Re: Interesting new dns failures
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -- Kradorex Xeron <[EMAIL PROTECTED]> wrote:

>On Thursday 24 May 2007 03:13, Suresh Ramasubramanian wrote:
>
>> Some of them do. Others don't know (several in Asia) or are aware and
>> don't care - there's some in Russia, some stateside that mostly kite
>> domains but don't mind registering a ton of blog and email spammer
>> domains.
>
>Very true - If this is going to work, it's going to have to be on a global
>scale, not just one country of registrars can be made to correct the problem
>as people who maliciously register domains will just do what the spyware
>companies do, go to a country that doesn't care and do business there.
>

Well, registrars have to be accredited by ICANN, right?

This is a policy enforcement issue, methinks.

- - ferg

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.1 (Build 1012)

wj8DBQFGVcnBq1pz9mNUZTMRAscKAKCo2depssyh0WYbLwsDa3f31ZaJVgCg6Cvn
/jgr0q8uHu2cQFT6fsATr04=
=oZYe
-----END PGP SIGNATURE-----

--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/
Re: Interesting new dns failures
-- "Chris L. Morrow" <[EMAIL PROTECTED]> wrote:

>Sure work on an expedited removal process inside a real procedure from
>ICANN down to the registry. Work on a metric and monetary system used to
>punish/disincent registries from allowing their systems to be abused. Work
>on a service/solution for the end-user/enterprise that allows them to take
>action based on solid intelligence in a timely fashion with tracking on
>the bits of that intelligence.
>
>three options, go play :)
>

Good dialogue.

For what it's worth, I never advocated pushing "mechanisms" into the DNS core to deal with this issue -- in fact, I agree with you: It's an issue that can be dealt with locally in recursive DNS, and it also needs to be dealt with in the policies that exist.

One technical, one non-technical. Even up. :-)

-- ferg
Re: Interesting new dns failures
-- David Ulevitch <[EMAIL PROTECTED]> wrote:

>But very few people (okay, not nobody) are saying, "Hey, why should I allow
>that compromised Windows box that has never sent me an MX request before all
>of the sudden be able to request 10,000 MX records across my resolvers?"
>"Why am I resolving a domain name that was just added into the DNS an hour
>ago but has already changed NS servers 50 times?"
>
>These questions, and more (but I'm biased to DNS), can be solved at the edge
>for those who want them. It's decentralized there. It's done the right way
>there. It's also doable in a safe and fail-open kind of way.
>

David,

As you (and some others) may be aware, that's an approach that we (Trend Micro) took a while back, but we got a lot (that's an understatement) of push-back from service providers, specifically, because they're not very inclined to change out their infrastructure (in this case, their recursive DNS) for something that could identify these types of behaviors.

And actually, in the case you mentioned above -- to identify this exact specific behavior.

-- ferg
Re: Interesting new dns failures
-- "Chris L. Morrow" <[EMAIL PROTECTED]> wrote:

>>
>> While I agree with you, there are many of us who know that these
>> fast-flux hosts are malicious due to malware & malicious traffic
>> analysis...
>
>Oh, so we switched from 'the domain is bad because..' to 'the hosts using
>the domain are bad because...' I wasn't assuming some piece of intel at
>the TLD that told the TLD that 'hostX that was just named NS for domain
>foo.bar is also compromised'. I was assuming a 'simple' system of
>'changing NS's X times in Y period == bad'. I admit that's a mite naive,
>but given the number, breadth, content, operators of lists of 'bad things'
>on the internet today I'm not sure I'd rely on them for a global decision
>making process, especially if I were a TLD operator potentially liable for
>removal of a domain used to process real business :(

Well, I don't think I ever implied that, but let's say that there are certainly some fast-flux behaviors (fluxing across multiple administratively managed prefix blocks, NS fast-flux) which should immediately raise a red flag.

Decisions based on those flags are policy issues -- whether or not someone decides to take action based only on that information or do further research is something that has to be determined by the person(s) who detect the behavior, etc.

Having said that, most people don't even realize that fast-flux exists...

-- ferg
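The two behaviours David Ulevitch describes above (a box with no MX history suddenly asking for thousands of MX records; a name that changes its NS set dozens of times within an hour) and Chris Morrow's "changing NS's X times in Y period == bad" heuristic are both sliding-window counts that a recursive resolver can keep locally, without anything at the TLD. Below is an added example of that logic; it is not code from the thread or from any product mentioned in it. The query log it runs over is constructed, and the log format, window sizes and thresholds are assumptions.

```python
"""Two resolver-edge heuristics from the thread, run over a constructed
query log: NS answers for a name that keep changing, and a client whose
first-ever MX queries arrive as a burst. Added example, not list code."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real resolver data). One observed answer per
# line: "<ISO timestamp> <client> <qname> <qtype> <rdata>".
SAMPLE_LOG = """\
2007-05-20T15:00:00 10.0.0.5  churn.example  NS ns1.flux-a.example
2007-05-20T15:02:00 10.0.0.5  churn.example  NS ns3.flux-b.example
2007-05-20T15:05:00 10.0.0.7  churn.example  NS ns9.flux-c.example
2007-05-20T15:07:00 10.0.0.5  churn.example  NS ns2.flux-d.example
2007-05-20T15:09:00 10.0.0.7  churn.example  NS ns4.flux-e.example
2007-05-20T15:01:00 10.0.0.9  steady.example NS ns1.steady.example
2007-05-20T15:30:00 10.0.0.9  steady.example NS ns2.steady.example
2007-05-20T15:10:00 10.0.0.42 a.example      MX mail.a.example
2007-05-20T15:10:01 10.0.0.42 b.example      MX mail.b.example
2007-05-20T15:10:02 10.0.0.42 c.example      MX mail.c.example
2007-05-20T15:10:03 10.0.0.42 d.example      MX mail.d.example
2007-05-20T15:10:04 10.0.0.42 e.example      MX mail.e.example
2007-05-20T15:12:00 10.0.0.9  a.example      MX mail.a.example
"""


def parse_log(text):
    """Parse log lines into (timestamp, client, qname, qtype, rdata), time-ordered."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype, rdata = line.split()
        records.append((datetime.fromisoformat(ts), client,
                        qname.lower(), qtype.upper(), rdata.lower()))
    records.sort(key=lambda r: r[0])
    return records


def ns_churn(records, window=timedelta(hours=1), max_changes=3):
    """Names whose NS answer changed at least max_changes times inside one
    sliding window: {qname: largest change count seen in a window}."""
    last_ns = {}
    change_times = defaultdict(deque)
    flagged = {}
    for ts, _client, qname, qtype, rdata in records:
        if qtype != "NS":
            continue
        prev = last_ns.get(qname)
        last_ns[qname] = rdata
        if prev is None or prev == rdata:
            continue  # first sighting, or the same answer again: not a change
        q = change_times[qname]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop changes that fell out of the window
        if len(q) >= max_changes:
            flagged[qname] = max(flagged.get(qname, 0), len(q))
    return flagged


def mx_burst(records, window=timedelta(minutes=5), threshold=5):
    """Clients whose first-ever MX queries arrive as a burst of at least
    threshold queries within window: {client: burst size}. A client that
    built up MX history earlier never meets the burst-from-nothing test."""
    first_mx = {}
    mx_times = defaultdict(deque)
    flagged = {}
    for ts, client, _qname, qtype, _rdata in records:
        if qtype != "MX":
            continue
        first_mx.setdefault(client, ts)
        q = mx_times[client]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        # q[0] is still the client's very first MX query only if nothing was
        # pruned, i.e. the whole burst sits inside its first window of MX use.
        if len(q) >= threshold and q[0] == first_mx[client]:
            flagged[client] = max(flagged.get(client, 0), len(q))
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("NS churn:", ns_churn(recs))
    print("MX bursts:", mx_burst(recs))
```

Both functions only flag; what to do with a flag (rate-limit, serve from cache, page someone) is the policy layer the thread keeps separate from the detection, and the "fail-open" property David mentions follows naturally when the resolver keeps answering while it counts.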
Re: Interesting new dns failures
-- "Chris L. Morrow" <[EMAIL PROTECTED]> wrote:

>So, I think that what we (security folks) want is probably not to
>auto-squish domains in the TLD because of NS's moving about at some rate
>other than 'normal' but to be able to ask for a quick takedown of said
>domain, yes? I don't think we'll be able to reduce false positive rates
>low enough to be acceptable with an 'auto-squish' method :(

Hi Chris,

While I agree with you, there are many of us who know that these fast-flux hosts are malicious due to malware & malicious traffic analysis...

I completely agree with you, however, on the issue of making assumptions that it will always be malicious -- of course, that will not always be the case. :-)

-- ferg
Re: Interesting new dns failures
-- Roger Marquis <[EMAIL PROTECTED]> wrote:

>Nobody's saying that the root servers are responsible, only that they
>are the point at which these domains would have to be squelched. In
>theory registrars could do this, but some would have a financial
>incentive not to. Also I don't believe registrars can update the roots
>quickly enough to be effective (correct me if I'm wrong).

Why not? The registrars seem to be doing a great job of expediting the activation of new domains -- why can't they de-activate them just as quickly when they find out they are being used for malicious purposes?

The "business interests" of the registrars, that's why.

This is one of the many ways that ICANN, and the registrars in general, are falling down on the job.

But I digress... I'll slink back under my rock now.

-- ferg
Re: Interesting new dns failures
-- Roger Marquis <[EMAIL PROTECTED]> wrote:

>An odd pattern of DNS failures began appearing in the logs yesterday:
>
>May 20 15:05:19 PDT named[345]: wrong ans. name (uzmores.com != ns5.uzmores.com)
>

Perhaps some fast-flux sticky cruft leftover from abuse?

I just looked at the first one on the list [above], and it's certainly tell-tale:

http://cert.uni-stuttgart.de/stats/dns-replication.php?query=ns5.uzmores.com&submit=Query

-- ferg
Re: Broadband routers and botnets - being proactive
-- "Suresh Ramasubramanian" <[EMAIL PROTECTED]> wrote:

>On 5/12/07, Albert Meyer <[EMAIL PROTECTED]> wrote:
>
>> I and numerous others (including some whom any reasonable NANOG-L poster
>> would respect and listen to) have asked you repeatedly to stop trolling
>> NANOG-L with this botnet crap. It is off-topic here. The last time you
>> pulled this (starting
>
>As frequent as Gadi is with his botnet posts, insecure and wide open
>CPE getting deployed across a large provider is definitely
>operational.

Suresh is right -- if you don't think CPE compromises are an operational problem, then I'm not sure what is. :-)

[changing gears]

I'll even go a step further, and say that if ISPs keep punting on the whole botnet issue, and continue to think of themselves as 'common carriers' in some sense -- and continue to disengage on the issue -- then you may eventually be forced to address those issues at some point in the not-so-distant future.

I understand the financial disincentives, etc., but if the problem continues to grow and fester, and consumer (and financial institution) losses grow larger, things may take a really ugly turn.

$.02,

-- ferg
Re: BGP Session Timeout
One could also presume that BFD should also be considered dangerous, if enabled.

-- ferg

-- Pascal Gloor <[EMAIL PROTECTED]> wrote:

> Is it likely that BGP times out before underlying IP topology
> reconverges after a link/node failure? Do service providers ever set
> such low values of BGP timeouts that BGP timeout will occur?
>
> If not, what else may cause a BGP session to time out?

Depending on your hardware, you can trigger your BGP and IGP to shut sessions when the peer is gone. On some Cisco, you can have BFD (Bidirectional Forwarding Detection). You have to enable this on both sides. If BFD notices the peer is down, it will notify OSPF, BGP, ... (if configured so).

For example:

  !
  interface GigabitEthernet0/0
   ip address 10.1.1.1 255.255.255.252
   bfd neighbor 10.1.1.2
   bfd interval 250 min_rx 250 multiplier 3
   ip ospf bfd
  !

This will send a BFD packet every 250ms, expect one every 250ms and if 3 packets are missed (after 750ms) it will tell OSPF to shut any session towards 10.1.1.2 (or routed via 10.1.1.2 for the BGP case).

Pascal
Re: Abuse procedures... Reality Checks
-- Chris Owen <[EMAIL PROTECTED]> wrote:

>On Apr 8, 2007, at 2:51 AM, Fergie wrote:
>
>> Again, a simple recursive WHOIS will show you sub-allocations if they
>> are properly SWIP'ed.
>
>Define "properly". The Cox addresses in my example are SWIPed. Are they
>"properly" SWIPed? How could you tell from whois?
>

What is/are the exact prefix(es) in question?

-- ferg
Re: Abuse procedures... Reality Checks
-- Chris Owen <[EMAIL PROTECTED]> wrote:

>On Apr 7, 2007, at 11:41 PM, Fergie wrote:
>
>> Please read what I wrote:
>>
>> "I would think that it's actually very easy to do when
>> sub-allocations are SWIP'ed."
>>
>> I cannot, and will not, presuppose that in cases when they are
>> not SWIP'ed that some kind of magic happens. :-)
>
>And how do you know the difference? The Cox IP address is SWIPed. It's
>even sub-allocated. The allocation is just a /19.
>

Again, a simple recursive WHOIS will show you sub-allocations if they are properly SWIP'ed.

Not a big deal, really.

-- ferg
Re: Abuse procedures... Reality Checks
-- Chris Owen <[EMAIL PROTECTED]> wrote:

>On Apr 7, 2007, at 11:00 PM, Fergie wrote:
>
>> I would think that it's actually very easy to do when
>> sub-allocations are SWIP'ed.
>
>Not that I'm really defending this policy, but sub-allocations are very
>often not SWIPed. I'd say 75% or more of the time I'm looking at a problem
>IP address it is part of a /19 or larger block with no sub-allocation.
>

Please read what I wrote:

"I would think that it's actually very easy to do when sub-allocations are SWIP'ed."

I cannot, and will not, presuppose that in cases when they are not SWIP'ed that some kind of magic happens. :-)

-- ferg
Re: Abuse procedures... Reality Checks
-- Stephen Satchell <[EMAIL PROTECTED]> wrote:

>It's *very* hard to do it with an automated system, as such automated
>look-ups are against the Terms of Service for every single RIR out there.
>

Exactly why is this hard to do?

I would think that it's actually very easy to do when sub-allocations are SWIP'ed.

-- ferg
Re: Abuse procedures... Reality Checks
-- "william(at)elan.net" <[EMAIL PROTECTED]> wrote:

>On Sat, 7 Apr 2007, Fergie wrote:
>
>> I would have to respectfully disagree with you. When network
>> operators do due diligence and SWIP their sub-allocations, they
>> (the sub-allocations) should be authoritative in regards to things
>> like RBLs.
>
>Yes. But the answer is that it also depends how many other cases like
>this exist from same operator. If they have 16 suballocations in /24
>but say 5 of them are spewing, I'd block /24 (or larger) ISP block.

Why? When you can block on more specific prefixes? This just doesn't make sense to me.

>The exact % of bad blocks (i.e. when to start blocking ISP) depends
>on your point of view and history with that ISP but most in fact do
>hold ISPs partially responsible.

Indeed -- your point of view. Which I would argue is unfair and not "due diligence".

-- ferg
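The recursive-WHOIS point made in this thread (a SWIP'ed sub-allocation shows up as its own, more specific record under the ISP's parent block, so an RBL can act on that /24 instead of the whole /19) and the "block on more specific prefixes" reply just above both come down to longest-prefix matching over the records WHOIS returns. The following is an added example of that match, not code from the thread. The WHOIS text is constructed to look like ARIN output, with invented organisations and RFC 1918 prefixes; it assumes records are separated by blank lines and that NetType values "Reassigned" and "Reallocated" mark SWIP'ed space.

```python
"""Walk constructed ARIN-style WHOIS records for an address, pick the most
specific one, and report whether it is a SWIP'ed reassignment. Added
example; the records, org names and prefixes are invented."""
import ipaddress
import re

# Constructed output: what a recursive WHOIS on an address inside a /19 that
# has one reassigned /24 might return. Field names follow ARIN's format; the
# networks are RFC 1918 space and the organisations are fictitious.
SAMPLE_WHOIS = """\
NetRange:       10.20.0.0 - 10.20.31.255
CIDR:           10.20.0.0/19
NetName:        EXAMPLE-ISP-BLK
NetHandle:      NET-10-20-0-0-1
Parent:         NET-10-0-0-0-0
NetType:        Direct Allocation
OrgName:        Example ISP

NetRange:       10.20.7.0 - 10.20.7.255
CIDR:           10.20.7.0/24
NetName:        EXAMPLE-CUSTOMER-A
NetHandle:      NET-10-20-7-0-1
Parent:         NET-10-20-0-0-1
NetType:        Reassigned
OrgName:        Customer A Hosting
"""

# NetType values that mean "this block was SWIP'ed to a downstream".
SWIP_TYPES = {"Reassigned", "Reallocated"}


def parse_whois(text):
    """Split WHOIS output into records: blank-line separated 'Key: value' blocks."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, sep, val = line.partition(":")
            if sep:
                rec[key.strip()] = val.strip()
        if rec:
            records.append(rec)
    return records


def networks_of(rec):
    """Networks a record covers: from CIDR if present, else summarised from NetRange."""
    if rec.get("CIDR"):
        return [ipaddress.ip_network(c.strip()) for c in rec["CIDR"].split(",")]
    lo, _, hi = rec["NetRange"].partition("-")
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(lo.strip()), ipaddress.ip_address(hi.strip())))


def most_specific(records, ip):
    """(network, record) with the longest prefix containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for rec in records:
        for net in networks_of(rec):
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, rec)
    return best


def block_target(records, ip):
    """What an RBL or ACL should act on for ip: (cidr, netname, swiped).
    swiped is True when the most specific record is a reassignment or
    reallocation, i.e. the sub-allocation was SWIP'ed and can be listed on
    its own instead of taking out the parent block with it."""
    hit = most_specific(records, ip)
    if hit is None:
        return None
    net, rec = hit
    return (str(net), rec.get("NetName", ""), rec.get("NetType") in SWIP_TYPES)


if __name__ == "__main__":
    recs = parse_whois(SAMPLE_WHOIS)
    for ip in ("10.20.7.9", "10.20.3.1", "192.0.2.1"):
        print(ip, "->", block_target(recs, ip))
```

When the most specific hit is the parent "Direct Allocation" itself, the function reports swiped=False: that is exactly the un-SWIP'ed case Chris Owen describes, where WHOIS offers nothing finer than the /19 and the listing decision falls back on policy rather than data.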
Re: Abuse procedures... Reality Checks
-- Rich Kulawiec <[EMAIL PROTECTED]> wrote:

>1. There's nothing "indiscriminate" about it.
>
>I often block /24's and larger because I'm holding the *network* operators
>responsible for what comes out of their operation. If they can't hold
>the outbound abuse down to a minimum, then I guess I'll have to make
>up for their negligence on my end. I don't care why it happens -- they
>should have thought through all this BEFORE plugging themselves in
>and planned accordingly. ("Never build something you can't control.")

I would have to respectfully disagree with you. When network operators do due diligence and SWIP their sub-allocations, they (the sub-allocations) should be authoritative in regards to things like RBLs.

$.02,

-- ferg
Re: summarising [was: Re: ICANNs role]
-- Douglas Otis <[EMAIL PROTECTED]> wrote:

>[...]Just because this information can be published within a few
>milliseconds, does not make doing so a good idea.[...]

Very well said.

-- ferg
Putting Some Circuit Breakers Into DNS to Protect The Net [Was: Re: summarising ...]
-- Joseph S D Yao <[EMAIL PROTECTED]> wrote:

>Again - DNS is the infrastructure for EVERYTHING. It facilitates
>EVERYTHING. If you threw it out and put something else in that was not
>as clunky as editing hosts.txt files 'scp'ed from DARPA daily, then THAT
>would be what was facilitating everything.

Interestingly enough, Karl Auerbach just posted this over on CircleID:

http://www.circleid.com/posts/circuit_breakers_dns_protect/

-- ferg

p.s. Comments might be more appropriate on CircleID. :-)
Re: ICANNs role [was: Re: On-going ...]
-- Gadi Evron <[EMAIL PROTECTED]> wrote:

>Thanks David, of course, as you know, this was not an attack on you. I
>appreciate you clarifying to me a bit more on what ICANN does, does not
>and is not supposed to do.
>
>I will contact you off-list for further consultation. Many thanks again
>for all your help!
>
>So, who *is* able to help affect change?

You are. I am. We all are:

http://icann.org/meetings/sanjuan/

Let your voice be heard. Let a thousand voices be heard.

-- ferg
Re: ICANNs role [was: Re: On-going ...]
[top-posting to maintain the entire context below]

I think Doug makes some good points here (with the exception of number 6)...

-- ferg

-- Douglas Otis <[EMAIL PROTECTED]> wrote:

On Apr 2, 2007, at 7:02 PM, Gadi Evron wrote:

> On Mon, 2 Apr 2007, David Conrad wrote:
>> On Apr 1, 2007, at 8:45 AM, Gadi Evron wrote:
>>
>> The one concrete suggestion I've seen is to induce a delay in zone
>> creation and publish a list of newly created names within the zone.
>> The problem with this is that it sort of assumes:
>
> What are your thoughts on basic suggestions such as:
> 1. Allowing registrars to terminate domains based on abuse, rather
> than just fake contact details.

This requires a separate agency tasked to respond to reports of crime. Registrars have a conflict of interest (they want to be profitable). Even answering the phone to deal with this type of problem costs more than a registration is worth. Hence, it is easier to establish domain tasting which essentially drops this entire problem into someone else's lap.

> 2. Following these incidents as they happen so that YOU, in charge,
> can make these suggestions?

Often enforcement policies begin with a complaint. But who is taking the role of enforcement?

> 3. For true emergencies threatening the survivability of the
> system, shouldn't we be able to black-list a domain in the core?

It would be nice if there were an agency that had a mechanism in place for routinely yanking domains that pose a public threat. Who would you trust in that role? Unfortunately, the US has lost their credibility as loudly echoed on this list.

> 4. Black lists for providers are not perfect, but perhaps they
> could help protect users significantly?

Black-hole or block-lists are where protection can be introduced; political push back will thwart centralized enforcement. To support this mode of operation, a preview mode of operation would be highly beneficial. Currently bad actors will keep such efforts in a futile feckless reactive mode.

> 5. Enforcing that registrars act in say, not a whitehat fashion,
> but a not blackhat fashion?

Of course a bad registrar might warrant greater scrutiny. At what point would all their customers need to find a different registrar?

> 6. Yours here?

Perhaps only banks should be allowed to act as registrars? At least they know how to check physical IDs.

-Doug
Re: On-going Internet Emergency and Domain Names
-- Patrick Giagnocavo <[EMAIL PROTECTED]> wrote:

>On Apr 2, 2007, at 10:27 PM, Douglas Otis wrote:
>
>> The suggestion was to preview the addition of domains 24 hours in
>> advance of being published. This can identify look-alike and cousin
>> domain exploits, and establish a watch list when necessary. A preview
>> provides valuable information for tracking bad actors and for setting
>> up more effective defenses as well.
>>
>
>And just how many humans would this require?
>
>Or are you going to write a 12-kilobyte regex in Perl to do the work for you?
>
>Do you know how many trademarks and words that represent companies there
>are in existence?
>
>What about local lingo that might be misleading--like if you weren't
>familiar with college sports and thus "officialNittanyLions.com"
>(contrived example) didn't raise any red flags with you?
>
>I could see perhaps a flag or a standard value to go into TXT (maybe part
>of the existing SPF conventions) that indicate the age of the domain.
>
>Then leave it up to the user as to what to do with that information (a
>mail server not allowing emails from domains less than 15 days old for
>example).
>

Good questions, all -- but having said that, there are certainly ways to approach each of these. And of course, there will obviously be things that fall through the cracks.

And having said that, something is better than nothing.

The value in matching newly registered domains, the registrants themselves, the nameservers, MX records, and historical IP addresses as a matrix operation is incrementally positive as the effort itself becomes also incremental in the positive.

What I'm saying is this: Historical reputation systems, coupled with intelligence on known malware domains, observed fast-flux'ers, etc., gives some measure of control. You still have to do an enormous amount of weeding, but again, this is an endeavor that can be undertaken by private and commercial organizations, as long as the domain registration process is changed only slightly, to allow for a minor delay between the time that the registration(s) are made, and the time that they become "live".

As it stands now, everyone gets pretty much blind-sided by domains that crop up solely for the sake of malfeasance.

I'm not sure I articulated that very well, but there it is. :-)

-- ferg
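Doug Otis's quoted suggestion above (a day's preview of zone additions, used to spot look-alike and cousin domains and seed a watch list) and Patrick's "12-kilobyte regex" objection both reduce to a diff of two zone files followed by a similarity check against a watch list, which is less work than a regex and far less than a room of humans for the first pass. Here is an added example of that check; it is not code from the thread. The two zone snippets, the watch list and the homoglyph table are constructed, and the "cousin" rule (a watched label embedded in a longer label) is one simple assumption among many possible ones.

```python
"""Diff a preview of tomorrow's TLD zone against today's to list newly
delegated names, then flag ones that resemble entries on a watch list.
Added example; zones, watch list and homoglyph table are constructed."""

# Constructed zone excerpts (RFC 1035 text form, delegations only).
YESTERDAY_ZONE = """\
example.                86400 IN SOA a.tld.example. hostmaster.tld.example. 2007040100 7200 900 1209600 86400
example.                86400 IN NS  a.tld.example.
bigbank.example.        86400 IN NS  ns1.bigbank.example.
shop.example.           86400 IN NS  ns1.shop.example.
"""
TODAY_ZONE = """\
example.                86400 IN SOA a.tld.example. hostmaster.tld.example. 2007040200 7200 900 1209600 86400
example.                86400 IN NS  a.tld.example.
bigbank.example.        86400 IN NS  ns1.bigbank.example.
shop.example.           86400 IN NS  ns1.shop.example.
b1gbank.example.        86400 IN NS  ns1.flux.example.
bigbank-secure.example. 86400 IN NS  ns1.flux.example.
gardening.example.      86400 IN NS  ns1.gardening.example.
"""
WATCHLIST = ["bigbank", "shop"]  # constructed: labels a brand owner cares about

# Digits and letter pairs that read as other letters; assumed table, not exhaustive.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def delegated_names(zone_text):
    """Owner names of every NS record in a zone excerpt, lower-cased, no trailing dot."""
    names = set()
    for line in zone_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[2] == "IN" and parts[3] == "NS":
            names.add(parts[0].rstrip(".").lower())
    return names


def new_delegations(old_zone, new_zone):
    """Names delegated in new_zone that were not delegated in old_zone."""
    return sorted(delegated_names(new_zone) - delegated_names(old_zone))


def normalize(label):
    """Fold common look-alike substitutions so b1gbank compares as blgbank."""
    return label.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def levenshtein(a, b):
    """Edit distance with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalikes(names, watchlist, max_distance=1):
    """(name, watched_label, reason) for new names close to a watched label:
    'edit-distance' for near-identical spellings, 'cousin' when the watched
    label is embedded in a longer one (bigbank-secure)."""
    hits = []
    for name in names:
        label = name.split(".")[0]
        norm = normalize(label)
        for watched in watchlist:
            w = watched.lower()
            if norm == w:
                continue  # the watched name itself; nothing to flag
            if levenshtein(norm, w) <= max_distance:
                hits.append((name, watched, "edit-distance"))
            elif w in norm:
                hits.append((name, watched, "cousin"))
    return hits


def preview_report(old_zone, new_zone, watchlist):
    """Run the diff and the similarity check in one step."""
    return lookalikes(new_delegations(old_zone, new_zone), watchlist)


if __name__ == "__main__":
    for hit in preview_report(YESTERDAY_ZONE, TODAY_ZONE, WATCHLIST):
        print(hit)
```

Patrick's "officialNittanyLions.com" case falls through this filter unless someone put "nittanylions" on the watch list, which is his point; the preview does not decide anything, it just hands a short list to whoever does the weeding Fergie mentions.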
Re: On-going Internet Emergency and Domain Names
Correction:

-- "Fergie" <[EMAIL PROTECTED]> wrote:

>-- Joseph S D Yao <[EMAIL PROTECTED]> wrote:
>
>>See the aforementioned "restock fees" presented to ICANN. How much of a
>>disincentive would they be?
>>
>
>Not much, I would think.
>
> http://www.icann.org/minutes/resolutions-22nov06.htm
>
>Unless you have a more explicit pointer, a quick check at ICANN
>reveals that the "restock fee" proposed in November 2000 applies 2006
>to PIR and the .ORG TLD.

-- ferg
Re: On-going Internet Emergency and Domain Names
-- Joseph S D Yao <[EMAIL PROTECTED]> wrote:

>See the aforementioned "restock fees" presented to ICANN. How much of a
>disincentive would they be?
>

Not much, I would think.

http://www.icann.org/minutes/resolutions-22nov06.htm

Unless you have a more explicit pointer, a quick check at ICANN reveals that the "restock fee" proposed in November 2000 applies to PIR and the .ORG TLD.

And even if it applied to all (non-ccTLD) domains across the board, it probably wouldn't stop the abuse that we are seeing with bulk registrations, tasting, abuse, etc.

-- ferg
Re: On-going Internet Emergency and Domain Names
-- David Conrad <[EMAIL PROTECTED]> wrote:

>On Apr 2, 2007, at 7:12 PM, Joseph S D Yao wrote:
>> On Mon, Apr 02, 2007 at 05:33:08PM -0700, David Conrad wrote:
>>> I think this might be a bit in conflict with efforts registries have to
>>> reduce the turnaround in zone modification to the order of tens of
>>> minutes.
>>
>> Why is this necessary? Other than the cool factor.
>
>I think the question is "why should the Internet be constrained to
>engineering decisions made in 1992?"
>

For me, it's more of a matter of "Is the Internet actually a bigger cesspool than it was ten years ago?" and the answer I keep hearing from every corner is a resounding "Yes".

$.02,

-- ferg
Re: On-going Internet Emergency and Domain Names
-- David Conrad <[EMAIL PROTECTED]> wrote:

>On Apr 2, 2007, at 4:56 PM, Douglas Otis wrote:
>> The recommendation was for registries to provide a preview of the
>> next day's zone.
>
>I think this might be a bit in conflict with efforts registries have to
>reduce the turnaround in zone modification to the order of tens of
>minutes.
>

I'm not even sure how to respond to that one. :-)

-- ferg
Re: On-going Internet Emergency and Domain Names
-- Mattias Ahnberg <[EMAIL PROTECTED]> wrote:

>Fergie wrote:
>> I would posit that it does when criminals are able to abuse the
>> system.
>
>Almost any system can be abused by people with bad intentions. I
>am a strong advocate to not holding back on features, tools, new
>technologies or whatever merely because someone could abuse with
>it. The problem is the abuser, not the tool. We need to stop the
>abusers, not the tools.
>
>We should certainly always attempt to improve the tools, better
>the routines and so forth but always keep in mind that no matter
>what we do they will adapt and find another angle.
>
>If we add a 24h period to domain registrations, what harm will it
>REALLY do to the abusers? They will just register a myriad of the
>domains they want, have them stored and push them out when needed
>instead of at once.
>
>If we add some checkups on who registers a domain name, they will
>get middlemen to do it for them. Just look at the captcha stuff
>added on various sites to prevent spammers that lead to spammers
>paying people small amounts of money for each captcha solved, or
>put up fake pr0n sites where the visitors got free images when
>they solved a captcha (that was linked from the actual site).
>
>If we block low TTL from functioning we would break tools that
>use the low TTL setting for fast changing environments, load
>balancing or whatever and we would also block ourselves from a
>quick merger from one system to another for our customers.
>
>I don't want to sound all negative to efforts suggested that we
>may have use for in a _current_ problem; but we should consider
>what they will do next when we make major changes to a general
>system that will likely bother ourselves more than them.

These are all very good, legitimate questions -- I do not profess to have answers to them all.

The one thing that seems to be missing, however, is accountability and an ability to stem the abuses in the domain registry system.

-- ferg
Re: On-going Internet Emergency and Domain Names
-- Roland Dobbins <[EMAIL PROTECTED]> wrote:

>On Mar 31, 2007, at 11:36 PM, Fergie wrote:
>
>> Would love to hear arguments to the contrary.
>

Roland,

I'm not so great with trick questions, but I'm sure you asked it for a very good reason. Care to expand?

-- ferg
RE: On-going Internet Emergency and Domain Names
-- Douglas Otis <[EMAIL PROTECTED]> wrote:

> On Sat, 2007-03-31 at 16:47 -0500, Frank Bulk wrote:
>> For some operations or situations 24 hours would be too long a time to
>> wait. There would need to be some mechanism where the delay could be
>> bypassed.
>
> What operation requires a new domain be published within 24 hours? Even
> banks require several days before honoring checks as protection against
> fraud. A slight delay allows preemptive enforcement measures. It seems
> most if not all operations could factor this delay into their planning.

Doug and I completely agree on this issue.

So again, I ask: When does a policy breakdown become an operational issue?

I would posit that it does when criminals are able to abuse the system.

Would love to hear arguments to the contrary.

- ferg
Re: On-going Internet Emergency and Domain Names
-- Gordon Cook <[EMAIL PROTECTED]> wrote:

> ICANN it is said would like to move to Switzerland. I doubt that they
> much care about any of this stuff.

If that is indeed the case, then this boils down to nothing less than _strictly_ an operational issue.

- ferg
RE: On-going Internet Emergency and Domain Names
-- Matt Ghali <[EMAIL PROTECTED]> wrote:

> On Sat, 31 Mar 2007, Fergie wrote:
>
>> So very clever.
>>
>> If you're not part of the solution... etc.
>
> I feel so worthless standing next to you, the Solver.

Sounds like a personal problem.

- ferg
RE: On-going Internet Emergency and Domain Names
-- Matt Ghali <[EMAIL PROTECTED]> wrote:

> On Sat, 31 Mar 2007, Fergie wrote:
>
>> The Registry policies, as they stand today, enable criminals.
>
> and airlines enable drug smugglers. idiot.

So very clever.

If you're not part of the solution... etc.

Cheers,

- ferg
RE: On-going Internet Emergency and Domain Names
-- "william(at)elan.net" <[EMAIL PROTECTED]> wrote:

> But those are policy process issues and this is an operations mail
> list. Original question raised is who is ultimately better at acting
> on dns operational issues? Do you want all issues going through 100s
> of different registrars with some as "responsible" as RegisterFly?

When the policies are broken, and allow this type of behavior, then it becomes an operational issue. Period.

- ferg
Re: On-going Internet Emergency and Domain Names
-- Stephen Satchell <[EMAIL PROTECTED]> wrote:

> Gadi Evron wrote:
>>
>> Amen. Really.
>>
>> I'd honestly like more ideas.
>
> What did IETF and ICANN say when you approached them through their
> public-comment channels?

The IETF does not deal with registry policy issues. ICANN, from what I can tell, had this issue (domain tasting) on their agenda as a discussion item in Lisbon last week, but I am unaware of the discussion outcome.

Having said that, if this particular policy issue can be measured by ICANN's proclivity with other domain policy issues, I think we're talking years here.

And that's kind of sobering, from a policy perspective.

- ferg
RE: On-going Internet Emergency and Domain Names
-- "william(at)elan.net" <[EMAIL PROTECTED]> wrote:

> On Sat, 31 Mar 2007, Fergie wrote:
>
>> Amen.
>>
>> The Registry policies, as they stand today, enable criminals.
>
> Registry or Registrar?

Good question. It is my understanding that the various domain registries answer to ICANN policy -- if ICANN policy allows them to operate in a manner which is conducive to allowing criminals to manipulate the system, then the buck stops with ICANN, and ICANN needs to rectify the problems in the policy framework.

- ferg
RE: On-going Internet Emergency and Domain Names
-- Douglas Otis <[EMAIL PROTECTED]> wrote:

> The financial damage caused by crime taking advantage of DNS features to
> then dance rapidly over the globe should justify rather minor changes to
> the current mode of registry operations.

Amen.

The Registry policies, as they stand today, enable criminals.

- ferg
Re: On-going Internet Emergency and Domain Names
-- "Steven M. Bellovin" <[EMAIL PROTECTED]> wrote:

> Jeff Shultz <[EMAIL PROTECTED]> wrote:
>
>> I won't discount the assertion that there is some sort of emergency
>> occurring. I would however, like to see a bit of a reference to where
>> we can learn more about what is going on (I assume this is the
>> javascript exploit I heard about a couple days ago).
>
> No -- it's a 0day in Internet Explorer involving animated cursors --
> and it can be spread by visiting an infected web site or even by email.

Not that I like being in the position of correcting Steve :-) but the real answer is "yes" and "no" -- or actually just yes.

While the 0-day exploit is the ANI vulnerability, there are many, many compromised websites (remember the MiamiDolhins.com embedded javascript iframe redirect?) that are using similar embedded .js redirects to malware-hosting sites which fancy this exploit. And some of them have vast audiences, increasing the potential for a major "issue" -- TBD.

Track with the SANS ISC -- they're doing a good job of keeping the community abreast.

Cheers,

- ferg
Re: On-going Internet Emergency and Domain Names
-- Jeff Shultz <[EMAIL PROTECTED]> wrote:

> So, is there a list of domains that we could null-route if we could
> convince our DNS managers to set us up as the SOA for those domains on
> our local DNS servers - thus protecting our own customers somewhat?
>
> I won't discount the assertion that there is some sort of emergency
> occurring. I would however, like to see a bit of a reference to where
> we can learn more about what is going on (I assume this is the
> javascript exploit I heard about a couple days ago).

Yes -- I would suggest that the best point of reference right now is the SANS ISC Daily Handler's Diary. They have done a great job of summarizing the issues:

http://isc.sans.org/

- ferg
Re: On-going Internet Emergency and Domain Names
-- Gadi Evron <[EMAIL PROTECTED]> wrote:

> There is a current on-going Internet emergency: a critical 0day
> vulnerability currently exploited in the wild threatens numerous desktop
> systems which are being compromised and turned into bots, and the domain
> names hosting it are a significant part of the reason why this attack has
> not yet been mitigated.
>
> This incident is currently being handled by several operational groups.

...and before people start bashing Gadi for being off-topic, etc., I'll side with him on the fact that this particular issue appears to be quite serious.

Please check the facts regarding this issue before firing up your flame-throwers -- this weekend could prove to be a quite horrible one.

- ferg
ISPs & BCP38
I would like to talk briefly to any ISPs who implement BCP38 -- just a couple of casual questions.

If you could contact me off-list, it would be much appreciated.

Cheers,

- ferg
Fwd: [routing-wg]Re: RIS modifications for 4-byte ASNs on 27 March
A notable milestone.

FYI,

- ferg

[snip]

From: Erik Romijn <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Date: Wed, 28 Mar 2007 16:52:10 +0200

On Thu, Mar 22, 2007 at 02:32:29PM +0100, Erik Romijn wrote:
> We will switch one Remote Route Collector (RRC) to 4-byte ASN supporting
> software on 27 March 2007, somewhere between 09:00 and 13:00 (UTC).
>
> We plan to switch the other RRCs to 4-byte ASN supporting software on 28
> March 2007, between 09:00 and 17:00 (UTC).

This work has been successfully completed. The RIS now supports 4-byte ASNs.

We have also configured a 4-byte ASN beacon: a route originating from a 4-byte ASN. The prefix is 84.205.88.0/24 and it originates from AS3.7. AS3.7 peers with our route collector on the AMS-IX, from where the route is announced to all our peers. No hosts are configured in this prefix.

Regards,
Erik Romijn
Information Services Department
RIPE NCC

[snip]
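"AS3.7" in the RIPE NCC announcement above is the asdot form of a 4-byte ASN. The following is an added example, not RIPE NCC code: it converts between asdot and asplain, and shows what a BGP speaker without 4-byte ASN support receives in AS_PATH for the beacon, which per RFC 4893 is the placeholder AS_TRANS (23456) in place of every 4-byte ASN, with the true path carried in the AS4_PATH attribute. The neighbouring ASN in the sample path is a documentation ASN (64496), not the collector's real peer.

```python
"""4-byte ASN notation and the AS_TRANS substitution of RFC 4893.

Added example, not RIPE NCC code. asdot writes ASNs above 65535 as
<high>.<low> (each half 16 bits) and leaves 2-byte ASNs as plain decimal;
asplain is the 32-bit integer. A peer that has not negotiated 4-byte ASN
support sees AS_TRANS wherever a 4-byte ASN sits in the path.
"""
AS_TRANS = 23456


def asdot_to_asplain(text):
    """'3.7' -> 196615; plain decimal is passed through after range checking."""
    if "." in text:
        high, low = (int(part) for part in text.split(".", 1))
        if not (0 <= high <= 0xFFFF and 0 <= low <= 0xFFFF):
            raise ValueError(f"bad asdot value: {text}")
        return (high << 16) | low
    value = int(text)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"ASN out of range: {text}")
    return value


def asplain_to_asdot(value):
    """196615 -> '3.7'; ASNs that fit in 16 bits stay plain decimal."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"ASN out of range: {value}")
    return f"{value >> 16}.{value & 0xFFFF}" if value > 0xFFFF else str(value)


def is_four_byte(asn):
    return asn > 0xFFFF


def as_path_for_old_speaker(path):
    """AS_PATH as a peer without 4-byte ASN support receives it."""
    return [AS_TRANS if is_four_byte(asn) else asn for asn in path]


def hidden_four_byte_asns(path):
    """Positions in an old speaker's view where only AS4_PATH can reveal the
    real ASN; an AS_TRANS at the end means the true origin is hidden."""
    return [i for i, asn in enumerate(path) if asn == AS_TRANS]


# Constructed sample: the beacon origin AS3.7 seen behind a documentation ASN.
BEACON_ORIGIN = asdot_to_asplain("3.7")
SAMPLE_PATH = [64496, BEACON_ORIGIN]

if __name__ == "__main__":
    print("origin asplain:", BEACON_ORIGIN, "asdot:", asplain_to_asdot(BEACON_ORIGIN))
    print("old speaker sees:", as_path_for_old_speaker(SAMPLE_PATH))
```

The practical consequence for filtering: a prefix list or route-map that matches on the origin ASN sees 23456 on an old-speaker session, so origin-based policy for 4-byte neighbours only works once the session itself negotiates the 4-byte capability.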
Re: Ethernet won (was: RE: [funsec] Not so fast, broadband...)
-- Sean Donelan <[EMAIL PROTECTED]> wrote:

> On Tue, 13 Mar 2007, [EMAIL PROTECTED] wrote:
>> Sure, as long as you're willing to fork over the cash for CPE capable of
>> handling OC-XX linecards. The service cost is hardly the only cost
>> associated with buying that kind of bandwidth. It's amusing to me that
>> we're worrying about FTTH when some of the largest carriers are still
>> not capable of delivering ethernet handoffs in some of those same top 30
>> cities. Don't we need to get there first before we start wiring
>> everyone's home with fiber and a small router with an SFP?
>
> Bell Atlantic had ethernet access since the early 1990's, along with FDDI,
> SMDS, ATM, etc, etc, etc and whatever else various government agencies
> wanted to buy around Maryland, Virginia and Washington DC. Now AT&T,
> Qwest and Verizon have metro ethernet access tariffs in major cities in
> each of their territories. Ethernet seems to have won for data access
> especially for 10Gbps and greater.

I know I saw a reference to "...wiring everyone's homes..." in the exchange above, so...

Perhaps, depending on the last-mile and the consumer/business distinction, but up through the late 90's, all that was available to consumers (at best) was ISDN in Bell Atlantic territory -- at least in Northern Virginia. I left that area around 2000.

> If you've got the money, they've got the ethernet for you.
>
> Unfortunately, "I want it" isn't a good business case.

True enough, and let's not confuse "business services" with "consumer services." The telcos/cablecos don't. :-)

- ferg
Re: 96.2.0.0/16 Bogons
-- Randy Bush <[EMAIL PROTECTED]> wrote:

>> your interpersonal skills are improving.
>
> well, at least i am actually doing research instead of doing nothing but
> blindly whining about anything by others that moves.

Regardless of your slides, some people are still questioning that particular issue.

$.02,

- ferg
Fwd: Impending publication: draft-iab-iwout-report-03.txt
I thought that many of you on the list might actually be interested in this...

FYI.

- ferg

[snip]

To: IETF Announcement list
From: Leslie Daigle <[EMAIL PROTECTED]>
Date: Fri, 23 Feb 2007 14:56:39 -0500
Cc: [EMAIL PROTECTED]
Subject: Impending publication: draft-iab-iwout-report-03.txt

The IAB is ready to ask the RFC-Editor to publish

Report from the IAB workshop on Unwanted Traffic March 9-10, 2006

as an Informational RFC.

This document is a report from an invitational workshop convened by the IAB. As such, it represents the opinions of the attendees expressed at the time of the workshop.

Please direct any comments to improve the clarity of the report to the IAB (iab@iab.org) by March 23, 2007.

The document can be found at

http://www.ietf.org/internet-drafts/draft-iab-iwout-report-03.txt

From the Abstract:

This document reports the outcome of a workshop held by the Internet Architecture Board (IAB) on Unwanted Internet Traffic. The workshop was held on March 9-10, 2006 at USC/ISI in Marina del Rey, CA, USA. The primary goal of the workshop was to foster interchange between the operator, standards, and research communities on the topic of unwanted traffic, as manifested in, for example, Distributed Denial of Service (DDoS) attacks, spam, and phishing, to gain understandings on the ultimate sources of these unwanted traffic, and to assess their impact and the effectiveness of existing solutions. It was also a goal of the workshop to identify engineering and research topics that could be undertaken by the IAB, the IETF, the IRTF, and the network research and development community at large to develop effective countermeasures against the unwanted traffic.

Leslie Daigle,
For the IAB.

_______________________________________________
IETF-Announce mailing list
IETF-Announce@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf-announce

[snip]
Re: botnets: web servers, end-systems and Vint Cerf [LONG, sorry]
-- Gadi Evron <[EMAIL PROTECTED]> wrote:

> And this is before we get into the academic off-topic discussion of what a
> bot actually is, which after almost 11 years of dealing with these I find
> difficult to define. Is it an IP address? A computer? Perhaps an instance
> of a bot (and every machine could have even hundreds).
>
> Welcome to the realm of Internet security operations and the different
> groups and folks involved (and now industry). It is about Internet
> security rather than this or that network security or this and that sample
> detection.

Interestingly enough, I discovered during my trip to Tokyo this week that the Japanese government is _mandating_ that the national ISPs address the botnet problem, specifically.

I'm still gathering details on the framework -- which is still being defined, if I'm not mistaken -- but I applaud them for taking the lead in this regard.

If they are even marginally successful, I hope it will be an example for others around the world to stop making excuses and begin addressing the problem.

- ferg
Re: botnets: web servers, end-systems and Vint Cerf
Hey, Danny:

-- Danny McPherson <[EMAIL PROTECTED]> wrote:

> While I understand your frustration, lest we not forget, providers are in
> the business of making money, and solutions of this type today only add
> to churn, additional operational expense and liability. It's not quite so
> black and white as you make it, unfortunately.

Unfortunately, if ISPs don't do _something_ to "clean up their own backyards", I hate to think of what the alternative may be.

> With that, as Sean points out, providers are trying to address the issues
> in a business-savvy manner and some do seem to have reasonable (IMO)
> solutions underway. But be careful what you ask for, some of these
> solutions you're mandating might very well resemble SiteFinder-style
> schemas (or far worse) in order to justify the investment by the
> providers.

Indeed. It's a hairy problem, but an important one that needs to be addressed.

- ferg
The Root of The Problem [Was: Re: botnets: web servers, end-systems and Vint Cerf]
Well, I'm going to add my $.02 here, too, and I don't care who likes it or not. :-)

I know Vint, and I've known Vint for a long time. He's a smart guy. And he's right.

Why is he right? Because he got in front of the folks who actually _can_ manage this problem, and that is the people (actually the NGOs) who have the monetary and fiduciary duty to begin looking at problems at the financial loss level.

If you think that these problems are going to be solely resolved on a technical basis, you're delusional.

Rock on, Vint.

- ferg

-- Gadi Evron <[EMAIL PROTECTED]> wrote:

On Thu, 15 Feb 2007, Peter Moody wrote:
>> I kept quiet on this for a while, but honestly, I appreciate Vint Cerf
>> mentioning this where he did, and raising awareness among people who
>> can potentially help us solve the problem of the Internet.
>>
>> Still, although I kept quiet for a while, us so-called "botnet
>> experts" gotta ask: where does he get his numbers? I would appreciate
>> some backing up to these or I'd be forced to call him up on his
>> statement.
>>
>> My belief is that it is much worse. I am capable of proving only
>> somewhat worse. His numbers are still staggering so.. where why when
>> how what? (not necessarily in that order).
>>
>> So, data please Vint/Google.
>>
> Dr. Cerf wasn't speaking for Google when he said this, so I'm not sure
> why

Okay, thanks for clarifying that. :)

> you're looking that direction for answers. But since you ask, his data
> came from informal conversations with A/V companies and folks actually in
> the

Interesting.

> trenches of dealing with botnet ddos mitigation. The numbers weren't
> taken

Botnet trenches? Yes, I suppose the analogy to World War I is correct. I should know, I was there (metaphorically speaking). My guess is, if we are to follow this analogy, we are now just before the invention of the tank now in 2007, but oh well.

> from any sort of scientific study, and they were in fact mis-quoted (he
> said more like 10%-20%).

Interesting.

> (my opinions != my employer's, etc. etc.)
>
> Many thanks,
>
> Cheers,
> .peter

Gadi.
RE: Question about SLAs
An SLA is a contract. A contract is... a contract. Read it carefully. :-)

- ferg

-- "Chad Skidmore" <[EMAIL PROTECTED]> wrote:

Agreed, any termination liability is something to consider. You also need to consider the impact to your business that the SLA violations are causing and how that might translate to dollars. Documentation is going to be key if the vendor is nickel and diming you. If you have solid documentation of a pattern of behavior that is contrary to the spirit (and hopefully letter) of your SLA the vendor is probably not going to push the termination liability. They may not refund for SLA violations but they also would probably not push the termination liability too far. SLA claims can turn into a game of chicken at times. If you honestly feel your position is solid, don't blink.

Good luck,

Chad

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 08, 2007 7:29 PM
To: Chad Skidmore
Cc: Barry Shein; nanog@merit.edu
Subject: Re: Question about SLAs

On Thu, 08 Feb 2007 19:09:34 PST, Chad Skidmore said:
> Find a new vendor is certainly one solution.

Your current vendor probably knows how much it would cost for you to move to another vendor (quite possibly to more significant digits than *you* know). They also know exactly how much they're making/losing on SLA issues, and what percent of the move cost you're willing to tolerate - there's probably very few of us that can get away with being righteous and principled and spending $100K on a move to a new vendor over a $980 SLA issue. And even those of us who *can* do that probably can't do it a second time anytime soon.

Of course, YMMV - spending $25K to get out of a contract with somebody who's already shafted you for $12K of SLA rebates and shows no sign of stopping is probably justifiable by almost all of us. But I think Barry was asking specifically about the vendor who nickels and dimes you precisely because they know it's not enough to make a business case for moving.

[snip]
Re: broken DNS proxying at public wireless hotspots
Yes, then he's screwed. :-)

As we all are in a similar situation.

Mea culpa.

- ferg

-- Joe Abley <[EMAIL PROTECTED]> wrote:

On 3-Feb-2007, at 06:20, Fergie wrote:

> Use OpenDNS?

OpenDNS provides service on other than 53/tcp and 53/udp? If so, how do you configure your client operating system of choice to use the novel, un-proxied ports instead of using port 53?

Joe
Re: broken DNS proxying at public wireless hotspots
Use OpenDNS?

- ferg

-- "Suresh Ramasubramanian" <[EMAIL PROTECTED]> wrote:

Right now, I'm on a swisscom eurospot wifi connection at Paris airport, and this - yet again - has a DNS proxy setup so that the first few queries for a host will return some nonsense value like 1.2.3.4, or will return the records for com instead. Some 4 or 5 minutes later, the dns server might actually return the right dns record.

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25634
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 11

;; QUESTION SECTION:
;www.kcircle.com.               IN      A

;; AUTHORITY SECTION:
com.                    172573  IN      NS      j.gtld-servers.net.
com.                    172573  IN      NS      k.gtld-servers.net.
[etc]

;; Query time: 1032 msec
;; SERVER: 192.168.48.1#53(192.168.48.1)
;; WHEN: Sat Feb 3 11:33:07 2007
;; MSG SIZE  rcvd: 433

They're not the first provider I've seen doing this, and the obvious workarounds (setting another NS in resolv.conf, or running a local dns caching resolver) don't work either as all dns traffic is proxied. Sure I could route dns queries out through a ssh tunnel but the latency makes this kind of thing unusable at times. I'm then reduced to hardwiring some critical work server IPs into /etc/hosts

What do nanogers usually do when caught in a situation like this?

thanks
srs

--
Suresh Ramasubramanian ([EMAIL PROTECTED])
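The two failure shapes Suresh describes (a NOERROR reply that carries only the com. NS referral and no answer, and a placeholder answer such as 1.2.3.4) are easy to recognise mechanically once you look at the wire format instead of trusting the resolver. The following is an added example, not code from the thread or from any of the posters: it builds constructed DNS responses of exactly those shapes, parses them with a small wire-format parser (including compression pointers, which real responses use), and returns the reasons a response looks like the output of a captive-portal proxy. The placeholder list, the private-range list and the constructed messages are assumptions; the query name and the authority records mirror the dig output above.

```python
"""Spotting a hotspot DNS proxy that hands back bogus answers.

Added example, not code from the thread. Constructs DNS responses in wire
format, parses them, and flags the shapes a captive-portal proxy produces:
a NOERROR reply with no answer and only a TLD referral, a placeholder
address, or an address that cannot be the real host.
"""
import struct
from ipaddress import ip_address, ip_network

PLACEHOLDER_ANSWERS = {"1.2.3.4"}        # seen in the dig output above; assumed list
NONROUTABLE = [ip_network(n) for n in (  # assumed list of answers that cannot be real
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TYPE_A, TYPE_NS = 1, 2


def encode_name(name):
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_response(qname, answers=(), referral=None, ttl=300):
    """Constructed NOERROR response; referral=(zone, [ns, ...]) fills the authority section."""
    zone, nameservers = referral if referral else (None, [])
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(answers), len(nameservers), 0)
    body = encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    for ip in answers:
        body += encode_name(qname) + struct.pack("!HHIH", TYPE_A, 1, ttl, 4) + ip_address(ip).packed
    for ns in nameservers:
        rdata = encode_name(ns)
        body += encode_name(zone) + struct.pack("!HHIH", TYPE_NS, 1, 172573, len(rdata)) + rdata
    return header + body


def read_name(msg, off):
    """Decode a possibly compressed name; returns (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def parse_response(msg):
    _, flags, qd, an, ns, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    questions = []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _ = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))

    def read_rrs(count, off):
        rrs = []
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if rtype == TYPE_A:
                value = str(ip_address(msg[off:off + rdlen]))
            elif rtype == TYPE_NS:
                value, _ = read_name(msg, off)
            else:
                value = msg[off:off + rdlen]
            off += rdlen
            rrs.append((name, rtype, ttl, value))
        return rrs, off

    answers, off = read_rrs(an, off)
    authority, off = read_rrs(ns, off)
    return {"rcode": flags & 0xF, "questions": questions,
            "answers": answers, "authority": authority}


def assess(msg):
    """Return the reasons a response looks proxied or bogus; empty means plausible."""
    resp = parse_response(msg)
    qname, qtype = resp["questions"][0]
    a_records = [v for n, t, _, v in resp["answers"] if t == TYPE_A and n == qname]
    problems = []
    if resp["rcode"] == 0 and qtype == TYPE_A and not a_records:
        if any(t == TYPE_NS for _, t, _, _ in resp["authority"]):
            problems.append("NOERROR with no answer, only a referral in the authority section")
        else:
            problems.append("NOERROR with an empty answer section")
    for ip in a_records:
        if ip in PLACEHOLDER_ANSWERS:
            problems.append(f"placeholder answer {ip}")
        elif any(ip_address(ip) in net for net in NONROUTABLE):
            problems.append(f"non-routable answer {ip}")
    return problems


# Constructed samples mirroring the dig output above (not captured traffic).
QNAME = "www.kcircle.com."
REFERRAL_ONLY = build_response(QNAME, referral=("com.", ["j.gtld-servers.net.", "k.gtld-servers.net."]))
PLACEHOLDER = build_response(QNAME, answers=["1.2.3.4"])
PLAUSIBLE = build_response(QNAME, answers=["203.0.113.5"])
```

Wired to a UDP socket aimed at the hotspot's resolver, assess() gives a client-side "is my DNS being tampered with" check; as Joe Abley's reply points out, switching resolvers does not help when every port-53 packet is intercepted, so the useful response to a non-empty result is to wait, retry, or move name resolution into a tunnel.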
Re: BellSouth OC192 Fiber Cut
-- "Pablo Espinosa" <[EMAIL PROTECTED]> wrote:

> Just received some individual threads with feedback. Thanks for the
> replies!

Individual threads? Sweet. Send us pictures. ;-)

- ferg
Fwd: [dns-operations] RIPE-400 published
FYI, some goodness.

- ferg

[snip]

Date: Fri, 26 Jan 2007 09:24:04 -0500
From: Keith Mitchell <[EMAIL PROTECTED]>
Organization: Internet Systems Consortium
User-Agent: Thunderbird 1.5.0.9 (X11/20060911)
MIME-Version: 1.0
To: [EMAIL PROTECTED]

May be of interest:

"Measuring and Reporting on Reverse Tree DNS Lameness in the RIPE NCC Service Region."

_______________________________________________
dns-operations mailing list
[EMAIL PROTECTED]
http://lists.oarci.net/mailman/listinfo/dns-operations

[snip]
IAB Workshop on Routing and Addressing [Was: Re: Google wants to be your Internet]
-- Jason LeBlanc <[EMAIL PROTECTED]> wrote:

> ...Some days it kills me that v6
> is still not really viable, I keep asking providers where they're
> at with it. Their most common complaint is that the operating
> systems don't support it yet. They mention primarily Windows since
> that is what is most implemented, not in the colo world but what the
> users have. I suggested they offer a service that somehow translates
> (heh, shifting the pain to them) v4 to v6 for their customers to move
> it along.

If you *really* want to know where things stand with IPv6, then you need to read this:

Report from the IAB Workshop on Routing and Addressing
http://www.ietf.org/internet-drafts/draft-iab-raws-report-00.txt

- ferg
Re: Anyone from BT...
-- Peter Corlett <[EMAIL PROTECTED]> wrote:

> On Mon, Jan 22, 2007 at 04:09:48AM +0000, Fergie wrote:
>> ...on the list who might be able to comment on how they/you/BT is
>> detecting downstream clients that are bot-infected, and how exactly you
>> are dealing with them?
>
> Which bit of BT? They've got their fingers in quite a lot of pies, and the
> Clue level varies wildly.
>
> Although given you've asked that question, I suspect that you're enquiring
> about their retail Internet offerings, and my impression is that they
> don't bother to check for or deal with infected hosts.

Well, thanks for the response :-) but I am looking for anyone who could shed some light on this statement:

"BT has launched an automated system to identify professional spammers and 'botnet'-infected customers on the BT broadband network."

ref: http://www.networkworld.com/news/2006/101306-bt-fires-back-at.html

I am curious as to what they're actually doing.

Cheers,

- ferg
Anyone from BT...
...on the list who might be able to comment on how they/you/BT is detecting downstream clients that are bot-infected, and how exactly you are dealing with them?

Thanks,

- ferg
RE: Undersea fiber cut after Taiwan earthquake - PCCW / Singtel / KT etc connectivity disrupted
-- Sean Donelan <[EMAIL PROTECTED]> wrote:

> The FAA, Federal Reserve, SFTI and SMART are probably at the top as
> far as trying to engineer their networks and maintain diversity
> assurances. But even the Federal Reserve found the cost more than
> it could afford. What commercial banks are doing is impressive,
> but only in a "commercially reasonable" way. Some residual risk and
> outages are always going to exist.
>
> No matter what the salesman tells you, Murphy still lives.

This really has more to do with analogies regarding organizations such as DeBeers, and less with Murphy's Law. :-)

- ferg
Re: HTML email, was Re: Phishing and BGP Blackholing
-- Stephane Bortzmeyer <[EMAIL PROTECTED]> wrote:

>> a combination of retarded registry policies (pitting business
>> interests against common technical sense)
>
>In a capitalist country, I do not see how you could do otherwise. In a
>non-capitalist country, there is still hope, I'll talk to Fidel about
>that, next time we meet.
>

Whatever. :-)

I'm sure that all 30,090 results of a search for "ebay" are legit:

http://domain-search.domaintools.com/?q=ebay

Cheers,

- ferg
Re: HTML email, was Re: Phishing and BGP Blackholing
-- Randy Bush <[EMAIL PROTECTED]> wrote:

>> Back in the day, pre-CIRA, .CA was managed according to rules which
>> included the restriction that a single company was only allowed one
>> domain name. So, to choose a company at random, General Motors Canada
>> was welcome to GMC.CA but they couldn't also register PONTIAC.CA or
>> GM.CA or GENERALMOTORS.CA.
>
>for those of us who manage smaller cctlds pro bono, it is also good
>for our sanity, especially when paired with the requirement that the
>registrant be real and in-country.
>
>it also encourages the isps in-country to take over the cctld, which
>is good. they can charge a bit for the service and multiple name
>registrants become a good thing.
>

It's funny you should bring this up (or whomever). I'm actually in the process of putting together my presentation for next week's ISOI meeting in Redmond on DNS issues in the security realm, and one of the major bullet items on my check-list of "why we suck" is the whole mish-mash of issues w.r.t. a combination of retarded registry policies (pitting business interests against common technical sense) and the lag between published domain registrations and trickle-down WHOIS information (and admittedly, there are a couple of associated social-engineering foos in there, too).

We do suck. And we have created a horrible situation wherein we need to stop pointing fingers and figure out how to dig ourselves out of this sh*thole. It's deplorable.

- ferg

p.s. Since I'm still putting my presentation together, I'd love to solicit comments from the field. :-) See: http://isotf.org/isoi2.html
Fwd: [routing-wg]New Document Available: RIPE-399
I hadn't seen any mention of this on the list today, so I figured I would mention it. I finally got a few free minutes to review this document this evening and I think it is a really good community resource.

FYI,

- ferg

[forwarded message]

To: [EMAIL PROTECTED]
From: RIPE NCC Document Announcement Service <[EMAIL PROTECTED]>
Subject: [routing-wg]New Document Available: RIPE-399
Sender: [EMAIL PROTECTED]
Date: Wed, 10 Jan 2007 16:57:36 +0100

New RIPE Document Announcement

A new document is available from the RIPE Document store.

Ref: ripe-399
Title: RIPE Routing Working Group Recommendations on Route Aggregation
Author: Philip Smith, Rob Evans, Mike Hughes
Format: PDF=89,997
Date: December 2006

Short content description

This document discusses the need for aggregation of prefixes on the Internet today, and recommends good working practices for Internet Service Providers and other Autonomous Networks connected to the Internet.

Accessing the RIPE Document Store

You can access this RIPE document at:
http://www.ripe.net/docs/ripe-399.html

[snip]
Re: Network end users to pull down 2 gigabytes a day, continuously?
-- Gian Constantine <[EMAIL PROTECTED]> wrote:

>Ah-ha. You are mistaken. :-)
>
>My focus is next-gen broadband and video. The wifi guys have their own
>department.
>
>Good try, though. :-)
>

Indeed. Also, the current state of wifi (and indeed, wireless connectivity in general) quality has to improve immensely before I would be too terribly concerned with the onslaught of multimedia traffic -- most people are still frustrated with dropped cellphone calls. :-)

- ferg
Re: Network end users to pull down 2 gigabytes a day, continuously?
-- Sean Donelan <[EMAIL PROTECTED]> wrote:

[lots of good stuff elided]

>There is rarely only one way to solve a problem. There will be multiple
>ways to distribute data, video, voice, etc.
>

Completely agreed, and I think this is the crux of the entire thread.

As I mentioned to Bill earlier in this thread, costs are one thing -- business models are built around them, while balancing the technical economies of scale. :-)

Vive la diversité!

- ferg
Re: Internet Video: The Next Wave of Massive Disruption to the US Peering Ecosystem (v1.2)
-- "William B. Norton" <[EMAIL PROTECTED]> wrote:

>On 1/9/07, Fergie <[EMAIL PROTECTED]> wrote:
>
>> I think it remains to be seen that that model will actually change
>> dramatically to more of a "semi-real-time" model, regardless of
>> the desires (or fears) of various vendors or operators.
>
>Hmm...I should have been more clear. I'm comparing the options a video
>guy has: buy transit to distribute the videos, buy CDN services, buy
>a mix of transit and peering, or use P2P. I have sample configurations
>and cost models for each, and cost them in units of $/video
>distributed for side to side comparison.
>
>From the reviews and discussions it was interesting how entrenched and
>enraged some people became when the p2p distribution model costed out
>to be the cheapest by far:
>

Well, cost issues speak for themselves. Adoption issues, of course, are another issue entirely. :-)

- ferg
Re: Network end users to pull down 2 gigabytes a day, continuously?
-- Gian Constantine <[EMAIL PROTECTED]> wrote:

>The available address space for multicast in IPv4 is limited. IPv6 vastly
>expands this space. And here, I may have been guilty of putting the cart
>before the horse. Inter-AS multicast does not exist today because the
>motivators are not there. It is absolutely possible, but providers have to
>want to do it. Consumers need to see some benefit from it. Again, the
>benefit needs to be seen by a large market. Providers make decisions in
>the interest of their bottom line. A niche service is not a motivator for
>inter-AS multicast. If demand for variety in service provider selection
>grows with the proliferation of IPTV, we may see the required motivation
>for inter-AS multicast, which places us in a position moving to the large
>multicast space available in IPv6.
>

I don't think I'd be hanging my hat on IPv6 operational frobs at this moment in time. But that's just me. :-)

$.02,

- ferg
RE: Internet Video: The Next Wave of Massive Disruption to the US Peering Ecosystem (v1.2)
-- "Bora Akyol" <[EMAIL PROTECTED]> wrote:

>I think this discussion is going towards the content that one would
>**actually** like to see.

On this, we agree. :-)

>I understand there are people that don't watch
>TV at all. I am not one of them. I have had a Tivo since when they first
>came out. The problem that I see is that the product pipeline for how TV
>content should be distributed and watched got constipated mostly due to
>the pressure from the content owners (possibly justified).
>

Question: How is your content delivered to your TV/TiVo today? How will it be tomorrow?

- ferg
Re: Internet Video: The Next Wave of Massive Disruption to the US Peering Ecosystem (v1.2)
Hi Bill,

Just as an observation, it appears to me (at least) that the most popular method of video distribution today is via GooTube. :-)

I think it remains to be seen that that model will actually change dramatically to more of a "semi-real-time" model, regardless of the desires (or fears) of various vendors or operators.

$.02,

- ferg

-- "William B. Norton" <[EMAIL PROTECTED]> wrote:

Hi all -

Over the last year or so I have been working with Internet video companies who asked essentially the same question - "What is the most effective way of distributing massive quantities of Internet (video) traffic?" This has become a significant issue NOW because a few of the largest US ISPs are turning away these n*10G Internet video transit customers!

Thanks to all of you that shared your insights, or let me walk you through what this community has found to date, and especially those of you who shared their data points and allowed me to cite you as a source. I'm at the point now where I'd like to share the current draft (v1.2) of this discussion paper with a broader audience, especially those who will allow me to schedule a time to talk through the draft with you. (I have found this is the most effective way to get feedback next to face-to-face walkthroughs over lunch).

Here's the Abstract:

Video Internet: The Next Wave of Massive Disruption to the U.S. Peering Ecosystem (v1.2)

In previous research we documented three significant disruptions to the U.S. Peering Ecosystem as the Cable Companies, Large Scale Network Savvy Content Companies, and Tier 2 ISPs started peering openly. By peering directly with each other they effectively bypassed the Tier 1 ISPs resulting in improved performance, greater control over the end-user experience, and overall lower operating costs. This paper predicts a new wave of disruption that potentially dwarfs currently peered Internet traffic.

Some of this emerging wave of Video Traffic is demonstrating viral properties, so the more popular videos are generating massive "Flash Crowd" effects. Viral Amplifiers (sites that do not host but rather highlight the most popular videos) amplify any viral properties a video may have. If we combine this flash crowd effect and the increased size of the video files downloaded, we see the crest of the first wave of significant incremental load on the Internet.

The majority of this paper details four models for Internet Video Distribution (Transit, Content Delivery Networks, Transit/Peering/DIY CDN, Peer2Peer) across three load models. The cost models include network and server equipment along with pricing models for various distribution methods. Dozens of walkthroughs of this paper have led to stepwise refinement of the models and insights into why one would prefer or not prefer one model over the other. The summary is a comparison in cost-per-video across small, medium, and large distributions. The models (spreadsheets) can be made available to those interested.

Bill

--
//
// William B. Norton <[EMAIL PROTECTED]>
// Co-Founder and Chief Technical Liaison, Equinix
// GSM Mobile: 650-315-8635
// Skype, Y!IM: williambnorton
Re: Network end users to pull down 2 gigabytes a day, continuously?
-- Joe Abley <[EMAIL PROTECTED]> wrote:

>If I acquire content the same time as many other people, since what I'm watching is some coordinated, streaming event, then it seems far more likely that the popularity of the content will lead to network congestion, or push up a peak on an interface somewhere which will lead to a requirement for a circuit upgrade, or affect a 95%ile transit cost, or something.
>
>If asynchronous delivery of content is as free as I think it is, and synchronous delivery of content is as expensive as I suspect it might be, it follows that there ought to be more of the former than the latter going on.
>

Completely agree here.

$.02,

- ferg
Re: NATting a whole country?
-- "Steven M. Bellovin" <[EMAIL PROTECTED]> wrote:

>According to
>http://www.nytimes.com/aponline/technology/AP-TechBit-Wikipedia-Block.html
>all of Qatar appears on the net as a single IP address. I don't know
>if it's NAT or a proxy that you need to use to get out to the world,
>but whatever the exact cause, it had a predictable consequence -- the
>entire country was barred from editing Wikipedia, due to abuse by
>(presumably) a few people.
>

Sweet. :-)

- ferg
Re: Phishing and BGP Blackholing
One more thing: If anyone thinks that fast-flux hosting isn't a problem, then you haven't dealt with it. I cannot imagine injecting a /32 continuously into a BGP community-set. That just sounds... insane.

More: http://www.spamhaus.org/faq/answers.lasso?section=ISP%20Spam%20Issues#164

Cheers!

- ferg

-- "Fergie" <[EMAIL PROTECTED]> wrote:

Instead of quoting earlier submissions, let me just add two thoughts to this Bad Idea (tm):

(1) Proxy bypasses; and
(2) Fast-Flux place-shifters...

These are two hard problems, by themselves, although not impossible.

Having said that, injecting candidate host-routes into BGP (given the already intolerable churn) is a horribly worse idea.

Good luck with all that...

- ferg
Re: Phishing and BGP Blackholing
Instead of quoting earlier submissions, let me just add two thoughts to this Bad Idea (tm):

(1) Proxy bypasses; and
(2) Fast-Flux place-shifters...

These are two hard problems, by themselves, although not impossible.

Having said that, injecting candidate host-routes into BGP (given the already intolerable churn) is a horribly worse idea.

Good luck with all that...

- ferg
Re: Regarding NDU.EDU
Sure. That's what it is: "architectural changes". I heard the Naval War College was doing that, too. :-)

http://blogs.abcnews.com/theblotter/2006/12/mystery_hacker_.html

- ferg

-- "Chris L. Morrow" <[EMAIL PROTECTED]> wrote:

On Tue, 2 Jan 2007, Steven M. Bellovin wrote:
> > They took their systems offline a few weeks ago:
> >
> > http://www.fcw.com/article97160-12-19-06-Web
>
> Right -- something's definitely going on on that part of the world.
> See http://fcw.com/article97178-12-22-06-Web which talks about how DoD
> is banning HTML email (what a wonderful thought in any event!) and
> Outlook Web Access. Why? The threat level has been raised from
> Information Condition 5 to Information Condition 4 -- but they won't
> say why

why terrorists of course... :)

in all seriousness, perhaps they are doing some architectural changes to better secure their perimeter in light of (as the hawaii.edu gentleman pointed out) the internet becoming more and more critical to the common person?
Re: Regarding NDU.EDU
They took their systems offline a few weeks ago:

http://www.fcw.com/article97160-12-19-06-Web

Cheers,

- ferg

-- Robert Mathews <[EMAIL PROTECTED]> wrote:

Ladies & Gentlemen:

I thought to post here - that NDU.EDU' (National Defense University') MX record and A record seem to be missing. This has been going on for nearly TWO weeks (since before Christmas 2006)! One can reach their WEB servers.. but, all mail to NDU is presently bouncing. Technical and Admin Contacts have been unreachable over the same duration of time.

Does anyone have any idea (more than just an extemporaneous ref.) as to why this is happening? Appreciate having some insight. If you wish to reply privately, I welcome it.

All my best,
Robert.
Re: Undersea fiber cut after Taiwan earthquake - PCCW / Singtel / KT etc connectivity disrupted
Reuters AlertNet says (props, Vicky Rode):

[snip]

While a tsunami warning came to nothing, the quake damaged at least six undersea telecommunication cables, affecting users in Taiwan and South Korea, and was felt in China and Hong Kong.

[snip]

More: http://www.alertnet.org/thenews/newsdesk/TP172793.htm

- ferg

-- "Suresh Ramasubramanian" <[EMAIL PROTECTED]> wrote:

http://www.bloomberg.com/apps/news?pid=20601087&sid=aYHaxhLE4rr0&refer=home

Singapore Telecom, PCCW Say Internet Disrupted by Taiwan Quakes

By Andrea Tan

Dec. 27 (Bloomberg) -- Singapore Telecommunications Ltd., Southeast Asia's largest telephone company, and Hong Kong's PCCW Ltd. said Internet service in Asia slowed down after three earthquakes hit southern Taiwan yesterday.

``The Taiwan earthquake has affected several submarine cable systems in Asia, causing cable cuts near Taiwan late last night,'' Singapore Telecom spokesman Chia Boon Chong said by telephone today. ``Some customers might experience a slowdown in data or Internet access. Traffic diversion and restoration works are currently in progress.''

Taiwan was jolted by three earthquakes yesterday, killing two people and injuring 42 others, the island's National Fire Agency said. The tremors damaged undersea cables, causing a disruption to Internet traffic and some telephone calls in the region for customers including Singapore Telecom, PCCW, Chunghwa Telecom Co., Taiwan's biggest telephone operator, and KDDI Corp., Japan's second-largest telephone carrier.

PCCW, Hong Kong's largest phone company, said data capacity on its networks was reduced to 50 percent due to the quake. ``Data service to Japan, Taiwan, South Korea and the U.S. were affected,'' said Hans Leung, a spokesman in Hong Kong.

Two of Chunghwa Telecom's cables were damaged by the earthquake, resulting in ``near zero'' capacity for voice calls to Southeast Asia, apart from Vietnam, said Leng Tai-feng, the company's vice president of international business. ``The repairs could take two to three weeks,'' Leng said. ``We're doing our best to coordinate with other operators in the region to resolve the problem.''

Southern Taiwan

The first earthquake, which was magnitude 6.7, occurred at 8:26 p.m. local time yesterday off Taiwan's south coast, the island's Central Weather Bureau said on its Web site. The second, magnitude 6.4, happened at 8:34 p.m. and the third, magnitude 5.2, occurred at 8:40 p.m. All three were centered in the same area, the bureau said.

On Dec. 26, 2004, a magnitude 9.1 earthquake off Sumatra unleashed waves that destroyed coastal villages on the Indian Ocean from Indonesia to Sri Lanka, killing more than 220,000 people. Some of the areas have yet to recover.

KDDI said its fiber-optic undersea cable in Taiwan was damaged, affecting fixed-line services to Southeast Asia. The company is re-routing phone calls to go through the U.S. and Europe and may take several weeks to two months to repair cables that are damaged, KDDI's Tokyo-based spokesman Haruhiko Maede said.

KT Corp., South Korea's largest provider of fixed-line phone and Internet access service, said the outages affected overseas connections of the foreign ministry and Reuters, which use leased lines, said Kim Cheol Kee, a spokesman for Seongnam-based KT. KT is in discussions with foreign phone companies to redirect traffic elsewhere, Kim says.

To contact the reporter on this story: Andrea Tan in Singapore at [EMAIL PROTECTED]

Last Updated: December 26, 2006 22:57 EST

--
Suresh Ramasubramanian ([EMAIL PROTECTED])
Fwd: Re: Routing & Addressing -- activities (BOF)
In the spirit of follow-up.

- ferg

[snip]

To: IETF Announcement list
From: Brian Carpenter <[EMAIL PROTECTED]>
Date: Thu, 21 Dec 2006 02:51:18 -0500

As part of the routing and addressing activities, a BOF is planned during IETF 68, as a plenary activity (day and time to be announced later). This will be tracked in the BOF wiki at http://www1.tools.ietf.org/bof/trac/wiki

Details so far:

* ROAP
  o ROuting and Addressing Problem BOF
  o Joint with Internet Area; will be a plenary session
  o Status: preliminary discussions
  o Background: RAWS report
  o Responsible ADs: Ross Callon, Mark Townsley

Ross and Mark will be collecting proposals for the goals and content of the BOF.

___
IETF-Announce mailing list
IETF-Announce@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf-announce

[snip]
Fwd: [RAM] Routing & Addressing -- activities
d to have a lifetime of about 5 years (with an annual review of membership). The Directorate will be organized and reviewed periodically to ensure it is running smoothly and reporting on overall progress.

Specific objectives of the Directorate will be:

(i) On a continuing basis, survey existing efforts on the lines of action listed above, and facilitate discussion of effectiveness and timeliness of proposals and problem statements, etc.

(ii) Report to the IAB, IESG and the community regularly (at least once per IETF meeting) about those efforts, and highlight specific gaps or concerns about progress.

(iii) Provide feedback to IESG, IAB and IRSG on any relevant proposed activities in the area (e.g., WG or RG charters, BOF or workshop proposals, etc).

The Directorate will be charged with encouraging appropriate communication with all the identified constituencies.

Leslie & Brian, for the IAB & IESG.

___
RAM mailing list
[EMAIL PROTECTED]
https://www1.ietf.org/mailman/listinfo/ram

[snip]
Curious question on hop identity...
This may be far afield insofar as topic fodder, but I am curious if anyone knows exactly what these two hops [9] [10] below, actually are?

[snip]

[...]
  5   165 ms   161 ms   183 ms  10g-9-1-ur04.sanjose.ca.sfba.comcast.net [68.87.192.49]
  6   155 ms   156 ms   149 ms  10g-7-1-ur03.sanjose.ca.sfba.comcast.net [68.87.192.41]
  7     *        *      163 ms  10g-9-1-ar01.sfsutro.ca.sfba.comcast.net [68.87.192.37]
  8   161 ms   157 ms     *     68.87.226.130
  9   169 ms   185 ms   171 ms  12.116.90.17
 10   197 ms   198 ms   196 ms  12.122.114.66
 11   157 ms   169 ms   175 ms  ggr3-ge110.sffca.ip.att.net [12.122.82.169]
 12   145 ms   149 ms   148 ms  192.205.33.82
 13   182 ms   196 ms   209 ms  ae-2-54.bbr2.SanJose1.Level3.net [4.68.123.97]
 14   344 ms   332 ms   339 ms  as-0-0.mp2.Stockholm1.Level3.net [4.68.128.70]
 15   330 ms   343 ms   390 ms  ge-1-1.car2.Stockholm1.Level3.net [4.68.96.226]
[...]

[snip]

I have asked SBC/AT&T folks and received no reply at all...

Cheers,

- ferg
SatCom communications alert
Just as an FYI, radio communications, satellites communications, and power grids (including some SCADA systems) could face potential interruptions or damage tomorrow due to some very odd (out of cycle) solar activity.

Story here: http://www.msnbc.msn.com/id/16187534/

More: http://www.sec.noaa.gov/

Just a heads-up. They're talking about midday tomorrow (Eastern Time, I suppose)...

- ferg
Re: DNS - connection limit (without any extra hardware)
Sorry for the top-post, but wanted to retain context here.

Also, sorry for the specific product mention, but much of what is mentioned below is something that we are doing with ICSS/BASE:

http://www.trendmicro.com/en/products/nss/icss/evaluate/overview.htm

$.02,

- ferg

-- Joe Abley <[EMAIL PROTECTED]> wrote:

On 8-Dec-2006, at 11:52, Geo. wrote:

>
>> Actually, reading your reply (which is the same as my own, pretty
>> much), I figure the guy asked a question and he has a real problem.
>> Assuming he doesn't want to clean them up is not nice of us.
>
> Infected machines (bots) will cause a lot more than just DNS issues.
> Issues like this have a way of getting worse all by themselves if not
> addressed.
>
> Anyway, to play nice.. how about using a router to dampen traffic much
> like icmp dampening? Would it be possible to do DNS dampening?

I think the trouble comes when you want to limit the request rate *per client source address*, rather than limiting the request rate across the board. That implies the retention of state, and since DNS transactions are brief (and since the client population is often large) that can add up to a lot of state to keep at an aggregation point like a router.

There are some appliances which are designed to hold large amounts of state (e.g. f5's big-ip) but you're talking non-trivial dollars for that.

Beware enterprise-scale stateful firewall devices which might seem like sensible solutions to this problem. They are often not suitable for use in front of busy DNS servers (even a few hundred new flows per second is a lot for some vendors, despite the apparent marketing headroom based on the number of kbps you need to handle).

You may find that you can install ipfw (or similar) rules on your nameservers themselves to do this kind of thing. Take careful note of what happens when the client population becomes large, though -- the garbage collection ought to be smooth and painless, or you'll just wind up swapping one worm proliferation failure mode for another.

Host-based per-client rate limits scale better if there are many hosts providing service, e.g. behind a load balancer or using something like <http://www.isc.org/pubs/tn/isc-tn-2004-1.html>.

As to the wider question, cleaning up the infected hosts is an excellent goal, but it'd certainly be nice if your DNS servers continued to function while you were doing so. Having every non-infected customer phone up screaming at once can be an unwelcome distraction when you already have more man hours of work to do per day than you have (staff * 24).

Joe
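The per-client limiter Joe describes, together with the state garbage collection he warns about, as an added Python example (not code from the thread, nor from ipfw or any product mentioned in it); the source addresses, rate parameters and query records are constructed for illustration.

```python
"""Per-client DNS query rate limiting with bounded state.

Added example, not code from the original thread. It models the point
made above: limiting queries *per client source address* needs one state
entry per client, so that state has to be expired and capped, or a large
population of infected hosts turns the limiter itself into the failure
mode. All queries below are constructed, not captured traffic; timestamps
are integer milliseconds so the token arithmetic stays exact.
"""
from collections import OrderedDict


class PerClientLimiter:
    """Token bucket per source address, kept in an LRU-ordered dict."""

    def __init__(self, rate, burst, idle_timeout_ms, max_clients):
        self.rate = rate                        # queries per second
        self.burst = burst                      # bucket capacity
        self.idle_timeout_ms = idle_timeout_ms  # drop state idle this long
        self.max_clients = max_clients          # hard cap on tracked clients
        self.buckets = OrderedDict()            # src -> [tokens, last_ms]
        self.expired = 0                        # entries dropped as idle
        self.evicted = 0                        # entries dropped at the cap

    def _gc(self, now_ms):
        # Idle expiry: the oldest entries sit at the front; stop at the
        # first one still live, so GC cost is proportional to what goes.
        while self.buckets:
            src, (_, last) = next(iter(self.buckets.items()))
            if now_ms - last < self.idle_timeout_ms:
                break
            del self.buckets[src]
            self.expired += 1
        # Hard bound: a flood of new sources must not grow state without
        # limit; evict the least recently seen client to make room.
        while len(self.buckets) >= self.max_clients:
            self.buckets.popitem(last=False)
            self.evicted += 1

    def allow(self, src, now_ms):
        """Return True if a query from src at now_ms should be answered."""
        entry = self.buckets.get(src)
        if entry is None:
            self._gc(now_ms)        # only pay for GC when state would grow
            entry = [float(self.burst), now_ms]
            self.buckets[src] = entry
        else:
            tokens, last = entry
            entry[0] = min(self.burst, tokens + (now_ms - last) * self.rate / 1000.0)
            entry[1] = now_ms
            self.buckets.move_to_end(src)   # mark as most recently seen
        if entry[0] >= 1.0:
            entry[0] -= 1.0
            return True
        return False


def run(lines, limiter):
    """Feed 'ms src qname' records through the limiter in time order.
    Returns {src: (answered, dropped)}."""
    stats = {}
    for line in sorted(lines, key=lambda l: int(l.split()[0])):
        ts, src, _qname = line.split()
        ok = limiter.allow(src, int(ts))
        answered, dropped = stats.get(src, (0, 0))
        stats[src] = (answered + 1, dropped) if ok else (answered, dropped + 1)
    return stats


def sample_log():
    """Constructed traffic: one normal client, one infected host hammering
    the resolver, and 200 one-shot sources that bloat state if not expired."""
    lines = [f"{i * 2000} 192.0.2.10 www.example.net" for i in range(10)]
    lines += [f"{i * 50} 192.0.2.77 c2.example.invalid" for i in range(50)]
    lines += [f"{i * 100} 203.0.113.{i} cdn.example.org" for i in range(200)]
    lines.append("100000 192.0.2.10 www.example.net")   # normal client, later
    lines.append("100500 198.51.100.5 www.example.com")  # newcomer triggers GC
    return lines


def demo():
    limiter = PerClientLimiter(rate=5, burst=10, idle_timeout_ms=30_000, max_clients=128)
    stats = run(sample_log(), limiter)
    return stats, limiter


if __name__ == "__main__":
    stats, lim = demo()
    print("normal client answered/dropped:", stats["192.0.2.10"])
    print("infected host answered/dropped:", stats["192.0.2.77"])
    print("state expired:", lim.expired, "evicted at cap:", lim.evicted)
```

The infected host gets its burst and then only the sustained rate, the normal client is never throttled, and the one-shot sources are first capped by LRU eviction and later expired as idle, so tracked state ends at two entries rather than two hundred.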
ietf-bcp38bis mailing list [Was: RFC2827-bis comments solicitation]
As a follow-up to my previous message re: "RFC2827-bis comments solicitation", we now have a dedicated mailing list for discussion of bringing BCP38 up-to-date:

[snip]

ietf-bcp38bis mailing list

The ietf-bcp38bis mailing list is for discussing an update to BCP 38, "Network Ingress Filtering".

To subscribe to the mailing list, send a message to:

[EMAIL PROTECTED]

...with the single word 'subscribe' in the body of the message.

[snip]

The web site for this mailing list is sponsored by the VPN Consortium. If you have any suggestions for additions or corrections to this web page, please send them to paul.hoffman(at)vpnc.org.

Many thanks to Paul Hoffman for hosting the list.

- ferg

>
>First, sorry for any duplicates, but we wanted to reach all
>interested parties.
>
>After several discussions with many different folks last week
>at IETF 67 in San Diego, as well as various people over the
>course of the past few months, Dan Senie and I have decided to
>undertake an effort to "update" RFC2827/BCP38 [1].
>
>I know that I'm not the only person who has heard various
>discussions in the past couple of years that concluded that
>(paraphrased), "BCP38 needs to be updated."
>
>Now is your chance to speak up. :-)
>
>We would very much like to solicit comments & suggestions from the
>community-at-large on areas where you feel BCP38 is lacking, or in
>areas where you feel it does not properly address with regards to
>prohibiting source-spoofed traffic from any given administrative
>network boundary, given that some technical aspects of the Internet
>may have changed since its publication.
>
>While we acknowledge that a uniform application of a source address
>verification architecture/ingress filtering scheme will not mitigate
>_all_ "unwanted traffic" [2] in the Internet, it will most certainly
>address the issue of hosts which attempt to source-spoof traffic into
>the Internet.
>
>I have not set up a mailing list for this yet, but if there is
>enough discussion/input, I will make an effort to do so (or perhaps
>the SAVA mailing list [3] might be a good place for discussion). In
>the interim, you can contact me or Dan directly:
>
> Paul Ferguson: fergdawg(at)netzero.net
> Dan Senie: dts(at)senie.com
>
>
>Thanks,
>
>fergie & dan
>
>p.s. Also, for anyone who might be interested in related work,
>there is an effort to bring some additional work into the IETF
>called SAVA, or Source Address Validation Architecture [4].
>
>
>[1] http://www.rfc-editor.org/rfc/rfc2827.txt
>[2] http://www.iab.org/about/workshops/unwantedtraffic/index.html
>[3] http://www.nrc.tsinghua.edu.cn/mailman/listinfo/sava
>[4] http://www.nrc.tsinghua.edu.cn/pipermail/sava/2006-September/04.html
RFC2827-bis comments solicitation
First, sorry for any duplicates, but we wanted to reach all interested parties.

After several discussions with many different folks last week at IETF 67 in San Diego, as well as various people over the course of the past few months, Dan Senie and I have decided to undertake an effort to "update" RFC2827/BCP38 [1].

I know that I'm not the only person who has heard various discussions in the past couple of years that concluded that (paraphrased), "BCP38 needs to be updated."

Now is your chance to speak up. :-)

We would very much like to solicit comments & suggestions from the community-at-large on areas where you feel BCP38 is lacking, or in areas where you feel it does not properly address with regards to prohibiting source-spoofed traffic from any given administrative network boundary, given that some technical aspects of the Internet may have changed since its publication.

While we acknowledge that a uniform application of a source address verification architecture/ingress filtering scheme will not mitigate _all_ "unwanted traffic" [2] in the Internet, it will most certainly address the issue of hosts which attempt to source-spoof traffic into the Internet.

I have not set up a mailing list for this yet, but if there is enough discussion/input, I will make an effort to do so (or perhaps the SAVA mailing list [3] might be a good place for discussion). In the interim, you can contact me or Dan directly:

Paul Ferguson: fergdawg(at)netzero.net
Dan Senie: dts(at)senie.com

Thanks,

fergie & dan

p.s. Also, for anyone who might be interested in related work, there is an effort to bring some additional work into the IETF called SAVA, or Source Address Validation Architecture [4].

[1] http://www.rfc-editor.org/rfc/rfc2827.txt
[2] http://www.iab.org/about/workshops/unwantedtraffic/index.html
[3] http://www.nrc.tsinghua.edu.cn/mailman/listinfo/sava
[4] http://www.nrc.tsinghua.edu.cn/pipermail/sava/2006-September/04.html
Re: Call for Presentations - NANOG 39 - Toronto
Steve,

February 4-7? That would be Sunday through Wednesday... is this correct? Did I miss something at the last NANOG meeting? :-)

Thanks,

- ferg

-- Steve Feldman <[EMAIL PROTECTED]> wrote:

The North American Network Operators' Group (NANOG) will hold its 39th meeting February 4-7, 2007, in Toronto, Canada. The meeting will be co-hosted by the Toronto Internet Exchange and Teleglobe, a VSNL International company.

[snip]
Re: The Cidr Report
Indeed -- it appears to have flaked out a bit this (IETF) week. :-)

Date       Prefixes      CIDR Aggregated
04-11-06   199323        129829
05-11-06   199330        129854
06-11-06   199273        129854
07-11-06   -1077937252   129854
08-11-06   -1077936760   129854
09-11-06   672037797     129854
10-11-06   -1077937324   129854
11-11-06   134555024     129854

- ferg

-- Simon Leinen <[EMAIL PROTECTED]> wrote:

cidr-report writes:
> Recent Table History
> Date       Prefixes      CIDR Agg
> 03-11-06   199409        129843
[...]
> 10-11-06   134555024     129854

Growth of the "global routing table" really picked up pace this week! (But maybe I'm just hallucinating for having heard the report from the IAB Routing Workshop report three times in a week :-) Or the CIDR Report software has an R200K problem?

-- Simon.
Re: [c-nsp] [Re: huge amount of weird traffic on point-to-point ethernet link]
Take a look at:

http://www.cymru.com/Bogons/index.html

- ferg

-- Adrian Chadd <[EMAIL PROTECTED]> wrote:

On Thu, Nov 09, 2006, Robert Boyle wrote:

> You should also create a bogons list for your BGP routes which you
> accept from your upstream. Block all RFC1918 space and unassigned
> public addresses too. Just keep on top of it when new allocations are
> put into use. We see all kinds of crazy things which people try to
> announce (and successfully too - up to our borders anyway.)

Is there a somewhat-reliable bogon BGP feed that can be subscribed to these days?

Adrian
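The BCP38 update solicitation above and this bogon-list exchange come down to the same two router checks: on a customer-facing interface, permit only packets whose source address lies within the prefixes assigned to that customer, and never accept a route (or a source) from special-use or unallocated space. The Python simulation below is an added example, not code from either post, from the cidr-report or from Team Cymru. The customer prefix, the packet sources and the feed-supplied entry are constructed for illustration, and the static list of special-use blocks is only the fixed part of a bogon list; the unallocated space changes over time and has to come from a maintained feed, as the thread suggests.

```python
"""Simulation of BCP38-style ingress filtering plus bogon route filtering.

Added example (not from the posts above). MARTIANS holds the well-known,
static special-use blocks only; unallocated space must come from a live feed.
"""
import ipaddress
from collections import Counter
from typing import Iterable, Sequence

# Static special-use blocks that never appear as legitimate public sources.
MARTIANS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8",        # "this" network
    "10.0.0.0/8",       # RFC 1918
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local
    "172.16.0.0/12",    # RFC 1918
    "192.168.0.0/16",   # RFC 1918
    "224.0.0.0/4",      # multicast
    "240.0.0.0/4",      # reserved
)]


def bogon_list(extra: Iterable[str] = ()) -> list:
    """Static martians plus whatever a maintained bogon feed supplies."""
    return MARTIANS + [ipaddress.ip_network(p) for p in extra]


def is_bogon_source(src: str, bogons: Sequence = MARTIANS) -> bool:
    """True if the source address lies inside any bogon prefix."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in bogons)


def ingress_verdict(src: str, customer_prefixes: Iterable[str]) -> str:
    """BCP38 check for one packet arriving on a customer-facing interface.

    Only sources inside the prefixes assigned to that customer are accepted;
    anything else cannot legitimately originate on this link and is treated
    as spoofed. The check belongs at the edge, where the legitimate source
    set is known, not in a backbone.
    """
    addr = ipaddress.ip_address(src)
    for prefix in customer_prefixes:
        if addr in ipaddress.ip_network(prefix, strict=False):
            return "ACCEPT"
    return "DROP"


def route_verdict(prefix: str, bogons: Sequence = MARTIANS) -> str:
    """Reject a BGP announcement that overlaps bogon space in either
    direction, so a default route or a covering aggregate is caught too."""
    net = ipaddress.ip_network(prefix, strict=False)
    if any(net.overlaps(b) for b in bogons):
        return "REJECT"
    return "ACCEPT"


def summarize(sources: Iterable[str], customer_prefixes: Iterable[str]) -> dict:
    """Count ingress verdicts over a batch of packet source addresses."""
    return dict(Counter(ingress_verdict(s, customer_prefixes) for s in sources))


# Constructed sample data: one customer holding a single /24, four packets.
CUSTOMER_PREFIXES = ["203.0.113.0/24"]
SAMPLE_SOURCES = [
    "203.0.113.10",   # legitimate customer host
    "203.0.113.200",  # legitimate customer host
    "10.1.2.3",       # RFC 1918 source: spoofed or leaked
    "198.51.100.9",   # public address not assigned to this customer: spoofed
]
# TEST-NET-1, standing in here for an entry a live bogon feed would supply.
FEED_EXTRA = ["192.0.2.0/24"]

if __name__ == "__main__":
    print(summarize(SAMPLE_SOURCES, CUSTOMER_PREFIXES))
    for p in ("10.1.0.0/16", "0.0.0.0/0", "203.0.113.0/24"):
        print(p, route_verdict(p, bogon_list(FEED_EXTRA)))
```

The packet check and the route check are deliberately separate functions: the first needs per-interface knowledge of who is behind the link, which only the edge has, while the second is the same for every peering session and is where a feed of currently unallocated space plugs in.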
FYI: Explosions Reported At eBay PayPal Building In SJ, All Cool Now
No one injured, no operations interrupted on this, Oidhche Shamhna.

http://cbs5.com/local/local_story_305004735.html

Cheers,

- ferg
Re: advise on network security report
... Telecom |
| 4755  | 19673 | UK | VSNL-AS |
| 8764  | 19571 | LT | TELECOMLT-AS |
| 28725 | 18369 | CZ | CZ-EUROTEL-AS AS of Eurotel Praha |
| 6830  | 18360 | HU | UPC |
| 12542 | 17893 | PT | TVCABO Autonomous System |
| 9299  | 17854 | PH | IPG-AS-AP |
| 18101 | 17325 | IN | RIL-IDC Reliance Infocom Ltd Intern |
| 3257  | 16918 | DE | TISCALI-BACKBONE |
| 1257  | 16418 | FI | TELE2 AB |
| 8881  | 15944 | DE | VERSATEL |
| 5713  | 15566 | XX | Telkom SA Ltd. |
| 6855  | 15420 | SK | SK SLOVAK TELECOM, AS6855 |
| 9304  | 15311 | HK | HUTCHISON-AS-AP |
| 5391  | 14937 | EU | T-HT T-Com Croatia Internet network |
| 9583  | 14785 | IN | SIFY-AS-IN |
| 209   | 14678 | US | Qwest |
| 22047 | 14499 | XX | VTR BANDA ANCHA S.A. |
| 6849  | 14419 | EU | UKRTELNET |
| 24863 | 13616 | EU | LINKDOTNET-AS LINKdotNET AS number |
| 8167  | 13184 | BR | TELESC - Telecomunicacoes de Santa |
| 20838 | 12898 | ES | YIF-AS |
| 6400  | 12563 | XX | Codetel |
| 2860  | 12467 | PT | NOVIS Novis Telecom, S.A. |
| 13285 | 12347 | UK | OPALTELECOM-AS |
| 18403 | 12230 | VN | FPT-AS-AP The Corporation for Finan |
| 7132  | 12031 | US | SBC Internet Services |
| 20115 | 11683 | US | Charter Communications |
| 8452  | 11507 | EU | TEDATA TEDATA |
| 4230  | 11385 | BR | Embratel |
| 5384  | 10946 | EU | EMIRATES-INTERNET |
| 1221  | 10629 | AU | ASN-TELSTRA |
| 28573 | 10475 | BR | NET Servicos de Comunicao S.A. |
| 8866  | 10434 | BG | BTC-AS |
| 9506  | 10126 | SG | MAGIX-SG-AP |
| 8997  | 10123 | RU | ASN-SPBNIT SPBNIT-RU Autonomous Sys |
| 8404  | 9941  | EU | CABLECOM |
| 7693  | 9719  | TH | COMNET-TH |
| 12880 | 9663  | IR | DCI-AS |
| 6057  | 9432  | XX | Administracion Nacional de Telecomu |
| 8402  | 9224  | RU | CORBINA-AS |
| 6478  | 8943  | XX | AT&T WorldNet Services |
| 5603  | 8913  | SI | SIOL-NET SiOL Internet d.o.o. |
| 6327  | 8912  | CA | Shaw Communications Inc. |
| 3303  | 8823  | CH | SWISSCOM |
| 7552  | 8770  | VN | VIETEL-AS-AP Vietel Corporation |
| 11427 | 8757  | XX | Road Runner |
| 5466  | 8736  | IE | EIRCOM Eircom |
| 6799  | 8634  | GR | OTENET-GR OTEnet S.A. Multiprotocol |
| 10318 | 8526  | XX | CABLEVISION S.A. |
+-------+-------+----+-------------------------------------+
ICANN Registrar Policy [Was: Re: register.com down sev0?]
On a semi-related note, I feel compelled to add that it seems to be getting worse with regards to "due diligence" paid by domain registrars in how domains are being "issued", as well:

http://www.f-secure.com/weblog/#1008

- ferg

-- Jeremy Chadwick <[EMAIL PROTECTED]> wrote:

[snip]

The entire situation is depressing, solely because ICANN is doing absolutely nothing to try and stop this sort-of behaviour (both what the DROA does, and registrars selling their customers' WHOIS records to whoever bids the most for it).

[snip]
Re: register.com down sev0?
We all have our opinions, Randy. Hammers and nails being what they are...

- ferg

-- Randy Bush <[EMAIL PROTECTED]> wrote:

> what's curious, to me at least, is that folks equate 'botnet' and 'spoofed
> source attacks' more often than I'd think is reasonable. I've not got
> 'hard numbers' but almost every time the attack is determined to be
> 'botnet' it's not spoofed.
>
> Odd... (not that I'm against bcp38, I just think the distraction in
> conversation from 'bcp38 is good' to 'we must stop bots' is not helpful)

bingo! when you have religion about a hammer, everything looks like a nail.

randy
Re: register.com down sev0?
Chris,

W.R.T. #2 below: Be for real: No one ever suggested that backbone service providers attempt to ingress filter traffic -- this is an edge function.

Cheers,

- ferg

-- "Chris L. Morrow" <[EMAIL PROTECTED]> wrote:

On Thu, 26 Oct 2006, Fergie wrote:

> and co-authored -- and likewise, cannot figure out for the life of
> me, why there is such push-back from the Ops community on doing
> The Right Thing.

you could google answers from other folks but in short:

1) it doesn't always work as advertised
2) people don't always tell you the routes they hold
3) equipment vendors don't always plan properly for 'features'

Not everyone is as smart as you (both) and can manage that problem as they scale...
Re: BCP38 thread 93,871,738,435 (was Re: register.com down sev0?)
This would appear, on its face, to be an easy exercise in educating the ISPs in the foodchain. Is there reasonable enough interest with NANOG to do that? If so, I volunteer to workshop at the next NANOG. But only if there is reasonable consensus to that effect. Or someone else could do it, too. :-)

The point I'm trying to make is that if the community thinks it is valuable, then the path is clear. If not, then...

- ferg

-- Sean Donelan <[EMAIL PROTECTED]> wrote:

The only data I have is from the MIT anti-spoofing test project which has been pretty consistent for a long time. About 75%-80% of the nets, addresses, ASNs tested couldn't spoof, and about 20%-25% could. The geo-location maps don't show much difference between parts of the world. RIPE countries don't seem to be better or worse than ARIN countries or APNIC countries or so on. ISPs on every continent seem to be about the same.

http://spoofer.csail.mit.edu/summary.php

If someone finds the silver bullet that will change the remaining 25% or so of networks, I think ISPs on every continent would be interested.

On Thu, 26 Oct 2006, Fergie wrote:

> No.
>
> I think that is indicative of the problem.
>
> Don't you?
>
> -- Sean Donelan <[EMAIL PROTECTED]> wrote:
> On Thu, 26 Oct 2006, Fergie wrote:
>> I don't want to detract from the heat of this discussion, as
>> important as it is, but it (the discussion) illustrates a point
>> that RIPE has recognized -- and is actively perusing -- yet, ISPs
>> on this continent seem consistently to ignore: The consistent
>> implementation of BCP 38.
>>
>> It is nothing less than irresponsible, IMO...
>>
>> Why _is_ that?
>
> Do you have any data concerning the actual consistent deployment of
> BCP38++ in different parts of the world?
Re: BCP38 thread 93,871,738,435 (was Re: register.com down sev0?)
Actually, I misspoke earlier, but not quite. ;-)

Rob Beverly has an ongoing project which I have wholly endorsed, but it has gotten relatively little attention:

http://spoofer.csail.mit.edu/

I would highly recommend that folks who choose to do so, please participate. :-)

- ferg

p.s. Statistics available: http://spoofer.csail.mit.edu/summary.php

-- Sean Donelan <[EMAIL PROTECTED]> wrote:

On Thu, 26 Oct 2006, Fergie wrote:

> I don't want to detract from the heat of this discussion, as
> important as it is, but it (the discussion) illustrates a point
> that RIPE has recognized -- and is actively perusing -- yet, ISPs
> on this continent seem consistently to ignore: The consistent
> implementation of BCP 38.
>
> It is nothing less than irresponsible, IMO...
>
> Why _is_ that?

Do you have any data concerning the actual consistent deployment of BCP38++ in different parts of the world?
Re: register.com down sev0?
Randy,

I don't think I implied anything of the sort. I did, however, pipe up when a BCP is mentioned that I endorse, and co-authored -- and likewise, cannot figure out for the life of me, why there is such push-back from the Ops community on doing The Right Thing.

Having said that, botnets don't need to spoof addresses -- the sheer dispersion of geographic and AS infection base renders the whole point of spoofing almost moot.

And having said that, it doesn't make BCP 38 any less valid.

- ferg

-- Randy Bush <[EMAIL PROTECTED]> wrote:

> I don't want to detract from the heat of this discussion, as
> important as it is, but it (the discussion) illustrates a point
> that RIPE has recognized -- and is actively perusing -- yet, ISPs
> on this continent seem consistently to ignore: The consistent
> implementation of BCP 38.

oh? you have knowledge that this botnet attack used spoofed source addresses?

randy
Re: BCP38 thread 93,871,738,435 (was Re: register.com down sev0?)
No.

I think that is indicative of the problem.

Don't you?

- ferg

-- Sean Donelan <[EMAIL PROTECTED]> wrote:

On Thu, 26 Oct 2006, Fergie wrote:

> I don't want to detract from the heat of this discussion, as
> important as it is, but it (the discussion) illustrates a point
> that RIPE has recognized -- and is actively perusing -- yet, ISPs
> on this continent seem consistently to ignore: The consistent
> implementation of BCP 38.
>
> It is nothing less than irresponsible, IMO...
>
> Why _is_ that?

Do you have any data concerning the actual consistent deployment of BCP38++ in different parts of the world?
Re: 10,352 active botnets (was Re: register.com down sev0?)
Jose's numbers are conservative. Given some mathematical acrobatics, I'd suggest examining some of the (shocking) numbers in Microsoft's Security Intelligence Report (Google it) -- these are reflective:

"Of the 4 million computers cleaned by the company's MSRT (malicious software removal tool), about 50 percent (2 million) contained at least one backdoor Trojan. While this is a high percentage, Microsoft notes that this is a decrease from the second half of 2005. During that period, the MSRT data showed that 68 percent of machines cleaned by the tool contained a backdoor Trojan."

Ref: http://www.eweek.com/article2/0,1759,2036439,00.asp

If you're wondering why DDoS attacks are so effective, look no further than your backyard.

- ferg

-- Sean Donelan <[EMAIL PROTECTED]> wrote:

On Thu, 26 Oct 2006, [EMAIL PROTECTED] wrote:

> Well, let's talk about "worst-case ddos". Let's say, 50mpps (I have not
> heard of ddos larger that that number). Let's say, you can sink/filter
> 100kpps on each box (not unreasonable on higher-end box with nsd). That
> means, you should be able to filter this attack with ~500 servers,
> appropriately place. Say, because you don't know where the attack will
> come in, you need 4 times more the estimated number of servers, that's
> 2000 servers. That's not entirely unreasonable number for a large enough
> company.

Botnets were the topic at today's Info Security conference in New York City. <http://www.infosecurityevent.com>

Coincidences? Or just as random as your iPod shuffle?

Jose Nazario estimated that there were 10,352 botnets active on the Internet earlier this year. You will probably always be outnumbered on the public Internet.
Re: register.com down sev0?
I don't want to detract from the heat of this discussion, as important as it is, but it (the discussion) illustrates a point that RIPE has recognized -- and is actively perusing -- yet, ISPs on this continent seem consistently to ignore: The consistent implementation of BCP 38.

It is nothing less than irresponsible, IMO...

Why _is_ that?

- ferg

-- "Patrick W. Gilmore" <[EMAIL PROTECTED]> wrote:

[snip]

There is no single "appropriately[sic] place" which can absorb 50Mpps. If you meant "appropriately placed" (as in topologically dispersed locations), a well crafted attack could still guarantee _at least_ a partial DoS from an end user PoV. It is essentially impossible to distinguish end-user requests from (im)properly created DoS packets (especially until BCP38 is widely adopted - i.e. probably never). Since there is no single place - no 13 places - which can withstand a well crafted DoS, you are guaranteed that some users will not be able to reach any of your listed authorities. This is not speculation, this is fact.

All a good provider can do, even with 1000s of server, is minimize the impact of any DoS.

[snip]
Re: CO fire St. Johns Newfoundland
Bet it wasn't as bizarre as the fire tonight at Ft. Meade:

http://www.msnbc.msn.com/id/15354940/

- ferg

-- Dan Armstrong <[EMAIL PROTECTED]> wrote:

I bet it was set by the codfather. :-)

Sean Donelan wrote:
>
> Its been a while since the last big telephone central office fire.
>
> 100,000+ lines are out of service in St. John's Newfoundland (Canada,
> the other part of North America).
In Memoriam: Abha Ahuja
Five years ago today. I miss her. She was a great friend.

http://fergdawg.blogspot.com/2006/10/in-memoriam-abha-ahuja.html

- ferg
Re: Refusing Pings on Core Routers??? A new trend?
IIRC, this is not news.

- ferg

-- "Rubens Kuhl Jr." <[EMAIL PROTECTED]> wrote:

> template response -- I hear is "Well, you can't rely on traceroute
> because of ICMP prioritisation". When you start to explain how
> traceroute actually works (both ICMP-based and UDP-based (which
> still relies on ICMP responses, of course!)), and that ICMP prio
> should only affect the IP of which the router listens on (and not
> hops beyond or at the dest), most NOCs fire back with another

If I recall well, Cisco GSRs impose low priority and/or limits for all ICMP traffic flowing thru the box, not just packets to/from router itself, and there's not a knob to adjust that.

Also of notice is that packets that expire TTL needs some kind of low-path processing, and will be subject to increased latency or loss compared to normal ones, and this affects every tool to trace packets thru the network I've seen.
Re: RFC2468
"A name indicates what we seek. An address indicates where it is. A route indicates how we get there." - RFC 791, Internet Protocol (September 1981), Editor: Jon Postel - ferg -- "Scott Weeks" <[EMAIL PROTECTED]> wrote: : 8 years ago today was the beginning of the end. Not to disagree as many of you knew him, but the RFC says, "He would remind us that there is still much work to be done and that we now have the responsibility and the opportunity to do our part. Let's keep getting busy with it... ;-) scott -- "Fergie", a.k.a. Paul Ferguson Engineering Architecture for the Internet fergdawg(at)netzero.net ferg's tech blog: http://fergdawg.blogspot.com/
RE: 200K prefixes - Weekly Routing Table Report
I'll bet you nickels to doughnuts that it won't make much of a difference -- in the fact that too many end-ASs originate specifics to attempt to "engineer" their traffic.

- ferg

-- "Alex Rubenstein" <[EMAIL PROTECTED]> wrote:

> > Maybe reboot all our routers at once or something?
>
> Who wants to go first...? Then again, maybe better not...
>
> philip
> --
>

I suspect if we do this, when things 'come back up', we'll be under 200k.
Re: 200K prefixes - Weekly Routing Table Report
Somehow it seems appropriate for today: Friday the 13th. :-)

- ferg

-- "Patrick W. Gilmore" <[EMAIL PROTECTED]> wrote:

On Oct 13, 2006, at 2:02 PM, Routing Analysis Role Account wrote:

> Routing Table Report 04:00 +10GMT Sat 14 Oct, 2006
>
> Analysis Summary
>
> BGP routing table entries examined: 200339
> Prefixes after maximum aggregation: 108814

Shall we all have a moment of silence for 200K prefixes in the global table.

Maybe reboot all our routers at once or something?

--
TTFN,
patrick
Re: Broadband ISPs taxed for "generating light energy"
Is it April 1st already? :-)

- ferg

-- Suresh Ramasubramanian <[EMAIL PROTECTED]> wrote:

.. because they provide internet over fiber optic cables, which work by sending pulses of light down the cable to push packets ..

http://www.hindu.com/2006/10/10/stories/2006101012450400.htm

So they get slapped with tax + penalties of INR 241.8 million.

[snip]
Re: Experiences on dampening
No idea w.r.t. SIP, but I assume that you have seen this?

"BGP Route Flap Dampening Considered Harmful"
http://www.ripe.net/docs/ripe-378.html

- ferg

-- "J. Oquendo" <[EMAIL PROTECTED]> wrote:

Hey all, attempting to assess something related to networking but it's on the SIP/telephony side of things. I'd like to know how many have had success and failures with route dampening. Purpose of this question is, I'm wondering about a method a VoIP PBX could take similar to BGP's dampening where the following would occur:

SIPUSER REGISTER (SEND SIPINFO + IP_INFO) --> Server

If SIPUSER decides to either REGISTER, INVITE, SUBSCRIBE, etc., in an insane amount of time, VoIP PBX would take action on it. Give SIPUSER an initial penalty and increment it justly however, it *cannot* be address based. It would likely be two predefined variables.

Overall I just would like to know experiences, pros and cons, with dampening. Thanks in advance.
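For the dampening idea in the quoted question, here is an added example (not from the post, from any PBX, or from the RIPE document) that carries the mechanics of BGP route-flap dampening over to SIP requests: every REGISTER, INVITE or SUBSCRIBE from a user adds a fixed penalty, the penalty decays exponentially with a half-life, requests are refused once it crosses a suppress threshold, and they are admitted again once it has decayed below a reuse threshold. It is keyed on the SIP identity rather than the source address, as the question asks. The parameter values, the user names and the event trace are constructed for illustration; the cap on the maximum penalty is what bounds how long a client can stay locked out, which matters because a legitimate client that was unreachable for a while and then retries in a burst looks exactly like a flapping one, the kind of over-aggressive suppression the RIPE document above warns about on the BGP side.

```python
"""Penalty-based dampening of SIP request storms, modelled on BGP route-flap
dampening: fixed penalty per event, exponential decay with a half-life,
suppress and reuse thresholds, and a cap on the maximum suppress time.

Added example; parameter values and the event trace are constructed.
"""
from dataclasses import dataclass


@dataclass
class _State:
    penalty: float
    last_update: float
    suppressed: bool = False


class RequestDampener:
    def __init__(self, penalty=1000.0, half_life=15.0,
                 suppress_threshold=2000.0, reuse_threshold=750.0,
                 max_suppress=60.0):
        self.penalty = penalty                    # added per REGISTER/INVITE/...
        self.half_life = half_life                # seconds for the penalty to halve
        self.suppress_threshold = suppress_threshold
        self.reuse_threshold = reuse_threshold
        # Highest penalty that still decays to the reuse threshold within
        # max_suppress seconds; capping here bounds the lockout of a user.
        self.max_penalty = reuse_threshold * 2 ** (max_suppress / half_life)
        self._states = {}

    def _decay(self, st, now):
        """Apply exponential decay since the last update and release the
        user once the penalty has fallen below the reuse threshold."""
        elapsed = max(0.0, now - st.last_update)
        st.penalty *= 0.5 ** (elapsed / self.half_life)
        st.last_update = now
        if st.suppressed and st.penalty < self.reuse_threshold:
            st.suppressed = False

    def record(self, user, now):
        """Account for one request from `user` at time `now` (seconds).
        Returns True if the request should be refused."""
        st = self._states.setdefault(user, _State(0.0, now))
        self._decay(st, now)
        st.penalty = min(st.penalty + self.penalty, self.max_penalty)
        if st.penalty >= self.suppress_threshold:
            st.suppressed = True
        return st.suppressed

    def is_suppressed(self, user, now):
        st = self._states.get(user)
        if st is None:
            return False
        self._decay(st, now)
        return st.suppressed

    def current_penalty(self, user, now):
        st = self._states.get(user)
        if st is None:
            return 0.0
        self._decay(st, now)
        return st.penalty


def simulate(events, dampener=None):
    """Run a (user, time, method) trace; return (user, time, method, refused)."""
    d = dampener or RequestDampener()
    return [(u, t, m, d.record(u, t)) for (u, t, m) in events]


# Constructed trace: alice re-REGISTERs every second, bob registers once.
SAMPLE_EVENTS = [
    ("sip:alice@example.com", 0.0, "REGISTER"),
    ("sip:alice@example.com", 1.0, "REGISTER"),
    ("sip:alice@example.com", 2.0, "REGISTER"),
    ("sip:bob@example.com", 2.0, "REGISTER"),
]

if __name__ == "__main__":
    for user, t, method, refused in simulate(SAMPLE_EVENTS):
        print(f"t={t:4.1f} {user:24} {method:9} {'REFUSED' if refused else 'ok'}")
```

With these values a user is refused on the third request inside two seconds, stays refused for roughly half a minute of silence, and can never be locked out for more than about a minute regardless of how long the storm lasted; the two thresholds and the half-life are the "predefined variables" the question mentions, and tuning them is the whole trade-off between catching a runaway client and punishing a healthy one.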
Re: Google Outage Yesterday
Elijah:

http://www.macworld.com/news/2006/09/27/comcast/index.php

- ferg

-- Elijah Savage <[EMAIL PROTECTED]> wrote:

http://www.ipdemocracy.com/archives/2006/09/27/#001985

I have not seen this show up on the list yet neither have I seen any public statements released. It is being passed on as a comcast problem but I know of others with connectivity as well as myself that has no connectivity at all with comcast.

[snip]