South Carolina attempts to repeal Rule 34
Break out the popcorn. http://www.charlotteobserver.com/news/local/article121673402.html -- -- Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV
Re: Recent NTP pool traffic increase
If anything comes from this, I'd love to hear about it. As a student in the field, this is the kind of stuff I live for! ;) Pretty awesome to see the chain of events after seeing a post on the [pool] list! Laurent On 12/19/2016 05:12 PM, Justin Paine via NANOG wrote: replying off list. Justin Paine Head of Trust & Safety Cloudflare Inc. PGP: BBAA 6BCE 3305 7FD6 6452 7115 57B6 0114 DE0B 314D On Mon, Dec 19, 2016 at 1:49 PM, Dan Drown wrote: Quoting David : On 2016-12-19 1:55 PM, Jan Tore Morken wrote: On Mon, Dec 19, 2016 at 01:32:50PM -0700, David wrote: I found devices doing lookups for all of these at the same time {0,0.uk,0.us,asia,europe,north-america,south-america,oceania,africa}.pool.ntp.org and then it proceeds to use everything returned, which explains why everyone is seeing an increase. Thanks, David. That perfectly matches the list of servers used by older versions of the ios-ntp library[1][2], which would point toward some iPhone app being the source of the traffic. [1] https://github.com/jbenet/ios-ntp/blob/d5eade6a99041094f12f0c976dd4aaeed37e0564/ios-ntp-rez/ntp.hosts [2] https://github.com/jbenet/ios-ntp/blob/5cc3b6e437a6422dcee9dec9da5183e283eff9f2/ios-ntp-lib/NetworkClock.m#L122 That would make sense - I see a lot of iCloud related lookups from these hosts as well. Also, app.snapchat.com generally seems to follow just after the NTP pool DNS lookups. I don't have an iPhone to test that though. Confirmed - starting up the iOS Snapchat app does a lookup to the domains you listed, and then sends NTP to every unique IP. Around 35-60 different IPs. Anyone have a contact at Snapchat?
Re: Google Global Cache Contact
Jason, In case you haven't already heard from the good people at Google: http://bit.ly/2hTJOhX Best, -M< On Mon, Dec 19, 2016 at 4:15 PM, Jason Rokeach wrote: > Hi folks, could a contact for GGC contact me off-list? > > Thank you! > - Jason R. Rokeach
Google Global Cache Contact
Hi folks, could a contact for GGC contact me off-list? Thank you! - Jason R. Rokeach
Re: Recent NTP pool traffic increase
On Mon, Dec 19, 2016 at 01:32:50PM -0700, David wrote: > I found devices doing lookups for all of these at the same time > {0,0.uk,0.us,asia,europe,north-america,south-america,oceania,africa,europe}.pool.ntp.org > and then it proceeds to use everything returned, which explains why > everyone is seeing an increase. Thanks, David. That perfectly matches the list of servers used by older versions of the ios-ntp library[1][2], which would point toward some iPhone app being the source of the traffic. [1] https://github.com/jbenet/ios-ntp/blob/d5eade6a99041094f12f0c976dd4aaeed37e0564/ios-ntp-rez/ntp.hosts [2] https://github.com/jbenet/ios-ntp/blob/5cc3b6e437a6422dcee9dec9da5183e283eff9f2/ios-ntp-lib/NetworkClock.m#L122 -- Jan Tore Morken
Re: Recent NTP pool traffic increase
replying off list. Justin Paine Head of Trust & Safety Cloudflare Inc. PGP: BBAA 6BCE 3305 7FD6 6452 7115 57B6 0114 DE0B 314D On Mon, Dec 19, 2016 at 1:49 PM, Dan Drown wrote: > Quoting David : >> >> On 2016-12-19 1:55 PM, Jan Tore Morken wrote: >>> >>> On Mon, Dec 19, 2016 at 01:32:50PM -0700, David wrote: I found devices doing lookups for all of these at the same time {0,0.uk,0.us,asia,europe,north-america,south-america,oceania,africa}.pool.ntp.org and then it proceeds to use everything returned, which explains why everyone is seeing an