Re: IP Delegations for Forum Spammers and Invalid Whois info

2006-07-03 Thread Simon Waters

On Monday 03 Jul 2006 06:16, you wrote:

 Forgive the relative noobishness of the question, but I've not had to deal
 with this sort of situation before.  Should I be forwarding to RIPE?

I don't think RIPE will be that interested.

The address range gets connectivity from someone. I suggest reporting 
upstream.

Oh dear upstream is ISPrime -- anyone here think they are anything but a spam 
house? Is not then why are they still in NY?



Re: IP Delegations for Forum Spammers and Invalid Whois info

2006-07-03 Thread Gadi Evron

This is a known problem with known solutions. There are RBL's, bayesian
filters, behaviour filters, and what not.

For a phpbb forum I'd suggest a captcha, although that's extremely
annoying.

This is becoming the next (last) spamvertising medium and Google poisoning
medium. I and others spend hours on this issue every day. We even have a
mailing list for this.

Good luck,

Gadi.

On Mon, 3 Jul 2006, Mark Foster wrote:

 I assume the ongoing problems that forum administrators have with people 
 randomly signing up to forums - even closed ones requiring admin approval 
 for all accounts - for the purpose of spamming their web urls around the 
 place is an old one.
 
 I run such a forum and have started implementing /16 level bans to try to 
 slow them down.  Obviously not the best solution.
 
 The forum in question is phpBB (I know - whose isn't) and I'm yet to have 
 time to actually start digging into whether there are better ways of 
 responding to this issue. (Volume isn't prohibitive - yet.)
 
 In the most recent case the IP address space that the website concerned 
 points back to is in the Ukraine and the listed abuse contact is on a 
 domain which is canned due to invalid contact details provided.
 
 My question then is - what happens now?  The IP address space is 
 essentially 'untraceable' except perhaps through 
 bandwidth-supplier-agreements or somesuch.  Shouldn't IP's with similarly 
 invalid contact details be 'suspended' after being given opportunity to 
 provide updated, correct details?
 
 The IP range in question is 195.225.176.0 - 195.225.179.255 and a snippet 
 of the whois info provided is as follows:
 
 remarks:  
 remarks:  * Abuse contacts: [EMAIL PROTECTED] *
 remarks:  
 
 person:   Vsevolod Stetsinsky
 address:  01110, Ukraine, Kiev, 20Á, Solomenskaya street. room 206.
 phone:    +38 050 6226676
 e-mail:   [EMAIL PROTECTED]
 nic-hdl:  VS1142-RIPE
 source:   RIPE # Filtered
 
 
 Forgive the relative noobishness of the question, but I've not had to deal 
 with this sort of situation before.  Should I be forwarding to RIPE?
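
An added example, not part of any poster's message: instead of a /16 ban, the whois range quoted above can be collapsed to its exact CIDR block so that only the registered allocation is blocked. The sign-up addresses and the helper names (`range_to_cidrs`, `plan_bans`, `collateral`) are constructed for illustration; only the first/last addresses of the range come from the thread.

```python
import ipaddress

# Range copied from the whois excerpt quoted in the message above.
WHOIS_RANGE = ("195.225.176.0", "195.225.179.255")

# Constructed sample data: source IPs of spam sign-ups (not real log entries).
SIGNUP_IPS = ["195.225.177.14", "195.225.179.201", "198.51.100.7", "203.0.113.20"]


def range_to_cidrs(first, last):
    """Collapse an inetnum-style first/last pair into the fewest CIDR blocks."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def slash16_of(ip):
    """The /16 that a blanket ban on this address would cover."""
    return ipaddress.ip_network(f"{ip}/16", strict=False)


def plan_bans(signup_ips, allocations):
    """Ban the registered allocation when a sign-up IP falls inside one;
    otherwise fall back to a single-host ban rather than a /16."""
    bans = set()
    for raw in signup_ips:
        ip = ipaddress.ip_address(raw)
        match = next((net for net in allocations if ip in net), None)
        bans.add(match if match else ipaddress.ip_network(f"{ip}/32"))
    return sorted(bans)


def collateral(bans, signup_ips):
    """Addresses a per-IP /16 policy would block beyond what the plan blocks."""
    wide = {slash16_of(ip) for ip in signup_ips}
    return sum(n.num_addresses for n in wide) - sum(n.num_addresses for n in bans)


if __name__ == "__main__":
    allocations = range_to_cidrs(*WHOIS_RANGE)
    bans = plan_bans(SIGNUP_IPS, allocations)
    for net in bans:
        print(net)
    print("addresses spared versus /16 bans:", collateral(bans, SIGNUP_IPS))
```

The quoted range is a single /22 (1,024 addresses), so banning it covers the whole allocation while leaving the rest of the surrounding /16 reachable.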
 
 



Huawei Routers in the Core

2006-07-03 Thread Kim Onnel
Hello,

We have been looking at Huawei line of routers recently and I was kind
of surprised to see they have Core stuff, that are able to handle Gigs
of traffic and MPLS, I can't seem to find anyone around that have used
any of these, I wonder if anyone here has, I'd love to hear what he/she
has to say, positive or negative feedback.

Offline messages are welcomed.

Thanks,
Kim



Re: IP Delegations for Forum Spammers and Invalid Whois info

2006-07-03 Thread Phil Rosenthal


Hello,

On Jul 3, 2006, at 3:53 AM, Simon Waters wrote:



 On Monday 03 Jul 2006 06:16, you wrote:

  Forgive the relative noobishness of the question, but I've not had to deal
  with this sort of situation before.  Should I be forwarding to RIPE?

 I don't think RIPE will be that interested.

 The address range gets connectivity from someone. I suggest reporting
 upstream.

 Oh dear upstream is ISPrime -- anyone here think they are anything but a spam
 house? Is not then why are they still in NY?



We are very much anti-spam and I will look into Mark's issue - I'm
looking through the tickets for abuse@ and there is no email sent in
from [EMAIL PROTECTED] ...


Mark - Please email me off list with whatever issue you're having and  
I'll have it dealt with, please cc: [EMAIL PROTECTED]


Thanks,
--Phil


Re: DNS Based Load Balancers

2006-07-03 Thread John Payne



On Jul 3, 2006, at 12:09 AM, Paul Vixie wrote:



well, i see that fezhead is dead.  but 3-party TCP is alive and well:
http://www.cs.bu.edu/~best/res/projects/DPRClusterLoadBalancing/.

see also http://www.tenereillo.com/GSLBPageOfShame.htm
and  http://www.tenereillo.com/GSLBPageOfShameII.htm.



Paul - I'm still eagerly waiting your reply to Patrick's questions.

Here at least we finally have something to read other than relying on
blind faith, but the author is so convinced DNS based GSLB doesn't work[1]
(and gives good examples of why it doesn't).  However, these are all pretty
much theoretical examples, and there's no explanation of why DNS based CDNs
do in fact work so well in practice[2].




[1] FSVO doesn't work that is...
[2] I was going to say appear to work so well, but that's unfair use of
sarcasm - I know just how well at least one CDN works :)


RE: DNS Based Load Balancers

2006-07-03 Thread David Temkin




 -----Original Message-----
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of Paul Vixie
 Sent: Monday, July 03, 2006 12:09 AM
 To: nanog@merit.edu
 Subject: Re: DNS Based Load Balancers
 
 
  The problem being that most of what you linked to below is either A)
  out of date, or B) the only way to get proximity based load balancing
  (GSLB type stuff) with them is with DNS tricks.
 
 most of, huh?  let's have a looksie.
 
  Breaking it down in order:
  
   The IBM solution hasn't been updated since 1999.  It also seems 
  relatively proprietary.
 
 the ibm white paper i referred you to was written in 1999.  
 websphere is quite current, and its implementation of GSLB 
 functionality has been updated plenty since 1999.  and the 
 competitors james baldwin said he was eval'ing (cisco, f5) 
 are certainly patent-holders offering proprietary solutions.
 
   The Cisco solution relies on either doing HTTP redirects (which is 
  useless if you're not doing HTTP) or DNS.
 
 james baldwin said he was using the cisco solution today, so 
 clearly HTTP is the main target.  i can't think of a protocol 
 requiring GSLB that isn't HTTP based (either web browsing or 
 web services).  FTP just isn't a growth industry and the 
 transaction processing systems i know of (the ones that 
 aren't based on HTTP, that is) have GSLB hooks built into them.
 
 IOW, either you can do GSLB with session redirects, or you 
 don't need GSLB.
 
   Both Foundry and Radware rely 100% on DNS to do their GSLB.  You can do
  local load balancing on both boxes  without, however.
 
 did you read the same radware white paper i did?  in
 
   http://www.radware.com/content/products/library/faq_wsd.pdf
 
 it says that they can do session level redirects.  so, less 
 than 100% of radware is dns.  i can see that i misread the 
 foundry whitepaper i ref'd (perhaps we both saw most readily 
 that data which fit our preconceptions?)
 
   The last link is an outdated thesis paper that makes reference moreso
  to local load balancing and not global.
 
 why is it outdated?  as a survey of the desired 
 functionality it's still pretty good background.  no new GSLB 
 has been invented since then, surely?
 
  It seems that in lieu of a real, currently produced solution, the only
  option is presently DNS to meet the requirements.  Others have sent me
  off-list stuff they're working on, but none of it's ready for prime
  time.
 
 well, i see that fezhead is dead.  but 3-party TCP is alive and well:
 http://www.cs.bu.edu/~best/res/projects/DPRClusterLoadBalancing/.
 
 see also http://www.tenereillo.com/GSLBPageOfShame.htm
 and  http://www.tenereillo.com/GSLBPageOfShameII.htm.
 
 the references sections of those last three are particularly 
 informative.
 --
 Paul Vixie
 



Without getting into a massive back and forth, I just want to make 3
points:

1) Websphere is proprietary to IBM and requires their servers.  It's not
scalable to other applications. It's also not targeted to the same
market as, say, F5.

2) There are definitely protocols that require GSLB that aren't HTTP.
Off the top of my head: RTSP/MMS, VoIP services.  I'd say that, at the
very least, VoIP protocols are the killer app for GSLB moreso than HTTP.
Surely the internet isn't only the web, right?

3) TCP-redirect solutions, such as the Radware one you pointed out, do
not work in large scales.  Have you ever met anyone who's actually
implemented that in a large scale?  The solution they point to they
don't even sell anymore (the WSD-DS/NP).  If you talk to their sales,
they'll point you at the DNS based solution because they know that doing
Triangulation is a joke.  Triangulation and NAT-based methods both
crumble under any sort of DoS and provide no site isolation.


Pete Tenereillo's papers are interesting, but they're also slanted and
ignore other implementation methods of DNS GSLB.  How about handing out
NS records instead of A records?   That's a method that would make
large parts of his papers irrelevant.

My main point here is that each solution has its evils, and when faced
with a choice, he needs to evaluate what method works best for him.
Anyone could just as easily say that Triangulation and NAT are a hack
just the same as GSLB DNS is a hack.   Akamai and UltraDNS will actually
sell you GSLB without even buying localized hardware to do it - are
these bad services, too?  Patrick said it best: Just in case we like to
decide things for ourselves.

-Dave


Call for Volunteers for Mailing List Administration Panel

2006-07-03 Thread Randy Bush

There is an opening on the NANOG Mail List Administration Panel.  

According to the draft charter[1]:

... The NANOG list will be administered and minimally
moderated by a panel selected by the Steering Committee.

Accordingly, the Steering Committee is soliciting nominations for
this open position, from now through 17:00 GMT Thursday, August
13, 2006.

** Procedure **

To volunteer yourself or nominate someone else, please send mail to
[EMAIL PROTECTED] with the following information, no later than
17:00 GMT Sunday August 13, 2006.

  - Your name
  - Nominee's name (if not you)
  - Nominee's email address
  - Nominee's phone number
  - Nominee's employer
  - Reasons why you believe the nominee is qualified to serve
on the Mail List Panel.

We will contact each of the nominees to verify interest and
possibly request additional information.

Once all nominations have been received, the Steering Committee, in
cooperation with the Mailing List Panel, will select the new member
from among the nominees.  The result will be announced on the
nanog-announce mailing list.

** Eligibility **

Anyone actively reading the [EMAIL PROTECTED] mailing list is
eligible.  A nominee may not be a member of the NANOG Program
Committee or of the NANOG Steering Committee.

** Duties **

Basic duties include reading the mailing list and assisting with
keeping things on-topic.  The team also deals with abuse issues as
they arise.

** Length of term **

The charter does not specify ML Panel member term lengths.  Open
discussion of this is being led by the NANOG Steering Committee.

If you have any questions, please post to the meta-discussion list,
[EMAIL PROTECTED], or email [EMAIL PROTECTED] and
[EMAIL PROTECTED]

Finally, on behalf of the Mailing List Panel and the Steering
Committee, we would like to thank everyone for their help in making
NANOG a useful environment for operators.

randy for the SC
  
Chris Malayter, for the MLC





Re: DNS Based Load Balancers

2006-07-03 Thread Paul Vixie

 Without getting into a massive back and forth, I just want to make 3
 points:

as long as the back-and-forth remains informative and constructive, i'll play:

 1) Websphere is proprietary to IBM and requires their servers.  It's not
 scalable to other applications.  It's also not targeted to the same
 market as, say, F5.

websphere is a trade name for a family of products and services.  the GSLB
component is able to play as a proxy to someone else's web server.  (don't
take my word for it, call an ibm salesweenie.)

 2) There are definitely protocols that require GSLB that aren't HTTP.
 Off the top of my head: RTSP/MMS, VoIP services.  I'd say that, at the
 very least, VoIP protocols are the killer app for GSLB moreso than HTTP.
 Surely the internet isn't only the web, right?

according to http://www.isc.org/pubs/tn/isc-tn-2004-2.html, the internet
is much larger than the web.  but i'm not sure what you're replying to.  i
said that session level redirection would be possible in all cases where
GSLB was needed.  voip has session level redirection (several kinds).

 3) TCP-redirect solutions, such as the Radware one you pointed out, do
 not work in large scales.  Have you ever met anyone who's actually
 implemented that in a large scale?  The solution they point to they
 don't even sell anymore (the WSD-DS/NP).  If you talk to their sales,
 they'll point you at the DNS based solution because they know that doing
 Triangulation is a joke.  Triangulation and NAT-based methods both
 crumble under any sort of DoS and provide no site isolation.

i did not know radware has given up on wsd.  but i don't see an explanation
of what you mean by not work in large scales beyond radware gave up.  i
gave another reference to third-party TCP, have you looked at it or surveyed
the rest of the field to find out how asymmetric IP (satellite downlink, 
terrestrial uplink) and third-party TCP is working for the various pacific
islands who depend on it?

 Pete Tenereillo's papers are interesting, but they're also slanted and
 ignore other implementation methods of DNS GSLB.  How about handing out
 NS records instead of A records?   That's a method that would make
 large parts of his papers irrelevant.

just as one can always find an example that supports one's preconceptions,
one can always find a single counterexample that will support one's
prejudices.  i'm sure that any technology can be successfully demo'd or
successfully counter-demo'd.  this conversation started out as what DNS
GSLB should i use? and then if DNS GSLB is such a bad idea then what do
you propose as an alternative? and now it's every alternative has known
failure modes that are as bad as DNS GSLB's worst case.  does that mean
we're done with the informative and constructive part of this thread?

 My main point here is that each solution has its evils, and when faced
 with a choice, he needs to evaluate what method works best for him.
 Anyone could just as easily say that Triangulation and NAT are a hack
 just the same as GSLB DNS is a hack.   Akamai and UltraDNS will actually
 sell you GSLB without even buying localized hardware to do it - are
 these bad services, too?  Patrick said it best: Just in case we like to
 decide things for ourselves.

nobody ever got fired for buying akamai's or ultradns's DNS GSLB services,
that's for sure.
-- 
Paul Vixie


ICANN at risk

2006-07-03 Thread Jeremy Kister


With three days left and no mention of it from the folks that matter, 
I'm referring NANOG readers to:



http://www.ntia.doc.gov/ntiahome/frnotices/2006/NOI_DNS_Transition_0506.htm

From the article:
 SUMMARY:  The United States Department of Commerce's National
 Telecommunications and Information Administration (NTIA) seeks comment
 on the continuation of the transition of the technical coordination
 and management of the Internet domain name and addressing system
 (Internet DNS) to the private sector.
[...]
 Comments are due on or before July 7, 2006.

--

Jeremy Kister
http://jeremy.kister.net./



RE: DNS Based Load Balancers

2006-07-03 Thread David Temkin

 
 just as one can always find an example that supports one's 
 preconceptions, one can always find a single counterexample 
 that will support one's prejudices.  i'm sure that any 
 technology can be successfully demo'd or successfully 
 counter-demo'd.  this conversation started out as what DNS 
 GSLB should i use? and then if DNS GSLB is such a bad idea 
 then what do you propose as an alternative? and now it's 
 every alternative has known failure modes that are as bad as 
 DNS GSLB's worst case.  does that mean we're done with the 
 informative and constructive part of this thread?

I don't think anyone disagrees with you there.  I just felt that any
comprehensive answer should go beyond DNS GSLB is broken, don't use
it.  

As someone who administers a rather large both appliance and
service provider based GSLB network, as well as someone who's
administered triangulation and BGP-based methods in the past, I can
honestly say that thus far the DNS implementation has been far less
broken..  Does that mean that someone else feels differently?  I sure
hope so.

 
  My main point here is that each solution has its evils, and when
  faced with a choice, he needs to evaluate what method works best for him.
  Anyone could just as easily say that Triangulation and NAT are a hack
  just the same as GSLB DNS is a hack.   Akamai and UltraDNS will actually
  sell you GSLB without even buying localized hardware to do it - are
  these bad services, too?  Patrick said it best: Just in case we like
  to decide things for ourselves.
 
 nobody ever got fired for buying akamai's or ultradns's DNS 
 GSLB services, that's for sure.


Very true, but does that mean they're a viable alternative for him?  Or
are they just as broken as hardware vendor GSLB?
The local load balancing piece can be served by any number of hardware
appliances or software products.


-Dave