On 14 Jan 2009, at 16:06, Jeroen Massar wrote:
Simon Lockhart wrote:
(Yes, I'm in the minority that thinks that Randy hasn't done
anything bad)
Nah, I agree with Randy's experiment too. People should protect
their networks better and this is clearly showing that there are a
lot of
...@sackheads.org]
Sent: Wednesday, January 14, 2009 3:57 PM
To: Michienne Dixon
Cc: NANOG list
Subject: Re: Anyone notice strange announcements for 174.128.31.0/24
On Jan 14, 2009, at 10:50 AM, Michienne Dixon wrote:
Interesting - So as a cyber criminal - I could setup a router, start
announcing
On Jan 15, 2009, at 3:54 AM, Andy Davidson wrote:
On 14 Jan 2009, at 16:06, Jeroen Massar wrote:
Simon Lockhart wrote:
(Yes, I'm in the minority that thinks that Randy hasn't done
anything bad)
Nah, I agree with Randy's experiment too. People should protect
their networks better and this
Here's a question that's been bugging me the whole thread, and it's a
bit of a newbie one. How is this different than someone faking SMTP
headers to make it seem like an email came from my domain when it
didn't? I'm talking in terms of morals, obviously; I understand the
technique is different.
On Wed Jan 14, 2009 at 09:59:14AM +0200, Hank Nussbacher wrote:
What if, by doing some research experiment, the researcher discovers some
unknown and latent bug in IOS or JunOS that causes much of the Internet to
go belly up? 1 in a billion chance, but nonetheless, a headsup would have
On Tue, January 13, 2009 8:57 pm, Joe Abley wrote:
The fact that I choose to stick 701 in an AS_PATH attribute on a
prefix I advertise in order to stop that prefix from propagating into
701 is entirely my own business, and it's a practice which, although
apparently not commonplace, has been a
Yes, but I see that Randy has switched over to 3130 poisoned AS 3130,
when olaf first tested out his code in lab, it was against a quagga,
which would not accept that. matt petach, in private email, asked why
we were not doing it. as it seemed to be in spec, olaf did it against a
crisco,
On Mon, Jan 12, 2009 at 5:51 PM, Michienne Dixon mdi...@nkc.org wrote:
I would consider this analogous to a customer testing their home alarm
system and not letting the alarm company know about the test.
It's more like one owner in a condominium deciding to test the fire
alarm without first
Subject: Re: Anyone notice strange announcements for 174.128.31.0/24
On Wed Jan 14, 2009 at 09:59:14AM +0200, Hank Nussbacher wrote:
What if, by doing some research experiment, the researcher discovers
some unknown and latent bug in IOS or JunOS that causes much of the
Internet to go belly up
Message-
From: Simon Lockhart [mailto:si...@slimey.org]
Sent: Wednesday, January 14, 2009 2:07 AM
To: Hank Nussbacher
Cc: NANOG list
Subject: Re: Anyone notice strange announcements for 174.128.31.0/24
On Wed Jan 14, 2009 at 09:59:14AM +0200, Hank Nussbacher wrote:
What if, by doing some
: NANOG list
Subject: RE: Anyone notice strange announcements for 174.128.31.0/24
Um.. no. I can't speak for the others on this list who were
affected like us - but we take this stuff very seriously and
respectively you would too *if* you had a previous legit issue that
appeared to the same
Michienne Dixon wrote:
Interesting - So as a cyber criminal - I could setup a router, start
announcing AS 16733, 18872, and maybe 6966 for good measure and their
routers would ignore my announcements and IP ranges that I siphoned from
searching IANA? Hm... Would that also prevent them from
On Wed, 14 Jan 2009 10:47:23 EST, William Herrin said:
It's more like one owner in a condominium deciding to test the fire
alarm without first asking the condo association or letting the other
owners know about it ahead of time.
On the other hand, pre-announcing We will have a fire drill at
Knowing Randy's research, I am sure that Randy will be doing great work
this time too. Being a network researcher I can not wait more to see results
of these experiments.
