Hello,
can someone from Microsoft responsible for security contact me off-list
please?
Thanks regards
--
Henri Wahl
IT Department
Leibniz-Institut fuer Festkoerper- u.
Werkstoffforschung Dresden
tel: (03 51) 46 59 - 797
email: h.w...@ifw-dresden.de
http://www.ifw-dresden.de
Nagios status
Replied offlist
Mehmet
On Apr 1, 2014, at 23:11, Henri Wahl h.w...@ifw-dresden.de wrote:
Hello,
can someone from Microsoft responsible for security contact me off-list
please?
Thanks regards
--
Henri Wahl
IT Department
Leibniz-Institut fuer Festkoerper- u.
Werkstoffforschung
[catching up]
That's a good question, but I know that during the ongoing survey
within the Open Resolver Project [http://openresolverproject.org/],
Jared found thousands of CPE devices which responded as resolvers.
Not thousands, *tens of millions*.
Our estimate from mid-2013 was 32M such
On Apr 2, 2014, at 8:38 AM, Mark Allman mall...@icir.org wrote:
[catching up]
That's a good question, but I know that during the ongoing survey
within the Open Resolver Project [http://openresolverproject.org/],
Jared found thousands of CPE devices which responded as resolvers.
Not
Hi all,
It's common wisdom that a datagram that needs to be fragmented between
endpoints (because it is bigger than the path MTU) will demonstrate less
reliable delivery and reassembly than a datagram that doesn't need to be
fragmented, because math, firewall, other, take your pick.
Is
I can send you a copy of an invited presentation at AINTEC from 2009.
/bill
On Wed, Apr 02, 2014 at 02:14:22PM -0400, Joe Abley wrote:
Hi all,
It's common wisdom that a datagram that needs to be fragmented between
endpoints (because it is bigger than the path MTU) will demonstrate less
So I setup BGPMON for my prefixes and got an alert about someone in
Thailand announcing my prefix. Everything looks fine to me and I've
checked a bunch of different Looking Glasses and everything announcing
correctly.
I am assuming I should be contacting the provider about their
misconfiguration
I just received the same exact notification -- same AS announcing one of my
blocks.
On Wed, Apr 2, 2014 at 2:51 PM, Joseph Jenkins
j...@breathe-underwater.com wrote:
So I setup BGPMON for my prefixes and got an alert about someone in
Thailand announcing my prefix. Everything looks fine to me
I received a similar notification about one of our prefixes also a few
minutes ago. I couldn't find a looking glass for AS4761 or AS4651. But I
also couldn't hit the websites for either AS, either.
Frank
-Original Message-
From: Joseph Jenkins [mailto:j...@breathe-underwater.com]
I have received those for two prefixes so far.
Same origin+transit
Br,
Tolli
On 2.4.2014, at 18:57, Joseph Jenkins j...@breathe-underwater.com wrote:
So I setup BGPMON for my prefixes and got an alert about someone in
Thailand announcing my prefix. Everything looks fine to me and I've
I just got the same thing.
Possible Prefix Hijack (Code: 10)
Your prefix: 173.44.32.0/19:
Prefix Description: AS8100
Update time:
On 4/2/14, 11:51, Joseph Jenkins wrote:
So I setup BGPMON for my prefixes and got an alert about someone in
Thailand announcing my prefix. Everything looks fine to me and I've
checked a bunch of different Looking Glasses and everything announcing
correctly.
I am assuming I should be contacting
If you contact bgpmon support you may be able to get some more in-depth
information. I've contacted them before with alerts like those and they
were able to give me specific date, time, ASN and interface information
about the peering points that received the announcements; that might
help make
I just got the same alert for one of my prefixes one minute ago.
On 4/2/2014 2:59 PM, Frank Bulk wrote:
I received a similar notification about one of our prefixes also a few
minutes ago. I couldn't find a looking glass for AS4761 or AS4651. But I
also couldn't hit the websites for either AS,
Lol, and two minutes after I replied to you, I got the same alert about
the same AS with two of my prefixes.
