Sticky Bogons
a little help ... - Forwarded by Joe Loiacono/CIV/CSC on 01/11/2006 10:51 AM - Dong Yan dongyan @cnnic.cn Sent by: apnic-talk-bounces 01/09/2006 10:17 PM To: [EMAIL PROTECTED], [EMAIL PROTECTED] cc: Chen Tao [EMAIL PROTECTED], Xiangjian Li [EMAIL PROTECTED] Subject: Re: [apnic-talk] [Apnic-announce] APNIC new IPv4 addresses(121/8and122/7) The same issue from China. One of our member got a block /17 from 125/8, this block caused many web-accessing problems, which annoyed our member very much. This time, when they came back for subsequent IPv4 application, they pointed out clearly they do not want to get any block in 125/8 or even newer /8. Any doable suggestion and action from APNIC and all members in AP region will be helpfull. Dong Yan CNNIC - Original Message - From: Skeeve Stevens [EMAIL PROTECTED] To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED] Sent: Monday, January 09, 2006 5:08 PM Subject: RE: [apnic-talk] [Apnic-announce] APNIC new IPv4 addresses (121/8and122/7) Just an opinion... But as someone who is currently experiencing the pain of using a /19 in 125/8 at present and have our customers suffering greatly, I think APNIC needs to do something better to be approaching the bogon list managers and perhaps giving notice of 6 months or some such that these ranges will be used so the pain will be a lot less. ..Skeeve -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tran Sent: Monday, 9 January 2006 3:15 PM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: [apnic-talk] [Apnic-announce] APNIC new IPv4 addresses (121/8 and122/7) Dear colleagues APNIC received IPv4 address blocks 121/8 and 122/7 from IANA in January 2006 and will be making allocations from these ranges in the near future. This announcement is being made for the information of the Internet community so that network configurations such as routing filters may be updated as appropriate. For more information on the resources administered by APNIC, see: http://www.apnic.net/db/ranges.html For information on the minimum allocation sizes within address ranges administered by APNIC, see: http://www.apnic.net/db/min-alloc.html Kind regards Son Resources Services Manager [EMAIL PROTECTED] Asia Pacific Network Information Centre phone: +61 7 3858 3100 http://www.apnic.net fax: +61 7 3858 3199 Helpdesk phone: +61 7 3858 3188 email: [EMAIL PROTECTED] Please send Internet Resource Requests to [EMAIL PROTECTED] _ ___ Apnic-announce mailing list [EMAIL PROTECTED] http://mailman.apnic.net/mailman/listinfo/apnic-announce ___ apnic-talk mailing list [EMAIL PROTECTED] http://mailman.apnic.net/mailman/listinfo/apnic-talk iBurst Wireless Broadband from $34.95/month www.platformnetworks.net Forward undetected SPAM to: [EMAIL PROTECTED] ___ apnic-talk mailing list [EMAIL PROTECTED] http://mailman.apnic.net/mailman/listinfo/apnic-talk ___ apnic-talk mailing list [EMAIL PROTECTED] http://mailman.apnic.net/mailman/listinfo/apnic-talk
Re: Reporting botnets?
