RE: Question about SLAs
Find a new vendor is certainly one solution. Regards, chad From: [EMAIL PROTECTED] on behalf of Barry Shein Sent: Thu 2/8/2007 3:00 PM To: nanog@merit.edu Subject: Question about SLAs Other than give them the bum's rush! what do you do when a vendor is a PITA about SLAs for outages? Obviously there's not enough on the table to get lawyers involved, but it's aggravating when first they act like they lost your SLA request, then claim their logs don't match your logs in some significant way, then try to avoid returning calls to find out what got decided about disputes I guess hoping you'll give up, etc. It's lousy game theory if the vendor just wants to insist their logs are very different than the customer's (highly detailed logs), for example, short of bolting, which there might be other reasons to not want to do except as a last resort, like the cost would be a lot more than the SLAs in question. But where's the leverage? I hope this is operational enough for this list, if not feel free point me somewhere else. -- -Barry Shein The World | [EMAIL PROTECTED] | http://www.TheWorld.com http://www.theworld.com/ Purveyors to the Trade | Voice: 800-THE-WRLD| Login: Nationwide Software Tool Die| Public Access Internet | SINCE 1989 *oo*
RE: Question about SLAs
Agreed, any termination liability is something to consider. You also need to consider the impact to your business that the SLA violations is causing and how that might translate to dollars. Documentation is going to be key if the vendor is nickel and diming you. If you have solid documentation of a pattern of behavior that is contrary to the spirit (and hopefully letter) of your SLA the vendor is probably not going to push the termination liability. They may not refund for SLA violations but they also would probably not push the termination liability too far. SLA claims can turn into a game of chicken at times. If you honestly feel your position is solid, don't blink. Good luck, Chad -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Thursday, February 08, 2007 7:29 PM To: Chad Skidmore Cc: Barry Shein; nanog@merit.edu Subject: Re: Question about SLAs On Thu, 08 Feb 2007 19:09:34 PST, Chad Skidmore said: Find a new vendor is certainly one solution. Your current vendor probably knows how much it would cost for you to move to another vendor (quite possibly to more significant digits than *you* know). They also know exactly how much they're making/losing on SLA issues, and what percent of the move cost you're willing to tolerate - there's probably very few of us that can get away with being righteous and principled and spending $100K on a move to a new vendor over a $980 SLA issue. And even those of us who *can* do that probably can't do it a second time anytime soon. Of course, YMMV - spending $25K to get out of a contract with somebody who's already shafted you for $12K of SLA rebates and shows no sign of stopping is probably justifiable by almost all of us But I think Barry was asking specifically about the vendor who nickels and dimes you precisely because they know it's not enough to make a business case for moving.
RE: SNMP Accounting Software
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Check out RTG. It has 95th percentile reporting and if you don't like the included reporting format you are free to build your own. Data is retained in a SQL db so it is easy enough to report on. http://rtg.sourceforge.net/ Regards, chad From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Drew Weaver Sent: Tuesday, October 11, 2005 9:21 AM To: nanog@merit.edu Subject: SNMP Accounting Software We need some fairly complex SNMP accounting software (data center) style stuff that can monitor cisco equipment for bandwidth utilization and generate reports based on 95th percentile and also perhaps even their actual bandwidth usage (how many gigs of transfer they use per month, day, week.. etc) Does anyone know of anything good that does anything like this? It needs to be reliable? Can be open source, we're using MRTG to track utilization but we need something that really handles accounting for us. Thanks, - -Drew -BEGIN PGP SIGNATURE- Version: PGP 8.1 iQA/AwUBQ0vuHKwCFKUp08LxEQLGSQCgjj6yQ6ECUTqgkKb2niWYlxtk/9IAoNcc hDfi2aqExzX2fybAwagmpfRN =g5/t -END PGP SIGNATURE-
