SBC / Yahoo Mail Admin
Hello - I am looking for someone with the SBC/Yahoo email group that might be able to assist me in tracking down a couple of issues. I have pretty much exhausted most of the known publicly listed resources. Feel free to contact me off list. Thanks in advance. - Max Dixon
RE: Register.com DNS outages
-Original Message- From: esanb...@tsd-inc.com [mailto:esanb...@tsd-inc.com] Sent: Monday, November 15, 2010 7:09 AM To: m...@kenweb.org; nanog@nanog.org Subject: RE: Register.com DNS outages Possibly, although register.com does not allow this. Maybe other DNS hosting companies do... -Original Message- From: ML [mailto:m...@kenweb.org] Sent: Sunday, November 14, 2010 10:59 PM To: nanog@nanog.org Subject: Re: Register.com DNS outages On 11/14/2010 10:20 PM, John Lightfoot wrote: My company uses register.com for DNS hosting and we were hit by its troubles this weekend. I know there are companies that offer backup DNS services, but those seem to be aimed at companies that host their own DNS, which we're not really interested in doing at this time. Are there mainstream DNS hosting companies that allow customers to use a second company for their backup DNS? Does register.com allow this? DYNDNS.com is a company that does what you are looking for, to a degree. They provide a back-up DNS service but under the assumption that they are backing up your server. I should not be that difficult to setup delegation with your primary DNS provider. Why not just add multiple Names servers from multiple providers under your Domain Registration? - Michienne Dixon Network Administrator liNKCity 312 Armour Rd. North Kansas City, MO 64116 www.linkcity.org (816) 412-7990
RE: Anyone notice strange announcements for 174.128.31.0/24
Interesting - So as a cyber criminal - I could setup a router, start announcing AS 16733, 18872, and maybe 6966 for good measure and their routers would ignore my announcements and IP ranges that I siphoned from searching IANA? Hm... Would that also prevent them from accessing my rogue network from their network? - Michienne Dixon Network Administrator liNKCity 312 Armour Rd. North Kansas City, MO 64116 www.linkcity.org (816) 412-7990 -Original Message- From: Simon Lockhart [mailto:si...@slimey.org] Sent: Wednesday, January 14, 2009 2:07 AM To: Hank Nussbacher Cc: NANOG list Subject: Re: Anyone notice strange announcements for 174.128.31.0/24 On Wed Jan 14, 2009 at 09:59:14AM +0200, Hank Nussbacher wrote: What if, by doing some research experiment, the researcher discovers some unknown and latent bug in IOS or JunOS that causes much of the Internet to go belly up? 1 in a billion chance, but nonetheless, a headsup would have been in order. Say we had a customer who connected to us over BGP, and they used some new experimental BGP daemon. Their announcement was odd in some way, but appeared clean to us (a Cisco house). Once their announcement hit the a Foundry router, it tickled a bug which caused the router to propogate the announcement, but also start to blackhole traffic. Oh dear, large chunks of the Internet have just gone belly up. Should we have given a heads up to the Internet at large that we were turning up this customer? Simon (Yes, I'm in the minority that thinks that Randy hasn't done anything bad) -- Simon Lockhart | * Sun Server Colocation * ADSL * Domain Registration * Director|* Domain Web Hosting * Internet Consultancy * Bogons Ltd | * http://www.bogons.net/ * Email: i...@bogons.net *
RE: Anyone notice strange announcements for 174.128.31.0/24
Like Paul said below - On the surface it looked legit. I received a notice indicating my AS had done some wrong and that I should correct the issue. Of course I am going to investigate - Maybe I fat fingered something or one of my tech had done something like not clearing the code of a lab router when connecting it to the production network. OrMaybe there was something nefarious going. When I attempted to contact the source of the notice and inform them that I was not hijacking IP space the message bounced. I did look up the owner of the netblock. I saw that it was an experimental range. I sent an email to Randy (sorry for the fire storm that followed) but did not receive a response. Being the reformed juvenile delinquent I am, my line of thought went to Hm...Someone could be up to no-good. I better find out more. I could have chosen to ignore it and say WTF, I'm not doing anything wrong. Why should I care?. Instead I chose to ask my peers, many of whom are much more knowledgeable than I am, because I feel as network engineers, administrators, and router-jocks, it is our responsibility to safe-guard internet traffic and insure reliable communication when we can. /My $.02 - Michienne Dixon Network Administrator liNKCity 312 Armour Rd. North Kansas City, MO 64116 www.linkcity.org (816) 412-7990 -Original Message- From: Paul Stewart [mailto:pstew...