RE: Postmaster @ vtext.com (or what are best practice to send SMS these days)
If you stick with SMS messages, the weakest link will always be the carrier's SMS gateway. Since this is the last item in the chain, any upstream service will still be handicapped by the gateway. I've worked with a variety of carriers, and they have all had problems at one point or another with their SMS gateways getting overwhelmed with SMS spam, etc., causing long SMS delivery queues or dropped messages. If you can find the SMS gateway admin at Verizon they can probably comment on what the issue is and any planned resolutions, else you may need to switch providers to one with a more clueful SMS gateway team. So far this year, I have only had a couple of instances of delayed/dropped SMS delivery via the ATT/Cingular SMS Gateway.

Peter Kranz
Founder/CEO - Unwired Ltd
www.UnwiredLtd.com
Desk: 510-868-1614 x100
Mobile: 510-207-
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Ulevitch
Sent: Wednesday, April 16, 2008 10:00 AM
To: nanog@merit.edu
Subject: Postmaster @ vtext.com (or what are best practice to send SMS these days)

We've noticed that [EMAIL PROTECTED] is no longer a very reliable form of delivery for alerts from Nagios, et al. It seems as our volume of alerts has risen, our delivery rate has dropped precipitously. We don't expect much trying to actually reach a postmaster for vtext.com so I thought the better question would be to ask what the current best practice is to get SMS alerts out?

Back in the day, I remember a company I worked for had something called a TAP gateway. Is that still a good route? I've also been told to check out an SMS gateway/api service called clickatell.com -- anyone using them to deliver timely notifications? Is the best thing to do to try and get a programmable cellphone in a datacenter? What else are operators doing to get the pages out when things go wonky?

-David
Re: enterprise change/configuration management and compliance software?
Well, at Exodus we started talking about IASON. In the long run everybody was afraid of IASON. They dared not work on it. Later I developed some bits and parts. When we changed hardware in a small company (200 PCs, 20 servers, 5 HP ProCurve switches and two routers) IASON would discover the switches as fast as they were powered and would move them to a management network. Operators and management were not amused. IASON was changing passwords and IP addresses :)

That has been the only try. The idea is still a Prolog based AI system, learning and knowing every piece of hardware, how it is configured and connected. You move a PC from one location to another because people do move or because a port on a switch has gone dead. IASON reprograms switches and ports so you get the same VLAN. Somebody is replacing a switch for whatever reason. IASON finds the new switch and sees the connected PCs and uplinks. It reconfigures the switch so as to replace the old one. You do not even need to mind where everything was connected. IASON can change across vendors.

I guess it will take some time - but in the long run we will get it and it will be open source.

Kind regards
Peter

Phil Regnauld wrote:
> jamie (j) writes:
> > ` device, and by 'device' i mean router and/or switch) configuration management (and (ideally) compliance-auditing_and_assurance) software. We currently use Voyence (now EMC) and are looking into other options for various reasons, support being in the top-3 ...
>
> So I guess using something tried, tested and free like Rancid + ISC's audit scripts are not within scope ?
>
> > So, I pose: To you operators of multi-hundred-device networks : what do you use for such purposes(*) ?
>
> Rancid :) (+ and now some home developed stuff)
>
> > This topic seemed to spark lively debate on efnet,
>
> The current weather would spark lively debate on most IRC channels.
> Phil

-- 
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Rimbacher Strasse 16
D-69509 Moerlenbach-Bonsweiher
+49(6209)795-816 (Telekom)
+49(6252)750-308 (VoIP: sipgate.de)
mail: [EMAIL PROTECTED]
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
http://www.cesidianroot.com/
Re: Problems sending mail to yahoo?
Roger Marquis wrote:
> Sounds like the party line inside Yahoo, but there are plenty of ISPs that do a really good job of combating spam. They do it with standard tools like RBLs, Spamassassin, OCR, ClamAV and without ineffective diversions like SPF or DKIM.

Seen from inside, it is not spam filters but it is the routing table. I have seen spam dropping by 98% when zerorouting some networks. Nobody complained about false positives :) But this is another story for the big ones. They might have customers.

> The problem is that it is an art, not well documented (without reading 5 or 6 sendmail/postfix and anti-spam mailing lists for several years), is not taught in school (unlike systems and network administration), and rarely gets measured with decent metrics.

That is true. Plus the rules are constantly changing.

> Not that spam really has much to do with network operations, well, except perhaps for those pesky Netcool/Openview/Nagios alerts...

At the edge it does. It can bring your VoIP down and video on demand. I know of campus networks that improved p2p service when zerorouting networks known for sending spam.

Peter
Re: 10GE router resource
Paul Vixie wrote:
> [EMAIL PROTECTED] writes:
> > People rolling their own router are not the only ones who want to do 10G on Linux.
>
> speaking of which, has anybody run xorp in production? it looks as much like JunOS as quagga/zebra looks like IOS. if click works on current hardware and if the xorp/click integration is good, this could be a great science fair project for smaller network operators who need big PPS.

Vyatta is built on top of xorp. You can download the bootable iso from their site and take a low-commitment look:

http://www.vyatta.com/download/index.php

--Peter
Re: Mitigating HTTP DDoS attacks?
On Mon, Mar 24, 2008 at 11:34:58PM +, Paul Vixie wrote:
> i only use or recommend operating systems that have their own host based firewalls.

That was exactly my problem.

Barney Wolff wrote:
> What finally broke was doing a table list, possibly because the command prints in sorted order.

Happened to me too. First step: Borrowed sort.c from Minix. Next step: Large swap file. Finally: changed the distribution.

sort is one of the biggest hidden problems. There are broken sorts around, I guess some of the problems are character set specific. There is no more EBCDIC but UTF-8 and UTF-16 are even worse. Related to sort, you may have more than enough memory or swap but your process won't get it.

You can avoid sorting by looking into the /proc files. proc2pl might get you ideas, from the IASON tools on http://iason.site.voila.fr/

You might even sort or grep the output and you can always do that on a machine that is not your router.

Kind regards
Peter
Re: default routes question or any way to do the redundant
At 04:20 AM 21/3/08, ann kok wrote:
> Is it possible to have 2 default routes? or how can I do the redundant when the route is still working either eth1 or eth2 down?

A google search for "ipfilter policy routing" turns up lots of hints (mine included). There are some variations using lo0 so that the route is always available esp. in BSDs.

<rant>
Though this is NANOG, I'd guess that many subscribers are only familiar with using Cisco and Juniper boxen i.e. fully fledged routers, for multihoming at the edge. Some of us live at the edge, providing services and content using Alteon/F5/BSD. We have often solved these issues WITHOUT using C or J (other than for upstream connections). Even with multi Gb connectivity, C & J are not essential !
</rant>
Re: wanted: offshore hosting
That depends on your legislation: There are a lot of things forbidden in the US but allowed in Europe as well as a lot of things allowed in the US but prohibited in Europe. Then there are a lot of misunderstandings like accidental or collateral censoring. I remember a physicist being banned in Germany who could have saved lives and who could have prevented a lot of people from being put into lunatic asylums. Or maybe he is simply afraid of google. After all you can be sent to prison if your judge does not know how google works but your enemy does.

A relatively good place seems to be Québec - they don't know English ...

A really good place seems to be The Netherlands - they don't even know they don't know English.

They both are safe havens as long as your activity is not criminal.

Another good place seems to be Burma. Not even google can look inside there. Sorry that is a bad one.

Even France can be a safe place. E.g. I had to leave Germany with http://iason.site.voila.fr because IASON is considered a terrorist tool in Germany. The interesting law in Germany is StGB 202c.

Kind regards
Peter and Karin

Hex Star wrote:
> On 10/9/07, [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> wrote:
> > Hello all. Last time I asked for a hosting place, I ended up going with LayeredTech, but I can give you a list of options if you like. So, I'd like to rent a box somewhere outside of the US, for geographic redundancy and other reasons. Must be dedicated hosting, relatively cheap bandwidth, lots of space (500GB?), allow us to run Debian Linux, take US credit cards. No tech support other than rebooting the box needed. I'd prefer if they spoke English, but weren't in the UK or US. I could deal with it if they only spoke Spanish. A reputable Brazilian shop would be nice, but I'm pretty open to any suggestions. Does anyone have good experience with any outfits that match this description?
>
> Are you seeking this for legal intentions or...?
> As I doubt this list condones the seeking of hosting for illegal purposes
Re: Operational Feedback Requested on Pending Standard
Hi Ted,

developing IASON I did run into that problem. Among other things IASON was meant to read the configuration of a device and the things connected to it. When e.g. a switch port was bad, a device was unplugged and plugged into another port, then IASON was meant to reconfigure the switch, vpn and parameters, so that the device could run as if nothing had changed.

Most dramatically IASON would allow you to replace a Cisco by an HP ProCurve switch and automatically configure everything as soon as the device was switched on (DHCP and bootp). IASON would discover any device that was asking for DHCP and bootp to query an initial configuration, then it would look through its ports and MAC lists to see where it was connected and what devices were connected.

Of course IASON would work with ifIndex, not with ifName, as these are different from manufacturer to manufacturer - and definitely not ifAlias because IASON would configure the device before an operator could see it. I might teach IASON to use ifName and keep tables for the different hardware but definitely not ifAlias.

Well, neither Global Crossing nor Exodus cared for IASON so the snmp part was never finished and IASON only used snmpwalk to scan devices.

I remember the faces of two operators at a new installation when they plugged in three new switches and IASON immediately moved them to a vpn where the operators could not find them. As soon as they plugged in a service laptop it would connect that laptop to the NOC vpn but they would never see the management port. Of course IASON had already issued new passwords, so rs232 would not help them either :)

Cheers
Peter and Karin

Ted Seely wrote:
> All,
>
> Below is an email sent to the IETF OPS Area mailing list soliciting feedback from operators regarding firewalls. We would also appreciate feedback from the Operators Mailing Lists. Please respond to the OPS Area mailing list if you have a position on the item below.
> You can subscribe to the Operations and Management Area mailing list at the URL below if you are not already subscribed.
>
> https://www.ietf.org/mailman/listinfo/ops-area
>
> On behalf of the OPS Area Directors and myself, thank you.
>
> Ted
>
> - With OPS Area WG Hat On --
>
> During the final review phases of the review of http://www.ietf.org/internet-drafts/draft-ietf-midcom-mib-09.txt the issue described below surfaced. It is actually not completely new, it was discussed in the past in a form or another, and it is not necessarily specific to this document and MIB module only, but also to other MIB modules. We believe that input from network operators can help, and we solicit this input.
>
> The MIDCOM-MIB defines tables containing firewall rules, indexed by ifIndex. ifIndex values can change when interfaces are swapped or devices reboot, and this could lead to rules being applied to the wrong interface. How do you, network operators, prefer interfaces be identified?
>
> - Is ifIndex the preferred choice even though the indices can change on reboot?
> - Is ifName a better choice for identifying interfaces in rules, since it is set by the device and remains fairly stable across reboots and is guaranteed to be unique?
> - Is ifAlias a better choice, since it can be set by operators, although it is not guaranteed to be unique?
>
> We would appreciate inputs and thank you for your cooperation.
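The ifIndex problem the OPS Area question describes, as an added example that is not part of the thread or of the MIDCOM-MIB draft: a small Python model with constructed interface tables, in which firewall rules keyed by ifIndex land on the wrong port after a reboot renumbers the interfaces, while rules re-keyed by ifName stay on the port they were written for. The interface names, aliases, rule actions, the renumbering and every function name here are invented for illustration; the deliberately duplicated alias shows why ifAlias is refused as a key.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Interface:
    if_index: int
    if_name: str    # set by the device, stable across reboots
    if_alias: str   # set by the operator, not guaranteed unique


# Constructed sample: interface table before a reboot.
BEFORE = [
    Interface(1, "Gi0/0", "uplink"),
    Interface(2, "Gi0/1", "dmz"),
    Interface(3, "Gi0/2", "dmz"),     # duplicate alias on purpose
]
# Same device after a reboot; the ports enumerate in a different order.
AFTER = [
    Interface(1, "Gi0/1", "dmz"),
    Interface(2, "Gi0/2", "dmz"),
    Interface(3, "Gi0/0", "uplink"),
]
# Constructed rule rows keyed by ifIndex, the way a MIB table holds them.
RULES_BY_IFINDEX = {1: "deny-all-inbound", 2: "permit-http"}


def lookup(table, attr, value):
    """Interface whose `attr` equals `value`; None if absent or ambiguous."""
    hits = [i for i in table if getattr(i, attr) == value]
    return hits[0] if len(hits) == 1 else None


def placement(rules_by_ifindex, table):
    """ifName each ifIndex-keyed rule actually lands on under `table`."""
    out = {}
    for idx, action in rules_by_ifindex.items():
        iface = lookup(table, "if_index", idx)
        if iface is not None:
            out[iface.if_name] = action
    return out


def drifted_rules(rules_by_ifindex, before, after):
    """Rule indices whose target interface changed between two snapshots:
    the check an operator would run after a reboot before trusting the rules."""
    drift = []
    for idx in rules_by_ifindex:
        old = lookup(before, "if_index", idx)
        new = lookup(after, "if_index", idx)
        if old is None or new is None or old.if_name != new.if_name:
            drift.append(idx)
    return sorted(drift)


def rekey_by_ifname(rules_by_ifindex, snapshot):
    """Store rules by ifName, resolved against the snapshot taken when the
    rules were written, so later renumbering cannot move them."""
    return {lookup(snapshot, "if_index", idx).if_name: action
            for idx, action in rules_by_ifindex.items()}


def bind_to_current(rules_by_ifname, table):
    """Resolve ifName-keyed rules to the ifIndex values in use right now.
    A missing name is an error, never a guess."""
    bound = {}
    for name, action in rules_by_ifname.items():
        iface = lookup(table, "if_name", name)
        if iface is None:
            raise LookupError(f"interface {name} not present; refusing to guess")
        bound[iface.if_index] = action
    return bound


def alias_is_safe_key(table):
    """ifAlias is operator-set and may collide; only key on it if unique."""
    return max(Counter(i.if_alias for i in table).values()) == 1


if __name__ == "__main__":
    print("keyed by ifIndex, before reboot:", placement(RULES_BY_IFINDEX, BEFORE))
    print("keyed by ifIndex, after reboot: ", placement(RULES_BY_IFINDEX, AFTER))
    print("rules that drifted:", drifted_rules(RULES_BY_IFINDEX, BEFORE, AFTER))
    by_name = rekey_by_ifname(RULES_BY_IFINDEX, BEFORE)
    print("re-bound via ifName after reboot:",
          placement(bind_to_current(by_name, AFTER), AFTER))
    print("ifAlias usable as key:", alias_is_safe_key(AFTER))
```

The drift check is the useful operational piece: whichever key the MIB ends up using, comparing the interface table before and after a reboot tells you whether any rule silently changed target.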
Re: IPv6 network boundaries vs. IPv4
John Osmon wrote:
> Is anyone out there setting up routing boundaries differently for IPv4 and IPv6? I'm setting up a network where it seems to make sense to route IPv4, while bridging IPv6 -- but I can be talked out of it rather easily.
>
> Years ago, I worked on an academic network where we had a mix of IPX, DECnet, Appletalk, and IP(v4). Not all of the routers actually routed each protocol -- DECnet wasn't routable, and I recall some routers that routed IPX, while bridging IP... This all made sense at the time -- there were IPX networks that needed to be split, while IP didn't need to be. DECnet was... DECnet -- and Appletalk was chatty, but useful.
>
> I keep hearing the mantra in my head of: I want my routers to route, and my switches to switch. I agree wholeheartedly if there is only one protocol -- but with the mix of IPv4 and IPv6, are there any folks doing things differently? With a new protocol in the mix are the lessons of the last 10 (or so) years not as clear-cut?

Hi John,

I remember old DECNET, DDCMP, IPX and NetBios days. I used to have a couple of 19.2 kilobaud async lines, 2 arcnets and an ethernet (thinwire technology but on RG13U cables, almost yellow wire and UHF connectors - PL-259 like CB-radio). DDCMP could route, IPX could and NetBios was riding on either IPX or DDCMP so it did not matter. Later the DDCMP async was replaced with lots of switches and repeaters. We used to have a backbone (yellow cable) connecting two VAXes and a repeater that was feeding some 8 thinwires. Half of the thinwires were feeding DECNET terminal servers and PCs, the other half were IPX with a single Netware server and lots of PCs. In its best times the network was seeing some 1000 hosts. Everything was running 10 MBit ethernet. There were 9 segments and no routers. I have seen you could put some 30 NetBios PCs into a single segment or more than 200 DECNET hosts if they were connected via switches and thinwire transceivers.
Today without thinwire or yellow cable and with switches that can do 1 Gbit between switches and 100 Mbit to devices you should be able to keep some 1000 hosts within a single switched network. NAT routers seem to have a limit of some 250 hosts within a single 255.255.255.0 network. I don't know if those boxes really can do 250 or if their MAC address tables break even earlier. I have seen those boxes misbehave when a bad ethernet adapter randomly changed its MAC address.

There are quite some link local things in IPv6 so it makes a lot of sense to keep them within a single network - beside that nasty /64 habit that suggests forget radvd and automatic addresses but have an IPv4 address of the 192.168... variety and use 6to4 addressing for your local network.

I was running my own network, 4 IPv4 networks and 3 IPv6 networks without routers, only switches :) The 6to4 trick helped me survive but now I don't know if the IPv6 boxes were really seeing each other or simply using 6to4 routes :)

Kind regards
Peter and Karin
Re: SpamHaus Drop List
I hope this mail does not go out twice. Accidentally used the wrong mailer.

Sean Donelan wrote:
> On Thu, 23 Aug 2007, Paul Vixie wrote:
> > > Does anyone use spamhaus drop list ? http://www.spamhaus.org/drop/index.lasso
> >
> > i do.
> >
> > > I'm glad to listen to opinions or experience.
> >
> > no false positives yet. mostly seems to drop inbound tcp/53.
>
> Waving a dead chicken over your computer will have no false positives too. Is it a placebo or does it actually have an effect?
>
> Although very little good or bad will come from those networks, just like the various BOGON lists, the Spamhaus DROP list does require maintenance. If you don't have a process in place to maintain it even after you are gone, proceed with caution. If you do have a process in place, not only for routing but also for your new customer order process, it is a useful source of information.

I had to get rid of some people who notoriously brought my exim down. Here is my personal list:

Destination     Gateway   Genmask         Flags Metric Ref Use Iface
212.22.0.0      *         255.255.255.0   U     0      0   0   eth0
218.174.212.0   *         255.255.255.0   U     0      0   0   eth0
218.167.73.0    *         255.255.255.0   U     0      0   0   eth0
62.227.222.0    *         255.255.255.0   U     0      0   0   eth0
219.91.64.0     *         255.255.255.0   U     0      0   0   eth0
219.91.92.0     *         255.255.255.0   U     0      0   0   eth0
122.116.17.0    *         255.255.255.0   U     0      0   0   eth0

Don't copy it without knowing what you are doing. I did not mind losing something. I lost all spammers using my system as a relay.

I did not find any of my routes in the DROP list. No good for me.

I remember friends telling me they got rid of SpamHaus because it killed too many legal emails - but that was not the DROP list.

My router keeps telling me - the more routes, the slower it gets. I guess with 120 routes it gets slow enough for all spammers to time out :)

Remember the US is a republic.
The UK is an old-fashioned monarchy and their legal system might not be compatible with what you expect :)

Kind regards
Peter and Karin
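Both Peter's hand-maintained null-route list in this message and his earlier remark in the Yahoo thread about zerorouting spam networks run into the point Sean Donelan makes here: a block list is only as good as the process that keeps it current. The following Python is an added example, not code from the thread or from Spamhaus; it parses text in the DROP file layout (lines starting with ';' are comments, entries are '<CIDR> ; <SBL reference>'), refuses entries that are broader than a /8 or have host bits set, and reconciles the list against the null routes already installed, reporting which to add and which stale ones to withdraw. The prefixes, SBL references, installed routes and function names are all constructed for this example, using documentation address ranges.

```python
import ipaddress

# Constructed sample in the DROP file layout; addresses are documentation
# ranges and the SBL references are invented.
SAMPLE_DROP = """\
; Spamhaus DROP List (constructed sample for this example, not real data)
; Last-Modified: constructed
192.0.2.0/24 ; SBL000001
198.51.100.0/24 ; SBL000002
203.0.113.0/24 ; SBL000003
"""

# Constructed snapshot of null routes already on the box, as (destination,
# genmask) pairs in the style of the route table quoted in the thread.
INSTALLED_ROUTES = [
    ("192.0.2.0", "255.255.255.0"),
    ("203.0.113.0", "255.255.255.0"),
    ("192.0.2.128", "255.255.255.128"),   # no longer listed: stale
]

SHORTEST_PREFIX = 8   # refuse anything broader than a /8 (typo protection)


def parse_drop(text):
    """Parse DROP-format text into ({network: sbl_ref}, [(line, reason)]).

    Lines starting with ';' are comments. An entry is rejected, not
    silently corrected, if it is not a valid CIDR network, has host bits
    set, or is broader than SHORTEST_PREFIX.
    """
    entries, rejected = {}, []
    for raw in text.splitlines():
        cidr, _, ref = raw.partition(";")
        cidr, ref = cidr.strip(), ref.strip()
        if not cidr:
            continue                      # blank or comment line
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            rejected.append((raw, str(exc)))
            continue
        if net.prefixlen < SHORTEST_PREFIX:
            rejected.append((raw, f"prefix broader than /{SHORTEST_PREFIX}"))
            continue
        entries[net] = ref
    return entries, rejected


def installed_networks(routes):
    """Turn (destination, genmask) pairs into network objects."""
    return {ipaddress.ip_network(f"{dst}/{mask}", strict=True)
            for dst, mask in routes}


def reconcile(drop_entries, installed):
    """Return (to_add, to_withdraw) as sorted CIDR strings."""
    wanted = set(drop_entries)
    to_add = sorted(str(n) for n in wanted - installed)
    to_withdraw = sorted(str(n) for n in installed - wanted)
    return to_add, to_withdraw


def blackhole_commands(to_add, to_withdraw):
    """iproute2 commands that would bring the box in line with the list."""
    return ([f"ip route add blackhole {n}" for n in to_add]
            + [f"ip route del blackhole {n}" for n in to_withdraw])


if __name__ == "__main__":
    entries, bad = parse_drop(SAMPLE_DROP)
    add, withdraw = reconcile(entries, installed_networks(INSTALLED_ROUTES))
    for cmd in blackhole_commands(add, withdraw):
        print(cmd)
    for line, why in bad:
        print(f"rejected {line!r}: {why}")
```

Run periodically against a freshly fetched list, the withdraw side is what keeps yesterday's null routes from outliving their reason; the prefix-length guard is there because a one-character typo in a hand-edited list can blackhole far more than intended.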
Re: Client information?
Thank you for helping my English a bit. Found the right word - reservoir, but I guess swimming pool is better.

With IPv6 controlling sinks and toilets, why not? Don't tell the environmentalists.

Cheers
Peter and Karin

Jay Hennigan wrote:
> Carl Karsten wrote:
> > > I guess yes. They might implement a non swimmers basin for the windows people and a sharks only basin for the rest of us.
> >
> > what is a non swimmers basin ?
>
> A toilet? Or maybe a kiddie wading pool.
>
> --
> Jay Hennigan - CCIE #7880 - Network Engineering - [EMAIL PROTECTED]
> Impulse Internet Service - http://www.impulse.net/
> Your local telephone and internet company - 805 884-6323 - WB6RDV
Re: Client information?
Paul Atkins wrote:
> Hello, I am a network researcher. One question I want to ask the ISPs here is that if they have a choice of finding more information about the hosts that connect to them, is it something they will like to spend money on? For example if the ISP can find out what applications the host is running etc. would it be useful for the ISPs? Thanks

I am not exactly an ISP. Sometimes somebody is knocking at my door. If it sounds like they are knocking with a pick and a hoe, I forget about good manners and ask back with nmap. Depending on what IASON and nmap are reporting I might give botnet Gadi an email - but I don't take money for that service nor is that so interesting I would pay money to know more.

And I see netbios ports open most of the time, so I guess it must be windows mostly and the application is a bot. The friendlier guys keep telling me their OS and browser via the html interface. If they disguise a Linux Konqueror as a Windows IE that is no big problem.

Would it be useful for ISPs? I guess yes. They might implement a non swimmers basin for the windows people and a sharks only basin for the rest of us. But I as a customer would not want that. And paying money for that service - beware.

Kind regards
Peter and Karin
Re: Client information?
Carl Karsten wrote:
> > I guess yes. They might implement a non swimmers basin for the windows people and a sharks only basin for the rest of us.
>
> what is a non swimmers basin ?

Hi Carl,

in Germany our public swimming pools have pools for swimmers and pools for people who cannot swim. If swimmers accidentally fall into the non swimmers and get drowned by all those non swimmers permanently plunging onto them, it's their problem and not a fault of the people running the pool :)

The shark basin and the non swimmers basin are very much used in popular language here - but maybe my translation is horrible.

Cheers
Peter and Karin
40Gbit private peer
SUnet (AS1653) and STUPI (AS1880) want to announce that we have brought up what we believe is the first private peer at 40G between two independent networks. It speaks IPv4, IPv6 both unicast and multicast.

-Peter

RP/0/RP0/CPU0:HFR1-F#sh int pos 0/3/0/0
POS0/3/0/0 is up, line protocol is up
  Interface state transitions: 2
  Hardware is Packet over SONET/SDH
  Description: OC768 Private Peering to Sunet [EMAIL PROTECTED]
  Internet address is 193.11.20.146/30
  MTU 4474 bytes, BW 39813120 Kbit
     reliability 255/255, txload 0/255, rxload 0/255
  Encapsulation HDLC, crc 32, controller loopback not set, keepalive set (10 sec)
  Last clearing of "show interface" counters 1d00h
  30 second input rate 77849000 bits/sec, 7236 packets/sec
  30 second output rate 17464000 bits/sec, 5023 packets/sec
     115627177 packets input, 155140727534 bytes, 0 total input drops
     0 drops for unrecognized upper-level protocol
     Received 0 runts, 0 giants, 0 throttles, 0 parity
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     78946374 packets output, 34499886901 bytes, 0 total output drops
     0 output errors, 0 underruns, 0 applique, 0 resets
     0 output buffer failures, 0 output buffers swapped out

RP/0/RP0/CPU0:HFR1-F#sh controllers soNET 0/3/0/0

Port SONET0/3/0/0:

Status: Up
Loopback: None

SECTION
  LOF = 0          LOS    = 0          BIP(B1) = 0
LINE
  AIS = 0          RDI    = 0          FEBE = 0          BIP(B2) = 0
PATH
  AIS = 0          RDI    = 0          FEBE = 0          BIP(B3) = 0
  LOP = 0          NEWPTR = 0          PSE  = 0          NSE  = 0
  PLM = 0          TIM    = 0

Detected Alarms: None
Asserted Alarms: None
Mask for Detected->Asserted: None
Detected Alerts: None
Reported Alerts: None
Mask for Detected->Reported: None
Alarm reporting enabled for: SLOS SLOF SF_BER PLOP
Alert reporting enabled for: B1-TCA B2-TCA B3-TCA

Framing: SONET
SPE Scrambling: Enabled
C2 State: Stable   C2_rx = 0x16 (22)   C2_tx = 0x16 (22) / Scrambling Derived
S1S0(tx): 0x0   S1S0(rx): 0x0 / Framing Derived

PATH TRACE BUFFER : STABLE
  Remote hostname : c1sth-re1 so-7/0/0
  Remote interface:
  Remote IP addr  :

APS
  No APS Group Configured
  Protect Channel 0 DISABLED
  Rx(K1/K2) : 0x00/0x00
  Tx(K1/K2) : 0x00/0x00
  Remote Rx(K1/K2): 1/Remote Tx(K1/K2): 1/

BER thresholds:  SF = 10e-3  SD = 10e-6
TCA thresholds:  B1 = 10e-6  B2 = 10e-6  B3 = 10e-6

Optics type: VSR2000-3R2 (2km)
Clock source: internal (actual) internal (configured)

Optical Power Monitoring (accuracy: +/- 1dB)
  Rx power = 1.3796 mW, 1.4 dBm
  Tx power = 1.7380 mW, 2.4 dBm
  Tx laser current bias = 58.3 mA
Re: An Internet IPv6 Transition Plan
Scott Francis wrote:
> On 7/29/07, Peter Dambier [EMAIL PROTECTED] wrote:
> > Ways have been found to drill holes into NAT-routers and firewalls, but they are working only as long as it is only you who wants to break out of the NAT. As soon as the mainstream has only left rfc 1918 addresses p2p will stop.
>
> really? http://samy.pl/chownat/
>
> NAT stops nothing. The concept in the above script (which has been around for several years) would be trivial for any P2P software to implement if it detects it is behind a NAT; in fact, this method may well be in use already.

I have read that is what skype is doing and probably some trojans. Still you have to talk to your NAT-router and the other party has to talk to their NAT-router to make those two NAT-routers talk to each other. When those two routers cannot see each other because they too are living behind NAT then you have got a problem. I guess you can solve it but the number of ports is limited and things get a lot trickier.

When you try to get out of the big NAT (china) then the number of available ports versus the number of users who want to get out - is the limit.

Kind regards
Peter and Karin
Re: An Internet IPv6 Transition Plan
Stephen Wilcox wrote:
> ...
> Firstly, all p2p nets use some process to register with the network. It is simple to imagine a way to ensure these superpeers are publicly addressed and let them coordinate the NATted hosts.

e.g. dyndns (no-ip.com) or OpenDHD and other not so well known. Bots very often use IRC channels, also not strictly p2p, sometimes. You may not like them (I don't) but they still are p2p applications, if not the most popular.

> Secondly, there is no big NAT in china.

China is meant as a bad example. They will be the first to grow out of IPv4 space and their IPv9 is kind of a big NAT.

> And even if there was, very large private networks should flourish for p2p sharing amongst each other.

Indeed if the island is becoming big enough. But there is no communication to the outside.

> I think you're trying to demonstrate NAT to be a security mechanism and it's long been known that that is not the case.

No, I think NAT is a pain in the backside and should never have been. Indeed a lot of fools get tricked into believing NAT is kind of a firewall. It is like closing your eyes so the attacker cannot see you.

Talking about spam and malware going away with NAT behind NAT ... I meant communication via email would go away in the first place. I should have marked that as sarcasm.

Kind regards
Peter and Karin
Re: An Internet IPv6 Transition Plan
Petri Helenius wrote:
> Stephen Wilcox wrote:
> > Now, if you suddenly charge $2.50/mo to have a public IP or $15/mo for a /28 it does become a consideration to the customer as to if they _REALLY_ need it
>
> Where would this money go to?

To IP squatters. Get your allocation now and turn it into gold tomorrow.

p2p people will be happy if they can get rid of their tunnels. With rfc 1918 addresses for all there will be no more filesharing, voip, spam and trojans.

Cheers
Peter and Karin
Re: An Internet IPv6 Transition Plan
Stephen Wilcox wrote:
> On Sun, Jul 29, 2007 at 10:50:10AM +0200, Peter Dambier wrote:
> > p2p people will be happy if they can get rid of their tunnels. With rfc 1918 addresses for all there will be no more filesharing, voip, spam and trojans.
>
> really? because p2p doesn't work behind NAT, and computers behind NAT don't get infected? this is the Internet today and NAT has no effect on the above.

I am pessimistic. The malware will find its way. It is port 25 smtp that goes away and takes part of the spam away too.

Ways have been found to drill holes into NAT-routers and firewalls, but they are working only as long as it is only you who wants to break out of the NAT. As soon as the mainstream has only left rfc 1918 addresses p2p will stop.

I see lots of p2p-ers already communicating via IPv6 tunnels. They are prepared.

Kind regards
Peter and Karin
RE: more on SF outage
Once the final analysis of this event is provided, it is likely going to be due to a failure of one of the redundant systems to handle the event as designed due to a software or other low level failure. It's a very complex system designed to exceed anything in the region as far as redundancy goes, but as a result it's got a lot of moving parts, and like the space shuttle, can fail unexpectedly. You can bet engineering is scratching their head and calling in the vendors to figure out what went wrong. Last time this occurred it took weeks to pinpoint the root cause.
Re: DNS Hijacking by Cox
Mattias Ahnberg wrote:
> Peter Dambier wrote:
> > The problem is, you don't know what is behind that probably NATted ip address. Probably you have 3 unix machines running smtp and uucp and a single infected windows box and maybe some VoIPs and ...
>
> This is why I spoke of merely intercepting web traffic to inform, to not interrupt other services that may use the same link. I am in the same situation myself, sharing lots of stuff via the same fiber to my house. I even have TV through it. So I actually thought of that.

You are right. Intercepting is mostly harmless.

> And an ISP probably knows a bit more about their customer base than what we do, so this idea would of course have to adapt to that. But as said, it's a complicated matter and probably not a good idea either way before we know who is supposed to do what and for whom.

Having been a customer of some ISPs and communicating with others, I don't agree. At least concerning email they don't have a clue about their customers and there are other things like uucp, VoIP and p2p or IPv6 tunnels they don't have either.

Kind regards
Peter and Karin
Re: DNS Hijacking by Cox
The problem is, you don't know what is behind that probably NATted IP address. Probably you have 3 unix machines running smtp and uucp and a single infected windows box and maybe some VoIPs and ... You kill everything but that single cursed infected windows. The guy who is running the windows box is Dad and he won't come home before the weekend. Oh, you killed the VoIP. Sorry I cannot phone Dad and tell him his PC is infected. You might as well hit a small business with some 50 workstations. Again you hit their VoIP and maybe their VPN so their outsourced system manager cannot dial in and try to repair things. Maybe it would teach them not to get infected but I would not want to be their ISP. Of course we are only talking about IRC but which botherder is depending on IRC only?

Kind regards Peter and Karin

Mattias Ahnberg wrote: James Hess wrote: I suspect it would be most useful if detected drones by most major IRC network would be visible to cooperating ISPs for further analysis, not just Undernet. I'd dare to say that most of us major networks hardly see a small percentage of the big botnets around, the miscreants have since a long time back learned to use own CCs where the connected IPs of a connected client is hidden from all but themselves. But it certainly would not hurt if there was a good way to report drones to ISPs and actually get some attention to the problem. A bunch of small streams quickly build up to a larger river in the end, I guess. Perhaps a larger issue for the ISPs is what to actually DO with their infected customers. To what extent is the ISP responsible for what their users do and how their computers are set up? I do not have a clear answer to that. Since almost every user is using the web a nice system could be to redirect reported PCs through a proxy the ISP controls where the user can get information about what to do about problems and at the same time still reach the Internet after choosing to click away the information; or something along those lines.
Re: trans-Atlantic latency?
Neal R wrote: I have a customer with IP transport from Sprint and McLeod and fiber connectivity to Sprint in the Chicago area. The person making the decisions is not a routing guy but is very sharp overall. He is currently examining the latency on trans-Atlantic links and has fixed on the idea that he needs 40ms or less to London through whatever carrier he picks. He has spoken to someone at Cogent about a point to point link. What is a reasonable latency to see on a link of that distance? I get the impression he is shopping for something that involves dilithium crystal powered negative latency inducers, wormhole technology, or an ethernet to tachyon bridge, but it's been a long time (9/14/2001, to be exact) since I've had a trans-Atlantic circuit under my care and things were different back then. Anyone care to enlighten me on what these guys can reasonably expect on such a link? My best guess is he'd like service from Colt based on the type of customer he is trying to reach, but it's a big muddle and I don't get to talk to all of the players ...

I remember VoIPing over the pond, from Frankfurt, Germany to New York. We had to twist asterisk to even accept the SIP. Time was between 80 and 90 msec. The experienced time was higher. Roger, Over and Out with their interstellar ham radio experience could do it, but to a normal citizen it was unusable.

(dsl 1000 customer, close to Frankfurt)
 1 krzach.peter-dambier.de (192.168.48.2) 2.918 ms 3.599 ms 3.926 ms
 2 * * *
 3 217.0.78.58 85.268 ms 85.301 ms 102.059 ms
 4 f-ea1.F.DE.net.DTAG.DE (62.154.18.22) 102.092 ms 110.057 ms 126.310 ms
 5 p2-0.core01.fra01.atlas.cogentco.com (212.20.159.38) 126.344 ms * *
 6 * * *
 7 p3-0.core01.ams03.atlas.cogentco.com (130.117.0.145) 132.262 ms 139.333 ms 147.174 ms
 8 p12-0.core01.lon01.atlas.cogentco.com (130.117.0.198) 76.436 ms 76.444 ms 84.374 ms
 9 t1-4.mpd02.lon01.atlas.cogentco.com (130.117.1.74) 99.840 ms 99.873 ms 107.508 ms
10 t3-2.mpd01.bos01.atlas.cogentco.com (130.117.0.185) 209.678 ms 217.428 ms 225.601 ms
11 t2-4.mpd01.ord01.atlas.cogentco.com (154.54.6.22) 233.514 ms * *
12 vl3491.mpd01.ord03.atlas.cogentco.com (154.54.6.210) 243.741 ms * *
13 * * *
14 ge-1-3-0x24.aa1.mich.net (198.108.23.241) 165.776 ms 174.752 ms 193.770 ms
15 www.merit.edu (198.108.1.92)(H!) 193.812 ms (H!) 201.863 ms (H!) 209.704 ms

(colo in Amsterdam)
 1 205.189.71.253 (205.189.71.253) 0.227 ms 0.257 ms 0.227 ms
 2 ge-5-2-234.ipcolo1.Amsterdam1.Level3.net (212.72.46.165) 0.985 ms 0.811 ms 0.856 ms
 3 ae-32-54.ebr2.Amsterdam1.Level3.net (4.68.120.126) 4.235 ms 6.575 ms 1.360 ms
 4 ae-2.ebr2.London1.Level3.net (4.69.132.133) 19.097 ms 12.816 ms 18.220 ms
 5 ae-4.ebr1.NewYork1.Level3.net (4.69.132.109) 78.197 ms 78.769 ms 87.062 ms
 6 ae-71-71.csw2.NewYork1.Level3.net (4.69.134.70) 78.068 ms 79.058 ms 89.192 ms
 7 ae-22-79.car2.NewYork1.Level3.net (4.68.16.68) 142.665 ms 135.007 ms 214.243 ms
 8 te-7-4-71.nycmny2wch010.wcg.Level3.net (4.68.110.22) 75.824 ms 75.695 ms 76.566 ms
 9 64.200.249.153 (64.200.249.153) 282.356 ms 138.384 ms 243.104 ms
10 * * *
11 * * *
12 * * *
13 * * *
14 www.merit.edu (198.108.1.92) 112.906 ms !C 110.515 ms !C 113.418 ms !C

Try Switch (Switzerland), they are testing warp tunnels - but not producing yet :)

Cheers Peter and Karin
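The physics behind the "40 ms to London" question: light in glass travels at roughly c/1.47, and a packet has to cross the ocean twice per RTT, so a great-circle calculation gives a hard lower bound before any router, queue or cable detour is added. This is an added example, not part of the original thread; the coordinates are approximate city centres and the refractive index of 1.47 is a typical value for single-mode fibre, both assumptions.

```python
import math

C_VACUUM_KM_PER_MS = 299.792458   # speed of light in vacuum, km per millisecond
FIBER_REFRACTIVE_INDEX = 1.47     # assumed typical single-mode fibre core index

# Constructed sample coordinates (degrees, approximate city centres).
CITIES = {
    "Chicago":   (41.878, -87.630),
    "London":    (51.507,  -0.128),
    "Frankfurt": (50.110,   8.682),
    "New York":  (40.713, -74.006),
}


def great_circle_km(lat1, lon1, lat2, lon2, radius_km=6371.0):
    """Haversine great-circle distance between two points given in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * radius_km * math.asin(math.sqrt(a))


def min_fiber_rtt_ms(distance_km, route_factor=1.0):
    """Lower bound on round-trip time over fibre.

    The signal travels the distance twice (there and back) at c/n.
    route_factor > 1 models real cable paths that are longer than the
    great circle (landing stations, detours around landmasses)."""
    speed_km_per_ms = C_VACUUM_KM_PER_MS / FIBER_REFRACTIVE_INDEX
    return 2.0 * distance_km * route_factor / speed_km_per_ms


def city_pair_bound(a, b, route_factor=1.0):
    """Return (distance_km, min_rtt_ms) for two names from CITIES."""
    d = great_circle_km(*CITIES[a], *CITIES[b])
    return d, min_fiber_rtt_ms(d, route_factor)


def target_feasible(target_rtt_ms, a, b):
    """True only if the requested RTT is not below the physical floor.
    A target that fails this cannot be met by any carrier or circuit."""
    _, floor = city_pair_bound(a, b)
    return target_rtt_ms >= floor


if __name__ == "__main__":
    for a, b in (("Chicago", "London"), ("Frankfurt", "New York")):
        d, rtt = city_pair_bound(a, b)
        print(f"{a} -> {b}: {d:.0f} km, fibre floor {rtt:.1f} ms RTT "
              f"(with 20% cable detour: {min_fiber_rtt_ms(d, 1.2):.1f} ms)")
    print("40 ms Chicago-London feasible:", target_feasible(40, "Chicago", "London"))
```

The measured 80 to 90 ms Frankfurt to New York in the post sits comfortably above the roughly 60 ms floor the script computes, which is what a realistic route looks like.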
Re: BGP announce/withdrawal history.
You could try using BGPlay (www.ris.ripe.net/bgplay/ or bgplay.routeviews.org/bgplay/); it can only look at one prefix at a time but I think it will give you the info you need. Peter --On 24 May 2007 01:42 -0600 Forrest W. Christian [EMAIL PROTECTED] wrote: Any pointers would be helpful.
Re: Broadband routers and botnets - being proactive
Ross Hosman wrote: Gadi, I appreciate your well thought out email but I sit here and wonder what exactly you are trying to accomplish with it? Are you just trying to shame the two ISPs listed publicly or are you trying to spark a discussion about something that many people here can't fix? Many businesses today are focused on driving revenue and fixing old CPE equipment doesn't generate revenue, it only ties up money and resources that can be used elsewhere to drive revenue. If I were you I would try to spin this problem in a way where you can show large ISPs that by fixing CPEs it will free up network resources and staff which can be used elsewhere. The people that can fix these problems are usually unaware of them so try to educate those people. Write CEOs/CTOs/CSOs educating them and push the security teams for these companies to escalate these issues to their upper management (on that note I would say this type of discussion would be better suited for a security mailing list for the reason I stated before, many people here can't fix these problems). Simply stating that there is a problem and shunning ISPs with this problem isn't a fix for the problem, it just makes them ignore you and the problem. -Ross

Hi Ross, Gadi is talking about DTAG.de, our biggest ISP in Germany and a quasi-monopoly. Gadi has reached the ears of the Pirates Party, a political party that fights monopolies. The hardware is very likely a branded version from AVM. They have no updates for the branded version, but you can unbrand it. Then you have hardware that accepts open source firmware.

Kind regards Peter and Karin
Re: Cacti 0.8.6j Released (fwd)
Matthew Palmer wrote: On Tue, May 08, 2007 at 08:10:56PM -0700, matthew zeier wrote: and more to the point how the whole shebang (I'm using net-snmpd) is typically used. Agent on device provides values, management app(s) collect data by polling (and possibly via traps), sysadmin gets to go home on time for once. I have yet to see this work in practice however. Yeah, I misread 'typically' as 'theoretically'. Practical experience is more like: Agent on device lies about its values, management apps collect lies (and ignore/lose traps), and the sysadmin has yet more software to swear at. grin - Matt

Just for curiosity's sake: IASON is reading logs most of the time. proc2pl is reading the /proc filesystem. I did not find the time and equipment for testing so I used snmpwalk to write a file and read it just like any normal file or /proc. Processing the output of snmpwalk just got me the normal log file I was interested in. I tried writing back into snmp variables but I never got a HP Procurve switch to do what I wanted. When they used different MIBs for different families of their switches, I gave up. Now I see linux boxes most of the time. They all use different MIBs for different things. Reading /proc is much easier and there are fewer differences between the machines. The SOHO stuff I find mostly uses web interfaces, sometimes a real linux with a real log, but almost never snmp. Looks sad, but I am still interested as it could make things a lot easier.

Cheers Peter and Karin
Re: barak-online.net icmp performance vs. traceroute/tcptraceroute, ssh, ipsec
Joe Maimon wrote: Jo Rhett wrote: On May 6, 2007, at 6:07 PM, Joe Maimon wrote: Of course, and that's why I have cut down ip mtu and tcp adjust mss and all the rest. Not making much of a difference. Um.. sorry if you mean more than you said, but where did you cut down the TCP MTU? If you did it on your routers, then you are creating or at least complementing the problem. On the CPE dialer interface. On the ezvpn dvti virtual-template. The only way to make smaller MTUs work is to alter the MTU on both the origin and destination systems. Altering the MTU anywhere along the path only breaks things. Lower than 1500 mtu always requires some kind of hack in real life. That would be the adjust-mss which is the hack-of-choice.

I remember from my early DSL days, it was recommended to configure mtu=1480 on all interfaces connected to the internet or to the NAT-router. I remember at least the Grandstream ATA and DSL-NAT-router was braindead (lobotomized ICMP) enough simply to break connections when packets exceeded the 1480 bytes. Practically all German internet users are on dsl lines. Some smaller hosts with ftp or http servers are on dsl or tunnels, maybe with even smaller mtu. So mtu 1500 is practically the norm.

Kind regards Peter and Karin Dambier
Re: Warning about UltraDNS terms
Try DNSmadeEasy.com, cheesy name, great service and reliability. Much cheaper, anycasted. Not great for international, but perfect for US. It's DNS, not a $125,000/year line item. Beckman On Wed, 2 May 2007, Sean Donelan wrote: Although UltraDNS/Neustar gives month-to-month pricing, they actually have a 1 year term even if you cancel. So you may want to be aware of it in case you are just testing their service for a few months. --- Peter Beckman Internet Guy [EMAIL PROTECTED] http://www.purplecow.com/ ---
infrastructure security
Hi, My coauthors and I are looking for more input on a draft that we wrote on infrastructure security. The draft is intended to document methods that providers can refer to and implement to harden their network. The draft is broken up into several different areas: Edge Infrastructure ACLs, Edge rewriting/remarking, Device/element protection, and Infrastructure hiding. We are very interested in getting more feedback from network operators. The draft can be found at: http://www.ietf.org/internet-drafts/draft-ietf-opsec-infrastructure-security-01.txt Thanks Peter Schoenmaker
Re: infrastructure security
There is a carriage return in the URL, try http://www.ietf.org/internet-drafts/draft-ietf-opsec-infrastructure-security-01.txt peter On Apr 26, 2007, at 5:42 PM, Hess, DJ wrote: The draft was not there? DJ Hess, CISSP, Information Security Administrator City of Raleigh Information Technology (CORIT) Office Phone: (919) 890-3192 Cell: (919) 278-6132 [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Schoenmaker Sent: Thursday, April 26, 2007 2:58 PM To: nanog@merit.edu Subject: infrastructure security Hi, My coauthors and I are looking for more input on a draft that we wrote on infrastructure security. The draft is intended to document methods that providers can refer to and implement to harden their network. The draft is broken up into several different areas: Edge Infrastructure ACLs, Edge rewriting/remarking, Device/element protection, and Infrastructure hiding. We are very interested in getting more feedback from network operators. The draft can be found at: http://www.ietf.org/internet-drafts/draft-ietf-opsec-infrastructure-security-01.txt Thanks Peter Schoenmaker “E-mail correspondence to and from this address may be subject to the North Carolina Public Records Law and may be disclosed to third parties by an authorized City or Law Enforcement official.”
1500 does not work: Thoughts on increasing MTUs on the internet
Fred Baker wrote: ... 1500 byte MTUs in fact work. I'm all for 9K MTUs, and would recommend them. I don't see the point of 65K MTUs. ...

Well, with almost everybody using PPPoE in Germany and at least half of Europe our mtu is somewhere around 1480. Many routers are braindead (ICMP lobotomized). When you hit somebody on an ip2ip link or IPv6 tunnel your mtu goes down to even smaller packets and things like ftp or ssh simply break. I have seen many gamers on mtu = 1024 and smaller.

Kind regards Peter and Karin Dambier
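The failure mode described in this post and in the barak-online thread above (a PPPoE hop with a 1480-byte MTU behind a router that filters ICMP) is a path-MTU-discovery black hole: small packets pass, full-size segments vanish without any error, and bulk transfers like ftp or scp hang. The simulation below, an added example that is not from the thread, models a constructed path of hops with per-hop MTU and an ICMP flag, then shows why `adjust-mss` style clamping on the CPE works where PMTUD cannot. All hop names and MTU values are made up for the demonstration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPV4_TCP_HEADERS = 40   # 20 bytes IPv4 + 20 bytes TCP, no options
DEFAULT_MSS = 1460      # what a host on a 1500-byte Ethernet segment advertises


@dataclass
class Hop:
    name: str
    mtu: int
    icmp_ok: bool = True   # False: device neither emits nor forwards ICMP
                           # "Fragmentation Needed" (the "lobotomized" router)


@dataclass
class Result:
    outcome: str           # "delivered" or "blackholed"
    segment_size: int      # IP packet size of the last attempt
    retries: int = 0       # PMTUD retransmissions that were needed


# Constructed sample paths: customer LAN -> DSL CPE doing PPPoE -> ISP -> server.
PPPOE_PATH_BLACKHOLE = [
    Hop("customer-lan", 1500),
    Hop("dsl-cpe-pppoe", 1480, icmp_ok=False),
    Hop("isp-core", 1500),
    Hop("server-lan", 1500),
]
PPPOE_PATH_ICMP_OK = [Hop(h.name, h.mtu, True) for h in PPPOE_PATH_BLACKHOLE]


def forward(packet_size: int, path: List[Hop]) -> Tuple[str, Optional[int]]:
    """Walk one DF-set packet along the path.

    Returns ("ok", None) if every hop can carry it. At the first hop whose
    MTU is too small the packet must be dropped (DF set); the sender only
    learns about it if that hop generates ICMP Fragmentation Needed AND
    every earlier hop passes that ICMP back. Otherwise: silent black hole."""
    for i, hop in enumerate(path):
        if packet_size > hop.mtu:
            reaches_sender = hop.icmp_ok and all(h.icmp_ok for h in path[:i])
            return ("frag_needed" if reaches_sender else "blackhole", hop.mtu)
    return ("ok", None)


def send(payload_bytes: int, path: List[Hop], peer_mss: int = DEFAULT_MSS,
         mss_clamp: Optional[int] = None, max_retries: int = 3) -> Result:
    """Model a sender doing classic PMTUD with an optional MSS clamp.

    mss_clamp models a router rewriting the MSS option in the SYN (IOS
    'ip tcp adjust-mss', Linux TCPMSS target): the sender then never
    builds a segment bigger than the clamp, so no ICMP feedback is needed."""
    mss = peer_mss if mss_clamp is None else min(peer_mss, mss_clamp)
    retries = 0
    while True:
        size = min(payload_bytes, mss) + IPV4_TCP_HEADERS
        status, hop_mtu = forward(size, path)
        if status == "ok":
            return Result("delivered", size, retries)
        if status == "blackhole" or retries >= max_retries:
            return Result("blackholed", size, retries)
        mss = hop_mtu - IPV4_TCP_HEADERS   # PMTUD: shrink to the reported MTU
        retries += 1


def clamp_for_mtu(link_mtu: int) -> int:
    """MSS value to configure for a given link MTU (IPv4, no TCP options)."""
    return link_mtu - IPV4_TCP_HEADERS


if __name__ == "__main__":
    # Interactive ssh (small segments) works; a bulk transfer does not.
    print("ssh keystroke :", send(100, PPPOE_PATH_BLACKHOLE))
    print("bulk transfer :", send(64_000, PPPOE_PATH_BLACKHOLE))
    # Same path with ICMP allowed: PMTUD recovers after one retransmission.
    print("icmp allowed  :", send(64_000, PPPOE_PATH_ICMP_OK))
    # Black-hole path but the CPE clamps MSS to fit its 1480-byte link.
    print("mss clamp 1440:", send(64_000, PPPOE_PATH_BLACKHOLE,
                                  mss_clamp=clamp_for_mtu(1480)))
```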
Re: Abuse procedures... Reality Checks
J. Oquendo wrote: ... So to answer your question about fairness... It's not fair by any means, but it is effective. I see it as follows...

Well, that's the reason why I have a gmail account and all my customers have. I can send even from my dynamic ip-address and still they let me in. They can send to my dynamic ip-address. Important mails are sent host to host. For the record, they are sent via gmail. There is no need for any other mail provider. They are blocking mails most of the time, only allowing spam to get through.

Cheers Peter and Karin
Re: Blocking mail from bad places
joej wrote: Greetings. While it's a pretty brute force approach, one method I'm trying is to curtail the source of email. In other words, if smtp traffic comes from an unknown source it gets directed to a sendmail server that intentionally rejects the email message (550 with an informational message/url). If the email message comes from a "known" source (friend/family's ISP) it gets routed to my main sendmail server which allows most email after checking for the obvious (non resolvable domains, blacklisted domains etc) using an access list. I've cut down on Spam (including this account which I use solely for NANOG) to about 0. Granted the amount of valid email that can get rejected is high, but since I log the bounces on the drop server I can look for obvious rejects from good/expected email servers. Not by any means a solution to/for a large or even medium size provider, but for a small home based setup it works well. Details at http://www.sumless.net/nsh.html Cheers, -Joe Blanchard

Hi Joe, 1) You send bounces from spammers to innocent people, whose addresses have been forged. 2) Even if you modified the return address, so the bounce returns to the zombie, it does not make sense. Bots don't listen. Looks like you are adding to the noise and chances are good you are finding yourself in a blacklist. 3) You are dropping valid emails. It might make more sense telling your friends not to send emails to port 25 but to port 26 if they want to get in. The spammers don't know how to switch to port 26. They will knock on the door once and go away. Another means would be switching to uucp. I have not seen any spam on our little uucp network yet.

Cheers Peter and Karin
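The distinction the two posts above turn on is where the refusal happens: a 550 given during the SMTP dialogue is the connecting client's problem and no mail is originated, whereas accepting a message and then generating a bounce sends a new message to whatever envelope sender the spammer forged (backscatter). The model below is an added example, not Joe's setup or Peter's; it uses a constructed "known source" prefix from TEST-NET-1 and a placeholder policy URL, and compares the two policies on the same forged-sender message.

```python
from dataclasses import dataclass, field
from typing import List

# Constructed: address prefixes of the ISPs friends and family send from.
# 192.0.2.0/24 is TEST-NET-1, used here purely as documentation space.
KNOWN_SENDER_PREFIXES = ("192.0.2.",)

# Placeholder URL for the human-readable explanation in the 550 text.
POLICY_URL = "https://policy.example.invalid/"

NULL_SENDER = "<>"   # envelope sender of DSNs; must never itself be bounced


@dataclass
class Message:
    client_ip: str       # address the SMTP client connected from
    envelope_from: str   # MAIL FROM (trivially forgeable)
    rcpt_to: str         # RCPT TO
    body: str


@dataclass
class Outcome:
    smtp_reply: str                 # reply code we gave the connecting client
    stored: bool                    # reached a local mailbox?
    originated: List[Message] = field(default_factory=list)  # mail WE sent


def is_known_source(ip: str) -> bool:
    return ip.startswith(KNOWN_SENDER_PREFIXES)


def handle(msg: Message, mode: str) -> Outcome:
    """Process one inbound message under one of two policies.

    mode="reject": unknown sources get a permanent 550 at RCPT TO, inside
        the SMTP session. The client learns it was refused; we send nothing.
    mode="bounce": everything is accepted with 250, then the unwanted
        ones are "returned" with a DSN addressed to envelope_from.  Since
        the spammer forged that address, the DSN lands on a third party."""
    if is_known_source(msg.client_ip):
        return Outcome("250 2.0.0 Ok: queued", stored=True)
    if mode == "reject":
        return Outcome(f"550 5.7.1 Mail from unknown sources is not accepted; "
                       f"see {POLICY_URL}", stored=False)
    if mode == "bounce":
        if msg.envelope_from == NULL_SENDER:
            # RFC 5321 5.2: never generate a DSN for a null-sender message,
            # otherwise two bouncing hosts loop forever.
            return Outcome("250 2.0.0 Ok: queued", stored=False)
        dsn = Message(client_ip="local", envelope_from=NULL_SENDER,
                      rcpt_to=msg.envelope_from,
                      body="Your message could not be delivered (policy).")
        return Outcome("250 2.0.0 Ok: queued", stored=False, originated=[dsn])
    raise ValueError(f"unknown mode {mode!r}")


def backscatter_count(messages: List[Message], mode: str) -> int:
    """How many messages to third parties a policy originates for a batch."""
    return sum(len(handle(m, mode).originated) for m in messages)


# Constructed sample traffic: one friend, two spam runs with forged senders,
# and one inbound DSN (null sender) from somewhere.
SAMPLE = [
    Message("192.0.2.10", "alice@friend.example", "me@home.example", "hi"),
    Message("203.0.113.5", "victim1@innocent.example", "me@home.example", "buy"),
    Message("203.0.113.6", "victim2@innocent.example", "me@home.example", "buy"),
    Message("198.51.100.9", NULL_SENDER, "me@home.example", "undeliverable"),
]

if __name__ == "__main__":
    for mode in ("reject", "bounce"):
        print(f"{mode:6}: backscatter to forged senders ="
              f" {backscatter_count(SAMPLE, mode)}")
```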
Re: America takes over DNS
The Racines Libres have failed? There are so many out there that we cannot count them any longer. I think the only failure is the single point of failure root. They have failed to be trustworthy. It is so easy: get a copy of a trustworthy root-zone and run your own root. From time to time compare your root to the others and fix any diffs. Better take the authoritative servers and fix your root-zone. I have never seen a personal root-server attacked. The single point of failure root gets attacked once per hour, because every hour it is 8 o'clock in the morning in some place and all those windows boxes get switched on.

Cheers Peter and Karin Dambier

[EMAIL PROTECTED] wrote: The US Department of Homeland Security (DHS) ... wants to have the key to sign the DNS root zone solidly in the hands of the US government. This ultimate master key would then allow authorities to track DNS Security Extensions (DNSSec) all the way back to the servers that represent the name system's root zone on the Internet. The key-signing key signs the zone key, which is held by VeriSign. Very interesting because it is the second story on the list this weekend which highlights that DNS domain registries (and ultimately the root zone) are a single point of failure on the Internet. Wouldn't the holder of these keys be the only ones able to spoof DNSSEC? And if the criminal community ever cracks DHS (through espionage or bribery) to acquire these keys, what would be the result. I just don't see how adding another single point of failure to the DNS system, in the form of a master key, helps to strengthen the DNS overall. It is probably time to start looking at alternative naming systems. For instance, we have a much better understanding of P2P technology these days and a P2P mesh could serve as the top level finder in a naming system rather than having a fixed set of roots. We have a better understanding of webs of trust that we could apply to such a mesh. Given that the existing DNS is built around two distinct classes of IP address, i.e. stable ones that always lead to a root nameserver, and unstable ones which lead to other Internet hosts, could we not design a more flexible naming system around that concept? Could we not have more than 13 stable IP addresses in the net? Could we not leverage something like route servers in order to find the root of a local naming hierarchy? Now that well-educated and technically sophisticated criminal groups are attacking the DNS on multiple fronts, we need to be looking at alternatives to DNS for naming hosts. We need to get such alternative systems out into the wild where they can be tested. To date, we have seen some small amount of innovative thinking around DNS that has been tested. For instance, alternative roots which have failed in the wild and anycasting which has been a great success. But these things do not address the core technical problems of the whole DNS system. --Michael Dillon
Re: On-going Internet Emergency and Domain Names
Port 25 is bad. It has been blocked. Port 53 is bad. Some ISPs are already going to block it. How about port 80? I think port 80 should have been the first and only port to block. Let the other ports stay alive. And maybe a test for port 42 would be nice. If port 42 is answered by an IEN 116 nameserver then everything is fine. If it is windows nameservice - then shoot the guy. Chance is 75% that it is a bot already. If you don't shoot him chance is 75% that he will get infected anyhow. Can somebody tell me how to delay this post until midnight your time? I have unlocked the departure lever already and the kettle is boiling. I am sure we built steam enough :)

Cheers Peter and Karin

Gadi Evron wrote: On Sat, 31 Mar 2007, Mikael Abrahamsson wrote: On Sat, 31 Mar 2007, Gadi Evron wrote: In this case, we speak of a problem with DNS, not sendmail, and not bind. The argument can be made that you're trying to solve a windows-problem by implementing blocking in DNS. Next step would be to ask all access providers to block outgoing UDP/53 so people can't use open resolvers or machines set up to act as resolvers for certain DNS information that the botnets need, as per the same analysis that blocking TCP/25 stops spam. So what you're trying to do is a pure stop-gap measure that won't scale in the long run. Fix the real problem instead of trying to bandaid the symptoms. The real problem? Okay, I'd like your ideas then. :) What we are referring to here is not just malware, phishing, DDoS (rings a bell, root servers?) and other threats. It is about the DNS being manipulated and abused and causing instability across the board, only not in reachability and availability which is the infrastructure risk already being looked after. Hijacking may be resolved by DNS-SEC, this isn't. If an A record with a low TTL can be changed every 10 minutes, that means no matter what the problem is, we can't mitigate it. There are legitimate reasons to do that, though. The CC for a botnet would not disappear, as it would be half way across the world by the time we see it. The only constant is the malicious domain name. If the NS keeps skipping around, that's just plain silly. :) If we are able to take care of all the rest, and DNS becomes the one facet which can rewind the wheel, DNS is the problem. It HAS become an infrastructure for abuse, and it disturbs daily life on the Internet. We'd like solutions and we raised some ideas - we are willing to accept they are not good ones, please help us out with better ones? Or we can look at it from a different perspective: Should bad guys be able to register thousands of domains with amazon and paypal in them every day? Should there be black hat malicious registrars around? Shouldn't there be an abuse route for domain names? One problem at a time, please. Gadi.
Re: On-going Internet Emergency and Domain Names
What really surprises the living crap out of me is that you're attempting to find a technical solution to what is essentially a social problem. If you really want to do something to fix this problem, as you describe it, try suing microsoft for lost time/man-hours/profits/whatever due to their lax security practices instead of mucking about with DNS/ICANN/whatever else. Wasn't going to comment on this thread as I really can't add much (as I read the entire thread bemused as I still don't see the prob even when I learned about this zero day days ago) but amen to Allen's comment here. There are multiple issues here and DNS and / or $insert_favorite_technology isn't the problem. On a completely OT side comment for laughs: why is nobody blaming the real root problem here ... marketing folk and their insistent drive for multimedia for sales reasons (e.g. animated cursors and HTML email) :)
Re: Linksys WAG200G - Information disclosure (fwd)
Karin and I have just completed a little test, in case you own such a router. On the IASON homepage http://iason.site.voila.fr scroll down, look for the picture of the two pirates and click "Port 916 Backdoor". The file udp916.tgz contains a Makefile and sources for test916 (router name or IP), and in case your router does not answer on port 916 udp, a little server, server-916. The server must be run as root. It will terminate after the first test from the client, telling you at least the query from the client and the name and ip-addresses. Enjoy Peter and Karin Dambier

Robert Boyle wrote: At 05:48 PM 3/20/2007, you wrote: I wonder what their security process is for other types of routers? Try [EMAIL PROTECTED] http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html#Problems -Robert -- Forwarded message -- Date: 20 Mar 2007 20:31:01 - From: [EMAIL PROTECTED] To: bugtraq@securityfocus.com Subject: Linksys WAG200G - Information disclosure Hi there, About 2 months ago I bought a wireless ADSL modem/router, the Linksys WAG200G. Just did some basic security checks and to my utter surprise the device responded with about all sensitive information it knows: * Product model * Password webinterface * Username PPPoA * Password PPPoA * SSID * WPA Passphrase I notified Linksys, got some regular support questions and was then assured my concerns would be forwarded to the product engineers. Some weeks later I tried again, same message, silence since then. My firmware version is 1.01.01, latest available for this type. 'Technical' info: Sent a packet to UDP port 916. Answer contains mentioned information. (LAN interface and Wireless interface) Greetings, Daniël Niggebrugge Tellurian Networks - Global Hosting Solutions Since 1995 http://www.tellurian.com | 888-TELLURIAN | 973-300-9211 Well done is better than well said. - Benjamin Franklin
April Fools' Day
The first true April Fools' Day RFC (748) is about to celebrate its 29th birthday. There was none last year. But Tom Limoncelli and I have collected all the RFCs together with some bonus material. Bonus material includes commentary by Salus and Limoncelli, other funny and historical RFCs (the ones not published in April), plus forewords by Mike O'Dell, Scott Bradner, and Brad Templeton. Over 400 pages of delight! See //www.rfc-humor.com/ Peter
Re: [funsec] Not so fast, broadband providers tell big users (fwd)
On Tue, Mar 13, 2007 at 08:27:04AM -0700, Roland Dobbins wrote: On Mar 13, 2007, at 8:17 AM, Chris L. Morrow wrote: [...] what business drivers are there to put more bits on the wire to the end user? BitTorrent. The download speed is however limited by the upload speed of the peers, which acts as its own rate-limit given that the bandwidth on broadband connections is somewhat asymmetric.
Re: [funsec] Not so fast, broadband providers tell big users (fwd)
On Tue, Mar 13, 2007 at 09:13:01AM -0700, Jeremy Chadwick wrote: [...] Ideally that's how it's supposed to work, but isn't how it works as of present-day. Speaking solely about the BitTorrent protocol, upstream does not affect downstream speed. In fact, there's a BitTorrent client out there which specifically *does not* share any of the data being downloaded (thus acting as a pure leeching client): Yes, but if *everybody* did that, nobody would be uploading and thus there would be nothing being downloaded.
Re: Where are static bogon filters appropriate? was: 96.2.0.0/16 Bogons
http://www.completewhois.com/hijacked/files/203.27.251.0.txt http://www.completewhois.com/hijacked/index.htm This can prove the opposite. Malware comes from redirected allocated blocks, not from bogons.

Kind regards Peter and Karin

Sean Donelan wrote: On Fri, 2 Mar 2007, Daniel Senie wrote: How do you know, if you're the one being attacked and you have no idea if the originating network or their immediate upstream implemented BCP38? Shall we just discard ingress filtering? If few attacks are using it today, should we declare it no longer relevant? At the same time we should ask if we should be x-raying shoes at the airport, since there's only been one guy who tried to blow up his shoes. The larger security question is, do you stop looking for old threats simply because they're not the most common threats? How many CodeRed packets flow over the Internet on a typical day? I assure you it's not zero. Show me the data. How many CodeRed packets originate from unallocated addresses? Is the proposal actually effective at detecting or protecting against the threat? Or is it just a wasted effort for show? http://www.tsa.gov/press/happenings/kip_hawley_x-ray_remarks.shtm Instead of dropping packets with unallocated source addresses, perhaps backbones should shut down interfaces they receive packets from unallocated address space. Would this be more effective at both stopping the sources of unallocated addresses, as well as sources that spoof other addresses, because the best way to prevent your interface from being shut down by backbone operators is to be certain you only transmit packets with your source addresses.
Re: Where are static bogon filters appropriate? was: 96.2.0.0/16 Bogons
Perhaps bogon ACLs are helpful when they are configured on the backbone, but not everywhere. And if ever the major backbones (read tier 2/3) would do so, all us little guys wouldn't have to (yet for some reason I keep getting the odd hit in my ACL logs from bogon space daily). Yes I know they will defend this with "we sell unfiltered service" (which of course isn't true); I am just not convinced filtering bogons would invalidate this any more than their MPLS QoS clouds do.
Re: botnets: web servers, end-systems and Vint Cerf
systems were botted. Just a little while back, Vint Cerf guesstimated that there's 140 million botted end user boxes. Unless 100% of Google's servers are botted, there's no way there's that many botted servers. :) I kept quiet on this for a while, but honestly, I appreciate Vint Cerf mentioning this where he did, and raising awareness among people who can potentially help us solve the problem of the Internet. Still, although I kept quiet for a while, us so-called botnet experts gotta ask: where does he get his numbers? I would appreciate some backing up to these or I'd be forced to call him up on his statement. My belief is that it is much worse. I am capable of proving only somewhat worse. His numbers are still staggering so.. where why when how what? (not necessarily in that order). So, data please Vint/Google. Dr. Cerf wasn't speaking for Google when he said this, so I'm not sure why you're looking that direction for answers. But since you ask, his data came from informal conversations with A/V companies and folks actually in the trenches of dealing with botnet ddos mitigation. The numbers weren't taken from any sort of scientific study, and they were in fact mis-quoted (he said more like 10%-20%). So you go ahead and call him on it Gadi; you're a botnet expert after all. And the fact that web servers are getting botted is just the cycle of reincarnation - it wasn't that long ago that .edu's had a reputation of getting pwned for the exact same reasons that webservers are targets now: easy to attack, and usually lots of bang-for-buck in pipe size and similar. You mean they aren't now? Do we have any EDU admins around who want to tell us how bad it still is, despite attempts at working on this? Dorms are basically large honey nets. :) Spoken like someone who's not actually spent time cleaning up a resnet. Cleaning up a resnet must look downright impossible when you spend so much time organizing conferences. (my opinions != my employer's, etc. etc.) Cheers, .peter
Re: DNS: Definitely Not Safe?
MARLON BORBA wrote: Security of DNS servers is an issue for network operators, thus pertaining to NANOG on-topics. This article shows a security-officer view of the recent DNS attacks. Despite well-publicized attacks on domain name servers in 2000 and 2001, evidence suggests that many companies simply have not taken the steps necessary to protect this vital part of their networks. Experts differ on just how much danger companies generally face. However, they seem to agree that, depending on the circumstances and the company, the results could include electronic attacks and unknowingly providing confidential information to competitors. I am not sure whether the author isn't walking beside his shoes. DNS is like a telephone book. Yes it is dangerous to have your telephone number listed in a publicly available book. We should forbid telephone books and the world would be much safer? If you are afraid of people using axfr to slave a nameserver then don't publish it. Use /etc/hosts not DNS and best don't tell anybody your ip-address. In some places (Africa ?) root-servers may be difficult to see, so why not clone them and have the root on your local network? If they are attacked again - no problem. Your personal root-server will survive at least a month without them. Of course you need axfr transfers to do that. I don't know how you can use axfr transfers to DoS somebody else but yourself. It is a tcp connection after all. You need to be connected. Overloading electricity supply like the NSA tries to do is a lot more efficient. That leaves recursive nameservers, resolvers. Yes, that could help. Forbid all publicly available resolvers including those of your ISP then attackers, mostly running windows in their botnets, will not find their targets any longer. The big problem is IT personnel relying on windows for their backbones. You cannot help them, only an attack can. I remember companies used to run their own internal nameservers. Why don't they do it any longer? 
DNS has become so much more reliable that they don't need to. Kind regards Peter and Karin -- Peter and Karin Dambier Cesidian Root - Radice Cesidiana Rimbacher-Strasse 16 D-69509 Moerlenbach-Bonsweiher +49(6209)795-816 (Telekom) +49(6252)750-308 (VoIP: sipgate.de) mail: [EMAIL PROTECTED] mail: [EMAIL PROTECTED] http://iason.site.voila.fr/ https://sourceforge.net/projects/iason/ http://www.cesidianroot.com/
Re: death of the net predicted by deloitte -- film at 11
On Mon, 12 Feb 2007, Paul Vixie wrote: I never quite understood why layered multicast never took off which would have solved the problems you state above. There have been so many research papers on the subject from the late 90s that I would have thought that by now IPmc would be the silver bullet for video distribution. as i said earlier, for intranet use, ip multicast is all the rage for video content. i'm fairly sure it was in use at my hotel in cairo last week, and i know it's been deployed in a number of digital television networks in asia. it's internet multicast (idmr) that never happened, and as far as i can tell, that's because there's no billing or business model for it. Why couldn't internet multicast be used for content other than video? Stream Torrents, .mp4 files, etc. Instead of just sending a single video stream at some data rate, stream data files sequentially. Stream owners can post a schedule (or not, just sending a stream of files with metadata headers), your pc-based TiVo-like software can tune in (request the stream from your provider, which turns on and off all the streams they receive and only sends requested streams to your Last Mile on request) based on that schedule or request. NBC can now stream their shows to me as a .mp4 and I could grab them as fast as they could send it, rather than in realtime. They might offer the same stream at different data rates: 1mbps, 5mbps, 10mbps, 30mbps (for those of us lucky enough to have Verizon FIOS at home). The streams would simply repeat once they streamed all the files in a list. Think of a YouTube stream. As videos are uploaded, they are encoded and sent out an internet multicast stream. It's not a video stream, but a file stream, where one file is sent right after the other, and your end receiver knows what to do with the data. Metadata is put into the file headers so you can scan for content/description. 
Your TiVo can pickup the videos you might like to watch based on your keywords, and now you can watch those videos on your TV on demand, already on your PC. YouTube only had to broadcast it once, and thousands of people who may get the YouTube stream have decided to keep it or not. Sure, it might take up lots of disk space, and analyzing a stream (or 10 simultaneously) might take up a bunch of CPU/memory, but it'd be a way to distribute content efficiently and potentially lower transit bandwidth usage as people started to use it rather than today's status quo. If a channel is popular enough, people ask their provider to carry it. The provider is incentivized to carry a channel if the bandwidth they utilize to serve the unicast version of that data is greater than the amount of data they might use for a single multicasted stream of that same data. Rather than the end user paying for it, the provider saves money by utilizing the stream. Beckman --- Peter Beckman Internet Guy [EMAIL PROTECTED] http://www.purplecow.com/ ---
ien116 nameserver on port 42
http://www.isc.org/index.pl?/sources/network/utils/ien116.php Shows how to implement the good old ien 116 nameserver and how to query it. It runs from the inetd. No need to have it waste memory and cpu all the time. Run an ien 116 nameserver at home and query it, using your laptop. Next maintain your /etc/hosts. I hope your laptop reads /etc/hosts or the windows hosts file before querying DNS. Mine do. Except for the Mac there is no way short of a firewall to convince your laptop to use another port than 53 for DNS. But why not run your personal dns-server, bind or djbdns. They both can use other ports than 53. Kind regards Peter and Karin Lasher, Donn wrote: If so, how do you configure your client operating system of choice to use the novel, un-proxied ports instead of using port 53?
* Set up the profile, to your house/work/etc, of your favorite SSH client to forward port 53 local to port 53 on your remote machine.
* Make sure your SSH Profile connects to your house/work/etc via IP, not name
* make sure there is some sort of DNS server running on the target of your SSH session
* make sure your SSH server supports forwarded ports
* connect to your house/work/etc.
* repoint your local DNS client config to 127.0.0.1
* browse at will
* (don't forget to undo this later or risk losing your sanity)
Same type of config works great for HTTP (with squid, and browser proxy settings) etc..
Re: broken DNS proxying at public wireless hotspots
I am running djbdns and my own root-server (tinydns) on my laptop. To axfr the root and some other zones, I use port 3001 (Cesidian Root). With cloned (not actually slaved) zones I have no problem at all but others might still get me. I have seen the Mac can use things like nameserver 192.168.208.228:3001 in its /etc/resolv.conf, linux cannot. That is why I have not tried. Anyhow there are not many open resolvers on port 3001. You can run bind on your laptop (even with windows). I don't know if you can tell it to use other ports than 53 for the forwarders - but you have the source. Dig can do it. In case you need ip-addresses for djbdns, try ifconfig lo:1 127.0.1.16 netmask 255.255.255.0 ifconfig lo:1 127.0.2.16 netmask 255.255.255.0 Now you have enough ip-addresses to run dnscache, tinydns and axfrdns on one and the same laptop, even when your ip-address to the wlan is constantly changing. Cheers Peter and Karin Suresh Ramasubramanian wrote: Right now, I'm on a swisscom eurospot wifi connection at Paris airport, and this - yet again - has a DNS proxy setup so that the first few queries for a host will return some nonsense value like 1.2.3.4, or will return the records for com instead. Some 4 or 5 minutes later, the dns server might actually return the right dns record. ;; -HEADER- opcode: QUERY, status: NOERROR, id: 25634 ;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 11 ;; QUESTION SECTION: ;www.kcircle.com. IN A ;; AUTHORITY SECTION: com.172573 IN NS j.gtld-servers.net. com.172573 IN NS k.gtld-servers.net. [etc] ;; Query time: 1032 msec ;; SERVER: 192.168.48.1#53(192.168.48.1) ;; WHEN: Sat Feb 3 11:33:07 2007 ;; MSG SIZE rcvd: 433 They're not the first provider I've seen doing this, and the obvious workarounds (setting another NS in resolv.conf, or running a local dns caching resolver) dont work either as all dns traffic is proxied. 
Sure I could route dns queries out through a ssh tunnel but the latency makes this kind of thing unusable at times. I'm then reduced to hardwiring some critical work server IPs into /etc/hosts What do nanogers usually do when caught in a situation like this? thanks srs
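The dig output Suresh quotes (status NOERROR, ANSWER 0, AUTHORITY 13, flags qr ra, from a server that claims to recurse) has a recognisable shape, as does the "nonsense value like 1.2.3.4" answer. What follows is an added example and not code from either poster: a stdlib-only Python module that builds a query, parses a reply (including compression pointers) and classifies it as a real answer, a referral-only reply or a placeholder address. The replies it classifies are constructed to match what the post describes; 1.2.3.4 is the placeholder named in the post, 0.0.0.0 and the 198.51.100.10 "real" answer are assumptions.

```python
import ipaddress
import struct

# Constructed: placeholder addresses an intercepting proxy hands out.
# 1.2.3.4 is the value named in the post; 0.0.0.0 is an assumption.
PLACEHOLDER_ANSWERS = {"1.2.3.4", "0.0.0.0"}

def encode_name(name):
    """Wire-encode a dotted name ('www.example.com.' -> labels + root)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer, RFC 1035 4.1.4
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)

def build_query(qname, qtype=1, txid=0x1234):
    """Standard query with RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)

def build_response(query, answers=(), authority=(), rcode=0):
    """Reply to `query` as a recursive resolver would send it (QR, RD, RA set,
    AA clear). answers/authority are (owner, type, rdata bytes); TTL fixed at 300."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1,
                         len(answers), len(authority), 0)
    body = b""
    for owner, rtype, rdata in list(answers) + list(authority):
        body += encode_name(owner) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return header + query[12:] + body       # reuse the question section verbatim

def parse_response(msg):
    """Header fields plus every record as (section, owner, type, value);
    A and NS/CNAME rdata are decoded, anything else is left as hex."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                       # skip the question section
        _, off = decode_name(msg, off)
        off += 4
    records = []
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            owner, off = decode_name(msg, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            start, off = off + 10, off + 10 + rdlen
            if rtype == 1 and rdlen == 4:
                value = str(ipaddress.IPv4Address(msg[start:off]))
            elif rtype in (2, 5):                 # NS, CNAME: a (maybe compressed) name
                value, _ = decode_name(msg, start)
            else:
                value = msg[start:off].hex()
            records.append((section, owner, rtype, value))
    return {"id": txid, "rcode": flags & 0xF, "aa": bool(flags & 0x0400),
            "ra": bool(flags & 0x0080), "records": records}

def classify(msg):
    """'answered', 'placeholder', 'referral-only', 'empty' or 'error'."""
    r = parse_response(msg)
    answers = [x for x in r["records"] if x[0] == "answer"]
    authority = [x for x in r["records"] if x[0] == "authority"]
    if r["rcode"] != 0:
        return "error"
    if any(x[2] == 1 and x[3] in PLACEHOLDER_ANSWERS for x in answers):
        return "placeholder"
    if not answers and authority and r["ra"] and not r["aa"]:
        # A server that advertises recursion but hands back only a delegation
        # did not resolve the name: the shape of the dig output in the post.
        return "referral-only"
    return "answered" if answers else "empty"

# Constructed replies modelled on the behaviour the post describes.
QUERY = build_query("www.kcircle.com.")
REFERRAL = build_response(QUERY, authority=[
    ("com.", 2, encode_name("j.gtld-servers.net.")),
    ("com.", 2, encode_name("k.gtld-servers.net."))])
PLACEHOLDER = build_response(QUERY, answers=[("www.kcircle.com.", 1, bytes([1, 2, 3, 4]))])
REAL = build_response(QUERY, answers=[("www.kcircle.com.", 1, bytes([198, 51, 100, 10]))])

if __name__ == "__main__":
    for label, reply in (("referral", REFERRAL), ("placeholder", PLACEHOLDER), ("real", REAL)):
        print(label, "->", classify(reply))
```

In practice you would feed `classify()` the bytes a real socket returns and alert when the first few replies for a name are referral-only or placeholder while a later one is answered, which is exactly the "4 or 5 minutes later it works" behaviour described.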
Re: broken DNS proxying at public wireless hotspots
At 04:58 PM 4/2/07, Trent Lloyd [EMAIL PROTECTED] wrote: * Set up the profile, to your house/work/etc, of your favorite SSH client to forward port 53 local to port 53 on your remote machine. The flaw here is that DNS operates over 53(UDP), last time I checked SSH doesn't do UDP port forwarding? At the risk of stating the obvious ... Whats wrong with using an OpenVPN tunnel with appropriate acls ? (It works for me !)
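Trent is right that `ssh -L` forwards TCP only, but DNS is also defined over TCP with a two-byte length prefix in front of the same message (RFC 1035 section 4.2.2), so a small local shim makes the SSH recipe from earlier in the thread usable without OpenVPN. The following is an added example, not code from any of the posters: it listens on UDP, sends each query through a forwarded TCP port, strips the framing from the reply and hands it back over UDP. The `ssh -L 5353:127.0.0.1:53 home` invocation, the port numbers and the fake resolver used by `selftest()` are assumptions.

```python
import io
import socket
import struct
import threading

def frame_tcp(msg):
    """DNS over TCP: the UDP message prefixed with its 16-bit length (RFC 1035 4.2.2)."""
    if len(msg) > 0xFFFF:
        raise ValueError("DNS message too large for TCP framing")
    return struct.pack("!H", len(msg)) + msg

def read_framed(recv):
    """Read one length-prefixed message via recv(n); returns b'' on EOF."""
    def read_exact(n):
        buf = b""
        while len(buf) < n:
            chunk = recv(n - len(buf))
            if not chunk:
                return b""
            buf += chunk
        return buf
    header = read_exact(2)
    if not header:
        return b""
    return read_exact(struct.unpack("!H", header)[0])

def unframe_bytes(data):
    """Convenience for a fully buffered TCP payload."""
    return read_framed(io.BytesIO(data).read)

def forward_query(query, tcp_addr, timeout=5.0):
    """Send one UDP-style query over a (forwarded) TCP port, return the raw reply."""
    with socket.create_connection(tcp_addr, timeout=timeout) as s:
        s.sendall(frame_tcp(query))
        return read_framed(s.recv)

def serve_udp(udp_sock, tcp_addr, stop):
    """Relay loop: UDP query in, TCP hop via tcp_addr, UDP reply out.
    udp_sock is already bound; the loop ends when `stop` is set."""
    udp_sock.settimeout(0.2)
    while not stop.is_set():
        try:
            query, client = udp_sock.recvfrom(4096)
        except socket.timeout:
            continue
        try:
            reply = forward_query(query, tcp_addr)
        except OSError:
            continue          # tunnel down: drop it, the stub resolver will retry
        if reply:
            udp_sock.sendto(reply, client)
    udp_sock.close()

def _fake_tcp_resolver(listener, stop):
    """Test-only stand-in for the resolver behind the SSH forward: it sets
    the QR bit on the query and echoes it back as the reply."""
    listener.settimeout(0.2)
    while not stop.is_set():
        try:
            conn, _ = listener.accept()
        except socket.timeout:
            continue
        with conn:
            q = read_framed(conn.recv)
            if q:
                conn.sendall(frame_tcp(q[:2] + bytes([q[2] | 0x80]) + q[3:]))

def selftest():
    """Loopback run of the whole path; True when the reply comes back over
    UDP carrying the query's transaction id with QR set."""
    stop = threading.Event()
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(4)
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind(("127.0.0.1", 0))
    threads = [threading.Thread(target=_fake_tcp_resolver, args=(listener, stop), daemon=True),
               threading.Thread(target=serve_udp, args=(udp, listener.getsockname(), stop), daemon=True)]
    for t in threads:
        t.start()
    # Constructed query: id 0x1234, RD set, one question, "a." type A class IN.
    query = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x01a\x00\x00\x01\x00\x01"
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.settimeout(5)
    try:
        client.sendto(query, udp.getsockname())
        reply, _ = client.recvfrom(4096)
    finally:
        stop.set()
        for t in threads:
            t.join()
        client.close()
        listener.close()
    return reply[:2] == query[:2] and bool(reply[2] & 0x80)

if __name__ == "__main__":
    # Assumed setup: `ssh -L 5353:127.0.0.1:53 home` is up and /etc/resolv.conf
    # points at 127.0.0.1. Binding UDP/53 needs root; the forwarded port does not.
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 53))
    serve_udp(sock, ("127.0.0.1", 5353), threading.Event())
```

The shim opens one TCP connection per query, which is fine over an SSH forward (the TCP session to the remote resolver is short and local to the far end) but adds a round trip; if the latency Suresh mentions is the concern, keeping a persistent connection per remote resolver is the next step.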
Re: Anyone from BT...
On Mon, Jan 22, 2007 at 04:09:48AM +, Fergie wrote: ...on the list who might be able to comment on how they/you/BT is detecting downstream clients that are bot-infected, and how exactly you are dealing with them? Which bit of BT? They've got their fingers in quite a lot of pies, and the Clue level varies wildly. Although given you've asked that question, I suspect that you're enquiring about their retail Internet offerings, and my impression is that they don't bother to check for or deal with infected hosts.
Re: Network end users to pull down 2 gigabytes a day, continuously?
On Tue, Jan 16, 2007 at 11:53:25AM +1300, Richard Naylor wrote: [...] I don't see many obstacles for content and neither do other broadcasters. The broadcast world is changing. Late last year ABC or NBC (sorry brain fade) announced the lay off of 700 News staff, saying news is no longer king. Was it ever? Allegedly Murdoch's Sky only launched their Sky News channel so they could claim to be a reputable broadcaster.
Re: Ams-ix issues?
Jonas Frey wrote: | All sessions up here (29686). I dont see even a single flap within the | last 30 mins and we peer with quite many. | | Cant ping your ip tho: | | [EMAIL PROTECTED] ping 195.69.144.113 | PING 195.69.144.113 (195.69.144.113): 56 data bytes | ^C | --- 195.69.144.113 ping statistics --- | 12 packets transmitted, 0 packets received, 100% packet loss | | Regards, | Jonas | | On Tue, 2007-01-16 at 22:52, Christian Koch wrote: | |Anyone aware of any issues as of right now? Seems I may have lost |connectivity at amsix | |
PING 195.69.144.113 (195.69.144.113) from 192.168.48.226 : 56(84) bytes of data.
--- 195.69.144.113 ping statistics ---
7 packets transmitted, 0 received, 100% loss, time 6014ms
/usr/sbin/traceroute 195.69.144.113
traceroute to 195.69.144.113 (195.69.144.113), 30 hops max, 40 byte packets
1 krzach.peter-dambier.de (192.168.48.2) 2.960 ms 3.165 ms 3.774 ms
2 MANX45-erx (217.0.116.41) 53.313 ms 64.280 ms 82.398 ms
3 217.0.66.234(H!) 76.091 ms * *
From host_look(84.171.231.46,echnaton.serveftp.com,1420551982). host_name(84.171.231.46,p54ABE72E.dip.t-dialin.net). Cheers Peter and Karin
Re: Comment spammers chewing blogger bandwidth like crazy
On 14 Jan 2007, at 13:27, Tony Finch wrote: [Blog spammers] Most of the IP addresses you listed are already on various DNS blacklists. Ooh, now that is interesting. I had assumed that the DNSBLs only covered SMTP spam sources, but on reflection I suppose SMTP is a dead protocol these days in the wider Internet. For the benefit of those of us who have been lucky to Recover from ISP work and now herd blogs[0], would you be so kind as to share which blacklists are worthwhile and worth consulting on this front? [0] Before you ask, no, it's no easier, in fact arguably harder work, although the pay and hours are better. But yes, we're hiring.
Re: Network end users to pull down 2 gigabytes a day, continuously?
Gian Constantine wrote: Well, yes. My view on this subject is U.S.-centric. In fairness to me, this is NANOG, not AFNOG or EuroNOG or SANOG. I thought Québec and Mexico did belong to the North American Network too. ... I agree there is a market for ethnic and niche content, but it is not the broad market many companies look for. The investment becomes much more of a gamble than marketing the latest and greatest (again debatable :-) ) to the larger market of...well...everyone. There is only a minority in north america who happens to be white and only some of them do speak english. I remember the times when I could watch mexican tv transmitted from a studio in florida. Today everything is crypted on the sats. We have to use the internet when we want something special here in germany. I guess Karin and me are not the only ones who do not even own a tv set. The internet is the richer choice. Even if it is mostly audio, video is nasty overseas, I am sure it does make an impact in north america. Listening to my VoIP phone is mostly impossible now at least overseas. I used to be able to phone overseas. but even the landline has deteriorated because the phone companies have switched to VoIP themselves. Cheers Peter and Karin
Re: Security of National Infrastructure
Why is it that every company out there allows connections through their firewalls to their web and mail infrastructure from countries that they don't even do business in. Shouldn't it be our default to only allow US based IP addresses and then allow others as needed? The only case I can think of would be traveling folks that need to VPN or something, which could be permitted in the Firewall, but WHY WIDE OPEN ACCESS? We still seem to be in the wild west, but no-one has the [EMAIL PROTECTED] to be brave and block the unnecessary access. I assume you want this: http://geekculture.com/joyoftech/joyarchives/446.html Most unnecessary access I see seems to be coming from US-based IP addresses anyway. A Great Firewall Of USA would certainly reduce the amount of spam I get :)
Re: [dns-operations] WorldNIC nameserver issues
David Ulevitch wrote: We're seeing a number of issues with WorldNIC nameservers failing from multiple points on our network this morning and was wondering if anyone was seeing similar problems. We're seeing issues with: ns47.worldnic.com (domain: cpurocket.com) ns48.worldnic.com (domain: cpurocket.com) ns87.worldnic.com (domain insightcollect.com) ns88.worldnic.com (domain insightcollect.com) and many many more... Seen from Europe, Germany, Darmstadt:
check_soa cpurocket.com
NS47.WORLDNIC.com has serial number 2006030200
NS48.WORLDNIC.com has serial number 2006030200
check_soa cpurocket.com
NS47.WORLDNIC.com has serial number 2006030200
NS48.WORLDNIC.com has serial number 2006030200
check_soa insightcollect.com
NS87.WORLDNIC.com has serial number 2006092800
NS88.WORLDNIC.com has serial number 2006092800
check_soa insightcollect.com
NS87.WORLDNIC.com has serial number 2006092800
NS88.WORLDNIC.com has serial number 2006092800
No problems here. Kind regards Peter and Karin
Re: time.nist.gov
Roy wrote: time.nist.gov (192.43.244.18) seems to be down. I tried it via several different paths. I can't find any notice that this is a planned event. Does anyone have any further info? Roy Nothing found. It was dead yesterday. Now it is working again. Kind regards Peter and Karin
Re: Comcast contact
Anshuman: A good place to start for operational contacts is both the puck.nether.net site and the www.peeringdb.com. i found this: http://puck.nether.net/netops/nocs.cgi?ispname=comcast and this: (you can log in as a guest)... https://www.peeringdb.com/private/participant_view.php?id=822 now go get them peter cohen. On 9/25/06, Anshuman Kanwar [EMAIL PROTECTED] wrote: Can someone from comcast contact me off list please ? Thanks, Ansh Kanwar Lead Network Engineer -- Citrix Online (AS16815) 5385 Hollister Avenue Santa Barbara, CA 93111 USA --
Re: [offtopic] Topicality debate [my 2 bits]
Hi Gadi, I took the effort and looked into the other postings of some of the guys. I guess they are only keyword or sender invoked bots. I have never seen any positive postings from them. Kind regards Peter and Karin Gadi Evron wrote: On Sat, 23 Sep 2006, John Underhill wrote: -Moderated Approach Create an nanogofftopic@ to give a vent to members. If a post is clearly offtopic and not announced as such, use a 'three strikes your out' approach, first warning and inviting review of list guidelines, then as a last measure cancelling list subscription. Include 'this is offtopic!' responders among offences, and maybe we can reduce some of the list noise. Hi John, thanks for the wise words. I believe our biggest problem is that on topic is not defined. Many here see different issues as operational to them while a few here always yell and scream the minute someone posts that interest. An off-topic list won't help much, if we can't decide, by poll or arbitrary choice, what actually is on-topic. That can later on be followed. Lists evolve, readerships change, and subjects of interest change. But without certain guidelines, I don't see why any crowd should be silenced or any minority with loud voices should silence them. If such a consensus/decision is reached, it will be followed to the letter with the full backing of whoever needs to back it up. Thanks, Gadi. John
Re: shared hosting and attacks [FWD: [funsec] HostGator: cPanel Security Hole Exploited in Mass Hack]
On 24 Sep 2006, at 04:00, Gadi Evron wrote: [...] With thousands of sites on every server and virtual machines everywhere, all it takes is one insecure web application such as xxxBB or PHPxx for the server to be remote accessed, and for a remote connect-back shell to be installed. The rest is history. Hence why I'm rather partial to the ROT13 of a certain such application: cucOO. [...] We all (well, never say all, every, never, ever, etc.), many of us face this. What solutions have you found? Some solutions I heard used, or utilized: 1. Remote scanning of web servers. Well, I *did* at one point have a script that looked for files with any of a list of MD5 sums and chmod them 000 if it found one. Grepping for Matt Wright in Perl scripts and chmodding them is also not a bad idea :) 2. Much stronger security enforcement on servers. Actually, even bothering to use Unix user accounts rather than running everything under the Apache uid (or sometimes nobody or root!) would be a fine start. 3. Quietly patching user web applications without permission. I would like to plead the Fifth at this point. 4. JGH - Just getting hacked. This seems to be a popular enough technique, as long as the money still keeps rolling in, but not one I particularly subscribe to because the bad reputation gets round after a while. What have you encountered? What have you done, sorry, heard of someone else do, to combat this very difficult problem on your networks? Hacked accounts aren't evenly distributed over the customer base. A judiciously-applied account suspension or bollocking goes a long way.
Re: Zimbabwe satellite service shutdown for non-payment
Gadi Evron wrote: On Mon, 18 Sep 2006, Sean Donelan wrote: Intelsat has shutdown the primary satellite link for Zimbabwe's state communications company for non-payment, which has affected most of the ISPs in the country. I can't really blame them. I doubt the Internet is considered critical infrastructure over there yet, and I doubt Intelsat would care... but this is interesting in the sense that even if you can't fault intelsat in any way... Intelsat, Inmarsat, etc. run quite a bit, and if it's a country that gets disconnected, that is a problem even if it's not their problem. Gadi. http://www.itu.int/africainternet2000/countryreports/zwe_e.htm http://www.comone.co.zw/ http://www.telone.co.zw % Information related to '194.133.122.0 - 194.133.122.255' inetnum:194.133.122.0 - 194.133.122.255 netname:TelOne-BLK01 descr: TelOne (formerly ZPTC) country:ZW The nameservers and internet sites can be seen here (europe) but they are slow. Kind regards Peter and Karin
Re: Why is RFC1918 space in public DNS evil?
At 04:40 PM 18/9/06, Matthew Palmer wrote: I've been directed to put all of the internal hosts and such into the public DNS zone for a client. ... But this client, having a large number of hosts on RFC1918 space and a VPN for external people to get to it, ... What happens when the external people are coming from 1918 nets that clash with those of the MP's client ??? It makes sense to use REAL addresses for the client's hosts so that there are no collisions, and NATing to 1918 space at one end or the other of the vpn. I've used this technique, with both VPNs and private interconnects, when delivering add-on services to clients who already had existing internet connected infrastructure. The various services are listed in the public dns with public addresses, the traffic normally only going via the private paths. If it does leak, they're addresses in your control. YMMV, I had these sort of tricks in production for 100+ client sites from back in ISDN days with SS5s doing gw/router/fw/nat
Re: Why is RFC1918 space in public DNS evil?
Matthew Palmer wrote: I've been directed to put all of the internal hosts and such into the public DNS zone for a client. My typical policy is to have a subdomain of the zone served internally, and leave only the publically-reachable hosts in the public zone. But this client, having a large number of hosts on RFC1918 space and a VPN for external people to get to it, is pushing against this somewhat. Their reasoning is that there's no guarantee that forwarding DNS down the VPN will work nicely, and it's overhead. It can make sense: I am sending my mails mostly from lumbamba.peter-dambier.de (192.168.48.226) my router is krzach.peter-dambier.de (192.168.48.2) my mailer is echnaton.peter-dambier.de (192.168.48.228) My traceroute looks ok although some of the hosts are RFC1918 If somebody looks into my email headers they find information that makes sense although they could not ping the hosts. As long as you do not allow AXFR, nobody can see the information about RFC1918 hosts. So there is no risk. Even if they could get the data via AXFR they could not reach the hosts behind nat. I have seen zones allowing AXFR with lots of RFC1918 hosts. I don't see any harm. Leaking routing information would be evil. I know the common wisdom is that putting 192.168 addresses in a public zonefile is right up there with kicking babies who have just had their candy It is common wisdom like the lie about spinach being healthy. (It is told spinach contains iron. Well not much really. They mixed up milligrams and micrograms. But it does contain oxalic acid, a deadly poison for babies) stolen, but I'm really struggling to come up with anything more authoritative than just because, now eat your brussels sprouts. My Google-fu isn't working, and none of the reasons I can come up with myself sound particularly convincing. Can someone give a lucid technical explanation, or a link, that explains it to me so I can explain it to Those In Power? 
Thanks, - Matt Cheers Peter and Karin
Re: IPv6 PI block is announced - update your filters 2620:0000::/23
[...] Call me naive, but could somebody enlighten me as to what tangible benefit filtering out bogon space actually achieves? It strikes me that it causes more headaches than it solves.
Re: Spain was offline
On 31 Aug 2006, at 16:30, Joseph Jackson wrote: I wish the article had more info since I have been wondering how a software upgrade downed the entire zone. Oh, loads of ways. Wasn't there any backup servers? Well, a quick poke suggests, assuming a reasonably traditional setup, that ns1.nic.es is the master, and there are various slaves, not necessarily directly under their control. ns1.nic.es appears to be running BIND 9.3.2, and there's other versions running on the other nameservers. So if it *was* a software update of BIND, it's probably not global. OTOH, I can believe that somebody broke a Perl script critical to it and it rolled out a valid, but empty, zonefile which the secondaries faithfully replicated. Not that I've watched cascading DNS failures at too many places with bits of crufty Perl, oh no... Actually, it amazes me that this sort of thing doesn't happen more often. Did they not test the upgrade before hand? I know I'd lose my job if I upgraded our dns servers all at once without testing. It's Europe, it's harder to fire people. There's probably a bit of scapegoating and shooting of messengers going on, but it's quite likely that the root cause is a general process failure that's not attributable to a single individual.
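Two threads above call for the same kind of zone-file check before anything is published: the RFC1918 discussion (whether 192.168.x.x records belong in a public zone) and this one (a valid but empty zone that the secondaries faithfully replicated). The following added example, not code from any of the posters or from nic.es, parses a simple master file and implements both: it lists owners whose A/AAAA data is RFC 1918 or ULA space, and it refuses to push a new zone whose serial did not move, that has no apex NS, that has no data records, or that shrank by more than half. The zone texts are constructed, example.com and 198.51.100.0/24 are documentation space, and the 50% shrink threshold is an assumption.

```python
import ipaddress

RFC1918_AND_ULA = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

def parse_zone(text):
    """Minimal master-file parser: returns (origin, soa_serial, records) with
    records as (owner, type, rdata). Understands $ORIGIN, $TTL, '@', relative
    owners, a blank owner meaning 'same as above', ';' comments and a
    one-line parenthesised SOA. Enough for the checks below, no more."""
    origin, serial, records, last_owner = "", None, [], None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$TTL"):
            continue
        tokens = line.replace("(", " ").replace(")", " ").split()
        owner = last_owner if line[0].isspace() else tokens.pop(0)
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = owner + "." + origin
        last_owner = owner
        if tokens and tokens[0].isdigit():       # optional per-record TTL
            tokens.pop(0)
        if tokens and tokens[0].upper() == "IN":
            tokens.pop(0)
        rtype, rdata = tokens[0].upper(), tokens[1:]
        if rtype == "SOA":
            serial = int(rdata[2])
        records.append((owner, rtype, " ".join(rdata)))
    return origin, serial, records

def private_leaks(records):
    """(owner, address) for every A/AAAA record pointing into RFC 1918 or ULA space."""
    leaks = []
    for owner, rtype, rdata in records:
        if rtype in ("A", "AAAA"):
            addr = ipaddress.ip_address(rdata)
            if any(addr in net for net in RFC1918_AND_ULA):
                leaks.append((owner, rdata))
    return leaks

def preflight(old_text, new_text, max_shrink=0.5):
    """Reasons not to push new_text over old_text; an empty list means go."""
    o_origin, o_serial, o_recs = parse_zone(old_text)
    n_origin, n_serial, n_recs = parse_zone(new_text)
    problems = []
    if n_origin != o_origin:
        problems.append("origin changed")
    if n_serial is None:
        problems.append("no SOA")
    elif o_serial is not None and n_serial <= o_serial:
        problems.append("serial did not increase")
    if not any(r[0] == n_origin and r[1] == "NS" for r in n_recs):
        problems.append("no NS at apex")
    data = [r for r in n_recs if r[1] not in ("SOA", "NS")]
    if not data:
        problems.append("zone has no data records")
    elif o_recs and len(n_recs) < len(o_recs) * (1 - max_shrink):
        problems.append("record count fell by more than %d%%" % (max_shrink * 100))
    return problems

# Constructed zones: the 'before' with one leaked internal host, and the
# syntactically valid but empty 'after' that a broken generator might emit.
OLD_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@        IN SOA ns1.example.com. hostmaster.example.com. ( 2006083101 3600 900 604800 300 )
@        IN NS  ns1.example.com.
@        IN NS  ns2.example.com.
ns1      IN A   198.51.100.53
ns2      IN A   198.51.100.54
www      IN A   198.51.100.80
intranet IN A   192.168.48.226   ; internal host that ended up in the public zone
"""

EMPTY_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@ IN SOA ns1.example.com. hostmaster.example.com. ( 2006083102 3600 900 604800 300 )
@ IN NS ns1.example.com.
"""

if __name__ == "__main__":
    print("RFC1918 leaks:", private_leaks(parse_zone(OLD_ZONE)[2]))
    print("publish empty zone?", preflight(OLD_ZONE, EMPTY_ZONE) or "ok")
```

Run `preflight()` in the publishing script between "generate" and "reload", with the copy of the zone that is currently served as `old_text`; it is the missing step in the failure described here, where a correct-looking file with a higher serial sailed straight to the secondaries. The `private_leaks()` list is the thing to hand to Those In Power in the RFC1918 thread: it is a plain inventory of what the public zone reveals, regardless of whether AXFR is allowed.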
Re: Experiences with DDoS platforms...
On 29 Aug 2006, at 02:01, Fergie wrote: [...] I was looking to see what opinions folks on the list may have on the DDoS appliance vendor products available -- I'm particularly looking for a stand-alone (or in conjunction with a 'traffic analysis' box) to off-load DoS mitigation -- real-world experiences welcome. Two jobs ago, I was at UKSolutions (aka UKS). One of UKS's products is the UKShells brand which is a script kiddie magnet and has a good number of IRC servers running on the accounts. IRC servers are a DDoS magnet as you probably know, so UKS got rather good at automating DDoS mitigation so nobody has to get out of bed to deal with it nor do any customers really notice. The exact details of the system are a bit of a mystery to me, but it was a multi-faceted approach that did a fair bit of analysis of the traffic and was quite selective in its filtering, and was most definitely rather effective against DDoSes that should by rights have crippled the whole ISP, never mind the single box that was being targeted. You'll be wanting to speak to Dan Lowe.
Re: GTSM - Do you use it?
On 17 Aug 2006, at 21:45, Pekka Savola wrote: [...] Enhancement Requests haven't gotten through, but maybe gripes on nanog will :-( IME, griping about something on a mailing list, while typically getting you an email from a techie at the company concerned (especially if the gripe was ferocious enough to strip paint), rarely actually gets the problem fixed. It's not unreasonable, I guess. Decision makers aren't likely to be reading operational mailing lists with a low S/N ratio.
Re: i am not a list moderator, but i do have a request
Paul Vixie wrote: which is, please move these threads to a non-SP mailing list. R [ 41: Danny McPherson ] Re: mitigating botnet CCs has become useless R [ 22: Laurence F. Sheldon] R45: Danny McPherson R [ 62: Laurence F. Sheldon] R [ 162: J. Oquendo] Re: [Full-disclosure] what can be done with botnet CC's? R 211: Payam Tarverdyan Ch R [ 66: Michael Nicks ] i already apologized to the moderators for participating in a non-ops thread here. there are plenty of mailing lists for which botnets are on-topic. nanog is not one and should not become one. nanog has other useful purposes. We have already enough botnets DoSsing the net. We dont need nondisclosed botlists DoSsing this forum. We both agree Peter and Karin
Re: ISP wants to stop outgoing web based spam
On 10 Aug 2006, at 22:07, Barry Shein wrote: [...] The vector for these has been almost purely Microsoft Windows. I wonder. From the point of view of a MX host (as opposed to a customer-facing smarthost), would TCP fingerprinting to identify the OS and apply a weighting to the spam score be a viable technique?
Re: ISP wants to stop outgoing web based spam
On 11 Aug 2006, at 05:24, Hank Nussbacher wrote: [...] Please show me which virus scanner scans html pages for the words like V I A G R A, or Free M O R T G A G E, as it is going outbound. It's the one you're going to have to write, or coerce somebody to write, if you want it that much. I have a sneaking suspicion that SpamAssassin's core could probably be pressed into action here, wrapped in a HTTP proxy. It wouldn't scale terribly well, but it might be enough to keep tabs on a few tens of hosts that you expect trouble to come from. HTTPS would be a bit more tricky and would require the co-operation of the cybercafe to install your CA cert on their browsers and crank down the security settings so you could do a MITM attack.
Re: New Laptop Polices
> Given the new threats and the change in policy with the airlines and traveling in and around the UK, has anyone changed their laptop and portable computing device policy? We are being questioned about the safety of executives traveling with their laptops.
>
> Michael Cullen
> Global Security, Universal Music Group
> 818 286-5473 (w) | 818 919-6974 (c)
> UMG GSO Michael (aim) | UMG.GSO.Michael (gtalk) | [EMAIL PROTECTED] (msn)

For me, I think there are two items that jump out:

1. Durability of the case of a laptop being checked baggage vs. carry-on, if indeed we now have to check bags on certain/all flights...

2. With regard to safety of laptops, if you mean that execs are targets of robberies, then this further lends value, I suspect, to keeping everything on the network and having passwords to reach the network from the laptop, etc. Nothing on the laptop but pics of the kids and mp3s, all downloaded legally of course... Secure Computing/SafeWord/etc. to reach your remote files would seem like a good idea...

peter
Re: SORBS Contact
On 10 Aug 2006, at 00:06, Matthew Sullivan wrote:

[...]

> This is also why I took the time to create: http://www.ietf.org/internet-drafts/draft-msullivan-dnsop-generic-naming-schemes-00.txt

Why is this information being encoded into the regular PTR records that already have another purpose, thus reducing its usefulness? It seems the only purpose is as a bandaid over dumb SORBS policy. Create a new SPF-like record if you want *additional* information in DNS. Don't clobber an existing service.

> There are things in the works that will enable the most complained about aspects of SORBS to be fixed and to go away permanently... The only thing that is delaying it is developer time... So I will say this publicly - those that want to see drastic changes @ SORBS that are, or have access to, a perl coder with SQL knowledge, and is able to spend 20-40 hours of pure coding time writing a user interface for user permissions roles in Perl contact me off list as the user interface is the only thing that is holding up moving to the beta stage of the SORBS2 database.

I have the skills and time, but zero inclination to support SORBS. In fact, I think I'll hack my mostly-default SpamAssassin configuration to ignore SORBS. Grepping mailboxes for the SA tag suggests that SORBS makes no difference in detecting spam, and it tags a number of legitimate correspondents, including, it appears, Spamcop at 204.15.82.27. (I'm going by the tags SA added to the message since I can't get past the CAPTCHA on your website to query that address.)

Blacklisting competitors is a low and dirty trick.
Re: ISP wants to stop outgoing web based spam
On 10 Aug 2006, at 19:12, Hank Nussbacher wrote:

> I'll answer on-list since this answer can benefit others. The primary reason that the ISP wants to block outbound webmail spam is because the 100s of BLs on the Internet end up blocking large segments of the IP space due to spam reporting by end users. The spammer can end up burning quite a few IPs before the feedback loop of user-spam report-BL-ISP-block is completed. Therefore the ISP wants to be proactive and shut off the spam before it even starts. Even if it means losing revenue.

This seems to imply that you're using dynamic addressing. The rather obvious solution would seem to be that you provide static addressing. It also makes it rather easier to identify the spammer when the complaints come in since you won't need to grovel through your RADIUS logs.
Re: mitigating botnet CCs has become useless
Mikael Abrahamsson wrote:
> On Tue, 8 Aug 2006, Rick Wesson wrote:
>> Last Sunday at DEFCON I explained how one consumer ISP cost American business $29M per month because of the existence of key-logging botnets. You want to talk economics? It's not complicated to show that mitigating key-logging bots could save American business 2B or 4% of losses to identity theft -- using FTC loss estimates from 2003. Just because an ISP loses some money over transit costs does not equate to the loss American business+consumers are losing to fraud.
>
> I am sure that the total cost would be less if everybody cleaned up their act. It doesn't change the fact that the individual ISP has to spend money it will never see returns on, for this common good to emerge. If the government wants to do this, then I guess it should start demanding responsibility from individuals as well, otherwise I don't see this happening anytime soon. Microsoft has a big cash reserve, perhaps the US government should start demanding them clean up their act and release more secure products, and start fining people who don't use their products responsibly. Oh, and go after the companies installing spyware, in earnest?

And to find these, they have to start wiretapping everybody to collect the information they need.

I remember working in the sysops group of a big company; we made our own law: Leaving your terminal without logoff would cost you a bottle of cognac. Writing your password under the keyboard would cost you a bottle of cognac. ... My boss used to have stomach aches. That is why around noon you would find most of us in the machine room - sorting tapes :) It was the coldest place in the building. Right to cool down our red faces :)

It might be cool if an ISP was to charge his customers a bottle of Pepsi every time they got hacked. It might be even more cool if the customer succeeded to charge Microsoft if they were the culprit :)

> Otoh this added security might add up to more losses than 2B per year in less functionality and more administration and procedures (overhead), so perhaps those 2B is the price we pay for freedom and liberty in this space? Always hard to find the balance.

No more balance after that bottle of cognac :)

Cheers
Peter and Karin

-- 
Peter and Karin Dambier
Re: small group seeks european IPv6 sceptic for good time
Miquel van Smoorenburg wrote:
> In article [EMAIL PROTECTED], Jeroen Massar [EMAIL PROTECTED] wrote:
>> * = not even joking, but could somebody set up a free IPv6 p0rn service; that should considerably raise the demand for IPv6 around the globe. I have some nice statistics from users from a certain asian ISP who are looking at some cosy pictures quite often, most likely using IPv6 as the content is blocked over IPv4 as The Great Firewall doesn't support the new protocol yet ;)
>
> news://newszilla6.xs4all.nl/ :)
>
> Mike.

The alternative root community has already had similar ideas. The good thing, government censoring bastards are not allowed to change their rootservers LOL. IPv6 would even kick the router twisting guys ROFL.

Cheers
Peter and Karin

-- 
Peter and Karin Dambier
Re: Netgear wgt624 v3 (OT?)
[EMAIL PROTECTED] wrote:
> Hi, Perhaps not the best place to ask but I thought I would ask here before possibly hitting Netgear (since you have to register) or BUGTRAQ. My Netgear wgt624 v3 allows for port triggering. When I do that, it doesn't seem to work. Port FORWARDING works fine. Port triggering appears completely broken in both their stable firmware and in their beta. Anyone else experience this with their Netgear?

http://www.portforward.com/help/porttriggering.htm

I guess the problem is timing. Can you provide a continuous datastream to trigger and keep the door open? Port forwarding is much easier. I never got it working :)

Cheers
Peter and Karin

-- 
Peter and Karin Dambier
Re: traffic from DE to DE goes via NL-UK-US-FR
Andrius Kazimieras Kasparavičius wrote:
> Hi, Just wondering if it is normal for traffic from DE to DE to flow through NL-UK-US-FR and so increase delay nearly 100 times? Traceroute here: http://pastebin.ca/115200 and there are only 4 ASes, so ASPATH does not help a lot in finding such links with a horrifying optimisation. I believe there are much worse links; any software to detect this? Something like scanning one IP from larger IP blocks with ICMP and comparing the geo-trajectory via GeoIP?
> thank you, AKK

I remember two peculiarities. Between Amsterdam and London packets were somersaulting. The fifth packet arrived before the second. Making VoIP impossible. In the Cyberbunker every IPv4 address gave a different traceroute. Most addresses did not work at all. When I replaced a GrandStream ATA-486 as VoIP gateway and DSL router by a slow Linux box, that mess cleared. Everything working fine and fast. The ICMP in the GrandStream was broken. I guess in the Cyberbunker a local router was broken too. The sh** needed both routers to reach the fan.

Cheers
Peter and Karin

-- 
Peter and Karin Dambier
Re: Detecting parked domains
Duane Wessels wrote:
>> I am looking for a way that you, or anyone else, could indicate a domain should not be considered in service although the name is registered and has an A record pointing to an active server so when I check that name it doesn't require a human to interpret the results.
>
> You might be able to use lack of an SOA record as a hint. In my experience, parked domains often do not have SOA records because the parking companies are lazy. It is a lot easier to put all the parked domains in a parent zone file, or even use a wildcard, rather than have a zone file for each parked name.
>
> Duane W.

From DNS nutshell or from the DNS and BIND book the programme

    check_soa peter-dambier.de
    ns1.peter-dambier.de has serial number 2005050401
    ns2.peter-dambier.de has serial number 2005050401

Can do. In the IASON tools there is a hacked version

    chk1soa ns1.peter-dambier.de peter-dambier.de
    soa(peter-dambier.de,2005050401,ns1.peter-dambier.de,195.20.224.105).

    chk1soa m.root-servers.net peter-dambier.de
    error(peter-dambier.de,m.root-servers.net,202.12.27.33,no soa).

IASON compiles on most flavours of unix including Mac OS-X and linux.
http://iason.site.voila.fr/
http://www.kokoom.com/iason

If you have an idea what is missing you are welcome to send me a private email.

Cheers
Peter and Karin

-- 
Peter and Karin Dambier
Re: Detecting parked domains
No, it does not look good :)

    ; <<>> DiG 9.1.3 <<>> -t any eoileon.com
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47446
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2

    ;; QUESTION SECTION:
    ;eoileon.com.                   IN      ANY

    ;; ANSWER SECTION:
    eoileon.com.            172800  IN      NS      ns11.chestertonholdings.com.
    eoileon.com.            172800  IN      NS      ns1.chestertonholdings.com.

    ;; AUTHORITY SECTION:
    eoileon.com.            172800  IN      NS      ns1.chestertonholdings.com.
    eoileon.com.            172800  IN      NS      ns11.chestertonholdings.com.

    ;; ADDITIONAL SECTION:
    ns1.chestertonholdings.com.  172800 IN  A       204.13.160.12
    ns11.chestertonholdings.com. 172800 IN  A       204.13.161.12

    ;; Query time: 146 msec
    ;; SERVER: 192.168.48.227#53(192.168.48.227)
    ;; WHEN: Thu Aug  3 20:11:49 2006
    ;; MSG SIZE  rcvd: 145

No SOA. Of course not. It is my own resolver :)

but

    ; <<>> DiG 9.1.3 <<>> -t any eoileon.com @ns1.chestertonholdings.com.
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60197
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 13

    ;; QUESTION SECTION:
    ;eoileon.com.                   IN      ANY

    ;; ANSWER SECTION:
    eoileon.com.            86400   IN      A       204.13.161.31

    ;; AUTHORITY SECTION:
    com.                    86400   IN      NS      k.gtld-servers.net.
    com.                    86400   IN      NS      l.gtld-servers.net.
    com.                    86400   IN      NS      m.gtld-servers.net.
    com.                    86400   IN      NS      a.gtld-servers.net.
    com.                    86400   IN      NS      b.gtld-servers.net.
    com.                    86400   IN      NS      c.gtld-servers.net.
    com.                    86400   IN      NS      d.gtld-servers.net.
    com.                    86400   IN      NS      e.gtld-servers.net.
    com.                    86400   IN      NS      f.gtld-servers.net.
    com.                    86400   IN      NS      g.gtld-servers.net.
    com.                    86400   IN      NS      h.gtld-servers.net.
    com.                    86400   IN      NS      i.gtld-servers.net.
    com.                    86400   IN      NS      j.gtld-servers.net.

    ;; ADDITIONAL SECTION:
    a.gtld-servers.net.     172800  IN      A       192.5.6.30
    a.gtld-servers.net.     172800  IN      AAAA    2001:503:a83e::2:30
    b.gtld-servers.net.     172800  IN      A       192.33.14.30
    b.gtld-servers.net.     172800  IN      AAAA    2001:503:231d::2:30
    c.gtld-servers.net.     172800  IN      A       192.26.92.30
    d.gtld-servers.net.     172800  IN      A       192.31.80.30
    e.gtld-servers.net.     172800  IN      A       192.12.94.30
    f.gtld-servers.net.     172800  IN      A       192.35.51.30
    g.gtld-servers.net.     172800  IN      A       192.42.93.30
    h.gtld-servers.net.     172800  IN      A       192.54.112.30
    i.gtld-servers.net.     172800  IN      A       192.43.172.30
    j.gtld-servers.net.     172800  IN      A       192.48.79.30
    k.gtld-servers.net.     172800  IN      A       192.52.178.30

    ;; Query time: 245 msec
    ;; SERVER: 204.13.160.12#53(ns1.chestertonholdings.com.)
    ;; WHEN: Thu Aug  3 20:12:12 2006
    ;; MSG SIZE  rcvd: 501

I wonder why bind did not say lame server?

    ; <<>> DiG 9.1.3 <<>> -t any eoileon.com @a.gtld-servers.net
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39156
    ;; flags: qr rd; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2

    ;; QUESTION SECTION:
    ;eoileon.com.                   IN      ANY

    ;; ANSWER SECTION:
    eoileon.com.            172800  IN      NS      ns1.chestertonholdings.com.
    eoileon.com.            172800  IN      NS      ns11.chestertonholdings.com.

    ;; AUTHORITY SECTION:
    eoileon.com.            172800  IN      NS      ns1.chestertonholdings.com.
    eoileon.com.            172800  IN      NS      ns11.chestertonholdings.com.

    ;; ADDITIONAL SECTION:
    ns1.chestertonholdings.com.  172800 IN  A       204.13.160.12
    ns11.chestertonholdings.com. 172800 IN  A       204.13.161.12

    ;; Query time: 160 msec
    ;; SERVER: 192.5.6.30#53(a.gtld-servers.net)
    ;; WHEN: Thu Aug  3 20:19:33 2006
    ;; MSG SIZE  rcvd: 145

And no, they are not authoritative either.

    check_soa eoileon.com
    There was no response from ns11.chestertonholdings.com
    ns1.chestertonholdings.com: expected 1 answer, got 0

    ; <<>> DiG 9.1.3 <<>> -t any eoileon.com @ns11.chestertonholdings.com.
    ;; global options:  printcmd
    ;; connection timed out; no servers could be reached

I should say the domain eoileon.com is at least broken if not broke :)

Cheers
Peter and Karin

Duane Wessels wrote:
> On Thu, 3 Aug 2006, Joe Abley said:
>> Do you have an example of a parked domain with no SOA record?
>
> eoileon.com
> tri-cityhearald.com
>
> Surely for that to work for most of the domains we're talking about, the parking companies would need to be able to insert arbitrary records into zones such as ORG, NET and COM, which isn't something that any
Re: mitigating botnet CCs has become useless
Barry Shein wrote:
> On August 1, 2006 at 11:50 [EMAIL PROTECTED] (Scott Weeks) wrote:
>> ... there has to be a technical way to do this, rather than a diplomatic way as the diplomatic ways historically have not worked in the other areas mentioned, so they probably won't work here, either. Or we have to keep going until one can be contrived. Many good attempts have been made and there will be more to come until we hopefully rid ourselves of the sickness others of lower values force on us daily...
>
> I have nothing against technical solutions tho after over ten years of a lot of smart people trying, and a grand prize of probably a billion dollars increase in personal wealth, it doesn't seem forthcoming.

Let me try to become Gadi. First of all block port 80 (http) :) Next block port 53 udp (dns). Now you have got rid of amplification attacks because spoofing does no longer work and you have got rid of all those silly users that only know how to click the mouse. Put every client leaking netbios into a sandbox. Don't allow them anything but logon :)

> However, I do take exception to the assertion that diplomatic ways historically have not worked in other areas mentioned. I think what you mean is that they haven't worked perfectly, but slipped the semantics a little. Surely you didn't mean to say that all efforts to oppose, e.g., the human slave trade have been in vain? The effectiveness has a lot to do with the profitability making the risk worthwhile (e.g., drug trade), and who the crime appeals to; some poor, desperate people will take risks others won't (e.g., high-seas piracy.)

Unfortunately all this reasoning might be edifying but it leads nowhere.

Cheers
Peter and Karin

-- 
Peter and Karin Dambier
Re: Detecting parked domains
Sean Donelan wrote:
> On Wed, 2 Aug 2006, Florian Weimer wrote:
>>> Has anyone come up with a quick method for detecting if a domain name is parked, but is not being used except displaying ads?
>>
>> AFAICT, the main challenge is to define what parked means in the context of your application.
>
> There seems to be DNSBL's for every other thing, I was expecting to find one for parked domain names or the server IP addresses used. This was for personal interest, rather than a commercial opportunity. I'm a lousy typist and it's unlikely to change. But I can write computer applications. I'd rather get a message my application can process rather than relying on a human. My preference is legitimate domain parking firms included a standardized piece of meta-data my application could detect and use as this domain doesn't really exist. Sorta of a variant of the web robots.txt file, but I prefer it to be application independent, instead of assuming everything is HTTP Port 80. Perhaps start with a standard record associated with the parked domain, i.e. _notexist.example.com. For less legitimate domain parking (i.e. typo-squatters), it's a different problem.

How about creating a database domain(domain_owner,domain_name) and then querying by domain_owner. If the guy has more than 100 he looks like a squatter and can be manually looked at.

e.g.

    6.ag.             86400 IN NS ns1.sedoparking.com.
    6.ag.             86400 IN NS ns2.sedoparking.com.
    auktion.ag.       86400 IN NS ns1.sedoparking.com.
    auktion.ag.       86400 IN NS ns2.sedoparking.com.
    bilder.ag.        86400 IN NS ns1.sedoparking.com.
    bilder.ag.        86400 IN NS ns2.sedoparking.com.
    ...
    tvshop.ag.        86400 IN NS ns1.sedoparking.com.
    tvshop.ag.        86400 IN NS ns2.sedoparking.com.
    videothek.ag.     86400 IN NS ns1.sedoparking.com.
    videothek.ag.     86400 IN NS ns2.sedoparking.com.
    webhosting.ag.    86400 IN NS ns1.sedoparking.com.
    webhosting.ag.    86400 IN NS ns2.sedoparking.com.

grep | wc says he has 51 lines. I guess it is 26 domains. The name suggests they are parked.

    01.ag.            86400 IN NS ns19.schlund.de.
    01.ag.            86400 IN NS ns20.schlund.de.
    0800fitness.ag.   86400 IN NS ns11.schlund.de.
    0800fitness.ag.   86400 IN NS ns12.schlund.de.
    1-and-1.ag.       86400 IN NS ns3.schlund.de.
    1-and-1.ag.       86400 IN NS ns4.schlund.de.
    ...
    zusatzverdienst.ag. 86400 IN NS ns7.schlund.de.
    zusatzverdienst.ag. 86400 IN NS ns8.schlund.de.
    zweitmarkt.ag.    86400 IN NS ns25.schlund.de.
    zweitmarkt.ag.    86400 IN NS ns26.schlund.de.
    zypern.ag.        86400 IN NS ns21.schlund.de.
    zypern.ag.        86400 IN NS ns22.schlund.de.

grep | wc says 3226 lines. But they are a famous German hoster. I don't think they are squatting.

Just for curiosity: AG is the German equivalent of PLC, or SA in French.

I thought the nameservers would do. Maybe the whois gives more help.

Cheers
Peter and Karin

-- 
Peter and Karin Dambier
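Two heuristics come up in this thread: Duane's "no SOA from the authoritative servers" signal (the check_soa runs against eoileon.com above) and Peter's "count domains per nameserver operator" query. The following added example, which is not the IASON code or anything from the posters, puts both into one small offline tool: it parses NS records in the zone-file layout shown above, groups the domains by the operator of their nameservers, flags operators above a threshold (100, as in Peter's post), and classifies a zone from the per-server answers a checker like check_soa would have collected. The NS lines, the per-server answers and the `ns_operator` two-label rule are constructed for the example; that rule is an assumption and breaks for nameservers under ccSLDs such as .co.uk, so a public suffix list would be needed in practice.

```python
"""Heuristics for spotting parked or broken domains from DNS data (added example)."""
import re
from collections import defaultdict

# Constructed sample input in the dig/zone-file layout quoted in the post.
SAMPLE_NS_RECORDS = """\
6.ag. 86400 IN NS ns1.sedoparking.com.
6.ag. 86400 IN NS ns2.sedoparking.com.
auktion.ag. 86400 IN NS ns1.sedoparking.com.
auktion.ag. 86400 IN NS ns2.sedoparking.com.
bilder.ag. 86400 IN NS ns1.sedoparking.com.
01.ag. 86400 IN NS ns19.schlund.de.
01.ag. 86400 IN NS ns20.schlund.de.
zypern.ag. 86400 IN NS ns21.schlund.de.
"""

# Constructed per-server answers modelled on the check_soa/dig runs in the thread:
# server -> list of (owner, rrtype) pairs it returned, or None when it did not respond.
SAMPLE_ANSWERS = {
    "eoileon.com": {
        "ns1.chestertonholdings.com.": [("eoileon.com.", "A")],  # answers, but no SOA
        "ns11.chestertonholdings.com.": None,                    # timed out
    },
    "peter-dambier.de": {
        "ns15.schlund.de.": [("peter-dambier.de.", "SOA"), ("peter-dambier.de.", "MX")],
        "ns16.schlund.de.": [("peter-dambier.de.", "SOA")],
    },
}

NS_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+NS\s+(\S+)$")


def ns_operator(nsname):
    """Reduce ns19.schlund.de. to schlund.de (assumed two-label rule; wrong under ccSLDs)."""
    labels = nsname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def domains_by_operator(records):
    """Group the domains in `records` by the operator of their NS hosts."""
    groups = defaultdict(set)
    for line in records.splitlines():
        m = NS_LINE.match(line.strip())
        if not m:
            continue  # skip blank lines, comments and non-NS records
        domain, ns = m.groups()
        groups[ns_operator(ns)].add(domain.rstrip(".").lower())
    return {op: sorted(doms) for op, doms in groups.items()}


def bulk_operators(records, threshold=100):
    """Operators whose NS hosts serve more than `threshold` distinct domains in the input."""
    return sorted(
        (op, len(doms))
        for op, doms in domains_by_operator(records).items()
        if len(doms) > threshold
    )


def soa_status(answers):
    """'served' if any listed server returns an SOA, 'unreachable' if none answered, else 'no-soa'."""
    if any(rrs and any(rtype == "SOA" for _, rtype in rrs) for rrs in answers.values()):
        return "served"
    if all(rrs is None for rrs in answers.values()):
        return "unreachable"
    return "no-soa"


def assess(domain, records, answers, threshold=100):
    """Combine both heuristics into a list of reasons to treat `domain` as parked or broken."""
    reasons = []
    status = soa_status(answers)
    if status != "served":
        reasons.append(f"soa:{status}")
    bulk = dict(bulk_operators(records, threshold))
    for op, doms in domains_by_operator(records).items():
        if domain in doms and op in bulk:
            reasons.append(f"bulk-operator:{op}({bulk[op]})")
    return reasons


if __name__ == "__main__":
    for name, answers in SAMPLE_ANSWERS.items():
        print(name, soa_status(answers), assess(name, SAMPLE_NS_RECORDS, answers))
    print(bulk_operators(SAMPLE_NS_RECORDS, threshold=2))
```

As the thread itself notes, neither signal is conclusive on its own: a large hoster trips the bulk-operator count just as a parking company does, and a mail-only domain with a proper SOA is not parked. The reasons list is meant to be reviewed, not acted on automatically.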
Re: mitigating botnet CCs has become useless
Paul Vixie wrote:
> [EMAIL PROTECTED] (Scott Weeks) writes:
>> From: Paul Vixie [EMAIL PROTECTED]
>> http://fm.vix.com/internet/security/superbugs.html
>> ... I'd like to see ...jackbooted [US is implied in the text] government thugs...kicking in a door somewhere ...

Paul, it is people like you who tell us there is still hope in the US :)

There is a nuclear bunker between the Scheldt rivers in the Netherlands. The facility used to house an XTC lab and the Turkish root - and the police would not dare to kick their doors in because the guys told them they were an independent country and threatened to send bombs upon Amsterdam :)

And there are other countries in Europe where it is a military secret that they are wearing boots and they are able to kick doors in.

Cheers
Peter and Karin

-- 
Peter and Karin Dambier
Re: Detecting parked domains
Stephane Bortzmeyer wrote:
> On Tue, Aug 01, 2006 at 03:35:40PM -0400, Sean Donelan [EMAIL PROTECTED] wrote a message of 6 lines which said:
>> Has anyone come up with a quick method for detecting if a domain name is parked, but is not being used except displaying ads?
>
> I don't think it is possible: being parked cannot be defined in an algorithmic way. My own domain sources.org does not even have a Web site (and I swear it is not parked). Let's try:
>
> * Bayesian filtering on the content of the Web page, after suitable training?
> * Number of different pages on the site (if n == 1 then the domain is parked)?
> * (Based on the analysis of many sites, not just one) Content of the page almost identical to the content of many other pages? (Caveat: the Apache default installation page...)

Don't forget there are mail only domains. I used to have one. Now it is used to forward html somehow to my real homepage.

    ; <<>> DiG 9.1.3 <<>> -t any peter-dambier.de @212.227.123.12
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28472
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;peter-dambier.de.              IN      ANY

    ;; ANSWER SECTION:
    peter-dambier.de.       86400   IN      SOA     ns15.schlund.de. hostmaster.schlund.de. 2005050401 28800 7200 604800 86400
    peter-dambier.de.       86400   IN      NS      ns15.schlund.de.
    peter-dambier.de.       86400   IN      NS      ns16.schlund.de.
    peter-dambier.de.       86400   IN      MX      10 mx0.gmx.de.
    peter-dambier.de.       86400   IN      MX      10 mx0.gmx.net.
    peter-dambier.de.       10800   IN      A       82.165.62.90

    ;; Query time: 63 msec
    ;; SERVER: 212.227.123.12#53(212.227.123.12)
    ;; WHEN: Tue Aug  1 22:18:51 2006
    ;; MSG SIZE  rcvd: 217

    <HTML><HEAD><TITLE>Peter und Karin Dambier</TITLE></HEAD>
    <FRAMESET ROWS="100%,*" BORDER=0 FRAMEBORDER=0>
    <FRAME SRC="http://www.peter-dambier.gmxhome.de/" SCROLLING=AUTO NAME=bannerframe NORESIZE>
    </FRAMESET>
    <NOFRAMES>
    Peter und Karin Dambier
    <P><DIV ALIGN=CENTER><A HREF="http://www.peter-dambier.gmxhome.de/">http://peter-dambier.de/</A></DIV>
    </NOFRAMES>
    </HTML>

-- 
Peter and Karin Dambier
Re: AOL Mail Problem
Tom Quilling wrote:
> Hi Folks
> We are an ISP in Germany and experience since this morning, July 27 07:00 GMT, problems with all mail-in servers at AOL. They seem to refuse mail connections, giving error message 554 for no reason at all, since our servers are not listed in any RBL etc. We can see that they extract from the header the original sender IP of a mail, instead of the one from the MAIL-RELAY-SERVER, as specified in RFC. As these senders are from ADSL IPs, AOL refuses them. This is definitely wrong by AOL... Does anybody else experience this problem?
> Regards
> Tom Quilling

Even worse. Except from [EMAIL PROTECTED] I could never ever send emails to AOL. I do not even get bounces. I tried GMX, 1&1, gmail, yahoo.ca, memor.net (.it), wannado.fr, cyberbunker.net (.nl).

But don't worry, SPAM gets through. They block only emails :)

Cheers
Peter and Karin

-- 
Peter and Karin Dambier
Re: Web typo-correction (Re: Sitefinder II, the sequel...)
Edward B. DREGER wrote:
> I'm generally ignoring other protocols to limit the discussion scope. However, one can see how SMTP and FTP might be similarly handled. (IMHO not as good as a SRV-ish system that could return NXDOMAIN per service, but actually somewhat usable today.)

No, you should not. The other important things that come into my mind are:

mail - My Thunderbird does use DNS, looking for MX records mostly. For me it is the most important application.

phone - Either VoIP or Skype, they both need DNS, looking for NAPTR? The box is hardware. It does not run Windows and it has its own resolver onboard.

dns - Some resolvers do not use forwarders. They know whom to query. They will get a hiccup if somebody is returning them the wrong IP address for a nameserver.

(agreed, if you use e.g. djbdns you most likely will not use OpenDNS in the first place)

-- 
Peter and Karin Dambier
Re: Sitefinder II, the sequel...
On 13 Jul 2006, at 16:48, Patrick W. Gilmore wrote:
> On Jul 13, 2006, at 11:35 AM, Larry Smith wrote:
> [...]
>> Hmmm, while a good question - how about another example, someone mistypes whitehouse.gov - do you return the real whitehouse.gov or the whitehouse.com site ??? Note: and the domain does not exist.
>
> Whitehouse.gov absolutely exists.

I don't think that was quite what was meant. Suppose the user typed whitehouse.cov?
Re: Sitefinder II, the sequel...
Having seen a lot of cons and few pros, here is my scenario:

I am running my own root, a copy of the Cesidian Root plus some TLDs of my own liking, some shared with friends who don't want to risk cache poisoning. I am running both djbdns (dnscache with tinydns and axfrdns as root) and Bind 9.4.0.a6.

I have seen that my own nameservers are always faster than my ISP's.

I like the idea of catching the phishermen before they can catch me, although I am not running Phisherman's friend (windows eXPerimental). I have seen with my own eyes that on a Windows system OpenDNS is a MUST. Even if I don't click on install or execute... and I do not trust open Macs too very much either.

I do not necessarily improve speed when using OpenDNS and I am not sure whether I want OpenDNS to decide between typos and alt. TLDs. But I still want to catch the phishermen.

Does it make sense for me and mine?

Kind regards
Peter and Karin

-- 
Peter and Karin Dambier
...: DA Workshop - ISOI
Gadi Evron wrote:
> This is a call for papers for a DA Workshop (ISOTF/TISF DA). Its name is: Internet Security Operations and Intelligence Workshop or ISOI for short. DA stands for Drone Armies (botnets), which is the main subject of this workshop.

Sorry, I always thought DA stands for Dumbledore's Army or Defense against the Dark Arts :)

> ... communities with the much appreciated help of Cisco Systems, Inc.,

Isn't that the people we must defend against, with backdoors and nondisclosure agreements and things like that?

> and is closed to members of the following communities:

Looks more like The One Whose Name Must Not Be Spoken Aloud than Dumbledore.

> If you are not a member and would like to attend, feel free to send a request. We would be happy to learn of your interest.

No, IASON is meant to stay open source.

> The workshop is closed to reporters.

I am a writer, I think that comes close to a reporter. Maybe another time?

Cheers
Peter and Karin

-- 
Peter and Karin Dambier
Re: NANOG Spam?
Henry Linneweh wrote:
> I still comment here periodically when it is prudent to do so, I set this email account specifically for Nanog, anticipating spam
> -Henry sage
>
> From: Dominic J. Eidson [EMAIL PROTECTED]
> To: nanog@merit.edu
> Sent: Thursday, July 6, 2006 8:14:58 AM
> Subject: Re: NANOG Spam?
>
> On Thu, 6 Jul 2006, Sabri Berisha wrote:
>> On Wed, Jul 05, 2006 at 05:20:04PM -0400, Jim Popovitch wrote:
>>> Hi, Finally, we crawled the archives of the big lists and have come up with a list of subscribers who haven't posted in over 9 months, we plan to set the mod bit on them too very soon. So people who are 'real' but lurk a lot should reply to this message so they don't get moderated :)
>>
>> unlurked:)

Having very good experiences with spam filters (I have them all switched off :) I did not even see the spam. My manual spam filter successfully removed them. Yes, I remember spam with nanog in the sender field. I receive a lot of spam from everybody, including myself. That is why it never occurred to me it might not have been faked.

> The question would be - if you're hit by the moderation bit, and post a message that makes it past whatever moderator's criteria.. Do you then lose the moderation bit, since you now have posted within the last 9 months, and thusly have (unmoderated) access? Or maybe this is just an exercise in let's-fly-by-the-seat-of-our-pants...
> - d.

Mine is more a fly-by without pants :)

Having been hit by the lurking bit, you most likely have not spammed or that bit would not be set in the first place. Looks like a job for a trunk monkey.

Regards
Peter and Karin

-- 
Peter and Karin Dambier
Re: Virtual routers from Cisco
Radia Perlman gave a brilliant talk on these Virtual Routers at USENIX in Boston. Peter
Re: Who wants to be in charge of the Internet today?
At one of my old jobs, my boss honestly believed that we had a 'switch' that turned the entire internet off or on. When she was having problems accessing her shopping sites, she'd storm in the office and say something like 'did you guys turn the internet off again?' sigh

Then again, this is the same person that tried to tell me that 768 OC-192s are carried on a single DS1..

- Peter

On Fri, 23 Jun 2006, Patrick W. Gilmore wrote:
> On Jun 23, 2006, at 12:45 AM, Sean Donelan wrote:
>> I shudder to think what would happen under large scale attack if one of the CEOs in that room had responsibility for the correct functioning of the Internet.
>
> This definitely falls into the Just Doesn't Get It category.
>
> --
> TTFN,
> patrick
Re: Silicon-germanium routers?
David W. Hankins wrote:
> IBM and Georgia Institute of Technology are experimenting with silicon-germanium, it is said here: http://tinyurl.com/g26bu
> I find this interesting having just attended NANOG 37 where some manufacturers of network devices told us in a panel that network heat problems weren't going away unless there's a 'next big thing' in manufacturing process. Is this it?
> Corollary: If our routers are made of silicon-germanium, would the CLI only operate in Deutsch?

Jawohl, it would :)

I remember my old radio days. My audion and diode receivers never would work with silicon, only with germanium diodes and transistors. The difference is the voltage threshold where the device would start conducting. That is 200 mV for germanium but 800 mV for silicon. Devices running with silicon and 2.4 volts will go down to 600 mV. That means power consumption will drop to 1/4. The real thing is a bit more complex but for a guesstimation ...

Cheers
Peter and Karin

--
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)
mail: [EMAIL PROTECTED]
mail: [EMAIL PROTECTED]
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
RE: Interesting new spam technique - getting a lot more popular.
Has anyone considered using sFlow to detect this type of bad behavior? Many layer 2 switch vendors mentioned in the discussion support sFlow (see http://www.sflow.org/products/network.php for a list). sFlow operates at layer 2 (think of it as a kind of remote sampled mirror port capability that lets you capture the first 128 bytes of Ethernet frames from every l2/l3 switch port in the data center). Information that you could get from sFlow that is relevant to the discussion includes: ingress switch port, source and destination MAC addresses, VLANs, IP addresses, ARP targets and senders, layer 4 protocol and ports.

Peter
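As an added example, not code from the post above and not from any sFlow vendor or collector, here is the kind of check the post suggests, written in Python over constructed sFlow-style flow samples. A real collector would first decode these fields from the sFlow datagram; the tuple layout, the sample values and the heuristic itself (one ingress port and source MAC originating SMTP from many different source IPs) are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sFlow-style flow samples, not real captures. Each tuple carries
# the fields the post lists as available from a layer-2 sFlow agent:
# (ingress_port, src_mac, vlan, src_ip, dst_ip, l4_proto, dst_port)
SAMPLES = [
    (12, "00:11:22:33:44:01", 100, "192.0.2.10", "198.51.100.25", "tcp", 25),
    (12, "00:11:22:33:44:01", 100, "192.0.2.11", "198.51.100.26", "tcp", 25),
    (12, "00:11:22:33:44:01", 100, "192.0.2.12", "198.51.100.27", "tcp", 25),
    (12, "00:11:22:33:44:01", 100, "192.0.2.13", "198.51.100.28", "tcp", 25),
    (7,  "00:11:22:33:44:02", 100, "192.0.2.50", "198.51.100.25", "tcp", 25),
    (7,  "00:11:22:33:44:02", 100, "192.0.2.50", "198.51.100.80", "tcp", 80),
    (9,  "00:11:22:33:44:03", 200, "192.0.2.70", "198.51.100.53", "udp", 53),
]


def summarise_by_source(samples):
    """Group samples by (ingress_port, src_mac): the layer-2 identity the
    switch sees, which a host cannot change simply by using another IP."""
    out = defaultdict(lambda: {"src_ips": set(), "vlans": set(),
                               "dst_ports": defaultdict(int)})
    for port, mac, vlan, src_ip, _dst_ip, proto, dport in samples:
        rec = out[(port, mac)]
        rec["src_ips"].add(src_ip)
        rec["vlans"].add(vlan)
        rec["dst_ports"][(proto, dport)] += 1
    return out


def find_multi_source_smtp(samples, min_distinct_ips=3):
    """Assumed heuristic: a single ingress port/MAC that sends TCP/25 traffic
    from many different source addresses deserves a look. Returns
    {(ingress_port, src_mac): sorted source IPs} for every such pair."""
    smtp_sources = defaultdict(set)
    for port, mac, _vlan, src_ip, _dst_ip, proto, dport in samples:
        if proto == "tcp" and dport == 25:
            smtp_sources[(port, mac)].add(src_ip)
    return {key: sorted(ips) for key, ips in smtp_sources.items()
            if len(ips) >= min_distinct_ips}


if __name__ == "__main__":
    for (port, mac), ips in find_multi_source_smtp(SAMPLES).items():
        print(f"port {port} mac {mac}: SMTP from {len(ips)} source IPs: {', '.join(ips)}")
```

Two caveats for anyone running this against live sFlow: the samples are sampled, so packet counts must be scaled by the agent's sampling rate while a set of distinct source IPs cannot be, and a MAC that legitimately fronts many addresses (a NAT box, a load balancer) will also trip the check, so the ARP sender/target records the post mentions are the natural second source to confirm with.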
Re: on topic?
Paul Vixie wrote:
> The effect of Nanog is remarkable. All the hybrid cells became fully converted to embryonic stem cells, said Jose Silva of the University of Edinburgh, Scotland, who reported the findings in the journal Nature.
> http://news.com.com/Gene+may+mean+adult+cells+can+be+reprogrammed/2100-1008_3-6083878.html?tag=nefd.top

That is why more people from the old continent have subscribed to NANOG than to lists.ripe.net :)

Cheers
Peter and Karin

--
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)
mail: [EMAIL PROTECTED]
mail: [EMAIL PROTECTED]
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
Re: Tracing network procedure for stolen computers
Colin Johnston wrote:
> Hi folks,
> Quick security tracing question, flame me if you think off-network topic. Earlier this month my daughter's iBook was stolen, oh well that is life I guess. Anyway updated mail server software for full debug and IP log since noticed that mail account was accessed yesterday. I am now hoping it is accessed again, system was setup to pull each min so when they (thugs) access internet again hopefully will honeytrap IP number.
> What does one do next ? I guess inform police etc but would this be too slow ?? Do I contact ARIN/RIPE contacts direct ?? I know about software that should have been installed for tracing if stolen but wondered about in the real network world how useful this was and if any items recovered ??
> Colin Johnston
> Satsig sysadmin

Apple have their own good ideas. Besides a VoIP phone software or something like no-ip.com is good to permanently know what ip-address the toy has. Knowing the ip you can traceroute to guess what continent, state, province it is, via its final router. The police and the owner of the final router should do the rest.

Bad idea :) have some child porn on the box and mail it to the police. They will trace it very fast.

--
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)
mail: [EMAIL PROTECTED]
mail: [EMAIL PROTECTED]
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
Re: Zebra/linux device production networking?
Nick Burke wrote:
> Greetings fellow nanogers,
> How many of you have actually use(d) Zebra/Linux as a routing device (core and/or regional, I'd be interested in both) in a production (read: 99.999% required, hsrp, bgp, dot1q, other goodies) environment?

Just have a look for MTU. If you connect home - aDSL - someplace and your MTU is smaller than the aDSL packet size then your connection is home - adsl - tunnel - someplace. That tunnel consists of two routers, linux or whatever. Behind the tunnel you might find some 200 hosts. The speed is 2Meg through the tunnel. It used to connect one /18 and a handful of /24.

The two linux boxes were maintained by a guru. They almost never gave problems. Mostly the hardware router behind that tunnel did. I don't know what kind of device it is. All I know is, it seems to know some 8 or more interfaces, hardware or virtual.

The installation, a nuclear bunker, used to house some websites and services. (And an XTC-lab :) There are a lot of network bunkers around. I guess half of them look the same.

Cheers
Peter and Karin Dambier

--
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)
mail: [EMAIL PROTECTED]
mail: [EMAIL PROTECTED]
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
Re: Telia network degredation / POC
Hello, for the future/past, I would point people to www.peeringdb.com as that has the record information for the NOC in there. If anyone wants further info about TeliaSonera in the states or elsewhere, please contact me offline.

Peter Cohen

On 6/2/06, Bjørn Mork [EMAIL PROTECTED] wrote:
> Jeremy Chadwick [EMAIL PROTECTED] writes:
>> Does anyone have a contact number/POC of any sort for Telia that's within the United States? Jared's NOC list only contains a contact number in Sweden.
> Just curious: What's the problem with the contact number in Sweden?
>
> Bjørn
Re: Fwd: 41/8 announcement
Stephen Sprunk [EMAIL PROTECTED] wrote:
> [...]
> It's extremely ugly, but that's what one gets for using private address space. This exact scenario was a large part of why I supported ULAs for IPv6.

I can sort of see the point in ULAs, although if you want a globally unique address, why not just use a public address?

Anyway, the problem is that nobody actually seems to have bothered to read RFC1918 and/or realise the possibility of collision:

    If two (or more) organizations follow the address allocation specified in this document and then later wish to establish IP connectivity with each other, then there is a risk that address uniqueness would be violated. To minimize the risk it is strongly recommended that an organization using private IP addresses choose randomly from the reserved pool of private addresses, when allocating sub-blocks for its internal allocation.

I tend to pick out random /24s from 172.16/12 when I need private addresses. Virtually nobody uses those, which makes them most suitable.

--
I have heard it said that the reason Microsoft is choosing to work with the government of Nigeria in stopping 419 scammers is that it's easier to rebuild the Nigerian government and economy than to fix the bugs in Microsoft code. - Mike Andrews in the Monastery
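The RFC 1918 advice quoted above, as an added worked example in Python that is not code from the post: pick /24s at random from 172.16.0.0/12, check what happens when two organisations' allocations later meet, and put a number on the collision risk. The helper names, the two sample allocations in the collision check and the use of `secrets` for the random pick are choices made here for illustration.

```python
import ipaddress
import secrets
from math import comb

# The block the post picks from; 10.0.0.0/8 and 192.168.0.0/16 would work the same way.
RFC1918_POOL = ipaddress.ip_network("172.16.0.0/12")


def subnet_count(pool, prefixlen=24):
    """Number of /prefixlen blocks that fit in pool (4096 /24s in 172.16/12)."""
    return 2 ** (prefixlen - pool.prefixlen)


def random_subnet(pool=RFC1918_POOL, prefixlen=24, rng=secrets.randbelow):
    """Pick one /prefixlen uniformly at random from pool, as RFC 1918 recommends.
    rng(n) must return an integer in [0, n); secrets.randbelow is the default so
    the choice does not depend on a guessable seed."""
    index = rng(subnet_count(pool, prefixlen))
    size = 2 ** (32 - prefixlen)
    base = int(pool.network_address) + index * size
    return ipaddress.ip_network((base, prefixlen))


def allocate(n, pool=RFC1918_POOL, prefixlen=24, rng=secrets.randbelow):
    """Allocate n distinct random subnets for one organisation."""
    chosen = set()
    while len(chosen) < n:
        chosen.add(random_subnet(pool, prefixlen, rng))
    return chosen


def collisions(org_a, org_b):
    """The overlap RFC 1918 warns about when two organisations later connect.
    Prefixes of any length are compared, so 10.1.0.0/16 against 10.1.5.0/24 counts."""
    hit = {a for a in org_a for b in org_b if a.overlaps(b)}
    hit |= {b for b in org_b for a in org_a if a.overlaps(b)}
    return sorted(hit, key=lambda n: (int(n.network_address), n.prefixlen))


def collision_probability(k_a, k_b, pool_size):
    """Probability that two independent random picks of k_a and k_b distinct
    blocks from a pool of pool_size blocks share at least one block."""
    return 1 - comb(pool_size - k_a, k_b) / comb(pool_size, k_b)


if __name__ == "__main__":
    org_a, org_b = allocate(5), allocate(5)
    print("org A:", sorted(map(str, org_a)))
    print("org B:", sorted(map(str, org_b)))
    print("collisions:", [str(n) for n in collisions(org_a, org_b)])
    print("P(collision), 5 vs 5 random /24s from 172.16/12: %.4f"
          % collision_probability(5, 5, subnet_count(RFC1918_POOL)))
    # Everyone picking the same block is the degenerate pool of size 1.
    print("P(collision), both chose 192.168.0.0/24: %.4f" % collision_probability(1, 1, 1))
```

The last line is the point of the post in one number: two sites that both took the first block out of habit collide with certainty, while two sites that each drew five random /24s from 172.16/12 collide with a probability of about 0.6%.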
Re: Botnet List Discussed on NANOG
Sat Mandri wrote:
> Hi Rick, Peter
> We at Telecom NZ/Xtra are quite keen to learn from you guys how the following Statistical Data on "Botnet" was gathered and what's the initiative driving it. We look forward to hearing from you guys on this matter.
> Kind Regards
> Sat Mandri

Hi Sat,

I built IASON to check and protect computer centres against attackers. The first thing IASON did was analyzing logs on routers, switches and everything. Next step might be tuning firewalls and switches, if need be, isolating devices from the net.

http://iason.site.voila.fr/
http://www.kokoom.com/iason/

I still have a little trouble with https://sourceforge.net/projects/iason/

Taking parts of IASON you can adapt it to count anything, like: Whenever a firewall, an xinetd or somebody else, sees activity on a port that is known to be notorious for a bot then count and remember that ip-address. That is a crude one but it gives you an overview. With tools like IASON, you could analyze your findings for repeating patterns. Now you can identify the bots even after they change ip-addresses.

Why did I build IASON in the first place? Working for companies like GLC, Global Center and Exodus I got tired of watching people in the NOC doing the same thing again and again for hours. Their expertise was not knowledge but pure typing speed. IASON can type much faster and he even has time to read the logs. With the core of IASON programmed in Prolog it might even get a clue :)

Cheers
Peter and Karin

-- Forwarded message --
Date: Fri, 26 May 2006 10:21:10 -0700
From: Rick Wesson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: nanog@merit.edu
Subject: Re: Are botnets relevant to NANOG?

> Some people need whatever bandwidth they can get for ranting. Of course routing reports, virus reports and botnet bgp statistics take away a lot of valuable bandwidth that could otherwise be used for nagging. On the other hand without Gadi's howling for the wolves those wolves might be a lost species and without the wolves all the nagging and ranting would make less fun.

let's see, should we be concerned? here are a few interesting tables, the cnt column is new IP addresses we have seen in the last 5 days. The first table is Tier-2 ASNs as classified by Fontas's ASN Taxonomy paper [1]. The second table is Universities. The ASNs concerned are just those announced by orgs in the USA, as to imply that they should be on NANOG.

Let me say it again: the counts are NEW observations in the last 5 days.

also note I'm not Gadi, and I've got much more data on everyone's networks.

-rick

New compromised unique IP addresses (last 5 days)

Tier-2 ASN
+-------+------------------------------------+-------+
| asnum | asname                             | cnt   |
+-------+------------------------------------+-------+
| 19262 | Verizon Internet Services          | 35790 |
| 20115 | Charter Communications             |  4453 |
|  8584 | Barak AS                           |  3930 |
|  5668 | CenturyTel Internet Holdings, Inc. |  2633 |
| 12271 | Road Runner                        |  2485 |
| 22291 | Charter Communications             |  2039 |
|  8113 | VRIS Verizon Internet Services     |  1664 |
|  6197 | BellSouth Network Solutions, Inc   |  1634 |
|  6198 | BellSouth Network Solutions, Inc   |  1531 |
| *9325 | XTRA-AS Telecom XTRA, Auckland     | 1415* |
| 11351 | Road Runner                        |  1415 |
|  6140 | ImpSat                             |  1051 |
|  7021 | Verizon Internet Services          |   961 |
|  6350 | Verizon Internet Services          |   945 |
| 19444 | CHARTER COMMUNICATIONS             |   845 |
+-------+------------------------------------+-------+

Universities, new unique ip last 5 days
+-------+--------------------------------+-----+
| asnum | left(asname,30)                | cnt |
+-------+--------------------------------+-----+
|    14 | Columbia University            |  93 |
|     3 | MIT-2 Massachusetts Institute  |  45 |
|    73 | University of Washington       |  25 |
|  7925 | West Virginia Network for Educ |  24 |
|  4385 | RIT-3 Rochester Institute of T |  20 |
| 23369 | SCOE-5 Sonoma County Office of |  19 |
|  5078 | Oklahoma Network for Education |  18 |
|  3388 | UNM University of New Mexico   |  18 |
|    55 | University of Pennsylvania     |  13 |
|   159 | The Ohio State University      |  12 |
|   104 | University of Colorado at Boul |  12 |
|  4265 | CERFN California Education and |  11 |
|   693 | University of Notre Dame       |  10 |
|  2900 | Arizona Tri University Network |   9 |
|  2637 | Georgia Institute of Technolog |   9 |
+-------+--------------------------------+-----+

[1] http://www.ece.gatech.edu/research/labs/MANIACS/as_taxonomy/

--
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788
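The counting Peter describes above (remember every source address seen on a port notorious for a bot, then look for repeating patterns so a bot is recognised again after it changes address), as an added Python example that is not IASON's code and not from the message. The iptables-style log lines are constructed, the list of "bot ports" is an assumption chosen for the example, and the idea of using the sequence of probed ports as the repeating pattern is this example's reading of the post.

```python
import re
from collections import defaultdict

# Ports a bot commonly probes; an assumed list for this example, not IASON's.
BOT_PORTS = {135, 139, 445, 1433, 3127, 4444, 5554}

# Pulls the fields we need out of an iptables LOG line.
LOG_RE = re.compile(r"SRC=(?P<src>[\d.]+) .*?PROTO=(?P<proto>\w+) SPT=\d+ DPT=(?P<dpt>\d+)")

# Constructed iptables-style log lines, not from any real firewall.
LOG_LINES = [
    "Jun  1 10:00:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=3344 DPT=445 WINDOW=65535",
    "Jun  1 10:00:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=3345 DPT=135 WINDOW=65535",
    "Jun  1 10:00:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=3346 DPT=5554 WINDOW=65535",
    "Jun  1 10:00:05 fw kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=1025 DPT=80 WINDOW=5840",
    "Jun  1 10:01:10 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.11 LEN=48 PROTO=TCP SPT=2201 DPT=445 WINDOW=65535",
    "Jun  1 10:01:11 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.11 LEN=48 PROTO=TCP SPT=2202 DPT=135 WINDOW=65535",
    "Jun  1 10:01:12 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.11 LEN=48 PROTO=TCP SPT=2203 DPT=5554 WINDOW=65535",
    "Jun  1 10:02:00 fw kernel: IN=eth0 OUT= SRC=192.0.2.200 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=40000 DPT=445 WINDOW=5840",
]


def parse(line):
    """Return (src_ip, proto, dst_port) for a LOG line, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("proto"), int(m.group("dpt"))


def count_bot_port_hits(lines):
    """The crude step from the post: per source IP, remember every hit on a
    bot-notorious port, in the order seen. {src_ip: [port, port, ...]}"""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse(line)
        if parsed and parsed[2] in BOT_PORTS:
            hits[parsed[0]].append(parsed[2])
    return dict(hits)


def port_patterns(hits, min_len=2):
    """The second step: group source IPs by the sequence of ports they touched.
    Two addresses that walk the same ports in the same order are likely the
    same bot, which is how it can be recognised after a change of address."""
    patterns = defaultdict(list)
    for ip, ports in hits.items():
        if len(ports) >= min_len:
            patterns[tuple(ports)].append(ip)
    return {pattern: sorted(ips) for pattern, ips in patterns.items()}


if __name__ == "__main__":
    hits = count_bot_port_hits(LOG_LINES)
    for ip, ports in hits.items():
        print(f"{ip}: {len(ports)} hits on bot ports {ports}")
    for pattern, ips in port_patterns(hits).items():
        print(f"pattern {pattern} seen from {len(ips)} addresses: {', '.join(ips)}")
```

A single hit on 445 (the last log line) is kept in the count but never becomes a pattern, which is the distinction the post draws between the crude overview and the analysis that identifies a bot.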
Re: Botnet List Discussed on NANOG
Hi Sat,

your mailer does not like me. If it is interesting for you, please forward.

Kind regards
Peter and Karin Dambier

[EMAIL PROTECTED]: 146.171.13.195_does_not_like_recipient. /Remote_host_said:_554_Service_unavailable; _Client_host_[213.165.64.20]_blocked_using_dnsbl.sorbs.net; _Spam_Received_See: _http://www.sorbs.net/lookup.shtml?213.165.64.20/Giving_up_on_146.171.13.195./

Sat Mandri wrote:
> Hi Rick, Peter
> We at Telecom NZ/Xtra are quite keen to learn from you guys how the following Statistical Data on "Botnet" was gathered and what's the initiative driving it. We look forward to hearing from you guys on this matter.
> Kind Regards
> Sat Mandri

-- Forwarded message --
Date: Fri, 26 May 2006 10:21:10 -0700
From: Rick Wesson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: nanog@merit.edu
Subject: Re: Are botnets relevant to NANOG?

> Some people need whatever bandwidth they can get for ranting. Of course routing reports, virus reports and botnet bgp statistics take away a lot of valuable bandwidth that could otherwise be used for nagging. On the other hand without Gadi's howling for the wolves those wolves might be a lost species and without the wolves all the nagging and ranting would make less fun.

let's see, should we be concerned? here are a few interesting tables, the cnt column is new IP addresses we have seen in the last 5 days. The first table is Tier-2 ASNs as classified by Fontas's ASN Taxonomy paper [1]. The second table is Universities. The ASNs concerned are just those announced by orgs in the USA, as to imply that they should be on NANOG.

Let me say it again: the counts are NEW observations in the last 5 days.

also note I'm not Gadi, and I've got much more data on everyone's networks.

-rick

New compromised unique IP addresses (last 5 days)

Tier-2 ASN
+-------+------------------------------------+-------+
| asnum | asname                             | cnt   |
+-------+------------------------------------+-------+
| 19262 | Verizon Internet Services          | 35790 |
| 20115 | Charter Communications             |  4453 |
|  8584 | Barak AS                           |  3930 |
|  5668 | CenturyTel Internet Holdings, Inc. |  2633 |
| 12271 | Road Runner                        |  2485 |
| 22291 | Charter Communications             |  2039 |
|  8113 | VRIS Verizon Internet Services     |  1664 |
|  6197 | BellSouth Network Solutions, Inc   |  1634 |
|  6198 | BellSouth Network Solutions, Inc   |  1531 |
| *9325 | XTRA-AS Telecom XTRA, Auckland     | 1415* |
| 11351 | Road Runner                        |  1415 |
|  6140 | ImpSat                             |  1051 |
|  7021 | Verizon Internet Services          |   961 |
|  6350 | Verizon Internet Services          |   945 |
| 19444 | CHARTER COMMUNICATIONS             |   845 |
+-------+------------------------------------+-------+

Universities, new unique ip last 5 days
+-------+--------------------------------+-----+
| asnum | left(asname,30)                | cnt |
+-------+--------------------------------+-----+
|    14 | Columbia University            |  93 |
|     3 | MIT-2 Massachusetts Institute  |  45 |
|    73 | University of Washington       |  25 |
|  7925 | West Virginia Network for Educ |  24 |
|  4385 | RIT-3 Rochester Institute of T |  20 |
| 23369 | SCOE-5 Sonoma County Office of |  19 |
|  5078 | Oklahoma Network for Education |  18 |
|  3388 | UNM University of New Mexico   |  18 |
|    55 | University of Pennsylvania     |  13 |
|   159 | The Ohio State University      |  12 |
|   104 | University of Colorado at Boul |  12 |
|  4265 | CERFN California Education and |  11 |
|   693 | University of Notre Dame       |  10 |
|  2900 | Arizona Tri University Network |   9 |
|  2637 | Georgia Institute of Technolog |   9 |
+-------+--------------------------------+-----+

[1] http://www.ece.gatech.edu/research/labs/MANIACS/as_taxonomy/

--
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)
mail: [EMAIL PROTECTED]
mail: [EMAIL PROTECTED]
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
Re: Are botnets relevant to NANOG?
[EMAIL PROTECTED] wrote:
> In recent discussions about botnets, some people maintained that botnets (and viruses and worms) are really not a relevant topic for NANOG discussion and are not something that we should be worried about. I think that the CSI and FBI would disagree with that.

Some people need whatever bandwidth they can get for ranting. Of course routing reports, virus reports and botnet bgp statistics take away a lot of valuable bandwidth that could otherwise be used for nagging. On the other hand without Gadi's howling for the wolves those wolves might be a lost species and without the wolves all the nagging and ranting would make less fun.

> Now NANOG members cannot change OS security, they can't change corporate security practices, but they can have an impact on botnets because this is where the nefarious activity meets the network.

They can. All you have to do is look for free software and join the developers or the testers or report whatever you have found out. When working for Exodus and GLC I have seen I could change security practices. I was working in London, Munich and Frankfurt NOCs. Sorry I did not know about NANOG that time. It would have made my life a lot more interesting.

> Therefore, I conclude that discussions of botnets do belong on the NANOG list as long as the NANOG list is not used as a primary venue for discussing them.

Botnets are networks. We should have the network operators on the NANOG list. (I am afraid we do already have them :)

> One thing that surveys, such as the CSI/FBI Security Survey, cannot do well is to measure the impact of botnet researchers and the people who attempt to shut down botnets. It's similar to the fight against terrorism. I know that there have been 2 terrorist attacks on London since 9/11 but I don't know HOW MANY ATTACKS HAVE BEEN THWARTED. At least two have been publicised but there could be dozens more. Cleaning up botnets is rather like fighting terrorism. At the end, you have nothing to show for it. No news coverage, no big heaps of praise. Most people aren't sure there was ever a problem to begin with. That doesn't mean that the work should stop or that network providers should withhold their support for cleaning up the botnet problem.

Maybe it is high time for a transparent frog. Invisible for secure systems but as soon as one of the bots tries to infect it, it will ...

In case you are not Gadi or working for Gadi, feel free to ignore the transparent frog. I have never met one :)

Cheers
Peter and Karin

--
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)
mail: [EMAIL PROTECTED]
mail: [EMAIL PROTECTED]
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
Re: Are botnets relevant to NANOG?
John Kristoff wrote:
> On Fri, 26 May 2006 11:50:21 -0700 Rick Wesson [EMAIL PROTECTED] wrote:
>> The longer answer is that we haven't found a reliable way to identify dynamic blocks. Should anyone point me to an authoritative source I'd be happy to do the analysis and provide some graphs on how dynamic addresses affect the numbers.
> I don't know how effective the dynamic lists maintained by some in the anti-spamming community are, you'd probably know better than I, but that is one way as described in the paper.
> In the first section of the paper I cited they list three methods they used to try to capture stable IP addresses. Summarizing those:
> 1. reverse map the IP address and analyze the hostname
> 2. do same for nearby addresses and analyze character difference ratio
> 3. compare active probes of suspect app with icmp echo response

Tool to help you. Try natnum from the IASON tools.

$ natnum echnaton.serveftp.com
host_look(84.167.246.104,echnaton.serveftp.com,1420293736).
host_name(84.167.246.104,p54A7F668.dip.t-dialin.net).

You can feed natnum a hostname or an ip-address or even a long integer. If you want to dump an address range use name2pl.

$ name2pl 84.167.246.100 8
host_name(84.167.246.100,p54A7F664.dip.t-dialin.net).
host_name(84.167.246.101,p54A7F665.dip.t-dialin.net).
...
host_name(84.167.246.106,p54A7F66A.dip.t-dialin.net).
host_name(84.167.246.107,p54A7F66B.dip.t-dialin.net).

Dumps you 8 ip-addresses starting from 84.167.246.100. Without the 8 you will get 256.

http://iason.site.voila.fr/
http://www.kokoom.com/

Sorry the sourceforge still gives me hiccups :)
Sorry, will compile and run on UNIX, BSD, Linux, MAC OS-X only.

> None of these will be foolproof and the last one will probably only be good for cases where there is a service running where you'd rather there not be and you can test for it (e.g. open relays). There was at least one additional reference to related work in that paper, which leads to more still, but I'll let those interested do their own research on additional ideas for themselves.
>> also note that we are using TCP fingerprinting in our spamtraps and expect to have some interesting results published in the august/sept time frame. We won't be able to say that a block is dynamic but we will be able to better understand if we talk to the same spammer from different ip addresses and how often those addresses change.
> Will look forward to seeing more.
>
> Thanks,
> John

Kind regards
Peter and Karin

--
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)
mail: [EMAIL PROTECTED]
mail: [EMAIL PROTECTED]
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
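The first two methods in John's summary above (reverse-map the address and analyze the hostname; do the same for nearby addresses and look at the character difference ratio), as an added Python example. It is not natnum, not name2pl and not the paper's code. Instead of querying DNS it uses an inline table of PTR names, built from the t-dialin names the post shows plus invented example.net names for contrast, so it runs offline; the dynamic-pool word list, the reading of "character difference ratio" as the fraction of differing positions between equal-length names, and the 0.15 threshold are assumptions of this example.

```python
import ipaddress
import re

# Constructed reverse-DNS table so the example runs offline. The t-dialin
# entries are the names shown in the post's name2pl output; the example.net
# entries are invented static hosts for contrast.
PTR = {
    "84.167.246.100": "p54A7F664.dip.t-dialin.net",
    "84.167.246.101": "p54A7F665.dip.t-dialin.net",
    "84.167.246.102": "p54A7F666.dip.t-dialin.net",
    "84.167.246.103": "p54A7F667.dip.t-dialin.net",
    "84.167.246.104": "p54A7F668.dip.t-dialin.net",
    "198.51.100.10": "mail.example.net",
    "198.51.100.11": "www.example.net",
    "198.51.100.12": "ns1.example.net",
}

# Substrings ISPs commonly put in dynamic-pool names; an assumed list.
DYNAMIC_WORDS = ("dyn", "dial", "dip", "pool", "ppp", "dhcp", "dsl", "cable")


def ip_to_int(ip):
    """84.167.246.104 -> 1420293736, the long integer natnum prints."""
    return int(ipaddress.IPv4Address(ip))


def int_to_ip(n):
    return str(ipaddress.IPv4Address(n))


def encoded_address(hostname):
    """Method 1: does the hostname embed an IPv4 address? Handles the
    8-hex-digit form (p54A7F668 -> 84.167.246.104) and dotted or dashed
    decimal octets (1-2-3-4.dyn.example). Returns the address or None."""
    m = re.search(r"(?<![0-9a-fA-F])([0-9a-fA-F]{8})(?![0-9a-fA-F])", hostname)
    if m:
        return int_to_ip(int(m.group(1), 16))
    m = re.search(r"(?<!\d)(\d{1,3})[-.](\d{1,3})[-.](\d{1,3})[-.](\d{1,3})(?!\d)", hostname)
    if m and all(int(o) < 256 for o in m.groups()):
        return ".".join(str(int(o)) for o in m.groups())
    return None


def char_diff_ratio(a, b):
    """Method 2, as read here: fraction of positions at which two names of
    equal length differ; names of different length count as fully different."""
    if len(a) != len(b):
        return 1.0
    return sum(x != y for x, y in zip(a, b)) / len(a)


def looks_dynamic(ip, ptr=PTR, max_neighbour_ratio=0.15):
    """True if the PTR name encodes the address itself, carries a dynamic-pool
    word, or differs from a neighbouring address's name in only a few characters."""
    name = ptr.get(ip)
    if name is None:
        return False
    if encoded_address(name) == ip:
        return True
    if any(word in name.lower() for word in DYNAMIC_WORDS):
        return True
    n = ip_to_int(ip)
    for delta in (-1, 1):
        if not 0 <= n + delta <= 0xFFFFFFFF:
            continue
        neighbour = ptr.get(int_to_ip(n + delta))
        if neighbour and char_diff_ratio(name, neighbour) <= max_neighbour_ratio:
            return True
    return False


def classify_range(start_ip, count=8, ptr=PTR):
    """name2pl-style walk: (ip, ptr name or None, looks_dynamic) for count
    consecutive addresses starting at start_ip."""
    start = ip_to_int(start_ip)
    out = []
    for i in range(count):
        ip = int_to_ip(start + i)
        out.append((ip, ptr.get(ip), looks_dynamic(ip, ptr)))
    return out


if __name__ == "__main__":
    for ip, name, dynamic in classify_range("84.167.246.100", 5) + classify_range("198.51.100.10", 3):
        print(f"{ip:16} {name or '-':30} {'dynamic' if dynamic else 'static?'}")
```

As John notes, none of this is foolproof: a static host with a hex-looking label, or a provider that gives static customers the same naming scheme as its pools, will be misclassified, so the result is a hint to weigh alongside the third method, not a verdict.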