Postini contact in the house ??
Hi list, it seems there is no technical email contact listed for Postini on their website. A client is having an issue with Postini; if there is someone with clue from Postini on the list, please contact me off list: john at chagres d0t net. Thanks.
Re: New mail blocks result of Ralsky's latest attacks?
At 09:07 AM 10/10/2003, Steven M. Bellovin wrote:

> Out of curiosity, has anyone tried turning this over to law enforcement? It's another form of hacking, but the money trail back through the spammers might provide enough evidence for prosecution.

From my read, it sounds sufficient in its own right. This month's Communications of the ACM has an interesting article on addressing it as trespass on chattel - attacking someone's property in a manner that reduces their ability to use it, or uses it without their permission for purposes they don't agree with. Breaking into a server and using it for a purpose its owner doesn't authorize sounds a lot like trespass against chattel to me. It might be interesting for him to wake up in the morning with 50 lawsuits at his door seeking damages in the quantity of money spent horsing around with him.
Re: Abuse Departments
On Sat, Oct 11, 2003 at 08:22:25PM -0500, Andrew D Kirch wrote:

> [snip]

Maybe you should avoid pissing the kiddies off on IRC, or get something other than Ameritech DSL if you want your upstream to give a damn.

-- 
Matthew S. Hallacy                            FUBAR, LART, BOFH Certified
http://www.poptix.net                           GPG public key 0x01938203
Re: Abuse Departments
[snip]

Matthew S. Hallacy wrote:

> Maybe you should avoid pissing the kiddies off on IRC, or get something other than Ameritech DSL if you want your upstream to give a damn.

I think he does make a fair observation about the state of many abuse departments today. How many posts do we see on here requesting someone with a clue in abuse from some domain in the average month?
Re: Abuse Departments
On Sun, Oct 12, 2003 at 01:54:28AM -0500, Matt wrote:

> I think he does make a fair observation about the state of many abuse departments today. How many posts do we see on here requesting someone with a clue in abuse from some domain in the average month?

And how many of them are taken care of by pointing them to Jared's NOC list? I recently had an issue with an open proxy/relay within berkeley.edu's resnet; I shot off an email at around 2:30am CST, got a reply within 20 minutes, and the box was off the net within an hour. Most places will take care of abuse issues if they get to the right person, but some places simply won't wake up their network admin at 11:00 on a Saturday night because some script kiddie's DSL is getting attacked by another script kiddie on IRC.

-- 
Matthew S. Hallacy                            FUBAR, LART, BOFH Certified
http://www.poptix.net                           GPG public key 0x01938203
Re: Block all servers?
Terry Baranski wrote:

> That being said, NAT does break stuff and, as has been mentioned, filtering is certainly possible without having to bring NAT into the mix.

Microsoft assures us that the Windows firewall will be enabled by default starting with WinXP patches early next year. How easy will it be to turn it off? Will a virus be able to do it for you? I would expect most new sophisticated trojans to include this functionality. Most home users run their WinXP with Local Administrator rights anyway because otherwise many activities would be more complicated to accomplish. Many turn off AV products already.

I would also expect the sophisticated trojans to include NAT-PT-like functionality when it becomes necessary to accumulate the needed number of zombies for effective DDoS and other disruptive activities. We already see them utilizing the local SMTP configuration on the machine to use the relays the user is supposed to.

The Road Ahead is to make DDoS and abuse mitigation more efficient and put some real security into the application architectures without making them unusable.

Pete
Re: Abuse Departments
On Sun, Oct 12, 2003 at 02:18:45AM -0500, Matthew S. Hallacy wrote:

> Most places will take care of abuse issues if they get to the right person, but some places simply won't wake up their network admin at 11:00 on a Saturday night because some script kiddie's DSL is getting attacked by another script kiddie on IRC.

You've had good experiences with abuse departments. I'm glad for you. The rest of us have not. Yes, some places ARE helpful when you call with a genuine problem. Most places are not. And honestly, regardless of the reason, shouldn't abuse departments be responsive to this type of thing? DoS attacks often affect more than the end target; they often cause people on the immediately surrounding network many problems also.
Re: BellSouth prefix deaggregation (was: as6198 aggregation event)
> Can anyone from BellSouth comment? What if a few other major ISPs were to add a thousand or so deaggregated routes in a few weeks time? Would there be a greater impact?

one word - irresponsible

Steve

> (Note: The above numbers are based on data from cidr-report.org. Some other looking glasses were also checked to see if cidr-report.org's view of these AS's is consistent with the Internet as a whole. This appears to be the case, but corrections are welcome.)
>
> -Terry
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Terry Baranski
> Sent: Sunday, October 05, 2003 3:01 PM
> To: 'James Cowie'; [EMAIL PROTECTED]
> Subject: RE: as6198 aggregation event
>
> James Cowie wrote:
>
> > On Friday, we noted with some interest the appearance of more than six hundred deaggregated /24s into the global routing tables. More unusually, they're still in there this morning. AS6198 (BellSouth Miami) seems to have been patiently injecting them over the course of several hours, between about 04:00 GMT and 08:00 GMT on Friday morning (3 Oct 2003).
>
> If you look at the 09/19 and 09/26 CIDR Reports, BellSouth Atlanta (AS6197) did something similar during this time period -- they added about 350 deaggregated prefixes, most if not all /24's.
>
> > Usually when we see deaggregations, they hit quickly and they disappear quickly; nice sharp vertical jumps in the table size. This event lasted for hours and, more importantly, the prefixes haven't come back out again, an unusual pattern for a single-origin change that effectively expanded global tables by half a percent.
>
> That AS6197's additions are still present isn't encouraging.
>
> -Terry
.name TLD - resolution issues
Hi there

We operate webmail services for the .name TLD (MX and DNS resolution are handled by the nic.name people).

After the recent Verisign brouhaha, several of y'all patched your nameservers to stop believing Verisign (so did we). Just that quite a few of you also seem to have set up your resolvers to do the same thing with other wildcarded TLDs.

.name is a wildcarded TLD and does have legit domains on it. Right now we are seeing a lot of problems with .name domains being treated as unresolvable thanks to this, and mail from .name users is not getting through as mailservers are configured not to accept mail from unresolvable domains.

I know, .name domains don't have zones or NS records attached to them - but yes, this is a legit wildcard (kind of like .museum, but this one is for vanity domains). I'd request DNS admins here to not treat .name as delegation-only.

thanks
--srs

-- 
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations
Re: Abuse Departments
- Original Message -
From: Matthew S. Hallacy [EMAIL PROTECTED]
To: Matt [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Sunday, October 12, 2003 3:18 AM
Subject: Re: Abuse Departments

> Most places will take care of abuse issues if they get to the right person, but some places simply won't wake up their network admin at 11:00 on a Saturday night because some script kiddie's DSL is getting attacked by another script kiddie on IRC.

Watch yourself poptix - you don't have such a squeaky clean past either.

Point is this. If your network/servers are being used in an attack against someone else, you can be held responsible if you do not act in a timely manner. This script kiddie's DSL is actually a shared setup with several servers on the end of it and a firewall. What happens to it also affects me and my customers. When my customers go down, I get complaints.

Now, if your network was attacking mine from a compromised box, and you failed to act in a timely fashion, regardless of whether it's a DSL or a T1 or a dialup for that matter, I'd either sue you myself for allowing the attack to continue, or give my customers your info and let THEM sue you for it.
Re: BellSouth prefix deaggregation (was: as6198 aggregation event)
On Sun, Oct 12, 2003 at 01:02:57PM +, Stephen J. Wilcox wrote:

> > Can anyone from BellSouth comment? What if a few other major ISPs were to add a thousand or so deaggregated routes in a few weeks time? Would there be a greater impact?
>
> one word - irresponsible

This clearly stands out to me as a reason to keep and use prefix filtering on peers to reduce the amount of junk in the routing tables. If BellSouth needs to leak more specifics for load balancing purposes, fine, just make sure those routes don't leave your upstreams' networks and waste router memory for the rest of us that don't need to see it.

- Jared

-- 
Jared Mauch | pgp key available via finger from [EMAIL PROTECTED]
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
Re: Abuse Departments
Would you perhaps have more underlying problems if a script kiddie on a dialup can attack you in such a way to impact your service?

Bryan

- Original Message -
From: Brian Bruns [EMAIL PROTECTED]
To: Matthew S. Hallacy [EMAIL PROTECTED]; Matt [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Sunday, October 12, 2003 10:20 AM
Subject: Re: Abuse Departments

> Point is this. If your network/servers are being used in an attack against someone else, you can be held responsible if you do not act in a timely manner. This script kiddie's DSL is actually a shared setup with several servers on the end of it and a firewall. What happens to it also affects me and my customers. When my customers go down, I get complaints.
Re: Abuse Departments
Only if that script kiddie doesn't have a couple hundred DDoS drones, and most have quite a few more than that. The problem with these zombie networks is that they could be controlled from a 14.4 dialup and still knock out anything but the biggest infrastructure links on the internet. Active cooperation is needed from abuse departments for the victims of these attacks so that the compromised hosts are shut off quickly.

On Sun, 12 Oct 2003 10:33:18 -0500 Bryan Heitman [EMAIL PROTECTED] wrote:

> Would you perhaps have more underlying problems if a script kiddie on a dialup can attack you in such a way to impact your service?
>
> Bryan

-- 
Andrew D Kirch | [EMAIL PROTECTED] | Security Admin | Summit Open Source Development Group | www.sosdg.org
Re: Abuse Departments
- Original Message -
From: Bryan Heitman [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, October 12, 2003 11:33 AM
Subject: Re: Abuse Departments

> Would you perhaps have more underlying problems if a script kiddie on a dialup can attack you in such a way to impact your service?

Sorry, I meant a DSL, T1, dialup, whatever as the one being attacked. I just woke up, so cut me some slack here.
Re: Abuse Departments
On Sun, Oct 12, 2003 at 10:33:18AM -0500, Bryan Heitman wrote:

> Would you perhaps have more underlying problems if a script kiddie on a dialup can attack you in such a way to impact your service?

Bryan, I don't mean to be rude, but it sounds like you don't understand the way the script kiddies operate. A dialup is more than sufficient. Generally the attacker will have a number of compromised servers/home PCs/workstations, etc., at their disposal. Each has been infected with a particular type of trojan horse, which allows the abuser to control the compromised machine. The abuser can then instruct these tens, or hundreds, or thousands, or now tens to hundreds of thousands of machines, to perform an attack against a target. Thus, the executor sits back on their dialup, while networks around the world fight with each other to stay alive - the attackers for running out of upstream bandwidth, and the victims for running out of downstream.
AOL mail server problems?
Hello everyone,

I've noticed some weird things going on with AOL's smtp servers today -

2003-10-12 12:37:48 1A8k8X-0002OC-0c Remote host mailin-04.mx.aol.com [64.12.138.89] closed connection in response to initial connection
2003-10-12 12:37:55 1A8k8X-0002OC-0c Remote host mailin-04.mx.aol.com [64.12.136.153] closed connection in response to initial connection
2003-10-12 12:38:35 1A8k8X-0002OC-0c Remote host mailin-04.mx.aol.com [152.163.224.122] closed connection in response to initial connection

Have about 40 of these in my mail logs going to different AOL smtp servers. Trying to connect by hand using telnet results in the mail servers closing the connection right away without giving a reason. I did, however, out of about 20 tests, get through once and actually got the server's welcome message.

Any ideas?

-- 
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.sosdg.org
ICQ: 8077511
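Triage logic for the situation above, written as an added example and not part of the original post: it parses Exim main-log entries like the ones quoted, groups them by message id, and separates a silent drop at connect (what an IP-level block looks like) from an explicit 5xx reject, a 4xx deferral and an eventual delivery to another MX. The first three sample lines are the quoted ones; the remaining lines, hostnames and documentation addresses are constructed.

```python
"""Triage Exim main-log entries for a remote site that keeps dropping our SMTP connections."""
import re
from collections import Counter, defaultdict

# Constructed sample log. The first three lines are the entries quoted in the post;
# the rest are made up here (documentation IPs, invented hosts) to exercise the
# other outcomes Exim records: a 5xx rejection, a 4xx deferral and a delivery.
SAMPLE_LOG = """\
2003-10-12 12:37:48 1A8k8X-0002OC-0c Remote host mailin-04.mx.aol.com [64.12.138.89] closed connection in response to initial connection
2003-10-12 12:37:55 1A8k8X-0002OC-0c Remote host mailin-04.mx.aol.com [64.12.136.153] closed connection in response to initial connection
2003-10-12 12:38:35 1A8k8X-0002OC-0c Remote host mailin-04.mx.aol.com [152.163.224.122] closed connection in response to initial connection
2003-10-12 12:39:02 1A8k8X-0002OC-0c SMTP error from remote mail server after initial connection: host mx-a.example.com [203.0.113.1]: 550 constructed reject
2003-10-12 12:41:10 1A8k8X-0002OC-0c => user@example.com R=dnslookup T=remote_smtp H=mx-b.example.com [203.0.113.2]
2003-10-12 12:45:00 1A8kYY-0002OD-0a Remote host mx.example.org [192.0.2.10] closed connection in response to initial connection
2003-10-12 12:46:30 1A8kZZ-0002OE-0b SMTP error from remote mail server after RCPT TO:<user@example.net>: host mx.example.net [192.0.2.20]: 451 constructed deferral
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<msgid>\S+) (?P<rest>.*)$")
CLOSED_RE = re.compile(r"Remote host (?P<host>\S+) \[(?P<ip>[^\]]+)\] closed connection in response to initial connection")
SMTPERR_RE = re.compile(r"\bhost (?P<host>\S+) \[(?P<ip>[^\]]+)\]: (?P<code>[245]\d\d)")
DELIV_RE = re.compile(r"^=> \S+ .*\bH=(?P<host>\S+) \[(?P<ip>[^\]]+)\]")


def parse_events(log_text):
    """Group the recognised outcomes of each queued message by Exim message id, in log order."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msgid, rest = m.group("msgid"), m.group("rest")
        closed = CLOSED_RE.search(rest)
        delivered = DELIV_RE.match(rest)
        smtp_err = SMTPERR_RE.search(rest)
        if closed:
            events[msgid].append({"kind": "closed", "host": closed["host"], "ip": closed["ip"]})
        elif delivered:
            events[msgid].append({"kind": "delivered", "host": delivered["host"], "ip": delivered["ip"]})
        elif smtp_err:
            events[msgid].append({"kind": "smtp_error", "host": smtp_err["host"],
                                  "ip": smtp_err["ip"], "code": smtp_err["code"]})
    return events


def classify(evts):
    """Name the outcome a queue entry ended in, from the sequence of its events."""
    kinds = [e["kind"] for e in evts]
    if "delivered" in kinds:
        return "delivered_after_refusals" if len(kinds) > 1 else "delivered"
    codes = [e["code"] for e in evts if e["kind"] == "smtp_error"]
    if any(c.startswith("5") for c in codes):
        return "rejected_5xx"          # explicit policy reject: the remote told us why
    if codes:
        return "deferred_4xx"          # temporary failure: a retry, not a block
    if kinds and all(k == "closed" for k in kinds):
        return "connect_closed_all"    # silent drop at connect: what an IP-level block looks like
    return "unknown"


def triage(log_text):
    """Per message id: which MX addresses dropped us, where it finally went, and a verdict."""
    report = {}
    for msgid, evts in parse_events(log_text).items():
        delivered = [e for e in evts if e["kind"] == "delivered"]
        report[msgid] = {
            "closed_ips": [e["ip"] for e in evts if e["kind"] == "closed"],
            "delivered_via": (delivered[0]["host"], delivered[0]["ip"]) if delivered else None,
            "verdict": classify(evts),
        }
    return report


def refusals_by_ip(events):
    """How often each remote address closed on us: shows whether one MX or all of them block."""
    return Counter(e["ip"] for evts in events.values() for e in evts if e["kind"] == "closed")


if __name__ == "__main__":
    for msgid, info in triage(SAMPLE_LOG).items():
        print(msgid, info["verdict"], info["closed_ips"], info["delivered_via"])
    print(refusals_by_ip(parse_events(SAMPLE_LOG)))
```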
Re: AOL mail server problems?
On Sun, 12 Oct 2003, Brian Bruns wrote:

> I've noticed some weird things going on with AOL's smtp servers today -
>
> 2003-10-12 12:37:48 1A8k8X-0002OC-0c Remote host mailin-04.mx.aol.com [64.12.138.89] closed connection in response to initial connection
> 2003-10-12 12:37:55 1A8k8X-0002OC-0c Remote host mailin-04.mx.aol.com [64.12.136.153] closed connection in response to initial connection
> 2003-10-12 12:38:35 1A8k8X-0002OC-0c Remote host mailin-04.mx.aol.com [152.163.224.122] closed connection in response to initial connection

They're probably blocking you. Have you gotten many scomp complaints recently?...perhaps a big backlog of them that you/your abuse people haven't dealt with? Last time I dealt with AOL blocking us, that was the cause, and the result was mixed. Sometimes we'd get the connection closed as above, sometimes a 550 message telling us we were blocked.

-- 
 Jon Lewis [EMAIL PROTECTED]  | I route
 Senior Network Engineer     | therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key _________
Re: AOL mail server problems?
- Original Message -
From: [EMAIL PROTECTED]
To: Brian Bruns [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Sunday, October 12, 2003 2:16 PM
Subject: Re: AOL mail server problems?

> They're probably blocking you. Have you gotten many scomp complaints recently?...perhaps a big backlog of them that you/your abuse people haven't dealt with? Last time I dealt with AOL blocking us, that was the cause, and the result was mixed. Sometimes we'd get the connection closed as above, sometimes a 550 message telling us we were blocked.

Well, just to be absolutely sure, I checked the forwardings for abuse@, postmaster@, and a few others, all of which go to [EMAIL PROTECTED] I haven't seen any mail from AOL support/abuse/tech/whatever to us (nor has any of the other admins). We are a very small and close-knit group with very few actual users - stuff like spam, viruses, and mailbombs gets noticed really quickly (we all have pagers/cell phones which get a message whenever the system detects something unusual going on).

What I was discussing with someone offlist was that AOL has apparently been threatening to disallow connections from dynamic IPs for a while now, and they apparently are starting to follow through with it. Although my IP looks like a dynamic IP, it's a static IP out of a /29 block (do a whois on 68.78.10.168 and you'll see it belongs to Nathan Drook, one of the people here).

This is one of those reasons why I hate DUL lists with a passion. It's not foolproof, and a lot of smaller sites get nailed in this mess. Of course, AOL offers up no way of correcting these listings on their site, the postmaster site of theirs, or via the mail daemon itself.

What's very interesting is that the mail finally does go through after rotating a few dozen times between different MX hosts. What's even more interesting is that when the mail did go through, it went through to an IP which blocked it several times before. I have no idea if it's just because not all of their servers are properly updated yet or not. Who knows. *shrug*

-- 
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.sosdg.org
ICQ: 8077511
Re: AOL mail server problems?
[EMAIL PROTECTED] writes on 10/12/2003 11:46 PM:

> On Sun, 12 Oct 2003, Brian Bruns wrote:
>
> > I've noticed some weird things going on with AOL's smtp servers today -
> >
> > 2003-10-12 12:37:48 1A8k8X-0002OC-0c Remote host mailin-04.mx.aol.com [64.12.138.89] closed connection in response to initial connection
>
> They're probably blocking you. Have you gotten many scomp complaints recently?...perhaps a big backlog of them that you/your abuse people

Someone in another thread did say that you were on a DSL line. AOL has a published policy of blocking mail from residential broadband IPs. That, combined with the fact that it is quite often rather tough to tell where an ISP's dynamic / residential pool ends and where its static IP DSL pool begins, might well make AOL cast their net a bit wider than they intend.

Call the number they give at http://postmaster.info.aol.com and ask them.

-- 
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations
Re: AOL mail server problems?
Brian Bruns writes on 10/12/2003 11:58 PM:

> This is one of those reasons why I hate DUL lists with a passion. It's not foolproof, and a lot of smaller sites get nailed in this mess.

When it comes to a choice between letting in the ~1% of small businesses and linux geeks on dialup + dynamic DNS, and letting in all the direct-to-MX spam and virus mail that is ~99% of the traffic from dynamic IP space, I'll surely take the choice of blocking dynamic IPs, thank you very much.

srs

-- 
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations
Re: AOL mail server problems?
- Original Message -
From: Suresh Ramasubramanian [EMAIL PROTECTED]
To: Brian Bruns [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Sunday, October 12, 2003 2:39 PM
Subject: Re: AOL mail server problems?

> When it comes to a choice between letting in the ~1% of small businesses and linux geeks on dialup + dynamic DNS, and letting in all the direct-to-MX spam and virus mail that is ~99% of the traffic from dynamic IP space, I'll surely take the choice of blocking dynamic IPs, thank you very much.

Just checked their DUL lookup. My range is not on their list. I guess I'll call them a little later and ask what's up.

-- 
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.sosdg.org
ICQ: 8077511
Re: BellSouth prefix deaggregation (was: as6198 aggregation event)
IMHO, I think we should create a route-set object, call it... RS-DEAGGREGATES, and list all the major irresponsible providers' specific /24's in it... So some ASes who wish to not accept deaggregated specifics using RPSL can update their AS import policy to not import RS-DEAGGREGATES...

Just my humble opinion.. Comments/critics welcome :)

-hc

-- 
Haesu C.
TowardEX Technologies, Inc.
Consulting, colocation, web hosting, network design and implementation
http://www.towardex.com | [EMAIL PROTECTED]
Cell: (978)394-2867 | Office: (978)263-3399 Ext. 170
Fax: (978)263-0033 | POC: HAESU-ARIN

On Sun, Oct 12, 2003 at 11:26:49AM -0400, Jared Mauch wrote:

> On Sun, Oct 12, 2003 at 01:02:57PM +, Stephen J. Wilcox wrote:
>
> > > Can anyone from BellSouth comment? What if a few other major ISPs were to add a thousand or so deaggregated routes in a few weeks time? Would there be a greater impact?
> >
> > one word - irresponsible
>
> This clearly stands out to me as a reason to keep and use prefix filtering on peers to reduce the amount of junk in the routing tables. If BellSouth needs to leak more specifics for load balancing purposes, fine, just make sure those routes don't leave your upstreams' networks and waste router memory for the rest of us that don't need to see it.
>
> - Jared
RE: BellSouth prefix deaggregation (was: as6198 aggregation event)
> IMHO, I think we should create a route-set object, call it... RS-DEAGGREGATES, and list all the major irresponsible providers' specific /24's in it...

CASE: Business has a /24 from X provider in order to multihome. That /24 is de-aggregated from a /19; with this policy that /24 may not be routed.

Possible exception: When 2002-3 gets passed by ARIN, this could even take on new meaning. ARIN says they will use a single /8 for the handing out of /22-/24 for multihoming end users. Will you then filter those /24's also?

Also: What happens when that /24 for Business Y noted above is dual routed by ISP A and ISP B, and ISP A's upstream filters but ISP B's does not? Will there be asymmetric routing?

Finally: Can anyone from BellSouth explain the end goal of the de-aggregation? I suspect with 40+ ASs they may be rebuilding their network with a recently announced list of new IP services and DSL growth as asked for under the Federal government Rural DSL regulations... (I'm not trying to defend them, just giving some possibilities)

> So some ASes who wish to not accept deaggregated specifics using RPSL can update their AS import policy to not import RS-DEAGGREGATES...
>
> Just my humble opinion.. Comments/critics welcome :)
>
> -hc
Re: BellSouth prefix deaggregation (was: as6198 aggregation event)
The idea is to not filter just /24's. The idea is to work with people who run cidr-report.org (may be.. or other people who are willing to coop), and find an ASNs who advertise a lots of irresponsible deaggregates. As you can see, cidr-report only shows deaggregation for the prefixes that an AS _specifically_ _originates_. It does not show /24's out of downstream ASes, so it is safe. Basically there would need to be some sort of monitoring process to review the cidr-report regularly to keep a close watch on irresponsible providers, and generate route-set filter against them until they aggregate themselves. -hc -- Haesu C. TowardEX Technologies, Inc. Consulting, colocation, web hosting, network design and implementation http://www.towardex.com | [EMAIL PROTECTED] Cell: (978)394-2867 | Office: (978)263-3399 Ext. 170 Fax: (978)263-0033 | POC: HAESU-ARIN On Sun, Oct 12, 2003 at 03:07:46PM -0400, McBurnett, Jim wrote: IMHO, I think we should create a route-set obj like call it... RS-DEAGGREGATES and list all the major irresponsible providers's specific /24's in it... CASE: Business has a /24 from X provider in order to multihome. That /24 is de-aggregated from a /19, with this policy that /24 may not be routed. possible exception: When 2002-3 get passed by ARIN, this could even take on new meaning. ARIN says they will use a single /8 for the handing out of /22-/24 for multihoming end users. will you then filter those /24's also? Also: What happens when that /24 for Business Y noted above is dual routed by ISP A and ISP B, and ISP A's upstream filters but ISP B's does not? Will there be asymmetric routing? Finally: Can anyone from BellSouth, explain the end goal of the de-aggregation? I suspect with 40 + ASs they may be rebuilding their network with a recently announced list of new IP services and DSL growth as asked for under the Federal government Rural DSL regulations... 
(I'm not trying to defend them, just giving some possibilities) So some ASes who wish to not accept deaggregated specifics using RPSL can update their AS import policy to not import RS-DEAGGREGATES... Just my humble opinion.. Comments/critics welcome :) -hc -- Haesu C. TowardEX Technologies, Inc. Consulting, colocation, web hosting, network design and implementation http://www.towardex.com | [EMAIL PROTECTED] Cell: (978)394-2867 | Office: (978)263-3399 Ext. 170 Fax: (978)263-0033 | POC: HAESU-ARIN On Sun, Oct 12, 2003 at 11:26:49AM -0400, Jared Mauch wrote: On Sun, Oct 12, 2003 at 01:02:57PM +, Stephen J. Wilcox wrote: Can anyone from BellSouth comment? What if a few other major ISPs were to add a thousand or so deaggregated routes in a few weeks time? Would there be a greater impact? one word - irresponsible This clearly stands out to me as a reason to keep and use prefix filtering on peers to reduce the amount of junk in the routing tables. If bellsouth needs to leak more specifics for load balancing purposes, fine, just make sure those routes don't leave your upstreams networks and waste router memory for the rest of us that don't need to see it. - Jared (Note: The above numbers are based on data from cidr-report.org. Some other looking glasses were also checked to see if cidr-report.org's view of these AS's is consistent with the Internet as a whole. This appears to be the case, but corrections are welcome.) -Terry -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Terry Baranski Sent: Sunday, October 05, 2003 3:01 PM To: 'James Cowie'; [EMAIL PROTECTED] Subject: RE: as6198 aggregation event James Cowie wrote: On Friday, we noted with some interest the appearance of more than six hundred deaggregated /24s into the global routing tables. More unusually, they're still in there this morning. 
AS6198 (BellSouth Miami) seems to have been patiently injecting them over the course of several hours, between about 04:00 GMT and 08:00 GMT on Friday morning (3 Oct 2003).

If you look at the 09/19 and 09/26 CIDR Reports, BellSouth Atlanta (AS6197) did something similar during this time period -- they added about 350 deaggregated prefixes, most if not all /24's.

Usually when we see deaggregations, they hit quickly and they disappear quickly; nice sharp vertical jumps in the table size. This event lasted for hours and, more importantly, the prefixes haven't come back out again, an unusual pattern for a single-origin change that effectively expanded global tables by half a percent.

That AS6197's additions
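The monitoring process Haesu describes, as an added example that is not part of this thread and not cidr-report.org's own tooling: a Python script that takes a table of (origin AS, prefix) rows, charges a more-specific to an AS only when that same AS also originates the covering prefix (so a downstream's /24 is never blamed on the upstream announcing the aggregate, the property the post relies on), and renders the offenders' specifics as an RPSL route-set. The ASNs, prefixes and threshold are made up for the example; the exempt-block parameter is the example's answer to Jim's objection, standing for something like the single /8 ARIN proposed for /22-/24 multihoming assignments, which such a filter must not swallow.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of (origin ASN, prefix) rows, the shape one would load
# from a cidr-report style listing or a RIB dump. Private-range ASNs and
# RFC 5737 documentation prefixes; none of it is real routing data.
SAMPLE_ROUTES = [
    (64500, "192.0.2.0/24"),
    (64500, "198.51.100.0/22"),
    (64500, "198.51.100.0/24"),
    (64500, "198.51.101.0/24"),
    (64500, "198.51.102.0/24"),
    (64500, "198.51.103.0/24"),
    (64501, "203.0.113.0/24"),
    (64501, "203.0.113.0/25"),
    (64502, "198.51.100.0/24"),   # a downstream of 64500 originating its own /24
]


def find_deaggregates(routes):
    """Map origin ASN -> more-specifics of a covering prefix that the SAME ASN
    also originates. A prefix originated by another ASN (a multihomed
    downstream, say) is never charged to the ASN announcing the aggregate,
    mirroring the per-origin view of cidr-report mentioned in the thread."""
    by_asn = defaultdict(list)
    for asn, pfx in routes:
        by_asn[asn].append(ipaddress.ip_network(pfx, strict=True))
    deaggs = {}
    for asn, pfxs in by_asn.items():
        # Shortest prefixes first, so every candidate aggregate is seen
        # before the more-specifics it covers.
        pfxs.sort(key=lambda n: (n.version, n.prefixlen, int(n.network_address)))
        aggregates, specifics = [], []
        for n in pfxs:
            covered = any(a.version == n.version and n != a and n.subnet_of(a)
                          for a in aggregates)
            (specifics if covered else aggregates).append(n)
        if specifics:
            deaggs[asn] = specifics
    return deaggs


def route_set_members(deaggs, threshold, exempt=()):
    """Pick the specifics of ASNs with at least `threshold` deaggregates,
    skipping anything inside an exempt block (for instance a registry block
    set aside for /22-/24 multihoming assignments, which this filter must not
    swallow). Returns prefix strings in address order."""
    exempt_nets = [ipaddress.ip_network(e) for e in exempt]
    members = []
    for specifics in deaggs.values():
        if len(specifics) < threshold:
            continue
        for n in specifics:
            if any(n.version == e.version and n.subnet_of(e) for e in exempt_nets):
                continue
            members.append(n)
    members.sort(key=lambda n: (n.version, n))
    return [str(n) for n in members]


def render_rpsl(members, name="RS-DEAGGREGATES"):
    """Render the list as an RPSL route-set object, one members: line per
    prefix, so an aut-num can reference it from its import policy, e.g.
    'accept ANY AND NOT RS-DEAGGREGATES'."""
    lines = [f"route-set: {name}",
             "descr: more-specifics originated alongside their own aggregates"]
    lines += [f"members: {m}" for m in members]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = find_deaggregates(SAMPLE_ROUTES)
    print(render_rpsl(route_set_members(found, threshold=4)))
```

Run against the sample, AS64500's four /24s under its own /22 end up in the route-set, AS64501's lone /25 does not clear the threshold, and AS64502's /24 is not counted against anyone because 64502 originates no aggregate covering it. Feeding the script a live table would mean exporting (origin, prefix) pairs from a RIB or from the cidr-report listing; that input format is not shown here.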
Re: AOL mail server problems?
----- Original Message -----
From: Joshua Levitsky
To: Brian Bruns
Cc: [EMAIL PROTECTED] ; [EMAIL PROTECTED] ; Suresh Ramasubramanian
Sent: Sunday, October 12, 2003 3:10 PM
Subject: Re: AOL mail server problems?

> What is the PTR record for your mail server? If you don't have one or if it reads like a residential one then I've heard of that getting blocked. Also be advised you can contact [EMAIL PROTECTED] or AOL Postmaster HelpDesk at 1-703-265-4670 or 1-888-212-5537. Before you email or call you should try this to verify that you have a PTR and that it doesn't read like a residential one. (For example dsl081-214-123.nyc2.dsl.speakeasy.net.)

Ah yeah, we have an Ameritech PTR right now (working on that problem as well). I guess I'll have one of my guys call Ameritech and complain about the PTR.

--
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.sosdg.org
ICQ: 8077511
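A check of the kind Joshua suggests, as an added example that is not from the thread and not AOL's own rules: reverse-resolve the mail server's address, confirm the PTR name resolves back to the same address (forward-confirmed reverse DNS), and flag names that read like access-network assignments. The token list and the address-like-number pattern are this example's own heuristics; the resolver functions are parameters so the logic can be exercised offline against the constructed table at the bottom, which uses RFC 5737 addresses and made-up names apart from the speakeasy-style name quoted in the thread.

```python
import re
import socket

# Heuristics of this example (not AOL's published rules) for names that look
# like a residential or dynamic assignment rather than a purpose-named host.
ACCESS_TOKENS = re.compile(
    r"(?<![a-z])(?:a?dsl|cable|dial(?:up)?|dyn(?:amic)?|pool|ppp|dhcp|cpe)(?![a-z])",
    re.IGNORECASE,
)
# Two or more separated numeric groups, e.g. 081-214-123, usually means the
# name encodes the address instead of naming the host.
ADDRESS_LIKE = re.compile(r"(?:\d{1,3}[-.]){2,}\d{1,3}")


def residential_reasons(ptr):
    """Reasons a PTR name looks residential; an empty list means it looks fine."""
    reasons = []
    if ACCESS_TOKENS.search(ptr):
        reasons.append("name contains an access-network token (dsl, cable, dyn, ...)")
    if ADDRESS_LIKE.search(ptr):
        reasons.append("name embeds an address-like number sequence")
    return reasons


def reverse_lookup(ip):
    """PTR name for ip, lowercased without trailing dot, or None if none exists."""
    try:
        return socket.gethostbyaddr(ip)[0].rstrip(".").lower()
    except (socket.herror, socket.gaierror):
        return None


def forward_lookup(name):
    """All addresses the name resolves to (empty set if it does not resolve)."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()


def assess_mail_host(ip, reverse=reverse_lookup, forward=forward_lookup):
    """The pre-call checks: is there a PTR, does it confirm forward (FCrDNS),
    and does the name read like a residential assignment? The lookup
    functions are injectable so the logic can run without the network."""
    ptr = reverse(ip)
    if ptr is None:
        return {"ip": ip, "ptr": None, "fcrdns": False, "problems": ["no PTR record"]}
    fcrdns = ip in forward(ptr)
    problems = [] if fcrdns else ["PTR name does not resolve back to the address"]
    problems += residential_reasons(ptr)
    return {"ip": ip, "ptr": ptr, "fcrdns": fcrdns, "problems": problems}


# Constructed offline data: RFC 5737 addresses and made-up names, except the
# speakeasy-style name, which is the one Joshua quoted as a residential example.
FAKE_PTR = {
    "192.0.2.10": "dsl081-214-123.nyc2.dsl.speakeasy.net",
    "192.0.2.20": "mail.example.net",
    "192.0.2.30": "mx1.example.org",
}
FAKE_FORWARD = {
    "dsl081-214-123.nyc2.dsl.speakeasy.net": {"192.0.2.10"},
    "mail.example.net": {"192.0.2.20"},
    "mx1.example.org": {"192.0.2.99"},   # PTR names a host that resolves elsewhere
}


def assess_offline(ip):
    """Same checks, resolved against the constructed tables above."""
    return assess_mail_host(ip, reverse=lambda a: FAKE_PTR.get(a),
                            forward=lambda n: FAKE_FORWARD.get(n, set()))


if __name__ == "__main__":
    import sys
    if sys.argv[1:]:
        for ip in sys.argv[1:]:
            print(assess_mail_host(ip))      # live DNS
    else:
        for ip in FAKE_PTR:
            print(assess_offline(ip))        # offline demonstration
```

With no arguments the script walks the constructed table; with addresses on the command line it does live lookups. A name that fails the residential heuristics is only a hint about what a receiving postmaster may see, not a ruling; the hard requirement worth fixing first is a PTR that exists and confirms forward.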
Re: Abuse Departments
Bryan Heitman wrote:

> Would you perhaps have more underlying problems if a script kiddie on a dialup can attack you in such a way to impact your service?

Yeah? See: http://www.irbs.net/internet/nanog/0308/1463.html

/ Mat
RE: Abuse Departments
Yes, I agree with everyone; in a distributed environment many things are possible. Perhaps I should have read the entire thread rather than responding to a single message.

Bryan

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Sullivan
Sent: Sunday, October 12, 2003 5:16 PM
Cc: [EMAIL PROTECTED]
Subject: Re: Abuse Departments

> Bryan Heitman wrote:
>
> > Would you perhaps have more underlying problems if a script kiddie on a dialup can attack you in such a way to impact your service?
>
> Yeah? See: http://www.irbs.net/internet/nanog/0308/1463.html
>
> / Mat
Extreme BlackDiamond
How are these for CORE SWITCHES (distribution) compared to BigIron and the CISCO 6509? From what I have heard and reports they are very solid switches. Thanks in advance -Shazzy
abuse from a user of this list
Last night, in conjunction with the attacks on my DSL line and the Summit Open Source Development Group, I received a threatening phone call on my home business line at 1:44 in the morning (GMT-5 CST Indiana-East). My roommate answered the call, and the dialog was simply "how's your DSL B!", then the caller hung up.

This evening my roommate informed me of the call, and told me that the caller had not blocked caller ID, the number in question being 320-282-5940. I tracked this number to a T-Mobile cellphone in St Cloud, MN. Thinking this might be the kiddie responsible for the attack, I made a *67 call back. I was greeted with the voice mail of Matthew Hallacy (AKA poptix), who has used this forum to take cheap shots at myself and my staff repeatedly. Now he has denigrated to simple threats and harassment off list that didn't even get to me but to my roommate, who is entirely uninvolved in this.

I must note that this incident greatly saddened me, as I would have thought that all on this list have suffered Denial of Service attacks and understand the seriousness and severity of these attacks; obviously one of us doesn't get it. Please contact me if you have questions regarding this incident.

--
Andrew D Kirch | [EMAIL PROTECTED] | Security Admin | Summit Open Source Development Group | www.sosdg.org
Re: abuse from a user of this list
Quoting from 2mbit.com:

"Our group was formed after the split of Valley Of The Mage Consulting two years ago. We chose to continue our Open Source/Free Software development services under a new name and bring together all of the sites owned by Brian Bruns and Josh Rollyson under one umbrella."

Since you are Director of Security, I will offer you some advice:

1) Cease your incessant shrieking as it is neither warranted nor desired on this list.
2) It is not possible to denigrate to anything.
3) Grow up.

At 09:02 PM 10/12/2003 -0500, you wrote:

> Last night, in conjunction with the attacks on my DSL line and the Summit Open Source Development Group, I received a threatening phone call on my home business line at 1:44 in the morning (GMT-5 CST Indiana-East). My roommate answered the call, and the dialog was simply "how's your DSL B!", then the caller hung up.
>
> This evening my roommate informed me of the call, and told me that the caller had not blocked caller ID, the number in question being 320-282-5940. I tracked this number to a T-Mobile cellphone in St Cloud, MN. Thinking this might be the kiddie responsible for the attack, I made a *67 call back. I was greeted with the voice mail of Matthew Hallacy (AKA poptix), who has used this forum to take cheap shots at myself and my staff repeatedly. Now he has denigrated to simple threats and harassment off list that didn't even get to me but to my roommate, who is entirely uninvolved in this.
>
> I must note that this incident greatly saddened me, as I would have thought that all on this list have suffered Denial of Service attacks and understand the seriousness and severity of these attacks; obviously one of us doesn't get it. Please contact me if you have questions regarding this incident.
>
> --
> Andrew D Kirch | [EMAIL PROTECTED] | Security Admin | Summit Open Source Development Group | www.sosdg.org
Re: Extreme BlackDiamond
On Mon, 13 Oct 2003, Shazad - eServers wrote:

> How are these for CORE SWITCHES (distribution) compared to BigIron and the CISCO 6509? From what I have heard and reports they are very solid switches.

Some things to know about them:

They use CPU to route ICMP just like all Extreme equipment (makes it harder to diagnose network trouble using ICMP).

They have a 256k entry ipfdb (fastpath hardware L3 host-based route-cache). They're very quick and stable when it comes to forwarding traffic that has a normal pattern, but they do not perform well when it comes to handling stuff like DoS attacks that generate packets that are not in its ipfdb. The last months' virus attacks have not been fun to us (both the ICMP and the scanning from infected customers and our aggregates being scanned from infected internet hosts).

They do everything in hardware when it comes to access lists, QoS etc. Either it does it in ASIC without performance impact or not at all.

Just like all other equipment, you'd better look it through thoroughly for your application and check what drawbacks might hit you etc.

I don't know much about the BigIron, but it's hard to compare to a 6509 unless you know what's in the 6509. Compare it to a Sup1A with older cards and the Black Diamond is a performance screamer that'll do circles around the 6509; bring out the OSMs and all the other 7600 stuff and that's a better core router probably (but much much more expensive).

I like the fact that all Extreme equipment of the same generation (they have two total) use the same ASICs and the same software and you can do the same things in all of them. Very consistent.

--
Mikael Abrahamsson email: [EMAIL PROTECTED]
Re: Extreme BlackDiamond
On Mon, 13 Oct 2003, Mikael Abrahamsson wrote:

> On Mon, 13 Oct 2003, Shazad - eServers wrote:
>
> > How are these for CORE SWITCHES (distribution) compared to BigIron and the CISCO 6509? From what I have heard and reports they are very solid switches.
>
> Some things to know about them:
>
> They use CPU to route ICMP just like all Extreme equipment (makes it harder to diagnose network trouble using ICMP).

Actually, as far as I know, all switches and routers use the CPU to process ICMP. It is a control protocol and the safest option is to ensure the vendor has implemented some sort of CPU rate-limiting so it can't be overwhelmed.

> They're very quick and stable when it comes to forwarding traffic that has a normal pattern, but they do not perform well when it comes to handling stuff like DoS attacks that generate packets that are not in its ipfdb. The last months' virus attacks have not been fun to us (both the ICMP and the scanning from infected customers and our aggregates being scanned from infected internet hosts).

This is the kicker and real question: does it require the CPU to forward regular traffic? I believe the answer is yes, the Extreme is a flow-based architecture and the first packet of each unique flow (however it is defined) will need to be processed by the CPU. This is why the problems described above occur. The alternative is a packet-based architecture and does not rely on the CPU for forwarding. It doesn't take a lot of packets to overwhelm any CPU.

> They do everything in hardware when it comes to access lists, QoS etc. Either it does it in ASIC without performance impact or not at all.

Assuming the CPU doesn't have to process the first packet before it reaches the ACL, QoS policy, etc..

andy

--
PGP Key Available at http://www.tigerteam.net/andy/pgp
Re: Extreme BlackDiamond
On Mon, 13 Oct 2003, Shazad - eServers wrote: How are these for CORE SWITCHES (distribution) compared to BigIron and the CISCO 6509? From what I have heard and reports they are very solid switches. As long as you only use them for switching, they're fine :) For routing, I wouldn't touch em with a 10 foot pole, but I can also say that for the BigIron, or the 6509. If you want a router, buy a router...
Re: Extreme BlackDiamond
On Sun, 12 Oct 2003, Andy Walden wrote:

> Actually, as far as I know, all switches and routers use the CPU to process ICMP. It is a control protocol and the safest option is to ensure the vendor has implemented some sort of CPU rate-limiting so it can't be overwhelmed.

I don't know of anyone else who *routes* ICMP. Yes, ICMP packets destined for the router, but Extreme actually CPU route all ICMP packets passing through.

> This is the kicker and real question: does it require the CPU to forward regular traffic? I believe the answer is yes, the Extreme is a flow-based architecture and the first packet of each unique flow (however it is defined) will need to be processed by the CPU. This is why the problems

Yes, exactly what I'm saying. Flow here is defined as a destination IP number.

> described above occur. The alternative is a packet-based architecture and does not rely on the CPU for forwarding. It doesn't take a lot of packets to overwhelm any CPU.

Quite, 10kpps is enough, if even that.

> > They do everything in hardware when it comes to access lists, QoS etc. Either it does it in ASIC without performance impact or not at all.
>
> Assuming the CPU doesn't have to process the first packet before it reaches the ACL, QoS policy, etc..

Well, actually I believe ACLs are processed on ingress before being punted to the CPU even though the flow hasn't been set up yet. This is the observation I have seen so far anyway, but I am not 100% sure.

I can understand how a virus like Welchia can affect a flow-based architecture like Extreme's. I was under the impression that CEF-enabled Cisco gear wouldn't have this problem, but Cisco has instructions on their webpage on how to deal with it and cites CPU usage as the reason. With CEF I thought the CPU wasn't involved? CEF is perhaps differently implemented on different platforms?

--
Mikael Abrahamsson email: [EMAIL PROTECTED]
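The failure mode the last three messages circle around, as an added example that is not Extreme's code or documentation: a toy forwarder keyed on destination IP (the thread's definition of a flow) with a bounded cache and a per-second CPU budget, fed one second of ordinary traffic and one second of worm-style scanning where every packet hits a destination the cache has never seen. It also punts every transit ICMP packet, as Mikael describes, and includes the detection a NOC would run over flow data from the customer side to find the scanning hosts. Cache capacity, CPU budget, addresses and packet rates are all made up for the example and are not vendor figures.

```python
import ipaddress
import random
from collections import OrderedDict


class FlowCacheForwarder:
    """Toy model of a destination-IP keyed hardware route cache (the ipfdb in
    the thread). A packet whose destination is cached is forwarded in hardware;
    any other packet, and every transit ICMP packet, is punted to the CPU,
    which handles at most cpu_pps_budget packets per second and installs the
    destination when it does. Capacity and budget are model parameters."""

    def __init__(self, capacity, cpu_pps_budget):
        self.capacity = capacity
        self.cpu_pps_budget = cpu_pps_budget
        self.cache = OrderedDict()           # dst -> True, least recently used first
        self.hw_forwarded = self.punted = self.dropped = 0

    def forward(self, packets):
        """Process one second of traffic, a list of (src, dst, proto) tuples.
        Returns how many packets needed the CPU this second."""
        punts = 0
        for _src, dst, proto in packets:
            if proto != "icmp" and dst in self.cache:
                self.cache.move_to_end(dst)
                self.hw_forwarded += 1
                continue
            punts += 1
            if punts > self.cpu_pps_budget:  # CPU saturated: the packet is lost
                self.dropped += 1
                continue
            self.punted += 1
            self.cache[dst] = True
            self.cache.move_to_end(dst)
            if len(self.cache) > self.capacity:
                self.cache.popitem(last=False)
        return punts


def normal_second(pps, n_hosts, rng, proto="tcp"):
    """pps packets from one source to a small, stable set of destinations."""
    return [("10.0.0.1", f"192.0.2.{rng.randrange(n_hosts)}", proto) for _ in range(pps)]


def scan_second(pps, start=0, proto="tcp"):
    """pps packets, each to a brand-new destination, like a worm sweeping a block."""
    base = int(ipaddress.IPv4Address("198.18.0.0")) + start
    return [("10.0.0.1", str(ipaddress.IPv4Address(base + i)), proto) for i in range(pps)]


def scanning_sources(packets, unique_dst_threshold):
    """Detection side: sources that touched more than the threshold of distinct
    destinations in this batch. Run over flow export or sampled traffic from
    the customer-facing side to find infected hosts before the cache does."""
    dsts = {}
    for src, dst, _proto in packets:
        dsts.setdefault(src, set()).add(dst)
    return {s for s, d in dsts.items() if len(d) > unique_dst_threshold}


def run_scenarios(capacity=1000, cpu_pps_budget=10000, pps=50000, seed=7):
    """Ordinary traffic versus a scan through the same box; returns both summaries."""
    rng = random.Random(seed)
    normal = FlowCacheForwarder(capacity, cpu_pps_budget)
    normal_punts = [normal.forward(normal_second(pps, 200, rng)) for _ in range(3)]
    scan = FlowCacheForwarder(capacity, cpu_pps_budget)
    scan_punts = scan.forward(scan_second(pps))
    return {
        "normal": {"punts_per_second": normal_punts, "dropped": normal.dropped},
        "scan": {"punts_per_second": scan_punts, "dropped": scan.dropped,
                 "cache_entries": len(scan.cache)},
    }


if __name__ == "__main__":
    for name, stats in run_scenarios().items():
        print(name, stats)
```

Ordinary traffic punts once per new destination and then rides the hardware path; the scan punts every packet, the CPU budget is exhausted in the first fraction of the second, and the rest of the second's packets are dropped while the cache churns through entries it will never use again. The packet-based alternative Andy mentions has no such first-packet step, which is why the same scan only costs it forwarding bandwidth.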