RE: SNMP Accounting Software
It uses the 2nd (monthly) method you describe and gives you a 95th percentile number for both inbound and outbound. You can then use both or one of them. Also, as I mentioned, you can write your own reports using anything that can query MySQL. I've done Crystal Reports and some C# .Net reporting off of RTG data with great success. Chad -Original Message- From: Martin Mersberger [mailto:[EMAIL PROTECTED] Sent: Tuesday, October 11, 2005 1:43 PM To: Chad Skidmore Cc: Drew Weaver; nanog@merit.edu Subject: Re: SNMP Accounting Software On Tue, Oct 11, 2005 at 09:53:48AM -0700, Chad Skidmore wrote: Hi... Check out RTG. It has 95th percentile reporting and if you don't like the included reporting format you are free to build your own. Data is retained in a SQL db so it is easy enough to report on. from the documentation, this looks interesting. Does anybody know, which 95%ile is implemented? I know at least about 6 95%ile favors around. Does anybody know, which of them are mostly used? the two variants, I have in mind are daily 95%ile ( drop the max 5% samples per day for each direction, average on the end of the month for each direction and use the higher value then ) and a monthly 95%ile ( drop the max 5% samples over all samples over the month for both directions, use the higher value then ) cheers Martin
RE: Verizon wins MCI
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 -Original Message- From: Jon Lewis [mailto:[EMAIL PROTECTED] Posted At: Monday, February 14, 2005 8:38 PM Posted To: NANOG Conversation: Verizon wins MCI Subject: Re: Verizon wins MCI On Mon, 14 Feb 2005, william(at)elan.net wrote: Verizon wins the battle for MCI, pays 7B. I'm not financier, but this price seems rather low considering how large Worldcom is/used to be and that it includes all former UUNET, MCI, MFS, WCOM, etc. BTW - did this include Digex as well? But does anyone really know how big WorldCon is/was? First thing Verizon will have to do is fire the entire billing department and replace them with people/systems that can generate correct bills and send them to the correct customers. -- Jon Lewis | I route Senior Network Engineer | therefore you are Atlantic Net| _ http://www.lewis.org/~jlewis/pgp for PGP public key_ Then the question is can Verizon actually generate an accurate and readable bill. :) Based on our experience it will just be inaccurate and unreadable in new and unusual ways. Chad - Chad E Skidmore One Eighty Networks, Inc. http://www.go180.net 509-688-8180 -BEGIN PGP SIGNATURE- Version: PGP 8.1 iQA/AwUBQhIkTk2RUJ5udBnvEQIIWQCdHIcqdckE2jSdZhnXrYfxfb+F2z4AnA2G 7bnkB7BcMzzUbvWFyI8Oc+2f =1Nhl -END PGP SIGNATURE-
RE: 3rd Party Cisco CWDM GBICs?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Be aware that on most types of fiber the loss in the 1400nm range is so high (due to H2O in the glass) that it is unusable. Some manufacturers are now using a process that extracts all, or nearly all, of the H2O out of the glass to make that range useable. OFS Allwave claims to be doing that. Regards, Chad - Chad E Skidmore One Eighty Networks, Inc. http://www.go180.net 509-688-8180 -Original Message- From: Aaron Thomas [mailto:[EMAIL PROTECTED] Posted At: Monday, February 14, 2005 11:53 AM Posted To: NANOG Conversation: 3rd Party Cisco CWDM GBICs? Subject: 3rd Party Cisco CWDM GBICs? Hi List, Cisco currently provides 8 lambdas for CWDM and we have a 10 lambda mux/de-mux system we want to make use of over a single fibre (5 data channels). The 1430 and 1450nm lambdas are dark and I was wondering if there are any 3rd party vendors out there that have produced Cisco compatible GBICs for these wavelengths. I have looked around and seen Finisar does make Cisco GBICs, but not in the 1430/1450 lambdas. Any help appreciated Aaron -BEGIN PGP SIGNATURE- Version: PGP 8.1 iQA/AwUBQhIj0U2RUJ5udBnvEQJhFgCeM60pB1kU+gx++3GSxV31kmUUjaYAnjil NC9PdWqfsCva35VMghMVOPiw =kRiR -END PGP SIGNATURE-