@nexicomgroup.net] Sent: Tuesday, January 13, 2009 2:52 PM To: Joe Abley; Patrick W. Gilmore Cc: NANOG list Subject: RE: Anyone notice strange announcements for 174.128.31.0/24 Um.. no. I can't speak for the others on this list who were effected like us - but we take this stuff very seriously and respectively you would too *if* you had a previous legit issue that appeared to the same **on the surface**. A cautious and indepth look at this was taken upon us hoping that history wasn't repeating itself (previously explained) and thankfully it wasn't ... but until the time is spent to make absolutely sure how do you know?? At the end of the day, it wasn't a serious operational issue but raised a number of concerns I believe Paul
RE: Anyone notice strange announcements for 174.128.31.0/24
Well, if you really want to pick knits you are welcome to. If I meant prepending, I would have said that. The example that I listed was setting up a router, advertising the ASNs listed and the random IP ranges gleaned from IANA. Sorry if I confused you. - Michienne Dixon Network Administrator liNKCity 312 Armour Rd. North Kansas City, MO 64116 www.linkcity.org (816) 412-7990 -Original Message- From: John Payne [mailto:j...@sackheads.org] Sent: Wednesday, January 14, 2009 3:57 PM To: Michienne Dixon Cc: NANOG list Subject: Re: Anyone notice strange announcements for 174.128.31.0/24 On Jan 14, 2009, at 10:50 AM, Michienne Dixon wrote: Interesting - So as a cyber criminal - I could setup a router, start announcing AS 16733, 18872, and maybe 6966 for good measure and their routers would ignore my announcements and IP ranges that I siphoned from searching IANA? Hm... Would that also prevent them from accessing my rogue network from their network? What do you mean announcing AS 16733... ? Putting 16733 in an AS PATH is not announcing it. - Michienne Dixon Network Administrator liNKCity 312 Armour Rd. North Kansas City, MO 64116 www.linkcity.org (816) 412-7990 -Original Message- From: Simon Lockhart [mailto:si...@slimey.org] Sent: Wednesday, January 14, 2009 2:07 AM To: Hank Nussbacher Cc: NANOG list Subject: Re: Anyone notice strange announcements for 174.128.31.0/24 On Wed Jan 14, 2009 at 09:59:14AM +0200, Hank Nussbacher wrote: What if, by doing some research experiment, the researcher discovers some unknown and latent bug in IOS or JunOS that causes much of the Internet to go belly up? 1 in a billion chance, but nonetheless, a headsup would have been in order. Say we had a customer who connected to us over BGP, and they used some new experimental BGP daemon. Their announcement was odd in some way, but appeared clean to us (a Cisco house). Once their announcement hit the a Foundry router, it tickled a bug which caused the router to propogate the announcement, but also start to blackhole traffic. Oh dear, large chunks of the Internet have just gone belly up. Should we have given a heads up to the Internet at large that we were turning up this customer? Simon (Yes, I'm in the minority that thinks that Randy hasn't done anything bad) -- Simon Lockhart | * Sun Server Colocation * ADSL * Domain Registration * Director|* Domain Web Hosting * Internet Consultancy * Bogons Ltd | * http://www.bogons.net/ * Email: i...@bogons.net *
Anyone notice strange announcements for 174.128.31.0/24
I'm not entirely certain what is going on but has anyone noticed some strange announcements for 174.128.31.0/24? I received a hijack notice that my AS (AS11708) was announcing the above IP range. I verified that I was not when I started noticing some strange announcements for that range. Around 10 Am CST AS11911 was announcing it (AS_PATH: 1239 2914 3130 11911) then around 11:30 AM CST I observed AS12083 announcing it (AS_PATH: 1239 2914 3130 12083). Interestingly enough, ARIN indicates this is a part of range they have assigned for reachability testing. http://ws.arin.net/whois/?queryinput=174.128.31.0 This was from this AM around 10 AM CST: tel...@mlx4ap3#sho ip bgp route 174.128.31.0/24 Number of BGP Routes matching display condition : 1 Prefix Next HopMetric LocPrf Weight Status 1 174.128.31.0/24160.81.151.109 88 200100 BE AS_PATH: 1239 2914 3130 11911 Last update to IP routing table: 2h24m33s, 1 path(s) installed: This was from this AM around 11:30 AM CST: Number of BGP Routes matching display condition : 1 Prefix Next HopMetric LocPrf Weight Status 1 174.128.31.0/24160.81.151.109 88 200100 BE AS_PATH: 1239 2914 3130 12083 Last update to IP routing table: 0h0m43s, 1 path(s) installed: - Michienne Dixon liNKCity 312 Armour Rd. North Kansas City, MO 64116 www.linkcity.org (816) 412-7990