increase. >>> >>> >>> Thanks, David. That perfectly matches the list of servers used by >>> older versions of the ios-ntp library[1][2], which would point toward >>> some iPhone app being the source of the traffic. >>> >>> [1] >>> https://github.com/jbenet/ios-ntp/blob/d5eade6a99041094f12f0c976dd4aaeed37e0564/ios-ntp-rez/ntp.hosts >>> [2] >>> https://github.com/jbenet/ios-ntp/blob/5cc3b6e437a6422dcee9dec9da5183e283eff9f2/ios-ntp-lib/NetworkClock.m#L122 >>> >> >> That would make sense - I see a lot of iCloud related lookups from these >> hosts as well. >> >> Also, app.snapchat.com generally seems to follow just after the NTP pool >> DNS lookups. I don't have an iPhone to test that though. > > > Confirmed - starting up the iOS Snapchat app does a lookup to the domains > you listed, and then sends NTP to every unique IP. Around 35-60 different > IPs. > > Anyone have a contact at Snapchat?
Re: Recent NTP pool traffic increase
Quoting David : On 2016-12-19 1:55 PM, Jan Tore Morken wrote: On Mon, Dec 19, 2016 at 01:32:50PM -0700, David wrote: I found devices doing lookups for all of these at the same time {0,0.uk,0.us,asia,europe,north-america,south-america,oceania,africa}.pool.ntp.org and then it proceeds to use everything returned, which explains why everyone is seeing an increase. Thanks, David. That perfectly matches the list of servers used by older versions of the ios-ntp library[1][2], which would point toward some iPhone app being the source of the traffic. [1] https://github.com/jbenet/ios-ntp/blob/d5eade6a99041094f12f0c976dd4aaeed37e0564/ios-ntp-rez/ntp.hosts [2] https://github.com/jbenet/ios-ntp/blob/5cc3b6e437a6422dcee9dec9da5183e283eff9f2/ios-ntp-lib/NetworkClock.m#L122 That would make sense - I see a lot of iCloud related lookups from these hosts as well. Also, app.snapchat.com generally seems to follow just after the NTP pool DNS lookups. I don't have an iPhone to test that though. Confirmed - starting up the iOS Snapchat app does a lookup to the domains you listed, and then sends NTP to every unique IP. Around 35-60 different IPs. Anyone have a contact at Snapchat?
Re: Recent NTP pool traffic increase
the new Mario app perhaps? :) Justin Paine Head of Trust & Safety Cloudflare Inc. PGP: BBAA 6BCE 3305 7FD6 6452 7115 57B6 0114 DE0B 314D On Mon, Dec 19, 2016 at 1:12 PM, David wrote: > On 2016-12-19 1:55 PM, Jan Tore Morken wrote: >> >> On Mon, Dec 19, 2016 at 01:32:50PM -0700, David wrote: >>> >>> I found devices doing lookups for all of these at the same time >>> >>> {0,0.uk,0.us,asia,europe,north-america,south-america,oceania,africa,europe}.pool.ntp.org >>> and then it proceeds to use everything returned, which explains why >>> everyone is seeing an increase. >> >> >> Thanks, David. That perfectly matches the list of servers used by >> older versions of the ios-ntp library[1][2], which would point toward >> some iPhone app being the source of the traffic. >> >> [1] >> https://github.com/jbenet/ios-ntp/blob/d5eade6a99041094f12f0c976dd4aaeed37e0564/ios-ntp-rez/ntp.hosts >> [2] >> https://github.com/jbenet/ios-ntp/blob/5cc3b6e437a6422dcee9dec9da5183e283eff9f2/ios-ntp-lib/NetworkClock.m#L122 >> > > That would make sense - I see a lot of iCloud related lookups from these > hosts as well. > > Also, app.snapchat.com generally seems to follow just after the NTP pool DNS > lookups. I don't have an iPhone to test that though. > > Thanks, >
Re: Recent NTP pool traffic increase
