On Thu, 23 Jul 2015, Nicholas Warren wrote:
How will the customer know the ISP is blocking the traffic? Does the
FCC make ISPs disclose this information?
If a customer is legitimately trying to reach someone in one of the
affected IP ranges and failing, at some point, they will either a)
How will the customer know the ISP is blocking the traffic? Does the FCC make
ISPs disclose this information?
Thank you,
- Nich Warren
On 07/22/2015 09:01 PM, Justin M. Streiner wrote:
You're certainly free to block whatever traffic you wish, but your
customers might not appreciate a
On Thu, Jul 23, 2015 at 6:25 AM, Justin M. Streiner strei...@cluebyfour.org
wrote:
On Thu, 23 Jul 2015, Nicholas Warren wrote:
How will the customer know the ISP is blocking the traffic? Does the FCC
make ISPs disclose this information?
If a customer is legitimately trying to reach
On Thu, 23 Jul 2015 09:25:33 -0400, Justin M. Streiner said:
If a customer is legitimately trying to reach someone in one of the
affected IP ranges and failing, at some point, they will either a) give up
and try later, or b) contact their provider to try to find out what's
going on.
You
On 07/22/2015 09:01 PM, Justin M. Streiner wrote:
You're certainly free to block whatever traffic you wish, but your
customers might not appreciate a heavy-handed approach to stopping bad
traffic at the gates.
As opposed to not being able to pass traffic at all? After all, isn't
the goal of
On Mon, 20 Jul 2015, Colin Johnston wrote:
blocking to mitigate risk is a better trade off gaining better
percentage legit traffic against an inadvertent minor valid good network
range.
There are bound to be an awful lot of babies in that bathwater you're
planning to throw out.
You're
Computing Solutions
http://www.ics-il.com
- Original Message -
From: Rafael Possamai raf...@gav.ufsc.br
To: Jared Mauch ja...@puck.nether.net
Cc: nanog@nanog.org
Sent: Tuesday, July 21, 2015 8:07:34 AM
Subject: Re: 20-30Gbps UDP 1720 traffic appearing to originate from CN in
last 24
On 7/21/2015 8:43 AM, Jared Mauch wrote:
On Tue, Jul 21, 2015 at 08:09:56AM -0400, Curtis Maurand wrote:
DNS is still largely UDP.
Water is also still wet :) - but you may not be doing 10% of your
links as UDP/53.
DNS can also use TCP as well, including sending more than one
Hello!
There are few vendors which could offer 100GE capture solutions which
could be used with FastNetMon. I could share vendor names off list if
you are interested in it.
Now we do only packet counting and compare it with fixed thresholds.
But we are working on deep packet inspection of
Pavel, what kind of resources does the analysis of a 100G circuit require?
Or is it just counting packets?
On Tue, Jul 21, 2015 at 8:11 AM, Pavel Odintsov pavel.odint...@gmail.com
wrote:
You could do SQC with FastNetMon. We have per subnet / per host and
per protocol counters. We are working
Hello, folks!
Could anybody run my toolkit https://github.com/FastVPSEestiOu/fastnetmon with
collect_attack_pcap_dumps = on option against this attack type?
With pcap dump we could do detailed analysis and share all details with
Community.
On Tue, Jul 21, 2015 at 2:16 PM, Jared Mauch
I'm reminded of the "the russians are hacking our water system"
stories from a few years back, when it turned out the water system
administrator was on vacation in russia.
often traffic comes from unexpected locations. perhaps you
should fail-closed with good business practices to
DNS is still largely UDP.
--Curtis
On 7/20/2015 5:40 PM, Ca By wrote:
Folks, it may be time to take the next step and admit that UDP is too
broken to support
https://tools.ietf.org/html/draft-byrne-opsec-udp-advisory-00
Your comments have been requested
On Mon, Jul 20, 2015 at 8:57 AM,
...@gav.ufsc.br
To: Jared Mauch ja...@puck.nether.net
Cc: nanog@nanog.org
Sent: Tuesday, July 21, 2015 8:07:34 AM
Subject: Re: 20-30Gbps UDP 1720 traffic appearing to originate from CN in last
24 hours
Has anyone tried to implement real-time SQC in their network? You can
calculate summary statistics
On Tue, Jul 21, 2015 at 08:07:34AM -0500, Rafael Possamai wrote:
Has anyone tried to implement real-time SQC in their network? You can
calculate summary statistics and use math to determine if traffic is
normal or if there's a chance it's garbage. You won't be able to notice
one-off attacks,
Has anyone tried to implement real-time SQC in their network? You can
calculate summary statistics and use math to determine if traffic is
normal or if there's a chance it's garbage. You won't be able to notice
one-off attacks, but anything that repeats enough times should pop up.
