.hsrpacyber.com/public/">http:///www.hsrpacyber.com/public/</a><br>
Operators' emphasis<br>
a strong call from the operators for an authenticated<br>
list of authorized prefix originations (accurate, complete<br>
secure)<br>
respond to customr requests to route prefixes<br>
useful in debugging routing difficulties<br>
NEW ARIN policy suggestion<br>
recommendation<br>
new field in address templates (direct and subdelegations)<br>
for list of permitted ASes<br>
Benefits<br>
inhereits self-discipline of completign form (IRR entries<br>
aren't always done)<br>
inherits scrutiny of ARIN process on creation<br>
ARIN is authority for who is allocated prefixes<br>
Any IRR would have to check prefix with RIR<br>
Authentication and currency in IRRs<br>
authentication IRR objects<br>
RIR run IRRS have internal access to authentication for<br>
prefix holders<br>
non-RIR run IRRS would have to find a way to get that<br>
authentication from the RIRs<br>
samee is true for RIR IRR objec referring to nonmember<br>
resoureces<br>
Currency for IRR objects<br>
reclaimed resources have to result in IRR purges<br>
why not a TTL in IRR objects? Handles non-RIR IRRs<br>
This solicits requests and feedback. Try the DNSSec tools,<br>
try signing a zone, see how it works. Try the client<br>
system that does the DNSsec validation.<br>
Participate in ARIN ppml list on routing security, etc.<br>
<br>
<br>
Mike Hughes, what's next after 10GE<br>
mike at <a href="http://linx.net">linx.net</a><br>
Channels geoff huston for scary graph.<br>
curve of traffic growth. By end of 2006,<br>
he'll be at 150Gb; if he takes last 3<br>
months, he'll be at 300Gb in one metro.<br>
where is it coming from?<br>
ADSL2, Wimax, FTTx, skype, voip, p2p, etc.<br>
consolidation<br>
fewer people with bigger pipes.<br>
think back to seattle<br>
chap from force10 came and asked what do you<br>
want, 40g or 100g?<br>
we can do 40g now<br>
expensive at oc768<br>
cheap at 4x10GE<br>
can't we just do 8x10GE<br>
rate limit/transfer cap users<br>
implment QoS<br>
thorttle p2p apps<br>
either doesn't scale, isn't an option, is costly and complex<br>
We either build and scale, or spend money to not scale.<br>
It's easier to overprovide, actually.<br>
Gary Bachula, VP Internet2<br>
Research came to conclusion that it was far more cost<br>
effective to simply provide more bandwidth.<br>
We already need something faster than 10GE and 40GE<br>
we're already building 8x10GE link agg bundles on a single<br>
spans anyhow.<br>
common engineering sense says that your backbone has<br>
to be some multiple larger than your largest customer<br>
connection.<br>
Selling 10G transit means backbone needs to be multiples<br>
of that!<br>
Your vendor needs you!<br>
Probably--even if they don't realize it yet!<br>
Stand up Ted Seely!<br>
Some vendors are saying the next ethernet standard is <br>
5 years out. Too late!<br>
Apparently, the IEEE 802.3 HSSG isn't convinced that it<br>
needs to start working on the next ethernet standard<br>
is it only going to happen if we drive it?<br>
answer seems to be yes! So let's start beating up<br>
our vendors!!<br>
<br>
<br>
Kenjiro Cho<br>
Impact of fiber access to ISP backbones in .jp<br>
IIJ/WIDE<br>
yes, we DO need 100G!<br>
residential broadband<br>
21 million broadband subcriber<br>
15 mllion for DSL<br>
3 million for CATv<br>
4 million fo rFTTH<br>
100mb bidir fiber is 40USD/month<br>
4% of heavy hitters account for 75% of inbound volume<br>
fiber users account for 86% of inbound volume<br>
DSL is only 14%<br>
no clear boundry between heavy hitters and normal users<br>
data set<br>
sampled netflow data from japanese ISP<br>
ratio of ifber and DSL unique users in dataset<br>
heavy-hitters denote users who send more than 2.5GB/day.<br>
graphs.<br>
heavy hitters statistically follows power law<br>
up to 200GB/day, 19Mbps sustained!<br>
no clear boundry between heavy-hitters and normal users<br>
lines at 2.5GB/day and the top 4% heavy hitters<br>
4% in total uses, 10% in fiber, 2% in DSL<br>
CDF of traffic volume of heavy-hitters<br>
top 4% use 75% of inbound, and 60% of outbound<br>
correlation of inbound and outbound volumes per user<br>
fiber and DSL graphs<br>
2 clusters one below unity line, another in high volume<br>
more heavy hitters in fiber, more lightweight users in DSL<br>
no differences between DSL and fiber except heavy hitters.<br>
fairly constant in heavy hitter usage<br>
fiber peak is 80% of combined peak. inbound much larger<br>
for heavy hitters, reversed for others?<br>
protocols/ports<br>
83% is TCP dynamic ports<br>
RBB home users, DOM, other domestic, INTL<br>
both ends are clssified by commercial geo-IP dbs<br>
62% of residential traffic is user-to-user<br>
90% is inside Japan among RBB and DOM<br>
