Re: .ORG Registrar ID List (was: Stupid .org registry code change)
On Mon, 22 Dec 2003, Mike Lewinski wrote:

> Bruce Beckwith wrote:
>
> > You should deal with a registrar for this information, since that is one
> > of the services they can provide for you.
>
> Right, but in a case where my client inherited a domain from their
> predecessor, and has no idea who their registrar is, I seem to be in a
> catch-22. This was my purpose in issuing a whois query to begin with:
> to learn which registrar they need to contact to make DNS authority changes.
>
> OTOH, if you are suggesting that I should contact *my* registrar of
> choice to obtain this information... this seems more than a little
> ridiculous (to me at least, and I suspect OpenSRS is not going to
> appreciate getting a new support ticket every time I want to do a whois
> to figure out what other registrar has a domain that my client doesn't
> even intend to transfer to them).

Actually your registrar of choice should be able to easily get this
information. However, if your registrar is just doing things to keep prices
as low as possible then they probably won't appreciate being asked to do
this sort of thing (there is a reason to use the more expensive registrars).

> Why should I {e-mail|call} to get what used to be available with a
> simple whois query?

Is there a standard for a whois query? If not, you are kind of screwed. You
have just been relying on things staying the same and been "lucky" so far
that they haven't changed much.

> What have we gained by making this process even more
> complicated? I have no beef with the use of Registrar IDs, I'm sure
> there are benefits to using them. But I do think that they are a poor
> substitute for what used to be human-readable information.

This I agree with. However, my .org domain and a couple of others I work
with (that are at different registrars) all have the same output if you use
"whois -h whois.pir.org domainname.org". Different registrars at the
.com/.net level have different outputs, so I can't see where this would be
a difficult problem.

bye,
ken emery
Re: .ORG Registrar ID List (was: Stupid .org registry code change)
Bruce Beckwith wrote:

> You should deal with a registrar for this information, since that is one
> of the services they can provide for you.

Right, but in a case where my client inherited a domain from their
predecessor, and has no idea who their registrar is, I seem to be in a
catch-22. This was my purpose in issuing a whois query to begin with: to
learn which registrar they need to contact to make DNS authority changes.

OTOH, if you are suggesting that I should contact *my* registrar of choice
to obtain this information... this seems more than a little ridiculous (to
me at least, and I suspect OpenSRS is not going to appreciate getting a new
support ticket every time I want to do a whois to figure out what other
registrar has a domain that my client doesn't even intend to transfer to
them).

Why should I {e-mail|call} to get what used to be available with a simple
whois query? What have we gained by making this process even more
complicated? I have no beef with the use of Registrar IDs, I'm sure there
are benefits to using them. But I do think that they are a poor substitute
for what used to be human-readable information.

> If you are interested in the cross-reference list, please see
> http://www.pir.org/whois_search/registrar_whois_ids, which can be accessed
> via the link at http://www.pir.org/whois_search/. In addition, if you
> choose to use the web-based whois, then you can use the link on the whois
> output for the registrar - so for example, the domain nanog.org is at
> http://www.pir.org/cgi-bin/whois.cgi?yes_popup_flag=0&whois_query_field=domain+NANOG.ORG,
> and using the link for Sponsoring Registrar, in this example
> "NSI(R63-LROR)" will give information on how to reach the registrar - see
> http://www.pir.org/cgi-bin/whois.cgi?yes_popup_flag=0&whois_query_field=registrar+id+R63-LROR.

Thanks, but again this seems unnecessarily complicated. Why can't your
whois server do this for me as .com/.net are, and .org used to be? I.E.

$ whois rockynet.com

Whois Server Version 1.3

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

   Domain Name: ROCKYNET.COM
   Registrar: TUCOWS, INC.                <- This is all I really need
   Whois Server: whois.opensrs.net        <- but this is helpful too
   Referral URL: http://www.opensrs.org   <- this is icing on the cake :)

At the very least, I think it's only reasonable for the pir.org whois
server to provide some basic help text on where to get more information,
i.e. as Tim Wilde pointed out:

For more information do a 'whois -h whois.pir.org "registrar id r11-lror"'

If I knew a bit more C, I'd hack my copy of whois to do this for me
automagically. For now I guess I'll live with having to do two whois
queries to get the information I need (I'm stubborn and would rather not
use the web-based whois, since I'm already in the shell for the
corresponding digs and named configuration- that's what I liked about
whois, it was a nice general purpose tool that could tell me certain
things about any domain with one simple query).

Mike
Re: northeast fiber cut
On Tue, 23 Dec 2003 00:04:18 EST, Alex Rubenstein <[EMAIL PROTECTED]> said:

> b) is it me, or does it seem the number of fiber cuts per time period is
> decreasing, or does sean donelan no longer have an email client?

Wait till April, the traditional mating season of backhoes and other
construction equipment, when the male backhoes seek to impress the females
with how much dirt (and rock, and cable) they can move in one shot.
northeast fiber cut
Circuits we had that were affected by the fiber cut in NJ/PA have been
coming up over the last hour.

Two notes:

a) anyone know of where this happened, specifically, and also what
actually happened? I heard ?langhorne?, pa, and two 288 bundles were
affected, MFN had to dig to find it -- if that's the case, what causes
fiber to magically go boom?

b) is it me, or does it seem the number of fiber cuts per time period is
decreasing, or does sean donelan no longer have an email client?
Re: Extreme spam testing
On Mon, 22 Dec 2003 15:01:35 EST, Chris Brenton <[EMAIL PROTECTED]> said:

> Except it's broken because the message in question was not spam. It was a
> technical post to the NANOG mailing list that triggered the 100+ port

Chris - please see if you can find out if it *was* your message. A few
weeks ago, I posted a note to NANOG, and somebody on the list is infected
with malware that took the From/To/CC list and stuck them onto a spam for
"enhancement pills". In near real-time no less - the site that caught it
had its "your note has been quarantined" notice to me some 8 minutes after
I hit 'send'. When they fished it out of quarantine, it did indeed have my
NANOG headers joe-job glued onto the spam.
Re: Extreme spam testing
Andy Dills writes on 12/22/2003 7:33 PM:

> Oh, sure have. Spews has listed an entire /19 of ours before, merely
> because of a multi-stage relay (customer had an open relay configured to
> dump everything to our mailserver).

As far as I have seen, that is not the typical reason for a spews nom.
Spews seems to target a fairly similar crowd to what (say) the SBL targets,
but uses a rather wider brush.

To forestall further discussion on this, I'd suggest reading
http://www.scconsult.com/bill/dnsblhelp.html - especially
http://www.scconsult.com/bill/dnsblhelp.html#4-20

srs
--
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations
Re: Bay area Earthquake
On Mon, 22 Dec 2003 [EMAIL PROTECTED] wrote:

> foxnews reporting 6.5 on the richter scale
>
> can't get more info than that

http://quake.wr.usgs.gov/recenteqs/Maps/121-36.html

It was quite noticeable in Santa Barbara. Building swayed for a good 30
seconds, localized power failures for a few hours.

--
Jay Hennigan - CCIE #7880 - Network Administration - [EMAIL PROTECTED]
WestNet: Connecting you to the planet.  805 884-6323  WB6RDV
NetLojix Communications, Inc.  -  http://www.netlojix.com/
Bay area Earthquake
foxnews reporting 6.5 on the richter scale

can't get more info than that
Re: Request for submissions: messy cabling and other broken things
Sorry this is a bit blurred being from my phone but this is recent from
telehouse london, the area under the floor is about 2ft6 deep

http://www.thedogsbollocks.co.uk/pictures/opalpops/P7090001.JPG

On Mon, 22 Dec 2003, Russel Callen wrote:

> i've started taking pictures of the places i've worked, since I was proud
> of one...and entertained by another. you can decide which is which:
>
> http://gallery.arxys.net/gallery/Cogent/IMGP0320
> http://gallery.arxys.net/gallery/Cogent/IMGP0322
>
> http://gallery.arxys.net/gallery/Rivien/main_LAN_rack
> http://gallery.arxys.net/gallery/Rivien/LAN_2
> http://gallery.arxys.net/gallery/Rivien/main_rack_front_1
> http://gallery.arxys.net/gallery/Rivien/main_LAN_back
>
> Eric Kuhnke said:
>
> > Sometimes illustrating the way a job should *not* be done is a powerful
> > educational tool. I have collected a gallery of messy and ridiculous
> > cabling jobs:
> >
> > http://gallery.colofinder.net/shameful-cabling
> >
> > my favorite (not horrible, but funny):
> > http://gallery.colofinder.net/shameful-cabling/cables
> >
> > Anonymous submissions can be sent to [EMAIL PROTECTED] , equipment
> > labels and faces will be blurred if requested.
Re: Minimum Internet MTU
On Mon, 2003-12-22 at 19:10, Stephen J. Wilcox wrote:

> What's IP over DNS, 512 bytes.. wouldn't want to kill my hotel access now huh?

LOL! And lest we forget RFC 1149. I think this limits carrier pigeon MTU
to 256 milligrams. ;-)

C
Re: Extreme spam testing
On Mon, 2003-12-22 at 16:55, Andy Dills wrote:

> > This is going to sound really snippy, but who died and made them
> > god/goddess of the Internet? Where is the document trail empowering them
> > to be spam cops of the Internet with absolute authority to probe who
> > ever they see fit?
>
> This is a can of worms with no answer. Who gives authority to IANA for
> that matter?

That was my point. I was responding to someone that was implying that
njabl was doing this for the benefit of everyone and thus had some
authority to do so. Obviously that's not the case.

> > Humm. This is something I have not run into before. Can you supply a URL
> > that explains how to relay mail through a Telnet or RADIUS server?
>
> No, but I can supply a URL that explains how to change the port that proxy
> servers bind to. I don't think you actually need that, though.
>
> You really think people who professionally hack servers and setup spam
> relay proxies put them on the standard ports?

Again, this was my point. Finding out if I have an exposed RADIUS server is
not really evidence that I'm running an open SMTP proxy. So where does it
stop? Scanning all 65K ports? Full OS fingerprinting to shun the most
compromised OS's? Maybe we insist on being provided with root access to
verify the box as being clean before we accept their e-mail? This slope can
get pretty scary.

> > LOL! I see, this is my fault because I actually take steps to secure my
> > environment. ;-)
>
> No, but it is your fault for overreacting to your IDS.

I honestly don't think I overreacted. My original post labeled the traffic
as simply "interesting" and I stated I was posting it in case others were
interested and had not noticed it in their logs. No call to arms, flames,
or rants for wide spread blacklisting, just an FYI in case others found the
info useful.

> Security doesn't require an IDS. An IDS merely tells you who's checking
> your doorknobs to see if they're locked. If you do a good enough job
> keeping your doors locked, an IDS is little more than a touchy doorbell at
> 3 AM, being tripped by the wind.

An IDS is more like an empty box. One person may look at it and see a
simple storage device. Show it to a 5 year old however and it becomes a
boat, a plane, a car, a castle, etc. etc. etc.

I mentioned in another thread that I've caught plenty of 0-day stuff with
my IDS. In other words, stuff that had no known signatures or patches. It's
also helped me out in a fair amount of troubleshooting. It's all a matter
of being inventive and knowing what to look for.

If you perceive your IDS to be "little more than a touchy doorbell", I
would highly recommend attending SANS IDS training. It'll open your mind
and show you a wealth of other possibilities.

Regards,
Chris
Re: Trace and Ping with Record Option on Cisco Routers
On Mon, 2003-12-22 at 18:18, Crist Clark wrote:

> [EMAIL PROTECTED] wrote:
> >
> > Hey, Group.
> >
> > In my production network, I'm trying to do some extended traces and pings with the
> > record option turned on to see what route my packets take going and returning.
> > It's not working. If I do the extended traceroute or ping without the record
> > option, it works fine. There is a firewall (PIX) a few hops in front of the
> > destination I'm trying to record the route for. What part of ICMP is this that
> > needs to be opened on the firewall to allow this to come back? First time I'm
> > coming across this.
>
> It's not ICMP. It's the IP Options. Most firewalls will drop any
> packet with IP Options.

Actually, I've done some testing on this. Most firewalls completely ignore
options and do not allow you to filter them. I've found quite a few NAT
firewalls that you can easily bounce over using loose source routing. The
exceptions I've found are PIX, IPFilter, pf and iptables.

Cisco IOS has a new "ip options drop" command, but I have not tried it.
Older versions of IOS would let you do rudimentary option filtering via
ACLs, but I don't remember record route as being one of the possible
options.

So I would also guess that the PIX is the culprit. You can try disabling
the options drop to see if that helps, and check the ACLs to see if options
are being filtered. Either way you can confirm this is where you are losing
the packet by taking some traces or checking the logs.

HTH,
C
Re: Extreme spam testing
On Mon, 22 Dec 2003, Vadim Antonov wrote:

> On Mon, 22 Dec 2003, Andy Dills wrote:
>
> > Hmm...actually, YOUR spam is MY problem. That's how this works.
> >
> > I applaud njabl.
>
> Then you've never been on the receiving end of their (and their ilk)
> vigilante "justice" for no reason other than being in the same block of
> addresses as some hacked windoze host (NOT on your network, mind you) and
> using business-grade DSL.

Oh, sure have. Spews has listed an entire /19 of ours before, merely
because of a multi-stage relay (customer had an open relay configured to
dump everything to our mailserver).

NJABL isn't Spews. To my knowledge, NJABL doesn't write off entire
subnets...thus the need for scanning so many IPs. It's possible you were
grouped in with dynamic IP DSL...but from the njabl.org website:

http://www.njabl.org/listing.html

"2. If an IP is listed because we think it's in a dial-up range, show us
that it not. If it really is a dial-up, it'll most likely remain in the
list, but we may add non-dial-up range IP's to the list thinking they are
dial-up range IP's. In these cases, we'll be happy to correct the error."

> I wish you had an opportunity to try that being YOUR problem, _then_
> we'll hear your opinion on spam nazis.

Having used NJABL for well over a year, the collateral damage is almost
nil. I'm well aware of the issues involved. I still think proactive
scanning is better than reactive scanning. I'm also completely aware that
others will disagree with that sentiment.

It's not really something that's worth our time debating, we may as well
debate abortion. You're either offended that somebody is probing your
systems or you aren't. No amount of conjecture is going to change an
opinion on this issue. But I felt somebody needed to stick up for them,
lest people think there is some sort of consensus.

Andy

---
Andy Dills
Xecunet, Inc.
www.xecu.net
301-682-9972
---
.ORG Registrar ID List (was: Stupid .org registry code change)
Mike,

You should deal with a registrar for this information, since that is one of
the services they can provide for you.

If you are interested in the cross-reference list, please see
http://www.pir.org/whois_search/registrar_whois_ids, which can be accessed
via the link at http://www.pir.org/whois_search/. In addition, if you choose
to use the web-based whois, then you can use the link on the whois output
for the registrar - so for example, the domain nanog.org is at
http://www.pir.org/cgi-bin/whois.cgi?yes_popup_flag=0&whois_query_field=domain+NANOG.ORG,
and using the link for Sponsoring Registrar, in this example "NSI(R63-LROR)"
will give information on how to reach the registrar - see
http://www.pir.org/cgi-bin/whois.cgi?yes_popup_flag=0&whois_query_field=registrar+id+R63-LROR.

I will pass on your offer of career advice ;-)

Regards,
Bruce

Bruce W. Beckwith
VP, Operations
Public Interest Registry
1775 Wiehle Avenue
Suite 102A
Reston, VA 20190
v: +1 703.464.7005 x105
[EMAIL PROTECTED]

-----Original Message-----
From: Michael Lewinski [mailto:[EMAIL PROTECTED]
Sent: Monday, December 22, 2003 6:19 PM
To: [EMAIL PROTECTED]
Subject: Stupid .org registry code change

During the recent changes to .org, whois stopped being useful for what I
need.

> Sponsoring Registrar:R11-LROR

All I really want to know is the Registrar's name/URL to tell my client so
they can modify their nameservers.

Does anyone have:

1) A URL to the table that will allow me to lookup a name from the above
code (or better, a hack to whois that will do said lookup for me)?

2) The e-mail address where I should send my suggestion that the person who
came up with this brilliant scheme needs to pursue a new career in a non-IT
related field?

TIA,
Mike
ALLTEL contact?
Sorry for the noise, but I'm having trouble getting a router on an ALLTEL
circuit configured correctly and I am getting caught in the level one
support net. Can a clueful ALLTEL network engineer please contact me off
list?

Thanks,
Allan
Re: Minimum Internet MTU
> You mean like everyone who's still running TCP/IP over AX.25 in the
> ham radio community? They're generally technically adept and good at
> complaining...

I'm sure rbush would encourage his competitors to do this.

What's IP over DNS, 512 bytes.. wouldn't want to kill my hotel access now huh?

Steve
Re: Stupid .org registry code change
On Mon, Dec 22, 2003 at 04:18:37PM -0700, Michael Lewinski wrote:

> > Sponsoring Registrar:R11-LROR
>
> All I really want to know is the Registrar's name/URL to tell my client
> so they can modify their nameservers.
>
> Does anyone have:
>
> 1) A URL to the table that will allow me to lookup a name from the
> above code (or better, a hack to whois that will do said lookup for
> me)?

http://www.google.com/search?hl=en&lr=&ie=UTF-8&oe=UTF-8&q=R11-LROR+registrar

which finds:

http://www.orgtransition.info/whois/registrar_list

--
Ray Wong
[EMAIL PROTECTED]
Re: Extreme spam testing
On Mon, 22 Dec 2003, Andy Dills wrote:

> Hmm...actually, YOUR spam is MY problem. That's how this works.
>
> I applaud njabl.

Then you've never been on the receiving end of their (and their ilk)
vigilante "justice" for no reason other than being in the same block of
addresses as some hacked windoze host (NOT on your network, mind you) and
using business-grade DSL.

I wish you had an opportunity to try that being YOUR problem, _then_ we'll
hear your opinion on spam nazis.

Oh, and I usually get it fixed by forcing postmasters on the receiving end
to stop using offending lists, sometimes by forging "spam" from them (yes,
Virginia, the one-way TCP hack works) - when it's for some reason important
to me to communicate with their customer, and the a*le running the
mailserver is immune to reason.

--vadim
RE: Stupid .org registry code change
Strangely enough, PIR doesn't recognize that one... Google-mining seems to
indicate that it's TUCOWS/OPENSRS, but I won't swear to that.

As for actually contacting someone to get it fixed, considering past
experience I think nothing short of a public outcry is going to draw
attention to the problem, and whois issues might be just a little too
esoteric for NYT/WP/CNET coverage...

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Lewinski
Sent: Monday, December 22, 2003 6:19 PM
To: [EMAIL PROTECTED]
Subject: Stupid .org registry code change

During the recent changes to .org, whois stopped being useful for what I
need.

> Sponsoring Registrar:R11-LROR

All I really want to know is the Registrar's name/URL to tell my client so
they can modify their nameservers.

Does anyone have:

1) A URL to the table that will allow me to lookup a name from the above
code (or better, a hack to whois that will do said lookup for me)?

2) The e-mail address where I should send my suggestion that the person who
came up with this brilliant scheme needs to pursue a new career in a non-IT
related field?

TIA,
Mike
Re: california quake
On Mon, Dec 22, 2003 at 11:27:01AM -0800, Scott Granados wrote:

> Apparently there was just a 6.4 quake in central california.
>
> We felt it here in San Jose but it's probably too minor up here to cause any
> disruptions. However closer to the center there may be.

We felt it pretty good here in San Luis Obispo. Listening to local public
service radio reports it sounds like mostly chimneys and minor gas leaks
and structure damage to older buildings. An air conditioning unit on the
roof of the Bank of America downtown was smoking just a few minutes ago and
was handled by city FD with no problems.

Damage to the north of us in Paso Robles is the real deal, collapsed
buildings and all, fatalities according to CNN. This is probably what
you're seeing on news reports.

Here in San Luis Obispo cell phones became immediately useless, presumably
due to high call volumes. We (AS 12273) had no wireline telco outages at
all, and our colo provider (AS 14589 across town also in San Luis Obispo)
went unscathed as well. Power was unstable for a few minutes but only very
small parts of the city lost power for more than a few minutes, nothing the
UPSes couldn't handle.

--
-Will :: AD6XL Orton :: http://www.loopfree.net/
Re: Minimum Internet MTU
> I'm working with a few folks on firewall and IDS rules that will flag
> suspicious fragmented traffic. I know the legal minimum of a
> non-terminal fragment is 28 bytes, but given non-terminals should
> reflect the MTU of the topologies along the link, this number is far
> lower than what I expect you should see for legitimate fragmentation in
> the wild.
>
> A few years back I noted some 512-536 MTU links in ASIA. I've been doing
> some testing and can't seem to find them anymore. Is it safe to assume
> that 99.9% of the Internet is running on 1500 MTU or higher these days?

there are many deployments of DSL-based layer 2 providers, which use L2TP
(or whatever) tunnelling as well as PPPoE to associate end clients to
layer 3 ISPs. they enforce MTUs like 1450 or lower. in Japan, NTT
east/west (NTT is a previously-government-owned telco) provide such
service and enforce an MTU of 1454.

itojun
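Two header-level checks come up in these threads: in the "Trace and Ping with Record Option" thread Crist Clark and Chris Brenton describe firewalls dropping (or failing to filter) packets that carry IP options such as record route and loose/strict source route, and the IDS work quoted above wants to flag non-terminal fragments far smaller than any real link MTU would produce. The Python below is an added example, not code from any of the posts: it parses an IPv4 header, decodes the option TLVs, and reports both conditions the way a firewall or IDS rule would. The 28-byte legal minimum is the figure quoted above; the 512-byte threshold used in the demo is a policy choice (an assumption) drawn from the smallest MTUs the thread mentions, and the sample packets are constructed inline.

```python
"""Flag IPv4 packets carrying IP options or undersized non-terminal fragments.

Added example for the NANOG threads on record-route/IP options and on
minimum MTU; not code from the posts.  Sample packets are constructed below.
"""
import struct

# Option type codes from RFC 791 (RA is RFC 2113).  A type byte is
# copied-flag (1 bit) | class (2 bits) | number (5 bits).
OPTION_NAMES = {0: "EOL", 1: "NOP", 7: "RR", 68: "TS",
                130: "SEC", 131: "LSRR", 137: "SSRR", 148: "RA"}
ROUTING_OPTIONS = {7, 131, 137}      # the ones that steer or record the path

# Legal minimum quoted in the thread: 20-byte header plus one 8-byte block.
MIN_NONTERMINAL_FRAGMENT = 28


def parse_options(raw):
    """Decode the option area of an IPv4 header into (type, data) tuples."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                     # End of Option List: stop here
            opts.append((kind, b""))
            break
        if kind == 1:                     # NOP is a single byte
            opts.append((kind, b""))
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("option without a length byte")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("option length runs past the header")
        opts.append((kind, raw[i + 2:i + length]))
        i += length
    return opts


def parse_ipv4(packet):
    """Return (header fields, options) for a raw IPv4 packet."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _tos, total_len, ident, frag_word, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = vihl >> 4, (vihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("bad version or header length")
    fields = {
        "ihl": ihl, "total_len": total_len, "id": ident, "proto": proto,
        "df": bool(frag_word & 0x4000), "mf": bool(frag_word & 0x2000),
        "frag_offset": (frag_word & 0x1FFF) * 8,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
    }
    return fields, parse_options(packet[20:ihl])


def assess(packet, min_nonterminal=MIN_NONTERMINAL_FRAGMENT):
    """Findings a firewall or IDS rule would act on, in header order."""
    fields, options = parse_ipv4(packet)
    findings = []
    for kind, _data in options:
        if kind in ROUTING_OPTIONS:
            findings.append(f"routing option {OPTION_NAMES[kind]} present")
        elif kind not in (0, 1):          # EOL and NOP are padding, not options
            findings.append(f"IP option {OPTION_NAMES.get(kind, kind)} present")
    if fields["mf"]:                      # More Fragments: a non-terminal fragment
        if fields["total_len"] < min_nonterminal:
            findings.append(f"non-terminal fragment shorter than {min_nonterminal} bytes")
        if (fields["total_len"] - fields["ihl"]) % 8:
            findings.append("non-terminal fragment payload not a multiple of 8")
    return findings


def build_ipv4(payload, options=b"", flags_offset=0,
               src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Constructed test packet; options padded to 32 bits, checksum left 0."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)
    ihl = 20 + len(options)
    header = struct.pack("!BBHHHBBH4s4s", 0x40 | (ihl // 4), 0,
                         ihl + len(payload), 0x1234, flags_offset, 64, 1, 0,
                         src, dst)
    return header + options + payload


# Constructed samples: a record-route probe, an LSRR packet, a legal 8-byte
# first fragment, and a 4-byte fragment that breaks both size rules.
RR_OPTION = bytes([7, 7, 4]) + b"\x00" * 4        # type, len, pointer, one slot
LSRR_OPTION = bytes([131, 7, 4, 192, 0, 2, 1])    # one hop: 192.0.2.1 (TEST-NET-1)
SAMPLES = {
    "record route": build_ipv4(b"\x00" * 8, options=RR_OPTION),
    "loose source route": build_ipv4(b"\x00" * 8, options=LSRR_OPTION),
    "legal fragment": build_ipv4(b"\x00" * 8, flags_offset=0x2000),
    "tiny fragment": build_ipv4(b"\x00" * 4, flags_offset=0x2000),
}

if __name__ == "__main__":
    # 512 is a policy threshold (an assumption) based on the smallest MTUs the
    # thread mentions, not the protocol minimum of 28.
    for name, pkt in SAMPLES.items():
        print(f"{name:20s} {assess(pkt, min_nonterminal=512) or ['clean']}")
```

With the default 28-byte threshold the 8-byte "legal fragment" passes and only the 4-byte one is reported; raising the threshold to 512 turns the policy the poster describes into a rule that also catches small first fragments from links no real MTU would explain.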
Re: Stupid .org registry code change
On Mon, 22 Dec 2003, Tim Wilde wrote:

> whois -h whois.pir.org "registry id r11-lror"

It would help if I could type. s/registry/registrar/ - sorry.

Tim

--
Tim Wilde
[EMAIL PROTECTED]
Systems Administrator
Dynamic DNS Network Services
http://www.dyndns.org/
Re: Stupid .org registry code change
On Mon, 22 Dec 2003, Michael Lewinski wrote:

> During the recent changes to .org, whois stopped being useful for what
> I need.
>
> > Sponsoring Registrar:R11-LROR
>
> All I really want to know is the Registrar's name/URL to tell my client
> so they can modify their nameservers.
>
> Does anyone have:
>
> 1) A URL to the table that will allow me to lookup a name from the
> above code (or better, a hack to whois that will do said lookup for
> me)?

whois -h whois.pir.org "registry id r11-lror"

Or your whois-implementation-specific version of same.

Can't help you on the clueful contact at PIR.

--
Tim Wilde
[EMAIL PROTECTED]
Systems Administrator
Dynamic DNS Network Services
http://www.dyndns.org/
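The two whois queries Mike would like folded into one tool, as an added example in Python (not code from anyone in this thread): query the domain at whois.pir.org, pull the R<n>-LROR id out of the Sponsoring Registrar line, then issue Tim's "registrar id" query (with the registrar-not-registry spelling from his follow-up) and parse the reply into fields. The server name, the "Sponsoring Registrar:R11-LROR" line and the "registrar id" query come from the thread; the field names in the registrar record, the constructed sample records and the offline_query stand-in are assumptions, since the exact layout of PIR's registrar record is not shown here.

```python
"""Two-step .org registrar lookup over the whois protocol (RFC 3912, TCP/43).

Added example, not code from the NANOG thread.  whois.pir.org, the
"Sponsoring Registrar:R11-LROR" line and the "registrar id <ID>" query are
from the thread; the field names in the constructed registrar record are
assumptions.
"""
import re
import socket
import sys

PIR_WHOIS = "whois.pir.org"

# Matches "Sponsoring Registrar:R11-LROR" (command-line form, no space) and
# "Sponsoring Registrar: NSI(R63-LROR)" (web form) alike.
_SPONSOR_RE = re.compile(r"^Sponsoring Registrar:.*?(R\d+-LROR)",
                         re.MULTILINE | re.IGNORECASE)


def whois_query(server, query, port=43, timeout=10.0):
    """Send one whois query and return the raw text response."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def extract_registrar_id(domain_record):
    """Pull the R<n>-LROR id out of a PIR domain record, or None."""
    match = _SPONSOR_RE.search(domain_record)
    return match.group(1).upper() if match else None


def parse_fields(record):
    """Turn 'Key: Value' lines into a dict; the first value for a key wins."""
    fields = {}
    for line in record.splitlines():
        if ":" not in line or line.lstrip().startswith(("%", "#")):
            continue                      # skip blanks and server comments
        key, _, value = line.partition(":")
        fields.setdefault(key.strip(), value.strip())
    return fields


def lookup_org_registrar(domain, server=PIR_WHOIS, query_fn=None):
    """Query the domain, then the registrar id it names; return (id, fields)."""
    if query_fn is None:
        def query_fn(q, _server=server):
            return whois_query(_server, q)
    domain_record = query_fn(domain)
    reg_id = extract_registrar_id(domain_record)
    if reg_id is None:
        raise ValueError(f"no Sponsoring Registrar id in record for {domain}")
    return reg_id, parse_fields(query_fn(f"registrar id {reg_id}"))


# Constructed sample records for running offline.  The Sponsoring Registrar
# line is verbatim from the thread; the registrar record's field names are
# assumptions, not PIR's actual format.
SAMPLE_DOMAIN_RECORD = """\
Domain Name:EXAMPLE.ORG
Sponsoring Registrar:R11-LROR
Name Server:NS1.EXAMPLE.ORG
"""
SAMPLE_REGISTRAR_RECORD = """\
% constructed record, field names are assumptions
Registrar ID:R11-LROR
Registrar Name:Example Registrar, Inc.
Registrar URL:http://registrar.example/
"""


def offline_query(query):
    """Stand-in for whois_query that serves the constructed records above."""
    if query.lower().startswith("registrar id "):
        return SAMPLE_REGISTRAR_RECORD
    return SAMPLE_DOMAIN_RECORD


if __name__ == "__main__":
    # With a domain argument do the two real queries against whois.pir.org;
    # without one, run against the constructed records.
    if len(sys.argv) > 1:
        reg_id, fields = lookup_org_registrar(sys.argv[1])
    else:
        reg_id, fields = lookup_org_registrar("example.org", query_fn=offline_query)
    print(f"Sponsoring Registrar: {reg_id}")
    for key, value in fields.items():
        print(f"  {key}: {value}")
```

Keeping the network call behind query_fn is what makes the parsing testable offline; the same pattern lets a monitoring script swap in a cached copy of the registrar table rather than hitting the registry's whois server on every run.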
Stupid .org registry code change
During the recent changes to .org, whois stopped being useful for what I
need.

> Sponsoring Registrar:R11-LROR

All I really want to know is the Registrar's name/URL to tell my client so
they can modify their nameservers.

Does anyone have:

1) A URL to the table that will allow me to lookup a name from the above
code (or better, a hack to whois that will do said lookup for me)?

2) The e-mail address where I should send my suggestion that the person who
came up with this brilliant scheme needs to pursue a new career in a non-IT
related field?

TIA,
Mike
Re: Trace and Ping with Record Option on Cisco Routers
> [EMAIL PROTECTED] wrote:
>
> Hey, Group.
>
> In my production network, I'm trying to do some extended traces and pings with the
> record option turned on to see what route my packets take going and returning. It's
> not working. If I do the extended traceroute or ping without the record option, it
> works fine. There is a firewall (PIX) a few hops in front of the destination I'm
> trying to record the route for. What part of ICMP is this that needs to be opened
> on the firewall to allow this to come back? First time I'm coming across this.

It's not ICMP. It's the IP Options. Most firewalls will drop any packet
with IP Options. Many firewalls will not let you turn this off. I do not
know how to allow IP Options through a PIX, but I know how to do it in
Cisco IOS.

--
Crist J. Clark                                [EMAIL PROTECTED]
Globalstar Communications                     (408) 933-4387
Re: Trace and Ping with Record Option on Cisco Routers
I believe source routing must be permitted in order for the record route to
function. Otherwise the packet is dropped.

Chris

On Mon, 2003-12-22 at 16:45, [EMAIL PROTECTED] wrote:

> Hey, Group.
>
> In my production network, I'm trying to do some extended traces and
> pings with the record option turned on to see what route my
> packets take going and returning. It's not working. If I do
> the extended traceroute or ping without the record option, it works
> fine. There is a firewall (PIX) a few hops in front of the
> destination I'm trying to record the route for. What part of ICMP is
> this that needs to be opened on the firewall to allow this to come
> back? First time I'm coming across this.
>
> Thanks,
> Danny
Re: A headsup re Verizon Wireless paging
"Michael R. Wayne" wrote: > > Summary: > If you use Verizon Wireless pagers (pagers with an @myairmail.com > email address) to monitor your network, your alerts may be blocked > without notice. > [snip] > I did get a call back as promised. I mentioned that they were not > filtering on address but the entire messaged and got an: > "Oh, I knew that" (would have been nice of him to TELL me). > He claimed that the block would be removed either later Friday > night, Saturday morning at the latest. Pages were still being > blocked Friday night and Saturday morning but a test page sent this > morning worked OK. Please explain the reason why you continue to use this terribly unreliable service again.
Re: Extreme spam testing
On Mon, 22 Dec 2003, Chris Brenton wrote:

> > If we have a single entity that does all
> > this scanning, we as individual entities do not need to scan ourselves.
>
> This is going to sound really snippy, but who died and made them
> god/goddess of the Internet? Where is the document trail empowering them
> to be spam cops of the Internet with absolute authority to probe who
> ever they see fit?

This is a can of worms with no answer. Who gives authority to IANA for that
matter? We're dealing with protocols, not laws. If you don't like X
person's traffic, you have 100% authority to filter it. That's the sole
authority on the internet.

You'd be hard pressed to frame what NJABL does in terms of "abuse", because
of the intent, and because of the actual bit volume involved. Since you
can't call it abuse, NJABL's upstream has no reason to swing the abuse
hammer. (We all know it's hard enough to get many networks to swing any
sort of hammer at all, even for significantly more egregious behavior.)

Since you can't convince their upstream to swing the abuse hammer, you have
two options:

1) Filter the traffic
2) Not filter the traffic

For the simple reason that there IS no central authority on the internet
who CAN decide what flies and what doesn't, grumbling on a mailing list is
about as far as one can go in response.

> Humm. This is something I have not run into before. Can you supply a URL
> that explains how to relay mail through a Telnet or RADIUS server?

No, but I can supply a URL that explains how to change the port that proxy
servers bind to. I don't think you actually need that, though.

You really think people who professionally hack servers and setup spam
relay proxies put them on the standard ports?

> LOL! I see, this is my fault because I actually take steps to secure my
> environment. ;-)

No, but it is your fault for overreacting to your IDS.

Security doesn't require an IDS. An IDS merely tells you who's checking
your doorknobs to see if they're locked. If you do a good enough job
keeping your doors locked, an IDS is little more than a touchy doorbell at
3 AM, being tripped by the wind.

Andy

---
Andy Dills
Xecunet, Inc.
www.xecu.net
301-682-9972
---
Trace and Ping with Record Option on Cisco Routers
Hey, Group.

In my production network, I'm trying to do some extended traces and pings
with the record option turned on to see what route my packets take going
and returning. It's not working. If I do the extended traceroute or ping
without the record option, it works fine. There is a firewall (PIX) a few
hops in front of the destination I'm trying to record the route for. What
part of ICMP is this that needs to be opened on the firewall to allow this
to come back? First time I'm coming across this.

Thanks,
Danny
www.dhs.gov looking for input for future solicitations
for those who don't speak inside-dc-beltway, the below is a request for
information that a well-funded federal agency will use to write a proposal
solicitation, to which folks (including but not limited to operators) then
write proposals to get ops research funding. (and ultimately, presumably
for implementations/infrastructure.)

so if you want to influence what the U.S. department of homeland security
funds in the area of IPS (not my meme), jan 2004 is an opportunity to tell
them what to ask for. you are encouraged to take it, lots of people there
trying to do the right thing and could use help from experts regarding
what exactly that is.

formatted below, unreadable version of your very own at:
http://www.fbodaily.com/archive/2003/11-November/23-Nov-2003/FBO-00474736.htm

k

---

NATIONAL COMMUNICATIONS SYSTEM
INFORMATION ANALYSIS AND INFRASTRUCTURE PROTECTION DIRECTORATE,
DEPARTMENT OF HOMELAND SECURITY

INTERNET PRIORITY SERVICE (IPS)
REQUEST FOR INFORMATION

1. INTRODUCTION

1.1 Scope

The National Communications System (NCS) of the Department of Homeland
Security is soliciting information regarding assured communications
through the Internet. This information is with respect to services or
products that carriers, vendors, and third parties can provide, or plan in
the future to provide, applicable to designing/developing an Internet
Priority Service (IPS) capability to support national security and
emergency preparedness (NS/EP) communications. This request for
information (RFI) seeks technical information regarding Internet-based
assured communications for data, including Voice over Internet Protocol
(VoIP). Responses from all organizations including commercial entities,
academic institutions, and Government departments and agencies, are
encouraged.

1.2 Background

Under the provisions of Executive Order 12472, the NCS is responsible for
ensuring that an NS/EP telecommunications infrastructure exists and is
responsive to the needs of the President and the Federal departments and
agencies using public and private telecommunications systems. In support
of this mission, we have initiated several programs designed to overcome
network failure and congestion during emergency situations, including the
Government Emergency Telecommunications Service (GETS), Telecommunications
Service Priority (TSP), and Wireless Priority Service (WPS) to address
priority services for Federal, State, and local Critical Infrastructure
leadership personnel during an emergency. The current implementations of
priority service for NS/EP telecommunications consist of voice and
voice-band data only in the circuit switched wire-line and wireless
networks. Due to the ever-increasing use of the Internet for transmission
of all types of communications, we are looking at ways to provide similar
types of assured communications for data applications and voice or video
applications running over the Internet.

Information learned from this RFI will be used to help NCS achieve the
following goals:

- Identify plans and emerging technologies for providing priority services
  through the Internet.
- Facilitate promising technologies as prototypes and proof-of-concept
  projects.
- Identify any new areas requiring standardization.
- Model technologies to determine what enhancements are required.
- Develop an Internet Priority Service (IPS) program plan.

2. AREAS OF INTEREST

The following functional goals of an IPS concept should be considered:

- Enhanced Priority Treatment
- Secure Networks
- Ubiquitous Coverage
- International Connectivity
- Interoperable
- Scalable Bandwidth
- Mobility
- Voice Band Service
- Broadband Service
- Reliability/Availability
- Restorable
- Survivable
- Non-Traceable
- Affordable

Ultimately, the service should be resilient to large-scale outages of the
Internet infrastructure in addition to other infrastructures the Internet
is dependent upon, such as electric power and telecommunications. It should
also be resilient to cyber attacks originating within the Internet itself,
such as denial of service, worms, etc. Solutions should have ubiquitous
coverage in that they translate to various physical and link layer
technologies, locations, applications, and network topologies.
Specifically, we are looking for solutions that will work in inter-AS
cross-provider environments, as well as within single provider networks.
To enable interoperability, we have IPS standards efforts underway through
the Parlay Group 4 requirements; however, a lack of standards should not
preclude a response--we are also interested in concepts and implementatio
smart hands requested in san jose
hello all, i was wondering if anyone was interested in some possible ongoing 'smart hands'-type work in the san jose area. ideally looking for someone with some unix (debian), juniper, and/or cabling skills. if you are interested please drop me a note. thanks /joshua /* i hope everyone in the quake area is ok */
Re: Request for submissions: messy cabling and other broken things
i've started taking pictures of the places i've worked, since I was proud of one...and entertained by another. you can decide which is which: http://gallery.arxys.net/gallery/Cogent/IMGP0320 http://gallery.arxys.net/gallery/Cogent/IMGP0322 http://gallery.arxys.net/gallery/Rivien/main_LAN_rack http://gallery.arxys.net/gallery/Rivien/LAN_2 http://gallery.arxys.net/gallery/Rivien/main_rack_front_1 http://gallery.arxys.net/gallery/Rivien/main_LAN_back Eric Kuhnke said: > > Sometimes illustrating the way a job should *not* be done is a powerful > educational tool. I have collected a gallery of messy and ridiculous > cabling jobs: > > http://gallery.colofinder.net/shameful-cabling > > my favorite (not horrible, but funny): > http://gallery.colofinder.net/shameful-cabling/cables > > Anonymous submissions can be sent to [EMAIL PROTECTED] , equipment > labels and faces will be blurred if requested. > >
Re: Extreme spam testing
* [EMAIL PROTECTED] (Chris Brenton) [Mon 22 Dec 2003, 21:07 CET]: [proxies] > Humm. This is something I have not run into before. Can you supply a URL > that explains how to relay mail though a Telnet or RADIUS server? Older versions of WinGate used to run a listener service on port 23 that would take a hostname and a port as input and connect to that. Real easy to abuse, and also to DoS itself - let it connect to localhost:23 a bunch of times and eventually Windows would run out of clean winsocks, thus solving the problem for a little while. -- Niels.
Re: Extreme spam testing
Speaking as and for SORBS (another hated and loved antispam bl).. Chris Lewis wrote: It's worth commenting: Triggering relay testing can occur in a number of different ways. Some simply scan all IPs. I consider this abuse and don't do it. Some scan particular ranges. Same as above ;-) Some scan an IP when they receive email from it. RR and AOL do this amongst biggies. This is what SORBS started doing - now the volume is so high, and the number of ports to check (and ways to check them) are so large I cannot do it. Some scan an IP when they receive suspicious/spam email from a given IP. We've done this from time to time. MANY other sites do this. This is what SORBS does now. If we receive a mail to a SORBS feeder server with a spam assassin score of 5 or more, we automatically scan the host for proxies and relays. Many consider scanning to be abusive in and of itself, however, there is a considerable amount of agreement that "scanning with email in hand", or, more stringently, "scanning with spam in hand" is perfectly justified, as in "sending me email gives implicit permission to check that you're secure", or, "sending me spam gives permission to check that you're secure" respectively. [Some people say "if they've sent you spam, why test? Simply blacklist!". Which is silly, because you end up blacklisting everyone sooner or later. By testing and not listing on a negative result, you have less chance of blocking a legitimate site.] SORBS scans after listing with 'spam in hand' for a number of reasons 1/ Not everyone uses the spam DB for blocking (eg: I use it for weighting at the ISP I run - I use it for blocking on my home mail) 2/ People listed will demand delisting immediately regardless (they don't care - it's their "right to send email"), and if they have an open proxy/relay, telling them to fix that first is the best way of stopping future spam. 
3/ Proxy and relay scanning takes on average 2 hours per host (purely because we don't want to crash it, or the testers for that matter). SORBS updates every 20 minutes. As another dimension, some people prefer to do very aggressive scanning - they'll test every combination of "tricks" that has been known to bypass anti-relay. Others try to avoid "tricks" that are likely to cause grief to the testee (eg: avoiding double bounces). We do 19 relay tests, and we perform them twice with 2 sets of to and from data. Some of our tests cause bounces - we do try to avoid upsetting people, but the 'from [EMAIL PROTECTED]' test is an important one, so we do use it. The test message does include a detailed description of what it is and who to contact if there is a problem though. In the scheme of things, such testing is relatively minor, even of the "obnoxious bounce to postmaster" variety. Tune your alarm system to ignore them. If you consider a dozen or two relay tests to be "extreme", I'd hate to think of what you'd think of _some_ other forms of vulnerability testing... wait till he triggers SORBS - it starts with a full port scan... :-/ By blackholing the tester, you run a _significant_ risk of getting blacklisted, even if you don't relay or proxy. Some blacklists do that. [I don't think NJABL does, but others do.] Secondly, some of them use highly distributed testing. Like SORBS. You'll never get them all. That's right, and if SORBS detects firewalling to avoid open-relay detection you get listed as a test blocker in the system, and should you get listed for spam, you will find it nigh on impossible to get out (even if it was one of your users) - just because you are considered to be someone 'hiding something'. SORBS makes a point of being up front and port scanning uses no stealth features of nmap. It also doesn't do stealth testing. The spamming problem really has gotten so bad that many reputable organizations feel they have no choice but to test. It's a sign of the times. 
It's best to not get bent out of shape over it and adjust your processes to suit. NJABL is reasonably well regarded. It's best not to play games with it, otherwise, you may end up getting blocked by all of its users. We're not using NJABL, but it is one of the ones we'd consider if some of our current ones went down. Some medium to large sites _do_ use it. And don't expect a "we want to be blocked so we can discourage the use of blacklists" attitude to work anymore. From us, at best you'd get a whitelist entry. The spamming problem really _is_ that bad. ...and I'll be a very happy man the day I shut down SORBS because spam is no longer an issue. I might get a life then. / Mat
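The relay tests discussed in this thread (the "tricks" known to bypass anti-relay, and the probe addresses visible in the sendmail log later on the page) all reduce to one question for the receiving MTA: will it accept a RCPT TO that ends up being delivered somewhere other than a local mailbox? The following is an added example, not SORBS, NJABL or sendmail code, of a recipient-side relay decision that recognises the classic bypass forms (percent hack, UUCP bang path, source routing, an "@" hidden in a quoted local part, and a stray ";" terminator). `LOCAL_DOMAINS`, `RELAY_NETS` and every address in the test calls are assumptions made up for the example.

```python
import ipaddress
import re

# Assumed configuration: domains we deliver locally, and client ranges
# (e.g. our own dial-up/DSL pool) allowed to relay anywhere.
LOCAL_DOMAINS = {"example.net", "mailgate.example.net"}
RELAY_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Either a quoted local part ("...")@domain or a bare local@domain.
ADDR_RE = re.compile(
    r'^"(?P<qlocal>(?:[^"\\]|\\.)*)"@(?P<qdom>[^@]+)$'
    r'|^(?P<local>[^@]+)@(?P<dom>[^@]+)$'
)


def final_domain(rcpt):
    """Return the domain a RCPT TO address would really be delivered to,
    or None when the form is one that re-routes mail after local
    acceptance (so it must be treated as relaying)."""
    addr = rcpt.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    addr = addr.rstrip(";")          # stray terminator seen in relay probes
    if addr.startswith("@"):         # source route: @local:user@remote
        return None
    m = ADDR_RE.match(addr)
    if not m:
        return None
    local = m.group("qlocal") if m.group("qlocal") is not None else m.group("local")
    dom = (m.group("qdom") or m.group("dom")).lower()
    # Percent hack (user%remote@local), bang path (remote!user@local) and
    # a quoted "user@remote"@local all get re-routed by a naive MTA.
    if "%" in local or "!" in local or "@" in local:
        return None
    return dom


def should_relay(client_ip, rcpt):
    """Accept the recipient only if it is ours, unless the client is in a
    trusted relay network."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in RELAY_NETS):
        return True
    dom = final_domain(rcpt)
    return dom is not None and dom in LOCAL_DOMAINS


if __name__ == "__main__":
    for client, rcpt in [
        ("203.0.113.9", "<user@example.net>"),
        ("203.0.113.9", "<user%remote.example@example.net>"),
        ("203.0.113.9", '<"user@remote.example"@example.net>'),
        ("203.0.113.9", "<@example.net:user@remote.example>"),
        ("192.0.2.7", "<user@remote.example>"),
    ]:
        print(client, rcpt, "->", "accept" if should_relay(client, rcpt) else "reject")
```

Rejecting a quoted local part that contains "@" is deliberately conservative: some MTAs would deliver it to a literal local mailbox, but a tester has no way to tell the two behaviours apart from the SMTP dialogue, which is exactly why it is in the probe set.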
Re: Extreme spam testing
On Mon, 2003-12-22 at 13:46, Andy Dills wrote: > > > Agreed. My spam is _my_ problem and fixing it should not include making > > it everyone else's problem. Forget whether its legal, its pretty > > inconsiderate as many environments flag this stuff as malicious so it > > triggers alerts. > > Hmm...actually, YOUR spam is MY problem. > That's how this works. Except its broken because the message in question was not spam. It was a technical post to the NANOG mailing list that triggered the 100+ port scan, as well as about 15 different variations attempting to relay e-mail through my server. Am I missing the Viagra ad that gets tacked to the end of all NANOG posts? ;-) > I applaud njabl. I guess I don't. I can *totally* understand wanting to control the amount of spam that an environment receives. I obviously deal with this problem as well. I guess in my mind however I feel like the cost/burden of dealing with that spam should be my responsibility, and I should not expect legitimate organizations that are not part of the problem to incur a financial impact due to my efforts. For example their scans and probes would easily trigger an alert in most environments (they did in mine and I'm by no means high security). This means that a security analyst now has to check out the traces and see if its a real attack. Then a decision has to be made as to how to deal with it, which may well require (depending on policy) multiple resources. So I end up spending money so njabl can try and reduce the amount of spam they receive. Oh joy, oh rapture. Also, I don't see this as a totally effective solution. This works if the spam comes through an open relay, but fails if it does not. That means you need some other layer of checking to deal with the non-relay spam. Something like Spamassassin for example. Of course Spamassassin can also easily deal with the open relay spam as well, without requiring an obtrusive check back system. 
Finally, I used to blacklist known spammer's IP addresses as well, but stopped after I crunched some numbers. When you blacklist the spammers IP, they don't give up and remove your address, they just keep trying. The bandwidth lost to the retries (on average) is greater than the bandwidth used to transmit the actual spam. So blocking spam saves you some temporary disk space, but increases network utilization. > If you have open relays, proxies, or whatnot, I want to know about it, so > I can reject all mail from you. Again, except I don't. If I transmit spam, I should expect to be poked and probed. When one receives an unprovoked probe/attack like this, the target is going to assume the source is hostile. Its not till you spend time looking into it (in other words, burn $$$ on resources) that you figure out that someone actually considers this pattern to be "a feature". > If we have a single entitity that does all > this scanning, we as individual entities do not need to scan ourselves. This is going to sound really snippy, but who died and made them god/goddess of the Internet? Where is the document trail empowering them to be spam cops of the Internet with absolute authority to probe who ever they see fit? Also, it does not quite work out that they are the only ones doing it (see earlier thread on AOL). They just seem to be more aggressive than most. > Therefore, njabl is REDUCING the number of people scanning your netblocks > for proxies. If they didn't do it for me, I'd be doing it myself, along > with numerous other networks. I guess we can "agree to disagree" here as I'm not a "ends justifies the means" type of person. I want to reduce the amount of spam I receive as well, and certainly would not mind making the spammer's lives a bit more difficult. I don't want to do that however at the cost of annoying/sucking money out of legitimate Internet users. > > As a follow up, it also looks like they did a pretty aggressive port > > scan of my system. 
Not sure how checking Telnet, X-Windows or RADIUS > > will tell them if I'm a spammer, but whatever. > > proxies, proxies, proxies. Humm. This is something I have not run into before. Can you supply a URL that explains how to relay mail through a Telnet or RADIUS server? > But like you say, "whatever". It's not like you > would have noticed if you didn't obsessively scan your logfiles or have an > IDS. LOL! I see, this is my fault because I actually take steps to secure my environment. ;-) Thanks for the chuckle, C
RE: california quake
If a fault line slips, then the terrorists have already won. -Original Message- From: Gerald [mailto:[EMAIL PROTECTED] Sent: Monday, December 22, 2003 1:34 PM Cc: [EMAIL PROTECTED] Subject: Re: california quake On Mon, 22 Dec 2003, Scott Granados wrote: > Apparently there was just a 6.4 quake in central california. Terrorists! Gerald
RE: california quake
Now four 3.x or 4.x shocks south of the major epicenter. I felt the first one also. It was significant shaking. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Aviva Garrett Sent: Monday, December 22, 2003 11:30 AM To: Scott Granados Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: Re: california quake Yep, we felt it too, in Sunnyvale. It was 6.5, near San Simeon. http://quake.wr.usgs.gov/recenteqs/Quakes/nc40148755.htm In message <[EMAIL PROTECTED]> you write: > > Apparently there was just a 6.4 quake in central california. > > We felt it here in San Jose but it's probably too minor up here to cause any > disruptions. However closer to the center there may be. > >
Re: california quake
On Mon, 22 Dec 2003, Scott Granados wrote: > Apparently there was just a 6.4 quake in central california. Terrorists! Gerald
RE: california quake
According to current data, it was a 6.5, and the epicenter was 7 miles NE of San Simeon, CA. -Original Message- From: Scott Granados [mailto:[EMAIL PROTECTED] Sent: Monday, December 22, 2003 1:27 PM To: [EMAIL PROTECTED] Subject: california quake Apparently there was just a 6.4 quake in central california. We felt it here in San Jose but it's probably too minor up here to cause any disruptions. However closer to the center there may be.
RE: california quake
| From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott | Granados | Sent: Monday, December 22, 2003 2:27 PM | | Apparently there was just a 6.4 quake in central california. | | We felt it here in San Jose but it's probably too minor up here to cause any | disruptions. However closer to the center there may be. http://earthquake.usgs.gov/recenteqsUS/Quakes/nc40148755.htm Todd --
Re: california quake
Yep, we felt it too, in Sunnyvale. It was 6.5, near San Simeon. http://quake.wr.usgs.gov/recenteqs/Quakes/nc40148755.htm In message <[EMAIL PROTECTED]> you write: > > Apparently there was just a 6.4 quake in central california. > > We felt it here in San Jose but it's probably too minor up here to cause any > disruptions. However closer to the center there may be. > >
california quake
Apparently there was just a 6.4 quake in central california. We felt it here in San Jose but it's probably too minor up here to cause any disruptions. However closer to the center there may be.
Re: A headsup re Verizon Wireless paging
On Mon, 22 Dec 2003, Dave O'Shea wrote: > If you have one of the > super-duper(tm) motorola pagers that skytel uses, you > can even filter those messages so they won't set off > the audible alert; they just show up in the "received" > list. Same with the Blackberry/RIM service, which is what I've been happily using for the last year or so. -Bill
Re: A headsup re Verizon Wireless paging
I'm not sure I'd fault Verizon, it's got to be a major pain to keep the spam level down on pagers. It would probably be useful if SMS/paging companies posted a "this is the approved way to" guide for customers. I set up nagios/netsaint with a pager system, and programmed it to send an "all is well" page twice a day to a couple of key people. If you have one of the super-duper(tm) motorola pagers that skytel uses, you can even filter those messages so they won't set off the audible alert; they just show up in the "received" list. I made a habit of checking the freshness of those messages right before staff meetings and customer calls. --- "Michael R. Wayne" <[EMAIL PROTECTED]> wrote: > > > Summary: > If you use Verizon Wireless pagers (pagers with an > @myairmail.com > email address) to monitor your network, your > alerts may be blocked > without notice. > > The saga: > > We use multiple paging companies for our pagers, > under the theory > that redundancy is a "good thing". Last week, our > people who carry > pagers from Verizon Wireless realized that they were > not getting > pages from our Netsaint monitoring system, although > they were > getting other pages and people carrying pagers from > other paging > companies were getting Netsaint pages.
Re: Extreme spam testing
On Mon, 22 Dec 2003, Chris Brenton wrote: > > I hate spammers. I loathe and > > despise them. I hate njabl even more. > > Agreed. My spam is _my_ problem and fixing it should not include making > it everyone else's problem. Forget whether its legal, its pretty > inconsiderate as many environments flag this stuff as malicious so it > triggers alerts. Hmm...actually, YOUR spam is MY problem. That's how this works. I applaud njabl. If you have open relays, proxies, or whatnot, I want to know about it, so I can reject all mail from you. If we have a single entity that does all this scanning, we as individual entities do not need to scan ourselves. Therefore, njabl is REDUCING the number of people scanning your netblocks for proxies. If they didn't do it for me, I'd be doing it myself, along with numerous other networks. > As a follow up, it also looks like they did a pretty aggressive port > scan of my system. Not sure how checking Telnet, X-Windows or RADIUS > will tell them if I'm a spammer, but whatever. proxies, proxies, proxies. But like you say, "whatever". It's not like you would have noticed if you didn't obsessively scan your logfiles or have an IDS. > > Well, nope, I didn't, and I don't. They just did it > > again, and by "it", I mean that they hit every machine in my little > > netblock > > I've tweaked my perimeter to return host-unreachables to all packets > originating from their network (rate limited of course). If that stops > them from accepting my mail, oh well I'll survive. In the old days, when Abovenet and ORBS (I think, could be wrong, been awhile) got into it, and ORBS (or whoever) blacklisted Abovenet's IP space because they were firewalled, that was simply petty and stupid. NJABL will not list you for preventing them from scanning your servers. Is Jon aggressive? Yes. Is he a dickhead? No. Andy --- Andy Dills Xecunet, Inc. www.xecu.net 301-682-9972 ---
Re: Extreme spam testing
Robin Lynn Frank wrote: This is not the only list where this is occurring. It has been happening on the spamtools list, as well. We've now dropped them at the firewall. No loss to us. It's worth commenting: Triggering relay testing can occur in a number of different ways. Some simply scan all IPs. Some scan particular ranges. Some scan an IP when they receive email from it. RR and AOL do this amongst biggies. Some scan an IP when they receive suspicious/spam email from a given IP. We've done this from time to time. MANY other sites do this. Many consider scanning to be abusive in and of itself, however, there is a considerable amount of agreement that "scanning with email in hand", or, more stringently, "scanning with spam in hand" is perfectly justified, as in "sending me email gives implicit permission to check that you're secure", or, "sending me spam gives permission to check that you're secure" respectively. [Some people say "if they've sent you spam, why test? Simply blacklist!". Which is silly, because you end up blacklisting everyone sooner or later. By testing and not listing on a negative result, you have less chance of blocking a legitimate site.] As another dimension, some people prefer to do very aggressive scanning - they'll test every combination of "tricks" that has been known to bypass anti-relay. Others try to avoid "tricks" that are likely to cause grief to the testee (eg: avoiding double bounces). Don't assume that the testers are specifically targeting mailing lists. Chances are that a NJABL person is on the lists, and is doing a "test if email or spam in hand". [I don't know what NJABL's testing criteria are.] In the scheme of things, such testing is relatively minor, even of the "obnoxious bounce to postmaster" variety. Tune your alarm system to ignore them. If you consider a dozen or two relay tests to be "extreme", I'd hate to think of what you'd think of _some_ other forms of vulnerability testing... 
By blackholing the tester, you run a _significant_ risk of getting blacklisted, even if you don't relay or proxy. Some blacklists do that. [I don't think NJABL does, but others do.] Secondly, some of them use highly distributed testing. Like SORBS. You'll never get them all. The spamming problem really has gotten so bad that many reputable organizations feel they have no choice but to test. It's a sign of the times. It's best to not get bent out of shape over it and adjust your processes to suit. NJABL is reasonably well regarded. It's best not to play games with it, otherwise, you may end up getting blocked by all of its users. We're not using NJABL, but it is one of the ones we'd consider if some of our current ones went down. Some medium to large sites _do_ use it. And don't expect a "we want to be blocked so we can discourage the use of blacklists" attitude to work anymore. From us, at best you'd get a whitelist entry. The spamming problem really _is_ that bad.
Broadwing Network Status Page?
One of my customers is experiencing what I'm being told is backhoe fade in the Philadelphia area. It's a Broadwing circuit resold by another party, so they won't talk to me directly. Does anyone know if they have a network status page? I've not found anything googling around. Thanks, Daryl G. Jurbala BMPC Network Operations Tel: +1 215 825 8401 x235 Fax: +1 508 526 8500 INOC-DBA: 26412*DGJ PGP Key: http://www.introspect.net/pgp
A headsup re Verizon Wireless paging
Summary: If you use Verizon Wireless pagers (pagers with an @myairmail.com email address) to monitor your network, your alerts may be blocked without notice. The saga: We use multiple paging companies for our pagers, under the theory that redundancy is a "good thing". Last week, our people who carry pagers from Verizon Wireless realized that they were not getting pages from our Netsaint monitoring system, although they were getting other pages and people carrying pagers from other paging companies were getting Netsaint pages. After a bit of testing, we discovered that email to pagers from netsaint@ was not getting through but email to pagers from any other username on that machine seemed to go through fine. So one of my people contacted their tech support Friday morning. After 7.5 hours of being told: 1) The problem is that you are not running a web server on that machine. (Actually we are but it's firewalled and why should they care?) 2) The problem is that DNS is broken for that address. (It's not, plus why do pages for other users go through?) 3) The problem is that our server is not actually sending the messages to Verizon wireless (we sent them the sendmail logs to prove that the messages were accepted). 4) The problem must be something else at our end. 5) The problem is that you are using email to deliver the page, can't you use a modem? 6) Assorted other excuses which we neglected to note. someone FINALLY admitted that pages from the netsaint address were being filtered. The guy who eventually admitted this basically told the gal who had been working on this all day: "We did this to protect our network, no, you cannot speak to anyone else about it, we may just leave it in forever and we're not going to do anything about it." And hung up on her. He must have been pretty rude (which is why I omit his name) because after dealing with this all day she was frustrated to the point that she was in tears. So, I sent her home and picked up the fight. 
I eventually reached the same person who admitted that they were filtering email from that address because of a problem with one customer earlier in the month so they discarded messages to ALL customers if the address contained netsaint. His stand: - Verizon Wireless did this to protect their network. - They occasionally install such filters for an indeterminate amount of time. - No notice is given to customers of such a filter. When I asked about it he seemed to feel that there was no way to inform customers. I figure it would take about an hour to develop a script with a simple database of pager destinations that paged once to inform customers that a word was suppressed. - No notice is given to their tech support people that such a filter has been put in place. - No notice is given to their resellers, so if a customer calls to inquire, the reseller has no clue that it's going on. - There is no clear process for a customer to determine that such a filter has been installed. - He had to obtain permission from "the field" as to whether or not the block could be removed. - He pretty much ignored my question as to why they blocked all customers rather than just the one in question. But he promised to contact me before leaving for the day. I started hacking a filter to simply substitute another address for netsaint and, in the process, discovered that what was actually going on was that any page that contains the word netsaint anywhere in the header or in the message was being discarded without notice. I did get a call back as promised. I mentioned that they were not filtering on address but the entire message and got an: "Oh, I knew that" (would have been nice of him to TELL me). He claimed that the block would be removed either later Friday night, Saturday morning at the latest. Pages were still being blocked Friday night and Saturday morning but a test page sent this morning worked OK. /\/\ \/\/
Re: Extreme spam testing
On Mon, 2003-12-22 at 11:04, Etaoin Shrdlu wrote: > > Um, welcome to the world of spam nazis. I've seen returning MX queries and even source address validation, but never anything this excessive up till now. IMHO its hard to tell if they are looking for spam relays to reduce spam, or because they are looking to generate some spam themselves. ;-) > I hate spammers. I loathe and > despise them. I hate njabl even more. Agreed. My spam is _my_ problem and fixing it should not include making it everyone else's problem. Forget whether its legal, its pretty inconsiderate as many environments flag this stuff as malicious so it triggers alerts. > The last time I called their ISP to > complain, I was assured that I must have done something to deserve the > aggressive testing. As a follow up, it also looks like they did a pretty aggressive port scan of my system. Not sure how checking Telnet, X-Windows or RADIUS will tell them if I'm a spammer, but whatever. > Well, nope, I didn't, and I don't. They just did it > again, and by "it", I mean that they hit every machine in my little > netblock I've tweaked my perimeter to return host-unreachables to all packets originating from their network (rate limited of course). If that stops them from accepting my mail, oh well I'll survive. Thanks for the confirmation, C
Re: Extreme spam testing
Chris Brenton wrote: > > Greets again all, > > I noticed something kind of interesting when I made my last post to > NANOG. I can understand people wanting to do spam checking, but IMHO > this is a bit excessive and inconsiderate. > > I'm guessing njabl.org is doing this to everyone who posts to the list, > so I thought others might want to know about it in case they have not > noticed it in their own logs. BTW, if you are curious about the > "spammers_waste_oxygen" portion, that was grabbed off my SMTP banner. Yep, and see below. > *** > > Dec 22 08:21:50 mailgate sendmail[492]: hBMDLnHS000492: > before-reporting-as-abuse-please-see-www.njabl.org [209.208.0.15] did > not issue MAIL/EXPN/VRFY/ETRN during connection to MTA > Dec 22 08:21:50 mailgate sendmail[495]: hBMDLoHS000495: > ruleset=check_rcpt, arg1=<[EMAIL PROTECTED]>, relay=rt.njabl.org > [209.208.0.15], reject=550 5.7.1 <[EMAIL PROTECTED]>... Relaying Um, welcome to the world of spam nazis. I hate spammers. I loathe and despise them. I hate njabl even more. The last time I called their ISP to complain, I was assured that I must have done something to deserve the aggressive testing. Well, nope, I didn't, and I don't. They just did it again, and by "it", I mean that they hit every machine in my little netblock (I suppose the last post to nanog did it). If they were just picking on the machine I posted from, it'd annoy me, but I'd get over it. Why they feel the need to abuse machines that I've NEVER sent email from, to anywhere, is beyond me. Sure, I recognize that I'm in a block frequented by clueless wonders (i.e. DSL), but it isn't dynamic, I've had it for a while now, and it's never been implicated during the time I've had it. In addition, I think that a post to nanog should not get such treatment. Isn't it bad enough that posting to the Full Disclosure mailing list has added to my spam level by a thousand percent? Sigh. -- Open source should be about giving away things voluntarily. 
When you force someone to give you something, it's no longer giving, it's stealing. Persons of leisurely moral growth often confuse giving with taking.-- Larry Wall
Re: Minimum Internet MTU
On Mon, 2003-12-22 at 09:36, Robert E. Seastrom wrote: > > You mean like everyone who's still running TCP/IP over AX.25 in the > ham radio community? I actually thought of this, but only as an end-point which would not generate fragmented packets. I didn't consider that people could be using Linux or what ever to hide an Ethernet network behind the link, which of course would fragment the stream. Looks like I need to drop my threshold to < 500. This is exactly what I needed, thanks! > What are you trying to accomplish by killing off the fragments? My experience has been that attackers still like to use fragmentation as a method of covering their tracks. No they do not do it all the time, but I've noticed that a lot of the time when I've been able to catch 0-day stuff its fragmented in order to help stealth it. So what I'm looking for is a definable limit to be able to say "a non-last fragment below this size is very likely to be hostile and should be handled accordingly". Running with less than 500 bytes is still cool, as the stuff I've found is always less than 100 bytes. I'm just looking to add as much "slop" as possible to catch what I have not thought of without triggering false positives. So unless someone knows of a case below 500 bytes, I think I'm all set. Thanks for the great feedback. C
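The rule Chris settles on above ("a non-last fragment below this size is very likely to be hostile") is easy to express directly on the IPv4 header. The following is an added example, not code from any poster or tool on the page, that parses a raw IPv4 header, decides whether the datagram is a fragment, and classifies it. The 500-byte threshold is the value from the thread; the packet builder and every address in it are constructed test input. It also applies one check the thread does not mention but that is mandated by RFC 791: a non-last fragment must carry a multiple of 8 octets, so anything else is malformed regardless of size.

```python
import struct

# Threshold taken from the discussion above: non-last fragments with
# less payload than this are treated as suspicious. Tune per site.
MIN_NONLAST_FRAG_PAYLOAD = 500

IPV4_HDR = "!BBHHHBBH4s4s"   # 20-byte fixed header, no options


def parse_ipv4(pkt: bytes) -> dict:
    """Extract the header fields needed for fragment handling."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    (vihl, _tos, total_len, ident, flags_frag,
     _ttl, _proto, _csum, _src, _dst) = struct.unpack(IPV4_HDR, pkt[:20])
    version = vihl >> 4
    ihl = (vihl & 0x0F) * 4
    if version != 4 or ihl < 20 or total_len < ihl:
        raise ValueError("malformed IPv4 header")
    return {
        "id": ident,
        "mf": bool(flags_frag & 0x2000),        # More Fragments flag
        "offset": (flags_frag & 0x1FFF) * 8,    # fragment offset in bytes
        "payload_len": total_len - ihl,
    }


def classify_fragment(pkt: bytes, threshold: int = MIN_NONLAST_FRAG_PAYLOAD) -> str:
    """Return one of: unfragmented, last-fragment, malformed,
    suspicious-tiny, normal-fragment."""
    h = parse_ipv4(pkt)
    if not h["mf"] and h["offset"] == 0:
        return "unfragmented"
    if not h["mf"]:
        return "last-fragment"          # size of the final piece is unconstrained
    # RFC 791: every fragment except the last carries a multiple of 8 octets.
    if h["payload_len"] % 8 != 0:
        return "malformed"
    if h["payload_len"] < threshold:
        return "suspicious-tiny"        # the pattern the thread wants to alert on
    return "normal-fragment"


def build_ipv4(payload_len: int, mf: bool, offset_bytes: int, ident: int = 0x1234) -> bytes:
    """Constructed test packet: minimal header plus a zeroed payload.
    Addresses are documentation-range placeholders."""
    flags_frag = (0x2000 if mf else 0) | (offset_bytes // 8)
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + payload_len, ident, flags_frag,
                      64, 6, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return hdr + bytes(payload_len)


if __name__ == "__main__":
    for plen, mf, off in [(24, True, 0), (1480, True, 0), (100, False, 2960), (30, True, 0)]:
        print(plen, mf, off, "->", classify_fragment(build_ipv4(plen, mf, off)))
```

Running with the threshold at 500 means an AX.25 or X.25 gateway fragmenting at a few hundred bytes still passes as "normal-fragment", while the sub-100-byte fragments Chris describes land in "suspicious-tiny".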
Re: Minimum Internet MTU
Or the X.25/IP gateways beloved of Airlines who are also good at complaining when traffic is dropped on the floor Scott C. McGrath On 22 Dec 2003, Robert E. Seastrom wrote: > > > Chris Brenton <[EMAIL PROTECTED]> writes: > > > I agree, this is a bit of a loaded question. I guess by safe I mean "Is > > anyone aware of a specific link or set of conditions that could cause > > _legitimate_ non-last fragmented packets on the wire that have a size of > > less than 1200 bytes". I agree there are bound to be inexperienced users > > who have shot themselves in the foot and tweaked their personal system > > lower than this threshold, thus my 99.9% requirement. > > You mean like everyone who's still running TCP/IP over AX.25 in the > ham radio community? They're generally technically adept and good at > complaining... I'm sure rbush would encourage his competitors to do this. > > What are you trying to accomplish by killing off the fragments? > > ---Rob > >
Re: Minimum Internet MTU
Chris Brenton <[EMAIL PROTECTED]> writes: > I agree, this is a bit of a loaded question. I guess by safe I mean "Is > anyone aware of a specific link or set of conditions that could cause > _legitimate_ non-last fragmented packets on the wire that have a size of > less than 1200 bytes". I agree there are bound to be inexperienced users > who have shot themselves in the foot and tweaked their personal system > lower than this threshold, thus my 99.9% requirement. You mean like everyone who's still running TCP/IP over AX.25 in the ham radio community? They're generally technically adept and good at complaining... I'm sure rbush would encourage his competitors to do this. What are you trying to accomplish by killing off the fragments? ---Rob
Extreme spam testing
Greets again all,

I noticed something kind of interesting when I made my last post to NANOG. I can understand people wanting to do spam checking, but IMHO this is a bit excessive and inconsiderate. I'm guessing njabl.org is doing this to everyone who posts to the list, so I thought others might want to know about it in case they have not noticed it in their own logs.

BTW, if you are curious about the "spammers_waste_oxygen" portion, that was grabbed off my SMTP banner.

Cheers,
C

***
Dec 22 08:21:50 mailgate sendmail[492]: hBMDLnHS000492: before-reporting-as-abuse-please-see-www.njabl.org [209.208.0.15] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Dec 22 08:21:50 mailgate sendmail[495]: hBMDLoHS000495: ruleset=check_rcpt, arg1=<[EMAIL PROTECTED]>, relay=rt.njabl.org [209.208.0.15], reject=550 5.7.1 <[EMAIL PROTECTED]>... Relaying denied
Dec 22 08:21:50 mailgate sendmail[495]: hBMDLoHT000495: ruleset=check_mail, arg1=<[EMAIL PROTECTED];>, relay=rt.njabl.org [209.208.0.15], reject=553 5.1.8 <[EMAIL PROTECTED];>... Domain of sender address [EMAIL PROTECTED] does not exist
Dec 22 08:21:50 mailgate sendmail[495]: hBMDLoHU000495: ruleset=check_mail, arg1=<"[EMAIL PROTECTED]"@spammers_waste_oxygen;>, relay=rt.njabl.org [209.208.0.15], reject=553 5.1.8 <"[EMAIL PROTECTED]"@spammers_waste_oxygen;>... Domain of sender address [EMAIL PROTECTED]@spammers_waste_oxygen does not exist
Dec 22 08:21:51 mailgate sendmail[495]: hBMDLoHV000495: ruleset=check_mail, arg1=, relay=rt.njabl.org [209.208.0.15], reject=553 5.5.4 ... Domain name required for sender address relaytestsend
Dec 22 08:21:51 mailgate sendmail[495]: hBMDLoHW000495: ruleset=check_mail, arg1=<[EMAIL PROTECTED]>, relay=rt.njabl.org [209.208.0.15], reject=553 5.5.4 <[EMAIL PROTECTED]>... Real domain name required for sender address
Dec 22 08:21:51 mailgate sendmail[495]: hBMDLoHX000495: ruleset=check_rcpt, arg1=<[EMAIL PROTECTED]>, relay=rt.njabl.org [209.208.0.15], reject=550 5.7.1 <[EMAIL PROTECTED]>... Relaying denied
Dec 22 08:21:51 mailgate sendmail[495]: hBMDLoHY000495: ruleset=check_rcpt, arg1=<[EMAIL PROTECTED]>, relay=rt.njabl.org [209.208.0.15], reject=550 5.7.1 <[EMAIL PROTECTED]>... Relaying denied
Dec 22 08:21:51 mailgate sendmail[495]: hBMDLoHZ000495: ruleset=check_rcpt, arg1=<[EMAIL PROTECTED]>, relay=rt.njabl.org [209.208.0.15], reject=550 5.7.1 <[EMAIL PROTECTED]>... Relaying denied
Dec 22 08:21:52 mailgate sendmail[495]: hBMDLoHa000495: ruleset=check_rcpt, arg1=<[EMAIL PROTECTED]>, relay=rt.njabl.org [209.208.0.15], reject=550 5.7.1 <[EMAIL PROTECTED]>... Relaying denied
Dec 22 08:21:52 mailgate sendmail[495]: hBMDLoHb000495: ruleset=check_rcpt, arg1=<[EMAIL PROTECTED]>, relay=rt.njabl.org [209.208.0.15], reject=550 5.7.1 <[EMAIL PROTECTED]>... Relaying denied
Dec 22 08:21:52 mailgate sendmail[495]: hBMDLoHc000495: ruleset=check_rcpt, arg1=<[EMAIL PROTECTED]>, relay=rt.njabl.org [209.208.0.15], reject=550 5.7.1 <[EMAIL PROTECTED]>... Relaying denied
Dec 22 08:21:52 mailgate sendmail[495]: hBMDLoHd000495: ruleset=check_rcpt, arg1=<[EMAIL PROTECTED]>, relay=rt.njabl.org [209.208.0.15], reject=550 5.7.1 <[EMAIL PROTECTED]>... Relaying denied
Dec 22 08:21:52 mailgate sendmail[495]: hBMDLoHe000495: ruleset=check_mail, arg1=<[EMAIL PROTECTED];>, relay=rt.njabl.org [209.208.0.15], reject=553 5.1.8 <[EMAIL PROTECTED];>... Domain of sender address [EMAIL PROTECTED] does not exist
Dec 22 08:21:53 mailgate sendmail[495]: hBMDLoHf000495: ruleset=check_rcpt, arg1=<[EMAIL PROTECTED];>, relay=rt.njabl.org [209.208.0.15], reject=550 5.7.1 <[EMAIL PROTECTED];>... Relaying denied
Dec 22 08:21:53 mailgate sendmail[495]: hBMDLoHh000495: ruleset=check_mail, arg1=<[EMAIL PROTECTED];>, relay=rt.njabl.org [209.208.0.15], reject=553 5.1.8 <[EMAIL PROTECTED];>... Domain of sender address [EMAIL PROTECTED] does not exist
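The burst of check_rcpt rejections above is what an open-relay sweep looks like from the receiving MTA's side: one source, a dozen rejects in three seconds, each trying a different source-routing form of the recipient address. The following is an added example, not code from the original post or from njabl.org, that parses sendmail reject lines of that shape and reports sources that fire many "Relaying denied" rejects in a short window, along with which address tricks they tried. The log lines embedded in it are constructed to match the post's format; the addresses and the second relay host are invented placeholders (the rt.njabl.org host and 209.208.0.15 are taken from the post), and the year is not in syslog timestamps, so only deltas within one day are meaningful.

```python
"""Spot open-relay probing in sendmail reject logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (addresses are placeholders, not the post's real ones).
SAMPLE_LOG = """\
Dec 22 08:21:50 mailgate sendmail[492]: hBMDLnHS000492: rt.njabl.org [209.208.0.15] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Dec 22 08:21:50 mailgate sendmail[495]: hBMDLoHS000495: ruleset=check_rcpt, arg1=<relaytest@example.net>, relay=rt.njabl.org [209.208.0.15], reject=550 5.7.1 <relaytest@example.net>... Relaying denied
Dec 22 08:21:50 mailgate sendmail[495]: hBMDLoHT000495: ruleset=check_mail, arg1=<relaytest@nowhere.invalid;>, relay=rt.njabl.org [209.208.0.15], reject=553 5.1.8 <relaytest@nowhere.invalid;>... Domain of sender address relaytest@nowhere.invalid does not exist
Dec 22 08:21:51 mailgate sendmail[495]: hBMDLoHX000495: ruleset=check_rcpt, arg1=<relaytest%example.net@mailgate.example.org>, relay=rt.njabl.org [209.208.0.15], reject=550 5.7.1 <relaytest%example.net@mailgate.example.org>... Relaying denied
Dec 22 08:21:51 mailgate sendmail[495]: hBMDLoHY000495: ruleset=check_rcpt, arg1=<"relaytest@example.net"@mailgate.example.org>, relay=rt.njabl.org [209.208.0.15], reject=550 5.7.1 <"relaytest@example.net"@mailgate.example.org>... Relaying denied
Dec 22 08:21:52 mailgate sendmail[495]: hBMDLoHa000495: ruleset=check_rcpt, arg1=<example.net!relaytest@mailgate.example.org>, relay=rt.njabl.org [209.208.0.15], reject=550 5.7.1 <example.net!relaytest@mailgate.example.org>... Relaying denied
Dec 22 08:21:52 mailgate sendmail[495]: hBMDLoHb000495: ruleset=check_rcpt, arg1=<relaytest@[209.208.0.15]>, relay=rt.njabl.org [209.208.0.15], reject=550 5.7.1 <relaytest@[209.208.0.15]>... Relaying denied
Dec 22 09:40:12 mailgate sendmail[512]: hBMEeCHS000512: ruleset=check_rcpt, arg1=<bob@example.com>, relay=mx.partner.example [192.0.2.44], reject=550 5.7.1 <bob@example.com>... Relaying denied
"""

# One sendmail "ruleset=... reject=..." line; lines without a ruleset are skipped.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: (?P<qid>\w+): "
    r"ruleset=(?P<ruleset>\w+), arg1=(?P<arg1>[^,]*), "
    r"relay=(?P<relay>[^,]*), reject=(?P<code>\d{3} \d\.\d\.\d) (?P<reason>.*)$"
)


def parse_rejects(log_text):
    """Return one dict per reject line, with the timestamp parsed (year-less)."""
    events = []
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["time"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
        events.append(ev)
    return events


def relay_probe_sources(events, min_rejects=4, window_seconds=60):
    """Map relay -> largest count of check_rcpt 'Relaying denied' rejects
    seen inside any window_seconds window, for relays at or above min_rejects."""
    by_relay = defaultdict(list)
    for ev in events:
        if ev["ruleset"] == "check_rcpt" and ev["reason"].endswith("Relaying denied"):
            by_relay[ev["relay"]].append(ev["time"])
    hits = {}
    for relay, times in by_relay.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):          # sliding window over sorted times
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_rejects:
            hits[relay] = best
    return hits


def relay_trick(rcpt):
    """Name the source-routing form a relay test is using in a RCPT address."""
    local, _, domain = rcpt.strip("<>").rpartition("@")
    if local.startswith('"'):
        return "quoted-local-part"      # "user@victim"@us
    if "%" in local:
        return "percent-hack"           # user%victim@us
    if "!" in local:
        return "bang-path"              # victim!user@us
    if domain.startswith("["):
        return "address-literal"        # user@[our.ip]
    return "plain"


def probe_report(events, **kw):
    """For each flagged relay, count rejects and list the forms it tried."""
    hits = relay_probe_sources(events, **kw)
    report = {}
    for relay, count in hits.items():
        forms = sorted({relay_trick(e["arg1"]) for e in events
                        if e["relay"] == relay and e["ruleset"] == "check_rcpt"})
        report[relay] = {"rejects": count, "forms": forms}
    return report


if __name__ == "__main__":
    for relay, info in probe_report(parse_rejects(SAMPLE_LOG)).items():
        print(relay, info)
```

The window threshold is deliberately low here (four rejects in a minute); a single misconfigured partner MX that hits "Relaying denied" once, as the last sample line does, should not trip it, while a sweep that walks through percent-hack, bang-path, quoted-local-part and address-literal forms in seconds should.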
Re: Minimum Internet MTU
On Mon, 2003-12-22 at 08:27, bill wrote:
>
> > Is it safe to assume
> > that 99.9% of the Internet is running on 1500 MTU or higher these days?
>
> define safe.

I agree, this is a bit of a loaded question. I guess by safe I mean "Is anyone aware of a specific link or set of conditions that could cause _legitimate_ non-last fragmented packets on the wire that have a size of less than 1200 bytes". I agree there are bound to be inexperienced users who have shot themselves in the foot and tweaked their personal system lower than this threshold, thus my 99.9% requirement.

I had a couple of people e-mail me about Cisco's Pre-fragmentation feature for IPSec. If I understand it correctly (someone please correct me if I'm wrong), it's the original datagrams that get fragmented. Thus it's the encapsulated payload that will have MF set, not the actual IPSec packet seen on the wire. With this in mind, the exposed IP header would just show it to be a small packet, not a small fragment. Am I off here?

> now that you mention it... :)
> btw, what will your IDS/firewall do when presented w/ a 9k mtu?

Depends on the setup. I've actually been running this as a set of IDS rules for a few years and have detected a few 0-day events this way. I have not hit any false positives that I'm aware of, but then again we're only talking my small view of the Internet. Thus my question to the group. If anyone is going to know the answer it's this crew. :)

I'm looking to move the rules into the firewall/IPS realm, but want to be sure before I do as now we are talking blocking the traffic rather than just recording it. First implementation would be a set of iptables rules, with pf shortly after. I have not seen any commercial firewalls with this type of capability, but I have not had a chance to focus on this aspect too deeply as of yet. Checkpoint has possibilities, but implementation would probably be beyond the typical point and click admin.

Thanks for all the great feedback!
C
Re: Minimum Internet MTU
> by GRE or IPSec. With this in mind, would we be safe to flag/drop/whatever
> all fragments smaller than 1200 bytes that are not last fragments
> (i.e., more fragments is still set)?

No. Check previous thread about IPSec and MTU. Some IPSec implementations split the greater-than-MTU sized packet in half in order to avoid the possibility of further fragmentation down the road, thus better performance.

~Hani Mustafa
Re: Minimum Internet MTU
> A few years back I noted some 512-536 MTU links in Asia. I've been doing
> some testing and can't seem to find them anymore. Is it safe to assume
> that 99.9% of the Internet is running on 1500 MTU or higher these days?

define safe.

> I know some people artificially set their end point MTU a bit lower
> (like 1400) to deal with things like having their traffic encapsulated
> by GRE or IPSec. With this in mind, would we be safe to flag/drop/whatever
> all fragments smaller than 1200 bytes that are not last fragments
> (i.e., more fragments is still set)? Does anyone maintain, or is aware,
> of links that would not meet this 1200 MTU?

now that you mention it... :)

btw, what will your IDS/firewall do when presented w/ a 9k mtu?

> Any and all feedback would be greatly appreciated,
> C
Re: Minimum Internet MTU
> Is it safe to assume
> that 99.9% of the Internet is running on 1500 MTU or higher these days?

I'd say no; usually you'll find that the one site your customer is interested in the most has some braindead configuration, and you never hear the end of it.
Minimum Internet MTU
Greetings all,

I'm working with a few folks on firewall and IDS rules that will flag suspicious fragmented traffic. I know the legal minimum of a non-terminal fragment is 28 bytes, but given non-terminals should reflect the MTU of the topologies along the link, this number is far lower than what I expect you should see for legitimate fragmentation in the wild.

A few years back I noted some 512-536 MTU links in Asia. I've been doing some testing and can't seem to find them anymore. Is it safe to assume that 99.9% of the Internet is running on 1500 MTU or higher these days?

I know some people artificially set their end point MTU a bit lower (like 1400) to deal with things like having their traffic encapsulated by GRE or IPSec. With this in mind, would we be safe to flag/drop/whatever all fragments smaller than 1200 bytes that are not last fragments (i.e., more fragments is still set)? Does anyone maintain, or is aware, of links that would not meet this 1200 MTU?

Any and all feedback would be greatly appreciated,
C
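The rule this thread converges on (flag a fragment that still has MF set but is smaller than a threshold, which the thread started at 1200 bytes and the poster later dropped below 500 after the AX.25 reply) is simple enough to express directly against the IPv4 header, and doing so also makes the 28-byte minimum mentioned above concrete. What follows is an added example, not code from any of the posters: it decodes IPv4 headers from raw bytes, flags small non-last fragments, and separately flags a non-last fragment whose payload is not a multiple of 8 bytes (fragment offsets are counted in 8-byte units, which is where the 20 + 8 = 28 byte floor comes from). It also builds an ESP outer packet to illustrate the IPsec pre-fragmentation point raised later in the thread: the fragment is inside the encrypted payload, so the rule sees an ordinary small packet with no MF bit. All packets are constructed in the example; the addresses, identification values and the ESP outer length are arbitrary.

```python
"""Classify IPv4 fragments by the small-non-last-fragment rule (added example)."""
import struct

SMALL_NONLAST = 500   # threshold the thread settled on, in bytes (assumption)
IP_FLAG_DF = 0x4000
IP_FLAG_MF = 0x2000
OFFSET_MASK = 0x1FFF


def ip_checksum(header: bytes) -> int:
    """Standard one's-complement sum over 16-bit words of the IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(payload_len, *, mf=False, df=False, offset=0, proto=6, ident=0x1234):
    """Construct a minimal 20-byte-header IPv4 packet with a zero-filled payload.
    offset is in 8-byte units, as on the wire. Addresses are documentation ranges."""
    total_len = 20 + payload_len
    flags_off = (IP_FLAG_MF if mf else 0) | (IP_FLAG_DF if df else 0) | (offset & OFFSET_MASK)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_off, 64, proto, 0,
                      bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + bytes(payload_len)


def parse_ipv4(pkt: bytes) -> dict:
    """Return the header fields the fragment rule needs; offset is in bytes."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ident, flags_off, _ttl, proto = struct.unpack("!HHHBB", pkt[2:10])
    return {"ihl": ihl, "total_len": total_len, "ident": ident, "proto": proto,
            "mf": bool(flags_off & IP_FLAG_MF), "df": bool(flags_off & IP_FLAG_DF),
            "offset": (flags_off & OFFSET_MASK) * 8}


def classify_fragment(pkt: bytes, threshold=SMALL_NONLAST) -> list:
    """Return the reasons to flag this packet; an empty list means it passes."""
    h = parse_ipv4(pkt)
    reasons = []
    if not h["mf"]:
        return reasons            # unfragmented, or a last fragment: may legitimately be tiny
    payload_len = h["total_len"] - h["ihl"]
    if payload_len % 8:
        reasons.append("nonlast-payload-not-multiple-of-8")   # cannot be a valid non-last piece
    if h["total_len"] < threshold:
        reasons.append("small-nonlast-fragment")               # the thread's rule
    return reasons


def demo(threshold=SMALL_NONLAST) -> dict:
    """Run the rule over constructed packets covering the cases the thread raised."""
    packets = {
        "df-1500": build_ipv4(1480, df=True),                 # ordinary full-size packet
        "first-frag-1500": build_ipv4(1480, mf=True),         # first piece of a fragmented datagram
        "last-frag-100": build_ipv4(80, offset=1480 // 8),    # last piece: small is normal
        "tiny-nonlast-28": build_ipv4(8, mf=True),            # legal minimum, but suspicious
        "nonlast-1006-bad-align": build_ipv4(986, mf=True),   # big enough, but 986 % 8 != 0
        # IPsec pre-fragmentation: the fragment is inside the ESP payload, so the
        # outer header carries no MF bit and the rule never fires on it.
        "esp-outer-600": build_ipv4(580, proto=50),
    }
    return {name: classify_fragment(pkt, threshold) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, reasons in demo().items():
        print("%-24s %s" % (name, reasons or "pass"))
```

The first-fragment case matters for the firewall implementation the poster plans: a first fragment has MF set and offset 0, so a match on "fragment offset not zero" alone (the usual quick test for "is a fragment") would miss the small first piece that the thread is actually worried about. Matching on the MF bit and the total length, as classify_fragment does, catches it.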