Re: Network Maps - Western Europe

2016-11-01 Thread Wolfgang Tremmel
> On 1 Nov 2016, at 00:15, Rod Beck wrote:
>
> I am trying to determine the physical diversity of the Zayo and Level3
> networks vis-a-vis each other on the European racetrack -
> London/Amsterdam/Frankfurt/Paris/London. It is for a client of mine.

try

Re: Help interpret a strange traceroute?

2016-11-01 Thread Dovid Bender
Does anyone have an IP that involves a load balancing router to test with?

On Mon, Oct 31, 2016 at 5:54 PM, Bryan Holloway wrote:
> On 10/31/16 4:20 PM, Olivier Benghozi wrote:
>
>> Hi Randy,
>>
>>
>> ECMP loadbalancing is most frequently done on layer3+layer4 headers, and
>>

RE: IPv6 automatic reverse DNS

2016-11-01 Thread Woodworth, John R
-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of White, Andrew
>
> There are two competing drafts for synthetic rule-based PTR responses
> for IPv6 rDNS:
>
> Howard Lee, Time Warner Cable (now Charter)
> https://tools.ietf.org/html/draft-howard-isp-ip6rdns-08
>

RE: IPv6 automatic reverse DNS

2016-11-01 Thread Woodworth, John R
> Hi John,
>
> Thanks for the info and background.
>
> One operational suggestion I have is … why link synthesis rules to a
> specific DNS zone?
>
> Most larger operators of auth DNS use an IP management tool, like BT
> Diamond IPAM, BlueCat, or Infoblox. Oftentimes, allocations of IP space
> will

Re: Syn flood to TCP port 21 from priveleged port (80)

2016-11-01 Thread Oleg A . Arkhangelsky
Hello,

A couple of cuts from tcpdump output:

21:31:54.995170 IP 141.138.131.115.80 > 109.72.248.114.21: Flags [S], seq 1376379765, win 8192, length 0
21:31:55.231925 IP 194.73.173.154.80 > 109.72.241.198.21: Flags [S], seq 2254756684, win 8192, length 0
21:27:50.413927 IP 95.131.188.179.80 >

Re: Syn flood to TCP port 21 from priveleged port (80)

2016-11-01 Thread Selphie Keller
Does the synflood have tcp option headers? I am seeing this same activity at our forward observation system, however it's not showing any tcp options like mss,sack,timestamps etc, was curious if others were seeing the same

[root@oakridge-intercept(~)]> tcpdump -nn -i eth0 'tcp and (tcp[13] ==

Re: Syn flood to TCP port 21 from priveleged port (80)

2016-11-01 Thread Selphie Keller
yeah it looks like the person behind the flood may have scanned for active ftp servers, not seeing any activity on other observation subnets of this flood, and so far the only servers showing this port 80 to port 21 are ones that do have actual ftp servers, however, the connection is not actually

Re: Syn flood to TCP port 21 from priveleged port (80)

2016-11-01 Thread Oleg A . Arkhangelsky
01.11.2016, 22:06, "Eric Tykwinski" :
> Oleg,
>
> I'm seeing the same to a single client here source IPs seem to be matching up
> as well.
> I attached a pcap, just so you can compare.
>

And the same sources:

141.138.128.0 - 141.138.135.255
194.73.173.0 - 194.73.173.127

RE: Syn flood to TCP port 21 from priveleged port (80)

2016-11-01 Thread Emille Blanc
> Does the synflood have tcp option headers?

Not seeing any here. From this morning.

12:45:46.180665 194.73.173.17.80 > 216.57.181.189.21: S [tcp sum ok] 1158156467:1158156467(0) win 8192 (DF) (ttl 60, id 18499, len 40)
12:45:46.180667 194.73.173.17.80 > 216.57.181.189.21: S [tcp sum ok]

RE: Syn flood to TCP port 21 from priveleged port (80)

2016-11-01 Thread Emille Blanc
Ditto. Same sources; 141.138.128.0/21 and 95.131.184.0/21 (give or take). Out of 1000 packet sample taken at 12:45:46 PDT (19:45:46 UTC) at boundary, 502 unique sources to 10 destination hosts on our AS. Obligatory data should this be of use to anyone listening in.

-Original Message-

Re: Syn flood to TCP port 21 from priveleged port (80)

2016-11-01 Thread Ken Chase
seeing an awful lot of port 80 hitting port 21. (Why would port 80 ever be used as source?). Also saw a buncha cpanel "FAILED: FTP" alerts flickering on and off as the service throttled itself at a couple client sites I manage. I see 540 unique source IPs hitting 32 destinations on my network in

Re: Syn flood to TCP port 21 from priveleged port (80)

2016-11-01 Thread Ken Chase
Not sure why reflected RSTs are the goal here, they're not much of an amplification to the original syn size. Additionally causing a mild dos of my clients' stuff when it begins throttling # of connections, ie noticeable. (not that i want to help scriptkids improve their attacks...). I'm guessing

Re: Syn flood to TCP port 21 from priveleged port (80)

2016-11-01 Thread Van Dyk, Donovan
I think Ken has nailed it. I think the source addresses are spoofed so you reflect the connection (tcp syn ack) to those source addresses. Get enough of those connections and the server is dead. Since your port 21 is open

telnet 109.72.248.114 21
Trying 109.72.248.114...
Connected to

netcalc: a tool for aggregating networks, subtracting, and more

2016-11-01 Thread Israel G. Lugo
Hello,

In the spirit of Ken's script below, I've started development of a tool which I called NetCalc:

https://github.com/israel-lugo/netcalc (source code)
https://pypi.python.org/pypi/netcalc (Python package)

Currently, NetCalc allows one to add (aggregate) multiple networks, subtract a

Syn flood to TCP port 21 from priveleged port (80)

2016-11-01 Thread Oleg A . Arkhangelsky

RE: DNS Services for a registrar

2016-11-01 Thread Ryan Finnesey
Thanks everyone for their response. We are going to use the Azure Zone Service.

Cheers
Ryan

From: Matthieu Michaud [mailto:matth...@nxdomain.fr]
Sent: Friday, August 12, 2016 1:34 PM
To: Ryan Finnesey
Cc: nanog@nanog.org
Subject: Re: DNS Services for a registrar

Hi, I

Re: DNS Services for a registrar

2016-11-01 Thread Mark Andrews
Route 53 have IPv6 now handled out of the .co.uk zones though they still don't do EDNS. Azure also mishandles EDNS. Route 53 returns plain DNS responses when presented with an EDNS(1) query. This breaks validating EDNS(1) clients getting answers from a signed zone. Azure echoes back unknown

Re: Syn flood to TCP port 21 from priveleged port (80)

2016-11-01 Thread Selphie Keller
Yeah it is an odd ball attack for sure, here is a 5000 packet sample of what I was seeing in connection to this attack https://mystagic.io/80to21.pcap , don't think it's the entire /0 for ftp port as I am not seeing it on many other subnets, which is why I am thinking someone did a pre-scan before

Re: Syn flood to TCP port 21 from priveleged port (80)

2016-11-01 Thread Ken Chase
what's the density of open port 21s on the planet though? trying to estimate the traffic resulting against the two target /21s. Your dump only has 2 ip's in it though, on your /19 so not representative. My dump is 500 synacks returned in 14 seconds to 32 ips in a /22. This would give 128M ftp