There are companies/products that specialize in mitigating CC traffic in a fairly elegant manner. One specific one that we've had good experiences with is Mainnerv's Darknet product. They deploy a box on the network, interfacing with your enterprise via a BGP peer, which issues a handful of routes to actively blackhole, intercept, and analyzer traffic to known CC's that are being actively tracked. That part isn't too exotic, their strength lies in the good intelligence processes on their side, for maintaining their blackhole listing. The implementation impact is minimal and trojan outbreaks are generally stopped dead even as the compromise is taking effect. As a proactive measure, it's a fast way to spot compromised machines within your network even as the malignant activity is mitigated. - billn On Tue, 10 Jan 2006, Martin Hannigan wrote: Please advise, where to can I report botnet control activities? I'm from overseas and interested if there are some law enforcement organizations in US who may handle these issues? I assume it is illegal business in US, and I have enough evidence how botnet control sites command our trojaned customer PC's to send spam and activate DDoS attacks. I think your best bet is to report it first to your local authorities and then report it to the ISP that the CC is sitting on. There are techniques that have been established over time and a few things you can do to mitigate, at least temporarily, (1) identify it and any others (2) make sure that taking action won't cause collateral damage or important stuff runs on it and blackhole it, (3) contact the dns provider and ask them to (a) lock out the user, (b) extend the TTl to the max that their software allows, (c) change the CC resolution to 127.0.03. That will at least do some level of mitigation and allow you to clean up the mess while you figure out how you want to pursue it. I'm sure you'll also hear from some people on this list who can assist. Botnets are a dime a dozen. It's good to kill the CC's and it's good to report them to LEA's, but from there, all bets are off. I believe any action would depend on exactly what they were doing with them. For example, if it's a bunch of skiddies fighting over who controls an iRC channel and they are DDOS'ing each other, well, that may not get much attention. Hope that helps. -M
Re: Sticky Bogons
On Wed, 11 Jan 2006 10:50:52 EST, Joe Loiacono said: a little help ... ... The same issue from China. One of our member got a block /17 from 125/8, this block caused The only thing likely to help is a baseball bat (although a cricket bat will probably serve in a pinch, and you're from that part of the world). Seriously. We've been having this *SAME* problem since we started allocating from 68/8 or 69/8. If sites *still* haven't figured out yet how to get their bogon filters maintained, they need to have Team Cymru's address tattooed onto their skulls with a baseball bat. pgpBbeWXCOSbC.pgp Description: PGP signature
do bogon filters still help?
Every time IANA allocates new prefixes, we're treated to complaints about sites that are not reachable because they're in the new space and some places haven't updated their bogon filters. My question is this: have we reached a point where the bogon filters are causing more pain than they're worth? The Team Cymru web page (http://www.cymru.com/Bogons/index.html) gives some justification, but I think the question should be revisited. First, as the page (and the associated presentation) note, most of the benefit comes from filtering obvious stuff -- 0/8, 127/8, and class D and E source addresses. Second, the study is about 5 years old, maybe more; attack patterns have changed since then. Third, considerably more address space has been allocated; this means that the percentage of address space that can be considered bogus is significantly smaller. Possibly, there are more sites doing edge filtering, but I'd hate to count on that. So -- I'd like people to re-examine the question. Does anyone have more recent data on the frequency of bogons as a percentage of attack packets? What would that number look like if you filtered just the obvious -- the ranges given above, plus the RFC 1918 prefixes? Are your defenses against non-spoofed attacks really helped by the extra filtering? --Steven M. Bellovin, http://www.cs.columbia.edu/~smb
Re: do bogon filters still help?
Hi, Steve. ] So -- I'd like people to re-examine the question. Does anyone have more ] recent data on the frequency of bogons as a percentage of attack ] packets? What would that number look like if you filtered just the ] obvious -- the ranges given above, plus the RFC 1918 prefixes? Are ] your defenses against non-spoofed attacks really helped by the extra ] filtering? Great question, and we're eager to hear the results as well. Our study is well past its prime, to be sure. Thanks, Rob. -- Rob Thomas Team Cymru http://www.cymru.com/ ASSERT(coffee != empty);
Re: do bogon filters still help?