RE: Blocking worms/ddos for customer for free?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 -Original Message- From: Kim Onnel [mailto:[EMAIL PROTECTED] Posted At: Monday, December 06, 2004 11:46 AM Posted To: NANOG Conversation: Blocking worms/ddos for customer for free? Subject: Blocking worms/ddos for customer for free? Hello, Currently, on our ingress, we block spoofed packets, common worms/trojans ports. We do that for all of our customers(residential DSL, Dial-up, Corporate DSL, and the data center hosted websites/servers), however, For me there are 2 ways to look at it, if i leave these worms to come in, they would consume our bandwidth and CPU, and on the other hand, it looks like we're giving a free service, which in a way uses up our resources, Its the same for DDoS, if i stop it for a customer, i'm giving him a free a service, if i dont, its gonna wreck my network. Personally, i block the illegitimate packets out of my network(egress) but thats because i owe this to the internet community, even if i am not getting paid for it. I would like to know other providers policy about this? Blocking spoofed packets (inbound and outbound) is certainly a good thing and, in my opinion should be done by providers across the board. Blocking worms/trojan/whatever ports starts to get a little more difficult. Mainly due to the fact that they often times use ports and protocols that are valid and blocking them breaks things that are required. At the risk of starting the whole Microsoft stuff should be banned from the Internet rant I'll use the example of ports 135-139. Some people block those ports and don't get too much grief from their customer base. Others that try to block them find that at least some portion of the customer base complains because they have something that relies on those ports to work. This leads many to choose the path of least resistance and not filter. The other challenge with filtering is that it can consume resources, in some cases more quickly than not filtering at all. If traffic levels are high enough filtering can melt down your router more quickly than not filtering. This obviously depends on a number of things and we are seeing vendors produce routers that can filter at line rate without impacting performance or just plain falling over. Those routers can be very expensive however and if someone isn't paying for that additional service it can be hard to justify upgrading to a new line card that runs an easy six figures just to become your customer's free firewall. Those two things said, we don't believe that we are our customer's firewall unless specifically contracted to perform that task. That insures that we are compensated for the resources consumed and that we all agree on what is or is not valid traffic. All to often we have found that valid traffic for one person is not valid traffic for another so firewall rules will vary from one customer to the next. DDOS inbound to your customer may or may not wreck your network and what looks like a DDOS attack can be valid traffic for some customers. I know that we handle it on a case-by-case basis with good customer communication before we take action, assuming it isn't wrecking the rest of our network. If it is wrecking our network then we subscribe to the Sacrifice the one to save the many philosophy and will stop the attack. DDOS outbound from your network is again something that you need to double check to insure that it really is a DDOS attack. In our case if we see something that we strongly believe to be an outbound attack or can verify as an outbound attack then we'll take action. Anomolous traffic gets investigated to see if it is an attack or if it is valid. That, to us, is just part of being a good net citizen and making sure our customers don't ruin someone else's day. Regards, Chad - Chad E Skidmore One Eighty Networks, Inc. http://www.go180.net 509-688-8180 -BEGIN PGP SIGNATURE- Version: PGP 8.1 iQA/AwUBQbS/XU2RUJ5udBnvEQKY9ACdEDqM/PMlkKCokIgduKfQnvkHf3cAoN2B 40u2sItiQQdZ/xVChcXO1oTP =E0NF -END PGP SIGNATURE-
