Re: de-peering for security sake

[Colin Johnston]

> On 25 Dec 2015, at 00:48, valdis.kletni...@vt.edu wrote:
> 
> On Thu, 24 Dec 2015 23:44:10 +, Colin Johnston said:
>> We really need to ask if China and Russia for that matter will not take abuse
>> reports seriously why allow them to network to the internet ?
> 
> Well, first off, it isn't like China or Russia are just one ASN.  You'd have
> to de-peer a bunch of ASN's - and also eliminate any paid transit connections.
> 
> Note that even North Korea has managed to land at least a small presence on
> the Internet.  Are you going to ban them too?
> 
> While we're banning countries, how about the country that's known for
> widespread surveillance both foreign and domestic, has one of the strongest
> cyber warfare arsenals around, and has been caught multiple times diverting 
> and
> backdooring routers sold to foreign countries?
> 
> Oh wait, that's the US. Maybe we better rethink this?
> 
> Obviously, there's a lot of organizations that think that being able to
> communicate with China and Russia outweighs the security issues.  You are
> of course welcome to make a list of all Russian and Chinese ASNs and block
> their prefixes at your border.

So therefore we must somehow engage and enforce best practice for abuse alerts 
and action issues

Colin

Re: de-peering for security sake

[Daniel Corbe]

> On Dec 25, 2015, at 7:14 AM, Nick Hilliard  wrote:
> 
> Daniel Corbe wrote:
>> Let’s just cut off the entirety of the third world instead of having
>> a tangible mitigation plan in place.
> 
> You mean, cut off Sweden, Ireland, Finland, Switzerland and Israel?
> 
>> https://en.wikipedia.org/wiki/Third_World
> 
> What an enormously silly idea.
> 
> Seasons greetings to all,
> 
> Nick
> 

It was a stupid idea even before you corrected me.

Re: IPv4 shutdown in mobile

[Ca By]

On Friday, December 25, 2015, Mark Tinka  wrote:

>
>
> On 22/Dec/15 14:45, Ca By wrote:
> >
> > At least in mobile, the change to ipv6 has been quick and the pace is
> > increasing -- not just on ipv6 deployment but also on ipv4 shutdown. I
> know
> > many people liken ipv6 to "the boy who cried wolf", so be it, the
> > data shows the ipv6 wolf is here.  Or perhapsin hind   sight, we will see
> > the right metaphor was "the tortoise and the hare" or "the little engine
> > that could"... Or even better IPv4 is John Henry.  It was the best in its
> > time, but times have changed.
>
> Mobile in Africa has done nothing on IPv6. South East Asia was the same
> last time I was there (2012).
>
> It would be nice to hear about Europe, the Middle East Latin America and
> Canada as well, if anyone has any stories.
>
> Mark.
>

SK Telecom has deployed 464xlat at a large scale  in Korea
http://slidehot.us/resources/applying-ipv6-to-lte-networks.482671/

Re: de-peering for security sake

[Stephen Satchell]

On 12/25/2015 06:18 AM, Mike Hammett wrote:

To the thread, not necessarily Daniel, if blocking
countries\continents is a bad thing (not saying I disagree), how do
you deal with the flood of trash? Just take it on the chin?

The degree of splash damage by blocking this way will vary based
uponwhat kind of network you are. Residential eyeballs? You could
probably block most of a lot of things and people wouldn't notice
or care, as long as it wasn't Google, Facebook, Netflix, etc.


In my networks, different users have different requirements.  So I have 
to be careful in my ACLs to allow what they need, while reducing access 
by those who view the Internet as a sewer, and not as a privilege. (Used 
to be a BOFH in the NSF days.)


So my blocking list has grown, as I have identified bad actors from the 
information in my logs.  Keeping in mind that people with one bad habit 
will most likely have other bad habits as well, I keep it simple: if you 
don't play nice, you are blocked at the demarc.


For of the majority of my users, I provide access behind a router with 
the block list shown below.  For those customers who want an unblocked 
feed, I provide that by having the edge bypass the filtering router. (No 
one has asked yet for custom filters -- 1841s are cheap and easy, and 
don't take much power.)


I don't intend to provide this list for others to use.  I provide this 
list as an example of how I exercise my right of Internet Freedom of 
Assocation, and keep my own network safe from intruders.  Abuse reports? 
 I've given up on them, frankly.  My logs don't include enough 
information for some admins, so they drop my reports without further 
comment.  When there is an admin listed.


The nice thing about IPTABLES is that I can pull a report, if I want to, 
of which of these blocks are still generating traffic.  As we go farther 
down the IPv4-split road, I may just set up a database of the blocks, 
and monitor the traffic to see which ones have gone silent and thus can 
be removed.  Or not -- that's a lot of work and time, both of which I 
can direct to activities that bring in revenue.



