Re: IP address fee??
On Sun, 8 Sep 2002 [EMAIL PROTECTED] wrote: On Thu, Sep 05, 2002 at 01:36:27PM -0400, Derek Samford wrote: Shane, There is a practice on that (At least here.). Generally we provide a Class C to our customers at no additional charge, but we have Why in this day and age, 9 years after the invention of CIDR, are we still referring to class C's? Probably for the same reason that people refer to 56K baud modems. It is easier to say, and most people don't care if it is accurate or not. Indeed.. in the same way we all say bandwidth when the term is incorrect and technically speaking we mean bitrate.. point is we all know what you mean so the language is fine albeit technically inaccurate! Steve
Re: IP address fee??
On Sun, 8 Sep 2002 [EMAIL PROTECTED] wrote: Shane: I think an important question would be what level of service are they buying. Including 255 address with a T3 would be very reasonable, less so with a T1, not very reasonable with DSL, and ridiculous with a dial-up account. How is usage need in any way related to circuit size? This kind of allocation policy amazes me. Hmm I don't know, it's a guide if nothing else.. A dialup that can justify a /24 is no different than an OC3 customer who can't. Each customer should (only) get the space they can justify, and circuit size is not a justification. Really? So a customer who claims to need a /24 on a dialup doesn't suggest to you that they're wrong or at least worthy of further investigation before you assign it? We expect certain requests from certain types of account and anything above that gets looked at. I believe this is a good position between wasting time on end user IP assignments and handing out a limited resource too freely. Steve
Re: IP address fee??
On Mon, 9 Sep 2002 10:06:29 +0100 (BST), Stephen J. Wilcox wrote: Really? So a customer who claims to need a /24 on a dialup doesn't suggest to you that they're wrong or at least worthy of further investigation before you assign it? The original sender said justify not claim.
Re: IP address fee??
On Mon, 9 Sep 2002, cw wrote: On Mon, 9 Sep 2002 10:06:29 +0100 (BST), Stephen J. Wilcox wrote: Really? So a customer who claims to need a /24 on a dialup doesn't suggest to you that they're wrong or at least worthy of further investigation before you assign it? The original sender said justify not claim. Misread that a little :) it is more aimed at the first poster than not the one I responded to! Well my point is that justify or claim I'd pay more attention to the seemingly ok /24 request on a dialup than I would to one for an OC3.
Re: How do you stop outgoing spam?
On Mon, 9 Sep 2002, Hank Nussbacher wrote: The spamming is usually done (but not only) from an Internet cafe where the spammer inserts a spammer CD and blasts away at open mail relays. When SMTP is blocked for that IP, they switch to HTTP and send the spam via MSN, Yahoo, Hotmail, Kukamail, Outblaze, Safe-mail, etc. to name just a few. Blocking port 80 is harder since it requires maintaining an ever larger list of free public web based mail systems or just block port 80 entirely. You could traffic shape or rate limit the traffic towards port 80 to a few kbps for each IP address that might be used for spamming. If you allow small bursts (10 - 50k) this should be just fine for regular web access, since for that outgoing traffic is minimal: just the HTTP requests and ACKs. However, it will slow down spamming to at most a couple dozen spams per minute after the first few that fill up the configured burst size. I imagine this will make the spammers move on to greener pastures.
Re: classless delegation [Re: IP address fee??]
On Fri, Sep 06, 2002 at 07:42:00PM +0200, Brad Knowles wrote: At 5:11 PM +0200 2002/09/06, Peter van Dijk wrote: I am very willing to believe everything that you are saying, but *what part* of my configuration breaks those nameservers? $DEITY-only-knows how older/less capable nameserver software will deal with the issue of having a zone that is also a PTR record. PTR is not special to nameserver software in any way. If it can handle an A record that is the name of the domain, it can handle a PTR. But there are no A records in that zone. Again, what A-records? The A RRs in the glue that goes along with the NS records that are a result of making this a zone. Glue is kind of necessary, usually. Greetz, Peter -- [EMAIL PROTECTED] | http://www.dataloss.nl/ | Undernet:#clue
Re: classless delegation [Re: IP address fee??]
On Fri, Sep 06, 2002 at 11:04:36PM +0200, Brad Knowles wrote: [snip] 60.1.0.10.in-addr.arpa. CNAME bla-reverse.example.org. bla-reverse.example.org. PTR bla.example.org. bla.example.org. A 10.0.1.60 What's wrong with that? No RFC against it ;) Are you sure about that? IIRC, the definitions of CNAME records and what they can point to are pretty strict. If that is illegal, then so is RFC2317 :) Cool, why does it work then? grin Just because something hasn't actually been made officially illegal doesn't mean that it's not a really bad idea. It seems to me RFC2317 is pushing the edge of standards more than my solution is. Greetz, Peter -- [EMAIL PROTECTED] | http://www.dataloss.nl/ | Undernet:#clue
Re: IP address fee??
On Fri, Sep 06, 2002 at 10:39:05PM +0200, Jeroen Massar wrote: [snip] Or even better... actual popquiz question*: What is the subnet mask of a class E? ;) Does anybody know that one ? Without looking into docs that is. There is none, just as there is none for class D. Greetz, Peter -- [EMAIL PROTECTED] | http://www.dataloss.nl/ | Undernet:#clue
Re: IP address fee??
On Fri, Sep 06, 2002 at 10:04:08PM +0200, Iljitsch van Beijnum wrote: [snip] About classfulness: I think it's more relevant, even today, than many people like to admit. Why is it that I can type network 192.0.2.0 in my Cisco BGP config and the box knows what I'm talking about, but network 192.0.2.0/24 is no good? That is because Cisco is quite classful-centric, still. I think defaults for netmasks, based on classes, are very bad. They cause trouble (like the time a certain ISP announced 62/8 to all its peers on AMS-IX). Cisco should support the /n notation! Greetz, Peter -- [EMAIL PROTECTED] | http://www.dataloss.nl/ | Undernet:#clue
Network Attacks
How are you all handling network attacks from say China? We had an attack today from China Aerospace. RIPE said it was unallocated, ARIN said it was APNIC, APNIC has no valid info on them. What can one do? -- Manolo Hernandez - Network Administrator The only source of knowledge is experience. - A. Einstein
Talked about this before
Hi, Quick Question, how much memory does the bgp tables actually take. I'm estimating 32 mb in my plan, but I'm worried that's not enough. Thanks, Jane
Re: Network Attacks
How are you all handling network attacks from say China? We had attack today from China Aerospace. RIPE said it was unallocated, ARIN said it was APNIC, APNIC has no valid info on them. What can one do? Filter the netblocks out of the borders (in) Null-route their address space (out) Alex
Re: Talked about this before
Jane == Pawlukiewicz Jane [EMAIL PROTECTED] writes: Jane Hi, Good morning. Jane Quick Question, how much memory does the bgp tables actually Jane take. I'm estimating 32 mb in my plan, but I'm worried Jane that's not enough. I guess that depends which BGP implementation you're using... And the number of sessions with full routes... route-views.oregon-ix.net seems to be using about 215Mb, but it has a lot of peers. -- William Waites [EMAIL PROTECTED] finger [EMAIL PROTECTED] for PGP keys Idiosyntactix Research Laboratories http://www.irl.styx.org
Re: Talked about this before
Jane == Pawlukiewicz Jane [EMAIL PROTECTED] writes: Jane Quick Question, how much memory does the bgp tables actually Jane take. I'm estimating 32 mb in my plan, but I'm worried Jane that's not enough. that was 320Mb, no? ;) -- William Waites [EMAIL PROTECTED] finger [EMAIL PROTECTED] for PGP keys Idiosyntactix Research Laboratories http://www.irl.styx.org
Re: Talked about this before
On Mon, 2002-09-09 at 09:12, William Waites wrote:
Jane == Pawlukiewicz Jane [EMAIL PROTECTED] writes:
Jane Quick Question, how much memory does the bgp tables actually
Jane take. I'm estimating 32 mb in my plan, but I'm worried
Jane that's not enough.
that was 320Mb, no? ;)

Here is a show ip bgp summ from a router with 2 full views and 6 iBGP peers, and a couple of customer peers with 10 routes each:

BGP router identifier 209.196.121.1, local AS number 4278
BGP table version is 7175400, main routing table version 7175400
112794 network entries and 505980 paths using 33655314 bytes of memory
89941 BGP path attribute entries using 5037424 bytes of memory
44221 BGP AS-PATH entries using 1134058 bytes of memory
63070 BGP route-map cache entries using 1261400 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
Dampening enabled. 127 history paths, 118 dampened paths
223243 received paths for inbound soft reconfiguration
BGP activity 219567/1719967 prefixes, 5720413/5214433 paths, scan interval 60 secs

-- William Waites [EMAIL PROTECTED] finger [EMAIL PROTECTED] for PGP keys Idiosyntactix Research Laboratories http://www.irl.styx.org

-- Larry Rosenman http://www.lerctr.org/~ler Phone: +1 972-414-9812 E-Mail: [EMAIL PROTECTED] US Mail: 1905 Steamboat Springs Drive, Garland, TX 75044-6749
Re: Talked about this before
also fyi

#sh ver
IOS (tm) RSP Software (RSP-JK8SV-M), Version 12.2(8)T4, RELEASE SOFTWARE (fc1)

#sh ip bgp sum
113668 network entries and 263570 paths using 21568596 bytes of memory
83881 BGP path attribute entries using 5034840 bytes of memory
24724 BGP AS-PATH entries using 637716 bytes of memory
16 BGP community entries using 384 bytes of memory
77639 BGP route-map cache entries using 1242224 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
Dampening enabled. 211 history paths, 234 dampened paths
BGP activity 286636/18319023 prefixes, 13135930/12871489 paths, scan interval 60 secs

#sh mem sum
Head Total(b) Used(b) Free(b) Lowest(b) Largest(b)
Processor 62AADE40 223683008 126211276 97471732 87582336 93694864
Fast 62A8DE40 131080 82776 48304 48304 48252

-- Stephen J. Wilcox IP Services Manager, Opal Telecom http://www.opaltelecom.co.uk/ Tel: 0161 222 2000 Fax: 0161 222 2008

On 9 Sep 2002, Larry Rosenman wrote:
On Mon, 2002-09-09 at 09:12, William Waites wrote:
Jane == Pawlukiewicz Jane [EMAIL PROTECTED] writes:
Jane Quick Question, how much memory does the bgp tables actually
Jane take. I'm estimating 32 mb in my plan, but I'm worried
Jane that's not enough.
that was 320Mb, no? ;)
Here is a show ip bgp summ from a router with 2 full views and 6 iBGP peers, and a couple of customer peers with 10 routes each:
BGP router identifier 209.196.121.1, local AS number 4278
BGP table version is 7175400, main routing table version 7175400
112794 network entries and 505980 paths using 33655314 bytes of memory
89941 BGP path attribute entries using 5037424 bytes of memory
44221 BGP AS-PATH entries using 1134058 bytes of memory
63070 BGP route-map cache entries using 1261400 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
Dampening enabled. 127 history paths, 118 dampened paths
223243 received paths for inbound soft reconfiguration
BGP activity 219567/1719967 prefixes, 5720413/5214433 paths, scan interval 60 secs
-- William Waites [EMAIL PROTECTED] finger [EMAIL PROTECTED] for PGP keys Idiosyntactix Research Laboratories http://www.irl.styx.org
Eugene Call for Presentations
Hi - just a reminder that abstracts are due this Monday, Sept. 16. * * * * * * * * * * * * * * * * * CALL FOR PRESENTATIONS NANOG 26 GENERAL SESSION TUTORIALS SPECIAL RESEARCH/OPERATIONS FORUM October 27-29, 2002 * * * * * * * * * * * * * * * * * The North American Network Operators' Group (NANOG) will hold its 26th meeting October 27-29, 2002, in Eugene, Oregon. The meeting will be hosted by the University of Oregon and Sprint. Registration opens September 4. NANOG 26 is a special occasion - the first joint meeting with ARIN, the American Registry for Internet Numbers. ARIN manages IP numbers for North and South America, the Caribbean, and sub-Saharan Africa. NANOG will meet as usual from Sunday to Tuesday, and ARIN from Wednesday to Friday. NANOG conferences provide a forum for the coordination and dissemination of technical information related to large-scale (i.e., national/international) Internet backbone networking technologies and operational practices. Meetings are held three times each year, and include two days of short presentations, plus afternoon/evening tutorial sessions and special forums. The meetings are informal, with an emphasis on relevance to current backbone engineering practices. NANOG conferences draw over 500 participants, mainly consisting of engineering staff from national service providers, and members of the research and education community. The meeting will be held at the Hilton Eugene and Conference Center. For more information about NANOG meetings, schedules, and logistics, see: http://www.nanog.org -- CALL FOR PRESENTATIONS NANOG invites presentations on backbone engineering, coordination, and research topics. Presentations should highlight issues relating to technology already deployed or soon to be deployed in core Internet backbones and exchange points. 
Previous meetings have included presentations on: - Backbone traffic engineering - Inter-provider security and routing protocol authentication - Routing scalability in backbone infrastructures - Security issues for the Internet core - Routing policy specification and backbone router configuration - Building large-scale measurement infrastructure - Cooperative inter-provider caching - Alternatives to hot-potato routing - Recommendations on queue management and congestion avoidance - Experience with differentiated services - Inter-domain multicast deployment - Backbone network failure analysis Tutorials have covered topics such as: - IP traffic management - BGP multihoming guide - ISP security: real world techniques - IP multicast technologies The special research/operations forum offers researchers a short time slot to present ongoing work for evaluation and feedback from the operations community. Topics include routing, network performance, statistical measurement and analysis, and protocol development and implementation. Researchers from academia, government, and industry are invited to participate. -- HOW TO PRESENT Submit a detailed abstract or outline describing the presentation in email to [EMAIL PROTECTED] The deadline for proposals is September 16, 2002. While the majority of speaking slots will be filled by September 16, a limited number of slots will be available after that date for topics that are exceptionally timely and important. Submissions will be reviewed by the NANOG Program Committee, and presenters will be notified of acceptance by September 30, 2002. NANOG also welcomes suggestions/recommendations for tutorials, panels and other presentation topics. ---
Juniper T Series routers
Does anyone have any opinions on the Juniper T Series routers that they can share? Reply off-list, I'm happy to summarise responses. Thanks regards, Bob Procter, ntl Group Limited.
Re: How do you stop outgoing spam?
On Mon, 9 Sep 2002, Iljitsch van Beijnum wrote: Looking for automatic off-the-shelf solution. Not something that requires a NOC to constantly update a Cisco ACL. -Hank On Mon, 9 Sep 2002, Hank Nussbacher wrote: The spamming is usually done (but not only) from an Internet cafe where the spammer inserts a spammer CD and blasts away at open mail relays. When SMTP is blocked for that IP, they switch to HTTP and send the spam via MSN, Yahoo, Hotmail, Kukamail, Outblaze, Safe-mail, etc. to name just a few. Blocking port 80 is harder since it requires maintaining an ever larger list of free public web based mail systems or just block port 80 entirely. You could traffic shape or rate limit the traffic towards port 80 to a few kbps for each IP address that might be used for spamming. If you allow small bursts (10 - 50k) this should be just fine for regular web access, since for that outgoing traffic is minimal: just the HTTP requests and ACKs. However, it will slow down spamming to at most a couple dozen spams per minute after the first few that fill up the configured burst size. I imagine this will make the spammers move on to greener pastures. Hank Nussbacher
National Moment of Silence
Is anyone planning on measuring backbone loads during the National Moment of Silence at 8:46 a.m. Eastern Standard Time on 9/11? -Hank
Re: How do you stop outgoing spam?
How do you determine what is spam ? Not trying to be difficult or start another bloody thread. It would seem to me that in order to create an off the shelf non NOC-updating solution, you would have to be able to define what is spam and then you could detect it. The only thing that comes to this feeble mind is something ala Snort, with a rule set that will catch most common finger prints of spam. The IDS would then have to trigger something to drop packets and alert the NOC. I guess if you treat it as an Intruder you might be closer at achieving your goals. just an idea. john brown On Mon, Sep 09, 2002 at 12:17:08PM +0300, Hank Nussbacher wrote: Please try to keep this discussion technical and not diverge to opinions. I am not looking for opinions or religion. I am trying to find automated tools/systems/boxes that will stop spam from going *out* from an ISP. The ISP has no servers and allocates IP address space to downstream customers who spam. Yes, I know all about ACLs to block offending IPs. The ISP is willing to buy any box or system to stop outgoing spams and thereby stop constantly playing with ACLs. The spamming is usually done (but not only) from an Internet cafe where the spammer inserts a spammer CD and blasts away at open mail relays. When SMTP is blocked for that IP, they switch to HTTP and send the spam via MSN, Yahoo, Hotmail, Kukamail, Outblaze, Safe-mail, etc. to name just a few. Blocking port 80 is harder since it requires maintaining an ever larger list of free public web based mail systems or just block port 80 entirely. Technical solutions welcome. Thanks, Hank
RE: How do you stop outgoing spam?
Kinda breaks broadband streaming audio/video in a Java/other web applet though...among other things. Best regards, _ Alan Rowland -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Iljitsch van Beijnum Sent: Monday, September 09, 2002 3:50 AM To: Hank Nussbacher Cc: [EMAIL PROTECTED] Subject: Re: How do you stop outgoing spam? On Mon, 9 Sep 2002, Hank Nussbacher wrote: The spamming is usually done (but not only) from an Internet cafe where the spammer inserts a spammer CD and blasts away at open mail relays. When SMTP is blocked for that IP, they switch to HTTP and send the spam via MSN, Yahoo, Hotmail, Kukamail, Outblaze, Safe-mail, etc. to name just a few. Blocking port 80 is harder since it requires maintaining an ever larger list of free public web based mail systems or just block port 80 entirely. You could traffic shape or rate limit the traffic towards port 80 to a few kbps for each IP address that might be used for spamming. If you allow small bursts (10 - 50k) this should be just fine for regular web access, since for that outgoing traffic is minimal: just the HTTP requests and ACKs. However, it will slow down spamming to at most a couple dozen spams per minute after the first few that fill up the configured burst size. I imagine this will make the spammers move on to greener pastures.
Re: How do you stop outgoing spam?
On Mon, 9 Sep 2002, Hank Nussbacher wrote: Looking for automatic off-the-shelf solution. Not something that requires a NOC to constantly update a Cisco ACL. Correct me if I'm wrong, but the web (ok, most of it) has been running on TCP port 80 for quite a while now. So if you limit outgoing TCP packets to port 80 (and probably some variations, such as HTTP+SSL) to a few kbps, regardless of their destination, you don't hurt legitimate users except some very rare cases such as HTTP uploads but you make life less fun for spammers.
Re: How do you stop outgoing spam?
On Mon, Sep 09, 2002 at 08:24:19PM +0300, Hank Nussbacher wrote: On Mon, 9 Sep 2002, Iljitsch van Beijnum wrote: Looking for automatic off-the-shelf solution. Not something that requires a NOC to constantly update a Cisco ACL. PLEASE don't take this as an opportunity to start another spam thread (lest you find members of nanog testing out their theories from the blowing up the internet thread on your connection), but: Redirect all outgoing port 25 connections to your mail servers, and pipe all the messages through spamassassin (note: scalability not included). -- Richard A Steenbergen [EMAIL PROTECTED] http://www.e-gerbil.net/ras PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)
Re: National Moment of Silence
On 2002-09-09-13:53:45, Hank Nussbacher [EMAIL PROTECTED] wrote: Is anyone planning on measuring backbone loads during the National Moment of Silence at 8:46 a.m. Eastern Standard Time on 9/11? Those of us polling interfaces in <= 1min intervals will... -a
RE: How do you stop outgoing spam?
On Mon, 9 Sep 2002, Al Rowland wrote: Final comment on this subject (I promise) :) How many (more) protocols are we willing to cripple in the name of fighting spam? Obviously the crippled protocol here is SMTP, because it allows pretty much everything. As a rule, I'm against solving application problems at the network layer, but in this specific case (internet cafe) this specific solution (rate limiting/traffic shaping for traffic to HTTP servers) seems reasonable.
Re: National Moment of Silence
On Mon, 9 Sep 2002, Hank Nussbacher wrote: Is anyone planning on measuring backbone loads during the National Moment of Silence at 8:46 a.m. Eastern Standard Time on 9/11? -Hank Moment of silence? backbone loads? ... When a user on a network HTTP GETs a porno, and no one polls their SNMP counters, does it make a sound?
Re: National Moment of Silence
Hank Nussbacher wrote: Is anyone planning on measuring backbone loads during the National Moment of Silence at 8:46 a.m. Eastern Standard Time on 9/11? I'm planning on snoring...along with most of the left coast I'd imagine... -davidu
RE: National Moment of Silence
I doubt that the Kazaa servents will get shut down either. -Original Message- From: Greg Maxwell [SMTP:[EMAIL PROTECTED]] Sent: Monday, September 09, 2002 1:14 PM To: Hank Nussbacher Cc: [EMAIL PROTECTED] Subject: Re: National Moment of Silence On Mon, 9 Sep 2002, Hank Nussbacher wrote: Is anyone planning on measuring backbone loads during the National Moment of Silence at 8:46 a.m. Eastern Standard Time on 9/11? -Hank Moment of silence? backbone loads? ... When a user on a network HTTP GETs a porno, and no one polls their SNMP counters, does it make a sound?
Re: How do you stop outgoing spam?
On Mon, 09 Sep 2002 10:37:35 PDT, Al Rowland [EMAIL PROTECTED] said: How many (more) protocols are we willing to cripple in the name of fighting spam? Crippling protocols won't help, in the long run. What will help is the use of a baseball bat, properly applied. Unfortunately, although it would probably be *cheaper* to hire insert ethnic organized crime group to simply whack the cluelessmailers.org list of top 100 offenders, network providers fall into two distinct classes: 1) Companies with *some* sense of morals/conscience - they won't do that sort of thing. 2) Companies that *would* stoop so low - they won't do it either because that would be attacking their own revenue stream. -- Valdis Kletnieks Computer Systems Senior Engineer Virginia Tech
Re: Talked about this before
On Mon, 9 Sep 2002, Pawlukiewicz Jane wrote: Quick Question, how much memory does the bgp tables actually take. I'm estimating 32 mb in my plan, but I'm worried that's not enough.

Two views:

hln-cs1#sh ip bgp summ
BGP router identifier 206.127.65.1, local AS number 4043
BGP table version is 132881, main routing table version 132881
112575 network entries and 336143 paths using 24365495 bytes of memory
60397 BGP path attribute entries using 3624720 bytes of memory
53004 BGP AS-PATH entries using 1426946 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
20536 BGP filter-list cache entries using 246432 bytes of memory
Dampening enabled. 96 history paths, 45 dampened paths
111752 received paths for inbound soft reconfiguration
BGP activity 112575/456 prefixes, 336319/176 paths, scan interval 15 secs

That said:

hln-cs1#sh mem
Head Total(b) Used(b) Free(b) Lowest(b) Largest(b)
Processor 623C83E0 219380768 117525008 101855760 100536360 100521172
I/O F50 11534336 8157292 3377044 3365952 3352444

By the time you populate the routing table and/or cef, and do a few other things, you probably want at least 256MB. If you are using something else, YMMV - it all depends on how efficient the software is at storing it in memory.

- Forrest W. Christian ([EMAIL PROTECTED]) AC7DE -- The Innovation Machine Ltd. P.O. Box 5749 http://www.imach.com/ Helena, MT 59604 Home of PacketFlux Technologies and BackupDNS.com (406)-442-6648 -- Protect your personal freedoms - visit http://www.lp.org/
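To put numbers on Jane's question, here is an added example (not code from anyone in the thread) that parses the `show ip bgp summary` memory lines quoted above and checks them against a planned budget. The two samples are the figures Larry Rosenman and Forrest Christian posted; "32 mb" is taken to mean 32 MiB, which is an assumption.

```python
import re

# Sample input: the memory lines from Larry Rosenman's router as quoted in the
# thread (2 full views, 6 iBGP peers, a few customer peers).
LARRY_SUMMARY = """\
BGP router identifier 209.196.121.1, local AS number 4278
BGP table version is 7175400, main routing table version 7175400
112794 network entries and 505980 paths using 33655314 bytes of memory
89941 BGP path attribute entries using 5037424 bytes of memory
44221 BGP AS-PATH entries using 1134058 bytes of memory
63070 BGP route-map cache entries using 1261400 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
Dampening enabled. 127 history paths, 118 dampened paths
"""

# Sample input: Forrest Christian's router (2 views, filter-list cache in use).
FORREST_SUMMARY = """\
112575 network entries and 336143 paths using 24365495 bytes of memory
60397 BGP path attribute entries using 3624720 bytes of memory
53004 BGP AS-PATH entries using 1426946 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
20536 BGP filter-list cache entries using 246432 bytes of memory
"""

# Every IOS memory line has the shape "<count> <table name> using <N> bytes of memory".
MEM_LINE = re.compile(r"^(\d+) (.+?) using (\d+) bytes of memory$")
PATHS_LINE = re.compile(r"^(\d+) network entries and (\d+) paths")


def bgp_memory(summary):
    """Return {table name: bytes} for each 'using N bytes of memory' line."""
    usage = {}
    for line in summary.splitlines():
        m = MEM_LINE.match(line.strip())
        if m:
            # drop the embedded path count so the first line gets a stable key
            name = re.sub(r" \d+ ", " ", m.group(2))
            usage[name] = int(m.group(3))
    return usage


def bgp_memory_total(summary):
    """Bytes consumed by all BGP structures listed in the summary."""
    return sum(bgp_memory(summary).values())


def paths_per_prefix(summary):
    """Average paths per prefix; grows with the number of full-table peers."""
    for line in summary.splitlines():
        m = PATHS_LINE.match(line.strip())
        if m:
            return int(m.group(2)) / int(m.group(1))
    return None


def fits_budget(summary, budget_mib):
    """True if the BGP tables alone fit in budget_mib MiB. Note this is only
    the BGP side; the RIB/CEF copies Forrest mentions come on top of it."""
    return bgp_memory_total(summary) <= budget_mib * 1024 * 1024


def plan_report(summary, budget_mib):
    total = bgp_memory_total(summary)
    return {
        "bgp_bytes": total,
        "bgp_mib": round(total / (1024 * 1024), 1),
        "paths_per_prefix": round(paths_per_prefix(summary), 2),
        "fits_budget": fits_budget(summary, budget_mib),
    }


if __name__ == "__main__":
    for who, text in (("Larry", LARRY_SUMMARY), ("Forrest", FORREST_SUMMARY)):
        print(who, plan_report(text, 32))
```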
re: Internet connection secure from surveillance?
Here is my reply to Joe Your solution is good. In general, anyone worried about this kind of invasion of privacy should arrange to run their own root servers. The more the merrier. This is not necessarily about having multiple roots with colliding TLDs, but about security from surveillance. One discouraging fact is that even if everyone moves to localized root servers, the USG still controls the servers for .COM/.NET and .ORG as well as, most definitely .GOV and .MIL. The same trick that they can play at the root server level can also be played at the gtld-server level. They can just rig [A-M].GTLD-SERVERS.NET instead of the roots. They may not be able to capture all of the traffic that a user generates, but most of it, since most websites/domains are in the big three and those are controlled by USG. John - Original Message - From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, September 09, 2002 11:28 Subject: [ga] is your Internet connection secure from surveillance? I have attached a draft PDF file addressed to Canada's privacy and information commissioners which outlines my concerns respecting privacy issues in root operations. I would welcome any comments. Please email them directly to me. kindest regards joe baptista
Re: Praise to XO's Security/Abuse
On 8/30/2002 at 8:25 PM, [EMAIL PROTECTED] wrote: On 04:36 PM 8/30/02, John M. Brown wrote: Jason at XO's security/abuse staff. Very helpful chap Indeed he is. Which is why I'm totally mystified about why rfc-ignorant insists that my domain doesn't have a working abuse address. I would privately email the admin at rfc-ignorant about this problem, but, well (see below) jc I don't think rfc-ignorant.org tests entries at a later time, ever. I have brought the concentric.net case to their attention today. Speaking of Concentric domains: cnc.net has not had a working abuse@ address for several YEARS, and I have brought that to Concentric's attention, oh, 3-4 years ago? I consider this a reckless way of operating: some people have interpreted RFC822 in such a way that you only have to accept mail to postmaster@FQDN if you actually accept any mail for the domain at all. I wonder who's smart idea within Concentric it was to use cnc.net for a bazillion FQDN's and in-addr.arpa records, but create an MX record for the domain and not accept postmaster and [EMAIL PROTECTED] . If I wouldn't know better (the whole incompetent vs. malevolent logic), I'd outright describe this as being evasive. Speaking of evading: I wish to remind the readers of this thread (a subset of NANOG readers) that the good deeds of a few cannot make up for the colossal, corrupt policy failures of a bankrupt organization as a whole, or else I wouldn't currently be in possession of about 90 complaints (and corresponding 90 auto-replies, with exactly ZERO human-generated replies) from xo.com regarding spam-spewing factories of crime in their IP space, with such complaints sent to them in the short, short period of the last 2.5 months, based on an amazingly small swath of IP space at the receiving end of this Internet crime. 
Examples of XO customers who can't tell right from wrong, and 220 DO ME HARD from 550 NO TRESPASSING, CRIMINAL SCUM, and who continue to criminally trespass onto other people's property after being told to stay away:

Sep 9 08:13:25 sonet sendmail[895]: IAA00895: from=[EMAIL PROTECTED], size=0, class=0, pri=0, nrcpts=0, proto=SMTP, relay=gw.iaccess.com [64.221.226.129]
Sep 9 02:19:51 saturn sendmail[5229]: NOQUEUE: ruleset=check_relay, arg1=lsv-004.cynergen.net, arg2=66.239.204.53, relay=lsv-004.cynergen.net [66.239.204.53], reject=550 no access for OIN - Spammers must die.
Sep 9 00:35:21 saturn sendmail[1729]: NOQUEUE: ruleset=check_relay, arg1=host28.anglcorp.com, arg2=67.105.80.91, relay=host28.anglcorp.com [67.105.80.91], reject=550 no access for list-washing twits at anglcorp.com - Spammers must die.
Sep 8 00:13:57 saturn sendmail[12484]: NOQUEUE: ruleset=check_relay, arg1=lsv-001.cynergen.net, arg2=66.239.204.50, relay=lsv-001.cynergen.net [66.239.204.50], reject=550 no access for OIN - Spammers must die.
Sep 7 20:58:36 saturn sendmail[6541]: NOQUEUE: ruleset=check_relay, arg1=host24.anglcorp.com, arg2=67.105.80.87, relay=host24.anglcorp.com [67.105.80.87], reject=550 no access for list-washing twits at anglcorp.com - Spammers must die.
Sep 7 16:26:39 sonet sendmail[11480]: NOQUEUE: ruleset=check_relay, arg1=lsv-002.cynergen.net, arg2=66.239.204.51, relay=lsv-002.cynergen.net [66.239.204.51], reject=550 no access for OIN - Spammers must die.
Sep 7 05:01:49 saturn sendmail[2655]: FAA02655: X... User unknown - user never existed - single-opt-in is spam - and Spammers must die.
Sep 7 05:01:49 saturn sendmail[2655]: FAA02655: from=102338940173691-709021-X?[EMAIL PROTECTED], size=0, class=0, pri=0, nrcpts=0, proto=SMTP, relay=ul1.tilw.net [209.164.4.171]
Sep 6 20:55:27 saturn sendmail[14573]: NOQUEUE: ruleset=check_relay, arg1=lsv-001.cynergen.net, arg2=66.239.204.50, relay=lsv-001.cynergen.net [66.239.204.50], reject=550 no access for OIN - Spammers must die.
Sep 5 20:10:41 sonet sendmail[18779]: UAA18779: from=[EMAIL PROTECTED], size=0, class=0, pri=0, nrcpts=0, proto=SMTP, relay=host228.iaccess.com [64.221.226.228] (may be forged)
Sep 5 18:44:45 saturn sendmail[9560]: NOQUEUE: ruleset=check_relay, arg1=lsv-002.cynergen.net, arg2=66.239.204.51, relay=lsv-002.cynergen.net [66.239.204.51], reject=550 no access for OIN - Spammers must die.
Sep 5 14:30:19 saturn sendmail[26113]: NOQUEUE: ruleset=check_relay, arg1=thething.emailfactory.com, arg2=64.35.34.30, relay=thething.emailfactory.com [64.35.34.30], reject=550 NO TRESPASSING for emailfactory.com/newc.com - Spammers must die.
Sep 4 16:20:57 saturn sendmail[817]: NOQUEUE: ruleset=check_relay, arg1=lsv-001.cynergen.net, arg2=66.239.204.50, relay=lsv-001.cynergen.net [66.239.204.50], reject=550 no access for OIN - Spammers must die.

There is no doubt in my mind that XO is fully aware of the criminal trespass committed by their customers, and continues to aid and abet these criminal activities on a daily basis by knowingly and willingly providing service and /dev/null'ing complaints about them -
RE: Network Attacks
I've got a new version of the remote-triggered black hole filtering paper. That is one way of handling the incident.

http://www.ispbook.com/supplements/Remote_Triggered_Black_Hole_Filtering-02.pdf

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, September 09, 2002 7:04 AM
To: Manolo Hernandez
Cc: Nanog
Subject: Re: Network Attacks

> How are you all handling network attacks from say China? We had attack today from China Aerospace. RIPE said it was unallocated, ARIN said it was APNIC, APNIC has no valid info on them. What can one do?

Filter the netblocks out of the borders (in)
Null-route their address space (out)

Alex
Re: classless delegation [Re: IP address fee??]
At 1:41 PM +0200 2002/09/09, Peter van Dijk wrote:

> PTR is not special to nameserver software in any way. If it can handle an A record that is the name of the domain, it can handle a PTR.

Maybe not the nameserver software you've seen. Moreover, the real problem is not the nameserver software, but all the other incredibly broken applications out there that can't handle PTR co-existing with SOA NS RRs.

--
Brad Knowles, [EMAIL PROTECTED]

"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
-Benjamin Franklin, Historical Review of Pennsylvania.

GCS/IT d+(-) s:+(++): a C++(+++)$ UMBSHI$ P+++ L+ !E W+++(--) N+ !w--- O- M++ V PS++(+++) PE- Y+(++) PGP+++ t+(+++) 5++(+++) X++(+++) R+(+++) tv+(+++) b+() DI+() D+(++) G+() e++ h--- r---(+++)* z(+++)
RE: How do you stop outgoing spam?
At 10:18 AM -0700 2002/09/09, Al Rowland wrote:

> Kinda breaks broadband streaming audio/video in a Java/other web applet though...among other things.

No, the traffic budget is on upstream traffic, not downstream. Stream content all you want, but don't try to generate too much upstream traffic or you get your bandwidth severely curtailed.

--
Brad Knowles, [EMAIL PROTECTED]
Re: How do you stop outgoing spam?
At 10:08 AM -0700 2002/09/09, John M. Brown wrote:

> How do you determine what is spam ? Not trying to be difficult or start another bloody thread. It would seem to me that in order to create an off the shelf non NOC-updating solution, you would have to be able to define what is spam and then you could detect it.

You could transparently proxy port 25 for all outgoing traffic, and then run spamassassin on that machine (collection of machines). You could do a slightly modified version to look at the traffic on port 80.

Not only would you be looking for standard spam keywords, but you would also be looking at spam reports from other people (e.g., Vipul's Razor), so this should continue to adapt as the spam attacks change.

However, I also like the idea of doing a bandwidth budget on a per machine basis, with short term bursts allowing for most normal activity.

--
Brad Knowles, [EMAIL PROTECTED]
Re: How do you stop outgoing spam?
"Brad" == Brad Knowles [EMAIL PROTECTED] writes:

Brad> No, the traffic budget is on upstream traffic, not downstream. Stream content all you want, but don't try to generate too much upstream traffic or you get your bandwidth severely curtailed.

good consumer... don't try to talk. just watch the propaganda...
Re: How do you stop outgoing spam?
At 6:06 PM -0400 2002/09/09, William Waites wrote:

> Brad> No, the traffic budget is on upstream traffic, not downstream. Stream content all you want, but don't try to generate too much upstream traffic or you get your bandwidth severely curtailed.
>
> good consumer... don't try to talk. just watch the propaganda...

Yeah, well. For Internet cafes, this is probably a fairly reasonable assumption.

--
Brad Knowles, [EMAIL PROTECTED]
Re: How do you stop outgoing spam?
On Tue, 10 Sep 2002, Brad Knowles wrote:

> Brad> No, the traffic budget is on upstream traffic, not downstream. Stream content all you want, but don't try to generate too much upstream traffic or you get your bandwidth severely curtailed.

[The whole thing about port 80 upstream bandwidth limitations getting in the way of streaming audio/video sounds like nonsense to me, since this usually doesn't go _to_ TCP port 80, even flowing _from_ TCP port 80 is something I haven't seen this century.]

> > good consumer... don't try to talk. just watch the propaganda...
>
> Yeah, well. For Internet cafes, this is probably a fairly reasonable assumption.

Ok, suppose someone can touch type. The world record is something like 600 key presses per minute, which is 10 41-byte TCP packets per second ~= 4 kbps.
What have we learned in 3 decades? Not much.
The guys who did the Multics penetration tests for the Air Force have re-released it, with commentary on what 30 years has changed (and more importantly, not changed).

Most depressing quote:

"Thus, systems that are weaker than Multics are considered for use in environments in excess of what even Multics could deliver without restructuring around a security kernel. There really seem to be only four possible conclusions from this: either (1) today's systems are really much more secure than we claim; (2) today's potential attackers are much less capable or motivated; (3) the information being processed is much less valuable; or (4) people are unwilling or unable to recognize the compelling need to employ much better technical solutions."

http://domino.watson.ibm.com/library/cyberdig.nsf/papers/FDEFBEBC9DD3E35485256C2C004B0F0D/$File/RC22534.pdf
Re: How do you stop outgoing spam?
On Tue, 10 Sep 2002 00:41:09 +0200 (CEST) Iljitsch van Beijnum [EMAIL PROTECTED] wrote:

> On Tue, 10 Sep 2002, Brad Knowles wrote:
>
> > Brad> No, the traffic budget is on upstream traffic, not downstream. Stream content all you want, but don't try to generate too much upstream traffic or you get your bandwidth severely curtailed.
>
> [The whole thing about port 80 upstream bandwidth limitations getting in the way of streaming audio/video sounds like nonsense to me, since this usually doesn't go _to_ TCP port 80, even flowing _from_ TCP port 80 is something I haven't seen this century.]
>
> > > good consumer... don't try to talk. just watch the propaganda...
> >
> > Yeah, well. For Internet cafes, this is probably a fairly reasonable assumption.
>
> Ok, suppose someone can touch type. The world record is something like 600 key presses per minute, which is 10 41-byte TCP packets per second ~= 4 kbps.

When I go to Internet cafes (I like Global Gossip), I connect my Ti-book to the local ethernet if at all possible (that's why I like Global Gossip) and use high bit rates (i.e., file transfers) in both directions.

If I was limited to 4 kbps outbound, I would want my money back.

Just one customer viewpoint :)

Regards
Marshall Eubanks
Re: How do you stop outgoing spam?
At 12:41 AM +0200 2002/09/10, Iljitsch van Beijnum wrote:

> Ok, suppose someone can touch type. The world record is something like 600 key presses per minute, which is 10 41-byte TCP packets per second ~= 4 kbps.

You're forgetting keyboard macros. That might take you to 8Kbps, or perhaps a little more. ;-)

--
Brad Knowles, [EMAIL PROTECTED]
Re: How do you stop outgoing spam?
On Mon, 9 Sep 2002, Marshall Eubanks wrote:

> > Ok, suppose someone can touch type. The world record is something like 600 key presses per minute, which is 10 41-byte TCP packets per second ~= 4 kbps.
>
> When I go to Internet cafes (I like Global Gossip), I connect my Ti-book to the local ethernet if at all possible (that's why I like Global Gossip) and use high bit rates (i.e., file transfers) in both directions.

Would the uploads be HTTP? That's the only thing I'd want to limit to a few kbps. (Well, and outgoing SMTP to 0 kbps.)

> If I was limited to 4 kbps outbound, I would want my money back.
>
> Just one customer viewpoint :)

Understandable. On the other hand, spammers using internet cafes isn't good either.
Re: How do you stop outgoing spam?
## On 2002-09-09 17:53 -0400 Marshall Eubanks typed:

ME> When I go to Internet cafes (I like Global Gossip), I connect my Ti-book to the local ethernet if at all possible (that's why I like Global Gossip) and use high bit rates (i.e., file transfers) in both directions.
ME>
ME> If I was limited to 4 kbps outbound, I would want my money back.

Are you doing your file transfers via HTTP or SMTP ?

What about rate limiting TCP SYN packets ? I assume you're not doing more than say 1 file per second ?

ME> Just one customer viewpoint :)
ME>
ME> Regards
ME> Marshall Eubanks

P.S. funny thing is I learnt the SYN rate limiting trick from Hank ...

--
Rafi
Re: How do you stop outgoing spam?
Paul Vixie wrote:

> per-destination host AND port egress rate shaping. if someone tries to send more than 1Kbit/sec to all port 80's, or more than 1Kbit/sec to any single IP address, then you can safely RED their overage. this violates the whole peer-to-peer model but there's no help for that in the short term. if some internet cafe has a CuCme camera setup then you can find a way to let that traffic off-net without rate shaping. this will be the exception.

Please be aware that this could have unintended consequences, and should be used in very constrained ways. In particular, there are any number of applications, including VPN applications that use port 80. I would recommend that only specified destinations get such treatment, if you apply it at all.

Eliot
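The shaping Paul Vixie describes, as an added example that is not code from the thread: a token-bucket policer keyed two ways, once per destination address and once per destination port aggregated over all destinations, with the exemption list Eliot Lear asks for. The budgets, the documentation-range addresses, the "VPN concentrator" at 203.0.113.5 and the packet trace are all constructed for the illustration. Overage is dropped outright here rather than RED'ed; RED would begin dropping probabilistically before a bucket runs dry, but the accounting is the same. The trace shows the three behaviours worth checking: a bulk upload to one host that exhausts the per-host budget, a spam run that stays under every per-host budget but trips the aggregate port-25 budget, and exempt traffic that is never shaped.

```python
"""Per-destination-host and per-destination-port egress policing.

Added example, not from the original thread. Budgets, addresses and the trace
are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Packet:
    ts_ms: int    # timestamp, milliseconds
    dst: str      # destination IP address
    dport: int    # destination TCP port
    size: int     # bytes on the wire


class TokenBucket:
    """`rate` bits per second are banked up to `burst` bits."""

    def __init__(self, rate_bps, burst_bits):
        self.rate, self.burst = rate_bps, burst_bits
        self.tokens = burst_bits
        self.last_ms = None

    def refill(self, now_ms):
        if self.last_ms is not None:
            self.tokens = min(self.burst, self.tokens + (now_ms - self.last_ms) * self.rate / 1000.0)
        self.last_ms = now_ms

    def allows(self, bits):
        return bits <= self.tokens

    def consume(self, bits):
        self.tokens -= bits


class EgressPolicer:
    """One bucket per destination host, plus one aggregate bucket per policed port."""

    def __init__(self, per_host_bps, per_port_bps, burst_s=1.0, exempt_dsts=()):
        self.per_host_bps = per_host_bps
        self.per_port_bps = dict(per_port_bps)   # dport -> bps across ALL destinations
        self.burst_s = burst_s
        self.exempt = frozenset(exempt_dsts)     # destinations never shaped (Eliot's caveat)
        self.host_buckets, self.port_buckets = {}, {}

    def _bucket(self, table, key, rate):
        if key not in table:
            table[key] = TokenBucket(rate, rate * self.burst_s)
        return table[key]

    def verdict(self, pkt):
        """'pass', 'drop:port' (aggregate port budget) or 'drop:host' (per-host budget)."""
        if pkt.dst in self.exempt:
            return "pass"
        bits = pkt.size * 8
        checks = []
        if pkt.dport in self.per_port_bps:
            checks.append(("drop:port", self._bucket(self.port_buckets, pkt.dport, self.per_port_bps[pkt.dport])))
        checks.append(("drop:host", self._bucket(self.host_buckets, pkt.dst, self.per_host_bps)))
        for reason, bucket in checks:       # check every bucket before charging any
            bucket.refill(pkt.ts_ms)
            if not bucket.allows(bits):
                return reason
        for _, bucket in checks:
            bucket.consume(bits)
        return "pass"


def build_trace():
    """Constructed trace: browsing, a bulk upload, a spam run, and an exempt VPN."""
    pkts = [Packet(i * 100, "198.51.100.10", 80, 1000) for i in range(3)]            # light browsing
    pkts += [Packet(1000 + i * 10, "198.51.100.20", 80, 1500) for i in range(20)]    # bulk upload, 240 kbit in 0.2 s
    pkts += [Packet(2000 + i * 5, f"192.0.2.{i + 1}", 25, 600) for i in range(30)]   # one message to each of 30 MXs
    pkts += [Packet(3000 + i * 10, "203.0.113.5", 80, 1500) for i in range(10)]      # hypothetical VPN concentrator
    return pkts


def default_policer():
    # 64 kbit/s to any single host; 256 kbit/s to all port 80s; 8 kbit/s to all port 25s.
    return EgressPolicer(per_host_bps=64_000, per_port_bps={80: 256_000, 25: 8_000},
                         burst_s=1.0, exempt_dsts={"203.0.113.5"})


def run(policer, packets):
    return [(p, policer.verdict(p)) for p in packets]


def tally(results):
    return Counter(v for _, v in results)


if __name__ == "__main__":
    print(tally(run(default_policer(), build_trace())))
```

The per-port aggregate is what makes the spam case interesting: each of the thirty destinations is new, so every per-host bucket is full, and only the budget shared by all port-25 traffic notices the fan-out. The same shape of rule, keyed on SYNs rather than bits, is the SYN rate limiting Rafi mentions above.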
Re: How do you stop outgoing spam?
## On 2002-09-09 17:15 -0700 Eliot Lear typed:

EL> Paul Vixie wrote:
EL> > per-destination host AND port egress rate shaping. if someone tries to send more than 1Kbit/sec to all port 80's, or more than 1Kbit/sec to any single IP address, then you can safely RED their overage. this violates the whole peer-to-peer model but there's no help for that in the short term. if some internet cafe has a CuCme camera setup then you can find a way to let that traffic off-net without rate shaping. this will be the exception.
EL>
EL> Please be aware that this could have unintended consequences, and should be used in very constrained ways. In particular, there are any number of applications, including VPN applications that use port 80. I would recommend that only specified destinations get such treatment, if you apply it at all.

Hi Eliot

Maybe I'm missing something obvious but how do you get rate-limiting per TCP *flow* with Cisco IOS ?

--
Regards,
Rafi
Re: How do you stop outgoing spam?
Rafi Sadowsky wrote:

> Maybe I'm missing something obvious but how do you get rate-limiting per TCP *flow* with Cisco IOS ?

There is something called flow-based RED (FRED) but it consumes a whole lot of memory because you have to keep track of lots more state. I don't know about that code.

At the least what you can do is use the rate-limit command and rate limit *all* outbound TCP/80 traffic (or for that matter all access-list captured traffic). Now, doing so will make any but the most trivial outbound TCP/80 absolutely painful, and will cause tail drop. See Cathy Wittbrodt's work in this space, which was presented at NANOG some time ago.

Note, I'm not saying you should *do* this. It may be going a bit too far for anti-spam.

Eliot
Re: How do you stop outgoing spam?
Don't have to do it with Cisco IOS. FreeBSD works quite nicely for this. If an Internet Cafe, then place it on the upstream side of the network, or right before it.

On Tue, Sep 10, 2002 at 03:32:31AM +0300, Rafi Sadowsky wrote:
> ## On 2002-09-09 17:15 -0700 Eliot Lear typed:
>
> EL> Paul Vixie wrote:
> EL> > per-destination host AND port egress rate shaping. if someone tries to send more than 1Kbit/sec to all port 80's, or more than 1Kbit/sec to any single IP address, then you can safely RED their overage. this violates the whole peer-to-peer model but there's no help for that in the short term. if some internet cafe has a CuCme camera setup then you can find a way to let that traffic off-net without rate shaping. this will be the exception.
> EL>
> EL> Please be aware that this could have unintended consequences, and should be used in very constrained ways. In particular, there are any number of applications, including VPN applications that use port 80. I would recommend that only specified destinations get such treatment, if you apply it at all.
>
> Hi Eliot
>
> Maybe I'm missing something obvious but how do you get rate-limiting per TCP *flow* with Cisco IOS ?
>
> --
> Regards,
> Rafi
Re: Talked about this before
Forrest W. Christian wrote:

> On Mon, 9 Sep 2002, Pawlukiewicz Jane wrote:
>
> > Quick Question, how much memory does the bgp tables actually take. I'm estimating 32 mb in my plan, but I'm worried that's not enough.
>
> Two views:
>
> hln-cs1#sh ip bgp summ
> BGP router identifier 206.127.65.1, local AS number 4043
> BGP table version is 132881, main routing table version 132881
> 112575 network entries and 336143 paths using 24365495 bytes of memory
> 60397 BGP path attribute entries using 3624720 bytes of memory
> 53004 BGP AS-PATH entries using 1426946 bytes of memory
> 0 BGP route-map cache entries using 0 bytes of memory
> 20536 BGP filter-list cache entries using 246432 bytes of memory
> Dampening enabled. 96 history paths, 45 dampened paths
> 111752 received paths for inbound soft reconfiguration
> BGP activity 112575/456 prefixes, 336319/176 paths, scan interval 15 secs
>
> That said:
>
> hln-cs1#sh mem
>                 Head    Total(b)     Used(b)     Free(b)   Lowest(b)  Largest(b)
> Processor   623C83E0   219380768   117525008   101855760   100536360   100521172
>       I/O        F50    11534336     8157292     3377044     3365952     3352444
>
> By the time you populate the routing table and/or cef, and do a few other things, you probably want at least 256MB. If you are using something else, YMMV - it all depends on how efficient the software is at storing it in memory.

And add to that the below, noting the 20%+ difference between what the process holds and what is reported via the bgp commands :

router#sh proc mem
Total: 226435680, Used: 98336472, Free: 128099208
 PID TTY  Allocated      Freed    Holding    Getbufs    Retbufs Process
   0   0      98188       1848    5744500          0          0 *Init*
   0   0        716    4735720      20716          0          0 *Sched*
   0   0 1695597520  282572480      48536     182184          0 *Dead*
 ...
 103   0  394643684 1139584448   91248608      13000          0 BGP Router
 ...

router#sh ip bgp sum
BGP table version is 45578905, main routing table version 45578905
112990 network entries and 338257 paths using 23363262 bytes of memory
59466 BGP path attribute entries using 3568080 bytes of memory
52666 BGP AS-PATH entries using 1780032 bytes of memory
1 BGP community entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP activity 7862100/10119105 prefixes, 24954823/24616566 paths, scan interval 60 secs

router#sh mem
                Head    Total(b)     Used(b)     Free(b)   Lowest(b)  Largest(b)
Processor   6210DDA0   226435680    98330588   128105092   122426928   124143936
      I/O        F90     7340032     2345240     4994792     4859760     4994748

FYI, 3660 w/256MB and 3 transit peers with 112K+ routes each.

--
== bep
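To answer Jane's question from the show commands themselves, here is an added example (not code from the thread) that parses the three outputs bep posted: it totals the "bytes of memory" figures from "show ip bgp summary", finds what the BGP Router process holds in "show processes memory", reads the Processor pool from "show memory", and puts the figures side by side. The sample text is bep's output with the original column widths replaced by single spaces and the prompts dropped; the "free after the BGP process grows by its current size" figure at the end is a sizing heuristic of my own, not something the post states.

```python
"""Pull BGP memory figures out of IOS 'show' output.

Added example, not from the original post. Sample text is the output quoted
in the thread, whitespace normalised.
"""
import re

BGP_SUMMARY = """\
BGP table version is 45578905, main routing table version 45578905
112990 network entries and 338257 paths using 23363262 bytes of memory
59466 BGP path attribute entries using 3568080 bytes of memory
52666 BGP AS-PATH entries using 1780032 bytes of memory
1 BGP community entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP activity 7862100/10119105 prefixes, 24954823/24616566 paths, scan interval 60 secs
"""

PROC_MEM = """\
Total: 226435680, Used: 98336472, Free: 128099208
PID TTY Allocated Freed Holding Getbufs Retbufs Process
0 0 1695597520 282572480 48536 182184 0 *Dead*
103 0 394643684 1139584448 91248608 13000 0 BGP Router
"""

SHOW_MEM = """\
Head Total(b) Used(b) Free(b) Lowest(b) Largest(b)
Processor 6210DDA0 226435680 98330588 128105092 122426928 124143936
I/O F90 7340032 2345240 4994792 4859760 4994748
"""

# "<count> <what> using <bytes> bytes of memory"
USING_RE = re.compile(r"^(\d+) (.+?) using (\d+) bytes of memory$")
# PID TTY Allocated Freed Holding Getbufs Retbufs Process
PROC_RE = re.compile(r"^(\d+)\s+\S+\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.+)$")
# <pool> <head hex> Total Used Free Lowest Largest
POOL_RE = re.compile(r"^(\S+)\s+[0-9A-Fa-f]+\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)$")


def parse_bgp_table_bytes(text):
    """[(count, description, bytes)] for every 'using N bytes of memory' line."""
    rows = []
    for line in text.splitlines():
        m = USING_RE.match(line.strip())
        if m:
            rows.append((int(m.group(1)), m.group(2), int(m.group(3))))
    return rows


def parse_process_holding(text, process="BGP Router"):
    """Bytes the named process holds, from 'show processes memory'."""
    for line in text.splitlines():
        m = PROC_RE.match(line.strip())
        if m and m.group(7).strip() == process:
            return int(m.group(4))
    raise ValueError(f"process {process!r} not found")


def parse_pool(text, pool="Processor"):
    """(total, used, free) for one pool from 'show memory'."""
    for line in text.splitlines():
        m = POOL_RE.match(line.strip())
        if m and m.group(1) == pool:
            return int(m.group(2)), int(m.group(3)), int(m.group(4))
    raise ValueError(f"pool {pool!r} not found")


def bgp_memory_report(bgp_summary, proc_mem, show_mem):
    reported = sum(b for _, _, b in parse_bgp_table_bytes(bgp_summary))
    holding = parse_process_holding(proc_mem)
    total, used, free = parse_pool(show_mem)
    return {
        "bgp_reported_bytes": reported,          # what the bgp commands admit to
        "bgp_process_holding": holding,          # what the process actually holds
        "holding_over_reported": holding / reported,
        "processor": (total, used, free),
        "pool_consistent": used + free == total, # sanity check on the parse
        "bgp_share_of_used": holding / used,
        # heuristic: headroom left if the BGP process grew by its current size
        "free_after_doubling_bgp": free - holding,
    }


if __name__ == "__main__":
    for k, v in bgp_memory_report(BGP_SUMMARY, PROC_MEM, SHOW_MEM).items():
        print(f"{k}: {v}")
```

Run against a live router the three strings would come from `show ip bgp summary`, `show processes memory` and `show memory` respectively; the point of comparing the process's Holding column with the bgp command totals is the one bep makes, that the latter understate what the table really costs.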