On Tue, Apr 28, 2020 at 11:40:16PM -0700, Matt Corallo wrote:
> Sadly dumb kids are plentiful. If you have to nag an abuse desk every
> time they sell a server to a kid who’s experimenting with nmap for the
> first time then we’ll end up exactly where we are - abuse contacts
> are not a
Hi Matt
On Tue, Apr 28, 2020 at 11:02:04PM -0700, Matt Corallo wrote:
> DDoS, hijacker, botnet C, compromised hosts,
> sufficiently-hard-to-deal-with phishing, etc are all things that carry
> real risk to services that are otherwise well-maintained (primarily in
> that many of the latter lead to
Sadly dumb kids are plentiful. If you have to nag an abuse desk every time they
sell a server to a kid who’s experimenting with nmap for the first time
then we’ll end up exactly where we are - abuse contacts are not a reliable
way to get in touch with anyone, and definitely not a reliable
On 4/29/20 2:35 AM, Masataka Ohta wrote:
If you mean getting rid of logging, not necessarily. It is enough if
CPEs are statically allocated ranges of external port numbers.
Yes, you can get rid of the logging by statically allocating ranges of
port numbers to a particular customer.
What I
DDoS, hijacker, botnet C, compromised hosts, sufficiently-hard-to-deal-with
phishing, etc are all things that carry real risk to services that are
otherwise well-maintained (primarily in that many of the latter lead to the
former). Nothing wrong with using or monitoring fail2ban, but if you’re
Brandon Martin wrote:
You can't get rid of all the state tracking without also having the CPE
know which ports to use
If you mean getting rid of logging, not necessarily. It is enough if
CPEs are statically allocated ranges of external port numbers.
A standard would be nice. In some of the auto-responders, I get requirements
that conflict or are unreasonable.
* We don't accept abuse complaints via e-mail, please submit via this site:
Yeah, okay. That's not scaleable.
* Network A wants time in GMT, while network B wants time in
On 4/28/20 11:01 PM, Brandon Martin wrote:
> Depending on how many IPs you need to reclaim and what your target
> IP:subscriber ratio is, you may be able to eliminate the need for a lot
> of logging by assigning a range of TCP/UDP ports to a single inside IP
> so that the TCP/UDP port number
How big is your ip pool for CGNAT?
On Wed, Apr 29, 2020 at 10:17 AM Robert Blayzor
wrote:
> On 4/28/20 11:01 PM, Brandon Martin wrote:
> > Depending on how many IPs you need to reclaim and what your target
> > IP:subscriber ratio is, you may be able to eliminate the need for a lot
> > of
On Wed, Apr 29, 2020 at 03:41:06PM +, Mel Beckman wrote:
> Joe,
>
> Is there any reason to have a root-enabled (or any) ssh server
> exposed to the bare Internet? Any at all? Can you name one?
> I can???t. That???s basically pilot error.
Mel,
I think you're looking at it the wrong way.
On Wed, Apr 29, 2020 at 7:19 AM Ca By wrote:
> Since we are talking numbers ans hard facts
>
> 42% of usa accesses google on ipv6
>
> https://www.google.com/intl/en/ipv6/statistics.html
Be careful with those stats; they might not be telling you what you
think they are. For example, phone clients
In fact, SRonan, the real risk of such a standard is that people would use it
to send an increasingly massive flood of pointless abuse reports, which would
require deployment of an equally massive AI-based data analytics to cull the
flood, which would then be Skynet :)
-mel beckman
> On Apr
IMO, the answer is balance.
- Handful of SSH connection attempts against a server. Nobody got in,
security hardening did it's job. I don't think that is worth reporting.
- Constant brute force SSH attempts from a given source over an extended
period of time, or a clear pattern of probing, yes,
Perhaps some organization of Network Operators should come up with an objective
standard of what constitutes “abuse” and a standard format for reporting it.
If only there was such an organization.
Sent from my iPhone
> On Apr 29, 2020, at 11:14 AM, Chris Adams wrote:
>
> Once upon a time,
On Wed, Apr 29, 2020 at 10:12:29AM -0500, Chris Adams wrote:
> Once upon a time, Mukund Sivaraman said:
> > If an abuse report is incorrect, then it is fair to complain.
>
> The thing is: are 3 failed SSH logins from an IP legitimately "abuse"?