No data, but I thought I should add...RFC 3330 Special-Use IPv4 Addresses lists the obvious stuff. I just went through an exercise in de-bogonizing and needed that reference. [http://www.ietf.org/rfc/rfc3330.txt] Be careful though. It lists 24.0.0.0/8 as special, explaining that this went to cable operators (and eventually administered via ARIN). So don't just use the Summary Table in section 3 blindly. At 13:03 -0500 1/11/06, Steven M. Bellovin wrote: Every time IANA allocates new prefixes, we're treated to complaints about sites that are not reachable because they're in the new space and some places haven't updated their bogon filters. My question is this: have we reached a point where the bogon filters are causing more pain than they're worth? The Team Cymru web page (http://www.cymru.com/Bogons/index.html) gives some justification, but I think the question should be revisited. First, as the page (and the associated presentation) note, most of the benefit comes from filtering obvious stuff -- 0/8, 127/8, and class D and E source addresses. Second, the study is about 5 years old, maybe more; attack patterns have changed since then. Third, considerably more address space has been allocated; this means that the percentage of address space that can be considered bogus is significantly smaller. Possibly, there are more sites doing edge filtering, but I'd hate to count on that. So -- I'd like people to re-examine the question. Does anyone have more recent data on the frequency of bogons as a percentage of attack packets? What would that number look like if you filtered just the obvious -- the ranges given above, plus the RFC 1918 prefixes? Are your defenses against non-spoofed attacks really helped by the extra filtering? --Steven M. Bellovin, http://www.cs.columbia.edu/~smb -- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Edward Lewis+1-571-434-5468 NeuStar Inactionable unintelligence is bliss.
Re: do bogon filters still help?
On Wed, 11 Jan 2006, Edward Lewis wrote: No data, but I thought I should add...RFC 3330 Special-Use IPv4 Addresses lists the obvious stuff. I just went through an exercise in de-bogonizing and needed that reference. [http://www.ietf.org/rfc/rfc3330.txt] Be careful though. It lists 24.0.0.0/8 as special, explaining that this went to cable operators (and eventually administered via ARIN). So don't just use the Summary Table in section 3 blindly. For those doing similar exercise, you might want to look at rephrased version of rfc330 listed blocks: http://www.completewhois.com/iana-ipv4-specialuse.txt -- William Leibzon Elan Networks [EMAIL PROTECTED]
Re: do bogon filters still help?
On Wed, 11 Jan 2006 13:03:51 -0500 Steven M. Bellovin [EMAIL PROTECTED] wrote: Every time IANA allocates new prefixes, we're treated to complaints about sites that are not reachable because they're in the new space and some places haven't updated their bogon filters. My question is this: have we reached a point where the bogon filters are causing more pain than they're worth? Perhaps operators can be convinced that the only best practice implementation of bogon filtering is through the use of a well maintained bogon route server service, be it from Team Cymru or some other well regarded 3rd party. All static, manual config management of bogon routes should be strongly discouraged. Now if router vendors could figure out ways to use a bogon route server for multicast protocols, that would be of a great help to niche community that has to run that service. There the pain is arguably worth it (dig about multicast being painful with or without them here :-) John
Re: do bogon filters still help?
* william elan net: For those doing similar exercise, you might want to look at rephrased version of rfc330 listed blocks: http://www.completewhois.com/iana-ipv4-specialuse.txt You should move 192.88.99.0/24 from SPECIAL to YES (although you shouldn't see source addresses from that prefix, no matter what the folks at bit.nl think). 169.254.0.0/16 should be NO (otherwise it wouldn't be link-local). to make the list more future-proof, listing 128.0.0.0/16, 191.255.0.0/16, 192.0.0.0/24 and 223.255.255.0/24 as YES might be a good idea. I'm not sure what to do with 39/8. I haven't looked at RFC 3330, but another RFC reserves 192.0.2.0/24 for examples in documentation. In practice, this prefix is used for distributing fake null routes over BGP, so it's a rather strong NO.
Re: do bogon filters still help?
* william elan net: For those doing similar exercise, you might want to look at rephrased version of rfc330 listed blocks: http://www.completewhois.com/iana-ipv4-specialuse.txt You should move 192.88.99.0/24 from SPECIAL to YES (although you shouldn't see source addresses from that prefix, no matter what the folks at bit.nl think). 169.254.0.0/16 should be NO (otherwise it wouldn't be link-local). Good example as to why to use authoratative sources only. Completewhois is far from that. (it's a good effort though.. so thanks william). -M
Re: do bogon filters still help?
* Martin Hannigan: You should move 192.88.99.0/24 from SPECIAL to YES (although you shouldn't see source addresses from that prefix, no matter what the folks at bit.nl think). 169.254.0.0/16 should be NO (otherwise it wouldn't be link-local). Good example as to why to use authoratative sources only. But most authoritative sources are too shy to make explicit operational recommendations. 8-)
Re: do bogon filters still help?