Facebook uses
You could do SQC with FastNetMon. We have per subnet / per host and
per protocol counters. We are working on multi 100GE mode very well :)
On Tue, Jul 21, 2015 at 4:07 PM, Rafael Possamai raf...@gav.ufsc.br wrote:
Has anyone tried to implement real-time SQC in their network? You can
calculate
Subject: Re: 20-30Gbps UDP 1720 traffic appearing to originate from CN in last
24 hours
On Mon, 20 Jul 2015 21:12:33 +0100, Colin Johnston said:
source user to use phone contact and or postal service to establish contact
And your phone and postal addresses are listed *where* that Joe Aussie
nanog@nanog.org
Sent: Monday, July 20, 2015 4:44:47 PM
Subject: Re: 20-30Gbps UDP 1720 traffic appearing to originate from CN in last
24 hours
On Mon, Jul 20, 2015 at 5:40 PM, Colin Johnston col...@gt86car.org.uk wrote:
a gentle talk to china folks from neighbours/asia associated areas might
On Tue, Jul 21, 2015 at 08:09:56AM -0400, Curtis Maurand wrote:
DNS is still largely UDP.
Water is also still wet :) - but you may not be doing 10% of your
links as UDP/53.
DNS can also use TCP as well, including sending more than one
query in a pipelined fashion.
The
On Mon, 20 Jul 2015 19:04:27 +0100, Colin Johnston said:
route block china range whole of and/or firewall block china range whole of
Do you have an authoritative list of *all* IP blocks that end up routed into
China?
For bonus points, IPv6 blocks too. :)
On 20 Jul 2015, at 18:12, Drew Weaver wrote:
Ah, alright. I've seen the general amplification attacks
SNMP/DNS/NTP/you name it, plenty but this is the first one I've ever
seen one that targeted 1720/5060 and as its mitigated in one place it
keeps moving from dst to dst fairly rapidly until
Has anyone else seen a massive amount of illegitimate UDP 1720 traffic coming
from China being sent towards IP addresses which provide VoIP services?
I'm talking in the 20-30Gbps range?
The first incident was yesterday at around 13:00 EST, the second incident was
today at 09:00 EST.
I'm
I’m sure this is just the extension of all the UDP amplification attacks that
are ongoing. My experience is that 1720/CUCM should not be connected to a
public network as those devices are often not well maintained or patched.
If it’s of value I can look at adding this to the set of things that
see below for china ranges I believe, ipv4 and ipv6
route block china range whole of and/or firewall block china range whole of
then contact gov and tell them trade talks need to involve china engaging with
incident teams and abuse teams
colin
Sent from my iPhone
On 20 Jul 2015, at 16:57, Drew Weaver drew.wea...@thenap.com wrote:
Has anyone
My network also saw 30gbps+ originating from the same region on multiple
occasions beginning last night around 2300EST.
On Jul 20, 2015 12:20 PM, valdis.kletni...@vt.edu wrote:
On Mon, 20 Jul 2015 19:04:27 +0100, Colin Johnston said:
route block china range whole of and/or firewall block china
On Mon, 20 Jul 2015 19:42:39 +0100, Colin Johnston said:
see below for china ranges I believe, ipv4 and ipv6
You may believe... but are you *sure*? (Over the years, we've seen
*lots* of block China lists that accidentally block chunks allocated
to Taiwan or Australia or other Pacific Rim
Message-
From: Jared Mauch [mailto:ja...@puck.nether.net]
Sent: Monday, July 20, 2015 12:06 PM
To: Drew Weaver drew.wea...@thenap.com
Cc: nanog@nanog.org
Subject: Re: 20-30Gbps UDP 1720 traffic appearing to originate from CN in last
24 hours
I’m sure this is just the extension of all the UDP
On Mon, Jul 20, 2015 at 09:50:44PM +0100, Colin Johnston wrote:
blocking to mitigate risk is a better trade off gaining better percentage
legit traffic against an inadvertent minor valid good network range.
That may be your call, or your management's call, but that doesn't make it
*my* call or
Folks, it may be time to take the next step and admit that UDP is too
broken to support
https://tools.ietf.org/html/draft-byrne-opsec-udp-advisory-00
Your comments have been requested
On Mon, Jul 20, 2015 at 8:57 AM, Drew Weaver drew.wea...@thenap.com wrote:
Has anyone else seen a massive
On Mon, Jul 20, 2015 at 3:18 PM, Colin Johnston col...@gt86car.org.uk wrote:
in war you take information at face value and use it if needed to mitigate
risk, if there is legit traffic in blocked ranges then exemption procedure
in place to unblock.
it's not clear how blocking any list of
blocking to mitigate risk is a better trade off gaining better percentage legit
traffic against an inadvertent minor valid good network range.
