Non-GPS derived timing sources (was Re: NTp sources that work in adatacenter)
On Sat, 31 May 2003, Peter Lothberg wrote: > Time2.Stupi.SE and Time4.Stupi.SE are both stratum-1 accessable through > the Internet, tracable to UTC-SP (part of TAI) without use of GPS or slaving > to CDMA (that slaves to GPS). I was wondering about everyone using GPS-derived timing sources last week. I looked at 23 different American backbone providers and I think 19 were traceable back to a GPS clock. 3 were traceable back to USNO/NIST NTP servers on the Internet synched to their respective master clocks. And one claimed to be using the ACTS dialup time service. I don't expect GPS to spin out of control soon, but I did wonder how hard it is to find a another reliable clock source of similar quality to GPS to double check GPS. US clocks account for 40% of the input to TAI.
Re: IANA reserved Address Space
On Sat, 31 May 2003 [EMAIL PROTECTED] wrote: > The only difference between routed and unrouted (note the difference > between that and routable) is consensus. There is nothing inherent in the bits > which prevents RFC1918 from being routed globally. There is no requirement > to use RFC1918 for NAT. Correct, an error in terminology on my part. Substitute "routed" or "public" for the first and "RFC1918" or "private" for the second. I think we all know what was meant. > Therefore, your argument doesn't hold water. The minor error in terminology doesn't really affect what I was trying to say. There may be valid reasons where, within a closed lab environment, it could be useful to use public, routed space not assigned to the entity that is operating the lab. I listed some. > If the entity for some stupid reason can't use RFC1918, they can and should > use their _own_ address space for the balance. And if the reason isn't stupid, and proper safeguards are in place, and they're not training people to do this anywhere BUT within a closed lab environment, then it makes no difference what addresses they use. Even if the reason is stupid, no one outside the lab will know or care. If it makes it easier to debug problems with decimal or binary addresses that are easy to parse, or to paste configurations from a production system to a lab for troubleshooting, so what? -- Jay Hennigan - CCIE #7880 - Network Administration - [EMAIL PROTECTED] WestNet: Connecting you to the planet. 805 884-6323 WB6RDV NetLojix Communications, Inc. - http://www.netlojix.com/
Re: Clocking Sources (was NTp sources that work in a datacenter (was Re: Is latency equivalentto RTT?))
> The desire for everyone to have a timing source that is tracable to > a Cesium clock comes from the SONET standard. If you tie two SONET > networks together, if they both don't have timing that's tracable to > a Stratum 1 (PRS) source, they'll drift at the points where they > interconnect and PSE (Positive Stuff Event) and NSE (Negative Stuff > Event) errors will be the result. This is BAD BAD BAD for the voice > networks that are provisioned over SONET. BITS and SONET systems do not carry time-of-day information. It's only frequency. Sonet/GR253C SDH/G811 stratum-1 is 1x10-11 that will give you one pointer update every 72 days. But you can do one pointer-update every two frames... -P (you do stuffing on PDH systems)
Re: Clocking Sources (was NTp sources that work in a datacenter (was Re: Is latency equivalentto RTT?))
> Quartz < Rubidium < Cesium. quartz < rubidium < cesium-beam < hydrogen < cesium-fontain -P
Re: NTp sources that work in a datacenter (was Re: Is latency equivalent to RTT?)
> > In message <[EMAIL PROTECTED]>, Joel Jae > ggli writes: > > > > > >Also if you just need a high level of syncronization between the time on > >all your hosts you can just deploy one standalone ntp server, sync it > >against public time sources and get everything synced against that. its > >probably a 95% solution to most people's timeing needs. > > > > If I recall correctly, NTP assumes that latency = RTT/2. You might > make it work well for his application *if* you set up your tree so that > your paths are each one hop, or at least symmetric over your network. Correct, and if it's asymetric you get a static offset. My laptops internal clock is a bigger source of error... -P
Re: NTp sources that work in a datacenter (was Re: Is latency equivalent
The receiver do not need to be in the datacenter, there is this thing called "the internet" that you can hook it up to. > > >in every PoP to do measurements. In that case, the difficulty isn't in > > >measuring one-way latency, it's in synchronizing the time on all the > > >servers. And with fairly cheap GPS and CDMA clocks that is a lot > > >easier/cheaper than it once was. > > a robust mesh of strat-2 chimers gives one more resilence > and more accuracy than syncing off a single source. > > > But what GPS clock can you install in a datacenter? AFAIK, they all > > require roof (or at least window) access in order to install the > > antenna. (At least, all the GPS based ntp servers I've looked at do). > > Is that not true of CDMA servers? > > some GPS, some PPS, and an atomic source here and there > give great diversity and only a few need roof access. > > > How have others solved this issue? (Short of owning their datacenters.) > > Use NTP, run most systems as strat-2 Time2.Stupi.SE and Time4.Stupi.SE are both stratum-1 accessable through the Internet, tracable to UTC-SP (part of TAI) without use of GPS or slaving to CDMA (that slaves to GPS). -P
Re: Net-24 top prefix generating bogus RFC-1918 queries
> > Why does 65/8 generate almost as many queries as 24/8? because there are lots of cable and DSL users in those prefix's My cable at home is net-65
Re: Net-24 top prefix generating bogus RFC-1918 queries
John Brown wrote: > Operators within Net-24 (typically Cable Operators) would > do good in setting up a AS112 anycasted DNS server within > their networks. Same with 68/8. A few large cable operators (Cox, Comcast, Charter, RoadRunner, etc.) have netblocks in 68/8. . > Based on a 1,000,000 query (2 min period of time) here are the > top 20 /8's that gen bogus queries for RFC-1918 related DNS > data. > > 61637 24.0.0.0 > 51596 65.0.0.0 Why does 65/8 generate almost as many queries as 24/8?