On Wed, 11 Jan 2006, Florian Weimer wrote: Thank you for your suggestions. * william elan net: For those doing similar exercise, you might want to look at rephrased version of rfc330 listed blocks: http://www.completewhois.com/iana-ipv4-specialuse.txt You should move 192.88.99.0/24 from SPECIAL to YES (although you shouldn't see source addresses from that prefix, no matter what the folks at bit.nl think). 169.254.0.0/16 should be NO (otherwise it wouldn't be link-local). I think you just explained it yourself why this is SPECIAL, i.e. routing of it depends on local policies and setup. Anything where it is not clear from RFCs if it should be routable or not and where it depends on local decisions policy is what I called SPECIAL. Perhaps better documentation is needed to explain each case, which I'll likely do some point way in the future when html version of the same page also becomes available. It is on the TODO list. to make the list more future-proof, listing 128.0.0.0/16, 191.255.0.0/16, 192.0.0.0/24 and 223.255.255.0/24 as YES might be a good idea. I'm not sure what to do with 39/8. Yes, I considered that. Ultimately these blocks might well become routed. It should be pointed out though that the file is not set in stone and was intended to be updated when some block's status changes just like this is done with iana-ipv4-allocations.txt It is however possible that I'll change it to YES with special comment because the data does seem more of something that people are going to configure and left alone rather then expect changes as with bogon data. I haven't looked at RFC 3330, but another RFC reserves 192.0.2.0/24 for examples in documentation. In practice, this prefix is used for distributing fake null routes over BGP, so it's a rather strong NO. If you know which RFC it is, I'll update the reference table. -- William Leibzon Elan Networks [EMAIL PROTECTED]
Re: do bogon filters still help?
At 20:28 +0100 1/11/06, Florian Weimer wrote: * Martin Hannigan: You should move 192.88.99.0/24 from SPECIAL to YES (although you shouldn't see source addresses from that prefix, no matter what the folks at bit.nl think). 169.254.0.0/16 should be NO (otherwise it wouldn't be link-local). Good example as to why to use authoratative sources only. But most authoritative sources are too shy to make explicit operational recommendations. 8-) The authoritative sources put the data out there. What more can you ask of them? What more do you want? It's been said that the neutral parties (the authorities are supposed to be neutral) should not make business decisions for the industry. Recommending route filters is a business decision. Operational recommendations in general are business decisions. Consider it lucky you have a choice here. The plain official version, William's marked up copy, and edits to William's on the list. You have a choice here, you can't beat that. -- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Edward Lewis+1-571-434-5468 NeuStar Inactionable unintelligence is bliss.
Re: do bogon filters still help?
* william elan net: You should move 192.88.99.0/24 from SPECIAL to YES (although you shouldn't see source addresses from that prefix, no matter what the folks at bit.nl think). 169.254.0.0/16 should be NO (otherwise it wouldn't be link-local). I think you just explained it yourself why this is SPECIAL, i.e. routing of it depends on local policies and setup. Anything where it is not clear from RFCs if it should be routable or not and where it depends on local decisions policy is what I called SPECIAL. Uhm, no. 6to4 anycast only works without hickups when the prefix is NOT treated in any special way. 8-) That's part of its charm. If operators start to install special filters, they break this functionality for no real gain. I haven't looked at RFC 3330, but another RFC reserves 192.0.2.0/24 for examples in documentation. In practice, this prefix is used for distributing fake null routes over BGP, so it's a rather strong NO. If you know which RFC it is, I'll update the reference table. Uhm, looks like I was mistaken. Each time the topic comes up, I confuse this with RFC 2606 (domain names). No such RFC exists for IPv4 addresses.
Re: do bogon filters still help?