RE: Anyone notice strange announcements for 174.128.31.0/24
The IAR was the source of my notice as well and is what started me down this path of cat herding. I would think that it would only be polite to notify people about what is going on so that other people do not waste their time looking for phantom issues. - Michienne Dixon Network Administrator liNKCity 312 Armour Rd. North Kansas City, MO 64116 www.linkcity.org http://www.linkcity.org/ (816) 412-7990 From: karli...@gmail.com [mailto:karli...@gmail.com] On Behalf Of Josh Karlin Sent: Monday, January 12, 2009 12:57 PM To: Paul Stewart Cc: Majdi S. Abbas; Michienne Dixon; nanog@nanog.org Subject: Re: Anyone notice strange announcements for 174.128.31.0/24 At some point 3130 announced these prefixes, and is now prepending other ASes to them. Pretty Good BGP (and hence the IAR) sees them as prefix hijacks. If you'd like to see the entire list of prefixes, check out: http://iar.cs.unm.edu/search.php and enter in 3130 as the Victim AS Josh On Mon, Jan 12, 2009 at 11:52 AM, Paul Stewart pstew...@nexicomgroup.net wrote: Same here.. got a notice this morning and while it's false, I still have no response from Randy neither on this matter... If they are going to involve our AS numbers and trigger alarms it would be nice to notify us first... especially on something as major as a prefix hijacking (potentially) Paul
RE: Anyone notice strange announcements for 174.128.31.0/24
My apologizes for jumping the gun. - Michienne Dixon Network Administrator liNKCity 312 Armour Rd. North Kansas City, MO 64116 www.linkcity.org (816) 412-7990 -Original Message- From: Randy Bush [mailto:ra...@psg.com] Sent: Monday, January 12, 2009 1:42 PM To: Paul Stewart Cc: Majdi S. Abbas; Michienne Dixon; nanog@nanog.org Subject: Re: Anyone notice strange announcements for 174.128.31.0/24 On 09.01.13 03:52, Paul Stewart wrote: Same here.. got a notice this morning and while it's false, I still have no response from Randy neither on this matter.. guy's gotta sleep some time. it's 04:40 here. if you wrote me directly, you would have a response by now. almost to the bottom of my mailbox. part of the experiment is to measure the difference between the amount of nanog mail lorenzo drew in 2005 by pre-announcing with the amount we get in 2009 while not pre-announcing. :) randy
RE: Anyone notice strange announcements for 174.128.31.0/24
The only exception I took with this morning's exercise is that had I known that Mr. Bush was doing legitimate testing I would have allocated my time differently. I would consider this analogous to a customer testing their home alarm system and not letting the alarm company know about the test. The alarm company is going to investigate and I would hope even attempt to call the customer. Upon not being able to reach the customer they decide to err on the side of caution and dispatch someone to investigate. As Mr. Bush said, tools can be used for good or bad. If someone was using my AS to hijack IP space that belonged someone else, I would want to know about it. Would that not be akin to using a stolen identity to commit a crime? Mr. Bush - I'm not trying to beat a dead horse here. (Un)fortunately, you have given a lot of us something to discuss today. ;) - Michienne Dixon Network Administrator liNKCity 312 Armour Rd. North Kansas City, MO 64116 www.linkcity.org (816) 412-7990 -Original Message- From: Joe Abley [mailto:jab...@hopcount.ca] Sent: Monday, January 12, 2009 3:52 PM To: Patrick W. Gilmore Cc: NANOG list Subject: Re: Anyone notice strange announcements for 174.128.31.0/24 On 2009-01-12, at 16:16, Patrick W. Gilmore wrote: People have been doing it forever. However, it has been considered sketchy at best. This all seems highly subjective. Considered that way by some, sure (including you, it seems). In my experience prepending someone else's AS to a prefix has only been useful operationally only as a short-term, emergency measure (e.g. when trying to avoid a black-hole between two remote ASes, neither of whom shows any signs of fixing the problem). Randy's application, and Lorenzo's before him also seem like short- term applications designed to explore answering operational questions. Just because something is generally not used, or even if it's only worth using in an emergency, doesn't make it sketchy. Most knee-jerk reactions to AS_PATH manipulation sound to me like fear of the unusual. Joe