Net-24 top prefix generating bogus RFC-1918 queries
Operators within Net-24 (typically Cable Operators) would do good in setting up a AS112 anycasted DNS server within their networks. Cable modem users tyically NAT their connections to allow multiple machines at home to be "online". This causes local hosts to generate junk traffic towards the global internet when these machines query for or try DynaDNS updates on RFC-1918 addresses. In a 100,000 query sample (lasted for 30 seconds) we saw 768 unique Net-24 prefixes. All of them had multiple queries within the sample period. Looking at the raw data, we saw 7444 queries out of 100,000 queries from Net-24 prefixes. Given this, each Net-24 query, on average, asked for info 10 times within the 30 sec sample window. All of this is from a AS112 server located in NM that is announcing the AS112 prefix towards our transit provider AS 1239. If you are not aware of the AS112 project you should look at : http://www.as112.net Site maintained by Paul Vixie My setup tips page: http://www.chagreslabs.net/jmbrown/research/as112/index.html Based on a 1,000,000 query (2 min period of time) here are the top 20 /8's that gen bogus queries for RFC-1918 related DNS data. 61637 24.0.0.0 51596 65.0.0.0 36974 216.0.0.0 32925 63.0.0.0 31503 66.0.0.0 31483 208.0.0.0 30760 217.0.0.0 25813 168.0.0.0 25538 151.0.0.0 25300 209.0.0.0 19862 200.0.0.0 19375 68.0.0.0 17568 207.0.0.0 17303 80.0.0.0 16585 141.0.0.0 13831 64.0.0.0 11652 206.0.0.0 10295 204.0.0.0 10016 205.0.0.0 7795218.0.0.0 202.0.0.0
Re: Pesky spammers are using my mailbox
On Sat, 31 May 2003, Stephen J. Wilcox wrote: > Hi, > seems some spammers are using one of my personal domains as the from field in > their emails, the local-part being random so I cant easily block it. > > Has anyone any advice on tracking them down and making them stop? > > All I get are the bounces, some include the original headers but that usually > gives an open relay as the origin. > > I think I know the answer (you cant do anything) but I wanted to ask as its very > annoying and I'm not happy! man 8 syslogd, section "SECURITY THREATS", #5. You are being "joe jobbed". Your best bet is contacting a few of the sites that are likely to be a little more clueful and see if they can get you copies of the actual email in full from the recipient, spamtrap, or spam archives. This is happening more and more to the average joe. It used to rarely happen to Joe Blow off the street but was actually a common occurence to anti-spammers (wack-a-mole a spammer a few times and then get very... sad). There isn't much you can do about it. You might ask some of the lists that actually deal in spam or ask NANAE (new.admin.net-abuse.email) for further advice. Procmail is your friend, Justin
Re: Pesky spammers are using my mailbox
Hi, Stephen. ] seems some spammers are using one of my personal domains as the ] from field in their emails... This is also happening to one of my domains. The spam advertised two web sites, one in Brasil and the other in China. I attempted to contact these folks, but the domain in China doesn't accept inbound email. :/ The hosts used to send the mail are all hacked Windows boxes. I notified all of the ISPs that had hacked hosts, but decided to focus my energy on the two sites being advertised. I'm not accusing them of launching the Joe Job, but I doubt a spammer would randomly advertise these sites. Perhaps these two sites hired a shady marketing group. Anyway, this is really all I could do. The spam never uses my resources, except for the bounces. I share your pain. :( ] PS Anyone around at the Sheraton today.. I cant spot anyone looking ] nanogish! I just arrived, and I look pretty darn NANOGish if I do say so myself. :) Thanks, Rob. -- Rob Thomas http://www.cymru.com ASSERT(coffee != empty);
Re: IANA reserved Address Space