On Wed, 11 Jan 2006, Edward Lewis wrote: At 20:28 +0100 1/11/06, Florian Weimer wrote: * Martin Hannigan: You should move 192.88.99.0/24 from SPECIAL to YES (although you shouldn't see source addresses from that prefix, no matter what the folks at bit.nl think). 169.254.0.0/16 should be NO (otherwise it wouldn't be link-local). Good example as to why to use authoratative sources only. But most authoritative sources are too shy to make explicit operational recommendations. 8-) The authoritative sources put the data out there. What more can you ask of them? What more do you want? It's been said that the neutral parties (the authorities are supposed to be neutral) should not make business decisions for the industry. Recommending route filters is a business decision. Operational recommendations in general are business decisions. Nevertheless I'd prefer to see authoritative source (i.e. ICANN IANA) be more involved then just text file on a website. For example IETF does more both in terms of notifications (which they sent to multiple lists for each published RFC - with lists being different depending on what RFC its on-topic for) and in terms of information for operational use (i.e. published BCPs and separate OPS area). Ultimately of course IANA is closely related to activities of IETF but I think it does have its own role to play and notifications of changes to its indexes is within its area of responsibility. -- William Leibzon Elan Networks [EMAIL PROTECTED]
Re: do bogon filters still help?
On Wed, 11 Jan 2006, Florian Weimer wrote: You should move 192.88.99.0/24 from SPECIAL to YES (although you shouldn't see source addresses from that prefix, no matter what the folks at bit.nl think). 169.254.0.0/16 should be NO (otherwise it wouldn't be link-local). I think you just explained it yourself why this is SPECIAL, i.e. routing of it depends on local policies and setup. Anything where it is not clear from RFCs if it should be routable or not and where it depends on local decisions policy is what I called SPECIAL. Uhm, no. 6to4 anycast only works without hickups when the prefix is NOT treated in any special way. 8-) That's part of its charm. If operators start to install special filters, they break this functionality for no real gain. I think this is still quite a bit of a special case as opposed to for example 24/8 block which is ultimately used same as regular RIR blocks. Nevertheless I changed routing to YES and leave explanation for future. I also did update and listed comment for reserved blocks with explanation that either regularly updated filters should be used or blocks should be left fully routable. -- William Leibzon Elan Networks [EMAIL PROTECTED]
SprintPCS Contact
Can somesone from SprintPCS contact me offline? -Dennis
Re: workhorse of the future...
Slightly associated with the workhorse of the future thread... Is anyone out there rolling out the triple play thingie using alcatel? In particular the 7750, 7450, 7670 and 7300 products. If so, please let me know what to be afraid of --uh-- I mean look forward to... ;-) Off list is fine if this isn't what others want to hear. Thanks, scott
Re: workhorse of the future...
Bill, alas, i think the days of being able to deploy one type of god box swiss-army-knife router are passing. depending on what it is that the router is planned to be doing defines its PPS requirements what speeds/feeds you need to run various features at. from http://www.merit.edu/mail.archives/nanog/2005-09/msg00635.html can you classify what functionality you see yourself as needing? that pretty much sets the discussion as to whether you're after something that can be s/w-forwarding or not ... cheers, lincoln. [EMAIL PROTECTED] wrote: first it was the vitalinks, then the bridge gear, then proteon, then cisco AGS, then 7600VXR, then 7301s looking to find the next-gen workhorse ... looking for 4-6yr life expectancy. pointers(private are ok) are appreciated - as well as -why- you think the suggested boxen are likely candidates. --bill
Re: do bogon filters still help?
Hi Florian, others, | You should move 192.88.99.0/24 from SPECIAL to YES (although you | shouldn't see source addresses from that prefix, no matter what the | folks at bit.nl think). 169.254.0.0/16 should be NO (otherwise it | wouldn't be link-local). Hi, here's a member of 'the folks at bit.nl'. Just a quick note to say that we have been sourcing IPv4 packets from 192.88.99.1 at a rate of 2.000 to 10.000 packets per second since early 2003, so I'm guessing we have sent some 750.000 billion packets by now. I have accounted for some 850.000 IPv4 addresses speaking to and from our 6to4 relay in Q4/2005 alone, so one might argue that there are the proverbial One Million people can't be wrong. Groet, Pim (keeping the myth alive!) -- Met vriendelijke groet, BIT BV / Ing P.B. van Pelt PBVP1-RIPE (PGPKEY-4DCA7E5E)
Re: workhorse of the future...