1.93.34.222/32  china ssh abuser2014 August
5.79.75.0/24netherlands spam2015 January
8.27.235.155Microsoft   2015 September
14.139.172.0/24 india ssh abuser2015 April
23.19.26.250ubiquityservers.com ssh 2015 January
23.90.39.0/24   eonix.net   spam2014 October
23.90.51.0/24   eonix.net   spam2014 October
23.227.196.0/24 Swiftway.comspammer 2014 October
23.228.74.0/24  globalfrag.com  spam2015 January
23.228.78.0/24  Blanckeart (NY) spam2014 September
23.228.96.0/24  globalfrag.com  spam2015 January
23.228.103.0/24 spam2015 April
23.229.2.0/24   servermania.com spam2015 January
23.229.97.0/24  servermania.com spam2015 January
23.247.12.0/24  globalfrag.com  spam2015 January
23.254.59.0/24  spam2015 April
31.184.194.114  russia  ssh 2015 January
36.72.228.0/24  India ssh abuser2014 October
38.113.188.0/24 cogent.net  spam2015 January
41.186.0.0/16   Rwanda  ssh 2015 May
43.229.52.0/24  unknown ssh 2015 May
43.229.53.0/24  unknown ssh 2015 September
43.255.189.0/24 unknown ssh 2015 June
46.166.136.0/24 spam2015 April
46.166.189.0/24 spam2015 April
50.2.0.0/15 eonix.net spam  2014 October
50.7.38.0/24fdcservers.net  spam2015 January
50.162.224.109  comcast.net ssh 2015 January
52.28.227.79amazonaws   ssh 2015 September
58.208.0.0/12   china ssh abuser2015 May
58.217.106.0/24 china ssh   2014 November
58.218.166.241/24   china ssh abuser2015 April
58.218.204.241/24   china ssh abuser2015 April
60.173.8.0/24   china shellshock2014 September
60.173.9.0/24   china shellshock2014 September
60.173.10.0/24  china shellshock2014 September
60.173.11.0/24  china shellshock2014 September
60.173.14.0/24  china shellshock2014 September
60.173.26.0/24  china shellshock2014 September
60.174.233.0/24 china shellshock2014 September
60.184.82.0/24  china spam  2014 October
61.153.105.0/24 china ssh abuser2014 August
61.153.110.0/24 china ssh abuser2014 August
61.174.49.0/24  china smtp abuser   2014 August
61.174.50.0/24  china ssh abuser2014 August
61.174.51.0/24  china ssh abuser2014 August
61.168.229.114/24   china ssh abuser2015 February

Weekly Routing Table Report

[Routing Analysis Role Account]

This is an automated weekly mailing describing the state of the Internet
Routing Table as seen from APNIC's router in Japan.

The posting is sent to APOPS, NANOG, AfNOG, AusNOG, SANOG, PacNOG,
SAFNOG, PaNOG, SdNOG, BJNOG, CaribNOG and the RIPE Routing WG.

Daily listings are sent to bgp-st...@lists.apnic.net

For historical data, please see http://thyme.rand.apnic.net.

If you have any comments please contact Philip Smith .

Routing Table Report   04:00 +10GMT Sat 26 Dec, 2015

Report Website: http://thyme.rand.apnic.net
Detailed Analysis:  http://thyme.rand.apnic.net/current/

Analysis Summary


BGP routing table entries examined:  576265
Prefixes after maximum aggregation (per Origin AS):  213285
Deaggregation factor:  2.70
Unique aggregates announced (without unneeded subnets):  280854
Total ASes present in the Internet Routing Table: 52365
Prefixes per ASN: 11.00
Origin-only ASes present in the Internet Routing Table:   36632
Origin ASes announcing only one prefix:   15883
Transit ASes present in the Internet Routing Table:6400
Transit-only ASes present in the Internet Routing Table:169
Average AS path length visible in the Internet Routing Table:   4.4
Max AS path length visible:  37
Max AS path prepend of ASN ( 40285)  34
Prefixes from unregistered ASNs in the Routing Table:  1012
Unregistered ASNs in the Routing Table: 362
Number of 32-bit ASNs allocated by the RIRs:  12218
Number of 32-bit ASNs visible in the Routing Table:9333
Prefixes from 32-bit ASNs in the Routing Table:   35630
Number of bogon 32-bit ASNs visible in the Routing Table:16
Special use prefixes present in the Routing Table:0
Prefixes being announced from unallocated address space:393
Number of addresses announced to Internet:   2802731460
Equivalent to 167 /8s, 14 /16s and 73 /24s
Percentage of available address space announced:   75.7
Percentage of allocated address space announced:   75.7
Percentage of available address space allocated:  100.0
Percentage of address space in use by end-sites:   97.9
Total number of prefixes smaller than registry allocations:  189204