-Original Message-
From: Joseph Jenkins [mailto:j...@breathe-underwater.com]
Sent: Wednesday, April 02, 2014 2:52 PM
To: nanog@nanog.org
Subject: BGPMON Alert Questions
So I
Same alert for me on two of my prefixes. Still looking into it.
On Wed, Apr 2, 2014 at 1:59 PM, Frank Bulk frnk...@iname.com wrote:
I received a similar notification about one of our prefixes also a few
minutes ago. I couldn't find a looking glass for AS4761 or AS4651. But I
also couldn't
On 02/04/14 11:51, Joseph Jenkins wrote:
So I setup BGPMON for my prefixes and got an alert about someone in
Thailand announcing my prefix. Everything looks fine to me and I've
checked a bunch of different Looking Glasses and everything announcing
correctly.
I am assuming I should be
Sadly, it doesn't look like this is the first for Indosat either:
January 14th, 2011
http://www.bgpmon.net/hijack-by-as4761-indosat-a-quick-report/
Sincerely,
Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300
F: 610-429-3222
-Original Message-
From: Þórhallur Hálfdánarson
I'm seeing the same hijack of prefixes by multiple networks under my
watch, at 18:40 UTC and 19:06 UTC.
-- Stephen
On 2014-04-02 2:51 PM, Joseph Jenkins wrote:
So I setup BGPMON for my prefixes and got an alert about someone in
Thailand announcing my prefix. Everything looks fine to me and
On 4/2/14, 8:51 PM, Joseph Jenkins wrote:
So I setup BGPMON for my prefixes and got an alert about someone in
Thailand announcing my prefix. Everything looks fine to me and I've
checked a bunch of different Looking Glasses and everything announcing
correctly.
I am assuming I should be
Anyone know if there is a connectivity issue between Cogent and ATT in the
northeast? We're seeing random timeouts to some systems we have in an ATT data
center but only from sources on Cogent's network.
Thanks...
- Eric :)
This seems to be occurring to many, I have two of my prefixes being
announced by the same AS's, and I have confirmation from several others who
are seeing this as well.
Chris
-Original Message-
From: Seth Mattinen [mailto:se...@rollernet.us]
Sent: Wednesday, April 02, 2014 12:03 PM
To:
bgpmon has tweeted that We're currently observing a large hijack event.
Indosat AS4761 originating many prefixes not assigned to them.
Let's hope that AS4651 can quickly apply filters.
Frank
-Original Message-
From: David Hubbard [mailto:dhubb...@dino.hostasaurus.com]
Sent: Wednesday,
... and same here.
Indosat looks now to have developed a solid experience in BGP prefix hijack
mess (last time was in 2011).
Olivier
On 4/2/14, 11:51, Joseph Jenkins wrote:
So I setup BGPMON for my prefixes and got an alert about someone in
Thailand announcing my prefix. Everything looks
I can confirm that indosat appears to be hijacking many prefixes.
HE 6939 is one of the networks picking it up and distributing it
further. Here's an example for a Syrian prefix:
http://portal.bgpmon.net/data/indosat-hijack.png
Snap, announcing a few of our /21s and a /23. Seems they did something similar
a few years ago: http://www.bgpmon.net/hijack-by-as4761-indosat-a-quick-report/
I can't make any contact with Indosat (website non responsive / email queuing).
This is what I have back from Aware Corp. AS18356 (first
yeah you're seeing the impact of a pretty broad prefix injection
indosat's upstream filters seem to be working for the most part.
On 4/2/14, 12:10 PM, Stephen Fulton wrote:
I'm seeing the same hijack of prefixes by multiple networks under my
watch, at 18:40 UTC and 19:06 UTC.
-- Stephen
Just got the same for 5 of my prefixes.
Possible Prefix Hijack (Code: 10)
Your prefix: 192.225.232.0/21:
Prefix Description: ARIN direct allocation
Another 5 of ours just got hit.
Anyone have any ideas on what will be done about it?
