Re: Problems connectivity GE on Foundry BigIron to Cisco 2950T
- Original Message - From: Farrell,Bob [EMAIL PROTECTED] To: Randy Bush [EMAIL PROTECTED]; David Hubbard [EMAIL PROTECTED] Cc: Sam Stickland [EMAIL PROTECTED]; [EMAIL PROTECTED] Sent: Sunday, January 15, 2006 4:45 PM Subject: RE: Problems connectivity GE on Foundry BigIron to Cisco 2950T Cisco commands- speed 1000 duplex full the bigiron wants (iirc): spe 1000-full i strongly suggest you peruse the cli reference for both devices. -p
Re: IPv6 daydreams
- Original Message - From: Peter Dambier [EMAIL PROTECTED] To: Jeroen Massar [EMAIL PROTECTED] Cc: Suresh Ramasubramanian [EMAIL PROTECTED]; Tony Li [EMAIL PROTECTED]; Daniel Roesen [EMAIL PROTECTED]; Christoper L. Morrow [EMAIL PROTECTED]; nanog@merit.edu Sent: Monday, October 17, 2005 5:43 AM Subject: Re: IPv6 daydreams --- snip --- Sorry I have to stop now. Some policemen want to talk with me about a major fraud done with my IPv6 tunnel. See you later :) no, they're just there to help out the guys in the white lab coats holding an odd-looking jacket. better late than never, i guess. we'll come visit (not really). ;) --- paul galynin
Re: IOS exploit
- Original Message - From: J. Oquendo [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, September 19, 2005 10:23 AM Subject: IOS exploit Supposedly/Allegedly/Theoretically, rumor mill has it that a worm exploit of sorts has been published. My Russian is so so, not good enough to make sense of a majority of what was posted. A translation made me want to yank my hair out. i'll help with the translation :) On Sept 9, Andrey Vladimirov (aka dr_nicodimus), known as a co-author of the book 'Wi-Foo: The Secrets of Wireless Hacking', published information about the end [result] of a brainstorm session aimed at [developing ways of] exploiting vulnerabilities in software running on Cisco products. This research has led to the development of techniques which can be used to inject executable code into Cisco IOS as well as to write exploits and shellcode for this platform. Methods of implementing a cross-platform worm targeting IOS have also been developed. A plethora of vulnerabilities have been discovered in the firmware implementation of the routing protocol EIGRP. As a demonstration, an attack from one Cisco aimed at another was successful in launching an irc server on the target. --- not translating the rest, since it's largely non-technical and contains a derogatory reference to coders in a certain asian country. --- -p --- paul galynin
Re: image stream routers
- Original Message - From: tony sarendal [EMAIL PROTECTED] To: nanog@merit.edu Sent: Saturday, September 17, 2005 2:25 PM Subject: Re: image stream routers --- snip --- It sounds to me like a software based machine can be plenty fast with good code under the hood. In my experience a datacenter pumping out 1Gbps is usually doing 200-250kpps in that direction. Considering this a box capable of around 1Mpps is plenty fast. ... until you get an inbound ddos over that shiny gige at 1.44 Mpps. in today's world, planning for normal circumstances is woefully insufficient, you have to spec based on worst case numbers because you're almost guaranteed they will hit your network upside the head in the future. -p --- paul galynin
Re: Calling all NANOG'ers - idea for national hardware price quote registry
- Original Message - From: Marshall Eubanks [EMAIL PROTECTED] To: [EMAIL PROTECTED]; Matt Bazan [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Sent: Friday, September 16, 2005 7:36 PM Subject: Re: Calling all NANOG'ers - idea for national hardware price quote registry Am I the only one who feels that an NDA, even an NDA with a vendor, is an agreement that should be honored ? I know they are silly in many cases, but still... yes, they are silly and, imo, highly unethical. with certain types of equipment an individual vendor or a pair of vendors have a virtual monopoly, so their actions and policies should be viewed in that light. with that said, two wrongs don't make a right. if you try to make something happen to change their behaviour, such as persuading them to act differently or compelling them to do so through regulation or legislation - great and many thanks. however, giving someone your word (this is what signing an agreement means) - at least for me - means i'm going to keep it. if you are not prepared to do so, don't give it/sign it. morality is about *your* behaviour first and foremost, since you can't be held responsible for that of others. -p --- paul galynin
Re: OT - Vint Cerf joins Google
- Original Message - From: JORDI PALET MARTINEZ [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, September 12, 2005 12:30 AM Subject: Re: OT - Vint Cerf joins Google The last figure that I remember, very impressive, was in April 2004, when the estimated number of hosts using 6to4 on Windows hosts was calculated as 100.000.000 (extrapolated from measurements). This is not including hosts which have native support or use other transition mechanism such as configured tunnels, ISATAP, 6over4, or Teredo (behind NAT). this figure seems to be completely over the top. i would be interested in seeing those 'measurements', an explanation of why they are statistically representative and the method of extrapolation. perhaps it was a typo and, instead of 'extrapolation', they really meant 'exaggeration'? that would make more sense ;] We notice in our web servers (which are dual stack), incredible amounts of IPv6 traffic, increasing month by month. please define incredible using a non-subjective measurement system - absolute counts and percentages of total traffic will do. as stated above, i would likewise be interested in knowing how representative your traffic is of general internet usage. as an example, i would expect web servers for an incredibly popular site discussing v6 to have a disproportionate amount of v6 traffic. Do you want to guess what will happen with Vista, which comes with IPv6 enabled by default ? i don't like guessing, but if i were pressed, drunk or otherwise intoxicated, i'd say default support in client software is not the single bottleneck - being able to purchase v6 transit and have your v6 work as well as your v4 is another one that you can't really get around. i'm not up to date on these things, has someone figured out how we're multihoming with v6 yet and, more importantly, got vendors to agree on and implement it? -p --- paul galynin
Re: Phone networks struggle in Hurricane Katrina's wake
- Original Message - From: Fergie (Paul Ferguson) [EMAIL PROTECTED] To: [EMAIL PROTECTED] Cc: nanog@merit.edu Sent: Tuesday, August 30, 2005 9:22 PM Subject: Re: Phone networks struggle in Hurricane Katrina's wake I'll file that comment where it belongs -- in file 13. If a major catastrophe, albeit more human than network-related (although lots of network-related issues here, too), isn't on-topic, then I fail to see what is. operational material maybe? nah, i'm just a confused lurker, haven't seen any of it here for a while. -p --- paul galynin
Re: OT? Device to limit simultaneous connections per host?
- Original Message - From: David Hubbard [EMAIL PROTECTED] To: nanog@merit.edu Sent: Wednesday, August 17, 2005 5:50 PM Subject: OT? Device to limit simultaneous connections per host? Hello everyone, I'm curious if anyone knows of a device that can throttle or limit a remote host's simultaneous connections or requests per second for web traffic on a per-IP basis. --- snip --- not exactly what you want, but mod_throttle will do (some of) this if you are using apache. however, keep in mind that mod_throttle had an integer underflow bug affecting its concurrent connection counter last time i used it. it's fairly trivial to find and fix and i still have the patch somewhere i think. it was also forwarded to the author, who regrettably expressed little interest in applying it for reasons best known to him (and no longer remembered by me). on a more general note, it is important to think carefully about what it is that you really want to throttle. throttling connections is easy (or easier at least) in comparison to throttling requests, since the latter can be done only if a) you are doing this throttling within the webserver (you already have a request sequence) or b) if you parse individual requests out of a pipelined request stream yourself. you should likewise consider how said throttling should take place - do you want to 'shape' (block for a period of time) or 'rate limit' (drop on the floor)? if it is the former, doing it after it hits your webserver is significantly less useful than preventing it from hitting it in the first place. not sure how on-topic this is (wrt nanog *or* the op's question), so i've kept it to a few assorted thoughts. hth. -p --- paul galynin
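An added illustration of the points in the reply above, not code from the post or from mod_throttle: a per-IP limiter in C that caps concurrent connections with a decrement guarded against wrap-around (shown beside an unguarded one), and throttles requests with a token bucket that either drops or returns a delay ("shape"). The limits, table size, function names and the 192.0.2.1 sample address are assumptions, and the unguarded counter shows the bug class in general, not mod_throttle's actual defect.

```c
#include <stdint.h>
#include <stdio.h>

#define SLOTS        1024   /* table size, power of two (assumed) */
#define MAX_CONNS    4      /* concurrent connections per IP (assumed) */
#define RATE_PER_SEC 5      /* sustained requests per second per IP (assumed) */
#define BURST        10     /* token bucket depth in requests (assumed) */
#define DROP         (-1)

struct peer {
    uint32_t ip;            /* IPv4, host byte order; 0 marks an empty slot */
    uint32_t conns;         /* connections currently open */
    uint64_t millitokens;   /* bucket fill in 1/1000 of a request */
    uint64_t last_ms;       /* timestamp of the last refill */
};

static struct peer table[SLOTS];

/* Open-addressing lookup; creates the entry when asked. NULL = fail closed. */
static struct peer *lookup(uint32_t ip, uint64_t now_ms, int create)
{
    if (ip == 0)
        return NULL;
    uint32_t h = (ip * 2654435761u) & (SLOTS - 1);
    for (uint32_t i = 0; i < SLOTS; i++) {
        struct peer *p = &table[(h + i) & (SLOTS - 1)];
        if (p->ip == ip)
            return p;
        if (p->ip == 0) {
            if (!create)
                return NULL;
            p->ip = ip;
            p->millitokens = BURST * 1000ull;
            p->last_ms = now_ms;
            return p;
        }
    }
    return NULL;
}

/* Connection throttling: 0 = accept, DROP = over the per-IP cap. */
int conn_open(uint32_t ip, uint64_t now_ms)
{
    struct peer *p = lookup(ip, now_ms, 1);
    if (!p || p->conns >= MAX_CONNS)
        return DROP;
    p->conns++;
    return 0;
}

/* Guarded close: an unmatched or duplicate close is reported, not counted. */
int conn_close(uint32_t ip)
{
    struct peer *p = lookup(ip, 0, 0);
    if (!p || p->conns == 0)
        return -1;
    p->conns--;
    return 0;
}

/* Unguarded close, for contrast: at 0 the unsigned counter wraps to
 * 4294967295 and conn_open() then refuses that address permanently. */
void conn_close_unguarded(uint32_t ip)
{
    struct peer *p = lookup(ip, 0, 0);
    if (p)
        p->conns--;
}

/* Request throttling. Returns 0 = serve now, DROP = rate limit (drop on the
 * floor), or, when shape != 0, the milliseconds to hold the request before
 * asking again. */
int64_t request_admit(uint32_t ip, uint64_t now_ms, int shape)
{
    struct peer *p = lookup(ip, now_ms, 1);
    if (!p)
        return DROP;
    /* A clock that steps backwards must not wrap the elapsed time. */
    uint64_t elapsed = now_ms > p->last_ms ? now_ms - p->last_ms : 0;
    if (elapsed > BURST * 1000ull / RATE_PER_SEC)
        elapsed = BURST * 1000ull / RATE_PER_SEC;   /* enough to refill fully */
    p->millitokens += elapsed * RATE_PER_SEC;
    if (p->millitokens > BURST * 1000ull)
        p->millitokens = BURST * 1000ull;
    if (now_ms > p->last_ms)
        p->last_ms = now_ms;
    if (p->millitokens >= 1000) {
        p->millitokens -= 1000;
        return 0;
    }
    if (!shape)
        return DROP;
    return (int64_t)((1000 - p->millitokens + RATE_PER_SEC - 1) / RATE_PER_SEC);
}

int main(void)
{
    uint32_t ip = 0xC0000201u;  /* 192.0.2.1, constructed sample client */
    for (int i = 0; i < 6; i++)
        printf("open #%d -> %d\n", i + 1, conn_open(ip, 1000));
    for (int i = 0; i < 12; i++)
        printf("request #%d -> %lld\n", i + 1,
               (long long)request_admit(ip, 1000, 1));
    return 0;
}
```

Timestamps are passed in by the caller so the logic can be exercised deterministically; a server would feed it a monotonic clock in milliseconds.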
Re: On the-record - another off-topic post
- Original Message - From: Randy Bush [EMAIL PROTECTED] To: Gadi Evron [EMAIL PROTECTED] Cc: nanog@merit.edu Sent: Tuesday, May 03, 2005 4:42 PM Subject: Re: On the-record - another off-topic post Where are our brand new and shiny moderators? why? what damage is dean actually doing other than to himself? and some would contend, and i tend to agree, that it is not possible for him to further damage himself. don't create or invoke forces that are not needed lest you are willing to regret it forever. bingo. he's already procmail'ed off by anyone who cares. reserve moderation for cases where such doesn't work (eg when the person in question deliberately evades filtering). -p --- paul galynin
Re: [dnsop] DNS Anycast revisited (fwd)
- Original Message - From: Dean Anderson [EMAIL PROTECTED] To: Mark Boolootian [EMAIL PROTECTED] Cc: Nanog@merit.edu Sent: Tuesday, May 03, 2005 6:33 PM Subject: Re: [dnsop] DNS Anycast revisited (fwd) On Tue, 3 May 2005, Mark Boolootian wrote: Note the nonsense about anycast being completely coherent. If you check, I think you'll see that he actually said ultradns's anycast for .ORG is completely coherent. There seems to be no possibility for anycast to be completely coherent, so ultradns' anycast couldn't be completely coherent either. But Vixie mentions it to respond to comments by others about Ultradns' particularly pervasive use of anycast. it may not be possible to make every service *consistent*, but it is perfectly possible to make it coherent (i'm talking about coherency of copies of a shared resource). i'm curious to see how you can substantiate this claim, since any backend which supports distributed transaction semantics will give you this. i can't comment on the veracity of paul's statement comme applique ultradns, since i'm not familiar with how they do things, but that doesn't change the fact that you've just made a statement which appears blatantly false to anyone with any distributed systems experience. -p --- paul galynin
Re: [dnsop] DNS Anycast revisited (fwd)
- Original Message - From: Dean Anderson [EMAIL PROTECTED] To: Paul G [EMAIL PROTECTED] Cc: nanog@merit.edu Sent: Tuesday, May 03, 2005 8:35 PM Subject: Re: [dnsop] DNS Anycast revisited (fwd) On Tue, 3 May 2005, Paul G wrote: There seems to be no possibility for anycast to be completely coherent, so ultradns' anycast couldn't be completely coherent either. But Vixie mentions it to respond to comments by others about Ultradns' particularly pervasive use of anycast. it may not be possible to make every service *consistent*, but it is perfectly possible to make it coherent (i'm talking about coherency of copies of a shared resource). This seems to be a trivial interpretation of coherent. It is assumed that the copies of DNS _zones_ are kept in sync regardless of whether the servers are to traditional replicas or to anycasted replicas. No one ever claimed that zone transfers between the copies would be affected by anycast. The in-sync-ness of the zone data is completely orthogonal to anycast. Roots are updated via back channels on non-anycast addresses, and not with AXFR. i'm terribly sorry, but i'm unable to extract any meaning at all from these statements. when i parse them, they make no sense at all (not in terms of being wrong, just not understandable). could you rephrase them? coherency and consistency are well-defined terms in systems engineering. we are talking about dns queries and hence coherency of zone data (the shared resource). i fail to see how this is open to any interpretation at all. i snipped the rest for obvious reasons. -p
Re: Jonathan Yarden @ TechRepublic: Disable DNS caching on workstations
- Original Message - From: Erik Amundson [EMAIL PROTECTED] To: nanog@merit.edu Sent: Monday, April 18, 2005 1:45 PM Subject: RE: Jonathan Yarden @ TechRepublic: Disable DNS caching on workstations Windows definitely caches DNS entries...but as far as I've seen, it does honor TTLs... from what i've seen, at least in xp, it will cache for 30 minutes and *then* obey the ttl. bad microsoft. -p --- paul galynin
Re: Clearwire May Block VoIP Competitors
- Original Message - From: Eric Gauthier [EMAIL PROTECTED] To: Fergie (Paul Ferguson) [EMAIL PROTECTED] Cc: nanog@merit.edu Sent: Saturday, March 26, 2005 1:35 PM Subject: Re: Clearwire May Block VoIP Competitors Hrm... Isn't a VoIP call relatively low bandwidth? I haven't studied this, but Vonage's site seems to imply that the maximum data rate is 90Kbps (http://www.vonage.com/help_knowledgeBase_article.php?article=190). I typically see speeds greater than this from my web browser... Are they saying that anything that might consume over 100Kbps isn't going to be allowed? it's not about bandwidth, it's about pps. namely, radios don't very much like a lot of pps ;] -p --- paul galynin
Re: Bandwidth Advisors - www.bandwidthadvisors.com
- Original Message - From: Tim Pozar [EMAIL PROTECTED] To: Hannigan, Martin [EMAIL PROTECTED] Cc: nanog@merit.edu Sent: Thursday, March 24, 2005 7:29 PM Subject: Re: Bandwidth Advisors - www.bandwidthadvisors.com --- snip --- I know a bunch of consultants out there (me being one, Bill Woodcock, etc.) that do not take money from vendors they recommend. How can a client of a consultant really know they have the best deal when the consultant will not investigate all of the options out there? how do you know that a consultant that you pay will investigate all the options out there? they may not be aware of all the options or may not want to take up so much time working on your deal, for example. good agents have the same reasons to find you a good deal as good consultants do - repeat business and good reputation in the industry. both bad consultants and agents exist who see it differently. comparing a well-respected consultant such as bill to a hypothetical bad agent is an exercise devoid of meaning. Even if I did pay the fee, that means that their clients can't get the best deal as I need to raise my fees to client to cover the small residual payment going to Bandwidth Advisors. no, you pay their fee out of the same pot you use to pay your sales guys, your marketing guys (if you have any), your advertising/marketing expenses etc. they bring the deal to you, meaning you've spent $0 to acquire the lead up to that point. unless you operate on word of mouth only and do sales yourself (and pay yourself $0/hr), $0 $your_avg_customer_acquisition_cost. in short, it's the customer's choice whether they'd like to do the legwork themselves, hire a consultant or use an agent who is paid by the seller. a consultant may find you the best deal, but if you're not buying much the overall cost per meg may be higher than list when you factor in the consulting fees, for example. using an agent in this case may make sense.
some agents offer direct ports and do their own billing, so you can get a better price by taking advantage of the volume pricing they enjoy. the world is not black and white. For those that don't know... I am now the COO of UnitedLayer. It sounds like, since I am not going to pay the extortion fee to Bandwidth Advisors, that their consultants won't know about our pricing and services. i'm curious to see by what feat of logic you managed to classify what they do as extortion. they have leads which you may (or may not, as the case may be) want access to and are asking for compensation for access thereto. if you don't agree with the compensation, you don't have to do the deal. assuming an agent's clients are not intelligent enough to understand how agency works and further assuming that the agent is misleading their customers in this respect, i can see how it would be unethical from a somewhat idealistic point of view (which i happen to share). however, i posit that those two assumptions are rarely correct at the same time and are definitely not correct in this case as the quote from their website demonstrates. i think this has gone sufficiently off-topic at this point (assuming it was ever on-topic), so i'd like to request that replies be sent off-list. -p --- paul galynin
Re: Bandwidth Advisors - www.bandwidthadvisors.com
- Original Message - From: Tim Pozar [EMAIL PROTECTED] To: nanog@merit.edu Sent: Thursday, March 24, 2005 6:57 PM Subject: Bandwidth Advisors - www.bandwidthadvisors.com Just got a call from Tosten of a company called Bandwidth Advisors. They represent themselves as an Independent Telco Colo Consultants (see web page). Seems that they are calling around ISPs and asking them if they have an agent program. After talking to him a bit I find out that they will only recommend a company if they are getting a kick-back from the company. Sounds like a company to avoid if one really wants an Independent Consultant. i'm unsure how this is operationally relevant, but to humour you a bit: from the looks of it, they are agents. they bring the business and collect commission, presumably out of the money they saved you by bringing the business to you (ie customer acquisition cost). i don't see anything wrong with that and would like to point out that a relationship with a good agent (ie one who knows his stuff, brings good clients to the table and doesn't waste your time) is worth its weight in gold. if it's not your cup of tea, fair enough - you're entitled to your opinion. however, billing them as the root of all evil on an unrelated list because you don't like/understand their business model and/or don't want to work with them isn't on, imo. -p --- paul galynin
Re: Utah governor signs Net-porn bill
- Original Message - From: Scott Weeks [EMAIL PROTECTED] To: nanog@merit.edu Sent: Tuesday, March 22, 2005 11:18 AM Subject: Re: Utah governor signs Net-porn bill On Tue, 22 Mar 2005, Fergie (Paul Ferguson) wrote: : : Utah's governor signed a bill on Monday that would : require Internet providers to block Web sites deemed : pornographic and could also target e-mail providers : and search engines. : : http://news.com.com/Utah+governor+signs+Net-porn+bill/2100-1028_3-5629067.html?tag=nefd.top Politician lip flappage for votes. It has no chance of passing. perhaps i'm missing something, but it's passed the state legislature and was signed by the governor. what else would it have to pass, then? -p --- paul galynin
Re: Utah governor signs Net-porn bill
- Original Message - From: Roy [EMAIL PROTECTED] To: Fergie (Paul Ferguson) [EMAIL PROTECTED] Cc: nanog@merit.edu Sent: Tuesday, March 22, 2005 12:03 PM Subject: Re: Utah governor signs Net-porn bill CNET's extract is wrong. The article states The measure, SB 260, says: Upon request by a consumer, a service provider may not transmit material from a content provider site listed on the adult content registry. It's entirely voluntary on the part of the consumer. does pulling the plug on the user's connection count? g your honor, we were just making sure our sinners^H^H^H^H^H^H^Husers couldn't access lecherous content that hasn't made it onto the registry! -p --- paul galynin
Re: Utah governor signs Net-porn bill
- Original Message - From: Kathryn Kessey [EMAIL PROTECTED] To: nanog@merit.edu Sent: Tuesday, March 22, 2005 1:29 PM Subject: RE: Utah governor signs Net-porn bill They are going to create publicly accessible, highly available database service of the all the world's porn sites and maintain it with up to the minute data... with 100K. Right. if they made it publicly accessible, added user ratings and thumbnails for entries and stuck a few affiliate banners for some of the popular sites up top, i'd bet they'd be *making* money. oh wait, someone's already done that.. -p --- paul galynin
Re: Utah governor signs Net-porn bill
- Original Message - From: Steve Gibbard [EMAIL PROTECTED] To: nanog@merit.edu Sent: Tuesday, March 22, 2005 2:57 PM Subject: Re: Utah governor signs Net-porn bill --- snip --- Regardless of the legal and technical merits of the plan, requiring a watered down web doesn't seem inconsistent. i think i remember hearing about a municipal fast-e man and ftth deployment in salt lake city. who needs 100meg for dictionary.com lookups? ;] -p --- paul galynin
Re: sorbs.net
- Original Message - From: Gadi Evron [EMAIL PROTECTED] To: Hannigan, Martin [EMAIL PROTECTED] Cc: Micah McNelly [EMAIL PROTECTED]; nanog@merit.edu Sent: Tuesday, March 15, 2005 1:15 PM Subject: Re: sorbs.net From http://www.us.sorbs.net/faq/spamdb.shtml Third and finally, if you are really not a spammer, or you are truly reformed, de-listing is relatively easy. You donate US$50 to a charity or trust approved by, and not connected with, SORBS for each spam received relating to the listing (This is known and referred to as the SORBS 'fine'). That doesn't make a lot of sense. It's an interesting answer to the BotNet spamming problem, but not really a solution, IMHO. It's just cynicism at its best. I like people who can be smartasses without being asses, but this is ridiculous if they want to be a serious service, and cute if they are looking to make jokes. ... and perfect if they want to become sentimental favourites with the nanas/nanae crowd/mob, which is what they're shooting for imo. how about they buy me a lollipop if i'm a service provider who just booted a spam source and needs ip space delisted? -p --- paul galynin
Re: sorbs.net
- Original Message - From: Rich Kulawiec [EMAIL PROTECTED] To: nanog@merit.edu Sent: Tuesday, March 15, 2005 5:43 PM Subject: Re: sorbs.net On Tue, Mar 15, 2005 at 11:21:35AM -0800, Randy Bush wrote: o could this be used as a dos and then become extortion? Unlikely. Blocklists are used by choice, and blocklists which either aren't effective or don't have sane policies don't get chosen often. (See BLARS, which even blars was recommending that you don't use the last time I checked.) unfortunately, that *still* didn't stop people from using it, which translated into an unresolvable headache for me as a sp. if you don't consider a blacklist to be usable by the public, don't publish it. however, publishing a draconian blacklist seems to get you a 'hardcore' label/clout in certain circles and is thus irresistible for some. -p
Re: sorbs.net
- Original Message - From: Matthew Sullivan [EMAIL PROTECTED] To: Robert Bonomi [EMAIL PROTECTED] Cc: nanog@merit.edu Sent: Tuesday, March 15, 2005 6:07 PM Subject: Re: sorbs.net The original poster has already noted a contact has been made, and I will watch it with interest - and the poster may note at least one of the entries has probably been resolved already. how do you justify asking me, a colo shop for example, to pay (it matters not whom) to get address space delisted? i caused the spam source to be shut down as soon as i learned of the incident, a shared hosting customer on one of my customers' machines for example, and had no practical way of preventing it from happening. in all respects, i've done all that could be practically and realistically expected of me to deal with the problem, but i can't pay $50xmessages to every blacklist operator's and their dog's chosen beneficiary every time someone dodgy signs up with one of my customers. your blacklists' 'customers' may not be aware of this issue, but you surely are, so how is this not a violation of the public trust? -p
Re: High volume WHOIS queries
- Original Message - From: Stephen J. Wilcox [EMAIL PROTECTED] To: joe mcguckin [EMAIL PROTECTED] Cc: Dan Lockwood [EMAIL PROTECTED]; NANOG nanog@merit.edu Sent: Tuesday, March 01, 2005 4:53 AM Subject: Re: High volume WHOIS queries altho arguably its not up to arin to provide processing power for all these deployments. if you can get a local copy why not have your clients resolve back to that? that is the point of his post actually - arin told him that he can't do that without pointing out where this is prohibited in the aup. i can see their point - they're trying to restrict the practicality of attempting to harvest the data and an open to the public whois server with no access restrictions would defeat that. perhaps asking arin if they would consent to you running a server open to registered users of your app behind authentication of some sort is worth a try? -p --- paul galynin
Re: High volume WHOIS queries
- Original Message - From: Hannigan, Martin [EMAIL PROTECTED] To: Paul G [EMAIL PROTECTED]; nanog@merit.edu Sent: Tuesday, March 01, 2005 9:17 AM Subject: RE: High volume WHOIS queries -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Paul G Sent: Tuesday, March 01, 2005 5:03 AM To: nanog@merit.edu Subject: Re: High volume WHOIS queries --- snip --- point - they're trying to restrict the practicality of attempting to harvest the data and an open to the public whois server with no access restrictions would defeat that. I don't know that this is the case, I suspect it's resource management. If the database is getting slaughtered by applications on uncontrolled auto pilot, it's unusable for the rest of us. well, the OP quoted a portion of the aup that requires bulk whois data recipients to take measures to prevent harvesting, so i presume that arin does care about that and, in fact, that consideration is likely the reason they declined to permit the OP to run *his own* whoisd off of his *local* copy of the data. -p --- paul galynin
Re: Symantec AV may execute viruses
- Original Message - From: Jeff Wheeler [EMAIL PROTECTED] To: Colin Johnston [EMAIL PROTECTED] Cc: nanog@merit.edu Sent: Thursday, February 10, 2005 1:18 PM Subject: Re: Symantec AV may execute viruses Also, it doesn't appear that this issue affects the Mac software (at least, I didn't see the Mac products in the Symantec vulnerability list), only Windows products. if this is a heap overflow and if osx uses a bsd-derived libc (with phy malloc implementation), the vulnerability would not be exploitable. this seems like a probable explanation. -p --- paul galynin
Re: Gtld transfer process
- Original Message - From: Alexei Roudnev [EMAIL PROTECTED] To: Bruce Tonkin [EMAIL PROTECTED]; nanog@merit.edu Sent: Tuesday, January 18, 2005 3:45 AM Subject: Re: Gtld transfer process Problem - you are talking about changing registrar, but in reality you describe changing of domain owner. conceptually, you are correct. Why (what for) is it allowed to transfer from one registrar to another with changing NS records and other owner information? Why don't separate this 2 events - changing registrar, and changing domain owner/information? Is it any need in reality changing registrar with simultaneous changing domain information? yes, every day. a lot of people register their domain through their shared hosting company, so when they decide to switch to a competitor, they switch both. it is irrelevant whether the losing and gaining registrar reseller use the same registrar, in this case. -p --- paul galynin
Re: panix.com hijacked (VeriSign refuses to help)
- Original Message - From: Alexei Roudnev [EMAIL PROTECTED] To: William Allen Simpson [EMAIL PROTECTED]; nanog@merit.edu Sent: Sunday, January 16, 2005 4:07 AM Subject: Re: panix.com hijacked (VeriSign refuses to help) In addition, there is a good rule for such situations: - first, return everything to _previous_ state; - having it fixed in previous state, allow time for lawyers, disputes and so on to resolve a problem. agreed. but then proverbially, common sense isn't. What happen if someone stole 'aol.com' domain tomorrow? Or 'microsoft.com'? How much damage will be done until this sleeping behemoths wake up, set up a meeting (in Tuesday I believe - because Monday is a holiday), make any decision, open a ticket, pass thru change control and restore domain? 5 days? with due respect to panix (i knew of panix before i ever knew of aol, even living in europe), i imagine another bigger 'behemoth', as you so deftly put it, has a better way of liaising with verisign than you, me or panix. -p --- paul galynin
Re: panix hijack press
- Original Message - From: William Allen Simpson [EMAIL PROTECTED] To: North American Network Operators Group nanog@merit.edu Sent: Sunday, January 16, 2005 4:33 PM Subject: panix hijack press Nothing like staying on the subject That's way I started a new thread. Let's keep this separate, please. i sent in a hastily worded summary with some quotes from the list to theregister.com/co.uk. ime, a lot of print media use them to source stories. with any luck, we'll see it up there tomorrow. -p --- paul galynin
Re: The entire mechanism is Wrong!
- Original Message - From: Steven J. Sobol [EMAIL PROTECTED] To: Jim Shankland [EMAIL PROTECTED] Cc: Adrian Chadd [EMAIL PROTECTED]; nanog@merit.edu Sent: Monday, January 17, 2005 1:33 AM Subject: Re: The entire mechanism is Wrong! On Sun, 16 Jan 2005, Jim Shankland wrote: Of course it's unreasonable to expect a registrar to have to put up with such a burden during off hours: God only knows what kind of silly calls would come in. Emergencies are best handled in a batch during the regular work week. For the stuff that really won't wait, you just put a lawyer on retainer, who can fax off a letter telling the complainant to sod off until Monday morning, or until the moon is in the seventh house and Jupiter aligns with Mars, whichever comes first. I mean, if we can't be on the golf course by 3:00, what are we in this business for, anyway -- right? The registrar DOES need to define Emergency. Emergency does not mean page on-call staffers because I forgot to renew my domain and it's fallen out of the roots, and Customer Service is closed Saturday. Such an event is defined as being My Own Fault, Not Due to Catastrophic Conditions and doesn't warrant bugging the person on-call. As long as the registrar defines what constitutes a page-able emergency, they should be ok. (Or is this overly simplistic?) ime, the act of defining 'emergency' does not provoke compliance therewith. -p --- paul galynin
Re: panix.com hijacked (VeriSign refuses to help)
- Original Message - From: Thor Lancelot Simon [EMAIL PROTECTED] To: Paul G [EMAIL PROTECTED] Cc: nanog@merit.edu Sent: Sunday, January 16, 2005 2:40 AM Subject: Re: panix.com hijacked (VeriSign refuses to help) --- snip --- I don't know if these are merely isolated attempts at harassment and mischief or the precursors to a more widespread attack. What I do know is that I'm very concerned, Panix is quite literally fighting for its life, everyone we've shown details of the problem to is concerned -- including CERT, AUSCERT, and knowledgeable law enforcement personnel -- with the notable exception of MelbourneIT, whose sole corporate response has been one of decided unconcern, and VeriSign, who seem entirely determined to pass the buck instead of investigating, fixing, or helping. And so it goes. i know people from verisign (used to?) read nanog-l. perhaps some sort of a deus ex machina intervention may be forthcoming? one can hope. -p --- paul galynin
Re: Sanity worm defaces websites using php bug
- Original Message - From: cw [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, December 21, 2004 3:47 PM Subject: Re: Sanity worm defaces websites using php bug Gonna be a nightmare for server ops to ensure that all client copies of phpBB are patched.. it is as simple as find /$dir_where_your_vhosts_live -name viewtopic.php and a very straightforward sed on the results. -p
Re: verizon.net and other email grief
- Original Message - From: Roy [EMAIL PROTECTED] To: Rich Kulawiec [EMAIL PROTECTED]; [EMAIL PROTECTED] Sent: Friday, December 10, 2004 2:23 PM Subject: RE: verizon.net and other email grief While I can't speak to what Verizon is using, both Exim and Postfix have the very same feature called address verification. It's in use at a number of ISPs. My systems reject 1000's of messages every day because of verification failures. i've never seen this done with postfix, but i know that exim's default 'address verification' for non-local addresses just checks that the domain in the from is valid and that an mx record exists for it. they also have what they call 'callout verification', which is equivalent to what is being discussed, but the documentation makes the drawbacks painfully clear and suggests that it only be used against hosts within the same organization. i'm not a fan of exim, but it appears that although they've given users the rope, they've been diligent enough to label it appropriately. -p --- paul galynin
Re: verizon.net and other email grief
- Original Message - From: Paul Trebilco [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, December 10, 2004 3:30 PM Subject: Re: verizon.net and other email grief How so? Are you maybe confusing reject with bounce? If address verification takes place while the SMTP connection is still up, no forged addresses get messaged, at least not by the server doing the rejecting. oh, so you would be ok with someone joe-jobbing you on their 1 million messages/day spam run and getting 1 million 'verification' connections to your mailserver farm? -p --- paul galynin
Re: [Fwd: zone transfers, a spammer's dream?]
- Original Message - From: Alex Bligh [EMAIL PROTECTED] To: Rich Kulawiec [EMAIL PROTECTED]; [EMAIL PROTECTED] Cc: Alex Bligh [EMAIL PROTECTED] Sent: Thursday, December 09, 2004 11:59 AM Subject: Re: [Fwd: zone transfers, a spammer's dream?] --On 09 December 2004 10:24 -0500 Rich Kulawiec [EMAIL PROTECTED] wrote: The irony of all this is that spammers already have all this information -- yet registrars have gone out of their way to make it as difficult as possible for everyone else to get it (rate-limiting queries and so on). They clearly don't already have this information, or they wouldn't agreed. also of note is that at least from here, the .ca folks have fixed the issue. -p --- paul galynin
Re: [OT] Re: Banned on NANOG
- Original Message - From: Patrick W Gilmore [EMAIL PROTECTED] To: [EMAIL PROTECTED] Cc: Patrick W Gilmore [EMAIL PROTECTED] Sent: Saturday, December 04, 2004 8:50 AM Subject: Re: [OT] Re: Banned on NANOG On Dec 3, 2004, at 8:41 PM, Paul Vixie wrote: [EMAIL PROTECTED] (Alex Rubenstein) writes: ... I think we all agree that RAS and Randy don't fall into the above category of having to be gotten ridden of. ... nope. Perhaps the fact that even some of the longest standing, most respected, clueful members of the list cannot agree on such things proves that a non-technical administrator with no operational experience has no chance of correctly concluding which people fall into the above category? or that regardless of who makes the conclusion, it is likely to be subjective and meet disagreement from some folks on the list. p --- paul galynin
Re: Make love, not spam....
- Original Message - From: Miller, Mark [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, November 29, 2004 10:27 AM Subject: RE: Make love, not spam Although I have traditionally been in favor of low bandwidth fixes, this kind of appeals to my sense of poetic justice. spammer buys hosting account, pays with fraudulent credit card, spams, provider gets ddos'ed and ends up paying for all the bandwidth because you can't well charge some unsuspecting grandma in alabama for it. i don't like this kind of justice. -p --- paul galynin
Re: Make love, not spam....
- Original Message - From: Erik Haagsman [EMAIL PROTECTED] To: Paul G [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Sent: Monday, November 29, 2004 4:30 PM Subject: Re: Make love, not spam I agree and I'm surprised you even mentioned the word justice...since when is retaliating bad practices with more bad practices that are hardly likely to take out the real target considered a good idea..? 'justice' was mentioned in the message i quoted. it appears i was not remiss - i got an email from a guy running a small town isp telling me, essentially, that: 1. if i get hit with cc fraud, it is my own darn fault for not asking every single $9.99/mo customer to fax me their retina scan. 2. incurring a humongous bandwidth bill instead of being out said $9.99 is adequate punishment for my 'stupidity' 3. he likes the kind of justice where a provider gets harmed instead of the abusive customer, because Good ISPs Recognize Bad Guys On Sight. i've got news for you: 1. when you run a sufficiently large operation, credit card fraud is approached as a risk mitigation exercise - you find a golden middle in terms of verification which is cost-effective, ie reduces the incidence of fraud to an acceptable level while not costing an arm and a leg in terms of labour costs and encumbrance to the very large majority of legitimate customers placing an order. the problem with getting ddosed is that this cost-effectiveness calculation goes out the window because your risk is no longer a measure of the price a customer is paying for the service, but rather a measure of how much traffic lycos' botnet can direct at you. for you, it may be bounded by the single t1 termed in your basement, while for me it may be bounded by a gig-e feed i get from my upstream. 2. cc fraud was just an example, and probably a bad example at that, since you can come up with a holier than thou argument against the example rather than the practice of shoving traffic my way that neither i nor my clients asked for.
let's try again. customer pays for a dedicated server with a valid credit card. we charge them the monthly fee and keep the credit card on file. customer proceeds to spam, or better yet installs an insecure formmail script, or his box gets owned. he gets ddosed by lycos, racks up large overage bill and gets terminated by us for breach of AUP. we notify the customer and try to bill him for the overage charges. lo and behold, customer put a Do Not Honor request on transactions initiated by us. we're stuck with the bw bill. alternatively, customer charges back and their issuing bank is braindead and we lose the chargeback. or customer was paying by check. whatever. see the point? while we may be willing to risk the monthly charge because we won't ask customers paying by check for a large security deposit, we aren't willing to risk an arbitrarily high bw bill from folks who think they're doing the 'net a favour by ddosing For Our Own Good. consumption is equivalent to denial, the only difference being in the reason the service will no longer be available - administrative (ie financial) and technical respectively. while we all would like to see spam-related services not being available, there exist means to that end that are not acceptable, such as hunting spammers with shotguns or ddosing their (in many cases unknowing) providers. -p --- paul galynin
Re: More thefts from CO/colo in New York
- Original Message - From: Sean Donelan [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, November 26, 2004 11:08 PM Subject: More thefts from CO/colo in New York On Wednesday night burglars attempted to steal line cards from the co-location area of a central office in White Plains, NY. Police responded to the Verizon building after trouble reports affecting the 911 system, and found two men carrying line cards from the building. http://www.nytimes.com/2004/11/27/nyregion/27theft.html Apparently there is a black market for the cards. ... it's called ebay. p --- paul galynin
Re: Goofle/Sprint having problems?
- Original Message - From: Sean Donelan [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, November 19, 2004 5:38 PM Subject: RE: Goofle/Sprint having problems? On Fri, 19 Nov 2004, Vandy Hamidi wrote: Yeah, a visual route just showed my trace going to AUS and then Singapore. Hmm... You think Google is going to be pissed when they find out their site was being routed to Asia? Heads will roll... (lawsuit?) NANOG recurring topic thread #4 Gee, maybe there should be a registry of authorized routes and who they belong to that ISPs could check. We could even call it the Internet Routing Registry. ... and we could then make fun of those few (sic/sar) that don't filter based on that data on a mailing list we could call nanog-l. paul --- paul galynin
Re: EFF whitepaper
- Original Message - From: Rich Kulawiec [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, November 16, 2004 8:10 AM Subject: Re: EFF whitepaper --- snip --- Collateral damage is unacceptable, period. Oh, I most certainly agree -- but then again, since nobody is being damaged in any way (something the EFF clearly doesn't understand), this is not a problem. Note: all instance of you which follow are rhetorical and not intended to apply to any individual. If you call me, and I do not accept your call, have I damaged you? No. I have merely declined to extend you a privilege. If you send me a letter, and I choose not to accept delivery, have I damaged you? No. I have merely declined to extend you a privilege. if i were being sent a letter or a call and my post office/telephone company decided to reject them because they were overworked and needed to filter to reduce costs, i'd have a lot to say about that, as i'm sure would you. with that said, this is quite possibly off-topic to nanog. i'd second the request earlier in the thread to move it to somewhere more appropriate. paul --- paul galynin
Re: Important IPv6 Policy Issue -- Your Input Requested
- Original Message - From: Jørgen Hovland [EMAIL PROTECTED] To: Network.Security [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Sent: Tuesday, November 09, 2004 7:06 PM Subject: Re: Important IPv6 Policy Issue -- Your Input Requested - Original Message - From: Network.Security [EMAIL PROTECTED] On 2004-11-09-17:10:02, Network.Security [EMAIL PROTECTED] wrote: We receive a disturbingly large amount of traffic sourced from the 1918 space destined for our network coming from one of our normally respectable Tier 1 ISP's (three letter acronym, starts with 'M', ends with 'CI'). This is particularly irritating since we pay for burstable service; nice that we are paying for illegitimate traffic to come down our pipes. Hello. I felt I had to write a small comment to this. For the record, we use 1918 address range on several of our public routers meaning you will get legitimate traffic from this address space, at least from us unless you are filtering it (which is of course all your decision). Filtering any type of traffic at all by a transit provider without the possibility to remove these filters _could_ be reason enough for us to terminate the contract with them since we would feel we were not paying for real internet connectivity. funny. you must be talking about a different internet. i hear there have been 'rumours out on the internets [sic]', maybe i'm just behind the times.. g all jokes aside, 1918 allows for use of 1918 space in a private network or a 'private internet [sic]' comprised of any such number of private networks as agree to interconnect and cooperate in routing traffic sourced from and destined to said space. it follows that any 1918-sourced traffic you send me is illegitimate. out of curiosity, what kind of 'legitimate traffic', considering i couldn't legitimately reply back, were you speaking of? p
Re: Important IPv6 Policy Issue -- Your Input Requested
- Original Message - From: Jørgen Hovland [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, November 09, 2004 8:07 PM Subject: Re: Important IPv6 Policy Issue -- Your Input Requested - Original Message - From: Paul G [EMAIL PROTECTED] all jokes aside, 1918 allows for use of 1918 space in a private network or a 'private internet [sic]' comprised of any such number of private networks as agree to interconnect and cooperate in routing traffic sourced from and destined to said space. it follows that any 1918-sourced traffic you send me is illegitimate. out of curiosity, what kind of 'legitimate traffic', considering i couldn't legitimately reply back, were you speaking of? I see I almost started an argument here. This was not my intention. Data from unconnected sockets only: Udp and icmp messages (unreachable etc). that's great. on behalf of everyone who's ever had the joy of troubleshooting connectivity issues, i thank you, kind sir. jokes aside again, why would you even bother sending back diagnostic data when you've essentially halved the usefulness of it? p
Re: Important IPv6 Policy Issue -- Your Input Requested
- Original Message - From: Paul Vixie [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, November 09, 2004 8:04 PM Subject: Re: Important IPv6 Policy Issue -- Your Input Requested [EMAIL PROTECTED] (Paul G) writes: all jokes aside, 1918 allows for use of 1918 space in a private network or a 'private internet [sic]' comprised of any such number of private networks as agree to interconnect and cooperate in routing traffic sourced from and destined to said space. it follows that any 1918-sourced traffic you send me is illegitimate. ... right, like this junk: --- snip --- seems like rfc1918's prohibitions are not effective (and are unenforceable). i hope that there will be no more ops-relevant specs with harmful potential side-effects and ineffective+unenforceable prohibitions against those. i tend to view it as a subclass of spoofing, more specifically spoofing through stupidity/misconfiguration. the only difference i see between someone fat-fingering an ip address and this is, as is to be (sadly) expected, that some folk abuse 1918 as a basis to argue correctness in such cases. while i'm sure we can all agree that we would have liked to have less implied trust engineered into designs when those rfcs were penned, this is probably one of the least damaging cases and i tend to think that enforcement of 1918 belongs elsewhere, ie ipv# and bcp38. and of course, see BCP38 (or if you're in management, SAC004). given the track record of bcp38 and fiery debate resulting from the mention thereof on nanog-l, i propose to tack it onto the local list of corollaries of godwin's law g p
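The three messages above argue over RFC 1918-sourced packets arriving from a transit provider, including the UDP and ICMP diagnostics sent by routers numbered out of private space. The following is an added example, not part of any of the posts: a small audit that shows what a source-address filter on an external interface would match and how much of it is ICMP error traffic. The log format, the interface names and the sample records are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# The three private-use blocks defined by RFC 1918.
RFC1918_BLOCKS = tuple(
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
)

# ICMP error types a router emits about someone else's packet:
# 3 = destination unreachable, 11 = time exceeded, 12 = parameter problem.
ICMP_ERROR_TYPES = {3, 11, 12}

# Constructed sample records (hypothetical format): iface src dst proto detail
SAMPLE_LOG = """\
ext0 192.0.2.10 198.51.100.5 tcp dport=80
ext0 10.1.2.3 198.51.100.5 icmp type=3/code=1
ext0 172.16.40.1 198.51.100.5 icmp type=11/code=0
ext0 172.32.0.9 198.51.100.5 udp dport=53
ext0 192.168.1.77 198.51.100.9 udp dport=137
int0 10.9.9.9 198.51.100.5 tcp dport=22
ext0 not-an-ip 198.51.100.5 tcp dport=80
"""


def rfc1918_block(addr):
    """Return the RFC 1918 network containing addr, or None.

    Raises ValueError if addr is not an IP address at all.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        return None
    for net in RFC1918_BLOCKS:
        if ip in net:
            return net
    return None


def icmp_type(detail):
    """Extract the numeric ICMP type from a 'type=N/code=M' detail field."""
    m = re.match(r"type=(\d+)", detail)
    return int(m.group(1)) if m else None


def audit(log_text, external_ifaces=("ext0",)):
    """Report private-source packets seen on external interfaces."""
    report = {"flagged": [], "by_block": Counter(),
              "icmp_errors": 0, "other": 0, "malformed": 0}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = line.split()
        if len(fields) != 5:
            report["malformed"] += 1
            continue
        iface, src, dst, proto, detail = fields
        if iface not in external_ifaces:
            continue  # private sources are expected on inside interfaces
        try:
            block = rfc1918_block(src)
        except ValueError:
            report["malformed"] += 1
            continue
        if block is None:
            continue  # e.g. 172.32.0.9 lies just outside 172.16.0.0/12
        # Router diagnostics are counted apart from everything else, since
        # a blanket filter drops both and the operator should see the split.
        is_error = proto == "icmp" and icmp_type(detail) in ICMP_ERROR_TYPES
        report["icmp_errors" if is_error else "other"] += 1
        report["by_block"][str(block)] += 1
        report["flagged"].append((src, dst, proto, detail))
    return report


if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    for src, dst, proto, detail in result["flagged"]:
        print(f"private source on external interface: {src} -> {dst} {proto} {detail}")
    print(dict(result["by_block"]), "icmp errors:", result["icmp_errors"],
          "other:", result["other"], "malformed:", result["malformed"])
```
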
Re: Cisco moves even more to china.
- Original Message - From: Erik Haagsman [EMAIL PROTECTED] To: Joseph [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Sent: Friday, September 24, 2004 5:59 AM Subject: RE: Cisco moves even more to china. On Fri, 2004-09-24 at 03:53, Joseph wrote: Its time for all American Tech workers to stand up and let our voices be heard. Perhaps it's time instead to make sure you're good at what you do and try to be on the forefront of tech, rather than whining about how all those bad people from abroad are stealing your job. It's largely our own fault labour pricing in large outsourcing countries like India are so low, and now it's coming back to bite some of us. well said. for some reason (could be my wacky soviet upbringing), i've always felt that only people who have no confidence in their own abilities can feel threatened by those of others. somehow, when you're busy doing new and interesting stuff, you just don't have the time or the inclination to get up on that soapbox.. paul
Re: SkyCache/Cidera replacement?
- Original Message - From: Jon Lewis [EMAIL PROTECTED] To: J.A. Terranson [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Sent: Monday, September 20, 2004 5:39 PM Subject: Re: SkyCache/Cidera replacement? Now...if there were napster for pr0n, then abpe would be unnecessary :) there is: it's called kazaa. up to a point where you can't search for a song (if you were so illegally inclined) without getting a bunch of ta in the search results. paul
Re: European Nanog?
- Original Message - From: Neil J. McRae [EMAIL PROTECTED] To: 'Nicolas DEFFAYET' [EMAIL PROTECTED]; 'Arnold Nipper' [EMAIL PROTECTED] Cc: 'Ken Gilmour' [EMAIL PROTECTED]; [EMAIL PROTECTED] Sent: Monday, September 13, 2004 5:18 AM Subject: RE: European Nanog? Too many nogs- The RIPE NCC ran a Euro Operators forum that was probably the most useful. in europe, same as in the US, there is a limited number of people who are at least peripherally interested in participating. not everyone is interested in everything - based on nanog experiences, there are rather large (proportionally) groups of people who are only interested in discussing spam, gmail invites or bad analogies for example. in our case, all of this is merged into one discussion stream. in europe, with ripe running several more specific lists, there isn't enough traffic for an everything goes, including crap forum. /imho paul
force10 gear experiences/thoughts/comments
folks, looking to continue the week which has been going strong so far with no mention of gmail, verisign and bad analogies, i have these questions i'm hoping someone can chime in on: * any good/bad experiences with force10 gear in general? * thoughts on usage in a relatively simple multi-homed bgp environment? * general commercial experience with their sales, support etc? cheers, paul
Re: On the back of other security posts (well some over a year ago now)....
- Original Message - From: joe mcguckin [EMAIL PROTECTED] To: NANOG [EMAIL PROTECTED] Sent: Friday, August 27, 2004 1:36 PM Subject: Re: On the back of other security posts (well some over a year ago now) What strikes me as interesting is the fact that someone did hundreds of thousands of dollars worth of damage in exchange for -- a shell account?? you want to attract idiots - use a shell account as bait. just like flies and feces. paul
Re: OT - 3 Free Gmail invites
- Original Message - From: Randy Bush [EMAIL PROTECTED] To: Jonathan Nichols [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Sent: Friday, August 20, 2004 9:04 PM Subject: Re: OT - 3 Free Gmail invites You know, I'm having trouble finding people that *don't* have gmail.com accounts already. :P i don't, mainly because i have no idea why i would want one. same for all these multiply.com invites. b-b-but they are invite [EMAIL PROTECTED]@$, that means it's exclusive!#@@#, you could finally Belong! /sarcasm paul
Re: Quick question.
- Original Message - From: Paul Jakma [EMAIL PROTECTED] To: Alexei Roudnev [EMAIL PROTECTED] Cc: Michel Py [EMAIL PROTECTED]; Nanog [EMAIL PROTECTED] Sent: Wednesday, August 04, 2004 2:39 AM Subject: Re: Quick question. --- snip --- Not really.. this is a resource exhaustion problem, and you can not cure this, given buggy apps, by throwing more CPUs at it. Let's say you have some multi-process or multi-threaded application which regularly spawns/forks new processes/threads, but it is buggy and prone to having individual processes/threads spin. So one spins, but you still have plenty of CPU time left cause you have two CPUs. Another spins, and the machine starts to crawl. So you solve this problem by upgrading to a quad-SMP machine. And guess what happens? :) the second cpu buys you time - it is unlikely you're going to be able to react in time on a busy single cpu box with a runaway process (it launches into a death spiral almost immediately), but you would usually have 10-15 mins on a dual cpu box at a minimum or maybe infinity if you enforce cpu affinity for apps that tend to misbehave. paul
Re: Quick question.
- Original Message - Cc: [EMAIL PROTECTED] From: Paul Jakma [EMAIL PROTECTED] To: Paul G [EMAIL PROTECTED] Sent: Wednesday, August 04, 2004 3:09 AM Subject: Re: Quick question. On Wed, 4 Aug 2004, Paul G wrote: the second cpu buys you time - it is unlikely you're going to be able to react in time on a busy single cpu box with a runaway process (it launches into a death spiral almost immediately), but you would usually have 10-15 mins on a dual cpu box at a minimum or maybe infinity if you enforce cpu affinity for apps that tend to misbehave. Why do you have 10-15 mins? If the application is multi-threaded and has a reasonable workload, there are plenty of types of bugs that will result in one spinning thread after the other, you need far more than just 2 CPUs! Or maybe your application vendor has at least 10 minutes between hitting bugs! on its feature list? ;) these are observations, pertaining to software products we use a lot - apache, mysql, apache/suexec, various mtas etc. your point is well taken in general, but at least When Done Here(tm), dual cpu helps significantly empirically speaking. Really, what you need to do (in the face of such buggy apps) is to set per-task CPU time resource limits appropriate to how much cpu-time a task needs and how much you can afford - be it a 1, 2 or n CPU system. agreed. however, this degrades performance in certain situations, is not practical in others and introduces additional complexity (always a bad thing). the tradeoff is significantly in favor of reactive measures (be they automatic or human intervention), at least in most of our installations. paul
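The per-task CPU time limit discussed in the exchange above, as an added example that is not part of either post: a wrapper that starts a child process under `RLIMIT_CPU` so that a spinning task is killed by the kernel after its CPU budget, whatever the number of CPUs in the box. The function names and the two sample commands are assumptions made for illustration; the example is for Linux and other Unix systems that provide the `resource` module.

```python
import resource
import signal
import subprocess
import sys

# Constructed sample workloads: one that spins forever, one that finishes.
SPINNER = [sys.executable, "-c", "while True: pass"]
WELL_BEHAVED = [sys.executable, "-c", "print(sum(range(1000)))"]


def run_with_cpu_limit(argv, cpu_seconds, wall_timeout=30):
    """Run argv with a CPU-time budget and return its exit status.

    The soft limit makes the kernel send SIGXCPU once the child has used
    cpu_seconds of CPU time; the hard limit one second later is the backstop
    (SIGKILL) for a child that catches or ignores SIGXCPU.
    """
    def apply_limit():
        # Runs in the child between fork and exec, so only the child is
        # limited. An unprivileged process may lower its hard limit but not
        # raise it, so never ask for more than the inherited hard limit.
        _, inherited_hard = resource.getrlimit(resource.RLIMIT_CPU)
        hard = cpu_seconds + 1
        if inherited_hard != resource.RLIM_INFINITY:
            hard = min(hard, inherited_hard)
        soft = min(cpu_seconds, hard)
        resource.setrlimit(resource.RLIMIT_CPU, (soft, hard))

    proc = subprocess.run(
        argv,
        preexec_fn=apply_limit,
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
        timeout=wall_timeout,  # wall-clock guard for a child that only sleeps
    )
    return proc.returncode


def describe(returncode):
    """Turn a subprocess return code into a short operator-facing verdict."""
    if returncode == 0:
        return "ok"
    if returncode == -signal.SIGXCPU:
        return "killed: soft CPU limit (SIGXCPU)"
    if returncode == -signal.SIGKILL:
        return "killed: hard CPU limit (SIGKILL)"
    return f"exit status {returncode}"


if __name__ == "__main__":
    for name, argv in (("well-behaved", WELL_BEHAVED), ("spinner", SPINNER)):
        print(name, "->", describe(run_with_cpu_limit(argv, cpu_seconds=1)))
```

The limit counts CPU time, not elapsed time, so a task that blocks on I/O is not affected by it; that is the reason for the separate wall-clock timeout.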
Re: The use of .0/.255 addresses.
- Original Message - From: Wayne E. Bouchard [EMAIL PROTECTED] To: Fergie (Paul Ferguson) [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Sent: Saturday, June 26, 2004 11:01 PM Subject: Re: The use of .0/.255 addresses. I can tell you that at least with my customers, the term class C is only used to clarify what is meant by slash 24 and always with the phrase is the equivalent to And a bit surprisingly, I'm having to explain this less and less. Even the sales team is learning to speak CIDR. So there is indeed hope. agreed. although, some customers are still dumb-founded when i tell them no one can give them a class C and offer a /24 instead =] paul
Re: Attn MCI/UUNet - Massive abuse from your network
- Original Message - From: Dr. Jeffrey Race [EMAIL PROTECTED] To: Robert E. Seastrom [EMAIL PROTECTED] Cc: Christopher L. Morrow [EMAIL PROTECTED]; [EMAIL PROTECTED] Sent: Thursday, June 24, 2004 9:59 AM Subject: Re: Attn MCI/UUNet - Massive abuse from your network On 24 Jun 2004 09:26:15 -0400, Robert E. Seastrom wrote: Dr. Jeffrey Race [EMAIL PROTECTED] writes: -- snip -- We see this all the time on Spam-L. It shows up quickly in the numbers when there is a management decision. perhaps we can move this discussion there, then? paul
Re: Attn MCI/UUNet - Massive abuse from your network
- Original Message - From: Christopher L. Morrow [EMAIL PROTECTED] To: Ben Browning [EMAIL PROTECTED] Cc: Dr. Jeffrey Race [EMAIL PROTECTED]; [EMAIL PROTECTED] Sent: Thursday, June 24, 2004 5:55 PM Subject: Re: Attn MCI/UUNet - Massive abuse from your network --- snipped --- this is not entirely true, a majority of these far-end customers are paying the same price regardless of utilization. Even the utilization charged customers are not having their 95th Percentile changed because of spam, or that'd be my guess. In the end there is no money for mci from spammers. agreed, in the majority of the cases. on the other hand, implementing the FUSSP jrace proposed would cost mci (or any other carrier) revenue as they would be seen as frothing-at-the-mouth fanatics that present a business risk when used for upstream transit even for folks that run clean networks and deal with abuse complaints properly. and yes, it's time for this thread to die. paul
Re: Attn MCI/UUNet - Massive abuse from your network
- Original Message - From: Dr. Jeffrey Race [EMAIL PROTECTED] To: Jeffrey Race [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Sent: Wednesday, June 23, 2004 11:20 PM Subject: Re: Attn MCI/UUNet - Massive abuse from your network On Thu, 24 Jun 2004 03:05:41 + (GMT), Christopher L. Morrow wrote: Sure, customer of a customer we got emailtools.com kicked from their original 'home' now they've moved off (probably several times since 2000) to another customer. This happens to every ISP, each time they appear we start the process to disconnect them. This is too flagrant to let pass without comment. not specifically in response to jeffrey, but may i suggest we /dev/{nanae,null} ? paul
Re: Inside look at a spammer's business
- Original Message - From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, June 22, 2004 5:49 AM Subject: Inside look at a spammer's business This site http://rejo.zenger.nl/abuse/1085493870.php has an interesting insider's account of running a spamming business and all the support business that exist to help spammer businesses to survive and thrive. having read the article, i must note that your definition of 'thrive' must be very different from mine. surely, his earnings barely covered his coffeeshop bills. p
Re: AV/FW Adoption Sudies
- Original Message - From: Eric Rescorla [EMAIL PROTECTED] To: [EMAIL PROTECTED] Cc: Sean Donelan [EMAIL PROTECTED]; 'Nanog' [EMAIL PROTECTED] Sent: Thursday, June 10, 2004 2:37 PM Subject: Re: AV/FW Adoption Sudies -- snip --- If we assume that the black hats aren't vastly more capable than the white hats, then it seems reasonable to believe that the probability of the black hats having found any particular vulnerability is also relatively small. and yet, some of the most damaging vulns were kept secret for months before they got leaked and published. i won't pretend to have the answer, but fact remains fact. paul
Re: AV/FW Adoption Sudies
- Original Message - From: Eric Rescorla [EMAIL PROTECTED] Paul G [EMAIL PROTECTED] wrote: - Original Message - From: Eric Rescorla [EMAIL PROTECTED] -- snip --- If we assume that the black hats aren't vastly more capable than the white hats, then it seems reasonable to believe that the probability of the black hats having found any particular vulnerability is also relatively small. and yet, some of the most damaging vulns were kept secret for months before they got leaked and published. i won't pretend to have the answer, but fact remains fact. I don't think that this contradicts what I was saying. My hypothesis is that the sets of bugs independently found by white hats and black hats are basically disjoint. So, you'd definitely expect that there were bugs found by the black hats and then used as zero-days and eventually leaked to the white hats. So, what you describe above is pretty much what one would expect. there is a fair chance that the same bug will be found if several people audit the same piece of code, such as a very widespread, high profile piece of software. in fact, i know of at least one serious bug that was discovered independently by two different groups of people. in general, however, what you are saying makes complete sense. paul
Re: What HTTP exploit?
- Original Message - From: Vinny Abello [EMAIL PROTECTED] To: Mike Nice [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Sent: Monday, May 31, 2004 11:31 AM Subject: Re: What HTTP exploit? -- snip -- I thought if it can be crashed by cramming too much info into a buffer before it's truncated, that's considered a buffer overflow. I'm no programmer and may be off base here but it just struck me as odd also. it could also be a heap overflow (unless we are talking fbsd, for example). regardless, i would be very interested in having a look at that gentleman's apache setup to see if we can crash it reliably g paul
Re: Problems with .de abuse
- Original Message - From: Erik Haagsman [EMAIL PROTECTED] To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Sent: Wednesday, March 24, 2004 10:55 AM Subject: Re: Problems with .de abuse I sent the abuse email 2 days ago and got no response. After 2 more days of this, I finally just tried to call that number, and it's bogus (or at least not working). Does anyone have a clue who this is and/or how to actually get ahold of someone there (preferably one who speaks or reads/writes English)? Try and reach them at [EMAIL PROTECTED] or try and contact their admin Jens Rosenboom at [EMAIL PROTECTED] I know it's not the regular channel, but and we peer with them at DE-CIX and had similar problems a while back with IP's from their range scanning and trying out SNMP communities on our boxes. They responded on an e-mail sent to their peering address and we haven't had any further scans since, although your complaint seems to disrepute them further. slightly OT, but it is a sad day when operators stop being responsible neighbours and start responding to abuse reports only when their {willy,peering} is on the line. paul
Re: who offers cheap (personal) 1U colo?
paul, - Original Message - From: Paul Vixie [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Saturday, March 13, 2004 2:59 PM Subject: Re: who offers cheap (personal) 1U colo? -- snip -- $50/month at 40U rentable is $2000/rack/month if it's full. after paying for 60A of power and 50Mbits/sec of transit and whatever the rack rents for, the provider's gross margin will be between 25% and 50%, out of which they have to pay salaries. as a standalone business this makes no sense, but at scale or as part of another business, $50/month @1U is just about right. according to your calculations, 1U + 1.5 breakered amps + 1 Mb/s should cost us $25 to $37.50 to provide. care to share where that is? paul
Re: UUNet Offer New Protection Against DDoS
- Original Message - From: william(at)elan.net [EMAIL PROTECTED] To: John Obi [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Sent: Wednesday, March 03, 2004 3:42 AM Subject: Re: UUNet Offer New Protection Against DDoS On Tue, 2 Mar 2004, John Obi wrote: Hello Nanogers! I'm happy to see this, and I hope CW, Verio, and Level3 will do the same! http://informationweek.securitypipeline.com/news/18201396 MCI/WorldCom Monday unveiled a new service level agreement (SLA) to help IP services customers thwart and defend against Internet viruses and threats. --- snippety snip --- Blah, blah, blah I would say this is a lot more like a self-ad than press-release of new service. UUNET already responded within 15 minutes or less to DoS attacks, at least this is what it was several years ago. Possibly this changed when they went ch11 and now they are just trying to get back to normal. But I would not say that this is anything special. Of course, I would be happy to see others say the same too in their SLA, but how about that they simply would just RESPOND in 15 minute to customer request. (And actually one of my upstreams does exactly that they respond and have that in their SLA. And they usually respond within 1-3 minutes and not only do I not have to call them, but they actually call me if the link is down or if there is serious congestion on it. Quite a bit overzealous actually!) agreed, not very spectacular. in fact, i expect most ddos attack issues to be *resolved* within 15 minutes, for reasonable values of 'most' and 'resolved'. i would probably be very dissatisfied if i could not get to a warm, clueful and enabled body in under 10 minutes in an emergency, but then we are a reasonably large customer of a good smaller carrier so my expectations may be invalid in big boy customer land. paul
Re: UUNet Offer New Protection Against DDoS
- Original Message - From: Deepak Jain [EMAIL PROTECTED] To: william(at)elan.net [EMAIL PROTECTED] Cc: John Obi [EMAIL PROTECTED]; [EMAIL PROTECTED] Sent: Wednesday, March 03, 2004 2:56 AM Subject: Re: UUNet Offer New Protection Against DDoS william(at)elan.net wrote: On Tue, 2 Mar 2004, John Obi wrote: Hello Nanogers! I'm happy to see this, and I hope CW, Verio, and Level3 will do the same! http://informationweek.securitypipeline.com/news/18201396 And what kind of response to DOS are we talking about? Blackholing the target IP to allow your pipe to pass packets and so that your router is pingable (which is probably the measure for whether you are up or not?) can't speak for them, but this would be my preferred first step. next step is, of course, an attempt to filter on {source, unique characteristics, what have you} and removing the blackhole. paul
Re: UUNet Offer New Protection Against DDoS
erik, - Original Message - From: Erik Haagsman [EMAIL PROTECTED] To: Paul G [EMAIL PROTECTED] Cc: Deepak Jain [EMAIL PROTECTED]; william(at)elan.net [EMAIL PROTECTED]; John Obi [EMAIL PROTECTED]; [EMAIL PROTECTED] Sent: Wednesday, March 03, 2004 3:47 AM Subject: Re: UUNet Offer New Protection Against DDoS On Wed, 2004-03-03 at 09:26, Paul G wrote: can't speak for them, but this would be my preferred first step. next step is, of course, an attempt to filter on {source, unique characteristics, what have you} and removing the blackhole. What most people seem to forget is that neither of these steps actually counter the DoS...they merely make the DoS as invisible as possible to customers correct. from our pov, it is gone. given that 'solving the problem' is not always possible, this is almost as good as it gets in the real world. while the traffic keeps hitting the carrier in question. For the large carriers this is only a minor inconvenience. For smaller carriers or for co-location facilities/NSP's that are relying on not-so-clueful carriers (read: carriers not supporting any kind of communities with possible lack of pro-active network management and/or bad communications) this is a BIG problem. Even though they might take the heat off the targeted customer, they could be in for a rough ride themselves as the DoS keeps going and going. we tend to get small ddos (a few hundred megs) that are more of an annoyance than anything else, at least before they hit the customer-in-question's faste handoff. I haven't seen any major press-releases on actually solving the problem instead of hiding it... (granted...I haven't put out one either :-) grin. in other news, no one has solved the perpetuum mobile problem either. as a carrier, your job is to solve the problem for the customer. this includes staying up afterwards. paul
Re: ISPs' willingness to take action
ken, ---snip--- 3) There was a thread a little while ago that talked about a way to cut down spam by simply restricting who you would accept SMTP traffic from. Unfortunately, I don't recall the details, but at the time it struck me as eminently sensible, and just required cooperation between ISPs to implement effectively. ---snip--- so what you are saying is that you would like to go back to the fidonet days, when site A had to agree to route site B's mail? a deny all, accept some rule for smtp would horribly break all that is good in humanity. am i missing something here? paul
Re: More news coverage
- Original Message - From: Vivien M. [EMAIL PROTECTED] To: 'ken emery' [EMAIL PROTECTED]; [EMAIL PROTECTED] Sent: Wednesday, October 08, 2003 8:28 PM Subject: RE: More news coverage But isn't the SiteFinder service just VeriSign Marketing's name for the wildcard A record? What's the point of the search engine at sitefinder.verisign.com (which appears to be down) without the wildcard A record directing stuff to it? they could try to get some legitimate traffic as , say, google or yahoo do by providing a valuable service. if it is as valuable as they claim, users will keep coming back. pg