Re: Problems sending mail to yahoo?
of abuse might be useful for large providers, but since we can't even get many domains to set up the already-specified abuse@ address, much less read the mail we send to it, when someone like AOL offloads their user complaints of spams to all the abuse@ addresses instead of verifying that they actually are spams before sending off complaints, is it any surprise that everyone else is refusing to do their jobs for them? The reason abuse@ addresses are useless is that what is being sent to them is useless. George Roettger Netlink Services
RE: FW: ISPs slowing P2P traffic...
> As long as we're keeping up this metaphor, P2P is the fat man who says

Guys, according to wikipedia over 70 million people fileshare http://en.wikipedia.org/wiki/Ethics_of_file_sharing That's not the fat man, that's a significant portion of the market. Demand is changing, meet the new needs or die at the hands of your customers. It's not like you have a choice. The equipment makers need to recognize that it's no longer a one size fits all world (where download is the most critical) but instead that the hardware needs to adjust the available bandwidth to accommodate the direction data is flowing at that particular moment. Hopefully some of them monitor this list and are getting ideas for the next generation of equipment. George Roettger Netlink Services
Re: ISPs slowing P2P traffic...
The vast majority of our last-mile connections are fixed wireless. The design of the system is essentially half-duplex with an adjustable ratio between download/upload traffic. This in a nutshell is the problem, the ratio between upload and download should be 1:1 and if it were then there would be no problems. Folks need to stop pretending they aren't part of the internet. Setting a ratio where upload:download is not 1:1 makes you a leech. It's a cheat designed to allow technology companies to claim their devices provide more bandwidth than they actually do. Bandwidth is 2 way, you should give as much as you get. Making the last mile an 18x unbalanced pipe (ie 6mb down and 384K up) is what has created this problem, not file sharing, not running backups, not any of the things that require up speed. For the entire internet up speed must equal down speed or it can't work. You can't leech and expect everyone else to pay for your unbalanced approach. Geo.
Re: Can P2P applications learn to play fair on networks?
The problem is that ISPs work under the assumption that users only use a certain percentage of their available bandwidth, while (some) users work under the assumption that they get to use all their available bandwidth 24/7 if they choose to do so. My home dsl is 6mb/384k, so what exactly is the true cost of a dedicated 384K of bandwidth? I mean what you say would be true if we were talking download but for most dsl up speed is so insignificant compared to downspeed I have trouble believing that the true cost for 24x7 isn't being paid. It's just that some of the cable services are offering more up speed (1mb plus) and so are getting a disproportionate amount of fileshare upload traffic (if a download takes X minutes, more is uploaded by a source on a 1mb upload pipe compared to a 384k upload pipe, so the upload totals are greater for the cable isp). Geo. George Roettger Netlink Services
RE: BitTorrent swarms have a deadly bite on broadband nets
> > Seems to me a programmer setting a default schedule in an
> > application is far simpler than many of the other suggestions I've
> > seen for solving this problem.
>
> End users do not have any interest in saving ISP upstream
> bandwidth, they also have no interest in learning

so setting defaults in popular software, for example RFC1918 space zones in MS DNS server, can make all the difference in the world. This way, the bulk of filesharing would have the defaults set to minimize use during peak periods and still allow the freedom on a per user basis to change that. Most would not simply because they don't know about it. The effects of such a default could be considerable. Also if this default stepping back during peak times only affected upload speeds, the user would never notice, in fact if they did notice they would probably like that it allows them more bandwidth for browsing and sending email during the hours they are likely to use it. I fail to see a downside? Geo.
RE: BitTorrent swarms have a deadly bite on broadband nets
> Actually, it sounds a lot like the Electric7 tariffs found in the UK for
> electricity. These are typically used by low income people who have less
> education than the average population. And yet they can understand the
> concept of saving money by using more electricity at night.

I can't comment on MPLS or DSCP bits but the concept of night-time on the internet I found interesting. This would be a localized event as night moved around the earth. If the scheduling feature in many of the fileshare applications were preset to run full bore during late night hours and back off to 1/4 speed during the day I wonder how that might affect both the networks and the ISPs. Since the far side of the planet would be on the opposite schedule from each other, that might also help to localize the traffic from fileshare networks. Seems to me a programmer setting a default schedule in an application is far simpler than many of the other suggestions I've seen for solving this problem. Geo. George Roettger Netlink Services
RE: Can P2P applications learn to play fair on networks?
> Would stronger topological sharing be beneficial? If so, how do you
> suggest end users software get access to the information required to
> make these decisions in an informed manner?

I would think simply looking at the TTL of packets from its peers should be sufficient to decide who is close and who is far away. The problem comes in do you pick someone who is 2 hops away but only has 12K upload or do you pick someone 20 hops away but who has 1M upload? I mean obviously from the point of view of a file sharer, it's speed not location that is important. Geo. George Roettger Netlink Services
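The TTL-based distance estimate suggested above, worked through as an added example (not code from the original post). The hop estimate relies on senders starting at one of the conventional initial TTLs (64, 128, 255); the peer table and the speed-versus-distance scoring rule are constructed for this illustration and are assumptions, not anything the thread specifies.

```python
"""Estimate peer distance from the IP TTL of received packets and weigh it against
upload speed. Added example; not from the original post. INITIAL_TTLS is the usual
set of OS defaults; SAMPLE_PEERS and score_peer() are constructed assumptions."""

# A packet arriving with TTL t was most likely sent with the nearest initial TTL >= t,
# so the router count is roughly (initial - t). This is a heuristic: tunnels and
# middleboxes can rewrite TTLs, and a few systems use other initial values.
INITIAL_TTLS = (64, 128, 255)

def estimate_hops(observed_ttl):
    """Return the estimated number of routers between us and the sender."""
    if not 1 <= observed_ttl <= 255:
        raise ValueError("TTL must be in 1..255")
    for initial in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial - observed_ttl
    raise AssertionError("unreachable: 255 covers every valid TTL")

def score_peer(upload_kbps, hops, hop_penalty=0.0):
    """Constructed scoring rule: upload speed discounted by estimated distance.
    hop_penalty=0 means 'speed only'; larger values favour nearby peers."""
    return upload_kbps / (1.0 + hop_penalty * hops)

def rank_peers(peers, hop_penalty=0.0):
    """peers: iterable of (name, observed_ttl, upload_kbps).
    Returns [(name, estimated_hops)] with the preferred peer first."""
    scored = []
    for name, ttl, upload in peers:
        hops = estimate_hops(ttl)
        scored.append((score_peer(upload, hops, hop_penalty), name, hops))
    scored.sort(reverse=True)
    return [(name, hops) for _, name, hops in scored]

# Constructed peers mirroring the question in the post: 2 hops/12K vs 20 hops/1M.
SAMPLE_PEERS = [
    ("near-slow", 62, 12),     # initial TTL 64, 2 hops away, 12 kbit/s up
    ("far-fast", 108, 1000),   # initial TTL 128, 20 hops away, 1 Mbit/s up
    ("mid", 245, 300),         # initial TTL 255, 10 hops away, 300 kbit/s up
]

if __name__ == "__main__":
    for penalty in (0.0, 0.5, 5.0):
        print(f"hop_penalty={penalty}: {rank_peers(SAMPLE_PEERS, penalty)}")
```

With this rule the fast distant peer wins even under a heavy hop penalty, which is the poster's point that speed dominates location for the downloader; the ISP's interest (keeping traffic local) would need a rule that caps rather than discounts upload speed.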
Re: Can P2P applications learn to play fair on networks?
> H... me wonders how you know this for fact? Last time I took the time to snoop a running torrent, I didn't get the impression it was pulling packets from the same country as I, let alone my network neighbors.

That would be totally dependent on what tracker you use. Geo.
Re: Can P2P applications learn to play fair on networks?
> One of the things to remember is that many customers are simply looking for Internet access, but couldn't tell a megabit from a mackerel.

That may have been true 5 years ago, it's not true today. People learn.

> Here's an interesting issue. I recently learned that the local RR affiliate has changed its service offerings. They now offer 7M/512k resi for $45/mo, or 14M/1M for $50/mo (or thereabouts, prices not exact). Now, does anybody really think that the additional capacity that they're offering for just a few bucks more is real, or are they just playing the numbers for advertising purposes?

Windstream offers 6m/384k for $29.95 and 6m/768k for $100, does that answer your question? What is comcast's upspeed, is it this low or is comcast's real problem that they offer 1m or more of upspeed for too cheap a price? Hmmm.. perhaps it's not the customers who don't know a megabit from a mackerel but instead perhaps it's comcast who thinks customers are stupid and as a result they've ended up with the people who want upspeed? Geo. George Roettger Netlink Services
Re: Can P2P applications learn to play fair on networks?
> Surely one ISP out there has to have investigated ways that p2p could co-exist with their network..

Some ideas from one small ISP. First, fileshare networks drive the need for bandwidth, and since an ISP sells bandwidth that should be viewed as good for business because you aren't going to sell many 6mb dsl lines to home users if they just want to do email and browse. Second, the more people on your network running fileshare network software and sharing, the less backbone bandwidth your users are going to use when downloading from a fileshare network because those on your network are going to supply full bandwidth to them. This means that while your internal network may see the traffic your expensive backbone connections won't (at least for the download). Blocking the uploading is a stupid idea because now all downloading has to come across your backbone connection. Uploads from your users are good, this is the traffic that everyone looks for when looking for peering partners. Ok now all that said, the users are going to do what they are going to do. If it takes them 20 minutes or 3 days to download a file they are still going to download that file. So it's like the way people thought back in the old dialup days when everyone said you can't build megabit pipes on the last mile because the network won't support it. People download what they want then the bandwidth sits idle. Nothing you do is going to stop them from using the internet as they see fit so either they get it fast or they get it slow but the bandwidth usage is still going to be there and as an ISP your job is to make sure supply meets demand. If you expect them to pay for 6mb pipes, they better see it run faster than it does on a 1.5mb pipe or they are going to head to your competition. Geo. George Roettger Netlink Services
RE: airfrance.com
> AF has country-specific front pages. Airfrance.com, the generic
> corporate site, is OK from here; Airfrance.us is reachable from London
> (if you lie:-)) but extremely slow loading. Airfrance.fr is OK.
> Airfrance.co.uk is slow but OK.

So far everyone who responded has managed to get the site to come up. When I go to www.airfrance.com from anywhere in my network 216.144.0.0/18 I simply get a timeout using anything including telnet to port 80, see below

 15   297ms   299ms   299ms  pos9-0.ncmar302.Marseille.francetelecom.net [193.252.101.53]
 16   300ms   295ms   300ms  pos-4-0.marg2.marseille.raei.francetelecom.net [193.253.14.102]
 17   306ms   301ms   296ms  atm-6-0-0-732.sph2.sophia.raei.transitip.francetelecom.net [81.52.15.234]
 18   306ms   298ms   307ms  81.54.114.30
 19     *       *       *    Request timed out.
 20     *       *       *    Request timed out.
 21     *       *       *    Request timed out.
 22 ^C

g:\>telnet 193.57.244.15 80
Connecting To 193.57.244.15...Could not open a connection to host on port 80 : Connect failed

If anyone has any ideas I'm all eyes. George Roettger Netlink Services www.nls.net
airfrance.com
I was wondering if a few folks on this list could look at a problem I'm seeing. I've poked around most of yesterday and this morning and initially I thought it was a dns problem but it appears to me that www.airfrance.com is blocking a whole lot of the IP space in the US from accessing their website. Using proxy servers I find that the ATT network and my network are both blocked but roadrunner can access their website. Can you? Can a few of you check from wherever you are and see if I'm correct in my assessment of the problem? George Roettger Netlink Services www.nls.net
Re: death of the net predicted by deloitte -- film at 11
10 or 1000 channels it's going to be better than not using it. I don't see the logic in using it for nothing because it's not good for some things. Multicast isn't going to help the phoneco atm network. Whatever model emerges will only work if it works all the way to the end user. If you have a weak link in the chain then the chain breaks and right now that weak link is the last 2 miles. You can't pump gigE bandwidth speed over a DS3 to a dslam because you have 65 users watching HD content at 6pm. But if you accept that the average user only watches 3-6 hours of HDTV per day, you can spread the load out over 24 hours and the effects on available bandwidth can be reduced. The TIVO model appears to have an advantage for the viewer (a large archive to select from) and for the phoneco's and ISP's at the customer end. Geo.
Re: death of the net predicted by deloitte -- film at 11
> a point in the technology relatively soon where a movie can be shipped across the net for about the same cost as postage today.

You mean like fileshare networks have been doing for years now? The delivery model is already functional. Geo.
Re: death of the net predicted by deloitte -- film at 11
> do what google is presumably doing (lots of fiber), or would they put some capital and preorder into IDMR?

IDMR is great if you're a broadcaster or a backbone, but how does it help the last 2 miles, the phoneco ATM network or the ISP network where you have 10k different users watching 10k different channels? I'm not sure if it would help with a multinode replication network like what google is probably up to either (which explains why they want dedicated bandwidth, internode replication solves the backup problems as well). Also forgetting that bandwidth issue for a moment, where is the draw that makes IPTV better than cable or satellite? I mean come on guys, if the world had started out with IPTV live broadcasts over the internet and then someone developed cable, satellite, or over the air broadcasting, any of those would have been considered an improvement. IPTV needs something the others don't have and a simple advantage is that of an archive instead of broadcast medium. The model has to be different from the broadcast model or it's never going to fly. A TIVO type setup with a massive archive of every show so you can not only watch this week's episode but you can tivo download any show from the last 6 years worth of your favorite series is one heck of a draw over cable or satellite and might be enough to motivate the public to move to a different service. A better tivo than tivo. As for making money, just stick a commercial on the front of every download. How many movies are claimed downloaded on the fileshare networks every week? Geo.
Re: death of the net predicted by deloitte -- film at 11
> :-). however, you did seem to miss the hue and cry about how ALL YOUR BASE ARE BELONG TO GOOGLE now. a smattering of this can be found at:

Has anyone considered that perhaps google is not looking at beating Microsoft but instead at beating TIVO, ABC, CBS, Warner Cable, etc? You can't possibly believe that there is enough bandwidth to stream High Def video to everyone, that's just not going to happen any time soon. However, as the file share networks have proven, it is possible to download that content en masse today with today's last mile. Download it over time to watch it when you want to, the internet version of TIVO. That's where I think Google is headed with the dark fiber and massive storage containers. The fiber lets them get content to local points across the internet, like a great big fileshare network except with google in control so they can promise media producers that the material will be downloaded with commercials in the downloads. All you need is someone like Cisco to team with who can produce a network consumer DVD player capable of assuming the role of a physical tivo box, say something like the kiss technology DP-600 box (cisco bought kiss last year) that the MPAA loves so much (MPAA bought thousands of them for their own purposes) and presto things are suddenly taking a whole new shape and direction. So now you get a choice, buy a new HD TV tuner or buy a new DVD player that does standard or HD tv even after the over the air broadcast change happens in the US. All your base indeed.. no hue required. George Roettger Netlink Services
RE: DNS - connection limit (without any extra hardware)
> Actually, reading your reply (which is the same as my own, pretty much), I
> figure the guy asked a question and he has a real problem. Assuming he
> doesn't want to clean them up is not nice of us.

Infected machines (bots) will cause a lot more than just DNS issues. Issues like this have a way of getting worse all by themselves if not addressed. Anyway, to play nice.. how about using a router to dampen traffic much like icmp dampening? Would it be possible to do DNS dampening? Geo.
RE: DNS - connection limit (without any extra hardware)
I know this is kind of a crazy idea but how about making cleaning up all these infected machines the priority as a solution instead of defending your dns from your infected clients. They not only affect you, they affect the rest of us so why should we give you a solution to your problem when you don't appear to care about causing problems for the rest of us? George Roettger

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Luke
Sent: Friday, December 08, 2006 9:41 AM
To: [EMAIL PROTECTED]
Subject: DNS - connection limit (without any extra hardware)

Hi, as a consequence of a virus diffused in my customer-base, I often receive big bursts of traffic on my DNS servers. Unluckily, a lot of clients start to bomb my DNSs at a certain hour, so I have a distributed tentative of denial of service. I can't blacklist them on my DNSs, because the infected clients are too much. For this reason, I would like that a DNS could respond to a maximum of 10 queries per second from every single IP address. Does anybody know a solution, just using iptables/netfilter/kernel tuning/BIND tuning, without using any hardware traffic shaper? Thanks Best Regards Luke
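The per-client ceiling Luke asks for (and the "DNS dampening" idea in the reply above) is a per-source-IP rate limit. The following is an added example, not code from the thread: a sliding-window limiter replayed over constructed query log lines, so you can see which queries a 10-per-second-per-IP policy would drop and which a normal client keeps. The log format, addresses and query names are constructed for the illustration.

```python
"""Per-source-IP DNS query rate limiting, simulated on constructed query log lines.
Added example; not from the original thread. The log format and the sample
addresses are constructed for this illustration."""
from collections import defaultdict, deque

LIMIT_PER_SEC = 10   # the ceiling asked for in the post: 10 queries/second per client IP
WINDOW_SEC = 1.0

class PerSourceLimiter:
    """Sliding-window limiter: at most `limit` accepted queries per source per `window` seconds.
    Rejected queries are not recorded, so a flooding client never extends its own window."""
    def __init__(self, limit=LIMIT_PER_SEC, window=WINDOW_SEC):
        self.limit = limit
        self.window = window
        self.accepted_times = defaultdict(deque)  # src -> timestamps of accepted queries

    def allow(self, src, now):
        times = self.accepted_times[src]
        while times and now - times[0] >= self.window:
            times.popleft()               # drop entries that fell out of the window
        if len(times) >= self.limit:
            return False
        times.append(now)
        return True

def parse_line(line):
    """Constructed log format: '<seconds> <client-ip> <qname>'."""
    ts, src, qname = line.split()
    return float(ts), src, qname

def filter_queries(lines, limit=LIMIT_PER_SEC, window=WINDOW_SEC):
    """Replay chronological log lines through the limiter.
    Returns (accepted [(src, qname)], dropped_count_per_src)."""
    limiter = PerSourceLimiter(limit, window)
    accepted, dropped = [], defaultdict(int)
    for ts, src, qname in map(parse_line, lines):
        if limiter.allow(src, ts):
            accepted.append((src, qname))
        else:
            dropped[src] += 1
    return accepted, dict(dropped)

# Constructed sample: one infected client firing 25 queries in half a second, then one
# more at t=1.5s; one normal client asking three questions spread over a second.
SAMPLE_LOG = [f"{i * 0.02:.2f} 10.1.2.3 bot-update.example.test" for i in range(25)]
SAMPLE_LOG += ["1.50 10.1.2.3 bot-update.example.test",
               "0.10 10.9.9.9 www.example.test",
               "0.50 10.9.9.9 mail.example.test",
               "0.90 10.9.9.9 ns.example.test"]
SAMPLE_LOG.sort(key=lambda line: float(line.split()[0]))

if __name__ == "__main__":
    ok, dropped = filter_queries(SAMPLE_LOG)
    print(f"accepted {len(ok)} queries, dropped per source: {dropped}")
```

On the sample, the infected client gets its first 10 queries through, loses the next 15, and is served again once a full second has passed; the normal client is untouched. In netfilter terms this is what the `hashlimit` match in `srcip` mode does for UDP port 53, with the same caveat that applies to any per-source limit on UDP: a spoofed source address is charged to whoever it spoofs, so the limit belongs close to the clients (where source addresses are trustworthy) rather than on a server that faces the whole internet.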
af.mil contact
If anyone has a contact for the dns folks over at af.mil could you please inform them that their authoritative DNS servers have no A records so their zone is failing to resolve for many people who have enabled anti-dnscache poisoning features. George Roettger Netlink Services
RE: MEDIA: ICANN rejects .xxx domain
> Why?
>
> If we can corral them in it and legislate to have no porn anywhere
> else than on .xxx ... should fix the issue for the prudes out there.

Because once you separate them out, the government is free to slap a tax on .xxx websites. Geo.
Contact at chase.com
Anyone here from chase.com? http://dnsreport.com/tools/dnsreport.ch?domain=chaseonline.chase.com If so please pass that on to your dns folks. It's causing problems for people who have dns anti cache poisoning enabled. George Roettger Netlink
RE: DNS Amplification Attacks
> Recursion the way it is set now with most DNS implementations, is the
> problem being exploited by spoofing. It is true spoofing is bad for our
> health, but that does not mean we should ignore what actually gets
> exploited, which is recursive name servers open to the world.
>
> Fixing the one does not mean we shouldn't fix the other.

But fixing recursion also fixes the internet (fixes as in how you fix a dog) in that he who controls the DNS controls the net. Fixing DNS is going to hand over strict control to governments because now they can prevent you from resolving anything they don't want you to resolve. It also severely cuts into redundancy functions on the net. I realize even if we eliminate spoofing completely, dns can still be used to flood, but so can any other shared function on the net. We closed open relays, but I can still flood you with emails by doing a joe-job; that is a good example. At some point we really need to look at this and ask ourselves is it worth what we must give up in order to eliminate some attack vector and isn't there a better way that doesn't involve us giving up so much. I think in this case the answer is maybe there is a better way, eliminate spoofing or eliminate udp use in recursive dns queries are valid options. So in answer to the last part of the above quote, maybe we shouldn't fix the other. (just something to consider) George Roettger Netlink Services
RE: SMTP store and forward requires DSN for integrity (was Re:Clueless anti-virus )
>>It doesn't matter what the notifications look like. There is no reason that my SMTP server should be subject to more than TEN THOUSAND of these damned things every day,<<

I hear you but you and I both know AV companies are not going to give up the automated spamming feature that easily. A standard message beginning they might be willing to implement in a relatively short time and AV software is constantly updated so this could make a difference and happen relatively quickly. As for the quantity you receive, it's nothing compared to the amount of spam those infected machines are soon going to be generating. George Roettger Netlink Services
RE: SMTP store and forward requires DSN for integrity (was Re:Clueless anti-virus )
>>While AV scanning may be done during the session, it would also require additional steps to also contain _all_ upstream activity within the same session as well, when attempting to achieve an apparent point-to-point operation. If SMTP were point-to-point, this would be evolving into the IM model where the message queue or storage would always be at the sender. Such mode of operation will increase the average transaction time needed for email.<<

You know, the problem we are trying to solve is virus notification blowback, etc. So instead of changing the system why not work with it. If everyone would just standardize on at least the first part of every virus notification being the same thing, say:

XXX VIRUS NOTIFICATION: blah blah blah

where XXX is some error number, we could all easily control virus notifications at the receiving end, allowing or blocking, at the recipient's choice. A simple standard message format and all the problems and complaints go away. George Roettger Netlink Services
Re: Clueless anti-virus products/vendors (was Re: Sober)
>>What about all the viruses out there that don't forge addresses?<<

What virus in the past 2 years doesn't forge the from address? George Roettger
Re: Blocking certain terrorism/porn sites and DNS
>>Again, I am not discussing "censoring ideas". I want to know if its indeed "technically" possible and feasible to block a website URL from being accessed.<<

Technically, easy enough to test, open your hosts file and do an entry like

127.0.0.1 www.abc.com

it should block it just as if the root servers blocked it and you can test to see if this is "feasible" all you like without actually affecting anyone else. The problem with feasibility is that not all of us consider peril sensitive sunglasses to be a solution. Geo. George Roettger Netlink Services
Re: Blocking certain terrorism/porn sites and DNS
>>It was bad enough back in the '90s when Internic refused to accept registration of certain four letter words. DNS is not a proper venue for censoring ideas.<<

and the end result is a monopoly http://datapimp.com/ Geo. George Roettger Netlink Services
RE: UUNET connectivity in Minneapolis, MN
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of James D. Butt

> Unless there is some sort of crazy story related to why a service provider
> could not keep the lights on, this should have not been an issue with
> proper operations and engineering.

The building where one of our node sites is got hit with an electrical fire in the basement one day, the fire department shut off all electrical to the whole building including the big diesel generators sitting outside the back of the building so all we had was battery power until that ran out 6 hours later. How do you prepare for that? Geo. George Roettger Netlink Services
RE: "Cisco gate" and "Meet the Fed" at Defcon....
>> ok so your issue is totally irrelevant to the recent "ciscogate"
>> paranoia?

That would depend on what other exploits cisco has slipstream patched wouldn't it? (honest question as I don't know but it would be nice if cisco would clarify the situation) Geo. George Roettger Netlink Services
Re: Cisco and the tobacco industry
- Original Message - From: "Ivan Groenewald" <[EMAIL PROTECTED]>

> Applying patches to binaries, hm. Sounds a bit difficult.

It's actually quite simple, you do a compare between the old binary and the new and the patch contains only the differences. It's a very effective way to do patches in a non dll type world because it's efficient size-wise and it requires that you already have the product so manual verification isn't necessary. I think it would work well for Cisco's IOS patch requirements. Geo.
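The compare-and-ship-only-the-differences approach described above, as an added example that is not Cisco's format or code from the thread. Beyond the post it adds the check that makes "you must already have the product" enforceable: the delta carries hashes of the base and result images and refuses to apply to anything but the exact base, so a delta built against one build cannot silently corrupt another. The sample images, hash choice and delta layout are this example's own assumptions.

```python
"""Binary delta patching: ship only the bytes that differ between an old and a new
image, and refuse to apply the delta to anything but the exact base image.
Added example; not Cisco's or anyone's actual patch format. The sample images are
constructed; the hash checks and record layout are this example's design choices."""
import hashlib
import random

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def make_delta(old, new):
    """Compare old and new byte-for-byte and record each run of differing bytes as
    (offset, replacement). Bytes beyond the common length become one trailing run."""
    ops = []
    common = min(len(old), len(new))
    i = 0
    while i < common:
        if old[i] == new[i]:
            i += 1
            continue
        start = i
        while i < common and old[i] != new[i]:
            i += 1
        ops.append((start, new[start:i]))
    if len(new) > common:
        ops.append((common, new[common:]))
    return {"old_sha256": sha256(old), "new_sha256": sha256(new),
            "new_len": len(new), "ops": ops}

def delta_size(delta):
    """Approximate on-the-wire size: 8 bytes of offset/length per run, the run data,
    two 32-byte hashes and a 4-byte length."""
    return sum(8 + len(data) for _, data in delta["ops"]) + 2 * 32 + 4

def apply_delta(old, delta):
    """Rebuild the new image. The base must match exactly (you have to own the
    product), and the result is checked against the expected hash before return."""
    if sha256(old) != delta["old_sha256"]:
        raise ValueError("base image does not match the one this delta was built from")
    out = bytearray(old[:delta["new_len"]])           # truncate if the new image shrank
    out.extend(b"\x00" * (delta["new_len"] - len(out)))  # pad if it grew; ops fill it in
    for offset, data in delta["ops"]:
        out[offset:offset + len(data)] = data
    out = bytes(out)
    if sha256(out) != delta["new_sha256"]:
        raise ValueError("patched image failed integrity check")
    return out

def build_sample_images():
    """Constructed 'firmware' images: 4 KiB of pseudo-random bytes, then a small fix
    at two places and a few appended bytes."""
    rng = random.Random(1)
    old = b"IMAGE-v1 " + bytes(rng.randrange(256) for _ in range(4096))
    new = bytearray(old)
    new[16:20] = b"\x90\x90\x90\x90"   # constructed 4-byte code change
    new[2000:2008] = b"\x00" * 8        # constructed 8-byte data change
    new += b"TRAILER"                    # constructed appended bytes
    return old, bytes(new)

if __name__ == "__main__":
    old, new = build_sample_images()
    delta = make_delta(old, new)
    print(f"full image {len(new)} bytes, delta about {delta_size(delta)} bytes, "
          f"{len(delta['ops'])} runs")
    assert apply_delta(old, delta) == new
```

A real distribution would sign the delta record itself so the hashes cannot be replaced along with the data; the byte-level comparison here is also the simplest possible differ, and a production tool would detect moved or inserted regions rather than treating everything after an insertion as changed.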
Re: Cisco and the tobacco industry
- Original Message - From: "Owen DeLong" <[EMAIL PROTECTED]>

>>Whether 90% of the world uses it or not, the point is that the problem is your software doesn't comply with the established standards. Why should everyone who has software that complies be encumbered with the limitations of the bugs in software that doesn't. The reason we have an IETF and RFCs is to allow interoperability and the ability to depend on capabilities implemented according to standards.<<

Right, does your mail server do strict enforcement of RFC 821 standards or do you accept mail from Microsoft Outlook users since it doesn't adhere to 821? So what does that say about your attitude towards what 90% of the people use? Geo.
Re: Cisco and the tobacco industry
> Just because 90% of the people in the world are stupid, does that
> mean that we all have to be stupid as well? If nine out of ten
> people jumped off a bridge, should the other guy be forced to do the
> same?

Gee, it must be nice to be in the top 10% of the smart people. Why don't you suggest Valdis aim for the top 5% and figure out how Mr. Jeffrey I. Schiller manages to post using debian PGP signed messages that don't appear as attachments? I'm not forcing you to do anything, simple netizen that I am I try to be as compatible with others as I can (notice how I post in text not html?), however Valdis chose to read something into my choice of email software so I read something into his choice and oh surprise it seems to have struck a nerve. How about we don't waste any more bandwidth on this stupid sideline? Side note to Valdis: I don't mind, I was just pushing your buttons after the OE comment. Geo. George Roettger Netlink Services
Re: Cisco and the tobacco industry
- Original Message - From: <[EMAIL PROTECTED]>

>>Your original suggestion was that it push it to the router.<<

Ok I guess it could be read that way but I was more suggesting they look for a way to patch not upgrade to a new version. I've been around the industry long enough to have seen Autodesk use the exe patch routine to patch existing files right on disk so I know this is nothing new. My original suggestion was to take that one step further and patch right in memory on the router but if that's a security issue then fine patch the image on disk and upload it like normal, makes no difference to my point.

>>My behavior hasn't changed because my MUA has been able to understand the formats originally defined in RFC1847 and RFC2015, as updated by RFC3156, for over a decade now.<<

Yeah yeah, I've had this discussion several times, it's a bug in my software and you couldn't give a darn if you are doing something that is incompatible with what 90% of the world uses for email because you are right and everyone else is wrong. Such is the spirit of the internet huh? (you picked on my use of OE first, I was just responding) Geo. George Roettger Netlink Services
Re: Cisco and the tobacco industry
- Original Message - From: <[EMAIL PROTECTED]>

>>The ability to connect to the router and push a software change? Let's think this through a bit, shall we? ;)<<

Who said push? I said cisco's whole patch method is to move people to a new version of IOS instead of patching the old version. Cisco charges for new versions so it's not in their financial interest to make new versions available for free like the patches need to be. So I suggest they employ a different patch method, you download an exe from their ftp site, it takes your current build which is stored on your computer, patches it, and uploads it to your router or you then upload it to your router. Since this would require you already have the image they could continue to manage their image distributions as they do now. I mean your issue is not impossible to work around.

>>X-mailer: Microsoft Outlook Express 6.00.2800.1506
>>Now, what were you saying about a few worms causing *ANY* change in behavior? ;)

it's amazing how safe software can be when used by a professional, isn't it? Everyone here knows you have a woodie for OE by the format of your posts which appear as attachments instead of normal text in OE. I notice that behavior hasn't changed either. Nuff said? Geo. George Roettger Netlink Services
Re: Cisco and the tobacco industry
> Sorry, but its a traditional part of the product model for
> telecommunications equipment. PBX's, routers, pretty much everything -
> support contract required. Sure, you could have it a different way, but you
> would have to be willing to pay significantly more up front to pay for that
> ongoing support.

What ongoing support, just put the fixes on an ftp site. Cisco's problem is they aren't patches, they are full versions. If they created an exe file that attached via tcp/ip to the router and just changed the bits that needed changing instead of requiring a whole new build be loaded it wouldn't be such an issue to just leave the patches out there on cisco.com so anyone with a router could get them without costing cisco anything but a bit of bandwidth. Look, it's up to Cisco how they do this but if DHS wants this country's infrastructure to be secure then Cisco is going to need to realize that a whole lot of people are not going to be willing to pay to fix product defects and they're not going to be willing to spend days trying to get those fixes for free. Perhaps after a few router worms it will make more sense. Oh and I don't know about you but if I buy a PBX and a flaw in it allows any remote caller to make outbound calls at my expense, you can bet money that I'm going to expect a flaw like that to be fixed free of charge, contract or not. Geo.
RE: Cisco and the tobacco industry
No, the point is if you want the internet to be patched then you can't torture people when they come to you for the patches. Cisco routers are being sold to every company who connects to the internet, it's one step up from consumer products. You can't expect every company who owns a cisco router to buy an expensive contract or be willing to go thru the gauntlet to get the patches. Cisco needs to come up with a better way. If your point is simply that it's possible to get the patches, well it's possible to code them yourself too if you know assembler. Geo. George Roettger Netlink Services

-Original Message-

> Have you ever actually tried to get the updates using this method? It really
> does take the better part of a week and no less than half a dozen emails or
> phone calls and then there is the begging...

The point is you did get the update, right? It's better than no update. As far as what happens, I've found the TAC underperform my expectations in every possible situation, what you say above doesn't shock me. - jared
RE: Cisco and the tobacco industry
Jared, Have you ever actually tried to get the updates using this method? It really does take the better part of a week and no less than half a dozen emails or phone calls and then there is the begging... Geo. George Roettger Netlink Services

> Cisco always has provided free upgrades to non-contract holders
> for security bugs.
>
> eg:
>
> http://www.cisco.com/en/US/products/products_security_advisory09186a008042d51b.shtml
>
> -- snip --
> Please have your product serial number available and give the URL of this notice as evidence of your entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.
> -- snip --
RE: Cisco IOS Exploit Cover Up
>>I think he's just pointing out that the risk assessments of many network operators are way off.<<

I think there is also a LOT of concern about all the unpatched routers that remain unpatched simply because the admins don't feel like spending a week running the cisco gauntlet to get patches when you don't have a support contract with cisco. It's like cisco doesn't want you to patch or they would make it easy. Geo.
Re: Utah governor signs Net-porn bill
> Finally, someone who recognizes what this bill is
> all about. It merely asks ISPs to provide parents
> with a filtering tool that cannot be overridden by
> their children because the process of filtering takes
> place entirely outside the home.

The problem is the state isn't specifying that ISPs provide some software module that the state wrote to accomplish this, instead what they are doing is telling a transport provider they must provide something other than transport, they must provide some unspecified piece of software. It's like if parents required the state to provide some piece of hardware to prevent kids from speeding in their cars because the state provides the roads.

Geo.
rr.com
Does anyone know if there is something going on with rr.com email today? I'm seeing lots and lots of delivery retries for valid emails from our customers but rr.com doesn't seem to be accepting them.

George R.
Netlink Services
Port 5000
We are seeing many customers here probing port 5000 across the network. It appears to be some new worm or something but I've had no luck yet in figuring out what it is except to say norton AV detects nothing yet. Anyone have a clue?

http://isc.incidents.org/port_details.php?isc=b4827221b7f45feeb0c12bc5040cabc9&port=5000&repax=1&tarax=2&srcax=2&percent=N&days=10&Redraw=Submit+Query

The jump in traffic is obvious.

Geo.
hotmail-msn
Is everyone else still having problems delivering email to MSN and Hotmail? It seems the queues have gotten even longer over the past 24 hours instead of improving. Was just wondering if it's us or if everyone is seeing this? Geo.
RE: Microsoft XP SP2 (was Re: Lazy network operators - NOT)
>> Patches either need to be of a size that a dialup user doesn't have to be dialed in for 24 hours to download and install them. Or .iso's should be available for ISP's to download, turn into CD's and distribute as appropriate. Wouldn't that be nice for a dialup user - getting Windows Update on a CD-ROM from their ISP? <<

It shouldn't be just windows update which of course doesn't patch office etc., it should be a fully automated cd that the user pops in and it autoupdates ALL MICROSOFT PRODUCTS that are installed and it should do it without asking for the stupid office CDs..

Geo.
Re: SPAM Directly from AT&T Data Networking
>> Having spoken directly to her, I would like to point out that she did indeed take the time to research the FCC SPAM laws and has stuck to them. She has provided an opt-out message and assures me she takes it very seriously. If you have responded to her with a request to NOT be contacted again, you have not been. <<

Excellent, can I have an ATT address? Because there are about 100 million people I'd like to email and ask to buy my crap and I promise I'll use the correct return address and honor all opt-out requests.

Geo.
Re: Postmaster, hostmaster etc....
>> Our spam software shows 98% of all email to the RFC accounts is spam. <<

The reason those addresses get on the spamlists is so that you will disable the addresses, making it harder for people to report that a spammer is using your server or your network to spam.

Geo.
DNS requests for 1918 space
Can anyone point me at any papers that talk about security issues raised by private networks passing dns requests for RFC 1918 private address space out to their ISP's dns servers? I'm aware of the issues involved with an ISP passing the requests on to the root servers but was looking specifically for security type issues relating to a private network passing the requests out to their ISP's dns servers. Geo.
New email virus?
anyone seen a new email virus that uses windows help file attachments to infect a machine? I just received what looks like a new attempt to trojan folks via email. It claims to be an AV warning with instructions contained in a help file attachment. Geo.
Re: routing invalid IP addresses
> Anybody hook up a new Macintosh lately? OS X seems to spew traffic in
> that range. It appears to be some optional component as they don't all do
> it, about half of ours do it. I haven't cared enough to track down what
> exactly is doing it.

Not on this segment, only two linux boxes directly on the wire and two NT boxes behind a Pix 506e. Whatever was going on has stopped now so I'm just going from log fragments the admins are emailing me. It looks like someone was trying to exploit apache/php on one of the linux boxes using spoofed udp from that IP address I posted.

Geo.
RE: routing invalid IP addresses
>> If you had given the whole IP in the first place you could have saved yourself some abuse. :-) <<

Now what fun would that have been? Ya gotta let these guys spit out abuse once in a while, heck it's not often they know the right answer ...

Anyway, I'm currently investigating to see if it's possible the traffic was coming from another local machine. The machine's admin mentioned a few things that sounded to me like there were 2 way connections from this IP involved instead of just spoofed UDP.

Geo.
Re: routing invalid IP addresses
traceroute to 248.245.255.191, that's what made me think it was invalid. I did get the answer, I was being stupid and trying to use IP route instead of an acl. Thanks to everyone who replied, even the "nooooo" guy.

Geo. (I'm not the cisco guy, I was just the only one working last night)

- Original Message -
From: "Bill Woodcock" <[EMAIL PROTECTED]>
To: "Geo." <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Saturday, February 21, 2004 8:03 AM
Subject: Re: routing invalid IP addresses

> > x.x.255.x isn't a valid IP address
> > Clue me in?
>
> Clue: it's a valid address.
>
> -Bill
routing invalid IP addresses
We had an attack here last night and the attack traffic was coming from an IP address of x.x.255.x which isn't a valid IP address yet the traffic was being routed over the internet (as far as I can tell anyway). When I attempted to track down the source I found our cisco routers wouldn't accept the address as valid so it was not possible to null route or trace the traffic. Has anyone else ever seen this before? Clue me in? Geo.
RE: Portable Cooling
www.ppe.com shows them there.

Geo.

-----Original Message-----
> basis. I recall a product called, "move n kool"? It looked like the robot
Need a DNS expert
Got something really weird going on and I need a bit of help from someone who is really good with dns. Domain elby.ch seems to resolve from some DNS servers but not from others. Can you see anything that might break dns resolution for this domain? Specifically it appears NT4 dns servers with SecureResponses turned on. Please feel free to answer me offlist. Geo.
RE: Site Finder
>> Verisign is trying to move this argument into a question of what best serves the end-user. <<

This doesn't matter, their point should be moot. Verisign is charged with managing the .com and .net domains for the public. They DO NOT OWN those domains so they are not allowed to use them for their own greedy purposes.

An example, some outfit gets charged with managing a government housing development, so they decide to use the parking lot to hold their own private flea market. It's not their property and they have no right to do this. Same goes for whoever gets to manage .net and .com. It's not about what's best for anyone, it's about improper use of public property for personal gain.

Geo.
RE: Hotmail Problems
>>> Has anyone seen issues with hotmail receiving emails several days after they are sent. We are not getting bounces, just long delays in what appears to be hotmails posting to inboxes.

>> We've been seeing lots of server timeouts and connection resets to hotmail.com and msn MXs over the last couple of days. -Alan

Hotmail and MSN have decided that "quoted-printable" and "rich text" formats (the ones with = signs at the end of lines) are not valid emails. Trying to deliver such to their servers gets you dropped with no error message of any kind so the emails sit in the queues trying to go. Send a plain text email and it goes thru immediately.

Geo.
RE: Wired mag article on spammers playing traceroute games with trojaned boxes
>> There are two ways to go here -
>> * Nullroute or bogus out in your resolvers the DNS servers for this domain --> two problems here. One is that the spammer doesn't use vano-soft.biz in the smtp envelope, and second, he abuses open redirectors like yahoo's srd.yahoo.com <<

There is another option, create an email filter and block any email that includes the text ".biz/" in any email. That will do two things, it will stop the spams from being received in the first place and it will cause one heck of a headache for the .biz domain so they clean up their act and deal with their problems.

Geo.
RE: A RR Wildcards and Stability
>> Close :-) but a new garbage disposal in a building may still offer some benefits to the tenants. These wildcards did not. Keep 'em coming... <<

How about this, you hire a company to manage your apartment complex and find they are using the property to run their own daily flea market, which pisses off all your tenants.

Geo.
Re: ICMP Blocking Woes
> AFAIK, it's been that way since Win95. I recall a certain
> vendor's dodgy ISDN router * * * on Windows traceroute, but
> working fine under *ix... for whatever reason, said router didn't
> like the ICMP traceroute, but returned unreachables in response
> to UDP when TTL expired.

WindowsNT tracert.exe uses 92 byte icmp packets. There is a modified version that uses a smaller sized icmp packet at http://www.nthelp.com/NT6/tracert_broken.htm that works fine on Windows 2000.

Geo.
RE: monkeys.dom UPL being DDOSed to death
>> The benefit of using a blacklist like monkeys or ordb is that there is only one removal process for all the mail servers. The issue is that when the webserver is dDOS'd, it is very hard for people to get removed. <<

There shouldn't be a need for any removal process. A server should be listed for as long as the spam continues to come from it. Once the spam stops the blacklisting should stop as well. That is how a dynamic list SHOULD work.

Geo.
Re: monkeys.dom UPL being DDOSed to death
> Ron, good luck with it. You're stuck between a rock and a hard place. If
> you down it the kiddies win again, and will feel they can bully the next
> guy. If you don't your network is crippled. It's a no win situation.

If any of the dos'ed to death rbls really wants to get back at the spammers it's easy. Write software that allows any ISP or business to use their mail servers and their customers/employees (via a forward to address) to maintain their own highly dynamic blacklist. Blacklists are just one kind of filter. If we could load software that allowed us to forward spams caught by other filters into it and it maintained a DNS blacklist we could have our servers use, we wouldn't need big public rbl's, everyone doing any kind of mail volume could easily run their own IF THE SOFTWARE WAS AVAILABLE. A distributed solution for a distributed problem. Resistance is NOT futile.

Geo.
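The listing policy argued for in this post and in the "RE: monkeys.dom UPL being DDOSed to death" post above (a source stays listed only while spam keeps coming from it, with no manual removal process) is simple to state but easy to get subtly wrong. The following is an added illustration, not code from any real blacklist or from the poster: a small in-memory list that is fed by spam reports, extends a listing on every new report, delists automatically once the reporting window passes with nothing new, and renders what it holds as zone lines in the usual DNSBL convention (reversed octets under a zone, answering 127.0.0.2). The zone name, the six-hour default window and the 192.0.2.x / 198.51.100.x addresses are placeholders chosen for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

LISTED_ANSWER = "127.0.0.2"  # conventional DNSBL "listed" A record


@dataclass
class DynamicBlacklist:
    """Evidence-driven listing: an address is listed while reports keep arriving and
    drops off by itself when they stop. Constructed illustration, not a real RBL's code."""
    window_seconds: int = 6 * 3600            # assumed: delist after 6 h without a new report
    zone: str = "bl.example.invalid"          # placeholder DNSBL zone
    last_report: Dict[str, float] = field(default_factory=dict)

    def report(self, source_ip: str, now: float) -> str:
        """Record a spam report for source_ip at time 'now' (seconds). Returns the normalized IP.
        Only IPv4 is accepted because the zone rendering below reverses dotted-quad octets."""
        key = str(ipaddress.IPv4Address(source_ip))   # raises on malformed input from forwarded mail
        # A later report always extends the listing; an out-of-order (older) one never shortens it.
        self.last_report[key] = max(now, self.last_report.get(key, 0.0))
        return key

    def is_listed(self, source_ip: str, now: float) -> bool:
        seen = self.last_report.get(str(ipaddress.IPv4Address(source_ip)))
        return seen is not None and (now - seen) < self.window_seconds

    def expire(self, now: float) -> List[str]:
        """Forget every address whose last report is outside the window; returns what was delisted."""
        gone = [ip for ip, seen in self.last_report.items() if (now - seen) >= self.window_seconds]
        for ip in gone:
            del self.last_report[ip]
        return gone

    def dnsbl_records(self, now: float) -> List[str]:
        """Zone lines for everything currently listed (expiring stale entries first)."""
        self.expire(now)
        lines = []
        for ip in sorted(self.last_report, key=ipaddress.IPv4Address):
            reversed_octets = ".".join(reversed(ip.split(".")))
            lines.append(f"{reversed_octets}.{self.zone}. IN A {LISTED_ANSWER}")
        return lines


def replay(events: List[Tuple[float, str, str]], window_seconds: int) -> List[Tuple[float, str, bool]]:
    """Drive a blacklist with a constructed event stream of (time, 'report'|'query', ip)
    and return the answer given to each query, so the listing lifecycle can be inspected."""
    bl = DynamicBlacklist(window_seconds=window_seconds)
    answers = []
    for t, kind, ip in events:
        if kind == "report":
            bl.report(ip, t)
        elif kind == "query":
            answers.append((t, ip, bl.is_listed(ip, t)))
        else:
            raise ValueError(f"unknown event kind {kind!r}")
    return answers


if __name__ == "__main__":
    # Constructed sample: a source spams at t=0 and t=1800, then goes quiet.
    sample = [
        (0, "report", "192.0.2.10"),
        (100, "query", "192.0.2.10"),       # listed
        (1800, "report", "192.0.2.10"),     # still spamming: listing extended
        (5000, "query", "192.0.2.10"),      # listed (within window of the second report)
        (5401, "query", "192.0.2.10"),      # delisted without anyone asking
        (5401, "query", "198.51.100.7"),    # never reported
    ]
    for when, ip, listed in replay(sample, window_seconds=3600):
        print(f"t={when:>5} {ip:<14} listed={listed}")
```

The point the posts make is visible in replay(): the second report at t=1800 pushes the delisting out, and the delisting at t=5401 happens purely because reports stopped, not because anyone filed a removal request through a web form that might be under attack.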
Re: Home Storage Area Network security
> If it prevents network-debilitating attacks like Blaster and friends,
> YES.

Ok I understand where you are coming from but that's a completely different requirement than your previous post suggested, protecting the network is the job of a network admin, protecting the applications using the network is something else entirely.

As an example the recent Nachi worm that causes network problems for some devices because of the arp request issue, can be solved by patching or replacing those devices that are susceptible to excessive arp request DOS. This in no way requires blocking any of the protocols, it's simply a vulnerability in certain devices that needs to be patched. Those devices are susceptible to attack, not from a worm or a protocol, but from a function of the network, and blocking the port a worm uses does nothing to protect those devices from attack via this vulnerability. It would be trivial to write an exploit that exposes this vuln and against which blocking 135 provides no protection at all.

Geo.
Re: Home Storage Area Network security
> What caused me to completely cross over into the "port filtering is OK"
> camp was the fact that Microsoft themselves, in a "securing Windows NT"
> document we found a while back, recommended that due to inherent
> insecurities, NetBIOS be disabled on Internet machines. If the vendor
> says it shouldn't be connected to the Internet, I tend to agree.

So basically what you are saying is that it should be the network operator's responsibility to secure every application that might be used over said network?

Geo.
RE: TnT ethernet card fix?
Yeah, we did, we are in the process of installing 5 new patton boxes instead of the TNT.. Lucent is unconscious.

Geo.

-----Original Message-----
Anyone ever come up with a solution for the performance/reliability issues with the TNT without having to buy a new Ethernet card?

Thanks,
-Drew
Max TNT ping thing
Someone on this list had mentioned a network card for the Max TNT that made it immune to the Nachi worm ping issue. Is that the 4 port (3 ethernet, 1 fast ether) card or the single port card with the dongle thing or something else? Has anyone seen a fix from Lucent yet? (besides the filters that have been posted)

Geo.
RE: Virus
>> We've found that downloading both the appropriate patches and cleaning tools, and then disconnecting from the network (as in unplug your ethernet cord or hang up your modem line) before you run them both - patch then clean - works and prevents you from being re-infected during the process. <<

For those who can't download the fixes first, you should be able to turn on IP filtering in the network properties (it blocks incoming connect attempts), permit nothing, to allow yourself time to get to windowsupdate and get patched. With XP just enable the firewall.

Geo.
RE: Cisco filter question
> point a route to null0 and set the next hop to be down that route

Makes no difference, the problem isn't that the packets aren't being routed to null0, the problem is that the packets don't match the route-map for some reason. Only difference I see is the fragment flag is set to allow fragment on the ones that are getting thru.

Geo.
Cisco filter question
Perhaps one of you router experts can answer this question. When using the cisco specified filter

access-list 199 permit icmp any any echo
access-list 199 permit icmp any any echo-reply

route-map nachi-worm permit 10
! --- match ICMP echo requests and replies (type 0 & 8)
 match ip address 199
! --- match 92 bytes sized packets
 match length 92 92
! --- drop the packet
 set interface Null0

interface
! --- it is recommended to disable unreachables
 no ip unreachables
! --- if not using CEF, enabling ip route-cache flow is recommended
 ip route-cache policy
! --- apply Policy Based Routing to the interface
 ip policy route-map nachi-worm

why would it not stop this packet

15 1203.125000 0003E3956600 AMERIC6625D4 ICMP Echo: From 216.144.20.69 To 216.144.00.27 216.144.20.69 216.144.0.27 IP
FRAME: Base frame properties
FRAME: Time of capture = 8/22/2003 11:54:16.859
FRAME: Time delta from previous physical frame: 0 microseconds
FRAME: Frame number: 15
FRAME: Total frame length: 106 bytes
FRAME: Capture frame length: 106 bytes
FRAME: Frame data: Number of data bytes remaining = 106 (0x006A)
ETHERNET: ETYPE = 0x0800 : Protocol = IP: DOD Internet Protocol
ETHERNET: Destination address : 00C0B76625D4
ETHERNET: ...0 = Individual address
ETHERNET: ..0. = Universally administered address
ETHERNET: Source address : 0003E3956600
ETHERNET: ...0 = No routing information present
ETHERNET: ..0. = Universally administered address
ETHERNET: Frame Length : 106 (0x006A)
ETHERNET: Ethernet Type : 0x0800 (IP: DOD Internet Protocol)
ETHERNET: Ethernet Data: Number of data bytes remaining = 92 (0x005C)
IP: ID = 0x848; Proto = ICMP; Len: 92
IP: Version = 4 (0x4)
IP: Header Length = 20 (0x14)
IP: Precedence = Routine
IP: Type of Service = Normal Service
IP: Total Length = 92 (0x5C)
IP: Identification = 2120 (0x848)
IP: Flags Summary = 0 (0x0)
IP: ...0 = Last fragment in datagram
IP: ..0. = May fragment datagram if necessary
IP: Fragment Offset = 0 (0x0) bytes
IP: Time to Live = 124 (0x7C)
IP: Protocol = ICMP - Internet Control Message
IP: Checksum = 0x70D8
IP: Source Address = 216.144.20.69
IP: Destination Address = 216.144.0.27
IP: Data: Number of data bytes remaining = 72 (0x0048)
ICMP: Echo: From 216.144.20.69 To 216.144.00.27
ICMP: Packet Type = Echo
ICMP: Echo Code = 0 (0x0)
ICMP: Checksum = 0x82AA
ICMP: Identifier = 512 (0x200)
ICMP: Sequence Number = 7680 (0x1E00)
ICMP: Data: Number of data bytes remaining = 64 (0x0040)

0:     00 C0 B7 66 25 D4 00 03 E3 95 66 00 08 00 45 00  .À·f%Ô..ã•f...E.
00010: 00 5C 08 48 00 00 7C 01 70 D8 D8 90 14 45 D8 90  .\.H..|.pØØ.EØ
00020: 00 1B 08 00 82 AA 02 00 1E 00 AA AA AA AA AA AA  ‚ªªª
00030: AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA
00040: AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA
00050: AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA
00060: AA AA AA AA AA AA AA AA AA AA  ªª
Re: TNTs Rebooting, was RE: Weird network problems
> > "...an intermittent problem that has been discovered to be affecting a
> > specific type of network card used by some of the NAS devices that
> > populate our network. The problem is exacerbated by the blaster worm and
> > has been replicated by Lucent, our vendor and others. In order to resolve
> > the issue, we are working with Lucent to test and deploy an emergency
> > updated version of software to the affected NAS devices."

Has anyone gotten a patch from Lucent yet for the Max TNT's? I need something, I've got a bunch of these and when a customer on the TNT has the worm the ping packets coming from his dialup are causing the TNT to crash. Even a way to filter within the TNT would be useful if anyone has any ideas on that. I've already placed filters in my cisco routers for the 92 byte pings but that doesn't stop the ones that originate with the dialup user from crashing the TNT.

Geo.
Re: Weird network problems
> > Is anyone out there tracking down some weird network behavior yesterday
> > and today? I'm not talking about ping traffic from the worm or anything
> > like that, I'm seeing TNT MAX boxes go unpingable, arp broadcast storms,
> > one way traffic blocks on T1's between cisco routers, stuff that I have
> > not been able to explain yet.
>
> I'm seeing the exact same issues with the TNTs and am in the process of
> trying to track down exactly what is causing it. So far no pattern has
> emerged.

go here
http://www.cisco.com/warp/public/707/cisco-sn-20030820-nachi.shtml

Implement the 92-byte ping filter on all interfaces that are allowing the worm's pings thru, solved our problem perfectly. The problem is when the worm pings IP addresses that have nothing on them it creates the arp request, as the number of those requests build some devices can't handle it and it's crashing them. The TNT is one of the more braindead of those devices. I'd be interested in knowing what other devices are also failing from this.

Geo.
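The 92-byte ping filter recommended here is the same route-map that the "Cisco filter question" post above says was letting a captured packet through, with the follow-up reply noting that the fragment flag was the only visible difference. As an added example, not code from the posts, from Cisco or from any vendor tool, the Python below decodes the Network Monitor hex dump from that post, verifies the IP and ICMP checksums against the values the analyzer printed, and evaluates the two clauses the route-map tests: access-list 199 (ICMP echo or echo-reply, any source, any destination) and "match length 92 92" on the IP total length. The captured frame satisfies both as written, and neither clause reads the fragment flags. The same code then builds two constructed echo frames (not captured traffic; the MAC and 10.0.0.x addresses are placeholders) to show the side effect that the tracert reply in "ICMP Blocking Woes" above points at: a default Windows ping carrying 32 bytes of data is a 60-byte datagram and passes, while any echo carrying 64 bytes of data, the size Windows tracert uses, is 92 bytes and is dropped whatever its payload contents or DF bit.

```python
import struct
from dataclasses import dataclass
from typing import Optional

ICMP_ECHO_REPLY = 0
ICMP_ECHO = 8

# Bytes transcribed from the Network Monitor hex dump in the "Cisco filter question" post:
# 14-byte Ethernet header, 20-byte IPv4 header, 8-byte ICMP echo header, 64 bytes of 0xAA.
NACHI_FRAME = bytes.fromhex(
    "00C0B76625D4" "0003E3956600" "0800"                    # Ethernet: dst, src, EtherType IPv4
    "4500005C" "08480000" "7C0170D8" "D8901445" "D890001B"  # IPv4 header (len 92, ID 0x848, TTL 124)
    "080082AA" "02001E00"                                   # ICMP echo: type 8, code 0, csum, id, seq
    + "AA" * 64                                             # echo payload
)


def rfc1071_checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071). Over a header whose checksum field is already filled in
    and valid, the result is 0, which is how the decoder below verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class Decoded:
    src: str
    dst: str
    proto: int
    total_length: int            # the Layer 3 length that 'match length 92 92' tests
    dont_fragment: bool
    more_fragments: bool
    frag_offset: int
    ip_checksum_ok: bool
    icmp_type: Optional[int]     # None for non-ICMP datagrams or non-first fragments
    icmp_code: Optional[int]
    icmp_checksum_ok: Optional[bool]


def decode_frame(frame: bytes) -> Decoded:
    """Decode an Ethernet II / IPv4 frame just far enough to evaluate the route-map clauses."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an Ethernet II frame carrying IPv4")
    ip = frame[14:]
    ver_ihl, _tos, total_length, _ident, flags_frag, _ttl, proto, _csum = struct.unpack("!BBHHHBBH", ip[:12])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_length < ihl or len(ip) < total_length:
        raise ValueError("inconsistent IPv4 header lengths")
    frag_offset = (flags_frag & 0x1FFF) * 8
    icmp_type = icmp_code = icmp_ok = None
    if proto == 1 and frag_offset == 0 and total_length - ihl >= 8:
        icmp = ip[ihl:total_length]          # ICMP header + payload, trailing padding excluded
        icmp_type, icmp_code = icmp[0], icmp[1]
        icmp_ok = rfc1071_checksum(icmp) == 0
    return Decoded(
        src=".".join(map(str, ip[12:16])),
        dst=".".join(map(str, ip[16:20])),
        proto=proto,
        total_length=total_length,
        dont_fragment=bool(flags_frag & 0x4000),
        more_fragments=bool(flags_frag & 0x2000),
        frag_offset=frag_offset,
        ip_checksum_ok=rfc1071_checksum(ip[:ihl]) == 0,
        icmp_type=icmp_type,
        icmp_code=icmp_code,
        icmp_checksum_ok=icmp_ok,
    )


def nachi_route_map_matches(p: Decoded) -> bool:
    """Mirror of route-map nachi-worm: ACL 199 (ICMP echo / echo-reply, any any) AND
    'match length 92 92' on the IP total length. Neither clause consults fragment flags."""
    acl_199 = p.proto == 1 and p.icmp_type in (ICMP_ECHO, ICMP_ECHO_REPLY)
    return acl_199 and p.total_length == 92


def build_echo_frame(src: str, dst: str, payload: bytes, dont_fragment: bool = False) -> bytes:
    """Constructed sample frame: Ethernet/IPv4/ICMP echo request with valid checksums.
    MAC addresses are reused from the capture purely as placeholders."""
    icmp = struct.pack("!BBHHH", ICMP_ECHO, 0, 0, 0x0200, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", rfc1071_checksum(icmp)) + icmp[4:]
    flags = 0x4000 if dont_fragment else 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 1, flags, 128, 1, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    hdr = hdr[:10] + struct.pack("!H", rfc1071_checksum(hdr)) + hdr[12:]
    return bytes.fromhex("00C0B76625D4" "0003E3956600" "0800") + hdr + icmp


if __name__ == "__main__":
    samples = (
        ("captured Nachi echo", NACHI_FRAME),
        ("default 32-byte Windows ping", build_echo_frame("10.0.0.1", "10.0.0.2", b"\x41" * 32)),
        ("64-byte payload (tracert size), DF set", build_echo_frame("10.0.0.1", "10.0.0.2", bytes(range(64)), True)),
    )
    for label, frame in samples:
        d = decode_frame(frame)
        print(f"{label}: len={d.total_length} icmp_type={d.icmp_type} DF={d.dont_fragment} "
              f"checksums_ok={d.ip_checksum_ok and d.icmp_checksum_ok} dropped={nachi_route_map_matches(d)}")
```

Running it prints the captured packet as length 92, type 8, checksums valid and "dropped=True", which is what the route-map's own clauses say should happen; the decoder is a convenient way to check a capture against a filter before going looking for the discrepancy in the router, and the two constructed frames show exactly which legitimate traffic a 92-byte echo filter takes with it.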
Weird network problems
Is anyone out there tracking down some weird network behavior yesterday and today? I'm not talking about ping traffic from the worm or anything like that, I'm seeing TNT MAX boxes go unpingable, arp broadcast storms, one way traffic blocks on T1's between cisco routers, stuff that I have not been able to explain yet. Just wondering if it's only me seeing this or if others are working on the same sorts of issues. I heard a rumor that ICG was also experiencing some strange network problems so I figured it was time to post. Geo.
Re: East Coast outage?
> My guess is when it shakes out, the failure will be traced to a rather large
> unit or interconnect tripping offline.

It will be traced back to a huge branch from a huge tree that fell and took down a couple of transmission lines which then melted the road in a fairly expensive neighborhood in northeastern ohio. That started a chain reaction because it was too big a ripple.

Geo.
RE: Power outage in North East
Cleveland power is out, northern parts of Akron Ohio as well.

Geo.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Damian Gerow
Sent: Thursday, August 14, 2003 4:31 PM
To: [EMAIL PROTECTED]
Subject: Re: Power outage in North East

Thus spake Joel Perez ([EMAIL PROTECTED]) [14/08/03 16:27]:
> Has anyone heard of a big Power outage in the North east?
> I just got a call from one of my tech's in the GBLX bldg in Newark, NJ
> at 1085 raymond and they are telling him that they lost power!
> But I also got a call from AT&T in NY that they also lost Power!

It looks like a rather large power outage -- we're in South Western Ontario, Canada, and power is out in Waterloo, Cambridge, Guelph, Hespler, and (I'm pretty sure) London as well. Can't say about Toronto.

- Damian
Re: AOL breaking dns spoof protection
Just for everyone's information, the issue I originally mentioned has been fixed, there was a weird NS entry loop in the aol dns but it's been corrected and seems to function normally now (for IPv4 anyway, don't know about that 4/6 issue someone mentioned). One of the guys from AOL reads the list and worked with me to get it resolved, hats off to that nameless man. :) Geo.
AOL breaking dns spoof protection
Anyone here having problems resolving americaonline.aol.com with spoof protection enabled on their dns servers? It appears AOL via a series of cnames is specifying a non-authoritative dns server as authoritative for internet.aol.com which is where the first url is cnamed. I need a dns expert to untangle this one so I can explain it to the aol tech. Can anyone help?

Geo.
Re: Root server error
http://www.amazon.com/exec/obidos/ASIN/0671723650/qid=1046567734/sr=2-1/ref=sr_2_1/002-9383411-3569615

right back at cha..

Geo.

- Original Message -
From: "Nathan J. Mehl" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, March 01, 2003 7:46 PM
Subject: Re: Root server error

> In the immortal words of Geo. ([EMAIL PROTECTED]):
> >
> > Can someone verify something for me?
> > Do an NSLOOKUP for www.stemtostern.com and stemtostern.com against the
> > i.gtld-servers.net
> > why would the www one resolve?
>
> http://www.amazon.com/exec/obidos/tg/detail/-/0596001584/
>
> Sheesh.
>
> <[EMAIL PROTECTED] org>
> "This is UNIX. Stop acting so helpless."
> <http://blank.org/memory/>
Root server error
Can someone verify something for me? Do an NSLOOKUP for www.stemtostern.com and stemtostern.com against the i.gtld-servers.net why would the www one resolve? Geo.
RE: Total Traffic. Was: Sprint peering policy
> I typically have a 251Kbps (broadband) stream from www.thebasement.com.au Speaking of streaming, I once saw this mentioned here, does anyone have the current URL for the 300K streak for BBC news? Geo.
Re: SPEWS?
> > Why spamcop and not spews?
>
> My question is why a dnsbl that the *maintainer* of which says should not
> be used for production mail systems?

Because it's a targeted dynamic solution for a dynamic problem and I believe it has a chance at working? That was kinda my point. We need to stop this pushing and shoving back and forth and find solutions that work and don't depend on bending every ISP on the planet to conformity because that's never going to happen.

The forcing approach reminds me of copy protection, let's force everyone to be good. Guess what, it's a big network and it's getting bigger and you'll never get everyone to conform. So I suggest we take a different road whether that be dynamic blocking as soon as spamming starts or heuristic filters or whatever else we can come up with that works.

Note, I'm not saying don't use spews, just realize it's a copy protection type of approach and will be of limited success for the same reasons.

Geo.
RE: SPEWS?
> Can't find the terrorists you're looking for so start killing bystanders
> until someone submits? Sounds militia to me.
>
> The service providers are not the enemies. If you treat them like enemies
> then enemies they will become.

Folks, I've been watching this discussion and holding my fingers but now I have to speak. I am a postmaster for a state wide ISP and we maintain our own blacklist along with usage of one other public blacklist, the spamcop blacklist. Why spamcop and not spews? Simple, the problem is spammers and open relays and that's what we need to deal with. If we can solve that problem without relying on the ISP to find and close every open relay then it will work better for us and it will be better for the ISPs. Remember the idea is to eliminate the spam so the rest of us can enjoy the internet.

Geo.