date:20050120


On Thu, 20 Jan 2005 14:30:04 +0200, Gadi Evron [EMAIL PROTECTED] wrote:
 
 Inktomi (now Yahoo!) sends it's spiders all over the Internet. Lately
 some of our systems are reporting that they open many HTTP connections
 to our web sites, without ever sending any data and immediately
 disconnecting. This is getting to a level where it disturbs us.
 

I have heard previous stories of inktomi ignoring robots.txt (not seen
this for myself though).  And there are threads like this -

Quoting from http://www.webmasterworld.com/forum11/1968-1-15.htm

 I've got Scooter allowed in, but I've also got it lumped int with a
 number of agents that are not allowed to get non-HTML files. This is
 especially important at my site as it includes a number of very large
 binary datasets in numerous locations and the robots have proven too
 stupid to understand that downloading them is a waste of bandwidth.
 
 RewriteCond %{HTTP_USER_AGENT} .*Ask.Jeeves.* [OR]
 RewriteCond %{HTTP_USER_AGENT} .*FAST.WebCrawl.* [OR]
 RewriteCond %{HTTP_USER_AGENT} .*ia_archiver.* [OR]
 RewriteCond %{HTTP_USER_AGENT} .*InfoSeek.* [OR]
 RewriteCond %{HTTP_USER_AGENT} .*inktomi.* [OR]
 RewriteCond %{HTTP_USER_AGENT} .*Scooter.* [OR]
 RewriteCond %{HTTP_USER_AGENT} .*Slurp.* [OR]
 RewriteCond %{HTTP_USER_AGENT} .*Teoma.* [OR]
 RewriteCond %{HTTP_USER_AGENT} .*VoilaBot.* [OR]
 RewriteCond %{HTTP_USER_AGENT} .*Google.*
 RewriteRule!.*(html¦htm¦txt¦/)$ /www/msgs/badagent.html [F]

Re: Regarding registrar LOCK for panix.com

2005-01-20 Thread Hank Nussbacher

At 12:22 AM 20-01-05 +, Eric Brunner-Williams in Portland Maine wrote:
I picked 1990 because Panix is 15 year old.
And not to forget that Panix was the 1st victim ever of a SYN attack in 
Sept 1996:
http://www.panix.com/press/synattack.html
http://www.panix.com/press/synattack2.html

Seems like someone out there just luvs Panix! :-)
-Hank

Re: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19


David Barak [EMAIL PROTECTED] wrote:

 While it says that bogon filters change, and provides
 a URL to check it, what percentage of folks who would
 use a feature like autosecure would ever update
 their filters?  


What do they do to update that bogon list anyway - push a new IOS image?

srs

Re: Regarding registrar LOCK for panix.com

2005-01-20 Thread Michael . Dillon


 And not to forget that Panix was the 1st victim ever of a SYN attack in 
 Sept 1996:
 http://www.panix.com/press/synattack.html
 http://www.panix.com/press/synattack2.html

And due to coordinated action between members of the
NANOG mailing list and the FIREWALLS mailing list, 
within 24 hours, there were patches made available for
Linux and various BSD kernels that mitigated these
attacks.

This type of an event shows the real power of the NANOG
mailing list to communicate in a crisis. If only we could
extend this communication to other media (INOC-DBA) and
to include representatives of more network operators.

I hope that the NANOG reform discussion spends a good 
bit of its time on articulating a vision for the future
of a membership-based NANOG organization, and not worry
so much about past problems.

--Michael Dillon

Re: Confirmation of receipt of the transfer request at Verisign

2005-01-20 Thread David Lesher


Speaking on Deep Background, the Press Secretary whispered:
 
 
 on 1/19/05 9:56 PM, Bruce Tonkin at [EMAIL PROTECTED] wrote:
 
  Here is the copy of the email Melbourne IT received.
 
 Thanks for providing a copy of the e-mail Bruce.  You've been
 extraordinarily forthcoming on NANOG.  I wish that Dotster, as the losing
 registrar, was as willing to discuss the hijack of panix.com as you as a
 representative of the gaining registrar, Melbourne IT, have been.
 

I wonder if they have anything to share? From what I recall, they
state they didn't receive any notification... 


-- 
A host is a host from coast to [EMAIL PROTECTED]
 no one will talk to a host that's close[v].(301) 56-LINUX
Unless the host (that isn't close).pob 1433
is busy, hung or dead20915-1433

Re: panix hijack press

2005-01-20 Thread David Lesher


Speaking on Deep Background, the Press Secretary whispered:
 
 (1) Stop blaming the victim!

To me, as big an issue as the original FUBAR is the
alleged/reported failure of both MelIT and VGRS to respond and
attempt to lessen the damage they had helped cause.

I'm no lawyer, but believe under US laws such failure to mitigate
is a factor in civil judgements -- if you choose to {say} just
stand there and look stoopid rather than call 911 after you knock
over the propane torch and start the house on fire

Add to the mix the detail that Verisign is paying a LARGE
settlement out on a past infamous theftand you'd think they'd
Buy Some Clue...


-- 
A host is a host from coast to [EMAIL PROTECTED]
 no one will talk to a host that's close[v].(301) 56-LINUX
Unless the host (that isn't close).pob 1433
is busy, hung or dead20915-1433

Re: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19

2005-01-20 Thread Jared Mauch


On Thu, Jan 20, 2005 at 06:26:15PM +0530, Suresh Ramasubramanian wrote:
 
 David Barak [EMAIL PROTECTED] wrote:
 
  While it says that bogon filters change, and provides
  a URL to check it, what percentage of folks who would
  use a feature like autosecure would ever update
  their filters?  
 
 
 What do they do to update that bogon list anyway - push a new IOS image?

Actually, my assumption is anyone with autosecure gets
free software upgrades for life, as this is a flexible list that
will change over time.  Each time a change is made they
need to release new software, and notify their installed
customer base.

- jared

-- 
Jared Mauch  | pgp key available via finger from [EMAIL PROTECTED]
clue++;  | http://puck.nether.net/~jared/  My statements are only mine.

Re: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19


On Thu, 20 Jan 2005 09:29:34 -0500, Jared Mauch [EMAIL PROTECTED] wrote:
 Actually, my assumption is anyone with autosecure gets
 free software upgrades for life, as this is a flexible list that

...  or as long as your support contract with cisco lasts, whichever
comes earlier.

-- 
Suresh Ramasubramanian ([EMAIL PROTECTED])

Re: Regarding registrar LOCK for panix.com


On Thu, 20 Jan 2005 13:18:03 +, [EMAIL PROTECTED]
[EMAIL PROTECTED] wrote:
 
 I hope that the NANOG reform discussion spends a good
 bit of its time on articulating a vision for the future
 of a membership-based NANOG organization, and not worry
 so much about past problems.
 

That is something I am working on, as it strikes me as a really good
way to bring more asian operators into the mainstream.

A clueful contact at an ISP prevents people dropping in blackhole
routes and access.db entries for huge netblocks when they see the
first sign of abuse from out of there ... which would be a very good
thing.

INOC-DBA does get talked about on several other operator lists like
apricot and sanog .. but there's not nearly enough adoption yet.  I'm
still hopeful about seeing it grow in popularity and get some critical
mass.

-- 
Suresh Ramasubramanian ([EMAIL PROTECTED])

Re: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19

2005-01-20 Thread Jared Mauch


On Thu, Jan 20, 2005 at 08:03:42PM +0530, Suresh Ramasubramanian wrote:
 On Thu, 20 Jan 2005 09:29:34 -0500, Jared Mauch [EMAIL PROTECTED] wrote:
  Actually, my assumption is anyone with autosecure gets
  free software upgrades for life, as this is a flexible list that
 
 ...  or as long as your support contract with cisco lasts, whichever
 comes earlier.

