5:24 p.m.
--=-TsLC1+TQtXJ+Qzkr5Z24
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Le mardi 28 juin 2016 =C3=A0 10:14 -0400, Dave Neary a =C3=A9crit :
FYI.
----- Forwarded Message -----
From: Herv=C3=A9 Leclerc <herve.leclerc(a)alterway.fr>
To: Dave Neary <dneary(a)redhat.com>, Infra(a)ovirt.org
Cc: Arnaud CAZIN <arnaud.cazin(a)alterway.fr>, St=C3=A9phane Vincent <steph=
ane.vincent(a)alterway.fr>
Sent: Mon, 27 Jun 2016 13:06:17 -0400 (EDT)
Subject: Re: [oVirt-Infra] : New Gateway
=20
Hello,
=20
Did you made the changes asked ?
Can you please give us a status on your actions.
I stopped rpcbind, which sould solve the problem.
But I wonder why we didn't got the mail in the first time, it didn't
appear on the list, nor in moderation.=20
Regards
=20
=20
=20
Herv=C3=A9 Leclerc
CTO
Alter Way
227 Bureaux de la colline
1 rue Royale - B=C3=A2t. D
92210 Saint-Cloud
France
*+33 141168336*
+33 6 83979598
=20
=20
=20
`like a halo in reverse`
=20
=20
=20
On Sun, Jun 26, 2016 at 3:54 PM, Herv=C3=A9 Leclerc <herve.leclerc@alterw=
ay.fr>
wrote:
=20
> Hello
>
> Your vm alterway02.ovirt.org is participating in a ddos attack. Could
> please correct the problem rapidly !
> eg.
> iptables -A INPUT -p udp --dport 111 -j DROP
>
>
>
> Regards
>
> Original message
> A public-facing device on your network, running on IP address 89.31.
> 150.216, operates a RPC port mapping service responding on UDP port 111
> and participated in a large-scale attack against a customer of ours,
> generating responses to spoofed requests that claimed to be from the at=
tack
> target.
>
> Please consider reconfiguring this server in one or more of these ways:
>
> 1. Adding a firewall rule to block all access to this host's UDP port 1=
11
> at your network edge (it would continue to be available on TCP
port 111=
in
> this case).
> 2. Adding firewall rules to allow connections to this service (on UDP p=
ort
> 111) from authorized endpoints but block connections from all
other hos=
ts.
> 3. Disabling the port mapping service entirely (if it is not
needed).
>
> More information on this attack vector can be found at this third-party
> website (we did not create this content):
> http://blog.level3.com/security/a-new-ddos-reflection-attack-portmapper=
-an-early-warning-to-the-industry/
>
> Example responses from the host during this attack are given below.
> Date/timestamps (far left) are UTC.
>
> 2016-06-25 22:46:44.588895 IP 89.31.150.216.111 > 74.201.57.x.80: UDP,
> length 628
> 0x0000: 4500 0290 0000 4000 3111 d378 591f 96d8 E.....@.1..xY=
...
> 0x0010: 4ac9 3924 006f 0050 027c dc65 6572 0a37
J.9$.o.P.|.ee=
r.7
> 0x0020: 0000 0001 0000 0000 0000 0000 0000 0000
.............=
...
> 0x0030: 0000 0000 0000 0001 0001 86a0 0000 0004
.............=
...
> 0x0040: 0000 0006 0000 006f 0000 0001 0001 86a0
.......o.....=
...
> 0x0050: 0000 ..
> 2016-06-25 22:46:44.588939 IP 89.31.150.216.111 > 74.201.57.x.80: UDP,
> length 628
> 0x0000: 4500 0290 0000 4000 3111 d378 591f 96d8 E.....@.1..xY=
...
> 0x0010: 4ac9 3924 006f 0050 027c dc65 6572 0a37
J.9$.o.P.|.ee=
r.7
> 0x0020: 0000 0001 0000 0000 0000 0000 0000 0000
.............=
...
> 0x0030: 0000 0000 0000 0001 0001 86a0 0000 0004
.............=
...
> 0x0040: 0000 0006 0000 006f 0000 0001 0001 86a0
.......o.....=
...
> 0x0050: 0000 ..
> 2016-06-25 22:46:45.048914 IP 89.31.150.216.111 > 74.201.57.x.80: UDP,
> length 628
> 0x0000: 4500 0290 0000 4000 3111 d378 591f 96d8 E.....@.1..xY=
...