RE: How many backbones here are filtering the makelovenotspam scr eensaver site?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 -Original Message- From: Steven Champeon [mailto:[EMAIL PROTECTED] Posted At: Thursday, December 02, 2004 1:09 PM Posted To: NANOG Conversation: How many backbones here are filtering the makelovenotspam scr eensaver site? Subject: Re: How many backbones here are filtering the makelovenotspam scr eensaver site? My point was to Martin's question about what would happen if - god forbid - there were large botnets under the control of spammers; a careful reading will suggest that my major point was, duh, that there already are large botnets under the control of spammers. I realize that is the point you were trying to make. I also realize that Martin is pretty well aware of botnets and the threat they create. I suspect that most other readers on NANOG are also well aware. What doesn't seem to be as common knowledge as I would expect is that botnets are a commodity. As such they are traded, sold, purchased and even stolen. That last point is particularly important in this case. Lycos has created a large botnet (at least by most people's definition) that is hidden in the guise of a screen saver claiming to only go after the bad guys. This botnet uses a command and control server that is now well publicized, and uses a communication channel that is not encrypted or obfuscated in any way. That makes it a botnet just asking to be stolen. Fortunately the CC server is blackholed by what seem to be a large number of providers and the botnet is now fairly useless. Good point. Simply put, I can (and do) read my own mail server logs. And I can see that many ISPs - regardless of what they may be doing in onesy-twosy increments - simply aren't doing enough to prevent new botnet infections from wasting my server's cycles in futile attempts to deliver spam, outscatter, virus warnings, etc. etc. ad infinitum. It is certainly more than onesy-twosy increments but I agree that the problem is large enough that it certainly feels like a weak attempt from the average user/operator's point of view. This costs me time and money, and many of the same ISPs mentioned above are simply cost-shifting their own responsibility onto me and everyone else, and I'm tired of it. I encourage everyone to vote with their wallet when it comes to this type of thing. Buy your transit from organizations with dedicated security teams that actively engage in SPAM/Bot/Worm/Viri fighting efforts. Those things cost money and take time and are usually unacknowledged efforts. Larger providers seem to make easier targets when it comes to placing blame and saying that they aren't doing enough to combat miscreant activity. I don't believe that is the case overall. They just have a much larger customer base, higher volumes of traffic to inspect, and more politics to work within. Not to say there aren't responsible ISPs, and I hope that anyone who /is/ a part of the solution, rather than the fertile substrate for the problem, is capable of recognizing that and not taking offense when I point out there are others who could do more. I believe that EVERYONE could do more on this front. It is a moving battle that requires constant improvement just to stay afloat, let alone get ahead. For those genuinely interested in improving what they are doing on this front I strongly encourage you to attend the NSP-Sec BOFs at NANOG. You might be surprised what you learn and who you meet that can be helpful. As for go180.net, you don't show up much on my radar, but on Nov 9th we were hit by a spammer from SpokaneHotZone-63.go180.net [66.225.5.63]. I trust this is not a legitimate mail server and I can block it and any other host that looks like it within the same domain, right? Thanks. Otherwise, you may want to do something to distinguish it from the other generic hosts in the same range. Glad you don't see much from us, must mean that the effort put forth by some of our team is not going to waste. You are correct, that is not a legitimate mail server but is an IP from a City Wide wireless network. That network has since been secured to restrict TCP 25 outbound (along with other typical miscreant traffic) so you shouldn't see anything again from that network on port 25. If we rise up on your radar in the future feel free to make use of the typical NOC and Abuse e-mail addresses, they do get answered and acted upon here. Regards, Chad - Chad E Skidmore One Eighty Networks, Inc. http://www.go180.net 509-688-8180 -BEGIN PGP SIGNATURE- Version: PGP 8.1 iQA/AwUBQa+VUk2RUJ5udBnvEQJXPQCeMhYgS4vHzmjP2fpgVeEFySQWw4QAn1f/ g70E3QaL3VOcZvILXD80AqjF =he0W -END PGP SIGNATURE-
RE: What good is a noc team? How do you mitigate this? [was: How many backbones ...]