On Thu, Jan 12, 2006 at 09:56:33AM +1100, Lincoln Dale wrote: Bill, alas, i think the days of being able to deploy one type of god box swiss-army-knife router are passing. that is too true... some misty-eyed moments for the demise of chaosnet support ... depending on what it is that the router is planned to be doing defines its PPS requirements what speeds/feeds you need to run various features at. from http://www.merit.edu/mail.archives/nanog/2005-09/msg00635.html can you classify what functionality you see yourself as needing? nice list, but incomplete. while the pace of innovation has slowed, OM features have grown, and a raw desire to keep up the ROI by pandering to the idol of convergence have not kept me aware of the fact that NEW, UNEXPECTED events will place demands on my boxen for the forseeable future - and a s/w driven box has more resilience in that vector. that pretty much sets the discussion as to whether you're after something that can be s/w-forwarding or not ... i guess i was hoping for some kind soul to provide some insight as to other factors that may be sea-change events to the routing system in the next 48-60month horizon. IPv6 table size, on-board key/sig mgmt/computation are TWO... are there others? --bill cheers, lincoln. [EMAIL PROTECTED] wrote: first it was the vitalinks, then the bridge gear, then proteon, then cisco AGS, then 7600VXR, then 7301s looking to find the next-gen workhorse ... looking for 4-6yr life expectancy. pointers(private are ok) are appreciated - as well as -why- you think the suggested boxen are likely candidates. --bill
Re: do bogon filters still help?
* Pim van Pelt: Hi Florian, others, | You should move 192.88.99.0/24 from SPECIAL to YES (although you | shouldn't see source addresses from that prefix, no matter what the | folks at bit.nl think). 169.254.0.0/16 should be NO (otherwise it | wouldn't be link-local). Hi, here's a member of 'the folks at bit.nl'. Just a quick note to say that we have been sourcing IPv4 packets from 192.88.99.1 at a rate of 2.000 to 10.000 packets per second since early 2003, so I'm guessing we have sent some 750.000 billion packets by now. And this is just so wrong. You should use an address you own as a source address. Otherwise, packets tend to get dropped by filters. And no, anyone should be able to spoof from 192.88.99.0/24 is not the answer to this kind of problem.
RE: workhorse of the future...
dons flame suit How about a Mikrotik? / -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, January 11, 2006 4:18 PM To: Lincoln Dale Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: Re: workhorse of the future... On Thu, Jan 12, 2006 at 09:56:33AM +1100, Lincoln Dale wrote: Bill, alas, i think the days of being able to deploy one type of god box swiss-army-knife router are passing. that is too true... some misty-eyed moments for the demise of chaosnet support ... depending on what it is that the router is planned to be doing defines its PPS requirements what speeds/feeds you need to run various features at. from http://www.merit.edu/mail.archives/nanog/2005-09/msg00635.html can you classify what functionality you see yourself as needing? nice list, but incomplete. while the pace of innovation has slowed, OM features have grown, and a raw desire to keep up the ROI by pandering to the idol of convergence have not kept me aware of the fact that NEW, UNEXPECTED events will place demands on my boxen for the forseeable future - and a s/w driven box has more resilience in that vector. that pretty much sets the discussion as to whether you're after something that can be s/w-forwarding or not ... i guess i was hoping for some kind soul to provide some insight as to other factors that may be sea-change events to the routing system in the next 48-60month horizon. IPv6 table size, on-board key/sig mgmt/computation are TWO... are there others? --bill cheers, lincoln. [EMAIL PROTECTED] wrote: first it was the vitalinks, then the bridge gear, then proteon, then cisco AGS, then 7600VXR, then 7301s looking to find the next-gen workhorse ... looking for 4-6yr life expectancy. pointers(private are ok) are appreciated - as well as -why- you think the suggested boxen are likely candidates. --bill
Re: do bogon filters still help?