> 0x0010: 4ac9 3924 006f 0050 027c dc65 6572 0a37
J.9$.o.P.|.ee=
r.7
> 0x0020: 0000 0001 0000 0000 0000 0000 0000 0000
.............=
...
> 0x0030: 0000 0000 0000 0001 0001 86a0 0000 0004
.............=
...
> 0x0040: 0000 0006 0000 006f 0000 0001 0001 86a0
.......o.....=
...
> 0x0050: 0000 ..
> 2016-06-25 22:46:45.048963 IP 89.31.150.216.111 > 74.201.57.x.80: UDP,
> length 628
> 0x0000: 4500 0290 0000 4000 3111 d378 591f 96d8 E.....@.1..xY=
...
> 0x0010: 4ac9 3924 006f 0050 027c dc65 6572 0a37
J.9$.o.P.|.ee=
r.7
> 0x0020: 0000 0001 0000 0000 0000 0000 0000 0000
.............=
...
> 0x0030: 0000 0000 0000 0001 0001 86a0 0000 0004
.............=
...
> 0x0040: 0000 0006 0000 006f 0000 0001 0001 86a0
.......o.....=
...
> 0x0050: 0000 ..
>
> (The final octet of our customer's IP address is masked in the above
> output because some automatic parsers become confused when multiple IP
> addresses are included. The value of that octet is "36".)
>
> -John
> President
> Nuclearfallout, Enterprises, Inc. (NFOservers.com)
>
> (We're sending out so many of these notices, and seeing so many
> auto-responses, that we can't go through this email inbox effectively. =
If
> you have follow-up questions, please contact us at
noc(a)nfoe.net.)
>
> Herv=C3=A9 Leclerc
> CTO
> Alter Way
> 227 Bureaux de la colline
> 1 rue Royale - B=C3=A2t. D
> 92210 Saint-Cloud
> France
> *+33 141168336 <%2B33%20141168336>*
> +33 6 83979598
>
>
>
> `like a halo in reverse`
>
>
>
> On Wed, Feb 19, 2014 at 10:46 AM, Herv=C3=A9 Leclerc <herve.leclerc@alt=
erway.fr
> > wrote:
>
>> Hello,
>>
>> Our Internet gateway is changing.
>> Could you please change your actual gateway (*89.31.150.249*) on your
>> machines (89.31.150.215 and 216) and vms to *89.31.150.253*
>> Thanks
>>
>> Let us know when this modification is done.
>>
>> Cheers
>>
>> Herv=C3=A9 Leclerc
>> CTO
>> Alter Way
>> 1, rue royale
>> 9 =C3=A8me =C3=A9tage
>> 92210 St Cloud
>> *+33 1 41 16 83 36 <%2B33%201%2041%2016%2083%2036>*
>> +33 6 83979598
>>
>>
>>
>>
>> <http://www.alterway.fr/signatures/url/1>
>>
>>
>>
>>
>
=20
--=20
Michael Scherer
Sysadmin, Community Infrastructure and Platform, OSAS
--=-TsLC1+TQtXJ+Qzkr5Z24
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: This is a digitally signed message part
Content-Transfer-Encoding: 7bit
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
iQIcBAABAgAGBQJXcoiiAAoJEE89Wa+PrSK9nKAP/2yufHdT4ISBe/IuaJttfu7H
wLT/a6KLRGJ2y7Ifs11OxS/PJOrV4Z9T4Wtn/3oG87xsNMShNUZlvWSEF/TCQcR0
Hr6BQTimIRbCWbZ9xdvO9ieaNPiv3EF6VEw4jKToH2Vgwy/xkQAOZZGFt7Wyp6Kd
IuABhhM/vaJ6vBeyFx5pNZPbXTqEOy/D2KMhwJFLLXk4UlzpZlMVBHDtQQ1WS6fN
XoJQwqG/KecqiiebwYIIHfirGA7H+ufF7vvnjlgRKiyVuPzS8N5/0q3PDIfWRIol
VImUJj8FY9gupzkizAWqI8X570Hmzwfedb6V9S/E2XTzi6XqfpBsM2sAp7DGATBl
q3AT7UuScq0Y33mqYkeVrSvq9sfhAP1ZxBK8Emj2NKmiAthB1sEmvjcT5FHUp0F2
K+trprkEBoodvVcD9+HiefC8xuuBgHAnNdYXAglBLoOdYzD6eQyVCz823VfWn9+E
sS0pWIXFjssKr9Qpigb2y55FmuIaSPfCjekCQyg5AwKJYsgT/50OkR+ab1eSfjEY
NJ12TKyMOpWXfZAskeQ5DFVXgYe5hbohmSs3vrfeqnFIuXsamn3lzKW6EVK3IE6z
3RyX6lDKq1yVHZTK7J2EPZ4o+mx7NNHR7dE2Fp8mMapTLMEWjIh6D2wFkRp2x+hO
VEevgXHkCTXrCYXfo5yi
=OVh1
-----END PGP SIGNATURE-----
--=-TsLC1+TQtXJ+Qzkr5Z24--
7:38 p.m.