> On Fri, 30 May 2003 [EMAIL PROTECTED] wrote: > > > > > > I'm tasked with coming up with an IP plan for an very large lab > > > network. I want to maximize route table manageability and > > > router/firewall log readability. I was thinking of building this > > > lab with the following address space: > > > > > > 1.0.0.0 /8 > > > 10.0.0.0 /8 > > > 100.0.0.0 /8 > > > > I encourage my competitors to do this. > > > > or read another way, this is fairly stupid, but as log as > > this stupidity doesn't affect me, I don't care. However the > > person tasked with cleaning tha crap up behind you may not feel > > the same. > > > > Doing something right, the first time saves having to do it over > > again and again and again and again. > > If this is a test lab or a learning/practice lab where the users will be > simulating real-world scenarios and/or doing NAT and other things that > involve public/private addressing issues, then it would IMHO be suitable > to use a mix of reserved private space and routable space as appropriate. The only difference between routed and unrouted (note the difference between that and routable) is consensus. There is nothing inherent in the bits which prevents RFC1918 from being routed globally. There is no requirement to use RFC1918 for NAT. Therefore, your argument doesn't hold water. If the entity for some stupid reason can't use RFC1918, they can and should use their _own_ address space for the balance.
ISP in Exodus Dulles (Sterling)?
Are you an ISP (in the sense of terminates leased line type things) in Exodus Dulles (aka Sterling)? If so, I'd like to ask you a few questions off list. Thanks. -- Leo Bicknell - [EMAIL PROTECTED] - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ Read TMBG List - [EMAIL PROTECTED], www.tmbg.org pgp0.pgp Description: PGP signature
Re: Pesky spammers are using my mailbox
[EMAIL PROTECTED] wrote: I and a number of coworkers are getting similar bounces, except the spammers are actually using our full email addresses as the from address. The first few cases of this, I wrote off to things like KLEZ...but recently I've gotten actual spam bounces where my work email address was the original from. I suppose it could possibly still be something like KLEZ and it's grabbing a spam from their inbox and sending that out with a forged from. A good section of my users get User unknown bounces from the AOL servers where spammers are using their spam lists not only as recipients, but to spoof senders. Most of the time, it's just two or three per user. There are cases where the remote server has to be contacted reguarding the bounces to request that bounce handling for the domain be turned off. -Jack
Re: Pesky spammers are using my mailbox
At 02:39 PM 5/31/2003, you wrote: On Sat, 31 May 2003, Stephen J. Wilcox wrote: > seems some spammers are using one of my personal domains as the from > field in their emails, the local-part being random so I cant easily > block it. > > Has anyone any advice on tracking them down and making them stop? Tactical baseball bat at close range? :) I and a number of coworkers are getting similar bounces, except the spammers are actually using our full email addresses as the from address. The first few cases of this, I wrote off to things like KLEZ...but recently I've gotten actual spam bounces where my work email address was the original from. I suppose it could possibly still be something like KLEZ and it's grabbing a spam from their inbox and sending that out with a forged from. There are known spamming viruses making their rounds that I believe behave like klez and others that use known email addresses. A couple of our customers have been infected by them and have had their computers unknowingly sending out spam. Vinny Abello Network Engineer Server Management [EMAIL PROTECTED] (973)300-9211 x 125 (973)940-6125 (Direct) PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0 E935 5325 FBCB 0100 977A Tellurian Networks - The Ultimate Internet Connection http://www.tellurian.com (888)TELLURIAN There are 10 kinds of people in the world. Those who understand binary and those that don't.