No, cisco providing a time sensitive feature like this
implies free upgrades to repair this critical defect.  Just like
they give out free software to people without contracts when
they have a major security vulnerability.

Seems like this falls in the same category to me.

- jared

-- 
Jared Mauch  | pgp key available via finger from [EMAIL PROTECTED]
clue++;  | http://puck.nether.net/~jared/  My statements are only mine.

Re: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19


On Thu, 20 Jan 2005 09:42:54 -0500, Jared Mauch [EMAIL PROTECTED] wrote:
 No, cisco providing a time sensitive feature like this
 implies free upgrades to repair this critical defect.  Just like
 they give out free software to people without contracts when
 they have a major security vulnerability.
 
 Seems like this falls in the same category to me.

Analogies suck, but look at (for example) Norton AntiVirus.  You pay
for a year of virus definition updates.  Then when the year runs out,
Symantec is not going to give you a single new virus definition even
if there's a new worm around that dwarfs Sobig, Klez and all the other
viruses put together ...  I can see brand C following a similar
strategy with their bogon updates.

[and that's not a new thing I guess - every single virus that comes
down the pike is written up in the press as the worst and most
virulent virus yet]

-- 
Suresh Ramasubramanian ([EMAIL PROTECTED])

Re: Graphing Peering

2005-01-20 Thread [EMAIL PROTECTED]


On Wed, 2005-01-19 at 22:41, andrew matthews wrote:
 Anyone have any suggestions on graphing peering on a cisco router? I'm
 using mrtg and i did mac address accounting but the numbers are off.


off in what sense? We use mac-accounting, snmp nad mrtg to graph per
peer utilization. The following script is helpful

http://www.thiscow.com/dl/bgp-peers-1.5.pl

I reworked it to spit out the AS number instead of the ip address. The
issue you then have is that multiple sessions with one As number all
show as the same target. Which MRTG does not like. You can fix that as
well of course in the script. And it does not autoscan, which means
that if people change their mac-address, you lose the data, until you
rerun the script.

Another problem you might run into is counter wrapping. When polling
every 5 minutes, some counters may wrap. (there is no 64 bit counter for
the mac-address accounting). So you have to run it in short timeframes,
causing more cpu utilization.

But all in all, mac-accounting and Netflow source-as give you a very
good overview of your network flows.

Frank

Re: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19

2005-01-20 Thread Jared Mauch


On Thu, Jan 20, 2005 at 08:16:14PM +0530, Suresh Ramasubramanian wrote:
 On Thu, 20 Jan 2005 09:42:54 -0500, Jared Mauch [EMAIL PROTECTED] wrote:
  No, cisco providing a time sensitive feature like this
  implies free upgrades to repair this critical defect.  Just like
  they give out free software to people without contracts when
  they have a major security vulnerability.
  
  Seems like this falls in the same category to me.
 
 Analogies suck, but look at (for example) Norton AntiVirus.  You pay
 for a year of virus definition updates.  Then when the year runs out,

Yes, but this is protection of an end-host/end-node, not
a portion of the global internet infrastructure.  Bad features like
this and bad behaviour are serious issues when they cause these
ripple effects.  It's flat-out defective software to me.

This hurts Ciscos reputation that they are causing
pockets of the internet to not work.  Next subnets to get allocated
will increase the size of those pockets and so on.  Then the internet
will become less reliable as an end-to-end transport medium, hurting
*everyone*.

At minimum, cisco should be offering free software updates to
people who have the older releases through something simple like
a updated maint release of software (same ver they have running
but with *CORRECT* filters), but doing the minimum isn't
always the best thing as most of us know.  Providing a reliable
mechanisim for this to happen is important, and possibly something
that Cisco could productize and sell a for-fee monthly subscription for
(a bgp feed or somesuch like what Team CYMRU provides is an example)
but there are those (Hi Rob  Co.) doing it for free already, so
the key is getting the blackholes minimized that exist today.  If
there is software that I can download from CCO that hasn't
been deferred that has these old filters in it, Cisco is being a
poor net.citizen IMHO.

I'm not saying this to trash cisco, many people there know that,
but the important thing is insuring that the global internet isn't
further harmed, and as more allocations are done the harm becomes
greater and it hurts every single person in this industry, providers
and vendors alike.

- Jared

-- 
Jared Mauch  | pgp key available via finger from [EMAIL PROTECTED]
clue++;  | http://puck.nether.net/~jared/  My statements are only mine.

Re: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19

2005-01-20 Thread Fergie (Paul Ferguson)




...and it's not like ARIN, etc., does not announce to the
Internet community when it allocates from address space
which may have previously been listed in various operational
places as bogon or unalloacted -- they do.

I recall seeing similar announcements on the list from time
to time, suggesting due diligence on ARIN's behalf to notifying
people to modify their filtering. *plonk*

Scanning the archives, an example:

http://www.merit.edu/mail.archives/nanog/2004-01/msg00374.html

- ferg


-- Jared Mauch [EMAIL PROTECTED] wrote:

This hurts Ciscos reputation that they are causing
pockets of the internet to not work.  Next subnets to get allocated
will increase the size of those pockets and so on.  Then the internet
will become less reliable as an end-to-end transport medium, hurting
*everyone*.

--
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 [EMAIL PROTECTED] or
 [EMAIL PROTECTED]

Re: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19

2005-01-20 Thread David Barak



--- Suresh Ramasubramanian [EMAIL PROTECTED]
wrote:

 David Barak [EMAIL PROTECTED] wrote:
 
  While it says that bogon filters change, and
 provides
  a URL to check it, what percentage of folks who
 would
  use a feature like autosecure would ever update
  their filters?  
 
 
 What do they do to update that bogon list anyway -
 push a new IOS image?
 

That's a mighty fine question: the link I referenced
is the most recent I was able to find, and its list of
bogons is thoroughly out-of-date.  In the interest of
long-term reachability, I would call on Cisco to
remove the IANA-UNASSIGNED blocks from the autosecure
filters.

This will only get worse: consider how bad the GWF
problem is now with the antivirus-response-spam...



=
David Barak
Need Geek Rock?  Try The Franchise: 
http://www.listentothefranchise.com



__ 
Do you Yahoo!? 
Take Yahoo! Mail with you! Get it on your mobile phone. 
http://mobile.yahoo.com/maildemo

Re: Graphing Peering - Solution

2005-01-20 Thread Richard J. Sears


Take a look at http://jffnms.sourceforge.net

According to the Author whom I know very well it will do exactly what
you need it to do:

---SNIP---
Yes, JFFNMS has a specific system to do this.

Using MAC Accounting, we track each MAC address, using ARP its IP, and using 
BGP 
Table its ASN (by the IP).

So you will get MAC Accounting graphs labeled with the ASN you are peering.
SNIP-




On Wed, 19 Jan 2005 23:01:11 -0600
Kevin [EMAIL PROTECTED] wrote:

 
 On Wed, 19 Jan 2005 14:37:54 -0800, andrew matthews [EMAIL PROTECTED] wrote:
  no i mean graph bgp sessions...
  
  it's a single interface, and i want to graph every bgp session so i
  can see how much traffic i'm doing between each peer.
 
 If you are looking to graph statistics about the BGP peering sessions,
 (rather than graphing transit router bytes in/out as suggested elsewhere),
 you might take a look at the sample-config for the Cricket graphing tool,
 specifically ~cricket/cricket-1.0.4/sample-config/routing
 
 Unfortunately this graphs counts of BGP peering messages, not bytes.
 
 Cricket can track BGP route announcements,  including graphing counts
 (rates) of peer updates in/out along along with total BGP messages,
 for each peering session.  You could use Cricket itself to view the data,
 extract the collected data from 'rrdtool', or just look at the sources to
 get an idea of the requisite Cisco OIDs to use in another tool entirely.
 
