Re: Hijacked IP space.
I must have missed the thread on this, but is there a good summary available of exactly _how_ these netblocks are getting hijacked? Are they taking advantage of sloppy redistribution configurations, 0wning routers, spoofing OSPF updates, taking advantage of default static routes, or is there something more complicated at work? Are these attacks actually generating bogons, or are they isolated to ASNs they have at one point been legitimately announced by, and forgotten? I can think up many more interesting applications for these kinds of ghost-nets than spamming, all of which are quite, if you'll pardon the pun, haunting.

-- Jamie.Reid, CISSP, [EMAIL PROTECTED] Senior Security Specialist, Information Protection Centre, Corporate Security, MBS 416 327 2324

>>> chuck goolsbee [EMAIL PROTECTED] 11/03/03 03:56pm >>>
All, Sorry to interrupt any off-topic rambles, but I had a client call last week who had just had some telephone abuse heaped on them by somebody accusing them of spamming. It turns out our client had a netblock assigned to them back in the mid-90's. They used to put on networking trade shows, and used the space for making show networks. They haven't put on a networking trade show (with a public network) since about 1997. Of course to complicate the matter, the sole contact listed in whois no longer works there. I informed our client how to remove their name from the whois record and relinquish the netblock back to ARIN, which I hope they are doing now. I also have (at the suggestion of some research through the nanog archives) submitted the netblock to the completewhois site. [I have no interest in commenting on the current inane OT nanog thread about that subject, so don't even try me.] Mr. Thomas' cymru.com service was offline when I tried to contact it last week (he replied via email about an outage... sorry to hear... coffee will get there eventually. Order put to the roaster today. - hang in there.)
Of course I have no hard data, other than my client's phone call about another phone call, so I can't query based on a timestamp to see where this was being announced from. It appears to have vanished, and has remained so according to my casual glances here and there. The netblock in question is: 204.89.0.0/21 So, my question is: Other than the above, and mentioning it here, is there anything else *I* can do to assist my client? Especially since I am not at all directly related to this netblock in any way. Additionally, it would not hurt to know if anyone here *does* know when or where the announcement came from. The client in question are good folks, and I hate to see their reputation tainted by the actions of others. Thanks, --chuck goolsbee, digital.forest
Re: short question
Use E-bay. 1) Cisco 4700 or Cisco 4500 on EBAY, with 2FE card, is the cheapest solution: http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=3055979445&category=28036 + http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=3055635959&category=28036 or http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=3055680837&category=28036 + some memory (it uses standard memory with parity). Maybe 4000M with 2 NP-1FE can work, but 4000 is _very_ old (it uses Motorola; 4500 and 4700 use MIPS) and slow, and very far _out of life_. 4500 is the cheapest case, of course. 2) Cisco 3620 + this module: http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=3055171886&category=28035 for example http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=3055145110&category=51202 3) Cisco 3640: http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=3055678338&category=51203 4) Cisco 2621 http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=3055489861&category=11185 Other choice is to have 1 FE and use a switch with ISL trunk. It is very unlikely that you need full 2xFE interface. From a technical point of view (if not thinking about price), 3550 is the best solution, of course: http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=3056042558&category=28040 The best by price / features is 3620 or 3640 - it uses standard memory, can be expanded, easy to find modules, modules are compatible with new routers. The worst thing you can do is go to Cisco and purchase a new box -:) - prices are crazy high (2 FE router should not cost more than 500$).

- Original Message - From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Sent: Sunday, November 02, 2003 2:47 PM Subject: Re: short question
I have a question. I need for a project a small router that can do 2xFE @wire speed, IOS IP feature set, and it will do BGP with a small subset of the global routing table (~1000 networks). Price is a big issue, but so is stability and reliability of the platform.
Cisco Catalyst 3550 with EMI feature set.
Steinar Haug, Nethelp consulting, [EMAIL PROTECTED]
Re: Hijacked IP space.
1. RIRs don't sell address space or make any claim of the merchantability, routability, or functionality of the address space they hand out. 2. RIRs' assets do not include the unregistered addresses. They are not transferable and have no book value. As such, it would be difficult for an RIR customer to successfully sue. Most likely if they explained the problems to the RIR, they could trade for a less impacted block, but suing the RIR is unlikely to accomplish much. The RIR, after all, only provided a registration service to show in a public database that as far as the particular RIR was concerned, those integers were unique to the network operator in question. They make no claims about the actions of others WRT those addresses, they just promise not to issue them to someone else. Owen

--On Tuesday, November 4, 2003 7:10 AM +0200 Hank Nussbacher [EMAIL PROTECTED] wrote:
On Mon, 3 Nov 2003, Ray Wong wrote:
I'm starting to figure that, given the delays, there's been enough damage done that 204.89.224/24 will never be able to get off the blocking lists anyway, so perhaps I'll turn it back in after all. *sigh* That's what I get for trying to find low-cost ISPs willing to announce portable space.
So a RIR giving out that /24 would in fact be selling damaged goods and the customer who got it would be able to sue. I think RIRs have to make a larger effort to protect their assets. Ray Wong [EMAIL PROTECTED] -Hank

-- If it wasn't signed, it probably didn't come from me.
Re: Hijacked IP space.
No, they do not view themselves as leasing address space. They view themselves as registering it. They are quite clear about this. The term leasing is commonly misapplied by people outside the RIR, but I have never seen any RIR claim that they are leasing the address space. Certainly not in the financial sense. What they do say is that as long as they are paid the correct fees for registering the address space, they will not make a duplicate registration for another party. They just register the address space. They do not lease it. They do not claim to own it. They make no claims on the actions of others with regard to the address space. By common consent the majority of the internet regards the RIR registrations as binding effective ownership, but that is voluntary on the part of each and every network provider. Owen

--On Tuesday, November 4, 2003 7:25 AM +0200 Hank Nussbacher [EMAIL PROTECTED] wrote:
On Tue, 4 Nov 2003, Ron da Silva wrote:
On Tue, Nov 04, 2003 at 07:10:27AM +0200, Hank Nussbacher wrote:
On Mon, 3 Nov 2003, Ray Wong wrote:
I'm starting to figure that, given the delays, there's been enough damage done that 204.89.224/24 will never be able to get off the blocking lists anyway, so perhaps I'll turn it back in after all. *sigh* That's what I get for trying to find low-cost ISPs willing to announce portable space.
So a RIR giving out that /24 would in fact be selling damaged goods and the customer who got it would be able to sue. I think RIRs have to make a larger effort to protect their assets.
But the RIRs are not selling any goods; are they not simply selling a directory service?
They view themselves as leasing out IP address space. Although they never reclaim IP address space that has long since never been announced. But even if it is leasing - if I lease an apartment that has termites and can prove that the owner of the building knew about the termites - then I would probably have a good case to sue.
-Hank -ron Hank Nussbacher

-- If it wasn't signed, it probably didn't come from me.
Re: Hijacked IP space.
lease-licensed is different from leased. They are leasing you a license to use the address space and claim it as unique to your organization. If you look at the contract that you sign with the RIR, you will notice that it does not convey ownership or any sort of lease in the commercial lease sense of the word, but the use of the term in policies is more along the lines of the DHCP lease sense of the word. Also, notice that all of the policies you quote are WRT IPv6 space and not current IPv4 policies. IPv6 is still regarded as experimental in nature by the RIRs and as such, they have probably not spent a lot of time refining the legalese in the language for their allocation policies. Owen

--On Tuesday, November 4, 2003 10:44 AM +0200 Hank Nussbacher [EMAIL PROTECTED] wrote:
At 12:33 AM 04-11-03 -0800, Owen DeLong wrote:
No, they do not view themselves as leasing address space. They view themselves as registering it. They are quite clear about this. The term leasing is commonly misapplied by people outside the RIR, but I have never seen any RIR claim that they are leasing the address space. Certainly not in the financial sense.
That is not what RIPE and ARIN state. They specifically use the word lease. http://www.ripe.net/ripencc/mem-services/registration/ipv6/global-ipv6-assign-2001-12-22.html and http://www.arin.net/policy/global-ipv6-assign-2001-12-22.txt "The global IPv6 policies in this document are based upon the understanding that address space is lease-licensed for use rather than owned. All Internet Registries are expected to manage address space operations correctly in accordance with this principle."
Also: http://www.ripe.net/ripencc/about/presentations/ir-allocation-procedures/tsld009.html Also: http://www.arin.net/library/minutes/ARIN_IX/ppm_doc.html "In regard to the criteria that organizations who are granted initial allocations, but after two years no longer satisfy the requirements above, are subject to having their allocations revoked, the following model was proposed for allocations: - Addresses are leased, assignments are not permanent" Many more examples. -Hank

-- If it wasn't signed, it probably didn't come from me.
Re: Hijacked IP space
Chuck Goolsbee wrote that one of his clients was having problems because miscreants have hijacked IP space that they own but haven't actively used in a while. While it's definitely worth submitting it to completewhois and developing whatever paper trail it takes to give it back to the registrars if they don't want to keep it, another obvious stopgap would be to advertise the space, including their /21 and any /24s they see route advertisements for. Either point it to some spare PC with a web server handing out "Forgers hijacked our address space" pages, or null route it. Also check the reverse DNS listings, if there are any, and have them advertise a pointer to a subdomain like weve-been-hijacked.theirdomain.com with an appropriate web page.
Re: Need FSO link in Santa Clara Sunnyvale
Brennan, I don't know anything about them, but these folks seem to be doing some interesting things: http://www.loeacom.com/About/ http://www.infoworld.com/article/03/10/17/HNloea_1.html --Michael

- Original Message - From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, November 03, 2003 10:49 AM Subject: OT: Need FSO link in Santa Clara Sunnyvale
What are the top vendors these days for wireless FSO links? I need at least 100Mb link over a distance of about 1-2 miles. Seems like last time I looked at this though, the speeds were up to a Gig at pretty low cost. Any insights? Would also accept emails from sales persons if they can briefly (1 paragraph) summarize what they've got and at what price. I'll contact the top 3 or 5 offers directly. Thanks, BM
Re: Hijacked IP space.
Jamie Reid writes on 11/4/2003 12:54 AM: Are they taking advantage of sloppy redistribution configurations, 0wning routers, spoofing OSPF updates, taking advantage of default static routes, or is there something more complicated at work? Sometimes as simple as social engineering - a company goes out of business, but still has a /16 allocated to it. So what happens is that some fake letterheads get typed up (and possibly the company name re-registered under new management), and a request for routing these blocks goes out ... Then you get (say) a T1 from some random ISP, and then get them to announce the /16. srs -- srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9 manager, outblaze.com security and antispam operations
Re: Harassment (was Re: ELAN.NET ...)
OK, enough is enough.
We've all had a spammer or spam site sign up, and we've all (presumably) kicked them off. Why are you referencing data from some spam posting over 4 years old?
Because, as I showed you, Elan is still hosting their domains.
Let's be clear about something - having our nameserver listed as one of the dns servers for a domain does not mean we're hosting it. There are LOTs of domains which use our dns servers (in fact a couple of people at nanog receive free secondary dns from elan), there are also a number of domains for which we're listed but we do not provide dns services any more (I can't really force somebody to remove our dns server from their domain whois, I can ask, but they may refuse or not answer at all - if this is a problem, then I set our dns server to reply as NXDOMAIN, which may get their attention; but 99% of the time, the domain that was in the dns server but is no more simply has its records and configs purged from our dns server - that however means that our server may still answer queries about it in a normal caching mode, i.e. by getting data from the first listed primary dns and caching it on the fly without using any local configuration). If you have a problem with any PARTICULAR domain, send email to [EMAIL PROTECTED] and clearly indicate what the problem is - you will receive a reply (within 72 hours if email is directly from a user and not from an automated system). If the email is cc'd to the newsgroup (if you want to make it public), there will be a reply to that newsgroup, but be particular about each and every case separately, don't just list a bunch of domains (i.e. those with elan.net and with - that you sorted out of the .com/.net root dns zone file). For others, please note that I already told all this before to Michael or else somebody who I'm certain he knows.
If William would take some action and clean up the spammers on his network, I wouldn't need to post about it.
There are no spammers on the network. Anybody who tries to spam gets removed according to our policies, usually within the first 24 hours, sometimes if longer investigations are necessary and they try to fight it, then within 7 days or within 30 days depending on what the circumstances are. Only one case (and it did not involve mass emailing) has ever survived over 30 days and to get rid of him, the change of AUP was necessary but this was all several years ago anyway. And all those google references provided from 2-4 years ago are for companies that were not even direct customers but customers of customers, none are hosted on the network for a long long time (several years).
Another item of note is the phone number in ELAN.NET domain registration is invalid. William is in breach of his registration agreement, and liable to lose his domain name unless he corrects this.
There are known ICANN approved ways to report invalid registration data. Otherwise we'll correct any wrong data on the next domain anniversary or when the domain registrar sends a notice (as they should at least once/year) to check if data is correct.
P.S. This will be the last time I answer these kinds of allegations on the list. All these allegations are baseless as others in fact already said as well and are simply harassment because you have a problem that I'm listing ip blocks you hijacked (or somebody you know based on the company you associate with) and posted data about in public as well as references to what you did. Well, if you yourself want to answer those problems, feel free to do so on any public list (preferably not nanog, but who am I to stop you...). I'll reference those postings on the webpage for wdh/starlan so others could see your own view on what happened and how you're connected to mailcourier, etc. For reference about why this is happening, please see: http://www.completewhois.com/hijacked/gang_wdh.htm -- William Leibzon Elan Networks [EMAIL PROTECTED]
Re: Harassment (was Re: ELAN.NET ...)
Without comment on any other issue, hat = registrar
Another item of note is the phone number in ELAN.NET domain registration is invalid. William is in breach of his registration agreement, and liable to lose his domain name unless he corrects this.
I don't know of a registrar who cares above nominally about the correctness of whois:43 data. Billing data is another matter. The author of the para above is ... should breathe into a paper bag for a few minutes until the hyperventilation passes. /hat Please note expired_hat == (registry ICANN_INSIDER) agree /hat Cheers, Eric
Re: Harassment (was Re: ELAN.NET ...)
Eric Brunner-Williams in Portland Maine writes on 11/4/2003 7:51 AM:
I don't know of a registrar who cares above nominally about the correctness of whois:43 data. Billing data is another matter. The author of the para above is ... should breathe into a paper bag for a few minutes until the hyperventilation passes.
I believe at least one antispam service - spamcop.net - had its domain pulled by joker.com, ostensibly for invalid whois data. This seems to be fixed now. -- srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9 manager, outblaze.com security and antispam operations
Re: Hijacked IP space.
Correct. Unfortunately, that's my old block and I wasn't quite ready to hand it back since I'd sort of wanted to announce it again. I've been trying to chase down CW as the upstream of AS 30080, the jokers who've been pulling this stuff for quite some time with other blocks.
CW received quite a number of reports about abuse from AS30080, I'm very surprised they have not reacted yet (in previous cases of hijacked blocks, CW acted on par with other large networks). The two ip blocks 199.245.138.0/24 and 204.89.224.0/24 are actually hijacked in a rather unique way by getting an old @netcom.com email account forwarded to the hijackers (who are presumably customers of earthlink). Nanog has just seen confirmation from one of these people whose ip block has been hijacked this way, for the other block you can see the data file at http://www.completewhois.com/hijacked/files/199.245.138.0.txt The 3rd ip block used by as30080 is 192.107.49.0/24 and there ARIN already deleted this block from whois (but AS30080 still announces it). I'm certain CW knows about all the issues with those blocks (I actually only emailed them once, but I know others did it quite a bit more than once and a cw person is present at the hijacked mail list too). It would really be good if CW finally took a stand on this and stopped this clearly bad activity from their customer (not to mention that there are an uncountable number of unsolicited emails all originating in those blocks, I've received more than two dozen in the last months just on a couple of accounts). If CW does not take a stand and at least explain why as30080 is still their customer (public if possible or private to those individuals and organizations looking into this matter), then more active measures may have to be taken that may very well cost CW a lot more money in legal fees.
I'm starting to figure that, given the delays, there's been enough damage done that 204.89.224/24 will never be able to get off the blocking lists anyway, so perhaps I'll turn it back in after all. *sigh* That's what I get for trying to find low-cost ISPs willing to announce portable space.
You should not be asking somebody to announce this space while whois is not fixed and current and while it's still announced by somebody else. Afterwards, I'm sure you will be able to find somebody to announce the space (as long as the original company the ip block has been assigned to is still around and you still represent it). 204.89.224.0/24 has not been on blacklists too long yet (no more than 10 days) and it's not too contaminated yet and should be reusable fairly easily once you post on a couple of appropriate mail lists that the real ip block owner is now announcing it. -- William Leibzon Elan Networks [EMAIL PROTECTED]
Re: Harassment (was Re: ELAN.NET ...)
Suresh Ramasubramanian [EMAIL PROTECTED] writes: I believe at least one antispam service - spamcop.net - had its domain pulled by joker.com, ostensibly for invalid whois data. This seems to be fixed now. http://www.julianhaight.com/jokerstupidity.shtml ---rob
Re: Hijacked IP space.
Also while we're on the ip hijacking subject, as I mentioned there is a new way it has been done where instead of reregistering domains, the actual email account is reused by somebody else and where whois at arin is for the most part left unchanged (making it difficult for arin to do anything). Because in these cases it is difficult to track the original owners and to prove hijacking or to notice that it happened, it would be nice to stop such activity in the first place. So it would really be good if somebody from earthlink contacts me and I can then tell them privately what names they need to lock as far as what their customers can request for additional emails. Same applies for other ISPs - if you work for a company that has in the past bought other large ISPs AND where you still allow new or existing customers to get new email accounts at the domains of those old companies (i.e. like earthlink is presumably doing with netcom.com), then let me know the domains and I can tell you what not to allow your customers for emails. -- William Leibzon Elan Networks [EMAIL PROTECTED]
Re: Harassment (was Re: ELAN.NET ...)
Again, without comment on any other issue ... hat = registrar Siegfried Langenbach's execution of some registrar-basics causes many registrars puzzlement and/or concern. I don't know of any registrants who actually transferred successfully _from_ joker/csl to a competing registrar, but I do know many registrars who've complained that they have been unsuccessful in obtaining registrant-authorized transfers from joker/csl. I don't have any direct customer experience, that's just registrars at the table/bar talk, 2nd hand. /hat Eric
Re: Rural network economics [was: Sabotage...]
On Mon, 3 Nov 2003 19:53:00 -0700 John Brown (CV) wrote:
rural or not, capitalism will hinder redundancy unless the shareholders or the insurance companies say otherwise.
Lack of capitalism killed telco redundancy. The telephone company had no competitive reason to build it and the regulators don't understand the issue enough to enforce it. Therefore, the telco management (and engineers?) coasted. We compete to some extent with the incumbent. Our shareholders care an awful lot about redundancy. Senior management has promised that our networks are redundant in the vast majority of cases and any existing lack of redundancy will be removed in short order. We buy fiber from the telco, CLECs and the power company. The telco could get redundancy cheaply from bothering to buy fiber from other sources, but they have a real "not invented here" mentality which reduces the quality of their services. If they can't justify the capital costs to pull fiber, they don't have fiber... at least in Maine. I believe in the long run, our shareholders will see a better return on investment than telco shareholders caused by issues like this. If so, capitalism works in this case. regards, fletcher
RE: Harassment (was Re: ELAN.NET ...)
Enough with this thread already.

-Original Message- From: Eric Brunner-Williams in Portland Maine [mailto:[EMAIL PROTECTED] Sent: Tuesday, November 04, 2003 9:29 AM To: Suresh Ramasubramanian Cc: Eric Brunner-Williams in Portland Maine; [EMAIL PROTECTED]; [EMAIL PROTECTED]; Booth, Michael (ENG); [EMAIL PROTECTED] Subject: Re: Harassment (was Re: ELAN.NET ...)
Again, without comment on any other issue ... hat = registrar Siegfried Langenbach's execution of some registrar-basics causes many registrars puzzlement and/or concern. I don't know of any registrants who actually transferred successfully _from_ joker/csl to a competing registrar, but I do know many registrars who've complained that they have been unsuccessful in obtaining registrant-authorized transfers from joker/csl. I don't have any direct customer experience, that's just registrars at the table/bar talk, 2nd hand. /hat Eric
RE: Hijacked IP space.
Should we, as a community, register with RIR's with PGP. Each of the RIRs has either already established, or is in the process of establishing, a CA for that purpose. Please use them. -Bill
RE: Hijacked IP space.
Should we, as a community, register with RIR's with PGP. Each of the RIRs has either already established, or is in the process of establishing, a CA for that purpose. Please use them. thanks, but i choose to have my peers certify my identity, not the rirs randy
Re: Hijacked IP space.
On 4 Nov 2003, at 10:08, Randy Bush wrote: Should we, as a community, register with RIR's with PGP. Each of the RIRs has either already established, or is in the process of establishing, a CA for that purpose. Please use them. thanks, but i choose to have my peers certify my identity, not the rirs How should your peers certify that the routes you announce are reasonable for them to receive?
Re: Rural network economics [was: Sabotage...]
On Mon, 3 Nov 2003, John Brown (CV) wrote: rural or not, capitalism will hinder redundancy unless the shareholders or the insurance companies say otherwise. YM, capitalism will foster redundancy? It does from where I sit.. matto [EMAIL PROTECTED]darwin Flowers on the razor wire/I know you're here/We are few/And far between/I was thinking about her skin/Love is a many splintered thing/Don't be afraid now/Just walk on in. #include disclaim.h
RE: Hijacked IP space.
Randy, Those options are not mutually exclusive, and, while I agree that it would be better if the RIRs accepted generic GPG keys along the lines of what RADB does, the X.509 certificate is not a bad first step. At least it's better than Mail-From or Crypt-PW. Owen

--On Tuesday, November 4, 2003 7:08 AM -0800 Randy Bush [EMAIL PROTECTED] wrote:
Should we, as a community, register with RIR's with PGP.
Each of the RIRs has either already established, or is in the process of establishing, a CA for that purpose. Please use them.
thanks, but i choose to have my peers certify my identity, not the rirs randy

-- If it wasn't signed, it probably didn't come from me.
Re: Hijacked IP space.
- Original Message - From: Joe Abley [EMAIL PROTECTED] To: Randy Bush [EMAIL PROTECTED] Cc: Bill Woodcock [EMAIL PROTECTED]; [EMAIL PROTECTED] Sent: Tuesday, November 04, 2003 10:17 AM Subject: Re: Hijacked IP space.
How should your peers certify that the routes you announce are reasonable for them to receive?
Still doesn't solve the problem of ISPs announcing out hijacked blocks. It is stupidly simple to announce out blocks you don't own. A few years ago, when I was a netadmin, we on several occasions announced out blocks we had no permission to announce out (/24s). This happened on the days after 9/11 as well when we acquired customers whose ISPs didn't survive the collapse of the NYC telco network. All it took was using the BGP request form at a large unnamed Tier 1 backbone provider, and our filters were adjusted to allow us to announce out any network we wanted to. No questions asked, no authorization forms, nothing. I've confirmed this behavior with several of the backbones. Why are these backbones allowing their T1 customers to make these kind of announcements without any kind of authorization forms or simple checking to see if it's a valid announcement for that customer? -- Brian Bruns The Summit Open Source Development Group Open Solutions For A Closed World / Anti-Spam Resources http://www.sosdg.org The AHBL - http://www.ahbl.org
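The check Brian is asking the backbones for, as an added example that is not code from this thread or from any of its posters: before a customer's filter is loosened, each requested (prefix, origin AS) pair is compared against an authorization list of (prefix, maximum length, origin AS) entries, in the style of RPKI route origin authorizations. The authorization list and the ASNs 64496-64498 are constructed stand-ins for the registered holders; the prefixes are the ones discussed in the thread.

```python
"""Origin validation for a customer's BGP prefix-filter request.

Each request is classified as valid (add it to the filter), invalid (refuse
and escalate) or unknown (nothing on file covers it, so a human must look).
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Authorization:
    """Who may originate a prefix: covering prefix, longest allowed length, origin AS."""
    prefix: IPv4Network
    max_len: int
    origin_as: int


@dataclass(frozen=True)
class Announcement:
    """A (prefix, origin AS) pair the customer asks its upstream to permit."""
    prefix: IPv4Network
    origin_as: int


def validate(ann: Announcement, auths: List[Authorization]) -> Tuple[str, str]:
    """Return ('valid' | 'invalid' | 'unknown', human-readable reason)."""
    covering = [a for a in auths if ann.prefix.subnet_of(a.prefix)]
    if not covering:
        # e.g. a registration that was deleted: do not auto-approve, escalate.
        return "unknown", "no authorization on file covers this prefix"
    for a in covering:
        if a.origin_as == ann.origin_as and ann.prefix.prefixlen <= a.max_len:
            return "valid", f"matches {a.prefix} (max /{a.max_len}) for AS{a.origin_as}"
    # Explain the failure against the most specific covering authorization.
    best = max(covering, key=lambda a: a.prefix.prefixlen)
    if best.origin_as != ann.origin_as:
        return "invalid", (f"origin AS{ann.origin_as} is not authorized; "
                           f"{best.prefix} is registered to AS{best.origin_as}")
    return "invalid", (f"/{ann.prefix.prefixlen} is more specific than the "
                       f"allowed /{best.max_len} for {best.prefix}")


def review(requests: List[Announcement],
           auths: List[Authorization]) -> Dict[str, Tuple[str, str]]:
    """Validate every entry of a filter-change request, keyed by 'prefix ASn'."""
    return {f"{r.prefix} AS{r.origin_as}": validate(r, auths) for r in requests}


def approved(requests: List[Announcement], auths: List[Authorization]) -> List[str]:
    """Only 'valid' entries should be written into the customer's prefix filter."""
    return [key for key, (status, _) in review(requests, auths).items()
            if status == "valid"]


# Constructed authorization list. AS64496-AS64498 are documentation ASNs
# standing in for the registered holders of the blocks named in the thread.
AUTHS = [
    Authorization(ip_network("204.89.0.0/21"), 21, 64496),
    Authorization(ip_network("204.89.224.0/24"), 24, 64498),
    Authorization(ip_network("199.245.138.0/24"), 24, 64497),
    # 192.107.49.0/24 is deliberately absent: the thread says ARIN deleted it.
]

# Constructed filter-change request mixing legitimate and suspect entries.
REQUESTS = [
    Announcement(ip_network("204.89.0.0/21"), 64496),     # holder, own block
    Announcement(ip_network("204.89.224.0/24"), 30080),   # wrong origin AS
    Announcement(ip_network("199.245.138.0/24"), 30080),  # wrong origin AS
    Announcement(ip_network("192.107.49.0/24"), 30080),   # nothing on file
    Announcement(ip_network("204.89.4.0/22"), 64496),     # holder, but too specific
]

if __name__ == "__main__":
    for key, (status, reason) in review(REQUESTS, AUTHS).items():
        print(f"{status:8} {key}: {reason}")
    print("approve:", approved(REQUESTS, AUTHS))
```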
Re: Hijacked IP space.
Should we, as a community, register with RIR's with PGP. Each of the RIRs has either already established, or is in the process of establishing, a CA for that purpose. Please use them. thanks, but i choose to have my peers certify my identity, not the rirs How should your peers certify that the routes you announce are reasonable for them to receive? completely orthogonal issue. but, if you have interest in the topic, you might look into sbgp. randy
RE: Hijacked IP space.
Those options are not mutually exclusive, and, while I agree that it would be better if the RIR's accepted generic GPG keys along the lines of what RADB does, the X.509 certificate is not a bad first step. At least it's better than Mail-From or Crypt-PW. Should we, as a community, register with RIR's with PGP. Each of the RIRs has either already established, or is in the process of establishing, a CA for that purpose. Please use them. thanks, but i choose to have my peers certify my identity, not the rirs the rirs already accept pgp certs. and i use them, as do all security-conscious registrants. i was disagreeing with woody's pushing x.509 certs to the exclusion of pgp certs. randy --- Q: Because it reverses the logical flow of conversation. A: Why is top posting frowned upon?
RE: Hijacked IP space.
On Tue, 4 Nov 2003, Randy Bush wrote: i was disagreeing with woody's pushing x.509 certs to the exclusion of pgp certs. Nah, you were just being disagreeable. -Bill
Re: Hijacked IP space.
On Tuesday, November 04, 2003 4:48 PM, Randy Bush [EMAIL PROTECTED] wrote: How should your peers certify that the routes you announce are reasonable for them to receive? completely orthogonal issue. but, if you have interest in the topic, you might look into sbgp. sBGP doesn't protect you from picking up garbage ... Arnold
Re: Hijacked IP space.
On Tue, 4 Nov 2003, Brian Bruns wrote: [snip] I've confirmed this behavior with several of the backbones. Why are these backbones allowing their T1 customers to make these kind of announcements without any kind of authorization forms or simple checking to see if its a valid announcement for that customer? Because confirming this isn't always trivial, and is easy to fake. Most importantly because it hasn't been a major problem, unless you consider william's ranting to be of operational impact.
RE: Hijacked IP space.
i was disagreeing with woody's pushing x.509 certs to the exclusion of pgp certs. Nah, you were just being disagreeable. thanks for the sound logical argument, woody
Re: Hijacked IP space.
Ray Wong wrote: On Mon, Nov 03, 2003 at 04:47:44PM -0500, Chris Lewis wrote: The .224/24, on the other hand, is a real sewer. I'm starting to figure that, given the delays, there's been enough damage done that 204.89.224/24 will never be able to get off the blocking lists anyway, so perhaps I'll turn it back in after all. *sigh* That's what I get for trying to find low-cost ISPs willing to announce portable space. As strange as this may seem, I still think there's hope since it's thoroughly covered by existing DNSBLs. A few POCs, and you should be able to get it delisted. Yes, there's local listings such as ours, but the number of local BLs that identify specific blocks in _advance_ of, say, SBL, should be relatively small. And we're quick to delist once we find out. But _first_, you have to get it disconnected from whoever's hijacking it now. There's no way you can get it delisted given its _current_ metrics, not a chance.
RE: Hijacked IP space.
Your statement is contrary to what we were told at the ARIN meeting by ARIN. Owen Q: Why is top posting appreciated? A: Because it allows people who've been part of the thread to identify the newest information more quickly and ignore the previous stuff they don't need for reference. However, at your request, I have avoided top posting in this message. -- If it wasn't signed, it probably didn't come from me.
RE: Hijacked IP space.
On Tue, 2003-11-04 at 10:51, Randy Bush wrote: Those options are not mutually exclusive, and, while I agree that it would be better if the RIR's accepted generic GPG keys along the lines of what RADB does, the X.509 certificate is not a bad first step. At least it's better than Mail-From or Crypt-PW. Should we, as a community, register with RIR's with PGP. Each of the RIRs has either already established, or is in the process of establishing, a CA for that purpose. Please use them. thanks, but i choose to have my peers certify my identity, not the rirs the rirs already accept pgp certs. and i use them, as do all security-conscious registrants. i was disagreeing with woody's pushing x.509 certs to the exclusion of pgp certs. randy --- I would note that the RIPE NCC, while implementing X.509 support, is moving away from the concept of running their own CA. Their X.509 support will be very PGP-like. See the following for details - http://www.ripe.net/ripe/meetings/ripe-46/presentations/ripe46-db-x509.pdf
Re: Harassment (was Re: ELAN.NET ...)
* [EMAIL PROTECTED] (Eric Brunner-Williams in Portland Maine) [Tue 04 Nov 2003, 15:26 CET]: hat = registrar Siegfried Langenbach's execution of some registrar-basics causes many registrars puzzlement and/or concern. I don't know of any registrants who actually transferred successfully _from_ joker/csl to a competing registrar, but I do know many registrars who've complained that they have been unsuccessful in obtaining registrant-authorized transfers from joker/csl. I've moved domains away from joker.com. Their form is kinda tricky (ok, very counter-intuitive) but in the end it worked. -- Niels. -- the generation that used acid to escape reality is now using antacid to deal with reality
Re: Hijacked IP space.
Larry J. Blunk wrote: On Tue, 2003-11-04 at 10:51, Randy Bush wrote: Those options are not mutually exclusive, and, while I agree that it would be better if the RIR's accepted generic GPG keys along the lines of what RADB does, the X.509 certificate is not a bad first step. At least it's better than Mail-From or Crypt-PW. Should we, as a community, register with RIR's with PGP. Each of the RIRs has either already established, or is in the process of establishing, a CA for that purpose. Please use them. thanks, but i choose to have my peers certify my identity, not the rirs the rirs already accept pgp certs. and i use them, as do all security-conscious registrants. i was disagreeing with woody's pushing x.509 certs to the exclusion of pgp certs. randy --- I would note that the RIPE NCC, while implementing X.509 support, is moving away from the concept of running their own CA. Their X.509 support will be very PGP-like. See the following for details - http://www.ripe.net/ripe/meetings/ripe-46/presentations/ripe46-db-x509.pdf Yes and no. For the RIPE Database authentication pgp and x.509 will be equally accepted with no CA involved as such. This is different from x.509 certificates the RIPE NCC issues for the members, only to authenticate themselves while accessing RIPE NCC services. Thanks, Andrei Robachevsky RIPE NCC
RE: Hijacked IP space.
On Tue, 4 Nov 2003, Bill Woodcock wrote: Should we, as a community, register with RIR's with PGP. Each of the RIRs has either already established, or is in the process of establishing, a CA for that purpose. Please use them. I'm very much for what RIRs are doing in this area (though ARIN could do PGP together with x.509 as I mentioned back in Memphis) as it will provide good security for communication to ARIN and making changes to RIR whois and other data and thus in the far future should seriously decrease possibility of hijacking even blocks when company is gone and blocks are no longer in use. But let's be clear about it, what RIRs are doing as far as pgp or x.509 are for communication between RIR and the admin of the ip space. RIRs specifically do not want to certify by digital means that particular entity has the right to that netblock. What it means is that if you have a customer that has this x.509 certificate from ARIN and they ask you to announce it, you really can not see their certificate and will have to just do regular whois like you usually do (in fact you will not even know if the ip block whois is protected by this security feature). You can not actually ask them for some digital certificate signed by ARIN showing it's their block. And these RIR signed certificates for use by 3rd parties are really what is needed for at least automated checking when peer or customer is asking to let their new announced block in and adjust the filters (we are not even talking about S-BGP here, just a way to improve the security of the process of adjusting filter to announce new routes through your network). S-BGP would be next and will also require to use these kind of certificates as well, but as others will be quick to mention, S-BGP proposal still needs some work before we could begin beta-testing it. --- William Leibzon Elan Networks [EMAIL PROTECTED]
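The "simple checking" Brian asks for and the automated pre-filter check William describes, as an added illustration (this is not code from the thread; the registry snapshot, org handles and contact flags below are constructed, and the 204.89.0.0/21 entry only mirrors the dormant block discussed earlier with a made-up org handle):

```python
"""Pre-flight check for a customer's "please let me announce X" request.

Added example, not from the thread. Before loosening a customer's BGP
prefix filter, confirm the requested prefix actually falls inside space
registered to that customer. The registry table is constructed for the
example; in practice it would come from RIR whois or IRR route objects.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Allocation:
    prefix: ipaddress.IPv4Network
    org: str              # registry org handle (constructed)
    poc_reachable: bool   # does the listed contact still answer?


# Constructed registry snapshot, not real whois data.
REGISTRY = [
    Allocation(ipaddress.ip_network("192.0.2.0/24"), "ORG-CUSTA", True),
    Allocation(ipaddress.ip_network("198.51.100.0/22"), "ORG-CUSTB", True),
    # Dormant block from the thread; org handle and contact state are made up.
    Allocation(ipaddress.ip_network("204.89.0.0/21"), "ORG-DORMANT", False),
]


def covering_allocation(pfx, registry):
    """Return the most specific allocation covering `pfx`, or None."""
    best = None
    for alloc in registry:
        if alloc.prefix.version != pfx.version:
            continue  # subnet_of() raises on mixed IPv4/IPv6 comparisons
        if pfx.subnet_of(alloc.prefix):
            if best is None or alloc.prefix.prefixlen > best.prefix.prefixlen:
                best = alloc
    return best


def check_request(customer_org, prefix, registry=REGISTRY):
    """Classify one filter-change request as (verdict, reason)."""
    try:
        pfx = ipaddress.ip_network(prefix, strict=True)
    except ValueError as exc:  # host bits set, bad mask, garbage string
        return ("reject", f"malformed prefix {prefix!r}: {exc}")
    alloc = covering_allocation(pfx, registry)
    if alloc is None:
        return ("reject", f"{pfx} is not inside any registered allocation")
    if alloc.org != customer_org:
        # The thread's case: space registered to somebody else entirely.
        return ("reject", f"{pfx} is registered to {alloc.org}, not {customer_org}")
    if not alloc.poc_reachable:
        # Registered to the customer, but whois contact is stale: confirm by hand.
        return ("hold", f"{pfx} is {customer_org}'s but the listed contact is stale")
    return ("accept", f"{pfx} lies within {alloc.prefix} registered to {customer_org}")


def build_prefix_list(customer_org, requested, registry=REGISTRY):
    """Only accepted prefixes make it into the generated customer filter."""
    return [p for p in requested
            if check_request(customer_org, p, registry)[0] == "accept"]


if __name__ == "__main__":
    for org, pfx in [("ORG-CUSTA", "192.0.2.0/25"), ("ORG-CUSTA", "204.89.4.0/24"),
                     ("ORG-DORMANT", "204.89.0.0/21"), ("ORG-CUSTB", "203.0.113.0/24")]:
        print(org, pfx, "->", *check_request(org, pfx))
```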
Re: Hijacked IP space
While it's definitely worth submitting it to completewhois and developing whatever paper trail it takes to give it back to the registrars if they don't want to keep it, another obvious stopgap would be to advertise the space, Does anyone actually have a low-cost offering to do this officially? This is almost a network operation issue, even if it's more about network non-operation. =) Part of the whole point is that people stop routing the space itself in the first place, for many reasons. In my case, it's gotten harder and harder to find ISPs who have the clue/pricing to actually route space they didn't get assigned. I'm not a big bandwidth customer, but (when budget again allows) would like to have portable space that isn't tied to a single upstream. I've received a couple offers of help, but doubt we want to advocate setting up a volunteer network of nice guy ASs. It would seem to be a relatively easy offering to make, not really any more complicated than domain name parking or any of the other services that tend to be in the add to configuration once, remove at end of service category. I do think it's worth paying a few bucks for, and would happily have done so before, even without knowing what trouble NOT advertising it would lead to. Either a parking web-site or even a null route would have simplified life dramatically. A tunnel to a residential linux/bsd box would have been nifty, if not particularly reliable or wise. Anyone? Should such a boutique offering be official somewhere or what would be the reason not to? -- Ray Wong [EMAIL PROTECTED]
RE: Hijacked IP space.
I would note that the RIPE NCC, while implementing X.509 support, is moving away from the concept of running their own CA. Their X.509 support will be very PGP-like. See the following for details - http://www.ripe.net/ripe/meetings/ripe-46/presentations/ripe46-db-x509.pdf v smart. the careful reader might have noted that i did not say i did not like x.509 certs, especially given future sbgp etc. use. there is an rfc out on use of x.509 certs in the web of trust model. randy
OT - list netiquette
At 08:16 AM 11/4/2003, Owen DeLong wrote: ignore the previous stuff they don't need for reference. If the previous stuff is ignorable, it doesn't need to be quoted. Top posting while quoting material that is ignorable is lazy and not appreciated by most participants on *this* forum. Please snip ignorable material, and then post your reply *below* what you are commenting on, so that ALL can easily participate in this forum using this standard format. jc P.S. OWEN, PLEASE STOP CC'ING ME ON REPLIES. EITHER REPLY TO ME ONLY, OR TO THE LIST (WHICHEVER YOU PREFER), BUT NOT TO BOTH. pps: Lazily clicking reply to all and sending off a message (with an unwanted *attachment* no less) cc'd to a bunch of people who don't need duplicate replies typically goes hand in hand with top posting. These are clear signs of someone who is too lazy to bother with following standard conventions, and who thinks that it's OK to do the lazy easy thing even when it inconveniences others.
Re: OT - list netiquette
JC Dill wrote: pps: Lazily clicking reply to all and sending off a message (with an unwanted *attachment* no less) cc'd to a bunch of people who don't need duplicate replies typically goes hand in hand with top posting. These are clear signs of someone who is too lazy to bother with following standard conventions, and who thinks that it's OK to do the lazy easy thing even when it inconveniences others. Most mail servers worth using discard duplicates as long as they contain the same message-id. Unfortunately this does not help discarding duplicate subjects like the monthly spam discussion. Pete
Re: OT - list netiquette
On Tue, Nov 04, 2003 at 03:31:28PM -0500, [EMAIL PROTECTED] wrote: Oh yeah: If dupes bother you, 'man procmailex' and implement dupe filtering. For one, with nanog-l delays from one to 12 hours, I like to see responses quickly.

# from the procmailex man page, this is supposed to weed out duplicate
# messages.
:0 Wh: msgid.lock
| formail -D 16384 msgid.cache

-- Jared Mauch | pgp key available via finger from [EMAIL PROTECTED] clue++; | http://puck.nether.net/~jared/ My statements are only mine.
Re: OT - list netiquette
P.S. OWEN, PLEASE STOP CC'ING ME ON REPLIES. EITHER REPLY TO ME ONLY, OR TO THE LIST (WHICHEVER YOU PREFER), BUT NOT TO BOTH. pps: Lazily clicking reply to all and sending off a message (with an unwanted *attachment* no less) cc'd to a bunch of people who don't need duplicate replies typically goes hand in hand with top posting. These are clear signs of someone who is too lazy to bother with following standard conventions, and who thinks that it's OK to do the lazy easy thing even when it inconveniences others. I've seen lots of requests in both directions, over the years. On a slow list like this, people often like to be cc'd directly. It's hard to know what to do in all situations, other than mind one's own mailbox. There are ways to filter out duplicates, and that seems (to me) to be the best. Yours, mm
Re: OT - list netiquette
On Tue, 04 Nov 2003 15:42:11 EST, Jared Mauch [EMAIL PROTECTED] said:

# from the procmailex man page, this is supposed to weed out duplicate
# messages.
:0 Wh: msgid.lock
| formail -D 16384 msgid.cache

Might want to go for 32K or 64K there, if you get a lot of mail. I just checked a folder of 6K or so messages, and the average message-id was 48 chars long. So only about 334 of them will fit in 16K (less if you allow for database overhead) - so if you're likely to get more than 250-300 messages between the two you care about dup suppression, it won't catch it.
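The cache-window failure mode Valdis describes, as an added simulation (not code from the thread): a byte-bounded message-id cache in the spirit of `formail -D maxlen idcache`. The oldest-first eviction rule and the one-byte separator per entry are assumptions made to illustrate the arithmetic, not a reading of formail's source; the message-ids are constructed.

```python
"""Simulate a byte-bounded message-id cache like `formail -D 16384 msgid.cache`.

Added example, not from the thread. Assumed model: ids are stored oldest
first with a one-byte separator, and the oldest are dropped once the
stored bytes exceed the budget. With 48-char ids, 16384 bytes hold about
334 entries, so a duplicate arriving more than ~334 messages later is missed.
"""
from collections import deque


class MsgIdCache:
    def __init__(self, max_bytes):
        self.max_bytes = max_bytes
        self._ids = deque()   # oldest id at the left
        self._bytes = 0

    def seen_before(self, msgid):
        """Return True if msgid is a duplicate; otherwise record it and return False."""
        if msgid in self._ids:
            return True
        self._ids.append(msgid)
        self._bytes += len(msgid) + 1          # +1 for the assumed separator
        while self._bytes > self.max_bytes:    # evict oldest entries to fit
            evicted = self._ids.popleft()
            self._bytes -= len(evicted) + 1
        return False

    def __len__(self):
        return len(self._ids)


def duplicate_caught(cache_bytes, gap, id_len=48):
    """Deliver one message, then `gap` distinct ones, then the first again.

    Returns True if the repeat is still recognised as a duplicate.
    """
    cache = MsgIdCache(cache_bytes)
    first = "<" + "a" * (id_len - 2) + ">"     # constructed 48-char id
    cache.seen_before(first)
    for i in range(gap):
        cache.seen_before(f"<{i:0{id_len - 2}d}>")  # distinct constructed ids
    return cache.seen_before(first)


if __name__ == "__main__":
    for size in (16384, 32768, 65536):
        for gap in (300, 340, 700):
            print(f"cache={size:6d} gap={gap:4d} caught={duplicate_caught(size, gap)}")
```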
Abovenet
Anyone know if abovenet had a major router crash in or near Seattle or some location that feeds it?? Thanks -Nakul
Re: Abovenet
Hello: On Wed, 5 Nov 2003, Nakul Malik wrote: Anyone know if abovenet had a major router crash in or near Seattle or some location that feeds it?? Thanks -Nakul There was an announcement to that effect earlier this evening, although it gave no indication of what the issue actually is/was. Mike
Re: Abovenet
http://west-boot.mfnx.net/traffic/backbone/index.html Interesting traffic hiccup today on the Seattle OC-48s There was an announcement to that effect earlier this evening, although it gave no indication of what the issue actually is/was.
Re: Hijacked IP space.
Certification of internet resource allocations is being actively considered by most if not all RIRs. In the case of APNIC, this has been regarded as a likely development since our CA project started several years ago (always subject to community agreement on appropriate standards). As it happens, the IETF PKIX working group has almost completed the certificate extension specification for this very purpose, within the S-BGP framework: http://www.ietf.org/internet-drafts/draft-ietf-pkix-x509-ipaddr-as-extn-03.txt Regardless of the deployment of S-BGP, RIRs could start issuing certificates any time after specification is completed. APNIC is currently investigating this possibility. cheers -George -- George Michaelson | APNIC Email: [EMAIL PROTECTED]| PO Box 2131 Milton QLD 4064 Phone: +61 7 3367 0490 | Australia Fax: +61 7 3367 0482 | http://www.apnic.net --- On Tue, 4 Nov 2003 09:35:23 -0800 (PST) [EMAIL PROTECTED] wrote: On Tue, 4 Nov 2003, Bill Woodcock wrote: Should we, as a community, register with RIR's with PGP. Each of the RIRs has either already established, or is in the process of establishing, a CA for that purpose. Please use them. I'm very much for what RIRs are doing in this area (though ARIN could do PGP together with x.509 as I mentioned back in Memphis) as it will provide good security for communication to ARIN and making changes to RIR whois and other data and thus in the far future should seriously decrease possibility of hijacking even blocks when company is gone and blocks are no longer in use. But lets be clear about it, what RIRs are doing as far as pgp or x.509 are for communication between RIR and the admin of the ip space. RIRs specifically do not want to certify by digital means that particular entity has the right to that netblock. 
What it means is that if you have a customer that has this x.509 certificate from ARIN and they ask you to announce it, you really can not see their certificate and will have to just do regular whois like you usually do (in fact you will not even know if the ip block whois is protected by this security feature). You can not actually ask them for some digital certificate signed by ARIN showing it's their block. And these RIR signed certificates for use by 3rd parties are really what is needed for at least automated checking when peer or customer is asking to let their new announced block in and adjust the filters (we are not even talking about S-BGP here, just a way to improve the security of the process of adjusting filter to announce new routes through your network). S-BGP would be next and will also require to use these kind of certificates as well, but as others will be quick to mention, S-BGP proposal still needs some work before we could begin beta-testing it. --- William Leibzon Elan Networks [EMAIL PROTECTED]
Copper 10 gigabit @ 15 metres
http://www.lightreading.com/document.asp?doc_id=42956site=lightreading http://grouper.ieee.org/groups/802/3/10GBCX4/ Regarding the first URL, I am curious how many networks will be interested in using a 15 metre 10GbE solution. Even for intra-MMR xconns, it seems like the cable length limit will very quickly become an obstacle. I guess it depends what price point copper 10Gb solutions enter the market at, compared to their optical counterparts.
attribution
in chicago, kc attributed this quote to me Dopeler effect: the tendency of stupid ideas to seem smarter when they come at you rapidly. the closest attribution i have is The Washington Post's Style Invitational asked readers to take any word from the dictionary, alter it by adding, subtracting, or changing one letter, and supply a new definition. randy
RE: Sabotage investigation of fiber cuts in Northwest
FWIW, the following is the notes from Qwest's outage notification on the 3rd. -- NOTES: SS7 DUAL A-LINK FAILURE UNDER INVESTIGATION BY SS7,NFC AND SWITCH. (3) OC48'S FAILED/ SUSPECT FIBER CUT BTWN BLHMWA E. STANWD RPTR/ UPGRADED TO RED DUE TO NALS/ STILL INVEST./ RR'G SS7 LINK TO RADIO OTDR INDICATES 42 N. OF STTLWA04/ TECH ENROUTE TO ESWDWA RPTR/ ETA 45MINS. TECHS ON SITE NOW / SUSPECT VANDALISM / LAW ENFORCEMENT ON SITE TECHS ARE INSIDE HUT/ CABLE IS CUT AT HUT/ CONFIRMED VANALISM INSIDE HUT TAKING PICTURES INSIDE HUT/ TEN FIBERS CUT/ LOADING EQPT. FROM TRUCK/ NO ETR FIBERS PRIORITIZED / 6 OF 10 FIBERS CUT / SPLICING WILL START IN 15MINS. FIRST FIBERS ARE SPLICED/ A-LINKS RESTORED/ BLOCKING IS ST FIRST FIBERS ARE SPLICED/ A-LINKS RESTORED/ BLOCKING IS STARTING TO CLEAR BLOCKAGE STOPPED AT 12:45 PDT / SPLICING CONTINUES CLEARING ALARMS FINAL CLEAN UP ONGOING/ 6 FIBERS SPLICE ALL ALARMS HAVE CLEARED 911 BACK ON NORMAL PATH AND TESTED. 6 FIBERS SPLICE ALL ALARMS HAVE CLEARED 911 BACK ON NORMAL PATH AND TESTED. 6 FIBERS SPLICE ALL ALARMS HAVE CLEARED 911 BACK ON NORMAL PATH AND TESTED. RESTORE DATE TIME 2003-09-03 12:28:44 PDT -- Regards, Chad Chad Skidmore One Eighty Networks http://www.go180.net 509-688-8180 -Original Message- From: Laurence F. Sheldon, Jr. [mailto:[EMAIL PROTECTED] Posted At: Monday, November 03, 2003 8:08 PM Posted To: NANOG Conversation: Sabotage investigation of fiber cuts in Northwest Subject: Re: Sabotage investigation of fiber cuts in Northwest JC Dill wrote: At 07:32 PM 11/3/2003, John Fraizer wrote: On Mon, 3 Nov 2003, Owen DeLong wrote: Maybe I'm missing something, but, if you have the bolt cutters, I don't see why you need the key to an adjacent lock or any of the locks. Um, cutting a lock out gets it out of the mix but, you still have to have the key to one of the other locks to complete the chain again. Think about it. A cut lock can be replaced with a similar replacement lock and usually no one will be the wiser. 
Look at the locks here: http://www.qsl.net/kf4lhp/telweb/microwave/kiv70/padlocks.jpg The lock marked ATC is between 2 other locks (that's a hasp to its left, with rusty chain further to the left). It could be cut and replaced with a similar lock linking the other two locks, without opening either of the other two locks. On gates with many locks (I've seen chains of 6 or more), there is rarely any interest given to the locks that are not one's own responsibility. I wonder if that Bell System (F7?) is ever unlocked anymore.
RE: Copper 10 gigabit @ 15 metres
http://www.lightreading.com/document.asp?doc_id=42956site=lightreading http://grouper.ieee.org/groups/802/3/10GBCX4/ Regarding the first URL, I am curious how many networks will be interested in using a 15 metre 10GbE solution. Even for intra-MMR xconns, it seems like the cable length limit will very quickly become an obstacle. I guess it depends what price point copper 10Gb solutions enter the market at, compared to their optical counterparts. Until the distances become reasonable, it will probably be a connection of opportunity. Instead of nxGE you can use 1x10GE for an MMR x-connect. The question is will people be converting 10GE copper to fiber to bridge the distances and then back? There are no highly dense 10GE platforms that I can think of right now, much less cost effective ones. DJ