Re: IPv4 smaller than /24 leasing?

2018-01-04 Thread Ken Chase
$5k ain't nothing. I started with less than that (but
hung off the colo's in-house bw through NAC.net 'til I
could wean off it). I imagine for tiny communities (and say on
remote native reserves, for eg) that $5k additional expense
could be limiting.

And soon to become even harder to set up an ISP?

https://np.reddit.com/r/technology/comments/7o41rf/the_fcc_is_preparing_to_weaken_the_definition_of/ds6w3aw/

/kc
--
Ken Chase - m...@sizone.org Guelph, Canada



Re: Anyone else blacklisted this morning by rbl.iprange.net?

2018-01-04 Thread John R. Levine
> Alas, these RBLs are often hard-coded into firewalls. Non-sophisticated
> users just think they have a check box saying "block spam". Fixing those
> IS hard.


I believe there are cases where people have made it hard, but there are 
limits on how much I believe in protecting people from the consequences of 
their ineptness.


Perhaps we should spin up a little DNS cache just for DNSBL queries.

R's,
John


> In article
> you write:
>> If you're going to run a DNSBL to advertise your mail software,
>> perhaps do so in a way that doesn't flip the bird at everyone using it.
>
> On the other hand if you're going to use DNSBLs, you really should do
> the tests in RFC 5782 every once in a while so you stop using BLs that
> don't exist any more.  It's not hard.


Re: IPv4 smaller than /24 leasing?

2018-01-04 Thread valdis . kletnieks
On Thu, 04 Jan 2018 19:20:26 -0500, Justin Wilson said:
> How is this a good use of resources when they have to justify 80% of a /24 in
> which they only need half of? I have 5 ISPs I work with that have 300-500
> customer and are using a /26 or smaller of IP space.  They can’t have true
> redundancy they are able to manage because they can’t do BGP themselves.  So
> they are tied to one ISP because thats where they get their space from.  Or,
> going back to the original part of this thread, they lease from someone across
> a tunnel.  Even then, they are still tied to someone.

So you CGNAT 500 users that would easily qualify you for a /22 into a /26,
and then complain you can't get a /24.

"Doctor, it hurts when I do this" "Don't do that then",




Re: Anyone else blacklisted this morning by rbl.iprange.net?

2018-01-04 Thread Mel Beckman
Alas, these RBLs are often hard-coded into firewalls. Non-sophisticated users 
just think they have a check box saying "block spam". Fixing those IS hard.

 -mel 

> On Jan 4, 2018, at 4:45 PM, John Levine  wrote:
> 
> In article 
>  you 
> write:
>> If you're going to run a DNSBL to advertise your mail software,
>> perhaps do so in a way that doesn't flip the bird at everyone using it.
> 
> On the other hand if you're going to use DNSBLs, you really should do
> the tests in RFC 5782 every once in a while so you stop using BLs that
> don't exist any more.  It's not hard.
> 
> R's,
> John


Re: Attacks from poneytelecom.eu

2018-01-04 Thread valdis . kletnieks
On Thu, 04 Jan 2018 12:58:48 -0800, Dan Hollis said:
> On Thu, 4 Jan 2018, valdis.kletni...@vt.edu wrote:
> > Been there, done that.  Been out of the country and offline for 36 hours,
> > reconnect and there's a user with a problem that would have been dealt
> > with 36 hours earlier if they had sent it to our help desk instead of to me
> > directly.
>
> They use your direct contact info because your help desk isn't responsive.

Not really - because a big chunk of the time, I end up opening a ticket with
the help desk on their behalf, because I wasn't even the person who was
actually responsible for fixing their problem (I do infrastructure, not user
services).  They just splat out a mail to a name they recognize because I've
been here almost 3 decades now.  Why they think I can help with a NetApp CIFS
permission issue just because they remember I fixed their SGI system in the
late 90s is beyond me...

Plus, I know for a fact that if they called our help desk, they'd probably have
a ticket open and called back by somebody faster than I would reply, because
the help desk's SLA is measured in "reply in hours", while mine is "within 2
business days" for non-system-down situations.

Hell, took me 4 hours to respond to your mail. :)







Re: Anyone else blacklisted this morning by rbl.iprange.net?

2018-01-04 Thread John Levine
In article  
you write:
>If you're going to run a DNSBL to advertise your mail software,
>perhaps do so in a way that doesn't flip the bird at everyone using it.

On the other hand if you're going to use DNSBLs, you really should do
the tests in RFC 5782 every once in a while so you stop using BLs that
don't exist any more.  It's not hard.

R's,
John
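
A periodic check of the kind John recommends, as an added example in Python (it is not code from the post or from any DNSBL operator). RFC 5782 section 5 requires an IPv4 DNSBL to list 127.0.0.2 and to not list 127.0.0.1, and the RFC describes the A record of a listing as an address in 127.0.0.0/8, so three failure modes fall out of two lookups: a zone that no longer answers, a zone that answers positive for everything (what rbl.iprange.net did that morning), and a zone whose domain has lapsed and now returns a parking address for any name. The zone names and the answers fed to the offline resolver below are constructed; the default resolver does real lookups through socket.gethostbyname.

```python
"""Added example (not from the post): vet DNSBL zones with the RFC 5782
section 5 test entries before trusting them.  Zone names and the answers
in table_resolver() are constructed for illustration."""
import ipaddress
import socket


def dnsbl_name(ip, zone):
    """127.0.0.2 + 'bl.example' -> '2.0.0.127.bl.example.' (reversed octets)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.rstrip(".") + "."


def default_resolve(name):
    """Look up an A record; None when the name does not resolve."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def table_resolver(table):
    """Offline stand-in for default_resolve, fed from a constructed dict."""
    return lambda name: table.get(name)


def is_listing(answer):
    """A DNSBL 'listed' answer is an A record inside 127.0.0.0/8.  Anything
    else (a registrar parking page after the zone's domain expired, for
    example) is not a listing and must not block mail."""
    return answer is not None and ipaddress.IPv4Address(answer) in ipaddress.ip_network("127.0.0.0/8")


def check_dnsbl(zone, resolve=default_resolve):
    """Classify a zone using the RFC 5782 section 5 test entries.

    "ok"               127.0.0.2 listed and 127.0.0.1 not: usable
    "lists-everything" 127.0.0.1 listed: every lookup comes back positive
    "wildcarded"       answers outside 127/8: domain parked or otherwise broken
    "dead"             127.0.0.2 not listed: zone gone or not answering
    """
    hit = resolve(dnsbl_name("127.0.0.2", zone))    # MUST be listed
    miss = resolve(dnsbl_name("127.0.0.1", zone))   # MUST NOT be listed
    if (hit is not None and not is_listing(hit)) or (miss is not None and not is_listing(miss)):
        return "wildcarded"
    if miss is not None:
        return "lists-everything"
    if hit is None:
        return "dead"
    return "ok"


def usable_dnsbls(zones, resolve=default_resolve):
    """Filter a configured list down to the zones that still behave."""
    return [z for z in zones if check_dnsbl(z, resolve) == "ok"]


def is_listed(ip, zone, resolve=default_resolve):
    """The delivery-time question, applying the same 127/8 rule to the answer."""
    return is_listing(resolve(dnsbl_name(ip, zone)))
```

Run usable_dnsbls over the configured zones on a schedule and alert when the result shrinks. A firewall's "block spam" checkbox has no such check, which is exactly why a list that starts answering positive for 127.0.0.1 blocks everything for everyone who never removed it.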


making the queries go away, was Re: Anyone else blacklisted this morning

2018-01-04 Thread John Levine
In article <20180102170409.ga5...@gsp.org> you write:
>On Tue, Jan 02, 2018 at 04:46:02PM +, Mel Beckman quoted:
>> "rbl.iprange.net will mark every ip address as listed to force removal of 
>> this server."
>
>Apparently they didn't read section 3.4 of RFC 6471:

I agree that listing the world is a bad idea but I feel their pain,
having a few DNSBL-like things here that are hammered on at great
length by broken clients.  If you want the traffic to go away, what do
you do?


I run a little DNS server at contacts.abuse.net that provides abuse
contact information in TXT records.  For reasons I can only imagine, a
few hosts hammer on them like crazy (one seems to have the goal of
looking up every 2ld in the .at domain) which is a pain.  So I've
started doing nameserver poisoning.  If one of those annoying hosts
asks for, say, foo.bar.contacts.abuse.net which is how you ask for the
contacts for domain foo.bar, it returns

   bar.contacts.abuse.net. NS 604800 abcde.n.contacts.abuse.net.
...
   bar.contacts.abuse.net. NS 604800 qwert.n.contacts.abuse.net.

with 12 fake NS records with randomish hostnames.  Then when they do A
or AAAA lookups for those host names, I send back a couple of dozen fake
A or AAAA records.  In my experience that makes them go away pretty
fast, with only the occasional revisit when they want something in an
obscure TLD that I haven't poisoned yet.

This is all written in perl, which turned out to be pretty easy, and
not using Net::DNS or anything like that, either.  I suppose if I
wanted to do this on behalf of a normal nameserver I could use some
packet filters to divert traffic from annoying hosts to the poison
server.

R's,
John
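
The two-stage poisoning described above, as an added example in Python; it is neither John's Perl nor the abuse.net server's code. The client set, the contact table, and the fake hostnames and addresses (taken from the documentation ranges 203.0.113.0/24 and 2001:db8::/32) are constructed for illustration. A query from a listed client for foo.bar.contacts.abuse.net gets a referral of bar.contacts.abuse.net to 12 nameservers that exist only here; when that client then asks for the A or AAAA record of one of those hosts it gets 24 fake addresses; everyone else gets the TXT record or NXDOMAIN. Names are emitted uncompressed and the parser only reads the question section, which is all a responder of this kind needs.

```python
"""Added example (not the post's code): a 'poison' responder for clients
that hammer a DNS-based lookup service.  ANNOYING, CONTACTS and the fake
names/addresses are constructed for illustration."""
import ipaddress
import random
import struct

ZONE = "contacts.abuse.net"                  # the zone named in the post
ANNOYING = {"192.0.2.99"}                    # constructed: clients that hammer the server
CONTACTS = {"foo.bar": "abuse@foo.bar"}      # constructed stand-in for the real contact data
FAKE_NS_COUNT, FAKE_A_COUNT, TTL = 12, 24, 604800
TYPE_A, TYPE_NS, TYPE_TXT, TYPE_AAAA = 1, 2, 16, 28


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def decode_name(data, offset):
    """Read an uncompressed name at offset; return (name, offset past it)."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def build_query(name, qtype, txid=0x1234):
    """A minimal recursion-desired query; used here to drive the responder."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_query(packet):
    """Return (txid, lower-cased qname, qtype, raw question section)."""
    txid = struct.unpack("!H", packet[:2])[0]
    qname, off = decode_name(packet, 12)
    qtype = struct.unpack("!H", packet[off:off + 2])[0]
    return txid, qname.lower(), qtype, packet[12:off + 4]


def rr(name, rtype, rdata):
    """One resource record in class IN with the zone-wide TTL."""
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, TTL, len(rdata)) + rdata


def fake_host(owner, i):
    """Deterministic 'randomish' NS hostname, so repeat queries see the same lie."""
    rnd = random.Random("%s/%d" % (owner, i))
    return "".join(rnd.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(5)) + ".n." + ZONE


def build_response(query, client_ip):
    txid, qname, qtype, question = parse_query(query)
    answers, authority, rcode = [], [], 0
    in_zone = qname.endswith("." + ZONE)
    sub = qname[:-len(ZONE) - 1] if in_zone else ""     # "foo.bar" or "abcde.n"

    if client_ip in ANNOYING and in_zone:
        if sub.endswith(".n") and qtype in (TYPE_A, TYPE_AAAA):
            # Stage 2: the client chases one of the fake NS hosts; hand it a
            # couple of dozen addresses from documentation ranges.
            base = ipaddress.ip_address("203.0.113.0" if qtype == TYPE_A else "2001:db8::")
            answers = [rr(qname, qtype, (base + i).packed) for i in range(FAKE_A_COUNT)]
        else:
            # Stage 1: refer the whole "TLD" (bar.contacts.abuse.net for a
            # foo.bar lookup) to a dozen nameservers that exist only here.
            owner = sub.rsplit(".", 1)[-1] + "." + ZONE
            authority = [rr(owner, TYPE_NS, encode_name(fake_host(owner, i)))
                         for i in range(FAKE_NS_COUNT)]
    elif in_zone and qtype == TYPE_TXT and sub in CONTACTS:
        txt = CONTACTS[sub].encode("ascii")
        answers = [rr(qname, TYPE_TXT, bytes([len(txt)]) + txt)]   # one character-string
    else:
        rcode = 3   # NXDOMAIN

    flags = 0x8180 | rcode   # QR, RD, RA set
    header = struct.pack("!HHHHHH", txid, flags, 1, len(answers), len(authority), 0)
    return header + question + b"".join(answers) + b"".join(authority)


def section_counts(packet):
    """(answer, authority, additional) record counts from a response header."""
    return struct.unpack("!HHHHHH", packet[:12])[3:6]


def rcode_of(packet):
    return struct.unpack("!H", packet[2:4])[0] & 0x0F
```

To serve this for real, wrap build_response in a UDP loop bound to port 53 (socket.recvfrom supplies the client address for the ANNOYING check), or, as the post suggests, divert only the annoying hosts to it with a packet filter and leave the normal nameserver alone. The fake A and AAAA records point at documentation ranges rather than at someone else's addresses, so the poisoned client's follow-up traffic lands nowhere.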


Re: IPv4 smaller than /24 leasing?

2018-01-04 Thread Justin Wilson
And this is exactly what other companies are doing.  The traditional way of 
doing a startup ISP is:

1.You get provider assigned IP space
2.You grow big enough to get your own IP space, historically from ARIN.  
Nowadays you have to buy it on the open market.
3.You re-address your network for the IP space you have.
4.Chewing up the /24 when you may not need to, in order to meet justification.

So now we have startups and growing ISPs.  I have multiple clients who are
in the exact same scenario I am going to describe.

They are a startup and can’t justify a /24 so they hope to find two backbone 
providers to play ball.  They hope one will assign them a full /24 so they can 
participate in BGP. That provider is probably charging them $1 per IP per 
month.  Okay fine, pay it.  As said in a previous e-mail, if they can’t afford 
it they shouldn’t be in business right?  They go through the ARIN process to 
get an ASN and can now participate in BGP.  Great, they bring up BGP and work 
towards having the cash flow to buy a /24 on the open market.  Again, if they 
can’t afford to play they shouldn’t be in business right?  Cash flow pays for 
the ability to buy a /24 in 8-14 months.  $4,000 plus the $2500 they spent on 
leasing fees.  Again, if they can’t afford it don’t play huh?

So now, they have a /24 they really don’t need.  In order to meet ARIN 
justification they hand out IPs to people who really aren’t in their business 
model just to meet justification.  Before you know it they are using 80% of a 
/24 when they really only need half or less of it.  The /24 is too small to 
scale to giving everyone publics, so their network design is centered around
1:many NAT, CGN, and other such things.

How is this a good use of resources when they have to justify 80% of a /24 in 
which they only need half of? I have 5 ISPs I work with that have 300-500 
customers and are using a /26 or smaller of IP space.  They can't have true
redundancy they are able to manage because they can't do BGP themselves.  So
they are tied to one ISP because that's where they get their space from.  Or,
going back to the original part of this thread, they lease from someone across 
a tunnel.  Even then, they are still tied to someone.


Justin Wilson
j...@mtin.net

www.mtin.net
www.midwest-ix.com

> On Jan 4, 2018, at 7:01 PM, Dovid Bender  wrote:
> 
> I can tell you that when we started (and there were IP's still available)
> we first leased from another company to get our feet wet and run tests
> before we requested our own resources.
> 
> On Thu, Jan 4, 2018 at 6:21 PM, William Herrin  wrote:
> 
>> On Thu, Jan 4, 2018 at 6:06 PM, Mike Hammett  wrote:
>> 
>>> There are hundreds of ISPs with under 500 customers. More start up every
>>> week. No need to marginalize them.
>>> 
>> 
>> Hi Mike,
>> 
>> No disrespect, but anyone who can't afford to spend $5000 on resources
>> critical to their activity is not in the Internet business or any other
>> kind of business and should probably stop lying to themselves about that.
>> 
>> Regards,
>> Bill Herrin
>> 
>> 
>> --
>> William Herrin  her...@dirtside.com  b...@herrin.us
>> Dirtside Systems . Web: 
>> 
> 



Re: IPv4 smaller than /24 leasing?

2018-01-04 Thread Justin Wilson
Most of the ones I know personally are doing CGN and have no real need for IP 
addresses.  I know of Wireless ISPs with 2000 customers and only about 50 IPv4
addresses in use for NAT and the occasional public IP customer.


Justin Wilson
j...@mtin.net

www.mtin.net
www.midwest-ix.com

> On Jan 4, 2018, at 5:51 PM, valdis.kletni...@vt.edu wrote:
> 
> On Thu, 04 Jan 2018 17:40:27 -0500, Justin Wilson said:
>> I know of dozens, if not hundreds of small ISPs that can’t participate in 
>> BGP
>> because they don’t have big enough blocks.
> 
> What's the business model, if you have less than 120 customers? Selling
> value-add services on top of moving the packets? Or just be in a country
> where cost-of-everything is so cheap that you can make a profit on 120
> customers at $20/mo?
> 
> And hundreds?  Is that "in the US", or "worldwide"?



Re: IPv4 smaller than /24 leasing?

2018-01-04 Thread Dovid Bender
I can tell you that when we started (and there were IP's still available)
we first leased from another company to get our feet wet and run tests
before we requested our own resources.

On Thu, Jan 4, 2018 at 6:21 PM, William Herrin  wrote:

> On Thu, Jan 4, 2018 at 6:06 PM, Mike Hammett  wrote:
>
> > There are hundreds of ISPs with under 500 customers. More start up every
> > week. No need to marginalize them.
> >
>
> Hi Mike,
>
> No disrespect, but anyone who can't afford to spend $5000 on resources
> critical to their activity is not in the Internet business or any other
> kind of business and should probably stop lying to themselves about that.
>
> Regards,
> Bill Herrin
>
>
> --
> William Herrin  her...@dirtside.com  b...@herrin.us
> Dirtside Systems . Web: 
>


Re: IPv4 smaller than /24 leasing?

2018-01-04 Thread William Herrin
On Thu, Jan 4, 2018 at 6:06 PM, Mike Hammett  wrote:

> There are hundreds of ISPs with under 500 customers. More start up every
> week. No need to marginalize them.
>

Hi Mike,

No disrespect, but anyone who can't afford to spend $5000 on resources
critical to their activity is not in the Internet business or any other
kind of business and should probably stop lying to themselves about that.

Regards,
Bill Herrin


-- 
William Herrin  her...@dirtside.com  b...@herrin.us
Dirtside Systems . Web: 


Re: Attacks from poneytelecom.eu

2018-01-04 Thread Stephen Satchell

On 01/04/2018 01:02 PM, Dan Hollis wrote:

when the first tier incompetence stops, the direct contacts will stop too.


But, but, but...when the first tier support person gets the training to 
not be incompetent, he is promoted to the second tier and the vacuum is 
filled with another incompetent first-tier person.


So, by definition, the first tier of support will only be able to answer 
questions "from the book".  Anything more complex than what's in "the 
book" is bumped to the second tier...where the problem is above the 
second-tier pay grade and it gets bumped further up the chain.


It's a variation of the Peter Principle:  ex-incompetents will rise up
the promotion ladder.





Re: Attacks from poneytelecom.eu

2018-01-04 Thread William Herrin
On Thu, Jan 4, 2018 at 4:02 PM, Dan Hollis  wrote:

> On Thu, 4 Jan 2018, William Herrin wrote:
>
>> On Thu, Jan 4, 2018 at 11:48 AM, Michael Crapse 
>> wrote:
>>
>>> I've never dealt with a support queue that resolved the issue faster than
>>> a direct contact.
>>>
>> I've never dealt with a support queue that's more competent than the last
>> direct contact I talked with. Navigating the support queue to the guy
>> competent to deal with my problem is one of the more infuriating things
>> about big company support.
>>
>
> it does get kind of old when you have to argue with first tier support on
> how to read smtp headers. or that an IP address registered to them in ARIN
> actually belongs to them.
>

Those are the good ones. The bad ones are when the support tech wanders
down the script without understanding you at all.

"Your email server at 1.2.3.4 gave me the following error message when my
server at 6.7.8.9 tried to pass email to b...@yourcompany.com from
j...@mycompany.com at 13:54:06 UTC."

"Reboot your computer. Then please take this survey to let me know how I
did."

-Bill

-- 
William Herrin  her...@dirtside.com  b...@herrin.us
Dirtside Systems . Web: 


Re: IPv4 smaller than /24 leasing?

2018-01-04 Thread Mike Hammett
Startups, people serving areas where there aren't a ton of people, etc. 

I'm sure they'd love to have /24s, but ARIN is out of them and the market is 
too pricey for most of these guys. 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 

- Original Message -

From: "valdis kletnieks"  
To: "Justin Wilson"  
Cc: "NANOG"  
Sent: Thursday, January 4, 2018 4:51:20 PM 
Subject: Re: IPv4 smaller than /24 leasing? 

On Thu, 04 Jan 2018 17:40:27 -0500, Justin Wilson said: 
> I know of dozens, if not hundreds of small ISPs that can’t participate in 
> BGP 
> because they don’t have big enough blocks. 

What's the business model, if you have less than 120 customers? Selling 
value-add services on top of moving the packets? Or just be in a country 
where cost-of-everything is so cheap that you can make a profit on 120 
customers at $20/mo? 

And hundreds? Is that "in the US", or "worldwide"? 



Re: IPv4 smaller than /24 leasing?

2018-01-04 Thread Mike Hammett
No. ARIN is out of IPv4 other than IXes, critical infrastructure and IPv6 
transition. 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 

- Original Message -

From: "Michael Hallgren"  
To: "William Herrin"  
Cc: "NANOG"  
Sent: Thursday, January 4, 2018 4:56:21 PM 
Subject: Re: IPv4 smaller than /24 leasing? 

By the way, RIPE still seems to provide fresh /22s to new LIRs. Same in the 
ARIN region? 
mh 

On 4 Jan 2018 at 23:50, William Herrin wrote:
>On Thu, Jan 4, 2018 at 5:40 PM, Justin Wilson  wrote: 
> 
>> I know of dozens, if not hundreds of small ISPs that can’t 
>participate in 
>> BGP because they don’t have big enough blocks. 
> 
> 
>Hi Justin, 
> 
>Not much of an ISP if they can't get a /24. We're talking about a 
>one-time 
>market purchase under $5000 and the ARIN justification for that small a 
>block almost writes itself. 
> 
>Regards, 
>Bill Herrin 
> 
> 
>-- 
>William Herrin  her...@dirtside.com b...@herrin.us 
>Dirtside Systems . Web:  



Re: IPv4 smaller than /24 leasing?

2018-01-04 Thread Mike Hammett
There are hundreds of ISPs with under 500 customers. More start up every week. 
No need to marginalize them. 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 

- Original Message -

From: "William Herrin"  
To: "Justin Wilson"  
Cc: "NANOG"  
Sent: Thursday, January 4, 2018 4:48:40 PM 
Subject: Re: IPv4 smaller than /24 leasing? 

On Thu, Jan 4, 2018 at 5:40 PM, Justin Wilson  wrote: 

> I know of dozens, if not hundreds of small ISPs that can’t participate in 
> BGP because they don’t have big enough blocks. 


Hi Justin, 

Not much of an ISP if they can't get a /24. We're talking about a one-time 
market purchase under $5000 and the ARIN justification for that small a 
block almost writes itself. 

Regards, 
Bill Herrin 


-- 
William Herrin  her...@dirtside.com b...@herrin.us 
Dirtside Systems . Web:  



Re: IPv4 smaller than /24 leasing?

2018-01-04 Thread Michael Hallgren
By the way, RIPE still seems to provide fresh /22s to new LIRs. Same in the 
ARIN region?
mh

On 4 Jan 2018 at 23:50, William Herrin wrote:
>On Thu, Jan 4, 2018 at 5:40 PM, Justin Wilson  wrote:
>
>> I know of dozens, if not hundreds of small ISPs that can’t
>participate in
>> BGP because they don’t have big enough blocks.
>
>
>Hi Justin,
>
>Not much of an ISP if they can't get a /24. We're talking about a
>one-time
>market purchase under $5000 and the ARIN justification for that small a
>block almost writes itself.
>
>Regards,
>Bill Herrin
>
>
>--
>William Herrin  her...@dirtside.com  b...@herrin.us
>Dirtside Systems . Web: 


Re: IPv4 smaller than /24 leasing?

2018-01-04 Thread valdis . kletnieks
On Thu, 04 Jan 2018 17:40:27 -0500, Justin Wilson said:
> I know of dozens, if not hundreds of small ISPs that can’t participate in 
> BGP
> because they don’t have big enough blocks.

What's the business model, if you have less than 120 customers? Selling
value-add services on top of moving the packets? Or just be in a country
where cost-of-everything is so cheap that you can make a profit on 120
customers at $20/mo?

And hundreds?  Is that "in the US", or "worldwide"?




Re: IPv4 smaller than /24 leasing?

2018-01-04 Thread William Herrin
On Thu, Jan 4, 2018 at 5:40 PM, Justin Wilson  wrote:

> I know of dozens, if not hundreds of small ISPs that can’t participate in
> BGP because they don’t have big enough blocks.


Hi Justin,

Not much of an ISP if they can't get a /24. We're talking about a one-time
market purchase under $5000 and the ARIN justification for that small a
block almost writes itself.

Regards,
Bill Herrin


-- 
William Herrin  her...@dirtside.com  b...@herrin.us
Dirtside Systems . Web: 


Re: IPv4 smaller than /24 leasing?

2018-01-04 Thread Justin Wilson
Yes, we do this for several clients.  We route them a smaller-than-/24 block
over a tunnel.

Which brings up an interesting question.  Will there be a time where the
smallest block size recognized will be something smaller than a /24? /25, /26?
Most modern routers have the horsepower to deal with larger route tables.

I know of dozens, if not hundreds of small ISPs that can’t participate in BGP 
because they don’t have big enough blocks.  Many others who do are not 
utilizing their /24 so it just kinda sits there. They have to have their 
provider assigned IP space be advertised. Does not help them getting on to an 
IX though.

I know, I know: IPv6 is the answer, not accepting smaller blocks.


Justin Wilson
j...@mtin.net

www.mtin.net
www.midwest-ix.com
www.fd-ix.com


> On Jan 4, 2018, at 5:31 PM, Michael Hallgren  wrote:
> 
> Thanks Bill. Kinda ugly, but OK I see... Prefer v6 ;-)
> mh
> 
> On 4 Jan 2018 at 23:17, William Herrin wrote:
>> On Thu, Jan 4, 2018 at 5:07 PM, Michael Hallgren  wrote:
>> 
>>> Am I missing something? What's the trigger for doing tunneling here?
>>> 
>> 
>> With "IP address leasing" you aren't connected to the network which
>> holds
>> the address registration.
>> 
>> For leasing less than a /24, they need a plan other than "advertise to
>> your
>> peers with BGP" because even if your peer accepts a /27, most of their
>> peers will not.
>> 
>> Regards,
>> Bill Herrin
>> 
>> 
>> 
>> --
>> William Herrin  her...@dirtside.com  b...@herrin.us
>> Dirtside Systems . Web: 
> 



Re: IPv4 smaller than /24 leasing?

2018-01-04 Thread Michael Hallgren
Thanks Bill. Kinda ugly, but OK I see... Prefer v6 ;-)
mh

On 4 Jan 2018 at 23:17, William Herrin wrote:
>On Thu, Jan 4, 2018 at 5:07 PM, Michael Hallgren  wrote:
>
>> Am I missing something? What's the trigger for doing tunneling here?
>>
>
>With "IP address leasing" you aren't connected to the network which
>holds
>the address registration.
>
>For leasing less than a /24, they need a plan other than "advertise to
>your
>peers with BGP" because even if your peer accepts a /27, most of their
>peers will not.
>
>Regards,
>Bill Herrin
>
>
>
>--
>William Herrin  her...@dirtside.com  b...@herrin.us
>Dirtside Systems . Web: 


Re: IPv4 smaller than /24 leasing?

2018-01-04 Thread William Herrin
On Thu, Jan 4, 2018 at 5:07 PM, Michael Hallgren  wrote:

> Am I missing something? What's the trigger for doing tunneling here?
>

With "IP address leasing" you aren't connected to the network which holds
the address registration.

For leasing less than a /24, they need a plan other than "advertise to your
peers with BGP" because even if your peer accepts a /27, most of their
peers will not.

Regards,
Bill Herrin



-- 
William Herrin  her...@dirtside.com  b...@herrin.us
Dirtside Systems . Web: 


Re: IPv4 smaller than /24 leasing?

2018-01-04 Thread Michael Hallgren

On 2018-01-04 20:16, Job Snijders wrote:

On Thu, 4 Jan 2018 at 20:13, Filip Hruska  wrote:

I have stumbled upon this site [1] which seems to offer /27 IPv4 
leasing.
They also claim "All of our IPv4 address space can be used on any 
network

in any location."

I thought that the smallest prefix size one could get routed globally 
is

/24?



Yes

So how does this work?



Probably with GRE, IPIP or OpenVPN tunnels.

Kind regards,

Job


IPv4 /24 is commonly the minimal chunk advertised to (and accepted by) 
neighbors. If I run a global (or regional) network, I may advertise this 
/24 -- or rather an aggregate covering it -- over my diverse 
interconnection with neighbors, your /27 being part of the chunk and 
routed to you internally (if you're a customer) -- no need for
encapsulation efforts. Similar scenario may be multi-upstream, subject 
to acceptance of "punching holes in aggregates"... Am I missing 
something? What's the trigger for doing tunneling here?


Happy New Year '18, by the way !

mh


Re: IPv4 smaller than /24 leasing?

2018-01-04 Thread Michael Hallgren

On 2018-01-04 20:27, Harald Koch wrote:

"IPv6 available upon request. "

LOL.

+1 :-)
mh


Re: IPv4 smaller than /24 leasing?

2018-01-04 Thread William Herrin
On Thu, Jan 4, 2018 at 2:16 PM, Job Snijders  wrote:

> On Thu, 4 Jan 2018 at 20:13, Filip Hruska  wrote:
> > I thought that the smallest prefix size one could get routed globally is
> > /24? So how does this work?
> >
> Probably with GRE, IPIP or OpenVPN tunnels.
>

Hi Filip, Job:

With the cooperation of your local ISP, it's possible to get clever about
this.

If your ISP sets its filter to allow it, you can send packets from the /27
directly without having to transit the GRE tunnel. So, half the path has no
latency hit at all.

The tunnel ingress which takes the /24 off the Internet and sends the /27
to you does not have to be a single node in a single location. GRE and IPIP
both support stateless multipoint tunnels where they can receive packets
from multiple sources. The /24 can be anycasted from multiple nodes around
the world allowing near-optimal routing from most origins.

Regards,
Bill Herrin

-- 
William Herrin  her...@dirtside.com  b...@herrin.us
Dirtside Systems . Web: 


Re: Attacks from poneytelecom.eu

2018-01-04 Thread Dan Hollis

On Thu, 4 Jan 2018, William Herrin wrote:

On Thu, Jan 4, 2018 at 11:48 AM, Michael Crapse  wrote:

I've never dealt with a support queue that resolved the issue faster than
a direct contact.

I've never dealt with a support queue that's more competent than the last
direct contact I talked with. Navigating the support queue to the guy
competent to deal with my problem is one of the more infuriating things
about big company support.


it does get kind of old when you have to argue with first tier support 
on how to read smtp headers. or that an IP address registered to them in 
ARIN actually belongs to them.


people reach out to nanog because first tier support is clueless and 
completely ineffective.


when the first tier incompetence stops, the direct contacts will stop too.

-Dan


Re: Attacks from poneytelecom.eu

2018-01-04 Thread Dan Hollis

On Thu, 4 Jan 2018, valdis.kletni...@vt.edu wrote:

On Thu, 04 Jan 2018 09:33:51 -0500, William Herrin said:

Why anyone thinks it's acceptable for the form submission to vanish in to
the faceless support queue is more of a quandary. The form submission
should provide a case number, the individual to whom it is assigned, direct
contact information for that individual and a promise that your report will
receive a response.

The very real problem with direct contact info is that people latch onto it.
Then, if there's another issue the person will bypass your form submission,
send a direct e-mail - which would then not be dealt with if that particular
person wasn't working, for reasons ranging from vacation to no longer being
with the provider in an abuse desk role.

Been there, done that.  Been out of the country and offline for 36 hours,
reconnect and there's a user with a problem that would have been dealt
with 36 hours earlier if they had sent it to our help desk instead of to me
directly.


They use your direct contact info because your help desk isn't responsive.

They go where they get results. No results from help desk = direct contact 
to you.


-Dan


Re: IPv4 smaller than /24 leasing?

2018-01-04 Thread Filip Hruska

Thanks for all the responses!

Seems like I was right about doubting this.


Regards

--
Filip Hruska
Linux System Administrator

On 1/4/18 at 20:20, Matt Harris wrote:
They're probably using GRE or other sorts of tunnels, I'd imagine?  It
would likely involve increased latency, as any packets coming to those
addresses would hit them first, and then be tunneled - either over the
public internet using GRE or some kind of VPN, or perhaps via a
private connection or even an IX, to you?  As far as outgoing traffic
from those addresses, you'd probably need to make sure that any
upstreams you're sending packets to from those addresses are not
running uRPF which would cause them to be discarded, or otherwise get
around such a configuration.


Take care,
Matt


On Thu, Jan 4, 2018 at 1:13 PM, Filip Hruska wrote:


Hi,

I have stumbled upon this site [1] which seems to offer /27 IPv4
leasing.
They also claim "All of our IPv4 address space can be used on any
network in any location."

I thought that the smallest prefix size one could get routed
globally is /24?
So how does this work?

[1] http://www.forked.net/ip-address-leasing/



Thanks

--
Filip Hruska
Linux System Administrator




--
Matt Harris - Chief Security Officer
Main: +1 855.696.3834 ext 103
Mobile: +1 908.590.9472
Email:m...@netfire.net 




Re: IPv4 smaller than /24 leasing?

2018-01-04 Thread Harald Koch
"IPv6 available upon request. "

LOL.

-- 
Harald


RE: IPv4 smaller than /24 leasing?

2018-01-04 Thread Luke Guillory
Notice that the LOA is only checked off on /24 or larger.




Luke Guillory
Vice President – Technology and Innovation

Tel:985.536.1212
Fax:985.536.0300
Email:  lguill...@reservetele.com

Reserve Telecommunications
100 RTC Dr
Reserve, LA 70084


-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Filip Hruska
Sent: Thursday, January 04, 2018 1:13 PM
To: NANOG
Subject: IPv4 smaller than /24 leasing?

Hi,

I have stumbled upon this site [1] which seems to offer /27 IPv4 leasing.
They also claim "All of our IPv4 address space can be used on any network in 
any location."

I thought that the smallest prefix size one could get routed globally is /24?
So how does this work?

[1] http://www.forked.net/ip-address-leasing/


Thanks

--
Filip Hruska
Linux System Administrator




Re: IPv4 smaller than /24 leasing?

2018-01-04 Thread Job Snijders
On Thu, 4 Jan 2018 at 20:13, Filip Hruska  wrote:

> I have stumbled upon this site [1] which seems to offer /27 IPv4 leasing.
> They also claim "All of our IPv4 address space can be used on any network
> in any location."
>
> I thought that the smallest prefix size one could get routed globally is
> /24?


Yes

> So how does this work?

Probably with GRE, IPIP or OpenVPN tunnels.

Kind regards,

Job


IPv4 smaller than /24 leasing?

2018-01-04 Thread Filip Hruska

Hi,

I have stumbled upon this site [1] which seems to offer /27 IPv4 leasing.
They also claim "All of our IPv4 address space can be used on any 
network in any location."


I thought that the smallest prefix size one could get routed globally is 
/24?

So how does this work?

[1] http://www.forked.net/ip-address-leasing/


Thanks

--
Filip Hruska
Linux System Administrator



Re: Attacks from poneytelecom.eu

2018-01-04 Thread William Herrin
On Thu, Jan 4, 2018 at 11:48 AM, Michael Crapse  wrote:

> I've never dealt with a support queue that resolved the issue faster than
> a direct contact.
>

I've never dealt with a support queue that's more competent than the last
direct contact I talked with. Navigating the support queue to the guy
competent to deal with my problem is one of the more infuriating things
about big company support.

-Bill

-- 
William Herrin  her...@dirtside.com  b...@herrin.us
Dirtside Systems . Web: 


Re: Attacks from poneytelecom.eu

2018-01-04 Thread Rob McEwen

On 1/4/2018 12:36 PM, valdis.kletni...@vt.edu wrote:

On Thu, 04 Jan 2018 09:48:24 -0700, Michael Crapse said:

I've never dealt with a support queue that resolved the issue faster than a
direct contact.

Which would the user prefer - a guaranteed 15 minute response time from the
queue, or 10 minutes from a direct contact, unless it's an hour because they're
in a meeting, or the next day because they're out sick, or 2 weeks because
they're on vacation?

Bonus points for recognizing there's a confirmation bias effect here - people
will remember the 2 week response time more than they'll remember the 5 minutes
faster the rest of the time.

Hint: How many "I haven't heard back in a week" do we see here and on the mailop
list, and how many "Congrats to so-n-so who fixed my problem in 5 minutes flat?"



Also, unless the requester already has a close relationship with someone 
in that department at the company they are contacting - it is sort of 
offensive to contact them without FIRST filling out the form and 
allotting a reasonable time for a response. Then, if filling out the 
form didn't work as fast as expected - THEN it might be appropriate to 
contact someone directly to help escalate the form submission. That is 
the RIGHT way to do these things. The opposite of this produces 
insufficiency, miscommunication, legal entanglements (if things didn't 
get handled properly), lost audit-trails/metrics etc. Some larger 
companies FORBID their employees from doing such direct help that is 
entirely outside their regular support system.


--
Rob McEwen
 



Re: Attacks from poneytelecom.eu

2018-01-04 Thread valdis . kletnieks
On Thu, 04 Jan 2018 09:48:24 -0700, Michael Crapse said:

> I've never dealt with a support queue that resolved the issue faster than a
> direct contact.

Which would the user prefer - a guaranteed 15 minute response time from the queue,
or 10 minute from a direct contact, unless it's an hour because they're in a meeting,
or the next day because they're out sick, or 2 weeks because they're on vacation?

Bonus points for recognizing there's a confirmation bias effect here - people will
remember the 2 week response time more than they'll remember the 5 minutes
faster the rest of the time.

Hint: How many "I haven't heard back in a week" do we see here and on the mailop
list, and how many "Congrats to so-n-so who fixed my problem in 5 minutes flat?"





Re: Attacks from poneytelecom.eu

2018-01-04 Thread Michael Crapse
I've never dealt with a support queue that resolved the issue faster than a
direct contact.

On 4 January 2018 at 09:12,  wrote:

> On Thu, 04 Jan 2018 09:33:51 -0500, William Herrin said:
>
> > Why anyone thinks it's acceptable for the form submission to vanish in to
> > the faceless support queue is more of a quandary. The form submission
> > should provide a case number, the individual to whom it is assigned,
> direct
> > contact information for that individual and a promise that your report
> will
> > receive a response.
>
> The very real problem with direct contact info is that people latch onto
> it.
> Then, if there's another issue the person will bypass your form submission,
> send a direct e-mail - which would then not be dealt with if that
> particular
> person wasn't working, for reasons ranging from vacation to no longer being
> with the provider in an abuse desk role.
>
> Been there, done that.  Been out of the country and offline for 36 hours,
> reconnect and there's a user with a problem that would have been dealt
> with 36 hours earlier if they had sent it to our help desk instead of to me
> directly.
>
>
>


Re: Attacks from poneytelecom.eu

2018-01-04 Thread valdis . kletnieks
On Thu, 04 Jan 2018 09:33:51 -0500, William Herrin said:

> Why anyone thinks it's acceptable for the form submission to vanish in to
> the faceless support queue is more of a quandary. The form submission
> should provide a case number, the individual to whom it is assigned, direct
> contact information for that individual and a promise that your report will
> receive a response.

The very real problem with direct contact info is that people latch onto it.
Then, if there's another issue the person will bypass your form submission,
send a direct e-mail - which would then not be dealt with if that particular
person wasn't working, for reasons ranging from vacation to no longer being
with the provider in an abuse desk role.

Been there, done that.  Been out of the country and offline for 36 hours,
reconnect and there's a user with a problem that would have been dealt
with 36 hours earlier if they had sent it to our help desk instead of to me
directly.






Re: Attacks from poneytelecom.eu

2018-01-04 Thread Rich Kulawiec
On Thu, Jan 04, 2018 at 09:33:51AM -0500, William Herrin wrote:
> Because the number of people who successfully provide actionable
> information without being prompted is vanishingly small and the number of
> people who fire off automated complaints to the best guess abuse address
> (also without actionable information) is disappointingly large?

Not a valid excuse.  (1) It is a trivial matter for any "abuse desk" worthy
of the title to priority-sort incoming traffic.  (2) An excellent way for
operations to reduce the volume of such complaints is to reduce the volume
of the abuse they emit/support.

---rsk


Re: Attacks from poneytelecom.eu

2018-01-04 Thread Dovid Bender
In their defense I was pleasantly surprised that I got a response back from
them telling me the account was banned. Though it makes me wonder if this
is just them trying to save face. I have spoken with the guys that run DO's
network and they have an extensive amount of automation to weed out
spammers, attackers etc. It makes you wonder why for years they have been known
in the spammer community as a safe haven.

On Thu, Jan 4, 2018 at 9:33 AM, William Herrin  wrote:

> On Wed, Jan 3, 2018 at 10:57 PM, Dan Hollis 
> wrote:
>
>> On Wed, 3 Jan 2018, Dovid Bender wrote:
>>
>>> On Wed, Jan 3, 2018 at 2:47 AM, Mickael Marchand 
>>> wrote:
>>>
>>>> Hi Dovid,
>>>>
>>>> Just fill in our abuse form at https://abuse.online.net
>>>>
>>>
>> I have no idea why anyone thinks it is acceptable to require victims to
>> fill out online web forms.
>
>
> Because the number of people who successfully provide actionable
> information without being prompted is vanishingly small and the number of
> people who fire off automated complaints to the best guess abuse address
> (also without actionable information) is disappointingly large?
>
> Why anyone thinks it's acceptable for the form submission to vanish in to
> the faceless support queue is more of a quandary. The form submission
> should provide a case number, the individual to whom it is assigned, direct
> contact information for that individual and a promise that your report will
> receive a response.
>
> Regards,
> Bill Herrin
>
>
> --
> William Herrin  her...@dirtside.com  b...@herrin.us
> Dirtside Systems . Web: 
>


Re: Attacks from poneytelecom.eu

2018-01-04 Thread Stephen Satchell

On 01/03/2018 09:46 PM, Tim Burke wrote:

> AS12876 is online.net... home of the €2.99 physical server, perfect
> for all of your favorite illegitimate activity. I’m curious how much
> traffic originates from that ASN that is actually legitimate...
> probably close to none.


SETI at home?
Bitcoin mining?


Re: Attacks from poneytelecom.eu

2018-01-04 Thread William Herrin
On Wed, Jan 3, 2018 at 10:57 PM, Dan Hollis  wrote:

> On Wed, 3 Jan 2018, Dovid Bender wrote:
>
>> On Wed, Jan 3, 2018 at 2:47 AM, Mickael Marchand 
>> wrote:
>>
>>> Hi Dovid,
>>>
>>> Just fill in our abuse form at https://abuse.online.net
>>>
>>
> I have no idea why anyone thinks it is acceptable to require victims to
> fill out online web forms.


Because the number of people who successfully provide actionable
information without being prompted is vanishingly small and the number of
people who fire off automated complaints to the best guess abuse address
(also without actionable information) is disappointingly large?

Why anyone thinks it's acceptable for the form submission to vanish in to
the faceless support queue is more of a quandary. The form submission
should provide a case number, the individual to whom it is assigned, direct
contact information for that individual and a promise that your report will
receive a response.

Regards,
Bill Herrin


-- 
William Herrin  her...@dirtside.com  b...@herrin.us
Dirtside Systems . Web: 


Re: Attacks from poneytelecom.eu

2018-01-04 Thread Fredrik Korsbäck

Depends on what "legitimate" means.

We have a decent amount of traffic to the network (like 2Gbps sustained in any afternoon). It's typically a mix of 
bittorrent, tor-relay traffic, ftp-transfers and of course the expected scanners, malware-hosts, ddos-bots and such.


For me Poney/Illiad/Online.net/Scaleway has always been a bulletproof hoster (or bulletproof transit even), the response 
to abuse has always been NIL. I know tons of my customers just block out their whole ip-ranges in their SIP-servers and 
email-machines to lessen the white-noise.


However - judging from the Online.net website it at least seems that they are trying to up their game and look like 
something that would be attractive to a legitimate business to consider. On the other hand, looking at 
http://as12876.net/  it looks more like something that would rather fit as a place where I put the shady stuff, so not 
sure where on the map they fall these days.





> AS12876 is online.net... home of the €2.99 physical server, perfect for all of 
> your favorite illegitimate activity. I’m curious how much traffic originates 
> from that ASN that is actually legitimate... probably close to none.
>
> Sent from my iPhone
>
>
> On Jan 3, 2018, at 1:35 AM, Troy Mursch  wrote:
>
>> Dovid,
>>
>> Back in September, I documented my poor experience with AS12876 here:
>> https://badpackets.net/ongoing-large-scale-sip-attack-campaign-coming-from-online-sas-as12876/
>> Since then, their handling of abuse notifications (or lack thereof) has
>> largely remained the same. The volume of malicious traffic from their
>> network hasn't decreased either.
>>
>> As you noted, others have reported similar issues with AS12876, including
>> my associate Dr. Neal Krawetz: https://twitter.com/hackerfactor/status/932593355648667649.
>> I've also compiled a list of complaints regarding AS12876 in this thread:
>> https://twitter.com/bad_packets/status/937220987371732992
>>
>>
>> Thanks,
>> __
>>
>> *Troy Mursch*
>>
>> @bad_packets 
>>
>>
>> On Tue, Jan 2, 2018 at 6:51 PM, Dovid Bender  wrote:
>>
>>> Hi All,
>>>
>>> Lately we have seen a lot of attacks from IPs where the PTR record ends in
>>> poneytelecom.eu to PBX systems. A quick search on twitter (
>>> https://twitter.com/hashtag/poneytelecom) shows multiple people complaining
>>> that they reported the IP's yet nothing happens. Has anyone had the
>>> pleasure of dealing with them and have you gotten anywhere? I wonder if the
>>> only option is public shaming.
>>>
>>> I would rather not ban their AS as it may hurt legit traffic but I am out
>>> of ideas at this point
>>>
>>> TIA.
>>>
>>> Dovid




--
hugge
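As an added example (not code from anyone in this thread, and not tied to any real network): the mitigation Fredrik describes, blocking whole ranges at the SIP server, and Dovid's worry about collateral damage to legitimate traffic can be reconciled by counting failed REGISTER attempts per owning prefix before deciding to block. The log line format, the prefix-to-network table, the thresholds and the allow-list are all constructed for this illustration; in practice the prefixes would come from routing or WHOIS data and the lines from the PBX's own log.

```python
"""Aggregate failed SIP REGISTER attempts by owning prefix and propose which
prefixes merit a range block at the SIP server. Added example with a
constructed log format and a constructed prefix table (documentation ranges,
not real allocations)."""
import ipaddress
import re
from collections import Counter

# Constructed: announced prefixes and a label for the network that owns them.
PREFIX_OWNERS = {
    "192.0.2.0/24": "net-a.example",
    "198.51.100.0/24": "net-b.example",
}

# Constructed log shape: timestamp, event, source address, SIP user, result.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) REGISTER src=(?P<src>\d+\.\d+\.\d+\.\d+) "
    r"user=(?P<user>\S+) result=(?P<result>\w+)$"
)

# Constructed sample: three hosts in one range hammering several extensions,
# one legitimate registration elsewhere, one stray failure from an unlisted range.
SAMPLE_LOG = """\
2018-01-04T10:12:01Z REGISTER src=192.0.2.17 user=1001 result=auth_failed
2018-01-04T10:12:02Z REGISTER src=192.0.2.17 user=1002 result=auth_failed
2018-01-04T10:12:02Z REGISTER src=192.0.2.90 user=admin result=auth_failed
2018-01-04T10:12:03Z REGISTER src=192.0.2.90 user=1003 result=auth_failed
2018-01-04T10:12:05Z REGISTER src=198.51.100.8 user=5001 result=ok
2018-01-04T10:12:07Z REGISTER src=203.0.113.4 user=1001 result=auth_failed
this line is malformed and must be skipped
2018-01-04T10:12:09Z REGISTER src=192.0.2.200 user=1001 result=auth_failed
"""


def parse_failed_sources(log_text):
    """Yield the source address of every failed REGISTER; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("result") != "ok":
            yield ipaddress.ip_address(m.group("src"))


def owner_of(ip, table=PREFIX_OWNERS):
    """Longest-prefix match of an address against the table; None if unlisted."""
    best = None
    for pfx in table:
        net = ipaddress.ip_network(pfx)
        if ip in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return str(best) if best is not None else None


def failures_by_prefix(log_text):
    """Return {prefix: (failed_attempts, distinct_source_hosts)}; unlisted sources go under 'unknown'."""
    attempts, hosts = Counter(), {}
    for ip in parse_failed_sources(log_text):
        key = owner_of(ip) or "unknown"
        attempts[key] += 1
        hosts.setdefault(key, set()).add(ip)
    return {k: (attempts[k], len(hosts[k])) for k in attempts}


def propose_blocks(stats, min_attempts=3, min_sources=2, allow=()):
    """Prefixes worth a range block: enough failures spread over enough distinct
    hosts (a single noisy host is better handled per-address), and not on the
    operator's allow-list of ranges known to carry legitimate peers."""
    return sorted(
        pfx for pfx, (n, h) in stats.items()
        if pfx != "unknown" and pfx not in allow and n >= min_attempts and h >= min_sources
    )


if __name__ == "__main__":
    stats = failures_by_prefix(SAMPLE_LOG)
    print(stats)
    print("block:", propose_blocks(stats))
    print("block (with allow-list):", propose_blocks(stats, allow=("192.0.2.0/24",)))
```

The distinct-host requirement is what separates "one compromised box" (block the address, notify the abuse desk) from "the whole range is a scanner farm" (block the range), and the allow-list is the hook for the peers you would rather not lose.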