 More information on Cricket is available from http://cricket.sourceforge.net/
 
 
 Kevin


**
Richard J. Sears
Vice President 
American Internet Services  

[EMAIL PROTECTED]
http://www.adnc.com

858.576.4272 - Phone
858.427.2401 - Fax
INOC-DBA - 6130


I fly because it releases my mind 
from the tyranny of petty things . . 


Work like you don't need the money, love like you've
never been hurt and dance like you do when nobody's
watching.

Router-switch-router peering module

2005-01-20 Thread Howard C. Berkowitz

I'm hunting for some presentations or papers on what I've seen called 
a peering module, using a router, a L2 switch, and a router in 
series, rather than a single router. Unfortunately, I can't remember 
where I saw the detailed description, and I haven't been able to find 
it in the NANOG archives.

IIRC, the rationale was to spread filtering and rate limiting over a 
set of processors, also to keep the configuations more manageable.

Does anyone have any pointers to detail?  I've seen the topology, but 
not a detailed discussion, in a couple of Cisco presentations.

Re: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19

2005-01-20 Thread Daniel Golding



Is there an RFC or other standards document that clearly states that static
bogon filter lists are a bad idea? While this seems like common sense, there
was just an RFC published on why IP addresses for specific purposes (like
NTP) shouldn't be encoded into hardware.

Using a dynamic feed needs to be codified so that it finds its way into
training classes, documentation, etc. Otherwise, this problem will recur
indefinitely.

- Dan 

On 1/20/05 10:18 AM, Fergie (Paul Ferguson) [EMAIL PROTECTED] wrote:

 
 
 
 ...and it's not like ARIN, etc., does not announce to the
 Internet community when it allocates from address space
 which may have previously been listed in various operational
 places as bogon or unalloacted -- they do.
 
 I recall seeing similar announcements on the list from time
 to time, suggesting due diligence on ARIN's behalf to notifying
 people to modify their filtering. *plonk*
 
 Scanning the archives, an example:
 
 http://www.merit.edu/mail.archives/nanog/2004-01/msg00374.html
 
 - ferg
 
 
 -- Jared Mauch [EMAIL PROTECTED] wrote:
 
 This hurts Ciscos reputation that they are causing
 pockets of the internet to not work.  Next subnets to get allocated
 will increase the size of those pockets and so on.  Then the internet
 will become less reliable as an end-to-end transport medium, hurting
 *everyone*.
 
 --
 Fergie, a.k.a. Paul Ferguson
  Engineering Architecture for the Internet
  [EMAIL PROTECTED] or
  [EMAIL PROTECTED]

Re: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19

2005-01-20 Thread Joe Maimon


David Barak wrote:
--- Suresh Ramasubramanian [EMAIL PROTECTED]
wrote:
 

David Barak [EMAIL PROTECTED] wrote:
   

While it says that bogon filters change, and
 

provides
   

a URL to check it, what percentage of folks who
 

would
   

use a feature like autosecure would ever update
their filters?  

 

What do they do to update that bogon list anyway -
push a new IOS image?
   

That's a mighty fine question: the link I referenced
is the most recent I was able to find, and its list of
bogons is thoroughly out-of-date.  In the interest of
long-term reachability, I would call on Cisco to
remove the IANA-UNASSIGNED blocks from the autosecure
filters.
 

I think the last time this was hashed out here, there was a consensus 
that Cisco should not be promoting a feature that uses a static list for 
blackholing. The problem is with now-good-bogons bad enough as it is, 
even with a presumably competent admin responsible for the setup.

Perhaps Cisco could couple this with a scheduled scp to a server of 
choice, preferably Cisco's,  for an update checking feature. At that 
point I would think perhaps it has a bit more + than - to it.

At any rate it should NOT be tied to IOS images, the vast majority of 
those never get upgraded. Make ACLS be able to parse their rules from a 
file stored wherever. Just like that new DHCP static bindings from text 
file feature.

Joe

Re: Graphing Peering

2005-01-20 Thread Daniel Golding


Andrew,

The 32 bit counters are a significant problem when using gigabit ethernet
public peering interfaces. Needless to say, MAC accounting was not designed
for gigabit speeds. Frequent polling is, sadly the only solution. If you
write your own scripts, make sure to account for counter wrapping.

- Dan

on 1/20/05 9:45 AM, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

 
 On Wed, 2005-01-19 at 22:41, andrew matthews wrote:
 Anyone have any suggestions on graphing peering on a cisco router? I'm
 using mrtg and i did mac address accounting but the numbers are off.
 
 
 off in what sense? We use mac-accounting, snmp nad mrtg to graph per
 peer utilization. The following script is helpful
 
 http://www.thiscow.com/dl/bgp-peers-1.5.pl
 
 I reworked it to spit out the AS number instead of the ip address. The
 issue you then have is that multiple sessions with one As number all
 show as the same target. Which MRTG does not like. You can fix that as
 well of course in the script. And it does not autoscan, which means
 that if people change their mac-address, you lose the data, until you
 rerun the script.
 
 Another problem you might run into is counter wrapping. When polling
 every 5 minutes, some counters may wrap. (there is no 64 bit counter for
 the mac-address accounting). So you have to run it in short timeframes,
 causing more cpu utilization.
 
 But all in all, mac-accounting and Netflow source-as give you a very
 good overview of your network flows.
 
 Frank

Re: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19

2005-01-20 Thread Rodney Dunn


I will check on this and get back with
you.

Rodney


On Thu, Jan 20, 2005 at 11:18:10AM -0500, Joe Maimon wrote:
 
 
 
 David Barak wrote:
 
 --- Suresh Ramasubramanian [EMAIL PROTECTED]
 wrote:
 
   
 
 David Barak [EMAIL PROTECTED] wrote:
 
 
 While it says that bogon filters change, and
   
 
 provides
 
 
 a URL to check it, what percentage of folks who
   
 
 would
 
 
 use a feature like autosecure would ever update
 their filters?  
 
   
 
 What do they do to update that bogon list anyway -
 push a new IOS image?
 
 
 
 
 That's a mighty fine question: the link I referenced
 is the most recent I was able to find, and its list of
 bogons is thoroughly out-of-date.  In the interest of
 long-term reachability, I would call on Cisco to
 remove the IANA-UNASSIGNED blocks from the autosecure
 filters.
 
 
   
 
 I think the last time this was hashed out here, there was a consensus 
 that Cisco should not be promoting a feature that uses a static list for 
 blackholing. The problem is with now-good-bogons bad enough as it is, 
 even with a presumably competent admin responsible for the setup.
 
 Perhaps Cisco could couple this with a scheduled scp to a server of 
 choice, preferably Cisco's,  for an update checking feature. At that 
 point I would think perhaps it has a bit more + than - to it.
 
 At any rate it should NOT be tied to IOS images, the vast majority of 
 those never get upgraded. Make ACLS be able to parse their rules from a 
 file stored wherever. Just like that new DHCP static bindings from text 
 file feature.
 
 Joe

Re: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19

2005-01-20 Thread Curtis Doty


11:02am Daniel Golding said:

 Is there an RFC or other standards document that clearly states that static
 bogon filter lists are a bad idea? While this seems like common sense, there

Since this keeps coming up. I'll toss my quick and dirty reminder cronjob 
into the discussion. I cannot imagine any other way of managing the static 
bogons published on the Team Cymru web site. (For those of us who don't 
need to run their many other dynamic options.) Copying a static config 
wholesale is a classic case of myopic thinking.

