Re: Incident notification
While we do not do this ourselves, I wonder why we would not use Twitter. You can receive SMS, or texts in the app on a smart phone, or look at a webpage. You can make them private and have lots of subscribers. I find Twitter more reliable than our local SMS providers too.

d

On Fri, Nov 21, 2014 at 9:52 AM, Thijs Stuurman thijs.stuur...@is.nl wrote:

Nanog list members,

I was looking at some statistics and noticed we are sending out a massive amount of SMS messages from our monitoring systems. This left me wondering if there isn't a better (and cheaper) alternative to this, something just as reliant but IP based. We all have smartphones these days anyway.

Therefore my question, what are you using to notify admins of incidents?

Kind regards,
Thijs Stuurman

IS Group
Wielingenstraat 8, 1441 ZR Purmerend
T +31 (0)299 476 185
F +31 (0)299 476 288
i...@is.nl
www.is.nl

IS Group is ISO 9001:2008, ISO/IEC 27001:2005, ISO 20.000-1:2005, ISAE 3402 certified. The data centers are PCI DSS and ISO 14001 compliant.

--
Copyright 2014 Derek Andrew (excluding quotations) +1 306 966 4808 Information Systems University of Saskatchewan Peterson 120; 54 Innovation Boulevard Saskatoon, Saskatchewan, Canada. S7N 2V3 Timezone GMT-6 Typed but not read.
Re: Vendor cert levels
I found the fastest way to open a sev 1 case is to open it online as sev 3, that gets all the questions out of the way, then call the 800 number and escalate to network down emergency. You then hold for the next available engineer. I am pleased with the responsiveness of this approach.

d

On Wed, Sep 3, 2014 at 3:34 PM, Jon Garrison blueg...@freeshell.org wrote:

On 3 Sep 2014, at 12:23, Jared Mauch wrote:

On Sep 3, 2014, at 5:00 AM, Isaac Adams isaacna...@gmail.com wrote:

Hey Folks,

I am trying to work out a strategy for vendor certification in our company. As a general rule, do you all fund employees certification and if so what kind of levels do you try to maintain as good practice? For example. NOC staff should be JNCIA and engineering JNCIP to JNCIE? Clearly certification does not usually reflect ability but it does help people feel valued and to maintain a basic level of competence.

Cisco discriminates against customers without certification and delays service and support to them as a result. (e.g.: you can’t open a sev 1 case online unless you are “CCIE”).

You can however just call them and yell Environment Down and they will call it whatever Sev you want. There are an unending number of issues with their online case opening portal however. Filling out a form online to wait a call back was never my first choice. Plus putting that Cisco hold music on speaker is a good way to improve the mood!

You likely want to have someone with this access in their account to speed access when there are network critical issues.

- Jared

--
Copyright 2014 Derek Andrew (excluding quotations) +1 306 966 4808 Information and Communications Technology University of Saskatchewan Peterson 120; 54 Innovation Boulevard Saskatoon, Saskatchewan, Canada. S7N 2V3 Timezone GMT-6 Typed but not read.
Re: NAT IP and Google
As others have said, Google's abuse systems are smart enough to understand NAT and proxies, and won't block on request volume alone. When we automatically apply a block, we'll generally offer a captcha to give innocent users a workaround and limit the annoyance until the abuse stops and the block can expire

This failed at our site. Our entire IPv4 and IPv6 address blocks received captcha after captcha after captcha, forever and ever. There was a link on the page to get more information, but all that got was another captcha.

Normally I am 100% behind Google in everything, but sadly, this has now fallen to 99.8%.

derek

On Wed, May 21, 2014 at 10:42 PM, Damian Menscher dam...@google.com wrote:

On Tue, May 20, 2014 at 7:21 AM, Pui Edylie em...@edylie.net wrote:

May I know what is the best approach so that Google would not ban our Natted IP from time to time as it suspect it as a bot.

As others have said, Google's abuse systems are smart enough to understand NAT and proxies, and won't block on request volume alone. When we automatically apply a block, we'll generally offer a captcha to give innocent users a workaround and limit the annoyance until the abuse stops and the block can expire.

While we do everything we can to limit the collateral damage, if your organization has an infected user spewing abuse, you need to take responsibility for your network. IPv6 is the best long-term solution, as this will allow Google's abuse systems to distinguish between your users and block only those violating the ToS. Please give each user a distinct /64 (this seems obvious, but I've seen someone put all their users in the same /96).

If you can't deploy IPv6 yet, some other suggestions:

- Put your users behind a proxy that adds the X-Forwarded-For header with the user's internal IP. Google's abuse systems use that header to limit blocking when possible.
- Review your machines for signs of infection -- many blocks are triggered by botnets that are sending abuse. Another common cause is a browser extension that automatically sends requests. Finally, don't set up monitoring to test whether you're being blocked -- those automated monitoring requests are also a violation of the ToS and only increase the chance of being blocked.
- If you have a proxy, test it to ensure it's not an open proxy. Open proxies are frequently abused, and will get blocked as a result.
- Partitioning users across different IPs can help contain the collateral damage when one user's machine goes rogue. If you load-balance all users across all your IPs then it will likely just result in the entire pool being blocked.

Is there any official channel from Google which we could work with them for resolution?

There's no official channel for working to resolve a blocking issue. Years of experience proves the abuse systems are very accurate (and constantly being improved) -- false positives are extremely rare. Despite this certainty, due to privacy concerns no evidence can be shared back to the ISP to point to the source of abuse. Since nothing can be shared except for times abuse was seen (which is rarely helpful due to lack of logging by the ISP), the response is generally just the suggestions listed above. The blocks will expire on their own once the abuse has been stopped.

Damian
--
Damian Menscher :: Security Reliability Engineer :: Google

--
Copyright 2014 Derek Andrew (excluding quotations) +1 306 966 4808 Information and Communications Technology University of Saskatchewan Peterson 120; 54 Innovation Boulevard Saskatoon, Saskatchewan, Canada. S7N 2V3 Timezone GMT-6 Typed but not read.
Re: NAT IP and Google
They take out our campus, both IPv4 and IPv6. All hailing attempts fail. Good luck.

On Tue, May 20, 2014 at 8:21 AM, Pui Edylie em...@edylie.net wrote:

Hi Everyone,

May I know what is the best approach so that Google would not ban our Natted IP from time to time as it suspect it as a bot.

Is there any official channel from Google which we could work with them for resolution?

Thanks much!

Best,
Edy

--
Copyright 2014 Derek Andrew (excluding quotations) +1 306 966 4808 Information and Communications Technology University of Saskatchewan Peterson 120; 54 Innovation Boulevard Saskatoon, Saskatchewan, Canada. S7N 2V3 Timezone GMT-6 Typed but not read.
Re: [VoiceOps] (cross post) VoIP heat charts...
http://www.nanpa.com/nanp1/allutlzd.zip lists NPANXX and Ratecentre.

derek

On Mon, Jan 13, 2014 at 7:33 PM, Paul Timmins p...@telcodata.us wrote:

On Jan 9, 2014, at 2:38 PM, Jay Ashworth j...@baylink.com wrote:

- Original Message -

Looking to heat chart where fraudulent calls are going.

So you want to be able to feed NPANXX Count to something that will map the call counts on a US map. You have anything that does NPANXX to HV, or directly to Lat Lon, already? Cause that's the hard part.

Telcodata has this available.

city-county-zip-byratecenter
TelcoData - Advanced Membership
Area code, exchange, State, City, County, Zip - By Ratecenter (Requires Advanced Subscription)

--
Copyright 2014 Derek Andrew (excluding quotations) +1 306 966 4808 Information and Communications Technology University of Saskatchewan Peterson 120; 54 Innovation Boulevard Saskatoon, Saskatchewan, Canada. S7N 2V3 Timezone GMT-6 Typed but not read.
Re: OpenNTPProject.org
nmap -sU -pU:123 -Pn -n --script=ntp-monlist serverIP

On Mon, Jan 13, 2014 at 3:07 PM, Jared Mauch ja...@puck.nether.net wrote:

Greetings,

With the recent increase in NTP attacks, I wanted to advise the community of a few things:

There are about 1.2-1.5 million of these servers out there.

1) You can search your IP space to find NTP servers that respond to the ‘MONLIST’ queries.

2) I’ve found some vendors have old embedded versions of NTP including ILO/Service Processors and other parts of the “internet of things”.

3) You want to upgrade NTP, or adjust your ntp.conf to include ‘limited’ or ‘restrict’ lines or both. (I defer to someone else to be an expert in this area, but am willing to learn :) )

4) Please prevent packet spoofing where possible on your network. This will limit the impact of spoofed NTP or DNS (amongst others) packets from impacting the broader community.

5) Some vendors don’t have an easy way to alter the ntp configuration, or have not or won’t be updating NTP, you may need to use ACLs, firewall filters, or other methods to block this traffic. I’ve heard of many routers being used in attacks impacting the CPU usage.

Take a moment and see if your devices respond to the following query/queries:

ntpdc -n -c monlist 10.0.0.1
ntpdc -n -c loopinfo 10.0.0.1
ntpdc -n -c iostats 10.0.0.1

6) If you do VMs/Servers and have a template, please make sure that they do not respond to NTP requests.

Thanks!

- Jared

--
Copyright 2014 Derek Andrew (excluding quotations) +1 306 966 4808 Information and Communications Technology University of Saskatchewan Peterson 120; 54 Innovation Boulevard Saskatoon, Saskatchewan, Canada. S7N 2V3 Timezone GMT-6 Typed but not read.
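
The ntp.conf adjustment named in item 3 of the quoted post can be checked offline. The following is an added example, not code from either poster: it reads a configuration and reports which address families still answer ntpdc/ntpq queries or lack rate limiting. The function name, finding labels and sample configurations are constructed, and a bare `restrict default` is assumed to cover both IPv4 and IPv6.

```python
# Added example: audit an ntp.conf for the default "restrict" flags that
# decide whether ntpdc/ntpq queries (monlist, loopinfo, iostats) get answers.

def audit_ntp_conf(text):
    """Return a list of (family, issue) findings for an ntp.conf body."""
    defaults = {"ipv4": None, "ipv6": None}  # family -> flags on its default line
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()  # drop comments
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        args = tokens[1:]
        families = ["ipv4", "ipv6"]  # assumption: bare "default" covers both
        if args[0] in ("-4", "-6"):
            families = ["ipv4" if args[0] == "-4" else "ipv6"]
            args = args[1:]
        if not args or args[0] != "default":
            continue  # host- or subnet-specific rule, not the default
        for family in families:
            defaults[family] = set(args[1:])
    findings = []
    for family, flags in defaults.items():
        if flags is None:
            findings.append((family, "no-default-restrict"))
        elif "ignore" not in flags:  # "ignore" drops every packet
            if "noquery" not in flags:
                findings.append((family, "queries-allowed"))
            if "limited" not in flags:
                findings.append((family, "no-rate-limit"))
    return findings

# Constructed sample configurations (hostnames are placeholders).
WEAK_CONF = """\
driftfile /var/lib/ntp/drift
server ntp1.example.net iburst
restrict -4 default nomodify notrap   # no noquery, no limited
restrict 127.0.0.1
"""
HARDENED_CONF = """\
server ntp1.example.net iburst
restrict default kod limited nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_ntp_conf(conf) or "no findings")
```

A clean result covers the configuration file only; the ntpdc queries quoted above remain the check for what a device actually answers on the wire.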
Re: Internet Surveillance and Boomerang Routing: A Call for Canadian Network Sovereignty
The topic of Canadian network sovereignty has been part of the Canadian conscience since the failure of CANNET back in the 1970s.

Canadian citizens, on Canadian soil, already supply feeds directly to the NSA.

Rerouting Internet traffic would make no difference.

On Sat, Sep 7, 2013 at 3:08 PM, Paul Ferguson fergdawgs...@mykolab.com wrote:

A Canadian ISP colleague of mine suggested that the NANOG constituency might be interested in this, given some recent 'revelations', so I forward it here for your perusal.

Preliminary analysis of more than 25,000 traceroutes reveals a phenomenon we call ‘boomerang routing’ whereby Canadian-to-Canadian internet transmissions are routinely routed through the United States. Canadian originated transmissions that travel to a Canadian destination via a U.S. switching centre or carrier are subject to U.S. law - including the USA Patriot Act and FISAA. As a result, these transmissions expose Canadians to potential U.S. surveillance activities – a violation of Canadian network sovereignty.

http://lawprofessors.typepad.com/media_law_prof_blog/2013/09/routing-internet-transmission-across-the-canada-us-border-and-us-surveillance-activities.html

Cheers,

- ferg

--
Paul Ferguson
Vice President, Threat Intelligence
Internet Identity, Tacoma, Washington USA
IID -- Connect and Collaborate -- www.internetidentity.com

--
Copyright 2013 Derek Andrew (excluding quotations) +1 306 966 4808 Information and Communications Technology University of Saskatchewan Peterson 120; 54 Innovation Boulevard Saskatoon, Saskatchewan, Canada. S7N 2V3 Timezone GMT-6 Typed but not read.
Re: What do people use public suffix for?
dnswl.org should look at publicsuffix.org to correct errors.

On Mon, Apr 15, 2013 at 7:55 AM, Matthias Leisi matth...@leisi.net wrote:

On Mon, Apr 15, 2013 at 3:10 PM, John Levine jo...@iecc.com wrote:

You don't have to tell me that it's a gross crock, but it seems to be a useful one. What do people use it for? Here's what I know of:

At dnswl.org, we use a heuristic (and manual checks) to derive different levels of management (ie, foo.example.org may or may not be under the same operational responsibility as bar.example.org). Using publicsuffix.org data would allow us to automate some of that work (I just have not yet got around to implement it).

-- Matthias

--
Copyright 2013 Derek Andrew (excluding quotations) +1 306 966 4808 Information and Communications Technology University of Saskatchewan Peterson 120; 54 Innovation Boulevard Saskatoon, Saskatchewan, Canada. S7N 2V3 Timezone GMT-6 Typed but not read.
Re: job screening question
Isn't MTU discovery on IP and not TCP?

On Thu, Jul 5, 2012 at 11:11 AM, Oliver Garraux oli...@g.garraux.net wrote:

Seems fairly straightforward to me. It'll break path MTU discovery. I would hope someone applying for an IP expert position would know that. Could HR be mangling the question or something?

Oliver

-
Oliver Garraux
Check out my blog: www.GetSimpliciti.com/blog
Follow me on Twitter: twitter.com/olivergarraux

On Thu, Jul 5, 2012 at 1:02 PM, William Herrin b...@herrin.us wrote:

Hi folks,

I gave my HR folks a screening question to ask candidates for an IP expert position. I've gotten some unexpected answers, so I want to do a sanity check and make sure I'm not asking something unreasonable. And by unexpected I don't mean naively incorrect answers, I mean oh-my-God-how-did-you-get-that-cisco-certification answers.

The question was: You implement a firewall on which you block all ICMP packets. *What part of the TCP protocol (not IP in general, TCP specifically) malfunctions as a result?*

My questions for you are:

1. As an expert who follows NANOG, do you know the answer? Or is this question too hard?
2. Is the question too vague? Is there a clearer way to word it?
3. Is there a better screening question I could pass to HR to ask and check the candidate's response against the supplied answer?

Thanks,
Bill Herrin

--
William D. Herrin her...@dirtside.com b...@herrin.us
3005 Crane Dr. Web: http://bill.herrin.us/
Falls Church, VA 22042-3004

--
Copyright 2012 Derek Andrew (excluding quotations) +1 306 966 4808 ICT University of Saskatchewan Peterson 120; 105 North Road Saskatoon, Saskatchewan, Canada. S7N 4L5 Timezone GMT-6 Typed but not read.