On Wed, Apr 2, 2014 at 1:18 PM, Frank Bulk frnk...@iname.com wrote:
bgpmon has tweeted that We're currently observing a large hijack event.
Indosat AS4761 originating many prefixes not assigned to them.
On Wed, Apr 2, 2014 at 3:41 PM, joel jaeggli joe...@bogus.com wrote:
yeah you're seeing the impact of a pretty broad prefix injection
indosat's upstream filters seem to be working for the most part.
Based on the image they tweeted, I don't think they are doing much
filtering; the Syrian
Yes, I too have alerts for some of our prefixes from the same offending
origin 4761
On Wednesday April 2nd 2014 at 19:59 UTC we detected a Origin AS Change
event for your prefix (66.201.48.0/20 slash 20 bottom of nor cal)
The detected prefix: 66.201.48.0/20, was announced by AS4761
I have someone from cat.net.th on the phone and he doesn't speak a lot of
English and I don't speak any Thai. He knew what indosat was and their AS
number. He further stated he got my email (never told him who I was), but he
said he would be replying ASAP. We only had one /24 announced
I called into +66 2104-2374
James Laszko
Mythos Technology Inc
Sent from my iPad
On Apr 2, 2014, at 1:08 PM, Bryan Tong cont...@nullivex.com wrote:
Another 5 of ours just got hit.
Anyone have any ideas on what will be done about it?
On Wed, Apr 2, 2014 at 1:18 PM, Frank Bulk
Seeing the same here for a /21. This seems to have happened before with
AS4761? See http://www.bgpmon.net/hijack-by-as4761-indosat-a-quick-report/ from
January 2011.
On Wed, Apr 2, 2014 at 8:51 PM, Joseph Jenkins
j...@breathe-underwater.com wrote:
So I setup BGPMON for my prefixes and got an
This isn't a direct answer to the question, but I find this paper pretty useful
(even though it is dated now):
Beyond Folklore: Observations on Fragmented Traffic
by Colleen Shannon, David Moore, and k claffy
IEEE/ACM Transactions on Networking, December 2002
Hi All,
I am a network admin for Aware Corporation AS18356 (Thailand), as
mentioned in the alert.
We operate a BGPMon PeerMon node on our network, which peers with the
BGPMon service as a collector.
It is likely that AS4761 (INDOSAT) has somehow managed to hijack these
prefixes and CAT
route-views4 /64.25.208.71 has seen updates that contains large amount of
prefixes at time 1396464452 (04 / 02 / 14 @ 6:47:32pm UTC) with path
[20225, 6939, 4761]
full prefixes list: http://pastebin.com/Eu4ePgp4
is it normal for single update to contain such large amount NLRI info?
On Wed, Apr
They have advertised all of ours now.
On Wed, Apr 2, 2014 at 2:16 PM, Bob Evans b...@fiberinternetcenter.com wrote:
Yes, I too have alerts for some of our prefixes from the same offending
origin 4761
On Wednesday April 2nd 2014 at 19:59 UTC we detected a Origin AS Change
event for your
Saw this as well on my blocks.
Is this malicious or did someone redistribute all of bgp with bad upstream
filtering?
On Wed, Apr 2, 2014 at 3:16 PM, James Laszko jam...@mythostech.com wrote:
I have someone from cat.net.th on the phone and he doesn't speak a lot of
English and I don't speak
In message c7e435c6-344f-49cd-9152-7a9ef2fa6...@puck.nether.net, Jared Mauch
writes:
On Apr 2, 2014, at 8:38 AM, Mark Allman mall...@icir.org wrote:
[catching up]
That's a good question, but I know that during the ongoing survey
within the Open Resolver Project
where did you get that number ?
aut-num:AS4761
as-name:INDOSAT-INP-AP
descr: INDOSAT Internet Network Provider
descr: Internet Network Access Point in INDONESIA
country:ID
admin-c:IH151-AP
tech-c: DA205-AP
mnt-by:
Three of ours just got jacked. I have tried to contact via email for update /
fix of their end.