New subject: Fwd: Re: [oVirt-Infra] : New Gateway
This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--s7CTwlmkHREHQ3If7hFa7l8CiNrtsh8xQ
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: quoted-printable
Quack,
> Subject: Re: [oVirt-Infra] : New Gateway
This is not a subject I can see in the whole 2016 archive. So wonder
where this comes from.
\_o<
--s7CTwlmkHREHQ3If7hFa7l8CiNrtsh8xQ
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCgAGBQJXcqf7AAoJEFXp+fesHEQ/po0QAISB+1+cGTPc9kmxU1UbdPxQ
NYOEKdxWXbhC76B+TN2JXh29dJmcpEjm6gQC3fIhmsRkn4fE8kwybB9lF4uhoWbX
Z/79kxRysx1rZTWGNRSuOszXyaBxKhggtvmiy8R+OOP5CiEFvPsqfFhS/tb8arxy
QI900BRJXOfydlBN5vn0GV5s58zOMS59m7ud2HLdpwMMMdYNQJ5HA6uQGSCHJVlI
3x1/Ks3FHpN0bdUWhOJmPDaX0UD4WWfMBMCqVE2GJrcI2qE+Z9j8a+PpevOH092x
le7YXqW8GoDb+sEuGTBMEn4icOjKIFZi4eZmtsRN0FKrH/uRi8aWBUkvjUW2j0BI
1tz/NEI4puWQqEvQaON5BQB1/J4ZzkSaxa/7mX2o6QKJqv0leLO6YXcye5AQvPqt
tO53vLbaoLwWHMkJ5VSFY93QK8OvU9K51SpN28iYRcKclihaW12LccLYMadGoPKc
zGzMfuriTtZQncOvRb7IVmvq8u06utT4kkJlIf+efmSFnXVjQZ7HJ+YpXX6BV7se
dOLwTnzmFH+0Vx9g0wTnPeegaHxptLM9Uvv/roy8OYzxQiLz/Q4/DruA62RYrfmE
OPYe0bCHaaJfE9LdrX6YhTtz3oTgo7e81cnXiPzmdFBVbwLbs65AGvcjNa4YUsaI
A7uEAJufx0wQmboLvyUD
=drAr
-----END PGP SIGNATURE-----
--s7CTwlmkHREHQ3If7hFa7l8CiNrtsh8xQ--
12:11 p.m.
New subject: Fwd: Re: [oVirt-Infra] : New Gateway
Content preview: On Wed, Jun 29, 2016 at 01:38:16AM +0900, Marc Dequènes (Duck)
wrote: > >> Subject: Re: [oVirt-Infra] : New Gateway > > This is not a
subject
I can see in the whole 2016 archive. So wonder > where this comes from. [...]
Content analysis details: (-1.2 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[URIs: ovirt.org]
0.7 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
[score: 0.0000]
X-SA-Exim-Connect-IP: 2a02:1398:804::199
X-SA-Exim-Mail-From: ewoud+ovirt(a)kohlvanwijngaarden.nl
X-SA-Exim-Scanned: No (on mail.xentower.nl); SAEximRunCond expanded to false
X-BeenThere: infra(a)ovirt.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "List for ovirt.org infrastructure team" <infra.ovirt.org>
List-Unsubscribe: <http://lists.ovirt.org/mailman/options/infra>;,
<mailto:infra-request@ovirt.org?subject=unsubscribe>
List-Archive: <http://lists.ovirt.org/pipermail/infra/>
List-Post: <mailto:infra@ovirt.org>
List-Help: <mailto:infra-request@ovirt.org?subject=help>
List-Subscribe: <http://lists.ovirt.org/mailman/listinfo/infra>;,
<mailto:infra-request@ovirt.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Jun 2016 09:46:00 -0000
On Wed, Jun 29, 2016 at 01:38:16AM +0900, Marc Dequènes (Duck) wrote:
>> Subject: Re: [oVirt-Infra] : New Gateway
This is not a subject I can see in the whole 2016 archive. So wonder
where this comes from.
