Re: Request Spamhaus contact
On Mon, Jan 17, 2011 at 11:59 PM, JC Dill jcdill.li...@gmail.com wrote:
> On 17/01/11 5:40 PM, Jeffrey Lyon wrote:
>> I'm not a spammer. I'm an ISP asking to be removed from Spamhaus for having fixed the SBL listings set in the last 72 hours. I'm not exactly ROKSO material.
>>
>> Jeff
>>
>> On Mon, Jan 17, 2011 at 8:07 PM, Chris Owen ow...@hubris.net wrote:
>>> On Jan 17, 2011, at 6:42 PM, Jeffrey Lyon wrote:
>>>> I fat fingered the netmask, try now.
>>>
>>> I've asked privately but would it really be too much to take this off NANOG? Spammer complaining he is on an RBL is hardly relevant.
>>>
>>> Chris
>
> Sigh.
>
> First, please quit with the top posting Jeff. (I refer you to the NANOG FAQ for elaboration on why this is not an acceptable format for posting to this list.)
>
> Second, this entire thread IS OFF TOPIC for NANOG. Which you would know if you had bothered to read the FAQ before posting. There are many discussion forums for talking about spam and RBLs, and NANOG is not one of them. http://www.nanog.org/mailinglist/listfaqs/otherlists.php
>
> Third, you are not doing your reputation any good with this thread. Your entire tone is one of "I'm so important that the rules don't apply to me. They need to stop blocking me right now. Even when I'm wrong (when spammers' sites are still active because I don't know how to properly null-route their IPs, or shut down their server, or I fat fingered the fix and didn't bother to double check that it's really blocked now), they still need to stop blocking me Right Now."
>
> You may not be aware that this list is publicly archived on the web in several different locations. Anyone who bothers to google your name (e.g. a future employer) is likely to discover this thread and be less than impressed. Any future posts are only going to add to the problem, not help fix it.
>
> jc

JC,

It was blocked and I did verify it. A very small amount of our traffic comes in on PCCW and *they* were not honoring a tag that they've contractually agreed to honor.

I can understand why it may be fun to make this look like a product of my own incompetence, and perhaps it is something I would have noticed if I wasn't busy responding to flames.

--
Jeffrey Lyon, Leadership Team
jeffrey.l...@blacklotus.net | http://www.blacklotus.net
Black Lotus Communications - AS32421
First and Leading in DDoS Protection Solutions
Re: Request Spamhaus contact
On 17/01/11 5:40 PM, Jeffrey Lyon wrote:
> I'm not a spammer. I'm an ISP asking to be removed from Spamhaus for having fixed the SBL listings set in the last 72 hours. I'm not exactly ROKSO material.
>
> Jeff

http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=AS:32421

Safe Browsing Diagnostic page for AS32421 (BLCC)

What happened when Google visited sites hosted on this network?
Of the 837 site(s) we tested on this network over the past 90 days, 13 site(s), including, for example, temagay.com/, inndir.com/, ivbux.com/, served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2011-01-17, and the last time suspicious content was found was on 2011-01-17.

Has this network hosted sites acting as intermediaries for further malware distribution?
Over the past 90 days, this network has not hosted any sites that appeared to function as intermediaries for the infection of any other sites.

Has this network hosted sites that have distributed malware?
Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 2 site(s), including, for example, aresdownload.net/, xvid.com/, that infected 74 other site(s), including, for example, just4cruisers.com/, filmindirsene.tk/, skootterini.com/.
RE: Request Spamhaus contact
> It was blocked and I did verify it. A very small amount of our traffic comes in on PCCW and *they* were not honoring a tag that they've contractually agreed to honor.
>
> I can understand why it may be fun to make this look like a product of my own incompetence, and perhaps it is something I would have noticed if I wasn't busy responding to flames.

It may be a good policy going forward to do your own null-routes. I realize that for a DDOS protection company, the ability to tag nullroutes upstream is handy, but you also need to nullroute the traffic on your own gear, or shut down the switch port. Something that is completely independent of another organization, regardless of their contractual obligations to you.

If you were my employee, I would find the fact that you fat-fingered a nullroute to be highly concerning. I would recommend that in addition to changing the way you do nullroutes, you also implement a change control policy which screens commands for approval before making configuration changes upon which your public declarations, and your reputation as a decent operator, rely.

Nathan Eisenberg
Re: Request Spamhaus contact
On 18 January 2011 10:00, Michael Painter tvhaw...@shaka.com wrote:
> http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=AS:32421

I'm completely neutral in all of this but to be fair to BL - here's the well respected Level3's results: http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=AS:3356 (who also actually provide bandwidth for google): 231 malicious sites, 14 infection intermediaries, and has hosted 29 sites that have infected 111 other sites. Then we have Global Crossing: http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=AS:3549.

Should we all stop using these ISPs because they have hosted some bad guys? Obviously they know about them because google has the information. Does this mean they don't have proper monitoring or control of their network? (FTR those are rhetorical questions)

I used to work for a company that had some mailing lists that users explicitly and knowingly signed up for, and lazy people used to click the Spam button on AOL and other providers - either because it was right beside delete or because they were too lazy to click the unsubscribe link. As a result, Level 3 used to forward on the automated spam complaints to our abuse department and we would usually act on them by unsubscribing the person ourselves (although they usually tried to munge most of the complainants' identifiable credentials from the forwarded emails). They were very responsive and demanded respect (in the sense that they don't like spammers), yet they are hosting hundreds of malicious sites. Had they shut us down due to a few spam complaints (which were never actually unsolicited) I have no doubt they would be immediately encountering severe legal action.

Black Lotus are pretty much in the same boat but are in a bit of a worse situation since people rely on them for protection so they are more exposed to the transparency limelight. They provide clean pipe bandwidth for some sites but might not always know what is on those sites.

Regards,
Ken
Re: Request Spamhaus contact
On Tuesday 18 January 2011 11:46:53 Ken Gilmour wrote:
> Obviously they know about them because google has the information.

I'm not sure this is a reasonable deduction.
Re: Request Spamhaus contact
On 18 January 2011 13:10, Simon Waters sim...@zynet.net wrote:
>> Obviously they know about them because google has the information.
>
> I'm not sure this is a reasonable deduction.

Correct - it is completely unreasonable. I was using it as an example in reference to a larger, well known provider since earlier someone had mentioned that obviously, since google had this information, BL's monitoring was inadequate as they didn't know about it themselves. Google knows about lots of things that people in general probably don't know about themselves.

FTR - I have no doubt that Level 3 have amazing monitoring and infrastructure, and think I understand why it might be hard to find 231 bad apples in a basket of over 292492.
Re: Request Spamhaus contact
> We don't *care* if you got this issue with Spamhaus resolved. You turned it into a much *larger* problem than that.

Really? Problem solved:

    % cat - sendmail-access
    From:jeffrey.l...@gmail.com        550 Mail refused
    From:jeffrey.l...@blacklotus.net   550 Mail refused
    Connect:199.59.160                 550 Mail refused
    Connect:199.59.161                 550 Mail refused
    Connect:199.59.162                 550 Mail refused
    Connect:199.59.163                 550 Mail refused
    Connect:199.59.164                 550 Mail refused
    Connect:199.59.165                 550 Mail refused
    Connect:199.59.166                 550 Mail refused
    Connect:199.59.167                 550 Mail refused
    Connect:208.64.120                 550 Mail refused
    Connect:208.64.121                 550 Mail refused
    Connect:208.64.122                 550 Mail refused
    Connect:208.64.123                 550 Mail refused
    Connect:208.64.124                 550 Mail refused
    Connect:208.64.125                 550 Mail refused
    Connect:208.64.126                 550 Mail refused
    Connect:208.64.127                 550 Mail refused
    ^D
    % sh update-mxers
    %

Life simplification through automation / shell scripting. (Which reminds me, I really need a tool to add an ASN to the Sendmail access file automatically.)

... Oh, wait, you meant a problem for *Jeffrey.* Yes, that could be.

... JG

--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.
Re: Nexus 5000 with 4G FC module - initialization ?
Steve Fischer sfischer1...@gmail.com wrote:
> If I'm not mistaken, there is an additional license needed to activate Fibre-Channel services on the Nexus family of switches.

Dantzig, Brian bdant...@medline.com wrote:
> You need to turn on fcoe support with the configuration command "feature fcoe". You will also need the appropriate license for fabric services. But even without the license you should be able to enter fc commands. They just won't work until you add the license. Without the "feature fcoe", the interface type won't even show up in command help. There are other storage fabric related services that you may want to turn on with the feature command as well.

This did the trick. After enabling "feature fcoe" the ports show up!

It might be important for some others: with the regular "show interface" the Nexus only shows the Ethernet ports. You have to do a "show interface brief" to see the FC ports as well.

Anyways.. it is still a question for me if everybody wants to have FCoE when FC only is needed?

Thanks for your fast help
Thomas
Looking for fiber
We are looking for fiber in the Port St Lucie/Stuart area of Florida, maybe as far north as Fort Pierce. Anyone have, or know who has, fiber in this area? Feel free to hit me on or off list. Thanks.

Nick Olsen
Network Operations
(855) FLSPEED x106
Software DNS high availability and load balancer solution
Does anyone know of software solutions (free is preferable) like Cisco GSS and F5 BIG-IP? The main point is that the DNS server (or DNS server plugin) must be able to monitor server availability (for example by TCP connect) and the DNS reply must depend on it. I know that it is possible with BIND and a set of scripts. But we are trying to find a more usable solution with a friendly interface. Thanks a lot.
Re: Software DNS high availability and load balancer solution
On 1/18/2011 11:42 AM, Sergey Voropaev wrote:
> I know that it is possible with BIND and a set of scripts. But we are trying to find a more usable solution with a friendly interface.

I think powerdns is more flexible in this regard. Not sure about a friendly interface, though.

Jack
Dual Homed BGP for failover
Hi,

I'm looking at a setup where we use BGP to announce PI space to two upstream ISPs. ISP A provides a 30Mb/s connection and ISP B provides a 10Mb/s. Originally the plan was to use ISP B's link as a backup and local pref traffic outbound via ISP A and pref inbound using AS prepend via ISP A. It has now been requested to be able to distribute traffic across both links rather than preference traffic to the higher speed link. We are going to be using Juniper SRX210s to do this.

I have some questions:

- Is this really a good idea, as the BGP process won't care what the utilisation of the links are and you will see situations where the lower speed link gets used even though the high speed link utilisation is 0?
- If we are doing this, I don't want to take a full routing table, I would rather just take the ISPs routes and perhaps their connected customers. One ISP has said they will only provide full routing table or default. I really don't want to take a full table, is receiving default only going to be a problem for my setup?
- Any advice on how to avoid situations where the low bandwidth link is being used even though there is 0 utilisation on the high bandwidth link?

Thanks
Ahmed
Re: Dual Homed BGP for failover
You can just accept directly-connected peers from each network (or within 2 AS's, etc) then point a default at each one with different preferences. You can do this with two edges if you like also: iBGP between the edges, and push default into OSPF from both.

WRT dynamic load balancing... generally if your network is large enough for two upstreams you'll have a pretty good distribution of flows so once you get the prefs and prepends setup the way you like, things won't shift that rapidly. In my experience at least...

-Jack Carrozzo

On Tue, Jan 18, 2011 at 1:32 PM, Ahmed Yousuf ayousuf0...@gmail.com wrote:
> Hi,
>
> I'm looking at a setup where we use BGP to announce PI space to two upstream ISPs. ISP A provides a 30Mb/s connection and ISP B provides a 10Mb/s. Originally the plan was to use ISP B's link as a backup and local pref traffic outbound via ISP A and pref inbound using AS prepend via ISP A. It has now been requested to be able to distribute traffic across both links rather than preference traffic to the higher speed link. We are going to be using Juniper SRX210s to do this.
>
> I have some questions:
>
> - Is this really a good idea, as the BGP process won't care what the utilisation of the links are and you will see situations where the lower speed link gets used even though the high speed link utilisation is 0?
> - If we are doing this, I don't want to take a full routing table, I would rather just take the ISPs routes and perhaps their connected customers. One ISP has said they will only provide full routing table or default. I really don't want to take a full table, is receiving default only going to be a problem for my setup?
> - Any advice on how to avoid situations where the low bandwidth link is being used even though there is 0 utilisation on the high bandwidth link?
>
> Thanks
> Ahmed
Re: Software DNS high availability and load balancer solution
On Tue, Jan 18, 2011 at 12:42 PM, Sergey Voropaev serge.devo...@gmail.com wrote:
> Does anyone know of software solutions (free is preferable) like Cisco GSS and F5 BIG-IP? The main point is that the DNS server (or DNS server plugin) must be able to monitor server availability (for example by TCP connect) and the DNS reply must depend on it.

Sergey,

I have no suggestions that directly answer your question. I'd write a script against bind myself.

But if you're trying to fail over a web server, you're walking into a nasty trap. DNS pinning obstructs web browsers from finding a server on an alternate IP address regardless of the DNS TTL. The core issue is that allowing a browser running javascript to connect to a server other than the one from which the script came is a gigantic security hole. Someone realized you could do that by changing the IP address the host name pointed to, so now there's a convoluted and not entirely standardized set of rules for when and whether the browser allows it. Net result is that in some cases a user's long-running browser will indefinitely ignore the change you made to the DNS. I've seen such things persist for months.

For better or for worse, the way you -reliably- fail over a web server is with routing and middleboxes like a load balancer.

Regards,
Bill Herrin

--
William D. Herrin  her...@dirtside.com  b...@herrin.us
3005 Crane Dr. ..  Web: http://bill.herrin.us/
Falls Church, VA 22042-3004
Re: Dual Homed BGP for failover
You really limit yourself when you just take a default from a provider. If you take 2 defaults (one from each provider) for whatever reason, once you change the local pref on one of them, it's all your traffic outbound or none.

I always request a full table + default, so you can filter to best suit your needs. This way, you can just accept /8's and get some sort of balancing at least (even if you just say all even /8's pref'd on one gateway and all odd /8's from the other provider, etc). Of course this won't be symmetrical, but that's the nature of eBGP on the internet. You'll have to watch it and adjust as needed so that you won't saturate your slower link.

Max

On Tue, Jan 18, 2011 at 12:32 PM, Ahmed Yousuf ayousuf0...@gmail.com wrote:
> Hi,
>
> I'm looking at a setup where we use BGP to announce PI space to two upstream ISPs. ISP A provides a 30Mb/s connection and ISP B provides a 10Mb/s. Originally the plan was to use ISP B's link as a backup and local pref traffic outbound via ISP A and pref inbound using AS prepend via ISP A. It has now been requested to be able to distribute traffic across both links rather than preference traffic to the higher speed link. We are going to be using Juniper SRX210s to do this.
>
> I have some questions:
>
> - Is this really a good idea, as the BGP process won't care what the utilisation of the links are and you will see situations where the lower speed link gets used even though the high speed link utilisation is 0?
> - If we are doing this, I don't want to take a full routing table, I would rather just take the ISPs routes and perhaps their connected customers. One ISP has said they will only provide full routing table or default. I really don't want to take a full table, is receiving default only going to be a problem for my setup?
> - Any advice on how to avoid situations where the low bandwidth link is being used even though there is 0 utilisation on the high bandwidth link?
>
> Thanks
> Ahmed
Re: Software DNS high availability and load balancer solution
Hi,

On 18.01.11 19:31, Jack Bates wrote:
> On 1/18/2011 11:42 AM, Sergey Voropaev wrote:
>> I know that it is possible with BIND and a set of scripts. But we are trying to find a more usable solution with a friendly interface.
>
> I think powerdns is more flexible in this regard. Not sure about a friendly interface, though.
>
> Jack

For powerdns there is also a user interface, poweradmin.

Marco
RE: Dual Homed BGP for failover
From: Ahmed Yousuf
Sent: Tuesday, January 18, 2011 10:32 AM
To: nanog@nanog.org
Subject: Dual Homed BGP for failover

> - Is this really a good idea, as the BGP process won't care what the utilisation of the links are and you will see situations where the lower speed link gets used even though the high speed link utilisation is 0?

It is possible. But one thing, and I know it is a semantics nit but it is really important: there is no difference in the speed of the links. There is a difference in the capacity of the two but the traffic flows at the same speed across both.

That said, have you actually tried seeing what the natural breakdown of the traffic is? Without any AS prepend or local pref adjustment, what is the natural ratio of traffic on the two links? Generally different ISPs have different connectivity and some destinations will be favored via one path and others via the other path. It might be useful to determine how BGP naturally routes things first and then you can get an idea of what needs adjusting.

> - If we are doing this, I don't want to take a full routing table, I would rather just take the ISPs routes and perhaps their connected customers. One ISP has said they will only provide full routing table or default. I really don't want to take a full table, is receiving default only going to be a problem for my setup?

Interesting. Most ISPs offer default, full, or customer routes. You can take a full table but simply filter out any that aren't from your ISP's ASN or within one hop of it and only install the routes that meet those criteria.

In addition to using AS prepending, your providers might offer communities that allow you to control redistribution of your routing information to their peers. You might want to tell the ISP on the smaller link not to announce your routes to a major peer. That major peer will now find its path to you via the larger pipe.

> - Any advice on how to avoid situations where the low bandwidth link is being used even though there is 0 utilisation on the high bandwidth link?

If that happens, it would mean that the world does not see your path via the high bandwidth pipe as being an attractive path. As mentioned above, you might be able to append communities to your routes to the lower bandwidth ISP that control how they redistribute your routes. One example might be something like "don't redistribute my routes if you see them coming from another source", in which case that ISP only redistributes your routes when they don't see the announcement via the high bandwidth provider and effectively acts as a backup outside of their own AS, but you would still receive traffic originated within their AS over the low bandwidth connection.

Ahmed G
Re: Dual Homed BGP for failover
On Tue, Jan 18, 2011 at 1:32 PM, Ahmed Yousuf ayousuf0...@gmail.com wrote:
> It has now been requested to be able to distribute traffic across both links rather than preference traffic to the higher speed link.
>
> - Is this really a good idea, as the BGP process won't care what the utilisation of the links are and you will see situations where the lower speed link gets used even though the high speed link utilisation is 0?

Hi Ahmed,

This really isn't an either/or situation. You can prefer the higher speed link without excluding the lower speed link. One common way to do this (there are better ones but this one is easy) is to prepend the AS path you send and receive on the lower speed link so that it's longer.

> - If we are doing this, I don't want to take a full routing table, I would rather just take the ISPs routes and perhaps their connected customers. One ISP has said they will only provide full routing table or default. I really don't want to take a full table, is receiving default only going to be a problem for my setup?

IMO, that would be a mistake. Taking significantly less than a full table severely limits your options for balancing traffic between the links.

> - Any advice on how to avoid situations where the low bandwidth link is being used even though there is 0 utilisation on the high bandwidth link?

Any particular communication is either going to go through one link or the other. I'm generalizing here, ignoring some subtleties, but if packets between two particular hosts have picked the low speed link, they will take that one instead of the high speed link. So in a sense it isn't possible to prevent that situation. However, you can adjust the preferences for one path versus the other so that you're not leaving either circuit underused overall, and the disparity between your circuits (30 and 10) is not enough to cause major performance issues in and of itself.

Regards,
Bill Herrin

--
William D. Herrin  her...@dirtside.com  b...@herrin.us
3005 Crane Dr. ..  Web: http://bill.herrin.us/
Falls Church, VA 22042-3004
Re: Software DNS high availability and load balancer solution
Having hit these issues myself, I heavily recommend a real frontend proxy like nginx or varnish.

On 01/18/2011 12:45 PM, William Herrin wrote:
> On Tue, Jan 18, 2011 at 12:42 PM, Sergey Voropaev serge.devo...@gmail.com wrote:
>> Does anyone know of software solutions (free is preferable) like Cisco GSS and F5 BIG-IP? The main point is that the DNS server (or DNS server plugin) must be able to monitor server availability (for example by TCP connect) and the DNS reply must depend on it.
>
> Sergey,
>
> I have no suggestions that directly answer your question. I'd write a script against bind myself.
>
> But if you're trying to fail over a web server, you're walking into a nasty trap. DNS pinning obstructs web browsers from finding a server on an alternate IP address regardless of the DNS TTL. The core issue is that allowing a browser running javascript to connect to a server other than the one from which the script came is a gigantic security hole. Someone realized you could do that by changing the IP address the host name pointed to, so now there's a convoluted and not entirely standardized set of rules for when and whether the browser allows it. Net result is that in some cases a user's long-running browser will indefinitely ignore the change you made to the DNS. I've seen such things persist for months.
>
> For better or for worse, the way you -reliably- fail over a web server is with routing and middleboxes like a load balancer.
>
> Regards,
> Bill Herrin
Auto ACL blocker
We are looking for the following solution.

A honeypot that collects attacks against SSH/FTP and so on.
Said attacks are then sent to a master ACL on an edge Cisco router to block all traffic from these offenders.
Of course we would require a master whitelist as well, so as not to be blocked from our own networks.

Any current solutions or ideas??

-- BRW
Re: Software DNS high availability and load balancer solution
On Tue, 18 Jan 2011 12:31:32 -0600, Jack Bates jba...@brightok.net wrote:
> On 1/18/2011 11:42 AM, Sergey Voropaev wrote:
>> I know that it is possible with BIND and a set of scripts. But we are trying to find a more usable solution with a friendly interface.
>
> I think powerdns is more flexible in this regard. Not sure about a friendly interface, though.
>
> Jack

I find Poweradmin quite usable. See https://www.poweradmin.org/trac/ for details.

-Christopher Hunt
Re: Dual Homed BGP for failover
On 1/18/2011 1:00 PM, William Herrin wrote:
> IMO, that would be a mistake. Taking significantly less than a full table severely limits your options for balancing traffic between the links.

It should also be noted that taking a full table doesn't mean you have to use the full table. Apply filters to smaller routes or long ASPATHs that you don't want, and then assign preferences, communities, prepends, etc as necessary for the routes you actually accept. This means your sync time is longer and you'll have more updates, but it will still keep the local routing table much lower.

Jack
RE: Auto ACL blocker
Dionaea (Nepenthes successor) and Kippo (SSH honeypot) are a good start for the honeypot side.

http://carnivore.it/
http://dionaea.carnivore.it/
http://code.google.com/p/kippo/

Watching the tty logs in kippo is great entertainment. Perfect way to collect the skiddies' tools.

As far as the automation of ACLs, if you find a script out in the wild please share. I do know of the following SNORT to Cisco PIX perl script. Hope this helps.

http://www.chaotic.org/guardian/
http://www.chaotic.org/guardian/scripts/pix-block.pl

Regards,
Ruben Guerra

-----Original Message-----
From: Brian R. Watters [mailto:brwatt...@absfoc.com]
Sent: Tuesday, January 18, 2011 1:12 PM
To: nanog@nanog.org
Subject: Auto ACL blocker

> We are looking for the following solution.
>
> A honeypot that collects attacks against SSH/FTP and so on.
> Said attacks are then sent to a master ACL on an edge Cisco router to block all traffic from these offenders.
> Of course we would require a master whitelist as well, so as not to be blocked from our own networks.
>
> Any current solutions or ideas??
>
> -- BRW
Re: Auto ACL blocker
On Jan 18, 2011, at 1:12 PM, Brian R. Watters wrote:
> Any current solutions or ideas??

This sort of thing can be gamed by attackers to cause DoS on your network/for your users/for others trying to access resources on your network. It's a Bad Idea.

Set up S/RTBH and do it by hand.

--
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

"Most software today is very much like an Egyptian pyramid, with millions of bricks piled on top of each other, with no structural integrity, but just done by brute force and thousands of slaves." -- Alan Kay
Re: Auto ACL blocker
send/expect?

On Jan 18, 2011, at 2:12 PM, Brian R. Watters wrote:
> We are looking for the following solution.
>
> A honeypot that collects attacks against SSH/FTP and so on.
> Said attacks are then sent to a master ACL on an edge Cisco router to block all traffic from these offenders.
> Of course we would require a master whitelist as well, so as not to be blocked from our own networks.
>
> Any current solutions or ideas??
>
> -- BRW
Re: Auto ACL blocker
On Tue January 18 2011 13:12, Brian R. Watters wrote:
> We are looking for the following solution.
>
> A honeypot that collects attacks against SSH/FTP and so on.
> Said attacks are then sent to a master ACL on an edge Cisco router to block all traffic from these offenders.
> Of course we would require a master whitelist as well, so as not to be blocked from our own networks.
>
> Any current solutions or ideas??

Private BGP session with Zebra or Quagga on a Linux box adding the selected IP to a null route.

--
Larry Smith
lesm...@ecsis.net
RE: Auto ACL blocker
I would consider doing it through BGP via quagga or such. Nullrouting with BGP is much cleaner than ACLs as your config stays static and only your routing table changes. I also imagine, due to existing BGP blacklisting methods, that much of the work is already done and all you need is to get the honeypot to export the right format.

-----Original Message-----
From: Brian R. Watters [mailto:brwatt...@absfoc.com]
Sent: Tuesday, January 18, 2011 11:12 AM
To: nanog@nanog.org
Subject: Auto ACL blocker

> We are looking for the following solution.
>
> A honeypot that collects attacks against SSH/FTP and so on.
> Said attacks are then sent to a master ACL on an edge Cisco router to block all traffic from these offenders.
> Of course we would require a master whitelist as well, so as not to be blocked from our own networks.
>
> Any current solutions or ideas??
>
> -- BRW
Re: Software DNS high availability and load balancer solution
On Tue, 18 Jan 2011, William Herrin wrote:
> Net result is that in some cases a user's long-running browser will indefinitely ignore the change you made to the DNS. I've seen such things persist for months.

Do you have any recent evidence to support this? The what-browsers-do-with-what world changes daily... and my understanding is that a lot of these things that used to be problems have been changed.

> For better or for worse, the way you -reliably- fail over a web server is with routing and middleboxes like a load balancer.

Alas, sometimes that's just not possible - try doing that @ EC2, for example (which is why I've recently been on the hunt for GSLB solutions that don't involve appliances...).

--
david raistrick    http://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org    http://www.expita.com/nomime.html
Re: Software DNS high availability and load balancer solution
On Tue, 18 Jan 2011, Rhys Rhaven wrote:
> Having hit these issues myself, I heavily recommend a real frontend proxy like nginx or varnish.

A frontend proxy (nginx, varnish, haproxy, or anything else) doesn't give you HA any more than any other load balancer solution does. You need a way to send traffic to another frontend server when the primary frontend server fails, or is overloaded, transparently.

The tools we have available these days to do this are VRRP-like solutions (which all of the appliances use) that use multicast, some amount of NAT and routing magic (which I've often not seen done sanely), or DNS solutions (better known as GSLB) that dynamically change the DNS responses depending on conditions (which could be source location, or could be server availability, or whatever).

Normally, VRRP would be the way to go. But these days multicast isn't supported everywhere (major example - Amazon EC2), leaving DNS...

--
david raistrick    http://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org    http://www.expita.com/nomime.html
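Added example, not from any poster in this thread: a minimal PowerDNS pipe backend in Python that does the TCP-connect health check Sergey asked about and returns only the addresses that answered. The pool name, addresses and port are constructed; and, as Bill's caveat says, a short TTL does not force every client to notice the change.

```python
#!/usr/bin/env python3
"""Health-checking PowerDNS pipe backend (added example; all names are constructed).

PowerDNS's pipe backend speaks a tab-separated line protocol over stdin/stdout.
With ABI version 1 the exchanges are:
    HELO<TAB>1                                  -> OK<TAB>banner
    Q<TAB>qname<TAB>qclass<TAB>qtype<TAB>id<TAB>remote-ip
        -> zero or more DATA<TAB>qname<TAB>qclass<TAB>qtype<TAB>ttl<TAB>id<TAB>content
        -> END
A production backend must also answer SOA (and NS) for the zone, and should
probe from a background thread and cache the verdict instead of probing on
every query; this example only shows the health-checked A records.
"""
import socket
import sys

# Constructed pool: qname -> (port to probe, candidate addresses).
POOL = {
    "www.example.com": (443, ["192.0.2.10", "192.0.2.20"]),
}
TTL = 30             # short, so resolvers re-ask soon after a failover
PROBE_TIMEOUT = 1.0  # seconds; the probe runs inside the query path here


def tcp_check(ip, port, timeout=PROBE_TIMEOUT):
    """True if a TCP handshake to ip:port completes within the timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def select_answers(candidates, is_healthy):
    """Return the healthy subset of candidates.

    If nothing passes the probe we fail open and return every candidate: an
    empty answer would turn a partial outage (or a probe false negative) into
    a hard failure for every client."""
    healthy = [ip for ip in candidates if is_healthy(ip)]
    return healthy if healthy else list(candidates)


def answer_query(qname, qtype, qid, pool=POOL, probe=tcp_check):
    """Build the DATA lines for one query (without the trailing END)."""
    name = qname.lower().rstrip(".")
    if name not in pool or qtype not in ("A", "ANY"):
        return []
    port, candidates = pool[name]
    ips = select_answers(candidates, lambda ip: probe(ip, port))
    return ["\t".join(["DATA", name, "IN", "A", str(TTL), str(qid), ip]) for ip in ips]


def serve(inp=sys.stdin, out=sys.stdout):
    """Main loop: one request per line, answers flushed immediately."""
    for line in inp:
        fields = line.rstrip("\n").split("\t")
        if fields[0] == "HELO":
            out.write("OK\thealthcheck backend\n")
        elif fields[0] == "Q" and len(fields) >= 6:
            _, qname, _qclass, qtype, qid, _remote = fields[:6]
            for reply in answer_query(qname, qtype, qid):
                out.write(reply + "\n")
            out.write("END\n")
        else:
            out.write("FAIL\n")  # unknown verb or malformed line
        out.flush()


if __name__ == "__main__":
    serve()
```

Point PowerDNS at it with `launch=pipe` and `pipe-command=/path/to/this.py` in pdns.conf.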
RE: Dual Homed BGP for failover
Someone should advise him that if he wants to take in a full BGP routing table that he makes sure his router can handle it! I would hate for him to open the floodgates and his production router shuts down. LOL Date: Tue, 18 Jan 2011 13:12:18 -0600 From: jba...@brightok.net To: b...@herrin.us Subject: Re: Dual Homed BGP for failover CC: ayousuf0...@gmail.com; nanog@nanog.org On 1/18/2011 1:00 PM, William Herrin wrote: IMO, that would be a mistake. Taking significantly less than a full table severely limits your options for balancing traffic between the links. It should also be noted that taking a full table, doesn't mean you have to use the full table. Apply filters to smaller routes or long ASPATHs that you don't want, and then assign preferences, communities, prepends, etc as necessary for the routes you actually accept. This means your sync time is longer and you'll have more updates, but it will still keep the local routing table much lower. Jack
RE: Auto ACL blocker
Brian, Have you thought about what a bad guy might do if he knew that you had such a policy deployed? Is there a way that the bad guy might turn the policy against you? Ron

-Original Message- From: Brian R. Watters [mailto:brwatt...@absfoc.com] Sent: Tuesday, January 18, 2011 2:12 PM To: nanog@nanog.org Subject: Auto ACL blocker

We are looking for the following solution. Honey pot that collects attacks against SSH/FTP and so on. Said attacks are then sent to a master ACL on an edge Cisco router to block all traffic from these offenders. Of course we would require a master whitelist as well, so as to not be blocked from our own networks. Any current solutions or ideas? -- BRW
Re: Auto ACL blocker
Ron, I am sure any solution given enough time could be used against you. However, my hope was that a whitelist could help in that regard; however, I know you're correct.

- Original Message - From: Ronald Bonica rbon...@juniper.net To: Brian R. Watters brwatt...@absfoc.com, nanog@nanog.org Sent: Tuesday, January 18, 2011 11:55:28 AM Subject: RE: Auto ACL blocker

Brian, Have you thought about what a bad guy might do if he knew that you had such a policy deployed? Is there a way that the bad guy might turn the policy against you? Ron

-Original Message- From: Brian R. Watters [mailto:brwatt...@absfoc.com] Sent: Tuesday, January 18, 2011 2:12 PM To: nanog@nanog.org Subject: Auto ACL blocker

We are looking for the following solution. Honey pot that collects attacks against SSH/FTP and so on. Said attacks are then sent to a master ACL on an edge Cisco router to block all traffic from these offenders. Of course we would require a master whitelist as well, so as to not be blocked from our own networks. Any current solutions or ideas? -- BRW

-- Brian R. Watters Director American Broadband Family of Companies 5718 East Shields Ave Fresno, CA. 93727 brwatt...@absfoc.com http://www.americanbroadbandservice.com tel: 559-420-0205 fax: 559-272-5266 toll free: 866-827-4638 ABS offers T-1's starting at $289 in over 450 cities. Is your city on the list? Click here to find out. This message and any attachment(s) are solely for the use of intended recipients. They may contain privileged and/or confidential information legally protected from disclosure. If you are not the intended recipient, you are hereby notified that you received this e-mail in error and that any review, dissemination, distribution or copying of this e-mail and any attachment(s) is strictly prohibited. If you have received this e-mail in error, please contact the sender and delete the message and any attachment(s) from your system. Thank you for your cooperation.
RE: Dual Homed BGP for failover
-Original Message- From: Brandon Kim Sent: Tuesday, January 18, 2011 11:57 AM To: jba...@brightok.net; b...@herrin.us Cc: ayousuf0...@gmail.com; nanog group Subject: RE: Dual Homed BGP for failover Someone should advise him that if he wants to take in a full BGP routing table that he makes sure his router can handle it! I would hate for him to open the floodgates and his production router shuts down. LOL One can take a full feed but filter so only a subset of the routes are actually installed. For example, filter all routes that are more than one AS away from the immediate upstream.
Re: Auto ACL blocker
On Tue, Jan 18, 2011 at 1:12 PM, Brian R. Watters brwatt...@absfoc.com wrote: We are looking for the following solution. Honey pot that collects attacks against SSH/FTP and so on. Said attacks are then sent to a master ACL on an edge Cisco router to block all traffic from these offenders. Of course we would require a master whitelist as well, so as to not be blocked from our own networks. Any current solutions or ideas? -- BRW

A good start from the honeypot would be sshguard. I'm sure that it could be adapted to script out an ACL or such; as well, in my usage of it, it has timed values to release the block after X_amount_of_time. I'd be curious as to what other(s) you find for this. -Joe Blanchard
Re: Auto ACL blocker
We have used this solution for some time and find it works pretty well .. http://www.rfxn.com/projects/ However, we need to find a way to pass this info off to a router; this project used to hold promise, however it's dead now .. www.ipblocker.org

- Original Message - From: Joe Blanchard jbfixu...@gmail.com To: Brian R. Watters brwatt...@absfoc.com Cc: nanog@nanog.org Sent: Tuesday, January 18, 2011 12:19:24 PM Subject: Re: Auto ACL blocker

On Tue, Jan 18, 2011 at 1:12 PM, Brian R. Watters brwatt...@absfoc.com wrote: We are looking for the following solution. Honey pot that collects attacks against SSH/FTP and so on. Said attacks are then sent to a master ACL on an edge Cisco router to block all traffic from these offenders. Of course we would require a master whitelist as well, so as to not be blocked from our own networks. Any current solutions or ideas? -- BRW

A good start from the honeypot would be sshguard. I'm sure that it could be adapted to script out an ACL or such; as well, in my usage of it, it has timed values to release the block after X_amount_of_time. I'd be curious as to what other(s) you find for this. -Joe Blanchard
Re: Software DNS high availability and load balancer solution
On 1/18/2011 1:42 PM, david raistrick wrote: Normally, VRRP would be the way to go. But these days multicast isn't supported everywhere (major example - Amazon EC2), leaving DNS... Many HA environments use both, and F5 is designed to do both, supporting DNS tricks (of which, you could possibly run host based monitoring and dynamic updates to accomplish), anycast routing, and vrrp-like DSR/NAT load balancing. Jack
Re: Dual Homed BGP for failover
On 1/18/2011 2:05 PM, George Bonser wrote: One can take a full feed but filter so only a subset of the routes are actually installed. For example, filter all routes that are more than one AS away from the immediate upstream. You should still be careful, as most processors keep a copy of filtered routes as well, so while your forwarding table may not increase, your route processor memory most likely will. I haven't checked, but I presume IOS and Junos have a knob to disable this feature? Jack
Re: Software DNS high availability and load balancer solution
On Tue, 18 Jan 2011, Jack Bates wrote: On 1/18/2011 1:42 PM, david raistrick wrote: Normally, VRRP would be the way to go. But these days multicast isn't supported everywhere (major example - Amazon EC2), leaving DNS... Many HA environments use both, and F5 is designed to do both, supporting DNS tricks (of which, you could possibly run host based monitoring and dynamic updates to accomplish), anycast routing, and vrrp-like DSR/NAT load balancing. Agreed. But sometimes you can't do both. ;) Now if F5 would sell me an appliance that runs their GSLB code I could run @ EC2. ;) -- david raistrickhttp://www.netmeister.org/news/learn2quote.html dr...@icantclick.org http://www.expita.com/nomime.html
Re: Dual Homed BGP for failover
On Tue, Jan 18, 2011 at 3:57 PM, Jack Bates jba...@brightok.net wrote: You should still be careful, as most processors keep a copy of filtered routes as well, so while your forwarding table may not increase, your route processor memory most likely will. I don't think this is the case, on IOS at least. Some years ago I was rocking some 7500s with $not_enough ram for multiple full tables, but with a prefix list to accept le 23 they worked fine. -Jack Carrozzo
Re: Auto ACL blocker
Agreed, time to live in the ACL is critical as well .. this is primarily to be used to stop sweeps and penetration testing .. We have SNORT deployed now but the process is still manual on the back end and of course does not respond in the time required.

- Original Message - From: Dorn Hetzel dorn @ hetzel .org To: Brian R. Watters brwatters @ absfoc .com Cc: nanog @ nanog .org, Ronald Bonica rbonica @juniper.net Sent: Tuesday, January 18, 2011 1:01:43 PM Subject: Re: Auto ACL blocker

One suspects this sort of automated defense should only be used against attack styles that eliminate the likelihood of a forged source IP, and that the ACL needs to be pruned and compacted for size. Nearby bad IPs can be collected into a larger mask, but there is then risk of collateral damage (how many bad source IPs in a /24 or whatever before you nuke the whole thing for a while? Does the length of a prefix's rap sheet change its treatment? Etc.)

On Jan 18, 2011 3:03 PM, Brian R. Watters brwatters @ absfoc .com wrote: Ron, I am sure any solution given enough time could be used against you. However, my hope was that a whitelist could help in that regard; however, I know you're correct.

- Original Message - From: Ronald Bonica rbonica @juniper.net To: Brian R. Watters brwatters @ absfoc .com , nanog @ nanog .org Sent: Tuesday, January 18, 2011 11:55:28 AM Subject: RE: Auto ACL blocker Brian, Have you thought about what a bad guy might do if he knew that you had such a policy deployed? Is there a way that the bad guy might turn the policy against you? Ron

-Original Message- From: Brian R. Watters [ mailto : brwatters @ absfoc .com ] Sent: Tuesday, January 18, 2011 2:12 PM To: nanog @ nanog .org Subject: Auto ACL blocker We are looking for the following solution. Honey pot that collects attacks against SSH/FTP and so on. Said attacks are then sent to a master ACL on an edge Cisco router to block all traffic from these offenders. Of course we would require a master whitelist as well, so as to not be blocked from our own networks. Any current solutions or ideas? -- BRW
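The pipeline Brian describes (honeypot hits in, a master whitelist, time-limited ACL entries) and the pruning questions Dorn raises (how many bad hosts in a /24 before the whole prefix goes in, and entries that age out) fit in a few dozen lines of glue. The following Python is an added example written for this page, not code from any poster, from sshguard or from the rfxn.com or ipblocker.org projects. The log format, the addresses (RFC 5737 documentation ranges), the whitelist and the thresholds are all constructed for illustration; the output is a plain Cisco extended ACL that whatever push mechanism you already have can install.

```python
import ipaddress
from collections import defaultdict

# Constructed sample input: "<unix time> <service> <source ip>" lines, the kind
# of record a honeypot or sshguard-style reporter could hand over. Not real data.
SAMPLE_LOG = """\
1295380800 ssh 203.0.113.10
1295380805 ssh 203.0.113.10
1295380810 ssh 203.0.113.10
1295380811 ftp 198.51.100.7
1295380812 ssh 10.0.0.5
1295380813 ssh 203.0.113.11
1295380814 ssh 203.0.113.11
1295380815 ssh 203.0.113.11
1295380816 ssh 203.0.113.12
1295380817 ssh 203.0.113.12
1295380818 ssh 203.0.113.12
1295370000 ssh 192.0.2.99
1295370001 ssh 192.0.2.99
1295370002 ssh 192.0.2.99
"""


def parse_log(text):
    """Return (timestamp, service, ip) tuples, silently skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            events.append((int(parts[0]), parts[1], ipaddress.ip_address(parts[2])))
        except ValueError:
            continue
    return events


def build_blocklist(events, now, whitelist, threshold=3, ttl=3600, agg_threshold=3):
    """Turn raw hits into the networks to block.

    whitelist      own prefixes that must never be blocked (the "master whitelist")
    threshold      hits needed before a host is blocked; one stray packet is not enough
    ttl            hits older than this no longer count, so entries age out of the ACL
    agg_threshold  blocked hosts in one /24 before the whole /24 is blocked instead
    Feed this only with completed TCP sessions: a spoofed source must never be
    able to put somebody else's address into the ACL.
    """
    allow = [ipaddress.ip_network(n) for n in whitelist]
    hits = defaultdict(int)
    for ts, _service, ip in events:
        if now - ts > ttl:
            continue                      # expired: the block has served its time
        if any(ip in net for net in allow):
            continue                      # never block our own networks
        hits[ip] += 1
    offenders = {ip for ip, n in hits.items() if n >= threshold}

    by_prefix = defaultdict(set)          # group offenders by candidate aggregate
    for ip in offenders:
        if ip.version == 4:
            by_prefix[ipaddress.ip_network(f"{ip}/24", strict=False)].add(ip)
        else:
            by_prefix[ipaddress.ip_network(f"{ip}/128")].add(ip)

    result = []
    for net, members in by_prefix.items():
        aggregate_ok = (net.version == 4 and len(members) >= agg_threshold
                        and not any(net.overlaps(a) for a in allow))
        if aggregate_ok:
            result.append(net)            # accept collateral damage for this /24
        else:
            result.extend(ipaddress.ip_network(f"{ip}/{ip.max_prefixlen}") for ip in members)
    return sorted(result, key=lambda n: (n.version, int(n.network_address), n.prefixlen))


def to_cisco_acl(networks, acl_name="HONEYPOT-BLOCK"):
    """Render the IPv4 networks as a Cisco extended ACL using wildcard masks."""
    lines = [f"ip access-list extended {acl_name}"]
    for net in networks:
        if net.version != 4:
            continue
        if net.prefixlen == 32:
            lines.append(f" deny ip host {net.network_address} any")
        else:
            lines.append(f" deny ip {net.network_address} {net.hostmask} any")
    lines.append(" permit ip any any")
    return lines


if __name__ == "__main__":
    nets = build_blocklist(parse_log(SAMPLE_LOG), now=1295380900, whitelist=["10.0.0.0/8"])
    print("\n".join(to_cisco_acl(nets)))
```

With the sample above, the three hosts in 203.0.113.0/24 collapse into one /24 entry, 10.0.0.5 is dropped by the whitelist, 198.51.100.7 never reaches the threshold, and 192.0.2.99 has aged out. Raising `agg_threshold` to 4 keeps the three as host entries instead, which is the knob Dorn's "how many before you nuke the whole thing" question is about. An aggregate that would overlap a whitelisted prefix is always refused.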
Authentication using Microsoft 2008 Active directory for Cisco RADIUS login
Hello all, I am having some trouble getting my Cisco routers to use Active directory to authenticate users. I have searched on Google and so far I am coming up dry on good documentation that will work. I have used these links. http://briandesmond.com/blog/how-to-authenticate-against-active-director y-from-cisco-ios/ http://filedb.experts-exchange.com/incoming/2008/12_w51/87700/TA0001-Win dows-2008-RADIUS-for-C.pdf When I am doing a debug against the AAA I am getting the Response (32) failed decrypt error. Any thoughts? Thank you in advance. M.A.R
Re: Dual Homed BGP for failover
On 1/18/2011 3:03 PM, Jack Carrozzo wrote: I don't think this is the case, on IOS at least. Some years ago I was rocking some 7500s with $not_enough ram for multiple full tables, but with a prefix list to accept le 23 they worked fine. On JunOS, I know I can view pre and post filtered bgp updates ingress and egress. I seem to recall seeing similar functionality introduced into IOS, though I'm less certain. It's still always advisable to be careful. :) Jack
RE: Auto ACL blocker
From: Brian R. Watters Sent: Tuesday, January 18, 2011 1:14 PM To: Dorn Hetzel Cc: nanog@nanog.org Subject: Re: Auto ACL blocker Agreed, time to live in the ACL is critical as well .. this is primary to be used to stop sweeps and penetration testing .. We have SNORT deployed now but the process is still manual on the back end and of course does not respond in the time required. I suppose you could use tcp wrappers to be creative and launch netcat to bend the connection right back to the originator so they spend all their time hacking themselves.
Re: Dual Homed BGP for failover
Yep, the great thing about IOS without 'commit confirmed' is when you remove a bgp filter, it runs out of memory, reboots, brings up peers, runs out of memory, reboots... meanwhile if you're trying to get in over a public interface you're cursing John Chambers' very existence. Not that that's ever happened to me of course... -Jack Carrozzo

On Tue, Jan 18, 2011 at 4:19 PM, Jack Bates jba...@brightok.net wrote: On 1/18/2011 3:03 PM, Jack Carrozzo wrote: I don't think this is the case, on IOS at least. Some years ago I was rocking some 7500s with $not_enough ram for multiple full tables, but with a prefix list to accept le 23 they worked fine. On JunOS, I know I can view pre and post filtered bgp updates ingress and egress. I seem to recall seeing similar functionality introduced into IOS, though I'm less certain. It's still always advisable to be careful. :) Jack
Re: Dual Homed BGP for failover
Me 3's commit confirmed ... maybe someone from Cisco should be watching :)

On Tue, Jan 18, 2011 at 3:21 PM, Jack Carrozzo j...@crepinc.com wrote: Yep, the great thing about IOS without 'commit confirmed' is when you remove a bgp filter, it runs out of memory, reboots, brings up peers, runs out of memory, reboots... meanwhile if you're trying to get in over a public interface you're cursing John Chambers' very existence. Not that that's ever happened to me of course... -Jack Carrozzo On Tue, Jan 18, 2011 at 4:19 PM, Jack Bates jba...@brightok.net wrote: On 1/18/2011 3:03 PM, Jack Carrozzo wrote: I don't think this is the case, on IOS at least. Some years ago I was rocking some 7500s with $not_enough ram for multiple full tables, but with a prefix list to accept le 23 they worked fine. On JunOS, I know I can view pre and post filtered bgp updates ingress and egress. I seem to recall seeing similar functionality introduced into IOS, though I'm less certain. It's still always advisable to be careful. :) Jack
Re: Software DNS high availability and load balancer solution
On Tue, Jan 18, 2011 at 3:49 PM, Dorn Hetzel d...@hetzel.org wrote: If it wouldn't be too ugly, could this be circumvented by having the web application continually do its next operation against an incrementing subhost name like syymmddhhmmss or snnn.www.foo.com in order to convince the local browser and client os to do a fresh lookup? Hi Dorn, There's an efficiency problem where you can no longer pipeline http requests and have to delay every http request while a DNS lookup happens. Also it'd probably crush your google pagerank. And you still wouldn't get around the javascript in your web 2.0 pages needing to go back to the same server name it came from in order to update the content on those pages. The custom name strategy does have some other really neat applications though. You can track a session without setting a cookie. And consider a large email system: suppose you encode the account name in the server name and then point that encoded name to the server which actually holds that user's account? You can eliminate the expensive front-end that multiplexes user access to the backend servers. Regards, Bill Herrin -- William D. Herrin her...@dirtside.com b...@herrin.us 3005 Crane Dr. .. Web: http://bill.herrin.us/ Falls Church, VA 22042-3004
PCCW Admin
Would a PCCW admin contact me off-list regarding one of your customers? Andrew
adaptec 5405 wedged
any adaptec bios-level fu out there? if so, please see http://archive.psg.com/110119.adaptec.pdf thanks randy
Re: Dual Homed BGP for failover
On Tue, Jan 18, 2011 at 12:05 PM, George Bonser gbon...@seven.com wrote: -Original Message- From: Brandon Kim Sent: Tuesday, January 18, 2011 11:57 AM To: jba...@brightok.net; b...@herrin.us Cc: ayousuf0...@gmail.com; nanog group Subject: RE: Dual Homed BGP for failover One can take a full feed but filter so only a subset of the routes are actually installed. For example, filter all routes that are more than one AS away from the immediate upstream. I remember in IOS the BGP config should not have soft-reconfiguration inbound for this uplink session, otherwise routing-engine will still keep one copy of full table in memory. -- Michel~
Re: Request Spamhaus contact
On 01/18/2011 06:21 AM, Ken Gilmour wrote: On 18 January 2011 13:10, Simon Waters sim...@zynet.net wrote: Obviously they know about them because google has the information. I'm not sure this is a reasonable deduction. Correct - It is completely unreasonable. I was using it as an example in reference to a larger, well known provider since earlier someone had mentioned that obviously since google had this information that BL's monitoring was inadequate as they didn't know about it themselves. Google knows about lots of things that people in general probably don't know about themselves. FTR - I have no doubt that Level 3 have amazing monitoring and infrastructure, and think I understand why it might be hard to find 231 bad apples in a basket of over 292492.

I think it's important to point out that this statistic is over the past 90 days as well. It doesn't identify enough sites to make it possible to verify whether it's representative of current problems. The 231 sites may have been cleaned relatively quickly and still count in the statistic if Google ever found them to be doing something malicious. I do not think this report is a useful one unless the number is constantly growing and is a large percentage of sites Google has spidered on the network. -- Kevin Stange Chief Technology Officer Steadfast Networks http://steadfast.net Phone: 312-602-2689 ext. 203 | Fax: 312-602-2688 | Cell: 312-320-5867
RE: Auto ACL blocker
From: Larry Smith [mailto:lesm...@ecsis.net] Sent: Tuesday, January 18, 2011 8:32 PM On Tue January 18 2011 13:12, Brian R. Watters wrote: We are looking for the following solution. Honey pot that collects attacks against SSH/FTP and so on. Said attacks are then sent to a master ACL on an edge Cisco router to block all traffic from these offenders. Of course we would require a master whitelist as well, so as to not be blocked from our own networks. Any current solutions or ideas? Private BGP session with Zebra or Quagga on a linux box adding the selected IP to a null route.

As we currently do it by putting new rules automatically in firewalls (iptables), it should be easy to change it a little bit, I think. After the change it should be able to put rules in Zebra/Quagga (or something similar based on Linux/Unix). As long as telnet access is available it should also be doable to put it automatically in routers without the need of a setup with BGP and Zebra/Quagga. We are currently looking for ways to increase the list with abusive systems to block. If someone wants to work together with us on increasing the mentioned options, feel free to contact me offlist. How we get the data currently (from multiple sources) or how the process currently works isn't something I can currently mention here (at least not the details). Regards, Mark
Re: adaptec 5405 wedged
On 19/01/2011, at 00.23, Randy Bush ra...@psg.com wrote: any adaptec bios-level fu out there? if so, please see http://archive.psg.com/110119.adaptec.pdf Hi Randy, Did you see this bit about transfer speed issues? http://ask.adaptec.com/scripts/adaptec_tic.cfg/php.exe/enduser/std_adp.php?p_faqid=16913 For those customers that are unable to update, or have a Series 2 (2045, 2405, 2405Q, 2805) or a low-port Series 5 (5405, 5405Z, 5445, 5805, 5805Z, 5085, 5805Z, 5805ZQ) controller, the Western Digital WD20EADS and WD2002FYPS drives will need to be jumpered down to 1.5Gb/sec in order to function properly (please refer to the specific jumper settings provided below).
RE: Auto ACL blocker
Also, have you considered just using the spamhaus DROP list? They even have code to have the list pushed to IOS available. You could simply substitute your file for their list if you only want to use IPs caught by your honeypot. http://www.spamhaus.org/faq/answers.lasso?section=DROP%20FAQ

-Original Message- From: Brian R. Watters [mailto:brwatt...@absfoc.com] Sent: Tuesday, January 18, 2011 11:12 AM To: nanog@nanog.org Subject: Auto ACL blocker We are looking for the following solution. Honey pot that collects attacks against SSH/FTP and so on. Said attacks are then sent to a master ACL on an edge Cisco router to block all traffic from these offenders. Of course we would require a master whitelist as well, so as to not be blocked from our own networks. Any current solutions or ideas? -- BRW
Re: Software DNS high availability and load balancer solution
Ha-proxy and linux virtual server are popular packages.

On 01/18/2011 09:42 AM, Sergey Voropaev wrote: Does anyone know software solutions (free is preferable) like Cisco GSS and F5 BIG-IP? The main point is that the DNS server (or DNS server plugin) must be able to monitor server availability (for example by TCP connect) and form the DNS reply based on it. I know that it is possible with BIND and a set of scripts. But we are trying to find a more usable solution with a friendly interface. Thanks a lot.

-- Charles N Wyble (char...@knownelement.com) Systems craftsman for the stars http://www.knownelement.com Mobile: 626 539 4344 Office: 310 929 8793
Re: Software DNS high availability and load balancer solution
On 01/18/2011 09:42 AM, Sergey Voropaev wrote: Does anyone know software solutions (free is preferable) like Cisco GSS and F5 BIG-IP? The main point is that the DNS server (or DNS server plugin) must be able to monitor server availability (for example by TCP connect) and form the DNS reply based on it. On Tue, 18 Jan 2011, Charles N Wyble wrote: Ha-proxy and linux virtual server are popular packages.

Neither of these do DNS. He asked about DNS based loadbalancing (also known as GSLB, among other things) software packages. -- david raistrick http://www.netmeister.org/news/learn2quote.html dr...@icantclick.org http://www.expita.com/nomime.html
Re: Software DNS high availability and load balancer solution
Hi Guys, First time post so please excuse. I think you can get a free Citrix NetScaler virtual appliance (VPX) that will do this with GSLB. Other than that, PowerDNS has a very good geolocation plugin, so they may also have an availability plugin for checks... I am also looking for a combined open source geolocation and availability checking DNS platform. Gary

On 18 January 2011 23:56, Charles N Wyble char...@knownelement.com wrote: Ha-proxy and linux virtual server are popular packages. On 01/18/2011 09:42 AM, Sergey Voropaev wrote: Does anyone know software solutions (free is preferable) like Cisco GSS and F5 BIG-IP? The main point is that the DNS server (or DNS server plugin) must be able to monitor server availability (for example by TCP connect) and form the DNS reply based on it. I know that it is possible with BIND and a set of scripts. But we are trying to find a more usable solution with a friendly interface. Thanks a lot. -- Charles N Wyble (char...@knownelement.com) Systems craftsman for the stars http://www.knownelement.com Mobile: 626 539 4344 Office: 310 929 8793
Re: adaptec 5405 wedged
Not sure, but I have seen issues with keyboard input on IPMI or serial-port console systems not working very well in controller BIOS screens. Has this worked before using the same method? Also, were you able to flash the BIOS of the WD drives with a hacked firmware that has TLER enabled? If not, I would highly suggest not using those drives in a RAID array. Stick with the RAID Edition drives for that. I have had a multitude of issues with drives (particularly Western Digital) that were not designed for RAID use. -Randy -- | Randy Carpenter | Vice President - IT Services | Red Hat Certified Engineer | First Network Group, Inc. | (800)578-6381, Opt. 1 - Original Message - On 19/01/2011, at 00.23, Randy Bush ra...@psg.com wrote: any adaptec bios-level fu out there? if so, please see http://archive.psg.com/110119.adaptec.pdf Hi Randy, Did you see this bit about transfer speed issues? http://ask.adaptec.com/scripts/adaptec_tic.cfg/php.exe/enduser/std_adp.php?p_faqid=16913 For those customers that are unable to update, or have a Series 2 (2045, 2405, 2405Q, 2805) or a low-port Series 5 (5405, 5405Z, 5445, 5805, 5805Z, 5085, 5805Z, 5805ZQ) controller, the Western Digital WD20EADS and WD2002FYPS drives will need to be jumpered down to 1.5Gb/sec in order to function properly (please refer to the specific jumper settings provided below).
Re: Auto ACL blocker
On 1/18/2011 6:48 PM, Thomas Magill wrote: Also, have you considered just using the spamhaus DROP list? They even have code to have the list pushed to IOS available. You could simply substitute your file for their list if you only want to use IPs caught by your honeypot. http://www.spamhaus.org/faq/answers.lasso?section=DROP%20FAQ

I know Spamhaus doesn't offer a BGP feed of the DROP list. Has anyone made a homegrown solution? There is a PHP script that pulls the DROP list and makes a Cisco ACL or iptables rules. http://www.potato-people.com/code/misctools/spamhausdrop.phps
Re: Authentication using Microsoft 2008 Active directory for Cisco RADIUS login
On 1/18/2011 4:15 PM, Michael Ruiz wrote: Hello all, I am having some trouble getting my Cisco routers to use Active directory to authenticate users. I have searched on Google and so far I am coming up dry on good documentation that will work. I know $myemployer Uses Cisco ACS to hit AD for logins. Maybe use tac+ to then query AD.
Re: Authentication using Microsoft 2008 Active directory for Cisco RADIUS login
I've set it up on 2003 before, found this article... http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/bfbbbae4-a280-4b3f-b214-02867b7d33e3/ It may be of use. Essentially on 2k3 it was a case of IAS and setting up the Cisco to use auth-port 1645. Looking at this, you use NPS and change the port. Gary

On 19 January 2011 00:30, ML m...@kenweb.org wrote: On 1/18/2011 4:15 PM, Michael Ruiz wrote: Hello all, I am having some trouble getting my Cisco routers to use Active directory to authenticate users. I have searched on Google and so far I am coming up dry on good documentation that will work. I know $myemployer Uses Cisco ACS to hit AD for logins. Maybe use tac+ to then query AD.
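The "Response (32) failed decrypt" debug line Michael quotes is worth understanding before changing ports or servers: on receipt of an Access-Accept or Access-Reject, the router recomputes the RFC 2865 Response Authenticator (MD5 over the packet header, the Request Authenticator it sent, the attributes and the shared secret) with the secret it has configured, and rejects the response when the two differ. That check fails when the NPS RADIUS-client entry and the router's `radius-server` secret do not match; a wrong port or an unreachable server shows up as no response at all, not as a failed check. This is my explanation, not something the thread states. The Python below is an added example, not code from the thread or from Cisco or Microsoft; the attribute, identifier, secrets and fixed Request Authenticator are constructed (a real NAS draws 16 random bytes per request).

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
REPLY_MESSAGE = 18  # RFC 2865 attribute type


def attribute(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value; Length counts the 2-byte header."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def response_authenticator(code, identifier, request_authenticator, attributes, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = 20 + len(attributes)  # 4-byte header + 16-byte authenticator + attributes
    header = struct.pack("!BBH", code, identifier, length)
    return hashlib.md5(header + request_authenticator + attributes + secret).digest()


def build_response(code, identifier, request_authenticator, attributes, secret):
    """What the RADIUS server (NPS or IAS) sends back to the router."""
    auth = response_authenticator(code, identifier, request_authenticator, attributes, secret)
    return struct.pack("!BBH", code, identifier, 20 + len(attributes)) + auth + attributes


def verify_response(packet, request_authenticator, secret):
    """What the router does on receipt. False is the condition IOS reports as
    a response that 'failed decrypt'."""
    if len(packet) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    received = packet[4:20]
    attributes = packet[20:length]
    expected = response_authenticator(code, identifier, request_authenticator, attributes, secret)
    return hmac.compare_digest(received, expected)  # constant-time comparison


def demo():
    """Constructed exchange: the same Access-Accept checked with the matching
    secret, with a secret that differs by one character, and after tampering."""
    request_auth = bytes(range(16))           # constructed; real NAS: 16 random bytes
    attrs = attribute(REPLY_MESSAGE, b"Welcome")
    server_secret = b"example-shared-secret"  # constructed value
    packet = build_response(ACCESS_ACCEPT, 7, request_auth, attrs, server_secret)
    return {
        "matching_secret": verify_response(packet, request_auth, b"example-shared-secret"),
        "mismatched_secret": verify_response(packet, request_auth, b"examp1e-shared-secret"),
        "tampered_code": verify_response(bytes([ACCESS_REJECT]) + packet[1:],
                                         request_auth, server_secret),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'failed decrypt'}")
```

The tampered case shows why the check exists at all: flipping the Code byte from Accept to Reject (or the other way) invalidates the authenticator, so an on-path party without the secret cannot alter the verdict. It also shows why a secret mismatch looks exactly like tampering from the router's side, which is why the debug wording is about decryption rather than configuration.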
Re: Software DNS high availability and load balancer solution
On 01/18/2011 04:01 PM, david raistrick wrote: On 01/18/2011 09:42 AM, Sergey Voropaev wrote: Does anyone know software solutions (free is preferable) like Cisco GSS and F5 BIG-IP? The main point is that the DNS server (or DNS server plugin) must be able to monitor server availability (for example by TCP connect) and form the DNS reply based on it. On Tue, 18 Jan 2011, Charles N Wyble wrote: Ha-proxy and linux virtual server are popular packages. Neither of these do DNS.

What does that mean? Load balance DNS lookups across multiple servers? Or use DNS to load balance? I've never set up a load balancer for DNS before. Always just had one server and moved the VM in event of failure/maintenance.

He asked about DNS based loadbalancing (also known as GSLB, among other things) software packages.

Ah. DNS based load balancing. I've heard good things about powerdns for that. -- Charles N Wyble (char...@knownelement.com) Systems craftsman for the stars http://www.knownelement.com Mobile: 626 539 4344 Office: 310 929 8793
Re: Routing Suggestions
Date: Fri, 14 Jan 2011 01:50:40 -0800
From: Randy Bush ra...@psg.com
Subject: Re: Routing Suggestions
i'm with jon and the static crew. brutal but simple. if you want no leakage, A can filter the prefix from its upstreams, both can low-pref blackhole it, ...
One late comment -- OP stated that the companies were exchanging 'sensitive' traffic. I suspect that they did *NOT* want this traffic to route over the public internet -if- the private point-to-point link goes down. If they're running any sort of a dynamic/active routing protocol then -that- route is going to disappear if/*WHEN* the private link goes down, and the packets will be subject to whatever other routing rules -- e.g. a 'default' route -- are in place. This would seem to be a compelling reason to use a static route -- ensuring that traffic _fails_ to route, instead of failing over to a public internet route, in the event of a link failure.
Re: Software DNS high availability and load balancer solution
What does that mean? Load balance DNS lookups across multiple servers? Or use DNS to load balance? I've never set up a load balancer for DNS before. Always just had one server and moved the VM in event of failure/maintenance.
I think using DNS to load balance is what was meant. PowerDNS can do this, but most DNS servers can do basic load balancing/round robin (it will just give out a different/multiple A records each time). I've done this with BIND and Microsoft before. PowerDNS has an awesome geolocation plugin, and that probably can be tied to a check to see if the IP is up, so it's actually checking the status of IPs to make it more automated.
Gary
On 19 January 2011 00:39, Charles N Wyble char...@knownelement.com wrote:
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1
On 01/18/2011 04:01 PM, david raistrick wrote:
On 01/18/2011 09:42 AM, Sergey Voropaev wrote:
Does anyone know of software solutions (free is preferable) like Cisco GSS and F5 BIG-IP? The main point is that the DNS server (or DNS server plugin) must be able to monitor server availability (for example by TCP connect) and the DNS reply depends on it.
On Tue, 18 Jan 2011, Charles N Wyble wrote:
HAProxy and Linux Virtual Server are popular packages.
Neither of these do DNS.
What does that mean? Load balance DNS lookups across multiple servers? Or use DNS to load balance? I've never set up a load balancer for DNS before. Always just had one server and moved the VM in event of failure/maintenance.
He asked about DNS-based load balancing (also known as GSLB, among other things) software packages.
Ah. DNS-based load balancing. I've heard good things about PowerDNS for that.
RE: Auto ACL blocker
-Original Message-
From: ML [mailto:m...@kenweb.org]
Sent: Tuesday, January 18, 2011 4:28 PM
To: nanog@nanog.org
Subject: Re: Auto ACL blocker
I know Spamhaus doesn't offer a BGP feed of the DROP list. Has anyone made a homegrown solution?
DROP is currently available only as a simple text list but may be available in the future by BGP, announced via an Autonomous System Number (ASN). DROP users could then choose to peer with that ASN to null those prefixes as being ranges for which they do not wish to route traffic.
I considered giving it a shot until I read that. It doesn't seem very difficult, but I don't have the free time to work on things that someone else claims are coming. I also don't have a spare ASN to share it externally, which would be the ultimate goal, like the Cymru bogon peering.
RE: Auto ACL blocker
LOL.. oops.. I guess I could just use 65xxx.
-Original Message-
From: Thomas Magill [mailto:tmag...@providecommerce.com]
Sent: Tuesday, January 18, 2011 5:23 PM
To: m...@kenweb.org; nanog@nanog.org
Subject: RE: Auto ACL blocker
-Original Message-
From: ML [mailto:m...@kenweb.org]
Sent: Tuesday, January 18, 2011 4:28 PM
To: nanog@nanog.org
Subject: Re: Auto ACL blocker
I know Spamhaus doesn't offer a BGP feed of the DROP list. Has anyone made a homegrown solution?
DROP is currently available only as a simple text list but may be available in the future by BGP, announced via an Autonomous System Number (ASN). DROP users could then choose to peer with that ASN to null those prefixes as being ranges for which they do not wish to route traffic.
I considered giving it a shot until I read that. It doesn't seem very difficult, but I don't have the free time to work on things that someone else claims are coming. I also don't have a spare ASN to share it externally, which would be the ultimate goal, like the Cymru bogon peering.
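A homegrown version of what ML and Thomas are discussing, as an added example that is not code from the thread or from Spamhaus: parse the DROP text list, reject malformed or implausibly short entries, refuse anything that overlaps prefixes you route yourself, and emit iproute2 blackhole routes (the same accepted list can seed a local BGP blackhole feed under a private ASN such as the 65xxx Thomas mentions). It assumes the documented DROP text format (comment lines begin with ';', data lines are '<cidr> ; <SBL reference>'); the embedded sample list, the protected prefixes and the /8 and /19 minimum-length thresholds are constructed assumptions for this example.

```python
"""Build local null routes from the Spamhaus DROP text list.

Added example for this thread; not code from Spamhaus or from any poster.
Assumed input format (as Spamhaus documents it): comment lines start with
';', data lines look like '192.0.2.0/24 ; SBL123456'. The sample text, the
protected prefixes and the minimum prefix lengths are constructed for the
example.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Entry = Tuple[Net, str]                 # (network, SBL reference)
Reject = Tuple[int, str, str]           # (line number, raw line, reason)

# Anything shorter than this is treated as a feed error, not a listing (assumption).
MIN_PREFIXLEN: Dict[int, int] = {4: 8, 6: 19}

# Constructed sample standing in for https://www.spamhaus.org/drop/drop.txt
SAMPLE_DROP = """\
; Spamhaus DROP List (constructed sample, not a real download)
; Expires: never
192.0.2.0/24 ; SBL000001
198.51.100.0/23 ; SBL000002
203.0.113.0/24 ; SBL000003
256.1.1.0/24 ; SBL000004
10.0.0.1/24 ; SBL000005
"""


def parse_drop(text: str) -> Tuple[List[Entry], List[Reject]]:
    """Return (accepted entries, rejected lines). Never trust a feed line blindly."""
    accepted: List[Entry] = []
    rejected: List[Reject] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        cidr, _, ref = raw.partition(";")
        cidr, ref = cidr.strip(), ref.strip()
        if not cidr:                                  # blank line or ';' comment
            continue
        try:
            net = ipaddress.ip_network(cidr, strict=True)   # host bits set -> reject
        except ValueError as exc:
            rejected.append((lineno, raw, str(exc)))
            continue
        if net.prefixlen < MIN_PREFIXLEN[net.version]:
            rejected.append((lineno, raw, "prefix too short"))
            continue
        accepted.append((net, ref))
    return accepted, rejected


def split_protected(entries: Iterable[Entry], protected: Iterable[str]) -> Tuple[List[Entry], List[Entry]]:
    """Separate entries overlapping space you route yourself: a third-party feed
    must never be allowed to blackhole your own or your customers' prefixes."""
    prot = [ipaddress.ip_network(p, strict=False) for p in protected]
    kept: List[Entry] = []
    conflicts: List[Entry] = []
    for net, ref in entries:
        clash = any(p.version == net.version and net.overlaps(p) for p in prot)
        (conflicts if clash else kept).append((net, ref))
    return kept, conflicts


def null_route_commands(entries: Iterable[Entry]) -> List[str]:
    """iproute2 blackhole routes, one per entry; 'replace' keeps repeated runs idempotent."""
    return [f"ip -{net.version} route replace blackhole {net}  # {ref}" for net, ref in entries]


def build(text: str, protected: Iterable[str]) -> dict:
    """Parse, filter and render in one call; conflicts and rejects are returned for alerting."""
    accepted, rejected = parse_drop(text)
    kept, conflicts = split_protected(accepted, protected)
    return {
        "commands": null_route_commands(kept),
        "rejected": rejected,
        "conflicts": [f"{net} ; {ref}" for net, ref in conflicts],
    }


if __name__ == "__main__":
    # Protected prefix is constructed: pretend 203.0.113.0/25 is a customer of ours.
    result = build(SAMPLE_DROP, protected=["203.0.113.0/25"])
    print("\n".join(result["commands"]))
    for lineno, line, why in result["rejected"]:
        print(f"# rejected line {lineno}: {line!r} ({why})")
    for c in result["conflicts"]:
        print(f"# CONFLICT with protected space, not routed: {c}")
```

Run it against a fresh download rather than the embedded sample, and page a human on anything that lands in the conflicts list: a DROP entry overlapping your own space is either a feed error or a sign that your space has been listed, and neither should turn into a null route automatically.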
Re: Routing Suggestions
On Jan 18, 2011, at 4:54 PM, Robert Bonomi wrote:
Date: Fri, 14 Jan 2011 01:50:40 -0800
From: Randy Bush ra...@psg.com
Subject: Re: Routing Suggestions
i'm with jon and the static crew. brutal but simple. if you want no leakage, A can filter the prefix from its upstreams, both can low-pref blackhole it, ...
One late comment -- OP stated that the companies were exchanging 'sensitive' traffic. I suspect that they did *NOT* want this traffic to route over the public internet -if- the private point-to-point link goes down. If they're running any sort of a dynamic/active routing protocol then -that- route is going to disappear if/*WHEN* the private link goes down, and the packets will be subject to whatever other routing rules -- e.g. a 'default' route -- are in place. This would seem to be a compelling reason to use a static route -- ensuring that traffic _fails_ to route, instead of failing over to a public internet route, in the event of a link failure.
That's why I always prefer to put this traffic inside an IPsec VPN. Then you gain the advantage of being able to let the internet serve as a backup for your preferred private path while still protecting your sensitive information. Then I use dynamic routing and take advantage of the diverse path capabilities.
Owen
Re: Software DNS high availability and load balancer solution
PowerDNS has an awesome geolocation plugin, and that probably can be tied to a check to see if the IP is up, so it's actually checking the status of IPs to make it more automated.
Gary
gdnsd is very robust and fast and has an interface that a networking engineer won't mind. It comes with a geolocation plugin with health-check failover via HTTP. http://code.google.com/p/gdnsd/
j.
Re: Software DNS high availability and load balancer solution
On 01/18/2011 07:42 AM, Sergey Voropaev wrote:
Does anyone know of software solutions (free is preferable) like Cisco GSS and F5 BIG-IP? The main point is that the DNS server (or DNS server plugin) must be able to monitor server availability (for example by TCP connect) and the DNS reply depends on it. I know that it is possible with BIND and a set of scripts. But we are trying to find a more usable solution with a friendly interface. Thanks a lot.
If you want to get fancy you could try an Anycast DNS setup, using GNU's Zebra tool to automatically alter routing tables. http://www.netlinxinc.com/netlinx-blog/45-dns/118-introduction-to-anycast-dns.html
Paul
Re: Software DNS high availability and load balancer solution
On Tue, 18 Jan 2011, Charles N Wyble wrote:
He asked about DNS-based load balancing (also known as GSLB, among other things) software packages.
Ah. DNS-based load balancing. I've heard good things about PowerDNS for that.
I assume the good thing is that with PowerDNS and the gmysql backend, it's trivial to have a script do some SQL updates as often as you need to change the content and change_date of the records you're using for the DNS-based load balancing.
-- Jon Lewis, MCP :) | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_ http://www.lewis.org/~jlewis/pgp for PGP public key_
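Gary's point about round-robin A records tied to an "is it up" check and Jon's point about updating content and change_date in the gmysql backend fit together in one short script. This is an added example, not code from the thread, from PowerDNS or from gdnsd; it assumes the stock PowerDNS generic-SQL schema (a domains table with id and name, a records table with domain_id, name, type, content, ttl, change_date), names stored without a trailing dot, and constructed sample backends. The probe is a real TCP connect, as Sergey asked for; the SQL is returned as parameterised statement/argument pairs for a DB-API driver rather than as interpolated strings.

```python
"""DNS-based load balancing with TCP health checks and PowerDNS gmysql updates.

Added example for this thread; not code from PowerDNS, gdnsd or any poster.
Assumptions: the stock PowerDNS generic-SQL schema (domains.id/domains.name,
records.domain_id/name/type/content/ttl/change_date), names stored without a
trailing dot, and constructed backend addresses. Statements are returned as
(sql, params) pairs for a DB-API driver so nothing external is pasted into SQL.
"""
import ipaddress
import re
import socket
from typing import Callable, Iterable, List, Sequence, Tuple

Backend = Tuple[str, int]                 # (IPv4 address, TCP port)
Probe = Callable[[str, int], bool]
Statement = Tuple[str, tuple]

# One RFC 1123 hostname, at most 253 octets, labels of 1..63 characters.
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)


def tcp_alive(ip: str, port: int, timeout: float = 1.0) -> bool:
    """A completed TCP handshake is the health signal; refusal or timeout counts as down."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def select_answers(backends: Sequence[Backend], probe: Probe = tcp_alive,
                   fail_open: bool = True) -> List[str]:
    """Addresses to publish as A records for this probe round.

    When nothing answers: fail_open publishes every backend (an empty answer is
    cached by resolvers just like a real one); fail_open=False publishes none.
    """
    alive = [ip for ip, port in backends if probe(ip, port)]
    if alive:
        return alive
    return [ip for ip, _ in backends] if fail_open else []


def gmysql_statements(zone: str, name: str, ips: Iterable[str], ttl: int = 30) -> List[Statement]:
    """Replace the A RRset for `name` and stamp change_date, which the generic SQL
    backends use to derive the SOA serial when the stored serial is 0."""
    for label in (zone, name):
        if not _HOSTNAME.match(label):
            raise ValueError(f"not a hostname: {label!r}")
    if not 0 < ttl <= 300:          # a long TTL defeats health-based answers
        raise ValueError("ttl must be 1..300 seconds for failover to be useful")
    stmts: List[Statement] = [("DELETE FROM records WHERE name=%s AND type='A'", (name,))]
    for ip in ips:
        ipaddress.IPv4Address(ip)   # raises ValueError on anything but a literal IPv4
        stmts.append((
            "INSERT INTO records (domain_id, name, type, content, ttl, change_date) "
            "SELECT id, %s, 'A', %s, %s, UNIX_TIMESTAMP() FROM domains WHERE name=%s",
            (name, ip, ttl, zone),
        ))
    return stmts


def probe_round(zone: str, name: str, backends: Sequence[Backend],
                probe: Probe = tcp_alive) -> List[Statement]:
    """One scheduler tick: probe, choose, and produce the SQL to apply in one transaction."""
    return gmysql_statements(zone, name, select_answers(backends, probe))


if __name__ == "__main__":
    # Constructed backends (TEST-NET addresses); in real use these are your front ends.
    POOL = [("192.0.2.10", 80), ("192.0.2.11", 80), ("192.0.2.12", 80)]
    for sql, params in probe_round("example.com", "www.example.com", POOL):
        print(sql, params)
```

Run probe_round from cron or a small loop and apply the statements inside one transaction so a resolver never sees the RRset half-written. Keep the TTL short, as the 30 seconds here, so a dead address falls out of caches within one TTL, and decide deliberately what to publish when every backend fails the probe, because an empty answer is cached too.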
Re: Software DNS high availability and load balancer solution [SEC=UNCLASSIFIED]
On Tue, Jan 18, 2011 at 02:42:57PM -0500, david raistrick wrote:
On Tue, 18 Jan 2011, Rhys Rhaven wrote:
Having hit these issues myself, I heavily recommend a real frontend proxy like nginx or varnish.
A frontend proxy (nginx, varnish, haproxy, or anything else) doesn't give you HA any more than any other load balancer solution does. You need a way to send traffic to another frontend server when the primary frontend server fails, or is overloaded, transparently.
freebsd + varnish + carp (http://www.openbsd.org/faq/pf/carp.html)
-Alex
PacketExchange/Mzima
Need a PacketExchange/Mzima admin to contact me off list regarding an AS Number issue. Andrwe