But, even then I don't think it was a real smart thing to do without prior
permission.
And yes, it applies in the network
) 412-7990
-Original Message-
From: Simon Lockhart [mailto:si...@slimey.org]
Sent: Wednesday, January 14, 2009 2:07 AM
To: Hank Nussbacher
Cc: NANOG list
Subject: Re: Anyone notice strange announcements for 174.128.31.0/24
On Wed Jan 14, 2009 at 09:59:14AM +0200, Hank Nussbacher wrote:
What
On Wed, Jan 14, 2009 at 1:22 PM, valdis.kletni...@vt.edu wrote:
On Wed, 14 Jan 2009 10:47:23 EST, William Herrin said:
It's more like one owner in a condominium deciding to test the fire
alarm without first asking the condo association or letting the other
owners know about it ahead of time.
www.linkcity.org
(816) 412-7990
-Original Message-
From: Simon Lockhart [mailto:si...@slimey.org]
Sent: Wednesday, January 14, 2009 2:07 AM
To: Hank Nussbacher
Cc: NANOG list
Subject: Re: Anyone notice strange announcements for 174.128.31.0/24
On Wed Jan 14, 2009 at 09:59:14AM +0200, Hank
.
North Kansas City, MO 64116
www.linkcity.org
(816) 412-7990
-Original Message-
From: Simon Lockhart [mailto:si...@slimey.org]
Sent: Wednesday, January 14, 2009 2:07 AM
To: Hank Nussbacher
Cc: NANOG list
Subject: Re: Anyone notice strange announcements for 174.128.31.0/24
On Wed Jan 14, 2009
--- On Tue, 1/13/09, Jared Mauch ja...@puck.nether.net wrote:
No, they are both victims. If I inject a path that
purports
there is an edge between two networks which are engaged in
a bitter
dispute, (i'll use cogent sprint as an example) -
_1239_174_ that may
create a
On Jan 13, 2009, at 6:34 AM, Joe Abley jab...@hopcount.ca wrote:
On 2009-01-13, at 00:05, Paul Wall wrote:
Also, I'd agree
announcing other peoples' ASNs,
How do you announce an ASN?
Clearly it means to use someone else's ASN without authorization in a
way that is not intended by the
On Tue, Jan 13, 2009 at 12:11 PM, Matthew Kaufman matt...@eeph.com wrote:
On Jan 13, 2009, at 6:34 AM, Joe Abley jab...@hopcount.ca wrote:
On 2009-01-13, at 00:05, Paul Wall wrote:
Also, I'd agree
announcing other peoples' ASNs,
How do you announce an ASN?
Clearly it means to use
On Jan 13, 2009, at 11:53 AM, David Barak wrote:
--- On Tue, 1/13/09, Jared Mauch ja...@puck.nether.net wrote:
No, they are both victims. If I inject a path that
purports
there is an edge between two networks which are engaged in
a bitter
dispute, (i'll use cogent sprint as an
--- On Tue, 1/13/09, Patrick W. Gilmore patr...@ianai.net wrote:
AS_PATH != identity, and I would not recommend loading
the latter onto the former.
We disagree. When I am researching something, I frequently
look at ASNs in the path to figure out not just where but
who controls the path.
On Tue, Jan 13, 2009 at 08:53:42AM -0800, David Barak wrote:
--- On Tue, 1/13/09, Jared Mauch ja...@puck.nether.net wrote:
Does that mean that I hijacked their identity and forged
it? What level of trust do you place in the AS_PATH for your
routing, debugging and
decision making
On Tue, Jan 13, 2009, Patrick W. Gilmore wrote:
How can anyone seriously argue the ASN owner is somehow wrong and keep
a straight face? How can anyone else who actually runs a network not
see that as ridiculous?
Speaking purely as an outsider who hasn't had to pull such jack moves
with
On Jan 13, 2009, at 1:18 PM, Matthew Kaufman wrote:
Patrick W. Gilmore wrote:
Filtering and other manipulation happened on your router,
prepending my ASN is putting that information into every router.
