Re: Providing transit to unallocated networks

2016-09-27 Thread joel jaeggli
On 9/27/16 5:46 PM, Alistair Mackenzie wrote: > Thanks for this, it shows as > > apnic|ZZ|ipv4|103.***.***.0|1024|20160927|reserved||e-stats > > I expect this still stands with it being reserved? I'm not sure why you would bother obscuring it. What purpose does that serv

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-27 Thread Roland Dobbins
On 28 Sep 2016, at 0:18, Brielle Bruns wrote: > I call shenanigans on providers not seeing their unruly users. I was talking about the users, not the ISPs. --- Roland Dobbins

Re: Providing transit to unallocated networks

2016-09-27 Thread Alistair Mackenzie
Thanks for this, it shows as apnic|ZZ|ipv4|103.***.***.0|1024|20160927|reserved||e-stats I expect this still stands with it being reserved? William, it's 100% an apnic range and shows no org and is registered to the APNIC Hostmaster. This applies for both the ASN and the address space. On 28

Re: Providing transit to unallocated networks

2016-09-27 Thread Tom Beecher
I've seen this with increasing frequency in the last 8-12 months, more with ASNs that were either expired/unallocated. Spammers seem to be snatching them up and hijacking IPs via bilateral peering to make it harder to notice. I've found it very difficult in some cases to get traction from IXes or

Re: Providing transit to unallocated networks

2016-09-27 Thread William Herrin
On Tue, Sep 27, 2016 at 8:18 PM, Alistair Mackenzie wrote: > I've come across a network which seems to be getting transit yet both the > ASN and IP space are not allocated by the RIR. Hi Alistair, There is still unicast address space that isn't allocated by any RIR?

Re: Providing transit to unallocated networks

2016-09-27 Thread William Herrin
On Tue, Sep 27, 2016 at 8:18 PM, Alistair Mackenzie wrote: > Hi, > > I've come across a network which seems to be getting transit yet both the > ASN and IP space are not allocated by the RIR. It does appear at some point > that it was valid however this is no longer the case. >

Providing transit to unallocated networks

2016-09-27 Thread Alistair Mackenzie
Hi, I've come across a network which seems to be getting transit yet both the ASN and IP space are not allocated by the RIR. It does appear at some point that it was valid however this is no longer the case. The network is single homed and I tried asking the transit provider what their policy was

Re: nested prefixes in Internet

2016-09-27 Thread Michael Hallgren
Hi Martin, What do you want to do? Move from A to B or add A to B? Cheers, mh On 27 Sept 2016 17:52, at 17:52, Mel Beckman wrote: >Precisely. This is how it's done by providers I've worked with. > > -mel beckman > >> On Sep 27, 2016, at 7:06 AM, Roy

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-27 Thread Mark Andrews
In message , Jared Mauch writes: > > > On Sep 27, 2016, at 12:43 AM, Mark Andrews wrote: > > > > Why not? You call a washing machine mechanic when the washing > > machine plays up. This is not conceptually different. > >

RE: BCP38 adoption "incentives"?

2016-09-27 Thread Peter Beckman
On Tue, 27 Sep 2016, White, Andrew wrote: This assumes the ISP manages the customer's CPE or home router, which is often not the case. Adding such ACLs to the upstream device, operated by the ISP, is not always easy or feasible. Which is why the manufacturer should deploy a default config

Re: BCP38 adoption "incentives"?

2016-09-27 Thread Mike Hammett
They don't need to manage the router. The raw DSL modem, cable modem, etc. can watch the packets and see what's assigned. This would need new hardware, but it's not like this is happening quickly any other way. Yes, there are some consumer purchased DSL routers and cable routers, but doing what

RE: BCP38 adoption "incentives"?

2016-09-27 Thread White, Andrew
Hi Mike, This assumes the ISP manages the customer's CPE or home router, which is often not the case. Adding such ACLs to the upstream device, operated by the ISP, is not always easy or feasible. It would make sense for most ISPs to have egress filtering at the edge (transit and peering

Re: BCP38 adoption "incentives"?

