Re: Cross-country shipping of large network/computer gear?
Matthew Zito wrote:
> Hello, [snip]

I've had good luck shipping ~600 lbs of gear next day with Eagle Global Logistics. (http://www.eagleusa.com) It was fairly reasonably priced, too. HTH, Gabriel

-- Gabriel Cain www.dialupusa.net Systems Administrator [EMAIL PROTECTED] Dialup USA, Inc. 888-460-2286 ext 208 PGP Key ID: 2B081C6D PGP fingerprint: C0B4 C6BF 13F5 69D1 3E6B CD7C D4C8 2EA4 2B08 1C6D Beware he who would deny you access to information, for in his heart he dreams himself your master.
RE: Cross-country shipping of large network/computer gear?
Thanks to everyone for all of the responses. I got in touch with a number of companies - the two big common sticking points seem to be insuring shipments of greater than 50k value and the SLAs on their freight delivery. Overall (price vs. SLA vs. convenience), FedEx won, though they max out at 50k insurance per shipment. ForwardAir was the nicest and most helpful, but they charge $1 per $100 of shipped value and they have very rigid packing requirements for high-value shipments (plus a 4-day delivery timeframe). Airborne Express was notable for their willingness to insure well above the 50k max per shipment, though they require advance notice.

Thanks again, Matt

-- Matthew Zito GridApp Systems Email: [EMAIL PROTECTED] Cell: 646-220-3551 Phone: 212-358-8211 x 359 http://www.gridapp.com

-Original Message-
From: Christopher Bird [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 27, 2003 6:19 PM
To: 'Matthew Zito'
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: Cross-country shipping of large network/computer gear?

I have used Federal Express to great effect in the past. I have tended to stay away from Airborne because the local people here in Dallas didn't know not to turn printers full of toner on their sides. Since Airborne packed them, I felt they should not have been full of toner, but that is another story! Chris

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Zito
Sent: Wednesday, August 27, 2003 1:19 PM
To: [EMAIL PROTECTED]
Subject: Cross-country shipping of large network/computer gear?

Hello, I was wondering if anyone could provide any advice or suggestions on shipping heavy/bulky equipment (~300 pounds, about a half-rack worth of gear) on short notice cross-country? We're obviously looking to minimize cost, but realistically it can't be in transit for more than two days. Are there any companies or methods people would recommend? Thanks in advance for the help.
Re: Cross-country shipping of large network/computer gear?
On 27 Aug 2003, Robert E. Seastrom wrote:
> FedEx Heavy = pay a surcharge for heavy boxes, get it moved by a 120 pound delivery person with a handtruck rather than a pallet jack or other appropriate freight handling equipment... and dropped off the truck. My experience is a 40% damage rate when shipping Cisco 7507 and 7513 routers via FedEx Heavy. Here are some pictures from back when I was at AboveNet: http://www.seastrom.com/fedex/

That's it Rob, let it all out. ;) I can certainly empathize, as I have had my bad experiences with Fedex as well. We also use Emery on a regular basis for the big things. The bottom line is, like vendors, all shippers can suck at times...it really is luck of the draw if some guy along the line decides that he is going to not care about your gear at some point while he is handling it. Accidents happen as well... C'est la vie..what can you do. Counter to counter I find is most effective, but as mentioned earlier, does require some effort on the sender's part.

andy -- PGP Key Available at http://www.tigerteam.net/andy/pgp
Re: Sobigf + BGP
We have seen that many people *posting* do not have the best of intentions; I can assure you that there are lurkers on Nanog (surprise, surprise) who are not nearly as naive and well-intentioned as J. O. would hope. In fact, I know that there are subscribers from various print media, various on-line media, and certainly some stunningly unpleasant characters that I run into on other lists. And after being /.ed several times, there are undoubtedly end-users, small enterprises, non-network folks from networking companies, and assorted other groups which don't fit the traditional network operator mold. Oh, and sales people...
Re: Cross-country shipping of large network/computer gear?
A counter-to-counter shipment on a passenger airline is a thing of the past (at least from my experiences going directly to the passenger airlines). After Sept 11 the FAA has required that passenger airlines only accept shipments from known shippers (unless this has changed in the last 14 months). What does this mean? You need to setup an account with the airline (many of them will setup the account and still be able to bill to a credit card). You also need to become a known shipper by having their courier/employee visit your location and verify that you are a known shipper. Once this occurs you can do passenger airline counter-to-counter shipments at will. Setup time takes 7-10 days from what I remember. If anybody has counter-to-counter on their disaster recovery plans you may want to get setup as a known shipper. I went through the process with United's Cargo division http://www.unitedcargo.com. I used them as a backup to America West Airlines as I am located in Phoenix, AZ.

-Andy

--- Robert E. Seastrom [EMAIL PROTECTED] wrote:
> N. Richard Solis [EMAIL PROTECTED] writes:
> > FedEx will be your best bet. Trust me.
> FedEx Heavy = pay a surcharge for heavy boxes, get it moved by a 120 pound delivery person with a handtruck rather than a pallet jack or other appropriate freight handling equipment... and dropped off the truck. My experience is a 40% damage rate when shipping Cisco 7507 and 7513 routers via FedEx Heavy. Here are some pictures from back when I was at AboveNet: http://www.seastrom.com/fedex/
> > You COULD do a counter to counter shipment via an airline cargo desk. That MIGHT be cheaper but you will still have to transport it from your spot to their pickup and back again on the other side.
> Counter-to-counter is the *last* way you would want to ship that sort of thing (handled as luggage on a flight, beat to hell by baggage handlers, and you get to retrieve it from baggage claim in an airport and schlep it all the way to your car).
Far better (if you have access to trucks on both ends) is to ship it air freight. As you enter your favorite airport, follow the signs to Air Cargo, not the signs to the passenger terminal. When you find a place with a lot of places for 18-wheelers to back up to loading docks, and relatively few places for cars to park, you've found the right place. Matthew doesn't mention specific terminus points for the shipment, but based on whois information I'll make a wild guess that NYC is one end. JFK appears to be the big United installation (vs LGA and EWR), per info on www.unitedcargo.com - I tend to prefer them because of their long hours for pickup and delivery at IAD, which makes life convenient for me. :) If you need door-to-door service, there are numerous air freight forwarders who can handle palletized equipment and move it around the country/world in a timely fashion (and really, if you're talking about 300+ pounds of rackmount equipment, that's how you want to move it anyway). Two companies that I've used and been quite happy with the results are Cavalier International and Eagle Global Logistics. You may recognize Eagle's logo from stickers on previous shipments that you've gotten from major manufacturers who have stuff manufactured in the Far East. The Pros Know. http://www.eaglegl.com/ http://www.cavalier-intl.com/ ---Rob
Re: Cross-country shipping of large network/computer gear?
Andy Walden [EMAIL PROTECTED] writes:
> That's it Rob, let it all out. ;) I can certainly empathize, as I have had my bad experiences with Fedex as well. We also use Emery on a regular basis for the big things also. The bottom line is, like vendors, all shippers can suck at times...it really is luck of the draw if some guy along the line decides that he is going to not care about your gear at some point while he is handling it. Accidents happen as well...

Yes, but my point is that you can stack the deck in your favor by using a company that uses appropriate material handling devices to move every package if you are shipping packages that are heavy enough that moving them with a handtruck or by hand is possible-but-unwise.

> C'est la vie..what can you do. Counter to counter I find is most effective, but as mentioned earlier, does require some effort on the sender's part.

Do you really mean counter to counter, or do you mean Real Air Freight (like going to the United Air Cargo facility behind Gate Gourmet in the same strip as FedEx out at IAD)? Real Air Freight (tm) rocks my world. Going into the terminal to baggage claim and trying to find someone to help you find your package is annoying.

---Rob
Re: Sobigf + BGP
On Wed, 27 Aug 2003 [EMAIL PROTECTED] wrote:
> We have seen that many people *posting* do not have the best of intentions; I can assure you that there are lurkers on Nanog (surprise, surprise) who are not nearly as naive and well-intentioned as J. O. would hope. In fact, I know that there are subscribers from various print media, various on-line media, and certainly some stunningly unpleasant characters that I run into on other lists. And after being /.ed several times, there are undoubtedly end-users, small enterprises, non-network folks from networking companies, and assorted other groups which don't fit the traditional network operator mold. Oh, and sales people...

Case in point: http://slashdot.org/articles/03/08/27/0214238.shtml?tid=111&tid=126 references http://www.merit.edu/mail.archives/nanog/msg12818.html

For those few finding the NANOG archives for the first time with this /. link, I'm sure they'll take some time to poke around recent threads with interesting titles like "Sobigf + BGP".

Pete.
Re: Cross-country shipping of large network/computer gear?
Excellent points; didn't cross my mind since I've had (personal) accounts with Delta and United for ages now. Probably a call to ForwardAir, Cavalier, or EGL would get you their rules of engagement too. You might want to try http://www.khcargo.com/ for non-passenger air cargo.

---Rob

Andy Ellifson [EMAIL PROTECTED] writes:
> A counter-to-counter shipment on a passenger airline is a thing of the past (at least from my experiences going directly to the passenger airlines). After Sept 11 the FAA has required that passenger airlines only accept shipments from known shippers (unless this has changed in the last 14 months). What does this mean? You need to setup an account with the airline (many of them will setup the account and still be able to bill to a credit card). You also need to become a known shipper by having their courier/employee visit your location and verify that you are a known shipper. Once this occurs you can do passenger airline counter-to-counter shipments at will. Setup time takes 7-10 days from what I remember. If anybody has counter-to-counter on their disaster recovery plans you may want to get setup as a known shipper. I went through the process with United's Cargo division http://www.unitedcargo.com. I used them as a backup to America West Airlines as I am located in Phoenix, AZ. -Andy
> --- Robert E. Seastrom [EMAIL PROTECTED] wrote:
> > N. Richard Solis [EMAIL PROTECTED] writes:
> > > FedEx will be your best bet. Trust me.
> > FedEx Heavy = pay a surcharge for heavy boxes, get it moved by a 120 pound delivery person with a handtruck rather than a pallet jack or other appropriate freight handling equipment... and dropped off the truck. My experience is a 40% damage rate when shipping Cisco 7507 and 7513 routers via FedEx Heavy. Here are some pictures from back when I was at AboveNet: http://www.seastrom.com/fedex/
> > > You COULD do a counter to counter shipment via an airline cargo desk.
That MIGHT be cheaper but you will still have to transport it from your spot to their pickup and back again on the other side. Counter-to-counter is the *last* way you would want to ship that sort of thing (handled as luggage on a flight, beat to hell by baggage handlers, and you get to retrieve it from baggage claim in an airport and schlep it all the way to your car). Far better (if you have access to trucks on both ends) is to ship it air freight. As you enter your favorite airport, follow the signs to Air Cargo, not the signs to the passenger terminal. When you find a place with a lot of places for 18-wheelers to back up to loading docks, and relatively few places for cars to park, you've found the right place. Matthew doesn't mention specific terminus points for the shipment, but based on whois information I'll make a wild guess that NYC is one end. JFK appears to be the big United installation (vs LGA and EWR), per info on www.unitedcargo.com - I tend to prefer them because of their long hours for pickup and delivery at IAD, which makes life convenient for me. :) If you need door-to-door service, there are numerous air freight forwarders who can handle palletized equipment and move it around the country/world in a timely fashion (and really, if you're talking about 300+ pounds of rackmount equipment, that's how you want to move it anyway). Two companies that I've used and been quite happy with the results are Cavalier International and Eagle Global Logistics. You may recognize Eagle's logo from stickers on previous shipments that you've gotten from major manufacturers who have stuff manufactured in the Far East. The Pros Know. http://www.eaglegl.com/ http://www.cavalier-intl.com/ ---Rob
Re: Cross-country shipping of large network/computer gear?
I'm not sure if any of them are here, or if they would make their info known...but I'm sure vendors have some good data. I know Cisco's online ordering tool has about a bazillion (and yes, that's the right term) shippers, and I'm sure they track the number of problems reported. No doubt other vendors do as well. Anyone friends with someone in the logistics department at a big hardware vendor care to comment? :) -- Leo Bicknell - [EMAIL PROTECTED] - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ Read TMBG List - [EMAIL PROTECTED], www.tmbg.org pgp0.pgp Description: PGP signature
Re: Cross-country shipping of large network/computer gear?
On 27 Aug 2003, Robert E. Seastrom wrote:
> Andy Walden [EMAIL PROTECTED] writes:
> Yes, but my point is that you can stack the deck in your favor by using a company that uses appropriate material handling devices to move every package if you are shipping packages that are heavy enough that moving them with a handtruck or by hand is possible-but-unwise.

I can agree in principle, so long as we can designate a company that will execute proper company policy and do so *every* time. Unfortunately, for the purpose of the general well-being of our gear, we arrive back at generally blue collar, nonetheless well paid, package handlers that individually define preferences for how they feel like doing it that day.

> > C'est la vie..what can you do. Counter to counter I find is most effective, but as mentioned earlier, does require some effort on the sender's part.
> Do you really mean counter to counter, or do you mean Real Air Freight (like going to the United Air Cargo facility behind Gate Gourmet in the same strip as FedEx out at IAD)? Real Air Freight (tm) rocks my world. Going into the terminal to baggage claim and trying to find someone to help you find your package is annoying.

Granted, it's been awhile since I have shipped counter to counter since I joined the dark side (vendor side), it probably was before 9/11, and things may be different now. Please forgive any outdated experiences represented.

andy -- PGP Key Available at http://www.tigerteam.net/andy/pgp
Re: Tier-1 without their own backbone?
In a message written on Wed, Aug 27, 2003 at 04:39:42PM -0500, Matthew Sweet wrote:
> Alot of carriers that have a Nationwide backbone actually lease their circuits (Layer 1 and 2) through various other carriers.

There are actually a lot more layers than that, not that most people interested in buying a circuit should care. Possible ownership changes occur at:

- Owner of the right of way.
- Owner of the duct.
- Owner of the cable in the duct.
- Owner of the fiber in the cable.
- Owner of the wavelength on the fiber.
- Owner of the circuit on the wavelength.
- Owner of the channel on the circuit.
- Owner of the VC on the channel (at least, for MPLS, ATM, and Frame)
- Owner of the router.

(I'll stop there for backbone purposes.)

When people ask about ownership, I think they generally want to know the answer to three related questions:

1) Do you have the ability to turn up additional capacity in time?
2) Do you own the right bits of infrastructure so you can control cost (with right being the operative word, not a specific level)?
3) Do you have enough control over the chain above such that it won't be broken if someone who owns another part goes Chapter 7|11?

I do wonder who owns it all. Most companies, even if they own their own fiber (fiber in the cable, or cable in the duct) don't own the duct or right of way. Many of the right of way owners don't do circuit or IP services at all. As a practical matter, I'm not sure it matters a whole lot where the divide is, as long as the company has it structured so the answers to those three questions are positive.

-- Leo Bicknell - [EMAIL PROTECTED] - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ Read TMBG List - [EMAIL PROTECTED], www.tmbg.org pgp0.pgp Description: PGP signature
Re: Cross-country shipping of large network/computer gear?
On Wed, 27 Aug 2003, Leo Bicknell wrote:
> I'm not sure if any of them are here, or if they would make their info known...but I'm sure vendors have some good data. I know Cisco's online ordering tool has about a bazillion (and yes, that's the right term) shippers, and I'm sure they track the number of problems reported. No doubt other vendors do as well.

Certainly, with 4.7 BILLION in revenue last quarter (http://biz.yahoo.com/bw/030805/55780_1.html), they must have significant relationships with specific shippers to generate real data. The only objection I can think of is if you are a shipper doing *that much* business with a single company, how much extra care are you going to give boxes with some guy connecting a circuit on the front of them? How much care are you going to give everyone else? It still comes down to human nature and the luck of the draw unless you are a major part of the shipper's revenues and this has been driven into your head?

andy -- PGP Key Available at http://www.tigerteam.net/andy/pgp
Re: Cross-country shipping of large network/computer gear?
On Wed, Aug 27, 2003 at 08:31:58PM -0500, Andy Walden wrote:
> On 27 Aug 2003, Robert E. Seastrom wrote:
> > Yes, but my point is that you can stack the deck in your favor by using a company that uses appropriate material handling devices to move every package if you are shipping packages that are heavy enough that moving them with a handtruck or by hand is possible-but-unwise.
> I can agree in principle, so long as we can designate a company that will execute proper company policy and do so *every* time. Unfortunately, for

So your position is that the existence of exceptions defines the probability and severity of damage? That 1% and 40% damage rates are in fact the same? $10 and $10,000?

> the purpose of the general well-being of our gear, we arrive back at generally blue collar, nonetheless well paid, package handlers that individually define preferences for how they feel like doing it that day.

I still fail to see why I would choose an organization which handles hundreds of times more packages, most weighing less and being less breakable than mine, over one with the specialized equipment to move it. An air cargo carrier with heavy-cargo equipment is still less likely to drop a pallet off a pallet jack than an express shipper with a handtruck. That their respective employees are equally lackadaisical doesn't mean all other factors have been equalized. Cargo/freight carriers, in general, are also aware that nearly all their cargo is of declared value, that the fragility warnings are more likely correct, and, perhaps most important, that the customers are far more likely to be filing damage claims against them. Fedex, et al, know that most of THEIR packages are paper and other sturdy items, and that their customers are much less likely to notice/claim damages. It's somewhat like card counting in blackjack. The odds are still quite poor, but that n% shift can make the difference of coming out of the casino money ahead or behind.

Of course, good packing is critical either way. If you're going freight, palletize the items with proper/extra padding/packing material, stick some damage (shock and tipping) indicators on each side, and tuck in an INSPECTION CHECKLIST for whoever is on the receiving end (not that they won't have their own copy, it just sends a sign to anyone handling it that someone's going to look when it arrives). If you're still determined to use a shipper, pack and pad it well, then pack that box into another padded/packed box. If you're desperate to get it moved ASAP, see if you can find a college intern you can pay to drive it. You'll want your own people to load it in and out of the car/van, but it'll be cheap and probably less risky than relying on the odds with a shipper.

-- Ray Wong [EMAIL PROTECTED]
Re: Cross-country shipping of large network/computer gear?
On Wed, 27 Aug 2003, Ray Wong wrote:
> On Wed, Aug 27, 2003 at 08:31:58PM -0500, Andy Walden wrote:
> > On 27 Aug 2003, Robert E. Seastrom wrote:
> > > Yes, but my point is that you can stack the deck in your favor by using a company that uses appropriate material handling devices to move every package if you are shipping packages that are heavy enough that moving them with a handtruck or by hand is possible-but-unwise.
> > I can agree in principle, so long as we can designate a company that will execute proper company policy and do so *every* time. Unfortunately, for
> So your position is that the existence of exceptions defines the probability and severity of damage? That 1% and 40% damage rates are in fact the same? $10 and $10,000?

Just out of curiosity, what makes them less likely? I still think anyone driving a pallet for a living (or running a network for that matter;) could have very well had a binger the night before and still be feeling the effects.

> > the purpose of the general well-being of our gear, we arrive back at generally blue collar, nonetheless well paid, package handlers that individually define preferences for how they feel like doing it that day.
> I still fail to see why I would choose an organization which handles hundreds of times more packages, most weighing less and being less breakable than mine, over one with the specialized equipment to move it. An air cargo carrier with heavy-cargo equipment is still less likely to drop a pallet off a pallet jack than an express shipper with a handtruck. That their respective employees are equally lackadaisical doesn't mean all other factors have been equalized. Cargo/freight carriers, in general, are also aware that nearly all their cargo is of declared value, that the fragility warnings are more likely correct, and, perhaps most important, that the customers are far more likely to be filing damage claims against them. Fedex, et al, know that most of THEIR packages are paper and other sturdy items, and that their customers are much less likely to notice/claim damages.

What insight do you have into each shipper's package types and the insurance liability?

> It's somewhat like card counting in blackjack. The odds are still quite poor, but that n% shift can make the difference of coming out of the casino money ahead or behind.

Maybe, but make sure you are correct when you place your bet.

> Of course, good packing is critical either way. If you're going freight, palletize the items with proper/extra padding/packing material, stick some damage (shock and tipping) indicators on each side, and tuck in an INSPECTION CHECKLIST for whoever is on the receiving end (not that they won't have their own copy, it just sends a sign to anyone handling it that someone's going to look when it arrives). If you're still determined to use a shipper, pack and pad it well, then pack that box into another padded/packed box. If you're desperate to get it moved ASAP, see if you can find a college intern you can pay to drive it. You'll want your own people to load it in and out of the car/van, but it'll be cheap and probably less risky than relying on the odds with a shipper.

100% agreed. We are talking about bringing the entire process under your control in this case. Not always an option, but it certainly lets us feel better if the option is available. Unfortunately, in the real world, this isn't always an option.

andy -- PGP Key Available at http://www.tigerteam.net/andy/pgp
Re: Cross-country shipping of large network/computer gear?
> I was wondering if anyone could provide any advice or suggestions on shipping heavy/bulky equipment (~300 pounds, about a half-rack worth of gear) on short notice cross-country? We're obviously looking to minimize cost, but realistically it can't be in transit for more than two days. Are there any companies or methods people would recommend? Thanks in advance for the help. Thanks again, Matt

This probably is too small of a load for this but we have had good luck moving high value industrial control panels using the special cargo division of carriers like United Van Lines (http://www.unitedvanlines.com/spec/highvalue.htm?gid=9). Basically standard household moving trucks with crews dedicated to moving high value electronics, exhibits, art, etc. around the country. With a 2 person crew in the truck you can go a hell of a long ways in 2 days though the cost may not be exactly pretty.

Mark Radabaugh Amplex (419) 720-3635
Re: Cross-country shipping of large network/computer gear?
> I still fail to see why I would choose an organization which handles hundreds of times more packages, most weighing less and being less breakable than mine, over one with the specialized equipment to move it. An air cargo carrier with heavy-cargo equipment is still less likely to drop a pallet off a pallet jack than an express shipper with a handtruck. That their respective employees are equally lackadaisical doesn't mean all other factors have been equalized.

Fedex != Fedex Freight

I have had fedex heavyweight boxes trashed, but have never had an issue with Fedex Freight. They show up with a liftgate or box truck, and a pallet jack. If your load is not palletized, they put it on one in the truck. I think Fedex Freight is a bit more in the heavy moving industry than Fedex, agreed.

bill

ps. Is this operational? :)
Re: Cross-country shipping of large network/computer gear?
Speaking on Deep Background, the Press Secretary whispered: Do you really mean counter to counter, or do you mean Real Air Freight (like going to the United Air Cargo facility behind Gate Gourmet in the same strip as FedEx out at IAD)? Real Air Freight (tm) rocks my world. Going into the terminal to baggage claim and trying to find someone to help you find your package is annoying. Beware: IMHE, Real Air Freight seldom comes with a guarantee that it will travel on a given flight. Some time back, I REALLY REALLY needed a 235# 20HP 480V motor moved CLE-ORD-MIA. I {well, you..} paid United ~2X for Priority One and then found out 10 minutes before its departure they'd bumped it off the ORD-MIA plane because we gotta bunch of mail on that 727. [Note the USPS tariff is very profitable to airlines..] I pointed out that this was ALSO a USG shipment, and if it was not at MIA at 1600 that day, United could deliver it to my end point, as at that time I was leaving for South America, with motor, on Eastern. [I was in fact going to get the motor there and install it...] The motor got there on time. (I took it as checked baggage on Eastern; they could not figure out how to charge me so it was the usual $40 flatrate per bag for the international leg) In conclusion: Air freight may well be best but be sure it's a direct flight, and know what you are paying for. -- A host is a host from coast to [EMAIL PROTECTED] no one will talk to a host that's close[v].(301) 56-LINUX Unless the host (that isn't close).pob 1433 is busy, hung or dead20915-1433
Re: Cross-country shipping of large network/computer gear?
On Wed, 27 Aug 2003 17:56:09 PDT, nanog [EMAIL PROTECTED] said: ps. Is this operational? :) It's *NON* operational if they drop the gear. :) pgp0.pgp Description: PGP signature
Re: Cross-country shipping of large network/computer gear?
On 27 Aug 2003, Robert E. Seastrom wrote: N. Richard Solis [EMAIL PROTECTED] writes: FedEx will be your best bet. Trust me. FedEx Heavy = pay a surcharge for heavy boxes, get it moved by a 120 pound delivery person with a handtruck rather than a pallet jack or other appropriate freight handling equipment... and dropped off the truck. My experience is a 40% damage rate when shipping Cisco 7507 and 7513 routers via FedEx Heavy. Here are some pictures from back when I was at AboveNet: http://www.seastrom.com/fedex/ You aren't alone: http://www.16paws.com/FedEx/ matto [EMAIL PROTECTED]darwin Flowers on the razor wire/I know you're here/We are few/And far between/I was thinking about her skin/Love is a many splintered thing/Don't be afraid now/Just walk on in. #include disclaim.h
RE: Tier-1 without their own backbone?
On Wed, 27 Aug 2003, Sean Crandall wrote:
> I have about 5 GB of IP transit connections from Level3 across 8 markets (plus using their facilities for our backbone). Level3 has been very solid on the IP transit side. MFN/AboveNet has also been very good to us.

Another happy Level3 customer. We have a similarly sized connection to MFN/AboveNet, which I won't recommend at this time due to some very questionable null routing they're doing (propagating routes to destinations, then bitbucketing traffic sent to them) which is causing complaints from some of our customers and forcing us to make routing adjustments as the customers notice MFN/AboveNet has broken our connectivity to these destinations. Or as they say, I encourage my competitors to buy from them.

-- Jon Lewis [EMAIL PROTECTED]| I route System Administrator| therefore you are Atlantic Net| _ http://www.lewis.org/~jlewis/pgp for PGP public key_
Re: Cross-country shipping of large network/computer gear?
http://colofinder.net/gallery/view_album.php?set_albumName=album18 Although this is a small item, I believe it wins the contest for Most thoroughly damaged shipment. :-) My experience is a 40% damage rate when shipping Cisco 7507 and 7513 routers via FedEx Heavy. Here are some pictures from back when I was at AboveNet: http://www.seastrom.com/fedex/ You aren't alone: http://www.16paws.com/FedEx/
Re: Cross-country shipping of large network/computer gear?
At 08:32 PM 8/27/2003, Eric Kuhnke wrote:
> http://colofinder.net/gallery/view_album.php?set_albumName=album18 Although this is a small item, I believe it wins the contest for Most thoroughly damaged shipment.

Oh dear! Yes, I do think you are the winner (so far).

just me [EMAIL PROTECTED] wrote:
> http://www.16paws.com/FedEx/

The first damaged shipment at this URL was not correctly packed. You can't expect styrofoam peanuts *alone* to properly cushion and center a router in a box, even when you wrap the router itself in bubble wrap. The peanuts will shift, your router will end up abutting the box at one point or another, especially if the box is dropped (even if it's only dropped a short distance, such as can happen when it's being loaded and dropped/slid into place on a stack of boxes). That's why it's important to use the packing cases that the router came in from the manufacturer (with the special styrofoam inserts) whenever possible, to properly center your router in the box. If you can't get the correct inserts, use inserts from some other shipment and cut them to fit. Create a ~3 inch layer below the router, add peanuts to fill in that layer between the makeshift inserts, set the router in the box, put more inserts next to the router (~3 inches on all sides) and fill the gaps with peanuts, put more inserts on top (~3 inches) and fill the gaps with peanuts. The inserts will hold the router in the *center* of the box and will prevent the peanuts from shifting enough to allow the inserts to shift and let the router move towards one of the box sides. And as you can see, the box itself should be large enough that you can put ~3+ inches of padding on all sides around the computer. That's why a 1u server typically comes in a box that's 8 to 10 inches thick. When you are shipping something heavy and fragile (in that it can be damaged if the box is dropped or if something is dropped on the box), you have a responsibility to properly pack the box to minimize damage.
Don't count on insurance or the shipper to reimburse you if the item is damaged due to inadequate packing. Wrapping an item in bubble wrap and then placing it in the middle of styrofoam peanuts may work for some items, but a critical and expensive piece of computer hardware NEEDS more protection. Ebay vendors who specialize in selling fragile items use a process called double boxing. You wrap the item in bubble wrap, put it in a box with at *least* 1 inch of space all around the bubble wrap, with styrofoam peanuts filling that 1 inch gap. Then you place this box in a larger box with another 1 inch of space all around. Put 1 inch of peanuts in the larger box, place the smaller box on this layer and fill all around and on top with more peanuts, filling them in tightly enough to help prevent the box from shifting. So if you are packing an item that's 6 inches across, the smaller box is at least 8 inches, the larger box is at least 10 inches. For something heavy like a router, you need more than 2 inches of padding. Just some food for thought the next time you pack something for shipment. jc
Fun new policy at AOL
Sometime mid last week, one of my clients (a state chapter of a national association) became unable to send to all of their AOL members. Assuming it was simply that AOL's servers were inundated with infected emails, I gave it some time. The errors were simply "delay" and "not delivered in time specified" errors. Well, it was still going on today. So, I went on site and upped the logging on the server. What to my surprise did appear but a nice little message informing us that "I'm sorry, your IP is dynamically assigned and AOL doesn't accept dynamic IPs."

WTF. This IP is NOT dynamic. The client has had it for about two years.

I just looked on their website to file a complaint and ask how they determined what was dynamic and what was static and couldn't find a contact email address. I did find the following statement:

> AOL's mail servers will not accept connections from systems that use dynamically assigned IP addresses.

It was on the following page: http://postmaster.info.aol.com/standards.html

So, since I know someone from AOL does lurk on this list, what's my recourse? Feel free to email me offlist. Thanks.

On a side note, my client is also curious who's going to help pay the bill that they shouldn't have needed to pay me due to AOL changing policy and blocking them needlessly. Unless AOL is downloading the entire routing pools from all ISPs on a daily basis, how do they know which IPs are dynamic and which are static ;) And, since static IPs can actually be assigned out of a DHCP pool as well, even that won't work.

-Susan

--
Susan Zeigler | Technical Services
[EMAIL PROTECTED] | Spindustry Systems
515.225.0920
Spindustry Systems, Inc. DES MOINES / CHICAGO / INDIANAPOLIS / DENVER
Re: Cross-country shipping of large network/computer gear?
Various war-story authors wrote:

> My experience is a 40% damage rate when shipping Cisco 7507 and 7513 routers via FedEx Heavy. Here are some pictures from back when I was at AboveNet: http://www.seastrom.com/fedex/

> You aren't alone: http://www.16paws.com/FedEx/

> Although this is a small item, I believe it wins the contest for "Most thoroughly damaged shipment." http://colofinder.net/gallery/view_album.php?set_albumName=album18

While I sadly no longer have the image, sometimes words paint a more vivid picture...

We had a 7505 which could have won, simultaneously, awards for:

  Most Blatant Disregard For Shipment Contents
  Least Excusable or Fathomable Damage Mode
  Failure To Note Packing Material Damage - Outstanding Achievement
  Shipper Rules Weaseling - Special Mention
  Vendor Sudden Observance Of Fine Print
  One *Tough* Box

We shipped the 7507 in its original packing material, including crimped straps, to a colo site. The site contact received it, signed for it, and discarded the packing material, all without noticing the damage.

What damage, you ask? UPS had driven a forklift tine through its side. As in, straight in, through packing material, and *pierced* the chassis, right in the center of the side, i.e. into the card cage.

Without the packing material, UPS wouldn't pay damages. Cisco wouldn't RMA the chassis. Not a pleasant situation at all.

However, the router only had a couple of cards, which were installed (luckily) next to the power supplies, and at the opposite end from the gaping 3/4 x 2.5 hole. The site tech suggested seeing if it would boot. Sure enough, it did. And ran fine. And to the best of my knowledge, is still in service. It's a good thing the airflow wasn't too badly disrupted by the hole.

It's the last time we used UPS...

--
Brian Dickson
Email: [EMAIL PROTECTED]
http://www.cineclix.com
Tel: +1 604 688 2339
RE: Measured Internet good v. bad traffic
On Wed, 27 Aug 2003, David Schwartz wrote:

> > I mean if the traffic were unrealistically to increase so that bad traffic was 50% of all traffic we would all have to double our circuit and router capacity and you either pass that cost on directly (charge for extra usage) or indirectly (increase the $ per Mb) to the user. I think you're right to say that if that's not acceptable to the user then usage based billing should be avoided for them but ultimately they will still incur the cost as you increase prices over time to foot the cost of increasing overheads.

> Analogically, imagine if Burger King kept getting shipments of buns that they didn't want but still had to pay for. Their customers would get pretty pissed if BK added an 'unwanted bun' charge to their bill (absent specific prior agreement). I pay for the food I order, not the food BK's suppliers ship to BK. Of course, it's reasonable for BK to raise their prices for the costs of having to deal with the unwanted food.

No, that wouldn't work; that would be an analogy to non-usage based, e.g. I buy a 10Mb port from you and you don't charge me extra for unwanted bandwidth across your network..

> I sympathize with the customer. There is no reason he should pay for traffic he did not request and does not want. If unwanted traffic raises your cost of providing the service for which you are paid (providing wanted traffic) then you should raise your rates.

That's the nature of the Internet, which is what you're buying.. you get a permanent supply of unwanted packets, attacks, spam, viruses etc. If you want to avoid it, don't connect to the Internet.

> In principle, one could certainly enter into an agreement where the customer agrees to bear the costs of unwanted traffic in exchange for a lower rate. But I certainly wouldn't assume the customer agreed to pay for traffic he doesn't want and didn't ask for unless the contract explicitly says so.

Most contracts define traffic as the averaged rate across the interface; they don't look into what that traffic is and whether anyone requested it. In this sense the comparisons between internet traffic and toll phone calls break down; it's also the basis for an argument on settlement free bilateral peering ;p

> And for those people entering into contracts, make sure the contract is clear about what happens with DoS attacks and where the billable traffic is measured. Otherwise you might be pretty surprised if you get a bill for 250Mbps of traffic when you contracted for a 45Mbps circuit.

Indeed, but most contracts are either 95th percentile or another kind of smoothed average.. if however it specifies, for example, that you are charged on the peak 5 minute average in the month you could be in trouble!

> For those dealing with contracts already in place, if your provider argues that you are responsible for all attack traffic no matter what, ask them if that means you could possibly get billed for 1Gbps of traffic even though you only bought a T1.

Presumably as the measurement is on the rate across the interface this couldn't happen..

Steve
RE: Measured Internet good v. bad traffic
> On Wed, 27 Aug 2003, David Schwartz wrote:
>
> > Analogically, imagine if Burger King kept getting shipments of buns that they didn't want but still had to pay for. Their customers would get pretty pissed if BK added an 'unwanted bun' charge to their bill (absent specific prior agreement). I pay for the food I order, not the food BK's suppliers ship to BK. Of course, it's reasonable for BK to raise their prices for the costs of having to deal with the unwanted food.
>
> No, that wouldn't work; that would be an analogy to non-usage based, e.g. I buy a 10Mb port from you and you don't charge me extra for unwanted bandwidth across your network..

The point is that 'usage' is supposed to be 'what you use', not what somebody else uses. 'My' traffic is the traffic I want, not the traffic you try to give me that I don't want.

> > I sympathize with the customer. There is no reason he should pay for traffic he did not request and does not want. If unwanted traffic raises your cost of providing the service for which you are paid (providing wanted traffic) then you should raise your rates.
>
> That's the nature of the Internet, which is what you're buying.. you get a permanent supply of unwanted packets, attacks, spam, viruses etc. If you want to avoid it, don't connect to the Internet.

I don't want to avoid it, I just don't want to be charged for what I do not want. If someone FedExed me a bomb postage due, there are many things FedEx might do, but to try to get me to pay the postage is not one of them. There are few things I can do to stop FedEx from delivering me a bomb and there are many things FedEx can do to stop them from delivering one to me. In general, the customer cannot fix the problem.

> > In principle, one could certainly enter into an agreement where the customer agrees to bear the costs of unwanted traffic in exchange for a lower rate. But I certainly wouldn't assume the customer agreed to pay for traffic he doesn't want and didn't ask for unless the contract explicitly says so.
>
> Most contracts define traffic as the averaged rate across the interface; they don't look into what that traffic is and whether anyone requested it. In this sense the comparisons between internet traffic and toll phone calls break down; it's also the basis for an argument on settlement free bilateral peering ;p

Suppose, for example, my provider's network management scheme pings my end of the link every once in a while to see if the link is up. Suppose further this ping made a dent in my bill, so the provider decides to ping more often, say five times a second with large packets, to be *sure* the link is reliable. Do you seriously think it's reasonable for me to pay for this traffic?

> > And for those people entering into contracts, make sure the contract is clear about what happens with DoS attacks and where the billable traffic is measured. Otherwise you might be pretty surprised if you get a bill for 250Mbps of traffic when you contracted for a 45Mbps circuit.
>
> Indeed, but most contracts are either 95th percentile or another kind of smoothed average.. if however it specifies, for example, that you are charged on the peak 5 minute average in the month you could be in trouble!

There is no limit to how long a DoS attack can last. And your provider has no incentive to trace/filter if he gets a major profit if he can just make that attack last a few more hours. Even with 95th percentile billing, seven hours of 100Mbps can push your 95% from 5Mbps up to 12Mbps very easily. Heck, stalling from 6PM when the attack starts until 10AM the next morning could make them a bundle.

> > For those dealing with contracts already in place, if your provider argues that you are responsible for all attack traffic no matter what, ask them if that means you could possibly get billed for 1Gbps of traffic even though you only bought a T1.
>
> Presumably as the measurement is on the rate across the interface this couldn't happen..

If the contract isn't explicit, it costs the provider just as much to drop the traffic at the interface as it does to send it over the interface. So the 'we have to pay for it' argument is not limited to the interface rate.

By definition, anything two parties agree to with full knowledge is fair to both of them. How DoS attacks are handled should be part of the negotiation of any ISP/customer agreement. However, for many of the contracts I've seen the contract was silent and ambiguous.

For a 95th percentile agreement, it's reasonable for the customer to take responsibility for DoS traffic until he makes a request to the provider's NOC. It's also reasonable for the provider to charge a fixed 'incident fee' for each attack that requires NOC and network resources. It is not reasonable for the incentive structure to reward the NOC for doing nothing and penalize them for any attempt to help.
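A worked model of the 95th-percentile arithmetic being argued over in this thread, added here as an example rather than anything either poster wrote. The traffic figures are constructed; the model assumes 5-minute samples and the usual "discard the top 5% of samples, bill the next one" rule, and shows how much attack time that rule absorbs per month and where the billable sample lands once an attack pushes the cutoff deeper into the customer's own traffic tail.

```python
"""Model of 95th-percentile ("95/5") transit billing under a DoS burst.

Added example for the billing thread; not code from any poster. Traffic
figures are constructed. Assumes 5-minute sampling and the common "drop
the top 5% of samples, bill the next one" convention; a real contract may
define the method differently, which is the thread's point.
"""
import math

SAMPLE_MINUTES = 5
SAMPLES_PER_HOUR = 60 // SAMPLE_MINUTES        # 12
SAMPLES_PER_DAY = 24 * SAMPLES_PER_HOUR        # 288


def p95(samples_mbps):
    """Billable rate: discard the top 5% of samples, return the next one."""
    if not samples_mbps:
        raise ValueError("no samples")
    ordered = sorted(samples_mbps, reverse=True)
    drop = len(ordered) * 5 // 100             # samples the provider ignores
    return ordered[drop]


def free_burst_hours(n_samples):
    """Hours per billing period that can sit at any rate and never be billed."""
    return (n_samples * 5 // 100) / SAMPLES_PER_HOUR


def baseline_month(days=30, night_mbps=2.0, day_mbps=8.0):
    """Constructed diurnal baseline: quiet at night, busier 08:00-18:00, with
    a small deterministic ripple so the sorted distribution has no plateaus."""
    samples = []
    for i in range(days * SAMPLES_PER_DAY):
        hour = (i % SAMPLES_PER_DAY) / SAMPLES_PER_HOUR
        base = day_mbps if 8 <= hour < 18 else night_mbps
        ripple = 0.5 * math.sin(i / 7.0)       # +/- 0.5 Mbps
        samples.append(base + ripple)
    return samples


def with_attack(samples, start_hour, duration_hours, attack_mbps=100.0):
    """Overlay DoS traffic: the attack adds to whatever the customer was
    already receiving during the window (start_hour counts from day 0)."""
    out = list(samples)
    first = int(start_hour * SAMPLES_PER_HOUR)
    last = min(len(out), first + int(duration_hours * SAMPLES_PER_HOUR))
    for i in range(first, last):
        out[i] += attack_mbps
    return out


def bill_comparison(duration_hours, start_hour=18.0):
    """(billable rate before, billable rate after) an attack of the given
    length starting at 6PM on day 0, as in the post's stalling scenario."""
    base = baseline_month()
    hit = with_attack(base, start_hour, duration_hours)
    return p95(base), p95(hit)


if __name__ == "__main__":
    n = 30 * SAMPLES_PER_DAY
    print(f"{n} samples/month, top {n * 5 // 100} ignored = {free_burst_hours(n)} h")
    for hours in (7, 16, 36, 40):
        before, after = bill_comparison(hours)
        print(f"{hours:>3} h at 100 Mbps: p95 {before:.2f} -> {after:.2f} Mbps")
```

An attack shorter than the free window moves the billable sample only as far as the customer's own traffic distribution allows; once the attack outlasts the window, the bill is the attack rate.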
Re: relays.osirusoft.com
On Wed, 27 Aug 2003, Iljitsch van Beijnum wrote:

> I wouldn't recommend this. If you have two DNS servers on different addresses, everyone can talk to #2 if #1 doesn't answer.

I noticed that many Windoze mail servers don't bother to check the second server if the primary's dead.

--vadim
Re: Fun new policy at AOL
At 02:34 AM 8/28/2003 -0500, Susan Zeigler wrote:

> WTF. This IP is NOT dynamic. The client has had it for about two years.

What is the IP address they are rejecting?

> Unless AOL is downloading the entire routing pools from all ISPs on a daily basis, how do they know which IPs are dynamic and which are static ;)

What would BGP tables tell you about internal routing and DNS?

---Mike

Mike Tancsa, tel +1 519 651 3400
Sentex Communications, [EMAIL PROTECTED]
Providing Internet since 1994, www.sentex.net
Cambridge, Ontario Canada, www.sentex.net/mike
RE: Measured Internet good v. bad traffic
On Thu, 28 Aug 2003, David Schwartz wrote:

> The point is that 'usage' is supposed to be 'what you use', not what somebody else uses. 'My' traffic is the traffic I want, not the traffic you try to give me that I don't want.

Okay, but in Internet terms the receiver usually pays for the traffic without necessarily initiating it; this is different from the everyday experience of FedEx-ing a parcel or making a telephone call, in which it is the sender who picks up the charge. This isn't really a question, it's more a statement of fact..

> I don't want to avoid it, I just don't want to be charged for what I do not want.

Which is a natural enough reaction, but you don't necessarily get what you want :) I can't see any ISP negotiating a transit contract which takes account of unwanted traffic; apart from the fact that there is a real cost which has to be borne somewhere (I previously suggested if they didn't charge you the Mbs they would just increase the $$$s to compensate), it's just too complicated from a billing point of view to work this out.

> Suppose, for example, my provider's network management scheme pings my end of the link every once in a while to see if the link is up. Suppose further this ping made a dent in my bill, so the provider decides to ping more often, say five times a second with large packets, to be *sure* the link is reliable. Do you seriously think it's reasonable for me to pay for this traffic?

That would be deliberate on the provider's part and I'm sure some lawyer would be able to put up a case for fraud.. that's not what we're talking about though. If it was required legitimately that would be different, but in which case you could make appropriate direct or indirect deductions to your costs.

> There is no limit to how long a DoS attack can last. And your provider has no incentive to trace/filter if he gets a major profit if he can just make that attack last a few more hours.

Indeed, and I'd be annoyed if my provider deliberately allowed this to happen; I'd probably shut down my connection to them and find some relevant contractual clause before demanding credit or legal action. I can't imagine they'd last too long doing this to everyone! That said, however, my own experience of big providers (no names, but one whose name has been praised quite a lot recently on this list) is that their abuse team were completely useless.

> By definition, anything two parties agree to with full knowledge is fair to both of them. How DoS attacks are handled should be part of the negotiation of any ISP/customer agreement. However, for many of the contracts I've seen the contract was silent and ambiguous.

True, but this is the nightmare legal world we're in; DoS attacks have tended not to disrupt billing and we assume we won't be charged, but you're right, these days you have to explicitly mitigate for all possibilities..

> For a 95th percentile agreement, it's reasonable for the customer to take responsibility for DoS traffic until he makes a request to the provider's NOC. It's also reasonable for the provider to charge a fixed 'incident fee' for each attack that requires NOC and network resources. It is not reasonable for the incentive structure to reward the NOC for doing nothing and penalize them for any attempt to help.

Sounds like the start for a whole new discussion topic.. :)

Steve
Re: Fun new policy at AOL
> I just looked on their website to file a complaint and ask how they determined what was dynamic and what was static and couldn't find a contact email address. I did find the following statement:
>
> > AOL's mail servers will not accept connections from systems that use dynamically assigned IP addresses.
>
> It was on the following page: http://postmaster.info.aol.com/standards.html

Whoa.. that's crazy. Obviously it's an effort to stop relay forwarding from cable modem and DSL customers, but there are *lots* of legitimate SMTP servers sitting on customer sites on dynamic addresses. I've numerous customers I can think of straight away who use setups such as MS Exchange on dynamic addresses, where they poll POP3 boxes and send their own SMTP!
Re: Fun new policy at AOL
On Thu, 28 Aug 2003 10:10 (UTC) Stephen J. Wilcox [EMAIL PROTECTED] wrote:

| Whoa.. thats crazy. Obviously its an effort to stop relay forwarding
| from cable modem and DSL customers but there are *lots* of legitimate
| smtp servers sitting on customer sites on dynamic addresses.

And at one time it was considered helpful for mail servers to relay anything that was presented to them. We don't think that way now, as a DIRECT result of the way in which that arrangement has been abused.

So with legitimate smtp servers sitting on customer sites on dynamic addresses: the flexibility and convenience of such arrangements became subsidiary to the abuse and security issues they facilitated.

Now if the abuse and security teams of the large providers would move *quickly* to isolate compromised machines and deal with other security related issues when they arise, the flexibility and convenience would probably win out in the end. But as things stand it isn't going to.

We can thank the usual suspects - Cogent, Qwest, ATT, Comcast - and in Europe: BT, NTL and possibly the world-abuse-leader, Deutsche Telekom (who run dtag.de and t-dialin.net) for this being the situation. They may think it's better for their bottom line to de-resource their security and abuse departments, and better for their customers to let them stay online while issues are resolved, but they remain oblivious to the harm this policy is doing to the internet community as a whole.

| I've numerous customers I can think of straight away who use setups
| such a MS Exchange on dynamic addresses where they poll POP3 boxes
| and send their own SMTP!

The fact that it is impossible to readily distinguish between their IPs and those of compromised boxes running Jeem etc. will mean that those sites are already likely to be experiencing significant mail rejection - and that will get worse, not better.

Unless there is a turn-around soon in the attitude of backbones and other providers, I can see a "registered SMTP senders only" policy being put in place by the majority of sites by the end of 2004. Or possibly sooner.

AOL's mail handling policy may be disappointing - but those of us who have been hit by their other disappointing mail policy (of accepting all undeliverable mail and then bouncing it to the (forged) sender) may see this as actually improving the situation, because it visibly reduces the quantity of forged bounces *we* see originating from AOL!

--
Richard Cox
%% HELO - the first word of every Email transaction - is in Welsh! %%
Re: Fun new policy at AOL
Funny, I didn't think this was 'aol-mail-policy-list'.

This isn't new, crazy, nor out of step with generally accepted practices. They [and many others] have been doing it for a while. A dynamic block is generally listed as such in a service provider's reverse DNS and also often in a voluntary listing such as the DUL. AOL's specific definition is point 12 on their postmaster FAQ (http://postmaster.info.aol.com/faq.html). If a service provider is providing business/static addressing and not making it clear, that's a customer-provider issue.

> Whoa.. thats crazy. Obviously its an effort to stop relay forwarding from cable modem and DSL customers but there are *lots* of legitimate smtp servers sitting on customer sites on dynamic addresses.

I suspect your definition of "legitimate" is different than the service providers' on whose network these machines are sitting. Use the submit protocol for client/end stations. SMTP is for inter-server traffic; if you have a server on a residential connection, check your service agreement. If you have a business service being incorrectly tagged as residential, then you have a legitimate beef, with your provider. Not AOL and not NANOG.

> I've numerous customers I can think of straight away who use setups such a MS Exchange on dynamic addresses where they poll POP3 boxes and send their own SMTP!

POP XMIT; SUBMIT [even MS products support it]. Use TLS if you care that your customers are sharing their passwords in the clear.

Anyway, [EMAIL PROTECTED] might be more interested in your concerns. Then again, they set the rules for their network, so they might not.

Cheers, Joe

--
RSUC / GweepNet / Spunk / FnB / Usenix / SAGE
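The receiving-side check Joe describes (reverse DNS naming plus a DUL-style listing), written out as an added example; it is not AOL's code or policy. The netblock, the name fragments and the "static" override are assumptions, and the constructed cases include the business-static host the thread worries about.

```python
"""Is the connecting SMTP client on an address its provider marks as dynamic?

Added example, not AOL's implementation. The DUL-style netblock (RFC 5737
documentation space) and the naming heuristics are assumptions; real
listings and provider naming schemes vary, which is where the false
positives discussed in the thread come from.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed DUL-style listing: ranges a provider has published as dynamic.
DUL_BLOCKS = [ip_network("198.51.100.0/24")]

# Fragments commonly seen in PTR names of dynamic pools, and fragments that
# signal a deliberately static or mail-serving host. Assumed lists.
DYNAMIC_TOKENS = ("dyn", "dhcp", "pool", "dialup", "dial", "ppp", "adsl", "cable")
STATIC_TOKENS = ("static", "biz", "business", "mail", "smtp", "mx")

# Generic PTRs usually embed the address, e.g. 203-0-113-5.isp.example or
# 5.113.0.203.cust.example (reversed): capture four numeric labels.
_ADDR_IN_NAME = re.compile(
    r"(?<!\d)(\d{1,3})[-.](\d{1,3})[-.](\d{1,3})[-.](\d{1,3})(?!\d)")


def embeds_own_address(ip, name):
    """True if the PTR name spells out the client's own IPv4 address,
    in forward or reversed octet order."""
    octets = tuple(ip_address(ip).packed)
    for m in _ADDR_IN_NAME.finditer(name):
        found = tuple(int(g) for g in m.groups())
        if found == octets or found == octets[::-1]:
            return True
    return False


def classify(ip, ptr):
    """Return (is_dynamic, reason) for a connecting client; ptr may be None.

    Order matters: a published DUL listing wins, then an explicit static
    marker in the name, then the generic-pool heuristics."""
    addr = ip_address(ip)
    for block in DUL_BLOCKS:
        if addr in block:
            return True, f"listed in DUL block {block}"
    if ptr is None:
        return True, "no reverse DNS"
    name = ptr.lower().rstrip(".")
    host = name.split(".")[0]
    if any(tok in host for tok in STATIC_TOKENS):
        return False, f"static marker in {name}"
    if any(tok in host for tok in DYNAMIC_TOKENS):
        return True, f"dynamic-pool marker in {name}"
    if embeds_own_address(ip, name):
        return True, f"generic PTR {name} embeds the address"
    return False, f"no dynamic indicators for {name}"


def smtp_policy(ip, ptr):
    """The MTA's connect-time answer for this client."""
    dynamic, reason = classify(ip, ptr)
    if dynamic:
        return f"550 dynamic/residential address rejected ({reason})"
    return f"220 accepted ({reason})"


if __name__ == "__main__":
    # Constructed clients: a DUL-listed pool host, a real MX, a generic
    # reversed-octet PTR, a business-static host, and one with no PTR.
    for ip, ptr in [("198.51.100.7", "pool-198-51-100-7.isp.example"),
                    ("203.0.113.5", "mail.example.org"),
                    ("203.0.113.5", "5-113-0-203.cust.example"),
                    ("203.0.113.5", "static-203-0-113-5.isp.example"),
                    ("203.0.113.9", None)]:
        print(f"{ip:<14} {ptr!s:<34} {smtp_policy(ip, ptr)}")
```

A provider that tags a business-static range with generic pool names gets its customers rejected by every check of this shape, which is the complaint at the top of the thread.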
Re: Fun new policy at AOL
On Thu, 28 Aug 2003, Stephen J. Wilcox wrote:

> > I just looked on their website to file a complaint and ask how they determined what was dynamic and what was static and couldn't find a contact email address. I did find the following statement: AOL's mail servers will not accept connections from systems that use dynamically assigned IP addresses. It was on the following page: http://postmaster.info.aol.com/standards.html
>
> Whoa.. thats crazy. Obviously its an effort to stop relay forwarding from cable modem and DSL customers but there are *lots* of legitimate smtp servers sitting on customer sites on dynamic addresses. I've numerous customers I can think of straight away who use setups such a MS Exchange on dynamic addresses where they poll POP3 boxes and send their own SMTP!

...and I can think of a lot of servers that will BL those customers. DUL blacklists are very commonly used. However legitimate these MS Exchange servers are, they'd better get a static IP if they want to avoid problems with many recipients. My guess is that since many of the BLs are being DDoS'd, perhaps AOL came up with their own, possibly out of date, DUL-type BL...

James Smallacombe
PlantageNet, Inc. CEO and Janitor
[EMAIL PROTECTED]
http://3.am
GLBX ICMP rate limiting (was RE: Tier-1 without their own backbone?)
On Wed, 27 Aug 2003, [EMAIL PROTECTED] wrote:

> We have a similarly sized connection to MFN/AboveNet, which I won't recommend at this time due to some very questionable null routing they're doing (propagating routes to destinations, then bitbucketing traffic sent to them) which is causing complaints from some of our customers and forcing us to make routing adjustments as the customers notice MFN/AboveNet has broken our connectivity to these destinations.

We've noticed that one of our upstreams (Global Crossing) introduced ICMP rate limiting 4/5 days ago. This means that any traceroutes/pings through them look awful (up to 60% apparent packet loss). After contacting their NOC, they said that the directive to install the ICMP rate limiting was from the Homeland Security folks and that they would not remove them or change the rate at which they limit in the foreseeable future.

What are other transit providers doing about this or is it just GLBX?

Cheers, Rich
Re: GLBX ICMP rate limiting (was RE: Tier-1 without their own backbone?)
On Thu, Aug 28, 2003 at 01:23:40PM +0100, [EMAIL PROTECTED] wrote:

> On Wed, 27 Aug 2003, [EMAIL PROTECTED] wrote:
>
> > We have a similarly sized connection to MFN/AboveNet, which I won't recommend at this time due to some very questionable null routing they're doing (propagating routes to destinations, then bitbucketing traffic sent to them) which is causing complaints from some of our customers and forcing us to make routing adjustments as the customers notice MFN/AboveNet has broken our connectivity to these destinations.
>
> We've noticed that one of our upstreams (Global Crossing) introduced ICMP rate limiting 4/5 days ago. This means that any traceroutes/pings through them look awful (up to 60% apparent packet loss). After contacting their NOC, they said that the directive to install the ICMP rate limiting was from the Homeland Security folks and that they would not remove them or change the rate at which they limit in the foreseeable future.

I guess this depends on the type of interconnect you have with them. If you're speaking across a public-IX or private (or even paid) peering link, this doesn't seem unreasonable: that they would limit traffic to a particular percentage across that circuit. I think the key is to determine what is 'normal' and what obviously constitutes an out of the ordinary amount of ICMP traffic.

If you're a customer, there's not really a good reason to rate-limit your ICMP traffic. Customers tend to notice and gripe. They expect a bit of loss when transiting a peering circuit or public fabric, and if the loss is only of ICMP they tend to not care.

This is why when I receive escalated tickets I check using non-ICMP based tools as well as using ICMP based tools.

> What are other transit providers doing about this or is it just GLBX?

Here's one of many I've posted in the past; note it's also related to securing machines.

http://www.ultraviolet.org/mail-archives/nanog.2002/0168.html

I recommend everyone do such ICMP rate-limits on their peering circuits and public exchange fabrics, to what is a 'normal' traffic flow on your network.

The above message from the archives is from Jan 2002; if these were a problem then and still are now, perhaps people should either 1) accept that this is part of normal internet operations, or 2) decide that this is enough and it's time to seriously do something about these things.

- Jared

--
Jared Mauch | pgp key available via finger from [EMAIL PROTECTED]
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
RE: GLBX ICMP rate limiting (was RE: Tier-1 without their own backbone?)
Not that Yipes is necessarily a transit provider by any means, but they have done the same thing within the cores of their network. I was troubleshooting an issue yesterday that was pointing to them for 15-20% packet loss, and I called them and they stated that they started rate limiting ICMP last weekend, but that it was only on a temporary basis.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 28, 2003 8:24 AM
To: [EMAIL PROTECTED]
Subject: GLBX ICMP rate limiting (was RE: Tier-1 without their own backbone?)
Re: Lazy Engineers and Viable Excuses
--On Tuesday, August 26, 2003 9:35 AM -0400 Leo Bicknell [EMAIL PROTECTED] wrote:

Almost everyone filters customers. The large ISP's all have the same opinion, if small to medium sized players abuse the system

I wish this was true but it is not!!! In particular I call your attention to Qwest. Their customer in LA with AS29809 was announcing ip block 138.252.0.0/16, which is hijacked ip block, see details at http://www.completewhois.com/hijacked/files/138.252.0.0.txt

It took us a little time to find out who to report it to because amount of abuse was small and all traceroutes were faked, here is part of it as it was several days ago:

 8 204.255.169.138 (204.255.169.138) 33.299 ms 28.885 ms 30.188 ms
 9 bur-core-01.inet.qwest.net (205.171.13.9) 35.992 ms 28.280 ms
10 bux-edge-01.inet.qwest.net (205.171.13.174) 32.468 ms 30.766 ms
11 tbr1-p012201.la2ca.ip.att.net (12.123.28.130) 40.104 ms -- Faked here
12 gbr4-p20.sffca.ip.att.net (12.122.2.69) 51.680 ms 52.195 ms 50.259
13 gbr6-p70.sffca.ip.att.net (12.122.5.153) 62.751 ms 61.256 ms
14 ar2-p3110.sfcca.ip.att.net (12.123.195.81) 71.827 ms 71.376 ms
15 12.119.200.38 (12.119.200.38) 83.024 ms 82.612 ms 82.004 ms
16 203.148.164.170 (203.148.164.170) 89.747 ms 92.942 ms 87.614 ms
17 203.148.164.228 (203.148.164.228) 103.087 ms 99.536 ms 99.910 ms
18 svoa-bkk.a-net.net.th (203.148.200.145) 1104.594 ms 1098.491 ms
19 138.252.0.1 (138.252.0.1) 33.634 ms 33.220 ms 32.514 ms

And that is when sh ip bgp was showing:

8001 7911 209 29809
6395 1239 209 29809
5650 1239 209 29809

From above everything starting with 11 was faked and once this was realized Qwest security was notified and they even said the ip block will be filtered and indeed it was for 1 day!!! But apparently they just started advertising smaller 138.252.0.0/21 ip block from exactly same Qwest POP in Burbank, CA but with new faked traceroute:

traceroute to 138.252.0.10 (138.252.0.10), 30 hops max, 38 byte packets
...
 5 qwest.sjc03.atlas.psi.net (154.54.10.154) 1.988 ms 1.264 ms 1.243 ms
 6 svl-core-01.inet.qwest.net (20r.171.214.41) 2.526 ms 2.229 ms 2.383 ms
 7 sbur-core-02.inet.qwest.net (205.171.5.217) 9.491 ms 9.519 ms 9.494 ms
 8 bux-edge-01.inet.qwest.net (205.171.13.178) 9.514 ms 9.860 ms 9.467 ms
 9 * * *
10 obl-rou-1003.NL.eurorings.net (134.222.229.238) 22.436 ms 18.489 ms
11 ffm-s1-rou-1002.DE.eurorings.net (134.222.230.30) 40.087 ms 47.130
12 ksrh-s1-rou-1071.DE.eurorings.net (134.222.227.86) 39.634 ms 38.361
13 ksrh-s1-rou-1072.DE.eurorings.net (134.222.227.74) 40.083 ms 42.067
14 r1-ka.strato.cust.eurorings.net (134.222.102.18) 39.853 ms 39.022 ms
15 81.169.144.22 (81.169.144.22) 39.770 ms 43.874 ms 39.956 ms
16 81.169.144.38 (81.169.144.38) 60.088 ms 59.179 ms 60.091 ms
17 lb1.webmailer.de (192.67.198.246) 70.123 ms 76.9934ms 69.991 ms

router#sh ip bgp 138.252.0.1
BGP routing table entry for 138.252.0.0/21, version 10503636
Paths: (2 available, best #1, not advertised outside local AS)
  16631 174 209 29809
    216.151.223.17 (metric 65) from 216.151.223.17
      Origin IGP, metric 100, localpref 100, weight 500, valid, internal, best
      Community: 16631:1000 local-AS
  6347 701 209 29809
    209.144.160.89 from 209.144.160.89 (209.83.159.23)
      Origin IGP, localpref 100, weight 10, valid, external
      Community: 6347:1023 6347:5000 6347:5001 local-AS

I'm pretty sure Qwest is doing something wrong by allowing such an open BGP announcements from their customers without checking what they would be announcing. Instead of putting filters as allow all and then adding filtering only 138.252.0.0/16 when they were contacted, they instead should have filtered all announcement except for specific ones customer asked and was authorized. And I do hope there is somebody from Qwest here who can deal with this issue and educate on proper filtering whoever is responsible for their bgp router in Burbank.

Also as for this particular case, I'll strongly advise to just filter AS29809 entirely, I have serious doubts about whoever controls this asn and have done the research on it (see above referenced file) and it appears the addresses at ARIN are all wrong (I have some doubts about Trimeda being located on the grounds of Mormon Temple for example...) and has been recently changed from completely different set of addresses and besides it would have been enough that AS29809 only advertises this particular hijacked ip block (and nothing else!) and they on purpose fake traceroute to their AS to move blame away from themselves.

Just a shame that not everyone filters their customers.

And although it has been a while, I know I've seen a route-leak from 6461 at AMS-IX. (Probably last year sometime)

Indeed it really is a shame, especially when it's large players like Qwest who do not filter their customers, how can you expect it from smaller European
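The filtering point made above (reject everything except what the customer is authorized to announce, rather than allow everything and deny one prefix after a complaint) as an added Python example; this is not code from the posting or from Qwest. AS 29809 and the 138.252.0.0/16 and /21 announcements come from the thread; the customer's "authorized" prefixes (RFC 5737 documentation ranges), the maximum accepted prefix length and the origin-AS check are assumptions constructed for the example, so it goes slightly beyond the thread in also rejecting over-specific and wrongly-originated routes.

```python
"""Customer BGP ingress policy: allow-everything-then-deny vs. explicit allow-list.

Added example (not code from the posting or from Qwest). AS 29809 and the
138.252.0.0/16 and /21 announcements come from the thread; the customer's
"authorized" prefixes (RFC 5737 documentation ranges), the maximum accepted
prefix length and the origin-AS check are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass(frozen=True)
class Announcement:
    prefix: str                # announced prefix, e.g. "138.252.0.0/21"
    as_path: Tuple[int, ...]   # AS_PATH as received from the customer; last element is the origin


@dataclass
class Customer:
    asn: int
    # (prefix, longest accepted length) pairs the customer is authorized to announce
    authorized: List[Tuple[str, int]] = field(default_factory=list)


def denylist_policy(ann: Announcement, denied_exact: List[str]) -> bool:
    """Allow everything except prefixes that exactly match a deny entry.

    This is the "allow all, then add 138.252.0.0/16 after a complaint" approach
    the posting criticises: a more-specific /21 is not on the list, so it passes.
    """
    return ann.prefix not in set(denied_exact)


def allowlist_policy(ann: Announcement, customer: Customer) -> bool:
    """Accept only routes originated by the customer's AS that fall inside one of
    its authorized prefixes and are no longer than the agreed maximum length."""
    net = ipaddress.ip_network(ann.prefix, strict=True)
    if not ann.as_path or ann.as_path[-1] != customer.asn:
        return False
    for auth_prefix, max_len in customer.authorized:
        auth = ipaddress.ip_network(auth_prefix, strict=True)
        if net.version == auth.version and net.subnet_of(auth) and net.prefixlen <= max_len:
            return True
    return False


def accepted_prefixes(announcements, policy) -> List[str]:
    """Prefixes that a policy would install and propagate."""
    return [a.prefix for a in announcements if policy(a)]


# Constructed sample session: what the customer-facing router might see.
CUSTOMER = Customer(asn=29809, authorized=[("192.0.2.0/24", 24), ("198.51.100.0/24", 24)])
SAMPLE = [
    Announcement("138.252.0.0/16", (29809,)),          # hijacked block from the thread
    Announcement("138.252.0.0/21", (29809,)),          # more-specific re-announcement from the thread
    Announcement("192.0.2.0/24", (29809,)),            # authorized
    Announcement("198.51.100.0/25", (29809,)),         # inside an authorized block but too specific
    Announcement("198.51.100.0/24", (29809, 64496)),   # authorized block, but originated by a downstream (assumed AS 64496)
]


def compare_policies():
    """Run both policies over SAMPLE and return what each would accept."""
    deny = accepted_prefixes(SAMPLE, lambda a: denylist_policy(a, ["138.252.0.0/16"]))
    allow = accepted_prefixes(SAMPLE, lambda a: allowlist_policy(a, CUSTOMER))
    return {"denylist": deny, "allowlist": allow}


if __name__ == "__main__":
    for name, prefixes in compare_policies().items():
        print(f"{name:9s} accepts: {prefixes}")
```

The deny-list run accepts the /21 exactly as happened in the thread, because the deny entry matches only the /16; the allow-list run accepts nothing but the registered /24, which is the behaviour the poster asks Qwest for. On a real router the same thing is expressed as a per-customer prefix-list with explicit length limits applied inbound on the session, plus an origin-AS check.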
Re: GLBX ICMP rate limiting (was RE: Tier-1 without their ownbackbone?)
NAC is not a global intercontinental super-duper backbone, but we do the same. It takes some education to the customers, but after they understand why, most are receptive. Especially when they get DOS'ed. On Thu, 28 Aug 2003 [EMAIL PROTECTED] wrote: On Wed, 27 Aug 2003, [EMAIL PROTECTED] wrote: We have a similarly sized connection to MFN/AboveNet, which I won't recommend at this time due to some very questionable null routing they're doing (propagating routes to destinations, then bitbucketing traffic sent to them) which is causing complaints from some of our customers and forcing us to make routing adjustments as the customers notice MFN/AboveNet has broken our connectivity to these destinations. We've noticed that one of our upstreams (Global Crossing) has introduced ICMP rate limiting 4/5 days ago. This means that any traceroutes/pings through them look awful (up to 60% apparent packet loss). After contacting their NOC, they said that the directive to install the ICMP rate limiting was from the Homeland Security folks and that they would not remove them or change the rate at which they limit in the foreseeable future. What are other transit providers doing about this or is it just GLBX? Cheers, Rich
Fw: GLBX ICMP rate limiting (was RE: Tier-1 without their own backbone?)
Of the DDOS attacks I have had to deal with in the past year I have seen none which were icmp based. As attacks evolve and transform are we really to believe that rate limiting icmp will have some value in the attacks of tomorrow? -Gordon On Wed, 27 Aug 2003, [EMAIL PROTECTED] wrote: We have a similarly sized connection to MFN/AboveNet, which I won't recommend at this time due to some very questionable null routing they're doing (propagating routes to destinations, then bitbucketing traffic sent to them) which is causing complaints from some of our customers and forcing us to make routing adjustments as the customers notice MFN/AboveNet has broken our connectivity to these destinations. We've noticed that one of our upstreams (Global Crossing) has introduced ICMP rate limiting 4/5 days ago. This means that any traceroutes/pings through them look awful (up to 60% apparent packet loss). After contacting their NOC, they said that the directive to install the ICMP rate limiting was from the Homeland Security folks and that they would not remove them or change the rate at which they limit in the foreseeable future. What are other transit providers doing about this or is it just GLBX? Cheers, Rich
Re: Max TNT ping thing
On Wednesday, August 27, 2003, at 11:10 PM, Edward Murphy wrote:

Is anyone having this problem on a unit with the mad-2 cards?

We are not experiencing the reboots/lock ups on our APX 8000. We are using the Ethernet card with the dongle. E-100-V I think. We are using the Channelized DS-3 card. We are using 96 port madd2 modem cards (5 modem cards, 480 modems). Our APX is not even close to 25% capacity.

admin show
Controller { left-controller } ( PRIMARY ):
                         Reqd  Oper  Slot Type
{ right-controller }     UP    UP    ( SECONDARY )
{ shelf-1 slot-34 0 }    UP    UP    madd2-card
{ shelf-1 slot-35 0 }    UP    UP    madd2-card
{ shelf-1 slot-36 0 }    UP    UP    madd2-card
{ shelf-1 slot-37 0 }    UP    UP    madd2-card
{ shelf-1 slot-38 0 }    UP    UP    madd2-card
{ shelf-1 slot-39 0 }    UP    UP    t3-card
{ shelf-1 slot-40 0 }    UP    UP    ether3-card

admin list
[in SLOT-INFO/{ shelf-1 slot-39 0 }]
slot-address* = { shelf-1 slot-39 0 }
serial-number = 1038406179
software-version = 10.0
software-revision = 2
software-level =
hardware-level = K
software-release =

admin read slot-info {1 40 }
SLOT-INFO/{ shelf-1 slot-40 0 } read
admin list
[in SLOT-INFO/{ shelf-1 slot-40 0 }]
slot-address* = { shelf-1 slot-40 0 }
serial-number = 10516825
software-version = 10.0
software-revision = 2
software-level =
hardware-level = C
software-release =

admin ls
Flash card 1:
/:
current/0 Fri Sep 29 11:36:36 2000
/current:
tntt3.ffs 416034 Mon Dec 16 19:47:20 2002 Version 10.0.2
tntmadd.ffs 1726366 Mon Dec 16 19:51:10 2002 Version 10.0.2
tntenet3.ffs 446882 Mon Dec 16 19:48:22 2002 Version 10.0.2
apxsr.ffs 3031819 Mon Dec 16 19:46:34 2002 Version 10.0.2
Re: Fun new policy at AOL
In article [EMAIL PROTECTED], Joe Provo nanog- [EMAIL PROTECTED] writes AOL's specific definition is point 12 on their postmaster FAQ (http://postmaster.info.aol.com/faq.html). That's their definition of Residential IP, not Dynamic IP. if you have a server on a residential connection, check your service agreement. My own ISP has DSL products called Home Based Business (and provide static IP addressing). Residential and Business are not mutually exclusive. -- Roland Perry
Re: Fun new policy at AOL
In article [EMAIL PROTECTED], Richard Cox [EMAIL PROTECTED] writes We can thank the usual suspects - Cogent, Qwest, ATT, Comcast - and in Europe: BT, NTL and possibly the world-abuse-leader, Deutsche Telekom (who run dtag.de and t-dialin.net) for this being the situation. Here's another tale of undeliverable email. It seems that [at least] one of those organisations you mention assigns IP addresses for its ADSL customers from the same blocks as dial-up. Which means that organisations using MAPS-DUL reject email from teleworkers (or indeed people running businesses with an ADSL connection) who run their own SMTP servers. -- Roland Perry
Re: Fun new policy at AOL
In article [EMAIL PROTECTED], Richard Cox [EMAIL PROTECTED] writes

We can thank the usual suspects - Cogent, Qwest, ATT, Comcast - and in Europe: BT, NTL and possibly the world-abuse-leader, Deutsche Telekom (who run dtag.de and t-dialin.net) for this being the situation.

Here's another tale of undeliverable email. It seems that [at least] one of those organisations you mention assigns IP addresses for its ADSL customers from the same blocks as dial-up. Which means that organisations using MAPS-DUL reject email from teleworkers (or indeed people running businesses with an ADSL connection) who run their own SMTP servers. -- Roland Perry

Shouldn't customers that purchase IP services from an ISP use the ISPs mail server as a smart host for outbound mail?

We block outbound port 25 connections on our dialup and DSL pool. We ask our customers that have their own mail servers to configure them to forward through our mail servers. We get SPAM/abuse notifications that way and can kick the customer off the network. We also block inbound port 25 connections unless they are coming from our mail server and require the customer setup their MX record to forward through our mail server. We virus scan all mail coming and going that way. We protect our customers from the network and our network from our customers.

We are currently blocking over 3k Sobigs/hour on our mail servers. I would rather have that than all my bandwidth eaten up by Sobig on all of my dialup/DSL connections.

SMTP DNS should be run through the servers provided by the ISP for the exact purpose. There is no valid reason for a dialup customer to go direct to root-servers.net and there is no reason why a dialup user should be sending mail directly to AOL, or any mail server for that matter (besides their host ISP)

-Matt
Re: Fun new policy at AOL
Sometime mid last week, one of my clients--a state chapter of a national association--became unable to send to all of their AOL members. Assuming it was simply that AOLs servers were inundated with infected emails, I gave it some time. The errors were simply delay and not delivered in time specified errors. AOL appear to have recently changed their MX receiving policies, see the following demon.announce post: http://groups.google.com/groups?selm=xVIP4XA5f7M%24EwzW%40demon.netoe=UTF-8 output=gplain --- cut here --- One such scheme uses a list of end user IP addresses on the basis that such users will only be sending legitimate email via their own ISP's smarthost email server. The idea is that the blocklist will be able to block non-legitimate email because it arrives directly. In particular it should block spam sent via insecure systems or virus/worm infections. We have recently been in discussion with AOL who are, at a future date, planning to implement just such a scheme as they have found, working with many ISPs around the world, that it significantly impacts their incoming spam volumes. --- cut here --- Regards, Jonathan
Re: Fun new policy at AOL
On Thursday, August 28, 2003 4:18 PM, Matthew Crocker [EMAIL PROTECTED] wrote: Shouldn't customers that purchase IP services from an ISP use the ISPs mail server as a smart host for outbound mail? At least here in DE there are resellers of DTAG which offer DSL connections without any SMTP relay. If you want relaying you also have to order a domain via them. More funny: you cannot deliver mails to DTAG (actually T-Online) as the resellers use address space of DTAG and hence the DTAG servers believe you are a customer of them and should use the internal relays ... Arnold
Re: Fun new policy at AOL
On Thu, 28 Aug 2003, Matthew Crocker wrote: Shouldn't customers that purchase IP services from an ISP use the ISPs mail server as a smart host for outbound mail? Also depends on how much clue said ISP has. I have a DSL-like connection at home from a large LEC/ISP, but half the time their mail server either doesn't respond or rejects me. If I was more concerned, I would just set up my own mail server here and be done with it. As it is, I use ssh/pine. But there's another good reason for customers to use their own mail server. Aaron
Re: Fun new policy at AOL
On Thu, 28 Aug 2003, Nipper, Arnold wrote: On Thursday, August 28, 2003 4:18 PM, Matthew Crocker [EMAIL PROTECTED] wrote: Shouldn't customers that purchase IP services from an ISP use the ISPs mail server as a smart host for outbound mail? At least here in DE there are resellers of DTAG which offer DSL connections without any SMTP relay. If you want relaying you also have to order a domain via them. More funny: you cannot deliver mails to DTAG (actually T-Online) as the resellers use address space of DTAG and hence the DTAG servers believe you are a customer of them and should use the internal relays ... I think that is also true of BT in the UK who as the incumbent are the only provider of things like unmetered dialup.. Steve
Re: GLBX ICMP rate limiting (was RE: Tier-1 without their own backbone?)
On Thu, Aug 28, 2003 at 08:48:50AM -0400, Jared Mauch wrote:

they [customers] expect a bit of loss when transiting a peering circuit or public fabric, and if the loss is only of icmp they tend to not care.

Um, since when? My customers expect perfection and if they don't get it, they're gonna gripe. Even if it's just the appearance of a problem (through traceroute and ICMP echo or similar), I'm going to hear about it. Personally, I tolerate a little loss. But I'm an engineer. I'm not a customer who has little or no concept of how the internet works and who doesn't really want to. The customer just wants it to work and when it doesn't they expect me to fix it, not explain to them that there really isn't a problem and that it's all in their head.

What are other transit providers doing about this or is it just GLBX?

here's one of many i've posted in the past, note it's also related to securing machines. http://www.ultraviolet.org/mail-archives/nanog.2002/0168.html I recommend everyone do such icmp rate-limits on their peering circuits and public exchange fabrics to what is a 'normal' traffic flow on your network.

The above message from the archives is from Jan 2002, if these were a problem then and still are now, perhaps people should either 1) accept that this is part of normal internet operations, or 2) decide that this is enough and it's time to seriously do something about these things.

While rate limiting ICMP can be a good thing, it has to be done carefully and probably can't be uniform across the backbone. (think of a common site that gets pinged whenever someone wants to test to see if their connection went down or if it's just loaded.. Limit ICMP into them improperly and lots of folks notice.) Such limiting also has to undergo periodic tuning as traffic levels increase, traffic patterns shift, and so forth. If a provider is willing to put the effort into it to do it right, I'm all for it.

If they're just gonna arbitrarily decide that the allowable flow rate is 200k across an OC48 and never touch it again then that policy is going to cause problems.

--- Wayne Bouchard [EMAIL PROTECTED] Network Dude http://www.typo.org/~web/
Re: GLBX ICMP rate limiting (was RE: Tier-1 without their own backbone?)
At 09:26 AM 8/28/2003, you wrote: It takes some education to the customers, but after they understand why, most are receptive. Especially when they get DOS'ed. We have been rate limiting ICMP for a long time, however, it is only recently that the percentage limit has been reached and people have started to see packet loss as a result. However, the fact that customers stay up and are not affected by the latest DOS attacks and real traffic makes it to the proper destination makes a slight increase in support calls well worth it. -Robert Tellurian Networks - The Ultimate Internet Connection http://www.tellurian.com | 888-TELLURIAN | 973-300-9211 Good will, like a good name, is got by many actions, and lost by one. - Francis Jeffrey
Re: Fun new policy at AOL
SMTP DNS should be run through the servers provided by the ISP for the exact purpose. There is no valid reason for a dialup customer to ^ OH YES THERE IS (at least to a different resolver other than yours) go direct to root-servers.net and there is no reason why a dialup user should be sending mail directly to AOL, or any mail server for that matter (besides their host ISP) -Matt Except for the fact the your DNS server may be using a root cache file that points to the restrictive USG root network that is currently controlled by a corrupt monopoly. What about customers who want to use ORSC or Pacificroot? There are about 11,000 TLDs out there and you want to limit your customers to have to suffer under the current totalitarian dictatorship? I wouldn't ever be a customer of yours.
Re: Fw: GLBX ICMP rate limiting (was RE: Tier-1 without their ownbackbone?)
On Thu, 28 Aug 2003, Gordon wrote: Of the DDOS attacks I have had to deal with in the past year I have seen none which were icmp based. As attacks evolve and transform are we really to believe that rate limiting icmp will have some value in the attacks of tomorrow? The folks doing the attacking aren't 100% stupid... If their tcp flooder fails they will attempt udp then icmp or some other serial list of flooding tools. A large number of the 'bot' programs today have multiple flooding tools on them, so attempt proto X, if !success then attempt proto Y and so on :( Rate-limiting ICMP is 'ok' if you, as the provider, think it's worthwhile and you, as the provider, want to deal with the headache phone calls... It might not stop everything, but in reality nothing really can :( If someone really wants your site/system/server off the network it's as good as gone. -Chris
Re: Fun new policy at AOL
In article [EMAIL PROTECTED], Matthew Crocker [EMAIL PROTECTED] writes Shouldn't customers that purchase IP services from an ISP use the ISPs mail server as a smart host for outbound mail? We block outbound port 25 connections on our dialup and DSL pool. [snip] there is no reason why a dialup user should be sending mail directly to AOL, or any mail server for that matter (besides their host ISP) Dial-up, I agree. DSL is a slightly different story. And I'm as much against Spam as anyone. -- Roland Perry
Re: Fun new policy at AOL
Speaking on Deep Background, the Press Secretary whispered:

Shouldn't customers that purchase IP services from an ISP use the ISPs mail server as a smart host for outbound mail?

applying that standard just how large do you have to get before you graduate to running your own smtp server. I'm sorry we won't accept mail from you because you're not an lir?

Yea! I think the registry should run the mail server. That way, there's just 3 or 4 nationwide. Makes it easier for Ashcroft and RIAA, to boot. And we all know how well NSI does on complex things...

--
A host is a host from coast to coast.................[EMAIL PROTECTED]
no one will talk to a host that's close..........[v].(301) 56-LINUX
Unless the host (that isn't close).........................pob 1433
is busy, hung or dead....................................20915-1433
Re: Fun new policy at AOL
On Thu, 28 Aug 2003, Roland Perry wrote: In article [EMAIL PROTECTED], Stephen J. Wilcox [EMAIL PROTECTED] writes BT in the UK who as the incumbent are the only provider of things like unmetered dialup.. I have a 19.99 a month unmetered dialup from Freeserve (based on FRIACO). There must be others. i was avoiding going into detail as most ppl here are probably not that interested in the uk setup.. its complicated, energis, worldcom operate their own pstn friaco, there are also ways of buying it in at sufficient volume as isdn or modem terminated l2tp or buying ports on someone elses platform. but my generalisation is that there is a dominant player in this market who is dominant as they can offer things which the others cant afford to do ! Steve
Re: Fun new policy at AOL
Matthew Crocker wrote: SMTP DNS should be run through the servers provided by the ISP for the exact purpose. There is no valid reason for a dialup customer to go direct to root-servers.net and there is no reason why a dialup user should be sending mail directly to AOL, or any mail server for that matter (besides their host ISP) ...and there is no reason for dialup customer to have direct access to any other port either, they'll just use the www-proxy and other ALG services from the ISP ? This is a self-solving problem. Pete
RE: Fun new policy at AOL
-On Thursday, August 28, 2003 4:18 PM, Matthew Crocker [EMAIL PROTECTED] -wrote: - - Shouldn't customers that purchase IP services from an ISP use the ISPs - mail server as a smart host for outbound mail? - -At least here in DE there are resellers of DTAG which offer DSL connections -without any SMTP relay. If you want relaying you also have to order a domain -via them. More funny: you cannot deliver mails to DTAG (actually T-Online) -as the resellers use address space of DTAG and hence the DTAG servers -believe you are a customer of them and should use the internal relays ... - -Arnold I wouldn't say that the answer is to use a relay.. I have had the problem, and due to the business we are in, we sometimes are forced to email proofs that can be as big as 10 Meg, zipped. Don't think many would allow us to relay that.. J
Re: GLBX ICMP rate limiting (was RE: Tier-1 without their own backbone?)
* [EMAIL PROTECTED] said:

On Wed, 27 Aug 2003, [EMAIL PROTECTED] wrote: We have a similarly sized connection to MFN/AboveNet, which I won't recommend at this time due to some very questionable null routing they're doing (propagating routes to destinations, then bitbucketing traffic sent to them) which is causing complaints from some of our customers and forcing us to make routing adjustments as the customers notice MFN/AboveNet has broken our connectivity to these destinations.

We've noticed that one of our upstreams (Global Crossing) has introduced ICMP rate limiting 4/5 days ago. This means that any traceroutes/pings through them look awful (up to 60% apparent packet loss). After contacting their NOC, they said that the directive to install the ICMP rate limiting was from the Homeland Security folks and that they would not remove them or change the rate at which they limit in the foreseeable future.

Homeland Security recommended the filtering of ports 137-139 but have not, to my knowledge, recommended rate limiting ICMP.

I speak for Global Crossing when I say that ICMP rate limiting has existed on the Global Crossing network, inbound from peers, for a long time ... we learned our lesson from the Yahoo DDoS attack (when they were one of our customers) back in the day and it was shortly thereafter that we implemented the rate limiters. Over the past 24 hours we've performed some experimentation that shows outbound rate limiters being also of value and we're looking at the specifics of differentiating between happy ICMP and naughty 92 byte packet ICMP and treating the latter with very strict rules ... like we would dump it on the floor. This, I believe, will stomp on the bad traffic but allow the happy traffic to pass unmolested.

The rate-limiters have become more interesting recently, meaning they've actually started dropping packets (quite a lot in some cases) because of the widespread exploitation of unpatched windows machines. Our results show that were we to raise the size of the queues the quantity of ICMP is such that it would just fill it up and if we permit all ICMP to pass unfettered we would find some peering circuits that become congested. Our customers would not appreciate the latter either.

-Steve
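The two-tier approach Steve describes (classify the 92-byte echo-request pattern and drop it outright, police the rest), together with Wayne's earlier warning that a single fixed ICMP limit makes legitimate pings and traceroute replies look lossy, as an added Python simulation. This is not code from the thread or from Global Crossing; the token-bucket policer, the constructed packet trace, and the rates and packet sizes are assumptions made for the demonstration, and "92 byte" is taken to mean an IP total length of 92 bytes on an ICMP echo request.

```python
"""ICMP policing: one uniform rate limiter vs. classify-then-police.

Added example, not code from the posting or from Global Crossing. It runs a
token-bucket policer over a constructed packet trace to show why a single ICMP
rate limit makes legitimate pings and traceroute replies look lossy, while a
classifier that discards the 92-byte echo-request pattern named in the thread
leaves them untouched. Timestamps are integer milliseconds so the result is
exact and reproducible; sizes and rates are constructed, not measured.
"""
from collections import Counter
from dataclasses import dataclass

ECHO_REQUEST, TIME_EXCEEDED = 8, 11


@dataclass(frozen=True)
class Packet:
    ts_ms: int        # arrival time in milliseconds
    proto: str        # "icmp" or "tcp"
    icmp_type: int    # ICMP type, or -1 for non-ICMP
    length: int       # IP total length in bytes


class TokenBucket:
    """Byte-based policer: refills `rate` bytes per ms, holds at most `burst` bytes."""

    def __init__(self, rate_per_ms: int, burst: int):
        self.rate, self.burst = rate_per_ms, burst
        self.tokens, self.last_ms = burst, 0

    def admit(self, pkt: Packet) -> bool:
        self.tokens = min(self.burst, self.tokens + (pkt.ts_ms - self.last_ms) * self.rate)
        self.last_ms = pkt.ts_ms
        if pkt.length <= self.tokens:
            self.tokens -= pkt.length
            return True
        return False


def is_suspect(pkt: Packet) -> bool:
    # The "92 byte packet ICMP" signature from the thread (assumed: echo request, total length 92).
    return pkt.proto == "icmp" and pkt.icmp_type == ECHO_REQUEST and pkt.length == 92


def classify(pkt: Packet) -> str:
    if pkt.proto != "icmp":
        return "other"
    return "suspect" if is_suspect(pkt) else "legit_icmp"


def police(trace, rate_per_ms: int, burst: int, drop_suspect_first: bool) -> Counter:
    """Return a Counter of (class, 'pass'|'drop'). `trace` must be sorted by ts_ms.

    drop_suspect_first=False: all ICMP shares one bucket (a uniform rate limit).
    drop_suspect_first=True:  suspect packets are discarded before the bucket,
                              so only the remaining ICMP competes for tokens.
    """
    bucket = TokenBucket(rate_per_ms, burst)
    verdicts: Counter = Counter()
    for pkt in trace:
        cls = classify(pkt)
        if cls == "other":
            ok = True                      # non-ICMP traffic is not policed here
        elif drop_suspect_first and cls == "suspect":
            ok = False
        else:
            ok = bucket.admit(pkt)
        verdicts[(cls, "pass" if ok else "drop")] += 1
    return verdicts


def build_trace():
    """Constructed one-second trace: a 92-byte echo-request flood (one packet every 2 ms),
    ten ordinary 84-byte pings, ten 56-byte time-exceeded replies from a traceroute,
    and ten TCP packets, all at offsets chosen so no two packets share a timestamp."""
    flood = [Packet(2 * i, "icmp", ECHO_REQUEST, 92) for i in range(500)]
    pings = [Packet(51 + 100 * k, "icmp", ECHO_REQUEST, 84) for k in range(10)]
    ttl_exceeded = [Packet(31 + 100 * k, "icmp", TIME_EXCEEDED, 56) for k in range(10)]
    tcp = [Packet(17 + 100 * k, "tcp", -1, 1500) for k in range(10)]
    return sorted(flood + pings + ttl_exceeded + tcp, key=lambda p: p.ts_ms)


RATE_PER_MS, BURST = 5, 500   # 5 bytes/ms (40 kbit/s) with a 500-byte burst; constructed


def compare_policies():
    trace = build_trace()
    return {
        "uniform": police(trace, RATE_PER_MS, BURST, drop_suspect_first=False),
        "classified": police(trace, RATE_PER_MS, BURST, drop_suspect_first=True),
    }


if __name__ == "__main__":
    for name, verdicts in compare_policies().items():
        print(name, dict(sorted(verdicts.items())))
```

With one shared bucket the flood keeps the bucket near empty, so the first time-exceeded reply at 31 ms already finds only 11 tokens and is dropped, while some flood packets still get through whenever enough tokens accumulate; that is the "60% apparent loss" the thread complains about, landing on the traffic people actually look at. Dropping the signature first leaves the bucket to the legitimate ICMP alone, and every ping and traceroute reply in the trace passes. The tuning caveat from the thread still applies: the signature and the rate both need revisiting as traffic changes.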
Re: Fun new policy at AOL
- Original Message - From: David Lesher [EMAIL PROTECTED] To: nanog list [EMAIL PROTECTED] Sent: Thursday, August 28, 2003 10:22 Subject: Re: Fun new policy at AOL Speaking on Deep Background, the Press Secretary whispered: Shouldn't customers that purchase IP services from an ISP use the ISPs mail server as a smart host for outbound mail? applying that standard just how large do you have to get before you graduate to running your own smtp server. I'm sorry we won't accept mail from you because you're not an lir? Yea! I think the registry should run the mail server. That way, there's just 3 or 4 nationwide. Makes it easier for Ashcroft and RIAA, to boot. And we all know how well NSI does on complex things... This brings up a more general point about the dangers of blocking everything under the sun. When you limit yourself to just a few chokepoints, it's easier for those who would stifle communications to shut things down. This is a very dangerous path to take. Not that we shouldn't consider some sort of port restrictions to stop spam, but there are undesirable long term effects that need to be considered. Those on the dark side will be considering them, you may be sure, while licking their chops.
Re: Fw: GLBX ICMP rate limiting (was RE: Tier-1 without their ownbackbone?)
On Thu, 28 Aug 2003, Christopher L. Morrow wrote: Rate-limiting ICMP is 'ok' if you, as the provider, think its worthwhile and you, as the provider, want to deal with the headache phone calls... Would it be fair to say that UUNET haven't been asked by Homeland Security to do the rate limiting that GLBX claim they have been asked to do? Has anyone else been asked to rate limit by the U.S. Department of Homeland Security? Rich
Re: Measured Internet good v. bad traffic
I can have some sympathy for the customer in this case...But... Do you consider the definition of 'bad traffic to include spam? To me, this is really simple. (as usual, IANAL, BUT...) It is 'theft of services' on the part of: a) the person(s) who wrote and released the virus, and b) contributory negligence on the part of anyone who didn't patch their systems when they found out. It would remain an open legal question if the ISP could be held negligent for not blocking the ports. Not ground I, as an ISP, would like to see explored either. Even though we did block all the appropriate ports. As to billing credit, it is an interesting problem. An equivalent would be someone causes your power utilization to go up. You still have to pay the bill. If you can prove who is doing it, you might be able to recoup some of the costs. This all comes, again, back to the matter of enforcement for the crimes. And LEO's being unwilling to do anything unless you can show a direct financial loss. Well, the financial loss is starting to show up. Complain to your upstream, and call the long arm of the law. Bob Raymond, Steven wrote: Have received complaints from usage-based-billing Internet customers lately about not wanting to pay for the nuisance traffic caused by worm-of-the-day. I believe that in the case of a short-duration, targeted attack that can eventually be stopped, a billing credit is probably appropriate. But what about these current plagues that go on for weeks or forever- what is your network's response? Some simply want the traffic filtered in our routers- permanently. That is my least favorite option. Others want to simply not be billed for bad traffic. My reaction is to suggest that metered billing is probably not for you, then. But I could of course sympathize if I were footing the bill. What are other network operators doing about this issue, if it is an issue for them at all? Thanks
Re: GLBX ICMP rate limiting (was RE: Tier-1 without their ownbackbone?)
On Thu, 28 Aug 2003, Wayne E. Bouchard wrote: While rate limiting ICMP can be a good thing, it has to be done carefully and probably can't be uniform across the backbone. (think of a common site that gets pinged whenever someone wants to test to see if their connection went down or if it's just loaded.. Limit ICMP into them improperly and lots of folks notice.) Such limiting also has to undergo periodic tuning as traffic levels increase, traffic patterns shift, and so forth. Along these lines, how does this limiting affect akamai or other 'ping for distance' type localization services? I'd think their data would get somewhat skewed, right?
ICMP traffic increasing on most backbones Re: GLBX ICMP rate limiting
On Thu, 28 Aug 2003, Steve Carter wrote: The rate-limiters have become more interesting recently, meaning they've actually started dropping packets (quite a lot in some cases) because of the widespread exploitation of unpatched windows machines. Yep, the amount of ICMP traffic seems to be increasing on most backbones due to worm activity. It probably hasn't exceeded HTTP yet, but it is surpassing many other protocols. Some providers have seen ICMP increase by over 1,000% over the last two weeks. Unfortunately, the question sometimes becomes which packets do you care about more? Ping or HTTP? Patch your Windows boxes. Get your neighbors to patch their Windows boxes. Microsoft make a CD so people can fix their Windows machines before they connect them to the network.
Re: Fun new policy at AOL
On Thursday, August 28, 2003, at 11:07 AM, Joel Jaeggli wrote: On Thu, 28 Aug 2003, Matthew Crocker wrote: Shouldn't customers that purchase IP services from an ISP use the ISPs mail server as a smart host for outbound mail? applying that standard just how large do you have to get before you graduate to running your own smtp server. I'm sorry we won't accept mail from you because you're not an lir?

If a larger corporation showed that they have a clue we remove the filters. If we start getting virus/spam notifications on again we re-enable the filter. We are either primary or backup MX for all of our customers. We can implement a port 25 inbound filter on a customer and their inbound mail is unaffected. We can then contact the customer and work with them to fix their broken mail server and remove the filter. We make the determination based on skill level of the customer, not their size.

How does this sound for a new mail distribution network. Customers can only send mail through their direct provider. ISPs can only send mail to their customers and their upstream provider. They purchase the ability to send mail to the upstream as part of their bandwidth. ISPs can contact and work out other direct mail routing arrangements between themselves. For example, ISP A could send directly to ISP B if there is a large amount of A - B mail. Both ISPs have to agree. ISPs form a trusted ring of mail servers for direct connection. All others get shipped upstream to the next available mail server. All mail servers are known, logged and can be kicked off the network by the upstream provider. A central core of distributed mail servers gets built by each backbone ISP. The backbone ISPs peer with one another (trust each others mail). backbone ISPs accept mail from their customers and can block that mail if their customer doesn't have a clue. Everything is logged, everything is validated. Setting up a mail server involves more than getting a static IP and setting up an MX record.

SPAM is eliminated because it can't enter the trust ring unless it goes through an ISP. That ISP can be kicked off if they allow spammers. Viruses are managed because they can be tracked back to their origin. block at the core. virus protection could also be made a requirement for entering the trusted mail ring. Mail servers are set to deny all mail by default, opening up connections from trusted hosts as you build trust relationships. Contact information needs to be maintained. I can't get into Sprints trust ring unless I can contact them. This can be phased into service by setting up trusted and untrusted mail servers. All mail entering untrusted mail servers has a higher spam score and cannot be forwarded outside the local network. Trusted mail (i.e. from customers) can be forwarded upstream to other trusted, non-trusted mail servers. -Matt
Re: Cross-country shipping of large network/computer gear?
I've only shipped a few (moderately) heavy things on short notice in my career. Almost all of those involved FedEx because it was simple and hassle-free. If we're talking about shipping pallets of equipment then I agree with the use of air cargo. It wasn't entirely clear from the first post that a few pallets' worth of equipment was what was being shipped. BTW, counter-to-counter service isn't always handled as luggage. In a few cases the package is hand-carried over to the cargo terminal where it's put on the next flight out. Then it's held for you at the destination, NOT put out on the conveyor belt. Most air cargo firms are set up to deal with companies that ship products as a part of their daily business. They usually don't do a whole lot of business with individual shippers. YMMV. I've used air, rail, and truck. IMHO, if you don't know a bill of lading from a hotel bill then an air cargo company isn't where you should start. WRT FedEx: just because your stuff got damaged, don't assume that they break everything they touch. There isn't a single business that I can think of that would tolerate a 40% loss rate on anything. FedEx could NOT stay in business long with those kinds of numbers. Nor could they keep an insurance carrier. Robert E. Seastrom wrote: N. Richard Solis [EMAIL PROTECTED] writes: FedEx will be your best bet. Trust me. FedEx Heavy = pay a surcharge for heavy boxes, get it moved by a 120 pound delivery person with a handtruck rather than a pallet jack or other appropriate freight handling equipment... and dropped off the truck. My experience is a 40% damage rate when shipping Cisco 7507 and 7513 routers via FedEx Heavy. Here are some pictures from back when I was at AboveNet: http://www.seastrom.com/fedex/ You COULD do a counter to counter shipment via an airline cargo desk. That MIGHT be cheaper but you will still have to transport it from your spot to their pickup and back again on the other side. 
Counter-to-counter is the *last* way you would want to ship that sort of thing (handled as luggage on a flight, beat to hell by baggage handlers, and you get to retrieve it from baggage claim in an airport and schlep it all the way to your car). Far better (if you have access to trucks on both ends) is to ship it air freight. As you enter your favorite airport, follow the signs to Air Cargo, not the signs to the passenger terminal. When you find a place with a lot of places for 18-wheelers to back up to loading docks, and relatively few places for cars to park, you've found the right place. Matthew doesn't mention specific terminus points for the shipment, but based on whois information I'll make a wild guess that NYC is one end. JFK appears to be the big United installation (vs LGA and EWR), per info on www.unitedcargo.com - I tend to prefer them because of their long hours for pickup and delivery at IAD, which makes life convenient for me. :) If you need door-to-door service, there are numerous air freight forwarders who can handle palletized equipment and move it around the country/world in a timely fashion (and really, if you're talking about 300+ pounds of rackmount equipment, that's how you want to move it anyway). Two companies that I've used and been quite happy with the results are Cavalier International and Eagle Global Logistics. You may recognize Eagle's logo from stickers on previous shipments that you've gotten from major manufacturers who have stuff manufactured in the Far East. The Pros Know. http://www.eaglegl.com/ http://www.cavalier-intl.com/ ---Rob
Re: Fun new policy at AOL
On Thursday, August 28, 2003, at 11:31 AM, Petri Helenius wrote: Matthew Crocker wrote: SMTP DNS should be run through the servers provided by the ISP for the exact purpose. There is no valid reason for a dialup customer to go direct to root-servers.net and there is no reason why a dialup user should be sending mail directly to AOL, or any mail server for that matter (besides their host ISP) ...and there is no reason for dialup customer to have direct access to any other port either, they'll just use the www-proxy and other ALG services from the ISP ? This is a self-solving problem. Technically no. There is no reason for a customer to have direct access to the net so long as the ISP can provide appropriate proxies for the services required. It gets complex, it gets hard to manage but it can be done. There is a stigma against proxying because of the early days when stale content was all over the place. Does a dynamically assigned dialup/DSL user even need a valid routable IP? For games? Maybe games should be more NAT friendly. We do remove the filters for customers that have a valid need and show that they have a clue how it all works. -Matt
Re: Fun new policy at AOL
This brings up a more general point about the dangers of blocking everything under the sun. When you limit yourself to just a few chokepoints, it's easier for those who would stifle communications to shut things down. This is a very dangerous path to take. Not that we shouldn't consider some sort of port restrictions to stop spam, but there are undesirable long term effects that need to be considered. Those on the dark side will be considering them, you may be sure, while licking their chops. It can be built without choke points. ISPs could form trust relationships with each other and bypass the central mail relay. AOL for example could require ISPs to meet certain criteria before they are allowed direct connections. ISPs would need to contact AOL, provide valid contact info and accept some sort of AUP (I shall not spam AOL...) and then be allowed to connect from their IPs. AOL could kick that mail server off later if they determine they are spamming. -Matt
Re: Fun new policy at AOL
Matthew Crocker wrote: Technically no, There is no reason for a customer to have direct access to the net so long as the ISP can provide appropriate proxies for the services required. It gets complex, it gets hard to manage but it can be done. There is a stigma against proxying because of the early days when stale content was all over the place. Does a dynamically assigned dialup/DSL user even need a valid routable IP? For games? Maybe games should be more NAT friendly. How many ISPs actively provide ALGs for the 50% of their traffic which consists of the peer2peer applications? Or is the most popular killer app not a required service? RIAA friends would love you if you declared HTTP the only allowed protocol. Would also give a boost to the applications implementing IP over HTTP. Pete
Re: Fun new policy at AOL
On Thu, 28 Aug 2003 12:00:29 EDT, Matthew Crocker said: How does this sound for a new mail distribution network. Only a few problems here: 1) Bootstrapping it - as long as you need to accept legacy SMTP because less than 90% of the mail is being done the new way, you have a hard sell in getting anybody to go to the effort of buying in. 2) Feel free in working out arrangements with 4,000 other ISPs, or getting stuck with a provider. You thought it sucked trying to get a route announced for multihoming, this is going to be a lot worse. 3) Go read up on why ADMD/PRMD sucked in X.400 (hint - see (2)).
Re: W32/Sobig-F - Halflife correlation ???
One possibility is that half-life servers are inherently directory services. The list of connected players could be used to encode directory data for the worm to attack. Owen --On Friday, August 22, 2003 8:50 PM -0400 Matt Martini [EMAIL PROTECTED] wrote: I've scanned my Netflow logs for activity associated with the 20 machines that SoBig was targeting and I found some very curious activity. I routed traffic to these 20 ips to Null0. At 3:09 I started getting traffic from 10 of the 20 machines to a Halflife server on my network. This continued until 6:14pm. The conversations could not be productive because of my Null route, but what were these machines trying to do? Even more interesting is the fact that these machines were supposed to be shutdown before 3:00. How could they be sending data to this halflife server? I suspect that the addresses are spoofed, but to what end? Are there any halflife vulnerabilities that the virus writers are using? It just seems like too much of a coincidence that 10 out of 20 machines were hitting this server. I have the original Netflow data and the complete logs. Below is a sample of what I was seeing. Port 27015 is the normal Halflife port. Anyone have any ideas? or seeing anything similar?
Read: Date,Time,SrcIP,SrcPort,DstIP,DstPort,Protocol,Packets,Bytes
2003/08/22 15:09:54 67.73.21.6.50416 - XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 15:10:00 12.232.104.221.64550 - XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 15:10:03 61.38.187.59.43445 - XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 15:10:07 67.9.241.67.17414 - XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 15:10:09 63.250.82.87.2956 - XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 15:10:12 24.197.143.132.18637 - XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 15:10:23 61.38.187.59.64072 - XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 15:10:31 67.73.21.6.27900 - XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 15:10:39 65.177.240.194.1448 - XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 15:10:46 63.250.82.87.33876 - XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 15:11:16 65.177.240.194.40713 - XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 15:11:18 61.38.187.59.58060 - XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 15:11:25 24.197.143.132.4336 - XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 15:11:40 67.9.241.67.6812 - XXX.XXX.XXX.XXX.27015 17 1 37
[...]
2003/08/22 18:13:27 65.95.193.138.11565 - XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 18:13:31 12.232.104.221.32662 - XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 18:13:35 61.38.187.59.28106 - XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 18:13:37 24.33.66.38.19736 - XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 18:13:38 67.9.241.67.51452 - XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 18:13:46 65.95.193.138.46930 - XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 18:13:53 61.38.187.59.16641 - XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 18:13:59 63.250.82.87.56358 - XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 18:14:09 12.232.104.221.19923 - XXX.XXX.XXX.XXX.27015 17 1 37
Total = 1751 flows from 15:09:54 to 18:14:09
Servers hitting the Halflife machine
12.232.104.221
24.33.66.38
24.197.143.132
24.202.91.43
61.38.187.59
63.250.82.87
65.95.193.138
65.177.240.194
67.9.241.67
67.73.21.6
__ http://www.invision.net/ ___
Matthew E. Martini, PE
InVision.com, Inc.
(631) 543-1000 x104 Chief Technology Officer [EMAIL PROTECTED]
(631) 864-8896 Fax
Re: ICMP traffic increasing on most backbones Re: GLBX ICMP rate limiting
* Sean Donelan said: On Thu, 28 Aug 2003, Steve Carter wrote: The rate-limiters have become more interesting recently, meaning they've actually started dropping packets (quite a lot in some cases) because of the widespread exploitation of unpatched windows machines. Yep, the amount of ICMP traffic seems to be increasing on most backbones due to worm activity. It probably hasn't exceeded HTTP yet, but it is surpassing many other protocols. Some providers have seen ICMP increase by over 1,000% over the last two weeks. The results of our data collection are almost unbelievable. I've had to have it rechecked multiple times because I had a hard time even grokking the scale. Like, dude, is your calculator broken? It appears that the volume is still growing ... even with the widespread publicity. Those of us that are sourcing this traffic need to protect ourselves and the community by rate limiting because the exploited are not. I agree with Wayne that we need to be smart (reads: very specific) about how we rate limit during this event. When the event is over we can go back to just a simple rate limit that protects us in a very general way until the next event jumps up. private message Yuh, Jay, I changed my tune ... you were right. /private message -Steve
Re: Sobig.f surprise attack today
Again, I am not proposing a worm. Simply a cleaner that would neuter the worm that connected. What I am proposing would _ONLY_ provide software that, if the connecting client chose to execute it, would neuter the worm on the connecting client that executed it. Nothing that would worm to other computers from there. That's high risk. Alternatively, perhaps we could, instead, publish an INFECTED SYSTEMS blacklist based on such connections to a honeypot. Any system which made the correct request could then have its address published via BGP or DNS for ISPs and the like to do as they wish. Again, I don't propose or advocate actively tampering with other peoples systems. However, if someone comes to my website and asks for executable code, then executes it, I do not feel that it is my responsibility to provide them code which will not alter the contents of their system. I also don't feel it is my responsibility to determine if their request came from a human authorized to use the computer or a worm. Owen --On Friday, August 22, 2003 4:54 PM -0700 Doug Barton [EMAIL PROTECTED] wrote: On Fri, 22 Aug 2003, Owen DeLong wrote: Sure, it won't happen in 30 minutes, but, I don't understand why this wasn't started when F-Secure first noticed the situation. I seriously doubt that most (any?) ISP would be willing to accept the legal liability for altering anything on the computer of a third party that just happened to connect to an IP in a netblock they are responsible for. White worms are an elegant engineering concept, but have little practical value (and huge risk) outside of networks that you control directly. Doug -- You're walkin' the wire, pain and desire. Looking for love in between. - The Eagles, Victim of Love
Re: Fw: GLBX ICMP rate limiting (was RE: Tier-1 without their ownbackbone?)
On Thu, 28 Aug 2003, [EMAIL PROTECTED] wrote: On Thu, 28 Aug 2003, Christopher L. Morrow wrote: Rate-limiting ICMP is 'ok' if you, as the provider, think its worthwhile and you, as the provider, want to deal with the headache phone calls... Would it be fair to say that UUNET haven't been asked by Homeland Security to do the rate limiting that GLBX claim they have been asked to do? Has That is not fair at all :) DHS asked 'all ISPs' to filter 'all relevant traffic' for this latest set of MS worm events. Some ISPs did the filtering in part or in whole, others didn't... I would think that any ISP should have made the decision to take action not based on DHS's decree, but on the requirements of their network. So, if the ISP's network was adversely impacted by this event, or any other, they should take the action that is appropriate for their situation. That action might be to filter some or all of the items in DHS's decree, it might be to drop prefixes on the floor or turn down customers, or a whole host of other options. Doing things for the govt 'because they asked nicely' is not really the best of plans, certainly they don't know the mechanics of your network, mine, GBLX's, CW's or anyone else's... they should not dictate a solution. They really should work with their industry reps to 'get the word out' about a problem and 'make people aware' that there could be a crisis. Dictating solutions to 'problems' that might not exist is hardly a way to get people to help you out in your cause :) Oh, and why didn't they beat on the original software vendor about this?? Ok, no more rant for me :) anyone else been asked to rate limit by the U.S. Department of Homeland Security? Just about everyone with a large enough US office was asked by DHS, in a public statement...
Re: GLBX ICMP rate limiting (was RE: Tier-1 without their ownbackbone?)
On Thu, 2003-08-28 at 17:37, Steve Carter wrote: I speak for Global Crossing when I say that ICMP rate limiting has existed on the Global Crossing network, inbound from peers, for a long time ... we learned our lesson from the Yahoo DDoS attack (when they were one of our customers) back in the day and it was shortly thereafter that we implemented the rate limiters. Over the past 24 hours we've performed some experimentation that shows outbound rate limiters being also of value and we're looking at the specifics of differentiating between happy ICMP and naughty 92 byte packet ICMP and treating the latter with very strict rules ... like we would dump it on the floor. This, I believe, will stomp on the bad traffic but allow the happy traffic to pass unmolested. I think I can safely say that GBLX is beyond looking at the specifics of dropping 92-byte ICMP's, and are in fact doing it. And have not really bothered telling their customers about it either. We happen to use GBLX as one of our upstreams, and have a GigE pipe towards them. Since MS in their infinite wisdom seem to use 92-byte ICMP Echos in the Windows tracert.exe without having any option to use another protocol and/or packetsize, this certainly has generated several calls to OUR support desk today, by customers of ours claiming your routing is broken, traceroutes aren't getting anywhere!. Although I obviously understand the reasons, it WOULD be nice if a supplier would at least take the trouble to inform us when they start applying filters to customer traffic, so our helpdesk would be prepared to answer questions about it. We are not a peer, but a paying customer after all. Oh, and it is not rate-limiting causing this, it is most definitely 92-byte filters. traceroute -P icmp www.gblx.net 92 from a decent OS will drop, any other packetsize works like a charm. /leg
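The "naughty 92-byte ICMP" filter that Steve Carter describes and that /leg observes in the field comes down to one decision per packet: is this an ICMP echo request whose IP total length is exactly 92 bytes? The block below is an added illustration of that classifier, not code from Global Crossing or anyone in the thread. It assumes the 92-byte figure is the IPv4 total length (20-byte header, 8-byte ICMP header, 64-byte payload), builds its own constructed test packets (documentation addresses 192.0.2.10 and 198.51.100.1), and checks header checksums before trusting the length field. Function names are the example's own.

```python
import socket
import struct

ICMP_PROTO = 1
UDP_PROTO = 17
ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
# Assumption: the "92 byte" ICMP in the thread is the IPv4 total length:
# 20 (IP header) + 8 (ICMP header) + 64 (payload).
SUSPECT_TOTAL_LENGTH = 92


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (0 when data already
    contains a correct checksum)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(proto: int, payload: bytes,
               src: str = "192.0.2.10", dst: str = "198.51.100.1") -> bytes:
    """Constructed IPv4 datagram (no options) carrying `payload`."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_icmp_echo(payload: bytes, icmp_type: int = ICMP_ECHO_REQUEST,
                    ident: int = 1, seq: int = 1, **ip_kw) -> bytes:
    """Constructed ICMP echo request/reply inside an IPv4 datagram."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return build_ipv4(ICMP_PROTO, icmp, **ip_kw)


def parse_ipv4(packet: bytes) -> dict:
    """Parse and validate the IPv4 header; raise on anything malformed so a
    bad packet never gets classified on garbage fields."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_length, _ident, _frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_length < ihl or total_length > len(packet):
        raise ValueError("malformed IPv4 header")
    if inet_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"total_length": total_length, "proto": proto,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "payload": packet[ihl:total_length]}


def classify(packet: bytes) -> str:
    """'drop' only for an ICMP echo *request* of exactly the suspect wire
    size; echo replies, other sizes and non-ICMP traffic all 'pass'."""
    hdr = parse_ipv4(packet)
    if hdr["proto"] != ICMP_PROTO or len(hdr["payload"]) < 8:
        return "pass"
    if inet_checksum(hdr["payload"]) != 0:
        return "drop"          # corrupt ICMP is not worth forwarding either
    icmp_type = hdr["payload"][0]
    if icmp_type == ICMP_ECHO_REQUEST and hdr["total_length"] == SUSPECT_TOTAL_LENGTH:
        return "drop"
    return "pass"


def filter_counts(packets) -> dict:
    """Apply classify() to a sequence of packets and tally the verdicts."""
    counts = {"pass": 0, "drop": 0}
    for pkt in packets:
        counts[classify(pkt)] += 1
    return counts


if __name__ == "__main__":
    sample = [build_icmp_echo(b"\xaa" * 64),                       # 92 bytes: dropped
              build_icmp_echo(b"\xaa" * 56),                       # 84-byte Unix ping
              build_icmp_echo(b"\xaa" * 64, icmp_type=ICMP_ECHO_REPLY),
              build_ipv4(UDP_PROTO, b"\x00" * 72)]                 # 92-byte UDP, passes
    print(filter_counts(sample))
```

The collateral damage /leg reports falls straight out of the rule: Windows tracert.exe sends echo requests of that exact size, so they are indistinguishable from the worm probes on length alone, while `traceroute -P icmp ... 92` with any other size passes. Matching on the echo request type rather than on all ICMP at least leaves replies, unreachables and TTL-exceeded messages alone.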
Re: Cross-country shipping of large network/computer gear?
N. Richard Solis [EMAIL PROTECTED] writes: BTW, counter-to-counter service isn't always handled as luggage. In a few cases the package is hand-carried over to the cargo terminal where it's put on the next flight out. Then it's held for you at the destination, NOT put out on the conveyor belt. Rarely (but it does happen on occasion) put on the conveyor belt, equally rarely hand-carried to the cargo building -- usually stuck in a marked cargo container on the ramp. The big problem that I have with counter-to-counter is that you have to park your car and hoof it into the terminal to retrieve the package at baggage claim. Always inconvenient (particularly on the return trip with a bunch of boxes) and often pricey if you park anywhere near the terminal. Good luck tracking down the baggage agent if a flight hasn't just come in, and have fun waiting in line with disgruntled travelers if one has. Compare and contrast to parking right outside of the air freight or FedEx station and walking 50 feet, then backing your pickup or u-haul truck (or unimog ;-)) up to dock 7 to have them fork the pallet in. Life can be as simple or as difficult as you want to make it. Most air cargo firms are set up to deal with companies that ship products as a part of their daily business. They usually don't do a whole lot of business with individual shippers. YMMV. I've used air, rail, and truck. IMHO, if you don't know a bill of lading from a hotel bill then an air cargo company isn't where you should start. For the average NANOG denizen, the most difficult part of filling out bills of lading and commercial invoices for the first time will be the gymnastics necessary to swallow his pride and politely ask the guy behind the counter for help determining what goes in one or two non-obviously-labeled spaces on the form. :) WRT FedEx: just because your stuff got damaged, don't assume that they break everything they touch.
There isn't a single business that I can think of that would tolerate a 40% loss rate on anything. FedEx could NOT stay in business long with those kinds of numbers. Nor could they keep an insurance carrier. Certainly _we_ (the company I was working for at that point) didn't tolerate the 40% loss rate - we took our business elsewhere. Those pictures were taken to support my case for giving them the final boot for large objects - such measures had been discussed on previous occasions. We still used FedEx for stuff that could be carried under one arm, and even on one or two occasions for stuff that was sufficiently large as to discourage even the most intrepid soul from trying to move it without a pallet jack. Not, though, for the stuff in the middle which they showed themselves to be uniquely incompetent to handle, which explains why our mae-east router (also a 7513 at the time) ended up with 1800nofedex as an enable password for a while. ---Rob
Re: Fun new policy at AOL
On 28 Aug 2003 16:07 UTC Matthew Crocker [EMAIL PROTECTED] wrote: | AOL for example could require ISPs to meet certain criteria before | they are allowed direct connections. ISPs would need to contact AOL, | provide valid contact into and accept some sort of AUP (I shall not | spam AOL...) and then be allowed to connect from their IPs. AOL could | kick that mail server off later if they determine they are spamming. If you replace AOL with some body or set of bodies, unrelated to (but trusted by) large numbers of networks, then you have what I regard as the only ultimately workable solution to the present situation. The devil is in the details - finding and trusting such bodies: however it may be that they are already amongst us but under a different name! -- Richard Cox %% HELO - the first word of every Email transaction - is in Welsh! %%
Re: GLBX ICMP rate limiting (was RE: Tier-1 without their own backbone?)
On Thu, Aug 28, 2003 at 03:55:26PM +, Christopher L. Morrow wrote: On Thu, 28 Aug 2003, Wayne E. Bouchard wrote: While rate limiting ICMP can be a good thing, it has to be done carefully and probably can't be uniform across the backbone. (think of a common site that gets pinged whenever someone wants to test to see if their connection went down or if it's just loaded.. Limit ICMP into them improperly and lots of folks notice.) Such limiting also has to undergo periodic tuning as traffic levels increase, traffic patterns shift, and so forth. Along these lines, how does this limiting affect akamai or other 'ping for distance' type localization services? I'd think their data would get somewhat skewed, right? Perhaps they'll come up with a more advanced system of monitoring? probably the best way to do that is to track the download speed either with cookies (with subnet info) or by subnet only to determine the best localization. With an imperfect system of tracking localization, you will get imperfect results. - jared -- Jared Mauch | pgp key available via finger from [EMAIL PROTECTED] clue++; | http://puck.nether.net/~jared/ My statements are only mine.
Re: Fun new policy at AOL
On Thu, Aug 28, 2003 at 12:04:09PM -0400, Matthew Crocker wrote: Technically no, There is no reason for a customer to have direct access to the net so long as the ISP can provide appropriate proxies for the services required. It gets complex, it gets hard to manage but it can be done. There is a stigma against proxing because of the early days when stale content was all over the place. Does a dynamically assigned dialup/DSL user even need a valid routable IP? For games? Maybe games should be more NAT friendly. We do remove the filters for customers that have a valid need and show that they have a clue out it all works. There is a perfectly good reason for direct access: We buy IP connectivity. We don't buy {list of specific applications} connectivity. If I create a new network application, how many ISPs are going to sit there and create a new proxy so it will work? Even on the outside chance that I could talk my own ISP into it since I pay them, it's not going to be a very useful app if one of the prerequisites is must be a customer of ISP X. -c
Re: Fun new policy at AOL
On Thu, Aug 28, 2003 at 10:18:45AM -0400, Matthew Crocker wrote: Shouldn't customers that purchase IP services from an ISP use the ISPs mail server as a smart host for outbound mail? We block outbound port For some, sure. Maybe even most. That doesn't mean all. Are you a fairly small, perhaps boutique, provider? Such players have very different rules than ones with more than one kind of customer. 25 connections on our dialup and DSL pool. We ask our customers that have their own mail servers to configure them to forward through our mail servers. We get SPAM/abuse notifications that way and can kick Asking is one thing, forcing is another. Giving the option but leaving the choice entirely up to the customer's discretion is yet another. Giving a default, but allowing customers to request exceptions, with reasonably automated tests to verify they can handle it... well, you get the idea. You get SPAM/abuse notifications without diverting all mail through you. You need to investigate either way (unless you trust unknown third parties more than your own customers), which still doesn't require all mail to pass through your server. the customer off the network. We also block inbound port 25 connections unless they are coming from our mail server and require the customer setup their MX record to forward through our mail server. We virus scan all mail coming and going that way. We protect our customers from the network and our network from our customers. We are currently blocking over 3k Sobigs/hour on our mail servers. I would rather have that than all my bandwidth eaten up by Sobig on all of my dialup/DSL connections. Do you also limit your customers' use of web traffic? Bandwidth, at the end of the day, is still bandwidth. Having it all eaten up is a problem, but not enough justification to take away all choice. Your own border shouldn't be that much greater than the aggregate total of your customers, should it? That'd be bandwidth you pay a lot for and can't use.
Usual model would suggest your downstream customers represent some value more bandwidth from you than your incoming server could get, or perhaps 1:1. What if I have my own virus scanner? What if your mail server is too slow because all those scans chew up a lot more resources than my own traffic on my server will? What size attachments do you allow? What spam filters do you run; do they account for sender IP in the same probability weighting that mine does? Even per-user configuration of filters like Postini represents a reduction in choice that may not fly with all customers, particularly small and home businesses. Finding solutions that account for the broadest number of cases is useful. If you provide a server architecture doc the way I can expect to see line topo docs, then maybe I'll trust you to get it right, or maybe not. Expecting to tell customers, I know how to run an email server better than you, doesn't fly in this age of bonehead ISPs, at least not for a lot of us/them. Perhaps you do the former; if so, please let me know if you provide service in the San Francisco/Sillycon Valley area, as our choices in home/small pipe have declined quite a bit these years. =) SMTP DNS should be run through the servers provided by the ISP for the exact purpose. There is no valid reason for a dialup customer to go direct to root-servers.net and there is no reason why a dialup user should be sending mail directly to AOL, or any mail server for that matter (besides their host ISP) Let's back up. It's entirely possible, even probable, that any ISP I go to will provide good Internet (pipe) and bad Service (protocols), or vice-versa. If they're good pipe, I can setup my own server, and have everything I need. Providing reliable and high-rate connectivity does not mean I trust you, or anyone else, to run an extra man in the middle.
You, of course, are not required to trust your customers, and your policy will self-select out the ones who disagree, but suggesting it's applicable in enough cases to be a general standard misses the point. I can think of a number of businesses (including some who are fairly well known in email software, services, etc) who came up with the use of DSL as a server home. They may not rely on it for their primary bandwidth (which would probably be foolish), but particularly for things like DNS and SMTP, both of which provide for multiple addresses and locations, could sanely choose to maintain secondary servers over a completely isolated alternate pipe. Remember, BGP fails, ISPs fail, T1 cards fail, routers fail, etc. Having that last home DSL connection may just save some companies from going totally unreachable at times. That's worth $79.99/month in many books. -- Ray Wong [EMAIL PROTECTED]
Re: W32/Sobig-F - Halflife correlation ???
Realistically, it doesn't need a hole to communicate. All it needs to do is impersonate a player that doesn't mind dying a lot. It can still communicate with its team-mates using the built-in communications channels in the game and it can still use CS servers as a directory service. These are FEATURES of the game with no vulnerability required. Owen --On Tuesday, August 26, 2003 6:12 AM -0500 Adam 'Starblazer' Romberg [EMAIL PROTECTED] wrote: Regarding the half life exploits, the 'remote root' exploits have been addressed to VALVe and they were fixed in 3.1.1.1d for linux (4.1.1.1d for win32).. which was released July 30th 2003[1]. Now, the bug was reported to VALVe on April 18th 2003, but it didn't hit bugtraq until July 29th, 2003[2]. On the other hand though, a lot of server admins (from what I can grasp from the hlds_linux mailing list) do not run x.1.1.1d for the simple fact that it uses a bit more CPU than x.1.1.0c. There is an unofficial patch for x.1.1.0c that does plug the hole. Unless this worms communicating with an unknown hole or something... Thanks Adam [1] http://www.mail-archive.com/hlds_linux%40list.valvesoftware.com/msg17381.html [2] http://www.securityfocus.com/archive/1/330880/2003-07-26/2003-08-01/0 Adam 'Starblazer' Romberg Appleton: 920-738-9032 System Administrator ExtremePC LLC-=- http://www.extremepcgaming.net On Mon, 25 Aug 2003, Darren Smith wrote: Did anyone else see anything with regards to this thread? Regards Darren Smith - Original Message - From: Darren Smith [EMAIL PROTECTED] To: Robert Blayzor [EMAIL PROTECTED]; North American Network Operators Group [EMAIL PROTECTED] Sent: Saturday, August 23, 2003 1:22 PM Subject: Re: W32/Sobig-F - Halflife correlation ??? Hi Just a quick look at my syslog file, where MOO is the name of my ACL.
fgrep MOO /var/log/cisco/router.log | grep 27015 -c
2383
fgrep MOO /var/log/cisco/router.log | grep 27016 -c
459
fgrep MOO /var/log/cisco/router.log | grep 27017 -c
210
fgrep MOO /var/log/cisco/router.log | grep 27018 -c
59
As you can see most of them were on 27015, these logs were from just one of my transit interfaces. Best Regards Darren Smith - Original Message - From: Robert Blayzor [EMAIL PROTECTED] To: North American Network Operators Group [EMAIL PROTECTED] Sent: Saturday, August 23, 2003 1:05 PM Subject: Re: W32/Sobig-F - Halflife correlation ??? On 8/23/03 7:17 AM, Darren Smith [EMAIL PROTECTED] wrote: They were trying to hit servers in multiple subnets, all on ports 270XX. I'm not sure on this. Lots of gaming servers use the 270XX UDP range. Quake3, HL, etc. It may be possible it's just probing for other HL servers running on different ports. A lot of these games also use the same gaming engine for the network and graphics abilities, so it's possible HL may not be the only game server in the mix, it may be any game that uses the HL engine. I know there are several out there, Counterstrike being one of them. So if it's not looking for a HL only exploit, I'd bet it's trying to get the infected machines to link up and communicate via the network of gaming servers. This could be very bad because there could be virtually no way to stop this other than taking down the Game Spy type networks so the computers can't find each other. -- Robert Blayzor, BOFH INOC, LLC [EMAIL PROTECTED] PGP: http://www.inoc.net/~dev/ Key fingerprint = A445 7D1E 3D4F A4EF 6875 21BB 1BAA 10FE 5748 CFE9 Oh my God, Space Aliens!! Don't eat me, I have a wife and kids! Eat them! -- Homer J. Simpson
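Matt Martini's Netflow dump earlier in this thread and Darren Smith's grep counts above are both doing the same triage by hand: pick out the one-packet, 37-byte UDP flows to the 27015-27018 game ports, count them per destination port, and see which sources keep coming back (with a fresh ephemeral source port every time). The block below is an added example of that triage as a small parser and summariser; it is not code from anyone in the thread. The flow lines it consumes are constructed to match the layout of Matt's dump (date time src.port - dst.port proto packets bytes), with the documentation address 203.0.113.5 standing in for the masked XXX.XXX.XXX.XXX server and a couple of benign flows mixed in; the `is_probe` heuristic and the `min_probes` threshold are the example's own choices.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the layout of the Netflow dump earlier in the thread.
# 203.0.113.5 replaces the masked Halflife server; the two 198.51.100.7 flows
# are benign filler (a real game session and a web hit) to show what is NOT
# flagged.
SAMPLE_FLOWS = """\
2003/08/22 15:09:54 67.73.21.6.50416 - 203.0.113.5.27015 17 1 37
2003/08/22 15:10:00 12.232.104.221.64550 - 203.0.113.5.27015 17 1 37
2003/08/22 15:10:03 61.38.187.59.43445 - 203.0.113.5.27015 17 1 37
2003/08/22 15:10:23 61.38.187.59.64072 - 203.0.113.5.27015 17 1 37
2003/08/22 15:10:31 67.73.21.6.27900 - 203.0.113.5.27015 17 1 37
2003/08/22 15:11:18 61.38.187.59.58060 - 203.0.113.5.27016 17 1 37
2003/08/22 15:12:02 198.51.100.7.1024 - 203.0.113.5.27015 17 40 2200
2003/08/22 15:12:09 198.51.100.7.1025 - 203.0.113.5.80 6 12 1800
2003/08/22 18:13:53 61.38.187.59.16641 - 203.0.113.5.27015 17 1 37
"""

FLOW_RE = re.compile(
    r"^(\d{4}/\d{2}/\d{2}) (\d{2}:\d{2}:\d{2}) "
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+) - (\d+\.\d+\.\d+\.\d+)\.(\d+) (\d+) (\d+) (\d+)$")

GAME_PORTS = range(27015, 27019)   # 27015-27018, the ports counted in the thread
UDP = 17


def parse_flow(line: str) -> dict:
    """Turn one 'date time src.port - dst.port proto pkts bytes' line into a dict."""
    m = FLOW_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised flow line: %r" % line)
    date, clock, src, sport, dst, dport, proto, pkts, nbytes = m.groups()
    return {"ts": datetime.strptime(date + " " + clock, "%Y/%m/%d %H:%M:%S"),
            "src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
            "proto": int(proto), "packets": int(pkts), "bytes": int(nbytes)}


def is_probe(flow: dict) -> bool:
    """Heuristic (this example's own): a single small UDP packet to a game port,
    which is what every flagged row in the thread's dump looks like."""
    return (flow["proto"] == UDP and flow["dport"] in GAME_PORTS
            and flow["packets"] == 1 and flow["bytes"] <= 64)


def summarize(text: str, min_probes: int = 2) -> dict:
    """Count probe flows per destination port and per source, track first/last
    seen and distinct source ports, and list sources at or above min_probes."""
    flows = [parse_flow(l) for l in text.splitlines() if l.strip()]
    per_port = defaultdict(int)
    per_src = defaultdict(lambda: {"probes": 0, "first": None, "last": None,
                                   "sports": set()})
    for f in flows:
        if not is_probe(f):
            continue
        per_port[f["dport"]] += 1
        s = per_src[f["src"]]
        s["probes"] += 1
        s["sports"].add(f["sport"])
        s["first"] = f["ts"] if s["first"] is None else min(s["first"], f["ts"])
        s["last"] = f["ts"] if s["last"] is None else max(s["last"], f["ts"])
    suspects = sorted(src for src, s in per_src.items() if s["probes"] >= min_probes)
    return {"total_flows": len(flows), "probe_flows": sum(per_port.values()),
            "per_port": dict(per_port), "per_src": dict(per_src),
            "suspects": suspects}


if __name__ == "__main__":
    report = summarize(SAMPLE_FLOWS)
    print("probe flows per port:", report["per_port"])
    for src in report["suspects"]:
        s = report["per_src"][src]
        print(src, s["probes"], "probes", s["first"], "to", s["last"],
              len(s["sports"]), "distinct source ports")
```

Run against a real export, the per-source block is where the spoofing question in the thread gets decided: a source that is genuinely sending will show a plausible ephemeral-port sequence and a steady first/last window, while spoofed addresses tend to show no pattern at all. The threshold is deliberately low here because the sample is short; on the 1751-flow dump it would be set much higher.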
Re: Fun new policy at AOL
In article [EMAIL PROTECTED], Matthew Crocker [EMAIL PROTECTED] writes ISPs would need to contact AOL, provide valid contact info and accept some sort of AUP (I shall not spam AOL...) and then be allowed to connect from their IPs. AOL could kick that mail server off later if they determine they are spamming. Next time I'm lobbying about the cost of Spam, I'll have to remember to add in all this activity as well as the end user perspective (and the more traditional we need to buy bigger servers and pipes stuff). -- Roland Perry
Re: GLBX ICMP rate limiting (was RE: Tier-1 without their own backbone?)
At 12:39 PM 8/28/2003, you wrote: Along these lines, how does this limiting affect akamai or other 'ping for distance' type localization services? I'd think their data would get somewhat skewed, right? Perhaps they'll come up with a more advanced system of monitoring? probally the best way to do that is to track the download speed either with cookies (with subnet info) or by subnet only to determine the best localization. With an imperfect system of tracking localization, you will get imperfect results. I'm not sure about other implementations, but our Akamai boxes in our datacenter receive all traffic requests which originate from our address space as predefined with Akamai. I believe they also somehow factor in address space announcements originated via our AS as well since they asked for our AS when we originally started working with them. -Robert Tellurian Networks - The Ultimate Internet Connection http://www.tellurian.com | 888-TELLURIAN | 973-300-9211 Good will, like a good name, is got by many actions, and lost by one. - Francis Jeffrey
Re: Fun new policy at AOL
In article [EMAIL PROTECTED], Matthew Crocker [EMAIL PROTECTED] writes Everything is logged I have some policemen friends who will immediately add you to their Xmas card list! -- Roland Perry
RE: Fun new policy at AOL
Matthew Crocker wrote: Shouldn't customers that purchase IP services from an ISP use the ISPs mail server as a smart host for outbound mail? Trouble is with some ISPs you get more rejections when using their mail servers than when having your own, not to mention theirs eating some email for no reason, having limits in attachment size, you can't have a mailing list that way, etc. Michel.
Re: Fun new policy at AOL
The Demon announcement was interesting to me as a subscriber. Historically Demon allocated static IP addresses to (nearly) all dial up users. For many businesses this was a cheap and effective way to have their own email servers running. For those of us running businesses (from home) in areas without ADSL, it is still convenient, although suddenly looks a lot less good value for money. I understand AOL have asked Demon for a list of all legitimate sources of SMTP traffic. Seems AOL intend to maintain a whitelist of senders, whereas historically I was led to believe they maintained their own blacklist. The policy is flawed, as maintaining a straight list of legitimate senders is a huge task. They have already failed at maintaining accurate blacklists, and accurate lists of dynamic IP address ranges, so I don't see why this one will work better. I can't believe the effort wouldn't be better spent on some easier task (like replacing SMTP! or agreeing reverse DNS entries to indicate legitimate mail senders (or entries to flag dynamic IP addresses - probably easier to implement) which stops virus and spam email (sent without the DNS maintainers knowledge) - obviously should be called an XM record). I understand the issues with dynamic IP addresses, but where an IP address is readily traceable, blacklisting, not whitelisting, seems the obvious answer. End users do have various legitimate reasons for wanting to send SMTP mail from their own static IP addresses. Not least for Demon it has been more reliable, their own servers often being overworked through mailing lists, viruses and spam. Also the SMTP relays often ended up in various blacklists because they were relaying spam from one of the many thousands of subscribers.
Being forced to use the ISP SMTP relay merely means more multistage relays, and big ISP SMTP servers relay spam much more efficiently than their subscribers' boxes on the end of narrow pipes, and worse you can't blacklist the big ISPs' SMTP relays without losing bucket loads of genuine mail. In a similar fashion, as someone who does work with DNS I run my own DNS caching server (sometimes even caching off the ICANN root servers ;-). I'd be somewhat upset if my ISP insisted I send all DNS queries via their caches. The various country code maintainers would probably get less reports, so I guess that is a plus for someone ;-) Not every end user is some naive computer user who needs lots of hand holding.
Re: Fun new policy at AOL
Speaking on Deep Background, the Press Secretary whispered: Trouble is with some ISPs you get more rejections when using their mail servers than when having your own, not to mention theirs eating some email for no reason, having limits in attachment size, you can't have a mailing list that way, etc. And this assumes your upstream does a better job than you do on running mail. -- A host is a host from coast to coast, and no one will talk to a host that's close, unless the host (that isn't close) is busy, hung or dead. [EMAIL PROTECTED] | [v] (301) 56-LINUX | pob 1433, 20915-1433
Re: Fun new policy at AOL
In article [EMAIL PROTECTED] py.sacramento.ca.us, Michel Py [EMAIL PROTECTED] writes eating some email from no reason, having limits in attachment size, you can't have a mailing list that way, etc. Isn't this where we started? One ISP I know decided to limit customers to 200 outgoing recipients a day. Great for stopping spammers, great for stopping anyone running a mailing list, or mailing to big cc: lists [1]. Hey, on a good day, I can even send 200 one-to-one emails. [1] I regularly get emails with 60-80 people listed, bad practice perhaps, but it's all some users seem to be able to implement. -- Roland Perry
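An added example (not from the thread, and not any ISP's actual implementation) of the 200-recipients-per-day cap Roland describes, applied to constructed Postfix-style queue-manager log lines. The log lines, the sender addresses and the `relay` host name are made up for the illustration; the parser keys on the `from=<...>` and `nrcpt=` fields that Postfix's qmgr logs per message. It shows the cap flagging a sender who fires off many small one-to-many messages and, exactly as Roland notes, also flagging a single mailing-list post and a habitual wide cc: list.

```python
"""Per-sender daily recipient cap over constructed mail log lines.

Added example, not part of the NANOG thread. The log format follows
Postfix's qmgr 'queue active' line; the lines themselves are invented.
"""
import re
from collections import defaultdict

DAILY_RECIPIENT_CAP = 200  # the limit described in the thread

# Postfix qmgr logs one 'queue active' line per message with the envelope
# sender and the number of envelope recipients (nrcpt).
QMGR_LINE = re.compile(
    r"^(?P<month>\w{3})\s+(?P<day>\d{1,2}) \S+ \S+ postfix/qmgr\[\d+\]: "
    r"\w+: from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+)"
)

# Constructed sample log: a normal user, a list owner, a wide-cc: habit,
# a hit-and-run sender, and one unrelated delivery line that must be ignored.
LOG = """\
Aug 28 09:01:02 relay postfix/qmgr[1203]: 1A2B3C: from=<bob@example.net>, size=1200, nrcpt=1 (queue active)
Aug 28 09:14:55 relay postfix/qmgr[1203]: 2B3C4D: from=<bob@example.net>, size=3400, nrcpt=1 (queue active)
Aug 28 10:00:00 relay postfix/qmgr[1203]: 3C4D5E: from=<list-owner@example.net>, size=9000, nrcpt=220 (queue active)
Aug 28 10:05:11 relay postfix/qmgr[1203]: 4D5E6F: from=<sales@example.net>, size=15000, nrcpt=70 (queue active)
Aug 28 11:05:11 relay postfix/qmgr[1203]: 5E6F70: from=<sales@example.net>, size=15000, nrcpt=70 (queue active)
Aug 28 12:05:11 relay postfix/qmgr[1203]: 6F7081: from=<sales@example.net>, size=15000, nrcpt=70 (queue active)
Aug 28 13:00:00 relay postfix/smtp[1300]: 6F7081: to=<x@example.org>, relay=mx.example.org[192.0.2.10]:25, status=sent (250 OK)
Aug 28 13:10:00 relay postfix/qmgr[1203]: 7081A2: from=<dialup-77@example.net>, size=800, nrcpt=50 (queue active)
Aug 28 13:10:03 relay postfix/qmgr[1203]: 81A2B3: from=<dialup-77@example.net>, size=800, nrcpt=50 (queue active)
Aug 28 13:10:06 relay postfix/qmgr[1203]: 91B3C4: from=<dialup-77@example.net>, size=800, nrcpt=50 (queue active)
Aug 28 13:10:09 relay postfix/qmgr[1203]: A1C4D5: from=<dialup-77@example.net>, size=800, nrcpt=50 (queue active)
Aug 28 13:10:12 relay postfix/qmgr[1203]: B1D5E6: from=<dialup-77@example.net>, size=800, nrcpt=50 (queue active)
Aug 29 08:00:00 relay postfix/qmgr[1203]: C1E6F7: from=<bob@example.net>, size=1200, nrcpt=1 (queue active)
"""


def daily_recipients(log_lines):
    """Sum envelope recipients per (day, sender). Returns {(day, sender): total}."""
    totals = defaultdict(int)
    for line in log_lines:
        m = QMGR_LINE.match(line)
        if not m:
            continue  # delivery, bounce and other non-qmgr lines carry no nrcpt
        day = f"{m['month']} {int(m['day']):02d}"
        totals[(day, m["sender"])] += int(m["nrcpt"])
    return dict(totals)


def over_cap(totals, cap=DAILY_RECIPIENT_CAP):
    """(day, sender, total) for every sender whose daily total exceeds the cap."""
    return sorted((day, sender, n) for (day, sender), n in totals.items() if n > cap)


if __name__ == "__main__":
    # The list owner and the wide-cc: sender are flagged alongside the
    # hit-and-run sender: the cap cannot tell them apart.
    for day, sender, n in over_cap(daily_recipients(LOG.splitlines())):
        print(f"{day} {sender}: {n} recipients (> {DAILY_RECIPIENT_CAP})")
```

Run it as a script to print the flagged senders; `daily_recipients` returns the per-(day, sender) totals so the same logic can be pointed at a real log.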
Re: Fun new policy at AOL
Matthew Crocker [EMAIL PROTECTED] wrote: Technically no, There is no reason for a customer to have direct access to the net so long as the ISP can provide appropriate proxies for the services required. Good idea. I'll start working on the SSH proxy tomorrow. -Matt --Johnny
RE: Fun new policy at AOL
I think the inherent mantra and wise philosophy that gets tossed out the window by AOL in this policy change is be strict in what you send, and liberal in what you accept. I'll gladly publish my dialup loozer list in a voluntary RBL so that other sites won't be forced to accept mail from hit and run spammers, but broadband connected users should have the right to run their own SMTP, and I don't trust AOL to be able to determine one from the other. Plus, it would be much better to fix SMTP once and for all than to create an e-mail schema that would allow Ashcroft and his gang of wrinkly re-hashed reaganite hawks any access to data that they could use to further violate individual citizens' privacy. Jay Stewart You can't enslave a free man, the most you can do is kill him. - Robert Anson Heinlein -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Lesher Sent: Thursday, August 28, 2003 10:22 AM To: nanog list Subject: Re: Fun new policy at AOL Speaking on Deep Background, the Press Secretary whispered: Trouble is with some ISPs you get more rejections when using their mail servers than when having your own, not to mention theirs eating some email for no reason, having limits in attachment size, you can't have a mailing list that way, etc.
Re: GLBX ICMP rate limiting (was RE: Tier-1 without their own backbone?)
Along these lines, how does this limiting affect akamai or other 'ping for distance' type localization services? I'd think their data would get somewhat skewed, right? using icmp to predict tcp performance has always been a silly idea; it doesn't take any icmp rate limit policy changes to make it silly. other silly ways to try to predict tcp performance include aspath length comparisons, stupid dns tricks, or geographic distance comparisons. the only reliable way to know what tcp will do is execute it. not just the syn/synack as in some blast protocols i know of, but the whole session. and the predictive value of the information you'll gain from this decays rather quickly unless you have a lot of it for trending/aggregation. gee, ping was faster to A but tcp was faster to B, do you s'pose there could be a satellite link, or a 9600 baud modem, in the system somewhere? -- Paul Vixie
Re: Fun new policy at AOL
On Thu, 28 Aug 2003, Matthew Crocker wrote: Shouldn't customers that purchase IP services from an ISP use the ISPs mail server as a smart host for outbound mail? Shouldn't. There are privacy implications of having mail recorded (even temporarily) on someone's disk drive. --vadim
Re: Fw: GLBX ICMP rate limiting (was RE: Tier-1 without their ownbackbone?)
On Thu, 28 Aug 2003, Christopher L. Morrow wrote: Rate-limiting ICMP is 'ok' if you, as the provider, think its worthwhile and you, as the provider, want to deal with the headache phone calls... Would it be fair to say that UUNET haven't been asked by Homeland Security to do the rate limiting that GLBX claim they have been asked to do? Has anyone else been asked to rate limit by the U.S. Department of Homeland Security? I have a different question, mostly directed to the likes of ATT and GlobalCrossing that came out with this fabulous explanation - (1) Did you get an order from DHS to do that or were you just asked? (2) How did DHS manage to not know about such an order? (3) Are you going to bend over and do everything DHS politely asks you to do? Thanks, Alex
Re: Fw: GLBX ICMP rate limiting (was RE: Tier-1 without their ownbackbone?)
anyone else been asked to rate limit by the U.S. Department of Homeland Security? Just about everyone with a large enough US office was asked by DHS, in a public statement... Isn't there a difference between we have been asked and we have been ordered to? Alex
Re: XO as a provider
Really good performance from where we sit in Salt Lake. On Wed, 20 Aug 2003, Bil Herd wrote: Anyone have positive or negative experiences with XO as a 'tier1' provider? We are re-evaluating our backbone connections and looking for new where appropriate. Bil Herd - INS
Re: Fw: GLBX ICMP rate limiting (was RE: Tier-1 without their own backbone?)
As attacks evolve and transform are we really to believe that rate limiting icmp will have some value in the attacks of tomorrow? no. nor those of today. the only way we're going to flatten the increase of attack volume, or even turn it into a decrease, is with various forms of admission control which are considered the greater evil by a lot of the half baked civil libertarians who inhabit the internet at layer 9. for example, edge urpf. for example, full realtime multinoc issue tracking. for example, route filtering based on rir allocations. for example, peering agreements that require active intermediation when downstreams misbehave. you can have peace. or you can have freedom. don't ever count on having both at once. -LL (RAH) -- Paul Vixie
Re: Fw: GLBX ICMP rate limiting (was RE: Tier-1 without their ownbackbone?)
On Thu, 28 Aug 2003 [EMAIL PROTECTED] wrote: anyone else been asked to rate limit by the U.S. Department of Homeland Security? Just about everyone with a large enough US office was asked by DHS, in a public statement... Isn't there a difference between we have been asked and we have been ordered to? I suppose there is, but DHS's request (order/asking whatever) was NOT in the form of a court order... it's: http://www.dhs.gov/dhspublic/verify_redirect.jsp?url=http%3A%2F%2Fwww.dhs.gov%2Fdhspublic%2Finterweb%2Fassetlibrary%2FAdvisory_Attack_MS.PDFtitle=Advisory+-+Potential+Internet+Attack+Targeting+Microsoft+Beginning+August+16%2C+2003+-+August+14%2C+2003 (ouch, how about: http://tinyurl.com/li0i ) and/or http://tinyurl.com/li0s Neither is really an 'order' so much as a 'suggestion'.. either way, it's kind of inappropriate to make this suggestion without knowing how each operator can or could apply a fix... that is my opinion at least.
Re: Fun new policy at AOL
Shouldn't customers that purchase IP services from an ISP use the ISPs mail server as a smart host for outbound mail? Shouldn't. There are privacy implications of having mail recorded (even temporarily) on someone's disk drive. If your ISP violates your privacy or has a privacy policy you don't like, find another one. If your ISP doesn't allow your domain through, attachments of a certain size or quantity of RCPT TOs, find another one. If the ISP is too restrictive and you can't do what you want, find another one. If the ISP isn't restrictive and your IP gets black holed because of another customer, find another one. The market will decide what is acceptable. I filter a chunk of stuff for my users. It is a service to help protect them as well as me. If they ask for it and appear to have a clue I will remove filters for customers. I'll never force them to do it 'my way or the highway', but by default customers are filtered. 99% of them are happy that I am doing it and think it is a good thing. 1% call and I remove the filters. Simple RADIUS update and they are back to full, unfiltered Internet. I do this on all my dialup, DSL, dedicated circuits. Everything is built from either LDAP or RADIUS (which comes from LDAP anyway) information about the customer. Pull down menu to select/deselect a filter and reconnect. It isn't all that hard and for 99% of my customers I am saving myself a ton of work in the long run. I'm not huge by any stretch of the imagination but I'm pretty good sized for my area. I think my current network design/management could easily scale to hundreds of thousands and/or millions of customers. I'm in the tens of thousands now. -Matt
Re: Fun new policy at AOL
Play with DNS MX records like QMTP does. Something like crocker.com. MX 65000 trusted-mx.crocker.com. MX 66000 untrusted-mx.crocker.com. there are at least two problems with this approach. one is that an mx priority is a 16 bit unsigned integer, not like your example. another is that spammers do not follow the MX protocol, they deliberately dump on higher cost relays in order to make the victim's own inbounds carry more of the total workload of delivery. (additionally, many hosts do more spam filtering on their lower cost MX's than on their higher cost (backup?) MX's, and the spammers know this, and take advantage of it.) -- Paul Vixie
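An added example (not from the thread) that makes Vixie's two objections concrete. It parses MX lines in the form the poster sketched, rejects a preference that does not fit the 16-bit field (RFC 1035 defines PREFERENCE as a 16-bit unsigned integer, so 65000 is legal and 66000 is not), and then simulates who receives the mail when a sender follows RFC 5321's lowest-preference-first rule versus when it aims straight at the highest-cost relay. The host names and the in-range substitute zone are constructed for the illustration, and the simulation assumes every first delivery attempt succeeds.

```python
"""MX preference range check and primary-vs-backup load simulation.

Added example, not part of the NANOG thread. Zone lines follow the
'owner MX preference exchange' shape the poster used; values are invented.
"""
from __future__ import annotations

import random
import re
from collections import Counter
from dataclasses import dataclass

MX_LINE = re.compile(r"^(\S+)\s+MX\s+(\d+)\s+(\S+)$")
MAX_PREFERENCE = 0xFFFF  # RFC 1035 section 3.3.9: PREFERENCE is a 16-bit unsigned integer


@dataclass(frozen=True)
class MX:
    preference: int
    exchange: str


def parse_mx(zone_text: str) -> list[MX]:
    """Parse MX lines; reject a preference that cannot be encoded on the wire."""
    records = []
    for raw in zone_text.strip().splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MX_LINE.match(line)
        if not m:
            raise ValueError(f"not an MX record: {line!r}")
        pref = int(m.group(2))
        if pref > MAX_PREFERENCE:
            raise ValueError(f"preference {pref} exceeds 16 bits: {line!r}")
        records.append(MX(pref, m.group(3)))
    return records


def mx_errors(zone_text: str) -> list[str]:
    """Non-raising wrapper: the problems found (empty if the zone is clean)."""
    try:
        parse_mx(zone_text)
    except ValueError as exc:
        return [str(exc)]
    return []


def compliant_order(records: list[MX], seed: int = 0) -> list[str]:
    """RFC 5321 section 5.1: lowest preference first, equal preferences in random order."""
    rng = random.Random(seed)
    by_pref: dict[int, list[str]] = {}
    for r in records:
        by_pref.setdefault(r.preference, []).append(r.exchange)
    ordered = []
    for pref in sorted(by_pref):
        hosts = by_pref[pref][:]
        rng.shuffle(hosts)
        ordered.extend(hosts)
    return ordered


def spammer_order(records: list[MX]) -> list[str]:
    """The behaviour Vixie describes: deliver to the highest-cost relay directly."""
    return [r.exchange for r in sorted(records, key=lambda r: r.preference, reverse=True)]


def simulate(records: list[MX], legit: int, spam: int) -> dict[str, Counter]:
    """Count first-attempt deliveries per exchange, assuming each first attempt succeeds."""
    load = {r.exchange: Counter() for r in records}
    load[compliant_order(records)[0]]["legit"] += legit
    load[spammer_order(records)[0]]["spam"] += spam
    return load


# The poster's example as written: the second preference is out of range.
POSTED_ZONE = """
crocker.com. MX 65000 trusted-mx.crocker.com.
crocker.com. MX 66000 untrusted-mx.crocker.com.
"""

# Constructed in-range equivalent for the simulation.
FIXED_ZONE = """
crocker.com. MX 10 trusted-mx.crocker.com.
crocker.com. MX 20 untrusted-mx.crocker.com.
"""

if __name__ == "__main__":
    print(mx_errors(POSTED_ZONE))
    for host, counts in simulate(parse_mx(FIXED_ZONE), legit=100, spam=1000).items():
        print(host, dict(counts))
```

With the preferences brought into range the compliant order still reaches trusted-mx first while the spammer goes straight to untrusted-mx, which is the point of Vixie's second objection: the "untrusted" backup is the one that ends up carrying the spam, so it needs at least the filtering of the primary, not less.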
Re: Fun new policy at AOL
I have RCN cable internet in Chicago and they recently implemented blocking port 25 access outbound. They say that we should just use their mail servers instead. I connect with my laptop from 3 or 4 locations to drop off mail to my servers. I cannot use their mail servers from other locations other than when I am connected to them. I have about 2 dozen e-mail accounts defined in outlook express and would have to change the outbound mail server setting for EACH one every time I move off the RCN connection to one of the other locations from which I work and then back again when I get back to RCN. More than a few people have this problem. I'm lucky because I run the mail server myself and can configure it to listen on an alternative port as well as 25 (authentication is required to relay, though). Again, any provider that wants to start blocking ports should do so only very carefully and should make exceptions for users who need them AT NO ADDITIONAL COST TO THE USER because there will be competitors that will treat the customer better. - Original Message - From: Michel Py [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, August 28, 2003 12:11 Subject: RE: Fun new policy at AOL Matthew Crocker wrote: Shouldn't customers that purchase IP services from an ISP use the ISPs mail server as a smart host for outbound mail? Trouble is with some ISPs you get more rejections when using their mail servers than when having your own, not to mention theirs eating some email for no reason, having limits in attachment size, you can't have a mailing list that way, etc. Michel.
Re: Fun new policy at AOL
I think the inherent mantra and wise philosophy that gets tossed out the window by AOL in this policy change is be strict in what you send, and liberal in what you accept. that policy was wiser when everyone who could get an internet connection saw the merits of it. in an assymetric warfare situation where the good guys follow the above policy and the bad guys do not, it's a slaughter. -- Paul Vixie
Re: Fw: GLBX ICMP rate limiting (was RE: Tier-1 without their ownbackbone?)
http://tinyurl.com/li0s Neither is really an 'order' so much as a 'suggestion'.. either way, it's kind of inappropriate to make this suggestion without knowing how each operator can or could apply a fix... that is my opinion at least. The thing is - DHS told us so is the new favourite excuse for operators to refuse to fix anything that is/or could be broken. Over the last two weeks I have heard the We have implemented the DHS order as the excuse from - Transport company whose gige transport went from 5ms to 700ms rtt. - Enterprise IP provider who filtered everything but ICMP/TCP/UDP while offering multicast services. - Two different IP backbones as the explanation of ICMP echo-requests being dropped (the issue was that in reality they were selling multiple 100Mbit/sec connections from a 155 link). Of course, the moment one hears the DHS told us line, nothing else can be done. Alex