September 2003 Archives
Thank you very much, spammers. You are doing a great job DDoSing blacklists, and no one can stop you.
Bad news for all anti-spam activists: SORBS (Spam and Open Relay Blocking System) is out of order. The very same thing happened to OpenRBL. Their website reads:
503 - website unavailable due to ddos
Update 2003-09-17: flooding continues, periodically morphing
Update 2003-09-19: setup of new server delayed until monday
some testing planned for tuesday, relaunch on wednesday
The website will be unavailable for at least a couple of days until
everything has been reconfigured to reliably resist such future attacks.
For dnsbl-lookups please use http://moensted.dk/spam/ instead.
Many mail servers relied on these services for a long time, but now that they have been DDoSed to death, no one cares. The only thing people do is remove the dead DNSBLs from their lists.
Maybe Jon Lasser was right.
The delegation-only feature worked fine out of the box. The only tricky part of the process was installing BIND9 on FreeBSD, which ships BIND8 as part of the base system. Installing from the ports tree only installs the binaries and documentation, so you have to do all the configuration manually.
Sad news.
After the Osirusoft RBL server, this is the second time that spammers have shut down an RBL server with DDoS attacks. This time the target was monkeys.com.
From NANOG:
-------- Original Message --------
From: Jon R. Kibler <Jon.Kibler.multi@ng.aset.com>
Newsgroups: news.admin.net-abuse.email
Subject: monkeys.com UPL DNSBL being DDOSed to death
Date: Tue, 23 Sep 2003 14:26:47 -0400
Greetings to all:
I have some really sad news. I just got off the telephone with Ron Guilmette
who runs the monkeys.com Unsecured Proxies List DNSBL. I hate to say it, but
monkeys.com has been killed. It has been DDOSed to death.
Ron says that every aspect of his network is undergoing a massive DDOS
attack from thousands of IPs -- apparently many/all spoofed. He has tried to
get law enforcement to investigate, but to no avail. He indicated that this
is probably the end of his service.
This makes two DNSBLs that have been DDOSed to death recently. Which one is
next? NJABL? ORDB?
The computer security industry really needs to figure out how to get law
enforcement to take these attacks seriously. It would only take a few good
prosecutions to put an end to these types of attacks. Any thoughts/suggestions?
This is really a dark day for those of us fighting spam. It looks like the
spammers have won a BIG battle. The only question now is who will be the
casualty in this war?
Jon R. Kibler
A.S.E.T., Inc.
Charleston, SC USA
And no one is taking any action against those spammers. :-(
Technical Advisory:
Remove *.monkeys.com from your DNSBL lookup list. Keeping it in your list may cause lost email or other kinds of unforeseen damage to your mail system: every lookup against a dead list has to time out before delivery can proceed.
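Since the advice above amounts to "find out which lists in your config are dead and drop them", here is a liveness check to run over each DNSBL in your lookup list. This is an added example, not part of the original advisory: a live list answers for the conventional test entry 127.0.0.2 and gives no answer for 127.0.0.1; a list that has been DDoSed off the net times out on both; and a list whose domain has lapsed and been wildcarded answers "listed" for everything, which is worse than a timeout. dnsbl.example is a placeholder zone, and the answers fed to the demo at the bottom are constructed.

```shell
#!/bin/sh
# Added example, not part of the original advisory: a liveness check to run
# over every DNSBL in a mail server's lookup list before deciding to keep it.
# A live list answers for the conventional test entry 127.0.0.2 and gives no
# answer for 127.0.0.1; a list that has been DDoSed off the net times out on
# both, and a lapsed domain that has been wildcarded answers "listed" for
# everything, which is worse. dnsbl.example is a placeholder zone and the
# answers in the demo at the bottom are constructed.

TIMEOUT=3   # seconds per query; a dead list must not stall the check for long

# Build the DNSBL query name: address octets reversed, under the list zone.
dnsbl_name() {
    printf '%s\n' "$1" | awk -F. -v zone="$2" '{ print $4 "." $3 "." $2 "." $1 "." zone }'
}

# Classify one query from dig's exit status ($1) and its +short output ($2).
# dig exits 9 when no server replied; an empty answer with status 0 is a
# genuine "not listed" (NXDOMAIN).
classify_answer() {
    if [ "$1" -ne 0 ]; then
        echo timeout
    elif [ -n "$2" ]; then
        echo listed
    else
        echo clean
    fi
}

# Verdict for a list from its answers to the two probes:
# $1 = result for 127.0.0.2 (should be listed), $2 = result for 127.0.0.1 (should be clean).
dnsbl_verdict() {
    case "$1/$2" in
        timeout/*|*/timeout) echo dead ;;
        listed/clean)        echo alive ;;
        *)                   echo broken ;;   # lists everything, or lists nothing
    esac
}

# Query a real list zone (needs dig and network access).
check_dnsbl() {
    zone=$1
    a=$(dig +short +time="$TIMEOUT" +tries=1 a "$(dnsbl_name 127.0.0.2 "$zone")" 2>/dev/null); sa=$?
    b=$(dig +short +time="$TIMEOUT" +tries=1 a "$(dnsbl_name 127.0.0.1 "$zone")" 2>/dev/null); sb=$?
    dnsbl_verdict "$(classify_answer "$sa" "$a")" "$(classify_answer "$sb" "$b")"
}

# Demo on constructed answers, no network needed: a healthy list (test entry
# answers 127.0.0.2, the other probe is clean) and a dead one (both time out).
printf 'dnsbl.example: %s\n' "$(dnsbl_verdict "$(classify_answer 0 127.0.0.2)" "$(classify_answer 0 '')")"
printf 'monkeys.com:   %s\n' "$(dnsbl_verdict "$(classify_answer 9 '')"        "$(classify_answer 9 '')")"
```

On a real mail server, call check_dnsbl once per zone in your RBL list and keep only the ones that come back "alive"; a "broken" verdict deserves a look before you trust that list with any rejection decisions.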
FreeBSDForums.org is the de facto home for all *BSD freaks. There is an answer to all of your questions: just ask in a forum (of course, do not forget to RTFM first) and get the answer.
The least you can do is contribute to the community by answering others' questions.
Perhaps you can guess what this is about. This is about the new Verisign policy, which affects the overall internet infrastructure. ISC has released a patch for BIND9 users which makes the resolver ignore these new wildcard answers.
This is a serious threat to all internet users. Verisign can now catch all email sent to non-existent domains (because of typing mistakes), which may contain sensitive data, and can gather a lot of statistical information that will be kept private. It also breaks the sender-domain check that many mail servers around the world use against spam: rejecting mail whose sender domain does not resolve no longer works, because every .com and .net name now resolves to Verisign's wildcard.
Ask Verisign to stop DNS wildcard answers by signing this petition.
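For anyone who wants to do what the BIND post above describes, here is the configuration in one place. This is an added example, not configuration from the original posts: the BIND 9.2.3 delegation-only settings that make a resolver treat Verisign's .com/.net wildcard answers as NXDOMAIN, plus a check that the wildcard really is being filtered. /usr/local/etc/namedb/named.conf is the location assumed for a ports-installed BIND 9, rndc is assumed to be set up already, and the probe label is a constructed non-existent name.

```shell
#!/bin/sh
# Added example, not configuration from the original posts: the BIND 9.2.3
# delegation-only settings that make a resolver treat Verisign's .com/.net
# wildcard answers as NXDOMAIN, and a check that the wildcard is really
# being filtered. /usr/local/etc/namedb/named.conf is the location assumed
# for a ports-installed BIND 9; rndc is assumed to be set up already.

NAMED_CONF=/usr/local/etc/namedb/named.conf

# Zone statements to append to named.conf. An answer from these TLD servers
# that carries no delegation (explicit or implicit) in its authority section
# is treated as NXDOMAIN, which is exactly what the wildcard A record is.
delegation_only_zones() {
    cat <<'EOF'
// Verisign wildcard countermeasure: accept only delegations from com and net.
zone "com" { type delegation-only; };
zone "net" { type delegation-only; };
// The broader form applies the rule to the root and every TLD, so TLDs that
// legitimately serve non-delegation records at the apex must be excluded:
// options { root-delegation-only exclude { "de"; "lv"; "us"; "museum"; }; };
EOF
}

# Append the zones, syntax-check the result and reload (needs root).
install_delegation_only() {
    delegation_only_zones >> "$NAMED_CONF"
    named-checkconf "$NAMED_CONF" && rndc reload
}

# Decide from a `dig +short` answer whether the wildcard is still visible:
# a name that does not exist must come back with no address at all.
assess_wildcard() {
    if [ -z "$1" ]; then
        echo "filtered: nonexistent name returned no address"
        return 0
    fi
    echo "wildcard still in effect: nonexistent name resolved to $1"
    return 1
}

# Probe the local resolver with a label that cannot legitimately exist
# (a constructed name; needs dig and network access).
check_wildcard() {
    probe="nonexistent-$(date +%s).com"
    assess_wildcard "$(dig +short a "$probe" @127.0.0.1)"
}

delegation_only_zones
```

Run check_wildcard before and after the reload: before, the made-up name resolves to Verisign's wildcard address; afterwards it must return nothing.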
route-server>sh ip bgp 69.13.64.0
% Network not in table
I guess they are experiencing serious network difficulties. If you are going to choose a host, I strongly recommend Hostway. They are simply great, and always reachable! Their only negative point is that they do not offer FreeBSD servers.
eWeek article:
Why turn to a BSD base as the basis for a commercial open Unix? BSD has been around, it's been proven, it's stable and has a broad groundswell of development. BSD-based Unix systems have been around for multiple decades now. There's sufficient documentation, standardization and educational resources to promote their development. BSD systems have been implemented on such a wide range of hardware platforms and operating environments that their value is accepted almost without question.
Read the whole article: eWeek: Why a SCO Win Could Be Good for Unix
[farrokhi@server www]$ uptime
  2:52pm  up 263 days, 11:33,  1 user,  load average: 0.10, 0.09, 0.02
This server is colocated in Chicago. The reason I haven't rebooted it for the past 9 months is that I am afraid I will lose it if it restarts. I am really not sure it will survive a reboot with all those patches and software I have installed on it.
The Globe and Mail reports:
Linux, not Microsoft Windows, remains the most-attacked operating system, a British security company reports.
During August, 67 per cent of all successful and verifiable digital attacks against on-line servers targeted Linux, followed by Microsoft Windows at 23.2 per cent. A total of 12,892 Linux on-line servers running e-business and information sites were successfully breached in that month, followed by 4,626 Windows servers, according to the report.
Just 360 — less than 2 per cent — of BSD Unix servers were successfully breached in August.
Read the complete article.
I signed up with O'Reilly Network's Safari Bookshelf last night. The first two weeks are free, but after that you pay $15 per month for 10 slots. Each book you add to your bookshelf occupies one slot (or sometimes two). You can fill up to 10 slots simultaneously. I signed up for a "Small" library, which has 10 slots, but you may choose a different setup like Medium (20 slots for $25) or Large (30 slots for $30).
Once your library is filled with books, you have two options: upgrade to a bigger library or swap an old book for a new one. But there are rules: the book you want to swap out must have been kept for 30 days. It's fair.
But the books are really cool! I am currently reading Practical Unix & Internet Security, 3rd Edition (occupies 2 slots) and Programming Perl, 3rd Edition (occupies one slot).
I am planning to add DNS and BIND, Fourth Edition and Incident Response soon.
Reading books online has many benefits for me. First of all, it is not easy for me to buy a hard copy of these books since they are not available in local bookshops, and buying online from B&N takes 2-3 weeks to deliver. This way I can read my favorite books online easily. It is also much cheaper than buying the hard copy. You can even swap your old books for new ones for the same price. Or easily copy & paste code directly from the book into your favorite IDE, which reduces typing errors and makes life easier.
It is worth giving it a try. A free 14-day trial is available.
I've made a short how-to on installing FreeBSD 5.0 on the Fujitsu-Siemens LifeBook C1020, which might be useful for anyone trying to install FreeBSD on such a laptop.
Permanent home for this article will be http://farrokhi.net/lifebook-freebsd/
I am not a Linux guru, but if you are using Linux as your network border router, you can block the Nachi worm using netfilter (explained here).
But if you are running FreeBSD as your gateway, you need IPFW2 (instead of the standard ipfw in the 4.x branch) to filter 92-byte ICMP packets: the worm's probes are ICMP echo requests with an IP total length of 92 bytes (64 bytes of payload plus the 20-byte IP and 8-byte ICMP headers), and matching on packet length needs the iplen option.
pilot:~# ipfw add 50 deny icmp from any to any iplen 92
00050 deny icmp from any to any iplen 92
and then check that it works:
pilot:~# ipfw show
00050        10        920 deny icmp from any to any iplen 92
00100    300093   64940563 allow ip from any to any
65535         0          0 deny ip from any to any
So we caught 10 packets (920 bytes in total) after a short while.
iplen is only supported in IPFW2, which is enabled by default in FreeBSD 5.x; you have to enable it manually if you are using the 4.x series.
The ipfw man page has more detailed information about the new enhancements in ipfw2 and how to enable it in a 4.x kernel:
ipfw2 is standard in FreeBSD CURRENT, whereas FreeBSD STABLE still uses ipfw1 unless the kernel is compiled with options IPFW2, and /sbin/ipfw and /usr/lib/libalias are recompiled with -DIPFW2 and reinstalled (the same effect can be achieved by adding IPFW2=TRUE to /etc/make.conf before a buildworld).
OpenBSD gurus may provide a solution to do the same using pf.
Here is how:
Steve Friedl has posted another useful tip on blocking spammers with Postfix.
It explains that spammers often do not give their real hostname in the HELO or EHLO SMTP command; they use YOUR name or address instead! So you can easily block them with a few simple Postfix rules that reject connections identifying themselves as you.
Read it here.
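To show what those rules look like in practice, here is an added example of the setup, not Steve Friedl's own configuration: a Postfix regexp access table that rejects any client whose HELO/EHLO argument is one of our own identities, the main.cf wiring for it, and a dry run of the table against a few sample HELO strings. mail.example.com, example.com and 192.0.2.25 are constructed placeholders for this server's host name, domain and public address. The one caveat worth keeping in mind is in the install function: permit_mynetworks has to come before the table, because your own clients and other hosts on your network legitimately announce themselves with your name.

```shell
#!/bin/sh
# Added example, not Steve Friedl's own configuration: Postfix rules that
# reject clients whose HELO/EHLO name is one of our own identities, plus a
# dry run of the table against sample HELO strings. mail.example.com,
# example.com and 192.0.2.25 are constructed placeholders for this server's
# host name, domain and public address.

MY_HOSTNAME=mail.example.com
MY_DOMAIN=example.com
MY_ADDRESS=192.0.2.25
HELO_TABLE=/etc/postfix/helo_checks

# Escape the dots of a name or address for a Postfix regexp: table.
re_escape() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# Emit the access table, one pattern per identity. The address pattern
# allows the brackets of "HELO [192.0.2.25]".
helo_checks_table() {
    printf '/^%s$/ REJECT You are not %s\n'          "$(re_escape "$MY_HOSTNAME")" "$MY_HOSTNAME"
    printf '/^%s$/ REJECT You are not %s\n'          "$(re_escape "$MY_DOMAIN")"   "$MY_DOMAIN"
    printf '/^\\[?%s\\]?$/ REJECT You are not %s\n'  "$(re_escape "$MY_ADDRESS")"  "$MY_ADDRESS"
}

# Install: write the table and wire it into smtpd_helo_restrictions.
# permit_mynetworks comes first, because our own clients legitimately
# announce themselves with our name. Needs root.
install_helo_checks() {
    helo_checks_table > "$HELO_TABLE"
    postconf -e 'smtpd_helo_required = yes'
    postconf -e "smtpd_helo_restrictions = permit_mynetworks, check_helo_access regexp:$HELO_TABLE, permit"
    postfix reload
}

# Dry run: apply the same patterns (case-insensitively, as Postfix does) to a
# HELO argument and print the action that would be taken, or OK.
helo_verdict() {
    verdict=$(helo_checks_table | while read -r pattern action; do
        re=${pattern#/}; re=${re%/}
        if printf '%s\n' "$1" | grep -Eiq -- "$re"; then
            printf '%s\n' "$action"
            break
        fi
    done)
    printf '%s\n' "${verdict:-OK}"
}

# Show the table, then what it does to a few constructed HELO arguments.
helo_checks_table
for h in mail.example.com MAIL.EXAMPLE.COM '[192.0.2.25]' mx1.other.example; do
    printf '%-20s -> %s\n' "$h" "$(helo_verdict "$h")"
done
```

Before turning this on, run helo_verdict against the HELO names your own relays and internal hosts actually send (they show up in the mail log) to make sure nothing legitimate outside mynetworks gets caught.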

Portupgrade (by Akinori MUSHA) is simply the best reason to switch to FreeBSD. The ports collection itself is great, but without portupgrade, upgrading a port is a painful process.
Although the portupgrade man pages are the best source of information about it, there are still many good resources on the net explaining how to use it effectively.
I use it on a regular basis on all workstations and servers to reduce the administrative overhead of keeping all my packages up to date.
Olivier Fourdan, creator of XFce, says:
XFce is a lightweight desktop environment for various *NIX systems.
Designed for productivity, it loads and executes applications fast, while conserving system resources.
It is lightweight, fast and easy to use. It won't eat your memory like KDE or Gnome do. If you are a Solaris user, it will feel like a familiar CDE environment, but for free.
I have been evaluating version 4 beta on my laptop for a while and so far it has performed very well.
After implementing the Nachi filter (blocking 92-byte ICMP packets), you may have noticed that traceroute from your local network to the internet stops at your edge router. This is because the ICMP echo probes that traceroute sends by default have the same total length as the worm's, 92 bytes (64 bytes of payload plus the 20-byte IP and 8-byte ICMP headers), so the filter drops them as well.
I have no solution for the Windows tracert command, since it does not support altering the ICMP packet size; you have to use a third-party traceroute utility that does (e.g. PingPlotter). But on a *nix workstation the ICMP packet size used by traceroute is configurable. Choose a smaller packet size to get past the filter.
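Here is the whole thing as one script: the ipfw2 rule from the Nachi filter post above, a helper that reads the rule's hit counters out of `ipfw show` so you can confirm it is actually catching something, and a traceroute wrapper that works around the problem described in this post. This is an added example, not code from the original posts. Rule number 50 is the post's choice; the 60-byte probe length (any total length other than 92 bytes passes the filter) and the `ipfw show` sample at the bottom are constructed.

```shell
#!/bin/sh
# Added example, not code from the original posts: the Nachi/Welchia filter
# from the ipfw post as a script, a helper that reads the rule's hit counters
# out of `ipfw show`, and a traceroute wrapper that works around the
# traceroute breakage. Rule number 50 is the post's choice; the 60-byte probe
# length and the `ipfw show` sample at the bottom are constructed.

NACHI_RULE=50
PROBE_LEN=60    # any total length other than 92 bytes passes the filter

# Install the filter. Needs root and an IPFW2 kernel: the ipfw1 in the
# FreeBSD 4.x GENERIC kernel does not understand the iplen option.
install_nachi_filter() {
    # The worm's echo requests have an IP total length of 92 bytes:
    # 20 (IP header) + 8 (ICMP header) + 64 bytes of payload.
    ipfw add "$NACHI_RULE" deny icmp from any to any iplen 92
}

# Read `ipfw show` output on stdin and print "<packets> <bytes>" for rule $1.
# Columns are: rule number (zero-padded), packet counter, byte counter, body.
rule_counters() {
    awk -v want="$1" '$1 + 0 == want + 0 { print $2, $3; exit }'
}

# Summarise what the filter has caught so far; fails if the rule is not loaded.
nachi_report() {
    rule=${1:-$NACHI_RULE}
    counters=$(rule_counters "$rule")
    if [ -z "$counters" ]; then
        echo "rule $rule is not loaded" >&2
        return 1
    fi
    set -- $counters
    printf 'rule %s dropped %s packets (%s bytes)\n' "$rule" "$1" "$2"
}

# Trace a path with ICMP echo probes of a length the filter does not match.
# FreeBSD's traceroute(8) takes the packet length as a trailing argument.
trace_past_filter() {
    traceroute -I "$1" "$PROBE_LEN"
}

# Constructed `ipfw show` output in the shape the post shows, so the report
# helper can be exercised without a live firewall:
SAMPLE_SHOW='00050        10        920 deny icmp from any to any iplen 92
00100    300093   64940563 allow ip from any to any
65535         0          0 deny ip from any to any'

printf '%s\n' "$SAMPLE_SHOW" | nachi_report
```

On the gateway itself, `ipfw show | nachi_report` gives the same one-line summary from the live counters, and `trace_past_filter some.host` gets you a trace through the filter from a FreeBSD workstation.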
