North American Network Operators Group
Re: Interesting new spam technique - getting a lot more popular.
- From: Payam Chychi
- Date: Wed Jun 14 01:11:11 2006
That's a very good question... I was also under the assumption that most
providers would have adopted new practices rather than simply dumping
customers on a single subnet/vlan... unless we're going back in time :P
As far as the "special daemon program" goes.. any packet sniffer will
reveal all needed information to jack an ip.
I'm actually surprised that it's taken spammers this long to figure out
and utilize such vulnerabilities in networks... seeing how spamming is a
multi billion $ industry...
few ways to limit ip jackings... keep your subnets as small as possible,
force the use of private vlans, as a provider... you should provide a
way for your clients to be able to view their traffic patterns... in
case of a hijack, they would notice the increased traffic and could
bring it to the provider's attention sooner than later... monitor your
switch ports (snmp?) for bursts of outbound traffic (bandwidth / pps)...
-- Payam Chychi
John van Oppen wrote:
It sure seems like this is a good demo of the best practice of having customers on their own VLANs with their own subnets. We have been doing this since we started offering colo services, is this less common than I thought?
From: Christopher L. Morrow [mailto:firstname.lastname@example.org]
Sent: Tuesday, June 13, 2006 9:23 PM
To: Suresh Ramasubramanian
Subject: Re: Interesting new spam technique - getting a lot more popular.
On Wed, 14 Jun 2006, Suresh Ramasubramanian wrote:
That was not my advice btw - just forwarding on what I saw.
oh, apologies, i did cut the message down quite a bit :( I understood you
were quoting from the spamdiaries website, I apologize to the other
listeners (readers?) if it confused the issue.
What you say does seem like a "must do" all right - but putting ARP
filters in is actually a reasonable idea.
At least it'd trim down the 'problem' to the single customer subnet, I
assume that dedicated hosting folks don't just drop machines behind a
switch on one big flat subnet? That's probably a naive assumption though
:( Perhaps this is clue #12 that that is a 'less than good' option? :)
On 6/14/06, Christopher L. Morrow
On Wed, 14 Jun 2006, Suresh Ramasubramanian wrote:
http://thespamdiaries.blogspot.com/2006/02/new-host-cloaking-technique-used-by.html
* Monitor your local network for interfaces transmitting ARP
responses they shouldn't be.
how about just mac security on switch ports? limit the number of mac's at
each port to 1 or some number 'valid' ?
--
Suresh Ramasubramanian (email@example.com)
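
An added example, not part of the thread and not written by any of its posters: one way to check for "interfaces transmitting ARP responses they shouldn't be", combined with the per-port MAC limit suggested above. The assignment table, port names, record format and the function name `audit_arp_replies` are all assumptions; addresses are constructed from documentation ranges.

```python
from collections import defaultdict

# Constructed provider records: IP -> (switch port, MAC) it was assigned to.
ASSIGNMENTS = {
    "192.0.2.10": ("Gi0/1", "00:00:5e:00:53:0a"),
    "192.0.2.11": ("Gi0/2", "00:00:5e:00:53:0b"),
    "192.0.2.12": ("Gi0/3", "00:00:5e:00:53:0c"),
}
MAX_MACS_PER_PORT = 1  # assumed policy: one customer MAC per port

# Constructed ARP replies as (ingress switch port, sender MAC, sender IP).
OBSERVED = [
    ("Gi0/1", "00:00:5e:00:53:0a", "192.0.2.10"),  # matches assignment
    ("Gi0/2", "00:00:5e:00:53:0b", "192.0.2.11"),  # matches assignment
    ("Gi0/2", "00:00:5e:00:53:0b", "192.0.2.12"),  # answers for a neighbour's IP
    ("Gi0/3", "00:00:5e:00:53:0c", "192.0.2.12"),  # matches assignment
    ("Gi0/3", "00:00:5e:00:53:ff", "192.0.2.50"),  # unassigned IP, extra MAC
]

def audit_arp_replies(replies, assignments, max_macs=MAX_MACS_PER_PORT):
    """Return findings as (kind, port, mac, ip) tuples, in arrival order.

    kind is one of:
      unassigned-ip  reply claims an IP nobody on this segment was given
      wrong-owner    reply claims an IP assigned to a different port/MAC
      mac-limit      a new MAC appeared on a port already at its limit
    """
    findings = []
    macs_on_port = defaultdict(set)
    for port, mac, ip in replies:
        mac = mac.lower()
        owner = assignments.get(ip)
        if owner is None:
            findings.append(("unassigned-ip", port, mac, ip))
        elif owner != (port, mac):
            findings.append(("wrong-owner", port, mac, ip))
        seen = macs_on_port[port]
        if mac not in seen and len(seen) >= max_macs:
            findings.append(("mac-limit", port, mac, ip))
        seen.add(mac)
    return findings

if __name__ == "__main__":
    for finding in audit_arp_replies(OBSERVED, ASSIGNMENTS):
        print(*finding)
```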