Re: Incoming SSDP UDP 1900 filtering

2019-03-25 Thread Jason Hellenthal via NANOG
Actually a little surprised to see port 25 blocked in both directions here 
along with 1080. It’s like saying here’s your network but it’s limited.

Though I wouldn’t recommend spawning up 25 it’s still a legitimately used port 
today as alike with 1080.

-- 
 J. Hellenthal

The fact that there's a highway to Hell but only a stairway to Heaven says a 
lot about anticipated traffic volume.

> On Mar 25, 2019, at 07:13, Ca By  wrote:
> 
> Blocked ssdp and move on 
> 
> Ssdp is a horrible ddos vector
> 
> Comcast and many others already block it, because it is the smart and best thing 
> to do
> 
> https://www.xfinity.com/support/articles/list-of-blocked-ports
> 
> 
>> On Mon, Mar 25, 2019 at 1:30 AM marcel.duregards--- via NANOG 
>>  wrote:
>> Dear Community,
>> 
>> We see more and more SSDP 'scan' in our network (coming from outside
>> into our AS). Of course our clients have open vulnerable boxes (last one
>> is an enterprise class Synology with all default ports open:-)) which
>> could be used as a reflection SSDP client.
>> 
>> As SSDP is used with PnP for local LAN service discovery, we are
>> thinking of:
>> 
>> 1) educate our client (take a lot of time)
>> 2) filter incoming SSDP packets (UDP port 1900 at least) in our bgp border
>> 
>> We see option 2 as a good action to remove our autonomous system from
>> potential sources of DDOS SSDP source toward the Internet.
>> Of course this might (very few chance) open others problems with clients
>> which use this port as an obfuscation port, but anyhow it would not be a
>> good idea as it is a registered IANA port.
>> We could think of filtering also incoming port 5000 (UPnP), but it is
>> the default port that Synology decide to use (WHY so many trojan use
>> this) for the DSM login into the UI.
>> 
>> What do you think ?
>> 
>> Thank, best regards,
>> 
>> --
>> Marcel
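
One way to measure the exposure described in the message above before deciding on a border filter, as an added example that is not part of the original thread: it aggregates flow records per customer host to find hosts that answer UDP 1900 from outside the AS. The prefix, the flow column layout and the sample records are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: stand-in for the operator's own address space (RFC 5737 range).
OUR_PREFIXES = [ip_network("192.0.2.0/24")]
SSDP_PORT = 1900

# Constructed flow export, not real traffic.
# Columns: src, sport, dst, dport, proto, bytes
SAMPLE_FLOWS = """\
198.51.100.7,40112,192.0.2.10,1900,udp,125
192.0.2.10,1900,198.51.100.7,40112,udp,3150
198.51.100.7,40113,192.0.2.20,1900,udp,125
203.0.113.9,53211,192.0.2.10,1900,udp,125
192.0.2.10,1900,203.0.113.9,53211,udp,2980
192.0.2.30,51000,203.0.113.50,443,tcp,900
192.0.2.40,1900,192.0.2.41,50000,udp,400
"""


def is_ours(addr):
    """True if addr falls inside one of our prefixes."""
    ip = ip_address(addr)
    return any(ip in net for net in OUR_PREFIXES)


def ssdp_exposure(flow_csv):
    """Return (reflectors, probed_only).

    reflectors: customer hosts that sent traffic from udp/1900 to outside
    addresses, with byte totals and the reply/probe byte ratio.
    probed_only: customer hosts that received udp/1900 from outside but
    were never seen answering.

    Totals are kept per host rather than per flow pair, because a reflected
    reply goes to the (possibly spoofed) source of the probe and need not
    match the path the probe arrived on.
    """
    probe_bytes = defaultdict(int)  # inbound to our host, dport 1900
    reply_bytes = defaultdict(int)  # outbound from our host, sport 1900
    for row in csv.reader(io.StringIO(flow_csv)):
        if len(row) != 6:
            continue  # skip blank or malformed records
        src, sport, dst, dport, proto, nbytes = (f.strip() for f in row)
        if proto.lower() != "udp":
            continue
        if not is_ours(src) and is_ours(dst) and int(dport) == SSDP_PORT:
            probe_bytes[dst] += int(nbytes)
        elif is_ours(src) and not is_ours(dst) and int(sport) == SSDP_PORT:
            reply_bytes[src] += int(nbytes)
        # LAN-local SSDP (both ends ours) is normal discovery and is ignored.

    reflectors = {}
    for host, sent in reply_bytes.items():
        received = probe_bytes.get(host, 0)
        reflectors[host] = {
            "probe_bytes": received,
            "reply_bytes": sent,
            "amplification": round(sent / received, 1) if received else None,
        }
    probed_only = sorted(set(probe_bytes) - set(reply_bytes))
    return reflectors, probed_only


if __name__ == "__main__":
    found, silent = ssdp_exposure(SAMPLE_FLOWS)
    for host, stats in found.items():
        print(f"{host} answers SSDP from outside: {stats}")
    print("probed but silent:", ", ".join(silent) or "none")
```

Hosts in the first result are the ones an inbound UDP 1900 filter would take out of the reflector pool; the second list shows how much of the scanning hits nothing.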


Re: sending again in case Zoom didn't email it correctly

2019-03-15 Thread Jason Hellenthal via NANOG
Anyone want to have a large off topic zoom meeting ? :-) consisting of IDK and 
willing to weigh in

-- 
 J. Hellenthal

The fact that there's a highway to Hell but only a stairway to Heaven says a 
lot about anticipated traffic volume.

> On Mar 15, 2019, at 14:40, Valdis Klētnieks  wrote:
> 
> On Fri, 15 Mar 2019 13:56:35 -0500, Casey Russell said:
> 
>> SIP failover call.
> 
> It's 2019. Surely we have better ways to have SIP fail over than manually
> sending an e-mail alert redirecting the person to a phone number?
> 


Re: GPS week number rollover event on April 6th

2019-03-08 Thread Jason Hellenthal via NANOG
Thanks!

-- 
 J. Hellenthal

The fact that there's a highway to Hell but only a stairway to Heaven says a 
lot about anticipated traffic volume.

> On Mar 7, 2019, at 17:02, Gerry Boudreaux  wrote:
> 
> For those who have GPS based NTP servers.
> 
> https://ics-cert.us-cert.gov/sites/default/files/documents/Memorandum_on_GPS_2019.pdf
> 
> G
> 


Re: A Zero Spam Mail System [Feedback Request]

2019-02-18 Thread Jason Hellenthal via NANOG
http://4.bp.blogspot.com/-nRlbTO3RH1s/Uo-X_PX6WBI/JLU/mirPbTYFa6U/s1600/unnamed.jpg

-- 
 J. Hellenthal

The fact that there's a highway to Hell but only a stairway to Heaven says a 
lot about anticipated traffic volume.

> On Feb 18, 2019, at 16:57, Tom Beecher  wrote:
> 
> Every single person on this list has either sent an email they later regret , 
> or will do so eventually. 
> 
> Full credit to you for acknowledging and owning this. 
> 
> Best of luck to you. 
> 
>> On Mon, Feb 18, 2019 at 09:08 Viruthagiri Thirumavalavan  
>> wrote:
>> @Everyone
>> 
>> I'm not gonna justify my behaviour. Yes my post was rude. I made a mistake. 
>> I was way over in my head. When I typed the original message I was obsessed 
>> with the man John Levine. He was responsible for the attacks on me in 4 
>> mailing lists. DMARC, DKIM, IETF and this one (the old thread).  
>> 
>> I didn't want to face the same thing again. So I was rude. I'm not gonna 
>> make him responsible for this thread. This one is my mistake. I could have 
>> been more professional in my original post.  But I screwed up.
>> 
>> My apologies to everyone here for making you witness my rant. I'm leaving 
>> this mailing list too. But if anyone complete my white paper in the future, 
>> I would love to hear your feedback. I won't be receiving any mails from 
>> nanog. So contact me off-list in that case.
>> 
>> Thanks for the guys who helped in my other threads.
>> 
>> Good luck to you all. 


Re: Quick Script to check the uptime of ASR920's

2019-01-25 Thread Jason Hellenthal via NANOG
Good stuff! Thanks for sharing this will come in handy.

Quick note for those running  it would be a little more portable 
by changing the shebang line to #!/bin/sh as bash on a lot of systems does not 
exist in /bin



-- 
 J. Hellenthal

The fact that there's a highway to Hell but only a stairway to Heaven says a 
lot about anticipated traffic volume.

> On Jan 25, 2019, at 18:44, Erik Sundberg  wrote:
> 
> It was a script I created in regards to this thread below... Interface 
> counters and some other things stop working after a Cisco ASR920 is up 889 
> days Fun Fun
> 
> https://puck.nether.net/pipermail/cisco-nsp/2019-January/106558.html
> 
> 
> -Original Message-
> From: Mel Beckman 
> Sent: Friday, January 25, 2019 6:39 PM
> To: Erik Sundberg 
> Cc: nanog@nanog.org
> Subject: Re: Quick Script to check the uptime of ASR920's
> 
> Erik,
> 
> That’s a nice little script. Thanks!
> 
> So you want a warning if a router hasn’t been rebooted in a long time?  Just 
> out of curiosity, why? I’m kind of glad that my routers don’t reboot, pretty 
> much ever. Usually I want to know if the uptime suddenly became less than the 
> most recent uptime, indicating a possibly unplanned reboot.
> 
> -mel
> 
>> On Jan 25, 2019, at 4:29 PM, Erik Sundberg  wrote:
>> 
>> All,
>> 
>> I just created a quick script to check the uptime of a ASR920 via SNMP
>> if you have a fairly long list of devices. It's a simple bash script
>> and snmpwalk version 2c. Figured I would share it with you. Happy
>> Friday
>> 
>> Grab the code from GitHub:
>> https://github.com/esundberg/CiscoRouterUptime
>> It's a quick and dirty script and my first repo on github. Let me know if 
>> there any issues with it.
>> 
>> 
>> Output Format in CSV
>> DeviceName, IP, Uptime in Days, OK/Warning
>> 
>> I set my warning to 800 Days, you can change this in the code
>> 
>> 
>> ASR920list.txt
>> -
>> ASR920-1.SEA1, 192.168.28.1, SuperSecretSNMPKey
>> ASR920-2.SEA1, 192.168.28.2, SuperSecretSNMPKey
>> snip you get the idea
>> 
>> 
>> Output
>> 
>> [user@Linux]$ ./CiscoRouterUptime.sh ASR920list.txt
>> ASR920-1.SEA1, 192.168.28.1, 827, WARNING
>> ASR920-2.SEA1, 192.168.28.2, 827, WARNING
>> ASR920-2.ATL1, 192.168.23.2, 828, WARNING
>> ASR920-1.ATL1, 192.168.23.1, 813, WARNING
>> ASR920-1.CHI1, 192.168.21.3, 828, WARNING
>> ASR920-1.NYC1, 192.168.25.1, 787, OK
>> ASR920-2.CHI1, 192.168.21.4, 720, OK
>> ASR920-3.CHI1, 192.168.21.5, 720, OK
>> ASR920-1.DAL1, 192.168.26.3, 488, OK
>> ASR920-4.CHI1, 192.168.21.6, 142, OK
>> 
>> 
>> 
>> 
>> 
>> CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files 
>> or previous e-mail messages attached to it may contain confidential 
>> information that is legally privileged. If you are not the intended 
>> recipient, or a person responsible for delivering it to the intended 
>> recipient, you are hereby notified that any disclosure, copying, 
>> distribution or use of any of the information contained in or attached to 
>> this transmission is STRICTLY PROHIBITED. If you have received this 
>> transmission in error please notify the sender immediately by replying to 
>> this e-mail. You must destroy the original transmission and its attachments 
>> without reading or saving in any manner. Thank you.
> 
> 
> 
> 


Re: (Netflix/GlobalConnect a/s) Scheduled Open Connect Appliance upgrade is starting

2019-01-13 Thread Jason Hellenthal via NANOG
HTML gets converted to text here without images unless I want them the 
power of knowledge and ingenuity goes a long way.

-- 
 J. Hellenthal

The fact that there's a highway to Hell but only a stairway to Heaven says a 
lot about anticipated traffic volume.

> On Jan 13, 2019, at 20:01, Seth Mattinen  wrote:
> 
>> On 1/13/19 2:49 PM, Bryce Wilson wrote:
>> Not to name any names, but there are a few people on this list that for 
>> whatever reason use different fonts or sizes. I like having all of my text 
>> the same size because I can then use the features built into my email client 
>> to change the size as I need for my eyes and the screen I am using. I am 
>> also able to change the font when the email does not already specify one. 
>> More importantly, what is the need to use a different font in your emails? 
>> One of the people that I converse with outside of this list uses a cursive 
>> font which is also in a different color. It’s very hard to read and I see no 
>> need for it at all.
> 
> 
> That's the primary reason I am plain text only: people that think they're 
> being whimsical by picking fonts and colors that are hard to read.


Re: plaintext email?

2019-01-13 Thread Jason Hellenthal via NANOG
Haha nice troll

-- 
 J. Hellenthal

The fact that there's a highway to Hell but only a stairway to Heaven says a 
lot about anticipated traffic volume.

> On Jan 13, 2019, at 14:01, Christoffer Hansen  
> wrote:
> 
> 
> 
>> On 13/01/2019 20:57, Brian Kantor wrote:
>> Are you trying to start another flame war?
> 
> I certainly hope to avoid this discussion currently!
> 
> (back to 1) @NETFLIX: Anybody willing to listen to previous stated
> comment and take action on it?
> 
>- Christoffer
> 


Re: yet another round of SMTP Over TLS on Port 26 - Implicit TLS Proposal [Feedback Request]

2019-01-12 Thread Jason Hellenthal via NANOG
No problem. We all come across this here and there. We all fail 100 times or 
more but perception will always be key in how we obtain a final objective that 
benefits everyone. 

Thomas Edison failed thousands of times but of all those times his success only 
came from the knowledge of those so many failures.



-- 
 J. Hellenthal

The fact that there's a highway to Hell but only a stairway to Heaven says a 
lot about anticipated traffic volume.

> On Jan 12, 2019, at 18:13, Viruthagiri Thirumavalavan  wrote:
> 
> Jason, Your comment is one of the best I have seen in this thread. 
> 
> Thanks for the input and being neutral. 


Re: yet another round of SMTP Over TLS on Port 26 - Implicit TLS Proposal [Feedback Request]

2019-01-12 Thread Jason Hellenthal via NANOG
Honestly, you feel very highly of your work in which any of us do in this field 
but John has a very good point and constructive criticism should not be the 
down fall of anyone. Read it 100 times without taking any thought of your own 
work and try to see the whole picture.

Not agreeing with John or you but it is very straight forward and industry 
leading. It’s polite. I would feel the proper response from you would be to 
acknowledge the feedback and ask for some correction and guidance as John has 
had a lot of involvement here as so many others. 

He is not saying what you are doing is bad or such but more of guidance in a 
more proper direction so delusions are not set in the future.

The whole picture of any outcome is not only had by just one person trying to 
make a difference but by the whole for a greater good for which makes sense for 
the current architectures and policies that are in place.

I salute both you and John plus the community at which contribute highly 
valuable aspects to evolving “our” best practices and judgements.

Whether it’s positive or negative or proof of concept, it is how we get to 
where we “think” we should be.

Criticism is how we get there regardless.

Let’s cut out the other non-sense and discontinue this thread and work 
positively instead of against one-another. 

-- 
 J. Hellenthal

The fact that there's a highway to Hell but only a stairway to Heaven says a 
lot about anticipated traffic volume.

> On Jan 12, 2019, at 17:26, Cummings, Chris  wrote:
> 
> Can we please have a mod step in and shut this thread down? Any conversation 
> of value is long gone. 
> 
> /Chris
> 
> 
> 
> On Sat, Jan 12, 2019 at 5:25 PM -0600, "Viruthagiri Thirumavalavan" 
>  wrote:
> 
>> I don't know why you are all try to defend a man who try to silence my work.
>> 
>> Are you saying this thread is necessary?
>> 
>>> On Sun, Jan 13, 2019 at 4:46 AM Töma Gavrichenkov  wrote:
>>> On Sun, Jan 13, 2019 at 12:51 AM Viruthagiri Thirumavalavan
>>>  wrote:
>>> > 5 months back I posted my spam research on DMARC list.
>>> > You have gone through only 50 words and judged my work.
>>> > The whole thread gone haywire because of you. I was
>>> > humiliated there and left.
>>> 
>>> By the way, since that you've left no traces of whatever piece of work
>>> you've posted to that list. The website is empty, slides are removed
>>> from Speakerdeck, etc.
>>> 
>>> In theory, I can easily recall a few cases in my life when going
>>> through just 50 words was quite enough for a judgment.
>>> 
>>> > To be very honest, I don't like you.
>>> 
>>> Please keep our busy mailing list out of this information, though for
>>> me it's a valuable piece of data that someone I don't know personally
>>> doesn't like someone else.
>>> 
>>> > Although I don't like you, I still managed to respond politely in
>>> > IETF lists. Again... In that list the only thing you did was
>>> > attacking my work.
>>> 
>>> So, I've read the whole thread, and, as far as I can see, there was
>>> nothing coming from John except for a balanced judgement.
>>> 
>>> > And then please tell me this man is not biased at all.
>>> 
>>> Sorry, he's not.
>>> 
>>> --
>>> Töma
>> 
>> 
>> -- 
>> Best Regards,
>> 
>> Viruthagiri Thirumavalavan
>> Dombox, Inc.


Re: GTT Regulatory Recovery Surcharge

2018-12-03 Thread Jason Hellenthal
Down on the farm

-- 
 J. Hellenthal

The fact that there's a highway to Hell but only a stairway to Heaven says a 
lot about anticipated traffic volume.

> On Dec 2, 2018, at 20:17, bob evans  wrote:
> 
> I think it's because they need to...not for any legal reason, but to
> increase cash flow by every penny possible. As they just spend 2.3 billion
> dollars on an acquisition. Every penny they can add to a bill is an
> attempt to slow the bleeding that resulting from over borrowing.
> 
> 3600 employees, huge major acquisitions half a billion here - 2 billion
> there, where is this money coming from? Buying sales organizations with no
> network?
> 
> One has to ask is this a secretly government funded/owned business? If so,
> which government? Ours?
> 
> Bob Evans
> CTO/Founder
> 
>>> On Dec 2, 2018, at 6:04 PM, Clayton Zekelman  wrote:
>>> 
>>> I can't imagine how the corporate sociopaths could justify charging an
>>> American recovery fee on a service delivered in Canada.
>> 
>> I would speculate that the reason is ever popular ‘because they can”.
>> 
>> James R. Cutler
>> james.cut...@consultant.com
>> PGP keys at http://pgp.mit.edu
> 
> 


Re: Hulu / ESPN: Commercial IP Address

2018-10-14 Thread Jason Hellenthal
Exactly ... blocked or rate limited from a /20 or /18 but it’s pretty hard to 
diff from same customer that is also watching from a full routed VPN’d service 
for privacy which I find quite often being implemented in services like 
AdBlock, AdGuard and the like which becomes a point of confusion for the svc 
providers. It’s not necessarily sharing when you find the user in the US also 
logging in from Italy or France for example.

-- 

The fact that there's a highway to Hell but only a stairway to Heaven says a 
lot about anticipated traffic volume.

> On Oct 13, 2018, at 15:06, Tyler Harden  wrote:
> 
> This happens a lot with people who share their Hulu with friends. Your IP can 
> get tagged as commercial for abuse of their service, especially if using 
> their TV service. 
> 
>> On Oct 13, 2018, at 14:39, Daniel Corbe  wrote:
>> 
>> I had a customer with a similar issue.   I statically assigned them a 
>> different IP and it didn’t resolve it.   The problem turned out to be tied 
>> to their Hulu account.
>> 
>> The customer is going to need to keep pressing the issue with Hulu’s 
>> technical support group.   Make sure they’re not using a VPN to connect to 
>> the Internet and have them keep calling Hulu back until they get someone 
>> clueful on the phone.
>> 
>> In my customer’s case, they eventually had to “re-home” them to resolve it.  
>> I have no idea what that entails.
>> 
>> -Daniel
>> 
>> at 12:35 PM, Jason Canady  wrote:
>> 
>>> Hello,
>>> 
>>> I have a customer that is using Hulu Live to stream ESPN, however it isn't 
>>> showing up in their Channel list.  They reached out to Hulu and it's 
>>> because their IP address is 'commercial'.  We have many customers using 
>>> Hulu without problems, but it seems specific to ESPN.  Anyone else have 
>>> this issue?  Do you reach out to ESPN or Hulu?
>>> 
>>> If anyone has any information, please share it.  Appreciate your help in 
>>> advance!
>>> 
>>> Best Regards,
>>> 
>>> Jason Canady
>>> Unlimited Net, LLC
>>> Responsive, Reliable, Secure
>> 
>> 


Re: bloomberg on supermicro: sky is falling

2018-10-04 Thread Jason Hellenthal
You are what you allow

-- 

The fact that there's a highway to Hell but only a stairway to Heaven says a 
lot about anticipated traffic volume.

> On Oct 4, 2018, at 17:07, Naslund, Steve  wrote:
> 
> It would be really noticeable.  In the secure networks I have worked with 
> "default routes" were actually strictly forbidden.  Also, ACLs and firewall 
> policy is all written with Deny All policy first.  Everything talking through 
> them is explicitly allowed.
> 
> The government especially in the three letter intel agencies is not a 
> clownish as they are depicted.
> 
> Steven Naslund
> Chicago IL
> 
>> Which makes the traffic that wanders towards the default route where
>> nothing should go *very* noticeable.
>> 
>> Regards,
>> Bill Herrin
> 


Re: Application or Software to detect or Block unmanaged switches

2018-06-07 Thread Jason Hellenthal
As someone already stated the obvious answers, the slightly more difficult 
route to be getting a count of allowed devices and MAC addresses, then moving 
forward with something like ansible to poll the count of MAC’s on any given 
port ... if the number is higher than what’s allowed, suspend the port and send a 
notification to the appropriate parties.


All in all though sounds like a really brash thing to do to your network team 
and will generally know and have a very good reason for doing so... but not all 
situations are created equally so good luck.


-- 

The fact that there's a highway to Hell but only a stairway to Heaven says a 
lot about anticipated traffic volume.

> On Jun 7, 2018, at 03:57, segs  wrote:
> 
> Hello All,
> 
> Please I have a very interesting scenario that I am on the lookout for a
> solution for, We have instances where the network team of my company bypass
> controls and processes when adding new switches to the network.
> 
> The right parameters that are required to be configured on the switches
> in order for the NAC solution deployed to have full visibility into end
> points that connects to such switches are not usually configured.
> 
> This poses a problem for the security team as they don't have visibility
> into such devices that connect to such switches on the NAC solution, the
> network guys usually connect the new switches to the trunk port and they
> have access to all VLANs.
> 
> Is there a solution that can detect new or unmanaged switches on the
> network, and block such devices or if there is a solution that block users
> that connect to unmanaged switches on the network even if those users have
> domain PCs.
> 
> Anticipating your speedy response.
> 
> Thank You!
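
The per-port MAC counting suggested in the reply at the top of this message, as an added example that is not part of the original thread: it covers only the counting and decision step, not the polling or the port suspension. The table text is a constructed sample modelled on an IOS-style `show mac address-table` layout, and the policy values and port names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on an IOS-style "show mac address-table" layout.
SAMPLE_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.cccc    STATIC      CPU
  10    0011.2233.4401    DYNAMIC     Gi1/0/1
  20    0011.2233.4401    DYNAMIC     Gi1/0/1
  10    0011.2233.4402    DYNAMIC     Gi1/0/1
  10    0011.2233.4410    DYNAMIC     Gi1/0/2
  10    0011.2233.4411    DYNAMIC     Gi1/0/2
  10    0011.2233.4412    DYNAMIC     Gi1/0/2
  20    0011.2233.4413    DYNAMIC     Gi1/0/2
  20    0011.2233.4414    DYNAMIC     Gi1/0/2
  10    0011.2233.4420    DYNAMIC     Gi1/0/3
  10    0011.2233.4421    DYNAMIC     Gi1/0/3
  10    0011.2233.4430    DYNAMIC     Gi1/0/48
  10    0011.2233.4431    DYNAMIC     Gi1/0/48
  20    0011.2233.4432    DYNAMIC     Gi1/0/48
Total Mac Addresses for this criterion: 14
"""

# Hypothetical policy: how many distinct MACs an access port may learn.
DEFAULT_ALLOWED = 2                # e.g. an IP phone with a PC behind it
PORT_ALLOWED = {"Gi1/0/3": 1}      # per-port override
EXEMPT_PORTS = {"Gi1/0/48"}        # documented uplink/trunk, expected to see many

ROW = re.compile(
    r"^\s*(\d+)\s+((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+(\w+)\s+(\S+)\s*$",
    re.IGNORECASE,
)


def macs_per_port(table_text):
    """Map port -> set of dynamically learned MACs.

    A MAC seen in several VLANs on one port is counted once, and static
    entries (CPU, multicast) are ignored.
    """
    ports = defaultdict(set)
    for line in table_text.splitlines():
        match = ROW.match(line)
        if not match:
            continue  # headers, separators, totals, non-numeric VLAN rows
        _vlan, mac, kind, port = match.groups()
        if kind.upper() == "DYNAMIC":
            ports[port].add(mac.lower())
    return ports


def find_violations(table_text):
    """Return ports whose distinct MAC count exceeds the allowed number."""
    violations = []
    for port, macs in macs_per_port(table_text).items():
        if port in EXEMPT_PORTS:
            continue
        allowed = PORT_ALLOWED.get(port, DEFAULT_ALLOWED)
        if len(macs) > allowed:
            violations.append({
                "port": port,
                "count": len(macs),
                "allowed": allowed,
                "macs": sorted(macs),
                "action": "suspend port and notify",  # decision only
            })
    return sorted(violations, key=lambda v: v["port"])


if __name__ == "__main__":
    for v in find_violations(SAMPLE_TABLE):
        print(f'{v["port"]}: {v["count"]} MACs (allowed {v["allowed"]}) -> {v["action"]}')
```

An access port learning more addresses than its allowance is the signal that something is fanning out behind it; the exempt list has to track the documented uplinks or every trunk will be flagged.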


Re: Geolocation issue with a twist

2018-05-22 Thread Jason Hellenthal
You will probably need to host that attachment elsewhere and post a link to it. 
Attachments don’t really fly to mailing lists.

> On May 22, 2018, at 15:50, Clay Stewart  wrote:
> 
> Can someone point me for help with the following issue?
> 
> I purchased a /24 late last year on auction which was originally owned by
> Cox communications in Europe. It had Geolocation in a lot of bad places,
> and Cox got it 'cleared' up for me.
> 
> But there is still one issue, an ISP in Spain has it in a Geo database
> which is pointed to my correct location, but because it is a Spain ISP, the
> block has lots of issues in block apps and redirects to spam sites.
> 
> Attach is a snapshot with the incorrect ISP highlight and Geo database. I
> cannot get any info from the Geo database.
> 
> I am new to this list, so I hope this is an appropriate question.


-- 

The fact that there's a highway to Hell but only a stairway to Heaven says a 
lot about anticipated traffic volume.







Re: Whois vs GDPR, latest news

2018-05-21 Thread Jason Hellenthal
Mind pointing out where in the GDPR that it directly relates to these types of 
mail services ?

> On May 21, 2018, at 20:07, Matthew Kaufman  wrote:
> 
> On Mon, May 21, 2018 at 1:56 PM Fletcher Kittredge  wrote:
> 
>> What about my right to not have this crap on NANOG?
>> 
> 
> 
> What about the likely truth that if anyone from Europe mails the list, then
> every mail server operator with subscribers to the list must follow the
> GDPR Article 14 notification requirements, as the few exceptions appear to
> not apply (unless you’re just running an archive).
> 
> Matthew


-- 

The fact that there's a highway to Hell but only a stairway to Heaven says a 
lot about anticipated traffic volume.







Re: New DNS Service

2018-04-03 Thread Jason Hellenthal
Like a wildcard DNS entry !

-- 

The fact that there's a highway to Hell but only a stairway to Heaven says a 
lot about anticipated traffic volume.





> On Apr 3, 2018, at 10:25, Lee  wrote:
> 
> It depends.  If the web site is hosted on.. let's say cloudflare,
> there could be hundreds of names pointing to the same IP address.
> 
> Lee



Re: Proof of ownership; when someone demands you remove a prefix

2018-03-12 Thread Jason Hellenthal
haha. Sorry for the top posts. iOS what ya goin to do on a very long thread 
capability. :-)

-- 

The fact that there's a highway to Hell but only a stairway to Heaven says a 
lot about anticipated traffic volume.





> On Mar 12, 2018, at 22:26, Scott Weeks <sur...@mauigateway.com> wrote:
> 
> 
> 
>>> On Mar 12, 2018, at 4:11 PM, Randy Bush <ra...@psg.com> wrote:
>>> 
>>> it's a real shame there is no authoritative cryptographically verifiable
>>> attestation of address ownership.
> 
> 
>> On Mar 12, 2018, at 21:20, George William Herbert <george.herb...@gmail.com> 
>> wrote:
>> 
>> Ownership?...
>> 
>> (Duck)
> 
> 
> --- jhellent...@dataix.net wrote:
> From: Jason Hellenthal <jhellent...@dataix.net>
> 
> : shouldn’t that be proof enough of ownership of the ASN ?
> -
> 
> 
> You don't own the ASN.  And that was a special, friendly poke at randy... :-)
> 
> scott



Re: Proof of ownership; when someone demands you remove a prefix

2018-03-12 Thread Jason Hellenthal
How about signed ownership ? (https://keybase.io) if you are able to update the 
record … and it is able to be signed then shouldn’t that be proof enough of 
ownership of the ASN ?

If you can update a forward DNS record then you can have the reverse record 
updated in the same sort of fashion and signed by a third party to provide 
first party of authoritative ownership… Assuming you have an assigned ASN and 
the admin has taken the time to let alone understand the concept and properly 
prove the identity in the first place… (EV cert ?)


Just a light opinion from … https://jhackenthal.keybase.pub

Trust is a big issue these days and validation even worse given SSL trust.

-- 

The fact that there's a highway to Hell but only a stairway to Heaven says a 
lot about anticipated traffic volume.





> On Mar 12, 2018, at 21:20, George William Herbert  
> wrote:
> 
> Ownership?...
> 
> (Duck)
> 
> -george 
> 
> Sent from my iPhone
> 
>> On Mar 12, 2018, at 4:11 PM, Randy Bush  wrote:
>> 
>> it's a real shame there is no authoritative cryptographically verifiable
>> attestation of address ownership.



Re: Novice sysadmins

2017-12-06 Thread Jason Hellenthal
People die all the time in our profession. Loss of job due to major failure… 
self inflicted suicide or even homicide by disgruntled employee due to others 
negligent actions and laziness. It only amplifies and is less reported these 
days than in the dot.com boom era. But the higher the classification the more 
likely it's to happen whether it's someone else or the person that made the “huge 
mistake”.


But this thread is really out of line and can go on forever. I would encourage 
others to not reply as I will not as well.



> On Dec 6, 2017, at 19:39, Miles Fidelman  wrote:
> 
> 
>> On Wed, Dec 6, 2017 at 1:51 PM, Stephen Satchell  wrote:
>> 
>>> What professional engineers you mentioned do can kill people.  I have yet
>>> to hear of anyone dying from a sysadmin or netadmin screwing up. (Other
>>> than dropping something heavy onto someone, using a fork lift
>>> incompetently, or building an unsafe raised floor.).
>>> 
>>> 
> Military networks.  Aviation.  Hospitals.  SCADA.  The list goes on.
> 
> 
> 
> -- 
> In theory, there is no difference between theory and practice.
> In practice, there is.   Yogi Berra
> 



IPv6 Connectivity at Specific Datacenter location.

2017-05-19 Thread Jason Hellenthal

I need to get in touch with a NOC/IP tech for Level3 previously TW/Telecom. 
Informative only.

We have a /25 block of shared IPv4 at a local Datacenter in a Brookfield, WI 
located datacenter owned by Level3 and I would like to add V6 connectivity at 
our edge but I cannot seem to find a proper contact to inquire with. We're 
currently hosting a one off solution at Rackspace just for V6 and Apple 
requirements and I'd like to discuss what it's going to take to get that 
connectivity moved to our datacenter edge.


Open for off list contact. Non time sensitive matter but would like to handle 
ASAP.


Thanks

[AS1299] Contact Request

2017-04-05 Thread Jason Hellenthal
Could someone from AS1299 track down the source of this problem. Feel free to 
contact me off list for phone number or otherwise. Thanks

Routing from AS11427, AS209 & AS32201 to the IP address of 190.166.236.188 in 
the Dominican Republic (DO) seems to be dropping traffic at AS1299 to and from.


I have a remote programmer that needs VPN access back to our corporate office 
in Wisconsin from that IP address.


/TIA

Re: 403 Labs "Sikich"

2017-02-04 Thread Jason Hellenthal
Situation has been resolved.

> On Feb 4, 2017, at 16:38, Jason Hellenthal <jhellent...@dataix.net> wrote:
> 
> Is anyone from 403 Labs present on this list ?
> 
> We have a stuck automated test that was never turned off that is affecting 
> our customers and coming from your network to a shared IP block in Chicago. 
> 
> Contact me off list for details please.
> 
> 
> Thanks



403 Labs "Sikich"

2017-02-04 Thread Jason Hellenthal
Is anyone from 403 Labs present on this list ?

We have a stuck automated test that was never turned off that is affecting our 
customers and coming from your network to a shared IP block in Chicago. 

Contact me off list for details please.


Thanks

PayCom Network Contact Request

2017-02-01 Thread Jason Hellenthal
Could a network engineer from PayCom contact me off list when you get a chance 
please.

Hoping to glean some subnet information from you that might help us out, if 
there is someone from PayCom on this list.


Thanks




Re: Wanted: volunteers with bandwidth/storage to help save climate data

2016-12-21 Thread Jason Hellenthal
Simply put… if the data that is hosted on the sites aforementioned then cough 
up the damn space and host it. Data space is cheap as hell these days, parse it 
and get the hell on with it already.


*Disclaimer*
not meant to single out any one party in this conversation but the whole 
subject all together. Need someone to help mirror the data ? I may or may not 
be able to assist with that. Provide the space to upload it to and the 
direction to the data you want. But beyond all that. This subject is plainly 
just off topic.


> On Dec 21, 2016, at 22:16, Royce Williams <ro...@techsolvency.com> wrote:
> 
> On Tue, Dec 20, 2016 at 7:08 AM, Royce Williams <ro...@techsolvency.com> 
> wrote:
> 
> [snip]
> 
>> IMO, *operational, politics-free* discussion of items like these would
>> also be on topic for NANOG:
>> 
>> - Some *operational* workarounds for country-wide blocking of
>> Facebook, Whatsapp, and Twitter [1], or Signal [2]
> 
> [snip]
> 
>> 2. 
>> http://www.nytimes.com/aponline/2016/12/20/world/middleeast/ap-ml-egypt-app-blocked.html
> 
> Steering things back towards the operational, the makers of Signal
> announced today [1] an update to Signal with a workaround for the
> blocking that I noted earlier. Support in iOS is still in beta.
> 
> The technique (which was new to me) is called 'domain fronting' [2].
> It works by distributing TLS-based components among domains for which
> blocking would cause wide-sweeping collateral damage if blocked (such
> as Google, Amazon S3, Akamai, etc.), making blocking less attractive.
> Since it's TLS, the Signal connections cannot be differentiated from
> other services in those domains.
> 
> Signal's implementation of domain fronting is currently limited to
> countries where the blocking has been observed, but their post says
> that they're ramping up to make it available more broadly, and to
> automatically enable the feature when non-local phone numbers travel
> into areas subject to blocking.
> 
> The cited domain-fronting paper [2] was co-authored by David Fifield,
> who has worked on nmap and Tor.
> 
> Royce
> 
> 1. https://whispersystems.org/blog/doodles-stickers-censorship/
> 2. http://www.icir.org/vern/papers/meek-PETS-2015.pdf


-- 
 Jason Hellenthal
 JJH48-ARIN






Re: [nanog] Avalanche botnet takedown

2016-12-02 Thread Jason Hellenthal
If I could have it my way, I would say no gTLD’s should be allowed to transmit 
any email messages whatsoever. And force them to either use something like 
sendgrid.com or to purchase a primary .com, .org, .net .co.uk whatever etc.. 

But thats just me.

It’s not a nice world but it is just the world we live in today.
 
> On Dec 2, 2016, at 05:28, Hugo Salgado-Hernández <hsalg...@nic.cl> wrote:
> 
> According to a 2015 paper, 85% of new gTLDs domains was some form
> of parking, defensive redirect, unused, etc:
> <http://conferences2.sigcomm.org/imc/2015/papers/p381.pdf>
> 
> Hugo
> 
> On 15:02 01/12, J. Hellenthal wrote:
>> 99% ? That's a pretty high figure there.
>> 
>> -- 
>> Onward!, 
>> Jason Hellenthal, 
>> Systems & Network Admin, 
>> Mobile: 0x9CA0BD58, 
>> JJH48-ARIN
>> 
>> On Dec 1, 2016, at 14:56, Rich Kulawiec <r...@gsp.org> wrote:
>> 
>>> On Thu, Dec 01, 2016 at 05:34:26PM -, John Levine wrote:
>>> [...] 800,000 domain names used to control it.
>> 
>> 1. Which is why abusers are registrars' best customers and why
>> (some) registrars work so very hard to support and shield them.
>> 
>> 2. As an aside, I've been doing a little research project for a
>> few years, focused on domains.  I've become convinced that *at least*
>> 99% of domains belong to abusers: spammers, phishers, typosquatters,
>> malware distributors, domaineers, combinations of these, etc. 
>> 
>> In the last year, I've begun thinking that 99% is a serious underestimate.
>> (And it most certainly is in some of the new gTLDs.)
>> 
>> ---rsk
>> 


-- 
 Jason Hellenthal
 JJH48-ARIN






Re: Oracle buys... Dyn.

2016-11-21 Thread Jason Hellenthal
Let's just hope so, or I'd think that there will eventually be a price hike 
by AWS to compensate for Oracle’s outrageous costs.

But again only speculation at this point.

> On Nov 21, 2016, at 11:22, Akshay Kumar <aks...@mongodb.com> wrote:
> 
> Route53 just uses Dyn and Ultra. I would expect AWS to roll out their own 
> soon.
> 
> On Mon, Nov 21, 2016 at 12:18 PM, J. Hellenthal <jhellent...@dataix.net> 
> wrote:
> Don't blame ya I'm a little negative on this one too as I can already 
> "assume" specialized DNS integration with oracle products among possibly 
> ?oracle cloud? Structures spawning up for competition with AWS, Azure ... 
> others but these are just speculations.
> 
> --
>  Onward!,
>  Jason Hellenthal,
>  Systems & Network Admin,
>  Mobile: 0x9CA0BD58,
>  JJH48-ARIN
> 
> On Nov 21, 2016, at 10:26, Jay R. Ashworth <j...@baylink.com> wrote:
> 
> Happy Monday.
> 
> This seems to me to be equivalent (and bad for the same reasons) to cable
> companies and/or ISPs being co-owned with program providers.
> 
>  
> http://www.zdnet.com/article/oracle-acquires-dns-provider-dyn-to-take-on-amazons-lead-in-the-cloud
> 
> How will this affect *your* operations planning, if at all?  Am I being
> overly cynical about Larry Ellison? :-)
> 
> Cheers,
> -- jra
> 
> --
> Jay R. Ashworth  Baylink   
> j...@baylink.com
> Designer The Things I Think   RFC 2100
> Ashworth & Associates   http://www.bcp38.info  2000 Land Rover DII
> St Petersburg FL USA  BCP38: Ask For It By Name!   +1 727 647 1274
> 


-- 
 Jason Hellenthal
 JJH48-ARIN






Re: Network Diagnostic Tool

2016-11-16 Thread Jason Hellenthal
https://twitter.com/jhackenthal/status/799091998594650112

> On Nov 12, 2016, at 22:05, J. Hellenthal <jhellent...@dataix.net> wrote:
> 
> That is a very cool contribution you've made. Let me run it through some 
> tests and put it to work right away and see if I can provide some feedback 
> and maybe possible patches or insights 
> 
> But thank you!!
> 
> -- 
> Onward!, 
> Jason Hellenthal, 
> Systems & Network Admin, 
> Mobile: 0x9CA0BD58, 
> JJH48-ARIN
> 
> On Nov 12, 2016, at 13:28, Mehrdad Arshad Rad <arshad@gmail.com> wrote:
> 
> Hi,
> 
> I've started to develop an open source tool 4 months ago to help
> neteng/sysadmin/sysops please take look at the below link and let me know
> if you have any suggestions.
> 
> https://github.com/mehrdadrad/mylg
> 
> p.s you can download it for different operating systems at http://mylg.io
> 
> Thanks,
> Mehrdad


-- 
 Jason Hellenthal
 JJH48-ARIN






Re: CenturyLink in Advanced Talks to Merge With Level 3 Communications - Interweb is doomed

2016-10-27 Thread Jason Hellenthal
lol

> On Oct 28, 2016, at 00:43, Larry Sheldon <larryshel...@cox.net> wrote:
> 
> 
> 
> On 10/27/2016 12:36, Nevin Gonsalves via NANOG wrote:
>> :-)
>> http://www.wsj.com/articles/centurylink-in-advanced-talks-to-merge-with-level-3-communications-1477589011
> 
> OH BOY!  Omaha Taxpayers get to replace all the BGSs for their party venue 
> boondoggle.  Again.
> 
> 
> https://www.google.com/maps/place/CenturyLink+Center+Omaha/@41.2623782,-95.9281322,19z/data=!4m5!3m4!1s0x0:0xe896a8b5037ce4d0!8m2!3d41.2624226!4d-95.9282445
> 
> -- 
> "Everybody is a genius.  But if you judge a fish by
> its ability to climb a tree, it will live its whole
> life believing that it is stupid."
> 
> --Albert Einstein
> 
> From Larry's Cox account.


-- 
 Jason Hellenthal
 JJH48-ARIN






Re: Route It Or Lose It

2016-10-18 Thread Jason Hellenthal
Well what else would you expect from today's information age. It’s like leaving 
a $100.00 bill on the sidewalk and expecting it to be there the following day.

> On Oct 18, 2016, at 00:08, Ronald F. Guilmette <r...@tristatelogic.com> wrote:
> 
> 
> What a friendly, helpful place the modern Internet is!
> 
> Like the forest floor, it's an ecosystem where things don't go
> to waste.
> 
> If you happen to inadvertently leave your shiny /18 IPv4 block
> lying around, don't worry.  It won't be long before some helpful
> Bulgarian, Romanian, Ukrainian or Russian will happen by, notice
> that you failed to route it, and then fix that for you, at no
> charge, and without you even having to ask.  Then, as a bonus,
> also at no charge, he'll fill it to the brim with snowshoe spammers
> for you!  How helpful!
> 
> 124.157.0.0/18 (VietNam) -> AS44814 (Bulgaria)
> 


-- 
 Jason Hellenthal
 JJH48-ARIN






Re: A perl script to convert Cisco IOS/Nexus/ASA configurations to HTML for easier comprehension

2016-10-13 Thread Jason Hellenthal
Thanks for chiming in Jesse.

> On Oct 13, 2016, at 08:08, Jesse McGraw <jlmcg...@gmail.com> wrote:
> 
> Lee,
> 
>  Check out the setup.sh script, hopefully it does everything necessary to get 
> the script working on a Debian-derived Linux system
> 
> I've attempted to make the only globally-installed dependencies be cpanm and 
> carton.  Once those are installed it uses carton to install the dependencies 
> locally
> 
> 
> On 10/12/2016 07:59 PM, Lee wrote:
>> On 10/12/16, Jason Hellenthal <jhellent...@dataix.net> wrote:
>>> Give these a shot. https://github.com/jlmcgraw/networkUtilities
>>> 
>>> I know J could use a little feedback on those as well but all in all they
>>> are pretty solid.
>> Where does one get Modern/Perl.pm ?
>> 
>> Can't locate Modern/Perl.pm in @INC (you may need to install the
>> Modern::Perl module) (@INC contains: /tmp/local/lib/perl5
>> /usr/lib/perl5/site_perl/5.22/i686-cygwin-threads-64int
>> /usr/lib/perl5/site_perl/5.22
>> /usr/lib/perl5/vendor_perl/5.22/i686-cygwin-threads-64int
>> /usr/lib/perl5/vendor_perl/5.22
>> /usr/lib/perl5/5.22/i686-cygwin-threads-64int /usr/lib/perl5/5.22 .)
>> at /tmp/iosToHtml.pl line 87.
>> BEGIN failed--compilation aborted at /tmp/iosToHtml.pl line 87.
>> 
>> Lee
>> 
>> 
>> 
>>>> On Oct 11, 2016, at 08:48, Lee <ler...@gmail.com> wrote:
>>>> 
>>>> On 10/10/16, Jay Hennigan <j...@west.net> wrote:
>>>>> On 10/6/16 1:26 PM, Jesse McGraw wrote:
>>>>>> Nanog,
>>>>>> 
>>>>>>(This is me scratching an itch of my own and hoping that sharing it
>>>>>> might be useful to others on this list.  Apologies if it isn't)
>>>>>> 
>>>>>>  When I'm trying to comprehend a new or complicated Cisco router,
>>>>>> switch or firewall configuration an old pet-peeve of mine is how
>>>>>> needlessly difficult it is to follow deeply nested logic in route-maps,
>>>>>> ACLs, QoS policy-maps etc etc
>>>>>> 
>>>>>> To make this a bit simpler I’ve been working on a perl script to
>>>>>> convert
>>>>>> these text-based configuration files into HTML with links between the
>>>>>> different elements (e.g. To an access-list from the interface where
>>>>>> it’s
>>>>>> applied, from policy-maps to class-maps etc), hopefully making it
>>>>>> easier
>>>>>> to follow the chain of logic via clicking links and using the
>>>>>> forward
>>>>>> and back buttons in your browser to go back and forth between command
>>>>>> and referenced list.
>>>>> Way cool. Now to hook it into RANCID
>>>> It looks like what I did in 2.3.8 should still work - control_rancid
>>>> puts the diff output into $TMP.diff so add this bit:
>>>> grep "^Index: " $TMP.diff | awk '/^Index: configs/{
>>>> if ( ! got1 ) { printf("/usr/local/bin/myscript.sh "); got1=1; }
>>>> printf("%s ", $2)
>>>> }
>>>> END{ printf("\n") }
>>>> ' >$TMP.doit
>>>> /bin/sh $TMP.doit >$TMP.out
>>>> if [ -s $TMP.out ] ; then
>>>>   .. send mail / whatever
>>>> rm $TMP.doit $TMP.out
>>>> fi
>>>> 
>>>> Regards,
>>>> Lee
>>> 
>>> --
>>>  Jason Hellenthal
>>>  JJH48-ARIN
>> .
>> 
> 


-- 
 Jason Hellenthal
 JJH48-ARIN






Re: A perl script to convert Cisco IOS/Nexus/ASA configurations to HTML for easier comprehension

2016-10-12 Thread Jason Hellenthal
Give these a shot. https://github.com/jlmcgraw/networkUtilities

I know J could use a little feedback on those as well but all in all they are 
pretty solid.

> On Oct 11, 2016, at 08:48, Lee <ler...@gmail.com> wrote:
> 
> On 10/10/16, Jay Hennigan <j...@west.net> wrote:
>> On 10/6/16 1:26 PM, Jesse McGraw wrote:
>>> Nanog,
>>> 
>>>(This is me scratching an itch of my own and hoping that sharing it
>>> might be useful to others on this list.  Apologies if it isn't)
>>> 
>>>  When I'm trying to comprehend a new or complicated Cisco router,
>>> switch or firewall configuration an old pet-peeve of mine is how
>>> needlessly difficult it is to follow deeply nested logic in route-maps,
>>> ACLs, QoS policy-maps etc etc
>>> 
>>> To make this a bit simpler I’ve been working on a perl script to convert
>>> these text-based configuration files into HTML with links between the
>>> different elements (e.g. To an access-list from the interface where it’s
>>> applied, from policy-maps to class-maps etc), hopefully making it easier
>>> to follow the chain of logic via clicking links and using the forward
>>> and back buttons in your browser to go back and forth between command
>>> and referenced list.
>> 
>> Way cool. Now to hook it into RANCID
> 
> It looks like what I did in 2.3.8 should still work - control_rancid
> puts the diff output into $TMP.diff so add this bit:
> grep "^Index: " $TMP.diff | awk '/^Index: configs/{
> if ( ! got1 ) { printf("/usr/local/bin/myscript.sh "); got1=1; }
> printf("%s ", $2)
> }
> END{ printf("\n") }
> ' >$TMP.doit
> /bin/sh $TMP.doit >$TMP.out
> if [ -s $TMP.out ] ; then
>   .. send mail / whatever
> rm $TMP.doit $TMP.out
> fi
> 
> Regards,
> Lee


-- 
 Jason Hellenthal
 JJH48-ARIN






Re: Level 3 voice outage

2016-10-04 Thread Jason Hellenthal
Patience Obi Wan ! They are investigating the root cause and like most root 
causes they don’t just hold out a flag and say here I am !!!

> On Oct 4, 2016, at 10:32, Ivaylo Katovski <ivokatov...@gmail.com> wrote:
> 
> When will L3 notify their customers for the outage?!? According to l3
> twitter account they are aware of the voice impact and working on it
> 
> On Oct 4, 2016 11:03 AM, "Mark Stevens" <mana...@monmouth.com> wrote:
> 
>> Is anyone noticing issue with Level 3 voice? I can't even call their 800
>> number using one of my other carriers.
>> 
>> Mark
>> 


-- 
 Jason Hellenthal
 JJH48-ARIN






[Cox Communications] RFC1918 On WAN Interfaces

2016-05-23 Thread Jason Hellenthal
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Could a clueful network operator from Cox contact me off list when they get a 
chance. Pertaining to RFC1918 appearing on our business WAN interfaces.


Thanks

- -- 
 Jason Hellenthal
 JJH48-ARIN






Re: Cisco CMTS SNMP OID's

2016-01-24 Thread Jason Hellenthal
Not that you wouldn't have looked already but at the moment too much 
information for me to consume I figured it would be worthwhile mentioning in 
case you didn't know or maybe others as well.

ftp://ftp.cisco.com/pub/mibs/oid/


I've had some custom ones around in the past and if I can figure out where they 
are held I'll shoot them your way.

-- 
 Jason Hellenthal
 JJH48-ARIN

On Jan 24, 2016, at 13:06, Lorell Hathcock <lor...@hathcock.org> wrote:

All:

Does anyone out there have some valuable OID's for a Cisco CMTS?

The ones I am looking for are:
   Signal to Noise per upstream channel
   Cable Modem counts of all kinds
   connected / online
   ranging
   offline 

I opened a ticket through Cisco's help desk.  I have a SmartNET contract for 
the unit, but they were not very helpful.  The OIDs they suggested did not 
yield any useful data.  ("0" when I know there are CMs connected, etc).

Thanks in advance.

Lorell Hathcock



1and1 Clueful Email / DNS Admin Requested

2015-12-29 Thread Jason Hellenthal
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Would a 1and1 clueful DNS and Email Expert contact me off list. Tech support 
cannot seem to provide a customer of ours with appropriate help.

Thanks

- -- 
 Jason Hellenthal
 JJH48-ARIN






[CenturyLink][Proto UDP] Blockage of UDP Outbound from Source Port 53

2015-10-29 Thread Jason Hellenthal
Could a CenturyLink network admin/engineer contact me off list.

We have multiple locations receiving DNS queries over UDP where we see the 
connections making into our server and back out to our CenturyLink edge routers 
but never completes back to the connecting client at multiple locations.

Connections Failing From Digital Ocean NY, Time Warner WI, Rackspace DFW TX
(Hartford CT)# dig +short +novc @208.46.135.X domain.com A
(Cleveland OH)# dig +short +novc @65.112.236.X domain.com A


Connections from Chicago Rackspace to the above locations work as expected.

CenturyLink Orlando FL to Hartford CT or Cleveland OH, CenturyLink circuits 
work as expected.


Contact off list for domain and ip information used above.


Thanks

-- 
 Jason Hellenthal
 JJH48-ARIN






Re: Google IMAP

2015-10-20 Thread Jason Hellenthal
$ dig @8.8.8.8 imap.gmail.com

; <<>> DiG 9.10.3 <<>> @8.8.8.8 imap.gmail.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49149
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;imap.gmail.com.IN  A

;; ANSWER SECTION:
imap.gmail.com. 299 IN  CNAME   gmail-imap.l.google.com.
gmail-imap.l.google.com. 299IN  A   173.194.74.108
gmail-imap.l.google.com. 299IN  A   173.194.74.109

;; Query time: 28 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Oct 21 01:02:22 UTC 2015
;; MSG SIZE  rcvd: 109


I don’t recall this ever being imap.google.com

> On Oct 20, 2015, at 19:54, Nathanael Cariaga 
> <nathanael.cari...@adec-innovations.com> wrote:
> 
> Any GMail / Google Apps guys here?  Just want to ask if there are issues
> with imap.google.com
> 
> 
> ; <<>> DiG 9 <<>> @localhost imap.google.com A
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 24131
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;imap.google.com. IN  A
> 
> ;; AUTHORITY SECTION:
> google.com.   60  IN  SOA ns4.google.com. 
> dns-admin.google.com.
> 105915603 900 900 1800 60
> 
> ;; Query time: 16 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Wed Oct 21 02:53:04 2015
> ;; MSG SIZE  rcvd: 83
> 
> 
> 
> 
> -- 
> Regards,
> 
> 
> -nathan


-- 
 Jason Hellenthal
 JJH48-ARIN






Re: IP-Echelon Compliance

2015-10-13 Thread Jason Hellenthal
RoFLx1000 

Srysly! Cluebat who are these people again and why does anyone need them ?

#Sigh

-- 
 Jason Hellenthal
 JJH48-ARIN

On Oct 13, 2015, at 09:52, s...@ip-echelon.com wrote:

Hi Fred,

I can’t find your name, email address or the domain-name from your email in our 
mailboxes.

If you send the request via this webform or via email to the address specified 
in the notice, we’ll absolutely jump on it and respond ASAP.

I can’t monitor this thread further but please reach out via the channels 
described so we can help.

Cheers,
Seth

> On Oct 13, 2015, at 2:10 AM, Fred Hollis <f...@web2objects.com> wrote:
> 
> At least, we tried contacting you many times, but you ignored all our 
> requests.
> 
> Still receiving thousands of e-mails not related to our IPs on daily basis.
> 
>> On 13.10.2015 at 00:04 Seth Arnold wrote:
>> Hi All,
>> 
>> Please feel free to get in touch with us to request changes.
>> 
>> Expedited processing of your requests is offered through the Notice 
>> Recipient Management for ISPs section of our website located here:
>> http://www.ip-echelon.com/isp-notice-management/ 
>> <http://www.ip-echelon.com/isp-notice-management/>
>> 
>> If you are in the U.S., please also ensure that your change is reflected in 
>> the records of the US Copyright Office:  
>> http://copyright.gov/onlinesp/list/a_agents.html 
>> <http://copyright.gov/onlinesp/list/a_agents.html>
>> 
>> 
>> Cheers,
>> Seth
>> 


Re: Level(3) ex-twtelecom midwest packet loss (4323)

2015-08-26 Thread Jason Hellenthal
Cleared up here in WI TW/Level3 COLO between 19:00 - 19:20 CST - 3235 Intertech 
Dr. Brookfield

 On Aug 26, 2015, at 16:44, Ryan K. Brooks r...@hack.net wrote:
 
 Seems to be impacting their entire network now.
 
 On 8/26/15 4:41 PM, Rafael Possamai wrote:
 I have been seeing the same issues, but haven't heard anything back yet. It 
 has improved in the last 30 minutes or so, see below.
 
 
 http://imgur.com/KVAzetA
 
 
 On Wed, Aug 26, 2015 at 4:34 PM, Ryan K. Brooks r...@hack.net 
 mailto:r...@hack.net wrote:
 
Seeing packet loss on AS4323 since 2:30 Central time.   NOC is
unresponsive to phone and email.  Anyone have an idea what's going
on over there?
 
 
 


--
 Jason Hellenthal
 JJH48-ARIN








Re: GoDaddy : DDoS :: Contact

2015-08-02 Thread Jason Hellenthal
Just block it 

-- 
 Jason Hellenthal
 JJH48-ARIN

On Aug 2, 2015, at 14:59, Jason LeBlanc jason.lebl...@infusionsoft.com wrote:

My company is being DDoS'd by a single IP from a GoDaddy customer.

I haven't had success with the ab...@godaddy.com email.  Was hoping someone
that could help might be watching the list and could contact me off-list.


//Jason



Re: grepcidr 2.99

2015-06-09 Thread Jason Hellenthal
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hi John,

Great contribution. Thanks

Might I make a suggestion? with the following command it gives Invalid CIDR. In 
my usage it would seem logically convenient to throw any quad octet at it and 
have it translate to the proper CIDR range that isn’t reported as invalid since 
it does this anyway. For instance 127.0.0.1/8 would just become 127.0.0.0/8. 
Then add a (-d) flag for debugging or verbose messages. My first impression of 
the output was that it was only going to grep for valid CIDR ranges which was 
not true.

$ cidr 127.0.0.1/8
Invalid cidr: 127.0.0.1/8

$ grepcidr -q 192.0.0.1/24
Invalid cidr: 192.0.0.1/24


All-in-all great tool and putting it to use right away!

Thank you John

On Jun 9, 2015, at 11:27, John Levine jo...@iecc.com wrote:

I've updated grepcidr again, adding some code contributed by a user.
(This open source thing may actually have a future.)

grepcidr is what it sounds like, you give it a bunch of CIDR ranges,
and files to read, and it prints out the lines in the files that
contain addresses that match any of the CIDR ranges.  The new feature
lets it match CIDR ranges in the input files as well as IP addresses.
It handles both IPv4 and IPv6.  It maps each file into memory and runs
a state machine over the file in one pass so it's quite fast.  There
should be no limits on line length, file size, or number of patterns
other than running out of memory.

Find it here:

http://www.taugh.com/grepcidr-2/

Regards,
John Levine, jo...@iecc.com, Primary Perpetrator of The Internet for Dummies,
Please consider the environment before reading this e-mail. http://jl.ly


- -- 
 Jason Hellenthal
 JJH48-ARIN




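The normalization suggested in the message above, sketched in C as an added example (not grepcidr's own code, and not written by either poster). `struct cidr4`, `cidr4_parse` and the other helper names are hypothetical: strict mode rejects a prefix with host bits set, as in the quoted output, while lenient mode masks them off and records that it did so, which is the condition a verbose flag could report.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical types and names for this example; not grepcidr's API. */
struct cidr4 {
    uint32_t network;       /* address with host bits cleared (host byte order) */
    uint32_t mask;          /* netmask (host byte order) */
    int      prefixlen;     /* 0..32 */
    int      had_host_bits; /* 1 if the input had bits set below the prefix */
};

/* Parse one decimal field in 0..max and advance *s; returns -1 on error.
 * Leading zeros are rejected so "010" is never guessed as octal or decimal. */
static long parse_field(const char **s, long max)
{
    const char *p = *s;
    long v = 0;
    int digits = 0;

    while (*p >= '0' && *p <= '9') {
        v = v * 10 + (*p - '0');
        if (++digits > 3 || v > max)
            return -1;
        p++;
    }
    if (digits == 0 || (digits > 1 && **s == '0'))
        return -1;
    *s = p;
    return v;
}

/* Parse "a.b.c.d/len". strict=1 rejects input with host bits set;
 * strict=0 clears them. Returns 0 on success, -1 on any error. */
int cidr4_parse(const char *text, int strict, struct cidr4 *out)
{
    const char *p = text;
    uint32_t addr = 0, mask;
    long len;

    for (int i = 0; i < 4; i++) {
        long octet = parse_field(&p, 255);
        if (octet < 0)
            return -1;
        addr = (addr << 8) | (uint32_t)octet;
        if (i < 3 && *p++ != '.')
            return -1;
    }
    if (*p++ != '/')
        return -1;
    len = parse_field(&p, 32);
    if (len < 0 || *p != '\0')
        return -1;

    /* Shifting a 32-bit value by 32 is undefined in C, so /0 is special-cased. */
    mask = len == 0 ? 0 : (uint32_t)(0xFFFFFFFFu << (32 - len));
    if (strict && (addr & ~mask) != 0)
        return -1;

    out->network = addr & mask;
    out->mask = mask;
    out->prefixlen = (int)len;
    out->had_host_bits = (addr & ~mask) != 0;
    return 0;
}

/* 1 if addr (host byte order) falls inside the prefix, else 0. */
int cidr4_contains(const struct cidr4 *c, uint32_t addr)
{
    return (addr & c->mask) == c->network;
}

/* Write the canonical "network/len" form into buf and return buf. */
char *cidr4_format(const struct cidr4 *c, char *buf, size_t n)
{
    snprintf(buf, n, "%u.%u.%u.%u/%d",
             (unsigned)(c->network >> 24), (unsigned)((c->network >> 16) & 0xFF),
             (unsigned)((c->network >> 8) & 0xFF), (unsigned)(c->network & 0xFF),
             c->prefixlen);
    return buf;
}

int main(void)
{
    /* The two inputs quoted in the message above. */
    const char *samples[] = { "127.0.0.1/8", "192.0.0.1/24" };
    char buf[32];
    struct cidr4 c;

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int strict_rc = cidr4_parse(samples[i], 1, &c);
        if (cidr4_parse(samples[i], 0, &c) != 0)
            continue;
        printf("%-13s strict: %-12s lenient: %s%s\n", samples[i],
               strict_rc == 0 ? "ok" : "Invalid cidr",
               cidr4_format(&c, buf, sizeof buf),
               c.had_host_bits ? " (host bits cleared)" : "");
    }
    return 0;
}
```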


ControlNow / MailEssentials Admin Requested

2015-02-24 Thread Jason Hellenthal
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Could a clueful ControlNow smtp admin contact me off-list.

RE: na0102.smtpout.com

- -- 
 Jason Hellenthal
 JJH48-ARIN



Re: Charter ARP Leak

2014-12-29 Thread Jason Hellenthal
Well sure they are subnets :-) of 0.0.0.0/4

range:   0.0.0.0  15.255.255.255
range b10:   0  268435455
range b16:   0x0  0xfff
hosts:   268435456
prefixlen:   4
mask:240.0.0.0

Doubt anyone should ever describe them as such unless they own all that space 
though. May God rest their soul if they do.

 On Dec 29, 2014, at 19:21, Larry Sheldon larryshel...@cox.net wrote:
 
 On 12/29/2014 11:35, Brett Frankenberger wrote:
 On Mon, Dec 29, 2014 at 12:27:04PM -0500, Jay Ashworth wrote:
 
 Valdis, you are correct. What you're seeing is caused by multiple IP
 blocks being assigned to the same CMTS interface.
 
 Am I incorrect, though, in believing that ARP packets should only be visible
 within a broadcast domain,
 
 broadcast domain != subnet
 
 It surprises me that in this day and age, in a forum like this that has an 
 active thread about kids being taught archaic concepts, we see language like 
 broadcast domain != subnet and a perceived need to explain it.
 
 [no longer germane material deleted to reduce excess baggage charges]
 
 int ethernet 0/0
   ip address 10.0.0.1 255.255.0.0
   ip address 11.0.0.1 255.255.0.0 secondary
   ip address 12.0.0.1 255.255.0.0 secondary
 
 The broadcast domain will have ARP broadcasts for all three subnets.
 
 These are not subnets!  They are IP addresses in three different IP networks.
 
 Doing it over a CMTS doesn't change that.
 
 Communication here perceived as hostile is apologized-for.
 
 
 -- 
 The unique Characteristics of System Administrators:
 
 The fact that they are infallible; and,
 
 The fact that they learn from their mistakes.
 
 
 Quis custodiet ipsos custodes

-- 
 Jason Hellenthal
 Mobile: +1 (616) 953-0176
 jhellent...@dataix.net
 JJH48-ARIN



Re: Looking for piece of undersea cable

2014-12-12 Thread Jason Hellenthal
Tanzania looks to have a piece they wouldn’t miss … grab your scuba gear we’ll 
go swimming :-)

 On Dec 12, 2014, at 14:58, Colin McIntosh cmcintos...@gmail.com wrote:
 
 Hey all,
 
 I'm looking for a piece of undersea cable to use for educational purposes
 and was hoping somebody would have a section they can part with. Doesn't
 need to be a big piece, really any size will work. I can pay for shipping
 and the cable, if needed.
 
 Thanks!
 -Colin

-- 
 Jason Hellenthal
 Mobile: +1 (616) 953-0176
 jhellent...@dataix.net
 JJH48-ARIN



Re: Looking for piece of undersea cable

2014-12-12 Thread Jason Hellenthal
http://www.submarinecablemap.com/

 On Dec 12, 2014, at 15:11, Jason Hellenthal jhellent...@dataix.net wrote:
 
 Tanzania looks to have a piece they wouldn’t miss … grab your scuba gear 
 we’ll go swimming :-)
 
 On Dec 12, 2014, at 14:58, Colin McIntosh cmcintos...@gmail.com wrote:
 
 Hey all,
 
 I'm looking for a piece of undersea cable to use for educational purposes
 and was hoping somebody would have a section they can part with. Doesn't
 need to be a big piece, really any size will work. I can pay for shipping
 and the cable, if needed.
 
 Thanks!
 -Colin
 
 -- 
 Jason Hellenthal
 Mobile: +1 (616) 953-0176
 jhellent...@dataix.net
 JJH48-ARIN
 

-- 
 Jason Hellenthal
 Mobile: +1 (616) 953-0176
 jhellent...@dataix.net
 JJH48-ARIN



Re: Kind of sad

2014-11-10 Thread Jason Hellenthal
Ha ya know what they say... Don't ever trust someone that says trust me...

-- 
 Jason Hellenthal
 Mobile: +1 (616) 953-0176
 jhellent...@dataix.net
 JJH48-ARIN

On Nov 10, 2014, at 21:43, Joe jbfixu...@gmail.com wrote:

Generally speaking it's best you do what you're good at and this is not it.

Exposing there is a window open to a gov agency is not hacking, trust me. I
would say go back to fathering children and once you have a few more years
under your belt feel free to join in.
 On Mon, Nov 10, 2014 at 5:48 PM, Brian Henson marin...@gmail.com wrote:
 
 Generally speaking it's a bad idea to show you hacking into a server. Makes
 it too easy to prosecute those who do.
 


Re: Can anyone check this routing against Charter in WI?

2014-06-15 Thread Jason Hellenthal
No particular issues from where I'm at.

 Route
- #1: 12.1 ms
  IP Address: 172.31.32.1
  Hostname: gateway.dataix.local
- #2: 5.2 ms
  IP Address: 192.168.1.1
- #3: 11.5 ms
  IP Address: 10.155.64.1
- #4: 14.0 ms
  IP Address: 96.34.34.206
  Hostname: dtr02hlldmi-tge-0-1-1-2.hlld.mi.charter.com
  Country Name: United States
  Country Code: US
- #5: 16.6 ms
  IP Address: 96.34.32.30
  Hostname: crr02aldlmi-bue-12.aldl.mi.charter.com
  Country Name: United States
  Country Code: US
  Time Zone: America/Los_Angeles
  Region: California
  City: San Francisco
  Latitude: 37.775
  Longitude: -122.419
- #6: 20.3 ms
  IP Address: 96.34.2.10
  Hostname: bbr01aldlmi-bue-2.aldl.mi.charter.com
  Country Name: United States
  Country Code: US
  Time Zone: America/Los_Angeles
  Region: California
  City: San Francisco
  Latitude: 37.775
  Longitude: -122.419
- #7: 23.7 ms
  IP Address: 96.34.0.99
  Hostname: bbr01chcgil-bue-4.chcg.il.charter.com
  Country Name: United States
  Country Code: US
  Time Zone: America/Los_Angeles
  Region: California
  City: San Francisco
  Latitude: 37.775
  Longitude: -122.419
- #8: 19.9 ms
  IP Address: 96.34.3.114
  Hostname: prr02chcgil-bue-3.chcg.il.charter.com
  Country Name: United States
  Country Code: US
  Time Zone: America/Los_Angeles
  Region: California
  City: San Francisco
  Latitude: 37.775
  Longitude: -122.419
- #9: 154.7 ms
  IP Address: 23.30.206.169
  Hostname: be-204-pe04.350ecermak.il.ibone.comcast.net
  AS Number: AS7922
  AS Name: Comcast Cable Communications, Inc.
  Country Name: United States
  Country Code: US
- #10: 27.5 ms
  IP Address: 68.86.83.53
  Hostname: he-3-1-0-0-cr01.350ecermak.il.ibone.comcast.net
  AS Number: AS7922
  AS Name: Comcast Cable Communications, Inc.
  Country Name: United States
  Country Code: US
  Time Zone: America/Los_Angeles
  Region: California
  City: San Francisco
  Latitude: 37.775
  Longitude: -122.419
- #11: 26.1 ms
  IP Address: 68.86.94.242
  Hostname: he-0-12-0-0-ar01.pontiac.mi.michigan.comcast.net
  AS Number: AS7922
  AS Name: Comcast Cable Communications, Inc.
  Country Name: United States
  Country Code: US
  Time Zone: America/Los_Angeles
  Region: California
  City: San Francisco
  Latitude: 37.775
  Longitude: -122.419
- #12: 29.0 ms
  IP Address: 162.151.20.173
  Hostname: te-0-8-0-7-ar01.taylor.mi.michigan.comcast.net
  AS Number: AS7922
  AS Name: Comcast Cable Communications, Inc.
  Country Name: United States
  Country Code: US
- #13: 26.9 ms
  IP Address: 68.85.223.185
  Hostname: te-7-1-ur02.ypwest.mi.michigan.comcast.net
  AS Number: AS7922
  AS Name: Comcast Cable Communications, Inc.
  Country Name: United States
  Country Code: US


-- 
 Jason Hellenthal
 Voice: 95.30.17.6/616
 JJH48-ARIN

 On Jun 15, 2014, at 20:20, Michael Clark mikeal.cl...@gmail.com wrote:
 
 Well my routing isn't nearly that bad.  I haven't been able to get 
 confirmation but support said they are probably just routing around a problem 
 and they can't get any direct feedback from network engineers. 
 
 I should get an update tomorrow hopefully.  I'm also seeing some bandwidth 
 issues on charters internal network.  Something must be going on.
 
 Best to have up and go get some Bells :)
 
 Sent from my iPhone
 
 On Jun 15, 2014, at 7:10 PM, Rusty Dekema rdek...@gmail.com wrote:
 
 Are you still seeing odd routing with Charter in Wisconsin? Charter's 
 routing in Michigan seems to be going pretty crazy at the moment as well. 
 
 The following traceroute is from a Charter residential line* in Kalamazoo MI 
 to a Comcast business (DOCSIS) line in Ypsilanti MI, by way of several 
 unknown hops, some of which are in RFC 1918 space, Sprintlink possibly in 
 Fort Worth TX, another unknown hop, then Comcast Dallas TX, Comcast Marietta 
 GA, Comcast Ashburn VA, then finally Comcast MI. Needless to say, this is 
 not the normal route:
 
http://pastebin.com/9CKmea6M
 
 Tracing the same route but in the other direction also yields odd results. 
 The route proceeds normally to a Comcast ibone router in 350 E. Cermak 
 (Chicago IL), but the very next hop after that router is the public IP of 
 the Charter service in Kalamazoo MI as follows:
 
http://pastebin.com/VCCgnUsn
 
 For what it's worth, if anyone could explain to me what might cause that 
 behavior (between hops 8 and 9), I would really appreciate the knowledge.
 
 The routing between that same Charter residential service and a 
 Merit/Michnet endpoint in southeast Michigan is also odd, taking a detour 
 through Virginia [xe-8-3-0.1018.asbn0.tr-cps.internet2.edu (198.71.47.25)], 
 which it does not normally do. The routing in that case does appear to be 
 the same regardless of which side you initiate the traceroute from.
 
 Cheers,
 Rusty Dekema
 
 
 * The Charter residential line's IP address is currently reverse resolving 
 to a Charter DHCP pool in Bay City, MI, which is over 100 miles from 
 Kalamazoo. This is also unusual. The Charter service in question is now and 
 has

Re: yahoo.fr is no longer interested in your abuse reports.

2014-06-11 Thread Jason Hellenthal
RoJlx100

-- 
 Jason Hellenthal
 Voice: 95.30.17.6/616
 JJH48-ARIN

 On Jun 11, 2014, at 17:28, Harald Koch c...@pobox.com wrote:
 
 On 11 June 2014 16:41, goe...@anime.net wrote:
 
 It's the content.
 
 They're spamfiltering their abuse mailbox.
 
 
 As supporting evidence I offer the fact that this entire conversation ended
 up in my (Google) Junk folder.
 
 -- 
 Harald




Re: Remote Hands Spokane, WA?

2014-03-27 Thread Jason Hellenthal
I know a guy that lives out that way if you'd like me to bring him in.

-- 
 Jason Hellenthal
 Voice: 95.30.17.6/616
 JJH48-ARIN

 On Mar 27, 2014, at 15:11, Aaron C. de Bruyn aa...@heyaaron.com wrote:
 
 Anyone available for remote hands (installing memory) in Spokane, WA on a
 Thursday during business hours?
 
 -A




Re: If you're on LinkedIn, and you use a smart phone...

2013-10-26 Thread Jason Hellenthal
Well said

-- 
 Jason Hellenthal
 Voice: 95.30.17.6/616
 JJH48-ARIN

On Oct 26, 2013, at 2:06, Jimmy Hess mysi...@gmail.com wrote:

On Fri, Oct 25, 2013 at 6:43 PM, Chris Hartley hartl...@gmail.com wrote:

 Anyone who has access to logs for their email infrastructure ought
 probably to check for authentications to user accounts from linkedin's
 servers.
 [snip]

Perhaps a prudent countermeasure would be to redirect all POP, IMAP, and
Webmail access to your corporate mail server from all of LinkedIn's IP
space to a Honeypot that will simply log usernames/credentials
attempted.

The list of valid credentials can then be used to dispatch a warning to
the offender, and force a password change.

This could be a useful proactive countermeasure against the UIT
(Unintentional Insider Threat) of employees inappropriately entering
corporate e-mail credentials into a known third party service
outside of organizational control.

Seeing as LinkedIn almost certainly is not providing signed NDAs and
privacy SLAs, it seems reasonable that most organizations who
understand what is going on would not approve of use of the service with
their internal business email accounts.


-- 
-JH
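
The log check suggested in the message above, as an added example that is not part of the original thread: it lists the mail accounts that authenticated from a given address space and which of them presented valid credentials. The Dovecot-style log format, the sample lines and the address ranges are assumptions (the ranges are documentation-space placeholders, not any real service's addresses).

```python
"""Added example: list mail accounts that authenticated from a given IP space."""
import ipaddress
import re

# PLACEHOLDER ranges from documentation space (RFC 5737 / RFC 3849); replace
# with the address space of the third-party service you are checking for.
THIRD_PARTY_RANGES = [ipaddress.ip_network(n)
                      for n in ("192.0.2.0/24", "2001:db8:50::/48")]

# Assumed Dovecot-style login lines; adjust for your POP/IMAP/webmail logs.
LOGIN_RE = re.compile(
    r"dovecot: (?P<proto>imap|pop3)-login: "
    r"(?P<event>Login|Disconnected|Aborted login)[^:]*: "
    r"user=<(?P<user>[^>]+)>.*?\brip=(?P<rip>[0-9A-Fa-f:.]+)")


def in_ranges(addr_text, ranges):
    """True if addr_text parses as an IP address inside any of the ranges."""
    try:
        addr = ipaddress.ip_address(addr_text)
    except ValueError:
        return False  # malformed address in the log line
    return any(addr in net for net in ranges)


def accounts_seen_from(lines, ranges=THIRD_PARTY_RANGES):
    """Map each account to its successful/failed logins from the ranges."""
    report = {}
    for line in lines:
        m = LOGIN_RE.search(line)
        if not m or not in_ranges(m.group("rip"), ranges):
            continue
        entry = report.setdefault(
            m.group("user").lower(),
            {"success": 0, "failed": 0, "sources": set()})
        # "Login" is a successful authentication; anything else failed.
        entry["success" if m.group("event") == "Login" else "failed"] += 1
        entry["sources"].add(m.group("rip"))
    return report


def needs_password_reset(report):
    """Accounts whose valid credentials were used from the ranges."""
    return sorted(u for u, e in report.items() if e["success"] > 0)


# Constructed sample log lines (not taken from any real system).
SAMPLE_LOG = [
    "Oct 25 18:43:10 mx1 dovecot: imap-login: Login: user=<alice@example.com>, "
    "method=PLAIN, rip=192.0.2.44, lip=203.0.113.5, mpid=4211, TLS, session=<a1>",
    "Oct 25 18:43:55 mx1 dovecot: imap-login: Disconnected (auth failed, "
    "1 attempts in 2 secs): user=<bob@example.com>, method=PLAIN, "
    "rip=192.0.2.45, lip=203.0.113.5, TLS, session=<a2>",
    "Oct 25 18:44:02 mx1 dovecot: imap-login: Login: user=<carol@example.com>, "
    "method=PLAIN, rip=198.51.100.7, lip=203.0.113.5, mpid=4215, TLS, session=<a3>",
    "Oct 25 18:47:31 mx1 dovecot: pop3-login: Login: user=<Alice@example.com>, "
    "method=PLAIN, rip=2001:db8:50::10, lip=2001:db8:1::5, mpid=4302, TLS, "
    "session=<a4>",
    "Oct 25 18:48:00 mx1 postfix/smtpd[811]: connect from unknown[192.0.2.44]",
]

if __name__ == "__main__":
    found = accounts_seen_from(SAMPLE_LOG)
    for user in sorted(found):
        print(user, found[user]["success"], found[user]["failed"],
              sorted(found[user]["sources"]))
    print("force password change:", needs_password_reset(found))
```

Failed attempts are kept in the report because they still show that an account name was entered into the outside service, even if the password no longer matched.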




Re: Yahoo is now recycling handles

2013-09-04 Thread Jason Hellenthal
Alec . . . I'll take I don't use Yahoo because of Yahoo's for a 100 please.

-- 
 Jason Hellenthal
 Inbox: jhellent...@dataix.net
 Voice: +1 (616) 953-0176
 JJH48-ARIN


 On Sep 4, 2013, at 9:36, Leo Bicknell bickn...@ufp.org wrote:
 
 
 On Sep 3, 2013, at 10:47 PM, Peter Kristolaitis alte...@alter3d.ca wrote:
 
 The issue was studied thoroughly by a committee of MBAs who, after extensive 
 thought (read: 19 bottles of scotch), determined that there was money to be 
 made.
 
 whatcouldpossiblygowrong?
 
 Apparently it was implemented by a group of low-bid programmers in a far off 
 land.
 
 I have, err, had, a Yahoo! account I used for two things, getting e-mail from 
 Yahoo! groups and accessing Flickr.  I was on Flickr not two or three 
 months ago to fix a picture someone noticed was in the wrong album.
 
 When I saw this I thought I should log in again to reset my one year ticker.  
 Off to www.yahoo.com and click sign in.
 
 Enter userid, enter password.
 
 Drops me to a CAPTCHA screen, that's odd, never seen that before, but ok.
 
 Enter CAPTCHA and it redirects me to https://edit.yahoo.com/forgot, which 
 when reached from said CAPTCHA screen renders as a 100% blank page.
 
 That's some fine web coding.
 
 I went to the flickr site, tried to log in.  At least there it tells me my 
 userid is in the process of being recycled.  No option to recover.
 
 Try creating a new account with the same userid, sorry, it's in use.
 
 So as far as I can tell:
  - The "must be inactive for one year" is BS, and/or logging into Flickr didn't 
 count in my case.
  - No notifications are sent, so if you're a person who is there for things 
 like Yahoo groups and forwards your e-mail elsewhere you may be using the 
 service in a way that generates no logs.
  - There is no way to get an account back that is in the recycling phase, 
 which is frankly stupid.
 
 As a result Yahoo! has lost a Flickr and Groups member, and I'm not sure I 
 see any reason to sign up again at this point.
 
 -- 
   Leo Bicknell - bickn...@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
 
 
 




Re: A split window multi ping program

2013-08-25 Thread Jason Hellenthal
Nifty idea but could you give me a scenario where this would come in handy 
where a single instance of fPing -g would not be adequate ?

-- 
 Jason Hellenthal
 Inbox: jhellent...@dataix.net
 Voice: +1 (616) 953-0176
 JJH48-ARIN


 On Aug 25, 2013, at 15:47, sharon saadon sharon...@gmail.com wrote:
 
 Hello,
 At the passing month, I looked for some small program that can ping to
 multiple servers in a split window or a program with a split DOS windows,
 I did not find it,
 So i developed one :)
 
 You can download it here..
 http://www.sharontools.com/products/9ping.php
 
 Regards,
 Sharon Saadon




Re: A split window multi ping program

2013-08-25 Thread Jason Hellenthal
Nice features. Good work and thanks for sharing. I'll see if I can put it to 
use and hopefully be able to provide some intelligible feedback.

Thanks.

-- 
 Jason Hellenthal
 Inbox: jhellent...@dataix.net
 Voice: +1 (616) 953-0176
 JJH48-ARIN


 On Aug 25, 2013, at 17:30, sharon saadon sharon...@gmail.com wrote:
 
 I need it for ATP tests,
 I need to know if there was packet loss while disconnecting cables / making 
 changes
 all the ping results are saved, and you can add bookmarks of the tests you 
 do..
 
 Sharon
 
 
 On Sun, Aug 25, 2013 at 10:59 PM, Jason Hellenthal jhellent...@dataix.net 
 wrote:
 Nifty idea but could you give me a scenario where this would come in handy 
 where a single instance of fPing -g would not be adequate ?
 
 -- 
  Jason Hellenthal
  Inbox: jhellent...@dataix.net
  Voice: +1 (616) 953-0176
  JJH48-ARIN
 
 
 On Aug 25, 2013, at 15:47, sharon saadon sharon...@gmail.com wrote:
 
 Hello,
 At the passing month, I looked for some small program that can ping to
 multiple servers in a split window or a program with a split DOS windows,
 I did not find it,
 So i developed one :)
 
 You can download it here..
 http://www.sharontools.com/products/9ping.php
 
 Regards,
 Sharon Saadon
 




Re: Assistance for Eavesdropping Legally on Avian Carriers (AELAC)

2013-06-25 Thread Jason Hellenthal
Wow I can't believe this is still going around.

All you apparently need for this is a .gov spook possessed by evil entity X and 
all these avians will come crashing right into their federal windows like a DDoS.

Scary head spinning fun ;-)

-- 
 Jason Hellenthal
 Inbox: jhellent...@dataix.net
 Voice: +1 (616) 953-0176
 JJH48-ARIN


On Jun 25, 2013, at 22:58, Sean Donelan s...@donelan.com wrote:

 
 On Tue, 25 Jun 2013, Nick Khamis wrote:
 We are however trying to conform to RFC standards as pointed out by
 Jev. You guys really need to look at this. It's easily implementable:
 
 http://tools.ietf.org/html/rfc1149
 
 That reminds me I need to finish my April 1 submission to the RFC editor
 for next year. This has been sitting in my todo pile for several
 years.
 
 
 RFC for publication on April 1, 
 
 Assistance for Eavesdropping Legally on Avian Carriers (AELAC)
 
 Abstract
 
 The memo provides an overview and principles regarding Lawful Intercept (LI) 
 of networks using RFC 1149, A Standard for the Transmission of IP Datagrams 
 on Avian Carriers.  National requirements are not addressed.
 
 Overview and Rationale
 
 Avian Carriers have not provided law enforcement with advanced capabilities 
 to conduct covert surveillance of a subject's communications. When approached 
 by law enforcement, Avian Carriers take flight leaving behind difficult to 
 decode droppings of their activities. Identifying a specific packet stream 
 within a large flock of carriers is difficult. Due to the 3D ether space 
 available to carriers and their intrinsic collision avoidance systems, 
 although sometimes poorly implemented with windows, performing full content 
 communications interceptions can be hit or miss.
 
 This memo does not address specific national requirements for eavesdropping. 
 Nevertheless, it may be important to public safety that carriers never use 
 any communication technology which could hinder law enforcement's access to 
 the communications of a subject of a lawful order authorizing surveillance.
 
 Avian Carriers have a long and distinguished history in communications. For 
 thousands of years they have been used to carry important messages to 
 military and business leaders.  However, they have also been used for 
 nefarious purposes ranging from possible financial market manipulation after 
 Napoleon's defeat at Waterloo to reports of enemy pigeons operating in England 
 during World War II.
 
 




Re: Assistance for Eavesdropping Legally on Avian Carriers (AELAC)

2013-06-25 Thread Jason Hellenthal
Matter of fact the sky is full of lightning right now...

Anyone got a pentagram packet and a Ouija board ?

-- 
 Jason Hellenthal
 Inbox: jhellent...@dataix.net
 Voice: +1 (616) 953-0176
 JJH48-ARIN


On Jun 25, 2013, at 22:58, Sean Donelan s...@donelan.com wrote:

 
 On Tue, 25 Jun 2013, Nick Khamis wrote:
 We are however trying to conform to RFC standards as pointed out by
 Jev. You guys really need to look at this. It's easily implementable:
 
 http://tools.ietf.org/html/rfc1149
 
 That reminds me I need to finish my April 1 submission to the RFC editor
 for next year. This has been sitting in my todo pile for several
 years.
 
 
 RFC for publication on April 1, 
 
 Assistance for Eavesdropping Legally on Avian Carriers (AELAC)
 
 Abstract
 
 The memo provides an overview and principles regarding Lawful Intercept (LI) 
 of networks using RFC 1149, A Standard for the Transmission of IP Datagrams 
 on Avian Carriers.  National requirements are not addressed.
 
 Overview and Rationale
 
 Avian Carriers have not provided law enforcement with advanced capabilities 
 to conduct covert surveillance of a subject's communications. When approached 
 by law enforcement, Avian Carriers take flight leaving behind difficult to 
 decode droppings of their activities. Identifying a specific packet stream 
 within a large flock of carriers is difficult. Due to the 3D ether space 
 available to carriers and their intrinsic collision avoidance systems, 
 although sometimes poorly implemented with windows, performing full content 
 communications interceptions can be hit or miss.
 
 This memo does not address specific national requirements for eavesdropping. 
 Nevertheless, it may be important to public safety that carriers never use 
 any communication technology which could hinder law enforcement's access to 
 the communications of a subject of a lawful order authorizing surveillance.
 
 Avian Carriers have a long and distinguished history in communications. For 
 thousands of years they have been used to carry important messages to 
 military and business leaders.  However, they have also been used for 
 nefarious purposes ranging from possible financial market manipulation after 
 Napoleon's defeat at Waterloo to reports of enemy pigeons operating in England 
 during World War II.
 
 




Re: Assistance for Eavesdropping Legally on Avian Carriers (AELAC)

2013-06-25 Thread Jason Hellenthal
Lol

-- 
 Jason Hellenthal
 Inbox: jhellent...@dataix.net
 Voice: +1 (616) 953-0176
 JJH48-ARIN


On Jun 26, 2013, at 0:04, Lyndon Nerenberg lyn...@orthanc.ca wrote:

 
 On 2013-06-25, at 8:54 PM, Jason Hellenthal jhellent...@dataix.net wrote:
 
 Anyone got a pentagram packet and a Ouija board ?
 
 Be careful, when you pull out the chalk to draw a pentaGRAM around your data 
 centre, that you don't – accidentally – draw a pentaGONE.




Re: GMail IPv6 IMAP Issue, or is it Just Me?

2013-06-01 Thread Jason Hellenthal
IDK,

But I get NXDOMAIN upon lookup of imap. But have all my clients using 
mail.google.com for imaps.

I get ipv6 on 2607:f8b0:4009:802::1015


-- 
 Jason Hellenthal
 Inbox: jhellent...@dataix.net
 Voice: +1 (616) 953-0176
 JJH48-ARIN


On Jun 1, 2013, at 13:53, Stevens, Brant I. bra...@argentiumsolutions.com 
wrote:

 Is anyone else having issues reaching GMail on IPv6 via IMAP, or is it just
 me?
 
 Here's some of what I'm seeing:
 
 It responds to ping...
 
 imac01:~ branto$ ping6 imap.gmail.com
 PING6(56=40+8+8 bytes) 2001:470:8d30:b00c::bb0e -- 2607:f8b0:400d:c00::6c
 16 bytes from 2607:f8b0:400d:c00::6c, icmp_seq=0 hlim=55 time=31.299 ms
 16 bytes from 2607:f8b0:400d:c00::6c, icmp_seq=1 hlim=55 time=41.528 ms
 16 bytes from 2607:f8b0:400d:c00::6c, icmp_seq=2 hlim=55 time=30.092 ms
 16 bytes from 2607:f8b0:400d:c00::6c, icmp_seq=3 hlim=55 time=35.450 ms
 ^C
 --- gmail-imap.l.google.com ping6 statistics ---
 4 packets transmitted, 4 packets received, 0.0% packet loss
 round-trip min/avg/max/std-dev = 30.092/34.592/41.528/4.470 ms
 
 
 TCP Sessions on v6 seem to time-out:
 
 imac01:~ branto$ telnet -6 imap.gmail.com 993
 Trying 2607:f8b0:400d:c01::6c...
 telnet: connect to address 2607:f8b0:400d:c01::6c: Operation timed out
 telnet: Unable to connect to remote host
 
 IPv4 Connects:
 
 imac01:~ branto$ telnet -4 imap.gmail.com 993
 Trying 173.194.76.108...
 Connected to gmail-imap.l.google.com.
 Escape character is '^]'.
 
 ^]
 telnet close
 Connection closed.
 
 and other connectivity via IPv6 works:
 
 imac01:~ branto$ telnet -6 www.google.com 80
 Trying 2607:f8b0:400c:c04::68...
 Connected to www.google.com.
 Escape character is '^]'.
 
 GET /
 HTTP/1.0 200 OK
 Date: Sat, 01 Jun 2013 17:08:58 GMT
 
 snip
 
 Connection closed by foreign host.
 
 I've tried flushing my dnscache to make sure I'm not holding on to
 something that's not valid, but no dice.
 
 -Brant




Re: Widespread Outages

2013-05-24 Thread Jason Hellenthal
That's a no.

Not quite sure what you would see in these statistics given the weather 
conditions around the US.

Might be more useful looking at a direct route from a specific point to 
destination where it might seem like things are awry. Looking glasses would be 
of more help to determine that.

Though I can say mobile YouTube traffic has been quirky lately.

On May 23, 2013, at 13:13, James Smits james.sm...@gmail.com wrote:

 Is something major going on?
 
 This looks like a X-mas tree http://www.internetpulse.net/
 
 And FedEx rate servers are returning a 503 for up to an hour according to
 their rep.




Re: The BGP Visibility Scanner

2013-05-15 Thread Jason Hellenthal
Pretty nice. Thanks!

I don't suppose there is any straight text version of all this info is there ?

-- 
 Jason Hellenthal
 IST Services Professional
 Inbox: jhellent...@dataix.net
 JJH48-ARIN


On May 15, 2013, at 6:22, Andra Lutu andra.l...@imdea.org wrote:

 Dear all,
 
 We have built a tool that checks the visibility of IPv4 prefixes at the 
 interdomain level.
 The tool is available at *http://visibility.it.uc3m.es/* and you can use it 
 to retrieve the Limited Visibility Prefixes (LVPs) (i.e., prefixes that are 
 not present in all the global routing tables we analyse) injected by a 
 certain originating AS.
 The query is very simple, it just requires to input the AS number for which 
 you want to retrieve the originated LVPs, if any.
 After checking the limited-visibility prefixes, we would appreciate any 
 feedback that you can provide on the cause of the limited visibility (we 
 provide a form with a few very short questions which you could fill in and 
 submit).
 
 Using a dataset from May 2nd 2013, we generated a list with the ASes which 
 are originating LVPs: *http://visibility.it.uc3m.es/fullASlist.html*
 We would like to hear from any operator who might find this project 
 interesting, and, in particular, from these large contributors to the LVPs 
 set.
 Please note that advertising prefixes with limited visibility does not mean 
 that the originating AS is necessarily doing something wrong.
 The ASes might be generating the LVPs knowingly (e.g., scoped 
 advertisements). However, there might be cases where the origin AS might be 
 unaware that some prefixes are not globally visible (when they should) or 
 that others are leaking as a consequence of mis-configurations/slips.
 
 Our purpose is to spread awareness about these latter phenomena, help 
 eliminate the cause of unintended/accidental LVPs and upgrade this tool to an 
 anomaly detection mechanism.
 For more information on the definition and characteristics of a Limited 
 Visibility prefix, please check the Frequently Asked Questions section of the 
 webpage, available here: *http://visibility.it.uc3m.es/Q_and_A_latest.html*
 
 The tool works with publicly available BGP routing data, retrieved from the 
 RIPE NCC RIS and RouteViews Projects. The results are updated on a daily 
 basis.
 For more information on the methodology we refer you to the slides of the 
 NANOG57 presentation about the BGP Visibility Scanner:
 http://www.nanog.org/meetings/nanog57/presentations/Wednesday/wed.general.Lutu.BGP_visibility_scanner.19.pdf
 Also, you can check the RIPE labs article about the BGP Visibility Scanner, 
 available here: 
 https://labs.ripe.net/Members/andra_lutu/the-bgp-visibility-scanner
 
 We are looking forward to your feedback!
 
 Thank you, best regards,
 Andra


Re: The BGP Visibility Scanner

2013-05-15 Thread Jason Hellenthal
Awesome! Thank you to you as well!

-- 
 Jason Hellenthal
 IST Services Professional
 Inbox: jhellent...@dataix.net
 JJH48-ARIN


On May 15, 2013, at 11:01, Rene Wilhelm wilh...@ripe.net wrote:

 
 On 5/15/13 3:00 PM, Jason Hellenthal wrote:
 Pretty nice. Thanks!
 
 I don't suppose there is any straight text version of all this info is there 
 ?
 At the RIPE NCC we are publishing aggregated dumps from our collective of 12 
 RIS route collectors every 8 hours. For each prefix we list the origin AS and 
 the number of peers (on all collectors) which observe the prefix. If you are 
 happy to do your own post-processing,  set your own boundaries on what to 
 consider limited visibility prefixes, have a look at the IPv4 and IPv6 table 
 dumps at http://www.ris.ripe.net/dumps/
 
 Note that the fact that not all RIS peers give us a full BGP table blurs the 
 counts somewhat. Prefixes which are globally visible may (today) have 
 anywhere between 96 and 110 peers announcing the prefix to the RIS route 
 collectors.
 
 -- Rene
 -- 
 Jason Hellenthal
 IST Services Professional
 Inbox: jhellent...@dataix.net
 JJH48-ARIN

 On May 15, 2013, at 6:22, Andra Lutu andra.l...@imdea.org wrote:
 Dear all,
 
 We have built a tool that checks the visibility of IPv4 prefixes at the 
 interdomain level.
 The tool is available at *http://visibility.it.uc3m.es/*  and you can use 
 it to retrieve the Limited Visibility Prefixes (LVPs) (i.e., prefixes that 
 are not present in all the global routing tables we analyse) injected by a 
 certain originating AS.
 The query is very simple, it just requires to input the AS number for 
 which you want to retrieve the originated LVPs, if any.
 After checking the limited-visibility prefixes, we would appreciate any 
 feedback that you can provide on the cause of the limited visibility (we 
 provide a form with a few very short questions which you could fill in and 
 submit).
 
 Using a dataset from May 2nd 2013, we generated a list with the ASes which 
 are originating LVPs: *http://visibility.it.uc3m.es/fullASlist.html*
 We would like to hear from any operator who might find this project 
 interesting, and, in particular, from these large contributors to the LVPs 
 set.
 Please note that advertising prefixes with limited visibility does not 
 mean that the originating AS is necessarily doing something wrong.
 The ASes might be generating the LVPs knowingly (e.g., scoped 
 advertisements). However, there might be cases where the origin AS might 
 be unaware that some prefixes are not globally visible (when they should) 
 or that others are leaking as a consequence of mis-configurations/slips.
 
 Our purpose is to spread awareness about these latter phenomena, help 
 eliminate the cause of unintended/accidental LVPs and upgrade this tool to 
 an anomaly detection mechanism.
 For more information on the definition and characteristics of a Limited 
 Visibility prefix, please check the Frequently Asked Questions section of 
 the webpage, available 
 here: *http://visibility.it.uc3m.es/Q_and_A_latest.html*
 
 The tool works with publicly available BGP routing data, retrieved from 
 the RIPE NCC RIS and RouteViews Projects. The results are updated on a 
 daily basis.
 For more information on the methodology we refer you to the slides of the 
 NANOG57 presentation about the BGP Visibility Scanner:
 http://www.nanog.org/meetings/nanog57/presentations/Wednesday/wed.general.Lutu.BGP_visibility_scanner.19.pdf
 Also, you can check the RIPE labs article about the BGP Visibility 
 Scanner, available 
 here: https://labs.ripe.net/Members/andra_lutu/the-bgp-visibility-scanner
 
 We are looking forward to your feedback!
 
 Thank you, best regards,
 Andra
 


Re: Speedtest Results speedtest.net vs Mikrotik bandwidth test

2013-04-04 Thread Jason Hellenthal
When is speed ever ensured past someone else's edge/border ?

You may pass through your upstream that fast but once you are out in the open 
range you are free game to all the lions, tigers & bears...

There is always going to be something eating you. Best off letting it be the 
Spanish queasiness from the night before than the results from speedtest.net

 

-- 

 Jason Hellenthal
 JJH448-ARIN
 - (2^(N-1))


On Apr 4, 2013, at 4:14, Mike mike-na...@tiedyenetworks.com wrote:

 On 04/03/2013 02:48 PM, valdis.kletni...@vt.edu wrote:
 On Wed, 03 Apr 2013 14:07:48 -0700, Mike said:
 
 These speedtests are pure unscientific bs and I'd love to see them
 called out on the carpet for it.
 
 As far as I know, it's possible for the end-to-end reported values to be
 lower than your immediate upstream due to issues further upstream.
 
 But if it reports 20MBbits/sec down and 5MBits/sec up, then the link is
 able to go *at least* that fast.
 
 (If anybody's got evidence of it reporting more than the link is technically
 capable of, feel free to correct me...)
 
 
 
 Yeah, I do... I've had T1 lines reported at 4.7mbps down and 2.8mbps up.
 
 These tests are hogwash.
 
 Mike-
 



Re: Packets dropped due to ICMP off

2012-08-09 Thread Jason Hellenthal

I don't recall seeing this thread before this message but this is
nothing new. Most times you are allowed to pass-thru these networks but not
directly communicate with them. Whether it be some strenuous policy put
in place by someone that still desires to provide routes back to the
community or just the vision of the administrator of that router... it
still works as intended for all other types of traffic.

Besides, blocking ICMP type 0 doesn't necessarily bust traceroutes.

Using options (-I | -P icmp) would definitely be busted but a normal
traceroute from most systems that I have been on default to UDP
datagrams.

On Wed, Aug 08, 2012 at 08:46:35PM -0400, Jim Ray wrote:
 Awe, man, don't laugh too hard. Turned out to be problem with Firefox. Safari 
 on iPhone and IE on PC work. 
 
 I learned something, too, and appreciate the input: tracert using ICMP is not 
 valid test. Not everyone has ping enabled. So, what looks like packet loss at 
 next hop is really ICMP turned off. 
 
 Sent from my iPhone

-- 

 - (2^(N-1)) JJH48-ARIN





Re: NFSen plugin - ddd

2012-08-05 Thread Jason Hellenthal

Don't know if you ever received a reply for this but this is the best I
have come up with to get more eyes on it.

http://sourceforge.net/apps/trac/nfsen-plugins/wiki/RequestPlugin

I have not submitted a request for it but if you happen to come across
this plugin, I would be interested.

On Fri, Aug 03, 2012 at 01:55:21PM +1000, Andrew Jones wrote:
 Hi All,
 Does anyone have a copy of the DDoS detection plugin for NFSen called ddd
 that they could send to me?
 According to a blog article [1] I read, it used to be available at [2].
 It's not there, and I haven't had any luck trying to track it down the
 usual ways. If anyone is able to provide a copy, I'd appreciate it.
 Thanks,
 Jonesy
 
 
 [1] http://www.ccieflyer.com/2010-01-JasonRowley.php
 [2] http://www.synacknetworks.com/ddd/ddd.zip

-- 

 - (2^(N-1)) JJH48-ARIN





Re: IPv6 only streaming video

2012-07-26 Thread Jason Hellenthal
On Thu, Jul 26, 2012 at 04:48:48AM +, Tina TSOU wrote:
 Do u mean I am a cow? I stop breast feeding this year.
 
 Tina

ROGFLOL This is the best thing I have read yet this morning. Thanks for
the laugh.

 
 On Jul 25, 2012, at 9:47 PM, Randy Bush ra...@psg.com wrote:
 
  I'm responsible for IPv6 deployment in my enterprise network, the
  users are my colleagues.  In this context, I'm not vendor, not
  operator.
  
  i smell cows
 

-- 

 - (2^(N-1)) JJH48-ARIN




Re: HELP IN SETTING UP iBGPlay

2012-07-10 Thread Jason Hellenthal

Anyone going to block this fool ?


On Tue, Jul 10, 2012 at 08:45:35AM -0700, NIG NOG wrote:

-- 

 - (2^(N-1))



Re: F-ckin Leap Seconds, how do they work?

2012-07-04 Thread Jason Hellenthal


On Wed, Jul 04, 2012 at 06:10:45PM -0400, William Herrin wrote:
 On Wed, Jul 4, 2012 at 1:44 PM, Brett Frankenberger rbf+na...@panix.com 
 wrote:
  Without leap seconds, the sun stops being overhead at noon.
 
 But that's ridiculous. The sun *isn't* overhead at noon except at one
 particular longitude within each time zone. Everywhere else time synch
 to local noon is +/- half an hour.
 
 IMO, leap seconds are a really bad idea. Let the vanishingly few
 people who care about a precision match against the solar day keep
 track of the deviation from clock time and let everybody else have a
 *simple* clock year after year. When the deviation increases to an
 hour every what, thousand years? Then you can do a big, well
 publicized correction where everybody is paying attention to making it
 work instead of being caught by surprise.
 

Yeah but what you don't understand is that manual navigation after a
certain point of difference becomes inaccurate to a degree that is
unacceptable by most military standards.

100 or a 1000 years the difference is too big. Someone somewhere at some
point evaluated this need in the range of 0.3 - 0.9? in order for
nautical and other means of direction to not be impacted.

It would be easy to disagree and say Well! we have GPS and other such
digital devices to tell where you are now!... and if those go out just
like all these failing Java Apps ?. I would not want to be the guy that
would have to calculate all possible differences just to attempt to get
an accurate location and then find out the math was wrong and you are 100
miles off target. Just sayin!


-- 

 - (2^(N-1))



Re: No DNS poisoning at Google (in case of trouble, blame the DNS)

2012-06-27 Thread Jason Hellenthal

What would be nice is to see the contents of the htaccess file
(obviously with sensitive information excluded)

On Wed, Jun 27, 2012 at 10:14:12AM -0300, Arturo Servin wrote:
 
 It was not DNS issue, but it was a clear case on how community-support helped.
 
 Some of us may even learn some new tricks. :)
 
 Regards,
 as
 
 Sent from mobile device. Excuse brevity and typos.
 
 
 On 27 Jun 2012, at 05:07, Daniel Rohan dro...@gmail.com wrote:
 
  On Wed, Jun 27, 2012 at 10:50 AM, Stephane Bortzmeyer 
  bortzme...@nic.fr wrote:
  
  What made you think it can be a DNS cache poisoning (a very rare
  event, despite what the media say) when there are many much more
  realistic possibilities (<troll>specially for a Web site written in
  PHP</troll>)?
  
  What was the evidence pointing to a DNS problem?
  
  
  It seems likely that he made a mistake in his analysis of the evidence.
  Something that could happen to anyone when operating outside of a comfort
  zone or having a bad day. Go easy.
  
  -DR
 

-- 

 - (2^(N-1))



Re: DNS poisoning at Google?

2012-06-26 Thread Jason Hellenthal


On Tue, Jun 26, 2012 at 10:36:55PM -0700, Landon Stewart wrote:
 There is definitely a 301 redirect.
 
 $ curl -I --referer http://www.google.com/ http://www.csulb.edu/
 HTTP/1.1 301 Moved Permanently
 Date: Wed, 27 Jun 2012 05:36:31 GMT
 Server: Apache/2.0.63
 Location: http://www.couchtarts.com/media.php
 Connection: close
 Content-Type: text/html; charset=iso-8859-1
 

And if you visit http://www.couchtarts.com/media.php using the correct
browser you end up back at http://google.com ...


 On 26 June 2012 22:05, Matthew Black matthew.bl...@csulb.edu wrote:
 
  Google Webtools reports a problem with our HOMEPAGE /. That page is not
  redirecting anywhere.
  They also report problems with some 48 other primary sites, none of which
  redirect to the offending couchtarts.
 
  matthew black
  information technology services
  california state university, long beach
 
 
 
 
 
  -Original Message-
  From: Jeremy Hanmer [mailto:jeremy.han...@dreamhost.com]
  Sent: Tuesday, June 26, 2012 9:58 PM
  To: Matthew Black
  Cc: nanog@nanog.org
  Subject: Re: DNS poisoning at Google?
 
  It's not DNS.  If you're sure there's no htaccess files in place, check
  your content (even that stored in a database) for anything that might be
  altering data based on referrer.  This simple test shows what I mean:
 
  Airy:~ user$ curl -e 'http://google.com' csulb.edu
  <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
  <html><head>
  <title>301 Moved Permanently</title>
  </head><body>
  <h1>Moved Permanently</h1>
  <p>The document has moved <a href="http://www.couchtarts.com/media.php">here</a>.</p>
  </body></html>
 
  Running curl without the -e argument gives the proper site contents.
 
  On Jun 26, 2012, at 9:24 PM, Matthew Black matthew.bl...@csulb.edu
  wrote:
 
   Running Apache on three Solaris webservers behind a load balancer. No MS
  Windows!
  
   Not sure how malicious software could get between our load balancer and
  Unix servers. Thanks for the tip!
  
   matthew black
   information technology services
   california state university, long beach
  
  
  
   From: Landon Stewart [mailto:lstew...@superb.net]
   Sent: Tuesday, June 26, 2012 9:07 PM
   To: Matthew Black
   Cc: nanog@nanog.org
   Subject: Re: DNS poisoning at Google?
  
   Is it possible that some malicious software is listening and injecting a
  redirect on the wire?  We've seen this before with a Windows machine being
  infected.
   On 26 June 2012 20:53, Matthew Black matthew.bl...@csulb.edu wrote:
   Google Safe Browsing and Firefox have marked our website as containing
  malware. They claim our home page returns no results, but redirects users
  to another compromised website couchtarts.com.
  
   We have thoroughly examined our root .htaccess and httpd.conf files and
  are not redirecting to the problem target site. No recent changes either.
  
   We ran some NSLOOKUPs against various public DNS servers and
  intermittently get results that are NOT our servers.
  
   We believe the DNS servers used by Google's crawler have been poisoned.
  
   Can anyone shed some light on this?
  
   matthew black
   information technology services
   california state university, long beach
   www.csulb.edu
  
  
  
   --
   Landon Stewart lstew...@superb.net
   Sr. Administrator
   Systems Engineering
   Superb Internet Corp - 888-354-6128 x 4199 Web hosting and more Ahead
   of the Rest:
   http://www.superbhosting.net/
  
 
 
 
 
 
 
 
 -- 
 Landon Stewart lstew...@superb.net
 Sr. Administrator
 Systems Engineering
 Superb Internet Corp - 888-354-6128 x 4199
 Web hosting and more Ahead of the Rest: http://www.superbhosting.net

-- 

 - (2^(N-1))
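
The referrer test from the thread above (curl with and without -e), as an added example that is not part of the original messages: it compares a site's response with no Referer against its responses with search-engine Referers and reports any that redirect off-site. The function names and the User-Agent string are assumptions, the 200 baseline status is assumed from "gives the proper site contents", and the Bing row in the sample is constructed.

```python
"""Added example: flag pages whose response changes with the Referer header."""
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = (301, 302, 303, 307, 308)
# Referer values to probe with; None means "send no Referer header".
REFERERS = (None, "http://www.google.com/", "http://www.bing.com/")


def fetch_head(url, referer=None, timeout=10):
    """HEAD the URL without following redirects; return (status, Location)."""
    parts = urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.netloc, timeout=timeout)
    headers = {"User-Agent": "referer-check/1.0"}  # hypothetical UA string
    if referer:
        headers["Referer"] = referer
    target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    try:
        conn.request("HEAD", target, headers=headers)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def _site(host):
    """Normalise a hostname so example.edu and www.example.edu compare equal."""
    host = (host or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def find_referer_cloaking(url, observations):
    """Compare per-Referer responses against the no-Referer baseline.

    observations maps a Referer value (or None) to (status, Location).
    Returns one finding per Referer whose response differs from the
    baseline by redirecting to a different site.
    """
    baseline = observations[None]
    own_site = _site(urlsplit(url).hostname)
    findings = []
    for referer, (status, location) in observations.items():
        if referer is None or (status, location) == baseline:
            continue
        if status not in REDIRECT_CODES or not location:
            continue
        # Resolve relative Location values against the requested URL.
        target_host = urlsplit(urljoin(url, location)).hostname
        if target_host and _site(target_host) != own_site:
            findings.append({"referer": referer, "status": status,
                             "target": target_host})
    return findings


def check_live(url):
    """Probe a site you operate with each Referer and report differences."""
    observations = {ref: fetch_head(url, ref) for ref in REFERERS}
    return find_referer_cloaking(url, observations)


# Responses as described in the thread: proper contents with no Referer
# (taken here as 200) and a 301 with a Google Referer. The Bing row is
# constructed for illustration.
SAMPLE_URL = "http://www.csulb.edu/"
SAMPLE_OBSERVATIONS = {
    None: (200, None),
    "http://www.google.com/": (301, "http://www.couchtarts.com/media.php"),
    "http://www.bing.com/": (200, None),
}

if __name__ == "__main__":
    for finding in find_referer_cloaking(SAMPLE_URL, SAMPLE_OBSERVATIONS):
        print("Referer %(referer)s -> %(status)s redirect to %(target)s"
              % finding)
```

A finding means the redirect is produced by the web server or its content, since name resolution happens before any Referer header is sent.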



Re: ISPs and full packet inspection

2012-05-24 Thread Jason Hellenthal


On Thu, May 24, 2012 at 08:37:52PM -0500, Jimmy Hess wrote:
 On 5/24/12, not common notcommonmista...@gmail.com wrote:
 [snip]
  I am looking for some guidance on full packet inspection at the ISP level.
 Aside from any legal issue, there is a respectable practices
 issue. Even if there is no regulation that prohibits something does
 not mean it is OK. Your customers deserve to be made aware of any
 full packet capture practices that may impact traffic to/from network
 they own/manage, before packet capture occurs, especially when there
 is data retention, or human examination/analysis based on contents of
 large numbers of packets; otherwise there is a risk you will be in
 trouble, for some definition of "in trouble" that depends on the
 circumstances.
 
 Because your packet interception can put your user at risk;
 proprietary information can be disclosed. And most ISP customers
 intend to purchase network connectivity service, not "record all my
 traffic without telling me" service ..

If you need a call center to handle this just let me know... :) since
your call volume is going to spike through the roof.

 
 
 
 Are you prepared to explicitly explain to your customers,  both
 existing, and new ones,
 before they are allowed to buy or continue service from you --   under
 what circumstances
 you intercept full packets, whose packets do you capture,  what
 packets do you capture, how many packets / how long will you capture
 their packets,   what do you do with their contents after you capture
 them,  how long do you keep  data,  what security controls do you have
 in place  to prevent unauthorized   access to their packets  and
 ensure timely destruction of sensitive data?
 
 
 If the answer is NO,   that you   have poor planning,  or your privacy
 practices are not solid enough to reveal to your customers  with
 confidence,  then  save the money on consulting lawyers,  by choosing
 NOT   to   implement   interception and capture of  full packets.
 
 
  Is there any regulations that prohibit or provide guidance on this?
 -- 
 -JH

-- 

 - (2^(N-1))



Re: Vixie warns: DNS Changer ‘blackouts’ inevitable

2012-05-23 Thread Jason Hellenthal


On Wed, May 23, 2012 at 06:42:34PM -0700, Lynda wrote:
 On 5/23/2012 6:35 PM, Brett Watson wrote:
 
  On May 23, 2012, at 18:27, George Herbert george.herb...@gmail.com wrote:
 
  Please don't make me remember hosts.txt before I've had a chance to
  wrap up work, go home, and get some Scotch in...
 
  Come on George, hosts.txt was the good old days :)
 
 I still have a copy (from around 1992, so one of the very last), 
 although much edited (and NOT 10,000 hosts, thanks).
 

ftp://ftp.math.ethz.ch/pub/doc/hosts.txt

Leftovers!

-- 

 - (2^(N-1))



Re: Looking for W7 whois freeware

2012-05-13 Thread Jason Hellenthal


On Sun, May 13, 2012 at 08:19:42AM +0300, Hank Nussbacher wrote:
 At 16:57 10/05/2012 -0400, Scott Berkman wrote:
 
 I am looking for a simple Windows GUI s/w for a secretary to use to do 
 whois lookups for IP and ASNs and to easily copy/paste the 
 results.  Amazing that there is no such beast.
 

Use your internal company webserver and write a simple CGI form that she
can fill out and hit enter. This way you can simply control the results
if you ever find out that you are not getting what you want.

You could have that CGI also email out the results to her mailbox and
yours just so you can keep an eye on it.

 
 I use Launchy (a keystroke launcher similar to GnomeDo, Quicksilver, etc)
 and its Runner plugin with some bat scripts that reference the builtin
 whois DOS/CLI command to create my own.
 
 So for example, to look up an IP at ARIN I just hit my hotkey (Alt-Space)
 and type arin tab IP enter.  My bat script really just runs whois, sizes
 the command prompt window, and waits for user input before disappearing.
 
 I'm happy to share my scripts off list if you are interested.
 
  -Scott
 
 -Original Message-
 From: Hank Nussbacher [mailto:h...@efes.iucc.ac.il]
 Sent: Thursday, May 10, 2012 2:49 AM
 To: nanog@nanog.org
 Subject: Looking for W7 whois freeware
 
 I am looking for a Windows 7 GUI utility that does raw whois - not the
 standard domain lookup, but rather allows me to specify and change the whois
 server I am talking to and allows me to customize the whois search string
 for IPs or ASNs or anything else a whois server will accept, like:
 -B -G as378.
 
 I know of ezwhois but am looking for something better (for example - they
 don't have whois.ripe.net listed - one can add it but not save it).
 
 Thanks,
 Hank
 

-- 

 - (2^(N-1))



Re: IPv6 aggregation tool

2012-05-03 Thread Jason Hellenthal

The Net::CIDR package contains functions that manipulate lists of
IP netblocks expressed in CIDR notation. The Net::CIDR functions
handle both IPv4 and IPv6 addresses.

WWW: http://search.cpan.org/dist/Net-CIDR/

On Thu, May 03, 2012 at 04:58:27PM -0400, chip wrote:
 Looks like the most recent NetAddr::IP perl module will do it:
 
 http://search.cpan.org/~miker/NetAddr-IP-4.059/IP.pm#EXPORT_OK
 
 Take a look at the Compact function.  I think that's what will do it.
 
 
 --chip
 
 On Thu, May 3, 2012 at 4:25 PM, Rafael Rodriguez packetjoc...@gmail.com 
 wrote:
  Hi list,
 
  I can't seem to find any tools that'll aggregate a list of IPv6 prefixes.
   Used to 'aggregate' for IPv4, looking for something similar for IPv6.
   Thanks!
 
 
 
 -- 
 Just my $.02, your mileage may vary,  batteries not included, etc
 

-- 

 - (2^(N-1))
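
Added example, not part of the thread and not code from either Perl module named above: a Python sketch of the aggregation the question asks for, merging sibling IPv6 prefixes and dropping covered ones. The sample list is constructed from the documentation range 2001:db8::/32, and rejecting entries with host bits set (rather than silently widening them) is a choice made here with filter lists in mind.

```python
import ipaddress

# Constructed sample list using the IPv6 documentation range (2001:db8::/32).
SAMPLE = """\
2001:db8:0:0::/64
2001:db8:0:1::/64
2001:db8:0:2::/63
2001:db8:0:2::/64      # already covered by the /63 above
2001:db8:100::/48
2001:db8:101::/48
2001:db8:ffff::1/64    # host bits set: rejected, not silently widened
not-a-prefix
"""

def parse_prefixes(text):
    """Parse one prefix per line ('#' starts a comment) into (networks, rejected)."""
    nets, rejected = [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            # strict=True refuses entries whose host bits are set
            nets.append(ipaddress.IPv6Network(entry, strict=True))
        except ValueError:
            rejected.append(entry)
    return nets, rejected

def aggregate(nets):
    """Return the smallest prefix list covering exactly the same addresses."""
    out = []
    # Sorting orders by network address, then shortest prefix first, so a
    # covering prefix is always seen before anything it contains.
    for net in sorted(set(nets)):
        if out and net.subnet_of(out[-1]):
            continue  # duplicate or already covered
        out.append(net)
        # Merge the two newest entries while they are the two halves of one
        # parent prefix; each merge can expose another merge further up.
        while len(out) >= 2:
            left, right = out[-2], out[-1]
            if left.prefixlen != right.prefixlen or left.supernet() != right.supernet():
                break
            out[-2:] = [left.supernet()]
    return out

if __name__ == "__main__":
    nets, rejected = parse_prefixes(SAMPLE)
    for net in aggregate(nets):
        print(net)
    print("rejected:", rejected)
```

The standard library's ipaddress.collapse_addresses() performs the same reduction and is a useful cross-check on the result.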



Re: FW: Communal Dining

2012-04-16 Thread Jason Hellenthal

Shoot I was half way there already!

:-)


On Mon, Apr 16, 2012 at 10:11:44AM -0400, Ronald Bonica wrote:
 Folks,
 
 Sorry, you are not all invited to dinner. I apologize for the spam.
 
 MS mail address completion helped me a little more than I wanted.
 
 Ron
 
 
  -Original Message-
  From: Ronald Bonica
  Sent: Monday, April 16, 2012 10:05 AM
  To: 'frbi...@aol.com'; 'Nicholas Hinko'; 'Susan Hinko'; jay cuasay;
  'William Richey'; Will Ress; 'maria torres'; 'landre...@gmail.com';
  nanog@nanog.org
  Subject: Communal Dining
  
  Folks,
  
  You are all invited to an extremely informal dinner at our house at 6PM
  on Saturday, April 21. Spouses and children are all invited. I will
  bake bread and put on a huge pot of soup. If your kids are picky
  eaters, feel free to bring whatever they will eat.
  
  Our house is located at:
  
  241 West Meadowland Lane
  Sterling, Virginia 20164
  703 430 8379
  
  --
  Ron and Nancy Bonica
  vcard:   www.bonica.org/ron/ronbonica.vcf
  
 
 



Re: is sbcglobal throttling Cuban traffic?

2012-03-24 Thread Jason Hellenthal

From this location it looks awful... and I am on a sbcglobal line.

Console traceroute -a havanatimes.org
...[INTERNAL]...
3  [AS0] adsl-99-181-143-254.dsl.klmzmi.sbcglobal.net (99.181.143.254)  19.510 ms  27.116 ms  19.387 ms
4  [AS7132] dist2-vlan60.klmzmi.ameritech.net (67.36.55.243)  19.482 ms  18.178 ms  19.939 ms
5  [AS7132] bb2-10g4-0.klmzmi.sbcglobal.net (151.164.38.108)  19.897 ms  26.879 ms  19.883 ms
6  * * *

...

It stops there not even a ping.

On Sat, Mar 24, 2012 at 02:41:01PM -0500, C. A. Fillekes wrote:
 Reports from around the country are that traceroutes through sbcglobal
 (in Austin, Houston and NJ) are failing with timeout to
 havanatimes.org -- yet when we go in through TOR or Comcast or using
 overseas services, their routing is just fine.  What gives?

-- 
;s =;



Re: Monitoring other people's sites (Was: Website for ipv6.level3.com returns HTTP/1.1 500 Internal Server Error)

2012-03-20 Thread Jason Hellenthal


On Tue, Mar 20, 2012 at 03:54:13PM +0100, Jeroen Massar wrote:
 On 2012-03-20 15:40 , vinny_abe...@dell.com wrote:
  FYI - it's also the main IPv4 site, not just IPv6... although I'm
  unsure if it's the same issue.
  
  I was monitoring availability as a point of reference for my network
  and started receiving 500 errors recently as well that tripped up the
  monitoring system, even though the page comes up in any browser I
  try.
  
  GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 4.01;
  Windows NT)
 
 For everybody who is monitoring other people's websites, please please
 please, monitor something static like /robots.txt as that can be
 statically served and is kinda appropriate as it is intended for robots.
 Oh and of course do set the User-Agent to something logical and to be
 super nice include a contact address so that people who do check their
 logs once in a while for fishy things they at least know what is
 happening there and that it is not a process run afoul or something.
 
 Of course, asking before doing tends to be a good idea too.
 
 The IPv6 Internet already consists way too much out of monitoring by
 pulling pages and doing pings...
 
 Fortunately that should heavily change in a few months.
 
 Greets,
  Jeroen
 
  (who noticed a certain sh company performing latency checks against
 one of his sites, which was no problem, but the fact that they were
 causing almost more hits/traffic/load than normal clients was a bit on
 the much side, them pulling robots.txt solved their problem to be able
 to check if their IPv6 worked fine and the load issue on the server side
 was gone too as nginx happily serves little robots.txt's at great speed
 from cache ;)
 
  And for the few folks putting nagios's on other people's sites, they
 obviously do not understand that even if the alarm goes off that
 something is broken that they cannot fix it anyway, thus why bother...

I agree! Leave the monitoring for those that are hired to do so. Using
someone else's server to verify that your ipv6 connectivity works should
just strictly get your traffic dropped or null-routed with an alert sent
to your provider.

ping6 your provider... wget -6 your provider but beyond that, you most
likely cannot fix it...

-- 
;s =;



Falling for address collection (Was: Evil Bit and Spread Spectrum IP Addressing - NANOG Source Address Shaping)

2012-03-04 Thread Jason Hellenthal

Why does everyone keep falling for the same address collector ? ;-)

-- LoL

On Sun, Mar 04, 2012 at 10:22:15AM -0600, Guru NANOG wrote:
 Common Misconception: One additional bit of IPv4 Addressing will solve
 world hunger
 
 The Evil Bit (or spare unused bit) can be used to store (restore) one bit
 
 The Left-Most bit of the 32-bit Source Address Field can be SET to
 Zero no matter what the original value. The Evil bit can be set IFF
 the Left-Most bit is **changed**.
 
 Setting the Left-Most bit to zero **folds** this table in half.
 http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.txt
 
 Setting the Left-Most bit to ONE would move return traffic to the
 upper half of the Spectrum which has vast quantities of unused /8s
 
 Wide-spread consensus shows that TWO bits can work. Three bits folds
 the table to 1/8th.
 Governments want a 4-bit Return Prefix to their Super-Hubs for
 IPv6-like intercept.
 
 The U.S.FCC is expected to issue the regulations on how Spread
 Spectrum Source Address Shaping will work in their licensed CPE
 wireless devices. There are 160-bits
 in the deprecated header so there are many ways to go.
 
 One-Way Broadcast IP Addressing is now available. The Source Address
 Field is used
 for the second half of the 64-bit Destination Address. The DF (Did
 Flip) bit near the Evil
 Bit is used to note the two halves of the Destination Address have
 been *flipped*.
 NANOGers simply route 32 and then 32 after the flip based only on the
 Destination Field.
 There is no Source Address, only a channel (port).
 
 Keywords: WRT DNSMASQ Tomato WIFI Linux CPE

-- 
;s =;



Re: NANOG Digest, Vol 48, Issue 41

2012-01-15 Thread Jason Hellenthal

On Sun, Jan 15, 2012 at 01:56:45PM -0500, Scot Loach wrote:
 On 1/15/12, nanog-requ...@nanog.org nanog-requ...@nanog.org wrote:
 
  When replying, please edit your Subject line so it is more specific
  than Re: Contents of NANOG digest...
 

These are good tips. Might also help to strip some of the context from what you 
are replying to as well.



Re: Why is IPv6 broken?

2011-07-09 Thread Jason Hellenthal

deBunk

Where did you get all this from ?

There is not even one single reference to a URL, not to be rude but how
long did it take you to write this theory ?

As for It's broken, first and foremost... They may be a Tier 1
provider of other services and also happen to offer IPv6 at which they
are only a Tier 2 or 3 but using the marketing gimmicks of their original
Tier 1 status to get acknowledgement.

I stopped reading shortly after 'I think' the second paragraph and scanned
the rest for URLs that might have made this clear and to the point but
did not find any.

Hearsay.

/deBunk

On Sat, Jul 09, 2011 at 03:25:27PM -0600, Bob Network wrote:
 
 Why is IPv6 broken?
 
 It's broken, first and foremost, because not all network providers who claim 
 to be tier 1 are tier 1.
 
 Even worse, some of these providers run 6to4 relays or providers to home 
 users.  A user has no choice which provider is running their 6to4 relay...so, 
 they might end up using a relay that is run by a provider who doesn't peer 
 with their intended destination.  I don't think the IETF saw that one coming. 
  But the result is to make 6to4 even more broken.  Now, I know some people 
 want 6to4 to die, but while it still exists in some form, user experience is 
 worse than it could be.  The temporary fix is for any provider to run their 
 own 6to4 relay for their own customers (assuming that they themselves have 
 full connectivity).
 
 Right now, unless you buy transit from multiple tier 1s, and do so with 
 carefully chosen tier ones, you have only part of the IPv6 internet.  Many 
 tier 1s are unsuitable even as backup connections, since you still want your 
 backup connection to have access to the whole internet!  Good tier 2 
 providers might be an excellent choice, sine good providers have already done 
 this leg work and can monitor their providers for compliance.
 
 A few myths...
 
 Routing table size has nothing to do with completeness of routes.  Google may 
 be one route, through aggregation.  And SmallCo may advertise a large route 
 through one provider, and, due to traffic engineering, a smaller route 
 through a second one - in many cases, anyone that had the large route would 
 be able to contact SmallCo, even without the smaller route being present.  So 
 routing table size doesn't work.  In addition, some providers aggregate their 
 routing tables to reduce routing load and such.  Others intentionally don't 
 or deaggregate it intentionally so that they can brag about having bigger 
 routing tables.  What you need to ask is: How many /64s can you get to from 
 your network, and how many of these /64s are reachable from at least one 
 other major provider (you don't care about internal-only networks, after 
 all)?  They can give you that information, but many won't want to.
 
 It's also not about technical people not getting along.  It's about business 
 players trying to make money, but not just that either.  It's also about 
 ensuring that providers don't end up assuming more than their share of costs 
 for a link.  Just because you have a common peering point doesn't mean that 
 turning peering on would reduce your costs.  In some cases it may increase 
 costs tremendously, particularly on your long haul backbone links, because 
 the other party would like to take advantage of an attitude of trust on the 
 internet.  That's why we end up with peering policies and contracts.
 
 What is the issue?
 
 Let's take Hurricane.  This is no different than other providers...basically, 
 they want to say, We shouldn't need to pay for IPv6 transit from anyone.  
 This is what Cogent said on IPv4 a few years ago.  Google used to say this 
 too for IPv6, not sure if they are still saying it.  Basically, We know 
 we're big enough that you won't want to screw your users by not peering with 
 us.
 
 A small network couldn't do this tactic - a 100 node network who said to the 
 IPv4 tier 1s: Hey, I'm in the Podunk Internet Exchange, so are you, so I'm 
 going to peer from you so I don't have to buy any bandwidth for my web server 
 (placed in the Podunk exchange).  Sure, they would like to - it would save a 
 ton of money if their site got lots of hits.  I mean, who wouldn't want free 
 connectivity?
 
 In IPv6, we're going through what we settled years ago in IPv4 - who has to 
 pay who to connect.  After all, even free peering connections have a cost in 
 manpower, debugging, traffic engineering, documentation, etc.
 
 Some players who aren't getting free interconnection to tier 1s in IPv4 want 
 to get it in IPv6.  So they've worked to attract lots of users, and done so 
 under the guise of We like IPv6 and want to promote it.  Others have not 
 bothered with trying to attract the users, but have said, We're too big for 
 you to not want to give us connectivity for free, since it would piss off 
 your users if you don't (Google did this at one point in the past, may still 
 be doing it).  The Google example is basically trying