possible language, cultural barriers<br>
p2p super-nodes among bandwidth rich domestic fiber users<br>
count peer numbers for 50th percentile traffic<br>
expected 2 types; downloads, video (few streams),<br>
other with MANY peers (p2p). <br>
but couldn't find such a split.<br>
implications:<br>
we tend to attribute the skews to divide between heavy hitters<br>
and rst of users<br>
buthere are diverese and widespread heavy hitters<br>
heavy-hitters are no longer exceptional extremes<br>
which came first--start on DSL, become heavy hitter, then<br>
move to fiber?<br>
or start with fiber, and then find uses for the fiber?<br>
is this specific to japan?<br>
need to find faster links, re-evaluate prices!!<br>
<br>
Mike Caudill<br>
mcaudill at <a href="http://cisco.com">cisco.com</a><br>
FIRST forum of incident response and security team<br>
some special interest groups<br>
Vendor SIG<br>
CVSS SIG common vunlernabilty scoring system.<br>
Abuse SIG<br>
Network Monitoring SIG<br>
it's a members-only grope, so SIGs are just focus<br>
groups within SIG<br>
Abuse SIG, formed out of ECOAT (european)<br>
aims to further the cooperation of internet abuse<br>
fighting teams of network/information service providers,<br>
and jointly produce tangible results that will benefit<br>
its constituency<br>
Network Monitoring SIG<br>
to discuss and collaborate on various issues, such as sensor<br>
detection methodology, common rule-sets for detection,<br>
data exchange formats<br>
2006 Conference<br>
June 25-30 2006 in Baltimore, Maryland<br>
<a href="http://www.first.org/">http://www.first.org/</a><br>
first-chair at <a href="http://first.org">first.org</a><br>
Still getting some chairs for the SIGs, just getting<br>
rolling.<br>
<br>
Randy Bush, IIJ<br>
Spamming with BGP spectrum agility<br>
Airudh Ramachandran, Nick Feamster<br>
Collection:<br>
two domains instrumented with mailavenger on same network<br>
sinkhole domain 1<br>
continuous spam collection since aug 2004<br>
no real email addresses--sink everything<br>
10 million+ pieces of spam<br>
sinkhole domain 2<br>
re<br>
monitors BGP as path and traceroute back to source upon<br>
receipt of every source.<br>
spamming techniques<br>
mostly botnets, of course<br>
DNS hijack of CanC to get botnet topology and geophgraphy<br>
Correlation with Bobax victims<br>
from georgia tech botnet sinkhole<br>
distance in IP space of client IP from mx record<br>
coordinate, low-banwidht sending<br>
BGP spectrum agility<br>
LOG IP address of SMTP relays<br>
join with BGP route advertisments seen at network<br>
where pam trap is col-located<br>
/8's are being announced.<br>
<a href="http://61.0.0.0/8">61.0.0.0/8</a> 4678<br>
<a href="http://66.0.0.0/8">66.0.0.0/8</a> 21562<br>
<a href="http://82.0.0.0/8">82.0.0.0/8</a> 8717<br>
they bring up the aggregate, send spam from inside<br>
the empty holes in the space!<br>
82.00/8; hit you with spam, bring it back down.<br>
Why such big prefixes?<br>
"Agility"<br>
Flexibility: client IPs can be scattered throughout<br>
dark space within a large /8<br>
same sender usually returns with different IP address<br>
Visibility: route typically won't be filtered (nice and short)<br>
Low dampening on the /8s, so they make ideal spam sources.<br>
They're using REAL /8s, not the bogons, so they escape those<br>
filters.<br>
IP addresses are widely distributed across the /8 space<br>
IP addresses typically used once only<br>
60-80% use...<br>
evidence that it's working: only about half of the IPs<br>
spamming from short-lived BGP are listed in any blacklist.<br>
mail to feamster within domain <a href="http://cc.gatech.edu">cc.gatech.edu</a><br>
for more info<br>
Length of short-lived BGP epochs<br>
10% of spam received is coming from short-lived<br>
announcements, then plateus and hits the sharp<br>
curve of...something?<br>
<br>
<br>
CLOSING:<br>
Steve Feldman wraps up with his closing words:<br>
many thanks to Brokaw and Yahoo! for hosting, and<br>
the party Monday night, thanks to Merit and the<br>
program committees, and steering committee.<br>
No Venue for next meeting yet, so keep your eyes<br>
on the website!<br>
Late may, early June.<br>
<br>
Susan Harris from Merit for her closing words.<br>
Thanks from Merit to Steve Feldman (PC chair)<br>
<br>
And Thanks to the Dallas Yahoo! Team<br>
Brokaw Price<br>
Brian, Vicki, Mike, Todd, Raj, Brad, Sharon,<br>
<br>
Meeting stats<br>
Attendance: 340 (515 in LA, 458 in Seattle)<br>
Only 6% women<br>
NAPS: 11<br>
NON-NA 41<br>
Colleges, Universites, 14<br>
<br>
Thanks to all the people from Merit who helped<br>
behind the scenes, thanks to all the presenters,<br>
and we'll see you in Spring (somewhere!).<br>
<br>
Meeting adjourns at 1216 hours Central Standard Time<br>
to the sounds of Jerry Lee Lewis on the piano.<br>
<br>
<br>