2016-09-27 Thread Mike Hammett
It would be incredibly low impact to have the residential CPE block any source address not assigned by the ISP. Done. - Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com - Original Message - From: "Stephen Satchell"

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-27 Thread Jared Mauch
> On Sep 27, 2016, at 10:48 AM, Brielle Bruns wrote: > > You start cutting off users or putting them into a walled garden until they > fix their machines, and they will start caring. Wait until the user who claims perfection gets on the phone, etc. We had a network outage

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-27 Thread Mike Hammett
We can't teach other network operators the value of IPv6. Good luck teaching a consumer anything other than cat videos (and now recipes - unrelated to the former). - Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com -

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-27 Thread Jared Mauch
> On Sep 27, 2016, at 12:43 AM, Mark Andrews wrote: > > Why not? You call a washing machine mechanic when the washing > machine plays up. This is not conceptually different. Mark, Your logic is infallible here, but the equivalencies are not. If I drive on the road and it’s

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-27 Thread Mike Hammett
"who from my experience tend to be the least experienced and network knowledgeable people running a customer network" Also most likely to have built their network from scratch out of pure need (perhaps for themselves) rather than someone cashing in on a trend. No offense meant (though surely

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-27 Thread Eygene Ryabinkin
Sun, Sep 25, 2016 at 05:57:42PM -0400, Patrick W. Gilmore wrote: > Remember University of Wisconsin vs. D-Link and their hard-coded > NTP server address? UW vs Netgear and Poul-Henning Kamp vs D-Link, both on NTP stuff? -- Eygene Ryabinkin, National Research Centre "Kurchatov Institute" Always

Re: BCP38 adoption "incentives"?

2016-09-27 Thread Joe Klein
The knobs that are available to push adoption of any standard can include "Doing nothing", "Educating the community", "Incentives", "Public Shaming", "Loss of business", "Engaging the policy & legal wanks". It seems to me the first two options have not moved the ball much. Must we move the last

Re: BCP38 adoption "incentives"?

2016-09-27 Thread Mikael Abrahamsson
On Tue, 27 Sep 2016, Mike Jones wrote: Any network operator should know if their network is blocking it or not without having to deploy active probes across their network. Err... I was not referring to the operator doing this on the CPEs they provide to their customers. I was referring to

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-27 Thread Brielle Bruns
On 9/27/16 11:18 AM, Brielle Bruns wrote: On 9/27/16 10:05 AM, Roland Dobbins wrote: I point to the current trend of parents watching and smiling, doing nothing as their kids destroy people's stores and restaurants. ISPs are literally doing the exact same thing when it comes to coddling their

Re: BCP38 adoption "incentives"?

2016-09-27 Thread Mike Jones
On 27 September 2016 at 15:32, Mikael Abrahamsson wrote: > On Tue, 27 Sep 2016, Joe Klein wrote: > >> What would it take to test for BCP38 for a specific AS? > > > Well, you can get people to run > https://www.caida.org/projects/spoofer/#software > > I tried to get OpenWrt to

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-27 Thread Brielle Bruns
On 9/27/16 10:05 AM, Roland Dobbins wrote: I point to the current trend of parents watching and smiling, doing nothing as their kids destroy people's stores and restaurants. ISPs are literally doing the exact same thing when it comes to coddling their customers. They can *see* the unruly

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-27 Thread Dale W. Carder
Thus spake Patrick W. Gilmore (patr...@ianai.net) on Sun, Sep 25, 2016 at 05:57:42PM -0400: > On Sep 25, 2016, at 5:50 PM, ryan landry wrote: > > On Sun, Sep 25, 2016 at 9:07 PM, Mark Andrews wrote: > > >> This is such a golden opportunity for each of you

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-27 Thread Peter Beckman
On Tue, 27 Sep 2016, Brielle Bruns wrote: I don't see how this is a problem exactly? If people want to buy devices that connect to their home network, they need to be aware of what these devices can do, and it is their responsibility. I understand that is what you want. What you might