On 2016-12-19 1:55 PM, Jan Tore Morken wrote: On Mon, Dec 19, 2016 at 01:32:50PM -0700, David wrote: I found devices doing lookups for all of these at the same time {0,0.uk,0.us,asia,europe,north-america,south-america,oceania,africa,europe}.pool.ntp.org and then it proceeds to use everything returned, which explains why everyone is seeing an increase. Thanks, David. That perfectly matches the list of servers used by older versions of the ios-ntp library[1][2], which would point toward some iPhone app being the source of the traffic. [1] https://github.com/jbenet/ios-ntp/blob/d5eade6a99041094f12f0c976dd4aaeed37e0564/ios-ntp-rez/ntp.hosts [2] https://github.com/jbenet/ios-ntp/blob/5cc3b6e437a6422dcee9dec9da5183e283eff9f2/ios-ntp-lib/NetworkClock.m#L122 That would make sense - I see a lot of iCloud related lookups from these hosts as well. Also, app.snapchat.com generally seems to follow just after the NTP pool DNS lookups. I don't have an iPhone to test that though. Thanks,
Re: Recent NTP pool traffic increase
> On Dec 15, 2016, at 14:45, Jose Gerardo Perales Soto > wrote: > > We've recently experienced a traffic increase on the NTP queries to NTP pool > project (pool.ntp.org) servers. One theory is that some service provider NTP > infraestructure failed approximately 2 days ago and traffic is now being > redirected to servers belonging to the NTP pool project. Hi Jose, It’s more widespread than a particular service provider, so it seems more likely it’s a software update for some “IoT” device or similar. The increase in DNS queries was on the “non-vendor” names, so it’s difficult to know who it is without being on a local network with one of the bad device The increase in DNS queries is much smaller than the increase in NTP queries that are being seen, so it’s not just more clients, but badly behaving ones. :-( https://status.ntppool.org/incidents/vps6y4mm0m69 If you have NTP servers that can be added to the pool. it’d be greatly appreciated. http://www.pool.ntp.org/join.html Ask
Re: Recent NTP pool traffic increase
Quoting David : I found devices doing lookups for all of these at the same time {0,0.uk,0.us,asia,europe,north-america,south-america,oceania,africa,europe}.pool.ntp.org and then it proceeds to use everything returned, which explains why everyone is seeing an increase. I'm very interested to find out what devices these are. This would explain why places like New Zealand are getting massive amounts of NTP traffic from North America.
Re: Recent NTP pool traffic increase
On Mon, 19 Dec 2016 12:52:59 -0700, David said: > From a source network point of view we see devices come online and hit > ~35 unique NTP servers within a few seconds. Am I the only one who read that and started wondering if some engineer writing CPE code read a recommendation someplace to "query 3-5 different servers" and managed to miss the "-"? pgpLj_BNMzrsW.pgp Description: PGP signature
Re: Recent NTP pool traffic increase (update)
I'm not sure if this issue relevant to discussed topic, Tenda routers here for a while on market, and i think i noticed this issue just now, because NTP servers they are using supposedly for healthcheck went down (or NTP owners blocked ISP's i support, due such routers). At least after checking numerous users, i believe Tenda hardcoded those NTP IPs. What worsen issue, that in Lebanon several times per day, for example at 18pm - short electricity cutoff, and majority of users routers will reboot and surely reconnect, so it will look like a countrywide spike in NTP traffic. I checked for a 10min also this NTP ips in dns responses, none of thousands of users tried to resolve any name with them over any DNS server, so i conclude they are hardcoded somewhere in firmware. Here is traffic of Tenda router after reconnecting (but not full powercycle, i dont have it in my hands). But as you can see, no DNS resolution attempts: 20:15:59.305739 PPPoE [ses 0x1483] CHAP, Success (0x03), id 1, Msg S=XX M=Authentication succeeded 20:15:59.306100 PPPoE [ses 0x1483] IPCP, Conf-Request (0x01), id 1, length 12 20:15:59.317840 PPPoE [ses 0x1483] IPCP, Conf-Request (0x01), id 1, length 24 20:15:59.317841 PPPoE [ses 0x1483] IPCP, Conf-Ack (0x02), id 1, length 12 20:15:59.317867 PPPoE [ses 0x1483] IPCP, Conf-Nack (0x03), id 1, length 18 20:15:59.325253 PPPoE [ses 0x1483] IPCP, Conf-Request (0x01), id 2, length 24 20:15:59.325273 PPPoE [ses 0x1483] IPCP, Conf-Ack (0x02), id 2, length 24 20:15:59.335589 PPPoE [ses 0x1483] IP 172.17.49.245.123 > 133.100.9.2.123: NTPv3, Client, length 48 20:15:59.335588 PPPoE [ses 0x1483] IP 172.17.49.245.123 > 192.5.41.41.123: NTPv3, Client, length 48 20:15:59.335588 PPPoE [ses 0x1483] IP 172.17.49.245.123 > 192.5.41.40.123: NTPv3, Client, length 48 Here is example of Tenda traffic if it is unable to reach destination, it repeats request each 10 seconds endlessly, my guess they are using ntp to show status of internet connection. So, now that NTP servers getting quite significant DDoS such way. 19:57:52.162863 IP (tos 0x0, ttl 64, id 38515, offset 0, flags [none], proto UDP (17), length 76) 172.16.31.67.123 > 192.5.41.40.123: [udp sum ok] NTPv3, length 48 Client, Leap indicator: (0), Stratum 0 (unspecified), poll 0 (1s), precision 0 Root Delay: 0.00, Root dispersion: 0.00, Reference-ID: (unspec) Reference Timestamp: 0.0 Originator Timestamp: 0.0 Receive Timestamp:0.0 Transmit Timestamp: 3691177063.0 (2016/12/19 22:57:43) Originator - Receive Timestamp: 0.0 Originator - Transmit Timestamp: 3691177063.0 (2016/12/19 22:57:43) 19:57:52.163277 IP (tos 0x0, ttl 64, id 38516, offset 0, flags [none], proto UDP (17), length 76) 172.16.31.67.123 > 192.5.41.41.123: [udp sum ok] NTPv3, length 48 Client, Leap indicator: (0), Stratum 0 (unspecified), poll 0 (1s), precision 0 Root Delay: 0.00, Root dispersion: 0.00, Reference-ID: (unspec) Reference Timestamp: 0.0 Originator Timestamp: 0.0 Receive Timestamp:0.0 Transmit Timestamp: 3691177063.0 (2016/12/19 22:57:43) Originator - Receive Timestamp: 0.0 Originator - Transmit Timestamp: 3691177063.0 (2016/12/19 22:57:43) 19:57:52.164435 IP (tos 0x0, ttl 64, id 38517, offset 0, flags [none], proto UDP (17), length 76) 172.16.31.67.123 > 133.100.9.2.123: [udp sum ok] NTPv3, length 48 Client, Leap indicator: (0), Stratum 0 (unspecified), poll 0 (1s), precision 0 Root Delay: 0.00, Root dispersion: 0.00, Reference-ID: (unspec) Reference Timestamp: 0.0 Originator Timestamp: 0.0 Receive Timestamp:0.0 Transmit Timestamp: 3691177063.0 (2016/12/19 22:57:43) Originator - Receive Timestamp: 0.0 Originator - Transmit Timestamp: 3691177063.0 (2016/12/19 22:57:43) 19:58:02.164781 IP (tos 0x0, ttl 64, id 38518, offset 0, flags [none], proto UDP (17), length 76) 172.16.31.67.123 > 192.5.41.40.123: [udp sum ok] NTPv3, length 48 Client, Leap indicator: (0), Stratum 0 (unspecified), poll 0 (1s), precision 0 Root Delay: 0.00, Root dispersion: 0.00, Reference-ID: (unspec) Reference Timestamp: 0.0 Originator Timestamp: 0.0 Receive Timestamp:0.0 Transmit Timestamp: 3691177073.0 (2016/12/19 22:57:53) Originator - Receive Timestamp: 0.0 Originator - Transmit Timestamp: 3691177073.0 (2016/12/19 22:57:53) 19:58:02.164884 IP (tos 0x0, ttl 64, id 38519, offset 0, flags [none], proto UDP (17), length 76) 172.16.31.67.123 > 192.5.41.41.123: [udp sum ok] NTPv3, length 48 Client, Leap indicator: (
Re: Recent NTP pool traffic increase
