Global Crossing SOC

Folks,

Any Global Crossing SOC folks here? We've had a simple DoS attack
targeting one of our nodes connected to Global Crossing but have
literally spent 3 hours on the phone with Global Crossing support
attempting to get someone with a clue as to how to implement a simple
ACL on their edge router to deal with this.

If there's anyone here who can assist, please contact me off list.

Regards,

Stefan Fouant: NeuStar, Inc.
Principal Network Engineer
46000 Center Oak Plaza Sterling, VA 20166
[ T ] +1 571 434 5656 [ M ] +1 202 210 2075

[ E ] stefan.fouant@neustar.biz [ W ] www.neustar.biz

Sounds like you need to talk to the Global Crossing NCC. They're located in
Phoenix; however, I don't have their number.

I’m good now, but it would be nice if the people on the front lines at Global Crossing were even aware what a “Denial of Service” attack was, or that they even have a SOC for incident handling. Once we got redirected into their SOC we were in good hands.

Stefan Fouant: NeuStar, Inc.

Tier 1 is Tier 1. :confused:

> I'm good now, but it would be nice if the people on the front lines at
> Global Crossing were even aware what a "Denial of Service" attack was, or
> that they even have a SOC for incident handling. Once we got redirected
> into their SOC we were in good hands.

You're "assuming" (anyone remember the Benny Hill assume skit?). How
many companies - especially large "layered" companies - can you name
that would even be able to determine what a SOC is on their customer
service level? I've seen companies with level2 and level3 layers
that couldn't even understand what it was.

Perhaps DNS lookups could include such information in the future.
It would be nice to nslookup a netblock and get something "relevant"
for the security ops as opposed to the standard "abuse" which was
largely relevant for mail operations (spam). I'm sure I'm not the
only one who has thought about this. Maybe NAP's and NSP's can
place contact information somewhere for those with a specific
need to contact those with direct knowledge.

Then the real world sinks in... Ticketing systems, accountability,
engineers who would rather be on IRC than cleaning up their nets,
etc.

Happy holidays all :wink:

I think it's a lovely idea, I just wonder how long such a system would
last before people really start taking advantage of it, i.e. I have a
really low priority, non-important issue I need resolved, let me get in
touch with the MOST clueful person I can to get a really quick
resolution...

Stefan Fouant: NeuStar, Inc.

I thought I had made it clear about the cons. Obviously the con would
be someone contacting say Global or Level3 or someone else with: "OMFG
like... Some virus!", the cost of doing business. That doesn't stop
them NOW from Googling "security" +"Global", they're not doing an nslookup
for contact information. I would like to believe that the majority of
people doing nslookup's for contact information usually have a higher
grasp of what they're looking for. Ask any "Average Joe" to perform an
nslookup and compare those results to deer on the highways looking at
those high-beams.

You can't expect someone with a less than mission critical reason to
contact someone in a higher position, there is no guarantee someone
wouldn't be clueful enough to just Google "SOC" +"Global Crossing"
+SOC

(http://www.google.com/search?q="global+crossing"+%2B"SOC"+%2Bcontact)

What I infer from you is "right... Buddy go ahead and do it... Then
the whole world will be screaming about not-so-important shtuff!"
If this is the case, what's to stop them from using Google? For the
most part, we can infer a large portion of users outside of those
with *some* form of networking concepts/experience, can use and know
what nslookup is for. Placing relevant information is not going to
"cripple SOC" no more than Google would.

While I understand where you are coming from and I completely agree, I
think I should point out that the search pattern you generated actually
produced a Press Release about Global Crossing's SOC implementing some
ISO 9001:2000 certification. At the bottom of the article it had Press
"Contacts" within Global Crossing. It didn't actually contain any
useful contact information for any SOC personnel whatsoever...

It's a moot point however, because I happen to agree with you that
obtaining that information via nslookup is a more effective barrier at
weeding out the less clueful.

Stefan Fouant: NeuStar, Inc.

From: J. Oquendo [mailto:sil@infiltrated.net]
Sent: Wednesday, December 17, 2008 4:01 PM
To: nanog@nanog.org
Subject: Re: Global Crossing SOC

> > From: J. Oquendo [mailto:sil@infiltrated.net]
> > Subject: Re: Global Crossing SOC
> >
> > only one who has thought about this. Maybe NAP's and NSP's can
> > place contact information somewhere for those with a specific
> > need to contact those with direct knowledge.
>
> I think it's a lovely idea, I just wonder how long such a system would
> last before people really start taking advantage of it, i.e. I have a
> really low priority, non-important issue I need resolved, let me get in
> touch with the MOST clueful person I can to get a really quick
> resolution...
>

I thought I had made it clear about the cons. Obviously the con would
be someone contacting say Global or Level3 or someone else with: "OMFG
like... Some virus!", the cost of doing business. That doesn't stop
them NOW from Googling "security" +"Global", they're not doing an nslookup
for contact information. I would like to believe that the majority of
people doing nslookup's for contact information usually have a higher
grasp of what they're looking for. Ask any "Average Joe" to perform an
nslookup and compare those results to deer on the highways looking at
those high-beams.

You can't expect someone with a less than mission critical reason to
contact someone in a higher position, there is no guarantee someone
wouldn't be clueful enough to just Google "SOC" +"Global Crossing"
+SOC

("global crossing" +"SOC" +c - Google Search

I didn't want to spend too much time sorting out Google
searches :wink: Anyhow, how do we get others to understand
the need for something like this (information via say
whois trickled from an nslookup on a netblock)? That
would definitely be more productive than someone having
to contact abuse - which is highly likely going to be
ignored/not remedied appropriately.

Would definitely be a plus for me if say I had someone
directly contact my SOC team for a security related
issue. Would save time for me and the caller. I see it
as a no brainer... Others will likely see it as "that's
what abuse is for"

Maybe Jared should start a SOC contact page or something
similar.