Re: news from Google

2009-12-03 Thread Scott Weeks


j...@thejof.com

: 6.6.6.6 belongs to the US Army

look at AS 666.  At least they know their position in the universe.
---


andrey.gor...@gmail.com

: IMHO that's where we are heading with google taking over every service 
imaginable

Only if you let them.  DBS (don't be sheep)
---



At the most basic minimum manage your cookies. Just a quick search (not with 
google) gives:
google.com/support/urchin45/bin/answer.py?answer=28710  (you'll see a LOT of 
_utm type cookies as soon as you start watching them)

There are many other companies out there that know more about you than you 
think possible.  Small example: Do you allow third party cookies unfettered 
access to what you do?

scott



Re: Consumer Grade - IPV6 Enabled Router Firewalls.

2009-12-03 Thread Matthew Moyle-Croft
DHCPv6 PD is pretty crucial.  


I'd love to see the code in an ADSL box (hint hint hint DLINK).

MMC

Frank Bulk wrote:

Give their emulator a try:
http://support.dlink.com/emulators/dir615_revC/310NA/login.htm

Perhaps this is a dumb question, but without DHCPv6 IA_PD support, how are
"other" large service providers rolling out IPv6 for their cable broadband,
xDSL, BWA, and FTTH customers?  100% SLAAC?

Frank

-Original Message-
From: jason.w...@cox.com [mailto:jason.w...@cox.com] 
Sent: Thursday, December 03, 2009 8:54 PM

To: jba...@brightok.net; new...@internode.com.au
Cc: nanog@nanog.org
Subject: RE: Consumer Grade - IPV6 Enabled Router Firewalls.

One of the better/only decent implementations I have run across in the
retail world so far is the D-Link 615SW. Look for the IPv6_Ready Gold cert
emblem (found this on an encap at Fry's and nobody in the department knew
what IPv6 was) on the front of the box for easy recognition although there
are other modems with RevC (think Rev_B works as well) firmware that don't
have the label but work as well. The major feature missing is DHCPv6 IA_PD
but you won't find this on any retail router that I am aware of today. What
you will find though is WAN interface config via static, stateful or
stateless DHCPv6 as well as stateful and stateless PPPoEv6. It even offers a
DHCPv6 server for your LAN interfaces to boot.

I am not sure if this product was built for the Japanese market and is now
being released here to determine interest from the retail sector but it is
useful for a trial lab or for testing at home. The major caveat of course is
that all the IPv6 configs are done in Advanced Config mode and hence not
designed for plug-and-play for your average home user.

Jason

From: Jack Bates [jba...@brightok.net]
Sent: Thursday, December 03, 2009 7:06 PM
To: Mark Newton
Cc: nanog@nanog.org
Subject: Re: Consumer Grade - IPV6 Enabled Router Firewalls.

Mark Newton wrote:
  

The fact that someone got OpenWRT working in less than a week of spare
time makes it totally clear why the commercial vendors haven't done
anything:  They're just simply not interested, nothing more, nothing
less.



I suspect they didn't use DHCPv6-PD with that OpenWRT. I've had issues
with the dhcp client that comes with it in the past, though I've had an
ubuntu box acting as a router with wide-dhcp doing -PD. It works okay,
although the devs really should look at better support on the automatic
address assignment model and support for PD issued from PD. Of course, I
suspect there's just not enough interest in the linux dev community to
bother.

Finally, one of the home router firmware companies (which I believe
linksys used when they didn't use linux) has had IPv6 support in their
codebase for a year now. See nanog history. The manufacturers that use
their code don't seem to have implemented the new IPv6 code.


Jack (sick, so if it doesn't make sense, sorry)





  


Re: news from Google

2009-12-03 Thread Hank Nussbacher

On Thu, 3 Dec 2009, Jorge Amodio wrote:


now Google DNS, anything more?


GoogleNation.


Google Opt-out Village:

http://www.theonion.com/content/video/google_opt_out_feature_lets_users

-Hank



Sr. Net Eng needed.

2009-12-03 Thread Joe Hamelin
Lots of travel, 6 month contract, 4G  build-out.  Contact Voshte at
vgustaf...@kforce.com.


-- 
Joe Hamelin, W7COM, Tulalip, WA, 360-474-7474



RE: Consumer Grade - IPV6 Enabled Router Firewalls.

2009-12-03 Thread Frank Bulk
Give their emulator a try:
http://support.dlink.com/emulators/dir615_revC/310NA/login.htm

Perhaps this is a dumb question, but without DHCPv6 IA_PD support, how are
"other" large service providers rolling out IPv6 for their cable broadband,
xDSL, BWA, and FTTH customers?  100% SLAAC?

Frank

-Original Message-
From: jason.w...@cox.com [mailto:jason.w...@cox.com] 
Sent: Thursday, December 03, 2009 8:54 PM
To: jba...@brightok.net; new...@internode.com.au
Cc: nanog@nanog.org
Subject: RE: Consumer Grade - IPV6 Enabled Router Firewalls.

One of the better/only decent implementations I have run across in the
retail world so far is the D-Link 615SW. Look for the IPv6_Ready Gold cert
emblem (found this on an encap at Fry's and nobody in the department knew
what IPv6 was) on the front of the box for easy recognition although there
are other modems with RevC (think Rev_B works as well) firmware that don't
have the label but work as well. The major feature missing is DHCPv6 IA_PD
but you won't find this on any retail router that I am aware of today. What
you will find though is WAN interface config via static, stateful or
stateless DHCPv6 as well as stateful and stateless PPPoEv6. It even offers a
DHCPv6 server for your LAN interfaces to boot.

I am not sure if this product was built for the Japanese market and is now
being released here to determine interest from the retail sector but it is
useful for a trial lab or for testing at home. The major caveat of course is
that all the IPv6 configs are done in Advanced Config mode and hence not
designed for plug-and-play for your average home user.

Jason

From: Jack Bates [jba...@brightok.net]
Sent: Thursday, December 03, 2009 7:06 PM
To: Mark Newton
Cc: nanog@nanog.org
Subject: Re: Consumer Grade - IPV6 Enabled Router Firewalls.

Mark Newton wrote:
> The fact that someone got OpenWRT working in less than a week of spare
> time makes it totally clear why the commercial vendors haven't done
> anything:  They're just simply not interested, nothing more, nothing
> less.

I suspect they didn't use DHCPv6-PD with that OpenWRT. I've had issues
with the dhcp client that comes with it in the past, though I've had an
ubuntu box acting as a router with wide-dhcp doing -PD. It works okay,
although the devs really should look at better support on the automatic
address assignment model and support for PD issued from PD. Of course, I
suspect there's just not enough interest in the linux dev community to
bother.

Finally, one of the home router firmware companies (which I believe
linksys used when they didn't use linux) has had IPv6 support in their
codebase for a year now. See nanog history. The manufacturers that use
their code don't seem to have implemented the new IPv6 code.


Jack (sick, so if it doesn't make sense, sorry)







Re: news from Google

2009-12-03 Thread Charles Wyble
That is an Akamai error.


On Dec 3, 2009, at 6:57 PM, Jorge Amodio wrote:

> talking about evil http://www.bing.com/ :
> 
>> Oops
>> This isn't the page you wanted!
>> 
>> Try this
>> Refresh the page. If you get this message again, please check back later.
>> 
>> Ref A: 7d09ba2186d4448a8dd2b99ad2c12b3a Ref B: 
>> B498C04FE4F5DC107DF8FC65998D9838 >Ref >C: Thu Dec 03 18:54:06 2009 PST
> 




Re: news from Google

2009-12-03 Thread Jorge Amodio
talking about evil http://www.bing.com/ :

>Oops
>This isn't the page you wanted!
>
>Try this
>Refresh the page. If you get this message again, please check back later.
>
>Ref A: 7d09ba2186d4448a8dd2b99ad2c12b3a Ref B: 
>B498C04FE4F5DC107DF8FC65998D9838 >Ref >C: Thu Dec 03 18:54:06 2009 PST

While the younger evil keeps trying to provide better and faster
services the oldest one seems
to be doing their best effort to screw them.

PS. SANS is reporting the service down http://isc.sans.org/diary.html

Cheers
Jorge



RE: Consumer Grade - IPV6 Enabled Router Firewalls.

2009-12-03 Thread Jason.Weil
One of the better/only decent implementations I have run across in the retail 
world so far is the D-Link 615SW. Look for the IPv6_Ready Gold cert emblem 
(found this on an encap at Fry's and nobody in the department knew what IPv6 
was) on the front of the box for easy recognition although there are other 
modems with RevC (think Rev_B works as well) firmware that don't have the label 
but work as well. The major feature missing is DHCPv6 IA_PD but you won't find 
this on any retail router that I am aware of today. What you will find though 
is WAN interface config via static, stateful or stateless DHCPv6 as well as 
stateful and stateless PPPoEv6. It even offers a DHCPv6 server for your LAN 
interfaces to boot.

I am not sure if this product was built for the Japanese market and is now 
being released here to determine interest from the retail sector but it is 
useful for a trial lab or for testing at home. The major caveat of course is 
that all the IPv6 configs are done in Advanced Config mode and hence not 
designed for plug-and-play for your average home user.

Jason

From: Jack Bates [jba...@brightok.net]
Sent: Thursday, December 03, 2009 7:06 PM
To: Mark Newton
Cc: nanog@nanog.org
Subject: Re: Consumer Grade - IPV6 Enabled Router Firewalls.

Mark Newton wrote:
> The fact that someone got OpenWRT working in less than a week of spare
> time makes it totally clear why the commercial vendors haven't done
> anything:  They're just simply not interested, nothing more, nothing
> less.

I suspect they didn't use DHCPv6-PD with that OpenWRT. I've had issues
with the dhcp client that comes with it in the past, though I've had an
ubuntu box acting as a router with wide-dhcp doing -PD. It works okay,
although the devs really should look at better support on the automatic
address assignment model and support for PD issued from PD. Of course, I
suspect there's just not enough interest in the linux dev community to
bother.

Finally, one of the home router firmware companies (which I believe
linksys used when they didn't use linux) has had IPv6 support in their
codebase for a year now. See nanog history. The manufacturers that use
their code don't seem to have implemented the new IPv6 code.


Jack (sick, so if it doesn't make sense, sorry)





Re: news from Google

2009-12-03 Thread Charles Wyble
LOL.

One place I worked at hosted a bunch of websites and called them by business 
unit. so xxx_nnn

One business unit was particularly problematic and frequently returned 500 
errors. The version in production was xxx_4xx  when the next major rev came 
out we skipped 5xx and went to 6xx. :) 


On Dec 3, 2009, at 12:36 PM, Matthew Petach wrote:

> On Thu, Dec 3, 2009 at 12:09 PM, Scott Berkman  wrote:
>> Also reminds me of the Level 3 DNS servers in the 4.2.2.[1-8++] range.
>> 
>>-Scott
>> 
> 
> I suppose I've been too brainwashed by HTTP...I looked at that, and
> thought that it would be amusing to have a DNS server in the 4.0.2 range.  ^_^;
> 
> (for reference... http://en.wikipedia.org/wiki/HTTP_402#4xx_Client_Error
> 
> 402 Payment Required
> 
> :D
> 
> Matt
> 




Re: Consumer Grade - IPV6 Enabled Router Firewalls.

2009-12-03 Thread Jack Bates

Mark Newton wrote:

> The fact that someone got OpenWRT working in less than a week of spare
> time makes it totally clear why the commercial vendors haven't done
> anything:  They're just simply not interested, nothing more, nothing
> less.


I suspect they didn't use DHCPv6-PD with that OpenWRT. I've had issues 
with the dhcp client that comes with it in the past, though I've had an 
ubuntu box acting as a router with wide-dhcp doing -PD. It works okay, 
although the devs really should look at better support on the automatic 
address assignment model and support for PD issued from PD. Of course, I 
suspect there's just not enough interest in the linux dev community to 
bother.


Finally, one of the home router firmware companies (which I believe 
linksys used when they didn't use linux) has had IPv6 support in their 
codebase for a year now. See nanog history. The manufacturers that use 
their code don't seem to have implemented the new IPv6 code.



Jack (sick, so if it doesn't make sense, sorry)




RE: news from Google

2009-12-03 Thread Deepak Jain
Or the whole turning over records from Youtube... 

Nothing prevents them from changing policies in the future when it becomes more 
difficult for millions of users to change away... (vis-à-vis the uproar when FB 
was going to change its privacy policy and more as it continues to do so).



> -Original Message-
> From: Ken Chase [mailto:m...@sizone.org]
> Sent: Thursday, December 03, 2009 5:29 PM
> To: nanog@nanog.org
> Subject: Re: news from Google
> 
> You mean like this?
> 
> http://arstechnica.com/telecom/news/2009/12/sprint-fed-customer-gps-
> data-to-leos-over-8-million-
> times.ars?utm_source=rss&utm_medium=rss&utm_campaign=rss
> 
> and this?
> 
> http://almartinraw.com/public/column417.html
> 
> just wait til google sews up all voice communications.
> 
> On Thu, Dec 03, 2009 at 04:49:39PM -0500, Andrey Gordon's said:
>   >sometimes google makes me think of all those futuristic movies where
> there
>   >is a single corporation running the world, everyone is 'tagged' and
> tracked
>   >24/7 and everyone who works for that corporation are happy campers
> and live
>   >in clean and modern neighborhoods and the rest of the people are
> scam of the
>   >earth and live in the sewer.
>   >IMHO that's where we are heading with google taking over every
> service
>   >imaginable. That's the feeling I get from google.
> 
> /kc
> --
> Ken Chase - k...@heavycomputing.ca - +1 416 897 6284 - Toronto CANADA
> Heavy Computing - Clued bandwidth, colocation and managed linux VPS
> @151 Front St. W.




Re: news from Google

2009-12-03 Thread Ken Chase
Thanks for the updates Paul, good to see such policies in place at Google.

I still personally hope for the great benevolent open-source-trumpeting
/privacy-protecting giant to exist and operate exactly as it does in geeks'
wildest fantasies. Really I do.

However, I suppose you can make few admissions regarding law enforcement or
other govt surveillance queries regarding those 24 or 48 hours of log
retention. (It's likely illegal for you to comment, if you do know
anything.)

I'd love to know what google's policies are there (if any?) - and what kind of
latitude google really has over refusing certain types of request, or even
refusing to build in certain features that would be useful to law enforcement.
But again, you might not be allowed to comment.

While google does not do the cross referencing, can law enforcement request
logs from various google services separately and do their own cross referencing
based on IP and timestamp?

Of course for some obscure site (say ostensibly containing 'typical terrorist
profile ideological writings' for a cliched example), those 24-48 hours of
logs would positively tie an IP address to at least looking up the site
hosting such materials, strengthening evidence that the user visited that
site. This is a more wide ranging collection of information than google's
search engine (which has its own privacy safeguards I'm not mentioning right
now) as using google dns would log EVERY transaction (other than by raw IP)
that the user did on the internet (not just google searches or using the web).
This makes an extraordinarily attractive target for law enforcement.

Even with strong policies in effect now, I'm not sure that anything that
currently stops law enforcement won't be challenged or secretly overridden
sometime in the future.

"Build it and they will come."

/kc


On Thu, Dec 03, 2009 at 05:20:38PM -0500, Paul S. R. Chisholm's said:
  >Ken, this was addressed in the announcement:
  >
  >http://code.google.com/speed/public-dns/privacy.html
  >
  >We built Google Public DNS to make the web faster and to retain as
  >little information about usage as we could, while still being able to
  >detect and fix problems. Google Public DNS does not permanently store
  >personally identifiable information.
  >
  >http://code.google.com/speed/public-dns/faq.html#account
  >http://code.google.com/speed/public-dns/faq.html#shared
  >http://code.google.com/speed/public-dns/faq.html#info

-- 
Ken Chase - k...@heavycomputing.ca - +1 416 897 6284 - Toronto CANADA
Heavy Computing - Clued bandwidth, colocation and managed linux VPS @151 Front 
St. W.



Re: Historical traceroute logging

2009-12-03 Thread Brandon Galbraith
On Thu, Dec 3, 2009 at 4:26 PM, John Souvestre  wrote:

> Hello Jeroen.
>
> I very much like Ping Plotter.  http://www.pingplotter.com/
>
> John
>
>
We've used Ping Plotter before as well. Some shortcomings, but works well
for what it's supposed to do.

-- 
Brandon Galbraith
Mobile: 630.400.6992
FNAL: 630.840.2141


Re: news from Google

2009-12-03 Thread Ken Chase
You mean like this? 

http://arstechnica.com/telecom/news/2009/12/sprint-fed-customer-gps-data-to-leos-over-8-million-times.ars?utm_source=rss&utm_medium=rss&utm_campaign=rss

and this?

http://almartinraw.com/public/column417.html

just wait til google sews up all voice communications.

On Thu, Dec 03, 2009 at 04:49:39PM -0500, Andrey Gordon's said:
  >sometimes google makes me think of all those futuristic movies where there
  >is a single corporation running the world, everyone is 'tagged' and tracked
  >24/7 and everyone who works for that corporation are happy campers and live
  >in clean and modern neighborhoods and the rest of the people are scam of the
  >earth and live in the sewer.
  >IMHO that's where we are heading with google taking over every service
  >imaginable. That's the feeling I get from google.

/kc
-- 
Ken Chase - k...@heavycomputing.ca - +1 416 897 6284 - Toronto CANADA
Heavy Computing - Clued bandwidth, colocation and managed linux VPS @151 Front 
St. W.



RE: Historical traceroute logging

2009-12-03 Thread John Souvestre
Hello Jeroen.

I very much like Ping Plotter.  http://www.pingplotter.com/

John

John Souvestre - New Orleans LA

 > -Original Message-
 > From: Jeroen Massar [mailto:jer...@unfix.org]
 > Sent: Thursday, December 03, 2009 3:16 PM
 > To: Justin Shore
 > Cc: NANOG list
 > Subject: Re: Historical traceroute logging
 > 
 > Justin Shore wrote:
 > > Does anyone know of any tools that can do repeated traceroutes over time
 > > to a remote IP and log the results for later viewing/comparison?
 > 
 > RIPE TTM @ http://www.ripe.net/ttm/
 > 
 > Greets,
 >  Jeroen





Re: news from Google

2009-12-03 Thread Paul S. R. Chisholm
On Thu, Dec 3, 2009 at 5:07 PM, Ken Chase  wrote:
> We all know that google is leveraging cross-referenceable information from all
> of its services for its profit/advantage ...
>
> /kc
> --
> Ken Chase - k...@heavycomputing.ca - +1 416 897 6284 - Toronto CANADA
> Heavy Computing - Clued bandwidth, colocation and managed linux VPS @151 
> Front St. W.

Ken, this was addressed in the announcement:

http://code.google.com/speed/public-dns/privacy.html

We built Google Public DNS to make the web faster and to retain as
little information about usage as we could, while still being able to
detect and fix problems. Google Public DNS does not permanently store
personally identifiable information.

http://code.google.com/speed/public-dns/faq.html#account
http://code.google.com/speed/public-dns/faq.html#shared
http://code.google.com/speed/public-dns/faq.html#info

Is any of the information collected stored with my Google account?
No.
Does Google share the information it collects from the Google Public
DNS service with anyone else?
No.
Is information about my queries to Google Public DNS shared with other
Google properties, such as Search, Gmail, ads networks, etc.?
No.

Hope this helps.  --PSRC



Re: news from Google

2009-12-03 Thread Bret Clark

Brielle Bruns wrote:

> Why is it that people start cracking out at the thought of Google
> offering a free service that people might have an actual use for and
> that is completely optional and used by choice?
>
> It's a free service people!  No different than Hotmail, or Yahoo Mail,
> or Gmail, AOL Instant Messenger, MSN Messenger...  Use it if you want,
> but if you don't, so be it.  They're not holding a gun to your head.

Can you make that same statement when Google Chrome OS is released or
future versions of Android are released?  It would be naive to think
that Google wouldn't try to default the DNS to their services with those
OS'...no "for profit" company does something for free without an
underlying motive.


I don't think people have problems necessarily with Google getting into 
all this stuff, but at some point, if whatever users are doing always 
has Google as an initial destination, it becomes a concern and I think 
that is the underlying argument for most people


Just my 2 cents,
Bret



Re: news from Google

2009-12-03 Thread Ken Chase
On Thu, Dec 03, 2009 at 02:04:55PM -0700, Brielle Bruns's said:
  >Why is it that people start cracking out at the thought of Google 
  >offering a free service that people might have an actual use for and 
  >that is completely optional and used by choice?
  >
  >It's a free service people!  No different than Hotmail, or Yahoo Mail, 
  >or Gmail, AOL Instant Messenger, MSN Messenger...  Use it if you want, 
  >but if you don't, so be it.  They're not holding a gun to your head.

What happened to the free but private fire brigades (as popularized in the
movie Gangs of...) - how did they get under the aegis of municipal govts?
(Those damn socialist fire depts! :)

Things that become essential services need quality management and control to
ensure equal access to all and reduce abuses.

Just because it's free doesn't mean it's being done right or should continue as
it is without oversight or regulation. In fact, Canada's privacy commissioner
recently ruled on Facebook's policies and asked them to change significant
things about the way they handle personal information and allow opt-ins and
outs. "It's free, so why should anyone have any say in it, least of all the
govt?" is your argument here.

Access to internet/Email has been ruled as an essential service in (parts?) of
the EU FWIG. The Canadian govt also has programs to help fund access to remote/
rural/isolated communities for eg.

We all know that google is leveraging cross-referenceable information from all
of its services for its profit/advantage, to the detriment of people's privacy
and choice. Concentrating that much of internet services into one organization
puts a lot of power into one pair of hands. Information is power, and absolute
power corrupts... and if it doesn't corrupt you, then at least the NSA would like
to have tea and a conversation with you.

/kc
-- 
Ken Chase - k...@heavycomputing.ca - +1 416 897 6284 - Toronto CANADA
Heavy Computing - Clued bandwidth, colocation and managed linux VPS @151 Front 
St. W.



Re: FW: news from Google

2009-12-03 Thread Joel Jaeggli
Kain, Becki (B.) wrote:

> No kidding. I must be the only one who is getting tired of seeing Google
> take over literally everything.

Nobody as far as I can tell has a Monopoly on bad ideas...

joel





Re: news from Google

2009-12-03 Thread Brielle Bruns

On 12/3/09 2:44 PM, Seth Mattinen wrote:

> I take it you've never been on the receiving end of a "the whole
> internet is down it's your fault cuz google never breaks" call when
> google hiccups?

Actually, I have.  I used to have to deal with gems like 'Your DNS 
server is attacking my machine in port 53 UDP!' all the time.  End users 
will always do what they want without needing help from anyone but 
themselves.


My position has, and always will be, you are on your own if you deviate 
from the standard configuration we provide.  My current users understand 
that, and have gotten to the point where they'll admit up front if they 
changed something, without me needing to ask.


Considering our messing up something costs them $0 vs. a service call 
from us that starts at $50 and goes up, the economics of playing with 
settings that work fine gets expensive, and they know this.



--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org/ http://www.ahbl.org



Re: news from Google

2009-12-03 Thread Andrey Gordon
I generally like goog's services and the fact that they are free, but
sometimes google makes me think of all those futuristic movies where there
is a single corporation running the world, everyone is 'tagged' and tracked
24/7 and everyone who works for that corporation are happy campers and live
in clean and modern neighborhoods and the rest of the people are scam of the
earth and live in the sewer.
IMHO that's where we are heading with google taking over every service
imaginable. That's the feeling I get from google.

-
Andrey Gordon [andrey.gor...@gmail.com]


On Thu, Dec 3, 2009 at 4:44 PM, Seth Mattinen  wrote:

> Brielle Bruns wrote:
>
>>
>> Why is it that people start cracking out at the thought of Google offering
>> a free service that people might have an actual use for and that is
>> completely optional and used by choice?
>>
>>
> I take it you've never been on the receiving end of a "the whole internet
> is down it's your fault cuz google never breaks" call when google hiccups?
>
> ~Seth
>
>


Re: news from Google

2009-12-03 Thread Seth Mattinen

Brielle Bruns wrote:

> Why is it that people start cracking out at the thought of Google
> offering a free service that people might have an actual use for and
> that is completely optional and used by choice?

I take it you've never been on the receiving end of a "the whole 
internet is down it's your fault cuz google never breaks" call when 
google hiccups?


~Seth



Re: Historical traceroute logging

2009-12-03 Thread Jeroen Massar
Justin Shore wrote:
> Does anyone know of any tools that can do repeated traceroutes over time
> to a remote IP and log the results for later viewing/comparison?

RIPE TTM @ http://www.ripe.net/ttm/

Greets,
 Jeroen





Re: news from Google

2009-12-03 Thread Brielle Bruns

On 12/3/09 11:48 AM, Seth Mattinen wrote:

Jorge Amodio wrote:

now Google DNS, anything more?


GoogleNation.



No kidding. I must be the only one who is getting tired of seeing Google
take over literally everything.

~Seth



Why is it that people start cracking out at the thought of Google 
offering a free service that people might have an actual use for and 
that is completely optional and used by choice?


It's a free service people!  No different than Hotmail, or Yahoo Mail, 
or Gmail, AOL Instant Messenger, MSN Messenger...  Use it if you want, 
but if you don't, so be it.  They're not holding a gun to your head.


It would be one thing if installing Google Chrome or similar changed 
your DNS settings without your knowledge.  MS in the past forced MSN 
Messenger onto people by default in most Windows installs, and the world 
didn't end.


--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org/ http://www.ahbl.org



Re: news from Google

2009-12-03 Thread Martin Hannigan
On Thu, Dec 3, 2009 at 3:29 PM, Jeroen Massar  wrote:

> Andrey Gordon wrote:
> > uf, another question I'll have ask my users now:
> >
> > User: I can't get to the intranet.mycompanydomain.local! What did you
> > break!?
> > Me: Hey, you can't to the intranet,domain.local? Did you make your laptop
> > use Google DNS?
>
> But it is s easy to just route 8.8.8.8 and 8.8.4.4 to ISP/enterprise
> internal ISP addresses, no more configuration who would have thought of
> that...
>
>
Forever? I think we're also seeing the first legacy space holder (that I'm
aware of, publicly) foray into commercial LIR services. Putting this service
into a legacy block was not a mistake or a stroke of luck. It's being
advertised by goog. Could mean nothing, but I think it's interesting amongst
the other interesting things.

Best,

-M<





-- 
Martin Hannigan   mar...@theicelandguy.com
p: +16178216079
Power, Network, and Costs Consulting for Iceland Datacenters and Occupants


Historical traceroute logging

2009-12-03 Thread Justin Shore
Does anyone know of any tools that can do repeated traceroutes over time 
to a remote IP and log the results for later viewing/comparison?  I'd 
like to do a traceroute several times a day and store the details in CVS 
or somewhere accessible down the road.  Alerting to major path changes 
would be nice but not critical.  The ability to compare traceroute 
output down the road would also be nice but also not critical.  I'm more 
interested in the path than the individual hops' RTTs.


What's prompting this is a major change in RTTs for several hours 
yesterday to an ITSP with a site in the south.  We share a common 
upstream (L3) and have in the past always transited that provider to get 
to each other.  I showed a route change for the specific /23 in question 
in my border routers' RIBs.  The adjacent /23 originating from the same 
ITSP but in a different part of the country did not change (and neither 
did RTTs to the hosts we monitor in that /23).  The site claimed nothing 
changed on their end and that they know of no changes upstream.  BGP 
Play shows a route change from Level3 to Internap during the time in 
question (though the times don't line up exactly) which most likely 
caused the more than double RTTs we were seeing.  My Cacti Advanced Ping 
graphs caught the problem in all its glory.  Nagios alerted me to the 
high RTT times as well.  What I didn't get during that period of time 
was a traceroute to the site in question.


I'd like to run a traceroute several times a day and find some way to 
store the output and work with it later if needed.  I'd prefer OSS but 
commercial apps would be considered too.  I'm sure I'm not the first to 
have a need to check traceroutes like that.  How do the rest of you 
handle it?


Thanks
 Justin
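
An added example (not from any poster in this thread or any tool named in it) of the path logging asked for above: it parses `traceroute -n` output, appends each path to a JSON-lines file that can be kept under version control, and reports the hops that changed since the previous run while ignoring RTTs. The function names, file layout and sample outputs are assumptions constructed for illustration, and the parser handles IPv4 only.

```python
"""Log traceroute paths over time and report hop-level changes between runs."""
import ipaddress
import json
import re
import subprocess
import tempfile
import time
from pathlib import Path

HOP_LINE = re.compile(r"^\s*(\d+)\s+(.*)$")        # "<ttl>  <responders and RTTs>"
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")  # RTTs such as "8.92" never match

# Constructed sample output (documentation address ranges) for one target,
# before and after an upstream route change.
SAMPLE_BEFORE = """\
traceroute to 203.0.113.10 (203.0.113.10), 30 hops max, 60 byte packets
 1  192.0.2.1  0.41 ms
 2  198.51.100.5  8.92 ms
 3  198.51.100.9  21.30 ms
 4  203.0.113.10  22.05 ms
"""
SAMPLE_AFTER = """\
traceroute to 203.0.113.10 (203.0.113.10), 30 hops max, 60 byte packets
 1  192.0.2.1  0.39 ms
 2  198.51.100.77  19.80 ms
 3  *
 4  198.51.100.81  47.10 ms
 5  203.0.113.10  51.64 ms
"""


def parse_path(output):
    """Return one entry per TTL: the responder address(es), or '*' on timeout."""
    hops = []
    for line in output.splitlines():
        match = HOP_LINE.match(line)
        if not match:
            continue  # header line or other non-hop text
        ips = IPV4.findall(match.group(2))
        # Several responders at one TTL (load balancing) are kept as a sorted set.
        hops.append(",".join(sorted(set(ips))) if ips else "*")
    return hops


def path_diff(old, new):
    """List (ttl, old_hop, new_hop) where the path differs.

    A '*' on either side is treated as "no data", not as a change, so a
    router that drops one probe does not raise an alert. A hop that exists
    in only one of the two paths is reported with None on the other side.
    """
    diffs = []
    for i in range(max(len(old), len(new))):
        a = old[i] if i < len(old) else None
        b = new[i] if i < len(new) else None
        if a == b or "*" in (a, b):
            continue
        diffs.append((i + 1, a, b))
    return diffs


def last_path(log_file, target):
    """Return the most recently logged path for target, or None."""
    path = None
    if Path(log_file).exists():
        for line in Path(log_file).read_text().splitlines():
            entry = json.loads(line)
            if entry["target"] == target:
                path = entry["path"]
    return path


def record(log_file, target, output, ts=None):
    """Append this run to the log and return the changes against the last run."""
    new = parse_path(output)
    old = last_path(log_file, target)
    changes = path_diff(old, new) if old is not None else []
    entry = {"ts": int(time.time()) if ts is None else ts,
             "target": target, "path": new, "changes": changes}
    with open(log_file, "a") as fh:
        fh.write(json.dumps(entry) + "\n")
    return changes


def run_traceroute(target):
    """Run the system traceroute against a literal IP and return its output."""
    ipaddress.ip_address(target)  # ValueError unless a literal address, so no option injection
    proc = subprocess.run(["traceroute", "-n", "-q", "1", "-w", "2", target],
                          capture_output=True, text=True, timeout=120, check=False)
    return proc.stdout


if __name__ == "__main__":
    # Offline demonstration with the constructed samples above.
    log = Path(tempfile.mkdtemp()) / "paths.jsonl"
    record(log, "203.0.113.10", SAMPLE_BEFORE)
    for ttl, old, new in record(log, "203.0.113.10", SAMPLE_AFTER):
        print(f"hop {ttl}: {old} -> {new}")
```

For live use, call `record(log, target, run_traceroute(target))` from a scheduler several times a day and alert when the returned list is non-empty.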






Re: news from Google

2009-12-03 Thread Matthew Petach
On Thu, Dec 3, 2009 at 12:09 PM, Scott Berkman  wrote:
> Also reminds me of the Level 3 DNS servers in the 4.2.2.[1-8++] range.
>
>        -Scott
>

I suppose I've been too brainwashed by HTTP...I looked at that, and
thought that it would be amusing to have a DNS server in the 4.0.2 range.  ^_^;

(for reference... http://en.wikipedia.org/wiki/HTTP_402#4xx_Client_Error

402 Payment Required

:D

Matt



Re: news from Google

2009-12-03 Thread Jeroen Massar
Andrey Gordon wrote:
> uf, another question I'll have ask my users now:
> 
> User: I can't get to the intranet.mycompanydomain.local! What did you
> break!?
> Me: Hey, you can't to the intranet,domain.local? Did you make your laptop
> use Google DNS?

But it is s easy to just route 8.8.8.8 and 8.8.4.4 to ISP/enterprise
internal ISP addresses, no more configuration who would have thought of
that...

Greets,
 Jeroen





Re: Calling Comcast Postmaster or whomever actually is responsible for Comcast RBL maintenance

2009-12-03 Thread Griffiths, Chris
On 12/3/09 12:10 PM, "Chris Stebner"  wrote:

> For over a month now I've been fighting with Comcast Customer Security
> Assurance regarding a simple BlackList issue. Apparently there is some
> disconnect between internal applications and their ability to report
> BlackList status accurately and the 'actual' BlackList rule-set. Supposedly
> the ticket has been escalated to 'admin' and 'engineering' multiple times to
> no avail. Currently we are waiting for engineering again to examine the
> issue.
> 
> The block is owned by us, a facilities based CLEC in business for over 10
> years. The /24 in question is used for business T1's.
> 
> If anyone has any contacts, ideas or the power to resolve the issue I'd be
> elated to hear from you.
> 
> 
> Thank you all for your time,
> 
> Chris Stebner
> 970-403-0102

I have sent this issue on to the right team and you should hear back from
them shortly.

Thanks for posting.

-- 
Chris Griffiths
Comcast Cable Communications, Inc.
National Engineering and Technical Operations





Re: news from Google

2009-12-03 Thread J. Oquendo
Deepak Jain wrote:
> I think there are amazing opportunities to data mine and prevent fraud if you 
> can get a percentage of your users using this. 
>
> I'm really excited about the structured attacks that will be run against this 
> thing (cache poisoning... and nastier)... if (for example) when their (or 
> someone's) toolbar is installed, they ask if you'd like to use their 
> "improved" dns service [perhaps they have the whole universe cached to reduce 
> lookup times]. You'd sign up.
>   

I agree in a role-reversal method. I think there are amazing methods to
study the correlation and statistical rate of criminal groups and how
they're amassing so much data making things nTimes easier to steal,
spoof and create more frauds. Thanks Google! In fact, because they'd now
have one more tool to work against them, it's only a matter of time
before they become smarter (those tinkerers!) That leaves forensics
experts with something to gripe about. Too much of a workload.

http://www.youtube.com/watch?v=pq3YdpB6N9M

-- 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP

"It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently." - Warren Buffett

227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E




RE: news from Google

2009-12-03 Thread Scott Berkman
Also reminds me of the Level 3 DNS servers in the 4.2.2.[1-8++] range.

-Scott

-Original Message-
From: Jonathan Lassoff [mailto:j...@thejof.com] 
Sent: Thursday, December 03, 2009 1:51 PM
To: nanog
Subject: Re: news from Google

Excerpts from Charles Wyble's message of Thu Dec 03 10:44:49 -0800 2009:
> 8.8.8.8  6.6.6.6 would have been really really funny. :) 

Nice IPs from Level 3, huh?

6.6.6.6 belongs to the US Army.

--j





Re: AT&T SMTP Admin contact?

2009-12-03 Thread William Herrin
On Thu, Dec 3, 2009 at 1:25 AM, Chris Owen  wrote:
> On Dec 2, 2009, at 9:52 PM, valdis.kletni...@vt.edu wrote:
>
>> It only stops forgery if the SPF record has a -all in it (as hubris.net 
>> does).
>> However, a lot of domains (mine included) have a ~all instead.
>
> I guess I've never really seen the point of publishing a SPF record if it
> ends in ~all.  What are people supposed to do with that info?
>
> Spamassassin assigns it a score of 0.6 but that is low enough it
> really doesn't have much since it doesn't assign any negative
> points for SPF_PASS.

Chris,

In addition to pushing the spam assassin score a little more towards
tagging it as a spam, I use SPF to suppress backscatter from my
confirmation system. When I receive a message whose spam probability
is ambiguous (spamassassin score between 3 and 8), I generate a
confirmation request to the sender. This allows the sender to put the
message in front of me anyway if it turns out to have been a false
positive, as it occasionally does.

If you publish SPF records (even with ~all) and the source doesn't
match, I won't generate that request. You've given me sufficient
forward knowledge to detect the forgery so that I can silently drop
the spam and still comply with RFC 2821's "must."

Regards,
Bill Herrin



-- 
William D. Herrin  her...@dirtside.com  b...@herrin.us
3005 Crane Dr. .. Web: 
Falls Church, VA 22042-3004
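
The confirmation-request policy described in the message above, as an added example that is not part of the original post and is not Bill Herrin's code. The SPF evaluator is deliberately simplified (only ip4, ip6 and all are modelled), and the records, addresses, scores and the actions outside the 3 to 8 band are constructed assumptions.

```python
import ipaddress

# Assumption: the post only calls SpamAssassin scores between 3 and 8
# "ambiguous"; the actions outside that band are filled in for completeness.
AMBIGUOUS_LOW, AMBIGUOUS_HIGH = 3.0, 8.0

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip):
    """Return an SPF result for client_ip against a published record.

    Simplified: only the ip4, ip6 and all mechanisms are evaluated. Other
    mechanisms and modifiers (include, a, mx, redirect, ...) are skipped,
    so a real record that relies on them needs a full SPF library.
    """
    if record is None:
        return "none"                      # domain publishes no SPF record
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                    # default qualifier is "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":                  # -all => fail, ~all => softfail
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"         # malformed address in the record
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"                       # nothing matched and no "all"


def confirmation_action(sa_score, spf_result):
    """Decide what to do with a message, following the policy in the post."""
    if sa_score < AMBIGUOUS_LOW:
        return "deliver"                   # assumption: clearly not spam
    if sa_score > AMBIGUOUS_HIGH:
        return "treat-as-spam"             # assumption: clearly spam
    # Ambiguous band: a confirmation request to a forged sender is
    # backscatter. Published SPF that does not match the source, even with
    # ~all, is enough forward knowledge to drop silently instead.
    if spf_result in ("fail", "softfail"):
        return "drop-silently"
    return "send-confirmation-request"


def triage(record, client_ip, sa_score):
    """Evaluate SPF for the connecting IP, then apply the policy."""
    return confirmation_action(sa_score, evaluate_spf(record, client_ip))


# Constructed sample records using documentation address ranges.
HARD = "v=spf1 ip4:192.0.2.0/24 -all"
SOFT = "v=spf1 ip4:192.0.2.0/24 ~all"

if __name__ == "__main__":
    cases = [
        ("-all, forged source", HARD, "203.0.113.7", 5.2),
        ("~all, forged source", SOFT, "203.0.113.7", 5.2),
        ("~all, listed source", SOFT, "192.0.2.10", 5.2),
        ("no SPF record", None, "203.0.113.7", 5.2),
    ]
    for label, record, ip, score in cases:
        print(f"{label:22} -> {triage(record, ip, score)}")
```

For this policy ~all and -all behave identically: both stop the confirmation request from being sent to the forged address, which is the use for a ~all record that the reply describes.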



Re: news from Google

2009-12-03 Thread Curtis Maurand

Eduardo A. Suárez wrote:

> Hi,
>
> now Google DNS, anything more?
>
> http://googlecode.blogspot.com/2009/12/introducing-google-public-dns-new-dns.html
>
> Eduardo.-

yawn.  So not interested. 





New European IXP customer tool

2009-12-03 Thread Serge Radovcic
Just wanted to announce that we published a handy little tool for those
either already, or interested in, peering at a European IXP(s).

The Euro-IX ASN filter allows one to make use of our IXP database that
contains more than 4.800 ASNs that peer at IXPs around Europe. You can see
which ASNs peer where and what the overlap is between multiple IXPs and,
well more... just try it out and see.

https://www.euro-ix.net/member/m/asnfilter

All feedback is welcome

Serge
Euro-ix





Re: news from Google

2009-12-03 Thread Seth Mattinen
Stefan wrote:
> 
> I think of this as an obvious (not necessarily beneficial for all, of
> course) step for a company which lives out of advertisement - i.e. what if
> they could capture your habits for browsing at the FQDN-to-IP time -
> wouldn't that add more to their knowledge base?
> 

I'm certain they will be gathering statistics.

~Seth



RE: news from Google

2009-12-03 Thread Deepak Jain
> I think of this as an obvious (not necessarily beneficial for all, of
> course) step for a company which lives out of advertisement - i.e. what
> if
> they could capture your habits for browsing at the FQDN-to-IP time -
> wouldn't that add more to their knowledge base?
> 

I think there are amazing opportunities to data mine and prevent fraud if you 
can get a percentage of your users using this. 

I'm really excited about the structured attacks that will be run against this 
thing (cache poisoning... and nastier)... if (for example) when their (or 
someone's) toolbar is installed, they ask if you'd like to use their "improved" 
dns service [perhaps they have the whole universe cached to reduce lookup 
times]. You'd sign up.

And as the wave of software updates proceeds... well, talk about all your eggs 
in one basket.

Smart ISPs will have an ACL ready to hijack external DNS requests for their 
whole network in the (inevitable) event something *bad* happens one day and you 
need to restore service to your customers faster than they can figure out how 
to fix it themselves. Just a thought.

Deepak



Re: news from Google

2009-12-03 Thread Jorge Amodio
> I think of this as an obvious (not necessarily beneficial for all, of
> course) step for a company which lives out of advertisement - i.e. what if
> they could capture your habits for browsing at the FQDN-to-IP time -
> wouldn't that add more to their knowledge base?

They have a lot of smart people there trying to provide a good service
and do smart things, but as they are smart if a large number of users
use their resolvers that's a lot of juicy statistics that can be
monetized in some way.

They will find the way to do it. IMHO.

Jorge



Re: Leaving public peering?

2009-12-03 Thread Serge Radovcic
On Thu, 3 Dec 2009 10:53:46 -0500 Ken Chase  wrote:

>> Check out this report on the success of peering :
>> https://www.euro-ix.net/member/m/document/showDocument/id/158

> This seems to be a protected document behind login-only section of the
> site. Can anyone comment on whether the document should be publicly
> accessible? Would love to spread it around.

This report is available to the public at:

http://www.euro-ix.net/resources/reports/

Serge





Re: news from Google

2009-12-03 Thread bmanning

http://www.collegehumor.com/article:1793643

--bill


On Thu, Dec 03, 2009 at 02:12:58PM -0500, Bret Clark wrote:
> For sure...everyone remembers the Bill Gates Borg picture, but at this
> rate, Google will soon become the new poster child for that picture (or
> something comparable).   
> 
> Bret
> 
> 
> On Thu, 2009-12-03 at 10:48 -0800, Seth Mattinen wrote:
> 
> > No kidding. I must be the only one who is getting tired of seeing
> > Google
> > take over literally everything.
> > 
> > ~Seth



Re: news from Google

2009-12-03 Thread Stefan
On Thu, Dec 3, 2009 at 1:12 PM, Bret Clark  wrote:

> For sure...everyone remembers the Bill Gates Borg picture, but at this
> rate, Google will soon become the new poster child for that picture (or
> something comparable).
>
> Bret
>
>
> On Thu, 2009-12-03 at 10:48 -0800, Seth Mattinen wrote:
>
> > No kidding. I must be the only one who is getting tired of seeing
> > Google
> > take over literally everything.
> >
> > ~Seth
>

I think of this as an obvious (not necessarily beneficial for all, of
course) step for a company which lives out of advertisement - i.e. what if
they could capture your habits for browsing at the FQDN-to-IP time -
wouldn't that add more to their knowledge base?

***Stefan Mititelu
http://twitter.com/netfortius
http://www.linkedin.com/in/netfortius


Re: FW: news from Google

2009-12-03 Thread Joe Provo
On Thu, Dec 03, 2009 at 01:51:05PM -0500, Kain, Becki (B.) wrote:
> 
>  when is the European Union going to sue them for anti-trust, ala
> Microsoft?

More optional anycasted resolvers are somehow bad? [well, for 
simpleminded geolocation maybe]  Just another pair to slot 
alongside L3's and OpenDNS.

-- 
 RSUC / GweepNet / Spunk / FnB / Usenix / SAGE



Re: news from Google

2009-12-03 Thread Peter Beckman

On Thu, 3 Dec 2009, Seth Mattinen wrote:

> Jorge Amodio wrote:
>> now Google DNS, anything more?


 I'm surprised that Google's new DNS service does not return better results
 for google.com than some local DNS resolvers do.  My server is in Fairfax,
 VA.  Does Google use Anycast'ed IPs or is it still a hybrid of
 split-horizon DNS and other things, as discussed previously:

http://www.merit.edu/mail.archives/nanog/2009-02/threads.html#00269

 Here's the results from some various DNS servers for Google.com.  I
 thought Google had a datacenter in Ashburn, VA, but I'm not getting there.
 Maybe it's gone.  Maybe the shortest route doesn't matter anymore.

--> dig +short google.com @208.67.222.222 # OpenDNS
74.125.53.100
74.125.67.100
74.125.45.100
--> dig +short google.com @8.8.8.8 # Google DNS
74.125.67.100
74.125.53.100
74.125.45.100
--> dig +short google.com @8.8.4.4 # Google DNS 2
74.125.67.100
74.125.53.100
74.125.45.100
--> dig +short google.com @198.6.1.1 # UUNET/Verizon Cache server (cache00.ns.uu.net)
74.125.53.100
74.125.67.100
74.125.45.100
--> dig +short google.com @198.6.1.2
74.125.45.100
74.125.53.100
74.125.67.100
--> dig +short google.com @198.6.1.3
74.125.45.100
74.125.67.100
74.125.53.100
--> dig +short google.com @198.6.1.4
74.125.45.100
74.125.53.100
74.125.67.100
--> dig +short google.com @198.6.1.5
74.125.67.100
74.125.45.100
74.125.53.100
  * --> dig +short google.com @70.164.18.41 # Nova.org (Small VA ISP) Caching DNS
74.125.45.100
74.125.53.100
74.125.67.100
  * --> dig +short google.com @208.94.147.150 # Tiggee DNS (VA company)
74.125.45.100
74.125.67.100
74.125.53.100

--> ping -c 10 74.125.45.100
10 packets transmitted, 10 packets received, 0% packet loss
round-trip min/avg/max/stddev = 18.079/20.522/25.272/2.200 ms

--> ping -c 10 74.125.53.100
10 packets transmitted, 10 packets received, 0% packet loss
round-trip min/avg/max/stddev = 97.721/101.267/107.770/2.856 ms

--> ping -c 10 74.125.67.100
10 packets transmitted, 10 packets received, 0% packet loss
round-trip min/avg/max/stddev = 97.531/99.238/101.206/1.420 ms

 Only the last two starred DNS records returned what _seems_ to be the best
 result for Google.com.  Then again, someone from Google might be able to
 explain the logic behind the results.

 And to rip off the bandaid on the "What DNS Is Not" discussion, Google's
 DNS does return the expected NXDOMAIN for the very small test I did.

---
Peter Beckman  Internet Guy
beck...@angryox.com http://www.angryox.com/
---



Re: news from Google

2009-12-03 Thread Patrick W. Gilmore

Sent from my iPhone, please excuse any errors.

On Dec 3, 2009, at 13:08, Andrey Gordon  wrote:


> uf, another question I'll have to ask my users now:
>
> User: I can't get to the intranet.mycompanydomain.local! What did you
> break!?
> Me: Hey, you can't get to the intranet,domain.local? Did you make your
> laptop use Google DNS?

1) If $COMPANY does not force their VPN client to disallow external
DNS, shame on them.

2) You already have this issue.  Google is hardly the first, and
nowhere near the biggest (nor will they be in all likelihood, despite
their name).


3) I know, none of that matters.  You still get phone calls.

4) Welcome to the ISP business.

(Another reason I Am Not An Isp. :-)

--
TTFN,
patrick
 



Re: news from Google

2009-12-03 Thread Brandon Galbraith
On Thu, Dec 3, 2009 at 1:12 PM, Bret Clark  wrote:

> For sure...everyone remembers the Bill Gates Borg picture, but at this
> rate, Google will soon become the new poster child for that picture (or
> something comparable).
>
> Bret
>
>
I try to think of them as a benevolent dictator ;)

-brandon


>
> On Thu, 2009-12-03 at 10:48 -0800, Seth Mattinen wrote:
>
> > No kidding. I must be the only one who is getting tired of seeing
> > Google
> > take over literally everything.
> >
> > ~Seth
>



-- 
Brandon Galbraith
Mobile: 630.400.6992
FNAL: 630.840.2141


Re: news from Google

2009-12-03 Thread Bret Clark
For sure...everyone remembers the Bill Gates Borg picture, but at this
rate, Google will soon become the new poster child for that picture (or
something comparable).   

Bret


On Thu, 2009-12-03 at 10:48 -0800, Seth Mattinen wrote:

> No kidding. I must be the only one who is getting tired of seeing
> Google
> take over literally everything.
> 
> ~Seth


Re: news from Google

2009-12-03 Thread Andrey Gordon
uf, another question I'll have to ask my users now:

User: I can't get to the intranet.mycompanydomain.local! What did you
break!?
Me: Hey, you can't get to the intranet,domain.local? Did you make your laptop
use Google DNS?



-
Andrey Gordon [andrey.gor...@gmail.com]


Re: news from Google

2009-12-03 Thread Jonathan Lassoff
Excerpts from Charles Wyble's message of Thu Dec 03 10:44:49 -0800 2009:
> 8.8.8.8  6.6.6.6 would have been really really funny. :) 

Nice IPs from Level 3, huh?

6.6.6.6 belongs to the US Army.

--j



FW: news from Google

2009-12-03 Thread Kain, Becki (B.)

 when is the European Union going to sue them for anti-trust, ala
Microsoft?

-Original Message-
From: Seth Mattinen [mailto:se...@rollernet.us] 
Sent: Thursday, December 03, 2009 1:49 PM
To: nanog@nanog.org
Subject: Re: news from Google

Jorge Amodio wrote:
>> now Google DNS, anything more?
> 
> GoogleNation.
> 

No kidding. I must be the only one who is getting tired of seeing Google
take over literally everything.

~Seth




RE: news from Google

2009-12-03 Thread Xavier Banchon
GoogleWave?

Regards,

Xavier

-Original Message-
From: Jorge Amodio [mailto:jmamo...@gmail.com] 
Sent: Thursday, December 03, 2009 13:21
To: Eduardo A. Suárez
CC: nanog@nanog.org
Subject: Re: news from Google

> now Google DNS, anything more?

GoogleNation.

Cheers
Jorge




Re: news from Google

2009-12-03 Thread Seth Mattinen
Jorge Amodio wrote:
>> now Google DNS, anything more?
> 
> GoogleNation.
> 

No kidding. I must be the only one who is getting tired of seeing Google
take over literally everything.

~Seth



Re: news from Google

2009-12-03 Thread Charles Wyble
8.8.8.8  6.6.6.6 would have been really really funny. :) 


On Dec 3, 2009, at 10:21 AM, Jorge Amodio wrote:

>> now Google DNS, anything more?
> 
> GoogleNation.
> 
> Cheers
> Jorge
> 




Re: AT&T SMTP Admin contact?

2009-12-03 Thread Andre Engel


> -Original Message-
> From: Chris Owen [mailto:ow...@hubris.net]
> Sent: Thursday, 3 December 2009 07:25
> To: NANOG list
> Subject: Re: AT&T SMTP Admin contact?
> 
> On Dec 2, 2009, at 9:52 PM, valdis.kletni...@vt.edu wrote:
> 
> > It only stops forgery if the SPF record has a -all in it (as
> hubris.net does).
> > However, a lot of domains (mine included) have a ~all instead.
> 
> I guess I've never really seen the point of publishing a SPF record if
> it ends in ~all.  What are people supposed to do with that info?

For instance some ISPs or Freemail providers give their customers the
possibility to use SPF as a value added service to decide if "senders
domain" should be dropped in their suspicious-folders or not.

I also learned that SPF is qualified for senders reputation :
http://www.ceas.cc/2006/19.pdf
  
> Spamassassin assigns it a score of 0.6 but that is low enough it really
> doesn't have much since it doesn't assign any negative points for
> SPF_PASS.
>
> > (And before anybody asks, yes ~all is what we want, and no you can't
> > ask us to try -all instead, unless we're allowed to send you all the
> > helpdesk calls about misconfigured migratory laptops".. ;)
>
> I certainly understand that you may not be able to lock down your
> domain.  We don't even try for customers for instance.  However, if
> you can't, I guess I don't really see what good publishing a SPF record
> is if you tell people not to enforce it.


MAAWG published a document around : Trust in Email begins with
Authentication

http://www.maawg.org/about/publishedDocuments/MAAWG_Email_Authentication_Paper_2008-07.pdf
 
> Chris
> 
> ---
> --
> Chris Owen - Garden City (620) 275-1900 -  Lottery (noun):
> President  - Wichita (316) 858-3000 -A stupidity tax
> Hubris Communications Inc  www.hubris.net
> ---
> --
> 


Cheers

Andre 



 --
Andre Engel

Consulting Program Director,
Email and Cyber Intelligence Services    "..no ghost just a shell"



FHE3 GmbH          P: +49 721 869  5907
Scheffelstr. 17a   M: +49 160 962 44476
76135 Karlsruhe


andre.en...@fhe3.com
http://www.fhe3.com/

Mannheim District Court, HRB 702495
VAT ID: DE254677931
Managing Directors: Peter Eisenhauer, Michael Feger, Dimitrij Hilt








Re: Flash Media Servers as Open Proxies

2009-12-03 Thread Marshall Eubanks


On Dec 3, 2009, at 1:09 PM, Ray Sanders wrote:


> Marshall,
>
> Did you find out via published article, or your own research?
> Either way I'd like (if you don't mind) more information on this so
> I can investigate what impact there may be on our systems.

Via a DMCA take-down letter for a Cricket match that was sent to
AmericaFree.TV, and subsequent research into what was going on.

Regards
Marshall

> Thanks!
>
> Marshall Eubanks wrote:
>> I recently found out that the Adobe Flash Media Server (FMS) can
>> operate "out of the box" as an open proxy, enabling other people to
>> steal server resources and bandwidth. Furthermore, I also found that
>> there is an ecosystem of pirates taking advantage of this "feature" to
>> illegally stream sports events (and maybe other stuff as well). Each
>> event uses multiple (stolen) servers and can amount to thousands of
>> streams and Gbps of consumed bandwidth.
>>
>> I believe but am not 100% sure that there are similar problems with
>> Windows Media Servers.
>>
>> I would like to hear (off-list) from people who have experience
>> fighting this so that we could maybe pool techniques. I will try to
>> write this up further later.
>>
>> Regards
>> Marshall Eubanks
>
> --
> -"Prediction is very difficult, especially about the future."
> -Niels Bohr
> --
> Ray Sanders
> Linux Administrator
> Village Voice Media
> Office: 602-744-6547
> Cell: 602-300-4344






Re: news from Google

2009-12-03 Thread Jorge Amodio
> now Google DNS, anything more?

GoogleNation.

Cheers
Jorge



news from Google

2009-12-03 Thread Eduardo A. Suárez

Hi,

now Google DNS, anything more?

http://googlecode.blogspot.com/2009/12/introducing-google-public-dns-new-dns.html

Eduardo.-

--
Eduardo A. Suarez
Facultad de Ciencias Astronomicas y Geofisicas
Universidad Nacional de La Plata







Re: Flash Media Servers as Open Proxies

2009-12-03 Thread Ray Sanders

Marshall,

Did you find out via published article, or your own research? 

Either way I'd like (if you don't mind) more information on this so I 
can investigate what impact there may be on our systems.



Thanks!

Marshall Eubanks wrote:
> I recently found out that the Adobe Flash Media Server (FMS) can
> operate "out of the box" as an open proxy, enabling other people to
> steal server resources and bandwidth. Furthermore, I also found that
> there is an ecosystem of pirates taking advantage of this "feature" to
> illegally stream sports events (and maybe other stuff as well). Each
> event uses multiple (stolen) servers and can amount to thousands of
> streams and Gbps of consumed bandwidth.
>
> I believe but am not 100% sure that there are similar problems with
> Windows Media Servers.
>
> I would like to hear (off-list) from people who have experience
> fighting this so that we could maybe pool techniques. I will try to
> write this up further later.
>
> Regards
> Marshall Eubanks





--
-"Prediction is very difficult, especially about the future."
-Niels Bohr
--
Ray Sanders
Linux Administrator
Village Voice Media
Office: 602-744-6547
Cell: 602-300-4344




Re: What DNS Is Not

2009-12-03 Thread Jorge Amodio
Preemptive action or smart move?

http://googlecode.blogspot.com/2009/12/introducing-google-public-dns-new-dns.html

Cool IP address to remember though (8.8.8.8)

Cheers
Jorge



RE: port scanning from spoofed addresses

2009-12-03 Thread Matthew Huff
I'm not at all concerned about door-knob twisting or network scanning. What 
concerns me is that the source addresses are spoofed from our address range and 
that our upstream providers aren't willing to even look at the problem. 


Matthew Huff   | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com  | Phone: 914-460-4039
aim: matthewbhuff  | Fax:   914-460-4139


-Original Message-
From: Charles Wyble [mailto:char...@thewybles.com] 
Sent: Thursday, December 03, 2009 1:01 PM
To: Matthew Huff
Cc: Florian Weimer; (nanog@nanog.org)
Subject: Re: port scanning from spoofed addresses


On Dec 3, 2009, at 9:53 AM, Matthew Huff wrote:

> The source address appears to be fixed as well as the source port (), 
> scanning different destinations and ports.
> 
> 


Some script kiddies found nmap and decided to target you for some reason. It 
happens. It's annoying. 



Re: port scanning from spoofed addresses

2009-12-03 Thread Charles Wyble

On Dec 3, 2009, at 9:53 AM, Matthew Huff wrote:

> The source address appears to be fixed as well as the source port (), 
> scanning different destinations and ports.
> 
> 


Some script kiddies found nmap and decided to target you for some reason. It 
happens. It's annoying. 


Re: Flash Media Servers as Open Proxies

2009-12-03 Thread Charles Wyble
H..

This is most interesting. Have you spoken with Adobe about the issue? I don't 
have an immediate handle on how they have reacted to security issues in the 
past. 
Sane defaults would be nice. :( 

You might want to ping Akamai as they have substantial operational experience 
with flash media server. 

I look forward to a writeup on the topic. 


On Dec 3, 2009, at 9:45 AM, Marshall Eubanks wrote:

> I recently found out that the Adobe Flash Media Server (FMS) can operate
> "out of the box" as an open proxy, enabling other people to steal server
> resources and bandwidth. Furthermore, I also found that there is an
> ecosystem of pirates taking advantage of this "feature" to illegally
> stream sports events (and maybe other stuff as well). Each event uses
> multiple (stolen) servers and can amount to thousands of streams and Gbps
> of consumed bandwidth.
> 
> I believe but am not 100% sure that there are similar problems with
> Windows Media Servers.
> 
> I would like to hear (off-list) from people who have experience fighting
> this so that we could maybe pool techniques. I will try to write this up
> further later.
> 
> Regards
> Marshall Eubanks
> 




RE: port scanning from spoofed addresses

2009-12-03 Thread Matthew Huff
The source address appears to be fixed as well as the source port (), 
scanning different destinations and ports.


Matthew Huff   | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com  | Phone: 914-460-4039
aim: matthewbhuff  | Fax:   914-460-4139


-Original Message-
From: Florian Weimer [mailto:fwei...@bfk.de] 
Sent: Thursday, December 03, 2009 12:35 PM
To: Matthew Huff
Cc: (nanog@nanog.org)
Subject: Re: port scanning from spoofed addresses

* Matthew Huff:

> We are seeing a large number of tcp connection attempts to ports
> known to have security issues. The source addresses are spoofed from
> our address range. They are easy to block at our border router
> obviously, but the number and volume is a bit worrisome. Our
> upstream providers appear to be uninterested in tracing or blocking
> them. Is this the new normal? One of my concerns is that if others
> are seeing probe attempts, they will see them from these addresses
> and of course, contact us.

What's the distribution of the source addresses and source ports?

-- 
Florian Weimer
BFK edv-consulting GmbH   http://www.bfk.de/
Kriegsstraße 100  tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99



Flash Media Servers as Open Proxies

2009-12-03 Thread Marshall Eubanks
I recently found out that the Adobe Flash Media Server (FMS) can
operate "out of the box" as an open proxy, enabling other people to
steal server resources and bandwidth. Furthermore, I also found that
there is an ecosystem of pirates taking advantage of this "feature" to
illegally stream sports events (and maybe other stuff as well). Each
event uses multiple (stolen) servers and can amount to thousands of
streams and Gbps of consumed bandwidth.

I believe but am not 100% sure that there are similar problems with
Windows Media Servers.

I would like to hear (off-list) from people who have experience
fighting this so that we could maybe pool techniques. I will try to
write this up further later.

Regards
Marshall Eubanks



RE: port scanning from spoofed addresses

2009-12-03 Thread Stefan Fouant
> -Original Message-
> From: Matthew Huff [mailto:mh...@ox.com]
> Sent: Thursday, December 03, 2009 12:05 PM
> 
> but the number and volume is a bit worrisome. Our upstream providers
> appear to be uninterested in tracing or blocking them. Is this the new
> normal?

Yes, it's the new norm... same as the old norm... I'm surprised they didn't
try to upsell you on some type of managed DDoS solution...

Stefan Fouant
www.shortestpathfirst.net
GPG Key ID: 0xB5E3803D




Re: port scanning from spoofed addresses

2009-12-03 Thread Florian Weimer
* Matthew Huff:

> We are seeing a large number of tcp connection attempts to ports
> known to have security issues. The source addresses are spoofed from
> our address range. They are easy to block at our border router
> obviously, but the number and volume is a bit worrisome. Our
> upstream providers appear to be uninterested in tracing or blocking
> them. Is this the new normal? One of my concerns is that if others
> are seeing probe attempts, they will see them from these addresses
> and of course, contact us.

What's the distribution of the source addresses and source ports?

-- 
Florian Weimer
BFK edv-consulting GmbH   http://www.bfk.de/
Kriegsstraße 100  tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99
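
One way to answer the distribution question asked above from border flow logs, as an added example that is not part of the original thread. The log format, interface names, prefix and every sample line (including the source port, which the thread does not show) are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Assumptions for illustration: our own address block and the names of the
# interfaces that face upstream providers.
OWN_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]
UPSTREAM_IFACES = {"upstream0", "upstream1"}

# Constructed flow-log lines: ingress-iface src sport dst dport tcp-flags
SAMPLE_LOG = """\
upstream0 198.51.100.77 6000 198.51.100.10 135 S
upstream0 198.51.100.77 6000 198.51.100.11 445 S
upstream1 198.51.100.77 6000 198.51.100.12 1433 S
upstream0 203.0.113.5 51515 198.51.100.10 443 S
inside0 198.51.100.20 40000 192.0.2.80 80 S
upstream0 198.51.100.77 6000 198.51.100.13 135 S
"""


def parse_flow(line):
    """Split one whitespace-separated flow record into typed fields."""
    iface, src, sport, dst, dport, flags = line.split()
    return {
        "iface": iface,
        "src": ipaddress.ip_address(src),
        "sport": int(sport),
        "dst": ipaddress.ip_address(dst),
        "dport": int(dport),
        "flags": flags,
    }


def is_spoofed_own_source(flow):
    """True when a packet claiming one of our addresses arrives from outside.

    Our own prefixes should never appear as a source on an upstream-facing
    interface, so such a packet is spoofed (or a routing loop) by definition.
    """
    if flow["iface"] not in UPSTREAM_IFACES:
        return False
    return any(flow["src"] in net for net in OWN_PREFIXES)


def summarize(log_text):
    """Tally source addresses and ports of spoofed flows, plus target spread."""
    src_addrs, src_ports, dst_ports = Counter(), Counter(), Counter()
    dst_hosts = set()
    for line in log_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        if not is_spoofed_own_source(flow):
            continue
        src_addrs[str(flow["src"])] += 1
        src_ports[flow["sport"]] += 1
        dst_ports[flow["dport"]] += 1
        dst_hosts.add(flow["dst"])
    total = sum(src_addrs.values())
    return {
        "spoofed": total,
        "src_addrs": dict(src_addrs),
        "src_ports": dict(src_ports),
        "dst_ports": dict(dst_ports),
        "dst_hosts": len(dst_hosts),
        # One source address and one source port across many targets is the
        # "fixed source" pattern reported later in the thread.
        "fixed_source": total > 0 and len(src_addrs) == 1 and len(src_ports) == 1,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key:12} {value}")
```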



Calling Comcast Postmaster or whomever actually is responsible for Comcast RBL maintenance

2009-12-03 Thread Chris Stebner
For over a month now I've been fighting with Comcast Customer Security
Assurance regarding a simple BlackList issue. Apparently there is some
disconnect between internal applications and their ability to report
BlackList status accurately and the 'actual' BlackList rule-set. Supposedly
the ticket has been escalated to 'admin' and 'engineering' multiple times to
no avail. Currently we are waiting for engineering again to examine the
issue.

The block is owned by us, a facilities based CLEC in business for over 10
years. The /24 in question is used for business T1's.

If anyone has any contacts, ideas or the power to resolve the issue I'd be
elated to hear from you.


Thank you all for your time,

Chris Stebner
970-403-0102


port scanning from spoofed addresses

2009-12-03 Thread Matthew Huff
We are seeing a large number of tcp connection attempts to ports known to have 
security issues. The source addresses are spoofed from our address range. They 
are easy to block at our border router obviously, but the number and volume is 
a bit worrisome. Our upstream providers appear to be uninterested in tracing or 
blocking them. Is this the new normal? One of my concerns is that if others are 
seeing probe attempts, they will see them from these addresses and of course, 
contact us.

Any suggestions on what to do next? Or just ignore.


Matthew Huff   | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com  | Phone: 914-460-4039
aim: matthewbhuff  | Fax:   914-460-4139





Re: Leaving public peering?

2009-12-03 Thread Ken Chase
  >Check out this report on the success of peering :  
  >https://www.euro-ix.net/member/m/document/showDocument/id/158

This seems to be a protected document behind login-only section of the
site. Can anyone comment on whether the document should be publicly
accessible? Would love to spread it around.

Thank you.

/kc
-- 
Ken Chase - k...@heavycomputing.ca - +1 416 897 6284 - Toronto CANADA
Heavy Computing - Clued bandwidth, colocation and managed linux VPS @151 Front St. W.



Re: Comcast outage in central NJ

2009-12-03 Thread tvest
There was a total outage for 6+ hours in at least one Richmond VA
neighborhood yesterday, ending around 6:00PM.
Cable STB software had clearly been updated when everything came back
up, but I have no idea whether the two events were related.

TV

On Dec 3, 2009, at 9:27 AM, Jeffrey Negro wrote:

> Update - Comcast repaired the problem.  Not sure if there are other
> areas still with problems though.
>
> Jeffrey
>
> -Original Message-
> From: Jeffrey Negro [mailto:jne...@billtrust.com]
> Sent: Thursday, December 03, 2009 8:04 AM
> To: NANOG
> Subject: Comcast outage in central NJ
>
> There appears to be a Comcast outage in central NJ, more specifically in
> the South Brunswick area.  Comcast appears to be aware of the outage as
> per the message I got when I called them.  Anyone hear any details on
> the issue, or an ETA for repair yet?
>
> Jeffrey






Re: Leaving public peering?

2009-12-03 Thread Andy Davidson


On 2 Dec 2009, at 20:46, Lasher, Donn wrote:

> This year I've been seeing what appears to be an increasing trend among
> service providers.. making the decision to leave public peering.

Peering is often sold as 'cheaper than transit' - for everyone that is
a gross generalisation, for many networks it is not true, but for some
networks it is true.  But when managed properly peering should always
lead to improved customer experience (speed of access, latency,
availability) and access to a community of like minded operators with
a common interest.

Therefore, certainly in Europe, we are seeing a growth in the number
of networks peering - and from an ever increasingly wide section of
the community (service providers, content, e-commerce, enterprise,
gaming, education/research networks...).  And with a falling cost in
long haul transmission we are seeing networks in Europe peer mode in
the US, and networks from all over the world peering in Europe.

Check out this report on the success of peering :
https://www.euro-ix.net/member/m/document/showDocument/id/158

  and then talk to exchange operators in the community about
how you too can get involved. :-)







--
Regards, Andy Davidson
Director, LONAP Ltd
http://www.lonap.net/




RE: Comcast outage in central NJ

2009-12-03 Thread Jeffrey Negro
Update - Comcast repaired the problem.  Not sure if there are other
areas still with problems though.

Jeffrey

-Original Message-
From: Jeffrey Negro [mailto:jne...@billtrust.com] 
Sent: Thursday, December 03, 2009 8:04 AM
To: NANOG
Subject: Comcast outage in central NJ

There appears to be a Comcast outage in central NJ, more specifically in
the South Brunswick area.  Comcast appears to be aware of the outage as
per the message I got when I called them.  Anyone hear any details on
the issue, or an ETA for repair yet?

 

Jeffrey



Re: Consumer Grade - IPV6 Enabled Router Firewalls.

2009-12-03 Thread Mark Newton



On 03/12/2009, at 22:46, "TJ" wrote:

> > From: Mark Newton [mailto:new...@internode.com.au]
> > On 03/12/2009, at 9:51 AM, Dave Temkin wrote:
> >
> > > You're correct, out of the box there aren't many.  The first couple that
> > > come to mind are the Apple Airport Express and Airport Extreme, but I don't
> > > believe Linksys/Netgear/etc. have support out of the box.
> >
> > The Apple products do 6to4 out of the box, but don't support v6 natively.
>
> FWIW - The (Cisco) Linksys 610N does (and perhaps others do?) the same
> amount of IPv6 the Airport Extreme does - 6to4, SLAAC - out of the box, by
> default.  In fact, I am not sure you can turn it off ..


Yep -- which is worse than useless in the presence of a service
provider that's already offering dual-stack service.

"Here! Have a v6 address. We'll even give you a moderately large
prefix if you run a DHCPv6-PD client... Oh, what? You're going to
ignore all that and use a 6to4 gateway and pessimize the v6 routing
decisions we've made? And live in one /64 even though every man and
his dog reckons service providers ought to be handing out /56's or
/48's? Gee, glad we went to the effort..."

Sadly the easiest way for residential subscribers to get IPv6 on PPPoE
in 2009 is to put their CPE into "bridge" mode and run the PPPoE
client on a PC.


The vendors have really dropped the ball on this.

(glares at Cisco/Linksys)

   - mark



Comcast outage in central NJ

2009-12-03 Thread Jeffrey Negro
There appears to be a Comcast outage in central NJ, more specifically in
the South Brunswick area.  Comcast appears to be aware of the outage as
per the message I got when I called them.  Anyone hear any details on
the issue, or an ETA for repair yet?

 

Jeffrey



RE: Consumer Grade - IPV6 Enabled Router Firewalls.

2009-12-03 Thread TJ
> From: Mark Newton [mailto:new...@internode.com.au]
> On 03/12/2009, at 9:51 AM, Dave Temkin wrote:
> 
> > You're correct, out of the box there aren't many.  The first couple that
> > come to mind are the Apple Airport Express and Airport Extreme, but I don't
> > believe Linksys/Netgear/etc. have support out of the box.
> 
> The Apple products do 6to4 out of the box, but don't support v6 natively.

FWIW - The (Cisco) Linksys 610N does (and perhaps others do?) the same
amount of IPv6 the Airport Extreme does - 6to4, SLAAC - out of the box, by
default.  In fact, I am not sure you can turn it off ...


/TJ




Re: Consumer Grade - IPV6 Enabled Router Firewalls.

2009-12-03 Thread Mohacsi Janos




On Thu, 3 Dec 2009, Matthew Moyle-Croft wrote:

> Mohacsi Janos wrote:
>
> > According to Apple the latest Apple Airport Extreme does support DHCPv6
> > prefix delegation and native IPv6 uplink not only 6to4.
>
> Airports don't support DHCPv6 PD yet.   I'm led to believe that they may in
> the future from my Apple friends but not yet.

It does to a limited extent:
http://lists.apple.com/archives/Ipv6-dev/2009/Oct/msg00086.html

I will check the hardware soon.


Best Regards,
Janos Mohacsi




Re: AT&T SMTP Admin contact?

2009-12-03 Thread Sean Donelan

On Wed, 2 Dec 2009, valdis.kletni...@vt.edu wrote:

> (And before anybody asks, yes ~all is what we want, and no you can't ask us
> to try -all instead, unless we're allowed to send you all the helpdesk calls
> about misconfigured migratory laptops".. ;)

While I'll remain neutral about the specifics of SPF (and all the other
solutions), the legacy problem comes up trying to secure anything.  If
it (and I deliberately leave "it" undefined) had never worked, no one
would complain. Of course, there will always be someone who goes to one
extreme or the other extreme.  People were dropping heavily spoofed
domains before SPF anyway.

At what point do we consider legacy support not worth it?  It took 10+
years, but now almost no SMTP servers allow open relay by default.  Will
it take another 10+ years to stop supporting misconfigured migratory
laptops by default?





Re: Consumer Grade - IPV6 Enabled Router Firewalls.

2009-12-03 Thread Cesar Olvera
A list of CPEs, routers, firewalls and other hardware and software is at
http://www.ipv6-to-standard.org/


César Olvera


-Original Message-
From: Wade Peacock [mailto:wade.peac...@sunwave.net] 
Sent: Wednesday, December 02, 2009 5:16 PM
To: nanog@nanog.org
Subject: Consumer Grade - IPV6 Enabled Router Firewalls.

We had a discussion today about IPv6 today. During our open thinking the
topic of client equipment came up.
We all commented that we have not seen any consumer grade IPv6 enabled
internet gateways (routers/firewalls), akin to the ever popular
Linksys 54G series, DLinks, SMCs or Netgears.

Does anyone have any leads to information about such products (In production
or planned production)?

We are thinking that most vendors are going to wait until Ma and Pa home
user are screaming for them.

Thoughts?


-- 
Wade Peacock
Sun Country Cablevision Ltd











Re: Consumer Grade - IPV6 Enabled Router Firewalls.

2009-12-03 Thread Matthew Moyle-Croft



Mohacsi Janos wrote:

> According to Apple the latest Apple Airport Extreme does support
> DHCPv6 prefix delegation and native IPv6 uplink not only 6to4.

Airports don't support DHCPv6 PD yet.   I'm led to believe that they may
in the future from my Apple friends but not yet.


MMC



Re: Consumer Grade - IPV6 Enabled Router Firewalls.

2009-12-03 Thread Joel Jaeggli


Wade Peacock wrote:
> We had a discussion today about IPv6 today. During our open thinking the
> topic of client equipment came up.
> We all commented that we have not seen any consumer grade IPv6 enabled
> internet gateways (routers/firewalls), akin to the ever popular Linksys
> 54G series, DLinks, SMCs or Netgears.

Do you have an apple airport extreme or a linksys wrt610n? the WRTs of
the world all 40 or so of the variants of that thing that have ever
existed are rather old and in many cases bizarrely resource limited.

> Does anyone have any leads to information about such products (In
> production or planned production)?
> 
> We are thinking that most vendors are going to wait until Ma and Pa home
> user are screaming for them.

Vendors are in business of stimulating the replacement cycle by adding
features... right now the magic words are gigabit ethernet and 802.11n.

Chances are ma and pa won't even know the device they have has ipv6 (do they
know it has ipv4?) unless it has a big-ass sticker on the outside of the
box.

like this i/o data ap from 2006...

http://akiba-pc.watch.impress.co.jp/hotline/20060923/image/m060920r34.html


> Thoughts?

your next wireless ap has 2-6 radio phys, an 800mhz mips processor and 64MB
of ram, there's a lot of things it can do that your old one can't



Re: Consumer Grade - IPV6 Enabled Router Firewalls.

2009-12-03 Thread Mohacsi Janos



On Thu, 3 Dec 2009, Mark Newton wrote:

> On 03/12/2009, at 9:51 AM, Dave Temkin wrote:
>
> > You're correct, out of the box there aren't many.  The first couple that come
> > to mind are the Apple Airport Express and Airport Extreme, but I don't believe
> > Linksys/Netgear/etc. have support out of the box.
>
> The Apple products do 6to4 out of the box, but don't support v6 natively.
>
> Apple seems to have ideological objections to DHCPv6, so at the moment
> there's little hope at all that prefix delegation will work on any of their
> CPE products.

According to Apple the latest Apple Airport Extreme does support DHCPv6
prefix delegation and native IPv6 uplink not only 6to4.


Best Regards,
Janos Mohacsi