On 2016-12-19 12:52 PM, David wrote: On 2016-12-19 11:29 AM, Laurent Dumont wrote: I also have a similar experience with an increased load. I'm running a pretty basic Linode VPS and I had to fine tune a few things in order to deal with the increased traffic. I can clearly see a date around the 14-15 where my traffic increases to 3-4 times the usual amounts. From a source network point of view we see devices come online and hit ~35 unique NTP servers within a few seconds. I'll try to see if I can track down what type of devices they are. I found devices doing lookups for all of these at the same time {0,0.uk,0.us,asia,europe,north-america,south-america,oceania,africa,europe}.pool.ntp.org and then it proceeds to use everything returned, which explains why everyone is seeing an increase.
Re: Recent NTP pool traffic increase
On 2016-12-19 11:29 AM, Laurent Dumont wrote: I also have a similar experience with an increased load. I'm running a pretty basic Linode VPS and I had to fine tune a few things in order to deal with the increased traffic. I can clearly see a date around the 14-15 where my traffic increases to 3-4 times the usual amounts. From a source network point of view we see devices come online and hit ~35 unique NTP servers within a few seconds. I'll try to see if I can track down what type of devices they are. I did a quick dump and in 60 seconds I was hit by slightly over 190K IPs http://i.imgur.com/mygYINk.png Weird stuff Laurent On 12/17/2016 10:25 PM, Gary E. Miller wrote: Yo All! On Sat, 17 Dec 2016 17:54:55 -0800 "Gary E. Miller" wrote: # tcpdump -nvvi eth0 port 123 |grep "Originator - Transmit Timestamp:" And I do indeed get odd results. Some on my local network... To follow up on my own post, so this can be promply laid to rest. After some discussion at NTPsec. It seems that chronyd takes a lot of 'creative license' with RFC 5905 (NTPv4). But it is not malicious, just 'odd', and not new. So, nothing see here, back to the hunt for the real cause of the new NTP traffic. RGDS GARY --- Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703 g...@rellim.com Tel:+1 541 382 8588
Re: Recent NTP pool traffic increase (update)
Many sorry! Update, seems illiterate in english (worse than me, hehe) customer was not precise about model of router, while he reported issue. I noticed now many customers using specific models of routers reported issues with internet connection. Analyzing internet traffic, i noticed that this routers seems excessively requesting ntp from those ip addresses, and not trying others: > 192.5.41.40.123: NTPv3, Client, length 48 > 192.5.41.41.123: NTPv3, Client, length 48 > 133.100.9.2.123: NTPv3, Client, length 48 I'm asking customer to make photo of device, to retrieve model and revision, and checking other customers as well, if they are abusing same servers. There is definitely pattern, that all of them are using just this 3 hardcoded servers. Problem is that many customers are changing mac of router, so i cannot clearly identify vendor by first mac nibbles. He sent me 2 photos, one of them LB-Link (mac vendor lookup 20:f4:1b says Shenzhen Bilian electronic CO.,LTD), another is Tenda (c8:3a:35 is Tenda). If it is necessary i can investigate further. On 2016-12-19 20:33, Ca By wrote: My WAG is that the one plus updated firmeware on that day and they baked in the pool. Complete WAG, but time and distributed sources including wireless networks On Mon, Dec 19, 2016 at 10:30 AM Laurent Dumont wrote: I also have a similar experience with an increased load. I'm running a pretty basic Linode VPS and I had to fine tune a few things in order to deal