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 -Original Message- From: Gadi Evron [mailto:[EMAIL PROTECTED] Sent: Thursday, December 02, 2004 3:21 PM To: Chad Skidmore Cc: Aaron Glenn; [EMAIL PROTECTED] Subject: What good is a noc team? How do you mitigate this? [was: How many backbones ...] Okay, making this an operational issue. Say you are attacked. Say it isn't even a botnet. Say a new worm is out and you are getting traffic from 19 different class A's. Who do you call? What do you block? How can a noc team here help? Please block any outgoing connections from your network to ours on port 25? Please? I tried this once.. it doesn't help. I ended up blackholing an entire country just to mitigate it a bit, for a few hours. Any practical suggestions? Gadi. Well, the easy answer is that it depends. Lets use SQL Slammer as one example that might be comparable to the scenario you mention. During Slammer some networks did stay up. We'd have to ask each one of them what they did to know why they stayed up but I think I can guess at some. Shortly after Slammer there was a NANOG presentation on Slammer and some discussion at the NSP-Sec BOF at that NANOG regarding why some people survived and others didn't. What came out of that was enlightening, if not obvious in hind sight. 1. Those providers that made use of contacts at other providers and worked together, shared information, etc. were less affected than those that did not. 2. Those providers that had various mechanisms in place for just such an issue did better than those that did not. This included, but was not limited to, darknet monitoring quick reaction to darknet data anomalies, automated and semi-automated sifting of Netflow data, pre-staged classification ACLs on at least key backbone/peering/transit routers, and BGP (or other) triggered blackhole mechanisms. 3. Teams with dedicated incident response teams did better than those that didn't. 4. Those with grossly oversubscribed networks did worse than those with sufficient bandwidth to handle the ebb and flow of traffic that rides the Internet today. Good traffic engineering practices don't mean that you have to purchase lots of excess bandwidth to make this happen. Not being oversubscribed is also not just an issue of circuit utilization. For example, make sure you have enough CPU on your routers, line cards, whatever so that you can turn various features on to help track and mitigate an attack without making your routers fall over. So, armed with that data you can assume the following. With good darknet monitoring practices you would likely see a rapid up tick in scanning, backscatter, etc. and could start investigating the cause prior to the issue becoming service affecting. Maybe it is so crazy and randomized that you don't see it on your darknet monitoring but you see it on your PPS data collection. More often than not I know we see indications of miscreant activity on PPS monitoring first. The classification ACLs are a good way to turn the router into a poor mans sniffer (assuming it isn't so heavily loaded already that it falls over) so you can see what types of traffic you are dealing with. Using MCI/UUs method you could track any spoofed traffic back to where it enters your network pretty easily. I know that Chris and company do it with amazing speed across 701. If it works for them then it likely works for the rest of you. Netflow data would likely lead you to sources of the most pain so you could go after those first. Fighting an attack isn't always about making the attack go away. Often times the key to not getting killed is to find the big guns and get them silenced first. Sure, you're still getting shot, but it isn't going to kill you and you can take some additional time to find the smaller guns. If you are seeing the bulk of the attack come from a few sources let their security teams deal with it and take the pain away from you. Armed with the data you glean from this approach you will usually be able to get a positive response from your upstream or peers. If not make a quick note to yourself that you need to replace them once your attack is over and done with. If all else fails blackhole the host under attack at your borders, or even better on your upstream's network via BGP triggered blackhole (if they don't support it make a note to replace them with someone who does when the attack is over). You might sacrifice that host but you'll save the rest of your network and likely buy yourself some more time to track back to the source and kill it. I'm certainly not suggesting I have all the answers or that I have it all figured out. I also realize that the world is not a rosy place where inter-provider communication is perfect and I always get the answers I need when I call them. I'm just tired of seeing people play the victim, complaining how the Big Providers won't protect them, etc. without looking
