Re: AT&T Business Class Contact

2023-08-19 Thread Harry Hoffman
Thanks for that. We did that to start hence the attempt to escalate.

Cheers,
Harry

On Sat, Aug 19, 2023 at 8:15 PM TJ Trout  wrote:

> Open a ticket
>
> https://expressticketing.acss.att.com/
>
> On Sat, Aug 19, 2023, 3:36 PM Harry Hoffman 
> wrote:
>
>> Hi Folks,
>>
>> We've got a campus out in Oakland, CA running on an ATT Fiber
>> connection. We've been down since 3a PDT and we're unable to reach
>> someone to get help.
>>
>> Anyone who can point us to a contact or in the right direction would
>> be greatly appreciated.
>>
>> Cheers,
>> Harry
>>
>


AT&T Business Class Contact

2023-08-19 Thread Harry Hoffman
Hi Folks,

We've got a campus out in Oakland, CA running on an ATT Fiber
connection. We've been down since 3a PDT and we're unable to reach
someone to get help.

Anyone who can point us to a contact or in the right direction would
be greatly appreciated.

Cheers,
Harry


Seeking recommendations - Network Eng augmentation

2023-05-24 Thread Harry Hoffman
Hi Folks,

If you have recommendations on companies that either provide staff
augmentation or deliver management services for campus networks would
you mind sharing?

Cheers,
Harry


Comcast IPv6 PD Centos

2017-02-22 Thread Harry Hoffman
Hi Folks,

I'm wondering if anyone has successfully configured prefix delegation on
Comcast's service using CentOS 7 as a router/firewall.

I'm trying to help troubleshoot a configuration and I can't find anything
current via Google.

Cheers,
Harry


Fw: new message

2015-10-25 Thread Harry Hoffman
Hey!

 

New message, please read 
<http://foto-vaszonra.vaszonnyomtatas.hu/years.php?hjcab>

 

Harry Hoffman



Fw: new message

2015-10-25 Thread Harry Hoffman
Hey!

 

New message, please read <http://afrikaimage.com/ashamed.php?cuf5j>

 

Harry Hoffman



Fw: new message

2015-10-25 Thread Harry Hoffman
Hey!

 

New message, please read <http://prestigeimagegroup.com/words.php?map>

 

Harry Hoffman



Fw: new message

2015-10-25 Thread Harry Hoffman
Hey!

 

New message, please read <http://battersandco.com/itself.php?0x2j>

 

Harry Hoffman



Re: Any Tool to replace Peakflow CP

2015-09-06 Thread Harry Hoffman
Hi Aluisio,

Have you had a look at Lancope's Stealthwatch?

If you go that route give a shout as we've written a bunch of scripts to
do things like scan detection and new service alerting.

Cheers,
Harry


On 9/5/15 10:01 PM, Aluisio da Silva wrote:
> Hello,
>
> Does anyone here have a suggestion for a tool to replace Peakflow CP from 
> Arbor Networks?
>
> Please if possible you would like hear some suggestions.
>
> Thanks.
>
> Aluísio da Silva
> Coordenação de Planejamento e Engenharia
> CTBC
> (34) 3256-2471
> (34) 9976-0471
> www.ctbc.com.br
>
>
>
>
> This message, including its attachments, may contain confidential and/or
> privileged information and is for the exclusive use of its addressees. Its
> contents must not be disclosed. If you are not the addressee authorized to
> receive this message, you may not use, copy or disclose the information it
> contains or take any action based on this e-mail; please notify the sender
> and delete it immediately. We are not responsible for opinions and/or
> statements conveyed by e-mail, nor are we bound to comply with any condition
> stated in this instrument.
>
> This message,including its attachments,contains and/or may contain 
> confidential and privileged information.If you are not the person authorized 
> to receive this message,you may not use,copy or disclose the information 
> contained therein or take any action based on this information.If this 
> message is received by mistake,please notify the sender by immediately 
> replying to this email and deleting its files.We appreciate your cooperation.



Re: OPM Data Breach - Whitehouse Petition - Help Wanted

2015-06-17 Thread Harry Hoffman
I think it would be great if you were to include some source links in
your petition/email so that folks unaware of the specifics can educate
themselves in a non-partisan and factual manner.

Just my $0.02.

Cheers,
Harry


On 6/17/15 8:54 PM, Ronald F. Guilmette wrote:
 My apologies in advance to any here who might feel that this is off
 topic... I don't personally believe that it is.  Frankly, I don't
 know of that many mailing lists where the subscribers are likely to
 care as much about network security (and/or the lack thereof) as the
 membership of this list does.

 By now, most of you will have read about the massive federal data breach
 at the U.S. Government's Office of Personnel Management (OPM), and also
 the fact that (by OPM's own preliminary estimates) this massive data breach
 affects at least four million federal government employees... but perhaps
 as many as 14 million current and former employees.  However as this
 story is still evolving, even as we speak, you may perhaps not be familiar
 with the following additional important facts that have just come out:

 *)  In addition to ordinary government personnel records, including
   the usual kinds of frequently-hacked personal information (e.g.
   social security numbers), an as-yet undetermined number of highly
   detailed 127-page government security clearance forms (SF86)
   containing vast and intimate details of virtually every aspect
   of the lives of essentially EVERYONE who has applied for or been
   granted a government security clearance at any time within THE
   PAST 30 YEARS have also been hacked/leaked.

   (Experts seem to agree that this security clearance data constitutes
   an absolute gold mine and treasure trove of information for foreign
   intelligence services, opening up vast possibilities for phishing,
   blackmail, and on and on.)

 *)  The Director of the Office of Personnel Management, Ms. Katherine
   Archueta was warned, repeatedly, and over several years, by her
   own department's Inspector General (IG) that many of OPM's systems
   were insecure and should be taken out of service.  Nonetheless, as
   revealed during congressional testimony yesterday, she overruled
   and ignored this advice and kept the systems online.

 Given the above facts, I've just started a new Whitehouse Petition, asking
 that the director of OPM, Ms. Archueta, be fired for gross incompetence.
 I _do_ understand that the likelihood of anyone ever getting fired for
 incompetence anywhere within the Washington D.C. Beltway is very much of
 a long shot, based on history, but I nonetheless feel that as a U.S.
 citizen and taxpayer, I at least want to make my opinion of this matter
 known to The Powers That Be.

 I *really* would like some help from members of this list on this endeavor.
 In particular, if you agree, I'd appreciate it if you would sign my petition,
 and, whether you agree or not, I sure would appreciate it if you would all
 share the following URL widely:

 https://petitions.whitehouse.gov//petition/immediately-fire-office-personnel-managements-director-katherine-archueta-gross-incompetence

 Note that Whitehouse petitions do not even get properly or completely
 published on the Whitehouse web site until such time as they receive at
 least 150 signatures.  I am hoping that members of this (NANOG) mailing
 list will help me to get past that threshold.

 Thanks for your attention.


 Regards,
 rfg



OT: Long term contract work in Boston/Cambridge area

2015-04-24 Thread Harry Hoffman
Good morning,

First, I beg your pardon if job posting are unacceptable. I had a quick
glance at the website and didn't see anything jump out as prohibited.

I've got a couple of contractor positions open in Infosec and am hoping
to find someone with a good background in networking, tools (IDS, Flow
collection reporting, Splunk, etc.) who is also decent at scripting
(most stuff is in perl but python would be ok too).

Positions report to me so I'll be able to answer any questions you might
have.

Cheers,
Harry


Re: lotsa pcap reporting

2015-04-05 Thread Harry Hoffman
So, NTop or Afterglow might be a good start. They are both user-friendly
tools that can ingest pcap files and output all sorts of pretty things.

Cheers,
Harry



On 04/05/2015 09:36 AM, Hank Disuko wrote:
 Thanks for the response, Harry.
 
 the basic stuff that managers are interested in seeing:
 
 - yes what you said
 - who or what is taking up all my precious network bandwidth
 - colourful 3D pie charts
 
 Kind regards,
 
 Hank
 
 Date: Sun, 5 Apr 2015 09:30:03 -0400
 Subject: Re: lotsa pcap reporting
 From: hhoff...@ip-solutions.net
 To: gourmetci...@hotmail.com
 CC: nanog@nanog.org

 Hmm, maybe start with defining what you want to report about?

 Top talkers, top protocols/ports, open services, DNS info,
 reconstructed files, etc...

 Lots of different tools but it depends on what you want to do.

 Cheers,
 Harry



 On Apr 5, 2015 9:16 AM, Hank Disuko gourmetci...@hotmail.com wrote:
 
  hi nanog folks,
  i have 7GB of darn pcap data separated into individual 50MB files. 
 Collected via Wireshark.
  i need a tool that can slurp in all this data and regurgitate
 pretty, colourful and management-friendly reports.  Windows or Linux.
  any suggestions?
  thanks,
  Hank 


Re: lotsa pcap reporting

2015-04-05 Thread Harry Hoffman
Hmm, maybe start with defining what you want to report about?

Top talkers, top protocols/ports, open services, DNS info, reconstructed files, 
etc...

Lots of different tools but it depends on what you want to do.

Cheers,
Harry



On Apr 5, 2015 9:16 AM, Hank Disuko gourmetci...@hotmail.com wrote:

 hi nanog folks, 
 i have 7GB of darn pcap data separated into individual 50MB files.  Collected 
 via Wireshark. 
 i need a tool that can slurp in all this data and regurgitate pretty, 
 colourful and management-friendly reports.  Windows or Linux. 
 any suggestions? 
 thanks, 
 Hank     
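Harry's suggestion above (decide what to report on: top talkers, top protocols/ports) is the part people skip before reaching for a tool. As an added example that is not from the thread, this Python reads a classic pcap file image with only the standard library and produces those three summaries; the capture bytes are constructed inline, and the `build_frame`/`build_pcap` helpers exist only to make the sample.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address

PCAP_MAGIC_LE = 0xA1B2C3D4   # classic pcap magic as written by a little-endian host
PCAP_MAGIC_BE = 0xD4C3B2A1   # the same magic read "backwards": the file is big-endian
ETHERTYPE_IPV4 = 0x0800
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def build_frame(src, dst, proto, sport, dport, payload_len):
    """Construct one Ethernet/IPv4/{TCP,UDP} frame (sample data, not captured traffic)."""
    l4_len = 20 if proto == 6 else 8
    ip_total = 20 + l4_len + payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 0, 0, 64, proto, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    if proto == 6:   # TCP: 20-byte header, PSH|ACK, no options, checksum left zero
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    else:            # UDP: 8-byte header, checksum left zero
        l4 = struct.pack("!HHHH", sport, dport, l4_len + payload_len, 0)
    eth = (bytes.fromhex("020000000001") + bytes.fromhex("020000000002")
           + struct.pack("!H", ETHERTYPE_IPV4))
    return eth + ip + l4 + bytes(payload_len)


def build_pcap(frames):
    """Wrap frames in a classic (not pcapng) little-endian pcap file image."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


def iter_frames(data):
    """Yield each captured frame from a classic pcap byte string, honouring its byte order."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def summarize(data):
    """Return (talkers, ports, protos): IP-layer bytes per source address,
    packets per (protocol, destination port), packets per IP protocol.
    Frames that are not IPv4 over Ethernet are skipped."""
    talkers, ports, protos = Counter(), Counter(), Counter()
    for frame in iter_frames(data):
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
            continue
        ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
        ip_total, = struct.unpack_from("!H", frame, 16)
        proto = frame[23]
        src = str(IPv4Address(frame[26:30]))
        talkers[src] += ip_total
        name = PROTO_NAMES.get(proto, str(proto))
        protos[name] += 1
        if proto in (6, 17) and len(frame) >= 14 + ihl + 4:
            dport, = struct.unpack_from("!H", frame, 14 + ihl + 2)
            ports[(name, dport)] += 1
    return talkers, ports, protos


def top(counter, n=5):
    """The n largest entries of a summary, as (key, count) pairs."""
    return counter.most_common(n)


# Constructed sample capture: one HTTPS client, one DNS client, nothing real.
SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.5", "203.0.113.10", 6, 51000, 443, 1200),
    build_frame("10.0.0.5", "203.0.113.10", 6, 51000, 443, 1200),
    build_frame("10.0.0.5", "203.0.113.10", 6, 51000, 443, 1200),
    build_frame("10.0.0.9", "10.0.0.53", 17, 40000, 53, 40),
    build_frame("10.0.0.9", "10.0.0.53", 17, 40001, 53, 40),
    build_frame("10.0.0.9", "203.0.113.10", 6, 52000, 80, 300),
])

if __name__ == "__main__":
    talkers, ports, protos = summarize(SAMPLE_PCAP)
    print("top talkers (bytes):", top(talkers))
    print("top destination ports:", top(ports))
    print("protocols:", top(protos))
```

For a directory of 50MB files, run `summarize` on each file's bytes and add the Counters together; `Counter` supports `+`, so the per-file results merge directly.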

Re: Comcast thinks it ok to install public wifi in your house

2014-12-11 Thread Harry Hoffman
Or, ya know you could just buy your own cable modem and separate AP. Cheaper 
than renting from Comcast and gives you the control :-)

Cheers,
Harry

On Dec 10, 2014 9:35 PM, Jeroen van Aart jer...@mompl.net wrote:

 Why am I not surprised? 

 Whose fault would it be if your comcast installed public wifi would be 
 abused to download illegal material or launch a botnet, to name some 
 random fun one could have on your behalf. :-/ 

 (apologies if this was posted already, couldn't find an email about it 
 on the list) 

 http://www.theregister.co.uk/2014/12/10/disgruntled_customers_lob_sueball_at_comcast_over_public_wifi/
  

 A mother and daughter are suing Comcast claiming the cable giant's 
 router in their home was offering public Wi-Fi without their permission. 

 Comcast-supplied routers broadcast an encrypted, private wireless 
 network for people at home, plus a non-encrypted network called 
 XfinityWiFi that can be used by nearby subscribers. So if you're passing 
 by a fellow user's home, you can lock onto their public Wi-Fi, log in 
 using your Comcast username and password, and use that home's bandwidth. 

 However, Toyer Grear, 39, and daughter Joycelyn Harris – who live 
 together in Alameda County, California – say they never gave Comcast 
 permission to run a public network from their home cable connection. 

 In a lawsuit [PDF] filed in the northern district of the golden state, 
 the pair accuse the ISP of breaking the Computer Fraud and Abuse Act and 
 two other laws. 

 Grear – a paralegal – and her daughter claim the Xfinity hotspot is an 
 unauthorized intrusion into their private home, places a vast burden 
 on electricity bills, opens them up to attacks by hackers, and 
 degrades their bandwidth. 

 Comcast does not, however, obtain the customer's authorization prior to 
 engaging in this use of the customer's equipment and internet service 
 for public, non-household use, the suit claims. 

 Indeed, without obtaining its customers' authorization for this 
 additional use of their equipment and resources, over which the customer 
 has no control, Comcast has externalized the costs of its national Wi-Fi 
 network onto its customers. 

 The plaintiffs are seeking monetary damages for themselves and on behalf 
 of all Comcast customers nation-wide in their class-action case – the 
 service was rolled out to 20 million customers this year. 

 -- 
 Earthquake Magnitude: 4.8 
 Date: 2014-12-10  22:10:36.800 UTC 
 Date Local: 2014-12-10 13:10:36 PST 
 Location: 120km W of Panguna, Papua New Guinea 
 Latitude: -6.265; Longitude: 154.4004 
 Depth: 35 km | e-quake.org 


Re: Low-numbered ASes being hijacked? [Re: BGP Update Report]

2014-11-30 Thread Harry Hoffman
I'm currently looking into AS3 in an attempt to figure out what's going on.

Always interested to hear what others have found out.

Cheers,
Harry

On Nov 30, 2014 8:57 AM, Simon Leinen simon.lei...@switch.ch wrote:

 cidr-report  writes: 
  BGP Update Report 
  Interval: 20-Nov-14 -to- 27-Nov-14 (7 days) 
  Observation Point: BGP Peering with AS131072 

  TOP 20 Unstable Origin AS 
  Rank ASN    Upds %  Upds/Pfx    AS-Name 
 [...] 
  11 - AS5   38861  0.6%   7.0 -- SYMBOLICS - Symbolics, 
  Inc.,US 

 Disappointing to see Symbolics (AS5) on this list.  I would expect these 
 Lisp Machines to have very stable BGP implementations, especially given 
 the leisurely release rhythm for Genera for the past few decades.  Has 
 the size of the IPv4 unicast table started triggering global GCs? 

 Seriously, all these low-numbered ASes in the report look fishy.  I 
 would have liked this to be an artifact of the reporting software (maybe 
 an issue with 4-byte ASes?), but I do see some strange paths in the BGP 
 table that make it look like (accidental or malicious) hijacking of 
 these low-numbered ASes. 

 Now the fact that these AS numbers are low makes me curious.  If I 
 wanted to hijack other folks' ASes deliberately, I would probably avoid 
 such numbers because they stand out.  Maybe these are just non-standard 
 private-use ASes that are leaked? 

 Some suspicious paths I'm seeing right now: 

   133439 5 
   197945 4 

 Hm, maybe 32-bit ASes do have something to do with this... 

 Any ideas? 
 -- 
 Simon. (Just curious) 

 [...] 
  17 - AS3   30043  0.4%    3185.0 -- MIT-GATEWAYS - 
  Massachusetts Institute of Technology,US 
 [...] 

  TOP 20 Unstable Origin AS (Updates per announced prefix) 
  Rank ASN    Upds %  Upds/Pfx    AS-Name 
 [...] 
  13 - AS5   38861  0.6%   7.0 -- SYMBOLICS - Symbolics, 
  Inc.,US 
 [...] 
  15 - AS4   21237  0.3% 871.0 -- ISI-AS - University of 
  Southern California,US 
 [...] 
  19 - AS4    5345  0.1%    1437.0 -- ISI-AS - University of 
  Southern California,US 
  20 - AS4    8784  0.1%    2303.0 -- ISI-AS - University of 
  Southern California,US 


Re: Craigslist hacked?

2014-11-24 Thread Harry Hoffman
Probably a good time to remind folks of HTTPS everywhere plugin for Chrome and 
Firefox :-)

Cheers,
Harry

On Nov 24, 2014 1:04 AM, Christopher Morrow morrowc.li...@gmail.com wrote:

 On Sun, Nov 23, 2014 at 11:51 PM, Randy Bush ra...@psg.com wrote: 
  and what tasty things did the hijacker's web site serve? 

 probably not much for very long... :( CL traffic is a bit crushy. 


Re: Heartbleed Bug Found in Cisco Routers, Juniper Gear

2014-04-12 Thread Harry Hoffman
Didn't Cisco already release a bunch of updates related to Anyconnect and 
heartbleed?

Cheers,
Harry

On Apr 12, 2014, at 6:03 PM, Lamar Owen lo...@pari.edu wrote:

 On 04/11/2014 07:16 AM, Glen Kent wrote:
 VPN, on the other hand, is a totally different world of pain for this
 issue.
 
 What about VPNs?
 
 
 
 SSL VPN's could possibly be vulnerable.
 
 




Re: Managing IOS Configuration Snippets

2014-02-27 Thread Harry Hoffman
Wow, this sounds fantastic! Have any code you can share?

Cheers,
Harry

On Feb 27, 2014 6:52 AM, Andrew Latham lath...@gmail.com wrote:

 For a large install I set up a solution that might help. I utilized a 
 Mediawiki install and its API to create, update and pull the 
 configuration on many IOS devices. A wiki page for the host name was 
 dynamically created and the configuration was placed there daily or 
 hourly. This allowed support to review the configuration and advise 
 customers quicker. Additional hacks for updating the devices via the 
 wiki were used. The goal was transparency for the support team and the 
 side effect was wiki page history showing what day and what lines 
 changed.  As mentioned the answer to your question would likely make a 
 good article. 

 On Wed, Feb 26, 2014 at 3:22 PM, Ryan Shea ryans...@google.com wrote: 
  Howdy network operator cognoscenti, 
  
  I'd love to hear your creative and workable solutions for a way to track 
  in-line the configuration revisions you have on your cisco-like devices. 
  Let me clearify/frame: 
  
  You have a set of tested/approved configurations for your routers which use 
  IOS style configuration. These configurations of course are always refined 
  and updated. You break these pieces of configuration into logical sections, 
  for example a configuration file for NTP configuration, a file for control 
  plane filter and store these in some revision control system. Put aside for 
  the moment whether this is a reasonable way to comprehend deployed 
  configurations. What methods do some of you use to know which version of a 
  configuration you have deployed to a given router for auditing and update 
  purposes? Remarks are a convenient way to do this for ACLs - but I don't 
  have similar mechanics for top level configurations. About a decade ago I 
  thought I'd be super clever and encode versioning information into the snmp 
  location - but that is just awful and there is a much better way everyone 
  is using, right? Flexible commenting on other vendors/platforms make this a 
  bit easier. 
  
  Assume that this version encoding perfectly captures what is on the router 
  and that no person is monkeying with the config... version 77 of the 
  control plane filter is the same everywhere. 



 -- 
 ~ Andrew lathama Latham lath...@gmail.com http://lathama.net ~ 



Re: Filter NTP traffic by packet size?

2014-02-26 Thread Harry Hoffman
Most of what I've seen are reset configs on network gear, standalone devices 
(printers), and the occasional win 98 box with network addons.
We put blocks in place for ntp, SNMP for a short time to get things under 
control. Chargen was so small it was easier to just alert folks directly.

HTH.

Cheers,
Harry

On Feb 26, 2014 5:33 PM, valdis.kletni...@vt.edu wrote:

 On Wed, 26 Feb 2014 11:44:55 -0600, Brandon Galbraith said: 

  Blocking chargen at the edge doesn't seem to be outside of the realm of 
  possibilities. 

 What systems are (a) still have chargen enabled and (b) common enough to make 
 it a viable DDoS vector?  Just wondering if I need to go around and find 
 users of mine that need to be smacked around with a large trout 


Re: latest Snowden docs show NSA intercepts all Google and Yahoo DC-to-DC traffic

2013-11-01 Thread Harry Hoffman
That's with a recommendation of using RC4.
Head on over to the Wikipedia page for SSL/TLS and then decide if you want rc4 
to be your preference when trying to defend against an adversary with the 
resources of a nation-state.

Cheers,
Harry

Niels Bakker niels=na...@bakker.net wrote:

* mi...@stillhq.com (Michael Still) [Fri 01 Nov 2013, 05:27 CET]:
Its about the CPU cost of the crypto. I was once told the number of 
CPUs required to do SSL on web search (which I have now forgotten) 
and it was a bigger number than you'd expect -- certainly hundreds.

False: https://www.imperialviolet.org/2010/06/25/overclocking-ssl.html

On our production frontend machines, SSL/TLS accounts for less than 
1% of the CPU load, less than 10KB of memory per connection and less 
than 2% of network overhead. Many people believe that SSL takes a lot 
of CPU time and we hope the above numbers (public for the first time) 
will help to dispel that.


   -- Niels.



Re: latest Snowden docs show NSA intercepts all Google and Yahoo DC-to-DC traffic

2013-11-01 Thread Harry Hoffman
So, I'm not sure if I'm being too simple-minded in my response. Please let me 
know if I am.
The purpose of encrypting data is so others can't read your secrets.
If you use a simple substitution cipher it's pretty easy to derive the set of 
substitution rules used.
Stronger encryption algorithms employ more difficult math. Figuring out how 
to get from the ciphertext to the plaintext becomes a, computationally, 
difficult task.
If your encryption algorithms are good *and* your source of random data is 
really random then the amount of time it takes to decrypt the data is so far 
out that it makes the data useless.

Cheers,
Harry

Mike Lyon mike.l...@gmail.com wrote:

So even if Goog or Yahoo encrypt their data between DCs, what stops
the NSA from decrypting that data? Or would it be done simply to make
their lives a bit more of a PiTA to get the data they want?

-Mike



 On Nov 1, 2013, at 19:08, Harry Hoffman hhoff...@ip-solutions.net wrote:

 That's with a recommendation of using RC4.
 Head on over to the Wikipedia page for SSL/TLS and then decide if you want 
 rc4 to be your preference when trying to defend against an adversary with the 
 resources of a nation-state.

 Cheers,
 Harry

 Niels Bakker niels=na...@bakker.net wrote:

 * mi...@stillhq.com (Michael Still) [Fri 01 Nov 2013, 05:27 CET]:
 Its about the CPU cost of the crypto. I was once told the number of
 CPUs required to do SSL on web search (which I have now forgotten)
 and it was a bigger number than you'd expect -- certainly hundreds.

 False: https://www.imperialviolet.org/2010/06/25/overclocking-ssl.html

 On our production frontend machines, SSL/TLS accounts for less than
 1% of the CPU load, less than 10KB of memory per connection and less
 than 2% of network overhead. Many people believe that SSL takes a lot
 of CPU time and we hope the above numbers (public for the first time)
 will help to dispel that.


-- Niels.



Re: semi-ot: network monitoring tools

2013-10-02 Thread Harry Hoffman
Have them check out the various services from Team Cymru:

https://www.team-cymru.org/Services/

Specifically the TC Console

Cheers,
Harry

On 10/02/2013 02:34 AM, Nikolay Shopik wrote:
 No all stats are snmp based
 
 On 02 Oct. 2013, at 9:07, Dobbins, Roland rdobb...@arbor.net wrote:


 On Oct 2, 2013, at 12:57 PM, Ryan Dooley wrote:

 Coworkers of mine introduced me to Observium:
 http://www.observium.org/wiki/Main_Page

 Does it utilize flow telemetry?  On the main page, they talk about SNMP, 
 making it sound a lot like Nagios . . .

 ---
 Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

  Luck is the residue of opportunity and design.

   -- John Milton


 



Re: iOS 7 update traffic

2013-09-19 Thread Harry Hoffman
They implemented fanboy-lust which :-)

Paul Ferguson fergdawgs...@mykolab.com wrote:


Can someone please explain to a non-Apple person what the hell happened
that started generating so much traffic? Perhaps I missed it in this
thread, but I would be curious to know what iOS 7 implemented that
caused this...

Thanks in advance,

- ferg

On 9/19/2013 10:23 AM, Nick Olsen wrote:

 We also saw a huge spike in traffic. Still pretty high today as well.
 We saw a ~60% above average hit yesterday, And we're at ~20-30% above
 average today as well.
 Being an android user, It didn't dawn on me until some of the IOS users in
 the office started jumping up and down about IOS7
 Nick Olsen
 Network Operations (855) FLSPEED  x106

 
 From: Justin M. Streiner strei...@cluebyfour.org
 Sent: Wednesday, September 18, 2013 6:19 PM
 To: NANOG nanog@nanog.org
 Subject: Re: iOS 7 update traffic

 On Wed, 18 Sep 2013, Tassos Chatzithomaoglou wrote:

 We also noticed an interesting spike (+ ~40%), mostly in akamai.
 The same happened on previous iOS too.

 I see it here, too.  At its peak, our traffic levels were roughly double
 what we would see on a normal weekday.

 jms

 Zachary McGibbon wrote on 18/9/2013 20:38:
 So iOS 7 just came out, here's the spike in our graphs going to our ISP
 here at McGill, anyone else noticing a big spike?

 [image: internet-sw1 - Traffic - Te0/7 - To Internet1-srp (IR Canet) -
 TenGigabitEthernet0/7]

 Zachary McGibbon










-- 
Paul Ferguson
Vice President, Threat Intelligence
Internet Identity, Tacoma, Washington  USA
IID -- Connect and Collaborate -- www.internetidentity.com




Re: Looking for Netflow analysis package

2013-05-17 Thread Harry Hoffman
Check out argus http://www.qosient.com/argus/

Netflow v9 support was added within the last few months.

Cheers,
Harry

On 05/17/2013 06:11 AM, Tim Vollebregt wrote:
 Is anyone using an open source solution to process netflow v9 captures?
 I'm waiting for SiLK v3 for some time now, which is currently only available 
 for TLA's and Universities.
 
 Currently looking into nfdump.
 
 Tim
 On May 17, 2013, at 12:16 AM, Scott Weeks wrote:
 

 Does anyone know of a netflow collector that will do the following. 
 snip
 

 -Original Message-
 From: Laura Smith [mailto:leavingi...@yahoo.com]
 UCE snipped out
 --

 -Meshier, Brent wrote: 
 Do not appreciate the cold call from Plixer.  Please do not use the 
 NANOG mailing list as your personal directory for sales leads.  It's a 
 sure fire way to get your company blacklisted among IT professionals.
 -


  tcan...@beatsmusic.com wrote: --
 From: Thomas Cannon tcan...@beatsmusic.com

 That wasn't in your signature's disclaimer. Perhaps now would be a good 
 time to add it?
 

 You haven't been here long have you...  

 He DOES NOT need a 260 word signature (see below!) to make sure he does 
 not get UCE from posting to NANOG.  For any other sales folks out there
 considering doing this, Brent's warning is a good one: It's a sure fire 
 way to get your company blacklisted among IT professionals.

 scott


 ps.  WTF is this?!?
 
  The material contained herein is for informational purposes only and is not 
 intended as an offer or solicitation with respect to the purchase or sale of 
 securities. The decision of whether to adopt any strategy or to engage in 
 any transaction and the decision of whether any strategy or transaction fits 
 into an appropriate portfolio structure remains the responsibility of the 
 customer and/or its advisors. Past performance on the underlying securities 
 is no guarantee of future results. This material is intended for use by 
 institutional clients only and not for use by the general public. Portions 
 of this material may incorporate information provided by third party market 
 data sources. Although this information has been obtained from and based 
 upon sources believed to be reliable, neither Amherst Holdings, LLC nor any 
 of its affiliates guarantee the accuracy or completeness of the information 
 contained herein, and cannot be held responsible for inaccuracies in such 
 third party data or the data supplied to the third party by issuers or 
 guarantors. This report constitutes Amherst's views as of the date of the 
 report and is subject to change without notice. This information does not 
 purport to be a complete analysis of any security, company or industry, 
 including but not limited to any claim as to the prepayment consistency and/or 
 the future performance of any securities or structures. To the extent 
 applicable, change in prepayment rates and/or payments may significantly affect 
 yield, price, total return and average life. Our affiliate, Amherst Securities 
 Group, L.P., may have a position in securities discussed in this material.




 
 



RE: Looking for Netflow analysis package

2013-05-14 Thread Harry Hoffman


Re: Google Public DNS Problems?

2013-05-01 Thread Harry Hoffman
Works fine from here, Philadelphia, PA .edu and FIOS networks

Cheers,
Harry

On 05/01/2013 12:09 PM, Blair Trosper wrote:
 Is anyone else seeing this?  From Santa Clara, CA, on Comcast
 Business...I'm getting SERVFAIL for any query I throw at 8.8.8.8 and
 8.8.4.4...
 
 Level 3's own public resolvers are fine for me, as are OpenDNS's resolvers.
 
 Blair
 



Re: Data Center Installations

2013-05-01 Thread Harry Hoffman
On the cheap Lowes/Home Depot are awesome, and they're everywhere.

On 05/01/2013 03:23 PM, Warren Bailey wrote:
 Do any of you have a go to resource for materials used in installations? 
 Tie wraps, cable management, blahblahblah?
 
 I have found several places, but I'm curious to know what the nanog ninja's 
 have to say.
 
 //warren
 



RE: IPv6 and HTTPS

2013-04-25 Thread Harry Hoffman


Re: So how big was it *really*?

2013-03-28 Thread Harry Hoffman
It's interesting, this just came up on gizmodo. As I said in another
forum, take it for what it's worth:

http://gizmodo.com/5992652/that-internet-war-apocalypse-is-a-lie

Cheers,
Harry

On 03/28/2013 09:23 AM, Valdis Kletnieks wrote:
 So we all have heard the breathless news reports of how the recent
 urinating contest between Spamhaus and a butthurt ISP was the biggest
 in history.
 
 Where would you guys put it, if measured as percent of total worldwide
 available Internet bandwidth/resources?  My gut feeling is that by that
 metric, it didn't even make the top 20.  Think back to the Morris worm, or
 Blaster/Nachi/etc - *nobody* had any free bandwidth when those happened. And
 even if you restrict the discussion to intentional targeted attacks, I'm sure
 we've had worse (Smurf, anybody? :)
 



Re: Open Resolver Problems

2013-03-26 Thread Harry Hoffman
https://developers.google.com/speed/public-dns/docs/security

Cheers,
Harry

On 03/26/2013 11:07 AM, valdis.kletni...@vt.edu wrote:
 On Tue, 26 Mar 2013 07:43:15 -0700, Tom Paseka said:
 On Tue, Mar 26, 2013 at 7:38 AM, Jay Ashworth j...@baylink.com wrote:
 
 Sure.  But OpenDNS, Google, and the other providers of recursive servers
 for edge cases can't do that anymore?
 
 Of cos they can. But they take the security of their open recursive servers
 very seriously.  99.9% of the open recursors don't, hence the problem.
 
 And what, *exactly* do they do different from the other 5-9's?
 
 So far, I've seen lots of people say close that shit down, but only  2
 actual URLs posted that basically both say only do recursion for IP addresses
 within your ASN. That's at least a *bit* more helpful than just telling us
 to close it down.  Unfortunately, we already know now to do that - but that
 isn't the problem that some of us are looking to solve, which is queries from
 your own users mobile devices that are currently *outside* your ASN.
 
 (And *please* make note that although the fine networking staff of AS1312
 can probably figure this out on our own once we're supplied with a big
 enough pile of square tuits and a belt sander, there's a *lot* of AS's out
 there that are going to need a tad more hand-holding...)
 



Re: Open Resolver Problems

2013-03-25 Thread Harry Hoffman
What are those who provide open resolvers, such as google, doing to
combat the problem?

It would be nice to be able to provide open resolvers as a service and
combat the various threats associated with them.


Cheers,
Harry

On 03/25/2013 10:22 AM, Jared Mauch wrote:
 All,
 
 Open resolvers pose a security threat.  I wanted to let everyone know about a 
 search tool that can help you find the ones within your organization. Treat 
 it like a big BETA stamp is across it, but please try it out and see if you 
 can close down any hosts within your network.
 
 This threat is larger than the SMURF amplification attacks in the past and 
 can result in some quite large attacks.  I've seen this spilling out into 
 other mailing lists (e.g.: juniper-nap and others).
 
 Please send feedback about links that should be included or documentation and 
 spelling errors to me.
 
 openresolverproject.org
 
 Some basic stats:
 
 27 million resolvers existed as of this dataset collection
 
 only 2.1 million of them were closed.
 
 We have a lot to do to close the hosts, please do what you can to help.
 
 Thanks,
 
 - Jared
 
 
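The check that an open-resolver survey relies on is simple: send a query with RD set and see whether the server answers with RA set and actual data, or refuses. The following is an added example, not code from openresolverproject.org or BIND; the resolver side is a constructed stand-in for an ACL-restricted recursive server, and all addresses are documentation ranges.

```python
import ipaddress
import struct

# DNS header flag bits (RFC 1035, section 4.1.1).
QR = 0x8000        # message is a response
RD = 0x0100        # recursion desired
RA = 0x0080        # recursion available
RCODE_MASK = 0x000F
REFUSED = 5

def build_query(qname, qid=0x1234):
    """Build a minimal A query with RD set, the probe an open-resolver check sends."""
    header = struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(part)]) + part.encode()
        for part in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN

def resolver_reply(query, client_ip, allowed_nets):
    """Constructed stand-in for an ACL-restricted recursive server (not BIND code):
    clients inside allowed_nets get a recursive answer, everyone else gets REFUSED."""
    qid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    client = ipaddress.ip_address(client_ip)
    allowed = [ipaddress.ip_network(net) for net in allowed_nets]
    if any(client in net for net in allowed):
        header = struct.pack("!HHHHHH", qid, QR | RD | RA, 1, 1, 0, 0)
        # One A record naming the question (pointer to offset 12), TTL 60, constructed rdata.
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
        return header + question + answer
    header = struct.pack("!HHHHHH", qid, QR | RD | REFUSED, 1, 0, 0, 0)
    return header + question

def classify_response(resp, qid=0x1234):
    """Classify a resolver's reply to the probe: 'open', 'closed' or 'invalid'."""
    if len(resp) < 12:
        return "invalid"
    rid, flags, _qdcount, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if rid != qid or not flags & QR:
        return "invalid"
    rcode = flags & RCODE_MASK
    # Recursion was really performed only if RA is set, RCODE is NOERROR and data came back.
    if flags & RA and rcode == 0 and ancount > 0:
        return "open"
    return "closed"

if __name__ == "__main__":
    probe = build_query("example.com")
    on_net = ["198.51.100.0/24"]  # constructed "inside our ASN" range
    for src in ("198.51.100.7", "203.0.113.9"):
        print(src, classify_response(resolver_reply(probe, src, on_net)))
```

The second client above is the roaming-user case from the thread: outside the ACL it is correctly refused, which is what an ASN-scoped ACL alone cannot solve.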



Re: Interesting debugging: Specific packets cause some Intel gigabit ethernet controllers to reset

2013-02-06 Thread Harry Hoffman
On a similar vein here's some fun reading:

http://travisgoodspeed.blogspot.com/2011/09/remotely-exploiting-phy-layer.html



On 02/06/2013 03:33 PM, Kristian Kielhofner wrote:
 Over the year I've read some interesting (horrifying?) tales of
 debugging on NANOG.  It seems I finally have my own to contribute:
 
 http://blog.krisk.org/2013/02/packets-of-death.html
 
 The strangest issue I've experienced, that's for sure.
 



RE: Google / Gmail SSL write errors

2012-09-12 Thread Harry Hoffman


RE: Level 3 BGP Advertisements

2012-08-29 Thread Harry Hoffman
This is what happens when old network folk don't learn about new convention or 
new network / security folk read old books.
And it happens a lot!
Although not as common as blanket blocking of ICMP.
-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.

STARNES, CURTIS curtis.star...@granburyisd.org wrote:

Sorry for the top post...

Not necessarily a Level 3 problem but;

We are announcing our /19 network as one block via BGP through ATT, not broken 
up into smaller announcements.
Earlier in the year I started receiving complaints that some of our client 
systems were having problems connecting to different web sites.
After much troubleshooting I noticed that in every instance the xlate in our 
Cisco ASA for the client's IP last octet was either a 0 or 255.
Since I am announcing our network as a /19, the subnet mask is 255.255.224.0, 
that would make our network address x.x.192.0 and the broadcast x.x.223.255.
So somewhere the /24 boundary addresses were being dropped.

Just curious if anyone else has seen this before.

-Original Message-
From: William Herrin [mailto:b...@herrin.us] 
Sent: Wednesday, August 29, 2012 3:36 PM
To: n...@flhsi.com
Cc: nanog@nanog.org
Subject: Re: Level 3 BGP Advertisements

On Wed, Aug 29, 2012 at 3:28 PM, Nick Olsen n...@flhsi.com wrote:
 In practice, We've always advertised our space all the way down to 
 /24's but also the aggregate block (the /20 or the /21). Just so there 
 was still reachability to our network in the event that someone made 
 the foolish mistake of filtering, let's say, prefixes smaller than /23...

 Anyways, I've always thought that was standard practice.

That's very poor practice. Each announcement costs *other people* the better 
part of $10k per year. Be polite with other people's money. If the /24 shares 
the exact same routing policy as the covering route, announce only the covering 
route.

For all the good it'll do you, you can break it out to /24's when and if 
someone mis-announces one of your address blocks. Competing announcements of 
the /24 still won't leave you with correct connectivity. If anything, putting 
the /24 announcement in ahead of time will delay your detection of the problem 
by causing a partial failure instead of a total one.


 I noticed that while the /24's made it out to the world. The larger 
 counterparts (2 /21's and a /20) did not. So, I start sniffing around. 
 Find that I do indeed see the prefixes in Level 3's looking glass but 
 they aren't handing it off to peers. So, naturally, I land on this 
 being some kind of prefix filtering issue and open a ticket with Level 
 3. They tell me this is standard practice. And if I want to see the 
 /20 or /21's make it out to the rest of the world, I need to stop sending the 
 /24's.

 Does this sound normal?

That's insane. Assuming you're authorized to announce that address space, Level 
3 should be propagating your announcements exactly as you make them. As only 
one of your peers, they're in no position to understand the traffic engineering 
behind your announcement choices.
If they are acting as you say, they are dead wrong to do so.

Regards,
Bill Herrin



--
William D. Herrin  her...@dirtside.com b...@herrin.us
3005 Crane Dr. .. Web: http://bill.herrin.us/; Falls 
Church, VA 22042-3004





Re: Verizon's New Repair Method: Plastic Garbage Bags

2012-08-20 Thread Harry Hoffman
What? That's totally legit. Look! There's even bubble wrap there for
cushioning! ;-)

On 08/20/2012 03:09 PM, Eric Wieling wrote:
 For a while we have had a customer with some lines which go down every time 
 it rains.   We put in the trouble ticket, a couple of days later Verizon says 
 the issue is resolved...until the next time it rains. 
 
 The customer sent us some pictures today of the pole outside their office.   
 The repair appears to be wrapping some plastic bags around something up on 
 the pole.  Here is a link to the pictures the customer sent us, in case anyone 
 is in the mood for a good scare.
 
 http://rock.nyigc.net/verizon/
 
 
 
 



Re: Real world sflow vs netflow?

2012-07-13 Thread Harry Hoffman
Hi David,

I'm not sure that sflow is going to get you the granularity that you
are looking for. It's usually better to start more granular and then
aggregate into larger flows when you graph or reference for historic values.

Have you looked at other options, such as argus [1] to collect flow data
outside of the networking gear?

This way the networking gear can do its primary job and flow
collection can happen elsewhere.

There's a whole argus community that discusses the information security
topics you're interested in and Carter, the guy who wrote all (?) of the
code is very responsive. Argus can also take in NetFlow flows from your
routers too.

There are obviously other tools available, that may work as well or
better, but argus is one I've been using with great success in a fairly
heavily trafficked environment.

Cheers,
Harry

[1] http://www.qosient.com/argus/



On 07/13/2012 01:30 PM, David Hubbard wrote:
 Can anyone on or off list give me some real world
 thoughts on sflow vs netflow for border
 routers? (multi-homed, BGP, straight v4 & v6 only
 for web hosting, no mpls, vpns, vlans, etc.)
 
 Finding it hard to decipher the vendor version
 of the answer to that question.  We use
 netflow v9 currently but are considering hardware
 that would be sflow.  We don't use it for
 billing purposes, mostly for spotting malicious
 remote hosts doing things like scans, spotting
 traffic such as weird ports in use in either 
 direction that warrant further investigation,
 watching for ddos/dos destinations to act on
 mitigation, or investigating the nature of unusual
 levels of traffic on switch ports that set off
 alarms.  I'm concerned things like port scans,
 etc. won't be picked up by the NMS if fed by
 sflow due to the sampling nature, or similar
 concern if 500 ssh connections by the same remote
 host are sampled as 1 connection, etc.  Of course
 these concerns were put in my head by someone
 interested in me continuing to use equipment that
 happens to output netflow data, hence me wanting some
 real people answers. :-)
 
 Thanks!
 
 
 




Re: U.S. spy agencies ... email for cybersecurity

2012-07-10 Thread Harry Hoffman
The government is already doing this via the ISACs.

http://www.ren-isac.net/docs/charter.html

Cheers,
Harry

On 07/10/2012 11:13 AM, Suresh Ramasubramanian wrote:
 On Tue, Jul 10, 2012 at 8:33 PM,  valdis.kletni...@vt.edu wrote:

 Back in the dark ages at the beginning of this millennium (L1on worm,
 anybody?), the guys at SANS created this thing called DShield.

 https://isc.sans.edu/about.html#history
 
 Sure.  But if what Gen.Alexander says comes off - this looks like a
 US-CERT or other clearinghouse to handle sensitive data of all sorts
 (critical infrastructure attacks, sensitive data leaks / breaches etc)
 
 I can see where DShield - and various other players in similar, but
 heavily silo'd spaces - might coordinate with a neutral centralized
 clearinghouse.
 




Re: Collecting flows at an IXP

2012-06-26 Thread Harry Hoffman

Hi Graham,

Have you had a look at Argus? http://www.qosient.com/argus/

It works well for us and they have a very active support community to boot!

Cheers,
Harry

On 06/26/2012 01:45 AM, Graham Beneke wrote:

Hi All

I'm busy doing some digging to find a solution for collecting layer-2
flows data on a medium sized IXP. All we have at the moment is some MRTG
graphs and we're trying to get a better view into IPv4 vs IPv6, src and
dst MACs, packet sizes and also perhaps port & protocol trends.

I found Richard A. Steenbergen's NANOG 39 presentation and not much
since then.

Is it still correct that Cisco does not support sFlow?

Are you able to get the same kind of useful data using Netflow v9?

Which FOSS flow collectors do a decent/adequate job at crunching about
10Gbps worth of flows and presenting it in a useful way?

Thanks





Re: Penetration Test Assistance

2012-06-05 Thread Harry Hoffman

There are lots of reasons why a pentester would want a network diagram.

The foremost being a point to which they can say, these are the networks 
that I was given as a point of reference to pentest.


This is often a CYA policy for when people start complaining about the 
scanning that is going to occur and potentially break their systems.


Cheers,
Harry

On 06/05/2012 02:34 PM, Darden, Patrick S. wrote:


I'm with Barry--a network diagram showing everything from the pov of the pen 
team should be part of the end report.

--p

-Original Message-
From: Barry Greene [mailto:bgre...@senki.org]

Hi Tim,

A _good_ pen test team would not need a network diagram. Their first round of 
penetration test would have them build their own network diagram from their 
analysis of your network.

Barry






RE: Switch designed for mirroring tap ports

2012-03-01 Thread Harry Hoffman


Re: Switch designed for mirroring tap ports

2012-03-01 Thread Harry Hoffman
Gigamon has a new product offering that claims to do this (their sales 
guys just met with me a few days ago and gave me an update on their 
latest offerings).


It's the G-Secure-something or other.

We're using the 2404's so I don't have any experience with it.

Cheers,
Harry

On 03/01/2012 10:22 AM, Jeff Kell wrote:

How about splitting up a heavy stream (10G) into components (1G) to run through 
an inline device and reassemble the pieces back to an aggregate afterward?

TippingPoint makes a core controller box for this but it's pretty hideously 
expensive.

Could do it with two 6500s but that's pretty hideously expensive as well :)

Jeff






Re: US DOJ victim letter

2012-01-27 Thread Harry Hoffman
We get these letters all of the time. They are indeed legit but pretty much 
worthless.
About as good as some of our DMCA letters.


 Original Message 
 From: Jon Lewis jle...@lewis.org
 Sent: Fri, Jan 27, 2012 3:23 PM
 To: Bryan Horstmann-Allen b...@mirrorshades.net
 CC: nanog@nanog.org
 Subject: Re: US DOJ victim letter

On Fri, 27 Jan 2012, Bryan Horstmann-Allen wrote:

 +--
 | On 2012-01-27 18:12:16, Carlos Alcantar wrote:
 |
 | Today it looks like we have received the letter from the DOJ which gives
 | us login information, for listing of ip's within our network that were
 | affected with date and time stamps.  Anyone else get these yet?

 I have. The login doesn't work (for me). htauth pops up on fbi.gov, creds 
 don't auth.

Ours didn't work initially either.  Eventually it did.

 Bit odd, if it's a phish. Even more odd if it's actually from the Fed.

It's definitely real, but seems like they're handling it as incompetently 
as possible.  We got numerous copies to the same email address, the logins 
didn't work initially.  The phone numbers given are of questionable 
utility.  Virtually no useful information was provided.  My attitude at 
this point is, ignore it until they provide some useful information.

--
  Jon Lewis, MCP :)   |  I route
  Senior Network Engineer |  therefore you are
  Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_




Re: events

2011-09-30 Thread Harry Hoffman
It's a bit old but still works well. Russel Fulton and I worked on this 
when I was down in NZ.


You still need to run syslog-ng but this allows you to ignore, warn, 
alert on logs via regex.



http://www.ip-solutions.net/syslog-ng/


Cheers,
Harry



On 09/30/2011 09:50 AM, harbor235 wrote:

What is everyone using to collect, alert, and analyze syslog data?
I am looking for something that can generate reports as well as support
multiple vendors. We have done some home grown stuff in the past but
would be interested in something that incorporates all the best features.

Solarwinds, splunk, fwanalog, and others come to mind, any other good ones
out there?


Mike





Re: What do you do when your Home ISP is down?

2011-08-18 Thread Harry Hoffman
it's just you... most of us can use context to know what the person
actually meant ;-)

On 08/18/2011 02:05 PM, Jay Nakamura wrote:
 Is it just me that has a hard time reading a paragraph when there
 and their are misused?



Re: Home computer rooms

2011-08-12 Thread Harry Hoffman


RE: IPv6 day fun is beginning!

2011-06-08 Thread Harry Hoffman
I have the same setup as you, except a Linux box that does the firewalling.
The actiontec is pretty bad-ass, hardware-wise, and latest firmware versions
give you a bit more freedom.

Eth0 is the public addr and eth1 is the private addr. On Eth1 I've got an
address from the routed /48 and then everything behind eth1 also gets addrs
in that /48.
(Maybe a firmware update is available for the Linksys? Or open/dd wrt).

One thing to note, if you're not doing ipv6 filtering at the router. TCP/135
is open by default on a Windows 7 laptop here so if you're not filtering at
the laptop then you're potentially allowing the world to access that port.

Cheers,
Harry

-Original Message-
From: Jamie Bowden [mailto:ja...@photon.com] 
Sent: Wednesday, June 08, 2011 7:40 AM
To: NANOG list
Subject: RE: IPv6 day fun is beginning!

Thanks to HE's tunnel broker service, I've got fully functional dual
stack at home (well, mostly, like most folks, VZ gives me a single
address and I live behind that with NATv4, but otherwise, I loves me
some FiOS) and yesterday went by for me without a hitch, including
accessing Facebook (I'd hear from the wife and kid really quickly if
they weren't working).  For a working tunnel, I put my DIR-825 as the
DMZ host behind the cheesy Actiontec router VZ requires, forward all
traffic with zero firewalling to it, and let the D-Link appliance handle
all my firewall needs (and it terminates my v6 tunnel obviously).  The
one thing I haven't quite figured out how to make it do (and maybe it's
just not capable) is use the /48 HE routes to me.  The box insists that
the internal interface be on the same subnet as the external, and it
hands out v6 addresses from that /64.

Jamie

-Original Message-
From: Jared Mauch [mailto:ja...@puck.nether.net] 
Sent: Tuesday, June 07, 2011 7:15 PM
To: Iljitsch van Beijnum
Cc: NANOG list
Subject: Re: IPv6 day fun is beginning!


On Jun 7, 2011, at 7:13 PM, Iljitsch van Beijnum wrote:

 www.facebook.com has  but doesn't load for me over IPv6, it does
for others though

If you go to www.v6.facebook.com it works, but it seems they have some
problem on their main site.  I am seeing some issues reaching them over
IPv6.

- Jared








Re: Netflow Tool

2010-09-17 Thread Harry Hoffman
argus, www.qosient.com/argus


On Fri, 2010-09-17 at 14:49 -0400, Mike Gatti wrote:
 Anyone out there using a good netflow collector that has the capability 
 to export data to CSV?
 Open Source would be best, but any suggestions are welcome. 
 
 Thanks, 
 =+=+=+=+=+=+=+=+=+=+=+=+=
 Michael Gatti  
 cell.703.347.4412
 ekim.it...@gmail.com
 =+=+=+=+=+=+=+=+=+=+=+=+=
 
 
 
 
 





Re: Google wants your Internet to be faster

2010-08-10 Thread Harry Hoffman
Heh, well it seems like one of the PIRGs is joining the fray, at least
in PA:

http://www.pennpirg.org/action/google?id4=es


On Mon, 2010-08-09 at 15:46 -0400, valdis.kletni...@vt.edu wrote:
 On Mon, 09 Aug 2010 15:29:46 EDT, Joly MacFie said:
  Nor ensure 'lawful' content
 
 Do you *really* want to go there?





Re: Tcpdump data collection

2008-12-02 Thread Harry Hoffman
Check out argus http://www.qosient.com/argus/

It can do exactly what you want.

Cheers,
Harry


On Tue, 2008-12-02 at 17:19 -0800, Subba Rao wrote:
 Hello,
 
 I want to collect data on a network and map the data flow and system/port 
 traffic. There are 2 scenarios of data collection here.  The first is to 
 collect IP traffic only.  In this method I do not want the data portion of 
 the IP packet (need IP address, source/destination ports etc).
 
 The second is to collect traffic that will show all the routing protocols 
 (non-IP) used on this network.  Today while collecting the data, I saw 
 several HSRP packets.  I don't know what portion of the packet is sufficient 
 to capture for this purpose.
 
 I used the -s 0 option on tcpdump which captures the whole packet.  That is 
 making the dump file large.  Any help with the filters is appreciated to 
 capture the non-data portion of the packets.
 
 Thank you in advance.
 
 Subba Rao