  $ cat /etc/cron.monthly/ckbogons.sh
  #!/bin/bash
  
  bnagg=http://www.cymru.com/Documents/bogon-bn-agg.txt
  
  # make a new bogon list from the web
  newbog=`mktemp` || exit 1
  wget -qO- $bnagg |awk '{print any net  $1 \treject}' $newbog
  
  # get current list from our static-route config
  oldbog=`sed -ne '/^any.*reject$/,/^$/p' /etc/sysconfig/static-routes`
  
  # commpare
  #echo $oldbog |cdiff - $newbog
  echo $oldbog |diff -uw - $newbog
  
  rm -f $newbog

Obviously it's for a linux edge using Red Hat style initscripts. But the 
basic gist is sound; alert the admin whenever we are out of sync. And an 
expect script could easily be whipped up for monitoring IOS/whatever other 
static bogons one has installed.

Admins who choose the *static* bogon list should use this technique of 
self-control.

../C

Re: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19

2005-01-20 Thread Vicky Rode

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
in-line:
Jared Mauch wrote:
| On Thu, Jan 20, 2005 at 06:26:15PM +0530, Suresh Ramasubramanian wrote:
|
|David Barak [EMAIL PROTECTED] wrote:
|
|While it says that bogon filters change, and provides
|a URL to check it, what percentage of folks who would
|use a feature like autosecure would ever update
|their filters?
|
|
|What do they do to update that bogon list anyway - push a new IOS image?
|
|
|   Actually, my assumption is anyone with autosecure gets
| free software upgrades for life, as this is a flexible list that
| will change over time.  Each time a change is made they
| need to release new software, and notify their installed
| customer base.
- ---
i understand bogon filters and reasoning behind it and i'm all for it.
but why does one think (maybe i missing something) this approach
(autosecure) is scalable and acceptable to update your ios or even
constantly updating your acls every time one has to update their bogon
filters? yet another think to look out for? i like to see the network
availability for aol, google, nasdaq, every time they update their bogons.
why can't this somehow be dynamically updated and /or linked to a
master file as opposed to upgrading the ios?
like to hear more thoughts on it.

regards,
/vicky
|
|   - jared
|
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.5 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFB7+ugpbZvCIJx1bcRApL0AJ0T2xb1ZHkxDSg0Ne3UwXqQ8z7xogCaA4rc
/An79+f9qmCKqfqkDsMH1wU=
=Sv6E
-END PGP SIGNATURE-

Apparently, some folks just don't get it
Richard Parker wrote:
... However, all domain holders
can directly monitor the status of their domain using the .com registry's
whois server - including whether or not their domain has a status of
registrar-lock. They do not have to rely on their registrar to tell them if
their domain is locked or not.

Now let's get this straight. You think that ISPs in general need to
assign staff to monitor the lock status of the hundreds or thousands
of registered domains of our subscribers.

Or that the subscribers, who typically aren't even on the whois
contacts list, should be monitoring the lock status, of which they
probably don't know (nor care) exists?
What are you smoking?
The whole locking mechanism was a poor design from the beginning.
It's opt-out. And we all are so fond of opt-out schemes, eh?
I don't think registrar-lock is a red-herring. In the wake of the panix.com
hijack holders of domain names are naturally going to want to know what they
can do to prevent something similar happening to them. The ability to
request registrar-lock is one the few defenses domain holders have.

Huh? What you are saying is maybe panix.com isn't at fault because
they had requested (or expected) registrar-lock, but they are at fault
because their registrar didn't properly lock it? Or at fault because
they didn't monitor the lock?
Stop blaming the victim!
The registrar-lock isn't a defense for the domain holder. Not one iota.
It was designed as a defense for the registrar.

And the registrar in this case is a victim as much as the domain holder.
Stop blaming the victim!
I haven't seen anyone on NANOG claim that Panix is not a victim. Clearly a
serious error occurred in the process Melbourne IT uses to authenticate
transfers. However, your analogies seem unnecessarily inflammatory.

Sometimes folks such as yourself need to be educated in clear, unambigous
terms that relate to life. And yet the lesson still hasn't taken hold:

Another analogy might be to describe Panix as a bank.

An analogy that is pretty far off, since the bank in this case would
be the REGISTRAR, not Panix.
And the registrar in this case is a victim as much as the domain holder.
Stop blaming the victim!
A personal responder wrote:
On Wed, Jan 19, 2005 at 09:35:21PM -0500, William Allen Simpson wrote:

(6) Stop blaming the victim!

Well, in this case, it appears that the victim is saying that it had
taken precautions... and I concur with whomever it was who said that if
the lock date on all their other domains is post-incident, that's
pretty strong circumstantial evidence that they hadn't requested a lock
(which is what we *mean* when we say customer locked that domain, so
kindly leggo that red herring).

You concur, without checking, and have no idea whomever it was that
speculated, nor how many domains are administered by panix or dotster?

You mean the REGISTRAR didn't lock the domain.
But the registrar in this case is a victim as much as the domain holder.
Stop blaming the victim!
So all we're *really* annoyed about here is that Bruce stepped up to
the plate, but Alexis (*reportedly*) won't. IMHO.

Huh? I've seen no such reports. On what do you base your speculation?
The only report that I've seen clearly says (Thu, 20 Jan 2005 16:56:41
+1100 quoting Sat, 8 Jan 2005 20:40:34 -0500):
(1) you have obtained the requisite authorization from the domain
name registrant listed in the database of the Current Registrar,

NO. Obviously not.
and (2) you have retained a copy of reliable evidence of the
authorization.

NO. Nothing described here.
Indeed, as for Mel-IT stepping up to the plate, we've seen only
contrary evidence here.

Sure Bruce seems to be a nice guy. So what? His staff wasn't
responding to phone calls. His boss wasn't responding, either. His lawyer was actively hostile.

Looks to me like Alexis is the one that got screwed. Certainly spent a
lot of time at the plate, many many hours!
So, let's go back to basics:
- If you leave your house unlocked, the thief still goes to jail.
- If you leave your car unlocked and the engine running, the thief
still goes to jail.
- If your bank leaves its doors unlocked and the safe open and all
the employees go to lunch, the thief still goes to jail.
Stop blaming the victim!
--
William Allen Simpson
Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32

Re: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19

2005-01-20 Thread David Barak



--- Chris A. Epler [EMAIL PROTECTED] wrote:

 
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 Jared Mauch wrote:
 
 | I'm not saying this to trash cisco, many people
 there know that,
 | but the important thing is insuring that the
 global internet isn't
 | further harmed, and as more allocations are done
 the harm becomes
 | greater and it hurts every single person in this
 industry, providers
 | and vendors alike.
 
 k, bit my tongue as much as I could...  But I gotta
 vent ;-P
 
 So, Cisco provides this 'AutoSecure' function and
 everyone jumps all
 over the static bogon list.  Why?  Hello?  The basic
 idea here is that
 it gets you decent out of the box setup defaults
 which you tailor after
 running it, right?  (NOTE: I haven't actually hit
 the AUTOSECURE button
 yet, just read a little about it)
 

Well, the problem is that the autosecure feature
introduces a static element (address filtering) into a
dynamic world (routing), in a way which is generally
considered set and forget.

The target audience for autosecure is people who don't
have their own security people on staff, thus ensuring
that the filters will get out of date, and cause
mysterious reachability issues (mysterious, that is,
because no one will think of looking for the problem
in the router...)


 Whats so bad about decent secure defaults?  I just
 see it as a shortcut
 to getting a router online, not a solution to
 security.  

Getting a router online is giving it an IP address. 
Translate from geek to English: when someone who is
not-so-technical hears autosecure the end result is
something like automatic transmission - i.e.
something which doesn't need to be played with except
once every few years.

 If you're
 implementing a new router and setting up Bogon
 filters 

The argument is that autosecure SHOULDN'T set up bogon
filters.

 you should
 already know that they'll need to be updated
 regularly and should
 replace the access list with a refreshed one using
 the autosecure
 configuration as a TEMPLATE that you work off of. 
 If you don't know
 this, then you shouldn't be in charge of said
 router.  Am I missing
 something here???

