Re: Help on setting up a new block

2019-03-20 Thread Ahad Aboss
Hi John,

I have gone through this pain previously and I suggest you contact the main
Geo IP database providers and have them update their DB, as some
organisations use them; they don't rely on IRR entries.
Some hosting companies and content/streaming/Pay-TV providers also use
these GeoIP databases, which may take a while to update.

Here are some of these companies FYI:

IP2Location www.ip2location.com
W3C Geolocation
Quova www.quova.com
Geo IP by MaxMind www.maxmind.com

Cheers,
Ahad

On Thu, Mar 21, 2019 at 1:05 AM John Alcock  wrote:

> Odd Issues
>
> We recently went through an IP Broker and bought a /18 worth of IP's
>
> I am listing all my information below.  Should be public record.
>
> AS Number/Range 395437
> AS Handle AS395437
> AS Name HIGHLANDTEL
> RPKI Certified Yes
>
> As for the IP Block
>
> Net Range 138.43.128.0 - 138.43.191.255
> CIDR 138.43.128.0/18
> Net Name HCL-73
> Net Handle NET-138-43-128-0-1
> Net Type Direct Allocation
> Parent NET-138-0-0-0-0 (VR-ARIN)
> RPKI Certified Yes
>
> In addition, I believe I got all the information in the IRR.  I am unclear
> on this part, but I do know ATT is happy now.  I can pass traffic through
> their network.
>
> whois -h whois.bgpmon.net " --roa 395437 138.43.128.0/24"
>
> 0 - Valid
> 
> ROA Details
> 
> Origin ASN:   AS395437
> Not valid Before: 2019-02-13 05:00:00
> Not valid After:  2029-02-01 05:00:00  Expires in
> 9y318d10h46m2.3997615814s
> Trust Anchor: rpki.arin.net
> Prefixes: 138.43.128.0/18 (max length /24)
>
>
> So here is my problem.  There are certain sites I can not get to on the
> new ip block.
>
> clover.com - They are a large POS vendor catering to small business
> idrive.com - Online backup
> heart.org - american heart association
> onlineproviderservices.com - Looks like an outsourced group that handles
> medicare
> landstar.com - trucking company
>
> I am working on trying to contact the companies above, but I have started
> resorting to public shaming on social media.  Not an ideal solution.
>
> My thought, could I be missing something?  Perhaps I need to add a specific
> entry in the IRR or anything?  Just seems like a lot of sites will not
> accept my traffic.
>
> Any experts like to chime in?
>
> John
>


Facebook dropping MSS on congestion

2019-03-20 Thread Denys Fedoryshchenko

Good day,

I am writing here, as with a technical support ticket I will most likely end
up with the outsourcing guys, who will try to write some formal reply and
close the ticket quickly to keep KPI high :)
I have a faint hope that someone will read and listen. It may also be
useful to colleagues.
I noticed in the last few months that if some congestion occurs on the
network (specific subnet), Facebook reduces the maximum segment size (MSS),
even down to 256 bytes. Purely academically, on paper - this will reduce
latency.

In reality - it will cause an avalanche effect.
If an ISP has CGNAT, or some other appliances - with great probability
they will encounter the fact that pps will increase 4-5 times, and might
hit the pps limit on hardware. Additionally, overhead on IP headers will
increase significantly, especially on IPv6, and this will further
aggravate the congestion.
Facebook, don't do that, please. And thank you, if you listen to
suggestions.


Denys


Re: Amazon Prime video NOC contact

2019-03-20 Thread William Herrin
On Wed, Mar 20, 2019 at 11:03 AM Davide Gelardi 
wrote:

> we are an Italian ISP/WISP and we are experiencing trouble with Amazon
> Prime Video. They blocked our customers that cannot view the video. The
> error says that our IP class is located outside Italy. But this is wrong.
>
> Have you a contact we can get in touch with?
>

Hi Davide,

You may have some luck here:
https://www.amazonforum.com/forums/digital-content/prime-video

Amazon staff working on Prime Video monitor and respond on that forum. The
individuals reading may not be the right people, but they'll likely be on a
first name basis with someone who is.

Regards,
Bill Herrin


-- 
William Herrin  her...@dirtside.com  b...@herrin.us
Dirtside Systems . Web: 


Amazon Prime video NOC contact

2019-03-20 Thread Davide Gelardi



Hi,

we are an Italian ISP/WISP and we are experiencing trouble with Amazon
Prime Video. They blocked our customers that cannot view the video. The
error says that our IP class is located outside Italy. But this is wrong.


Have you a contact we can get in touch with?

thanks in advance!
Davide Gelardi
--
WT Srl
tel 09411935549 / fax 09411936034
Sede legale: via Verdi 7 - 98066 PATTI - MESSINA
www.IcaroInternet.it - www.wt-tech.it


Re: Help on setting up a new block

2019-03-20 Thread william manning
not clear what network neutrality has to say about this.  are you required
to accept DDoS traffic or is that covered by net neutrality?

/Wm

On Wed, Mar 20, 2019 at 9:47 AM Bryan Fields  wrote:

> On 3/20/19 12:32 PM, william manning wrote:
> > of course at the end of the day, there is ZERO requirement for anyone to
> > accept traffic from any prefix. to paraphrase an old greybeard,
> > "my network, my rulez"
>
> Wouldn't this be in conflict with the idea of "network neutrality" rules?
>
> >_>
> <_<
>
> --
> Bryan Fields
>
> 727-409-1194 - Voice
> http://bryanfields.net
>


Re: Help on setting up a new block

2019-03-20 Thread Valdis Klētnieks
On Wed, 20 Mar 2019 12:45:35 -0400, Bryan Fields said:
> On 3/20/19 12:32 PM, william manning wrote:
> > of course at the end of the day, there is ZERO requirement for anyone to
> > accept traffic from any prefix. to paraphrase an old greybeard,
> > "my network, my rulez"
>
> Wouldn't this be in conflict with the idea of "network neutrality" rules?

Depends.  Was softlayer up-front with the customers about what addresses
are blocked, and why?

If the customers knew that softlayer had a block list and had a way to tell
if it was impacting their network access, that's one thing.

If softlayer was doing it without informed consent from its customers, that's
a different kettle of fish


Re: Help on setting up a new block

2019-03-20 Thread Valdis Klētnieks
On Wed, 20 Mar 2019 10:22:34 -0400, Pete Baldwin said:

>     It's potentially more difficult now than in the past because there
> are some hosting providers that are simply a few people that own VMs on
> some other infrastructure that they do not control or have visibility
> into.  The VM hosting company might be blocking your network, and so the
> VMs never see your traffic.   This means you might contact Landstar, and
> then Landstar calls up their web person, but the web person doesn't
> understand this stuff.   The web person phones his web hosting company
> who can't find anything wrong, because they never see your packets to
> begin with.   Now the web hosting company (if you can get them to do
> this) needs to contact their DC company that is hosting their VMs to
> find out if there is a firewall or anti DDoS system etc that is sitting
> in front of their VMs.

Have we reached the point where it is (or should be) due diligence and a BCP to
make sure your new address space is reachable on IPv6 as well, to improve your
chances of being reachable even if your IPv4 space is in somebody's block list?



Re: Help on setting up a new block

2019-03-20 Thread Bryan Fields
On 3/20/19 12:32 PM, william manning wrote:
> of course at the end of the day, there is ZERO requirement for anyone to
> accept traffic from any prefix. to paraphrase an old greybeard,
> "my network, my rulez"

Wouldn't this be in conflict with the idea of "network neutrality" rules?

>_>
<_<

-- 
Bryan Fields

727-409-1194 - Voice
http://bryanfields.net


softlayer.com

2019-03-20 Thread John Alcock
Afternoon,

Thought I would start a new thread.  After researching, traceroutes, etc, I
think I found my problem.

9 out of the 10 sites that subscribers on my new block is being hosted by
softlayer.

Anyone on the list have contacts with softlayer.  Right now I have an email
to abuse.  The support line will not help me out.

John
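
The pattern John describes (many traces dying inside one network) can be tallied mechanically. The sketch below is an added example, not part of the original post: it parses Linux-style traceroute output and counts, for destinations that were never reached, the domain of the last hop that answered. The traces, hostnames and addresses are constructed.

```python
import re
from collections import Counter

# Constructed traceroute output: documentation addresses, made-up hostnames.
TRACES = [
    """traceroute to pos.example (203.0.113.10), 30 hops max, 60 byte packets
 1  gw.myisp.example (192.0.2.1)  1.0 ms  1.1 ms  0.9 ms
 2  core1.transit.example (198.51.100.1)  8.2 ms  8.3 ms  8.1 ms
 3  edge2.dal.bighoster.example (198.51.100.77)  21.4 ms  21.2 ms  21.9 ms
 4  * * *
 5  * * *""",
    """traceroute to backup.example (203.0.113.20), 30 hops max, 60 byte packets
 1  gw.myisp.example (192.0.2.1)  1.0 ms  1.0 ms  1.2 ms
 2  edge5.sea.bighoster.example (198.51.100.90)  30.1 ms  30.4 ms  29.8 ms
 3  * * *""",
    """traceroute to news.example (203.0.113.30), 30 hops max, 60 byte packets
 1  gw.myisp.example (192.0.2.1)  1.1 ms  1.0 ms  1.0 ms
 2  news.example (203.0.113.30)  12.5 ms  12.4 ms  12.6 ms""",
    """traceroute to charity.example (203.0.113.40), 30 hops max, 60 byte packets
 1  gw.myisp.example (192.0.2.1)  0.9 ms  1.0 ms  1.0 ms
 2  198.51.100.9 (198.51.100.9)  15.0 ms  15.2 ms  15.1 ms
 3  * * *""",
]

HEADER = re.compile(r"^traceroute to (\S+) \(([\d.]+)\)")
HOP = re.compile(r"^\s*(\d+)\s+(\S+) \(([\d.]+)\)")  # "* * *" lines do not match


def last_hop(trace):
    """Return (destination, reached, name of the last hop that answered)."""
    dest = dest_ip = last = None
    for line in trace.splitlines():
        header = HEADER.match(line)
        if header:
            dest, dest_ip = header.groups()
            continue
        hop = HOP.match(line)
        if hop:
            last = (hop.group(2), hop.group(3))
    if dest is None:
        raise ValueError("no traceroute header found")
    reached = last is not None and last[1] == dest_ip
    return dest, reached, last[0] if last else None


def owner_label(host):
    """Naive grouping key: last two DNS labels, or the bare IP if no rDNS."""
    if host is None:
        return "(no hop answered)"
    if re.fullmatch(r"[\d.]+", host):
        return host
    return ".".join(host.split(".")[-2:])


def summarize(traces):
    """Count where unreached traces stopped, grouped by owner_label()."""
    tally = Counter()
    for trace in traces:
        _dest, reached, host = last_hop(trace)
        if not reached:
            tally[owner_label(host)] += 1
    return tally


if __name__ == "__main__":
    for label, count in summarize(TRACES).most_common():
        print(f"{count} trace(s) stopped after {label}")
```

A trace that ends in `* * *` can also be a destination that simply ignores probes, so the signal is the same stopping point across unrelated destinations, not any single trace.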


Re: Help on setting up a new block

2019-03-20 Thread william manning
of course at the end of the day, there is ZERO requirement for anyone to
accept traffic from any prefix. to paraphrase an old greybeard,
"my network, my rulez"

/Wm

On Wed, Mar 20, 2019 at 8:40 AM Siyuan Miao  wrote:

> They block IP address from Iran, Cuba, North Korea, and Syria.
>
> You can check
> https://cloud.ibm.com/docs/overview/terms-of-use?topic=overview-terms#notices
> for more details.
>
> On Wed, Mar 20, 2019 at 11:37 PM Bryan Holloway  wrote:
>
>>
>> On 3/20/19 10:28 AM, John Alcock wrote:
>> > I found an interesting pattern.  I see a lot of traffic stopping at
>> > softlayer.com.  Big datacenter?  Could they be
>> > doing some blocking?
>> >
>> > John
>> >
>>
>> Could be. They were acquired by IBM a few years ago.
>>
>


Re: Help on setting up a new block

2019-03-20 Thread Siyuan Miao
They block IP address from Iran, Cuba, North Korea, and Syria.

You can check
https://cloud.ibm.com/docs/overview/terms-of-use?topic=overview-terms#notices
for more details.

On Wed, Mar 20, 2019 at 11:37 PM Bryan Holloway  wrote:

>
> On 3/20/19 10:28 AM, John Alcock wrote:
> > I found an interesting pattern.  I see a lot of traffic stopping at
> > softlayer.com.  Big datacenter?  Could they be
> > doing some blocking?
> >
> > John
> >
>
> Could be. They were acquired by IBM a few years ago.
>


Re: Help on setting up a new block

2019-03-20 Thread Bryan Holloway



On 3/20/19 10:28 AM, John Alcock wrote:
> I found an interesting pattern.  I see a lot of traffic stopping at
> softlayer.com.  Big datacenter?  Could they be
> doing some blocking?
>
> John



Could be. They were acquired by IBM a few years ago.


Re: Help on setting up a new block

2019-03-20 Thread John Alcock
I found an interesting pattern.  I see a lot of traffic stopping at
softlayer.com.  Big datacenter?  Could they be doing some blocking?

John


On Wed, Mar 20, 2019 at 10:31 AM Filip Hruska  wrote:

> I would start with basic stuff first.
>
> Traceroutes to check if/where the packets are being dropped. If the path
> is clear, then it's probably a HTTP level block, in which case figure out
> if these companies share the same CDN/web protection solution/hoster. If
> that's the case, contact them directly.
>
> Regards,
> Filip Hruska
>
> On 20 March 2019 3:02:13 pm GMT+01:00, John Alcock 
> wrote:
>>
>> Odd Issues
>>
>> We recently went through an IP Broker and bought a /18 worth of IP's
>>
>> I am listing all my information below.  Should be public record.
>>
>> AS Number/Range 395437
>> AS Handle AS395437
>> AS Name HIGHLANDTEL
>> RPKI Certified Yes
>>
>> As for the IP Block
>>
>> Net Range 138.43.128.0 - 138.43.191.255
>> CIDR 138.43.128.0/18
>> Net Name HCL-73
>> Net Handle NET-138-43-128-0-1
>> Net Type Direct Allocation
>> Parent NET-138-0-0-0-0 (VR-ARIN)
>> RPKI Certified Yes
>>
>> In addition, I believe I got all the information in the IRR.  I am
>> unclear on this part, but I do know ATT is happy now.  I can pass traffic
>> through their network.
>>
>> whois -h whois.bgpmon.net " --roa 395437 138.43.128.0/24"
>>
>> 0 - Valid
>> 
>> ROA Details
>> 
>> Origin ASN:   AS395437
>> Not valid Before: 2019-02-13 05:00:00
>> Not valid After:  2029-02-01 05:00:00  Expires in
>> 9y318d10h46m2.3997615814s
>> Trust Anchor: rpki.arin.net
>> Prefixes: 138.43.128.0/18 (max length /24)
>>
>>
>> So here is my problem.  There are certain sites I can not get to on the
>> new ip block.
>>
>> clover.com - They are a large POS vendor catering to small business
>> idrive.com - Online backup
>> heart.org - american heart association
>> onlineproviderservices.com - Looks like an outsourced group that handles
>> medicare
>> landstar.com - trucking company
>>
>> I am working on trying to contact the companies above, but I have started
>> resorting to public shaming on social media.  Not an ideal solution.
>>
>> My thought, could I be missing something?  Perhaps I need to add a
>> specific entry in the IRR or anything?  Just seems like a lot of sites will
>> not accept my traffic.
>>
>> Any experts like to chime in?
>>
>> John
>>
>
> --
> Sent from my Android device with K-9 Mail. Please excuse my brevity.
>


Re: Help on setting up a new block

2019-03-20 Thread Filip Hruska
I would start with basic stuff first.

Traceroutes to check if/where the packets are being dropped. If the path is 
clear, then it's probably a HTTP level block, in which case figure out if these 
companies share the same CDN/web protection solution/hoster. If that's the 
case, contact them directly. 

Regards,
Filip Hruska

On 20 March 2019 3:02:13 pm GMT+01:00, John Alcock  wrote:
>Odd Issues
>
>We recently went through an IP Broker and bought a /18 worth of IP's
>
>I am listing all my information below.  Should be public record.
>
>AS Number/Range 395437
>AS Handle AS395437
>AS Name HIGHLANDTEL
>RPKI Certified Yes
>
>As for the IP Block
>
>Net Range 138.43.128.0 - 138.43.191.255
>CIDR 138.43.128.0/18
>Net Name HCL-73
>Net Handle NET-138-43-128-0-1
>Net Type Direct Allocation
>Parent NET-138-0-0-0-0 (VR-ARIN)
>RPKI Certified Yes
>
>In addition, I believe I got all the information in the IRR.  I am
>unclear
>on this part, but I do know ATT is happy now.  I can pass traffic
>through
>their network.
>
>whois -h whois.bgpmon.net " --roa 395437 138.43.128.0/24"
>
>0 - Valid
>
>ROA Details
>
>Origin ASN:   AS395437
>Not valid Before: 2019-02-13 05:00:00
>Not valid After:  2029-02-01 05:00:00  Expires in
>9y318d10h46m2.3997615814s
>Trust Anchor: rpki.arin.net
>Prefixes: 138.43.128.0/18 (max length /24)
>
>
>So here is my problem.  There are certain sites I can not get to on the
>new
>ip block.
>
>clover.com - They are a large POS vendor catering to small business
>idrive.com - Online backup
>heart.org - american heart association
>onlineproviderservices.com - Looks like an outsourced group that
>handles
>medicare
>landstar.com - trucking company
>
>I am working on trying to contact the companies above, but I have
>started
>resorting to public shaming on social media.  Not an ideal solution.
>
>My thought, could I be missing something?  Perhaps I need to add a
>specific
>entry in the IRR or anything?  Just seems like a lot of sites will not
>accept my traffic.
>
>Any experts like to chime in?
>
>John

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: Help on setting up a new block

2019-03-20 Thread Tom Beecher
Taking a quick look, seems like reachability to the first /24 at least is
ok, so I don't think you have a problem there.

You may have picked up a subnet with some nuggets of abuse history in
there, it's quite common on the secondary V4 market.

On Wed, Mar 20, 2019 at 10:05 AM John Alcock  wrote:

> Odd Issues
>
> We recently went through an IP Broker and bought a /18 worth of IP's
>
> I am listing all my information below.  Should be public record.
>
> AS Number/Range 395437
> AS Handle AS395437
> AS Name HIGHLANDTEL
> RPKI Certified Yes
>
> As for the IP Block
>
> Net Range 138.43.128.0 - 138.43.191.255
> CIDR 138.43.128.0/18
> Net Name HCL-73
> Net Handle NET-138-43-128-0-1
> Net Type Direct Allocation
> Parent NET-138-0-0-0-0 (VR-ARIN)
> RPKI Certified Yes
>
> In addition, I believe I got all the information in the IRR.  I am unclear
> on this part, but I do know ATT is happy now.  I can pass traffic through
> their network.
>
> whois -h whois.bgpmon.net " --roa 395437 138.43.128.0/24"
>
> 0 - Valid
> 
> ROA Details
> 
> Origin ASN:   AS395437
> Not valid Before: 2019-02-13 05:00:00
> Not valid After:  2029-02-01 05:00:00  Expires in
> 9y318d10h46m2.3997615814s
> Trust Anchor: rpki.arin.net
> Prefixes: 138.43.128.0/18 (max length /24)
>
>
> So here is my problem.  There are certain sites I can not get to on the
> new ip block.
>
> clover.com - They are a large POS vendor catering to small business
> idrive.com - Online backup
> heart.org - american heart association
> onlineproviderservices.com - Looks like an outsourced group that handles
> medicare
> landstar.com - trucking company
>
> I am working on trying to contact the companies above, but I have started
> resorting to public shaming on social media.  Not an ideal solution.
>
> My thought, could I be missing something?  Perhaps I need to add a specific
> entry in the IRR or anything?  Just seems like a lot of sites will not
> accept my traffic.
>
> Any experts like to chime in?
>
> John
>


Re: Help on setting up a new block

2019-03-20 Thread Pete Baldwin
    Do a search on the /16 parent block.   It has a history of being on 
block lists.   I imagine some admins have old lists that they do not 
update very often, or have the entire /16 or greater blocked. I also 
went through this process when we purchased IPs, and I've had to contact 
hundreds of networks over the last couple of years to try and get our 
blocks removed from their firewalls.    Our specific block was never on 
any block lists, but the parent was plastered all over the place.


    It's potentially more difficult now than in the past because there 
are some hosting providers that are simply a few people that own VMs on 
some other infrastructure that they do not control or have visibility 
into.  The VM hosting company might be blocking your network, and so the 
VMs never see your traffic.   This means you might contact Landstar, and 
then Landstar calls up their web person, but the web person doesn't 
understand this stuff.   The web person phones his web hosting company 
who can't find anything wrong, because they never see your packets to 
begin with.   Now the web hosting company (if you can get them to do 
this) needs to contact their DC company that is hosting their VMs to 
find out if there is a firewall or anti DDoS system etc that is sitting 
in front of their VMs.


    Most of these calls take a long time.   There is a lot of 
hand-holding, and captures that need to be sent, and then you just hope 
you can find someone willing to dig into it on the other end of the phone.


    Good luck with the process.  I believe you will be successful in 
most cases, but it will take awhile.


-

Pete Baldwin
Tuckersmith Communications
(P) 519-565-2400
(C) 519-441-7383

On 3/20/19 10:02 AM, John Alcock wrote:

> Odd Issues
>
> We recently went through an IP Broker and bought a /18 worth of IP's
>
> I am listing all my information below.  Should be public record.
>
> AS Number/Range 395437
> AS Handle AS395437
> AS Name HIGHLANDTEL
> RPKI Certified Yes
>
> As for the IP Block
>
> Net Range 138.43.128.0 - 138.43.191.255
> CIDR 138.43.128.0/18
> Net Name HCL-73
> Net Handle NET-138-43-128-0-1
> Net Type Direct Allocation
> Parent NET-138-0-0-0-0 (VR-ARIN)
> RPKI Certified Yes
>
> In addition, I believe I got all the information in the IRR. I am
> unclear on this part, but I do know ATT is happy now.  I can pass
> traffic through their network.
>
> whois -h whois.bgpmon.net " --roa 395437 138.43.128.0/24"
>
> 0 - Valid
>
> ROA Details
>
> Origin ASN:   AS395437
> Not valid Before: 2019-02-13 05:00:00
> Not valid After:  2029-02-01 05:00:00  Expires in
> 9y318d10h46m2.3997615814s
> Trust Anchor: rpki.arin.net
> Prefixes: 138.43.128.0/18 (max length /24)
>
> So here is my problem.  There are certain sites I can not get to on
> the new ip block.
>
> clover.com - They are a large POS vendor catering to small business
> idrive.com - Online backup
> heart.org - american heart association
> onlineproviderservices.com - Looks like an outsourced group that
> handles medicare
> landstar.com - trucking company
>
> I am working on trying to contact the companies above, but I have
> started resorting to public shaming on social media.  Not an ideal
> solution.
>
> My thought, could I be missing something?  Perhaps I need to add a
> specific entry in the IRR or anything?  Just seems like a lot of sites
> will not accept my traffic.
>
> Any experts like to chime in?
>
> John
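
Pete's point that a block can be clean itself while its parent is listed is easy to miss when searching a list for the exact prefix. The following is an added example, not part of the original message: it checks a prefix against a deny list for exact, covering and more-specific entries. The deny list contents are constructed and say nothing about any real list.

```python
import ipaddress

# Constructed deny list, one prefix per line with optional "#" comments.
DENY_LIST = [
    "# legacy abuse blocks",
    "138.43.0.0/16      # whole parent range",
    "198.51.100.0/24",
    "138.43.64.0/20     # neighbouring range, outside the /18",
    "138.43.130.7       # single host inside the /18",
    "not-a-prefix",
    "2001:db8::/32",
]


def parse_entry(raw):
    """Return the network on a deny-list line, or None for comments/junk."""
    entry = raw.split("#", 1)[0].strip()
    if not entry:
        return None
    try:
        return ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return None


def exact_listed(block, lines):
    """What a plain text search for the prefix effectively tests."""
    mine = ipaddress.ip_network(block)
    return any(parse_entry(raw) == mine for raw in lines)


def find_overlaps(block, lines):
    """Return (line number, entry, relation) for every entry touching block.

    relation is "exact", "covering" (entry is a less specific that contains
    the block) or "inside" (entry is a more specific within the block).
    """
    mine = ipaddress.ip_network(block)
    hits = []
    for lineno, raw in enumerate(lines, 1):
        net = parse_entry(raw)
        if net is None or net.version != mine.version:
            continue
        if net == mine:
            relation = "exact"
        elif mine.subnet_of(net):
            relation = "covering"
        elif net.subnet_of(mine):
            relation = "inside"
        else:
            continue
        hits.append((lineno, str(net), relation))
    return hits


def whole_block_dropped(block, lines):
    """True when an exact or covering entry drops every address in block."""
    return any(rel in ("exact", "covering")
               for _line, _net, rel in find_overlaps(block, lines))


if __name__ == "__main__":
    print("exact match:", exact_listed("138.43.128.0/18", DENY_LIST))
    for hit in find_overlaps("138.43.128.0/18", DENY_LIST):
        print(hit)
```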




Help on setting up a new block

2019-03-20 Thread John Alcock
Odd Issues

We recently went through an IP Broker and bought a /18 worth of IP's

I am listing all my information below.  Should be public record.

AS Number/Range 395437
AS Handle AS395437
AS Name HIGHLANDTEL
RPKI Certified Yes

As for the IP Block

Net Range 138.43.128.0 - 138.43.191.255
CIDR 138.43.128.0/18
Net Name HCL-73
Net Handle NET-138-43-128-0-1
Net Type Direct Allocation
Parent NET-138-0-0-0-0 (VR-ARIN)
RPKI Certified Yes

In addition, I believe I got all the information in the IRR.  I am unclear
on this part, but I do know ATT is happy now.  I can pass traffic through
their network.

whois -h whois.bgpmon.net " --roa 395437 138.43.128.0/24"

0 - Valid

ROA Details

Origin ASN:   AS395437
Not valid Before: 2019-02-13 05:00:00
Not valid After:  2029-02-01 05:00:00  Expires in
9y318d10h46m2.3997615814s
Trust Anchor: rpki.arin.net
Prefixes: 138.43.128.0/18 (max length /24)


So here is my problem.  There are certain sites I can not get to on the new
ip block.

clover.com - They are a large POS vendor catering to small business
idrive.com - Online backup
heart.org - american heart association
onlineproviderservices.com - Looks like an outsourced group that handles
medicare
landstar.com - trucking company

I am working on trying to contact the companies above, but I have started
resorting to public shaming on social media.  Not an ideal solution.

My thought, could I be missing something?  Perhaps I need to add a specific
entry in the IRR or anything?  Just seems like a lot of sites will not
accept my traffic.

Any experts like to chime in?

John
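
For readers wondering why the query for 138.43.128.0/24 comes back "Valid" against a ROA for the /18: the sketch below is an added example, not part of the original post, that applies the route origin validation rules of RFC 6811 to the single ROA shown in the whois output. The test announcements and AS64496 (a documentation ASN) are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    prefix: ipaddress.IPv4Network
    max_length: int
    origin_asn: int


# The one ROA shown in the whois output above.
ROAS = [Roa(ipaddress.ip_network("138.43.128.0/18"), 24, 395437)]

# Constructed announcements to run through the validator.
SAMPLES = [
    ("138.43.128.0/24", 395437),  # the query from the post
    ("138.43.128.0/18", 395437),  # the aggregate itself
    ("138.43.160.0/25", 395437),  # longer than max length /24
    ("138.43.128.0/24", 64496),   # covered, but wrong origin
    ("138.43.0.0/16", 395437),    # less specific: the ROA does not cover it
    ("192.0.2.0/24", 395437),     # unrelated space
]


def validate(route, origin_asn, roas=ROAS):
    """Return 'valid', 'invalid' or 'not-found' for one announcement.

    A ROA covers a route when the route's prefix is equal to or more
    specific than the ROA prefix. A covered route is valid only if some
    covering ROA also has the same origin ASN and a max length that is at
    least the route's prefix length; covered without such a match is
    invalid; no covering ROA at all is not-found.
    """
    net = ipaddress.ip_network(route)
    covered = False
    for roa in roas:
        if net.version != roa.prefix.version:
            continue
        if not net.subnet_of(roa.prefix):
            continue
        covered = True
        if roa.origin_asn == origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covered else "not-found"


def report(samples=SAMPLES):
    """Validate every sample and return (route, asn, state) tuples."""
    return [(route, asn, validate(route, asn)) for route, asn in samples]


if __name__ == "__main__":
    for route, asn, state in report():
        print(f"{route:18} AS{asn:<7} {state}")
```

A valid ROA only says the origin and prefix length are authorised; as the rest of the thread shows, it has no bearing on whether a destination's firewall or GeoIP data accepts the traffic.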


Re: Contacts wanted: OVH, DigitalOcean, and Microsoft (Deutschland)

2019-03-20 Thread Rich Kulawiec
On Tue, Mar 19, 2019 at 09:17:23AM -0700, Eric Kuhnke wrote:
> Absolutely unrelated to Ronald's original post, but it's ironic that the
> abuse@ address is itself heavily "abused", by commercial copyright
> enforcement companies which think it's a catch-all address for things which
> are not operationally related to the health of a network [snip]

I've seen this movie and have implemented various mitigation approaches
to it -- none of which constitute a "solution" but all of which help.

1. Block the addresses originating this traffic.  There's no need for
staff/processes on the receiving end to put up with spam.  (If it's UBE,
then it's spam -- by definition.  The content and intention are irrelevant.)

2. Use procmail to redirect it where it needs to go.

3. Set up (non-public) Mailman-operated mailing lists for each role
account and use the moderation queue on those as a throttling tool.
(This works best in conjunction with (2).  Let procmail do some of
the heavy/straightforward lifting and sort the rest out later.)
This also makes it easy to archive everything by subscribing an
address that's an append-only mailbox.

4. Funnel the output of (2) and/or (3) into one of the many ticketing
systems with priority assigned based on the characteristics of the
senders as observed over time.  

---rsk