Re: Packet Kiddies Invade NANOG

2004-03-16 Thread albertpublic

You know how easy it is to fake IRC logs?

Yes, I do.  And I also know that these aren't fake.  I've seen them before,
from some respected sources in the ISP security community, and I've also seen
Gregory's manifesto sent to the EFNet admins list admitting to having launched
DDoS attacks against the servers, and attempting to rationalize his behavior.
Are you denying that, too?

I don't know why you people seem to think I'm involved with all
of this stuff.

Because you're friends of Andrew Kirch (aka trelane), who's Mr. Gregory OseK
Taylor's right hand man.  Guilt by association, and all that.

If you want to show evidence, do it offlist and among yourselves, because I
don't think people give a crap about your little spats between one another -
especially not based on IRC logs.

Sorry Brian, but I'm not going to play these games.  If you can publicly
dispute the claims that you and your friends are packet kiddies, I have just
as much of a right to post to the list attempting to prove them, or at the
least, pointing out the hypocrisy of your ways.  Hopefully some prospective
employer will find this thread when googling for info on you and your
friends, and think twice about hiring you for security work.



Concerned about your privacy? Follow this link to get
FREE encrypted email: https://www.hushmail.com/?l=2

Free, ultra-private instant messaging with Hush Messenger
https://www.hushmail.com/services.php?subloc=messengerl=434

Promote security and make money with the Hushmail Affiliate Program: 
https://www.hushmail.com/about.php?subloc=affiliatel=427


Re: Fw: Packet Kiddies Invade NANOG

2004-03-16 Thread albertpublic

I was talking more along the lines of disclosing personal information
without permission

Since when was re-pasting entries from the phonebook considered illegal?

 slander is another one as well...

I suggest you read a legal dictionary, and turn to the definitions of
slander and libel.  One involves speech, the other involves print.  And it's
never slander or libel if it's all factually accurate.  Unless, of course,
you're disputing the accuracy of the phone book.





Re: Packet Kiddies Invade NANOG

2004-03-16 Thread albertpublic

Matthew (yes I know it is you)

No, my name is Albert.

I have not attacked any Internet Service Provider or IRC server
in several years.  I am and have been retired from the underground
for a long while now, despite the constant comments made to the contrary
by people who do not represent me in any manner.

Yeah, I bet.  Guess that explains this exploit you contributed to recently:

http://www.l33tsecurity.com/get.php?file=13

Furthermore, thanks for admitting to committing felonies on this list.
In case you were unaware, your statute of limitations has not yet expired.

Signed,
Albert Public
(firstname lastname)





network or not? Re: Platinum accounts for the Internet (was Re: who offers cheap (personal) 1U colo?)

2004-03-16 Thread Scott Weeks



On Mon, 15 Mar 2004, Alexei Roudnev wrote:

First, let me say that I appreciate your s wrt the s2n ratio here.  I
don't want to indicate otherwise.  But, to get into the circle with
everyone else and shoot some marbles...  :)

: Ok - is name resolution issue network issue or not? if it is, how can you
: answer anything without knowing, for example, of existing Windows DNS
: client with internal cache, and difference between 'ping' and 'nslookup'
: name resolution on Solaris?
:
: Is ARP problem - network one or not? if it is, how can you determine, what
: happen, if some crazy server became ARP proxy and sends wrong
: information to everyone?

Loopback plug, sniffer or some similar geek thingie.  Not the network;
hand the ticket off.  I guess it means defining what we mean by the
network.


: For tier-2  - I agree. For real tier-3 - I can not. Those friends, who are
: excellent network engineers (much better than me, with CCIE
: and other _really good_ experience), knows Windows and Unix on a very good
: level. (of course, if some HR asks them 'where is configuration file for
: SAMBA on Solaris - no one answer, but it does not mean that they do not know
: Solaris; and you can always met religious people 'my god is MS / my god is
: Linux').

I never said a good netgeek didn't know these things.  I only said, you
don't HAVE to know them to be a good escalation network engineer for a big
ass network with specialized folks.


: Is it bad, If they (your sysadmins) understand your backbone
: infrastructure and understand such things, as MTU MTU discovery, knows
: about ACL filters (without extra details) and existing limitations? They
: are not required to know about VPN mode or T3 card configuration, but
: they must understand basic things.

This is what makes good network/system engineers on both sides of the
fence.  When the ticket is tossed over the fence, the crapwork is done.
Person that gets the ticket is happy and returns the favor when tossing a
ticket your way.  Get both sides caring about tossing tickets properly and
you gotta kick-ass team going on.  damn, i miss the days...


: Else, everything ends up in a long delays and 10 person technical
: meetings (by the phone, of course) - which is the best way of wasting
: anyone's time.

OUCH!!! The pain in my brain from absorbing that idea!! :-)

scott



:
: - Original Message -
: From: Scott Weeks [EMAIL PROTECTED]
: To: [EMAIL PROTECTED]
: Sent: Monday, March 15, 2004 1:32 PM
: Subject: Re: Platinum accounts for the Internet (was Re: who offers cheap
: (personal) 1U colo?)
:
:
: 
: 
: 
:  On Mon, 15 Mar 2004, Alexei Roudnev wrote:
: 
:  : I expect, that good (tier-3, to say) network engineer MUST know Windows and
:  : Unix (== Linux, FreeBSD etc) on tier-2 (or better) level. Else, he will not
:  : be able to troubleshoot his _network problem_ (because they are more likely
:  : complex Network + System + Application + Cable problem).
:  :
:  : So, it is not a good answer.
: 
:  Not true in many cases.  All I have to prove is it's not the network and
:  then I hand it off to the windows/*nix/whatever sysadmins.  To prove
:  it's not the network, I don't need to know the end systems in any sort of
:  detail.
: 
:  scott
: 
: 
: 
:  :
:  : - Original Message -
:  : From: Pete Templin [EMAIL PROTECTED]
:  : To: [EMAIL PROTECTED]
:  : Sent: Monday, March 15, 2004 7:16 AM
:  : Subject: Re: Platinum accounts for the Internet (was Re: who offers cheap
:  : (personal) 1U colo?)
:  :
:  :
:  : 
:  :  Laurence F. Sheldon, Jr. wrote:
:  : 
:  :   Pete Templin wrote:
:  :   There's a reason I've gotten out of small ISP consulting - I don't do
:  :   Windows, and I'm getting overrun by Linux corrosion slowly.  I route,
:  :   I switch, I help with securing networks.  And I do wear a lot of hats
:  :   at my day job, but I remind them that they hired a specialist, and
:  :   promised lots of server support all along the way.  Granted, the
:  :   Windows guy is overloaded and the UNIX/Linux guy would snore in front
:  :   of his PHB...
:  :  
:  :   If you are in Nebraska I can help you with the Unemploy^WWorkforce
:  :   Development paperwork.
:  : 
:  :  I didn't suggest saying I'm not gonna do it.  I just suggested You
:  :  hired me to deploy dynamic routing on your statically-routed network.
:  :  What prompted you to think that I could configure site-wide anti-virus
:  :  services such that no one ever reports a virus leak from our enterprise,
:  :  without training, time to test and develop such a critical solution, or
:  :  both?
:  : 
:  :  pt
:  :
:  :
: 
:
:




Re: Packet Kiddies Invade NANOG

2004-03-16 Thread jqtaxpayer

Hello,

I just thought I should chime in here.

Below you will find OseK's (Greg Taylor) manifesto sent to EFnet admins
during an event last year where OseK was attacking most EFnet servers.

Additionally, I can tell you that Greg was attacking my network at some
point in the last year, and readily admitted to it at the time.

Signed,
J. Quincy Taxpayer

- Forwarded message from Don Crossman [EMAIL PROTECTED] -

DO NOT INCLUDE MY EMAIL ADDRESS IN THIS LETTER
OR MY NAME
KEEP ME ANONYMOUS MINUS MY NICKNAME

To whom it may concern,

I go by the nickname of OseK on the Eris Free Network, EFNet. I am sending
this e-mail in response to certain claims and accusations being made by a
few people in an attempt to clear up the situation for those who are both
confused and agitated.

I will start off by giving you the reasons for my actions and what my
intentions are and why I am taking the actions that I am taking. EFNet,
throughout the existence of the network, has seen its good days and its bad.
EFNet has had to deal with corrupt, abusive, egotistical opers who work
contrary to the best interests of this network, and use their position of
power to satisfy whatever ego they have. Unfortunately, for this network it
has come to the point where the Network Administrators of certain servers
have created an ironfist autocracy so to speak, where they can do whatever
they want and answer to nobody. I myself, have put up with this constant
abuse for several years. All of these years, every time I'm /killed, I do
nothing, every time I'm /klined I do nothing, but most recently, a channel
that I run that had no bots, only people, was taken over, mass /killed and
set as a TROLL channel on #chanfix over a matter that didn't involve us to
begin with.

The person who committed this act was Darryl Williams, also known as shi on
EFNet. Former torix admin and currently opered on NAC, Mindspring, Easynews,
and Security Support. His abusive record extends much farther than even the
most notorious criminals. He has run banned hacks on TorIX, has committed
countless acts of abuse against users and then taunted those users into
attempting to packet torix, which he thought, was invincible. After over 15
warnings to him to watch his actions, after constant emails to
[EMAIL PROTECTED] which were either pasted back to me and laughed at, or
thrown into the trash bin, and after attempting to talk to various opers on
that server to complain, I decided to take matters into my own hands. Either
Torix was going to remove his O: line or it would be dropped indefinitely.

Neither of which happened. I was approached by the admin of torix asking why
this was going on and I posted him legit and authentic logs (despite what
shi may try to say). The TorIX admin decided because the logs showed too
much incriminating evidence against shi, that he would suspend shi's O: line
for further review of his future on that server. shi meanwhile utilized a
backdoor in the IRCD itself to re-add his O: line and try to hide as a TCM
bot. That is the direct reason he was permanently removed from TorIX. For
adding himself back without permission from the other admins.

Now we will talk about Qeast and what their big deal is. Qeast is WELL KNOWN
for being the home of abusive admins in .CA EFNet. xyst and atomix have run
server hacks, and have committed various forms of abuse including channel
take overs, packeting of other .ca servers in order to reduce those servers
max clients, and nickname juping. xyst also sees any potential future hub as
a threat to qeast and utilizes his 2 of 4 votes to deny links to such
servers. I will bring up irc.magic.ca and irc.total.net which were servers
on efnet for many years, who even sponsored qeast's link to efnet, but xyst
utilized his 2 votes per server to deny them links. For the record, xyst and
shi are friends, they say they aren't but they are.

IRCD/HUB IP addresses: These IPs were obtained through several confidential
sources, some of which are operlist users, operwall viewers, and opers
themselves. I will let you know that the HUB IP I had gotten for Qeast in
the 192.77.73.* block which was broadcasting multiple IPs on various ports.
I decided to drop the router which is what is currently under attack.

Servers that will not be attacked: Servers that will NOT be attacked are
those that the admins of said servers and opers, have shown countless times
that they are truly here for the network and not for their ego. Opers who
work hard every day to provide users with the most comfortable atmosphere to
chat in. Opers who follow their own policies and will not allow abusive
admins to push them around. These servers include all of .EU EFNet.
irc.aloha.net, irc.vrfx.com, irc.nac.net, irc.limelight.us, irc.xo, and
more.

Take

Re: Packet Kiddies Invade NANOG (retry)

2004-03-16 Thread jqtaxpayer

Sorry about the last post, my client's linewrap seems to not work properly,
I'll try again.

Hello,

I just thought I should chime in here.

Below you will find OseK's (Greg Taylor) manifesto sent to EFnet admins
during an event last year where OseK was attacking most EFnet servers.

Additionally, I can tell you that Greg was attacking my network at some
point in the last year, and readily admitted to it at the time.

Signed,
J. Quincy Taxpayer

- Forwarded message from Don Crossman [EMAIL PROTECTED] -

DO NOT INCLUDE MY EMAIL ADDRESS IN THIS LETTER
OR MY NAME
KEEP ME ANONYMOUS MINUS MY NICKNAME

To whom it may concern,

I go by the nickname of OseK on the Eris Free Network, EFNet.  I am sending
this e-mail in response to certain claims and accusations being made by a
few people in an attempt to clear up the situation for those who are both
confused and agitated.

I will start off by giving you the reasons for my actions and what my
intentions are and why I am taking the actions that I am taking.  EFNet,
throughout the existence of the network, has seen its good days and its bad.
EFNet has had to deal with corrupt, abusive, egotistical opers who work
contrary to the best interests of this network, and use their position of
power to satisfy whatever ego they have.  Unfortunately, for this network it
has come to the point where the Network Administrators of certain servers
have created an ironfist autocracy so to speak, where they can do whatever
they want and answer to nobody.  I myself, have put up with this constant
abuse for several years.  All of these years, every time I'm /killed, I do
nothing, every time I'm /klined I do nothing, but most recently, a channel
that I run that had no bots, only people, was taken over, mass /killed and
set as a TROLL channel on #chanfix over a matter that didn't involve us to
begin with.

The person who committed this act was Darryl Williams, also known as shi on
EFNet.  Former torix admin and currently opered on NAC, Mindspring,
Easynews, and Security Support.  His abusive record extends much farther
than even the most notorious criminals.  He has run banned hacks on TorIX,
has committed countless acts of abuse against users and then taunted those
users into attempting to packet torix, which he thought, was invincible.
After over 15 warnings to him to watch his actions, after constant emails to
[EMAIL PROTECTED] which were either pasted back to me and laughed at, or
thrown into the trash bin, and after attempting to talk to various opers on
that server to complain, I decided to take matters into my own hands.
Either Torix was going to remove his O: line or it would be dropped
indefinitely.

Neither of which happened. I was approached by the admin of torix asking why
this was going on and I posted him legit and authentic logs (despite what
shi may try to say).  The TorIX admin decided because the logs showed too
much incriminating evidence against shi, that he would suspend shi's O: line
for further review of his future on that server.  shi meanwhile utilized a
backdoor in the IRCD itself to re-add his O: line and try to hide as a TCM
bot.  That is the direct reason he was permanently removed from TorIX.  For
adding himself back without permission from the other admins.

Now we will talk about Qeast and what their big deal is.  Qeast is WELL
KNOWN for being the home of abusive admins in .CA EFNet.  xyst and atomix
have run server hacks, and have committed various forms of abuse including
channel take overs, packeting of other .ca servers in order to reduce those
servers max clients, and nickname juping.  xyst also sees any potential
future hub as a threat to qeast and utilizes his 2 of 4 votes to deny links
to such servers.  I will bring up irc.magic.ca and irc.total.net which were
servers on efnet for many years, who even sponsored qeast's link to efnet,
but xyst utilized his 2 votes per server to deny them links.  For the
record, xyst and shi are friends, they say they aren't but they are.

IRCD/HUB IP addresses:  These IPs were obtained through several confidential
sources, some of which are operlist users, operwall viewers, and opers
themselves.  I will let you know that the HUB IP I had gotten for Qeast in
the 192.77.73.* block which was broadcasting multiple IPs on various ports.
I decided to drop the router which is what is currently under attack.

Servers that will not be attacked: Servers that will NOT be attacked are
those that the admins of said servers and opers, have shown countless times
that they are truly here for the network and not for their ego.  Opers who
work hard every day to provide users with the most comfortable atmosphere to
chat in.  Opers who follow their own policies and will not allow abusive
admins to push them around.  These servers include all of .EU EFNet.
irc.aloha.net, irc.vrfx.com, 

Re: Packet Kiddies Invade NANOG

2004-03-16 Thread Michael . Dillon

People should be worried about stuff like this. 
Banetele is a facilities-based network operator
in Norway and these guys are directly attacking
their BGP sessions to put them off the air.

Assuming that they are not sourcing the attacks
in Banetele's AS, then you, the peer of Banetele
are delivering the packet stream that kills the
BGP session. How long before peering agreements
require ACLs in border routers so that only BGP 
peering routers can source traffic destined to
your BGP speaking routers?

(08:48:02) #sigdie!OseK_ i just collapsed banetele's BGP announcement
(08:48:43) #sigdie!p i dunno banetele looks dead
(08:48:48) #sigdie!p or maybe im just lagging
(08:49:00) #sigdie!OseK_ ... BitchX: Sent server ping to [irc.banetele.no]
(08:49:00) #sigdie!OseK_ ... Server pong from irc.banetele.no 0.8224 seconds
(08:49:12) #sigdie!p bash-2.05a$ telnetirc.banetele.no 6667
(08:49:13) #sigdie!p Trying 213.239.111.2...
(08:49:16) #sigdie!OseK_ thats cuz I collapsed their BGP announcement by nailing their router head on
(08:49:26) #sigdie!OseK_ but they have a secondary route to efnet
(08:49:30) #sigdie!_mre|42o BGP announcement?
(08:49:31) #sigdie!OseK_ thru their multihomed connection
(08:49:32) #sigdie!OseK_ yeah
(08:49:37) #sigdie!OseK_ they have a collapsable route
(08:49:44) #sigdie!OseK_ using the border gateway protocl
(08:49:54) #sigdie!OseK_ hey have to announce to a pool
(08:49:58) #sigdie!OseK_ in order to establish their route
(08:50:07) #sigdie!OseK_ but if thye get hit enough their router drops the announcements
(08:50:10) #sigdie!OseK_ and they lose their routes
(08:50:14) #sigdie!OseK_ its wierd
(08:50:21) #sigdie!OseK_ i dont quite understand how it works myself
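
The border-router ACL idea raised in the message above, worked through as an added example (not code from the thread or from any participant): a first-match filter that lets only configured BGP peers reach the router's BGP-speaking addresses while transit traffic passes. The session list, addresses (documentation ranges) and rule model are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

BGP_PORT = 179          # BGP sessions run over TCP port 179
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str         # "permit" or "deny"
    proto: str          # "tcp", or "ip" for any protocol
    src: str            # single address or CIDR block
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto not in ("ip", pkt.proto):
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.sport is not None and pkt.sport != self.sport:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def build_acl(sessions: List[Tuple[str, str]]) -> List[Rule]:
    """sessions: (local_router_address, peer_address) pairs."""
    acl: List[Rule] = []
    for local, peer in sessions:
        # The peer opened the TCP connection: destination port is 179.
        acl.append(Rule("permit", "tcp", peer, local, dport=BGP_PORT))
        # We opened the connection: replies arrive from the peer's port 179.
        acl.append(Rule("permit", "tcp", peer, local, sport=BGP_PORT))
    # Everything else aimed at a BGP-speaking address is dropped.
    for local in sorted({local for local, _ in sessions}):
        acl.append(Rule("deny", "ip", ANY, local))
    # Traffic routed *through* the box is not touched by this filter.
    acl.append(Rule("permit", "ip", ANY, ANY))
    return acl


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; an empty match falls to implicit deny."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Constructed sessions and packets, for illustration only.
SESSIONS = [("192.0.2.1", "192.0.2.2"), ("198.51.100.1", "198.51.100.2")]
SAMPLES = [
    ("peer opens session", Packet("192.0.2.2", "192.0.2.1", "tcp", 40000, 179)),
    ("reply to our session", Packet("192.0.2.2", "192.0.2.1", "tcp", 179, 51000)),
    ("non-peer SYN to 179", Packet("203.0.113.50", "192.0.2.1", "tcp", 1234, 179)),
    ("non-peer UDP at router", Packet("203.0.113.50", "192.0.2.1", "udp", 53, 4444)),
    ("peer to wrong local addr", Packet("192.0.2.2", "198.51.100.1", "tcp", 40000, 179)),
    ("transit traffic", Packet("203.0.113.50", "203.0.113.99", "tcp", 1234, 80)),
]


def classify_samples() -> Dict[str, str]:
    acl = build_acl(SESSIONS)
    return {label: evaluate(acl, pkt) for label, pkt in SAMPLES}


if __name__ == "__main__":
    for label, verdict in classify_samples().items():
        print(f"{verdict:6} {label}")
```

A filter keyed on source address still passes packets that spoof a peer's address; the TTL check of GTSM (RFC 5082) and edge anti-spoofing cover that case.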







Re: who offers cheap (personal) 1U colo?

2004-03-16 Thread Michael . Dillon

  Too bad I can't automate the web logins.

Huh!?

http://curl.haxx.se/

And then there are all those Windows macro recorder 
programs http://www.tucows.com/macros95_default.html

--Michael Dillon






Re: A TCP Replacement protocol 6000 times faster than DSL?

2004-03-16 Thread Stephen J. Wilcox

Oops:
This Account Has Been Suspended
Please contact the billing/support department as soon as possible.

How fast is DSL? I think mine is 64k min, so 6000x64k=384Mb .. hmm, I can 
transfer files currently via Gig for faster than that. 

But anyway, yeah they've done a bunch of benchmarks with stuff like this.

Basically you hack the TCP protocol stack at either end and it flows faster, the 
downside is you might break a whole bunch of things by doing so and you need to 
change the whole worlds' tcp stacks if you want to roll this out.

Steve

On Mon, 15 Mar 2004, Scott Call wrote:

 
 
 Found on slashdot:
 http://www.scienceblog.com/community/article2473.html
 
 Any idea what they're trying to say/sell?
 
 The article is so vague as to be mostly useless, but it seems to indicate
 the usual stuff like sliding windows.
 
 -S
 
 




Re: Packet Kiddies Invade NANOG

2004-03-16 Thread Stephen J. Wilcox

On Tue, 16 Mar 2004, [EMAIL PROTECTED] wrote:

 People should be worried about stuff like this.  Banetele is a
 facilities-based network operator in Norway and these guys are directly
 attacking their BGP sessions to put them off the air.

Can anyone from Banetele/who knows Banetele confirm this attack took place?

Steve

 Assuming that they are not sourcing the attacks
 in Banetele's AS, then you, the peer of Banetele
 are delivering the packet stream that kills the
 BGP session. How long before peering agreements
 require ACLs in border routers so that only BGP 
 peering routers can source traffic destined to
 your BGP speaking routers?
 
 (08:48:02) #sigdie!OseK_ i just collapsed banetele's BGP announcement
 (08:48:43) #sigdie!p i dunno banetele looks dead
 (08:48:48) #sigdie!p or maybe im just lagging
 (08:49:00) #sigdie!OseK_ ... BitchX: Sent server ping to [irc.banetele.no]
 (08:49:00) #sigdie!OseK_ ... Server pong from irc.banetele.no 0.8224 seconds
 (08:49:12) #sigdie!p bash-2.05a$ telnetirc.banetele.no 6667
 (08:49:13) #sigdie!p Trying 213.239.111.2...
 (08:49:16) #sigdie!OseK_ thats cuz I collapsed their BGP announcement by nailing their router head on
 (08:49:26) #sigdie!OseK_ but they have a secondary route to efnet
 (08:49:30) #sigdie!_mre|42o BGP announcement?
 (08:49:31) #sigdie!OseK_ thru their multihomed connection
 (08:49:32) #sigdie!OseK_ yeah
 (08:49:37) #sigdie!OseK_ they have a collapsable route
 (08:49:44) #sigdie!OseK_ using the border gateway protocl
 (08:49:54) #sigdie!OseK_ hey have to announce to a pool
 (08:49:58) #sigdie!OseK_ in order to establish their route
 (08:50:07) #sigdie!OseK_ but if thye get hit enough their router drops the announcements
 (08:50:10) #sigdie!OseK_ and they lose their routes
 (08:50:14) #sigdie!OseK_ its wierd
 (08:50:21) #sigdie!OseK_ i dont quite understand how it works myself
 
 
 
 
 
 



Re: Packet Kiddies Invade NANOG

2004-03-16 Thread sthaug

  People should be worried about stuff like this.  Banetele is a
  facilities-based network operator in Norway and these guys are directly
  attacking their BGP sessions to put them off the air.
 
 Can anyone from Banetele/who knows Banetele confirm this attack took place?

According to the people I spoke to, they had not noticed such an attack
on the date specified.

Steinar Haug, Nethelp consulting, [EMAIL PROTECTED]
(who used to work for BaneTele, and was intimately involved with getting
suitable BGP filters in place)


2001:590::/32 announced by both AS4436 (nLayer) and AS4474 (Global Village, no contact in whois, but seems to be nLayer...)

2004-03-16 Thread Jeroen Massar


[cc: to [EMAIL PROTECTED], maybe now it will get their
attention instead of going into /dev/null]

Hi,

Here is some operational content, instead of Packet Kiddies
trying to rape each other verbally ;)

According to Toshikazu Saito (Powerdcom):

 I know both ASs, 4436 and 4474 are yours, so
 nlayer should resolve this problem or respond to this.

But:

OrgName:Global Village Communication, Inc.
OrgID:  GVC-8
Address:1144 East Arques Avenue
City:   Sunnyvale
StateProv:  CA
PostalCode: 94086
Country:US

ASNumber:   4474
ASName: GVIL1
ASHandle:   AS4474
Comment:The information for this ASN has been reported to
Comment:be invalid. ARIN has attempted to obtain updated data, but has
Comment:been unsuccessful. To provide current contact information,
Comment:please e-mail [EMAIL PROTECTED]
RegDate:1995-03-08
Updated:2003-07-31

The reason for the above was that we are currently seeing
2001:590::/32 announced by both AS4436 (nLayer) and AS4474
(Global Village Communication) but apparently this is the
same company and apparently they are using the bogus ASN.
Bogus as it has no valid contact information

See telnet://grh.sixxs.net
or http://www.sixxs.net/tools/grh/lg/?find=2001:590::/32
for the odd routes and who it goes over.

As nLayer seems to be able to only send ticket responses
but there seems to be no real user alive maybe it is time
to start letting their peers ask them what to do with this
and if they can't contact them to just start depeering?
Unresponsive NOC's is a real nightmare.

Greets,
 Jeroen

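
The check behind the report above, as an added example (not from the original message or from SixXS): find prefixes whose AS paths end in more than one origin AS, then flag origins whose registry contact data is marked invalid. The table lines, the upstream ASNs (documentation range) and the contact-status map are constructed; only 2001:590::/32, AS4436 and AS4474 come from the message.

```python
from collections import defaultdict
from ipaddress import ip_network
from typing import Dict, List, Optional, Tuple

# Constructed routing-table extract: "<prefix> <AS path>", origin AS last.
SAMPLE_TABLE = """\
2001:590::/32    64496 64500 4436
2001:590::/32    64497 64501 4474 4474
2001:db8::/32    64496 64499
2001:db8::/32    64497 64499 64499 64499
2001:db8:1::/48  64498 {64502,64503}
"""

# Constructed registry view. AS4474 mirrors the whois comment quoted in the
# message ("reported to be invalid"); the AS4436 entry is an assumption.
CONTACT_VALID = {4436: True, 4474: False}


def origin_of(as_path: str) -> Optional[int]:
    """Return the origin AS (last hop), or None when it is ambiguous."""
    tokens = as_path.split()
    if not tokens:
        return None                     # locally originated, no path
    last = tokens[-1]
    if last.startswith("{") or last.endswith("}"):
        return None                     # AS_SET: no single origin
    return int(last)


def find_moas(table_text: str) -> Dict[str, List[int]]:
    """Map each prefix seen with two or more distinct origins to them."""
    origins = defaultdict(set)
    for line in table_text.splitlines():
        parts = line.split(None, 1)
        if not parts:
            continue                    # blank line
        prefix = str(ip_network(parts[0]))   # normalise and validate
        origin = origin_of(parts[1] if len(parts) > 1 else "")
        if origin is not None:
            origins[prefix].add(origin)
    return {p: sorted(o) for p, o in origins.items() if len(o) > 1}


def flag_uncontactable(moas: Dict[str, List[int]],
                       contact_valid: Dict[int, bool]) -> List[Tuple[str, int]]:
    """List (prefix, origin) pairs whose origin has no valid contact data.

    An ASN missing from the map is treated as not contactable.
    """
    flagged = []
    for prefix in sorted(moas):
        for asn in moas[prefix]:
            if not contact_valid.get(asn, False):
                flagged.append((prefix, asn))
    return flagged


if __name__ == "__main__":
    moas = find_moas(SAMPLE_TABLE)
    for prefix, asns in moas.items():
        print(prefix, "originated by", ", ".join(f"AS{a}" for a in asns))
    for prefix, asn in flag_uncontactable(moas, CONTACT_VALID):
        print(f"{prefix}: origin AS{asn} has no valid registry contact")
```

AS-path prepending (the repeated 4474 and 64499 entries) does not change the origin, so only the first prefix is reported.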



Re: who offers cheap (personal) 1U colo?

2004-03-16 Thread John Kristoff

On Mon, 15 Mar 2004 23:17:27 -0500 (EST)
Andrew Dorsett [EMAIL PROTECTED] wrote:

 I'm not referring to the time required to implement.  I'm talking about
 the time it takes for the user.  On the user end.  Lets do some simple
 math.  Lets say I turn on my laptop before I shower, I power it down
 during the day while I'm in class and I turn it back on when I get home in
 the evening.  This means two logins per day.  Lets say that the login

The systems I'm familiar with require only a single login per quarter,
semester or school year unless there is a manual de-registration, which is
most often due to an AUP violation or system compromise.

John


Re: 2001:590::/32 announced by both AS4436 (nLayer) and AS4474 (Global Village, no contact in whois, but seems to be nLayer...)

2004-03-16 Thread Michael . Dillon

[cc: to [EMAIL PROTECTED], maybe now it will get their
attention instead of going into /dev/null]

This is an odd thing to do because you don't say
what action you would like ARIN to take.
What do you think ARIN should do?

ASHandle:   AS4474
Comment:The information for this ASN has been reported to
Comment:be invalid. ARIN has attempted to obtain updated data, but has
Comment:been unsuccessful. 

Clearly ARIN has already done something about AS4474.
So what else do you think they should do?

Note that you might want to take this type of
discussion onto the ARIN Public Policy
mailing list which is open to anyone whether
they are an ARIN member or not. 
http://www.arin.net/mailing_lists/index.html#ppml

--Michael Dillon




RE: 2001:590::/32 announced by both AS4436 (nLayer) and AS4474 (Global Village, no contact in whois, but seems to be nLayer...)

2004-03-16 Thread Jeroen Massar


Jordan Lowe [mailto:[EMAIL PROTECTED] wrote:

 Who are you to start publicly trying to depeer people? Nlayer has a
 great noc, I am a customer, and know many more.  They are currently
 migrating from 4474 to 4436 due to the asn issue, and its not 
 illegal to source a route from two asn's.

AS4474 is not theirs, for that matter it currently doesn't belong
to anyone as there is not valid contact information registered in
the ARIN database.

 They're almost done with the 
 migration, I didn't see any emails from you when cogent was renumbering 
 from 16631 to 174 asking for a depeering.

Because I am not watching IPv4 tables and cogent announced it.
Also both those ASN's are properly registered in the registries.
Next to that Cogent does respond to inquiries.

 If you just emailed or called 
 they would have gladly resolved your issue. Can you explain the 
 operational problem with this dual announcement?  I seem to be missing it.

I am a user of the internet who asked for an answer at their
NOC from which I got *no* reply, except for ticket numbers,
even after sending 2 messages the last two weeks.
Which then caused me to inquire NANOG which is a correct list
to do so as nLayer is a US based (North American) ISP.

Next to that mentioning nLayer to abuse-tracking people seems
to also get a response that there is quite a lot of abuse in
the forms of spam from them. Is that the reason they are 'migrating'
to hide their paths from the spam aware people?

Maybe you, as a perfect customer, can ask them to update their
objects in the ARIN registry or stop hijacking internet resources?

Greets,
 Jeroen




RE: 2001:590::/32 announced by both AS4436 (nLayer) and AS4474 (Global Village, no contact in whois, but seems to be nLayer...)

2004-03-16 Thread Jeroen Massar


[EMAIL PROTECTED] wrote:

 [cc: to [EMAIL PROTECTED], maybe now it will get their
 attention instead of going into /dev/null]
 
 This is an odd thing to do because you don't say
 what action you would like ARIN to take.
 What do you think ARIN should do?

Maybe not clear from the message I sent to NANOG,
but which should be clear to ARIN:
 Update the AS4474 contact information.

Apparently nLayer is using it, thus they should be
listed there. Then again it doesn't help as they
are not reachable through the contact address
([EMAIL PROTECTED]) provided in the AS4436 object.
One does get a XML ticket number back though.
But no response whatsoever, except now from a
customer of theirs.

 ASHandle:   AS4474
 Comment:The information for this ASN has been reported to
 Comment:be invalid. ARIN has attempted to obtain updated data, but has
 Comment:been unsuccessful. 
 
 Clearly ARIN has already done something about AS4474.

Yup, stating that the ASN is in a completely uncontactable
state, which is what I mentioned.

RegDate:1995-03-08
Updated:2003-07-31

Thus from those two dates we can say that it has not
been contactable for over almost a year.

 So what else do you think they should do?

Contact nLayer and see what they are now doing with this ASN.

 Note that you might want to take this type of
 discussion onto the ARIN Public Policy
 mailing list which is open to anyone whether
 they are an ARIN member or not. 
 http://www.arin.net/mailing_lists/index.html#ppml

Yes, I am aware of this list and also saw your proposal
for making sure that objects that are in the ARIN registry
also contain valid and contactable information.

For people not having seen the petition for the proposal:
http://www.arin.net/mailing_lists/ppml/2593.html

The above case makes your point clear very well as nLayer
seems not to be available to comments on their [EMAIL PROTECTED]
address _and_ they are using an ASN which is shown to be
not contactable at all.

I would add to the proposal that resources, thus ASN's/inet[6]num's
and others that have been allocated at one point and when
trying to verify the contacts for those addresses seem
to be unreachable should be given a month to respond and
if not a public message should be sent out that the resource
has been revoked tracing the origins of that resource to
find organisations that are peering/accepting that resource
and contact them to see if they have a contact for that resource.

If a company is unable to respond in a month it is in a
very very bad shape and should not be seen as a responsible
entity on the internet.

Greets,
 Jeroen




RE: 2001:590::/32 announced by both AS4436 (nLayer) and AS4474 (Global Village, no contact in whois, but seems to be nLayer...)

2004-03-16 Thread Jeff S Wheeler

Before you started a rant on [EMAIL PROTECTED] about this inconsistent-as
problem on an inet6 route, did you think about posting a polite,
Please, someone from nlayer, contact me off-list, message; or how
about an email to the inet6 carrier(s) from which you learnt the routes?

It seems to me that you've taken an issue which could've been handled in
a polite manner, and turned it into an nlayer-bashing thread.  You have:

1) encouraged nlayer's peers to depeer them
2) accused nlayer of being spammers
3) forwarded private correspondence you received from third parties in
response to your original post back to [EMAIL PROTECTED] as well as the
[EMAIL PROTECTED] role account, as if the ARIN staff have nothing
better to do than read your complaint about an AS# they have already
marked as having invalid contact information.

I think I prefer reading about the IRC packet kiddies.  If OseK would
care to lend his unique perspective and considerable insight to this
thread, I would be most grateful.

--
Jeff S Wheeler




Re: Packet Kiddies Invade NANOG

2004-03-16 Thread David Barak


--- [EMAIL PROTECTED] wrote:

 Assuming that they are not sourcing the attacks
 in Banetele's AS, then you, the peer of Banetele
 are delivering the packet stream that kills the
 BGP session. How long before peering agreements
 require ACLs in border routers so that only BGP 
 peering routers can source traffic destined to
 your BGP speaking routers?

Even better is to separate the control plane from the
forwarding plane, and ensure that the control plane of
a given router cannot be spoken to by anyone who is
not either internal or a direct BGP peer.  Why permit
garbage to touch your network?  

-David Barak
-Fully RFC 1925 Compliant-
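
The rule described in this message, written out as a small packet-classification model (an added example, not code from the thread): packets addressed to the router itself are accepted only from internal sources or as TCP/179 from configured BGP peers, and transit traffic is left alone. All addresses are documentation-range values chosen for illustration, and the class, field and constant names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass

BGP_PORT = 179

# Constructed topology (documentation address ranges, not from the thread).
ROUTER_ADDRS = ["192.0.2.1", "198.51.100.1"]   # peering interface, loopback
BGP_PEERS = ["192.0.2.2"]                      # directly connected eBGP peer
INTERNAL_NETS = ["198.51.100.0/24"]            # our own infrastructure


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp", "icmp", ...
    sport: int = 0
    dport: int = 0
    from_external: bool = True  # arrived on a peering or transit interface


class ControlPlaneFilter:
    """Decide what may reach the router's own addresses (its control plane)."""

    def __init__(self, router_addrs, bgp_peers, internal_nets):
        self.router_addrs = {ipaddress.ip_address(a) for a in router_addrs}
        self.bgp_peers = {ipaddress.ip_address(a) for a in bgp_peers}
        self.internal_nets = [ipaddress.ip_network(n) for n in internal_nets]

    def _is_internal(self, addr):
        return any(addr in net for net in self.internal_nets)

    def decide(self, pkt):
        src = ipaddress.ip_address(pkt.src)
        dst = ipaddress.ip_address(pkt.dst)
        internal_src = self._is_internal(src)
        # Our own address space arriving from outside can only be forged.
        if pkt.from_external and internal_src:
            return "drop"
        # Not addressed to the router: forwarding plane, not filtered here.
        if dst not in self.router_addrs:
            return "forward"
        # Internal hosts (management, iBGP) may talk to the control plane.
        if internal_src:
            return "permit"
        # A configured peer may speak BGP in either direction of the session.
        if (src in self.bgp_peers and pkt.proto == "tcp"
                and BGP_PORT in (pkt.sport, pkt.dport)):
            return "permit"
        # Everything else aimed at the router never reaches its CPU.
        return "drop"


# Constructed test traffic covering each rule above.
SAMPLE_PACKETS = [
    Packet("192.0.2.2", "192.0.2.1", "tcp", 40000, 179),     # peer opens BGP
    Packet("192.0.2.2", "192.0.2.1", "tcp", 179, 40001),     # peer's replies
    Packet("203.0.113.66", "192.0.2.1", "tcp", 40002, 179),  # stranger to BGP port
    Packet("192.0.2.2", "192.0.2.1", "udp", 40003, 161),     # peer, but not BGP
    Packet("203.0.113.66", "198.51.100.80", "tcp", 40004, 80),  # transit
    Packet("198.51.100.5", "198.51.100.1", "tcp", 40005, 22),   # forged internal
    Packet("198.51.100.5", "198.51.100.1", "tcp", 40006, 22,
           from_external=False),                                # real internal
    Packet("203.0.113.66", "198.51.100.1", "icmp"),          # flood at loopback
]


def evaluate(packets):
    flt = ControlPlaneFilter(ROUTER_ADDRS, BGP_PEERS, INTERNAL_NETS)
    return [flt.decide(p) for p in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, evaluate(SAMPLE_PACKETS)):
        print(f"{verdict:8} {pkt}")
```

A source-address match does not stop packets that forge a peer's address, so a filter like this complements anti-spoofing at the network edge rather than replacing it.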



RE: 2001:590::/32 announced by both AS4436 (nLayer) and AS4474(Global Village, no contact in whois, but seems to be nLayer...)

2004-03-16 Thread Jeroen Massar


Jeff S Wheeler wrote:

 Before you started a rant on [EMAIL PROTECTED] about this 
 inconsistent-as problem on an inet6 route, did you think about posting a polite,
 Please, someone from nlayer, contact me off-list, message; or how
 about an email to the inet6 carrier(s) from which you learnt 
 the routes?

Which has been done already last year on this very list
when it was already pointed out that they were not contactable.
Yes, I checked the archives.

As for the 'inet6 carrier' I learn the routes from, which of the 42?
See http://www.sixxs.net/tools/grh/ for more information.
Indeed we monitor the IPv6 routes to find & fix these anomalies
where possible. Someone has to do the dirty job.
Like I mentioned on the list Powerdcom, one of their upstreams,
confirmed that nLayer was sending them the prefix using AS4474.

Just to be sure, it is also visible in RIS (http://ris.ripe.net)
and on RouteViews.

 It seems to me that you've taken an issue which could've been 
 handled in a polite manner, and turned it into an nlayer-bashing thread.

If they would simply respond to inquiries that are sent to the
contact address given in the whois for their ASN it wouldn't
need to come to that. Also I have no intention on any bashing
whatsoever as that is totally uncalled for and doesn't do any
good either.

They haven't responded to this inquiry yet either.
This was the North American Network Operators Group list wasn't it?

  You have:
 
 1) encouraged nlayer's peers to depeer them

You mean that sentence at the bottom of the message clearly
explaining the situation asking their peers to consider trying
to contact them and if not possible to depeer? Which *IS* a
normal action that ISP's should take when they cannot even
reach a peer. Or do you simply let them linger away?
You sound like I can force everyone to decide their network
policy for them. I don't think so, I don't even want that.

 2) accused nlayer of being spammers

Which they have proven to be, see last years NANOG threads.

 3) forwarded private correspondence you received from third parties

Which is indeed not such a polite thing to do, but was necessary
to be able to point out that their 'customers' do know about nLayer
using an ASN that has been marked as a spam source since last year.

 response to your original post back to [EMAIL PROTECTED] as well as the
 [EMAIL PROTECTED] role account, as if the ARIN staff have nothing
 better to do than read your complaint about an AS# they have already
 marked as having invalid contact information.

For which they can now fill in the blanks as at least their customers
and one of their upstream peers have mentioned that they are using it.

 I think I prefer reading about the IRC packet kiddies.

Then use your blacklist and block message from me ([EMAIL PROTECTED])
or using this subject. Quite easy isn't it?

 If OseK would
 care to lend his unique perspective and considerable insight to this
 thread, I would be most grateful.

Sorry, but I guess you are confusing the humor list with NANOG.
Apparently I hit quite a hot spot seeing some of the 'nice' 'private'
replies being sent to me by 'customers' of nLayer.

I wonder why there even is an internet if one can't even make a notice
of some weird usage of Internet resources.

But this subject is about why an ASN that is marked as uncontactable
which also has been seen as a big spam source is being used by an
entity which seems to be uncontactable, I am still waiting for their
response and I am quite sure these messages have reached them by now.
Or are they still 'migrating' from their spam/hijacked ASN to their own?

Greets,
 Jeroen




Re: 2001:590::/32 announced by both AS4436 (nLayer) and AS4474 (Global Village, no contact in whois, but seems to be nLayer...)

2004-03-16 Thread william(at)elan.net


Why would nlayer be now using AS4436? It is listed as scruz.net, but as 
far as I remember scruz was taken over by DSL.NET (I think that even 
included their peering agreements) and some of their ip block such as 
204.139.8.0/21, 204.147.224.0/20 and others certainly seem to confirm that.

As far as AS4474, it has been well known to have been original ASN nlayer 
used, but it turned out to have been hijacked (done through domain
reregistration), the real 'global village' is long ago gone - they were 
making modems and taken over by Boca Research and now I think it's all part
of Zoom, the only modem company that survived the .bomb. This ASN was 
discussed on hijacked-l about year ago and somebody thereafter reported it 
to ARIN (or ARIN may have done it on their own having been present there) 
and marked it as invalid. I thought that after this incident Nlayer would 
not try to go after another low-number ASN and would actually use their 
real arin assigned AS30371, but even 9 months after the ASN was marked 
invalid, they still continue to use it...

[whois.arin.net]
OrgName:Santa Cruz Community Internet (scruz-net)
OrgID:  SCCI
Address:324 Encinal Street
City:   Santa Cruz
StateProv:  CA
PostalCode: 95060
Country:US

ReferralServer: rwhois://rwhois.scruz.net:4321/

ASNumber:   4436
ASName: AS-SCRUZ-NET
ASHandle:   AS4436
Comment:
RegDate:1995-02-17
Updated:2004-02-24

On Tue, 16 Mar 2004, Jeroen Massar wrote:

 
 
 [cc: to [EMAIL PROTECTED], maybe now it will get their
 attention instead of going into /dev/null]
 
 Hi,
 
 Here is some operational content, instead of Packet Kiddies
 trying to rape each other verbally ;)
 
 According to Toshikazu Saito (Powerdcom):
 
  I know both ASs, 4436 and 4474 are yours, so
  nlayer should resolve this problem or respond to this.
 
 But:
 
 OrgName:Global Village Communication, Inc.
 OrgID:  GVC-8
 Address:1144 East Arques Avenue
 City:   Sunnyvale
 StateProv:  CA
 PostalCode: 94086
 Country:US
 
 ASNumber:   4474
 ASName: GVIL1
 ASHandle:   AS4474
 Comment:The information for this ASN has been reported to
 Comment:be invalid. ARIN has attempted to obtain updated data, but has
 Comment:been unsuccessful. To provide current contact information,
 Comment:please e-mail [EMAIL PROTECTED]
 RegDate:1995-03-08
 Updated:2003-07-31
 
 The reason for the above was that we are currently seeing
 2001:590::/32 announced by both AS4436 (nLayer) and AS4474
 (Global Village Communication) but apparently this is the
 same company and apparently they are using the bogus ASN.
 Bogus as it has no valid contact information
 
 See telnet://grh.sixxs.net
 or http://www.sixxs.net/tools/grh/lg/?find=2001:590::/32
 for the odd routes and who it goes over.
 
 As nLayer seems to be able to only send ticket responses
 but there seems to be no real user alive maybe it is time
 to start letting their peers ask them what to do with this
 and if they can't contact them to just start depeering?
 Unresponsive NOC's is a real nightmare.
 
 Greets,
  Jeroen
 



Re: Replacement for a Extreme Black Diamond 6808

2004-03-16 Thread Erik Haagsman


On Tue, 2004-03-16 at 04:59, Tom (UnitedLayer) wrote:
 
 Are you using it for L2 only, or L2+L3?
 I hear decent things about using them for L2 only, and using J or C boxes
 for the L3 portion.

Yep...that's the way we do it as well, L2 on the BD6808's and L3 on J
boxes although we started out using the BD's for part of our Layer3
traffic as well. They just gave too many problems, so if you can do your
L3 on a router and use them strictly for L2 traffic. We also run Foundry
switches, and if you absolutely need to do some L3 (OSPF/iBGP) on your
switches you're better off using Foundry switches with an M4 blade, their
L3 code is much more mature than Extreme's, but when it comes to raw
performance try to avoid those scenarios and just let the BD do Layer2.
Their L3 might be crap, but they scream at L2.

Cheers,

-- 
Erik Haagsman
Network Architect
We Dare BV
tel: +31(0)10-7507008
fax: +31(0)10-7507005
http://www.we-dare.nl



Re: Load Balancing Multiple DS3s (outgoing) on a 7500

2004-03-16 Thread Richard J. Sears

Hi Drew - 

We have 6 backbones distributed across two 7507s and we messed around
with a lot of different ways to make this happen. MEDs, Weights, manual
BGP configurations every time one of the connections would get
overloaded (even at 2am), you name it - we tried it, and in the end we
determined that we needed something that could keep an eye on everything
and do it automatically within guidelines I had set.

In the end, we headed the route of performance-based routing
optimization hardware. After testing many different vendors, we chose
the RouteScience PathControl box to make my life (as well as the life of
my lead backbone engineer) much, much simpler.

About a month or two ago, there was quite a discussion on
route-optimization hardware on the list including a lot of different
ideas. 

If you do a search on the list for RouteScience or route optimization,
you should hit the core of the discussion around the different platforms.

If you need more info, feel free to contact me off-list.

On Fri, 12 Mar 2004 22:39:16 -0500
Drew Weaver [EMAIL PROTECTED] wrote:

 Does anyone know of an article, or documentation regarding load
 balancing the traffic on 3 or more FastEthernet interfaces on the outgoing
 direction? Right now we're running BGP internally, and the routes that are
 being chosen based upon the final BGP decision step or what I like to call
 the 'IP address tie breaker' which is not always optimal. We have a cisco
 7500 that is connected to 4 other Cisco 7500s which each have 45Mbps ds3s to
 the Internet, we would like to load balance the outgoing traffic across all
 4 of these 7500s, can anyone shine any advice my way? I noticed that there
 are instructions on Cisco's site regarding doing LB on 12000s.
 
  
 
 Anyways thanks in advance ;-)
 
  
 
 -Drew
 
  
 


**
Richard J. Sears
Vice President 
American Digital Network  

[EMAIL PROTECTED]
http://www.adnc.com

858.576.4272 - Phone
858.427.2401 - Fax


I fly because it releases my mind 
from the tyranny of petty things . . 


Work like you don't need the money, love like you've
never been hurt and dance like you do when nobody's
watching.



Re: Packet Kiddies Invade NANOG

2004-03-16 Thread John Quincy Taxpayer

On Tue, 16 Mar 2004 04:14:01 -0800 [EMAIL PROTECTED] wrote:

According to the people I spoke to, they had not noticed such an attack
on the date specified.

And, while not knowing the specifics of this situation, if you were being
attacked, and it hurt your network, would you continue to piss the attacker
off by validating it?  You'll have a problem finding anyone that crazy, I think.

On Tue, 16 Mar 2004 02:54:43 -0800 [EMAIL PROTECTED] wrote:

People should be worried about stuff like this. 
Banetele is a facilities-based network operator
in Norway and these guys are directly attacking
their BGP sessions to put them off the air.

I don't know anything about the banetele attack mentioned specifically,
other than to say, this matches his M.O. entirely, and, he isn't the only
kiddie who figured out that attacking routers is sometimes more effective
than attacking the intended victim.

John Quincy Taxpayer





Re: 2001:590::/32 announced by both AS4436 (nLayer) and AS4474 (Global Village, no contact in whois, but seems to be nLayer...)

2004-03-16 Thread John Payne


--On Tuesday, March 16, 2004 7:52 AM -0800 william(at)elan.net 
[EMAIL PROTECTED] wrote:

Why would nlayer be now using AS4436? It is listed as scruz.net, but as
far as I remember scruz was taken over by DSL.NET (I think that even
included their peering agreements) and some of their ip block such as
204.139.8.0/21, 204.147.224.0/20 and others certainly seem to confirm
that.

Because they acquired dsl.net's peering infrastructure, and announced such 
to their peers?





DNS requests for 1918 space

2004-03-16 Thread Geo.

Can anyone point me at any papers that talk about security issues raised by
private networks passing dns requests for RFC 1918 private address space out
to their ISP's dns servers?

I'm aware of the issues involved with an ISP passing the requests on to the
root servers but was looking specifically for security type issues relating
to a private network passing the requests out to their ISP's dns servers.

Geo.



Re: Packet Kiddies Invade NANOG

2004-03-16 Thread Alexei Roudnev

Hmm, if someone (except masochists and security vendors) still hosts
efnet... I can only send them my condolences.

I saw the same dialogs 6 years ago. Nothing changes.

- Original Message - 
From: Stephen J. Wilcox [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Tuesday, March 16, 2004 3:54 AM
Subject: Re: Packet Kiddies Invade NANOG



 On Tue, 16 Mar 2004, [EMAIL PROTECTED] wrote:

  People should be worried about stuff like this.  Banetele is a
  facilities-based network operator in Norway and these guys are directly
  attacking their BGP sessions to put them off the air.

 Can anyone from Banetele/who knows Banetele confirm this attack took
place?

 Steve

  Assuming that they are not sourcing the attacks
  in Banetele's AS, then you, the peer of Banetele
  are delivering the packet stream that kills the
  BGP session. How long before peering agreements
  require ACLs in border routers so that only BGP
  peering routers can source traffic destined to
  your BGP speaking routers?
 
  (08:48:02) #sigdie!OseK_ i just collapsed banetele's BGP announcement
  (08:48:43) #sigdie!p i dunno banetele looks dead
  (08:48:48) #sigdie!p or maybe im just lagging
  (08:49:00) #sigdie!OseK_ ... BitchX: Sent server ping to
  [irc.banetele.no]
  (08:49:00) #sigdie!OseK_ ... Server pong from irc.banetele.no 0.8224
  seconds
  (08:49:12) #sigdie!p bash-2.05a$ telnetirc.banetele.no 6667
  (08:49:13) #sigdie!p Trying 213.239.111.2...
  (08:49:16) #sigdie!OseK_ thats cuz I collapsed their BGP announcement
by
 
  nailing their router head on(08:49:26) #sigdie!OseK_ but they have a
  secondary route to efnet
  (08:49:30) #sigdie!_mre|42o BGP announcement?
  (08:49:31) #sigdie!OseK_ thru their multihomed connection
  (08:49:32) #sigdie!OseK_ yeah
  (08:49:37) #sigdie!OseK_ they have a collapsable route
  (08:49:44) #sigdie!OseK_ using the border gateway protocl
  (08:49:54) #sigdie!OseK_ hey have to announce to a pool
  (08:49:58) #sigdie!OseK_ in order to establish their route
  (08:50:07) #sigdie!OseK_ but if thye get hit enough their router drops
  the
  announcements
  (08:50:10) #sigdie!OseK_ and they lose their routes
  (08:50:14) #sigdie!OseK_ its wierd
  (08:50:21) #sigdie!OseK_ i dont quite understand how it works myself
 
 
 
 
 
 




Re: Packet Kiddies Invade NANOG

2004-03-16 Thread sthaug

 Hmm, if someone (except masochists and security vendors) still hosts
 efnet... I can only send them my condolences.
 
 I saw the same dialogs 6 years ago. Nothing changes.

BaneTele hosts an EFnet IRC server. Caused no significant problems while
I was working at BaneTele. That's probably because we *expected* DoS
attacks on the IRC server, and engineered the network accordingly.

Steinar Haug, Nethelp consulting, [EMAIL PROTECTED]


Re: 2001:590::/32 announced by both AS4436 (nLayer) and AS4474 (Global Village, no contact in whois, but seems to be nLayer...)

2004-03-16 Thread bill

 so... the subject is somewhat disingenuous.  there is no problem with a prefix being
 announced by more than one ASN. Per the original subject, this seemed to be your gripe.
 however, the thread has devolved into someone using network resources w/o registration...
 which is different.


 
 
 
 [cc: to [EMAIL PROTECTED], maybe now it will get their
 attention instead of going into /dev/null]
 
 Hi,
 
 Here is some operational content, instead of Packet Kiddies
 trying to rape each other verbally ;)
 
 According to Toshikazu Saito (Powerdcom):
 
  I know both ASs, 4436 and 4474 are yours, so
  nlayer should resolve this problem or respond to this.
 
 But:
 
 OrgName:Global Village Communication, Inc.
 OrgID:  GVC-8
 Address:1144 East Arques Avenue
 City:   Sunnyvale
 StateProv:  CA
 PostalCode: 94086
 Country:US
 
 ASNumber:   4474
 ASName: GVIL1
 ASHandle:   AS4474
 Comment:The information for this ASN has been reported to
 Comment:be invalid. ARIN has attempted to obtain updated data, but has
 Comment:been unsuccessful. To provide current contact information,
 Comment:please e-mail [EMAIL PROTECTED]
 RegDate:1995-03-08
 Updated:2003-07-31
 
 The reason for the above was that we are currently seeing
 2001:590::/32 announced by both AS4436 (nLayer) and AS4474
 (Global Village Communication) but apparently this is the
 same company and apparently they are using the bogus ASN.
 Bogus as it has no valid contact information
 
 See telnet://grh.sixxs.net
 or http://www.sixxs.net/tools/grh/lg/?find=2001:590::/32
 for the odd routes and who it goes over.
 
 As nLayer seems to be able to only send ticket responses
 but there seems to be no real user alive maybe it is time
 to start letting their peers ask them what to do with this
 and if they can't contact them to just start depeering?
 Unresponsive NOC's is a real nightmare.
 
 Greets,
  Jeroen
 
 



Re: Packet Kiddies Invade NANOG

2004-03-16 Thread jlewis

On Tue, 16 Mar 2004, Alexei Roudnev wrote:

 Hmm, if someone (except masochists and security vendors) still hosts
 efnet... I can only send them my condolences.

 I saw the same dialogs 6 years ago. Nothing changes.

What about undernet?  A customer wants us to help him setup an undernet
IRC server.  My gut feeling is, hosting IRC servers (especially on the
well known networks) is like wearing a kick me/flood me sign on your
network, and it's probably not going to be worth the pain & pages.

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_


RE: 2001:590::/32 announced by both AS4436 (nLayer) and AS4474 (Global Village, no contact in whois, but seems to be nLayer...)

2004-03-16 Thread Jeroen Massar


bill [mailto:[EMAIL PROTECTED] wrote:

  so... the subject is somewhat disingenuous.  there is no 
 problem with a prefix being
  announced by more than one ASN.

2001:590::/32 _is_ being announced by both AS4436 *and* AS4474.
Trying to contact these ASN's to inquire why that is happening
and maybe finding out if it was an erroneous configuration I
tried to find the contacts which led to AS4474 not having any
contact information available per ARIN registry.
Thus who do you call then when AS4436 doesn't seem home?
Indeed: ARIN, which also didn't seem home thus: NANOG.

 Per the original subject, this seemed to be your gripe.
  however, the thread has devolved into someone using network 
 resources w/o registration...
  which is different.  

It then turned into this indeed.

I have contacted quite a number of ISP's who had misconfigurations
and most, except AS10318 and this one, replied and thanked for
notifying them of this and they resolved the issue of which they
were not aware.

Greets,
 Jeroen




Re: Packet Kiddies Invade NANOG

2004-03-16 Thread william(at)elan.net

On Tue, 16 Mar 2004 [EMAIL PROTECTED] wrote:

 
 On Tue, 16 Mar 2004, Alexei Roudnev wrote:
 
  Hmm, if someone (except masochists and security vendors) still hosts
  efnet... I can only send them my condolences.
 
  I saw the same dialogs 6 years ago. Nothing changes.
 
 What about undernet?  A customer wants us to help him setup an undernet
 IRC server.  My gut feeling is, hosting IRC servers (especially on the
 well known networks) is like wearing a kick me/flood me sign on your
 network, and it's probably not going to be worth the pain & pages.

It probably depends how much money is involved and if they are willing to 
pay for all the network tech's time such server brings in. My own dealings
with people wanting to run IRC servers and services is that they may have 
some fixed amount of money for the server but whatever they are expecting 
to generate from such irc-related services does not happen and they ran 
out of money and most end-up having to be canceled for non-pay (usually 
after first 4 or 6 months) and you end-up having to decide if your company
wants to sponsor this server for the long term...

Some other things that you end-up having to consider if the server is 
run by the customer what are their policies and how white/black/grey are 
their admins and people they allow to be operators. Operators way too 
often end-up being targets of attacks on the servers ...

As far as Undernet is probably not as bad as Efnet as attack target, but 
you'll still see some attacks for sure.

-- 
William Leibzon
Elan Networks
[EMAIL PROTECTED]



Re: DNS requests for 1918 space

2004-03-16 Thread Valdis . Kletnieks
On Tue, 16 Mar 2004 11:22:55 EST, Geo. [EMAIL PROTECTED]  said:

 I'm aware of the issues involved with an ISP passing the requests on to the
 root servers but was looking specifically for security type issues relating
 to a private network passing the requests out to their ISP's dns servers.

Hint:  Every such DNS request that escapes will either time out or get an
error.  The admin is unwilling or unable to fix the resulting breakage.
The fact that it isn't being fixed should tell you a lot about the site




Re: 2001:590::/32 announced by both AS4436 (nLayer) and AS4474 (Global Village, no contact in whois, but seems to be nLayer...)

2004-03-16 Thread Joe Abley


On 16 Mar 2004, at 12:03, bill wrote:

 there is no problem with a prefix being
 announced by more than one ASN.
I am fairly sure that I have seen real-life issues with at least one 
vendor's BGP implementation which led a valid route object with one 
origin to be masked by another valid route object with a different 
origin which was learnt earlier, a masking effect that continued even 
after the original masking route was withdrawn.

I don't have any solid documentation or results of experiments to 
support this, although it seemed very real at the time. It has always 
led me to promote the conservative practice of advertising routes with 
a consistent origin AS.

Bill: have you done any measurement exercises to determine whether this 
is, in fact, an issue? Or was your comment above based on the protocol, 
rather than deployed implementations of the protocol?

Joe
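
An added example, not from the thread: a short Python check that finds prefixes announced with more than one origin AS, the condition reported in this thread for 2001:590::/32. The input format (one "prefix AS-path" pair per line) and the transit ASNs are assumptions made for illustration; only the prefix and the two origin ASNs come from the messages above.

```python
import ipaddress
from collections import defaultdict

# Constructed sample, as a route collector might export it: prefix, then AS path.
# 2001:590::/32 with origins 4436 and 4474 is the case from the thread; the
# transit ASNs (64500-64511, documentation range) and 2001:db8:: prefixes are made up.
SAMPLE_ROUTES = """\
# prefix            as-path
2001:590::/32 64500 64501 4436
2001:590::/32 64502 4474
2001:0590:0000::/32 64503 64501 4436
2001:db8::/32 64500 64510
2001:db8::/32 64502 64510 64510 64510
2001:db8:1::/48 64500 {64510,64511}
"""


def origin_of(as_path):
    """Return the origin ASN (rightmost AS) of a path, or None if unknown.

    A path ending in an AS_SET ({a,b}) has no single origin, so it is
    reported as None instead of being guessed at.
    """
    tokens = as_path.split()
    if not tokens:
        return None
    last = tokens[-1]
    if last.startswith("{"):
        return None
    return int(last)


def find_moas(route_lines):
    """Map each prefix seen with more than one origin AS to {origin: [paths]}."""
    seen = defaultdict(lambda: defaultdict(list))
    for line in route_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        prefix_text, _, as_path = line.partition(" ")
        # Normalise the textual form so 2001:0590:0000::/32 and 2001:590::/32
        # count as the same prefix.
        prefix = str(ipaddress.ip_network(prefix_text, strict=False))
        origin = origin_of(as_path)
        if origin is None:
            continue
        seen[prefix][origin].append(as_path.strip())
    # AS-path prepending repeats the origin but does not change it, so
    # 2001:db8::/32 above still has exactly one origin and is not reported.
    return {p: dict(by_origin) for p, by_origin in seen.items()
            if len(by_origin) > 1}


if __name__ == "__main__":
    for prefix, by_origin in find_moas(SAMPLE_ROUTES.splitlines()).items():
        print(prefix, "has origins", sorted(by_origin))
        for origin, paths in sorted(by_origin.items()):
            for path in paths:
                print(f"  AS{origin} reached via: {path}")
```

The per-origin path list shows which neighbours carry each announcement, which is the information needed to ask an upstream what it is actually receiving.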



Re: 2001:590::/32 announced by both AS4436 (nLayer) and AS4474 (Global Village, no contact in whois, but seems to be nLayer...)

2004-03-16 Thread bill

 On 16 Mar 2004, at 12:03, bill wrote:
 
   there is no problem with a prefix being
   announced by more than one ASN.
 
 Bill: have you done any measurement exercises to determine whether this 
 is, in fact, an issue? Or was your comment above based on the protocol, 
 rather than deployed implementations of the protocol?

based on the protocol, not any specific implementation 
thereof.
 
 
 Joe
 



Re: DNS requests for 1918 space

2004-03-16 Thread Crist Clark
Geo. wrote:

Can anyone point me at any papers that talk about security issues raised by
private networks passing dns requests for RFC 1918 private address space out
to their ISP's dns servers?

I've never seen the whole paper on the topic. Leaking the fact that
you use 10.10.10.0/24 or whatever internally is not a big deal. It's
security by obscurity of the very weak kind. Anyone with half of a clue
will drop traffic with a source or destination address of their internal
RFC1918 networks at the border, (and even if one uses registered
addresses internally, you would be dropping traffic with a source address
of the internal network from entering at the border). That's the real
security.

I'm aware of the issues involved with an ISP passing the requests on to the
root servers but was looking specifically for security type issues relating
to a private network passing the requests out to their ISP's dns servers.

These requests will not go to the root servers any more than any other
reverse lookups ISP's DNS,
  $ dig -x 10 ns
  ;  DiG 8.3  -x ns
  ;; res options: init recurs defnam dnsrch
  ;; got answer:
  ;; -HEADER- opcode: QUERY, status: NOERROR, id: 2
  ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2
  ;; QUERY SECTION:
  ;;  10.in-addr.arpa, type = NS, class = IN
  ;; ANSWER SECTION:
  10.in-addr.arpa.1W IN NSblackhole-1.iana.org.
  10.in-addr.arpa.1W IN NSblackhole-2.iana.org.
  ;; ADDITIONAL SECTION:
  blackhole-1.iana.org.   16m43s IN A 192.175.48.6
  blackhole-2.iana.org.   16m43s IN A 192.175.48.42
  ;; Total query time: 53 msec
  ;; FROM: sec-tools.corp.globalstar.com to SERVER: default -- 
207.88.152.10
  ;; WHEN: Tue Mar 16 09:53:44 2004

The IN-ADDR.ARPA delegations for RFC1918 space are just like any
other block. You'll just end up hitting IANA's blackhole servers,
and not all that much, the cache times are one week.

Of course, the obvious fix is to run your own internal DNS which
is authoritative for your RFC1918 addresses.
--
Crist J. Clark   [EMAIL PROTECTED]
Globalstar Communications(408) 933-4387


Re: DNS requests for 1918 space

2004-03-16 Thread bill

 
 Can anyone point me at any papers that talk about security issues raised by
 private networks passing dns requests for RFC 1918 private address space out
 to their ISP's dns servers?
 
 I'm aware of the issues involved with an ISP passing the requests on to the
 root servers but was looking specifically for security type issues relating
 to a private network passing the requests out to their ISP's dns servers.
 
 Geo.
 
http://www.nanog.org/mtg-0210/wessels.html
has some very good information about some of the
problems w/ leaked queries.

http://as112.net/  has some mitigation strategies.


--bill


RE: who offers cheap (personal) 1U colo?

2004-03-16 Thread Curtis Maurand




On Mon, 15 Mar 2004, Andrew Dorsett wrote:

 
 On Mon, 15 Mar 2004, Vivien M. wrote:
 Yes I am... I am referring to a system which an unmentionable university
 has in place.  It requires the user to enter their username and password
 each time the link state changes before they are allowed outside of the
 local lan.  This is also similar to the new port
 authentication system on the Extreme Networks switches.  It automatically
 delves out an address to the user so they can access a login portal and
 then it reissues them a legitimate address once they have been
 authenticated.  This is a pretty slick setup for mobile users who connect
 in temporarily to public portals but it makes little sense in a fixed
 network environment of a dorm room or office.

It's the same type of system used for hotspots.

Curtis
--
Curtis Maurand
mailto:[EMAIL PROTECTED]
http://www.maurand.com




Re: DNS requests for 1918 space

2004-03-16 Thread Joe Abley


On 16 Mar 2004, at 13:07, Crist Clark wrote:

The IN-ADDR.ARPA delegations for RFC1918 space are just like any
other block. You'll just end up hitting IANA's blackhole servers,
and not all that much, the cache times are one week.

Also, those blackhole servers are anycast, so they might even be 
answered relatively locally. See http://www.as112.net/.

Of course, the obvious fix is to run your own internal DNS which
is authoritative for your RFC1918 addresses.


Joe



Re: DNS requests for 1918 space

2004-03-16 Thread Daniel Karrenberg

On 16.03 11:22, Geo. wrote:
 
 Can anyone point me at any papers that talk about security issues raised by
 private networks passing dns requests for RFC 1918 private address space out
 to their ISP's dns servers?

RFC1918


Re: DNS requests for 1918 space

2004-03-16 Thread Duane Wessels

 The IN-ADDR.ARPA delegations for RFC1918 space are just like any
 other block. You'll just end up hitting IANA's blackhole servers,
 and not all that much, the cache times are one week.

In theory, yes.

In reality there are quite a few resolvers that, apparently, do not
receive the delegation response and continue to hit the roots with
PTR queries for RFC1918 space.

Recent measurements at a single instance of an anycasted root server
show that at least 250 such resolvers generate between 60-120 RFC1918
PTR queries/sec.

Duane W.


Re: who offers cheap (personal) 1U colo?

2004-03-16 Thread Laurence F. Sheldon, Jr.
Curtis Maurand wrote:

Then anyone can walk up to the machine and get onto the network simply by 
turning on the machine.   

The system you're looking for involve biometrics or smartcards.  Firewalls 
between student and administration areas would be a good idea as well.

It must be dreadful to work in a place where everybody is The Enemy.

In case I ever get another job at a University, how do you separate
student areas from administration areas?

In my limited experience, we had students in labs, classrooms, and
offices in the Administration Building, administrators (RA's, residents,
offices) in the Residence Halls, all kinds of creepy people in the
libraries, classrooms, offices, dining rooms, and recreational and
exercise facilities.  Do you use armed guards to keep everybody in
their proper areas?
--
Requiescas in pace o email



Re: DNS requests for 1918 space

2004-03-16 Thread Valdis . Kletnieks
On Tue, 16 Mar 2004 10:08:28 PST, bill said:

   http://www.nanog.org/mtg-0210/wessels.html
   has some very good information about some of the
   problems w/ leaked queries.
 
   http://as112.net/  has some mitigation strategies.

That mitigates the issue, but fails to deal with the root cause.

One has to wonder - if a network is spewing enough broken DNS packets that it's
noticeable, and it's not getting fixed, what *else* is wrong with the network.
Remember - every packet you see is a timeout happening back at the
misconfigured site.

It's like a car with one headlight out - yes, it still works, but whenever I see
one on the road, I wonder what ELSE is marginal (like brake pads)




Re: who offers cheap (personal) 1U colo?

2004-03-16 Thread Scott McGrath


Painting with a broad brush, the differentiation between student and
administrative networks is based on location, role and ownership. A public
ethernet port in a library is a student network even though
administrative computers may be connected from time to time.  The
librarian's machine is attached to an administrative network.  This is a
fluid definition since the students often work on administrative
computers.

The real differentiator is the student networks are comprised of
machines the university does not own or have direct administrative control
over and securing these machines is up to the owner.

An administrative network is a network of machines owned and controlled by
the university hence the security policy is defined, implemented and
enforced by the responsible parties within the university.

Scott C. McGrath

On Tue, 16 Mar 2004, Laurence F. Sheldon, Jr. wrote:


 Curtis Maurand wrote:

  Then anyone can walk up to the machine and get onto the network simply by
  turning on the machine.
 
  The system you're looking for involve biometrics or smartcards.  Firewalls
  between student and administration areas would be a good idea as well.

 It must be dreadful to work in a place where everybody is The Enemy.

 In case I ever get another job at a University, how do you separate
 student areas from administration areas?

 In my limited experience, we had students in labs, classrooms, and
 offices in the Administration Building, administrators (RA's, residents,
 offices) in the Residence Halls, all kinds of creepy people in the
 libraries, classrooms, offices, dining rooms, and recreational and
 exercise facilities.  Do you use armed guards to keep everybody in
 their proper areas?

 --
 Requiescas in pace o email




Re: 2001:590::/32 announced by both AS4436 (nLayer) and AS4474 (Global Village, no contact in whois, but seems to be nLayer...)

2004-03-16 Thread Richard A Steenbergen

On Tue, Mar 16, 2004 at 09:03:21AM -0800, bill wrote:
 
 so... the subject is somewhat disingenuous.  there is no problem with a
 prefix being announced by more than one ASN. Per the original subject,
 this seemed to be your gripe.

Using local-as to migrate sessions individually results in the appearance
of inconsistent origin ASs on locally originated routes. Who would have
thought local-as would bring down the wrath of the net k00ks. :)

-- 
Richard A Steenbergen [EMAIL PROTECTED]   http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)


Re: who offers cheap (personal) 1U colo?

2004-03-16 Thread Eric Gauthier

 
 In case I ever get another job at a University, how do you separate
 student areas from administration areas?

When we disable the network in a particular area, if a non-student calls
then it's a non-student area ;)

Eric :)


Re: 2001:590::/32 announced by both AS4436 (nLayer) and AS4474 (Global Village, no contact in whois, but seems to be nLayer...)

2004-03-16 Thread Richard A Steenbergen

On Tue, Mar 16, 2004 at 06:12:22PM +0100, Jeroen Massar wrote:
 
 2001:590::/32 _is_ being announced by both AS4436 *and* AS4474.
 Trying to contact these ASN's to inquire why that is happening
 and maybe finding out if it was an erroneous configuration I
 tried to find the contacts which lead to AS4474 not having any
 contact information available per ARIN registry.
 Thus who do you call then when AS4436 doesn't seem home?
 Indeed: ARIN, which also didn't seem home thus: NANOG.

Next time you want to contact a noc, you might want to try not doing it as
a cc: to an e-mail encouraging random peers to depeer someone because of
an inconsistent origin AS caused by the use of local-as. Actions like that
(and these for that matter) tend to get one branded a net kook... And
feeding the kooks is never productive. :)

-- 
Richard A Steenbergen [EMAIL PROTECTED]   http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)


Re: DNS requests for 1918 space

2004-03-16 Thread Crist Clark
Duane Wessels wrote:

 The IN-ADDR.ARPA delegations for RFC1918 space are just like any
 other block. You'll just end up hitting IANA's blackhole servers,
 and not all that much, the cache times are one week.

 In theory, yes.

 In reality there are quite a few resolvers that, apparently, do not
 receive the delegation response and continue to hit the roots with
 PTR queries for RFC1918 space.

Is there something special about RFC1918 in this respect? Wouldn't
these resolvers not work for all of the IN-ADDR.ARPA space? Wouldn't
they be hitting the roots with all kinds of PTR queries?

 Recent measurements at a single instance of an anycasted root server
 show that at least 250 such resolvers generate between 60-120 RFC1918
 PTR queries/sec.

I assume (and no idea really if it is a good assumption or not) that
the bulk of these broken resolvers do not belong to ISPs. The original
recipient said specifically that he was using his ISP's nameservers.
If he has broken resolvers, but the ISP servers are sane, he'll
obviously end up pounding the ISP servers and perhaps the IANA blackhole
servers if the queries are unique, but not the root servers.

But yes there are plenty of broken resolvers out there. One of my
current favorites is something in Novell print services that likes to
do A queries on a single printer name several dozen times per second, 
wait a few seconds or minutes, then do a query storm on another printer
name. These account for over 90% of the queries on some internal
DNS servers.
--
Crist J. Clark   [EMAIL PROTECTED]
Globalstar Communications(408) 933-4387


Stateful Ethernet Bridging and it's effect on overall Internet topology.

2004-03-16 Thread Gregory Taylor

I have a question and would like all of your opinions on this matter, as I research 
heavily into stateful ethernet bridging, packet mangling and their advantages and 
disadvantages to local and wide area network topologies.

Deployed in large volumes, what negative effects, if any, would ethernet and fiber 
bridges have on the Internet as a whole.

Let's say I was to build a bridge designed to intercept and manipulate traffic coming 
in from an outside network into my 'colo site' to do traffic shaping, packet 
filtering, and ethernet frames manipulation.  And I deployed 100s of these into the 
facility as a means to control overall traffic.  Would these transparent bridges be 
detrimental in any way to the rest of the internet.  I understand that since they are 
re-transmitting data that the possibility of their MAC addresses popping up every time 
a machine behind it pops up could be an issue when doing network monitoring.  But I'd 
just like to know what everyone thinks about such products.

(Excuse me if my statements seem a little incoherent, I just woke up)

Greg


RE: 2001:590::/32 announced by both AS4436 (nLayer) and AS4474 (Global Village, no contact in whois, but seems to be nLayer...)

2004-03-16 Thread Jeroen Massar


Richard A Steenbergen [mailto:[EMAIL PROTECTED] wrote:

 On Tue, Mar 16, 2004 at 06:12:22PM +0100, Jeroen Massar wrote:
  
  2001:590::/32 _is_ being announced by both AS4436 *and* AS4474.
  Trying to contact these ASN's to inquire why that is happening
  and maybe finding out if it was an erroneous configuration I
  tried to find the contacts which lead to AS4474 not having any
  contact information available per ARIN registry.
  Thus who do you call then when AS4436 doesn't seem home?
  Indeed: ARIN, which also didn't seem home thus: NANOG.
 
 Next time you want to contact a noc, you might want to try 
 not doing it as a cc: to an e-mail encouraging random peers
 to depeer someone because of
 an inconsistent origin AS caused by the use of local-as. 

I wonder why many people are acting so hard about that small
mention of it, apparently that did take enough attention while
the subject at hand didn't get taken a look at at all.
For your pleasure below is the complete detailed message I sent to them.
If you still think that I am a 'kook' or other odd insults
then please keep them to yourself. I thought NANOG was for
Network Operators and not for flame wars and tidbits.

 Actions like that
 (and these for that matter) tend to get one branded a net kook... And
 feeding the kooks is never productive. :)

Thank you very much for yet another insult, at least you are
polite enough to do it on a public mailinglist instead of
trying to mailbomb me. I still wonder why that is happening
as I was and still am trying to be friendly and hoping to
figure out why it is happening. FYI there are only 2 prefixes
that have this currently in the entire routing table but alas.

Greets,
 Jeroen

- 

From: Jeroen Massar [EMAIL PROTECTED]
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: 2001:590::/32 announced by both AS4436 (nLayer) and AS4474 (Global Village, 
no contact in whois)

Hi,

We are currently seeing 2001:590::/32 announced by both AS4436 (nLayer)
and AS4474 (Global Village Communication)

As 2001:590::/32 is assigned to nLayer I assume that AS4474 is in error.
AS4474 information is apparently invalid according to ARIN whois, thus
emailing their 'upstream' AS4716/Powerdcom ([EMAIL PROTECTED]).

From grh.sixxs.net, see http://www.sixxs.net/tools/grh/
or directly: http://www.sixxs.net/tools/grh/lg/?find=2001:590::/32,
see formatted output below.

It might be interesting for you to setup a peering with GRH
so these bugs are better traceable and we can easily see
that they are or are not originating from your systems.

Greets,
 Jeroen

Originated from AS4436:
2001:590::/32  2001:668:0:1:34:49:6900:40  1980 3257 4436

2001:590::/32   2001:468:ff:121d::211537 7660 2500  2497 3257 4436 
2001:590::/32   2001:610:25:5062::62  1103 11537 7660 2500  2497 3257 4436
2001:590::/32   2001:688:0:1::1 5511  2500  2497 3257 4436
2001:590::/32   2001:690::10   1930 20965 11537 7660  2500  2497 3257 4436
2001:590::/32   2001:770:8::   1213 20965 11537 7660  2500  2497 3257 4436
2001:590::/32   2001:1418:1:400::1 12779  6175  2497 3257 4436
2001:590::/32   2001:14e0::f  12931 8472  6830  4589 3257 4436
2001:590::/32   2001:6f8:800::244589 3257 4436
2001:590::/32   2001:7f8:1::a500:6830:1   6830  4589 3257 4436
2001:590::/32   2001:890:600:4f0::11 8447 6830  4589 3257 4436
2001:590::/32   2001:608:0:fff::6   5539 3257 4436
2001:590::/32   2001:470:1fff:3::3  6939 3257 4436
2001:590::/32   3ffe:c00:0:1::1109  6939 3257 4436
2001:590::/32   2001:610:ff:c::2   1888  1103  3425  293   109  6939 3257 4436
2001:590::/32   2001:728:0:1000::f000227  2914  6939 3257 4436
2001:590::/32   2001:ad0:fe:0:205:32ff:fe03:c650  3327  6939 3257 4436
2001:590::/32   3ffe:8150::19044  5424  6939 3257 4436
2001:590::/32   3ffe:1d00::3  5623  6939 3257 4436
2001:590::/32   2001:1888::   6435  6939 3257 4436
2001:590::/32   3ffe:401c:0:3:20c:ceff:fe05:da0e   29657 10566  6939 3257 4436
2001:590::/32   2001:15a8:1:1::6 29449  6939 3257 4436
2001:590::/32   3ffe:401d:f00::1 30071  6939 3257 4436
2001:590::/32   3ffe:401d:f00::5 30071  6939 3257 4436
2001:590::/32   3ffe:401d:f00::9 30071  6939 3257 4436
2001:590::/32   2001:8e0:0:::4  8758 3257 4436
2001:590::/32   2001:780:0:2::612337 3257 4436

Re: Stateful Ethernet Bridging and it's effect on overall Internet topology.

2004-03-16 Thread Gregory Taylor

I agree, however there are some implementations of this type of bridging that 
'routing' would not be a good substitute for.  Say mangling traffic going outbound for 
compression purposes (A La Redline (Yes I know redline does proxying and not 
bridging)).  I guess my best question would be, is there a solution to the problem.  
Maybe a possible way of bridging the traffic without polluting the world with 
unnecessary broadcasts of MAC addresses and over-head ethernet frames.  (Is there a 
way to strip that garbage from the outbound traffic generated by the bridge).

Greg

-- Original Message --
From: Wayne E. Bouchard [EMAIL PROTECTED]
Date:  Tue, 16 Mar 2004 12:49:38 -0700

This goes back to traditional bridging issues.

The problems include:

loops and ineffective or broken STP implementations

arp and broadcast storms

mac address collisions

which version of bridging to use and their associated advantages and
disadvantages.

I can't see that adding the capacity to do traffic shaping or
filtering changes any of these issues. It just adds to the complexity.
It still holds that, generally speaking, if you can route instead of
bridging, it's a better option.

On Tue, Mar 16, 2004 at 01:36:48PM -0600, Gregory Taylor wrote:
 
 I have a question and would like all of your opinions on this matter, as I research 
 heavily into stateful ethernet bridging, packet mangling and their advantages and 
 disadvantages to local and wide area network topologies.
 
 Deployed in large volumes, what negative effects, if any, would ethernet and fiber 
 bridges have on the Internet as a whole.
 
 Let's say I was to build a bridge designed to intercept and manipulate traffic 
 coming in from an outside network into my 'colo site' to do traffic shaping, packet 
 filtering, and ethernet frames manipulation.  And I deployed 100s of these into the 
 facility as a means to control overall traffic.  Would these transparent bridges be 
 detrimental in any way to the rest of the internet.  I understand that since they 
 are re-transmitting data that the possibility of their MAC addresses popping up 
 every time a machine behind it pops up could be an issue when doing network 
 monitoring.  But I'd just like to know what everyone thinks about such products.
 
 (Excuse me if my statements seem a little incoherent, I just woke up)
 
 Greg

---
Wayne Bouchard
[EMAIL PROTECTED]
Network Dude
http://www.typo.org/~web/



RE: 2001:590::/32 announced by both AS4436 (nLayer) and AS4474 (Global Village, no contact in whois, but seems to be nLayer...)

2004-03-16 Thread Jeroen Massar


Richard A Steenbergen [mailto:[EMAIL PROTECTED] wrote:

 On Tue, Mar 16, 2004 at 06:12:22PM +0100, Jeroen Massar wrote:
  
  2001:590::/32 _is_ being announced by both AS4436 *and* AS4474.
  Trying to contact these ASN's to inquire why that is happening
  and maybe finding out if it was an erroneous configuration I
  tried to find the contacts which lead to AS4474 not having any
  contact information available per ARIN registry.
  Thus who do you call then when AS4436 doesn't seem home?
  Indeed: ARIN, which also didn't seem home thus: NANOG.
 
 Next time you want to contact a noc, you might want to try 
 not doing it as a cc: to an e-mail encouraging random peers
 to depeer someone because of an inconsistent origin AS
 caused by the use of local-as. Actions like that
 (and these for that matter) tend to get one branded a net kook... And
 feeding the kooks is never productive. :)

The issue has been explained by a certain 'representative'
in a separate mail. Apparently they have acquired a number
of networks amongst which they also AS4474 to/from which
they are migrating requiring the above setup.

Now let's hope that they will finish this migration soon
without problems and update the registry objects in question
so that in the future there can be no doubt about this even
when you are on the other side of the world and nothing
about such a migration is documented anywhere.

Greets,
 Jeroen




Firewall opinions wanted please

2004-03-16 Thread Nicole



 Hi
 I am looking for a good but reasonably priced firewall for a 40 or so server
 site. Some people swear by Pix, others swear at it a lot. Also I have heard
good things about Netscreen. Or any others you would recommend for protecting
servers on a busy network. Don't really need anything with VPN just the
standard http, ftp, ssh, https, type traffic up to 100mb throughput.
 From what I have heard a proxy firewall would be best? 

 

 Thanks in advance!!


  Nicole





--
 |\ __ /|   (`\
 | o_o  |__  ) )   
//  \\ 
  -  [EMAIL PROTECTED]  -  Powered by FreeBSD  -
--
  Daemons will now be known as spiritual guides
 -Politically Correct UNIX Page




Re: Cisco website www.cisco.com 403 forbidden?

2004-03-16 Thread Robert Boyle
At 04:04 PM 3/16/2004, Petri Helenius wrote:
No. It´s self defending network.
It was the little girl with the really cool game! :)

R

Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
Good will, like a good name, is got by many actions, and lost by one. - 
Francis Jeffrey



Re: Firewall opinions wanted please

2004-03-16 Thread Gregory Taylor

PIX firewalls are great if you configure them correctly for the application.  40 or 
less servers may not require something as complex, however if the data you are 
protecting is super-critical, I think a PIX might be your best solution.

Proxy firewalls (i.e. Linux, BSD or variant gateways) are good if you're into doing an 
internal IP network with a NAT access point.  But remember dealing with proxies, there 
is no such thing as a 'TRUE' transparent proxy, and having to go through all of the 
complexities of port forwarding, packet mangling, etc. might be too much if you are 
simply trying to firewall your web servers and whatnot.

As discussed in a previous thread, I spoke about transparent bridging used for packet 
filtering and mangling.  On a small application, that might be a good idea, because 
you get all of the true internet access (i.e. legit IPs, no proxying etc.) with the 
same ability to filter TCP, ICMP, UDP, IGMP etc. traffic.

Disadvantages to dealing with transparent bridging is that you run into the whole MAC 
address collision and excess over-head announcements being made from the bridge itself 
every time it sends a packet through.

The best option I guess is to figure out how important it is for you to have a 
firewall, what is the reason you need one and how important the data is on your 
servers.  That will help you decide the best choice for a firewall or proxy 
application.

Greg

-- Original Message --
From: Nicole [EMAIL PROTECTED]
Date:  Tue, 16 Mar 2004 14:27:16 -0800 (PST)




 Hi
 I am looking for a good but reasonably priced firewall for a 40 or so server
 site. Some people swear by Pix, others swear at it a lot. Also I have heard
good things about Netscreen. Or any others you would recommend for protecting
servers on a busy network. Don't really need anything with VPN just the
standard http, ftp, ssh, https, type traffic up to 100mb throughput.
 From what I have heard a proxy firewall would be best? 

 

 Thanks in advance!!


  Nicole





--
 |\ __ /|   (`\
 | o_o  |__  ) )   
//  \\ 
  -  [EMAIL PROTECTED]  -  Powered by FreeBSD  -
--
  Daemons will now be known as spiritual guides
 -Politically Correct UNIX Page





RE: Firewall opinions wanted please - clarification

2004-03-16 Thread Nicole


 As much as I hate to follow up my own post, I suppose I was a bit too vague
for my own good =]

 We do not run any cisco gear and we are in a Class A data facility.
 
 By proxy I did not mean to imply NAT. I cannot remember the proper term but
what I mean is full packet handling as opposed to packet inspection. 

 Security is important but the budget limit is only up to about 3K. I have been
trying to get the client a firewall for some time and am just now getting the
go ahead.  



 Sorry for any vagueness but I usually like to not say too much as to sway
opinions one way or another and to learn more as any knowledge I have may be
wrong or out of date.



  Nicole



On 16-Mar-04 Unnamed Administration sources reported Nicole said :
 
 
 
  Hi
  I am looking for a good but reasonably priced firewall for a 40 or so server
  site. Some people swear by Pix, others swear at it a lot. Also I have heard
 good things about Netscreen. Or any others you would recommend for protecting
 servers on a busy network. Don't really need anything with VPN just the
 standard http, ftp, ssh, https, type traffic up to 100mb throughput.
  From what I have heard a proxy firewall would be best? 
 
  
 
  Thanks in advance!!
 
 
   Nicole
 

 




verisignmail.com RBL Contact

2004-03-16 Thread Mark Foster

If anyone on here is from the powers-that-be behind the verisignmail.com
RBL - or in fact anyone from Verisign Security - could they please contact
me offlist regarding an ongoing (2 month!) issue regarding mail delivery.
Thanks, and sorry for the noise (again!).

Mark.




RE: Firewall opinions wanted please

2004-03-16 Thread Burton, Chris

Depends on many aspects; performance, management, and logging
features. I personally recommend Checkpoint FW-1 Express for a smaller
site if you want easy configuration and a great logging interface;
though the pricing may not be what you are looking for.  Cisco PIX is
also great but the management and logging aspects in my opinion are not
up to par with Checkpoint on the lower price end (i.e. Without
investment in other management tools).  It goes back to what you and
anyone supporting the platform will be comfortable with.

Chris Burton
Network Engineer
Walt Disney Internet Group: Network Services




-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Nicole
Sent: Tuesday, March 16, 2004 2:27 PM
To: [EMAIL PROTECTED]
Subject: Firewall opinions wanted please




 Hi
 I am looking for a good but reasonably priced firewall for a 40 or so server
 site. Some people swear by Pix, others swear at it a lot. Also I have heard
good things about Netscreen. Or any others you would recommend for protecting
servers on a busy network. Don't really need anything with VPN just the
standard http, ftp, ssh, https, type traffic up to 100mb throughput.
 From what I have heard a proxy firewall would be best? 

 

 Thanks in advance!!


  Nicole





--
 |\ __ /|   (`\
 | o_o  |__  ) )   
//  \\ 
  -  [EMAIL PROTECTED]  -  Powered by FreeBSD  -
--
  Daemons will now be known as spiritual guides
 -Politically Correct UNIX Page




Re: Firewall opinions wanted please - clarification

2004-03-16 Thread Brandon Shiers
Sonicwall makes a great product that can run in STANDARD (Proxy) mode. 

Their prices are pretty good as well, especially if you buy them 
through a reseller.  We deploy many of these firewalls every year and 
they are great!

Thanks,

Brandon
On Tue, 16 Mar 2004 15:07:26 -0800 (PST)
 Nicole [EMAIL PROTECTED] wrote:


 As much as I hate to follow up my own post, I suppose I was a bit too vague
for my own good =]

 We do not run any cisco gear and we are in a Class A data facility.
 
 By proxy I did not mean to imply NAT. I cannot remember the proper term but
what I mean is full packet handling as opposed to packet inspection. 

 Security is important but the budget limit is only up to about 3K. I have been
trying to get the client a firewall for some time and am just now getting the
go ahead.  



 Sorry for any vagueness but I usually like to not say too much as to sway
opinions one way or another and to learn more as any knowledge I have may be
wrong or out of date.



  Nicole



On 16-Mar-04 Unnamed Administration sources reported Nicole said :
 
 
 
  Hi
  I am looking for a good but reasonably priced firewall for a 40 or so server
  site. Some people swear by Pix, others swear at it a lot. Also I have heard
 good things about Netscreen. Or any others you would recommend for protecting
 servers on a busy network. Don't really need anything with VPN just the
 standard http, ftp, ssh, https, type traffic up to 100mb throughput.
  From what I have heard a proxy firewall would be best? 
 
  
 
  Thanks in advance!!
 
 
   Nicole
 

 





Re: Packet Kiddies Invade NANOG

2004-03-16 Thread Tom (UnitedLayer)

On Tue, 16 Mar 2004 [EMAIL PROTECTED] wrote:
  Hmm, if someone (except masochists and security vendors)  still hosts
  efnet... I can only send them my condolences.
 
  I saw the same dialogs 6 years ago. Nothing changes.

 What about undernet?

That's even worse :)

 A customer wants us to help him setup an undernet IRC server.  My gut
 feeling is, hosting IRC servers (especially on the well known networks)
 is like wearing a kick me/flood me sign on your network, and it's
 probably not going to be worth the pain  pages.

Sounds about right.
Unless you feel like charging someone several thousands of dollars per
month to host an EFNet server, don't do it unless you have a personal
interest.



Assymetric Routing / Statefull Inspection Firewall

2004-03-16 Thread Mike Turner








Hello Everyone,



 I am currently looking for a stateful inspection firewall
that supports asymmetric routing - is there such a product? I cannot
imagine that I am the only person with redundant Internet connectivity,
that would like to put firewalls near the edge of our network. Any
thoughts / Suggestions would be greatly appreciated!



Thanks,



Mike








Re: Firewall opinions wanted please

2004-03-16 Thread Valdis . Kletnieks
On Tue, 16 Mar 2004 14:27:16 PST, Nicole [EMAIL PROTECTED]  said:

  From what I have heard a proxy firewall would be best? 

I'll go out on a limb here and say that the actual make and model of the
firewall don't matter anywhere *near* as much as a proper understanding on the
client's part of what a firewall can and can't do.

It can let you know when somebody's poking at your site.  But it can't do it on
its own, somebody *will* have to read the logs (even if you use a good
log-filtering package to trim out all the true noise).

It can't automagically secure your site.  All it takes is *one* laptop or VPN
connection to the inside from a compromised machine and you're history.

The most successful firewall installs I've encountered have invariably
considered the firewall not as a prevention device but as an IDS with a bad
attitude. A firewall is *never* an acceptable substitute for proper end-host
security procedures - the end host *must* be fully prepared to deal with a
total breach of the firewall (remember - a firewall will never stop a
disgruntled employee).





GigE High-Availability + Link Aggregation

2004-03-16 Thread Jason McCormick

Hello all,

  I'm trying to price and buy a network setup for a high-availability 
GigE situation that requires link aggregation.  In a simplistic 
example, my need is to have, Host A with 2 GigE NICs (copper) that are 
link aggregated with 802.3ad but each side is run to a different 
switch with a host Host B on the other side configured in the same 
manner.  For example:


              +----------------+
           /--| GigE Switch 1  |--\
          |   +----------------+   |
          /                        \
    NIC1-/                          \-NIC1
HOST A -=                            =- Host B
    NIC2-\                          /-NIC2
          \                        /
          |   +----------------+   |
           \--| GigE Switch 2  |--/
              +----------------+

In this example, Host A would have an IP of 10.0.0.1 that would be 
aggregated on both NIC1 and NIC2 to provide 2Gbps through put and Host 
B would have 10.0.0.2 with link aggregation.  The theory to this being 
that I can kill two birds with one stone and provide 2Gbps throughput 
while having the high-availability.  If Switch1 dies, throughput drops 
to 1Gbps but the endpoints are still available and vice versa.  

If I'm understanding 802.3ad properly, the aggregates have to be on the 
same switch or at least in the same stack and can't be passed along 
on-wire in the same way that other tagged protocols can (such as VLAN 
tags).  Maybe I'm wrong on this?  As usual, cost is a MAJOR constraint 
(when isn't it?!?) and I'm looking for the cheapest possible solution.  
Can anyone recommend a product/products that would accomplish this for 
me?  I'm trying to keep the price  $6000 if possible.  If you feel 
this is off-topic, please feel free to reply to me personally.

Thanks a lot in advance!

-- 
Jason McCormick 
[EMAIL PROTECTED]
GPG Key ID: 96D6CF63


Re: GigE High-Availability + Link Aggregation

2004-03-16 Thread Jason McCormick

On Tuesday 16 March 2004 10:08 pm, you wrote:
   I'm trying to price and buy a network setup for a high-availability
 GigE situation that requires link aggregation. 
{SNIP}

  Thanks for the response so far.  To clarify several things based on the 
feedback...  For the implementation Host A side is going to be N 
number of servers that are pointing at a NAS filer device that is on 
the Host B side of my example so the interconnection needs to be 
switches and can't be direct-connects.  Also, the targeted quantifiable 
throughput will need to be  1Gbps so I need always-on link 
aggregation.

Thanks for the responses so far!


-- 
Jason McCormick 
[EMAIL PROTECTED]
GPG Key ID: 96D6CF63


Re: Assymetric Routing / Statefull Inspection Firewall

2004-03-16 Thread alex

If you are asking for stateful filtering for a firewall that sees only
one-way conversation, it does not exist and cannot exist, by definition.

If you are asking for some way for firewall A that sees only inbound 
packets and firewall B that sees only outbound packets to communicate said 
information - I suggest mirror port on a switch.

Otherwise, as long as firewall sees both incoming and outgoing packets, 
why would it care what happens later at your border routers?

--
Alex Pilosov| DSL, Colocation, Hosting Services
President   | [EMAIL PROTECTED](800) 710-7031
Pilosoft, Inc.  | http://www.pilosoft.com

On Tue, 16 Mar 2004, Mike Turner wrote:

 Hello Everyone,
  
 I am currently looking for a statefull inspection firewall
 that support asymmetric routing - is there such a product? I cannot
 imagine that I am the only person with redundant Internet connectivity,
 that would like to put firewalls near the edge of our network. Any
 thoughts / Suggestions would be greatly appreciated!
  
 Thanks,
  
 Mike
 



Re: Firewall opinions wanted please

2004-03-16 Thread Steven M. Bellovin

In message [EMAIL PROTECTED], Valdis.Kletni
[EMAIL PROTECTED] writes:


On Tue, 16 Mar 2004 14:27:16 PST, Nicole [EMAIL PROTECTED]  said:

  From what I have heard a proxy firewall would be best? 

I'll go out on a limb here and say that the actual make and model of the
firewall don't matter anywhere *near* as much as a proper understanding on the
client's part of what a firewall can and can't do.

You're not going out on a limb; you're absolutely right, and I've been 
saying that for years.  I'll quote myself:

   Although firewalls are a useful part of a network security
   program, they are not a panacea. When managed properly, they
   are useful, but they will not do everything. If
   firewalls are used improperly, the only thing they buy you
   is a false sense of security.

Beyond that, different security policies have a much greater impact 
than different brands or types of firewalls.  

--Steve Bellovin, http://www.research.att.com/~smb




Re: Firewall opinions wanted please - clarification

2004-03-16 Thread Alexei Roudnev

You mean _PROTOCOL HANDLING_, I believe.

I do not know, why people are paying so much attention to it.  Important
questions are:

- which services are you providing for the public?
- who will handle all your SSL sessions, if any (may be, Load Balancers?
Then you do not bother about FW proxy for them);
- who will handle all http requests (yes, proxy can help here, but it is not
the only way);
- who will inspect mail content (not SMTP protocol, but attachments etc)?
- who will handle your ssh sessions, if you have inbound ssh?
- who will handle your inbound VPN or PPTP, if you use it?
- are DDOS attacks dangerous for you (you host SCO, for example) or not (you
provide specific service for 100 companies, not for wide public);
- do you use host level IDS / change control?

PIX is an excellent firewall... for many purposes, but not for others (and not
as a proxy, of course). It is impossible to select anything without knowing
the answers to these questions...

AlexeiRoudnev



   As much as I hate to follow up my own post, I suppose I was a bit too vague
  for my own good =]

   We do not run any cisco gear and we are in a Class A data facility.

   By proxy I did not mean to imply NAT. I cannot remember the proper term but
  what I mean is full packet handling as opposed to packet inspection.

   Security is important but the budget limit is only up to about 3K. I have been
  trying to get the client a firewall for some time and am just now getting the
  go ahead.

   Sorry for any vagueness but I usually like to not say too much as to sway
  opinions one way or another and to learn more as any knowledge I have may be
  wrong or out of date.

 Nicole

  On 16-Mar-04 Unnamed Administration sources reported Nicole said :

    Hi
    I am looking for a good but reasonably priced firewall for a 40 or so server
    site. Some people swear by Pix, others swear at it a lot. Also I have heard
    good things about Netscreen. Or any others you would recommend for protecting
    servers on a busy network. Don't really need anything with VPN just the
    standard http, ftp, ssh, https, type traffic up to 100mb throughput.
    From what I have heard a proxy firewall would be best?

    Thanks in advance!!

     Nicole




Re: Assymetric Routing / Statefull Inspection Firewall

2004-03-16 Thread Patrick W . Gilmore

I went to reply, but my e-mail client filled this in:

On Mar 16, 2004, at 9:27 PM, Mike Turner wrote:

mime-attachment
:)

Back on topic

On Mar 16, 2004, at 9:27 PM, Mike Turner wrote:

 I am currently looking for a statefull inspection firewall 
that support asymmetric routing - is there such a product? I cannot 
imagine that I am the only person with redundant Internet 
connectivity, that would like to put firewalls near the edge of our 
network. Any thoughts / Suggestions would be greatly appreciated!

How can a firewall perform a statefull inspection of packets coming 
in when it did not see the packets going out (or vice versa)?

If you have two links and need redundancy, get two firewalls which NAT 
and have each NAT IP only one provider.  As each packet goes out, it can 
only come back through the provider it left through, giving that 
firewall knowledge of both incoming and outgoing packets.

The firewalls will have to speak some type of routing protocol with 
your border routers, perhaps just listening to default.  If ISP1 dies, 
Firewall1 will either have to send packets out a different NAT 
interface, or perhaps through Firewall2.  And you'll have to make sure 
the border routers don't accidentally send NAT1 IP out ISP2's link.

But these are all solvable problems.  Getting a firewall to do stateful 
inspection of one-sided conversations is not.

--
TTFN,
patrick
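
The point made in both replies in this thread, as an added illustration that is not code from any poster: a toy connection-tracking model showing why a reply that returns through a firewall that never saw the outbound packet is dropped, and how per-provider source NAT pins the return path to the firewall holding the state. The class, function names and all addresses are assumptions constructed for the example.

```python
# Added illustration. All addresses are constructed (RFC 5737 documentation ranges).
HOST, SERVER = "203.0.113.5", "192.0.2.80"
ISP1_NAT, ISP2_NAT = "198.51.100.1", "198.51.100.129"   # assumed per-provider NAT addresses


class StatefulFirewall:
    def __init__(self, name, nat_ip=None):
        self.name = name
        self.nat_ip = nat_ip      # source-NAT address taken from this firewall's provider
        self.state = set()        # reply 4-tuples this firewall expects to see

    def outbound(self, src, sport, dst, dport):
        """Track an outgoing packet and return it as it appears on the wire."""
        wire_src = self.nat_ip or src
        self.state.add((dst, dport, wire_src, sport))
        return wire_src, sport, dst, dport

    def inbound(self, src, sport, dst, dport):
        """Pass a packet only if it matches state created by outbound traffic."""
        return (src, sport, dst, dport) in self.state


def return_firewall(firewalls, reply_dst, uncontrolled):
    """A reply to a provider's NAT address returns via that provider's firewall.
    Otherwise outside routing picks the path; 'uncontrolled' models that choice."""
    for fw in firewalls:
        if fw.nat_ip == reply_dst:
            return fw
    return uncontrolled


def simulate(per_provider_nat):
    fw1 = StatefulFirewall("fw1", ISP1_NAT if per_provider_nat else None)
    fw2 = StatefulFirewall("fw2", ISP2_NAT if per_provider_nat else None)
    src, sport, dst, dport = fw1.outbound(HOST, 40000, SERVER, 443)
    # The reply swaps endpoints. Worst case without NAT: it comes back via fw2.
    entry = return_firewall([fw1, fw2], src, uncontrolled=fw2)
    return entry.name, entry.inbound(dst, dport, src, sport)


if __name__ == "__main__":
    for nat in (False, True):
        name, passed = simulate(nat)
        print(f"per-provider NAT={nat}: reply arrives at {name}, "
              f"{'passed' if passed else 'dropped (no state)'}")
```
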