a few matters about security and consistency

Dear All,

Issue 1 is of interest to anyone involved with RIPE database. It must be in
the RIPE communities interest to keep data as up to date and accurate as
possible. Auditing is a resource hungry task and a pain in the asynchronous
port, but is necessary to maintain and improve the quality of the data
within the database.

Is it acceptable for RIPE database to periodically, say once a year, to
contact via e-mail each person and role object? The objective would be to
ensure the person / role object are up to date. If there was no response,
perhaps within a 4 week period, any associated maintainer object could be
used to identify other people who could up date the records. If there is no
maintainer, then a RIPE Hostmaster maintainer or notify attribute could be
added to the record - and mark the record as out of date as appropriate .

This would be a small overhead to everyone who is on the RIPE database that
would ensure and improve the integrity of data within the database, for a
piece of work on the database. From below, there is a possibility of up to
10 % of records on the database being inaccurate. That can not be an
acceptable situation.

Issue 2 is beyond the direct scope of the LIR-WG. However, I recollect that
at RIPE 35 there was a suggestion of adding a new database record to the
RIPE database, to clearly identify those networks which had a CERT team -
has any progress been made? 

Regards,

Adrian F Pauling
:-)NEL2C Internet Protocol Manager
acd Information Systems Engineering Technical Architecture
AFP1-RIPE / AFP-ARIN / AFP25-InterNIC
* adrian.pauling at bt.com
* +44 19 2685 1992 / +44 78 0290 4877
	British Telecommunications plc
	Registered Office 81 Newgate Street London EC1A 7AJ
	Registered in England no 1800000


> -----Original Message-----
> From:	Mark Lastdrager [SMTP:mark at pine.nl]
> Sent:	05 July 2000 21:53
> To:	lir-wg at ripe.net
> Cc:	cert at pine.nl
> Subject:	a few matters about security and consistency
> 
> Hi,
> 
> There are two matters I want to discuss, which are related from my point
> of view.
> 
> Yesterday, ons of our hosts was attacked (Denial of Service). The attacker
> was using the DNS DOS described in
> http://www.ciac.org/ciac/bulletins/j-063.shtml (AUSCERT AL-1999.004) for
> this.
> 
> The used attack in short: Small DNS queries are sent from the attacker
> to each of the DNS servers.  These queries contain the spoofed IP address
> of the target.  The DNS servers respond to the small query with a large
> response.  These responses are routed to the target, causing link
> congestion and possible denial of Internet connectivity.
> 
> This morning, we took our tcpdump logs of the attacks, and built a script
> which queried the Ripe database for the admins of the abused
> ('man-in-the-middle') networks. We got almost 900 unique email adresses
> out of this, to whom we sent a clear email describing what happened and
> asking for any logs or other usable information to find out who the
> attacker is. We we astonished how many people reacted with usefull
> information, we are still investigating right now.
> 
> It pointed out we were not the only one attacked, it now looks like the
> attacker (or attackers ofcourse) is abusing most of the 194.x network to
> amplify the DNS requests pointing at a lot of Dutch hosts and even some
> in the USA.
> 
> Ok, that was the scary part ;-) If you operate 1 or more DNS servers,
> please read the AUSCERT document and apply the workarounds they mention
> there (only allow your nameserver(s) to answer to queries from trusted
> hosts and/or zones you are authoritive for). If will really help from
> people abusing your network and filling up your pipe(s).
> 
> Matter 1:
> 
> What scared me was the great amount of bounced mail we got back from the
> 900 mails we sent. I think at least 10% did not exist. Besides that we got
> a lot of replies like 'hey don't bother me, I don't work there
> anymore'. Why doesn't RIPE test periodically if email adresses still work?
> 
> 
> Matter 2:
> 
> Like I said, we got a lot of useful replies and they all more or less
> contained the same information. People had full, non-working internet
> links for days because of the attacks and were very happy that we pointed
> them to the 'Auscert workaround' because now they've closed their DNS'es
> the traffic (and business!) goes back to normal. Because of the info we
> got, we are -while I write this- trying to trace back to the origin of the
> spoofed packets.
> 
> I think it would be very helpful if there was a mailinglist where European
> operators could discuss this kind of incidents, like the USA people do at
> the Securityfocus mailinglist
> (http://www.securityfocus.com/templates/archive.pike?list=75). I think the
> introduction at http://www.securityfocus.com/forums/incidents/intro.html
> would describe the use of such a list very well. Incidents like this DOS
> which affect a lot of European networks could be stopped much quicker, and
> if you can contact your fellow operators you don't have to waste expensive
> time trying to track down those stupid scriptkids (believe me.. it takes a
> lot of time ;-)). Ofcourse things like virii, talk about used exploits
> etc. are on-topic and interesting too.
> 
> Like I said: time is money, so we set up the list
> euro-incidents at security.nl already. Anybody can subscribe at
> http://www.security.nl/mailman/listinfo/euro-incidents.
> 
> Thanks for your time,
> 
> Mark Lastdrager
> Pine Internet
> 
> -- 
> email: mark at lastdrager.nl :: ML1400-RIPE :: tel. +31-70-3111010
> http://www.pine.nl :: RIPE RegID nl.pine :: fax. +31-70-3111011
> PGP key ID 92BB81D1 :: Dutch security news @ http://security.nl
> Today's excuse: We only support a 28000 bps connection.
> 
> 
> 
> 
>