Re: NANOG laptops (was Re: Customer-facing ACLs)

2008-03-09 Thread Jason Lixfeld


So the overwhelming question for me is why?  Is it simply the fact  
that the native *nix underpinnings are where most users (within the  
aforementioned demographic) spend most of their time anyway?


That's what did it for me - repeated attempts to get FreeBSD to run  
stable on the Inspiron I had at the time.


Note:  The question isn't what's better, the question is what got all  
us router and systems jockeys so interested in the first place.


If this is too OT (or has the potential to become so), feel free to  
kill it.


On 9-Mar-08, at 3:29 PM, Randy Bush [EMAIL PROTECTED] wrote:



i am moving to a macbook pro, or trying to, from a freebsd/winxp.  but
why did they have to 'add value' by mucking with freebsd and breaking my
fingers?  and whoever thought the mac screen was good never used my
alienware 1920x1024.

at the ipv4 econ meet on tasman last week, macs were in extreme majority.


randy


Re: Gothcas of changing the IP Address of an Authoritative DNS Server

2005-12-14 Thread Jason Lixfeld



On 14-Dec-05, at 10:02 AM, Joe Abley wrote:


You also want to check all the registries which are superordinate  
to zones your server is authoritative for, and check that any IP  
addresses stored in those registries for your nameserver are  
updated, otherwise you will experience either immediate or future  
glue madness.


A conservative approach to this kind of transition is to arrange  
for your nameserver (or different nameservers hosting the same  
data) to respond on both the old and new addresses, and to continue  
in that mode until you see no queries directed at the old address  
for some safe-seeming interval (bearing in mind TTLs and cached  
records, alluded to by Steven and Sam).


If you have access customers (Dial/Broadband/etc) make sure they know  
the IP for your DNS server is changing in case they hardcode the IP of  
your DNS server into their PCs.
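Joe's "answer on both addresses until the old one goes quiet" approach, worked through as an added example that is not from the thread. It assumes BIND-style query log lines ending with the local address the query arrived on (constructed sample below) and a parent-side glue table obtained out of band; it decides whether the old address is still in use inside a TTL-derived window and flags the glue mismatch he warns about.

```python
"""Decide when the old address of an authoritative nameserver can be retired.

Added example, not from the thread. Assumes BIND-style query log lines that end
with the local address the query arrived on, e.g. "(192.0.2.53)", and a
parent-side glue table obtained out of band (both constructed here).
"""
import re
from datetime import datetime, timedelta

OLD_ADDR = "192.0.2.53"      # constructed: address being retired
NEW_ADDR = "198.51.100.53"   # constructed: replacement address

# Constructed sample log: two queries still arriving on the old address.
SAMPLE_LOG = """\
14-Dec-2005 10:02:00.101 client 198.51.100.7#53214: query: example.net IN A - (192.0.2.53)
14-Dec-2005 10:02:05.250 client 203.0.113.9#1025: query: www.example.net IN A - (192.0.2.53)
14-Dec-2005 11:30:12.004 client 198.51.100.8#40000: query: example.net IN MX - (198.51.100.53)
this line is not a query log entry and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client (?P<client>[\d.]+)#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+) \S* \((?P<local>[\d.]+)\)$"
)


def parse_ts(text):
    """Parse a timestamp in the log's own format, e.g. '14-Dec-2005 10:02:00'."""
    return text if isinstance(text, datetime) else datetime.strptime(text, "%d-%b-%Y %H:%M:%S")


def parse_query_log(text):
    """Return (timestamp, client, qname, local_address) tuples; skip malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((parse_ts(m.group("ts")), m.group("client"),
                            m.group("qname"), m.group("local")))
    return records


def queries_on_address(records, addr, since):
    """Queries that arrived on addr at or after `since` (datetime or log-format string)."""
    since = parse_ts(since)
    return [r for r in records if r[3] == addr and r[0] >= since]


def safe_to_retire(records, old_addr, now, max_ttl_seconds, safety_factor=2):
    """True when nothing hit old_addr during the last safety_factor * max TTL.

    Size max_ttl_seconds from the largest TTL a resolver might still be caching
    (the NS set, the parent's glue, or the server's own A record).
    """
    window = timedelta(seconds=max_ttl_seconds * safety_factor)
    return not queries_on_address(records, old_addr, parse_ts(now) - window)


def glue_mismatches(parent_glue, child_records):
    """Nameservers whose parent-side glue differs from the zone's own A records."""
    bad = {}
    for ns, parent_addrs in parent_glue.items():
        child_addrs = set(child_records.get(ns, ()))
        if set(parent_addrs) != child_addrs:
            bad[ns] = (sorted(parent_addrs), sorted(child_addrs))
    return bad


if __name__ == "__main__":
    recs = parse_query_log(SAMPLE_LOG)
    print("queries on old address:",
          len(queries_on_address(recs, OLD_ADDR, "14-Dec-2005 00:00:00")))
    print("safe to retire at 10:30:",
          safe_to_retire(recs, OLD_ADDR, "14-Dec-2005 10:30:00", max_ttl_seconds=3600))
    print("glue mismatches:", glue_mismatches({"ns1.example.net": [OLD_ADDR]},
                                              {"ns1.example.net": [NEW_ADDR]}))
```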


Fore/Marconi Mailing Lists/Forums?

2005-08-19 Thread Jason Lixfeld


Anyone know of any Fore/Marconi mailing lists and/or forums?



Re: Am I crazy!?

2005-01-27 Thread Jason Lixfeld

On Jan 27, 2005, at 3:01 PM, Jared Mauch wrote:
On Thu, Jan 27, 2005 at 02:51:35PM -0500, Jason Lixfeld wrote:
Good thing this router isn't in production yet, but unless I'm crazy,
Telus is having a bad day:
*i0.0.0.0   64.201.161.218   100   0   20161 852 i
It's quite common for providers to advertise default route to
bgp customers.
Agreed, but in this case it's just a matter of BCP.  My provider takes 
a default from Telus.  If I wanted a default from that provider (who 
is already taking a default from Telus), should best practice be such 
that the default is sourced from my provider's AS, not Telus'?

If you don't want it, 1) ask them to change their config
2) filter it
Absolutely.  In this case, I hadn't dropped my filters in yet so it 
stuck out like a sore thumb.

If you ever get stuck on low memory or having to split an
AS, it may be of value to have a default route to hold
things together..
Yup, been there, done that too...
- jared
--
Jared Mauch  | pgp key available via finger from [EMAIL PROTECTED]
clue++;  | http://puck.nether.net/~jared/  My statements are only 
mine.




Re: Anyone alive at ALTDB?

2004-04-17 Thread Jason Lixfeld
On Apr 14, 2004, at 2:47 PM, Robert E. Seastrom wrote:

Jason Lixfeld [EMAIL PROTECTED] writes:

messages to db-admin have so far gone unanswered.
I spoke with the db-admin; he advises as follows:

1) you sent a single message to create a maintainer object, about 24
hours before posting to NANOG.  The turnaround time that you have
experienced is well within historical norms for creating new maint
objects.  Please be patient.
There was no documentation anywhere specifying the turnaround time for 
maintainer object creation.  Had there been a message returned with the 
object saying "hold your horses for 3 days", I would have.



Anyone alive at ALTDB?

2004-04-13 Thread Jason Lixfeld
messages to db-admin have so far gone unanswered.



Re: [OT: slightly]Looking for Engineers

2004-03-05 Thread Jason Lixfeld


On Mar 5, 2004, at 2:52 PM, Randy Bush wrote:

so anyone who is willing to be a whore for a list spammer should
just sign up right now.
I don't see anything specifically in NANOG's AUP or in the Charter 
implying that this sort of thing is prohibited.  Am I not looking hard 
enough?

... and the horse you rode in on.

randy




Re: Lame Yahoo social engineering scam

2004-02-07 Thread Jason Lixfeld


On Feb 7, 2004, at 3:34 PM, Scott Call wrote:

My question is who is stupid enough to actually respond to an email
written in 'leet speak like this.
I dunno what in the blue hell it's called but it sure as hell isn't 
l337 speak.  It's a cross between boken engrish and kindergarten 
spelling.



Re: MS is vulnerable

2004-01-29 Thread Jason Lixfeld


On Jan 29, 2004, at 9:26 AM, [EMAIL PROTECTED] wrote:

Microsoft software is inherently less safe than Linux/*BSD software.

This is because Microsoft has favored usability over security.

This is because the market has responded better to that tradeoff.

This is because your mom doesn't want to have to hire a technical
consultant to manage her IT infrastructure when all she wants to do is get
email pictures of her grandkids.
Then yer mom should get a Mac.

doug




Re: MS is vulnerable

2004-01-29 Thread Jason Lixfeld


On Jan 29, 2004, at 11:10 AM, Vivien M. wrote:


Then yer mom should get a Mac.
And if she's like my mom, she'll be in the aisle in the computer store
(well, the big box electronics store, more realistically) and be like "Why
should I pay $2000 for this one when I can get 'a computer' for $500?" [1]
Agreed.  That's where you educate your mom on why Macs are godly, PCs 
running windows are evil and Linux is a little too complex still for 
the end user, and bluntly doesn't look as pretty out of the box.

If she squawks at the price, you tell her that you get what you pay for. 
How many times has her printer stopped working or she's been unable to 
download her pics or watch some video or a dvd or something else that 
XP touts as super easy, and integrated?

Actually, since I got my first Mac last year, I've been barking up and 
down about how amazing it is.  I told everyone I sold every PC I ever 
owned because I could do it all on my powerbook.  They are all jealous. 
I had XP for my email, visio and word, *nix for my geek router and perl 
stuff, another PC for my audio production stuff.  All gone.  All I have 
now is a 17" Powerbook.  It's all I'll ever need.  Well, no -- it's 
not.  When I need something for music, I'll get a G5.  Plain and 
simple, I will never own a PC again.

It's funny, I went out of town for thanksgiving with my family.  When 
we got to where we were going, my mom was complaining that her digital 
camera flash was full and she didn't have another one.  I told her that 
I could download the pictures to my powerbook and email them to her 
later.  As I was connecting the camera, she asked "Well, don't you need 
to download and install the softw..."  She stopped mid-sentence as the 
Mac found the PowerShot, opened iphoto and proceeded to download the 
pictures -- no software needed.  She looked jealous.

When the last big MS virus/worm caused its major shitstorm, my mom 
asked me if I ever get infected with viruses.  I said no, I run a Mac.  
They are immune to these viruses.  She looked jealous.

Needless to say, a year after she bought herself her Dell with her 19" 
flat panel monitor, in a couple months, she'll be picking up her new 
20" iMac.  Now I'm jealous.

I've got a couple other friends who are going to shitcan their PCs in 
favor of Macs.

I agree, price is a big thing and it will continue to be.  Until people 
can convince others to look beyond that, they are all going to be stuck 
in the MS world, plagued by all this badness wondering "Is there 
something else better out there?"  All this, while us non-MS folks sit 
back with a big satisfying grin.

You can't expect people's mothers to actually know the differences between
the different platforms, just like I'm sure that when most people's mothers
shop for cars, they can't tell you the advantage of a particular engine type
over another. They just end up picking based on price and ability to meet
need, and for most mothers old-enough-to-have-NANOG-posting-kids out there,
your $500 eMachines or whatever is more than enough. Expecting them to spend
additional money to address a problem they don't understand is an
unrealistic expectation.
Of course you can't expect them to know.  That's where we come in; the 
free and the saved :)

It's all about educating the less fortunate :)  There is a very fine 
line between pay now, save later and save now, pay later.  The latter 
almost always works out to cost a hell of a lot more than the former 
ever would have.

(hypothetical) Buy the $12,000.00 (CDN) KIA with no snow tires, no ABS, 
no nothing.  Drive somewhere in a snow storm, get stuck going up a 
hill, try to back down the hill, get sideswiped by the guy in the 
Touareg because he can't see your tiny little $12,000.00 KIA soap box, 
get flung over the guardrail, down the hill and into the valley.  Pay 
the tow truck to come bail your ass out, pay your insurance deductible 
and the extra rates you are going to ensue because you just wrote off 
your car.  Add all that up and compare that to the price of a brand new 
Touareg over 10 years.  Guess what, your analogy just lost ground :)

Vivien
--
Vivien M.
[EMAIL PROTECTED]
Assistant System Administrator
Dynamic Network Services, Inc.
http://www.dyndns.org/




Re: MS is vulnerable

2004-01-29 Thread Jason Lixfeld


On Jan 29, 2004, at 12:04 PM, Martin Hepworth wrote:



Actually, since I got my first Mac last year, I've been barking up 
and down about how amazing it is.  I told everyone I sold every PC I 
ever owned because I could do it all on my powerbook.  They are all 
jealous.  I had XP for my email, visio and word, *nix for my geek 
router and perl stuff, another PC for my audio production stuff.  All 
gone.  All I have now is a 17" Powerbook.  It's all I'll ever need.  
Well, no -- it's not.  When I need something for music, I'll get a 
G5.  Plain and simple, I will never own a PC again.
Of course the Powerbook will do all music stuff as well (unless you 
need the PCI based add in cards for protools!).
True, it will do all the audio stuff, to a point.  It will do well for 
basic, intermediate and advanced production techniques, however when 
you start doing pro stuff with lots of filtering and effects, that's 
when it'll turn ugly and the 1Ghz bus on the G5 with the SATA drives 
will come in real handy! :)

Got a colleague who swapped his twin 1GHZ PC for a 17" powerbook to do 
his video editing side business. Guess wot - the powerbook works much 
much better than his w2k based system!!
Funny that, eh? :)



--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300




Re: MS is vulnerable

2004-01-29 Thread Jason Lixfeld


On Jan 29, 2004, at 12:31 PM, Michel Py wrote:

If the Powershot was designed as a Mac-only camera, it's Canon's
stupidity. I never used one, but when I plug my Sony cybershot to any PC
it comes up right away without any software.
I should withdraw this comment.  After I sent the message, I realized 
that my comment was unfounded.  Sorry.

Since Macs are available in stores, how do you explain that they don't
get the lion's share of the market if they're so superior to the PeeCee
as you claim?
...
Guess what: the Wintel platform became standard, over the established
leader (Apple). Because IBM and Microsoft managed to produce what the
market wanted to buy, instead of what a few gurus in an ivory tower in
Cupertino thought what the ultimate PC would be.
Yes, and the guys in the white ivory tower realized that they err'd.

I'm glad they have only 3% market share.  I doubt they will ever get 
past 5-10% market share and that's not a bad thing, it's a good thing 
(tm)  because that will mean they will never be plagued with the 
problems MS has.  They (Apple) make a great product, IMO far superior 
to anything that can be found in PC land.  To that end, I'm happy being 
one of the 3% watching the masses of the 97% struggle.

When the last big MS virus/worm caused it's major shitstorm,
my mom asked me if I ever get infected with viruses. I said
no, I run a Mac. They are immune to these viruses.
Complete BS. There are Mac viruses all right, and the reason these worms
target the Windows platform is simply because there are much more of
them and therefore an Outlook worm is much more likely to succeed than a
Mac worm.
"They are immune to these viruses" actually meant these viruses/worms 
specifically causing the havoc in the last year or so.  Sorry for not 
being more clear.

If Apple is still around with 3% of the market, it's because Bill Gates
bailed them out as he wanted to keep a competitor alive when they were
in the feds cross-hairs because of that monopoly thing. I'll tell you
what: if you know how to make the Mac the dominant platform, go see
Steve Jobs and ask for 100 million bucks in cash in exchange for the
tip.
Jobs is hardly a competitor for Gates.  3% to what?  90%? I hardly call 
that competition.

And if you're not happy with Windows, you're free to write a competitive
product to replace it. That's what Microsoft did to Apple 20 years ago,
BTW. It's called market economy.
I don't need to write anything, I have it already, it runs on my 
powerbook.  Like I said, if things hadn't happened the way they did, we 
would all be stuck using MS with even fewer alternatives.  I say again, 
IMO Apple builds a superior product.  It's because they only have 3% 
market share that product exists.  I'm happy paying the premium because 
I get what I pay for.

Michel.




Re: MS is vulnerable

2004-01-29 Thread Jason Lixfeld


On Jan 29, 2004, at 1:29 PM, just me wrote:

Your analogies suck for two reasons:

1: take a look at the huge problems apple is having with quality
control and returns on the ibooks. They've finally started admitting
there's a problem (after months and months of consumer outrage)
http://www.apple.com/support/ibook/faq/
Try again.  They are having quality control issues, granted.  The thing 
is, the issue isn't huge.  I read an article about this yesterday.  
Out of the 837,000 ibooks sold in 2003, 0.2% of all ibooks were 
affected.

2: VW build quality control and reliability sucks as well. There's a
long list of problems every Jetta owner will eventually see. Most are
not covered by a recall or other warranty replacement. I can only
imagine the problems the Touareg owners will be seeing in a brand new
platform.
Sure, no company goes without having a glitch in their production or 
something at some point -- that's life.

Apple acknowledges their problems with their hardware, fixes it and 
makes sure it doesn't happen again.  VW fixes their problems and makes 
sure they don't happen again.  Microsoft acknowledges their problems 
and says F**k you, we're Microsoft. Deal with it.

Not to mention that most VW dealers are raging crooks, and VWOA does
nothing to stop or discourage their theft and fraud.
*shrug* sorry about your luck.  I've had nothing but good luck with my 
Rabbit that went 15 years on its original clutch (and I drove like 
Andretti in those days).  Aside from some body work on my GTI now, 
there aren't any crippling mechanical issues.  You must just have 
really bad luck.

http://matt.ethereal.net/ggvw/

As an iBook owner, and a VW owner, I can say with authority that I'd
think twice before making another Apple or VW purchase.
Too bad.

The moral of the story is that there's always a downside, and you
should take any evangelist's schpiel with a giant salt lick.
As we have done here..

Now, then, I'm done.  Back to on-topic stuff.

matto

On Thu, 29 Jan 2004, Jason Lixfeld wrote:

  Agreed.  That's where you educate your mom on why Macs are godly, PCs
  running windows are evil and Linux is a little too complex still for
  the end user, and bluntly doesn't look as pretty out of the box.
  [...]

  (hypothetical) Buy the $12,000.00 (CDN) KIA with no snow tires, no ABS,
  no nothing.  Drive somewhere in a snow storm, get stuck going up a
  hill, try to back down the hill, get sideswiped by the guy in the
  Touareg because he can't see your tiny little $12,000.00 KIA soap box,
  get flung over the guardrail, down the hill and into the valley.  Pay
  the tow truck to come bail your ass out, pay your insurance deductible
  and the extra rates you are going to ensue because you just wrote off
  your car.  Add all that up and compare that to the price of a brand new
  Touareg over 10 years.  Guess what, your analogy just lost ground :)

[EMAIL PROTECTED]darwin
   Flowers on the razor wire/I know you're here/We are few/And far
   between/I was thinking about her skin/Love is a many splintered
   thing/Don't be afraid now/Just walk on in. #include disclaim.h



Automated Network Abuse Reporting

2003-12-29 Thread Jason Lixfeld
We're a small company but nonetheless are inundated with firewall 
logs reporting numerous attempts to find holes in our network; c'est la 
vie.  Seeing as how we are small, we don't have the resources to go 
through and send emails off to the abuse departments of each network 
sourcing the probes.  Question is:  Has there been development of some 
sort of intelligent unix land app that can understand Cisco syslog 
output, find the abuse departments of the sourcing networks and send 
them off a nice little FYI?
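The pipeline asked for above, written here as an added example rather than an existing tool: it parses IOS-style ACL deny syslog lines (constructed sample), aggregates the probes per source host and port, maps each source to an abuse mailbox by longest-prefix match against a hand-maintained table (in practice that lookup would come from the RIR whois/RDAP abuse contact; it is a constructed dict here so the script runs offline), and renders one report per contact with a threshold so a single stray packet does not generate mail.

```python
"""Aggregate Cisco ACL-deny syslog lines into per-network abuse reports.

Added example, not from the thread. Assumes IOS-style %SEC-6-IPACCESSLOGP
messages and a hand-maintained prefix -> abuse mailbox table; the real lookup
would query whois/RDAP for the abuse contact, which is skipped so this runs
offline. All addresses are RFC 5737 documentation ranges.
"""
import ipaddress
import re

# Constructed sample syslog lines; the last one is unrelated noise to be skipped.
SAMPLE_SYSLOG = """\
Dec 29 03:11:02 edge1 1234: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(4567) -> 192.0.2.10(22), 1 packet
Dec 29 03:11:09 edge1 1235: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(4568) -> 192.0.2.10(23), 3 packets
Dec 29 03:12:41 edge1 1236: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.77(40001) -> 192.0.2.11(1433), 1 packet
Dec 29 03:13:00 edge1 1237: %SEC-6-IPACCESSLOGP: list 101 denied udp 203.0.113.200(53) -> 192.0.2.12(161), 2 packets
Dec 29 03:13:05 edge1 1238: %SYS-5-CONFIG_I: Configured from console by admin
"""

# Constructed contact table standing in for the RIR abuse-c lookup.
ABUSE_CONTACTS = {
    "203.0.113.0/24": "abuse@net-a.example",
    "198.51.100.0/24": "abuse@net-b.example",
}

DENY_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?"
)


def parse_denies(text):
    """One dict per ACL deny line; syslog lines of any other kind are ignored."""
    events = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m:
            d = m.groupdict()
            d["count"] = int(d["count"])
            d["dport"] = int(d["dport"])
            events.append(d)
    return events


def abuse_contact(src_ip, contacts=ABUSE_CONTACTS):
    """Longest-prefix match of src_ip against the contact table; None if unknown."""
    ip = ipaddress.ip_address(src_ip)
    best = None
    for prefix, mailbox in contacts.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, mailbox)
    return best[1] if best else None


def build_reports(events, min_packets=1):
    """Group denies as contact -> source host -> (proto, dport) -> packet count.

    Sources whose total is below min_packets are dropped, and a contact with
    nothing left is removed, so a lone stray packet never triggers a mail.
    """
    reports = {}
    for e in events:
        mailbox = abuse_contact(e["src"]) or "UNKNOWN"
        per_port = reports.setdefault(mailbox, {}).setdefault(e["src"], {})
        key = (e["proto"], e["dport"])
        per_port[key] = per_port.get(key, 0) + e["count"]
    for mailbox in list(reports):
        reports[mailbox] = {src: ports for src, ports in reports[mailbox].items()
                            if sum(ports.values()) >= min_packets}
        if not reports[mailbox]:
            del reports[mailbox]
    return reports


def render_report(mailbox, sources):
    """Plain-text FYI for one abuse contact, one line per source/port pair."""
    lines = [f"To: {mailbox}", "Subject: Unsolicited probes from your network", ""]
    for src in sorted(sources, key=ipaddress.ip_address):
        for (proto, dport), n in sorted(sources[src].items()):
            lines.append(f"{src} -> {proto}/{dport}: {n} packet(s) denied")
    return "\n".join(lines)


if __name__ == "__main__":
    for mailbox, sources in build_reports(parse_denies(SAMPLE_SYSLOG)).items():
        print(render_report(mailbox, sources), end="\n\n")
```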



Re: Cisco IOS Vulnerability

2003-07-16 Thread Jason Lixfeld
So that was the one...

On Thursday, July 17, 2003, at 1:09 AM, Jared Mauch wrote:

On Thu, Jul 17, 2003 at 01:02:42AM -0400, Jason Lixfeld wrote:


On Wednesday, July 16, 2003, at 11:34 PM, joshua sahala wrote:

anyone have the 'scheduled maintenance mp3 lying around?  i have a
feeling i am going to need it
This wouldn't be the "My gig port's down, and now it's up again..."
song would it?  :)
If not, pass along the right one when you find it, will ya?
1) I didn't make this
2) I can't remember where I got it from
3) please don't abuse my connection too much tonight
	http://puck.nether.net/~jared/gigflapping.mp3

	- jared

--
Jared Mauch  | pgp key available via finger from [EMAIL PROTECTED]
clue++;  | http://puck.nether.net/~jared/  My statements are only 
mine.



Re: OT: Notebooks /w a serial port?

2003-03-21 Thread Jason Lixfeld
I forgot to cc nanog, but you can pick up USB to Serial adapters.  I 
just picked up a high speed usb to serial adapter for about $80CDN:

http://www.keyspan.com/products/usb/USA19W/

hth.

On Friday, March 21, 2003, at 04:31 PM, Larry Rosenman wrote:



--On Friday, March 21, 2003 16:46:51 -0500 Drew Weaver 
[EMAIL PROTECTED] wrote:

	Seems like these are all but extinct, but does anyone know of a
'new' notebook that has a serial port built onto it? I've found some that
have port replicators, but that can be a pain when you need to serial
into a router or some other device. What do you guys use?
Socketcomm has a PCMCIA serial port card.

Not cheap.  If you hear of something else, Please let me know.

LER

-Drew



--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 972-414-9812 E-Mail: [EMAIL PROTECTED]
US Mail: 1905 Steamboat Springs Drive, Garland, TX 75044-6749





VoIP QOS best practices

2003-02-10 Thread Jason Lixfeld

Looking for some links to case studies or other documentation which 
describe implementing VoIP between sites which do not have point to 
point links.  From what I understand, you can't enforce end-to-end QoS 
on a public network, nor over tunnels.  I'm wondering if my basic 
understanding of this is flawed and in the case that it's not, how is 
this dealt with if the ISPs of said sites don't have any QoS policies?

-jL



Re: VoIP QOS best practices

2003-02-10 Thread Jason Lixfeld

Providing your sites are local to the same ISP, that would be fine.  
Worst case scenario and probably a more likely scenario in most cases 
is that company A has a satellite office in Boston, one in Sydney and 
one in Tokyo while their head office is in Toronto.  Not a very wide 
range of providers who can reach those areas, not to mention whether or 
not they can deliver MPLS.


On Monday, February 10, 2003, at 11:52 AM, Christopher J. Wolff wrote:

Jason,

My strategy would be to use the same carrier at point A and point B and
purchase some kind of high-priority MPLS switching config between the
two.  I believe Global Crossing offers something like this where they
differentiate between the proletarian traffic and the uber-business
traffic.

The other thing to keep in mind is that QoS only comes into play when
you saturate your links.

Regards,
Christopher J. Wolff, VP, CIO
Broadband Laboratories, Inc.
http://www.bblabs.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Jason Lixfeld
Sent: Monday, February 10, 2003 9:47 AM
To: [EMAIL PROTECTED]
Subject: VoIP QOS best practices


Looking for some links to case studies or other documentation which
describe implementing VoIP between sites which do not have point to
point links.  From what I understand, you can't enforce end-to-end QoS
on a public network, nor over tunnels.  I'm wondering if my basic
understanding of this is flawed and in the case that it's not, how is
this dealt with if the ISPs of said sites don't have any QoS policies?

-jL






Re: VoIP QOS best practices

2003-02-10 Thread Jason Lixfeld

Hmm, didn't know GC was lit up in Canada.

On Monday, February 10, 2003, at 12:01 PM, Christopher J. Wolff wrote:


Jason,

I believe Global Crossing supports those sites, keep in mind I don't
sell their product, but UUNET should as well.

Regards,
Christopher J. Wolff, VP, CIO
Broadband Laboratories, Inc.
http://www.bblabs.com









Re: VoIP QOS best practices

2003-02-10 Thread Jason Lixfeld

On Monday, February 10, 2003, at 12:47 PM, Bill Woodcock wrote:




Looking for some links to case studies or other documentation which
describe implementing VoIP between sites which do not have point to
point links.  From what I understand, you can't enforce end-to-end QoS
on a public network, nor over tunnels.  I'm wondering if my basic
understanding of this is flawed and in the case that it's not, how is
this dealt with if the ISPs of said sites don't have any QoS policies?

QoS is completely unnecessary for VoIP.  Doesn't appear to make a bit of
difference.  Any relationship between the two is just FUD from people
who've never used VoIP.

Indeed, people like me :)




Re: VoIP QOS best practices

2003-02-10 Thread Jason Lixfeld

On Monday, February 10, 2003, at 12:59 PM, Bill Woodcock wrote:


Any relationship between the two is just FUD from people
who've never used VoIP.


Indeed, people like me :)


No, no, I didn't mean you, you were just asking the question.  I meant the
folks who don't want end-users doing their own VoIP because it means lost
revenue on circuit-switched networks.  And then there's the whole IEPREP
crowd.

laugh  -- Well, I do admittedly fall under the category of someone 
who's never used it before, but I'm in a different category than what 
you describe.  Anyway... off to the next reply :)

-Bill







RE: MSN Messenger

2003-01-06 Thread Jason Lixfeld

Seems to be OK as long as you are connected...  Whoops.. there it goes,
nevermind :P

On Mon, 2003-01-06 at 11:49, Mark Segal wrote:
 Service status is available at
 http://messenger.microsoft.com/support/status.asp
 
 But according to the page all is fine.. Which is NOT the case here either.
 
 Mark
 
 --
 Mark Segal
 Director, Data Services
 Futureway Communications Inc.
 Tel: (905)326-1570
 
 
  -Original Message-
  From: David Diaz [mailto:[EMAIL PROTECTED]] 
  Sent: January 6, 2003 11:41 AM
  To: [EMAIL PROTECTED]
  Subject: MSN Messenger
  
  
  
  Morning all,
  
  Is anyone else seeing MSN messenger issues?  I had verification from 
  a few people that they started seeing problems this morning. At first 
  the messages seemed to be of a server not found message, now it's 
  server error.  I didnt see anything on MSN's site.
  
  Does anyone know of a maint page they have?
  
  Thought this also might be helpful to any ISPs with a large 
  amount of users.
  
  David
  -- 
  
  David Diaz
  [EMAIL PROTECTED] [Email]
  [EMAIL PROTECTED] [Pager]
  www.smoton.net [Peering Site under development]
  Smotons (Smart Photons) trump dumb photons
  
  
-- 
i'm we toddid.  sofa king we toddid.





RE: Spam. Again.. -- and blocking net blocks?

2002-12-10 Thread Jason Lixfeld

I like Segal's DoS idea, except instead of the packet generators, let's
be nice and just DDoS port 25 on the sunzofbiatches mail servers/load
balancers...

fight fire with fire... :)

On Tue, 2002-12-10 at 20:39, Scott Silzer wrote:
 That is exactly what was done to Futureway  a third party spammed 
 for a site hosted by a downstream ISP and the result was their entire 
 network being blacklisted by SPEWS.
 
 At 15:41 -0800 12/10/2002, David Schwartz wrote:
 On Tue, 10 Dec 2002 15:45:29 -0500, Scott Silzer wrote:
 
 I could understand if an ISP was allowing spam from a portion of
 their network.  But in this case the only thing that the ISP did is
 host a website, the SPAM was sent from a third party's network.
 The ISP did terminate the customer but in the meantime the entire
 NSP's network has been blacklisted, for a rogue webhosting account
 does sound a bit harsh.
 
  A spam blocking service that worked that way would be useless. Anyone could
 get any site they didn't like blacklisted simply by spamvertising it. Anyone
 who uses a spam blocking list that works that way is DoSing themselves.
 
  DS
-- 
-JaL

AFAIK, You think I'm a BOFH for continually bashing you over the head
 with a clue-by-four.  OTOH, if you would just RTFM every once in a 
 while, my life would suck *much* less.





RE: attacking DDOS using BGP communities?

2002-10-18 Thread Jason Lixfeld

Interesting -- I was actually having a conversation about this very same
thing with a friend of mine a few days ago.  The problem we had, was
that he had next-hop-self on all of his ibgp mesh routers.  Does that
not make it difficult to put an ip next-hop in?  Also, would that ip
next-hop be propagated throughout his mesh or would that same route-map
have to be present on all the edge routers?

The other thing we were toying with was setting the administrative
distance for said black-holed route to be less than that of his igp and
having his IGP route to 127.0.0.1 or something.

The whole goal was to try and kill the route as close to the source as
possible so as not to have the traffic traverse the core.  The question
is, how to?

-- 
AFAIK, I'm a BOFH for continually bashing you with a clue-by-four.
OTOH, if you would just RTFM every once in a while, my life would suck
*much* less. 

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:owner-nanog;merit.edu] On 
 Behalf Of Frank Scalzo
 Sent: Friday, October 18, 2002 9:52 AM
 To: Saku Ytti; [EMAIL PROTECTED]
 Subject: RE: attacking DDOS using BGP communities?
 
 
 
 701 has a blackhole community, 701:, basically it sets the next-hop
 to something blackholed on their edge so the DOS attack gets dropped as
 soon as it hits them. I have made use of this to kill at least one DDOS
 event. A global blackhole community may be difficult to achieve, but
 getting the majority of large providers to implement one is a good
 start.
 
 -Original Message-
 From: Saku Ytti [mailto:saku+nanog;ytti.fi] 
 Sent: Thursday, October 17, 2002 5:23 PM
 To: [EMAIL PROTECTED]
 Subject: attacking DDOS using BGP communities?
 
 
 How feasible would these ideas be?
 
 1) Signaling unwanted traffic.
    You would set a community which would just inform that you are
    receiving unwanted traffic. This way a responsible AS# with statistical
    netflow could easily automatically search for these networks and report
    to NOC if both there is increased traffic to them and the community is on.
 
 -would it be effective at all? Could your netflow parser use it easily?
 +wouldn't need big changes
 
 2) 'TTL' community.
    You would have ~10 communities representing how many AS hops until the
    route should not be advertised anymore. If you would experience DOS you'd
    start from TTL 1 and increase until the DOS flow starts again, with any
    luck you would end up having a very limited amount of AS# to communicate
    with in hopes of fixing their anti-spoofing filters and to catch the
    malicious party.
 
 -just think about the amount of route-maps :
 -you would need to flap the network possibly 10 times == damped
 +some idea who to contact w/o co-operation of NOCs (can be hard)
 +wins you time, often DOS is over before you've reached the 3rd AS number
   to ask where the traffic is originating.
 
 3) 'null route' community.
    This would only be useful if it would mean that you are also accepting
    more specific announcements, preferably even /32. Most people are probably
    crying about the idea already, but if you plan it wisely with a
    prefix-limit setting it might not be suicide. Just remember that all
    downstream prefix-limits + your prefixes must be smaller than what your
    upstream has set for prefix-limit; if this is not done then your
    downstreams can effectively trigger your upstream prefix-limit, killing
    your connectivity.
    How an AS handles the 'null route' community could vary: some set the
    next-hop to null0, others might set it to an analyzer tool. Just that it
    shouldn't reach the other end anymore.
 
 -the obvious: explosion of global bgp routing table (no, not necessarily)
 +effective, you'd instantly free your link from any DOS traffic to given
  destination.
 -- 
   ++ytti
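The three community conventions above, modelled as an import policy in Python. This is an added example, not code from the thread or from any vendor: the AS number 64500, the community values (64500:666, 64500:999 and 64500:101..110 for the TTL budget), the /24 cut-off, the TEST-NET prefixes and the 2x netflow threshold are all constructed for the example, and the prefix-limit helper simply encodes the arithmetic ytti states (downstream limits plus your own prefixes must stay below the upstream's limit).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Hypothetical local AS and community values, constructed for this example
# (a real deployment picks and documents its own numbers).
MY_AS = 64500
Community = Tuple[int, int]
SIGNAL_UNWANTED: Community = (MY_AS, 666)  # idea 1: "I am receiving unwanted traffic here"
NULL_ROUTE: Community = (MY_AS, 999)       # idea 3: discard traffic to this prefix
TTL_BASE = 100                             # idea 2: (MY_AS, 100+n) = stop after n AS hops
TTL_MAX = 10


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    as_path: List[int]            # AS path as received; len() is the AS hop count so far
    communities: Set[Community]
    next_hop: str


@dataclass
class Decision:
    accept: bool
    next_hop: str
    readvertise: bool             # pass the route on to other neighbours?
    reason: str


def route(prefix: str, as_path: List[int], communities: Set[Community], nh: str) -> Route:
    return Route(ipaddress.ip_network(prefix), as_path, set(communities), nh)


def ttl_hops(r: Route) -> Optional[int]:
    """Hop budget carried by a TTL community, or None if the route has none."""
    for asn, value in r.communities:
        if asn == MY_AS and TTL_BASE < value <= TTL_BASE + TTL_MAX:
            return value - TTL_BASE
    return None


def evaluate(r: Route, max_prefix_len: int = 24) -> Decision:
    """Import policy applying the three community conventions discussed above."""
    if NULL_ROUTE in r.communities:
        # Idea 3: accept even a /32, but point it at the discard interface and keep
        # it inside our AS (no re-advertisement), so the drop happens at our edge.
        return Decision(True, "null0", False, "null-route community: discard locally")
    if r.prefix.prefixlen > max_prefix_len:
        return Decision(False, r.next_hop, False,
                        f"more specific than /{max_prefix_len} and no null-route community")
    hops = ttl_hops(r)
    if hops is not None and len(r.as_path) >= hops:
        # Idea 2: the route has used its AS-hop budget; install it but stop propagation.
        return Decision(True, r.next_hop, False, f"TTL community: {hops} AS hops reached")
    return Decision(True, r.next_hop, True, "accepted")


def noc_alert(r: Route, flow_bps: float, baseline_bps: float, factor: float = 2.0) -> bool:
    """Idea 1: report to the NOC only when the community is set AND netflow shows a surge."""
    return SIGNAL_UNWANTED in r.communities and flow_bps > factor * baseline_bps


def upstream_limit_is_safe(downstream_limits: List[int], own_prefixes: int,
                           upstream_limit: int) -> bool:
    """Prefix-limit arithmetic from idea 3: every downstream filling its own limit,
    plus our own prefixes, must still stay below what the upstream enforces."""
    return sum(downstream_limits) + own_prefixes < upstream_limit


def demo() -> List[Decision]:
    """Constructed routes (TEST-NET addresses, private ASNs) run through the policy."""
    nh = "203.0.113.1"
    blackhole = route("192.0.2.7/32", [64501], {NULL_ROUTE}, nh)
    too_specific = route("192.0.2.7/32", [64501], set(), nh)
    spent_ttl = route("192.0.2.0/24", [64502, 64501], {(MY_AS, TTL_BASE + 2)}, nh)
    fresh_ttl = route("192.0.2.0/24", [64501], {(MY_AS, TTL_BASE + 2)}, nh)
    return [evaluate(r) for r in (blackhole, too_specific, spent_ttl, fresh_ttl)]


if __name__ == "__main__":
    for d in demo():
        print(d)
```

The null-route branch deliberately refuses to re-advertise the /32: the point of the community is that the tagged AS drops the traffic itself, and a leaked more-specific is exactly the routing-table explosion objection ytti anticipates. The prefix-limit helper is the check to run before turning on idea 3 at all.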
 




RE: what's that smell?

2002-10-08 Thread Jason Lixfeld


  I am sure thats part of it.  Also, it might be a CPU issue as well.
  
 Unicast RPF is affordable CPU-wise even in the most mediocre 
 boxes people tend to have.

In more cases than not, especially nowadays with lots of networks
peering all over god's creation, RPF can have some pretty detrimental
effects if your routing is somewhat asymmetrical.




RE: what's that smell?

2002-10-08 Thread Jason Lixfeld


 On Tue, 8 Oct 2002, Jason Lixfeld wrote:
  In more cases than not, especially nowadays with lots of networks
  peering all over god's creation, RPF can have some pretty detrimental
  effects if your routing is somewhat asymmetrical.
 
 actually RPF is extremely effective especially where its highly 
 asymmetrical, eg at the edge. theres virtually no reason not to RPF 
 dialup/isdn/cable/dsl/etc customers for example.

Sure, but to RPF so many customer facing edge ports in comparison to the
far fewer number of egress ports makes the implementation procedure
quite extensive.  The more configuration, the more room for errors or
"oops, forgot to configure that there", not to mention change
management.
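The strict-versus-loose distinction underneath this exchange, as an added Python example (not from the thread): a longest-prefix FIB lookup with both uRPF modes run against a constructed FIB. The interface names, the TEST-NET prefixes and the routing situation (a peer's prefix whose traffic arrives over transit, i.e. the asymmetric case Jason describes) are all made up for the example.

```python
import ipaddress
from typing import List, Optional, Tuple

# FIB entry: (prefix, outgoing interface). Everything here is constructed.
FibEntry = Tuple[ipaddress.IPv4Network, str]


def lookup(fib: List[FibEntry], addr: ipaddress.IPv4Address) -> Optional[FibEntry]:
    """Longest-prefix match for addr; None if nothing (not even a default) matches."""
    best: Optional[FibEntry] = None
    for net, iface in fib:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def strict_rpf(fib: List[FibEntry], src: str, ingress: str) -> bool:
    """Strict mode: the best route back to the source must leave via the ingress
    interface. Safe at a customer edge, where return paths are symmetric by design."""
    match = lookup(fib, ipaddress.ip_address(src))
    return match is not None and match[1] == ingress


def loose_rpf(fib: List[FibEntry], src: str) -> bool:
    """Loose mode: any real (non-default) route to the source passes, whatever the
    interface. Tolerates asymmetry but still drops unrouted (e.g. RFC 1918) sources."""
    match = lookup(fib, ipaddress.ip_address(src))
    return match is not None and match[0].prefixlen > 0


def build_fib() -> List[FibEntry]:
    """Constructed FIB: default to transit, one peer-learned prefix, one customer prefix."""
    return [
        (ipaddress.ip_network("0.0.0.0/0"), "Transit0"),
        (ipaddress.ip_network("198.51.100.0/24"), "Peer1"),
        (ipaddress.ip_network("203.0.113.0/24"), "Customer0"),
    ]


def verdicts(fib: List[FibEntry], src: str, ingress: str) -> Tuple[bool, bool]:
    """(strict passes, loose passes) for one packet."""
    return strict_rpf(fib, src, ingress), loose_rpf(fib, src)


if __name__ == "__main__":
    fib = build_fib()
    cases = [
        ("203.0.113.5", "Customer0"),   # customer's own space on the customer port
        ("10.0.0.1", "Customer0"),      # spoofed RFC 1918 source from the customer
        ("198.51.100.9", "Transit0"),   # peer's space arriving over transit (asymmetric)
    ]
    for src, ingress in cases:
        print(src, ingress, verdicts(fib, src, ingress))
```

The third case is the one that bites: the peer's prefix is best-routed out Peer1, so strict mode on the transit port drops legitimate traffic that happens to come back through transit, while loose mode still accepts it and still rejects the 10.0.0.1 packet, which has nothing but the default route behind it.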




Implementation practices

2002-10-08 Thread Jason Lixfeld


Irrd-discuss didn't have anything at all to say about this, so I thought
I'd bring it here for a different, practical perspective.

I'm wondering what the general consensus is with regards to IRR
implementation practices.  I've done a little digging and have tried to
find practical examples of networks listing their detailed peering sets
and detailed aut-num objects to see how their import and export entries
look for things like community strings, MEDs, Local-Pref, etc.  I
haven't had much luck in finding any detailed, practical examples.

I can come up with only two conclusions:  1) Security policies for most
networks likely mandate against disclosing routing policy by
means of mirroring your database with RADB.  2) People just don't use
the irrd to its fullest extent, hence no detailed entries.

I'd like to think that the former is true :) so if that's the case, what
are some of the best practices?  Is it just as simple as creating a
database which RADB mirrors, containing general maintainer, AS and route
objects then having a private, un-mirrored/non-exported database
containing all the nuts and bolts which you run RAToolSet (or other,
home made widget) against?
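The two-tier arrangement Jason sketches (a detailed private aut-num for your own toolset, a stripped copy for the mirrored public database), as an added Python example that is not from the thread or from any IRR software. The aut-num object, its AS numbers, maintainer and source names are constructed; the code keeps the RPSL `accept`/`announce` terms in the public copy and strips only the `action` clauses (pref, med, community settings) and remarks marked INTERNAL.

```python
import re
from typing import Dict

# Constructed aut-num in RPSL (private ASNs). In RPSL a lower pref value is preferred.
DETAILED_AUTNUM = """\
aut-num:     AS64500
as-name:     EXAMPLE-NET
descr:       Example Networks (constructed)
import:      from AS64501 action pref=100; community.append(64500:100); accept AS64501
import:      from AS64502 action pref=200; med=50; accept AS-64502-CUSTOMERS
export:      to AS64501 announce AS64500
export:      to AS64502 action community.append(64500:200); announce AS64500 AND NOT {0.0.0.0/0}
remarks:     INTERNAL: pref values mirror our transit/peer local-pref scheme
mnt-by:      MAINT-EXAMPLE
source:      EXAMPLE-PRIVATE
"""

# An action clause runs from "action" up to the ';' just before accept/announce.
ACTION_RE = re.compile(r"\s+action\s+.*?;\s*(?=(?:accept|announce)\b)")
POLICY_RE = re.compile(
    r"^(import|export):\s+(?:from|to)\s+(\S+)\s+action\s+(.*?;)\s*(?=accept|announce)",
    re.MULTILINE,
)


def public_view(obj: str, public_source: str = "EXAMPLE") -> str:
    """The copy you let RADB mirror: peers and what is accepted/announced, no actions."""
    out = []
    for line in obj.splitlines():
        if line.startswith("remarks:") and "INTERNAL:" in line:
            continue                      # internal remarks never leave the private DB
        if line.startswith(("import:", "export:")):
            line = ACTION_RE.sub(" ", line)
        if line.startswith("source:"):
            line = f"source:      {public_source}"
        out.append(line)
    return "\n".join(out) + "\n"


def actions_by_peer(obj: str) -> Dict[str, str]:
    """The nuts and bolts for the private toolset: {'import:AS64501': 'pref=100; ...'}."""
    return {f"{kind}:{peer}": action for kind, peer, action in POLICY_RE.findall(obj)}


if __name__ == "__main__":
    print(public_view(DETAILED_AUTNUM))
    print(actions_by_peer(DETAILED_AUTNUM))
```

Whatever tool builds prefix-lists and route-maps should be pointed at the detailed object; the public view only has to be complete enough that other networks can filter you correctly.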




RE: iBGP next hop and multi-access media

2002-10-07 Thread Jason Lixfeld


Ok, so correct me if I'm wrong here (I'm just trying to paint a picture
of what this thread is trying to conceive), RA-FA1: 10.10.10.1/30,
RB-FA0: 10.10.10.2/30, 172.16.16.1/24 secondary?

iBGP setup between RA & RB, RB announces to RA with a next-hop of the
primary address on FA0, RA announces to RB with a next-hop of the
primary address on FA1.  When iBGP announces 172.16.16 to RA, you want
it to announce with a next-hop of 172.16.16.1 as opposed to the primary
address 10.10.10.2.  Is that right?

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On 
 Behalf Of Ralph Doncaster
 Sent: Monday, October 07, 2002 12:56 AM
 To: Jason Lixfeld
 Cc: 'Alex Rubenstein'; [EMAIL PROTECTED]
 Subject: RE: iBGP next hop and multi-access media
 
 
 
 It's a theoretical question. So far I've had one person email 
 me saying
 OSPF can advertise a subnet as local on a shared multi-access 
 media.  If
 in fact BGP can't do this, then it's no big deal to me as 
 nothing in my
 network relies on this functionality.
 
 Ralph Doncaster
 principal, IStop.com 
 
 On Mon, 7 Oct 2002, Jason Lixfeld wrote:
 
  Are you just asking a question to get a better understanding of how
  things work, Ralph or have you already put this into 
 production and are
  wondering why it doesn't work a certain way?
  
   -Original Message-
   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On 
   Behalf Of Ralph Doncaster
   Sent: Monday, October 07, 2002 12:43 AM
   To: Alex Rubenstein
   Cc: [EMAIL PROTECTED]
   Subject: Re: iBGP next hop and multi-access media
   
   
   
   My understanding is the route is valid as long as the interface is
   up; just like adding a secondary IP on the interface.
   
   Ralph Doncaster
   principal, IStop.com 
   
   On Mon, 7 Oct 2002, Alex Rubenstein wrote:
   

Aha.

So, if you route to a ethernet interface, it will try to 
   arp for that
address on that subnet, even without having a local address 
   on the same
subnet?

This seems to me to be something you don't want to do.

Is the entire route valid as long as the router can ARP for 
   one of the
addresses in the routed subnet?



On Mon, 7 Oct 2002, Ralph Doncaster wrote:

 On Mon, 7 Oct 2002, Alex Rubenstein wrote:

  I've been doing ip route statements going on 8 years now, and I can't
  imagine why ever -- and how it would even work -- you'd want to ip route a
  netblock with a next hop of a multi-access broadcast media. As in, the
  next hop is still truly undetermined.
  
  I guess I don't know this because I've never tried it. But, how does the
  router determine where to send the packets for a route statement as
  specified above (ip route a.b.c.d e.f.g.h f0/0) ?

 When you setup a secondary ip on an interface
  int fa0/0
ip address a.b.c.d e.f.g.h secondary

 How does it determine where to send the packets?  ARP.
 Which is the same as adding the route described above.

 -Ralph


-- Alex Rubenstein, AR97, K2AHR, [EMAIL PROTECTED], latency, Al Reuben --
--Net Access Corporation, 800-NET-ME-36, http://www.nac.net   --
   
   
   
  
 
 




RE: what's that smell?

2002-10-07 Thread Jason Lixfeld


And to that end, I wonder how many of the bad queries are coming from MS
DNS servers.

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On 
 Behalf Of Stephen J. Wilcox
 Sent: Monday, October 07, 2002 7:05 PM
 To: Paul Vixie
 Cc: [EMAIL PROTECTED]
 Subject: Re: what's that smell?
 
 
 
 to that end why doesn't bind ship with default zone files for rfc1918 space as
 well as 127.0.0.0 ?
 
 Steve
 
 
 On Mon, 7 Oct 2002, Paul Vixie wrote:
 
  
  since the last time we cleared the firewall statistics on c.root-servers.net,
  1895GB of udp/53 input has led to 6687GB of udp/53 output, but, and this is
  the important part now so pay attention, 185GB of input was dropped due to an
  RFC1918 source address.
  
  who needs DDOS when most network operators aren't filtering RFC1918 on output?
  (there's only been 4.2GB of udp/2002 and other wormy traffic, by comparison.)
  
  current winners of the sustained input traffic over 100KBits/sec award are
  164.58.150.146, 200.52.12.131, and 195.146.194.12.  c-root keeps on ignoring
  you, but you just never give up.  congratulations, or something.
  
  (note that c-root's network operator has offered to filter RFC1918 on
  input from other AS's, but it's actually useful to keep on measuring it.)
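The measurement Paul describes (how much udp/53 input carries an RFC 1918 source, and which sources are worst), as an added Python example that is not from the thread or from c-root's firewall. The log line format and the sample lines are constructed for the example, with 192.0.2.53 standing in for the name server's address; the RFC 1918 ranges are spelled out explicitly rather than using `ipaddress.is_private`, which also covers loopback, link-local and other ranges that are a different filtering question.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, Iterable

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed log format: "<timestamp> udp <src>:<sport> -> <dst>:53 len <bytes>"
LINE_RE = re.compile(r"^\S+ udp (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):53 len (?P<len>\d+)$")

# Constructed sample input; 192.0.2.53 plays the name server.
SAMPLE_LOG = [
    "2002-10-07T19:05:01 udp 10.1.2.3:53211 -> 192.0.2.53:53 len 64",
    "2002-10-07T19:05:01 udp 198.51.100.7:1025 -> 192.0.2.53:53 len 72",
    "2002-10-07T19:05:02 udp 172.20.0.9:40001 -> 192.0.2.53:53 len 80",
    "2002-10-07T19:05:02 udp 10.1.2.3:53212 -> 192.0.2.53:53 len 66",
    "2002-10-07T19:05:03 udp 203.0.113.4:2002 -> 192.0.2.53:53 len 70",
    "2002-10-07T19:05:03 udp 192.168.1.1:1234 -> 192.0.2.53:53 len 60",
    "garbage line that should be ignored",
]


def is_rfc1918(addr: str) -> bool:
    """True for 10/8, 172.16/12 and 192.168/16 only."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def summarize(lines: Iterable[str], top: int = 3) -> Dict[str, object]:
    """Total udp/53 input bytes, bytes that would be dropped for an RFC 1918 source,
    and the heaviest offending sources (the 'sustained input award' list)."""
    total = dropped = 0
    offenders: Counter = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                     # unparsable lines are skipped, not counted
        size = int(m["len"])
        total += size
        if is_rfc1918(m["src"]):
            dropped += size
            offenders[m["src"]] += size
    return {"input_bytes": total, "rfc1918_bytes": dropped,
            "top_sources": offenders.most_common(top)}


def rfc1918_share(summary: Dict[str, object]) -> float:
    """Fraction of input that carried an RFC 1918 source (0.0 when there was no input)."""
    total = int(summary["input_bytes"])
    return int(summary["rfc1918_bytes"]) / total if total else 0.0


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(s, f"{rfc1918_share(s):.1%}")
```

Run over the real firewall log, the share is the number to watch over time: those sources cannot be answered, so every byte counted is pure waste on the server's input side, and the top-sources list is who to contact.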
  
 




RE: what's that smell?

2002-10-07 Thread Jason Lixfeld


Hope this doesn't come across as DNS-101, but is there some way to tell
what DNS server one uses?  Kinda like telnetting to port 80 or 25?  I
know if it is possible, it's just as possible for them to change the
output, but chances are the brainiacs of the world who don't filter
probably aren't smart enough to change what their DNS server 'appears'
to be either.

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On 
 Behalf Of Dan Hollis
 Sent: Monday, October 07, 2002 7:11 PM
 To: Jason Lixfeld
 Cc: 'Stephen J. Wilcox'; 'Paul Vixie'; [EMAIL PROTECTED]
 Subject: RE: what's that smell?
 
 
 
 On Mon, 7 Oct 2002, Jason Lixfeld wrote:
  And to that end, I wonder how many of the bad queries are 
 coming from MS
  DNS servers.
 
 to that end, i wonder how many of the bad queries are coming 
 directly from 
 microsoft campus.
 
 -Dan
 -- 
 [-] Omae no subete no kichi wa ore no mono da. [-]
 




RE: iBGP next hop and multi-access media

2002-10-06 Thread Jason Lixfeld


Are you just asking a question to get a better understanding of how
things work, Ralph or have you already put this into production and are
wondering why it doesn't work a certain way?

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On 
 Behalf Of Ralph Doncaster
 Sent: Monday, October 07, 2002 12:43 AM
 To: Alex Rubenstein
 Cc: [EMAIL PROTECTED]
 Subject: Re: iBGP next hop and multi-access media
 
 
 
 My understanding is the route is valid as long as the interface is
 up; just like adding a secondary IP on the interface.
 
 Ralph Doncaster
 principal, IStop.com 
 
 On Mon, 7 Oct 2002, Alex Rubenstein wrote:
 
  
  Aha.
  
  So, if you route to a ethernet interface, it will try to 
 arp for that
  address on that subnet, even without having a local address 
 on the same
  subnet?
  
  This seems to me to be something you don't want to do.
  
  Is the entire route valid as long as the router can ARP for 
 one of the
  addresses in the routed subnet?
  
  
  
  On Mon, 7 Oct 2002, Ralph Doncaster wrote:
  
   On Mon, 7 Oct 2002, Alex Rubenstein wrote:
  
I've been doing ip route statements going on 8 years now, and I can't
imagine why ever -- and how it would even work -- you'd want to ip route a
netblock with a next hop of a multi-access broadcast media. As in, the
next hop is still truly undetermined.
   
I guess I don't know this because I've never tried it. But, how does the
router determine where to send the packets for a route statement as
specified above (ip route a.b.c.d e.f.g.h f0/0) ?
  
   When you setup a secondary ip on an interface
int fa0/0
  ip address a.b.c.d e.f.g.h secondary
  
   How does it determine where to send the packets?  ARP.
   Which is the same as adding the route described above.
  
   -Ralph
  
  
  -- Alex Rubenstein, AR97, K2AHR, [EMAIL PROTECTED], latency, Al Reuben --
  --Net Access Corporation, 800-NET-ME-36, http://www.nac.net   --
  
  
  
 




RE: routing architectures ( was Re: ATT NYCrouting )

2002-08-29 Thread Jason Lixfeld


Figure out how to do reverse route reflecting.

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On 
 Behalf Of Ralph Doncaster
 Sent: Thursday, August 29, 2002 3:46 PM
 To: Robert A. Hayden
 Cc: Peter van Dijk; [EMAIL PROTECTED]
 Subject: routing architectures ( was Re: ATT NYCrouting )
 
 
 
 On Thu, 29 Aug 2002, Robert A. Hayden wrote:
 
  Um.  Set up more than one reflector
 
 So how many is enough?  I would think 3 is a minimum to come 
 close to the
 reliability/redundancy of OSPF.
 
 -Ralph
 




RE: routing architectures ( was Re: ATT NYCrouting )

2002-08-29 Thread Jason Lixfeld


Uhh, come to think of it, the term "reverse route reflecting" probably
won't get you much help -- "client to client route reflecting" is probably
an easier term to understand.  My bad.

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On 
 Behalf Of Ralph Doncaster
 Sent: Thursday, August 29, 2002 3:46 PM
 To: Robert A. Hayden
 Cc: Peter van Dijk; [EMAIL PROTECTED]
 Subject: routing architectures ( was Re: ATT NYCrouting )
 
 
 
 On Thu, 29 Aug 2002, Robert A. Hayden wrote:
 
  Um.  Set up more than one reflector
 
 So how many is enough?  I would think 3 is a minimum to come 
 close to the
 reliability/redundancy of OSPF.
 
 -Ralph