APNIC Region Analysis Summary
-

Prefixes being announced by APNIC Region ASes:   146560
Total APNIC prefixes after maximum aggregation:   40490
APNIC Deaggregation factor:3.62
Prefixes being announced from the APNIC address blocks:  155240
Unique aggregates announced from the APNIC address blocks:62692
APNIC Region origin ASes present in the Internet Routing Table:5125
APNIC Prefixes per ASN:   30.29
APNIC Region origin ASes announcing only one prefix:   1198
APNIC Region transit ASes present in the Internet Routing Table:890
Average APNIC Region AS path length visible:4.5
Max APNIC Region AS path length visible: 34
Number of APNIC region 32-bit ASNs visible in the Routing Table:   1770
Number of APNIC addresses announced to Internet:  756202372
Equivalent to 45 /8s, 18 /16s and 187 /24s
Percentage of available APNIC address space announced: 88.4

APNIC AS Blocks4608-4864, 7467-7722, 9216-10239, 17408-18431
(pre-ERX allocations)  23552-24575, 37888-38911, 45056-46079, 55296-56319,
   58368-59391, 63488-64098, 131072-135580
APNIC Address Blocks 1/8,  14/8,  27/8,  36/8,  39/8,  42/8,  43/8,
49/8,  58/8,  59/8,  60/8,  61/8, 101/8, 103/8,
   106/8, 110/8, 111/8, 112/8, 113/8, 114/8, 115/8,
   116/8, 117/8, 118/8, 119/8, 120/8, 121/8, 122/8,
   123/8, 124/8, 125/8, 126/8, 133/8, 150/8, 153/8,
   163/8, 171/8, 175/8, 180/8, 182/8, 183/8, 202/8,
   203/8, 210/8, 211/8, 218/8, 219/8, 220/8, 221/8,
   222/8, 223/8,

ARIN Region Analysis Summary


Prefixes being announced by ARIN Region ASes:181143
Total ARIN prefixes after maximum aggregation:88980
ARIN Deaggregation factor: 2.04
Prefixes being announced from the ARIN address blocks:   184603
Unique aggregates announced from the ARIN address blocks: 86550
ARIN Region origin ASes present in the Internet Routing Table:16470

Re: de-peering for security sake

[Max Tulyev]

Come on, keep calm and wait a year: Russia and China will de-peer with
all the world for their security (AKA censorship) reasons! ;)

On 25.12.15 01:44, Colin Johnston wrote:
> see
> http://map.norsecorp.com
> 
> We really need to ask if China and Russia for that matter will not take abuse 
> reports seriously why allow them to network to the internet ?
> 
> Colin
> 
> 

Re: de-peering for security sake

[Mike Hammett]

To the thread, not necessarily Daniel, if blocking countries\continents is a 
bad thing (not saying I disagree), how do you deal with the flood of trash? 
Just take it on the chin? 

The degree of splash damage by blocking this way will vary based upon what kind 
of network you are. Residential eyeballs? You could probably block most of a 
lot of things and people wouldn't notice or care, as long as it wasn't Google, 
Facebook, Netflix, etc. 




- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 



Midwest Internet Exchange 
http://www.midwest-ix.com 


- Original Message -

From: "Daniel Corbe"  
To: "Nick Hilliard"  
Cc: "NANOG"  
Sent: Friday, December 25, 2015 8:11:55 AM 
Subject: Re: de-peering for security sake 


> On Dec 25, 2015, at 7:14 AM, Nick Hilliard  wrote: 
> 
> Daniel Corbe wrote: 
>> Let’s just cut off the entirety of the third world instead of having 
>> a tangible mitigation plan in place. 
> 
> You mean, cut off Sweden, Ireland, Finland, Switzerland and Israel? 
> 
>> https://en.wikipedia.org/wiki/Third_World 
> 
> What an enormously silly idea. 
> 
> Seasons greetings to all, 
> 
> Nick 
> 

It was a stupid idea even before you corrected me. 

Re: de-peering for security sake

[Daniel Corbe]

> On Dec 25, 2015, at 9:18 AM, Mike Hammett  wrote:
> 
> To the thread, not necessarily Daniel, if blocking countries\continents is a 
> bad thing (not saying I disagree), how do you deal with the flood of trash? 
> Just take it on the chin? 