That seems to be a serious qualitative difference to me. Do you
disagree?
I think
On Jan 13, 2009, at 1:27 PM, Adrian Chadd wrote:
On Tue, Jan 13, 2009, Patrick W. Gilmore wrote:
How can anyone seriously argue the ASN owner is somehow wrong and
keep
a straight face? How can anyone else who actually runs a network not
see that as ridiculous?
Speaking purely as an
On 13 Jan 2009, at 11:12, Leo Bicknell wrote:
Loop detection kicks in only when there is a loop. You see your
own ASN coming back to you.
In the case we're discussing THERE IS NO LOOP. Someone is mis-using
this feature to control the propagation of routes.
Surely controlling the
On 13 Jan 2009, at 15:32, Patrick W. Gilmore wrote:
On Jan 13, 2009, at 3:30 PM, Joe Abley wrote:
Were the victim
Heh, if only there was any sign of a victim.
The guy who spent time effort investigating why his AS was misused
announced it here. I'd call that at least a sign.
I'd
Seriously, you believe it's OK to blame the guy whose ASN was spoofed
for spending too long researching it?
I was _literally_ shaking my head when I read that.
--
TTFN,
patrick
It should be pointed out that pre-provisioned AS_Path filters and
prefix-lists would actually be effective at defeating this and
preventing someone who is actually malicious from using this
technique. This is an excellent argument for implementing SIDR...
Finally we agree. Although I
-
From: Joe Abley [mailto:jab...@hopcount.ca]
Sent: Tuesday, January 13, 2009 3:37 PM
To: Patrick W. Gilmore
Cc: NANOG list
Subject: Re: Anyone notice strange announcements for 174.128.31.0/24
On 13 Jan 2009, at 15:32, Patrick W. Gilmore wrote:
On Jan 13, 2009, at 3:30 PM, Joe Abley wrote:
Were
On Mon, Jan 12, 2009 at 12:40:42PM -0600, Michienne Dixon wrote:
I'm not entirely certain what is going on but has anyone noticed some
strange announcements for 174.128.31.0/24?
I received a hijack notice that my AS (AS11708) was announcing the above
IP range. I verified that I was not
)
Paul
-Original Message-
From: Majdi S. Abbas [mailto:m...@latt.net]
Sent: Monday, January 12, 2009 1:49 PM
To: Michienne Dixon
Cc: nanog@nanog.org
Subject: Re: Anyone notice strange announcements for 174.128.31.0/24
On Mon, Jan 12, 2009 at 12:40:42PM -0600, Michienne Dixon wrote:
I'm
... especially on something as major as a
prefix hijacking (potentially)
Paul
-Original Message-
From: Majdi S. Abbas [mailto:m...@latt.net]
Sent: Monday, January 12, 2009 1:49 PM
To: Michienne Dixon
Cc: nanog@nanog.org
Subject: Re: Anyone notice strange announcements
to notify us first... especially on something as major as a
prefix hijacking (potentially)
Paul
-Original Message-
From: Majdi S. Abbas [mailto:m...@latt.net]
Sent: Monday, January 12, 2009 1:49 PM
To: Michienne Dixon
Cc: nanog@nanog.org
Subject: Re: Anyone notice strange
. Abbas; Michienne Dixon; nanog@nanog.org
Subject: Re: Anyone notice strange announcements for 174.128.31.0/24
At some point 3130 announced these prefixes, and is now prepending other
ASes to them. Pretty Good BGP (and hence the IAR) sees them as prefix
hijacks. If you'd like to see the entire list
MSA Date: Mon, 12 Jan 2009 18:48:42 +
MSA From: Majdi S. Abbas
MSA More seriously, this is indeed reachability research. Try emailing
MSA the AS 3130 contacts although I'd imagine Randy will see this.
Why not do this in a lab instead?