RE: Anyone notice strange announcements for 174.128.31.0/24
But isn't this method kind of related to how an network from the Mediterranean/Mid-east went about blocking what they felt was undesirable/offensive content from entering their network? - Michienne Dixon Network Administrator liNKCity 312 Armour Rd. North Kansas City, MO 64116 www.linkcity.org (816) 412-7990 -Original Message- From: Randy Bush [mailto:ra...@psg.com] Sent: Monday, January 12, 2009 4:47 PM To: Paul Stewart Cc: NANOG list Subject: Re: Anyone notice strange announcements for 174.128.31.0/24 On 09.01.13 07:42, Paul Stewart wrote: For us, it was annoying - we look for prefix hijackings or what appear to be. i think herein lies the rub. it is not prefix hijacking and in no way should it appear that way to you. i suggest tuning your detectors. i am told that path poisoning is used (futilely, we hope to show) in day to day ops by folk to try to avert dos attacks. randy
RE: Anyone notice strange announcements for 174.128.31.0/24
I sit corrected. I thought they had started announcing someone else's AS and network range. - Michienne Dixon Network Administrator liNKCity 312 Armour Rd. North Kansas City, MO 64116 www.linkcity.org (816) 412-7990 -Original Message- From: Patrick W. Gilmore [mailto:patr...@ianai.net] Sent: Monday, January 12, 2009 5:00 PM To: NANOG list Subject: Re: Anyone notice strange announcements for 174.128.31.0/24 On Jan 12, 2009, at 5:55 PM, Michienne Dixon wrote: But isn't this method kind of related to how an network from the Mediterranean/Mid-east went about blocking what they felt was undesirable/offensive content from entering their network? No. -- TTFN, patrick
RE: Anyone notice strange announcements for 174.128.31.0/24
snip Now that doesn't mean other operators can't put in a lightning talk about the impact or 'event' this triggered in their own NOC environments along with what they recommend operators do to reduce the spun cycles G snip Easy - Refer all anomalies that do not the result of a direct outage to Randy. :D - Michienne Dixon Network Administrator liNKCity 312 Armour Rd. North Kansas City, MO 64116 www.linkcity.org (816) 412-7990
RE: Some odd harvesting going on?
snip I too think C-R spam 'prevention' is the lazy-mans approach at filtering spam. People can easily create their own whitelists based on their maillogs or mailhistory. snip Unfortunately, I feel the majority of the solutions offered cater to the non-technical. The process of simplifying often results in a product that requires the least amount of hands-on from the end-user. Coupled with the fact that the average end-user is not interested in learning a process that takes more then 5 paragraphs to explain and more than 10 minutes to implement (without some sort of wizard) and I think we have a good idea why the layman's approach is so prevalent. - Michienne Dixon Network Administrator liNKCity 312 Armour Rd. North Kansas City, MO 64116 www.linkcity.org (816) 412-7990
RE: Replacement for Avaya CNA/RouteScience
Have you considered any of the options from Vyatta? Aside from the roll your own community offerings they also have a precompiled virtual appliance as well as a physical appliance you can use. - Michienne Dixon Network Administrator liNKCity 312 Armour Rd. North Kansas City, MO 64116 www.linkcity.org (816) 412-7990 -Original Message- From: Drew Weaver [mailto:[EMAIL PROTECTED] Sent: Thursday, July 03, 2008 6:51 AM To: nanog@nanog.org Subject: Replacement for Avaya CNA/RouteScience Howdy for reasons it might be inappropriate to discuss on this list we've decided that we're going to replace our Avaya/RouteScience box and we're looking for recommendations on different solutions for 'BGP management appliances'. We're aware of the Internap FCP product, but is there anything else out there besides 'oy, hire a BGP admin ya tool!' that anyone can offer? As always, comments are appreciated. -Drew