http://lists.ovirt.org/pipermail/infra/2014-February/005468.html
is the mail you're looking for.
12:15 a.m.
New subject: Fwd: Re: [oVirt-Infra] : New Gateway
Is the ovirt-infra list set to reject email from non-members? That would
result in the behaviour you describe (and would be an error that would
need to be fixed).
Thanks,
Dave.
On 06/28/2016 10:24 AM, Michael Scherer wrote:
Le mardi 28 juin 2016 à 10:14 -0400, Dave Neary a écrit :
> FYI.
> ----- Forwarded Message -----
> From: Hervé Leclerc <herve.leclerc(a)alterway.fr>
> To: Dave Neary <dneary(a)redhat.com>, Infra(a)ovirt.org
> Cc: Arnaud CAZIN <arnaud.cazin(a)alterway.fr>, Stéphane Vincent
<stephane.vincent(a)alterway.fr>
> Sent: Mon, 27 Jun 2016 13:06:17 -0400 (EDT)
> Subject: Re: [oVirt-Infra] : New Gateway
>
> Hello,
>
> Did you made the changes asked ?
> Can you please give us a status on your actions.
I stopped rpcbind, which sould solve the problem.
But I wonder why we didn't got the mail in the first time, it didn't
appear on the list, nor in moderation.
> Regards
>
>
>
> Hervé Leclerc
> CTO
> Alter Way
> 227 Bureaux de la colline
> 1 rue Royale - Bât. D
> 92210 Saint-Cloud
> France
> *+33 141168336*
> +33 6 83979598
>
>
>
> `like a halo in reverse`
>
>
>
> On Sun, Jun 26, 2016 at 3:54 PM, Hervé Leclerc <herve.leclerc(a)alterway.fr>
> wrote:
>
>> Hello
>>
>> Your vm alterway02.ovirt.org is participating in a ddos attack. Could
>> please correct the problem rapidly !
>> eg.
>> iptables -A INPUT -p udp --dport 111 -j DROP
>>
>>
>>
>> Regards
>>
>> Original message
>> A public-facing device on your network, running on IP address 89.31.
>> 150.216, operates a RPC port mapping service responding on UDP port 111
>> and participated in a large-scale attack against a customer of ours,
>> generating responses to spoofed requests that claimed to be from the attack
>> target.
>>
>> Please consider reconfiguring this server in one or more of these ways:
>>
>> 1. Adding a firewall rule to block all access to this host's UDP port 111
>> at your network edge (it would continue to be available on TCP port 111 in
>> this case).
>> 2. Adding firewall rules to allow connections to this service (on UDP port
>> 111) from authorized endpoints but block connections from all other hosts.
>> 3. Disabling the port mapping service entirely (if it is not needed).
>>
>> More information on this attack vector can be found at this third-party
>> website (we did not create this content):
>>
http://blog.level3.com/security/a-new-ddos-reflection-attack-portmapper-a...
>>
>> Example responses from the host during this attack are given below.
>> Date/timestamps (far left) are UTC.
>>
>> 2016-06-25 22:46:44.588895 IP 89.31.150.216.111 > 74.201.57.x.80: UDP,
>> length 628
>> 0x0000: 4500 0290 0000 4000 3111 d378 591f 96d8 E.....@.1..xY...
>> 0x0010: 4ac9 3924 006f 0050 027c dc65 6572 0a37 J.9$.o.P.|.eer.7
>> 0x0020: 0000 0001 0000 0000 0000 0000 0000 0000 ................
>> 0x0030: 0000 0000 0000 0001 0001 86a0 0000 0004 ................
>> 0x0040: 0000 0006 0000 006f 0000 0001 0001 86a0 .......o........