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-27 Thread Keith Stokes
Assuming all devices are vulnerable isn't a bad start. -- Keith Stokes > On Sep 27, 2016, at 11:04 AM, Roland Dobbins wrote: > >> On 27 Sep 2016, at 22:37, Patrick W. Gilmore wrote: >> >> All the more reason to educate people TODAY on why having vulnerable devices >> is

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-27 Thread Roland Dobbins
On 27 Sep 2016, at 22:49, Florian Weimer wrote: Most people over here have at least two providers of water and Internet (although the second one is perhaps sufficient for brushing your teeth, but certainly not for a shower or a bath). That's not a common arrangement in much of the world,

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-27 Thread Patrick W. Gilmore
On Sep 27, 2016, at 11:49 AM, Roland Dobbins wrote: > On 27 Sep 2016, at 22:37, Patrick W. Gilmore wrote: >> All the more reason to educate people TODAY on why having vulnerable devices >> is a Very Bad Idea. > > Yes, but how do they determine that a given device is

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-27 Thread Roland Dobbins
On 27 Sep 2016, at 22:46, Brielle Bruns wrote: I point to the current trend of parents watching and smiling, doing nothing as their kids destroy people's stores and restaurants. ISPs are literally doing the exact same thing when it comes to coddling their customers. They can *see* the

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-27 Thread Roland Dobbins
On 27 Sep 2016, at 22:37, Patrick W. Gilmore wrote: All the more reason to educate people TODAY on why having vulnerable devices is a Very Bad Idea. Yes, but how do they determine that a given device is vulnerable? --- Roland Dobbins

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-27 Thread Florian Weimer
* Roland Dobbins: > On 27 Sep 2016, at 12:17, Sam Silvester wrote: > >> or call their electricity retailer/distributor > > This is the problematic case that is, unfortunately, the default. > > People tend to view anything related to 'the Internet' as a utility, > and for consumers and SMBs, they

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-27 Thread Brielle Bruns
On 9/27/16 9:35 AM, Roland Dobbins wrote: On 27 Sep 2016, at 21:48, Brielle Bruns wrote: You start cutting off users or putting them into a walled garden until they fix their machines, and they will start caring. It's important to keep in mind that in the not-so-distant future, their

Re: nested prefixes in Internet

2016-09-27 Thread Mel Beckman
Precisely. This is how it's done by providers I've worked with. -mel beckman > On Sep 27, 2016, at 7:06 AM, Roy wrote: > > > > Option 3? > > ISP A announces the /19 and the /24 while ISP B does just the /24 > >> On 9/27/2016 4:20 AM, Martin T wrote: >> Hi, >> >>

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-27 Thread Alan Buxey
hi, >From: NANOG on behalf of Mike Hammett > >Sent: 27 September 2016 16:30 >Cc: nanog@nanog.org >Subject: Re: Krebs on Security booted off Akamai network after DDoS attack >proves pricey > >You must not support end users. haha...i read that wrong.

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-27 Thread Roland Dobbins
On 27 Sep 2016, at 12:17, Sam Silvester wrote: or call their electricity retailer/distributor This is the problematic case that is, unfortunately, the default. People tend to view anything related to 'the Internet' as a utility, and for consumers and SMBs, they typically have a single

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-27 Thread Patrick W. Gilmore
On Sep 27, 2016, at 11:35 AM, Roland Dobbins wrote: > On 27 Sep 2016, at 21:48, Brielle Bruns wrote: >> You start cutting off users or putting them into a walled garden until they >> fix their machines, and they will start caring. > > It's important to keep in mind that in

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-27 Thread Roland Dobbins
On 27 Sep 2016, at 21:48, Brielle Bruns wrote: You start cutting off users or putting them into a walled garden until they fix their machines, and they will start caring. It's important to keep in mind that in the not-so-distant future, their 'machines' will include every article of clothing

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-27 Thread Mike Hammett
You must not support end users. - Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com - Original Message - From: "Mark Andrews" To: "Roland Dobbins" Cc: nanog@nanog.org Sent:

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-27 Thread Sam Silvester
On Tue, Sep 27, 2016 at 1:35 PM, Roland Dobbins wrote: > It all comes down to the network operator, one way or another. There's > no separation in the public mind of 'my network' from 'the Internet' that > is analogous to the separation between 'the power company' and 'the

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-27 Thread Brielle Bruns
On 9/26/16 10:05 PM, Roland Dobbins wrote: +1 for this capability in CPE. OTOH, it will be of no use whatsoever to the user. Providing the user with access to anomalous traffic feeds won't help, either. Users aren't going to call in some third-party service/support company, either. You

Re: BCP38 adoption "incentives"?

