Packet Kiddies Invade NANOG

People should be worried about stuff like this.
Banetele is a facilities-based network operator
in Norway and these guys are directly attacking
their BGP sessions to put them off the air.

Assuming that they are not sourcing the attacks
in Banetele's AS, then you, the peer of Banetele,
are delivering the packet stream that kills the
BGP session. How long before peering agreements
require ACLs in border routers so that only BGP
peering routers can source traffic destined to
your BGP speaking routers?

(08:48:02) <#sigdie!OseK_> i just collapsed banetele's BGP announcement
(08:48:43) <#sigdie!p> i dunno banetele looks dead
(08:48:48) <#sigdie!p> or maybe im just lagging
(08:49:00) <#sigdie!OseK_> ... BitchX: Sent server ping to [irc.banetele.no]
(08:49:00) <#sigdie!OseK_> ... Server pong from irc.banetele.no 0.8224 seconds
(08:49:12) <#sigdie!p> bash-2.05a$ telnet irc.banetele.no 6667
(08:49:13) <#sigdie!p> Trying 213.239.111.2...
(08:49:16) <#sigdie!OseK_> thats cuz I collapsed their BGP announcement by nailing their router head on
(08:49:26) <#sigdie!OseK_> but they have a secondary route to efnet
(08:49:30) <#sigdie!_mre|42o> BGP announcement?
(08:49:31) <#sigdie!OseK_> thru their multihomed connection
(08:49:32) <#sigdie!OseK_> yeah
(08:49:37) <#sigdie!OseK_> they have a collapsable route
(08:49:44) <#sigdie!OseK_> using the border gateway protocl
(08:49:54) <#sigdie!OseK_> hey have to announce to a pool
(08:49:58) <#sigdie!OseK_> in order to establish their route
(08:50:07) <#sigdie!OseK_> but if thye get hit enough their router drops the announcements
(08:50:10) <#sigdie!OseK_> and they lose their routes
(08:50:14) <#sigdie!OseK_> its wierd
(08:50:21) <#sigdie!OseK_> i dont quite understand how it works myself

> People should be worried about stuff like this. Banetele is a
> facilities-based network operator in Norway and these guys are directly
> attacking their BGP sessions to put them off the air.

Can anyone from Banetele/who knows Banetele confirm this attack took place?

Steve

> People should be worried about stuff like this. Banetele is a
> facilities-based network operator in Norway and these guys are directly
> attacking their BGP sessions to put them off the air.

> Can anyone from Banetele/who knows Banetele confirm this attack took place?

According to the people I spoke to, they had not noticed such an attack
on the date specified.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no
(who used to work for BaneTele, and was intimately involved with getting
suitable BGP filters in place)

Even better is to separate the control plane from the
forwarding plane, and ensure that the control plane of
a given router cannot be spoken to by anyone who is
not either internal or a direct BGP peer. Why permit
garbage to touch your network?

-David Barak
-Fully RFC 1925 Compliant-
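
The filtering rule discussed above (a router's own addresses accept traffic only from internal sources or from the direct BGP peer configured for that router), modelled as an added example that is not from the thread. All addresses are constructed documentation prefixes and the function names are hypothetical.

```python
import ipaddress

# Constructed topology (documentation prefixes, not Banetele's addressing).
ROUTER_ADDRS = [ipaddress.ip_address(a) for a in ("192.0.2.1", "192.0.2.2")]
INTERNAL_NETS = [ipaddress.ip_network("10.255.0.0/24")]  # management / internal
# eBGP sessions: local router address -> its configured direct peers.
EBGP_PEERS = {
    ipaddress.ip_address("192.0.2.1"): {ipaddress.ip_address("198.51.100.1")},
    ipaddress.ip_address("192.0.2.2"): {ipaddress.ip_address("203.0.113.9")},
}
BGP_PORT = 179


def control_plane_verdict(src, dst, proto, sport, dport):
    """Return 'transit', 'permit' or 'drop' for one packet seen at the border."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst not in ROUTER_ADDRS:
        return "transit"  # not addressed to a router: forwarded as usual
    if any(src in net for net in INTERNAL_NETS):
        return "permit"   # internal source
    is_bgp = proto == "tcp" and BGP_PORT in (sport, dport)
    if src in EBGP_PEERS.get(dst, ()) and is_bgp:
        return "permit"   # configured peer, BGP only, to the router it peers with
    return "drop"         # everything else aimed at the control plane


# Constructed sample packets: (src, dst, proto, sport, dport).
SAMPLE_PACKETS = [
    ("198.51.100.1", "192.0.2.1", "tcp", 41000, 179),    # peer opens the session
    ("198.51.100.1", "192.0.2.1", "tcp", 179, 41001),    # replies on a session we opened
    ("198.51.100.1", "192.0.2.2", "tcp", 41000, 179),    # a peer, but of the other router
    ("198.51.100.1", "192.0.2.1", "udp", 53, 53),        # a peer, but not BGP
    ("203.0.113.77", "192.0.2.1", "tcp", 5555, 179),     # non-peer to the BGP port
    ("203.0.113.77", "192.0.2.1", "icmp", 0, 0),         # non-peer, other traffic
    ("10.255.0.12", "192.0.2.2", "tcp", 50000, 22),      # internal management
    ("203.0.113.77", "198.51.100.200", "tcp", 5555, 80), # ordinary transit
]


def summarize(packets):
    """Count verdicts over a list of packets."""
    counts = {"transit": 0, "permit": 0, "drop": 0}
    for pkt in packets:
        counts[control_plane_verdict(*pkt)] += 1
    return counts


if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(control_plane_verdict(*pkt), pkt)
    print(summarize(SAMPLE_PACKETS))
```
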

Hmm, if someone (except masochists and security vendors) still hosts
efnet... I can only send them my condolences.

I saw the same dialogs 6 years ago. Nothing changes.

> Hmm, if someone (except masochists and security vendors) still hosts
> efnet... I can only send them my condolences.
>
> I saw the same dialogs 6 years ago. Nothing changes.

BaneTele hosts an EFnet IRC server. Caused no significant problems while
I was working at BaneTele. That's probably because we *expected* DoS
attacks on the IRC server, and engineered the network accordingly.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no

What about undernet? A customer wants us to help him set up an undernet
IRC server. My gut feeling is, hosting IRC servers (especially on the
well known networks) is like wearing a "kick me/flood me" sign on your
network, and it's probably not going to be worth the pain & pages.

It probably depends on how much money is involved and if they are willing to
pay for all the network tech's time such a server brings in. My own dealings
with people wanting to run IRC servers and services are that they may have
some fixed amount of money for the server, but whatever they are expecting
to generate from such IRC-related services does not happen and they run
out of money, and most end up having to be canceled for non-pay (usually
after the first 4 or 6 months), and you end up having to decide if your company
wants to sponsor this server for the long term...

Some other things that you end up having to consider, if the server is
run by the customer, are what their policies are and how white/black/grey
their admins and the people they allow to be operators are. Operators way too
often end up being targets of attacks on the servers ...

As for Undernet, it is probably not as bad as Efnet as an attack target, but
you'll still see some attacks for sure.

> Hmm, if someone (except masochists and security vendors) still hosts
> efnet... I can only send them my condolences.
>
> I saw the same dialogs 6 years ago. Nothing changes.

> What about undernet?

That's even worse :)

> A customer wants us to help him set up an undernet IRC server. My gut
> feeling is, hosting IRC servers (especially on the well known networks)
> is like wearing a "kick me/flood me" sign on your network, and it's
> probably not going to be worth the pain & pages.

Sounds about right.
Unless you feel like charging someone several thousands of dollars per
month to host an EFNet server, don't do it unless you have a personal
interest.