Justin Shore wrote:
I'm assuming everyone uses uRPF at all their edges already so that
eliminates the need for specific ACEs with ingress/egress network
verification checks.
ha. I only wish that was true.
We do filter all customer ports for IPs we believe from them, but darn
few other prov
Doesn't anyone RTFM before posting anymore?
http://mail.google.com/support/bin/answer.py?hl=en&answer=13287
# Configure your client to match the settings below:
Incoming Mail (POP3) Server - requires SSL: pop.gmail.com
Use SSL: Yes
Port: 995
Outgoing Mail (SMTP) Server - requires TLS: smtp
Those using Google for SMTP can still use their ISP's SMTP servers for
outbound
Frank
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ang
Kah Yik
Sent: Monday, March 10, 2008 7:40 PM
To: Andy Dills
Cc: nanog@merit.edu
Subject: Re: Customer-facing ACL
We have a two-dozen line long ACL applied to our CMTS and BRAS blocking
Windows and "virus" ports and have never had a complaint or a problem. We
do have a more sophisticated residential or large-biz customers ask, but
only once has our ACL been the source of a problem and it's only because the
O
Ang Kah Yik wrote:
However, considering the number of mobile workers out there who send
email via their laptops to corporate SMTP servers, won't blocking
outbound SMTP affect them?
After all, there are also those who frequently move from place to place
so they're going to have to keep chan
I've attempted to summarise the replies I found useful in the Wiki:
http://nanog.cluepon.net/index.php/MailTopics#Customer-Facing_ACLs
My personal observations:
* More information about what networks are doing would be nice!
* More data points about probes/scans/etc would be nice!
* Filtering t
On Mon, Mar 10, 2008 at 7:58 PM, Ang Kah Yik <[EMAIL PROTECTED]> wrote:
>
> Hi Justin (and all others on-list)
>
> I understand your grounds for blocking outbound SMTP for your customers
> (especially those on dynamic IP connections).
> It probably will do good to block infected customers that
Chris,
That's a good question. IAR peers that also wish to run PGBGP will transmit
their anomalous routes out of band to the IAR. This will likely be done via
logs and a simple forwarding script.
Josh
On Mon, Mar 10, 2008 at 4:01 PM, Christopher Morrow <
[EMAIL PROTECTED]> wrote:
> On Mon,
On Mon, 10 Mar 2008, Scott Weeks wrote:
The default policy is we allow everything. It takes no explaining.
If you don't bother to explain to the same customers who you believe
couldn't figure out how to change the default settings, what the
risks and how to protect their computers on the Int
> --
>
> Date: Tue, 11 Mar 2008 07:58:01 +0800
> From: Ang Kah Yik <[EMAIL PROTECTED]>
> Subject: Customer-facing ACLs
>
> Hi Justin (and all others on-list)
>
> I understand your grounds for blocking outbound SMTP for your customers
> (especially those on dynamic IP c
Hi Andy (and all who responded),
Thanks for the heads-up on the redirection on SMTP traffic. I've yet to
see an implementation of it but I agree that it's a possible solution.
As for the issue I raised previously, perhaps corporate users isn't a
good example but what about users of email ser
On Tue, 11 Mar 2008, Ang Kah Yik wrote:
>
> Hi Justin (and all others on-list)
>
> I understand your grounds for blocking outbound SMTP for your customers
> (especially those on dynamic IP connections).
> It probably will do good to block infected customers that are spewing spam all
> over the
Hi Justin (and all others on-list)
I understand your grounds for blocking outbound SMTP for your customers
(especially those on dynamic IP connections).
It probably will do good to block infected customers that are spewing
spam all over the world.
However, considering the number of mobile wo
On Mon, Mar 10, 2008 at 11:01 AM, Josh Karlin <[EMAIL PROTECTED]> wrote:
> All,
>
> Some of you are aware of the site for network operators:
> http://iar.cs.unm.edu/ which has been running for two years now. The purpose of
> the site is to detect and distribute network anomaly information to the
> ne
-- [EMAIL PROTECTED] wrote: --
On Mon, 10 Mar 2008, Scott Weeks wrote:
> The hard part is I now always take over networks that have been in
> operation a long time and enabling these policies can be very painful
> after the fact. Establishing them when the network is new is a
On Mon, 10 Mar 2008, Scott Weeks wrote:
The hard part is I now always take over networks that have been in
operation a long time and enabling these policies can be very painful
after the fact. Establishing them when the network is new is a
different story.
Whatever you decide, whether you k
Long response with answers inline...
