Re: IPv6 End User Fee

2012-08-03 Thread William Pitcock
Hi,

On Aug 3, 2012, at 2:22 PM, Otis L. Surratt, Jr. o...@ocosa.com wrote:

 Anyone charging end users for IPv6 space yet? :p
 
 Just wondering, with so many IPv6 resources in a single allocation it
 would seem difficult to charge anything at all.
 
 1. How are you making up loss of revenue on IPv4 assignments?

If revenue from IPv4 assignments is an issue, then the solution is to adjust 
your business model to not depend on that revenue.  As an ISP, the business is 
to ship bits around.

 2. Are you charging anything?

Haven't ever charged for IPv6 allocations...

 3. Is the cost built into the service?

The cost of IPv6 is so negligible (well unless you need advanced software 
licenses -- hi brocade), that I don't see any point in even accounting the cost 
of providing IPv6 into a service fee.

 4. Do you assign IPv6 space to end user and charge admin fee?

By assign, do you mean SWIP?  Some places charge an admin fee to do a SWIP, but 
for setting up an allocation, I have never heard of an admin fee.

William


Re: IPv6 End User Fee

2012-08-03 Thread William Pitcock
Hi!

On Aug 3, 2012, at 6:32 PM, Otis L. Surratt, Jr. o...@ocosa.com wrote:

 By end user I mean hosting clients (cloud, colocation, shared, dedicated, 
 VPS, etc.) of any sort. For example you have clients that would need, say, a
 /24 for their dedicated server. If you charge $1.00/IP, which is typical, 
 then you would lose that revenue if they converted to IPv6. If you didn't 
 charge for IPv4 then you have nothing to lose. 
 

A possible revenue-recovery model would be to charge say $2 per IP for services 
below a certain resource threshold, for example 1gb vps or larger get free IPs 
and dedicated servers get free IPs.  This helps to increase margin as some 
people will upgrade to more expensive plans to get the free IPv4s.  In hosting 
you can just issue /128s on ipv6 and require upgrades to get larger allocations.

William

 Otis
 
 
 
 From: Cutler James R [mailto:james.cut...@consultant.com]
 Sent: Fri 8/3/2012 3:48 PM
 To: Otis L. Surratt, Jr.
 Cc: NANOG list
 Subject: Re: IPv6 End User Fee
 
 
 
 On Aug 3, 2012, at 3:22 PM, Otis L. Surratt, Jr. o...@ocosa.com wrote:
 Anyone charging end users for IPv6 space yet? :p
 
 snip/
 Otis
 
 
 I can't imagine that this would be anything but counterproductive.  End users 
 are not interested in IPv6 - most would not recognize IPv6 if it fell out of 
 their screen.  End users want working connectivity, not jargon. 
 
 James R. Cutler
 james.cut...@consultant.com
 
 
 

Sent from my Sprint iPhone


Re: Question about Martians on Vyatta

2012-06-28 Thread William Pitcock

On Jun 28, 2012, at 10:42 AM, Eric Germann egerm...@limanews.com wrote:

 All,
 
 I'm trying to understand why a Vyatta 6.4 collection of routers is carping 
 about the following as martian routes:
 
 113.107.174.14
 27.73.1.159
 94.248.215.60
 95.26.105.161
 
 They don't look like they fall in the traditional martian space. I also 
 wondered if they were addresses without a reverse route, but they have 
 reverse paths in our routing tables (full routes from AS 10796 and 11530).
 
 Any thoughts?
 
 EKG
 

Do you have routing-table entries which cover those IPs?  Try "ip route show 
<ip>" as root.

Linux NET/4 stack considers (as far as IPv4/IPv6 go) anything that is not in 
the routing table or an immediate neighbour as martian.

William


Re: Question about Martians on Vyatta

2012-06-28 Thread William Pitcock
Hi,

On Jun 28, 2012, at 10:50 AM, Eric Germann egerm...@limanews.com wrote:

 Well, I did when I checked them shortly after I saw the log messages.
 
 Wondering now if the routes for those bounced and in the middle of the 
 bounce, they're considered martian.

Yes, that sounds reasonable.  Anything that is returned on an interface which 
doesn't match what it should be in the routing table would also be considered 
martian if routing table entries apply to specific interfaces.

Are you running BGP with a default route?  That might be causing it as Linux 
network stack prefers more specific entries, so if you're getting a bounce over 
a different interface...

William
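To make the two conditions described in the replies above concrete (no route back to the source at all, or the best route back leaving via a different interface than the packet arrived on, e.g. a default route plus a more specific that flaps), here is an added Python model of Linux's strict reverse-path check. It is example code, not from the thread; the routing table, the interface names and the withdrawal helper are constructed assumptions.

```python
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[str, str]  # (prefix, egress interface)

# Constructed routing table for this example; prefixes and interface names
# are assumptions, not the poster's configuration.
ROUTES: List[Route] = [
    ("0.0.0.0/0", "eth0"),        # default route towards transit
    ("94.248.0.0/16", "eth1"),    # more specific learned from a second upstream
    ("192.0.2.0/24", "eth2"),     # directly connected customer LAN
]


def lookup(table: List[Route], addr: str) -> Optional[str]:
    """Longest-prefix match: the interface the kernel would use to reach addr."""
    ip = ipaddress.ip_address(addr)
    best: Optional[str] = None
    best_len = -1
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and net.prefixlen > best_len:
            best, best_len = iface, net.prefixlen
    return best


def classify(table: List[Route], src: str, in_iface: str) -> str:
    """Strict reverse-path check (rp_filter=1) for a packet from src on in_iface.

    A source with no route back at all is martian; so is one whose best
    route back leaves via a different interface than the packet arrived on.
    """
    back = lookup(table, src)
    if back is None:
        return "martian: no route to source"
    if back != in_iface:
        return f"martian: reverse path via {back}, packet arrived on {in_iface}"
    return "ok"


def withdraw(table: List[Route], prefix: str) -> List[Route]:
    """Return a copy of the table without prefix (simulates a BGP withdrawal)."""
    return [r for r in table if r[0] != prefix]


if __name__ == "__main__":
    src = "94.248.215.60"  # one of the addresses from the original question
    print(classify(ROUTES, src, "eth1"))   # best route back is eth1: ok
    print(classify(ROUTES, src, "eth0"))   # arrived via default-route side: martian
    flapped = withdraw(ROUTES, "94.248.0.0/16")
    print(classify(flapped, src, "eth1"))  # during the bounce only the default remains
    no_default = withdraw(flapped, "0.0.0.0/0")
    print(classify(no_default, src, "eth1"))  # nothing covers it: martian
```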




Re: Request to lease IP space, or things that make you want to go hmmmmm..

2012-03-08 Thread William Pitcock

Hi,

On 3/8/2012 5:40 PM, Matthew Huff wrote:

Just got an email today to our account associated with our legacy ARIN address space. A firm 
Precision Management of Texas is interested in subleasing some of our IP space for 
on-demand solutions for brand marketers and website promotion chiefly through email 
marketing.

The one thing clear within the large amount of marketing-speak is they want "As is 
the nature of this business PM seeks to obtain as much diversity in the allocated IP 
space as possible, however the most important thing is the Subnets need to have no abuse 
history."

Anyone else get solicited?
   

Yes, they have spammed me regarding some legacy space I control.

They seem to be flexible: "We can take the IPs via GRE or BGP or other such tunneling 
solution to where you have them announced. Alternatively we can advertise them ourselves 
on our network, saving you the back-haul. As a third solution we can take a server on 
your network with the following specs:..."

To which my response was something along the lines of "no thanks".  
These guys just want your IPs so they can get around whatever IP 
reputation problem they have.  It will most probably infect the rest of 
your netblock, as that is standard MO for any anti-abuse DNSBL.


What is odd is -- they solicit anyone with legacy space, even if it's 
just a /24 worth, this is odd because they want you to provide them with 
more than one subnet, which probably means they want IPs on different 
/24 boundaries since some mail filtering systems use the /24 boundary.


William



Re: report botnet CC?

2012-02-08 Thread William Pitcock
hi,

On Feb 8, 2012, at 1:04 PM, Nicolai wrote:

 On Tue, Feb 07, 2012 at 10:20:07PM -0500, Ryan Rawdon wrote:
 Assuming it is not a futile/wasted effort, where is the current best
 place/resource to report an active botnet CC to?
 
 I don't know if there's a single best option, but there are several good
 ones.  In addition to Cymru I'd mention abuse.ch, which runs several
 public botnet CC trackers.

DroneBL does investigate and track CCs, or at least, did when I ran it.  I 
would assume that it still does, so you may wish to contact them.

William




Re: XSServer / Taking down a spam friendly provider

2011-10-26 Thread William Pitcock
On Wed, 26 Oct 2011 13:47:03 -0400
Chris cal...@gmail.com wrote:

 For folks who do not understand, I'm trying to McColo XSServer so
 their lack of response in regards to abuse is gone rather than the
 suggestions of scripting (guess you didn't read the full text of the
 email) or you pushing a product on me because you work for the ISP
 that the product is hosted on. Everybody remembers McColo going down
 and being dropped from uplinks in 2008 then all the spam disappeared,
 right?

McColo and Atrivo were disconnected for much larger sins than spamming
someone's wordpress blog.

William



Re: XSServer / Taking down a spam friendly provider

2011-10-26 Thread William Pitcock
On Wed, 26 Oct 2011 20:22:53 -0400
Chris cal...@gmail.com wrote:

  McColo and Atrivo were disconnected for much larger sins than
  spamming someone's wordpress blog.
 
 Many of you do not understand the scope of just spamming a Wordpress
 blog.

I do understand the scope of shady SEO companies.

 This is a huge business. Shady SEO companies are charging
 individuals at least $250 per month to use their spam tools of choice
 to spam forums and Wordpress blogs. I got one of the major players on
 the run right now because he cannot seem to keep his business page
 hosted with a company longer than a few weeks and I keep playing
 whack-a-mole with him.

McColo and Atrivo were not terminated because of spam.  If you believe
they are, then you are simply misinformed.  Atrivo and McColo were
terminated over their network being used extensively for botnet
control centers.

Really!  Not spam!

 Guess what? Innocent people's websites are being deranked on Google
 for hiring these guys with their shady backlink services and their
 money is being taken.

Bummer.  Indeed, it sucks to be them.  Newsflash: only morons hire
SEO companies.  Perhaps Google is just working on increasing
relevance quality by penalizing them for being morons.  I would say it
is a brilliant strategy, myself.

 Yes I know they got what they deserved, but it's so obvious with
 these backlink guys using cheap virtual private servers for a month,
 getting shutdown and getting a new IP address that something needs to
 be done.

Ok, and when they go to another budget VPS provider other than
XSServer?  I am just wondering if you have a strategy for that
scenario.  Will you come and whine on NANOG about that provider too?

 
 XSServer could have simply amused me with a default auto reply to make
 it look like they are doing something.

Wow, thanks for the pro tip.  You're telling me that if I just replace
my ab...@systeminplace.net contact with an autoresponder that most
people will just assume that we are doing something and I can go and
spend all my time on hookers and booze instead of terminating spammers?

Shit.  Why didn't anyone tell me earlier?

 
  Will your host allow you to block IP ranges?
 
 Not the solution I was looking for because blocking IP ranges and
 using scripts / services / etc like Akismet or others is simply
 ignoring the problem, not solving it.
 
 For folks who say hosting companies are not helpful: Linode, Amazon,
 BurstNET, Ubiquity Servers and others are extremely responsive to
 abuse complaints.
 

William



Re: NANOG List Update - Moving Forward

2011-07-12 Thread William Pitcock
On Tue, 12 Jul 2011 10:50:38 +0100 (BST)
Tim Franklin t...@pelican.org wrote:

  Thankfully, the current test has been a success.
 
 Including stopping non-members from posting to the list, and other
 anti-spam?
 
 I've got a sudden influx this morning of spam addressed to
 nanog@nanog.org :(
 

Ditto.  Getting lots of crap here.

William


Re: VPN tunnels between US and China dropping/slow

2011-05-10 Thread William Pitcock
On Tue, 10 May 2011 10:12:57 -0400
Thomas York strate...@fuhell.com wrote:

 At my current place of business, we have several manufacturing plants
 in China as well as the United States. All of the plants have an OVPN
 tunnel to a datacenter here in Indianapolis which connect all of the
 plants. Our China plants pay for the basic 3mbit/3mbit fiber internet
 connections. I've had a hell of a time keeping their tunnels up.
 They're running on port 443 over TCP now, but every month or so the
 tunnel degrades so badly I have to switch the port. I've recently
 tried tunneling OVPN (UDP) over a GRE tunnel and that has worked for
 a few months..but even now is degrading. The interesting thing is
 that ONLY the tunnel traffic gets degraded. I've replaced all of the
 equipment on both ends of all of the VPN tunnels, which changed
 nothing.
 
 

This is actually caused by the Chinese firewall trying to reset the VPN
connection.  The reason why they are doing this is because people are
buying VPN services to get around the firewall.  As of late, they have
become a lot more clever about VPN blocking.

 
 Currently, we're talking to Time Warner and some of our customers who
 have plants in China to see what solutions they're using to get
 around this kind of issue. One thing we are hearing quite often is
 that they're using a MPLS based connection to Hong Kong, then going
 to the USA from there. We're happy to try this, but due to cost
 issues we're (management mostly) considering this a last resort
 option. Are there any other options maybe some of you have to fixing
 this issue? Thanks

The only option is to get transport to an endpoint outside China, e.g.
in Hong Kong.

William



Re: 23,000 IP addresses

2011-05-10 Thread William Pitcock
On Tue, 10 May 2011 10:22:03 -0400
Christopher Morrow morrowc.li...@gmail.com wrote:

 On Tue, May 10, 2011 at 10:15 AM, Scott Brim scott.b...@gmail.com
 wrote:
  On Tue, May 10, 2011 at 09:42, Leigh Porter
  leigh.por...@ukbroadband.com wrote:
  So are they basing this on you downloading it or on making it
  available for others?
 
  Without knowing the details, I wouldn't assume any such level of
  competence or integrity.  It could just be a broad witch hunt.
 
 I know of a decent sized global ISP that ran (runs?) a large darknet
 that was the equivalent of a few /16's routed to a fbsd host running
 'tcpdump' (a tad more complex, but essentially this). BayTSP (one of
 the 'make legal threats for the mpaa/riaa' firms) sent ~2k notes to
 the ISP about downloaders on these ips.
 
 Looking at netflow data (sample 1:1 on that interface) they had
 portscanned (from ip space registered in their name) each address in
 the range and sent subpoena-material to all ips that they thought they
 got a response from.
 
 At least baytsp got theirs? (money I mean)
 

Do you have any links to evidence of this?  I would love to just be
able to automatically throw BayTSP mails in the garbage, but I can't
just blindly do it if there is any chance of them being legitimate.

William



Re: Cent OS migration

2011-05-09 Thread William Pitcock
On Mon, 9 May 2011 17:14:06 -0400
Lamar Owen lo...@pari.edu wrote:

 On Monday, May 09, 2011 04:45:36 PM Kevin Oberman wrote:
  Depends on what he is doing. BSDs tend to be far more mature than
  any Linux. They are poor systems for desktops or anything like
  that. They are heavily used as servers by many very large providers
  and as the basis for many products like Ironport (Cisco) and JunOS
  (Juniper). 
 
 Cisco had an RHEL rebuild (internal) at one time, called,
 refreshingly enough, Cisco Enterprise Linux.  Cisco also uses/used a
 Linux base for their Content Engines and subsequent ACNS-running
 boxen.
 
 The rather high-priced ADVA-sourced Cisco  Metro 1500 DWDM boxes used
 a 486 ISA single-board computer running off of DiskOnChip SSD for
 control and SNMP.
 
 Having said that, I'd be just about as comfortable with a BSD as with
 a Linux.
 
 And I do, and will continue to, run CentOS in production. 

I'd rather run Scientific Linux over CentOS.  In fact, I'd rather this so
much that we run SL instead of CentOS even on our cPanel boxes now.

Mind, for anything where we *don't* have to run CentOS, we use Debian
or Alpine.

Anyway, I was just wondering what the general consensus of NANOG is
regarding CentOS vs Scientific Linux.  SL generally has faster security
updates and people are *paid* to work on it full-time.  CentOS on the
other hand is supported out-of-the-box by most software.

William



Re: Contact for City of Panama City Beach, FL?

2011-04-14 Thread William Pitcock
On Thu, 14 Apr 2011 15:02:36 -0700
Dan Dill d...@harsch.com wrote:

 http://www.pcbgov.com/city_directory.htm
 
 Seems like it wouldn't be hard to track down that information...

Can you identify where on that page it lists a contact for the IT
department of the Panama City government?

I can't, because it does not list such a contact.

William



Re: IPv6 SEO implications?

2011-03-28 Thread William Pitcock
On Mon, 28 Mar 2011 15:18:30 -0700
Wil Schultz wschu...@bsdboy.com wrote:

 I'm attempting to find out information on the SEO implications of
 testing ipv6 out.
 
 A couple of concerns that come to mind are:
 
 1) www.domain.com and ipv6.domain.com are serving the exact same
 content. Typical SEO standards are to only serve good content from a
 single domain so information isn't watered down and so that the
 larger search engines won't penalize. So a big concern is having
 search results take a hit because content is duplicated through two
 different domains, even though one domain is ipv4 only and the other
 is ipv6 only.
 
 2) Not running ipv6 natively, or using 6to4. 
 This (potentially) increases hop count and will put content on a
 slower GRE tunnel and add some additional time for page load times. 
 
 3) ??? Any others that I haven't thought of ???

If you are so concerned about SEO, just dual-stack your site.  It works
well for me.

William



Re: Why does abuse handling take so long ?

2011-03-13 Thread William Pitcock
On Sun, 13 Mar 2011 05:39:02 -0700 (PDT)
goe...@anime.net wrote:

 On Sun, 13 Mar 2011, Alexander Maassen wrote:
  Why o why are isp's and hosters so ignorant in dealing with such
  issues and act like they do not care?
 
 they don't act like they do not care. they really *don't* care. no
 acting.

well, they should care.  if a customer is compromised and ddosing, it
costs the provider money (additional traffic being pushed bringing your
95% closer to your commit levels or possibly causing an overage to be
incurred.)

by doing nothing it may wind up costing them something - even if they
can make the money back by passing the overage onto the customer, there
is a high likelihood that the customer will just jump ship and not pay
the invoice and go elsewhere.

william



Re: [BEWARE] David J. Moore

2011-03-04 Thread William Pitcock
On Thu, 03 Mar 2011 09:03:18 -0500
Leon Kaiser litera...@gmail.com wrote:

 This is the man who poisoned DroneBL. He is a bad man. Keep your
 children safe.
 http://raged.tittybang.org/

How, exactly, has kunwon1 poisoned DroneBL when he has had no RPC key
for over a year?

William



Re: Ranges announced by Level3 without permissions.

2011-03-04 Thread William Pitcock
On Thu, 03 Mar 2011 15:34:11 +0100
Alfa Telecom r...@alfatelecom.cz wrote:

 On 03/03/2011 03:25 PM, Brandon Ross wrote:
  On Thu, 3 Mar 2011, Alfa Telecom wrote:
 
  Both ranges are from RIPE region and couldn't be announced from
  ARIN ASN at all.
 
  Your premise is incorrect.  Any block from any RIR can be announced
  by any ASN.
 1) All routing data must be present in the RIPE DB. If you work with the
 RIPE DB you can see that the web tools don't allow you to create a route
 to an ASN not from the RIPE region.
 2) RIPE IP usage policy doesn't allow routing RIPE IPs from a non-RIPE
 region.

This is not true, I have seen several instances of IPs from RIPE being
used in the US, by people in Europe.

William



Re: What vexes VoIP users?

2011-03-01 Thread William Pitcock
Hi,

On Tue, 1 Mar 2011 09:25:23 + (GMT)
Tim Franklin t...@pelican.org wrote:

  I do not live over there, I have never seen a Vonage or Magic jack
  or any other VoIP service ad on TV in the UK, ever. 
 
 Vonage *are* advertising on UK TV.  Hardly the carpet-bombing the OP
 suggests is the case in the US, but they are doing something.
 
  It is quite a different market here. I can get POTS services over
  the same copper from, I'd say, about 5 different companies. Maybe
  more, I have not counted. I guess the competition already available
  on the copper would largely preclude anything but the cheapest VoIP
  service.
 
 For UK national calls, which pretty much all the POTS providers are
 offering for free (read bundled), I tend to agree - especially
 given that the POTS providers who *aren't* BT (Residential) are
 largely having to lease at least the last mile copper from BT
 (OpenReach).  The Vonage TV ads that I've seen in the UK are pitched
 at offering cheap / free / bundled international calls, and the
 target market for that I believe is both different and smaller.

That is the same market Vonage is now targeting in the US, basically.
National calling in the US is basically bundled with most calling plans
now.  I'm not convinced that many people use Vonage in the US - my
experience with it was that it was not as reliable as the VOIP
products offered through the various broadband providers I have had.

William



Re: Contact for APEWS.org?

2011-02-21 Thread William Pitcock
Hi,

On Mon, 21 Feb 2011 12:41:57 -0800
Kate Gerry k...@quadranet.com wrote:

 We've been advised by a client that they're incorrectly listing
 a /15. The listing is:
 
 (E-431420) 96.44.0.0/15
 
 According to their FAQ they only take delistings via newsgroups and
 Google News isn't co-operating with me in regards to them. Meanwhile
 we're affected with our range 96.44.128.0/18.

Nobody in their right mind uses APEWS when there are more legitimate
DNSBLs around like Spamhaus, AHBL, DroneBL, etc.

Your client is unlikely to be having any problem with this listing.  But, if
you really want to bother, my advice is get a Supernews account and go
for it.

William



Re: Leasing of space via non-connectivity providers

2011-02-05 Thread William Pitcock
Hi,

On Sat, 5 Feb 2011 17:12:40 -0600
Aaron Wendel aa...@wholesaleinternet.net wrote:

 How can someone steal something from you that you don’t own?
 
 

Legacy space.  The best example I can think of was Choopa's hijacking
of Erie Forge and Steel's legacy space.  In this case, it was theft as
it was a legacy allocation and therefore owned by EFS.

EFS however, did not notice because they were not using the legacy
allocation for anything.

William



nlayer contact

2011-02-05 Thread William Pitcock
Hi,

Could an nLayer network engineer contact me offlist regarding a service
or core router at I'm guessing One Wilshire that is having serious
problems?

Thanks.

William



Re: You Tube Problems

2011-02-03 Thread William Pitcock
On Fri, 4 Feb 2011 16:37:55 +1300 (FJST)
Franck Martin fra...@genius.com wrote:

 Any relation?
 
 http://mobile.slashdot.org/story/11/02/04/0043234/Verizon-To-Throttle-High-Bandwidth-Users

No, that has to do with wireless users, not DSL.  Wireless is an
entirely different part of the Verizon empire.

William



Re: Request Spamhaus contact

2011-01-17 Thread William Pitcock
Hi,

On Mon, 17 Jan 2011 17:09:07 -0500
Jeffrey Lyon jeffrey.l...@blacklotus.net wrote:

 That's fine, but the listings don't even make sense. There is no
 evidence in the listing and I'm still trying to figure out a) why they
 think that these new listings have anything to do with the ones we
 already cleaned and b) which customers actually need to be removed and
 for specifically what reasons. Their entire mentality is "the site is a
 pharmacy, which means it's part of a criminal spammer gang", regardless
 of whether or not that is true.
 

Please stop pretending that you're not hosting e-trash.  208.64.122.114
is still hosting an active SEO poisoning site (myspace-codes.com).  I
think, frankly, it would make your life a lot simpler if you just
accepted the fact that BlackLotus sells to e-trash, just like the rest
of the ddos-protected hosting solutions companies do.

 My initial reply to sbl-removals@ was rather civil, my second reply
 not so much. At this point I just need them to check their e-mail and
 answer a few questions. I need intelligence to work with if they
 expect me to cooperate with them. I have no problem removing customers
 that need to be removed but I need to have all of the details to act
 on the request.

You have all the intelligence you need.  You host e-trash script
kiddies and SEO poisoners.  Just go get some wirecutters and snip the
wires coming out of that busted up 6509 you used to tout on WHT and the
problem will be solved.

I have a slogan by the way, Blacklotus AKA The IRC Company - making
EFnet more trashy since FooNet got raided.

William



Re: Request Spamhaus contact

2011-01-17 Thread William Pitcock
On Mon, 17 Jan 2011 18:35:22 -0500
Jeffrey Lyon jeffrey.l...@blacklotus.net wrote:

 William,
 
 I'm not certain that any Black Lotus IP's are even connected to EFnet.

Maybe not presently, but your company has a history in the IRC
community.  And it's not a history I would define as good.

A history of selling protection which was in reality not a technical
measure (in fact, we know this because back then your employees said
outright that DDoS mitigation was being done after the point, so no
fancy IntruGuard-like stuff going on there) but instead an
intimidation measure.  As in, DDoS wars, mutually-assured DoS, so
on.  Kinda like FooNet/Atrivo/etc.  Actually, *exactly* like
FooNet/Atrivo/etc.

 Secondly, we're more than happy to act on any data presented to us if
 they actually care to present it to us before listing the entire ISP.

When you keep in mind that many people involved in the anti-abuse
community originate from the IRC community, then it should be no
surprise that they would not wish to waste their time dealing with
people who were part of the protection racket of olden days.

 
 I'm not sure what non-spam related e-trash has to do this any of
 this.

The fact that you willingly pollute the internet as a whole with SEO
optimization pages says a lot about your company.  In my opinion SEO
optimization pages like myspace-codes.com *are* spam.  That is the
same opinion held by many others.

Do not expect any pity from the rest of us who bust our proverbial
asses to keep our netspace clean.

William



Re: Request Spamhaus contact

2011-01-17 Thread William Pitcock
Hi,

On Mon, 17 Jan 2011 18:54:37 -0500
Jeffrey Lyon jeffrey.l...@blacklotus.net wrote:

 William,
 
 Our company is primarily focused on the filtering of DDoS traffic. A
 significant amount of our IP space is routed elsewhere via proxy or
 GRE. If a customer pollutes, they pollute and that's their own
 business. If they abuse, we take action. If Spamhaus contacts us
 before ruining the business of others, we still take action (believe
 it or not).
 

Maybe that is the case now.  It was not the case 8 years ago with IRCCo.

 We don't actively decide to host any of this content. It sprouts up
 and really is not a concern of ours until it becomes an actual
 problem. Comparing us to FOONET and especially Atrivo is ignorant and
 short sighted. Perhaps you would understand if you were targeted by
 attacks.

I used to operate DroneBL.  DroneBL's DNSBL servers are basically under
permanent DDoS attack, which is why Cisco/IronPort and other providers
have to sponsor them now.

While I understand the current aspect of your operation, you must
understand that IRCCo did not make you many friends in the anti-abuse
community.  Sorry, that's just how it is.  We look at BL/IRCCo and it
does not make us feel warm and fuzzy.

Being proactive by say, checking out your customers before lighting
them up would go a long way toward improving the fuzziness perception in
the anti-abuse community.  But you don't do that.  It's clear you don't
do that.

William



Re: Request Spamhaus contact

2011-01-17 Thread William Pitcock
Hi,

On Mon, 17 Jan 2011 19:11:37 -0500
Jeffrey Lyon jeffrey.l...@blacklotus.net wrote:

 William,
 
 You're quite right, we don't. We presume that our customers are
 honorable until proven otherwise. We're a legitimate U.S. based
 corporation and we make ourselves available to the pertinent RBL's and
 authorities as appropriate. We take action where action needs to be
 taken.

How does refusing service to known spammers/spam operations make you
any less of a legitimate U.S. corporation?  How come all of the
resources mentioned in this thread are still online?

 
 I take offense, however, to the assumption that our entire company is
 bad and that all of our customers should suffer because of the actions
 of a few. I've given Larry @ Spamhaus a direct link to myself and our
 VP of Ops. If he chooses to use it all of these problems can be nipped
 in the bud.

I do not assume your company is bad.  I assume that trying to get
anything shut down at BL is a waste of my time.  A majority of the
people posting on this thread seem to also attest to this point.

Just because you're proxying to other networks does not make you
any less responsible for their activity.

 
 You're quite fortunate to be under the protection of a major
 corporation, most do not have that luxury.

I am not under anyone's protection.  DroneBL is, but I no longer
operate it due to it being a timesink.  Nor should my opinions reflect
them in any way.  I just wanted to make it clear that I am aware of
what it is like to be under permanent DDoS attack.

William



Re: Request Spamhaus contact

2011-01-17 Thread William Pitcock
Hi,

On Mon, 17 Jan 2011 19:13:16 -0500
Jeffrey Lyon jeffrey.l...@blacklotus.net wrote:

 Bill,
 
 I'm getting 72.215.225.9 for that host.

The nameservers just changed to ns2/ns4.codiz.net.

ns2 is a bogon, the real deal is ns4 hosted at corbina.ru, which has an
abuse@ that goes to /dev/null so whatever.

Man.  Hosting Yandex.  Really?  How did you manage to not catch that?

William



Re: Request Spamhaus contact

2011-01-17 Thread William Pitcock
Hi,

On Mon, 17 Jan 2011 19:21:19 -0500
Jeffrey Lyon jeffrey.l...@blacklotus.net wrote:

 William,
 
 It depends, we have criteria. You can't just e-mail
 ab...@blacklotus.net and expect any given web site to be immediately
 shut down. There is due process and we need to make a decision on the
 matter and serve it to our customer. If a customer is listed at
 Spamhaus this is sufficient.

In other words, your abuse policy is strictly designed to avoid RBL
listings and nothing else.

 
 Being a legitimate corporation means that we're accountable for
 maintaining certain standards. Everyone assumes that because we
 mitigate DDoS that we're no better than some offshore spam haven.

No, we think that you're no better than some offshore spam haven
because you're hosting spammers with an abuse policy strictly designed
to avoid getting listed in spamhaus with nothing going above and
beyond that.

Most abuse contacts I e-mail will shut down a customer after looking at
Netflow data.  But you're not doing that.  So you get classified as
such.  It is really simple.

William



Re: Request Spamhaus contact

2011-01-17 Thread William Pitcock
On Mon, 17 Jan 2011 19:42:22 -0500
Jeffrey Lyon jeffrey.l...@blacklotus.net wrote:

 I fat fingered the netmask, try now.

$ wget -S www.vertrouwdeapotheek.nl
--2011-01-17 19:07:59--  http://www.vertrouwdeapotheek.nl/
Resolving www.vertrouwdeapotheek.nl... 208.64.120.197
Connecting to www.vertrouwdeapotheek.nl|208.64.120.197|:80... connected.
HTTP request sent, awaiting response... 
  HTTP/1.1 301 Moved Permanently
  Cache-Control: private
  Content-Length: 0
  Location: http://www.vertrouwdeapotheek.nl/Home.aspx
  Server: Microsoft-IIS/7.0
  X-AspNet-Version: 4.0.30319
  X-Powered-By: ASP.NET
  Date: Tue, 18 Jan 2011 01:07:46 GMT
  Connection: close
Location: http://www.vertrouwdeapotheek.nl/Home.aspx [following]
--2011-01-17 19:08:00--  http://www.vertrouwdeapotheek.nl/Home.aspx
Connecting to www.vertrouwdeapotheek.nl|208.64.120.197|:80... connected.
HTTP request sent, awaiting response... 
  HTTP/1.1 200 OK
  Cache-Control: private
  Content-Length: 126007
  Content-Type: text/html; charset=utf-8
  Server: Microsoft-IIS/7.0
  X-AspNet-Version: 4.0.30319
  WL-Version: 2475.0
  Set-Cookie: ASP.NET_SessionId=bcs4bluvt3dqdfqd1udupey3; path=/; HttpOnly
  X-Powered-By: ASP.NET
  Date: Tue, 18 Jan 2011 01:07:47 GMT
  Connection: close
Length: 126007 (123K) [text/html]
Saving to: `Home.aspx'

100%[==]
126,007  364K/s   in 0.3s

2011-01-17 19:08:01 (364 KB/s) - `Home.aspx' saved [126007/126007]

How hard is it really to type in "ip route 208.64.120.197
255.255.255.255 Null0" on your busted up 6509?

Don't forget to conf t!

William

 
 Thanks, Jeff
 
 
 On Mon, Jan 17, 2011 at 7:39 PM, Raymond Dijkxhoorn
 raym...@prolocation.net wrote:
  Hi!
 
  We've acted on every report that we're aware of and instead you
  want to play pharmacy domain scavenger hunt. This domain at
  208.64.120.197 redirects to IP space we already null routed. It's
  the same customer.
 
  Either you place strange nullroutes or you did not at all.
 
  [root@mi10 tmp]# wget -S www.vertrouwdeapotheek.nl
  --01:37:29--  http://www.vertrouwdeapotheek.nl/
            => `index.html'
  Resolving www.vertrouwdeapotheek.nl... done.
  Connecting to www.vertrouwdeapotheek.nl[208.64.120.197]:80...
  connected. HTTP request sent, awaiting response...
   1 HTTP/1.1 301 Moved Permanently
   2 Cache-Control: private
   3 Content-Length: 0
   4 Location: http://www.vertrouwdeapotheek.nl/Home.aspx
   5 Server: Microsoft-IIS/7.0
   6 X-AspNet-Version: 4.0.30319
   7 X-Powered-By: ASP.NET
   8 Date: Tue, 18 Jan 2011 00:37:04 GMT
   9 Connection: close
  Location: http://www.vertrouwdeapotheek.nl/Home.aspx [following]
  --01:37:29--  http://www.vertrouwdeapotheek.nl/Home.aspx
            => `Home.aspx'
  Connecting to www.vertrouwdeapotheek.nl[208.64.120.197]:80...
  connected. HTTP request sent, awaiting response...
 
  Does this look as if it's nullrouted?
 
  P.S. Someone at Spamhaus PLEASE remove the /21 listing?
 
  I highly doubt. There is much more to clean on your network before
  I hope they would even reconsider.
 
  Bye,
  Raymond.
 
 
 
 




Re: Request Spamhaus contact

2011-01-17 Thread William Pitcock
Hi,

On Mon, 17 Jan 2011 19:46:55 -0500
Jeffrey Lyon jeffrey.l...@blacklotus.net wrote:

 Raymond,
 
 I do not take you for a fool, the assignment is legitimately null
 routed. My traceroutes are dropping at my home ISP.

I call bollocks.  It's alive and kicking via BGP here.

edge1.lax01# show ip bgp 208.64.120.197/32
BGP routing table entry for 208.64.120.0/24, version 2014041464
Paths: (6 available, best #3, table default)
[...]

And I can reach it from my house.

William



Re: Request Spamhaus contact

2011-01-17 Thread William Pitcock
On Mon, 17 Jan 2011 20:23:17 -0500
Jeffrey Lyon jeffrey.l...@blacklotus.net wrote:

 On Mon, Jan 17, 2011 at 8:21 PM, William Pitcock
 neno...@systeminplace.net wrote:
  Hi,
 
  On Mon, 17 Jan 2011 19:46:55 -0500
  Jeffrey Lyon jeffrey.l...@blacklotus.net wrote:
 
  Raymond,
 
  I do not take you for a fool, the assignment is legitimately null
  routed. My traceroutes are dropping at my home ISP.
 
  I call bollocks.  It's alive and kicking via BGP here.
 
  edge1.lax01# show ip bgp 208.64.120.197/32
  BGP routing table entry for 208.64.120.0/24, version 2014041464
  Paths: (6 available, best #3, table default)
  [...]
 
  And I can reach it from my house.
 
  William
 
 
 So it's dead on Cox Cable and the L3 Looking Glass but not at your
 house? How is that possible?
 

Because you haven't nullrouted shit.  You're just tagging the IP with a
specific BGP community and not all networks will respect your tagging.
The ones that don't allow the traffic to pass right on through to your
network, and due to BGP convergence that there will always be a working
route this way.  Again, I ask: how hard is it to type ip route
208.64.120.197 255.255.255.255 Null0?

For someone who is first and leading in DDoS Protection Solutions you
sure seem to not be able to effectively nullroute, no offense.

William



Re: Request Spamhaus contact

2011-01-17 Thread William Pitcock
On Mon, 17 Jan 2011 20:28:55 -0500
Jeffrey Lyon jeffrey.l...@blacklotus.net wrote:

 Rhetorical question. Probably PCCW isn't accepting the null routes.
 Why not blacklist them for having messed up communities?

Why not actually nullroute the IPs instead of depending on BGP tagging?
Again: ip route 208.64.120.197 255.255.255.255 Null0

William
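
The point made in this and the earlier messages (a blackhole community is only honoured by some upstreams, while a static `ip route ... Null0` on your own edge drops the traffic regardless) can be checked with a small model. This is an added example, not code from the thread; the community value, router names and the "hosting-lan" destination are constructed.

```python
import ipaddress

# Constructed example community: real providers publish their own blackhole community.
BLACKHOLE_COMMUNITY = "65000:666"
TARGET = "208.64.120.197"           # the host being blackholed in the thread


class Router:
    """Minimal model: a FIB of (prefix, next hop) pairs with longest-prefix match."""

    def __init__(self, name, honors_blackhole):
        self.name = name
        self.honors_blackhole = honors_blackhole
        self.routes = []            # next hop "Null0" means the packet is dropped here

    def learn(self, prefix, next_hop, communities=()):
        """A BGP route arrives; only a router that honors the community rewrites it to Null0."""
        if self.honors_blackhole and BLACKHOLE_COMMUNITY in communities:
            next_hop = "Null0"
        self.routes.append((ipaddress.ip_network(prefix), next_hop))

    def static_null(self, prefix):
        """The local equivalent of 'ip route <address> 255.255.255.255 Null0'."""
        self.routes.append((ipaddress.ip_network(prefix), "Null0"))

    def next_hop(self, address):
        addr = ipaddress.ip_address(address)
        best = None
        for net, nh in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best[1] if best else None


def forward(address, entry, routers):
    """Follow next hops from the entry router until the packet is dropped or delivered."""
    path, hop = [], entry
    while hop in routers:
        path.append(hop)
        hop = routers[hop].next_hop(address)
    path.append(hop)                # "Null0" (dropped) or the destination network name
    return path


def build_topology(local_null_route):
    """Two upstreams, one honoring the blackhole community and one not, plus the customer edge."""
    upstream_a = Router("upstream-a", honors_blackhole=True)
    upstream_b = Router("upstream-b", honors_blackhole=False)
    edge = Router("customer-edge", honors_blackhole=False)
    for upstream in (upstream_a, upstream_b):
        upstream.learn("208.64.120.0/24", "customer-edge")
        upstream.learn(TARGET + "/32", "customer-edge", communities=(BLACKHOLE_COMMUNITY,))
    edge.learn("208.64.120.0/24", "hosting-lan")      # the directly connected customer network
    if local_null_route:
        edge.static_null(TARGET + "/32")
    return {r.name: r for r in (upstream_a, upstream_b, edge)}


if __name__ == "__main__":
    for local_null in (False, True):
        topo = build_topology(local_null)
        print(f"local Null0 route: {local_null}")
        for entry in ("upstream-a", "upstream-b"):
            print(f"  via {entry}: {' -> '.join(forward(TARGET, entry, topo))}")
```

Without the local route, traffic entering through the upstream that ignores the community is delivered; with it, the /32 wins longest-prefix match on the edge and is dropped, while the rest of the /24 is unaffected.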



Re: Request Spamhaus contact

2011-01-17 Thread William Pitcock
On Mon, 17 Jan 2011 20:38:54 -0500
Jeffrey Lyon jeffrey.l...@blacklotus.net wrote:

 It's a problem with PCCW not accepting the tags, we've had this issue
 with them occasionally and will need to address it with them directly.
 The machine itself has also been shut down so there should not be any
 further heartache.

$ wget -S yourdrugsdiscount.com
--2011-01-17 19:46:57--  http://yourdrugsdiscount.com/
Resolving yourdrugsdiscount.com... 208.64.122.10
Connecting to yourdrugsdiscount.com|208.64.122.10|:80... connected.
HTTP request sent, awaiting response... 
  HTTP/1.1 200 OK
  Date: Tue, 18 Jan 2011 01:47:10 GMT
  Server: Apache/2.2.17 (CentOS)
  X-Powered-By: PHP/5.2.17
  P3P: CP=IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA
  ETag: PUB1295315230
  Last-Modified: Wed, 03 Nov 2010 13:01:01 GMT
  Expires: Tue, 18 Jan 2011 04:47:10 GMT
  Pragma: no-cache
  Cache-Control: public, max-age=10800
  Set-Cookie: __store_sid=66ofgeqrfa51nt20nc63j9o003; path=/
  Set-Cookie: token=7d010443693eec253a121e2aa2ba177c; expires=Wed, 19-Jan-2011 01:47:11 GMT; path=/
  Connection: close
  Content-Type: text/html; charset=utf-8
Length: unspecified [text/html]
Saving to: `index.html'

[ <=> ] 57,377   225K/s   in 0.2s

2011-01-17 19:46:59 (225 KB/s) - `index.html' saved [57377]

Wow you managed to sure clean up your spam problem.  One box down,
hundreds to go?

William



Re: Request Spamhaus contact

2011-01-17 Thread William Pitcock
On Mon, 17 Jan 2011 21:34:49 -0500
Jeffrey Lyon jeffrey.l...@blacklotus.net wrote:

 We were offering a privacy protected domain registration service at
 one point which we have since discontinued for obvious reasons.

Ah yes!  That *was* you guys.

Did you know that you're still being recommended on 4chan /b/ for
no-questions-asked fully-anonymous bullet-proof hosting?

Is there a reason why /b/ seems to be recommending you still?  I would
figure they wouldn't be recommending something you're no longer doing.

William



Re: Request Spamhaus contact

2011-01-17 Thread William Pitcock
Hi,

On Mon, 17 Jan 2011 21:45:40 -0500
Jeffrey Lyon jeffrey.l...@blacklotus.net wrote:

 All,
 
 I would like to extend a special thanks to one of the Spamhaus team
 members for reaching out to me and offering dialogue on this matter.
 He was quite polite and understanding of the situation and we came to
 terms on what needed to occur on both sides. I didn't catch his name
 as the connection was bad but I would like to say Thank You and
 express my gratitude that we can potentially resolve future issues on
 more familiar terms.
 
 Thanks,

Still waiting on clarification on your abuse policy.  Is a spamhaus SBL
listing mandatory for you to shutdown cyber-criminals or have you
learned *anything* at all from this?

We don't *care* if you got this issue with Spamhaus resolved.  You
turned it into a much *larger* problem than that.

William



Re: IPv6 prefix lengths

2011-01-12 Thread William Pitcock
Hi,

On Wed, 12 Jan 2011 22:49:15 -0500
Richard Barnes richard.bar...@gmail.com wrote:

 Hi all,
 
 What IPv6 prefix lengths are people accepting in BGP from
 peers/customers?  My employer just got a /48 allocation from ARIN, and
 we're trying to figure out how to support multiple end sites out of
 this (probably around 10).  I was thinking about assigning a /56 per
 site, but looking at the BGP table stats on potaroo.net [1], it looks
 like this is not too common (only .29% of prefixes).  Thoughts?

Traditionally, /48s are per-site.  You should get a /48 for each site,
in reality something like a /44 will do nicely giving you two
additional /48 for growth.

William



Why do ISPs still not do packet source verification in 2010?

2010-12-20 Thread William Pitcock
Hi,

I am wondering why it seems that many ISPs still do not do packet
source verification in 2010?  Just last night I had to deal with a DoS
attack that would have been impossible if more ISPs did packet source
verification.

I mean, it's 2010.  We can do IP-level ACLs in hardware on most of the
current routing platforms on the market.  I know it can be done on
Cisco, Brocade, etc.  Not sure on the new NX-OS stuff, but the 6500
series chassis can do IP-level ACL in hardware.

The ACLs aren't hard either: you set an ACL forbidding traffic from
anything other than an access-list containing their allocated IP
ranges...

Grumble.

(on the other hand, it's not like spoofing does any good anyway... if
you're willing to work the netflow data and call your upstreams to get
at their netflow data you can easily trace each bot in the botnet to
its origination network which can then look at their traffic flow data
and shut it down...)

William
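
As an added example (not from the post), here is the ingress check the post describes, in Python: a packet entering on a customer port is permitted only if its source lies in that customer's allocated ranges, and the same prefix list is rendered as the Cisco IOS-style numbered ACL the post alludes to. The customer prefixes, interface name and packets are constructed.

```python
import ipaddress

# Constructed example: the ranges allocated to one customer-facing port (not from the post).
CUSTOMER_PREFIXES = ["203.0.113.0/24", "198.51.100.128/25"]


def source_permitted(src_ip, allocated):
    """Ingress source verification: a packet may enter only if its source is in the customer's ranges."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(prefix) for prefix in allocated)


def classify(packets, allocated):
    """packets: iterable of (src, dst); returns [(src, dst, 'permit'|'deny'), ...]."""
    return [(src, dst, "permit" if source_permitted(src, allocated) else "deny")
            for src, dst in packets]


def ios_ingress_acl(acl_number, allocated):
    """Render the equivalent IOS numbered extended ACL (IOS uses wildcard masks, not netmasks)."""
    lines = []
    for prefix in allocated:
        net = ipaddress.ip_network(prefix)
        lines.append(f"access-list {acl_number} permit ip {net.network_address} {net.hostmask} any")
    lines.append(f"access-list {acl_number} deny ip any any log")   # spoofed sources are logged, then dropped
    return lines


def ios_apply(interface, acl_number):
    """Bind the ACL inbound on the customer-facing interface."""
    return [f"interface {interface}", f" ip access-group {acl_number} in"]


# Constructed packets as seen on the customer port; 192.0.2.1 is outside the customer's ranges.
SAMPLE_PACKETS = [
    ("203.0.113.10", "192.0.2.50"),
    ("198.51.100.200", "192.0.2.50"),
    ("198.51.100.5", "192.0.2.50"),     # the /25 starts at .128, so .5 is not the customer's
    ("192.0.2.1", "192.0.2.50"),        # spoofed source: the kind of traffic the post complains about
]

if __name__ == "__main__":
    for src, dst, verdict in classify(SAMPLE_PACKETS, CUSTOMER_PREFIXES):
        print(f"{verdict:6} {src} -> {dst}")
    print("\n".join(ios_ingress_acl(100, CUSTOMER_PREFIXES) + ios_apply("GigabitEthernet1/1", 100)))
```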



Re: Mastercard problems

2010-12-09 Thread William Pitcock
On Thu, 2010-12-09 at 18:34 +1100, Ben McGinnes wrote:
 On 9/12/10 8:04 AM, Christopher Morrow wrote:
  On Wed, Dec 8, 2010 at 3:06 PM, Philip Dorr tagn...@gmail.com wrote:
  The problem is that they were also slashdotted.  The logs would also have a
  large number of unrelated.
  
  pro-tip: the tool has a pretty easy to spot signature.
 
 What is that signature?
 

The tool makes HTTP/1.0 requests, most browsers make HTTP/1.1 requests.

William
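
The HTTP/1.0 signature mentioned here can be turned into a simple log check. The following is an added example (not from the thread), run over constructed combined-format log lines, that flags sources whose request volume is almost entirely HTTP/1.0 rather than alerting on any single HTTP/1.0 request, since older clients and some proxies legitimately send those.

```python
import re
from collections import defaultdict

# Combined log format (Apache/nginx); the request-line protocol field is what the signature keys on.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def per_source_stats(lines):
    """Count total requests and HTTP/1.0 requests per client address."""
    stats = defaultdict(lambda: {"total": 0, "http10": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # malformed line; skipped, not counted
        stats[rec["ip"]]["total"] += 1
        if rec["proto"] == "HTTP/1.0":
            stats[rec["ip"]]["http10"] += 1
    return dict(stats)


def flag_sources(lines, min_requests=10, min_ratio=0.9):
    """Sources that sent a volume of requests which were (almost) all HTTP/1.0.
    Both thresholds matter: one HTTP/1.0 request is normal for older command-line
    clients and some proxies, so a single request alone says nothing."""
    return sorted(ip for ip, s in per_source_stats(lines).items()
                  if s["total"] >= min_requests and s["http10"] / s["total"] >= min_ratio)


def _line(ip, proto, target="/", ua="Mozilla/5.0 (X11; Linux) Firefox/3.6"):
    return (f'{ip} - - [08/Dec/2010:15:01:02 +0000] "GET {target} {proto}" 200 5120 '
            f'"-" "{ua}"')


# Constructed sample log: one flooding client, ordinary visitors, and one older HTTP/1.0 client.
SAMPLE_LOG = (
    [_line("203.0.113.5", "HTTP/1.0", ua="Mozilla/4.0")] * 25
    + [_line("198.51.100.7", "HTTP/1.1", "/index.html")] * 12
    + [_line("198.51.100.8", "HTTP/1.1")] * 3
    + [_line("192.0.2.9", "HTTP/1.0", ua="Wget/1.12")]
    + ["this line is not in combined log format"]
)

if __name__ == "__main__":
    for ip, s in sorted(per_source_stats(SAMPLE_LOG).items()):
        print(f"{ip:16} total={s['total']:3} http10={s['http10']:3}")
    print("flagged:", flag_sources(SAMPLE_LOG))
```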




Re: Want to move to all 208V for server racks

2010-12-02 Thread William Pitcock
Hi,

On Thu, 2010-12-02 at 10:58 -0500, Jay Nakamura wrote:
 I really want to move all newly installed internal and customer racks
 over to all 208v power instead of 120v.  As far as I can remember, I
 can't remember any server/switch/router or any other equipment that
 didn't run on 208v AC.  (Other than you may need a different cable)
 Anyone have any experience where some oddball equipment that couldn't
 do 208v and regret going 208v?  We won't have any TDM or SONET
 equipment, all Ethernet switches, routers and servers.  I have control
 over internal equipment but sometimes customers surprise you.
 

In one colo I helped manage, we had some crappy netgear switches which
couldn't handle 208v.  Provided you have proper equipment, you should be
fine though.  This was a non-profit though, so we were trying to get by
with whatever was the most cost-efficient option.

William




Re: Level 3 Communications Issues Statement Concerning Comcast's Actions

2010-11-29 Thread William Pitcock
On Mon, 2010-11-29 at 20:02 -0500, Bret Clark wrote:
 On 11/29/2010 07:55 PM, Ren Provo wrote:
  http://blog.comcast.com/2010/11/comcast-comments-on-level-3.html
 
  On Mon, Nov 29, 2010 at 7:51 PM, Dave CROCKERd...@dcrocker.net  wrote:
 
 
 Okay, let's say L3 gives in to Comcast and pays them.

L3 gave into Comcast and paid them already according to a press release
they issued.

William.





Re: wikileaks unreachable

2010-11-28 Thread William Pitcock
On Sun, 2010-11-28 at 16:43 -0500, Jeffrey Lyon wrote:
 I'm surprised it took this long for the DDoS train to pull into the station.

Wikileaks gets DDoSed all the time.  My understanding is that PRQ
nullrouted the IP because the DDoS is much larger this time.

William





Re: wikileaks unreachable

2010-11-28 Thread William Pitcock
On Sun, 2010-11-28 at 17:07 -0500, Jeffrey Lyon wrote:
 I wouldn't have thought that PRQ would have any significant protection in 
 place.

They used to host thepiratebay.  I would figure that site probably got a
lot of ddos attacks...

William




Re: Introducing draft-denog-v6ops-addresspartnaming

2010-11-19 Thread William Pitcock
On Fri, 2010-11-19 at 17:06 +0100, Richard Hartmann wrote:
 On Fri, Nov 19, 2010 at 14:14, Scott Morris s...@emanon.com wrote:
 
  If 8 bits is a byte, then 16 bits should be a mouthful.
 
 When does it become a meal and, more importantly, do you want to
 supper (sic) size?
 

The supersize option offered by e.g. McDonalds is not much larger than
the normal meal size in my experience.

So I guess, 8 bits = small, 16 bits = meal, 24 bits = supersize or
something, but that doesn't fit well with IPv6 since each segment
between colons is only 16 bits.

We could call the :: part the 'liposection' though.

William




Re: Extra latency at AT&T exchange for UVerse

2010-11-11 Thread William Pitcock
On Thu, 2010-11-11 at 15:39 -0500, Srikanth Sundaresan wrote:
 Can anyone explain why AT&T's UVerse adds significant delay to packets
 compared to their ADSL service?

U-Verse is actually the name of two entirely different services - VDSL
and FTTP.  This is a typical symptom of stupidity on behalf of marketing
people.

The VDSL service uses interleaving, but since they use actual fibre in
my neighbourhood (I have an ONT on the side of my house and everything)
I can't really tell you what impact the interleaving has.

Friends of mine on VDSL say it's about an additional 20ms penalty or so.
Perhaps it's the interleaving?

If you log into your RG, it will tell you if you are on VDSL or are
connected to an ONT.  I think what your case is, is that you are on VDSL
and very close to an IX as far as AT&T's network is concerned.

William




Re: What must one do to avoid Gmail's retarded non-spam filtering?

2010-09-28 Thread William Pitcock
Hi,

Have you checked the IronPort reputation scores for your mailserver IPs?
Google uses this data as part of its spam detection method.

William

On Tue, 2010-09-28 at 16:15 -0400, Erik L wrote:
 I realize that this is somewhat OT, but I'm sure that others on the list 
 encounter the same issues and that at least some folks might have useful 
 comments. 
 
 An increasingly large number of our customers are using Gmail or Google Apps 
 and almost all of our OSS/BSS mail is getting spam filtered by Google. Among 
 others, these e-mails include invoices, order confirmations, payment 
 notifications, customer portal logins, and tickets. Almost anything we send 
 to customers on Google ends up in their spam folder. This results in a lot of 
 calls and makes much of our automation pointless, never mind all the lost 
 sales.
 
 The problem is compounded by those who use mail clients and do not log in to 
 the webmail at all, since they would never see the contents of the Google 
 spam folder.
 
 We have proper A+PTR records on the edge MTAs, proper SPF records for the 
 originating domain, proper Return-Path and other headers, and so on. There 
 isn't anything that I can think of other than the content itself which would 
 be abnormal, and obviously the content is repetitive and can't be changed 
 much. Is there something obvious which we've missed?
 
 Aside from the following clearly impractical solutions, what can we do? 
 1. Asking everyone (including those we don't even know yet) to whitelist all 
 of our addresses, to check their spam folders, and to click on this is not 
 spam
 2. Providing our own free e-mail service to everyone (including those we 
 don't even know yet) and putting up don't use Google ads on all of our 
 customer-facing systems
 
 At least this isn't Hotmail where mail is just silently deleted with no NDR 
 after it's accepted by their MTAs.
 
 The call volume has been going up instead of down lately and it's gotten to 
 the point where we're sending MTA log extracts to people to prove to them 
 that we really did e-mail them. 
 
 Would greatly appreciate any advice.
 
 Erik
 





Re: Road Runner Abuse Contact

2010-09-02 Thread William Pitcock
On Thu, 2010-09-02 at 16:29 -0700, J.D. Falk wrote:
 On Sep 2, 2010, at 1:43 PM, Brad Fleming wrote:
 
  Any Road Runner abuse reps on the list?
 
 http://postmaster.rr.com/ is a good place to start.

Quoting that website:

| The Postmaster team is part of the Road Runner Mail Operations
| team, and we are responsible for blocking and filtering mail
| that transits our servers; however, while we have an active
| Abuse organization and work closely with them, this is not the
| place to report incidents of spam or abuse coming from Road
| Runner's mail servers or from our network in general, as Abuse
| is a separate organization here.

William





Re: PacketShader

2010-08-23 Thread William Pitcock
Vyatta's commercial products (the bundles with OS+Hardware) come with adequate 
support in my experience.

William

(Sorry for topposting.  The android email experience is depressingly lacking.)

Andrew Kirch trel...@trelane.net wrote:

  On 8/23/2010 1:17 PM, Joel Jaeggli wrote:
 What it really comes down to is packets per watt or packets per dollar,
 if it's cheaper to do it this way then people will, if not BFD.

I disagree here.  Core routing isn't purchased based on cost, it's 
purchased based on support.  People have not adopted Vyatta, or 
Mikrotik or many of the other small routing platforms which are in fact 
MUCH cheaper than the bridge or the tree (cisco or juniper), and the 
reason is simply support.

If my router breaks beyond my ability to fix it I have a certified 
engineer (of some value or other) at my site with parts to fix it within 
4 hours.  This is why people go with Cisco and Juniper.  It's also a 
mechanism of CYA.  Would we rather tell our boss that the company has 
responded and dropped the replacement part in the mail, or that a 
technician from the router supplier is on their way and will be here 
very shortly, and ooh, by the way, you did recommend redundant hardware 
when the piece that broke was purchased, and it was available at a discount.

Andrew



RE: Lightly used IP addresses

2010-08-13 Thread William Pitcock
On Fri, 2010-08-13 at 18:49 +, Nathan Eisenberg wrote:
 
 Isn't this a little bit like an SSL daemon?

no.

 One which refuses to process a revocation list on the basis of the
 function of the certificate is useless.

no, it's not.  ssl as a form of identity assurance itself is what is
useless.

 The revocation list only has authority if the agent asks for and
 processes it.

most don't do this, because:

- most SSL daemons don't serve the revocation lists;
- most SSL agents don't know how to download the revocation lists from
another source.

see previous note about SSL being worthless for identity assurance.

 Would you use this SSL daemon, knowing that it had this bug? 

i wouldn't care - see above points.

 I would consider a transit provider who subverted an ARIN revocation
 to be disreputable, and seek other sources of transit.

how do you know if the ARIN revocation is proper?  with the IPv4
exhaustion becoming very close to happening now, it is possible that
ARIN could go rogue.

following a corporation (yes, ARIN is a corporation) as if you were a
sheep will empower them to do precisely this in the future.

william




Re: net-neutrality

2010-08-11 Thread William Pitcock
On Wed, 2010-08-11 at 11:29 +, Sven Olaf Kamphuis wrote:
 hmm funny, it had the piratebay on it,

if you think that is a good sales point... do you actually have any
legitimate customers?

william




Re: I slogged through it so you don't have to -- ICANN Vertical Integration WG for dummies

2010-07-26 Thread William Pitcock
On Mon, 2010-07-26 at 14:42 -0400, Eric Brunner-Williams wrote:
 But I do take your point about .co/.com, and in all fairness, it is a 
 decade delayed favor returned by NeuStar to Verisign for the .bz/.biz 
 collaborative marketing ploy of 2001. 

Or eNom's .cc/.com ploy from 1999-present.  Don't you remember the
television ad buy they did on all of the networks?  Rednecks dancing
around playing fiddles singing about .cc.  On the other hand, at least
they weren't showing soft porn like GoDaddy does.

William




Re: 33-Bit Addressing via ONE bit or TWO bits ? does NANOG care?

2010-07-24 Thread William Pitcock
On Sat, 2010-07-24 at 15:50 -0400, Steven King wrote:
 I am very curious to see how this would play with networks that
 wouldn't support such a technology. How would you ensure communication
 between a network that supported 33-Bit addressing and one that doesn't?

33-bit is a fucking retarded choice for any addressing scheme as it's
neither byte nor nibble-aligned.  In fact, the 33rd bit would ensure that
an IPv4 header had to have 5 byte addresses.

William





Re: Virbl: The First IPv6 enabled dnsbl?

2010-06-28 Thread William Pitcock
On Sun, 2010-01-17 at 19:16 +, Andy Davidson wrote:
 On 16 Jan 2010, at 05:30, Tammy A. Wisdom wrote:
 
  Mark Schouten ma...@bit.nl wrote:
  http://virbl.bit.nl/index.php#ipv6
  Comments on the listing method are appreciated.
  wow bind?  that's gonna get slower and slower and slower.  I hope you have a 
  TON of ram for that box. for example
  if we loaded the current contents of the ahbl from rbldnsd to bind it would 
  take up a TON of ram.   bind would take forever to load and and would be 
  screaming for its dear life.
 
 These problems tend to have a way of solving themselves...
 
 This dnsbl is trying to get experience handling v6 data in an anti-spam 
 environment.  We do not know how to do that today - and this is a problem 
 which only reduces with experience.  The problems of how to scale it, to me 
 seem like a smaller challenge. There are enough clever people who understand 
 how to scale specific dns issues. :-)
 
 Good luck to the team at Virbl !

Yes we do.  We do it the same way we do it for IPv4... IP radix trees.

The main thing required is to modify rbldnsd to make heads or tails of
ipv6 dnsbl queries and build it into a prefix for looking up in the
radix tree.  The actual radix code of rbldnsd is AFAIK based on the
BSD-licensed stuff Merit put out in the day.  Pretty much everything
uses that code...

William
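
The two pieces the post calls for, turning an IPv6 DNSBL query name back into an address and looking it up in a radix tree, fit in a short Python example. This is added here and is not rbldnsd's or Virbl's code; the zone name, the listings and the 127.0.0.x answer values are constructed. It handles IPv4 queries (reversed octets) and IPv6 queries (32 reversed nibbles) in the same table.

```python
import ipaddress

ZONE = "dnsbl.example"            # constructed zone name, not the Virbl zone


class RadixTable:
    """Binary trie over address bits, one per family; the longest matching prefix wins,
    which is the same lookup a radix-tree based DNSBL daemon performs."""

    def __init__(self):
        self.roots = {4: {}, 6: {}}

    def insert(self, prefix, value):
        net = ipaddress.ip_network(prefix, strict=False)
        node, bits, width = self.roots[net.version], int(net.network_address), net.max_prefixlen
        for i in range(net.prefixlen):
            node = node.setdefault((bits >> (width - 1 - i)) & 1, {})
        node["value"] = value

    def lookup(self, address):
        addr = ipaddress.ip_address(address)
        node, bits, width = self.roots[addr.version], int(addr), addr.max_prefixlen
        best = node.get("value")
        for i in range(width):
            node = node.get((bits >> (width - 1 - i)) & 1)
            if node is None:
                break
            best = node.get("value", best)
        return best


def dnsbl_query_name(address, zone=ZONE):
    """Client side: reversed octets for IPv4, reversed nibbles for IPv6 (the RFC 5782 form)."""
    addr = ipaddress.ip_address(address)
    labels = str(addr).split(".") if addr.version == 4 else list(addr.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone + "."


def parse_dnsbl_query(qname, zone=ZONE):
    """Server side: turn the query name back into an address, or None if it is malformed."""
    name = qname.rstrip(".").lower()
    suffix = "." + zone.rstrip(".").lower()
    if not name.endswith(suffix):
        return None
    labels = name[: -len(suffix)].split(".")
    try:
        if len(labels) == 4:
            return ipaddress.IPv4Address(".".join(reversed(labels)))
        if len(labels) == 32 and all(len(l) == 1 for l in labels):
            hexstr = "".join(reversed(labels))
            return ipaddress.IPv6Address(":".join(hexstr[i:i + 4] for i in range(0, 32, 4)))
    except ValueError:
        pass                          # non-numeric octet or non-hex nibble
    return None


def resolve_query(qname, table, zone=ZONE):
    """Return the A-record value for a listed address, or None (NXDOMAIN) otherwise."""
    addr = parse_dnsbl_query(qname, zone)
    return table.lookup(addr) if addr is not None else None


def build_sample_table():
    """Constructed listings; the values are the conventional 127.0.0.x answer codes."""
    table = RadixTable()
    table.insert("192.0.2.0/24", "127.0.0.2")
    table.insert("2001:db8:bad::/48", "127.0.0.2")
    table.insert("2001:db8:bad:1::/64", "127.0.0.3")   # more specific listing inside the /48
    return table


if __name__ == "__main__":
    table = build_sample_table()
    for ip in ("192.0.2.77", "198.51.100.1", "2001:db8:bad::2", "2001:db8:bad:1::9", "2001:db8:1::1"):
        qname = dnsbl_query_name(ip)
        print(f"{ip:20} {qname}\n{'':20} -> {resolve_query(qname, table)}")
```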





Re: Micro-allocation needed?

2010-06-21 Thread William Pitcock
On Mon, 2010-06-21 at 23:32 +0200, Ask Bjørn Hansen wrote:
 Hi everyone,
 
 We're going to anycast a /24 for some DNS servers (and possibly another UDP 
 based service)[1].
 
 I see that ARIN are listing on https://www.arin.net/knowledge/ip_blocks.html 
 the smallest allocations from each prefix.   Will we have trouble getting a 
 /24 announced if we take it from a regular /20?

No, you can split up allocations as you want, provided you can prove you
own them.

Some providers however, won't announce anything smaller than a /24.

William





Re: Micro-allocation needed?

2010-06-21 Thread William Pitcock
On Mon, 2010-06-21 at 23:42 +0200, Ask Bjørn Hansen wrote:
 On Jun 21, 2010, at 23:34, William Pitcock wrote:
 
  On Mon, 2010-06-21 at 23:32 +0200, Ask Bjørn Hansen wrote:
  Hi everyone,
  
  We're going to anycast a /24 for some DNS servers (and possibly another 
  UDP based service)[1].
  
  I see that ARIN are listing on 
  https://www.arin.net/knowledge/ip_blocks.html the smallest allocations 
  from each prefix.   Will we have trouble getting a /24 announced if we 
  take it from a regular /20?
  
  No, you can split up allocations as you want, provided you can prove you
  own them.
  
  Some providers however, won't announce anything smaller than a /24.
 
 I guess to rephrase my question:
 
 Are there (a significant number of) providers that will filter a /24 
 announcement from an ARIN prefix not in the list of prefixes where they 
 allocate /24 blocks.

I have yet to encounter any.  They are your IPs as far as they are
concerned, so they'll typically announce whatever you ask as long as
they are your IPs.

William




Re: Experience with the Dell PowerConnect 8024F - compare to the Cisco Nexus 5010

2010-06-18 Thread William Pitcock
Hi,

On Fri, 2010-06-18 at 11:57 -0400, Steven Fischer wrote:
 Does anyone have any experience with the Dell PowerConnect 8024F 10-gig
 switch that they'd be willing to share?  How does it perform?  How reliable
 is it?  My experiences with the Dell switches have been less than favorable
 to this point, but I am willing to concede that some of that may be colored
 by my Cisco bias.  Would you trust this Dell switch in a high-performance
 computing environment, where the ability to move data for sustained
 durations at rates close to line speed is paramount, along with
 high-reliability/high-availability?
 
 Any feedback is welcomed.
 

Dell switches are usually Foundry gear relabeled, so it should be ok.
We are using Dell switches alongside actual Foundry gear in a cloud
environment and have had no problems.

Foundry's firmwares have some bugs though as far as SNMP goes.  For
example, our traffic utilization graphs start missing data after about
120 days and we have to reboot them.  This happens on both actual
Foundry gear and the rebranded Dell stuff.  If you're just using the
switches as an interconnect (MPI?), this probably isn't a big deal for
you.  I have heard that newer firmware fixes that problem, but we
haven't had time to test out upgrading so it hasn't been done yet.

The Nexus switch line is also very good, but too expensive for my blood.
I have to eat...  The management is very well done, but the Nexus OS is
feature-lacking in comparison to traditional Cisco IOS.  So, right now,
the Foundry gear is probably a better option.

William




Re: Advice regarding Cisco/Juniper/HP

2010-06-17 Thread William Pitcock
On Thu, 2010-06-17 at 11:07 -0700, Seth Mattinen wrote:
 On 6/17/2010 11:01, Sandone, Nick wrote:
  I would also add Brocade/Foundry to the mix as well.  We've been deploying 
  these switches with great results.  Since the IOS is very similar to 
  Cisco's, the transition has been quite easy.
  
  
 
 
 Do you still have to pay them to read the manual?

We have plenty of Foundry gear and we've never had to pay anything to
read the manuals for them.  Then again, we bought it all new, so it came
with printed manuals.

There's a 1000+ page manual on the management software itself.

William





Re: SCO UNIX Errors

2010-06-10 Thread William Pitcock
On Wed, 2010-06-09 at 23:40 -0700, jacob miller wrote:
 Hi,
 
 Am getting the following error from my SCO UNIX box.

They mean use an operating system not made by crackheads.  There's a
reason why SCO switched from UNIX sales to Intellectual Property
trolling after all.

William





Re: Latency between GCI Anchorage and VZB in NY

2010-05-26 Thread William Pitcock
Hi,

On Wed, 2010-05-26 at 11:27 -0400, Brad Beck wrote:
 All,
 
 I've been working diligently to improve performance of interactive
 applications (Citrix, terminal) that are run by users in our office
 located in Anchorage, and are served by a managed Internet connection
 provided by GCI.  Our applications reside in the Buffalo, NY area.
 

The interactivity problem probably has more to do with your Citrix
setup.  What specs are your Citrix server(s)?  I doubt it is
virtualized, but just in case, is it?  I ask because it sounds more like
iowait.

Process Explorer (sysinternals) can be useful for listing CPU and I/O
hungry applications on the Citrix server(s).

 Via MTR, I've seen no or almost-no lost packets, whereas RTT averages
 around 124ms and at times is as high as 328ms.
 
 I'm looking for feedback from others regarding this RTT, hopefully
 from customers of GCI.  328ms RTT is high as far as I'm concerned, and
 it seems like this could be controlled a little better.

Spikes in RTT are likely normal.  Your managed internet connection is
probably provided over an MPLS private network, which means that it
still has to share packet queues with other customers.

William




Re: any bring your own bandwidth IPv4 over IPv4 tunnel merchants?

2010-05-03 Thread William Pitcock
On Mon, 2010-05-03 at 14:12 -0400, Bill Bogstad wrote:
 Like many people, I can't justify the expense of commercial IP
 connectivity for my residence.  As a result, I deal with dynamic IP
 addresses; dns issues; and limitations on the services that I can host
 at my residence.  It just struck me that in the same way that
 IPv6 connectivity can be done via tunneling over IPv4 (Hurricane
 Electric, etc.), that static IPv4 addressability could be offered in a
 similar fashion.
 
 So my question is:
 
 Does anyone offer (probably bandwidth restricted) IPv4 over IPv4
 tunneling (with static IPs) commercially?
 
 I realize that making use of such a service MIGHT violate Terms of
 Service agreements, but that is going to vary from provider to
 provider and doesn't make offering such a service inherently wrong.
 Other possible reasons such services might be desired include wanting
 access to Internet services which are regionally restricted.  (Again
 TOS violation possibilities MAY or MAY NOT apply.)
 
 In the (very?) long term, IPv4 over IPv6 tunneling could end up being
 one way that organizations can get IPv4 connectivity when the default
 changes from only-IPv4 to only-IPv6.  (Yeah, I know that day may never
 come...)
 
 Thanks,
 Bill Bogstad
 

You could do this with a VPS.  Make sure they run Xen or KVM or VMware
though, so you have control over the routing table.

William




Re: Terry Childs conviction

2010-04-29 Thread William Pitcock
On Thu, 2010-04-29 at 15:11 -0500, Olsen, Jason wrote:
 I'm a bit surprised that after the furor here on NANOG when the story
 first broke (in 2008) that there's been no discussion about the recent
 outcome of his trial (convicted, one count of felony network tampering).

Surely even at DeVry they teach that if you refuse to hand over
passwords for property that is not legally yours, that you are
committing a crime.  I mean, think about it, it's effectively theft, in
the same sense that if you refuse to hand over the keys for a car that
you don't own, you're committing theft of an automobile.

I fail to see the operational relevance to this conviction; it's basic
common sense.

William




Re: Terry Childs conviction

2010-04-29 Thread William Pitcock
On Thu, 2010-04-29 at 21:48 -0400, David Krider wrote:
 On Thu, 2010-04-29 at 16:47 -0500, William Pitcock wrote:
  Surely even at DeVry they teach that if you refuse to hand over
  passwords for property that is not legally yours, that you are
  committing a crime.  I mean, think about it, it's effectively theft, in
  the same sense that if you refuse to hand over the keys for a car that
  you don't own, you're committing theft of an automobile.
 
 I've seen a dismissed employee withhold a password. The owner of the
 company threatened legal action, considering it, like you, theft. My
 father-in-law is an attorney, so I asked him about the situation. He
 said that it wouldn't be called theft, rather illegal control. 

Same difference, he still committed a crime and anyone who is defending
him seems to not understand this.  Whatever we want to call that crime,
it's still a crime, and he got the appropriate penalty.

William





Re: Terry Childs conviction

2010-04-29 Thread William Pitcock
On Thu, 2010-04-29 at 21:23 -0500, Larry Sheldon wrote:
 On 4/29/2010 21:05, William Pitcock wrote:
  On Thu, 2010-04-29 at 21:48 -0400, David Krider wrote:
  On Thu, 2010-04-29 at 16:47 -0500, William Pitcock wrote:
  Surely even at DeVry they teach that if you refuse to hand over
  passwords for property that is not legally yours, that you are
  committing a crime.  I mean, think about it, it's effectively theft, in
  the same sense that if you refuse to hand over the keys for a car that
  you don't own, you're committing theft of an automobile.
 
  I've seen a dismissed employee withhold a password. The owner of the
  company threatened legal action, considering it, like you, theft. My
  father-in-law is an attorney, so I asked him about the situation. He
  said that it wouldn't be called theft, rather illegal control. 
  
  Same difference, he still committed a crime and anyone who is defending
  him seems to not understand this.  Whatever we want to call that crime,
  it's still a crime, and he got the appropriate penalty.
 
 I beg to differ (the archives may reflect my objection last time around).
 
 I agree that a crime was committed.
 
 It was committed by the management that allowed this situation to exist.
 
 It is a pretty easy matter to maintain controls that make the passwords
 secure but still available to management when they need it.  The
 simplest system was one of sealed envelopes in several different
 District Managers' locked desks.  Every now and again a manager would
 take his or her envelope out and test the passwords to see if they
 worked (usually just before the scheduled password change each month).

I don't disagree, but he should not have withheld passwords to devices
that were not his direct property when asked by a superior.

William





Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?

2010-04-28 Thread William Pitcock
On Wed, 2010-04-28 at 14:54 -0700, David Conrad wrote:
 On Apr 28, 2010, at 2:38 PM, Carl Rosevear wrote:
  I don't understand why anyone thinks NAT should be a fundamental part of 
  the v6 internet 
 
 Perhaps the ability to change service providers without having to renumber?

DHCPv6 solves that issue if implemented correctly in the CPE
firewall/router appliance.

William




Re: Tracking down reverse for ip

2010-04-15 Thread William Pitcock
On Thu, 2010-04-15 at 15:07 -0500, Dennis Burgess wrote:
 I have a customer that has an IP of 12.43.95.126. Currently, I can not
 get any reverse on this IP.  
 
  
 
 What is the best way to find out the responsible servers for this?
 Thanx in advance.
 

neno...@petrie:~$ dig -x 12.43.95.126 +trace @4.2.2.1
; <<>> DiG 9.6.1-P2 <<>> -x 12.43.95.126 +trace @4.2.2.1
;; global options: +cmd
.   26412   IN  NS  j.root-servers.net.
.   26412   IN  NS  a.root-servers.net.
.   26412   IN  NS  l.root-servers.net.
.   26412   IN  NS  e.root-servers.net.
.   26412   IN  NS  g.root-servers.net.
.   26412   IN  NS  k.root-servers.net.
.   26412   IN  NS  d.root-servers.net.
.   26412   IN  NS  h.root-servers.net.
.   26412   IN  NS  i.root-servers.net.
.   26412   IN  NS  c.root-servers.net.
.   26412   IN  NS  m.root-servers.net.
.   26412   IN  NS  f.root-servers.net.
.   26412   IN  NS  b.root-servers.net.
;; Received 228 bytes from 4.2.2.1#53(4.2.2.1) in 34 ms

arpa.   172800  IN  NS  A.ROOT-SERVERS.NET.
arpa.   172800  IN  NS  H.ROOT-SERVERS.NET.
arpa.   172800  IN  NS  C.ROOT-SERVERS.NET.
arpa.   172800  IN  NS  L.ROOT-SERVERS.NET.
arpa.   172800  IN  NS  F.ROOT-SERVERS.NET.
arpa.   172800  IN  NS  M.ROOT-SERVERS.NET.
arpa.   172800  IN  NS  G.ROOT-SERVERS.NET.
arpa.   172800  IN  NS  E.ROOT-SERVERS.NET.
arpa.   172800  IN  NS  D.ROOT-SERVERS.NET.
arpa.   172800  IN  NS  I.ROOT-SERVERS.NET.
arpa.   172800  IN  NS  B.ROOT-SERVERS.NET.
arpa.   172800  IN  NS  K.ROOT-SERVERS.NET.
;; Received 495 bytes from 192.58.128.30#53(j.root-servers.net) in 28 ms

12.in-addr.arpa.86400   IN  NS  DMTU.MT.NS.ELS-GMS.ATT.NET.
12.in-addr.arpa.86400   IN  NS  CMTU.MT.NS.ELS-GMS.ATT.NET.
12.in-addr.arpa.86400   IN  NS  CBRU.BR.NS.ELS-GMS.ATT.NET.
12.in-addr.arpa.86400   IN  NS  DBRU.BR.NS.ELS-GMS.ATT.NET.
;; Received 143 bytes from 192.36.148.17#53(I.ROOT-SERVERS.NET) in 153 ms

126.95.43.12.in-addr.arpa. 172800 IN CNAME 126.112-28.95.43.12.in-addr.arpa.
112-28.95.43.12.in-addr.arpa. 172800 IN NS  ns2.nightowl.net.
112-28.95.43.12.in-addr.arpa. 172800 IN NS  mail.nightowl.net.
;; Received 117 bytes from 12.127.16.69#53(CMTU.MT.NS.ELS-GMS.ATT.NET) in 60 ms

ns2.nightowl.net/mail.nightowl.net is broken (missing the
128-28.95.43.12.in-addr.arpa zone).

For someone who is a CCNA, Mikrotik Certified Whatever, etc, etc, etc,
you really should know how to use dig(1).

William
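The delegation walk the dig +trace above performs, as an added offline example (not part of the original post): a constructed record table transcribed from the trace, a walker that follows the RFC 2317 classless CNAME to find which nameservers must hold the PTR, and a check that the "112-28" block actually covers the address.

```python
"""Walk a reverse-DNS delegation chain offline.

Added example, not part of the original post. RECORDS is a constructed
table transcribed from the dig +trace output above (root and in-addr
delegations, then the RFC 2317 classless CNAME). The walk shows how the
CNAME into the "112-28" sub-zone decides which nameservers must hold the
PTR for 12.43.95.126, and checks that the classless block really covers
the address.
"""
import ipaddress

# Constructed record table: owner name -> (rrtype, rdata list)
RECORDS = {
    "arpa.": ("NS", ["A.ROOT-SERVERS.NET.", "H.ROOT-SERVERS.NET."]),
    "12.in-addr.arpa.": ("NS", ["DMTU.MT.NS.ELS-GMS.ATT.NET.",
                                "CMTU.MT.NS.ELS-GMS.ATT.NET."]),
    "126.95.43.12.in-addr.arpa.": ("CNAME", ["126.112-28.95.43.12.in-addr.arpa."]),
    "112-28.95.43.12.in-addr.arpa.": ("NS", ["ns2.nightowl.net.", "mail.nightowl.net."]),
}


def reverse_name(ip):
    """'12.43.95.126' -> '126.95.43.12.in-addr.arpa.'"""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def closest_delegation(name, records):
    """Longest suffix of name that has an NS set: (zone, nameservers)."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        zone = ".".join(labels[i:]) + "."
        rr = records.get(zone)
        if rr and rr[0] == "NS":
            return zone, rr[1]
    return None, []


def walk_reverse(ip, records=RECORDS):
    """Follow CNAMEs from the PTR name and report who must serve the final name."""
    name = reverse_name(ip)
    chain = [name]
    while True:
        rr = records.get(name)
        if rr and rr[0] == "CNAME":
            name = rr[1][0]
            if name in chain:
                raise ValueError("CNAME loop at " + name)
            chain.append(name)
            continue
        zone, nameservers = closest_delegation(name, records)
        return {"chain": chain, "zone": zone, "nameservers": nameservers}


def classless_block_covers(zone, ip):
    """RFC 2317 check: a 'start-prefixlen' label such as 112-28 must cover ip."""
    first = zone.split(".")[0]
    if "-" not in first:
        return True  # ordinary /24 (or larger) delegation, nothing to check
    start, plen = first.split("-")
    parent = zone.split(".")[1:4][::-1]          # ['12', '43', '95']
    try:
        block = ipaddress.ip_network(f"{'.'.join(parent)}.{start}/{plen}")
    except ValueError:
        return False  # start octet not aligned to the prefix length: bogus delegation
    return ipaddress.ip_address(ip) in block


if __name__ == "__main__":
    result = walk_reverse("12.43.95.126")
    print(" -> ".join(result["chain"]))
    print("zone", result["zone"], "must be served by", ", ".join(result["nameservers"]))
    print("block covers address:", classless_block_covers(result["zone"], "12.43.95.126"))
```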




Re: Carrier class email security recommendation

2010-04-12 Thread William Pitcock
On Mon, 2010-04-12 at 07:09 -0700, todd glassey wrote:
 On 4/12/2010 2:49 AM, Alex Kamiru wrote:
  I am in the process of sourcing for a carrier class email security
  solution that will replace our current edge spam gateways based on open
  source solutions. Some solutions that am currently considering are
  Ironport, Fortinet Fortimail, MailFoundry and Barracuda. I'd therefore
  wish to know, based on your experiences, what works for you
  satisfactorily. 
 
 
  Areas that are key for me are centralized management and
  reporting, carrier class performance, per mailbox policy and quarantine,
  and favourable licensing for an MSSP. I know Ironport is rated highly in
  this space but I find its per user licensing is not favourable for a
  MSSP. 
 
 On the other hand installing a FreeBSD system with QMail/Procmail and/or
 PostFIX for the other stuff is a no-brainer especially with a Webmin
 Management front end.

Webmin?  Are you serious?

William




Re: Fwd: [c-nsp] capirca : Google Network Filtering Management

2010-04-09 Thread William Pitcock
On Fri, 2010-04-09 at 22:10 -0400, Steve Bertrand wrote:
 Would someone from Google kindly confirm/deny this claim? I'm as patient
 as any other, but I'm beginning to feel for those who have yet (but are
 ready to) to trigger the filters...
 
 Thankfully, my 'reasonable' regex knowledge has me ready to list a
 heaping pile of filth into the ether,  if the community consensus is
 that the person contained in the 'From:' below has never contributed
 anything worth value to our community.
 
 ...give the word.

It is a legitimate Google product, but I don't work at Google.

William




Re: ARIN IP6 policy for those with legacy IP4 Space

2010-04-07 Thread William Pitcock
On Wed, 2010-04-07 at 15:31 -0500, Joe Greco wrote:
  On Apr 7, 2010, at 9:22 AM, William Herrin wrote:
  
   On Wed, Apr 7, 2010 at 12:09 PM, John Palmer (NANOG Acct)
   nan...@adns.net wrote:
   Was looking at the ARIN IP6 policy and cannot find any reference to those
   who have
   IP4 legacy space.
   
   Isn't there an automatic allocation for those of us who have legacy IP
   space. If not, is ARIN
   saying we have to pay them a fee to use IP6?  Isn't this a disincentive 
   for
   us to move up to IP6?
   
   Those with legacy IP4 space should have the equivalent IP6 space under 
   the
   same terms. Or am I missing something?
   
   Hi John,
   
   The game is:
   
   Sign ARIN's Legacy RSA covering your legacy space. With the LRSA you
   retain more rights than folks who sign the regular RSA, but probably
   less rights than you have now.
  
  More accurately, you retain more rights than the standard RSA and you
  move from a situation where your exact rights are unknown and
  undetermined with no contractual relationship between you and ARIN
  to a situation where your rights are assured, enumerated, and a
  contractual relationship exists between you and ARIN governing
  the services you are receiving from ARIN.
  
   Pay your $100/year as an end-user. You now qualify for an IPv6
   assignment under ARIN NRPM 6.5.8.1b regardless of the size of your
   network.
   
   Pay the $1250 IPv6 initial assignment fee.
  
  This is correct. I would like to see initial registration fee waivers for
  IPv6 end-user assignments.  I've brought the subject up on arin-discuss.
  There was substantial opposition to the idea.  If you would like to see
  that happen, I encourage you to voice your opinion there.
 
 It's not the initial assignment fee that's really an impediment, it's
 moving from a model where the address space is free (or nearly so) to
 a model where you're paying a significant annual fee for the space.
 
 We'd be doing IPv6 here if not for the annual fee.  As it stands, there
 isn't that much reason to do IPv6, and a significant disincentive in the
 form of the fees.

And when there are no eyeballs to look at your IPv4 content because your
average comcast user is on IPv6?

Will you have an incentive then?

William




Re: NSP-SEC

2010-03-20 Thread William Pitcock
On Sat, 2010-03-20 at 20:30 +0200, Hank Nussbacher wrote:
 On Fri, 19 Mar 2010, William Pitcock wrote:
 
  On Fri, 2010-03-19 at 08:31 -0500, John Kristoff wrote:
  An ongoing area of work is to build better closed,
  trusted communities without leaks.
 
  Have you ever considered that public transparency might not be a bad
  thing?  This seems to be the plight of many security people, that they
  have to be 100% secretive in everything they do, which is total
  bullshit.
 
  Just saying.
 
 How exactly would being transparent for the following help Internet 
 security:
 
 I am seeing a new malware infection vector via port 91714 coming from the 
 IP range of 32.0.0.0/8 that installs a rootkit after visiting the web page
 http://www.trythisoutnow.com/.  In addition, it has credit card and pswd 
 stealing capabilities and sends the details to a maildrop at 
 trythisout...@gmail.com
 
 The only upside of being transparent is alerting the miscreant to change 
 the vector and maildrop.

That is not what I mean and you know it.

What I mean is: why can't anyone contribute valuable information to the
security community?  It is next to impossible to meet so-called 'trusted
people' if you're new to the game, which is counter-productive.

If you're a 15 year old kid and you just discovered a way to own the
latest IOS, for example, how do you know who to tell about it?

William




Re: NSP-SEC

2010-03-20 Thread William Pitcock
On Sat, 2010-03-20 at 22:12 +0200, Gadi Evron wrote:
 On 3/20/10 8:37 PM, William Pitcock wrote:
  That is not what I mean and you know it.
 
 What do you mean then? Hank made a good point on the type of traffic 
 normally going through these groups.

My point hasn't much to do with the NSP-SEC list, I know plenty well
what traffic goes through there, but instead that the security community
is not welcoming to new contributors.  I do run a bloody DNSBL, after
all.

My point was also that there are people on the NSP-SEC list that can get
things done faster than PSIRT/etc do on turnaround times.  Many of those
same people also exist on a certain irc channel that will remain
unnamed, too.

William





Re: NSP-SEC

2010-03-19 Thread William Pitcock
On Fri, 2010-03-19 at 08:31 -0500, John Kristoff wrote:
 An ongoing area of work is to build better closed,
 trusted communities without leaks. 

Have you ever considered that public transparency might not be a bad
thing?  This seems to be the plight of many security people, that they
have to be 100% secretive in everything they do, which is total
bullshit.

Just saying.

William




Re: NSP-SEC

2010-03-18 Thread William Pitcock
Hello,

Few people actually care about nsp-sec so what exactly are you getting at?

Guillaume FORTAINE gforta...@live.com wrote:

Misses, Misters,

I would want to inform you that the security of the Internet, that is 
discussed in the NSP-SEC mailing-list [0] by a selected group of vendors 
(Cisco, Juniper & Arbor) [1] and operations contacts of the big ISPs [2] :


1) applies the Security through Obscurity paradigm that has been 
proven inefficient [3]. To quote [4] :

Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security 
counter-measures.

First question : Why was I able to find this mail on the Internet if it 
should be kept secret ?


2) includes [5]

a) Spammers (Rodney Joffe) [6] [7]

b) Freelancers (Gadi Evron) [8] [9]

Second question : Do you still ask yourself why the Internet is so 
insecure ? [10]


Best Regards,

Guillaume FORTAINE

[0] http://puck.nether.net/mailman/listinfo/nsp-security
[1] http://www.confickerworkinggroup.org/wiki/pmwiki.php/SP/ServiceProviders
[2] http://docs.google.com/viewer?url=http://www.cisco.com/web/ME/exposaudi2009/assets/docs/isp_security_routing_and_switching.pdf
[3] http://en.wikipedia.org/wiki/Security_through_obscurity
[4] http://lists.ausnog.net/pipermail/ausnog/2007-April/000397.html
[5] http://www.google.com/search?hl=en&source=hp&q=nsp-sec+site:mailman.nanog.org&aq=f&aqi=&aql=&oq=&gs_rfai=&esrch=FT1
[6] http://mailman.nanog.org/pipermail/nanog/2008-October/004724.html
[7] http://www.iadl.org/RodneyJoffe/rodneyjoffe.html
[8] http://mailman.nanog.org/pipermail/nanog/2009-November/015354.html
[9] http://il.linkedin.com/in/gadievron
[10] http://caislab.kaist.ac.kr/77ddos/



-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.

Re: NSP-SEC

2010-03-18 Thread William Pitcock
On Thu, 2010-03-18 at 23:52 -0400, Patrick W. Gilmore wrote:
 On Mar 18, 2010, at 11:46 PM, William Pitcock wrote:
 
  Few people actually care about nsp-sec so what exactly are you getting at?
 
 I might argue the "few" comment, but I think it's better not to reply to 
 Guillaume so people who are smart enough to not see his posts (which would be 
 quite a bit more than a few) will not be forced to see them.

I would say that, in general, more people care about NANOG than
nsp-security, although nsp-security is a worthwhile resource for those
who are dealing with backbone-level problems (which is a minority of the
people on NANOG, who generally are managing single
typically-not-multihomed sites for the most part).

 
 Although I have to admit I am impressed at how quickly he has managed to piss 
 off, alienate, and pretty much guarantee lasting animosity from, well, pretty 
 much every significant person on the 'Net.  Perhaps we should lump Guillaume 
 in with $HE_WHO_MUST_NOT_BE_NAMED[*]?

Ugh, that IADL guy.  I blackholed his entire IP block at edge because I
got tired of receiving his crap.  :D

And yeah, I'm surprised Guillaume can actually post here still.

William





Re: OBESEUS - A new type of DDOS protector

2010-03-16 Thread William Pitcock
On Tue, 2010-03-16 at 07:53 +0000, gordon b slater wrote:
 Hmm, the "hey! it's open source!" factor doesn't hold much sway in the
 network world, no-one will be amazed at that. Many observers are
 surprised at the amount of free software employed by ISPs and the
 like, but it's certainly no news to insiders. 

Not to mention that it is only open source for private non-commercial
use only, and is crippled.

Also, Obeseus doesn't seem to be any better than stuff I have made
myself for my own usage and clients' usage.  All it does is look at a
pcap dump and analyze it.

Obeseus is actually worse: it does not work in realtime, the data
structures it uses are not suited to realtime detection, and in a DDoS,
I think this could take several minutes to trigger appropriate events
like IP nullroutes and ACLs etcetera.

The best way to detect DDoS is to run a 30 second rolling average.  If
you're suddenly doing a gigabit inbound within 30 seconds of UDP
traffic, you're probably being DDoSed ;).

William
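The 30-second rolling average described above, as an added example (not Obeseus and not the poster's own tooling): a detector that keeps a sliding window of inbound UDP byte samples and alerts when the windowed average crosses 1 Gbit/s, fed with a constructed per-second sample stream of the kind a flow collector or interface counter poll would produce.

```python
"""Rolling-window UDP ingress detector.

Added example, not Obeseus and not the poster's own tooling: it
implements the post's rule of thumb, a 30-second rolling average of
inbound UDP bytes that alerts when the average crosses 1 Gbit/s. Input is
a constructed stream of per-second (timestamp, protocol, bytes) samples.
"""
from collections import deque

WINDOW_SECONDS = 30
THRESHOLD_BPS = 1_000_000_000  # 1 Gbit/s, as in the post


class RollingUdpDetector:
    """Keeps only the last WINDOW_SECONDS of UDP byte samples."""

    def __init__(self, window=WINDOW_SECONDS, threshold_bps=THRESHOLD_BPS):
        self.window = window
        self.threshold_bps = threshold_bps
        self.samples = deque()  # (timestamp, udp_bytes), oldest first
        self.udp_bytes = 0

    def observe(self, ts, proto, nbytes):
        """Feed one sample; returns the windowed average in bits per second."""
        udp = nbytes if proto == "udp" else 0  # non-UDP still advances the window
        self.samples.append((ts, udp))
        self.udp_bytes += udp
        # evict samples that fell out of the window
        while self.samples and self.samples[0][0] <= ts - self.window:
            _, old = self.samples.popleft()
            self.udp_bytes -= old
        return self.udp_bytes * 8 / self.window

    def is_attack(self, ts, proto, nbytes):
        """True once the rolling UDP average is at or above the threshold."""
        return self.observe(ts, proto, nbytes) >= self.threshold_bps


def constructed_samples():
    """60 s of baseline (40 Mbit/s UDP plus 400 Mbit/s TCP), then a 1.6 Gbit/s UDP flood."""
    for ts in range(0, 60):
        yield ts, "udp", 5_000_000
        yield ts, "tcp", 50_000_000  # TCP is not counted by the detector
    for ts in range(60, 120):
        yield ts, "udp", 200_000_000


def first_alert(samples, detector=None):
    """Timestamp at which the rolling average first crosses the threshold, or None."""
    det = detector or RollingUdpDetector()
    for ts, proto, nbytes in samples:
        if det.is_attack(ts, proto, nbytes):
            return ts
    return None


if __name__ == "__main__":
    # the flood starts at t=60; the 30 s window needs 19 flood seconds to cross 1 Gbit/s
    print("first alert at t =", first_alert(constructed_samples()))
```

The window smooths a one-second burst into noise while still reacting inside the window length; shorten the window or lower the threshold and the detector trades false positives for speed.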




Re: YouTube AS36561 began announcing 1.0.0.0/8

2010-03-12 Thread William Pitcock
On Thu, 2010-03-11 at 22:52 -0800, Nathan wrote:
 Hello,
 
 I'm hoping to alleviate the "what's going on!?" type messages here this time. 
 :)
 

<stupid question>
Any IPs we can ping and get a response back from to verify everything is
ok?  1.2.3.4 isn't pingable, for example. :(
</stupid question>

William




Re: Future timestamps in /var/log/secure

2010-02-26 Thread William Pitcock
On Fri, 2010-02-26 at 11:29 -0700, Brielle Bruns wrote:
 Aren't the timestamps inserted by syslog rather than the reporting 
 program itself?

The syslog message sent to the local unix socket (/dev/log
or /dev/syslog) may contain a timestamp, in which case, that timestamp
may be used instead of the local time.  As the syslog protocol defines
that timestamps are localtime, without any specification of what
timezone localtime actually is, the TZ environment variable of the
application calling syslog() will affect the timestamp placed in the
log.

William




Re: Future timestamps in /var/log/secure

2010-02-26 Thread William Pitcock
On Fri, 2010-02-26 at 19:30 +0000, gordon b slater wrote:
 On Fri, 2010-02-26 at 13:17 -0600, William Pitcock wrote:
  The syslog message sent to the local unix socket (/dev/log
  or /dev/syslog) may contain a timestamp, in which case, that timestamp
  may be used instead of the local time.  As the syslog protocol defines
  that timestamps are localtime, without any specification of what
  timezone localtime actually is, the TZ environment variable of the
  application calling syslog() will affect the timestamp placed in the
  log.
 
 aha! there you go, mine doesn't but maybe yours does?

The specification for the syslog protocol is that timestamps embedded in
the message should be used instead of syslogd's time.  Most syslog
daemons as a result apply this concept to both local and remote
messages.

You have to keep in mind that syslogd can also send/receive messages
to/from remote destinations.

William
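The mechanism described in this and the previous reply, as an added example (not from the thread): a client formats the BSD-syslog timestamp from its own localtime under its TZ, and a syslogd that honours embedded timestamps stores that value as-is, so a receiver in another zone sees a "future" (or past) entry. POSIX TZ strings such as JST-9 are used so no zoneinfo database is needed; the epoch value and message contents are constructed.

```python
"""Why /var/log/secure can carry timestamps from the future.

Added example, not from the original thread. syslog(3) formats the RFC 3164
timestamp ("Mmm dd hh:mm:ss") from the caller's localtime, which the TZ
environment variable controls. A syslogd that honours embedded timestamps
writes that string verbatim, so a receiver that reads it back in its own
localtime sees a skew equal to the zone difference.
"""
import os
import time

EPOCH = 1267221600  # 2010-02-26 22:00:00 UTC, fixed so the example is deterministic


def set_tz(tz):
    """Switch this process's timezone using a POSIX TZ string (no zoneinfo needed)."""
    os.environ["TZ"] = tz
    time.tzset()


def bsd_timestamp(epoch):
    """Timestamp as syslog(3) emits it: month, space-padded day, local clock time."""
    t = time.localtime(epoch)
    return time.strftime("%b ", t) + f"{t.tm_mday:2d}" + time.strftime(" %H:%M:%S", t)


def client_message(tz, epoch, tag="sshd[1234]", text="Accepted publickey"):
    """What an application running under TZ=tz hands to /dev/log (PRI 38 = auth.info)."""
    set_tz(tz)
    return f"<38>{bsd_timestamp(epoch)} host {tag}: {text}"


def parse_embedded(msg, receiver_tz, year):
    """What syslogd stores: the embedded timestamp read in *its* localtime."""
    set_tz(receiver_tz)
    body = msg[msg.index(">") + 1:]
    stamp = body[:15]  # "Mmm dd hh:mm:ss" is always 15 characters
    t = time.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return time.mktime(t)


def skew_seconds(client_tz, receiver_tz, epoch=EPOCH):
    """Seconds by which the stored entry is ahead of the true event time."""
    msg = client_message(client_tz, epoch)
    stored = parse_embedded(msg, receiver_tz, 2010)
    return int(stored - epoch)


if __name__ == "__main__":
    print(client_message("JST-9", EPOCH))
    print("skew JST client -> UTC syslogd:", skew_seconds("JST-9", "UTC0"), "s")
```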




Re: Chuck Norris Botnet and Broadband Routers

2010-02-22 Thread William Pitcock
On Mon, 2010-02-22 at 16:21 +0200, Gadi Evron wrote:
 Last week Czech researchers released information on a new worm which 
 exploits CPE devices (broadband routers) by means such as default 
 passwords, constructing a large DDoS botnet. Today this story hit 
 international news.
 

What makes this any different than psyb0t, which was discovered in the
wild last year?

William




Re: Linux Router distro's with dual stack capability

2010-02-11 Thread William Pitcock
On Wed, 2010-02-10 at 17:12 -0700, Blake Pfankuch wrote:
 Anyone have some insight on a good dual stack Linux (or BSD) router distro?  
 Currently using IPCop but it lacks ipv6 support.  I've used SmoothWall 
 Express but not in some time and not sure how well it works with IPv6.  Not 
 looking for something huge, just something for the equivalent of a small 
 branch office.  Site to Site VPN support and NAT translation capability for a 
 few public IP addresses to private addresses are the only requirements.  
 Public or private responses are welcome!

We are having moderate success with IPv6 on Vyatta, but we have seen
neighbour discovery glitches in the current production images.

The prerelease subscription code crashes on our vyatta appliances, so we
haven't tested that yet.

William




Re: Linux Router distro's with dual stack capability

2010-02-11 Thread William Pitcock
Hi,

On Thu, 2010-02-11 at 13:05 -0500, Jack Carrozzo wrote:
 Lots of people roll FreeBSD with Quagga/pf/ipfw for dual stack. See
 the freebsd-isp list.

FreeBSD's network stack chokes up in DDoS attacks due to interrupt
flooding.  We used to use FreeBSD for firewalling and basic routing, but
when noticing that we had horizontal scalability (e.g. a Celeron 667mhz
performed nearly as well as a dual dual-core Xeon system when DDoS
attacks happened), we switched to Vyatta, and generally have not looked
back.

William




RE: DDoS mitigation recommendations

2010-01-27 Thread William Pitcock
Hi,

On Tue, 2010-01-26 at 09:56 -0800, Gerald Wluka wrote:
 
 I am new to this mailing list - this should be a response to an already
 started thread that I cannot see:
 

Welcome to NANOG!

  
 
 IntelliguardIT has a new class of network appliance that installs inline
 (layer 2 appliance). It has no impact on current network capacity and
 automatically manages flash crowds gracefully.

Prove it.  As far as I can tell, DDoS mitigation appliances are mostly
smoke and mirrors, and I used to work for an IDS vendor.

 
 To date the company has over-invested in technology and under-invested in
 sales and marketing. That is changing now: the company is moving to The Bay
 Area.

LOL.

 
  
 
 As a testament to this over-investment we have a few customers in Asia who
 had CiscoGuard and/or Arbor Network solutions deployed - they were failing!
 IntelliGuard's solution solved their DDoS problems.
 

Can you cite these clients?

  
 
 If you would like to learn more please contact me directly (the
 IntelliGuardIT website is quite dated at this stage).

William




Re: Anyone see a game changer here?

2010-01-22 Thread William Pitcock
On Fri, 2010-01-22 at 22:16 -0500, Steven Bellovin wrote:
 On Jan 22, 2010, at 12:26 AM, Bruce Williams wrote:
 
  The problem with IE is the same problem as Windows, the basic design
  is fundamentally insecure and timely updates can't fix that.
 
 You do realize, of course, that IE is recording less than half the
 security flaw rate of Firefox?  (See
 http://prosecure.netgear.com/community/security-blog/2009/11/web-browser-vulnerability-report---firefox-leads-the-pack-at-44.php)

Consider for a moment that both Firefox and Safari are built on
open-source code where the code can be audited.  As a result, it is
clear why Firefox and Safari are more insecure than IE, it is simply
because the code is there to be audited.

Frankly, they are all about the same security-wise.

William





Re: I don't need no stinking firewall!

2010-01-06 Thread William Pitcock
On Wed, 2010-01-06 at 01:47 -0600, James Hess wrote:
 On Tue, Jan 5, 2010 at 11:41 PM, Dobbins, Roland rdobb...@arbor.net wrote:
  On Jan 6, 2010, at 11:52 AM, Jonathan Lassoff wrote:
  DDoS attacks are attacks against capacity and/or state.  Start reducing
 
 DDoS,  by its very nature is a type of attack that dances around
 common security measures  like  conventional firewalls, by its very
 nature.
 
 The possibility of someone dropping a nuke on your facility,
 shouldn't stop you from locking your doors at night.
 If necessary, use another arrangement to detect that threat, and
 protect firewall+servers from it.
 

DDoS mitigation gear tends to choke up in my experience.  It's a really
touchy subject.

 Having no 'firewall' type safeguard at all  (stateless or otherwise)
 would appear pretty risky.

Not really, because firewalls don't do anything useful.  Stateless ACL
policies do something useful, and usually that is handled in the router
in a modern network.  The other features of a firewall range from not so
useful to actively harmful.

 
  Because, by definition, all incoming packets to the server are unsolicited.
 
 For UDP servers sure..  not for TCP..  the initial SYN is unsolicited,
 for inbound  TCP connections.  Once the server acknowledges the
 connection by invoking  accept(),  the rest of it the packets are
 solicited,  the packets are either part of an active connection,  or
 unwanted.

Wrong.  You seem to assume that TCP stacks are well-behaved, or that
botnets aren't just synthesizing junk.  I've seen unsolicited ACK floods
before.  They are quite real.  So, in fact, all incoming packets should
be considered unsolicited until proven otherwise.

It should be mentioned that DDoS mitigation gear in use on that network
let those packets through without even alerting us about it.

William




Re: I don't need no stinking firewall!

2010-01-05 Thread William Pitcock
On Tue, 2010-01-05 at 16:24 -0500, Robert Brockway wrote:
 On Tue, 5 Jan 2010, Dobbins, Roland wrote:
 
  In the most basic terms, a stateful firewall performs bidirectional 
  classification of communications between nodes, and makes a pass/fail 
  determination on each packet based on a) whether or not a bidirectional 
  communications session is already open between the nodes and b) any 
  policy rules configured on the firewall as to what ports/protocols 
  should be allowed between said nodes.
 
  Stateful firewalls make good sense in front of machines which are 
  primarily clients; the stateful inspection part keeps unsolicited 
  packets away from the clients.
 
  Stateful firewalls make absolutely no sense in front of servers, given 
  that by definition, every packet coming into the server is unsolicited 
  (some protocols like ftp work a bit differently in that there're 
  multiple bidirectional/omnidirectional communications sessions, but the 
  key is that the initial connection is always unsolicited).
 
  Putting firewalls in front of servers is a Really Bad Idea - besides the
 
 Hi Roland.  I disagree strongly with this position.

As someone who worked for a startup several years ago working on solving
precisely the problem of having a reliable firewall/IDS solution in front
of the server, I'm going to have to disagree with your disagreement.

 
  fact that the stateful inspection premise doesn't apply (see above),
 
 The problem is that your premise is wrong.  Stateful firewalls (hereafter 
 just called firewalls) offer several advantages.  This list is not 
 necessarily exhaustive.
 
 (1) Security in depth.  In an ideal world every packet arriving at a 
 server would be for a port that is intended to be open and listening. 
 Unfortunately ports can be opened unintentionally on servers in several 
 ways: sysadmin error, package management systems pulling in an extra 
 package which starts a service, etc.  By having a firewall in front of the 
 server we gain security in depth against errors like this.
 

ACLs in the router hardware handle this.  Your average datacentre
switch, even a small one, can handle stateless ACL checks in hardware.

Also ACLs don't protect you from the bad guys, especially if you're
incompetent.  What my team found was that it was in fact -impossible- to
sanely do DPI in front of a server and also survive a DDoS attack.  DDoS
attacks are a big problem these days, in case you didn't notice.

 (2) Centralised management of access controls.  Many services should only 
 be open to a certain set of source addresses.  While this could be managed 
 on each server we may find that some applications don't support this well, 
 and management of access controls is then spread across any number of 
 management interfaces. Using a firewall for network access control reduces 
 the management overhead and chances of error.  Even if network access 
 control is managed on the server, doing it on the firewall offers 
 additional security in depth.

ACLs in the router hardware handle this.  Doing it on a firewall
provides no additional security, and may in fact decrease network
performance and throughput.  Additionally, predictive firewalls can be
gamed.

 
 (3) Outbound access controls.  In many cases we want to stop certain types 
 of outbound traffic.  This may contain an intrusion and prevent attacks 
 against other hosts owned by the organisation or other organisations. 
 Trying to do outbound access control on the server won't help as if the 
 server is compromised the attacker can likely get around it.

ACLs in the router hardware as well as blackholed /32s in the route
table of the router handle this.  Doing it on a firewall provides no
additional security and *will* decrease network performance and
throughput.  Routers are built for large route tables and make use of
RADIX tries and other optimizations that hardware server-oriented
firewalls do not typically have.

 
 (4) Rate limiting.  The ability to rate limit incoming and outgoing data 
 can prevent certain sorts of DoSes.

I am not sure what makes you believe that.  The ability to rate limit
incoming data at the server level would definitely not prevent a DoS. 

The ability to rate limit outgoing data would cause a DoS of anything
other than DoS traffic that is hosted on the server.

The basic rule here is you can't filter more than your port speed, and
if your port is getting hit with 1.3gbit of DDoS and your port is only
1gbit, you're still offline.

 
 (5) Signature based blocking.   

LOL.  Signature based blocking is the biggest scam since the 1980s when
IDS technology was first invented.  It doesn't work.  It is snake oil.
The only type of 'signature' that would work would be a list of all
known botnet IPs, and you're never going to get that.

 Modern firewalls can be tied to intrusion 
 prevention systems which will 'raise the shields' in the face of 
 certain attacks.  Many exploits require repeated probing and this 

Re: RBN and it's spin-offs

2009-12-30 Thread William Pitcock
On Wed, 2009-12-30 at 20:12 -0800, Paul Ferguson wrote:
 
 On Wed, Dec 30, 2009 at 8:05 PM, Keith Medcalf kmedc...@dessus.com wrote:
 
 
  Without a warrant, there is an absolute right to privacy.
  It continues to exist right up until either (a) one party chooses
  to give up that privacy or (b) a third party arrives with a Court
  Order.  This is simply a covenant between two parties to preserve
  that private state unless lawfully compelled by lawful process
  otherwise.  In other words, a covenant to adhere to the rule of
  law and the courts in the event of any dispute between the parties
  or any third party.  It sure seems like a good thing to me -- and a
  covenant I would hope anyone I do business adheres to.
 
 
 That's funny.
 
 You're assuming that the MLAT [1] process works -- it doesn't.

It worked against Indymedia UK: http://www.indymedia.org/fbi/

William




Re: RBN and it's spin-offs

2009-12-30 Thread William Pitcock
On Wed, 2009-12-30 at 23:25 -0500, Christopher Morrow wrote:
 On Wed, Dec 30, 2009 at 11:13 PM, William Pitcock
 neno...@systeminplace.net wrote:
 
  It worked against Indymedia UK: http://www.indymedia.org/fbi/
 
 indymedia is in texas, no mlat required.

It was an MLAT initiated by the Dutch government because someone posted
pictures of a Dutch policeman breaking the law that they wanted removed.

Yes, the M in MLAT stands for *Mutual*.  As in, it goes both ways.

William





Re: Arrogant RBL list maintainers

2009-12-16 Thread William Pitcock
Hi,

On Thu, 2009-12-10 at 16:55 +, Sven Olaf Kamphuis wrote:
 thing is that it's illegal to maintain a database with personal details
 which ip addresses according to various german courts are (don't ask..
 mmk? ;) of course we all know ip addresses identify nodes on a network, not
 persons, but the germans seem to maintain a different view on this,
 despite us isps being the owners of the internet and not the german
 government ;).
 
 therefore we are not even -allowed- to cooperate with trend micro *grin*

You're Swedish, not German.  So that doesn't really apply to you.

I'm pretty sure that if you just update the WHOIS and say it's static
assignments, that they will in fact remove you.  Your network hosts
e-trash anyway (thepiratebay), so I can hardly blame them for assuming
everything on your network is rotten.


 sometimes laws really come in handy you know ;)

Sometimes *valid* laws come in handy.  Citing laws that do not, at all,
apply to you, is not handy.  In fact if you are citing it in some
circumstances, it is fraud.

William





Re: Is there anyone from ASPEWS on this list?

2009-12-14 Thread William Pitcock
On Mon, 2009-12-14 at 11:32 +0100, Michelle Sullivan wrote:
 Read the last paragraph again.. will be submitted for delisting .. not 
 has been delisted and it will take 3-5 hours to propagate... I have to 
 process all removals manually after the robot because the robot does get 
 it wrong, and then you have the likes of JustHost and the spammers there 
 that keep requesting delisting with totally bogus (but static looking) 
 hosts.

And then you take several days if not several weeks to delist them.

You have spent a considerably longer time replying to people on NANOG
discussing your policies on NANOG, when you could just delist the IPs in
question already.

Like I said before, I am sorry that you deal with a lot of morons, but
maybe like others have said, you need to add more staff to your project.

William




IP to authoritative CIDR webservices

2009-12-14 Thread William Pitcock
Hi,

Does anyone know of a webservice that converts a given IP into the
public CIDR range that it belongs to?  I am developing a tool where IP to
CIDR conversion based on RIR whois data would be useful for implementing
filtersets.

William




Re: IP to authoritative CIDR webservices

2009-12-14 Thread William Pitcock
Hi,

On Mon, 2009-12-14 at 21:10 -0800, Mehmet Akcin wrote:
 Current RIR whois actually does that.
 
 ie: search for 199.4.29
 it will show you 199.4.28/22

Yes, but it has to be parsed, and RIRs have varying whois formats.  ARIN
vs RIPE whois output, for example.

William




Re: IP to authoritative CIDR webservices

2009-12-14 Thread William Pitcock
Hi,

On Mon, 2009-12-14 at 21:12 -0800, Paul Ferguson wrote:
 On Mon, Dec 14, 2009 at 8:57 PM, William Pitcock
 neno...@systeminplace.net wrote:
 
  Hi,
 
  Does anyone know of a webservice that converts a given IP into the
  public CIDR range that belongs to?  I am developing a tool where IP to
  CIDR conversion based on RIR whois data would be useful for implementing
  filtersets.
 
 
 WHOIS?
 
 Alternatively, use the Team Cymru tool to find the AS, then the CIDR Report
 portal to determine all prefixes originated by the AS in question:
 
 http://asn.cymru.com/

Looks like their WHOIS server in verbose mode will do the trick for what
I want, as it provides predictable output.  Thank you.

William
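The IP-to-CIDR step the thread is about, as an added example (not the poster's tool and not Team Cymru's code): parse the pipe-delimited verbose whois output into a prefix table, resolve an address by longest-prefix match, and collapse an AS's prefixes into a filterset. The sample text is constructed in the column layout the whois.cymru.com verbose service uses, which is assumed here rather than taken from the page; the example also covers a more-specific prefix sitting under an aggregate.

```python
"""IP -> originating CIDR from Team Cymru style verbose whois output.

Added example, not the poster's tool and not Team Cymru's code. SAMPLE is a
constructed response in the pipe-delimited verbose layout (assumed to match
the real service); RFC 5737 documentation addresses and private ASNs are used.
"""
import ipaddress

SAMPLE = """\
AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
64496   | 198.51.100.7     | 198.51.100.0/24     | US | arin     | 2009-01-01 | EXAMPLE-A, US
64496   | 198.51.100.200   | 198.51.100.128/25   | US | arin     | 2009-01-01 | EXAMPLE-A, US
64497   | 203.0.113.9      | 203.0.113.0/24      | NL | ripencc  | 2009-01-01 | EXAMPLE-B, NL
"""


def parse_cymru_verbose(text):
    """Yield (asn, network) pairs; the header line and anything malformed are skipped."""
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) < 3 or not fields[0].isdigit():
            continue  # header, blank, or 'NA' rows for unrouted space
        try:
            yield int(fields[0]), ipaddress.ip_network(fields[2])
        except ValueError:
            continue  # unparsable prefix column


def build_table(text):
    """Materialise the lookup table once so repeated lookups are cheap."""
    return list(parse_cymru_verbose(text))


def lookup(table, ip):
    """Longest-prefix match: the most specific covering prefix wins, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for asn, net in table:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[1].prefixlen:
                best = (asn, net)
    return best


def lookup_cidr(table, ip):
    """Convenience wrapper returning the matched prefix as a string."""
    hit = lookup(table, ip)
    return str(hit[1]) if hit else None


def filterset(table, asn):
    """All prefixes originated by asn, collapsed so a /25 inside its /24 disappears."""
    nets = [net for a, net in table if a == asn]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    table = build_table(SAMPLE)
    for ip in ("198.51.100.7", "198.51.100.200", "192.0.2.1"):
        print(ip, "->", lookup_cidr(table, ip))
    print("AS64496 filterset:", filterset(table, 64496))
```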





Re: Is there anyone from ASPEWS on this list?

2009-12-12 Thread William Pitcock
Hi,

On Sat, 2009-12-12 at 18:02 +0100, Michelle Sullivan wrote:
 Michelle Sullivan wrote:
  Seth Mattinen wrote:
 
  You should still be able to submit a ticket to SORBS, no? I was 
  always under the impression that it was open a ticket and wait or 
  you are moved to the back of the line with SORBS.
 
  That is correct on all counts. 
 Oh and to re-iterate a point made so many times in so many forums and so 
 often ignored.  Posting to any of my email personal addresses will not 
 help your case at all.. ever.. in any way... and in fact posting to some 
 of the old and disused ones will likely cause a spamtrap listing.  SORBS 
 Support is done through the SORBS support system (which is what it is 
 there for funnily enough!)  Posting on mailing lists, or emailing to 
 me, other SORBS staff, or GFI will result in various responses from 
 completely ignoring you to sending you a PDF that tells you that you can 
 only gain support through the SORBS support system - NO EXCEPTIONS.  The 
 only thing my email address is valid for is if the SORBS Support system 
 is down for telling me such (and I have plenty of systems monitoring all 
 components of it so an email is pretty pointless in most cases.)  Robot 
 rejection and refusal to delist is not a failure in the support 
 system... Read the response and act upon the contents if you want a review.
 
 Sorry if that sounds harsh, but when you had seen even a couple of the 
 idiotic messages I get, you'll understand why.  Logging a ticket is 
 simple if a little onerous (it takes 7 clicks to get a ticket logged, 3 
 if you use the contact form!)

Perhaps people wouldn't have to email you if the robot actually did what
it said it was going to do.  Your website promises that the robot will
get things delisted out of the DUHL zone in 3 to 5 hours.

It has been more than 3 to 5 hours, and it is costing me money.
Considering that you shouldn't have listed the space to begin with, I
think it would be fantastic if you updated the website to reflect the
reality of the situation.

While I am sorry to hear that most of the people you deal with are
morons, it does not change the facts that SORBS listed IP address space
for no valid reason, other than the first version of the RDNS not
having .static. in it.

Perhaps if this sort of thing didn't keep happening, on a regular basis,
we would never hear about SORBS, MAPS, or any other RBLs on NANOG in a
bad light.

Personally, I like SORBS.  I would like to continue to be able to use
SORBS on my mail servers.  The fact that my addresses are listed as
being dynamic in SORBS when they are not, and it hasn't been fixed in
the timeframe that the website promises it would be fixed in, is making
me re-evaluate whether or not I should use SORBS and recommend it to
people looking for good DNSBLs to use on their mailservers.

 NO I DO NOT ACCEPT DELISTING REQUESTS OUT OF THE SUPPORT SYSTEM!

Then you should make your delisting process more streamlined.  You
already have a robot for most things, make it do the next step and just
delist the IP ranges it is given.

William




Is there anyone from ASPEWS on this list?

2009-12-11 Thread William Pitcock
Hi,

ASPEWS is listing 216.83.32.0/20 as being associated with the whole
Atrivo incident of 2008.  My memory does not recall 216.83.32.0/20 being
involved, nor the provider that it belongs to.

So it'd be cool if I could you know, talk to someone who has involvement
with that, because frankly, I do not see why it is listed as having any
involvement with Atrivo.  Also, the fact that Atrivo is *dead* and this
stuff is still listed means that anyone who gets those blocks from ARIN
next are basically screwed.  Which kind of sucks.

William




RE: Is there anyone from ASPEWS on this list?

2009-12-11 Thread William Pitcock
On Fri, 2009-12-11 at 09:55 -0800, Alex Lanstein wrote:
 Also, the fact that Atrivo is *dead* and this
 stuff is still listed means that anyone who gets
 those blocks from ARIN next are basically screwed
 
 Why would you say Atrivo is dead?
 
 r...@localhost --- {~}  nslookup www.googleadservices.com 85.255.114.83
 Server: 85.255.114.83
 Address:85.255.114.83#53
 
 Name:   www.googleadservices.com
 Address: 67.210.14.113

That is Cernal, and it is hosted in Russia now.

Cernal and Atrivo are two different entities, Atrivo used to host
Cernal, but now they have different hosting arrangements.

Can people get a clue and understand this very critical difference?

Thanks.

William





RE: Is there anyone from ASPEWS on this list?

2009-12-11 Thread William Pitcock
On Fri, 2009-12-11 at 17:25 -0800, Alex Lanstein wrote:
 William Pitcock wrote:
 Cernal and Atrivo are two different entities, Atrivo used to host
 Cernal, but now they have different hosting arrangements.
 
 I now understand the original point you were trying to make about Atrivo.  I 
 disagree with your premise that it is actually a different entity than 
 Cernel, but am not trying to debate that on this list for various reasons.  

Then why did you make the post?

 
 Acting under my (incorrect or correct) assumption that they are in fact the 
 same entity, I made my post to show that the boys were back.  

They are separate entities, and Cernal hosts with other providers, and
did so while Atrivo existed as well.

In fact, read below for some poignant analysis on this fact.

 
 That is, for a decent amount of time, parts of 85.255.112.0/20 were not being 
 advertised, and hence the dns hijacking pointing selected http traffic to 
 67.210.0.0/20 wasn't happening.
 
 My point was that it (fairly) recently started being advertised again, and it 
 was the same old song and dance wrt dns/http hijacking/fraud.
 

That doesn't surprise me, but I see it coming from Amazon EC2.  In fact,
traceroutes end at 67.210.14.1, which is a router servicing the EC2
cloud.  85.255.112.0/20 appears to be announced by Bandcon /
Internet-Path in the NYC area.  I believe that Amazon EC2's NYC cloud
uses these providers, but not 100% sure on that one.

Regardless, Amazon EC2 is not Atrivo, at all, period, and if you believe
that it is, you're bloody crazy.

William





Re: Is there anyone from ASPEWS on this list?

2009-12-11 Thread William Pitcock
On Fri, 2009-12-11 at 23:39 +, John Levine wrote:
 ASPEWS is listing 216.83.32.0/20 as being associated with the whole
 Atrivo incident of 2008.  My memory does not recall 216.83.32.0/20 being
 involved, nor the provider that it belongs to.
 
 Since nobody but the occasional highly vocal GWL uses ASPEWS, it's
 hard to see why one would care, but if you want to find ASPEWS, crank
 up your favorite usenet program, post a question to nanae, and watch
 the vitriol roll in.  There might be a comment from ASPEWS in there.

Well, I just want to reach SORBS to clear up some confusion regarding
what ranges of mine are dynamic (e.g. none of them, but they seem to
think otherwise).  Unfortunately, e-mail to SORBS bounces due to
ethr.net being listed in ASPEWS as being part of Atrivo.

I think it is kind of fail that RBL people do not have e-mail based
contact addresses.  Snoozenet is unpleasant to deal with.

William




Re: HE.net, Fremont-2 outage?

2009-11-03 Thread William Pitcock
Yeah.  They had yet another power outage.  The fourth in 16 months.

Luckily we have already begun plans to leave their facility.

William
--Original Message--
From: Tico
To: nanog@nanog.org
Subject: HE.net, Fremont-2 outage?
Sent: Nov 3, 2009 1:50 PM

Hey guys,

I can't get through to Hurricane Electric, and they seem to be having an 
outage at their Fremont-2 facility again (as of 17:30 UTC or thereabouts) --
ticket system is unanswered, phones go to voicemail, all equipment is 
unreachable.

Does anyone here have a presence at 48233 Warm Springs Blvd, that can 
provide any information about this? I got hit by the ATS failure last 
month, so I guess it's possible that that equipment may have flaked again.

-t



-- 
William Pitcock
SystemInPlace - Simple Hosting Solutions
1-866-519-6149



Re: DMCA takedowns of networks

2009-10-27 Thread William Pitcock
Mayfirst / Peoplelink did not get any notice that service would be turned down 
prior to it happening.

Hurricane has had a really bad history of handling copyright complaints.  The 
situation for example resulting in mayfirst's circuit being turned down had 
nothing at all to do with copyright and was instead a trademark violation 
dispute.

IANAL, but trademark issues are not copyright issues nor are they handled via 
the dmca.  Therefore what hurricane did in this instance is really 
unacceptable.  It should be emphasized that the dmca does not require turning 
down service - only sending the takedown notice along to an appropriate 
contact. See also: common-carrier immunity concept.

I don't know about you, but Hurricane's actions in this instance have made me 
reevaluate the use of their products in future projects.

(this post definitely does not reflect the opinions of my employer.)

William
--Original Message--
From: Jack Bates
To: Richard A Steenbergen
Cc: North American Network Operators Group
Subject: Re: DMCA takedowns of networks
Sent: Oct 26, 2009 1:44 PM

Richard A Steenbergen wrote:
 had no liability in the matter. Of course Hurricane is well within their 
 rights not to serve any customer that they please, but the customer is 
 also well within their rights to find another provider who better 
 respects the rights of free speech on the Internet (if the above is what 
 actually happened).
 

I'm sure HE respects the rights of free speech just fine. That being 
said, a notice was delivered, customer may not have replied with the 
appropriate legal notice, and so HE honored its obligation to maintain 
safe harbor.

One would have to be an idiot to jeopardize their company by rolling the 
dice in an effort to protect free speech (which may not legally be free 
speech). Courts determine what is free speech. ISPs just try to stay the 
hell out of the way.

Jack



-- 
William Pitcock
SystemInPlace - Simple Hosting Solutions
1-866-519-6149

Re: DMCA takedowns of networks

2009-10-27 Thread William Pitcock
Option 5 sounds like it fits the bill to me.  After all, what HE said was 
basically "take the site down or else", to which they backed down but then wound 
up turning service down anyway.

It is truly disappointing to see HE evolve in this way.  I hope that their 
management decides to change the way IP issues get handled.

(again, not the opinions of my employer.)

William
-- 
William Pitcock
SystemInPlace - Simple Hosting Solutions
1-866-519-6149

-Original Message-
From: Brian Johnson bjohn...@drtel.com
Date: Mon, 26 Oct 2009 17:03:29 
To: North American Network Operators Groupna...@merit.edu
Subject: RE: DMCA takedowns of networks

Per Dictionary.com:

blackmail

-noun
1. any payment extorted by intimidation, as by threats of injurious
revelations or accusations.
2. the extortion of such payment: He confessed rather than suffer the
dishonor of blackmail.
3. a tribute formerly exacted in the north of England and in Scotland by
freebooting chiefs for protection from pillage.

-verb (used with object)
4. to extort money from (a person) by the use of threats.
5. to force or coerce into a particular action, statement, etc.: The
strikers claimed they were blackmailed into signing the new contract.


... thus, this is not blackmail. Please throw your grenades and run. :)

- Brian


 -Original Message-
 From: Sven Olaf Kamphuis [mailto:s...@cyberbunker.com]
 Sent: Monday, October 26, 2009 12:25 PM
 To: Joe Greco
 Cc: Brian Johnson; North American Network Operators Group
 Subject: Re: DMCA takedowns of networks
 
   Is there a better solution that doesn't require intrusive parsing?
 
  Sure.  Tell the hoster they've got to shut it down, or else lose
  their connectivity.
 
 which would be called blackmail.
 
 sure, have the cops arrest the guy that actually runs the site or
 uploaded it onto the site, if they cannot (because it simply doesnt
 happen to be illegal in the country where he resides) they are out of
 luck and have to live with it.
 
 furthermore, in any case, a proper court order specifically
 mentioning the url, the customer, the right company out of our
 christmastree of companies worldwide, etc would
 be required as we dont plan to decide whats illegal and what not.
 
 ofcourse all of this only applies to real crime. not to whining dmca
 idiots, whom are criminals themselves.
 
 --
 
 Sven Olaf Kamphuis
 CB3ROB DataServices
 
 Phone: +31/87-8747479
 Skype: CB3ROB
 MSN:   s...@cb3rob.net
 C.V.:  http://www.linkedin.com/in/cb3rob
 
 
 On Mon, 26 Oct 2009, Joe Greco wrote:
 
 So why are we having this discussion?
   
Because it appears that HE took down non-infringing sites?
   
Excuse me for stating the obvious.  :-)
   
... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI -
  
   On the technical side of this question...
  
   Let's say that a customer is doing virtual hosting. So they have a
   bunch of sites (Let's say hundreds) on a single IP address. Given that
   one of the sites is misbehaving (use your own definition), how would a
   provider block the one site, without blocking others that share the
   same IP address, without looking at every port 80 request and parsing
   for the header for the URL?
  
   Is there a better solution that doesn't require intrusive parsing?
 
  Sure.  Tell the hoster they've got to shut it down, or else lose
  their connectivity.
 
  Sometimes it can be both simple *and* obvious.
 
  ... JG
  --
  Joe Greco - sol.net Network Services - Milwaukee, WI -
 http://www.sol.net
  We call it the 'one bite at the apple' rule. Give me one chance [and]
  then I won't contact you again. - Direct Marketing Ass'n position on
  e-mail spam(CNN)
  With 24 million small businesses in the US alone, that's way too many
  apples.
 
 
 



Re: IPv6 could change things - Was: DMCA takedowns of networks

2009-10-27 Thread William Pitcock
To expand on this from a programmer's perspective, usually at the kernel/network 
stack level, a patricia radix-style trie is used for fast ipv6 lookups.

The benefit of the patricia trie being that if you only have a difference 
keylength of 8 bits (/120) then the ip lookup only takes 8 steps in a 
worst-case scenario.

The same concept applies to ipv4 cidr as well, but it is less obvious.

William
--Original Message--
From: Adrian Chadd
To: Jeroen Massar
Cc: North American Network Operators Group
Subject: Re: IPv6 could change things - Was: DMCA takedowns of networks
Sent: Oct 27, 2009 10:39 AM

On Tue, Oct 27, 2009, Jeroen Massar wrote:

 But yes, the network stack itself is a different question, then again,
 you can just route a /64 into the loopback device and let your apache
 listen there... (which also allows you to do easy-failover as you can
 move that complete /64 to a different box ;)

Funny you should mention that.

A couple of tricks I've seen:

* instead of a linked list and O(n) searching of interface aliases, use
  some kind of tree to map local IP -> interface.
* hacks to do a bind to all damned IP addresses and let userspace sort
  it out.

I've done the former for a few thousand aliases with no degradation
in performance. The hacks available for freebsd-4.x for the Web Polygraph
software did something similar.

2c,



Adrian




-- 
William Pitcock
SystemInPlace - Simple Hosting Solutions
1-866-519-6149
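As an added illustration of the path-compressed (patricia style) lookup described in the post above, and not code from the original thread: a binary radix trie over 128-bit keys in which single-child paths are collapsed, so a lookup only branches at the bits where stored prefixes actually differ. The route table is constructed for the example; with a covering /32 and four /120s that differ only in bits 118 and 119, a lookup visits five nodes rather than walking all 120 prefix bits.

```python
import ipaddress

def _bit(key, i):  # bit i of a 128-bit key, with i = 0 the most significant bit
    return (key >> (127 - i)) & 1

def _common_len(a, b, maxlen):  # length of the common prefix of a and b, capped at maxlen
    diff = (a ^ b) >> (128 - maxlen)
    return maxlen if diff == 0 else maxlen - diff.bit_length()

class Node:
    def __init__(self, prefix, plen, value=None):
        self.prefix = prefix & (((1 << plen) - 1) << (128 - plen))  # keep only the top plen bits
        self.plen, self.value = plen, value  # value stays None on pure branch nodes
        self.children = [None, None]  # subtrees for bit number `plen` being 0 or 1

class RadixTrie:  # path-compressed binary trie doing IPv6 longest-prefix match
    def __init__(self, routes=()):
        self.root = Node(0, 0)
        for cidr, value in dict(routes).items():
            self.insert(cidr, value)

    def insert(self, cidr, value):
        net = ipaddress.IPv6Network(cidr)
        node, key, plen = self.root, int(net.network_address), net.prefixlen
        while node.plen < plen:
            slot = _bit(key, node.plen)
            child = node.children[slot]
            if child is None:  # free slot: the new prefix becomes a leaf here
                node.children[slot] = Node(key, plen, value)
                return
            c = _common_len(key, child.prefix, min(plen, child.plen))
            if c < child.plen:  # keys diverge inside the child's compressed path: split it at bit c
                mid = node.children[slot] = Node(key, c)
                mid.children[_bit(child.prefix, c)] = child
                child = mid
            node = child
        node.value = value  # node is now the exact prefix (the root for ::/0)

    def lookup(self, addr):
        """Return (value of the longest matching prefix or None, number of nodes visited)."""
        key = int(ipaddress.IPv6Address(addr))
        node, best, visited = self.root, None, 0
        while node is not None and _common_len(key, node.prefix, node.plen) == node.plen:
            visited += 1
            best = node.value if node.value is not None else best
            node = node.children[_bit(key, node.plen)] if node.plen < 128 else None
        return best, visited

# Constructed sample table: one covering /32 plus four /120s that differ only in bits 118-119.
SAMPLE_ROUTES = {"2001:db8::/32": "aggregate", "2001:db8::/120": "customer-0",
                 "2001:db8::100/120": "customer-1", "2001:db8::200/120": "customer-2",
                 "2001:db8::300/120": "customer-3"}
```

The visit count returned by `lookup` is the number of nodes whose prefix matched the address; an address covered only by the /32 stops after two, and one inside a /120 after five.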

Re: IPv6 internet broken, cogent/telia/hurricane not peering

2009-10-12 Thread William Pitcock
On Mon, 2009-10-12 at 10:47 -0700, Seth Mattinen wrote:
 Patrick W. Gilmore wrote:
  On Oct 12, 2009, at 12:52 PM, Randy Bush wrote:
  
  sure would be nice if there was a diagnosis before the lynching
  
  If this happened in v4, would customers care 'why' it happened? 
  Obviously not.
 
 I suspect more NAT will become a better solution than migrating to IPv6
 if/when runout becomes a problem because there's just not enough
 visibility or providers that take it seriously enough for IPv6 to be a
 viable solution. I try to do my part but it's a horrible pain.
 

And then you have the hordes of DSLreports people screaming about how
they do not have a routable IP address anymore, which is bad for
business, and then IPv6 comes about because the people *demand* it.
(although they do not necessarily know they are demanding that -- what
they are demanding is the ability to continue having publicly
routable IP addresses for their broadband connection.)

William



