Postmaster @ vtext.com (or what are best practice to send SMS these days)

2008-04-16 Thread David Ulevitch


We've noticed that [EMAIL PROTECTED] is no longer a very reliable 
form of delivery for alerts from Nagios, et al.  It seems as our volume 
of alerts has risen, our delivery rate has dropped precipitously.


We don't expect much trying to actually reach a postmaster for vtext.com 
so I thought the better question would be to ask what the current 
best practice is to get SMS alerts out?


Back in the day, I remember a company I worked for had something called 
a TAP gateway.  Is that still a good route?  I've also been told to 
check out an SMS gateway/api service called clickatell.com  -- anyone 
using them to deliver timely notifications?


Is the best thing to do to try and get a programmable cellphone in a
datacenter?

What else are operators doing to get the pages out when things go wonky?

-David



Re: NXDOMAIN data needed for survey

2008-03-28 Thread David Ulevitch


Ray Demain wrote:

Isn't it funny though that OpenDNS is funded by the same group who 
funded Paxfire?


It might seem weird to you, but it's very common.  Once VC has done the 
due diligence in a space they are more likely to invest in another 
company doing something in a related space, for better or worse.


OpenDNS can be an angel on one shoulder while Paxfire is on the other, 
right?


Your inference is unfounded.

-David Ulevitch

ps: End of this thread for me.  It was dumb to begin with and despite 
the flaming, I'm sure a bunch of netops wrote back to the guy offering 
to sell NXDOMAIN data. Giving it more airtime is a waste of bits.





Re: RIPE NCC publishes case study of youtube.com hijack

2008-02-29 Thread David Ulevitch



The report states:

Sunday, 24 February 2008, 20:07 (UTC): AS36561 (YouTube) starts announcing 208.65.153.0/24. With two identical prefixes in the routing system, BGP policy rules, such as preferring the shortest AS path, determine which route is chosen. This means that AS17557 (Pakistan Telecom) continues to attract some of YouTube's traffic. 


It's worth noting that from where I sit, it appears as though none of 
Youtube's transit providers accepted this announcement.  Only their peers.


The point is -- Restrictive customer filtering can also bite you in the 
butt.  Trying to require your providers to do a ge 19 le 25 (or 
whatever your largest supernet is), rather than filters for specific 
prefix sizes seems a worthwhile endeavor so you can de-aggregate on the 
fly, as necessary.


-David

Tom Quilling wrote:

for those interested in the matter

tom


Dear Colleagues,

As you may be aware from recent news reports, traffic to the
youtube.com website was 'hijacked' on a global scale on Sunday, 24
February 2008. The incident was a result of the unauthorised
announcement of the prefix 208.65.153.0/24 and caused the popular
video sharing website to become unreachable from most, if not all,
of the Internet.

The RIPE NCC conducted an analysis into how this incident was seen
and tracked by the RIPE NCC's Routing Information Service (RIS) and
has published a case study at:
http://www.ripe.net/news/study-youtube-hijacking.html

The RIPE NCC RIS is a service that collects Border Gateway Protocol
(BGP) routing information from roughly 600 peers at 16 Internet
Exchange Points (IXPs) across the world. Data is stored in near
real-time and can be instantly queried by anyone to provide multiple
views of routing activity for any point in time.

The RIS forms part of the RIPE NCC's suite of Information Services,
which together provide a deeper insight into the workings of the
Internet. The RIPE NCC is a neutral and impartial organisation, and
commercial interests therefore do not influence the data collected.

The RIPE NCC Information Services suite also includes the Test
Traffic Measurement (TTM) service, the DNS Monitoring (DNSMON)
service and Hostcount. All of these services are available to
anyone, and most of them are offered free of charge.

More information about RIPE NCC Information Services can be found at:
http://is-portal.ripe.net

Regards,
Daniel Karrenberg
Chief Scientist, RIPE NCC





Re: RIPE NCC publishes case study of youtube.com hijack

2008-02-29 Thread David Ulevitch


Danny McPherson wrote:

On Feb 29, 2008, at 7:46 AM, David Ulevitch wrote:


It's worth noting that from where I sit, it appears as though none of 
Youtube's transit providers accepted this announcement.  Only their 
peers.


A simple artifact of shortest AS path route selection.


Well, we (youtube and opendns) share some common transit providers -- 
and so I had expected to see all announcements from one customer to 
another customer directly downstream from the provider.   But you very 
well could be right.




Had those same providers explicitly not accepted the /24 announcement
from AS 17557 via their peers you wouldn't have been affected at all.


Of course... In fact, wouldn't providers even benefit from having 
some logic that says don't ever accept a more specific of a 
customer-announced prefix?


Customers might not like that though... :-)


You prevent this by ubiquitous deployment of explicit customer and inter-
provider prefix filters, you don't open things up more so that when 
problems occur, folks can try to hack around them.


Like most things, ymmv.

-David
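The two filter ideas raised in this thread (a customer filter written as a length window such as "ge 19 le 25" instead of exact prefixes, and a peer filter that never accepts a more-specific of a customer-announced prefix) modelled in Python. This is an added example, not code from the original posts; the /22 aggregate for YouTube, the session labels and the unrelated AS64500 route are assumptions made for the example, while the /24 and the two AS numbers come from the thread.

```python
"""Prefix-filter policies from the two YouTube-hijack replies, modelled in
Python.  Added example, not code from the original posts.  Assumptions: the
customer's registered aggregate is 208.65.152.0/22 (the posts only name the
/24); the session labels 'customer' and 'peer' are constructed for the example.
"""
import ipaddress
from typing import Iterable, List, Tuple


def covers(aggregate: str, prefix: str) -> bool:
    """True when `prefix` is equal to or more specific than `aggregate`."""
    agg = ipaddress.ip_network(aggregate, strict=False)
    pfx = ipaddress.ip_network(prefix, strict=False)
    return agg.version == pfx.version and pfx.subnet_of(agg)


def exact_match_accepts(registered: Iterable[str], announced: str) -> bool:
    """Restrictive customer filter: only the registered prefixes themselves.
    This is the policy that stops a customer de-aggregating in an emergency."""
    pfx = ipaddress.ip_network(announced, strict=False)
    return any(pfx == ipaddress.ip_network(r, strict=False) for r in registered)


def range_accepts(registered: Iterable[str], announced: str, ge: int, le: int) -> bool:
    """Customer filter with a length window (the 'ge 19 le 25' idea): accept any
    prefix inside a registered aggregate whose length lies in [ge, le]."""
    pfx = ipaddress.ip_network(announced, strict=False)
    return ge <= pfx.prefixlen <= le and any(covers(r, announced) for r in registered)


def peer_accepts(customer_prefixes: Iterable[str], announced: str) -> bool:
    """Peer filter: never accept a prefix that is equal to, or a more-specific
    of, something a direct customer announces to us."""
    return not any(covers(c, announced) for c in customer_prefixes)


Announcement = Tuple[str, int, str]   # (prefix, origin AS, 'customer' | 'peer')


def apply_policy(customer_registered: List[str], announcements: List[Announcement],
                 ge: int = 19, le: int = 25):
    """Run every announcement through the filter that matches its session type.
    Returns (prefix, origin, session, accepted) per announcement."""
    decisions = []
    for prefix, origin, session in announcements:
        if session == "customer":
            ok = range_accepts(customer_registered, prefix, ge, le)
        elif session == "peer":
            ok = peer_accepts(customer_registered, prefix)
        else:
            raise ValueError(f"unknown session type {session!r}")
        decisions.append((prefix, origin, session, ok))
    return decisions


# Constructed scenario (the /24 and the AS numbers 36561/17557 are from the thread).
CUSTOMER_REGISTERED = ["208.65.152.0/22"]          # assumed YouTube aggregate
ANNOUNCEMENTS: List[Announcement] = [
    ("208.65.152.0/22", 36561, "customer"),   # normal aggregate
    ("208.65.153.0/24", 36561, "customer"),   # customer de-aggregating on the fly
    ("208.65.153.0/26", 36561, "customer"),   # longer than the le 25 window
    ("208.65.153.0/24", 17557, "peer"),       # the hijack, learned from a peer
    ("192.0.2.0/24", 64500, "peer"),          # unrelated peer route (documentation space)
]

if __name__ == "__main__":
    for prefix, origin, session, ok in apply_policy(CUSTOMER_REGISTERED, ANNOUNCEMENTS):
        print(f"{session:8s} AS{origin:<6d} {prefix:18s} {'accept' if ok else 'reject'}")
    # Contrast: an exact-match customer filter would have rejected the /24.
    print("exact-match accepts /24 from customer:",
          exact_match_accepts(CUSTOMER_REGISTERED, "208.65.153.0/24"))
```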




Cogent communities still working?

2008-02-15 Thread David Ulevitch


Has anyone else noticed that Cogent communities appear to no longer be 
taking effect for BGP speaking customers?


Particularly 174:991, 174:3002 and no-export?

Prefixes I'm talking about (if you want to see from your routeview) 
include: 208.67.222.0/24 and 208.67.220.0/24 sourced from 36692.


I can't find a public-facing looking glass which makes debugging 
difficult...


-David


Re: Getting DSL at your datacenter for OOB

2007-11-07 Thread David Ulevitch


chuck goolsbee wrote:


I thought it would be cool to start up a little co-op in our building of 
copper cross-connects between various providers STRICTLY for OOB network 
access. No sales involved, no revenue, strictly butt-saving OOB access. 
I was actually getting traction until one ... for lack of a better term 
party pooper... put the kibosh on the whole thing and ripped all the 
wiring out before we had finished.


Several of us thought it was a fine idea. I imagine it *could* work in 
certain buildings/environments with more enlightened facilities and 
technical people around.


I've mentioned it to EQNX and PAIX numerous times that it would be a 
value-add at the right price point.  They don't seem interested.


Most replies offlist seem to recommend just dealing with the hell that 
is the incumbent carrier ... or buying 1mbps-committed transit from 
someone willing to do it.  The problem with that is the $300+ MRC that 
places like EQNX and PAIX will charge for the ethernet XC.


Some other replies offered the you-scratch-my-back-I-scratch-yours 
solution of throwing an XC to each other in facilities like the Westin 
or the MMR at 111 8th where XC fees aren't MRCs.


-David


Re: more-specifics via IX

2007-10-18 Thread David Ulevitch






Stephen Wilcox wrote:



On 17 Oct 2007, at 20:55, Bradley Urberg Carlson wrote:



Thanks for the suggestions.

On Oct 17, 2007, at 6:06 PM, Stephen Wilcox wrote:
well.. the problem of course is that you pull in the traffic from the 
aggregate transit prefix which costs you $$$ but then you offload it 
to the customer via a peering link for which you are not being paid


A bigger problem is that my IX peer pays less to my customer for 
transit.  If my customer notices that transit traffic has been going 
around him, he may be grumpy.  I prefer happy customers.


Okay but:

1. Your customer/customer's customer is the one doing the broken routing 
here not you.. if he wants to be grumpy you should point him in the 
direction of the guy who is announcing the bad routes in the first place!


s/broken// and s/bad//

'broken' and 'bad' are all a matter of perspective here.



2. If I'm following this, your peer pays your customer? So you are 
peering with your customer's customer? If that was me I would either 
depeer them or tell them that you have an issue and need it resolving 
urgently or you may depeer them.


It's an MLPA policy based exchange (and probably just using a central 
route-server) not bi-lateral peering.  De-peering isn't possible here.


It's not an excuse for lack of filters, but as the OP pointed out, the 
filters weren't expecting the routes from their customer's customer.


-david


Re: dns authority changes and lame servers

2007-10-18 Thread David Ulevitch


Justin Scott wrote:


As an operator of both free and paid DNS services, I wish there was a
quick and easy way to pull a list of all of the zones that were
delegated to a specific IP address.  I say IP because people can now
register their own DNS name servers at the registrar and use our IP
addresses, so using the official hostname isn't even fool-proof.
Being able to pull such an official list for forward DNS zones would
certainly make life easier.


How annoying or frustrating is it for people?

Is it so annoying that you'd be willing to pay for a list of every 
public-facing NS record pointed at a given IP?


I should also mention the related work starting over here:
http://www.nanog.org/mtg-0710/presentations/Vixie-lightning.pdf

-David


Re: Cogent latency / congestion

2007-08-20 Thread David Ulevitch


Yes, their status page is not accurate.  We're seeing traffic hitting 
the bitbucket at various locations on their network including Dallas 
(IAH) and Ashburn (IAD).  It'd be nice if they pulled their routes for 
this stuff.


For example:

traceroute to grouse.dabbledb.com (64.15.129.72), 64 hops max, 40 byte packets

 1  38.99.21.1 (38.99.21.1)  2.012 ms  1.122 ms  0.468 ms
 2  g0-10.na21.b003104-1.sfo01.atlas.cogentco.com (38.104.128.129)  1.229 ms  2.223 ms  0.975 ms
 3  g1-7.111.core01.sfo01.atlas.cogentco.com (38.112.39.45)  1.758 ms  1.153 ms  2.523 ms
 4  p4-0.core01.sjc01.atlas.cogentco.com (66.28.4.94)  2.010 ms  2.290 ms  3.886 ms
 5  p14-0.core01.iah01.atlas.cogentco.com (66.28.4.237)  47.753 ms  46.791 ms  47.996 ms
 6  * * *
 7  * * *
 8  * * *
 9  *^C

-david

Mike Tancsa wrote:



Does anyone have any details about the Cogent outage that started this 
morning (9am GMT-400) and is still continuing ?   If it's a fibre cut 
between Montville (NJ?) and Cleveland OH (http://status.cogentco.com/) 
why is it so bad in Chicago and Albany locations ?  Is there really that 
little excess capacity ?


My connection out of Toronto is pretty bad via Albany

 3  g8-22.mpd01.yyz02.atlas.cogentco.com (38.104.158.77)  7.470 ms  6.754 ms  6.481 ms
 4  v3493.mpd01.yyz01.atlas.cogentco.com (154.54.5.85)  6.981 ms  6.730 ms  6.984 ms
 5  g2-0-0-3490.core01.yyz01.atlas.cogentco.com (154.54.5.73)  6.482 ms  7.175 ms  5.974 ms
 6  p4-0.core01.alb02.atlas.cogentco.com (66.28.4.217)  105.954 ms  112.055 ms  111.426 ms
 7  p6-0.core01.bos01.atlas.cogentco.com (154.54.7.42)  115.413 ms  117.090 ms  113.816 ms


and Bell's through Chicago is even worse

 6  64.230.229.5 (64.230.229.5)  12.572 ms  36.983 ms  200.187 ms
 7  64.230.242.97 (64.230.242.97)  4.685 ms  5.439 ms  3.645 ms
 8  64.230.147.14 (64.230.147.14)  14.351 ms  15.344 ms  14.387 ms
 9  206.108.103.142 (206.108.103.142)  14.374 ms  14.280 ms  14.255 ms
10  p13-0.core01.ord01.atlas.cogentco.com (154.54.11.29)  156.616 ms *  142.150 ms
11  te3-1.mpd01.ord01.atlas.cogentco.com (154.54.1.206)  135.199 ms  138.900 ms *
12  t2-4.mpd01.mci01.atlas.cogentco.com (154.54.2.233)  152.292 ms  149.956 ms  148.095 ms
13  t4-2.mpd01.iah01.atlas.cogentco.com (154.54.5.221)  149.047 ms  150.556 ms  151.232 ms


---Mike



Mike Tancsa,  tel +1 519 651 3400
Sentex Communications,  [EMAIL PROTECTED]
Providing Internet since 1994  www.sentex.net
Cambridge, Ontario Canada  www.sentex.net/mike





BGP Speaking tenants in 360 Spear // NAC

2007-08-20 Thread David Ulevitch


NANOG,

We're interested in doing a XC for a neighbor-of-last-resort with a BGP 
speaking tenant located at 360 Spear in the NAC on the first floor.


This would essentially serve as an OOB peer and a fall-back default 
route for our office (which is point to point into the NAC).


We would extend the same offer back to you.

Replies off-list please.

Thanks,
David Ulevitch



Re: it was damp in belleview

2007-06-23 Thread David Ulevitch


Randy Bush wrote:

i.e., it's time to turn it off.  you are damaging your customers and
others' customers.
  
There is a growing number of Tier 1 NSPs who do not dampen anymore (or 
at least they don't dampen their customers).


NTT is one of them.  Who are the others?

-David



Re: Interesting new dns failures

2007-05-24 Thread David Ulevitch


Douglas Otis wrote:


On May 22, 2007, at 2:16 PM, Gadi Evron wrote:

On Tue, 22 May 2007, David Ulevitch wrote:

These questions, and more (but I'm biased to DNS), can be solved at 
the edge for those who want them.  It's decentralized there.  It's 
done the right way there.  It's also doable in a safe and fail-open 
kind of way.


This is what I'm talking about.


Agreed.


Gadi,

What is the downside of a preview of zones being published by a 
TLD?  Previews could be on a 12 or 24 hour cycle.  This would enable 
defenses at the edge by disabling fast-flux outright.  There could be 
exceptions, of course.  When millions of domains are in rapid flux 
daily, few protective schemes are able to sustain or afford the 
dispersion of raw threat information.  In addition, these raw updates 
arrive too late at that.  A preview would not change how the core 
works, only how fast changes occur, while also dramatically reducing 
the amount of data required for comprehensive protections at the edge.


This would be a policy change at the core that enables defenses at the 
edge.
Lots of people already track newly added domains.  Rick Wesson runs a 
feed called Day old bread that is just such a feed.


Again, good idea, but doesn't belong in the core.  If I register a 
domain, it should be live immediately, not after some 5 day waiting 
period.  On the same token, if you want to track new domains and not 
accept any email from me until my domain is 5 days old, go for it.  Your 
prerogative.


-david




-Doug





Re: Interesting new dns failures

2007-05-22 Thread David Ulevitch


Gadi Evron wrote:

On Mon, 21 May 2007, Chris L. Morrow wrote:

ok, so 'today' you can't think of a reason (nor can I really easily) but
it's not clear that this may remain the case tomorrow. It's possible that
as a way to 'better loadshare' traffic akamai (just to make an example)
could start doing this as well.

So, I think that what we (security folks) want is probably not to
auto-squish domains in the TLD because of NS's moving about at some rate
other than 'normal' but to be able to ask for a quick takedown of said
domain, yes? I don't think we'll be able to reduce false positive rates
low enough to be acceptable with an 'auto-squish' method :(


Auto-squish on a registrar level is actually starting to work, but there
is a long way yet..

As to NS fastflux, I think you are right. But it may also be an issue of
policy. Is there a reason today to allow any domain to change NSs
constantly?


Why are people trying to solve these problems in the core?

These issues need to and must be solved at the edge.  In this case the 
edge can be on customer networks, customer resolvers, or at the 
registrar.  It's dangerous to fix problems at the core where visibility 
is limited and data is moving quickly.


These issues should not be solved by the registry operators or root 
server operators, that's very dangerous.


There are, of course, exceptions where it's helpful when a registry 
operator steps in to help mitigate a serious Internet disturbance, but 
that's the exception and should not be the rule.


People are suggesting it become the rule because nobody is trying 
anything else.


-David Ulevitch




Re: Interesting new dns failures

2007-05-22 Thread David Ulevitch


Gadi Evron wrote:

People are suggesting it become the rule because nobody is trying 
anything else.


I was with you up to this sentence. Obviously avoiding the core is key,
but should we not have the capability of preventing abuse in the core
rather than mitigating it there? Allowing NS changes with no other
verification or limitation is silly imo, but I am unsure if it is
relevant as a solution?
And who is nobody and why doesn't he try something else? That is a bit
insulting to nobody. :)

Putting that aside, what do you think nobody should try at
the edge?


People should try putting the intelligence that we have into software 
and hardware.  Why can't we put Gadi into an edge device?


I say this tongue-in-cheek, but am a bit serious.  You (Gadi) are very 
good at looking at interesting trends and more than saying it's a 
problem, you are able to come up with a report like the botnet rat-out 
reports.  We know who the CC's are.  We know who the compromised drones 
are.  We know all of this.  Today.


But very few people (okay, not nobody) are saying, Hey, why should I 
allow that compromised windows box that has never sent me an MX request 
before all of the sudden be able to request 10,000 MX records across my 
resolvers?  Why am I resolving a domain name that was just added into 
the DNS an hour ago but has already changed NS servers 50 times?


These questions, and more (but I'm biased to DNS), can be solved at the 
edge for those who want them.  It's decentralized there.  It's done the 
right way there.  It's also doable in a safe and fail-open kind of way.


This is what I'm talking about.



After all, nobody's security being affected by the edge of some end-user
machine on the other side of the world is irrelevant to my edge
security. FUSSP.

DNS abuse is mostly not an edge issue.


I disagree. DNS is the enabler for many many issues which are edge 
issues.  (Botnets, spam, etc)


-David Ulevitch




Gadi.


-David Ulevitch
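One way to put the first of the two edge-side questions in the post above into software: a resolver-log check that flags a client which has never asked for MX records and then asks for many in a short window, while leaving an established mail relay alone. This is an added example, not code from the original post or from any product; the log line format, the addresses and the names are constructed for the example.

```python
"""Edge-side detection of the MX-query pattern described in the post above:
a resolver client that has never asked for MX records suddenly asks for a
large number of them.  Added example, not code from the original post; the
log line format and all addresses/names are constructed for the example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed resolver query-log format:
#   "<iso-time> client=<ip> qname=<name> qtype=<type>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+) qtype=(?P<qtype>\S+)$")


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """Parse one constructed log line; None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["client"],
            m["qname"].rstrip(".").lower(), m["qtype"].upper())


def find_mx_bursts(lines, window=timedelta(seconds=60), threshold=20,
                   baseline=timedelta(hours=24)):
    """Return (client, time, distinct_names) for each client that issues MX
    queries for >= `threshold` distinct names within `window` while having
    sent no MX query at all in the preceding `baseline` period.  A mail relay
    that queries MX all day long therefore never trips this check; only a host
    with no MX history does."""
    recent = defaultdict(deque)   # client -> (ts, qname) MX queries inside the window
    prior_mx = {}                 # client -> most recent MX query that left the window
    flagged = set()
    alerts = []
    records = sorted(filter(None, map(parse_line, lines)), key=lambda r: r[0])
    for ts, client, qname, qtype in records:
        if qtype != "MX":
            continue
        q = recent[client]
        while q and ts - q[0][0] > window:        # age out the sliding window
            prior_mx[client] = q.popleft()[0]     # ...remembering it as MX history
        q.append((ts, qname))
        last = prior_mx.get(client)
        new_to_mx = last is None or ts - last > baseline
        distinct = len({n for _, n in q})
        if new_to_mx and distinct >= threshold and client not in flagged:
            flagged.add(client)
            alerts.append((client, ts.isoformat(), distinct))
    return alerts


def sample_log() -> List[str]:
    """Constructed log: a mail relay (10.0.0.25) with an hourly MX baseline and
    a desktop (10.0.5.77) that has never done MX; both then burst 30 MX lookups
    for distinct names inside ten seconds."""
    base = datetime(2007, 5, 22, 0, 0, 0)
    lines = []
    for h in range(48):
        ts = base + timedelta(hours=h)
        lines.append(f"{ts.isoformat()} client=10.0.0.25 qname=relay{h}.example.net qtype=MX")
    burst = base + timedelta(hours=48, minutes=5)
    lines.append(f"{burst.isoformat()} client=10.0.5.77 qname=www.example.com qtype=A")
    for i in range(30):
        ts = burst + timedelta(seconds=i // 3)
        for client in ("10.0.0.25", "10.0.5.77"):
            lines.append(f"{ts.isoformat()} client={client} qname=bulk{i}.example.org qtype=MX")
    return lines


if __name__ == "__main__":
    for client, when, n in find_mx_bursts(sample_log()):
        print(f"ALERT {when} {client}: {n} distinct MX names in 60s, no prior MX history")
```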








Re: Interesting new dns failures

2007-05-22 Thread David Ulevitch


Fergie wrote:


David,

As you (and some others) may be aware, that's an approach that we
(Trend Micro) took a while back, but we got a lot (that's an
understatement) of push-back from service providers, specifically,
because they're not very inclined to change out their infrastructure
(in this case, their recursive DNS) for something that could identify
these types of behaviors.


Was that the real reason?

Here's a crazy question... Did it by chance cost money? :-)

I'm not saying it should have been free just that the hesitation to roll 
it out *might* have been for factors besides the fact that it mitigated 
DNS based botnets.


How do operators decide the expense is worth it to mitigate spew coming 
out of their network?  When their outbound DoS traffic exceeds their 
inbound transit ratios? :-)


-David




And actually, in the case you mentioned above -- to identify
this exact specific behavior.





Re: Interesting new dns failures

2007-05-22 Thread David Ulevitch


Roger Marquis wrote:


Simply
saying it is dangerous is indistinguishable from any other verisign
astroturfing.


It's not everyday that you get accused of astroturfing for Verisign.

I'm printing this, framing it, putting it on my wall, and leaving this 
thread.


Thanks!

-David


Re: qwest backbone

2007-05-21 Thread David Ulevitch


Philip Lavine wrote:

Any issues on the qwest backbone


Something fun up in SEA.

We see 701 down and 2914 down in the westin building as of about 10-15 
minutes ago.


-david







   




Re: qwest backbone

2007-05-21 Thread David Ulevitch


David Ulevitch wrote:


Philip Lavine wrote:

Any issues on the qwest backbone


Something fun up in SEA.

We see 701 down and 2914 down in the westin building as of about 10-15 
minutes ago.


Nevermind, 2914 and 701 were fine.  It was qworst causing fun churn.

Thanks to 2914 for emailing me in like 5 seconds after this though to 
see if I needed anything... :-)


-David


Re: On-going Internet Emergency and Domain Names

2007-04-04 Thread David Ulevitch


Paul Vixie wrote:

...
Back to reality and 2007:
In this case, we speak of a problem with DNS, not sendmail, and not bind.

As to blacklisting, it's not my favorite solution but rather a limited
alternative I also saw you mention on occasion. What alternatives do you
offer which we can use today?


on any given day, there's always something broken somewhere.

in dns, there's always something broken everywhere.

since malware isn't breaking dns, and since dns not a vector per se, the
idea of changing dns in any way to try to control malware strikes me as
a way to get dns to be broken in more places more often.


I'd say it's a way to get DNS to be more inconsistent and it's likely to 
happen.  Broken is both in the eye of the beholder and in the eye of the 
end-user.



but, isp's responsible for large broadband populations could do this in their
recursion farms


That's right. And it will perpetuate the arms race of whitehats vs. 
blackhats.  But that's no reason not to add intelligence into the DNS -- 
either in-band or out-of-band.  Most of us already do some level of DNS 
intelligence out-of-band (passive dns, uribls, etc) and the power of 
doing it in-band is a logical next step.



fundamentally, this isn't a dns technical problem, and using dns technology
to solve it will either not work or set a dangerous precedent.  and since
the data is authentic, some day, dnssec will make this kind of poison
impossible.


Unfortunately, that day, if it ever comes, will come after bot herders 
stop using DNS to manage their botnets because other mitigation 
strategies will have already forced them to move on.


-David


Paging ATT.com DNS master

2007-02-15 Thread David Ulevitch


You broke the zone for ATT.com.

That's probably not good.

-david


$ dig @ns3.attdns.com att.com

; <<>> DiG 9.2.2 <<>> @ns3.attdns.com att.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 940
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;att.com.   IN  A

;; Query time: 75 msec
;; SERVER: 144.160.20.47#53(ns3.attdns.com)
;; WHEN: Thu Feb 15 08:54:58 2007
;; MSG SIZE  rcvd: 25


Re: what the heck do i do now?

2007-01-31 Thread David Ulevitch


Paul Vixie wrote:

bear with me, this appears to be about DNS but it's actually about e-mail.

maps.vix.com has been gone since 1999 or so.  mail-abuse.org is the new thing.
i've tried just about everything to get traffic toward the old domain name to
stop... right now there's a DNAME but it made no real difference.  

Paul,

Not offering a solution but a bit of an explanation perhaps...

From: http://cr.yp.to/ucspi-tcp/rblsmtpd.html
If you do not supply any -r options, rblsmtpd tries an RBL source of 
rbl.maps.vix.com. This will be changed in subsequent versions.


So checking the last released version:
/ucspi-tcp-0.88# grep -hn maps.vix.com rblsmtpd.c
193:  if (flagwantdefaultrbl) rbl("rbl.maps.vix.com");

Looks like that could be a cause of some of your pain...
Not everyone runs rblsmtpd on their mailserver, but I know lots of large 
mail servers that run rblsmtpd (qmail).


The fact that the option is the default without being explicit means 
that at least some folks don't even know maps.vix.com zones are no 
longer present and the current failure case is not impacting them.


-david ulevitch



Re: Google wants to be your Internet

2007-01-20 Thread David Ulevitch



Rodrick Brown wrote:


On 1/20/07, Mark Boolootian [EMAIL PROTECTED] wrote:



Cringley has a theory and it involves Google, video, and oversubscribed
backbones:

  http://www.pbs.org/cringely/pulpit/2007/pulpit_20070119_001510.html



The following comment has to be one of the most important comments in
the entire article and it's a bit disturbing.

Right now somewhat more than half of all Internet bandwidth is being
used for BitTorrent traffic, which is mainly video. Yet if you
surveyed your neighbors you'd find that few of them are BitTorrent
users. Less than 5 percent of all Internet users are presently
consuming more than 50 percent of all bandwidth.


Moreover, those of you who were at NANOG in June will remember some of 
the numbers Colin gave about Youtube using 20gbps outbound.


That number was still early in the exponential growth phase the site is 
(*still*) having.  The 20gbps number would likely seem laughable now.


-david




Re: Google wants to be your Internet

2007-01-20 Thread David Ulevitch


Alexander Harrowell wrote:
The Internet: the world's only industry that complains that people want 
its product.


The quote sounds good, but nobody in this thread is complaining.

There have always been top-talkers on networks and there always will be. 
 The current top-talkers are the joe and jane users of tomorrow.  That 
is what is important.  BitTorrent-like technology might start showing up 
in your media center, your access point, etc.  The Venice Project 
(Joost) and a number of other new startups are also built around this 
model of distribution.


Maybe a more symmetric load on the network (at least on the edge) will 
improve economic models or maybe we'll see eyeball networks start to 
peer with each other as they start sourcing more and more of the bits. 
Maybe that's already happening.


-david












Re: DNS Query Question

2007-01-18 Thread David Ulevitch


Dennis Dayman wrote:


I have a customer having some DNS issues. They have done some research
regarding some DNS timeout errors they saw with Verizon's sender verify
looking up their MX records. What they have discovered is their current 
DNS service has a 1% failure/timeout rate. They are exploring other 
vendors (UltraDNS for one), but need an estimate of the number of DNS 
queries for accurate pricing to put together a ROI argument for the

switch.

I have no IDEA if this can be determined, but what is a good estimate of
the number of DNS queries generated from sending an email? 


That's not a good tack to take to figure out the answer.

Just check the logs of your current DNS server and count 'em up.

UltraDNS isn't cheap.  But neither is downtime, I suppose.

-david


Re: EveryDNS.net down?

2006-12-01 Thread David Ulevitch


Thanks to netops at: nLayer, Cogent, HE for working tirelessly to help 
mitigate this.


No thanks to Level(3) despite the best intentions of one sec-ops person 
(Richard).


-david


Nate Carlson wrote:


On Fri, 1 Dec 2006, david raistrick wrote:
got off the phone with davidu just a second ago.  DoS.  they're 
working on it.


Yeah, that's the only thing I'd really expect to take them down.

Thanks much for the confirmation!


| nate carlson | [EMAIL PROTECTED] | http://www.natecarlson.com |
|   depriving some poor village of its idiot since 1981|





WorldNIC nameserver issues

2006-10-17 Thread David Ulevitch


We're seeing a number of issues with WorldNIC nameservers failing  
from multiple points on our network this morning and was wondering if  
anyone was seeing similar problems.


We're seeing issues with:
ns47.worldnic.com (domain: cpurocket.com)
ns48.worldnic.com (domain: cpurocket.com)
ns87.worldnic.com (domain: insightcollect.com)
ns88.worldnic.com (domain: insightcollect.com)

and many many more...

Anyone else seeing these failures?  WorldNIC does a lot of  
authoritative DNS


-david



Re: Verizon Looking Glass

2006-09-05 Thread David Ulevitch


On Sep 5, 2006, at 6:52 AM, Joe Abley wrote:


On 5-Sep-2006, at 09:31, Tim Donahue wrote:


Does anyone know if Verizon has a publicly accessible looking glass?
There is not one listed on bgp4.net nor could I find one searching
Google.


It might pay to specify exactly which AS number you're particularly  
interested in peeking into.


I'd be helped by having one in AS701 and AS702...

-david




Feedback on providers who offer communities that restrict route propagation

2006-09-05 Thread David Ulevitch


Hi,

I'm looking at a number of transit providers in Europe who offer  
communities that will limit the scope of an announcement by  
geographic region.  For example if you are AS1 you can tell upstream  
AS2 to propagate your announcements only to peers and neighbors  
within EU, but not those in the NA or AP regions.  This helps  
networks with unique routing policies. (If you're curious what these  
might be, just ping me offlist)  I'm looking for feedback from people  
who have done this before.  All advice, experiences (preferably with  
what upstream ASNs) is helpful.  Our concerns are basically that this  
puts a management and engineering aspect of our network into someone  
else's hands to not mess up.  I already know we deal with peers who  
leak routes, but my guess is that since this is a business  
relationship with the upstream network they are less likely to bork  
it up and hopefully manage it programmatically.  Wishful thinking or  
sound practice/service offered by high-quality carriers?


My questions are thus:
1) I'd like to find out how reliable it is/was (were your routes ever leaked)?
2) How effective it is/was (did it accomplish your goals)?
3) Advice you might have for someone who is considering doing this?  
Providers to shy away from?  Providers who are pretty good?


Thanks,
David Ulevitch


Re: comast email issues, who else has them?

2006-09-01 Thread David Ulevitch


On Sep 1, 2006, at 6:33 PM, Brandon Galbraith wrote:

I never understood why Gmail didn't put an X-Originating-From  
header in mail sent out by web users.


Seconded!  It may not be a requirement but the omission is certainly  
inconsistent with most web-based email services, particularly a  
popular one like Gmail.  A lot of abuse ends at a dead-end because  
trying to deal with security/abuse @ gmail is a losing cause.


-david



Re: Detecting parked domains

2006-08-03 Thread David Ulevitch



On Aug 2, 2006, at 2:03 PM, Sean Donelan wrote:

There seems to be DNSBL's for every other thing, I was expecting to  
find one for parked domain names or the server IP addresses used.


That's not hard.  It's the value of providing it I question.  It only  
encourages them to start putting syndicated content on them and then  
it starts to get more confusing as to what is BS and what is real,  
which wastes even more time.


For less legitimate domain parking (i.e. typo-squatters), it's a  
different problem.


Totally agreed, and one probably worth providing a solution to.

Sites like www.stationary.com bother me a lot less than  
www.craigslists.org
And http://www.myspaces.com ... Well, maybe that's no more disturbing  
than myspace. j/k


CNET held onto tv.com for a long long time before making it a site.   
They're still parking radio.com.  So some parked domains eventually  
get built out.


So while it'd be easy to have a list of parked domains encouraging  
blocking content-less sites[1] will just teach domain parkers how to  
use XML-RPC calls to syndicate content from flickr and other web2.0  
sites for google fodder, etc.  I'm not sure if that's yet another  
arms race worth starting.  Vixie's comments a few days back resonate  
pretty strongly in my mind.  Botnets, spammers and other miscreants  
already waste enough of my time.


Typo-squatting is a different beast indeed, one which annoys people  
endlessly.


-davidu

1: I know Sean didn't specifically say he wanted to block sites, I'm  
just picking the obvious use of such a feed, especially if it were  
made public.


Re: managing mycompany.{all iso TLD + icann TLD) ?

2006-07-24 Thread David Ulevitch



On Jul 24, 2006, at 6:18 AM, Jim Mercer wrote:

the company i'm working for has a growing list of domains for the company and its trademarks.

are there resellers out there that have agreements with _most_ TLD registries?

i realize that i won't likely find a single reseller for all the TLDs, but i'd like to switch from using 10 baskets to 2 or three.


There are companies that specialize in this:
http://www.markmonitor.com/
http://www.ironmountain.com/ipm/dns/

-david




Re: Sitefinder II, the sequel...

2006-07-12 Thread David Ulevitch


On Jul 12, 2006, at 12:30 AM, Simon Waters wrote:



On Tuesday 11 Jul 2006 20:22, Daniel Golding wrote:


I'm at a loss to explain why people are
trying so hard to condemn something like this.


Experience?


People have never created a platform to manage recursive DNS, so it's  
surprising you have experience here.  I don't think we've ever talked  
either, though I'd be happy to and learn more about what you think  
and how it compares to other things you've used.


Have you seen this: http://www.opendns.com/prefs/

People that make a comparison to Site Finder still are showing a  
substantive lack of clue, at this point it should be clear that such  
a comparison is inappropriate.  That said, I'm still working on  
messaging -- going from someone who talks about DNS to someone who  
talks about DNS and gets some press about it is new to me.  Cool, but  
new. ;-)


Best,
David Ulevitch


Re: Sitefinder II, the sequel...

2006-07-11 Thread David Ulevitch



On Jul 11, 2006, at 12:09 AM, Stephane Bortzmeyer wrote:



On Mon, Jul 10, 2006 at 11:19:51PM -0700,
 Steve Sobol [EMAIL PROTECTED] wrote
 a message of 16 lines which said:


There's a big difference, of course, between INTENTIONALLY pointing
your computers at DNS servers that do this kind of thing, and having
it done for you without your knowledge and/or consent.


As Steven Bellovin pointed out, most OpenDNS users will not choose it:
it will be choosen for them by their corporate IT department or by
their Internet access provider.


Our preference system is designed around CIDR and the most specific  
prefix will win a lookup, meaning a /32's settings are preferred over  
those of a /24.


A corporate network can have a policy changing that (aka, you are  
fired), but an ISP can't. The policies of IT departments and ISPs are  
not remotely comparable.  This is a deliberate design choice.


As usual, ymmv.

-david
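An added illustration of the most-specific-prefix lookup described in the message above. This is example code written for this page, not OpenDNS's implementation; the prefixes, preference names, defaults and the response classes are constructed assumptions, and it goes slightly beyond the post by handling IPv6 prefixes alongside IPv4:

```python
import ipaddress

# Default behaviour (constructed, following the FAQ excerpt quoted later in
# the thread: both features on unless a client has asked to disable them).
DEFAULT_PREFS = {"typo_correction": True, "phishing_protection": True}

# Constructed preference table keyed by CIDR prefix. The /32 inside the /24
# is the "one host opted out of its network's policy" case the post describes.
POLICY_ENTRIES = {
    "192.0.2.0/24": {"typo_correction": True, "phishing_protection": True},
    "192.0.2.10/32": {"typo_correction": False, "phishing_protection": True},
    "2001:db8::/32": {"typo_correction": False, "phishing_protection": False},
}


def build_policy_table(entries):
    """Parse the prefixes once and order them longest-prefix first, so the
    first match during lookup is automatically the most specific one."""
    table = [(ipaddress.ip_network(cidr, strict=True), dict(prefs))
             for cidr, prefs in entries.items()]
    table.sort(key=lambda item: item[0].prefixlen, reverse=True)
    return table


def lookup_prefs(table, client_ip):
    """Return the preferences of the most specific prefix covering client_ip,
    or the defaults when no configured prefix matches."""
    addr = ipaddress.ip_address(client_ip)
    for net, prefs in table:
        # Version check keeps a v4 /32 from being compared against v6 space.
        if addr.version == net.version and addr in net:
            return dict(prefs)
    return dict(DEFAULT_PREFS)


def answer_kind(table, client_ip, name_exists):
    """Decide the response class for a query from client_ip (constructed
    labels): an existing name is answered normally; a nonexistent name gets a
    plain NXDOMAIN when the client opted out of typo correction, otherwise
    the resolver's substitute answer that the thread is arguing about."""
    if name_exists:
        return "ANSWER"
    prefs = lookup_prefs(table, client_ip)
    return "TYPO_CORRECTION" if prefs["typo_correction"] else "NXDOMAIN"


TABLE = build_policy_table(POLICY_ENTRIES)

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.11", "198.51.100.7", "2001:db8::1"):
        print(ip, lookup_prefs(TABLE, ip), answer_kind(TABLE, ip, False))
```

The policy key is the source address the resolver sees, so every user behind one NAT address shares a single /32 entry, and an ISP that points its customers at the service sets the policy for the whole prefix unless a narrower entry overrides it; that is exactly the /32-beats-/24 ordering the post relies on.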



Re: Sitefinder II, the sequel...

2006-07-10 Thread David Ulevitch



On Jul 10, 2006, at 6:44 AM, Gerry Boudreaux wrote:


For those who have not yet seen this:
http://www.opendns.com/
They will 'correct' your spelling mistakes for you.


I'm happy to answer any and all questions off-list but I want to  
point out one aspect that hasn't quite been messaged correctly. A big  
point being missed is the addition of "if you want".


We have written this as a recursive dns service that can do different  
things to different IPs.  You quote from our FAQ but you leave out  
the clueful parts of the FAQ so this is one that's important:



How do I turn off phishing protection or typo correction?

If you want to use OpenDNS but do not want phishing protection and/or  
typo correction, you may ask us to disable that protection for you.
Currently, setting these preferences requires an OpenDNS team  
member. In the future, you may manage this preference yourself, if  
registered. Registration will be free, and not required to use the  
service. This preference will be offered first for members with a  
static IP address, and then for those with dynamic IP addresses.


So if you want standard NXDOMAIN, that's fine.  Happy to do it.   
Different strokes for different folks.  That's the whole idea.


We're not new at this, or looking to make a quick buck by annoying  
you with ads.  I recommend giving it a try and letting me know your  
thoughts.  The idea of both building an intelligent recursive dns  
server and a recursive DNS service are both a long time in the making  
and make a lot of sense.  Perhaps we can work on our messaging to  
more technical audiences. :-)


Best,
David Ulevitch





From their FAQ:
--
Why is OpenDNS smarter?

We fix typos in the URLs you enter whenever we can. For example, if  
you're using OpenDNS craigslist.og will lead directly to  
craigslist.org. If we're not sure what to do with an error, we  
provide search results for you to choose from.


How does OpenDNS make money?

OpenDNS makes money by offering clearly labeled advertisements  
alongside search results on error pages. OpenDNS will provide  
additional services on top of its enhanced DNS service.

---








Re: Black Frog - the botnets keep coming

2006-05-25 Thread David Ulevitch


On May 25, 2006, at 5:37 AM, Niels Bakker wrote:



* [EMAIL PROTECTED] (Gadi Evron) [Thu 25 May 2006, 12:38 CEST]:

Sometimes being quiet is not going to win the war.


It would behoove you, however, to not cry wolf so often


Maybe it would behoove network operators to not encourage kids to  
build distributed botnet systems[1] in the name of vigilante justice:

http://www.legrice.net/Okopipi/OkopipiNetworkFlow.jpg
http://www.legrice.net/Okopipi/OkopipiBasicSystemOverview.jpg

Blue Security shouldn't be glorified for what they did; they should  
be nailed for DoS'ing SixApart.


-david

1: Granted, based on those pictures, we might not have a lot to worry  
about... ;)


Re: MEDIA: ICANN rejects .xxx domain

2006-05-12 Thread David Ulevitch



On May 11, 2006, at 11:28 PM, Martin Hannigan wrote:



I'm having an offline discussion with a list member and I'll ask, why does it matter if you have a domain name if a directory can hold everything you need to know about them via key words and ip-addrs, NAT's and all?


It's all about authority, literally and figuratively.

Google might be a good search engine, but I don't control google like  
I control my zones.


Being that google is evil now, I don't think I want to give them  
authority for my zones. ;)


-David



Re: New depths in phishing

2006-03-24 Thread David Ulevitch


On Mar 24, 2006, at 8:12 AM, Lucy E. Lynch wrote:


On Fri, 24 Mar 2006, David Ulevitch wrote:




On Mar 24, 2006, at 6:50 AM, Lucy E. Lynch wrote:


edu skimming - try http://umich.edu.com/


While it's kinda lame it is far from a phishing site.  They even  
say on the submit form: "Yes! I'd like additional information from  
College.us.com and its marketing partners."  Chances are that you  
will actually get something from UMich (along with a bunch of  
other junk too no doubt).


Phishing is bad enough as it is, let's not broaden its definition  
to include all things we find uncool.


actually, this is cross posted from the UNISOG list, and the schools
in question have no connection with this and get no referrals from  
collected data.


Your admissions office is misleading you or you just haven't asked  
them or they don't care to answer you.  They pull leads from many  
sources including the College Board and numerous others.  Many of  
those sources aggregate their data from places like this and flyers  
in high schools, reps and all kinds of junk.  If you are really  
concerned, tell your school CSO to talk to Admissions and get some  
details.  I think Admissions and Alumni Relations workers probably  
compete with each other over who can annoy more people. :-)


Universities are often huge organizations and do all kinds of great  
and sometimes some not so great things.  Don't be surprised.  But now  
we're getting off-topic.


Best,
David Ulevitch


Re: dnsstealer.com

2006-03-13 Thread David Ulevitch



On Mar 13, 2006, at 8:16 PM, Martin Hannigan wrote:


Better yet, why don't the registrars police themselves?


Many do.  They just don't police each other.

-david


Re: Word file

2006-01-30 Thread David Ulevitch



On Jan 30, 2006, at 10:25 PM, davidu wrote:


WARNING: WinProxy has detected a virus in file
attached to this e-mail message!


I'm a mac/unix guy -- I promise.  :-)

That email did not come from me, but this one did.

-david



Re: IP Addresses from a different region

2006-01-19 Thread David Ulevitch


On Jan 19, 2006, at 8:08 AM, [EMAIL PROTECTED] wrote:


On Thu, 19 Jan 2006 15:11:18 GMT, Sam Stickland said:
I can't of course start naming our clients. I could harp on about how they are a multinational, running legitimate operations and blah blah blah.. But you'd only have my word for it. So you'll just have to take my word for the fact that we run an operation that comes down hard on nefarious activities. Sorry.


Well, Sam's organization, if it was black hat, *could* just have hijacked the space and announced it anyhow.  The fact he asked on NANOG means either:

1) He's on the level.
2) He's a really stupid black hat.
3) He's a really clever black hat applying misdirection of some sort. ;)


[ The fact that my message was offlist aside... ]

I don't doubt Sam at all but even the best of organizations or the  
best of tech clue and the worst of sales clue can bring nefarious  
users into an otherwise whitehat colo/isp/whatever.


Also, from a research standpoint I'm curious as to why this  
organization thinks they need ARIN IP space to do what they do.  Most  
of us know that's probably not true.  I keep pretty close tabs on  
ongoing research in network location based services, dns mapping,  
online advertising, etc.  I just smell BS or something really new and  
unique and am curious in either case.


There is some good research going on in this space though (location  
based determinations):

http://www.coralcdn.org/oasis/ (presenting at CodeCon)
http://www.cs.cornell.edu/People/egs/Meridian/
just to name a couple...

-davidu



Re: is this like a peering war somehow?

2006-01-19 Thread David Ulevitch



On Jan 19, 2006, at 3:44 PM, Paul Vixie wrote:



proving once again that peering ratios only matter if the other guy's customers can live without your asymmetric content.


I'm sure the hardware vendors don't mind the prospect of wide-scale  
cycle-intensive QoS being deployed on large networks.


-david



Re: westin, the serial

2005-11-18 Thread David Ulevitch



On Nov 18, 2005, at 10:11 AM, Niels Bakker wrote:



Dear Randy:

* [EMAIL PROTECTED] (Randy Bush) [Fri 18 Nov 2005, 18:40 CET]:
anyone at seattle westin have something that talks serial so i can  
deal with a freaked 2511 oob through its console?


Don't you agree that this would be more appropriate on cisco-nsp@ ?


The Westin building being in Seattle, USA, North America is the  
relevant piece of info for Randy's request.


Not that it's a freaked 2511.

-david







Re: Calling all NANOG'ers - idea for national hardware price quote registry

2005-09-16 Thread David Ulevitch



On Sep 16, 2005, at 2:48 PM, Matt Bazan wrote:

Actually, not the case.  CDW and Dell (and all the others) only publish their prices for the low end gear that they sell.  Anything else requires a call to a rep and establishing a relationship.


This is not true, particularly with places like CDW or Insight, etc.   
I don't buy enough from Dell but I imagine it's the same.


There are usually three prices:
1) The price on the website, if listed at all.
2) The price on the website after logging in and getting your  
special pricing based on what company/login/who you know/etc.
3) The price you get by calling your sales rep and demanding  
better/volume/blackmail pricing.


Anyways, this whole idea strikes me as a bad one for all the reasons  
others have mentioned but particularly because just knowing the price  
someone else has doesn't mean that you will get the price, in fact,  
you might find yourself on the receiving end of "have a nice day"  
dealing with vendor Z -- particularly if they already know you are  
set on using them as your vendor and you'll come back to them  
begging.  It's a game of poker; bluff all you want but then be  
comfortable walking away without making a deal.


-david


Re: Computer systems blamed for feeble hurricane response?

2005-09-13 Thread David Ulevitch



On Sep 13, 2005, at 1:13 PM, Fergie (Paul Ferguson) wrote:



Attempts by agencies to spur the Federal Emergency Management  
Agency into urgent action were met with bouncing emails, the  
Journal said.


http://www.fema.gov/staff/extended.jsp

Lists an IT Services Division that has ~250 possible points of  
contact.


Surely one of them has some clue... :-/  I think this sort of problem  
shows the endemic disease currently in place at FEMA.  It's not just  
an IT gaffe or firewall mistake.  It's a failure much more serious,  
sadly.


-David



Re: Computer systems blamed for feeble hurricane response?

2005-09-13 Thread David Ulevitch



On Sep 13, 2005, at 11:13 AM, Hannigan, Martin wrote:


ObOp: Email is NOT a reliable form of communication.


^^^ unrelated and I disagree...


  DHS shouldn't start to think so either. NANOG
  shouldn't worry about if someones email is working
  as a byproduct, but sure worry if the store and forward
  function of an ISP is.


   ^^^ There exist networks and operators who do not run ISPs.   
People often forget.



  Perhaps there are reasons some corporate or volunteer
  mail service is not working i.e. blocked, disallowed on port,
  etc.


   ^^^ I'm sure there is a reason.  My first guess is that it's  
broken.  My second is that it was never intended to be a domain used  
for email and the website techs never got the memo.



ObNotOp:

Anyone who needs to contact FEMA, already knows how. If they
are using a web page address, they probably shouldn't be contacting
FEMA directly, but working through their own government hierarchy.


In dealing with incidents it is possible to cover many areas of  
failure.  There are many cases where the chain of command, the  
hierarchy process and many other elements fail.  In those times,  
sometimes getting to a website and finding a contact address serves as  
a real means of communication and should be regarded as such.   
History proves the point that out of band comms and other forms of  
handling are often used during an emergency that were not expected.


Right now if I go to http://www.fema.gov and click on "How to get  
help" and then "Contact us" I get a 404 forbidden.  That's a  
failure.  It's narrow-sighted to underestimate the importance of  
things like FEMA's website in dealing with national disaster and  
incident response.


-david


Re: What happened to root-server serial number?

2005-09-02 Thread David Ulevitch



On Sep 2, 2005, at 5:27 PM, Roy Badami wrote:




Is the named.root file on ftp.internic.net defunct now then? Because
it is dated 2004 and contains no  records...


Nope.  Not defunct.

Apples: http://www.internic.net/zones/named.root
and
Oranges: http://www.internic.net/zones/root.zone

-david









Re: drone armies CC report - July/2005

2005-08-15 Thread David Ulevitch


On Aug 15, 2005, at 9:39 PM, Hannigan, Martin wrote:


the summaries are primarily useful for CC's that are still alive a month later even though plenty of notices have been sent to the relevant NOC's.  in other words it's sort of like defcon's wall of sheep.  i like the approach.



Wall of sheep certainly is humorous, but IL CERT using this
data as a shaming mechanism is, well, a shame.


Why you associate IL CERT with this is confusing to others.  I am  
confident that you know there is little or no connection.  We all  
have employers.  You, me and Gadi included. ;-)


Many of us choose to work to make the Internet a better place or at  
least make it as safe as it were before we signed on.  I don't like  
having to worry about my mom being phished or my sisters' laptop  
taking part in a global botnet.  If this kind of work falls within  
the guidelines of our employment; great.  If not; that's why there  
are groups like this.  For purely operational activities there are  
lists and fora to foster that.  This is different.  This is about  
turning the tide and not simply reacting and mitigating after the  
fact.  I certainly don't speak for Gadi or the group so I'll stop there.



Once the NOC engages in an exercise of futility based on that
list, it will never be read again and the effort ends up being
more futile, which is another shame. It's a good project,
but it got ripe before it was ready, IMO.


There was nothing actionable in the list posted.  Any NOC that  
engages in anything besides a request to be notified in the future  
would be confounding.


Thanks,
David


Re: Internet vulnerabilities

2002-07-04 Thread David Ulevitch



quote who=Jason Lewis
 What if someone actually had the skills to disrupt BGP on a widescale?

I think the media talk about taking down the Internet are kind of bogus.

Nobody has ever died because they couldn't check their email.

If the net went down for an hour, a day, or even a week I think that my
mom and the rest of the non glued-to-their-terminal world would somehow
struggle through and sustain a normal daily routine.

-davidu [who probably would not survive a week long net outage ;) ]

-- 
Never doubt that a small group of thoughtful citizens can change the
world. Indeed, it is the only thing that ever has. --Margaret Mead





Re: Adeklphia update

2002-06-18 Thread David Ulevitch



quote who=Martin Hannigan

 On Tue, 18 Jun 2002, blitz wrote:

 Adelphia announced price increases today 90 cents a month for
 cable TV, bringing the package to about $39. a month in Buffalo, and
 $41. outside. Also they increased the powerlink cablemodem $2.00 a
 month. (this is the second increase this year)

 Gee, someone finally figured out they can't offer it at a loss...

For the second time this year no less! ;-)

-davidu

-- 
Never doubt that a small group of thoughtful citizens can change the
world. Indeed, it is the only thing that ever has. --Margaret Mead





Re: proposed government regulation of .za namespace

2002-05-26 Thread David Ulevitch


bert hubert said:

[SNIP]

 I argued about this with them *at length* and they kept inventing more
 reasons why I was breaking RFC compliance. They even told me they
 couldn't accept my nameservers as these would 'waste bandwidth' which
 was 'terribly expensive' in South Africa. It probably is, but that has
 nothing to do with my nameservers and their reverse delegation!

 In the end sanity more or less broke out and one of them stated that
 they were very busy with legislation c and unable to change a script
 that was only causing problems for me and for nobody else.

You are not the only one,

We also have had many problems with them regarding this issue and were
essentially stonewalled.  Any of our users in the .co.za namespace are
unable to use ns3 or ns4 of our nameservers.  It's a shame especially
because it seems to be such a worthless requirement.  (Then again there
are some registrars which require AXFR access from you)
-davidu

---
Never doubt that a small group of thoughtful citizens can change the
world. Indeed, it is the only thing that ever has. --Margaret Mead






Re: NANOG on Trial

2002-04-08 Thread David Ulevitch


Hello Conrad,

Monday, April 8, 2002, 2:55:01 PM, you wrote:

 NickCatal naa.. my job in the new company is to make ideas and provide a
 public face to the company.. a 14 year old selling enterprise hosting
 looks good on Leno

CAR Come on now, he's one of those 14 year old wonder kids that will change
CAR the way we think of the Internet, go Generation Y

It's generation K-12:
http://latency.net/~asr/wcom.jpg

but to make this more OT, here are my woes of the moment:
http://nts.wustl.edu/~mrtg/brook0.20.html

Thanks,
 David    mailto:[EMAIL PROTECTED]





Contact at dellhost.com

2002-03-29 Thread David Ulevitch


Hello nanog,

  I'm sorry to have to resort to NANOG-L for this but I desperately
  need to speak with a head sysadmin from dellhost.com

  puck.nether.net shows nothing for dell.com or dellhost.com
  Network Solutions contact info just goes into voice mail hell for
  which there has been no response for over three weeks.

  Email is unanswered.

  I just need a warm bodied person to contact to resolve some DNS
  issues they are having. (dnsadmin@ and dnstech@ all go unanswered)
 
Thanks,
 David Ulevitch        mailto:[EMAIL PROTECTED]
 Founder, EveryDNS.net    http://www.everydns.net