>
> I've typoed IP/FQDN before and gotten an SSH
On 4/29/20 8:41 AM, Mel Beckman wrote:
Is there any reason to have a root-enabled (or any) ssh server
exposed to the bare Internet? Any at all? Can you name one? I can’t.
That’s basically pilot error.
Remember HeartBleed? That didn't require a rout-enabled SSH server. It
didn't require SSH
On Wed, Apr 29, 2020 at 03:41:06PM +, Mel Beckman wrote:
> Joe,
>
> Is there any reason to have a root-enabled (or any) ssh server exposed
> to the bare Internet? Any at all? Can you name one? I can’t. That’s
> basically pilot error.
The last time (a couple of weeks ago) when I installed a
Thank you everyone for the suggestions.
To clarify small ISP.
12K subscribers
35 Gigs traffic at peak.
Growing about 500 megs per month traffic.
John
On Tue, Apr 28, 2020 at 3:12 PM John Alcock wrote:
> Afternoon,
>
> I run a small ISP in Tennessee. COVID has forced a lot of people to work
On Wed, 29 Apr 2020, Robert Blayzor wrote:
So as a happy medium of about 2048 ports per subscriber, that's roughly
a 32:1 NAT/IP over-subscription ?
Yes, around that.
--
Mikael Abrahamssonemail: swm...@swm.pp.se
Joe,
Is there any reason to have a root-enabled (or any) ssh server exposed to the
bare Internet? Any at all? Can you name one? I can’t. That’s basically pilot
error.
-mel
> On Apr 29, 2020, at 8:37 AM, Joe Greco wrote:
>
> On Wed, Apr 29, 2020 at 10:12:29AM -0500, Chris Adams wrote:
>>
In testing, I observed opening a website, for instance cnn.com can cause >200
ports/sessions to fire off. Although, many are short-lived sessions, but,
ports requests nonetheless.
Overall, I use about 1,500 public ip's for 50,000 private ip customers
I allow 3,000 ports per customer ... 30
On 4/29/20 9:24 AM, Mukund Sivaraman wrote:
If there's a lock on my door, and someone tries to pick it, you can call
me at fault for having a lock on my door facing outside all you
want. But the thief picking it has no business doing so, and will be
guilty of a crime if caught.
This is a good
On Wed, 29 Apr 2020, Robert Blayzor wrote:
One would think a 1000 ports would be enough, but if you have a dozen
devices at home all browsing and doing various things, and with IOT,
etc, maybe not?
https://www.juniper.net/documentation/en_US/junos/topics/concept/nat-best-practices.html
Once upon a time, Mukund Sivaraman said:
> If an abuse report is incorrect, then it is fair to complain.
The thing is: are 3 failed SSH logins from an IP legitimately "abuse"?
I've typoed IP/FQDN before and gotten an SSH response, and taken several
tries before I realized my error. Did I
SRonan,
If only such a standard were feasible :)
-mel beckman
> On Apr 29, 2020, at 8:25 AM, "sro...@ronan-online.com"
> wrote:
>
> Perhaps some organization of Network Operators should come up with an
> objective standard of what constitutes “abuse” and a standard format for
> reporting
On Wed, Apr 29, 2020 at 1:06 AM Masataka Ohta <
mo...@necom830.hpcl.titech.ac.jp> wrote:
> Brandon Martin wrote:
>
> >> If you mean getting rid of logging, not necessarily. It is enough if
> >> CPEs are statically allocated ranges of external port numbers.
> >
> > Yes, you can get rid of the
I haven't used them, but 6-WIND is pretty proud of their CGNAT performance.
-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
Midwest-IX
http://www.midwest-ix.com
- Original Message -
From: "John Alcock"
To: nanog@nanog.org
Sent: Tuesday, April 28,
The standards are perfectly feasible.
That doesn't mean people will follow them, however it's much better to say
"I ignored your notification because it didn't follow the objective
standard" then it is to just say "I ignored your notification because I
felt like it"
On Wed, Apr 29, 2020, 11:37
On Wed, Apr 29, 2020 at 10:12:29AM -0500, Chris Adams wrote:
> Once upon a time, Mukund Sivaraman said:
> > If an abuse report is incorrect, then it is fair to complain.
>
> The thing is: are 3 failed SSH logins from an IP legitimately "abuse"?
It is configurable. Anyway, I don't know how else
That's not always feasible.