If you as an end user want to be the cyber-equivalent of a xenophobe because 
OMG BAD INTERNETS then be my guest.  On the other hand, I’m a network operator 
so I don’t have the luxury of dictating to my users what they can and cannot 
reach.  

> 
> The degree of splash damage by blocking this way will vary based upon what 
> kind of network you are. Residential eyeballs? You could probably block most 
> of a lot of things and people wouldn't notice or care, as long as it wasn't 
> Google, Facebook, Netflix, etc. 

As a residential ISP with many first and second generation American immigrants 
in my service footprint I can assure you this notion is patently false.  People 
will definitely notice and care if they can’t communicate with their relatives 
and consume content in their home countries.  

> 
> 
> 
> 
> - 
> Mike Hammett 
> Intelligent Computing Solutions 
> http://www.ics-il.com 
> 
> 
> 
> Midwest Internet Exchange 
> http://www.midwest-ix.com 
> 
> 
> - Original Message -
> 
> From: "Daniel Corbe"  
> To: "Nick Hilliard"  
> Cc: "NANOG"  
> Sent: Friday, December 25, 2015 8:11:55 AM 
> Subject: Re: de-peering for security sake 
> 
> 
>> On Dec 25, 2015, at 7:14 AM, Nick Hilliard  wrote: 
>> 
>> Daniel Corbe wrote: 
>>> Let’s just cut off the entirety of the third world instead of having 
>>> a tangible mitigation plan in place. 
>> 
>> You mean, cut off Sweden, Ireland, Finland, Switzerland and Israel? 
>> 
>>> https://en.wikipedia.org/wiki/Third_World 
>> 
>> What an enormously silly idea. 
>> 
>> Seasons greetings to all, 
>> 
>> Nick 
>> 
> 
> It was a stupid idea even before you corrected me. 
> 
> 

Re: de-peering for security sake

[Owen DeLong]

> On Dec 25, 2015, at 06:18 , Mike Hammett  wrote:
> 
> To the thread, not necessarily Daniel, if blocking countries\continents is a 
> bad thing (not saying I disagree), how do you deal with the flood of trash? 
> Just take it on the chin? 

Allowing hate speech is the price of having free speech. I will decry, 
denounce, and object to all of the statements promoting racism or banning entry 
of people based on religion, or other forms of discrimination, but I will not 
claim that any person has no right to make those statements. In fact, I will 
strongly defend the right of those people to make fools of themselves in public 
every bit as strongly as I will defend my right to make opposing statements. 
Unless we tolerate unpopular speech, we risk a tyranny of the majority which is 
both detrimental to society overall and antithetical to freedom of speech, the 
principles of democracy, and the entire concept of a free society.

To some extent, some of the trash we take on the chin on the internet is the 
price of having a free and open internet.

I’m not opposed to localized depeering or blockage when warranted, but it is 
important to keep such actions as granular as practicable. Otherwise, the 
collateral damage to the free and open internet becomes greater than the damage 
done by the miscreants we are attempting to block.

Surely blocking an entire nation is well beyond “as granular as practicable”.

I realize that reactionary overreach has become fashionable in the US since 
9/11. Some great examples include the U.S.A.P.A.T.R.I.O.T. act, warrantless 
wiretapping and the associated unconstitutional laws of ex post facto granting 
retroactive immunity to the phone companies that lacked the will to say no. 
Examples abound even today in the surveillance bill that got buried in the 
recent budget act.

> The degree of splash damage by blocking this way will vary based upon what 
> kind of network you are. Residential eyeballs? You could probably block most 
> of a lot of things and people wouldn't notice or care, as long as it wasn't 
> Google, Facebook, Netflix, etc. 

That may be true, but even if it is, it still doesn’t make broad censorship a 
concept we should support or accept in practice.

The extent to which it is true reminds me of the story (apocryphal as it is) of 
the frog in a pot of water with the temperature being raised slowly.

Merely because people are asleep at the switch does not give those of us in a 
position to understand the consequences license to abuse our position.

Owen

Re: de-peering for security sake

[Nick Hilliard]

Daniel Corbe wrote:
> Let’s just cut off the entirety of the third world instead of having
> a tangible mitigation plan in place.

You mean, cut off Sweden, Ireland, Finland, Switzerland and Israel?

> https://en.wikipedia.org/wiki/Third_World

What an enormously silly idea.

Seasons greetings to all,

Nick

Re: de-peering for security sake

[Daniel Corbe]

You know, without actually looking I’m willing to lay money down that the 
people beating the blocklist drum are the same people who scream the loudest 
about net neutrality when they can’t actually get to the content they want. 