>> 0x0050: 0000 ..
>> 2016-06-25 22:46:44.588939 IP 89.31.150.216.111 > 74.201.57.x.80: UDP,
>> length 628
>> 0x0000: 4500 0290 0000 4000 3111 d378 591f 96d8 E.....@.1..xY...
>> 0x0010: 4ac9 3924 006f 0050 027c dc65 6572 0a37 J.9$.o.P.|.eer.7
>> 0x0020: 0000 0001 0000 0000 0000 0000 0000 0000 ................
>> 0x0030: 0000 0000 0000 0001 0001 86a0 0000 0004 ................
>> 0x0040: 0000 0006 0000 006f 0000 0001 0001 86a0 .......o........
>> 0x0050: 0000 ..
>> 2016-06-25 22:46:45.048914 IP 89.31.150.216.111 > 74.201.57.x.80: UDP,
>> length 628
>> 0x0000: 4500 0290 0000 4000 3111 d378 591f 96d8 E.....@.1..xY...
>> 0x0010: 4ac9 3924 006f 0050 027c dc65 6572 0a37 J.9$.o.P.|.eer.7
>> 0x0020: 0000 0001 0000 0000 0000 0000 0000 0000 ................
>> 0x0030: 0000 0000 0000 0001 0001 86a0 0000 0004 ................
>> 0x0040: 0000 0006 0000 006f 0000 0001 0001 86a0 .......o........
>> 0x0050: 0000 ..
>> 2016-06-25 22:46:45.048963 IP 89.31.150.216.111 > 74.201.57.x.80: UDP,
>> length 628
>> 0x0000: 4500 0290 0000 4000 3111 d378 591f 96d8 E.....@.1..xY...
>> 0x0010: 4ac9 3924 006f 0050 027c dc65 6572 0a37 J.9$.o.P.|.eer.7
>> 0x0020: 0000 0001 0000 0000 0000 0000 0000 0000 ................
>> 0x0030: 0000 0000 0000 0001 0001 86a0 0000 0004 ................
>> 0x0040: 0000 0006 0000 006f 0000 0001 0001 86a0 .......o........
>> 0x0050: 0000 ..
>>
>> (The final octet of our customer's IP address is masked in the above
>> output because some automatic parsers become confused when multiple IP
>> addresses are included. The value of that octet is "36".)
>>
>> -John
>> President
>> Nuclearfallout, Enterprises, Inc. (NFOservers.com)
>>
>> (We're sending out so many of these notices, and seeing so many
>> auto-responses, that we can't go through this email inbox effectively. If
>> you have follow-up questions, please contact us at noc(a)nfoe.net.)
>>
>> Hervé Leclerc
>> CTO
>> Alter Way
>> 227 Bureaux de la colline
>> 1 rue Royale - Bât. D
>> 92210 Saint-Cloud
>> France
>> *+33 141168336 <%2B33%20141168336>*
>> +33 6 83979598
>>
>>
>>
>> `like a halo in reverse`
>>
>>
>>
>> On Wed, Feb 19, 2014 at 10:46 AM, Hervé Leclerc <herve.leclerc(a)alterway.fr
>>> wrote:
>>
>>> Hello,
>>>
>>> Our Internet gateway is changing.
>>> Could you please change your actual gateway (*89.31.150.249*) on your
>>> machines (89.31.150.215 and 216) and vms to *89.31.150.253*
>>> Thanks
>>>
>>> Let us know when this modification is done.
>>>
>>> Cheers
>>>
>>> Hervé Leclerc
>>> CTO
>>> Alter Way
>>> 1, rue royale
>>> 9 ème étage
>>> 92210 St Cloud
>>> *+33 1 41 16 83 36 <%2B33%201%2041%2016%2083%2036>*
>>> +33 6 83979598
>>>
>>>
>>>
>>>
>>> <http://www.alterway.fr/signatures/url/1>
>>>
>>>
>>>
>>>
>>
>
--
Dave Neary - NFV/SDN Community Strategy
Open Source and Standards, Red Hat - http://community.redhat.com
Ph: +1-978-399-2182 / Cell: +1-978-799-3338
3062
days inactive
3069
days old
3 comments
4 participants
participants (4)
-
Dave Neary -
Ewoud Kohl van Wijngaarden -
Marc Dequènes (Duck) -
Michael Scherer