My routers have ACLs, but my servers for the most part do not.
It's kind of counter productive to put ACLs on SMTP, POP3, IMAP, and HTTP\S
ports, now isn't it? SIP, FTP, and SSH may or may not make sense, depending on
the type and volume of users.
Since
I think we all agree with this. The requl question is...how do we build such a
thing? The abuse process we have clearly
doesn't work. Maybe its the fault of the Big Providers (AWS/GCP/OVH/etc) who
don't invest enough to have a robust
abuse-processing system to actually deal with reports, maybe
What if I am at home, and while working on a project, fire off a wide
ranging nmap against say a /19 work network to validate something
externally? Should my ISP detect that and make a decision that I shouldn't
be doing that, even though it is completely legitimate and authorized
activity? What if
I obviously agree it *can* be an indication of a bigger issue, but it isn't
always. Lets take an example from one of my
(isolated netblocks):
~$ whois 208.68.4.129
Comment:---
Comment:208.68.4.128/28 and 208.68.7.128/28 provide privacy services
Comment:(incl
On Wed, Apr 29, 2020 at 09:50:42AM -0700, Stephen Satchell wrote:
> On 4/29/20 9:24 AM, Mukund Sivaraman wrote:
> > If there's a lock on my door, and someone tries to pick it, you can call
> > me at fault for having a lock on my door facing outside all you
> > want. But the thief picking it has no
That you have some ACLs that whack low-hanging fruit doesn't negate the fact
that you can't block the untrusted Internet accessing an intentionally publicly
accessible port.
It's all just a distraction from the fact that *SOME* services *MUST* remain
available to the general public and those
On 4/29/20 9:57 AM, Mike Hammett wrote:
My routers have ACLs, but my servers for the most part do not.
I'm not trying to argue, but...what servers do you have that don't have
sysadmin-definable firewalls and tun-able knobs? My edge routers are
Linux boxes (CentOS 8 for the one I'm now
hey,
I'm wondering if there are any real world examples of this, namely in
the realm of subscriber to IP and range of ports required, etc. ie: Is
is a range of 1000 ports enough for one residential subscriber? How
about SMB where no global IP is required.
One would think a 1000 ports would be
On 4/29/20 10:29 AM, Mikael Abrahamsson wrote:
> There are some numbers in there for instance talking about 1024 ports
> per subscriber as a good number. In presentations I have seen over time,
> people typically talk about 512-4096 as being a good number for the bulk
> port allocation size.
So
On Wed, 2020-04-29 at 09:50 -0700, Stephen Satchell wrote:
>
> As I build up my new
> firewall, I'll turn off public SSH access completely, and instead use
> a
> robust VPN implementation. (Which has its own issues.)
How does that solve the problem at hand in any way?
The abuse/probing just
On Wed, Apr 29, 2020 at 01:49:14PM -0400, Tom Beecher wrote:
> What if I am at home, and while working on a project, fire off a wide
> ranging nmap against say a /19 work network to validate something
> externally? Should my ISP detect that and make a decision that I shouldn't
> be doing that,
It is rather easy to block SSH cracking attempts from your own side. Rarely
do they put any significant load on your network or computer.
I would sympathize with this except for the fact that abuse desks won't
even respond to DDoS attacks, something that can't be fixed on your own end
without
Sabri,
A clever idea to be sure, but it seems open to abuse. What stops someone from
forging a tcp syn from every /24 on the Internet, causing you to blackhole your
access to everywhere?
-mel
> On Apr 29, 2020, at 2:24 PM, Sabri Berisha wrote:
>
> - On Apr 29, 2020, at 9:08 AM,
I do, in this case, have such a right, because I know exactly what is going on
in my network, and any non-automated
system (ie, a human who reads the one sentence in the whois comments) does as
well.
Of course, I'm not going to get up in arms about it because this isn't about me
(I just put
On Wed, Apr 29, 2020 at 3:36 PM Matt Corallo wrote:
> I do, in this case, have such a right, because I know exactly what is going
> on in my network,
Hi Matt,
If someone in your address space is knock-knocking on a stranger's ssh
ports (your example, not mine), you have some work to do
On April 29, 2020 at 07:35 na...@ics-il.net (Mike Hammett) wrote:
> "What is it, exactly, that you expect a provider to do with your report of a
> few failed SSH login attempts to stop the activity?... disconnect the
> customer."