with the increased traffic. I can clearly see a date around the 14-15 where my traffic increases to 3-4 times the usual amounts. I did a quick dump and in 60 seconds I was hit by slightly over 190K IPs http://i.imgur.com/mygYINk.png Weird stuff Laurent On 12/17/2016 10:25 PM, Gary E. Miller wrote: > Yo All! > > On Sat, 17 Dec 2016 17:54:55 -0800 > "Gary E. Miller" wrote: > >> # tcpdump -nvvi eth0 port 123 |grep "Originator - Transmit Timestamp:" >> >> And I do indeed get odd results. Some on my local network... > To follow up on my own post, so this can be promply laid to rest. > > After some discussion at NTPsec. It seems that chronyd takes a lot > of 'creative license' with RFC 5905 (NTPv4). But it is not malicious, > just 'odd', and not new. > > So, nothing see here, back to the hunt for the real cause of the new > NTP traffic. > > RGDS > GARY > --- > Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703 > g...@rellim.com Tel:+1 541 382 8588
Re: Recent NTP pool traffic increase
I noticed now many customers using tp-links reported issues with internet connection. Analyzing internet traffic, i noticed that tp-link seems excessively requesting ntp from those ip addresses, and not trying others: > 192.5.41.40.123: NTPv3, Client, length 48 > 192.5.41.41.123: NTPv3, Client, length 48 > 133.100.9.2.123: NTPv3, Client, length 48 I'm asking customer to make photo of device, to retrieve model and revision, and checking other customers as well, if they are abusing same servers. On 2016-12-19 20:33, Ca By wrote: My WAG is that the one plus updated firmeware on that day and they baked in the pool. Complete WAG, but time and distributed sources including wireless networks On Mon, Dec 19, 2016 at 10:30 AM Laurent Dumont wrote: I also have a similar experience with an increased load. I'm running a pretty basic Linode VPS and I had to fine tune a few things in order to deal with the increased traffic. I can clearly see a date around the 14-15 where my traffic increases to 3-4 times the usual amounts. I did a quick dump and in 60 seconds I was hit by slightly over 190K IPs http://i.imgur.com/mygYINk.png Weird stuff Laurent On 12/17/2016 10:25 PM, Gary E. Miller wrote: > Yo All! > > On Sat, 17 Dec 2016 17:54:55 -0800 > "Gary E. Miller" wrote: > >> # tcpdump -nvvi eth0 port 123 |grep "Originator - Transmit Timestamp:" >> >> And I do indeed get odd results. Some on my local network... > To follow up on my own post, so this can be promply laid to rest. > > After some discussion at NTPsec. It seems that chronyd takes a lot > of 'creative license' with RFC 5905 (NTPv4). But it is not malicious, > just 'odd', and not new. > > So, nothing see here, back to the hunt for the real cause of the new > NTP traffic. > > RGDS > GARY > --- > Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703 > g...@rellim.com Tel:+1 541 382 8588
Re: Recent NTP pool traffic increase
My WAG is that the one plus updated firmeware on that day and they baked in the pool. Complete WAG, but time and distributed sources including wireless networks On Mon, Dec 19, 2016 at 10:30 AM Laurent Dumont wrote: > I also have a similar experience with an increased load. > > > > I'm running a pretty basic Linode VPS and I had to fine tune a few > > things in order to deal with the increased traffic. I can clearly see a > > date around the 14-15 where my traffic increases to 3-4 times the usual > > amounts. > > > > I did a quick dump and in 60 seconds I was hit by slightly over 190K IPs > > > > http://i.imgur.com/mygYINk.png > > > > Weird stuff > > > > Laurent > > > > > > On 12/17/2016 10:25 PM, Gary E. Miller