RE: Redundant Array of Inexpensive ISP's?
In answer to a question below about experience with similar products...

Cisco IOS has the dynamic routing injection feature as part of recent IOS versions. The feature is now called Performance Routing (PfR), formerly known as OER (Optimized Edge Routing), and as of 12.4(24)T it can optimize routing protocols other than BGP or static routes (called PIRO, Protocol Independent Route Optimization), including IS-IS, OSPF and EIGRP. RIP folks should learn about routing protocols :-D

PfR does not do compressions/tokenization of the data, so it has no Caching/compression/WAN Acceleration features, BUT it does do dynamic path re-routing based on your policy or observed metrics like latency, packet loss, jitter etc. and can also do it based on observed Netflow data and automatic instantiation of IP SLA active probes to see what happens for a RTP data stream marked with dscp 46 or video stream marked with dscp 34 and so on.

As of recent IOS versions (12.4(9)T + I think), it can control both inbound and outbound directions, and can do things like send your traffic to ISP X up to bandwidth Bx and then shift traffic over to ISP Y up to bandwidth By to do dynamic load sharing of traffic to IP transit commit levels.

Not a bad feature for free. Larger scale deployments should probably use a dedicated controller box making the re-routing decisions, but any WAN egress point to an Internet or private WAN provider is your "border" device used by the "master" to get information, set up probes and learn netflow data to make decisions.

I've used it for testing purposes on enterprise WAN deployment and it works pretty well. We are planning on deploying on a production DMVPN solution when the mGRE bug below is resolved. My main beef is a bug related to use of PfR on mGRE tunnel interfaces and the memory-hog nature of the feature...

It will detect your brown-out issues like increased packet loss for traffic through provider X that cause customers to call you about broken applications and will re-route the traffic so you may never even know there was an issue!!

The solution is particularly good for enterprises with only a few WAN or Internet exits from a location and for dynamically load sharing traffic to paid-for commit levels to reduce recurring cost and get the most out of existing connectivity without paying burst charges.

We've done testing on use for our internet border routing in the "advice" mode, where it just says what changes it would make, without actually making the changes. Production deployment soon as part of the ever popular cost-reduction efforts currently in vogue in enterprises right now given the current economy.

http://www.cisco.com/go/pfr

There's some similar solutions out there.. RouteScience was mentioned, but I didn't see anyone mention InterNAP FCP, which is part of the basis for InterNAP's PNAP business model... They also sell it to other enterprises and ISPs.

-Original Message-
From: Ken A [mailto:k...@pacific.net]
Sent: Thursday, March 12, 2009 9:18 AM
To: nanog@nanog.org
Subject: Re: Redundant Array of Inexpensive ISP's?

Tim Utschig wrote:
> [Please reply off-list. I'll summarize back to the list if there is
> more than a little interest in me doing so.]
>

Please do. There are many rural ISPs and WISPs that might benefit from a decent look at these products, or any open source clones that might be available to test & refine these tricks. Pricing for even a fractional DS3 in the rural US is still very high. Being able to shift bandwidth from a colo facility in a large city to a remote site served by 3 or 4 consumer grade broadband links could be a helpful development, if the bottom line works out.

Thanks,
Ken

> I'm curious if anyone has experience with products from Talari
> Networks, or anything similar, and would like to share. Did they live
> up to your expectations? Caveats?
>

--
Ken Anderson
Pacific Internet - http://www.pacific.net
Re: Dynamic IP log retention = 0?
On Thu, Mar 12, 2009 at 8:52 PM, Joe Greco wrote:

> > Well most port scanning is from compromised boxes. Once a
> > box is compromised it can be used for *any* sort of attack.
> > If you really care about security you take reports of ports
> > scans seriously.
>
> Yeahbut, the real problem is that port scanning is typically used as
> part of a process to infect _other_ boxes. If you allow this sort of
> illness to spread, the patient (that is, the Internet) doesn't get
> better.
>

Port scanning is the Internet equivalent of the common cold. They're a dime a dozen. I recommend taking some Vitamin B and D. Block, and Drop.

Best,

Martin

--
Martin Hannigan mar...@theicelandguy.com
p: +16178216079
Re: Dynamic IP log retention = 0?
N. Yaakov Ziskind wrote:
> Not to disagree with any of your points, but the OP (which you quoted!)
> was talking about Covad, while you're bashing Comcast.

Oops, my bad. Well, and Covad's bad too. :-)

jc
Re: Dynamic IP log retention = 0?
> Well most port scanning is from compromised boxes. Once a
> box is compromised it can be used for *any* sort of attack.
> If you really care about security you take reports of ports
> scans seriously.

Yeahbut, the real problem is that port scanning is typically used as part of a process to infect _other_ boxes. If you allow this sort of illness to spread, the patient (that is, the Internet) doesn't get better.

... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
Re: Dynamic IP log retention = 0?
In message , "Ross" writes:
> Whether Covad chooses to enforce their AUP against port scanning is a
> business decision up to them. Again, why worry about things out of your
> control, especially when we are talking about port scanning. I would think
> people have more pressing issues, guess not.
>
> --
> Ross
> ross [at] dillio.net

Well most port scanning is from compromised boxes. Once a box is compromised it can be used for *any* sort of attack. If you really care about security you take reports of ports scans seriously.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
Re: Dynamic IP log retention = 0?
> Not to disagree with any of your points, but the OP (which you quoted!)
> was talking about Covad, while you're bashing Comcast.

Any sufficiently advanced NANOG conversation is indistinguishable from Comcast-bashing.

Rob
(Not agreeing, just observing.)
Expert Witness needed for Terry Childs case
All:

An attorney needs an Expert Witness for the Terry Childs case. I don't know much about the case and I'm not endorsing it in either way, but justice requires a vigorous defense -- and stating facts and acting on behalf of the legal process is always a good thing to participate in.

This is a paid job in a high-profile case.

The attorney is looking for someone in/near the SF Bay Area who knows routing, WAN, switches, routers -- a CCIE type who would be willing to act as an expert witness in this case. CCIE is not required, but would be very helpful. Also should be expert in security and protecting these types of networks and gear.

Here's a summary from the attorney:

I am one of the attorneys working on the defense for Terry Childs. His is a very high profile case in San Francisco. He is charged with denial of service attacks on San Francisco's fiber network for city services. He is also charged with keeping a backdoor to hack the network, by virtue of the fact that he had at least one modem hooked up to the network for his monitoring software. He was in fact the administrator who set up the network and simply failed to turn over the passwords to the network machines to his boss, and now he is being held on $5,000,000.00 bail. That is a very simplified account of what happened.

Here is an O'Reilly article about the case:
http://news.oreilly.com/2008/07/coverage-of-terry-childs.html

They initially wanted a CCIE, because Mr. Childs has that certification. I am not sure any particular certification is required.

So we need a defense expert to testify about his security practices. Mr. Childs locked out console ports, took passwords out of NVRAM, set up access lists, and did a host of stuff to make sure that no one but him had access to these machines. It is a paid job in this super high profile case.

I remember that you, Dave, know all about security. I also thought Bruno might know someone who can help, because I remember that you, Bruno, know a lot about a lot.

Can either of you recommend someone? Or would you like to be involved? The trial date is fast approaching. I look forward to hearing back from you guys.

===

If you can assist, let me know and I'll get you in touch with the attorney.
Re: Dynamic IP log retention = 0?
> Whether Covad chooses to enforce their AUP against port scanning is a
> business decision up to them.

Yes, it's all a business decision. That kind of antisocial thinking is the sort of thing that has allowed all manner of bad guys to remain attached to the Internet.

> Again, why worry about things out of your
> control, especially when we are talking about port scanning.

Yes, why not talk about rapists and drug dealers instead. They're much worse. It's just that this forum ... isn't for that.

> I would think people have more pressing issues, guess not.

While I am all for increasing overall security on the Internet, the reality is that there will often be devices that are attached that are found to be vulnerable in new and intriguing ways. Port scanning is a primary method for finding these vulnerabilities. To the extent that an ISP might proactively port scan its own userbase, that's a good use and probably a good idea (has tradeoffs), but bad guys finding holes in random devices so that they can launch multiGbps attacks against random destinations is a bad thing.

If your idea of "operations" is to make your router work and collect your paycheck for another day, then this discussion probably does not make any sense to you and you probably don't understand the importance of the issue.

If your idea of "operations" is to ensure the reliable operation and uphold the performance standards of an IP network, then it should not be beyond comprehension that allowing miscreants access to the network is one of many things that can adversely affect operations. If you accept that the presence of miscreants on the network is a negative, it shouldn't be hard to see that complaining about consistent and persistent port scans from what is probably an identifiable host is one way to make an impact.

... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
Re: Dynamic IP log retention = 0?
Whether Covad chooses to enforce their AUP against port scanning is a business decision up to them. Again, why worry about things out of your control, especially when we are talking about port scanning. I would think people have more pressing issues, guess not.

--
Ross
ross [at] dillio.net

>
> In message <20090312120816.b...@egps.egps.com>, "N. Yaakov Ziskind"
> writes:
>> JC Dill wrote (on Thu, Mar 12, 2009 at 09:02:25AM -0700):
>> > Ross wrote:
>> >
>> > There seems to be a big misconception that he asked them to "hand over"
>> > the info. As I read the OP, he asked Covad to do something about it
>> > and Covad said "we can't do anything about it because we don't have
>> > logs". Here's a quote from the OP:
>
> The real problem is that Covad claim (second hand) that they can't
> identify the perpetrator(s).
>
> I've been nudging an operator at Covad about a handful of
> hosts from his DHCP pool that have been attacking -
> relentlessly port scanning - our assets. I've been informed
> by this individual that there's "no way" to determine which
> customer had that address at the times I list in my logs -
> even though these logs are sent within 48 hours of the
> incidents.
>
> One shouldn't need to have to get the identities of the perpetrators
> to get AUP enforced. Port scanning is against 99.9% of AUP's.
>
> Mark
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
Re: FYI RE: microsoft please contact me off list
What were the traffic characteristics that led you to believe you were under a DDOS attack?

Thomas P. Galla wrote:
> Here is what I got back
>
> OBTW thanx
>
> Thomas
>
> =
> Sent: Thursday, March 12, 2009 4:22 PM
> To: Thomas P. Galla
> Subject: FW: microsoft please contact me off list
> Importance: High
>
> Thomas,
>
> I work in the research group managing the network range that you are reporting. Your network could be randomly included Honeymonkey (http://en.wikipedia.org/wiki/HoneyMonkey) or another research project (http://research.microsoft.com/en-us/um/redmond/projects/strider). Could you give me more details on what you are seeing or the IP range on your side that is being hit?
>
> Thx
> Steve
>
> Thomas P Galla
> t...@bluegrass.net
> BluegrassNet
> Voice (502) 589.INET [4638]
> Fax 502-315-0581
> 321 East Breckinridge St
> Louisville KY 40203
>
> -Original Message-
> From: Thomas P. Galla [mailto:t...@bluegrass.net]
> Sent: Thursday, March 12, 2009 3:35 PM
> To: nanog@nanog.org
> Subject: RE: microsoft please contact me off list
>
> Sorry I am getting dos attacked from below and it would be nice if microsoft working abuse ph# or noc# or a name ?
>
> -Original Message-
> From: Thomas P. Galla [mailto:t...@bluegrass.net]
> Sent: Thursday, March 12, 2009 3:24 PM
> To: nanog@nanog.org
> Subject: microsoft please contact me off list
>
> Can a person in charge contact me off list
>
> mail:~ $ whois -h whois.arin.net 131.107.65.41
>
> OrgName: Microsoft Corp
> OrgID: MSFT
> Address: One Microsoft Way
> City: Redmond
> StateProv: WA
> PostalCode: 98052
> Country: US
>
> NetRange: 131.107.0.0 - 131.107.255.255
> CIDR: 131.107.0.0/16
> NetName: MICROSOFT
> NetHandle: NET-131-107-0-0-1
> Parent: NET-131-0-0-0-0
> NetType: Direct Assignment
> NameServer: NS1.MSFT.NET
> NameServer: NS5.MSFT.NET
> NameServer: NS2.MSFT.NET
> NameServer: NS3.MSFT.NET
> NameServer: NS4.MSFT.NET
> Comment:
> RegDate: 1988-11-11
> Updated: 2004-12-09
>
> RTechHandle: ZM39-ARIN
> RTechName: Microsoft
> RTechPhone: +1-425-882-8080
> RTechEmail: n...@microsoft.com
>
> OrgAbuseHandle: ABUSE231-ARIN
> OrgAbuseName: Abuse
> OrgAbusePhone: +1-425-882-8080
> OrgAbuseEmail: ab...@msn.com
>
> OrgAbuseHandle: HOTMA-ARIN
> OrgAbuseName: Hotmail Abuse
> OrgAbusePhone: +1-425-882-8080
> OrgAbuseEmail: ab...@hotmail.com
>
> OrgAbuseHandle: MSNAB-ARIN
> OrgAbuseName: MSN ABUSE
> OrgAbusePhone: +1-425-882-8080
> OrgAbuseEmail: ab...@msn.com
>
> OrgNOCHandle: ZM23-ARIN
> OrgNOCName: Microsoft Corporation
> OrgNOCPhone: +1-425-882-8080
> OrgNOCEmail: n...@microsoft.com
>
> OrgTechHandle: MSFTP-ARIN
> OrgTechName: MSFT-POC
> OrgTechPhone: +1-425-882-8080
> OrgTechEmail: ipr...@microsoft.com
>
> # ARIN WHOIS database, last updated 2009-03-11 19:10
> # Enter ? for additional hints on searching ARIN's WHOIS database.
> mail:~ $ whois -h whois.arin.net 131.107.65.41

--
Charles N Wyble char...@thewybles.com
(818)280-7059 http://charlesnw.blogspot.com
CTO SocalWiFI.net
FYI RE: microsoft please contact me off list
Here is what I got back

OBTW thanx

Thomas

=
Sent: Thursday, March 12, 2009 4:22 PM
To: Thomas P. Galla
Subject: FW: microsoft please contact me off list
Importance: High

Thomas,

I work in the research group managing the network range that you are reporting. Your network could be randomly included Honeymonkey (http://en.wikipedia.org/wiki/HoneyMonkey) or another research project (http://research.microsoft.com/en-us/um/redmond/projects/strider). Could you give me more details on what you are seeing or the IP range on your side that is being hit?

Thx
Steve

Thomas P Galla
t...@bluegrass.net
BluegrassNet
Voice (502) 589.INET [4638]
Fax 502-315-0581
321 East Breckinridge St
Louisville KY 40203

-Original Message-
From: Thomas P. Galla [mailto:t...@bluegrass.net]
Sent: Thursday, March 12, 2009 3:35 PM
To: nanog@nanog.org
Subject: RE: microsoft please contact me off list

Sorry I am getting dos attacked from below and it would be nice if microsoft working abuse ph# or noc# or a name ?

-Original Message-
From: Thomas P. Galla [mailto:t...@bluegrass.net]
Sent: Thursday, March 12, 2009 3:24 PM
To: nanog@nanog.org
Subject: microsoft please contact me off list

Can a person in charge contact me off list

mail:~ $ whois -h whois.arin.net 131.107.65.41
Re: Dynamic IP log retention = 0?
In message <20090312120816.b...@egps.egps.com>, "N. Yaakov Ziskind" writes:
> JC Dill wrote (on Thu, Mar 12, 2009 at 09:02:25AM -0700):
> > Ross wrote:
> >
> > There seems to be a big misconception that he asked them to "hand over"
> > the info. As I read the OP, he asked Comcast to do something about it
> > and Comcast said "we can't do anything about it because we don't have
> > logs". Here's a quote from the OP:

The real problem is that Covad claim (second hand) that they can't identify the perpetrator(s).

    I've been nudging an operator at Covad about a handful of
    hosts from his DHCP pool that have been attacking -
    relentlessly port scanning - our assets. I've been informed
    by this individual that there's "no way" to determine which
    customer had that address at the times I list in my logs -
    even though these logs are sent within 48 hours of the
    incidents.

One shouldn't need to have to get the identities of the perpetrators to get AUP enforced. Port scanning is against 99.9% of AUP's.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
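
The lookup at issue in this thread, as an added example that is not part of any message on the list: given the address and UTC timestamp from an abuse report, find which subscriber held the DHCP lease. The log layout, field names, addresses (documentation ranges), MACs and circuit IDs are constructed for illustration, and the clock-skew window is an assumption.

```python
"""Added example: resolve (IP, timestamp) from an abuse report to a DHCP lease holder.

Everything below (log layout, addresses, MACs, circuit IDs) is constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import ipaddress

# Constructed lease events: "<utc-ts> <event> <ip> <mac> <circuit> [lease=<seconds>]"
SAMPLE_LEASE_LOG = """\
2009-03-10T01:00:00Z ACK 198.51.100.23 00:00:5e:00:53:01 circuit-A17 lease=86400
2009-03-10T13:00:00Z ACK 198.51.100.23 00:00:5e:00:53:01 circuit-A17 lease=86400
2009-03-11T02:30:00Z RELEASE 198.51.100.23 00:00:5e:00:53:01 circuit-A17
2009-03-11T02:45:00Z ACK 198.51.100.23 00:00:5e:00:53:02 circuit-B04 lease=86400
2009-03-11T09:00:00Z ACK 198.51.100.77 00:00:5e:00:53:03 circuit-C09 lease=3600
"""


@dataclass
class Binding:
    ip: str
    mac: str
    circuit: str
    start: datetime
    end: datetime


def parse_ts(text):
    """Parse the UTC timestamps used in the sample log and in abuse reports."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_lease_log(text):
    """Fold ACK/RELEASE events into per-address bindings with start and end times."""
    bindings, current = [], {}
    for line in text.splitlines():
        parts = line.split()
        try:
            ts, event, mac, circuit = parse_ts(parts[0]), parts[1], parts[3], parts[4]
            ip = str(ipaddress.ip_address(parts[2]))
            lease = int(parts[5].split("=", 1)[1]) if event == "ACK" else 0
        except (ValueError, IndexError):
            continue  # skip malformed lines rather than guess
        cur = current.get(ip)
        if event == "ACK":
            expiry = ts + timedelta(seconds=lease)
            if cur and cur.mac == mac and ts <= cur.end:
                cur.end = expiry          # renewal extends the same binding
            else:
                if cur and cur.end > ts:
                    cur.end = ts          # address handed to a different client
                cur = Binding(ip, mac, circuit, ts, expiry)
                bindings.append(cur)
                current[ip] = cur
        elif event == "RELEASE" and cur and cur.mac == mac:
            cur.end = min(cur.end, ts)    # client gave the address back early
    return bindings


def lookup(bindings, ip, when, skew=timedelta(minutes=5)):
    """Return (status, bindings) for the address at `when`, allowing for clock skew.

    status: "unique", "ambiguous" (address changed hands inside the window),
    "no-record", or "outside-retention" (report predates the oldest log entry).
    """
    if not bindings or when + skew < min(b.start for b in bindings):
        return "outside-retention", []
    lo, hi = when - skew, when + skew
    hits = [b for b in bindings if b.ip == ip and b.start <= hi and b.end >= lo]
    holders = {(b.mac, b.circuit) for b in hits}
    if not holders:
        return "no-record", []
    return ("unique" if len(holders) == 1 else "ambiguous"), hits


if __name__ == "__main__":
    table = parse_lease_log(SAMPLE_LEASE_LOG)
    for stamp in ("2009-03-10T20:00:00Z", "2009-03-11T02:40:00Z", "2009-03-01T00:00:00Z"):
        status, hits = lookup(table, "198.51.100.23", parse_ts(stamp))
        print(stamp, status, [h.circuit for h in hits])
```

A report timestamp that falls near a lease handover resolves to one subscriber only when the skew window is tight, which is why reports need synchronized UTC timestamps.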
Re: microsoft please contact me off list
In our case we didn't bother with where it was coming from - our router guy figured out where it was going to - and had that IP shut down a couple levels away from us.

Thomas P. Galla wrote:
> Sorry I am getting dos attacked from below and it would be nice if microsoft working abuse ph# or noc# or a name ?
>
> Thomas P Galla
> t...@bluegrass.net
> BluegrassNet
> Voice (502) 589.INET [4638]
> Fax 502-315-0581
> 321 East Breckinridge St
> Louisville KY 40203
>
> -Original Message-
> From: Thomas P. Galla [mailto:t...@bluegrass.net]
> Sent: Thursday, March 12, 2009 3:24 PM
> To: nanog@nanog.org
> Subject: microsoft please contact me off list
>
> Can a person in charge contact me off list
>
> mail:~ $ whois -h whois.arin.net 131.107.65.41

--
Jeff Shultz
Re: microsoft please contact me off list
On Thu, 12 Mar 2009 12:40:06 PDT, Charles Wyble said:
> You are getting dossed from a Microsoft network range? Really? Perhaps
> they got bit by a worm targeting windows systems? :)

You mean like this?

http://www.theregister.co.uk/2001/07/20/code_red_bug_hits_microsoft/

(To be fair, screw-ups happen at *all* vendors eventually - the RedHat/Fedora crew had a small "whoops!" with the system that digitally signs their RPM packages a while ago. Just proves that security is harder to get right than a lot of people think...)
Re: microsoft please contact me off list
Yes I agree. I forgot to do the *raises an incredulous eyebrow* bit. :)

By the way try calling that number and reaching an operator then asking for the NOC.

chris.ra...@nokia.com wrote:
> More likely spoofed sources.
>
> Good luck.
Re: Dynamic IP log retention = 0?
J. Oquendo wrote:
> On Thu, 12 Mar 2009, Glen Turner wrote:
> William Allen Simpson wrote:
> A telecommunications carrier releasing a customer's details without their permission, to a non-investigatory third party, without a court order. Hmmm. It's certainly illegal here in Australia.
> And last I checked wasn't the US firm Hewlett Packard in trouble for hiring people to do just that?

Hey, bad quotation! I'm not from Australia. That's not my writing. Nor did I ever advocate releasing a customer's details -- to anybody. :-(

I also disagree with your point about responsibilities of ISPs. Yes, it's true that Microsoft externalized its costs upon its customers. But only the ISPs are in a position to detect the abuse, and that's part of the business.

Some of us take network security seriously.
Re: microsoft please contact me off list
He's gonna need it!

On Thu, Mar 12, 2009 at 12:54 PM, wrote:
> More likely spoofed sources.
>
> Good luck.
>
>>-Original Message-
>>From: ext Charles Wyble [mailto:char...@thewybles.com]
>>Sent: Thursday, March 12, 2009 12:40 PM
>>To: Thomas P. Galla
>>Cc: nanog@nanog.org
>>Subject: Re: microsoft please contact me off list
>>
>>You are getting dossed from a Microsoft network range? Really?
>>Perhaps they got bit by a worm targeting windows systems? :)
>>
>>Thomas P. Galla wrote:
>>> Sorry I am getting dos attacked from below and it would be nice if microsoft working abuse ph# or noc# or a name ?
>>>
>>> Thomas P Galla
>>> t...@bluegrass.net
>>> BluegrassNet
>>> Voice (502) 589.INET [4638]
>>> Fax 502-315-0581
>>> 321 East Breckinridge St
>>> Louisville KY 40203
>>>
>>> -Original Message-
>>> From: Thomas P. Galla [mailto:t...@bluegrass.net]
>>> Sent: Thursday, March 12, 2009 3:24 PM
>>> To: nanog@nanog.org
>>> Subject: microsoft please contact me off list
>>>
>>> Can a person in charge contact me off list
>>>
>>> mail:~ $ whois -h whois.arin.net 131.107.65.41
>>
>>--
>>Charles N Wyble char...@thewybles.com
>>(818)280-7059 http://charlesnw.blogspot.com
>>CTO SocalWiFI.net
RE: microsoft please contact me off list
More likely spoofed sources.

Good luck.

>-Original Message-
>From: ext Charles Wyble [mailto:char...@thewybles.com]
>Sent: Thursday, March 12, 2009 12:40 PM
>To: Thomas P. Galla
>Cc: nanog@nanog.org
>Subject: Re: microsoft please contact me off list
>
>You are getting dossed from a Microsoft network range? Really?
>Perhaps they got bit by a worm targeting windows systems? :)
>
>Thomas P. Galla wrote:
>> Sorry I am getting dos attacked from below and it would be nice if microsoft working abuse ph# or noc# or a name ?
>>
>> Thomas P Galla
>> t...@bluegrass.net
>> BluegrassNet
>> Voice (502) 589.INET [4638]
>> Fax 502-315-0581
>> 321 East Breckinridge St
>> Louisville KY 40203
>>
>> -Original Message-
>> From: Thomas P. Galla [mailto:t...@bluegrass.net]
>> Sent: Thursday, March 12, 2009 3:24 PM
>> To: nanog@nanog.org
>> Subject: microsoft please contact me off list
>>
>> Can a person in charge contact me off list
>>
>> mail:~ $ whois -h whois.arin.net 131.107.65.41
>
>--
>Charles N Wyble char...@thewybles.com
>(818)280-7059 http://charlesnw.blogspot.com
>CTO SocalWiFI.net
Re: microsoft please contact me off list
You are getting dossed from a Microsoft network range? Really? Perhaps they got bit by a worm targeting windows systems? :)

Thomas P. Galla wrote:
> Sorry I am getting dos attacked from below and it would be nice if microsoft working abuse ph# or noc# or a name ?
>
> Thomas P Galla
> t...@bluegrass.net
> BluegrassNet
> Voice (502) 589.INET [4638]
> Fax 502-315-0581
> 321 East Breckinridge St
> Louisville KY 40203
>
> -Original Message-
> From: Thomas P. Galla [mailto:t...@bluegrass.net]
> Sent: Thursday, March 12, 2009 3:24 PM
> To: nanog@nanog.org
> Subject: microsoft please contact me off list
>
> Can a person in charge contact me off list
>
> mail:~ $ whois -h whois.arin.net 131.107.65.41

--
Charles N Wyble char...@thewybles.com
(818)280-7059 http://charlesnw.blogspot.com
CTO SocalWiFI.net
RE: microsoft please contact me off list
Sorry I am getting dos attacked from below and it would be nice if microsoft working abuse ph# or noc# or a name ?

Thomas P Galla
t...@bluegrass.net
BluegrassNet
Voice (502) 589.INET [4638]
Fax 502-315-0581
321 East Breckinridge St
Louisville KY 40203

-Original Message-
From: Thomas P. Galla [mailto:t...@bluegrass.net]
Sent: Thursday, March 12, 2009 3:24 PM
To: nanog@nanog.org
Subject: microsoft please contact me off list

Can a person in charge contact me off list

mail:~ $ whois -h whois.arin.net 131.107.65.41
microsoft please contact me off list
Can a person in charge contact me off list

mail:~ $ whois -h whois.arin.net 131.107.65.41

OrgName: Microsoft Corp
OrgID: MSFT
Address: One Microsoft Way
City: Redmond
StateProv: WA
PostalCode: 98052
Country: US

NetRange: 131.107.0.0 - 131.107.255.255
CIDR: 131.107.0.0/16
NetName: MICROSOFT
NetHandle: NET-131-107-0-0-1
Parent: NET-131-0-0-0-0
NetType: Direct Assignment
NameServer: NS1.MSFT.NET
NameServer: NS5.MSFT.NET
NameServer: NS2.MSFT.NET
NameServer: NS3.MSFT.NET
NameServer: NS4.MSFT.NET
Comment:
RegDate: 1988-11-11
Updated: 2004-12-09

RTechHandle: ZM39-ARIN
RTechName: Microsoft
RTechPhone: +1-425-882-8080
RTechEmail: n...@microsoft.com

OrgAbuseHandle: ABUSE231-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-425-882-8080
OrgAbuseEmail: ab...@msn.com

OrgAbuseHandle: HOTMA-ARIN
OrgAbuseName: Hotmail Abuse
OrgAbusePhone: +1-425-882-8080
OrgAbuseEmail: ab...@hotmail.com

OrgAbuseHandle: MSNAB-ARIN
OrgAbuseName: MSN ABUSE
OrgAbusePhone: +1-425-882-8080
OrgAbuseEmail: ab...@msn.com

OrgNOCHandle: ZM23-ARIN
OrgNOCName: Microsoft Corporation
OrgNOCPhone: +1-425-882-8080
OrgNOCEmail: n...@microsoft.com

OrgTechHandle: MSFTP-ARIN
OrgTechName: MSFT-POC
OrgTechPhone: +1-425-882-8080
OrgTechEmail: ipr...@microsoft.com

# ARIN WHOIS database, last updated 2009-03-11 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
mail:~ $ whois -h whois.arin.net 131.107.65.41

Thomas P Galla
t...@bluegrass.net
BluegrassNet
Voice (502) 589.INET [4638]
Fax 502-315-0581
321 East Breckinridge St
Louisville KY 40203
Four blocks of AS Numbers allocated
Hi,

The IANA AS Numbers registry has been updated to reflect the allocation of four blocks of AS Numbers recently.

49152-50175  Assigned by RIPE NCC  whois.ripe.net    2009-03-06
50176-51199  Assigned by RIPE NCC  whois.ripe.net    2009-03-06
51200-52223  Assigned by RIPE NCC  whois.ripe.net    2009-03-06
52224-53247  Assigned by LACNIC    whois.lacnic.net  2009-03-11

The registry can be found at:
http://www.iana.org/assignments/as-numbers/as-numbers.xml

Regards,

Leo Vegoda
Number Resources Manager, IANA
Re: Dynamic IP log retention = 0?
On Thu, 12 Mar 2009, Glen Turner wrote:
> William Allen Simpson wrote:
> >
> A telecommunications carrier releasing a customer's details without their
> permission, to a non-investigatory third party, without a court order.
> Hmmm. It's certainly illegal here in Australia. And last I checked wasn't
> the US firm Hewlett Packard in trouble for hiring people to do just that?

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP

"Enough research will tend to support your conclusions." - Arthur Bloch

"A conclusion is the place where you got tired of thinking" - Arthur Bloch

227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E
Re: Dynamic IP log retention = 0?
valdis.kletni...@vt.edu wrote:
> You *do* realize that "has a public address" does not actually mean that the
> machine is reachable from random addresses, right? There *are* these nice
> utilities called iptables and ipf - even Windows and Macs can be configured to
> say "bugger off" to unwanted traffic.
>
> And you can put a firewall appliance inline without using NAT as well.

The other big benefit to using real public IPs is abuse related. There's a scenario we encounter on a semi-regular basis where we forward a report of an apparently infected host to a customer who responds back: "How can I tell which one of our hosts is infected? We've got 200 workstations inside our NAT and this abuse report only has our single public address."

So I recommend a packet sniffer inside their LAN or accounting on their firewall. But sometimes the source is a salesperson's laptop, and they've gone on a business trip. So no new reports come in and everyone decides it must have been a false alarm.

Now imagine that salesperson only stops back in the office once a month, at random undocumented intervals to make backups. How do we ever track him down? The abuse report cycle just doesn't turn around fast enough - often we don't even get reports for a day or two.

So I find myself advising customers in this situation to give every user a public IP. Even if they still do 1:1 NAT, the problem is mostly resolved provided they faithfully document MAC addresses and keep DHCP logs for a suitable length of time.

Mike
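An added example, not part of the original post: the lookup Mike describes, mapping an abuse report's address and time to a MAC address from retained DHCP logs. The log format, the addresses and the names `parse_leases` and `attribute` are constructed for illustration, and all timestamps are assumed to share one time zone.

```python
from datetime import datetime, timedelta

# Constructed lease log (timestamp, event, IP, MAC, lease seconds). The format
# is an assumption for this example, not any particular DHCP server's.
LEASE_LOG = """\
2009-03-09T08:01:12 ACK 203.0.113.20 00:16:cb:aa:10:01 lease=86400
2009-03-09T17:45:03 RELEASE 203.0.113.20 00:16:cb:aa:10:01
2009-03-10T09:12:40 ACK 203.0.113.20 00:1b:63:bb:20:02 lease=3600
2009-03-10T09:42:41 ACK 203.0.113.20 00:1b:63:bb:20:02 lease=3600
2009-03-11T07:30:00 ACK 203.0.113.21 00:16:cb:aa:10:01 lease=86400
"""


def parse_leases(text):
    """Return ([ip, mac, start, end] intervals, timestamp of the oldest record)."""
    intervals, latest, oldest = [], {}, None
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[1] not in ("ACK", "RELEASE"):
            continue
        when = datetime.fromisoformat(parts[0])
        event, ip, mac = parts[1], parts[2], parts[3].lower()
        oldest = when if oldest is None else min(oldest, when)
        cur = latest.get(ip)  # most recent interval recorded for this IP
        if event == "RELEASE":
            if cur and cur[1] == mac:
                cur[3] = min(cur[3], when)  # lease given up early
            continue
        if len(parts) < 5:
            continue  # ACK without a lease time: cannot bound the interval
        end = when + timedelta(seconds=int(parts[4].split("=", 1)[1]))
        if cur and cur[1] == mac and when <= cur[3]:
            cur[3] = end  # renewal by the same client extends the interval
        else:
            if cur:
                cur[3] = min(cur[3], when)  # address handed to another client
            cur = [ip, mac, when, end]
            intervals.append(cur)
            latest[ip] = cur
    return intervals, oldest


def attribute(report_ip, report_time, log_text=LEASE_LOG):
    """Map an abuse report (IP, ISO timestamp) to the MAC that held the lease."""
    when = datetime.fromisoformat(report_time)
    intervals, oldest = parse_leases(log_text)
    if oldest is None or when < oldest:
        return "outside-retention"  # retained logs do not reach back that far
    for ip, mac, start, end in intervals:
        if ip == report_ip and start <= when < end:
            return mac
    return "unleased"


if __name__ == "__main__":
    print(attribute("203.0.113.20", "2009-03-10T10:30:00"))
```

The "outside-retention" result is the case the thread is about: a report that arrives after the logs have been discarded cannot be attributed, however good the parser.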
Re: Dynamic IP log retention = 0?
On Wed, 11 Mar 2009 07:53:01 -0800, Marcus Reid said:
> A quick scan of the reverse mapping for your address space in DNS reveals
> that you have basically your entire network on public addresses. No wonder
> you're worried about portscans when the printer down the hall and the
> receptionist's machine are sitting on public addresses. I think you are
> trying to secure your network from the wrong end here.

You *do* realize that "has a public address" does not actually mean that the machine is reachable from random addresses, right? There *are* these nice utilities called iptables and ipf - even Windows and Macs can be configured to say "bugger off" to unwanted traffic.

And you can put a firewall appliance inline without using NAT as well.
Re: Dynamic IP log retention = 0?
JC Dill wrote (on Thu, Mar 12, 2009 at 09:02:25AM -0700):
> Ross wrote:
> >
> There seems to be a big misconception that he asked them to "hand over"
> the info. As I read the OP, he asked Comcast to do something about it
> and Comcast said "we can't do anything about it because we don't have
> logs". Here's a quote from the OP:
>
> >I've been nudging an operator at Covad about a handful of hosts from
> >his DHCP pool that have been attacking - relentlessly port scanning -
> >our assets. I've been informed by this individual that there's "no
> >way" to determine which customer had that address at the times I list
> >in my logs - even though these logs are sent within 48 hours of the
> >incidents.
>
> IMHO, that's a bunch of BS from whoever he's talking with at Comcast.
> In the normal course of business they would have logs of which customer
> had that IP just 48 hours earlier. They *can* do something about their
> customer. And they *should* do something about their customer who is
> causing problems on another network, the same as if that customer was
> spewing spam, or actually attacking (DDoS etc.) another network.
>
> So the question circles back around to how does the OP get Comcast to
> step up, internally identify and take care of their problem customer?
> What path should he take to get connected with someone who has more clue
> about this type of problem so that they can address it in a timely fashion?
>
> Has it come to needing to get a lawyer to write a strongly worded letter
> just to get this type of thing done today?
>
> jc

[Disclaimer - I am a lawyer, and I write strongly worded letters to pay my bills.]

Not to disagree with any of your points, but the OP (which you quoted!) was talking about Covad, while you're bashing Comcast.

--
Nachman Yaakov Ziskind, FSPA, LLM aw...@ziskind.us
Attorney and Counselor-at-Law http://ziskind.us
Economic Group Pension Services http://egps.com
Actuaries and Employee Benefit Consultants
Re: Dynamic IP log retention = 0?
Ross wrote:
> I'll try to answer you in a more common sense approach as some have tried
> to do. First of all no network operator has to hand over their logs or user
> information over to you just because you want to know.

There seems to be a big misconception that he asked them to "hand over" the info. As I read the OP, he asked Comcast to do something about it and Comcast said "we can't do anything about it because we don't have logs". Here's a quote from the OP:

> I've been nudging an operator at Covad about a handful of hosts from
> his DHCP pool that have been attacking - relentlessly port scanning -
> our assets. I've been informed by this individual that there's "no
> way" to determine which customer had that address at the times I list
> in my logs - even though these logs are sent within 48 hours of the
> incidents.

IMHO, that's a bunch of BS from whoever he's talking with at Comcast. In the normal course of business they would have logs of which customer had that IP just 48 hours earlier. They *can* do something about their customer. And they *should* do something about their customer who is causing problems on another network, the same as if that customer was spewing spam, or actually attacking (DDoS etc.) another network.

So the question circles back around to how does the OP get Comcast to step up, internally identify and take care of their problem customer? What path should he take to get connected with someone who has more clue about this type of problem so that they can address it in a timely fashion?

Has it come to needing to get a lawyer to write a strongly worded letter just to get this type of thing done today?

jc
Re: Redundant Array of Inexpensive ISP's?
Tim Utschig wrote:
> [Please reply off-list. I'll summarize back to the list if there is
> more than a little interest in me doing so.]

Please do. There are many rural ISPs and WISPs that might benefit from a decent look at these products, or any open source clones that might be available to test & refine these tricks. Pricing for even a fractional DS3 in the rural US is still very high. Being able to shift bandwidth from a colo facility in a large city to a remote site served by 3 or 4 consumer grade broadband links could be a helpful development, if the bottom line works out.

Thanks,
Ken

> I'm curious if anyone has experience with products from Talari
> Networks, or anything similar, and would like to share. Did they
> live up to your expectations? Caveats?

--
Ken Anderson
Pacific Internet - http://www.pacific.net
Re: Redundant Array of Inexpensive ISP's?
Hello Tim,

a lot of our customers who need very stable Internet access got their portable address space and their AS number from us (we are a LIR) and connected to 2 or even more upstreams.

Sure, some broadband ISPs didn't provide BGP for their clients, but there are companies providing BGP over L2TP or GRE. So the whole solution costs a ~$1000 one-time fee (PI/AS, BGP router like Cisco or Quagga box, a bit of consulting).

Good advice is to diversify upstreams by media, i.e. CaTV+DSL+Fiber+Radio, so if fiber to the house is cut, radio is still working.

It is possible to integrate that into a complete service - i.e. install a box that connects to 2-3 ISPs and "just works", but we haven't had requests to do that. Please contact me off-list if somebody is interested in it.

Tim Utschig wrote:
> [Please reply off-list. I'll summarize back to the list if there
> is more than a little interest in me doing so.]
>
> I'm curious if anyone has experience with products from Talari
> Networks, or anything similar, and would like to share. Did they
> live up to your expectations? Caveats?

--
WBR,
Max Tulyev (MT6561-RIPE, 2:463/2...@fido)
Re: Dynamic IP log retention = 0?
On Mar 12, 2009, at 12:25 AM, Ross wrote:
> How did a simple thread about network scanning get so derailed... we have
> people talking about the legal implications of port scanning, hiring
> lawyers to go after ISPs, talking to the fbi, the benefits/downfalls of NAT
> as a security policy, etc. Wow just wow.

it's nanog, you expect something different? :)
Re: Dynamic IP log retention = 0?
How did a simple thread about network scanning get so derailed... we have people talking about the legal implications of port scanning, hiring lawyers to go after ISPs, talking to the fbi, the benefits/downfalls of NAT as a security policy, etc. Wow just wow.

I'll try to answer you in a more common sense approach as some have tried to do. First of all no network operator has to hand over their logs or user information over to you just because you want to know. You can ask their abuse department to intervene but that is all up to that department. They may have told you they don't have them just because they didn't want you pestering them anymore or they may really not have them, who knows. Don't try to judge them but try to fix this very minute problem in a way you can control.

The ways you can control this are simple.

1) Block all of covad (not very smart)
2) Block all of covad except for essential ports (25,80,443 or whatever other common ports they may need)
3) Setup a perimeter protection that blocks hosts that are scanning you and removes them after a determined amount of time

This trying to shun people in public because they aren't following your guide to network administration probably isn't going to work very well for you. If 65000 covad addresses were ddosing you then I would agree that you have a legitimate gripe but focus on what you can control and not what you believe others should be doing.

--
Ross
ross [at] dillio.net

> I've been nudging an operator at Covad about a handful of hosts from his
> DHCP pool that have been attacking - relentlessly port scanning - our
> assets. I've been informed by this individual that there's "no way" to
> determine which customer had that address at the times I list in my logs -
> even though these logs are sent within 48 hours of the incidents.
> The operator advised that I block the specific IP's that are attacking
> us at my perimeter. When I mentioned the fact that blocking individual
> addresses will only be as effective as the length of lease for that DHCP
> pool I get the email equivalent of a shrug.
> "Well, maybe you want to ban our entire /15 at your perimeter..."
> I'm reluctant to ban over 65,000 hosts as my staff have colleagues
> all over the continental US with whom they communicate regularly.
> I realize these are tough times and that large ISP's may trim abuse team
> budgets before other things, but to have NO MECHANISM to audit who has
> what address at any given time kinda blows my mind.
> Does one have to get to the level of a subpoena before abuse teams pull
> out the tools they need to make such a determination? Or am I naive enough
> to think port scans are as important to them as they are to me on the
> receiving end?
>
> --
>
> Brett Charbeneau, GSEC Gold, GCIH Gold
> Network Administrator
> Williamsburg Regional Library
> 7770 Croaker Road
> Williamsburg, VA 23188-7064
> (757)259-4044 www.wrl.org
> (757)259-4079 (fax) br...@wrl.org
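An added example, not part of the original post, of Ross's option 3: block a source that probes many distinct ports within a short window and lift the block after a fixed time. The thresholds, the addresses, the `ScanShun` class and the `replay` helper are assumptions made for illustration, and the events are constructed.

```python
from collections import defaultdict, deque

WINDOW = 60        # seconds of history considered per source
THRESHOLD = 5      # distinct destination ports within WINDOW counts as a scan
BLOCK_SECS = 3600  # how long a source stays blocked

# Constructed perimeter denies: (epoch seconds, source IP, destination port).
EVENTS = [
    (1000, "198.51.100.7", 21), (1001, "198.51.100.7", 22),
    (1002, "192.0.2.50", 25),   (1003, "198.51.100.7", 23),
    (1004, "198.51.100.7", 25), (1005, "192.0.2.50", 25),
    (1006, "198.51.100.7", 80), (1500, "198.51.100.7", 443),
    (4700, "198.51.100.7", 22),
]


class ScanShun:
    def __init__(self):
        self.recent = defaultdict(deque)  # src -> deque of (time, port)
        self.blocked_until = {}           # src -> expiry time

    def is_blocked(self, src, now):
        expiry = self.blocked_until.get(src)
        if expiry is not None and now >= expiry:
            del self.blocked_until[src]   # block has aged out
            return False
        return expiry is not None

    def observe(self, now, src, port):
        """Feed one denied connection; return True if src is blocked afterwards."""
        if self.is_blocked(src, now):
            return True
        seen = self.recent[src]
        seen.append((now, port))
        while seen and seen[0][0] <= now - WINDOW:
            seen.popleft()                # forget probes older than WINDOW
        if len({p for _, p in seen}) >= THRESHOLD:
            self.blocked_until[src] = now + BLOCK_SECS
            seen.clear()
            return True
        return False


def replay(events):
    """Run events through a fresh ScanShun; return it and the new-block times."""
    shun, triggered = ScanShun(), []
    for now, src, port in events:
        already = shun.is_blocked(src, now)
        if shun.observe(now, src, port) and not already:
            triggered.append((now, src))
    return shun, triggered


if __name__ == "__main__":
    print(replay(EVENTS)[1])
```

The expiry is what makes per-address blocking workable against a DHCP pool: once the lease turns over, a permanent entry would land on an unrelated customer.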