The primary audience for the autosecure feature is
people who really don't quite get routers.  No, they
don't have any business with enable, but do they have
it?  yes.



=
David Barak
Need Geek Rock?  Try The Franchise: 
http://www.listentothefranchise.com



__ 
Do you Yahoo!? 
Yahoo! Mail - Find what you need with new enhanced search.
http://info.mail.yahoo.com/mail_250

Re: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19

2005-01-20 Thread Rob Evans


 Whats so bad about decent secure defaults?

I don't consider a configuration that disenfranchises part of the
internet as decent [...] defaults. :)

Cheers,
Rob

Re: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19

2005-01-20 Thread joshua sahala


On (20/01/05 13:20), Chris A. Epler wrote:
 
 Whats so bad about decent secure defaults?  

 secure defaults are good...but there are other aspects of cisco ios which
 would be better suited to be disabled out of the box:  redirects, proxy 
 arp, tcp/udp small-servers, the lack of decent ssh (this is getting
 better), lack of receive acls on all but the big boxen, etc...these are a
 few things which would be better to have out of the box.

 If you're implementing a new router and setting up Bogon filters you 
 should already know that they'll need to be updated regularly

 read the beginning of this thread - people implement bogon filters
 without keeping them up to date already.  this is just another mechanism
 to do the same thing (but on a larger scale).

 If you don't know this, then you shouldn't be in charge of said router.
 Am I missing something here???

 in an ideal world, yes, this would be true; however we all know the
 reality of this.  there are already secure config templates available
 which people follow without actually knowing the implications of.  one
 more 'feature' in ios will go unnoticed by most, and thus will be left
 out of date...that was, i believe, jared's point.

/joshua
-- 

THIS .sig CENSORSED

Re: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19

2005-01-20 Thread Valdis . Kletnieks

On Thu, 20 Jan 2005 13:20:45 EST, Chris A. Epler said:

 Whats so bad about decent secure defaults?  I just see it as a shortcut
 to getting a router online, not a solution to security.  If you're
 implementing a new router and setting up Bogon filters you should
 already know that they'll need to be updated regularly and should
 replace the access list with a refreshed one using the autosecure
 configuration as a TEMPLATE that you work off of.  If you don't know
 this, then you shouldn't be in charge of said router.  Am I missing
 something here???

Only thing you're missing is that shouldn't be in charge of said router
describes a nice-to-dream-about but nonexistent state of affairs.

I'll go out on a limb and say that 3/4 of the Cisco routers in production use
are managed by unqualified network monkeys employed by the leaf sites. The fact
that they get one interface connected to their local LAN, and the other
interface connected to the fractional T-1 back to the ISP, and that packets
make it from the LAN to www.google.com and back is amazing enough. Expecting
them to do things like proper inbound bogon filtering and outbound 1918 egress
filtering is pushing it...

In other words, the only people who are likely to *use* the autosecure feature
are people who (a) will Get It Wrong (either at initial config, or failure to
update it regularly), (b) aren't reading this list anyhow (or any other
place where they're likely to see the Update your bogons mantra), and
(c) indeed shouldn't have enable.





pgpPCbuENUotj.pgp
Description: PGP signature

Enough. (was Re: panix hijack press)

2005-01-20 Thread Steve Gibbard


Ok.  I think at this point we all know there are problems with the domain
transfer process.  I suspect we can further agree that, as with many
serious problems, there were probably multiple contributing factors here.

I'd like to suggest that getting into a public screaming match or trying
to establish fault probably won't do anything useful, or at the very least
would be more productive if done in a court rather than on the NANOG list.

What might be more useful would be for those of you with a lot of time to
spend on this issue to come up with proposals for fixing or better
documentng the system, so that it will be more obvious how to avoid
problems like this in the future.

-Steve

On Thu, 20 Jan 2005, William Allen Simpson wrote:


 Apparently, some folks just don't get it


 Richard Parker wrote:

 ...  However, all domain holders
 can directly monitor the status of their domain using the .com registry's
 whois server - including whether or not their domain has a status of
 registrar-lock.  They do not have to rely on their registrar to tell them if
 their domain is locked or not.
 
 
 
 Now let's get this straight.  You think that ISPs in general need to
 assign staff to monitor the lock status of the hundreds or thousands
 of registered domains of our subscribers.

 Or that the subscribers, who typically aren't even on the whois
 contacts list, should be monitoring the lock status, of which they
 probably don't know (nor care) exists?

 What are you smoking?

 The whole locking mechanism was a poor design from the beginning.

 It's opt-out.  And we all are so fond of opt-out schemes, eh?

 I don't think registrar-lock is a red-herring.  In the wake of the panix.com
 hijack holders of domain names are naturally going to want to know what they
 can do to prevent something similar happening to them.  The ability to
 request registrar-lock is one the few defenses domain holders have.
 

 Huh?  What you are saying is maybe panix.com isn't at fault because
 they had requested (or expected) registrar-lock, but they are at fault
 because their registrar didn't properly lock it?  Or at fault because
 they didn't monitor the lock?

 Stop blaming the victim!

 The registrar-lock isn't a defense for the domain holder.  Not one iota.
 It was designed as a defense for the registrar.

 And the registrar in this case is a victim as much as the domain holder.

 Stop blaming the victim!

 I haven't seen anyone on NANOG claim that Panix is not a victim.  Clearly a
 serious error occurred in the process Melbourne IT uses to authenticate
 transfers.  However, your analogies seem unnecessarily inflammatory.
 
 
 
 Sometimes folks such as yourself need to be educated in clear, unambigous
 terms that relate to life.  And yet the lesson still hasn't taken hold:


 Another analogy might be to describe Panix as a bank.
 
 
 An analogy that is pretty far off, since the bank in this case would
 be the REGISTRAR, not Panix.

 And the registrar in this case is a victim as much as the domain holder.

 Stop blaming the victim!


 A personal responder wrote:

 On Wed, Jan 19, 2005 at 09:35:21PM -0500, William Allen Simpson wrote:
 
 
 (6) Stop blaming the victim!
 
 
 Well, in this case, it appears that the victim is saying that it had
 taken precautions... and I concur with whomever it was who said that if
 the lock date on all their other domains is post-incident, that's
 pretty strong circumstantial evidence that they hadn't requested a lock
 (which is what we *mean* when we say customer locked that domain, so
 kindly leggo that red herring).
 
 
 
 You concur, without checking, and have no idea whomever it was that
 speculated, nor how many domains are administered by panix or dotster?

 You mean the REGISTRAR didn't lock the domain.

 But the registrar in this case is a victim as much as the domain holder.

 Stop blaming the victim!

 So all we're *really* annoyed about here is that Bruce stepped up to
 the plate, but Alexis (*reportedly*) won't.  IMHO.
 
 
 
 Huh?  I've seen no such reports.  On what do you base your speculation?

 The only report that I've seen clearly says (Thu, 20 Jan 2005 16:56:41
 +1100 quoting Sat, 8 Jan 2005 20:40:34 -0500):

   (1) you have obtained the requisite authorization from the domain
   name registrant listed in the database of the Current Registrar,

 NO.  Obviously not.

   and (2) you have retained a copy of reliable evidence of the
   authorization.

 NO.  Nothing described here.

 Indeed, as for Mel-IT stepping up to the plate, we've seen only
 contrary evidence here.

 Sure Bruce seems to be a nice guy.  So what?  His staff wasn't
 responding to phone calls.  His boss wasn't responding, either.  His lawyer 
 was actively hostile.


 Looks to me like Alexis is the one that got screwed.  Certainly spent a
 lot of time at the plate, many many hours!