> On Dec 25, 2015, at 11:25 AM, Daniel Corbe  wrote:
> 
> 
>> On Dec 25, 2015, at 9:18 AM, Mike Hammett  wrote:
>> 
>> To the thread, not necessarily Daniel, if blocking countries\continents is a 
>> bad thing (not saying I disagree), how do you deal with the flood of trash? 
>> Just take it on the chin? 
> 
> If you as an end user want to be the cyber-equivalent of a xenophobe because 
> OMG BAD INTERNETS then be my guest.  On the other hand, I’m a network 
> operator so I don’t have the luxury of dictating to my users what they can 
> and cannot reach.  
> 
>> 
>> The degree of splash damage by blocking this way will vary based upon what 
>> kind of network you are. Residential eyeballs? You could probably block most 
>> of a lot of things and people wouldn't notice or care, as long as it wasn't 
>> Google, Facebook, Netflix, etc. 
> 
> As a residential ISP with many first and second generation American 
> immigrants in my service footprint I can assure you this notion is patently 
> false.  People will definitely notice and care if they can’t communicate with 
> their relatives and consume content in their home countries.  
> 
>> 
>> 
>> 
>> 
>> - 
>> Mike Hammett 
>> Intelligent Computing Solutions 
>> http://www.ics-il.com 
>> 
>> 
>> 
>> Midwest Internet Exchange 
>> http://www.midwest-ix.com 
>> 
>> 
>> - Original Message -
>> 
>> From: "Daniel Corbe"  
>> To: "Nick Hilliard"  
>> Cc: "NANOG"  
>> Sent: Friday, December 25, 2015 8:11:55 AM 
>> Subject: Re: de-peering for security sake 
>> 
>> 
>>> On Dec 25, 2015, at 7:14 AM, Nick Hilliard  wrote: 
>>> 
>>> Daniel Corbe wrote: 
 Let’s just cut off the entirety of the third world instead of having 
 a tangible mitigation plan in place. 
>>> 
>>> You mean, cut off Sweden, Ireland, Finland, Switzerland and Israel? 
>>> 
 https://en.wikipedia.org/wiki/Third_World 
>>> 
>>> What an enormously silly idea. 
>>> 
>>> Seasons greetings to all, 
>>> 
>>> Nick 
>>> 
>> 
>> It was a stupid idea even before you corrected me. 
>> 
>> 
> 

Re: announcement of freerouter

[mate csaba]

it's free and as far as i know the only sw router with working evpn/pbb, 
evpn/vxlan, and evpn/cmac data plane, just to name one...

regards,
cs


On 12/25/2015 07:27 AM, Gabriel Marais wrote:


And very well priced for the rich feature list.

On 25 Dec 2015 6:25 AM, "Josh Reynolds" > wrote:


RouterOS is an existing product by MikroTik.
On Dec 24, 2015 9:46 PM, "mate csaba" > wrote:

> hi,
> pleased to announce a stable release of freerouter.
> this is a routing daemon that does packet handling itself
> so it can do bridging, routing ipv4/ipv6 unicast/multicast,
> mpls, vpls, evpn, mpls te, mldp, segment routing, and so on...
> speaks a lot of routing protocols like rip, ospf, isis, eigrp, bgp,
> babel...
> does a lot of tunneling like gre, ipip, ipsec, l2tp, geneve, vxlan,
> nvgre...
> have a lot of built in servers like dns, http(s), smtp, pop3,
telnet,
> tacacs, radius, ssh...
> it can start external images which could be connected, so
various lab
> topolgies can be easily created.
> our nren uses if as primary fullbgp rr for more than a year for
about
> hundred routers.
> here is the homepage: http://freerouter.nop.hu/
> feel free to try it out and send suggestions/bug reports...:)
> thanks in advance,
> csaba mate
> niif/hungarnet
>
>

Re: de-peering for security sake

[Clayton Zekelman]

Just an off the cuff thought but if the format of the abuse messages could be 
standardized so handling them would be semi-automated somewhat like ACNS 
notices, it might improve response.

Maybe such a format already exists and just isn't widely used.

Sent from my iPhone

> On Dec 25, 2015, at 4:52 PM, Mikael Abrahamsson  wrote:
> 
>> On Fri, 25 Dec 2015, Colin Johnston wrote:
>> 
>> why do the chinese network folks never reply and action abuse reports, 
>> normal slow speed network abuse is tolerated, but not high speed deliberate 
>> abuse albeit compromised machines
> 
> This is not a chinese problem, this is a general ISP problem. Most ISPs do 
> not respond to abuse reports.
> 
> -- 
> Mikael Abrahamssonemail: swm...@swm.pp.se

Re: de-peering for security sake

[Owen DeLong]

> On Dec 25, 2015, at 22:16 , Dan Hollis  wrote:
> 
> On Fri, 25 Dec 2015, Owen DeLong wrote:
>> Merely because people are asleep at the switch does not give those of us in 
>> a position to understand the consequences license to abuse our position.
> 
> At what point do you cut the wire? How abusive is acceptable?