2016-09-27 Thread Mikael Abrahamsson
On Tue, 27 Sep 2016, Joe Klein wrote: What would it take to test for BCP38 for a specific AS? Well, you can get people to run https://www.caida.org/projects/spoofer/#software I tried to get OpenWrt to include similar software, on by default, but some people are afraid that they might

Re: BCP38 adoption "incentives"?

2016-09-27 Thread Mikael Abrahamsson
On Tue, 27 Sep 2016, Zbyněk Pospíchal wrote: On 27.09.16 at 15:17 Mikael Abrahamsson wrote: Hm, so the IX operator looks at packets at the IX (sFlow perhaps), sees who is sending attack packets, and if they're spoofed, this ISP is then put in "quarantine", ie their IX port is basically now

Re: nested prefixes in Internet

2016-09-27 Thread Roy
Option 3? ISP A announces the /19 and the /24 while ISP B does just the /24 On 9/27/2016 4:20 AM, Martin T wrote: Hi, let's assume that there is an ISP "A" operating in Europe region who has /19 IPv4 allocation from RIPE. From this /19 they have leased /24 to ISP "B" who is multi-homed.

Re: BCP38 adoption "incentives"?

2016-09-27 Thread Joe Klein
What would it take to test for BCP38 for a specific AS? Joe Klein "Inveniam viam aut faciam" PGP Fingerprint: 295E 2691 F377 C87D 2841 00C1 4174 FEDF 8ECF 0CC8 On Tue, Sep 27, 2016 at 8:31 AM, Stephen Satchell wrote: > Does anyone know if any upstream and tiered internet

Re: nested prefixes in Internet

2016-09-27 Thread Florian Weimer
* Martin T.: > let's assume that there is an ISP "A" operating in Europe region who > has /19 IPv4 allocation from RIPE. From this /19 they have leased /24 > to ISP "B" who is multi-homed. This means that ISP "B" would like to > announce this /24 prefix to ISP "A" and also to ISP "C". AFAIK this

Re: BCP38 adoption "incentives"?

2016-09-27 Thread Zbyněk Pospíchal
On 27.09.16 at 15:17 Mikael Abrahamsson wrote: > Hm, so the IX operator looks at packets at the IX (sFlow perhaps), sees > who is sending attack packets, and if they're spoofed, this ISP is then > put in "quarantine", ie their IX port is basically now useless. Definitely not. Try to read

Re: BCP38 adoption "incentives"?

2016-09-27 Thread Mikael Abrahamsson
On Tue, 27 Sep 2016, Zbyněk Pospíchal wrote: The implementation of BCP38 over the local market strongly increased after massive DDoS attacks in 2013 affecting a major part of the industry, thanks to an initiative of the most important local IXP. Hm, so the IX operator looks at packets at the IX

BCP38 -- disabusing misinformation in this discussion

2016-09-27 Thread Stephen Satchell
"BCP38 applies only to egress filtering" INCORRECT. The title of the update to BCP38/RFC2827, BCP84/RFC2074, exposes the balderdash on its face. That title? "Ingress Filtering for Multihomed Networks." Oops. This is a short snipping from the Introduction: RFC 2827 recommends that ISPs

Re: Request for comment -- BCP38

2016-09-27 Thread Florian Weimer
* Stephen Satchell: > Given a single local inside network with: > * multiple uplink providers (typical multi-home situation) > * multiple edge routers, each connected to an upstream via a public > routeable /30, and each further connected to the downstream inside > network > * 50 subnets

Re: BCP38 adoption "incentives"?