 So, let's go back to basics:

  - If you leave your house unlocked, the thief still goes to jail.

  - If you leave your car unlocked

Re: broke Inktomi floods?

2005-01-20 Thread Dan Hollis


On Thu, 20 Jan 2005, Suresh Ramasubramanian wrote:
 On Thu, 20 Jan 2005 14:30:04 +0200, Gadi Evron [EMAIL PROTECTED] wrote:
  Inktomi (now Yahoo!) sends it's spiders all over the Internet. Lately
  some of our systems are reporting that they open many HTTP connections
  to our web sites, without ever sending any data and immediately
  disconnecting. This is getting to a level where it disturbs us.
 I have heard previous stories of inktomi ignoring robots.txt (not seen
 this for myself though).  And there are threads like this -
 Quoting from http://www.webmasterworld.com/forum11/1968-1-15.htm

back in 1999 inktomi hammered our nameserver (which never has, and never 
will run http. ever.) After _weeks_ of complaining to them and to their 
upstream exodus (hah!) I finally got them to stop. Only to have them 
start up again a month later.

not suprising to see them up to their old antics again.

time to nullroute i guess?

-Dan

Re: broke Inktomi floods?

2005-01-20 Thread Vicky Rode

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
not sure if spiders falls under spam or ddos bracket when they
repeatedly start hammering one's network. you could possible report to
spamcop (*grin*) to get a quicker response. spamcom hasn't been accurate
in some instances :-)
do you remember this incident, http://www.cs.wisc.edu/~plonka/netgear-sntp/

regards,
/vicky
Dan Hollis wrote:
| On Thu, 20 Jan 2005, Suresh Ramasubramanian wrote:
|
|On Thu, 20 Jan 2005 14:30:04 +0200, Gadi Evron [EMAIL PROTECTED] wrote:
|
|Inktomi (now Yahoo!) sends it's spiders all over the Internet. Lately
|some of our systems are reporting that they open many HTTP connections
|to our web sites, without ever sending any data and immediately
|disconnecting. This is getting to a level where it disturbs us.
|
|I have heard previous stories of inktomi ignoring robots.txt (not seen
|this for myself though).  And there are threads like this -
|Quoting from http://www.webmasterworld.com/forum11/1968-1-15.htm
|
|
| back in 1999 inktomi hammered our nameserver (which never has, and never
| will run http. ever.) After _weeks_ of complaining to them and to their
| upstream exodus (hah!) I finally got them to stop. Only to have them
| start up again a month later.
|
| not suprising to see them up to their old antics again.
|
| time to nullroute i guess?
|
| -Dan
|
|
|
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.5 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFB8DFOpbZvCIJx1bcRAu2FAJ4+a2SHF7XxWgaHKFZzi7hf46tJFwCfcU12
fbIMwtwkPhI33onPawlBKYE=
=P+y0
-END PGP SIGNATURE-

Ability to use and monitor LOCK status



 However, that still looks to me like Users can only ask that 
 domains be locked.  Unless you are claiming that users can 
 send the lock request directly to the registry, and monitor 
 its status.

Only a registrar can send commands directly the registry.  

Different registrars offer different services.  Most are now offering
the ability for customer to put a name on Lock, and remove a name from
lock using the normal online maintenance tools.

The status of LOCK is published in the Registry WHOIS service, although
this display is not in real-time (ie believe it is updated once a day).

Registrars have real-time access to the lock status of a name under
their management.

Regards,
Bruce

RE: improving the registrar transfer process


Hello William,

 
 We know how to do 3-way handshakes.  Rather a fundamental of 
 the Internet.  So quickly folks forget
 
 We knew in advance that the VRSN/NetSol/whatever protocol was 
 terrible, and that the ICANN policy change was not going to 
 be helpful.

The ICANN policy change had no impact on this particular incident.

As the incident has been documented so far, the transfer would have
occurred under both the old and the new policy.

With respect to the protocol.  An IETF process was used to develop the
EPP protocol as a replacement for RRP.

With respect to notifications of transfers, the new protocol handles
this by a message queue at the registry.   (ie email is no longer the
mechanism).

It might be useful to consider reviewing the protocol to ensure that a
transfer cannot proceed unless the losing registrar system confirms
receipt of the transfer request.

Regards,
Bruce

RE: improving the registrar transfer process



  
  Accountability.  Responsibility.
 
 I agree with you on this 100%.  ICANN needs to enforce there 
 current policies.  

I agree too.

 Look at totalnic/pacnames.  They have been 
 refusing transfer requests years now until very very recent.  
 What has ICANN done about all those complaints and violations 
 that has been well documented?
 nothing!
 
 ICANN needs to stop just accepting money and start enforcing 
 policies...
 


Interestingly, the ICANN equivalent in Australia (auDA), does
pro-actively enforce policies, and even took Capital Networks to court
on the basis that they could be de-accredited as a registrar for .au, if
they continued not to allow transfers for .com.

See:

http://www.austlii.edu.au/au/cases/cth/FCAFC/2004/324.html

The original judgment is at:

http://www.austlii.edu.au/au/cases/cth/federal_ct/2004/808.html

RE: improving the registrar transfer process

2005-01-20 Thread Thornton


On Fri, 2005-01-21 at 10:28 +1100, Bruce Tonkin wrote:

 Interestingly, the ICANN equivalent in Australia (auDA), does
 pro-actively enforce policies, and even took Capital Networks to court
 on the basis that they could be de-accredited as a registrar for .au, if
 they continued not to allow transfers for .com.
 
 See:
 
 http://www.austlii.edu.au/au/cases/cth/FCAFC/2004/324.html
 
 The original judgment is at:
 
 http://www.austlii.edu.au/au/cases/cth/federal_ct/2004/808.html
 
 
yes they did. now pacnames in another country supposedly bought
capital...  at least they are allowing you to transfer away this time
though

auDA being proactive is good...now its time icann is...

Re: Gtld transfer process

2005-01-20 Thread Matt Larson


On Wed, 19 Jan 2005, Bruce Tonkin wrote:
   (5) The registry will send a message to the losing registrar 
   confirming that a transfer has been initiated.
  
  Can you confirm or deny whether this actually happened in the 
  case of the panix.com transfer?
 
 I don't have any direct visibility over this.
 I have asked Verisign and Dotster if they can confirm.
 
 My personal view is that I think it unlikely that this part of the
 system failed.
 
 Note however that Verisign would send the message via email to Dotster.
 Verisign could prove that they sent the email, but it is possible that
 it was not delivered.

I'd like to make a few comments about the panix.com transfer issue.

First, I can confirm that the panix.com domain was not in registrar
lock status at the time of the transfer.

Second, VeriSign did indeed send a transfer email to Dotster.  The
logs below show the message to Melbourne IT that Bruce already posted
as well as the corresponding message to Dotster:

  To Melbourne IT:
  Jan  8 20:40:34 imx2 sendmail[19959]: j091eXp7019959:
  from=[EMAIL PROTECTED], size=1432, class=0, nrcpts=1,
  msgid=[EMAIL PROTECTED], proto=SMTP,
  daemon=MTA, relay=dump.pvt.dr.verisign-grs.net [172.26.148.34] Jan  8
  20:40:35 imx2 sendmail[19977]: j091eXp7019959:
  to=[EMAIL PROTECTED], delay=00:00:01,
  xdelay=00:00:01, mailer=esmtp, pri=30130,
  relay=prod.internetnamesww.com. [203.27.227.115], dsn=2.0.0, stat=Sent
  (2.0.0 j091eYgt003545 Message accepted for delivery)

  To Dotster:
  Jan  8 20:40:34 imx2 sendmail[19959]: j091eXp9019959:
  from=[EMAIL PROTECTED], size=1113, class=0, nrcpts=1,
  msgid=[EMAIL PROTECTED], proto=SMTP,
  daemon=MTA, relay=dump.pvt.dr.verisign-grs.net [172.26.148.34] Jan  8
  20:40:35 imx2 sendmail[19979]: j091eXp9019959:
  to=[EMAIL PROTECTED], delay=00:00:01, xdelay=00:00:01,
  mailer=esmtp, pri=30122, relay=mailgwca01.rightnowtech.com.
  [216.136.229.28], dsn=2.0.0, stat=Sent (2.6.0 Ok, id=31930-07, from
  MTA:
  250 Ok: queued as BF1E258415)

Third, every day VeriSign publishes a report for each registrar that
shows, among other things, a list of pending outbound transfers.  We
have confirmed that panix.com appeared on Dotster's daily report as a
pending outbound transfer for five days.  (We cannot publish Dotster's
reports without Dotster's permission.)