IMHO, you never cut the wire. You may filter selectively, but cutting the wire 
comes with far more collateral damage than actual useful effect.

Owen

Re: announcement of freerouter

[Gabriel Marais]

And very well priced for the rich feature list.
On 25 Dec 2015 6:25 AM, "Josh Reynolds"  wrote:

> RouterOS is an existing product by MikroTik.
> On Dec 24, 2015 9:46 PM, "mate csaba"  wrote:
>
> > hi,
> > pleased to announce a stable release of freerouter.
> > this is a routing daemon that does packet handling itself
> > so it can do bridging, routing ipv4/ipv6 unicast/multicast,
> > mpls, vpls, evpn, mpls te, mldp, segment routing, and so on...
> > speaks a lot of routing protocols like rip, ospf, isis, eigrp, bgp,
> > babel...
> > does a lot of tunneling like gre, ipip, ipsec, l2tp, geneve, vxlan,
> > nvgre...
> > have a lot of built in servers like dns, http(s), smtp, pop3, telnet,
> > tacacs, radius, ssh...
> > it can start external images which could be connected, so various lab
> > topolgies can be easily created.
> > our nren uses if as primary fullbgp rr for more than a year for about
> > hundred routers.
> > here is the homepage: http://freerouter.nop.hu/
> > feel free to try it out and send suggestions/bug reports...:)
> > thanks in advance,
> > csaba mate
> > niif/hungarnet
> >
> >
>

Re: de-peering for security sake

[Baldur Norddahl]

On 25 December 2015 at 21:10, Colin Johnston  wrote:

> why do the chinese network folks never reply and action abuse reports,
> normal slow speed network abuse is tolerated, but not high speed deliberate
> abuse albeit compromised machine
>

They do not speak the same language as you. They barely understand your
complaint and you would not understand their reply (in chinese!) - or do
you expect everyone to know english?

Why does everyone expect the chinese to use Google Translate? Try it
yourself before sending off your complaint in Mandarin...

Regards,

Baldur

Re: de-peering for security sake

[Mark Tinka]

On 25/Dec/15 14:14, Nick Hilliard wrote:

> You mean, cut off Sweden, Ireland, Finland, Switzerland and Israel?

And watch the transit per-Mbps price go up? Who do we think funds the
low bandwidth costs of the "first world"?

Mark.

Re: de-peering for security sake

[Colin Johnston]

been there, done that
网络滥用 fix you ntp reflection servers :)

Sent from my iPhone

> On 25 Dec 2015, at 20:29, Baldur Norddahl  wrote:
> 
>> On 25 December 2015 at 21:10, Colin Johnston  wrote:
>> 
>> why do the chinese network folks never reply and action abuse reports,
>> normal slow speed network abuse is tolerated, but not high speed deliberate
>> abuse albeit compromised machine
> 
> They do not speak the same language as you. They barely understand your
> complaint and you would not understand their reply (in chinese!) - or do
> you expect everyone to know english?
> 
> Why does everyone expect the chinese to use Google Translate? Try it
> yourself before sending off your complaint in Mandarin...
> 
> Regards,
> 
> Baldur

Re: de-peering for security sake

[Baldur Norddahl]

On 25 December 2015 at 20:06, Lee  wrote:

> Enable IPv6 for your users.  1) it's not going to have any "history" &
> 2) ipv6 probably isn't blocked.
>

I am not aware of just one single government site in this country (Denmark)
that is IPv6 enabled. There are zero danish news sites that are IPv6
enabled. In fact, nothing here is IPv6 enabled - with the exception of all
major ISP sites. For some strange reason all ISPs have IPv6 on their
websites (but they do not provide IPv6 to their customers). It is sad
really.


>
> > So now my users can not access government sites because the IP ranges
> were
> > owned by a company in a different country two years ago.
>
> Find one of your users that's a citizen of said gov't & forward their
> complaint to the gov't sites.  Non-citizen complaints are much easier
> to ignore..
>

I am a citizen and yes, they do ignore us. If you can manage to find the
right guy, he can probably fix it in a few minutes. It is just that there
is no way to get to that guy. The front desk has no clue what you are
talking about. To these people we should just stop sending traffic from
Romania and it would all be fixed, no?