Sent from my iPhone
On 20 Jul 2015, at 21:20, valdis.kletni...@vt.edu wrote:
On Mon, 20 Jul 2015 21:12:33 +0100, Colin Johnston said:
source user to
:: So how does Joe Aussie-Sixpack notify you that you
:: goofed, when you've blocked his IP range?
-
He doesn't. This is war and us amuricans're gonna
make them change their culture to fit our expectations,
too. ;-)
Hahaha... Could not have said it
On Mon, Jul 20, 2015 at 5:40 PM, Colin Johnston col...@gt86car.org.uk wrote:
a gentle talk to china folks from neighbours/asia associated areas might help
to persuade china to do the right thing and tackle abuse and tackle direct
network attacks.
it's confusing to me that you think china (the
On 20 Jul 2015, at 21:04, valdis.kletni...@vt.edu wrote:
On Mon, 20 Jul 2015 20:18:46 +0100, Colin Johnston said:
in war you take information at face value and use it if needed to mitigate
risk, if there is legit traffic in blocked ranges then exemption procedure
in
place to unblock.
On Mon, 20 Jul 2015 21:12:33 +0100, Colin Johnston said:
source user to use phone contact and or postal service to establish contact
And your phone and postal addresses are listed *where* that Joe Aussie-Sixpack
is likely to be able to find?
(Hint 1: If it's on your website, they can't find
in war you take information at face value and use it if needed to mitigate
risk, if there is legit traffic in blocked ranges then exemption procedure in
place to unblock.
colin
Sent from my iPhone
On 20 Jul 2015, at 19:57, valdis.kletni...@vt.edu wrote:
On Mon, 20 Jul 2015 19:42:39
new idea to free up network ranges for arin and ripe
give a class c to china firewall, then put all the existing china ranges back
in allocation pool and reallocate to new customers.
announce these new ranges with a higher pref than china ranges and then watch
china start to cooperate at the nic
On Mon, 20 Jul 2015 15:40:09 -0400, ML said:
If you really wanted to go the route of blocking all/almost all China.
Isn't there a short list of ASNs that provide transit to China
citizens/networks?
I'm referring to AS4134, AS4837, etc
Wouldn't blackholing any prefix with those ASNs in the AS
On 7/20/2015 2:57 PM, valdis.kletni...@vt.edu wrote:
On Mon, 20 Jul 2015 19:42:39 +0100, Colin Johnston said:
see below for china ranges I believe, ipv4 and ipv6
You may believe... but are you *sure*? (Over the years, we've seen
*lots* of block China lists that accidentally block chunks
On Mon, 20 Jul 2015 20:18:46 +0100, Colin Johnston said:
in war you take information at face value and use it if needed to mitigate
risk, if there is legit traffic in blocked ranges then exemption procedure in
place to unblock.
So how does Joe Aussie-Sixpack notify you that you goofed, when
--- valdis.kletni...@vt.edu wrote:
On Mon, 20 Jul 2015 20:18:46 +0100, Colin Johnston said:
in war you take information at face value and use it
if needed to mitigate risk, if there is legit traffic
in blocked ranges then exemption procedure in place to
unblock.
:: So how does Joe
On Mon, Jul 20, 2015 at 3:40 PM, ML m...@kenweb.org wrote:
On 7/20/2015 2:57 PM, valdis.kletni...@vt.edu wrote:
On Mon, 20 Jul 2015 19:42:39 +0100, Colin Johnston said:
see below for china ranges I believe, ipv4 and ipv6
You may believe... but are you *sure*? (Over the years, we've seen
On Monday, July 20, 2015, John Weekes j...@nuclearfallout.net wrote:
Ca,
Folks, it may be time to take the next step and admit that UDP is too
broken to support
https://tools.ietf.org/html/draft-byrne-opsec-udp-advisory-00
Your comments have been requested
My comment would be that
Ca,
Folks, it may be time to take the next step and admit that UDP is too
broken to support
https://tools.ietf.org/html/draft-byrne-opsec-udp-advisory-00
Your comments have been requested
My comment would be that UDP is still widely used for game server
traffic. This is unlikely to change
TCP packets travel at the same speed as udp.
I will go into more detail.
TCP is designed to be a reliable protocol. When a packet is lost, TCP
reduces the transfer rate and retransmits the packet. If enough packets
are lost, the connection is reset entirely. This is not desirable with a
On Mon, Jul 20, 2015 at 5:31 PM, Tony Wicks t...@wicks.co.nz wrote:
Hahaha... Could not have said it better. But seriously as a New Zealand
based engineer who has 20+ years in the internet industry the number of
times I have had to deal with arrogant *** who block ip ranges that
affect my