Finally, there were many people here at VeriSign working behind the
scenes over the weekend on this issue.  Our ability to act
unilaterally is constrained as we follow the process within the
consensus policy for transfers--I hope everyone can understand and
appreciate this.  But we can focus our efforts on opening
communications and working toward a resolution among the all parties.
That's what happened last weekend: Martin Hannigan and I got the ball
rolling on Sunday morning about 1000 EST.  Our 24x7 customer service
department contacted Dotster and Melbourne IT.  Melbourne IT changed
the panix.com name servers back to their original settings and
transferred the domain back to Dotster.

Matt
--
Matt Larson [EMAIL PROTECTED]
VeriSign Naming and Directory Services

Re: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19

2005-01-20 Thread Rob Thomas


Hi, NANOGers.

Will makes an excellent point here:

] I beg to differ -  3/4 of the Cisco routers in (enterprise) production are
] *unmaintained*. These will have a variety of vulnerable, buggy or just plain
] crap IOS versions and no-one would've even considered upgrading for years.

While I don't have any numbers, I can say that we see a LOT of
routers overtly compromised and modified as a result.  The
modifications are generally scripted, and include changing the
passwords (to anything but cisco), disabling logging, and
adding filters.  You'd think such things would be rather
obvious, and they are, yet no one notices.

Most of these compromised routers are at the end of FR or
frac-T connections.  I suspect a great many of them were
configured once, then left to rot with the same code and
configuration for years and years.

Thanks,
Rob.
-- 
Rob Thomas
http://www.cymru.com
Shaving with Occam's razor since 1999.

RE: Gtld transfer process


Hello Mark,

 That's what happened last weekend: Martin Hannigan and I got 
 the ball rolling on Sunday morning about 1000 EST.  Our 24x7 
 customer service department contacted Dotster and Melbourne 
 IT.  Melbourne IT changed the panix.com name servers back to 
 their original settings and transferred the domain back to Dotster.
 

I can confirm that Verisign did get in touch with our Production Manager
(Peter Berry) around 1pm Sunday (New York time), and our Reseller
Program Manager (Steve Karabatsos) around 4:30pm Sunday (New York time).

We were contacted previously by Panix around 5pm Saturday (New York
time).

I believe that Verisign complied with all their obligations with respect
to the ICANN transfer policy, and Verisign was very cooperative in
assisting us with the issue.

Regards,
Bruce

Re: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19

2005-01-20 Thread Charles R. Anderson


On Fri, Jan 21, 2005 at 12:55:45AM +, Will Hargrave wrote:
 If filters depend on IOS upgrades then those filters are there to stay.

Perhaps the feature/filters ought to have an expiration date/TTL.

Re: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19


Chris A. Epler [EMAIL PROTECTED] wrote:

 Whats so bad about decent secure defaults?  I just see it as a shortcut

Nothing at all as long as they remain decent.

New /8s getting allocated every few months make it positively indecent.

srs

Re: broke Inktomi floods?


Vicky Rode [EMAIL PROTECTED] wrote:

 not sure if spiders falls under spam or ddos bracket when they
 repeatedly start hammering one's network. you could possible report to
 spamcop (*grin*) to get a quicker response. spamcom hasn't been accurate
 in some instances :-)

Er.. just what would you report to spamcop, and what would spamcop do with your
reports?

 do you remember this incident, http://www.cs.wisc.edu/~plonka/netgear-sntp/

Not very new .. broken apps which keep hammering on a resource for some reason
are a fairly regular feature of the internet.

srs

RE: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19


  Whats so bad about decent secure defaults?

 I don't consider a configuration that disenfranchises part of the
 internet as decent [...] defaults. :)

The big problem that we're experiencing here is that the big telco
ISP's, network providers and managed service providers that should have
something better than a 'network monkey' running their routers are
having BOGON filtering problems.  

We diagnosed a problem getting to east cost government sites and in
working with SAVVIS, we corrected problems in a matter of hours.  This
has been the only positive progress we've made in unblackholing out
network segment.  We're going on day number 4 trying to get SBC to fix
'managed' local government routers.

To tell you the truth, the little leaf nodes that have a corporation
without world-accessible resources behind their router are
unconsequential to us -- let them filter on old BOGON lists -- our
customers need to be able to get to the resources that are behind the
huge networks that are maintained by companies much larger than ours
that are running out of date filters.

Why more people don't use resources like what Cymru offer is beyond
me...


James Laszko
Pipeline Communications, Inc.
[EMAIL PROTECTED]

RE: Gtld transfer process

2005-01-20 Thread Jim Popovitch



 I can confirm that * did get in touch with our Production 
 Manager (*) around 1pm Sunday 


What I want to know, as a customer of a domain registrar and a holder of
many domains, is why wasn't the person/company paying for the domain
contacted through out this process?  It seems to me that the majority of
the communicationswas between people who contributed nothing to the
domain and had nothing to loose by corruption of the domain.

Clearly, in my mind, the process seems broken.  Abounding apologies do
nothing to assure my concerns that this problem will re-occur.  I
sincerely doubt that the outcome would be as quick and complete if the
domain in question wasn't as substantial as panix.com.  

-Jim P.

Re: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19

2005-01-20 Thread Chris Kuethe


On Thu, 20 Jan 2005 21:14:12 -0800, James Laszko [EMAIL PROTECTED] wrote:
 ...
 Why more people don't use resources like what Cymru offer is beyond
 me...

Not-Invented-Here syndrome?

-- 
GDB has a 'break' feature; why doesn't it have 'fix' too?

RE: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19

2005-01-20 Thread Christopher L. Morrow



On Thu, 20 Jan 2005, James Laszko wrote:


   Whats so bad about decent secure defaults?

  I don't consider a configuration that disenfranchises part of the
  internet as decent [...] defaults. :)

 The big problem that we're experiencing here is that the big telco
 ISP's, network providers and managed service providers that should have
 something better than a 'network monkey' running their routers are
 having BOGON filtering problems.

 We diagnosed a problem getting to east cost government sites and in
 working with SAVVIS, we corrected problems in a matter of hours.  This
 has been the only positive progress we've made in unblackholing out
 network segment.  We're going on day number 4 trying to get SBC to fix
 'managed' local government routers.

you do understand that for SBC (or anyone who manages customer devices) to
make a change:
1) the customer has to be notified of the change and given a reason for
the change
2) the customer has to agree to the change (presumably they also have to
actually be contacted a task of it's own at times)
3) the change has to be scheduled into a maint window
4) the procedures and maintenance changes probably have to be checked over
with the 'network monkey' (as you put it) and customer
5) change happens, for 1 customer...

Wash, rinse, repeat for the other 70,000 routers you manage for
customers... This is definitely NOT a half-rack in a colo fix. Just
contacting the customers is a feat.

-Chris

RE: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19


 Wash, rinse, repeat for the other 70,000 routers you manage for
 customers... This is definitely NOT a half-rack in a colo fix. Just
 contacting the customers is a feat.