-Mike
-Original Message-
From: Felix Aronsson [mailto:fe...@mrfriday.com]
Sent: Wednesday, April 02, 2014 3:22 PM
To: Joseph Jenkins
Cc: nanog@nanog.org
Subject: Re: BGPMON Alert Questions
Same here:
Possible Prefix Hijack (Code: 10)
Your prefix: 132.206.0.0/16:
Prefix Description: MCGILL-NET-132-206
Update time: 2014-04-02
I emailed hostmas...@indosat.com a little over an hour ago, and no response
as yet. Anyone having luck making contact with Indosat themselves?
On Wed, Apr 2, 2014 at 2:33 PM, Andrew (Andy) Ashley
andre...@aware.co.th wrote:
Hi All,
I am a network admin for Aware Corporation AS18356
Contacted ip@indosat.com about this, I urge others to do the same.
--Aris
On Wed, Apr 2, 2014 at 9:33 PM, Andrew (Andy) Ashley
andre...@aware.co.th wrote:
Hi All,
I am a network admin for Aware Corporation AS18356 (Thailand), as
mentioned in the alert.
We operate a BGPMon PeerMon node
We are getting multiple alerts for a mix of our and customers prefixes.
Could someone from HE tell if they started filtering yet ?
Erik Bais
Verstuurd vanaf mijn iPad
Op 2 apr. 2014 om 21:21 heeft Felix Aronsson fe...@mrfriday.com het volgende
geschreven:
Seeing the same here for a /21.
On 4/2/14, 13:31, Bob Evans wrote:
where did you get that number ?
I think that was a number for CAT, AS4651.
~Seth
On Wed, Apr 2, 2014 at 1:24 PM, Blake Dunlap iki...@gmail.com wrote:
Is this malicious or did someone redistribute all of bgp with bad upstream
filtering?
They perfectly re-advertized all mine. Looks like a huge mistake. And still
ongoing.
Although this was nice to see:
I got a bounce from Indosat saying:
Dear Senders,
Thank you for your email, started March,1st 2012 email address for
correspondence with Indosat IP Support All Support INP will be change and
not active with detail information as follows :
1. Correspondence and complain handling for Indosat
They are advertising one of /22 right now as well,
Bret
On 04/02/2014 04:21 PM, Bryan Tong wrote:
They have advertised all of ours now.
On Wed, Apr 2, 2014 at 2:16 PM, Bob Evans b...@fiberinternetcenter.com wrote:
Yes, I too have alerts for some of our prefixes from the same offending
Same here :
Your prefix: 178.212.137.0/24:
Prefix Description: Engine Networks EU
Update time: 2014-04-02 20:54 (UTC)
Detected by #peers: 1
Detected prefix: 178.212.137.0/24
Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
Provider,ID)
Upstream AS:
So,
Just tried e-mailing to that address.
*Delivery has failed to these recipients or groups:*
indriana.triyunianingt...@indosat.com
mailto:indriana.triyunianingt...@indosat.com
The recipient's mailbox is full and can't accept messages now. Please
try resending this message later, or contact
Tried the recipients mailbox is full, but it looks like all of the bgpmon
alerts have cleared.
On Wed, Apr 2, 2014 at 1:40 PM, Aris Lambrianidis effulge...@gmail.com wrote:
Contacted ip@indosat.com about this, I urge others to do the same.
--Aris
On Wed, Apr 2, 2014 at 9:33 PM, Andrew
Thanks, also emailed support@ noc@. Didn't receive any bounce emails..
e...@zerofail.com
AS40191
On Apr 2, 2014 5:06 PM, Aris Lambrianidis effulge...@gmail.com wrote:
Contacted ip@indosat.com about this, I urge others to do the same.
--Aris
On Wed, Apr 2, 2014 at 9:33 PM, Andrew (Andy)
Got this response from HE
We are not in the as-path of the routes listed below. It seems we accepted
some of them from a route server. I'm not seeing them in the table at this
time.