RE: How many backbones here are filtering the makelovenotspam scr eensaver site?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 -Original Message- From: Justin Ryburn [mailto:[EMAIL PROTECTED] Sent: Thursday, December 02, 2004 4:18 PM To: Chad Skidmore; [EMAIL PROTECTED] Subject: Re: How many backbones here are filtering the makelovenotspam scr eensaver site? This is what scares me. Who determines the bad guys? I don't know anyone over at Lycos so I have no trust (or lack there of) in Lycos. Who is to say that Lycos won't decide next month that Yahoo, Google, MSN, _insert your own network here_ are bad guys and point the screen saver at them. Are they likely to do it? Probably not; it would be a PR nightmare for them. But who is to stop them? What if they don't go so extreme and just point the screen saver at gray hat hosts who are open relays or something? I agree 100%. I believe that I get to decide what is or is not ok traffic on my network. I define that in my AUP and customers agree to and understand that when they buy service from me. My opinion (not that anyone asked) is retaliation is childish and unprofessional. I remember the Internet before Spam, Also agree 100%. If there is traffic hitting my network that I don't believe is ok then I can choose not to carry that traffic on my network. It doesn't give me the right to attack the originator of that traffic or the person that I believe to be the originator of that traffic. That's why I am a very firm believer in the power of ip route x.x.x.x y.y.y.y null0 command. :) Makes the problem go away for me (for the most part) and doesn't cause anyone else any pain as a result except my customers, who agreed to let me use that power when they purchased service from me. botnets, DDOS, etc. and dream of a day when these are under control again just as much as the next geek. However, stooping to the level of the miscreant is not the answer to the problem in my opinion. Justin Ryburn [EMAIL PROTECTED] Dance like nobody's watching; love like you've never been hurt. Sing like nobody's listening; live like it's heaven on earth. -- Mark Twain - Chad E Skidmore One Eighty Networks, Inc. http://www.go180.net 509-688-8180 -BEGIN PGP SIGNATURE- Version: PGP 8.1 iQA/AwUBQa+yXU2RUJ5udBnvEQLX1gCglUjYXtQXyrSMFdfsQeZg9beq/xsAoI/C jOJ77EI+PIQs01sPNEnBphWK =ZScz -END PGP SIGNATURE-
RE: Sabotage investigation of fiber cuts in Northwest
FWIW, the following is the notes from Qwest's outage notification on the 3rd. -- NOTES: SS7 DUAL A-LINK FAILURE UNDER INVESTIGATION BY SS7,NFC AND SWITCH. (3) OC48'S FAILED/ SUSPECT FIBER CUT BTWN BLHMWA E. STANWD RPTR/ UPGRADED TO RED DUE TO NALS/ STILL INVEST./ RR'G SS7 LINK TO RADIO OTDR INDICATES 42 N. OF STTLWA04/ TECH ENROUTE TO ESWDWA RPTR/ ETA 45MINS. TECHS ON SITE NOW / SUSPECT VANDALISM / LAW ENFORCEMENT ON SITE TECHS ARE INSIDE HUT/ CABLE IS CUT AT HUT/ CONFIRMED VANALISM INSIDE HUT TAKING PICTURES INSIDE HUT/ TEN FIBERS CUT/ LOADING EQPT. FROM TRUCK/ NO ETR FIBERS PRIORITIZED / 6 OF 10 FIBERS CUT / SPLICING WILL START IN 15MINS. FIRST FIBERS ARE SPLICED/ A-LINKS RESTORED/ BLOCKING IS ST FIRST FIBERS ARE SPLICED/ A-LINKS RESTORED/ BLOCKING IS STARTING TO CLEAR BLOCKAGE STOPPED AT 12:45 PDT / SPLICING CONTINUES CLEARING ALARMS FINAL CLEAN UP ONGOING/ 6 FIBERS SPLICE ALL ALARMS HAVE CLEARED 911 BACK ON NORMAL PATH AND TESTED. 6 FIBERS SPLICE ALL ALARMS HAVE CLEARED 911 BACK ON NORMAL PATH AND TESTED. 6 FIBERS SPLICE ALL ALARMS HAVE CLEARED 911 BACK ON NORMAL PATH AND TESTED. RESTORE DATE TIME 2003-09-03 12:28:44 PDT -- Regards, Chad Chad Skidmore One Eighty Networks http://www.go180.net 509-688-8180 -Original Message- From: Laurence F. Sheldon, Jr. [mailto:[EMAIL PROTECTED] Posted At: Monday, November 03, 2003 8:08 PM Posted To: NANOG Conversation: Sabotage investigation of fiber cuts in Northwest Subject: Re: Sabotage investigation of fiber cuts in Northwest JC Dill wrote: At 07:32 PM 11/3/2003, John Fraizer wrote: On Mon, 3 Nov 2003, Owen DeLong wrote: Maybe I'm missing something, but, if you have the bolt cutters, I don't see why you need the key to an adjacent lock or any of the locks. Um, cutting a lock out gets it out of the mix but, you still have to have the key to one of the other locks to complete the chain again. Think about it. A cut lock can be replaced with a similar replacement lock and usually no one will be the wiser. Look at the locks here: http://www.qsl.net/kf4lhp/telweb/microwave/kiv70/padlocks.jpg The lock marked ATC is between 2 other locks (that's a hasp to its left, with rusty chain further to the left). It could be cut and replaced with a similar lock linking the other two locks, without opening either of the other two locks. On gates with many locks (I've seen chains of 6 or more), there is rarely any interest given to the locks that are not one's own responsibility. I wonder if that Bell System (F7?) is ever unlocked anymore.