To make it worse it is a really boring game of whack a mole. The users are
constantly finding new sites that are either blocking us or are showing the
site in the wrong language. Each time we open up a new IP series, it all
starts over again. We do not have enough cash on hand to simply buy a real
large chunk of IPv4, so we have multiple smaller blocks.

With regards to this thread, I am finding a worrying trend for websites to
block out of country IP-addresses at the firewall. In the past you could
expect that some content would not play or that your credit card payment
would be blocked. But now you never get to that stage because sites are
dropping the packets at the firewall.

Regards,

Baldur

Re: de-peering for security sake

[TR Shaw]

ARF (http://www.rfc-editor.org/rfc/rfc5965.txt 
, 
https://www.rfc-editor.org/rfc/rfc6650.txt) and X-ARF 
(http://www.x-arf.org/index.html ) are used 
quite alot and many, like Yahoo, only accept ARF reports on abusive emails.

you might want to read MAAWG’s BCP: 
https://www.m3aawg.org/sites/default/files/document/M3AAWG_Feedback_Reporting_Recommendation_BP-2014-02.pdf
 


Tom

> On Dec 25, 2015, at 5:12 PM, Clayton Zekelman  wrote:
> 
> Just an off the cuff thought but if the format of the abuse messages could be 
> standardized so handling them would be semi-automated somewhat like ACNS 
> notices, it might improve response.
> 
> Maybe such a format already exists and just isn't widely used.
> 
> Sent from my iPhone
> 
>> On Dec 25, 2015, at 4:52 PM, Mikael Abrahamsson  wrote:
>> 
>>> On Fri, 25 Dec 2015, Colin Johnston wrote:
>>> 
>>> why do the chinese network folks never reply and action abuse reports, 
>>> normal slow speed network abuse is tolerated, but not high speed deliberate 
>>> abuse albeit compromised machines
>> 
>> This is not a chinese problem, this is a general ISP problem. Most ISPs do 
>> not respond to abuse reports.
>> 
>> -- 
>> Mikael Abrahamssonemail: swm...@swm.pp.se

Re: de-peering for security sake

[Lee]

On 12/24/15, Baldur Norddahl  wrote:
> I am afraid people are already doing this. Every time I bring a new IP
> series into production, my users will complain that they are locked out
> from sites including many government sites. This is because people will
> load IP location lists into their firewall and drop packets at the border.
> Of course they will not update said lists and load year old lists into
> their firewalls.

Enable IPv6 for your users.  1) it's not going to have any "history" &
2) ipv6 probably isn't blocked.

> So now my users can not access government sites because the IP ranges were
> owned by a company in a different country two years ago.

Find one of your users that's a citizen of said gov't & forward their
complaint to the gov't sites.  Non-citizen complaints are much easier
to ignore..

Regards,
Lee


> Take a guess on how responsive site owners are when we complain about their
> firewall. Most refuse to acknowledge they do any blocking and insist the
> problem is at our end. That is if they respond at all.
>
> Regards,
>
> Baldur
>
>
> On 25 December 2015 at 02:25, Stephen Satchell  wrote:
>
>> On 12/24/2015 04:50 PM, Daniel Corbe wrote:
>>
>>> Let’s just cut off the entirety of the third world instead of having
>>> a tangible mitigation plan in place.
>>>
>>
>> While you thing you are making a snarky response, it would be handy for
>> end users to be able to turn on and off access to other countries retail.
>> If *they* don't need access to certain third world countries, it would be
>> their decision, not the operator's decision.
>>
>> For example, here on my little network we have no need for connectivity
>> to
>> much of Asia, Africa, or India.  We do have need to talk to Europe,
>> Australia, and some countries in South America.
>>
>>
>

Re: de-peering for security sake

[Colin Johnston]

why do the chinese network folks never reply and action abuse reports, normal 
slow speed network abuse is tolerated, but not high speed deliberate abuse 
albeit compromised machines