--
Rob Mosher
Senior Network and Software Engineer
Hurricane Electric / AS6939
On Wed, Apr 2, 2014 at 2:51 PM,
They're just leaking every route right?
Is it possible to poison the AS paths you announce with their own AS to get
them to let go of your prefixes until it's fixed?
Would that work, or some other trick that can be done without their cooperation?
Thanks,
Laszlo
Same here. AS path is 18356 38794 4651 4761.
Did anybody have any contact with AS 4761?
Regards,
Peter
Op 2 apr. 2014 om 22:57 heeft Curtis Doty cur...@greenkey.net het volgende
geschreven:
On Wed, Apr 2, 2014 at 1:24 PM, Blake Dunlap iki...@gmail.com wrote:
Is this malicious or did
Already too late :(
*Delivery has failed to these recipients or groups:*
indriana.triyunianingt...@indosat.com
mailto:indriana.triyunianingt...@indosat.com
The recipient's mailbox is full and can't accept messages now. Please
try resending this message later, or contact the recipient
My connectivity between Fios and Cogent in Washington DC has been mostly
down for the past hour.
Andrew
Andrew Fried
andrew.fr...@gmail.com
On 4/2/14, 3:03 PM, Eric wrote:
Anyone know if there is a connectivity issue between Cogent and ATT in the
northeast? We're seeing random timeouts to
On Wed, 2 Apr 2014, Laszlo Hanyecz wrote:
They're just leaking every route right?
Is it possible to poison the AS paths you announce with their own AS to get
them to let go of your prefixes until it's fixed?
Would that work, or some other trick that can be done without their cooperation?
On Thu, 3 Apr 2014, Adrian Minta wrote:
Already too late :(
*Delivery has failed to these recipients or groups:*
indriana.triyunianingt...@indosat.com
mailto:indriana.triyunianingt...@indosat.com
The recipient's mailbox is full and can't accept messages now. Please try
resending this
On 4/2/14, 11:59 AM, Justin M. Streiner wrote:
Two things need to happen:
1. Indosat needs to clean their mess up.
2. Indosat's upstreams need to apply some BGP clue to Indosat's
announcements.
It's pretty clear that both parties have dropped the ball in a big way,
in terms of sane BGP
Quick update from BGPmon:
We've detected 415,652 prefixes being hijacked by Indosat today. 8,233
of those were seen by more than 10 of our BGP collectors.
When receiving a BGPmon alert, one of the metrics to look at that will
help with determining the scope and impact is the 'Detected by #peers'
note joels careful use of 'injected'. imiho, 'hijacked' is pejorative
implying evil intent. i very much doubt that is the case here. it
looks much more like an accident. could we try to be less accusatory
with our language. 'injected', 'mis-originated', ... would seem to
describe the
On Wed, 02 Apr 2014 16:16:23 -0700, Andree Toonk said:
Quick update from BGPmon:
We've detected 415,652 prefixes being hijacked by Indosat today.
Those who do not understand AS7007 are doomed to repeat it?
Agreed - focus on the fix. Then take a deep breath and figure out what happened.
BTW - Indosat is down hard. Cannot call into their network (cell phone). I've
got my team reaching in to their buddies to help.
On Apr 3, 2014, at 7:22 AM, Randy Bush ra...@psg.com wrote:
note joels careful use
Hi Team,
Confirmation from my team talking directly to Indosat - self inflicted with a
bad update during a maintenance window. Nothing malicious or intentional.
Barry
We've detected 415,652 prefixes being hijacked by Indosat today.
Those who do not understand AS7007 are doomed to repeat it?
i very much doubt this is a 7007, where bgp was redistributed into rip,
which sliced it into a jillion /24s, and then redistributed from rip
back into bgp.
of course
So we're somewhat safe until the fast food burger grills and fries
cookers advance to level-3 routing? Or Daiquiri blenders get their own
ASNs?
Bad enough that professional folks can goof to this extent, but
scarier still that the Internet of Everything seems to progress
without bounds...
Jeff