Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Inter-ISP/Telco/X.25 security procedures?

  • From: Valdis.Kletnieks
  • Date: Tue Sep 17 02:04:40 2002

On Mon, 16 Sep 2002 10:48:38 PDT, Mark Kent said:
> However, I think it was too subtle... I didn't get it, and I think
> chris@uu.net and Valdis.Kletnieks@vt.edu also didn't get it.  I don't
> think they would have posted messages saying the same thing as your
> hidden meaning.

Hmm.. and here I *thought* I got it...  or did I?

On Mon, 16 Sep 2002 11:38:29 PDT, Mark Kent said:
> OK, so there is my point.  Back in those days the network security
> folks would often find themselves in the same lunch line as the "ISP"
> security folks.  And they were available by phone with just a four
> digit extension.

In the 1980's, finding the four digit extension, the exchange it was in, and
the area code to use could be *quite* interesting if you were *NOT*
one of the anointed people in the lunch line.

Cliff Stoll didn't have any easy time finding people in 1987. Further,
consider the two attached messages, which Dave Mills apparently posted because
he couldn't find phone numbers or email addresses for the culprits(*).

Then consider the weekly "can a security guy with a clue from XYZnet
please call me?" postings, and ask if we *have* learned anything....

/Valdis

(*) OK - I admit it.  One of the offending boxes was one of mine - it
was a Gould PN/9808, and at 12MIPS it noticed a few packets/sec a lot less
than a Fuzzball did.  That, and at the time I was busy moving to a new
job and not paying as close attention.  It got fixed as soon as I saw the
postings...
--- Begin Message ---
SKYKING SKYKING THIS IS DROPKICK DROPKICK DO NOT ANSWER BREAK BREAK
TIMESERVERS DCN1 AND DCN5 UNDER ATTACK NTP MODE 3 MISSILEGRAMS HIGH
FREQUENCY ABOUT ONE PER SECOND BREAK MISSLES BELIEVED LAUNCHED
FROM GRID COORDINATES 129.63.224.1 AND 128.153.8.17 BREAK ATTACKS
INTERMITTENT COULD BE DUE TO TESTING OR PROTOCOL MACHINE BUG BREAK
REQUEST YOU CHECK OPERATIONS MODE 3/4 IN LATEST NTPD FOR POSSIBLE
OSCILLATION BREAK REPORT RESULTS BREAK BREAK MESSAGE ENDS AUTHENTICATION
LATERN CHIEF BREAK SILVER DOLLAR SENDS OUT
--- End Message ---
--- Begin Message ---
Folks,

In the last 240 hours dcn5 has processed 462K NTP messages, or a flux of
0.53 messages per second, which would seem it has 120 peers all
poking at the minimum polling interval and thus presumably synchronized
to it. It happens to have about 30 symmetric-mode peers plus a handful
of client peers. The discrepancy in rate is probably due to the problem
pointed out by previous Emergency Action Messages (EAM). That's bad,
but livable.

In the last 32 hours the problem has grown much worse and very serious
at dcn1. In this interval dcn1 processed 261K messages, or a flux of 2.26
messages per second. However, the critter is DES-limited at something
between 3 and 6 messages per second! The load has become so bad that I
can no longer monitor it with NETSPY, the Fuzzball monitoring protocol of
choice. It, too, has only about 30 symmetric-mode peers plus a handful of
client peers, so whatever is gouging dcn5 is slashing great holes in 
dcn1 flesh. Clearly the machine-gun bursts from the hosts listed in
pevious EAMs is threatening disaster, especially since dcn1 is the 
gateway to ARPANET here. 

Now, were I to resist the urge to authenticate at least the non-Fuzzball
peers, the throughput limit would probably rise to something reasonable,
like 20-40 messages per second. However, I am much concerned that not only
dcn1 is taking hits but all the other Fuzzballs out in the swamps. Therefore,
I am asking the timecallers on nets 128.143 and 128.153 in particular to
investigate and upgrade to the latest version post-haste. Not the least of
my concerns is that the present traffic levels has become most visible
relative to the rest of the campus traffic combined. Properly operating
NTP peers should be pinging at 1020-second intervals, not one-second
intervals. Those one-second honkers are thus 30 decibels above the noise
level.

You should know the following:
Circuit QUEBEC: frequency 6761 upper-sideband, common SAC broadcast
ELECTRIC: US airborne command post, formerly SILVERDOLLAR
SKYKING: collective identifier for any SAC aircraft aloft
CROWN: White House Communications Agency
ACROBAT: Andrews AFB (near WashDC)
CAPSULE: collective identifier for any Military Airlift Command (MAC)
aircraft aloft
COVEREDWAGON: confirmed hostile act
DROPKICK: SAC Heaquarters Offut AFB NE
DULLSWORD: nuclear incident
GOLDCOIN: MacDill AFB, FL, Strike Command Control (also overheard directing
drug-intercept missions)
SENTRY: AWACS aircraft (E3A) from Tinker AFB, OK
CRITIC: highest communications priority
EAM: Emergency Action Message

Toss that in your trivia bucket. My next lesson will be in Navy communications
COMSLANT and send torpedoes.

Dave
--- End Message ---

Attachment: pgp00012.pgp
Description: PGP signature




Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.