Re: UPnP
That reads more like a person who is customer centric with an acceptable idea... -Henry

Sean Donelan [EMAIL PROTECTED] wrote:

On Fri, 12 Mar 2004, James Edwards wrote: I see a lot of unicast UPnP traffic on my networks. UPnP seems like a train wreck waiting to happen, to me.

Yep. Giving insecure PC's the power to change firewall settings. Doesn't sound like the cleverest idea.

I have a firewall, my computer can't be a zombie. Yes, I click on every attachment I see and install every program any random web site offers me, but I have a firewall so my computer can't be a zombie :-(

But it does demonstrate that people really, really want to run their applications no matter how we try to stop them. Instead of blocking people from running their applications, can we figure out better ways for them to run them safely?
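The "power to change firewall settings" in the exchange above is, concretely, the UPnP IGD AddPortMapping action: a LAN host POSTs a SOAP request to the router's control URL and a pinhole appears. The following is an added example, not code from the thread or from any UPnP implementation. It parses such a request and applies a few review rules of its own (the requester opening a hole for a different host, a privileged external port, a permanent lease). The captured requests, the control URL and the addresses are all constructed for the example.

```python
"""UPnP IGD AddPortMapping requests: parse them and flag the risky ones.

Added example, not code from the original thread. It parses the SOAP body of a
WANIPConnection AddPortMapping POST (the action an IGD-capable router exposes
so that a LAN host can open a firewall pinhole) and reviews the arguments. The
captured requests, addresses and control URL below are constructed for the
example; the review rules are this example's own, not any vendor's.
"""
import xml.etree.ElementTree as ET

ADD_MAPPING_ACTION = "urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping"


def parse_add_port_mapping(raw_request):
    """Return the New* arguments of an AddPortMapping request, or None if the
    HTTP request is not that action."""
    head, _, body = raw_request.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if headers.get("soapaction", "").strip('"') != ADD_MAPPING_ACTION:
        return None
    args = {}
    for el in ET.fromstring(body).iter():
        local = el.tag.rsplit("}", 1)[-1]         # drop the XML namespace
        if local.startswith("New"):
            args[local] = (el.text or "").strip()
    return args


def review_mapping(requester_ip, args):
    """Return human-readable reasons this mapping deserves attention."""
    findings = []
    if args["NewInternalClient"] != requester_ip:
        findings.append(f"{requester_ip} opened a hole for another host, "
                        f"{args['NewInternalClient']}")
    if int(args["NewExternalPort"]) < 1024:
        findings.append(f"privileged external port {args['NewExternalPort']}")
    if int(args["NewLeaseDuration"]) == 0:
        findings.append("permanent mapping (NewLeaseDuration 0)")
    return findings


def _request(ext_port, proto, int_port, client, desc, lease):
    # Constructed capture of a LAN host's POST to the IGD control URL.
    body = (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
        '<u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
        f'<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext_port}</NewExternalPort>'
        f'<NewProtocol>{proto}</NewProtocol><NewInternalPort>{int_port}</NewInternalPort>'
        f'<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>'
        f'<NewPortMappingDescription>{desc}</NewPortMappingDescription>'
        f'<NewLeaseDuration>{lease}</NewLeaseDuration>'
        '</u:AddPortMapping></s:Body></s:Envelope>'
    )
    headers = [
        "POST /upnp/control/WANIPConn1 HTTP/1.1",   # control URL is an assumption
        "Host: 192.168.1.1:49152",
        'Content-Type: text/xml; charset="utf-8"',
        f'SOAPAction: "{ADD_MAPPING_ACTION}"',
        f"Content-Length: {len(body)}",
    ]
    return "\r\n".join(headers) + "\r\n\r\n" + body


# (requester IP as seen on the wire, raw request) pairs, constructed for the example
SAMPLE_REQUESTS = [
    ("192.168.1.20", _request(3389, "TCP", 3389, "192.168.1.5", "Remote Desktop", 0)),
    ("192.168.1.20", _request(6881, "TCP", 6881, "192.168.1.20", "p2p", 3600)),
]


if __name__ == "__main__":
    for requester, raw in SAMPLE_REQUESTS:
        args = parse_add_port_mapping(raw)
        print(requester, args["NewExternalPort"], review_mapping(requester, args) or "ok")
```

The first sample request is the case the thread worries about: one host (192.168.1.20) asks the router to forward 3389 permanently to a different machine on the LAN, and the function returns two findings. The second, a host opening a high port for itself with a one-hour lease, returns none. On a real network the requester address would come from the packet capture, not from the SOAP body, since the body is whatever the client chose to say.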
Telia v ATT?
Can anyone shed any light on the difficulties last night between Telia and {ATT, ATDN, others}? For a while it seemed like it was ATT specific. The problem started about 9:30pm Eastern and didn't get resolved until about 12:30am; during this time routes were being seen but traffic wasn't passing over interfaces between Teliasonera and ATT at a minimum, and probably several other providers as well. Feel free to respond privately. Tim
Re: Counter DoS
Joel Jaeggli wrote: On Thu, 11 Mar 2004, Petri Helenius wrote: Gregory Taylor wrote: Oh yes, lets not forget the fact that if enough sites have this 'firewall' and one of them gets attacked by other sites using this firewall it'll create a nuclear fission sized chain reaction of looping Denial of Service Attacks that would probably bring most major backbone providers to their knees. Fortunately people with less clue usually have less bandwidth. When pricing structures and deployment of broadband in the US approaches that of Korea and Japan, I think you'll find that that isn't the case in the US anymore.

Out of interest, do the people see much in the way of DDOS attacks from Japan? All that bandwidth and quite a sizable population (130 million) - but maybe the latency to US and European targets constrains it? Sam
Re: Counter DoS
Sam Stickland wrote: Out of interest, do the people see much in the way of DDOS attacks from Japan? All that bandwidth and quite a sizable population (130 million) - but maybe the latency to US and European targets constrains it?

Most attacks are unidirectional so the latency does not matter. Pete
who offers cheap (personal) 1U colo?
every time i tell somebody that they shouldn't bother trying to send e-mail from their dsl or cablemodem ip address due to the unlikelihood of a well staffed and well trained and empowered abuse desk defending the reputation of that address space, i also say buy a 1U and put it someplace with a real abuse desk, and use your dsl or cablemodem to tunnel to that place. and then a few questions come in -- where can i put a 1U for the $50/month you claim is possible? so as a public service i've decided to gather some answers to that question and put them on the web someplace so i can refer folks to it when i'm asked. if you know of a place that offers 1U/month for $50/month with some kind of bandwidth limitations (moderate peak, low average), and a strong abuse desk (including repossessing the 1U server upon proof of abuse or neglect), please send me e-mail with a url and some details. i'll summarize it all online and report the aggregation URL back to this mailing list.
possible new DoS?
Over the past week the following error started to appear in the router logs:

Mar 9 19:44:16 fe-0-1-100.blah.net 16: Mar 10 02:44:15.477: %CRYPTO-4-IKMP_NO_SA: IKE message from 206.207.248.58 has no SA and is not an initialization offer.

According to Cisco:

1. %CRYPTO-4-IKMP_NO_SA: IKE message from [IP_address] has no SA and is not an initialization offer. IKE maintains the current state for a communication in the form of security associations. No security association exists for the specified packet, and it is not an initial offer from the peer to establish one. This situation could indicate a denial-of-service attack.

Any suggestions are appreciated. The router that generated those log files dropped part of an IGP routing table. Since I've never seen this log entry before, I'm curious whether it's a 'new' DoS. Thank you. Regards, Christopher J. Wolff, VP CIO Broadband Laboratories, Inc. http://www.bblabs.com
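A single IKMP_NO_SA message is unremarkable (a peer that rebooted and forgot its SA produces one); a stream of them from one address is what the Cisco text is hinting at. The following is an added example, not code from the post or from Cisco: it parses IOS syslog lines in the exact form quoted above and counts SA-less IKE messages per peer inside a sliding window. The threshold and window are this example's assumptions, not IOS defaults, and apart from the line quoted in the post the sample log is constructed from documentation address ranges.

```python
"""Spot bursts of %CRYPTO-4-IKMP_NO_SA messages per IKE peer.

Added example, not from the original post. It parses Cisco IOS syslog lines in
the form quoted in the post, then counts SA-less IKE messages per peer address
inside a sliding window. The threshold and window are this example's
assumptions, not IOS defaults; the constructed sample lines use documentation
addresses.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Router-side timestamp and peer address of an IKMP_NO_SA message. Requiring
# the timestamp to be followed directly by ": %CRYPTO" skips the relay prefix
# ("Mar 9 19:44:16 fe-0-1-100.blah.net 16: ") that precedes it.
IKMP_NO_SA = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})(?:\.\d+)?: "
    r"%CRYPTO-4-IKMP_NO_SA: IKE message from (?P<peer>\d{1,3}(?:\.\d{1,3}){3}) has no SA"
)


def parse_line(line, year=2004):
    """Return (timestamp, peer_ip) for an IKMP_NO_SA line, else None."""
    m = IKMP_NO_SA.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("peer")


def find_bursts(lines, threshold=20, window_s=60):
    """Return {peer_ip: peak_count} for peers that sent at least `threshold`
    SA-less IKE messages within any `window_s`-second window."""
    recent = defaultdict(deque)     # per peer: timestamps still inside the window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, peer = parsed
        q = recent[peer]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold:
            flagged[peer] = max(flagged.get(peer, 0), len(q))
    return flagged


# The line quoted in the post, used to check the parser against real IOS output.
POSTED_LINE = ("Mar 9 19:44:16 fe-0-1-100.blah.net 16: Mar 10 02:44:15.477: "
               "%CRYPTO-4-IKMP_NO_SA: IKE message from 206.207.248.58 has no SA "
               "and is not an initialization offer.")


def _line(sec, peer, seq=16):
    # Constructed line in the same format; 192.0.2.0/24 and 198.51.100.0/24 are
    # documentation ranges, not real peers.
    return (f"Mar 10 02:44:{sec:02d} fe-0-1-100.blah.net {seq}: "
            f"Mar 10 02:45:{sec:02d}.{(sec * 37) % 1000:03d}: %CRYPTO-4-IKMP_NO_SA: "
            f"IKE message from {peer} has no SA and is not an initialization offer.")


SAMPLE_LOG = (
    [_line(s, "198.51.100.7") for s in range(25)]      # 25 messages in 25 seconds
    + [_line(3, "192.0.2.10"),                          # a peer that merely lost its SA
       "Mar 10 02:44:40 fe-0-1-100.blah.net 17: Mar 10 02:45:40.001: "
       "%SYS-5-CONFIG_I: Configured from console by console",
       _line(59, "192.0.2.10")]
)


if __name__ == "__main__":
    for peer, n in find_bursts(SAMPLE_LOG).items():
        print(f"possible IKE flood: {n} SA-less IKE messages from {peer} in 60 s")
```

The detector keys on the peer address as logged, which for a spoofed flood says nothing about the real source; what it does give you is a count and a window to compare against the router's own CPU and adjacency drops, which is the correlation a routing-table loss like the one described would need.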
Will your cisco have the FBI's IOS?
X-URL: http://www.washingtonpost.com/ac2/wp-dyn/A54512-2004Mar12?language=printer

Easier Internet Wiretaps Sought
Justice Dept., FBI Want Consumers To Pay the Cost
By Dan Eggen and Jonathan Krim
Washington Post Staff Writers
Saturday, March 13, 2004; Page A01

The Justice Department wants to significantly expand the government's ability to monitor online traffic, proposing that providers of high-speed Internet service should be forced to grant easier access for FBI wiretaps and other electronic surveillance, according to documents and government officials. A petition filed this week with the Federal Communications Commission also suggests that consumers should be required to foot the bill.

{meaning guess who does their work?}

Justice Department lawyers argue in a 75-page FCC petition that Internet broadband and online telephone providers should be treated the same as traditional telephone companies, which are required by law to provide access for wiretaps and other monitoring of voice communications. The law enforcement agencies complain that many providers do not comply with existing wiretap rules and that rapidly changing technology is limiting the government's ability to track terrorists and other threats. They are asking the FCC to curtail its usual review process to rapidly implement the proposed changes. The FBI views the petition as narrowly crafted and aimed only at making sure that terrorist and criminal suspects are not able to evade monitoring because of the type of telephone communications they use, according to a federal law enforcement official who spoke on the condition of anonymity.

{..}

{It sounds to me like this means: Tear out backbone. Move MAE-East, West and whatever into the Jill Edgar Hoover Building. Pay them rent for the Colo space... YMMV}

--
A host is a host from coast to coast           [EMAIL PROTECTED]
no one will talk to a host that's close       [v].(301) 56-LINUX
Unless the host (that isn't close)                      pob 1433
is busy, hung or dead                                 20915-1433
RE: Will your cisco have the FBI's IOS?
David, I believe that CALEA versions of IOS are already available on cisco.com. It has a backdoor for any traffic originating from dhs.gov address space. ;) C.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Lesher
Sent: Saturday, March 13, 2004 10:41 AM
To: nanog list
Subject: Will your cisco have the FBI's IOS?

X-URL: http://www.washingtonpost.com/ac2/wp-dyn/A54512-2004Mar12?language=printer
RE: who offers cheap (personal) 1U colo?
Paul Vixie wrote: every time i tell somebody that they shouldn't bother trying to send e-mail from their dsl or cablemodem ip address due to the unlikelihood of a well staffed and well trained and empowered abuse desk defending the reputation of that address space, i also say buy a 1U and put it someplace with a real abuse desk, and use your dsl or cablemodem to tunnel to that place.

/me puts the devil's advocate suit on

$50 is a lot of money; I currently send email from my aDSL address because a) my ISP's smarthost sucks b) historically their SMTP hosts have been blacklisted more than mine c) even if they did not suck (which has improved a lot recently, actually) they still won't accept large attachments or mailing-list traffic. I pay $36/mo for my aDSL. $50 _more_ sounds a lot.

/me puts the devil's advocate suit on

Besides, although this list is definitely the right place to find people that would operate a personal SMTP relay in a colo just by the virtue that it's the geeky thing to do, what does it change in the big scheme of things? All these small business customers (20 persons) that I have that use a sub-$100 business DSL and M$ Small Business Server + Exchange are not going to go for it, because the cost then will suddenly become $50 plus the 1U server plus my time plus maintaining it. Michel.
Re: who offers cheap (personal) 1U colo?
I pay $36/mo for my aDSL. $50 _more_ sounds a lot.

rest assured, some of the mail i've received in response to this has even lower price points. several have described service businesses which amount to virtual linux or shell/imap/smarthost but i haven't decided whether to include all of those categories in my results.

... it's the geeky thing to do, what does it change in the big scheme ...?

it's a vision thing. i like the idea of responsible 1U-owners extending their digital footprint to all parts of the globe. most domestic residences don't have UPS, backup generator, or high speed IP with static global addresses. and there is no reason to try to solve that problem given the way-more-efficient 1U colo model. $50/month at 40U rentable is $2000/rack/month if it's full. after paying for 60A of power and 50Mbits/sec of transit and whatever the rack rents for, the provider's gross margin will be between 25% and 50%, out of which they have to pay salaries. as a standalone business this makes no sense, but at scale or as part of another business, $50/month @1U is just about right.
RE: who offers cheap (personal) 1U colo?
On Sat, 13 Mar 2004, Michel Py wrote:

/me puts the devil's advocate suit on $50 is a lot of money; I currently send email from my aDSL address because a) my ISP's smarthost sucks b) historically their SMTP hosts have been blacklisted more than mine c) even if they did not suck (which has improved a lot recently, actually) they still won't accept large attachments or mailing-list traffic. I pay $36/mo for my aDSL. $50 _more_ sounds a lot. /me puts the devil's advocate suit on

I checked with our hosting dept. and we won't sell 1U traffic policed colo quite that cheap. Close to it, but not $50/month. And I agree, for most people spending an extra $50/month just to be able to send email (though I imagine they'd also do some personal web hosting and maybe other things as long as the machine was there), not to mention the expense of buying a 1U server and having to maintain it remotely, isn't going to fly. You'd have to be a pretty hard core netgeek and have the disposable income ($600/year + the server...I can think of lots of better ways to spend that) to consider that a good solution...at which point why not just pay a bit extra to your ISP (or another ISP) and get a static IP with reverse DNS, which I would think would get you excluded from most reasonable DNSBLs. For most people it'd probably make much more sense to find a provider that offers some form of SMTP relay service. It'd probably be cheaper/month, and they wouldn't have the trouble and expense of providing/maintaining a colo server.

Besides, although this list is definitely the right place to find people that would operate a personal SMTP relay in a colo just by the virtue that it's the geeky thing to do, what does it change in the big scheme of things?

I'd imagine you could even find a few friends and share the cost/utility of the server such that it only cost each person a few dollars/month...but then someone's got to pay the bills, collect money, harass the people who don't pay their share, etc.

All these small business customers (20 persons) that I have that use a sub-$100 business DSL and M$ Small Business Server + Exchange are not going to go for it, because the cost then will suddenly become $50 plus the 1U server plus my time plus maintaining it.

What if the cost were only $10/month and they didn't have to maintain anything other than a set of usernames/passwds (SMTP Auth) or perhaps a list of their own IPs (relaying based on IP)?

--
Jon Lewis [EMAIL PROTECTED] | I route
Senior Network Engineer | therefore you are
Atlantic Net |
http://www.lewis.org/~jlewis/pgp for PGP public key
Re: who offers cheap (personal) 1U colo?
paul, - Original Message - From: Paul Vixie [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Saturday, March 13, 2004 2:59 PM Subject: Re: who offers cheap (personal) 1U colo? -- snip -- $50/month at 40U rentable is $2000/rack/month if it's full. after paying for 60A of power and 50Mbits/sec of transit and whatever the rack rents for, the provider's gross margin will be between 25% and 50%, out of which they have to pay salaries. as a standalone business this makes no sense, but at scale or as part of another business, $50/month @1U is just about right. according to your calculations, 1U + 1.5 breakered amps + 1 Mb/s should cost us $25 to $37.50 to provide. care to share where that is? paul
Re: who offers cheap (personal) 1U colo?
I'd have to chime in and say I'm already paying almost $100 for my aDSL connection for my home. I'm paying for a static IP allocation which has been SWIP'd with ARIN and have forward and reverse DNS pointing to my domain. However I deal with on a regular basis ISPs which will reject the mail from my servers as saying they're dynamic dial-up IP space. Not that any one of them ever responds to inquiries to try and get removed (RoadRunner being the most recent) from the list; nor the fact that not one piece of spam has been sent through my servers given that they are SMTP AUTH only, have extensive anti-virus scanning (which doesn't send out emails to anyone but postmaster), and spam tagging.

I can understand the ISPs that don't allow hosting of servers on the DSL line and/or blocking SMTP outbound traffic; however if a customer is paying for static IP space and the ability to host servers on the DSL line then it's not dynamic. I'm not gonna pay another $50/month to have my mail server at some colo just so my mail can be delivered because some ISP doesn't want to accept the mail. I've even recently published the SPF details in my zones so any SMTP+SPF compliant machine can even verify that the message is coming from an authorized machine. Unfortunately not enough domains are doing the same.

Regards, Jeremy

On Sat, Mar 13, 2004 at 11:45:44AM -0800, Michel Py wrote:
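The SPF check Jeremy is counting on is, on the receiving side, a walk through the published record from left to right until a mechanism matches the connecting IP. The following is an added example of that walk, not code from the post or from any MTA. It decides only the mechanisms that need no DNS (ip4, ip6, all) and reports anything else as unresolved rather than silently skipping it; the records and addresses are constructed for the example from documentation ranges.

```python
"""Check a sender IP against a published SPF record (offline mechanisms only).

Added example, not from the original post. It walks a v=spf1 record left to
right the way an SPF-aware receiver does, returning the first matching
mechanism's qualifier. Only ip4, ip6 and all can be decided without DNS; any
other mechanism is reported as unresolved so the caller knows a lookup is still
needed. The records and addresses below are constructed for the example.
"""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, sender_ip):
    """Return pass/fail/softfail/neutral, 'none' for a non-SPF record, or
    'unresolved:<mechanism>' when a DNS-dependent mechanism is reached first."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # not an SPF record at all
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        if "=" in term:                    # modifier (redirect=, exp=); ignored here
            continue
        qualifier = "+"                    # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)   # bare IP becomes /32 or /128
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        return "unresolved:" + name        # a, mx, ptr, include, exists need DNS
    return "neutral"                       # no mechanism matched and no 'all'


# Constructed records, as they might appear in a TXT record for a domain.
RECORDS = {
    "strict":     "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 -all",
    "soft":       "v=spf1 ip4:192.0.2.0/24 ~all",
    "needs_dns":  "v=spf1 mx ip4:192.0.2.0/24 -all",
    "open_ended": "v=spf1 ip6:2001:db8::/32",
}


if __name__ == "__main__":
    for label, record in RECORDS.items():
        for sender in ("198.51.100.7", "203.0.113.4", "2001:db8:1::1"):
            print(f"{label:10} {sender:15} -> {check_spf(record, sender)}")
```

Two things the walk makes visible that the post's one sentence does not: the record's own qualifier on `all` decides what an unlisted sender gets (`-all` fail versus `~all` softfail), and a record that ends without `all` leaves every unlisted sender at neutral, which a receiver treats as if no record existed.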
RE: who offers cheap (personal) 1U colo?
Michel Py wrote: I pay $36/mo for my aDSL. $50 _more_ sounds a lot.

Paul Vixie wrote: rest assured, some of the mail i've received in response to this has even lower price points.

I'm not the one to convince; you're preaching to the choir. What do you say to the non-geek female Supreme Commander that oversees the home budget? I'm walking a fine line already with 9 computers, a 12U router that makes more noise than a 747, and a fair amount of other indispensable network geek items.

most domestic residences don't have UPS

I do, and the geek clientele that reads this that would colo a 1U likely does as well. As a matter of fact, I have 5 UPSes at home: one for the server, one for the router (needs one on its own), one for my PC, one for my wife's PC and even one for the DirecTiVo DVR (an old 200va that can't power any recent computer).

or high speed IP with static global addresses.

I also have this and it would also be higher on the list of many network geeks than the 1U colo, methinks.

[EMAIL PROTECTED] wrote: (though I imagine they'd also do some personal web hosting and maybe other things as long as the machine was there),

I don't see what. For the kind of personal web hosting I care about, my 384 upstream is more than I need. Besides, half of the stuff on my home page would have to come from the home server in the first place.

You'd have to be a pretty hard core netgeek and have the disposable income ($600/year + the server...I can think of lots of better ways to spend that)

So can my wife. Michel.
Re: Will your cisco have the FBI's IOS?
X-URL: http://www.washingtonpost.com/ac2/wp-dyn/A54512-2004Mar12?language=printer Easier Internet Wiretaps Sought Justice Dept., FBI Want Consumers To Pay the Cost

Not sure whose viewpoint this is, it reads like it's the FBI's: The problem the FBI faces is that it cannot identify and break down information that travels as packets of data over the Internet. Phone calls placed over the Internet are changed from voice signals into data packets that look much like other data packets that contain e-mail or instructions for browsing the Internet

Erm no, phone calls on the internet use the same data structure as they do on the phone network, the difference is in the transport. Kinda worrying they want to pass a law but don't know why they want it. Steve
Re: Will your cisco have the FBI's IOS?
They have access into the TDM network at present. Now they want VoIP. -- James H. Edwards Routing and Security At the Santa Fe Office: Internet at Cyber Mesa [EMAIL PROTECTED] [EMAIL PROTECTED]
Telia...
Looking for opinions and experience on Telia's IP network performance within Europe and out of Europe i.e. North America on the whole.. Thanks in advance for your time. Regards -Shazad
Re: who offers cheap (personal) 1U colo?
according to your calculations, 1U + 1.5 breakered amps + 1 Mb/s should cost us $25 to $37.50 to provide. care to share where that is? i'll publish an initial list of responses tomorrow (sunday) if possible. note that those numbers only work at scale (when you have lots of racks and/or are doing lots of other business.) as a standalone business this would almost never work out. -- Paul Vixie
Re: Enterprise Multihoming
On Fri, 12 Mar 2004, Stephen Fisher wrote: Most of the multi-homing talk has been about failover capabilities between different providers. What about the effects of multiple providers when neither has actually failed; such as different paths for inbound/outbound traffic. One provider may have better connectivity to x site whereas the other provider has better connectivity to y. (Or is this not as important as it used to be?)

Capacity and congestion isn't a (big) issue with bandwidth and circuits being so cheap; most corporates just need to know they can get their email and browse the web, and whether it takes 70 or 140ms for data to cross the Atlantic, providing it pops up on their screen within a few seconds they're happy. So in this way I think the answer to your question is it's not important to most multihomers but ymmv.. Steve

On Fri, Mar 12, 2004 at 09:15:55AM -0700, John Neiberger wrote: In our case, we already are multihoming and I'm considering moving away from that to a simpler solution. It's been my assertion that we didn't need to multihome in the beginning. The decision was made at a level higher than me. However, now that we have it I'm trying to determine the pros and cons related to moving to a single provider.
Re: Telia...
On Sat, 13 Mar 2004, Shazad wrote: Looking for opinions and experience on Telia's IP network performance within Europe and out of Europe i.e. North America on the whole.. Thanks in advance for your time.

I like them, only had one issue in over a year which was localised to the PE router I plug into (linecard failure or something..) They're very well peered and engineered in Europe, I'm less familiar with their US setup but that's primarily where my traffic is going and it gets there just fine :) [Peter, fwd my commission cheque to the usual address thx ;) ] Steve
Re: Telia...
On Sat, 13 Mar 2004, Shazad wrote: Looking for opinions and experience on Telia's IP network performance within Europe and out of Europe i.e. North America on the whole.. Thanks in advance for your time.

We recently moved our London DNS site from Rackspace to Telia and have had no problems with their network. Excellent RTTs into Germany and the rest of Europe, no problem connecting back to our main site in Boston.

Tim Wilde
--
Tim Wilde [EMAIL PROTECTED]
Systems Administrator
Dynamic Network Services, Inc.
http://www.dyndns.org/
Re: Load Balancing Multiple DS3s (outgoing) on a 7500
On Fri, Mar 12, 2004 at 11:37:25PM -0500, Joe Abley wrote: On 12 Mar 2004, at 23:24, joe mcguckin wrote: I suspect that each FE goes to a different AS... In that case, sample/count outbound traffic volumes by (prefix/AS/AS_PATH/something), sort the resulting list, and develop an import policy based on the top N entries which shares the traffic by tweaking some other attribute to avoid the last-resort tie-break. The tool ehnt is pretty useful for generating a top style list of ASes in order of the amount of traffic you're sending their way. By the way, w/r/t to the tiebreaker stuff, note that (on Cisco devices) if you don't have bgp bestpath compare-routerid set, the route that was received first will be preferred. This minimizes route-flap, but can cause weird shifts in your traffic patterns when one bgp session or another goes down (credit goes to Mark Nagel for figuring out this one for me). -- Since when is skepticism un-American? Dissent's not treason but they talk like it's the same... (Sleater-Kinney - Combat Rock)
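The two steps the reply describes (aggregate sampled outbound bytes by prefix, origin AS or AS_PATH, then hand the top entries to each link so the load is shared) are shown below as an added example. It is not code from the thread and not the ehnt tool: the flow records are constructed, the sampling rate is assumed to be 1:100, and the AS numbers and prefixes come from the documentation ranges. The "split" is a plain greedy largest-first assignment; turning its output into local-preference or weight statements on the router is left to the operator.

```python
"""Rank sampled outbound traffic by BGP attribute and split it across links.

Added example, not from the original post and not the ehnt tool. It does the
two steps the reply describes: aggregate sampled flow bytes by a chosen key
(origin AS, full AS_PATH or prefix) and assign the top entries to links so that
each link carries a similar share. The flow records are constructed for the
example; AS numbers and prefixes are from the documentation ranges.
"""
from collections import Counter


def top_destinations(flows, key="origin_as", n=3):
    """Return [(key_value, bytes, share_of_total)] for the n heaviest entries."""
    totals = Counter()
    for flow in flows:
        # scale sampled byte counts back up by the 1:N sampling rate
        totals[flow[key]] += flow["bytes"] * flow.get("sampling_rate", 1)
    grand = sum(totals.values())
    return [(k, b, b / grand) for k, b in totals.most_common(n)]


def split_for_balance(ranked, links=2):
    """Greedy largest-first assignment of ranked entries to links.
    Returns ({link_index: [key_value, ...]}, [bytes_per_link])."""
    load = [0] * links
    plan = {i: [] for i in range(links)}
    for key_value, byte_count, _ in ranked:        # ranked is descending
        i = load.index(min(load))                   # least-loaded link so far
        plan[i].append(key_value)
        load[i] += byte_count
    return plan, load


# Constructed sampled flow records (1:100 sampling) already joined with the
# BGP table; "bytes" is the sampled count, not the scaled one.
SAMPLE_FLOWS = [
    {"prefix": "192.0.2.0/24",    "origin_as": 64500, "as_path": (64496, 64500), "bytes": 400, "sampling_rate": 100},
    {"prefix": "198.51.100.0/24", "origin_as": 64501, "as_path": (64496, 64501), "bytes": 300, "sampling_rate": 100},
    {"prefix": "203.0.113.0/24",  "origin_as": 64502, "as_path": (64497, 64502), "bytes": 200, "sampling_rate": 100},
    {"prefix": "192.0.2.0/24",    "origin_as": 64500, "as_path": (64496, 64500), "bytes": 100, "sampling_rate": 100},
    {"prefix": "203.0.113.0/24",  "origin_as": 64502, "as_path": (64497, 64502), "bytes": 150, "sampling_rate": 100},
]


if __name__ == "__main__":
    ranked = top_destinations(SAMPLE_FLOWS)
    for asn, byte_count, share in ranked:
        print(f"AS{asn}: {byte_count} bytes ({share:.0%})")
    plan, load = split_for_balance(ranked)
    for link, asns in plan.items():
        print(f"link {link}: {asns} -> {load[link]} bytes")
```

With these records the heaviest origin AS goes on one link alone and the next two share the other, which is as even as three unequal buckets can get; re-running with `key="as_path"` or `key="prefix"` changes the granularity of the policy you would then write, at the cost of more route-map entries.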
Re: who offers cheap (personal) 1U colo?
it's a vision thing. i like the idea of responsible 1U-owners extending their digital footprint to all parts of the globe. most domestic residences don't have UPS, backup generator, or high speed IP with static global addresses. and there is no reason to try to solve that problem given the way-more-efficient 1U colo model.

On the other hand, if the person doesn't have a UPS at home, what good is it when their SMTP server in a colo is still chugging? :) Rob Nelson [EMAIL PROTECTED]
Re: who offers cheap (personal) 1U colo?
On Sat, 13 Mar 2004, Paul Vixie wrote: every time i tell somebody that they shouldn't bother trying to send e-mail from their dsl or cablemodem ip address due to the unlikelihood of a well staffed and well trained and empowered abuse desk defending the reputation of that address space, i also say buy a 1U and put it someplace with a real abuse desk, and use your dsl or cablemodem to tunnel to that place.

Why the assumption that a server connected via a patch cord will be better administered than a server connected by a dsl or cable modem or T1 line? What you seem to actually be looking for is a connection with a fixed IP address which doesn't share address reputation with others. Old timers who were able to obtain small IP address blocks for free don't have as much of a problem. They can arrange for any ISP to announce those IP addresses from any location, including their home basement colo over a DSL line. Their address reputation is less dependent on third-parties. But with address conservation measures, new IP addresses are much more tightly packed with all sorts of address assignments very close to each other. Unlike provider independent IP addresses, some operators of block lists will block large numbers of provider assigned addresses even if any particular address has never done anything wrong. Even if an ISP had a perfect abuse response desk, some people pre-emptively block all so-called dialup address ranges.

Why shouldn't an individual be able to operate a server on their DSL or cable modem connection? Wasn't the original end-to-end nature of the Internet based on that? Why prevent people from running servers on DSL and cable modem connections, yet say they could run an identical server in a colo? Why is one unsafe, and the other is considered Ok?
Re: who offers cheap (personal) 1U colo?
On the other hand, if the person doesn't have a UPS at home, what good is when their SMTP server in a colo is still chugging? :) as a matter of courtesy, it's good to let mail be delivered rather than sitting in other people's retry queues. especially secondary-mx retry queues.
Re: who offers cheap (personal) 1U colo?
Why the assumption that a server connected via a patch cord will be better administered than a server connected by a dsl or cable modem or T1 line?

partly it's a question of scale. if a provider is terribly successful at this low end personal colo business they might have 10 racks of 40 customers per rack, such that they could quit their day job and just run this low-end personal colo business. which would be a 400:1 ratio between customers and staff, which is better than the 1:1 ratio you'll see from your best-case dsl or cable isp. thus, a customer who neglects their server and allows others to use it as an abuse-staging platform, or a script kiddie who stupidly fouls their own nest by staging an attack from their own host, will get noticed by someone with clue, in nearly real time.

What you seem to actually be looking for is a connection with a fixed IP address which doesn't share address reputation with others.

no, i'm looking for a way to share address reputation amongst a group of serious-minded professional power-users who have learned over the years how to maintain their own BSD or Linux platform.

Why shouldn't an individual be able to operate a server on their DSL or cable modem connection?

because their provider is, statistically speaking, a money-grubbing slob.

Wasn't the original end-to-end nature of the Internet based on that?

why, yes, it was. but an implicit design criterion was that all of the users would always be as smart and as professional as the scientists, engineers, and educators who were the first generation of IP's users. (big mistake.)

Why prevent people from running servers on DSL and cable modem connections, yet say they could run an identical server in a colo?

because most providers don't want to give out static ip addresses, for one thing. because these providers are counting on a high suck:blow ratio from their customer base. because these providers know that people will pay more to get real internet access and they're holding you all for ransom. take your pick.

Why is one unsafe, and the other is considered Ok?

one is totally governed by a bilateral relationship between a 1U owner and a colo provider, neither of whom has a monopoly, and both of whom have something to lose if the IP address used in the relationship is abused. this isn't a technical thing. it's all about people getting what they want. -- Paul Vixie
Re: who offers cheap (personal) 1U colo?
On Sat, 13 Mar 2004, Rob Nelson wrote: On the other hand, if the person doesn't have a UPS at home, what good is when their SMTP server in a colo is still chugging? :) Just because my power is out at home doesn't mean I don't have net access. With the colo server collecting mail you can SSH into it and still review messages. Don't forget those who have access at work, a laptop with wireless, and cell phones/modems. Plus when the power comes back you can force the queue to dump to your home machine and you don't need to wait for all of the other servers to retry their queues in xx minutes. Andrew (another VT person) --- [EMAIL PROTECTED] http://www.andrewsworld.net/ ICQ: 2895251 Cisco Certified Network Associate Learn from the mistakes of others. You won't live long enough to make all of them yourself.
Re: Packet Kiddies Invade NANOG
maturity in its purest form.

-- Original Message --
From: [EMAIL PROTECTED]
Date: Sat, 13 Mar 2004 17:17:42 -0800

I've noticed a number of shining stars in the network engineering industry have graced us with their presence and infinite wisdom in the past few days, including Gregory Taylor. I can't help but wonder if this is the same who launched multi-gigabit DDoS attacks against IRC servers and major ISP's recently: http://www.geocities.com/osek_owned/ http://www.urbandictionary.com/define.php?term=osek Coincidence? You decide. Better yet, call his mother at [phone number removed], and let her know you don't approve of his hacking activities. If enough of us put the pressure on, it's possible he'll be grounded, and his computer privileges will be revoked. It's happened before, it can happen again.

For those of you wondering, Xpert Web Builders (XWB.COM) is bogus. They don't operate a network, they're a sole proprietorship tech support and web dev group, run by some clue-challenged kids who don't even have the cashflow needed to invest in a post-paid cellular phone.

Then there's Andrew Kirch, aka trelane, who just published a fascinating (albeit highly technically inaccurate, and bearing little or no basis in reality) whitepaper on the script kiddie culture: http://software.newsforge.com/software/04/02/28/0130209.shtml Only problem is, he hangs out on EFNet in #sigdie, a channel known in security circles as a place where large-scale DDoS attacks, usually involving 1000's of drone nets or otherwise compromised machines, are coordinated. Takes one to know one, I guess. The fun doesn't stop there: he's publicly admitted to helping packet IRC servers before!

I'm still working on building a rap sheet on Kirch's friend, Brian Bruns, and their Summit Open Source Development Group (which, by all accounts, is a legitimate-looking front for their not-so-legitimate activities). If anyone has any info, mail me privately, and I'll summarize.
Re: who offers cheap (personal) 1U colo?
In message [EMAIL PROTECTED], Paul Vixie writes:

>> Why prevent people from running servers on DSL and cable modem connections, yet say they could run an identical server in a colo?
>
> because most providers don't want to give out static ip addresses, for one thing. because these providers are counting on high suck:blow ratios from their customer base. because these providers know that people will pay more to get real internet access and they're holding you all for ransom. take your pick.
>
>> Why is one unsafe, and the other is considered Ok?
>
> one is totally governed by a bilateral relationship between a 1U owner and a colo provider, neither of whom has a monopoly, and both of whom have something to lose if the IP address used in the relationship is abused. this isn't a technical thing. it's all about people getting what they want.

And in fact, there are technical reasons as well. Downstream IP transmission on a cable plant uses any arbitrary channel; if there's a lot of downstream traffic, just displace the Home Gerbil Channel or some such and allocate more bandwidth to IP. Upstream traffic uses the band below channel 1, and it's not easy to add more unless you split the tree and put in another fiber node. This is done for the sake of the repeaters -- the downstream repeaters are fed by a high-pass filter, and the upstream repeaters are fed by a low-pass filter. If too many people are fielding home servers, it affects everyone.

--Steve Bellovin, http://www.research.att.com/~smb
Re: Telia...
They are one of the best providers in Russia (and when I was there, in Europe). I visited their NOC in Stockholm about 5 years ago; they used a very effective _common sense_ approach, combining brand names with brandless when it is more effective, using both commercial and home-made open-source software. I do not know about the USA; this (the USA) is another world (with other marketing, support habits, etc.).

PS. It is interesting how Teleglobe is positioned today. They were the first who came to Russia about 7 years ago, but then they lost their position to Telia (maybe I am wrong).

- Original Message -
From: Tim Wilde [EMAIL PROTECTED]
To: Shazad [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Saturday, March 13, 2004 2:30 PM
Subject: Re: Telia...

> On Sat, 13 Mar 2004, Shazad wrote:
>
>> Looking for opinions and experience on Telia's IP network performance within Europe and out of Europe, i.e. North America on the whole.. Thanks in advance for your time.
>
> We recently moved our London DNS site from Rackspace to Telia and have had no problems with their network. Excellent RTTs into Germany and the rest of Europe, no problem connecting back to our main site in Boston.
>
> Tim Wilde
>
> --
> Tim Wilde [EMAIL PROTECTED]
> Systems Administrator
> Dynamic Network Services, Inc.
> http://www.dyndns.org/
Re: who offers cheap (personal) 1U colo?
Thus spake Steven M. Bellovin [EMAIL PROTECTED]

> And in fact, there are technical reasons as well. Downstream IP transmission on a cable plant uses any arbitrary channel; if there's a lot of downstream traffic, just displace the Home Gerbil Channel or some such and allocate more bandwidth to IP. Upstream traffic uses the band below channel 1, and it's not easy to add more unless you split the tree and put in another fiber node. This is done for the sake of the repeaters -- the downstream repeaters are fed by a high-pass filter, and the upstream repeaters are fed by a low-pass filter. If too many people are fielding home servers, it affects everyone.

So DOCSIS has a technical limitation which may or may not apply. This is reasonable justification for limiting upstream bandwidth, not for specifying that users can't run servers. If users can run servers effectively in the limited available upstream bandwidth, then there is no _technical_ reason to prevent them.

Other last-mile technologies provide symmetric bandwidth yet providers still prohibit servers; this is clearly a business issue, not a technical one.

S

Stephen Sprunk        "Stupid people surround themselves with smart
CCIE #3723            people. Smart people surround themselves with
K5SSS                 smart people who disagree with them." --Aaron Sorkin
Re: who offers cheap (personal) 1U colo?
[EMAIL PROTECTED] (Sean Donelan) writes:

> If the block list operators think it is a dialup range, they pre-emptively block all the addresses in the range.

that's because at $30/month there's no budget for a dialup provider to call their worm-infested customers one at a time and talk them through Windows Update, and the free antivirus software they include on their customer cdroms is crippleware or adware or both. providers who refuse to enter the race to the bottom can get their dialup blocks delisted from any blackhole list operator i know of, just by demonstrating clue and conviction.

> It has very little to do with the quality of the ISP's abuse desk.

long term, it does. my sister is in sbc-dsl territory and before i linuxed her and tunneled her, i had a terrible time getting e-mail from her. the /24 that her nat/dsl box got by dhcp had a dozen open proxies in it. sbc's abuse desk sure as hell didn't want to hear from me about it and the owners of the infected pee cee's wouldn't've wanted to hear from me even if i'd had some way to identify them and offer them a free linux upgrade if they'd just open their front door and lead me to their pee cee.

> ... But large DSL or cable address ranges, even if the addresses are statically assigned to specific customers, are pre-emptively blocked.

there's a sound statistical basis for this. and a strong abuse desk (which would show up as higher-than-$30/month-fees) would change those statistics and improve the reputation of that kind of address space.

> I suppose ISPs could create boutique service provider subsidiaries for serious-minded professional power-users. Ask ARIN for independent elite IP address ranges. Maybe even get a different 1-800 number for customer service and abuse complaints. Of course, customers would pay more for this elite service.

rather, i think that your employer and other dsl providers ought to get into the $50/month 1U colo business and market this to their power users and budget for a strong abuse desk for the small amounts of address space used by that function. (and if you do, please send me the URL and details.) it would be marketing suicide to offer a different dsl-dhcp ip address to people willing to pay enough to budget for an abuse desk. but if you call it colocation then it doesn't look as if you're cheap bastards for not being willing to budget for a strong abuse desk for ALL your customers.

--
Paul Vixie
Re: who offers cheap (personal) 1U colo?
On Sat, 13 Mar 2004, Stephen Sprunk wrote:

> So DOCSIS has a technical limitation which may or may not apply. This is reasonable justification for limiting upstream bandwidth, not for specifying that users can't run servers. If users can run servers effectively in the limited available upstream bandwidth, then there is no _technical_ reason to prevent them.

I think people are being sloppy about saying no servers on certain types of networks.

I think the actual requirement is for a long-term end-to-end identifier for systems, and maybe even network users, before they can do certain activities on the network so you can trace or block the system. Systems without long-term unique end-to-end identifiers would only be able to do a limited number of things because they are essentially fungible. Neither the location nor type of access media is important.

A student in a college dorm room with an uncontrolled DHCP address may not be able to run a server, even though they have more than enough symmetric Gig-ethernet bandwidth and you know what dorm it is physically located in, because all student servers look alike. On the other hand, a mobile server on a US Navy ship on a 1200 baud radio connection with a fixed address would be permitted to run a server even though you may have no idea where in the world the ship is physically located today, because you could identify which server it was. (Server clusters acting as a single system don't change this.)

If you want to spend about $50/month for a static IP address for your DSL line, then the question becomes should you be able to send mail directly from your home server with a static IP address on a DSL line until abused? No need to buy another box, find a colo or figure out how to remotely administer another system or tunnel to it to send mail.
Re: who offers cheap (personal) 1U colo?
On Sun, 14 Mar 2004, Sean Donelan wrote:

> I think the actual requirement is for a long-term end-to-end identifier for systems, and maybe even network users, before they can do certain activities on the network so you can trace or block the system. Systems

Now my question becomes: Is this an identifier that other providers can use to trace the machine, or only for the local ISP?

I look at it this way. If I'm the provider I don't really care what username they are, I can determine their location by the logs. Sure they may be a DSL, but they will at some point request an address. When they request an address I have their circuit ID and I can at least narrow it down to a house or apartment.

> A student in a college dorm room with an uncontrolled DHCP address may not be able to run a server, even though they have more than enough symmetric Gig-ethernet bandwidth and you know what dorm it is physically located because all student servers look alike. On the other hand, a mobile

This is a topic I get very soap-boxish about. I have too many problems with providers who don't understand the college student market. I can think of one university who requires students to login through a web portal before giving them a routable address. This is such a waste of time for both parties. Sure it makes tracking down the abusers much easier, but is it worth the time and effort to manage? This is a very legitimate idea for public portals in common areas, but not in dorm rooms.

In a dorm room situation or an apartment situation, you again know the physical port the DHCP request came in on. You then know which room that port is connected to and you therefore have a general idea of who the abuser is. So what's the big deal if you turn off the ports to the room until the users complain and the problem is resolved? I guess this requires very detailed cable map databases and is something some providers are reluctant to develop. Scary thought.

Andrew
---
[EMAIL PROTECTED]
http://www.andrewsworld.net/
ICQ: 2895251
Cisco Certified Network Associate
Learn from the mistakes of others. You won't live long enough to make all of them yourself.
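One way to implement the lookup Andrew describes (abuse report with IP and time, DHCP lease log carrying the relay circuit-id, cable map from port to room), as an added example that is not part of the original thread. The log format, addresses, MACs, circuit-ids and cable map are all constructed; real DHCP servers log option 82 differently, if at all.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional
# Constructed, simplified DHCP server log (not real dhcpd output): the relay
# agent's circuit-id (DHCP option 82) is logged with every ACK.
LEASE_LOG = """\
2004-03-14T01:55:02 DHCPACK on 10.20.30.41 to 00:11:22:33:44:55 circuit-id=sw-dorm3:gi1/0/7
2004-03-14T02:40:10 DHCPRELEASE of 10.20.30.41 from 00:11:22:33:44:55
2004-03-14T02:41:19 DHCPACK on 10.20.30.41 to 00:aa:bb:cc:dd:ee circuit-id=sw-dorm3:gi1/0/12
2004-03-14T02:41:25 DHCPACK on 10.20.30.42 to 00:de:ad:be:ef:01 circuit-id=sw-dorm1:gi1/0/3
"""
# Constructed cable map: which building and room each switch port is wired to.
CABLE_MAP = {
    "sw-dorm3:gi1/0/7": ("Dorm 3", "Room 117"),
    "sw-dorm3:gi1/0/12": ("Dorm 3", "Room 122"),
    "sw-dorm1:gi1/0/3": ("Dorm 1", "Room 103"),
}
ACK_RE = re.compile(r"^(\S+) DHCPACK on (\S+) to (\S+) circuit-id=(\S+)$")
RELEASE_RE = re.compile(r"^(\S+) DHCPRELEASE of (\S+) from (\S+)$")

@dataclass
class Lease:
    start: datetime
    ip: str
    mac: str
    circuit_id: str
    end: Optional[datetime] = None  # None: still active at the end of the log

def parse_leases(log: str) -> List[Lease]:
    # Turn ACK/RELEASE lines into lease intervals, one per (IP, MAC, port).
    leases: List[Lease] = []
    for line in log.splitlines():
        if m := ACK_RE.match(line):
            ts, ip, mac, cid = m.groups()
            for old in leases:  # a new ACK for an IP ends its previous lease
                if old.ip == ip and old.end is None:
                    old.end = datetime.fromisoformat(ts)
            leases.append(Lease(datetime.fromisoformat(ts), ip, mac, cid))
        elif m := RELEASE_RE.match(line):
            ts, ip, mac = m.groups()
            for old in leases:
                if old.ip == ip and old.mac == mac and old.end is None:
                    old.end = datetime.fromisoformat(ts)
    return leases
LEASES = parse_leases(LEASE_LOG)

def locate(ip: str, when: str, leases=LEASES, cable_map=CABLE_MAP) -> Optional[dict]:
    """Map an abuse report (IP + time) to the switch port and room it came from."""
    t = datetime.fromisoformat(when)
    # Use the lease active *at the reported time*, not the newest one: the same
    # IP may since have been handed to a different customer.
    for lease in leases:
        if lease.ip == ip and lease.start <= t and (lease.end is None or t < lease.end):
            building, room = cable_map.get(lease.circuit_id, ("unknown", "unknown"))
            return {"mac": lease.mac, "circuit_id": lease.circuit_id, "building": building, "room": room}
    return None  # no lease covered that moment: the report cannot be attributed
```

A report against 10.20.30.41 at 02:10 resolves to Room 117, the same address at 03:00 resolves to the later lease in Room 122, and a time in the gap between release and reassignment resolves to nobody.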
Re: who offers cheap (personal) 1U colo?
On Sun, 14 Mar 2004, Sean Donelan wrote:

> line, then the question becomes should you be able to send mail directly from your home server with a static IP address on a DSL line until abused? No need to buy another box, find a colo or figure out how to remotely administer another system or tunnel to it to send mail.

I think this is hinting at another larger issue: the fact that so many ISPs are filtering services and controlling what a user can and can't do. I know several providers who block SMTP outbound at their border for anything that's not their mail box or a registered mail host. Sure this stops spam complaints but if I'm paying for service I'm wanting raw access, not some censored service.

I had major issues with a small ISP who decided they would firewall all of their customers and filter in/out ports. It got to the point I couldn't even send or receive files with individuals using that ISP. Finally I ended up building a VPN through their firewall to conduct business.

As far as SMTP goes, in the past I've allowed mail into my machine from anywhere for my domain, then I'd relay my outbound mail through my provider's SMTP box just to bypass all the stupid blacklists. I don't mind the idea of having to register my servers with my ISP or some future regulatory board but that becomes ridiculous when I'm constantly changing my home network/lab.

Andrew
---
[EMAIL PROTECTED]
http://www.andrewsworld.net/
ICQ: 2895251
Cisco Certified Network Associate
Learn from the mistakes of others. You won't live long enough to make all of them yourself.
RE: Will your cisco have the FBI's IOS?
On Sat, 13 Mar 2004, Christopher J. Wolff wrote:

> I believe that CALEA versions of IOS are already available on cisco.com. It has a backdoor for any traffic originating from dhs.gov address space. ;)

If law enforcement was satisfied with the solutions already available, I don't think they would have spent the time creating this filing.

It's probably a good idea for anyone associated in the Internet industry to read the filing because it may be requesting the FCC change definitions of who is covered and what they must do. Even if you thought CALEA didn't apply to you for the last 10 years, you might find out after this you will be required to provide complete CALEA capabilities. The requested capabilities may be more than are currently available from vendors.

Do you know what is the difference between call-identifying information and communications-identifying information? They both have the initials CII. What is the difference between the phone number of a fax machine and the from/to lines on the cover page of the fax?
Re: who offers cheap (personal) 1U colo?
Thus spake Sean Donelan [EMAIL PROTECTED]

> On Sat, 13 Mar 2004, Stephen Sprunk wrote:
>
>> So DOCSIS has a technical limitation which may or may not apply. This is reasonable justification for limiting upstream bandwidth, not for specifying that users can't run servers. If users can run servers effectively in the limited available upstream bandwidth, then there is no _technical_ reason to prevent them.
>
> I think people are being sloppy about saying no servers on certain types of networks.

Sloppy? IMHO it's completely intentional. Most consumer/residential AUPs explicitly ban running any sort of server -- you have to pay more for that privilege.

> I think the actual requirement is for a long-term end-to-end identifier for systems, and maybe even network users, before they can do certain activities on the network so you can trace or block the system. Systems without long-term unique end-to-end identifiers would only be able to do a limited number of things because they are essentially fungible.

You're talking about the complete death of anonymity...

This also touches on a fundamental problem with IP -- its addresses are both locators and identifiers.

> If you want to spend about $50/month for a static IP address for your DSL line, then the question becomes should you be able to send mail directly from your home server with a static IP address on a DSL line until abused? No need to buy another box, find a colo or figure out how to remotely administer another system or tunnel to it to send mail.

Some ISPs block or intercept all outbound traffic on port 25 unless you register your mail server (for free). Given the amount of spam coming from virus-infected PCs these days, I have a tough time arguing with that.

S

Stephen Sprunk        "Stupid people surround themselves with smart
CCIE #3723            people. Smart people surround themselves with
K5SSS                 smart people who disagree with them." --Aaron Sorkin