>
> Yes.
What I've done in the past is tell the customer we
Ah, I'd pasted the following in a response to the mail you responded to:
~$ whois 208.68.4.129
Comment:---
Comment:208.68.4.128/28 and 208.68.7.128/28 provide privacy services
Comment:(incl running tor exit node(s)!)
Comment:Abuse reports will be
The machines that are ssh probing are probably doing other stuff. Take the win
that you have been informed about a compromised machine and get it cleaned /
quarantined.
--
Mark Andrews
> On 30 Apr 2020, at 06:20, Bottiger wrote:
>
>
> It is rather easy to block SSH cracking attempts
And it is still on going. Just got 4 of these.
Mark
> On 22 Apr 2020, at 08:34, Bryan Fields wrote:
>
> On 4/21/20 6:28 PM, Bryan Fields wrote:
>> On 4/21/20 5:11 PM, William Herrin wrote:
>>> Howdy,,
>>>
>>> How do we contact the nanog mail admins? I looked at
>>>
On 2020-04-28 18:57, Mike Hammett wrote:
I noticed over the weekend that a Fail2Ban instance's complain
function wasn't working. I fixed it. I've noticed a few things:
1) Abusix likes to return RIR abuse contact information. The vast
majority are LACNIC, but it also has kicked back a couple for
> On 4/28/20 11:57 AM, Mike Hammett wrote:
> > I noticed over the weekend that a Fail2Ban instance's complain function
> > wasn't working. I fixed it.
On the one hand, if you have programmed your computer to originate
email to lots of people without any review to consider the email's
accuracy or
- On Apr 29, 2020, at 3:15 PM, mel m...@beckman.org wrote:
Hi Mel,
> A clever idea to be sure, but it seems open to abuse. What stops someone from
> forging a tcp syn from every /24 on the Internet, causing you to blackhole
> your
> access to everywhere?
Fair point, and I lied a bit. My
- On Apr 29, 2020, at 9:08 AM, Stephen Satchell l...@satchell.net wrote:
Hi,
> That said, I use TCPWRAPPER to limit access to SSH to specific IP
> addresses. I process my LogWatch messages manually. I pull the fire
> alarm for showshoe probes, and excessive number of probes (over 30 in a
>
I don't think anyone in this thread meant to suggest that there is no reason to
be concerned about such scans, as you
point out they are occasionally compromised hosts and the like. The real
question here is what is the cost of sending
all that mail?
The abuse system as it exists today is
On Tue, 28 Apr 2020, Matt Corallo wrote:
Sadly dumb kids are plentiful. If you have to nag an abuse desk every
time they sell a server to a kid who’s experimenting with nmap for the
first time then we’ll end up exactly where we are - abuse contacts
are not a reliable way to get in touch
Brandon Martin wrote:
If you mean getting rid of logging, not necessarily. It is enough if
CPEs are statically allocated ranges of external port numbers.
Yes, you can get rid of the logging by statically allocating ranges of
port numbers to a particular customer.
And, that was the original
Ca By wrote:
You can't eliminate that unless the CPE also knows what internal port
range it's mapped to so that it restricts what range it uses. If you
can do that, you can get rid of the programmatic state tracking entirely
and just use static translations for TCP and UDP which, while
On Wed, 29 Apr 2020 11:25:19 -0400, sro...@ronan-online.com said:
> Perhaps some organization of Network Operators should come up with an
> objective standard of what constitutes âabuseâ and a standard format for
> reporting it.
> If only there was such an organization.
A different
On Wed, Apr 29, 2020 at 7:17 PM Brandon Martin
wrote:
> On 4/29/20 10:12 PM, William Herrin wrote:
> >> What allows them to work with v6 in such an efficient manner?
