Re: Windows 10 Release
From: Joe Greco jgr...@ns.sol.net
Subject: Re: Windows 10 Release

You can download an ISO and burn it to install... Guessing if you're upgrading multiple machines, that would be the way to go...

You don't even need to burn it to install. Just mount the ISO and run setup.exe

I've searched, but have not found anything about it: Are you allowed to redistribute the .iso to the open public? If yes, this might save some smaller networks some bandwidth.

Martin
RE: Windows 10 Release
From: STARNES, CURTIS [mailto:curtis.star...@granburyisd.org] https://www.microsoft.com/en-us/software-download/windows10 is the download URL. This site launches the Download Tool so the ISO can be downloaded from Microsoft. Yeah, I know. But is it allowed to redistribute the .iso File(s)? Might help to save downloading some GB ... martin
RE: Windows 10 Release
Not sure about distributing but I would think it would be ok since it is an ISO for upgrading and the site says if it is a new installation a product key would be needed. Curtis -Original Message- From: Martin Hotze [mailto:m.ho...@hotze.com] Sent: Thursday, July 30, 2015 8:17 AM To: STARNES, CURTIS curtis.star...@granburyisd.org; nanog@nanog.org Subject: RE: Windows 10 Release From: STARNES, CURTIS [mailto:curtis.star...@granburyisd.org] https://www.microsoft.com/en-us/software-download/windows10 is the download URL. This site launches the Download Tool so the ISO can be downloaded from Microsoft. Yeah, I know. But is it allowed to redistribute the .iso File(s)? Might help to save downloading some GB ... martin
Re: Working with Spamhaus
If you implement SPF / DKIM / DMARC / ADSP, force your customers to relay Before we went SaaS with email we had lots of spam problems and we also went this route .. you must relay through us and authenticate .. postfix along with the dkim and policyd milters (and SPF in DNS). The policyd one would limit you to X messages in Y hours (per SASL credential), and we would override it for people that had a specific need. That was very effective at limiting the spam damage. I'm sure your needs are different as a commercial provider but we found that hardly anyone sends more than 100 messages a day, and 100 spammy messages isn't enough to get you in trouble, as long as it stops there. We have a /16 where most of our stuff lives and have moved things around a bit .. Spamhaus was pretty easy to deal with, as were the other major players (MS, Google, AOL, Yahoo) by just filling out their postmaster forms. Basically you just need to explain how you are fixing the problem and they usually answer you in less than 24hrs. The only IP addresses we have that I'd consider permanently tainted are the ones we've run TOR exit nodes on. We haven't run TOR in a couple years now but those IPs are still blacklisted so many places they are essentially unusable in any reliable capacity -- something to keep in mind while crafting your TOS. -Michael Holstein -Cleveland State University
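The per-credential cap Michael describes (X messages per Y hours per SASL login, with overrides for users who have a real need, and no relaying without authentication) is easy to reproduce as a Postfix policy service. The block below is an added example, not the policyd milter or the configuration from the message above; it speaks the Postfix SMTPD policy delegation protocol (name=value lines ended by a blank line in, an action line ended by a blank line out) so it can be hooked in with check_policy_service. The limits, the credential names and the sample request are assumptions.

```python
"""Per-credential submission rate limit as a Postfix policy service.

Added example, not code from the thread: the same idea as the policyd setup
described above (at most X messages per Y hours per SASL credential, with
per-user overrides, and no relay without authentication), implemented with
the Postfix SMTPD policy delegation protocol.
"""
import sys
import time
from collections import defaultdict, deque


class CredentialRateLimiter:
    def __init__(self, max_messages=100, window_seconds=24 * 3600, overrides=None):
        self.max_messages = max_messages
        self.window = window_seconds
        self.overrides = dict(overrides or {})   # credential -> its own cap (assumed names)
        self._sent = defaultdict(deque)          # credential -> timestamps of accepted messages

    @staticmethod
    def parse_request(raw: str) -> dict:
        """One policy request: name=value lines terminated by an empty line."""
        attrs = {}
        for line in raw.splitlines():
            if line == "":
                break
            name, sep, value = line.partition("=")
            if sep:
                attrs[name] = value
        return attrs

    def decide(self, attrs: dict, now: float) -> str:
        """Return the Postfix policy response (action line plus terminating blank line)."""
        # Count once per message, not once per RCPT TO, so multi-recipient mail is one event.
        if attrs.get("protocol_state") != "END-OF-MESSAGE":
            return "action=DUNNO\n\n"
        cred = attrs.get("sasl_username", "")
        if not cred:
            # "you must relay through us and authenticate": no credential, no relay
            return "action=REJECT Authentication required\n\n"
        limit = self.overrides.get(cred, self.max_messages)
        sent = self._sent[cred]
        while sent and now - sent[0] >= self.window:   # forget events outside the window
            sent.popleft()
        if len(sent) >= limit:
            # 4xx so a legitimate but chatty client retries later instead of losing mail
            return (f"action=DEFER_IF_PERMIT Rate limit of {limit} messages "
                    f"per {self.window} seconds exceeded for {cred}\n\n")
        sent.append(now)
        return "action=DUNNO\n\n"

    def serve(self, inp, out):
        """Answer requests on a stream pair, as when Postfix spawn(8) runs the script."""
        buf = []
        for line in inp:
            line = line.rstrip("\n")
            if line:
                buf.append(line)
                continue
            if buf:
                out.write(self.decide(self.parse_request("\n".join(buf) + "\n\n"), time.time()))
                out.flush()
                buf = []


# Constructed request of the kind Postfix sends, abridged to the attributes used here.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=END-OF-MESSAGE\n"
    "protocol_name=ESMTP\n"
    "client_address=203.0.113.10\n"
    "sasl_username=alice\n"
    "sender=alice@example.net\n"
    "recipient=bob@example.org\n"
    "\n"
)

if __name__ == "__main__":
    CredentialRateLimiter().serve(sys.stdin, sys.stdout)
```

Wired in on the submission service as an end-of-data restriction (for example `smtpd_end_of_data_restrictions = check_policy_service unix:private/ratelimit`, with a matching spawn entry in master.cf; the service name is an assumption), the counter sees one request per accepted message. Note that the counts here live in the process: Postfix starts a fresh spawn(8) process per connection, so for production the counter needs shared storage (the policyd milter in the message used a database), otherwise every connection gets a fresh allowance.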
Re: Windows 10 Release
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Not sure about open public but you can use that ISO on whatever many machines you're licensed to...

- --Tiernan

On 30/07/2015 13:11, Martin Hotze wrote:
From: Joe Greco jgr...@ns.sol.net
Subject: Re: Windows 10 Release
You can download an ISO and burn it to install... Guessing if you're upgrading multiple machines, that would be the way to go...
You don't even need to burn it to install. Just mount the ISO and run setup.exe
I've searched, but have not found anything about it: Are you allowed to redistribute the .iso to the open public? If yes, this might save some smaller networks some bandwidth.
Martin
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJVuiAWAAoJECWDUKjOk5r1bOgP/RVHQd5VpAUCEAG/7wzxZzzZ
rEmt6AgZvo2RT3zfyuUyuim3QY5s+x9ZDTniHvEEmxnqHYnVRjcG3eg8uT/uddeF
4hF2QCU6I3bAF33Tm1K2uvBUOcBEMEnyEDOJumxNLlgMpIeEq0xcjemEoYIhG/QY
abu6k6q3oQf4fWnaioArK78WApa9Yl1n6HfMl5OLYl3zbteyeyfBxyKG2FOAiTrc
r0IhAYzM0ZUw7UC2F6sD3Tx2Hp5lFwvno5nJVXROZF9Hobtswy3dBWJjcEWA/pQ8
T8Jn07gWT3RDhVpcVQ+G1EcqWs/8925qVk4V49EkoOPTmuHPo3RRmmwZMfAgKF07
mvfyOHeh5ATwmRj2sJ+0hVt2/ASk9H94pmzUdxjWy3mSoni7ssR6rLKM1pooVRwP
v3cDxFc4f0pVwU4ZFwmmkwVLPpijwDGTpeKCUjqY7XPuXj3lpQoJCK9jY7Vorncs
XDHKHVJz/WawNi9CVg4nHIifNXR8qwgBe8bAu2aEmA4Rayx4UY5fVDd/iyskgDmj
xkEqBusEWIlmX+LjWG+P2ktb5SSBziMOsZLY9mH5DVtdStpSGTnTSuJ5f1EQVYJg
t85Ier8Y20LOB4ikVDb6vsr8NEoKpH9101j2QI+qs/f2BygMxxcZBbUFhk4SHpnO
Cx8tGp5G6cCRt4XNbXe1
=lNWD
-----END PGP SIGNATURE-----
RE: Windows 10 Release
https://www.microsoft.com/en-us/software-download/windows10 is the download URL. This site launches the Download Tool so the ISO can be downloaded from Microsoft. Curtis -Original Message- From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Martin Hotze Sent: Thursday, July 30, 2015 7:11 AM To: nanog@nanog.org Subject: Re: Windows 10 Release From: Joe Greco jgr...@ns.sol.net Subject: Re: Windows 10 Release You can download an ISO and burn it to install... Guessing if your upgrading multiple machines, that would be the way to go... You don't even need to burn it to install. Just mount the ISO and run setup.exe I've searched, but have not found anything about it: Are you allowed to redistribute the .iso to the open public? If yes, this might save some smaller networks some bandwidth. Martin
Re: Windows 10 Release
Then they might want to show an official MD5/SHA1 on their website for the media. Or maybe simply offer a torrent/magnet-link ... Kind regards, Stefan On 30.07.2015 15:19, STARNES, CURTIS wrote: Not sure about distributing but I would think it would be ok since it is an ISO for upgrading and the site says if it is a new installation a product key would be needed. Curtis -Original Message- From: Martin Hotze [mailto:m.ho...@hotze.com] Sent: Thursday, July 30, 2015 8:17 AM To: STARNES, CURTIS curtis.star...@granburyisd.org; nanog@nanog.org Subject: RE: Windows 10 Release From: STARNES, CURTIS [mailto:curtis.star...@granburyisd.org] https://www.microsoft.com/en-us/software-download/windows10 is the download URL. This site launches the Download Tool so the ISO can be downloaded from Microsoft. Yeah, I know. But is it allowed to redistribute the .iso File(s)? Might help to save downloading some GB ... martin
Re: Working with Spamhaus
If you implement SPF / DKIM / DMARC / ADSP, force your customers to relay their mail through something you control, and show them you are serious about stopping the spam they may work with you then. Otherwise, they just assume you're a spam house.
Re: Windows 10 Release
Nope. For the upgrade the only piece of information MSFT needed was your email if you chose email notification once the upgrade was ready for you. After it's installed it will ask to finish up the install the 'Express' method which enabled a bunch of things like WIFI password sharing to friends and whatever else, or if you chose the manual option like I did you can disable everything. It will also inherit your existing user settings, so if your user is a local one instead of a cloud one it will continue to be that way. It does install One Drive but again, if you never configured it or used it then you'll simply see it in your task bar with the welcome or signup screen.

-justin

On Jul 30, 2015, at 10:19 AM, Scott Helms khe...@zcorum.com wrote:
Since the requirement is that users are upgrading from Win 7, 8, or 8.1 they've already had to create at least a minimal MS ID which means either creating an email account on Outlook.com or providing an existing email address and a password for MS.
Scott Helms Vice President of Technology ZCorum (678) 507-5000 http://twitter.com/kscotthelms

On Thu, Jul 30, 2015 at 10:15 AM, Matthew Black matthew.bl...@csulb.edu wrote:
Are users required to create any type of Microsoft cloud account (e.g., OneDrive, Office365, et al.) in order to install and use Windows 10? Or Office? Is it possible to simply use Windows 10 without any Microsoft or Google or Yahoo accounts? Is the unique identifier available to advertisers only through IE (or its successor) OR will it also be available through Firefox/Chrome?
matthew black california state university, long beach
Re: Windows 10 Release
I was just thinking about my remaining Win 7 box _after_ I hit send and I believe you're correct (I have one still to upgrade). Which means users upgrading from 7 to 10 will need to create an ID, but users of 8 and 8.1 will use the one they already have. Scott Helms Vice President of Technology ZCorum (678) 507-5000 http://twitter.com/kscotthelms On Thu, Jul 30, 2015 at 10:23 AM, Brooks Bridges bro...@firestormnetworks.net wrote: Just as a point of debate, I've been using Windows 7 for quite some time and I do not, nor have I ever, given MS any email information or have I created a Live account. On 7/30/2015 7:19 AM, Scott Helms wrote: Since the requirement is that users are upgrading from Win 7, 8, or 8.1 they've already had to create at least a minimal MS ID which means either creating an email account on Outlook.com or providing an existing email address and a password for MS. Scott Helms Vice President of Technology ZCorum (678) 507-5000 http://twitter.com/kscotthelms On Thu, Jul 30, 2015 at 10:15 AM, Matthew Black matthew.bl...@csulb.edu wrote: Are users required to create any type of Microsoft cloud account (e.g., OneDrive, Office365, et alil) in order to install and use Windows 10? Of Office? Is it possible to simply use Windows 10 without any Microsoft or Google or Yahoo accounts? Is the unique identifier available to advertisers only through IE (or its successor) OR will it also be available through Firefox/Chrome? matthew black california state university, long beach
Re: Windows 10 Release
Justin, That's true, but it takes effort for people to either set up a local account or change to one, and very few consumers will do that or have. Scott Helms Vice President of Technology ZCorum (678) 507-5000 http://twitter.com/kscotthelms On Thu, Jul 30, 2015 at 10:28 AM, Justin Mckillican jus...@mckill.ca wrote: Nope. For the upgrade the only piece of information MSFT needed was your email if you chose email notification once the upgrade was ready for you. After it's installed it will ask to finish up the install the 'Express' method which enabled a bunch of things like WIFI password sharing to friends and whatever else or if you chose the manual option like I did you can disable everything. It will also inherit your existing user settings, so if your user is a local one instead of a cloud one it will continue to be that way. It does install One Drive but again, if you never configured it or used it then you'll simply see it in your task bar with the welcome or signup screen. -justin On Jul 30, 2015, at 10:19 AM, Scott Helms khe...@zcorum.com wrote: Since the requirement is that users are upgrading from Win 7, 8, or 8.1 they've already had to create at least a minimal MS ID which means either creating an email account on Outlook.com or providing an existing email address and a password for MS. Scott Helms Vice President of Technology ZCorum (678) 507-5000 http://twitter.com/kscotthelms On Thu, Jul 30, 2015 at 10:15 AM, Matthew Black matthew.bl...@csulb.edu wrote: Are users required to create any type of Microsoft cloud account (e.g., OneDrive, Office365, et alil) in order to install and use Windows 10? Of Office? Is it possible to simply use Windows 10 without any Microsoft or Google or Yahoo accounts? Is the unique identifier available to advertisers only through IE (or its successor) OR will it also be available through Firefox/Chrome? matthew black california state university, long beach
RE: Windows 10 Release
Are users required to create any type of Microsoft cloud account (e.g., OneDrive, Office365, et al.) in order to install and use Windows 10? Or Office? Is it possible to simply use Windows 10 without any Microsoft or Google or Yahoo accounts? Is the unique identifier available to advertisers only through IE (or its successor) OR will it also be available through Firefox/Chrome?

matthew black
california state university, long beach
Re: Windows 10 Release
Since the requirement is that users are upgrading from Win 7, 8, or 8.1 they've already had to create at least a minimal MS ID which means either creating an email account on Outlook.com or providing an existing email address and a password for MS. Scott Helms Vice President of Technology ZCorum (678) 507-5000 http://twitter.com/kscotthelms On Thu, Jul 30, 2015 at 10:15 AM, Matthew Black matthew.bl...@csulb.edu wrote: Are users required to create any type of Microsoft cloud account (e.g., OneDrive, Office365, et alil) in order to install and use Windows 10? Of Office? Is it possible to simply use Windows 10 without any Microsoft or Google or Yahoo accounts? Is the unique identifier available to advertisers only through IE (or its successor) OR will it also be available through Firefox/Chrome? matthew black california state university, long beach
Re: Windows 10 Release
Just as a point of debate, I've been using Windows 7 for quite some time and I do not, nor have I ever, given MS any email information or have I created a Live account. On 7/30/2015 7:19 AM, Scott Helms wrote: Since the requirement is that users are upgrading from Win 7, 8, or 8.1 they've already had to create at least a minimal MS ID which means either creating an email account on Outlook.com or providing an existing email address and a password for MS. Scott Helms Vice President of Technology ZCorum (678) 507-5000 http://twitter.com/kscotthelms On Thu, Jul 30, 2015 at 10:15 AM, Matthew Black matthew.bl...@csulb.edu wrote: Are users required to create any type of Microsoft cloud account (e.g., OneDrive, Office365, et alil) in order to install and use Windows 10? Of Office? Is it possible to simply use Windows 10 without any Microsoft or Google or Yahoo accounts? Is the unique identifier available to advertisers only through IE (or its successor) OR will it also be available through Firefox/Chrome? matthew black california state university, long beach
RE: Windows 10 Release
You do not have to create or use a Microsoft account to use Windows 10 or any of the apps (other than the MS Store.) You can continue to log in to Windows using a local account. Aaron Childs Associate Director, Infrastructure Services Information Technology Services Wilson Hall - 577 Western Ave. Westfield MA 01086 -Original Message- From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Matthew Black Sent: Thursday, July 30, 2015 10:16 AM To: North American Network Operators' Group (nanog@nanog.org) nanog@nanog.org Subject: RE: Windows 10 Release Are users required to create any type of Microsoft cloud account (e.g., OneDrive, Office365, et alil) in order to install and use Windows 10? Of Office? Is it possible to simply use Windows 10 without any Microsoft or Google or Yahoo accounts? Is the unique identifier available to advertisers only through IE (or its successor) OR will it also be available through Firefox/Chrome? matthew black california state university, long beach
Re: UDP clamped on service provider links
On Thu, Jul 30, 2015 at 1:45 PM, John Kristoff j...@cymru.com wrote: On Mon, 27 Jul 2015 19:42:46 +0530 Glen Kent glen.k...@gmail.com wrote: Is there a reason why this is often done so? Is this because UDP is stateless and any script kiddie could launch a DOS attack with a UDP stream? State, some form of sender verification and that it and most other commonly used protocols besides TCP do not generally react to implicit congestion signals (drops usually). Hmmm. The WebRTC stack has a pretty explicit form of getting and then maintaining consent; it also rides on top of UDP (SRTP/UDP for media and SCTP/DTLS/UDP for data channels). Because both media and data channels go from peer to peer, it has no preset group of server addresses to white list (the only way I can see to do that would be to force the use of TURN and white list the TURN server, but that would be problematic for performance). How will you support it if the default is to throttle UDP? Clue welcome, Ted
NANOG isn't for desktop OS licensing support, was: Windows 10 Release
I hate to be that guy, but this is getting really outside the scope of NANOG. Chuck -Original Message- From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Joe Greco Sent: Thursday, July 30, 2015 12:58 PM To: Scott Helms khe...@zcorum.com Cc: NANOG nanog@nanog.org Subject: Re: Windows 10 Release I was just thinking about my remaining Win 7 box _after_ I hit send and I believe you're correct (I have one still to upgrade). Which means users upgrading from 7 to 10 will need to create an ID, but users of 8 and 8.1 will use the one they already have. This is incorrect. While the Win 8{,.1} install process makes it appear as though you need a Microsoft ID, you can actually go into the create a new Microsoft ID option and there's a way to proceed without creating a Microsoft ID, which leaves you with all local accounts. It does appear to be designed to make you THINK you need a Microsoft account however. I have a freshly installed Windows 8.1 box here (no Microsoft ID) that I then upgraded to Windows 10, and it also does not have any Microsoft ID attached to it. Activation shows as Windows 10 Home and Windows is activated. There's a beggy-screen on the user account page saying something like Windows is better when your settings and files automatically sync. Switch to a Microsoft Account now! So, again, totally optional, but admittedly the path of least resistance has users creating a Microsoft Account or linking to their existing one. You have to trawl around a little to get the better (IMHO) behaviour. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again. - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
Re: UDP clamped on service provider links
On Mon, 27 Jul 2015 19:42:46 +0530 Glen Kent glen.k...@gmail.com wrote:
Is it true that UDP is often subjected to stiffer rate limits than TCP?

Yes, although I'm not sure how widespread this is in most, if even many networks. Probably not very widely deployed today, but restrictions and limitations only seem to expand rather than recede.

I've done this, and not just for UDP, in a university environment. I implemented this at the time the Slammer worm came out on all the ingress interfaces of user-facing subnets. This was meant as a more general solution to capacity collapse rather than strictly as a security issue, because we were also struggling with capacity filling apps like Napster at the time, but Slammer was the tipping point.

To summarize what we did for aggregate rates from host subnets (these were generally 100 Mb/s IPv4 /24-/25 LANs):

  ICMP:  2 Mb/s
  UDP:   10 Mb/s
  MCAST: 10 Mb/s (separate UDP group)
  IGMP:  2 Mb/s
  IPSEC: 10 Mb/s (esp - can't ensure flow control of crypto traffic)
  GRE:   10 Mb/s
  Other: 10 Mb/s for everything else except for TCP

If traffic was staying local within the campus network, limits did not apply. There were no limits for TCP traffic. We generally did not apply limits to well defined and generally well managed server subnets. We were aware that certain measurement tools might produce misleading results, a trade-off we were willing to accept.

As far as I could tell, the limits generally worked well and helped minimize Slammer and more general problems. If ISPs could implement a similar mechanism, I think this could be a reasonable approach today still. Perhaps more necessary than ever before, but a big part of the problem is that the networks where you'd really want to see this sort of thing implemented, won't do it.

Is there a reason why this is often done so? Is this because UDP is stateless and any script kiddie could launch a DOS attack with a UDP stream?

State, some form of sender verification and that it and most other commonly used protocols besides TCP do not generally react to implicit congestion signals (drops usually).

Given the state of affairs these days how difficult is it going to be for somebody to launch a DOS attack with some other protocol?

There have been ICMP-based attacks and there are, at least in theory if not common in practice, others such as IGMP-based attacks. There have been numerous DoS (single D) attacks with TCP-based services precisely because of weaknesses or difficulties in managing unexpected TCP session behavior. The potential sending capacity of even a small set of hosts from around the globe, UDP, TCP or other protocol, could easily overwhelm many points of aggregation. All it takes is for an attacker to coerce a sufficient subset of hosts to send the packets.

John
Re: UDP clamped on service provider links
On Thu, Jul 30, 2015 at 2:04 PM, Ted Hardie ted.i...@gmail.com wrote: On Thu, Jul 30, 2015 at 1:45 PM, John Kristoff j...@cymru.com wrote: On Mon, 27 Jul 2015 19:42:46 +0530 Glen Kent glen.k...@gmail.com wrote: Is there a reason why this is often done so? Is this because UDP is stateless and any script kiddie could launch a DOS attack with a UDP stream? State, some form of sender verification and that it and most other commonly used protocols besides TCP do not generally react to implicit congestion signals (drops usually). Hmmm. The WebRTC stack has a pretty explicit form of getting and then maintaining consent; it also rides on top of UDP (SRTP/UDP for media and SCTP/DTLS/UDP for data channels). Because both media and data channels go from peer to peer, it has no preset group of server addresses to white list (the only way I can see to do that would be to force the use of TURN and white list the TURN server, but that would be problematic for performance). How will you support it if the default is to throttle UDP? Clue welcome, Ted We will install a middlebox to strip off the UDP and expose the SCTP natively as the transport protocol ! Patent pending! RTCweb made a series of trade offs. Encapsulating SCTP in UDP is one of them... the idea at the time was the this is only WebRTC 1.0, so we'll do a few silly things to ship it early. As i am sure you know :)
Re: UDP clamped on service provider links
On 27 Jul 2015, at 21:12, Glen Kent wrote: Given the state of affairs these days how difficult is it going to be for somebody to launch a DOS attack with some other protocol? https://app.box.com/s/r7an1moswtc7ce58f8gg --- Roland Dobbins rdobb...@arbor.net
Re: ATT U-Verse Data Setup Convention
“Forever” is a long time. We’re shooting for not having to change people’s address multiple times per week while still trying to help them save costs by not paying extra for “official” static IPs. Changing every 6 months as some have pointed out as their experience is perfectly acceptable to us.

On Jul 30, 2015, at 11:51 AM, James Hartig fastest...@gmail.com wrote:
I've had ATT UVerse for 3 years now and it has changed at least twice since I got it. The DHCP address has an expiration of ~7 days and it usually keeps the same address upon renewal but a few times I have noticed that it's changed. I wouldn't trust it to be static forever.
-- James Hartig

---
Keith Stokes
Re: ATT U-Verse Data Setup Convention
On Thu, 30 Jul 2015 12:02:06 -0400, Keith Stokes kei...@neilltech.com wrote:

1. Is it really accurate that the customer’s address is tied to the modem/router?

To the 802.1x identity of the device, yes. That's the unit serial number, which (partially) contains the MAC.

2. For my curiosity, is this done through a DHCP reservation or is there a hard coded entry somewhere?

No. It's just plain DHCP. Until the pool is depleted, addresses don't get recycled. So, even if your address were released, it would take days before it would be assigned to someone else. (which DOES happen, btw) Addresses are *NOT* hard coded. You can order (and pay for) a static subnet that is routed to whatever dynamic link address you get. That's the only static they offer.

3. Do all U-Verse modem/routers behave the same way? This particular unit was a Motorola but the friends I’ve seen with U-Verse use a Cisco unit.

Yes. This is a fundamental part of the network. If you *do* manage to side-step their PoS hardware, your own router will experience the same addressing scheme.
Re: DDOS Simulation
hi roland

- yup... agreed on most all of your points ...
- good referral to prev ddos discussions
- i'm just saying .. if one cannot defend and know that their ddos mitigation is working on the low level free script kiddie ddos attacks, they should not worry about scaling to gigabit/s, 1terabit/sec or even 100 terabit/s ddos attacks ... one has to start somewhere and grow their ddos mitigation and ddos attacks knowledge ... i happen to need to know how to defend my customers in between the free script kiddies and the types of attacks that make the papers/news
- start with free (thousands) of ddos attack tools and (hundreds) of free ddos mitigation tools
- i'm fairly certain i can fill any pipe with gibberish data where ddos mitigation might not work as expected but when the cops come knocking, the ddos attackers are in deeep kah kah, thus requiring prior legal paperwork of all those directly and indirectly involved

have fun
alvin

On 07/30/15 at 03:05am, Roland Dobbins wrote:
On 30 Jul 2015, at 2:38, alvin nanog wrote:

there is no need to pay people to attack your servers ...

Unless you don't have the expertise to do it yourself. Again, I advocate an organic defense capability and an organic testing capability, but there are many organizations which unfortunately don't have these, and they must start somewhere.

- tcpdump and wireshark will tell you everything the attackers are doing to your network right now that needs to be defended against

On small, single-homed networks, sure. On networks of any size, this doesn't scale. Flow telemetry scales.

if a mid-level wanna be attacker wants to target your servers, they're just as equally easy to mitigate and prevent and probably sending you 100,000 ddos packets per second because they can ( bigger zombie network :-)

100kpps is nothing. Of course, so many servers/services are so brittle, fragile, and non-scalable that most DDoS attacks are overkill by orders of magnitude.

if you are being targeted by masters of deception you have no solution other than get local law enforcement involved to track down the originating attackers

I'm not sure who or what 'masters of deception' are in this context, but attribution has nothing to do with DDoS defense. Defending against serious attackers with lots of resources is taking place every minute of every hour of every day. There are many techniques and tools available, most of which have been discussed multiple times on this list over the years. Here's one such example: http://mailman.nanog.org/pipermail/nanog/2010-January/016747.html

all ddos mitigations is almost 100% guaranteed to fail a volumetric DDoS attacks

This is incorrect.

the DDoS attackers probably have access to a bigger zombie network than most major corp ...

This is true, in many cases - and is also not an issue for properly-provisioned, coordinated DDoS defense mechanisms and methodologies.

the attackers job is not to get caught and is not ez to be hiding if law enforcement wanted to catch them :-)

Again, attribution is a completely separate issue.

nping send 100,000 packets/sec x 65,000byte/packet 192.168.0.0/16

FYI, 'line-rate' for 64-byte packets at 10gb/sec is ~14.8mpps.

by the same premise, if i had to pick ONE ddos mitigation strategy, i'd tarpit all incoming TCP-based ddos attacks which should crash the attacking zombie server under sustained tcp-based ddos attacks

There is no one tactic (this is not a strategy) which can be picked, as any kind of traffic can be used for DDoS attacks. With regards to TCP-based attacks, it's a subset of those which are connection-oriented and are thus susceptible to tarpitting-type techniques.

---
Roland Dobbins rdobb...@arbor.net
Re: UDP clamped on service provider links
To bring this discussion to specifics, we've been fighting an issue where our customers are experiencing poor audio quality on SIP calls. The only carrier between our customers and the hosted VoIP provider is Level3. From multiple wiresharks, it appears that a certain percentage of UDP packets - in this case RTP - are getting lost in the Level3 network somewhere. We've got a ticket open with Level3, but haven't gotten far yet. Has anyone else seen Level3 or other carriers rate-limiting UDP and breaking these legitimate services? On Thu, Jul 30, 2015 at 3:45 PM, John Kristoff j...@cymru.com wrote: On Mon, 27 Jul 2015 19:42:46 +0530 Glen Kent glen.k...@gmail.com wrote: Is it true that UDP is often subjected to stiffer rate limits than TCP? Yes, although I'm not sure how widespread this is in most, if even many networks. Probably not very widely deployed today, but restrictions and limitations only seem to expand rather than recede. I've done this, and not just for UDP, in a university environment. I implemented this at time the Slammer worm came out on all the ingress interfaces of user-facing subnets. This was meant as a more general solution to capacity collapse rather than strictly as security issue, because we were also struggling with capacity filling apps like Napster at the time, but Slammer was the tipping point. To summarize what we did for aggregate rates from host subnets (these were generally 100 Mb/s IPv4 /24-/25 LANs): ICMP: 2 Mb/s UDP: 10 Mb/s MCAST: 10 Mb/s (separate UDP group) IGMP: 2 Mb/s IPSEC: 10 Mb/s (esp - can't ensure flow control of crypto traffic) GRE: 10 Mb/s Other: 10 Mb/s for everything else except for TCP If traffic was staying local within the campus network, limits did not apply. There were no limits for TCP traffic. We generally did not apply limits to well defined and generally well managed server subnets. We were aware that certain measurement tools might produce misleading results, a trade-off we were willing to accept. 
As far as I could tell, the limits generally worked well and helped minimize Slammer and more general problems. If ISPs could implement a similar mechanism, I think this could be a reasonable approach today still. Perhaps more necessary than ever before, but a big part of the problem is that the networks where you'd really want to see this sort of thing implemented, won't do it. Is there a reason why this is often done so? Is this because UDP is stateless and any script kiddie could launch a DOS attack with a UDP stream? State, some form of sender verification and that it and most other commonly used protocols besides TCP do not generally react to implicit congestion signals (drops usually). Given the state of affairs these days how difficult is it going to be for somebody to launch a DOS attack with some other protocol? There has been ICMP-based attacks and there are, at least in theory if not common in practice, others such as IGMP-based attacks. There have been numerous DoS (single D) attacks with TCP-based services precisely because of weaknesses or difficulties in managing unexpected TCP session behavior. The potential sending capacity of even a small set of hosts from around the globe, UDP, TCP or other protocol, could easily overwhelm many points of aggregation. All it takes is for an attacker to coerce that a sufficient subset of hosts to send the packets. John
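"A certain percentage of UDP packets" is what the Wireshark view shows; when the ticket goes to the carrier it helps to hand over a number per stream. RTP carries a 16-bit sequence number, so loss on the path can be counted from the captured UDP payloads alone, per SSRC, the way RFC 3550 Appendix A does it (extended highest sequence number versus packets actually received, with wraparound and reordering handled). The block below is an added example and not code from the thread; the packets it analyses are constructed inline, with one stream that loses a packet across a sequence-number wrap and one that is merely reordered in transit.

```python
"""RTP loss accounting from captured UDP payloads (added example, not code
from the thread). Feed it the UDP payloads of one call, e.g. exported from
a Wireshark capture, and it reports expected vs. received packets per SSRC
following RFC 3550 Appendix A.  The sample packets below are constructed."""
import struct
from dataclasses import dataclass

RTP_SEQ_MOD = 1 << 16
MAX_MISORDER = 100   # RFC 3550 A.1: this far behind max_seq is a reordered packet, not a wrap


def parse_rtp(payload: bytes) -> dict:
    """Decode the 12-byte fixed RTP header (RFC 3550 section 5.1)."""
    if len(payload) < 12:
        raise ValueError("too short for an RTP header")
    b0, b1, seq, timestamp, ssrc = struct.unpack("!BBHII", payload[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    return {
        "seq": seq,
        "timestamp": timestamp,
        "ssrc": ssrc,
        "payload_type": b1 & 0x7F,
        "marker": bool(b1 & 0x80),
        "csrc_count": b0 & 0x0F,
    }


@dataclass
class StreamStats:
    base_seq: int          # first sequence number seen for this SSRC
    max_seq: int           # highest 16-bit sequence number seen
    cycles: int = 0        # wraparounds so far, as a multiple of RTP_SEQ_MOD
    received: int = 0

    def update(self, seq: int) -> None:
        """Advance the extended highest sequence number; late packets still count as received."""
        self.received += 1
        udelta = (seq - self.max_seq) & 0xFFFF
        if udelta < RTP_SEQ_MOD - MAX_MISORDER:
            # in order, possibly after a gap; a gap is loss, a large jump is not re-synced here
            if seq < self.max_seq:
                self.cycles += RTP_SEQ_MOD   # the 16-bit counter wrapped
            self.max_seq = seq
        # else: reordered or duplicate packet, max_seq unchanged (duplicates make `lost` negative,
        # as RFC 3550 notes)

    @property
    def expected(self) -> int:
        return self.cycles + self.max_seq - self.base_seq + 1

    @property
    def lost(self) -> int:
        return self.expected - self.received

    @property
    def loss_fraction(self) -> float:
        return self.lost / self.expected if self.expected else 0.0


def loss_report(payloads) -> dict:
    """Group RTP packets by SSRC and return per-stream StreamStats."""
    streams = {}
    for payload in payloads:
        hdr = parse_rtp(payload)
        st = streams.get(hdr["ssrc"])
        if st is None:
            streams[hdr["ssrc"]] = StreamStats(base_seq=hdr["seq"], max_seq=hdr["seq"], received=1)
        else:
            st.update(hdr["seq"])
    return streams


def build_rtp(seq: int, ssrc: int, timestamp: int, payload_type: int = 0,
              payload: bytes = b"\x00" * 160) -> bytes:
    """Construct a minimal RTP packet; used here only to fabricate sample input."""
    return struct.pack("!BBHII", 0x80, payload_type, seq & 0xFFFF,
                       timestamp & 0xFFFFFFFF, ssrc) + payload


# Constructed sample: a G.711 mu-law stream that wraps its counter and loses seq 1,
# and an A-law stream delivered intact but with two packets swapped in transit.
SAMPLE_PACKETS = (
    [build_rtp(s, 0x11223344, 160 * i) for i, s in enumerate([65533, 65534, 65535, 0, 2, 3])]
    + [build_rtp(s, 0x55667788, 160 * i, payload_type=8) for i, s in enumerate([20, 22, 21, 23])]
)

if __name__ == "__main__":
    for ssrc, st in loss_report(SAMPLE_PACKETS).items():
        print(f"SSRC 0x{ssrc:08x}: expected {st.expected}, received {st.received}, "
              f"lost {st.lost} ({st.loss_fraction:.1%})")
```

Run the same accounting on captures taken at both ends of the suspect path: if the far end's per-SSRC `lost` is higher than the sender's own capture shows for the same SSRC, the gap is in the carrier network, and the sequence numbers of the missing packets tell you whether it is random drop or a policer cutting bursts.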
Re: UDP clamped on service provider links
Oh, I'm aware of the function of an NNI. I even accept that a carrier might feel the need to filter bad traffic. I've certainly done so for things like the Moon exploit. What I don't like is arbitrary filtering of traffic and the denial of such filtering by the carrier.

On Thu, Jul 30, 2015 at 10:51 PM, Ca By cb.li...@gmail.com wrote:

On Thursday, July 30, 2015, Jason Baugher ja...@thebaughers.com wrote:

Several months ago we had an issue with a customer whose IPSEC tunnels we manage. One of the tunnels dropped, and after troubleshooting we were able to prove that only udp/500 was being blocked in one direction for one specific source and destination IP. Level3 resolved the issue, but claimed it was due to a mis-configured NNI between themselves and Charter. Seems odd that an NNI mis-config could cause something that specific, doesn't it?

NNI is a peering link. Peering links blow up during ddos since they act as a narrow funnel of traffic between networks. So NNI is exactly where udp ddos filters show up most, at least that is my guess

On Thu, Jul 30, 2015 at 9:44 PM, Tom Sands tsa...@rackspace.com wrote:

We have similar problems with UDP 500 and being able to keep IPSEC tunnels up over Level3. It happens quite a bit when there are no signs of TCP or ICMP packet loss.

Sent from my iPhone

On Jul 30, 2015, at 9:14 PM, Jason Baugher ja...@thebaughers.com wrote:

To bring this discussion to specifics, we've been fighting an issue where our customers are experiencing poor audio quality on SIP calls. The only carrier between our customers and the hosted VoIP provider is Level3. From multiple wiresharks, it appears that a certain percentage of UDP packets - in this case RTP - are getting lost in the Level3 network somewhere. We've got a ticket open with Level3, but haven't gotten far yet. Has anyone else seen Level3 or other carriers rate-limiting UDP and breaking these legitimate services?

On Thu, Jul 30, 2015 at 3:45 PM, John Kristoff j...@cymru.com wrote:

On Mon, 27 Jul 2015 19:42:46 +0530 Glen Kent glen.k...@gmail.com wrote:

Is it true that UDP is often subjected to stiffer rate limits than TCP?

Yes, although I'm not sure how widespread this is in most, if even many networks. Probably not very widely deployed today, but restrictions and limitations only seem to expand rather than recede.

I've done this, and not just for UDP, in a university environment. I implemented this at the time the Slammer worm came out on all the ingress interfaces of user-facing subnets. This was meant as a more general solution to capacity collapse rather than strictly as a security issue, because we were also struggling with capacity filling apps like Napster at the time, but Slammer was the tipping point.

To summarize what we did for aggregate rates from host subnets (these were generally 100 Mb/s IPv4 /24-/25 LANs):

ICMP: 2 Mb/s
UDP: 10 Mb/s
MCAST: 10 Mb/s (separate UDP group)
IGMP: 2 Mb/s
IPSEC: 10 Mb/s (esp - can't ensure flow control of crypto traffic)
GRE: 10 Mb/s
Other: 10 Mb/s for everything else except for TCP

If traffic was staying local within the campus network, limits did not apply. There were no limits for TCP traffic. We generally did not apply limits to well defined and generally well managed server subnets. We were aware that certain measurement tools might produce misleading results, a trade-off we were willing to accept.

As far as I could tell, the limits generally worked well and helped minimize Slammer and more general problems. If ISPs could implement a similar mechanism, I think this could be a reasonable approach today still. Perhaps more necessary than ever before, but a big part of the problem is that the networks where you'd really want to see this sort of thing implemented, won't do it.

Is there a reason why this is often done so? Is this because UDP is stateless and any script kiddie could launch a DOS attack with a UDP stream?

State, some form of sender verification and that it and most other commonly used protocols besides TCP do not generally react to implicit congestion signals (drops usually).

Given the state of affairs these days how difficult is it going to be for somebody to launch a DOS attack with some other protocol?

There have been ICMP-based attacks and there are, at least in theory if not common in practice, others such as IGMP-based attacks. There have been numerous DoS (single D) attacks with TCP-based services precisely because of weaknesses or difficulties in managing unexpected TCP session behavior. The potential sending capacity of even a small set of hosts from around the globe, UDP, TCP or other protocol, could easily overwhelm many points of aggregation. All it takes is for an attacker to
Re: UDP clamped on service provider links
In one case, when we were having an issue with a SIP trunk, we re-numbered our end to another IP in the same subnet. Same path from A to Z, but the packet loss mysteriously disappeared using the new IP.

lag hash put you on a congested fiber?
Re: UDP clamped on service provider links
Several months ago we had an issue with a customer whose IPSEC tunnels we manage. One of the tunnels dropped, and after troubleshooting we were able to prove that only udp/500 was being blocked in one direction for one specific source and destination IP. Level3 resolved the issue, but claimed it was due to a mis-configured NNI between themselves and Charter. Seems odd that an NNI mis-config could cause something that specific, doesn't it?

On Thu, Jul 30, 2015 at 9:44 PM, Tom Sands tsa...@rackspace.com wrote:

We have similar problems with UDP 500 and being able to keep IPSEC tunnels up over Level3. It happens quite a bit when there are no signs of TCP or ICMP packet loss.

Sent from my iPhone

On Jul 30, 2015, at 9:14 PM, Jason Baugher ja...@thebaughers.com wrote:

To bring this discussion to specifics, we've been fighting an issue where our customers are experiencing poor audio quality on SIP calls. The only carrier between our customers and the hosted VoIP provider is Level3. From multiple wiresharks, it appears that a certain percentage of UDP packets - in this case RTP - are getting lost in the Level3 network somewhere. We've got a ticket open with Level3, but haven't gotten far yet. Has anyone else seen Level3 or other carriers rate-limiting UDP and breaking these legitimate services?

On Thu, Jul 30, 2015 at 3:45 PM, John Kristoff j...@cymru.com wrote:

On Mon, 27 Jul 2015 19:42:46 +0530 Glen Kent glen.k...@gmail.com wrote:

Is it true that UDP is often subjected to stiffer rate limits than TCP?

Yes, although I'm not sure how widespread this is in most, if even many networks. Probably not very widely deployed today, but restrictions and limitations only seem to expand rather than recede.

I've done this, and not just for UDP, in a university environment. I implemented this at the time the Slammer worm came out on all the ingress interfaces of user-facing subnets. This was meant as a more general solution to capacity collapse rather than strictly as a security issue, because we were also struggling with capacity filling apps like Napster at the time, but Slammer was the tipping point.

To summarize what we did for aggregate rates from host subnets (these were generally 100 Mb/s IPv4 /24-/25 LANs):

ICMP: 2 Mb/s
UDP: 10 Mb/s
MCAST: 10 Mb/s (separate UDP group)
IGMP: 2 Mb/s
IPSEC: 10 Mb/s (esp - can't ensure flow control of crypto traffic)
GRE: 10 Mb/s
Other: 10 Mb/s for everything else except for TCP

If traffic was staying local within the campus network, limits did not apply. There were no limits for TCP traffic. We generally did not apply limits to well defined and generally well managed server subnets. We were aware that certain measurement tools might produce misleading results, a trade-off we were willing to accept.

As far as I could tell, the limits generally worked well and helped minimize Slammer and more general problems. If ISPs could implement a similar mechanism, I think this could be a reasonable approach today still. Perhaps more necessary than ever before, but a big part of the problem is that the networks where you'd really want to see this sort of thing implemented, won't do it.

Is there a reason why this is often done so? Is this because UDP is stateless and any script kiddie could launch a DOS attack with a UDP stream?

State, some form of sender verification and that it and most other commonly used protocols besides TCP do not generally react to implicit congestion signals (drops usually).

Given the state of affairs these days how difficult is it going to be for somebody to launch a DOS attack with some other protocol?

There have been ICMP-based attacks and there are, at least in theory if not common in practice, others such as IGMP-based attacks. There have been numerous DoS (single D) attacks with TCP-based services precisely because of weaknesses or difficulties in managing unexpected TCP session behavior. The potential sending capacity of even a small set of hosts from around the globe, UDP, TCP or other protocol, could easily overwhelm many points of aggregation. All it takes is for an attacker to coerce a sufficient subset of hosts to send the packets.

John
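As an added illustration (not code from John's message or from anyone on the thread), the Python below simulates the policing table quoted above as one token bucket per protocol class on a subnet's ingress: TCP passes unlimited, traffic to the campus prefix is exempt, and a constructed 160 Mb/s off-campus UDP stream is clamped to roughly 10 Mb/s while a TCP stream and an on-campus UDP stream at the same rate pass untouched. The campus prefix (placeholder 10.0.0.0/8), the 100 ms burst allowance and the traffic mix are assumptions.

```python
"""Token-bucket simulation of per-protocol ingress policing (constructed example)."""
from dataclasses import dataclass, field
import ipaddress

MBIT = 1_000_000

# Aggregate ceilings per protocol class, in bit/s, taken from the message above.
# TCP is deliberately absent: it backs off on loss, so it was not policed.
CLASS_RATES = {
    "icmp": 2 * MBIT,
    "udp": 10 * MBIT,
    "mcast": 10 * MBIT,   # multicast UDP gets its own bucket
    "igmp": 2 * MBIT,
    "ipsec": 10 * MBIT,   # ESP
    "gre": 10 * MBIT,
    "other": 10 * MBIT,
}

# Assumed campus prefix (placeholder); traffic staying on campus is exempt.
CAMPUS = ipaddress.ip_network("10.0.0.0/8")


@dataclass
class Packet:
    proto: str    # "tcp", "udp", "icmp", ...
    dst: str      # destination IPv4 address
    size: int     # bytes on the wire
    t: float      # arrival time in seconds


@dataclass
class TokenBucket:
    rate_bps: float
    burst_bits: float
    tokens: float = field(init=False)
    last: float = 0.0

    def __post_init__(self):
        self.tokens = self.burst_bits

    def admit(self, bits, now):
        # Refill proportionally to elapsed time, capped at the burst size.
        self.tokens = min(self.burst_bits, self.tokens + (now - self.last) * self.rate_bps)
        self.last = now
        if bits <= self.tokens:
            self.tokens -= bits
            return True
        return False


def is_local(dst):
    return ipaddress.ip_address(dst) in CAMPUS


def classify(pkt):
    """Map a packet onto one of the policed classes (or 'tcp', which is not policed)."""
    if pkt.proto == "udp" and ipaddress.ip_address(pkt.dst).is_multicast:
        return "mcast"
    if pkt.proto == "tcp" or pkt.proto in CLASS_RATES:
        return pkt.proto
    return "other"


class SubnetPolicer:
    """One set of buckets per user-facing subnet ingress; burst_ms is an assumption."""

    def __init__(self, burst_ms=100):
        self.buckets = {c: TokenBucket(r, r * burst_ms / 1000) for c, r in CLASS_RATES.items()}

    def forward(self, pkt):
        if is_local(pkt.dst):
            return True                       # on-campus traffic: limits do not apply
        cls = classify(pkt)
        if cls == "tcp":
            return True                       # no limit for TCP
        return self.buckets[cls].admit(pkt.size * 8, pkt.t)


def run(policer, packets):
    """Return (forwarded_bits, dropped_packets) keyed by class; local traffic as '<class>-local'."""
    fwd, drop = {}, {}
    for p in sorted(packets, key=lambda p: p.t):
        key = classify(p) + ("-local" if is_local(p.dst) else "")
        if policer.forward(p):
            fwd[key] = fwd.get(key, 0) + p.size * 8
        else:
            drop[key] = drop.get(key, 0) + 1
    return fwd, drop


def flood(proto, dst, pps, size, seconds):
    """Constructed constant-rate stream of identical packets."""
    return [Packet(proto, dst, size, i / pps) for i in range(int(pps * seconds))]


def demo():
    """One second of three 160 Mb/s streams through a single subnet policer."""
    traffic = (flood("udp", "203.0.113.5", 20000, 1000, 1.0)     # off-campus UDP
               + flood("tcp", "203.0.113.5", 20000, 1000, 1.0)   # off-campus TCP
               + flood("udp", "10.1.2.3", 20000, 1000, 1.0))     # on-campus UDP
    return run(SubnetPolicer(), traffic)


if __name__ == "__main__":
    forwarded, dropped = demo()
    for k, bits in sorted(forwarded.items()):
        print(f"{k:10s} forwarded {bits / MBIT:7.2f} Mb in 1 s, dropped {dropped.get(k, 0)} pkts")
```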
Re: UDP clamped on service provider links
On Thursday, July 30, 2015, Jason Baugher ja...@thebaughers.com wrote:

Several months ago we had an issue with a customer whose IPSEC tunnels we manage. One of the tunnels dropped, and after troubleshooting we were able to prove that only udp/500 was being blocked in one direction for one specific source and destination IP. Level3 resolved the issue, but claimed it was due to a mis-configured NNI between themselves and Charter. Seems odd that an NNI mis-config could cause something that specific, doesn't it?

NNI is a peering link. Peering links blow up during ddos since they act as a narrow funnel of traffic between networks. So NNI is exactly where udp ddos filters show up most, at least that is my guess

On Thu, Jul 30, 2015 at 9:44 PM, Tom Sands tsa...@rackspace.com wrote:

We have similar problems with UDP 500 and being able to keep IPSEC tunnels up over Level3. It happens quite a bit when there are no signs of TCP or ICMP packet loss.

Sent from my iPhone

On Jul 30, 2015, at 9:14 PM, Jason Baugher ja...@thebaughers.com wrote:

To bring this discussion to specifics, we've been fighting an issue where our customers are experiencing poor audio quality on SIP calls. The only carrier between our customers and the hosted VoIP provider is Level3. From multiple wiresharks, it appears that a certain percentage of UDP packets - in this case RTP - are getting lost in the Level3 network somewhere. We've got a ticket open with Level3, but haven't gotten far yet. Has anyone else seen Level3 or other carriers rate-limiting UDP and breaking these legitimate services?

On Thu, Jul 30, 2015 at 3:45 PM, John Kristoff j...@cymru.com wrote:

On Mon, 27 Jul 2015 19:42:46 +0530 Glen Kent glen.k...@gmail.com wrote:

Is it true that UDP is often subjected to stiffer rate limits than TCP?

Yes, although I'm not sure how widespread this is in most, if even many networks. Probably not very widely deployed today, but restrictions and limitations only seem to expand rather than recede.

I've done this, and not just for UDP, in a university environment. I implemented this at the time the Slammer worm came out on all the ingress interfaces of user-facing subnets. This was meant as a more general solution to capacity collapse rather than strictly as a security issue, because we were also struggling with capacity filling apps like Napster at the time, but Slammer was the tipping point.

To summarize what we did for aggregate rates from host subnets (these were generally 100 Mb/s IPv4 /24-/25 LANs):

ICMP: 2 Mb/s
UDP: 10 Mb/s
MCAST: 10 Mb/s (separate UDP group)
IGMP: 2 Mb/s
IPSEC: 10 Mb/s (esp - can't ensure flow control of crypto traffic)
GRE: 10 Mb/s
Other: 10 Mb/s for everything else except for TCP

If traffic was staying local within the campus network, limits did not apply. There were no limits for TCP traffic. We generally did not apply limits to well defined and generally well managed server subnets. We were aware that certain measurement tools might produce misleading results, a trade-off we were willing to accept.

As far as I could tell, the limits generally worked well and helped minimize Slammer and more general problems. If ISPs could implement a similar mechanism, I think this could be a reasonable approach today still. Perhaps more necessary than ever before, but a big part of the problem is that the networks where you'd really want to see this sort of thing implemented, won't do it.

Is there a reason why this is often done so? Is this because UDP is stateless and any script kiddie could launch a DOS attack with a UDP stream?

State, some form of sender verification and that it and most other commonly used protocols besides TCP do not generally react to implicit congestion signals (drops usually).

Given the state of affairs these days how difficult is it going to be for somebody to launch a DOS attack with some other protocol?

There have been ICMP-based attacks and there are, at least in theory if not common in practice, others such as IGMP-based attacks. There have been numerous DoS (single D) attacks with TCP-based services precisely because of weaknesses or difficulties in managing unexpected TCP session behavior. The potential sending capacity of even a small set of hosts from around the globe, UDP, TCP or other protocol, could easily overwhelm many points of aggregation. All it takes is for an attacker to coerce a sufficient subset of hosts to send the packets.

John
Re: UDP clamped on service provider links
In one case, when we were having an issue with a SIP trunk, we re-numbered our end to another IP in the same subnet. Same path from A to Z, but the packet loss mysteriously disappeared using the new IP. It sure seems like they are throttling somewhere.

On Thu, Jul 30, 2015 at 9:15 PM, Matt Hoppes mhop...@indigowireless.com wrote:

No. But I've seen Level3 just have really bad packet loss.

On Jul 30, 2015, at 22:12, Jason Baugher ja...@thebaughers.com wrote:

To bring this discussion to specifics, we've been fighting an issue where our customers are experiencing poor audio quality on SIP calls. The only carrier between our customers and the hosted VoIP provider is Level3. From multiple wiresharks, it appears that a certain percentage of UDP packets - in this case RTP - are getting lost in the Level3 network somewhere. We've got a ticket open with Level3, but haven't gotten far yet. Has anyone else seen Level3 or other carriers rate-limiting UDP and breaking these legitimate services?

On Thu, Jul 30, 2015 at 3:45 PM, John Kristoff j...@cymru.com wrote:

On Mon, 27 Jul 2015 19:42:46 +0530 Glen Kent glen.k...@gmail.com wrote:

Is it true that UDP is often subjected to stiffer rate limits than TCP?

Yes, although I'm not sure how widespread this is in most, if even many networks. Probably not very widely deployed today, but restrictions and limitations only seem to expand rather than recede.

I've done this, and not just for UDP, in a university environment. I implemented this at the time the Slammer worm came out on all the ingress interfaces of user-facing subnets. This was meant as a more general solution to capacity collapse rather than strictly as a security issue, because we were also struggling with capacity filling apps like Napster at the time, but Slammer was the tipping point.

To summarize what we did for aggregate rates from host subnets (these were generally 100 Mb/s IPv4 /24-/25 LANs):

ICMP: 2 Mb/s
UDP: 10 Mb/s
MCAST: 10 Mb/s (separate UDP group)
IGMP: 2 Mb/s
IPSEC: 10 Mb/s (esp - can't ensure flow control of crypto traffic)
GRE: 10 Mb/s
Other: 10 Mb/s for everything else except for TCP

If traffic was staying local within the campus network, limits did not apply. There were no limits for TCP traffic. We generally did not apply limits to well defined and generally well managed server subnets. We were aware that certain measurement tools might produce misleading results, a trade-off we were willing to accept.

As far as I could tell, the limits generally worked well and helped minimize Slammer and more general problems. If ISPs could implement a similar mechanism, I think this could be a reasonable approach today still. Perhaps more necessary than ever before, but a big part of the problem is that the networks where you'd really want to see this sort of thing implemented, won't do it.

Is there a reason why this is often done so? Is this because UDP is stateless and any script kiddie could launch a DOS attack with a UDP stream?

State, some form of sender verification and that it and most other commonly used protocols besides TCP do not generally react to implicit congestion signals (drops usually).

Given the state of affairs these days how difficult is it going to be for somebody to launch a DOS attack with some other protocol?

There have been ICMP-based attacks and there are, at least in theory if not common in practice, others such as IGMP-based attacks. There have been numerous DoS (single D) attacks with TCP-based services precisely because of weaknesses or difficulties in managing unexpected TCP session behavior. The potential sending capacity of even a small set of hosts from around the globe, UDP, TCP or other protocol, could easily overwhelm many points of aggregation. All it takes is for an attacker to coerce a sufficient subset of hosts to send the packets.

John
ATT U-Verse Data Setup Convention
I’m wondering if some can share their experiences or maybe there’s an ATT person here who can confirm policy.

I work for a SaaS provider who requires a source IP to access our system to businesses. Normally we tell the customer to request a “Static IP” from their provider. That term makes sense to most ISPs. However, we’ve recently worked with an ATT higher-up tech who told us that every U-Verse modem is locked to an address even when set to DHCP and will not change unless the unit is changed. Ordering a “Static IP” from them means your devices will individually get public addresses, which isn’t a requirement for us, isn’t quite as easy to add multiple devices and costs our customers more money.

Here are my questions:

1. Is it really accurate that the customer’s address is tied to the modem/router?
2. For my curiosity, is this done through a DHCP reservation or is there a hard coded entry somewhere?
3. Do all U-Verse modem/routers behave the same way? This particular unit was a Motorola but the friends I’ve seen with U-Verse use a Cisco unit.

---
Keith Stokes
Re: ATT U-Verse Data Setup Convention
On Thu, Jul 30, 2015 at 9:02 AM, Keith Stokes kei...@neilltech.com wrote:

I’m wondering if some can share their experiences or maybe there’s an ATT person here who can confirm policy.

I work for a SaaS provider who requires a source IP to access our system to businesses.

That is probably a problematic practice.

Normally we tell the customer to request a “Static IP” from their provider. That term makes sense to most ISPs. However, we’ve recently worked with an ATT higher-up tech who told us that every U-Verse modem is locked to an address even when set to DHCP and will not change unless the unit is changed. Ordering a “Static IP” from them means your devices will individually get public addresses, which isn’t a requirement for us, isn’t quite as easy to add multiple devices and costs our customers more money.

Here are my questions:

1. Is it really accurate that the customer’s address is tied to the modem/router?
2. For my curiosity, is this done through a DHCP reservation or is there a hard coded entry somewhere?
3. Do all U-Verse modem/routers behave the same way? This particular unit was a Motorola but the friends I’ve seen with U-Verse use a Cisco unit.

---
Keith Stokes

ATT addressing has been detailed here in some ways. I am not sure how accurate it is or at what state this has been deployed

http://www.networkworld.com/article/2188898/lan-wan/at-t-demands-we-change-our-networks.html

But, it is possible that ATT does not have IPv4 static addresses to assign.
Re: ATT U-Verse Data Setup Convention
Access is not the only reason we ask for non-changing source IP addresses. I’m not arguing the long-term sensibility of the approach. It’s arguably a legacy app and has 5000 endpoints that we have to still support until different solutions on our side are complete. That process is outside of my control.

On Jul 30, 2015, at 11:20 AM, Chuck Anderson c...@wpi.edu wrote:

People need to really stop using Source IP as an ACL mechanism wherever possible. Have you considered using SSL certs or SSH keys or some other sort of API key instead? I mean, do you really want to have to know how the technology of every ISP that every possible SaaS customer may use to access your service is set up?

On Thu, Jul 30, 2015 at 04:02:06PM +, Keith Stokes wrote:

I’m wondering if some can share their experiences or maybe there’s an ATT person here who can confirm policy.

I work for a SaaS provider who requires a source IP to access our system to businesses. Normally we tell the customer to request a “Static IP” from their provider. That term makes sense to most ISPs. However, we’ve recently worked with an ATT higher-up tech who told us that every U-Verse modem is locked to an address even when set to DHCP and will not change unless the unit is changed. Ordering a “Static IP” from them means your devices will individually get public addresses, which isn’t a requirement for us, isn’t quite as easy to add multiple devices and costs our customers more money.

Here are my questions:

1. Is it really accurate that the customer’s address is tied to the modem/router?
2. For my curiosity, is this done through a DHCP reservation or is there a hard coded entry somewhere?
3. Do all U-Verse modem/routers behave the same way? This particular unit was a Motorola but the friends I’ve seen with U-Verse use a Cisco unit.

---
Keith Stokes
Re: Verizon exiting California
Everything landline in your area is going. The enterprise and wireless businesses are staying Verizon. - Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest Internet Exchange http://www.midwest-ix.com - Original Message - From: Matthew Black matthew.bl...@csulb.edu To: North American Network Operators' Group (nanog@nanog.org) nanog@nanog.org Sent: Thursday, July 30, 2015 11:26:21 AM Subject: Verizon exiting California Verizon sent me a letter the other day stating that they are selling their landline business to Frontier Communications. It was a very terse letter and as a customer I don't know if it affects me. While stating they aren't exiting the Wireless business, I want to know which parts are being sold off. Just the copper lines, POTS, DSL, FIOS (TV, Internet, phone)? Some clarity would be great. I am a FIOS only customer. Can anyone recall if GTE was blocked from doing the same thing a few decades ago? matthew black california state university, long beach
Mac compatible SFP+/XFP programmer
Does anyone know where I might find a SFP+/XFP programmer with a Mac compatible programmer application? Thanks!
Re: ATT U-Verse Data Setup Convention
People need to really stop using Source IP as an ACL mechanism wherever possible. Have you considered using SSL certs or SSH keys or some other sort of API key instead? I mean, do you really want to have to know how the technology of every ISP that every possible SaaS customer may use to access your service is set up?

On Thu, Jul 30, 2015 at 04:02:06PM +, Keith Stokes wrote:

I’m wondering if some can share their experiences or maybe there’s an ATT person here who can confirm policy.

I work for a SaaS provider who requires a source IP to access our system to businesses. Normally we tell the customer to request a “Static IP” from their provider. That term makes sense to most ISPs. However, we’ve recently worked with an ATT higher-up tech who told us that every U-Verse modem is locked to an address even when set to DHCP and will not change unless the unit is changed. Ordering a “Static IP” from them means your devices will individually get public addresses, which isn’t a requirement for us, isn’t quite as easy to add multiple devices and costs our customers more money.

Here are my questions:

1. Is it really accurate that the customer’s address is tied to the modem/router?
2. For my curiosity, is this done through a DHCP reservation or is there a hard coded entry somewhere?
3. Do all U-Verse modem/routers behave the same way? This particular unit was a Motorola but the friends I’ve seen with U-Verse use a Cisco unit.
Re: Windows 10 Release
I was just thinking about my remaining Win 7 box _after_ I hit send and I believe you're correct (I have one still to upgrade). Which means users upgrading from 7 to 10 will need to create an ID, but users of 8 and 8.1 will use the one they already have. This is incorrect. While the Win 8{,.1} install process makes it appear as though you need a Microsoft ID, you can actually go into the create a new Microsoft ID option and there's a way to proceed without creating a Microsoft ID, which leaves you with all local accounts. It does appear to be designed to make you THINK you need a Microsoft account however. I have a freshly installed Windows 8.1 box here (no Microsoft ID) that I then upgraded to Windows 10, and it also does not have any Microsoft ID attached to it. Activation shows as Windows 10 Home and Windows is activated. There's a beggy-screen on the user account page saying something like Windows is better when your settings and files automatically sync. Switch to a Microsoft Account now! So, again, totally optional, but admittedly the path of least resistance has users creating a Microsoft Account or linking to their existing one. You have to trawl around a little to get the better (IMHO) behaviour. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again. - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
Re: ATT U-Verse Data Setup Convention
I've had ATT UVerse for 3 years now and it has changed at least twice since I got it. The DHCP address has an expiration of ~7 days and it usually keeps the same address upon renewal but a few times I have noticed that it's changed. I wouldn't trust it to be static forever. -- James Hartig
Re: DDOS Simulation
On Wed, 29 Jul 2015 12:38:18 -0700, alvin nanog said:

On 07/29/15 at 05:47am, Roland Dobbins wrote:

On 29 Jul 2015, at 5:19, alvin nanog wrote:

and all the other ISP's routers along the way that had to transport those gigabyte/terabyte of useless ddos packets

No company can provide a 'get out of jail card' for illegal activities, irrespective of how they arrange their paperwork.

oops, maybe a misunderstanding ... it's an old be careful euphomism(sp?) and not meant as literal get out of jail ( from monopoly game too )

You may indeed need a get out of jail card if one of those all the other ISPs along the way decides to make an issue of it. The company you're working with can only promise that *they* won't press charges. What their upstream decides to do is out of their control.

if i had to pick only one command for the ddos tests i'd simply flood the wire .. everything is now offline ( should be un-responsive ) nping send 100,000 packets/sec x 65,000byte/packet 192.168.0.0/16

That will only send out packets as fast as your single pipe can send, which will probably *not* make everything unresponsive. Hint - only (roughly) one out of every 65,635 packets will be pointed at the host at 198.168.5.16, for example - and I would *hope* that said host can handle an added 65K packet every 0.6 seconds or so...

Oh, and line speed for a 10G connection is 155K 64K packets per second, so your command won't even fill *one* computer's pipe.
Verizon exiting California
Verizon sent me a letter the other day stating that they are selling their landline business to Frontier Communications. It was a very terse letter and as a customer I don't know if it affects me. While stating they aren't exiting the Wireless business, I want to know which parts are being sold off. Just the copper lines, POTS, DSL, FIOS (TV, Internet, phone)? Some clarity would be great. I am a FIOS only customer. Can anyone recall if GTE was blocked from doing the same thing a few decades ago? matthew black california state university, long beach
Re: Verizon exiting California
I would love to see what a copy of the letter they sent out looks like. They are selling all wireline in CA, TX, and FL. So yes, all the products you described. On Thu, Jul 30, 2015 at 11:26 AM, Matthew Black matthew.bl...@csulb.edu wrote: Verizon sent me a letter the other day stating that they are selling their landline business to Frontier Communications. It was a very terse letter and as a customer I don't know if it affects me. While stating they aren't exiting the Wireless business, I want to know which parts are being sold off. Just the copper lines, POTS, DSL, FIOS (TV, Internet, phone)? Some clarity would be great. I am a FIOS only customer. Can anyone recall if GTE was blocked from doing the same thing a few decades ago? matthew black california state university, long beach
Re: Windows 10 Release
Justin, That's true, but it takes effort for people to either set up a local account or change to one, and very few consumers will do that or have. Wow, then, problem solved, because it's at least twice as hard to get your Microsoft Account set up, configured, and verified. The sticky point is that very few consumers will KNOW that they can avoid the Microsoft account, and most won't take the time to explore the various options and possibilities. This isn't an effort thing. Setting up a local account is fairly effortless. It's a matter of the option being hidden away, because it is in Microsoft's interest to get everyone using the Windows cloud magic. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again. - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
RE: Verizon exiting California
Nevermind. I found a February article detailing the plan. arstechnica: Verizon sells three-state territory, including 1.6 million FiOS users http://arstechnica.com/business/2015/02/verizon-sells-three-state-territory-including-1-6-million-fios-users/ matthew black california state university, long beach -Original Message- From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Matthew Black Sent: Thursday, July 30, 2015 9:26 AM To: North American Network Operators' Group (nanog@nanog.org) Subject: Verizon exiting California Verizon sent me a letter the other day stating that they are selling their landline business to Frontier Communications. It was a very terse letter and as a customer I don't know if it affects me. While stating they aren't exiting the Wireless business, I want to know which parts are being sold off. Just the copper lines, POTS, DSL, FIOS (TV, Internet, phone)? Some clarity would be great. I am a FIOS only customer. Can anyone recall if GTE was blocked from doing the same thing a few decades ago? matthew black california state university, long beach
Re: ATT U-Verse Data Setup Convention
On Thu, Jul 30, 2015 at 12:14 PM, Ca By cb.li...@gmail.com wrote:

On Thu, Jul 30, 2015 at 9:02 AM, Keith Stokes kei...@neilltech.com wrote:

I’m wondering if some can share their experiences or maybe there’s an ATT person here who can confirm policy.

I work for a SaaS provider who requires a source IP to access our system to businesses.

That is probably a problematic practice.

probably
Re: [BULK] Verizon exiting California
On 7/30/2015 9:26 AM, Matthew Black wrote:

Verizon sent me a letter the other day stating that they are selling their landline business to Frontier Communications. It was a very terse letter and as a customer I don't know if it affects me. While stating they aren't exiting the Wireless business, I want to know which parts are being sold off. Just the copper lines, POTS, DSL, FIOS (TV, Internet, phone)? Some clarity would be great. I am a FIOS only customer. Can anyone recall if GTE was blocked from doing the same thing a few decades ago?

matthew black
california state university, long beach

All wireline assets in the Verizon West footprint (California, Texas, and Tampa, FL area) are being acquired by Frontier

Here's the Press Release from Frontier: http://investor.frontier.com/releasedetail.cfm?ReleaseID=895055

All wireless assets remain with Verizon.
Re: UDP clamped on service provider links
No. But I've seen Level3 just have really bad packet loss.

On Jul 30, 2015, at 22:12, Jason Baugher ja...@thebaughers.com wrote:

To bring this discussion to specifics, we've been fighting an issue where our customers are experiencing poor audio quality on SIP calls. The only carrier between our customers and the hosted VoIP provider is Level3. From multiple wiresharks, it appears that a certain percentage of UDP packets - in this case RTP - are getting lost in the Level3 network somewhere. We've got a ticket open with Level3, but haven't gotten far yet. Has anyone else seen Level3 or other carriers rate-limiting UDP and breaking these legitimate services?

On Thu, Jul 30, 2015 at 3:45 PM, John Kristoff j...@cymru.com wrote:

On Mon, 27 Jul 2015 19:42:46 +0530 Glen Kent glen.k...@gmail.com wrote:

Is it true that UDP is often subjected to stiffer rate limits than TCP?

Yes, although I'm not sure how widespread this is in most, if even many networks. Probably not very widely deployed today, but restrictions and limitations only seem to expand rather than recede.

I've done this, and not just for UDP, in a university environment. I implemented this at the time the Slammer worm came out, on all the ingress interfaces of user-facing subnets. This was meant as a more general solution to capacity collapse rather than strictly as a security issue, because we were also struggling with capacity-filling apps like Napster at the time, but Slammer was the tipping point.

To summarize what we did for aggregate rates from host subnets (these were generally 100 Mb/s IPv4 /24-/25 LANs):

ICMP: 2 Mb/s
UDP: 10 Mb/s
MCAST: 10 Mb/s (separate UDP group)
IGMP: 2 Mb/s
IPSEC: 10 Mb/s (esp - can't ensure flow control of crypto traffic)
GRE: 10 Mb/s
Other: 10 Mb/s for everything else except for TCP

If traffic was staying local within the campus network, limits did not apply. There were no limits for TCP traffic. We generally did not apply limits to well defined and generally well managed server subnets.

We were aware that certain measurement tools might produce misleading results, a trade-off we were willing to accept. As far as I could tell, the limits generally worked well and helped minimize Slammer and more general problems. If ISPs could implement a similar mechanism, I think this could be a reasonable approach today still. Perhaps more necessary than ever before, but a big part of the problem is that the networks where you'd really want to see this sort of thing implemented won't do it.

Is there a reason why this is often done so? Is this because UDP is stateless and any script kiddie could launch a DOS attack with a UDP stream?

State, some form of sender verification, and that it and most other commonly used protocols besides TCP do not generally react to implicit congestion signals (drops usually).

Given the state of affairs these days how difficult is it going to be for somebody to launch a DOS attack with some other protocol?

There have been ICMP-based attacks and there are, at least in theory if not common in practice, others such as IGMP-based attacks. There have been numerous DoS (single D) attacks with TCP-based services precisely because of weaknesses or difficulties in managing unexpected TCP session behavior. The potential sending capacity of even a small set of hosts from around the globe, UDP, TCP or other protocol, could easily overwhelm many points of aggregation. All it takes is for an attacker to coerce a sufficient subset of hosts to send the packets.

John
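Jason's diagnosis above rests on comparing captures taken at more than one point ("multiple wiresharks") and seeing a fraction of the RTP packets vanish. The following is an added example, not code from the thread or from any of its participants: it quantifies that loss per stream from the RTP sequence numbers, handling the 16-bit wraparound, late (reordered) packets and duplicates, so that the figure from a customer-side capture can be compared with the same stream captured nearer the provider. The input lines are constructed to look like `tshark -r cap.pcap -Y rtp -T fields -e rtp.ssrc -e rtp.seq` output (tab-separated SSRC and sequence number); the SSRC values and sequence numbers are made up for the example.

```python
"""Per-stream RTP loss from RTP sequence numbers (added example, not from the thread).

Input lines mimic `tshark -r cap.pcap -Y rtp -T fields -e rtp.ssrc -e rtp.seq`
(tab-separated SSRC and sequence number). The sample below is constructed:
one stream loses two packets and shows one reordering and one duplicate,
the other is clean.
"""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass, field

SEQ_MOD = 1 << 16  # RTP sequence numbers are 16 bits and wrap at 65535

SAMPLE_CAPTURE = """\
0xdeadbeef\t65530
0xdeadbeef\t65531
0xdeadbeef\t65532
0xdeadbeef\t65534
0xdeadbeef\t65535
0xdeadbeef\t0
0xdeadbeef\t1
0xdeadbeef\t3
0xdeadbeef\t2
0xdeadbeef\t4
0xdeadbeef\t4
0xdeadbeef\t6
0xcafebabe\t100
0xcafebabe\t101
0xcafebabe\t102
0xcafebabe\t103
0xcafebabe\t104
"""


@dataclass
class RtpStream:
    base_ext: int = -1   # extended (wrap-corrected) seq of the earliest packet seen
    max_ext: int = -1    # highest extended seq seen so far
    last_seq: int = -1   # raw 16-bit seq of the most recent in-order packet
    cycles: int = 0      # number of 16-bit wraps observed
    seen: set = field(default_factory=set)
    duplicates: int = 0
    reordered: int = 0

    def observe(self, seq: int) -> None:
        if self.last_seq < 0:
            self.last_seq = self.base_ext = self.max_ext = seq
            self.seen.add(seq)
            return
        ahead = (seq - self.last_seq) % SEQ_MOD
        if ahead < SEQ_MOD // 2:
            # Forward progress (ahead == 0 is a duplicate of the last packet).
            if seq < self.last_seq:
                self.cycles += 1          # wrapped 65535 -> 0
            self.last_seq = seq
            ext = self.cycles * SEQ_MOD + seq
        else:
            # Behind the last packet: late (reordered) or duplicate. If the
            # stream already wrapped, this packet belongs to the previous cycle.
            ext = self.cycles * SEQ_MOD + seq
            if seq > self.last_seq:
                ext -= SEQ_MOD
        if ext in self.seen:
            self.duplicates += 1
            return
        self.seen.add(ext)
        if ext > self.max_ext:
            self.max_ext = ext
        else:
            self.reordered += 1
        if ext < self.base_ext:
            self.base_ext = ext

    @property
    def expected(self) -> int:
        return self.max_ext - self.base_ext + 1

    @property
    def received(self) -> int:
        return len(self.seen)

    @property
    def lost(self) -> int:
        return self.expected - self.received

    @property
    def loss_pct(self) -> float:
        return 100.0 * self.lost / self.expected if self.expected else 0.0


def analyze(capture_text: str) -> dict[int, RtpStream]:
    """Parse tab-separated 'ssrc<TAB>seq' lines into per-SSRC stream statistics."""
    streams: dict[int, RtpStream] = defaultdict(RtpStream)
    for line in capture_text.splitlines():
        if not line.strip():
            continue
        ssrc_s, seq_s = line.split("\t")
        streams[int(ssrc_s, 0)].observe(int(seq_s))
    return dict(streams)


def report(capture_text: str) -> list[str]:
    """One summary line per SSRC, suitable for comparing two capture points."""
    return [f"ssrc=0x{ssrc:08x} expected={s.expected} received={s.received} "
            f"lost={s.lost} ({s.loss_pct:.2f}%) reordered={s.reordered} dup={s.duplicates}"
            for ssrc, s in sorted(analyze(capture_text).items())]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CAPTURE)))
```

Run it against the field export from each capture point for the same call; a stream whose loss is near zero at the customer edge but several percent at the far end localises the loss to the path between them, which is the evidence a carrier ticket needs. Loss measured this way is independent of the codec and of any jitter buffer concealment the phones do.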
Re: UDP clamped on service provider links
We have similar problems with UDP 500 and being able to keep IPSEC tunnels up over Level3. It happens quite a bit when there are no signs of TCP or ICMP packet loss.

Sent from my iPhone

On Jul 30, 2015, at 9:14 PM, Jason Baugher ja...@thebaughers.com wrote:

To bring this discussion to specifics, we've been fighting an issue where our customers are experiencing poor audio quality on SIP calls. The only carrier between our customers and the hosted VoIP provider is Level3. From multiple wiresharks, it appears that a certain percentage of UDP packets - in this case RTP - are getting lost in the Level3 network somewhere. We've got a ticket open with Level3, but haven't gotten far yet. Has anyone else seen Level3 or other carriers rate-limiting UDP and breaking these legitimate services?

On Thu, Jul 30, 2015 at 3:45 PM, John Kristoff j...@cymru.com wrote:

On Mon, 27 Jul 2015 19:42:46 +0530 Glen Kent glen.k...@gmail.com wrote:

Is it true that UDP is often subjected to stiffer rate limits than TCP?

Yes, although I'm not sure how widespread this is in most, if even many networks. Probably not very widely deployed today, but restrictions and limitations only seem to expand rather than recede.

I've done this, and not just for UDP, in a university environment. I implemented this at the time the Slammer worm came out, on all the ingress interfaces of user-facing subnets. This was meant as a more general solution to capacity collapse rather than strictly as a security issue, because we were also struggling with capacity-filling apps like Napster at the time, but Slammer was the tipping point.

To summarize what we did for aggregate rates from host subnets (these were generally 100 Mb/s IPv4 /24-/25 LANs):

ICMP: 2 Mb/s
UDP: 10 Mb/s
MCAST: 10 Mb/s (separate UDP group)
IGMP: 2 Mb/s
IPSEC: 10 Mb/s (esp - can't ensure flow control of crypto traffic)
GRE: 10 Mb/s
Other: 10 Mb/s for everything else except for TCP

If traffic was staying local within the campus network, limits did not apply. There were no limits for TCP traffic. We generally did not apply limits to well defined and generally well managed server subnets.

We were aware that certain measurement tools might produce misleading results, a trade-off we were willing to accept. As far as I could tell, the limits generally worked well and helped minimize Slammer and more general problems. If ISPs could implement a similar mechanism, I think this could be a reasonable approach today still. Perhaps more necessary than ever before, but a big part of the problem is that the networks where you'd really want to see this sort of thing implemented won't do it.

Is there a reason why this is often done so? Is this because UDP is stateless and any script kiddie could launch a DOS attack with a UDP stream?

State, some form of sender verification, and that it and most other commonly used protocols besides TCP do not generally react to implicit congestion signals (drops usually).

Given the state of affairs these days how difficult is it going to be for somebody to launch a DOS attack with some other protocol?

There have been ICMP-based attacks and there are, at least in theory if not common in practice, others such as IGMP-based attacks. There have been numerous DoS (single D) attacks with TCP-based services precisely because of weaknesses or difficulties in managing unexpected TCP session behavior. The potential sending capacity of even a small set of hosts from around the globe, UDP, TCP or other protocol, could easily overwhelm many points of aggregation. All it takes is for an attacker to coerce a sufficient subset of hosts to send the packets.

John
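The table John quotes in both messages above is an aggregate policer per protocol class on each user-subnet ingress, with TCP and intra-campus traffic exempt. The block below is an added example written for this page, not code from the thread or from any router vendor: it simulates that policy with one token bucket per class so the effect can be seen directly. A 50 Mb/s UDP stream offered from a user subnet is clamped to about 10 Mb/s, the same stream as TCP or addressed inside the campus passes untouched, and ICMP is held to about 2 Mb/s. The campus prefix 10.0.0.0/8, the 10 ms burst depth, the packet size and the protocol-number-to-class mapping are assumptions for the simulation; real policers differ in how they size and refill bursts, so use this to reason about the policy rather than to predict a given router's exact numbers.

```python
"""Per-protocol-class ingress policer simulation (added example, not from the thread).

Models the policy John Kristoff describes: aggregate token-bucket limits per
protocol class on a user subnet's ingress, no limit on TCP, no limit on traffic
staying inside the campus. The campus prefix, burst depth and packet size are
assumptions made for this simulation.
"""
from __future__ import annotations
import ipaddress
from collections import defaultdict

MBPS = 1_000_000
CAMPUS = ipaddress.ip_network("10.0.0.0/8")   # assumed local (exempt) prefix

# Aggregate limits from the thread, in Mb/s, keyed by policer class.
LIMITS_MBPS = {"icmp": 2, "udp": 10, "mcast": 10, "igmp": 2,
               "ipsec": 10, "gre": 10, "other": 10}

# IP protocol number -> class (ESP stands in for "IPSEC" as in the thread).
IP_PROTO_CLASS = {1: "icmp", 2: "igmp", 6: "tcp", 17: "udp", 47: "gre", 50: "ipsec"}


def classify(proto: int, dst: ipaddress.IPv4Address | ipaddress.IPv6Address) -> str:
    """Map an IP protocol number and destination to a policer class."""
    if dst.is_multicast:
        return "mcast"           # multicast policed as its own group, separate from UDP
    return IP_PROTO_CLASS.get(proto, "other")


class TokenBucket:
    def __init__(self, rate_bps: float, burst_bytes: int):
        self.rate = rate_bps / 8.0        # refill rate in bytes per second
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)
        self.last = 0.0

    def allow(self, now: float, size: int) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


class IngressPolicer:
    def __init__(self, limits=LIMITS_MBPS, local=CAMPUS, burst_ms: float = 10.0):
        # Burst depth must exceed the largest packet or that class never passes at all.
        self.buckets = {cls: TokenBucket(mbps * MBPS, int(mbps * MBPS / 8 * burst_ms / 1000))
                        for cls, mbps in limits.items()}
        self.local = local
        self.passed = defaultdict(int)    # class -> bytes accepted
        self.dropped = defaultdict(int)   # class -> bytes policed

    def process(self, now: float, proto: int, dst: str, size: int) -> bool:
        addr = ipaddress.ip_address(dst)
        cls = classify(proto, addr)
        if cls == "tcp" or addr in self.local:
            self.passed[cls] += size      # exempt: TCP, and anything staying on campus
            return True
        ok = self.buckets[cls].allow(now, size)
        (self.passed if ok else self.dropped)[cls] += size
        return ok


def simulate_flood(proto: int, dst: str, offered_mbps: float,
                   seconds: float = 1.0, size: int = 1200) -> float:
    """Offer a constant-rate stream of `size`-byte packets through a fresh
    policer and return the accepted rate in Mb/s."""
    policer = IngressPolicer()
    interval = size * 8 / (offered_mbps * MBPS)
    accepted = 0
    for i in range(int(seconds / interval)):
        if policer.process(i * interval, proto, dst, size):
            accepted += size
    return accepted * 8 / seconds / MBPS


if __name__ == "__main__":
    for label, proto, dst in [("UDP to Internet", 17, "192.0.2.10"),
                              ("TCP to Internet", 6, "192.0.2.10"),
                              ("UDP on campus", 17, "10.1.2.3"),
                              ("ICMP to Internet", 1, "192.0.2.10")]:
        print(f"{label:17s} offered 50 Mb/s -> accepted "
              f"{simulate_flood(proto, dst, 50):.1f} Mb/s")
```

The simulation also shows the measurement caveat John mentions: a UDP throughput test from such a subnet reports roughly the class limit, not the link speed, and a single IKE/ESP tunnel competes with every other IPsec flow on the subnet for the same 10 Mb/s bucket, so keepalives can be policed when an unrelated tunnel is busy while TCP and ICMP on the same path show no loss.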
Re: Mac compatible SFP+/XFP programmer
Hi,

Flexoptix seems to do the trick, but via a Web browser: https://www.flexoptix.net/en/flexbox-v3-transceiver-programmer.html

From what I've heard, this thing does the job.

Best regards.

On 30 Jul 2015 at 20:28, Jason Lixfeld ja...@lixfeld.ca wrote:

Does anyone know where I might find an SFP+/XFP programmer with a Mac compatible programmer application? Thanks!
Re: ATT U-Verse Data Setup Convention
I have an ATT U-verse small business connection at my office with a static IP setup, and my experience matches what the ATT tech said. We have a separate router behind the ATT router. The ATT router is an Arris (former Motorola) NVG595. Our router has a static IP out of our subnet and does NAT for the office network.

As far as I can tell, the U-verse supplied router cannot be replaced with something less sucky. The problem is getting the 802.1x certificate needed to authenticate on the WAN port. I dislike ATT's hardware as it has more limitations than just this, but some of those limitations can be worked around with an additional router downstream of it.

Quoting Keith Stokes kei...@neilltech.com:

I’m wondering if someone can share their experiences, or maybe there’s an ATT person here who can confirm policy.

I work for a SaaS provider that requires a source IP for businesses to access our system. Normally we tell the customer to request a “Static IP” from their provider. That term makes sense to most ISPs. However, we’ve recently worked with an ATT higher-up tech who told us that every U-Verse modem is locked to an address even when set to DHCP and will not change unless the unit is changed. Ordering a “Static IP” from them means your devices will individually get public addresses, which isn’t a requirement for us, isn’t quite as easy to add multiple devices and costs our customers more money.

Here are my questions:

1. Is it really accurate that the customer’s address is tied to the modem/router?
2. For my curiosity, is this done through a DHCP reservation or is there a hard coded entry somewhere?
3. Do all U-Verse modem/routers behave the same way? This particular unit was a Motorola but the friends I’ve seen with U-Verse use a Cisco unit.

--- Keith Stokes