Sent from my iPhone

> On 25 Dec 2015, at 19:43, Baldur Norddahl  wrote:
> 
>> On 25 December 2015 at 20:06, Lee  wrote:
>> 
>> Enable IPv6 for your users.  1) it's not going to have any "history" &
>> 2) ipv6 probably isn't blocked.
>> 
> 
> I am not aware of just one single government site in this country (Denmark)
> that is IPv6 enabled. There are zero danish news sites that are IPv6
> enabled. In fact, nothing here is IPv6 enabled - with the exception of all
> major ISP sites. For some strange reason all ISPs have IPv6 on their
> websites (but they do not provide IPv6 to their customers). It is sad
> really.
> 
> 
>> 
>>> So now my users can not access government sites because the IP ranges
>> were
>>> owned by a company in a different country two years ago.
>> 
>> Find one of your users that's a citizen of said gov't & forward their
>> complaint to the gov't sites.  Non-citizen complaints are much easier
>> to ignore..
>> 
> 
> I am a citizen and yes, they do ignore us. If you can manage to find the
> right guy, he can probably fix it in a few minutes. It is just that there
> is no way to get to that guy. The front desk has no clue what you are
> talking about. To these people we should just stop sending traffic from
> Romania and it would all be fixed, no?
> 
> To make it worse it is a really boring game of whack a mole. The users are
> constantly finding new sites that are either blocking us or are showing the
> site in the wrong language. Each time we open up a new IP series, it all
> starts over again. We do not have enough cash on hand to simply buy a real
> large chunk of IPv4, so we have multiple smaller blocks.
> 
> With regards to this thread, I am finding a worrying trend for websites to
> block out of country IP-addresses at the firewall. In the past you could
> expect that some content would not play or that your credit card payment
> would be blocked. But now you never get to that stage because sites are
> dropping the packets at the firewall.
> 
> Regards,
> 
> Baldur

Re: de-peering for security sake

[Mikael Abrahamsson]

On Fri, 25 Dec 2015, Colin Johnston wrote:

why do the chinese network folks never reply and action abuse reports, 
normal slow speed network abuse is tolerated, but not high speed 
deliberate abuse albeit compromised machines


This is not a chinese problem, this is a general ISP problem. Most ISPs do 
not respond to abuse reports.


--
Mikael Abrahamssonemail: swm...@swm.pp.se

Re: de-peering for security sake

[Andrew Kirch]

Speaking as a former DNSBL operator, NANOG has a poor history of
dealing with those who report abuse as well.

On Fri, Dec 25, 2015 at 4:52 PM, Mikael Abrahamsson  wrote:
> On Fri, 25 Dec 2015, Colin Johnston wrote:
>
>> why do the chinese network folks never reply and action abuse reports,
>> normal slow speed network abuse is tolerated, but not high speed deliberate
>> abuse albeit compromised machines
>
>
> This is not a chinese problem, this is a general ISP problem. Most ISPs do
> not respond to abuse reports.
>
> --
> Mikael Abrahamssonemail: swm...@swm.pp.se

Re: de-peering for security sake

[Owen DeLong]

I think that even in the US, a provider would want a more specific complaint 
than “The network abuses”.

Owen

> On Dec 25, 2015, at 12:40 , Colin Johnston  wrote:
> 
> been there, done that
> 网络滥用 fix you ntp reflection servers :)
> 
> Sent from my iPhone
> 
>> On 25 Dec 2015, at 20:29, Baldur Norddahl  wrote:
>> 
>>> On 25 December 2015 at 21:10, Colin Johnston  wrote:
>>> 
>>> why do the chinese network folks never reply and action abuse reports,
>>> normal slow speed network abuse is tolerated, but not high speed deliberate
>>> abuse albeit compromised machine
>> 
>> They do not speak the same language as you. They barely understand your
>> complaint and you would not understand their reply (in chinese!) - or do
>> you expect everyone to know english?
>> 
>> Why does everyone expect the chinese to use Google Translate? Try it
>> yourself before sending off your complaint in Mandarin...
>> 
>> Regards,
>> 
>> Baldur

Re: de-peering for security sake

[Hugo Slabbert]

Just in case I missed the /s on there:

> Maybe such a format already exists and just isn't widely used.

It does and it isn't.

http://www.x-arf.org/

--
Hugo
h...@slabnet.com: email, xmpp/jabber
also on Signal

 From: Clayton Zekelman  -- Sent: 2015-12-25 - 14:12 

> Just an off the cuff thought but if the format of the abuse messages could be 
> standardized so handling them would be semi-automated somewhat like ACNS 
> notices, it might improve response.
>
> Maybe such a format already exists and just isn't widely used.
>
> Sent from my iPhone
>
>> On Dec 25, 2015, at 4:52 PM, Mikael Abrahamsson  wrote:
>>
>>> On Fri, 25 Dec 2015, Colin Johnston wrote:
>>>
>>> why do the chinese network folks never reply and action abuse reports, 
>>> normal slow speed network abuse is tolerated, but not high speed deliberate 
>>> abuse albeit compromised machines
>>
>> This is not a chinese problem, this is a general ISP problem. Most ISPs do 
>> not respond to abuse reports.
>>
>> --
>> Mikael Abrahamssonemail: swm...@swm.pp.se
>




signature.asc
Description: PGP/MIME digital signature