Re: A letter from the CEO

2020-11-20 Thread Dan Hollis

On Fri, 20 Nov 2020, Grant Taylor via NANOG wrote:

On 11/20/20 4:41 PM, Matt Erculiani wrote:
Ben is fairly regular on this list and I can't imagine she did this on 
purpose.
How does one /accidentally/ harvest email addresses and /accidentally/ add 
them to a Mailchimp list and /accidentally/ send emails with full header 
personalization?


accidentally on purpose.

-Dan


Re: Parler

2021-01-10 Thread Dan Hollis

On Sun, 10 Jan 2021, Michael Thomas wrote:

On 1/10/21 3:15 PM, Izaac wrote:

On Sun, Jan 10, 2021 at 12:01:46PM -0800, Michael Thomas wrote:
Considering that it seems that there continues to be talk/planning of 
armed insurrection, I think we can forgive them for violating professional
courtesy.

Got links?

Ask Google, Apple and Amazon. I'm sure they have the receipts.


You made the claim.

-Dan


Re: Parler

2021-01-10 Thread Dan Hollis

On Mon, 11 Jan 2021, h...@interall.co.il wrote:
I would assume Google and Azure would act the same to Parler. So what will 
end up happening is that US based fringe content will end up being hosted in 
China or Russia, and Chinese and Russian fringe content will end up being 
hosted in the USA.


With many corporations obeying Chinese censorship orders, I would not be 
so sure about the latter.


https://www.reddit.com/r/HongKong/comments/dfg1ce/list_of_companies_under_chinas_censorship_orders/

-Dan


Re: Malicious SS7 activity and why SMS should never by used for 2FA

2021-04-17 Thread Dan Hollis
paypal used to openly support token 2fa, but have since made it nearly 
impossible to use hardware tokens. they try very hard to ram sms down 
everyone's throats.


-Dan

On Sun, 18 Apr 2021, Mel Beckman wrote:


No, every SMS 2FA should be prohibited by regulatory certifications. The telcos 
had years to secure SMS. They did nothing. The plethora of well-secured 
commercial 2FA authentication tokens, many of them free, should be a mandatory 
replacement for 2FA in every security governance regime, such as PCI, financial 
account access, government web portals, etc.

-mel via cell

On Apr 17, 2021, at 6:27 PM, Tim Jackson  wrote:

Every SMS 2FA should check the current carrier against the carrier when 
enrolled and unenroll SMS for 2FA when a number is ported out. BofA and a few 
others do this.

--
Tim

On Sat, Apr 17, 2021, 8:02 PM Eric Kuhnke <eric.kuh...@gmail.com> wrote:
https://lucky225.medium.com/its-time-to-stop-using-sms-for-anything-203c41361c80

https://krebsonsecurity.com/2021/03/can-we-stop-pretending-sms-is-secure-now/


Anecdotal: With the prior consent of the DID holders, I have successfully 
ported peoples' numbers using nothing more than a JPG scan of a signature that 
looks like an illegible 150 dpi black and white blob, pasted in an image editor 
on top of a generic looking 'phone bill'.
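Tim Jackson's carrier check above, written out as an added example (not code from the thread or from any bank): the carrier is snapshotted at enrollment, re-checked before every SMS challenge, and the factor is dropped on a mismatch or on a lookup that cannot answer. The number-portability lookup is an in-memory table constructed for the demo, and all numbers and carrier names are placeholders.

```python
"""Port-out check for SMS second factors.

Added example, not code from the thread. It implements the rule quoted
above: snapshot the carrier when SMS 2FA is enrolled and, before every later
SMS challenge, compare it with the number's current carrier; if the number
has moved, drop SMS as a factor instead of sending a code to whoever now
holds the number. The carrier lookup is a constructed in-memory table that
stands in for a real number-portability query.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for a number-portability lookup (E.164 -> carrier).
# A number missing from the table models a failed or unanswered lookup.
PORTABILITY_DB = {
    "+15551230001": "CarrierA",
    "+15551230002": "CarrierB",
}


def lookup_current_carrier(number: str) -> Optional[str]:
    """Return the carrier currently serving `number`, or None if unknown."""
    return PORTABILITY_DB.get(number)


def record_port(number: str, new_carrier: Optional[str]) -> None:
    """Update the constructed table: simulate a port-out (or, with None, an outage)."""
    if new_carrier is None:
        PORTABILITY_DB.pop(number, None)
    else:
        PORTABILITY_DB[number] = new_carrier


@dataclass
class SmsFactor:
    number: str
    enrolled_carrier: str               # snapshot taken when SMS 2FA was enabled
    enabled: bool = True
    events: list = field(default_factory=list)


def enroll_sms(number: str) -> SmsFactor:
    """Enable SMS 2FA for a number, refusing if no carrier snapshot is available."""
    carrier = lookup_current_carrier(number)
    if carrier is None:
        raise ValueError(f"no carrier record for {number}; cannot enroll SMS 2FA")
    return SmsFactor(number=number, enrolled_carrier=carrier)


def sms_challenge_allowed(factor: SmsFactor) -> bool:
    """Decide whether an SMS code may be sent for this login attempt.

    True only while the factor is enabled and the number is still with the
    carrier it was enrolled with. A changed carrier, or a lookup that cannot
    answer, disables the factor so the login must fall back to another method.
    """
    if not factor.enabled:
        return False
    current = lookup_current_carrier(factor.number)
    if current is None:
        # Fail closed: an unanswered lookup is not evidence the number is safe.
        factor.enabled = False
        factor.events.append("sms disabled: carrier lookup failed")
        return False
    if current != factor.enrolled_carrier:
        # Port-out detected: unenroll SMS rather than send a code to a number
        # that may now be controlled by whoever requested the port.
        factor.enabled = False
        factor.events.append(
            f"sms disabled: ported {factor.enrolled_carrier} -> {current}")
        return False
    return True


if __name__ == "__main__":
    factor = enroll_sms("+15551230002")
    record_port("+15551230002", "CarrierC")     # the number is ported later
    print(sms_challenge_allowed(factor), factor.events)
```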





Re: FCC fines for unauthorized carrier changes and consumer billing

2021-04-23 Thread Dan Hollis

On Fri, 23 Apr 2021, Eric Kuhnke wrote:

Did the FCC ever collect its $50 million from "Sandwich Isles
Telecommunications" for blatant fraud?  At this scale I wonder how or why
certain people are not in federal prison.


FCC is not law enforcement. The FTC can send people to prison. The FCC can 
only send press releases.


-Dan


ICANN extracts $20m signing fee for $1bn dot-com price increases and guess who's going to pay for it?

2020-01-07 Thread Dan Hollis

https://www.theregister.co.uk/2020/01/07/icann_verisign_fees/

98% of the comments were opposed.

How many / which companies would have to get onboard in order to get 
enough support for an icann alternative?


Is such a thing even feasible?

-Dan


Re: AFRINIC: The Saga Continues

2020-01-30 Thread Dan Hollis

On Wed, 29 Jan 2020, Ronald F. Guilmette wrote:

In all cases noted below, the networks in question are unambiguously routing IP
blocks that were obtained, in the first instance, via thefts perpetrated
by one or more AFRINIC insiders and then resold on the black market
in secretive deals.


What can or should be done when a registry goes rogue?

-Dan


Re: FCC and FTC Demand Cut-Off Robercallers of Coronavirus Scams

2020-04-04 Thread Dan Hollis
Sadly I've discovered that >95% of scammers have caught on to lenny by 
now, and hang up within the first few seconds of hearing him.


I guess they've been thoroughly lenny'd already so he's no longer 
effective.


-Dan

On Fri, 3 Apr 2020, JASON BOTHE via NANOG wrote:


I just need my phone to have a warm transfer button with or without supervision 
to Lenny https://toao.net/595-lenny


On Apr 3, 2020, at 18:40, Grimes, Greg  wrote:

I was thinking the EXACT same thing!!

--
Greg Grimes
Senior Network Analyst
Information Technology Services
Mississippi State University
662-325-9311(w)

From: NANOG  on behalf of Clayton Zekelman 

Sent: Friday, April 3, 2020 6:21:43 PM
To: Sean Donelan ; nanog@nanog.org 
Subject: Re: FCC and FTC Demand Cut-Off Robercallers of Coronavirus Scams


Finally, but why did it take a pandemic to get them to do this?

At 07:14 PM 03/04/2020, Sean Donelan wrote:


A sternly worded, finger-wagging press release.


https://www.fcc.gov/document/fcc-ftc-demand-gateway-providers-cut-covid-19-robocall-scammers

[...]
The FCC's Enforcement Bureau and FTC's Bureau of
Consumer Protection wrote to three gateway
providers that are facilitating these scam
COVID-19-related robocalls: SIPJoin of Suffolk,
Virginia; Connexum of Orange, California; and
VoIP Terminator/BLMarketing of Lake Mary,
Florida. The companies have been identified by
the Traceback Group, a consortium of phone
companies that help officials track down suspect
calls, managed by the trade association
USTelecom. The Commissions also wrote to
USTelecom to ask its members to begin blocking
calls from these providers if the flood of
robocalls is not cut off within 48 hours.


--

Clayton Zekelman
Managed Network Systems Inc. (MNSi)
3363 Tecumseh Rd. E
Windsor, Ontario
N8W 1H4

tel. 519-985-8410
fax. 519-985-8409

Re: Constant Abuse Reports / Borderline Spamming from RiskIQ

2020-04-13 Thread Dan Hollis

On Mon, 13 Apr 2020, Kushal R. wrote:
As far as that tweet is concerned, it's pending for 16 days because 
they have been blocked from sending us any emails due to the sheer
amount of emails they started sending and then our live support chats.


This is not an acceptable answer.

-Dan


Re: Phishing and telemarketing telephone calls

2020-04-26 Thread Dan Hollis

On Sun, 26 Apr 2020, Michael Thomas wrote:

On 4/25/20 10:23 AM, Anne P. Mitchell, Esq. wrote:
So, harass those phone spammers for fun *and* profit! ;-)  Here's the 
write-up I did, feel free to ask me any questions you may have. :-)
What exactly is this "basic internet research"? I thought the big problem is 
that they are trivially capable of covering their tracks.


I think the bigger issue is they are all entirely operated out of India.

-Dan


Re: Abuse Desks

2020-04-28 Thread Dan Hollis

On Tue, 28 Apr 2020, Matt Corallo via NANOG wrote:

Please don't use this kind of crap to send automated "we received 3 login attempts 
on our SSH box..wa" emails.
This is why folks don't have abuse contacts that are responsive to real issues 
anymore.


That's what SBL is for.

-Dan


Re: Abuse Desks

2020-04-29 Thread Dan Hollis

On Tue, 28 Apr 2020, Matt Corallo wrote:
Sadly dumb kids are plentiful. If you have to nag an abuse desk every 
time they sell a server to a kid who’s experimenting with nmap for the 
first time then we’ll end up exactly where we are - abuse contacts 
are not a reliable way to get in touch with anyone, and definitely not a 
reliable way to do so fast or with any reasonably large network. Please 
don’t clog the otherwise-useful system.


compromised servers on your infrastructure hosting Nigerian criminals look 
much the same as a script kiddie experimenting with nmap.



If you have trouble sleeping at night, I’d recommend the 
“PasswordAuthentication no” option in sshd_config.


you either care about reports of potentially compromised hosts on your 
infrastructure or you don't.


-Dan


Re: 29 May 2019: Emotet malspam: 'Mykolab Ref Id: I32560' [Was: Re: Spamming of NANOG list members]

2019-05-29 Thread Dan Hollis

On Wed, 29 May 2019, Paul Ferguson wrote:

AS    | IP              | AS Name
14061 | 68.183.65[.]234 | DIGITALOCEAN-ASN - DigitalOcean, LLC, US (shared hosting)
16276 | 158.69.127[.]22 | OVH, FR (shared hosting)
51167 | 173.249.2[.]31  | CONTABO, DE (shared hosting)
46475 | 74.63.242[.]18  | LIMESTONENETWORKS - Limestone Networks, Inc., US (shared hosting)
33182 | 185.38.44[.]163 | DIMENOC - HostDime.com, Inc., US (shared hosting)
44099 | 31.12.67[.]62   | RUNISO-AS RUNISO Autonomous System, FR (appears to be stand-alone IP, no PTR record)


few surprises here. known complacent/spam-friendly providers.

-Dan


PSA: change your fedex.com account logins

2019-05-30 Thread Dan Hollis
I received a credit card scam addressed to my one-off unique address 
registered to fedex.com.


So it seems fedex.com user database has been compromised. Change your 
logins asap.


-Dan


Re: PSA: change your fedex.com account logins

2019-05-30 Thread Dan Hollis

Phishing scheme didn't happen.

fedex has had a number of major compromises so it's not a stretch that 
their user database was stolen and sold to spammers.


-Dan

On Thu, 30 May 2019, Matt Hoppes wrote:


Possibly. The other possibility I can think of is that you succumbed to a 
phishing scheme where are you entered the login information for your Fed ex 
account.


On May 30, 2019, at 4:12 PM, Dan Hollis  wrote:

I received a credit card scam addressed to my one-off unique address registered 
to fedex.com.

So it seems fedex.com user database has been compromised. Change your logins 
asap.

-Dan




Re: PSA: change your fedex.com account logins

2019-05-31 Thread Dan Hollis
The one-off email scheme is not predictable. It is a randomly generated 
string of characters.


$ ./randgen
jvtMDluV0lwnlY5O

So you can totally eliminate that possibility entirely.

-Dan

On Fri, 31 May 2019, Jason Kuehl wrote:


Is it possible, yes. I've seen it several times now at my place of work.
Targeted attacks are a thing.

On Fri, May 31, 2019 at 2:53 AM Mike Hale  wrote:


Oh for fucks sake.

Really?

You two are questioning someone who subscribes to Nanog over Fedex?
You really think it's more likely that someone is targeting Dan Hollis
(whoever he is) instead of Fedex leaving something else exposed?

On Thu, May 30, 2019 at 11:39 PM Scott Christopher  wrote:


Dan Hollis wrote:

Phishing scheme didn't happen.

fedex has had a number of major compromises so it's not a stretch that
their user database was stolen and sold to spammers.


The other possibility is that your one-off email scheme is predictable,

and someone knows you use FedEx, and that someone is targeting specifically
you, and this obvious phishing email is a red herring for the exploit you
didn't see.


Be concerned.

-- S.C.




--
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0




--
Sincerely,

Jason W Kuehl
Cell 920-419-8983
jason.w.ku...@gmail.com



Re: Russian Anal Probing + Malware

2019-06-23 Thread Dan Hollis

On Sat, 22 Jun 2019, Filip Hruska wrote:
It's just a port/vulnerability scanner, I really don't see anything special 
about this particular case.


they are pushing exploits. trying to RCE, wget a binary, chmod 777 on 
routers and rm -rf files.


this goes way beyond scanner and into criminal trespass and destruction of 
property.


https://twitter.com/JayTHL/status/1128700101675954176

remain ignorant if you want.

-Dan


Re: Russian Anal Probing + Malware

2019-06-23 Thread Dan Hollis

On Sun, 23 Jun 2019, Randy Bush wrote:

It's just a port/vulnerability scanner, I really don't see anything
special about this particular case.

they are pushing exploits. trying to RCE, wget a binary, chmod 777 on
routers and rm -rf files.

this goes way beyond scanner and into criminal trespass and
destruction of property.

https://twitter.com/JayTHL/status/1128700101675954176

having trouble following the attribution.  yes, of course there are folk
trying to exploit.  but missing the link that *these* folk are.


https://pbs.twimg.com/media/D6oBGYPUwAECG09.png

you're trying to defend them?

-Dan


Re: SHAKEN/STIR Robocall Summit - July 11 2019 at FCC

2019-07-16 Thread Dan Hollis

On Tue, 16 Jul 2019, Michael Thomas wrote:
But right you are, it's ultimately the carrier who needs to care about this 
problem at or nothing gets better.


either the carrier starts dealing with it or legislation will come down to 
force the issue.


-Dan


really amazon?

2019-07-29 Thread Dan Hollis

Amazon, you really should know better.

Source ip: 54.240.4.4

https://search.arin.net/rdap/?query=54.240.4.4

Source Registry ARIN
Kind Group
Full Name Amazon SES Abuse
Handle ASA152-ARIN
Email email-ab...@amazon.com


RCPT To:

<<< 550 #5.1.0 Address rejected.
550 5.1.1 ... User unknown

DATA

<<< 503 #5.5.1 RCPT first

Jul 29 09:47:27 yuri sendmail[14067]: x6TGlQe4014062: to=, 
ctladdr= (500/500), delay=00:00:01, xdelay=00:00:01, 
mailer=esmtp92, relay=amazon-smtp.amazon.com. [207.171.188.4], dsn=5.1.1, stat=User unknown


Re: really amazon?

2019-07-29 Thread Dan Hollis

"User unknown" is pretty clear.

But whatever.

-Dan


On Mon, 29 Jul 2019, Mel Beckman wrote:


Dan,

I don’t really have the time to parse the debug output you sent. If you want 
me, or most others, to pay attention to your post, please provide a more 
detailed explanation of what the deal is than “Really, amazon?”

 -mel



On Jul 29, 2019, at 4:03 PM, Dan Hollis  wrote:

Amazon, you really should know better.

Source ip: 54.240.4.4

https://search.arin.net/rdap/?query=54.240.4.4

Source Registry ARIN
Kind Group
Full Name Amazon SES Abuse
Handle ASA152-ARIN
Email email-ab...@amazon.com


RCPT To:

<<< 550 #5.1.0 Address rejected.
550 5.1.1 ... User unknown

DATA

<<< 503 #5.5.1 RCPT first

Jul 29 09:47:27 yuri sendmail[14067]: x6TGlQe4014062: to=, 
ctladdr= (500/500), delay=00:00:01, xdelay=00:00:01, 
mailer=esmtp92, relay=amazon-smtp.amazon.com. [207.171.188.4], dsn=5.1.1, stat=User unknown





Re: What can ISPs do better? Removing racism out of internet

2019-08-06 Thread Dan Hollis

On Tue, 6 Aug 2019, Rob McEwen wrote:
I'm so tired of this thread - but the bottom line is that censorship and even 
the definition of "hate" and "racism" (especially when used in the 
vernacular!) are extremely subjective and can lead to situations where 
reasonable people disagree. And if/when such policies are implemented to try 
to limit or shut down such speech, horrific unintended collateral damage will 
LIKELY occur. Also, totalitarian regimes OFTEN use the same arguments to get 
their foot in the door of controlling and suppressing speech. Even now, the 
mainstream news media is ALREADY highlighting a very selective part of these 
murderer's ideologies, and suppressing other parts, in order to convey an 
overall impression of their ideologies that doesn't actually match them, but 
furthers certain biased agendas. So actions to suppress "hate speech" and 
"racism" based on the 1/2 truths that most have been brainwashed to believe 
about these evil murderers' beliefs (1/2 contradicted by their own actual 
writings, which are already evil!), is ALREADY well on its way towards 
potentially causing collateral damage by unplugging or suppressing 
forums/platforms that really don't closely match the actual ideology of the 
shooters.


those who perform political curation of content are at risk of losing 
their section 230 protections.


archive.fo/zOUBG

if you really want this to happen, go ahead and "remove racism out of 
internet". you won't like the result.


-Dan


Re: User Unknown (WAS: really amazon?)

2019-08-15 Thread Dan Hollis

On Mon, 12 Aug 2019, Bruce H McIntosh wrote:

On 8/12/19 3:26 PM, Rich Kulawiec wrote:

Half my grump with Amazon here is that they have, for all practical
purposes, unlimited money and unlimited personnel.  They should be the
go-to example for How To Do It Right.  They should be the model (or one
of the models) that we're all trying to emulate, the gold standard that
we can all point to.

But they're not.

The other half of my grump is that they're enormous, and therefore capable
of inflicting enormous damage.  The larger an operation, the more critical
it is that abuse/security/et.al. be fully supported, highly responsive,
empowered to act decisively, etc.

But they're not.

And I have yet to see anyone from Amazon (a) admit this and (b) ask for 
help fixing it.


The larger they are, the more immune from having to follow the rules they 
think they are.


SBL seems the only way to wake them up.

-Dan


RE: New Alaskan Network

2019-10-25 Thread Dan Hollis

The verge is garbage. That is all.

-Dan

On Fri, 25 Oct 2019, Keith Medcalf wrote:



Bwahahahaha!

It is internally inconsistent.  Perhaps this is just shoddy reporting,
or perhaps the whole thing is just someone's idea of a wet dream.

"The line will begin in North Pole, Alaska and will travel through
Canada, connecting with Canadian carriers, where it will finally connect
with “any major hub” in the US"

"According to the press release, only internet traffic that both
originates and terminates in the US will be carried over the network."

Questions:

(1) Why interconnect with Canadian Carriers at all?
(2) "Any major hub"?
(3) Only traffic originated and terminated in the US.

Given (3) then (1) is a useless waste of money.
Given (2) it would appear that this is a "fibre to nowhere"
Given (3) it would not provide access to the Internet

--
The fact that there's a Highway to Hell but only a Stairway to Heaven
says a lot about anticipated traffic volume.


-Original Message-
From: NANOG  On Behalf Of Rod Beck
Sent: Friday, 25 October, 2019 11:57
To: Nanog@nanog.org
Subject: New Alaskan Network

Unusual in that it will traverse Canada to reach the lower 48.


https://www.theverge.com/2019/5/1/18525866/alaska-fiber-optic-network-cable-continental-us-100-terabit




Alaska will connect to the rest of the US via a 100-terabit fiber optic
network - The Verge 
MTA Fiber Holdings announced today that it would build the "first and
only all-terrestrial" fiber optic network running from Alaska and into
the Lower 48. The line will begin in North Pole, Alaska ...
www.theverge.com



Roderick Beck

VP of Business Development

United Cable Company

www.unitedcablecompany.com 

New York City & Budapest


rod.b...@unitedcablecompany.com

36-70-605-5144

RE: FCC proposes $10 Million fine for spoofed robocalls

2019-12-19 Thread Dan Hollis
Fact is the telcos make lots of money off spoofed robocalls so they have 
zero incentive to stop the practice.


-Dan

On Thu, 19 Dec 2019, Keith Medcalf wrote:



"CallerID" is a misnomer.  It is actually the "Advertized ID".  However, the 
telco's realized you would not pay to receive advertizing so they renamed it to something they 
thought you would pay for.

Pretty canny business model eh?  And apparently y'all fell for it, thinking it 
was related to the Identification of the Caller, rather than being what the 
caller wished to advertize.

--
The fact that there's a Highway to Hell but only a Stairway to Heaven says a 
lot about anticipated traffic volume.


-Original Message-
From: NANOG  On Behalf Of Brandon Martin
Sent: Thursday, 19 December, 2019 10:25
To: nanog@nanog.org
Subject: Re: FCC proposes $10 Million fine for spoofed robocalls

On 12/19/19 12:09 PM, Andreas Ott wrote:

I have also been told that there is no equivalent of uRPF in the phone

world.

This is the biggest issue, and unfortunately (and my knowledge of the
PSTN is admittedly a bit lacking, here), there's likely no good way to
add it.

Calls on the PSTN are routed essentially based on "who do I feel like
handing this off to, today", and then that entity may do the same, and
so on.  It's pretty routine for an outfit to have multiple contracts for
termination that may not even be aware of the "legitimate" numbers from
which their customers might "source" a call.

Further, it's entirely normal and perfectly legitimate (to varying
degrees) for an outfit to purport in CID a number that is not directly
assigned to them nor which will actually result in a callback being
routed to them.

Think of caller ID more like reverse DNS.  It's largely advisory and,
outside some situations where you deliberately want a higher degree of
reputation/identity verification and are willing to accept a
potentially large number of false flags, there's no real reason to rely
on it outside of human nicety.

The rough analogy to the source IP address is the ANI information that's
not even passed to most end users.  That's "who should I bill this to?".
 But even that can get overwritten sometimes during call routing, from
what I gather.  It's also rarely a valid callback number for any
non-trivial call source.  Or, at least, if you did call it, the person
who (might) answer the phone will have no idea what prompted you to do
so.

SHAKEN/STIR, the leading proposal to "fix" this, is more like RPKI in a
way albeit very much re-envisioned based on circuit switching rather
than packet switching.  Each intervening network can attest to what
degree they are able to verify the CID (and maybe ANI?) information in
the call.  Unfortunately, a perfectly valid attestation is "I cannot
verify it", and indeed that's likely to be most of the attestations
you'll see at least at first.  The best it really lets you do is figure
out some networks at which to point fingers.

When "full attestation" is present, i.e. the network operator has been
able to verify that the CID field represents a number authorized for use
by the entity originating the call, it's maybe more like DKIM in that
you can, with cryptographic certainty, know THE network at which to
point fingers as they're the ones who admitted the call into the PSTN
with authority that the CID field (among others) is "valid".

[And all the old PSTN folks will please forgive me if I'm inaccurate,
here, though corrections are welcome]
--
Brandon Martin
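The attestation model described above, as an added example that is not part of the thread and not any carrier's code: the originating network signs the caller-ID claim with an attestation level, and the terminating side can prove which network vouched for the call while still learning very little from a level-C ("I cannot verify it") token. Real SHAKEN PASSporTs are JWTs signed with ES256 under a certificate named in the x5u header; this demo substitutes HMAC-SHA256 with per-network keys so it runs on the standard library alone, and every key identifier, key and phone number is constructed.

```python
"""Minimal STIR/SHAKEN-style PASSporT signing and verification.

Added example, not from the thread or any carrier's code. Real SHAKEN tokens
are JWTs signed with ES256 under a certificate referenced by the x5u header;
this demo uses HMAC-SHA256 with per-network keys only to stay standard-library.
All key identifiers, keys and phone numbers below are constructed.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed verification keys, looked up by the x5u-style key identifier.
# In SHAKEN this is a certificate fetched from the signing carrier's repository.
NETWORK_KEYS = {
    "https://certs.carrier-a.invalid/sti.pem": b"carrier-a-demo-secret",
    "https://certs.gateway-x.invalid/sti.pem": b"gateway-x-demo-secret",
}

ATTEST_MEANING = {
    "A": "full: signer serves the caller and authorized this number",
    "B": "partial: signer knows the customer but did not verify the number",
    "C": "gateway: signer only knows where the call entered its network",
}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_passport(key_id, key, orig_tn, dest_tn, attest, origid, iat):
    """Build a compact token (header.payload.signature) for one call."""
    header = {"alg": "HS256-demo", "ppt": "shaken", "typ": "passport", "x5u": key_id}
    payload = {"attest": attest, "dest": {"tn": [dest_tn]}, "iat": iat,
               "orig": {"tn": orig_tn}, "origid": origid}
    signing_input = ".".join(_b64url(json.dumps(part, sort_keys=True).encode())
                             for part in (header, payload))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_passport(token, presented_cid, dest_tn, now, max_age=60):
    """Return (verdict, detail) for a token presented alongside a call.

    verdict is "verified" only for a good signature with attestation A,
    "unverified" for a good signature with B or C, and "invalid" otherwise.
    """
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_unb64url(h_b64))
        payload = json.loads(_unb64url(p_b64))
        signature = _unb64url(s_b64)
    except ValueError:
        return "invalid", "malformed token"
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return "invalid", "malformed token"
    key = NETWORK_KEYS.get(header.get("x5u"))
    if key is None:
        return "invalid", "unknown signer %r" % header.get("x5u")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return "invalid", "bad signature"
    # Tokens are short-lived so a captured token cannot be replayed much later.
    if not (now - max_age <= payload.get("iat", 0) <= now + max_age):
        return "invalid", "iat outside the accepted window"
    if payload.get("orig", {}).get("tn") != presented_cid:
        return "invalid", "presented caller ID differs from the signed orig"
    if dest_tn not in payload.get("dest", {}).get("tn", []):
        return "invalid", "called number is not covered by the token"
    attest = payload.get("attest")
    if attest not in ATTEST_MEANING:
        return "invalid", "unknown attestation level"
    # The signature proves which network vouched; the level says how much.
    verdict = "verified" if attest == "A" else "unverified"
    return verdict, f"{attest} ({ATTEST_MEANING[attest]}) signed by {header['x5u']}"


if __name__ == "__main__":
    now = int(time.time())
    kid = "https://certs.gateway-x.invalid/sti.pem"
    tok = sign_passport(kid, NETWORK_KEYS[kid], "12025550100", "12025550199", "C", "gw-1", now)
    print(verify_passport(tok, "12025550100", "12025550199", now))
```

A gateway-signed token comes back "unverified" with a valid signature: the verifier knows exactly which network to ask, but nothing about whether the number is genuine.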







Re: FCC proposes $10 Million fine for spoofed robocalls

2019-12-20 Thread Dan Hollis

On Thu, 19 Dec 2019, Paul Timmins wrote:

The people handling these calls know exactly who their customers are,


yep


and they'd remove them in hours if a legal mandate came down to provide
passthrough penalties for providing service to these people.


the only penalties that would motivate them is prison terms.

financial penalties will be ignored.

-Dan


Re: FCC proposes $10 Million fine for spoofed robocalls

2019-12-20 Thread Dan Hollis

On Fri, 20 Dec 2019, Mike Hammett wrote:

So send them all to Lenny?


I wish there was a phone app to do this.

-Dan


Re: power to the internet

2019-12-28 Thread Dan Hollis

Nothing.

It is extremely cheap, extremely durable, and nearly 100% recyclable. All 
the things lithium is not.


The only thing is lead acid is not power dense, but that is not generally 
a problem at sites.


-Dan

On Sat, 28 Dec 2019, Baldur Norddahl wrote:


What is wrong with lead acid battery backup? Seems to be exceedingly stable
from my experience. We have all our equipment on -48V DC and have never had
a power interruption at any site.

The requirements here are 48 hours of backup by law. Telecom is declared to
be part of emergency and defense, so they put in a requirement for
resilience.

Regards

Baldur


Thu, 26 Dec 2019 11:33 Joe Maimon wrote:


Unless telecom infrastructure has been diligently changing out the lead
acid battery approach at all their remote terminals, powered gpon, hfc
and antennae plants will never last more than minutes. If at all.

A traditional car has between a 100-200amp alternator @12volts

How much generating capacity can you get out of a typical hybrid?

Self-isolating and re-tieing inverters. Economic household ATS systems.
Do those exist?

Enough independent distributed capacity and now comes the ability to
create grid islands. How might that look?

Electric grid shortage is likely coming to NYC, courtesy of folk of
certain political persuasion and their love of stone age era living. IP
decommissioning.

If you have CO loop copper, keep it.

Joe

Don Gould wrote:

This is a very short term problem.

The market is going to fill with battery storage sooner rather than
later.

Solar is just exploding.

Your car will "house tie".

6G will solve your data problem.

D



--
Don Gould
5 Cargill Place
Richmond
Christchurch, New Zealand
Mobile/Telegram: + 64 21 114 0699
www. bowenvale.co.nz



 Original message 
From: Michael Thomas 
Date: 26/12/19 2:33 PM (GMT+12:00)
To: nanog@nanog.org
Subject: power to the internet




https://www.politico.com/news/2019/12/25/california-power-shutoffs-089678



This article details some of the issues with California's "new reality"
of planned blackouts. One of the big things that came to light with
these blackouts is that our network infrastructure's resilience is
pretty lacking. While I was (surprisingly to me) ok with my DSL
connection out in the boonies, lots and lots of people with cable
weren't so lucky. And I'm not sure how bad the situation is with
cellular infrastructure, but I assume it's not much better than cable.
And I wouldn't doubt that other DSL deployments go dark when power is
down. I have no clue with fiber.

So I guess what I'm wondering is what can we do about this? What should
we do about this? These days IP access is not just convenience, it's the
way we go about our lives, just like electricity itself. At base, it
seems to me that network operators should be required to keep the lights
on in blackouts just like POTS operators do now. If I have power to
light my modem or charge in my phone, I should be able to get onto the
net. That seems like table stakes.

One of the things we learned also is that the blackouts seem to last
between 2-3 days apiece. I happen to have a generator since I'm out in
the boonies and our power gets cut regularly because of snow, but not
everyone has that luxury. I kind of want to think that my router+modem
use about 20 watts, so powering it up would take about 1.5kwh for 3
days. a quick google look shows that I'd probably need to shell out $500
or so for a battery of that capacity, and that's doesn't include your
phones, laptops, tv's, etc power needs. What does that mean? That is a
major expense for a lot of people.

On the bright side, I hear that power generator companies stocks have
gone through the roof.

On the dark side, this is probably coming to a lot more states and
countries due to climate change. Australia. Sigh.

Mike

Re: EVERYTHING about Booters (and CloudFlare)

2016-07-27 Thread Dan Hollis

On Wed, 27 Jul 2016, b...@theworld.com wrote:

There isn't even general agreement on whether (or what!) Cloudfare is
doing is a problem.


aiding and abetting. at the very least willful negligence.

-Dan


Re: Should abuse mailboxes have quotas?

2016-10-27 Thread Dan Hollis

On Thu, 27 Oct 2016, Christopher Morrow wrote:

On Thu, Oct 27, 2016 at 11:03 AM, Stephen Satchell 
wrote:

I'm tired of blatantly uncaring administrations.

it's also totally possible that in some cases the mailbox for abuse@ got
moved behind some orgs other mail systems... This happened numerous times
at $PREVIOUS_EMPLOYER. When moving around ~200k mailboxes 1 special unicorn
often gets mishandled :(

we wouldn't find out until someone called in all complainy about how 'you
never care about email... blah...' "Sure we care, but our mail-admin team
sometimes breaks us, whoops!"

ascribing malice is often unhelpful... Also, of course it's your network
you can balkanize from the rest of the internet as much as you please.


not so much malice as gross incompetence.

running spamfilters on your abuse@ mailbox, really? that is, for those 
which actually have an abuse mailbox that doesn't bounce outright.


-Dan


Re: Should abuse mailboxes have quotas?

2016-10-27 Thread Dan Hollis

On Thu, 27 Oct 2016, Steve Atkins wrote:

If mail to abuse@ doesn't bounce, give them the benefit
of the doubt until statistics say otherwise.


I give them a couple weeks/months. The vast majority of them ignore, and 
allow the abuse to continue.


It's amazing how quickly they respond when they get SBL'd though! 
Lightning quick.


-Dan


Re: Should abuse mailboxes have quotas?

2016-10-27 Thread Dan Hollis

On Thu, 27 Oct 2016, Jimmy Hess wrote:

On Thu, Oct 27, 2016 at 1:35 PM, Dan Hollis  wrote:

not so much malice as gross incompetence.
running spamfilters on your abuse@ mailbox, really? that is, for those which
actually have an abuse mailbox that doesn't bounce outright.

Sorry about that,  many networks do perform standard filtering on
messages to Abuse contacts based on DNS RBLs,  SPF/DMARC
policy enforcement,  virus scans,  etc,  and do send a SMTP Reject on
detected spam or malware.


This is a good way to get your block listed on RBLs.


For many networks; files sent to abuse mailboxes are likely aliased to the
normal mailbox of sysadmins who have access to high privileges. As such,
these mailboxes may require even stronger protection than other accounts,
because of increased risk (when a mistake is made).


If anyone actually does this, it is incompetence beyond comprehension.


There is a reason that phone numbers, and not just e-mail addresses are listed
in the WHOIS records..

If you get a SMTP reject, then call the the Abuse POC of the organization you
need to report abuse from.


Again, good way to end up on RBLs. I encourage competitors to heavily filter 
their POCs.

Oh yes, and also be sure your phone numbers are out of date.

-Dan


Re: Whois vs GDPR, latest news

2018-05-23 Thread Dan Hollis

On Tue, 22 May 2018, Jimmy Hess wrote:

Perhaps it's time that some would consider new RBLs and Blackhole
feeds based on:
Domains with deliberately unavailable WHOIS data.


How about the ones with broken contact data - deliberately or not?

A whois blacklist sounds good to me. DNS WBL?


exhibit A:
==
https://whois.arin.net/rest/net/NET-66-111-32-0-1/pft?s=66.111.56.98

   - Transcript of session follows -
... while talking to aspmx.l.google.com.:

DATA

<<< 550-5.1.1 The email account that you tried to reach does not exist. Please 
try
<<< 550-5.1.1 double-checking the recipient's email address for typos or
<<< 550-5.1.1 unnecessary spaces. Learn more at
<<< 550 5.1.1  https://support.google.com/mail/?p=NoSuchUser 
d26-v6si14042755pge.500 - gsmtp
550 5.1.1 ... User unknown
<<< 503 5.5.1 RCPT first. d26-v6si14042755pge.500 - gsmtp


exhibit B:
=
https://apps.db.ripe.net/db-web-ui/#/query?searchtext=79.121.0.5#resultsSection

   - Transcript of session follows -
... while talking to mail.kabelnet.hu.:

DATA

<<< 451 Could not complete sender verify callout ... 
Deferred: 451 Could not complete sender verify callout
<<< 503-All RCPT commands were rejected with this error:
<<< 503-Could not complete sender verify callout
<<< 503 Valid RCPT command must precede DATA
Warning: message still undelivered after 4 hours
Will keep trying until message is 5 days old



-Dan
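The sendmail "to=" log line in the "really amazon?" post and the two exhibit transcripts above record the same failure: the abuse contact published in the registry does not accept mail. As an added example that is not part of the thread, the parser below reads both forms, maps the enhanced status code (RFC 3463 class 2/4/5, with 5.1.x meaning the address does not exist) to a verdict, and reports the worst result per contact; the hostnames, queue IDs and addresses in its sample data are constructed placeholders.

```python
"""Classify abuse-contact bounces from sendmail logs and bounce transcripts.

Added example, not from the thread. Parses sendmail "to=" delivery lines and
"<<< NNN ..." SMTP reply lines from a bounce transcript, and turns the
enhanced status code into a verdict per contact. Sample data is constructed.
"""
import re

# sendmail delivery log line: "... sendmail[pid]: qid: to=<...>, ..., dsn=5.1.1, stat=..."
SENDMAIL_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): (?P<kv>to=.*)$")
KV_RE = re.compile(r"(\w+)=(<[^>]*>|[^,]*)")
# SMTP reply line in a bounce transcript; the enhanced code may be missing
# (the "451 Could not complete sender verify callout" case) or prefixed with '#'.
REPLY_RE = re.compile(r"^<<< (?P<code>[245]\d\d)(?:[ -]#?(?P<esc>[245]\.\d+\.\d+))?")

RANK = {"ok": 0, "deferred": 1, "rejected": 2, "dead": 3}


def classify_dsn(esc):
    """Map an enhanced status code such as '5.1.1' to a verdict."""
    cls, _, rest = esc.partition(".")
    if cls == "5":
        # 5.1.x is "address status": the mailbox simply does not exist.
        return "dead" if rest.startswith("1.") else "rejected"
    if cls == "4":
        return "deferred"
    return "ok"


def parse_sendmail_line(line):
    """Return the key=value fields of a sendmail 'to=' log line, or None."""
    m = SENDMAIL_RE.search(line)
    if not m:
        return None
    fields = {"qid": m.group("qid")}
    for key, value in KV_RE.findall(m.group("kv")):
        fields[key] = value.strip().strip("<>")
    return fields


def classify_reply(line):
    """Verdict for one '<<< NNN ...' transcript line, or None if not a reply."""
    m = REPLY_RE.match(line.strip())
    if not m:
        return None
    esc = m.group("esc") or m.group("code")[0] + ".0.0"  # fall back to the class
    return classify_dsn(esc)


def contact_verdicts(log_text):
    """Worst verdict seen per recipient across sendmail log lines."""
    worst = {}
    for line in log_text.splitlines():
        fields = parse_sendmail_line(line)
        if not fields or "dsn" not in fields or "to" not in fields:
            continue
        verdict = classify_dsn(fields["dsn"])
        if RANK[verdict] > RANK.get(worst.get(fields["to"]), -1):
            worst[fields["to"]] = verdict
    return worst


def transcript_verdict(transcript_text):
    """Worst verdict across the server replies in a bounce transcript."""
    verdicts = [v for v in map(classify_reply, transcript_text.splitlines()) if v]
    return max(verdicts, key=RANK.get, default="ok")


# Constructed sample data with placeholder hosts, queue IDs and addresses.
SAMPLE_LOG = """\
Jul 29 09:47:27 mta1 sendmail[14067]: q1: to=<abuse@registry-a.invalid>, ctladdr=<reporter@example.invalid> (500/500), delay=00:00:01, xdelay=00:00:01, mailer=esmtp, relay=mx.registry-a.invalid. [192.0.2.10], dsn=5.1.1, stat=User unknown
Jul 29 09:48:02 mta1 sendmail[14071]: q2: to=<abuse@registry-b.invalid>, ctladdr=<reporter@example.invalid> (500/500), delay=04:00:00, xdelay=00:00:30, mailer=esmtp, relay=mx.registry-b.invalid. [198.51.100.7], dsn=4.4.1, stat=Deferred: Connection timed out
Jul 29 09:48:10 mta1 sendmail[14075]: q3: to=<abuse@registry-c.invalid>, ctladdr=<reporter@example.invalid> (500/500), delay=00:00:01, xdelay=00:00:01, mailer=esmtp, relay=mx.registry-c.invalid. [203.0.113.5], dsn=2.0.0, stat=Sent (OK id=1)
"""
SAMPLE_TRANSCRIPT = """\
   - Transcript of session follows -
... while talking to mx.registry-a.invalid.:
>>> DATA
<<< 550-5.1.1 The email account that you tried to reach does not exist.
<<< 550 5.1.1 See https://example.invalid/nosuchuser
<<< 503 5.5.1 RCPT first
"""

if __name__ == "__main__":
    print(contact_verdicts(SAMPLE_LOG))
    print(transcript_verdict(SAMPLE_TRANSCRIPT))
```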


Re: Whois vs GDPR, latest news

2018-05-23 Thread Dan Hollis

On Wed, 23 May 2018, Owen DeLong wrote:

On May 23, 2018, at 08:53, John Levine  wrote:
If they try to sue in, say, US courts, the US court will ask them to
explain why a US court should try a suit under foreign law.  There is
a very short list of reasons to do that, and this isn't on it.

Actually, due to treaty, it is. At least according to some lawyers that have 
been advising ICANN stakeholder group(s).


can treaties supersede US law?

-Dan


Re: Whois vs GDPR, latest news

2018-05-26 Thread Dan Hollis

On Sat, 26 May 2018, Seth Mattinen wrote:

On 5/24/18 4:21 PM, Anne P. Mitchell Esq. wrote:
Actually, GDPR specifically requires processors to include statements of 
compliance right in their contracts;  we also strongly recommend that 
controllers insist on indemnification clauses in their contracts with 
processors, because if the processor screws up and there is a breach, 
the_controller_  can also be held liable, and the financial penalties in 
GDPR are very stiff.
Good luck getting multiple millions worth of fines out of small businesses 
that never even touch a million a year in revenue, let alone the added 
expenses of trying to do all the crap GDPR thinks everyone can suddenly 
afford out of nowhere.


I imagine small businesses who do a small percentage of revenue to EU 
citizens will simply decide to do zero percentage of revenue to EU 
citizens. The risk is simply too great.


-Dan


Re: Whois vs GDPR, latest news

2018-05-26 Thread Dan Hollis

On Sat, 26 May 2018, Royce Williams wrote:

Naively ... to counter potential panic, it would be awesome to crowdsource
some kind of CC-licensed GDPR toolkit for small orgs. Something like a
boilerplate privacy policy (perhaps generated by answers to questions),
plus some simplified checklists, could go a long way - towards both
compliance and actual security benefit.


who is willing to accept the risk of being involved in creation of such a 
thing? would you?


if someone uses it and ends up being hit by eu regulators, you can bet 
the toolkit creators will be sued.


who would be willing to use a crowdsourced legal toolkit given the risks 
of a violation? would you?


-Dan


ICANN GDPR lawsuit

2018-05-30 Thread Dan Hollis

http://www.circleid.com/posts/20180527_icann_files_legal_action_against_domain_registrar_whois_data/

-Dan


Re: ICANN GDPR lawsuit

2018-05-31 Thread Dan Hollis

On Thu, 31 May 2018, b...@theworld.com wrote:

FWIW a German court has just ruled against ICANN's injunction and in
favor of Tucows/EPAG.
  https://www.icann.org/news/announcement-4-2018-05-30-en


Welcome to contact-free whois?

-Dan


Re: ICANN GDPR lawsuit

2018-06-04 Thread Dan Hollis

On Mon, 4 Jun 2018, Rubens Kuhl wrote:

On Fri, Jun 1, 2018 at 1:56 AM, Hank Nussbacher 
wrote:
Usually, identifying attackers at other online services is a duty on RIR
directories, and even the RIPE one is not suffering that many changes due
to GDPR.

Also, GDPR doesn't prevent law enforcement access.


It might be desirable to provide enough contact information to mitigate 
issues before it has to end up in the hands of law enforcement.


black hats and bullet proof hosting are definitely going to enjoy using 
gdpr to hide behind though.


-Dan


Re: AS3266: BitCanal hijack factory, courtesy of Cogent, GTT, and Level3

2018-06-27 Thread Dan Hollis

On Tue, 26 Jun 2018, Suresh Ramasubramanian wrote:

"we are not the internet police" right? (


Indeed. Aid and abet would be a more accurate description.

-Dan


looking for collaborating data for phishing email

2018-07-23 Thread Dan Hollis
Anyone who recently received the following phishing email, please drop me 
an email. I'm looking for collaborating data on an email database breach.


Date: Wed, 18 Jul 2018 06:36:19 -0400
Return-Path: 
Received: from amp3.nuskin.com (amp3.nuskin.net [170.89.24.19] (may be forged))
From: American Express 
To: americanexpr...@aep.com
Subject: Act Now: Information About your Cardmember Account.


-Dan


unwise filtering policy on abuse mailboxes

2018-07-24 Thread Dan Hollis

can we please just stop this nonsense?

ip under your direct control originates sewage. you should accept reports as-is.

requiring victims of your sewage to go through special contortions to 
report it to you is not acceptable.



  - The following addresses had permanent fatal errors -

   (reason: 550 "The mail server detected your message as spam and has prevented 
delivery.")


Re: unwise filtering policy on abuse mailboxes

2018-07-24 Thread Dan Hollis

I'm saying people who filter their abuse mailboxes need to stop doing so.

-Dan

On Wed, 25 Jul 2018, Mel Beckman wrote:


Dan,

Are you saying Nanog is spamming you? It's not at all clear what your complaint 
is.

-mel via cell


On Jul 24, 2018, at 4:37 PM, Brian Kantor  wrote:



On Tue, Jul 24, 2018 at 04:19:22PM -0700, Dan Hollis wrote:
can we please just stop this nonsense?

ip under your direct control originates sewage. you should accept reports as-is.

requiring victims of your sewage to go through special contortions to
report it to you is not acceptable.


 - The following addresses had permanent fatal errors -

  (reason: 550 "The mail server detected your message as spam and has prevented 
delivery.")



ab...@fsec.or.kr and c...@fsec.or.kr do the same thing.
   - Brian





Re: Oracle abuse contact

2018-11-12 Thread Dan Hollis
Contact some DNSBLs? Sometimes it takes 550 responses to all their smtp 
connections for them to wake up from their slumber.


-Dan

On Fri, 9 Nov 2018, David Shaw wrote:


Hi,

I could really use some help reaching someone at Oracle for a spam problem 
coming from 129.145.16.122.  I've sent countless emails to their abuse contact 
with no response, tried their tech support chat system and even calling several 
times without any reaction beyond confusion.  It's been almost two weeks now, 
and while I don't like asking on NANOG, I'm out of options.

Any pointers would be very welcomed.

David




Re: Extending network over a dry pair

2018-12-12 Thread Dan Hollis

On Wed, 12 Dec 2018, Nick Bogle wrote:

A quick question for you guys;

If you had a single dry pair (pair of copper wires originally for phones)
to a remote site that was around 6 miles away, what would you use? We
currently are just extending a T1 line to this site, but 1.5Mbps isn't
cutting it anymore. Unfortunately it's a research site on a federally
protected wildlife preserve so we can't run any new infrastructure (fiber
etc) and it isn't in a geographical place where point to point wireless is
practical. We were thinking there is some sort of network extender that
uses some form of DSL for higher bandwidth capacity.

Any suggestions?


If this is telco provided dry pair then the distance is probably longer 
than 6 miles as the endpoints are probably tied together through a telco 
CO.


I have not heard of any equipment which will work over a 6 mile pair any 
faster than you're getting with T1.


You might consider setting up wireless repeaters to bridge where there is 
no direct LOS. Look at what the hamwan guys have done. http://hamwan.org/


-Dan


Re: Extending network over a dry pair

2018-12-12 Thread Dan Hollis

I doubt he will get >1.5mbps with those over a 6 mile long connection.

I did a quick check and flowpoint 2200s seem to max out at 192kbps at 3 
miles.


-Dan

On Wed, 12 Dec 2018, Tim Pozar wrote:


For dry pairs, I have used Flowpoint SDSL modems (see attached).  I
picked these up for a sawbuck.

Tim

On 12/12/18 5:00 PM, Dan Hollis wrote:

On Wed, 12 Dec 2018, Nick Bogle wrote:

A quick question for you guys;

If you had a single dry pair (pair of copper wires originally for phones)
to a remote site that was around 6 miles away, what would you use? We
currently are just extending a T1 line to this site, but 1.5Mbps isn't
cutting it anymore. Unfortunately it's a research site on a federally
protected wildlife preserve so we can't run any new infrastructure (fiber
etc) and it isn't in a geographical place where point to point
wireless is
practical. We were thinking there is some sort of network extender that
uses some form of DSL for higher bandwidth capacity.

Any suggestions?


If this is telco provided dry pair then the distance is probably longer
than 6 miles as the endpoints are probably tied together through a telco
CO.

I have not heard of any equipment which will work over a 6 mile pair any
faster than you're getting with T1.

You might consider setting up wireless repeaters to bridge where there
is no direct LOS. Look at what the hamwan guys have done.
http://hamwan.org/

-Dan




Re: Extending network over a dry pair

2018-12-13 Thread Dan Hollis

Repeaters are standard for T1s.

I strongly suggest looking at wireless. There is almost guaranteed to be a 
spot you can put a repeater up to bridge you to your gateway.


-Dan

On Wed, 12 Dec 2018, Nick Bogle wrote:


The driving distance is 4 miles, we are leasing it from CenturyLink whose
headend maybe adds a mile or less, it's on the route and about half way
through. I made it 6 miles to be safe. We currently can pull a full 1.5Mbps
off of that T1 we run there so perhaps CenturyLink is repeating at their CO
and/or along the route?


On Wed, Dec 12, 2018 at 6:32 PM Dan Hollis  wrote:


I doubt he will get >1.5mbps with those over a 6 mile long connection.

I did a quick check and flowpoint 2200s seem to max out at 192kbps at 3
miles.

-Dan

On Wed, 12 Dec 2018, Tim Pozar wrote:


For dry pairs, I have used Flowpoint SDSL modems (see attached).  I
picked these up for a sawbuck.

Tim

On 12/12/18 5:00 PM, Dan Hollis wrote:

On Wed, 12 Dec 2018, Nick Bogle wrote:

A quick question for you guys;

If you had a single dry pair (pair of copper wires originally for

phones)

to a remote site that was around 6 miles away, what would you use? We
currently are just extending a T1 line to this site, but 1.5Mbps isn't
cutting it anymore. Unfortunately it's a research site on a federally
protected wildlife preserve so we can't run any new infrastructure

(fiber

etc) and it isn't in a geographical place where point to point
wireless is
practical. We were thinking there is some sort of network extender that
uses some form of DSL for higher bandwidth capacity.

Any suggestions?


If this is telco provided dry pair then the distance is probably longer
than 6 miles as the endpoints are probably tied together through a telco
CO.

I have not heard of any equipment which will work over a 6 mile pair any
faster than you're getting with T1.

You might consider setting up wireless repeaters to bridge where there
is no direct LOS. Look at what the hamwan guys have done.
http://hamwan.org/

-Dan








Re: Auto-reply from Yahoo...

2018-12-14 Thread Dan Hollis

Yes, someone needs to forcefully remove this subscription:

Subject: Re: Your message to lem...@yahoo-inc.com (was:  Re: Extending network 
over a dry pair)


On Fri, 14 Dec 2018, Grant Taylor via NANOG wrote:

Is anyone else receiving the "Your message to REDACTED (was: $oldSubject)" 
auto-responses to posts to NANOG?


I've been seeing them for three or four days now.



--
Grant. . . .
unix || die




attempted archive.is hijacking

2019-01-05 Thread Dan Hollis

https://twitter.com/archiveis/status/1081276424781287427

Wonder what tactic the hijackers are using, and if it would work with any 
registrar - or if there is something specific about isnic that allows it 
to happen.


-Dan


Re: EFF Call for sign-ons: ISPs, networking companies and engineers opposed to FCC privacy repeal

2017-03-29 Thread Dan Hollis

Why aren't _ALL_ consumer privacy regulations managed by the FTC?

Why is the FCC needed here?

-Dan

On Wed, 29 Mar 2017, Mark Radabaugh wrote:




On Mar 29, 2017, at 9:59 AM, Joe Loiacono  wrote:

Lowering barriers to entry is where the next political focus should be.

Joe Loiacono



And there you have much of the problem with this privacy bill.

Read the actual Report and Order:  
https://apps.fcc.gov/edocs_public/attachmatch/FCC-16-148A1.pdf 


219 pages

You want to start a competitive ISP these days?   Make sure you:

Incorporate your business
Obtain Liability, Workers Comp, Unemployment, Auto Insurance
Comply with the FCC Privacy Act (short reading, requires considerable 
investment in tracking opt in, opt out, privacy policies)
File the mandatory FCC 477 filings twice a year with detailed information on 
the geolocation of all of your customers and service area.
If offering VoIP service file your 499-A and Quarterly 499-Q’s with the FCC
Draft your “Open Internet Disclosure Statement”, pay a FCC lawyer a couple 
grand to renew it, make sure it’s prominent on your website
Build your website
Obtain bandwidth and IP, fill out your ARIN information.
Make up your “Consumer Label” for Broadband: 
https://www.fcc.gov/consumers/guides/consumer-labels-broadband-services 
  
(probably need a lawyer for this too..)
Pay the lawyer to write your “Terms of Service” so that you have at least some 
chance of surviving the lawsuits
Implement your CALEA plan and file that paperwork with the FBI so they can find 
you
Register with the Copyright office so that you can deal with DMCA notices.
Establish your copyright policy and procedures.  Have your lawyer review it.
Make sure you comply with 18 USC 2258A regarding reporting and registration for 
kiddie porn, train your employees
Make sure you have a CPNI policy, training, and report to the FCC yearly
Implement and file your Section 255 “Disability Rights” policy and make sure 
you file yearly with the FCC your information

Slap up a Ubiquiti access point and you can now make millions of dollars in 
short order.

I’m sure I forgot a few things like “build your network”, but that’s simple.

Mark




competent earthlink abuse contact please

2017-04-06 Thread Dan Hollis

A competent earthlink abuse contact please?

I am getting the runaround from people who are unable to read headers.

-Dan


Re: Vendors spamming NANOG attendees

2017-06-13 Thread Dan Hollis
It's funny to see all this apologia for nanog spammers and attempts to 
normalize the practice and brush it off as acceptable or unavoidable, 
especially after the "omg evil politicians voted to rollback fcc privacy 
rules and let companies sell your data" derpy derp thread.


You can't have it both ways.

-Dan


Re: Vendors spamming NANOG attendees

2017-06-13 Thread Dan Hollis

On Tue, 13 Jun 2017, Mike Hammett wrote:

I think it would be too subject to wild variance in what someone views as bad.
Actual SPAM (viagra, Nigerian princes, etc.), of course.
Industry-related SPAM, probably.
Targeted marketing (looking for someone at Facebook, seeing someone from 
Facebook and tracking them down... or seeing someone at someone in a specific 
area or...) ehh, probably not


Do you view collecting lists of nanog members and using it for 
unsolicited marketing purposes as bad or not?


-Dan



Re: Vendors spamming NANOG attendees

2017-06-14 Thread Dan Hollis

On Wed, 14 Jun 2017, b...@theworld.com wrote:

Merely deciding not to patronize them may not be sufficient and that's
why we make that sort of thing just outright illegal rather than hope
market forces will suffice.


Most spam is sent from compromised machines anyway, so there are already 
criminal violations involved in sending spam.


-Dan


Re: Vendors spamming NANOG attendees

2017-06-20 Thread Dan Hollis

On Tue, 20 Jun 2017, Rod Beck wrote:

And how do you tell if an address was scraped or not? There are databases and 
zillions of other ways of gaining addresses.


One-off addresses.

I've used it numerous times to catch the origin, companies like Roland 
Corporation either leaking databases or selling to spammers.


-Dan


Re: Contact at Orange?

2017-08-03 Thread Dan Hollis

On Thu, 3 Aug 2017, Benoit Panizzon wrote:

Apparently this was not their problem.


As long as the money's green?

-Dan


Re: For the Wireless Guys

2017-08-14 Thread Dan Hollis

Good for a few meters at best? Terahertz is blocked by air.

-Dan

On Mon, 14 Aug 2017, Rod Beck wrote:


https://phys.org/news/2017-08-transmission-terahertz-multiplexer.html


Roderick Beck

Director of Global Sales

United Cable Company

DRG Undersea Consulting

Affiliate Member

www.unitedcablecompany.com

85 Király utca, 1077 Budapest

rod.b...@unitedcablecompany.com

36-30-859-5144





Re: Attacks from poneytelecom.eu

2018-01-03 Thread Dan Hollis

On Wed, 3 Jan 2018, Dovid Bender wrote:

On Wed, Jan 3, 2018 at 2:47 AM, Mickael Marchand 
wrote:

Hi Dovid,

Just fill in our abuse form at https://abuse.online.net


I have no idea why anyone thinks it is acceptable to require victims to 
fill out online web forms.


-Dan


Re: Attacks from poneytelecom.eu

2018-01-04 Thread Dan Hollis

On Thu, 4 Jan 2018, valdis.kletni...@vt.edu wrote:

On Thu, 04 Jan 2018 09:33:51 -0500, William Herrin said:

Why anyone thinks it's acceptable for the form submission to vanish in to
the faceless support queue is more of a quandary. The form submission
should provide a case number, the individual to whom it is assigned, direct
contact information for that individual and a promise that your report will
receive a response.

The very real problem with direct contact info is that people latch onto it.
Then, if there's another issue the person will bypass your form submission,
send a direct e-mail - which would then not be dealt with if that particular
person wasn't working, for reasons ranging from vacation to no longer being
with the provider in an abuse desk role.

Been there, done that.  Been out of the country and offline for 36 hours,
reconnect and there's a user with a problem that would have been dealt
with 36 hours earlier if they had sent it to our help desk instead of to me
directly.


They use your direct contact info because your help desk isn't responsive.

They go where they get results. No results from help desk = direct contact 
to you.


-Dan


Re: Attacks from poneytelecom.eu

2018-01-04 Thread Dan Hollis

On Thu, 4 Jan 2018, William Herrin wrote:

On Thu, Jan 4, 2018 at 11:48 AM, Michael Crapse  wrote:

I've never dealt with a support queue that resolved the issue faster than
a direct contact.

I've never dealt with a support queue that's more competent than the last
direct contact I talked with. Navigating the support queue to the guy
competent to deal with my problem is one of the more infuriating things
about big company support.


it does get kind of old when you have to argue with first tier support 
on how to read smtp headers. or that an IP address registered to them in 
ARIN actually belongs to them.


people reach out to nanog because first tier support is clueless and 
completely ineffective.


when the first tier incompetence stops, the direct contacts will stop too.

-Dan


Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks

2018-02-27 Thread Dan Hollis

OVH does not surprise me in the least.

Maybe this is finally what it will take to get people to de-peer them.

-Dan

On Tue, 27 Feb 2018, Ca By wrote:


Please do take a look at the cloudflare blog specifically as they name and
shame OVH and Digital Ocean for being the primary sources of mega crap
traffic

https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/

Also, policer all UDP all the time... UDP is unsafe at any speed.


On Tue, Feb 27, 2018 at 12:28 PM Barry Greene  wrote:


Hello Fellow NANOGer,

If you have not already seen it, experienced it, or read about it, we are working
to head off another reflection DOS vector. This time it is memcached on
port 11211 UDP & TCP. There are active exploits using these ports.
Reflection attacks and memcached are not new. We know how reflection
attacks work (send a spoofed packet to a device and have it reflected back),
so yes, please deploy source address validation and BCP 38.

Operators are asked to review their networks and consider updating their
Exploitable Port Filters (Infrastructure ACLs) to track or block UDP/TCP
port 11211 for all ingress and egress traffic. If you do not know about
iACLs or Exploitable port filters, this white paper has details and
examples from peers on Exploitable Port Filters:
http://www.senki.org/operators-security-toolkit/filtering-exploitable-ports-and-minimizing-risk-to-and-from-your-customers/

Enterprises are also asked to update their iACLs, Exploitable Port
Filters, and Firewalls to track or block UDP/TCP port 11211 for all ingress
and egress traffic.

Deploying these filters will help protect your network, your organization,
your customers, and the Internet.

Ping me 1:1 if you have questions.

Sincerely,

--
Barry Raveendran Greene
Security Geek helping with OPSEC Trust
Mobile: +1 408 218 4669
E-mail: bgre...@senki.org


Resources on memcached Exploit (to evaluate your risk):

More information about this attack vector can be found at the following:

• JPCERT – Alert regarding memcached access control (JPCERT-AT-2018-0009)
http://www.jpcert.or.jp/at/2018/at180009.html
• Qrator Labs: The memcached amplification attacks reaching 500
Gbps

https://medium.com/@qratorlabs/the-memcached-amplification-attack-reaching-500-gbps-b439a7b83c98
• Arbor Networks: memcached Reflection/Amplification Description
and DDoS Attack Mitigation Recommendations

https://www.arbornetworks.com/blog/asert/memcached-reflection-amplification-description-ddos-attack-mitigation-recommendations/
• Cloudflare: Memcrashed – Major amplification attacks from UDP
port 11211

https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/
• Link11: New High-Volume Vector: Memcached Reflection
Amplification Attacks

https://www.link11.com/en/blog/new-high-volume-vector-memcached-reflection-amplification-attacks/
• Blackhat Talk: The New Page of Injections Book: Memcached
Injections by Ivan Novikov

https://www.blackhat.com/docs/us-14/materials/us-14-Novikov-The-New-Page-Of-Injections-Book-Memcached-Injections-WP.pdf
• Memcache Exploit
http://niiconsulting.com/checkmate/2013/05/memcache-exploit/
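As an added illustration of the review Barry asks operators to do (not code from the thread, from senki.org or from any vendor named above), the script below scores constructed flow records for the UDP/TCP 11211 traffic an Exploitable Port Filter would catch: requests reaching memcached from outside the network, and large UDP replies leaving port 11211 towards outside hosts, the signature of an open instance being used as an amplifier. The address space, the flow format, the sample flows and the bytes-per-packet threshold are all assumptions made for the example.

```python
"""Flag memcached (port 11211) reflection traffic in flow records.

Added example for the NANOG thread above. Everything here (prefixes,
thresholds, flow format, sample data) is constructed for the demo.
"""
import ipaddress
from collections import defaultdict

# Assumption: the operator's own address space (constructed).
OUR_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]
MEMCACHED_PORT = 11211
# A memcached GET/STATS request fits in a small UDP datagram; datagrams
# from port 11211 averaging this many bytes are replies. Demo threshold.
LARGE_REPLY_BYTES_PER_PKT = 1000

# Constructed flow records: proto src sport dst dport packets bytes
SAMPLE_FLOWS = """\
udp 198.51.100.7 40001 203.0.113.10 11211 3 180
udp 203.0.113.10 11211 198.51.100.7 40001 120 168000
udp 203.0.113.10 11211 192.0.2.55 40002 60 84000
tcp 203.0.113.20 11211 203.0.113.21 50222 10 4000
udp 203.0.113.30 53 198.51.100.9 3322 1 120
udp 198.51.100.9 40003 203.0.113.10 11211 1 60
"""


def is_ours(ip):
    """True if the address falls inside the operator's own prefixes."""
    return any(ipaddress.ip_address(ip) in p for p in OUR_PREFIXES)


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proto, src, sport, dst, dport, pkts, nbytes = line.split()
        flows.append({"proto": proto, "src": src, "sport": int(sport),
                      "dst": dst, "dport": int(dport),
                      "packets": int(pkts), "bytes": int(nbytes)})
    return flows


def classify(flow):
    """Label one flow, or return None if it is not memcached exposure.

    Internal-only memcached traffic (both ends in our prefixes) is left
    alone: the iACL concern is the network edge, not the cache itself.
    """
    inbound = flow["dport"] == MEMCACHED_PORT
    if inbound and not is_ours(flow["src"]) and is_ours(flow["dst"]):
        return "inbound-request"      # external host querying our memcached
    outbound = flow["sport"] == MEMCACHED_PORT
    if outbound and is_ours(flow["src"]) and not is_ours(flow["dst"]):
        bpp = flow["bytes"] / flow["packets"] if flow["packets"] else 0
        if flow["proto"] == "udp" and bpp >= LARGE_REPLY_BYTES_PER_PKT:
            return "reflected-reply"  # big UDP answers leaving the network
        return "outbound-reply"
    return None


def analyze(text):
    """Per exposed host: request/reply volumes and the amplification ratio."""
    report = defaultdict(lambda: {"requests": 0, "request_bytes": 0,
                                  "reply_bytes": 0, "labels": set()})
    for f in parse_flows(text):
        label = classify(f)
        if label is None:
            continue
        host = f["dst"] if label == "inbound-request" else f["src"]
        entry = report[host]
        entry["labels"].add(label)
        if label == "inbound-request":
            entry["requests"] += 1
            entry["request_bytes"] += f["bytes"]
        else:
            entry["reply_bytes"] += f["bytes"]
    for entry in report.values():
        req = entry["request_bytes"]
        entry["amplification"] = entry["reply_bytes"] / req if req else None
    return dict(report)


if __name__ == "__main__":
    for host, entry in analyze(SAMPLE_FLOWS).items():
        print(host, sorted(entry["labels"]), entry["amplification"])
```

A ratio in the hundreds or more for a host in your own space means the edge filter on 11211 is missing, not that the cache is busy.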





Re: Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks

2018-02-27 Thread Dan Hollis

On Wed, 28 Feb 2018, Filip Hruska wrote:

What exactly should they do, according to you?


read and act on abuse reports.


Why should people de-peer them?


because they ignore abuse reports.

-Dan


Re: verizon fios bounced a legit private email of mine telling me it was spam and they would not allow it

2016-01-14 Thread Dan Hollis

This is what's going on at verizon.

http://www.spamhaus.org/news/article/726/

-Dan

On Wed, 13 Jan 2016, Gordon Cook wrote:


dear Nanog

Sorry to bother you,   I am sitting here in shock,   I have been a Verizon to  
FiOS customer for about the past six years at least I think maybe eight.
every now and then the Verizon server will bounce an email back and tell me 
that it’s busy or not functioning but just now it bounced one back and I’m 
sorry I don’t have a screenshot of what it said but it clearly said that it 
considered me to be a spammer.   I may be a lot of things but a spammer I am 
not.  ;-)   when I get an email bounced back Apple OS X  always volunteers to 
use the pair networks server and I always automatically take that choice giving 
it never a second thought.

it also reminded me that there was a limit on the amount of private emails a 
customer could send.

And it said I needed to take the alleged spam and send it to

spamdetector.upd...@verizon.net  and if I remember correctly wait at least an 
hour and then try to send the message again.

Stating very clearly that no human being would talk to me.

what in God’s name is going on?   Please a year and a half or two years ago 
when a route  to Ecuador was being filtered a couple of NANOG folk  knew whom 
to contact and the problem was fixed in record time.   I am hoping   that I 
will experience the same thing.   I should not be a stranger to any old time 
Nanog-ers.   but right now I’m feeling really paranoid!



Re: verizon fios bounced a legit private email of mine telling me it was spam and they would not allow it

2016-01-14 Thread Dan Hollis

complacency. it's a winning formula.

-Dan

On Thu, 14 Jan 2016, Christopher Morrow wrote:


'4 MILLION IP ADDRESSES!!!'

On Wed, Jan 13, 2016 at 4:55 PM, Dan Hollis  wrote:

This is what's going on at verizon.

http://www.spamhaus.org/news/article/726/

-Dan


On Wed, 13 Jan 2016, Gordon Cook wrote:


dear Nanog

Sorry to bother you,   I am sitting here in shock,   I have been a Verizon
to  FiOS customer for about the past six years at least I think maybe eight.
every now and then the Verizon server will bounce an email back and tell me
that it’s busy or not functioning but just now it bounced one back and I’m
sorry I don’t have a screenshot of what it said but it clearly said that it
considered me to be a spammer.   I may be a lot of things but a spammer I am
not.  ;-)   when I get an email bounced back Apple OS X  always volunteers
to use the pair networks server and I always automatically take that choice
giving it never a second thought.

it also reminded me that there was a limit on the amount of private emails
a customer could send.

And it said I needed to take the alleged spam and send it to

spamdetector.upd...@verizon.net  and if I remember correctly wait at least
an hour and then try to send the message again.

Stating very clearly that no human being would talk to me.

what in God’s name is going on?   Please a year and a half or two years
ago when a route  to Ecuador was being filtered a couple of NANOG folk  knew
whom to contact and the problem was fixed in record time.   I am hoping
that I will experience the same thing.   I should not be a stranger to any
old time Nanog-ers.   but right now I’m feeling really paranoid!







Re: de-peering for security sake

2016-01-17 Thread Dan Hollis

On Sun, 17 Jan 2016, b...@theworld.com wrote:

Sure, you have your hands on BGP etc, so what router commands (hammer)
can effect international policy (nail)?

This is fundamentally a social and political issue and needs to be
dealt with on that level, not with changes in router configs.


bgp blackhole fed by rbl?

at the very least, scavenger queue packets by rbl.

complacency / willful negligence needs to have a monetary cost.

-Dan


Re: de-peering for security sake

2016-01-17 Thread Dan Hollis

On Sun, 17 Jan 2016, Doug Barton wrote:

On 1/17/2016 12:44 PM, b...@theworld.com wrote:

We need an effective forum with effective participation perhaps
eventually leading to signed contractual obligations agreed to by all
parties.
Not gonna help. The same people who have no incentive to do the right thing 
now will still have no incentive to join the group you propose.


I've said it before, and it's an unpopular option, but the only way that this 
will change is to make it more expensive to do the wrong thing than it is to 
do the right thing.


I think it can happen without lawsuits. look at RBLs and spamhaus. a bit 
sad that spamhaus has to exist in order to motivate operators to clean up 
their cesspools, but it does work to a certain extent.


-Dan