Re: DOD prefixes and AS8003 / GRSCORP

2021-03-11 Thread Filip Hruska
Contacted HE NOC earlier regarding these announcements, they are 
"legitimate".


Filip

On 11/03/2021 14:56, Javier Henderson wrote:



On Mar 11, 2021, at 8:43 AM, Eric Dugas via NANOG  wrote:

I would be really curious to see the LOA presented to AS6939 to announce 54 
million IPs out of government IP space and what type of verification was done 
because it doesn't seem legit at all.

Did you try calling the number on the WHOIS for AS8003, or maybe HE’s NOC to 
follow up?

-jav



Re: 10g residential CPE

2020-12-26 Thread Filip Hruska
I wouldn't rely on these numbers too much, your testing methodology is flawed.
People don't expect RING nodes to be used as speedtest servers and so they are 
usually not connected to high speed networks. 

Using a classical speedtest.net (Web or CLI) application would make much more 
sense, given the servers are actually connected to high speed Internet and are 
tuned to achieve such speeds - which is much more akin to how the most 
bandwidth demanding stuff (streaming, game downloads, system updates from CDNs) 
behaves. 

It's certainly possible to get 1G+ over >10ms RTT connections single stream - 
the buffers are certainly not THAT small for it to be a problem - not to 
mention game distribution platforms do usually open multiple connections to 
maximise the bandwidth utilisation. 

Re 85KB: that's just the initial window size, which will grow given tcp window 
scaling is enabled (default on modern Linux). 

Filip


On 26 December 2020 19:14:13 CET, Baldur Norddahl  
wrote:
>On Sat, 26 Dec 2020 at 18:55, Mikael Abrahamsson wrote:
>
>> On Sat, 26 Dec 2020, Baldur Norddahl wrote:
>>
>> > It is true there have been TCP improvements but you can very easily
>> verify
>> > for yourself that it is very hard to get anywhere near 1 Gbps of
>actual
>> > transfer speed to destinations just 10 ms away. Try the nlnog ring
>> network
>> > like this:
>> >
>> > gigabit@gigabit01:~$ iperf -c netnod01.ring.nlnog.net
>> > 
>> > Client connecting to netnod01.ring.nlnog.net, TCP port 5001
>> > TCP window size: 85.0 KByte (default)
>> > 
>> > [  3] local 185.24.168.23 port 50632 connected with 185.42.136.5
>port
>> 5001
>> > [ ID] Interval   Transfer Bandwidth
>> > [  3]  0.0-10.0 sec   452 MBytes   379 Mbits/sec
>>
>> Why would you just use 85KB of TCP window size?
>>
>> That's not the problem of buffering (or lack thereof) along the path,
>that
>> just not enough TCP window size for long-RTT high speed transfers.
>>
>
>That is just the starting window size. Also it is the default and I am
>not
>going to tune the connection because no such tuning will occur when you
>do
>your next far away download and wonder why it is so slow.
>
>If you do the math you will realise that 379 Mbps at 10 ms is
>impossible
>with 85 K window.
>
>I demonstrated that it is about buffers by showing the same download
>from a
>server that paces the traffic indeed gets the full 930 Mbps with
>exactly
>the same settings, including starting window size, and the same path
>(Copenhagen to Stockholm).
>
>Regards
>
>Baldur

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
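
The window arithmetic argued over in the quoted exchange, carried through as an added example that is not part of any message in the thread: the rate bound a fixed receive window imposes at a given RTT, the window a target rate needs in flight, and the smallest TCP window-scale shift (RFC 7323) that makes such a window advertisable. The figures are the thread's own (85 KByte default window, 10 ms RTT, 379 and 930 Mbit/s); reading iperf's "KByte" as 1024 bytes is an assumption.

```python
import math

# Bandwidth-delay product arithmetic behind the thread's argument.
# Assumption: iperf's "KByte" means 1024 bytes; RTT is given in milliseconds.

def max_throughput_bps(window_bytes: int, rtt_ms: float) -> float:
    """Upper bound on one TCP stream's rate when the receive window is the
    only limit: at most one full window is delivered per round trip."""
    return window_bytes * 8 * 1000 / rtt_ms

def required_window_bytes(target_bps: float, rtt_ms: float) -> int:
    """Bytes that must be in flight to sustain target_bps over rtt_ms."""
    return math.ceil(target_bps * rtt_ms / 8000)

def min_window_scale(window_bytes: int) -> int:
    """Smallest window-scale shift (0..14, RFC 7323) whose largest
    advertisable window (65535 << shift) covers window_bytes."""
    for shift in range(15):
        if (65535 << shift) >= window_bytes:
            return shift
    raise ValueError("window exceeds what TCP window scaling can express")

def explain(window_bytes: int, rtt_ms: float, target_bps: float) -> dict:
    """Summarise what the given window allows and what the target needs."""
    bound = max_throughput_bps(window_bytes, rtt_ms)
    needed = required_window_bytes(target_bps, rtt_ms)
    return {
        "bound_mbps": bound / 1e6,
        "needed_window_bytes": needed,
        "needed_scale_shift": min_window_scale(needed),
        # False here means the window must have grown during the transfer,
        # i.e. window scaling was in play, for the target rate to be reached.
        "target_reachable_without_growth": bound >= target_bps,
    }

if __name__ == "__main__":
    # 85 KByte at 10 ms caps a stream far below the 379 Mbit/s the quoted
    # iperf run reached, so the window cannot have stayed at its initial size.
    print(explain(85 * 1024, 10, 379e6))
    # What a 930 Mbit/s single stream at 10 ms needs in flight.
    print(explain(85 * 1024, 10, 930e6))
```

The bound from a fixed 85 KByte window at 10 ms comes out at roughly 70 Mbit/s, which is the point both sides agree on; the disagreement is only about whether the window grows (scaling) or the path's buffers decide what it grows to.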

Re: Global Peer Exchange

2020-11-30 Thread Filip Hruska

To expand on that a bit: The pricing differs per geographical region, I
was offered 0.1 EUR/Mbps, someone I know in Australia got a price
several times higher. No fixed port costs, no commit, no distance-based
fees. No discounts for larger ports. 


Both sites have to be separate companies, not just separate ASNs. If you
ask about that, they will point you at their L2 PtP product instead. 


Regards,
Filip 


On 2020-11-30 19:11, Paul Emmons wrote:


You take down a 10g connection and they bill each side $.2 a meg, 95th 
percentile billing.  VLAN between the two sites. Both sites have to have a 
different AS number.  So if you want to move 1g of data, 95th percentile, 
between 2 datacenters I guess it has some utility at $400 a gig effective 
pricing.   I can't believe it is a great money maker for them. Oh and it's 
Cogent and they say they can't give you above 1500 mtu.


~P

Re: Mystery CDN

2020-06-17 Thread Filip Hruska
Using Shodan, we can find other nodes belonging to the same CDN by 
searching for "FP6.1.1866.55", which is conveniently present in the 
"Server" HTTP header.


Skimming through the results, it would appear most of the nodes are on 
the Level 3 network. Picking one non-Level3 node at random 
(192.67.191.173) and doing an rDNS lookup reveals the following:


173.191.67.192.in-addr.arpa. 3600 IN    PTR 
LEVEL3-CDN-192-67-191-173.de.kpn-eurorings.net.


There's your answer. "Level 3 CDN".

Kind Regards,
Filip Hruska

On 6/17/20 6:09 PM, Justin Oeder wrote:

Former Level3 operates a CDN.  Might be worth looking into.

On Wed, Jun 17, 2020, 11:43 AM Stephen Satchell wrote:


On 6/17/20 8:29 AM, Clinton Work wrote:
> I'm struggling to determine which CDN owns the servers in
CenturyLink prefix 8.240.0.0/12.   During
the Call of Duty Season 4 update on June 11th from 06:00 UTC until
08:30 UTC, we had 240 Gbps of traffic streaming into our network
from CenturyLink prefix 8.240.0.0/12.   We
originally thought it was Akamai, but they swear up and down that
the servers don't belong to them.
>
> Here are some of the HTTP/HTTPS servers in 8.240.0.0/12:
> 8.253.151.248
> 8.251.135.126
> 8.240.167.126
> 8.240.228.126
> 8.240.168.126
> 8.240.126.254
> 8.240.191.254

You might ask Level3.



Re: Best way to get foreign ISPs to shut down DDoS reflectors?

2020-04-23 Thread Filip Hruska
Sounds like you'll need to talk to your upstreams if they can provide DDOS 
protection, alternatively look for remote DDOS protection options.

Regards,
Filip

On 23 April 2020 11:30:36 pm GMT+02:00, Bottiger  wrote:
>We are unable to upgrade our bandwidth in those areas. There are no
>providers within our budget there at the moment. Surely there must be
>some
>way to get them to respond.
>
>On Thu, Apr 23, 2020 at 2:23 PM Siyuan Miao  wrote:
>
>> It won't work.
>>
>> Get a good DDoS protection and forget about it.
>>
>> On Fri, Apr 24, 2020 at 5:17 AM Bottiger 
>wrote:
>>
>>> Is there a guide on how to get foreign ISPs to shut down reflectors
>used
>>> in DDoS attacks?
>>>
>>> I've tried sending emails listed under abuse contacts for their
>regional
>>> registries. Either there is none listed, the email is full, email
>does not
>>> exist, or they do not reply. Same results when sending to whatever
>other
>>> email they have listed.
>>>
>>> Example Networks:
>>>
>>> CLARO S.A.
>>> Telefonica
>>> China Telecom
>>> Korea Telecom
>>>
>>

-- 
Sent from my mobile device. Please excuse my brevity.

Re: Looking for transit with full table bgp cloud options

2020-03-12 Thread Filip Hruska
Hi, 
I would recommend taking a look at a spreadsheet available at 
https://bgp.services

Filip

On 12 March 2020 10:30:50 pm GMT+01:00, Joe Maimon  wrote:
>Hey all,
>
>I am looking for some cloud services, that would support Transit and 
>full table BGP to the cloud provided vm(s).
>
>I am specifically not referring to the various BGP private vpn 
>routing/interconnect options available with the big guys.
>
>If anyone has any suggestions or ideas I would love to hear them.
>
>Joe

-- 
Sent from my mobile device. Please excuse my brevity.

Re: Hi-Rise Building Fiber Suggestions

2020-02-26 Thread Filip Hruska
It really depends on what you're interconnecting. 

Some NICs don't support SM optics, so even if you would like to run SM 
everywhere, it's not necessarily possible depending on the equipment.
For example, I had issues with some SolarFlare cards which happily take 10G-SR 
MM but won't take 10G-LR SM.

Filip

On 26 February 2020 5:30:56 pm GMT+01:00, Warren Kumari  
wrote:
>On Wed, Feb 26, 2020 at 11:20 AM Coy Hile  wrote:
>>
>> On 2020-02-26 11:14, Randy Bush wrote:
>> >> We use plenty of multi-mode, but only in the data centre, between
>our
>> >> own kit, for racks within the same cage.
>> >
>> > so you have to stock both single and multi?  hmmm
>> >
>> > randy
>>
>> I'd expect that from the ToR -> Servers would be MMF, but that other
>> infrastructure cabling would be SMF.
>> Even using aftermarket optics, putting single-mode transceivers in
>every
>> server and access port would quickly become cost-prohibitive, would
>it
>> not?
>
>Cisco GLC-SX-MM Compatible 1000BASE-SX SFP 850nm 550m DOM Transceiver
>Module - $6.00 - https://www.fs.com/products/11774.html
>Cisco SFP-GE-L Compatible 1000BASE-LX/LH SFP 1310nm 10km DOM
>Transceiver Module - $7.00 - https://www.fs.com/products/12622.html
>
>Yup, it is $1.00 more for SM, and you need 2 per link, but unless you
>are doing *lots* that's likely not cost-prohibitive. The delta on 10G
>is a bit more ($21 vs $18), but still not crazy-pants territory...
>
>Of course, sometimes you don't have the option of SM - you are
>connecting some someone else than they only do MM, or you are
>connecting to a piece of kit which doesn't have replaceable optics, or
>you have legacy cabling which is MM, or... but, the cost of the optics
>these days is not really the limiting factor.
>
>>
>> --
>> Coy Hile
>> coy.h...@coyhile.com
>
>
>
>-- 
>I don't think the execution is relevant when it was obviously a bad
>idea in the first place.
>This is like putting rabid weasels in your pants, and later expressing
>regret at having chosen those particular rabid weasels and that pair
>of pants.
>   ---maf

-- 
Sent from my mobile device. Please excuse my brevity.

Re: TCP-AMP DDoS Attack - Fake abuse reports problem

2020-02-20 Thread Filip Hruska

Hello,

Since OVH has been offering DDOS protection capable of soaking up 
hundreds of gigabits+ per second as a standard with all their services 
for a long time, I'm assuming this is a miscommunication / standard 
support response.


I would try to get in touch with the network team and include pcaps.

Filip

On 2/20/20 11:37 PM, Töma Gavrichenkov wrote:

Peace,

On Fri, Feb 21, 2020, 1:18 AM Octolus Development wrote:


OVH are threatening to kick us off their network, because we are
victims of this attack.


Most of the hosting companies will do that to you because you're 
causing degradation of service quality for other customers.  
Especially the lowcosters which even cut the costs of processing the 
abuse, and OVH is the world-renowned cost cutter.


Look out for data centers with appropriate DDoS countermeasures.  
Those won't be cheap though.


--
Töma


Re: akamai yesterday - what in the world was that

2020-01-23 Thread Filip Hruska
Game updates are generally compressed chunks and the client does live 
decompression on the data.


As such, insufficient CPU or IO performance will result in lower overall 
speeds, since it can't keep up with the incoming stream of data.


Regards,
Filip

On 1/23/20 9:11 PM, Tom Deligiannis wrote:


I get annoyed when I'm chatting with friends, waiting to play some
game
we decided to download, and it's ONLY downloading at 300 megabits per
second! :P 



In this scenario, which mechanism controls the download speed? I hear 
many users complain that their gigabit internet connection is not 
maxing out and the update is taking forever. I would never expect a 
gigabit internet connection to be saturated during a game update, but 
I'm curious how the throttling works.


Thanks.


Re: Short-circuited traceroutes on FIOS

2019-12-10 Thread Filip Hruska

I had this issue while looking at Ripe Atlas measurements.

Turns out these Verizon boxes spoof ICMP with TTL = 3 (or 2, I don't 
recall). Try doing a UDP or TCP based traceroute instead.


Maybe you're seeing the same problem.

Kind Regards,
Filip

On 12/10/19 8:47 PM, Joe Maimon wrote:
Anyone have an idea why there are some destinations that on 
residential verizon fios here in NY area terminate right on first 
external hop?


There seems to be a CDN common denominator here. On other networks 
with more typical BGP paths and traceroutes, users are reporting 
issues accessing these sites.


C:\Users\Home>tracert www.usfoods.com

Tracing route to statics.usfoods.com [205.132.109.90]
over a maximum of 30 hops:

  1 3 ms    <1 ms    <1 ms  172.18.24.1
  2 4 ms 3 ms 3 ms  192.168.2.33
  3    17 ms 6 ms 3 ms  statics.usfoods.com [205.132.109.90]

Trace complete.

C:\Users\Home>tracert atworkhp.americanexpress.com

Tracing route to atworkhp.americanexpress.com.akadns.net [139.71.19.87]
over a maximum of 30 hops:

  1 2 ms    <1 ms    <1 ms  172.18.24.1
  2 3 ms 4 ms    23 ms  192.168.2.33
  3    21 ms    11 ms 5 ms atworkhomepage2.americanexpress.com 
[139.71.19.87]


Trace complete.

C:\Users\Home>tracert portal.discover.com

Tracing route to e14577.x.akamaiedge.net [23.51.172.254]
over a maximum of 30 hops:

  1 3 ms 1 ms    18 ms  172.18.24.1
  2    21 ms 7 ms 6 ms  192.168.2.33
  3 4 ms 2 ms 2 ms 
a23-51-172-254.deploy.static.akamaitechnologies.com [23.51.172.254]


Trace complete.



--
Filip Hruska
Linux System Administrator
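
Detection logic for the symptom described above, as an added example that is not code from any message in the thread: it parses Windows tracert output of the kind Joe quoted and flags a trace whose destination "answers" before any hop outside the customer's own address space has appeared, which is the signature you get when a CPE answers the ICMP probes itself instead of the real path. The sample text is constructed (a copy of one quoted trace plus an invented ordinary one on documentation addresses); the local-address list is an assumption about what sits on the customer side of the CPE.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample in the shape of the Windows tracert output quoted in the
# thread, plus one ordinary trace for contrast. Not measurement data from the list.
SAMPLE_TRACES = """\
Tracing route to statics.usfoods.com [205.132.109.90]
over a maximum of 30 hops:

  1     3 ms    <1 ms    <1 ms  172.18.24.1
  2     4 ms     3 ms     3 ms  192.168.2.33
  3    17 ms     6 ms     3 ms  statics.usfoods.com [205.132.109.90]

Trace complete.

Tracing route to www.example.net [203.0.113.10]
over a maximum of 30 hops:

  1     3 ms    <1 ms    <1 ms  172.18.24.1
  2     4 ms     3 ms     3 ms  192.168.2.33
  3     8 ms     7 ms     9 ms  198.51.100.1
  4    12 ms    11 ms    12 ms  198.51.100.77
  5    15 ms    14 ms    15 ms  www.example.net [203.0.113.10]

Trace complete.
"""

TARGET_RE = re.compile(r"^Tracing route to (?P<name>\S+) \[(?P<ip>[\d.]+)\]")
HOP_RE = re.compile(r"^\s*(?P<hop>\d+)\s+(?:(?:<?\d+ ms|\*)\s+){3}(?P<host>\S.*)$")
BRACKET_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BARE_IP_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})$")

# Address space assumed to sit on the customer side of the CPE: RFC 1918 plus
# the CGNAT range. Deliberately not ipaddress.is_private, which also treats
# documentation ranges such as 198.51.100.0/24 as private.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

def is_local(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)

def hop_ip(host_field: str) -> Optional[str]:
    """IP of a hop line: bracketed after a hostname, or bare."""
    m = BRACKET_IP_RE.search(host_field) or BARE_IP_RE.match(host_field.strip())
    return m.group(1) if m else None

def parse_traces(text: str) -> List[Dict]:
    traces: List[Dict] = []
    current: Optional[Dict] = None
    for line in text.splitlines():
        t = TARGET_RE.match(line)
        if t:
            current = {"target": t["name"], "target_ip": t["ip"], "hops": []}
            traces.append(current)
            continue
        h = HOP_RE.match(line) if current else None
        if h:
            current["hops"].append((int(h["hop"]), hop_ip(h["host"])))
    return traces

def classify(trace: Dict) -> Dict:
    """Flag a trace whose destination is 'reached' before any hop outside the
    customer's own address space replied: the ICMP answers are not coming from
    the real path, so the trace should be repeated with UDP or TCP probes."""
    hops = trace["hops"]
    reached = bool(hops) and hops[-1][1] == trace["target_ip"]
    public_before = [ip for _, ip in hops[:-1] if ip and not is_local(ip)]
    return {
        "target": trace["target"],
        "reached": reached,
        "hop_count": len(hops),
        "public_hops_before_destination": public_before,
        "short_circuited": reached and not public_before,
    }

def classify_all(text: str) -> Dict[str, Dict]:
    return {r["target"]: r for r in map(classify, parse_traces(text))}

if __name__ == "__main__":
    for name, result in classify_all(SAMPLE_TRACES).items():
        verdict = ("SHORT-CIRCUITED, retry with UDP/TCP probes"
                   if result["short_circuited"] else "ok")
        print(f"{name}: {result['hop_count']} hops, {verdict}")
```

A trace that is flagged here says nothing about where the destination really is; it only says the ICMP view is untrustworthy from this vantage point, which is why the follow-up is a UDP or TCP traceroute rather than a conclusion about the CDN.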



Re: DDoS attack

2019-12-09 Thread Filip Hruska
Hello, 

which attack protocol are you seeing? I suspect you're seeing DNS based 
amplification or similar, in which case you can't really pinpoint the attack 
source... 

800Mbps is not a whole lot of traffic - does it cause any disruptions to you? 
If the prefixes are not in use, I would suggest the use of RTBH (null routing / 
blackholing). 

Kind Regards, 
Filip Hruska



On 9 December 2019 9:07:35 pm GMT+01:00, "ahmed.dala...@hrins.net" 
 wrote:
>Dear All, 
>
>My network is being flooded with UDP packets, Denial of Service attack,
>sourcing from Cloudflare and Google IP Addresses, with 200-300 mbps
>minimum traffic, the destination in my network are IP prefixes that are
>currently not used but still getting traffic with high volume.
>The traffic is being generated with high intervals between 10-30
>Minutes for each time, maxing to 800 mbps
>When reached out cloudflare support, they mentioned that their services
>are running on NAT so they can’t pin out which server is attacking
>based on ip address alone, as a single IP has more than 5000 servers
>behind it, providing 1 source IP and UDP source port, didn’t help
>either
>Any suggestions?
>
>Regards, 
>Ahmed Dala Ali 

-- 
Sent from my mobile device. Please excuse my brevity.
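
The triage Filip's reply sketches, as an added example that is not code from the thread: over a batch of flow records it picks out traffic with the reflection/amplification signature (UDP from a reflector service port, large packets), sums it per victim address, and splits the victims into addresses that can simply be blackholed (no hosts behind them, so RTBH loses nothing) and addresses that need upstream filtering. The flow records, the in-use prefix list and the 60-second export window are all constructed for the example; the set of reflector ports is an assumption, not a complete list.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed flow records (NetFlow-style export, one per line, 60 s window).
# Not traffic from the poster's network; addresses are documentation ranges.
SAMPLE_FLOWS = """\
src_ip,src_port,dst_ip,dst_port,proto,bytes,packets
198.51.100.7,53,203.0.113.9,41022,udp,3600000000,3000000
198.51.100.8,53,203.0.113.9,41022,udp,2400000000,2000000
198.51.100.20,123,203.0.113.40,9000,udp,1500000000,3000000
198.51.100.33,1900,203.0.113.140,27015,udp,900000000,1000000
192.0.2.5,443,203.0.113.130,51000,tcp,800000,1200
198.51.100.9,53,203.0.113.131,53,udp,5000,40
"""

# Prefixes the operator actually has hosts on (assumed inventory). A victim
# address outside them is a candidate for RTBH, since nothing legitimate is lost.
IN_USE = [ipaddress.ip_network(n) for n in ("203.0.113.128/25",)]

# Source ports typical of reflection services (DNS, NTP, SSDP, CLDAP,
# memcached, SNMP, chargen). Illustrative, not exhaustive.
REFLECTOR_PORTS = {53, 123, 1900, 389, 11211, 161, 19}

def parse_flows(text: str) -> List[Dict]:
    lines = text.strip().splitlines()
    keys = lines[0].split(",")
    rows = []
    for line in lines[1:]:
        row = dict(zip(keys, line.split(",")))
        for k in ("src_port", "dst_port", "bytes", "packets"):
            row[k] = int(row[k])
        rows.append(row)
    return rows

def is_amplification(flow: Dict, min_avg_pkt: int = 400) -> bool:
    """UDP from a reflector service port with large packets. The src_ip of
    such a flow is the reflector that was abused, not the attacker, which is
    why it cannot be used to attribute the attack."""
    if flow["proto"] != "udp" or flow["src_port"] not in REFLECTOR_PORTS:
        return False
    return flow["bytes"] / max(flow["packets"], 1) >= min_avg_pkt

def amplification_by_victim(flows: List[Dict]) -> Dict[str, Dict]:
    victims: Dict[str, Dict] = defaultdict(
        lambda: {"bytes": 0, "packets": 0, "reflector_ports": set()})
    for f in flows:
        if is_amplification(f):
            v = victims[f["dst_ip"]]
            v["bytes"] += f["bytes"]
            v["packets"] += f["packets"]
            v["reflector_ports"].add(f["src_port"])
    return dict(victims)

def plan_response(victims: Dict[str, Dict], in_use: List,
                  window_s: int) -> Dict[str, List[Tuple[str, float]]]:
    """Split victims into addresses that can be blackholed outright (nothing
    in use there) and addresses that need upstream scrubbing because real
    hosts sit behind them. Each entry carries the attack rate in Mbit/s."""
    plan: Dict[str, List[Tuple[str, float]]] = {"blackhole": [], "scrub": []}
    for ip, v in victims.items():
        mbps = round(v["bytes"] * 8 / window_s / 1e6, 1)
        addr = ipaddress.ip_address(ip)
        bucket = "scrub" if any(addr in net for net in in_use) else "blackhole"
        plan[bucket].append((ip, mbps))
    for entries in plan.values():
        entries.sort(key=lambda item: item[1], reverse=True)
    return plan

if __name__ == "__main__":
    victims = amplification_by_victim(parse_flows(SAMPLE_FLOWS))
    for action, entries in plan_response(victims, IN_USE, window_s=60).items():
        for ip, mbps in entries:
            ports = sorted(victims[ip]["reflector_ports"])
            print(f"{action:9} {ip:16} {mbps:7.1f} Mbit/s  reflector ports {ports}")
```

The blackhole list is what you would hand to your RTBH trigger (typically a /32 tagged with the upstream's blackhole community); the scrub list is what you take to the upstream's DDoS protection, since a blackhole there would finish the attacker's job for them.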

Re: RIPE our of IPv4

2019-11-30 Thread Filip Hruska
You can announce your own IPv6 subnets through TunnelBroker.

Filip

On 30 November 2019 8:37:33 pm GMT+01:00, Matthew Kaufman  
wrote:
>On Sat, Nov 30, 2019 at 9:21 AM Justin Streiner 
>wrote:
>
>>
>>
>> While a tunnel from HE works perfectly well, it would be nice to have
>> native v6 from VZ.
>>
>
>Worked perfectly well. Until Netflix blocked all known tunnel
>providers.
>Then my users demanded I turn IPv6 off... so I did. Won’t come back
>until
>both my up streams properly support it.
>
>Matthew Kaufman
>
>>
>>

-- 
Sent from my mobile device. Please excuse my brevity.

Re: CloudFlare issues?

2019-06-24 Thread Filip Hruska
Verizon is the one who should've noticed something was amiss and dropped 
their customer's BGP session.
They also should have had filters and prefix count limits in place, 
which would have prevented this whole disaster.


As to why any of that didn't happen, who actually knows.

Regards,
Filip

On 6/24/19 4:28 PM, Max Tulyev wrote:
Why almost all carriers did not filter the leak on their side, but 
waited for "a better weather on Mars" for several hours? 


--
Filip Hruska
Linux System Administrator



Re: Russian Anal Probing + Malware

2019-06-22 Thread Filip Hruska

On 6/22/19 2:13 AM, Ronald F. Guilmette wrote:


 https://twitter.com/GreyNoiseIO/status/1129017971135995904
 https://twitter.com/JayTHL/status/1128718224965685248

Friday Questionnaire:

Is there anybody on this list who keeps firewall logs and who
DOESN'T have numerous hits recorded therein from one or more
of the following IP addresses?

80.82.64.21 scanner29.openportstats.com
80.82.70.2 scanner8.openportstats.com
80.82.70.198 scanner21.openportstats.com
80.82.70.216 scanner13.openportstats.com
80.82.78.104 scanner151.openportstats.com
89.248.160.132 scanner15.openportstats.com
89.248.162.168 scanner5.openportstats.com
89.248.168.62 scanner1.openportstats.com
89.248.168.63 scanner2.openportstats.com
89.248.168.73 scanner3.openportstats.com
89.248.168.74 scanner4.openportstats.com
89.248.168.170 scanner17.openportstats.com
89.248.168.196 scanner16.openportstats.com
89.248.171.38 scanner7.openportstats.com
89.248.171.57 scanner20.openportstats.com
89.248.172.18 scanner25.openportstats.com
89.248.172.23 scanner27.openportstats.com
93.174.91.31 scanner10.openportstats.com
93.174.91.34 scanner11.openportstats.com
93.174.91.35 scanner12.openportstats.com
93.174.93.98 scanner18.openportstats.com
93.174.93.149 scanner6.openportstats.com
93.174.93.241 scanner14.openportstats.com
93.174.95.37 scanner19.openportstats.com
93.174.95.42 scanner8.openportstats.com
94.102.51.31 scanner31.openportstats.com
94.102.51.98 scanner55.openportstats.com
94.102.52.245 scanner9.openportstats.com


NOTE:  Dshield has already assigned an 8 rating on their Badness Richter
Scale to the specific one of the above addresses that's been poking me
personally in recent days:

 https://www.dshield.org/ipinfo.html?ip=89.248.162.168
 https://www.dshield.org/ipdetails.html?ip=89.248.162.168

And the Dshield rating is *just* based on the probing.  The addition of
malware slinging also puts this whole mess over the top entirely.

Oh!  And I'll save you all the time looking it up 100% of the IPs
listed above are on AS202425 "IP Volume, Inc. allegedly of the Seychelles
Islands, where the employees and management are no doubt enjoying their
luxurious and expansive new corporate headquarters...


It's just a port/vulnerability scanner, I really don't see anything 
special about this particular case.


"IP Volume" is actually a new brand of Ecatel/Quasi Networks, servers 
are in a Dutch datacenter.



P.S.  This is the kind of thing that everybody really should expect
when the U.S. Department of Defense takes it upon itself to start up
its own little private and unauthorized (cyber)war on Russia, without
first obtaining the consent of Congress... you know, kinda like that
ancient yellowed document that nobody in this country reads anymore
says they should.  And apparently, the DoD was understandably not
anxious to brief even the President about all this...

https://www.businessinsider.com/us-officials-hide-russia-cyber-operation-trump-2019-6

(Not that anybody can really blame them for THAT.)
What does that have to do with the vulnerability scanner? Also: You know 
it doesn't make any sense, right?


--
Filip Hruska
Linux System Administrator



Re: someone is using my AS number

2019-06-15 Thread Filip Hruska
On 15 June 2019 2:32:21 pm GMT+02:00, Owen DeLong  wrote:
>
>
>> On Jun 13, 2019, at 7:06 AM, Job Snijders  wrote:
>> 
>> Hi Joe,
>> 
>> On Thu, Jun 13, 2019 at 9:59 Joe Abley wrote:
>> Hey Joe,
>> 
>> On 12 Jun 2019, at 12:37, Joe Provo wrote:
>> 
>> > On Wed, Jun 12, 2019 at 04:10:00PM +, David Guo via NANOG
>wrote:
>> >> Send abuse complaint to the upstreams
>> > 
>> > ...and then name & shame publicly. AS-path forgery "for TE" was
>> > never a good idea. Sharing the affected prefix[es]/path[s] would
>> > be good.
>> 
>> I realise lots of people dislike AS_PATH stuffing with other peoples'
>AS numbers and treat it as a form of hijacking.
>> 
>> However, there's an argument that AS_PATH is really just a
>loop-avoidance mechanism, not some kind of AS-granular traceroute for
>prefix propagation. In that sense, stuffing 9327 into a prefix as a
>mechanism to stop that prefix being accepted by AS 9327 seems almost
>reasonable. (I assume this is the kind of TE you are talking about.)
>> 
>> What is the principal harm of doing this? Honest question. I'm not
>advocating for anything, just curious.
>> 
>> 
>> Excellent question.
>> 
>> 1/ We can’t really expect on the loop detection to work that way at
>the “jacked” side. So if this is innocent traffic engineering, it is
>unreliable at best.
>
>Why not? It’s certainly supposed to work that way according to the
>RFCs. Yes, I know there are knobs for people that are too
>lazy/conservative/otherwise misguided to get multiple ASNs for their
>sites with distinct routing policies so that they’ll accept their
>announcements from their remote sites even though their own ASN is in
>the path (thus breaking BGP loop detection for their particular AS).
>
>However, it’s very likely (and certainly hopeful) that no transit ASN
>would operate this way.
>
>Since this TE method is unlikely to be used to control propagation
>to/through a stub ASN, it ought to be pretty reliable for the intended
>purpose.
>

In other words, if I have an upstream that uses 6939 for transit, I'm free to 
permanently prepend 6939 to stop propagation to that network? Isn't using a 
community that says "do not export to 6939" a better and much cleaner solution? 

>> 2/ Attribution. The moment you stuff AS 2914 anywhere in the path, we
>may get blamed for anything that happens through the IP addresses for
>that route. In a way the ASNs in the AS_PATH attribute are an
>inter-organizational escalation flowchart.
>
>I would think that expecting this to hold true is far less reliable
>than the expectation you just claimed was invalid in 1/ above.
>
>I don’t doubt that it might lead to misguided phone calls to 2914 (or
>other provider) as a result, but I’m not sure I would blame the
>misguided interpretation of the AS Path by the caller on the person who
>put the ASN in the path.
>

You will have to explain that to SpamHaus and other organizations who are in 
the business (literally) of blacklisting all upstreams of "rogue" networks. 

Kind Regards,
Filip
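
The two mechanisms the exchange above turns on, as an added example written from the receiving and exporting networks' side (not code from anyone in the thread): the receiver's loop detection that drops a path already containing its own ASN (and the allowas_in knob that switches it off, which is why the "TE" is unreliable), the prefix-to-origin pinning Jared recommends elsewhere in the thread, and the community-driven "do not export to X" that Filip asks about. The prefix and AS_PATH are the ones the BGPMon report in this thread quoted; the large-community convention and the ASNs 64496, 64500 and 64501 are assumptions for the example.

```python
from typing import Dict, List, Tuple

# Prefix -> origin ASN the receiver is willing to accept it from. The one entry
# is the prefix/origin pair the BGPMon report quoted earlier in this thread;
# a real deployment would build this table from IRR route objects or RPKI ROAs.
ORIGIN_PINS: Dict[str, int] = {"134.37.2.0/23": 15053}

# AS_PATH from that same BGPMon report, as a list of ASNs (origin last).
REPORTED_PATH: List[int] = [394256, 174, 702, 25213, 25213, 25213, 15001, 15053]

def accept_route(my_asn: int, prefix: str, as_path: List[int],
                 origin_pins: Dict[str, int],
                 allowas_in: bool = False) -> Tuple[bool, str]:
    """Receiver-side decision: BGP loop detection (RFC 4271 section 9.1.2)
    plus pinning of each known prefix to its expected origin ASN."""
    if not as_path:
        return False, "empty AS_PATH"
    if my_asn in as_path and not allowas_in:
        # Standard behaviour: a path that already carries our ASN is treated
        # as a loop and discarded. allowas_in (the knob Owen mentions) turns
        # this off, which is why nobody can rely on a foreign ASN in the
        # path to control where a route propagates.
        return False, f"loop: AS{my_asn} already present in AS_PATH"
    origin = as_path[-1]
    pinned = origin_pins.get(prefix)
    if pinned is not None and origin != pinned:
        return False, f"origin AS{origin} is not the pinned origin AS{pinned} for {prefix}"
    return True, "accepted"

# Assumed convention for this example only: the large community
# (MY_ASN, NO_EXPORT_TO, PEER_ASN) on a route means "do not export this
# route to PEER_ASN". Providers publish their own action communities; this
# triple is not any network's actual scheme.
NO_EXPORT_TO = 0

def export_to_peer(my_asn: int, peer_asn: int,
                   large_communities: List[Tuple[int, int, int]]) -> bool:
    """Upstream-side check: honour a customer's 'do not announce to X'
    request without anyone touching the AS_PATH."""
    return (my_asn, NO_EXPORT_TO, peer_asn) not in large_communities

if __name__ == "__main__":
    prefix = "134.37.2.0/23"
    for asn in (64496, 25213):
        print(f"AS{asn} receiving:", accept_route(asn, prefix, REPORTED_PATH, ORIGIN_PINS))
    print("AS25213 with allowas_in:",
          accept_route(25213, prefix, REPORTED_PATH, ORIGIN_PINS, allowas_in=True))
    print("wrong origin:", accept_route(64496, prefix, [64500, 64501], ORIGIN_PINS))
    tags = [(64496, NO_EXPORT_TO, 6939)]
    print("export to AS6939:", export_to_peer(64496, 6939, tags),
          "| export to AS174:", export_to_peer(64496, 174, tags))
```

Run as written, the route from the report is accepted at an uninvolved AS, rejected at AS25213 because that ASN is already in the path, accepted there again once allowas_in is set, and rejected anywhere when a different origin claims the pinned prefix; the export check shows the same "keep it away from AS6939" outcome obtained from a community the upstream controls, with the path left honest.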

Re: someone is using my AS number

2019-06-14 Thread Filip Hruska
HE doesn't provide any community based TE and I would say they're a pretty 
major network.

Filip

On 14 June 2019 2:17:43 am GMT+02:00, Joe Provo  
wrote:
>On Thu, Jun 13, 2019 at 09:58:20AM -0400, Joe Abley wrote:
>> Hey Joe,
>> 
>> On 12 Jun 2019, at 12:37, Joe Provo 
>wrote:
>> 
>> > On Wed, Jun 12, 2019 at 04:10:00PM +, David Guo via NANOG
>wrote:
>> >> Send abuse complaint to the upstreams
>> > 
>> > ...and then name & shame publicly. AS-path forgery "for TE" was
>> > never a good idea. Sharing the affected prefix[es]/path[s] would
>> > be good.
>> 
>> I realise lots of people dislike AS_PATH stuffing with other peoples'
>AS numbers and treat it as a form of hijacking.
>> 
>> However, there's an argument that AS_PATH is really just a
>> loop-avoidance mechanism, not some kind of AS-granular traceroute
>> for prefix propagation. In that sense, stuffing 9327 into a prefix
>> as a mechanism to stop that prefix being accepted by AS 9327 seems
>> almost reasonable. (I assume this is the kind of TE you are talking
>> about.)
>> 
>> What is the principal harm of doing this? Honest question. I'm
>> not advocating for anything, just curious.
>
>There is no way at a distance to tell the difference between:
>- legitimate AS forwarding
>- ham-fistedly attempting "innocent" TE away from the forged AS
>- maliciously hiding traffic from the forged AS
>- an error with the forged AS
>
>IME, when you can NOT look like an error or an attack, that's a 
>Good Thing.
>
>The last "major" provider who failed to provide BGP community-based
>TE was 3549, and with their absorbtion into 3356 no one should have
>any tolerance for this garbage, IMNSHO.
>
>Cheers,
>
>joe
>
>
>-- 
>Posted from my personal account - see X-Disclaimer header.
>Joe Provo / Gweep / Earthling 

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: someone is using my AS number

2019-06-13 Thread Filip Hruska
I don't think the number of networks with disabled loop prevention is that 
small.

For example, let's say you're a hosting provider who has 3 locations... no 
reason to do cold potato routing and you don't have dedicated links between 
sites, yet you still want ranges announced at DC A to be reachable from DC B 
and C.

Kind Regards,
Filip

On 13 June 2019 5:56:16 pm GMT+02:00, Jon Lewis  wrote:
>I've used it in the distant past for TE purposes.  Assuming you're 
>poisoning one ASN via one transit it's not exactly rocket science to 
>figure out if "it worked" or not.  As Warren mentioned, sometimes your 
>transits just don't provide all the knobs you need.
>
>I suspect the number of networks that have intentionally disabled loop 
>prevention is relatively small, and those more likely "end user'ish" 
>networks that are less likely to be the target of as-path poisoning 
>TE...says the guy who just disabled loop prevention on a bunch of
>routers. 
>:)
>
>On Thu, 13 Jun 2019, Jared Mauch wrote:
>
>> You also may not know who allows their own ASN inbound as well. It
>certainly is a mixed bag. 
>> I do consider poisoning at best horrible hygiene and at worst
>evidence of malicious intent. 
>> 
>> Good filtering isn’t just prefix or AS path based it’s both. 
>> 
>> Best filtering is pinning the prefix to a specific ASN. 
>> 
>> Sent from my iCar
>> 
>> On Jun 13, 2019, at 11:24 AM, Job Snijders  wrote:
>>
>>   On Thu, Jun 13, 2019 at 11:18 Warren Kumari 
>wrote:
>>   On Thu, Jun 13, 2019 at 9:59 AM Joe Abley 
>wrote:
>>   >
>>   > Hey Joe,
>>   >
>>   > On 12 Jun 2019, at 12:37, Joe Provo
> wrote:
>>   >
>>   > > On Wed, Jun 12, 2019 at 04:10:00PM +, David Guo via
>NANOG wrote:
>>   > >> Send abuse complaint to the upstreams
>>   > >
>>   > > ...and then name & shame publicly. AS-path forgery "for TE"
>was
>>   > > never a good idea. Sharing the affected prefix[es]/path[s]
>would
>>   > > be good.
>>   >
>>   > I realise lots of people dislike AS_PATH stuffing with other
>peoples' AS numbers and treat it as a form of hijacking.
>>   >
>>
>>   Actually, I've been meaning to start a thread on this for a
>while.
>>
>>   I have an anycast prefix - at one location I'm a customer of a
>>   customer of ISP_X &  ISP_Y & ISP_Z. Because ISP_X prefers
>customer
>>   routes, any time a packet touches ISP_X, it goes to this
>location,
>>   even though it is (severely) suboptimal -- things would be
>better if
>>   ISP_X didn't accept this route in this location.
>>
>>   Now, the obvious answer of "well, just ask your provider in
>this
>>   location to not announce it to ISP_X. That's what communities /
>the
>>   telephone were invented for!" doesn't work for various
>(entirely
>>   non-technical) reasons...
>>
>>   Other than doing path-poisoning can anyone think of a way to
>>   accomplish what I want? (modulo the "just become a direct
>customer
>>   instead of being a customer of a customer" or "disable that
>site", or
>>   "convince the AS upstream of you to deploy communities /
>filters").
>>   While icky, sometimes stuffing other people's AS in the path
>seems to
>>   be the only solution...
>> 
>> 
>> 
>> Given the prevalence of peerlock-style filters at the transit-free
>club, poisoning the path may result in a large outage for your prefix
>rather than
>> a clever optimization. Poisoning paths is bad for all parties
>involved.
>> 
>> Kind regards,
>> 
>> Job
>> 
>> 
>>
>
>--
>  Jon Lewis, MCP :)   |  I route
>  |  therefore you are
>_ http://www.lewis.org/~jlewis/pgp for PGP public key_

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: someone is using my AS number

2019-06-12 Thread Filip Hruska
Seems the issue was on AS25213 side. They don't provide transit to AS15001 at 
all. 

Regards,
Filip

On 12 June 2019 7:57:52 pm GMT+02:00, Philip Lavine  
wrote:
> Here is what I got from BGPMon- MY AS is 15053
>
>Detected new prefix: 134.37.2.0/23
>Update time: 2019-06-11 17:58 (UTC)
>Detected by #peers: 70
>Announced by: AS15053 (ROLL-GLOBAL-LLC - Roll Global LLC, US)
>Upstream AS: AS15001 (ITCONVERGENCE-COM - IT Convergence Inc., US)
>ASpath: 394256 174 702 25213 25213 25213 15001 15053 
>
>I tried contacting the upstream provider and they were no help :Contact
>- IT Convergence
>
>On Wednesday, June 12, 2019, 9:34:16 AM PDT, Job Snijders 
>wrote:  
> 
>Can you share more details? Perhaps we can put the human social network
>to good use.
>Other than that this is annoying - are right now operationally
>impacted?
>Kind regards,
>Job
>On Wed, Jun 12, 2019 at 12:24 Filip Hruska  wrote:
>
>I would contact upstreams of the upstream then. This is quite a serious
>offence and they should help you. 
>
>Regards,
>Filip
>
>On 12 June 2019 6:20:42 pm GMT+02:00, Philip Lavine
> wrote:
> yeah I did they are some MSP in India. No help.
>
>On Wednesday, June 12, 2019, 9:15:51 AM PDT, Filip Hruska
> wrote:  
> 
> Contact the offending upstreams.
>
>Filip
>
>On 12 June 2019 6:05:58 pm GMT+02:00, Philip Lavine via NANOG
> wrote:
>What is the procedure to have another party to cease and desist in
>using my AS number?
>Thx
>
>
>
>-- 
>Sent from my Android device with K-9 Mail. Please excuse my brevity.
>  

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: someone is using my AS number

2019-06-12 Thread Filip Hruska
I would contact upstreams of the upstream then. This is quite a serious offence 
and they should help you. 

Regards,
Filip

On 12 June 2019 6:20:42 pm GMT+02:00, Philip Lavine  
wrote:
> yeah I did they are some MSP in India. No help.
>
>On Wednesday, June 12, 2019, 9:15:51 AM PDT, Filip Hruska
> wrote:  
> 
> Contact the offending upstreams.
>
>Filip
>
>On 12 June 2019 6:05:58 pm GMT+02:00, Philip Lavine via NANOG
> wrote:
>What is the procedure to have another party to cease and desist in
>using my AS number?
>Thx
>
>
>-- 
>Sent from my Android device with K-9 Mail. Please excuse my brevity.  

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: someone is using my AS number

2019-06-12 Thread Filip Hruska
Contact the offending upstreams.

Filip

On 12 June 2019 6:05:58 pm GMT+02:00, Philip Lavine via NANOG  
wrote:
>What is the procedure to have another party to cease and desist in
>using my AS number?
>Thx

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: CenturyLink/Level 3 combined AS

2019-06-08 Thread Filip Hruska
Cogent and "great" don't belong in one sentence in my opinion. It's usable 
though and their pricing is (if you push hard enough) simply unbeatable.

I would pick L3 any day over Cogent if the pricing was the same. 

Kind Regards,
Filip Hruska

On 8 June 2019 3:36:26 pm GMT+02:00, David Hubbard 
 wrote:
>Cogent is great, or worthless, depending on whether you like talking to
>Google via IPv6.
>
>From: NANOG  on behalf of Darin Steffl
>
>Date: Saturday, June 8, 2019 at 9:10 AM
>To: Brielle Bruns 
>Cc: North American Network Operators' Group 
>Subject: Re: CenturyLink/Level 3 combined AS
>
>Ok just to simplify things.
>
>Is Cogent or CenturyLink/L3 better for transit?
>
>On Fri, Jun 7, 2019, 3:00 PM Brielle Bruns wrote:
>On 6/7/2019 11:03 AM, Romeo Czumbil wrote:
>> All new CL Internet gets provisioned on AS3356
>> You would need a strong case for them to put you on AS209
>
>
>Got provisioned last year on AS209 when they turned up my ent Fiber
>with
>BGP.
>
>Could depend heavily on what services and where.
>
>--
>Brielle Bruns
>The Summit Open Source Development Group
>http://www.sosdg.org/ http://www.ahbl.org

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: Google weird routing?

2019-05-23 Thread Filip Hruska
Google maintains their own GeoIP database. If you peer with them and have 
access to the peering portal, you can correct the location yourself.
Otherwise they have a public form somewhere.

--- Filip

On 23 May 2019 10:11:30 pm GMT+02:00, Matt Harris  wrote:
>On Thu, May 23, 2019 at 2:55 PM Jared Mauch 
>wrote:
>
>> I would say that it says BOM at the start of the name, perhaps they
>are
>> sending you to India?
>>
>> Are you using a DNS service that uses ECS facing the various
>CDN/Cloud
>> providers or a different one?
>>
>
>This is my thinking, too, however my recursive DNS servers are all on
>the
>same network as the systems trying to reach google, all of which are on
>IP
>space that I own and announced exclusively by AS 394102 here in the US.
>I've also taken care to maintain as many geoip service entries as could
>be
>found/maintained, including maxmind's.  Where they would get the idea
>that
>my packets should go to India is beyond me.
>
>On Thu, May 23, 2019 at 3:06 PM Christopher Morrow
>
>wrote:
>
>> not sure where you are starting from (really) .. can you provide a:
>>   dig www.google.com
>>
>> for me? My guess is that as Jared noted you got somehow looking like
>> you are in india to whatever does that magic :)
>>
>
>Google's coming back with bom* addresses; no idea why though.
>
>;; ANSWER SECTION:
>www.google.com. 300 IN  A   172.217.26.228
>
>
>Hoping someone over there can shed some light on why they are sending
>my
>packets on a world trip.  :)
>
>Thanks,
>Matt


Re: Help on setting up a new block

2019-03-20 Thread Filip Hruska
I would start with basic stuff first.

Traceroutes to check if/where the packets are being dropped. If the path is 
clear, then it's probably a HTTP level block, in which case figure out if these 
companies share the same CDN/web protection solution/hoster. If that's the 
case, contact them directly. 

Regards,
Filip Hruska

On 20 March 2019 3:02:13 pm GMT+01:00, John Alcock  wrote:
>Odd Issues
>
>We recently went through an IP Broker and bought a /18 worth of IP's
>
>I am listing all my information below.  Should be public record.
>
>AS Number/Range 395437
>AS Handle AS395437
>AS Name HIGHLANDTEL
>RPKI Certified Yes
>
>As for the IP Block
>
>Net Range 138.43.128.0 - 138.43.191.255
>CIDR 138.43.128.0/18
>Net Name HCL-73
>Net Handle NET-138-43-128-0-1
>Net Type Direct Allocation
>Parent NET-138-0-0-0-0 (VR-ARIN)
>RPKI Certified Yes
>
>In addition, I believe I got all the information in the IRR.  I am
>unclear
>on this part, but I do know ATT is happy now.  I can pass traffic
>through
>their network.
>
>whois -h whois.bgpmon.net " --roa 395437 138.43.128.0/24"
>
>0 - Valid
>
>ROA Details
>
>Origin ASN:   AS395437
>Not valid Before: 2019-02-13 05:00:00
>Not valid After:  2029-02-01 05:00:00  Expires in
>9y318d10h46m2.3997615814s
>Trust Anchor: rpki.arin.net
>Prefixes: 138.43.128.0/18 (max length /24)
>
>
>So here is my problem.  There are certain sites I can not get to on the
>new
>ip block.
>
>clover.com - They are a large POS vendor catering to small business
>idrive.com - Online backup
>heart.org - american heart association
>onlineproviderservices.com - Looks like an outsourced group that
>handles
>medicare
>landstar.com - trucking company
>
>I am working on trying to contact the companies above, but I have
>started
>resorting to public shaming on social media.  Not an ideal solution.
>
>My thought, could I be missing something?  Perhaps I need to add a
>specfic
>entry in the IRR or anything?  Just seems like a lot of sites will not
>accept my traffic.
>
>Any experts like to chime in?
>
>John

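John's whois query above asks the bgpmon service to judge 138.43.128.0/24 against the ROA shown in its output (138.43.128.0/18, max length /24, origin AS395437). The Python below is an added illustration written for this page, not code from the thread or from any bgpmon or RPKI validator: it implements the RFC 6811 route origin validation decision locally against a small ROA set, so the Valid, Invalid and NotFound outcomes can be checked offline. The first ROA is the one from the message; the AS 0 ROA for 192.0.2.0/24 and the prefix 198.51.100.0/24 are constructed for the example.

```python
import ipaddress
from collections import namedtuple

# A Route Origin Authorization: prefix, maximum allowed prefix length, authorised origin AS.
Roa = namedtuple("Roa", "prefix max_length origin_as")

# ROA set for the example. The first entry is the one from the whois output in the thread;
# the AS 0 entry for 192.0.2.0/24 is constructed to show an "AS 0" ROA (RFC 6483 / RFC 7607),
# which authorises no origin at all and therefore makes every announcement of it Invalid.
ROAS = [
    Roa(ipaddress.ip_network("138.43.128.0/18"), 24, 395437),
    Roa(ipaddress.ip_network("192.0.2.0/24"), 24, 0),
]


def validate_route(prefix, origin_as, roas=ROAS):
    """Return the RFC 6811 state of (prefix, origin_as): "Valid", "Invalid" or "NotFound"."""
    route = ipaddress.ip_network(prefix, strict=False)
    # A ROA "covers" the route when the route lies inside the ROA prefix (same address family).
    covering = [r for r in roas
                if r.prefix.version == route.version and route.subnet_of(r.prefix)]
    if not covering:
        return "NotFound"          # no ROA says anything about this prefix
    for roa in covering:
        if roa.origin_as == origin_as and route.prefixlen <= roa.max_length:
            return "Valid"         # one matching ROA is enough
    return "Invalid"               # covered, but wrong origin or more specific than allowed


def explain(prefix, origin_as, roas=ROAS):
    """Validation state plus a human-readable reason per covering ROA, for reachability debugging."""
    state = validate_route(prefix, origin_as, roas)
    route = ipaddress.ip_network(prefix, strict=False)
    reasons = []
    for r in roas:
        if r.prefix.version != route.version or not route.subnet_of(r.prefix):
            continue
        if r.origin_as != origin_as:
            reasons.append(f"ROA {r.prefix} authorises AS{r.origin_as}, not AS{origin_as}")
        elif route.prefixlen > r.max_length:
            reasons.append(f"ROA {r.prefix} allows at most /{r.max_length}, route is /{route.prefixlen}")
        else:
            reasons.append(f"ROA {r.prefix} (max /{r.max_length}, AS{r.origin_as}) matches")
    return state, reasons


if __name__ == "__main__":
    for prefix, asn in [("138.43.128.0/24", 395437), ("138.43.128.0/25", 395437),
                        ("138.43.128.0/24", 64496), ("192.0.2.0/24", 64496),
                        ("198.51.100.0/24", 395437)]:
        state, why = explain(prefix, asn)
        print(f"{prefix} from AS{asn}: {state}; " + "; ".join(why))
```

The /25 case is the one worth remembering when a more specific is announced for traffic engineering: it is covered by the /18 ROA but exceeds its max length, so it is Invalid rather than NotFound, and networks that drop Invalids will not see it.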

Re: BGP Experiment

2019-01-23 Thread Filip Hruska
This experiment should be continued.

It's the only way to get people to patch stuff.
And if all it takes to break things is a single announcement, then that's
something that should be definitely fixed.

Blacklisting an ASN is not a solution, that's ignorance.

Regards,
Filip Hruska

On 23 January 2019 18:19:09 CET, Italo Cunha  wrote:
>Ben, NANOG,
>
>We have canceled this experiment permanently.
>
>On Wed, Jan 23, 2019 at 12:00 PM Ben Cooper  wrote:
>
>> Can you stop this?
>>
>> You caused again a massive prefix spike/flap, and as the internet is
>not
>> centered around NA (shock horror!) a number of operators in Asia and
>> Australia got affected by your “experiment” and had no idea what was
>> happening or why.
>>
>> Get a sandbox like every other researcher, as of now we have black
>holed
>> and filtered your whole ASN, and have recommended others do the same.
>>
>> On Wed, 23 Jan 2019 at 1:19 am, Italo Cunha 
>wrote:
>>
>>> NANOG,
>>>
>>> This is a reminder that this experiment will resume tomorrow
>>> (Wednesday, Jan. 23rd). We will announce 184.164.224.0/24 carrying a
>>> BGP attribute of type 0xff (reserved for development) between 14:00
>>> and 14:15 GMT.
>>>
>>> On Tue, Dec 18, 2018 at 10:05 AM Italo Cunha 
>wrote:
>>> >
>>> > NANOG,
>>> >
>>> > We would like to inform you of an experiment to evaluate
>alternatives
>>> > for speeding up adoption of BGP route origin validation (research
>>> > paper with details [A]).
>>> >
>>> > Our plan is to announce prefix 184.164.224.0/24 with a valid
>>> > standards-compliant unassigned BGP attribute from routers operated
>by
>>> > the PEERING testbed [B, C]. The attribute will have flags 0xe0
>>> > (optional transitive [rfc4271, S4.3]), type 0xff (reserved for
>>> > development), and size 0x20 (256bits).
>>> >
>>> > Our collaborators recently ran an equivalent experiment with no
>>> > complaints or known issues [A], and so we do not anticipate any
>>> > arising. Back in 2010, an experiment using unassigned attributes
>by
>>> > RIPE and Duke University caused disruption in Internet routing due
>to
>>> > a bug in Cisco routers [D, CVE-2010-3035]. Since then, this and
>other
>>> > similar bugs have been patched [e.g., CVE-2013-6051], and new BGP
>>> > attributes have been assigned (BGPsec-path) and adopted (large
>>> > communities). We have successfully tested propagation of the
>>> > announcements on Cisco IOS-based routers running versions
>12.2(33)SRA
>>> > and 15.3(1)S, Quagga 0.99.23.1 and 1.1.1, as well as BIRD 1.4.5
>and
>>> > 1.6.3.
>>> >
>>> > We plan to announce 184.164.224.0/24 from 8 PEERING locations for
>a
>>> > predefined period of 15 minutes starting 14:30 GMT, from Monday to
>>> > Thursday, between the 7th and 22nd of January, 2019 (full schedule
>and
>>> > locations [E]). We will stop the experiment immediately in case
>any
>>> > issues arise.
>>> >
>>> > Although we do not expect the experiment to cause disruption, we
>>> > welcome feedback on its safety and especially on how to make it
>safer.
>>> > We can be reached at disco-experim...@googlegroups.com.
>>> >
>>> > Amir Herzberg, University of Connecticut
>>> > Ethan Katz-Bassett, Columbia University
>>> > Haya Shulman, Fraunhofer SIT
>>> > Ítalo Cunha, Universidade Federal de Minas Gerais
>>> > Michael Schapira, Hebrew University of Jerusalem
>>> > Tomas Hlavacek, Fraunhofer SIT
>>> > Yossi Gilad, MIT
>>> >
>>> > [A] https://conferences.sigcomm.org/hotnets/2018/program.html
>>> > [B] http://peering.usc.edu
>>> > [C] https://goo.gl/AFR1Cn
>>> > [D]
>>>
>https://labs.ripe.net/Members/erik/ripe-ncc-and-duke-university-bgp-experiment
>>> > [E] https://goo.gl/nJhmx1
>>>
>> --
>> Ben Cooper
>> Chief Executive Officer
>> PacketGG - Multicast
>> M(Telstra): 0410 411 301
>> M(Optus):  0434 336 743
>> E: b...@packet.gg & b...@multicast.net.au
>> W: https://packet.gg
>> W: https://multicast.net.au
>>
>> --
>> You received this message because you are subscribed to the Google
>Groups
>> "DISCO Experiment" group.
>> To unsubscribe from this group and stop receiving emails from it,
>send an
>> email to disco-experiment+unsubscr...@googlegroups.com.
>> To post to this group, send email to
>disco-experim...@googlegroups.com.
>> To view this discussion on the web visit
>>
>https://groups.google.com/d/msgid/disco-experiment/CAPZQKs8aVT%3D7gJdGcoC-KOPDR0F4Ms33KAKKG5-4k96SVCSFEw%40mail.gmail.com
>>
><https://groups.google.com/d/msgid/disco-experiment/CAPZQKs8aVT%3D7gJdGcoC-KOPDR0F4Ms33KAKKG5-4k96SVCSFEw%40mail.gmail.com?utm_medium=email_source=footer>
>> .
>> For more options, visit https://groups.google.com/d/optout.
>>

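The experiment described above carries an attribute with flags 0xe0, type 0xff and a 32-byte value, and the 2010 incident it cites was a router mis-handling exactly this kind of unknown attribute. As an added illustration (my code, not the experimenters' or any router vendor's), the Python below parses the path-attribute layout of RFC 4271 section 4.3 and classifies each attribute the way sections 6.3 and 9 of that RFC require: known attributes are accepted, an unknown optional transitive attribute is passed on with the Partial bit set, an unknown optional non-transitive one is quietly ignored, and an unknown well-known attribute is a protocol error. The sample bytes are constructed; a deliberately truncated copy is included to show the length check a robust parser must perform before touching the value.

```python
import struct

# Path attribute flag bits, RFC 4271 section 4.3.
OPTIONAL, TRANSITIVE, PARTIAL, EXTENDED_LENGTH = 0x80, 0x40, 0x20, 0x10

# Type codes this parser knows; anything else is "unrecognised" and handled per RFC 4271 s.6.3 / s.9.
KNOWN_TYPES = {1: "ORIGIN", 2: "AS_PATH", 3: "NEXT_HOP", 4: "MULTI_EXIT_DISC",
               5: "LOCAL_PREF", 6: "ATOMIC_AGGREGATE", 7: "AGGREGATOR",
               8: "COMMUNITIES", 32: "LARGE_COMMUNITIES"}


def parse_path_attributes(data):
    """Split the Path Attributes field of an UPDATE into dicts, checking every length field."""
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 3:
            raise ValueError("truncated attribute header at offset %d" % pos)
        flags, type_code = data[pos], data[pos + 1]
        if flags & EXTENDED_LENGTH:
            if len(data) - pos < 4:
                raise ValueError("truncated extended length at offset %d" % pos)
            length, header_len = struct.unpack_from("!H", data, pos + 2)[0], 4
        else:
            length, header_len = data[pos + 2], 3
        start, end = pos + header_len, pos + header_len + length
        if end > len(data):
            # The check that matters: never trust the length field beyond the bytes actually present.
            raise ValueError("attribute type %d claims %d bytes, only %d remain"
                             % (type_code, length, len(data) - start))
        attrs.append({"flags": flags, "type": type_code, "value": data[start:end]})
        pos = end
    return attrs


def classify(attr):
    """What a receiving speaker does with one parsed attribute (RFC 4271 s.6.3 and s.9)."""
    flags, type_code = attr["flags"], attr["type"]
    if type_code in KNOWN_TYPES:
        return "accept"
    if not flags & OPTIONAL:
        return "error"                  # unrecognised well-known attribute -> NOTIFICATION
    if flags & TRANSITIVE:
        return "forward-with-partial"   # unknown optional transitive: keep, set Partial, pass on
    return "discard"                    # unknown optional non-transitive: silently ignored


def forward(attr):
    """Re-encode an attribute for propagation, setting the Partial bit on unknown transitive ones."""
    flags, value = attr["flags"], attr["value"]
    if classify(attr) == "forward-with-partial":
        flags |= PARTIAL
    if len(value) > 255 or flags & EXTENDED_LENGTH:
        return bytes([flags | EXTENDED_LENGTH, attr["type"]]) + struct.pack("!H", len(value)) + value
    return bytes([flags, attr["type"], len(value)]) + value


def is_malformed(data):
    """True when the Path Attributes field cannot be parsed without reading past its end."""
    try:
        parse_path_attributes(data)
        return False
    except ValueError:
        return True


def summarize(data):
    """(type, value length, action) per attribute; raises ValueError on malformed input."""
    return [(a["type"], len(a["value"]), classify(a)) for a in parse_path_attributes(data)]


# Constructed sample: ORIGIN=IGP followed by the experiment's attribute
# (flags 0xe0 = optional|transitive|partial, type 0xff, length 0x20 = 32 zero bytes).
SAMPLE = bytes([0x40, 0x01, 0x01, 0x00]) + bytes([0xE0, 0xFF, 0x20]) + bytes(32)
# Constructed malformed sample: the same header, but only 10 of the announced 32 value bytes.
TRUNCATED = bytes([0xE0, 0xFF, 0x20]) + bytes(10)

if __name__ == "__main__":
    for type_code, length, action in summarize(SAMPLE):
        print(f"type {type_code:3d} length {length:2d}: {action}")
    print("truncated sample rejected:", is_malformed(TRUNCATED))
```

The point of `forward` is that a speaker is supposed to propagate the unknown transitive attribute unchanged apart from the Partial bit, which is exactly why one such announcement reaches every router on the Internet and why each of them must parse it defensively.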

Re: Impacts of Encryption Everywhere (any solution?)

2018-05-28 Thread Filip Hruska

On 28. 5. 2018 at 17:00 Rich Kulawiec wrote:
> On Mon, May 28, 2018 at 09:23:09AM -0500, Mike Hammett wrote:
>> Some things certainly do need to be encrypted, but encrypting everything
>> means people with limited Internet access get worse performance OR
>> mechanisms have to be put in place to break ALL encryption, thus
>> compromising security and privacy when it's really needed.
>
> There are better places to reduce traffic while simultaneously enhancing
> security and privacy.  The new EU version of the home page of USA Today
> is about 20% the size of the one presented in the US -- because it's
> had all the tracking and scripting stripped out -- with a concomitant
> reduction in load time and rendering time.

That's awesome, that page fully loaded instantly (roughly in half a
second) and uBlock Origin blocked 0 elements. 291KB for the home page.

This is a sight I want to see more of.

Regards,
Filip


Re: Is WHOIS going to go away?

2018-04-14 Thread Filip Hruska

On 04/14/2018 07:24 PM, DaKnOb wrote:
> As far as IP Addresses go (and domains too), currently GDPR recognizes the
> rights of individuals, not companies, which means that a company can be in the
> whois query, since it does not have the right to privacy.
>
> My understanding is that this will only affect natural persons.
>
>> On 14 Apr 2018, at 20:19, Matt Harris <m...@netfire.net> wrote:
>>
>> On Sat, Apr 14, 2018 at 12:14 PM, Rich Kulawiec <r...@gsp.org> wrote:
>>> The only people served by restriction on WHOIS availability are abusers
>>> and attackers, and the entities (e.g., registrars) who profit from them.
>>
>> Not that whois data for domain names has been particularly useful for the
>> past decade anyhow since most TLDs and registrars either provide for free,
>> or sell as an addon, "private" registration via some "proxy corporation" or
>> whatever.  Domain name whois for most TLDs has not been the sort of
>> accountability measure that ICANN seems to think it is for a very long
>> time, at least in practice.
>>
>> I'd be much more concerned about RIPE's whois data for AS and IP address

An individual can also own an ASN and IP space. You don't have to be a
company.

--
Filip Hruska
Linux System Administrator



Re: Is WHOIS going to go away?

2018-04-14 Thread Filip Hruska

On 04/14/2018 07:29 PM, Florian Weimer wrote:
> * Filip Hruska:
>
>> EURID (.eu) WHOIS already works on a basis that no information about the
>> registrant is available via standard WHOIS.
>> In order to get any useful information you have to go to
>> https://whois.eurid.eu and make a request there.
>>
>> Seems like a reasonable solution.
>
> Why?  How does the protocol matter?
>
> Either you may publish individual personal information for use by the
> general public, or you may not.  Adding a 4 to the port number doesn't
> change that.

The EURID webwhois cannot be scraped, there are anti-bot measures in
place (captcha, throttling, all information displayed in images).
Scraping WHOIS systems for thousands of domains at once using the WHOIS
protocol is easy though. There are "WHOIS History" sites which scrape
all domains and then publish the data along with the date of retrieval.

GDPR contains this in relation to the right to erasure:

1. Where the controller has made the personal data public and is
   obliged pursuant to paragraph 1 to erase the personal data, *the
   controller, taking account of available technology and the cost of
   implementation, shall take reasonable steps, including technical
   measures, to inform controllers which are processing the personal
   data that the data subject has requested the erasure* by such
   controllers of any links to, or *copy or replication of, those
   personal data*.

Controller is the TLD operator in this case, other controllers would be
WHOIS scrapers. The problem here is the definition of "reasonable steps".
Would doing nothing be reasonable? Or would the TLD operator need to
somehow track all those scrapers and contact them?

IANAL, but I see a problem here.

--
Filip Hruska
Linux System Administrator



Re: Is WHOIS going to go away?

2018-04-14 Thread Filip Hruska
EURID (.eu) WHOIS already works on a basis that no information about the 
registrant is available via standard WHOIS.
In order to get any useful information you have to go to 
https://whois.eurid.eu and make a request there.


Seems like a reasonable solution.

--
Filip Hruska
Linux System Administrator



On 04/14/2018 04:06 PM, Brian Kantor wrote:

There is concern that the WHOIS database service will be in violation
of the new European GDPR which takes effect May 25th, and may have
to shut down.

http://www.theregister.co.uk/2018/04/14/whois_icann_gdpr_europe/

https://www.icann.org/en/system/files/correspondence/jelinek-to-marby-11apr18-en.pdf

- Brian



Re: IPv6 addressing plan spreadsheet issue

2018-04-02 Thread Filip Hruska

Hi,

I actually got that value from curl (on Mac) so who knows.

It's certainly possible that it's generated on-the-fly and curl just 
shows garbage info.



Regards,

--
Filip Hruska
Linux System Administrator

On 4/2/18 at 18:59 Tarko Tikan wrote:
> hey,
>
>> How did you actually create the .txt file? Is the filesize spoofed in
>> some way?
>>
>> 8191PB is a lot of storage.
>
> Probably just handcrafted index.html with fake file size and CGI
> script that outputs the actual prefixes on-demand?






Re: IPv6 addressing plan spreadsheet issue

2018-04-02 Thread Filip Hruska

Well played.


How did you actually create the .txt file? Is the filesize spoofed in 
some way?

8191PB is a lot of storage.

--
Filip Hruska
Linux System Administrator

On 4/1/18 at 13:09 Job Snijders wrote:

Hi all,

I made a list of the IPv6 addresses in my home LAN, but have trouble
copy+pasting the list into a cloud spreadsheet. My address list is here:
http://pete.meerval.net/~job/

How do other folks do this? Just administrate things in text files?

Kind regards,

Job





Re: Re: Yet another Quadruple DNS?

2018-03-29 Thread Filip Hruska
  
  
Is it just me, or is there a problem with the website? I get an nginx 403
Forbidden error when trying to access it.

Regards,
Filip

> On 29 Mar 2018 at 2:41 pm, wrote:
>
> Cloudflare’s website provides some more information: https://1.1.1.1/
> According to Cloudflare’s CEO, we’ll have more news on 1/4, so in a few days.
> https://twitter.com/eastdakota/status/979257292938911744
>
> From their website I can see that it is a low latency and privacy oriented
> service. Now whether it’s actually needed, I think there’s place for it in
> the market. Currently in Greece, 8.8.8.8 is ~65ms away. This is 11ms away.
>
> Antonis
>
>> On 29 Mar 2018, at 14:46, Stephane Bortzmeyer wrote:
>>
>> On Thu, Mar 29, 2018 at 07:33:08AM -0400,
>> Matt Hoppes wrote
>> a message of 7 lines which said:
>>
>>> We already have 8.8.8.8 and 8.8.4.4.
>>
>> And 9.9.9.9 and several other public DNS resolvers.
>>
>>> And any reputable company or ISP should be running their own.
>>
>> I fully agree.
>>
>>> What purpose would this serve?
>>
>> In Europe, the most common technique of censorship is through lying
>> DNS resolvers. So, in order to go to forbidden Web sites (music and
>> film sharing, for instance), many users switched from the ISP's
>> resolver (which implements the censorship) to a public resolver. See
>> my talk at NANOG



Re: Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks

2018-02-27 Thread Filip Hruska
  
  
This is just stupid.

OVH is one of the largest server providers in the world - of course they will
be at the top of that list.

What exactly should they do, according to you?

Why should people de-peer them?

Regards,

Filip Hruska

> On 28 Feb 2018 at 1:13 am, wrote:
>
> OVH does not surprise me in the least. Maybe this is finally what it will
> take to get people to de-peer them.
>
> -Dan
>
> On Tue, 27 Feb 2018, Ca By wrote:
>
>> Please do take a look at the cloudflare blog specifically as they name and
>> shame OVH and Digital Ocean for being the primary sources of mega crap
>> traffic
>>
>> https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/
>>
>> Also, policer all UDP all the time... UDP is unsafe at any speed.
>>
>> On Tue, Feb 27, 2018 at 12:28 PM Barry Greene wrote:
>>
>>> Hello Fellow NANOGer,
>>>
>>> If you have not already seen it, experiences it, or read about it, working
>>> to head off another reflection DOS vector. This time it is memcached on
>>> port 11211 UDP & TCP. There are active exploits using these ports.
>>> Reflection attacks and the memcached is not new. We know how reflection
>>> attacks work (send a spoofed packet to a device and have it reflected back
>>> (yes please deploy source address validation and BCP 38).
>>>
>>> Operators are asked to review their networks and consider updating their
>>> Exploitable Port Filters (Infrastructure ACLs) to track or block UDP/TCP
>>> port 11211 for all ingress and egress traffic. If you do not know about
>>> iACLs or Exploitable port filters, you can use this white paper details and
>>> examples from peers on Exploitable Port Filters:
>>> http://www.senki.org/operators-security-toolkit/filtering-exploitable-ports-and-minimizing-risk-to-and-from-your-customers/
>>>
>>> Enterprises are also asked to update their iACLs, Exploitable Port
>>> Filters, and Firewalls to track or block UDP/TCP port 11211 for all ingress
>>> and egress traffic.
>>>
>>> Deploying these filters will help protect your network, your organization,
>>> your customers, and the Internet.
>>>
>>> Ping me 1:1 if you have questions.
>>>
>>> Sincerely,
>>>
>>> --
>>> Barry Raveendran Greene
>>> Security Geek helping with OPSEC Trust
>>> Mobile: +1 408 218 4669
>>> E-mail: bgre...@senki.org
>>>
>>> Resources on memcached Exploit (to evaluate your risk):
>>>
>>> More information about this attack vector can be found at the following:
>>>
>>> • JPCERT – Alert regarding memcached access control (JPCERT-AT-2018-0009)
>>> http://www.jpcert.or.jp/at/2018/at180009.html
>>> • Qrator Labs: The memcached amplification attacks reaching 500 Gbps
>>> https://medium.com/@qratorlabs/the-memcached-amplification-attack-reaching-500-gbps-b439a7b83c98
>>> • Arbor Networks: memcached Reflection/Amplification Description and DDoS
>>> Attack Mitigation Recommendations
>>> https://www.arbornetworks.com/blog/asert/memcached-reflection-amplification-description-ddos-attack-mitigation-recommendations/
>>> • Cloudflare: Memcrashed – Major amplification attacks from UDP port 11211
>>> https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/
>>> • Link11: New High-Volume Vector: Memcached Reflection Amplification Attacks
>>> https://www.link11.com/en/blog/new-high-volume-vector-memcached-reflection-amplification-attacks/
>>> • Blackhat Talk: The New Page of Injections Book: Memcached Injections by
>>> Ivan Novikov
>>> https://www.blackhat.com/docs/us-14/materials/us-14-Novikov-The-New-Page-Of-Injections-Book-Memcached-Injections-WP.pdf
>>> • Memcache Exploit
>>> http://niiconsulting.com/checkmate/2013/05/memcache-exploit/
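Barry Greene's advisory quoted above asks operators to track or block UDP/TCP 11211 at the edge and to deploy source address validation. The Python below is an added illustration of the "track" half of that advice, written for this page and not taken from the advisory, the senki.org paper or any vendor tool: it reads constructed NetFlow-style records, reports which flows an Exploitable Port Filter on 11211 would match at the network edge and in which direction, and pairs small UDP requests towards 11211 with the far larger replies to estimate the reflection ratio per (server, target) pair. The addresses, the local prefix 203.0.113.0/24 and the byte counts are all constructed.

```python
import csv
import io
import ipaddress
from collections import defaultdict

MEMCACHED_PORT = 11211

# Constructed NetFlow-style records (one per direction). Addresses are documentation ranges;
# 203.0.113.0/24 plays the role of "our" network and 198.51.100.77 the spoofed target address.
SAMPLE_FLOWS = """\
ts,proto,src,sport,dst,dport,bytes,pkts
2018-02-27T20:00:01Z,udp,198.51.100.77,40123,203.0.113.10,11211,60,4
2018-02-27T20:00:01Z,udp,203.0.113.10,11211,198.51.100.77,40123,1460000,1000
2018-02-27T20:00:02Z,tcp,203.0.113.5,53211,203.0.113.10,11211,9000,30
2018-02-27T20:00:03Z,udp,192.0.2.8,53,203.0.113.20,33333,600,4
"""

OUR_NETS = [ipaddress.ip_network("203.0.113.0/24")]   # constructed: the prefixes we operate


def parse_flows(text):
    """Turn the CSV export into typed records."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        records.append({
            "ts": row["ts"], "proto": row["proto"].lower(),
            "src": ipaddress.ip_address(row["src"]), "sport": int(row["sport"]),
            "dst": ipaddress.ip_address(row["dst"]), "dport": int(row["dport"]),
            "bytes": int(row["bytes"]), "pkts": int(row["pkts"]),
        })
    return records


def is_ours(addr):
    return any(addr in net for net in OUR_NETS)


def exploitable_port_hits(records, port=MEMCACHED_PORT):
    """Flows an edge filter on UDP/TCP <port> would match, tagged "ingress" or "egress".

    Flows that stay inside our own prefixes never cross the edge and are not reported,
    which is what keeps a legitimate internal memcached deployment working."""
    hits = []
    for r in records:
        if port not in (r["sport"], r["dport"]):
            continue
        if is_ours(r["dst"]) and not is_ours(r["src"]):
            direction = "ingress"
        elif is_ours(r["src"]) and not is_ours(r["dst"]):
            direction = "egress"
        else:
            continue
        hits.append((direction, r["proto"], str(r["src"]), str(r["dst"])))
    return hits


def reflection_ratios(records, min_ratio=100.0):
    """Bytes sent from port 11211 divided by bytes received on it, per (server, target) pair.

    A spoofed request is tiny and the reply is huge, so a UDP ratio far above 1 is the
    signature of a reflector being abused; min_ratio keeps ordinary client traffic out."""
    requests, replies = defaultdict(int), defaultdict(int)
    for r in records:
        if r["proto"] != "udp":
            continue
        if r["dport"] == MEMCACHED_PORT:          # request: key is (server, client or target)
            requests[(r["dst"], r["src"])] += r["bytes"]
        elif r["sport"] == MEMCACHED_PORT:        # reply from the server
            replies[(r["src"], r["dst"])] += r["bytes"]
    suspects = {}
    for key, reply_bytes in replies.items():
        request_bytes = requests.get(key, 0)
        ratio = reply_bytes / request_bytes if request_bytes else float("inf")
        if ratio >= min_ratio:
            suspects[(str(key[0]), str(key[1]))] = ratio
    return suspects


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for hit in exploitable_port_hits(flows):
        print("filter match:", *hit)
    for (server, target), ratio in reflection_ratios(flows).items():
        print(f"reflection suspect: {server} -> {target}, ratio {ratio:.0f}x")
```

The egress hit is the one that matters for the operator hosting the reflector: the request arrives spoofed and cannot be attributed, but the reply leaving your network is yours, which is why the advisory asks for the filter in both directions and for BCP 38 at the same time.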



Re: Blockchain and Networking

2018-01-10 Thread Filip Hruska

Application Specific Integrated Circuit. It's even in the name!

You can't just run normal software on ASICs. It's not a computer.
They're literally hard-wired to do one thing - and do it well.
Switch ASICs, for example, are good for switching network packets
around. Though (I would assume) they can't do any kind of hashing,
much less Bitcoin-specific stuff.

Trying to mine Bitcoin on switch ASICs would be like trying to transfer
water through a 2.4GHz WiFi connection - both are absolutely
preposterous ideas.



Regards

--
Filip Hruska
Linux System Administrator

On 1/9/18 at 17:02 Michael Crapse wrote:
> The definition of an ASIC is that it has only one use. Just because half of
> a 100gb switch is not in use doesn't mean that you can mine bitcoin, or run
> a blockchain with the asics not in use..
>
> On 9 January 2018 at 08:49, Jean | ddostest.me via NANOG <nanog@nanog.org>
> wrote:
>
>> BTC miners use asics. Big switches/routers use 100Gb asics. Some
>> switches have multiple 100 Gb asics and sometimes only half is use or
>> even less.
>>
>> I guess it could be nice for some smaller telcos to generate some profit
>> during off peak period. I don't know how feasible and I fully understand
>> that the vendor warranty should be instantly void.
>>
>> Also, sometimes telcos have off the shelves spare that gather dust for
>> years... It could be interesting to also generate few coins.
>>
>> Jean
>>
>> On 18-01-09 10:31 AM, Naslund, Steve wrote:
>>
>>> Sure but there are lots of blockchains other than bitcoin.  A lot of
>>> real smart people do not even suspect that bitcoin is a long term survivor
>>> due to its long transaction times.  Which blockchains do you want to
>>> support?  150GB may not seem like a lot (although a lot of my gear does not
>>> have the memory to cache that) but 10 of those is beyond the memory on the
>>> vast majority of network gear I am aware of.  That sure looks like a
>>> slippery slope to me.   Now that a lot of network switching and routers can
>>> support applications, you could just host all of your apps on them just
>>> like you could do all of your routing in your servers.   The question for
>>> you is what responsibilities do you want to take on.   That probably
>>> depends on what business you are in.
>>>
>>>> There is absolutely no reason that the networking equipment itself
>>>> can't both operate the blockchain and keep a full copy.  It's a pretty good
>>>> bet that your own routers will probably be online;  if not, you have bigger
>>>> problems.
>>>>
>>>> The storage requirements aren't particularly onerous.  The entire
>>>> Bitcoin blockchain is around 150GB, with several orders of magnitude more
>>>> transactions (read: config changes) than you're likely to see even on a
>>>> very large network.  SSDs are small enough and reliable enough now that
>>>> the physical space requirements are quite small.
>>>
>>> Steven Naslund
>>> Chicago IL





Re: Any experience with Broadcom ICOS out there?

2018-01-06 Thread Filip Hruska

I think FS reviews are simply fake.

Check out reviews on this bag of connectors: 
https://www.fs.com/products/10964.html#all_reviews


3 different people from supposedly 3 countries added pictures of the 
bag. To me it looks like the bag is on the exact same table in all photos,
under totally same lighting conditions, just shot from different angles. 
Also, there is a dent in the table, which is visible in 2 of the photos.


I wonder, why would they do this? Doesn't instill a lot of confidence in me.


Regards

--
Filip Hruska
Linux System Administrator

On 1/6/18 at 06:15 Chuck Church wrote:
> I smell some BS here, at least in their 'Verified Purchase' reviews:
>
> "It is installed as a network hub in my basement and it is working fine. Great
> quality product. I've had a lot of business with FS for years. This is a very reliable
> company and they stand behind their company's products with a first class warranty! I
> highly recommend."
>
> "It just takes several days to receive my 100G switch with Broadcom ICOS which is
> packaged safely and intactly. I followed the instruction and seems simple for a non-tech
> user. Three steps would be done: plug it in, cable it up, turn it on. Just the way a good
> product should be. I would like to recommend both the product and the seller."
>
> Non tech user, network hub in my basement.  $10K L3 switch.  Jesus.  The
> Tactical Flashlight seems more believable right now.
>
> Chuck.
>
> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Eric Kuhnke
> Sent: Friday, January 05, 2018 4:55 PM
> To: Bryan Holloway <br...@shout.net>; nanog@nanog.org list <nanog@nanog.org>
> Subject: Re: Any experience with Broadcom ICOS out there?
>
> You may have better results with the same question on OCP (open compute
> platform) related forums and mailing lists. The Quanta version of that switch
> sold by FS is pretty much the same thing:
>
> https://linustechtips.com/main/topic/801037-qct-reveals-their-quantamesh-network-switches/
>
> Quanta has been very active in the OCP community for whitebox switches. I have
> heard that they are the switch manufacturer for a great deal of Facebook's
> hyperscale stuff.
>
> On Fri, Jan 5, 2018 at 1:46 PM, Bryan Holloway <br...@shout.net> wrote:
>
>> Thank you everyone for the responses so far; I should probably
>> re-phrase the question at this point ...
>>
>> Has anyone had production experience with Broadcom ICOS and the
>> features it claims to support? Positive or negative?
>>
>> On 1/5/18 2:46 PM, joel jaeggli wrote:
>>
>>> On 1/5/18 10:50 AM, Bryan Holloway wrote:
>>>
>>>> Fiberstore is rolling out some CRAZY cheap 100Gbps switches, and I'm
>>>> curious if anyone in the community has any thoughts or real-life
>>>> world experience with them.
>>>>
>>>> E.g.: https://www.fs.com/products/69340.html
>>>>
>>>> For the price point, it's almost in the "too good to be true" category.
>>>
>>> The COGS on a single ASIC tomahawk switch was is in $5000-7000 range.
>>> so it's consistent with a low value add reseller of merchant silicon.
>>> that silicon is getting older (tomahawk 3 was announced in
>>> anticipation of 2018) so we can presume they are getting cheaper. I
>>> generally have a favorable experience of FS but then I buy optics and
>>> cables, not switches so your mileage may vary.
>>>
>>>> Naturally it claims to support an impressive range of features
>>>> including
>>>> BGP, IS-IS, OSPF, MPLS, VRFs, blah blah blah.
>>>
>>> The software stack is Broadcom ICOS. if you're not familiar with that
>>> I start looking at that. if it meets your needs that's cool. if not
>>> you might be looking at cumulus or onos. That said Broadcom does
>>> enough to get their customers (whitebox odms) out the door, not
>>> necessarily the customers of those odms so your recourse to a
>>> developer is kind of limited which you get a from a vendor more
>>> involved in the software stack. A lot of those choices here depend on
>>> how responsible you want to be for what's running inside the box.
>>>
>>>> There was an earlier discussion about packet buffer issues, but,
>>>> assuming for a second that it's not an issue,
>>>
>>> It can be avoided, but for people used to running all 10Gb/s
>>> cut-through trident 2s kind of hot, some of consequences are kind of
>>> impressive. 4 much smaller buffers and the virtual assurance that
>>> you'll be doing rate conversion eats into the forwarding budget.
>>>
>>>> can anyone say they've used these and/or the L2/L3 features that
>>>> they purportedly support?
>>>>
>>>> Thanks!
>>>>  - bryan






Re: IPv4 smaller than /24 leasing?

2018-01-04 Thread Filip Hruska

Thanks for all the responses!

Seems like I was right about doubting this.


Regards

--
Filip Hruska
Linux System Administrator

On 1/4/18 at 20:20 Matt Harris wrote:
They're probably using GRE or other sorts of tunnels, I'd imagine?  It 
would likely involve increased latency, as any packets coming to those 
addresses would hit them first, and then be tunneled - either over the 
public internet using gre or some kind of vpn, or perhaps via a 
private connection or even an IX, to you?  As far as outgoing traffic 
from those addresses, you'd probably need to make sure that any 
upstreams you're sending packets to from those addresses are not 
running urpf which would cause them to be discarded, or otherwise get 
around such a configuration.


Take care,
Matt


On Thu, Jan 4, 2018 at 1:13 PM, Filip Hruska <f...@fhrnet.eu 
<mailto:f...@fhrnet.eu>> wrote:


Hi,

I have stumbled upon this site [1] which seems to offer /27 IPv4
leasing.
They also claim "All of our IPv4 address space can be used on any
network in any location."

I thought that the smallest prefix size one could get routed
globally is /24?
So how does this work?

[1] http://www.forked.net/ip-address-leasing/
<http://www.forked.net/ip-address-leasing/>


    Thanks

--
Filip Hruska
Linux System Administrator




--
Matt Harris - Chief Security Officer
Main: +1 855.696.3834 ext 103
Mobile: +1 908.590.9472
Email:m...@netfire.net <mailto:m...@netfire.net>




IPv4 smaller than /24 leasing?

2018-01-04 Thread Filip Hruska

Hi,

I have stumbled upon this site [1] which seems to offer /27 IPv4 leasing.
They also claim "All of our IPv4 address space can be used on any 
network in any location."


I thought that the smallest prefix size one could get routed globally is 
/24?

So how does this work?

[1] http://www.forked.net/ip-address-leasing/


Thanks

--
Filip Hruska
Linux System Administrator



Re: Re: Attacks from poneytelecom.eu

2018-01-03 Thread Filip Hruska
  
Quite a lot actually. Those servers are fine seedboxes. People also use them
for media storage, i.e. online galleries and smaller video streaming sites.

Filip

> On 4 Jan 2018 at 6:46 am, wrote:
>
> AS12876 is online.net... home of the €2.99 physical server, perfect for all
> of your favorite illegitimate activity. I’m curious how much traffic
> originates from that ASN that is actually legitimate... probably close to
> none.
>
> Sent from my iPhone
>
>> On Jan 3, 2018, at 1:35 AM, Troy Mursch wrote:
>>
>> Dovid,
>>
>> Back in September, I documented my poor experience with AS12876 here:
>> https://badpackets.net/ongoing-large-scale-sip-attack-campaign-coming-from-online-sas-as12876/
>> Since then, their handling of abuse notifications (or lack thereof) has
>> largely remained the same. The volume of malicious traffic from their
>> network hasn't decreased either.
>>
>> As you noted, others have reported similar issues with AS12876, including
>> my associate Dr. Neal Krawetz:
>> https://twitter.com/hackerfactor/status/932593355648667649. I've also
>> compiled a list of complaints regarding AS12876 in this thread:
>> https://twitter.com/bad_packets/status/937220987371732992
>>
>> Thanks,
>> __
>>
>> *Troy Mursch*
>>
>> @bad_packets
>>
>>> On Tue, Jan 2, 2018 at 6:51 PM, Dovid Bender wrote:
>>>
>>> Hi All,
>>>
>>> Lately we have seen a lot of attacks from IPs where the PTR record ends in
>>> poneytelecom.eu to PBX systems. A quick search on twitter (
>>> https://twitter.com/hashtag/poneytelecom) shows multiple people
>>> complaining that they reported the IP's yet nothing happens. Has anyone
>>> had the pleasure of dealing with them and have you gotten anywhere? I
>>> wonder if the only option is public shaming.
>>>
>>> I would rather not ban their AS as it may hurt legit traffic but I am out
>>> of ideas at this point
>>>
>>> TIA.
>>>
>>> Dovid



Re: Suggestions for a more privacy conscious email provider

2017-12-06 Thread Filip Hruska

SES can't hit your firewall with bots, it's just an email service.

Maybe you meant EC2? And as I said earlier, if you have correctly setup 
firewall and servers, port scanning or bots can't hurt you in any way.



--
Filip Hruska
Linux System Administrator

On 12/6/17 at 18:31 Edwin Pers wrote:

Email sending limits are one thing. A couple hundred ssh/rdp/sql bots hitting 
my firewalls constantly is another.

 From what I'm reading on that AWS doc page, those limits only apply to SES 
users.

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Stephen Satchell
Sent: Wednesday, December 6, 2017 11:44 AM
To: nanog@nanog.org
Subject: Re: Suggestions for a more privacy conscious email provider

http://docs.aws.amazon.com/ses/latest/DeveloperGuide/manage-sending-limits.html

On 12/05/2017 10:16 AM, Gordon Ewasiuk via NANOG wrote:

AWS imposes "email sending limitations", by default, on all EC2
accounts. Anyone who wants those limitations removed has to fill out a
form and make a use case to AWS Support.

AWS also says they work with ISPs and "Internet anti-SPAM orgs" like
Spamhaus.

That sounds a bit more than "doesn't care about it", no?




Re: Novice sysadmins

2017-12-06 Thread Filip Hruska

I disagree that nobody cares about abuse.

I actually received an abuse report from SES as someone thought it would 
be funny to flag my previous email I sent to this discussion as spam.

https://i.imgur.com/RgQa2fN.png


--
Filip Hruska
Linux System Administrator

Dne 12/6/17 v 11:52 Rich Kulawiec napsal(a):

On Tue, Dec 05, 2017 at 09:54:21AM -0700, Grant Taylor via NANOG wrote:

The vast majority of what I've experienced in the last ~20 years has been
people willing to help others who are trying to help themselves.

"Help will always be given at Hogwarts to those who ask for it."


If you are trying, make an honest mistake, and are willing to correct it
when others politely let you know, you will quite likely find people willing
to help you.  Especially if you return the favor in kind.

Yes.  That's how we all get better at this.  And when any of us learn,
we all benefit, so it's in our mutual best interest to share knowledge.
(I've learned more here than I can measure.  And I'm grateful for it.)


If you are being a hooligan and not responding to problems reported to you
or purposefully ~> wantonly doing things to others ... good luck.

And the latter is the problem: we are faced, unfortunately, with massive
operations that were designed, built, and deployed without the slightest
consideration for responsible behavior toward the rest of the Internet.
All the rest of us are paying the price for that arrogance, incompetence
and negligence: we're paying for it with DoS/DDoS defenses, with spam
and phish defenses, with brute-force attack defenses, with time and
money and computing resources,  with complexity, with late nights and
early mornings, with annoyed customers, and -- on the occasions when those
defenses fail -- devastating consequences for organizations and people.

These costs aren't always obvious because they're not highlighted line
items in an accounting statement.  But they're real, and they're huge.

How huge?  Well, one measure could be found in the observation that
there's now an entire -- large and growing -- market segment that
exists solely to mitigate the fallout from these operations.

And those same massive operations are doing everything they possibly
can to avoid hearing about any of this.  That's why abuse@ is effectively
hardwired to /dev/null.  And I note with interest that nobody from AWS
has had the professionalism to show up in this thread and say "Gosh, we're
sorry.  We screwed up.  We'll try to do better.  Can you help us?"

Because we would.

---rsk





Re: Suggestions for a more privacy conscious email provider

2017-12-04 Thread Filip Hruska
AWS is probably the biggest cloud provider in the world. Of course the 
majority of junk is going to be coming from their network, simply because 
they are that big.


However, I really wanted to see what the bot statistics for my mail 
server were, so I scanned my `Postfix` and `secure` log files for "access 
denied" entries.

In the past 10 hours, there were:

* 573 Postfix SASL Auth Failed entries from 106 different IPs
* 1479 SSH Auth Failed attempts from 13 different IPs

I see lots of OVH, Azure, home/business connection providers (TELSTRA 
Australia, lot of Asian stuff, Telefonica, Vodafone, Verizon...),
some random cloud/dedicated server provider here and there... but not a 
single Amazon IP - which surprised me quite a bit actually.


For reference, this server is with OVH in France and does not have 
fail2ban installed. Postfix has connection rate limiting enabled though.



On another note, I wouldn't recommend blatantly blacklisting anyone, 
especially not large service/platform/infrastructure providers. Many 
businesses (such as e-shops) rely completely on AWS (or other cloud) 
infrastructure. If you don't receive emails containing order details or 
invoices because you completely blacklisted them... well, that's your problem.


If your server is setup correctly, those bots are completely harmless 
and spamassassin will destroy 99.9% of spam emails, which I call success.
The other 0.1% that goes through (that one email a week) I can delete 
manually.



Regards

--
Filip Hruska
Linux System Administrator

Dne 12/4/17 v 12:19 Edwin Pers napsal(a):

As an anecdotal aside, approx. 70% of incoming portscanners/rdp bots/ssh 
bots/etc that hit the firewalls at my sites are coming from AWS.
I used to send abuse emails but eventually gave up after receiving nothing beyond 
"well, aws ip's are dynamic/shared so we can't help you"


-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Rich Kulawiec
Sent: Monday, December 4, 2017 2:27 AM
To: nanog@nanog.org
Subject: Re: Suggestions for a more privacy conscious email provider

On Sun, Dec 03, 2017 at 05:08:33PM +, Filip Hruska wrote:

I personally run my own mail server, but route outgoing emails via Amazon
SES.

Not a good idea.  Amazon's cloud operations are a constant source of
spam and abuse (e.g., brute-force SSH attacks), they refuse to accept
complaints per RFC 2142, and -- apparently -- they simply don't care to
do anything about it.  I've had SES blacklisted in my MTA for years (among
other preventative measures) and highly recommend to others.

---rsk
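Filip's log tally above, done as an added example that is not part of the original post: a Python script that counts Postfix SASL and sshd authentication failures per source IP over constructed sample syslog lines (the line formats are the standard Postfix smtpd and OpenSSH messages; the sample addresses and the review threshold are assumptions).

```python
import re
from collections import Counter

# Constructed sample lines in the syslog format that postfix/smtpd writes to
# mail.log and OpenSSH writes to /var/log/secure. Addresses are documentation
# ranges, not real sources.
SAMPLE_LOG = """\
Dec  4 01:02:03 mx postfix/smtpd[2101]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec  4 01:02:09 mx postfix/smtpd[2101]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure
Dec  4 01:03:15 mx postfix/smtpd[2140]: warning: host.example.net[198.51.100.20]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec  4 01:03:40 mx postfix/smtpd[2140]: connect from mail.example.org[198.51.100.9]
Dec  4 01:04:00 mx sshd[3001]: Failed password for invalid user admin from 192.0.2.77 port 51234 ssh2
Dec  4 01:04:02 mx sshd[3001]: Failed password for invalid user admin from 192.0.2.77 port 51236 ssh2
Dec  4 01:04:05 mx sshd[3002]: Failed password for root from 192.0.2.78 port 40012 ssh2
Dec  4 01:05:00 mx sshd[3003]: Accepted publickey for filip from 203.0.113.200 port 50000 ssh2
"""

# Postfix: "warning: <rdns>[<ip>]: SASL <mech> authentication failed: ..."
SASL_FAIL = re.compile(
    r"postfix/smtpd\[\d+\]: warning: [^\s\[]+\[(?P<ip>[^\]]+)\]: "
    r"SASL \w+ authentication failed"
)
# OpenSSH: "Failed password for [invalid user] <name> from <ip> port <n> ssh2"
SSH_FAIL = re.compile(
    r"sshd\[\d+\]: Failed \w+ for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)


def count_auth_failures(log_text):
    """Count failed authentications per source IP, split by service.

    Returns {"sasl": Counter, "ssh": Counter}; successful logins and
    unrelated lines (plain connects, accepted keys) are ignored.
    """
    per_service = {"sasl": Counter(), "ssh": Counter()}
    for line in log_text.splitlines():
        m = SASL_FAIL.search(line)
        if m:
            per_service["sasl"][m.group("ip")] += 1
            continue
        m = SSH_FAIL.search(line)
        if m:
            per_service["ssh"][m.group("ip")] += 1
    return per_service


def summarize(per_service):
    """Reduce the counters to (total attempts, distinct source IPs) per service."""
    return {svc: (sum(c.values()), len(c)) for svc, c in per_service.items()}


def offenders(counter, min_attempts):
    """Sources at or above min_attempts, busiest first (ties broken by IP string)."""
    hits = [(ip, n) for ip, n in counter.items() if n >= min_attempts]
    return sorted(hits, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    counts = count_auth_failures(SAMPLE_LOG)
    for svc, (attempts, ips) in summarize(counts).items():
        print(f"{svc}: {attempts} failed attempts from {ips} different IPs")
    # Assumed threshold: two or more failures is enough to review the source
    # (e.g. before deciding on a rate limit or a fail2ban-style block).
    for svc in counts:
        for ip, n in offenders(counts[svc], 2):
            print(f"  {svc} repeat offender {ip}: {n} attempts")
```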





Re: Suggestions for a more privacy conscious email provider

2017-12-03 Thread Filip Hruska

It's kind of a pain to manage a mail server.

Even if you have SPF and DKIM correctly set up and you are not on any common 
blacklists, you constantly have to fight for good deliverability - some mail 
server solutions will simply reject you no matter what. You might be on some 
obscure blacklist nobody uses and then you have to waste time sending 
blacklist removal requests.


I personally run my own mail server, but route outgoing emails via 
Amazon SES. Gives me all the benefits of having my own mail server (domain 
aliases, extensions, custom spam filter etc) and saves me from the pain 
of managing outgoing reputation.


--
Filip Hruska
Linux System Administrator

Dne 12/3/17 v 16:12 Jean | ddostest.me via NANOG napsal(a):

If you plan to use it for a small group of people, you should consider
hosting it yourself. You could set it up with SPF, dkim, dmarc, ipv6.

It could be seen as a personal challenge to achieve.

Then if you need real privacy, you will need to encrypt with public keys
like PGP or S/MIME. You can upload your public key to the public pgp key
servers. I guess that one day this thing will be very popular.

Challenge accepted?

Jean

On 17-12-02 05:20 PM, Paul Ferguson wrote:

On Sat, Dec 2, 2017 at 1:35 PM, Michael S. Singh <mich...@wadadli.me>
wrote:


I am in need of some suggestions for some privacy conscious email
providers. I am currently using Migadu [...]

I use KolabNow, based in Switzerland, for a lot of personal e-mail
communications. They are very, very privacy conscious:

--> https://kolabnow.com/feature/confidence

They are *not* free, but quite reasonable, and I am quite happy with the
m.

- ferg







Re: Google DNS intermittent ServFail for Disney subdomain

2017-10-20 Thread Filip Hruska
Would be great if makers of home routers would implement full recursive 
DNS resolvers instead of just forwarders in their gear.


--
Filip Hruska
Linux System Administrator

Dne 10/20/17 v 15:23 Mike Hammett napsal(a):

I know it doesn't help your problem, but friends don't let friends use public 
DNS resolvers (Google, L3, Open DNS, etc.). ;-)




-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com

Midwest-IX
http://www.midwest-ix.com

- Original Message -

From: "David Sotnick" <sotnickd-na...@ddv.com>
To: "NANOG" <nanog@nanog.org>
Sent: Thursday, October 19, 2017 10:41:46 PM
Subject: Google DNS intermittent ServFail for Disney subdomain

Hi Nanog,

I am principal network engineer for sister-studio to Disney Studios. They
have been struggling with DNS issues since Thursday 12th October.

By all accounts it appears as though *some* of the Google DNS resolvers
cannot reach the authoritative nameservers for "studio.disney.com".

This is causing ~20-30% of all DNS requests against Google Public DNS
8.8.8.8 / 8.8.4.4 to fail for requests in this subdomain.

The name servers reside in 153.7.233.0/24.

Might someone be able to *connect me* with someone at Google to assist my
poor colleagues who are banging their heads against a brick wall here.

Thank you,
David



Re: Question about Customer Population by ASN for Canada

2017-10-02 Thread Filip Hruska

Hi,

There are various reasons that might be causing this:
* Lots of VPNs on OVH network
* OVH offers "desktop-as-a-service" and from what I understand it's 
quite popular
* OVH is also a home ISP - just in France though; but not sure if/how 
APNIC separated OVH as an ISP and OVH as a server provider. I think it's 
all under the same ASN (might be wrong though)
* There are some scrapers on the OVH network - definitely not half a 
million though



Best Regards,
Filip Hruska

Dne 10/2/17 v 22:05 Stephen Fulton napsal(a):

Hi Jack,

As OVH is a data centre, I find that extraordinary if eyeballs were 
the cost.  VPN's may be popular but that seems excessive. Probably 
bots of some sort, scraping the internet.


-- Stephen

On 2017-10-02 3:57 PM, Jacques Latour wrote:

Hi all!

I'm working on our IPv6 and DNSSEC adoption report for Canada and the 
data I use comes largely from APNIC 
(https://stats.labs.apnic.net/dnssec/CA) and 
(https://stats.labs.apnic.net/ipv6/CA).


Labs.APNIC has a pretty cool system to measure this kind of stuff by 
deploying specially crafted google ads, see "How Big is that 
Network?"  https://labs.apnic.net/?p=526, and APNIC is able to assess 
the population behind a network based on ad placement distribution. 
See https://stats.labs.apnic.net/cgi-bin/aspop?c=CA for Canada.


The question I have is why does OVH come #6 with an estimated 
population of 1,480,927 behind its ASN? Remember these are actual 
placement of ads.  Should I count those users as part of my stats?


Rank  ASN      AS Name                                                   CC  Users (est.)  % of country  % of Internet  Samples
1     AS812    ROGERS-CABLE - Rogers Cable Communications Inc.           CA  5,420,034     16.72         0.16           555,718
2     AS577    BACOM - Bell Canada                                       CA  4,474,012     13.8          0.132          458,722
3     AS6327   SHAW - Shaw Communications Inc.                           CA  3,708,414     11.44         0.109          380,225
4     AS852    ASN852 - TELUS Communications Inc.                        CA  2,914,405     8.99          0.086          298,815
5     AS5769   VIDEOTRON - Videotron Telecom Ltee                        CA  2,189,946     6.76          0.065          224,536
6     AS16276  OVH                                                       CA  1,480,927     4.57          0.044          151,840
7     AS15290  ALLST-15290 - Allstream Corp.                             CA  1,272,374     3.93          0.038          130,457
8     AS855    CANET-ASN-4 - Bell Aliant Regional Communications, Inc.   CA  1,211,485     3.74          0.036          124,214
9     AS7992   COGECOWAVE - Cogeco Cable                                 CA  1,112,002     3.43          0.033          114,014
10    AS5645   TEKSAVVY - TekSavvy Solutions, Inc.                       CA  967,401       2.98          0.029          99,188
11    AS11260  EASTLINK-HSI - EastLink                                   CA  695,598       2.15          0.021          71,320
12    AS47027  SEASIDE-COMM - Seaside Communications, Inc.               CA  425,561       1.31          0.013          43,633
13    AS803    SASKTEL - Saskatchewan Telecommunications                 CA  392,186       1.21          0.012          40,211
14    AS11814  DISTRIBUTEL-AS11814 - DISTRIBUTEL COMMUNICATIONS LTD.     CA  370,348       1.14          0.011          37,972


Jack








--
Best Regards,
Filip Hruska
Linux System Administrator



Re: Has Level3 done away with traceroute??

2017-09-21 Thread Filip Hruska

Hi,

Did a measurement with RIPE Atlas and it seems like a worldwide problem, 
based on data from 100 probes.


https://atlas.ripe.net/measurements/9324230/#!tracemon


Dne 9/21/17 v 19:10 Van Dyk, Donovan via NANOG napsal(a):

Hello All,

Recently I was troubleshooting a network event for a client of ours who resides 
on the Level3 network. While trying to verify the path, I noticed I am no 
longer able to traceroute through the Level3 network.
The funny thing is this is not just isolated to the /32. It appears to be that 
the entire 4.0.0.0/9 network is no longer able to traceroute through. 
Everything dies on their edge network.

This appears to be isolated to traceroute. I have checked this in NA and EU.

My carrier contacted Level3 who pretty much stated that they can’t provide 
anything.

I have checked multiple looking glasses and other online tools and none of them 
make it. Even Level3 looking glass drops the packets.

Does anyone know anything about this? I’m pretty sure this is the first time we 
are seeing this.


Random 4.0.0.0/9 address.

NTT looking glass
Tracing the route to 4.35.230.7

1   *
 ae-2.a00.snjsca04.us.bb.gin.ntt.net (129.250.3.58) 3 msec  1 msec
  2   *  *  *
  3   *  *  *
  4   *  *  *
  5   *  *  *
  6   *  *  *


TATA looking glass
traceroute to 4.7.6.4 (4.7.6.4), 30 hops max, 52 byte packets
1  if-ae-14-3.tcore2.FNM-Frankfurt.as6453.net (195.219.87.89)  2.056 ms 
if-ae-6-2.tcore1.FR0-Frankfurt.as6453.net (195.219.50.173)  1.253 ms  1.177 ms
  MPLS Label=616998 CoS=0 TTL=1 S=1
2  195.219.50.50 (195.219.50.50)  1.214 ms  1.247 ms  1.535 ms
3  195.219.50.50 (195.219.50.50)  1.144 ms *  2.246 ms
4  * * *
5  * * *
6  * * *
7  * * *
8  * * *
9  * * *
10  * * *


Telia looking glass
traceroute to 4.7.6.4 (4.7.6.4), 30 hops max, 52 byte packets
1  if-ae-14-3.tcore2.FNM-Frankfurt.as6453.net (195.219.87.89)  2.056 ms 
if-ae-6-2.tcore1.FR0-Frankfurt.as6453.net (195.219.50.173)  1.253 ms  1.177 ms
  MPLS Label=616998 CoS=0 TTL=1 S=1
2  195.219.50.50 (195.219.50.50)  1.214 ms  1.247 ms  1.535 ms
3  195.219.50.50 (195.219.50.50)  1.144 ms *  2.246 ms
4  * * *
5  * * *
6  * * *
7  * * *
8  * * *
9  * * *
10  * * *


Level3 looking glass
Traceroute results from Atlanta, GA to 
4.200.65.42(dialup-4.200.65.42.Dial1.LosAngeles1)

   1  0.0.0.0  * * *
   2  0.0.0.0  * * *
   3  0.0.0.0  * * *
   4  0.0.0.0  * * *
   5  0.0.0.0  * * *
   6  0.0.0.0  * * *
   7  0.0.0.0  * * *
   8  0.0.0.0  * * *
   9  0.0.0.0  * * *
  10  0.0.0.0  * * *
  11  0.0.0.0  * * *

--
Donovan Van Dyk
SOC Network Engineer
Fort Lauderdale, FL USA




--
Best Regards,
Filip Hruska
Linux System Administrator



Re: Drop cable

2017-09-21 Thread Filip Hruska

Hi,

Try FiberStore - fs.com


Dne 9/21/17 v 10:27 Ahmed Munaf napsal(a):

sorry I forgot to mention the model:

drop cable 6 core fiber optic GYXTW 1Km/ drum

in I am using  this model too:

drop fiber cable 2 core G657A2 fiber & 1.2mm self-supporting steel &  LSZH

Regards,




On Sep 21, 2017, at 11:08 AM, ahmed.dala...@hrins.net 
<mailto:ahmed.dala...@hrins.net> wrote:

Hello,

I would like to buy drop cable 6 core, I am already buying from China, but the 
quality sometimes is bad so anyone who deals with good companies there can 
share their contact with me?

Regards,


--
Best Regards,
Filip Hruska
Linux System Administrator



Re: bogon identified? how to track down bogus IPs/ASN's

2016-09-29 Thread Filip Hruska
According to HE's BGP tool, the IP range is actually 103.206.16.0/22 and 
it looks like it's a bogon.


http://bgp.he.net/net/103.206.16.0/22#_bogon

Regards,
Filip

On 29.9.2016 21:46, Ken Chase wrote:

My turn for the newb question:

I've got a traceroute with this IP in it that's close to the end of the trace.

103.206.16.46

Chasing down this IP to see who the ISP a friend is using, figured out
the diff between ARIN and APNIC whois for IPs (..bit of a learning curve, not
sure why there's not just one whois interface syntax).

 whois -h whois.apnic.net -m 103.206.16.0/21

shows only the upper /22 being registered with APNIC (if you do -m on
.16.0/22, there's no entry).

So it seems to me these IPs aren't registered properly with APNIC (could it
be cross-registered with another RIR? Well it's not with ARIN who'd be the 
local.)

But I do see this block in global bgp tables so it wasn't like someone decided 
to use 10.10.10/24 or 1.2.3/24 in their routing infrastructure. They're 
actually announcing;

 sh ip bg 103.206.16.0  ends in a path with  394786 135022

looking up 394786 I see avetria networks. looking up 135022 I see nothing at 
ARIN.

At APNIC I get

as-block:   AS134557 - AS135580
descr:  APNIC ASN block
remarks:These AS numbers are further assigned by APNIC
remarks:to APNIC members and end-users in the APNIC region

but nothing more specific.

However, this does show up in radb as avetria networks as well. (and various 
geolocate DBs put it in Melbourn.au though i know it's in use in Kitchener 
ontario).

So what's not matching up here?

/kc
--
Ken Chase - m...@sizone.org Guelph Ontario



Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-23 Thread Filip Hruska

While we are on topic of DDOS, it looks like it's quite a storm now.

According to this WHT post [1], some large server providers were 
recently attacked, and many are still being attacked with quite a large 
bandwidth, i.e. 1Tbps attacks against OVH. [2], [3]



Regards,
Filip


[1] http://www.webhostingtalk.com/showthread.php?t=1599694
[2] https://twitter.com/olesovhcom/status/778019962036314112
[3] https://twitter.com/olesovhcom/status/778830571677978624


On 23.9.2016 20:02, Chris Adams wrote:

Once upon a time, Grant Ridder  said:

Didn't realize Akamai kicked out or disabled customers


Any business is likely to kick out customers that cost them much more
than they are being paid (under relevant contract terms of course).
Since his blog was being hosted for free, it isn't surprising that
Akamai told him they couldn't do that anymore.

It certainly isn't fair to expect Akamai (and their paying customers) to
deal with that.



Re: comcast and msoft ports

2016-09-11 Thread Filip Hruska
If you really need them, you'll need to use some sort of tunneling 
mechanism, i.e. PPTP.


Regards,
Filip

On 11.9.2016 21:21, Ryan, Spencer wrote:

Having those ports exposed to the Internet is scary. Comcast is right in 
blocking them.



Sent from my Verizon, Samsung Galaxy smartphone


 Original message 
From: Randy Bush 
Date: 9/11/16 2:48 PM (GMT-05:00)
To: Ca By 
Cc: North American Network Operators' Group 
Subject: Re: comcast and msoft ports

sigh.  well that was some fun hours debugging; not.

thanks

randy



Re: Handling of Abuse Complaints

2016-08-29 Thread Filip Hruska
Google, Level 3 and the like's open DNS resolvers are strictly 
rate-limited. They can't be used as DDOS amplifiers.


On the other hand, there are tons of open resolvers on the internet 
without any sort of limiting. These are very effective amplifiers.


Regards,
Filip

On 29.8.2016 19:04, Laszlo Hanyecz wrote:

I know this is against the popular religion here but how is this abuse
on the part of your customer?  Google, Level3 and many others also run
open resolvers, because they're useful services. This is why we can't
have nice things.


On 2016-08-29 15:55, Jason Lee wrote:

NANOG Community,

I was curious how various players in this industry handle abuse
complaints.
I'm drafting a policy for the service provider I'm working for about
handing of complaints registered against customer IP space. In this
example
I have a customer who is running an open resolver and have received a few
complaints now regarding it being used as part of a DDoS attack.

My initial response was to inform the customer and ask them to fix it.
Now
that its still ongoing over a month later, I'd like to take action to
remediate the issue myself with ACLs but our customer facing team is
pushing back and without an idea of what the industry best practice is,
management isn't sure which way to go.

I'm hoping to get an idea of how others handle these cases so I can
develop
our formal policy on this and have management sign off and be able to
take
quicker action in the future.

Thanks,

Jason




Re: DNS Services for a registrar

2016-08-12 Thread Filip Hruska

Even for registrars?

Because OP's question was
> We need to provide DNS services for domains we offer as a registrar.

Best Regards,
Filip

On 12.8.2016 22:11, Justin Paine via NANOG wrote:

I won't push further than this -- but it seems a bit silly not to
mention that CloudFlare provides free AnyCast DNS. You can elect not
to even use any of our caching if you just want to use us for DNS.

J


Justin Paine
Head of Trust & Safety
CloudFlare Inc.
PGP: BBAA 6BCE 3305 7FD6 6452 7115 57B6 0114 DE0B 314D


On Fri, Aug 12, 2016 at 12:24 PM, Peter Beckman  wrote:

If there are other metrics in which to measure DNS speed, availability and
redundancy, I'd love to seeing them. I have but my own datapoint and the
metrics from others. Tear down the testing model, but at least show a
different/better one in return.

On Fri, 12 Aug 2016, Keith Stokes wrote:


Route53 can get expensive for lots of domains. Queries are cheap with the
first 1M free, but if you have 1000 domains you’ll pay $500/month.

You can build dedicated servers in multiple AZs and data centers able to
handle that many domains for far less.

You might also consider running dedicated servers in each of AWS and
Azure to avoid a single-provider failure.



Having worked for AWS, there is no "global" control plane that would bring
two regions down at the same time. While possible, due to say a targeted
successful attack on both regions simultaneously, highly unlikely. Control
and data plane software updates and deployments are done regionally, and
often on an Availability Zone basis where applicable, to ensure there are
no defects.  Automation measures and will automatically roll back code that
breaks deployment metrics.

It's pretty sweet. Their internal tools team does amazing things with
automation.

Route53 is $0.50 per month per "zone" (domain) for the FIRST 25, then $0.10
per month per zone after that. 1000 domains would be $110 a month, not
$500. 500 million queries at $0.40 per million, another $200/month.

Who knows if you need that much, but it is pretty affordable.

Beckman
---
Peter Beckman  Internet Guy
beck...@angryox.com http://www.angryox.com/
---




Re: DNS Services for a registrar

2016-08-12 Thread Filip Hruska

Hi,

If you are going the IaaS route, definitely check out the KnotDNS project.
According to their benchmarks [1], it does much better than other DNS 
servers in about every workload.



Best Regards,
Filip

[1] https://www.knot-dns.cz/benchmark/

On 12.8.2016 07:56, Ryan Finnesey wrote:

We need to provide DNS services for domains we offer as a registrar.  We were 
discussing internally the different options for the deployment.  Does anyone 
see a down side to using IaaS on AWS and Azure?

We were also kicking around the idea of a PaaS offering and using Azure DNS or 
AWS Route 53.

Cheers
Ryan



Re: Gmail down

2016-07-05 Thread Filip Hruska

Hi,

It's UP for me.
Location: Czech Republic, IPv6 access via TunnelBroker.

Regards,
Filip

On 07/05/2016 04:56 PM, Martin Hepworth wrote:

Ok from here in the UK



Re: IPv6 deployment excuses

2016-07-04 Thread Filip Hruska
Without firewalls, internet is not very secure, regardless of protocol used.

On 07/04/2016 11:41 AM, Masataka Ohta wrote:
> Jared Mauch wrote:
> 
>> Actually they are not that great. Look at the DDoS mess that UPnP has
>> created and problems for IoT (I call it Internet of trash, as most
>> devices are poorly implemented without safety in mind) folks on all
>> sides.
> 
> Are you saying, without NAT or something like that to restrict
> reachable ports, the Internet, regardless of whether it is with
> IPv4 or IPv6, is not very secure?
> 
> With end to end NAT, you can still configure your UPnP capable NAT
> boxes to restrict port forwarding.
> 
>> The fact that I go to a hotel and that AT mobility have limited
>> internet reach is a technology problem that we all must work to fix.
> 
> Want to run a server at the hotel?
> 
> IP mobility helps you, if you have a home agent at your home and
> you can use IP over UDP/TCP over IP as mobility tunnel.
> 
>  Masataka Ohta
>>
>>
>> Jared Mauch
>>
>>> On Jul 1, 2016, at 11:49 PM, Masataka Ohta
>>>  wrote:
>>>
>>> And, to applications running over TCP/UDP, UPnP capable legacy NATs
>>> are transparent, if host TCP/UDP are modified to perform reverse
>>> NAT, information to do so is provided by UPnP.
>>
>>
>>
> 


Re: craigslist.com admin

2016-06-02 Thread Filip Hruska

Would be really stupid if they were blocking all users behind NATs.

BTW if I enter craigslist.com, it redirects me to "prague.craigslist.cz" 
(makes sense, I'm from CZ and close to Prague), but it uses an invalid 
SSL certificate.




--- Filip

On 06/02/2016 10:45 PM, Darin Steffl wrote:

Have been getting reports of the same thing. Went to the craigslist help
forums where some people there decided to call us a fake ISP because we
don't hand out publics to every customer. They were VERY rude and hopefully
none of them were employees. They said our customers can't use craigslist
if we don't hand publics to everyone. It didn't matter to them that we
don't have enough IP's for every customer.

I sent an email to some admin account someone recommended but haven't heard
anything back yet.



On Tue, May 31, 2016 at 3:07 PM, Dennis Burgess 
wrote:


Looking for a craigslist.com admin to connect with offlist about a block
:)

[DennisBurgessSignature]
www.linktechs.net - 314-735-0270 x103 -
dmburg...@linktechs.net







Re: 10G-capable customer router recommendations?

2016-04-15 Thread Filip Hruska

Hi,

I would also vote for Mikrotik products; IMHO this looks perfect for 
this situation.


http://routerboard.com/CCR1009-8G-1S-1SplusPC



On 04/16/2016 12:01 AM, mike.l...@gmail.com wrote:

Check out the Mikrotik Cloud Core routers, they make them with SFP+ support 
now. I have one of them with 10g deployed right now.

-Mike


On Apr 15, 2016, at 14:52, Aaron  wrote:

Not a lot of 10G capable CPEs out there.  For our 10G residential customers we 
install Brocade ICXs.

Aaron



On 4/15/2016 3:18 PM, David Sotnick wrote:
Hello masters of the Internet,

I was recently asked to set up networking at a VIP's home where he has
Comcast "Gigabit Pro" service, which is delivered on a 10G-SR MM port on a
Comcast-supplied Juniper ACX-2100 router.

Which customer router would you suggest for such a setup? It needs to do
IPv4 NAT, DHCP, IPv4+IPv6 routing and have a decent L4 firewall (that also
supports IPv6).

The customer pays for "2Gb" service (Comcast caps this at 2G+10% = 2.2Gbps)
and would like to get what he pays for (*cough*) by having the ability to
stream two 1Gbps streams (or at least achieve > 1.0Gbps).

I'm tempted to get another ACX-2100 and do a 4x1Gb LACP port-channel to the
customer switch, or replace the AV-integrator-installed Cisco SG300-52P
(Cisco switch with e.g. an EX-3300 with 10Gb uplinks).

Thanks in advance for your suggestions.

-Dave


--

Aaron Wendel
Chief Technical Officer
Wholesale Internet, Inc. (AS 32097)
(816)550-9030
http://www.wholesaleinternet.com






Re: Stop IPv6 Google traffic

2016-04-10 Thread Filip Hruska

If I'm not mistaken, when there is some "abuse",
Google typically shows captcha for the single IPs, not for whole 
provider, so only the customers who actually do something nefarious 
should get flagged.


Also, if you see captcha while using IPv6, switching to IPv4-only won't 
solve the problem because if there really is abuse, Google will flag the 
IPs regardless of IP protocol version.




On 04/10/2016 04:27 PM, Max Tulyev wrote:

The problem is that IPv6-enabled customers complain they see captchas, and Google
NOC refuses to help solve it, saying something like "find out which of your
customers is violating some of our policy". As you can imagine, this is not possible.

So, the working solution is to either correctly cut IPv6 to Google, or cut
all IPv6 (which I don't want to do).

On 10.04.16 17:17, Mike Hammett wrote:

I think the group wants to know what problem you're trying to solve. Obviously 
if you block something, there will be a timeout in getting to it.

What is broken that you're trying to fix by blackholing them?




-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com



Midwest Internet Exchange
http://www.midwest-ix.com


- Original Message -

From: "Max Tulyev" 
To: nanog@nanog.org
Sent: Sunday, April 10, 2016 9:07:47 AM
Subject: Re: Stop IPv6 Google traffic

Customers see timeouts if I blackhole Google network. I'm looking for
alternatives (other than stop providing IPv6 to customers at all).

On 10.04.16 16:50, valdis.kletni...@vt.edu wrote:

On Sun, 10 Apr 2016 16:29:39 +0300, Max Tulyev said:


I need to stop IPv6 web traffic going from our customers to Google
without touching all other IPv6 and without blackhole IPv6 Google
network (this case my customers are complaining on long timeouts).

What can you advise for that?


Umm.. fix the reasons why they're seeing timeouts? :)

Have you determined why the timeouts are happening?









Re: Stop IPv6 Google traffic

2016-04-10 Thread Filip Hruska

Why do you want to prevent IPv6 access to Google?
What's the point?

On 04/10/2016 04:07 PM, Max Tulyev wrote:

Customers see timeouts if I blackhole Google network. I'm looking for
alternatives (other than stop providing IPv6 to customers at all).

On 10.04.16 16:50, valdis.kletni...@vt.edu wrote:

On Sun, 10 Apr 2016 16:29:39 +0300, Max Tulyev said:


I need to stop IPv6 web traffic going from our customers to Google
without touching all other IPv6 and without blackhole IPv6 Google
network (this case my customers are complaining on long timeouts).

What can you advise for that?


Umm.. fix the reasons why they're seeing timeouts? :)

Have you determined why the timeouts are happening?





Re: OT: BdNOG announces website blocks

2015-12-01 Thread Filip Hruska
I think that means they'd like to use deep packet inspection equipment 
for the whole country. But they don't have the budget for equipment with 
such capabilities so they want to limit bandwidth usage by cutting off 
access to some popular services.


Maybe I got it all wrong; that article is very confusing.

On 12/01/2015 07:36 PM, Scott Weeks wrote:


--- nanog@nanog.org wrote:
From: ABDUL AWAL via NANOG 

http://bdnews24.com/bangladesh/2015/11/29/proxy-servers-to-access-facebook-will-soon-be-unavailable-state-minister-tarana
-


Hahaha, gov't official - meet reality.


"State Minister for Posts and Telecommunications Tarana
Halim says proxy servers being used..."

""I think Facebook can't be closed unless the internet
is shut down. We don't want to do that. We won't shut
down the internet," said Tarana Halim."

"We are only catching only those that need to be caught,
not everyone."

"I ask you (journalists) to find out whether it's possible
or not. I hope you will find the answer. Closing down
Facebook 100 percent is not possible in any country in the
world"

Or any other app a gov't wants to keep from its citizenry
so their communications with others can be controlled.



"Those who are using them are using a bandwidth with
a specific capacity. They won't be able to do that
much longer. Because this bandwidth's capacity is low."

"The second bandwidth's speed is far lower than normal.
Saboteurs can't communicate and organise attacks fast
enough using that bandwidth. It's very easy to track
(anyone's internet activity) if the speed is low.""


wtf does that even mean?


scott



Re: Gmail spam filtering

2015-11-22 Thread Filip Hruska
You might need to set up/change an SPF record for that domain. I always
had Google marking my email as spam when I tried to send emails with no
SPF record.


On 11/22/2015 06:03 PM, Jay Ashworth wrote:

Bout a month ago, I had someone crack a POP password on my private mail server,
and got a couple days of spam out through it before I caught it on Sunday
afternoon.

I locked it down, and am this weekend replacing that mail server with one
of current vintage, serving the same domain from a linode instance on a
different IP and, obviously, transport network.

I'm finding, though, that gmail is spam-filing the emails I send out,
presumably because they're on the same domain name in the envelope.

Anyone got a pointer to where I go to assure Google I'm on top of it now?

The mail delivers to their inbound MX ok, it just ends up in the spam folder,
even on my business GoogleApps account.  Delivers to Yahoomail just fine.

I checked the new IP in the MXtoolbox RBL checker, and no hits, but does
gmail know what ranges are assigned to VPS providers, like with the cable
swamp, and bias its spamchecking accordingly?

Cheers,
-- jra
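As an added example (not code from the thread or from any poster), here is a small offline evaluator for the ip4/ip6/all subset of an SPF record, showing how a record that still lists only the old server's address rejects mail from the replacement host until the record is updated. The records and IP addresses are constructed placeholders; a, mx, include, exists and ptr mechanisms need DNS and are skipped here.

```python
import ipaddress

# Constructed SPF records for a hypothetical domain (placeholder values).
# "old" lists only the original server; "new" also lists the replacement host.
SPF_RECORDS = {
    "old": "v=spf1 ip4:192.0.2.10 -all",
    "new": "v=spf1 ip4:192.0.2.10 ip4:198.51.100.25 -all",
}

# Qualifier prefixes from RFC 7208; a mechanism with no prefix means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, sender_ip: str) -> str:
    """Evaluate the ip4/ip6/all subset of an SPF record against a sending IP.

    Returns pass/fail/softfail/neutral, "permerror" for a malformed
    network, or "none" when the TXT string is not an SPF record.
    Mechanisms needing DNS (a, mx, include, exists, ptr) are skipped, so
    this is only a sanity check, not a full RFC 7208 implementation.
    """
    if not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier, mech = "+", term
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            # "all" always matches; its qualifier decides the verdict.
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # e.g. "ip4:not-an-ip"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        # Any other mechanism would need a DNS lookup; skipped offline.
    # RFC 7208 section 4.7: no mechanism matched and no "all" present.
    return "neutral"


if __name__ == "__main__":
    new_host = "198.51.100.25"  # constructed address of the replacement server
    for label, rec in SPF_RECORDS.items():
        print(f"{label}: {new_host} -> {evaluate_spf(rec, new_host)}")
```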