;-)
Eddy
--
Everquick Internet -
before wasting a lot
of people's time...
Paul
-Original Message-
From: Michienne Dixon [mailto:mdi...@nkc.org]
Sent: Monday, January 12, 2009 2:20 PM
To: nanog@nanog.org
Subject: RE: Anyone notice strange announcements for 174.128.31.0/24
The IAR was the source of my notice as well
. Abbas; Michienne Dixon; nanog@nanog.org
Subject: Re: Anyone notice strange announcements for 174.128.31.0/24
On 09.01.13 03:52, Paul Stewart wrote:
Same here.. got a notice this morning and while it's false, I still
have no response from Randy neither on this matter..
guy's gotta sleep some
Florian Weimer wrote:
I think this is over the line. You can't put other people's IDs into
routing data on production networks. (Well, technically you can,
obviously, but you shouldn't.)
Actually, the placement of the ASN is exactly what they need to do the
test, as it is treated as a
On 2009-01-12, at 15:39, Florian Weimer wrote:
So does academic mean unethical these days?
I think this is over the line. You can't put other people's IDs into
routing data on production networks. (Well, technically you can,
obviously, but you shouldn't.)
The AS_PATH attribute is a
On Jan 12, 2009, at 4:12 PM, Joe Abley wrote:
On 2009-01-12, at 15:39, Florian Weimer wrote:
So does academic mean unethical these days?
I think this is over the line. You can't put other people's IDs into
routing data on production networks. (Well, technically you can,
obviously, but you
* Jack Bates:
Florian Weimer wrote:
I think this is over the line. You can't put other people's IDs into
routing data on production networks. (Well, technically you can,
obviously, but you shouldn't.)
Actually, the placement of the ASN is exactly what they need to do the
test, as it is
If this were not Randy doing a research project, but, say, Cogent
prepending the ASN of $LATEST_DEPEERED_NETWORK on announcements to
Verio, how different would the tone of this thread have been?
yep, tools can be used for both good and bad.
randy
On Mon, Jan 12, 2009 at 3:34 PM, Randy Bush ra...@psg.com wrote:
On 09.01.13 05:32, Michienne Dixon wrote:
guy's gotta sleep some time. it's 04:40 here.
My apologies for jumping the gun.
i demand a full refund! :)
but that's about the best use for guns i can think of.
randy
Might
Might be helpful to update the WHOIS data:
arin's good folk say it will be updated in tonight's (stateside night) run.
randy
On 2009-01-12, at 16:16, Patrick W. Gilmore wrote:
People have been doing it forever. However, it has been considered
sketchy at best.
This all seems highly subjective. Considered that way by some, sure
(including you, it seems).
In my experience prepending someone else's AS to a
On Mon, Jan 12, 2009 at 04:51:36PM -0500, Joe Abley wrote:
[snip]
In my experience prepending someone else's AS to a prefix has only
been useful operationally only as a short-term, emergency measure
(e.g. when trying to avoid a black-hole between two remote ASes,
neither of whom shows
In a message written on Mon, Jan 12, 2009 at 04:51:36PM -0500, Joe Abley wrote:
Randy's application, and Lorenzo's before him also seem like short-
term applications designed to explore answering operational questions.
Just because something is generally not used, or even if it's only
] part of the experiment is to measure the difference between the amount
] of nanog mail lorenzo drew in 2005 by pre-announcing with the amount we
] get in 2009 while not pre-announcing. :)
This statement is an admission that he set out to annoy people,
annoy them enough they would complain on
snip
] part of the experiment is to measure the difference between the amount
] of nanog mail lorenzo drew in 2005 by pre-announcing with the amount we
] get in 2009 while not pre-announcing. :)
This statement is an admission that he set out to annoy people,
annoy them enough they would
: Christian Koch [mailto:christ...@broknrobot.com]
Sent: January 12, 2009 5:34 PM
To: NANOG list
Subject: Re: Anyone notice strange announcements for 174.128.31.0/24
snip
] part of the experiment is to measure the difference between the
amount
] of nanog mail lorenzo drew in 2005 by pre-announcing
On 09.01.13 07:42, Paul Stewart wrote:
For us, it was annoying - we look for prefix hijackings or what appear
to be.
