Cisco

Stories related to Cisco and their products

Internet Security Operations and Intelligence II

isoi 2 is finalized. the schedule and agenda can be found here:
http://isotf.org/isoi2.html

i am going to do my best to release some of these presentations publicly after the event (if the authors agree), but it is not likely.

some public feedback will be relayed from the workshop.

gadi evron,
ge@beyondsecurity.com.

QoS and bot traffic

i am starting a discussion in the relevant groups on this subject, to try and come up with some suggestions and to-do items we can follow up on, or maybe even better – find another solution.

networks require a means by which they can control their botnet population. yes, “curing” the problem is great, but it won’t happen in the near future.

obviously, having isps call even one customer to remove infections doesn’t work (it costs significantly more than the subscription fee per attempt), and people just get re-infected.

i am looking to utilize proven technology to be able to reduce the cost of what a botnet can do.

if botnet traffic is detected, even by not very sophisticated technologies such as simply checking for email sent from dynamic ranges or netflow data, it should be possible to use routing technology to “mitigate”.

qos can limit the traffic these bots can utilize, much like it does for p2p users in most isps today. these users already have limited bandwidth due to the effects of the bot.

how can this be done using today’s technology? does it require a re-design of hardware, or new systems to be designed? i hope to find out and get a proposal ready.

gadi evron,
ge@beyondsecurity.com.
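as an added example (not from the post above), the detection-to-mitigation chain it proposes, in miniature: dynamic-pool hosts that deliver mail directly to many remote mail servers, seen in constructed netflow-style records, are turned into per-host policing decisions that touch only their tcp/25 traffic. the pool, the isp relay address, the threshold and the rate are all constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# constructed: the isp's dynamically assigned customer pool and its own outbound mail relay
DYNAMIC_POOLS = [ip_network("198.51.100.0/24")]
ISP_RELAYS = {"192.0.2.25"}
SMTP_PORT = 25
DISTINCT_MX_THRESHOLD = 5   # distinct remote mail servers per window before a host is treated as a bot
SMTP_RATE_LIMIT_KBPS = 64   # constructed policing rate applied to a flagged host's tcp/25 traffic

# constructed netflow-style records: (src_ip, dst_ip, dst_port, bytes)
FLOWS = [
    ("198.51.100.17", "203.0.113.10", 25, 4200),
    ("198.51.100.17", "203.0.113.11", 25, 3900),
    ("198.51.100.17", "203.0.113.12", 25, 4100),
    ("198.51.100.17", "203.0.113.13", 25, 3800),
    ("198.51.100.17", "203.0.113.14", 25, 4000),
    ("198.51.100.17", "192.0.2.25", 25, 2200),    # sent through the isp relay: not counted
    ("198.51.100.42", "203.0.113.10", 25, 1500),  # one direct delivery: below threshold
    ("198.51.100.42", "192.0.2.80", 443, 90000),  # unrelated web traffic
    ("192.0.2.9", "203.0.113.10", 25, 5000),      # static-range host, out of scope here
]

def in_dynamic_pool(ip: str) -> bool:
    return any(ip_address(ip) in net for net in DYNAMIC_POOLS)

def direct_smtp_destinations(flows):
    """Map each dynamic-pool host to the remote mail servers it delivered to directly
    (bypassing the isp relay); this is the 'email sent from dynamic ranges' signal."""
    dsts = defaultdict(set)
    for src, dst, dport, _ in flows:
        if dport == SMTP_PORT and dst not in ISP_RELAYS and in_dynamic_pool(src):
            dsts[src].add(dst)
    return dsts

def qos_actions(flows, threshold=DISTINCT_MX_THRESHOLD):
    """Turn the detection into per-host policing decisions: only the flagged host's
    tcp/25 traffic is rate-limited, everything else it does is left alone."""
    actions = []
    for host, mxs in sorted(direct_smtp_destinations(flows).items()):
        if len(mxs) >= threshold:
            actions.append({"host": host, "match": f"tcp/{SMTP_PORT}",
                            "distinct_mx": len(mxs), "rate_kbps": SMTP_RATE_LIMIT_KBPS})
    return actions

if __name__ == "__main__":
    for action in qos_actions(FLOWS):
        print(action)
```

the decisions are what would feed the access router's qos policy; the threshold and the observation window are the parts an isp would tune against its own false-positive rate.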

ISOI II – a DA Workshop (announcement and CFP)

the second internet security operations and intelligence (isoi) da workshop will take place on the 25th and 26th of january, 2007. it will be hosted by the microsoft corporation in redmond, wa. an after-party dinner will be hosted by trend micro.

this workshop’s main topic is botmaster operational tactics – the use of vulnerabilities and 0day exploits in the wild (by spyware, phishing and botnet operators, for their businesses).
secondary subjects include ddos, phishing and general botnet subjects.

Internet Worms and BGP Storms

i surfed the web today, and reached jose’s blog. he covered a paper called:
“is bgp update storm a sign of trouble: observing the internet control and data planes during internet worms”
by matthew roughan, jun li, randy bush, zhuoqing mao and timothy griffin.

you can find it here: http://www.eecs.umich.edu/~zmao/papers/spects06-camera.pdf

the paper’s abstract:

there are considerable reasons to wish to understand the relationship between the internet’s control and data planes in times of stress. for example, the much publicized internet worms—code red, nimda and sql slammer—caused bgp storms, but there has been comparatively little study of whether the storms impacted network performance. in this paper, we study these worm events and see whether the bgp storms observed during the worms actually corresponded to problems in the internet’s data plane. by processing and analyzing two datasets from ripe, we have found that while bgp update storms occurred in all three worms, the performance of the data plane degraded during the slammer worm but did not during the code red and the nimda. no direct correlation should be drawn between the degradation of the internet data plane and the occurrence of a bgp update storm—it may not be a sign of trouble but a sign of the internet control plane doing its job.

Cisco Systems IOS GRE Decapsulation Fault

i would like to draw your urgent attention to a couple of securiteam articles:
the advisory, released by fx:
http://www.securiteam.com/securitynews/5sp0520jpq.html

“cisco systems ios contains a bug when parsing gre packets with gre source routing information. a specially crafted gre packet can cause the router to reuse packet data from unrelated ring buffer memory. the resulting packet is reinjected in the routing queues”.

this is the cisco response:
http://www.securiteam.com/unixfocus/5tp0620jpk.html
original url: http://www.cisco.com/warp/public/707/cisco-sr-20060906-gre.shtml

if you are not into routing, this is what gre is:
http://en.wikipedia.org/wiki/generic_routing_encapsulation

gadi evron,
ge@beyondsecurity.com.
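as an added example (not from the advisory or from cisco), a bounds-checked parser for the gre header and its source route entries, showing the checks a decapsulation routine has to make before trusting the length fields in the routing information. the field layout follows rfc 1701 and the sample packets are constructed.

```python
import struct

# GRE flag bits in the first 16-bit word (RFC 1701): checksum, routing, key, sequence
GRE_C, GRE_R, GRE_K, GRE_S = 0x8000, 0x4000, 0x2000, 0x1000

def parse_gre(pkt: bytes) -> dict:
    """Parse a GRE header and its Source Route Entries (SREs), checking every
    length field against the real buffer before using it."""
    if len(pkt) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack_from("!HH", pkt, 0)
    if flags & 0x7:
        raise ValueError("unsupported GRE version")
    hdr, off = {"proto": proto, "sres": []}, 4
    # optional words: checksum+offset (present if C or R), key, sequence number
    for bit, fmt, names in ((GRE_C | GRE_R, "!HH", ("checksum", "offset")),
                            (GRE_K, "!I", ("key",)), (GRE_S, "!I", ("seq",))):
        if flags & bit:
            if len(pkt) < off + struct.calcsize(fmt):
                raise ValueError(f"truncated {names[0]} field")
            hdr.update(zip(names, struct.unpack_from(fmt, pkt, off)))
            off += struct.calcsize(fmt)
    if flags & GRE_R:
        while True:  # routing field: SREs terminated by a null SRE (af 0, len 0)
            if len(pkt) < off + 4:
                raise ValueError("routing field not terminated by a null SRE")
            af, sre_off, sre_len = struct.unpack_from("!HBB", pkt, off)
            off += 4
            if af == 0 and sre_len == 0:
                break
            # advertised length must fit in the packet and the active-entry offset inside the SRE
            if sre_off > sre_len or len(pkt) < off + sre_len:
                raise ValueError("SRE length/offset exceeds packet bounds")
            hdr["sres"].append({"af": af, "offset": sre_off, "info": pkt[off:off + sre_len]})
            off += sre_len
    hdr["payload"] = pkt[off:]
    return hdr

def is_malformed(pkt: bytes) -> bool:
    try:
        return parse_gre(pkt) is None  # parse_gre always returns a dict on success
    except ValueError:
        return True

HDR = struct.pack("!HHHH", GRE_R, 0x0800, 0, 0)  # constructed: R set, IPv4 inside, checksum/offset word
ROUTE = bytes([192, 0, 2, 1, 192, 0, 2, 2])        # constructed IPv4 hop list for one SRE
NULL_SRE = struct.pack("!HBB", 0, 0, 0)
VALID_GRE = HDR + struct.pack("!HBB", 0x0800, 0, len(ROUTE)) + ROUTE + NULL_SRE + b"inner-ip"
OVERSIZED_SRE = HDR + struct.pack("!HBB", 0x0800, 0, 255) + ROUTE + NULL_SRE + b"inner-ip"  # lies about length
UNTERMINATED = HDR + struct.pack("!HBB", 0x0800, 0, len(ROUTE)) + ROUTE  # no null SRE
```

the two malformed samples are the cases a parser must reject rather than read past: a routing entry whose length claims more bytes than the packet holds, and a routing field with no terminator.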

Courtney Love explains BGP

it is not often we get to have some fun while dealing with the realm of bgp. that said, you can get a good rotfl and learn from this surprisingly informative post:

http://www.routergod.com/?p=40

if you like, look for other posts there, such as “don king on ip access lists” or “gary coleman on priority queuing”. whatever you do, read this. :)

have fun. :)

thanks to twi for this link.

gadi evron,
ge@beyondsecurity.com.

Internet Security Operations and Intelligence – a DA Workshop

the da workshop will be mostly on the subject of botnets, while also touching on phishing and ddos.

it will take place on august 10th, hosted by cisco in san jose, with a dinner sponsored by the isc.
participation is open only to members of closed and vetted mitigation and security operations groups.

main lineup:

“bot, botnets, sandbox, impact”
righard j. zwienenberg (norman)

“msrc malware/exploit zero day response – case studies”
greg galford (microsoft)

“the rough road around us in botnet tracking”
jose nazario (arbor)

“malcode toolkit profiteering: feeding the trend in m.o. from fame to fortune”
hubbard dan (websense)

case study: ***
levi gundert (us secret service)

“recent bots detection information from microsoft security products”
ziv mador (microsoft)

“security inside the router: how network gear handles ddos attacks”
barry raveendran greene (cisco)

“what keeps us up at night:
new & advanced difficult to mitigate ddos attacks”
darrel lewis (cisco)

“the global infection rate”
rick wesson (alice’s registry)

“phishing and botnets organized crime:
globalization and technology intelligence update”
gadi evron (beyond security)

“fast-flux botnet c&c servers – detection & mitigation”
randy vaughn (baylor)

tba
david ulevitch (everydns / opendns)

tba
jerry dixon (dhs – us-cert)

tba
paul vixie (isc)

the web site for the workshop is:
http://isotf.org/isoi.html

gadi evron,
ge@beyondsecurity.com.