RE: uunet
Last week we experienced a significant (for us anyway) DDOS against one of our customers and UUNET was one of the quickest to respond. No, we are not a UUNET customer but Chris (with UUNET) responded very quickly (within 30min I believe) to a post we made to a mail list and began blackholing traffic in UUNET's network. BTW, this was at about 10:30pm on a Monday night his time. WorldCom/UUNET is an easy company to beat on (and probably deserves it some of the time) but the UUNET security team is, in my opinion, top notch. They have been very willing to share information and techniques and been very willing to help others implement DDOS/DOS tracking. I'm not disputing the fact that you probably had a bad experience getting through to the right person. It sounds like the UUNET NOC (like many NOCs) was not terribly helpful. Other forms of communication like NANOG and nsp-sec are often times better forms of communication when it comes to DOS/DDOS attacks and other security issues. Hopefully that will change over time. Regards, Chad --- Chad Skidmore One Eighty Networks http://www.go180.net 509-688-8180 -Original Message- From: Scott Granados [mailto:[EMAIL PROTECTED]] Posted At: Sunday, January 19, 2003 2:27 PM Posted To: NANOG Conversation: uunet Subject: Re: uunet Its just unfortunate that some companies not mentioning names feel this is good practice. Others don't feel this way which is a good thing. Just a note, uunet wouldn't take my call when a ddos attach originated on their network either. Same response with the exception of Well we don't have security persons available after hours so write us an e-mail and you may get a response within 48 hours. Which to me sounded just plain wrong because I've seen threds onhere to the contrary. - Original Message - From: blitz [EMAIL PROTECTED] To: Scott Granados [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Sent: Sunday, January 19, 2003 1:24 AM Subject: Re: uunet I'll copy this email, and keep it for reference when someone asks about buying service from UUnet...thanks... At 17:17 1/18/03 -0800, you wrote: What's interesting is that I just tried to call the noc and was told We have to have you e-mail the group my response, I can't I have no route working to uunet Well you have to my response, ok I'll use someone elses mail box where do I mail? We can't tell you your not a customer My response its a routing issue do you have somewhere I can e-mail you. Your not my customer I really don't care *click* Nice. professional too. Anyone have a number to the noc that someone with clue might answer? - Original Message - From: David Diaz [EMAIL PROTECTED] To: Scott Granados [EMAIL PROTECTED]; [EMAIL PROTECTED] Sent: Saturday, January 18, 2003 4:35 PM Subject: Re: uunet Im not seeing anything coming from qwest. At 16:55 -0800 1/18/03, Scott Granados wrote: Is something up on uunet tonight? It looks to me that dns is broken forward and reverse but more likely it looks like a bad bogan fiilter popped up suddenly. I have issue as soon as I leave mfn's network and hit uunet. -- David Diaz [EMAIL PROTECTED] [Email] [EMAIL PROTECTED] [Pager] www.smoton.net [Peering Site under development] Smotons (Smart Photons) trump dumb photons