i think herein lies the rub. it is not prefix hijacking and in no way
should it appear that way to you. i suggest tuning your detectors. i
am told that path poisoning is
Network Administrator
liNKCity
312 Armour Rd.
North Kansas City, MO 64116
www.linkcity.org
(816) 412-7990
-Original Message-
From: Joe Abley [mailto:jab...@hopcount.ca]
Sent: Monday, January 12, 2009 3:52 PM
To: Patrick W. Gilmore
Cc: NANOG list
Subject: Re: Anyone notice strange
Hi Randy (and the cast of characters on this thread),
Could you please put in a lightning talk for this experiment? It would be
great to hear more about this in .DR. We're accepting submissions now for
lightning talks on Monday the 26th of January. http://www.nanogpc.org is
the best place.
www.linkcity.org
(816) 412-7990
-Original Message-
From: Randy Bush [mailto:ra...@psg.com]
Sent: Monday, January 12, 2009 4:47 PM
To: Paul Stewart
Cc: NANOG list
Subject: Re: Anyone notice strange announcements for 174.128.31.0/24
On 09.01.13 07:42, Paul Stewart wrote:
For us, it was annoying - we look
Could you please put in a lightning talk for this experiment? It would
be great to hear more about this in .DR. We're accepting submissions now
for lightning talks on Monday the 26th of January.
a - i will not be in dr. i really wanted to support the dr meeting,
but it's hard to justify
On Jan 12, 2009, at 5:55 PM, Michienne Dixon wrote:
But isn't this method kind of related to how a network from the
Mediterranean/Mid-east went about blocking what they felt was
undesirable/offensive content from entering their network?
No.
--
TTFN,
patrick
: Anyone notice strange announcements for 174.128.31.0/24
Sent: Jan 12, 2009 6:55 PM
But isn't this method kind of related to how a network from the
Mediterranean/Mid-east went about blocking what they felt was
undesirable/offensive content from entering their network?
-
Michienne Dixon
Network
...@ianai.net]
Sent: Monday, January 12, 2009 5:00 PM
To: NANOG list
Subject: Re: Anyone notice strange announcements for 174.128.31.0/24
On Jan 12, 2009, at 5:55 PM, Michienne Dixon wrote:
But isn't this method kind of related to how a network from the
Mediterranean/Mid-east went about blocking what
Fair enough. Unfortunate, and I'll miss you in .DR, but understood.
Now that doesn't mean other operators can't put in a lightning talk about
the impact or 'event' this triggered in their own NOC environments along
with what they recommend operators do to reduce the spun cycles G
Cheers, -ren
snip
Now that doesn't mean other operators can't put in a lightning talk
about the impact or 'event' this triggered in their own NOC environments
along with what they recommend operators do to reduce the spun cycles
G
snip
Easy - Refer all anomalies that do not the result of a direct outage to
: Re: Anyone notice strange announcements for 174.128.31.0/24
This was a test using unassigned IP block, unless I'm reading it wrong.
If a noc alerted on this it should have still been a low priority issue.
I don't see any issues with the way this was carried out at all.
-jim
--Original Message
In a message written on Tue, Jan 13, 2009 at 08:20:28AM +0900, Randy Bush wrote:
of course, we're sorry we set off folk's broken alarm systems :-) [
sense of humor required, leo ]
Ah, I get the smiley this time. That's the indication you're not
serious about the sentence you just wrote! Ah
On Mon, Jan 12, 2009 at 7:29 PM, Leo Bicknell bickn...@ufp.org wrote:
You really should make some friends Randy.
He is, on Second Life.
Seriously though... I've not seen any discussion of the application of
allowas-in, a valid neighbor configuration under certain
topologies/scenarios, as