wrote: > > > Yo All! > > > > > > On Sat, 17 Dec 2016 17:54:55 -0800 > > > "Gary E. Miller" wrote: > > > > > >> # tcpdump -nvvi eth0 port 123 |grep "Originator - Transmit Timestamp:" > > >> > > >> And I do indeed get odd results. Some on my local network... > > > To follow up on my own post, so this can be promply laid to rest. > > > > > > After some discussion at NTPsec. It seems that chronyd takes a lot > > > of 'creative license' with RFC 5905 (NTPv4). But it is not malicious, > > > just 'odd', and not new. > > > > > > So, nothing see here, back to the hunt for the real cause of the new > > > NTP traffic. > > > > > > RGDS > > > GARY > > > > --- > > > Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703 > > > g...@rellim.com Tel:+1 541 382 8588 > > > >
Re: Recent NTP pool traffic increase
I also have a similar experience with an increased load. I'm running a pretty basic Linode VPS and I had to fine tune a few things in order to deal with the increased traffic. I can clearly see a date around the 14-15 where my traffic increases to 3-4 times the usual amounts. I did a quick dump and in 60 seconds I was hit by slightly over 190K IPs http://i.imgur.com/mygYINk.png Weird stuff Laurent On 12/17/2016 10:25 PM, Gary E. Miller wrote: Yo All! On Sat, 17 Dec 2016 17:54:55 -0800 "Gary E. Miller" wrote: # tcpdump -nvvi eth0 port 123 |grep "Originator - Transmit Timestamp:" And I do indeed get odd results. Some on my local network... To follow up on my own post, so this can be promply laid to rest. After some discussion at NTPsec. It seems that chronyd takes a lot of 'creative license' with RFC 5905 (NTPv4). But it is not malicious, just 'odd', and not new. So, nothing see here, back to the hunt for the real cause of the new NTP traffic. RGDS GARY --- Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703 g...@rellim.com Tel:+1 541 382 8588
Re: Not a representative of gmx.com but their emails are being blocked by those who subscribe to the SORBS RBL.
Sorbs is a pretty good list. And I've been on the listed-side too. I personally would not use it to block, but I would give it 3 of the 5 points. The anti-spam gang is never going to be perfect. But since (self)regulation is not working, we need them. I value them at the moment. The only thing you can do about it, is figuring a way to solve this security issue (called spam). Met vriendelijke groet, David Hofstee Deliverability Management MailPlus B.V. Netherlands (ESP) - Oorspronkelijk bericht - Van: "Tom Beecher" Aan: "Ken O'Driscoll" , nanog@nanog.org Verzonden: Zondag 18 december 2016 20:08:05 Onderwerp: Re: Not a representative of gmx.com but their emails are being blocked by those who subscribe to the SORBS RBL. I tend to scratch my head at anyone still using SORBS at this point. On Sun, Dec 18, 2016 at 8:27 AM Ken O'Driscoll wrote: > On Sat, 2016-12-17 at 20:15 -0800, Large Hadron Collider wrote: > > > Does anyone have information on why this is, and if you represent SORBS > > > and/or GMX and/or both, would you please trouble yourself with > > > contacting me off-list? > > > > You can find out why an IP was listed via their lookup facility: > > http://www. > > sorbs.net/lookup.shtml > > > > You can request de-listing by opening a support request: > > http://www.sorbs.net/cgi-bin/support > > > > You don't need to be an IP block owner to request de-listing but you do > need to be empowered to stop whatever caused the listing in the first > place. Their support is very responsive. > > > > Ken. > > > > -- > > Ken O'Driscoll / We Monitor Email > > t: +353 1 254 9400 | w: www.wemonitoremail.com > > > >