2016-09-27 Thread Zbyněk Pospíchal
The implementation of BCP38 over the local market strongly increased after massive DDoS attacks in 2013 affecting a major part of the industry, thanks to an initiative of the most important local IXP. There is a special separate last-resort "island mode" network, which is intended to be activated in

Re: BCP38 adoption "incentives"?

2016-09-27 Thread Mikael Abrahamsson
On Tue, 27 Sep 2016, Stephen Satchell wrote: You have to make their ignorance SUBTRACT from the bottom line. I'd say there is no way to actually achieve this. BCP38 non-compliance doesn't hurt the one not in compliance in any significant amount, it hurts everybody else. The only way I can

BCP38 adoption "incentives"?

2016-09-27 Thread Stephen Satchell
Does anyone know if any upstream and tiered internet providers include in their connection contracts a mandatory requirement that all directly-connected routers be in compliance with BCP38? Does anyone know if large ISPs like Comcast, Charter, or AT&T have put in place internal policies

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-27 Thread Jared Mauch
> On Sep 26, 2016, at 7:58 PM, Christopher Morrow > wrote: > > On Mon, Sep 26, 2016 at 7:49 PM, Mark Andrews wrote: > >> >> Giving them real time access to the anomalous traffic log feed for >> their residence would also help. They or the specialist

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-27 Thread Eliot Lear
On 9/27/16 1:19 PM, Florian Weimer wrote: > * Eliot Lear: > >> As some on this thread know, I've been working with the folks who make >> light bulbs and switches. They fit a certain class of device that is >> not general purpose, but rather are specific in nature. For those >> devices it is

Re: Request for comment -- BCP38

2016-09-27 Thread Florian Weimer
* Jason Iannone: > I have a question regarding language. We've seen bcp38 described as a > forwarding filter, preventing unallocated sources from leaving the AS. I > understand that unicast reverse path forwarding checks support bcp38, but > urpf is an input check with significant technical

Re: Request for comment -- BCP38

2016-09-27 Thread Stephen Satchell
I'm trying to come up with a simple picture that embraces all the comments I've seen thus far on the definition of BCP38. The example scenario I'm about to paint may be over-simplified -- but I like to start simple. Given a single local inside network with: * multiple uplink providers

Re: Request for comment -- BCP38

2016-09-27 Thread Jason Iannone
I have a question regarding language. We've seen bcp38 described as a forwarding filter, preventing unallocated sources from leaving the AS. I understand that unicast reverse path forwarding checks support bcp38, but urpf is an input check with significant technical differences from output

nested prefixes in Internet

2016-09-27 Thread Martin T
Hi, let's assume that there is an ISP "A" operating in Europe region who has /19 IPv4 allocation from RIPE. From this /19 they have leased /24 to ISP "B" who is multi-homed. This means that ISP "B" would like to announce this /24 prefix to ISP "A" and also to ISP "C". AFAIK this gives two

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-27 Thread Florian Weimer
* Eliot Lear: > As some on this thread know, I've been working with the folks who make > light bulbs and switches. They fit a certain class of device that is > not general purpose, but rather are specific in nature. For those > devices it is possible for the manufacturers to inform the network

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-27 Thread Florian Weimer
* Mark Andrews: > Dear customer, >we are seeing traffic coming from your network. > > If you need help isolating the source of the traffic here are a few > companies in your city that can help you. > > > > This is not a exhaustive list. > > Support We already had the problem in

Re: Request for comment -- BCP38

2016-09-27 Thread Florian Weimer
* Baldur Norddahl: > This means we can receive some packet on transit port A and then route out >>> a ICMP response on port B using the interface address from port A. But >>> transit B filters this ICMP packet because it has a source address >>> belonging to transit A. >> Interesting. But this

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-27 Thread Eliot Lear
John, On 9/27/16 2:13 AM, John R. Levine wrote: >> Therein lies the problem if the traffic does not look anomalous I >> suppose. But even if it does look unusual, ISPs would be asking >> consumers to trash/update/turn off a lot of devices in time – like >> when every home has 10s or 100s of these