> > A piece of client software is installed on every phone that presents
> > an IPv4 address to the phone and then translates
Good thing I care, but that's missing the point here - the volume of abuse
requests makes the entire abuse system
unworkable. Not for me so much, I can deal with the volume (a few obnoxious
individuals aside), but AWS/OVH/Hertzner
appear to have decided they cannot, and that means I can't
On Wed, Apr 29, 2020 at 8:00 PM Kaiser, Erich wrote:
>
> So it has been 3 weeks of major ICMP packet loss to any google service over
> the Dallas Equinix IX, it is not affecting performance of service but is
> affecting us with customer complaints and service calls due to some software
> using
On Wed, Apr 29, 2020 at 7:46 PM Masataka Ohta <
mo...@necom830.hpcl.titech.ac.jp> wrote:
> Ca By wrote:
>
> >>>You can't eliminate that unless the CPE also knows what internal
> port
> >>> range it's mapped to so that it restricts what range it uses. If you
> >>> can do that, you can get rid
Jeff,
FTPS
The prosecution rests :)
-mel
On Apr 29, 2020, at 5:25 PM, Jeffrey Ollie wrote:
On Wed, Apr 29, 2020 at 10:43 AM Mel Beckman
mailto:m...@beckman.org>> wrote:
Is there any reason to have a root-enabled (or any) ssh server exposed to the
bare Internet? Any at all? Can you name
On 4/29/20 10:12 PM, William Herrin wrote:
What allows them to work with v6 in such an efficient manner?
A piece of client software is installed on every phone that presents
an IPv4 address to the phone and then translates packets to IPv6 for
relay over the network. This works because T-Mobile
So it has been 3 weeks of major ICMP packet loss to any google service over
the Dallas Equinix IX, it is not affecting performance of service but is
affecting us with customer complaints and service calls due to some
software using it for monitoring purposes people using it for benchmark
testing.
On Wed, Apr 29, 2020 at 4:19 PM Matt Corallo wrote:
> Now you can decide to pass judgement on the idea that someone may want to run
> a Tor exit node
Wait... You run a TOR exit node and you find it unreasonable that
folks would send you automated abuse complaints? In my dictionary
under
On Wed, Apr 29, 2020 at 5:27 PM Thomas Scott wrote:
> > cell-phone environment. A classic small ISP fills a different niche.
>
> I've dealt with traditional cable and fiber SP environments, but I'm curious
> how the architecture differs so drastically with T-Mobile to allow v6 to work
> so
Well, I think our disagreement is on what we constitute 'legitimate abuse'
to be.
On Wed, Apr 29, 2020 at 1:51 PM Mukund Sivaraman wrote:
> On Wed, Apr 29, 2020 at 01:49:14PM -0400, Tom Beecher wrote:
> > What if I am at home, and while working on a project, fire off a wide
> > ranging nmap
On 2020-04-29 17:51, Mukund Sivaraman wrote:
On Wed, Apr 29, 2020 at 01:49:14PM -0400, Tom Beecher wrote:
What if I am at home, and while working on a project, fire off a wide
ranging nmap against say a /19 work network to validate something
externally? Should my ISP detect that and make a
Rich,
It’s interesting that you mention “the lesson of the 75-cent accounting error”
from Cliff Stoll’s The Cuckoos Egg. Because the lesson from that account is
precisely that exerting a massive human-labor-intensive effort to trace every
tiny abuse signal is not worth the heavy cost — in this
Enforcing rate limiting comes to mind. And if there is a blatant problem then
very strict rate limiting to make even surfing yahoo news a pain is a good idea.
Not to mention conn tracking and limiting to allow a customer to fix their
problem is much better than a plain cut-off.
The Oh my
On Wed, Apr 29, 2020 at 12:24:01PM +0530, Mukund Sivaraman wrote:
> On Tue, Apr 28, 2020 at 11:40:16PM -0700, Matt Corallo wrote:
> > Sadly dumb kids are plentiful. If you have to nag an abuse desk every
> > time they sell a server to a kid who’s experimenting with nmap for the
> > first time
On Tue, Apr 28, 2020 at 12:40:12PM -0400, Matt Corallo via NANOG wrote:
> Please don't use this kind of crap to send automated "we received 3 login
> attempts on our SSH box..wa" emails.
> This is why folks don't have abuse contacts that are responsive to real
> issues anymore.
[ "you"
"What is it, exactly, that you expect a provider to do with your report of a
few failed SSH login attempts to stop the activity?... disconnect the
customer."
Yes.
Comcast does it. My wife's aunt and uncle had a compromised box on their
network. They don't check their e-mail, so they
==> Our press release in German:
https://drive.google.com/open?id=1WSAmAQRBsdllyMMq7_FIeuE_-630ETL2
Translated with www.DeepL.com
Init7 wins peering case against Swisscom
Federal Administrative Court overturns ComCom decision
On 22 April 2020, the Federal Administrative Court (BVGER)
74 matches
Mail list logo