Re: Pesky spammers are using my mailbox
On Sat, 31 May 2003, Stephen J. Wilcox wrote: > seems some spammers are using one of my personal domains as the from > field in their emails, the local-part being random so I cant easily > block it. > > Has anyone any advice on tracking them down and making them stop? Tactical baseball bat at close range? :) I and a number of coworkers are getting similar bounces, except the spammers are actually using our full email addresses as the from address. The first few cases of this, I wrote off to things like KLEZ...but recently I've gotten actual spam bounces where my work email address was the original from. I suppose it could possibly still be something like KLEZ and it's grabbing a spam from their inbox and sending that out with a forged from. -- Jon Lewis [EMAIL PROTECTED]| I route System Administrator| therefore you are Atlantic Net| _ http://www.lewis.org/~jlewis/pgp for PGP public key_
Re: IANA reserved Address Space
> Since all of the replies have been pretty close to the same (Use RFC1918 > ...etc), I'd like to rephrase it to answer a curiosity of mine. The answers seemed correct, rephrasing wont change current systems or policies to suit you! > RFC1918 is a set number of IP addresses. If you are working on a private > network lab Use anything you like, its private. > that will be on the internet eventually or have parts on the > internet and exceeds the total number of IPV4 addressing set aside in Follow the current policy for public Internet Address space, get what IPs you need, implement NAT where/if possible. > RFC1918, and IPV6 private addressing is not an option, what can you do? (I thats the way it is, take it or leave it.. Steve > know it's a stretch, but I think it asks specifically what Brennan wants > to know and what I'm curious about now) > > IPV6 would seem to be the best answer overall since it has already been > determined the solution for limited addressing, but there is still > equipment/software and such that does not support it. > > Brennan, is a mix of IPV6 and IPV4 private addressing an option for you? I > do have to agree wholeheartedly that using address space not assigned to > you is unprofessional, and will cause someone headaches later even if it > is not you. > > Gerald >
Pesky spammers are using my mailbox
Hi, seems some spammers are using one of my personal domains as the from field in their emails, the local-part being random so I cant easily block it. Has anyone any advice on tracking them down and making them stop? All I get are the bounces, some include the original headers but that usually gives an open relay as the origin. I think I know the answer (you cant do anything) but I wanted to ask as its very annoying and I'm not happy! PS Anyone around at the Sheraton today.. I cant spot anyone looking nanogish! Steve
Re: dnsbl's? - an informal survey
On Sat, 31 May 2003 [EMAIL PROTECTED] wrote: > > On Sat, 31 May 2003, Mr. James W. Laferriere wrote: > > > > White listing comes with any blacklist. The blacklists in particular > > > being discussed were the @dynamics, like the PDL and dynablock at > > > easynet. Both lists quite clearly state how they build their lists and > > > what they are designed to block (dynablock only takes out dialup, and > > > PDL takes out all dynamic addressing). > > Query , How is it determined that the address in question is > > dynamic or not ? Who/how/what makes that determination ? > > This is the core of my concerns . > > It's usually determined via in-addr.arpa, whois data, or direct > information from the provider. When MAPS was freely available, I used to > periodically email them updates on our IP space (please add these dial > ranges, please remove these others). I'm sure others did the same. > AFAIK, they had at least one FTE who's job it was to maintain the DUL. Many providers list their own dynamically assigned blocks voluntarily. It helps the fight against spam to an extent; plus it's good PR. Someday I expect to either see someone create a list of known MTAs through which you must register it with some entity, or a list of everything that isn't an MTA--every statically/dynamically assigned desktop, laptop, home node, etc... If that ever happens the results should be quite interesting. > Those large providers who stole copies of the DUL before MAPS pulled the > plug on them, and continued to use them without maintenance still annoy > me as we've run into issues multiple times with space removed from the DUL > still being in their private copies. I agree. Something like that could have large chunks go stale in a hurry. If you toss in the number of providers going belly-up since MAPS went commercial, then that's a lot netblocks that shouldn't be in the DUL and aren't if people are paying for a current copy (like we do). Justin
Re: dnsbl's? - an informal survey
On Sat, 31 May 2003, Mr. James W. Laferriere wrote: > > White listing comes with any blacklist. The blacklists in particular > > being discussed were the @dynamics, like the PDL and dynablock at > > easynet. Both lists quite clearly state how they build their lists and > > what they are designed to block (dynablock only takes out dialup, and > > PDL takes out all dynamic addressing). > Query , How is it determined that the address in question is > dynamic or not ? Who/how/what makes that determination ? > This is the core of my concerns . It's usually determined via in-addr.arpa, whois data, or direct information from the provider. When MAPS was freely available, I used to periodically email them updates on our IP space (please add these dial ranges, please remove these others). I'm sure others did the same. AFAIK, they had at least one FTE who's job it was to maintain the DUL. Those large providers who stole copies of the DUL before MAPS pulled the plug on them, and continued to use them without maintenance still annoy me as we've run into issues multiple times with space removed from the DUL still being in their private copies. -- Jon Lewis [EMAIL PROTECTED]| I route System Administrator| therefore you are Atlantic Net| _ http://www.lewis.org/~jlewis/pgp for PGP public key_