Florian, On Thu, Jan 12, 2006 at 12:21:30AM +0100, Florian Weimer wrote: | And this is just so wrong. You should use an address you own as a | source address. Otherwise, packets tend to get dropped by filters. Who says so? It's anycasted, and operators source from it after making note of this in the proper routing registries. RIPE NCC would confirm that AS12859 can source from 192.88.99.0/24, just like the other operators in RFC3068-MNT can. If anybody marks this prefix as a bogon and filters it, that's their absolute right as a network operator. Their customers might not appreciate it that much though, if they would like to use 6to4. | And no, anyone should be able to spoof from 192.88.99.0/24 is not | the answer to this kind of problem. I didn't say, type, or even think this. -- Met vriendelijke groet, BIT BV / Ing P.B. van Pelt PBVP1-RIPE (PGPKEY-4DCA7E5E)
Re: workhorse of the future...
personally, i prefer moka with schlagrahm and chocolate sprinkles. randy
Re: do bogon filters still help?
On Thu, Jan 12, 2006 at 12:21:30AM +0100, Florian Weimer wrote: Hi, here's a member of 'the folks at bit.nl'. Just a quick note to say that we have been sourcing IPv4 packets from 192.88.99.1 at a rate of 2.000 to 10.000 packets per second since early 2003, so I'm guessing we have sent some 750.000 billion packets by now. And this is just so wrong. You should use an address you own as a source address. You may want to review the discussion there: http://dict.regex.info/ipv6/ngtrans/2002-01.mail/0083.html I'm undecided wether it's The Right Thing to do, so I just want to provide this pointer. Otherwise, packets tend to get dropped by filters. By which ones? Folks with too much time feeding their paranoia, or is there any actual realistic attack to prevent by filtering packets with source 192.88.99.1? Regards, Daniel -- CLUE-RIPE -- Jabber: [EMAIL PROTECTED] -- [EMAIL PROTECTED] -- PGP: 0xA85C8AA0
Re: do bogon filters still help?
On Wed, 11 Jan 2006, Florian Weimer wrote: For those doing similar exercise, you might want to look at rephrased version of rfc330 listed blocks: http://www.completewhois.com/iana-ipv4-specialuse.txt You should move 192.88.99.0/24 from SPECIAL to YES (although you shouldn't see source addresses from that prefix, no matter what the folks at bit.nl think). This is not correct. It's perfectly fine to source packets from 192.88.99.0/24. Please show a citation if you think different. -- Pekka Savola You each name yourselves king, yet the Netcore Oykingdom bleeds. Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
Re: Sticky Bogons
On 1/11/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: from 68/8 or 69/8. If sites *still* haven't figured out yet how to get their bogon filters maintained, they need to have Team Cymru's address tattooed onto their skulls with a baseball bat. It's that kind of hardcoding that got us here in the first place. ;) -Mike
Broadwing IRR maintainer contact.
If someone from Broadwing reponsible for maintaining routing registry entries, or who could direct me to the correct person, would contact me off-list, I'd appreciate. I need Broadwing to remove stale RR information for our prefixes, and I have not received any responses to queries sent to [EMAIL PROTECTED] Thanks, -- Stephen.
Re: Sticky Bogons
--==_Exmh_1136999684_3854P Content-Type: text/plain; charset=us-ascii On Wed, 11 Jan 2006 10:50:52 EST, Joe Loiacono said: a little help ... ... The same issue from China. One of our member got a block /17 from 125/8, this block caused The only thing likely to help is a baseball bat (although a cricket bat will probably serve in a pinch, and you're from that part of the world). Seriously. We've been having this *SAME* problem since we started allocating from 68/8 or 69/8. If sites *still* haven't figured out yet how to get their bogon filters maintained, they need to have Team Cymru's address tattooed onto their skulls with a baseball bat. No, you are incorrect. Networks need to use authoritative sources for their information. Cymru is behind IANA, not in front. Cymru is a good resource, but I don't hear them calling themselves authoritative. I've never worked anywhere that I could blame a network problem on an RBL et. al. .edu may be different, but I doubt it. -M