In the same hand, do you know how hard it was to get in touch with
someone at SBC/SBC-IS/PBI/PacBell that knew what the heck I was talking
about -- much less someone that might be able to do something about it?
Every group wanted to point their finger at some other group in the
company...




James Laszko
Pipeline Communications, Inc.
[EMAIL PROTECTED]

RE: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19



 Wash, rinse, repeat for the other 70,000 routers you manage for
 customers... This is definitely NOT a half-rack in a colo fix. Just
 contacting the customers is a feat.


And I completely agree that it's a big pain to coordinate this.  In the
same hand, SBC and all other 'big' providers use BGP to dynamically
update their routing tables.  Their BOGON filtering should use the same
sort of mechanism.  If they're not going to use something like the Cymru
BOGON BGP feed they should build their own and should have configured
their managed routers to query that from the beginning.  As more
old-BOGON IP's come into play, more and more of the Internet is going to
'fall off' to these legacy route access list restricted routers.

As much as I would have liked to coin the term 'network monkey', I read
it in this thread by someone much more creative than I.  :-)



James Laszko
Pipeline Communications, Inc.
[EMAIL PROTECTED]

Re: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19

2005-01-20 Thread Valdis . Kletnieks

On Fri, 21 Jan 2005 00:55:45 GMT, Will Hargrave said:

 I beg to differ -  3/4 of the Cisco routers in (enterprise) production are 
 *unmaintained*. These will have a variety of vulnerable, buggy or just plain 
 crap IOS versions and no-one would've even considered upgrading for years.

Oh.. I was including all the sites where a secretary saw somebody power cycle
the box and it fixed the problem, so that's what they do when they have a
problem. It's the rare site that can't even scare up somebody who knows how
to power cycle the box while dancing widdershins 3 times around the box while
waving a dead chicken



pgpxUfvMrZCcZ.pgp
Description: PGP signature

RE: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19

2005-01-20 Thread Christopher L. Morrow




On Thu, 20 Jan 2005, James Laszko wrote:


  Wash, rinse, repeat for the other 70,000 routers you manage for
  customers... This is definitely NOT a half-rack in a colo fix. Just
  contacting the customers is a feat.


 And I completely agree that it's a big pain to coordinate this.  In the
 same hand, SBC and all other 'big' providers use BGP to dynamically
 update their routing tables.  Their BOGON filtering should use the same

BGP holds destination info, the problem filters you speak of are MOST
PROBABLY not BGP related at all, they are likely interface filters of the
form:

access-list 100 deny ip 0.0.0.0 0.255.255.255 any

(assuming a cisco box of course, and this is a single line, hopefully they
permit the customer network to get something as a last line in the acl)

 sort of mechanism.  If they're not going to use something like the Cymru
 BOGON BGP feed they should build their own and should have configured
 their managed routers to query that from the beginning.  As more

This is impractical as the afore-mentioned 70,000 routers are likely not
bgp capable (not all atleast, why buy that feature when all it'll ever do
is static and conencted routes?).

 old-BOGON IP's come into play, more and more of the Internet is going to
 'fall off' to these legacy route access list restricted routers.


Perhaps they will see the problems and move to a better solution, perhaps
their customers will ask for filter adjustments as these new pesky /8's
you speak of are 'released' for people to use... what's an ip address
again? :(

 As much as I would have liked to coin the term 'network monkey', I read
 it in this thread by someone much more creative than I.  :-)


Either way, it's not the monkeys in this case most likely. I'd bet at the
least there is the issue of getting in touch with the customer, and
initiatinng change at his/her/their request... why 'fix' something that
isn't broken? there are hundreds of thousands of 2511's out there with 2MB
of flash and 11.2 code still running on them. These will NEVER be upgraded
to anything 'new' because cost to upgrade includes upgrading the hardware
at 3k minimum per box... not to mention outages for customers who 'dont
see a problem today' and don't like outages.

-Chris

RE: improving the registrar transfer process

2005-01-20 Thread william(at)elan.net



On Fri, 21 Jan 2005, Bruce Tonkin wrote:

  We know how to do 3-way handshakes.  Rather a fundamental of 
  the Internet.  So quickly folks forget
 
 The ICANN policy change had no impact on this particular incident.
 
 As the incident has been documented so far, the transfer would have
 occurred under both the old and the new policy.

I think it would be helpfull if you explain what steps are involved in 
domain transfer process (to your registrar) and its authorization, i.e. 
something like
 1. MIT receives transfer request from reseller
 2. MIT sends email confirmation to whois contact (which contact - tech, 
admin?)
 3. MIT sends email (or is it request through Verisign RRP?) to Verisign
 4. MIT waits for such and such action...
 etc.

I also would like to confirm who is responsible for denying transfer 
request if LOCK is present. Is Registry supposed to do it automaticly
or is it responsibility of losing registrar to actively deny the request
if they have put lock on domain?

-- 
William Leibzon
Elan Networks
[EMAIL PROTECTED]

RE: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19

2005-01-20 Thread Christopher L. Morrow



On Thu, 20 Jan 2005, James Laszko wrote:

  Wash, rinse, repeat for the other 70,000 routers you manage for
  customers... This is definitely NOT a half-rack in a colo fix. Just
  contacting the customers is a feat.

 In the same hand, do you know how hard it was to get in touch with
 someone at SBC/SBC-IS/PBI/PacBell that knew what the heck I was talking
 about -- much less someone that might be able to do something about it?
 Every group wanted to point their finger at some other group in the
 company...

Sure, start with the customer and convince them that there is a problem.
SBC has, like
sprint/att/mci/qwest/abovenet/blah-provider-of-managed-services 12 groups
that do 'similar' things for 'managed customers'. Fighting their phone
tree as a non-customer is a fruitless effort. Fighting the phone-tree for
gov't agency #13 to let them know that some of their 'customers' aren't
able to reach them might prove simpler.

-Chris

RE: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19

2005-01-20 Thread Hank Nussbacher


On Thu, 20 Jan 2005, James Laszko wrote:

 sort of mechanism.  If they're not going to use something like the Cymru
 BOGON BGP feed they should build their own and should have configured
 their managed routers to query that from the beginning.  As more

How would this scale for say 200K routers?  2M?  -Hank

FW: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19



We've had complaints from people at the other side of Broadwing
connections -- anyone here from Broadwing?  Looks like you may even be
stripping 72.0.0.0/8 from BGP announcements.




James Laszko
Pipeline Communications, Inc.
[EMAIL PROTECTED]


-Original Message-
From: Christopher L. Morrow [mailto:[EMAIL PROTECTED] 
Sent: Thursday, January 20, 2005 9:55 PM
To: James Laszko
Cc: Rob Evans; Chris A. Epler; nanog@merit.edu
Subject: RE: Please Check Filters - BOGON Filtering IP Space
72.14.128.0/19


On Thu, 20 Jan 2005, James Laszko wrote:

  Wash, rinse, repeat for the other 70,000 routers you manage for
  customers... This is definitely NOT a half-rack in a colo fix. Just
  contacting the customers is a feat.

 In the same hand, do you know how hard it was to get in touch with
 someone at SBC/SBC-IS/PBI/PacBell that knew what the heck I was
talking
 about -- much less someone that might be able to do something about
it?
 Every group wanted to point their finger at some other group in the
 company...

Sure, start with the customer and convince them that there is a problem.
SBC has, like
sprint/att/mci/qwest/abovenet/blah-provider-of-managed-services 12
groups
that do 'similar' things for 'managed customers'. Fighting their phone
tree as a non-customer is a fruitless effort. Fighting the phone-tree
for
gov't agency #13 to let them know that some of their 'customers' aren't
able to reach them might prove simpler.

-Chris

RE: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19