--- [EMAIL PROTECTED] wrote:---
> Might as well do TCP 20, 21 and 23, too. Woah, that slope's getting slippery!
Depends on how you ask the questions.
How about: Should a stateful firewall be provided for casual broadband
dynamic
The American Registry for Internet Numbers (ARIN), in cooperation with
the Cooperative Association for Internet Data Analysis (CAIDA), is
conducting a survey to gather data regarding the current and future use
of IPv6 throughout the ARIN Region. For a complete list of countries go
to: http://
On Fri, 7 Mar 2008, Scott Weeks wrote:
To me there is no question of whether or not you filter traffic for
residential broadband customers.
SBC in my area (Dallas) went from wide open to outbound 25 blocked by
default/opened on request. I think doing the same thing with port 22 would
hardly be
A couple of tools I use from time to time are iperf and ttcp. I'll run
iperf on some host and either run ttcp to it from a router or iperf to
another host. You can also run ttcp router to router.
-wil
On Mar 10, 2008, at 8:51 AM, Joe Shen wrote:
we do not just want to analyze e2e perform
Ttcp will give you what you're looking for, but it's not something you
can run in the background and forget. You have to bring it up on both
ends, and while it's running, it won't even pretend to try and be
friendly about bandwidth usage. It'll give you a summary after it has
finished transferri
we do not just want to analyze e2e performance, but to
monitor network performance at IP and TCP layer.
We monitor end-to-end ping with smokeping, but as you
know, ICMP data does not reflect application layer
performance at any time. So, we set up two hosts to
measure TCP performance.
Is there tools
Adrian Chadd wrote:
Does anyone have any handy links to actual raw data and papers about this?
I'm sure we've all got our own personal datapoints to support automated
network probes but I'd prefer to stuff something slightly more concrete
and official(!) into the Wiki.
SANS ISC might have som
All,
Some of you are aware of the site for network operators:
http://iar.cs.unm.edu/ which has been running for two years now. The purpose of
the site is to detect and distribute network anomaly information to the
network operators that need to know. The flip side of our proposed security
system, Pr
> >Do bots try brute force attacks on Telnet and FTP? All I see at my firewall
> >are SSH attacks and spam. But sure, if there's a lot of Telnet abuse block
> >23 too; I think it's used about as rarely by "normal" customers as SSH is.
> >
>
> Depending on the ip space I find FTP brute force attac
Dave Pooser wrote:
Do bots try brute force attacks on Telnet and FTP? All I see at my firewall
are SSH attacks and spam. But sure, if there's a lot of Telnet abuse block
23 too; I think it's used about as rarely by "normal" customers as SSH is.
Depending on the ip space I find FTP brute forc
On Mon, Mar 10, 2008 at 4:00 AM, Joe Shen <[EMAIL PROTECTED]> wrote:
>
> hi,
>
> is there any tool could measure e2e TCP connection
> speed?
>
>
> e.g. we want to measure the delay between the TCP SYN
> and receiving SYN ACK packet.
So, all you want to know is basic RTT? Do you want to know
We use LAN Traffic v2 to test speeds on our network.
http://www.omnicor.com/netest.htm
-
Michienne Dixon
Network Administrator
liNKCity
312 Armour Rd
North Kansas City, MO 64116
www.linkcity.org
(816) 412-7990
From: Joe Shen
Sent: Mon 3/10/2008 4:00 AM
To: NANGO
Subject: Tools to measure TCP
>
> On 2008-03-10, Joe Shen <[EMAIL PROTECTED]> wrote:
> > is there any tool could measure e2e TCP connection speed?
>
WireShark, which also has a basic analysis package built-in for error and
connection setup statistics.
On 2008-03-10, Joe Shen <[EMAIL PROTECTED]> wrote:
> is there any tool could measure e2e TCP connection
> speed?
hping (or tcpdump while you make a connection by any method).
Best way to do it is right after the SYN just count "one one thousand, two one
thousand" until you get the ACK. This works best for RFC 1149 traffic, but is
applicable for certain others as well.
I don't know of any automated tool, per se. You really couldn't do it *well*
on the software si
hi,
is there any tool could measure e2e TCP connection
speed?
e.g. we want to measure the delay between the TCP SYN
and receiving SYN ACK packet.
Joe
William Allen Simpson wrote:
Marshall Eubanks wrote:
I used to count the proportion of Mac laptops in the room (or, at
least, my row) to pass the time when I was bored.
I remember at the 1999 Washington IETF I saw exactly one, and I
could hear people whisper about it around me.
I used